From 9fa807ad2c8127d8c9b2c131e904a6f69a3a7798 Mon Sep 17 00:00:00 2001
From: Per Hedbor <ph@opera.com>
Date: Mon, 19 Oct 2015 17:01:34 +0200
Subject: [PATCH] Fixed crash (infinite loop allocating ram) in
 Image.JPEG.decode

When decoding markers, if there were more than two of a single type
(for example, when an image contains a 1.2Mb ICC profile) the code
got stuck in an infinite loop instead of progressing.
---
 src/modules/_Image_JPEG/image_jpeg.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/modules/_Image_JPEG/image_jpeg.c b/src/modules/_Image_JPEG/image_jpeg.c
index a8418d7c91..5fee3b22d3 100644
--- a/src/modules/_Image_JPEG/image_jpeg.c
+++ b/src/modules/_Image_JPEG/image_jpeg.c
@@ -1167,7 +1167,7 @@ static void img_jpeg_decode(INT32 args,int mode)
 		  * Remove the extra reference from above.
 		  */
 		 free_array(old);
-		 continue;
+		 goto next_marker;
 	       }
 	       /* The reference we added to old has migrated to new.
 		* Pass it along to the stack.
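Review bot: The `goto next_marker;` that replaces `continue;` fixes this one exit path, but the marker loop's body extends well outside the hunk and any other `continue` still in it would reproduce the same behaviour, since the old `continue` skipped both the list-head advance and the `free(mm)` at the loop's tail, so the same marker was presumably re-read and re-allocated on every iteration. Worth grepping the rest of img_jpeg_decode's marker loop for `continue` and pointing each at the new label. A regression test that decodes an image carrying three or more markers of one type (the commit message's large-ICC-profile case) would pin the fix and catch any remaining path. The enclosing function starts and ends outside the hunk.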
@@ -1189,6 +1189,7 @@ static void img_jpeg_decode(INT32 args,int mode)
 	 } else {
 	    pop_n_elems(2);
 	 }
+      next_marker:
 	 mds.first_marker=mm->next;
 	 free(mm);
       }
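Review bot: The new `next_marker:` label carries no comment saying why it exists, and `continue` reads so naturally inside a loop that a later edit is likely to reintroduce it. Suggest placing above the label: `/* Every path that skips the rest of marker handling must come here, not 'continue': the list head must advance and mm must be freed, otherwise the same marker is reprocessed on every iteration. */` The two lines after the label (`mds.first_marker=mm->next;` and `free(mm);`) are exactly what the replaced `continue` bypassed, so the comment ties the label to the bug it prevents. The label is indented with spaces while the surrounding lines use tabs; matching the file's indentation would keep the hunk consistent. img_jpeg_decode starts and ends outside the hunk.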
-- 
GitLab