1
(cherry picked from commit 07f40fc281f5d98ba8d7397b0771a165d09332a3)
This commit is contained in:
19909236985
openeuler-sync-bot
parent
5ad0e11fdc
commit
52c19a71d1
132
backport-CVE-2021-46822.patch
Normal file
132
backport-CVE-2021-46822.patch
Normal file
@ -0,0 +1,132 @@
|
||||
From f35fd27ec641c42d6b115bfa595e483ec58188d2 Mon Sep 17 00:00:00 2001
|
||||
From: DRC <information@libjpeg-turbo.org>
|
||||
Date: Tue, 6 Apr 2021 12:51:03 -0500
|
||||
Subject: [PATCH] tjLoadImage: Fix issues w/loading 16-bit PPMs/PGMs
|
||||
|
||||
- The PPM reader now throws an error rather than segfaulting (due to a
|
||||
buffer overrun) if an application attempts to load a 16-bit PPM file
|
||||
into a grayscale uncompressed image buffer. No known applications
|
||||
allowed that (not even the test applications in libjpeg-turbo),
|
||||
because that mode of operation was never expected to work and did not
|
||||
work under any circumstances. (In fact, it was necessary to modify
|
||||
TJBench in order to reproduce the issue outside of a fuzzing
|
||||
environment.) This was purely a matter of making the library bow out
|
||||
gracefully rather than crash if an application tries to do something
|
||||
really stupid.
|
||||
|
||||
- The PPM reader now throws an error rather than generating incorrect
|
||||
pixels if an application attempts to load a 16-bit PGM file into an
|
||||
RGB uncompressed image buffer.
|
||||
|
||||
- The PPM reader now correctly loads 16-bit PPM files into extended
|
||||
RGB uncompressed image buffers. (Previously it generated incorrect
|
||||
pixels unless the input colorspace was JCS_RGB or JCS_EXT_RGB.)
|
||||
|
||||
The only way that users could have potentially encountered these issues
|
||||
was through the tjLoadImage() function. cjpeg and TJBench were
|
||||
unaffected.
|
||||
|
||||
Conflict:NA
|
||||
Reference:https://github.com/libjpeg-turbo/libjpeg-turbo/commit/f35fd27ec641c42d6b115bfa595e483ec58188d2
|
||||
---
|
||||
ChangeLog.md | 10 ++++++++++
|
||||
rdppm.c | 26 ++++++++++++++++++++------
|
||||
2 files changed, 30 insertions(+), 6 deletions(-)
|
||||
|
||||
diff --git a/ChangeLog.md b/ChangeLog.md
|
||||
index 59fb2de..1d5a6aa 100644
|
||||
--- a/ChangeLog.md
|
||||
+++ b/ChangeLog.md
|
||||
@@ -27,6 +27,16 @@ such as `tjBufSize()` and `tjLoadImage()` that do not require a TurboJPEG
|
||||
instance handle, is now thread-safe on platforms that support thread-local
|
||||
storage.
|
||||
|
||||
+7. The PPM reader now throws an error, rather than segfaulting (due to a buffer
|
||||
+overrun) or generating incorrect pixels, if an application attempts to use the
|
||||
+`tjLoadImage()` function to load a 16-bit binary PPM file (a binary PPM file
|
||||
+with a maximum value greater than 255) into a grayscale image buffer or to load
|
||||
+a 16-bit binary PGM file into an RGB image buffer.
|
||||
+
|
||||
+8. Fixed an issue in the PPM reader that caused incorrect pixels to be
|
||||
+generated when using the `tjLoadImage()` function to load a 16-bit binary PPM
|
||||
+file into an extended RGB image buffer.
|
||||
+
|
||||
|
||||
2.0.4
|
||||
=====
|
||||
diff --git a/rdppm.c b/rdppm.c
|
||||
index a8507b9..d7518f7 100644
|
||||
--- a/rdppm.c
|
||||
+++ b/rdppm.c
|
||||
@@ -5,7 +5,7 @@
|
||||
* Copyright (C) 1991-1997, Thomas G. Lane.
|
||||
* Modified 2009 by Bill Allombert, Guido Vollbeding.
|
||||
* libjpeg-turbo Modifications:
|
||||
- * Copyright (C) 2015-2017, 2020, D. R. Commander.
|
||||
+ * Copyright (C) 2015-2017, 2020-2021, D. R. Commander.
|
||||
* For conditions of distribution and use, see the accompanying README.ijg
|
||||
* file.
|
||||
*
|
||||
@@ -526,6 +526,11 @@ get_word_rgb_row(j_compress_ptr cinfo, cjpeg_source_ptr sinfo)
|
||||
register JSAMPLE *rescale = source->rescale;
|
||||
JDIMENSION col;
|
||||
unsigned int maxval = source->maxval;
|
||||
+ register int rindex = rgb_red[cinfo->in_color_space];
|
||||
+ register int gindex = rgb_green[cinfo->in_color_space];
|
||||
+ register int bindex = rgb_blue[cinfo->in_color_space];
|
||||
+ register int aindex = alpha_index[cinfo->in_color_space];
|
||||
+ register int ps = rgb_pixelsize[cinfo->in_color_space];
|
||||
|
||||
if (!ReadOK(source->pub.input_file, source->iobuffer, source->buffer_width))
|
||||
ERREXIT(cinfo, JERR_INPUT_EOF);
|
||||
@@ -537,17 +542,20 @@ get_word_rgb_row(j_compress_ptr cinfo, cjpeg_source_ptr sinfo)
|
||||
temp |= UCH(*bufferptr++);
|
||||
if (temp > maxval)
|
||||
ERREXIT(cinfo, JERR_PPM_OUTOFRANGE);
|
||||
- *ptr++ = rescale[temp];
|
||||
+ ptr[rindex] = rescale[temp];
|
||||
temp = UCH(*bufferptr++) << 8;
|
||||
temp |= UCH(*bufferptr++);
|
||||
if (temp > maxval)
|
||||
ERREXIT(cinfo, JERR_PPM_OUTOFRANGE);
|
||||
- *ptr++ = rescale[temp];
|
||||
+ ptr[gindex] = rescale[temp];
|
||||
temp = UCH(*bufferptr++) << 8;
|
||||
temp |= UCH(*bufferptr++);
|
||||
if (temp > maxval)
|
||||
ERREXIT(cinfo, JERR_PPM_OUTOFRANGE);
|
||||
- *ptr++ = rescale[temp];
|
||||
+ ptr[bindex] = rescale[temp];
|
||||
+ if (aindex >= 0)
|
||||
+ ptr[aindex] = 0xFF;
|
||||
+ ptr += ps;
|
||||
}
|
||||
return 1;
|
||||
}
|
||||
@@ -634,7 +642,10 @@ start_input_ppm(j_compress_ptr cinfo, cjpeg_source_ptr sinfo)
|
||||
cinfo->in_color_space = JCS_GRAYSCALE;
|
||||
TRACEMS2(cinfo, 1, JTRC_PGM, w, h);
|
||||
if (maxval > 255) {
|
||||
- source->pub.get_pixel_rows = get_word_gray_row;
|
||||
+ if (cinfo->in_color_space == JCS_GRAYSCALE)
|
||||
+ source->pub.get_pixel_rows = get_word_gray_row;
|
||||
+ else
|
||||
+ ERREXIT(cinfo, JERR_BAD_IN_COLORSPACE);
|
||||
} else if (maxval == MAXJSAMPLE && sizeof(JSAMPLE) == sizeof(U_CHAR) &&
|
||||
cinfo->in_color_space == JCS_GRAYSCALE) {
|
||||
source->pub.get_pixel_rows = get_raw_row;
|
||||
@@ -657,7 +668,10 @@ start_input_ppm(j_compress_ptr cinfo, cjpeg_source_ptr sinfo)
|
||||
cinfo->in_color_space = JCS_EXT_RGB;
|
||||
TRACEMS2(cinfo, 1, JTRC_PPM, w, h);
|
||||
if (maxval > 255) {
|
||||
- source->pub.get_pixel_rows = get_word_rgb_row;
|
||||
+ if (IsExtRGB(cinfo->in_color_space))
|
||||
+ source->pub.get_pixel_rows = get_word_rgb_row;
|
||||
+ else
|
||||
+ ERREXIT(cinfo, JERR_BAD_IN_COLORSPACE);
|
||||
} else if (maxval == MAXJSAMPLE && sizeof(JSAMPLE) == sizeof(U_CHAR) &&
|
||||
(cinfo->in_color_space == JCS_EXT_RGB
|
||||
#if RGB_RED == 0 && RGB_GREEN == 1 && RGB_BLUE == 2 && RGB_PIXELSIZE == 3
|
||||
--
|
||||
2.33.0
|
||||
|
||||
@ -1,11 +1,13 @@
|
||||
Name: libjpeg-turbo
|
||||
Version: 2.0.5
|
||||
Release: 1
|
||||
Release: 2
|
||||
Summary: MMX/SSE2/SIMD accelerated libjpeg-compatible JPEG codec library
|
||||
License: IJG
|
||||
URL: http://sourceforge.net/projects/libjpeg-turbo
|
||||
Source0: http://downloads.sourceforge.net/libjpeg-turbo/libjpeg-turbo-%{version}.tar.gz
|
||||
|
||||
Patch6000: backport-CVE-2021-46822.patch
|
||||
|
||||
BuildRequires: gcc cmake libtool nasm
|
||||
|
||||
Obsoletes: libjpeg < 6b-47 turbojpeg = %{version}-%{release}
|
||||
@ -101,6 +103,9 @@ LD_LIBRARY_PATH=%{buildroot}%{_libdir} make test %{?_smp_mflags}
|
||||
%{_mandir}/man1/*.1*
|
||||
|
||||
%changelog
|
||||
* Tue Jun 28 wuchaochao <wuchaochao4@h-partners.com> - 2.0.5-2
|
||||
- fix CVE-2021-46822
|
||||
|
||||
* Thu Jul 23 2020 openEuler Buildteam <buildteam@openeuler.org> - 2.0.5-1
|
||||
- Type:enhancement
|
||||
- Id:NA
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user