diff options
author | V3n3RiX <venerix@redcorelinux.org> | 2018-06-23 07:00:28 +0100 |
---|---|---|
committer | V3n3RiX <venerix@redcorelinux.org> | 2018-06-23 07:00:28 +0100 |
commit | e23cdda4dbb0c83b9e682ab5e916085a35203da5 (patch) | |
tree | 5a4ac448a3b288b731c24d947e0ce52df3cab07b /media-libs/libjpeg-turbo/files | |
parent | 8187a741807f3e9a9e26304973cf18087dcf2560 (diff) |
gentoo resync : 23.06.2018
Diffstat (limited to 'media-libs/libjpeg-turbo/files')
-rw-r--r-- | media-libs/libjpeg-turbo/files/libjpeg-turbo-1.5.3-divzero_fix.patch | 18 | ||||
-rw-r--r-- | media-libs/libjpeg-turbo/files/libjpeg-turbo-1.5.90-divzero_fix.patch | 41 |
2 files changed, 59 insertions, 0 deletions
diff --git a/media-libs/libjpeg-turbo/files/libjpeg-turbo-1.5.3-divzero_fix.patch b/media-libs/libjpeg-turbo/files/libjpeg-turbo-1.5.3-divzero_fix.patch new file mode 100644 index 000000000000..c7e6d1056769 --- /dev/null +++ b/media-libs/libjpeg-turbo/files/libjpeg-turbo-1.5.3-divzero_fix.patch @@ -0,0 +1,18 @@ +Backported from +https://github.com/libjpeg-turbo/libjpeg-turbo/commit/43e84cff1bb2bd8293066f6ac4eb0df61ddddbc6 + +--- libjpeg-turbo-1.5.3/rdbmp.c ++++ libjpeg-turbo-1.5.3/rdbmp.c +@@ -434,6 +434,12 @@ + progress->total_extra_passes++; /* count file input as separate pass */ + } + ++ /* Ensure that biWidth * cinfo->input_components doesn't exceed the maximum ++ value of the JDIMENSION type. This is only a danger with BMP files, since ++ their width and height fields are 32-bit integers. */ ++ if ((unsigned long long)biWidth * ++ (unsigned long long)cinfo->input_components > 0xFFFFFFFFULL) ++ ERREXIT(cinfo, JERR_WIDTH_OVERFLOW); + /* Allocate one-row buffer for returned data */ + source->pub.buffer = (*cinfo->mem->alloc_sarray) + ((j_common_ptr) cinfo, JPOOL_IMAGE, diff --git a/media-libs/libjpeg-turbo/files/libjpeg-turbo-1.5.90-divzero_fix.patch b/media-libs/libjpeg-turbo/files/libjpeg-turbo-1.5.90-divzero_fix.patch new file mode 100644 index 000000000000..d505499a082d --- /dev/null +++ b/media-libs/libjpeg-turbo/files/libjpeg-turbo-1.5.90-divzero_fix.patch @@ -0,0 +1,41 @@ +From 43e84cff1bb2bd8293066f6ac4eb0df61ddddbc6 Mon Sep 17 00:00:00 2001 +From: DRC <information@libjpeg-turbo.org> +Date: Tue, 12 Jun 2018 20:27:00 -0500 +Subject: [PATCH] tjLoadImage(): Fix FPE triggered by malformed BMP + +In rdbmp.c, it is necessary to guard against 32-bit overflow/wraparound +when allocating the row buffer, because since BMP files have 32-bit +width and height fields, the value of biWidth can be up to 4294967295. +Specifically, if biWidth is 1073741824 and cinfo->input_components = 4, +then the samplesperrow argument in alloc_sarray() would wrap around to +0, and a division by zero error would occur at line 458 in jmemmgr.c. + +If biWidth is set to a higher value, then samplesperrow would wrap +around to a small number, which would likely cause a buffer overflow +(this has not been tested or verified.) +diff --git a/rdbmp.c b/rdbmp.c +index fcabbb13e..a02cfd909 100644 +--- a/rdbmp.c ++++ b/rdbmp.c +@@ -6,7 +6,7 @@ + * Modified 2009-2010 by Guido Vollbeding. + * libjpeg-turbo Modifications: + * Modified 2011 by Siarhei Siamashka. +- * Copyright (C) 2015, 2017, D. R. Commander. ++ * Copyright (C) 2015, 2017-2018, D. R. Commander. + * For conditions of distribution and use, see the accompanying README.ijg + * file. + * +@@ -623,6 +623,12 @@ start_input_bmp(j_compress_ptr cinfo, cjpeg_source_ptr sinfo) + } + } + ++ /* Ensure that biWidth * cinfo->input_components doesn't exceed the maximum ++ value of the JDIMENSION type. This is only a danger with BMP files, since ++ their width and height fields are 32-bit integers. */ ++ if ((unsigned long long)biWidth * ++ (unsigned long long)cinfo->input_components > 0xFFFFFFFFULL) ++ ERREXIT(cinfo, JERR_WIDTH_OVERFLOW); + /* Allocate one-row buffer for returned data */ + source->pub.buffer = (*cinfo->mem->alloc_sarray) + ((j_common_ptr)cinfo, JPOOL_IMAGE, |