[pkgsrc/trunk]: pkgsrc/graphics/jpeg add patch for CVE-2018-11813 from mozjpe...

[spz <spz%pkgsrc.org@localhost>]

details:   https://anonhg.NetBSD.org/pkgsrc/rev/3f18a6b9fec5
branches:  trunk
changeset: 320766:3f18a6b9fec5
user:      spz <spz%pkgsrc.org@localhost>
date:      Sun Mar 10 11:22:43 2019 +0000

description:
add patch for CVE-2018-11813 from mozjpeg, which has an easily found
development source tree.

diffstat:

 graphics/jpeg/Makefile                |   3 +-
 graphics/jpeg/distinfo                |   3 +-
 graphics/jpeg/patches/patch-rdtarga.c |  37 +++++++++++++++++++++++++++++++++++
 3 files changed, 41 insertions(+), 2 deletions(-)

diffs (71 lines):

diff -r 04cb624b19e9 -r 3f18a6b9fec5 graphics/jpeg/Makefile
--- a/graphics/jpeg/Makefile    Sun Mar 10 10:51:30 2019 +0000
+++ b/graphics/jpeg/Makefile    Sun Mar 10 11:22:43 2019 +0000
@@ -1,10 +1,11 @@
-# $NetBSD: Makefile,v 1.54 2018/04/07 06:27:13 wiz Exp $
+# $NetBSD: Makefile,v 1.55 2019/03/10 11:22:43 spz Exp $
 
 DISTNAME=      jpegsrc.v9c
 PKGNAME=       ${DISTNAME:S/src.v/-/}
 CATEGORIES=    graphics
 MASTER_SITES=  http://www.ijg.org/files/
 DIST_SUBDIR=   jpeg-9c-v2
+PKGREVISION=   1
 
 MAINTAINER=    pkgsrc-users%NetBSD.org@localhost
 HOMEPAGE=      http://www.ijg.org/
diff -r 04cb624b19e9 -r 3f18a6b9fec5 graphics/jpeg/distinfo
--- a/graphics/jpeg/distinfo    Sun Mar 10 10:51:30 2019 +0000
+++ b/graphics/jpeg/distinfo    Sun Mar 10 11:22:43 2019 +0000
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.23 2018/04/07 06:27:13 wiz Exp $
+$NetBSD: distinfo,v 1.24 2019/03/10 11:22:43 spz Exp $
 
 SHA1 (jpeg-9c-v2/jpegsrc.v9c.tar.gz) = 2ce111c8c0ac828a44b13ad28c265e954a342d07
 RMD160 (jpeg-9c-v2/jpegsrc.v9c.tar.gz) = c181cc66d03d96ffcca85724938551bb089fd519
@@ -8,3 +8,4 @@
 SHA1 (patch-ag) = 46164c00386d1968356f1b61d144bc9168410654
 SHA1 (patch-jmorecfg.h) = c00f81ba94e2ad6b55ca9892553eedbe4eca3ad1
 SHA1 (patch-jpeglib.h) = 635453c5a2b1223ef5af729edcbfcfa3ed78a8b5
+SHA1 (patch-rdtarga.c) = eaec399d67ffb5d33b32131d01a052132bb5bae2
diff -r 04cb624b19e9 -r 3f18a6b9fec5 graphics/jpeg/patches/patch-rdtarga.c
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/graphics/jpeg/patches/patch-rdtarga.c     Sun Mar 10 11:22:43 2019 +0000
@@ -0,0 +1,37 @@
+$NetBSD: patch-rdtarga.c,v 1.1 2019/03/10 11:22:43 spz Exp $
+
+fix for CVE-2018-11813 from
+https://github.com/mozilla/mozjpeg/commit/909a8cfc7bca9b2e6707425bdb74da997e8fa499
+
+--- rdtarga.c.orig     2017-09-16 11:12:46.000000000 +0000
++++ rdtarga.c
+@@ -125,11 +125,10 @@ METHODDEF(void)
+ read_non_rle_pixel (tga_source_ptr sinfo)
+ /* Read one Targa pixel from the input file; no RLE expansion */
+ {
+-  register FILE *infile = sinfo->pub.input_file;
+   register int i;
+ 
+   for (i = 0; i < sinfo->pixel_size; i++) {
+-    sinfo->tga_pixel[i] = (U_CHAR) getc(infile);
++    sinfo->tga_pixel[i] = (U_CHAR) read_byte(sinfo);
+   }
+ }
+ 
+@@ -138,7 +137,6 @@ METHODDEF(void)
+ read_rle_pixel (tga_source_ptr sinfo)
+ /* Read one Targa pixel from the input file, expanding RLE data as needed */
+ {
+-  register FILE *infile = sinfo->pub.input_file;
+   register int i;
+ 
+   /* Duplicate previously read pixel? */
+@@ -160,7 +158,7 @@ read_rle_pixel (tga_source_ptr sinfo)
+ 
+   /* Read next pixel */
+   for (i = 0; i < sinfo->pixel_size; i++) {
+-    sinfo->tga_pixel[i] = (U_CHAR) getc(infile);
++    sinfo->tga_pixel[i] = (U_CHAR) read_byte(sinfo);
+   }
+ }
+