Fix rare bug: right shift by a negative # of bits
Under very rare circumstances, decompressing specific corrupt JPEG
images would create a situation whereby GET_BITS(1) was invoked
from within HUFF_DECODE_FAST() when bits_left=0. This produced a right
shift by a negative number of bits, which is undefined in C.
diff --git a/jdhuff.c b/jdhuff.c
index 36fd03b..4197cc5 100644
--- a/jdhuff.c
+++ b/jdhuff.c
@@ -422,7 +422,7 @@
/* Pre-fetch 48 bytes, because the holding register is 64-bit */
#define FILL_BIT_BUFFER_FAST \
- if (bits_left < 16) { \
+ if (bits_left <= 16) { \
GET_BYTE GET_BYTE GET_BYTE GET_BYTE GET_BYTE GET_BYTE \
}
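Review bot: The comment on the context line above the changed condition says "Pre-fetch 48 bytes", but the macro body has six GET_BYTE invocations, which is 48 bits if each one fetches a single byte; correct the unit while touching this macro, since that comment is the only in-code explanation of the refill size. The new `bits_left <= 16` boundary also carries no rationale in the code. The commit message ties it to GET_BITS(1) being reached with bits_left=0 inside HUFF_DECODE_FAST(), so a one-line comment stating how many bits that path may consume between refills would let a reader check that 16 is the right cutoff.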
@@ -430,7 +430,7 @@
/* Pre-fetch 16 bytes, because the holding register is 32-bit */
#define FILL_BIT_BUFFER_FAST \
- if (bits_left < 16) { \
+ if (bits_left <= 16) { \
GET_BYTE GET_BYTE \
}
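Review bot: At the new boundary in `if (bits_left <= 16)`, entering with bits_left equal to 16 and running the two GET_BYTE invocations leaves 32 bits in the buffer (assuming each adds 8), which is the full width of the 32-bit holding register named in the comment. Please confirm that nothing after this macro expects spare room in the register, and that the same holds for the 64-bit variant, where 16 + 48 = 64. The comment here has the same unit slip ("16 bytes" for two GET_BYTE), and the threshold is now duplicated across both variants, so a shared named constant would keep the two conditions from drifting apart in a later change.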