Upgrade libjpeg_turbo to 1.3.1 (r1219)

Remove google.jdmarker.patch, since the fixes for CVE-2013-6629
and CVE-2013-6630 are upstream most everywhere now [1]. Version
number to 1.3.1 (config.h, jconfig.h).

README.chromium: "Fixed valgrind error" patch was upstreamed in
r839 http://sourceforge.net/p/libjpeg-turbo/code/839. The r1188
cherry-pick was put in config.h, say that.

[1] http://seclists.org/fulldisclosure/2013/Nov/83

TBR=darin@chromium.org
BUG=258723, 299835

Review URL: https://codereview.appspot.com/87110044

git-svn-id: http://src.chromium.org/svn/trunk/deps/third_party/libjpeg_turbo@263594 4ff67af0-8c30-449e-8e8b-ad334ec8d88c

1 files changed, 28 insertions, 16 deletions

diff --git a/turbojpeg.c b/turbojpeg.c
index 21599c8..9117273 100644
--- a/turbojpeg.c
+++ b/turbojpeg.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C)2009-2012 D. R. Commander.  All Rights Reserved.
+ * Copyright (C)2009-2012, 2014 D. R. Commander.  All Rights Reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions are met:
@@ -26,7 +26,8 @@
  * POSSIBILITY OF SUCH DAMAGE.
  */
 
-/* TurboJPEG/OSS:  this implements the TurboJPEG API using libjpeg-turbo */
+/* TurboJPEG/LJT:  this implements the TurboJPEG API using libjpeg or
+   libjpeg-turbo */
 
 #include <stdio.h>
 #include <stdlib.h>
@@ -518,9 +519,9 @@ DLLEXPORT unsigned long DLLCALL tjBufSize(int width, int height,
 	if(width<1 || height<1 || jpegSubsamp<0 || jpegSubsamp>=NUMSUBOPT)
 		_throw("tjBufSize(): Invalid argument");
 
-	// This allows for rare corner cases in which a JPEG image can actually be
-	// larger than the uncompressed input (we wouldn't mention it if it hadn't
-	// happened before.)
+	/* This allows for rare corner cases in which a JPEG image can actually be
+	   larger than the uncompressed input (we wouldn't mention it if it hadn't
+	   happened before.) */
 	mcuw=tjMCUWidth[jpegSubsamp];
 	mcuh=tjMCUHeight[jpegSubsamp];
 	chromasf=jpegSubsamp==TJSAMP_GRAY? 0: 4*64/(mcuw*mcuh);
@@ -530,16 +531,15 @@ DLLEXPORT unsigned long DLLCALL tjBufSize(int width, int height,
 	return retval;
 }
 
-
 DLLEXPORT unsigned long DLLCALL TJBUFSIZE(int width, int height)
 {
 	unsigned long retval=0;
 	if(width<1 || height<1)
 		_throw("TJBUFSIZE(): Invalid argument");
 
-	// This allows for rare corner cases in which a JPEG image can actually be
-	// larger than the uncompressed input (we wouldn't mention it if it hadn't
-	// happened before.)
+	/* This allows for rare corner cases in which a JPEG image can actually be
+	   larger than the uncompressed input (we wouldn't mention it if it hadn't
+	   happened before.) */
 	retval=PAD(width, 16) * PAD(height, 16) * 6 + 2048;
 
 	bailout:
@@ -686,8 +686,6 @@ DLLEXPORT int DLLCALL tjEncodeYUV2(tjhandle handle, unsigned char *srcBuf,
 	#endif
 
 	getinstance(handle);
-	if((this->init&COMPRESS)==0)
-		_throw("tjEncodeYUV2(): Instance has not been initialized for compression");
 
 	for(i=0; i<MAX_COMPONENTS; i++)
 	{
@@ -695,6 +693,9 @@ DLLEXPORT int DLLCALL tjEncodeYUV2(tjhandle handle, unsigned char *srcBuf,
 		tmpbuf2[i]=NULL;  _tmpbuf2[i]=NULL;  outbuf[i]=NULL;
 	}
 
+	if((this->init&COMPRESS)==0)
+		_throw("tjEncodeYUV2(): Instance has not been initialized for compression");
+
 	if(srcBuf==NULL || width<=0 || pitch<0 || height<=0 || pixelFormat<0
 		|| pixelFormat>=TJ_NUMPF || dstBuf==NULL || subsamp<0
 		|| subsamp>=NUMSUBOPT)
@@ -727,10 +728,20 @@ DLLEXPORT int DLLCALL tjEncodeYUV2(tjhandle handle, unsigned char *srcBuf,
 	else if(flags&TJFLAG_FORCESSE2) putenv("JSIMD_FORCESSE2=1");
 
 	yuvsize=tjBufSizeYUV(width, height, subsamp);
-	jpeg_mem_dest_tj(cinfo, &dstBuf, &yuvsize, 0);
 	if(setCompDefaults(cinfo, pixelFormat, subsamp, -1, flags)==-1) return -1;
 
-	jpeg_start_compress(cinfo, TRUE);
+	/* Execute only the parts of jpeg_start_compress() that we need.  If we
+	   were to call the whole jpeg_start_compress() function, then it would try
+	   to write the file headers, which could overflow the output buffer if the
+	   YUV image were very small. */
+	if(cinfo->global_state!=CSTATE_START)
+		_throw("tjEncodeYUV3(): libjpeg API is in the wrong state");
+	(*cinfo->err->reset_error_mgr)((j_common_ptr)cinfo);
+	jinit_c_master_control(cinfo, FALSE);
+	jinit_color_converter(cinfo);
+	jinit_downsampler(cinfo);
+	(*cinfo->cconvert->start_pass)(cinfo);
+
 	pw=PAD(width, cinfo->max_h_samp_factor);
 	ph=PAD(height, cinfo->max_v_samp_factor);
 
@@ -972,7 +983,7 @@ DLLEXPORT int DLLCALL tjDecompress2(tjhandle handle, unsigned char *jpegBuf,
 		scaledw=TJSCALED(jpegwidth, sf[i]);
 		scaledh=TJSCALED(jpegheight, sf[i]);
 		if(scaledw<=width && scaledh<=height)
-				break;
+			break;
 	}
 	if(scaledw>width || scaledh>height)
 		_throw("tjDecompress2(): Could not scale down to desired image dimensions");
@@ -1048,14 +1059,15 @@ DLLEXPORT int DLLCALL tjDecompressToYUV(tjhandle handle,
 	JSAMPLE *_tmpbuf=NULL, *ptr=dstBuf;  JSAMPROW *tmpbuf[MAX_COMPONENTS];
 
 	getinstance(handle);
-	if((this->init&DECOMPRESS)==0)
-		_throw("tjDecompressToYUV(): Instance has not been initialized for decompression");
 
 	for(i=0; i<MAX_COMPONENTS; i++)
 	{
 		tmpbuf[i]=NULL;  outbuf[i]=NULL;
 	}
 
+	if((this->init&DECOMPRESS)==0)
+		_throw("tjDecompressToYUV(): Instance has not been initialized for decompression");
+
 	if(jpegBuf==NULL || jpegSize<=0 || dstBuf==NULL)
 		_throw("tjDecompressToYUV(): Invalid argument");