From d843521f77ccea7cbfd0c59b98c83938425fad9e Mon Sep 17 00:00:00 2001 From: John Cupitt Date: Mon, 24 Feb 2014 17:10:07 +0000 Subject: [PATCH] jpeg load from buffer shouldn't modify buffer fill_input_buffer() could write to the input buffer see: https://github.com/jcupitt/libvips/pull/107 thanks Lovell --- ChangeLog | 3 +++ configure.ac | 6 +++--- libvips/foreign/jpeg2vips.c | 21 +++++++++++---------- 3 files changed, 17 insertions(+), 13 deletions(-) diff --git a/ChangeLog b/ChangeLog index 08448e20..a0accaef 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,6 @@ +24/2/14 started 7.38.5 +- jpeg load from buffer could write to input, thanks Lovell + 13/2/14 started 7.38.4 - --sharpen=none option to vipsthumbnail was broken, thanks ferryfax - more locking on property create and lookup to help very-threaded systems, diff --git a/configure.ac b/configure.ac index 7c398d1c..8bf05eb3 100644 --- a/configure.ac +++ b/configure.ac @@ -2,7 +2,7 @@ # also update the version number in the m4 macros below -AC_INIT([vips], [7.38.4], [vipsip@jiscmail.ac.uk]) +AC_INIT([vips], [7.38.5], [vipsip@jiscmail.ac.uk]) # required for gobject-introspection AC_PREREQ(2.62) @@ -17,7 +17,7 @@ AC_CONFIG_MACRO_DIR([m4]) # user-visible library versioning m4_define([vips_major_version], [7]) m4_define([vips_minor_version], [38]) -m4_define([vips_micro_version], [4]) +m4_define([vips_micro_version], [5]) m4_define([vips_version], [vips_major_version.vips_minor_version.vips_micro_version]) @@ -37,7 +37,7 @@ VIPS_VERSION_STRING=$VIPS_VERSION-`date` # binary interface changes not backwards compatible?: reset age to 0 LIBRARY_CURRENT=37 -LIBRARY_REVISION=3 +LIBRARY_REVISION=4 LIBRARY_AGE=0 # patched into include/vips/version.h diff --git a/libvips/foreign/jpeg2vips.c b/libvips/foreign/jpeg2vips.c index f103b912..f6193710 100644 --- a/libvips/foreign/jpeg2vips.c +++ b/libvips/foreign/jpeg2vips.c 
@@ -55,6 +55,8 @@
 * - attach IPCT data (app13), thanks Gary
 * 6/7/13
 * - null-terminate exif strings, thanks Mike
+ * 24/2/14
+ * - don't write to our input buffer, thanks Lovell
 */
 /*
@@ -1104,24 +1106,23 @@ init_source (j_decompress_ptr cinfo)
 static boolean
 fill_input_buffer (j_decompress_ptr cinfo)
 {
+ static const JOCTET eoi_buffer[4] = {
+ (JOCTET) 0xFF, (JOCTET) JPEG_EOI, 0, 0
+ };
+
 InputBuffer *src = (InputBuffer *) cinfo->src;
- size_t nbytes;
 if (src->start_of_file) {
- nbytes = src->len;
+ src->pub.next_input_byte = src->buf;
+ src->pub.bytes_in_buffer = src->len;
 }
 else {
 WARNMS(cinfo, JWRN_JPEG_EOF);
- /* Insert a fake EOI marker */
- src->buf[0] = (JOCTET) 0xFF;
- src->buf[1] = (JOCTET) JPEG_EOI;
- nbytes = 2;
+ src->pub.next_input_byte = eoi_buffer;
+ src->pub.bytes_in_buffer = 2;
+ src->start_of_file = FALSE;
 }
- src->pub.next_input_byte = src->buf;
- src->pub.bytes_in_buffer = nbytes;
- src->start_of_file = FALSE;
-
 return TRUE;
 }
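Review bot: In fill_input_buffer(), as the hunk reads, `src->start_of_file = FALSE;` is now set only in the `else` branch, so the first call hands the whole buffer to libjpeg and leaves the flag set. If the decoder exhausts the data and calls back (a truncated or malformed JPEG), the `if` branch would run again and present the same bytes instead of raising JWRN_JPEG_EOF and supplying the fake EOI, so a decode of untrusted input may never terminate. Move the assignment into the first branch, directly after `src->pub.bytes_in_buffer = src->len;`, and drop it from the `else`. A short comment on `eoi_buffer` saying it is a static read-only stand-in, so the caller's buffer is never written, would record why the marker is no longer stored in `src->buf`.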