author | Sana.Kazi <Sana.Kazi@kpit.com> | 2022-07-25 14:08:25 +0530 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2022-08-08 16:23:33 +0100 |
commit | 97810ff2d785693f66a128bd3bfd71783004db49 (patch) | |
tree | 7a338609a828ddf893ee2eb209a8af7faa2ebe8d | |
parent | d32392304723d9cfd16bde573c311d8ce1238810 (diff) | |
download | poky-97810ff2d785693f66a128bd3bfd71783004db49.tar.gz |
libjpeg-turbo: Fix CVE-2021-46822
Add patch to fix CVE-2021-46822
Link: https://github.com/libjpeg-turbo/libjpeg-turbo/commit/f35fd27ec641c42d6b115bfa595e483ec58188d2.patch
(From OE-Core rev: 80d14a9aaff273daca68c2e860701d51fee45851)
Signed-off-by: Bhabu Bindu <bhabu.bindu@kpit.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r-- | meta/recipes-graphics/jpeg/files/CVE-2021-46822.patch | 133 | ||||
-rw-r--r-- | meta/recipes-graphics/jpeg/libjpeg-turbo_2.0.4.bb | 1 |
2 files changed, 134 insertions, 0 deletions
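--- /dev/null
+++ b/meta/recipes-graphics/jpeg/files/CVE-2021-46822.patch
@@ -0,0 +1,133 @@
+From f35fd27ec641c42d6b115bfa595e483ec58188d2 Mon Sep 17 00:00:00 2001
+From: DRC <information@libjpeg-turbo.org>
+Date: Tue, 6 Apr 2021 12:51:03 -0500
+Subject: [PATCH] tjLoadImage: Fix issues w/loading 16-bit PPMs/PGMs
+
+- The PPM reader now throws an error rather than segfaulting (due to a
+buffer overrun) if an application attempts to load a 16-bit PPM file
+into a grayscale uncompressed image buffer. No known applications
+allowed that (not even the test applications in libjpeg-turbo),
+because that mode of operation was never expected to work and did not
+work under any circumstances. (In fact, it was necessary to modify
+TJBench in order to reproduce the issue outside of a fuzzing
+environment.) This was purely a matter of making the library bow out
+gracefully rather than crash if an application tries to do something
+really stupid.
+
+- The PPM reader now throws an error rather than generating incorrect
+pixels if an application attempts to load a 16-bit PGM file into an
+RGB uncompressed image buffer.
+
+- The PPM reader now correctly loads 16-bit PPM files into extended
+RGB uncompressed image buffers. (Previously it generated incorrect
+pixels unless the input colorspace was JCS_RGB or JCS_EXT_RGB.)
+
+The only way that users could have potentially encountered these issues
+was through the tjLoadImage() function. cjpeg and TJBench were
+unaffected.
+
+CVE: CVE-2021-46822
+Upstream-Status: Backport [https://github.com/libjpeg-turbo/libjpeg-turbo/commit/f35fd27ec641c42d6b115bfa595e483ec58188d2.patch]
+Comment: Refreshed hunks from ChangeLog.md
+Refreshed hunks from rdppm.c
+
+Signed-off-by: Bhabu Bindu <bhabu.bindu@kpit.com>
+
+---
+ChangeLog.md | 10 ++++++++++
+rdppm.c | 26 ++++++++++++++++++++------
+2 files changed, 30 insertions(+), 6 deletions(-)
+
+diff --git a/ChangeLog.md b/ChangeLog.md
+index 968969c6b..12e730a0e 100644
+--- a/ChangeLog.md
++++ b/ChangeLog.md
+@@ -44,6 +44,15 @@
+that maximum value was less than 255. libjpeg-turbo 1.5.0 already included a
+similar fix for binary PPM/PGM files with maximum values greater than 255.
+
++7. The PPM reader now throws an error, rather than segfaulting (due to a buffer
++overrun) or generating incorrect pixels, if an application attempts to use the
++`tjLoadImage()` function to load a 16-bit binary PPM file (a binary PPM file
++with a maximum value greater than 255) into a grayscale image buffer or to load
++a 16-bit binary PGM file into an RGB image buffer.
++
++8. Fixed an issue in the PPM reader that caused incorrect pixels to be
++generated when using the `tjLoadImage()` function to load a 16-bit binary PPM
++file into an extended RGB image buffer.
+
+2.0.3
+=====
+diff --git a/rdppm.c b/rdppm.c
+index c4c937e8a..6ac8fdbf7 100644
+--- a/rdppm.c
++++ b/rdppm.c
+@@ -5,7 +5,7 @@
+* Copyright (C) 1991-1997, Thomas G. Lane.
+* Modified 2009 by Bill Allombert, Guido Vollbeding.
+* libjpeg-turbo Modifications:
+- * Copyright (C) 2015-2017, 2020, D. R. Commander.
++ * Copyright (C) 2015-2017, 2020-2021, D. R. Commander.
+* For conditions of distribution and use, see the accompanying README.ijg
+* file.
+*
+@@ -516,6 +516,11 @@ get_word_rgb_row(j_compress_ptr cinfo, cjpeg_source_ptr sinfo)
+register JSAMPLE *rescale = source->rescale;
+JDIMENSION col;
+unsigned int maxval = source->maxval;
++ register int rindex = rgb_red[cinfo->in_color_space];
++ register int gindex = rgb_green[cinfo->in_color_space];
++ register int bindex = rgb_blue[cinfo->in_color_space];
++ register int aindex = alpha_index[cinfo->in_color_space];
++ register int ps = rgb_pixelsize[cinfo->in_color_space];
+
+if (!ReadOK(source->pub.input_file, source->iobuffer, source->buffer_width))
+ERREXIT(cinfo, JERR_INPUT_EOF);
+@@ -527,17 +532,20 @@ get_word_rgb_row(j_compress_ptr cinfo, cjpeg_source_ptr sinfo)
+temp |= UCH(*bufferptr++);
+if (temp > maxval)
+ERREXIT(cinfo, JERR_PPM_OUTOFRANGE);
+- *ptr++ = rescale[temp];
++ ptr[rindex] = rescale[temp];
+temp = UCH(*bufferptr++) << 8;
+temp |= UCH(*bufferptr++);
+if (temp > maxval)
+ERREXIT(cinfo, JERR_PPM_OUTOFRANGE);
+- *ptr++ = rescale[temp];
++ ptr[gindex] = rescale[temp];
+temp = UCH(*bufferptr++) << 8;
+temp |= UCH(*bufferptr++);
+if (temp > maxval)
+ERREXIT(cinfo, JERR_PPM_OUTOFRANGE);
+- *ptr++ = rescale[temp];
++ ptr[bindex] = rescale[temp];
++ if (aindex >= 0)
++ ptr[aindex] = 0xFF;
++ ptr += ps;
+}
+return 1;
+}
+@@ -624,7 +632,10 @@ start_input_ppm(j_compress_ptr cinfo, cjpeg_source_ptr sinfo)
+cinfo->in_color_space = JCS_GRAYSCALE;
+TRACEMS2(cinfo, 1, JTRC_PGM, w, h);
+if (maxval > 255) {
+- source->pub.get_pixel_rows = get_word_gray_row;
++ if (cinfo->in_color_space == JCS_GRAYSCALE)
++ source->pub.get_pixel_rows = get_word_gray_row;
++ else
++ ERREXIT(cinfo, JERR_BAD_IN_COLORSPACE);
+} else if (maxval == MAXJSAMPLE && sizeof(JSAMPLE) == sizeof(U_CHAR) &&
+cinfo->in_color_space == JCS_GRAYSCALE) {
+source->pub.get_pixel_rows = get_raw_row;
+@@ -657,7 +657,10 @@
+cinfo->in_color_space = JCS_EXT_RGB;
+TRACEMS2(cinfo, 1, JTRC_PPM, w, h);
+if (maxval > 255) {
+- source->pub.get_pixel_rows = get_word_rgb_row;
++ if (IsExtRGB(cinfo->in_color_space))
++ source->pub.get_pixel_rows = get_word_rgb_row;
++ else
++ ERREXIT(cinfo, JERR_BAD_IN_COLORSPACE);
+} else if (maxval == MAXJSAMPLE && sizeof(JSAMPLE) == sizeof(U_CHAR) &&
+(cinfo->in_color_space == JCS_EXT_RGB
+#if RGB_RED == 0 && RGB_GREEN == 1 && RGB_BLUE == 2 && RGB_PIXELSIZE == 3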
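Review bot: In the get_word_rgb_row hunks the write stride becomes `ptr += ps` with an extra store at `ptr[aindex]`, so a row now writes up to `ps` bytes per pixel where the removed `*ptr++` lines always wrote three; the row-buffer allocation lies outside the visible hunks, so it should be confirmed against the 2.0.4 source that the buffer is sized from the same `rgb_pixelsize[cinfo->in_color_space]` value. The index lookups are only valid because start_input_ppm (whose body also starts and ends outside these hunks) now installs this reader only when `IsExtRGB(cinfo->in_color_space)` holds; a comment above the lookups such as `/* Caller guarantees IsExtRGB(in_color_space); see start_input_ppm() */` would record that dependency. The final rdppm.c hunk header `@@ -657,7 +657,10 @@` has equal old and new start lines although the preceding hunk `@@ -624,7 +632,10 @@` already carries an offset, which suggests it was edited by hand; regenerating the patch against the recipe's source tree would keep it from applying only by offset or fuzz.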
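--- a/meta/recipes-graphics/jpeg/libjpeg-turbo_2.0.4.bb
+++ b/meta/recipes-graphics/jpeg/libjpeg-turbo_2.0.4.bb
@@ -13,6 +13,7 @@ DEPENDS_append_x86_class-target = " nasm-native"
 SRC_URI = "${SOURCEFORGE_MIRROR}/${BPN}/${BPN}-${PV}.tar.gz \
 file://0001-libjpeg-turbo-fix-package_qa-error.patch \
 file://CVE-2020-13790.patch \
+file://CVE-2021-46822.patch \
 "
 
 SRC_URI[md5sum] = "d01d9e0c28c27bc0de9f4e2e8ff49855"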