Heap-based buffer over-read in get_rgb_row() in rdppm.c #433
Comments
This issue got CVE-2020-13790 assigned.
Added CVE ID to the change log. Thanks.
dcommander added a commit that referenced this issue Jun 3, 2020
This extends the fix in 1e81b0c to include binary PPM files with maximum values < 255, thus preventing a malformed binary PPM input file with those specifications from triggering an overrun of the rescale array and potentially crashing cjpeg, TJBench, or any program that uses the tjLoadImage() function. Fixes #433
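The overrun named in the commit message above, as an added sketch (not libjpeg-turbo's code or its actual fix): assuming a rescale table with maxval + 1 entries that is indexed directly by a raw sample byte, any sample larger than maxval has to be rejected before the lookup. `build_rescale`, `rescale_row_checked` and `demo` are hypothetical names, and the sample rows are constructed.

```c
#include <stddef.h>
#include <stdlib.h>

/* Hypothetical helper: table mapping samples 0..maxval onto 0..255.
 * Assumption: the table holds exactly maxval + 1 entries. */
static unsigned char *build_rescale(unsigned int maxval)
{
  unsigned char *t;
  unsigned int v;

  if (maxval == 0 || maxval > 255)
    return NULL;                /* this sketch covers one-byte samples only */
  t = malloc((size_t)maxval + 1);
  if (t == NULL)
    return NULL;
  for (v = 0; v <= maxval; v++)
    t[v] = (unsigned char)((v * 255 + maxval / 2) / maxval);
  return t;
}

/* Convert n raw sample bytes; returns 0 on success, -1 on a sample > maxval.
 * An unchecked out[i] = rescale[row[i]] would read past the table end
 * whenever maxval < 255 and the file carries a larger byte. */
static int rescale_row_checked(const unsigned char *row, size_t n,
                               const unsigned char *rescale,
                               unsigned int maxval, unsigned char *out)
{
  size_t i;

  for (i = 0; i < n; i++) {
    if (row[i] > maxval)
      return -1;                /* malformed input: reject before indexing */
    out[i] = rescale[row[i]];
  }
  return 0;
}

/* Constructed rows for maxval = 15; returns 1 if the valid row converts
 * and the malformed row is rejected. */
static int demo(void)
{
  static const unsigned char good[3] = { 0, 7, 15 };
  static const unsigned char bad[3] = { 0, 200, 15 };   /* 200 > maxval */
  unsigned char out[3], *t = build_rescale(15);
  int ok;

  if (t == NULL)
    return 0;
  ok = rescale_row_checked(good, 3, t, 15, out) == 0 && out[2] == 255 &&
       rescale_row_checked(bad, 3, t, 15, out) == -1;
  free(t);
  return ok;
}
```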
Have you searched the existing issues (both open and closed) in the libjpeg-turbo issue tracker to ensure that this bug report is not a duplicate?
Yes
Does this bug report describe one of the two known and unsolvable issues with the JPEG format?
No
Clear and concise description of the bug:
Heap-based buffer over-read in get_rgb_row() in rdppm.c
Steps to reproduce the bug (using only libjpeg-turbo):
Compile with Address Sanitizer (ASan):
./cjpeg ./reproducer
Without ASan:
valgrind -q ./cjpeg ./reproducer
Image(s) needed in order to reproduce the bug (if applicable):
reproducer.zip
Expected behavior:
Observed behavior:
Platform(s) (compiler version, operating system version, CPU) on which the bug was observed:
gcc (Ubuntu 7.5.0-3ubuntu1~18.04) 7.5.0, Linux 5.3.0-51-generic
libjpeg-turbo release(s), commit(s), or branch(es) in which the bug was observed (always test the tip of the master branch or the latest stable pre-release to verify that the bug hasn't already been fixed):
libjpeg-turbo version 2.0.5 (master)
If the bug is a regression, the specific commit that introduced the regression (use git bisect to determine this):
Additional information: