1 files changed, 11 insertions, 5 deletions

diff --git a/plugins/AdvaImg/src/LibJPEG/jdmarker.c b/plugins/AdvaImg/src/LibJPEG/jdmarker.c
index 47ebee9576..b1faf88fb7 100644
--- a/plugins/AdvaImg/src/LibJPEG/jdmarker.c
+++ b/plugins/AdvaImg/src/LibJPEG/jdmarker.c
@@ -2,7 +2,7 @@
  * jdmarker.c

  *

  * Copyright (C) 1991-1998, Thomas G. Lane.

- * Modified 2009-2012 by Guido Vollbeding.

+ * Modified 2009-2013 by Guido Vollbeding.

  * This file is part of the Independent JPEG Group's software.

  * For conditions of distribution and use, see the accompanying README file.

  *

@@ -269,8 +269,8 @@ get_sof (j_decompress_ptr cinfo, boolean is_baseline, boolean is_prog,
   /* We don't support files in which the image height is initially specified */

   /* as 0 and is later redefined by DNL.  As long as we have to check that,  */

   /* might as well have a general sanity check. */

-  if (cinfo->image_height <= 0 || cinfo->image_width <= 0

-      || cinfo->num_components <= 0)

+  if (cinfo->image_height <= 0 || cinfo->image_width <= 0 ||

+      cinfo->num_components <= 0)

     ERREXIT(cinfo, JERR_EMPTY_IMAGE);

 

   if (length != (cinfo->num_components * 3))

@@ -350,6 +350,9 @@ get_sos (j_decompress_ptr cinfo)
 

     /* Detect the case where component id's are not unique, and, if so, */

     /* create a fake component id using the same logic as in get_sof.   */

+    /* Note:  This also ensures that all of the SOF components are      */

+    /* referenced in the single scan case, which prevents access to     */

+    /* uninitialized memory in later decoding stages. */

     for (ci = 0; ci < i; ci++) {

       if (c == cinfo->cur_comp_info[ci]->component_id) {

 	c = cinfo->cur_comp_info[0]->component_id;

@@ -493,6 +496,8 @@ get_dht (j_decompress_ptr cinfo)
     if (count > 256 || ((INT32) count) > length)

       ERREXIT(cinfo, JERR_BAD_HUFF_TABLE);

 

+    MEMZERO(huffval, SIZEOF(huffval)); /* pre-zero array for later copy */

+

     for (i = 0; i < count; i++)

       INPUT_BYTE(cinfo, huffval[i], return FALSE);

 

@@ -735,12 +740,13 @@ examine_app0 (j_decompress_ptr cinfo, JOCTET FAR * data,
     cinfo->X_density = (GETJOCTET(data[8]) << 8) + GETJOCTET(data[9]);

     cinfo->Y_density = (GETJOCTET(data[10]) << 8) + GETJOCTET(data[11]);

     /* Check version.

-     * Major version must be 1, anything else signals an incompatible change.

+     * Major version must be 1 or 2, anything else signals an incompatible

+     * change.

      * (We used to treat this as an error, but now it's a nonfatal warning,

      * because some bozo at Hijaak couldn't read the spec.)

      * Minor version should be 0..2, but process anyway if newer.

      */

-    if (cinfo->JFIF_major_version != 1)

+    if (cinfo->JFIF_major_version != 1 && cinfo->JFIF_major_version != 2)

       WARNMS2(cinfo, JWRN_JFIF_MAJOR,

 	      cinfo->JFIF_major_version, cinfo->JFIF_minor_version);

     /* Generate trace messages */