| From 07caad7e0a9afb372e0608299fb3e832cc78495f Mon Sep 17 00:00:00 2001 |
| From: DRC <information@libjpeg-turbo.org> |
| Date: Tue, 2 Jun 2020 14:15:37 -0500 |
| Subject: [PATCH] rdppm.c: Fix buf overrun caused by bad binary PPM |
| |
| This extends the fix in 1e81b0c3ea26f4ea8f56de05367469333de64a9f to |
| include binary PPM files with maximum values < 255, thus preventing a |
| malformed binary PPM input file with those specifications from |
| triggering an overrun of the rescale array and potentially crashing |
| cjpeg, TJBench, or any program that uses the tjLoadImage() function. |
| |
| Fixes #433 |
| |
| Upstream-Status: Backport [https://github.com/libjpeg-turbo/libjpeg-turbo/commit/3de15e0c344d11d4b90f4a47136467053eb2d09a] |
| CVE: CVE-2020-13790 |
| Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> |
| |
| --- |
| ChangeLog.md | 14 ++++++++++---- |
| rdppm.c | 4 ++-- |
| 2 files changed, 12 insertions(+), 6 deletions(-) |
| |
| diff --git a/ChangeLog.md b/ChangeLog.md |
| index 4d1219e..af660ab 100644 |
| --- a/ChangeLog.md |
| +++ b/ChangeLog.md |
| @@ -38,6 +38,12 @@ this issue did not likely pose a security risk. |
| separate read-only data section rather than in the text section, to support |
| execute-only memory layouts. |
| |
| +3. Fixed an issue in the PPM reader that caused a buffer overrun in cjpeg, |
| +TJBench, or the `tjLoadImage()` function if one of the values in a binary |
| +PPM/PGM input file exceeded the maximum value defined in the file's header and |
| +that maximum value was less than 255. libjpeg-turbo 1.5.0 already included a |
| +similar fix for binary PPM/PGM files with maximum values greater than 255. |
| + |
| |
| 2.0.3 |
| ===== |
| @@ -562,10 +568,10 @@ application was linked against. |
| |
| 3. Fixed a couple of issues in the PPM reader that would cause buffer overruns |
| in cjpeg if one of the values in a binary PPM/PGM input file exceeded the |
| -maximum value defined in the file's header. libjpeg-turbo 1.4.2 already |
| -included a similar fix for ASCII PPM/PGM files. Note that these issues were |
| -not security bugs, since they were confined to the cjpeg program and did not |
| -affect any of the libjpeg-turbo libraries. |
| +maximum value defined in the file's header and that maximum value was greater |
| +than 255. libjpeg-turbo 1.4.2 already included a similar fix for ASCII PPM/PGM |
| +files. Note that these issues were not security bugs, since they were confined |
| +to the cjpeg program and did not affect any of the libjpeg-turbo libraries. |
| |
| 4. Fixed an issue whereby attempting to decompress a JPEG file with a corrupt |
| header using the `tjDecompressToYUV2()` function would cause the function to |
| diff --git a/rdppm.c b/rdppm.c |
| index 87bc330..a8507b9 100644 |
| --- a/rdppm.c |
| +++ b/rdppm.c |
| @@ -5,7 +5,7 @@ |
| * Copyright (C) 1991-1997, Thomas G. Lane. |
| * Modified 2009 by Bill Allombert, Guido Vollbeding. |
| * libjpeg-turbo Modifications: |
| - * Copyright (C) 2015-2017, D. R. Commander. |
| + * Copyright (C) 2015-2017, 2020, D. R. Commander. |
| * For conditions of distribution and use, see the accompanying README.ijg |
| * file. |
| * |
| @@ -720,7 +720,7 @@ start_input_ppm(j_compress_ptr cinfo, cjpeg_source_ptr sinfo) |
| /* On 16-bit-int machines we have to be careful of maxval = 65535 */ |
| source->rescale = (JSAMPLE *) |
| (*cinfo->mem->alloc_small) ((j_common_ptr)cinfo, JPOOL_IMAGE, |
| - (size_t)(((long)maxval + 1L) * |
| + (size_t)(((long)MAX(maxval, 255) + 1L) * |
| sizeof(JSAMPLE))); |
| half_maxval = maxval / 2; |
| for (val = 0; val <= (long)maxval; val++) { |