Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / external / libjpeg-turbo / 402a715f82313384ef4606660c32d8678c79f197^! / . / jchuff.c
commit402a715f82313384ef4606660c32d8678c79f197[log] [tgz]
authorDRC <dcommander@users.sourceforge.net>Sat Nov 22 22:09:30 2014 +0000
committerDRC <dcommander@users.sourceforge.net>Sat Nov 22 22:09:30 2014 +0000
treea0606ea4a0fee8075371ee90fa866952c977e58e
parent306add8b788c63590c476f693f95527f26909b62 [diff] [blame]
Fix Huffman local buffer overrun discovered by Debian developers when attempting to transform a junk image using ImageMagick:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=768369


git-svn-id: svn+ssh://svn.code.sf.net/p/libjpeg-turbo/code/branches/1.4.x@1426 632fc199-4ca6-4c93-a231-07263d6284db

diff --git a/jchuff.c b/jchuff.c
index 447209a..a5c0a1f 100644
--- a/jchuff.c
+++ b/jchuff.c

@@ -408,7 +408,16 @@
 #endif
 
 
-#define BUFSIZE (DCTSIZE2 * 2) + 8
+/* Although it is exceedingly rare, it is possible for a Huffman-encoded
+ * coefficient block to be larger than the 128-byte unencoded block.  For each
+ * of the 64 coefficients, PUT_BITS is invoked twice, and each invocation can
+ * theoretically store 16 bits (for a maximum of 2048 bits or 256 bytes per
+ * encoded block.)  If, for instance, one artificially sets the AC
+ * coefficients to alternating values of 32767 and -32768 (using the JPEG
+ * scanning order-- 1, 8, 16, etc.), then this will produce an encoded block
+ * larger than 200 bytes.
+ */
+#define BUFSIZE (DCTSIZE2 * 4)
 
 #define LOAD_BUFFER() { \
   if (state->free_in_buffer < BUFSIZE) { \