From: DRC Date: Sun, 6 Mar 2016 14:15:04 +0000 (-0600) Subject: Ensure that default Huffman tables are initialized X-Git-Tag: 1.5.0~24^2 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=a572622dd654305c86585724c2a1ea34e22c2103;p=libjpeg-turbo Ensure that default Huffman tables are initialized This prevents a malformed motion-JPEG frame (MJPEG frames lack Huffman tables) from causing the "fast path" of the Huffman decoder to read uninitialized memory. Essentially, this is doing the same thing for MJPEG frames as 43d8cf4d4572fa50a37cccadbe71b9bee37de55d did for regular images. --- diff --git a/ChangeLog.txt b/ChangeLog.txt index 90e67f3..fdb1758 100644 --- a/ChangeLog.txt +++ b/ChangeLog.txt @@ -22,6 +22,9 @@ decoder only if there are > 512 bytes of data in the input buffer. [3] Fixed a memory leak in tjunittest encountered when running the program with the -yuv option. +[4] Fixed an issue whereby a malformed motion-JPEG frame could cause the "fast +path" of libjpeg-turbo's Huffman decoder to read from uninitialized memory. + 1.4.2 ===== diff --git a/jstdhuff.c b/jstdhuff.c index a6eb2d8..717c134 100644 --- a/jstdhuff.c +++ b/jstdhuff.c @@ -41,6 +41,7 @@ add_huff_table (j_common_ptr cinfo, ERREXIT(cinfo, JERR_BAD_HUFF_TABLE); MEMCOPY((*htblptr)->huffval, val, nsymbols * sizeof(UINT8)); + MEMZERO(&((*htblptr)->huffval[nsymbols]), (256 - nsymbols) * sizeof(UINT8)); /* Initialize sent_table FALSE so table will be written to JPEG file. */ (*htblptr)->sent_table = FALSE;
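Review bot: Entry [4] in ChangeLog.txt says what could go wrong but not when; the commit message is more specific (MJPEG frames lack Huffman tables, so the default tables are the ones that must be initialized). Suggest adding that the issue concerns frames decoded with the default Huffman tables, so that a reader of the ChangeLog can tell whether their use of the library is affected.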
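Review bot: In the jstdhuff.c hunk (add_huff_table), the new MEMZERO line hard-codes 256 as the size of huffval and carries no comment explaining why the tail is cleared. If huffval is a fixed-size array, deriving the length from it, for example sizeof((*htblptr)->huffval) - nsymbols * sizeof(UINT8), keeps the two from drifting apart. A one-line comment would also help, saying that the entries past nsymbols must be defined because, per the commit message, the decoder's fast path can otherwise read uninitialized memory on a malformed frame. The expression (256 - nsymbols) is only safe if the condition guarding ERREXIT(cinfo, JERR_BAD_HUFF_TABLE) rejects nsymbols greater than 256; that condition is outside the visible context, so it is worth confirming before merge.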