From ac483bbac827694aef13a179c1bffcb2a3dc32b8 Mon Sep 17 00:00:00 2001
From: DRC <information@libjpeg-turbo.org>
Date: Tue, 12 Jun 2018 16:08:26 -0500
Subject: [PATCH] Fix CVE-2018-11813
Fixed an issue (CVE-2018-11813) whereby a specially-crafted malformed input
file (specifically, a file with a valid Targa header but incomplete pixel data)
would cause cjpeg to generate a JPEG file that was potentially thousands of
times larger than the input file. The Targa reader in cjpeg was not properly
detecting that the end of the input file had been reached prematurely, so after
all valid pixels had been read from the input, the reader injected dummy pixels
with values of 255 into the JPEG compressor until the number of pixels
specified in the Targa header had been compressed. The Targa reader in cjpeg
now behaves like the PPM reader and aborts compression if the end of the input
file is reached prematurely. Because this issue only affected cjpeg and not
the underlying library, and because it did not involve any out-of-bounds reads
or other exploitable behaviors, it was not believed to represent a security
threat.
---
rdtarga.c | 6 ++----
1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/rdtarga.c b/rdtarga.c
index b9bbd07..f874ece 100644
--- a/rdtarga.c
+++ b/rdtarga.c
@@ -125,11 +125,10 @@ METHODDEF(void)
read_non_rle_pixel (tga_source_ptr sinfo)
/* Read one Targa pixel from the input file; no RLE expansion */
{
- register FILE *infile = sinfo->pub.input_file;
register int i;
for (i = 0; i < sinfo->pixel_size; i++) {
- sinfo->tga_pixel[i] = (U_CHAR) getc(infile);
+ sinfo->tga_pixel[i] = (U_CHAR) read_byte(sinfo);
}
}
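Review bot: The header comment on read_non_rle_pixel (and the matching one on read_rle_pixel in the third hunk) still says only "Read one Targa pixel from the input file", although the loop now reads through `read_byte(sinfo)` instead of a bare `getc()`. read_byte is defined outside these hunks, but going by the commit message it aborts compression on premature EOF, so the functions now have an error-exit path that the comments do not mention. I would record that contract, e.g. `/* Read one Targa pixel; read_byte() aborts on premature EOF instead of yielding filler bytes */`. The diffstat shows only rdtarga.c changing, so a regression test that feeds cjpeg a Targa file with a valid header and truncated pixel data would help keep the output-amplification case from returning.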
@@ -138,7 +137,6 @@ METHODDEF(void)
read_rle_pixel (tga_source_ptr sinfo)
/* Read one Targa pixel from the input file, expanding RLE data as needed */
{
- register FILE *infile = sinfo->pub.input_file;
register int i;
/* Duplicate previously read pixel? */
@@ -160,7 +158,7 @@ read_rle_pixel (tga_source_ptr sinfo)
/* Read next pixel */
for (i = 0; i < sinfo->pixel_size; i++) {
- sinfo->tga_pixel[i] = (U_CHAR) getc(infile);
+ sinfo->tga_pixel[i] = (U_CHAR) read_byte(sinfo);
}
}
--
2.17.1