Fix various issues reported by the UB sanitizers

Most of these involved left-shifting a negative number, which is
technically undefined (although every modern compiler I'm aware of
will implement this by treating the signed integer as a two's complement
unsigned integer -- the LEFT_SHIFT() macro just makes this behavior
explicit in order to shut up ubsan.)  This also fixes a couple of
non-issues in the entropy codecs, whereby the sanitizer reported an
out-of-bounds index in the 4th argument of jpeg_make_d_derived_tbl().
In those cases, the index was actually out of bounds (caused by a
malformed JPEG image), but jpeg_make_d_derived_tbl() would have caught
the error and aborted prior to actually using the invalid address.  Here
again, the fix was to make our intentions explicit so as to shut up
ubsan.
DRC
2015-09-21 12:57:41 -05:00
parent 54792ba340
commit 8e9cef2e6f
9 changed files with 121 additions and 90 deletions


@@ -3,8 +3,8 @@
*
* This file was part of the Independent JPEG Group's software:
* Copyright (C) 1995-1997, Thomas G. Lane.
* It was modified by The libjpeg-turbo Project to include only code relevant
* to libjpeg-turbo.
* libjpeg-turbo Modifications:
* Copyright (C) 2015, D. R. Commander.
* For conditions of distribution and use, see the accompanying README file.
*
* This file contains Huffman entropy decoding routines for progressive JPEG.
@@ -96,6 +96,7 @@ start_pass_phuff_decoder (j_decompress_ptr cinfo)
phuff_entropy_ptr entropy = (phuff_entropy_ptr) cinfo->entropy;
boolean is_DC_band, bad;
int ci, coefi, tbl;
d_derived_tbl **pdtbl;
int *coef_bit_ptr;
jpeg_component_info * compptr;
@@ -168,13 +169,13 @@ start_pass_phuff_decoder (j_decompress_ptr cinfo)
if (is_DC_band) {
if (cinfo->Ah == 0) { /* DC refinement needs no table */
tbl = compptr->dc_tbl_no;
jpeg_make_d_derived_tbl(cinfo, TRUE, tbl,
& entropy->derived_tbls[tbl]);
pdtbl = entropy->derived_tbls + tbl;
jpeg_make_d_derived_tbl(cinfo, TRUE, tbl, pdtbl);
}
} else {
tbl = compptr->ac_tbl_no;
jpeg_make_d_derived_tbl(cinfo, FALSE, tbl,
& entropy->derived_tbls[tbl]);
pdtbl = entropy->derived_tbls + tbl;
jpeg_make_d_derived_tbl(cinfo, FALSE, tbl, pdtbl);
/* remember the single active table */
entropy->ac_derived_tbl = entropy->derived_tbls[tbl];
}
@@ -203,7 +204,8 @@ start_pass_phuff_decoder (j_decompress_ptr cinfo)
#define AVOID_TABLES
#ifdef AVOID_TABLES
#define HUFF_EXTEND(x,s) ((x) < (1<<((s)-1)) ? (x) + (((-1)<<(s)) + 1) : (x))
#define NEG_1 ((unsigned)-1)
#define HUFF_EXTEND(x,s) ((x) < (1<<((s)-1)) ? (x) + (((NEG_1)<<(s)) + 1) : (x))
#else
@@ -336,7 +338,7 @@ decode_mcu_DC_first (j_decompress_ptr cinfo, JBLOCKROW *MCU_data)
s += state.last_dc_val[ci];
state.last_dc_val[ci] = s;
/* Scale and output the coefficient (assumes jpeg_natural_order[0]=0) */
(*block)[0] = (JCOEF) (s << Al);
(*block)[0] = (JCOEF) LEFT_SHIFT(s, Al);
}
/* Completed MCU, so update state */
@@ -404,7 +406,7 @@ decode_mcu_AC_first (j_decompress_ptr cinfo, JBLOCKROW *MCU_data)
r = GET_BITS(s);
s = HUFF_EXTEND(r, s);
/* Scale and output coefficient in natural (dezigzagged) order */
(*block)[jpeg_natural_order[k]] = (JCOEF) (s << Al);
(*block)[jpeg_natural_order[k]] = (JCOEF) LEFT_SHIFT(s, Al);
} else {
if (r == 15) { /* ZRL */
k += 15; /* skip 15 zeroes in band */
@@ -495,8 +497,8 @@ decode_mcu_AC_refine (j_decompress_ptr cinfo, JBLOCKROW *MCU_data)
{
phuff_entropy_ptr entropy = (phuff_entropy_ptr) cinfo->entropy;
int Se = cinfo->Se;
int p1 = 1 << cinfo->Al; /* 1 in the bit position being coded */
int m1 = (-1) << cinfo->Al; /* -1 in the bit position being coded */
int p1 = 1 << cinfo->Al; /* 1 in the bit position being coded */
int m1 = (NEG_1) << cinfo->Al; /* -1 in the bit position being coded */
register int s, k, r;
unsigned int EOBRUN;
JBLOCKROW block;