File libjpeg-turbo-CVE-2018-14498.patch of Package libjpeg-turbo.22196
Index: libjpeg-turbo-1.5.3/rdbmp.c
===================================================================
--- libjpeg-turbo-1.5.3.orig/rdbmp.c 2019-03-13 13:37:49.875319725 +0100
+++ libjpeg-turbo-1.5.3/rdbmp.c 2019-03-13 13:37:49.883319763 +0100
@@ -66,6 +66,7 @@ typedef struct _bmp_source_struct {
JDIMENSION row_width; /* Physical width of scanlines in file */
int bits_per_pixel; /* remembers 8- or 24-bit format */
+ int cmap_length; /* colormap length */
} bmp_source_struct;
@@ -126,6 +127,7 @@ get_8bit_row (j_compress_ptr cinfo, cjpe
{
bmp_source_ptr source = (bmp_source_ptr) sinfo;
register JSAMPARRAY colormap = source->colormap;
+ int cmaplen = source->cmap_length;
JSAMPARRAY image_ptr;
register int t;
register JSAMPROW inptr, outptr;
@@ -142,6 +144,8 @@ get_8bit_row (j_compress_ptr cinfo, cjpe
outptr = source->pub.buffer[0];
for (col = cinfo->image_width; col > 0; col--) {
t = GETJSAMPLE(*inptr++);
+ if (t >= cmaplen)
+ ERREXIT(cinfo, JERR_BMP_TOOLARGE);
*outptr++ = colormap[0][t]; /* can omit GETJSAMPLE() safely */
*outptr++ = colormap[1][t];
*outptr++ = colormap[2][t];
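Review bot: The added `if (t >= cmaplen)` guard in get_8bit_row carries no comment saying what it protects, and it is an unbraced `if` around the ERREXIT macro. As a matter of style I would write `if (t >= cmaplen) { ERREXIT(cinfo, JERR_BMP_TOOLARGE); }` preceded by `/* pixel value indexes the colormap; reject indices past the entries read from the file */`, so a later reader does not remove the check as redundant. Only the upper bound is tested, which is sufficient if GETJSAMPLE always yields a non-negative value; that depends on its definition outside this patch. The function body starts and ends outside the hunk.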
@@ -401,6 +405,7 @@ start_input_bmp (j_compress_ptr cinfo, c
source->colormap = (*cinfo->mem->alloc_sarray)
((j_common_ptr) cinfo, JPOOL_IMAGE,
(JDIMENSION) biClrUsed, (JDIMENSION) 3);
+ source->cmap_length = (int)biClrUsed;
/* and read it from the file */
read_colormap(source, (int) biClrUsed, mapentrysize);
/* account for size of colormap */
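Review bot: `source->cmap_length` is assigned only inside this colormap-allocation branch, so on any path that skips the branch the field keeps whatever the allocator left in it, and the new bounds check in get_8bit_row would compare against an indeterminate value. Whether such a path can reach get_8bit_row is not visible here. Setting `source->cmap_length = 0;` where the source struct is first set up would make the check fail closed. The `(int)biClrUsed` cast is safe only if biClrUsed has already been range-checked above this hunk, which is worth confirming because the same value sizes the alloc_sarray call. start_input_bmp continues outside the hunk.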
Index: libjpeg-turbo-1.5.3/rdppm.c
===================================================================
--- libjpeg-turbo-1.5.3.orig/rdppm.c 2017-12-14 05:39:01.000000000 +0100
+++ libjpeg-turbo-1.5.3/rdppm.c 2019-03-13 13:37:49.883319763 +0100
@@ -69,7 +69,7 @@ typedef struct {
JSAMPROW pixrow; /* compressor input buffer */
size_t buffer_width; /* width of I/O buffer */
JSAMPLE *rescale; /* => maxval-remapping array, or NULL */
- int maxval;
+ unsigned int maxval;
} ppm_source_struct;
typedef ppm_source_struct *ppm_source_ptr;
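Review bot: The retyped `unsigned int maxval;` is the only field shown in ppm_source_struct without a trailing comment, and the patch does not touch any of its readers. I would write `unsigned int maxval; /* maximum sample value from the PPM header */` (wording to be confirmed against the parser). Every comparison or assignment involving `source->maxval` should also be checked for signed/unsigned mixing, because the type change alters how a comparison against a signed int is evaluated. No use site is visible in this patch, so that audit cannot be confirmed from here.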
Index: libjpeg-turbo-1.5.3/cderror.h
===================================================================
--- libjpeg-turbo-1.5.3.orig/cderror.h 2017-12-14 05:39:01.000000000 +0100
+++ libjpeg-turbo-1.5.3/cderror.h 2019-03-13 13:38:20.039463041 +0100
@@ -49,6 +49,7 @@ JMESSAGE(JERR_BMP_COLORSPACE, "BMP outpu
JMESSAGE(JERR_BMP_COMPRESSED, "Sorry, compressed BMPs not yet supported")
JMESSAGE(JERR_BMP_EMPTY, "Empty BMP image")
JMESSAGE(JERR_BMP_NOT, "Not a BMP file - does not start with BM")
+JMESSAGE(JERR_BMP_TOOLARGE, "Integer value too large in BMP file")
JMESSAGE(JTRC_BMP, "%ux%u 24-bit BMP image")
JMESSAGE(JTRC_BMP_MAPPED, "%ux%u 8-bit colormapped BMP image")
JMESSAGE(JTRC_BMP_OS2, "%ux%u 24-bit OS2 BMP image")
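Review bot: The text of JERR_BMP_TOOLARGE, "Integer value too large in BMP file", does not say which value was rejected. The only caller in this patch raises it for a pixel index that is not below the colormap length. A message such as `"Colormap index out of range in BMP file"` would make a rejected malformed file easier to triage from logs. If the code is meant to be reused for other BMP header fields, keep the generic text and add a comment above the JMESSAGE line saying so.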