rpms/libjpeg-turbo
6
0
Fork 0
Code Issues Pull Requests Releases Activity

Fix CVE-2018-11813 (#1588804)

Browse Source
This commit is contained in:
Nikola Forró 2018-06-15 13:04:16 +02:00
parent 00790f8027
commit a2d36ac1a0
2 changed files with 65 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

59
libjpeg-turbo-CVE-2018-11813.patch Normal file
View File

@ -0,0 +1,59 @@
From fccf53aed0093a626fca15f0d25f46fb6ed3e770 Mon Sep 17 00:00:00 2001
From: DRC <information@libjpeg-turbo.org>
Date: Tue, 12 Jun 2018 16:08:26 -0500
Subject: [PATCH] Fix CVE-2018-11813
Fixed an issue (CVE-2018-11813) whereby a specially-crafted malformed input
file (specifically, a file with a valid Targa header but incomplete pixel data)
would cause cjpeg to generate a JPEG file that was potentially thousands of
times larger than the input file. The Targa reader in cjpeg was not properly
detecting that the end of the input file had been reached prematurely, so after
all valid pixels had been read from the input, the reader injected dummy pixels
with values of 255 into the JPEG compressor until the number of pixels
specified in the Targa header had been compressed. The Targa reader in cjpeg
now behaves like the PPM reader and aborts compression if the end of the input
file is reached prematurely. Because this issue only affected cjpeg and not
the underlying library, and because it did not involve any out-of-bounds reads
or other exploitable behaviors, it was not believed to represent a security
threat.
---
rdtarga.c | 6 ++----
1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/rdtarga.c b/rdtarga.c
index ecb4219..e0c6947 100644
--- a/rdtarga.c
+++ b/rdtarga.c
@@ -126,11 +126,10 @@ METHODDEF(void)
read_non_rle_pixel(tga_source_ptr sinfo)
/* Read one Targa pixel from the input file; no RLE expansion */
{
- register FILE *infile = sinfo->pub.input_file;
register int i;
for (i = 0; i < sinfo->pixel_size; i++) {
- sinfo->tga_pixel[i] = (U_CHAR)getc(infile);
+ sinfo->tga_pixel[i] = (U_CHAR)read_byte(sinfo);
}
}
@@ -139,7 +138,6 @@ METHODDEF(void)
read_rle_pixel(tga_source_ptr sinfo)
/* Read one Targa pixel from the input file, expanding RLE data as needed */
{
- register FILE *infile = sinfo->pub.input_file;
register int i;
/* Duplicate previously read pixel? */
@@ -161,7 +159,7 @@ read_rle_pixel(tga_source_ptr sinfo)
/* Read next pixel */
for (i = 0; i < sinfo->pixel_size; i++) {
- sinfo->tga_pixel[i] = (U_CHAR)getc(infile);
+ sinfo->tga_pixel[i] = (U_CHAR)read_byte(sinfo);
}
}
--
2.17.1

7
libjpeg-turbo.spec
View File

@ -1,12 +1,13 @@
Name: libjpeg-turbo Name: libjpeg-turbo
Version: 1.5.90 Version: 1.5.90
Release: 1%{?dist} Release: 2%{?dist}
Summary: A MMX/SSE2/SIMD accelerated library for manipulating JPEG image files Summary: A MMX/SSE2/SIMD accelerated library for manipulating JPEG image files
License: IJG License: IJG
URL: http://sourceforge.net/projects/libjpeg-turbo URL: http://sourceforge.net/projects/libjpeg-turbo
Source0: http://downloads.sourceforge.net/%{name}/%{name}-%{version}.tar.gz Source0: http://downloads.sourceforge.net/%{name}/%{name}-%{version}.tar.gz
Patch0: libjpeg-turbo-cmake.patch Patch0: libjpeg-turbo-cmake.patch
Patch1: libjpeg-turbo-CVE-2018-11813.patch
BuildRequires: gcc BuildRequires: gcc
BuildRequires: cmake BuildRequires: cmake
@ -69,6 +70,7 @@ manipulate JPEG files using the TurboJPEG library.
%prep %prep
%setup -q %setup -q
%patch0 -p1 %patch0 -p1
%patch1 -p1
%build %build
%{cmake} -DCMAKE_SKIP_RPATH:BOOL=YES \ %{cmake} -DCMAKE_SKIP_RPATH:BOOL=YES \
@ -168,6 +170,9 @@ LD_LIBRARY_PATH=%{buildroot}%{_libdir} make test %{?_smp_mflags}
%{_libdir}/pkgconfig/libturbojpeg.pc %{_libdir}/pkgconfig/libturbojpeg.pc
%changelog %changelog
* Fri Jun 15 2018 Nikola Forró <nforro@redhat.com> - 1.5.90-2
- Fix CVE-2018-11813 (#1588804)
* Wed Mar 28 2018 Nikola Forró <nforro@redhat.com> - 1.5.90-1 * Wed Mar 28 2018 Nikola Forró <nforro@redhat.com> - 1.5.90-1
- New upstream release 1.5.90 (#1560219) - New upstream release 1.5.90 (#1560219)