20.0.1: Difference between revisions
Line 28: | Line 28: | ||
* The only changed function was L_dce70. | * The only changed function was L_dce70. | ||
** This function iterates through "tmpCache" and attempts to shrink all JPEG images with [[Jpegdec_services#ShrinkJpegEx|ShrinkJpegEx]] in a loop. | ** This function iterates through "tmpCache" and attempts to shrink all JPEG images with [[Jpegdec_services#ShrinkJpegEx|ShrinkJpegEx]] in a loop. | ||
** However, the objects holding the JPEG file context were being freed unconditionally which resulted in passing invalid arguments to [[Jpegdec_services#ShrinkJpegEx|ShrinkJpegEx]] which, in turn, would return the error code 0x7EECE (2206-1015) which the function would then blindly return back. | ** However, the objects holding the JPEG file context were being freed unconditionally which resulted in passing invalid arguments (use-after-free) to [[Jpegdec_services#ShrinkJpegEx|ShrinkJpegEx]] which, in turn, would return the error code 0x7EECE (2206-1015) which the function would then blindly return back. | ||
** The issue was fixed by first no longer blindly return the error code returned by [[Jpegdec_services#ShrinkJpegEx|ShrinkJpegEx]] and then properly implementing the conditions that lead to freeing the JPEG file objects. | ** The issue was fixed by first no longer blindly return the error code returned by [[Jpegdec_services#ShrinkJpegEx|ShrinkJpegEx]] and then properly implementing the conditions that lead to freeing the JPEG file objects. | ||
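Review bot: The "(use-after-free)" added in the second sub-bullet sits after "invalid arguments", so it reads as a label for the arguments rather than for the bug. Attach it to the cause instead, for example "were being freed unconditionally, so already-freed objects were passed to ShrinkJpegEx (a use-after-free)". Since this revision already touches the list, the last sub-bullet's "by first no longer blindly return the error code" could also be corrected to "returning". It is identical on both sides of the diff, so the revision left it unfixed.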