packages/libjpeg-turbo
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

1

Browse Source 
(cherry picked from commit 07f40fc281f5d98ba8d7397b0771a165d09332a3)
This commit is contained in:
19909236985 2022-06-28 15:04:17 +08:00 committed by openeuler-sync-bot
parent 5ad0e11fdc
commit 52c19a71d1
2 changed files with 138 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

132
backport-CVE-2021-46822.patch Normal file
View File

@ -0,0 +1,132 @@
From f35fd27ec641c42d6b115bfa595e483ec58188d2 Mon Sep 17 00:00:00 2001
From: DRC <information@libjpeg-turbo.org>
Date: Tue, 6 Apr 2021 12:51:03 -0500
Subject: [PATCH] tjLoadImage: Fix issues w/loading 16-bit PPMs/PGMs
- The PPM reader now throws an error rather than segfaulting (due to a
buffer overrun) if an application attempts to load a 16-bit PPM file
into a grayscale uncompressed image buffer. No known applications
allowed that (not even the test applications in libjpeg-turbo),
because that mode of operation was never expected to work and did not
work under any circumstances. (In fact, it was necessary to modify
TJBench in order to reproduce the issue outside of a fuzzing
environment.) This was purely a matter of making the library bow out
gracefully rather than crash if an application tries to do something
really stupid.
- The PPM reader now throws an error rather than generating incorrect
pixels if an application attempts to load a 16-bit PGM file into an
RGB uncompressed image buffer.
- The PPM reader now correctly loads 16-bit PPM files into extended
RGB uncompressed image buffers. (Previously it generated incorrect
pixels unless the input colorspace was JCS_RGB or JCS_EXT_RGB.)
The only way that users could have potentially encountered these issues
was through the tjLoadImage() function. cjpeg and TJBench were
unaffected.
Conflict:NA
Reference:https://github.com/libjpeg-turbo/libjpeg-turbo/commit/f35fd27ec641c42d6b115bfa595e483ec58188d2
---
ChangeLog.md | 10 ++++++++++
rdppm.c | 26 ++++++++++++++++++++------
2 files changed, 30 insertions(+), 6 deletions(-)
diff --git a/ChangeLog.md b/ChangeLog.md
index 59fb2de..1d5a6aa 100644
--- a/ChangeLog.md
+++ b/ChangeLog.md
@@ -27,6 +27,16 @@ such as `tjBufSize()` and `tjLoadImage()` that do not require a TurboJPEG
instance handle, is now thread-safe on platforms that support thread-local
storage.
+7. The PPM reader now throws an error, rather than segfaulting (due to a buffer
+overrun) or generating incorrect pixels, if an application attempts to use the
+`tjLoadImage()` function to load a 16-bit binary PPM file (a binary PPM file
+with a maximum value greater than 255) into a grayscale image buffer or to load
+a 16-bit binary PGM file into an RGB image buffer.
+
+8. Fixed an issue in the PPM reader that caused incorrect pixels to be
+generated when using the `tjLoadImage()` function to load a 16-bit binary PPM
+file into an extended RGB image buffer.
+
2.0.4
=====
diff --git a/rdppm.c b/rdppm.c
index a8507b9..d7518f7 100644
--- a/rdppm.c
+++ b/rdppm.c
@@ -5,7 +5,7 @@
* Copyright (C) 1991-1997, Thomas G. Lane.
* Modified 2009 by Bill Allombert, Guido Vollbeding.
* libjpeg-turbo Modifications:
- * Copyright (C) 2015-2017, 2020, D. R. Commander.
+ * Copyright (C) 2015-2017, 2020-2021, D. R. Commander.
* For conditions of distribution and use, see the accompanying README.ijg
* file.
*
@@ -526,6 +526,11 @@ get_word_rgb_row(j_compress_ptr cinfo, cjpeg_source_ptr sinfo)
register JSAMPLE *rescale = source->rescale;
JDIMENSION col;
unsigned int maxval = source->maxval;
+ register int rindex = rgb_red[cinfo->in_color_space];
+ register int gindex = rgb_green[cinfo->in_color_space];
+ register int bindex = rgb_blue[cinfo->in_color_space];
+ register int aindex = alpha_index[cinfo->in_color_space];
+ register int ps = rgb_pixelsize[cinfo->in_color_space];
if (!ReadOK(source->pub.input_file, source->iobuffer, source->buffer_width))
ERREXIT(cinfo, JERR_INPUT_EOF);
@@ -537,17 +542,20 @@ get_word_rgb_row(j_compress_ptr cinfo, cjpeg_source_ptr sinfo)
temp |= UCH(*bufferptr++);
if (temp > maxval)
ERREXIT(cinfo, JERR_PPM_OUTOFRANGE);
- *ptr++ = rescale[temp];
+ ptr[rindex] = rescale[temp];
temp = UCH(*bufferptr++) << 8;
temp |= UCH(*bufferptr++);
if (temp > maxval)
ERREXIT(cinfo, JERR_PPM_OUTOFRANGE);
- *ptr++ = rescale[temp];
+ ptr[gindex] = rescale[temp];
temp = UCH(*bufferptr++) << 8;
temp |= UCH(*bufferptr++);
if (temp > maxval)
ERREXIT(cinfo, JERR_PPM_OUTOFRANGE);
- *ptr++ = rescale[temp];
+ ptr[bindex] = rescale[temp];
+ if (aindex >= 0)
+ ptr[aindex] = 0xFF;
+ ptr += ps;
}
return 1;
}
@@ -634,7 +642,10 @@ start_input_ppm(j_compress_ptr cinfo, cjpeg_source_ptr sinfo)
cinfo->in_color_space = JCS_GRAYSCALE;
TRACEMS2(cinfo, 1, JTRC_PGM, w, h);
if (maxval > 255) {
- source->pub.get_pixel_rows = get_word_gray_row;
+ if (cinfo->in_color_space == JCS_GRAYSCALE)
+ source->pub.get_pixel_rows = get_word_gray_row;
+ else
+ ERREXIT(cinfo, JERR_BAD_IN_COLORSPACE);
} else if (maxval == MAXJSAMPLE && sizeof(JSAMPLE) == sizeof(U_CHAR) &&
cinfo->in_color_space == JCS_GRAYSCALE) {
source->pub.get_pixel_rows = get_raw_row;
@@ -657,7 +668,10 @@ start_input_ppm(j_compress_ptr cinfo, cjpeg_source_ptr sinfo)
cinfo->in_color_space = JCS_EXT_RGB;
TRACEMS2(cinfo, 1, JTRC_PPM, w, h);
if (maxval > 255) {
- source->pub.get_pixel_rows = get_word_rgb_row;
+ if (IsExtRGB(cinfo->in_color_space))
+ source->pub.get_pixel_rows = get_word_rgb_row;
+ else
+ ERREXIT(cinfo, JERR_BAD_IN_COLORSPACE);
} else if (maxval == MAXJSAMPLE && sizeof(JSAMPLE) == sizeof(U_CHAR) &&
(cinfo->in_color_space == JCS_EXT_RGB
#if RGB_RED == 0 && RGB_GREEN == 1 && RGB_BLUE == 2 && RGB_PIXELSIZE == 3
--
2.33.0

7
libjpeg-turbo.spec
View File

@ -1,11 +1,13 @@
Name: libjpeg-turbo Name: libjpeg-turbo
Version: 2.0.5 Version: 2.0.5
Release: 1 Release: 2
Summary: MMX/SSE2/SIMD accelerated libjpeg-compatible JPEG codec library Summary: MMX/SSE2/SIMD accelerated libjpeg-compatible JPEG codec library
License: IJG License: IJG
URL: http://sourceforge.net/projects/libjpeg-turbo URL: http://sourceforge.net/projects/libjpeg-turbo
Source0: http://downloads.sourceforge.net/libjpeg-turbo/libjpeg-turbo-%{version}.tar.gz Source0: http://downloads.sourceforge.net/libjpeg-turbo/libjpeg-turbo-%{version}.tar.gz
Patch6000: backport-CVE-2021-46822.patch
BuildRequires: gcc cmake libtool nasm BuildRequires: gcc cmake libtool nasm
Obsoletes: libjpeg < 6b-47 turbojpeg = %{version}-%{release} Obsoletes: libjpeg < 6b-47 turbojpeg = %{version}-%{release}
@ -101,6 +103,9 @@ LD_LIBRARY_PATH=%{buildroot}%{_libdir} make test %{?_smp_mflags}
%{_mandir}/man1/*.1* %{_mandir}/man1/*.1*
%changelog %changelog
* Tue Jun 28 wuchaochao <wuchaochao4@h-partners.com> - 2.0.5-2
- fix CVE-2021-46822
* Thu Jul 23 2020 openEuler Buildteam <buildteam@openeuler.org> - 2.0.5-1 * Thu Jul 23 2020 openEuler Buildteam <buildteam@openeuler.org> - 2.0.5-1
- Type:enhancement - Type:enhancement
- Id:NA - Id:NA