diff --git a/libjpeg-turbo-CVE-2018-1152.patch b/libjpeg-turbo-CVE-2018-1152.patch
new file mode 100644
index 0000000..f27a505
--- /dev/null
+++ b/libjpeg-turbo-CVE-2018-1152.patch
@@ -0,0 +1,39 @@
+From 0079f602bacb13a5b0c9f4a191ddaadd8a8fa58c Mon Sep 17 00:00:00 2001
+From: DRC
+Date: Tue, 12 Jun 2018 20:27:00 -0500
+Subject: [PATCH] tjLoadImage(): Fix FPE triggered by malformed BMP
+
+In rdbmp.c, it is necessary to guard against 32-bit overflow/wraparound
+when allocating the row buffer, because since BMP files have 32-bit
+width and height fields, the value of biWidth can be up to 4294967295.
+Specifically, if biWidth is 1073741824 and cinfo->input_components = 4,
+then the samplesperrow argument in alloc_sarray() would wrap around to
+0, and a division by zero error would occur at line 458 in jmemmgr.c.
+
+If biWidth is set to a higher value, then samplesperrow would wrap
+around to a small number, which would likely cause a buffer overflow
+(this has not been tested or verified.)
+---
+ rdbmp.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/rdbmp.c b/rdbmp.c
+index fcabbb1..a0efa93 100644
+--- a/rdbmp.c
++++ b/rdbmp.c
+@@ -623,6 +623,12 @@ start_input_bmp(j_compress_ptr cinfo, cjpeg_source_ptr sinfo)
+ }
+ }
+ 
++ /* Ensure that biWidth * cinfo->input_components doesn't exceed the maximum
++ value of the JDIMENSION type. This is only a danger with BMP files, since
++ their width and height fields are 32-bit integers. */
++ if ((unsigned long long)biWidth *
++ (unsigned long long)cinfo->input_components > 0xFFFFFFFFULL)
++ ERREXIT(cinfo, JERR_WIDTH_OVERFLOW);
+ /* Allocate one-row buffer for returned data */
+ source->pub.buffer = (*cinfo->mem->alloc_sarray)
+ ((j_common_ptr)cinfo, JPOOL_IMAGE,
+--
+2.17.1
+
diff --git a/libjpeg-turbo.spec b/libjpeg-turbo.spec
index f382949..46fe3a5 100644
--- a/libjpeg-turbo.spec
+++ b/libjpeg-turbo.spec
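Review bot: The new guard casts `biWidth` to `unsigned long long` before multiplying, so a negative width read from the 32-bit BMP header would sign-extend to a huge product and be reported here as JERR_WIDTH_OVERFLOW rather than as a malformed header; that is safe (the allocation is still refused) but the error text would be misleading unless an earlier non-positive-width check in start_input_bmp already catches it, and that code is outside the hunk, so the backport to 1.5.90 should confirm the check is present there. The same product is recomputed as the samplesperrow argument on the line after the visible `alloc_sarray` context, which is also outside the hunk; keeping the guard and that argument in the same units is what makes the check meaningful, so a one-line comment tying them together would help a later reader, e.g. `/* this product is passed to alloc_sarray() below as a JDIMENSION */`. The enclosing function start_input_bmp begins and ends outside the hunk.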
@@ -1,6 +1,6 @@
 Name: libjpeg-turbo
 Version: 1.5.90
-Release: 2%{?dist}
+Release: 3%{?dist}
 Summary: A MMX/SSE2/SIMD accelerated library for manipulating JPEG image files
 License: IJG
 URL: http://sourceforge.net/projects/libjpeg-turbo
@@ -8,6 +8,7 @@ URL: http://sourceforge.net/projects/libjpeg-turbo
 Source0: http://downloads.sourceforge.net/%{name}/%{name}-%{version}.tar.gz
 Patch0: libjpeg-turbo-cmake.patch
 Patch1: libjpeg-turbo-CVE-2018-11813.patch
+Patch2: libjpeg-turbo-CVE-2018-1152.patch
 BuildRequires: gcc
 BuildRequires: cmake
@@ -71,6 +72,7 @@ manipulate JPEG files using the TurboJPEG library.
 %setup -q
 %patch0 -p1
 %patch1 -p1
+%patch2 -p1
 %build
 %{cmake} -DCMAKE_SKIP_RPATH:BOOL=YES \
@@ -170,6 +172,9 @@ LD_LIBRARY_PATH=%{buildroot}%{_libdir} make test %{?_smp_mflags}
 %{_libdir}/pkgconfig/libturbojpeg.pc
 %changelog
+* Fri Jun 29 2018 Nikola Forró - 1.5.90-3
+- Fix CVE-2018-1152 (#1593555)
+
 * Fri Jun 15 2018 Nikola Forró - 1.5.90-2
 - Fix CVE-2018-11813 (#1588804)
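Review bot: The added `Patch2:` line in the second hunk carries no pointer to the patch's origin, even though the patch file itself names upstream commit 0079f602bacb13a5b0c9f4a191ddaadd8a8fa58c and the changelog cites only the downstream bug #1593555. A comment above the tag, e.g. `# CVE-2018-1152: guard biWidth * input_components overflow in rdbmp.c (upstream 0079f602bacb13a5b0c9f4a191ddaadd8a8fa58c)` followed by `Patch2: libjpeg-turbo-CVE-2018-1152.patch`, lets the next rebase check whether the fix is already in the tarball before carrying the patch forward. The `%patch2 -p1` line in the %prep hunk needs no change.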