rpms / libjpeg-turbo

Clone
Source Code
GIT

Files

  1.   51a3346969aadd03f87b4d088fc6467e6e2a1ca3
  2.   libjpeg-turbo-CVE-2018-20330.patch
Blob Blame History Raw 
From 9c5f56c55a8610953854408b3aade01320064e07 Mon Sep 17 00:00:00 2001
From: DRC <information@libjpeg-turbo.org>
Date: Tue, 1 Jan 2019 18:57:36 -0600
Subject: [PATCH] tjLoadImage(): Fix int overflow/segfault w/big BMP

Fixes #304
---
 turbojpeg.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/turbojpeg.c b/turbojpeg.c
index 90a9ce6..3b5154f 100644
--- a/turbojpeg.c
+++ b/turbojpeg.c
@@ -1960,7 +1960,8 @@ DLLEXPORT unsigned char *tjLoadImage(const char *filename, int *width,
                                      int align, int *height, int *pixelFormat,
                                      int flags)
 {
-  int retval = 0, tempc, pitch;
+  int retval = 0, tempc;
+  size_t pitch;
   tjhandle handle = NULL;
   tjinstance *this;
   j_compress_ptr cinfo = NULL;
@@ -2013,7 +2014,9 @@ DLLEXPORT unsigned char *tjLoadImage(const char *filename, int *width,
   *pixelFormat = cs2pf[cinfo->in_color_space];
 
   pitch = PAD((*width) * tjPixelSize[*pixelFormat], align);
-  if ((dstBuf = (unsigned char *)malloc(pitch * (*height))) == NULL)
+  if ((unsigned long long)pitch * (unsigned long long)(*height) >
+      (unsigned long long)((size_t)-1) ||
+      (dstBuf = (unsigned char *)malloc(pitch * (*height))) == NULL)
     _throwg("tjLoadImage(): Memory allocation failure");
 
   if (setjmp(this->jerr.setjmp_buffer)) {
-- 
2.17.2
Powered by Pagure 5.14.1
DocumentationFile an IssueAbout this InstanceSSH Hostkey/Fingerprint
© Red Hat, Inc. and others.