author | DRC <information@libjpeg-turbo.org> | 2017-11-14 15:30:06 -0600 |
---|---|---|
committer | Max Spector <mspector@google.com> | 2019-09-18 17:13:29 -0700 |
commit | a945517fd9b1630848b78602818b826c7a45b460 (patch) | |
tree | b6d085fd0c0fa51cdbd5402ab36bf33313cf1ca2 | |
parent | 96c8b9aae7e6bb7929137a0938df90e963319f37 (diff) | |
[RESTRICT AUTOMERGE] tjbench.exe: Fix decompression access violationandroid-security-8.1.0_r93android-security-8.1.0_r92android-security-8.1.0_r91android-security-8.1.0_r90android-security-8.1.0_r89android-security-8.1.0_r88android-security-8.1.0_r87android-security-8.1.0_r86android-security-8.1.0_r85android-security-8.1.0_r84android-security-8.1.0_r83android-security-8.1.0_r82android-8.1.0_r81android-8.1.0_r80android-8.1.0_r79android-8.1.0_r78android-8.1.0_r77android-8.1.0_r76android-8.1.0_r75android-8.1.0_r74android-8.1.0_r73android-8.1.0_r72android-8.1.0_r71android-8.1.0_r70security-oc-mr1-releaseoreo-mr1-security-release
This is a backport of an upstream commit. The original commit message
included the following:
"""
The program crashed when a JPEG image was passed on the command line,
because we were mixing our metaphors vis-a-vis malloc()/free() and
tjAlloc()/tjFree() (malloc()/free() uses the tjbench.exe heap,
whereas tjAlloc()/tjFree() uses the turbojpeg.dll heap.)
"""
This commit was pulled in due to a SEGFAULT that appeared after
backporting the fix to the original bug.
Bug: 120551338
Test: tj64 /data/local/tmp/crash-46.jpg
See b/120551338#comment1 to get crash-46.jpg
Change-Id: Ie970992b659118406528bc7519f22a1ae67ff14e
(cherry picked from commit 31f2242ed3be70079a2f592b94fa60cbf10c89f8)
-rw-r--r-- | README.android | 7 | ||||
-rw-r--r-- | tjbench.c | 13 |
2 files changed, 13 insertions, 7 deletions
diff --git a/README.android b/README.android
index ba6a9ce8..2aa139cf 100644
--- a/README.android
+++ b/README.android
@@ -46,3 +46,10 @@ This was pulled in due to a SEGFAULT that occurs when running the
 proof-of-concept for (5)
 Cherry picked from upstream:
 https://github.com/libjpeg-turbo/libjpeg-turbo/commit/11eec4a398f3fc1b9d39c1d3b81b53ae85d9b5e6
+
+(7) tjbench.c
+Fix memory management access violation
+This was pulled in due to a SEGFAULT that occurs when running the
+proof-of-concept for (5)
+Cherry picked from upstream:
+https://github.com/libjpeg-turbo/libjpeg-turbo/commit/5fce2e942136cb70e5a30ff15a2d58b07947aa84
@@ -504,7 +504,7 @@ int decompTest(char *filename)
 char *temp=NULL, tempstr[80], tempstr2[80];
 int row, col, i, iter, tilew, tileh, ntilesw=1, ntilesh=1, retval=0;
 double start, elapsed;
- int ps=tjPixelSize[pf], tile;
+ int ps=tjPixelSize[pf], tile, decompsrc=0;
 
 if((file=fopen(filename, "rb"))==NULL)
 _throwunix("opening file");
@@ -682,18 +682,17 @@ int decompTest(char *filename)
 else
 {
 if(quiet==1) printf("N/A N/A ");
- jpegsize[0]=srcsize;
- free(jpegbuf[0]);
- jpegbuf[0]=srcbuf;
- srcbuf=NULL;
+ tjFree(jpegbuf[0]);
+ jpegbuf[0]=NULL;
+ decompsrc=1;
 }
 
 if(w==tilew) _tilew=_w;
 if(h==tileh) _tileh=_h;
 if(!(xformopt&TJXOPT_NOOUTPUT))
 {
- if(decomp(NULL, jpegbuf, jpegsize, NULL, _w, _h, _subsamp, 0,
- filename, _tilew, _tileh)==-1)
+ if(decomp(NULL, decompsrc? &srcbuf:jpegbuf, decompsrc? &srcsize:jpegsize,
+ NULL, _w, _h, _subsamp, 0, filename, _tilew, _tileh)==-1)
 goto bailout;
 }
 else if(quiet==1) printf("N/A\n"); |
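Review bot: The ownership rule this fix depends on is not written down anywhere in the new `else` branch of the `@@ -682` hunk: `srcbuf` stays owned by `decompTest()` and is only lent to `decomp()` through `&srcbuf`, while `jpegbuf[0]` is released with `tjFree()`. Per the commit message the two buffers belong to different heaps, so a comment next to `decompsrc=1;` such as `/* decompress straight from srcbuf: it stays malloc()-owned, release with free(), never tjFree() */` would keep a later edit from reintroducing the mismatch. The `bailout` cleanup lies outside the hunk, so it should be confirmed there that `srcbuf` is freed with `free()` now that it is no longer set to NULL on this path, and that the remaining `jpegbuf[]` cleanup tolerates `jpegbuf[0]==NULL`. `decompsrc` is function-scoped (declared in the `@@ -504` hunk) and never cleared in the visible lines; if this branch sits inside a loop, which the hunk does not show, resetting it with `decompsrc=0;` in the other branch would stop a stale flag from selecting `srcbuf` after `jpegbuf` has been refilled.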