From ac483bbac827694aef13a179c1bffcb2a3dc32b8 Mon Sep 17 00:00:00 2001 From: DRC Date: Tue, 12 Jun 2018 16:08:26 -0500 Subject: [PATCH] Fix CVE-2018-11813 Fixed an issue (CVE-2018-11813) whereby a specially-crafted malformed input file (specifically, a file with a valid Targa header but incomplete pixel data) would cause cjpeg to generate a JPEG file that was potentially thousands of times larger than the input file. The Targa reader in cjpeg was not properly detecting that the end of the input file had been reached prematurely, so after all valid pixels had been read from the input, the reader injected dummy pixels with values of 255 into the JPEG compressor until the number of pixels specified in the Targa header had been compressed. The Targa reader in cjpeg now behaves like the PPM reader and aborts compression if the end of the input file is reached prematurely. Because this issue only affected cjpeg and not the underlying library, and because it did not involve any out-of-bounds reads or other exploitable behaviors, it was not believed to represent a security threat. --- rdtarga.c | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/rdtarga.c b/rdtarga.c index b9bbd07..f874ece 100644 --- a/rdtarga.c +++ b/rdtarga.c @@ -125,11 +125,10 @@ METHODDEF(void) read_non_rle_pixel (tga_source_ptr sinfo) /* Read one Targa pixel from the input file; no RLE expansion */ { - register FILE *infile = sinfo->pub.input_file; register int i; for (i = 0; i < sinfo->pixel_size; i++) { - sinfo->tga_pixel[i] = (U_CHAR) getc(infile); + sinfo->tga_pixel[i] = (U_CHAR) read_byte(sinfo); } } @@ -138,7 +137,6 @@ METHODDEF(void) read_rle_pixel (tga_source_ptr sinfo) /* Read one Targa pixel from the input file, expanding RLE data as needed */ { - register FILE *infile = sinfo->pub.input_file; register int i; /* Duplicate previously read pixel? */ @@ -160,7 +158,7 @@ read_rle_pixel (tga_source_ptr sinfo) /* Read next pixel */ for (i = 0; i < sinfo->pixel_size; i++) { - sinfo->tga_pixel[i] = (U_CHAR) getc(infile); + sinfo->tga_pixel[i] = (U_CHAR) read_byte(sinfo); } } -- 2.17.1