Merge remote-tracking branch 'libjpeg-turbo/2.1.x' into HEAD
* libjpeg-turbo/2.1.x:
ChangeLog.md: List CVE ID fixed by ccaba5d7
jpeglib.h: Document that JCS_RGB565 is decomp-only
Fix block smoothing w/vert.-subsampled prog. JPEGs
This commit is contained in:
Kornel
11
ChangeLog.md
11
ChangeLog.md
@@ -38,6 +38,11 @@ default on x86 and Arm CPUs) to read from uninitialized memory when attempting
|
||||
to transform a specially-crafted malformed arithmetic-coded JPEG source image
|
||||
into a baseline Huffman-coded JPEG destination image.
|
||||
|
||||
5. Fixed two minor issues in the interblock smoothing algorithm that caused
|
||||
mathematical (but not necessarily perceptible) edge block errors when
|
||||
decompressing progressive JPEG images exactly two MCU blocks in width or that
|
||||
use vertical chrominance subsampling.
|
||||
|
||||
|
||||
2.1.5.1
|
||||
=======
|
||||
@@ -240,9 +245,9 @@ transform a specially-crafted malformed JPEG image.
|
||||
|
||||
### Significant changes relative to 2.1 beta1:
|
||||
|
||||
1. Fixed a regression introduced by 2.1 beta1[6(b)] whereby attempting to
|
||||
decompress certain progressive JPEG images with one or more component planes of
|
||||
width 8 or less caused a buffer overrun.
|
||||
1. Fixed a regression (CVE-2021-29390) introduced by 2.1 beta1[6(b)] whereby
|
||||
attempting to decompress certain progressive JPEG images with one or more
|
||||
component planes of width 8 or less caused a buffer overrun.
|
||||
|
||||
2. Fixed a regression introduced by 2.1 beta1[6(b)] whereby attempting to
|
||||
decompress a specially-crafted malformed progressive JPEG image caused the
|
||||
|
||||
17
jdcoefct.c
17
jdcoefct.c
@@ -5,7 +5,7 @@
|
||||
* Copyright (C) 1994-1997, Thomas G. Lane.
|
||||
* libjpeg-turbo Modifications:
|
||||
* Copyright 2009 Pierre Ossman <ossman@cendio.se> for Cendio AB
|
||||
* Copyright (C) 2010, 2015-2016, 2019-2020, 2022, D. R. Commander.
|
||||
* Copyright (C) 2010, 2015-2016, 2019-2020, 2022-2023, D. R. Commander.
|
||||
* Copyright (C) 2015, 2020, Google, Inc.
|
||||
* For conditions of distribution and use, see the accompanying README.ijg
|
||||
* file.
|
||||
@@ -430,7 +430,8 @@ decompress_smooth_data(j_decompress_ptr cinfo, JSAMPIMAGE output_buf)
|
||||
my_coef_ptr coef = (my_coef_ptr)cinfo->coef;
|
||||
JDIMENSION last_iMCU_row = cinfo->total_iMCU_rows - 1;
|
||||
JDIMENSION block_num, last_block_column;
|
||||
int ci, block_row, block_rows, access_rows;
|
||||
int ci, block_row, block_rows, access_rows, image_block_row,
|
||||
image_block_rows;
|
||||
JBLOCKARRAY buffer;
|
||||
JBLOCKROW buffer_ptr, prev_prev_block_row, prev_block_row;
|
||||
JBLOCKROW next_block_row, next_next_block_row;
|
||||
@@ -496,6 +497,7 @@ decompress_smooth_data(j_decompress_ptr cinfo, JSAMPIMAGE output_buf)
|
||||
(JDIMENSION)access_rows, FALSE);
|
||||
buffer += 2 * compptr->v_samp_factor; /* point to current iMCU row */
|
||||
} else if (cinfo->output_iMCU_row > 0) {
|
||||
access_rows += compptr->v_samp_factor; /* prior iMCU row too */
|
||||
buffer = (*cinfo->mem->access_virt_barray)
|
||||
((j_common_ptr)cinfo, coef->whole_image[ci],
|
||||
(cinfo->output_iMCU_row - 1) * compptr->v_samp_factor,
|
||||
@@ -538,29 +540,30 @@ decompress_smooth_data(j_decompress_ptr cinfo, JSAMPIMAGE output_buf)
|
||||
inverse_DCT = cinfo->idct->inverse_DCT[ci];
|
||||
output_ptr = output_buf[ci];
|
||||
/* Loop over all DCT blocks to be processed. */
|
||||
image_block_rows = block_rows * cinfo->total_iMCU_rows;
|
||||
for (block_row = 0; block_row < block_rows; block_row++) {
|
||||
image_block_row = cinfo->output_iMCU_row * block_rows + block_row;
|
||||
buffer_ptr = buffer[block_row] + cinfo->master->first_MCU_col[ci];
|
||||
|
||||
if (block_row > 0 || cinfo->output_iMCU_row > 0)
|
||||
if (image_block_row > 0)
|
||||
prev_block_row =
|
||||
buffer[block_row - 1] + cinfo->master->first_MCU_col[ci];
|
||||
else
|
||||
prev_block_row = buffer_ptr;
|
||||
|
||||
if (block_row > 1 || cinfo->output_iMCU_row > 1)
|
||||
if (image_block_row > 1)
|
||||
prev_prev_block_row =
|
||||
buffer[block_row - 2] + cinfo->master->first_MCU_col[ci];
|
||||
else
|
||||
prev_prev_block_row = prev_block_row;
|
||||
|
||||
if (block_row < block_rows - 1 || cinfo->output_iMCU_row < last_iMCU_row)
|
||||
if (image_block_row < image_block_rows - 1)
|
||||
next_block_row =
|
||||
buffer[block_row + 1] + cinfo->master->first_MCU_col[ci];
|
||||
else
|
||||
next_block_row = buffer_ptr;
|
||||
|
||||
if (block_row < block_rows - 2 ||
|
||||
cinfo->output_iMCU_row + 1 < last_iMCU_row)
|
||||
if (image_block_row < image_block_rows - 2)
|
||||
next_next_block_row =
|
||||
buffer[block_row + 2] + cinfo->master->first_MCU_col[ci];
|
||||
else
|
||||
|
||||
@@ -5,7 +5,7 @@
|
||||
* Copyright (C) 1991-1998, Thomas G. Lane.
|
||||
* Modified 2002-2009 by Guido Vollbeding.
|
||||
* libjpeg-turbo Modifications:
|
||||
* Copyright (C) 2009-2011, 2013-2014, 2016-2017, 2020, D. R. Commander.
|
||||
* Copyright (C) 2009-2011, 2013-2014, 2016-2017, 2020, 2023, D. R. Commander.
|
||||
* Copyright (C) 2015, Google, Inc.
|
||||
* mozjpeg Modifications:
|
||||
* Copyright (C) 2014, Mozilla Corporation.
|
||||
@@ -240,7 +240,8 @@ typedef enum {
|
||||
JCS_EXT_BGRA, /* blue/green/red/alpha */
|
||||
JCS_EXT_ABGR, /* alpha/blue/green/red */
|
||||
JCS_EXT_ARGB, /* alpha/red/green/blue */
|
||||
JCS_RGB565 /* 5-bit red/6-bit green/5-bit blue */
|
||||
JCS_RGB565 /* 5-bit red/6-bit green/5-bit blue
|
||||
[decompression only] */
|
||||
} J_COLOR_SPACE;
|
||||
|
||||
/* DCT/IDCT algorithm options. */
|
||||
|
||||
Reference in New Issue
Block a user