summaryrefslogtreecommitdiffstats
path: root/patches/source/libjpeg/jpeg.CVE-2013-6629.diff
diff options
context:
space:
mode:
Diffstat (limited to 'patches/source/libjpeg/jpeg.CVE-2013-6629.diff')
-rw-r--r--patches/source/libjpeg/jpeg.CVE-2013-6629.diff32
1 files changed, 32 insertions, 0 deletions
diff --git a/patches/source/libjpeg/jpeg.CVE-2013-6629.diff b/patches/source/libjpeg/jpeg.CVE-2013-6629.diff
new file mode 100644
index 00000000..37c267a1
--- /dev/null
+++ b/patches/source/libjpeg/jpeg.CVE-2013-6629.diff
@@ -0,0 +1,32 @@
+From f457207b57d0e234cf7a174d20a7db424b82173d Mon Sep 17 00:00:00 2001
+From: mancha <mancha1@hush.com>
+Date: Fri, 22 Nov 2013
+Subject: CVE-2013-6629
+
+get_sos() in jdmarker.c does not check for duplication of component data
+while reading segments following Start Of Scan (SOS) JPEG markers. This
+allows remote attackers to obtain sensitive information from uninitialized
+memory locations via crafted JPEG images.
+
+Adapted from:
+https://codereview.chromium.org/download/issue31603002_1.diff
+
+---
+ jdmarker.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/jdmarker.c
++++ b/jdmarker.c
+@@ -347,6 +347,12 @@ get_sos (j_decompress_ptr cinfo)
+
+ TRACEMS3(cinfo, 1, JTRC_SOS_COMPONENT, cc,
+ compptr->dc_tbl_no, compptr->ac_tbl_no);
++
++ /* This CSi (cc) should differ from the previous CSi */
++ for (ci = 0; ci < i; ci++) {
++ if (cinfo->cur_comp_info[ci] == compptr)
++ ERREXIT1(cinfo, JERR_BAD_COMPONENT_ID, cc);
++ }
+ }
+
+ /* Collect the additional scan parameters Ss, Se, Ah/Al. */