From 5e0c9fff657498f9a74da38b2ce1b4721698a388 Mon Sep 17 00:00:00 2001
From: Brennan Saeta <saeta@google.com>
Date: Thu, 1 Dec 2016 09:36:55 -0800
Subject: [PATCH] Add bounds checks to jpeg parsing code. Change: 140740851

---
 tensorflow/core/lib/jpeg/jpeg_handle.cc | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/tensorflow/core/lib/jpeg/jpeg_handle.cc b/tensorflow/core/lib/jpeg/jpeg_handle.cc
index 64e7885ca38bfd..ce6398709263ce 100644
--- a/tensorflow/core/lib/jpeg/jpeg_handle.cc
+++ b/tensorflow/core/lib/jpeg/jpeg_handle.cc
@@ -147,8 +147,16 @@ void MemTermSource(j_decompress_ptr cinfo) {}
 // -----------------------------------------------------------------------------
 void MemSkipInputData(j_decompress_ptr cinfo, long jump) {
   MemSourceMgr *src = reinterpret_cast<MemSourceMgr *>(cinfo->src);
-  src->pub.bytes_in_buffer -= jump;
-  src->pub.next_input_byte += jump;
+  if (jump < 0) {
+    return;
+  }
+  if (jump > src->pub.bytes_in_buffer) {
+    src->pub.bytes_in_buffer = 0;
+    (void)MemFillInputBuffer(cinfo);  // warn with a fake EOI or error
+  } else {
+    src->pub.bytes_in_buffer -= jump;
+    src->pub.next_input_byte += jump;
+  }
 }
 
 // -----------------------------------------------------------------------------