Actually, we need to increase the size of BUFSIZE, not just the size of _buffer.  The previous patch might have caused problems if, for instance, state->free_in_buffer was 127 but 129 bytes were compressed.  In that case, only 127 of the 129 bytes would have been written to the file.  Also document the fix.


git-svn-id: svn+ssh://svn.code.sf.net/p/libjpeg-turbo/code/branches/1.3.x@1366 632fc199-4ca6-4c93-a231-07263d6284db
diff --git a/ChangeLog.txt b/ChangeLog.txt
index ac47db2..36046f9 100644
--- a/ChangeLog.txt
+++ b/ChangeLog.txt
@@ -17,6 +17,14 @@
 [4] Fixed a bug in the build system that was causing the Windows version of
 wrjpgcom to be built using the rdjpgcom code.
 
+[5] Fixed an extremely rare bug that could cause the Huffman encoder's local
+buffer to overrun when a very high-frequency MCU is compressed using quality
+100 and no subsampling, and when the JPEG output buffer is being dynamically
+resized by the destination manager.  This issue was so rare that, even with a
+test program specifically designed to make the bug occur (by injecting random
+high-frequency YUV data into the compressor), it was reproducible only once in
+about every 25 million iterations.
+
 
 1.3.1
 =====
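Review bot: Entry [5] says how rare the overrun is but not what it overruns or what the effect is. The jchuff.c part of this patch shows `_buffer` is a local array inside the encoder functions, so the entry could say that the write lands past a stack-allocated buffer. It could also mention the truncated-output case, since the entry is meant to document this fix as well. Packagers deciding whether to backport need the impact more than the reproduction rate.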
diff --git a/jchuff.c b/jchuff.c
index 648d3fd..fe5b7f7 100644
--- a/jchuff.c
+++ b/jchuff.c
@@ -391,7 +391,7 @@
 #endif
 
 
-#define BUFSIZE (DCTSIZE2 * 2)
+#define BUFSIZE (DCTSIZE2 * 2) + 8
 
 #define LOAD_BUFFER() { \
   if (state->free_in_buffer < BUFSIZE) { \
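Review bot: The new definition `#define BUFSIZE (DCTSIZE2 * 2) + 8` is not parenthesized as a whole, so any use next to a higher-precedence operator (for example `BUFSIZE * 2` or `n % BUFSIZE`) would expand to something other than the intended value. The two uses visible here, the `<` comparison in LOAD_BUFFER and the array bound, happen to expand correctly, but the macro should be written `((DCTSIZE2 * 2) + 8)` so that future uses are safe. A one-line comment saying what the extra 8 bytes account for would also help, since the constant is otherwise unexplained at the point of definition.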
@@ -426,7 +426,7 @@
 LOCAL(boolean)
 flush_bits (working_state * state)
 {
-  JOCTET _buffer[BUFSIZE + 8], *buffer;
+  JOCTET _buffer[BUFSIZE], *buffer;
   size_t put_buffer;  int put_bits;
   size_t bytes, bytestocopy;  int localbuf = 0;
 
@@ -455,7 +455,7 @@
   int temp, temp2, temp3;
   int nbits;
   int r, code, size;
-  JOCTET _buffer[BUFSIZE + 8], *buffer;
+  JOCTET _buffer[BUFSIZE], *buffer;
   size_t put_buffer;  int put_bits;
   int code_0xf0 = actbl->ehufco[0xf0], size_0xf0 = actbl->ehufsi[0xf0];
   size_t bytes, bytestocopy;  int localbuf = 0;
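Review bot: The declaration `JOCTET _buffer[BUFSIZE], *buffer;` is repeated verbatim here and in flush_bits, together with the same `put_buffer`, `put_bits`, `bytes`, `bytestocopy` and `localbuf` locals. This patch has to change both copies in step to keep the array size consistent with the LOAD_BUFFER threshold. Consider declaring these locals through a single shared macro, or at least adding a comment at each site stating that the array size must equal the threshold tested in LOAD_BUFFER, so the two cannot drift apart again.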