Diffstat (limited to 'main/libjpeg-turbo/CVE-2018-14498.patch')
-rw-r--r--main/libjpeg-turbo/CVE-2018-14498.patch110
1 files changed, 110 insertions, 0 deletions
diff --git a/main/libjpeg-turbo/CVE-2018-14498.patch b/main/libjpeg-turbo/CVE-2018-14498.patch
new file mode 100644
index 0000000000..edf9365448
--- /dev/null
+++ b/main/libjpeg-turbo/CVE-2018-14498.patch
@@ -0,0 +1,110 @@
+diff --git a/cderror.h b/cderror.h
+index 63de498..92dd2ed 100644
+--- a/cderror.h
++++ b/cderror.h
+@@ -49,6 +49,7 @@ JMESSAGE(JERR_BMP_COLORSPACE, "BMP output must be grayscale or RGB")
+ JMESSAGE(JERR_BMP_COMPRESSED, "Sorry, compressed BMPs not yet supported")
+ JMESSAGE(JERR_BMP_EMPTY, "Empty BMP image")
+ JMESSAGE(JERR_BMP_NOT, "Not a BMP file - does not start with BM")
++JMESSAGE(JERR_BMP_OUTOFRANGE, "Numeric value out of range in BMP file")
+ JMESSAGE(JTRC_BMP, "%ux%u 24-bit BMP image")
+ JMESSAGE(JTRC_BMP_MAPPED, "%ux%u 8-bit colormapped BMP image")
+ JMESSAGE(JTRC_BMP_OS2, "%ux%u 24-bit OS2 BMP image")
+@@ -77,6 +78,7 @@ JMESSAGE(JERR_PPM_COLORSPACE, "PPM output must be grayscale or RGB")
+ JMESSAGE(JERR_PPM_NONNUMERIC, "Nonnumeric data in PPM file")
+ JMESSAGE(JERR_PPM_TOOLARGE, "Integer value too large in PPM file")
+ JMESSAGE(JERR_PPM_NOT, "Not a PPM/PGM file")
++JMESSAGE(JERR_PPM_OUTOFRANGE, "Numeric value out of range in PPM file")
+ JMESSAGE(JTRC_PGM, "%ux%u PGM image")
+ JMESSAGE(JTRC_PGM_TEXT, "%ux%u text PGM image")
+ JMESSAGE(JTRC_PPM, "%ux%u PPM image")
+diff --git a/rdbmp.c b/rdbmp.c
+index eaa7086..01fa2bc 100644
+--- a/rdbmp.c
++++ b/rdbmp.c
+@@ -66,6 +66,7 @@ typedef struct _bmp_source_struct {
+ JDIMENSION row_width; /* Physical width of scanlines in file */
+
+ int bits_per_pixel; /* remembers 8- or 24-bit format */
++ int cmap_length; /* colormap length */
+ } bmp_source_struct;
+
+
+@@ -126,6 +127,7 @@ get_8bit_row (j_compress_ptr cinfo, cjpeg_source_ptr sinfo)
+ {
+ bmp_source_ptr source = (bmp_source_ptr) sinfo;
+ register JSAMPARRAY colormap = source->colormap;
++ int cmaplen = source->cmap_length;
+ JSAMPARRAY image_ptr;
+ register int t;
+ register JSAMPROW inptr, outptr;
+@@ -142,6 +144,8 @@ get_8bit_row (j_compress_ptr cinfo, cjpeg_source_ptr sinfo)
+ outptr = source->pub.buffer[0];
+ for (col = cinfo->image_width; col > 0; col--) {
+ t = GETJSAMPLE(*inptr++);
++ if (t >= cmaplen)
++ ERREXIT(cinfo, JERR_BMP_OUTOFRANGE);
+ *outptr++ = colormap[0][t]; /* can omit GETJSAMPLE() safely */
+ *outptr++ = colormap[1][t];
+ *outptr++ = colormap[2][t];
+@@ -401,6 +405,7 @@ start_input_bmp (j_compress_ptr cinfo, cjpeg_source_ptr sinfo)
+ source->colormap = (*cinfo->mem->alloc_sarray)
+ ((j_common_ptr) cinfo, JPOOL_IMAGE,
+ (JDIMENSION) biClrUsed, (JDIMENSION) 3);
++ source->cmap_length = (int)biClrUsed;
+ /* and read it from the file */
+ read_colormap(source, (int) biClrUsed, mapentrysize);
+ /* account for size of colormap */
+diff --git a/rdppm.c b/rdppm.c
+index 33ff749..c0c0962 100644
+--- a/rdppm.c
++++ b/rdppm.c
+@@ -69,7 +69,7 @@ typedef struct {
+ JSAMPROW pixrow; /* compressor input buffer */
+ size_t buffer_width; /* width of I/O buffer */
+ JSAMPLE *rescale; /* => maxval-remapping array, or NULL */
+- int maxval;
++ unsigned int maxval;
+ } ppm_source_struct;
+
+ typedef ppm_source_struct *ppm_source_ptr;
+@@ -119,7 +119,7 @@ read_pbm_integer (j_compress_ptr cinfo, FILE *infile, unsigned int maxval)
+ }
+
+ if (val > maxval)
+- ERREXIT(cinfo, JERR_PPM_TOOLARGE);
++ ERREXIT(cinfo, JERR_PPM_OUTOFRANGE);
+
+ return val;
+ }
+@@ -255,7 +255,7 @@ get_word_gray_row (j_compress_ptr cinfo, cjpeg_source_ptr sinfo)
+ temp = UCH(*bufferptr++) << 8;
+ temp |= UCH(*bufferptr++);
+ if (temp > maxval)
+- ERREXIT(cinfo, JERR_PPM_TOOLARGE);
++ ERREXIT(cinfo, JERR_PPM_OUTOFRANGE);
+ *ptr++ = rescale[temp];
+ }
+ return 1;
+@@ -282,17 +282,17 @@ get_word_rgb_row (j_compress_ptr cinfo, cjpeg_source_ptr sinfo)
+ temp = UCH(*bufferptr++) << 8;
+ temp |= UCH(*bufferptr++);
+ if (temp > maxval)
+- ERREXIT(cinfo, JERR_PPM_TOOLARGE);
++ ERREXIT(cinfo, JERR_PPM_OUTOFRANGE);
+ *ptr++ = rescale[temp];
+ temp = UCH(*bufferptr++) << 8;
+ temp |= UCH(*bufferptr++);
+ if (temp > maxval)
+- ERREXIT(cinfo, JERR_PPM_TOOLARGE);
++ ERREXIT(cinfo, JERR_PPM_OUTOFRANGE);
+ *ptr++ = rescale[temp];
+ temp = UCH(*bufferptr++) << 8;
+ temp |= UCH(*bufferptr++);
+ if (temp > maxval)
+- ERREXIT(cinfo, JERR_PPM_TOOLARGE);
++ ERREXIT(cinfo, JERR_PPM_OUTOFRANGE);
+ *ptr++ = rescale[temp];
+ }
+ return 1;
+
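Review bot: The added patch file starts directly at `diff --git a/cderror.h b/cderror.h` with no header, so nothing in the tree records which upstream commit this backport came from, and a later maintainer cannot check it against the upstream fix for the CVE named in the filename. I would put a short provenance header above that first line, for example `Upstream: <upstream commit URL>`, followed by one sentence on the defect. For that sentence: the only new bound check is in the rdbmp.c part, where `get_8bit_row` now rejects a pixel index `t >= cmaplen` before it indexes `colormap[0][t]`, `colormap[1][t]` and `colormap[2][t]`. The rdppm.c part only switches the existing `val > maxval` and `temp > maxval` checks to the new error code and makes `maxval` unsigned. The field comment `/* colormap length */` could also say that it holds the entry count passed to `alloc_sarray` and is the upper bound for pixel indices.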