path: root/libjpeg-turbo-2.0.90-cve-2021-29390.patch
Diffstat (limited to 'libjpeg-turbo-2.0.90-cve-2021-29390.patch')
-rw-r--r-- libjpeg-turbo-2.0.90-cve-2021-29390.patch | 56
1 files changed, 56 insertions, 0 deletions
diff --git a/libjpeg-turbo-2.0.90-cve-2021-29390.patch b/libjpeg-turbo-2.0.90-cve-2021-29390.patch
new file mode 100644
index 0000000..8a2f490
--- /dev/null
+++ b/libjpeg-turbo-2.0.90-cve-2021-29390.patch
@@ -0,0 +1,56 @@
+From caf7c8978025eb0cc307bfeffdad46a16d47dad9 Mon Sep 17 00:00:00 2001
+From: DRC <information@libjpeg-turbo.org>
+Date: Wed, 25 Nov 2020 14:55:55 -0600
+Subject: [PATCH] Fix buffer overrun with certain narrow prog JPEGs
+
+Regression introduced by 6d91e950c871103a11bac2f10c63bf998796c719
+
+last_block_column in decompress_smooth_data() can be 0 if, for instance,
+decompressing a 4:4:4 image of width 8 or less or a 4:2:2 or 4:2:0 image
+of width 16 or less. Since last_block_column is an unsigned int,
+subtracting 1 from it produced 0xFFFFFFFF, the test in line 590 passed,
+and we attempted to access blocks from a second block column that didn't
+actually exist.
+
+Closes #476
+
+(cherry picked from commit ccaba5d7894ecfb5a8f11e48d3f86e1f14d5a469)
+---
+ ChangeLog.md | 10 ++++++++++
+ jdcoefct.c | 2 +-
+ 2 files changed, 11 insertions(+), 1 deletion(-)
+
+diff --git a/ChangeLog.md b/ChangeLog.md
+index 6eb06f0e..9084bee0 100644
+--- a/ChangeLog.md
++++ b/ChangeLog.md
+@@ -1,3 +1,13 @@
++2.1 post-beta
++=============
++
++### Significant changes relative to 2.1 beta1
++
++1. Fixed a regression introduced by 2.1 beta1[6(b)] whereby attempting to
++decompress certain progressive JPEG images with one or more component planes of
++width 8 or less caused a buffer overrun.
++
++
+ 2.0.90 (2.1 beta1)
+ ==================
+
+diff --git a/jdcoefct.c b/jdcoefct.c
+index 699a4809..a3c6d4e8 100644
+--- a/jdcoefct.c
++++ b/jdcoefct.c
+@@ -587,7 +587,7 @@ decompress_smooth_data(j_decompress_ptr cinfo, JSAMPIMAGE output_buf)
+ DC19 = (int)next_block_row[1][0];
+ DC24 = (int)next_next_block_row[1][0];
+ }
+- if (block_num < last_block_column - 1) {
++ if (block_num + 1 < last_block_column) {
+ DC05 = (int)prev_prev_block_row[2][0];
+ DC10 = (int)prev_block_row[2][0];
+ DC15 = (int)buffer_ptr[2][0];
+--
+2.41.0
+
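Review bot: In the jdcoefct.c hunk, the context directly above the changed test reads `next_block_row[1][0]` and `next_next_block_row[1][0]` under a condition the hunk does not show, and index [1] is already a second block column, so that guard needs the same check against the last_block_column == 0 case the commit message describes. The rewritten test `block_num + 1 < last_block_column` removes the unsigned wraparound for the [2][0] reads; please confirm the [1][0] reads cannot be reached when a component has only one block column, and consider adding a regression test that decodes a progressive image at the widths named in the commit message. Separately, the file name carries CVE-2021-29390 but nothing in the embedded commit message or ChangeLog entry mentions it, so a short header line tying the CVE to this upstream commit would make the patch easier to audit later.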