diff options
Diffstat (limited to 'package/jpeg-turbo/0001-tjLoadImage-Fix-int-overflow-segfault-w-big-BMP.patch')
| -rw-r--r-- | package/jpeg-turbo/0001-tjLoadImage-Fix-int-overflow-segfault-w-big-BMP.patch | 51 |
1 files changed, 51 insertions, 0 deletions
diff --git a/package/jpeg-turbo/0001-tjLoadImage-Fix-int-overflow-segfault-w-big-BMP.patch b/package/jpeg-turbo/0001-tjLoadImage-Fix-int-overflow-segfault-w-big-BMP.patch new file mode 100644 index 0000000000..a10fcf62af --- /dev/null +++ b/package/jpeg-turbo/0001-tjLoadImage-Fix-int-overflow-segfault-w-big-BMP.patch @@ -0,0 +1,51 @@ +From 3d9c64e9f8aa1ee954d1d0bb3390fc894bb84da3 Mon Sep 17 00:00:00 2001 +From: DRC <information@libjpeg-turbo.org> +Date: Tue, 1 Jan 2019 18:57:36 -0600 +Subject: [PATCH] tjLoadImage(): Fix int overflow/segfault w/big BMP + +Fixes #304 + +[baruch: drop the ChangeLog.md hunk] +Signed-off-by: Baruch Siach <baruch@tkos.co.il> +--- +Upstream status: commit 3d9c64e9f8aa + + ChangeLog.md | 4 ++++ + turbojpeg.c | 9 ++++++--- + 2 files changed, 10 insertions(+), 3 deletions(-) + +diff --git a/turbojpeg.c b/turbojpeg.c +index 90a9ce6a0be8..3f7cd640677f 100644 +--- a/turbojpeg.c ++++ b/turbojpeg.c +@@ -1,5 +1,5 @@ + /* +- * Copyright (C)2009-2018 D. R. Commander. All Rights Reserved. ++ * Copyright (C)2009-2019 D. R. Commander. All Rights Reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions are met: +@@ -1960,7 +1960,8 @@ DLLEXPORT unsigned char *tjLoadImage(const char *filename, int *width, + int align, int *height, int *pixelFormat, + int flags) + { +- int retval = 0, tempc, pitch; ++ int retval = 0, tempc; ++ size_t pitch; + tjhandle handle = NULL; + tjinstance *this; + j_compress_ptr cinfo = NULL; +@@ -2013,7 +2014,9 @@ DLLEXPORT unsigned char *tjLoadImage(const char *filename, int *width, + *pixelFormat = cs2pf[cinfo->in_color_space]; + + pitch = PAD((*width) * tjPixelSize[*pixelFormat], align); +- if ((dstBuf = (unsigned char *)malloc(pitch * (*height))) == NULL) ++ if ((unsigned long long)pitch * (unsigned long long)(*height) > ++ (unsigned long long)((size_t)-1) || ++ (dstBuf = (unsigned char *)malloc(pitch * (*height))) == NULL) + _throwg("tjLoadImage(): Memory allocation failure"); + + if (setjmp(this->jerr.setjmp_buffer)) { +-- +2.20.1 + |
