aboutsummaryrefslogtreecommitdiff
path: root/gnu/packages/patches/libjpeg-turbo-CVE-2019-2201.patch
blob: 35f2bf596360bc9181d2231f6a0e1a7af2337644 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
Fix integer overflow which can potentially lead to RCE.

https://www.openwall.com/lists/oss-security/2019/11/11/1
https://nvd.nist.gov/vuln/detail/CVE-2019-2201

The problem was partially fixed in 2.0.3.  This patch is a follow-up.
https://github.com/libjpeg-turbo/libjpeg-turbo/issues/388
https://github.com/libjpeg-turbo/libjpeg-turbo/commit/c30b1e72dac76343ef9029833d1561de07d29bad

diff --git a/tjbench.c b/tjbench.c
index a7d397318..13a5bde62 100644
--- a/tjbench.c
+++ b/tjbench.c
@@ -171,7 +171,7 @@ static int decomp(unsigned char *srcBuf, unsigned char **jpegBuf,
   }
   /* Set the destination buffer to gray so we know whether the decompressor
      attempted to write to it */
-  memset(dstBuf, 127, pitch * scaledh);
+  memset(dstBuf, 127, (size_t)pitch * scaledh);
 
   if (doYUV) {
     int width = doTile ? tilew : scaledw;
@@ -193,7 +193,7 @@ static int decomp(unsigned char *srcBuf, unsigned char **jpegBuf,
     double start = getTime();
 
     for (row = 0, dstPtr = dstBuf; row < ntilesh;
-         row++, dstPtr += pitch * tileh) {
+         row++, dstPtr += (size_t)pitch * tileh) {
       for (col = 0, dstPtr2 = dstPtr; col < ntilesw;
            col++, tile++, dstPtr2 += ps * tilew) {
         int width = doTile ? min(tilew, w - col * tilew) : scaledw;