From 2f897315ad8fcce137ee356105bb0c69db5228de Mon Sep 17 00:00:00 2001 From: John Cupitt Date: Tue, 19 Jun 2012 08:52:06 +0100 Subject: [PATCH] fix a crash with corrupted jpg files three was a double-free crash with a scrambled jpg file, thanks Grigoriy --- ChangeLog | 3 ++- libvips/foreign/jpeg2vips.c | 9 +++------ 2 files changed, 5 insertions(+), 7 deletions(-) diff --git a/ChangeLog b/ChangeLog index bc2a16ba..1468907d 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,7 +1,8 @@ 18/6/12 started 7.28.7 - add vips_flatten() -- flatten RGBA to RGB - better alpha handling in PNG load -- don't save RGBA PNG as CMYK JPG +- don't save RGBA PNG as CMYK JPG (thanks Tobsn) +- fix a crash with malformed jpg files (thanks Grigoriy) 19/4/12 started 7.28.6 - better resolution unit handling in deprecated im_vips2tiff() diff --git a/libvips/foreign/jpeg2vips.c b/libvips/foreign/jpeg2vips.c index 33908ed3..925c8018 100644 --- a/libvips/foreign/jpeg2vips.c +++ b/libvips/foreign/jpeg2vips.c @@ -135,7 +135,6 @@ typedef struct _ReadJpeg { /* Used for file input only. */ - FILE *fp; char *filename; struct jpeg_decompress_struct cinfo; @@ -179,7 +178,7 @@ readjpeg_free( ReadJpeg *jpeg ) jpeg->decompressing = FALSE; } - VIPS_FREEF( fclose, jpeg->fp ); + VIPS_FREEF( fclose, jpeg->eman.fp ); VIPS_FREE( jpeg->filename ); jpeg->eman.fp = NULL; jpeg_destroy_decompress( &jpeg->cinfo ); @@ -203,7 +202,6 @@ readjpeg_new( VipsImage *out, int shrink, gboolean fail ) jpeg->out = out; jpeg->shrink = shrink; jpeg->fail = fail; - jpeg->fp = NULL; jpeg->filename = NULL; jpeg->decompressing = FALSE; 
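Review bot: Nothing visible in this diff initialises `jpeg->eman.fp` to NULL before readjpeg_free() passes it to fclose. The following hunk removes `jpeg->fp = NULL;` from readjpeg_new(), which was the only file-pointer initialisation shown. The new `VIPS_FREEF( fclose, jpeg->eman.fp );` is therefore safe only if readjpeg_new() sets `jpeg->eman.fp = NULL;` somewhere outside the shown lines. Please confirm that, because the struct comment "Used for file input only" suggests some loads never call readjpeg_file() and would reach this close with whatever the field holds. Separately, the `jpeg->eman.fp = NULL;` kept two lines below looks redundant if VIPS_FREEF clears the pointer it frees (its definition is not in this diff); both functions start and end outside their hunks.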
@@ -225,10 +223,9 @@ static int readjpeg_file( ReadJpeg *jpeg, const char *filename ) { jpeg->filename = g_strdup( filename ); - if( !(jpeg->fp = vips__file_open_read( filename, NULL, FALSE )) ) + if( !(jpeg->eman.fp = vips__file_open_read( filename, NULL, FALSE )) ) return( -1 ); - jpeg->eman.fp = jpeg->fp; - jpeg_stdio_src( &jpeg->cinfo, jpeg->fp ); + jpeg_stdio_src( &jpeg->cinfo, jpeg->eman.fp ); return( 0 ); }
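Review bot: readjpeg_file() has no comment explaining why the handle now lives only in `jpeg->eman.fp`, and that is the invariant the whole fix rests on. Judging from the commit message, the old `jpeg->fp` copy could be closed a second time after the file had already been closed through the error manager, though the code that does the first close is not in this diff. I would add `/* Keep the FILE only in eman.fp: a second copy can go stale and be closed twice. */` above the `vips__file_open_read()` call so a later change does not reintroduce a cached pointer.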