Google Git
Sign in
skia / external / github.com / libjpeg-turbo / libjpeg-turbo / 077e5bb4e0f6761c034e7c1f7e7a4120f580f1a0
commit077e5bb4e0f6761c034e7c1f7e7a4120f580f1a0[log] [tgz]
authorDRC <information@libjpeg-turbo.org>Thu Sep 08 21:49:02 2016 -0500
committerDRC <information@libjpeg-turbo.org>Thu Sep 08 22:01:09 2016 -0500
treef0cb647e573b1660cfba7c442eb5d8a20984f16f
parenta1dd35680d40758f234f214cef4c53cd1bc4b34e [diff]
Fix out-of-bounds write in partial decomp. feature

Reported by Clang UBSan (refer to
https://bugzilla.mozilla.org/show_bug.cgi?id=1301252 for test image.)
This appears to be a legitimate bug introduced by
3ab68cf563f6edc2608c085f5c8b2d5d5c61157e.  Any component array, such
as first_MCU_col and last_MCU_col, should always be able to accommodate
MAX_COMPONENTS values.  The aforementioned test image had 8 components,
which was not enough to make the out-of-bounds write bust out of the
jpeg_decomp_master struct (and fortunately the memory after last_MCU_col
is an integer used as a boolean, so stomping on it will do nothing other
than change the decoder state.)  I crafted another special image that
has 10 components (the maximum allowable), but that was apparently not
enough to bust out of the allocated memory, either.  Thus, it is
posited that the security threat posed by this bug is either extremely
minimal or non-existent.
2 files changed
tree: f0cb647e573b1660cfba7c442eb5d8a20984f16f
  1. cmakescripts/
  2. doc/
  3. java/
  4. md5/
  5. release/
  6. sharedlib/
  7. simd/
  8. testimages/
  9. win/
  10. .gitignore
  11. acinclude.m4
  12. bmp.c
  13. bmp.h
  14. BUILDING.md
  15. cderror.h
  16. cdjpeg.c
  17. cdjpeg.h
  18. change.log
  19. ChangeLog.md
  20. cjpeg.1
  21. cjpeg.c
  22. CMakeLists.txt
  23. coderules.txt
  24. configure.ac
  25. djpeg.1
  26. djpeg.c
  27. doxygen-extra.css
  28. doxygen.config
  29. example.c
  30. jaricom.c
  31. jcapimin.c
  32. jcapistd.c
  33. jcarith.c
  34. jccoefct.c
  35. jccolext.c
  36. jccolor.c
  37. jcdctmgr.c
  38. jchuff.c
  39. jchuff.h
  40. jcinit.c
  41. jcmainct.c
  42. jcmarker.c
  43. jcmaster.c
  44. jcomapi.c
  45. jconfig.h.in
  46. jconfig.txt
  47. jconfigint.h.in
  48. jcparam.c
  49. jcphuff.c
  50. jcprepct.c
  51. jcsample.c
  52. jcstest.c
  53. jctrans.c
  54. jdapimin.c
  55. jdapistd.c
  56. jdarith.c
  57. jdatadst-tj.c
  58. jdatadst.c
  59. jdatasrc-tj.c
  60. jdatasrc.c
  61. jdcoefct.c
  62. jdcoefct.h
  63. jdcol565.c
  64. jdcolext.c
  65. jdcolor.c
  66. jdct.h
  67. jddctmgr.c
  68. jdhuff.c
  69. jdhuff.h
  70. jdinput.c
  71. jdmainct.c
  72. jdmainct.h
  73. jdmarker.c
  74. jdmaster.c
  75. jdmaster.h
  76. jdmerge.c
  77. jdmrg565.c
  78. jdmrgext.c
  79. jdphuff.c
  80. jdpostct.c
  81. jdsample.c
  82. jdsample.h
  83. jdtrans.c
  84. jerror.c
  85. jerror.h
  86. jfdctflt.c
  87. jfdctfst.c
  88. jfdctint.c
  89. jidctflt.c
  90. jidctfst.c
  91. jidctint.c
  92. jidctred.c
  93. jinclude.h
  94. jmemmgr.c
  95. jmemnobs.c
  96. jmemsys.h
  97. jmorecfg.h
  98. jpeg_nbits_table.h
  99. jpegcomp.h
  100. jpegint.h
  101. jpeglib.h
  102. jpegtran.1
  103. jpegtran.c
  104. jquant1.c
  105. jquant2.c
  106. jsimd.h
  107. jsimd_none.c
  108. jsimddct.h
  109. jstdhuff.c
  110. jutils.c
  111. jversion.h
  112. libjpeg.map.in
  113. libjpeg.txt
  114. LICENSE.md
  115. Makefile.am
  116. rdbmp.c
  117. rdcolmap.c
  118. rdgif.c
  119. rdjpgcom.1
  120. rdjpgcom.c
  121. rdppm.c
  122. rdrle.c
  123. rdswitch.c
  124. rdtarga.c
  125. README.ijg
  126. README.md
  127. structure.txt
  128. tjbench.c
  129. tjbenchtest.in
  130. tjbenchtest.java.in
  131. tjexampletest.in
  132. tjunittest.c
  133. tjutil.c
  134. tjutil.h
  135. transupp.c
  136. transupp.h
  137. turbojpeg-jni.c
  138. turbojpeg-mapfile
  139. turbojpeg-mapfile.jni
  140. turbojpeg.c
  141. turbojpeg.h
  142. usage.txt
  143. wizard.txt
  144. wrbmp.c
  145. wrgif.c
  146. wrjpgcom.1
  147. wrjpgcom.c
  148. wrppm.c
  149. wrppm.h
  150. wrrle.c
  151. wrtarga.c