gnu: libjpeg-turbo: Fix CVE-2019-13960 and CVE-2019-2201.

* gnu/packages/patches/libjpeg-turbo-CVE-2019-2201.patch: New file.
* gnu/local.mk (dist_patch_DATA): Adjust accordingly.
* gnu/packages/image.scm (libjpeg-turbo/fixed): New variable.
(libjpeg-turbo)[replacement]: New field.

1 files changed, 31 insertions, 0 deletions

diff --git a/gnu/packages/patches/libjpeg-turbo-CVE-2019-2201.patch b/gnu/packages/patches/libjpeg-turbo-CVE-2019-2201.patch
new file mode 100644
index 0000000000..35f2bf5963
--- /dev/null
+++ b/gnu/packages/patches/libjpeg-turbo-CVE-2019-2201.patch
@@ -0,0 +1,31 @@
+Fix integer overflow which can potentially lead to RCE.
+
+https://www.openwall.com/lists/oss-security/2019/11/11/1
+https://nvd.nist.gov/vuln/detail/CVE-2019-2201
+
+The problem was partially fixed in 2.0.3.  This patch is a follow-up.
+https://github.com/libjpeg-turbo/libjpeg-turbo/issues/388
+https://github.com/libjpeg-turbo/libjpeg-turbo/commit/c30b1e72dac76343ef9029833d1561de07d29bad
+
+diff --git a/tjbench.c b/tjbench.c
+index a7d397318..13a5bde62 100644
+--- a/tjbench.c
++++ b/tjbench.c
+@@ -171,7 +171,7 @@ static int decomp(unsigned char *srcBuf, unsigned char **jpegBuf,
+   }
+   /* Set the destination buffer to gray so we know whether the decompressor
+      attempted to write to it */
+-  memset(dstBuf, 127, pitch * scaledh);
++  memset(dstBuf, 127, (size_t)pitch * scaledh);
+ 
+   if (doYUV) {
+     int width = doTile ? tilew : scaledw;
+@@ -193,7 +193,7 @@ static int decomp(unsigned char *srcBuf, unsigned char **jpegBuf,
+     double start = getTime();
+ 
+     for (row = 0, dstPtr = dstBuf; row < ntilesh;
+-         row++, dstPtr += pitch * tileh) {
++         row++, dstPtr += (size_t)pitch * tileh) {
+       for (col = 0, dstPtr2 = dstPtr; col < ntilesw;
+            col++, tile++, dstPtr2 += ps * tilew) {
+         int width = doTile ? min(tilew, w - col * tilew) : scaledw;