Commit b890b9dc authored by Francesco Colista's avatar Francesco Colista
Browse files

main/openjpeg: security fix for CVE-2018-21010. Ref. #11087

parent ba5bb4ce
......@@ -2,7 +2,7 @@
# Maintainer: Francesco Colista <fcolista@alpinelinux.org>
pkgname=openjpeg
pkgver=2.3.0
pkgrel=2
pkgrel=3
pkgdesc="Open-source implementation of JPEG2000 image codec"
url="http://www.openjpeg.org/"
arch="all"
......@@ -16,6 +16,7 @@ source="$pkgname-$pkgver.tar.gz::https://github.com/uclouvain/openjpeg/archive/v
CVE-2018-14423.patch
CVE-2018-6616.patch
CVE-2018-5785.patch
CVE-2018-21010.patch
"
builddir="${srcdir}/$pkgname-$pkgver"
......@@ -30,6 +31,8 @@ build() {
}
# secfixes:
# 2.3.0-r3:
# - CVE-2018-21010
# 2.3.0-r2:
# - CVE-2018-5785
# 2.3.0-r1:
......@@ -67,4 +70,5 @@ sha512sums="0a9d427be4a820b1d759fca4b50e293721b45fe4885aa61ca1ae09e099f75ed93520
24b646f2b24cfbe9babe8b5c622069178998f35d0b82f5034ff12f8df5f3ffd35f4f8bcc195dfec1072d8f8847d200c3d28f689ec16f29ab9ce895dbabd044bb CVE-2018-18088.patch
4292a05e63ec1ba1ec30e02cd981e9aab617e42831a799bc777b03174bcbc4c49d8b45534668a5237f06c0361865b0ff9bd71f40e2fcab370af6cf9c256c8537 CVE-2018-14423.patch
9c5eccb7b00e8ed6e473db61aaaf9d37462b9a5c5efabb2af3e0d701922c54827aee55253404c149605fa9103adf6f4375a684c89f17a7fe7bdf85988b5db222 CVE-2018-6616.patch
ec48472de6c6d34abff949bbae1ae1e92e0b59939c13345a3a69c8219fdf91ea2c07dda59fe212a88212b3116cae1fb8c47aa5d12b84af669a28aa52864f55de CVE-2018-5785.patch"
ec48472de6c6d34abff949bbae1ae1e92e0b59939c13345a3a69c8219fdf91ea2c07dda59fe212a88212b3116cae1fb8c47aa5d12b84af669a28aa52864f55de CVE-2018-5785.patch
544828e20f50dc7e4a3367de646dc69f70fff48d66a6bbc1b27c317778e7739e276891e84a76435144e697605796c77a47b0a3424e0fa3eeb2e647480c1c034a CVE-2018-21010.patch"
From 2e5ab1d9987831c981ff05862e8ccf1381ed58ea Mon Sep 17 00:00:00 2001
From: Even Rouault <even.rouault@spatialys.com>
Date: Tue, 27 Nov 2018 23:31:30 +0100
Subject: [PATCH] color_apply_icc_profile: avoid potential heap buffer overflow
Derived from a patch by Thuan Pham
---
src/bin/common/color.c | 154 ++++++++++++++++++++++-------------------
1 file changed, 82 insertions(+), 72 deletions(-)
diff --git a/src/bin/common/color.c b/src/bin/common/color.c
index a97d49f12..d3a2f38d7 100644
--- a/src/bin/common/color.c
+++ b/src/bin/common/color.c
@@ -597,82 +597,92 @@ void color_apply_icc_profile(opj_image_t *image)
}
if (image->numcomps > 2) { /* RGB, RGBA */
- if (prec <= 8) {
- unsigned char *inbuf, *outbuf, *in, *out;
-
- max = max_w * max_h;
- nr_samples = (size_t)(max * 3U * sizeof(unsigned char));
- in = inbuf = (unsigned char*)opj_image_data_alloc(nr_samples);
- out = outbuf = (unsigned char*)opj_image_data_alloc(nr_samples);
-
- if (inbuf == NULL || outbuf == NULL) {
- goto fails0;
- }
-
- r = image->comps[0].data;
- g = image->comps[1].data;
- b = image->comps[2].data;
-
- for (i = 0U; i < max; ++i) {
- *in++ = (unsigned char) * r++;
- *in++ = (unsigned char) * g++;
- *in++ = (unsigned char) * b++;
- }
-
- cmsDoTransform(transform, inbuf, outbuf, (cmsUInt32Number)max);
-
- r = image->comps[0].data;
- g = image->comps[1].data;
- b = image->comps[2].data;
-
- for (i = 0U; i < max; ++i) {
- *r++ = (int) * out++;
- *g++ = (int) * out++;
- *b++ = (int) * out++;
- }
- ok = 1;
+ if ((image->comps[0].w == image->comps[1].w &&
+ image->comps[0].w == image->comps[2].w) &&
+ (image->comps[0].h == image->comps[1].h &&
+ image->comps[0].h == image->comps[2].h)) {
+ if (prec <= 8) {
+ unsigned char *inbuf, *outbuf, *in, *out;
+
+ max = max_w * max_h;
+ nr_samples = (size_t)(max * 3U * sizeof(unsigned char));
+ in = inbuf = (unsigned char*)opj_image_data_alloc(nr_samples);
+ out = outbuf = (unsigned char*)opj_image_data_alloc(nr_samples);
+
+ if (inbuf == NULL || outbuf == NULL) {
+ goto fails0;
+ }
+
+ r = image->comps[0].data;
+ g = image->comps[1].data;
+ b = image->comps[2].data;
+
+ for (i = 0U; i < max; ++i) {
+ *in++ = (unsigned char) * r++;
+ *in++ = (unsigned char) * g++;
+ *in++ = (unsigned char) * b++;
+ }
+
+ cmsDoTransform(transform, inbuf, outbuf, (cmsUInt32Number)max);
+
+ r = image->comps[0].data;
+ g = image->comps[1].data;
+ b = image->comps[2].data;
+
+ for (i = 0U; i < max; ++i) {
+ *r++ = (int) * out++;
+ *g++ = (int) * out++;
+ *b++ = (int) * out++;
+ }
+ ok = 1;
fails0:
- opj_image_data_free(inbuf);
- opj_image_data_free(outbuf);
- } else { /* prec > 8 */
- unsigned short *inbuf, *outbuf, *in, *out;
-
- max = max_w * max_h;
- nr_samples = (size_t)(max * 3U * sizeof(unsigned short));
- in = inbuf = (unsigned short*)opj_image_data_alloc(nr_samples);
- out = outbuf = (unsigned short*)opj_image_data_alloc(nr_samples);
-
- if (inbuf == NULL || outbuf == NULL) {
- goto fails1;
- }
-
- r = image->comps[0].data;
- g = image->comps[1].data;
- b = image->comps[2].data;
-
- for (i = 0U ; i < max; ++i) {
- *in++ = (unsigned short) * r++;
- *in++ = (unsigned short) * g++;
- *in++ = (unsigned short) * b++;
- }
-
- cmsDoTransform(transform, inbuf, outbuf, (cmsUInt32Number)max);
-
- r = image->comps[0].data;
- g = image->comps[1].data;
- b = image->comps[2].data;
-
- for (i = 0; i < max; ++i) {
- *r++ = (int) * out++;
- *g++ = (int) * out++;
- *b++ = (int) * out++;
- }
- ok = 1;
+ opj_image_data_free(inbuf);
+ opj_image_data_free(outbuf);
+ } else { /* prec > 8 */
+ unsigned short *inbuf, *outbuf, *in, *out;
+
+ max = max_w * max_h;
+ nr_samples = (size_t)(max * 3U * sizeof(unsigned short));
+ in = inbuf = (unsigned short*)opj_image_data_alloc(nr_samples);
+ out = outbuf = (unsigned short*)opj_image_data_alloc(nr_samples);
+
+ if (inbuf == NULL || outbuf == NULL) {
+ goto fails1;
+ }
+
+ r = image->comps[0].data;
+ g = image->comps[1].data;
+ b = image->comps[2].data;
+
+ for (i = 0U ; i < max; ++i) {
+ *in++ = (unsigned short) * r++;
+ *in++ = (unsigned short) * g++;
+ *in++ = (unsigned short) * b++;
+ }
+
+ cmsDoTransform(transform, inbuf, outbuf, (cmsUInt32Number)max);
+
+ r = image->comps[0].data;
+ g = image->comps[1].data;
+ b = image->comps[2].data;
+
+ for (i = 0; i < max; ++i) {
+ *r++ = (int) * out++;
+ *g++ = (int) * out++;
+ *b++ = (int) * out++;
+ }
+ ok = 1;
fails1:
- opj_image_data_free(inbuf);
- opj_image_data_free(outbuf);
+ opj_image_data_free(inbuf);
+ opj_image_data_free(outbuf);
+ }
+ } else {
+ fprintf(stderr,
+ "[ERROR] Image components should have the same width and height\n");
+ cmsDeleteTransform(transform);
+ return;
}
} else { /* image->numcomps <= 2 : GRAY, GRAYA */
if (prec <= 8) {
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment