From 1ecd9a5729d78518397889a630e3534bd9d963a8 Mon Sep 17 00:00:00 2001
From: Kornel <kornel@geekhood.net>
Date: Sat, 30 Sep 2017 12:05:53 +0100
Subject: [PATCH] Handle NULL buffer when discarding rows

---
 jdpostct.c | 5 +++++
 jquant1.c  | 4 ++++
 2 files changed, 9 insertions(+)

diff --git a/jdpostct.c b/jdpostct.c
index 601fc2a79..a24202ca9 100644
--- a/jdpostct.c
+++ b/jdpostct.c
@@ -132,6 +132,11 @@ post_process_1pass (j_decompress_ptr cinfo,
   my_post_ptr post = (my_post_ptr) cinfo->post;
   JDIMENSION num_rows, max_rows;
 
+  /* read_and_discard_scanlines may call it with rows "available", but no buffer */
+  if (output_buf == NULL) {
+    return;
+  }
+
   /* Fill the buffer, but not more than what we can dump out in one go. */
   /* Note we rely on the upsampler to detect bottom of image. */
   max_rows = out_rows_avail - *out_row_ctr;
diff --git a/jquant1.c b/jquant1.c
index e7814815e..ba2ea9b80 100644
--- a/jquant1.c
+++ b/jquant1.c
@@ -531,6 +531,10 @@ quantize_ord_dither (j_decompress_ptr cinfo, JSAMPARRAY input_buf,
   JDIMENSION col;
   JDIMENSION width = cinfo->output_width;
 
+  if (output_buf == NULL && num_rows) {
+    ERREXIT(cinfo, JERR_BAD_PARAM);
+  }
+
   for (row = 0; row < num_rows; row++) {
     /* Initialize output values to 0 so can process components separately */
     jzero_far((void *) output_buf[row], (size_t) (width * sizeof(JSAMPLE)));
Index: libjpeg-turbo-1.5.2/jerror.h
===================================================================
--- libjpeg-turbo-1.5.2.orig/jerror.h	2017-07-07 22:31:10.000000000 +0200
+++ libjpeg-turbo-1.5.2/jerror.h	2017-10-12 13:24:01.349954012 +0200
@@ -208,6 +208,7 @@ JMESSAGE(JERR_NO_ARITH_TABLE, "Arithmeti
 JMESSAGE(JWRN_ARITH_BAD_CODE, "Corrupt JPEG data: bad arithmetic code")
 #endif
 #endif
+JMESSAGE(JERR_BAD_PARAM, "Bogus parameter")
 
 #ifdef JMAKE_ENUM_LIST