Thanks to the sources below; this patch discovered via Gentoo. http://bugzilla.redhat.com/show_bug.cgi?id=1031734 http://bugzilla.redhat.com/show_bug.cgi?id=1031749 http://sourceforge.net/p/libjpeg-turbo/code/1090/ --- libjpeg-turbo-1.3.0/jdmarker.c +++ libjpeg-turbo-1.3.0/jdmarker.c @@ -304,7 +304,7 @@ /* Process a SOS marker */ { INT32 length; - int i, ci, n, c, cc; + int i, ci, n, c, cc, pi; jpeg_component_info * compptr; INPUT_VARS(cinfo); @@ -348,6 +348,13 @@ TRACEMS3(cinfo, 1, JTRC_SOS_COMPONENT, cc, compptr->dc_tbl_no, compptr->ac_tbl_no); + + /* This CSi (cc) should differ from the previous CSi */ + for (pi = 0; pi < i; pi++) { + if (cinfo->cur_comp_info[pi] == compptr) { + ERREXIT1(cinfo, JERR_BAD_COMPONENT_ID, cc); + } + } } /* Collect the additional scan parameters Ss, Se, Ah/Al. */ @@ -465,6 +472,8 @@ for (i = 0; i < count; i++) INPUT_BYTE(cinfo, huffval[i], return FALSE); + MEMZERO(&huffval[count], (256 - count) * SIZEOF(UINT8)); + length -= count; if (index & 0x10) { /* AC table definition */
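Review bot: The comment added in the second hunk says the selector should differ from "the previous CSi", but the loop compares `compptr` with every earlier `cinfo->cur_comp_info[pi]` for `pi < i`, so the wording understates the check. I would reword it to `/* Reject a scan that names the same component twice: CSi (cc) must differ from every earlier CSi in this SOS */`, which also explains why `JERR_BAD_COMPONENT_ID` is raised. The new check sits after the `TRACEMS3` call, so a rejected selector has already been traced. That looks harmless on the fatal-error path, but the enclosing loop starts outside the hunk, so it is worth confirming that nothing before the check depends on the selector being unique.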
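Review bot: The length passed to `MEMZERO` in the third hunk, `(256 - count) * SIZEOF(UINT8)`, is only safe if `count` has already been limited to 256, and that check is not visible in this hunk. If `count` could exceed 256 at this point, the subtraction would go negative and convert to a very large size, so please confirm the bound is enforced before the read loop. A short comment would also help, for example `/* Zero the unused tail of huffval[] so a short table cannot carry stale bytes into the stored table */`. That `huffval` is a 256-entry buffer later copied out whole is my inference from the literal, since its declaration and the copy are outside the hunk.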