diff --git a/.travis.yml b/.travis.yml
index 32f7c325..dc27ebf7 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -80,7 +80,7 @@ script:
 mkdir -p ~/src/ljt.nightly &&
 if [ "$TRAVIS_OS_NAME" = "linux" ]; then
 mkdir $HOME/rpmkeys &&
- wget --no-check-certificate "http://ha.pool.sks-keyservers.net/pks/lookup?op=get&search=0x0575F26BD5B3FDB1" -O $HOME/rpmkeys/LJTPR-GPG-KEY &&
+ wget --no-check-certificate "http://www.libjpeg-turbo.org/key/LJTPR-GPG-KEY" -O $HOME/rpmkeys/LJTPR-GPG-KEY &&
 docker run -v $HOME/src/ljt.nightly:/root/src/ljt.nightly -v $HOME/src/buildscripts:/root/src/buildscripts -v $TRAVIS_BUILD_DIR:/root/src/libjpeg-turbo -v $HOME/.gnupg:/root/.gnupg -v $HOME/rpmkeys:/rpmkeys -t dcommander/buildljt:latest bash -c "rpm --import /rpmkeys/LJTPR-GPG-KEY && ~/src/buildscripts/buildljt -d /root/src/libjpeg-turbo -v" &&
 sudo chown -R travis:travis ~/src/ljt.nightly &&
 mv ~/src/ljt.nightly/latest/log-$TRAVIS_OS_NAME.txt ~/src/ljt.nightly/latest/files/;
diff --git a/CMakeLists.txt b/CMakeLists.txt
index 104622a8..f37d1cd1 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -111,10 +111,6 @@ endif()
 include(cmakescripts/GNUInstallDirs.cmake)
-if(ENABLE_SHARED)
- set(CMAKE_INSTALL_RPATH ${CMAKE_INSTALL_FULL_LIBDIR})
-endif()
-
 macro(report_directory var)
 if(CMAKE_INSTALL_${var} STREQUAL CMAKE_INSTALL_FULL_${var})
 message(STATUS "CMAKE_INSTALL_${var} = ${CMAKE_INSTALL_${var}}")
@@ -199,6 +195,10 @@ endif()
 report_option(ENABLE_SHARED "Shared libraries")
 report_option(ENABLE_STATIC "Static libraries")
+if(ENABLE_SHARED)
+ set(CMAKE_INSTALL_RPATH ${CMAKE_INSTALL_FULL_LIBDIR})
+endif()
+
 if(WITH_12BIT)
 set(WITH_ARITH_DEC 0)
 set(WITH_ARITH_ENC 0)
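Review bot: The replacement `wget` line still downloads the package-signing key over plain `http://` with `--no-check-certificate`, and the file is then handed to `rpm --import` inside the container, so whatever the network path returns becomes a trusted signing key. The old URL at least requested a specific key ID; the new one imports whatever is served at that path. Fetch the key over TLS with certificate checking if the host offers it (an `https://` URL and no `--no-check-certificate`), or keep the expected fingerprint in the repository and compare it before the import. The unchanged `docker run` line also mounts `$HOME/.gnupg` into an image referenced by the mutable tag `dcommander/buildljt:latest`; pinning the image by digest would narrow what can reach that keyring.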
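Review bot: Nothing at the relocated `if(ENABLE_SHARED)` block says why it must follow the `report_option(ENABLE_SHARED …)` lines, and that ordering is presumably what the 2.0.2[1] ChangeLog entry about the missing rpath refers to. A comment such as `# Must come after ENABLE_SHARED has its final value; set earlier, the install rpath was left empty.` would keep the block from being moved back up. The block also overwrites any `CMAKE_INSTALL_RPATH` a packager passed on the command line; if that is not intended, guard it with `if(ENABLE_SHARED AND NOT DEFINED CMAKE_INSTALL_RPATH)`.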
@@ -476,8 +476,8 @@ if(UNIX AND NOT APPLE)
 # still work.
 file(WRITE ${CMAKE_CURRENT_BINARY_DIR}/conftest.map "VERS_1 { global: foo; local: *; }; VERS_2 { global: foo2; } VERS_1;")
- set(CMAKE_REQUIRED_FLAGS "-Wl,-M,${CMAKE_CURRENT_BINARY_DIR}/conftest.map")
- check_c_source_compiles("void foo() {} void foo2() {} int main(void) { return 0; }"
+ set(CMAKE_REQUIRED_FLAGS "-Wl,-M,${CMAKE_CURRENT_BINARY_DIR}/conftest.map -shared")
+ check_c_source_compiles("int foo() { return 0; } int foo2() { return 2; }"
 HAVE_MAPFILE)
 set(CMAKE_REQUIRED_FLAGS)
 file(REMOVE ${CMAKE_CURRENT_BINARY_DIR}/conftest.map)
diff --git a/ChangeLog.md b/ChangeLog.md
index eea7dd8e..bb29d417 100644
--- a/ChangeLog.md
+++ b/ChangeLog.md
@@ -17,6 +17,31 @@ automatically be disabled with x32 builds.
 work with the x32 ABI and will be disabled in x32 builds.
+2.0.2
+=====
+
+### Significant changes relative to 2.0.1:
+
+1. Fixed a regression introduced by 2.0.1[5] that prevented a runtime search
+path (rpath) from being embedded in the libjpeg-turbo shared libraries and
+executables for macOS and iOS. This caused a fatal error of the form
+"dyld: Library not loaded" when attempting to use one of the executables,
+unless `DYLD_LIBRARY_PATH` was explicitly set to the location of the
+libjpeg-turbo shared libraries.
+
+2. Fixed an integer overflow and subsequent segfault (CVE-2018-20330) that
+occurred when attempting to load a BMP file with more than 1 billion pixels
+using the `tjLoadImage()` function.
+
+3. Fixed a buffer overrun (CVE-2018-19664) that occurred when attempting to
+decompress a specially-crafted malformed JPEG image to a 256-color BMP using
+djpeg.
+
+4. Fixed a floating-point exception that occurred when attempting to
+decompress a specially-crafted malformed JPEG image with a specified image
+width or height of 0 using the C version of TJBench.
+
+
 2.0.1
 =====
diff --git a/java/TJBench.java b/java/TJBench.java
index bd555626..7829e53c 100644
--- a/java/TJBench.java
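Review bot: The probe assigns `CMAKE_REQUIRED_FLAGS` directly and the context line after it clears the variable with `set(CMAKE_REQUIRED_FLAGS)`, so any value a toolchain file or earlier check had placed there is lost for later checks. Wrapping the probe in `cmake_push_check_state()` / `cmake_pop_check_state()` (after `include(CMakePushCheckState)`) restores the previous state instead. Because the test program no longer defines `main()`, a short comment that the probe now links a shared object rather than an executable would explain the added `-shared`. The enclosing `if(UNIX AND NOT APPLE)` block starts and ends outside the hunk.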
+++ b/java/TJBench.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (C)2009-2014, 2016-2018 D. R. Commander. All Rights Reserved.
+ * Copyright (C)2009-2014, 2016-2019 D. R. Commander. All Rights Reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions are met:
@@ -202,7 +202,9 @@ final class TJBench {
 int width = doTile ? Math.min(tilew, w - x) : scaledw;
 int height = doTile ? Math.min(tileh, h - y) : scaledh;
- tjd.setSourceImage(jpegBuf[tile], jpegSize[tile]);
+ try {
+ tjd.setSourceImage(jpegBuf[tile], jpegSize[tile]);
+ } catch (TJException e) { handleTJException(e); }
 if (doYUV) {
 yuvImage.setBuf(yuvImage.getBuf(), width, yuvPad, height, subsamp);
 try {
@@ -500,7 +502,9 @@ final class TJBench {
 tjt = new TJTransformer();
- tjt.setSourceImage(srcBuf, srcSize);
+ try {
+ tjt.setSourceImage(srcBuf, srcSize);
+ } catch (TJException e) { handleTJException(e); }
 w = tjt.getWidth();
 h = tjt.getHeight();
 subsamp = tjt.getSubsamp();
@@ -607,7 +611,9 @@ final class TJBench {
 elapsed = 0.;
 while (true) {
 start = getTime();
- tjt.transform(jpegBuf, t, flags);
+ try {
+ tjt.transform(jpegBuf, t, flags);
+ } catch (TJException e) { handleTJException(e); }
 jpegSize = tjt.getTransformedSizes();
 elapsed += getTime() - start;
 if (iter >= 0) {
diff --git a/jversion.h b/jversion.h
index 2039f44c..191fb6bb 100644
--- a/jversion.h
+++ b/jversion.h
@@ -4,7 +4,7 @@
 * This file was part of the Independent JPEG Group's software:
 * Copyright (C) 1991-2012, Thomas G. Lane, Guido Vollbeding.
 * libjpeg-turbo Modifications:
- * Copyright (C) 2010, 2012-2018, D. R. Commander.
+ * Copyright (C) 2010, 2012-2019, D. R. Commander.
 * For conditions of distribution and use, see the accompanying README.ijg
 * file.
 *
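Review bot: When `handleTJException(e)` returns instead of throwing, execution falls through as if the call had succeeded: to `tjt.getWidth()`/`getHeight()`/`getSubsamp()` in the hunk at -500 and to `tjt.getTransformedSizes()` in the hunk at -607; the hunk at -202 has the same shape. handleTJException() is not shown in this diff, so whether it rethrows fatal errors cannot be confirmed from here. If it does, say so at each of the three try blocks, e.g. `// non-fatal warnings are tolerated; fatal errors are rethrown by handleTJException()`. If it can return after a fatal error, the header values read after a failed `setSourceImage()` should not be used for buffer sizing.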
@@ -36,7 +36,7 @@
 */
 #define JCOPYRIGHT \
- "Copyright (C) 2009-2018 D. R. Commander\n" \
+ "Copyright (C) 2009-2019 D. R. Commander\n" \
 "Copyright (C) 2011-2016 Siarhei Siamashka\n" \
 "Copyright (C) 2015-2016, 2018 Matthieu Darbois\n" \
 "Copyright (C) 2015 Intel Corporation\n" \
@@ -49,4 +49,4 @@
 "Copyright (C) 1991-2016 Thomas G. Lane, Guido Vollbeding"
 #define JCOPYRIGHT_SHORT \
- "Copyright (C) 1991-2018 The libjpeg-turbo Project and many others"
+ "Copyright (C) 1991-2019 The libjpeg-turbo Project and many others"
diff --git a/tjbench.c b/tjbench.c
index 863e534f..0eb41d50 100644
--- a/tjbench.c
+++ b/tjbench.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C)2009-2018 D. R. Commander. All Rights Reserved.
+ * Copyright (C)2009-2019 D. R. Commander. All Rights Reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions are met:
@@ -541,6 +541,8 @@ int decompTest(char *fileName)
 if (tjDecompressHeader3(handle, srcBuf, srcSize, &w, &h, &subsamp, &cs) == -1)
 _throwtj("executing tjDecompressHeader3()");
+ if (w < 1 || h < 1)
+ _throw("reading JPEG header", "Invalid image dimensions");
 if (cs == TJCS_YCCK || cs == TJCS_CMYK) {
 pf = TJPF_CMYK; ps = tjPixelSize[pf];
 }
diff --git a/turbojpeg.c b/turbojpeg.c
index 90a9ce6a..3f7cd640 100644
--- a/turbojpeg.c
+++ b/turbojpeg.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C)2009-2018 D. R. Commander. All Rights Reserved.
+ * Copyright (C)2009-2019 D. R. Commander. All Rights Reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions are met:
@@ -1960,7 +1960,8 @@ DLLEXPORT unsigned char *tjLoadImage(const char *filename, int *width,
 int align, int *height, int *pixelFormat, int flags)
 {
- int retval = 0, tempc, pitch;
+ int retval = 0, tempc;
+ size_t pitch;
 tjhandle handle = NULL;
 tjinstance *this;
 j_compress_ptr cinfo = NULL;
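Review bot: The new `w < 1 || h < 1` guard in decompTest() has no comment tying it to what it protects. Judging from ChangeLog entry 2.0.2[4], it presumably prevents the division that raised the floating-point exception for a zero width or height; a comment like `/* zero dimensions would divide by zero in the size arithmetic below */` would keep the check from being removed as redundant. The guard sets only a lower bound. decompTest() continues outside the hunk, so any buffer size computed there from `w`, `h` and `ps` should be checked for int overflow as well.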
@@ -2013,7 +2014,9 @@ DLLEXPORT unsigned char *tjLoadImage(const char *filename, int *width,
 *pixelFormat = cs2pf[cinfo->in_color_space];
 pitch = PAD((*width) * tjPixelSize[*pixelFormat], align);
- if ((dstBuf = (unsigned char *)malloc(pitch * (*height))) == NULL)
+ if ((unsigned long long)pitch * (unsigned long long)(*height) >
+ (unsigned long long)((size_t)-1) ||
+ (dstBuf = (unsigned char *)malloc(pitch * (*height))) == NULL)
 _throwg("tjLoadImage(): Memory allocation failure");
 if (setjmp(this->jerr.setjmp_buffer)) {
diff --git a/wrbmp.c b/wrbmp.c
index 38a64e87..239f64eb 100644
--- a/wrbmp.c
+++ b/wrbmp.c
@@ -5,7 +5,7 @@
 * Copyright (C) 1994-1996, Thomas G. Lane.
 * libjpeg-turbo Modifications:
 * Copyright (C) 2013, Linaro Limited.
- * Copyright (C) 2014-2015, 2017, D. R. Commander.
+ * Copyright (C) 2014-2015, 2017, 2019, D. R. Commander.
 * For conditions of distribution and use, see the accompanying README.ijg
 * file.
 *
@@ -303,9 +303,7 @@ write_os2_header(j_decompress_ptr cinfo, bmp_dest_ptr dest)
 int bits_per_pixel, cmap_entries;
 /* Compute colormap size and total file size */
- if (cinfo->out_color_space == JCS_RGB ||
- (cinfo->out_color_space >= JCS_EXT_RGB &&
- cinfo->out_color_space <= JCS_EXT_ARGB)) {
+ if (IsExtRGB(cinfo->out_color_space)) {
 if (cinfo->quantize_colors) {
 /* Colormapped RGB */
 bits_per_pixel = 8;
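Review bot: The new overflow test covers `pitch * (*height)`, but the context line above it still computes `(*width) * tjPixelSize[*pixelFormat]` before the result is widened into the `size_t pitch` introduced by the first tjLoadImage() hunk. `width` is an `int *` in the visible signature and tjPixelSize is presumably an int table, so for a very wide image that product can overflow in int arithmetic and produce a small pitch that passes the new check. Widening one operand first, `pitch = PAD((size_t)(*width) * tjPixelSize[*pixelFormat], align);`, closes that gap, provided the PAD macro (not shown) behaves with an unsigned argument. tjLoadImage() starts and ends outside both hunks.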
@@ -499,15 +497,14 @@ jinit_write_bmp(j_decompress_ptr cinfo, boolean is_os2,
 if (cinfo->out_color_space == JCS_GRAYSCALE) {
 dest->pub.put_pixel_rows = put_gray_rows;
- } else if (cinfo->out_color_space == JCS_RGB ||
- (cinfo->out_color_space >= JCS_EXT_RGB &&
- cinfo->out_color_space <= JCS_EXT_ARGB)) {
+ } else if (IsExtRGB(cinfo->out_color_space)) {
 if (cinfo->quantize_colors)
 dest->pub.put_pixel_rows = put_gray_rows;
 else
 dest->pub.put_pixel_rows = put_pixel_rows;
- } else if (cinfo->out_color_space == JCS_RGB565 ||
- cinfo->out_color_space == JCS_CMYK) {
+ } else if (!cinfo->quantize_colors &&
+ (cinfo->out_color_space == JCS_RGB565 ||
+ cinfo->out_color_space == JCS_CMYK)) {
 dest->pub.put_pixel_rows = put_pixel_rows;
 } else {
 ERREXIT(cinfo, JERR_BMP_COLORSPACE);
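Review bot: The added `!cinfo->quantize_colors &&` is the security-relevant part of this hunk and carries no comment. It is presumably the fix for ChangeLog entry 2.0.2[3] (CVE-2018-19664): with quantization on, the rows handed to the writer are colormap indices, not the full-color samples put_pixel_rows() expects for RGB565/CMYK. Neither function body is in the hunk, so treat that reading as unconfirmed. A comment such as `/* Quantized output is one index per pixel; put_pixel_rows() assumes full-color samples, so reject quantized RGB565/CMYK */` would record the invariant. The rejected case reuses `JERR_BMP_COLORSPACE`, which points the user at the color space rather than at the unsupported quantize option. jinit_write_bmp() starts and ends outside the hunk, so the buffer sizing that must agree with this selection is not visible here.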