Fix CVE-2013-6629 and CVE-2013-6630

git-svn-id: svn+ssh://svn.code.sf.net/p/libjpeg-turbo/code/branches/1.2.x@1090 632fc199-4ca6-4c93-a231-07263d6284db

ChangeLog.txt

@@ -20,6 +20,9 @@ entropy coding (by passing arguments of -progressive -arithmetic to cjpeg or
 jpegtran, for instance) would result in an error, "Requested feature was
 omitted at compile time".
 
+[6] Fixed a couple of issues whereby malformed JPEG images would cause
+libjpeg-turbo to use uninitialized memory during decompression.
+
 
 1.2.1
 =====

jdmarker.c

@@ -304,7 +304,7 @@ get_sos (j_decompress_ptr cinfo)
 /* Process a SOS marker */
 {
   INT32 length;
-  int i, ci, n, c, cc;
+  int i, ci, n, c, cc, pi;
   jpeg_component_info * compptr;
   INPUT_VARS(cinfo);
 
@@ -348,6 +348,13 @@ get_sos (j_decompress_ptr cinfo)
     
     TRACEMS3(cinfo, 1, JTRC_SOS_COMPONENT, cc,
 	     compptr->dc_tbl_no, compptr->ac_tbl_no);
+
+    /* This CSi (cc) should differ from the previous CSi */
+    for (pi = 0; pi < i; pi++) {
+      if (cinfo->cur_comp_info[pi] == compptr) {
+        ERREXIT1(cinfo, JERR_BAD_COMPONENT_ID, cc);
+      }
+    }
   }
 
   /* Collect the additional scan parameters Ss, Se, Ah/Al. */
@@ -465,6 +472,8 @@ get_dht (j_decompress_ptr cinfo)
     for (i = 0; i < count; i++)
       INPUT_BYTE(cinfo, huffval[i], return FALSE);
 
+    MEMZERO(&huffval[count], (256 - count) * SIZEOF(UINT8));
+
     length -= count;
 
     if (index & 0x10) {		/* AC table definition */