diff --git a/libjpeg-turbo-CVE-2018-1152.patch b/libjpeg-turbo-CVE-2018-1152.patch
new file mode 100644
index 0000000..a71d3e1
--- /dev/null
+++ b/libjpeg-turbo-CVE-2018-1152.patch
@@ -0,0 +1,39 @@
+From 399719595f413158b3510128eb85f944654f960c Mon Sep 17 00:00:00 2001
+From: DRC
+Date: Tue, 12 Jun 2018 20:27:00 -0500
+Subject: [PATCH] tjLoadImage(): Fix FPE triggered by malformed BMP
+
+In rdbmp.c, it is necessary to guard against 32-bit overflow/wraparound
+when allocating the row buffer, because since BMP files have 32-bit
+width and height fields, the value of biWidth can be up to 4294967295.
+Specifically, if biWidth is 1073741824 and cinfo->input_components = 4,
+then the samplesperrow argument in alloc_sarray() would wrap around to
+0, and a division by zero error would occur at line 458 in jmemmgr.c.
+
+If biWidth is set to a higher value, then samplesperrow would wrap
+around to a small number, which would likely cause a buffer overflow
+(this has not been tested or verified.)
+---
+ rdbmp.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/rdbmp.c b/rdbmp.c
+index eaa7086..4104b68 100644
+--- a/rdbmp.c
++++ b/rdbmp.c
+@@ -434,6 +434,12 @@ start_input_bmp (j_compress_ptr cinfo, cjpeg_source_ptr sinfo)
+ progress->total_extra_passes++; /* count file input as separate pass */
+ }
+
++ /* Ensure that biWidth * cinfo->input_components doesn't exceed the maximum
++ value of the JDIMENSION type. This is only a danger with BMP files, since
++ their width and height fields are 32-bit integers. */
++ if ((unsigned long long)biWidth *
++ (unsigned long long)cinfo->input_components > 0xFFFFFFFFULL)
++ ERREXIT(cinfo, JERR_WIDTH_OVERFLOW);
+ /* Allocate one-row buffer for returned data */
+ source->pub.buffer = (*cinfo->mem->alloc_sarray)
+ ((j_common_ptr) cinfo, JPOOL_IMAGE,
+-- 
+2.17.1
+
diff --git a/libjpeg-turbo.spec b/libjpeg-turbo.spec
index 486a6d1..573dee8 100644
--- a/libjpeg-turbo.spec
+++ b/libjpeg-turbo.spec
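Review bot: The new guard bounds only biWidth × cinfo->input_components, the product that feeds alloc_sarray() on the lines just below it, while the comment it adds states that both the width and the height fields of a BMP are 32-bit; if start_input_bmp derives any other size from biWidth or biHeight (a row width computed before this point, or a whole-image buffer sized by the height), those products need the same wraparound check, which this hunk does not add. start_input_bmp begins and ends outside the hunk, so whether such a use exists cannot be confirmed from here. The literal 0xFFFFFFFFULL restates the JDIMENSION range by hand; if JDIMENSION is unsigned int as in jmorecfg.h, `(unsigned long long)UINT_MAX` from <limits.h> would tie the bound to the type rather than to a magic number. The added comment would also help a later reader more if it named the failure it prevents, e.g. `/* A wrapped product reaches alloc_sarray() as 0 (division by zero in jmemmgr.c) or as an undersized row; reject it here. */`.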
@@ -1,6 +1,6 @@
 Name: libjpeg-turbo
 Version: 1.5.3
-Release: 5%{?dist}
+Release: 6%{?dist}
 Summary: A MMX/SSE2/SIMD accelerated library for manipulating JPEG image files
 License: IJG
 URL: http://sourceforge.net/projects/libjpeg-turbo
@@ -9,6 +9,7 @@ Source0: http://downloads.sourceforge.net/%{name}/%{name}-%{version}.tar.
 Patch0: libjpeg-turbo14-noinst.patch
 Patch1: libjpeg-turbo-header-files.patch
 Patch2: libjpeg-turbo-CVE-2018-11813.patch
+Patch3: libjpeg-turbo-CVE-2018-1152.patch
 
 BuildRequires: autoconf
 BuildRequires: automake
@@ -73,6 +74,7 @@ manipulate JPEG files using the TurboJPEG library.
 %patch0 -p1 -b .noinst
 %patch1 -p1 -b .header-files
 %patch2 -p1 -b .CVE-2018-11813
+%patch3 -p1 -b .CVE-2018-1152
 
 %build
 autoreconf -vif
@@ -167,6 +169,9 @@ make test %{?_smp_mflags}
 %{_libdir}/pkgconfig/libturbojpeg.pc
 
 %changelog
+* Fri Jun 29 2018 Nikola Forró - 1.5.3-6
+- Fix CVE-2018-1152 (#1593555)
+
 * Fri Jun 15 2018 Nikola Forró - 1.5.3-5
 - Bump release to prevent conflict with existing build in Koji