libjpeg-turbo: Fix CVE-2020-13790

libjpeg-turbo 2.0.4 has a heap-based buffer over-read in get_rgb_row() in rdppm.c via a malformed PPM input file. Upstream-Status: Backport [https://github.com/libjpeg-turbo/libjpeg-turbo/commit/3de15e0c344d11d4b90f4a47136467053eb2d09a] CVE:CVE-2020-13790 (From OE-Core rev: 90f4e2f299d8cd6c839b73307dc7b0ec3d389294) Signed-off-by: Liu Haitao <haitao.liu@windriver.com> Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: jason.lau <Haitao.Liu@windriver.com> 2020-06-18 16:31:36 +0800
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2020-07-08 10:47:50 +0100
commit: 09d29eb36a335cadb1249f6849e090d22bbf5a2e (patch)
tree: 5689a6eb1a67da081206dff08d20b83f118e0de0
parent: e1d89748ec66ede80b08576b3f350ac5f84faaff (diff)
download: poky-09d29eb36a335cadb1249f6849e090d22bbf5a2e.tar.gz
2 files changed, 82 insertions, 0 deletions
diff --git a/meta/recipes-graphics/jpeg/files/0001-rdppm.c-Fix-buf-overrun-caused-by-bad-binary-PPM.patch b/meta/recipes-graphics/jpeg/files/0001-rdppm.c-Fix-buf-overrun-caused-by-bad-binary-PPM.patch
new file mode 100644
index 0000000000..03b6dba153
--- /dev/null
+++ b/meta/recipes-graphics/jpeg/files/0001-rdppm.c-Fix-buf-overrun-caused-by-bad-binary-PPM.patch
@@ -0,0 +1,81 @@
+From ade1818b7542ef9e11ece5ce98df91fab45d674c Mon Sep 17 00:00:00 2001
+From: DRC <information@libjpeg-turbo.org>
+Date: Tue, 2 Jun 2020 14:15:37 -0500
+Subject: [PATCH] rdppm.c: Fix buf overrun caused by bad binary PPM
+This extends the fix in 1e81b0c3ea26f4ea8f56de05367469333de64a9f to
+include binary PPM files with maximum values < 255, thus preventing a
+malformed binary PPM input file with those specifications from
+triggering an overrun of the rescale array and potentially crashing
+cjpeg, TJBench, or any program that uses the tjLoadImage() function.
+Fixes #433
+CVE: CVE-2020-13790
+Signed-off-by: Liu Haitao <haitao.liu@windriver.com>
+---
+ ChangeLog.md | 20 ++++++++++++++++----
+ rdppm.c      |  4 ++--
+ 2 files changed, 18 insertions(+), 6 deletions(-)
+diff --git a/ChangeLog.md b/ChangeLog.md
+index 3667d12..198c7b8 100644
+--- a/ChangeLog.md
+++ b/ChangeLog.md
+@@ -1,3 +1,15 @@
+2.0.4
+=====
+
+### Significant changes relative to 2.0.3:
+
+1. Fixed an issue in the PPM reader that caused a buffer overrun in cjpeg,
+TJBench, or the `tjLoadImage()` function if one of the values in a binary
+PPM/PGM input file exceeded the maximum value defined in the file's header and
+that maximum value was less than 255.  libjpeg-turbo 1.5.0 already included a
+similar fix for binary PPM/PGM files with maximum values greater than 255.
+
+
+ 2.0.3
+ =====
+ 
+@@ -520,10 +532,10 @@ application was linked against.
+ 
+ 3. Fixed a couple of issues in the PPM reader that would cause buffer overruns
+ in cjpeg if one of the values in a binary PPM/PGM input file exceeded the
+-maximum value defined in the file's header.  libjpeg-turbo 1.4.2 already
+-included a similar fix for ASCII PPM/PGM files.  Note that these issues were
+-not security bugs, since they were confined to the cjpeg program and did not
+-affect any of the libjpeg-turbo libraries.
+maximum value defined in the file's header and that maximum value was greater
+than 255.  libjpeg-turbo 1.4.2 already included a similar fix for ASCII PPM/PGM
+files.  Note that these issues were not security bugs, since they were confined
+to the cjpeg program and did not affect any of the libjpeg-turbo libraries.
+ 
+ 4. Fixed an issue whereby attempting to decompress a JPEG file with a corrupt
+ header using the `tjDecompressToYUV2()` function would cause the function to
+diff --git a/rdppm.c b/rdppm.c
+index 87bc330..a8507b9 100644
+--- a/rdppm.c
+++ b/rdppm.c
+@@ -5,7 +5,7 @@
+  * Copyright (C) 1991-1997, Thomas G. Lane.
+  * Modified 2009 by Bill Allombert, Guido Vollbeding.
+  * libjpeg-turbo Modifications:
+- * Copyright (C) 2015-2017, D. R. Commander.
+ * Copyright (C) 2015-2017, 2020, D. R. Commander.
+  * For conditions of distribution and use, see the accompanying README.ijg
+  * file.
+  *
+@@ -720,7 +720,7 @@ start_input_ppm(j_compress_ptr cinfo, cjpeg_source_ptr sinfo)
+     /* On 16-bit-int machines we have to be careful of maxval = 65535 */
+     source->rescale = (JSAMPLE *)
+       (*cinfo->mem->alloc_small) ((j_common_ptr)cinfo, JPOOL_IMAGE,
+-                                  (size_t)(((long)maxval + 1L) *
+                                  (size_t)(((long)MAX(maxval, 255) + 1L) *
+                                            sizeof(JSAMPLE)));
+     half_maxval = maxval / 2;
+     for (val = 0; val <= (long)maxval; val++) {
+-- 
+2.17.0
diff --git a/meta/recipes-graphics/jpeg/libjpeg-turbo_2.0.3.bb b/meta/recipes-graphics/jpeg/libjpeg-turbo_2.0.3.bb
index 1cf854de62..8ea81f386f 100644
--- a/meta/recipes-graphics/jpeg/libjpeg-turbo_2.0.3.bb
+++ b/meta/recipes-graphics/jpeg/libjpeg-turbo_2.0.3.bb
@@ -12,6 +12,7 @@ DEPENDS_append_x86_class-target    = " nasm-native"
 SRC_URI = "${SOURCEFORGE_MIRROR}/${BPN}/${BPN}-${PV}.tar.gz \
           file://0001-libjpeg-turbo-fix-package_qa-error.patch \
+           file://0001-rdppm.c-Fix-buf-overrun-caused-by-bad-binary-PPM.patch \
           "
 SRC_URI[md5sum] = "bd07fddf26f9def7bab02739eb655116"
author	jason.lau <Haitao.Liu@windriver.com>	2020-06-18 16:31:36 +0800
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2020-07-08 10:47:50 +0100
commit	09d29eb36a335cadb1249f6849e090d22bbf5a2e (patch)
tree	5689a6eb1a67da081206dff08d20b83f118e0de0
parent	e1d89748ec66ede80b08576b3f350ac5f84faaff (diff)
download	poky-09d29eb36a335cadb1249f6849e090d22bbf5a2e.tar.gz

diff --git a/meta/recipes-graphics/jpeg/files/0001-rdppm.c-Fix-buf-overrun-caused-by-bad-binary-PPM.patch b/meta/recipes-graphics/jpeg/files/0001-rdppm.c-Fix-buf-overrun-caused-by-bad-binary-PPM.patch new file mode 100644 index 0000000000..03b6dba153 --- /dev/null +++ b/meta/recipes-graphics/jpeg/files/0001-rdppm.c-Fix-buf-overrun-caused-by-bad-binary-PPM.patch
@@ -0,0 +1,81 @@
		1	From ade1818b7542ef9e11ece5ce98df91fab45d674c Mon Sep 17 00:00:00 2001
		2	From: DRC <information@libjpeg-turbo.org>
		3	Date: Tue, 2 Jun 2020 14:15:37 -0500
		4	Subject: [PATCH] rdppm.c: Fix buf overrun caused by bad binary PPM
		5
		6	This extends the fix in 1e81b0c3ea26f4ea8f56de05367469333de64a9f to
		7	include binary PPM files with maximum values < 255, thus preventing a
		8	malformed binary PPM input file with those specifications from
		9	triggering an overrun of the rescale array and potentially crashing
		10	cjpeg, TJBench, or any program that uses the tjLoadImage() function.
		11
		12	Fixes #433
		13
		14	CVE: CVE-2020-13790
		15
		16	Signed-off-by: Liu Haitao <haitao.liu@windriver.com>
		17	---
		18	ChangeLog.md \| 20 ++++++++++++++++----
		19	rdppm.c \| 4 ++--
		20	2 files changed, 18 insertions(+), 6 deletions(-)
		21
		22	diff --git a/ChangeLog.md b/ChangeLog.md
		23	index 3667d12..198c7b8 100644
		24	--- a/ChangeLog.md
		25	+++ b/ChangeLog.md
		26	@@ -1,3 +1,15 @@
		27	+2.0.4
		28	+=====
		29	+
		30	+### Significant changes relative to 2.0.3:
		31	+
		32	+1. Fixed an issue in the PPM reader that caused a buffer overrun in cjpeg,
		33	+TJBench, or the `tjLoadImage()` function if one of the values in a binary
		34	+PPM/PGM input file exceeded the maximum value defined in the file's header and
		35	+that maximum value was less than 255. libjpeg-turbo 1.5.0 already included a
		36	+similar fix for binary PPM/PGM files with maximum values greater than 255.
		37	+
		38	+
		39	2.0.3
		40	=====
		41
		42	@@ -520,10 +532,10 @@ application was linked against.
		43
		44	3. Fixed a couple of issues in the PPM reader that would cause buffer overruns
		45	in cjpeg if one of the values in a binary PPM/PGM input file exceeded the
		46	-maximum value defined in the file's header. libjpeg-turbo 1.4.2 already
		47	-included a similar fix for ASCII PPM/PGM files. Note that these issues were
		48	-not security bugs, since they were confined to the cjpeg program and did not
		49	-affect any of the libjpeg-turbo libraries.
		50	+maximum value defined in the file's header and that maximum value was greater
		51	+than 255. libjpeg-turbo 1.4.2 already included a similar fix for ASCII PPM/PGM
		52	+files. Note that these issues were not security bugs, since they were confined
		53	+to the cjpeg program and did not affect any of the libjpeg-turbo libraries.
		54
		55	4. Fixed an issue whereby attempting to decompress a JPEG file with a corrupt
		56	header using the `tjDecompressToYUV2()` function would cause the function to
		57	diff --git a/rdppm.c b/rdppm.c
		58	index 87bc330..a8507b9 100644
		59	--- a/rdppm.c
		60	+++ b/rdppm.c
		61	@@ -5,7 +5,7 @@
		62	* Copyright (C) 1991-1997, Thomas G. Lane.
		63	* Modified 2009 by Bill Allombert, Guido Vollbeding.
		64	* libjpeg-turbo Modifications:
		65	- * Copyright (C) 2015-2017, D. R. Commander.
		66	+ * Copyright (C) 2015-2017, 2020, D. R. Commander.
		67	* For conditions of distribution and use, see the accompanying README.ijg
		68	* file.
		69	*
		70	@@ -720,7 +720,7 @@ start_input_ppm(j_compress_ptr cinfo, cjpeg_source_ptr sinfo)
		71	/* On 16-bit-int machines we have to be careful of maxval = 65535 */
		72	source->rescale = (JSAMPLE *)
		73	(*cinfo->mem->alloc_small) ((j_common_ptr)cinfo, JPOOL_IMAGE,
		74	- (size_t)(((long)maxval + 1L) *
		75	+ (size_t)(((long)MAX(maxval, 255) + 1L) *
		76	sizeof(JSAMPLE)));
		77	half_maxval = maxval / 2;
		78	for (val = 0; val <= (long)maxval; val++) {
		79	--
		80	2.17.0
		81


diff --git a/meta/recipes-graphics/jpeg/libjpeg-turbo_2.0.3.bb b/meta/recipes-graphics/jpeg/libjpeg-turbo_2.0.3.bb index 1cf854de62..8ea81f386f 100644 --- a/meta/recipes-graphics/jpeg/libjpeg-turbo_2.0.3.bb +++ b/meta/recipes-graphics/jpeg/libjpeg-turbo_2.0.3.bb
@@ -12,6 +12,7 @@ DEPENDS_append_x86_class-target = " nasm-native"
12		12
13	SRC_URI = "${SOURCEFORGE_MIRROR}/${BPN}/${BPN}-${PV}.tar.gz \	13	SRC_URI = "${SOURCEFORGE_MIRROR}/${BPN}/${BPN}-${PV}.tar.gz \
14	file://0001-libjpeg-turbo-fix-package_qa-error.patch \	14	file://0001-libjpeg-turbo-fix-package_qa-error.patch \
		15	file://0001-rdppm.c-Fix-buf-overrun-caused-by-bad-binary-PPM.patch \
15	"	16	"
16		17
17	SRC_URI[md5sum] = "bd07fddf26f9def7bab02739eb655116"	18	SRC_URI[md5sum] = "bd07fddf26f9def7bab02739eb655116"