[Bf-blender-cvs] SVN commit: /data/svn/bf-blender [36086] trunk/blender/source/blender/imbuf /intern/jpeg.c: Fix [#26827] Blender Crashes when it opens corrupt jpeg
Andrea Weikert
elubie at gmx.net
Sun Apr 10 13:36:29 CEST 2011
Revision: 36086
http://projects.blender.org/scm/viewvc.php?view=rev&root=bf-blender&revision=36086
Author: elubie
Date: 2011-04-10 11:36:29 +0000 (Sun, 10 Apr 2011)
Log Message:
-----------
Fix [#26827] Blender Crashes when it opens corrupt jpeg
* memory corruption when skipping over long marker (was attempting to read over end of file)
* also updated internal jpeg macros to be the same as in jpeg lib
Modified Paths:
--------------
trunk/blender/source/blender/imbuf/intern/jpeg.c
Modified: trunk/blender/source/blender/imbuf/intern/jpeg.c
===================================================================
--- trunk/blender/source/blender/imbuf/intern/jpeg.c 2011-04-10 11:24:29 UTC (rev 36085)
+++ trunk/blender/source/blender/imbuf/intern/jpeg.c 2011-04-10 11:36:29 UTC (rev 36086)
@@ -163,8 +163,11 @@
my_src_ptr src = (my_src_ptr) cinfo->src;
if(num_bytes > 0) {
- src->pub.next_input_byte = src->pub.next_input_byte + num_bytes;
- src->pub.bytes_in_buffer = src->pub.bytes_in_buffer - num_bytes;
+ // prevent skipping over file end
+ size_t skip_size = (size_t)num_bytes <= src->pub.bytes_in_buffer ? num_bytes : src->pub.bytes_in_buffer;
+
+ src->pub.next_input_byte = src->pub.next_input_byte + skip_size;
+ src->pub.bytes_in_buffer = src->pub.bytes_in_buffer - skip_size;
}
}
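Review bot: The clamp in the `num_bytes > 0` branch shortens the skip silently, so when a marker's declared length runs past the end of the data the caller still believes the whole segment was consumed and decoding resumes with `bytes_in_buffer == 0`. That is safe only if the next read goes through `fill_input_buffer`, which is not visible in this hunk. I would say so at the clamp, for example `/* truncated segment: drop what is left; the next read must go through fill_input_buffer() */`, and consider emitting libjpeg's `WARNMS(cinfo, JWRN_JPEG_EOF);` when `skip_size < (size_t)num_bytes` so corrupt files are reported rather than quietly accepted (this assumes `jerror.h` is available in this file). The function starts above the hunk, so the signature and any earlier checks on `num_bytes` cannot be confirmed here.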
@@ -222,17 +225,19 @@
*/
#define MAKE_BYTE_AVAIL(cinfo,action) \
if (bytes_in_buffer == 0) { \
- if (! (*datasrc->fill_input_buffer) (cinfo)) \
- { action; } \
- INPUT_RELOAD(cinfo); \
- } \
- bytes_in_buffer--
+ if (! (*datasrc->fill_input_buffer) (cinfo)) \
+ { action; } \
+ INPUT_RELOAD(cinfo); \
+ }
+
+
/* Read a byte into variable V.
* If must suspend, take the specified action (typically "return FALSE").
*/
#define INPUT_BYTE(cinfo,V,action) \
MAKESTMT( MAKE_BYTE_AVAIL(cinfo,action); \
+ bytes_in_buffer--; \
V = GETJOCTET(*next_input_byte++); )
/* As above, but read two bytes interpreted as an unsigned 16-bit integer.
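Review bot: With the decrement moved out of `MAKE_BYTE_AVAIL`, `INPUT_BYTE` (and `INPUT_2BYTES` in the next hunk) runs `bytes_in_buffer--` unconditionally after the reload, so both macros depend on `fill_input_buffer` never returning TRUE with an empty buffer. If the counter is a `size_t`, as the first hunk suggests, a zero count would wrap and the following `*next_input_byte++` would read outside the buffer. `fill_input_buffer` is not shown here, so this may already hold, but the requirement should be stated in the macro comment, for example `/* fill_input_buffer() must leave at least one byte available when it returns TRUE */`. `MAKE_BYTE_AVAIL` is also now a bare `if { ... }` with no trailing statement, so it is worth noting that it must only be used inside `MAKESTMT`.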
@@ -240,8 +245,10 @@
*/
#define INPUT_2BYTES(cinfo,V,action) \
MAKESTMT( MAKE_BYTE_AVAIL(cinfo,action); \
+ bytes_in_buffer--; \
V = ((unsigned int) GETJOCTET(*next_input_byte++)) << 8; \
MAKE_BYTE_AVAIL(cinfo,action); \
+ bytes_in_buffer--; \
V += GETJOCTET(*next_input_byte++); )
@@ -252,7 +259,8 @@
char neogeo[128];
INPUT_VARS(cinfo);
-
+
+ length = 0;
INPUT_2BYTES(cinfo, length, return FALSE);
length -= 2;
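Review bot: `length` comes straight from the file and `length -= 2;` is applied without checking that the marker length is at least 2, so a corrupt segment declaring 0 or 1 yields a negative value (or a very large one if `length` is unsigned). The declaration of `length` and the code that uses it to fill `neogeo[128]` or to call the skip routine lie outside the hunk, so whether such a value is tolerated cannot be confirmed here. A guard before the subtraction would make the intent explicit, for example `if (length < 2) length = 2; /* malformed marker: treat segment as empty */`. The new `length = 0;` could also use a short comment, since `INPUT_2BYTES` assigns `V` before reading it and the reason for the initialisation is not obvious.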