Fix CVE-2020-13790

https://bugzilla.redhat.com/show_bug.cgi?id=1847160
2020-06-16 11:49:10 +02:00 · 2020-06-16 11:49:10 +02:00 · f6c3cc8708
commit f6c3cc8708
parent 1017ed0e17
2 changed files with 37 additions and 1 deletions
--- a/libjpeg-turbo-CVE-2020-13790.patch
+++ b/libjpeg-turbo-CVE-2020-13790.patch
@ -0,0 +1,32 @@
+From a224e4dfd34823a4d993dcb97819bdcee8471676 Mon Sep 17 00:00:00 2001
+From: DRC <information@libjpeg-turbo.org>
+Date: Tue, 2 Jun 2020 14:15:37 -0500
+Subject: [PATCH] rdppm.c: Fix buf overrun caused by bad binary PPM
+
+This extends the fix in 1e81b0c3ea26f4ea8f56de05367469333de64a9f to
+include binary PPM files with maximum values < 255, thus preventing a
+malformed binary PPM input file with those specifications from
+triggering an overrun of the rescale array and potentially crashing
+cjpeg, TJBench, or any program that uses the tjLoadImage() function.
+
+Fixes #433
+---
+ rdppm.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/rdppm.c b/rdppm.c
+index 87bc330..71dd146 100644
+--- a/rdppm.c
+++ b/rdppm.c
+@@ -720,7 +720,7 @@ start_input_ppm(j_compress_ptr cinfo, cjpeg_source_ptr sinfo)
+     /* On 16-bit-int machines we have to be careful of maxval = 65535 */
+     source->rescale = (JSAMPLE *)
+       (*cinfo->mem->alloc_small) ((j_common_ptr)cinfo, JPOOL_IMAGE,
+-                                  (size_t)(((long)maxval + 1L) *
+                                  (size_t)(((long)MAX(maxval, 255) + 1L) *
+                                            sizeof(JSAMPLE)));
+     half_maxval = maxval / 2;
+     for (val = 0; val <= (long)maxval; val++) {
+-- 
+2.26.2
+
--- a/mingw-libjpeg-turbo.spec
+++ b/mingw-libjpeg-turbo.spec
@ -6,7 +6,7 @@

 Name:           mingw-libjpeg-turbo
 Version:        2.0.4
-Release:        2%{?dist}
+Release:        3%{?dist}
 Summary:        MinGW Windows Libjpeg-turbo library

 License:        wxWidgets
@ -16,6 +16,7 @@ Source0:        http://downloads.sourceforge.net/libjpeg-turbo/libjpeg-turbo-%{v
 # Make jconfig.h more autoconf friendly
 # https://bugzilla.redhat.com/show_bug.cgi?id=843193
 Patch0:         libjpeg-turbo-match-autoconf-behavior.patch
+Patch2:         libjpeg-turbo-CVE-2020-13790.patch

 BuildArch:      noarch

@ -156,6 +157,9 @@ chmod -x README.md


 %changelog
+* Tue Jun 16 2020 Kalev Lember <klember@redhat.com> - 2.0.4-3
+- Fix CVE-2020-13790 (#1847160)
+
 * Wed Jan 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2.0.4-2
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild