Commit 27c4e5a6 authored by Francesco Colista's avatar Francesco Colista

main/openjpeg: security fixes

- CVE-2018-14423
- CVE-2018-6616

this commit fixes #9799
parent 13da5daf
......@@ -2,7 +2,7 @@
# Maintainer: Francesco Colista <fcolista@alpinelinux.org>
pkgname=openjpeg
pkgver=2.3.0
pkgrel=0
pkgrel=1
pkgdesc="Open-source implementation of JPEG2000 image codec"
url="http://www.openjpeg.org/"
arch="all"
......@@ -12,6 +12,8 @@ subpackages="$pkgname-dev $pkgname-tools"
source="$pkgname-$pkgver.tar.gz::https://github.com/uclouvain/openjpeg/archive/v$pkgver.tar.gz
CVE-2017-17480.patch
CVE-2018-18088.patch
CVE-2018-14423.patch
CVE-2018-6616.patch
"
builddir="${srcdir}/$pkgname-$pkgver"
......@@ -27,6 +29,8 @@ build() {
# secfixes:
# 2.3.0-r1:
# - CVE-2018-14423
# - CVE-2018-6616
# - CVE-2017-17480
# - CVE-2018-18088
# 2.3.0-r0:
......@@ -56,4 +60,6 @@ tools() {
sha512sums="0a9d427be4a820b1d759fca4b50e293721b45fe4885aa61ca1ae09e099f75ed93520448090c780d62f51076d575cc03618cd6d5181bdb6b34e4fc07b4cfdd568 openjpeg-2.3.0.tar.gz
15f4292ab6e19ecad1d47772ea28154bc7bbf9b9ba68467c5750e0c823efe3657e5973c08b81456f649fb789b6772ddaf5122f23a530ae0f6a9e5adb61c51c74 CVE-2017-17480.patch
24b646f2b24cfbe9babe8b5c622069178998f35d0b82f5034ff12f8df5f3ffd35f4f8bcc195dfec1072d8f8847d200c3d28f689ec16f29ab9ce895dbabd044bb CVE-2018-18088.patch"
24b646f2b24cfbe9babe8b5c622069178998f35d0b82f5034ff12f8df5f3ffd35f4f8bcc195dfec1072d8f8847d200c3d28f689ec16f29ab9ce895dbabd044bb CVE-2018-18088.patch
4292a05e63ec1ba1ec30e02cd981e9aab617e42831a799bc777b03174bcbc4c49d8b45534668a5237f06c0361865b0ff9bd71f40e2fcab370af6cf9c256c8537 CVE-2018-14423.patch
9c5eccb7b00e8ed6e473db61aaaf9d37462b9a5c5efabb2af3e0d701922c54827aee55253404c149605fa9103adf6f4375a684c89f17a7fe7bdf85988b5db222 CVE-2018-6616.patch"
From bd88611ed9ad7144ec4f3de54790cd848175891b Mon Sep 17 00:00:00 2001
From: Young_X <YangX92@hotmail.com>
Date: Fri, 23 Nov 2018 17:15:05 +0800
Subject: [PATCH] [JP3D] To avoid divisions by zero / undefined behaviour on
shift (CVE-2018-14423
Signed-off-by: Young_X <YangX92@hotmail.com>
---
src/lib/openjp3d/pi.c | 24 ++++++++++++++++++++++++
1 file changed, 24 insertions(+)
diff --git a/src/lib/openjp3d/pi.c b/src/lib/openjp3d/pi.c
index a03be45e7..a58ebcc7c 100644
--- a/src/lib/openjp3d/pi.c
+++ b/src/lib/openjp3d/pi.c
@@ -223,6 +223,14 @@ static bool pi_next_rpcl(opj_pi_iterator_t * pi)
rpx = res->pdx + levelnox;
rpy = res->pdy + levelnoy;
rpz = res->pdz + levelnoz;
+
+ /* To avoid divisions by zero / undefined behaviour on shift */
+ if (rpx >= 31 || ((comp->dx << rpx) >> rpx) != comp->dx ||
+ rpy >= 31 || ((comp->dy << rpy) >> rpy) != comp->dy ||
+ rpz >= 31 || ((comp->dz << rpz) >> rpz) != comp->dz) {
+ continue;
+ }
+
if ((!(pi->x % (comp->dx << rpx) == 0) || (pi->x == pi->tx0 &&
(trx0 << levelnox) % (1 << rpx)))) {
continue;
@@ -329,6 +337,14 @@ static bool pi_next_pcrl(opj_pi_iterator_t * pi)
rpx = res->pdx + levelnox;
rpy = res->pdy + levelnoy;
rpz = res->pdz + levelnoz;
+
+ /* To avoid divisions by zero / undefined behaviour on shift */
+ if (rpx >= 31 || ((comp->dx << rpx) >> rpx) != comp->dx ||
+ rpy >= 31 || ((comp->dy << rpy) >> rpy) != comp->dy ||
+ rpz >= 31 || ((comp->dz << rpz) >> rpz) != comp->dz) {
+ continue;
+ }
+
if ((!(pi->x % (comp->dx << rpx) == 0) || (pi->x == pi->tx0 &&
(trx0 << levelnox) % (1 << rpx)))) {
continue;
@@ -432,6 +448,14 @@ static bool pi_next_cprl(opj_pi_iterator_t * pi)
rpx = res->pdx + levelnox;
rpy = res->pdy + levelnoy;
rpz = res->pdz + levelnoz;
+
+ /* To avoid divisions by zero / undefined behaviour on shift */
+ if (rpx >= 31 || ((comp->dx << rpx) >> rpx) != comp->dx ||
+ rpy >= 31 || ((comp->dy << rpy) >> rpy) != comp->dy ||
+ rpz >= 31 || ((comp->dz << rpz) >> rpz) != comp->dz) {
+ continue;
+ }
+
if ((!(pi->x % (comp->dx << rpx) == 0) || (pi->x == pi->tx0 &&
(trx0 << levelnox) % (1 << rpx)))) {
continue;
From 8ee335227bbcaf1614124046aa25e53d67b11ec3 Mon Sep 17 00:00:00 2001
From: Hugo Lefeuvre <hle@debian.org>
Date: Fri, 14 Dec 2018 04:58:40 +0100
Subject: [PATCH] convertbmp: detect invalid file dimensions early
width/length dimensions read from bmp headers are not necessarily
valid. For instance they may have been maliciously set to very large
values with the intention to cause DoS (large memory allocation, stack
overflow). In these cases we want to detect the invalid size as early
as possible.
This commit introduces a counter which verifies that the number of
written bytes corresponds to the advertized width/length.
Fixes #1059 (CVE-2018-6616).
---
src/bin/jp2/convertbmp.c | 12 ++++++++++--
1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/src/bin/jp2/convertbmp.c b/src/bin/jp2/convertbmp.c
index 85a47feaf..0af52f816 100644
--- a/src/bin/jp2/convertbmp.c
+++ b/src/bin/jp2/convertbmp.c
@@ -534,14 +534,14 @@ static OPJ_BOOL bmp_read_raw_data(FILE* IN, OPJ_UINT8* pData, OPJ_UINT32 stride,
static OPJ_BOOL bmp_read_rle8_data(FILE* IN, OPJ_UINT8* pData,
OPJ_UINT32 stride, OPJ_UINT32 width, OPJ_UINT32 height)
{
- OPJ_UINT32 x, y;
+ OPJ_UINT32 x, y, written;
OPJ_UINT8 *pix;
const OPJ_UINT8 *beyond;
beyond = pData + stride * height;
pix = pData;
- x = y = 0U;
+ x = y = written = 0U;
while (y < height) {
int c = getc(IN);
if (c == EOF) {
@@ -561,6 +561,7 @@ static OPJ_BOOL bmp_read_rle8_data(FILE* IN, OPJ_UINT8* pData,
for (j = 0; (j < c) && (x < width) &&
((OPJ_SIZE_T)pix < (OPJ_SIZE_T)beyond); j++, x++, pix++) {
*pix = c1;
+ written++;
}
} else {
c = getc(IN);
@@ -598,6 +599,7 @@ static OPJ_BOOL bmp_read_rle8_data(FILE* IN, OPJ_UINT8* pData,
}
c1 = (OPJ_UINT8)c1_int;
*pix = c1;
+ written++;
}
if ((OPJ_UINT32)c & 1U) { /* skip padding byte */
c = getc(IN);
@@ -608,6 +610,12 @@ static OPJ_BOOL bmp_read_rle8_data(FILE* IN, OPJ_UINT8* pData,
}
}
}/* while() */
+
+ if (written != width * height) {
+ fprintf(stderr, "warning, image's actual size does not match advertized one\n");
+ return OPJ_FALSE;
+ }
+
return OPJ_TRUE;
}
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment