From 6771703192dfb03c18b0889f9431b83d3181ceb3 Mon Sep 17 00:00:00 2001
From: Nathan Owens
Date: Sun, 6 Jan 2019 17:17:57 -0600
Subject: [PATCH] libjpeg-turbo: fix CVE-2018-19664 and additional int overflow

---
 ...-Fix-int-overflow-segfault-w-big-BMP.patch | 42 +++++++++++++++++++
 ...on-t-allow-quantization-w-non-RGB-CS.patch | 30 +++++++++++++
 srcpkgs/libjpeg-turbo/template | 4 +-
 3 files changed, 74 insertions(+), 2 deletions(-)
 create mode 100644 srcpkgs/libjpeg-turbo/patches/0001-tjLoadImage-Fix-int-overflow-segfault-w-big-BMP.patch
 create mode 100644 srcpkgs/libjpeg-turbo/patches/0002-wrbmp.c-Don-t-allow-quantization-w-non-RGB-CS.patch

diff --git a/srcpkgs/libjpeg-turbo/patches/0001-tjLoadImage-Fix-int-overflow-segfault-w-big-BMP.patch b/srcpkgs/libjpeg-turbo/patches/0001-tjLoadImage-Fix-int-overflow-segfault-w-big-BMP.patch
new file mode 100644
index 0000000000..1478bdf3db
--- /dev/null
+++ b/srcpkgs/libjpeg-turbo/patches/0001-tjLoadImage-Fix-int-overflow-segfault-w-big-BMP.patch
@@ -0,0 +1,42 @@
+From 1e18a1a09af9f143400cedc54a210f616c80ffb9 Mon Sep 17 00:00:00 2001
+From: DRC
+Date: Tue, 1 Jan 2019 18:57:36 -0600
+Subject: [PATCH] tjLoadImage(): Fix int overflow/segfault w/big BMP
+
+Fixes #304
+---
+diff --git turbojpeg.c turbojpeg.c
+index 90a9ce6..3f7cd64 100644
+--- turbojpeg.c
++++ turbojpeg.c
+@@ -1,5 +1,5 @@
+ /*
+- * Copyright (C)2009-2018 D. R. Commander. All Rights Reserved.
++ * Copyright (C)2009-2019 D. R. Commander. All Rights Reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+@@ -1960,7 +1960,8 @@ DLLEXPORT unsigned char *tjLoadImage(const char *filename, int *width,
+ int align, int *height, int *pixelFormat,
+ int flags)
+ {
+- int retval = 0, tempc, pitch;
++ int retval = 0, tempc;
++ size_t pitch;
+ tjhandle handle = NULL;
+ tjinstance *this;
+ j_compress_ptr cinfo = NULL;
+@@ -2013,7 +2014,9 @@ DLLEXPORT unsigned char *tjLoadImage(const char *filename, int *width,
+ *pixelFormat = cs2pf[cinfo->in_color_space];
+
+ pitch = PAD((*width) * tjPixelSize[*pixelFormat], align);
+- if ((dstBuf = (unsigned char *)malloc(pitch * (*height))) == NULL)
++ if ((unsigned long long)pitch * (unsigned long long)(*height) >
++ (unsigned long long)((size_t)-1) ||
++ (dstBuf = (unsigned char *)malloc(pitch * (*height))) == NULL)
+ _throwg("tjLoadImage(): Memory allocation failure");
+
+ if (setjmp(this->jerr.setjmp_buffer)) {
+--
+2.20.1
+
diff --git a/srcpkgs/libjpeg-turbo/patches/0002-wrbmp.c-Don-t-allow-quantization-w-non-RGB-CS.patch b/srcpkgs/libjpeg-turbo/patches/0002-wrbmp.c-Don-t-allow-quantization-w-non-RGB-CS.patch
new file mode 100644
index 0000000000..b03ef9dc5d
--- /dev/null
+++ b/srcpkgs/libjpeg-turbo/patches/0002-wrbmp.c-Don-t-allow-quantization-w-non-RGB-CS.patch
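Review bot: The new size check in the third nested hunk guards only the `pitch * (*height)` product; the row-pitch computation one line above it, `pitch = PAD((*width) * tjPixelSize[*pixelFormat], align);`, still multiplies two `int` values before the result is widened to `size_t`, so a sufficiently wide BMP overflows in signed arithmetic (undefined behavior) before the guard ever runs. Casting the width first, `pitch = PAD((size_t)(*width) * tjPixelSize[*pixelFormat], align);`, would let the added check cover that product as well, assuming PAD is a plain alignment macro that preserves its argument's type (its definition is not in the hunk). Note too that on an LP64 target `unsigned long long` and `size_t` have the same width, so with `int` operands the comparison against `(size_t)-1` cannot fire there; the added protection is effectively for 32-bit builds, which deserves a one-line comment if this patch is kept locally. tjLoadImage() begins and ends outside the nested hunk.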
@@ -0,0 +1,30 @@
+From 64bbd161f2a82c76db1f62a44714416ef44648a7 Mon Sep 17 00:00:00 2001
+From: DRC
+Date: Tue, 1 Jan 2019 20:32:40 -0600
+Subject: [PATCH] wrbmp.c: Don't allow quantization w/ non-RGB CS
+
+If cinfo->quantize_colors == 1, then jpeg_calc_output_dimensions() will
+set cinfo->output_components to 1, and if cinfo->out_color_space is not
+RGB (or extended RGB), hilarity will ensue.
+
+Fixes #305
+---
+diff --git wrbmp.c wrbmp.c
+index 38a64e8..3489f14 100644
+--- wrbmp.c
++++ wrbmp.c
+@@ -506,8 +506,9 @@ jinit_write_bmp(j_decompress_ptr cinfo, boolean is_os2,
+ dest->pub.put_pixel_rows = put_gray_rows;
+ else
+ dest->pub.put_pixel_rows = put_pixel_rows;
+- } else if (cinfo->out_color_space == JCS_RGB565 ||
+- cinfo->out_color_space == JCS_CMYK) {
++ } else if (!cinfo->quantize_colors &&
++ (cinfo->out_color_space == JCS_RGB565 ||
++ cinfo->out_color_space == JCS_CMYK)) {
+ dest->pub.put_pixel_rows = put_pixel_rows;
+ } else {
+ ERREXIT(cinfo, JERR_BMP_COLORSPACE);
+--
+2.20.1
+
diff --git a/srcpkgs/libjpeg-turbo/template b/srcpkgs/libjpeg-turbo/template
index 71bb2e8633..9c2eb479dd 100644
--- a/srcpkgs/libjpeg-turbo/template
+++ b/srcpkgs/libjpeg-turbo/template
@@ -1,14 +1,14 @@
 # Template file for 'libjpeg-turbo'
 pkgname=libjpeg-turbo
 version=2.0.1
-revision=1
+revision=2
 build_style=cmake
 configure_args="-DWITH_JPEG8=1 -DCMAKE_INSTALL_LIBDIR=/usr/lib"
 hostmakedepends="yasm"
 short_desc="Derivative of libjpeg which uses SIMD instructions"
 maintainer="Juan RP "
 license="IJG, BSD-3-Clause, Zlib"
-homepage="http://libjpeg-turbo.virtualgl.org/"
+homepage="https://libjpeg-turbo.org/"
 distfiles="${SOURCEFORGE_SITE}/${pkgname}/${pkgname}-${version}.tar.gz"
 checksum=e5f86cec31df1d39596e0cca619ab1b01f99025a27dafdfc97a30f3a12f866ff
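Review bot: The added `!cinfo->quantize_colors &&` condition encodes an invariant that only the patch description states (quantization forces output_components to 1), so a reader of wrbmp.c cannot see why RGB565/CMYK output is refused precisely when quantizing and accepted otherwise. A one-line comment above the `else if`, `/* Quantization forces output_components == 1, which the RGB565/CMYK row writer cannot consume; fall through to JERR_BMP_COLORSPACE. */`, would carry that reasoning into the source instead of leaving it in the commit message. jinit_write_bmp() begins and ends outside the nested hunk.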