- New upstream release 2.0.0 (#1609439)
This commit is contained in:
parent
aca311f48f
commit
53207d3c91
|
@ -1,39 +0,0 @@
|
|||
From 0079f602bacb13a5b0c9f4a191ddaadd8a8fa58c Mon Sep 17 00:00:00 2001
|
||||
From: DRC <information@libjpeg-turbo.org>
|
||||
Date: Tue, 12 Jun 2018 20:27:00 -0500
|
||||
Subject: [PATCH] tjLoadImage(): Fix FPE triggered by malformed BMP
|
||||
|
||||
In rdbmp.c, it is necessary to guard against 32-bit overflow/wraparound
|
||||
when allocating the row buffer, because since BMP files have 32-bit
|
||||
width and height fields, the value of biWidth can be up to 4294967295.
|
||||
Specifically, if biWidth is 1073741824 and cinfo->input_components = 4,
|
||||
then the samplesperrow argument in alloc_sarray() would wrap around to
|
||||
0, and a division by zero error would occur at line 458 in jmemmgr.c.
|
||||
|
||||
If biWidth is set to a higher value, then samplesperrow would wrap
|
||||
around to a small number, which would likely cause a buffer overflow
|
||||
(this has not been tested or verified.)
|
||||
---
|
||||
rdbmp.c | 6 ++++++
|
||||
1 file changed, 6 insertions(+)
|
||||
|
||||
diff --git a/rdbmp.c b/rdbmp.c
|
||||
index fcabbb1..a0efa93 100644
|
||||
--- a/rdbmp.c
|
||||
+++ b/rdbmp.c
|
||||
@@ -623,6 +623,12 @@ start_input_bmp(j_compress_ptr cinfo, cjpeg_source_ptr sinfo)
|
||||
}
|
||||
}
|
||||
|
||||
+ /* Ensure that biWidth * cinfo->input_components doesn't exceed the maximum
|
||||
+ value of the JDIMENSION type. This is only a danger with BMP files, since
|
||||
+ their width and height fields are 32-bit integers. */
|
||||
+ if ((unsigned long long)biWidth *
|
||||
+ (unsigned long long)cinfo->input_components > 0xFFFFFFFFULL)
|
||||
+ ERREXIT(cinfo, JERR_WIDTH_OVERFLOW);
|
||||
/* Allocate one-row buffer for returned data */
|
||||
source->pub.buffer = (*cinfo->mem->alloc_sarray)
|
||||
((j_common_ptr)cinfo, JPOOL_IMAGE,
|
||||
--
|
||||
2.17.1
|
||||
|
|
@ -1,59 +0,0 @@
|
|||
From fccf53aed0093a626fca15f0d25f46fb6ed3e770 Mon Sep 17 00:00:00 2001
|
||||
From: DRC <information@libjpeg-turbo.org>
|
||||
Date: Tue, 12 Jun 2018 16:08:26 -0500
|
||||
Subject: [PATCH] Fix CVE-2018-11813
|
||||
|
||||
Fixed an issue (CVE-2018-11813) whereby a specially-crafted malformed input
|
||||
file (specifically, a file with a valid Targa header but incomplete pixel data)
|
||||
would cause cjpeg to generate a JPEG file that was potentially thousands of
|
||||
times larger than the input file. The Targa reader in cjpeg was not properly
|
||||
detecting that the end of the input file had been reached prematurely, so after
|
||||
all valid pixels had been read from the input, the reader injected dummy pixels
|
||||
with values of 255 into the JPEG compressor until the number of pixels
|
||||
specified in the Targa header had been compressed. The Targa reader in cjpeg
|
||||
now behaves like the PPM reader and aborts compression if the end of the input
|
||||
file is reached prematurely. Because this issue only affected cjpeg and not
|
||||
the underlying library, and because it did not involve any out-of-bounds reads
|
||||
or other exploitable behaviors, it was not believed to represent a security
|
||||
threat.
|
||||
---
|
||||
rdtarga.c | 6 ++----
|
||||
1 file changed, 2 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/rdtarga.c b/rdtarga.c
|
||||
index ecb4219..e0c6947 100644
|
||||
--- a/rdtarga.c
|
||||
+++ b/rdtarga.c
|
||||
@@ -126,11 +126,10 @@ METHODDEF(void)
|
||||
read_non_rle_pixel(tga_source_ptr sinfo)
|
||||
/* Read one Targa pixel from the input file; no RLE expansion */
|
||||
{
|
||||
- register FILE *infile = sinfo->pub.input_file;
|
||||
register int i;
|
||||
|
||||
for (i = 0; i < sinfo->pixel_size; i++) {
|
||||
- sinfo->tga_pixel[i] = (U_CHAR)getc(infile);
|
||||
+ sinfo->tga_pixel[i] = (U_CHAR)read_byte(sinfo);
|
||||
}
|
||||
}
|
||||
|
||||
@@ -139,7 +138,6 @@ METHODDEF(void)
|
||||
read_rle_pixel(tga_source_ptr sinfo)
|
||||
/* Read one Targa pixel from the input file, expanding RLE data as needed */
|
||||
{
|
||||
- register FILE *infile = sinfo->pub.input_file;
|
||||
register int i;
|
||||
|
||||
/* Duplicate previously read pixel? */
|
||||
@@ -161,7 +159,7 @@ read_rle_pixel(tga_source_ptr sinfo)
|
||||
|
||||
/* Read next pixel */
|
||||
for (i = 0; i < sinfo->pixel_size; i++) {
|
||||
- sinfo->tga_pixel[i] = (U_CHAR)getc(infile);
|
||||
+ sinfo->tga_pixel[i] = (U_CHAR)read_byte(sinfo);
|
||||
}
|
||||
}
|
||||
|
||||
--
|
||||
2.17.1
|
||||
|
|
@ -1,14 +1,12 @@
|
|||
Name: libjpeg-turbo
|
||||
Version: 1.5.90
|
||||
Release: 4%{?dist}
|
||||
Version: 2.0.0
|
||||
Release: 1%{?dist}
|
||||
Summary: A MMX/SSE2/SIMD accelerated library for manipulating JPEG image files
|
||||
License: IJG
|
||||
URL: http://sourceforge.net/projects/libjpeg-turbo
|
||||
|
||||
Source0: http://downloads.sourceforge.net/%{name}/%{name}-%{version}.tar.gz
|
||||
Patch0: libjpeg-turbo-cmake.patch
|
||||
Patch1: libjpeg-turbo-CVE-2018-11813.patch
|
||||
Patch2: libjpeg-turbo-CVE-2018-1152.patch
|
||||
|
||||
BuildRequires: gcc
|
||||
BuildRequires: cmake
|
||||
|
@ -71,8 +69,6 @@ manipulate JPEG files using the TurboJPEG library.
|
|||
%prep
|
||||
%setup -q
|
||||
%patch0 -p1
|
||||
%patch1 -p1
|
||||
%patch2 -p1
|
||||
|
||||
%build
|
||||
%{cmake} -DCMAKE_SKIP_RPATH:BOOL=YES \
|
||||
|
@ -172,6 +168,9 @@ LD_LIBRARY_PATH=%{buildroot}%{_libdir} make test %{?_smp_mflags}
|
|||
%{_libdir}/pkgconfig/libturbojpeg.pc
|
||||
|
||||
%changelog
|
||||
* Mon Jul 30 2018 Nikola Forró <nforro@redhat.com> - 2.0.0-1
|
||||
- New upstream release 2.0.0 (#1609439)
|
||||
|
||||
* Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 1.5.90-4
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
|
||||
|
||||
|
|
2
sources
2
sources
|
@ -1 +1 @@
|
|||
SHA512 (libjpeg-turbo-1.5.90.tar.gz) = 6322f1013ace231fa51aa2cd2799fa526da14074cde08349c7c6f1719954aa4862d4e9b3975c0041aa93f7efce679dc782abdc5e60f92adfdf7d0c8aa2158e30
|
||||
SHA512 (libjpeg-turbo-2.0.0.tar.gz) = 220e5248e780d3c40c7842ba52937b9b0860e89164bca16ec6e2afaf99dd5d0bc706dd9320f4d2aef67ac11d4876453ef688b1efeaf93ceb42e8c25e83da2487
|
||||
|
|
Loading…
Reference in New Issue