diff --git a/CMakeLists.txt b/CMakeLists.txt index 9c4e5e2d..dc808786 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -5,7 +5,7 @@ if(CMAKE_EXECUTABLE_SUFFIX) endif() project(libjpeg-turbo C) -set(VERSION 3.1.0) +set(VERSION 3.1.1) set(COPYRIGHT_YEAR "1991-2024") string(REPLACE "." ";" VERSION_TRIPLET ${VERSION}) list(GET VERSION_TRIPLET 0 VERSION_MAJOR) diff --git a/ChangeLog.md b/ChangeLog.md index 556e1287..91367a67 100644 --- a/ChangeLog.md +++ b/ChangeLog.md @@ -1,3 +1,14 @@ +3.1.1 +===== + +### Significant changes relative to 3.1.0: + +1. Hardened the libjpeg API against hypothetical calling applications that may +erroneously change the value of the `data_precision` field in +`jpeg_compress_struct` or `jpeg_decompress_struct` after calling +`jpeg_start_compress()` or `jpeg_start_decompress()`. + + 3.1.0 ===== diff --git a/src/jcapimin.c b/src/jcapimin.c index eb4599fb..e9956903 100644 --- a/src/jcapimin.c +++ b/src/jcapimin.c @@ -195,13 +195,19 @@ jpeg_finish_compress(j_compress_ptr cinfo) * all work is being done from the coefficient buffer. */ if (cinfo->data_precision <= 8) { + if (cinfo->coef->compress_data == NULL) + ERREXIT1(cinfo, JERR_BAD_PRECISION, cinfo->data_precision); if (!(*cinfo->coef->compress_data) (cinfo, (JSAMPIMAGE)NULL)) ERREXIT(cinfo, JERR_CANT_SUSPEND); } else if (cinfo->data_precision <= 12) { + if (cinfo->coef->compress_data_12 == NULL) + ERREXIT1(cinfo, JERR_BAD_PRECISION, cinfo->data_precision); if (!(*cinfo->coef->compress_data_12) (cinfo, (J12SAMPIMAGE)NULL)) ERREXIT(cinfo, JERR_CANT_SUSPEND); } else { #ifdef C_LOSSLESS_SUPPORTED + if (cinfo->coef->compress_data_16 == NULL) + ERREXIT1(cinfo, JERR_BAD_PRECISION, cinfo->data_precision); if (!(*cinfo->coef->compress_data_16) (cinfo, (J16SAMPIMAGE)NULL)) ERREXIT(cinfo, JERR_CANT_SUSPEND); #else diff --git a/src/jcapistd.c b/src/jcapistd.c index 2226094b..b61590df 100644 --- a/src/jcapistd.c +++ b/src/jcapistd.c @@ -130,6 +130,8 @@ _jpeg_write_scanlines(j_compress_ptr cinfo, _JSAMPARRAY scanlines, num_lines = rows_left; row_ctr = 0; + if (cinfo->main->_process_data == NULL) + ERREXIT1(cinfo, JERR_BAD_PRECISION, cinfo->data_precision); (*cinfo->main->_process_data) (cinfo, scanlines, &row_ctr, num_lines); cinfo->next_scanline += row_ctr; return row_ctr; @@ -187,6 +189,8 @@ _jpeg_write_raw_data(j_compress_ptr cinfo, _JSAMPIMAGE data, ERREXIT(cinfo, JERR_BUFFER_SIZE); /* Directly compress the row. */ + if (cinfo->coef->_compress_data == NULL) + ERREXIT1(cinfo, JERR_BAD_PRECISION, cinfo->data_precision); if (!(*cinfo->coef->_compress_data) (cinfo, data)) { /* If compressor did not consume the whole row, suspend processing. */ return 0; diff --git a/src/jccoefct.c b/src/jccoefct.c index 2a5dde2d..4a47b3cb 100644 --- a/src/jccoefct.c +++ b/src/jccoefct.c @@ -4,7 +4,7 @@ * This file was part of the Independent JPEG Group's software: * Copyright (C) 1994-1997, Thomas G. Lane. * libjpeg-turbo Modifications: - * Copyright (C) 2022, D. R. Commander. + * Copyright (C) 2022, 2024, D. R. Commander. * For conditions of distribution and use, see the accompanying README.ijg * file. * @@ -414,6 +414,7 @@ _jinit_c_coef_controller(j_compress_ptr cinfo, boolean need_full_buffer) coef = (my_coef_ptr) (*cinfo->mem->alloc_small) ((j_common_ptr)cinfo, JPOOL_IMAGE, sizeof(my_coef_controller)); + memset(coef, 0, sizeof(my_coef_controller)); cinfo->coef = (struct jpeg_c_coef_controller *)coef; coef->pub.start_pass = start_pass_coef; diff --git a/src/jcmainct.c b/src/jcmainct.c index 954e9401..b72f8deb 100644 --- a/src/jcmainct.c +++ b/src/jcmainct.c @@ -159,6 +159,7 @@ _jinit_c_main_controller(j_compress_ptr cinfo, boolean need_full_buffer) main_ptr = (my_main_ptr) (*cinfo->mem->alloc_small) ((j_common_ptr)cinfo, JPOOL_IMAGE, sizeof(my_main_controller)); + memset(main_ptr, 0, sizeof(my_main_controller)); cinfo->main = (struct jpeg_c_main_controller *)main_ptr; main_ptr->pub.start_pass = start_pass_main; diff --git a/src/jdapistd.c b/src/jdapistd.c index d0e5c0e5..a53b86b1 100644 --- a/src/jdapistd.c +++ b/src/jdapistd.c @@ -128,19 +128,28 @@ output_pass_setup(j_decompress_ptr cinfo) } /* Process some data */ last_scanline = cinfo->output_scanline; - if (cinfo->data_precision <= 8) + if (cinfo->data_precision <= 8) { + if (cinfo->main->process_data == NULL) + ERREXIT1(cinfo, JERR_BAD_PRECISION, cinfo->data_precision); (*cinfo->main->process_data) (cinfo, (JSAMPARRAY)NULL, &cinfo->output_scanline, (JDIMENSION)0); - else if (cinfo->data_precision <= 12) + } else if (cinfo->data_precision <= 12) { + if (cinfo->main->process_data_12 == NULL) + ERREXIT1(cinfo, JERR_BAD_PRECISION, cinfo->data_precision); (*cinfo->main->process_data_12) (cinfo, (J12SAMPARRAY)NULL, &cinfo->output_scanline, (JDIMENSION)0); + } else { #ifdef D_LOSSLESS_SUPPORTED - else + if (cinfo->main->process_data_16 == NULL) + ERREXIT1(cinfo, JERR_BAD_PRECISION, cinfo->data_precision); (*cinfo->main->process_data_16) (cinfo, (J16SAMPARRAY)NULL, &cinfo->output_scanline, (JDIMENSION)0); +#else + ERREXIT1(cinfo, JERR_BAD_PRECISION, cinfo->data_precision); #endif + } if (cinfo->output_scanline == last_scanline) return FALSE; /* No progress made, must suspend */ } @@ -345,6 +354,8 @@ _jpeg_read_scanlines(j_decompress_ptr cinfo, _JSAMPARRAY scanlines, /* Process some data */ row_ctr = 0; + if (cinfo->main->_process_data == NULL) + ERREXIT1(cinfo, JERR_BAD_PRECISION, cinfo->data_precision); (*cinfo->main->_process_data) (cinfo, scanlines, &row_ctr, max_lines); cinfo->output_scanline += row_ctr; return row_ctr; @@ -691,6 +702,8 @@ _jpeg_read_raw_data(j_decompress_ptr cinfo, _JSAMPIMAGE data, ERREXIT(cinfo, JERR_BUFFER_SIZE); /* Decompress directly into user's buffer. */ + if (cinfo->coef->_decompress_data == NULL) + ERREXIT1(cinfo, JERR_BAD_PRECISION, cinfo->data_precision); if (!(*cinfo->coef->_decompress_data) (cinfo, data)) return 0; /* suspension forced, can do nothing more */ diff --git a/src/jdcoefct.c b/src/jdcoefct.c index 40ce2725..194d5a5c 100644 --- a/src/jdcoefct.c +++ b/src/jdcoefct.c @@ -5,7 +5,7 @@ * Copyright (C) 1994-1997, Thomas G. Lane. * libjpeg-turbo Modifications: * Copyright 2009 Pierre Ossman for Cendio AB - * Copyright (C) 2010, 2015-2016, 2019-2020, 2022-2023, D. R. Commander. + * Copyright (C) 2010, 2015-2016, 2019-2020, 2022-2024, D. R. Commander. * Copyright (C) 2015, 2020, Google, Inc. * For conditions of distribution and use, see the accompanying README.ijg * file. @@ -824,6 +824,7 @@ _jinit_d_coef_controller(j_decompress_ptr cinfo, boolean need_full_buffer) coef = (my_coef_ptr) (*cinfo->mem->alloc_small) ((j_common_ptr)cinfo, JPOOL_IMAGE, sizeof(my_coef_controller)); + memset(coef, 0, sizeof(my_coef_controller)); cinfo->coef = (struct jpeg_d_coef_controller *)coef; coef->pub.start_input_pass = start_input_pass; coef->pub.start_output_pass = start_output_pass; diff --git a/src/jdmainct.c b/src/jdmainct.c index fed1866e..fc97073e 100644 --- a/src/jdmainct.c +++ b/src/jdmainct.c @@ -450,6 +450,7 @@ _jinit_d_main_controller(j_decompress_ptr cinfo, boolean need_full_buffer) main_ptr = (my_main_ptr) (*cinfo->mem->alloc_small) ((j_common_ptr)cinfo, JPOOL_IMAGE, sizeof(my_main_controller)); + memset(main_ptr, 0, sizeof(my_main_controller)); cinfo->main = (struct jpeg_d_main_controller *)main_ptr; main_ptr->pub.start_pass = start_pass_main;