From 3d9c64e9f8aa1ee954d1d0bb3390fc894bb84da3 Mon Sep 17 00:00:00 2001
From: DRC
Date: Tue, 1 Jan 2019 18:57:36 -0600
Subject: [PATCH] tjLoadImage(): Fix int overflow/segfault w/big BMP

Fixes #304
---
 ChangeLog.md | 4 ++++
 turbojpeg.c | 9 ++++++---
 2 files changed, 10 insertions(+), 3 deletions(-)

diff --git a/ChangeLog.md b/ChangeLog.md
index 4d185bf..bd5e0d3 100644
--- a/ChangeLog.md
+++ b/ChangeLog.md
@@ -10,6 +10,10 @@ executables for macOS and iOS. This caused a fatal error of the form unless `DYLD_LIBRARY_PATH` was explicitly set to the location of the libjpeg-turbo shared libraries.
+2. Fixed an integer overflow and subsequent segfault (CVE-2018-20330) that
+occurred when attempting to load a BMP file with more than 1 billion pixels
+using the `tjLoadImage()` function.
+
 2.0.1
 =====

diff --git a/turbojpeg.c b/turbojpeg.c
index 90a9ce6..3f7cd64 100644
--- a/turbojpeg.c
+++ b/turbojpeg.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C)2009-2018 D. R. Commander. All Rights Reserved.
+ * Copyright (C)2009-2019 D. R. Commander. All Rights Reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions are met:
@@ -1960,7 +1960,8 @@ DLLEXPORT unsigned char *tjLoadImage(const char *filename, int *width,
 int align, int *height, int *pixelFormat,
 int flags)
 {
- int retval = 0, tempc, pitch;
+ int retval = 0, tempc;
+ size_t pitch;
 tjhandle handle = NULL;
 tjinstance *this;
 j_compress_ptr cinfo = NULL;
@@ -2013,7 +2014,9 @@ DLLEXPORT unsigned char *tjLoadImage(const char *filename, int *width,
 *pixelFormat = cs2pf[cinfo->in_color_space];
 pitch = PAD((*width) * tjPixelSize[*pixelFormat], align);
- if ((dstBuf = (unsigned char *)malloc(pitch * (*height))) == NULL)
+ if ((unsigned long long)pitch * (unsigned long long)(*height) >
+ (unsigned long long)((size_t)-1) ||
+ (dstBuf = (unsigned char *)malloc(pitch * (*height))) == NULL)
 _throwg("tjLoadImage(): Memory allocation failure");
 if (setjmp(this->jerr.setjmp_buffer)) {
-- 
2.50.1
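Review bot: The new size check only guards the final `pitch * (*height)` product, while the context line `pitch = PAD((*width) * tjPixelSize[*pixelFormat], align);` just above it still multiplies two `int`s before the result is widened to `size_t`, so a BMP whose header width exceeds `INT_MAX / tjPixelSize[*pixelFormat]` overflows there first — undefined behavior that in practice wraps to a small or negative pitch the added comparison then accepts. Unless the BMP reader bounds `*width` before this point (not visible in this hunk), widen before multiplying, `pitch = PAD((size_t)(*width) * tjPixelSize[*pixelFormat], align);`, assuming `PAD` preserves the wider operand type — worth confirming against its definition. The comparison itself reads more plainly, and without the `unsigned long long` round-trip, as `if (*height <= 0 || pitch > SIZE_MAX / (size_t)(*height) || (dstBuf = (unsigned char *)malloc(pitch * (*height))) == NULL)` with `SIZE_MAX` from `<stdint.h>`, the `*height <= 0` guard also covering the division. Because the overflow path now reports `"tjLoadImage(): Memory allocation failure"`, a distinct message such as `"tjLoadImage(): Image is too large"` would keep an oversized file from being mistaken for an out-of-memory condition. tjLoadImage() begins and ends outside this hunk.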