author    Jonathan Wright <jonathan.wright@arm.com>  2020-12-08 16:53:51 +0000
committer Jonathan Wright <jonathan.wright@arm.com>  2020-12-08 17:26:49 +0000
commit    e9a659a09e9600883e499c06ede04ba514d7f942 (patch)
tree      7ef856d93df0ff38ce97755d5da8a06283e0d5c0 /jdarith.c
parent    bbb828223e9c8f83f0e84db1e98b116029e62765 (diff)
Cherry-pick upstream fix for uninitialised reads
Chromium fuzzers running with MSan found the use of uninitialised values when decoding a progressive JPEG image. This commit cherry-picks the upstream fix:

https://github.com/libjpeg-turbo/libjpeg-turbo/commit/110d8d6dcafaed517e8f77a6253169535ee3a20e

Original commit message:

decompress_smooth_data(): Fix another uninit. read

Regression introduced by 42825b6

The test case https://user-images.githubusercontent.com/3491627/101376530-fde56180-38b0-11eb-938d-734119a5b5ba.jpg is a malformed progressive JPEG image containing an interleaved Y/Cb/Cr DC scan followed by two non-interleaved Y DC scans. Thus, the prev_coef_bits[] array was initialized for the Y component but not the other components, the uninitialized values for Cb and Cr were transferred to the prev_coef_bits_latch[] array in smoothing_ok(), and because cinfo->master->last_good_iMCU_row was 0, decompress_smooth_data() read those uninitialized values when attempting to smooth the second iMCU row.

Possibly fixes #478

Bug: 1156513
Change-Id: Iff97f04dd27ed95050b05dbd1845489555891a9e
Diffstat (limited to 'jdarith.c')

-rw-r--r--  jdarith.c  2

1 files changed, 2 insertions, 0 deletions
diff --git a/jdarith.c b/jdarith.c
index 3c7ac57..7f0d3a7 100644
--- a/jdarith.c
+++ b/jdarith.c
@@ -672,6 +672,8 @@ bad:
for (coefi = MIN(cinfo->Ss, 1); coefi <= MAX(cinfo->Se, 9); coefi++) {
if (cinfo->input_scan_number > 1)
prev_coef_bit_ptr[coefi] = coef_bit_ptr[coefi];
+ else
+ prev_coef_bit_ptr[coefi] = 0;
}
for (coefi = cinfo->Ss; coefi <= cinfo->Se; coefi++) {
int expected = (coef_bit_ptr[coefi] < 0) ? 0 : coef_bit_ptr[coefi];
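Review bot: the new `else` branch closes the gap in the loop at +672: before it, `prev_coef_bit_ptr[coefi]` was only written when `cinfo->input_scan_number > 1`, so on the first scan the entries for every component in that scan (Cb and Cr in the interleaved-DC-first case from the commit message) were left with whatever the allocator handed out, and later scans that never revisited those components propagated the garbage. Two follow-ups worth considering: (1) a one-line comment above `prev_coef_bit_ptr[coefi] = 0;` saying that zero means "no earlier scan for this coefficient, nothing to carry forward", since the guard keys on the global scan counter rather than on per-component history and the intent is not obvious from the value alone; (2) this view is limited to jdarith.c, so confirm the equivalent `prev_coef_bit_ptr` loop in the Huffman progressive decoder's start-of-pass code received the same `else` branch, otherwise the arithmetic path is fixed while the far more common Huffman path still reads uninitialised memory under the same malformed scan sequence.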