rpms/libjpeg-turbo
5
0
Fork 0
Code Issues Pull Requests Releases Activity

Fix CVE-2018-20330 (#1665224)

Browse Source
This commit is contained in:
Nikola Forró 2019-01-11 11:16:27 +01:00
parent 53207d3c91
commit c8f4c0f91a
2 changed files with 44 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

38
libjpeg-turbo-CVE-2018-20330.patch Normal file
View File

@ -0,0 +1,38 @@
From 9c5f56c55a8610953854408b3aade01320064e07 Mon Sep 17 00:00:00 2001
From: DRC <information@libjpeg-turbo.org>
Date: Tue, 1 Jan 2019 18:57:36 -0600
Subject: [PATCH] tjLoadImage(): Fix int overflow/segfault w/big BMP
Fixes #304
---
turbojpeg.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/turbojpeg.c b/turbojpeg.c
index 90a9ce6..3b5154f 100644
--- a/turbojpeg.c
+++ b/turbojpeg.c
@@ -1960,7 +1960,8 @@ DLLEXPORT unsigned char *tjLoadImage(const char *filename, int *width,
int align, int *height, int *pixelFormat,
int flags)
{
- int retval = 0, tempc, pitch;
+ int retval = 0, tempc;
+ size_t pitch;
tjhandle handle = NULL;
tjinstance *this;
j_compress_ptr cinfo = NULL;
@@ -2013,7 +2014,9 @@ DLLEXPORT unsigned char *tjLoadImage(const char *filename, int *width,
*pixelFormat = cs2pf[cinfo->in_color_space];
pitch = PAD((*width) * tjPixelSize[*pixelFormat], align);
- if ((dstBuf = (unsigned char *)malloc(pitch * (*height))) == NULL)
+ if ((unsigned long long)pitch * (unsigned long long)(*height) >
+ (unsigned long long)((size_t)-1) ||
+ (dstBuf = (unsigned char *)malloc(pitch * (*height))) == NULL)
_throwg("tjLoadImage(): Memory allocation failure");
if (setjmp(this->jerr.setjmp_buffer)) {
--
2.17.2

7
libjpeg-turbo.spec
View File

@ -1,12 +1,13 @@
Name: libjpeg-turbo Name: libjpeg-turbo
Version: 2.0.0 Version: 2.0.0
Release: 1%{?dist} Release: 2%{?dist}
Summary: A MMX/SSE2/SIMD accelerated library for manipulating JPEG image files Summary: A MMX/SSE2/SIMD accelerated library for manipulating JPEG image files
License: IJG License: IJG
URL: http://sourceforge.net/projects/libjpeg-turbo URL: http://sourceforge.net/projects/libjpeg-turbo
Source0: http://downloads.sourceforge.net/%{name}/%{name}-%{version}.tar.gz Source0: http://downloads.sourceforge.net/%{name}/%{name}-%{version}.tar.gz
Patch0: libjpeg-turbo-cmake.patch Patch0: libjpeg-turbo-cmake.patch
Patch1: libjpeg-turbo-CVE-2018-20330.patch
BuildRequires: gcc BuildRequires: gcc
BuildRequires: cmake BuildRequires: cmake
@ -69,6 +70,7 @@ manipulate JPEG files using the TurboJPEG library.
%prep %prep
%setup -q %setup -q
%patch0 -p1 %patch0 -p1
%patch1 -p1
%build %build
%{cmake} -DCMAKE_SKIP_RPATH:BOOL=YES \ %{cmake} -DCMAKE_SKIP_RPATH:BOOL=YES \
@ -168,6 +170,9 @@ LD_LIBRARY_PATH=%{buildroot}%{_libdir} make test %{?_smp_mflags}
%{_libdir}/pkgconfig/libturbojpeg.pc %{_libdir}/pkgconfig/libturbojpeg.pc
%changelog %changelog
* Fri Jan 11 2019 Nikola Forró <nforro@redhat.com> - 2.0.0-2
- Fix CVE-2018-20330 (#1665224)
* Mon Jul 30 2018 Nikola Forró <nforro@redhat.com> - 2.0.0-1 * Mon Jul 30 2018 Nikola Forró <nforro@redhat.com> - 2.0.0-1
- New upstream release 2.0.0 (#1609439) - New upstream release 2.0.0 (#1609439)