Commit 9d26e332 authored by Leo's avatar Leo

main/openjpeg: fix CVE-2019-12973 and CVE-2020-15389

See: #11955
parent 6f980c12
# Maintainer: Francesco Colista <fcolista@alpinelinux.org>
pkgname=openjpeg
pkgver=2.3.1
pkgrel=4
pkgrel=5
pkgdesc="Open-source implementation of JPEG2000 image codec"
url="https://www.openjpeg.org/"
arch="all"
......@@ -13,11 +13,11 @@ source="$pkgname-$pkgver.tar.gz::https://github.com/uclouvain/openjpeg/archive/v
fix-cmakelists.patch
CVE-2020-6851.patch
CVE-2020-8112.patch
CVE-2019-12973.patch
CVE-2020-15389.patch
"
builddir="${srcdir}/$pkgname-$pkgver"
build() {
cd "$builddir"
cmake . \
-DCMAKE_INSTALL_PREFIX=/usr \
-DCMAKE_BUILD_TYPE=None \
......@@ -26,6 +26,9 @@ build() {
}
# secfixes:
# 2.3.1-r5:
# - CVE-2019-12973
# - CVE-2020-15389
# 2.3.1-r3:
# - CVE-2020-6851
# - CVE-2020-8112
......@@ -52,7 +55,6 @@ build() {
# - CVE-2016-9581
package() {
cd "$builddir"
make DESTDIR="$pkgdir" install
}
......@@ -65,4 +67,6 @@ tools() {
sha512sums="339fbc899bddf2393d214df71ed5d6070a3a76b933b1e75576c8a0ae9dfcc4adec40bdc544f599e4b8d0bc173e4e9e7352408497b5b3c9356985605830c26c03 openjpeg-2.3.1.tar.gz
b50cd382d08647db18f202769aae7df87613a18143a30e360e8f00aba1ec1b7fd0a153685dbea3950bc5623b06c314326777c4fb7aff56adfc6b17bc74c933e5 fix-cmakelists.patch
c8ffc926d91392b38250fd4e00fff5f93fbf5e17487d0e4a0184c9bd191aa2233c5c5dcf097dd62824714097bba2d8cc865bed31193d1a072aa954f216011297 CVE-2020-6851.patch
9659e04087e0d80bf53555e9807aae59205adef2d49d7a49e05bf250c484a2e92132d471ec6076e57ca69b5ce98fd81462a6a8c01205ca7096781eec06e401cc CVE-2020-8112.patch"
9659e04087e0d80bf53555e9807aae59205adef2d49d7a49e05bf250c484a2e92132d471ec6076e57ca69b5ce98fd81462a6a8c01205ca7096781eec06e401cc CVE-2020-8112.patch
472deba1d521553f9c7af805ba3d0c4fc31564fd36e37c598646f468b7d05bf5f81d2320fd6fadf8c0e3344ebce7bc0d04cece55a1b3cec2ef693a6e65bd2516 CVE-2019-12973.patch
f36ea384272b3918d194f7d64bcc321a66fa6ebb2d73ece3d69225f883ec8a2777284f633902cf954f9a847bd758da2c36c74d8ef28c4cd82a3bf076e326c611 CVE-2020-15389.patch"
From 21399f6b7d318fcdf4406d5e88723c4922202aa3 Mon Sep 17 00:00:00 2001
From: Young Xiao <YangX92@hotmail.com>
Date: Sat, 16 Mar 2019 19:57:27 +0800
Subject: [PATCH 1/2] convertbmp: detect invalid file dimensions early
width/length dimensions read from bmp headers are not necessarily
valid. For instance they may have been maliciously set to very large
values with the intention to cause DoS (large memory allocation, stack
overflow). In these cases we want to detect the invalid size as early
as possible.
This commit introduces a counter which verifies that the number of
written bytes corresponds to the advertized width/length.
See commit 8ee335227bbc for details.
Signed-off-by: Young Xiao <YangX92@hotmail.com>
---
src/bin/jp2/convertbmp.c | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/src/bin/jp2/convertbmp.c b/src/bin/jp2/convertbmp.c
index 0af52f816..ec34f535b 100644
--- a/src/bin/jp2/convertbmp.c
+++ b/src/bin/jp2/convertbmp.c
@@ -622,13 +622,13 @@ static OPJ_BOOL bmp_read_rle8_data(FILE* IN, OPJ_UINT8* pData,
static OPJ_BOOL bmp_read_rle4_data(FILE* IN, OPJ_UINT8* pData,
OPJ_UINT32 stride, OPJ_UINT32 width, OPJ_UINT32 height)
{
- OPJ_UINT32 x, y;
+ OPJ_UINT32 x, y, written;
OPJ_UINT8 *pix;
const OPJ_UINT8 *beyond;
beyond = pData + stride * height;
pix = pData;
- x = y = 0U;
+ x = y = written = 0U;
while (y < height) {
int c = getc(IN);
if (c == EOF) {
@@ -642,6 +642,7 @@ static OPJ_BOOL bmp_read_rle4_data(FILE* IN, OPJ_UINT8* pData,
for (j = 0; (j < c) && (x < width) &&
((OPJ_SIZE_T)pix < (OPJ_SIZE_T)beyond); j++, x++, pix++) {
*pix = (OPJ_UINT8)((j & 1) ? (c1 & 0x0fU) : ((c1 >> 4) & 0x0fU));
+ written++;
}
} else { /* absolute mode */
c = getc(IN);
@@ -671,6 +672,7 @@ static OPJ_BOOL bmp_read_rle4_data(FILE* IN, OPJ_UINT8* pData,
c1 = (OPJ_UINT8)getc(IN);
}
*pix = (OPJ_UINT8)((j & 1) ? (c1 & 0x0fU) : ((c1 >> 4) & 0x0fU));
+ written++;
}
if (((c & 3) == 1) || ((c & 3) == 2)) { /* skip padding byte */
getc(IN);
@@ -678,6 +680,10 @@ static OPJ_BOOL bmp_read_rle4_data(FILE* IN, OPJ_UINT8* pData,
}
}
} /* while(y < height) */
+ if (written != width * height) {
+ fprintf(stderr, "warning, image's actual size does not match advertized one\n");
+ return OPJ_FALSE;
+ }
return OPJ_TRUE;
}
From 3aef207f90e937d4931daf6d411e092f76d82e66 Mon Sep 17 00:00:00 2001
From: Young Xiao <YangX92@hotmail.com>
Date: Sat, 16 Mar 2019 20:09:59 +0800
Subject: [PATCH 2/2] bmp_read_rle4_data(): avoid potential infinite loop
---
src/bin/jp2/convertbmp.c | 32 ++++++++++++++++++++++++++------
1 file changed, 26 insertions(+), 6 deletions(-)
diff --git a/src/bin/jp2/convertbmp.c b/src/bin/jp2/convertbmp.c
index ec34f535b..2fc4e9bc4 100644
--- a/src/bin/jp2/convertbmp.c
+++ b/src/bin/jp2/convertbmp.c
@@ -632,12 +632,18 @@ static OPJ_BOOL bmp_read_rle4_data(FILE* IN, OPJ_UINT8* pData,
while (y < height) {
int c = getc(IN);
if (c == EOF) {
- break;
+ return OPJ_FALSE;
}
if (c) { /* encoded mode */
- int j;
- OPJ_UINT8 c1 = (OPJ_UINT8)getc(IN);
+ int j, c1_int;
+ OPJ_UINT8 c1;
+
+ c1_int = getc(IN);
+ if (c1_int == EOF) {
+ return OPJ_FALSE;
+ }
+ c1 = (OPJ_UINT8)c1_int;
for (j = 0; (j < c) && (x < width) &&
((OPJ_SIZE_T)pix < (OPJ_SIZE_T)beyond); j++, x++, pix++) {
@@ -647,7 +653,7 @@ static OPJ_BOOL bmp_read_rle4_data(FILE* IN, OPJ_UINT8* pData,
} else { /* absolute mode */
c = getc(IN);
if (c == EOF) {
- break;
+ return OPJ_FALSE;
}
if (c == 0x00) { /* EOL */
@@ -658,8 +664,14 @@ static OPJ_BOOL bmp_read_rle4_data(FILE* IN, OPJ_UINT8* pData,
break;
} else if (c == 0x02) { /* MOVE by dxdy */
c = getc(IN);
+ if (c == EOF) {
+ return OPJ_FALSE;
+ }
x += (OPJ_UINT32)c;
c = getc(IN);
+ if (c == EOF) {
+ return OPJ_FALSE;
+ }
y += (OPJ_UINT32)c;
pix = pData + y * stride + x;
} else { /* 03 .. 255 : absolute mode */
@@ -669,13 +681,21 @@ static OPJ_BOOL bmp_read_rle4_data(FILE* IN, OPJ_UINT8* pData,
for (j = 0; (j < c) && (x < width) &&
((OPJ_SIZE_T)pix < (OPJ_SIZE_T)beyond); j++, x++, pix++) {
if ((j & 1) == 0) {
- c1 = (OPJ_UINT8)getc(IN);
+ int c1_int;
+ c1_int = getc(IN);
+ if (c1_int == EOF) {
+ return OPJ_FALSE;
+ }
+ c1 = (OPJ_UINT8)c1_int;
}
*pix = (OPJ_UINT8)((j & 1) ? (c1 & 0x0fU) : ((c1 >> 4) & 0x0fU));
written++;
}
if (((c & 3) == 1) || ((c & 3) == 2)) { /* skip padding byte */
- getc(IN);
+ c = getc(IN);
+ if (c == EOF) {
+ return OPJ_FALSE;
+ }
}
}
}
From e8e258ab049240c2dd1f1051b4e773b21e2d3dc0 Mon Sep 17 00:00:00 2001
From: Even Rouault <even.rouault@spatialys.com>
Date: Sun, 28 Jun 2020 14:19:59 +0200
Subject: [PATCH] opj_decompress: fix double-free on input directory with mix
of valid and invalid images (CVE-2020-15389)
Fixes #1261
Credits to @Ruia-ruia for reporting and analysis.
---
src/bin/jp2/opj_decompress.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/src/bin/jp2/opj_decompress.c b/src/bin/jp2/opj_decompress.c
index 7eeb0952f..2634907f0 100644
--- a/src/bin/jp2/opj_decompress.c
+++ b/src/bin/jp2/opj_decompress.c
@@ -1316,10 +1316,6 @@ static opj_image_t* upsample_image_components(opj_image_t* original)
int main(int argc, char **argv)
{
opj_decompress_parameters parameters; /* decompression parameters */
- opj_image_t* image = NULL;
- opj_stream_t *l_stream = NULL; /* Stream */
- opj_codec_t* l_codec = NULL; /* Handle to a decompressor */
- opj_codestream_index_t* cstr_index = NULL;
OPJ_INT32 num_images, imageno;
img_fol_t img_fol;
@@ -1393,6 +1389,10 @@ int main(int argc, char **argv)
/*Decoding image one by one*/
for (imageno = 0; imageno < num_images ; imageno++) {
+ opj_image_t* image = NULL;
+ opj_stream_t *l_stream = NULL; /* Stream */
+ opj_codec_t* l_codec = NULL; /* Handle to a decompressor */
+ opj_codestream_index_t* cstr_index = NULL;
if (!parameters.quiet) {
fprintf(stderr, "\n");
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment