Fix copy_jpeg with invalid/corrupt JPEG data (Issue #132)

CHANGES.md

@@ -7,6 +7,7 @@ v1.5.4 - YYYY-MM-DD
 
 - Updated indirect reference reading code to limit the range of generation
   numbers.
+- Fixed a JPEG copy bug (Issue #132)
 
 
 v1.5.3 - 2025-05-03

pdfio-content.c

@@ -2527,8 +2527,12 @@ copy_jpeg(pdfio_dict_t *dict,		// I - Dictionary
       bufend += bytes;
     }
 
-    if (*bufptr == _PDFIO_JPEG_MARKER)
+    if (*bufptr != _PDFIO_JPEG_MARKER)
     {
+      _pdfioFileError(dict->pdf, "Invalid JPEG data: <%02X>", *bufptr);
+      goto finish;
+    }
+
     // Start of a marker in the file...
     bufptr ++;
 
@@ -2536,13 +2540,11 @@ copy_jpeg(pdfio_dict_t *dict,		// I - Dictionary
     length = (size_t)((bufptr[1] << 8) | bufptr[2]);
     bufptr += 3;
 
-      if (marker == _PDFIO_JPEG_MARKER)
-	continue;
-      else if (marker == _PDFIO_JPEG_EOI || marker == _PDFIO_JPEG_SOS || length < 2)
-        break;
-
     PDFIO_DEBUG("copy_jpeg: JPEG X'FF%02X' (length %u)\n", marker, (unsigned)length);
 
+    if (marker == _PDFIO_JPEG_EOI || marker == _PDFIO_JPEG_SOS || length < 2)
+      break;
+
     length -= 2;
 
     if ((marker >= _PDFIO_JPEG_SOF0 && marker <= _PDFIO_JPEG_SOF3) || (marker >= _PDFIO_JPEG_SOF5 && marker <= _PDFIO_JPEG_SOF7) || (marker >= _PDFIO_JPEG_SOF9 && marker <= _PDFIO_JPEG_SOF11) || (marker >= _PDFIO_JPEG_SOF13 && marker <= _PDFIO_JPEG_SOF15))
@@ -2648,7 +2650,6 @@ copy_jpeg(pdfio_dict_t *dict,		// I - Dictionary
       }
     }
   }
-  }
 
   if (width == 0 || height == 0 || (num_colors != 1 && num_colors != 3))
   {