rpms/libjpeg-turbo
6
0
Fork 0
Code Issues Pull Requests Releases Activity
a246bd77d2
libjpeg-turbo/libjpeg-turbo-CVE-2020-13790.patch
Michal Hlavinka a246bd77d2 fix CVE-2020-13790: heap-based buffer over-read in get_rgb_row (RHEL-87364) 
Resolves: RHEL-87364
2025-04-22 23:28:29 +02:00

30 lines
1.2 KiB
Diff
Raw Blame History

From 3de15e0c344d11d4b90f4a47136467053eb2d09a Mon Sep 17 00:00:00 2001
From: DRC <information@libjpeg-turbo.org>
Date: Tue, 2 Jun 2020 14:15:37 -0500
Subject: [PATCH] rdppm.c: Fix buf overrun caused by bad binary PPM
This extends the fix in 1e81b0c3ea26f4ea8f56de05367469333de64a9f to
include binary PPM files with maximum values < 255, thus preventing a
malformed binary PPM input file with those specifications from
triggering an overrun of the rescale array and potentially crashing
cjpeg, TJBench, or any program that uses the tjLoadImage() function.
Fixes #433
---
rdppm.c | 4 ++--
2 files changed, 12 insertions(+), 6 deletions(-)
diff --git a/rdppm.c b/rdppm.c
index 87bc33090..a8507b902 100644
--- a/rdppm.c
+++ b/rdppm.c
@ -425,7 +425,7 @@ start_input_ppm (j_compress_ptr cinfo, c
/* On 16-bit-int machines we have to be careful of maxval = 65535 */
source->rescale = (JSAMPLE *)
(*cinfo->mem->alloc_small) ((j_common_ptr) cinfo, JPOOL_IMAGE,
- (size_t) (((long) maxval + 1L) *
+ (size_t)(((long)MAX(maxval, 255) + 1L) *
sizeof(JSAMPLE)));
half_maxval = maxval / 2;
for (val = 0; val <= (long) maxval; val++) {
Reference in New Issue View Git Blame Copy Permalink