From 6e053525ee45171f65ecec596336cc3b0a5e9468 Mon Sep 17 00:00:00 2001
From: DRC <information@libjpeg-turbo.org>
Date: Thu, 4 Feb 2016 09:20:41 -0600
Subject: [PATCH] TurboJPEG: Avoid dangling pointers

This addresses a minor concern (LJT-01-002) expressed in a security audit by Cure53. _tjInitCompress() and _tjInitDecompress() call (respectively) jpeg_mem_dest_tj() and jpeg_mem_src_tj() with a pointer to a dummy buffer, in order to set up the destination/source manager. The dummy buffer should never be used, but it's still better to make it static so that the pointer in the destination/source manager always points to a valid region of memory.
---
 turbojpeg.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/turbojpeg.c b/turbojpeg.c
index 6b2c623..b20272a 100644
--- a/turbojpeg.c
+++ b/turbojpeg.c
@@ -556,7 +556,8 @@ DLLEXPORT unsigned char *DLLCALL tjAlloc(int bytes)
 
 static tjhandle _tjInitCompress(tjinstance *this)
 {
- unsigned char buffer[1], *buf=buffer; unsigned long size=1;
+ static unsigned char buffer[1];
+ unsigned char *buf=buffer; unsigned long size=1;
 
 /* This is also straight out of example.c */
 this->cinfo.err=jpeg_std_error(&this->jerr.pub);
@@ -1213,7 +1214,7 @@ DLLEXPORT int DLLCALL tjCompressFromYUV(tjhandle handle, unsigned char *srcBuf,
 
 static tjhandle _tjInitDecompress(tjinstance *this)
 {
- unsigned char buffer[1];
+ static unsigned char buffer[1];
 
 /* This is also straight out of example.c */
 this->dinfo.err=jpeg_std_error(&this->jerr.pub);
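Review bot: The new `static unsigned char buffer[1];` in `_tjInitCompress()` carries no comment explaining why it is static, so a later cleanup could turn it back into an automatic variable and reintroduce the dangling pointer; the same applies to the declaration in `_tjInitDecompress()` in the second hunk. I would put a comment above each declaration, for example `/* static: the dest/source manager keeps this pointer after we return; dummy only, never holds image data */`. A function-local static is shared by every handle and every thread, so the placeholder is only safe while nothing writes through it. The commit message says the buffer is never used, but the calls that store the pointer lie outside these hunks, so that is worth confirming; a dummy byte kept per instance would avoid the sharing if the instance struct can take one. Both function bodies continue past the hunks.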