diff options
| author | noel@chromium.org <noel@chromium.org@4ff67af0-8c30-449e-8e8b-ad334ec8d88c> | 2014-04-14 06:56:00 +0000 |
|---|---|---|
| committer | noel@chromium.org <noel@chromium.org@4ff67af0-8c30-449e-8e8b-ad334ec8d88c> | 2014-04-14 06:56:00 +0000 |
| commit | 3395bcc26e390d2960d15020d4a4d27ae0c122fe (patch) | |
| tree | 70d532ca62c1eb0b3c8d44f818dc304a9a2a80ae /jdmarker.c | |
| parent | 24cafe92b7a98c36a8062e1ac2fef9832588ac85 (diff) | |
Upgrade libjpeg_turbo to 1.3.1 (r1219)
Remove google.jdmarker.patch, since the fixes for CVE-2013-6629
and CVE-2013-6630 are upstream most everywhere now [1]. Version
number to 1.3.1 (config.h, jconfig.h).
README.chromium: "Fixed valgrind error" patch was upstreamed in
r839 http://sourceforge.net/p/libjpeg-turbo/code/839. The r1188
cherry-pick was put in config.h, say that.
[1] http://seclists.org/fulldisclosure/2013/Nov/83
TBR=darin@chromium.org
BUG=258723, 299835
Review URL: https://codereview.appspot.com/87110044
git-svn-id: http://src.chromium.org/svn/trunk/deps/third_party/libjpeg_turbo@263594 4ff67af0-8c30-449e-8e8b-ad334ec8d88c
Diffstat (limited to 'jdmarker.c')
| -rw-r--r-- | jdmarker.c | 18 |
1 files changed, 11 insertions, 7 deletions
@@ -1,9 +1,10 @@ /* * jdmarker.c * + * This file was part of the Independent JPEG Group's software: * Copyright (C) 1991-1998, Thomas G. Lane. + * libjpeg-turbo Modifications: * Copyright (C) 2012, D. R. Commander. - * This file is part of the Independent JPEG Group's software. * For conditions of distribution and use, see the accompanying README file. * * This file contains routines to decode JPEG datastream markers. @@ -303,7 +304,7 @@ get_sos (j_decompress_ptr cinfo) /* Process a SOS marker */ { INT32 length; - int i, ci, n, c, cc; + int i, ci, n, c, cc, pi; jpeg_component_info * compptr; INPUT_VARS(cinfo); @@ -349,9 +350,10 @@ get_sos (j_decompress_ptr cinfo) compptr->dc_tbl_no, compptr->ac_tbl_no); /* This CSi (cc) should differ from the previous CSi */ - for (ci = 0; ci < i; ci++) { - if (cinfo->cur_comp_info[ci] == compptr) + for (pi = 0; pi < i; pi++) { + if (cinfo->cur_comp_info[pi] == compptr) { ERREXIT1(cinfo, JERR_BAD_COMPONENT_ID, cc); + } } } @@ -471,18 +473,20 @@ get_dht (j_decompress_ptr cinfo) INPUT_BYTE(cinfo, huffval[i], return FALSE); MEMZERO(&huffval[count], (256 - count) * SIZEOF(UINT8)); + length -= count; if (index & 0x10) { /* AC table definition */ index -= 0x10; + if (index < 0 || index >= NUM_HUFF_TBLS) + ERREXIT1(cinfo, JERR_DHT_INDEX, index); htblptr = &cinfo->ac_huff_tbl_ptrs[index]; } else { /* DC table definition */ + if (index < 0 || index >= NUM_HUFF_TBLS) + ERREXIT1(cinfo, JERR_DHT_INDEX, index); htblptr = &cinfo->dc_huff_tbl_ptrs[index]; } - if (index < 0 || index >= NUM_HUFF_TBLS) - ERREXIT1(cinfo, JERR_DHT_INDEX, index); - if (*htblptr == NULL) *htblptr = jpeg_alloc_huff_table((j_common_ptr) cinfo); |