From 81098de5a63d15332216d5905998aed3a9536fd1 Mon Sep 17 00:00:00 2001
From: Jiyoun Park
Date: Mon, 11 Jul 2011 02:29:16 +0000
Subject: [PATCH] evas: fix _evas_jpeg_membuf_src_skip bug

If file was corrupted , the size value of app frame is bigger than real file size. For example, if somebody change file using editor, the file start with (FF D8 FF E0 FF DB ..). But real file size can be small than (FF DB). In that case, _evas_jpeg_membuf_src_skip set src->pub.bytes_in_buffer to negative value, it make crash later.

Signed-off-by: Jiyoun Park
SVN revision: 61222
---
 .../modules/loaders/jpeg/evas_image_load_jpeg.c | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)

diff --git a/legacy/evas/src/modules/loaders/jpeg/evas_image_load_jpeg.c b/legacy/evas/src/modules/loaders/jpeg/evas_image_load_jpeg.c
index 52feb46d5e..72d44cb52f 100644
--- a/legacy/evas/src/modules/loaders/jpeg/evas_image_load_jpeg.c
+++ b/legacy/evas/src/modules/loaders/jpeg/evas_image_load_jpeg.c
@@ -114,8 +114,18 @@ _evas_jpeg_membuf_src_skip(j_decompress_ptr cinfo,
 {
 struct jpeg_membuf_src *src = (struct jpeg_membuf_src *)cinfo->src;

- src->pub.bytes_in_buffer -= num_bytes;
- src->pub.next_input_byte += num_bytes;
+ long rec = 0;
+ rec = src->pub.bytes_in_buffer - num_bytes;
+
+ if (rec <0)
+ {
+ (*(cinfo)->err->error_exit) ((j_common_ptr) (cinfo));
+ }
+ else
+ {
+ src->pub.bytes_in_buffer -= num_bytes;
+ src->pub.next_input_byte += num_bytes;
+ }
 }

 static void
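Review bot: The new bounds check in `_evas_jpeg_membuf_src_skip` computes `rec = src->pub.bytes_in_buffer - num_bytes` in mixed arithmetic: `bytes_in_buffer` is a `size_t` in libjpeg's `jpeg_source_mgr`, so the subtraction wraps as unsigned and the `rec <0` test only works through an implementation-defined conversion back to `long`, and it can misjudge where `long` is narrower than `size_t`. Comparing directly avoids that and drops the temporary: `if (num_bytes <= 0) return;` followed by `if ((size_t)num_bytes > src->pub.bytes_in_buffer)` for the error branch. The first of those lines also covers a negative skip count, which the new code still lets move `next_input_byte` backwards and which libjpeg documents as a no-op. The error branch calls `error_exit` without setting `cinfo->err->msg_code`, so the reported message is whatever code was stored last; `ERREXIT(cinfo, JERR_INPUT_EOF)` from `jerror.h` would set it, assuming that header is available in this file. The function's signature starts above the hunk.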