jchuff.c/flush_bits(): Guard against put_bits < 0

dcommander · dcommander · commit 041c80a42eae · 2023-07-12T14:16:13.000-04:00
This fixes a UBSan negative shift warning, reported by OSS-Fuzz, that occurred when attempting to transform a specially-crafted malformed arithmetic-coded JPEG image into a baseline Huffman-coded JPEG destination image with default Huffman tables. This issue probably had a similar root cause to the issue fixed in 31a3013, but in this case, the issue only occurred with the SIMD baseline Huffman encoder in libjpeg-turbo 2.1.x. It was not reproducible in 2.0.x or 3.0.x or when using the C baseline Huffman encoder.
diff --git a/jchuff.c b/jchuff.c
@@ -518,7 +518,7 @@ flush_bits(working_state *state)
     temp = (JOCTET)(put_buffer >> put_bits);
     EMIT_BYTE(temp)
   }
-  if (put_bits) {
+  if (put_bits > 0) {
     /* fill partial byte with ones */
     temp = (JOCTET)((put_buffer << (8 - put_bits)) | (0xFF >> put_bits));
     EMIT_BYTE(temp)

Original file line number	Diff line number	Diff line change
`@@ -518,7 +518,7 @@ flush_bits(working_state *state)`
`518`	`518`	`temp = (JOCTET)(put_buffer >> put_bits);`
`519`	`519`	`EMIT_BYTE(temp)`
`520`	`520`	`}`
`521`		`- if (put_bits) {`
	`521`	`+ if (put_bits > 0) {`
`522`	`522`	`/* fill partial byte with ones */`
`523`	`523`	`temp = (JOCTET)((put_buffer << (8 - put_bits)) \| (0xFF >> put_bits));`
`524`	`524`	`EMIT_BYTE(temp)`