1 files changed, 133 insertions, 0 deletions
diff --git a/meta/recipes-graphics/jpeg/files/CVE-2021-46822.patch b/meta/recipes-graphics/jpeg/files/CVE-2021-46822.patch
new file mode 100644
index 0000000000..68cf89e628
--- /dev/null
+++ b/meta/recipes-graphics/jpeg/files/CVE-2021-46822.patch
@@ -0,0 +1,133 @@
+From f35fd27ec641c42d6b115bfa595e483ec58188d2 Mon Sep 17 00:00:00 2001
+From: DRC <information@libjpeg-turbo.org>
+Date: Tue, 6 Apr 2021 12:51:03 -0500
+Subject: [PATCH] tjLoadImage: Fix issues w/loading 16-bit PPMs/PGMs
+- The PPM reader now throws an error rather than segfaulting (due to a
+  buffer overrun) if an application attempts to load a 16-bit PPM file
+  into a grayscale uncompressed image buffer.  No known applications
+  allowed that (not even the test applications in libjpeg-turbo),
+  because that mode of operation was never expected to work and did not
+  work under any circumstances.  (In fact, it was necessary to modify
+  TJBench in order to reproduce the issue outside of a fuzzing
+  environment.)  This was purely a matter of making the library bow out
+  gracefully rather than crash if an application tries to do something
+  really stupid.
+- The PPM reader now throws an error rather than generating incorrect
+  pixels if an application attempts to load a 16-bit PGM file into an
+  RGB uncompressed image buffer.
+- The PPM reader now correctly loads 16-bit PPM files into extended
+  RGB uncompressed image buffers.  (Previously it generated incorrect
+  pixels unless the input colorspace was JCS_RGB or JCS_EXT_RGB.)
+The only way that users could have potentially encountered these issues
+was through the tjLoadImage() function.  cjpeg and TJBench were
+unaffected.
+CVE: CVE-2021-46822
+Upstream-Status: Backport [https://github.com/libjpeg-turbo/libjpeg-turbo/commit/f35fd27ec641c42d6b115bfa595e483ec58188d2.patch]
+Comment: Refreshed hunks from ChangeLog.md
+         Refreshed hunks from rdppm.c
+Signed-off-by: Bhabu Bindu <bhabu.bindu@kpit.com>
+---
+ ChangeLog.md | 10 ++++++++++
+ rdppm.c      | 26 ++++++++++++++++++++------
+ 2 files changed, 30 insertions(+), 6 deletions(-)
+diff --git a/ChangeLog.md b/ChangeLog.md
+index 968969c6b..12e730a0e 100644
+--- a/ChangeLog.md
+++ b/ChangeLog.md
+@@ -44,6 +44,15 @@
+ that maximum value was less than 255.  libjpeg-turbo 1.5.0 already included a
+ similar fix for binary PPM/PGM files with maximum values greater than 255.
+7. The PPM reader now throws an error, rather than segfaulting (due to a buffer
+overrun) or generating incorrect pixels, if an application attempts to use the
+`tjLoadImage()` function to load a 16-bit binary PPM file (a binary PPM file
+with a maximum value greater than 255) into a grayscale image buffer or to load
+a 16-bit binary PGM file into an RGB image buffer.
+
+8. Fixed an issue in the PPM reader that caused incorrect pixels to be
+generated when using the `tjLoadImage()` function to load a 16-bit binary PPM
+file into an extended RGB image buffer.
+ 2.0.3
+ =====
+diff --git a/rdppm.c b/rdppm.c
+index c4c937e8a..6ac8fdbf7 100644
+--- a/rdppm.c
+++ b/rdppm.c
+@@ -5,7 +5,7 @@
+  * Copyright (C) 1991-1997, Thomas G. Lane.
+  * Modified 2009 by Bill Allombert, Guido Vollbeding.
+  * libjpeg-turbo Modifications:
+- * Copyright (C) 2015-2017, 2020, D. R. Commander.
+ * Copyright (C) 2015-2017, 2020-2021, D. R. Commander.
+  * For conditions of distribution and use, see the accompanying README.ijg
+  * file.
+  *
+@@ -516,6 +516,11 @@ get_word_rgb_row(j_compress_ptr cinfo, cjpeg_source_ptr sinfo)
+   register JSAMPLE *rescale = source->rescale;
+   JDIMENSION col;
+   unsigned int maxval = source->maxval;
+  register int rindex = rgb_red[cinfo->in_color_space];
+  register int gindex = rgb_green[cinfo->in_color_space];
+  register int bindex = rgb_blue[cinfo->in_color_space];
+  register int aindex = alpha_index[cinfo->in_color_space];
+  register int ps = rgb_pixelsize[cinfo->in_color_space];
+   if (!ReadOK(source->pub.input_file, source->iobuffer, source->buffer_width))
+     ERREXIT(cinfo, JERR_INPUT_EOF);
+@@ -527,17 +532,20 @@ get_word_rgb_row(j_compress_ptr cinfo, cjpeg_source_ptr sinfo)
+     temp |= UCH(*bufferptr++);
+     if (temp > maxval)
+       ERREXIT(cinfo, JERR_PPM_OUTOFRANGE);
+-    *ptr++ = rescale[temp];
+    ptr[rindex] = rescale[temp];
+     temp  = UCH(*bufferptr++) << 8;
+     temp |= UCH(*bufferptr++);
+     if (temp > maxval)
+       ERREXIT(cinfo, JERR_PPM_OUTOFRANGE);
+-    *ptr++ = rescale[temp];
+    ptr[gindex] = rescale[temp];
+     temp  = UCH(*bufferptr++) << 8;
+     temp |= UCH(*bufferptr++);
+     if (temp > maxval)
+       ERREXIT(cinfo, JERR_PPM_OUTOFRANGE);
+-    *ptr++ = rescale[temp];
+    ptr[bindex] = rescale[temp];
+    if (aindex >= 0)
+      ptr[aindex] = 0xFF;
+    ptr += ps;
+   }
+   return 1;
+ }
+@@ -624,7 +632,10 @@ start_input_ppm(j_compress_ptr cinfo, cjpeg_source_ptr sinfo)
+       cinfo->in_color_space = JCS_GRAYSCALE;
+     TRACEMS2(cinfo, 1, JTRC_PGM, w, h);
+     if (maxval > 255) {
+-      source->pub.get_pixel_rows = get_word_gray_row;
+      if (cinfo->in_color_space == JCS_GRAYSCALE)
+        source->pub.get_pixel_rows = get_word_gray_row;
+      else
+        ERREXIT(cinfo, JERR_BAD_IN_COLORSPACE);
+     } else if (maxval == MAXJSAMPLE && sizeof(JSAMPLE) == sizeof(U_CHAR) &&
+                cinfo->in_color_space == JCS_GRAYSCALE) {
+       source->pub.get_pixel_rows = get_raw_row;
+@@ -657,7 +657,10 @@
+       cinfo->in_color_space = JCS_EXT_RGB;
+     TRACEMS2(cinfo, 1, JTRC_PPM, w, h);
+     if (maxval > 255) {
+-      source->pub.get_pixel_rows = get_word_rgb_row;
+      if (IsExtRGB(cinfo->in_color_space))
+              source->pub.get_pixel_rows = get_word_rgb_row;
+              else
+              ERREXIT(cinfo, JERR_BAD_IN_COLORSPACE);
+     } else if (maxval == MAXJSAMPLE && sizeof(JSAMPLE) == sizeof(U_CHAR) &&
+                (cinfo->in_color_space == JCS_EXT_RGB
+ #if RGB_RED == 0 && RGB_GREEN == 1 && RGB_BLUE == 2 && RGB_PIXELSIZE == 3

diff --git a/meta/recipes-graphics/jpeg/files/CVE-2021-46822.patch b/meta/recipes-graphics/jpeg/files/CVE-2021-46822.patch new file mode 100644 index 0000000000..68cf89e628 --- /dev/null +++ b/meta/recipes-graphics/jpeg/files/CVE-2021-46822.patch
@@ -0,0 +1,133 @@
	1	From f35fd27ec641c42d6b115bfa595e483ec58188d2 Mon Sep 17 00:00:00 2001
	2	From: DRC <information@libjpeg-turbo.org>
	3	Date: Tue, 6 Apr 2021 12:51:03 -0500
	4	Subject: [PATCH] tjLoadImage: Fix issues w/loading 16-bit PPMs/PGMs
	5
	6	- The PPM reader now throws an error rather than segfaulting (due to a
	7	buffer overrun) if an application attempts to load a 16-bit PPM file
	8	into a grayscale uncompressed image buffer. No known applications
	9	allowed that (not even the test applications in libjpeg-turbo),
	10	because that mode of operation was never expected to work and did not
	11	work under any circumstances. (In fact, it was necessary to modify
	12	TJBench in order to reproduce the issue outside of a fuzzing
	13	environment.) This was purely a matter of making the library bow out
	14	gracefully rather than crash if an application tries to do something
	15	really stupid.
	16
	17	- The PPM reader now throws an error rather than generating incorrect
	18	pixels if an application attempts to load a 16-bit PGM file into an
	19	RGB uncompressed image buffer.
	20
	21	- The PPM reader now correctly loads 16-bit PPM files into extended
	22	RGB uncompressed image buffers. (Previously it generated incorrect
	23	pixels unless the input colorspace was JCS_RGB or JCS_EXT_RGB.)
	24
	25	The only way that users could have potentially encountered these issues
	26	was through the tjLoadImage() function. cjpeg and TJBench were
	27	unaffected.
	28
	29	CVE: CVE-2021-46822
	30	Upstream-Status: Backport [https://github.com/libjpeg-turbo/libjpeg-turbo/commit/f35fd27ec641c42d6b115bfa595e483ec58188d2.patch]
	31	Comment: Refreshed hunks from ChangeLog.md
	32	Refreshed hunks from rdppm.c
	33
	34	Signed-off-by: Bhabu Bindu <bhabu.bindu@kpit.com>
	35
	36	---
	37	ChangeLog.md \| 10 ++++++++++
	38	rdppm.c \| 26 ++++++++++++++++++++------
	39	2 files changed, 30 insertions(+), 6 deletions(-)
	40
	41	diff --git a/ChangeLog.md b/ChangeLog.md
	42	index 968969c6b..12e730a0e 100644
	43	--- a/ChangeLog.md
	44	+++ b/ChangeLog.md
	45	@@ -44,6 +44,15 @@
	46	that maximum value was less than 255. libjpeg-turbo 1.5.0 already included a
	47	similar fix for binary PPM/PGM files with maximum values greater than 255.
	48
	49	+7. The PPM reader now throws an error, rather than segfaulting (due to a buffer
	50	+overrun) or generating incorrect pixels, if an application attempts to use the
	51	+`tjLoadImage()` function to load a 16-bit binary PPM file (a binary PPM file
	52	+with a maximum value greater than 255) into a grayscale image buffer or to load
	53	+a 16-bit binary PGM file into an RGB image buffer.
	54	+
	55	+8. Fixed an issue in the PPM reader that caused incorrect pixels to be
	56	+generated when using the `tjLoadImage()` function to load a 16-bit binary PPM
	57	+file into an extended RGB image buffer.
	58
	59	2.0.3
	60	=====
	61	diff --git a/rdppm.c b/rdppm.c
	62	index c4c937e8a..6ac8fdbf7 100644
	63	--- a/rdppm.c
	64	+++ b/rdppm.c
	65	@@ -5,7 +5,7 @@
	66	* Copyright (C) 1991-1997, Thomas G. Lane.
	67	* Modified 2009 by Bill Allombert, Guido Vollbeding.
	68	* libjpeg-turbo Modifications:
	69	- * Copyright (C) 2015-2017, 2020, D. R. Commander.
	70	+ * Copyright (C) 2015-2017, 2020-2021, D. R. Commander.
	71	* For conditions of distribution and use, see the accompanying README.ijg
	72	* file.
	73	*
	74	@@ -516,6 +516,11 @@ get_word_rgb_row(j_compress_ptr cinfo, cjpeg_source_ptr sinfo)
	75	register JSAMPLE *rescale = source->rescale;
	76	JDIMENSION col;
	77	unsigned int maxval = source->maxval;
	78	+ register int rindex = rgb_red[cinfo->in_color_space];
	79	+ register int gindex = rgb_green[cinfo->in_color_space];
	80	+ register int bindex = rgb_blue[cinfo->in_color_space];
	81	+ register int aindex = alpha_index[cinfo->in_color_space];
	82	+ register int ps = rgb_pixelsize[cinfo->in_color_space];
	83
	84	if (!ReadOK(source->pub.input_file, source->iobuffer, source->buffer_width))
	85	ERREXIT(cinfo, JERR_INPUT_EOF);
	86	@@ -527,17 +532,20 @@ get_word_rgb_row(j_compress_ptr cinfo, cjpeg_source_ptr sinfo)
	87	temp \|= UCH(*bufferptr++);
	88	if (temp > maxval)
	89	ERREXIT(cinfo, JERR_PPM_OUTOFRANGE);
	90	- *ptr++ = rescale[temp];
	91	+ ptr[rindex] = rescale[temp];
	92	temp = UCH(*bufferptr++) << 8;
	93	temp \|= UCH(*bufferptr++);
	94	if (temp > maxval)
	95	ERREXIT(cinfo, JERR_PPM_OUTOFRANGE);
	96	- *ptr++ = rescale[temp];
	97	+ ptr[gindex] = rescale[temp];
	98	temp = UCH(*bufferptr++) << 8;
	99	temp \|= UCH(*bufferptr++);
	100	if (temp > maxval)
	101	ERREXIT(cinfo, JERR_PPM_OUTOFRANGE);
	102	- *ptr++ = rescale[temp];
	103	+ ptr[bindex] = rescale[temp];
	104	+ if (aindex >= 0)
	105	+ ptr[aindex] = 0xFF;
	106	+ ptr += ps;
	107	}
	108	return 1;
	109	}
	110	@@ -624,7 +632,10 @@ start_input_ppm(j_compress_ptr cinfo, cjpeg_source_ptr sinfo)
	111	cinfo->in_color_space = JCS_GRAYSCALE;
	112	TRACEMS2(cinfo, 1, JTRC_PGM, w, h);
	113	if (maxval > 255) {
	114	- source->pub.get_pixel_rows = get_word_gray_row;
	115	+ if (cinfo->in_color_space == JCS_GRAYSCALE)
	116	+ source->pub.get_pixel_rows = get_word_gray_row;
	117	+ else
	118	+ ERREXIT(cinfo, JERR_BAD_IN_COLORSPACE);
	119	} else if (maxval == MAXJSAMPLE && sizeof(JSAMPLE) == sizeof(U_CHAR) &&
	120	cinfo->in_color_space == JCS_GRAYSCALE) {
	121	source->pub.get_pixel_rows = get_raw_row;
	122	@@ -657,7 +657,10 @@
	123	cinfo->in_color_space = JCS_EXT_RGB;
	124	TRACEMS2(cinfo, 1, JTRC_PPM, w, h);
	125	if (maxval > 255) {
	126	- source->pub.get_pixel_rows = get_word_rgb_row;
	127	+ if (IsExtRGB(cinfo->in_color_space))
	128	+ source->pub.get_pixel_rows = get_word_rgb_row;
	129	+ else
	130	+ ERREXIT(cinfo, JERR_BAD_IN_COLORSPACE);
	131	} else if (maxval == MAXJSAMPLE && sizeof(JSAMPLE) == sizeof(U_CHAR) &&
	132	(cinfo->in_color_space == JCS_EXT_RGB
	133	#if RGB_RED == 0 && RGB_GREEN == 1 && RGB_BLUE == 2 && RGB_PIXELSIZE == 3