package/libjxl: security bump to version 0.8.1

Security: Fix OOB read in exif.h https://github.com/libjxl/libjxl/releases/tag/v0.8.1 https://github.com/libjxl/libjxl/releases/tag/v0.8.0 Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com> Tested-by: Julien Olivain <ju.o@free.fr> Reviewed-by: Julien Olivain <ju.o@free.fr> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2023-02-19 17:48:22 +01:00 · 2023-02-19 17:48:22 +01:00 · ff7c37e574
commit ff7c37e574
parent 13b05a9b00
3 changed files with 46 additions and 2 deletions
--- a/package/libjxl/0001-djxl-fix-segmentation-fault-when-JPEG-is-disabled.patch
+++ b/package/libjxl/0001-djxl-fix-segmentation-fault-when-JPEG-is-disabled.patch
@ -0,0 +1,44 @@
+From 504f35c8204248ae6f97278e8b7c6cc5853a1b94 Mon Sep 17 00:00:00 2001
+From: Julien Olivain <ju.o@free.fr>
+Date: Fri, 10 Feb 2023 21:31:30 +0100
+Subject: [PATCH] djxl: fix segmentation fault when JPEG is disabled
+
+When libjxl is compiled without JPEG support, by configuring for example
+with:
+
+    cmake -DCMAKE_DISABLE_FIND_PACKAGE_JPEG=TRUE ...
+
+djxl crashes with a segmentation fault at:
+https://github.com/libjxl/libjxl/blob/v0.8.1/tools/djxl_main.cc#L367
+
+The crash can be reproduced with the sequence:
+
+    gm convert IMAGE:LOGO ref.ppm
+    cjxl ref.ppm enc.jxl
+    djxl enc.jxl dec.ppm
+
+The crash happen because opt_jpeg_quality_id does not get
+initialized at:
+https://github.com/libjxl/libjxl/blob/v0.8.1/tools/djxl_main.cc#L107
+
+This commit fixes the crash by adding a test on opt_jpeg_quality_id.
+
+Signed-off-by: Julien Olivain <ju.o@free.fr>
+[Retrieved from:
+https://github.com/libjxl/libjxl/pull/2178/commits/504f35c8204248ae6f97278e8b7c6cc5853a1b94]
+---
+ tools/djxl_main.cc | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/tools/djxl_main.cc b/tools/djxl_main.cc
+index b755301fcb..42b889e7ce 100644
+--- a/tools/djxl_main.cc
+++ b/tools/djxl_main.cc
+@@ -370,6 +370,7 @@ int main(int argc, const char* argv[]) {
+     args.color_space = force_colorspace;
+   }
+   if (codec == jxl::extras::Codec::kPNM && extension != ".pfm" &&
+      args.opt_jpeg_quality_id != -1 &&
+       !cmdline.GetOption(args.opt_jpeg_quality_id)->matched()) {
+     args.bits_per_sample = 0;
+   }
--- a/package/libjxl/libjxl.hash
+++ b/package/libjxl/libjxl.hash
@ -1,4 +1,4 @@
 # Locally computed:
-sha256  3114bba1fabb36f6f4adc2632717209aa6f84077bc4e93b420e0d63fa0455c5e  libjxl-0.7.0.tar.gz
+sha256  60f43921ad3209c9e180563025eda0c0f9b1afac51a2927b9ff59fff3950dc56  libjxl-0.8.1.tar.gz
 sha256  8405932022a556380c2d8c272eff154a923feb197233f348ce5f7334fb0a5ede  LICENSE
 sha256  91915f8ae056a68a3c5bdf05d9f6f78bb6903e27a8ca3a8434c9e4ac87300575  PATENTS
--- a/package/libjxl/libjxl.mk
+++ b/package/libjxl/libjxl.mk
@ -4,7 +4,7 @@
 #
 ################################################################################

-LIBJXL_VERSION = 0.7.0
+LIBJXL_VERSION = 0.8.1
 LIBJXL_SITE = $(call github,libjxl,libjxl,v$(LIBJXL_VERSION))
 LIBJXL_LICENSE = BSD-3-Clause
 LIBJXL_LICENSE_FILES = LICENSE PATENTS