NetCube-Systems-Austria/kumquat-buildroot
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
590e35a590
kumquat-buildroot/package/jpeg-turbo/0001-tjLoadImage-Fix-int-overflow-segfault-w-big-BMP.patch
Baruch Siach f60925beda package/jpeg-turbo: add upstream security fixes 
CVE-2018-20330: Integer overflow causing segfault occurred when
attempting to load a BMP file with more than 1 billion pixels using the
`tjLoadImage()` function.

CVE-2018-19664: Buffer overrun occurred when attempting to decompress a
specially-crafted malformed JPEG image to a 256-color BMP using djpeg.

Cc: Murat Demirten <mdemirten@yh.com.tr>
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-02-12 19:59:46 +01:00

52 lines
1.8 KiB
Diff
Raw Blame History

From 3d9c64e9f8aa1ee954d1d0bb3390fc894bb84da3 Mon Sep 17 00:00:00 2001
From: DRC <information@libjpeg-turbo.org>
Date: Tue, 1 Jan 2019 18:57:36 -0600
Subject: [PATCH] tjLoadImage(): Fix int overflow/segfault w/big BMP
Fixes #304
[baruch: drop the ChangeLog.md hunk]
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
---
Upstream status: commit 3d9c64e9f8aa
ChangeLog.md | 4 ++++
turbojpeg.c | 9 ++++++---
2 files changed, 10 insertions(+), 3 deletions(-)
diff --git a/turbojpeg.c b/turbojpeg.c
index 90a9ce6a0be8..3f7cd640677f 100644
--- a/turbojpeg.c
+++ b/turbojpeg.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C)2009-2018 D. R. Commander. All Rights Reserved.
+ * Copyright (C)2009-2019 D. R. Commander. All Rights Reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are met:
@@ -1960,7 +1960,8 @@ DLLEXPORT unsigned char *tjLoadImage(const char *filename, int *width,
int align, int *height, int *pixelFormat,
int flags)
{
- int retval = 0, tempc, pitch;
+ int retval = 0, tempc;
+ size_t pitch;
tjhandle handle = NULL;
tjinstance *this;
j_compress_ptr cinfo = NULL;
@@ -2013,7 +2014,9 @@ DLLEXPORT unsigned char *tjLoadImage(const char *filename, int *width,
*pixelFormat = cs2pf[cinfo->in_color_space];
pitch = PAD((*width) * tjPixelSize[*pixelFormat], align);
- if ((dstBuf = (unsigned char *)malloc(pitch * (*height))) == NULL)
+ if ((unsigned long long)pitch * (unsigned long long)(*height) >
+ (unsigned long long)((size_t)-1) ||
+ (dstBuf = (unsigned char *)malloc(pitch * (*height))) == NULL)
_throwg("tjLoadImage(): Memory allocation failure");
if (setjmp(this->jerr.setjmp_buffer)) {
--
2.20.1
Reference in New Issue View Git Blame Copy Permalink