Fix CVE-2018-1152 (#1593555)
This commit is contained in:
Nikola Forró
parent
a2d36ac1a0
commit
9a2e90af63
|
|
@ -0,0 +1,39 @@
|
|||
From 0079f602bacb13a5b0c9f4a191ddaadd8a8fa58c Mon Sep 17 00:00:00 2001
|
||||
From: DRC <information@libjpeg-turbo.org>
|
||||
Date: Tue, 12 Jun 2018 20:27:00 -0500
|
||||
Subject: [PATCH] tjLoadImage(): Fix FPE triggered by malformed BMP
|
||||
|
||||
In rdbmp.c, it is necessary to guard against 32-bit overflow/wraparound
|
||||
when allocating the row buffer, because since BMP files have 32-bit
|
||||
width and height fields, the value of biWidth can be up to 4294967295.
|
||||
Specifically, if biWidth is 1073741824 and cinfo->input_components = 4,
|
||||
then the samplesperrow argument in alloc_sarray() would wrap around to
|
||||
0, and a division by zero error would occur at line 458 in jmemmgr.c.
|
||||
|
||||
If biWidth is set to a higher value, then samplesperrow would wrap
|
||||
around to a small number, which would likely cause a buffer overflow
|
||||
(this has not been tested or verified.)
|
||||
---
|
||||
rdbmp.c | 6 ++++++
|
||||
1 file changed, 6 insertions(+)
|
||||
|
||||
diff --git a/rdbmp.c b/rdbmp.c
|
||||
index fcabbb1..a0efa93 100644
|
||||
--- a/rdbmp.c
|
||||
+++ b/rdbmp.c
|
||||
@@ -623,6 +623,12 @@ start_input_bmp(j_compress_ptr cinfo, cjpeg_source_ptr sinfo)
|
||||
}
|
||||
}
|
||||
|
||||
+ /* Ensure that biWidth * cinfo->input_components doesn't exceed the maximum
|
||||
+ value of the JDIMENSION type. This is only a danger with BMP files, since
|
||||
+ their width and height fields are 32-bit integers. */
|
||||
+ if ((unsigned long long)biWidth *
|
||||
+ (unsigned long long)cinfo->input_components > 0xFFFFFFFFULL)
|
||||
+ ERREXIT(cinfo, JERR_WIDTH_OVERFLOW);
|
||||
/* Allocate one-row buffer for returned data */
|
||||
source->pub.buffer = (*cinfo->mem->alloc_sarray)
|
||||
((j_common_ptr)cinfo, JPOOL_IMAGE,
|
||||
--
|
||||
2.17.1
|
||||
|
||||
|
|
@ -1,6 +1,6 @@
|
|||
Name: libjpeg-turbo
|
||||
Version: 1.5.90
|
||||
Release: 2%{?dist}
|
||||
Release: 3%{?dist}
|
||||
Summary: A MMX/SSE2/SIMD accelerated library for manipulating JPEG image files
|
||||
License: IJG
|
||||
URL: http://sourceforge.net/projects/libjpeg-turbo
|
||||
|
|
@ -8,6 +8,7 @@ URL: http://sourceforge.net/projects/libjpeg-turbo
|
|||
Source0: http://downloads.sourceforge.net/%{name}/%{name}-%{version}.tar.gz
|
||||
Patch0: libjpeg-turbo-cmake.patch
|
||||
Patch1: libjpeg-turbo-CVE-2018-11813.patch
|
||||
Patch2: libjpeg-turbo-CVE-2018-1152.patch
|
||||
|
||||
BuildRequires: gcc
|
||||
BuildRequires: cmake
|
||||
|
|
@ -71,6 +72,7 @@ manipulate JPEG files using the TurboJPEG library.
|
|||
%setup -q
|
||||
%patch0 -p1
|
||||
%patch1 -p1
|
||||
%patch2 -p1
|
||||
|
||||
%build
|
||||
%{cmake} -DCMAKE_SKIP_RPATH:BOOL=YES \
|
||||
|
|
@ -170,6 +172,9 @@ LD_LIBRARY_PATH=%{buildroot}%{_libdir} make test %{?_smp_mflags}
|
|||
%{_libdir}/pkgconfig/libturbojpeg.pc
|
||||
|
||||
%changelog
|
||||
* Fri Jun 29 2018 Nikola Forró <nforro@redhat.com> - 1.5.90-3
|
||||
- Fix CVE-2018-1152 (#1593555)
|
||||
|
||||
* Fri Jun 15 2018 Nikola Forró <nforro@redhat.com> - 1.5.90-2
|
||||
- Fix CVE-2018-11813 (#1588804)
|
||||
|
||||
|
|
|
|||
Loading…
Reference in New Issue