jdarith.c: Fix two signed integer overflows
I guess I have to fix these, or Google Autofuzz is going to keep bugging
me about them.
Fixes #171
Fixes #197
Fixes #198
diff --git a/ChangeLog.md b/ChangeLog.md
index f5fe44b..e44ddc8 100644
--- a/ChangeLog.md
+++ b/ChangeLog.md
@@ -1,3 +1,13 @@
+1.5.4
+=====
+
+1. Fixed two signed integer overflows in the arithmetic decoder, detected by
+the Clang undefined behavior sanitizer, that could be triggered by attempting
+to decompress a specially-crafted malformed JPEG image. These issues did not
+pose a security threat, but removing the warnings makes it easier to detect
+actual security issues, should they arise in the future.
+
+
1.5.3
=====
diff --git a/jdarith.c b/jdarith.c
index ce0f920..0f560f6 100644
--- a/jdarith.c
+++ b/jdarith.c
@@ -4,7 +4,7 @@
* This file was part of the Independent JPEG Group's software:
* Developed 1997-2015 by Guido Vollbeding.
* libjpeg-turbo Modifications:
- * Copyright (C) 2015-2016, D. R. Commander.
+ * Copyright (C) 2015-2017, D. R. Commander.
* For conditions of distribution and use, see the accompanying README.ijg
* file.
*
@@ -306,7 +306,7 @@
while (m >>= 1)
if (arith_decode(cinfo, st)) v |= m;
v += 1; if (sign) v = -v;
- entropy->last_dc_val[ci] += v;
+ entropy->last_dc_val[ci] = (entropy->last_dc_val[ci] + v) & 0xffff;
}
/* Scale and output the DC coefficient (assumes jpeg_natural_order[0]=0) */
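Review bot: The `& 0xffff` on the new line is an unexplained magic constant that also changes the stored value's sign, since the masked result is always in 0..65535 even when the true predictor is negative; the hunk at `@@ -564,7 +564,7 @@` makes the identical change and the same note applies there. This is only correct because the predictor is used purely additively and presumably the later cast to the 16-bit `JCOEF` recovers the low 16 bits — that dependency lives outside the hunk and should be stated, e.g. `/* Keep only the low 16 bits: the DC coefficient is a 16-bit JCOEF, so the predictor is only needed modulo 2^16, and bounding it here prevents a malformed stream from overflowing the int accumulator. */`. If anything inspects the sign of `last_dc_val` directly (not visible in this hunk), it would need a check after this change. Both enclosing functions start and end outside their hunks.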
@@ -564,7 +564,7 @@
while (m >>= 1)
if (arith_decode(cinfo, st)) v |= m;
v += 1; if (sign) v = -v;
- entropy->last_dc_val[ci] += v;
+ entropy->last_dc_val[ci] = (entropy->last_dc_val[ci] + v) & 0xffff;
}
if (block)