Merge branch 'master' into sync-error

Author: fintelia

src/decoder.rs

@@ -232,7 +232,7 @@ impl<R: Read> Decoder<R> {
                 Marker::DQT => {
                     let tables = parse_dqt(&mut self.reader)?;
 
-                    for (i, &table) in tables.into_iter().enumerate() {
+                    for (i, &table) in tables.iter().enumerate() {
                         if let Some(table) = table {
                             let mut unzigzagged_table = [0u16; 64];
 
@@ -333,23 +333,22 @@ impl<R: Read> Decoder<R> {
     }
 
     fn read_marker(&mut self) -> Result<Marker> {
-        // This should be an error as the JPEG spec doesn't allow extraneous data between marker segments.
-        // libjpeg allows this though and there are images in the wild utilising it, so we are
-        // forced to support this behavior.
-        // Sony Ericsson P990i is an example of a device which produce this sort of JPEGs.
-        while self.reader.read_u8()? != 0xFF {}
-
-        let mut byte = self.reader.read_u8()?;
-
-        // Section B.1.1.2
-        // "Any marker may optionally be preceded by any number of fill bytes, which are bytes assigned code X’FF’."
-        while byte == 0xFF {
-            byte = self.reader.read_u8()?;
-        }
-
-        match byte {
-            0x00 => Err(Error::Format("FF 00 found where marker was expected".to_owned())),
-            _    => Ok(Marker::from_u8(byte).unwrap()),
+        loop {
+            // This should be an error as the JPEG spec doesn't allow extraneous data between marker segments.
+            // libjpeg allows this though and there are images in the wild utilising it, so we are
+            // forced to support this behavior.
+            // Sony Ericsson P990i is an example of a device which produce this sort of JPEGs.
+            while self.reader.read_u8()? != 0xFF {}
+
+            // Section B.1.1.2
+            // All markers are assigned two-byte codes: an X’FF’ byte followed by a
+            // byte which is not equal to 0 or X’FF’ (see Table B.1). Any marker may
+            // optionally be preceded by any number of fill bytes, which are bytes
+            // assigned code X’FF’.
+            let byte = self.reader.read_u8()?;
+            if byte != 0x00 && byte != 0xFF {
+                return Ok(Marker::from_u8(byte).unwrap());
+            }
         }
     }
 
@@ -520,7 +519,10 @@ impl<R: Read> Decoder<R> {
             }
         }
 
-        let marker = huffman.take_marker(&mut self.reader)?;
+        let mut marker = huffman.take_marker(&mut self.reader)?;
+        while let Some(Marker::RST(_)) = marker {
+            marker = self.read_marker().ok();
+        }
 
         if produce_data {
             // Retrieve all the data from the worker thread.

tests/crashtest/images/README.md

@@ -5,3 +5,4 @@ imagetestsuite/           | The files in this directory were taken from https://
 dc-predictor-overflow.jpg | Found by Wim Looman (@Nemo157) while fuzzing
 derive-huffman-codes-overflow.jpg | Found by Pascal Hertleif (@killercup) while fuzzing
 missing-sof.jpg           | Found by Corey Farwell (@frewsxcv) when fuzz testing
+extraneous-bytes-after-sos.jpg | Scan from brother DSmobile 920DW provided by Filip Lundborg (@filipl)