Commit 68aefa77 authored by prspkt's avatar prspkt Committed by Natanael Copa

main/libjpeg-turbo: upgrade to 2.0.2

As of v2.0.0 the project transitioned to CMake on all platforms
and removed the autotools-based build system.
parent c134a889
From f1322acf6cdc8c25db0075d7d32dc2f25ed9d477 Mon Sep 17 00:00:00 2001
From: DRC <information@libjpeg-turbo.org>
Date: Tue, 12 Jun 2018 20:27:00 -0500
Subject: [PATCH] rdbmp.c: Fix FPE triggered by malformed BMP
In rdbmp.c, it is necessary to guard against 32-bit overflow/wraparound
when allocating the row buffer, because since BMP files have 32-bit
width and height fields, the value of biWidth can be up to 4294967295.
Specifically, high values of biWidth could cause the samplesperrow
argument in alloc_sarray() to wrap around to 0, triggering a division by
zero error at line 460 in jmemmgr.c, or to wrap around to a small
number, likely triggering a buffer overflow.
This fix is not documented in the change log for this branch, because
the bug was exposed using the tjLoadImage() function in the 2.0.x
branch. However, it is posited that the issue could be triggered using
TJBench in this branch.
---
rdbmp.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/rdbmp.c b/rdbmp.c
index eaa7086..6b73f7c 100644
--- a/rdbmp.c
+++ b/rdbmp.c
@@ -6,7 +6,7 @@
* Modified 2009-2010 by Guido Vollbeding.
* libjpeg-turbo Modifications:
* Modified 2011 by Siarhei Siamashka.
- * Copyright (C) 2015, D. R. Commander.
+ * Copyright (C) 2015, 2018, D. R. Commander.
* For conditions of distribution and use, see the accompanying README.ijg
* file.
*
@@ -434,6 +434,11 @@ start_input_bmp (j_compress_ptr cinfo, cjpeg_source_ptr sinfo)
progress->total_extra_passes++; /* count file input as separate pass */
}
+ /* Ensure that biWidth * 3 doesn't exceed the maximum value of the
+ JDIMENSION type. This is only a danger with BMP files, since their width
+ and height fields are 32-bit integers. */
+ if ((unsigned long long)biWidth * 3ULL > 0xFFFFFFFFULL)
+ ERREXIT(cinfo, JERR_WIDTH_OVERFLOW);
/* Allocate one-row buffer for returned data */
source->pub.buffer = (*cinfo->mem->alloc_sarray)
((j_common_ptr) cinfo, JPOOL_IMAGE,
--
2.17.1
# Contributor: Carlo Landmeter <clandmeter@gmail.com>
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=libjpeg-turbo
pkgver=1.5.3
pkgrel=4
pkgver=2.0.2
pkgrel=0
pkgdesc="accelerated baseline JPEG compression and decompression library"
url="https://libjpeg-turbo.org/"
arch="all"
license="IJG"
depends=""
makedepends="nasm"
makedepends="cmake nasm"
replaces="libjpeg"
subpackages="$pkgname-doc $pkgname-dev $pkgname-utils"
source="https://downloads.sourceforge.net/libjpeg-turbo/libjpeg-turbo-$pkgver.tar.gz
0001-tjLoadImage-Fix-FPE-triggered-by-malformed-BMP.patch
CVE-2018-11813.patch
"
source="https://downloads.sourceforge.net/libjpeg-turbo/libjpeg-turbo-$pkgver.tar.gz"
# secfixes:
# 1.5.3-r3:
......@@ -26,15 +23,17 @@ builddir="$srcdir"/libjpeg-turbo-$pkgver
build() {
cd "$builddir"
./configure \
--build=$CBUILD \
--host=$CHOST \
--prefix=/usr \
--sysconfdir=/etc \
--mandir=/usr/share/man \
--infodir=/usr/share/info \
--localstatedir=/var \
--with-jpeg8
if [ "$CBUILD" != "$CHOST" ]; then
CMAKE_CROSSOPTS="-DCMAKE_SYSTEM_NAME=Linux -DCMAKE_HOST_SYSTEM_NAME=Linux"
fi
cmake \
-DCMAKE_INSTALL_PREFIX=/usr \
-DCMAKE_INSTALL_LIBDIR=/usr/lib \
-DBUILD_SHARED_LIBS=True \
-DCMAKE_BUILD_TYPE=Release \
-DCMAKE_C_FLAGS="$CFLAGS" \
-DWITH_JPEG8=1 \
${CMAKE_CROSSOPTS}
make
}
......@@ -45,8 +44,7 @@ check() {
package() {
cd "$builddir"
make -j1 DESTDIR="$pkgdir" docdir=/usr/share/doc/$pkgname \
install
make -j1 DESTDIR="$pkgdir" install
install -d "$pkgdir"/usr/share/licenses/$pkgname
ln -s ../../doc/libjpeg-turbo/LICENSE.md "$pkgdir/usr/share/licenses/$pkgname"
}
......@@ -68,6 +66,4 @@ dev() {
replaces="jpeg-dev"
}
sha512sums="b611b1cc3d1ddedddad871854b42449d053a5f910ed1bdfa45c98e0270f4ecc110fde3a10111d2b876d847a826fa634f09c0bb8c357056c9c3a91c9065eb5202 libjpeg-turbo-1.5.3.tar.gz
d6465d96427289d90c342e94316018565eb1711ea0028121ea0a962900b7c7599a7457e42201bcfd288da30019ae3b841ce319cfbe02705d49749d660ef04b74 0001-tjLoadImage-Fix-FPE-triggered-by-malformed-BMP.patch
d32234df784ebe1cad6af114f74d14995637e494a502c171e154e1abc5aa335930d3a256fda234a85842d5c1658d2fac6474e0bc959fdf04413f69a35e3bf39a CVE-2018-11813.patch"
sha512sums="204b6d083e99488c975c75efb08699e4dc1c409556e4dee4f21e3ee67e9c6682eb342f2e5712816b0342c00399fbe6e43fbce30c3d22f30f7ef91db006b3be08 libjpeg-turbo-2.0.2.tar.gz"
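Review bot: Nothing in the APKBUILD section or the commit description records that the two patches dropped from source= (CVE-2018-11813.patch and the BMP FPE fix) are carried upstream by 2.0.2; the visible `# secfixes:` context still ends at `# 1.5.3-r3:` and the rest of that block is outside the hunk, so this may already be covered, but if not, one sentence in the description such as `both dropped patches are included upstream as of 2.0.x` would keep the security trail auditable. In package(), dropping `docdir=/usr/share/doc/$pkgname` while keeping `ln -s ../../doc/libjpeg-turbo/LICENSE.md "$pkgdir/usr/share/licenses/$pkgname"` makes the symlink depend on CMake's default doc directory happening to match that path; pinning it with `-DCMAKE_INSTALL_DOCDIR=/usr/share/doc/$pkgname \` in the cmake invocation in build() would make the target explicit rather than assumed. The package() and dev() bodies continue outside their hunks.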
From 19074854d9d8bc32dff3ed252eed17ed6cc2ecfc Mon Sep 17 00:00:00 2001
From: DRC <information@libjpeg-turbo.org>
Date: Tue, 12 Jun 2018 16:08:26 -0500
Subject: [PATCH] Fix CVE-2018-11813
Refer to change log for details.
Fixes #242
---
ChangeLog.md | 14 ++++++++++++++
rdtarga.c | 6 ++----
2 files changed, 16 insertions(+), 4 deletions(-)
diff --git a/ChangeLog.md b/ChangeLog.md
index bf63eb2dc..3aa41d173 100644
--- a/ChangeLog.md
+++ b/ChangeLog.md
@@ -24,6 +24,20 @@ an image was passed to `tjDecompressHeader3()`, `tjTransform()`,
`tjDecompressToYUVPlanes()`, `tjDecompressToYUV2()`, or the equivalent Java
methods.
+5. Fixed an issue (CVE-2018-11813) whereby a specially-crafted malformed input
+file (specifically, a file with a valid Targa header but incomplete pixel data)
+would cause cjpeg to generate a JPEG file that was potentially thousands of
+times larger than the input file. The Targa reader in cjpeg was not properly
+detecting that the end of the input file had been reached prematurely, so after
+all valid pixels had been read from the input, the reader injected dummy pixels
+with values of 255 into the JPEG compressor until the number of pixels
+specified in the Targa header had been compressed. The Targa reader in cjpeg
+now behaves like the PPM reader and aborts compression if the end of the input
+file is reached prematurely. Because this issue only affected cjpeg and not
+the underlying library, and because it did not involve any out-of-bounds reads
+or other exploitable behaviors, it was not believed to represent a security
+threat.
+
1.5.3
=====
diff --git a/rdtarga.c b/rdtarga.c
index b9bbd07cb..f874ece67 100644
--- a/rdtarga.c
+++ b/rdtarga.c
@@ -125,11 +125,10 @@ METHODDEF(void)
read_non_rle_pixel (tga_source_ptr sinfo)
/* Read one Targa pixel from the input file; no RLE expansion */
{
- register FILE *infile = sinfo->pub.input_file;
register int i;
for (i = 0; i < sinfo->pixel_size; i++) {
- sinfo->tga_pixel[i] = (U_CHAR) getc(infile);
+ sinfo->tga_pixel[i] = (U_CHAR) read_byte(sinfo);
}
}
@@ -138,7 +137,6 @@ METHODDEF(void)
read_rle_pixel (tga_source_ptr sinfo)
/* Read one Targa pixel from the input file, expanding RLE data as needed */
{
- register FILE *infile = sinfo->pub.input_file;
register int i;
/* Duplicate previously read pixel? */
@@ -160,7 +158,7 @@ read_rle_pixel (tga_source_ptr sinfo)
/* Read next pixel */
for (i = 0; i < sinfo->pixel_size; i++) {
- sinfo->tga_pixel[i] = (U_CHAR) getc(infile);
+ sinfo->tga_pixel[i] = (U_CHAR) read_byte(sinfo);
}
}