diff --git a/libjpeg-turbo-CVE-2018-19664.patch b/libjpeg-turbo-CVE-2018-19664.patch
new file mode 100644
index 0000000..f99863e
--- /dev/null
+++ b/libjpeg-turbo-CVE-2018-19664.patch
@@ -0,0 +1,33 @@
+From 4a3f52b4d191d79f500831649037b9b24c730e37 Mon Sep 17 00:00:00 2001
+From: DRC
+Date: Tue, 1 Jan 2019 20:32:40 -0600
+Subject: [PATCH] wrbmp.c: Don't allow quantization w/ non-RGB CS
+
+If cinfo->quantize_colors == 1, then jpeg_calc_output_dimensions() will
+set cinfo->output_components to 1, and if cinfo->out_color_space is not
+RGB (or extended RGB), hilarity will ensue.
+
+Fixes #305
+---
+ wrbmp.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/wrbmp.c b/wrbmp.c
+index 38a64e8..3489f14 100644
+--- a/wrbmp.c
++++ b/wrbmp.c
+@@ -506,8 +506,9 @@ jinit_write_bmp(j_decompress_ptr cinfo, boolean is_os2,
+ dest->pub.put_pixel_rows = put_gray_rows;
+ else
+ dest->pub.put_pixel_rows = put_pixel_rows;
+- } else if (cinfo->out_color_space == JCS_RGB565 ||
+- cinfo->out_color_space == JCS_CMYK) {
++ } else if (!cinfo->quantize_colors &&
++ (cinfo->out_color_space == JCS_RGB565 ||
++ cinfo->out_color_space == JCS_CMYK)) {
+ dest->pub.put_pixel_rows = put_pixel_rows;
+ } else {
+ ERREXIT(cinfo, JERR_BMP_COLORSPACE);
+--
+2.17.2
+
diff --git a/libjpeg-turbo-CVE-2018-20330.patch b/libjpeg-turbo-CVE-2018-20330.patch
new file mode 100644
index 0000000..169d01a
--- /dev/null
+++ b/libjpeg-turbo-CVE-2018-20330.patch
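Review bot: The new `!cinfo->quantize_colors &&` guard in the wrbmp.c hunk has no comment, so the reason quantized RGB565/CMYK output now falls through to `ERREXIT(cinfo, JERR_BMP_COLORSPACE)` is recorded only in the commit message. A short comment above the `else if`, for example `/* quantize_colors forces output_components to 1, which is only handled for (extended) RGB output */`, would keep a later refactor from relaxing the condition. The wording is taken from the patch description and should be confirmed against jpeg_calc_output_dimensions(). jinit_write_bmp's body starts and ends outside this hunk.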
@@ -0,0 +1,38 @@
+From 9c5f56c55a8610953854408b3aade01320064e07 Mon Sep 17 00:00:00 2001
+From: DRC
+Date: Tue, 1 Jan 2019 18:57:36 -0600
+Subject: [PATCH] tjLoadImage(): Fix int overflow/segfault w/big BMP
+
+Fixes #304
+---
+ turbojpeg.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/turbojpeg.c b/turbojpeg.c
+index 90a9ce6..3b5154f 100644
+--- a/turbojpeg.c
++++ b/turbojpeg.c
+@@ -1960,7 +1960,8 @@ DLLEXPORT unsigned char *tjLoadImage(const char *filename, int *width,
+ int align, int *height, int *pixelFormat,
+ int flags)
+ {
+- int retval = 0, tempc, pitch;
++ int retval = 0, tempc;
++ size_t pitch;
+ tjhandle handle = NULL;
+ tjinstance *this;
+ j_compress_ptr cinfo = NULL;
+@@ -2013,7 +2014,9 @@ DLLEXPORT unsigned char *tjLoadImage(const char *filename, int *width,
+ *pixelFormat = cs2pf[cinfo->in_color_space];
+
+ pitch = PAD((*width) * tjPixelSize[*pixelFormat], align);
+- if ((dstBuf = (unsigned char *)malloc(pitch * (*height))) == NULL)
++ if ((unsigned long long)pitch * (unsigned long long)(*height) >
++ (unsigned long long)((size_t)-1) ||
++ (dstBuf = (unsigned char *)malloc(pitch * (*height))) == NULL)
+ _throwg("tjLoadImage(): Memory allocation failure");
+
+ if (setjmp(this->jerr.setjmp_buffer)) {
+--
+2.17.2
+
diff --git a/mingw-libjpeg-turbo.spec b/mingw-libjpeg-turbo.spec
index 956e259..90d9570 100644
--- a/mingw-libjpeg-turbo.spec
+++ b/mingw-libjpeg-turbo.spec
@@ -6,7 +6,7 @@ Name: mingw-libjpeg-turbo Version: 2.0.0 -Release: 1%{?dist} +Release: 2%{?dist} Summary: MinGW Windows Libjpeg-turbo library License: wxWidgets
@@ -16,6 +16,8 @@ Source0: http://downloads.sourceforge.net/libjpeg-turbo/libjpeg-turbo-%{v # Make jconfig.h more autoconf friendly # https://bugzilla.redhat.com/show_bug.cgi?id=843193 Patch0: libjpeg-turbo-match-autoconf-behavior.patch +Patch1: libjpeg-turbo-CVE-2018-19664.patch +Patch2: libjpeg-turbo-CVE-2018-20330.patch BuildArch: noarch
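Review bot: The overflow guard added before `malloc(pitch * (*height))` covers only the pitch × height product. On the line above it, `(*width) * tjPixelSize[*pixelFormat]` is still evaluated before the result reaches the new `size_t pitch`, and since `*width` is an `int` that multiplication appears to stay in `int`. Whether the BMP reader bounds the width earlier is not visible here; if it does not, the guard would compare an already-wrapped pitch. Widening the operand first, e.g. `pitch = PAD((size_t)(*width) * tjPixelSize[*pixelFormat], align);`, would cover that case, but PAD is defined outside the hunk, so confirm it behaves with a `size_t` argument. tjLoadImage's body continues past both hunks of this patch.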
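Review bot: `Patch1` and `Patch2` are added without the provenance comment that `Patch0` has above it. Both files are upstream commits, so a line above each, such as `# Upstream commit 4a3f52b4d191d79f500831649037b9b24c730e37 (Fixes #305)` and `# Upstream commit 9c5f56c55a8610953854408b3aade01320064e07 (Fixes #304)`, would let a later rebase check whether the new release already contains the fix and drop the patch. The hashes and issue numbers are taken from the patch headers in this commit.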
@@ -77,8 +79,7 @@ Static version of the MinGW Windows cross compiled Libjpeg-turbo library. %prep -%setup -q -n libjpeg-turbo-%{version} -%patch0 -p1 +%autosetup -n libjpeg-turbo-%{version} -p1 %build
@@ -157,6 +158,9 @@ chmod -x README.md %changelog +* Fri Jan 11 2019 Kalev Lember - 2.0.0-2 +- Fix CVE-2018-19664 and CVE-2018-20330 + * Wed Aug 01 2018 Sandro Mani - 2.0.0-1 - Update to 2.0.0