c/libjpeg-turbo
1
0
Fork 0
mirror of https://github.com/libjpeg-turbo/libjpeg-turbo synced 2025-03-28 21:13:18 +00:00
Code Issues Packages Projects Releases Wiki Activity

Ensure methods called by global funcs are init'd

Browse Source 
If a hypothetical calling application does something really stupid and
changes cinfo->data_precision after calling jpeg_start_*compress(), then
the precision-specific methods called by jpeg_write_scanlines(),
jpeg_write_raw_data(), jpeg_finish_compress(), jpeg_read_scanlines(),
jpeg_read_raw_data(), or jpeg_start_output() may not be initialized.

Ensure that the first precision-specific method (which will always be
cinfo->main->process_data*(), cinfo->coef->compress_data*(), or
cinfo->coef->decompress_data()) called by any global function that may
be called after jpeg_start_*compress() is initialized and non-NULL.
This increases the likelihood (but does not guarantee) that a
hypothetical stupid calling application will fail gracefully rather than
segfault if it changes cinfo->data_precision after calling
jpeg_start_*compress().  A hypothetical stupid calling application can
still bork itself by changing cinfo->data_precision after initializing
the source manager but before calling jpeg_start_compress(), or after
initializing the destination manager but before calling
jpeg_start_decompress().
This commit is contained in:
DRC 2024-12-18 12:50:38 -05:00
parent cc095fee7b
commit e0e18dea54
9 changed files with 44 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
CMakeLists.txt
View File

@ -5,7 +5,7 @@ if(CMAKE_EXECUTABLE_SUFFIX)
endif()
project(libjpeg-turbo C)
set(VERSION 3.1.0)
set(VERSION 3.1.1)
set(COPYRIGHT_YEAR "1991-2024")
string(REPLACE "." ";" VERSION_TRIPLET ${VERSION})
list(GET VERSION_TRIPLET 0 VERSION_MAJOR)

11
ChangeLog.md
View File

@ -1,3 +1,14 @@
3.1.1
=====
### Significant changes relative to 3.1.0:
1. Hardened the libjpeg API against hypothetical calling applications that may
erroneously change the value of the `data_precision` field in
`jpeg_compress_struct` or `jpeg_decompress_struct` after calling
`jpeg_start_compress()` or `jpeg_start_decompress()`.
3.1.0
=====

6
src/jcapimin.c
View File

@ -195,13 +195,19 @@ jpeg_finish_compress(j_compress_ptr cinfo)
* all work is being done from the coefficient buffer.
*/
if (cinfo->data_precision <= 8) {
if (cinfo->coef->compress_data == NULL)
ERREXIT1(cinfo, JERR_BAD_PRECISION, cinfo->data_precision);
if (!(*cinfo->coef->compress_data) (cinfo, (JSAMPIMAGE)NULL))
ERREXIT(cinfo, JERR_CANT_SUSPEND);
} else if (cinfo->data_precision <= 12) {
if (cinfo->coef->compress_data_12 == NULL)
ERREXIT1(cinfo, JERR_BAD_PRECISION, cinfo->data_precision);
if (!(*cinfo->coef->compress_data_12) (cinfo, (J12SAMPIMAGE)NULL))
ERREXIT(cinfo, JERR_CANT_SUSPEND);
} else {
#ifdef C_LOSSLESS_SUPPORTED
if (cinfo->coef->compress_data_16 == NULL)
ERREXIT1(cinfo, JERR_BAD_PRECISION, cinfo->data_precision);
if (!(*cinfo->coef->compress_data_16) (cinfo, (J16SAMPIMAGE)NULL))
ERREXIT(cinfo, JERR_CANT_SUSPEND);
#else

4
src/jcapistd.c
View File

@ -130,6 +130,8 @@ _jpeg_write_scanlines(j_compress_ptr cinfo, _JSAMPARRAY scanlines,
num_lines = rows_left;
row_ctr = 0;
if (cinfo->main->_process_data == NULL)
ERREXIT1(cinfo, JERR_BAD_PRECISION, cinfo->data_precision);
(*cinfo->main->_process_data) (cinfo, scanlines, &row_ctr, num_lines);
cinfo->next_scanline += row_ctr;
return row_ctr;
@ -187,6 +189,8 @@ _jpeg_write_raw_data(j_compress_ptr cinfo, _JSAMPIMAGE data,
ERREXIT(cinfo, JERR_BUFFER_SIZE);
/* Directly compress the row. */
if (cinfo->coef->_compress_data == NULL)
ERREXIT1(cinfo, JERR_BAD_PRECISION, cinfo->data_precision);
if (!(*cinfo->coef->_compress_data) (cinfo, data)) {
/* If compressor did not consume the whole row, suspend processing. */
return 0;

3
src/jccoefct.c
View File

@ -4,7 +4,7 @@
* This file was part of the Independent JPEG Group's software:
* Copyright (C) 1994-1997, Thomas G. Lane.
* libjpeg-turbo Modifications:
* Copyright (C) 2022, D. R. Commander.
* Copyright (C) 2022, 2024, D. R. Commander.
* For conditions of distribution and use, see the accompanying README.ijg
* file.
*
@ -414,6 +414,7 @@ _jinit_c_coef_controller(j_compress_ptr cinfo, boolean need_full_buffer)
coef = (my_coef_ptr)
(*cinfo->mem->alloc_small) ((j_common_ptr)cinfo, JPOOL_IMAGE,
sizeof(my_coef_controller));
memset(coef, 0, sizeof(my_coef_controller));
cinfo->coef = (struct jpeg_c_coef_controller *)coef;
coef->pub.start_pass = start_pass_coef;

1
src/jcmainct.c
View File

@ -159,6 +159,7 @@ _jinit_c_main_controller(j_compress_ptr cinfo, boolean need_full_buffer)
main_ptr = (my_main_ptr)
(*cinfo->mem->alloc_small) ((j_common_ptr)cinfo, JPOOL_IMAGE,
sizeof(my_main_controller));
memset(main_ptr, 0, sizeof(my_main_controller));
cinfo->main = (struct jpeg_c_main_controller *)main_ptr;
main_ptr->pub.start_pass = start_pass_main;

19
src/jdapistd.c
View File

@ -128,19 +128,28 @@ output_pass_setup(j_decompress_ptr cinfo)
}
/* Process some data */
last_scanline = cinfo->output_scanline;
if (cinfo->data_precision <= 8)
if (cinfo->data_precision <= 8) {
if (cinfo->main->process_data == NULL)
ERREXIT1(cinfo, JERR_BAD_PRECISION, cinfo->data_precision);
(*cinfo->main->process_data) (cinfo, (JSAMPARRAY)NULL,
&cinfo->output_scanline, (JDIMENSION)0);
else if (cinfo->data_precision <= 12)
} else if (cinfo->data_precision <= 12) {
if (cinfo->main->process_data_12 == NULL)
ERREXIT1(cinfo, JERR_BAD_PRECISION, cinfo->data_precision);
(*cinfo->main->process_data_12) (cinfo, (J12SAMPARRAY)NULL,
&cinfo->output_scanline,
(JDIMENSION)0);
} else {
#ifdef D_LOSSLESS_SUPPORTED
else
if (cinfo->main->process_data_16 == NULL)
ERREXIT1(cinfo, JERR_BAD_PRECISION, cinfo->data_precision);
(*cinfo->main->process_data_16) (cinfo, (J16SAMPARRAY)NULL,
&cinfo->output_scanline,
(JDIMENSION)0);
#else
ERREXIT1(cinfo, JERR_BAD_PRECISION, cinfo->data_precision);
#endif
}
if (cinfo->output_scanline == last_scanline)
return FALSE; /* No progress made, must suspend */
}
@ -345,6 +354,8 @@ _jpeg_read_scanlines(j_decompress_ptr cinfo, _JSAMPARRAY scanlines,
/* Process some data */
row_ctr = 0;
if (cinfo->main->_process_data == NULL)
ERREXIT1(cinfo, JERR_BAD_PRECISION, cinfo->data_precision);
(*cinfo->main->_process_data) (cinfo, scanlines, &row_ctr, max_lines);
cinfo->output_scanline += row_ctr;
return row_ctr;
@ -691,6 +702,8 @@ _jpeg_read_raw_data(j_decompress_ptr cinfo, _JSAMPIMAGE data,
ERREXIT(cinfo, JERR_BUFFER_SIZE);
/* Decompress directly into user's buffer. */
if (cinfo->coef->_decompress_data == NULL)
ERREXIT1(cinfo, JERR_BAD_PRECISION, cinfo->data_precision);
if (!(*cinfo->coef->_decompress_data) (cinfo, data))
return 0; /* suspension forced, can do nothing more */

3
src/jdcoefct.c
View File

@ -5,7 +5,7 @@
* Copyright (C) 1994-1997, Thomas G. Lane.
* libjpeg-turbo Modifications:
* Copyright 2009 Pierre Ossman <ossman@cendio.se> for Cendio AB
* Copyright (C) 2010, 2015-2016, 2019-2020, 2022-2023, D. R. Commander.
* Copyright (C) 2010, 2015-2016, 2019-2020, 2022-2024, D. R. Commander.
* Copyright (C) 2015, 2020, Google, Inc.
* For conditions of distribution and use, see the accompanying README.ijg
* file.
@ -824,6 +824,7 @@ _jinit_d_coef_controller(j_decompress_ptr cinfo, boolean need_full_buffer)
coef = (my_coef_ptr)
(*cinfo->mem->alloc_small) ((j_common_ptr)cinfo, JPOOL_IMAGE,
sizeof(my_coef_controller));
memset(coef, 0, sizeof(my_coef_controller));
cinfo->coef = (struct jpeg_d_coef_controller *)coef;
coef->pub.start_input_pass = start_input_pass;
coef->pub.start_output_pass = start_output_pass;

1
src/jdmainct.c
View File

@ -450,6 +450,7 @@ _jinit_d_main_controller(j_decompress_ptr cinfo, boolean need_full_buffer)
main_ptr = (my_main_ptr)
(*cinfo->mem->alloc_small) ((j_common_ptr)cinfo, JPOOL_IMAGE,
sizeof(my_main_controller));
memset(main_ptr, 0, sizeof(my_main_controller));
cinfo->main = (struct jpeg_d_main_controller *)main_ptr;
main_ptr->pub.start_pass = start_pass_main;