[Bf-blender-cvs] SVN commit: /data/svn/bf-blender [36086] trunk/blender/source/blender/imbuf /intern/jpeg.c: Fix [#26827] Blender Crashes when it opens corrupt jpeg

Andrea Weikert elubie at gmx.net
Sun Apr 10 13:36:29 CEST 2011


Revision: 36086
          http://projects.blender.org/scm/viewvc.php?view=rev&root=bf-blender&revision=36086
Author:   elubie
Date:     2011-04-10 11:36:29 +0000 (Sun, 10 Apr 2011)
Log Message:
-----------
Fix [#26827] Blender Crashes when it opens corrupt jpeg
* memory corruption when skipping over long marker (was attempting to read over end of file)
* also updated internal jpeg macros to be the same as in jpeg lib

Modified Paths:
--------------
    trunk/blender/source/blender/imbuf/intern/jpeg.c

Modified: trunk/blender/source/blender/imbuf/intern/jpeg.c
===================================================================
--- trunk/blender/source/blender/imbuf/intern/jpeg.c	2011-04-10 11:24:29 UTC (rev 36085)
+++ trunk/blender/source/blender/imbuf/intern/jpeg.c	2011-04-10 11:36:29 UTC (rev 36086)
@@ -163,8 +163,11 @@
 	my_src_ptr src = (my_src_ptr) cinfo->src;
 
 	if(num_bytes > 0) {
-		src->pub.next_input_byte = src->pub.next_input_byte + num_bytes;
-		src->pub.bytes_in_buffer = src->pub.bytes_in_buffer - num_bytes;
+		// prevent skipping over file end
+		size_t skip_size = (size_t)num_bytes <= src->pub.bytes_in_buffer ? num_bytes : src->pub.bytes_in_buffer;
+
+		src->pub.next_input_byte = src->pub.next_input_byte + skip_size;
+		src->pub.bytes_in_buffer = src->pub.bytes_in_buffer - skip_size;
 	}
 }
 
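Review bot: When `num_bytes` exceeds `src->pub.bytes_in_buffer`, the clamp in this hunk silently drops the excess and leaves `bytes_in_buffer` at 0, so the next `MAKE_BYTE_AVAIL` goes through `fill_input_buffer`, which is not visible here; the fix is only complete if that callback synthesizes an EOI marker for an exhausted source, as the stock libjpeg memory source does, and that dependency deserves a comment: `/* Clamp to what is buffered; an oversized skip exhausts the source and fill_input_buffer must then supply a fake EOI. */`. The conditional also mixes a `long` and a `size_t` operand in its two branches; writing `(size_t)num_bytes` on both sides makes the intended type explicit: `size_t skip_size = (size_t)num_bytes <= src->pub.bytes_in_buffer ? (size_t)num_bytes : src->pub.bytes_in_buffer;`. The enclosing skip function begins outside the hunk.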
@@ -222,17 +225,19 @@
  */
 #define MAKE_BYTE_AVAIL(cinfo,action)  \
 	if (bytes_in_buffer == 0) {  \
-		if (! (*datasrc->fill_input_buffer) (cinfo))  \
-			{ action; }  \
-		  INPUT_RELOAD(cinfo);  \
-	}  \
-	bytes_in_buffer--
+	  if (! (*datasrc->fill_input_buffer) (cinfo))  \
+	    { action; }  \
+	  INPUT_RELOAD(cinfo);  \
+	}
 
+	
+
 /* Read a byte into variable V.
  * If must suspend, take the specified action (typically "return FALSE").
  */
 #define INPUT_BYTE(cinfo,V,action)  \
 	MAKESTMT( MAKE_BYTE_AVAIL(cinfo,action); \
+		  bytes_in_buffer--; \
 		  V = GETJOCTET(*next_input_byte++); )
 
 /* As above, but read two bytes interpreted as an unsigned 16-bit integer.
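Review bot: `MAKE_BYTE_AVAIL` no longer decrements `bytes_in_buffer`; the decrement now lives in `INPUT_BYTE` here and in `INPUT_2BYTES` in the following hunk, so any other expansion of `MAKE_BYTE_AVAIL` in this file that relied on the old implicit decrement would now leave the local count one too high and needs its own `bytes_in_buffer--;`, which cannot be confirmed from the hunk. The changed contract should be stated on the macro itself, e.g. `/* Ensure at least one byte is buffered (suspending via 'action' if not); the caller consumes it and must decrement bytes_in_buffer. */`. The two added blank lines after the macro include a tab-only line that is whitespace noise.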
@@ -240,8 +245,10 @@
  */
 #define INPUT_2BYTES(cinfo,V,action)  \
 	MAKESTMT( MAKE_BYTE_AVAIL(cinfo,action); \
+		  bytes_in_buffer--; \
 		  V = ((unsigned int) GETJOCTET(*next_input_byte++)) << 8; \
 		  MAKE_BYTE_AVAIL(cinfo,action); \
+		  bytes_in_buffer--; \
 		  V += GETJOCTET(*next_input_byte++); )
 
 
@@ -252,7 +259,8 @@
 	char neogeo[128];
 	
 	INPUT_VARS(cinfo);
-
+	
+	length = 0;
 	INPUT_2BYTES(cinfo, length, return FALSE);
 	length -= 2;
 	
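Review bot: `length -= 2;` runs directly on the marker length read from the file, and a corrupt marker can carry a length of 0 or 1; whether that subtraction goes negative or wraps to a huge value depends on the declared type of `length`, which is outside the hunk. If `length` is unsigned, a subsequent read or skip driven by it would use an enormous count, so a guard such as `if (length < 2) return FALSE;` before the subtraction (or a confirmed signed comparison downstream) is worth adding. The added `length = 0;` is only defensive, since `INPUT_2BYTES` assigns `length` with `=` before any `+=`, and the blank line it replaces now carries a stray tab. The enclosing marker handler begins outside the hunk.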



