Subject: CVS commit: pkgsrc/graphics/libjpeg-turbo
From: Adam Ciarcinski
Date: 2020-04-12 08:17:06
Message id: 20200412061706.AAFD4FB27@cvs.NetBSD.org

Log Message:
libjpeg-turbo: updated to 2.0.4

2.0.4

Fixed a regression in the Windows packaging system (introduced by 2.0 beta1[2])
whereby, if both the 64-bit libjpeg-turbo SDK for GCC and the 64-bit
libjpeg-turbo SDK for Visual C++ were installed on the same system, only one of
them could be uninstalled.

Fixed a signed integer overflow and subsequent segfault that occurred when
attempting to decompress images with more than 715827882 pixels using the 64-bit
C version of TJBench.

Fixed out-of-bounds write in tjDecompressToYUV2() and tjDecompressToYUVPlanes()
(sometimes manifesting as a double free) that occurred when attempting to
decompress grayscale JPEG images that were compressed with a sampling factor
other than 1 (for instance, with cjpeg -grayscale -sample 2x2).

Fixed a regression introduced by 2.0.2[5] that caused the TurboJPEG API to
incorrectly identify some JPEG images with unusual sampling factors as 4:4:4
JPEG images. This was known to cause a buffer overflow when attempting to
decompress some such images using tjDecompressToYUV2() or
tjDecompressToYUVPlanes().

Fixed an issue, detected by ASan, whereby attempting to losslessly transform a
specially-crafted malformed JPEG image containing an extremely-high-frequency
coefficient block (junk image data that could never be generated by a legitimate
JPEG compressor) could cause the Huffman encoder's local buffer to be overrun.
(Refer to 1.4.0[9] and 1.4beta1[15].) Given that the buffer overrun was fully
contained within the stack and did not cause a segfault or other user-visible
errant behavior, and given that the lossless transformer (unlike the
decompressor) is not generally exposed to arbitrary data exploits, this issue
did not likely pose a security risk.

The ARM 64-bit (ARMv8) NEON SIMD assembly code now stores constants in a
separate read-only data section rather than in the text section, to support
execute-only memory layouts.

2.0.3

Fixed "using JNI after critical get" errors that occurred on Android
platforms when passing invalid arguments to certain methods in the TurboJPEG
Java API.

Fixed a regression in the SIMD feature detection code, introduced by the AVX2
SIMD extensions (2.0 beta1[1]), that was known to cause an illegal instruction
exception, in rare cases, on CPUs that lack support for CPUID leaf 07H (or on
which the maximum CPUID leaf has been limited by way of a BIOS setting.)

The 4:4:0 (h1v2) fancy (smooth) chroma upsampling algorithm in the decompressor
now uses a similar bias pattern to that of the 4:2:2 (h2v1) fancy chroma
upsampling algorithm, rounding up or down the upsampled result for alternate
pixels rather than always rounding down. This ensures that, regardless of
whether a 4:2:2 JPEG image is rotated or transposed prior to decompression (in
the frequency domain) or after decompression (in the spatial domain), the final
image will be similar.

Fixed an integer overflow and subsequent segfault that occurred when attempting
to compress or decompress images with more than 1 billion pixels using the
TurboJPEG API.

Fixed a regression introduced by 2.0 beta1[15] whereby attempting to generate a
progressive JPEG image on an SSE2-capable CPU using a scan script containing one
or more scans with lengths divisible by 16 would result in an error
("Missing Huffman code table entry") and an invalid JPEG image.

Fixed an issue whereby tjDecodeYUV() and tjDecodeYUVPlanes() would throw an
error ("Invalid progressive parameters") or a warning
("Inconsistent progression sequence") if passed a TurboJPEG instance
that was previously used to decompress a progressive JPEG image.

2.0.2

Fixed a regression introduced by 2.0.1[5] that prevented a runtime search path
(rpath) from being embedded in the libjpeg-turbo shared libraries and
executables for macOS and iOS. This caused a fatal error of the form "dyld:
Library not loaded" when attempting to use one of the executables, unless
DYLD_LIBRARY_PATH was explicitly set to the location of the libjpeg-turbo shared
libraries.

Fixed an integer overflow and subsequent segfault (CVE-2018-20330) that occurred
when attempting to load a BMP file with more than 1 billion pixels using the
tjLoadImage() function.

Fixed a buffer overrun (CVE-2018-19664) that occurred when attempting to
decompress a specially-crafted malformed JPEG image to a 256-color BMP using
djpeg.

Fixed a floating point exception that occurred when attempting to decompress a
specially-crafted malformed JPEG image with a specified image width or height of
0 using the C version of TJBench.

The TurboJPEG API will now decompress 4:4:4 JPEG images with 2x1, 1x2, 3x1, or
1x3 luminance and chrominance sampling factors. This is a non-standard way of
specifying 1x subsampling (normally 4:4:4 JPEGs have 1x1 luminance and
chrominance sampling factors), but the JPEG format and the libjpeg API both
allow it.

Fixed a regression introduced by 2.0 beta1[7] that caused djpeg to generate
incorrect PPM images when used with the -colors option.

Fixed an issue whereby a static build of libjpeg-turbo (a build in which
ENABLE_SHARED is 0) could not be installed using the Visual Studio IDE.

Fixed a severe performance issue in the Loongson MMI SIMD extensions that
occurred when compressing RGB images whose image rows were not 64-bit-aligned.

2.0.1

Fixed a regression introduced with the new CMake-based Un*x build system,
whereby jconfig.h could cause compiler warnings of the form "HAVE_*_H"
redefined if it was included by downstream Autotools-based projects that used
AC_CHECK_HEADERS() to check for the existence of locale.h, stddef.h, or
stdlib.h.

The jsimd_quantize_float_dspr2() and jsimd_convsamp_float_dspr2() functions in
the MIPS DSPr2 SIMD extensions are now disabled at compile time if the soft
float ABI is enabled. Those functions use instructions that are incompatible
with the soft float ABI.

Fixed a regression in the SIMD feature detection code, introduced by the AVX2
SIMD extensions (2.0 beta1[1]), that caused libjpeg-turbo to crash on Windows 7
if Service Pack 1 was not installed.

Fixed out-of-bounds read in cjpeg that occurred when attempting to compress a
specially-crafted malformed color-index (8-bit-per-sample) Targa file in which
some of the samples (color indices) exceeded the bounds of the Targa file's
color table.

Fixed an issue whereby installing a fully static build of libjpeg-turbo (a build
in which CFLAGS contains -static and ENABLE_SHARED is 0) would fail with
"No valid ELF RPATH or RUNPATH entry exists in the file."

2.0.0

The TurboJPEG API can now decompress CMYK JPEG images that have subsampled M and
Y components (not to be confused with YCCK JPEG images, in which the C/M/Y
components have been transformed into luma and chroma.) Previously, an error was
generated ("Could not determine subsampling type for JPEG image") when
such an image was passed to tjDecompressHeader3(), tjTransform(),
tjDecompressToYUVPlanes(), tjDecompressToYUV2(), or the equivalent Java methods.

Fixed an issue (CVE-2018-11813) whereby a specially-crafted malformed input file
(specifically, a file with a valid Targa header but incomplete pixel data) would
cause cjpeg to generate a JPEG file that was potentially thousands of times
larger than the input file. The Targa reader in cjpeg was not properly detecting
that the end of the input file had been reached prematurely, so after all valid
pixels had been read from the input, the reader injected dummy pixels with
values of 255 into the JPEG compressor until the number of pixels specified in
the Targa header had been compressed. The Targa reader in cjpeg now behaves like
the PPM reader and aborts compression if the end of the input file is reached
prematurely. Because this issue only affected cjpeg and not the underlying
library, and because it did not involve any out-of-bounds reads or other
exploitable behaviors, it was not believed to represent a security threat.

Fixed an issue whereby the tjLoadImage() and tjSaveImage() functions would
produce a "Bogus message code" error message if the underlying bitmap
and PPM readers/writers threw an error that was specific to the readers/writers
(as opposed to a general libjpeg API error.)

Fixed an issue (CVE-2018-1152) whereby a specially-crafted malformed BMP file,
one in which the header specified an image width of 1073741824 pixels, would
trigger a floating point exception (division by zero) in the tjLoadImage()
function when attempting to load the BMP file into a 4-component image buffer.

Fixed an issue whereby certain combinations of calls to jpeg_skip_scanlines()
and jpeg_read_scanlines() could trigger an infinite loop when decompressing
progressive JPEG images that use vertical chroma subsampling (for instance,
4:2:0 or 4:4:0.)

Fixed a segfault in jpeg_skip_scanlines() that occurred when decompressing a
4:2:2 or 4:2:0 JPEG image using the merged (non-fancy) upsampling algorithms
(that is, when setting cinfo.do_fancy_upsampling to FALSE.)

The new CMake-based build system will now disable the MIPS DSPr2 SIMD extensions
if it detects that the compiler does not support DSPr2 instructions.

Fixed out-of-bounds read in cjpeg (CVE-2018-14498) that occurred when attempting
to compress a specially-crafted malformed color-index (8-bit-per-sample) BMP
file in which some of the samples (color indices) exceeded the bounds of the BMP
file's color table.

Fixed a signed integer overflow in the progressive Huffman decoder, detected by
the Clang and GCC undefined behavior sanitizers, that could be triggered by
attempting to decompress a specially-crafted malformed JPEG image. This issue
did not pose a security threat, but removing the warning made it easier to
detect actual security issues, should they arise in the future.

Files:
Revision  Action  File
1.19      modify  pkgsrc/graphics/libjpeg-turbo/Makefile
1.6       modify  pkgsrc/graphics/libjpeg-turbo/PLIST
1.13      modify  pkgsrc/graphics/libjpeg-turbo/distinfo
1.1       add     pkgsrc/graphics/libjpeg-turbo/patches/patch-simd_arm_jsimd.c
1.6       remove  pkgsrc/graphics/libjpeg-turbo/patches/patch-aa
1.3       remove  pkgsrc/graphics/libjpeg-turbo/patches/patch-configure
1.2       remove  pkgsrc/graphics/libjpeg-turbo/patches/patch-simd_jsimd__arm.c
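
Several entries in the log above (the 715827882-pixel TJBench overflow in 2.0.4, the 1-billion-pixel overflows in 2.0.3 and 2.0.2, and CVE-2018-1152 in 2.0.0) are image-size computations that wrapped. The C example below is added here and is not code from libjpeg-turbo or from this commit; checked_image_bytes(), pitch_as_u32(), fits_in_int() and the 256 MiB ceiling are hypothetical, and the 3 and 4 bytes per pixel are assumptions chosen because they match the thresholds quoted in the log on a platform with 32-bit int.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical helper, not a libjpeg-turbo function: computes
 * width * height * components without wrapping and enforces a
 * caller-chosen ceiling. Returns 0 and stores the size, or -1. */
int checked_image_bytes(int width, int height, int components,
                        size_t max_bytes, size_t *out)
{
    if (out == NULL || width <= 0 || height <= 0 || components <= 0)
        return -1;                  /* also rejects zero-sized images */
    size_t w = (size_t)width, h = (size_t)height, c = (size_t)components;
    if (w > SIZE_MAX / c)
        return -1;                  /* row size would wrap */
    size_t pitch = w * c;
    if (h > max_bytes / pitch)
        return -1;                  /* total exceeds the ceiling */
    *out = pitch * h;               /* cannot wrap: <= max_bytes */
    return 0;
}

/* Row size as a 32-bit unsigned variable would hold it (mod 2^32). */
uint32_t pitch_as_u32(int width, int components)
{
    return (uint32_t)((uint64_t)width * (uint64_t)components);
}

/* 1 if pixels * components is representable in a signed int. */
int fits_in_int(long long pixels, int components)
{
    return pixels > 0 && components > 0 && pixels <= INT_MAX / components;
}

int main(void)
{
    const size_t cap = (size_t)256 * 1024 * 1024; /* constructed limit */
    size_t n = 0;
    int rc = checked_image_bytes(640, 480, 3, cap, &n);
    printf("640x480x3: rc=%d bytes=%zu\n", rc, n);
    printf("width 1073741824, 4 components, 32-bit pitch: %u\n",
           (unsigned)pitch_as_u32(1073741824, 4));
    printf("width 1073741824 checked: rc=%d\n",
           checked_image_bytes(1073741824, 1, 4, cap, &n));
    printf("715827882 px * 3 fits in int: %d\n", fits_in_int(715827882LL, 3));
    printf("715827883 px * 3 fits in int: %d\n", fits_in_int(715827883LL, 3));
    return 0;
}
```
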