-rw-r--r-- | README.chromium | 4 | ||||
-rw-r--r-- | gtest/gtest-utils.cpp | 2 | ||||
-rw-r--r-- | gtest/tjbench-gtest-wrapper.cpp | 4 | ||||
-rw-r--r-- | jcomapi.c | 5 | ||||
-rw-r--r-- | jdmarker.c | 14 | ||||
-rw-r--r-- | jpegint.h | 7 |
6 files changed, 23 insertions, 13 deletions
diff --git a/README.chromium b/README.chromium index 78e33e25..2fc5ab1a 100644 --- a/README.chromium +++ b/README.chromium @@ -50,6 +50,10 @@ following changes which are not merged to upstream: lld) arising from attempts to reference the table from assembler on 32-bit x86. This only affects shared libraries, but that's important for downstream Android builds. +* Merged upstream patch https://github.com/libjpeg-turbo/libjpeg-turbo/commit/0fc7313e545a3ff499c19ee6591bb87f0ad8b2a4 + This patch resolves an O(n^2) slowdown issue when JPEG files contain an + enormous number of markers; this would only occur in a maliciouly-crafted + image, or through fuzzing. * Patches to enable running the upstream unit tests through GTest. The upstream unit tests are defined here under the section 'TESTS': https://github.com/libjpeg-turbo/libjpeg-turbo/blob/master/CMakeLists.txt diff --git a/gtest/gtest-utils.cpp b/gtest/gtest-utils.cpp index b6df7aba..b64fb888 100644 --- a/gtest/gtest-utils.cpp +++ b/gtest/gtest-utils.cpp @@ -40,7 +40,7 @@ std::string GetTargetDirectory() { #endif void GetTestFilePath(base::FilePath* path, const std::string filename) { - ASSERT_TRUE(base::PathService::Get(base::DIR_SOURCE_ROOT, path)); + ASSERT_TRUE(base::PathService::Get(base::DIR_SRC_TEST_DATA_ROOT, path)); *path = path->AppendASCII("third_party"); *path = path->AppendASCII("libjpeg_turbo"); *path = path->AppendASCII("testimages"); diff --git a/gtest/tjbench-gtest-wrapper.cpp b/gtest/tjbench-gtest-wrapper.cpp index 700b1994..cdb671ae 100644 --- a/gtest/tjbench-gtest-wrapper.cpp +++ b/gtest/tjbench-gtest-wrapper.cpp 
@@ -60,7 +60,7 @@ class TJBenchTest : public static void SetUpTestSuite() { base::FilePath resource_path; - ASSERT_TRUE(base::PathService::Get(base::DIR_SOURCE_ROOT, &resource_path)); + ASSERT_TRUE(base::PathService::Get(base::DIR_SRC_TEST_DATA_ROOT, &resource_path)); resource_path = resource_path.AppendASCII("third_party"); resource_path = resource_path.AppendASCII("libjpeg_turbo"); resource_path = resource_path.AppendASCII("testimages"); @@ -130,7 +130,7 @@ class TJBenchTestMerged : public static void SetUpTestSuite() { base::FilePath resource_path; - ASSERT_TRUE(base::PathService::Get(base::DIR_SOURCE_ROOT, &resource_path)); + ASSERT_TRUE(base::PathService::Get(base::DIR_SRC_TEST_DATA_ROOT, &resource_path)); resource_path = resource_path.AppendASCII("third_party"); resource_path = resource_path.AppendASCII("libjpeg_turbo"); resource_path = resource_path.AppendASCII("testimages"); @@ -3,8 +3,8 @@ * * This file was part of the Independent JPEG Group's software: * Copyright (C) 1994-1997, Thomas G. Lane. - * It was modified by The libjpeg-turbo Project to include only code relevant - * to libjpeg-turbo. + * libjpeg-turbo Modifications: + * Copyright (C) 2024, D. R. Commander. * For conditions of distribution and use, see the accompanying README.ijg * file. * @@ -51,6 +51,7 @@ jpeg_abort(j_common_ptr cinfo) * A bit kludgy to do it here, but this is the most central place. */ ((j_decompress_ptr)cinfo)->marker_list = NULL; + ((j_decompress_ptr)cinfo)->master->marker_list_end = NULL; } else { cinfo->global_state = CSTATE_START; } @@ -3,8 +3,10 @@ * * This file was part of the Independent JPEG Group's software: * Copyright (C) 1991-1998, Thomas G. Lane. + * Lossless JPEG Modifications: + * Copyright (C) 1999, Ken Murchison. * libjpeg-turbo Modifications: - * Copyright (C) 2012, 2015, 2022, D. R. Commander. + * Copyright (C) 2012, 2015, 2022, 2024, D. R. Commander. * For conditions of distribution and use, see the accompanying README.ijg * file. * 
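Review bot: In jpeg_abort (jcomapi.c), the added `((j_decompress_ptr)cinfo)->master->marker_list_end = NULL;` dereferences `master` without a check, whereas the existing line above it only writes a field of `cinfo` itself. Whether `master` is always allocated by the time an application can call jpeg_abort() is not visible in this hunk. If a decompress object whose creation failed partway can reach this branch, the new line becomes a NULL dereference. Either guard it with `if (((j_decompress_ptr)cinfo)->master != NULL)`, or add a comment stating where `master` is allocated and why it cannot be NULL here. The body of jpeg_abort starts and ends outside the hunk.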
@@ -815,13 +817,11 @@ save_marker(j_decompress_ptr cinfo) /* Done reading what we want to read */ if (cur_marker != NULL) { /* will be NULL if bogus length word */ /* Add new marker to end of list */ - if (cinfo->marker_list == NULL) { - cinfo->marker_list = cur_marker; + if (cinfo->marker_list == NULL || cinfo->master->marker_list_end == NULL) { + cinfo->marker_list = cinfo->master->marker_list_end = cur_marker; } else { - jpeg_saved_marker_ptr prev = cinfo->marker_list; - while (prev->next != NULL) - prev = prev->next; - prev->next = cur_marker; + cinfo->master->marker_list_end->next = cur_marker; + cinfo->master->marker_list_end = cur_marker; } /* Reset pointer & calc remaining data length */ data = cur_marker->data; @@ -4,8 +4,10 @@ * This file was part of the Independent JPEG Group's software: * Copyright (C) 1991-1997, Thomas G. Lane. * Modified 1997-2009 by Guido Vollbeding. + * Lossless JPEG Modifications: + * Copyright (C) 1999, Ken Murchison. * libjpeg-turbo Modifications: - * Copyright (C) 2015-2016, 2019, 2021, D. R. Commander. + * Copyright (C) 2015-2017, 2019, 2021-2022, 2024, D. R. Commander. * Copyright (C) 2015, Google, Inc. * Copyright (C) 2021, Alex Richardson. * For conditions of distribution and use, see the accompanying README.ijg @@ -174,6 +176,9 @@ struct jpeg_decomp_master { /* Last iMCU row that was successfully decoded */ JDIMENSION last_good_iMCU_row; + + /* Tail of list of saved markers */ + jpeg_saved_marker_ptr marker_list_end; }; /* Input control module */ |
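Review bot: In save_marker (jdmarker.c), the append now trusts the cached `cinfo->master->marker_list_end` instead of walking from `cinfo->marker_list`, so the list stays consistent only while every path that changes or frees the list also updates the tail. The new condition handles a NULL head or a NULL tail, but not a non-NULL tail that no longer belongs to the current list, for example if the head were reassigned elsewhere. In that case `marker_list_end->next = cur_marker` would write through a detached or already-freed node. The only reset visible on this page is the one in jpeg_abort, so please confirm there is no other writer of `marker_list`. The invariant should also be recorded next to the new field in jpegint.h, e.g. `/* Tail of list of saved markers; must be reset whenever marker_list is reset or its pool is freed */`. save_marker's body continues outside the hunk.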