Fix a segfault that occured in the MIPS DSPr2 fancy upsampling routine when downsampl...

git-svn-id: svn+ssh://svn.code.sf.net/p/libjpeg-turbo/code/branches/1.4.x@1562 632fc199-4ca6-4c93-a231-07263d6284db

diff --git a/ChangeLog.txt b/ChangeLog.txt
index e545606b6b333d34993533bc5a52d26e2205addf..c3b33164cffcde4c19be9a90535653f2ef6840e0 100644 (file)
--- a/ChangeLog.txt
+++ b/ChangeLog.txt
@@ -53,6 +53,10 @@ corrupt, the TurboJPEG decompression functions will attempt to decompress
 as much of the image as possible, but those functions will now return -1 to
 indicate that the decompression was not entirely successful.
 
+[10] Fixed a bug in the MIPS DSPr2 4:2:2 fancy upsampling routine that caused a
+buffer overflow (and subsequent segfault) when decompressing a 4:2:2 JPEG image
+in which the right-most MCU was 5 or 6 pixels wide.
+
 
 1.4.0
 =====

diff --git a/simd/jsimd_mips_dspr2.S b/simd/jsimd_mips_dspr2.S
index 4572a51fa5397f0124f15157bb5f4c7dcae7dd01..c599096577e333cb1a4ade7c921f3027dc728c2a 100644 (file)
--- a/simd/jsimd_mips_dspr2.S
+++ b/simd/jsimd_mips_dspr2.S
@@ -916,7 +916,8 @@ LEAF_MIPS_DSPR2(jsimd_h2v2_fancy_upsample_mips_dspr2)
     srl            t1, t1, 4
     sb             t0, 0(s3)
     sb             t1, 1(s3)
-    addiu          s3, 2
+    beq            t8, s0, 22f     // skip to final iteration if width == 3
+     addiu          s3, 2
 2:
     lh             t0, 0(s0)       // t0 = A3|A2
     lh             t2, 0(s1)       // t2 = B3|B2
@@ -949,6 +950,7 @@ LEAF_MIPS_DSPR2(jsimd_h2v2_fancy_upsample_mips_dspr2)
     sb             t2, 3(s3)
     bne            t8, s0, 2b
      addiu         s3, 4
+22:
     beqz           s5, 4f
      addu          t8, s0, s5
 3: