[gdk-pixbuf] jpeg: Prevent crashes when stopping loading files with errors



commit 28ff9129141825e50ef9dc7b1eec64b82908cdda
Author: Bastien Nocera <hadess hadess net>
Date:   Tue Dec 5 11:36:02 2017 +0100

    jpeg: Prevent crashes when stopping loading files with errors
    
    This time, we want to make sure to avoid accessing JPEG internals when
    an error has already been set, in which case the file is irrecoverable.
    
    Reproducer in pixbuf-randomly-modified, with file valid.2.jpeg and
    seed R02S3d1f92e3076dbe16d2840cc408188f81

 gdk-pixbuf/io-jpeg.c |   31 +++++++++++++++++--------------
 1 files changed, 17 insertions(+), 14 deletions(-)
---
diff --git a/gdk-pixbuf/io-jpeg.c b/gdk-pixbuf/io-jpeg.c
index 6d9169f..e399722 100644
--- a/gdk-pixbuf/io-jpeg.c
+++ b/gdk-pixbuf/io-jpeg.c
@@ -850,20 +850,23 @@ gdk_pixbuf__jpeg_image_stop_load (gpointer data, GError **error)
 
        cinfo = &context->cinfo;
 
-       /* Try to finish loading truncated files */
-       if (context->pixbuf &&
-           cinfo->output_scanline < cinfo->output_height) {
-               my_src_ptr src = (my_src_ptr) cinfo->src;
-
-               /* But only if there's enough buffer space left */
-               if (src->skip_next < sizeof(src->buffer) - 2) {
-                       /* Insert a fake EOI marker */
-                       src->buffer[src->skip_next] = (JOCTET) 0xFF;
-                       src->buffer[src->skip_next + 1] = (JOCTET) JPEG_EOI;
-                       src->pub.next_input_byte = src->buffer + src->skip_next;
-                       src->pub.bytes_in_buffer = 2;
-
-                       gdk_pixbuf__jpeg_image_load_lines (context, NULL);
+       context->jerr.error = error;
+       if (!sigsetjmp (context->jerr.setjmp_buffer, 1)) {
+               /* Try to finish loading truncated files */
+               if (context->pixbuf &&
+                   cinfo->output_scanline < cinfo->output_height) {
+                       my_src_ptr src = (my_src_ptr) cinfo->src;
+
+                       /* But only if there's enough buffer space left */
+                       if (src->skip_next < sizeof(src->buffer) - 2) {
+                               /* Insert a fake EOI marker */
+                               src->buffer[src->skip_next] = (JOCTET) 0xFF;
+                               src->buffer[src->skip_next + 1] = (JOCTET) JPEG_EOI;
+                               src->pub.next_input_byte = src->buffer + src->skip_next;
+                               src->pub.bytes_in_buffer = 2;
+
+                               gdk_pixbuf__jpeg_image_load_lines (context, NULL);
+                       }
                }
        }
 
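Review bot: The new guard `context->jerr.error = error;` / `if (!sigsetjmp (context->jerr.setjmp_buffer, 1))` carries no comment saying what it protects against, and the fallthrough after a non-zero return looks identical to the success path, so a reader cannot tell that the rest of gdk_pixbuf__jpeg_image_stop_load (which continues outside the hunk) is expected to run with `*error` already populated. Suggest `/* libjpeg's error_exit siglongjmps back here on a decode error; the fake-EOI recovery below must then be skipped because cinfo is no longer usable */` above the `if`. Locals assigned between the sigsetjmp and a longjmp, such as `src`, have indeterminate values once the jump is taken, so nothing after the guarded block should read them; nothing visible does, but the return path should be checked. Whether the error handler actually reports through the pointer saved in `context->jerr.error`, and what the function returns after the jump, is not visible here and should be confirmed before relying on the fallthrough.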

