20.0.1: Difference between revisions

 
Line 28: Line 28:
* The only changed function was L_dce70.
* The only changed function was L_dce70.
** This function iterates through "tmpCache" and attempts to shrink all JPEG images with [[Jpegdec_services#ShrinkJpegEx|ShrinkJpegEx]] in a loop.
** This function iterates through "tmpCache" and attempts to shrink all JPEG images with [[Jpegdec_services#ShrinkJpegEx|ShrinkJpegEx]] in a loop.
** However, the objects holding the JPEG file context were being freed unconditionally which resulted in passing invalid arguments to [[Jpegdec_services#ShrinkJpegEx|ShrinkJpegEx]] which, in turn, would return the error code 0x7EECE (2206-1015) which the function would then blindly return back.
** However, the objects holding the JPEG file context were being freed unconditionally which resulted in passing invalid arguments (use-after-free) to [[Jpegdec_services#ShrinkJpegEx|ShrinkJpegEx]] which, in turn, would return the error code 0x7EECE (2206-1015) which the function would then blindly return back.
** The issue was fixed by first no longer blindly return the error code returned by [[Jpegdec_services#ShrinkJpegEx|ShrinkJpegEx]] and then properly implementing the conditions that lead to freeing the JPEG file objects.
** The issue was fixed by first no longer blindly return the error code returned by [[Jpegdec_services#ShrinkJpegEx|ShrinkJpegEx]] and then properly implementing the conditions that lead to freeing the JPEG file objects.
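Review bot: The added "(use-after-free)" in the third bullet is attached to "invalid arguments", which reads as if the arguments themselves were the bug class, while the same sentence says the cause is that the JPEG file context objects were freed unconditionally and then still handed to ShrinkJpegEx. Consider placing the label on the cause and breaking up the chain of three "which" clauses, for example: "the objects holding the JPEG file context were being freed unconditionally and then still passed to ShrinkJpegEx (use-after-free). ShrinkJpegEx would return the error code 0x7EECE (2206-1015), which the function would then blindly return." In the unchanged last bullet, "by first no longer blindly return the error code" should read "by first no longer blindly returning the error code".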