authorDRC <dcommander@users.sourceforge.net>2015-06-08 17:41:34 +0000
committerDRC <dcommander@users.sourceforge.net>2015-06-08 17:41:34 +0000
commitf15ef3376870abb4a31c2d3661ab08b0c3ce50de (patch)
tree13cd23749255f26705c23e0b05125613f253fa39
parent1f79c7c8c8c5e993042ea816e1dd161fb69061a3 (diff)
downloadlibjpeg-turbo-f15ef3376870abb4a31c2d3661ab08b0c3ce50de.tar.gz
Fix a segfault that occurred in the MIPS DSPr2 fancy upsampling routine when downsampled_width==3. Because the DSPr2 code unrolls the loop for the middle columns (refer to jdsample.c), it has the effect of performing two column iterations, and that only works properly if the number of columns (minus the first and last) is >= 2. For the specific case of downsampled_width==3, this patch skips to the second iteration of the unrolled column loop.
git-svn-id: svn+ssh://svn.code.sf.net/p/libjpeg-turbo/code/branches/1.4.x@1562 632fc199-4ca6-4c93-a231-07263d6284db
-rw-r--r--ChangeLog.txt4
-rw-r--r--simd/jsimd_mips_dspr2.S4
2 files changed, 7 insertions, 1 deletions
diff --git a/ChangeLog.txt b/ChangeLog.txt
index e545606b..c3b33164 100644
--- a/ChangeLog.txt
+++ b/ChangeLog.txt
@@ -53,6 +53,10 @@ corrupt, the TurboJPEG decompression functions will attempt to decompress
as much of the image as possible, but those functions will now return -1 to
indicate that the decompression was not entirely successful.
+[10] Fixed a bug in the MIPS DSPr2 4:2:2 fancy upsampling routine that caused a
+buffer overflow (and subsequent segfault) when decompressing a 4:2:2 JPEG image
+in which the right-most MCU was 5 or 6 pixels wide.
+
1.4.0
=====
diff --git a/simd/jsimd_mips_dspr2.S b/simd/jsimd_mips_dspr2.S
index 4572a51f..c5990965 100644
--- a/simd/jsimd_mips_dspr2.S
+++ b/simd/jsimd_mips_dspr2.S
@@ -916,7 +916,8 @@ LEAF_MIPS_DSPR2(jsimd_h2v2_fancy_upsample_mips_dspr2)
srl t1, t1, 4
sb t0, 0(s3)
sb t1, 1(s3)
- addiu s3, 2
+ beq t8, s0, 22f // skip to final iteration if width == 3
+ addiu s3, 2
2:
lh t0, 0(s0) // t0 = A3|A2
lh t2, 0(s1) // t2 = B3|B2
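Review bot: The guard `beq t8, s0, 22f` tests pointer equality while its comment describes it as width == 3, and the loop it protects still exits only on exact equality (`bne t8, s0, 2b` in the second hunk), so the fix holds only if t8 can never lie behind s0 on entry. How t8 is derived and whether widths below 3 are rejected earlier is outside these hunks; because the width comes from the image being decoded and the ChangeLog describes the failure as a buffer overflow, I would tie the comment to the condition actually tested, e.g. `// t8 == s0: nothing left for the unrolled 2-column loop (width == 3)`, and document the minimum width the routine accepts in its header. The `addiu s3, 2` after the branch presumably sits in the delay slot and so runs on both paths, which the fix depends on and which deserves `// delay slot: s3 += 2 whether or not the branch is taken`. The hunk header names jsimd_h2v2_fancy_upsample_mips_dspr2 while the ChangeLog entry speaks of the 4:2:2 routine, so it is worth confirming which routine that entry should name. A regression test decoding images whose downsampled width runs from 3 to 8 would pin the boundary.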
@@ -949,6 +950,7 @@ LEAF_MIPS_DSPR2(jsimd_h2v2_fancy_upsample_mips_dspr2)
sb t2, 3(s3)
bne t8, s0, 2b
addiu s3, 4
+22:
beqz s5, 4f
addu t8, s0, s5
3: