Subject: CVS commit: pkgsrc/graphics/libjpeg-turbo
From: Adam Ciarcinski
Date: 2020-04-12 08:17:06
Message id: 20200412061706.AAFD4FB27@cvs.NetBSD.org
Log Message:
libjpeg-turbo: updated to 2.0.4

2.0.4

Fixed a regression in the Windows packaging system (introduced by 2.0 beta1[2])
whereby, if both the 64-bit libjpeg-turbo SDK for GCC and the 64-bit
libjpeg-turbo SDK for Visual C++ were installed on the same system, only one of
them could be uninstalled.

Fixed a signed integer overflow and subsequent segfault that occurred when
attempting to decompress images with more than 715827882 pixels using the 64-bit
C version of TJBench.

Fixed out-of-bounds write in tjDecompressToYUV2() and tjDecompressToYUVPlanes()
(sometimes manifesting as a double free) that occurred when attempting to
decompress grayscale JPEG images that were compressed with a sampling factor
other than 1 (for instance, with cjpeg -grayscale -sample 2x2).

Fixed a regression introduced by 2.0.2[5] that caused the TurboJPEG API to
incorrectly identify some JPEG images with unusual sampling factors as 4:4:4
JPEG images. This was known to cause a buffer overflow when attempting to
decompress some such images using tjDecompressToYUV2() or
tjDecompressToYUVPlanes().

Fixed an issue, detected by ASan, whereby attempting to losslessly transform a
specially-crafted malformed JPEG image containing an extremely-high-frequency
coefficient block (junk image data that could never be generated by a legitimate
JPEG compressor) could cause the Huffman encoder's local buffer to be overrun.
(Refer to 1.4.0[9] and 1.4beta1[15].) Given that the buffer overrun was fully
contained within the stack and did not cause a segfault or other user-visible
errant behavior, and given that the lossless transformer (unlike the
decompressor) is not generally exposed to arbitrary data exploits, this issue
did not likely pose a security risk.

The ARM 64-bit (ARMv8) NEON SIMD assembly code now stores constants in a
separate read-only data section rather than in the text section, to support
execute-only memory layouts.

2.0.3

Fixed "using JNI after critical get" errors that occurred on Android
platforms when passing invalid arguments to certain methods in the TurboJPEG
Java API.

Fixed a regression in the SIMD feature detection code, introduced by the AVX2
SIMD extensions (2.0 beta1[1]), that was known to cause an illegal instruction
exception, in rare cases, on CPUs that lack support for CPUID leaf 07H (or on
which the maximum CPUID leaf has been limited by way of a BIOS setting.)

The 4:4:0 (h1v2) fancy (smooth) chroma upsampling algorithm in the decompressor
now uses a similar bias pattern to that of the 4:2:2 (h2v1) fancy chroma
upsampling algorithm, rounding up or down the upsampled result for alternate
pixels rather than always rounding down. This ensures that, regardless of
whether a 4:2:2 JPEG image is rotated or transposed prior to decompression (in
the frequency domain) or after decompression (in the spatial domain), the final
image will be similar.

Fixed an integer overflow and subsequent segfault that occurred when attempting
to compress or decompress images with more than 1 billion pixels using the
TurboJPEG API.

Fixed a regression introduced by 2.0 beta1[15] whereby attempting to generate a
progressive JPEG image on an SSE2-capable CPU using a scan script containing one
or more scans with lengths divisible by 16 would result in an error
("Missing Huffman code table entry") and an invalid JPEG image.

Fixed an issue whereby tjDecodeYUV() and tjDecodeYUVPlanes() would throw an
error ("Invalid progressive parameters") or a warning
("Inconsistent progression sequence") if passed a TurboJPEG instance
that was previously used to decompress a progressive JPEG image.

2.0.2

Fixed a regression introduced by 2.0.1[5] that prevented a runtime search path
(rpath) from being embedded in the libjpeg-turbo shared libraries and
executables for macOS and iOS. This caused a fatal error of the form "dyld:
Library not loaded" when attempting to use one of the executables, unless
DYLD_LIBRARY_PATH was explicitly set to the location of the libjpeg-turbo shared
libraries.

Fixed an integer overflow and subsequent segfault (CVE-2018-20330) that occurred
when attempting to load a BMP file with more than 1 billion pixels using the
tjLoadImage() function.

Fixed a buffer overrun (CVE-2018-19664) that occurred when attempting to
decompress a specially-crafted malformed JPEG image to a 256-color BMP using
djpeg.

Fixed a floating point exception that occurred when attempting to decompress a
specially-crafted malformed JPEG image with a specified image width or height of
0 using the C version of TJBench.

The TurboJPEG API will now decompress 4:4:4 JPEG images with 2x1, 1x2, 3x1, or
1x3 luminance and chrominance sampling factors. This is a non-standard way of
specifying 1x subsampling (normally 4:4:4 JPEGs have 1x1 luminance and
chrominance sampling factors), but the JPEG format and the libjpeg API both
allow it.

Fixed a regression introduced by 2.0 beta1[7] that caused djpeg to generate
incorrect PPM images when used with the -colors option.

Fixed an issue whereby a static build of libjpeg-turbo (a build in which
ENABLE_SHARED is 0) could not be installed using the Visual Studio IDE.

Fixed a severe performance issue in the Loongson MMI SIMD extensions that
occurred when compressing RGB images whose image rows were not 64-bit-aligned.

2.0.1

Fixed a regression introduced with the new CMake-based Un*x build system,
whereby jconfig.h could cause compiler warnings of the form "HAVE_*_H"
redefined if it was included by downstream Autotools-based projects that used
AC_CHECK_HEADERS() to check for the existence of locale.h, stddef.h, or
stdlib.h.

The jsimd_quantize_float_dspr2() and jsimd_convsamp_float_dspr2() functions in
the MIPS DSPr2 SIMD extensions are now disabled at compile time if the soft
float ABI is enabled. Those functions use instructions that are incompatible
with the soft float ABI.

Fixed a regression in the SIMD feature detection code, introduced by the AVX2
SIMD extensions (2.0 beta1[1]), that caused libjpeg-turbo to crash on Windows 7
if Service Pack 1 was not installed.

Fixed out-of-bounds read in cjpeg that occurred when attempting to compress a
specially-crafted malformed color-index (8-bit-per-sample) Targa file in which
some of the samples (color indices) exceeded the bounds of the Targa file's
color table.

Fixed an issue whereby installing a fully static build of libjpeg-turbo (a build
in which CFLAGS contains -static and ENABLE_SHARED is 0) would fail with
"No valid ELF RPATH or RUNPATH entry exists in the file."

2.0.0

The TurboJPEG API can now decompress CMYK JPEG images that have subsampled M and
Y components (not to be confused with YCCK JPEG images, in which the C/M/Y
components have been transformed into luma and chroma.) Previously, an error was
generated ("Could not determine subsampling type for JPEG image") when
such an image was passed to tjDecompressHeader3(), tjTransform(),
tjDecompressToYUVPlanes(), tjDecompressToYUV2(), or the equivalent Java methods.

Fixed an issue (CVE-2018-11813) whereby a specially-crafted malformed input file
(specifically, a file with a valid Targa header but incomplete pixel data) would
cause cjpeg to generate a JPEG file that was potentially thousands of times
larger than the input file. The Targa reader in cjpeg was not properly detecting
that the end of the input file had been reached prematurely, so after all valid
pixels had been read from the input, the reader injected dummy pixels with
values of 255 into the JPEG compressor until the number of pixels specified in
the Targa header had been compressed. The Targa reader in cjpeg now behaves like
the PPM reader and aborts compression if the end of the input file is reached
prematurely. Because this issue only affected cjpeg and not the underlying
library, and because it did not involve any out-of-bounds reads or other
exploitable behaviors, it was not believed to represent a security threat.

Fixed an issue whereby the tjLoadImage() and tjSaveImage() functions would
produce a "Bogus message code" error message if the underlying bitmap
and PPM readers/writers threw an error that was specific to the readers/writers
(as opposed to a general libjpeg API error.)

Fixed an issue (CVE-2018-1152) whereby a specially-crafted malformed BMP file,
one in which the header specified an image width of 1073741824 pixels, would
trigger a floating point exception (division by zero) in the tjLoadImage()
function when attempting to load the BMP file into a 4-component image buffer.

Fixed an issue whereby certain combinations of calls to jpeg_skip_scanlines()
and jpeg_read_scanlines() could trigger an infinite loop when decompressing
progressive JPEG images that use vertical chroma subsampling (for instance,
4:2:0 or 4:4:0.)

Fixed a segfault in jpeg_skip_scanlines() that occurred when decompressing a
4:2:2 or 4:2:0 JPEG image using the merged (non-fancy) upsampling algorithms
(that is, when setting cinfo.do_fancy_upsampling to FALSE.)

The new CMake-based build system will now disable the MIPS DSPr2 SIMD extensions
if it detects that the compiler does not support DSPr2 instructions.

Fixed out-of-bounds read in cjpeg (CVE-2018-14498) that occurred when attempting
to compress a specially-crafted malformed color-index (8-bit-per-sample) BMP
file in which some of the samples (color indices) exceeded the bounds of the BMP
file's color table.

Fixed a signed integer overflow in the progressive Huffman decoder, detected by
the Clang and GCC undefined behavior sanitizers, that could be triggered by
attempting to decompress a specially-crafted malformed JPEG image. This issue
did not pose a security threat, but removing the warning made it easier to
detect actual security issues, should they arise in the future.

Files:
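
Added example (not part of the commit message and not libjpeg-turbo code): the size figures quoted in the notes above are 32-bit arithmetic boundaries. 715827882 is INT_MAX / 3, and a width of 1073741824 multiplied by 4 components wraps to 0 in 32 bits. The sketch below shows both boundaries and an overflow-checked size calculation a caller can run on header dimensions before allocating; all function names and the MAX_IMAGE_BYTES cap are hypothetical.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed policy cap for this example (1 GiB); not a libjpeg-turbo constant. */
#define MAX_IMAGE_BYTES ((uint64_t)1 << 30)

/* Row pitch as 32-bit unsigned arithmetic computes it: wraps modulo 2^32. */
uint32_t wrapped_pitch32(uint32_t width, uint32_t comps)
{
    return width * comps;
}

/* Does pixels * comps fit in a signed int? Uses division, so the check
 * itself cannot overflow. */
int fits_in_int(int64_t pixels, int comps)
{
    return pixels >= 0 && comps > 0 && pixels <= (int64_t)INT_MAX / comps;
}

/* Overflow-checked buffer size. Returns 0 and stores the byte count in *out,
 * or -1 for a zero dimension or a size above MAX_IMAGE_BYTES. */
int checked_image_size(uint32_t width, uint32_t height, uint32_t comps,
                       uint64_t *out)
{
    if (width == 0 || height == 0 || comps == 0)
        return -1;          /* reject before anything divides by a dimension */
    uint64_t pitch = (uint64_t)width * comps;   /* < 2^64, cannot wrap */
    if (pitch > MAX_IMAGE_BYTES / height)
        return -1;
    *out = pitch * height;
    return 0;
}

int main(void)
{
    uint64_t n = 0;
    /* Constructed inputs using the figures quoted in the release notes. */
    printf("pitch32(1073741824, 4) = %u\n",
           (unsigned)wrapped_pitch32(1073741824u, 4));
    printf("715827882 * 3 fits int: %d\n", fits_in_int(715827882, 3));
    printf("715827883 * 3 fits int: %d\n", fits_in_int(715827883, 3));
    printf("checked 1073741824x1x4: %d\n",
           checked_image_size(1073741824u, 1, 4, &n));
    if (checked_image_size(640, 480, 3, &n) == 0)
        printf("checked 640x480x3: %llu bytes\n", (unsigned long long)n);
    return 0;
}
```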