decompress_smooth_data(): Fix another uninit. read

Regression introduced by 42825b68d5 The test case https://user-images.githubusercontent.com/3491627/101376530-fde56180-38b0-11eb-938d-734119a5b5ba.jpg is a malformed progressive JPEG image containing an interleaved Y/Cb/Cr DC scan followed by two non-interleaved Y DC scans. Thus, the prev_coef_bits[] array was initialized for the Y component but not the other components, the uninitialized values for Cb and Cr were transferred to the prev_coef_bits_latch[] array in smoothing_ok(), and because cinfo->master->last_good_iMCU_row was 0, decompress_smooth_data() read those uninitialized values when attempting to smooth the second iMCU row. Possibly fixes #478
2020-12-07 11:12:49 -06:00
parent 7b68764905
commit 110d8d6dca
2 changed files with 4 additions and 0 deletions
--- a/jdarith.c
+++ b/jdarith.c
@@ -672,6 +672,8 @@ bad:
      for (coefi = MIN(cinfo->Ss, 1); coefi <= MAX(cinfo->Se, 9); coefi++) {
        if (cinfo->input_scan_number > 1)
          prev_coef_bit_ptr[coefi] = coef_bit_ptr[coefi];
+        else
+          prev_coef_bit_ptr[coefi] = 0;
      }
      for (coefi = cinfo->Ss; coefi <= cinfo->Se; coefi++) {
        int expected = (coef_bit_ptr[coefi] < 0) ? 0 : coef_bit_ptr[coefi];
--- a/jdphuff.c
+++ b/jdphuff.c
@@ -130,6 +130,8 @@ start_pass_phuff_decoder(j_decompress_ptr cinfo)
    for (coefi = MIN(cinfo->Ss, 1); coefi <= MAX(cinfo->Se, 9); coefi++) {
      if (cinfo->input_scan_number > 1)
        prev_coef_bit_ptr[coefi] = coef_bit_ptr[coefi];
+      else
+        prev_coef_bit_ptr[coefi] = 0;
    }
    for (coefi = cinfo->Ss; coefi <= cinfo->Se; coefi++) {
      int expected = (coef_bit_ptr[coefi] < 0) ? 0 : coef_bit_ptr[coefi];