diff options
Diffstat (limited to 'pkgs/development/libraries/libjpeg-turbo/libjpeg-turbo-1.3.0-CVE-2013-6629-and-6630.patch')
| -rw-r--r-- | pkgs/development/libraries/libjpeg-turbo/libjpeg-turbo-1.3.0-CVE-2013-6629-and-6630.patch | 40 |
1 files changed, 40 insertions, 0 deletions
diff --git a/pkgs/development/libraries/libjpeg-turbo/libjpeg-turbo-1.3.0-CVE-2013-6629-and-6630.patch b/pkgs/development/libraries/libjpeg-turbo/libjpeg-turbo-1.3.0-CVE-2013-6629-and-6630.patch new file mode 100644 index 00000000000..8c0f9c75054 --- /dev/null +++ b/pkgs/development/libraries/libjpeg-turbo/libjpeg-turbo-1.3.0-CVE-2013-6629-and-6630.patch @@ -0,0 +1,40 @@ +Thanks to the sources below; this patch discovered via Gentoo. + +http://bugzilla.redhat.com/show_bug.cgi?id=1031734 +http://bugzilla.redhat.com/show_bug.cgi?id=1031749 +http://sourceforge.net/p/libjpeg-turbo/code/1090/ + +--- libjpeg-turbo-1.3.0/jdmarker.c ++++ libjpeg-turbo-1.3.0/jdmarker.c +@@ -304,7 +304,7 @@ + /* Process a SOS marker */ + { + INT32 length; +- int i, ci, n, c, cc; ++ int i, ci, n, c, cc, pi; + jpeg_component_info * compptr; + INPUT_VARS(cinfo); + +@@ -348,6 +348,13 @@ + + TRACEMS3(cinfo, 1, JTRC_SOS_COMPONENT, cc, + compptr->dc_tbl_no, compptr->ac_tbl_no); ++ ++ /* This CSi (cc) should differ from the previous CSi */ ++ for (pi = 0; pi < i; pi++) { ++ if (cinfo->cur_comp_info[pi] == compptr) { ++ ERREXIT1(cinfo, JERR_BAD_COMPONENT_ID, cc); ++ } ++ } + } + + /* Collect the additional scan parameters Ss, Se, Ah/Al. */ +@@ -465,6 +472,8 @@ + for (i = 0; i < count; i++) + INPUT_BYTE(cinfo, huffval[i], return FALSE); + ++ MEMZERO(&huffval[count], (256 - count) * SIZEOF(UINT8)); ++ + length -= count; + + if (index & 0x10) { /* AC table definition */ |