Fix infinite loop in partial image decompression

... caused by using certain specific combinations of
jpeg_skip_scanlines() and jpeg_read_scanlines() calls with progressive,
vertically-subsampled JPEG images.

Fixes #237

diff --git a/ChangeLog.md b/ChangeLog.md
index 3aa41d173fba9ceee3bc36c02b4c41918c3e6e2a..f762efb3e8a6ff47122e9b645cf1c94bfaeb29d0 100644 (file)
--- a/ChangeLog.md
+++ b/ChangeLog.md
@@ -38,6 +38,11 @@ the underlying library, and because it did not involve any out-of-bounds reads
 or other exploitable behaviors, it was not believed to represent a security
 threat.
 
+6. Fixed an issue whereby certain combinations of calls to
+`jpeg_skip_scanlines()` and `jpeg_read_scanlines()` could trigger an infinite
+loop when decompressing progressive JPEG images that use vertical chroma
+subsampling (for instance, 4:2:0 or 4:4:0.)
+
 
 1.5.3
 =====

diff --git a/jdapistd.c b/jdapistd.c
index 105121df2bef4d6b89eec412192a34ab735c2078..eb6808b6f24adc7ffe3280d824ae67d1cfd772a4 100644 (file)
--- a/jdapistd.c
+++ b/jdapistd.c
@@ -4,7 +4,7 @@
  * This file was part of the Independent JPEG Group's software:
  * Copyright (C) 1994-1996, Thomas G. Lane.
  * libjpeg-turbo Modifications:
- * Copyright (C) 2010, 2015-2017, D. R. Commander.
+ * Copyright (C) 2010, 2015-2018, D. R. Commander.
  * Copyright (C) 2015, Google, Inc.
  * For conditions of distribution and use, see the accompanying README.ijg
  * file.
@@ -481,7 +481,7 @@ jpeg_skip_scanlines (j_decompress_ptr cinfo, JDIMENSION num_lines)
     if (cinfo->upsample->need_context_rows) {
       cinfo->output_scanline += lines_to_skip;
       cinfo->output_iMCU_row += lines_to_skip / lines_per_iMCU_row;
-      main_ptr->iMCU_row_ctr += lines_after_iMCU_row / lines_per_iMCU_row;
+      main_ptr->iMCU_row_ctr += lines_to_skip / lines_per_iMCU_row;
       /* It is complex to properly move to the middle of a context block, so
        * read the remaining lines instead of skipping them.
        */