rpms
/
libjpeg-turbo
2
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

- New upstream release 2.0.0 (#1609439)

This commit is contained in:
Nikola Forró 2018-07-30 13:34:06 +02:00
parent aca311f48f
commit 53207d3c91
4 changed files with 6 additions and 105 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

39
libjpeg-turbo-CVE-2018-1152.patch
View File

@ -1,39 +0,0 @@
From 0079f602bacb13a5b0c9f4a191ddaadd8a8fa58c Mon Sep 17 00:00:00 2001
From: DRC <information@libjpeg-turbo.org>
Date: Tue, 12 Jun 2018 20:27:00 -0500
Subject: [PATCH] tjLoadImage(): Fix FPE triggered by malformed BMP
In rdbmp.c, it is necessary to guard against 32-bit overflow/wraparound
when allocating the row buffer, because since BMP files have 32-bit
width and height fields, the value of biWidth can be up to 4294967295.
Specifically, if biWidth is 1073741824 and cinfo->input_components = 4,
then the samplesperrow argument in alloc_sarray() would wrap around to
0, and a division by zero error would occur at line 458 in jmemmgr.c.
If biWidth is set to a higher value, then samplesperrow would wrap
around to a small number, which would likely cause a buffer overflow
(this has not been tested or verified.)
---
rdbmp.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/rdbmp.c b/rdbmp.c
index fcabbb1..a0efa93 100644
--- a/rdbmp.c
+++ b/rdbmp.c
@@ -623,6 +623,12 @@ start_input_bmp(j_compress_ptr cinfo, cjpeg_source_ptr sinfo)
}
}
+ /* Ensure that biWidth * cinfo->input_components doesn't exceed the maximum
+ value of the JDIMENSION type. This is only a danger with BMP files, since
+ their width and height fields are 32-bit integers. */
+ if ((unsigned long long)biWidth *
+ (unsigned long long)cinfo->input_components > 0xFFFFFFFFULL)
+ ERREXIT(cinfo, JERR_WIDTH_OVERFLOW);
/* Allocate one-row buffer for returned data */
source->pub.buffer = (*cinfo->mem->alloc_sarray)
((j_common_ptr)cinfo, JPOOL_IMAGE,
--
2.17.1

59
libjpeg-turbo-CVE-2018-11813.patch
View File

@ -1,59 +0,0 @@
From fccf53aed0093a626fca15f0d25f46fb6ed3e770 Mon Sep 17 00:00:00 2001
From: DRC <information@libjpeg-turbo.org>
Date: Tue, 12 Jun 2018 16:08:26 -0500
Subject: [PATCH] Fix CVE-2018-11813
Fixed an issue (CVE-2018-11813) whereby a specially-crafted malformed input
file (specifically, a file with a valid Targa header but incomplete pixel data)
would cause cjpeg to generate a JPEG file that was potentially thousands of
times larger than the input file. The Targa reader in cjpeg was not properly
detecting that the end of the input file had been reached prematurely, so after
all valid pixels had been read from the input, the reader injected dummy pixels
with values of 255 into the JPEG compressor until the number of pixels
specified in the Targa header had been compressed. The Targa reader in cjpeg
now behaves like the PPM reader and aborts compression if the end of the input
file is reached prematurely. Because this issue only affected cjpeg and not
the underlying library, and because it did not involve any out-of-bounds reads
or other exploitable behaviors, it was not believed to represent a security
threat.
---
rdtarga.c | 6 ++----
1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/rdtarga.c b/rdtarga.c
index ecb4219..e0c6947 100644
--- a/rdtarga.c
+++ b/rdtarga.c
@@ -126,11 +126,10 @@ METHODDEF(void)
read_non_rle_pixel(tga_source_ptr sinfo)
/* Read one Targa pixel from the input file; no RLE expansion */
{
- register FILE *infile = sinfo->pub.input_file;
register int i;
for (i = 0; i < sinfo->pixel_size; i++) {
- sinfo->tga_pixel[i] = (U_CHAR)getc(infile);
+ sinfo->tga_pixel[i] = (U_CHAR)read_byte(sinfo);
}
}
@@ -139,7 +138,6 @@ METHODDEF(void)
read_rle_pixel(tga_source_ptr sinfo)
/* Read one Targa pixel from the input file, expanding RLE data as needed */
{
- register FILE *infile = sinfo->pub.input_file;
register int i;
/* Duplicate previously read pixel? */
@@ -161,7 +159,7 @@ read_rle_pixel(tga_source_ptr sinfo)
/* Read next pixel */
for (i = 0; i < sinfo->pixel_size; i++) {
- sinfo->tga_pixel[i] = (U_CHAR)getc(infile);
+ sinfo->tga_pixel[i] = (U_CHAR)read_byte(sinfo);
}
}
--
2.17.1

11
libjpeg-turbo.spec
View File

@ -1,14 +1,12 @@
Name: libjpeg-turbo
Version: 1.5.90
Release: 4%{?dist}
Version: 2.0.0
Release: 1%{?dist}
Summary: A MMX/SSE2/SIMD accelerated library for manipulating JPEG image files
License: IJG
URL: http://sourceforge.net/projects/libjpeg-turbo
Source0: http://downloads.sourceforge.net/%{name}/%{name}-%{version}.tar.gz
Patch0: libjpeg-turbo-cmake.patch
Patch1: libjpeg-turbo-CVE-2018-11813.patch
Patch2: libjpeg-turbo-CVE-2018-1152.patch
BuildRequires: gcc
BuildRequires: cmake
@ -71,8 +69,6 @@ manipulate JPEG files using the TurboJPEG library.
%prep
%setup -q
%patch0 -p1
%patch1 -p1
%patch2 -p1
%build
%{cmake} -DCMAKE_SKIP_RPATH:BOOL=YES \
@ -172,6 +168,9 @@ LD_LIBRARY_PATH=%{buildroot}%{_libdir} make test %{?_smp_mflags}
%{_libdir}/pkgconfig/libturbojpeg.pc
%changelog
* Mon Jul 30 2018 Nikola Forró <nforro@redhat.com> - 2.0.0-1
- New upstream release 2.0.0 (#1609439)
* Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 1.5.90-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild

2
sources
View File

@ -1 +1 @@
SHA512 (libjpeg-turbo-1.5.90.tar.gz) = 6322f1013ace231fa51aa2cd2799fa526da14074cde08349c7c6f1719954aa4862d4e9b3975c0041aa93f7efce679dc782abdc5e60f92adfdf7d0c8aa2158e30
SHA512 (libjpeg-turbo-2.0.0.tar.gz) = 220e5248e780d3c40c7842ba52937b9b0860e89164bca16ec6e2afaf99dd5d0bc706dd9320f4d2aef67ac11d4876453ef688b1efeaf93ceb42e8c25e83da2487