summaryrefslogtreecommitdiffstats
path: root/meta/recipes-graphics
diff options
context:
space:
mode:
authorLee Chee Yang <chee.yang.lee@intel.com>2020-08-07 17:45:18 +0800
committerRichard Purdie <richard.purdie@linuxfoundation.org>2020-08-12 10:53:47 +0100
commit24f6a075e52ab2d88bd24f61526ee21d58ca1b33 (patch)
tree720d2c7ebcb1b81a298387e68766a3a4ee3a9b32 /meta/recipes-graphics
parent697e30dcb2953caf7c79f631dab77943e5b19703 (diff)
downloadpoky-24f6a075e52ab2d88bd24f61526ee21d58ca1b33.tar.gz
libjpeg-turbo: fix CVE-2020-13790
(From OE-Core rev: d4662adbb34d8c4a23fe7f111c2c991b1aedeaef) Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-graphics')
-rw-r--r--meta/recipes-graphics/jpeg/files/CVE-2020-13790.patch76
-rw-r--r--meta/recipes-graphics/jpeg/libjpeg-turbo_2.0.4.bb1
2 files changed, 77 insertions, 0 deletions
diff --git a/meta/recipes-graphics/jpeg/files/CVE-2020-13790.patch b/meta/recipes-graphics/jpeg/files/CVE-2020-13790.patch
new file mode 100644
index 0000000000..4617978bdc
--- /dev/null
+++ b/meta/recipes-graphics/jpeg/files/CVE-2020-13790.patch
@@ -0,0 +1,76 @@
1From 07caad7e0a9afb372e0608299fb3e832cc78495f Mon Sep 17 00:00:00 2001
2From: DRC <information@libjpeg-turbo.org>
3Date: Tue, 2 Jun 2020 14:15:37 -0500
4Subject: [PATCH] rdppm.c: Fix buf overrun caused by bad binary PPM
5
6This extends the fix in 1e81b0c3ea26f4ea8f56de05367469333de64a9f to
7include binary PPM files with maximum values < 255, thus preventing a
8malformed binary PPM input file with those specifications from
9triggering an overrun of the rescale array and potentially crashing
10cjpeg, TJBench, or any program that uses the tjLoadImage() function.
11
12Fixes #433
13
14Upstream-Status: Backport [https://github.com/libjpeg-turbo/libjpeg-turbo/commit/3de15e0c344d11d4b90f4a47136467053eb2d09a]
15CVE: CVE-2020-13790
16Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
17
18---
19 ChangeLog.md | 14 ++++++++++----
20 rdppm.c | 4 ++--
21 2 files changed, 12 insertions(+), 6 deletions(-)
22
23diff --git a/ChangeLog.md b/ChangeLog.md
24index 4d1219e..af660ab 100644
25--- a/ChangeLog.md
26+++ b/ChangeLog.md
27@@ -38,6 +38,12 @@ this issue did not likely pose a security risk.
28 separate read-only data section rather than in the text section, to support
29 execute-only memory layouts.
30
31+3. Fixed an issue in the PPM reader that caused a buffer overrun in cjpeg,
32+TJBench, or the `tjLoadImage()` function if one of the values in a binary
33+PPM/PGM input file exceeded the maximum value defined in the file's header and
34+that maximum value was less than 255. libjpeg-turbo 1.5.0 already included a
35+similar fix for binary PPM/PGM files with maximum values greater than 255.
36+
37
38 2.0.3
39 =====
40@@ -562,10 +568,10 @@ application was linked against.
41
42 3. Fixed a couple of issues in the PPM reader that would cause buffer overruns
43 in cjpeg if one of the values in a binary PPM/PGM input file exceeded the
44-maximum value defined in the file's header. libjpeg-turbo 1.4.2 already
45-included a similar fix for ASCII PPM/PGM files. Note that these issues were
46-not security bugs, since they were confined to the cjpeg program and did not
47-affect any of the libjpeg-turbo libraries.
48+maximum value defined in the file's header and that maximum value was greater
49+than 255. libjpeg-turbo 1.4.2 already included a similar fix for ASCII PPM/PGM
50+files. Note that these issues were not security bugs, since they were confined
51+to the cjpeg program and did not affect any of the libjpeg-turbo libraries.
52
53 4. Fixed an issue whereby attempting to decompress a JPEG file with a corrupt
54 header using the `tjDecompressToYUV2()` function would cause the function to
55diff --git a/rdppm.c b/rdppm.c
56index 87bc330..a8507b9 100644
57--- a/rdppm.c
58+++ b/rdppm.c
59@@ -5,7 +5,7 @@
60 * Copyright (C) 1991-1997, Thomas G. Lane.
61 * Modified 2009 by Bill Allombert, Guido Vollbeding.
62 * libjpeg-turbo Modifications:
63- * Copyright (C) 2015-2017, D. R. Commander.
64+ * Copyright (C) 2015-2017, 2020, D. R. Commander.
65 * For conditions of distribution and use, see the accompanying README.ijg
66 * file.
67 *
68@@ -720,7 +720,7 @@ start_input_ppm(j_compress_ptr cinfo, cjpeg_source_ptr sinfo)
69 /* On 16-bit-int machines we have to be careful of maxval = 65535 */
70 source->rescale = (JSAMPLE *)
71 (*cinfo->mem->alloc_small) ((j_common_ptr)cinfo, JPOOL_IMAGE,
72- (size_t)(((long)maxval + 1L) *
73+ (size_t)(((long)MAX(maxval, 255) + 1L) *
74 sizeof(JSAMPLE)));
75 half_maxval = maxval / 2;
76 for (val = 0; val <= (long)maxval; val++) {
diff --git a/meta/recipes-graphics/jpeg/libjpeg-turbo_2.0.4.bb b/meta/recipes-graphics/jpeg/libjpeg-turbo_2.0.4.bb
index 1f49fd3d3b..3005a8a789 100644
--- a/meta/recipes-graphics/jpeg/libjpeg-turbo_2.0.4.bb
+++ b/meta/recipes-graphics/jpeg/libjpeg-turbo_2.0.4.bb
@@ -12,6 +12,7 @@ DEPENDS_append_x86_class-target = " nasm-native"
12 12
13SRC_URI = "${SOURCEFORGE_MIRROR}/${BPN}/${BPN}-${PV}.tar.gz \ 13SRC_URI = "${SOURCEFORGE_MIRROR}/${BPN}/${BPN}-${PV}.tar.gz \
14 file://0001-libjpeg-turbo-fix-package_qa-error.patch \ 14 file://0001-libjpeg-turbo-fix-package_qa-error.patch \
15 file://CVE-2020-13790.patch \
15 " 16 "
16 17
17SRC_URI[md5sum] = "d01d9e0c28c27bc0de9f4e2e8ff49855" 18SRC_URI[md5sum] = "d01d9e0c28c27bc0de9f4e2e8ff49855"