From ac483bbac827694aef13a179c1bffcb2a3dc32b8 Mon Sep 17 00:00:00 2001
From: DRC <information@libjpeg-turbo.org>
Date: Tue, 12 Jun 2018 16:08:26 -0500
Subject: [PATCH] Fix CVE-2018-11813
Fixed an issue (CVE-2018-11813) whereby a specially-crafted malformed input
file (specifically, a file with a valid Targa header but incomplete pixel data)
would cause cjpeg to generate a JPEG file that was potentially thousands of
times larger than the input file. The Targa reader in cjpeg was not properly
detecting that the end of the input file had been reached prematurely, so after
all valid pixels had been read from the input, the reader injected dummy pixels
with values of 255 into the JPEG compressor until the number of pixels
specified in the Targa header had been compressed. The Targa reader in cjpeg
now behaves like the PPM reader and aborts compression if the end of the input
file is reached prematurely. Because this issue only affected cjpeg and not
the underlying library, and because it did not involve any out-of-bounds reads
or other exploitable behaviors, it was not believed to represent a security
threat.
---
rdtarga.c | 6 ++----
1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/rdtarga.c b/rdtarga.c
index b9bbd07..f874ece 100644
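--- a/rdtarga.c
+++ b/rdtarga.c
@@ -125,11 +125,10 @@ METHODDEF(void)
 read_non_rle_pixel (tga_source_ptr sinfo)
 /* Read one Targa pixel from the input file; no RLE expansion */
 {
- register FILE *infile = sinfo->pub.input_file;
 register int i;
 
 for (i = 0; i < sinfo->pixel_size; i++) {
- sinfo->tga_pixel[i] = (U_CHAR) getc(infile);
+ sinfo->tga_pixel[i] = (U_CHAR) read_byte(sinfo);
 }
 }
 
@@ -138,7 +137,6 @@ METHODDEF(void)
 read_rle_pixel (tga_source_ptr sinfo)
 /* Read one Targa pixel from the input file, expanding RLE data as needed */
 {
- register FILE *infile = sinfo->pub.input_file;
 register int i;
 
 /* Duplicate previously read pixel? */
@@ -160,7 +158,7 @@ read_rle_pixel (tga_source_ptr sinfo)
 
 /* Read next pixel */
 for (i = 0; i < sinfo->pixel_size; i++) {
- sinfo->tga_pixel[i] = (U_CHAR) getc(infile);
+ sinfo->tga_pixel[i] = (U_CHAR) read_byte(sinfo);
 }
 }
 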
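Review bot: Both pixel loops now rely entirely on `read_byte()` to stop at a truncated file, but that helper is defined outside these hunks, so its EOF handling cannot be confirmed from the patch, and the function comments still do not mention the abort. I would extend them, e.g. `/* Read one Targa pixel from the input file; no RLE expansion.  Premature EOF is a fatal error (raised by read_byte). */`, and likewise for `read_rle_pixel`, whose middle section lies between the second and third hunks and is not shown. The diffstat touches only rdtarga.c, so no regression input (valid Targa header, truncated pixel data) accompanies the fix; adding one would guard against a raw `getc()` call being reintroduced in this reader. Although the description does not treat the issue as a security threat, services that run cjpeg on untrusted uploads should still treat the pre-fix output amplification as a disk and CPU exhaustion concern, and cap output size on unpatched builds.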
--
2.17.1