update previous patch

Resolves: RHEL-87364

libjpeg-turbo-CVE-2020-13790.patch

@@ -1,24 +1,17 @@
-From 3de15e0c344d11d4b90f4a47136467053eb2d09a Mon Sep 17 00:00:00 2001
-From: DRC <information@libjpeg-turbo.org>
-Date: Tue, 2 Jun 2020 14:15:37 -0500
-Subject: [PATCH] rdppm.c: Fix buf overrun caused by bad binary PPM
+diff -up libjpeg-turbo-1.5.3-build/libjpeg-turbo-1.5.3/rdppm.c.CVE-2020-13790 libjpeg-turbo-1.5.3-build/libjpeg-turbo-1.5.3/rdppm.c
+--- libjpeg-turbo-1.5.3-build/libjpeg-turbo-1.5.3/rdppm.c.CVE-2020-13790	2025-05-07 12:07:29.982772307 +0200
++++ libjpeg-turbo-1.5.3-build/libjpeg-turbo-1.5.3/rdppm.c	2025-05-07 12:11:13.911892476 +0200
+@@ -55,6 +55,9 @@ typedef char U_CHAR;
+ #endif
+ #endif /* HAVE_UNSIGNED_CHAR */
  
-This extends the fix in 1e81b0c3ea26f4ea8f56de05367469333de64a9f to
-include binary PPM files with maximum values < 255, thus preventing a
-malformed binary PPM input file with those specifications from
-triggering an overrun of the rescale array and potentially crashing
-cjpeg, TJBench, or any program that uses the tjLoadImage() function.
++#ifndef MAX
++#define MAX(a, b)       ((a) > (b) ? (a) : (b))
++#endif
  
-Fixes #433
----
- rdppm.c      |  4 ++--
- 2 files changed, 12 insertions(+), 6 deletions(-)
+ #define ReadOK(file,buffer,len) (JFREAD(file,buffer,len) == ((size_t) (len)))
  
-diff --git a/rdppm.c b/rdppm.c
-index 87bc33090..a8507b902 100644
---- a/rdppm.c
-+++ b/rdppm.c
-@ -425,7 +425,7 @@ start_input_ppm (j_compress_ptr cinfo, c
+@@ -424,7 +427,7 @@ start_input_ppm (j_compress_ptr cinfo, c
      /* On 16-bit-int machines we have to be careful of maxval = 65535 */
      source->rescale = (JSAMPLE *)
        (*cinfo->mem->alloc_small) ((j_common_ptr) cinfo, JPOOL_IMAGE,

libjpeg-turbo-CVE-2020-13790pre.patch

@@ -0,0 +1,17 @@
+diff -up libjpeg-turbo-1.5.3-build/libjpeg-turbo-1.5.3/rdppm.c.CVE-2020-13790p2of3 libjpeg-turbo-1.5.3-build/libjpeg-turbo-1.5.3/rdppm.c
+--- libjpeg-turbo-1.5.3-build/libjpeg-turbo-1.5.3/rdppm.c.CVE-2020-13790p2of3	2025-05-06 17:38:26.175241021 +0200
++++ libjpeg-turbo-1.5.3-build/libjpeg-turbo-1.5.3/rdppm.c	2025-05-06 17:38:26.177038002 +0200
+@@ -116,11 +116,10 @@ read_pbm_integer (j_compress_ptr cinfo,
+   while ((ch = pbm_getc(infile)) >= '0' && ch <= '9') {
+     val *= 10;
+     val += ch - '0';
++    if (val > maxval)
++      ERREXIT(cinfo, JERR_PPM_OUTOFRANGE);
+   }
+ 
+-  if (val > maxval)
+-    ERREXIT(cinfo, JERR_PPM_OUTOFRANGE);
+-
+   return val;
+ }
+ 

libjpeg-turbo.spec

@@ -1,6 +1,6 @@
 Name:           libjpeg-turbo
 Version:        1.5.3
-Release:        13%{?dist}
+Release:        14%{?dist}
 Summary:        A MMX/SSE2/SIMD accelerated library for manipulating JPEG image files
 License:        IJG
 URL:            http://sourceforge.net/projects/libjpeg-turbo
@@ -17,7 +17,9 @@ Patch7:         libjpeg-turbo-CVE-2018-14498.patch
 Patch8:         libjpeg-turbo-CVE-2020-17541.patch
 # from upstream, for < 2.0.5, RHEL-87364
 # https://github.com/libjpeg-turbo/libjpeg-turbo/commit/3de15e0c344d11d4b90f4a47136467053eb2d09a
-Patch9:         libjpeg-turbo-CVE-2020-13790.patch
+# https://github.com/libjpeg-turbo/libjpeg-turbo/commit/dd830b3ffe30a76fbe8c1f13ebc7483c9ff792e5
+Patch9:         libjpeg-turbo-CVE-2020-13790pre.patch
+Patch10:        libjpeg-turbo-CVE-2020-13790.patch
 
 BuildRequires:  autoconf
 BuildRequires:  automake
@@ -88,7 +90,8 @@ manipulate JPEG files using the TurboJPEG library.
 %patch -P 6 -p1 -b .CET
 %patch -P 7 -p1 -b .CVE-2018-14498
 %patch -P 8 -p1 -b .CVE-2020-17541
-%patch -P 9 -p1 -b .CVE-2020-13790
+%patch -P 9 -p2 -b .CVE-2020-13790pre
+%patch -P 10 -p2 -b .CVE-2020-13790
 
 %build
 autoreconf -vif
@@ -192,6 +195,9 @@ make test %{?_smp_mflags}
 %{_libdir}/pkgconfig/libturbojpeg.pc
 
 %changelog
+* Tue May 06 2025 Michal Hlavinka <mhlavink@redhat.com> - 1.5.3-14
+- updated previous fix (RHEL-87364)
+
 * Tue Apr 22 2025 Michal Hlavinka <mhlavink@redhat.com> - 1.5.3-13
 - fix CVE-2020-13790: heap-based buffer over-read in get_rgb_row (RHEL-87364)