From 944aa8e3c4ea827c57d7bb9125f39611eb67ede1 Mon Sep 17 00:00:00 2001
From: DRC
Date: Tue, 21 Jul 2015 16:43:39 -0500
Subject: [PATCH] Fix rare bug: right shift by a negative # of bits

Under very rare circumstances, decompressing specific corrupt JPEG images would create a situation whereby GET_BITS(1) was invoked from within HUFF_DECODE_FAST() when bits_left=0. This produced a right shift by a negative number of bits, which is undefined in C.
---
 jdhuff.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/jdhuff.c b/jdhuff.c
index 36fd03b93..4197cc5ce 100644
--- a/jdhuff.c
+++ b/jdhuff.c
@@ -422,7 +422,7 @@ jpeg_fill_bit_buffer (bitread_working_state * state,
 /* Pre-fetch 48 bytes, because the holding register is 64-bit */
 #define FILL_BIT_BUFFER_FAST \
- if (bits_left < 16) { \
+ if (bits_left <= 16) { \
 GET_BYTE GET_BYTE GET_BYTE GET_BYTE GET_BYTE GET_BYTE \
 }
@@ -430,7 +430,7 @@ jpeg_fill_bit_buffer (bitread_working_state * state,
 /* Pre-fetch 16 bytes, because the holding register is 32-bit */
 #define FILL_BIT_BUFFER_FAST \
- if (bits_left < 16) { \
+ if (bits_left <= 16) { \
 GET_BYTE GET_BYTE \
 }
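Review bot: The new `<= 16` test in both FILL_BIT_BUFFER_FAST variants (the 64-bit hunk at -422 and the 32-bit hunk at -430) encodes a safety invariant that the code itself never states, so a later cleanup could revert it to `< 16` and bring back the undefined shift on corrupt input. A comment above each `if` would pin it, for example `/* Refill at <= 16, not < 16: on corrupt data the decoder can use up 16 bits and still call GET_BITS(1) */`; that wording is inferred from the commit message, so confirm it against HUFF_DECODE_FAST, which is outside these hunks. Assuming each GET_BYTE adds 8 bits, a refill at exactly 16 now brings the count to 64 (or 32), the full width of the holding register named in the comments, which leaves no headroom and is worth stating too. The context comments also say "48 bytes" and "16 bytes" where the macros fetch six and two bytes, i.e. 48 and 16 bits, and could be corrected in the same change.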