From b16108d018f625d19508e757a9a4d213165ad84a Mon Sep 17 00:00:00 2001
From: Sebastian Rasmussen
Date: Thu, 14 Sep 2017 11:56:12 +0200
Subject: Initialize libjpeg state to avoid crashes upon error.

Previously, in case of error in fz_jpg_mem_init(), jpeg_finish_decompress()/jpeg_destroy_decompress() would be called before jpeg_create_decompress() had initlized all state. This sometimes led to segfaults or accessing uninitialized data.
---
 source/fitz/filter-dct.c | 2 ++
 source/fitz/load-jpeg.c | 4 ++++
 2 files changed, 6 insertions(+)
(limited to 'source')

diff --git a/source/fitz/filter-dct.c b/source/fitz/filter-dct.c
index 54ec6a98..cdec5d3f 100644
--- a/source/fitz/filter-dct.c
+++ b/source/fitz/filter-dct.c
@@ -169,6 +169,8 @@ next_dctd(fz_context *ctx, fz_stream *stm, size_t max)
 	if (!state->init)
 	{
 		int c;
+
+		cinfo->src = NULL;
 		cinfo->client_data = state;
 		cinfo->err = &state->errmgr;
 		jpeg_std_error(cinfo->err);
diff --git a/source/fitz/load-jpeg.c b/source/fitz/load-jpeg.c
index 0634f239..a156c84d 100644
--- a/source/fitz/load-jpeg.c
+++ b/source/fitz/load-jpeg.c
@@ -236,6 +236,8 @@ fz_load_jpeg(fz_context *ctx, unsigned char *rbuf, size_t rlen)
 
 	fz_try(ctx)
 	{
+		cinfo.mem = NULL;
+		cinfo.global_state = 0;
 		cinfo.client_data = ctx;
 		cinfo.err = jpeg_std_error(&err);
 		err.error_exit = error_exit;
@@ -340,6 +342,8 @@ fz_load_jpeg_info(fz_context *ctx, unsigned char *rbuf, size_t rlen, int *xp, in
 
 	fz_try(ctx)
 	{
+		cinfo.mem = NULL;
+		cinfo.global_state = 0;
 		cinfo.client_data = ctx;
 		cinfo.err = jpeg_std_error(&err);
 		err.error_exit = error_exit;
-- 
cgit v1.2.3
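Review bot: The filter-dct.c hunk clears only `cinfo->src`, while the two load-jpeg.c hunks in the same commit reset `mem` and `global_state`, and nothing in the hunk says why this file needs a different set of fields; a one-line comment would spare the next reader the archaeology, e.g. `/* Clear src before jpeg_create_decompress() so an early error exit does not leave the close path with an uninitialised source-manager pointer. */`, if that is indeed the reason. If `state` comes from a zeroing allocator the assignment is redundant but harmless; if `state` can be reused across opens, `mem` and `global_state` presumably deserve the same treatment as in load-jpeg.c. The enclosing next_dctd() body begins before and continues past this hunk, so the cleanup path that motivates the change is not visible here.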
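Review bot: Resetting only `cinfo.mem` and `cinfo.global_state` leaves every other field of `cinfo` uninitialised on the path where fz_jpg_mem_init() fails before jpeg_create_decompress() has run, so the fix depends on knowing exactly which fields the destroy/finish routines read, a detail that may differ between libjpeg releases and libjpeg-turbo. Zero-initialising the whole struct is cheap and removes that dependency: `memset(&cinfo, 0, sizeof cinfo);` in place of the two added lines, or `= { 0 }` on the declaration of `cinfo`, which lies outside this hunk. The fz_load_jpeg_info hunk at old line 340 repeats the same two assignments and would take the same change. In stock libjpeg, as far as I recall, jpeg_finish_decompress() treats `global_state == 0` as JERR_BAD_STATE and calls error_exit rather than returning quietly, so the cleanup code that calls it (not visible in this hunk) is worth checking for tolerance of a second error_exit during unwinding.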