diff options
author | Leo <thinkabit.ukim@gmail.com> | 2019-07-16 17:28:53 -0300 |
---|---|---|
committer | Natanael Copa <ncopa@alpinelinux.org> | 2019-07-22 12:50:11 +0200 |
commit | 39308e8b51397113cb0b9426f3bce50e289e896e (patch) | |
tree | dd55a2344ca56301bbc6d4aa44bc4a3ab0bb14a1 | |
parent | 982c3b6a30eca5ff7cf8d069f774084391a699dc (diff) |
main/libjpeg-turbo: backport fix for CVE-2018-14498
-rw-r--r-- | main/libjpeg-turbo/APKBUILD | 8 | ||||
-rw-r--r-- | main/libjpeg-turbo/CVE-2018-14498.patch | 110 |
2 files changed, 116 insertions, 2 deletions
diff --git a/main/libjpeg-turbo/APKBUILD b/main/libjpeg-turbo/APKBUILD index e12587d21b7..2efe02530a4 100644 --- a/main/libjpeg-turbo/APKBUILD +++ b/main/libjpeg-turbo/APKBUILD @@ -2,7 +2,7 @@ # Maintainer: Natanael Copa <ncopa@alpinelinux.org> pkgname=libjpeg-turbo pkgver=1.5.3 -pkgrel=2 +pkgrel=3 pkgdesc="accelerated baseline JPEG compression and decompression library" url="http://libjpeg-turbo.virtualgl.org/" arch="all" @@ -15,9 +15,12 @@ subpackages="$pkgname-doc $pkgname-dev $pkgname-utils" source="https://downloads.sourceforge.net/libjpeg-turbo/libjpeg-turbo-$pkgver.tar.gz 0001-tjLoadImage-Fix-FPE-triggered-by-malformed-BMP.patch CVE-2018-11813.patch + CVE-2018-14498.patch " # secfixes: +# 1.5.3-r3: +# - CVE-2018-14498 # 1.5.3-r2: # - CVE-2018-11813 # 1.5.3-r1: @@ -66,4 +69,5 @@ dev() { sha512sums="b611b1cc3d1ddedddad871854b42449d053a5f910ed1bdfa45c98e0270f4ecc110fde3a10111d2b876d847a826fa634f09c0bb8c357056c9c3a91c9065eb5202 libjpeg-turbo-1.5.3.tar.gz d6465d96427289d90c342e94316018565eb1711ea0028121ea0a962900b7c7599a7457e42201bcfd288da30019ae3b841ce319cfbe02705d49749d660ef04b74 0001-tjLoadImage-Fix-FPE-triggered-by-malformed-BMP.patch -d32234df784ebe1cad6af114f74d14995637e494a502c171e154e1abc5aa335930d3a256fda234a85842d5c1658d2fac6474e0bc959fdf04413f69a35e3bf39a CVE-2018-11813.patch" +d32234df784ebe1cad6af114f74d14995637e494a502c171e154e1abc5aa335930d3a256fda234a85842d5c1658d2fac6474e0bc959fdf04413f69a35e3bf39a CVE-2018-11813.patch +315aba552a2d66cdc8d83c5602a7e47c995f6709509afd07daf3ffacaf650404dc9f7a4beeb1373cabb5afc915a3d4c704b71dfdfcad3bc25ae5361ed16980d5 CVE-2018-14498.patch" diff --git a/main/libjpeg-turbo/CVE-2018-14498.patch b/main/libjpeg-turbo/CVE-2018-14498.patch new file mode 100644 index 00000000000..edf9365448f --- /dev/null +++ b/main/libjpeg-turbo/CVE-2018-14498.patch @@ -0,0 +1,110 @@ +diff --git a/cderror.h b/cderror.h +index 63de498..92dd2ed 100644 +--- a/cderror.h ++++ b/cderror.h +@@ -49,6 +49,7 @@ JMESSAGE(JERR_BMP_COLORSPACE, "BMP output must be grayscale or RGB") + JMESSAGE(JERR_BMP_COMPRESSED, "Sorry, compressed BMPs not yet supported") + JMESSAGE(JERR_BMP_EMPTY, "Empty BMP image") + JMESSAGE(JERR_BMP_NOT, "Not a BMP file - does not start with BM") ++JMESSAGE(JERR_BMP_OUTOFRANGE, "Numeric value out of range in BMP file") + JMESSAGE(JTRC_BMP, "%ux%u 24-bit BMP image") + JMESSAGE(JTRC_BMP_MAPPED, "%ux%u 8-bit colormapped BMP image") + JMESSAGE(JTRC_BMP_OS2, "%ux%u 24-bit OS2 BMP image") +@@ -77,6 +78,7 @@ JMESSAGE(JERR_PPM_COLORSPACE, "PPM output must be grayscale or RGB") + JMESSAGE(JERR_PPM_NONNUMERIC, "Nonnumeric data in PPM file") + JMESSAGE(JERR_PPM_TOOLARGE, "Integer value too large in PPM file") + JMESSAGE(JERR_PPM_NOT, "Not a PPM/PGM file") ++JMESSAGE(JERR_PPM_OUTOFRANGE, "Numeric value out of range in PPM file") + JMESSAGE(JTRC_PGM, "%ux%u PGM image") + JMESSAGE(JTRC_PGM_TEXT, "%ux%u text PGM image") + JMESSAGE(JTRC_PPM, "%ux%u PPM image") +diff --git a/rdbmp.c b/rdbmp.c +index eaa7086..01fa2bc 100644 +--- a/rdbmp.c ++++ b/rdbmp.c +@@ -66,6 +66,7 @@ typedef struct _bmp_source_struct { + JDIMENSION row_width; /* Physical width of scanlines in file */ + + int bits_per_pixel; /* remembers 8- or 24-bit format */ ++ int cmap_length; /* colormap length */ + } bmp_source_struct; + + +@@ -126,6 +127,7 @@ get_8bit_row (j_compress_ptr cinfo, cjpeg_source_ptr sinfo) + { + bmp_source_ptr source = (bmp_source_ptr) sinfo; + register JSAMPARRAY colormap = source->colormap; ++ int cmaplen = source->cmap_length; + JSAMPARRAY image_ptr; + register int t; + register JSAMPROW inptr, outptr; +@@ -142,6 +144,8 @@ get_8bit_row (j_compress_ptr cinfo, cjpeg_source_ptr sinfo) + outptr = source->pub.buffer[0]; + for (col = cinfo->image_width; col > 0; col--) { + t = GETJSAMPLE(*inptr++); ++ if (t >= cmaplen) ++ ERREXIT(cinfo, JERR_BMP_OUTOFRANGE); + *outptr++ = colormap[0][t]; /* can omit GETJSAMPLE() safely */ + *outptr++ = colormap[1][t]; + *outptr++ = colormap[2][t]; +@@ -401,6 +405,7 @@ start_input_bmp (j_compress_ptr cinfo, cjpeg_source_ptr sinfo) + source->colormap = (*cinfo->mem->alloc_sarray) + ((j_common_ptr) cinfo, JPOOL_IMAGE, + (JDIMENSION) biClrUsed, (JDIMENSION) 3); ++ source->cmap_length = (int)biClrUsed; + /* and read it from the file */ + read_colormap(source, (int) biClrUsed, mapentrysize); + /* account for size of colormap */ +diff --git a/rdppm.c b/rdppm.c +index 33ff749..c0c0962 100644 +--- a/rdppm.c ++++ b/rdppm.c +@@ -69,7 +69,7 @@ typedef struct { + JSAMPROW pixrow; /* compressor input buffer */ + size_t buffer_width; /* width of I/O buffer */ + JSAMPLE *rescale; /* => maxval-remapping array, or NULL */ +- int maxval; ++ unsigned int maxval; + } ppm_source_struct; + + typedef ppm_source_struct *ppm_source_ptr; +@@ -119,7 +119,7 @@ read_pbm_integer (j_compress_ptr cinfo, FILE *infile, unsigned int maxval) + } + + if (val > maxval) +- ERREXIT(cinfo, JERR_PPM_TOOLARGE); ++ ERREXIT(cinfo, JERR_PPM_OUTOFRANGE); + + return val; + } +@@ -255,7 +255,7 @@ get_word_gray_row (j_compress_ptr cinfo, cjpeg_source_ptr sinfo) + temp = UCH(*bufferptr++) << 8; + temp |= UCH(*bufferptr++); + if (temp > maxval) +- ERREXIT(cinfo, JERR_PPM_TOOLARGE); ++ ERREXIT(cinfo, JERR_PPM_OUTOFRANGE); + *ptr++ = rescale[temp]; + } + return 1; +@@ -282,17 +282,17 @@ get_word_rgb_row (j_compress_ptr cinfo, cjpeg_source_ptr sinfo) + temp = UCH(*bufferptr++) << 8; + temp |= UCH(*bufferptr++); + if (temp > maxval) +- ERREXIT(cinfo, JERR_PPM_TOOLARGE); ++ ERREXIT(cinfo, JERR_PPM_OUTOFRANGE); + *ptr++ = rescale[temp]; + temp = UCH(*bufferptr++) << 8; + temp |= UCH(*bufferptr++); + if (temp > maxval) +- ERREXIT(cinfo, JERR_PPM_TOOLARGE); ++ ERREXIT(cinfo, JERR_PPM_OUTOFRANGE); + *ptr++ = rescale[temp]; + temp = UCH(*bufferptr++) << 8; + temp |= UCH(*bufferptr++); + if (temp > maxval) +- ERREXIT(cinfo, JERR_PPM_TOOLARGE); ++ ERREXIT(cinfo, JERR_PPM_OUTOFRANGE); + *ptr++ = rescale[temp]; + } + return 1; + |