From ac483bbac827694aef13a179c1bffcb2a3dc32b8 Mon Sep 17 00:00:00 2001
From: DRC <information@libjpeg-turbo.org>
Date: Tue, 12 Jun 2018 16:08:26 -0500
Subject: [PATCH] Fix CVE-2018-11813
Fixed an issue (CVE-2018-11813) whereby a specially-crafted malformed input
file (specifically, a file with a valid Targa header but incomplete pixel data)
would cause cjpeg to generate a JPEG file that was potentially thousands of
times larger than the input file.  The Targa reader in cjpeg was not properly
detecting that the end of the input file had been reached prematurely, so after
all valid pixels had been read from the input, the reader injected dummy pixels
with values of 255 into the JPEG compressor until the number of pixels
specified in the Targa header had been compressed.  The Targa reader in cjpeg
now behaves like the PPM reader and aborts compression if the end of the input
file is reached prematurely.  Because this issue only affected cjpeg and not
the underlying library, and because it did not involve any out-of-bounds reads
or other exploitable behaviors, it was not believed to represent a security
threat.
---
 rdtarga.c | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/rdtarga.c b/rdtarga.c
e8d57f
index b9bbd07..f874ece 100644
e8d57f
--- a/rdtarga.c
e8d57f
+++ b/rdtarga.c
e8d57f
@@ -125,11 +125,10 @@ METHODDEF(void)
e8d57f
 read_non_rle_pixel (tga_source_ptr sinfo)
e8d57f
 /* Read one Targa pixel from the input file; no RLE expansion */
e8d57f
 {
e8d57f
-  register FILE *infile = sinfo->pub.input_file;
e8d57f
   register int i;
e8d57f
 
e8d57f
   for (i = 0; i < sinfo->pixel_size; i++) {
e8d57f
-    sinfo->tga_pixel[i] = (U_CHAR) getc(infile);
e8d57f
+    sinfo->tga_pixel[i] = (U_CHAR) read_byte(sinfo);
e8d57f
   }
e8d57f
 }
e8d57f
 
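Review bot: The `(U_CHAR)` cast on the added line inside the `for` loop would still turn an `EOF` return value into 255, which is exactly the dummy-pixel value the commit message describes, so the fix holds only if `read_byte()` raises the premature-EOF error itself and never returns `EOF` to its caller. Its definition is outside this patch; the commit message implies it aborts compression, but that is worth confirming against the file. The one-line comment under the signature should record the new behaviour, for example `/* Read one Targa pixel from the input file; no RLE expansion. Exits through read_byte()'s error path if the file ends early. */`. The same point applies to the identical replacement in the `read_rle_pixel` hunk at `@@ -160,7 +158,7 @@`, whose body starts outside that hunk. Since the impact described is output amplification from a truncated file, a truncated-Targa regression case for cjpeg would help keep the premature-EOF abort in place through later reader changes.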
e8d57f
@@ -138,7 +137,6 @@ METHODDEF(void)
e8d57f
 read_rle_pixel (tga_source_ptr sinfo)
e8d57f
 /* Read one Targa pixel from the input file, expanding RLE data as needed */
e8d57f
 {
e8d57f
-  register FILE *infile = sinfo->pub.input_file;
e8d57f
   register int i;
e8d57f
 
e8d57f
   /* Duplicate previously read pixel? */
e8d57f
@@ -160,7 +158,7 @@ read_rle_pixel (tga_source_ptr sinfo)
e8d57f
 
e8d57f
   /* Read next pixel */
e8d57f
   for (i = 0; i < sinfo->pixel_size; i++) {
e8d57f
-    sinfo->tga_pixel[i] = (U_CHAR) getc(infile);
e8d57f
+    sinfo->tga_pixel[i] = (U_CHAR) read_byte(sinfo);
e8d57f
   }
e8d57f
 }
e8d57f
 
-- 
2.17.1