[Gtkradiant] [Bug 655] New: Q3Map2 crashes on certain JPEG files.

[gtkradiant@zerowing.idsoftware.com]

http://zerowing.idsoftware.com/bugzilla/show_bug.cgi?id=655

           Summary: Q3Map2 crashes on certain JPEG files.
           Product: GtkRadiant
           Version: 1.2
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: normal
          Priority: P2
         Component: tools
        AssignedTo: ttimo@idsoftware.com
        ReportedBy: mailinglist.gtkradiant@hydras-world.com


Attached is a JPEG image that breaks Q3Map2

it was created by extracting grnwall_m06.jpg from pak0.pk3 from RTCW
using winzip 8.1, then opening it with Paint Shop Pro 7.0, then changing the 
color, and then saving it.

All other apps I have can load the image, including GTKRadiant itself.  Only 
q3map (and q3map2) have a problem with it.

Notes:

in stage 5 of JPGLOAD.cpp a buffer is allocated using the size calculated like 
this:

nSize = cinfo.output_width*cinfo.output_height*cinfo.output_components;

the attached image is 256x256, and cinfo.output_components == 1
this appears to be 4 for most other jpegs i have.

the buffer is then filled with the image, and then the alpha map is cleared 
(jpegs don't have alpha maps) like so:

    j = cinfo.output_width * cinfo.output_height * 4;
    for ( i = 3 ; i < j ; i+=4 ) {
      buf[i] = 255;  // <--- crash here!!!
    }

and BANG crash, because j > nSize so it overflows the buffer after a few passes.

I tried replacing the "4" on the "j =" line with "cinfo.output_components" but 
the crash just moves elsewhere.

I think the image needs to be converted from a single byte per pixel to a three 
byte per pixel image first.

I took the liberty of taking a screenshot of PSP's Image Imformation dialog, 
which shows the image details.   Also attached.