| author | Jonathan Wright <jonathan.wright@arm.com> | 2020-12-08 16:53:51 +0000 |
|---|---|---|
| committer | Jonathan Wright <jonathan.wright@arm.com> | 2020-12-08 17:26:49 +0000 |
| commit | e9a659a09e9600883e499c06ede04ba514d7f942 (patch) | |
| tree | 7ef856d93df0ff38ce97755d5da8a06283e0d5c0 | |
| parent | bbb828223e9c8f83f0e84db1e98b116029e62765 (diff) | |
Cherry-pick upstream fix for uninitialised reads
Chromium fuzzers running with MSan found the use of uninitialised
values when decoding a progressive JPEG image.
This commit cherry-picks the upstream fix:
https://github.com/libjpeg-turbo/libjpeg-turbo/commit/110d8d6dcafaed517e8f77a6253169535ee3a20e
Original commit message:
decompress_smooth_data(): Fix another uninit. read
Regression introduced by 42825b6
The test case
https://user-images.githubusercontent.com/3491627/101376530-fde56180-38b0-11eb-938d-734119a5b5ba.jpg
is a malformed progressive JPEG image containing an interleaved Y/Cb/Cr
DC scan followed by two non-interleaved Y DC scans. Thus, the
prev_coef_bits[] array was initialized for the Y component but not the
other components, the uninitialized values for Cb and Cr were
transferred to the prev_coef_bits_latch[] array in smoothing_ok(), and
because cinfo->master->last_good_iMCU_row was 0,
decompress_smooth_data() read those uninitialized values when attempting
to smooth the second iMCU row.
Possibly fixes #478
Bug: 1156513
Change-Id: Iff97f04dd27ed95050b05dbd1845489555891a9e
| -rw-r--r-- | README.chromium | 3 |
|---|---|---|
| -rw-r--r-- | jdarith.c | 2 |
| -rw-r--r-- | jdphuff.c | 2 |

3 files changed, 6 insertions, 1 deletions
diff --git a/README.chromium b/README.chromium index 1aa67cf..469e550 100644 --- a/README.chromium +++ b/README.chromium @@ -14,10 +14,11 @@ This consists of the components: * An OWNERS file * A codereview.settings file * Patched header files used by Chromium -* Cherry-picked two additional patches from upstream master to fix bugs found +* Cherry-picked three additional patches from upstream master to fix bugs found by fuzzers: https://github.com/libjpeg-turbo/libjpeg-turbo/commit/ccaba5d7894ecfb5a8f11e48d3f86e1f14d5a469 https://github.com/libjpeg-turbo/libjpeg-turbo/commit/c7ca521bc85b57d41d3ad4963c13fc0100481084 + https://github.com/libjpeg-turbo/libjpeg-turbo/commit/110d8d6dcafaed517e8f77a6253169535ee3a20e * Deleted unused directories: ci, cmakescripts, doc, java, release, sharedlib, simd/loongson, simd/mips, simd/powerpc, and win * Deleted unused files: appveyor.yml, CMakeLists.txt, doxygen.config, @@ -672,6 +672,8 @@ bad: for (coefi = MIN(cinfo->Ss, 1); coefi <= MAX(cinfo->Se, 9); coefi++) { if (cinfo->input_scan_number > 1) prev_coef_bit_ptr[coefi] = coef_bit_ptr[coefi]; + else + prev_coef_bit_ptr[coefi] = 0; } for (coefi = cinfo->Ss; coefi <= cinfo->Se; coefi++) { int expected = (coef_bit_ptr[coefi] < 0) ? 0 : coef_bit_ptr[coefi]; @@ -130,6 +130,8 @@ start_pass_phuff_decoder(j_decompress_ptr cinfo) for (coefi = MIN(cinfo->Ss, 1); coefi <= MAX(cinfo->Se, 9); coefi++) { if (cinfo->input_scan_number > 1) prev_coef_bit_ptr[coefi] = coef_bit_ptr[coefi]; + else + prev_coef_bit_ptr[coefi] = 0; } for (coefi = cinfo->Ss; coefi <= cinfo->Se; coefi++) { int expected = (coef_bit_ptr[coefi] < 0) ? 0 : coef_bit_ptr[coefi]; |
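Review bot: In the README.chromium hunk, the three cherry-picked URLs are listed with no indication of what each one fixes, so the next person auditing this tree has to resolve each upstream hash by hand. Suggest appending a short tag to each line, e.g. `https://github.com/libjpeg-turbo/libjpeg-turbo/commit/110d8d6dcafaed517e8f77a6253169535ee3a20e (decompress_smooth_data(): uninitialised read of prev_coef_bits, Chromium bug 1156513)`, taken from the commit message above; the "two" to "three" count change itself matches the one added entry.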
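Review bot: In the jdarith.c hunk (`@@ -672,6 +672,8 @@`), the new `else prev_coef_bit_ptr[coefi] = 0;` branch only runs when `cinfo->input_scan_number` is 1, i.e. it keys off the global scan counter, not off whether this component has been seen before. A component whose first scan is scan 2 or later takes the existing copy branch `prev_coef_bit_ptr[coefi] = coef_bit_ptr[coefi];` and therefore depends on `coef_bit_ptr[]` already holding defined values for that component; that invariant is not stated anywhere in the hunk. Suggest a one-line comment above the `if` recording both why the zeroing is needed (smoothing_ok() copies prev_coef_bits before the second scan, and MSan flagged the uninitialised read for components absent from scan 1) and that the copy branch relies on coef_bits being initialised at decoder setup. The zeroing also covers only `MIN(cinfo->Ss, 1)` to `MAX(cinfo->Se, 9)`, the same range as the copy, so it is worth confirming in that comment that the smoothing code never reads prev_coef_bits past index 9.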
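Review bot: The jdphuff.c hunk (`@@ -130,6 +130,8 @@ start_pass_phuff_decoder`) is a byte-for-byte duplicate of the jdarith.c change, which is how the original regression (42825b6) reached both decoders and how this fix had to be applied twice. Suggest either hoisting the `prev_coef_bit_ptr` initialisation into the shared per-pass setup, or zeroing `prev_coef_bits` once when the latch arrays are allocated so neither start_pass routine has to special-case `input_scan_number > 1`; failing that, a comment in each file pointing at the other copy ("keep in sync with jdarith.c/jdphuff.c") would at least make the pairing visible. Also worth noting in the change description that the cherry-pick carries no regression test for the malformed Y/Cb/Cr-then-Y-only DC scan layout, so coverage rests on the Chromium MSan fuzzers that found it.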