Gitweb links:

...log http://git.netsurf-browser.org/netsurf.git/shortlog/a815ad62502669e9a2b689f6f609eb03008a4ca4
...commit http://git.netsurf-browser.org/netsurf.git/commit/a815ad62502669e9a2b689f6f609eb03008a4ca4
...tree http://git.netsurf-browser.org/netsurf.git/tree/a815ad62502669e9a2b689f6f609eb03008a4ca4

The branch, master has been updated
       via  a815ad62502669e9a2b689f6f609eb03008a4ca4 (commit)
      from  c95cca4ca6e806f1e2a3a829ce0dda655fdc886d (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commitdiff http://git.netsurf-browser.org/netsurf.git/commit/?id=a815ad62502669e9a2b689f6f609eb03008a4ca4
commit a815ad62502669e9a2b689f6f609eb03008a4ca4
Author: Sergei Rogachev <[email protected]>
Commit: Vincent Sanders <[email protected]>

    Fix longjmp to invalid address on jpeg init error

    Libjpeg used in NetSurf for decoding of JPEG images handles exceptions
    using a pair of non-local jump functions: setjmp() and longjmp(). When a
    decompression context is created via a call to the function
    jpeg_create_decompress() the caller passes a structure
    jpeg_decompress_struct as a parameter. This structure should have a
    validly initialized jump buffer, so the initialization or other
    functions called in future can jump to the exception handling context.

    The jpeg backend of NetSurf now initializes libjpeg mistakenly: the jump
    buffer is filled after the call to jpeg_create_decompress(). It results
    in a jump to random addresses in the case of an exception caught during
    operation of the function jpeg_create_decompress().

    The patch moves the initialization of the jump buffer before the call to
    jpeg_create_decompress().

    Signed-off-by: Sergei Rogachev <[email protected]>

diff --git a/content/handlers/image/jpeg.c b/content/handlers/image/jpeg.c
index 278d9e6..5ae9e70 100644
--- a/content/handlers/image/jpeg.c
+++ b/content/handlers/image/jpeg.c
@@ -202,8 +202,8 @@ jpeg_cache_convert(struct content *c)
                return bitmap;
        }
 
-       jpeg_create_decompress(&cinfo);
        cinfo.client_data = &setjmp_buffer;
+       jpeg_create_decompress(&cinfo);
 
        /* setup data source */
        source_mgr.next_input_byte = source_data;
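Review bot: the reordered pair in jpeg_cache_convert() carries no comment explaining that `cinfo.client_data = &setjmp_buffer;` has to come before `jpeg_create_decompress(&cinfo);`, so a later cleanup could swap the two lines back without anyone noticing. Suggest a one-line comment above the assignment saying that the error handler takes its longjmp() target from client_data and can fire during creation.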
@@ -305,8 +305,8 @@ static bool nsjpeg_convert(struct content *c)
                return false;
        }
 
-       jpeg_create_decompress(&cinfo);
        cinfo.client_data = &setjmp_buffer;
+       jpeg_create_decompress(&cinfo);
        source_mgr.next_input_byte = (unsigned char *) data;
        source_mgr.bytes_in_buffer = size;
        cinfo.src = &source_mgr;
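Review bot: in nsjpeg_convert() the same two-line sequence is now repeated from jpeg_cache_convert(), which leaves two places where the ordering has to be kept right. Consider a small shared helper that sets client_data and then calls jpeg_create_decompress(). If the block ending in `return false;` just above is the setjmp() recovery path, it is also worth confirming that it is safe to reach from inside jpeg_create_decompress(), before source_mgr and cinfo.src have been set up.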


-----------------------------------------------------------------------

Summary of changes:
 content/handlers/image/jpeg.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)


-- 
NetSurf Browser
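
The ordering problem described in the commit message, as an added example that is not NetSurf or libjpeg code: `mock_cinfo`, `mock_error_exit`, `mock_create` and `init_decoder` are hypothetical stand-ins that model only the client_data/longjmp() relationship. The NULL check in the handler is an assumption of this example so the misordered case returns a status instead of jumping through an unset pointer.

```c
#include <setjmp.h>
#include <stdio.h>

/* Hypothetical stand-in for jpeg_decompress_struct (not libjpeg's layout). */
struct mock_cinfo {
    void (*error_exit)(struct mock_cinfo *);
    void *client_data;          /* caller-owned; here it points at a jmp_buf */
};

/* Error handler: jump to the buffer found through client_data, if any. */
static void mock_error_exit(struct mock_cinfo *cinfo)
{
    if (cinfo->client_data != NULL)
        longjmp(*(jmp_buf *)cinfo->client_data, 1);
}

/* Stand-in for jpeg_create_decompress(): it may raise an error while running. */
static int mock_create(struct mock_cinfo *cinfo, int fail)
{
    if (fail) {
        cinfo->error_exit(cinfo);
        return -1;              /* reached only if the handler could not jump */
    }
    return 0;
}

enum { INIT_OK, INIT_RECOVERED, INIT_NO_TARGET };
/* set_first != 0 is the patched order; set_first == 0 is the original order. */
static int init_decoder(int set_first, int fail)
{
    /* NULL models the unset pointer; the commit describes a random address. */
    struct mock_cinfo cinfo = { mock_error_exit, NULL };
    jmp_buf setjmp_buffer;
    if (setjmp(setjmp_buffer))
        return INIT_RECOVERED;  /* error raised during create and caught here */
    if (set_first)
        cinfo.client_data = &setjmp_buffer;
    if (mock_create(&cinfo, fail) != 0)
        return INIT_NO_TARGET;  /* error raised with no valid jump target */
    if (!set_first)
        cinfo.client_data = &setjmp_buffer;
    return INIT_OK;
}

int main(void)
{
    printf("patched: %d, original: %d\n", init_decoder(1, 1), init_decoder(0, 1));
    return 0;
}
```

Both orders behave the same when creation succeeds; they differ only when the error is raised inside the create call, which is the case the patch addresses.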
