Age | Commit message | Author |
|
|
|
The accelerated Huffman decoder was previously invoked if there were > 128
bytes in the input buffer. However, it is possible to construct a JPEG
image with Huffman blocks > 430 bytes in length
(http://stackoverflow.com/questions/2734678/jpeg-calculating-max-size).
While such images are pathological and could never be created by a
JPEG compressor, it is conceivable that an attacker could use such an
artificially-constructed image to trigger an input buffer overrun in the
libjpeg-turbo decompressor and thus gain access to some of the data on
the calling program's heap.
This patch simply increases the minimum buffer size for the accelerated
Huffman decoder to 512 bytes, which should (hopefully) accommodate any
possible input.
This addresses a major issue (LJT-01-005) identified in a security audit
by Cure53.
Cherry picked from upstream:
https://github.com/libjpeg-turbo/libjpeg-turbo/commit/0463f7c9aad060fcd56e98d025ce16185279e2bc
BUG:27494207
BUG:27480923
Change-Id: I94876fecafa8b7d7f31734cb21d2ca0f382802ec
|
|
This prevents a malformed motion-JPEG frame (MJPEG frames lack Huffman
tables) from causing the "fast path" of the Huffman decoder to read
uninitialized memory. Essentially, this is doing the same thing for
MJPEG frames as 43d8cf4d4572fa50a37cccadbe71b9bee37de55d did for regular
images.
Cherry picked from upstream:
https://github.com/libjpeg-turbo/libjpeg-turbo/commit/a572622dd654305c86585724c2a1ea34e22c2103
BUG:27494207
BUG:27480923
Change-Id: I91f334b82290b009bc624b3d5f8a9b3021f34ea0
|
|
This, in combination with the existing jpeg_skip_scanlines() function,
provides the ability to crop the image both horizontally and vertically
while decompressing (certain restrictions apply-- see libjpeg.txt.)
This also cleans up the documentation of the line skipping feature and
removes the "strip decompression" feature from djpeg, since the new
cropping feature is a superset of it.
Refer to #34 for discussion.
Closes #34
Cherry picked from upstream:
https://github.com/libjpeg-turbo/libjpeg-turbo/commit/3ab68cf563f6edc2608c085f5c8b2d5d5c61157e
BUG:27290496
Change-Id: Id11312fa43959531bc6bea04ebb657c6e1140363
|
|
This provides ~2.5x speed-up on full image decodes.
BUG:25815224
BUG:25641008
Change-Id: I3ce188d371c5e41ebc810dbc810ac460be3b5074
|
|
Change-Id: I78a73665923db7200aaff7c5a9c0da8f7ac4a58e
|
|
|
|
This directive was preventing the code from assembling using the
integrated assembler in clang.
Fixes Upstream-Issue-33
https://github.com/libjpeg-turbo/libjpeg-turbo/issues/33
https://github.com/libjpeg-turbo/libjpeg-turbo/commit/d70a5c12fcb72443483456a2cc8dd18a4c238618
Change-Id: I9e361d509be759cd45ed8d8061f939059ad5fe4a
|
|
We have cherry-picked a fix from upstream so that the assembly is
now clang compatible.
BUG:25564571
Change-Id: Ic4a676b8648e5bc83e3a1da1f346ec2f5cc953ac
|
|
This is a workaround for
https://buganizer.corp.google.com/u/0/issues/26023491
libjpeg.so has text relocations.
BUG:26023491
Change-Id: I54cf63479a23fe5cbf2ecce97781cbb1110a46b3
|
|
|
|
Change-Id: I9422d03fbde8061619c52f4202fd0fa7dd12fe5a
|
|
BUG:25685061
Change-Id: I7a7710ed7d1320fac2062d83eba4a230de92e10c
|
|
|
|
I must have accidentally dropped this line from the previous
commit:
https://googleplex-android-review.git.corp.google.com/#/c/818568/
Change-Id: I0c19a01bdd588a88e13acfdea6df299dd839f780
|
|
|
|
Change-Id: I2aa903ea44cc3da9255543dd21a312e3dd410b8c
|
|
Because we have switched to the latest release from upstream,
we no longer need these chromium specific files.
Change-Id: Ibca796ddc3479671432afcd0c1d91def4d661cdc
|
|
BUG:23138693
BUG:25685061
|
|
|
|
|
|
When using context-based upsampling, use a dummy color conversion
routine instead of a dummy row buffer. This improves performance
(since the actual color conversion routine no longer has to be called),
and it also fixes valgrind errors when decompressing to RGB565.
Valgrind previously complained, because using the RGB565 color
converter with the dummy row buffer was causing a table lookup with
undefined indices.
|
|
git-svn-id: svn+ssh://svn.code.sf.net/p/libjpeg-turbo/code/trunk@1591 632fc199-4ca6-4c93-a231-07263d6284db
|
|
git-svn-id: svn+ssh://svn.code.sf.net/p/libjpeg-turbo/code/trunk@1589 632fc199-4ca6-4c93-a231-07263d6284db
|
|
Studio.
git-svn-id: svn+ssh://svn.code.sf.net/p/libjpeg-turbo/code/trunk@1588 632fc199-4ca6-4c93-a231-07263d6284db
|
|
in djpeg; document -strip and -skip parameters in djpeg
git-svn-id: svn+ssh://svn.code.sf.net/p/libjpeg-turbo/code/trunk@1587 632fc199-4ca6-4c93-a231-07263d6284db
|
|
jpeg_skip_scanlines() function + remove comment that is no longer relevant.
git-svn-id: svn+ssh://svn.code.sf.net/p/libjpeg-turbo/code/trunk@1586 632fc199-4ca6-4c93-a231-07263d6284db
|
|
git-svn-id: svn+ssh://svn.code.sf.net/p/libjpeg-turbo/code/trunk@1583 632fc199-4ca6-4c93-a231-07263d6284db
|
|
partially decoding a JPEG image.
git-svn-id: svn+ssh://svn.code.sf.net/p/libjpeg-turbo/code/trunk@1582 632fc199-4ca6-4c93-a231-07263d6284db
|
|
This new name matches the name of external/jpeg.
This will make it easier to replace external/jpeg with this
library.
Change-Id: Iceaea74c2ca2cd0e6484526ae7281ba39f9d198e
|
|
We still need to disable the clang assembler for ARM v8 devices.
BUG:25564571
Change-Id: I8bf3b3a6a9efd1f761811b5829680746a095c151
|
|
Change-Id: Ic6cda8ac02fefec110f0c6270313449589471b49
|
|
For now we can get around the compile problems by using gcc.
We should follow up with clang to see about fixing these issues.
BUG:25564571
Change-Id: I573e02b19aaa4c3e59e4bd287502068cda49efb4
|
|
Change-Id: Ia2b983a15a7fc12d0f47c338f831d5de6e8de75b
|
|
Change-Id: I34d559da7f68fe10ec7aaa72e555626a7be75e72
|
|
Change-Id: Idd23e749fef193ee5ddaba02dad88939c5755ad3
|
|
Change-Id: Ieb73e8913a0902eea36b43e870337aa06de19a5f
|
|
BUG:25424175
BUG:23138693
Change-Id: I12314248a5c636bca0d69585dfb470ec656d0373
|
|
|
|
|
|
Most of these involved left shifting a negative number, which is
technically undefined (although every modern compiler I'm aware of
will implement this by treating the signed integer as a 2's complement
unsigned integer-- the LEFT_SHIFT() macro just makes this behavior
explicit in order to shut up ubsan.) This also fixes a couple of
non-issues in the entropy codecs, whereby the sanitizer reported an
out-of-bounds index in the 4th argument of jpeg_make_d_derived_tbl().
In those cases, the index was actually out of bounds (caused by a
malformed JPEG image), but jpeg_make_d_derived_tbl() would have caught
the error and aborted prior to actually using the invalid address. Here
again, the fix was to make our intentions explicit so as to shut up
ubsan.
|
|
The DSPr2 code was errantly comparing the residual (t9, width & 0xF)
with the end pointer (t4, out + width) instead of the width directly
(a1). This would give the wrong results with any image whose output
width was less than 16. The other small changes (ulw to lw and removal
of the nop) are just some easy optimizations around this code.
This issue caused a buffer overrun and subsequent segfault on images
whose scaled output height was 1 pixel and whose scaled output width was
< 16 pixels. Note that the "plain" (non-fancy and non-merged) upsample
routine, which was affected by this bug, is normally not used except
when decompressing a non-YCbCr JPEG image, but it is also used when
decompressing a single-row image (because the other upsampling
algorithms require at least two rows.)
Closes #16.
|
|
(descriptions cribbed by DRC from discussion in #20)
In the x86-64 ABI, the high (unused) DWORD of a 32-bit argument's
register is undefined, so it was incorrect to use a 64-bit mov
instruction to transfer a JDIMENSION argument in the 64-bit SSE2 SIMD
functions. The code worked thus far only because the existing compiler
optimizers weren't smart enough to do anything else with the register in
question, so the upper 32 bits happened to be all zeroes-- for the past
6 years, on every x86-64 compiler previously known to mankind.
The bleeding-edge Clang/LLVM compiler has a smarter optimizer, and
under certain circumstances, it will attempt to load-combine adjacent
32-bit integers from one of the libjpeg structures into a single 64-bit
integer and pass that 64-bit integer as a 32-bit argument to one of the
SIMD functions (which is allowed by the ABI, since the upper 32 bits of
the 32-bit argument's register are undefined.) This caused the
libjpeg-turbo regression tests to crash.
Also enhance the documentation of JDIMENSION to explain that its size
is significant to the implementation of the SIMD code.
Closes #20. Refer also to http://crbug.com/532214.
|
|
Previously this information was found in a page on libjpeg-turbo.org,
but there was still some confusion, because README-turbo.txt wasn't
clear as to which license applied to what.
|
|
With certain images, compressing using quality=100 and the fast integer
forward DCT will cause the divisor passed to compute_reciprocal() to be
1. In those cases, the library already disables the SIMD quantization
algorithm to avoid 16-bit overflow. However, compute_reciprocal()
doesn't properly handle the divisor==1 case, so we need to use special
values in that case so that the C quantization algorithm will behave
like an identity function.
|
|
|
|
Add checks to ensure values are within the specified range.
Fixes mozilla/mozjpeg#141, closes #8
|
|
Throw an error when image width or height is 0.
Fixes mozilla/mozjpeg#140, closes #7.
|
|
rdbmp.c used the ambiguous INT32 datatype, which is sometimes typedef'ed
to long. Windows bitmap headers use 32-bit signed integers for the
width and height, because height can sometimes be negative (this
indicates a top-down bitmap.) If biWidth or biHeight was negative and
INT32 was a 64-bit long, then biWidth and biHeight were read as a
positive integer > INT32_MAX, which failed the test in line 385:
    if (biWidth <= 0 || biHeight <= 0)
      ERREXIT(cinfo, JERR_BMP_EMPTY);
This commit refactors rdbmp.c so that it uses the datatypes specified by
Microsoft for the Windows BMP header.
This closes #9 and also provides a better solution for mozilla/mozjpeg#153.
|
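The rdbmp.c commit message above describes a negative BMP dimension slipping past the `<= 0` check when INT32 is 64 bits wide. The following is an added example, not code from libjpeg-turbo: `wide_int32`, `get4_wide`, `get4_exact`, the two `rejects_*` predicates and the header bytes are all hypothetical, and the byte-by-byte little-endian composition is an assumption about how such a field is read.

```c
#include <stdint.h>
#include <stdio.h>

/* Stand-in for an INT32 that is typedef'ed to a 64-bit long (assumption). */
typedef int64_t wide_int32;

/* Constructed header fields: biWidth = -1, biHeight = 16, little-endian. */
static const unsigned char neg_width[4]  = { 0xFF, 0xFF, 0xFF, 0xFF };
static const unsigned char pos_height[4] = { 0x10, 0x00, 0x00, 0x00 };

/* Composing the field in a 64-bit signed type: the 32-bit sign bit ends up
 * in bit 31 and is never extended, so -1 is read as 4294967295. */
static wide_int32 get4_wide(const unsigned char *p)
{
  return (wide_int32)p[0] | ((wide_int32)p[1] << 8) |
         ((wide_int32)p[2] << 16) | ((wide_int32)p[3] << 24);
}

/* Composing as unsigned 32-bit, then mapping to int32_t without relying on
 * implementation-defined conversion of out-of-range values. */
static int32_t get4_exact(const unsigned char *p)
{
  uint32_t u = (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
               ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
  return (u & 0x80000000u) ? (int32_t)(u & 0x7FFFFFFFu) - INT32_MAX - 1
                           : (int32_t)u;
}

/* The check quoted in the commit message, as predicates: 1 = rejected. */
static int rejects_wide(const unsigned char *w, const unsigned char *h)
{
  return get4_wide(w) <= 0 || get4_wide(h) <= 0;
}

static int rejects_exact(const unsigned char *w, const unsigned char *h)
{
  return get4_exact(w) <= 0 || get4_exact(h) <= 0;
}

int main(void)
{
  printf("wide:  biWidth=%lld rejected=%d\n",
         (long long)get4_wide(neg_width), rejects_wide(neg_width, pos_height));
  printf("exact: biWidth=%d rejected=%d\n",
         (int)get4_exact(neg_width), rejects_exact(neg_width, pos_height));
  return 0;
}
```

With the 64-bit type the width reaches later size arithmetic as a value above INT32_MAX; with the exact-width type the same bytes are rejected at the check.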
|
This was a formatting regression in 1.4.x introduced when the new
TurboJPEG functions were added.
|