File libjpeg-turbo-CVE-2018-14498.patch of Package libjpeg62-turbo.15341

Index: libjpeg-turbo-1.5.3/rdbmp.c
===================================================================
--- libjpeg-turbo-1.5.3.orig/rdbmp.c	2019-03-13 13:37:49.875319725 +0100
+++ libjpeg-turbo-1.5.3/rdbmp.c	2019-03-13 13:37:49.883319763 +0100
@@ -66,6 +66,7 @@ typedef struct _bmp_source_struct {
   JDIMENSION row_width;         /* Physical width of scanlines in file */
 
   int bits_per_pixel;           /* remembers 8- or 24-bit format */
+  int cmap_length;              /* colormap length */
 } bmp_source_struct;
 
 
@@ -126,6 +127,7 @@ get_8bit_row (j_compress_ptr cinfo, cjpe
 {
   bmp_source_ptr source = (bmp_source_ptr) sinfo;
   register JSAMPARRAY colormap = source->colormap;
+  int cmaplen = source->cmap_length;
   JSAMPARRAY image_ptr;
   register int t;
   register JSAMPROW inptr, outptr;
@@ -142,6 +144,8 @@ get_8bit_row (j_compress_ptr cinfo, cjpe
   outptr = source->pub.buffer[0];
   for (col = cinfo->image_width; col > 0; col--) {
     t = GETJSAMPLE(*inptr++);
+    if (t >= cmaplen)
+      ERREXIT(cinfo, JERR_BMP_TOOLARGE);
     *outptr++ = colormap[0][t]; /* can omit GETJSAMPLE() safely */
     *outptr++ = colormap[1][t];
     *outptr++ = colormap[2][t];
@@ -401,6 +405,7 @@ start_input_bmp (j_compress_ptr cinfo, c
     source->colormap = (*cinfo->mem->alloc_sarray)
       ((j_common_ptr) cinfo, JPOOL_IMAGE,
        (JDIMENSION) biClrUsed, (JDIMENSION) 3);
+    source->cmap_length = (int)biClrUsed;
     /* and read it from the file */
     read_colormap(source, (int) biClrUsed, mapentrysize);
     /* account for size of colormap */
Index: libjpeg-turbo-1.5.3/rdppm.c
===================================================================
--- libjpeg-turbo-1.5.3.orig/rdppm.c	2017-12-14 05:39:01.000000000 +0100
+++ libjpeg-turbo-1.5.3/rdppm.c	2019-03-13 13:37:49.883319763 +0100
@@ -69,7 +69,7 @@ typedef struct {
   JSAMPROW pixrow;              /* compressor input buffer */
   size_t buffer_width;          /* width of I/O buffer */
   JSAMPLE *rescale;             /* => maxval-remapping array, or NULL */
-  int maxval;
+  unsigned int maxval;
 } ppm_source_struct;
 
 typedef ppm_source_struct *ppm_source_ptr;
Index: libjpeg-turbo-1.5.3/cderror.h
===================================================================
--- libjpeg-turbo-1.5.3.orig/cderror.h	2017-12-14 05:39:01.000000000 +0100
+++ libjpeg-turbo-1.5.3/cderror.h	2019-03-13 13:38:20.039463041 +0100
@@ -49,6 +49,7 @@ JMESSAGE(JERR_BMP_COLORSPACE, "BMP outpu
 JMESSAGE(JERR_BMP_COMPRESSED, "Sorry, compressed BMPs not yet supported")
 JMESSAGE(JERR_BMP_EMPTY, "Empty BMP image")
 JMESSAGE(JERR_BMP_NOT, "Not a BMP file - does not start with BM")
+JMESSAGE(JERR_BMP_TOOLARGE, "Integer value too large in BMP file")
 JMESSAGE(JTRC_BMP, "%ux%u 24-bit BMP image")
 JMESSAGE(JTRC_BMP_MAPPED, "%ux%u 8-bit colormapped BMP image")
 JMESSAGE(JTRC_BMP_OS2, "%ux%u 24-bit OS2 BMP image")