From: Darrell Walisser Date: Sat, 16 Jun 2018 22:31:35 +0000 (-0400) Subject: Fix jpeg_skip_scanlines() segfault w/merged upsamp X-Git-Tag: 2.0.0~11 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=398c1e9acc9b4531edceb3d77da0de5744675052;p=libjpeg-turbo Fix jpeg_skip_scanlines() segfault w/merged upsamp Fixes NULL pointer reference when decompressing 4:2:2 or 4:2:0 JPEG images with cinfo.do_fancy_upsampling = FALSE. Closes #244 --- diff --git a/ChangeLog.md b/ChangeLog.md index f64866e..e18a282 100644 --- a/ChangeLog.md +++ b/ChangeLog.md @@ -40,6 +40,10 @@ when attempting to load the BMP file into a 4-component image buffer. loop when decompressing progressive JPEG images that use vertical chroma subsampling (for instance, 4:2:0 or 4:4:0.) +6. Fixed a segfault in `jpeg_skip_scanlines()` that occurred when decompressing +a 4:2:2 or 4:2:0 JPEG image using the merged (non-fancy) upsampling algorithms +(that is, when setting `cinfo.do_fancy_upsampling` to `FALSE`.) + 1.5.90 (2.0 beta1) ================== diff --git a/jdapistd.c b/jdapistd.c index 50c84c3..2c808fa 100644 --- a/jdapistd.c +++ b/jdapistd.c @@ -318,12 +318,15 @@ read_and_discard_scanlines(j_decompress_ptr cinfo, JDIMENSION num_lines) JDIMENSION n; void (*color_convert) (j_decompress_ptr cinfo, JSAMPIMAGE input_buf, JDIMENSION input_row, JSAMPARRAY output_buf, - int num_rows); + int num_rows) = NULL; void (*color_quantize) (j_decompress_ptr cinfo, JSAMPARRAY input_buf, JSAMPARRAY output_buf, int num_rows) = NULL; - color_convert = cinfo->cconvert->color_convert; - cinfo->cconvert->color_convert = noop_convert; + if (cinfo->cconvert && cinfo->cconvert->color_convert) { + color_convert = cinfo->cconvert->color_convert; + cinfo->cconvert->color_convert = noop_convert; + } + if (cinfo->cquantize && cinfo->cquantize->color_quantize) { color_quantize = cinfo->cquantize->color_quantize; cinfo->cquantize->color_quantize = noop_quantize; 
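Review bot: The new `if (cinfo->cconvert && cinfo->cconvert->color_convert)` guard silently tolerates a NULL `cconvert` on a fully initialized decompress object, but nothing in the code says why that pointer can legitimately be NULL; per the commit message it is the merged-upsampling configuration (`do_fancy_upsampling == FALSE` on 4:2:2/4:2:0 input), where color conversion presumably happens inside the upsampler rather than in a separate cconvert stage. I would put that above the guard: `/* cconvert is NULL when the merged upsampler is in use (do_fancy_upsampling == FALSE on 4:2:2/4:2:0 input); it does its own color conversion, so there is nothing here to replace with noop_convert. */`. It is also worth a sentence in that comment that, in this case, skipping does not suppress the conversion work, so the noop shortcut only applies to the non-merged path. The signature of read_and_discard_scanlines and the noop_convert/noop_quantize helpers are outside this hunk.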
@@ -332,7 +335,9 @@ read_and_discard_scanlines(j_decompress_ptr cinfo, JDIMENSION num_lines)
 for (n = 0; n < num_lines; n++)
 jpeg_read_scanlines(cinfo, NULL, 1);
- cinfo->cconvert->color_convert = color_convert;
+ if (color_convert)
+ cinfo->cconvert->color_convert = color_convert;
+ if (color_quantize)
 cinfo->cquantize->color_quantize = color_quantize;
 }
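Review bot: Guarding the restore with `if (color_convert)` keeps the save/restore NULL-safe, but the loop `jpeg_read_scanlines(cinfo, NULL, 1)` just above it still passes a NULL output array down the pipeline; when `cconvert` is absent (the merged-upsampling case this commit targets, per its message) no noop converter is installed, so whichever stage produces the output row — presumably the merged upsampler — receives `output_buf == NULL`. Nothing in this hunk shows that stage tolerating a NULL buffer, so the change may move the crash rather than remove it. I would add a test that calls jpeg_skip_scanlines() on a 4:2:0 image with `cinfo.do_fancy_upsampling = FALSE` and, if the upsampler does write through the buffer, pass a real scratch row (`JSAMPROW dummy_row` pointing at a buffer of output_width * out_color_components samples) instead of NULL. The opening of read_and_discard_scanlines is outside this hunk; the closing `}` here ends it.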