[RESTRICT AUTOMERGE] tjbench.exe: Fix decompression access violation
This is a backport of an upstream commit. The original commit message
included the following:
"""
The program crashed when a JPEG image was passed on the command line,
because we were mixing our metaphors vis-a-vis malloc()/free() and
tjAlloc()/tjFree() (malloc()/free() uses the tjbench.exe heap,
whereas tjAlloc()/tjFree() uses the turbojpeg.dll heap.)
"""
This commit was pulled in due to a SEGFAULT that appeared after
backporting the fix to the original bug.
Bug: 120551338
Test: tj64 /data/local/tmp/crash-46.jpg
See b/120551338#comment1 to get crash-46.jpg
Change-Id: Ie970992b659118406528bc7519f22a1ae67ff14e
(cherry picked from commit 31f2242ed3be70079a2f592b94fa60cbf10c89f8)
diff --git a/README.android b/README.android
index ba6a9ce..2aa139c 100644
--- a/README.android
+++ b/README.android
@@ -46,3 +46,10 @@
proof-of-concept for (5)
Cherry picked from upstream:
https://github.com/libjpeg-turbo/libjpeg-turbo/commit/11eec4a398f3fc1b9d39c1d3b81b53ae85d9b5e6
+
+(7) tjbench.c
+Fix memory management access violation
+This was pulled in due to a SEGFAULT that occurs when running the
+proof-of-concept for (5)
+Cherry picked from upstream:
+https://github.com/libjpeg-turbo/libjpeg-turbo/commit/5fce2e942136cb70e5a30ff15a2d58b07947aa84
diff --git a/tjbench.c b/tjbench.c
index 4fe6ec0..06d564d 100644
--- a/tjbench.c
+++ b/tjbench.c
@@ -504,7 +504,7 @@
char *temp=NULL, tempstr[80], tempstr2[80];
int row, col, i, iter, tilew, tileh, ntilesw=1, ntilesh=1, retval=0;
double start, elapsed;
- int ps=tjPixelSize[pf], tile;
+ int ps=tjPixelSize[pf], tile, decompsrc=0;
if((file=fopen(filename, "rb"))==NULL)
_throwunix("opening file");
@@ -682,18 +682,17 @@
else
{
if(quiet==1) printf("N/A N/A ");
- jpegsize[0]=srcsize;
- free(jpegbuf[0]);
- jpegbuf[0]=srcbuf;
- srcbuf=NULL;
+ tjFree(jpegbuf[0]);
+ jpegbuf[0]=NULL;
+ decompsrc=1;
}
if(w==tilew) _tilew=_w;
if(h==tileh) _tileh=_h;
if(!(xformopt&TJXOPT_NOOUTPUT))
{
- if(decomp(NULL, jpegbuf, jpegsize, NULL, _w, _h, _subsamp, 0,
- filename, _tilew, _tileh)==-1)
+ if(decomp(NULL, decompsrc? &srcbuf:jpegbuf, decompsrc? &srcsize:jpegsize,
+ NULL, _w, _h, _subsamp, 0, filename, _tilew, _tileh)==-1)
goto bailout;
}
else if(quiet==1) printf("N/A\n");