Merge commit 'eadd243'

# By DRC
# Via DRC
* commit 'eadd243':
  Fix interblock smoothing with narrow prog. JPEGs
  jchuff.c/flush_bits(): Guard against free_bits < 0
  jchuff.c/flush_bits(): Guard against put_bits < 0
  Restore xform fuzzer behavior from before 19f9d8f
  xform fuzz: Use src subsamp to calc dst buf size
  Doc: Mention that we are a JPEG ref implementation
  jchuff.c: Test for out-of-range coefficients
  turbojpeg.h: Make customFilter() proto match doc
  ChangeLog.md: Fix typo
  tjTransform(): Calc dst buf size from xformed dims
  Fix build warnings/errs w/ -DNO_GETENV/-DNO_PUTENV
  GitHub: Fix x32 build
  tjexample.c: Prevent integer overflow
  jpeg_crop_scanline: Fix calc w/sclg + 2x4,4x2 samp
  Decomp: Don't enable 2-pass color quant w/ RGB565
  TJBench: w/JPEG input imgs, set min tile= MCU size
  Bump version to 2.1.6 to prepare for new commits
  GitHub: Add pull request template
  Build: Clarify CMAKE_OSX_ARCHITECTURES error
  Build: Fail if included with add_subdirectory()

# Conflicts:
#	.github/workflows/build.yml
#	CMakeLists.txt
#	README.md
#	release/deb-control.in

Author: kornelski

.github/pull_request_template.md

@@ -0,0 +1,8 @@
+**Complete description of the bug fix or feature that this pull request implements**
+
+
+**Checklist before submitting the pull request, to maximize the chances that the pull request will be accepted**
+
+- [ ] Read CONTRIBUTING.md, a link to which appears under "Helpful resources" below.  That document discusses general guidelines for contributing to libjpeg-turbo, as well as the types of contributions that will not be accepted or are unlikely to be accepted.
+- [ ] Search the existing issues and pull requests (both open and closed) to ensure that a similar request has not already been submitted and rejected.
+- [ ] Discuss the proposed bug fix or feature in a GitHub issue, through direct e-mail with the project maintainer, or on the libjpeg-turbo-devel mailing list.

CMakeLists.txt

@@ -31,6 +31,34 @@ pad_number(VERSION_MINOR 3)
 pad_number(VERSION_REVISION 3)
 set(LIBJPEG_TURBO_VERSION_NUMBER ${VERSION_MAJOR}${VERSION_MINOR}${VERSION_REVISION})
 
+# The libjpeg-turbo build system has never supported and will never support
+# being integrated into another build system using add_subdirectory(), because
+# doing so would require that we (minimally):
+#
+# 1. avoid using certain CMake variables, such as CMAKE_SOURCE_DIR,
+#    CMAKE_BINARY_DIR, and CMAKE_PROJECT_NAME;
+# 2. avoid using implicit include directories and relative paths;
+# 3. optionally provide a way to skip the installation of libjpeg-turbo
+#    components when the 'install' target is built;
+# 4. optionally provide a way to postfix target names, to avoid namespace
+#    conflicts;
+# 5. restructure the top-level CMakeLists.txt so that it properly sets the
+#    PROJECT_VERSION variable; and
+# 6. design automated regression tests to ensure that new commits don't break
+#    any of the above.
+#
+# Even if we did all of that, issues would still arise, because it is
+# impossible for an upstream build system to anticipate the widely varying
+# needs of every downstream build system.  That's why the CMake
+# ExternalProject_Add() function exists.  Downstream projects that wish to
+# integrate libjpeg-turbo as a subdirectory should either use
+# ExternalProject_Add() or make downstream modifications to the libjpeg-turbo
+# build system to suit their specific needs.  Please do not file bug reports,
+# feature requests, or pull requests regarding this.
+if(NOT CMAKE_SOURCE_DIR STREQUAL CMAKE_CURRENT_SOURCE_DIR)
+  message(FATAL_ERROR "The libjpeg-turbo build system cannot be integrated into another build system using add_subdirectory().  Use ExternalProject_Add() instead.")
+endif()
+
 # CMake 3.14 and later sets CMAKE_MACOSX_BUNDLE to TRUE by default when
 # CMAKE_SYSTEM_NAME is iOS, tvOS, or watchOS, which breaks the libjpeg-turbo
 # build.  (Specifically, when CMAKE_MACOSX_BUNDLE is TRUE, executables for
@@ -70,7 +98,7 @@ string(TOLOWER ${CMAKE_SYSTEM_PROCESSOR} CMAKE_SYSTEM_PROCESSOR_LC)
 set(COUNT 1)
 foreach(ARCH ${CMAKE_OSX_ARCHITECTURES})
   if(COUNT GREATER 1)
-    message(FATAL_ERROR "The libjpeg-turbo build system does not support multiple values in CMAKE_OSX_ARCHITECTURES.")
+    message(FATAL_ERROR "libjpeg-turbo contains assembly code, so it cannot be built with multiple values in CMAKE_OSX_ARCHITECTURES.")
   endif()
   math(EXPR COUNT "${COUNT}+1")
 endforeach()

ChangeLog.md

@@ -1,3 +1,44 @@
+2.1.6
+=====
+
+### Significant changes relative to 2.1.5.1:
+
+1. Fixed an oversight in 1.4 beta1[8] that caused various segfaults and buffer
+overruns when attempting to decompress various specially-crafted malformed
+12-bit-per-component JPEG images using a 12-bit-per-component build of djpeg
+(`-DWITH_12BIT=1`) with both color quantization and RGB565 color conversion
+enabled.
+
+2. Fixed an issue whereby `jpeg_crop_scanline()` sometimes miscalculated the
+downsampled width for components with 4x2 or 2x4 subsampling factors if
+decompression scaling was enabled.  This caused the components to be upsampled
+incompletely, which caused the color converter to read from uninitialized
+memory.  With 12-bit data precision, this caused a buffer overrun or underrun
+and subsequent segfault if the sample value read from uninitialized memory was
+outside of the valid sample range.
+
+3. Fixed a long-standing issue whereby the `tjTransform()` function, when used
+with the `TJXOP_TRANSPOSE`, `TJXOP_TRANSVERSE`, `TJXOP_ROT90`, or
+`TJXOP_ROT270` transform operation and without automatic JPEG destination
+buffer (re)allocation or lossless cropping, computed the worst-case transformed
+JPEG image size based on the source image dimensions rather than the
+transformed image dimensions.  If a calling program allocated the JPEG
+destination buffer based on the transformed image dimensions, as the API
+documentation instructs, and attempted to transform a specially-crafted 4:2:2,
+4:4:0, or 4:1:1 JPEG source image containing a large amount of metadata, the
+issue caused `tjTransform()` to overflow the JPEG destination buffer rather
+than fail gracefully.  The issue could be worked around by setting
+`TJXOPT_COPYNONE`.  Note that, irrespective of this issue, `tjTransform()`
+cannot reliably transform JPEG source images that contain a large amount of
+metadata unless automatic JPEG destination buffer (re)allocation is used or
+`TJXOPT_COPYNONE` is set.
+
+4. Fixed an issue that caused the C Huffman encoder (which is not used by
+default on x86 and Arm CPUs) to read from uninitialized memory when attempting
+to transform a specially-crafted malformed arithmetic-coded JPEG source image
+into a baseline Huffman-coded JPEG destination image.
+
+
 2.1.5.1
 =======
 

doc/html/functions.html

@@ -65,7 +65,7 @@
 <div class="contents">
 <div class="textblock">Here is a list of all documented struct and union fields with links to the struct/union documentation for each field:</div><ul>
 <li>customFilter
-: <a class="el" href="structtjtransform.html#afd7fc262df33f741e120ef4183202ef5">tjtransform</a>
+: <a class="el" href="structtjtransform.html#a0dc7697d59a7abe48afc629e96cbc1d2">tjtransform</a>
 </li>
 <li>data
 : <a class="el" href="structtjtransform.html#a688fe8f1a8ecc12a538d9e561cf338e3">tjtransform</a>

doc/html/functions_vars.html

@@ -65,7 +65,7 @@
 <div class="contents">
 &#160;<ul>
 <li>customFilter
-: <a class="el" href="structtjtransform.html#afd7fc262df33f741e120ef4183202ef5">tjtransform</a>
+: <a class="el" href="structtjtransform.html#a0dc7697d59a7abe48afc629e96cbc1d2">tjtransform</a>
 </li>
 <li>data
 : <a class="el" href="structtjtransform.html#a688fe8f1a8ecc12a538d9e561cf338e3">tjtransform</a>

doc/html/group___turbo_j_p_e_g.html

@@ -2664,7 +2664,7 @@ <h2 class="memtitle"><span class="permalink"><a href="#ga9cb8abf4cc91881e04a0329
     <tr><td class="paramname">dstBufs</td><td>pointer to an array of n byte buffers. <code>dstBufs[i]</code> will receive a JPEG image that has been transformed using the parameters in <code>transforms[i]</code>. TurboJPEG has the ability to reallocate the JPEG destination buffer to accommodate the size of the transformed JPEG image. Thus, you can choose to:<ol type="1">
 <li>pre-allocate the JPEG destination buffer with an arbitrary size using <a class="el" href="group___turbo_j_p_e_g.html#gaec627dd4c5f30b7a775a7aea3bec5d83" title="Allocate a byte buffer for use with TurboJPEG.">tjAlloc()</a> and let TurboJPEG grow the buffer as needed,</li>
 <li>set <code>dstBufs[i]</code> to NULL to tell TurboJPEG to allocate the buffer for you, or</li>
-<li>pre-allocate the buffer to a "worst case" size determined by calling <a class="el" href="group___turbo_j_p_e_g.html#ga67ac12fee79073242cb216e07c9f1f90" title="The maximum size of the buffer (in bytes) required to hold a JPEG image with the given parameters.">tjBufSize()</a> with the transformed or cropped width and height. Under normal circumstances, this should ensure that the buffer never has to be re-allocated. (Setting <a class="el" href="group___turbo_j_p_e_g.html#ga8808d403c68b62aaa58a4c1e58e98963" title="Disable JPEG buffer (re)allocation.">TJFLAG_NOREALLOC</a> guarantees that it won't be.) Note, however, that there are some rare cases (such as transforming images with a large amount of embedded EXIF or ICC profile data) in which the transformed JPEG image will be larger than the worst-case size, and <a class="el" href="group___turbo_j_p_e_g.html#ga8808d403c68b62aaa58a4c1e58e98963" title="Disable JPEG buffer (re)allocation.">TJFLAG_NOREALLOC</a> cannot be used in those cases.</li>
+<li>pre-allocate the buffer to a "worst case" size determined by calling <a class="el" href="group___turbo_j_p_e_g.html#ga67ac12fee79073242cb216e07c9f1f90" title="The maximum size of the buffer (in bytes) required to hold a JPEG image with the given parameters.">tjBufSize()</a> with the transformed or cropped width and height and the level of subsampling used in the source image. Under normal circumstances, this should ensure that the buffer never has to be re-allocated. (Setting <a class="el" href="group___turbo_j_p_e_g.html#ga8808d403c68b62aaa58a4c1e58e98963" title="Disable JPEG buffer (re)allocation.">TJFLAG_NOREALLOC</a> guarantees that it won't be.) Note, however, that there are some rare cases (such as transforming images with a large amount of embedded EXIF or ICC profile data) in which the transformed JPEG image will be larger than the worst-case size, and <a class="el" href="group___turbo_j_p_e_g.html#ga8808d403c68b62aaa58a4c1e58e98963" title="Disable JPEG buffer (re)allocation.">TJFLAG_NOREALLOC</a> cannot be used in those cases.</li>
 </ol>
 If you choose option 1, then <code>dstSizes[i]</code> should be set to the size of your pre-allocated buffer. In any case, unless you have set <a class="el" href="group___turbo_j_p_e_g.html#ga8808d403c68b62aaa58a4c1e58e98963" title="Disable JPEG buffer (re)allocation.">TJFLAG_NOREALLOC</a>, you should always check <code>dstBufs[i]</code> upon return from this function, as it may have changed.</td></tr>
     <tr><td class="paramname">dstSizes</td><td>pointer to an array of n unsigned long variables that will receive the actual sizes (in bytes) of each transformed JPEG image. If <code>dstBufs[i]</code> points to a pre-allocated buffer, then <code>dstSizes[i]</code> should be set to the size of the buffer. Upon return, <code>dstSizes[i]</code> will contain the size of the transformed JPEG image (in bytes.)</td></tr>

doc/html/search/all_0.js

@@ -1,4 +1,4 @@
 var searchData=
 [
-  ['customfilter_0',['customFilter',['../structtjtransform.html#afd7fc262df33f741e120ef4183202ef5',1,'tjtransform']]]
+  ['customfilter_0',['customFilter',['../structtjtransform.html#a0dc7697d59a7abe48afc629e96cbc1d2',1,'tjtransform']]]
 ];

doc/html/search/variables_0.js

@@ -1,4 +1,4 @@
 var searchData=
 [
-  ['customfilter_142',['customFilter',['../structtjtransform.html#afd7fc262df33f741e120ef4183202ef5',1,'tjtransform']]]
+  ['customfilter_142',['customFilter',['../structtjtransform.html#a0dc7697d59a7abe48afc629e96cbc1d2',1,'tjtransform']]]
 ];

doc/html/structtjtransform.html

@@ -89,21 +89,21 @@
 <tr class="memitem:a688fe8f1a8ecc12a538d9e561cf338e3"><td class="memItemLeft" align="right" valign="top">void *&#160;</td><td class="memItemRight" valign="bottom"><a class="el" href="structtjtransform.html#a688fe8f1a8ecc12a538d9e561cf338e3">data</a></td></tr>
 <tr class="memdesc:a688fe8f1a8ecc12a538d9e561cf338e3"><td class="mdescLeft">&#160;</td><td class="mdescRight">Arbitrary data that can be accessed within the body of the callback function.  <a href="structtjtransform.html#a688fe8f1a8ecc12a538d9e561cf338e3">More...</a><br /></td></tr>
 <tr class="separator:a688fe8f1a8ecc12a538d9e561cf338e3"><td class="memSeparator" colspan="2">&#160;</td></tr>
-<tr class="memitem:afd7fc262df33f741e120ef4183202ef5"><td class="memItemLeft" align="right" valign="top">int(*&#160;</td><td class="memItemRight" valign="bottom"><a class="el" href="structtjtransform.html#afd7fc262df33f741e120ef4183202ef5">customFilter</a> )(short *coeffs, <a class="el" href="structtjregion.html">tjregion</a> arrayRegion, <a class="el" href="structtjregion.html">tjregion</a> planeRegion, int componentIndex, int transformIndex, struct <a class="el" href="structtjtransform.html">tjtransform</a> *transform)</td></tr>
-<tr class="memdesc:afd7fc262df33f741e120ef4183202ef5"><td class="mdescLeft">&#160;</td><td class="mdescRight">A callback function that can be used to modify the DCT coefficients after they are losslessly transformed but before they are transcoded to a new JPEG image.  <a href="structtjtransform.html#afd7fc262df33f741e120ef4183202ef5">More...</a><br /></td></tr>
-<tr class="separator:afd7fc262df33f741e120ef4183202ef5"><td class="memSeparator" colspan="2">&#160;</td></tr>
+<tr class="memitem:a0dc7697d59a7abe48afc629e96cbc1d2"><td class="memItemLeft" align="right" valign="top">int(*&#160;</td><td class="memItemRight" valign="bottom"><a class="el" href="structtjtransform.html#a0dc7697d59a7abe48afc629e96cbc1d2">customFilter</a> )(short *coeffs, <a class="el" href="structtjregion.html">tjregion</a> arrayRegion, <a class="el" href="structtjregion.html">tjregion</a> planeRegion, int componentID, int transformID, struct <a class="el" href="structtjtransform.html">tjtransform</a> *transform)</td></tr>
+<tr class="memdesc:a0dc7697d59a7abe48afc629e96cbc1d2"><td class="mdescLeft">&#160;</td><td class="mdescRight">A callback function that can be used to modify the DCT coefficients after they are losslessly transformed but before they are transcoded to a new JPEG image.  <a href="structtjtransform.html#a0dc7697d59a7abe48afc629e96cbc1d2">More...</a><br /></td></tr>
+<tr class="separator:a0dc7697d59a7abe48afc629e96cbc1d2"><td class="memSeparator" colspan="2">&#160;</td></tr>
 </table>
 <a name="details" id="details"></a><h2 class="groupheader">Detailed Description</h2>
 <div class="textblock"><p>Lossless transform. </p>
 </div><h2 class="groupheader">Field Documentation</h2>
-<a id="afd7fc262df33f741e120ef4183202ef5"></a>
-<h2 class="memtitle"><span class="permalink"><a href="#afd7fc262df33f741e120ef4183202ef5">&#9670;&nbsp;</a></span>customFilter</h2>
+<a id="a0dc7697d59a7abe48afc629e96cbc1d2"></a>
+<h2 class="memtitle"><span class="permalink"><a href="#a0dc7697d59a7abe48afc629e96cbc1d2">&#9670;&nbsp;</a></span>customFilter</h2>
 
 <div class="memitem">
 <div class="memproto">
       <table class="memname">
         <tr>
-          <td class="memname">int(* tjtransform::customFilter) (short *coeffs, <a class="el" href="structtjregion.html">tjregion</a> arrayRegion, <a class="el" href="structtjregion.html">tjregion</a> planeRegion, int componentIndex, int transformIndex, struct <a class="el" href="structtjtransform.html">tjtransform</a> *transform)</td>
+          <td class="memname">int(* tjtransform::customFilter) (short *coeffs, <a class="el" href="structtjregion.html">tjregion</a> arrayRegion, <a class="el" href="structtjregion.html">tjregion</a> planeRegion, int componentID, int transformID, struct <a class="el" href="structtjtransform.html">tjtransform</a> *transform)</td>
         </tr>
       </table>
 </div><div class="memdoc">

fuzz/transform.cc

@@ -1,5 +1,5 @@
 /*
- * Copyright (C)2021 D. R. Commander.  All Rights Reserved.
+ * Copyright (C)2021, 2023 D. R. Commander.  All Rights Reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions are met:
@@ -32,16 +32,13 @@
 #include <string.h>
 
 
-#define NUMXFORMS  3
-
-
 extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
 {
   tjhandle handle = NULL;
-  unsigned char *dstBufs[NUMXFORMS] = { NULL, NULL, NULL };
-  unsigned long dstSizes[NUMXFORMS] = { 0, 0, 0 }, maxBufSize;
-  int width = 0, height = 0, jpegSubsamp, jpegColorspace, i, t;
-  tjtransform transforms[NUMXFORMS];
+  unsigned char *dstBufs[1] = { NULL };
+  unsigned long dstSizes[1] = { 0 }, maxBufSize;
+  int width = 0, height = 0, jpegSubsamp, jpegColorspace, i;
+  tjtransform transforms[1];
 #if defined(__has_feature) && __has_feature(memory_sanitizer)
   char env[18] = "JSIMD_FORCENONE=1";
 
@@ -67,53 +64,84 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
   if (jpegSubsamp < 0 || jpegSubsamp >= TJ_NUMSAMP)
     jpegSubsamp = TJSAMP_444;
 
-  for (t = 0; t < NUMXFORMS; t++)
-    memset(&transforms[t], 0, sizeof(tjtransform));
+  memset(&transforms[0], 0, sizeof(tjtransform));
 
   transforms[0].op = TJXOP_NONE;
   transforms[0].options = TJXOPT_PROGRESSIVE | TJXOPT_COPYNONE;
   dstBufs[0] = (unsigned char *)malloc(tjBufSize(width, height, jpegSubsamp));
   if (!dstBufs[0])
     goto bailout;
 
-  transforms[1].r.w = (width + 1) / 2;
-  transforms[1].r.h = (height + 1) / 2;
-  transforms[1].op = TJXOP_TRANSPOSE;
-  transforms[1].options = TJXOPT_GRAY | TJXOPT_CROP | TJXOPT_COPYNONE;
-  dstBufs[1] =
-    (unsigned char *)malloc(tjBufSize((width + 1) / 2, (height + 1) / 2,
-                                      TJSAMP_GRAY));
-  if (!dstBufs[1])
+  maxBufSize = tjBufSize(width, height, jpegSubsamp);
+
+  if (tjTransform(handle, data, size, 1, dstBufs, dstSizes, transforms,
+                  TJFLAG_LIMITSCANS | TJFLAG_NOREALLOC) == 0) {
+    /* Touch all of the output pixels in order to catch uninitialized reads
+       when using MemorySanitizer. */
+    int sum = 0;
+
+    for (i = 0; i < dstSizes[0]; i++)
+      sum += dstBufs[0][i];
+
+    /* Prevent the code above from being optimized out.  This test should
+       never be true, but the compiler doesn't know that. */
+    if (sum > 255 * maxBufSize)
+      goto bailout;
+  }
+
+  free(dstBufs[0]);
+  dstBufs[0] = NULL;
+
+  transforms[0].r.w = (height + 1) / 2;
+  transforms[0].r.h = (width + 1) / 2;
+  transforms[0].op = TJXOP_TRANSPOSE;
+  transforms[0].options = TJXOPT_GRAY | TJXOPT_CROP | TJXOPT_COPYNONE;
+  dstBufs[0] =
+    (unsigned char *)malloc(tjBufSize((height + 1) / 2, (width + 1) / 2,
+                                      jpegSubsamp));
+  if (!dstBufs[0])
     goto bailout;
 
-  transforms[2].op = TJXOP_ROT90;
-  transforms[2].options = TJXOPT_TRIM | TJXOPT_COPYNONE;
-  dstBufs[2] = (unsigned char *)malloc(tjBufSize(height, width, jpegSubsamp));
-  if (!dstBufs[2])
+  maxBufSize = tjBufSize((height + 1) / 2, (width + 1) / 2, jpegSubsamp);
+
+  if (tjTransform(handle, data, size, 1, dstBufs, dstSizes, transforms,
+                  TJFLAG_LIMITSCANS | TJFLAG_NOREALLOC) == 0) {
+    int sum = 0;
+
+    for (i = 0; i < dstSizes[0]; i++)
+      sum += dstBufs[0][i];
+
+    if (sum > 255 * maxBufSize)
+      goto bailout;
+  }
+
+  free(dstBufs[0]);
+  dstBufs[0] = NULL;
+
+  transforms[0].op = TJXOP_ROT90;
+  transforms[0].options = TJXOPT_TRIM;
+  dstBufs[0] = (unsigned char *)malloc(tjBufSize(height, width, jpegSubsamp));
+  if (!dstBufs[0])
     goto bailout;
 
-  maxBufSize = tjBufSize(width, height, jpegSubsamp);
+  maxBufSize = tjBufSize(height, width, jpegSubsamp);
 
-  if (tjTransform(handle, data, size, NUMXFORMS, dstBufs, dstSizes, transforms,
+  if (tjTransform(handle, data, size, 1, dstBufs, dstSizes, transforms,
                   TJFLAG_LIMITSCANS | TJFLAG_NOREALLOC) == 0) {
-    /* Touch all of the output pixels in order to catch uninitialized reads
-       when using MemorySanitizer. */
-    for (t = 0; t < NUMXFORMS; t++) {
-      int sum = 0;
+    int sum = 0;
 
-      for (i = 0; i < dstSizes[t]; i++)
-        sum += dstBufs[t][i];
+    for (i = 0; i < dstSizes[0]; i++)
+      sum += dstBufs[0][i];
 
-      /* Prevent the code above from being optimized out.  This test should
-         never be true, but the compiler doesn't know that. */
-      if (sum > 255 * maxBufSize)
-        goto bailout;
-    }
+    if (sum > 255 * maxBufSize)
+      goto bailout;
   }
 
-  transforms[0].options &= ~TJXOPT_COPYNONE;
   free(dstBufs[0]);
   dstBufs[0] = NULL;
+
+  transforms[0].op = TJXOP_NONE;
+  transforms[0].options = TJXOPT_PROGRESSIVE;
   dstSizes[0] = 0;
 
   if (tjTransform(handle, data, size, 1, dstBufs, dstSizes, transforms,
@@ -128,8 +156,7 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
   }
 
 bailout:
-  for (t = 0; t < NUMXFORMS; t++)
-    free(dstBufs[t]);
+  free(dstBufs[0]);
   if (handle) tjDestroy(handle);
   return 0;
 }