From: DRC Date: Sun, 24 Jun 2018 22:31:15 +0000 (-0500) Subject: Fix infinite loop in partial image decompression X-Git-Tag: 2.0.0~12 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=26f109290dc4ffc9c522d9f5d5a7d5d1ee2c0e0a;p=libjpeg-turbo Fix infinite loop in partial image decompression ... caused by using certain specific combinations of jpeg_skip_scanlines() and jpeg_read_scanlines() calls with progressive, vertically-subsampled JPEG images. Fixes #237 --- diff --git a/ChangeLog.md b/ChangeLog.md index ade31c5..f64866e 100644 --- a/ChangeLog.md +++ b/ChangeLog.md @@ -35,6 +35,11 @@ the header specified an image width of 1073741824 pixels, would trigger a floating point exception (division by zero) in the `tjLoadImage()` function when attempting to load the BMP file into a 4-component image buffer. +5. Fixed an issue whereby certain combinations of calls to +`jpeg_skip_scanlines()` and `jpeg_read_scanlines()` could trigger an infinite +loop when decompressing progressive JPEG images that use vertical chroma +subsampling (for instance, 4:2:0 or 4:4:0.) + 1.5.90 (2.0 beta1) ================== diff --git a/jdapistd.c b/jdapistd.c index 0e0642b..50c84c3 100644 --- a/jdapistd.c +++ b/jdapistd.c @@ -4,7 +4,7 @@ * This file was part of the Independent JPEG Group's software: * Copyright (C) 1994-1996, Thomas G. Lane. * libjpeg-turbo Modifications: - * Copyright (C) 2010, 2015-2017, D. R. Commander. + * Copyright (C) 2010, 2015-2018, D. R. Commander. * Copyright (C) 2015, Google, Inc. * For conditions of distribution and use, see the accompanying README.ijg * file. 
@@ -479,7 +479,7 @@ jpeg_skip_scanlines(j_decompress_ptr cinfo, JDIMENSION num_lines) if (cinfo->upsample->need_context_rows) { cinfo->output_scanline += lines_to_skip; cinfo->output_iMCU_row += lines_to_skip / lines_per_iMCU_row; - main_ptr->iMCU_row_ctr += lines_after_iMCU_row / lines_per_iMCU_row; + main_ptr->iMCU_row_ctr += lines_to_skip / lines_per_iMCU_row; /* It is complex to properly move to the middle of a context block, so * read the remaining lines instead of skipping them. */
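Review bot: In the ChangeLog.md hunk, new entry 5 identifies the trigger only as "certain combinations of calls", so a reader cannot tell from the entry whether their own use of `jpeg_skip_scanlines()` is affected. Suggest tying the entry to the report the commit message cites (#237) or naming the condition more concretely. As a style point, the closing `4:4:0.)` puts the sentence period inside the parenthesis; `4:4:0).` reads more cleanly.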
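Review bot: In the jdapistd.c hunk at `@@ -479,7 +479,7 @@`, inside the `need_context_rows` branch of `jpeg_skip_scanlines()`, the corrected line `main_ptr->iMCU_row_ctr += lines_to_skip / lines_per_iMCU_row;` differs from the buggy one by a single identifier and carries no comment, so the `lines_after_iMCU_row` mix-up is easy to reintroduce. Suggest computing `lines_to_skip / lines_per_iMCU_row` once into a local and adding it to both `cinfo->output_iMCU_row` and `main_ptr->iMCU_row_ctr`, with a one-line comment that the two counters advance by the same amount here. No test change is visible in this patch; a regression case that mixes `jpeg_skip_scanlines()` and `jpeg_read_scanlines()` on a progressive, vertically-subsampled image, run under a timeout, would catch a return of the hang.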