Merge remote-tracking branch 'libjpeg-turbo/2.1.x' into HEAD
* libjpeg-turbo/2.1.x:
ChangeLog.md: List CVE ID fixed by ccaba5d7
jpeglib.h: Document that JCS_RGB565 is decomp-only
Fix block smoothing w/vert.-subsampled prog. JPEGs
This commit is contained in:
Kornel
11
ChangeLog.md
11
ChangeLog.md
@@ -38,6 +38,11 @@ default on x86 and Arm CPUs) to read from uninitialized memory when attempting
|
|||||||
to transform a specially-crafted malformed arithmetic-coded JPEG source image
|
to transform a specially-crafted malformed arithmetic-coded JPEG source image
|
||||||
into a baseline Huffman-coded JPEG destination image.
|
into a baseline Huffman-coded JPEG destination image.
|
||||||
|
|
||||||
|
5. Fixed two minor issues in the interblock smoothing algorithm that caused
|
||||||
|
mathematical (but not necessarily perceptible) edge block errors when
|
||||||
|
decompressing progressive JPEG images exactly two MCU blocks in width or that
|
||||||
|
use vertical chrominance subsampling.
|
||||||
|
|
||||||
|
|
||||||
2.1.5.1
|
2.1.5.1
|
||||||
=======
|
=======
|
||||||
@@ -240,9 +245,9 @@ transform a specially-crafted malformed JPEG image.
|
|||||||
|
|
||||||
### Significant changes relative to 2.1 beta1:
|
### Significant changes relative to 2.1 beta1:
|
||||||
|
|
||||||
1. Fixed a regression introduced by 2.1 beta1[6(b)] whereby attempting to
|
1. Fixed a regression (CVE-2021-29390) introduced by 2.1 beta1[6(b)] whereby
|
||||||
decompress certain progressive JPEG images with one or more component planes of
|
attempting to decompress certain progressive JPEG images with one or more
|
||||||
width 8 or less caused a buffer overrun.
|
component planes of width 8 or less caused a buffer overrun.
|
||||||
|
|
||||||
2. Fixed a regression introduced by 2.1 beta1[6(b)] whereby attempting to
|
2. Fixed a regression introduced by 2.1 beta1[6(b)] whereby attempting to
|
||||||
decompress a specially-crafted malformed progressive JPEG image caused the
|
decompress a specially-crafted malformed progressive JPEG image caused the
|
||||||
|
|||||||
17
jdcoefct.c
17
jdcoefct.c
@@ -5,7 +5,7 @@
|
|||||||
* Copyright (C) 1994-1997, Thomas G. Lane.
|
* Copyright (C) 1994-1997, Thomas G. Lane.
|
||||||
* libjpeg-turbo Modifications:
|
* libjpeg-turbo Modifications:
|
||||||
* Copyright 2009 Pierre Ossman <ossman@cendio.se> for Cendio AB
|
* Copyright 2009 Pierre Ossman <ossman@cendio.se> for Cendio AB
|
||||||
* Copyright (C) 2010, 2015-2016, 2019-2020, 2022, D. R. Commander.
|
* Copyright (C) 2010, 2015-2016, 2019-2020, 2022-2023, D. R. Commander.
|
||||||
* Copyright (C) 2015, 2020, Google, Inc.
|
* Copyright (C) 2015, 2020, Google, Inc.
|
||||||
* For conditions of distribution and use, see the accompanying README.ijg
|
* For conditions of distribution and use, see the accompanying README.ijg
|
||||||
* file.
|
* file.
|
||||||
@@ -430,7 +430,8 @@ decompress_smooth_data(j_decompress_ptr cinfo, JSAMPIMAGE output_buf)
|
|||||||
my_coef_ptr coef = (my_coef_ptr)cinfo->coef;
|
my_coef_ptr coef = (my_coef_ptr)cinfo->coef;
|
||||||
JDIMENSION last_iMCU_row = cinfo->total_iMCU_rows - 1;
|
JDIMENSION last_iMCU_row = cinfo->total_iMCU_rows - 1;
|
||||||
JDIMENSION block_num, last_block_column;
|
JDIMENSION block_num, last_block_column;
|
||||||
int ci, block_row, block_rows, access_rows;
|
int ci, block_row, block_rows, access_rows, image_block_row,
|
||||||
|
image_block_rows;
|
||||||
JBLOCKARRAY buffer;
|
JBLOCKARRAY buffer;
|
||||||
JBLOCKROW buffer_ptr, prev_prev_block_row, prev_block_row;
|
JBLOCKROW buffer_ptr, prev_prev_block_row, prev_block_row;
|
||||||
JBLOCKROW next_block_row, next_next_block_row;
|
JBLOCKROW next_block_row, next_next_block_row;
|
||||||
@@ -496,6 +497,7 @@ decompress_smooth_data(j_decompress_ptr cinfo, JSAMPIMAGE output_buf)
|
|||||||
(JDIMENSION)access_rows, FALSE);
|
(JDIMENSION)access_rows, FALSE);
|
||||||
buffer += 2 * compptr->v_samp_factor; /* point to current iMCU row */
|
buffer += 2 * compptr->v_samp_factor; /* point to current iMCU row */
|
||||||
} else if (cinfo->output_iMCU_row > 0) {
|
} else if (cinfo->output_iMCU_row > 0) {
|
||||||
|
access_rows += compptr->v_samp_factor; /* prior iMCU row too */
|
||||||
buffer = (*cinfo->mem->access_virt_barray)
|
buffer = (*cinfo->mem->access_virt_barray)
|
||||||
((j_common_ptr)cinfo, coef->whole_image[ci],
|
((j_common_ptr)cinfo, coef->whole_image[ci],
|
||||||
(cinfo->output_iMCU_row - 1) * compptr->v_samp_factor,
|
(cinfo->output_iMCU_row - 1) * compptr->v_samp_factor,
|
||||||
@@ -538,29 +540,30 @@ decompress_smooth_data(j_decompress_ptr cinfo, JSAMPIMAGE output_buf)
|
|||||||
inverse_DCT = cinfo->idct->inverse_DCT[ci];
|
inverse_DCT = cinfo->idct->inverse_DCT[ci];
|
||||||
output_ptr = output_buf[ci];
|
output_ptr = output_buf[ci];
|
||||||
/* Loop over all DCT blocks to be processed. */
|
/* Loop over all DCT blocks to be processed. */
|
||||||
|
image_block_rows = block_rows * cinfo->total_iMCU_rows;
|
||||||
for (block_row = 0; block_row < block_rows; block_row++) {
|
for (block_row = 0; block_row < block_rows; block_row++) {
|
||||||
|
image_block_row = cinfo->output_iMCU_row * block_rows + block_row;
|
||||||
buffer_ptr = buffer[block_row] + cinfo->master->first_MCU_col[ci];
|
buffer_ptr = buffer[block_row] + cinfo->master->first_MCU_col[ci];
|
||||||
|
|
||||||
if (block_row > 0 || cinfo->output_iMCU_row > 0)
|
if (image_block_row > 0)
|
||||||
prev_block_row =
|
prev_block_row =
|
||||||
buffer[block_row - 1] + cinfo->master->first_MCU_col[ci];
|
buffer[block_row - 1] + cinfo->master->first_MCU_col[ci];
|
||||||
else
|
else
|
||||||
prev_block_row = buffer_ptr;
|
prev_block_row = buffer_ptr;
|
||||||
|
|
||||||
if (block_row > 1 || cinfo->output_iMCU_row > 1)
|
if (image_block_row > 1)
|
||||||
prev_prev_block_row =
|
prev_prev_block_row =
|
||||||
buffer[block_row - 2] + cinfo->master->first_MCU_col[ci];
|
buffer[block_row - 2] + cinfo->master->first_MCU_col[ci];
|
||||||
else
|
else
|
||||||
prev_prev_block_row = prev_block_row;
|
prev_prev_block_row = prev_block_row;
|
||||||
|
|
||||||
if (block_row < block_rows - 1 || cinfo->output_iMCU_row < last_iMCU_row)
|
if (image_block_row < image_block_rows - 1)
|
||||||
next_block_row =
|
next_block_row =
|
||||||
buffer[block_row + 1] + cinfo->master->first_MCU_col[ci];
|
buffer[block_row + 1] + cinfo->master->first_MCU_col[ci];
|
||||||
else
|
else
|
||||||
next_block_row = buffer_ptr;
|
next_block_row = buffer_ptr;
|
||||||
|
|
||||||
if (block_row < block_rows - 2 ||
|
if (image_block_row < image_block_rows - 2)
|
||||||
cinfo->output_iMCU_row + 1 < last_iMCU_row)
|
|
||||||
next_next_block_row =
|
next_next_block_row =
|
||||||
buffer[block_row + 2] + cinfo->master->first_MCU_col[ci];
|
buffer[block_row + 2] + cinfo->master->first_MCU_col[ci];
|
||||||
else
|
else
|
||||||
|
|||||||
@@ -5,7 +5,7 @@
|
|||||||
* Copyright (C) 1991-1998, Thomas G. Lane.
|
* Copyright (C) 1991-1998, Thomas G. Lane.
|
||||||
* Modified 2002-2009 by Guido Vollbeding.
|
* Modified 2002-2009 by Guido Vollbeding.
|
||||||
* libjpeg-turbo Modifications:
|
* libjpeg-turbo Modifications:
|
||||||
* Copyright (C) 2009-2011, 2013-2014, 2016-2017, 2020, D. R. Commander.
|
* Copyright (C) 2009-2011, 2013-2014, 2016-2017, 2020, 2023, D. R. Commander.
|
||||||
* Copyright (C) 2015, Google, Inc.
|
* Copyright (C) 2015, Google, Inc.
|
||||||
* mozjpeg Modifications:
|
* mozjpeg Modifications:
|
||||||
* Copyright (C) 2014, Mozilla Corporation.
|
* Copyright (C) 2014, Mozilla Corporation.
|
||||||
@@ -240,7 +240,8 @@ typedef enum {
|
|||||||
JCS_EXT_BGRA, /* blue/green/red/alpha */
|
JCS_EXT_BGRA, /* blue/green/red/alpha */
|
||||||
JCS_EXT_ABGR, /* alpha/blue/green/red */
|
JCS_EXT_ABGR, /* alpha/blue/green/red */
|
||||||
JCS_EXT_ARGB, /* alpha/red/green/blue */
|
JCS_EXT_ARGB, /* alpha/red/green/blue */
|
||||||
JCS_RGB565 /* 5-bit red/6-bit green/5-bit blue */
|
JCS_RGB565 /* 5-bit red/6-bit green/5-bit blue
|
||||||
|
[decompression only] */
|
||||||
} J_COLOR_SPACE;
|
} J_COLOR_SPACE;
|
||||||
|
|
||||||
/* DCT/IDCT algorithm options. */
|
/* DCT/IDCT algorithm options. */
|
||||||
|
|||||||
Reference in New Issue
Block a user