libjpeg-turbo: heap-based buffer over-read in get_rgb_row() in rdppm.c (CVE-2020-13790)

libjpeg-turbo 2.0.4, and mozjpeg 4.0.0, has a heap-based buffer over-read in get_rgb_row() in rdppm.c via a malformed PPM input file.

References:

• https://github.com/libjpeg-turbo/libjpeg-turbo/issues/433
• https://nvd.nist.gov/vuln/detail/CVE-2020-13790

Patch:

https://github.com/libjpeg-turbo/libjpeg-turbo/commit/3de15e0c344d11d4b90f4a47136467053eb2d09a

Affected branches:

• master
• 3.12-stable
• 3.11-stable
• 3.10-stable