DRC [Fri, 5 Feb 2016 00:34:38 +0000 (18:34 -0600)]
Prevent overread when decoding malformed JPEG
The accelerated Huffman decoder was previously invoked if there were
> 128 bytes in the input buffer. However, it is possible to construct a
JPEG image with Huffman blocks > 430 bytes in length
(http://stackoverflow.com/questions/2734678/jpeg-calculating-max-size).
While such images are pathological and could never be created by a
JPEG compressor, it is conceivable that an attacker could use such an
artifially-constructed image to trigger an input buffer overrun in the
libjpeg-turbo decompressor and thus gain access to some of the data on
the calling program's heap.
This patch simply increases the minimum buffer size for the accelerated
Huffman decoder to 512 bytes, which should (hopefully) accommodate any
possible input.
This addresses a major issue (LJT-01-005) identified in a security audit
by Cure53.
DRC [Tue, 4 Aug 2015 04:58:40 +0000 (23:58 -0500)]
Update x86[-64] assembler recommendations
NASM 2.11.08 has a bug that prevents it from properly assembling a
macho64 version of libjpeg-turbo (the resulting binary generates corrupt
images.) 2.11.09 works properly. YASM also works properly and has been
a supported alternative since libjpeg-turbo 1.2.
DRC [Tue, 4 Aug 2015 04:56:09 +0000 (23:56 -0500)]
Update x86[-64] assembler recommendations
NASM 2.11.08 has a bug that prevents it from properly assembling a
macho64 version of libjpeg-turbo (the resulting binary generates corrupt
images.) 2.11.09 works properly. YASM also works properly and has been
a supported alternative since libjpeg-turbo 1.2.
Fix rare bug: right shift by a negative # of bits
Under very rare circumstances, decompressing specific corrupt JPEG
images would create a situation whereby GET_BITS(1) was invoked
from within HUFF_DECODE_FAST() when bits_left=0. This produced a right
shift by a negative number of bits, which is undefined in C.
Fix rare bug: right shift by a negative # of bits
Under very rare circumstances, decompressing specific corrupt JPEG
images would create a situation whereby GET_BITS(1) was invoked
from within HUFF_DECODE_FAST() when bits_left=0. This produced a right
shift by a negative number of bits, which is undefined in C.
DRC [Tue, 27 Jan 2015 21:00:22 +0000 (21:00 +0000)]
Oops. Need to set the alpha channel when using TYPE_4BYTE_ABGR*. This has no bearing on the actual tests, but it prevents the PNG pre-encode reference images for those tests from being blank.
DRC [Sat, 22 Nov 2014 22:24:41 +0000 (22:24 +0000)]
Fix Huffman local buffer overrun discovered by Debian developers when attempting to transform a junk image using ImageMagick:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=768369
DRC [Fri, 21 Nov 2014 15:33:19 +0000 (15:33 +0000)]
Sometimes the sampling factors in grayscale images can be > 1 (for instance, if compressing using 'cjpeg -sample 2x2 -grayscale'.) Technically, sampling factors have no meaning with grayscale JPEGs, and the libjpeg decompressor ignores them in that case. Thus, the TurboJPEG decompressor should ignore them as well.
DRC [Fri, 22 Aug 2014 19:59:51 +0000 (19:59 +0000)]
Ensure that tjFree() is used for any JPEG buffers that might have been dynamically allocated by the compress/transform functions. To keep things simple, we use tjAlloc() for the statically-allocated buffer as well, so that tjFree() can always be used to free the buffer, regardless of whether it was allocated by tjbench or by the TurboJPEG library. This fixes crashes that occurred on Windows when running tjunittest or tjbench with the -alloc flag.
DRC [Fri, 22 Aug 2014 02:57:34 +0000 (02:57 +0000)]
Extend tjbenchtest so that it tests the dynamic JPEG buffer allocation feature in TurboJPEG. Disable the tiling feature in TJBench whenever dynamic buffer allocation is enabled (because the tiling feature requires a separate buffer for each tile, using it successfully with dynamic buffer allocation would require a separate TurboJPEG compressor instance for each tile, and it's not worth going to that trouble right now.)
DRC [Fri, 22 Aug 2014 02:51:16 +0000 (02:51 +0000)]
Run the TurboJPEG conformance tests out of a directory in /tmp (for improved performance, if the source directory is on a remote file share.) Fix an issue in TJBench.java that prevented it from working properly if the source image resided in a directory with a dot in the name.
DRC [Thu, 21 Aug 2014 03:38:14 +0000 (03:38 +0000)]
Actually, we need to increase the size of BUFSIZE, not just the size of _buffer. The previous patch might have cause problems if, for instance, state->free_in_buffer was 127 but 129 bytes were compressed. In that case, only 127 of the 129 bytes would have been written to the file. Also document the fix.
DRC [Thu, 21 Aug 2014 01:55:22 +0000 (01:55 +0000)]
Fix an extremely rare crash that can occur when compressing a very high-frequency MCU using quality 100 and no subsampling, and when dynamically allocating the JPEG buffer in the destination manager. Even with a test program designed specifically to reproduce the crash, it only occurred once in about 25 million iterations. More details here: https://sourceforge.net/p/libjpeg-turbo/bugs/64
DRC [Thu, 14 Aug 2014 17:24:01 +0000 (17:24 +0000)]
Clean up exception handling in the JNI code. The exception is actually not thrown until the function exits, so we can let the code fall through to bailout: if the TurboJPEG C function fails. Also, per the JNI spec, no other JNI functions can be called between GetPrimitiveArrayCritical() and ReleasePrimitiveArrayCritical(). This hasn't caused any problems thus far, but better safe than sorry.
DRC [Sun, 10 Aug 2014 16:39:32 +0000 (16:39 +0000)]
Fix a display issue in the documentation for tjDecompress2() (doxygen treats a star at the beginning of the line as a list bullet); make the documentation more readable by displaying fixed-width text (which is used to refer to variables and functions) in a different color.
DRC [Sun, 22 Jun 2014 20:38:54 +0000 (20:38 +0000)]
Prevent a buffer overrun if the comment begins with a literal quote character and the string exceeds 65k characters. Also prevent comments longer than 65k characters from being written, since this will produce an incorrect JPEG file.
DRC [Wed, 28 May 2014 20:28:30 +0000 (20:28 +0000)]
Our copyright string is longer than JMSG_LENGTH_MAX, and this was causing a buffer overrun if output_message() was called with msg_code set to JMSG_COPYRIGHT, or if format_message() was called with msg_code set to JMSG_COPYRIGHT and with a buffer of length JMSG_LENGTH_MAX.
We can't simply increase JMSG_LENGTH_MAX, because it is part of the libjpeg API, and it is generally assumed that a buffer of this length will be passed to format_message(). Thus, the easiest solution is simply to use a shorter copyright string for JMSG_COPYRIGHT.
DRC [Wed, 28 May 2014 20:27:42 +0000 (20:27 +0000)]
Our copyright string is longer than JMSG_LENGTH_MAX, and this was causing a buffer overrun if output_message() was called with msg_code set to JMSG_COPYRIGHT, or if format_message() was called with msg_code set to JMSG_COPYRIGHT and with a buffer of length JMSG_LENGTH_MAX.
We can't simply increase JMSG_LENGTH_MAX, because it is part of the libjpeg API, and it is generally assumed that a buffer of this length will be passed to format_message(). Thus, the easiest solution is simply to use a shorter copyright string for JMSG_COPYRIGHT.
DRC [Tue, 13 May 2014 18:41:33 +0000 (18:41 +0000)]
The x86/x86-64 SIMD extensions were originally designed to accommodate changing the value of RGB_*, but this apparently broke when RGB-to-gray colorspace conversion was accelerated. Further, the ARM NEON extensions have always assumed that JCS_RGB behaves identically to JCS_EXT_RGB. Rather than fix these issues, it makes more sense to just stop claiming that we support changing the values of RGB_*, since doing so is no longer necessary.
DRC [Sun, 11 May 2014 09:36:25 +0000 (09:36 +0000)]
Convert tabs to spaces in the libjpeg code and the SIMD code (TurboJPEG retains the use of tabs for historical reasons. They were annoying in the libjpeg code primarily because they were not consistently used and because they were used to format as well as indent the code. In the case of TurboJPEG, tabs are used just to indent the code, so even if the editor assumes a different tab width, the code will still be readable.)
We use __CHAR_UNSIGNED__ (automatically defined by the AC_C_CHAR_UNSIGNED macro) rather than CHAR_IS_UNSIGNED (defined by custom autoconf code in libjpeg that we didn't port over), although I doubt it matters on any of the platforms we support.
This patch accomplishes the following:
-- Auto-generates HAVE_LOCALE_H macro and adds it to jconfig.h (this is used by rdjpgcom.c.)
-- Reconciles the description and ordering of macros between config.h.in and jconfig.h.in, so the two files can be easily diffed.
-- Eliminates the use of the autoheader-generated config.h in the project and moves relevant internal-only macros into a new file, jconfigint.h. This is to avoid "already defined" warnings in files that were including both config.h (to get the internal autotools package information or the INLINE definition) and jconfig.h.
Work around an issue in Visual C++ 2010 and 2013 that was causing the 256-bit bitmap test in the regression tests to fail. More specifically, when optimization is enabled in these versions of Visual C++, the optimizer seems to get confused by the following code block:
Each time cur0 is incremented by delta, the compiled code doubles the value of delta (WTF?!) Thus, by the time the end of the block is reached, cur0 is equal to 15 times its former self, not 7 times its former self as it should be. At any rate, it was a lot simpler to just refactor the code so that it uses multiplication.
Work around an issue in Visual C++ 2010 and 2013 that was causing the 256-bit bitmap test in the regression tests to fail. More specifically, when optimization is enabled in these versions of Visual C++, the optimizer seems to get confused by the following code block:
Each time cur0 is incremented by delta, the compiled code doubles the value of delta (WTF?!) Thus, by the time the end of the block is reached, cur0 is equal to 15 times its former self, not 7 times its former self as it should be. At any rate, it was a lot simpler to just refactor the code so that it uses multiplication.
Set the BUILD environment variable properly when building with MinGW implementations that lack a Unix shell (TDM-GCC, for instance); Only set CMP0022 if it is supported (older CMake implementations don't support it); Remove trailing spaces
DRC [Thu, 27 Mar 2014 20:47:39 +0000 (20:47 +0000)]
Modify svn:ignore so that it lists only files generated in-tree by autoreconf -fiv. It's pretty much impossible to maintain an up-to-date list of files generated by the actual build, so we'll just assume that the user will do an out-of-tree build if they want to avoid cluttering up their 'svn status' display.
DRC [Thu, 27 Mar 2014 03:36:04 +0000 (03:36 +0000)]
Make iOS build instructions more generic and applicable to all versions of Xcode; modify iOS build procedure for Xcode 5.0 and later to fix a build issue with Xcode 5.1.
DRC [Fri, 21 Mar 2014 23:34:53 +0000 (23:34 +0000)]
Since we're now maintaining our own Cygwin pseudo-repository directories instead of recommending that users install these packages from a local source, it makes more sense to name the packages according to Cygwin specs, so they can be copied as-is into the pseudo-repository.
DRC [Fri, 21 Mar 2014 11:00:00 +0000 (11:00 +0000)]
RHEL 6 (and probably other platforms as well) sets _defaultdocdir=%{_datadir}/doc, which screws things up, since we're overriding _datadir. Since we intend _defaultdocdir to be /usr/share/doc, just be explicit about it.
DRC [Mon, 17 Mar 2014 10:12:11 +0000 (10:12 +0000)]
Move the garbage collection of the JPEG tiles into the decompression function to increase the chances that tiled decompression of large images will succeed without an OutOfMemoryError.
DRC [Sat, 15 Mar 2014 13:25:11 +0000 (13:25 +0000)]
Add @Deprecated to the deprecated Java methods, so javac will actually print deprecation warnings, as opposed to just listing the methods as deprecated in javadoc; remove the use of the deprecated methods by our own test programs.
DRC [Tue, 11 Mar 2014 08:28:47 +0000 (08:28 +0000)]
Back-port the -subsamp option from 1.4 rather than use the hackish approach of replacing 4:2:2 with 4:4:0. This has the added advantage of allowing the user to test only a specific level of subsampling.
DRC [Tue, 11 Mar 2014 06:21:46 +0000 (06:21 +0000)]
Fix the build of the Java classes when using MSVC 2010 and later. Something in the recesses of my brain is telling me that I tried this before and it failed under some circumstances, but it must have been a bug in an older CMake implementation. CMake 2.8.8 and later seem to work fine with this patch. This patch also updates the minimum required version to 2.8.8, because 2.8.8 fixed another issue that was preventing the SIMD code from building under MSVC 2010 and later.
DRC [Fri, 28 Feb 2014 05:27:55 +0000 (05:27 +0000)]
Remove unused code (the destination manager is not used during YUV encoding, there are no virtual arrays to realize, and jinit_c_prep_controller() is unnecessary because we are not using smoothing.)
DRC [Fri, 28 Feb 2014 05:19:43 +0000 (05:19 +0000)]
Remove unused code (the destination manager is not used during YUV encoding, there are no virtual arrays to realize, and jinit_c_prep_controller() is unnecessary because we are not using smoothing.)
DRC [Tue, 11 Feb 2014 10:16:42 +0000 (10:16 +0000)]
Fix an issue that prevented tjEncodeYUV2() and TJCompressor.encodeYUV() from working properly if the source image was very tiny. Basically, jpeg_start_compress() was attempting to write the JPEG headers, which was overrunning the YUV buffer. This patch removes the call to jpeg_start_compress() in tjEncodeYUV2() and replaces it with calls to the individual routines that are necessary to initialize the color converter and downsampler. TJUnitTest has also been modified to test for this condition (the buffer size regression test now works in YUV mode.)
DRC [Tue, 11 Feb 2014 09:56:12 +0000 (09:56 +0000)]
Fix an issue that prevented tjEncodeYUV2() and TJCompressor.encodeYUV() from working properly if the source image was very tiny. Basically, jpeg_start_compress() was attempting to write the JPEG headers, which was overrunning the YUV buffer. This patch removes the call to jpeg_start_compress() in tjEncodeYUV2() and replaces it with calls to the individual routines that are necessary to initialize the color converter and downsampler. TJUnitTest has also been modified to test for this condition (the buffer size regression test now works in YUV mode.)
DRC [Fri, 7 Feb 2014 19:06:03 +0000 (19:06 +0000)]
Further examination of the code reveals that this change is unnecessary. The histogram stores a count of each color in the image, so it will always contain at least one non-zero element, and thus the total can never be zero. Since the histogram is generated from the image data and not read from the header, there is no chance that header corruption would affect it.
projects / libjpeg-turbo / log