Fix rare bug: right shift by a negative # of bits
Under very rare circumstances, decompressing specific corrupt JPEG
images would create a situation whereby GET_BITS(1) was invoked
from within HUFF_DECODE_FAST() when bits_left=0. This produced a right
shift by a negative number of bits, which is undefined in C.
diff --git a/jdhuff.c b/jdhuff.c
index 877ff10..9bc4ebe 100644
--- a/jdhuff.c
+++ b/jdhuff.c
@@ -423,7 +423,7 @@
/* Pre-fetch 48 bytes, because the holding register is 64-bit */
#define FILL_BIT_BUFFER_FAST \
- if (bits_left < 16) { \
+ if (bits_left <= 16) { \
GET_BYTE GET_BYTE GET_BYTE GET_BYTE GET_BYTE GET_BYTE \
}
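Review bot: the comment above this macro says "Pre-fetch 48 bytes", but the body issues six GET_BYTE, which is 48 bits; the unit is worth correcting while this macro is being touched. More importantly, the `<` to `<=` boundary is the entire fix and nothing in the macro records why 16 is the threshold. Please extend the comment to state the invariant the fast path relies on (per the commit message, HUFF_DECODE_FAST() must never reach GET_BITS(1) with bits_left == 0), so that a later cleanup does not quietly turn the comparison back into `<`.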
@@ -431,7 +431,7 @@
/* Pre-fetch 16 bytes, because the holding register is 32-bit */
#define FILL_BIT_BUFFER_FAST \
- if (bits_left < 16) { \
+ if (bits_left <= 16) { \
GET_BYTE GET_BYTE \
}
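Review bot: with `if (bits_left <= 16)` the 32-bit variant can now hold 16 + 16 = 32 bits after the two GET_BYTE, exactly the register width named in the comment, where the old `<` capped it at 31. Please confirm that a completely full holding register is handled correctly by GET_BYTE and by the shifts that consume from it, since this patch exists to remove one undefined shift and should not introduce a boundary case at the other end of the range. The comment here also says "16 bytes" where two GET_BYTE fetch 16 bits. The diff touches only jdhuff.c, so a regression input that reproduces the bits_left=0 condition described in the commit message would be a useful addition alongside it.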