From c6838b243e7a730d45a4d9e76f350b6edfeb8fe3 Mon Sep 17 00:00:00 2001
From: DRC
Date: Mon, 15 Mar 2010 11:34:58 +0000
Subject: [PATCH] Fix data corruption issues when decompressing large JPEG images and/or using buffered I/O. Specifically, decode_mcu_fast() can potentially process more than 1 MCU, so make sure there is enough space in the buffer to accommodate this case. Otherwise, the buffer pointer goes negative, and bad mojo ensues. Also, the fast decoder's method of handling unread markers doesn't make libjpeg's restart handler happy, so disable fast decode when restarts are used.
---
 jdhuff.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/jdhuff.c b/jdhuff.c
index 18a0c7ef..05511799 100644
--- a/jdhuff.c
+++ b/jdhuff.c
@@ -778,7 +778,8 @@ decode_mcu (j_decompress_ptr cinfo, JBLOCKROW *MCU_data)
 */ if (! entropy->pub.insufficient_data) {
- if (cinfo->src->bytes_in_buffer >= BUFSIZE) {
+ if (cinfo->src->bytes_in_buffer >= BUFSIZE * cinfo->blocks_in_MCU
+ && !cinfo->restart_interval) {
 if (!decode_mcu_fast(cinfo, MCU_data)) return FALSE; } else {
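Review bot: The new guard `cinfo->src->bytes_in_buffer >= BUFSIZE * cinfo->blocks_in_MCU` is only a sound precondition for decode_mcu_fast() if BUFSIZE is a true worst-case byte count for one coded block, and neither that assumption nor the reason for the `!cinfo->restart_interval` term is recorded at the check. BUFSIZE is defined outside this hunk, so it should be confirmed that it covers the longest block the fast path can consume (including any stuffed bytes following 0xFF) and that the macro is fully parenthesized, since the bytes come from untrusted image data and the commit message indicates the fast path can run the buffer count below zero. I would add a comment above the condition along the lines of `/* Fast path appears to consume input without per-byte refill checks: require worst-case bytes for every block in the MCU, and no restart markers. */`. decode_mcu's body starts and ends outside the hunk.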