Fix CVE-2018-14498 (#1687428)
parent
f4c77f81f1
commit
a19a7a452a
|
@ -0,0 +1,151 @@
|
|||
From 4ca3b0f44e49179fc5828e9a8d8240393f68c165 Mon Sep 17 00:00:00 2001
|
||||
From: DRC <information@libjpeg-turbo.org>
|
||||
Date: Fri, 20 Jul 2018 17:21:36 -0500
|
||||
Subject: [PATCH] cjpeg: Fix OOB read caused by malformed 8-bit BMP
|
||||
|
||||
... in which one or more of the color indices is out of range for the
|
||||
number of palette entries.
|
||||
|
||||
Fix partly borrowed from jpeg-9c. This commit also adopts Guido's
|
||||
JERR_PPM_OUTOFRANGE enum value in lieu of our project-specific
|
||||
JERR_PPM_TOOLARGE enum value.
|
||||
|
||||
Fixes #258
|
||||
---
|
||||
cderror.h | 5 +++--
|
||||
rdbmp.c | 7 ++++++-
|
||||
rdppm.c | 12 ++++++------
|
||||
3 files changed, 15 insertions(+), 9 deletions(-)
|
||||
|
||||
diff --git a/cderror.h b/cderror.h
|
||||
index 63de498..e57a8c8 100644
|
||||
--- a/cderror.h
|
||||
+++ b/cderror.h
|
||||
@@ -2,7 +2,7 @@
|
||||
* cderror.h
|
||||
*
|
||||
* Copyright (C) 1994-1997, Thomas G. Lane.
|
||||
- * Modified 2009 by Guido Vollbeding.
|
||||
+ * Modified 2009-2017 by Guido Vollbeding.
|
||||
* This file is part of the Independent JPEG Group's software.
|
||||
* For conditions of distribution and use, see the accompanying README.ijg
|
||||
* file.
|
||||
@@ -49,6 +49,7 @@ JMESSAGE(JERR_BMP_COLORSPACE, "BMP output must be grayscale or RGB")
|
||||
JMESSAGE(JERR_BMP_COMPRESSED, "Sorry, compressed BMPs not yet supported")
|
||||
JMESSAGE(JERR_BMP_EMPTY, "Empty BMP image")
|
||||
JMESSAGE(JERR_BMP_NOT, "Not a BMP file - does not start with BM")
|
||||
+JMESSAGE(JERR_BMP_OUTOFRANGE, "Numeric value out of range in BMP file")
|
||||
JMESSAGE(JTRC_BMP, "%ux%u 24-bit BMP image")
|
||||
JMESSAGE(JTRC_BMP_MAPPED, "%ux%u 8-bit colormapped BMP image")
|
||||
JMESSAGE(JTRC_BMP_OS2, "%ux%u 24-bit OS2 BMP image")
|
||||
@@ -75,8 +76,8 @@ JMESSAGE(JWRN_GIF_NOMOREDATA, "Ran out of GIF bits")
|
||||
#ifdef PPM_SUPPORTED
|
||||
JMESSAGE(JERR_PPM_COLORSPACE, "PPM output must be grayscale or RGB")
|
||||
JMESSAGE(JERR_PPM_NONNUMERIC, "Nonnumeric data in PPM file")
|
||||
-JMESSAGE(JERR_PPM_TOOLARGE, "Integer value too large in PPM file")
|
||||
JMESSAGE(JERR_PPM_NOT, "Not a PPM/PGM file")
|
||||
+JMESSAGE(JERR_PPM_OUTOFRANGE, "Numeric value out of range in PPM file")
|
||||
JMESSAGE(JTRC_PGM, "%ux%u PGM image")
|
||||
JMESSAGE(JTRC_PGM_TEXT, "%ux%u text PGM image")
|
||||
JMESSAGE(JTRC_PPM, "%ux%u PPM image")
|
||||
diff --git a/rdbmp.c b/rdbmp.c
|
||||
index 4104b68..a7dbe9f 100644
|
||||
--- a/rdbmp.c
|
||||
+++ b/rdbmp.c
|
||||
@@ -3,7 +3,7 @@
|
||||
*
|
||||
* This file was part of the Independent JPEG Group's software:
|
||||
* Copyright (C) 1994-1996, Thomas G. Lane.
|
||||
- * Modified 2009-2010 by Guido Vollbeding.
|
||||
+ * Modified 2009-2017 by Guido Vollbeding.
|
||||
* libjpeg-turbo Modifications:
|
||||
* Modified 2011 by Siarhei Siamashka.
|
||||
* Copyright (C) 2015, D. R. Commander.
|
||||
@@ -66,6 +66,7 @@ typedef struct _bmp_source_struct {
|
||||
JDIMENSION row_width; /* Physical width of scanlines in file */
|
||||
|
||||
int bits_per_pixel; /* remembers 8- or 24-bit format */
|
||||
+ int cmap_length; /* colormap length */
|
||||
} bmp_source_struct;
|
||||
|
||||
|
||||
@@ -126,6 +127,7 @@ get_8bit_row (j_compress_ptr cinfo, cjpeg_source_ptr sinfo)
|
||||
{
|
||||
bmp_source_ptr source = (bmp_source_ptr) sinfo;
|
||||
register JSAMPARRAY colormap = source->colormap;
|
||||
+ int cmaplen = source->cmap_length;
|
||||
JSAMPARRAY image_ptr;
|
||||
register int t;
|
||||
register JSAMPROW inptr, outptr;
|
||||
@@ -142,6 +144,8 @@ get_8bit_row (j_compress_ptr cinfo, cjpeg_source_ptr sinfo)
|
||||
outptr = source->pub.buffer[0];
|
||||
for (col = cinfo->image_width; col > 0; col--) {
|
||||
t = GETJSAMPLE(*inptr++);
|
||||
+ if (t >= cmaplen)
|
||||
+ ERREXIT(cinfo, JERR_BMP_OUTOFRANGE);
|
||||
*outptr++ = colormap[0][t]; /* can omit GETJSAMPLE() safely */
|
||||
*outptr++ = colormap[1][t];
|
||||
*outptr++ = colormap[2][t];
|
||||
@@ -401,6 +405,7 @@ start_input_bmp (j_compress_ptr cinfo, cjpeg_source_ptr sinfo)
|
||||
source->colormap = (*cinfo->mem->alloc_sarray)
|
||||
((j_common_ptr) cinfo, JPOOL_IMAGE,
|
||||
(JDIMENSION) biClrUsed, (JDIMENSION) 3);
|
||||
+ source->cmap_length = (int)biClrUsed;
|
||||
/* and read it from the file */
|
||||
read_colormap(source, (int) biClrUsed, mapentrysize);
|
||||
/* account for size of colormap */
|
||||
diff --git a/rdppm.c b/rdppm.c
|
||||
index 33ff749..c0c0962 100644
|
||||
--- a/rdppm.c
|
||||
+++ b/rdppm.c
|
||||
@@ -69,7 +69,7 @@ typedef struct {
|
||||
JSAMPROW pixrow; /* compressor input buffer */
|
||||
size_t buffer_width; /* width of I/O buffer */
|
||||
JSAMPLE *rescale; /* => maxval-remapping array, or NULL */
|
||||
- int maxval;
|
||||
+ unsigned int maxval;
|
||||
} ppm_source_struct;
|
||||
|
||||
typedef ppm_source_struct *ppm_source_ptr;
|
||||
@@ -119,7 +119,7 @@ read_pbm_integer (j_compress_ptr cinfo, FILE *infile, unsigned int maxval)
|
||||
}
|
||||
|
||||
if (val > maxval)
|
||||
- ERREXIT(cinfo, JERR_PPM_TOOLARGE);
|
||||
+ ERREXIT(cinfo, JERR_PPM_OUTOFRANGE);
|
||||
|
||||
return val;
|
||||
}
|
||||
@@ -255,7 +255,7 @@ get_word_gray_row (j_compress_ptr cinfo, cjpeg_source_ptr sinfo)
|
||||
temp = UCH(*bufferptr++) << 8;
|
||||
temp |= UCH(*bufferptr++);
|
||||
if (temp > maxval)
|
||||
- ERREXIT(cinfo, JERR_PPM_TOOLARGE);
|
||||
+ ERREXIT(cinfo, JERR_PPM_OUTOFRANGE);
|
||||
*ptr++ = rescale[temp];
|
||||
}
|
||||
return 1;
|
||||
@@ -282,17 +282,17 @@ get_word_rgb_row (j_compress_ptr cinfo, cjpeg_source_ptr sinfo)
|
||||
temp = UCH(*bufferptr++) << 8;
|
||||
temp |= UCH(*bufferptr++);
|
||||
if (temp > maxval)
|
||||
- ERREXIT(cinfo, JERR_PPM_TOOLARGE);
|
||||
+ ERREXIT(cinfo, JERR_PPM_OUTOFRANGE);
|
||||
*ptr++ = rescale[temp];
|
||||
temp = UCH(*bufferptr++) << 8;
|
||||
temp |= UCH(*bufferptr++);
|
||||
if (temp > maxval)
|
||||
- ERREXIT(cinfo, JERR_PPM_TOOLARGE);
|
||||
+ ERREXIT(cinfo, JERR_PPM_OUTOFRANGE);
|
||||
*ptr++ = rescale[temp];
|
||||
temp = UCH(*bufferptr++) << 8;
|
||||
temp |= UCH(*bufferptr++);
|
||||
if (temp > maxval)
|
||||
- ERREXIT(cinfo, JERR_PPM_TOOLARGE);
|
||||
+ ERREXIT(cinfo, JERR_PPM_OUTOFRANGE);
|
||||
*ptr++ = rescale[temp];
|
||||
}
|
||||
return 1;
|
||||
--
|
||||
2.17.2
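Review bot: The new bound in get_8bit_row of rdbmp.c, `if (t >= cmaplen)`, is only as strong as `source->cmap_length = (int)biClrUsed;` in start_input_bmp, and the range check on biClrUsed that makes that cast safe is not visible in these hunks. It is worth confirming that biClrUsed is already limited to the palette width passed to alloc_sarray before it is narrowed to int. The field comment `/* colormap length */` could state what the value bounds, for example `/* number of palette entries; upper bound for indices in get_8bit_row */`. As a style point, the cast is written `(int)biClrUsed` while the read_colormap call two lines below uses `(int) biClrUsed`. Both functions begin and end outside the hunks shown.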
|
||||
|
|
@ -1,6 +1,6 @@
|
|||
Name: libjpeg-turbo
|
||||
Version: 1.5.3
|
||||
Release: 6%{?dist}
|
||||
Release: 7%{?dist}
|
||||
Summary: A MMX/SSE2/SIMD accelerated library for manipulating JPEG image files
|
||||
License: IJG
|
||||
URL: http://sourceforge.net/projects/libjpeg-turbo
|
||||
|
@ -10,6 +10,7 @@ Patch0: libjpeg-turbo14-noinst.patch
|
|||
Patch1: libjpeg-turbo-header-files.patch
|
||||
Patch2: libjpeg-turbo-CVE-2018-11813.patch
|
||||
Patch3: libjpeg-turbo-CVE-2018-1152.patch
|
||||
Patch4: libjpeg-turbo-CVE-2018-14498.patch
|
||||
|
||||
BuildRequires: autoconf
|
||||
BuildRequires: automake
|
||||
|
@ -75,6 +76,7 @@ manipulate JPEG files using the TurboJPEG library.
|
|||
%patch1 -p1 -b .header-files
|
||||
%patch2 -p1 -b .CVE-2018-11813
|
||||
%patch3 -p1 -b .CVE-2018-1152
|
||||
%patch4 -p1 -b .CVE-2018-14498
|
||||
|
||||
%build
|
||||
autoreconf -vif
|
||||
|
@ -169,6 +171,9 @@ make test %{?_smp_mflags}
|
|||
%{_libdir}/pkgconfig/libturbojpeg.pc
|
||||
|
||||
%changelog
|
||||
* Wed Mar 13 2019 Nikola Forró <nforro@redhat.com> - 1.5.3-7
|
||||
- Fix CVE-2018-14498 (#1687428)
|
||||
|
||||
* Fri Jun 29 2018 Nikola Forró <nforro@redhat.com> - 1.5.3-6
|
||||
- Fix CVE-2018-1152 (#1593555)
|
||||
|
||||
|
|