File libjpeg-turbo-CVE-2019-2201.patch of Package libjpeg-turbo.25863

Overview Repositories Revisions Requests Users Attributes Meta

File libjpeg-turbo-CVE-2019-2201.patch of Package libjpeg-turbo.25863

Index: libjpeg-turbo-1.5.3/tjbench.c
===================================================================
--- libjpeg-turbo-1.5.3.orig/tjbench.c	2017-12-14 05:39:01.000000000 +0100
+++ libjpeg-turbo-1.5.3/tjbench.c	2019-11-13 08:48:18.339233270 +0100
@@ -32,6 +32,7 @@
 #include <ctype.h>
 #include <math.h>
 #include <errno.h>
+#include <limits.h>
 #include <cdjpeg.h>
 #include "./bmp.h"
 #include "./tjutil.h"
@@ -125,21 +126,25 @@ int decomp(unsigned char *srcbuf, unsign
 	if((handle=tjInitDecompress())==NULL)
 		_throwtj("executing tjInitDecompress()");
 
-	if(dstbuf==NULL)
-	{
-		if((dstbuf=(unsigned char *)malloc(pitch*scaledh))==NULL)
+        if (dstbuf == NULL) {
+ 	        if ((unsigned long long)pitch * (unsigned long long)scaledh >
+                    (unsigned long long)((size_t)-1))
+                        _throw("allocating destination buffer", "Image is too large");
+		if((dstbuf=(unsigned char *)malloc((size_t)pitch*scaledh))==NULL)
 			_throwunix("allocating destination buffer");
 		dstbufalloc=1;
 	}
 	/* Set the destination buffer to gray so we know whether the decompressor
 	   attempted to write to it */
-	memset(dstbuf, 127, pitch*scaledh);
+	memset(dstbuf, 127, (size_t)pitch*scaledh);
 
 	if(doyuv)
 	{
 		int width=dotile? tilew:scaledw;
 		int height=dotile? tileh:scaledh;
-		int yuvsize=tjBufSizeYUV2(width, yuvpad, height, subsamp);
+		unsigned long yuvsize=tjBufSizeYUV2(width, yuvpad, height, subsamp);
+                if (yuvsize == (unsigned long)-1)
+                        _throwtj("allocating YUV buffer");
 		if((yuvbuf=(unsigned char *)malloc(yuvsize))==NULL)
 			_throwunix("allocating YUV buffer");
 		memset(yuvbuf, 127, yuvsize);
@@ -152,7 +157,7 @@ int decomp(unsigned char *srcbuf, unsign
 	{
 		int tile=0;
 		double start=gettime();
-		for(row=0, dstptr=dstbuf; row<ntilesh; row++, dstptr+=pitch*tileh)
+		for(row=0, dstptr=dstbuf; row<ntilesh; row++, dstptr+=(size_t)pitch*tileh)
 		{
 			for(col=0, dstptr2=dstptr; col<ntilesw; col++, tile++, dstptr2+=ps*tilew)
 			{
@@ -242,14 +247,14 @@ int decomp(unsigned char *srcbuf, unsign
 		if(!quiet) printf("Compression error written to %s.\n", tempstr);
 		if(subsamp==TJ_GRAYSCALE)
 		{
-			int index, index2;
+			unsigned long index, index2;
 			for(row=0, index=0; row<h; row++, index+=pitch)
 			{
 				for(col=0, index2=index; col<w; col++, index2+=ps)
 				{
-					int rindex=index2+tjRedOffset[pf];
-					int gindex=index2+tjGreenOffset[pf];
-					int bindex=index2+tjBlueOffset[pf];
+					unsigned long rindex=index2+tjRedOffset[pf];
+					unsigned long gindex=index2+tjGreenOffset[pf];
+					unsigned long bindex=index2+tjBlueOffset[pf];
 					int y=(int)((double)srcbuf[rindex]*0.299
 						+ (double)srcbuf[gindex]*0.587
 						+ (double)srcbuf[bindex]*0.114 + 0.5);
@@ -290,13 +295,17 @@ int fullTest(unsigned char *srcbuf, int
 	unsigned char **jpegbuf=NULL, *yuvbuf=NULL, *tmpbuf=NULL, *srcptr, *srcptr2;
 	double start, elapsed, elapsedEncode;
 	int totaljpegsize=0, row, col, i, tilew=w, tileh=h, retval=0;
-	int iter, yuvsize=0;
+	int iter;
+        unsigned long yuvsize=0;
 	unsigned long *jpegsize=NULL;
 	int ps=tjPixelSize[pf];
 	int ntilesw=1, ntilesh=1, pitch=w*ps;
 	const char *pfStr=pixFormatStr[pf];
 
-	if((tmpbuf=(unsigned char *)malloc(pitch*h)) == NULL)
+        if ((unsigned long long)pitch * (unsigned long long)h >
+            (unsigned long long)((size_t)-1))
+                _throw("allocating temporary image buffer", "Image is too large");
+	if((tmpbuf=(unsigned char *)malloc((size_t)pitch*h)) == NULL)
 		_throwunix("allocating temporary image buffer");
 
 	if(!quiet)
@@ -322,6 +331,8 @@ int fullTest(unsigned char *srcbuf, int
 		if((flags&TJFLAG_NOREALLOC)!=0)
 			for(i=0; i<ntilesw*ntilesh; i++)
 			{
+                                if (tjBufSize(tilew, tileh, subsamp) > (unsigned long)INT_MAX)
+                                        _throw("getting buffer size", "Image is too large");
 				if((jpegbuf[i]=(unsigned char *)tjAlloc(tjBufSize(tilew, tileh,
 					subsamp)))==NULL)
 					_throwunix("allocating JPEG tiles");
@@ -339,6 +350,8 @@ int fullTest(unsigned char *srcbuf, int
 		if(doyuv)
 		{
 			yuvsize=tjBufSizeYUV2(tilew, yuvpad, tileh, subsamp);
+                        if (yuvsize == (unsigned long)-1)
+                                _throwtj("allocating YUV buffer");
 			if((yuvbuf=(unsigned char *)malloc(yuvsize))==NULL)
 				_throwunix("allocating YUV buffer");
 			memset(yuvbuf, 127, yuvsize);
@@ -418,7 +431,7 @@ int fullTest(unsigned char *srcbuf, int
 			{
 				printf("Encode YUV    --> Frame rate:         %f fps\n",
 					(double)iter/elapsedEncode);
-				printf("                  Output image size:  %d bytes\n", yuvsize);
+				printf("                  Output image size:  %lu bytes\n", yuvsize);
 				printf("                  Compression ratio:  %f:1\n",
 					(double)(w*h*ps)/(double)yuvsize);
 				printf("                  Throughput:         %f Megapixels/sec\n",
@@ -559,9 +572,12 @@ int decompTest(char *filename)
 			_throwunix("allocating JPEG size array");
 		memset(jpegsize, 0, sizeof(unsigned long)*ntilesw*ntilesh);
 
-		if((flags&TJFLAG_NOREALLOC)!=0 || !dotile)
+		if((flags&TJFLAG_NOREALLOC)!=0 &&
+                   (dotile || xformop != TJXOP_NONE || xformopt != 0 || customFilter))
 			for(i=0; i<ntilesw*ntilesh; i++)
 			{
+                                if (tjBufSize(tilew, tileh, subsamp) > (unsigned long)INT_MAX)
+                                        _throw("getting buffer size", "Image is too large");
 				if((jpegbuf[i]=(unsigned char *)tjAlloc(tjBufSize(tilew, tileh,
 					subsamp)))==NULL)
 					_throwunix("allocating JPEG tiles");
@@ -682,7 +698,7 @@ int decompTest(char *filename)
 		else
 		{
 			if(quiet==1) printf("N/A     N/A     ");
-			tjFree(jpegbuf[0]);
+			if(jpegbuf[0]) tjFree(jpegbuf[0]);
 			jpegbuf[0]=NULL;
 			decompsrc=1;
 		}
@@ -699,7 +715,7 @@ int decompTest(char *filename)
 
 		for(i=0; i<ntilesw*ntilesh; i++)
 		{
-			tjFree(jpegbuf[i]);  jpegbuf[i]=NULL;
+			 if(jpegbuf[i]) tjFree(jpegbuf[i]);  jpegbuf[i]=NULL;
 		}
 		free(jpegbuf);  jpegbuf=NULL;
 		if(jpegsize) {free(jpegsize);  jpegsize=NULL;}
Index: libjpeg-turbo-1.5.3/tjunittest.c
===================================================================
--- libjpeg-turbo-1.5.3.orig/tjunittest.c	2017-12-14 05:39:01.000000000 +0100
+++ libjpeg-turbo-1.5.3/tjunittest.c	2019-11-12 14:01:00.301625434 +0100
@@ -36,6 +36,7 @@
 #include <errno.h>
 #include "./tjutil.h"
 #include "./turbojpeg.h"
+#include "./jconfigint.h"
 #ifdef _WIN32
  #include <time.h>
  #define random() rand()
@@ -592,6 +593,43 @@ void doTest(int w, int h, const int *for
 	if(dstBuf) tjFree(dstBuf);
 }
 
+#if SIZEOF_SIZE_T == 8
+#define CHECKSIZE(function) { \
+  if ((unsigned long long)size < (unsigned long long)0xFFFFFFFF) { \
+    printf(#function " Overflow\n"); \
+    exit(1); \
+  } \
+}
+#else
+#define CHECKSIZE(function) { \
+  if (size != (unsigned long)(-1) || \
+      !strcmp(tjGetErrorStr(), "No error")) { \
+    printf(#function " Overflow\n"); \
+    exit(1); \
+  } \
+}
+#endif
+
+static void overflowTest(void)
+{
+  /* Ensure that the various buffer size functions don't overflow */
+  unsigned long size;
+
+  printf("Overflow test ..\n");
+
+  size = tjBufSize(26755, 26755, TJSAMP_444);
+  CHECKSIZE(tjBufSize());
+  size = TJBUFSIZE(26755, 26755);
+  CHECKSIZE(TJBUFSIZE());
+  size = tjBufSizeYUV2(37838, 1, 37838, TJSAMP_444);
+  CHECKSIZE(tjBufSizeYUV2());
+  size = TJBUFSIZEYUV(37838, 37838, TJSAMP_444);
+  CHECKSIZE(TJBUFSIZEYUV());
+  size = tjBufSizeYUV(37838, 37838, TJSAMP_444);
+  CHECKSIZE(tjBufSizeYUV());
+  size = tjPlaneSizeYUV(0, 65536, 0, 65536, TJSAMP_444);
+  CHECKSIZE(tjPlaneSizeYUV());
+}
 
 void bufSizeTest(void)
 {
@@ -704,6 +742,7 @@ int main(int argc, char *argv[])
 	}
 	if(alloc) printf("Testing automatic buffer allocation\n");
 	if(doyuv) num4bf=4;
+	overflowTest();
 	doTest(35, 39, _3byteFormats, 2, TJSAMP_444, "test");
 	doTest(39, 41, _4byteFormats, num4bf, TJSAMP_444, "test");
 	doTest(41, 35, _3byteFormats, 2, TJSAMP_422, "test");
Index: libjpeg-turbo-1.5.3/turbojpeg.c
===================================================================
--- libjpeg-turbo-1.5.3.orig/turbojpeg.c	2017-12-14 05:39:01.000000000 +0100
+++ libjpeg-turbo-1.5.3/turbojpeg.c	2019-11-12 14:01:00.301625434 +0100
@@ -622,7 +622,7 @@ DLLEXPORT tjhandle DLLCALL tjInitCompres
 DLLEXPORT unsigned long DLLCALL tjBufSize(int width, int height,
 	int jpegSubsamp)
 {
-	unsigned long retval=0;  int mcuw, mcuh, chromasf;
+	unsigned long long retval=0;  int mcuw, mcuh, chromasf;
 	if(width<1 || height<1 || jpegSubsamp<0 || jpegSubsamp>=NUMSUBOPT)
 		_throw("tjBufSize(): Invalid argument");
 
@@ -632,32 +632,37 @@ DLLEXPORT unsigned long DLLCALL tjBufSiz
 	mcuw=tjMCUWidth[jpegSubsamp];
 	mcuh=tjMCUHeight[jpegSubsamp];
 	chromasf=jpegSubsamp==TJSAMP_GRAY? 0: 4*64/(mcuw*mcuh);
-	retval=PAD(width, mcuw) * PAD(height, mcuh) * (2 + chromasf) + 2048;
+        retval = PAD(width, mcuw) * PAD(height, mcuh) * (2ULL + chromasf) + 2048ULL;
+        if (retval > (unsigned long long)((unsigned long)-1))
+          _throw("tjBufSize(): Image is too large");
 
 	bailout:
-	return retval;
+	return (unsigned long)retval;
 }
 
 DLLEXPORT unsigned long DLLCALL TJBUFSIZE(int width, int height)
 {
-	unsigned long retval=0;
+	unsigned long long retval=0;
 	if(width<1 || height<1)
 		_throw("TJBUFSIZE(): Invalid argument");
 
 	/* This allows for rare corner cases in which a JPEG image can actually be
 	   larger than the uncompressed input (we wouldn't mention it if it hadn't
 	   happened before.) */
-	retval=PAD(width, 16) * PAD(height, 16) * 6 + 2048;
+        retval = PAD(width, 16) * PAD(height, 16) * 6ULL + 2048ULL;
+        if (retval > (unsigned long long)((unsigned long)-1))
+          _throw("TJBUFSIZE(): Image is too large");
 
 	bailout:
-	return retval;
+	return (unsigned long)retval;
 }
 
 
 DLLEXPORT unsigned long DLLCALL tjBufSizeYUV2(int width, int pad, int height,
 	int subsamp)
 {
-	int retval=0, nc, i;
+        unsigned long long retval=0;
+	int nc, i;
 
 	if(subsamp<0 || subsamp>=NUMSUBOPT)
 		_throw("tjBufSizeYUV2(): Invalid argument");
@@ -669,11 +674,13 @@ DLLEXPORT unsigned long DLLCALL tjBufSiz
 		int stride=PAD(pw, pad);
 		int ph=tjPlaneHeight(i, height, subsamp);
 		if(pw<0 || ph<0) return -1;
-		else retval+=stride*ph;
+		else retval+=(unsigned long long)stride*ph;
 	}
+        if (retval > (unsigned long long)((unsigned long)-1))
+          _throw("tjBufSizeYUV2(): Image is too large");
 
 	bailout:
-	return retval;
+	return (unsigned long)retval;
 }
 
 DLLEXPORT unsigned long DLLCALL tjBufSizeYUV(int width, int height,
@@ -734,7 +741,7 @@ DLLEXPORT int tjPlaneHeight(int componen
 DLLEXPORT unsigned long DLLCALL tjPlaneSizeYUV(int componentID, int width,
 	int stride, int height, int subsamp)
 {
-	unsigned long retval=0;
+	unsigned long long retval=0;
 	int pw, ph;
 
 	if(width<1 || height<1 || subsamp<0 || subsamp>=NUMSUBOPT)
@@ -747,10 +754,12 @@ DLLEXPORT unsigned long DLLCALL tjPlaneS
 	if(stride==0) stride=pw;
 	else stride=abs(stride);
 
-	retval=stride*(ph-1)+pw;
+	retval=(unsigned long long)stride*(ph-1)+pw;
+        if (retval > (unsigned long long)((unsigned long)-1))
+          _throw("tjPlaneSizeYUV(): Image is too large");
 
 	bailout:
-	return retval;
+	return (unsigned long)retval;
 }
 
 
@@ -812,8 +821,8 @@ DLLEXPORT int DLLCALL tjCompress2(tjhand
 	for(i=0; i<height; i++)
 	{
 		if(flags&TJFLAG_BOTTOMUP)
-			row_pointer[i]=(JSAMPROW)&srcBuf[(height-i-1)*pitch];
-		else row_pointer[i]=(JSAMPROW)&srcBuf[i*pitch];
+			row_pointer[i]=(JSAMPROW)&srcBuf[(height-i-1)*(size_t)pitch];
+		else row_pointer[i]=(JSAMPROW)&srcBuf[i*(size_t)pitch];
 	}
 	while(cinfo->next_scanline<cinfo->image_height)
 	{
@@ -938,8 +947,8 @@ DLLEXPORT int DLLCALL tjEncodeYUVPlanes(
 	for(i=0; i<height; i++)
 	{
 		if(flags&TJFLAG_BOTTOMUP)
-			row_pointer[i]=(JSAMPROW)&srcBuf[(height-i-1)*pitch];
-		else row_pointer[i]=(JSAMPROW)&srcBuf[i*pitch];
+			row_pointer[i]=(JSAMPROW)&srcBuf[(height-i-1)*(size_t)pitch];
+		else row_pointer[i]=(JSAMPROW)&srcBuf[i*(size_t)pitch];
 	}
 	if(height<ph0)
 		for(i=height; i<ph0; i++) row_pointer[i]=row_pointer[height-1];
@@ -1455,8 +1464,8 @@ DLLEXPORT int DLLCALL tjDecompress2(tjha
 	for(i=0; i<(int)dinfo->output_height; i++)
 	{
 		if(flags&TJFLAG_BOTTOMUP)
-			row_pointer[i]=&dstBuf[(dinfo->output_height-i-1)*pitch];
-		else row_pointer[i]=&dstBuf[i*pitch];
+			row_pointer[i]=&dstBuf[(dinfo->output_height-i-1)*(size_t)pitch];
+		else row_pointer[i]=&dstBuf[i*(size_t)pitch];
 	}
 	while(dinfo->output_scanline<dinfo->output_height)
 	{
@@ -1640,8 +1649,8 @@ DLLEXPORT int DLLCALL tjDecodeYUVPlanes(
 		_throw("tjDecodeYUVPlanes(): Memory allocation failure");
 	for(i=0; i<height; i++)
 	{
-		if(flags&TJFLAG_BOTTOMUP) row_pointer[i]=&dstBuf[(height-i-1)*pitch];
-		else row_pointer[i]=&dstBuf[i*pitch];
+		if(flags&TJFLAG_BOTTOMUP) row_pointer[i]=&dstBuf[(height-i-1)*(size_t)pitch];
+		else row_pointer[i]=&dstBuf[i*(size_t)pitch];
 	}
 	if(height<ph0)
 		for(i=height; i<ph0; i++) row_pointer[i]=row_pointer[height-1];

Places

File libjpeg-turbo-CVE-2019-2201.patch of Package libjpeg-turbo.25863

Places