    Commit

  • Hash : 78a36f6d
    Author : DRC
    Date : 2022-11-15T17:01:17

    Fix buffer overrun in 12-bit prog Huffman encoder
    
    Regression introduced by 16bd984557fa2c490be0b9665e2ea0d4274528a8 and
    5b177b3cab5cfb661256c1e74df160158ec6c34e
    
    The pre-computed absolute values used in encode_mcu_AC_first() and
    encode_mcu_AC_refine() were stored in a JCOEF (signed short) array.
    When attempting to losslessly transform a specially-crafted malformed
    12-bit JPEG image with a coefficient value of -32768 into a progressive
    12-bit JPEG image, the progressive Huffman encoder attempted to store
    the absolute value of -32768 in the JCOEF array, thus overflowing the
    16-bit signed data type.  Therefore, at this point in the code:
    https://github.com/libjpeg-turbo/libjpeg-turbo/blob/8c5e78ce292c1642057102eac42f12ab57964293/jcphuff.c#L889
    the absolute value was read as -32768, which caused the test at
    https://github.com/libjpeg-turbo/libjpeg-turbo/blob/8c5e78ce292c1642057102eac42f12ab57964293/jcphuff.c#L896
    to fail, falling through to
    https://github.com/libjpeg-turbo/libjpeg-turbo/blob/8c5e78ce292c1642057102eac42f12ab57964293/jcphuff.c#L908
    with an overly large value of r (46) that, when shifted left four
    places, incremented, and passed to emit_symbol(), exceeded the maximum
    index (255) for the derived code tables.  Fortunately, the buffer
    overrun was fully contained within phuff_entropy_encoder, so the issue
    did not generate a segfault or other user-visible errant behavior, but
    it did cause a UBSan failure that was detected by OSS-Fuzz.
    
    This commit introduces an unsigned JCOEF (UJCOEF) data type and uses it
    to store the absolute values of DCT coefficients computed by the
    AC_first_prepare() and AC_refine_prepare() methods.
    
    Note that the changes to the Arm Neon progressive Huffman encoder
    extensions cause signed 16-bit instructions to be replaced with
    equivalent unsigned 16-bit instructions, so the changes should be
    performance-neutral.
    
    Based on:
    https://github.com/mayeut/libjpeg-turbo/commit/bbf61c0382c4f8bd1f1cfc666467581496c2fb7c
    
    Closes #628
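
The type problem the commit message describes, as an added C example that is not code from libjpeg-turbo or from this commit: it stores the absolute value of a coefficient in a signed and in an unsigned 16-bit slot, then range-checks a symbol built as the message describes (r shifted left four places, then incremented) against the maximum table index of 255. The names `stored_abs_signed`, `stored_abs_unsigned`, `refine_symbol` and `symbol_in_range` are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Illustrative stand-ins, not the library's own typedefs. */
typedef int16_t  coef_signed_t;    /* plays the role of JCOEF (signed short) */
typedef uint16_t coef_unsigned_t;  /* plays the role of the new UJCOEF type  */

#define MAX_TABLE_INDEX 255        /* maximum derived-code-table index per the message */

/* Pre-fix pattern: absolute value kept in a signed 16-bit slot.
 * The arithmetic is done in int, so 32768 is computed correctly, but the
 * out-of-range conversion to int16_t is implementation-defined and wraps
 * to -32768 on common two's-complement compilers (GCC, Clang). */
int stored_abs_signed(int coef)
{
  int a = coef < 0 ? -coef : coef;
  coef_signed_t slot = (coef_signed_t)a;
  return slot;
}

/* Post-fix pattern: the same value in an unsigned 16-bit slot fits. */
int stored_abs_unsigned(int coef)
{
  int a = coef < 0 ? -coef : coef;
  coef_unsigned_t slot = (coef_unsigned_t)a;
  return slot;
}

/* Symbol as described in the message: r shifted left four places, incremented. */
int refine_symbol(int r) { return (r << 4) + 1; }

/* Defensive check: is the symbol a valid index into a 256-entry table? */
int symbol_in_range(int r)
{
  int s = refine_symbol(r);
  return s >= 0 && s <= MAX_TABLE_INDEX;
}

int main(void)
{
  int coef = -32768;  /* constructed input: the coefficient value from the message */
  printf("signed slot:   %d\n", stored_abs_signed(coef));
  printf("unsigned slot: %d\n", stored_abs_unsigned(coef));
  printf("r=46 -> symbol %d, in range: %d\n", refine_symbol(46), symbol_in_range(46));
  printf("r=15 -> symbol %d, in range: %d\n", refine_symbol(15), symbol_in_range(15));
  return 0;
}
```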
    

  • Properties

  • Git HTTP https://git.kmx.io/kc3-lang/libjpeg-turbo.git
    Git SSH git@git.kmx.io:kc3-lang/libjpeg-turbo.git
    Public access ? public
    Description

    Fork of libjpeg with SIMD
