CVS commit: pkgsrc/graphics/jpeg

["S.P.Zeidler" <spz%netbsd.org@localhost>]

Module Name:    pkgsrc
Committed By:   spz
Date:           Sun Mar 10 11:22:43 UTC 2019

Modified Files:
        pkgsrc/graphics/jpeg: Makefile distinfo
Added Files:
        pkgsrc/graphics/jpeg/patches: patch-rdtarga.c

Log Message:
add patch for CVE-2018-11813 from mozjpeg, which has an easily found
development source tree.


To generate a diff of this commit:
cvs rdiff -u -r1.54 -r1.55 pkgsrc/graphics/jpeg/Makefile
cvs rdiff -u -r1.23 -r1.24 pkgsrc/graphics/jpeg/distinfo
cvs rdiff -u -r0 -r1.1 pkgsrc/graphics/jpeg/patches/patch-rdtarga.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: pkgsrc/graphics/jpeg/Makefile
diff -u pkgsrc/graphics/jpeg/Makefile:1.54 pkgsrc/graphics/jpeg/Makefile:1.55
--- pkgsrc/graphics/jpeg/Makefile:1.54  Sat Apr  7 06:27:13 2018
+++ pkgsrc/graphics/jpeg/Makefile       Sun Mar 10 11:22:43 2019
@@ -1,10 +1,11 @@
-# $NetBSD: Makefile,v 1.54 2018/04/07 06:27:13 wiz Exp $
+# $NetBSD: Makefile,v 1.55 2019/03/10 11:22:43 spz Exp $
 
 DISTNAME=      jpegsrc.v9c
 PKGNAME=       ${DISTNAME:S/src.v/-/}
 CATEGORIES=    graphics
 MASTER_SITES=  http://www.ijg.org/files/
 DIST_SUBDIR=   jpeg-9c-v2
+PKGREVISION=   1
 
 MAINTAINER=    pkgsrc-users%NetBSD.org@localhost
 HOMEPAGE=      http://www.ijg.org/

Index: pkgsrc/graphics/jpeg/distinfo
diff -u pkgsrc/graphics/jpeg/distinfo:1.23 pkgsrc/graphics/jpeg/distinfo:1.24
--- pkgsrc/graphics/jpeg/distinfo:1.23  Sat Apr  7 06:27:13 2018
+++ pkgsrc/graphics/jpeg/distinfo       Sun Mar 10 11:22:43 2019
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.23 2018/04/07 06:27:13 wiz Exp $
+$NetBSD: distinfo,v 1.24 2019/03/10 11:22:43 spz Exp $
 
 SHA1 (jpeg-9c-v2/jpegsrc.v9c.tar.gz) = 2ce111c8c0ac828a44b13ad28c265e954a342d07
 RMD160 (jpeg-9c-v2/jpegsrc.v9c.tar.gz) = c181cc66d03d96ffcca85724938551bb089fd519
@@ -8,3 +8,4 @@ SHA1 (patch-af) = 925604706574009aacd452
 SHA1 (patch-ag) = 46164c00386d1968356f1b61d144bc9168410654
 SHA1 (patch-jmorecfg.h) = c00f81ba94e2ad6b55ca9892553eedbe4eca3ad1
 SHA1 (patch-jpeglib.h) = 635453c5a2b1223ef5af729edcbfcfa3ed78a8b5
+SHA1 (patch-rdtarga.c) = eaec399d67ffb5d33b32131d01a052132bb5bae2

Added files:

Index: pkgsrc/graphics/jpeg/patches/patch-rdtarga.c
diff -u /dev/null pkgsrc/graphics/jpeg/patches/patch-rdtarga.c:1.1
--- /dev/null   Sun Mar 10 11:22:43 2019
+++ pkgsrc/graphics/jpeg/patches/patch-rdtarga.c        Sun Mar 10 11:22:43 2019
@@ -0,0 +1,37 @@
+$NetBSD: patch-rdtarga.c,v 1.1 2019/03/10 11:22:43 spz Exp $
+
+fix for CVE-2018-11813 from
+https://github.com/mozilla/mozjpeg/commit/909a8cfc7bca9b2e6707425bdb74da997e8fa499
+
+--- rdtarga.c.orig     2017-09-16 11:12:46.000000000 +0000
++++ rdtarga.c
+@@ -125,11 +125,10 @@ METHODDEF(void)
+ read_non_rle_pixel (tga_source_ptr sinfo)
+ /* Read one Targa pixel from the input file; no RLE expansion */
+ {
+-  register FILE *infile = sinfo->pub.input_file;
+   register int i;
+ 
+   for (i = 0; i < sinfo->pixel_size; i++) {
+-    sinfo->tga_pixel[i] = (U_CHAR) getc(infile);
++    sinfo->tga_pixel[i] = (U_CHAR) read_byte(sinfo);
+   }
+ }
+ 
+@@ -138,7 +137,6 @@ METHODDEF(void)
+ read_rle_pixel (tga_source_ptr sinfo)
+ /* Read one Targa pixel from the input file, expanding RLE data as needed */
+ {
+-  register FILE *infile = sinfo->pub.input_file;
+   register int i;
+ 
+   /* Duplicate previously read pixel? */
+@@ -160,7 +158,7 @@ read_rle_pixel (tga_source_ptr sinfo)
+ 
+   /* Read next pixel */
+   for (i = 0; i < sinfo->pixel_size; i++) {
+-    sinfo->tga_pixel[i] = (U_CHAR) getc(infile);
++    sinfo->tga_pixel[i] = (U_CHAR) read_byte(sinfo);
+   }
+ }
+