authorJohn Stiles <johnstiles@google.com>2024-05-17 11:41:39 -0400
committerJohn Stiles <johnstiles@google.com>2024-05-17 15:42:16 +0000
commitccfbe1c82a3b6dbe8647ceb36a3f9ee711fba3cf (patch)
treeea9ed8a2f7391e1b9b4077ab521475c85e6a7435
parent9b894306ec3b28cea46e84c32b56773a98c483da (diff)
downloadlibjpeg-turbo-upstream-main.tar.gz
Merge libjpeg-turbo fix for O(n^2) slowdown with markers.upstream-main
Context: https://github.com/libjpeg-turbo/libjpeg-turbo/issues/764 Upstream PR: https://github.com/libjpeg-turbo/libjpeg-turbo/commit/0fc7313e545a3ff499c19ee6591bb87f0ad8b2a4 Bug: 339704200 Change-Id: I39bbbdd86d5e19f152112bfbc8f09d234abbefee
-rw-r--r--README.chromium4
-rw-r--r--jcomapi.c5
-rw-r--r--jdmarker.c14
-rw-r--r--jpegint.h7
4 files changed, 20 insertions, 10 deletions
diff --git a/README.chromium b/README.chromium
index 78e33e25..2fc5ab1a 100644
--- a/README.chromium
+++ b/README.chromium
@@ -50,6 +50,10 @@ following changes which are not merged to upstream:
lld) arising from attempts to reference the table from assembler on
32-bit x86. This only affects shared libraries, but that's important
for downstream Android builds.
+* Merged upstream patch https://github.com/libjpeg-turbo/libjpeg-turbo/commit/0fc7313e545a3ff499c19ee6591bb87f0ad8b2a4
+ This patch resolves an O(n^2) slowdown issue when JPEG files contain an
+ enormous number of markers; this would only occur in a maliciouly-crafted
+ image, or through fuzzing.
* Patches to enable running the upstream unit tests through GTest.
The upstream unit tests are defined here under the section 'TESTS':
https://github.com/libjpeg-turbo/libjpeg-turbo/blob/master/CMakeLists.txt
diff --git a/jcomapi.c b/jcomapi.c
index efbb8357..84f37e17 100644
--- a/jcomapi.c
+++ b/jcomapi.c
@@ -3,8 +3,8 @@
*
* This file was part of the Independent JPEG Group's software:
* Copyright (C) 1994-1997, Thomas G. Lane.
- * It was modified by The libjpeg-turbo Project to include only code relevant
- * to libjpeg-turbo.
+ * libjpeg-turbo Modifications:
+ * Copyright (C) 2024, D. R. Commander.
* For conditions of distribution and use, see the accompanying README.ijg
* file.
*
@@ -51,6 +51,7 @@ jpeg_abort(j_common_ptr cinfo)
* A bit kludgy to do it here, but this is the most central place.
*/
((j_decompress_ptr)cinfo)->marker_list = NULL;
+ ((j_decompress_ptr)cinfo)->master->marker_list_end = NULL;
} else {
cinfo->global_state = CSTATE_START;
}
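Review bot: The added line dereferences `((j_decompress_ptr)cinfo)->master` unconditionally, whereas the line above it only writes to `cinfo` itself; if jpeg_abort can be reached before the decompression master has been allocated, this is a NULL dereference on an abort path that is itself often taken after errors. If the master is always allocated (and zeroed) when the decompressor is created, a one-line comment stating that assumption would spare the next reader the same check, e.g. `/* master is allocated at jpeg_CreateDecompress time, so it is valid in every decompressor state */`; otherwise the assignment wants a guard such as `if (((j_decompress_ptr)cinfo)->master != NULL)`. Note that the two resets are now the only place the list head and its cached tail are cleared together, so a future change that clears `marker_list` elsewhere must clear `marker_list_end` too. The enclosing function jpeg_abort, including the `if` whose else-branch is visible here, begins outside the hunk.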
diff --git a/jdmarker.c b/jdmarker.c
index f7eba615..e12c9559 100644
--- a/jdmarker.c
+++ b/jdmarker.c
@@ -3,8 +3,10 @@
*
* This file was part of the Independent JPEG Group's software:
* Copyright (C) 1991-1998, Thomas G. Lane.
+ * Lossless JPEG Modifications:
+ * Copyright (C) 1999, Ken Murchison.
* libjpeg-turbo Modifications:
- * Copyright (C) 2012, 2015, 2022, D. R. Commander.
+ * Copyright (C) 2012, 2015, 2022, 2024, D. R. Commander.
* For conditions of distribution and use, see the accompanying README.ijg
* file.
*
@@ -815,13 +817,11 @@ save_marker(j_decompress_ptr cinfo)
/* Done reading what we want to read */
if (cur_marker != NULL) { /* will be NULL if bogus length word */
/* Add new marker to end of list */
- if (cinfo->marker_list == NULL) {
- cinfo->marker_list = cur_marker;
+ if (cinfo->marker_list == NULL || cinfo->master->marker_list_end == NULL) {
+ cinfo->marker_list = cinfo->master->marker_list_end = cur_marker;
} else {
- jpeg_saved_marker_ptr prev = cinfo->marker_list;
- while (prev->next != NULL)
- prev = prev->next;
- prev->next = cur_marker;
+ cinfo->master->marker_list_end->next = cur_marker;
+ cinfo->master->marker_list_end = cur_marker;
}
/* Reset pointer & calc remaining data length */
data = cur_marker->data;
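Review bot: The new condition `cinfo->marker_list == NULL || cinfo->master->marker_list_end == NULL` rebinds `cinfo->marker_list` to `cur_marker` whenever the tail is untracked, so if `marker_list` is non-NULL at that point (a list populated before the tail was cached, or set by the application, which can reach this public field), every marker already on it is silently dropped — a behaviour change from the removed code, which always appended. If that state is considered unreachable, a comment on the `if` saying why would make the intent explicit; if it is reachable, the untracked-tail case can be recovered by walking the list once and caching the tail, which keeps the O(1) append for every later marker while preserving the old semantics. The body of save_marker continues on both sides of the hunk.
```c
    if (cinfo->marker_list == NULL) {
      cinfo->marker_list = cinfo->master->marker_list_end = cur_marker;
    } else if (cinfo->master->marker_list_end == NULL) {
      /* Tail not cached yet (list populated outside save_marker): locate it
       * once, then keep it cached so later appends stay O(1). */
      jpeg_saved_marker_ptr prev = cinfo->marker_list;
      while (prev->next != NULL)
        prev = prev->next;
      prev->next = cur_marker;
      cinfo->master->marker_list_end = cur_marker;
    } else {
      /* … unchanged: append through the cached tail … */
    }
```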
diff --git a/jpegint.h b/jpegint.h
index 6af9e2a1..d4adc983 100644
--- a/jpegint.h
+++ b/jpegint.h
@@ -4,8 +4,10 @@
* This file was part of the Independent JPEG Group's software:
* Copyright (C) 1991-1997, Thomas G. Lane.
* Modified 1997-2009 by Guido Vollbeding.
+ * Lossless JPEG Modifications:
+ * Copyright (C) 1999, Ken Murchison.
* libjpeg-turbo Modifications:
- * Copyright (C) 2015-2016, 2019, 2021, D. R. Commander.
+ * Copyright (C) 2015-2017, 2019, 2021-2022, 2024, D. R. Commander.
* Copyright (C) 2015, Google, Inc.
* Copyright (C) 2021, Alex Richardson.
* For conditions of distribution and use, see the accompanying README.ijg
@@ -174,6 +176,9 @@ struct jpeg_decomp_master {
/* Last iMCU row that was successfully decoded */
JDIMENSION last_good_iMCU_row;
+
+ /* Tail of list of saved markers */
+ jpeg_saved_marker_ptr marker_list_end;
};
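Review bot: The comment on the new `marker_list_end` field documents only what it is, not the invariant that makes it safe to use, which matters because jdmarker.c writes through it (`marker_list_end->next = cur_marker`) without further checks. I would expand it to state the contract the two code hunks establish, e.g. `/* Tail of cinfo->marker_list, kept in step with it by save_marker() so appends are O(1); only meaningful while marker_list != NULL, and reset together with it in jpeg_abort(). */`. It is also worth saying explicitly that the field is expected to be zero on allocation, since save_marker relies on a NULL tail (rather than garbage) to take its re-initialisation branch. The struct jpeg_decomp_master this field is added to begins outside the hunk.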
/* Input control module */