2020.08.16 13:51 "[Tiff] Disable Old JPEG in libtiff by default!", by Bob Friesenhahn

2020.08.16 16:02 "Re: [Tiff] Disable Old JPEG in libtiff by default!", by Bob Friesenhahn

Regarding security issues in the codec, the last things I looked at were false positives with the memory sanitizer due to libjpeg-turbo using by default hand-written assembly for SIMD acceleration, which cannot be instrumented by MSAN at build time. There's an env variable in libjpeg-turbo to disable those SIMD accelerated routines when debugging this kind of issue.

While they are not actually "security" issues, oss-fuzz did discover some OJPEG files which cause GraphicsMagick to run longer than oss-fuzz's short attention span allows. It is not clear to me that the attack vector is specific to OJPEG though. It might also affect ordinary JPEG compression depending on how the codec responds to issues.

The OJPEG decoder is happy to forge ahead although libjpeg reports oodles of failures to read strips or tiles due to insufficient data.

Bob

Bob Friesenhahn
bfriesen@simple.dallas.tx.us, http://www.simplesystems.org/users/bfriesen/
GraphicsMagick Maintainer, http://www.GraphicsMagick.org/
Public Key, http://www.simplesystems.org/users/bfriesen/public-key.txt
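Editor's note on the two technical points above. The libjpeg-turbo switch Bob refers to is the JSIMD_FORCENONE environment variable (set it to 1 to force the portable C paths, which MSAN can instrument). The "forge ahead" behaviour is the part worth modelling: a decoder that logs a strip read failure and moves on will visit every strip of a file that is mostly missing, which is exactly how a small truncated input turns into an oss-fuzz timeout. The C below is an added example, not code from libtiff or GraphicsMagick; the strip_t structure, build_truncated_sample, decode_forge_ahead and decode_bounded are all hypothetical stand-ins written for this note, and the sample input is constructed inline. It contrasts the tolerant loop with one that abandons the image after a bounded run of consecutive failures.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of a strip-oriented image file (hypothetical, not
 * libtiff's structures): each strip should hold bytes_needed bytes, but a
 * truncated or malformed file only provides bytes_available for it. */
typedef struct {
    size_t bytes_needed;
    size_t bytes_available;
} strip_t;

#define STRIP_BYTES   4096
#define SAMPLE_STRIPS 8

/* Constructed sample: 8 strips, only the first two complete, the remaining
 * six short by two thirds. Returns the number of strips written. */
size_t build_truncated_sample(strip_t *out, size_t cap) {
    size_t n = SAMPLE_STRIPS < cap ? SAMPLE_STRIPS : cap;
    for (size_t i = 0; i < n; i++) {
        out[i].bytes_needed = STRIP_BYTES;
        out[i].bytes_available = (i < 2) ? STRIP_BYTES : STRIP_BYTES / 3;
    }
    return n;
}

/* Stand-in for the codec's strip read: 1 on success, 0 when the strip
 * carries insufficient data (the condition libjpeg keeps reporting). */
static int read_strip(const strip_t *s, unsigned char *buf) {
    if (s->bytes_available < s->bytes_needed)
        return 0;
    memset(buf, 0xAB, s->bytes_needed);   /* pretend we decoded pixels */
    return 1;
}

/* Tolerant loop: reports each failure but keeps walking every strip, so the
 * work done scales with the declared strip count, not with the data present.
 * Returns strips decoded; *attempted receives the number of strips visited. */
long decode_forge_ahead(const strip_t *strips, size_t n, size_t *attempted) {
    unsigned char buf[STRIP_BYTES];
    long ok = 0;
    *attempted = 0;
    for (size_t i = 0; i < n; i++) {
        (*attempted)++;
        if (read_strip(&strips[i], buf))
            ok++;
        else
            fprintf(stderr, "strip %zu: insufficient data (continuing)\n", i);
    }
    return ok;
}

/* Bounded loop: a run of max_consecutive failed strips means the file is not
 * going to get better, so stop. Returns strips decoded, or -1 if abandoned;
 * *attempted again receives the number of strips visited. */
long decode_bounded(const strip_t *strips, size_t n,
                    unsigned max_consecutive, size_t *attempted) {
    unsigned char buf[STRIP_BYTES];
    long ok = 0;
    unsigned failures = 0;
    *attempted = 0;
    for (size_t i = 0; i < n; i++) {
        (*attempted)++;
        if (read_strip(&strips[i], buf)) {
            ok++;
            failures = 0;                 /* a good strip resets the run */
            continue;
        }
        if (++failures >= max_consecutive) {
            fprintf(stderr, "strip %zu: %u consecutive failures, giving up\n",
                    i, failures);
            return -1;
        }
    }
    return ok;
}

int main(void) {
    strip_t strips[SAMPLE_STRIPS];
    size_t n = build_truncated_sample(strips, SAMPLE_STRIPS);
    size_t attempted;

    long a = decode_forge_ahead(strips, n, &attempted);
    printf("forge ahead: decoded %ld, visited %zu of %zu strips\n", a, attempted, n);

    long b = decode_bounded(strips, n, 3, &attempted);
    printf("bounded(3):  result %ld, visited %zu of %zu strips\n", b, attempted, n);
    return 0;
}
```

On the constructed sample the tolerant loop visits all 8 strips to salvage 2, while the bounded loop stops after strip 5 (2 good, then 3 failures in a row). The threshold is a policy knob; what matters for the timeout class of bug is that the cost is capped by a constant rather than by whatever strip or tile count the file header claims.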