Fix CVE-2018-20330 (#1665224)

2019-01-11 11:16:27 +01:00 · 2019-01-11 11:16:27 +01:00 · c8f4c0f91a
commit c8f4c0f91a
parent 53207d3c91
2 changed files with 44 additions and 1 deletions
--- a/libjpeg-turbo-CVE-2018-20330.patch
+++ b/libjpeg-turbo-CVE-2018-20330.patch
@ -0,0 +1,38 @@
+From 9c5f56c55a8610953854408b3aade01320064e07 Mon Sep 17 00:00:00 2001
+From: DRC <information@libjpeg-turbo.org>
+Date: Tue, 1 Jan 2019 18:57:36 -0600
+Subject: [PATCH] tjLoadImage(): Fix int overflow/segfault w/big BMP
+
+Fixes #304
+---
+ turbojpeg.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/turbojpeg.c b/turbojpeg.c
+index 90a9ce6..3b5154f 100644
+--- a/turbojpeg.c
+++ b/turbojpeg.c
+@@ -1960,7 +1960,8 @@ DLLEXPORT unsigned char *tjLoadImage(const char *filename, int *width,
+                                      int align, int *height, int *pixelFormat,
+                                      int flags)
+ {
+-  int retval = 0, tempc, pitch;
+  int retval = 0, tempc;
+  size_t pitch;
+   tjhandle handle = NULL;
+   tjinstance *this;
+   j_compress_ptr cinfo = NULL;
+@@ -2013,7 +2014,9 @@ DLLEXPORT unsigned char *tjLoadImage(const char *filename, int *width,
+   *pixelFormat = cs2pf[cinfo->in_color_space];
+ 
+   pitch = PAD((*width) * tjPixelSize[*pixelFormat], align);
+-  if ((dstBuf = (unsigned char *)malloc(pitch * (*height))) == NULL)
+  if ((unsigned long long)pitch * (unsigned long long)(*height) >
+      (unsigned long long)((size_t)-1) ||
+      (dstBuf = (unsigned char *)malloc(pitch * (*height))) == NULL)
+     _throwg("tjLoadImage(): Memory allocation failure");
+ 
+   if (setjmp(this->jerr.setjmp_buffer)) {
+-- 
+2.17.2
+
--- a/libjpeg-turbo.spec
+++ b/libjpeg-turbo.spec
@ -1,12 +1,13 @@
 Name:           libjpeg-turbo
 Version:        2.0.0
-Release:        1%{?dist}
+Release:        2%{?dist}
 Summary:        A MMX/SSE2/SIMD accelerated library for manipulating JPEG image files
 License:        IJG
 URL:            http://sourceforge.net/projects/libjpeg-turbo

 Source0:        http://downloads.sourceforge.net/%{name}/%{name}-%{version}.tar.gz
 Patch0:         libjpeg-turbo-cmake.patch
+Patch1:         libjpeg-turbo-CVE-2018-20330.patch

 BuildRequires:  gcc
 BuildRequires:  cmake
@ -69,6 +70,7 @@ manipulate JPEG files using the TurboJPEG library.
 %prep
 %setup -q
 %patch0 -p1
+%patch1 -p1

 %build
 %{cmake} -DCMAKE_SKIP_RPATH:BOOL=YES \
@ -168,6 +170,9 @@ LD_LIBRARY_PATH=%{buildroot}%{_libdir} make test %{?_smp_mflags}
 %{_libdir}/pkgconfig/libturbojpeg.pc

 %changelog
+* Fri Jan 11 2019 Nikola Forró <nforro@redhat.com> - 2.0.0-2
+- Fix CVE-2018-20330 (#1665224)
+
 * Mon Jul 30 2018 Nikola Forró <nforro@redhat.com> - 2.0.0-1
 - New upstream release 2.0.0 (#1609439)