2007 Apr 18
2
libswfdec/jpeg
libswfdec/jpeg/jpeg_rgb_decoder.c | 1 -
1 files changed, 1 deletion(-)
New commits:
diff-tree 15ed4a69b4ffc265fe103ba79a0b60af7e42a9fa (from 2073f39bc0b0aa90f1f67def9bb3f0c6b68018ae)
Author: Benjamin Otte <otte@gnome.org>
Date: Wed Apr 18 10:47:06 2007 +0200
remove leftover debugging statement
diff --git a/libswfdec/jpeg/jpeg_rgb_decoder.c b/libswfdec/jpeg/jpeg_rgb_decoder.c
2007 Apr 17
0
8 commits - configure.ac doc/Makefile.am libswfdec/jpeg libswfdec/swfdec_debug.h libswfdec/swfdec_image.c
...rt_interval=%d", dec->restart_interval);
return length;
}
int
-jpeg_decoder_restart (JpegDecoder * dec, bits_t * bits)
+jpeg_decoder_restart (JpegDecoder * dec, JpegBits * bits)
{
- OIL_DEBUG ("restart");
+ SWFDEC_DEBUG ("restart");
return 0;
}
void
-jpeg_decoder_decode_entropy_segment (JpegDecoder * dec, bits_t * bits)
+jpeg_decoder_decode_entropy_segment (JpegDecoder * dec)
{
- bits_t b2, *bits2 = &b2;
+ JpegBits * bits = &dec->bits;
+ JpegBits b2, *bits2 = &b2;
short block[64];
short block2[64];
unsigned char *newptr;
@@ -648,7 +396,7 @@ jpeg_decode...
2007 Apr 18
0
6 commits - libswfdec-gtk/swfdec_gtk_widget.c libswfdec/jpeg libswfdec/swfdec_image.c
...Benjamin Otte <otte@gnome.org>
Date: Wed Apr 18 13:43:30 2007 +0200
fix security problem with overreading available data
diff --git a/libswfdec/jpeg/jpeg.c b/libswfdec/jpeg/jpeg.c
index 0c648c2..62aa499 100644
--- a/libswfdec/jpeg/jpeg.c
+++ b/libswfdec/jpeg/jpeg.c
@@ -381,6 +381,7 @@ jpeg_decoder_decode_entropy_segment (Jpe
short block2[64];
unsigned char *newptr;
int len;
+ int maxlen;
int j;
int i;
int go;
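Review bot: `maxlen` is added as a signed `int` with nothing saying what it bounds, and the next hunk sets it to `jpeg_bits_available (bits) - 1`, which is -1 when no bytes are left in the segment. The scan loop that uses it is cut off in this view, so it is not possible to confirm that a zero or negative bound is rejected before `bits->ptr[len]` is read; an explicit guard such as `if (maxlen < 0)` taking the function's own error path, placed before the loop, would make that case unambiguous. The declaration should also say whether the bound on `len` is inclusive or exclusive, for example `int maxlen; /* bound on len for the marker scan: available bytes minus one */`, since an off-by-one here is the difference between a fixed and a still-present overread. The body of jpeg_decoder_decode_entropy_segment begins and ends outside this hunk.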
@@ -389,11 +390,11 @@ jpeg_decoder_decode_entropy_segment (Jpe
int ret;
len = 0;
+ maxlen = jpeg_bits_available (bits) - 1;
j = 0;
- while (1) {
- if (bits->ptr[len] == 0...
2007 Feb 13
0
libswfdec/jpeg libswfdec/swfdec_image.c
...=%d", dec->restart_interval);
return length;
}
@@ -645,7 +620,7 @@ jpeg_decoder_restart_interval (JpegDecod
int
jpeg_decoder_restart (JpegDecoder * dec, bits_t * bits)
{
- JPEG_DEBUG ("restart");
+ OIL_DEBUG ("restart");
return 0;
}
@@ -673,11 +648,11 @@ jpeg_decoder_decode_entropy_segment (Jpe
}
len++;
}
- JPEG_DEBUG ("entropy length = %d", len);
+ OIL_DEBUG ("entropy length = %d", len);
/* we allocate extra space, since the getbits() code can
* potentially read past the end of the buffer */
- newptr = g_malloc (len + 2);
+ newptr = mall...
2008 Apr 16
8
[Bug 15528] New: jpeg decoder allocation size overflows
...id=15947)
Test jpegs
The two files cookiemon.jpg and wookiemon.jpg in the attached tar file trigger
allocation overflows on x86 and amd64. Valgrind says:
[for wookiemon.jpg]
==4516== Invalid write of size 1
==4516== at 0x445D8F8: (within /usr/lib/liboil-0.3.so.0.1.0)
==4516== by 0x80497FF: jpeg_decoder_decode_entropy_segment (jpeg.c:503)
==4516== by 0x8049DEB: jpeg_decoder_decode (jpeg.c:683)
==4516== by 0x804B1E1: jpeg_decode_argb (jpeg_rgb_decoder.c:58)
==4516== by 0x8048A51: main (load.c:46)
==4516== Address 0x632C490 is 0 bytes after a block of size 0 alloc'd
==4516== at 0x442438B: malloc (vg_repla...