libjpeg-turbo: fix CVE-2020-13790

(From OE-Core rev: d4662adbb34d8c4a23fe7f111c2c991b1aedeaef) Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Lee Chee Yang <chee.yang.lee@intel.com> 2020-08-07 17:45:18 +0800
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2020-08-12 10:53:47 +0100
commit: 24f6a075e52ab2d88bd24f61526ee21d58ca1b33 (patch)
tree: 720d2c7ebcb1b81a298387e68766a3a4ee3a9b32
parent: 697e30dcb2953caf7c79f631dab77943e5b19703 (diff)
download: poky-24f6a075e52ab2d88bd24f61526ee21d58ca1b33.tar.gz
2 files changed, 77 insertions, 0 deletions
diff --git a/meta/recipes-graphics/jpeg/files/CVE-2020-13790.patch b/meta/recipes-graphics/jpeg/files/CVE-2020-13790.patch
new file mode 100644
index 0000000000..4617978bdc
--- /dev/null
+++ b/meta/recipes-graphics/jpeg/files/CVE-2020-13790.patch
@@ -0,0 +1,76 @@
+From 07caad7e0a9afb372e0608299fb3e832cc78495f Mon Sep 17 00:00:00 2001
+From: DRC <information@libjpeg-turbo.org>
+Date: Tue, 2 Jun 2020 14:15:37 -0500
+Subject: [PATCH] rdppm.c: Fix buf overrun caused by bad binary PPM
+This extends the fix in 1e81b0c3ea26f4ea8f56de05367469333de64a9f to
+include binary PPM files with maximum values < 255, thus preventing a
+malformed binary PPM input file with those specifications from
+triggering an overrun of the rescale array and potentially crashing
+cjpeg, TJBench, or any program that uses the tjLoadImage() function.
+Fixes #433
+Upstream-Status: Backport [https://github.com/libjpeg-turbo/libjpeg-turbo/commit/3de15e0c344d11d4b90f4a47136467053eb2d09a]
+CVE: CVE-2020-13790
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+ ChangeLog.md | 14 ++++++++++----
+ rdppm.c      |  4 ++--
+ 2 files changed, 12 insertions(+), 6 deletions(-)
+diff --git a/ChangeLog.md b/ChangeLog.md
+index 4d1219e..af660ab 100644
+--- a/ChangeLog.md
+++ b/ChangeLog.md
+@@ -38,6 +38,12 @@ this issue did not likely pose a security risk.
+ separate read-only data section rather than in the text section, to support
+ execute-only memory layouts.
+ 
+3. Fixed an issue in the PPM reader that caused a buffer overrun in cjpeg,
+TJBench, or the `tjLoadImage()` function if one of the values in a binary
+PPM/PGM input file exceeded the maximum value defined in the file's header and
+that maximum value was less than 255.  libjpeg-turbo 1.5.0 already included a
+similar fix for binary PPM/PGM files with maximum values greater than 255.
+
+ 
+ 2.0.3
+ =====
+@@ -562,10 +568,10 @@ application was linked against.
+ 
+ 3. Fixed a couple of issues in the PPM reader that would cause buffer overruns
+ in cjpeg if one of the values in a binary PPM/PGM input file exceeded the
+-maximum value defined in the file's header.  libjpeg-turbo 1.4.2 already
+-included a similar fix for ASCII PPM/PGM files.  Note that these issues were
+-not security bugs, since they were confined to the cjpeg program and did not
+-affect any of the libjpeg-turbo libraries.
+maximum value defined in the file's header and that maximum value was greater
+than 255.  libjpeg-turbo 1.4.2 already included a similar fix for ASCII PPM/PGM
+files.  Note that these issues were not security bugs, since they were confined
+to the cjpeg program and did not affect any of the libjpeg-turbo libraries.
+ 
+ 4. Fixed an issue whereby attempting to decompress a JPEG file with a corrupt
+ header using the `tjDecompressToYUV2()` function would cause the function to
+diff --git a/rdppm.c b/rdppm.c
+index 87bc330..a8507b9 100644
+--- a/rdppm.c
+++ b/rdppm.c
+@@ -5,7 +5,7 @@
+  * Copyright (C) 1991-1997, Thomas G. Lane.
+  * Modified 2009 by Bill Allombert, Guido Vollbeding.
+  * libjpeg-turbo Modifications:
+- * Copyright (C) 2015-2017, D. R. Commander.
+ * Copyright (C) 2015-2017, 2020, D. R. Commander.
+  * For conditions of distribution and use, see the accompanying README.ijg
+  * file.
+  *
+@@ -720,7 +720,7 @@ start_input_ppm(j_compress_ptr cinfo, cjpeg_source_ptr sinfo)
+     /* On 16-bit-int machines we have to be careful of maxval = 65535 */
+     source->rescale = (JSAMPLE *)
+       (*cinfo->mem->alloc_small) ((j_common_ptr)cinfo, JPOOL_IMAGE,
+-                                  (size_t)(((long)maxval + 1L) *
+                                  (size_t)(((long)MAX(maxval, 255) + 1L) *
+                                            sizeof(JSAMPLE)));
+     half_maxval = maxval / 2;
+     for (val = 0; val <= (long)maxval; val++) {
diff --git a/meta/recipes-graphics/jpeg/libjpeg-turbo_2.0.4.bb b/meta/recipes-graphics/jpeg/libjpeg-turbo_2.0.4.bb
index 1f49fd3d3b..3005a8a789 100644
--- a/meta/recipes-graphics/jpeg/libjpeg-turbo_2.0.4.bb
+++ b/meta/recipes-graphics/jpeg/libjpeg-turbo_2.0.4.bb
@@ -12,6 +12,7 @@ DEPENDS_append_x86_class-target    = " nasm-native"
 SRC_URI = "${SOURCEFORGE_MIRROR}/${BPN}/${BPN}-${PV}.tar.gz \
           file://0001-libjpeg-turbo-fix-package_qa-error.patch \
+           file://CVE-2020-13790.patch \
           "
 SRC_URI[md5sum] = "d01d9e0c28c27bc0de9f4e2e8ff49855"
author	Lee Chee Yang <chee.yang.lee@intel.com>	2020-08-07 17:45:18 +0800
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2020-08-12 10:53:47 +0100
commit	24f6a075e52ab2d88bd24f61526ee21d58ca1b33 (patch)
tree	720d2c7ebcb1b81a298387e68766a3a4ee3a9b32
parent	697e30dcb2953caf7c79f631dab77943e5b19703 (diff)
download	poky-24f6a075e52ab2d88bd24f61526ee21d58ca1b33.tar.gz

diff --git a/meta/recipes-graphics/jpeg/files/CVE-2020-13790.patch b/meta/recipes-graphics/jpeg/files/CVE-2020-13790.patch new file mode 100644 index 0000000000..4617978bdc --- /dev/null +++ b/meta/recipes-graphics/jpeg/files/CVE-2020-13790.patch
@@ -0,0 +1,76 @@
		1	From 07caad7e0a9afb372e0608299fb3e832cc78495f Mon Sep 17 00:00:00 2001
		2	From: DRC <information@libjpeg-turbo.org>
		3	Date: Tue, 2 Jun 2020 14:15:37 -0500
		4	Subject: [PATCH] rdppm.c: Fix buf overrun caused by bad binary PPM
		5
		6	This extends the fix in 1e81b0c3ea26f4ea8f56de05367469333de64a9f to
		7	include binary PPM files with maximum values < 255, thus preventing a
		8	malformed binary PPM input file with those specifications from
		9	triggering an overrun of the rescale array and potentially crashing
		10	cjpeg, TJBench, or any program that uses the tjLoadImage() function.
		11
		12	Fixes #433
		13
		14	Upstream-Status: Backport [https://github.com/libjpeg-turbo/libjpeg-turbo/commit/3de15e0c344d11d4b90f4a47136467053eb2d09a]
		15	CVE: CVE-2020-13790
		16	Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
		17
		18	---
		19	ChangeLog.md \| 14 ++++++++++----
		20	rdppm.c \| 4 ++--
		21	2 files changed, 12 insertions(+), 6 deletions(-)
		22
		23	diff --git a/ChangeLog.md b/ChangeLog.md
		24	index 4d1219e..af660ab 100644
		25	--- a/ChangeLog.md
		26	+++ b/ChangeLog.md
		27	@@ -38,6 +38,12 @@ this issue did not likely pose a security risk.
		28	separate read-only data section rather than in the text section, to support
		29	execute-only memory layouts.
		30
		31	+3. Fixed an issue in the PPM reader that caused a buffer overrun in cjpeg,
		32	+TJBench, or the `tjLoadImage()` function if one of the values in a binary
		33	+PPM/PGM input file exceeded the maximum value defined in the file's header and
		34	+that maximum value was less than 255. libjpeg-turbo 1.5.0 already included a
		35	+similar fix for binary PPM/PGM files with maximum values greater than 255.
		36	+
		37
		38	2.0.3
		39	=====
		40	@@ -562,10 +568,10 @@ application was linked against.
		41
		42	3. Fixed a couple of issues in the PPM reader that would cause buffer overruns
		43	in cjpeg if one of the values in a binary PPM/PGM input file exceeded the
		44	-maximum value defined in the file's header. libjpeg-turbo 1.4.2 already
		45	-included a similar fix for ASCII PPM/PGM files. Note that these issues were
		46	-not security bugs, since they were confined to the cjpeg program and did not
		47	-affect any of the libjpeg-turbo libraries.
		48	+maximum value defined in the file's header and that maximum value was greater
		49	+than 255. libjpeg-turbo 1.4.2 already included a similar fix for ASCII PPM/PGM
		50	+files. Note that these issues were not security bugs, since they were confined
		51	+to the cjpeg program and did not affect any of the libjpeg-turbo libraries.
		52
		53	4. Fixed an issue whereby attempting to decompress a JPEG file with a corrupt
		54	header using the `tjDecompressToYUV2()` function would cause the function to
		55	diff --git a/rdppm.c b/rdppm.c
		56	index 87bc330..a8507b9 100644
		57	--- a/rdppm.c
		58	+++ b/rdppm.c
		59	@@ -5,7 +5,7 @@
		60	* Copyright (C) 1991-1997, Thomas G. Lane.
		61	* Modified 2009 by Bill Allombert, Guido Vollbeding.
		62	* libjpeg-turbo Modifications:
		63	- * Copyright (C) 2015-2017, D. R. Commander.
		64	+ * Copyright (C) 2015-2017, 2020, D. R. Commander.
		65	* For conditions of distribution and use, see the accompanying README.ijg
		66	* file.
		67	*
		68	@@ -720,7 +720,7 @@ start_input_ppm(j_compress_ptr cinfo, cjpeg_source_ptr sinfo)
		69	/* On 16-bit-int machines we have to be careful of maxval = 65535 */
		70	source->rescale = (JSAMPLE *)
		71	(*cinfo->mem->alloc_small) ((j_common_ptr)cinfo, JPOOL_IMAGE,
		72	- (size_t)(((long)maxval + 1L) *
		73	+ (size_t)(((long)MAX(maxval, 255) + 1L) *
		74	sizeof(JSAMPLE)));
		75	half_maxval = maxval / 2;
		76	for (val = 0; val <= (long)maxval; val++) {


diff --git a/meta/recipes-graphics/jpeg/libjpeg-turbo_2.0.4.bb b/meta/recipes-graphics/jpeg/libjpeg-turbo_2.0.4.bb index 1f49fd3d3b..3005a8a789 100644 --- a/meta/recipes-graphics/jpeg/libjpeg-turbo_2.0.4.bb +++ b/meta/recipes-graphics/jpeg/libjpeg-turbo_2.0.4.bb
@@ -12,6 +12,7 @@ DEPENDS_append_x86_class-target = " nasm-native"
12		12
13	SRC_URI = "${SOURCEFORGE_MIRROR}/${BPN}/${BPN}-${PV}.tar.gz \	13	SRC_URI = "${SOURCEFORGE_MIRROR}/${BPN}/${BPN}-${PV}.tar.gz \
14	file://0001-libjpeg-turbo-fix-package_qa-error.patch \	14	file://0001-libjpeg-turbo-fix-package_qa-error.patch \
		15	file://CVE-2020-13790.patch \
15	"	16	"
16		17
17	SRC_URI[md5sum] = "d01d9e0c28c27bc0de9f4e2e8ff49855"	18	SRC_URI[md5sum] = "d01d9e0c28c27bc0de9f4e2e8ff49855"