libjpeg-turbo: patch CVE-2023-2804

Relevant links: * linked fronm NVD: * https://github.com/libjpeg-turbo/libjpeg-turbo/issues/668#issuecomment-1492586118 * follow-up analysis: * https://github.com/libjpeg-turbo/libjpeg-turbo/issues/668#issuecomment-1496473989 * picked commits fix all issues mentioned in this analysis (From OE-Core rev: cb3c7efd313f758e9bade93b72527bc5dc470085) Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
author: Peter Marko <peter.marko@siemens.com> 2023-07-23 13:44:14 +0200
committer: Steve Sakoman <steve@sakoman.com> 2023-08-16 03:55:12 -1000
commit: 762bfb5fc5036c8fbea8d345a587a12e8b4eb908 (patch)
tree: 2ce2919ce1a7eb2345c53b7cb8b05d5d109b0aba /meta/recipes-graphics
parent: dcc4dbf46374d8acbd6aade1d338681b48f15d1f (diff)
download: poky-762bfb5fc5036c8fbea8d345a587a12e8b4eb908.tar.gz
3 files changed, 174 insertions, 0 deletions
diff --git a/meta/recipes-graphics/jpeg/files/CVE-2023-2804-1.patch b/meta/recipes-graphics/jpeg/files/CVE-2023-2804-1.patch
new file mode 100644
index 0000000000..6668f6e41d
--- /dev/null
+++ b/meta/recipes-graphics/jpeg/files/CVE-2023-2804-1.patch
@@ -0,0 +1,97 @@
+From 9679473547874c472569d54fecce32b463999a9d Mon Sep 17 00:00:00 2001
+From: DRC <information@libjpeg-turbo.org>
+Date: Tue, 4 Apr 2023 19:06:20 -0500
+Subject: [PATCH] Decomp: Don't enable 2-pass color quant w/ RGB565
+The 2-pass color quantization algorithm assumes 3-sample pixels.  RGB565
+is the only 3-component colorspace that doesn't have 3-sample pixels, so
+we need to treat it as a special case when determining whether to enable
+2-pass color quantization.  Otherwise, attempting to initialize 2-pass
+color quantization with an RGB565 output buffer could cause
+prescan_quantize() to read from uninitialized memory and subsequently
+underflow/overflow the histogram array.
+djpeg is supposed to fail gracefully if both -rgb565 and -colors are
+specified, because none of its destination managers (image writers)
+support color quantization with RGB565.  However, prescan_quantize() was
+called before that could occur.  It is possible but very unlikely that
+these issues could have been reproduced in applications other than
+djpeg.  The issues involve the use of two features (12-bit precision and
+RGB565) that are incompatible, and they also involve the use of two
+rarely-used legacy features (RGB565 and color quantization) that don't
+make much sense when combined.
+Fixes #668
+Fixes #671
+Fixes #680
+CVE: CVE-2023-2804
+Upstream-Status: Backport [https://github.com/libjpeg-turbo/libjpeg-turbo/commit/9679473547874c472569d54fecce32b463999a9d]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ ChangeLog.md | 6 ++++++
+ jdmaster.c   | 5 +++--
+ jquant2.c    | 5 +++--
+ 3 files changed, 12 insertions(+), 4 deletions(-)
+diff --git a/ChangeLog.md b/ChangeLog.md
+index e605abe73..de0c4d0dd 100644
+--- a/ChangeLog.md
+++ b/ChangeLog.md
+@@ -1,3 +1,9 @@ quality values.
+9. Fixed an oversight in 1.4 beta1[8] that caused various segfaults and buffer
+overruns when attempting to decompress various specially-crafted malformed
+12-bit-per-component JPEG images using a 12-bit-per-component build of djpeg
+(`-DWITH_12BIT=1`) with both color quantization and RGB565 color conversion
+enabled.
+
+ 2.0.4
+ =====
+ 
+diff --git a/jdmaster.c b/jdmaster.c
+index b20906438..8d8ef9956 100644
+--- a/jdmaster.c
+++ b/jdmaster.c
+@@ -5,7 +5,7 @@
+  * Copyright (C) 1991-1997, Thomas G. Lane.
+  * Modified 2002-2009 by Guido Vollbeding.
+  * libjpeg-turbo Modifications:
+- * Copyright (C) 2009-2011, 2016, D. R. Commander.
+ * Copyright (C) 2009-2011, 2016, 2023, D. R. Commander.
+  * Copyright (C) 2013, Linaro Limited.
+  * Copyright (C) 2015, Google, Inc.
+  * For conditions of distribution and use, see the accompanying README.ijg
+@@ -492,7 +492,8 @@ master_selection(j_decompress_ptr cinfo)
+     if (cinfo->raw_data_out)
+       ERREXIT(cinfo, JERR_NOTIMPL);
+     /* 2-pass quantizer only works in 3-component color space. */
+-    if (cinfo->out_color_components != 3) {
+    if (cinfo->out_color_components != 3 ||
+        cinfo->out_color_space == JCS_RGB565) {
+       cinfo->enable_1pass_quant = TRUE;
+       cinfo->enable_external_quant = FALSE;
+       cinfo->enable_2pass_quant = FALSE;
+diff --git a/jquant2.c b/jquant2.c
+index 6570613bb..c760380fb 100644
+--- a/jquant2.c
+++ b/jquant2.c
+@@ -4,7 +4,7 @@
+  * This file was part of the Independent JPEG Group's software:
+  * Copyright (C) 1991-1996, Thomas G. Lane.
+  * libjpeg-turbo Modifications:
+- * Copyright (C) 2009, 2014-2015, D. R. Commander.
+ * Copyright (C) 2009, 2014-2015, 2020, 2023, D. R. Commander.
+  * For conditions of distribution and use, see the accompanying README.ijg
+  * file.
+  *
+@@ -1230,7 +1230,8 @@ jinit_2pass_quantizer(j_decompress_ptr cinfo)
+   cquantize->error_limiter = NULL;
+ 
+   /* Make sure jdmaster didn't give me a case I can't handle */
+-  if (cinfo->out_color_components != 3)
+  if (cinfo->out_color_components != 3 ||
+      cinfo->out_color_space == JCS_RGB565)
+     ERREXIT(cinfo, JERR_NOTIMPL);
+ 
+   /* Allocate the histogram/inverse colormap storage */
diff --git a/meta/recipes-graphics/jpeg/files/CVE-2023-2804-2.patch b/meta/recipes-graphics/jpeg/files/CVE-2023-2804-2.patch
new file mode 100644
index 0000000000..bcba0b513d
--- /dev/null
+++ b/meta/recipes-graphics/jpeg/files/CVE-2023-2804-2.patch
@@ -0,0 +1,75 @@
+From 0deab87e24ab3106d5332205f829d1846fa65001 Mon Sep 17 00:00:00 2001
+From: DRC <information@libjpeg-turbo.org>
+Date: Thu, 6 Apr 2023 18:33:41 -0500
+Subject: [PATCH] jpeg_crop_scanline: Fix calc w/sclg + 2x4,4x2 samp
+When computing the downsampled width for a particular component,
+jpeg_crop_scanline() needs to take into account the fact that the
+libjpeg code uses a combination of IDCT scaling and upsampling to
+implement 4x2 and 2x4 upsampling with certain decompression scaling
+factors.  Failing to account for that led to incomplete upsampling of
+4x2- or 2x4-subsampled components, which caused the color converter to
+read from uninitialized memory.  With 12-bit data precision, this caused
+a buffer overrun or underrun and subsequent segfault if the
+uninitialized memory contained a value that was outside of the valid
+sample range (because the color converter uses the value as an array
+index.)
+Fixes #669
+CVE: CVE-2023-2804
+Upstream-Status: Backport [https://github.com/libjpeg-turbo/libjpeg-turbo/commit/0deab87e24ab3106d5332205f829d1846fa65001]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ ChangeLog.md |  8 ++++++++
+ jdapistd.c   | 10 ++++++----
+ 2 files changed, 14 insertions(+), 4 deletions(-)
+diff --git a/ChangeLog.md b/ChangeLog.md
+index de0c4d0dd..159bd1610 100644
+--- a/ChangeLog.md
+++ b/ChangeLog.md
+@@ -4,6 +4,14 @@ overruns when attempting to decompress various specially-crafted malformed
+ (`-DWITH_12BIT=1`) with both color quantization and RGB565 color conversion
+ enabled.
+ 
+10. Fixed an issue whereby `jpeg_crop_scanline()` sometimes miscalculated the
+downsampled width for components with 4x2 or 2x4 subsampling factors if
+decompression scaling was enabled.  This caused the components to be upsampled
+incompletely, which caused the color converter to read from uninitialized
+memory.  With 12-bit data precision, this caused a buffer overrun or underrun
+and subsequent segfault if the sample value read from unitialized memory was
+outside of the valid sample range.
+
+ 2.0.4
+ =====
+ 
+diff --git a/jdapistd.c b/jdapistd.c
+index 628626254..eb577928c 100644
+--- a/jdapistd.c
+++ b/jdapistd.c
+@@ -4,7 +4,7 @@
+  * This file was part of the Independent JPEG Group's software:
+  * Copyright (C) 1994-1996, Thomas G. Lane.
+  * libjpeg-turbo Modifications:
+- * Copyright (C) 2010, 2015-2018, 2020, D. R. Commander.
+ * Copyright (C) 2010, 2015-2018, 2020, 2023, D. R. Commander.
+  * Copyright (C) 2015, Google, Inc.
+  * For conditions of distribution and use, see the accompanying README.ijg
+  * file.
+@@ -225,9 +225,11 @@ jpeg_crop_scanline(j_decompress_ptr cinfo, JDIMENSION *xoffset,
+     /* Set downsampled_width to the new output width. */
+     orig_downsampled_width = compptr->downsampled_width;
+     compptr->downsampled_width =
+-      (JDIMENSION)jdiv_round_up((long)(cinfo->output_width *
+-                                       compptr->h_samp_factor),
+-                                (long)cinfo->max_h_samp_factor);
+      (JDIMENSION)jdiv_round_up((long)cinfo->output_width *
+                                (long)(compptr->h_samp_factor *
+                                       compptr->_DCT_scaled_size),
+                                (long)(cinfo->max_h_samp_factor *
+                                       cinfo->_min_DCT_scaled_size));
+     if (compptr->downsampled_width < 2 && orig_downsampled_width >= 2)
+       reinit_upsampler = TRUE;
+ 
diff --git a/meta/recipes-graphics/jpeg/libjpeg-turbo_2.0.4.bb b/meta/recipes-graphics/jpeg/libjpeg-turbo_2.0.4.bb
index 630b20300f..fda425c219 100644
--- a/meta/recipes-graphics/jpeg/libjpeg-turbo_2.0.4.bb
+++ b/meta/recipes-graphics/jpeg/libjpeg-turbo_2.0.4.bb
@@ -16,6 +16,8 @@ SRC_URI = "${SOURCEFORGE_MIRROR}/${BPN}/${BPN}-${PV}.tar.gz \
           file://CVE-2021-46822.patch \
           file://CVE-2020-35538-1.patch \
           file://CVE-2020-35538-2.patch \
+           file://CVE-2023-2804-1.patch \
+           file://CVE-2023-2804-2.patch \
           "
 SRC_URI[md5sum] = "d01d9e0c28c27bc0de9f4e2e8ff49855"
author	Peter Marko <peter.marko@siemens.com>	2023-07-23 13:44:14 +0200
committer	Steve Sakoman <steve@sakoman.com>	2023-08-16 03:55:12 -1000
commit	762bfb5fc5036c8fbea8d345a587a12e8b4eb908 (patch)
tree	2ce2919ce1a7eb2345c53b7cb8b05d5d109b0aba /meta/recipes-graphics
parent	dcc4dbf46374d8acbd6aade1d338681b48f15d1f (diff)
download	poky-762bfb5fc5036c8fbea8d345a587a12e8b4eb908.tar.gz

diff --git a/meta/recipes-graphics/jpeg/files/CVE-2023-2804-1.patch b/meta/recipes-graphics/jpeg/files/CVE-2023-2804-1.patch new file mode 100644 index 0000000000..6668f6e41d --- /dev/null +++ b/meta/recipes-graphics/jpeg/files/CVE-2023-2804-1.patch
@@ -0,0 +1,97 @@
		1	From 9679473547874c472569d54fecce32b463999a9d Mon Sep 17 00:00:00 2001
		2	From: DRC <information@libjpeg-turbo.org>
		3	Date: Tue, 4 Apr 2023 19:06:20 -0500
		4	Subject: [PATCH] Decomp: Don't enable 2-pass color quant w/ RGB565
		5
		6	The 2-pass color quantization algorithm assumes 3-sample pixels. RGB565
		7	is the only 3-component colorspace that doesn't have 3-sample pixels, so
		8	we need to treat it as a special case when determining whether to enable
		9	2-pass color quantization. Otherwise, attempting to initialize 2-pass
		10	color quantization with an RGB565 output buffer could cause
		11	prescan_quantize() to read from uninitialized memory and subsequently
		12	underflow/overflow the histogram array.
		13
		14	djpeg is supposed to fail gracefully if both -rgb565 and -colors are
		15	specified, because none of its destination managers (image writers)
		16	support color quantization with RGB565. However, prescan_quantize() was
		17	called before that could occur. It is possible but very unlikely that
		18	these issues could have been reproduced in applications other than
		19	djpeg. The issues involve the use of two features (12-bit precision and
		20	RGB565) that are incompatible, and they also involve the use of two
		21	rarely-used legacy features (RGB565 and color quantization) that don't
		22	make much sense when combined.
		23
		24	Fixes #668
		25	Fixes #671
		26	Fixes #680
		27
		28	CVE: CVE-2023-2804
		29	Upstream-Status: Backport [https://github.com/libjpeg-turbo/libjpeg-turbo/commit/9679473547874c472569d54fecce32b463999a9d]
		30
		31	Signed-off-by: Peter Marko <peter.marko@siemens.com>
		32	---
		33	ChangeLog.md \| 6 ++++++
		34	jdmaster.c \| 5 +++--
		35	jquant2.c \| 5 +++--
		36	3 files changed, 12 insertions(+), 4 deletions(-)
		37
		38	diff --git a/ChangeLog.md b/ChangeLog.md
		39	index e605abe73..de0c4d0dd 100644
		40	--- a/ChangeLog.md
		41	+++ b/ChangeLog.md
		42	@@ -1,3 +1,9 @@ quality values.
		43	+9. Fixed an oversight in 1.4 beta1[8] that caused various segfaults and buffer
		44	+overruns when attempting to decompress various specially-crafted malformed
		45	+12-bit-per-component JPEG images using a 12-bit-per-component build of djpeg
		46	+(`-DWITH_12BIT=1`) with both color quantization and RGB565 color conversion
		47	+enabled.
		48	+
		49	2.0.4
		50	=====
		51
		52	diff --git a/jdmaster.c b/jdmaster.c
		53	index b20906438..8d8ef9956 100644
		54	--- a/jdmaster.c
		55	+++ b/jdmaster.c
		56	@@ -5,7 +5,7 @@
		57	* Copyright (C) 1991-1997, Thomas G. Lane.
		58	* Modified 2002-2009 by Guido Vollbeding.
		59	* libjpeg-turbo Modifications:
		60	- * Copyright (C) 2009-2011, 2016, D. R. Commander.
		61	+ * Copyright (C) 2009-2011, 2016, 2023, D. R. Commander.
		62	* Copyright (C) 2013, Linaro Limited.
		63	* Copyright (C) 2015, Google, Inc.
		64	* For conditions of distribution and use, see the accompanying README.ijg
		65	@@ -492,7 +492,8 @@ master_selection(j_decompress_ptr cinfo)
		66	if (cinfo->raw_data_out)
		67	ERREXIT(cinfo, JERR_NOTIMPL);
		68	/* 2-pass quantizer only works in 3-component color space. */
		69	- if (cinfo->out_color_components != 3) {
		70	+ if (cinfo->out_color_components != 3 \|\|
		71	+ cinfo->out_color_space == JCS_RGB565) {
		72	cinfo->enable_1pass_quant = TRUE;
		73	cinfo->enable_external_quant = FALSE;
		74	cinfo->enable_2pass_quant = FALSE;
		75	diff --git a/jquant2.c b/jquant2.c
		76	index 6570613bb..c760380fb 100644
		77	--- a/jquant2.c
		78	+++ b/jquant2.c
		79	@@ -4,7 +4,7 @@
		80	* This file was part of the Independent JPEG Group's software:
		81	* Copyright (C) 1991-1996, Thomas G. Lane.
		82	* libjpeg-turbo Modifications:
		83	- * Copyright (C) 2009, 2014-2015, D. R. Commander.
		84	+ * Copyright (C) 2009, 2014-2015, 2020, 2023, D. R. Commander.
		85	* For conditions of distribution and use, see the accompanying README.ijg
		86	* file.
		87	*
		88	@@ -1230,7 +1230,8 @@ jinit_2pass_quantizer(j_decompress_ptr cinfo)
		89	cquantize->error_limiter = NULL;
		90
		91	/* Make sure jdmaster didn't give me a case I can't handle */
		92	- if (cinfo->out_color_components != 3)
		93	+ if (cinfo->out_color_components != 3 \|\|
		94	+ cinfo->out_color_space == JCS_RGB565)
		95	ERREXIT(cinfo, JERR_NOTIMPL);
		96
		97	/* Allocate the histogram/inverse colormap storage */


diff --git a/meta/recipes-graphics/jpeg/files/CVE-2023-2804-2.patch b/meta/recipes-graphics/jpeg/files/CVE-2023-2804-2.patch new file mode 100644 index 0000000000..bcba0b513d --- /dev/null +++ b/meta/recipes-graphics/jpeg/files/CVE-2023-2804-2.patch
@@ -0,0 +1,75 @@
		1	From 0deab87e24ab3106d5332205f829d1846fa65001 Mon Sep 17 00:00:00 2001
		2	From: DRC <information@libjpeg-turbo.org>
		3	Date: Thu, 6 Apr 2023 18:33:41 -0500
		4	Subject: [PATCH] jpeg_crop_scanline: Fix calc w/sclg + 2x4,4x2 samp
		5
		6	When computing the downsampled width for a particular component,
		7	jpeg_crop_scanline() needs to take into account the fact that the
		8	libjpeg code uses a combination of IDCT scaling and upsampling to
		9	implement 4x2 and 2x4 upsampling with certain decompression scaling
		10	factors. Failing to account for that led to incomplete upsampling of
		11	4x2- or 2x4-subsampled components, which caused the color converter to
		12	read from uninitialized memory. With 12-bit data precision, this caused
		13	a buffer overrun or underrun and subsequent segfault if the
		14	uninitialized memory contained a value that was outside of the valid
		15	sample range (because the color converter uses the value as an array
		16	index.)
		17
		18	Fixes #669
		19
		20	CVE: CVE-2023-2804
		21	Upstream-Status: Backport [https://github.com/libjpeg-turbo/libjpeg-turbo/commit/0deab87e24ab3106d5332205f829d1846fa65001]
		22
		23	Signed-off-by: Peter Marko <peter.marko@siemens.com>
		24	---
		25	ChangeLog.md \| 8 ++++++++
		26	jdapistd.c \| 10 ++++++----
		27	2 files changed, 14 insertions(+), 4 deletions(-)
		28
		29	diff --git a/ChangeLog.md b/ChangeLog.md
		30	index de0c4d0dd..159bd1610 100644
		31	--- a/ChangeLog.md
		32	+++ b/ChangeLog.md
		33	@@ -4,6 +4,14 @@ overruns when attempting to decompress various specially-crafted malformed
		34	(`-DWITH_12BIT=1`) with both color quantization and RGB565 color conversion
		35	enabled.
		36
		37	+10. Fixed an issue whereby `jpeg_crop_scanline()` sometimes miscalculated the
		38	+downsampled width for components with 4x2 or 2x4 subsampling factors if
		39	+decompression scaling was enabled. This caused the components to be upsampled
		40	+incompletely, which caused the color converter to read from uninitialized
		41	+memory. With 12-bit data precision, this caused a buffer overrun or underrun
		42	+and subsequent segfault if the sample value read from unitialized memory was
		43	+outside of the valid sample range.
		44	+
		45	2.0.4
		46	=====
		47
		48	diff --git a/jdapistd.c b/jdapistd.c
		49	index 628626254..eb577928c 100644
		50	--- a/jdapistd.c
		51	+++ b/jdapistd.c
		52	@@ -4,7 +4,7 @@
		53	* This file was part of the Independent JPEG Group's software:
		54	* Copyright (C) 1994-1996, Thomas G. Lane.
		55	* libjpeg-turbo Modifications:
		56	- * Copyright (C) 2010, 2015-2018, 2020, D. R. Commander.
		57	+ * Copyright (C) 2010, 2015-2018, 2020, 2023, D. R. Commander.
		58	* Copyright (C) 2015, Google, Inc.
		59	* For conditions of distribution and use, see the accompanying README.ijg
		60	* file.
		61	@@ -225,9 +225,11 @@ jpeg_crop_scanline(j_decompress_ptr cinfo, JDIMENSION *xoffset,
		62	/* Set downsampled_width to the new output width. */
		63	orig_downsampled_width = compptr->downsampled_width;
		64	compptr->downsampled_width =
		65	- (JDIMENSION)jdiv_round_up((long)(cinfo->output_width *
		66	- compptr->h_samp_factor),
		67	- (long)cinfo->max_h_samp_factor);
		68	+ (JDIMENSION)jdiv_round_up((long)cinfo->output_width *
		69	+ (long)(compptr->h_samp_factor *
		70	+ compptr->_DCT_scaled_size),
		71	+ (long)(cinfo->max_h_samp_factor *
		72	+ cinfo->_min_DCT_scaled_size));
		73	if (compptr->downsampled_width < 2 && orig_downsampled_width >= 2)
		74	reinit_upsampler = TRUE;
		75


diff --git a/meta/recipes-graphics/jpeg/libjpeg-turbo_2.0.4.bb b/meta/recipes-graphics/jpeg/libjpeg-turbo_2.0.4.bb index 630b20300f..fda425c219 100644 --- a/meta/recipes-graphics/jpeg/libjpeg-turbo_2.0.4.bb +++ b/meta/recipes-graphics/jpeg/libjpeg-turbo_2.0.4.bb
@@ -16,6 +16,8 @@ SRC_URI = "${SOURCEFORGE_MIRROR}/${BPN}/${BPN}-${PV}.tar.gz \
16	file://CVE-2021-46822.patch \	16	file://CVE-2021-46822.patch \
17	file://CVE-2020-35538-1.patch \	17	file://CVE-2020-35538-1.patch \
18	file://CVE-2020-35538-2.patch \	18	file://CVE-2020-35538-2.patch \
		19	file://CVE-2023-2804-1.patch \
		20	file://CVE-2023-2804-2.patch \
19	"	21	"
20		22
21	SRC_URI[md5sum] = "d01d9e0c28c27bc0de9f4e2e8ff49855"	23	SRC_URI[md5sum] = "d01d9e0c28c27bc0de9f4e2e8ff49855"