Silence additional UBSan warnings

NOTE: The jdhuff.c/jdphuff.c warnings should have already been silenced
by 8e9cef2e6f5156c4b055a04a8f979b7291fc6b7a, but apparently I need to
be REALLY clear that I'm trying to do pointer arithmetic rather than
dereference an array.  Grrr...

Refer to:
https://bugzilla.mozilla.org/show_bug.cgi?id=1301250
https://bugzilla.mozilla.org/show_bug.cgi?id=1301256

diff --git a/ChangeLog.md b/ChangeLog.md
index aba5776db6aad61bf464c1308133aafc13ecc782..7cf08c14e58e9b62b3fa0dffc73c000865a93af2 100644 (file)
--- a/ChangeLog.md
+++ b/ChangeLog.md
@@ -69,6 +69,12 @@ affected only 32-bit code and did not pose a security threat, but removing the
 warning makes it easier to detect actual security issues, should they arise in
 the future.
 
+8. Fixed additional negative left shifts and other issues reported by the GCC
+and Clang undefined behavior sanitizers when attempting to decompress
+specially-crafted malformed JPEG images.  None of these issues posed a security
+threat, but removing the warnings makes it easier to detect actual security
+issues, should they arise in the future.
+
 
 1.5.0
 =====

diff --git a/jdarith.c b/jdarith.c
index 98d5fad1525280611a50cee048961aec03537875..df3540eef54504e04bd030c26a01f226a5bd9a0c 100644 (file)
--- a/jdarith.c
+++ b/jdarith.c
@@ -4,7 +4,7 @@
  * This file was part of the Independent JPEG Group's software:
  * Developed 1997-2015 by Guido Vollbeding.
  * libjpeg-turbo Modifications:
- * Copyright (C) 2015, D. R. Commander.
+ * Copyright (C) 2015-2016, D. R. Commander.
  * For conditions of distribution and use, see the accompanying README.ijg
  * file.
  *
@@ -382,7 +382,7 @@ decode_mcu_AC_first (j_decompress_ptr cinfo, JBLOCKROW *MCU_data)
       if (arith_decode(cinfo, st)) v |= m;
     v += 1; if (sign) v = -v;
     /* Scale and output coefficient in natural (dezigzagged) order */
-    (*block)[jpeg_natural_order[k]] = (JCOEF) (v << cinfo->Al);
+    (*block)[jpeg_natural_order[k]] = (JCOEF) ((unsigned)v << cinfo->Al);
   }
 
   return TRUE;

diff --git a/jdhuff.c b/jdhuff.c
index 338f2a49243c6db95bd27a5ea2eb9ce6f2009eb3..bb2b84887cab60f289730d02b519f5c318e79199 100644 (file)
--- a/jdhuff.c
+++ b/jdhuff.c
@@ -109,9 +109,9 @@ start_pass_huff_decoder (j_decompress_ptr cinfo)
     actbl = compptr->ac_tbl_no;
     /* Compute derived values for Huffman tables */
     /* We may do this more than once for a table, but it's not expensive */
-    pdtbl = entropy->dc_derived_tbls + dctbl;
+    pdtbl = (d_derived_tbl **)(entropy->dc_derived_tbls) + dctbl;
     jpeg_make_d_derived_tbl(cinfo, TRUE, dctbl, pdtbl);
-    pdtbl = entropy->ac_derived_tbls + actbl;
+    pdtbl = (d_derived_tbl **)(entropy->ac_derived_tbls) + actbl;
     jpeg_make_d_derived_tbl(cinfo, FALSE, actbl, pdtbl);
     /* Initialize DC predictions to 0 */
     entropy->saved.last_dc_val[ci] = 0;

diff --git a/jdphuff.c b/jdphuff.c
index 42a7068bf1e0c972a5d3aa6d30cce18a9226bb2d..c927ffa071063cfe4efc948aea55e9054f90327f 100644 (file)
--- a/jdphuff.c
+++ b/jdphuff.c
@@ -4,7 +4,7 @@
  * This file was part of the Independent JPEG Group's software:
  * Copyright (C) 1995-1997, Thomas G. Lane.
  * libjpeg-turbo Modifications:
- * Copyright (C) 2015, D. R. Commander.
+ * Copyright (C) 2015-2016, D. R. Commander.
  * For conditions of distribution and use, see the accompanying README.ijg
  * file.
  *
@@ -170,12 +170,12 @@ start_pass_phuff_decoder (j_decompress_ptr cinfo)
     if (is_DC_band) {
       if (cinfo->Ah == 0) {     /* DC refinement needs no table */
         tbl = compptr->dc_tbl_no;
-        pdtbl = entropy->derived_tbls + tbl;
+        pdtbl = (d_derived_tbl **)(entropy->derived_tbls) + tbl;
         jpeg_make_d_derived_tbl(cinfo, TRUE, tbl, pdtbl);
       }
     } else {
       tbl = compptr->ac_tbl_no;
-      pdtbl = entropy->derived_tbls + tbl;
+      pdtbl = (d_derived_tbl **)(entropy->derived_tbls) + tbl;
       jpeg_make_d_derived_tbl(cinfo, FALSE, tbl, pdtbl);
       /* remember the single active table */
       entropy->ac_derived_tbl = entropy->derived_tbls[tbl];