Here is the jpegdump of 743AE19C.jpg:

offset $0 SOI
offset $2 SOF3 (spatial lossless Huffman) (length 11)
sample precision 12
width 1024, height 1024 components 1
id 0 horizontal sampling 1, vertical sampling 1, quantization table 0
offset $f DHT (length 36)
table 0
bits 1 (codes= 0)
bits 2 (codes= 3) $03 $04 $05
bits 3 (codes= 0)
bits 4 (codes= 3) $00 $02 $06
bits 5 (codes= 1) $01
bits 6 (codes= 1) $07
bits 7 (codes= 1) $08
bits 8 (codes= 1) $09
bits 9 (codes= 1) $0a
bits 10 (codes= 1) $0b
bits 11 (codes= 1) $0c
bits 12 (codes= 0)
bits 13 (codes= 4) $0d $0e $0f $10
bits 14 (codes= 0)
bits 15 (codes= 0)
bits 16 (codes= 0)
offset $35 SOS (length 8)
components 1
id 0 dc table 0, ac table 0
spectral selection 1 to 0
bit position high 0, low 0
offset $ce79b EOI

The Huffman table generated from the above DHT looks like:

huffsize[ 0] = 2, huffcode[ 0] = 0x0
huffsize[ 1] = 2, huffcode[ 1] = 0x1
huffsize[ 2] = 2, huffcode[ 2] = 0x2
huffsize[ 3] = 4, huffcode[ 3] = 0xC
huffsize[ 4] = 4, huffcode[ 4] = 0xD
huffsize[ 5] = 4, huffcode[ 5] = 0xE
huffsize[ 6] = 5, huffcode[ 6] = 0x1E
huffsize[ 7] = 6, huffcode[ 7] = 0x3E
huffsize[ 8] = 7, huffcode[ 8] = 0x7E
huffsize[ 9] = 8, huffcode[ 9] = 0xFE
huffsize[10] = 9, huffcode[10] = 0x1FE
huffsize[11] = 10, huffcode[11] = 0x3FE
huffsize[12] = 11, huffcode[12] = 0x7FE
huffsize[13] = 13, huffcode[13] = 0x1FFC
huffsize[14] = 13, huffcode[14] = 0x1FFD
huffsize[15] = 13, huffcode[15] = 0x1FFE
huffsize[16] = 13, huffcode[16] = 0x1FFF

Note that the last one, huffcode[16], is an all-1-bits code word, which is at odds with the spec, in Annex C of T.81: "..., the codes shall be generated such that the all-1-bits code word of any length is reserved as a prefix for longer code words."

It probably should be something like this:

huffsize[16] = 14, huffcode[16] = 0x3FFE

The clib JPEG decoder found this problem, but it failed to handle it in a graceful way. For this specific bitstream, the code word 0x1FFF does not seem to be really used, so the decoder might be able to work around this problem, or at least not to cause a VM crash.

Created an attachment (id=133)

Sample DICOM file that causes the VM crash
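As an added illustration (not code from the bug report or from the decoder under discussion), the following Python reproduces the Annex C.2 code-table generation from the DHT BITS counts above and flags any all-1-bits code word, which is the validation step a decoder can perform on the DHT before trusting the table; the BITS list and the function names are taken from or chosen for this report.

```python
# Added example, not part of the original report: build the JPEG Huffman
# code table from a DHT "BITS" list (T.81 Annex C.2, Generate_size_table /
# Generate_code_table) and check the Annex C rule that the all-1-bits code
# word of any length must never be assigned to a symbol.

def generate_huffman_codes(bits):
    """bits: the 16 DHT counts of codes of length 1..16.
    Returns a list of (huffsize, huffcode) pairs in symbol order."""
    huffsize = []
    for length, count in enumerate(bits, start=1):
        huffsize.extend([length] * count)
    huffcode = []
    code = 0
    prev_size = huffsize[0] if huffsize else 0
    for size in huffsize:
        # Annex C.2: the code value increments by one per symbol and is
        # left-shifted each time the code length grows.
        code <<= size - prev_size
        huffcode.append(code)
        code += 1
        prev_size = size
    return list(zip(huffsize, huffcode))

def all_ones_codes(table):
    """Indices of code words that are all 1 bits for their length; such a
    code is reserved as a prefix for longer codes and must be rejected."""
    return [i for i, (size, code) in enumerate(table)
            if code == (1 << size) - 1]

# BITS counts copied from the DHT in the jpegdump above (lengths 1..16).
REPORTED_BITS = [0, 3, 0, 3, 1, 1, 1, 1, 1, 1, 1, 0, 4, 0, 0, 0]

if __name__ == "__main__":
    table = generate_huffman_codes(REPORTED_BITS)
    for i, (size, code) in enumerate(table):
        print(f"huffsize[{i:2}] = {size}, huffcode[{i:2}] = {code:#x}")
    # For this DHT the offending entry is index 16: (13, 0x1fff).
    print("all-1-bits code words at:", all_ones_codes(table))
```

Moving one of the four 13-bit codes to length 14 in the BITS list makes the same procedure yield (14, 0x3FFE) for the last symbol, which is the correction the report suggests.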