authorjason.lau <Haitao.Liu@windriver.com>2020-06-18 08:31:36 (GMT)
committerRichard Purdie <richard.purdie@linuxfoundation.org>2020-07-08 09:47:50 (GMT)
commit09d29eb36a335cadb1249f6849e090d22bbf5a2e (patch)
tree5689a6eb1a67da081206dff08d20b83f118e0de0
parente1d89748ec66ede80b08576b3f350ac5f84faaff (diff)
downloadpoky-09d29eb36a335cadb1249f6849e090d22bbf5a2e.tar.gz
libjpeg-turbo: Fix CVE-2020-13790
libjpeg-turbo 2.0.4 has a heap-based buffer over-read in get_rgb_row() in rdppm.c via a malformed PPM input file. Upstream-Status: Backport [https://github.com/libjpeg-turbo/libjpeg-turbo/commit/3de15e0c344d11d4b90f4a47136467053eb2d09a] CVE:CVE-2020-13790 (From OE-Core rev: 90f4e2f299d8cd6c839b73307dc7b0ec3d389294) Signed-off-by: Liu Haitao <haitao.liu@windriver.com> Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r--meta/recipes-graphics/jpeg/files/0001-rdppm.c-Fix-buf-overrun-caused-by-bad-binary-PPM.patch81
-rw-r--r--meta/recipes-graphics/jpeg/libjpeg-turbo_2.0.3.bb1
2 files changed, 82 insertions, 0 deletions
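diff --git a/meta/recipes-graphics/jpeg/files/0001-rdppm.c-Fix-buf-overrun-caused-by-bad-binary-PPM.patch b/meta/recipes-graphics/jpeg/files/0001-rdppm.c-Fix-buf-overrun-caused-by-bad-binary-PPM.patch
new file mode 100644
index 0000000..03b6dba
--- /dev/null
+++ b/meta/recipes-graphics/jpeg/files/0001-rdppm.c-Fix-buf-overrun-caused-by-bad-binary-PPM.patch
@@ -0,0 +1,81 @@
+From ade1818b7542ef9e11ece5ce98df91fab45d674c Mon Sep 17 00:00:00 2001
+From: DRC <information@libjpeg-turbo.org>
+Date: Tue, 2 Jun 2020 14:15:37 -0500
+Subject: [PATCH] rdppm.c: Fix buf overrun caused by bad binary PPM
+
+This extends the fix in 1e81b0c3ea26f4ea8f56de05367469333de64a9f to
+include binary PPM files with maximum values < 255, thus preventing a
+malformed binary PPM input file with those specifications from
+triggering an overrun of the rescale array and potentially crashing
+cjpeg, TJBench, or any program that uses the tjLoadImage() function.
+
+Fixes #433
+
+CVE: CVE-2020-13790
+
+Signed-off-by: Liu Haitao <haitao.liu@windriver.com>
+---
+ ChangeLog.md | 20 ++++++++++++++++----
+ rdppm.c | 4 ++--
+ 2 files changed, 18 insertions(+), 6 deletions(-)
+
+diff --git a/ChangeLog.md b/ChangeLog.md
+index 3667d12..198c7b8 100644
+--- a/ChangeLog.md
++++ b/ChangeLog.md
+@@ -1,3 +1,15 @@
++2.0.4
++=====
++
++### Significant changes relative to 2.0.3:
++
++1. Fixed an issue in the PPM reader that caused a buffer overrun in cjpeg,
++TJBench, or the `tjLoadImage()` function if one of the values in a binary
++PPM/PGM input file exceeded the maximum value defined in the file's header and
++that maximum value was less than 255. libjpeg-turbo 1.5.0 already included a
++similar fix for binary PPM/PGM files with maximum values greater than 255.
++
++
+ 2.0.3
+ =====
+
+@@ -520,10 +532,10 @@ application was linked against.
+
+ 3. Fixed a couple of issues in the PPM reader that would cause buffer overruns
+ in cjpeg if one of the values in a binary PPM/PGM input file exceeded the
+-maximum value defined in the file's header. libjpeg-turbo 1.4.2 already
+-included a similar fix for ASCII PPM/PGM files. Note that these issues were
+-not security bugs, since they were confined to the cjpeg program and did not
+-affect any of the libjpeg-turbo libraries.
++maximum value defined in the file's header and that maximum value was greater
++than 255. libjpeg-turbo 1.4.2 already included a similar fix for ASCII PPM/PGM
++files. Note that these issues were not security bugs, since they were confined
++to the cjpeg program and did not affect any of the libjpeg-turbo libraries.
+
+ 4. Fixed an issue whereby attempting to decompress a JPEG file with a corrupt
+ header using the `tjDecompressToYUV2()` function would cause the function to
+diff --git a/rdppm.c b/rdppm.c
+index 87bc330..a8507b9 100644
+--- a/rdppm.c
++++ b/rdppm.c
+@@ -5,7 +5,7 @@
+ * Copyright (C) 1991-1997, Thomas G. Lane.
+ * Modified 2009 by Bill Allombert, Guido Vollbeding.
+ * libjpeg-turbo Modifications:
+- * Copyright (C) 2015-2017, D. R. Commander.
++ * Copyright (C) 2015-2017, 2020, D. R. Commander.
+ * For conditions of distribution and use, see the accompanying README.ijg
+ * file.
+ *
+@@ -720,7 +720,7 @@ start_input_ppm(j_compress_ptr cinfo, cjpeg_source_ptr sinfo)
+ /* On 16-bit-int machines we have to be careful of maxval = 65535 */
+ source->rescale = (JSAMPLE *)
+ (*cinfo->mem->alloc_small) ((j_common_ptr)cinfo, JPOOL_IMAGE,
+- (size_t)(((long)maxval + 1L) *
++ (size_t)(((long)MAX(maxval, 255) + 1L) *
+ sizeof(JSAMPLE)));
+ half_maxval = maxval / 2;
+ for (val = 0; val <= (long)maxval; val++) {
+--
+2.17.0
+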
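Review bot: In the embedded rdppm.c hunk for start_input_ppm(), the rescale table is now allocated with `MAX(maxval, 255) + 1` entries, but the visible fill loop still stops at `val <= (long)maxval`, so for maxval < 255 the entries above maxval appear to keep whatever alloc_small() returned. An out-of-range sample byte would then stay inside the allocation but read an uninitialised entry. Consider zeroing the table right after the allocation, e.g. `MEMZERO(source->rescale, (size_t)(((long)MAX(maxval, 255) + 1L) * sizeof(JSAMPLE)));`, or check whether a later upstream change already does this and backport it alongside. The loop body and the rest of start_input_ppm() lie outside the hunk, so this is inferred from the visible lines only. Separately, the patch header carries the `CVE:` tag but no `Upstream-Status:` line; the backport reference appears only in the commit message and is worth repeating in the patch file itself.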
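diff --git a/meta/recipes-graphics/jpeg/libjpeg-turbo_2.0.3.bb b/meta/recipes-graphics/jpeg/libjpeg-turbo_2.0.3.bb
index 1cf854d..8ea81f3 100644
--- a/meta/recipes-graphics/jpeg/libjpeg-turbo_2.0.3.bb
+++ b/meta/recipes-graphics/jpeg/libjpeg-turbo_2.0.3.bb
@@ -12,6 +12,7 @@ DEPENDS_append_x86_class-target = " nasm-native"
 
 SRC_URI = "${SOURCEFORGE_MIRROR}/${BPN}/${BPN}-${PV}.tar.gz \
  file://0001-libjpeg-turbo-fix-package_qa-error.patch \
+ file://0001-rdppm.c-Fix-buf-overrun-caused-by-bad-binary-PPM.patch \
  "
 
 SRC_URI[md5sum] = "bd07fddf26f9def7bab02739eb655116"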