Commit 39308e8b authored by Leo Committed by Natanael Copa

main/libjpeg-turbo: backport fix for CVE-2018-14498

parent 982c3b6a
......@@ -2,7 +2,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=libjpeg-turbo
pkgver=1.5.3
pkgrel=2
pkgrel=3
pkgdesc="accelerated baseline JPEG compression and decompression library"
url="http://libjpeg-turbo.virtualgl.org/"
arch="all"
......@@ -15,9 +15,12 @@ subpackages="$pkgname-doc $pkgname-dev $pkgname-utils"
source="https://downloads.sourceforge.net/libjpeg-turbo/libjpeg-turbo-$pkgver.tar.gz
0001-tjLoadImage-Fix-FPE-triggered-by-malformed-BMP.patch
CVE-2018-11813.patch
CVE-2018-14498.patch
"
# secfixes:
# 1.5.3-r3:
# - CVE-2018-14498
# 1.5.3-r2:
# - CVE-2018-11813
# 1.5.3-r1:
......@@ -66,4 +69,5 @@ dev() {
sha512sums="b611b1cc3d1ddedddad871854b42449d053a5f910ed1bdfa45c98e0270f4ecc110fde3a10111d2b876d847a826fa634f09c0bb8c357056c9c3a91c9065eb5202 libjpeg-turbo-1.5.3.tar.gz
d6465d96427289d90c342e94316018565eb1711ea0028121ea0a962900b7c7599a7457e42201bcfd288da30019ae3b841ce319cfbe02705d49749d660ef04b74 0001-tjLoadImage-Fix-FPE-triggered-by-malformed-BMP.patch
d32234df784ebe1cad6af114f74d14995637e494a502c171e154e1abc5aa335930d3a256fda234a85842d5c1658d2fac6474e0bc959fdf04413f69a35e3bf39a CVE-2018-11813.patch"
d32234df784ebe1cad6af114f74d14995637e494a502c171e154e1abc5aa335930d3a256fda234a85842d5c1658d2fac6474e0bc959fdf04413f69a35e3bf39a CVE-2018-11813.patch
315aba552a2d66cdc8d83c5602a7e47c995f6709509afd07daf3ffacaf650404dc9f7a4beeb1373cabb5afc915a3d4c704b71dfdfcad3bc25ae5361ed16980d5 CVE-2018-14498.patch"
diff --git a/cderror.h b/cderror.h
index 63de498..92dd2ed 100644
--- a/cderror.h
+++ b/cderror.h
@@ -49,6 +49,7 @@ JMESSAGE(JERR_BMP_COLORSPACE, "BMP output must be grayscale or RGB")
JMESSAGE(JERR_BMP_COMPRESSED, "Sorry, compressed BMPs not yet supported")
JMESSAGE(JERR_BMP_EMPTY, "Empty BMP image")
JMESSAGE(JERR_BMP_NOT, "Not a BMP file - does not start with BM")
+JMESSAGE(JERR_BMP_OUTOFRANGE, "Numeric value out of range in BMP file")
JMESSAGE(JTRC_BMP, "%ux%u 24-bit BMP image")
JMESSAGE(JTRC_BMP_MAPPED, "%ux%u 8-bit colormapped BMP image")
JMESSAGE(JTRC_BMP_OS2, "%ux%u 24-bit OS2 BMP image")
@@ -77,6 +78,7 @@ JMESSAGE(JERR_PPM_COLORSPACE, "PPM output must be grayscale or RGB")
JMESSAGE(JERR_PPM_NONNUMERIC, "Nonnumeric data in PPM file")
JMESSAGE(JERR_PPM_TOOLARGE, "Integer value too large in PPM file")
JMESSAGE(JERR_PPM_NOT, "Not a PPM/PGM file")
+JMESSAGE(JERR_PPM_OUTOFRANGE, "Numeric value out of range in PPM file")
JMESSAGE(JTRC_PGM, "%ux%u PGM image")
JMESSAGE(JTRC_PGM_TEXT, "%ux%u text PGM image")
JMESSAGE(JTRC_PPM, "%ux%u PPM image")
diff --git a/rdbmp.c b/rdbmp.c
index eaa7086..01fa2bc 100644
--- a/rdbmp.c
+++ b/rdbmp.c
@@ -66,6 +66,7 @@ typedef struct _bmp_source_struct {
JDIMENSION row_width; /* Physical width of scanlines in file */
int bits_per_pixel; /* remembers 8- or 24-bit format */
+ int cmap_length; /* colormap length */
} bmp_source_struct;
@@ -126,6 +127,7 @@ get_8bit_row (j_compress_ptr cinfo, cjpeg_source_ptr sinfo)
{
bmp_source_ptr source = (bmp_source_ptr) sinfo;
register JSAMPARRAY colormap = source->colormap;
+ int cmaplen = source->cmap_length;
JSAMPARRAY image_ptr;
register int t;
register JSAMPROW inptr, outptr;
@@ -142,6 +144,8 @@ get_8bit_row (j_compress_ptr cinfo, cjpeg_source_ptr sinfo)
outptr = source->pub.buffer[0];
for (col = cinfo->image_width; col > 0; col--) {
t = GETJSAMPLE(*inptr++);
+ if (t >= cmaplen)
+ ERREXIT(cinfo, JERR_BMP_OUTOFRANGE);
*outptr++ = colormap[0][t]; /* can omit GETJSAMPLE() safely */
*outptr++ = colormap[1][t];
*outptr++ = colormap[2][t];
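Review bot: The new `t >= cmaplen` guard in get_8bit_row has no comment saying what it protects, although it is the security-relevant line of this patch. The colormap rows are allocated with biClrUsed columns in start_input_bmp, while `t` is taken directly from the file's pixel data, so an index at or above the map length would read past the end of each `colormap[n]` row. I would add above the check: `/* pixel value indexes the colormap; reject indices beyond the entries allocated from biClrUsed */`. The check sits inside the per-column loop, and the function body begins and ends outside this hunk.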
@@ -401,6 +405,7 @@ start_input_bmp (j_compress_ptr cinfo, cjpeg_source_ptr sinfo)
source->colormap = (*cinfo->mem->alloc_sarray)
((j_common_ptr) cinfo, JPOOL_IMAGE,
(JDIMENSION) biClrUsed, (JDIMENSION) 3);
+ source->cmap_length = (int)biClrUsed;
/* and read it from the file */
read_colormap(source, (int) biClrUsed, mapentrysize);
/* account for size of colormap */
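Review bot: `source->cmap_length` is assigned only here, in the colormap-allocation path, so the `t >= cmaplen` check added to get_8bit_row relies on this statement always having run first. The hunk does not show whether the source struct is zeroed when it is created, or whether biClrUsed has been range-checked before the `(int)` cast. If either is not the case, setting `source->cmap_length = 0;` where the struct is set up would make the new check fail closed. Minor style: the following line writes `(int) biClrUsed` with a space, so the same spacing here would match. start_input_bmp begins and ends outside this hunk.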
diff --git a/rdppm.c b/rdppm.c
index 33ff749..c0c0962 100644
--- a/rdppm.c
+++ b/rdppm.c
@@ -69,7 +69,7 @@ typedef struct {
JSAMPROW pixrow; /* compressor input buffer */
size_t buffer_width; /* width of I/O buffer */
JSAMPLE *rescale; /* => maxval-remapping array, or NULL */
- int maxval;
+ unsigned int maxval;
} ppm_source_struct;
typedef ppm_source_struct *ppm_source_ptr;
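Review bot: `maxval` is the only member of ppm_source_struct visible here without a trailing comment, and its signedness presumably feeds the `temp > maxval` range checks in the get_word_*_row hunks. Suggest `unsigned int maxval; /* largest sample value accepted; each sample read is compared against it */`. The locals `temp` and `maxval` in get_word_gray_row and get_word_rgb_row are declared outside the visible hunks, so it is worth confirming they are unsigned too; otherwise the comparison mixes signed and unsigned operands. The struct definition starts above this hunk.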
@@ -119,7 +119,7 @@ read_pbm_integer (j_compress_ptr cinfo, FILE *infile, unsigned int maxval)
}
if (val > maxval)
- ERREXIT(cinfo, JERR_PPM_TOOLARGE);
+ ERREXIT(cinfo, JERR_PPM_OUTOFRANGE);
return val;
}
@@ -255,7 +255,7 @@ get_word_gray_row (j_compress_ptr cinfo, cjpeg_source_ptr sinfo)
temp = UCH(*bufferptr++) << 8;
temp |= UCH(*bufferptr++);
if (temp > maxval)
- ERREXIT(cinfo, JERR_PPM_TOOLARGE);
+ ERREXIT(cinfo, JERR_PPM_OUTOFRANGE);
*ptr++ = rescale[temp];
}
return 1;
@@ -282,17 +282,17 @@ get_word_rgb_row (j_compress_ptr cinfo, cjpeg_source_ptr sinfo)
temp = UCH(*bufferptr++) << 8;
temp |= UCH(*bufferptr++);
if (temp > maxval)
- ERREXIT(cinfo, JERR_PPM_TOOLARGE);
+ ERREXIT(cinfo, JERR_PPM_OUTOFRANGE);
*ptr++ = rescale[temp];
temp = UCH(*bufferptr++) << 8;
temp |= UCH(*bufferptr++);
if (temp > maxval)
- ERREXIT(cinfo, JERR_PPM_TOOLARGE);
+ ERREXIT(cinfo, JERR_PPM_OUTOFRANGE);
*ptr++ = rescale[temp];
temp = UCH(*bufferptr++) << 8;
temp |= UCH(*bufferptr++);
if (temp > maxval)
- ERREXIT(cinfo, JERR_PPM_TOOLARGE);
+ ERREXIT(cinfo, JERR_PPM_OUTOFRANGE);
*ptr++ = rescale[temp];
}
return 1;