authorSam James (sam_c) <sam@cmpct.info>2020-06-11 00:37:52 +0000
committerMike Gilbert <floppym@gentoo.org>2020-06-13 12:30:39 -0400
commit8110962edc520001b3d2059be69702a1ceccee9b (patch)
treef383f08a6141bf296325a61f155d5ea50159e09f /media-libs/libjpeg-turbo/files
parentsci-astronomy/pyephem: Bump to 3.7.7.1 (diff)
media-libs/libjpeg-turbo: Patch CVE-2020-13790
Bug: https://bugs.gentoo.org/727010 Package-Manager: Portage-2.3.99, Repoman-2.3.22 Signed-off-by: Sam James (sam_c) <sam@cmpct.info> Signed-off-by: Mike Gilbert <floppym@gentoo.org> Closes: https://github.com/gentoo/gentoo/pull/16184
Diffstat (limited to 'media-libs/libjpeg-turbo/files')
-rw-r--r--media-libs/libjpeg-turbo/files/libjpeg-turbo-1.5.3-CVE-2020-13790.patch43
-rw-r--r--media-libs/libjpeg-turbo/files/libjpeg-turbo-2.0.4-CVE-2020-13790.patch34
2 files changed, 77 insertions, 0 deletions
diff --git a/media-libs/libjpeg-turbo/files/libjpeg-turbo-1.5.3-CVE-2020-13790.patch b/media-libs/libjpeg-turbo/files/libjpeg-turbo-1.5.3-CVE-2020-13790.patch
new file mode 100644
index 000000000000..8a9fcbd79724
--- /dev/null
+++ b/media-libs/libjpeg-turbo/files/libjpeg-turbo-1.5.3-CVE-2020-13790.patch
@@ -0,0 +1,43 @@
+From 1bfb0b5247f4fc8f6677639781ce468543490216 Mon Sep 17 00:00:00 2001
+From: DRC <information@libjpeg-turbo.org>
+Date: Tue, 2 Jun 2020 14:15:37 -0500
+Subject: [PATCH] rdppm.c: Fix buf overrun caused by bad binary PPM
+
+This extends the fix in 1e81b0c3ea26f4ea8f56de05367469333de64a9f to
+include binary PPM files with maximum values < 255, thus preventing a
+malformed binary PPM input file with those specifications from
+triggering an overrun of the rescale array and potentially crashing
+cjpeg, TJBench, or any program that uses the tjLoadImage() function.
+
+Fixes #433
+diff --git a/rdppm.c b/rdppm.c
+index c0c096218..899436eec 100644
+--- a/rdppm.c
++++ b/rdppm.c
+@@ -5,7 +5,7 @@
+ * Copyright (C) 1991-1997, Thomas G. Lane.
+ * Modified 2009 by Bill Allombert, Guido Vollbeding.
+ * libjpeg-turbo Modifications:
+- * Copyright (C) 2015, 2016, D. R. Commander.
++ * Copyright (C) 2015, 2016, 2020, D. R. Commander.
+ * For conditions of distribution and use, see the accompanying README.ijg
+ * file.
+ *
+@@ -22,6 +22,7 @@
+ * the file is indeed PPM format).
+ */
+
++#define JPEG_INTERNALS
+ #include "cdjpeg.h" /* Common decls for cjpeg/djpeg applications */
+
+ #ifdef PPM_SUPPORTED
+@@ -425,7 +426,7 @@ start_input_ppm (j_compress_ptr cinfo, cjpeg_source_ptr sinfo)
+ /* On 16-bit-int machines we have to be careful of maxval = 65535 */
+ source->rescale = (JSAMPLE *)
+ (*cinfo->mem->alloc_small) ((j_common_ptr) cinfo, JPOOL_IMAGE,
+- (size_t) (((long) maxval + 1L) *
++ (size_t) (((long) MAX(maxval, 255) + 1L) *
+ sizeof(JSAMPLE)));
+ half_maxval = maxval / 2;
+ for (val = 0; val <= (long) maxval; val++) {
+
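Review bot: The rescale table is now at least 256 entries long, but the fill loop that follows the allocation still stops at `val <= (long) maxval`, so for maxval < 255 the entries from maxval+1 through 255 are never written in the visible code. A sample byte larger than maxval in a malformed binary PPM would then read one of those slots: the access is in bounds, but the value depends on whether alloc_small returns zeroed memory, which the hunk does not show. Consider clearing the table right after the allocation, e.g. `MEMZERO(source->rescale, (size_t)(((long)MAX(maxval, 255) + 1L) * sizeof(JSAMPLE)));`, or rejecting samples above maxval in the row readers. The same applies to the identical rdppm.c hunk carried by the 2.0.4 patch; start_input_ppm begins and ends outside both hunks.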
diff --git a/media-libs/libjpeg-turbo/files/libjpeg-turbo-2.0.4-CVE-2020-13790.patch b/media-libs/libjpeg-turbo/files/libjpeg-turbo-2.0.4-CVE-2020-13790.patch
new file mode 100644
index 000000000000..e88ac174684d
--- /dev/null
+++ b/media-libs/libjpeg-turbo/files/libjpeg-turbo-2.0.4-CVE-2020-13790.patch
@@ -0,0 +1,34 @@
+From 3de15e0c344d11d4b90f4a47136467053eb2d09a Mon Sep 17 00:00:00 2001
+From: DRC <information@libjpeg-turbo.org>
+Date: Tue, 2 Jun 2020 14:15:37 -0500
+Subject: [PATCH] rdppm.c: Fix buf overrun caused by bad binary PPM
+
+This extends the fix in 1e81b0c3ea26f4ea8f56de05367469333de64a9f to
+include binary PPM files with maximum values < 255, thus preventing a
+malformed binary PPM input file with those specifications from
+triggering an overrun of the rescale array and potentially crashing
+cjpeg, TJBench, or any program that uses the tjLoadImage() function.
+
+Fixes #433
+diff --git a/rdppm.c b/rdppm.c
+index 87bc33090..a8507b902 100644
+--- a/rdppm.c
++++ b/rdppm.c
+@@ -5,7 +5,7 @@
+ * Copyright (C) 1991-1997, Thomas G. Lane.
+ * Modified 2009 by Bill Allombert, Guido Vollbeding.
+ * libjpeg-turbo Modifications:
+- * Copyright (C) 2015-2017, D. R. Commander.
++ * Copyright (C) 2015-2017, 2020, D. R. Commander.
+ * For conditions of distribution and use, see the accompanying README.ijg
+ * file.
+ *
+@@ -720,7 +720,7 @@ start_input_ppm(j_compress_ptr cinfo, cjpeg_source_ptr sinfo)
+ /* On 16-bit-int machines we have to be careful of maxval = 65535 */
+ source->rescale = (JSAMPLE *)
+ (*cinfo->mem->alloc_small) ((j_common_ptr)cinfo, JPOOL_IMAGE,
+- (size_t)(((long)maxval + 1L) *
++ (size_t)(((long)MAX(maxval, 255) + 1L) *
+ sizeof(JSAMPLE)));
+ half_maxval = maxval / 2;
+ for (val = 0; val <= (long)maxval; val++) {