| author | Sergei Rogachev <rogachevsergei@gmail.com> | 2016-08-11 22:09:30 +0300 |
|---|---|---|
| committer | Vincent Sanders <vince@kyllikki.org> | 2016-08-14 22:37:12 +0100 |
| commit | a815ad62502669e9a2b689f6f609eb03008a4ca4 (patch) | |
| tree | fda802d620b8ace5598a99ac5276b6c03d503c54 | |
| parent | c95cca4ca6e806f1e2a3a829ce0dda655fdc886d (diff) | |
| download | netsurf-a815ad62502669e9a2b689f6f609eb03008a4ca4.tar.gz netsurf-a815ad62502669e9a2b689f6f609eb03008a4ca4.tar.bz2 | |
Fix longjmp to invalid address on jpeg init error
Libjpeg used in NetSurf for decoding of JPEG images handles exceptions using a
pair of non-local jump functions: setjmp() and longjmp(). When a decompression
context is created via a call to the function jpeg_create_decompress() the
caller passes a structure jpeg_decompress_struct as a parameter. This structure
should have a validly initialized jump buffer, so the initialization or other
functions called in future can jump to the exception handling context.

The jpeg backend of NetSurf now initializes libjpeg mistakenly: the jump buffer is
filled after the call to jpeg_create_decompress(). It results in a jump to random
addresses in the case of an exception caught during operation of the function
jpeg_create_decompress().

The patch moves the initialization of the jump buffer before the call to
jpeg_create_decompress().

Signed-off-by: Sergei Rogachev <rogachevsergei@gmail.com>
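An added example, not NetSurf's or libjpeg's code: the set-up order the patch establishes, exercised against a constructed stand-in for jpeg_create_decompress() that, like IJG libjpeg's jdapimin.c, can raise through err->error_exit during its initial checks and then zeroes the struct keeping only err. The struct names, the mock and the fail_in_create knob are assumptions made for this demonstration.

```c
#include <setjmp.h>
#include <string.h>

/* Constructed stand-ins for jpeg_error_mgr / jpeg_decompress_struct (field
 * names follow libjpeg, everything else is simplified for this demo). */
struct dec_struct;
struct err_mgr { void (*error_exit)(struct dec_struct *cinfo); };
struct dec_struct {
    struct err_mgr *err;  /* the only field libjpeg keeps across create */
    void *client_data;    /* NetSurf stores its jmp_buf pointer here */
    int initialised;
};

/* Stand-in for jpeg_create_decompress(): mirrors IJG jdapimin.c, which runs
 * its version/struct-size checks (raising through err->error_exit) before
 * zeroing the whole struct and restoring only err. `fail` is a demo knob. */
static void mock_create_decompress(struct dec_struct *cinfo, int fail)
{
    struct err_mgr *err = cinfo->err;
    if (fail)
        err->error_exit(cinfo);   /* longjmps; never returns */
    memset(cinfo, 0, sizeof *cinfo);
    cinfo->err = err;
    cinfo->initialised = 1;
}

/* NetSurf-style error_exit: jump back to the jmp_buf stored in client_data.
 * Only safe if client_data was set before the library can raise. */
static void demo_error_exit(struct dec_struct *cinfo)
{
    jmp_buf *setjmp_buffer = cinfo->client_data;
    longjmp(*setjmp_buffer, 1);
}

/* Ordering after the patch: error manager, client_data and setjmp() are all in
 * place before the create call. Returns 1 on success, 0 if an error was
 * caught. client_data is set again after create because the call zeroed it. */
int decode_init(int fail_in_create)
{
    struct dec_struct cinfo;
    struct err_mgr jerr;
    jmp_buf setjmp_buffer;
    cinfo.err = &jerr;
    jerr.error_exit = demo_error_exit;
    cinfo.client_data = &setjmp_buffer;
    if (setjmp(setjmp_buffer))
        return 0;                 /* arrived here via longjmp */
    mock_create_decompress(&cinfo, fail_in_create);
    cinfo.client_data = &setjmp_buffer;
    return cinfo.initialised && cinfo.client_data == &setjmp_buffer;
}
```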
-rw-r--r-- | content/handlers/image/jpeg.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/content/handlers/image/jpeg.c b/content/handlers/image/jpeg.c index 278d9e618..5ae9e70cd 100644 --- a/content/handlers/image/jpeg.c +++ b/content/handlers/image/jpeg.c @@ -202,8 +202,8 @@ jpeg_cache_convert(struct content *c) return bitmap; } - jpeg_create_decompress(&cinfo); cinfo.client_data = &setjmp_buffer; + jpeg_create_decompress(&cinfo); /* setup data source */ source_mgr.next_input_byte = source_data; @@ -305,8 +305,8 @@ static bool nsjpeg_convert(struct content *c) return false; } - jpeg_create_decompress(&cinfo); cinfo.client_data = &setjmp_buffer; + jpeg_create_decompress(&cinfo); source_mgr.next_input_byte = (unsigned char *) data; source_mgr.bytes_in_buffer = size; cinfo.src = &source_mgr; |
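Review bot: In the jpeg_cache_convert() hunk, moving `cinfo.client_data = &setjmp_buffer;` ahead of `jpeg_create_decompress(&cinfo);` makes the version and struct-size checks at the start of jpeg_CreateDecompress() recoverable, but with IJG libjpeg that function then zeroes the whole jpeg_decompress_struct and restores only cinfo->err, so client_data is NULL once the call returns and any later error_exit would longjmp through a null jmp_buf pointer. Suggest keeping the assignment before the call and repeating it after it: `jpeg_create_decompress(&cinfo); cinfo.client_data = &setjmp_buffer;`. It is also worth confirming, since the hunk's context does not show it, that cinfo.err with the custom error_exit is assigned and setjmp(setjmp_buffer) is called before this point; the `return bitmap;` in the leading context reads as that recovery path.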
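Review bot: The same concern applies to the nsjpeg_convert() hunk: after jpeg_create_decompress() zeroes the struct (only cinfo->err survives with IJG libjpeg), client_data must be set again before `cinfo.src = &source_mgr;` and decoding proceeds, otherwise the error handler has no valid jump buffer for errors raised by the later libjpeg calls on this context; add `cinfo.client_data = &setjmp_buffer;` directly after the create call in this function too.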