diff options
Diffstat (limited to 'poky/meta/recipes-graphics/jpeg/files/CVE-2023-2804-2.patch')
-rw-r--r-- | poky/meta/recipes-graphics/jpeg/files/CVE-2023-2804-2.patch | 75 |
1 files changed, 75 insertions, 0 deletions
diff --git a/poky/meta/recipes-graphics/jpeg/files/CVE-2023-2804-2.patch b/poky/meta/recipes-graphics/jpeg/files/CVE-2023-2804-2.patch new file mode 100644 index 0000000000..af955a72f6 --- /dev/null +++ b/poky/meta/recipes-graphics/jpeg/files/CVE-2023-2804-2.patch @@ -0,0 +1,75 @@ +From 2e1b8a462f7f9f9bf6cd25a8516caa8203cc4593 Mon Sep 17 00:00:00 2001 +From: DRC <information@libjpeg-turbo.org> +Date: Thu, 6 Apr 2023 18:33:41 -0500 +Subject: [PATCH] jpeg_crop_scanline: Fix calc w/sclg + 2x4,4x2 samp + +When computing the downsampled width for a particular component, +jpeg_crop_scanline() needs to take into account the fact that the +libjpeg code uses a combination of IDCT scaling and upsampling to +implement 4x2 and 2x4 upsampling with certain decompression scaling +factors. Failing to account for that led to incomplete upsampling of +4x2- or 2x4-subsampled components, which caused the color converter to +read from uninitialized memory. With 12-bit data precision, this caused +a buffer overrun or underrun and subsequent segfault if the +uninitialized memory contained a value that was outside of the valid +sample range (because the color converter uses the value as an array +index.) + +Fixes #669 + +CVE: CVE-2023-2804 +Upstream-Status: Backport [https://github.com/libjpeg-turbo/libjpeg-turbo/commit/2e1b8a462f7f9f9bf6cd25a8516caa8203cc4593] + +Signed-off-by: Peter Marko <peter.marko@siemens.com> +--- + ChangeLog.md | 8 ++++++++ + jdapistd.c | 10 ++++++---- + 2 files changed, 14 insertions(+), 4 deletions(-) + +diff --git a/ChangeLog.md b/ChangeLog.md +index f1bfb3d87..0a075c3c5 100644 +--- a/ChangeLog.md ++++ b/ChangeLog.md +@@ -9,6 +9,14 @@ overruns when attempting to decompress various specially-crafted malformed + (`-DWITH_12BIT=1`) with both color quantization and RGB565 color conversion + enabled. + ++2. Fixed an issue whereby `jpeg_crop_scanline()` sometimes miscalculated the ++downsampled width for components with 4x2 or 2x4 subsampling factors if ++decompression scaling was enabled. This caused the components to be upsampled ++incompletely, which caused the color converter to read from uninitialized ++memory. With 12-bit data precision, this caused a buffer overrun or underrun ++and subsequent segfault if the sample value read from unitialized memory was ++outside of the valid sample range. ++ + + 2.1.5.1 + ======= +diff --git a/jdapistd.c b/jdapistd.c +index 02cd0cb93..96cded112 100644 +--- a/jdapistd.c ++++ b/jdapistd.c +@@ -4,7 +4,7 @@ + * This file was part of the Independent JPEG Group's software: + * Copyright (C) 1994-1996, Thomas G. Lane. + * libjpeg-turbo Modifications: +- * Copyright (C) 2010, 2015-2020, 2022, D. R. Commander. ++ * Copyright (C) 2010, 2015-2020, 2022-2023, D. R. Commander. + * Copyright (C) 2015, Google, Inc. + * For conditions of distribution and use, see the accompanying README.ijg + * file. +@@ -236,9 +236,11 @@ jpeg_crop_scanline(j_decompress_ptr cinfo, JDIMENSION *xoffset, + /* Set downsampled_width to the new output width. */ + orig_downsampled_width = compptr->downsampled_width; + compptr->downsampled_width = +- (JDIMENSION)jdiv_round_up((long)(cinfo->output_width * +- compptr->h_samp_factor), +- (long)cinfo->max_h_samp_factor); ++ (JDIMENSION)jdiv_round_up((long)cinfo->output_width * ++ (long)(compptr->h_samp_factor * ++ compptr->_DCT_scaled_size), ++ (long)(cinfo->max_h_samp_factor * ++ cinfo->_min_DCT_scaled_size)); + if (compptr->downsampled_width < 2 && orig_downsampled_width >= 2) + reinit_upsampler = TRUE; + |