Overview

File libjpeg-turbo-CVE-2018-1152.patch of Package libjpeg62-turbo.25864

Index: libjpeg-turbo-1.5.3/rdbmp.c
===================================================================
--- libjpeg-turbo-1.5.3.orig/rdbmp.c
+++ libjpeg-turbo-1.5.3/rdbmp.c
@@ -434,6 +434,12 @@ start_input_bmp (j_compress_ptr cinfo, c
     progress->total_extra_passes++; /* count file input as separate pass */
   }
 
+  /* Ensure that biWidth * cinfo->input_components doesn't exceed the maximum
+     value of the JDIMENSION type.  This is only a danger with BMP files, since
+     their width and height fields are 32-bit integers. */
+  if ((unsigned long long)biWidth *
+      (unsigned long long)cinfo->input_components > 0xFFFFFFFFULL)
+    ERREXIT(cinfo, JERR_WIDTH_OVERFLOW);
   /* Allocate one-row buffer for returned data */
   source->pub.buffer = (*cinfo->mem->alloc_sarray)
     ((j_common_ptr) cinfo, JPOOL_IMAGE,
openSUSE Build Service is sponsored by
Places