From 95bec1cffbe0fad53135f7fbee734b29d6a47b53 Mon Sep 17 00:00:00 2001
From: Dmitry Pentin <riotbr3aker@gmail.com>
Date: Fri, 16 Jul 2021 16:41:22 +0300
Subject: [PATCH] Added comments, validated huffman table indices

---
 .../Formats/Jpeg/JpegDecoderCore.cs           | 23 +++++++++++++++----
 1 file changed, 18 insertions(+), 5 deletions(-)

diff --git a/src/ImageSharp/Formats/Jpeg/JpegDecoderCore.cs b/src/ImageSharp/Formats/Jpeg/JpegDecoderCore.cs
index 35f88e4959..8dc0bb5017 100644
--- a/src/ImageSharp/Formats/Jpeg/JpegDecoderCore.cs
+++ b/src/ImageSharp/Formats/Jpeg/JpegDecoderCore.cs
@@ -985,7 +985,7 @@ namespace SixLabors.ImageSharp.Formats.Jpeg
             if (selectorsCount == 0 || selectorsCount > this.Frame.ComponentCount)
             {
                 // TODO: extract as separate method?
-                JpegThrowHelper.ThrowInvalidImageContentException($"Invalid number of components in scan: {selectorsCount}. Must be [1 <= count <= {this.Frame.ComponentCount}].");
+                JpegThrowHelper.ThrowInvalidImageContentException($"Invalid number of components in scan: {selectorsCount}.");
             }
 
             this.Frame.MultiScan = this.Frame.ComponentCount != selectorsCount;
@@ -1009,15 +1009,28 @@ namespace SixLabors.ImageSharp.Formats.Jpeg
                 if (componentIndex == -1)
                 {
                     // TODO: extract as separate method?
-                    JpegThrowHelper.ThrowInvalidImageContentException($"Invalid component id in scan: {componentSelectorId}. Must be [0 <= id <= {this.Frame.ComponentCount - 1}]");
+                    JpegThrowHelper.ThrowInvalidImageContentException($"Unknown component id in scan: {componentSelectorId}.");
                 }
 
                 this.Frame.ComponentOrder[i] = (byte)componentIndex;
 
+                JpegComponent component = this.Frame.Components[componentIndex];
+
+                // 1 byte: Huffman table selectors.
+                // 4 bits - dc
+                // 4 bits - ac
                 int tableSpec = stream.ReadByte();
-                ref JpegComponent component = ref this.Frame.Components[componentIndex];
-                component.DCHuffmanTableId = tableSpec >> 4;
-                component.ACHuffmanTableId = tableSpec & 15;
+                int dcTableIndex = tableSpec >> 4;
+                int acTableIndex = tableSpec & 15;
+
+                // Validate: both must be < 4
+                if (dcTableIndex >= 4 || acTableIndex >= 4)
+                {
+                    JpegThrowHelper.ThrowInvalidImageContentException($"Invalid huffman table for component:{componentSelectorId}: dc={dcTableIndex}, ac={acTableIndex}");
+                }
+
+                component.DCHuffmanTableId = dcTableIndex;
+                component.ACHuffmanTableId = acTableIndex;
             }
 
             // 3 bytes: Progressive scan decoding data