author    Sergei Rogachev <rogachevsergei@gmail.com>    2016-08-11 19:09:30 (GMT)
committer Vincent Sanders <vince@kyllikki.org>    2016-08-14 21:37:12 (GMT)
commit    a815ad62502669e9a2b689f6f609eb03008a4ca4 (patch)
tree      fda802d620b8ace5598a99ac5276b6c03d503c54
parent    c95cca4ca6e806f1e2a3a829ce0dda655fdc886d (diff)
download  netsurf-a815ad62502669e9a2b689f6f609eb03008a4ca4.tar.gz
          netsurf-a815ad62502669e9a2b689f6f609eb03008a4ca4.tar.bz2
Fix longjmp to invalid address on jpeg init error
Libjpeg, used in NetSurf for decoding JPEG images, handles exceptions using a pair of non-local jump functions: setjmp() and longjmp(). When a decompression context is created via a call to the function jpeg_create_decompress(), the caller passes a jpeg_decompress_struct structure as a parameter. This structure should have a validly initialized jump buffer, so that the initialization or other functions called later can jump to the exception handling context.

The JPEG backend of NetSurf now initializes libjpeg mistakenly: the jump buffer is filled after the call to jpeg_create_decompress(). This results in a jump to random addresses in the case of an exception caught during operation of the function jpeg_create_decompress(). The patch moves the initialization of the jump buffer before the call to jpeg_create_decompress().

Signed-off-by: Sergei Rogachev <rogachevsergei@gmail.com>
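The setjmp()/longjmp() protocol the commit message describes, as an added example that is not NetSurf's or libjpeg's code. It uses a hypothetical stand-in for libjpeg (the names mock_error_mgr, mock_decompress, mock_create_decompress, mock_read_header, MOCK_LIB_VERSION and ns_decode are all invented here, not jpeglib.h) whose "create" step can raise an error the way jpeg_create_decompress() does on a version or struct-size mismatch, together with a NetSurf-style error_exit that recovers the jmp_buf from client_data. The same decode routine is run in the pre-patch order (create, then client_data) and the post-patch order (client_data, then create); the NULL check inside ns_error_exit is this example's own guard, standing in for the "jump to a random address" that real libjpeg would perform. The sample inputs are constructed.

```c
#include <setjmp.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-ins for libjpeg's jpeg_error_mgr and
 * jpeg_decompress_struct (not jpeglib.h): just the fields needed to
 * model the error_exit/longjmp protocol the commit message describes. */
struct mock_decompress;

struct mock_error_mgr {
	void (*error_exit)(struct mock_decompress *cinfo); /* must not return */
	int code;                                          /* set before error_exit */
};

struct mock_decompress {
	struct mock_error_mgr *err;
	void *client_data; /* NetSurf stores its jmp_buf pointer here */
	int created;
};

enum mock_err { MOCK_ERR_NONE = 0, MOCK_ERR_VERSION = 1, MOCK_ERR_NO_SOI = 2 };
#define MOCK_LIB_VERSION 62

/* Raise an error the libjpeg way: record a code, then call error_exit. */
static void mock_raise(struct mock_decompress *cinfo, enum mock_err code)
{
	cinfo->err->code = code;
	cinfo->err->error_exit(cinfo);
	abort(); /* error_exit is required not to return */
}

/* Models jpeg_create_decompress(): libjpeg checks the caller's compile-time
 * version/struct size here and calls error_exit on mismatch, so an error
 * can fire before any decoding has begun. */
static void mock_create_decompress(struct mock_decompress *cinfo, int caller_version)
{
	if (caller_version != MOCK_LIB_VERSION)
		mock_raise(cinfo, MOCK_ERR_VERSION);
	cinfo->created = 1;
}

/* Models a later stage (jpeg_read_header): errors take the same path. */
static void mock_read_header(struct mock_decompress *cinfo,
			     const unsigned char *data, size_t len)
{
	if (len < 2 || data[0] != 0xFF || data[1] != 0xD8) /* no SOI marker */
		mock_raise(cinfo, MOCK_ERR_NO_SOI);
}

/* NetSurf-style error_exit: fetch the jmp_buf from client_data and jump.
 * The NULL check is this example's addition: with the pre-patch ordering
 * client_data is still unset while create runs, and real libjpeg would
 * longjmp through whatever the field happened to hold. */
static void ns_error_exit(struct mock_decompress *cinfo)
{
	jmp_buf *setjmp_buffer = (jmp_buf *)cinfo->client_data;
	if (setjmp_buffer == NULL) {
		fprintf(stderr, "error_exit called before client_data was set\n");
		abort();
	}
	longjmp(*setjmp_buffer, cinfo->err->code);
}

/* One decode attempt. client_data_first selects the ordering: 1 is the
 * post-patch order (client_data, then create), 0 the pre-patch order.
 * Returns MOCK_ERR_NONE on success or the error code that was raised. */
static int ns_decode(int client_data_first, int caller_version,
		     const unsigned char *data, size_t len)
{
	struct mock_error_mgr err = { ns_error_exit, MOCK_ERR_NONE };
	struct mock_decompress cinfo;
	jmp_buf setjmp_buffer;

	memset(&cinfo, 0, sizeof cinfo);
	cinfo.err = &err;

	/* setjmp() must run before anything that can call error_exit;
	 * the longjmp value is the error code, so nothing modified after
	 * setjmp() needs to be read on the error path. */
	switch (setjmp(setjmp_buffer)) {
	case 0: break;                                  /* direct return */
	case MOCK_ERR_VERSION: return MOCK_ERR_VERSION;  /* arrived via longjmp */
	case MOCK_ERR_NO_SOI: return MOCK_ERR_NO_SOI;
	default: return -1;
	}

	if (client_data_first)
		cinfo.client_data = &setjmp_buffer;
	mock_create_decompress(&cinfo, caller_version); /* may raise */
	if (!client_data_first)
		cinfo.client_data = &setjmp_buffer;     /* too late for create-time errors */
	mock_read_header(&cinfo, data, len);            /* may raise */
	return MOCK_ERR_NONE;
}

int decode_patched(int caller_version, const unsigned char *data, size_t len)
{ return ns_decode(1, caller_version, data, len); }

int decode_prepatch(int caller_version, const unsigned char *data, size_t len)
{ return ns_decode(0, caller_version, data, len); }

int main(void)
{
	/* Constructed inputs: a minimal SOI prefix and a non-JPEG blob. */
	static const unsigned char soi[] = { 0xFF, 0xD8, 0xFF, 0xE0 };
	static const unsigned char junk[] = { 'G', 'I', 'F', '8' };

	printf("patched, good version, SOI:   %d\n", decode_patched(MOCK_LIB_VERSION, soi, sizeof soi));
	printf("patched, good version, junk:  %d\n", decode_patched(MOCK_LIB_VERSION, junk, sizeof junk));
	printf("patched, bad version:         %d\n", decode_patched(MOCK_LIB_VERSION + 1, soi, sizeof soi));
	printf("prepatch, good version, junk: %d\n", decode_prepatch(MOCK_LIB_VERSION, junk, sizeof junk));
	/* decode_prepatch(MOCK_LIB_VERSION + 1, ...) would abort() here: the
	 * create-time error has no jump buffer to return to. */
	return 0;
}
```

Both orderings behave identically for errors raised after creation, which is why the bug was easy to miss; only a failure inside the create call distinguishes them. The longjmp value carries the error code so that the recovery path reads no automatic variable modified after setjmp(), which C leaves indeterminate.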
-rw-r--r--  content/handlers/image/jpeg.c  4
1 file changed, 2 insertions, 2 deletions
diff --git a/content/handlers/image/jpeg.c b/content/handlers/image/jpeg.c
index 278d9e6..5ae9e70 100644
--- a/content/handlers/image/jpeg.c
+++ b/content/handlers/image/jpeg.c
@@ -202,8 +202,8 @@ jpeg_cache_convert(struct content *c)
return bitmap;
}
- jpeg_create_decompress(&cinfo);
cinfo.client_data = &setjmp_buffer;
+ jpeg_create_decompress(&cinfo);
/* setup data source */
source_mgr.next_input_byte = source_data;
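Review bot: The reorder only closes the hole if both halves of the error path are already in place before `jpeg_create_decompress(&cinfo);`: the setjmp() whose buffer `cinfo.client_data = &setjmp_buffer;` points at, and the error manager (cinfo.err) whose error_exit performs the longjmp. The visible context shows only `return bitmap;` / `}` above the moved line, so neither is in this hunk; please confirm in jpeg_cache_convert that both precede the creation call, and consider a one-line comment on the client_data assignment saying it must stay ahead of jpeg_create_decompress() so a later tidy-up does not reintroduce the original order.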
@@ -305,8 +305,8 @@ static bool nsjpeg_convert(struct content *c)
return false;
}
- jpeg_create_decompress(&cinfo);
cinfo.client_data = &setjmp_buffer;
+ jpeg_create_decompress(&cinfo);
source_mgr.next_input_byte = (unsigned char *) data;
source_mgr.bytes_in_buffer = size;
cinfo.src = &source_mgr;
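Review bot: This is the second copy of the same setup sequence (jpeg_cache_convert carries the first), and the ordering bug had to be fixed separately in each; consider hoisting `cinfo.client_data = &setjmp_buffer;`, `jpeg_create_decompress(&cinfo);` and the source-manager wiring that follows into one shared helper so the invariant lives in a single place. As with the other hunk, the `return false;` / `}` context indicates the setjmp() block sits just above but out of view, and the error manager assignment is not shown either; nsjpeg_convert needs both before the creation call for the moved line to have any effect.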