Fix CVE-2018-19664 and CVE-2018-20330

libjpeg-turbo-CVE-2018-19664.patch

@@ -0,0 +1,33 @@
+From 4a3f52b4d191d79f500831649037b9b24c730e37 Mon Sep 17 00:00:00 2001
+From: DRC <information@libjpeg-turbo.org>
+Date: Tue, 1 Jan 2019 20:32:40 -0600
+Subject: [PATCH] wrbmp.c: Don't allow quantization w/ non-RGB CS
+
+If cinfo->quantize_colors == 1, then jpeg_calc_output_dimensions() will
+set cinfo->output_components to 1, and if cinfo->out_color_space is not
+RGB (or extended RGB), hilarity will ensue.
+
+Fixes #305
+---
+ wrbmp.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/wrbmp.c b/wrbmp.c
+index 38a64e8..3489f14 100644
+--- a/wrbmp.c
++++ b/wrbmp.c
+@@ -506,8 +506,9 @@ jinit_write_bmp(j_decompress_ptr cinfo, boolean is_os2,
+       dest->pub.put_pixel_rows = put_gray_rows;
+     else
+       dest->pub.put_pixel_rows = put_pixel_rows;
+-  } else if (cinfo->out_color_space == JCS_RGB565 ||
+-             cinfo->out_color_space == JCS_CMYK) {
++  } else if (!cinfo->quantize_colors &&
++             (cinfo->out_color_space == JCS_RGB565 ||
++              cinfo->out_color_space == JCS_CMYK)) {
+     dest->pub.put_pixel_rows = put_pixel_rows;
+   } else {
+     ERREXIT(cinfo, JERR_BMP_COLORSPACE);
+-- 
+2.17.2
+

libjpeg-turbo-CVE-2018-20330.patch

@@ -0,0 +1,38 @@
+From 9c5f56c55a8610953854408b3aade01320064e07 Mon Sep 17 00:00:00 2001
+From: DRC <information@libjpeg-turbo.org>
+Date: Tue, 1 Jan 2019 18:57:36 -0600
+Subject: [PATCH] tjLoadImage(): Fix int overflow/segfault w/big BMP
+
+Fixes #304
+---
+ turbojpeg.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/turbojpeg.c b/turbojpeg.c
+index 90a9ce6..3b5154f 100644
+--- a/turbojpeg.c
++++ b/turbojpeg.c
+@@ -1960,7 +1960,8 @@ DLLEXPORT unsigned char *tjLoadImage(const char *filename, int *width,
+                                      int align, int *height, int *pixelFormat,
+                                      int flags)
+ {
+-  int retval = 0, tempc, pitch;
++  int retval = 0, tempc;
++  size_t pitch;
+   tjhandle handle = NULL;
+   tjinstance *this;
+   j_compress_ptr cinfo = NULL;
+@@ -2013,7 +2014,9 @@ DLLEXPORT unsigned char *tjLoadImage(const char *filename, int *width,
+   *pixelFormat = cs2pf[cinfo->in_color_space];
+ 
+   pitch = PAD((*width) * tjPixelSize[*pixelFormat], align);
+-  if ((dstBuf = (unsigned char *)malloc(pitch * (*height))) == NULL)
++  if ((unsigned long long)pitch * (unsigned long long)(*height) >
++      (unsigned long long)((size_t)-1) ||
++      (dstBuf = (unsigned char *)malloc(pitch * (*height))) == NULL)
+     _throwg("tjLoadImage(): Memory allocation failure");
+ 
+   if (setjmp(this->jerr.setjmp_buffer)) {
+-- 
+2.17.2
+

mingw-libjpeg-turbo.spec

@@ -6,7 +6,7 @@
 
 Name:           mingw-libjpeg-turbo
 Version:        2.0.0
-Release:        1%{?dist}
+Release:        2%{?dist}
 Summary:        MinGW Windows Libjpeg-turbo library
 
 License:        wxWidgets
@@ -16,6 +16,8 @@ Source0:        http://downloads.sourceforge.net/libjpeg-turbo/libjpeg-turbo-%{v
 # Make jconfig.h more autoconf friendly
 # https://bugzilla.redhat.com/show_bug.cgi?id=843193
 Patch0:         libjpeg-turbo-match-autoconf-behavior.patch
+Patch1:         libjpeg-turbo-CVE-2018-19664.patch
+Patch2:         libjpeg-turbo-CVE-2018-20330.patch
 
 BuildArch:      noarch
 
@@ -77,8 +79,7 @@ Static version of the MinGW Windows cross compiled Libjpeg-turbo library.
 
 
 %prep
-%setup -q -n libjpeg-turbo-%{version}
+%autosetup -n libjpeg-turbo-%{version} -p1
-%patch0 -p1
 
 
 %build
@@ -157,6 +158,9 @@ chmod -x README.md
 
 
 %changelog
+* Fri Jan 11 2019 Kalev Lember <klember@redhat.com> - 2.0.0-2
+- Fix CVE-2018-19664 and CVE-2018-20330
+
 * Wed Aug 01 2018 Sandro Mani <manisandro@gmail.com> - 2.0.0-1
 - Update to 2.0.0