From a572622dd654305c86585724c2a1ea34e22c2103 Mon Sep 17 00:00:00 2001
From: DRC
Date: Sun, 6 Mar 2016 08:15:04 -0600
Subject: [PATCH] Ensure that default Huffman tables are initialized
This prevents a malformed motion-JPEG frame (MJPEG frames lack Huffman tables) from causing the "fast path" of the Huffman decoder to read uninitialized memory. Essentially, this is doing the same thing for MJPEG frames as 43d8cf4d4572fa50a37cccadbe71b9bee37de55d did for regular images.
---
 ChangeLog.txt | 3 +++
 jstdhuff.c | 1 +
 2 files changed, 4 insertions(+)
diff --git a/ChangeLog.txt b/ChangeLog.txt
index 90e67f3b8..fdb175882 100644
--- a/ChangeLog.txt
+++ b/ChangeLog.txt
@@ -22,6 +22,9 @@ decoder only if there are > 512 bytes of data in the input buffer.
 [3] Fixed a memory leak in tjunittest encountered when running the program with the -yuv option.
+[4] Fixed an issue whereby a malformed motion-JPEG frame could cause the "fast
+path" of libjpeg-turbo's Huffman decoder to read from uninitialized memory.
+
 1.4.2
 =====
diff --git a/jstdhuff.c b/jstdhuff.c
index a6eb2d8a9..717c13456 100644
--- a/jstdhuff.c
+++ b/jstdhuff.c
@@ -41,6 +41,7 @@ add_huff_table (j_common_ptr cinfo,
 ERREXIT(cinfo, JERR_BAD_HUFF_TABLE);
 MEMCOPY((*htblptr)->huffval, val, nsymbols * sizeof(UINT8));
+ MEMZERO(&((*htblptr)->huffval[nsymbols]), (256 - nsymbols) * sizeof(UINT8));
 /* Initialize sent_table FALSE so table will be written to JPEG file. */
 (*htblptr)->sent_table = FALSE;
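Review bot: The added MEMZERO in add_huff_table has no comment, and its length `(256 - nsymbols)` is only safe if nsymbols was already bounded to at most 256. That bound is presumably the condition guarding the `ERREXIT(cinfo, JERR_BAD_HUFF_TABLE)` context line, but it sits outside the hunk and should be confirmed, since a larger value would make the subtraction negative and the converted size enormous. I would add `/* Zero the unused tail of huffval so the decoder's fast path never reads uninitialized bytes from a malformed frame. */` above the call. I would also derive the length from the array rather than the literal, e.g. `sizeof((*htblptr)->huffval) - nsymbols * sizeof(UINT8)`, assuming huffval is a fixed-size array member. The function begins before and continues after this hunk.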