Jpeg Fuzz Fixes (#836)

* Nomalize jpeg exceptions. Fix #821

* Fix #822

* Fix #823

* Check for correct QT index. Touch #824

* Check DHT props. Touch #824

* Limit sampling factors to 1 & 2. Touch #824

* Add already fixed image 4. Touch #824

* Check for excessive code lengths. Touch #824

* Add already fixed image 6. Touch #824

* Lint progressive scan details. Touch #824

* Add already fixed image 8. Fix #824

* Remove duplicate per-block checks

* Add already fixed image 1. Touch #825

* Don't throw on bad JFIF density units.

* Add already fixed image 3. Touch #825

* Add already fixed image 4. Fix #825

* Check SOFn marker length. Touch #826

* Add already fixed image 2. Touch #826

* Add already fixed image 3. Fix #826

* Add fixed already fixed image. Fix #827

* Revert unneeded bounds check introduced in #804

Author: JimBobSquarePants

src/ImageSharp/Formats/Jpeg/Components/Decoder/HuffmanTable.cs

@@ -50,10 +50,8 @@ internal unsafe struct HuffmanTable
         /// <param name="values">The huffman values</param>
         public HuffmanTable(MemoryAllocator memoryAllocator, ReadOnlySpan<byte> codeLengths, ReadOnlySpan<byte> values)
         {
-            // We do some bounds checks in the code here to protect against AccessViolationExceptions
-            const int HuffCodeLength = 257;
-            const int MaxSizeLength = HuffCodeLength - 1;
-            using (IMemoryOwner<short> huffcode = memoryAllocator.Allocate<short>(HuffCodeLength))
+            const int Length = 257;
+            using (IMemoryOwner<short> huffcode = memoryAllocator.Allocate<short>(Length))
             {
                 ref short huffcodeRef = ref MemoryMarshal.GetReference(huffcode.GetSpan());
                 ref byte codeLengthsRef = ref MemoryMarshal.GetReference(codeLengths);
@@ -65,7 +63,7 @@ public HuffmanTable(MemoryAllocator memoryAllocator, ReadOnlySpan<byte> codeLeng
                 for (short i = 1; i < 17; i++)
                 {
                     byte length = Unsafe.Add(ref codeLengthsRef, i);
-                    for (short j = 0; j < length && x < MaxSizeLength; j++)
+                    for (short j = 0; j < length; j++)
                     {
                         Unsafe.Add(ref sizesRef, x++) = i;
                     }
@@ -86,7 +84,7 @@ public HuffmanTable(MemoryAllocator memoryAllocator, ReadOnlySpan<byte> codeLeng
                     Unsafe.Add(ref valOffsetRef, k) = (int)(si - code);
                     if (Unsafe.Add(ref sizesRef, si) == k)
                     {
-                        while (Unsafe.Add(ref sizesRef, si) == k && si < HuffCodeLength)
+                        while (Unsafe.Add(ref sizesRef, si) == k)
                         {
                             Unsafe.Add(ref huffcodeRef, si++) = (short)code++;
                         }
@@ -103,19 +101,19 @@ public HuffmanTable(MemoryAllocator memoryAllocator, ReadOnlySpan<byte> codeLeng
                 // Generate non-spec lookup tables to speed up decoding.
                 const int FastBits = ScanDecoder.FastBits;
                 ref byte lookaheadRef = ref this.Lookahead[0];
-                const uint MaxFastLength = 1 << FastBits;
-                Unsafe.InitBlockUnaligned(ref lookaheadRef, 0xFF, MaxFastLength); // Flag for non-accelerated
+                Unsafe.InitBlockUnaligned(ref lookaheadRef, 0xFF, 1 << FastBits); // Flag for non-accelerated
 
                 for (int i = 0; i < si; i++)
                 {
                     int size = Unsafe.Add(ref sizesRef, i);
                     if (size <= FastBits)
                     {
-                        int huffCode = Unsafe.Add(ref huffcodeRef, i) << (FastBits - size);
-                        int max = 1 << (FastBits - size);
-                        for (int left = 0; left < max; left++)
+                        int fastOffset = FastBits - size;
+                        int fastCode = Unsafe.Add(ref huffcodeRef, i) << fastOffset;
+                        int fastMax = 1 << fastOffset;
+                        for (int left = 0; left < fastMax; left++)
                         {
-                            Unsafe.Add(ref lookaheadRef, huffCode + left) = (byte)i;
+                            Unsafe.Add(ref lookaheadRef, fastCode + left) = (byte)i;
                         }
                     }
                 }

src/ImageSharp/Formats/Jpeg/Components/Decoder/JFifMarker.cs

@@ -27,12 +27,20 @@ namespace SixLabors.ImageSharp.Formats.Jpeg.Components.Decoder
         /// <param name="yDensity">The vertical pixel density</param>
         private JFifMarker(byte majorVersion, byte minorVersion, byte densityUnits, short xDensity, short yDensity)
         {
-            Guard.MustBeGreaterThan(xDensity, 0, nameof(xDensity));
-            Guard.MustBeGreaterThan(yDensity, 0, nameof(yDensity));
-            Guard.MustBeBetweenOrEqualTo(densityUnits, 0, 2, nameof(densityUnits));
+            if (xDensity <= 0)
+            {
+                JpegThrowHelper.ThrowImageFormatException($"X-Density {xDensity} must be greater than 0.");
+            }
+
+            if (yDensity <= 0)
+            {
+                JpegThrowHelper.ThrowImageFormatException($"Y-Density {yDensity} must be greater than 0.");
+            }
 
             this.MajorVersion = majorVersion;
             this.MinorVersion = minorVersion;
+
+            // LibJpeg and co will simply cast and not try to enforce a range.
             this.DensityUnits = (PixelResolutionUnit)densityUnits;
             this.XDensity = xDensity;
             this.YDensity = yDensity;
@@ -104,10 +112,7 @@ public bool Equals(JFifMarker other)
         }
 
         /// <inheritdoc/>
-        public override bool Equals(object obj)
-        {
-            return obj is JFifMarker other && this.Equals(other);
-        }
+        public override bool Equals(object obj) => obj is JFifMarker other && this.Equals(other);
 
         /// <inheritdoc/>
         public override int GetHashCode()

src/ImageSharp/Formats/Jpeg/Components/Decoder/JpegComponent.cs

@@ -21,9 +21,25 @@ public JpegComponent(MemoryAllocator memoryAllocator, JpegFrame frame, byte id,
             this.memoryAllocator = memoryAllocator;
             this.Frame = frame;
             this.Id = id;
+
+            // Valid sampling factors are 1..2
+            if (horizontalFactor == 0
+                || verticalFactor == 0
+                || horizontalFactor > 2
+                || verticalFactor > 2)
+            {
+                JpegThrowHelper.ThrowBadSampling();
+            }
+
             this.HorizontalSamplingFactor = horizontalFactor;
             this.VerticalSamplingFactor = verticalFactor;
             this.SamplingFactors = new Size(this.HorizontalSamplingFactor, this.VerticalSamplingFactor);
+
+            if (quantizationTableIndex > 3)
+            {
+                JpegThrowHelper.ThrowBadQuantizationTable();
+            }
+
             this.QuantizationTableIndex = quantizationTableIndex;
             this.Index = index;
         }
@@ -110,6 +126,11 @@ public void Init()
             JpegComponent c0 = this.Frame.Components[0];
             this.SubSamplingDivisors = c0.SamplingFactors.DivideBy(this.SamplingFactors);
 
+            if (this.SubSamplingDivisors.Width == 0 || this.SubSamplingDivisors.Height == 0)
+            {
+                JpegThrowHelper.ThrowBadSampling();
+            }
+
             int totalNumberOfBlocks = blocksPerColumnForMcu * (blocksPerLineForMcu + 1);
             int width = this.WidthInBlocks + 1;
             int height = totalNumberOfBlocks / width;

src/ImageSharp/Formats/Jpeg/Components/Decoder/JpegFrame.cs

@@ -83,7 +83,7 @@ public void Dispose()
             {
                 for (int i = 0; i < this.Components.Length; i++)
                 {
-                    this.Components[i].Dispose();
+                    this.Components[i]?.Dispose();
                 }
 
                 this.Components = null;

src/ImageSharp/Formats/Jpeg/Components/Decoder/ScanDecoder.cs

@@ -270,8 +270,60 @@ private void ParseBaselineDataNonInterleaved()
             }
         }
 
+        private void CheckProgressiveData()
+        {
+            // Validate successive scan parameters.
+            // Logic has been adapted from libjpeg.
+            // See Table B.3 – Scan header parameter size and values. itu-t81.pdf
+            bool invalid = false;
+            if (this.spectralStart == 0)
+            {
+                if (this.spectralEnd != 0)
+                {
+                    invalid = true;
+                }
+            }
+            else
+            {
+                // Need not check Ss/Se < 0 since they came from unsigned bytes.
+                if (this.spectralEnd < this.spectralStart || this.spectralEnd > 63)
+                {
+                    invalid = true;
+                }
+
+                // AC scans may have only one component.
+                if (this.componentsLength != 1)
+                {
+                    invalid = true;
+                }
+            }
+
+            if (this.successiveHigh != 0)
+            {
+                // Successive approximation refinement scan: must have Al = Ah-1.
+                if (this.successiveHigh - 1 != this.successiveLow)
+                {
+                    invalid = true;
+                }
+            }
+
+            // TODO: How does this affect 12bit jpegs.
+            // According to libjpeg the range covers 8bit only?
+            if (this.successiveLow > 13)
+            {
+                invalid = true;
+            }
+
+            if (invalid)
+            {
+                JpegThrowHelper.ThrowBadProgressiveScan(this.spectralStart, this.spectralEnd, this.successiveHigh, this.successiveLow);
+            }
+        }
+
         private void ParseProgressiveData()
         {
+            this.CheckProgressiveData();
+
             if (this.componentsLength == 1)
             {
                 this.ParseProgressiveDataNonInterleaved();
@@ -483,11 +535,6 @@ private void DecodeBlockProgressiveDC(
             ref Block8x8 block,
             ref HuffmanTable dcTable)
         {
-            if (this.spectralEnd != 0)
-            {
-                JpegThrowHelper.ThrowImageFormatException("Can't merge DC and AC.");
-            }
-
             this.CheckBits();
 
             ref short blockDataRef = ref Unsafe.As<Block8x8, short>(ref block);
@@ -518,11 +565,6 @@ private void DecodeBlockProgressiveAC(
             ref HuffmanTable acTable,
             ref short fastACRef)
         {
-            if (this.spectralStart == 0)
-            {
-                JpegThrowHelper.ThrowImageFormatException("Can't merge DC and AC.");
-            }
-
             ref short blockDataRef = ref Unsafe.As<Block8x8, short>(ref block);
 
             if (this.successiveHigh == 0)