Fix integer overflow which can potentially lead to RCE.
https://www.openwall.com/lists/oss-security/2019/11/11/1
https://nvd.nist.gov/vuln/detail/CVE-2019-2201
The problem was partially fixed in 2.0.3. This patch is a follow-up.
https://github.com/libjpeg-turbo/libjpeg-turbo/issues/388
https://github.com/libjpeg-turbo/libjpeg-turbo/commit/c30b1e72dac76343ef9029833d1561de07d29bad
diff --git a/tjbench.c b/tjbench.c
index a7d397318..13a5bde62 100644
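--- a/tjbench.c
+++ b/tjbench.c
@@ -171,7 +171,7 @@ static int decomp(unsigned char *srcBuf, unsigned char **jpegBuf,
 }
 /* Set the destination buffer to gray so we know whether the decompressor
 attempted to write to it */
- memset(dstBuf, 127, pitch * scaledh);
+ memset(dstBuf, 127, (size_t)pitch * scaledh);
 
 if (doYUV) {
 int width = doTile ? tilew : scaledw;
@@ -193,7 +193,7 @@ static int decomp(unsigned char *srcBuf, unsigned char **jpegBuf,
 double start = getTime();
 
 for (row = 0, dstPtr = dstBuf; row < ntilesh;
- row++, dstPtr += pitch * tileh) {
+ row++, dstPtr += (size_t)pitch * tileh) {
 for (col = 0, dstPtr2 = dstPtr; col < ntilesw;
 col++, tile++, dstPtr2 += ps * tilew) {
 int width = doTile ? min(tilew, w - col * tilew) : scaledw;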
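Review bot: The `(size_t)` cast in the `memset` length only widens the multiplication where `size_t` is wider than `int`; on a 32-bit build `(size_t)pitch * scaledh` still wraps modulo 2^32, and a `pitch` or `scaledh` that is negative when it reaches this line is converted into a huge length. The same applies to `dstPtr += (size_t)pitch * tileh` in the second hunk, so an explicit range check ahead of the `memset` would make the bound independent of the platform, e.g. `if (pitch <= 0 || scaledh <= 0 || (size_t)pitch > (size_t)-1 / (size_t)scaledh)` followed by the function's existing error exit. The allocation of `dstBuf` and the computation of `pitch` are outside the hunk, so whether such a guard already exists there cannot be confirmed from this page. `dstPtr2 += ps * tilew` in the inner loop is left as plain `int` arithmetic; casting it the same way would keep the pointer stepping consistent.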