svn commit: r376692 - in head/graphics: jpeg-turbo jpeg-turbo/files libjpeg-turbo

Antoine Brodin antoine at FreeBSD.org
Sat Jan 10 12:23:25 UTC 2015 

Author: antoine
Date: Sat Jan 10 12:23:24 2015
New Revision: 376692
URL: https://svnweb.freebsd.org/changeset/ports/376692
QAT: https://qat.redports.org/buildarchive/r376692/

Log:
  Fix possible Huffman local buffer overrun
  
  MFH:		2015Q1
  Security:	CVE-2014-9092

Added:
  head/graphics/jpeg-turbo/files/
  head/graphics/jpeg-turbo/files/patch-jchuff.c   (contents, props changed)
Modified:
  head/graphics/jpeg-turbo/Makefile
  head/graphics/libjpeg-turbo/Makefile

Modified: head/graphics/jpeg-turbo/Makefile
==============================================================================
--- head/graphics/jpeg-turbo/Makefile	Sat Jan 10 11:51:04 2015	(r376691)
+++ head/graphics/jpeg-turbo/Makefile	Sat Jan 10 12:23:24 2015	(r376692)
@@ -3,7 +3,7 @@
 
 PORTNAME=	jpeg-turbo
 PORTVERSION=	1.3.1
-PORTREVISION?=	1
+PORTREVISION?=	2
 CATEGORIES=	graphics
 MASTER_SITES=	SF/lib${PORTNAME}/${PORTVERSION}
 DISTNAME=	lib${PORTNAME}-${PORTVERSION}

Added: head/graphics/jpeg-turbo/files/patch-jchuff.c
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/graphics/jpeg-turbo/files/patch-jchuff.c	Sat Jan 10 12:23:24 2015	(r376692)
@@ -0,0 +1,20 @@
+--- jchuff.c.orig	2013-09-28 03:23:49 UTC
++++ jchuff.c
+@@ -391,7 +391,16 @@ dump_buffer (working_state * state)
+ #endif
+ 
+ 
+-#define BUFSIZE (DCTSIZE2 * 2)
++/* Although it is exceedingly rare, it is possible for a Huffman-encoded
++ * coefficient block to be larger than the 128-byte unencoded block.  For each
++ * of the 64 coefficients, PUT_BITS is invoked twice, and each invocation can
++ * theoretically store 16 bits (for a maximum of 2048 bits or 256 bytes per
++ * encoded block.)  If, for instance, one artificially sets the AC
++ * coefficients to alternating values of 32767 and -32768 (using the JPEG
++ * scanning order-- 1, 8, 16, etc.), then this will produce an encoded block
++ * larger than 200 bytes.
++ */
++#define BUFSIZE (DCTSIZE2 * 4)
+ 
+ #define LOAD_BUFFER() { \
+   if (state->free_in_buffer < BUFSIZE) { \

Modified: head/graphics/libjpeg-turbo/Makefile
==============================================================================
--- head/graphics/libjpeg-turbo/Makefile	Sat Jan 10 11:51:04 2015	(r376691)
+++ head/graphics/libjpeg-turbo/Makefile	Sat Jan 10 12:23:24 2015	(r376692)
@@ -1,7 +1,7 @@
 # Created by: Denis Podolskiy <bytestore at yandex.ru>
 # $FreeBSD$
 
-PORTREVISION=	4
+PORTREVISION=	5
 PKGNAMEPREFIX=	lib
 
 COMMENT=	SIMD-accelerated JPEG codec library, provides libTurboJPEG

More information about the svn-ports-head mailing list