mirrors/poky
1
0
Fork 0
mirror of https://git.yoctoproject.org/poky synced 2026-03-16 20:29:41 +01:00
Code Issues Packages Projects Releases Wiki Activity
Files
caac6c06bbeff7691f4f26c1d41e94de3d3c1c9a
poky/meta/recipes-graphics/jpeg/files/CVE-2023-2804-2.patch
Peter Marko f24230b04b libjpeg-turbo: patch CVE-2023-2804 
Relevant links:
* linked fronm NVD:
  * https://github.com/libjpeg-turbo/libjpeg-turbo/issues/668#issuecomment-1492586118
* follow-up analysis:
  * https://github.com/libjpeg-turbo/libjpeg-turbo/issues/668#issuecomment-1496473989
  * picked commits fix all issues mentioned in this analysis

(From OE-Core rev: ca8ede6d29c04159e85c2bdd2b635c58ec6a1484)

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2023-08-02 04:47:12 -10:00

76 lines
3.3 KiB
Diff
Raw Blame History

From 2e1b8a462f7f9f9bf6cd25a8516caa8203cc4593 Mon Sep 17 00:00:00 2001
From: DRC <information@libjpeg-turbo.org>
Date: Thu, 6 Apr 2023 18:33:41 -0500
Subject: [PATCH] jpeg_crop_scanline: Fix calc w/sclg + 2x4,4x2 samp
When computing the downsampled width for a particular component,
jpeg_crop_scanline() needs to take into account the fact that the
libjpeg code uses a combination of IDCT scaling and upsampling to
implement 4x2 and 2x4 upsampling with certain decompression scaling
factors. Failing to account for that led to incomplete upsampling of
4x2- or 2x4-subsampled components, which caused the color converter to
read from uninitialized memory. With 12-bit data precision, this caused
a buffer overrun or underrun and subsequent segfault if the
uninitialized memory contained a value that was outside of the valid
sample range (because the color converter uses the value as an array
index.)
Fixes #669
CVE: CVE-2023-2804
Upstream-Status: Backport [https://github.com/libjpeg-turbo/libjpeg-turbo/commit/2e1b8a462f7f9f9bf6cd25a8516caa8203cc4593]
Signed-off-by: Peter Marko <peter.marko@siemens.com>
---
ChangeLog.md | 8 ++++++++
jdapistd.c | 10 ++++++----
2 files changed, 14 insertions(+), 4 deletions(-)
diff --git a/ChangeLog.md b/ChangeLog.md
index f1bfb3d87..0a075c3c5 100644
--- a/ChangeLog.md
+++ b/ChangeLog.md
@@ -9,6 +9,14 @@ overruns when attempting to decompress various specially-crafted malformed
(`-DWITH_12BIT=1`) with both color quantization and RGB565 color conversion
enabled.
+2. Fixed an issue whereby `jpeg_crop_scanline()` sometimes miscalculated the
+downsampled width for components with 4x2 or 2x4 subsampling factors if
+decompression scaling was enabled. This caused the components to be upsampled
+incompletely, which caused the color converter to read from uninitialized
+memory. With 12-bit data precision, this caused a buffer overrun or underrun
+and subsequent segfault if the sample value read from unitialized memory was
+outside of the valid sample range.
+
2.1.5.1
=======
diff --git a/jdapistd.c b/jdapistd.c
index 02cd0cb93..96cded112 100644
--- a/jdapistd.c
+++ b/jdapistd.c
@@ -4,7 +4,7 @@
* This file was part of the Independent JPEG Group's software:
* Copyright (C) 1994-1996, Thomas G. Lane.
* libjpeg-turbo Modifications:
- * Copyright (C) 2010, 2015-2020, 2022, D. R. Commander.
+ * Copyright (C) 2010, 2015-2020, 2022-2023, D. R. Commander.
* Copyright (C) 2015, Google, Inc.
* For conditions of distribution and use, see the accompanying README.ijg
* file.
@@ -236,9 +236,11 @@ jpeg_crop_scanline(j_decompress_ptr cinfo, JDIMENSION *xoffset,
/* Set downsampled_width to the new output width. */
orig_downsampled_width = compptr->downsampled_width;
compptr->downsampled_width =
- (JDIMENSION)jdiv_round_up((long)(cinfo->output_width *
- compptr->h_samp_factor),
- (long)cinfo->max_h_samp_factor);
+ (JDIMENSION)jdiv_round_up((long)cinfo->output_width *
+ (long)(compptr->h_samp_factor *
+ compptr->_DCT_scaled_size),
+ (long)(cinfo->max_h_samp_factor *
+ cinfo->_min_DCT_scaled_size));
if (compptr->downsampled_width < 2 && orig_downsampled_width >= 2)
reinit_upsampler = TRUE;
Reference in New Issue View Git Blame Copy Permalink