Fix possible Huffman local buffer overrun

MFH:		2015Q1
Security:	CVE-2014-9092
Antoine Brodin 2015-01-10 12:23:24 +00:00
parent 56a7e4534a
commit 59f7cc8a5d
Notes: svn2git 2021-03-31 03:12:20 +00:00
svn path=/head/; revision=376692
3 changed files with 22 additions and 2 deletions


@ -3,7 +3,7 @@
PORTNAME= jpeg-turbo
PORTVERSION= 1.3.1
PORTREVISION?= 1
PORTREVISION?= 2
CATEGORIES= graphics
MASTER_SITES= SF/lib${PORTNAME}/${PORTVERSION}
DISTNAME= lib${PORTNAME}-${PORTVERSION}


@ -0,0 +1,20 @@
--- jchuff.c.orig 2013-09-28 03:23:49 UTC
+++ jchuff.c
@@ -391,7 +391,16 @@ dump_buffer (working_state * state)
#endif
-#define BUFSIZE (DCTSIZE2 * 2)
+/* Although it is exceedingly rare, it is possible for a Huffman-encoded
+ * coefficient block to be larger than the 128-byte unencoded block. For each
+ * of the 64 coefficients, PUT_BITS is invoked twice, and each invocation can
+ * theoretically store 16 bits (for a maximum of 2048 bits or 256 bytes per
+ * encoded block.) If, for instance, one artificially sets the AC
+ * coefficients to alternating values of 32767 and -32768 (using the JPEG
+ * scanning order-- 1, 8, 16, etc.), then this will produce an encoded block
+ * larger than 200 bytes.
+ */
+#define BUFSIZE (DCTSIZE2 * 4)
#define LOAD_BUFFER() { \
if (state->free_in_buffer < BUFSIZE) { \
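Review bot: The new `#define BUFSIZE (DCTSIZE2 * 4)` is exactly the 256-byte theoretical maximum that the added comment derives, so the `state->free_in_buffer < BUFSIZE` check in LOAD_BUFFER leaves no headroom beyond the raw Huffman bits. The comment counts only the bits handed to PUT_BITS. If the byte-emit path, which is not visible in this hunk, also writes a stuffed zero byte after each 0xFF as JPEG entropy-coded data requires, the bytes written per block could exceed 256 and the local buffer could still be overrun. Please confirm against the emit macro, then either size for the stuffed worst case, e.g. `#define BUFSIZE (DCTSIZE2 * 8)`, or extend the comment to say why stuffing cannot push a block past 256 bytes. The LOAD_BUFFER macro continues past the end of the hunk.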


@ -1,7 +1,7 @@
# Created by: Denis Podolskiy <bytestore@yandex.ru>
# $FreeBSD$
PORTREVISION= 4
PORTREVISION= 5
PKGNAMEPREFIX= lib
COMMENT= SIMD-accelerated JPEG codec library, provides libTurboJPEG