From 6e053525ee45171f65ecec596336cc3b0a5e9468 Mon Sep 17 00:00:00 2001
From: DRC
Date: Thu, 4 Feb 2016 09:20:41 -0600
Subject: [PATCH] TurboJPEG: Avoid dangling pointers

This addresses a minor concern (LJT-01-002) expressed in a security audit by Cure53. _tjInitCompress() and _tjInitDecompress() call (respectively) jpeg_mem_dest_tj() and jpeg_mem_src_tj() with a pointer to a dummy buffer, in order to set up the destination/source manager. The dummy buffer should never be used, but it's still better to make it static so that the pointer in the destination/source manager always points to a valid region of memory.
---
 turbojpeg.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/turbojpeg.c b/turbojpeg.c
index 6b2c623..b20272a 100644
--- a/turbojpeg.c
+++ b/turbojpeg.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C)2009-2015 D. R. Commander. All Rights Reserved.
+ * Copyright (C)2009-2016 D. R. Commander. All Rights Reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions are met:
@@ -556,7 +556,8 @@ DLLEXPORT unsigned char *DLLCALL tjAlloc(int bytes)
 
 static tjhandle _tjInitCompress(tjinstance *this)
 {
- unsigned char buffer[1], *buf=buffer; unsigned long size=1;
+ static unsigned char buffer[1];
+ unsigned char *buf=buffer; unsigned long size=1;
 
 /* This is also straight out of example.c */
 this->cinfo.err=jpeg_std_error(&this->jerr.pub);
@@ -1213,7 +1214,7 @@ DLLEXPORT int DLLCALL tjCompressFromYUV(tjhandle handle, unsigned char *srcBuf,
 
 static tjhandle _tjInitDecompress(tjinstance *this)
 {
- unsigned char buffer[1];
+ static unsigned char buffer[1];
 
 /* This is also straight out of example.c */
 this->dinfo.err=jpeg_std_error(&this->jerr.pub);
-- 
2.40.0
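Review bot: In `_tjInitCompress()`, `buf` and `size` are still automatic variables on the new side, so only the one-byte array has moved to static storage. If `jpeg_mem_dest_tj()` retains the addresses it is handed for the output pointer and the size (the call sits below the hunk and is not visible here), the destination manager would still refer to dead stack slots after this function returns, which is the same class of issue as LJT-01-002. Giving all three static storage would close that, e.g. `static unsigned char buffer[1], *buf=buffer;` and `static unsigned long size=1;`, provided nothing writes through them during initialisation. The function body continues outside the hunk.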
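Review bot: Nothing in `_tjInitDecompress()` records why the dummy `buffer` is `static`, so a later cleanup could turn it back into a stack array and reintroduce the dangling pointer; the same applies to the declaration in the `_tjInitCompress()` hunk. A short comment above each declaration would preserve the intent, e.g. `/* static: the source manager keeps this pointer after we return; the byte itself is never used */`. The comment should also say that the byte is now shared by every handle and thread in the process, which is only safe while nothing ever writes to it. The function body continues outside the hunk.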