Bug 1050342. Fix a case where the fast huffman decoder in libjpeg-turbo can produce different results depending on how data is fed to it. This change comes from the blink repo https://codereview.appspot.com/229430043/ and is unlikely to be accepted upstream into libjpeg-turbo. diff --git jdhuff.c jdhuff.c --- jdhuff.c +++ jdhuff.c @@ -674,9 +674,9 @@ decode_mcu_fast(j_decompress_ptr cinfo, d_derived_tbl *dctbl = entropy->dc_cur_tbls[blkn]; d_derived_tbl *actbl = entropy->ac_cur_tbls[blkn]; register int s, k, r, l; - HUFF_DECODE_FAST(s, l, dctbl); + HUFF_DECODE_FAST(s, l, dctbl, slow_decode_mcu); if (s) { FILL_BIT_BUFFER_FAST r = GET_BITS(s); s = HUFF_EXTEND(r, s); @@ -692,9 +692,9 @@ decode_mcu_fast(j_decompress_ptr cinfo, if (entropy->ac_needed[blkn] && block) { for (k = 1; k < DCTSIZE2; k++) { - HUFF_DECODE_FAST(s, l, actbl); + HUFF_DECODE_FAST(s, l, actbl, slow_decode_mcu); r = s >> 4; s &= 15; if (s) { @@ -711,9 +711,9 @@ decode_mcu_fast(j_decompress_ptr cinfo, } else { for (k = 1; k < DCTSIZE2; k++) { - HUFF_DECODE_FAST(s, l, actbl); + HUFF_DECODE_FAST(s, l, actbl, slow_decode_mcu); r = s >> 4; s &= 15; if (s) { @@ -728,8 +728,9 @@ decode_mcu_fast(j_decompress_ptr cinfo, } } if (cinfo->unread_marker != 0) { +slow_decode_mcu: cinfo->unread_marker = 0; return FALSE; } diff --git jdhuff.h jdhuff.h --- jdhuff.h +++ jdhuff.h @@ -210,9 +210,9 @@ slowlabel: \ get_buffer = state.get_buffer; bits_left = state.bits_left; \ } \ } -#define HUFF_DECODE_FAST(s, nb, htbl) \ +#define HUFF_DECODE_FAST(s, nb, htbl, slowlabel) \ FILL_BIT_BUFFER_FAST; \ s = PEEK_BITS(HUFF_LOOKAHEAD); \ s = htbl->lookup[s]; \ nb = s >> HUFF_LOOKAHEAD; \ @@ -227,9 +227,11 @@ slowlabel: \ s <<= 1; \ s |= GET_BITS(1); \ nb++; \ } \ - s = htbl->pub->huffval[(int)(s + htbl->valoffset[nb]) & 0xFF]; \ + if (nb > 16) \ + goto slowlabel; \ + s = htbl->pub->huffval[ (int) (s + htbl->valoffset[nb]) ]; \ } /* Out-of-line case for Huffman code fetching */ EXTERN(int) jpeg_huff_decode(bitread_working_state *state,