Update libjpeg-turbo to stable release 2.1.0
Update Chromium's copy of libjpeg-turbo to the latest upstream stable
release (v2.1.0) and re-apply our local changes documented in
README.chromium.
This upstream release fixes a long-standing libjpeg6b compatibility
issue[1], meaning we can dispense with the locally-applied workaround.
[1] http://crbug.com/398235
Change-Id: Icae6741f49d4ae8bc12ccfcbef416fb6a6fa16f1
diff --git a/rdbmp.c b/rdbmp.c
index 6ba584a..358a026 100644
--- a/rdbmp.c
+++ b/rdbmp.c
@@ -6,7 +6,7 @@
* Modified 2009-2017 by Guido Vollbeding.
* libjpeg-turbo Modifications:
* Modified 2011 by Siarhei Siamashka.
- * Copyright (C) 2015, 2017-2018, D. R. Commander.
+ * Copyright (C) 2015, 2017-2018, 2021, D. R. Commander.
* For conditions of distribution and use, see the accompanying README.ijg
* file.
*
@@ -424,14 +424,14 @@
(((unsigned int)UCH(array[offset + 2])) << 16) + \
(((unsigned int)UCH(array[offset + 3])) << 24))
- unsigned int bfOffBits;
- unsigned int headerSize;
+ int bfOffBits;
+ int headerSize;
int biWidth;
int biHeight;
unsigned short biPlanes;
unsigned int biCompression;
int biXPelsPerMeter, biYPelsPerMeter;
- unsigned int biClrUsed = 0;
+ int biClrUsed = 0;
int mapentrysize = 0; /* 0 indicates no colormap */
int bPad;
JDIMENSION row_width = 0;
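Review bot: The switch of `bfOffBits`, `headerSize` and `biClrUsed` from `unsigned int` to `int` is not explained at the declarations, even though the later range checks depend on it. `GET_4B` builds an `unsigned int`, so a field of 2^31 or more becomes negative on assignment (implementation-defined, but negative on the usual targets), and that is presumably what lets the `headerSize < 12` test and the new `bfOffBits` comparison reject it. I would add a comment above the three declarations such as `/* signed on purpose: 32-bit fields >= 2^31 must show up as negative and fail the range checks below */`. How `biClrUsed` is validated is not visible in this hunk, so confirm that a negative value is handled there too; the enclosing function starts and ends outside the hunk.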
@@ -450,7 +450,7 @@
if (!ReadOK(source->pub.input_file, bmpinfoheader, 4))
ERREXIT(cinfo, JERR_INPUT_EOF);
headerSize = GET_4B(bmpinfoheader, 0);
- if (headerSize < 12 || headerSize > 64)
+ if (headerSize < 12 || headerSize > 64 || (headerSize + 14) > bfOffBits)
ERREXIT(cinfo, JERR_BMP_BADHEADER);
if (!ReadOK(source->pub.input_file, bmpinfoheader + 4, headerSize - 4))
ERREXIT(cinfo, JERR_INPUT_EOF);
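Review bot: The literal `14` in the added `(headerSize + 14) > bfOffBits` term is unexplained, and the term is only safe because it sits after the `headerSize > 64` test in the same `||` chain, which bounds `headerSize` before the addition. The `14` is presumably the size of the BMP file header read earlier, which is not visible in this hunk. A short comment would make the intent reviewable, e.g. `/* pixel data offset must not point inside the 14-byte file header or the info header */`, and would keep a later reordering of the condition from reintroducing an unchecked addition.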
@@ -522,6 +522,11 @@
if (biWidth <= 0 || biHeight <= 0)
ERREXIT(cinfo, JERR_BMP_EMPTY);
+#ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
+ if (sinfo->max_pixels &&
+ (unsigned long long)biWidth * biHeight > sinfo->max_pixels)
+ ERREXIT(cinfo, JERR_WIDTH_OVERFLOW);
+#endif
if (biPlanes != 1)
ERREXIT(cinfo, JERR_BMP_BADPLANES);
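Review bot: The `max_pixels` area limit is compiled in only under `FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION`, so in a normal build this point in the reader enforces nothing beyond `biWidth > 0` and `biHeight > 0`. That is worth saying in a comment so nobody reads it as a production size cap, for example `/* fuzzer-only resource limit; production callers must bound image dimensions themselves */`. It also reports an area overrun as `JERR_WIDTH_OVERFLOW`, which will read oddly in logs if the guard is ever enabled outside fuzzing.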
@@ -575,7 +580,9 @@
cinfo->input_components = 4;
else
ERREXIT(cinfo, JERR_BAD_IN_COLORSPACE);
- row_width = (JDIMENSION)(biWidth * 3);
+ if ((unsigned long long)biWidth * 3ULL > 0xFFFFFFFFULL)
+ ERREXIT(cinfo, JERR_WIDTH_OVERFLOW);
+ row_width = (JDIMENSION)biWidth * 3;
break;
case 32:
if (cinfo->in_color_space == JCS_UNKNOWN)
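Review bot: The bound `0xFFFFFFFFULL` in the new `biWidth * 3ULL` check hard-codes the assumption that `JDIMENSION` is a 32-bit unsigned type, and the same literal is repeated for `biWidth * 4ULL` in the next hunk. Comparing against a value derived from the type, e.g. `> (unsigned long long)(JDIMENSION)(-1)`, or a named constant shared by both cases, would keep the check correct if the typedef ever changes. If `row_width` is rounded up for row padding after the switch (not visible in these hunks), a value at the very top of the range could still wrap, so it is worth confirming whether the bound needs to leave room for that.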
@@ -586,7 +593,9 @@
cinfo->input_components = 4;
else
ERREXIT(cinfo, JERR_BAD_IN_COLORSPACE);
- row_width = (JDIMENSION)(biWidth * 4);
+ if ((unsigned long long)biWidth * 4ULL > 0xFFFFFFFFULL)
+ ERREXIT(cinfo, JERR_WIDTH_OVERFLOW);
+ row_width = (JDIMENSION)biWidth * 4;
break;
default:
ERREXIT(cinfo, JERR_BMP_BADDEPTH);
@@ -631,7 +640,7 @@
/* Allocate one-row buffer for returned data */
source->pub.buffer = (*cinfo->mem->alloc_sarray)
((j_common_ptr)cinfo, JPOOL_IMAGE,
- (JDIMENSION)(biWidth * cinfo->input_components), (JDIMENSION)1);
+ (JDIMENSION)biWidth * (JDIMENSION)cinfo->input_components, (JDIMENSION)1);
source->pub.buffer_height = 1;
cinfo->data_precision = 8;
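Review bot: The width passed to `alloc_sarray`, `(JDIMENSION)biWidth * (JDIMENSION)cinfo->input_components`, is an unsigned multiplication that wraps silently, and none of the checks added in this commit bounds that particular product. The 24-bit case checks `biWidth * 3` but can set `input_components = 4`, so a `biWidth` that passes that check can still overflow here if `JDIMENSION` is 32 bits wide. Unless a limit elsewhere already rules this out, I would guard the allocation directly with `if ((unsigned long long)biWidth * (unsigned long long)cinfo->input_components > 0xFFFFFFFFULL)` followed by `ERREXIT(cinfo, JERR_WIDTH_OVERFLOW);`. The enclosing function continues outside the hunk.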
@@ -668,6 +677,9 @@
/* Fill in method ptrs, except get_pixel_rows which start_input sets */
source->pub.start_input = start_input_bmp;
source->pub.finish_input = finish_input_bmp;
+#ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
+ source->pub.max_pixels = 0;
+#endif
source->use_inversion_array = use_inversion_array;