gentoo resync : 23.06.2018

2 files changed, 59 insertions, 0 deletions

diff --git a/media-libs/libjpeg-turbo/files/libjpeg-turbo-1.5.3-divzero_fix.patch b/media-libs/libjpeg-turbo/files/libjpeg-turbo-1.5.3-divzero_fix.patch
new file mode 100644
index 000000000000..c7e6d1056769
--- /dev/null
+++ b/media-libs/libjpeg-turbo/files/libjpeg-turbo-1.5.3-divzero_fix.patch
@@ -0,0 +1,18 @@
+Backported from
+https://github.com/libjpeg-turbo/libjpeg-turbo/commit/43e84cff1bb2bd8293066f6ac4eb0df61ddddbc6
+
+--- libjpeg-turbo-1.5.3/rdbmp.c
++++ libjpeg-turbo-1.5.3/rdbmp.c
+@@ -434,6 +434,12 @@
+     progress->total_extra_passes++; /* count file input as separate pass */
+   }
+ 
++  /* Ensure that biWidth * cinfo->input_components doesn't exceed the maximum
++     value of the JDIMENSION type.  This is only a danger with BMP files, since
++     their width and height fields are 32-bit integers. */
++  if ((unsigned long long)biWidth *
++      (unsigned long long)cinfo->input_components > 0xFFFFFFFFULL)
++    ERREXIT(cinfo, JERR_WIDTH_OVERFLOW);
+   /* Allocate one-row buffer for returned data */
+   source->pub.buffer = (*cinfo->mem->alloc_sarray)
+     ((j_common_ptr) cinfo, JPOOL_IMAGE,
diff --git a/media-libs/libjpeg-turbo/files/libjpeg-turbo-1.5.90-divzero_fix.patch b/media-libs/libjpeg-turbo/files/libjpeg-turbo-1.5.90-divzero_fix.patch
new file mode 100644
index 000000000000..d505499a082d
--- /dev/null
+++ b/media-libs/libjpeg-turbo/files/libjpeg-turbo-1.5.90-divzero_fix.patch
@@ -0,0 +1,41 @@
+From 43e84cff1bb2bd8293066f6ac4eb0df61ddddbc6 Mon Sep 17 00:00:00 2001
+From: DRC <information@libjpeg-turbo.org>
+Date: Tue, 12 Jun 2018 20:27:00 -0500
+Subject: [PATCH] tjLoadImage(): Fix FPE triggered by malformed BMP
+
+In rdbmp.c, it is necessary to guard against 32-bit overflow/wraparound
+when allocating the row buffer, because since BMP files have 32-bit
+width and height fields, the value of biWidth can be up to 4294967295.
+Specifically, if biWidth is 1073741824 and cinfo->input_components = 4,
+then the samplesperrow argument in alloc_sarray() would wrap around to
+0, and a division by zero error would occur at line 458 in jmemmgr.c.
+
+If biWidth is set to a higher value, then samplesperrow would wrap
+around to a small number, which would likely cause a buffer overflow
+(this has not been tested or verified.)
+diff --git a/rdbmp.c b/rdbmp.c
+index fcabbb13e..a02cfd909 100644
+--- a/rdbmp.c
++++ b/rdbmp.c
+@@ -6,7 +6,7 @@
+  * Modified 2009-2010 by Guido Vollbeding.
+  * libjpeg-turbo Modifications:
+  * Modified 2011 by Siarhei Siamashka.
+- * Copyright (C) 2015, 2017, D. R. Commander.
++ * Copyright (C) 2015, 2017-2018, D. R. Commander.
+  * For conditions of distribution and use, see the accompanying README.ijg
+  * file.
+  *
+@@ -623,6 +623,12 @@ start_input_bmp(j_compress_ptr cinfo, cjpeg_source_ptr sinfo)
+     }
+   }
+ 
++  /* Ensure that biWidth * cinfo->input_components doesn't exceed the maximum
++     value of the JDIMENSION type.  This is only a danger with BMP files, since
++     their width and height fields are 32-bit integers. */
++  if ((unsigned long long)biWidth *
++      (unsigned long long)cinfo->input_components > 0xFFFFFFFFULL)
++    ERREXIT(cinfo, JERR_WIDTH_OVERFLOW);
+   /* Allocate one-row buffer for returned data */
+   source->pub.buffer = (*cinfo->mem->alloc_sarray)
+     ((j_common_ptr)cinfo, JPOOL_IMAGE,