Commit 1c66dc70 authored by Natanael Copa's avatar Natanael Copa

main/libjpeg-turbo: backport security fix (CVE-2018-11813)

fixes #9431
parent 40f5397f
......@@ -2,7 +2,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=libjpeg-turbo
pkgver=1.5.3
pkgrel=1
pkgrel=2
pkgdesc="accelerated baseline JPEG compression and decompression library"
url="http://libjpeg-turbo.virtualgl.org/"
arch="all"
......@@ -14,9 +14,13 @@ install=""
replaces="libjpeg"
subpackages="$pkgname-doc $pkgname-dev $pkgname-utils"
source="https://downloads.sourceforge.net/libjpeg-turbo/libjpeg-turbo-$pkgver.tar.gz
0001-tjLoadImage-Fix-FPE-triggered-by-malformed-BMP.patch"
0001-tjLoadImage-Fix-FPE-triggered-by-malformed-BMP.patch
CVE-2018-11813.patch
"
# secfixes:
# 1.5.3-r2:
# - CVE-2018-11813
# 1.5.3-r1:
# - CVE-2018-1152
# 1.5.3-r0:
......@@ -72,4 +76,5 @@ dev() {
}
sha512sums="b611b1cc3d1ddedddad871854b42449d053a5f910ed1bdfa45c98e0270f4ecc110fde3a10111d2b876d847a826fa634f09c0bb8c357056c9c3a91c9065eb5202 libjpeg-turbo-1.5.3.tar.gz
d6465d96427289d90c342e94316018565eb1711ea0028121ea0a962900b7c7599a7457e42201bcfd288da30019ae3b841ce319cfbe02705d49749d660ef04b74 0001-tjLoadImage-Fix-FPE-triggered-by-malformed-BMP.patch"
d6465d96427289d90c342e94316018565eb1711ea0028121ea0a962900b7c7599a7457e42201bcfd288da30019ae3b841ce319cfbe02705d49749d660ef04b74 0001-tjLoadImage-Fix-FPE-triggered-by-malformed-BMP.patch
d32234df784ebe1cad6af114f74d14995637e494a502c171e154e1abc5aa335930d3a256fda234a85842d5c1658d2fac6474e0bc959fdf04413f69a35e3bf39a CVE-2018-11813.patch"
From 19074854d9d8bc32dff3ed252eed17ed6cc2ecfc Mon Sep 17 00:00:00 2001
From: DRC <information@libjpeg-turbo.org>
Date: Tue, 12 Jun 2018 16:08:26 -0500
Subject: [PATCH] Fix CVE-2018-11813
Refer to change log for details.
Fixes #242
---
ChangeLog.md | 14 ++++++++++++++
rdtarga.c | 6 ++----
2 files changed, 16 insertions(+), 4 deletions(-)
diff --git a/ChangeLog.md b/ChangeLog.md
index bf63eb2dc..3aa41d173 100644
--- a/ChangeLog.md
+++ b/ChangeLog.md
@@ -24,6 +24,20 @@ an image was passed to `tjDecompressHeader3()`, `tjTransform()`,
`tjDecompressToYUVPlanes()`, `tjDecompressToYUV2()`, or the equivalent Java
methods.
+5. Fixed an issue (CVE-2018-11813) whereby a specially-crafted malformed input
+file (specifically, a file with a valid Targa header but incomplete pixel data)
+would cause cjpeg to generate a JPEG file that was potentially thousands of
+times larger than the input file. The Targa reader in cjpeg was not properly
+detecting that the end of the input file had been reached prematurely, so after
+all valid pixels had been read from the input, the reader injected dummy pixels
+with values of 255 into the JPEG compressor until the number of pixels
+specified in the Targa header had been compressed. The Targa reader in cjpeg
+now behaves like the PPM reader and aborts compression if the end of the input
+file is reached prematurely. Because this issue only affected cjpeg and not
+the underlying library, and because it did not involve any out-of-bounds reads
+or other exploitable behaviors, it was not believed to represent a security
+threat.
+
1.5.3
=====
diff --git a/rdtarga.c b/rdtarga.c
index b9bbd07cb..f874ece67 100644
--- a/rdtarga.c
+++ b/rdtarga.c
@@ -125,11 +125,10 @@ METHODDEF(void)
read_non_rle_pixel (tga_source_ptr sinfo)
/* Read one Targa pixel from the input file; no RLE expansion */
{
- register FILE *infile = sinfo->pub.input_file;
register int i;
for (i = 0; i < sinfo->pixel_size; i++) {
- sinfo->tga_pixel[i] = (U_CHAR) getc(infile);
+ sinfo->tga_pixel[i] = (U_CHAR) read_byte(sinfo);
}
}
@@ -138,7 +137,6 @@ METHODDEF(void)
read_rle_pixel (tga_source_ptr sinfo)
/* Read one Targa pixel from the input file, expanding RLE data as needed */
{
- register FILE *infile = sinfo->pub.input_file;
register int i;
/* Duplicate previously read pixel? */
@@ -160,7 +158,7 @@ read_rle_pixel (tga_source_ptr sinfo)
/* Read next pixel */
for (i = 0; i < sinfo->pixel_size; i++) {
- sinfo->tga_pixel[i] = (U_CHAR) getc(infile);
+ sinfo->tga_pixel[i] = (U_CHAR) read_byte(sinfo);
}
}
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment