summaryrefslogtreecommitdiffstats
path: root/media/libjpeg/1050342.diff
diff options
context:
space:
mode:
Diffstat (limited to 'media/libjpeg/1050342.diff')
-rw-r--r--media/libjpeg/1050342.diff121
1 files changed, 121 insertions, 0 deletions
diff --git a/media/libjpeg/1050342.diff b/media/libjpeg/1050342.diff
new file mode 100644
index 000000000..a409ca2c4
--- /dev/null
+++ b/media/libjpeg/1050342.diff
@@ -0,0 +1,121 @@
+Bug 1050342. Fix a case where the fast huffman decoder in libjpeg-turbo can produce different results depending on how data is fed to it.
+
+This change comes from the blink repo https://codereview.appspot.com/229430043/ and is unlikely to be accepted upstream into libjpeg-turbo.
+
+diff --git jdhuff.c jdhuff.c
+--- jdhuff.c
++++ jdhuff.c
+@@ -664,17 +664,17 @@ decode_mcu_fast (j_decompress_ptr cinfo,
+ ASSIGN_STATE(state, entropy->saved);
+
+ for (blkn = 0; blkn < cinfo->blocks_in_MCU; blkn++) {
+ JBLOCKROW block = MCU_data ? MCU_data[blkn] : NULL;
+ d_derived_tbl *dctbl = entropy->dc_cur_tbls[blkn];
+ d_derived_tbl *actbl = entropy->ac_cur_tbls[blkn];
+ register int s, k, r, l;
+
+- HUFF_DECODE_FAST(s, l, dctbl);
++ HUFF_DECODE_FAST(s, l, dctbl, slow_decode_mcu);
+ if (s) {
+ FILL_BIT_BUFFER_FAST
+ r = GET_BITS(s);
+ s = HUFF_EXTEND(r, s);
+ }
+
+ if (entropy->dc_needed[blkn]) {
+ int ci = cinfo->MCU_membership[blkn];
+@@ -682,17 +682,17 @@ decode_mcu_fast (j_decompress_ptr cinfo,
+ state.last_dc_val[ci] = s;
+ if (block)
+ (*block)[0] = (JCOEF) s;
+ }
+
+ if (entropy->ac_needed[blkn] && block) {
+
+ for (k = 1; k < DCTSIZE2; k++) {
+- HUFF_DECODE_FAST(s, l, actbl);
++ HUFF_DECODE_FAST(s, l, actbl, slow_decode_mcu);
+ r = s >> 4;
+ s &= 15;
+
+ if (s) {
+ k += r;
+ FILL_BIT_BUFFER_FAST
+ r = GET_BITS(s);
+ s = HUFF_EXTEND(r, s);
+@@ -701,33 +701,34 @@ decode_mcu_fast (j_decompress_ptr cinfo,
+ if (r != 15) break;
+ k += 15;
+ }
+ }
+
+ } else {
+
+ for (k = 1; k < DCTSIZE2; k++) {
+- HUFF_DECODE_FAST(s, l, actbl);
++ HUFF_DECODE_FAST(s, l, actbl, slow_decode_mcu);
+ r = s >> 4;
+ s &= 15;
+
+ if (s) {
+ k += r;
+ FILL_BIT_BUFFER_FAST
+ DROP_BITS(s);
+ } else {
+ if (r != 15) break;
+ k += 15;
+ }
+ }
+ }
+ }
+
+ if (cinfo->unread_marker != 0) {
++slow_decode_mcu:
+ cinfo->unread_marker = 0;
+ return FALSE;
+ }
+
+ br_state.bytes_in_buffer -= (buffer - br_state.next_input_byte);
+ br_state.next_input_byte = buffer;
+ BITREAD_SAVE_STATE(cinfo,entropy->bitstate);
+ ASSIGN_STATE(entropy->saved, state);
+diff --git jdhuff.h jdhuff.h
+--- jdhuff.h
++++ jdhuff.h
+@@ -203,32 +203,34 @@ EXTERN(boolean) jpeg_fill_bit_buffer
+ } else { \
+ slowlabel: \
+ if ((result=jpeg_huff_decode(&state,get_buffer,bits_left,htbl,nb)) < 0) \
+ { failaction; } \
+ get_buffer = state.get_buffer; bits_left = state.bits_left; \
+ } \
+ }
+
+-#define HUFF_DECODE_FAST(s,nb,htbl) \
++#define HUFF_DECODE_FAST(s,nb,htbl,slowlabel) \
+ FILL_BIT_BUFFER_FAST; \
+ s = PEEK_BITS(HUFF_LOOKAHEAD); \
+ s = htbl->lookup[s]; \
+ nb = s >> HUFF_LOOKAHEAD; \
+ /* Pre-execute the common case of nb <= HUFF_LOOKAHEAD */ \
+ DROP_BITS(nb); \
+ s = s & ((1 << HUFF_LOOKAHEAD) - 1); \
+ if (nb > HUFF_LOOKAHEAD) { \
+ /* Equivalent of jpeg_huff_decode() */ \
+ /* Don't use GET_BITS() here because we don't want to modify bits_left */ \
+ s = (get_buffer >> bits_left) & ((1 << (nb)) - 1); \
+ while (s > htbl->maxcode[nb]) { \
+ s <<= 1; \
+ s |= GET_BITS(1); \
+ nb++; \
+ } \
+- s = htbl->pub->huffval[ (int) (s + htbl->valoffset[nb]) & 0xFF ]; \
++ if (nb > 16) \
++ goto slowlabel; \
++ s = htbl->pub->huffval[ (int) (s + htbl->valoffset[nb]) ]; \
+ }
+
+ /* Out-of-line case for Huffman code fetching */
+ EXTERN(int) jpeg_huff_decode
+ (bitread_working_state *state, register bit_buf_type get_buffer,
+ register int bits_left, d_derived_tbl *htbl, int min_bits);