Google Git
Sign in
android / platform / external / libjpeg-turbo / a945517^! / .
commita945517fd9b1630848b78602818b826c7a45b460[log] [tgz]
authorDRC <information@libjpeg-turbo.org>Tue Nov 14 15:30:06 2017 -0600
committerMax Spector <mspector@google.com>Wed Sep 18 17:13:29 2019 -0700
treeb6d085fd0c0fa51cdbd5402ab36bf33313cf1ca2
parent96c8b9aae7e6bb7929137a0938df90e963319f37 [diff]
[RESTRICT AUTOMERGE] tjbench.exe: Fix decompression access violation

This is a backport of an upstream commit. The original commit message
included the following:

"""
The program crashed when a JPEG image was passed on the command line,
because we were mixing our metaphors vis-a-vis malloc()/free() and
tjAlloc()/tjFree() (malloc()/free() uses the tjbench.exe heap,
whereas tjAlloc()/tjFree() uses the turbojpeg.dll heap.)
"""

This commit was pulled in due to a SEGFAULT that appeared after
backporting the fix to the original bug.

Bug: 120551338
Test: tj64 /data/local/tmp/crash-46.jpg
See b/120551338#comment1 to get crash-46.jpg

Change-Id: Ie970992b659118406528bc7519f22a1ae67ff14e
(cherry picked from commit 31f2242ed3be70079a2f592b94fa60cbf10c89f8)

diff --git a/README.android b/README.android
index ba6a9ce..2aa139c 100644
--- a/README.android
+++ b/README.android

@@ -46,3 +46,10 @@
 proof-of-concept for (5)
 Cherry picked from upstream:
 https://github.com/libjpeg-turbo/libjpeg-turbo/commit/11eec4a398f3fc1b9d39c1d3b81b53ae85d9b5e6
+
+(7) tjbench.c
+Fix memory management access violation
+This was pulled in due to a SEGFAULT that occurs when running the
+proof-of-concept for (5)
+Cherry picked from upstream:
+https://github.com/libjpeg-turbo/libjpeg-turbo/commit/5fce2e942136cb70e5a30ff15a2d58b07947aa84

diff --git a/tjbench.c b/tjbench.c
index 4fe6ec0..06d564d 100644
--- a/tjbench.c
+++ b/tjbench.c

@@ -504,7 +504,7 @@
 	char *temp=NULL, tempstr[80], tempstr2[80];
 	int row, col, i, iter, tilew, tileh, ntilesw=1, ntilesh=1, retval=0;
 	double start, elapsed;
-	int ps=tjPixelSize[pf], tile;
+	int ps=tjPixelSize[pf], tile, decompsrc=0;
 
 	if((file=fopen(filename, "rb"))==NULL)
 		_throwunix("opening file");
@@ -682,18 +682,17 @@
 		else
 		{
 			if(quiet==1) printf("N/A     N/A     ");
-			jpegsize[0]=srcsize;
-			free(jpegbuf[0]);
-			jpegbuf[0]=srcbuf;
-			srcbuf=NULL;
+			tjFree(jpegbuf[0]);
+			jpegbuf[0]=NULL;
+			decompsrc=1;
 		}
 
 		if(w==tilew) _tilew=_w;
 		if(h==tileh) _tileh=_h;
 		if(!(xformopt&TJXOPT_NOOUTPUT))
 		{
-			if(decomp(NULL, jpegbuf, jpegsize, NULL, _w, _h, _subsamp, 0,
-				filename, _tilew, _tileh)==-1)
+			if(decomp(NULL, decompsrc? &srcbuf:jpegbuf, decompsrc? &srcsize:jpegsize,
+					NULL, _w, _h, _subsamp, 0, filename, _tilew, _tileh)==-1)
 				goto bailout;
 		}
 		else if(quiet==1) printf("N/A\n");