jpeg load from buffer shouldn't modify buffer

fill_input_buffer() could write to the input buffer see: https://github.com/jcupitt/libvips/pull/107 thanks Lovell
2014-02-24 17:10:07 +00:00 · 2014-02-24 17:10:07 +00:00 · d843521f77
parent e4f0b4b469
commit d843521f77
3 changed files with 17 additions and 13 deletions
--- a/3
+++ b/3
@ -1,3 +1,6 @@
+24/2/14 started 7.38.5
+- jpeg load from buffer could write to input, thanks Lovell
+
 13/2/14 started 7.38.4
 - --sharpen=none option to vipsthumbnail was broken, thanks ferryfax
 - more locking on property create and lookup to help very-threaded systems,
--- a/configure.ac
+++ b/configure.ac
@ -2,7 +2,7 @@

 # also update the version number in the m4 macros below

-AC_INIT([vips], [7.38.4], [vipsip@jiscmail.ac.uk])
+AC_INIT([vips], [7.38.5], [vipsip@jiscmail.ac.uk])
 # required for gobject-introspection
 AC_PREREQ(2.62)

@ -17,7 +17,7 @@ AC_CONFIG_MACRO_DIR([m4])
 # user-visible library versioning
 m4_define([vips_major_version], [7])
 m4_define([vips_minor_version], [38])
-m4_define([vips_micro_version], [4])
+m4_define([vips_micro_version], [5])
 m4_define([vips_version],
          [vips_major_version.vips_minor_version.vips_micro_version])

@ -37,7 +37,7 @@ VIPS_VERSION_STRING=$VIPS_VERSION-`date`
 #   binary interface changes not backwards compatible?: reset age to 0

 LIBRARY_CURRENT=37
-LIBRARY_REVISION=3
+LIBRARY_REVISION=4
 LIBRARY_AGE=0

 # patched into include/vips/version.h
--- a/libvips/foreign/jpeg2vips.c
+++ b/libvips/foreign/jpeg2vips.c
@ -55,6 +55,8 @@
 * 	- attach IPCT data (app13), thanks Gary
 * 6/7/13
 * 	- null-terminate exif strings, thanks Mike
+ * 24/2/14
+ * 	- don't write to our input buffer, thanks Lovell
 */

 /*
@ -1104,24 +1106,23 @@ init_source (j_decompress_ptr cinfo)
 static boolean
 fill_input_buffer (j_decompress_ptr cinfo)
 {
+  static const JOCTET eoi_buffer[4] = {
+    (JOCTET) 0xFF, (JOCTET) JPEG_EOI, 0, 0
+  };
+
  InputBuffer *src = (InputBuffer *) cinfo->src;
-  size_t nbytes;

  if (src->start_of_file) {
-    nbytes = src->len;
+    src->pub.next_input_byte = src->buf;
+    src->pub.bytes_in_buffer = src->len;
  }
  else {
    WARNMS(cinfo, JWRN_JPEG_EOF);
-    /* Insert a fake EOI marker */
-    src->buf[0] = (JOCTET) 0xFF;
-    src->buf[1] = (JOCTET) JPEG_EOI;
-    nbytes = 2;
+    src->pub.next_input_byte = eoi_buffer;
+    src->pub.bytes_in_buffer = 2;
+    src->start_of_file = FALSE;
  }

-  src->pub.next_input_byte = src->buf;
-  src->pub.bytes_in_buffer = nbytes;
-  src->start_of_file = FALSE;
-
  return TRUE;
 }