git.blender.org/blender.git - Unnamed repository; edit this file 'description' to name the repository.
authorAndrea Weikert <elubie@gmx.net>2011-04-10 15:36:29 +0400
committerAndrea Weikert <elubie@gmx.net>2011-04-10 15:36:29 +0400
commite137a3a081d60eefc43fb5ae33966d0a0c7048df (patch)
tree39cf5038948b4f1ca255126a7d1cdc12b6084ebd /source/blender/imbuf
parentf8124d6db776d146854f95cf9589ceeca2dcc6fb (diff)
Fix [#26827] Blender Crashes when it opens corrupt jpeg
* memory corruption when skipping over long marker (was attempting to read over end of file) * also updated internal jpeg macros to be the same as in jpeg lib
Diffstat (limited to 'source/blender/imbuf')
-rw-r--r--source/blender/imbuf/intern/jpeg.c24
1 files changed, 16 insertions, 8 deletions
diff --git a/source/blender/imbuf/intern/jpeg.c b/source/blender/imbuf/intern/jpeg.c
index 93ebd0efcb0..32dae3c982e 100644
--- a/source/blender/imbuf/intern/jpeg.c
+++ b/source/blender/imbuf/intern/jpeg.c
@@ -163,8 +163,11 @@ static void skip_input_data(j_decompress_ptr cinfo, long num_bytes)
my_src_ptr src = (my_src_ptr) cinfo->src;
if(num_bytes > 0) {
- src->pub.next_input_byte = src->pub.next_input_byte + num_bytes;
- src->pub.bytes_in_buffer = src->pub.bytes_in_buffer - num_bytes;
+ // prevent skipping over file end
+ size_t skip_size = (size_t)num_bytes <= src->pub.bytes_in_buffer ? num_bytes : src->pub.bytes_in_buffer;
+
+ src->pub.next_input_byte = src->pub.next_input_byte + skip_size;
+ src->pub.bytes_in_buffer = src->pub.bytes_in_buffer - skip_size;
}
}
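Review bot: The clamp on `skip_size` shortens the skip silently when `num_bytes` exceeds `src->pub.bytes_in_buffer`, so a corrupt marker length is absorbed without any diagnostic. After the clamp `bytes_in_buffer` is 0 and the next read depends on this source's `fill_input_buffer`, which is not visible in the hunk, to report end of data instead of supplying more bytes; a comment saying so would help, e.g. `/* marker length ran past the buffer: consume what is left and let fill_input_buffer signal EOF */`. If the file has libjpeg's `jerror.h` in scope, a `WARNMS(cinfo, JWRN_JPGEOF);` in the truncated case would make such files identifiable in logs. The ternary also mixes `long` and `size_t` operands; casting once (`size_t want = (size_t)num_bytes;`) and using `want` in both places keeps the types explicit. The function's opening lines are outside the hunk.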
@@ -222,17 +225,19 @@ static void memory_source(j_decompress_ptr cinfo, unsigned char *buffer, size_t
*/
#define MAKE_BYTE_AVAIL(cinfo,action) \
if (bytes_in_buffer == 0) { \
- if (! (*datasrc->fill_input_buffer) (cinfo)) \
- { action; } \
- INPUT_RELOAD(cinfo); \
- } \
- bytes_in_buffer--
+ if (! (*datasrc->fill_input_buffer) (cinfo)) \
+ { action; } \
+ INPUT_RELOAD(cinfo); \
+ }
+
+
/* Read a byte into variable V.
* If must suspend, take the specified action (typically "return FALSE").
*/
#define INPUT_BYTE(cinfo,V,action) \
MAKESTMT( MAKE_BYTE_AVAIL(cinfo,action); \
+ bytes_in_buffer--; \
V = GETJOCTET(*next_input_byte++); )
/* As above, but read two bytes interpreted as an unsigned 16-bit integer.
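Review bot: With the decrement moved out of `MAKE_BYTE_AVAIL`, every user of that macro must now pair it with `bytes_in_buffer--;` itself, and nothing in the macro or its comment says so; the same applies to the two additions in the `INPUT_2BYTES` hunk below. Only `INPUT_BYTE` and `INPUT_2BYTES` are visible here, so any other direct use of `MAKE_BYTE_AVAIL` in the file should be checked. The decrement also stays unconditional, so it assumes `fill_input_buffer` never returns TRUE with zero bytes available; if this file's memory source could do that, the `size_t` counter would wrap and `*next_input_byte++` would read past the buffer. I would record both points above the macro, e.g. `/* Does not consume the byte: caller must decrement bytes_in_buffer. Requires fill_input_buffer to leave >= 1 byte when it returns TRUE. */`. The existing comment block for `MAKE_BYTE_AVAIL` starts outside the hunk.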
@@ -240,8 +245,10 @@ static void memory_source(j_decompress_ptr cinfo, unsigned char *buffer, size_t
*/
#define INPUT_2BYTES(cinfo,V,action) \
MAKESTMT( MAKE_BYTE_AVAIL(cinfo,action); \
+ bytes_in_buffer--; \
V = ((unsigned int) GETJOCTET(*next_input_byte++)) << 8; \
MAKE_BYTE_AVAIL(cinfo,action); \
+ bytes_in_buffer--; \
V += GETJOCTET(*next_input_byte++); )
@@ -252,7 +259,8 @@ handle_app1 (j_decompress_ptr cinfo)
char neogeo[128];
INPUT_VARS(cinfo);
-
+
+ length = 0;
INPUT_2BYTES(cinfo, length, return FALSE);
length -= 2;