Ensure that default Huffman tables are initialized

This prevents a malformed motion-JPEG frame (MJPEG frames lack Huffman
tables) from causing the "fast path" of the Huffman decoder to read
uninitialized memory.  Essentially, this is doing the same thing for
MJPEG frames as 43d8cf4d4572fa50a37cccadbe71b9bee37de55d did for regular
images.

diff --git a/ChangeLog.txt b/ChangeLog.txt
index 90e67f3b844c12f385b63cdbeaea2b00fed63886..fdb17588283d04d3c700e3bd8c6b6d7deb319e12 100644 (file)
--- a/ChangeLog.txt
+++ b/ChangeLog.txt
@@ -22,6 +22,9 @@ decoder only if there are > 512 bytes of data in the input buffer.
 [3] Fixed a memory leak in tjunittest encountered when running the program
 with the -yuv option.
 
+[4] Fixed an issue whereby a malformed motion-JPEG frame could cause the "fast
+path" of libjpeg-turbo's Huffman decoder to read from uninitialized memory.
+
 
 1.4.2
 =====

diff --git a/jstdhuff.c b/jstdhuff.c
index a6eb2d8a934f01fda2c79cd76ef8641bf7d96701..717c134565de988c14cc5a941f875af1ee693541 100644 (file)
--- a/jstdhuff.c
+++ b/jstdhuff.c
@@ -41,6 +41,7 @@ add_huff_table (j_common_ptr cinfo,
     ERREXIT(cinfo, JERR_BAD_HUFF_TABLE);
 
   MEMCOPY((*htblptr)->huffval, val, nsymbols * sizeof(UINT8));
+  MEMZERO(&((*htblptr)->huffval[nsymbols]), (256 - nsymbols) * sizeof(UINT8));
 
   /* Initialize sent_table FALSE so table will be written to JPEG file. */
   (*htblptr)->sent_table = FALSE;