Fix CVE-2018-1152 (#1593555)

2018-06-29 14:36:41 +02:00 · 2018-06-29 14:36:41 +02:00 · 9a2e90af63
commit 9a2e90af63
parent a2d36ac1a0
2 changed files with 45 additions and 1 deletions
--- a/libjpeg-turbo-CVE-2018-1152.patch
+++ b/libjpeg-turbo-CVE-2018-1152.patch
@ -0,0 +1,39 @@
+From 0079f602bacb13a5b0c9f4a191ddaadd8a8fa58c Mon Sep 17 00:00:00 2001
+From: DRC <information@libjpeg-turbo.org>
+Date: Tue, 12 Jun 2018 20:27:00 -0500
+Subject: [PATCH] tjLoadImage(): Fix FPE triggered by malformed BMP
+
+In rdbmp.c, it is necessary to guard against 32-bit overflow/wraparound
+when allocating the row buffer, because since BMP files have 32-bit
+width and height fields, the value of biWidth can be up to 4294967295.
+Specifically, if biWidth is 1073741824 and cinfo->input_components = 4,
+then the samplesperrow argument in alloc_sarray() would wrap around to
+0, and a division by zero error would occur at line 458 in jmemmgr.c.
+
+If biWidth is set to a higher value, then samplesperrow would wrap
+around to a small number, which would likely cause a buffer overflow
+(this has not been tested or verified.)
+---
+ rdbmp.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/rdbmp.c b/rdbmp.c
+index fcabbb1..a0efa93 100644
+--- a/rdbmp.c
+++ b/rdbmp.c
+@@ -623,6 +623,12 @@ start_input_bmp(j_compress_ptr cinfo, cjpeg_source_ptr sinfo)
+     }
+   }
+ 
+  /* Ensure that biWidth * cinfo->input_components doesn't exceed the maximum
+     value of the JDIMENSION type.  This is only a danger with BMP files, since
+     their width and height fields are 32-bit integers. */
+  if ((unsigned long long)biWidth *
+      (unsigned long long)cinfo->input_components > 0xFFFFFFFFULL)
+    ERREXIT(cinfo, JERR_WIDTH_OVERFLOW);
+   /* Allocate one-row buffer for returned data */
+   source->pub.buffer = (*cinfo->mem->alloc_sarray)
+     ((j_common_ptr)cinfo, JPOOL_IMAGE,
+-- 
+2.17.1
+
--- a/libjpeg-turbo.spec
+++ b/libjpeg-turbo.spec
@ -1,6 +1,6 @@
 Name:           libjpeg-turbo
 Version:        1.5.90
-Release:        2%{?dist}
+Release:        3%{?dist}
 Summary:        A MMX/SSE2/SIMD accelerated library for manipulating JPEG image files
 License:        IJG
 URL:            http://sourceforge.net/projects/libjpeg-turbo
@ -8,6 +8,7 @@ URL:            http://sourceforge.net/projects/libjpeg-turbo
 Source0:        http://downloads.sourceforge.net/%{name}/%{name}-%{version}.tar.gz
 Patch0:         libjpeg-turbo-cmake.patch
 Patch1:         libjpeg-turbo-CVE-2018-11813.patch
+Patch2:         libjpeg-turbo-CVE-2018-1152.patch

 BuildRequires:  gcc
 BuildRequires:  cmake
@ -71,6 +72,7 @@ manipulate JPEG files using the TurboJPEG library.
 %setup -q
 %patch0 -p1
 %patch1 -p1
+%patch2 -p1

 %build
 %{cmake} -DCMAKE_SKIP_RPATH:BOOL=YES \
@ -170,6 +172,9 @@ LD_LIBRARY_PATH=%{buildroot}%{_libdir} make test %{?_smp_mflags}
 %{_libdir}/pkgconfig/libturbojpeg.pc

 %changelog
+* Fri Jun 29 2018 Nikola Forró <nforro@redhat.com> - 1.5.90-3
+- Fix CVE-2018-1152 (#1593555)
+
 * Fri Jun 15 2018 Nikola Forró <nforro@redhat.com> - 1.5.90-2
 - Fix CVE-2018-11813 (#1588804)