From 1e3413751e64bd39d7f3e99519dca06b07d463c2 Mon Sep 17 00:00:00 2001
From: Euan Harris
Date: Thu, 13 Sep 2018 13:40:04 +0100
Subject: main/libjpeg-turbo: Backport fix for CVE-2018-1152

Cherry-pick commit f1322ac from the 1.5.x branch

Signed-off-by: Euan Harris
(cherry picked from commit 8d429487fdfea72fe6b0e45659274a62fa8c89bd)
---
 ...dImage-Fix-FPE-triggered-by-malformed-BMP.patch | 49 ++++++++++++++++++++++
 main/libjpeg-turbo/APKBUILD | 14 +++++--
 2 files changed, 60 insertions(+), 3 deletions(-)
 create mode 100644 main/libjpeg-turbo/0001-tjLoadImage-Fix-FPE-triggered-by-malformed-BMP.patch

diff --git a/main/libjpeg-turbo/0001-tjLoadImage-Fix-FPE-triggered-by-malformed-BMP.patch b/main/libjpeg-turbo/0001-tjLoadImage-Fix-FPE-triggered-by-malformed-BMP.patch
new file mode 100644
index 0000000000..f700d67cb1
--- /dev/null
+++ b/main/libjpeg-turbo/0001-tjLoadImage-Fix-FPE-triggered-by-malformed-BMP.patch
@@ -0,0 +1,49 @@
+From f1322acf6cdc8c25db0075d7d32dc2f25ed9d477 Mon Sep 17 00:00:00 2001
+From: DRC
+Date: Tue, 12 Jun 2018 20:27:00 -0500
+Subject: [PATCH] rdbmp.c: Fix FPE triggered by malformed BMP
+
+In rdbmp.c, it is necessary to guard against 32-bit overflow/wraparound
+when allocating the row buffer, because since BMP files have 32-bit
+width and height fields, the value of biWidth can be up to 4294967295.
+Specifically, high values of biWidth could cause the samplesperrow
+argument in alloc_sarray() to wrap around to 0, triggering a division by
+zero error at line 460 in jmemmgr.c, or to wrap around to a small
+number, likely triggering a buffer overflow.
+
+This fix is not documented in the change log for this branch, because
+the bug was exposed using the tjLoadImage() function in the 2.0.x
+branch. However, it is posited that the issue could be triggered using
+TJBench in this branch.
+---
+ rdbmp.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/rdbmp.c b/rdbmp.c
+index eaa7086..6b73f7c 100644
+--- a/rdbmp.c
++++ b/rdbmp.c
+@@ -6,7 +6,7 @@
+ * Modified 2009-2010 by Guido Vollbeding.
+ * libjpeg-turbo Modifications:
+ * Modified 2011 by Siarhei Siamashka.
+- * Copyright (C) 2015, D. R. Commander.
++ * Copyright (C) 2015, 2018, D. R. Commander.
+ * For conditions of distribution and use, see the accompanying README.ijg
+ * file.
+ *
+@@ -434,6 +434,11 @@ start_input_bmp (j_compress_ptr cinfo, cjpeg_source_ptr sinfo)
+ progress->total_extra_passes++; /* count file input as separate pass */
+ }
+
++ /* Ensure that biWidth * 3 doesn't exceed the maximum value of the
++ JDIMENSION type. This is only a danger with BMP files, since their width
++ and height fields are 32-bit integers. */
++ if ((unsigned long long)biWidth * 3ULL > 0xFFFFFFFFULL)
++ ERREXIT(cinfo, JERR_WIDTH_OVERFLOW);
+ /* Allocate one-row buffer for returned data */
+ source->pub.buffer = (*cinfo->mem->alloc_sarray)
+ ((j_common_ptr) cinfo, JPOOL_IMAGE,
+--
+2.17.1
+
diff --git a/main/libjpeg-turbo/APKBUILD b/main/libjpeg-turbo/APKBUILD
index d39fb59f0c..cc4380274c 100644
--- a/main/libjpeg-turbo/APKBUILD
+++ b/main/libjpeg-turbo/APKBUILD
@@ -2,7 +2,7 @@
 # Maintainer: Natanael Copa
 pkgname=libjpeg-turbo
 pkgver=1.5.3
-pkgrel=0
+pkgrel=1
 pkgdesc="accelerated baseline JPEG compression and decompression library"
 url="http://libjpeg-turbo.virtualgl.org/"
 arch="all"
@@ -12,7 +12,14 @@ depends_dev=""
 makedepends="$depends_dev nasm"
 replaces="libjpeg"
 subpackages="$pkgname-doc $pkgname-dev $pkgname-utils"
-source="http://downloads.sourceforge.net/libjpeg-turbo/libjpeg-turbo-$pkgver.tar.gz"
+source="https://downloads.sourceforge.net/libjpeg-turbo/libjpeg-turbo-$pkgver.tar.gz
+ 0001-tjLoadImage-Fix-FPE-triggered-by-malformed-BMP.patch"
+
+# secfixes:
+# 1.5.3-r1:
+# - CVE-2018-1152
+# 1.5.3-r0:
+# - CVE-2017-15232
 
 builddir="$srcdir"/libjpeg-turbo-$pkgver
 
@@ -53,4 +60,5 @@ dev() {
 replaces="jpeg-dev"
 }
 
-sha512sums="b611b1cc3d1ddedddad871854b42449d053a5f910ed1bdfa45c98e0270f4ecc110fde3a10111d2b876d847a826fa634f09c0bb8c357056c9c3a91c9065eb5202 libjpeg-turbo-1.5.3.tar.gz"
+sha512sums="b611b1cc3d1ddedddad871854b42449d053a5f910ed1bdfa45c98e0270f4ecc110fde3a10111d2b876d847a826fa634f09c0bb8c357056c9c3a91c9065eb5202 libjpeg-turbo-1.5.3.tar.gz
+d6465d96427289d90c342e94316018565eb1711ea0028121ea0a962900b7c7599a7457e42201bcfd288da30019ae3b841ce319cfbe02705d49749d660ef04b74 0001-tjLoadImage-Fix-FPE-triggered-by-malformed-BMP.patch"
-- 
cgit v1.2.3
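Review bot: The overflow guard added in the `@@ -434,6 +434,11 @@` hunk of the backported rdbmp.c patch hard-codes a per-pixel factor of 3 (`if ((unsigned long long)biWidth * 3ULL > 0xFFFFFFFFULL)`), while the row-buffer allocation it protects is `(*cinfo->mem->alloc_sarray)((j_common_ptr) cinfo, JPOOL_IMAGE, …` whose width argument is cut off at the end of the hunk, so the hunk itself does not show that 3 is the largest bytes-per-pixel the reader can reach. If that argument scales by the source's bits-per-pixel value as the upstream commit message implies, expressing the bound with the same factor, e.g. `if ((unsigned long long)biWidth * source->bits_per_pixel / 8 > 0xFFFFFFFFULL)`, would keep the check and the allocation from drifting apart if a wider BMP depth is ever accepted on this branch; this is a robustness point rather than a defect for the depths 1.5.x appears to handle. As a style note, the new block is placed directly above the `/* Allocate one-row buffer for returned data */` comment with no blank line separating the two. The enclosing start_input_bmp body starts and ends outside the hunk.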
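Review bot: Nothing in the APKBUILD hunks shows how 0001-tjLoadImage-Fix-FPE-triggered-by-malformed-BMP.patch gets applied: the `@@ -12,7 +12,14 @@` hunk adds it to `source=` and the last hunk adds its sha512, but no `prepare()` appears in the diff, so whether the build relies on abuild's default patch application or on an existing `prepare()` cannot be verified from this change alone. If the APKBUILD defines its own `prepare()` without calling `default_prepare`, the fix would be fetched and checksummed but never reach the build; please confirm, or add `prepare() { default_prepare; }`. The same hunk also quietly switches the tarball URL from http to https, which is welcome but deserves a line in the commit message since it is unrelated to the CVE. The new secfixes entry for CVE-2018-1152 under 1.5.3-r1 is consistent with the pkgrel bump in the first hunk.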