Skip to content

Commit

Permalink
Fix rare bug: right shift by a negative # of bits
Browse files Browse the repository at this point in the history 
Under very rare circumstances, decompressing specific corrupt JPEG
images would create a situation whereby GET_BITS(1) was invoked
from within HUFF_DECODE_FAST() when bits_left=0. This produced a right
shift by a negative number of bits, which is undefined in C.
  • Loading branch information
@dcommander
dcommander committed Jul 27, 2015
2 parents a23542e + 1a761f4 commit 317129b
Showing 1 changed file with 2 additions and 2 deletions.
4 changes: 2 additions & 2 deletions jdhuff.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -423,15 +423,15 @@ jpeg_fill_bit_buffer (bitread_working_state * state,

/* Pre-fetch 48 bytes, because the holding register is 64-bit */
#define FILL_BIT_BUFFER_FAST \
if (bits_left < 16) { \
if (bits_left <= 16) { \
GET_BYTE GET_BYTE GET_BYTE GET_BYTE GET_BYTE GET_BYTE \
}

#else

/* Pre-fetch 16 bytes, because the holding register is 32-bit */
#define FILL_BIT_BUFFER_FAST \
if (bits_left < 16) { \
if (bits_left <= 16) { \
GET_BYTE GET_BYTE \
}

Expand Down

0 comments on commit 317129b

Please sign in to comment.