mirrors/netsurf
1
0
Fork 0
mirror of https://github.com/netsurf-browser/netsurf synced 2024-11-21 22:11:22 +03:00
Code Issues Packages Projects Releases Wiki Activity

Fix longjmp to invalid address on jpeg init error

Browse Source 
Libjpeg used in NetSurf for decoding of JPEG images handles exceptions using a
pair of non-local jump functions: setjmp() and longjmp(). When a decompression
context is created via a call to the function jpeg_create_decompress() the
caller passes a structure jpeg_decompress_struct as a parameter. This structure
should has a validly initialized jump buffer, so the initialization or other
functions called in future can jump to the exception handling context.

The jpeg backend of NetSurf now initializes libjpeg mistakenly: jump buffer is
filled after the call to jpeg_create_decompress(). It results in jump to random
addresses in the case of exception caught during operation of the function
jpeg_create_decompress().

The patch moves the initialization of jump buffer before the call to
jpeg_create_decompress().

Signed-off-by: Sergei Rogachev <rogachevsergei@gmail.com>
This commit is contained in:
Sergei Rogachev 2016-08-11 22:09:30 +03:00 committed by Vincent Sanders
parent c95cca4ca6
commit a815ad6250
1 changed files with 2 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
content/handlers/image/jpeg.c
View File

@ -202,8 +202,8 @@ jpeg_cache_convert(struct content *c)
return bitmap;
}
jpeg_create_decompress(&cinfo);
cinfo.client_data = &setjmp_buffer;
jpeg_create_decompress(&cinfo);
/* setup data source */
source_mgr.next_input_byte = source_data;
@ -305,8 +305,8 @@ static bool nsjpeg_convert(struct content *c)
return false;
}
jpeg_create_decompress(&cinfo);
cinfo.client_data = &setjmp_buffer;
jpeg_create_decompress(&cinfo);
source_mgr.next_input_byte = (unsigned char *) data;
source_mgr.bytes_in_buffer = size;
cinfo.src = &source_mgr;