From 61e65acf07fd26940430c2b33381d6c36456790e Mon Sep 17 00:00:00 2001
From: Natanael Copa
Date: Tue, 25 Sep 2018 10:59:50 +0000
Subject: main/libjpeg-turbo: backport security fix (CVE-2018-11813)
fixes #9428
---
 main/libjpeg-turbo/APKBUILD | 11 +++--
 main/libjpeg-turbo/CVE-2018-11813.patch | 72 +++++++++++++++++++++++++++++++++
 2 files changed, 80 insertions(+), 3 deletions(-)
 create mode 100644 main/libjpeg-turbo/CVE-2018-11813.patch
diff --git a/main/libjpeg-turbo/APKBUILD b/main/libjpeg-turbo/APKBUILD
index 8b9267229e..8a1aeb1b4c 100644
--- a/main/libjpeg-turbo/APKBUILD
+++ b/main/libjpeg-turbo/APKBUILD
@@ -2,7 +2,7 @@
 # Maintainer: Natanael Copa
 pkgname=libjpeg-turbo
 pkgver=1.5.3
-pkgrel=2
+pkgrel=3
 pkgdesc="accelerated baseline JPEG compression and decompression library"
 url="https://libjpeg-turbo.org/"
 arch="all"
@@ -12,9 +12,13 @@ makedepends="nasm"
 replaces="libjpeg"
 subpackages="$pkgname-doc $pkgname-dev $pkgname-utils"
 source="https://downloads.sourceforge.net/libjpeg-turbo/libjpeg-turbo-$pkgver.tar.gz
- 0001-tjLoadImage-Fix-FPE-triggered-by-malformed-BMP.patch"
+ 0001-tjLoadImage-Fix-FPE-triggered-by-malformed-BMP.patch
+ CVE-2018-11813.patch
+ "
 # secfixes:
+ 1.5.3-r3:
+ - CVE-2018-11813
 # 1.5.3-r2:
 # - CVE-2018-1152
@@ -63,4 +67,5 @@ dev() {
 }
 sha512sums="b611b1cc3d1ddedddad871854b42449d053a5f910ed1bdfa45c98e0270f4ecc110fde3a10111d2b876d847a826fa634f09c0bb8c357056c9c3a91c9065eb5202 libjpeg-turbo-1.5.3.tar.gz
-d6465d96427289d90c342e94316018565eb1711ea0028121ea0a962900b7c7599a7457e42201bcfd288da30019ae3b841ce319cfbe02705d49749d660ef04b74 0001-tjLoadImage-Fix-FPE-triggered-by-malformed-BMP.patch"
+d6465d96427289d90c342e94316018565eb1711ea0028121ea0a962900b7c7599a7457e42201bcfd288da30019ae3b841ce319cfbe02705d49749d660ef04b74 0001-tjLoadImage-Fix-FPE-triggered-by-malformed-BMP.patch
+d32234df784ebe1cad6af114f74d14995637e494a502c171e154e1abc5aa335930d3a256fda234a85842d5c1658d2fac6474e0bc959fdf04413f69a35e3bf39a CVE-2018-11813.patch"
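Review bot: The two added secfixes lines in the second APKBUILD hunk appear here as `+ 1.5.3-r3:` and `+ - CVE-2018-11813`, without the leading `#` that the neighbouring `# secfixes:` and `# 1.5.3-r2:` lines carry. If that is the committed content rather than an artifact of how this page was captured, the APKBUILD is no longer valid shell (`1.5.3-r3:` would be run as a command when the file is sourced) and the new entry falls outside the secfixes comment block, so the CVE would not be recorded as fixed in 1.5.3-r3. The intended lines are presumably `# 1.5.3-r3:` and `# - CVE-2018-11813`, formatted exactly like the existing r2 entry; worth confirming against the raw commit.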
diff --git a/main/libjpeg-turbo/CVE-2018-11813.patch b/main/libjpeg-turbo/CVE-2018-11813.patch
new file mode 100644
index 0000000000..194a4f8e13
--- /dev/null
+++ b/main/libjpeg-turbo/CVE-2018-11813.patch
@@ -0,0 +1,72 @@
+From 19074854d9d8bc32dff3ed252eed17ed6cc2ecfc Mon Sep 17 00:00:00 2001
+From: DRC
+Date: Tue, 12 Jun 2018 16:08:26 -0500
+Subject: [PATCH] Fix CVE-2018-11813
+
+Refer to change log for details.
+
+Fixes #242
+---
+ ChangeLog.md | 14 ++++++++++++++
+ rdtarga.c | 6 ++----
+ 2 files changed, 16 insertions(+), 4 deletions(-)
+
+diff --git a/ChangeLog.md b/ChangeLog.md
+index bf63eb2dc..3aa41d173 100644
+--- a/ChangeLog.md
++++ b/ChangeLog.md
+@@ -24,6 +24,20 @@ an image was passed to `tjDecompressHeader3()`, `tjTransform()`,
+ `tjDecompressToYUVPlanes()`, `tjDecompressToYUV2()`, or the equivalent Java
+ methods.
+
++5. Fixed an issue (CVE-2018-11813) whereby a specially-crafted malformed input
++file (specifically, a file with a valid Targa header but incomplete pixel data)
++would cause cjpeg to generate a JPEG file that was potentially thousands of
++times larger than the input file. The Targa reader in cjpeg was not properly
++detecting that the end of the input file had been reached prematurely, so after
++all valid pixels had been read from the input, the reader injected dummy pixels
++with values of 255 into the JPEG compressor until the number of pixels
++specified in the Targa header had been compressed. The Targa reader in cjpeg
++now behaves like the PPM reader and aborts compression if the end of the input
++file is reached prematurely. Because this issue only affected cjpeg and not
++the underlying library, and because it did not involve any out-of-bounds reads
++or other exploitable behaviors, it was not believed to represent a security
++threat.
++
+
+ 1.5.3
+ =====
+diff --git a/rdtarga.c b/rdtarga.c
+index b9bbd07cb..f874ece67 100644
+--- a/rdtarga.c
++++ b/rdtarga.c
+@@ -125,11 +125,10 @@ METHODDEF(void)
+ read_non_rle_pixel (tga_source_ptr sinfo)
+ /* Read one Targa pixel from the input file; no RLE expansion */
+ {
+- register FILE *infile = sinfo->pub.input_file;
+ register int i;
+
+ for (i = 0; i < sinfo->pixel_size; i++) {
+- sinfo->tga_pixel[i] = (U_CHAR) getc(infile);
++ sinfo->tga_pixel[i] = (U_CHAR) read_byte(sinfo);
+ }
+ }
+
+@@ -138,7 +137,6 @@ METHODDEF(void)
+ read_rle_pixel (tga_source_ptr sinfo)
+ /* Read one Targa pixel from the input file, expanding RLE data as needed */
+ {
+- register FILE *infile = sinfo->pub.input_file;
+ register int i;
+
+ /* Duplicate previously read pixel? */
+@@ -160,7 +158,7 @@ read_rle_pixel (tga_source_ptr sinfo)
+
+ /* Read next pixel */
+ for (i = 0; i < sinfo->pixel_size; i++) {
+- sinfo->tga_pixel[i] = (U_CHAR) getc(infile);
++ sinfo->tga_pixel[i] = (U_CHAR) read_byte(sinfo);
+ }
+ }
+
-- cgit v1.2.3
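Review bot: The bundled patch swaps `getc(infile)` for `read_byte(sinfo)` in both `read_non_rle_pixel` and `read_rle_pixel`, but `read_byte()` itself lies outside the hunk, and the fix only works if the 1.5.3 copy of that helper aborts on a premature end of file, as the change-log entry claims. If the 1.5.3 `read_byte()` merely passed through `getc()`'s `EOF`, the `(U_CHAR)` cast would still turn it into 255 and the dummy-pixel behaviour described in the change log would persist, so the helper's EOF handling in the unpacked 1.5.3 `rdtarga.c` should be checked before relying on this backport. Separately, the patch carries upstream's `ChangeLog.md` hunk, whose context (the `tjDecompressHeader3()` item sitting above the `1.5.3` heading) belongs to a post-1.5.3 section; if the 1.5.3 tarball's ChangeLog.md lacks that context the hunk is rejected and the build fails, so either confirm the package was built after this change or trim the file to the `rdtarga.c` hunk.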