kc3-lang/libjpeg-turbo/src

Diff

• Show log

  Commit

• Hash : f158143e
  Author :
  Date : 2025-07-28T20:45:02
  

  jpeg_skip_scanlines: Fix UAF w/merged upsamp/quant
  
  jpeg_skip_scanlines() (more specifically, read_and_discard_scanlines())
  should check whether merged upsampling is disabled before attempting
  to dereference cinfo->cconvert, and it should check whether color
  quantization is enabled before attempting to dereference
  cinfo->cquantize.  Otherwise, executing one of the following sequences
  with the same libjpeg API instance and any 4:2:0 or 4:2:2 JPEG image
  will cause a use-after-free issue:
  
  - Disable merged upsampling (default)
  - jpeg_start_decompress()
  - jpeg_finish_decompress()
    (frees but doesn't zero cinfo->cconvert)
  - Enable merged upsampling
  - jpeg_start_decompress()
    (doesn't re-allocate cinfo->cconvert, because
    j*init_color_deconverter() isn't called)
  - jpeg_skip_scanlines()
  
  - Enable 1-pass color quantization
  - jpeg_start_decompress()
  - jpeg_finish_decompress()
    (frees but doesn't zero cinfo->cquantize)
  - Disable 1-pass color quantization
  - jpeg_start_decompress()
    (doesn't re-allocate cinfo->cquantize, because j*init_*_quantizer()
    isn't called)
  - jpeg_skip_scanlines()
  
  These sequences are very unlikely to occur in a real-world application.
  In practice, this issue does not even cause a segfault or other
  user-visible errant behavior, so it is only detectable with ASan.  That
  is because the memory region is small enough that it doesn't get
  reclaimed by either the application or the O/S between the point at
  which it is freed and the point at which it is used (even though a
  subsequent malloc() call requests exactly the same amount of memory.)
  Thus, this is an undefined behavior issue, but it is unlikely to be
  exploitable.
  

• Files

• cderror.h
• cdjpeg.c
• cdjpeg.h
• cjpeg.c
• cmyk.h
• djpeg.c
• example.c
• jaricom.c
• jcapimin.c
• jcapistd.c
• jcarith.c
• jccoefct.c
• jccolext.c
• jccolor.c
• jcdctmgr.c
• jcdiffct.c
• jchuff.c
• jchuff.h
• jcicc.c
• jcinit.c
• jclhuff.c
• jclossls.c
• jcmainct.c
• jcmarker.c
• jcmaster.c
• jcmaster.h
• jcomapi.c
• jconfig.h.in
• jconfig.txt
• jconfigint.h.in
• jcparam.c
• jcphuff.c
• jcprepct.c
• jcsample.c
• jcstest.c
• jctrans.c
• jdapimin.c
• jdapistd.c
• jdarith.c
• jdatadst-tj.c
• jdatadst.c
• jdatasrc-tj.c
• jdatasrc.c
• jdcoefct.c
• jdcoefct.h
• jdcol565.c
• jdcolext.c
• jdcolor.c
• jdct.h
• jddctmgr.c
• jddiffct.c
• jdhuff.c
• jdhuff.h
• jdicc.c
• jdinput.c
• jdlhuff.c
• jdlossls.c
• jdmainct.c
• jdmainct.h
• jdmarker.c
• jdmaster.c
• jdmaster.h
• jdmerge.c
• jdmerge.h
• jdmrg565.c
• jdmrgext.c
• jdphuff.c
• jdpostct.c
• jdsample.c
• jdsample.h
• jdtrans.c
• jerror.c
• jerror.h
• jfdctflt.c
• jfdctfst.c
• jfdctint.c
• jidctflt.c
• jidctfst.c
• jidctint.c
• jidctred.c
• jinclude.h
• jlossls.h
• jmemmgr.c
• jmemnobs.c
• jmemsys.h
• jmorecfg.h
• jpeg_nbits.c
• jpeg_nbits.h
• jpegapicomp.h
• jpegint.h
• jpeglib.h
• jpegtran.c
• jquant1.c
• jquant2.c
• jsamplecomp.h
• jsimd.h
• jsimddct.h
• jstdhuff.c
• jutils.c
• jversion.h.in
• libjpeg.map.in
• md5/
• rdbmp.c
• rdcolmap.c
• rdgif.c
• rdjpgcom.c
• rdppm.c
• rdswitch.c
• rdtarga.c
• strtest.c
• tjbench.c
• tjcomp.c
• tjdecomp.c
• tjtran.c
• tjunittest.c
• tjutil.c
• tjutil.h
• transupp.c
• transupp.h
• turbojpeg-mapfile
• turbojpeg-mapfile.jni
• turbojpeg-mp.c
• turbojpeg.c
• turbojpeg.h
• wrapper/
• wrbmp.c
• wrgif.c
• wrjpgcom.c
• wrppm.c
• wrtarga.c

• Properties

• Git HTTP	https://git.kmx.io/kc3-lang/libjpeg-turbo.git
  Git SSH	git@git.kmx.io:kc3-lang/libjpeg-turbo.git
  Public access ?	public
  Description	Fork of libjpeg with SIMD Upstream Homepage Github Fork Github
  Users
  Tags