Bug#972183: buster-pu: package libjpeg-turbo/1:1.5.2-2+deb10u1
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: ondrej@debian.org, sunweaver@debian.org
This fixes a number of security issues in libjpeg,
which don't warrant a DSA. Package has been tested on
a buster system.
Cheers,
Moritz
diff -Nru libjpeg-turbo-1.5.2/debian/changelog libjpeg-turbo-1.5.2/debian/changelog
--- libjpeg-turbo-1.5.2/debian/changelog 2017-08-25 10:27:48.000000000 +0200
+++ libjpeg-turbo-1.5.2/debian/changelog 2020-10-07 22:25:43.000000000 +0200
@@ -1,3 +1,12 @@
+libjpeg-turbo (1:1.5.2-2+deb10u1) buster; urgency=medium
+
+ * CVE-2018-1152 (Closes: #902950)
+ * CVE-2018-14498 (Closes: #924678)
+ * CVE-2019-2201
+ * CVE-2020-13790 (Closes: #962829)
+
+ -- Moritz Mühlenhoff <jmm@debian.org> Wed, 07 Oct 2020 22:25:43 +0200
+
libjpeg-turbo (1:1.5.2-2) unstable; urgency=medium
* Drop env declaration patch on mips to fix FTBFS on mips
diff -Nru libjpeg-turbo-1.5.2/debian/patches/CVE-2018-1152.patch libjpeg-turbo-1.5.2/debian/patches/CVE-2018-1152.patch
--- libjpeg-turbo-1.5.2/debian/patches/CVE-2018-1152.patch 1970-01-01 01:00:00.000000000 +0100
+++ libjpeg-turbo-1.5.2/debian/patches/CVE-2018-1152.patch 2020-10-07 22:25:25.000000000 +0200
@@ -0,0 +1,19 @@
+https://github.com/libjpeg-turbo/libjpeg-turbo/commit/43e84cff1bb2bd8293066f6ac4eb0df61ddddbc6
+
+Index: libjpeg-turbo-1.5.2/rdbmp.c
+===================================================================
+--- libjpeg-turbo-1.5.2.orig/rdbmp.c 2018-07-05 14:47:54.525745754 -0400
++++ libjpeg-turbo-1.5.2/rdbmp.c 2018-07-05 14:47:54.521745700 -0400
+@@ -434,6 +434,12 @@ start_input_bmp (j_compress_ptr cinfo, c
+ progress->total_extra_passes++; /* count file input as separate pass */
+ }
+
++ /* Ensure that biWidth * cinfo->input_components doesn't exceed the maximum
++ value of the JDIMENSION type. This is only a danger with BMP files, since
++ their width and height fields are 32-bit integers. */
++ if ((unsigned long long)biWidth *
++ (unsigned long long)cinfo->input_components > 0xFFFFFFFFULL)
++ ERREXIT(cinfo, JERR_WIDTH_OVERFLOW);
+ /* Allocate one-row buffer for returned data */
+ source->pub.buffer = (*cinfo->mem->alloc_sarray)
+ ((j_common_ptr) cinfo, JPOOL_IMAGE,
diff -Nru libjpeg-turbo-1.5.2/debian/patches/CVE-2018-14498.patch libjpeg-turbo-1.5.2/debian/patches/CVE-2018-14498.patch
--- libjpeg-turbo-1.5.2/debian/patches/CVE-2018-14498.patch 1970-01-01 01:00:00.000000000 +0100
+++ libjpeg-turbo-1.5.2/debian/patches/CVE-2018-14498.patch 2020-10-07 22:25:25.000000000 +0200
@@ -0,0 +1,117 @@
+https://github.com/libjpeg-turbo/libjpeg-turbo/commit/9c78a04df4e44ef6487eee99c4258397f4fdca55
+
+diff --git a/cderror.h b/cderror.h
+index 63de498..bb093b8 100644
+--- a/cderror.h
++++ b/cderror.h
+@@ -49,6 +49,8 @@ JMESSAGE(JERR_BMP_COLORSPACE, "BMP output must be grayscale or RGB")
+ JMESSAGE(JERR_BMP_COMPRESSED, "Sorry, compressed BMPs not yet supported")
+ JMESSAGE(JERR_BMP_EMPTY, "Empty BMP image")
+ JMESSAGE(JERR_BMP_NOT, "Not a BMP file - does not start with BM")
++JMESSAGE(JERR_BMP_TOOLARGE, "Integer value too large in BMP file")
++JMESSAGE(JERR_BMP_OUTOFRANGE, "Numeric value out of range in BMP file")
+ JMESSAGE(JTRC_BMP, "%ux%u 24-bit BMP image")
+ JMESSAGE(JTRC_BMP_MAPPED, "%ux%u 8-bit colormapped BMP image")
+ JMESSAGE(JTRC_BMP_OS2, "%ux%u 24-bit OS2 BMP image")
+@@ -75,8 +77,8 @@ JMESSAGE(JWRN_GIF_NOMOREDATA, "Ran out of GIF bits")
+ #ifdef PPM_SUPPORTED
+ JMESSAGE(JERR_PPM_COLORSPACE, "PPM output must be grayscale or RGB")
+ JMESSAGE(JERR_PPM_NONNUMERIC, "Nonnumeric data in PPM file")
+-JMESSAGE(JERR_PPM_TOOLARGE, "Integer value too large in PPM file")
+ JMESSAGE(JERR_PPM_NOT, "Not a PPM/PGM file")
++JMESSAGE(JERR_PPM_OUTOFRANGE, "Numeric value out of range in PPM file")
+ JMESSAGE(JTRC_PGM, "%ux%u PGM image")
+ JMESSAGE(JTRC_PGM_TEXT, "%ux%u text PGM image")
+ JMESSAGE(JTRC_PPM, "%ux%u PPM image")
+diff --git a/rdbmp.c b/rdbmp.c
+index 4104b68..9ca4a26 100644
+--- a/rdbmp.c
++++ b/rdbmp.c
+@@ -66,6 +66,7 @@ typedef struct _bmp_source_struct {
+ JDIMENSION row_width; /* Physical width of scanlines in file */
+
+ int bits_per_pixel; /* remembers 8- or 24-bit format */
++ int cmap_length; /* colormap length */
+ } bmp_source_struct;
+
+
+@@ -126,6 +127,7 @@ get_8bit_row (j_compress_ptr cinfo, cjpeg_source_ptr sinfo)
+ {
+ bmp_source_ptr source = (bmp_source_ptr) sinfo;
+ register JSAMPARRAY colormap = source->colormap;
++ int cmaplen = source->cmap_length;
+ JSAMPARRAY image_ptr;
+ register int t;
+ register JSAMPROW inptr, outptr;
+@@ -142,6 +144,8 @@ get_8bit_row (j_compress_ptr cinfo, cjpeg_source_ptr sinfo)
+ outptr = source->pub.buffer[0];
+ for (col = cinfo->image_width; col > 0; col--) {
+ t = GETJSAMPLE(*inptr++);
++ if ( t >= cmaplen)
++ ERREXIT(cinfo, JERR_BMP_TOOLARGE);
+ *outptr++ = colormap[0][t]; /* can omit GETJSAMPLE() safely */
+ *outptr++ = colormap[1][t];
+ *outptr++ = colormap[2][t];
+@@ -401,6 +405,7 @@ start_input_bmp (j_compress_ptr cinfo, cjpeg_source_ptr sinfo)
+ source->colormap = (*cinfo->mem->alloc_sarray)
+ ((j_common_ptr) cinfo, JPOOL_IMAGE,
+ (JDIMENSION) biClrUsed, (JDIMENSION) 3);
++ source->cmap_length = (int)biClrUsed;
+ /* and read it from the file */
+ read_colormap(source, (int) biClrUsed, mapentrysize);
+ /* account for size of colormap */
+diff --git a/rdppm.c b/rdppm.c
+index 33ff749..c0c0962 100644
+--- a/rdppm.c
++++ b/rdppm.c
+@@ -69,7 +69,7 @@ typedef struct {
+ JSAMPROW pixrow; /* compressor input buffer */
+ size_t buffer_width; /* width of I/O buffer */
+ JSAMPLE *rescale; /* => maxval-remapping array, or NULL */
+- int maxval;
++ unsigned int maxval;
+ } ppm_source_struct;
+
+ typedef ppm_source_struct *ppm_source_ptr;
+@@ -119,7 +119,7 @@ read_pbm_integer (j_compress_ptr cinfo, FILE *infile, unsigned int maxval)
+ }
+
+ if (val > maxval)
+- ERREXIT(cinfo, JERR_PPM_TOOLARGE);
++ ERREXIT(cinfo, JERR_PPM_OUTOFRANGE);
+
+ return val;
+ }
+@@ -255,7 +255,7 @@ get_word_gray_row (j_compress_ptr cinfo, cjpeg_source_ptr sinfo)
+ temp = UCH(*bufferptr++) << 8;
+ temp |= UCH(*bufferptr++);
+ if (temp > maxval)
+- ERREXIT(cinfo, JERR_PPM_TOOLARGE);
++ ERREXIT(cinfo, JERR_PPM_OUTOFRANGE);
+ *ptr++ = rescale[temp];
+ }
+ return 1;
+@@ -282,17 +282,17 @@ get_word_rgb_row (j_compress_ptr cinfo, cjpeg_source_ptr sinfo)
+ temp = UCH(*bufferptr++) << 8;
+ temp |= UCH(*bufferptr++);
+ if (temp > maxval)
+- ERREXIT(cinfo, JERR_PPM_TOOLARGE);
++ ERREXIT(cinfo, JERR_PPM_OUTOFRANGE);
+ *ptr++ = rescale[temp];
+ temp = UCH(*bufferptr++) << 8;
+ temp |= UCH(*bufferptr++);
+ if (temp > maxval)
+- ERREXIT(cinfo, JERR_PPM_TOOLARGE);
++ ERREXIT(cinfo, JERR_PPM_OUTOFRANGE);
+ *ptr++ = rescale[temp];
+ temp = UCH(*bufferptr++) << 8;
+ temp |= UCH(*bufferptr++);
+ if (temp > maxval)
+- ERREXIT(cinfo, JERR_PPM_TOOLARGE);
++ ERREXIT(cinfo, JERR_PPM_OUTOFRANGE);
+ *ptr++ = rescale[temp];
+ }
+ return 1;
+--
+2.22.0
+
diff -Nru libjpeg-turbo-1.5.2/debian/patches/CVE-2019-2201.patch libjpeg-turbo-1.5.2/debian/patches/CVE-2019-2201.patch
--- libjpeg-turbo-1.5.2/debian/patches/CVE-2019-2201.patch 1970-01-01 01:00:00.000000000 +0100
+++ libjpeg-turbo-1.5.2/debian/patches/CVE-2019-2201.patch 2020-10-07 22:25:43.000000000 +0200
@@ -0,0 +1,322 @@
+https://github.com/libjpeg-turbo/libjpeg-turbo/commit/2a9e3bd7430cfda1bc812d139e0609c6aca0b884
+
+diff --git a/java/TJBench.java b/java/TJBench.java
+index 5185d65..fd626af 100644
+--- a/java/TJBench.java
++++ b/java/TJBench.java
+@@ -96,6 +96,8 @@ class TJBench {
+ int rindex = TJ.getRedOffset(pixelFormat);
+ int gindex = TJ.getGreenOffset(pixelFormat);
+ int bindex = TJ.getBlueOffset(pixelFormat);
++ if ((long)w[0] * (long)h[0] * (long)ps > (long)Integer.MAX_VALUE)
++ throw new Exception("Image is too large");
+ byte[] dstBuf = new byte[w[0] * h[0] * ps];
+ int pixels = w[0] * h[0], dstPtr = 0, rgbPtr = 0;
+ while (pixels-- > 0) {
+@@ -147,9 +149,11 @@ class TJBench {
+
+ tjd = new TJDecompressor();
+
+- if (dstBuf == null)
++ if (dstBuf == null) {
++ if ((long)pitch * (long)scaledh > (long)Integer.MAX_VALUE)
++ throw new Exception("Image is too large");
+ dstBuf = new byte[pitch * scaledh];
+-
++ }
+ /* Set the destination buffer to gray so we know whether the decompressor
+ attempted to write to it */
+ Arrays.fill(dstBuf, (byte)127);
+@@ -287,6 +291,8 @@ class TJBench {
+ String pfStr = pixFormatStr[pf];
+ YUVImage yuvImage = null;
+
++ if ((long)pitch * (long)h > (long)Integer.MAX_VALUE)
++ throw new Exception("Image is too large");
+ tmpBuf = new byte[pitch * h];
+
+ if (quiet == 0)
+@@ -435,6 +441,8 @@ class TJBench {
+ int ps = TJ.getPixelSize(pf), tile;
+
+ FileInputStream fis = new FileInputStream(fileName);
++ if (fis.getChannel().size() > (long)Integer.MAX_VALUE)
++ throw new Exception("Image is too large");
+ int srcSize = (int)fis.getChannel().size();
+ srcBuf = new byte[srcSize];
+ fis.read(srcBuf, 0, srcSize);
+diff --git a/tjbench.c b/tjbench.c
+index 21b297c..625feae 100644
+--- a/tjbench.c
++++ b/tjbench.c
+@@ -32,6 +32,7 @@
+ #include <ctype.h>
+ #include <math.h>
+ #include <errno.h>
++#include <limits.h>
+ #include <cdjpeg.h>
+ #include "./bmp.h"
+ #include "./tjutil.h"
+@@ -127,7 +128,10 @@ int decomp(unsigned char *srcbuf, unsigned char **jpegbuf,
+
+ if(dstbuf==NULL)
+ {
+- if((dstbuf=(unsigned char *)malloc(pitch*scaledh))==NULL)
++ if ((unsigned long long)pitch * (unsigned long long)scaledh >
++ (unsigned long long)((size_t)-1))
++ _throw("allocating destination buffer", "Image is too large");
++ if ((dstbuf = (unsigned char *)malloc((size_t)pitch * scaledh)) == NULL)
+ _throwunix("allocating destination buffer");
+ dstbufalloc=1;
+ }
+@@ -139,7 +143,10 @@ int decomp(unsigned char *srcbuf, unsigned char **jpegbuf,
+ {
+ int width=dotile? tilew:scaledw;
+ int height=dotile? tileh:scaledh;
+- int yuvsize=tjBufSizeYUV2(width, yuvpad, height, subsamp);
++ unsigned long yuvsize = tjBufSizeYUV2(width, yuvpad, height, subsamp);
++
++ if (yuvsize == (unsigned long)-1)
++ _throwtj("allocating YUV buffer");
+ if((yuvbuf=(unsigned char *)malloc(yuvsize))==NULL)
+ _throwunix("allocating YUV buffer");
+ memset(yuvbuf, 127, yuvsize);
+@@ -242,14 +249,14 @@ int decomp(unsigned char *srcbuf, unsigned char **jpegbuf,
+ if(!quiet) printf("Compression error written to %s.\n", tempstr);
+ if(subsamp==TJ_GRAYSCALE)
+ {
+- int index, index2;
++ unsigned long index, index2;
+ for(row=0, index=0; row<h; row++, index+=pitch)
+ {
+ for(col=0, index2=index; col<w; col++, index2+=ps)
+ {
+- int rindex=index2+tjRedOffset[pf];
+- int gindex=index2+tjGreenOffset[pf];
+- int bindex=index2+tjBlueOffset[pf];
++ unsigned long rindex=index2+tjRedOffset[pf];
++ unsigned long gindex=index2+tjGreenOffset[pf];
++ unsigned long bindex=index2+tjBlueOffset[pf];
+ int y=(int)((double)srcbuf[rindex]*0.299
+ + (double)srcbuf[gindex]*0.587
+ + (double)srcbuf[bindex]*0.114 + 0.5);
+@@ -290,13 +297,16 @@ int fullTest(unsigned char *srcbuf, int w, int h, int subsamp, int jpegqual,
+ unsigned char **jpegbuf=NULL, *yuvbuf=NULL, *tmpbuf=NULL, *srcptr, *srcptr2;
+ double start, elapsed, elapsedEncode;
+ int totaljpegsize=0, row, col, i, tilew=w, tileh=h, retval=0;
+- int iter, yuvsize=0;
+- unsigned long *jpegsize=NULL;
++ int iter;
++ unsigned long *jpegsize=NULL, yuvsize = 0;
+ int ps=tjPixelSize[pf];
+ int ntilesw=1, ntilesh=1, pitch=w*ps;
+ const char *pfStr=pixFormatStr[pf];
+
+- if((tmpbuf=(unsigned char *)malloc(pitch*h)) == NULL)
++ if ((unsigned long long)pitch * (unsigned long long)h >
++ (unsigned long long)((size_t)-1))
++ _throw("allocating temporary image buffer", "Image is too large");
++ if ((tmpbuf = (unsigned char *)malloc((size_t)pitch * h)) == NULL)
+ _throwunix("allocating temporary image buffer");
+
+ if(!quiet)
+@@ -339,6 +349,8 @@ int fullTest(unsigned char *srcbuf, int w, int h, int subsamp, int jpegqual,
+ if(doyuv)
+ {
+ yuvsize=tjBufSizeYUV2(tilew, yuvpad, tileh, subsamp);
++ if (yuvsize == (unsigned long)-1)
++ _throwtj("allocating YUV buffer");
+ if((yuvbuf=(unsigned char *)malloc(yuvsize))==NULL)
+ _throwunix("allocating YUV buffer");
+ memset(yuvbuf, 127, yuvsize);
+@@ -418,7 +430,7 @@ int fullTest(unsigned char *srcbuf, int w, int h, int subsamp, int jpegqual,
+ {
+ printf("Encode YUV --> Frame rate: %f fps\n",
+ (double)iter/elapsedEncode);
+- printf(" Output image size: %d bytes\n", yuvsize);
++ printf(" Output image size: %lu bytes\n", yuvsize);
+ printf(" Compression ratio: %f:1\n",
+ (double)(w*h*ps)/(double)yuvsize);
+ printf(" Throughput: %f Megapixels/sec\n",
+@@ -559,9 +571,12 @@ int decompTest(char *filename)
+ _throwunix("allocating JPEG size array");
+ memset(jpegsize, 0, sizeof(unsigned long)*ntilesw*ntilesh);
+
+- if((flags&TJFLAG_NOREALLOC)!=0 || !dotile)
++ if ((flags & TJFLAG_NOREALLOC) != 0 &&
++ (dotile || xformop != TJXOP_NONE || xformopt != 0 || customFilter))
+ for(i=0; i<ntilesw*ntilesh; i++)
+ {
++ if (tjBufSize(tilew, tileh, subsamp) > (unsigned long)INT_MAX)
++ _throw("getting buffer size", "Image is too large");
+ if((jpegbuf[i]=(unsigned char *)tjAlloc(tjBufSize(tilew, tileh,
+ subsamp)))==NULL)
+ _throwunix("allocating JPEG tiles");
+@@ -683,9 +698,13 @@ int decompTest(char *filename)
+ {
+ if(quiet==1) printf("N/A N/A ");
+ jpegsize[0]=srcsize;
+- free(jpegbuf[0]);
+- jpegbuf[0]=srcbuf;
+- srcbuf=NULL;
++ if (jpegbuf[0]) {
++ tjFree(jpegbuf[0]);
++ jpegbuf[0] = NULL;
++ } else {
++ jpegbuf[0]=srcbuf;
++ srcbuf=NULL;
++ }
+ }
+
+ if(w==tilew) _tilew=_w;
+@@ -700,7 +719,8 @@ int decompTest(char *filename)
+
+ for(i=0; i<ntilesw*ntilesh; i++)
+ {
+- tjFree(jpegbuf[i]); jpegbuf[i]=NULL;
++ if(jpegbuf[i]) tjFree(jpegbuf[i]);
++ jpegbuf[i] = NULL;
+ }
+ free(jpegbuf); jpegbuf=NULL;
+ if(jpegsize) {free(jpegsize); jpegsize=NULL;}
+diff --git a/turbojpeg.c b/turbojpeg.c
+index c9bc619..936e1c0 100644
+--- a/turbojpeg.c
++++ b/turbojpeg.c
+@@ -622,7 +622,7 @@ DLLEXPORT tjhandle DLLCALL tjInitCompress(void)
+ DLLEXPORT unsigned long DLLCALL tjBufSize(int width, int height,
+ int jpegSubsamp)
+ {
+- unsigned long retval=0; int mcuw, mcuh, chromasf;
++ unsigned long long retval=0; int mcuw, mcuh, chromasf;
+ if(width<1 || height<1 || jpegSubsamp<0 || jpegSubsamp>=NUMSUBOPT)
+ _throw("tjBufSize(): Invalid argument");
+
+@@ -632,32 +632,37 @@ DLLEXPORT unsigned long DLLCALL tjBufSize(int width, int height,
+ mcuw=tjMCUWidth[jpegSubsamp];
+ mcuh=tjMCUHeight[jpegSubsamp];
+ chromasf=jpegSubsamp==TJSAMP_GRAY? 0: 4*64/(mcuw*mcuh);
+- retval=PAD(width, mcuw) * PAD(height, mcuh) * (2 + chromasf) + 2048;
++ retval=PAD(width, mcuw) * PAD(height, mcuh) * (2ULL + chromasf) + 2048ULL;
++ if (retval > (unsigned long long)((unsigned long)-1))
++ _throw("tjBufSize(): Image is too large");
+
+ bailout:
+- return retval;
++ return (unsigned long)retval;
+ }
+
+ DLLEXPORT unsigned long DLLCALL TJBUFSIZE(int width, int height)
+ {
+- unsigned long retval=0;
++ unsigned long long retval=0;
+ if(width<1 || height<1)
+ _throw("TJBUFSIZE(): Invalid argument");
+
+ /* This allows for rare corner cases in which a JPEG image can actually be
+ larger than the uncompressed input (we wouldn't mention it if it hadn't
+ happened before.) */
+- retval=PAD(width, 16) * PAD(height, 16) * 6 + 2048;
++ retval=PAD(width, 16) * PAD(height, 16) * 6ULL + 2048ULL;
++ if (retval > (unsigned long long)((unsigned long)-1))
++ _throw("TJBUFSIZE(): Image is too large");
+
+ bailout:
+- return retval;
++ return (unsigned long)retval;
+ }
+
+
+ DLLEXPORT unsigned long DLLCALL tjBufSizeYUV2(int width, int pad, int height,
+ int subsamp)
+ {
+- int retval=0, nc, i;
++ unsigned long long retval=0;
++ int nc, i;
+
+ if(subsamp<0 || subsamp>=NUMSUBOPT)
+ _throw("tjBufSizeYUV2(): Invalid argument");
+@@ -669,11 +674,13 @@ DLLEXPORT unsigned long DLLCALL tjBufSizeYUV2(int width, int pad, int height,
+ int stride=PAD(pw, pad);
+ int ph=tjPlaneHeight(i, height, subsamp);
+ if(pw<0 || ph<0) return -1;
+- else retval+=stride*ph;
++ else retval+= (unsigned long long)stride*ph;
+ }
++ if (retval > (unsigned long long)((unsigned long)-1))
++ _throw("tjBufSizeYUV2(): Image is too large");
+
+ bailout:
+- return retval;
++ return (unsigned long)retval;
+ }
+
+ DLLEXPORT unsigned long DLLCALL tjBufSizeYUV(int width, int height,
+@@ -734,7 +741,7 @@ DLLEXPORT int tjPlaneHeight(int componentID, int height, int subsamp)
+ DLLEXPORT unsigned long DLLCALL tjPlaneSizeYUV(int componentID, int width,
+ int stride, int height, int subsamp)
+ {
+- unsigned long retval=0;
++ unsigned long long retval=0;
+ int pw, ph;
+
+ if(width<1 || height<1 || subsamp<0 || subsamp>=NUMSUBOPT)
+@@ -747,10 +754,12 @@ DLLEXPORT unsigned long DLLCALL tjPlaneSizeYUV(int componentID, int width,
+ if(stride==0) stride=pw;
+ else stride=abs(stride);
+
+- retval=stride*(ph-1)+pw;
++ retval=(unsigned long long)stride*(ph-1)+pw;
++ if (retval > (unsigned long long)((unsigned long)-1))
++ _throw("tjPlaneSizeYUV(): Image is too large");
+
+ bailout:
+- return retval;
++ return (unsigned long)retval;
+ }
+
+
+@@ -813,8 +822,8 @@ DLLEXPORT int DLLCALL tjCompress2(tjhandle handle, const unsigned char *srcBuf,
+ for(i=0; i<height; i++)
+ {
+ if(flags&TJFLAG_BOTTOMUP)
+- row_pointer[i]=(JSAMPROW)&srcBuf[(height-i-1)*pitch];
+- else row_pointer[i]=(JSAMPROW)&srcBuf[i*pitch];
++ row_pointer[i]=(JSAMPROW)&srcBuf[(height-i-1)*(size_t)pitch];
++ else row_pointer[i]=(JSAMPROW)&srcBuf[i*(size_t)pitch];
+ }
+ while(cinfo->next_scanline<cinfo->image_height)
+ {
+@@ -940,8 +949,8 @@ DLLEXPORT int DLLCALL tjEncodeYUVPlanes(tjhandle handle,
+ for(i=0; i<height; i++)
+ {
+ if(flags&TJFLAG_BOTTOMUP)
+- row_pointer[i]=(JSAMPROW)&srcBuf[(height-i-1)*pitch];
+- else row_pointer[i]=(JSAMPROW)&srcBuf[i*pitch];
++ row_pointer[i]=(JSAMPROW)&srcBuf[(height-i-1)*(size_t)pitch];
++ else row_pointer[i]=(JSAMPROW)&srcBuf[i*(size_t)pitch];
+ }
+ if(height<ph0)
+ for(i=height; i<ph0; i++) row_pointer[i]=row_pointer[height-1];
+@@ -1462,8 +1471,8 @@ DLLEXPORT int DLLCALL tjDecompress2(tjhandle handle,
+ for(i=0; i<(int)dinfo->output_height; i++)
+ {
+ if(flags&TJFLAG_BOTTOMUP)
+- row_pointer[i]=&dstBuf[(dinfo->output_height-i-1)*pitch];
+- else row_pointer[i]=&dstBuf[i*pitch];
++ row_pointer[i]=&dstBuf[(dinfo->output_height-i-1)*(size_t)pitch];
++ else row_pointer[i]=&dstBuf[i*(size_t)pitch];
+ }
+ while(dinfo->output_scanline<dinfo->output_height)
+ {
+@@ -1648,8 +1657,8 @@ DLLEXPORT int DLLCALL tjDecodeYUVPlanes(tjhandle handle,
+ _throw("tjDecodeYUVPlanes(): Memory allocation failure");
+ for(i=0; i<height; i++)
+ {
+- if(flags&TJFLAG_BOTTOMUP) row_pointer[i]=&dstBuf[(height-i-1)*pitch];
+- else row_pointer[i]=&dstBuf[i*pitch];
++ if(flags&TJFLAG_BOTTOMUP) row_pointer[i]=&dstBuf[(height-i-1)*(size_t)pitch];
++ else row_pointer[i]=&dstBuf[i*(size_t)pitch];
+ }
+ if(height<ph0)
+ for(i=height; i<ph0; i++) row_pointer[i]=row_pointer[height-1];
diff -Nru libjpeg-turbo-1.5.2/debian/patches/CVE-2020-13790.patch libjpeg-turbo-1.5.2/debian/patches/CVE-2020-13790.patch
--- libjpeg-turbo-1.5.2/debian/patches/CVE-2020-13790.patch 1970-01-01 01:00:00.000000000 +0100
+++ libjpeg-turbo-1.5.2/debian/patches/CVE-2020-13790.patch 2020-10-07 22:25:25.000000000 +0200
@@ -0,0 +1,24 @@
+https://github.com/libjpeg-turbo/libjpeg-turbo/commit/1bfb0b5247f4fc8f6677639781ce468543490216
+
+diff --git a/rdppm.c b/rdppm.c
+index c0c0962..4547acd 100644
+--- a/rdppm.c
++++ b/rdppm.c
+@@ -299,6 +299,8 @@ get_word_rgb_row (j_compress_ptr cinfo, cjpeg_source_ptr sinfo)
+ }
+
+
++// Redefine MAX here for support CVE-2020-13790
++#define MAX(a, b) ((a) > (b) ? (a) : (b))
+ /*
+ * Read the file header; return image size and component count.
+ */
+@@ -425,7 +427,7 @@ start_input_ppm (j_compress_ptr cinfo, cjpeg_source_ptr sinfo)
+ /* On 16-bit-int machines we have to be careful of maxval = 65535 */
+ source->rescale = (JSAMPLE *)
+ (*cinfo->mem->alloc_small) ((j_common_ptr) cinfo, JPOOL_IMAGE,
+- (size_t) (((long) maxval + 1L) *
++ (size_t)(((long)MAX(maxval, 255) + 1L) *
+ sizeof(JSAMPLE)));
+ half_maxval = maxval / 2;
+ for (val = 0; val <= (long) maxval; val++) {
diff -Nru libjpeg-turbo-1.5.2/debian/patches/series libjpeg-turbo-1.5.2/debian/patches/series
--- libjpeg-turbo-1.5.2/debian/patches/series 1970-01-01 01:00:00.000000000 +0100
+++ libjpeg-turbo-1.5.2/debian/patches/series 2020-10-07 22:25:36.000000000 +0200
@@ -0,0 +1,4 @@
+CVE-2018-1152.patch
+CVE-2018-14498.patch
+CVE-2019-2201.patch
+CVE-2020-13790.patch
Reply to: