Hello,
The attached patch could probably help in diagnosing the issue.
It prints an error message and aborts, when the current buffer
pointer is advanced past the _buffer.

In the debugger it shows this happens a little before what roucaries bastien wrote in
message 47.
(Because he stopped at the point where the stack protector was overwritten,
that was at _buffer[137], while its size is only 128.)

Kind regards,
Bernhard




$ gdb --args convert -rotate 270 003632r270.jpg junk.jpg

(gdb) run

jchuff.c, line 591: written beyond end of _buffer, size=128, 
_buffer=0x0x7fffffff3e10, buffer=0x0x7fffffff3e91, pos=129

Program received signal SIGABRT, Aborted.

(gdb) bt
#0  0x00007ffff7067107 in __GI_raise (sig=sig@entry=6) at 
../nptl/sysdeps/unix/sysv/linux/raise.c:56
#1  0x00007ffff70684e8 in __GI_abort () at abort.c:89
#2  0x00007ffff36d4268 in encode_one_block (actbl=0x646920, dctbl=<optimized 
out>, last_dc_val=<optimized out>, block=0x7ffff2cf9bb0, state=0x7fffffff3dd0) 
at jchuff.c:591

(gdb) up
(gdb) up
#2  0x00007ffff36d4268 in encode_one_block (actbl=0x646920, dctbl=<optimized 
out>, last_dc_val=<optimized out>, block=0x7ffff2cf9bb0, state=0x7fffffff3dd0) 
at jchuff.c:591
591       kloop(44);



Description: Detect buffer overrun in jchuff.c
Author: Bernhard Übelacker <bernha...@vr-web.de>
Bug-Debian: https://bugs.debian.org/768369
Last-Update: <2014-11-15>

--- libjpeg-turbo-1.3.1.orig/jchuff.c
+++ libjpeg-turbo-1.3.1/jchuff.c
@@ -318,13 +318,24 @@ dump_buffer (working_state * state)
  * bytes can be stored in a 64-bit bit buffer before it has to be emptied.
  */
 
+#define CHECK_LOCALBUF_OVERRUN() { \
+  if (localbuf && (buffer - _buffer) > sizeof(_buffer)) { \
+    fprintf(stderr, "%s, line %d: written beyond end of _buffer, size=%ld, _buffer=0x%p, buffer=0x%p, pos=%ld\n", \
+        __FILE__, __LINE__, sizeof(_buffer), (void*)_buffer, (void*)buffer, (buffer - _buffer)); \
+    abort(); \
+  } \
+}
+
 #define EMIT_BYTE() { \
   JOCTET c; \
   put_bits -= 8; \
   c = (JOCTET)GETJOCTET(put_buffer >> put_bits); \
   *buffer++ = c; \
-  if (c == 0xFF)  /* need to stuff a zero byte? */ \
+  CHECK_LOCALBUF_OVERRUN(); \
+  if (c == 0xFF) { /* need to stuff a zero byte? */ \
     *buffer++ = 0; \
+    CHECK_LOCALBUF_OVERRUN(); \
+  } \
  }
 
 #define PUT_BITS(code, size) { \
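Review bot: The fprintf in CHECK_LOCALBUF_OVERRUN uses the wrong conversions: `sizeof(_buffer)` is a size_t and `(buffer - _buffer)` is a ptrdiff_t, so both `%ld` should be `%zu` and `%td`, and `0x%p` double-prefixes the address on glibc, which is exactly what the captured output shows ("_buffer=0x0x7fffffff3e10"). The line should read `fprintf(stderr, "%s, line %d: written beyond end of _buffer, size=%zu, _buffer=%p, buffer=%p, pos=%td\n", \`. Note also that the check runs after `*buffer++ = c;` and after the stuffed zero, so the out-of-bounds byte has already been stored when abort() fires; for a diagnostic that is acceptable, but a guard placed before each store (`buffer >= _buffer + sizeof(_buffer)`) would stop the corruption rather than report it. Whether `localbuf`, `_buffer` and `buffer` are in scope at every EMIT_BYTE() expansion cannot be confirmed from this hunk, and the macro is not wrapped in `do { ... } while (0)`, so an expansion followed by `else` would not compile.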
@@ -532,17 +543,69 @@ encode_one_block (working_state * state,
 }
 
   /* One iteration for each value in jpeg_natural_order[] */
-  kloop(1);   kloop(8);   kloop(16);  kloop(9);   kloop(2);   kloop(3);
-  kloop(10);  kloop(17);  kloop(24);  kloop(32);  kloop(25);  kloop(18);
-  kloop(11);  kloop(4);   kloop(5);   kloop(12);  kloop(19);  kloop(26);
-  kloop(33);  kloop(40);  kloop(48);  kloop(41);  kloop(34);  kloop(27);
-  kloop(20);  kloop(13);  kloop(6);   kloop(7);   kloop(14);  kloop(21);
-  kloop(28);  kloop(35);  kloop(42);  kloop(49);  kloop(56);  kloop(57);
-  kloop(50);  kloop(43);  kloop(36);  kloop(29);  kloop(22);  kloop(15);
-  kloop(23);  kloop(30);  kloop(37);  kloop(44);  kloop(51);  kloop(58);
-  kloop(59);  kloop(52);  kloop(45);  kloop(38);  kloop(31);  kloop(39);
-  kloop(46);  kloop(53);  kloop(60);  kloop(61);  kloop(54);  kloop(47);
-  kloop(55);  kloop(62);  kloop(63);
+  kloop(1);
+  kloop(8);
+  kloop(16);
+  kloop(9);
+  kloop(2);
+  kloop(3);
+  kloop(10);
+  kloop(17);
+  kloop(24);
+  kloop(32);
+  kloop(25);
+  kloop(18);
+  kloop(11);
+  kloop(4);
+  kloop(5);
+  kloop(12);
+  kloop(19);
+  kloop(26);
+  kloop(33);
+  kloop(40);
+  kloop(48);
+  kloop(41);
+  kloop(34);
+  kloop(27);
+  kloop(20);
+  kloop(13);
+  kloop(6);
+  kloop(7);
+  kloop(14);
+  kloop(21);
+  kloop(28);
+  kloop(35);
+  kloop(42);
+  kloop(49);
+  kloop(56);
+  kloop(57);
+  kloop(50);
+  kloop(43);
+  kloop(36);
+  kloop(29);
+  kloop(22);
+  kloop(15);
+  kloop(23);
+  kloop(30);
+  kloop(37);
+  kloop(44);
+  kloop(51);
+  kloop(58);
+  kloop(59);
+  kloop(52);
+  kloop(45);
+  kloop(38);
+  kloop(31);
+  kloop(39);
+  kloop(46);
+  kloop(53);
+  kloop(60);
+  kloop(61);
+  kloop(54);
+  kloop(47);
+  kloop(55);
+  kloop(62);
+  kloop(63);
 
   /* If the last coef(s) were zero, emit an end-of-block code */
   if (r > 0) {
