Commit c1056d67 authored by Natanael Copa's avatar Natanael Copa

main/openjpeg: security fixes (CVE-2017-17480,CVE-2018-18088)

also remove unused patches

fixes #9681
parent 07b44d0a
......@@ -9,7 +9,10 @@ arch="all"
license="BSD"
makedepends="libpng-dev tiff-dev lcms2-dev doxygen cmake"
subpackages="$pkgname-dev $pkgname-tools"
source="$pkgname-$pkgver.tar.gz::https://github.com/uclouvain/openjpeg/archive/v$pkgver.tar.gz"
source="$pkgname-$pkgver.tar.gz::https://github.com/uclouvain/openjpeg/archive/v$pkgver.tar.gz
CVE-2017-17480.patch
CVE-2018-18088.patch
"
builddir="${srcdir}/$pkgname-$pkgver"
build() {
......@@ -23,6 +26,9 @@ build() {
}
# secfixes:
# 2.3.0-r1:
# - CVE-2017-17480
# - CVE-2018-18088
# 2.3.0-r0:
# - CVE-2017-14039
# 2.2.0-r2:
......@@ -48,4 +54,6 @@ tools() {
mv "$pkgdir"/usr/bin "$subpkgdir"/usr/
}
sha512sums="0a9d427be4a820b1d759fca4b50e293721b45fe4885aa61ca1ae09e099f75ed93520448090c780d62f51076d575cc03618cd6d5181bdb6b34e4fc07b4cfdd568 openjpeg-2.3.0.tar.gz"
sha512sums="0a9d427be4a820b1d759fca4b50e293721b45fe4885aa61ca1ae09e099f75ed93520448090c780d62f51076d575cc03618cd6d5181bdb6b34e4fc07b4cfdd568 openjpeg-2.3.0.tar.gz
15f4292ab6e19ecad1d47772ea28154bc7bbf9b9ba68467c5750e0c823efe3657e5973c08b81456f649fb789b6772ddaf5122f23a530ae0f6a9e5adb61c51c74 CVE-2017-17480.patch
24b646f2b24cfbe9babe8b5c622069178998f35d0b82f5034ff12f8df5f3ffd35f4f8bcc195dfec1072d8f8847d200c3d28f689ec16f29ab9ce895dbabd044bb CVE-2018-18088.patch"
From c16bc057ba3f125051c9966cf1f5b68a05681de4 Mon Sep 17 00:00:00 2001
From: trylab <trylab@users.noreply.github.com>
Date: Tue, 6 Sep 2016 13:55:49 +0800
Subject: [PATCH] Fix an integer overflow issue (#809)
Prevent an integer overflow issue in function opj_pi_create_decode of
pi.c.
---
src/lib/openjp2/pi.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/src/lib/openjp2/pi.c b/src/lib/openjp2/pi.c
index cffad66..36e2ff0 100644
--- a/src/lib/openjp2/pi.c
+++ b/src/lib/openjp2/pi.c
@@ -1237,7 +1237,13 @@ opj_pi_iterator_t *opj_pi_create_decode(opj_image_t *p_image,
l_current_pi = l_pi;
/* memory allocation for include */
- l_current_pi->include = (OPJ_INT16*) opj_calloc((l_tcp->numlayers +1) * l_step_l, sizeof(OPJ_INT16));
+ /* prevent an integer overflow issue */
+ l_current_pi->include = 00;
+ if (l_step_l <= (SIZE_MAX / (l_tcp->numlayers + 1U)))
+ {
+ l_current_pi->include = (OPJ_INT16*) opj_calloc((l_tcp->numlayers +1) * l_step_l, sizeof(OPJ_INT16));
+ }
+
if
(!l_current_pi->include)
{
--
2.10.0
From ef01f18dfc6780b776d0674ed3e7415c6ef54d24 Mon Sep 17 00:00:00 2001
From: Matthieu Darbois <mayeut@users.noreply.github.com>
Date: Thu, 8 Sep 2016 07:34:46 +0200
Subject: [PATCH] Cast to size_t before multiplication
Need to cast to size_t before multiplication otherwise overflow check is useless.
---
src/lib/openjp2/pi.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/lib/openjp2/pi.c b/src/lib/openjp2/pi.c
index 36e2ff0..809b33d 100644
--- a/src/lib/openjp2/pi.c
+++ b/src/lib/openjp2/pi.c
@@ -1241,7 +1241,7 @@ opj_pi_iterator_t *opj_pi_create_decode(opj_image_t *p_image,
l_current_pi->include = 00;
if (l_step_l <= (SIZE_MAX / (l_tcp->numlayers + 1U)))
{
- l_current_pi->include = (OPJ_INT16*) opj_calloc((l_tcp->numlayers +1) * l_step_l, sizeof(OPJ_INT16));
+ l_current_pi->include = (OPJ_INT16*) opj_calloc((size_t)(l_tcp->numlayers + 1U) * l_step_l, sizeof(OPJ_INT16));
}
if
--
2.10.0
From cadff5fb6e73398de26a92e96d3d7cac893af255 Mon Sep 17 00:00:00 2001
From: szukw000 <szukw000@arcor.de>
Date: Fri, 9 Dec 2016 08:29:55 +0100
Subject: [PATCH] These changes repair bugs of #871 and #872
---
src/bin/jp2/converttif.c | 107 +++++++++++++++++++++++++++++++----------------
1 file changed, 70 insertions(+), 37 deletions(-)
diff --git a/src/bin/jp2/converttif.c b/src/bin/jp2/converttif.c
index 143d3be..c690f8b 100644
--- a/src/bin/jp2/converttif.c
+++ b/src/bin/jp2/converttif.c
@@ -553,20 +553,18 @@ static void tif_32sto16u(const OPJ_INT32* pSrc, OPJ_UINT16* pDst, OPJ_SIZE_T len
int imagetotif(opj_image_t * image, const char *outfile)
{
- int width, height;
- int bps,adjust, sgnd;
- int tiPhoto;
+ uint32 width, height, bps, tiPhoto;
+ int adjust, sgnd;
TIFF *tif;
tdata_t buf;
- tsize_t strip_size;
+ tmsize_t strip_size, rowStride;
OPJ_UINT32 i, numcomps;
- OPJ_SIZE_T rowStride;
OPJ_INT32* buffer32s = NULL;
OPJ_INT32 const* planes[4];
convert_32s_PXCX cvtPxToCx = NULL;
convert_32sXXx_C1R cvt32sToTif = NULL;
- bps = (int)image->comps[0].prec;
+ bps = (uint32)image->comps[0].prec;
planes[0] = image->comps[0].data;
numcomps = image->numcomps;
@@ -674,13 +672,13 @@ int imagetotif(opj_image_t * image, const char *outfile)
break;
}
sgnd = (int)image->comps[0].sgnd;
- adjust = sgnd ? 1 << (image->comps[0].prec - 1) : 0;
- width = (int)image->comps[0].w;
- height = (int)image->comps[0].h;
+ adjust = sgnd ? (int)(1 << (image->comps[0].prec - 1)) : 0;
+ width = (uint32)image->comps[0].w;
+ height = (uint32)image->comps[0].h;
TIFFSetField(tif, TIFFTAG_IMAGEWIDTH, width);
TIFFSetField(tif, TIFFTAG_IMAGELENGTH, height);
- TIFFSetField(tif, TIFFTAG_SAMPLESPERPIXEL, numcomps);
+ TIFFSetField(tif, TIFFTAG_SAMPLESPERPIXEL, (uint32)numcomps);
TIFFSetField(tif, TIFFTAG_BITSPERSAMPLE, bps);
TIFFSetField(tif, TIFFTAG_ORIENTATION, ORIENTATION_TOPLEFT);
TIFFSetField(tif, TIFFTAG_PLANARCONFIG, PLANARCONFIG_CONTIG);
@@ -688,8 +686,8 @@ int imagetotif(opj_image_t * image, const char *outfile)
TIFFSetField(tif, TIFFTAG_ROWSPERSTRIP, 1);
strip_size = TIFFStripSize(tif);
- rowStride = ((OPJ_SIZE_T)width * numcomps * (OPJ_SIZE_T)bps + 7U) / 8U;
- if (rowStride != (OPJ_SIZE_T)strip_size) {
+ rowStride = (width * numcomps * bps + 7U) / 8U;
+ if (rowStride != strip_size) {
fprintf(stderr, "Invalid TIFF strip size\n");
TIFFClose(tif);
return 1;
@@ -699,7 +697,7 @@ int imagetotif(opj_image_t * image, const char *outfile)
TIFFClose(tif);
return 1;
}
- buffer32s = (OPJ_INT32 *)malloc((OPJ_SIZE_T)width * numcomps * sizeof(OPJ_INT32));
+ buffer32s = (OPJ_INT32 *)malloc((OPJ_SIZE_T)(width * numcomps * sizeof(OPJ_INT32)));
if (buffer32s == NULL) {
_TIFFfree(buf);
TIFFClose(tif);
@@ -1211,20 +1209,19 @@ opj_image_t* tiftoimage(const char *filename, opj_cparameters_t *parameters)
TIFF *tif;
tdata_t buf;
tstrip_t strip;
- tsize_t strip_size;
+ tmsize_t strip_size;
int j, currentPlane, numcomps = 0, w, h;
OPJ_COLOR_SPACE color_space = OPJ_CLRSPC_UNKNOWN;
opj_image_cmptparm_t cmptparm[4]; /* RGBA */
opj_image_t *image = NULL;
int has_alpha = 0;
- unsigned short tiBps, tiPhoto, tiSf, tiSpp, tiPC;
- unsigned int tiWidth, tiHeight;
+ uint32 tiBps, tiPhoto, tiSf, tiSpp, tiPC, tiWidth, tiHeight;
OPJ_BOOL is_cinema = OPJ_IS_CINEMA(parameters->rsiz);
convert_XXx32s_C1R cvtTifTo32s = NULL;
convert_32s_CXPX cvtCxToPx = NULL;
OPJ_INT32* buffer32s = NULL;
OPJ_INT32* planes[4];
- OPJ_SIZE_T rowStride;
+ tmsize_t rowStride;
tif = TIFFOpen(filename, "r");
@@ -1243,22 +1240,35 @@ opj_image_t* tiftoimage(const char *filename, opj_cparameters_t *parameters)
TIFFGetField(tif, TIFFTAG_SAMPLESPERPIXEL, &tiSpp);
TIFFGetField(tif, TIFFTAG_PHOTOMETRIC, &tiPhoto);
TIFFGetField(tif, TIFFTAG_PLANARCONFIG, &tiPC);
- w= (int)tiWidth;
- h= (int)tiHeight;
-
- if(tiBps > 16U) {
- fprintf(stderr,"tiftoimage: Bits=%d, Only 1 to 16 bits implemented\n",tiBps);
- fprintf(stderr,"\tAborting\n");
+
+ if(tiSpp == 0 || tiSpp > 4) { /* should be 1 ... 4 */
+ fprintf(stderr,"tiftoimage: Bad value for samples per pixel == %hu.\n"
+ "\tAborting.\n", tiSpp);
+ TIFFClose(tif);
+ return NULL;
+ }
+ if(tiBps > 16U || tiBps == 0) {
+ fprintf(stderr,"tiftoimage: Bad values for Bits == %d.\n"
+ "\tMax. 16 Bits are allowed here.\n\tAborting.\n",tiBps);
TIFFClose(tif);
return NULL;
}
if(tiPhoto != PHOTOMETRIC_MINISBLACK && tiPhoto != PHOTOMETRIC_RGB) {
- fprintf(stderr,"tiftoimage: Bad color format %d.\n\tOnly RGB(A) and GRAY(A) has been implemented\n",(int) tiPhoto);
+ fprintf(stderr,"tiftoimage: Bad color format %d.\n"
+ "\tOnly RGB(A) and GRAY(A) has been implemented\n",(int) tiPhoto);
fprintf(stderr,"\tAborting\n");
TIFFClose(tif);
return NULL;
}
-
+ if(tiWidth == 0 || tiHeight == 0) {
+ fprintf(stderr,"tiftoimage: Bad values for width(%u) "
+ "and/or height(%u)\n\tAborting.\n",tiWidth,tiHeight);
+ TIFFClose(tif);
+ return NULL;
+ }
+ w= (int)tiWidth;
+ h= (int)tiHeight;
+
switch (tiBps) {
case 1:
case 2:
@@ -1312,7 +1322,7 @@ opj_image_t* tiftoimage(const char *filename, opj_cparameters_t *parameters)
TIFFGetFieldDefaulted(tif, TIFFTAG_EXTRASAMPLES,
&extrasamples, &sampleinfo);
-
+
if(extrasamples >= 1)
{
switch(sampleinfo[0])
@@ -1333,7 +1343,7 @@ opj_image_t* tiftoimage(const char *filename, opj_cparameters_t *parameters)
else /* extrasamples == 0 */
if(tiSpp == 4 || tiSpp == 2) has_alpha = 1;
}
-
+
/* initialize image components */
memset(&cmptparm[0], 0, 4 * sizeof(opj_image_cmptparm_t));
@@ -1346,7 +1356,7 @@ opj_image_t* tiftoimage(const char *filename, opj_cparameters_t *parameters)
} else {
is_cinema = 0U;
}
-
+
if(tiPhoto == PHOTOMETRIC_RGB) /* RGB(A) */
{
numcomps = 3 + has_alpha;
@@ -1384,10 +1394,24 @@ opj_image_t* tiftoimage(const char *filename, opj_cparameters_t *parameters)
image->x0 = (OPJ_UINT32)parameters->image_offset_x0;
image->y0 = (OPJ_UINT32)parameters->image_offset_y0;
image->x1 = !image->x0 ? (OPJ_UINT32)(w - 1) * (OPJ_UINT32)subsampling_dx + 1 :
- image->x0 + (OPJ_UINT32)(w - 1) * (OPJ_UINT32)subsampling_dx + 1;
+ image->x0 + (OPJ_UINT32)(w - 1) * (OPJ_UINT32)subsampling_dx + 1;
+ if(image->x1 <= image->x0) {
+ fprintf(stderr,"tiftoimage: Bad value for image->x1(%d) vs. "
+ "image->x0(%d)\n\tAborting.\n",image->x1,image->x0);
+ TIFFClose(tif);
+ opj_image_destroy(image);
+ return NULL;
+ }
image->y1 = !image->y0 ? (OPJ_UINT32)(h - 1) * (OPJ_UINT32)subsampling_dy + 1 :
- image->y0 + (OPJ_UINT32)(h - 1) * (OPJ_UINT32)subsampling_dy + 1;
-
+ image->y0 + (OPJ_UINT32)(h - 1) * (OPJ_UINT32)subsampling_dy + 1;
+ if(image->y1 <= image->y0) {
+ fprintf(stderr,"tiftoimage: Bad value for image->y1(%d) vs. "
+ "image->y0(%d)\n\tAborting.\n",image->y1,image->y0);
+ TIFFClose(tif);
+ opj_image_destroy(image);
+ return NULL;
+ }
+
for(j = 0; j < numcomps; j++)
{
planes[j] = image->comps[j].data;
@@ -1395,15 +1419,15 @@ opj_image_t* tiftoimage(const char *filename, opj_cparameters_t *parameters)
image->comps[numcomps - 1].alpha = (OPJ_UINT16)(1 - (numcomps & 1));
strip_size = TIFFStripSize(tif);
-
+
buf = _TIFFmalloc(strip_size);
if (buf == NULL) {
TIFFClose(tif);
opj_image_destroy(image);
return NULL;
}
- rowStride = ((OPJ_SIZE_T)w * tiSpp * tiBps + 7U) / 8U;
- buffer32s = (OPJ_INT32 *)malloc((OPJ_SIZE_T)w * tiSpp * sizeof(OPJ_INT32));
+ rowStride = (w * tiSpp * tiBps + 7U) / 8U;
+ buffer32s = (OPJ_INT32 *)malloc((OPJ_SIZE_T)(w * tiSpp * sizeof(OPJ_INT32)));
if (buffer32s == NULL) {
_TIFFfree(buf);
TIFFClose(tif);
@@ -1421,11 +1445,20 @@ opj_image_t* tiftoimage(const char *filename, opj_cparameters_t *parameters)
for(; (h > 0) && (strip < TIFFNumberOfStrips(tif)); strip++)
{
const OPJ_UINT8 *dat8;
- OPJ_SIZE_T ssize;
+ tmsize_t ssize;
- ssize = (OPJ_SIZE_T)TIFFReadEncodedStrip(tif, strip, buf, strip_size);
+ ssize = TIFFReadEncodedStrip(tif, strip, buf, strip_size);
+ if(ssize < 1 || ssize > strip_size) {
+ fprintf(stderr,"tiftoimage: Bad value for ssize(%ld) "
+ "vs. strip_size(%ld).\n\tAborting.\n",ssize,strip_size);
+ _TIFFfree(buf);
+ _TIFFfree(buffer32s);
+ TIFFClose(tif);
+ opj_image_destroy(image);
+ return NULL;
+ }
dat8 = (const OPJ_UINT8*)buf;
-
+
while (ssize >= rowStride) {
cvtTifTo32s(dat8, buffer32s, (OPJ_SIZE_T)w * tiSpp);
cvtCxToPx(buffer32s, planes, (OPJ_SIZE_T)w);
From baf0c1ad4572daa89caa3b12985bdd93530f0dd7 Mon Sep 17 00:00:00 2001
From: Even Rouault <even.rouault@spatialys.com>
Date: Mon, 14 Aug 2017 17:26:58 +0200
Subject: [PATCH] bmp_read_info_header(): reject bmp files with biBitCount == 0
(#983)
---
src/bin/jp2/convertbmp.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/src/bin/jp2/convertbmp.c b/src/bin/jp2/convertbmp.c
index b49e7a080..2715fdf24 100644
--- a/src/bin/jp2/convertbmp.c
+++ b/src/bin/jp2/convertbmp.c
@@ -392,6 +392,10 @@ static OPJ_BOOL bmp_read_info_header(FILE* IN, OPJ_BITMAPINFOHEADER* header)
header->biBitCount = (OPJ_UINT16)getc(IN);
header->biBitCount |= (OPJ_UINT16)((OPJ_UINT32)getc(IN) << 8);
+ if (header->biBitCount == 0) {
+ fprintf(stderr, "Error, invalid biBitCount %d\n", 0);
+ return OPJ_FALSE;
+ }
if (header->biSize >= 40U) {
header->biCompression = (OPJ_UINT32)getc(IN);
From 2cd30c2b06ce332dede81cccad8b334cde997281 Mon Sep 17 00:00:00 2001
From: Even Rouault <even.rouault@spatialys.com>
Date: Thu, 17 Aug 2017 11:47:40 +0200
Subject: [PATCH] tgatoimage(): avoid excessive memory allocation attempt, and
fixes unaligned load (#995)
---
src/bin/jp2/convert.c | 39 +++++++++++++++++++++++++++------------
1 file changed, 27 insertions(+), 12 deletions(-)
diff --git a/src/bin/jp2/convert.c b/src/bin/jp2/convert.c
index a4eb81f6a..73dfc8d5f 100644
--- a/src/bin/jp2/convert.c
+++ b/src/bin/jp2/convert.c
@@ -580,13 +580,10 @@ struct tga_header {
};
#endif /* INFORMATION_ONLY */
-static unsigned short get_ushort(const unsigned char *data)
+/* Returns a ushort from a little-endian serialized value */
+static unsigned short get_tga_ushort(const unsigned char *data)
{
- unsigned short val = *(const unsigned short *)data;
-#ifdef OPJ_BIG_ENDIAN
- val = ((val & 0xffU) << 8) | (val >> 8);
-#endif
- return val;
+ return data[0] | (data[1] << 8);
}
#define TGA_HEADER_SIZE 18
@@ -613,17 +610,17 @@ static int tga_readheader(FILE *fp, unsigned int *bits_per_pixel,
id_len = tga[0];
/*cmap_type = tga[1];*/
image_type = tga[2];
- /*cmap_index = get_ushort(&tga[3]);*/
- cmap_len = get_ushort(&tga[5]);
+ /*cmap_index = get_tga_ushort(&tga[3]);*/
+ cmap_len = get_tga_ushort(&tga[5]);
cmap_entry_size = tga[7];
#if 0
- x_origin = get_ushort(&tga[8]);
- y_origin = get_ushort(&tga[10]);
+ x_origin = get_tga_ushort(&tga[8]);
+ y_origin = get_tga_ushort(&tga[10]);
#endif
- image_w = get_ushort(&tga[12]);
- image_h = get_ushort(&tga[14]);
+ image_w = get_tga_ushort(&tga[12]);
+ image_h = get_tga_ushort(&tga[14]);
pixel_depth = tga[16];
image_desc = tga[17];
@@ -817,6 +814,24 @@ opj_image_t* tgatoimage(const char *filename, opj_cparameters_t *parameters)
color_space = OPJ_CLRSPC_SRGB;
}
+ /* If the declared file size is > 10 MB, check that the file is big */
+ /* enough to avoid excessive memory allocations */
+ if (image_height != 0 && image_width > 10000000 / image_height / numcomps) {
+ char ch;
+ OPJ_UINT64 expected_file_size =
+ (OPJ_UINT64)image_width * image_height * numcomps;
+ long curpos = ftell(f);
+ if (expected_file_size > (OPJ_UINT64)INT_MAX) {
+ expected_file_size = (OPJ_UINT64)INT_MAX;
+ }
+ fseek(f, (long)expected_file_size - 1, SEEK_SET);
+ if (fread(&ch, 1, 1, f) != 1) {
+ fclose(f);
+ return NULL;
+ }
+ fseek(f, curpos, SEEK_SET);
+ }
+
subsampling_dx = parameters->subsampling_dx;
subsampling_dy = parameters->subsampling_dy;
From e5285319229a5d77bf316bb0d3a6cbd3cb8666d9 Mon Sep 17 00:00:00 2001
From: Even Rouault <even.rouault@spatialys.com>
Date: Fri, 18 Aug 2017 13:39:20 +0200
Subject: [PATCH] pgxtoimage(): fix write stack buffer overflow (#997)
---
src/bin/jp2/convert.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/bin/jp2/convert.c b/src/bin/jp2/convert.c
index 5459f7d44..e606c9be7 100644
--- a/src/bin/jp2/convert.c
+++ b/src/bin/jp2/convert.c
@@ -1185,7 +1185,7 @@ opj_image_t* pgxtoimage(const char *filename, opj_cparameters_t *parameters)
}
fseek(f, 0, SEEK_SET);
- if (fscanf(f, "PG%[ \t]%c%c%[ \t+-]%d%[ \t]%d%[ \t]%d", temp, &endian1,
+ if (fscanf(f, "PG%31[ \t]%c%c%31[ \t+-]%d%31[ \t]%d%31[ \t]%d", temp, &endian1,
&endian2, signtmp, &prec, temp, &w, temp, &h) != 9) {
fclose(f);
fprintf(stderr,
From afb308b9ccbe129608c9205cf3bb39bbefad90b9 Mon Sep 17 00:00:00 2001
From: Even Rouault <even.rouault@spatialys.com>
Date: Mon, 14 Aug 2017 17:20:37 +0200
Subject: [PATCH] Encoder: grow buffer size in
opj_tcd_code_block_enc_allocate_data() to avoid write heap buffer overflow in
opj_mqc_flush (#982)
---
src/lib/openjp2/tcd.c | 7 +++++--
tests/nonregression/test_suite.ctest.in | 2 ++
2 files changed, 7 insertions(+), 2 deletions(-)
diff --git a/src/lib/openjp2/tcd.c b/src/lib/openjp2/tcd.c
index 301c7213e..53cdcf64d 100644
--- a/src/lib/openjp2/tcd.c
+++ b/src/lib/openjp2/tcd.c
@@ -1187,8 +1187,11 @@ static OPJ_BOOL opj_tcd_code_block_enc_allocate_data(opj_tcd_cblk_enc_t *
{
OPJ_UINT32 l_data_size;
- /* The +1 is needed for https://github.com/uclouvain/openjpeg/issues/835 */
- l_data_size = 1 + (OPJ_UINT32)((p_code_block->x1 - p_code_block->x0) *
+ /* +1 is needed for https://github.com/uclouvain/openjpeg/issues/835 */
+ /* and actually +2 required for https://github.com/uclouvain/openjpeg/issues/982 */
+ /* TODO: is there a theoretical upper-bound for the compressed code */
+ /* block size ? */
+ l_data_size = 2 + (OPJ_UINT32)((p_code_block->x1 - p_code_block->x0) *
(p_code_block->y1 - p_code_block->y0) * (OPJ_INT32)sizeof(OPJ_UINT32));
if (l_data_size > p_code_block->data_size) {
diff --git a/tests/nonregression/test_suite.ctest.in b/tests/nonregression/test_suite.ctest.in
index aaf40d7d0..ffd964c2a 100644
--- a/tests/nonregression/test_suite.ctest.in
+++ b/tests/nonregression/test_suite.ctest.in
@@ -169,6 +169,8 @@ opj_compress -i @INPUT_NR_PATH@/Bretagne2.ppm -o @TEMP_PATH@/Bretagne2_empty_ban
# Same rate as Bretagne2_4.j2k
opj_compress -i @INPUT_NR_PATH@/Bretagne2.ppm -o @TEMP_PATH@/Bretagne2_empty_band_r800.j2k -t 2591,1943 -n 2 -r 800
+opj_compress -i @INPUT_NR_PATH@/issue982.bmp -o @TEMP_PATH@/issue982.j2k -n 1
+
# DECODER TEST SUITE
opj_decompress -i @INPUT_NR_PATH@/Bretagne2.j2k -o @TEMP_PATH@/Bretagne2.j2k.pgx
opj_decompress -i @INPUT_NR_PATH@/_00042.j2k -o @TEMP_PATH@/_00042.j2k.pgx
From 4241ae6fbbf1de9658764a80944dc8108f2b4154 Mon Sep 17 00:00:00 2001
From: Even Rouault <even.rouault@spatialys.com>
Date: Tue, 15 Aug 2017 11:55:58 +0200
Subject: [PATCH] Fix assertion in debug mode / heap-based buffer overflow in
opj_write_bytes_LE for Cinema profiles with numresolutions = 1 (#985)
---
src/lib/openjp2/j2k.c | 14 ++++++++++----
1 file changed, 10 insertions(+), 4 deletions(-)
diff --git a/src/lib/openjp2/j2k.c b/src/lib/openjp2/j2k.c
index a2521ebbc..54b490a8c 100644
--- a/src/lib/openjp2/j2k.c
+++ b/src/lib/openjp2/j2k.c
@@ -6573,10 +6573,16 @@ static void opj_j2k_set_cinema_parameters(opj_cparameters_t *parameters,
/* Precincts */
parameters->csty |= 0x01;
- parameters->res_spec = parameters->numresolution - 1;
- for (i = 0; i < parameters->res_spec; i++) {
- parameters->prcw_init[i] = 256;
- parameters->prch_init[i] = 256;
+ if (parameters->numresolution == 1) {
+ parameters->res_spec = 1;
+ parameters->prcw_init[0] = 128;
+ parameters->prch_init[0] = 128;
+ } else {
+ parameters->res_spec = parameters->numresolution - 1;
+ for (i = 0; i < parameters->res_spec; i++) {
+ parameters->prcw_init[i] = 256;
+ parameters->prch_init[i] = 256;
+ }
}
/* The progression order shall be CPRL */
From dcac91b8c72f743bda7dbfa9032356bc8110098a Mon Sep 17 00:00:00 2001
From: Even Rouault <even.rouault@spatialys.com>
Date: Wed, 16 Aug 2017 17:09:10 +0200
Subject: [PATCH] opj_j2k_write_sot(): fix potential write heap buffer overflow
(#991)
---
src/lib/openjp2/j2k.c | 25 ++++++++++++++++++++-----
1 file changed, 20 insertions(+), 5 deletions(-)
diff --git a/src/lib/openjp2/j2k.c b/src/lib/openjp2/j2k.c
index 54b490a8c..16915452e 100644
--- a/src/lib/openjp2/j2k.c
+++ b/src/lib/openjp2/j2k.c
@@ -832,13 +832,15 @@ static OPJ_BOOL opj_j2k_write_tlm(opj_j2k_t *p_j2k,
* Writes the SOT marker (Start of tile-part)
*
* @param p_j2k J2K codec.
- * @param p_data FIXME DOC
- * @param p_data_written FIXME DOC
+ * @param p_data Output buffer
+ * @param p_total_data_size Output buffer size
+ * @param p_data_written Number of bytes written into stream
* @param p_stream the stream to write data to.
* @param p_manager the user event manager.
*/
static OPJ_BOOL opj_j2k_write_sot(opj_j2k_t *p_j2k,
OPJ_BYTE * p_data,
+ OPJ_UINT32 p_total_data_size,
OPJ_UINT32 * p_data_written,
const opj_stream_private_t *p_stream,
opj_event_mgr_t * p_manager);
@@ -4201,6 +4203,7 @@ static OPJ_BOOL opj_j2k_write_tlm(opj_j2k_t *p_j2k,
static OPJ_BOOL opj_j2k_write_sot(opj_j2k_t *p_j2k,
OPJ_BYTE * p_data,
+ OPJ_UINT32 p_total_data_size,
OPJ_UINT32 * p_data_written,
const opj_stream_private_t *p_stream,
opj_event_mgr_t * p_manager
@@ -4214,6 +4217,12 @@ static OPJ_BOOL opj_j2k_write_sot(opj_j2k_t *p_j2k,
OPJ_UNUSED(p_stream);
OPJ_UNUSED(p_manager);
+ if (p_total_data_size < 12) {
+ opj_event_msg(p_manager, EVT_ERROR,
+ "Not enough bytes in output buffer to write SOT marker\n");
+ return OPJ_FALSE;
+ }
+
opj_write_bytes(p_data, J2K_MS_SOT,
2); /* SOT */
p_data += 2;
@@ -11480,7 +11489,8 @@ static OPJ_BOOL opj_j2k_write_first_tile_part(opj_j2k_t *p_j2k,
l_current_nb_bytes_written = 0;
l_begin_data = p_data;
- if (! opj_j2k_write_sot(p_j2k, p_data, &l_current_nb_bytes_written, p_stream,
+ if (! opj_j2k_write_sot(p_j2k, p_data, p_total_data_size,
+ &l_current_nb_bytes_written, p_stream,
p_manager)) {
return OPJ_FALSE;
}
@@ -11572,7 +11582,10 @@ static OPJ_BOOL opj_j2k_write_all_tile_parts(opj_j2k_t *p_j2k,
l_part_tile_size = 0;
l_begin_data = p_data;
- if (! opj_j2k_write_sot(p_j2k, p_data, &l_current_nb_bytes_written, p_stream,
+ if (! opj_j2k_write_sot(p_j2k, p_data,
+ p_total_data_size,
+ &l_current_nb_bytes_written,
+ p_stream,
p_manager)) {
return OPJ_FALSE;
}
@@ -11615,7 +11628,9 @@ static OPJ_BOOL opj_j2k_write_all_tile_parts(opj_j2k_t *p_j2k,
l_part_tile_size = 0;
l_begin_data = p_data;
- if (! opj_j2k_write_sot(p_j2k, p_data, &l_current_nb_bytes_written, p_stream,
+ if (! opj_j2k_write_sot(p_j2k, p_data,
+ p_total_data_size,
+ &l_current_nb_bytes_written, p_stream,
p_manager)) {
return OPJ_FALSE;
}
From 0bc90e4062a5f9258c91eca018c019b179066c62 Mon Sep 17 00:00:00 2001
From: Hugo Lefeuvre <hle@debian.org>
Date: Mon, 22 Oct 2018 16:59:41 +0200
Subject: [PATCH] jp3d/jpwl convert: fix write stack buffer overflow
Missing buffer length formatter in fscanf call might lead to write
stack buffer overflow.
fixes #1044 (CVE-2017-17480)
---
src/bin/jp3d/convert.c | 4 ++--
src/bin/jpwl/convert.c | 2 +-
2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/src/bin/jp3d/convert.c b/src/bin/jp3d/convert.c
index 23fd70b04..acad8f82a 100644
--- a/src/bin/jp3d/convert.c
+++ b/src/bin/jp3d/convert.c
@@ -297,8 +297,8 @@ opj_volume_t* pgxtovolume(char *relpath, opj_cparameters_t *parameters)
fprintf(stdout, "[INFO] Loading %s \n", pgxfiles[pos]);
fseek(f, 0, SEEK_SET);
- fscanf(f, "PG%[ \t]%c%c%[ \t+-]%d%[ \t]%d%[ \t]%d", temp, &endian1, &endian2,
- signtmp, &prec, temp, &w, temp, &h);
+ fscanf(f, "PG%31[ \t]%c%c%31[ \t+-]%d%31[ \t]%d%31[ \t]%d", temp, &endian1,
+ &endian2, signtmp, &prec, temp, &w, temp, &h);
i = 0;
sign = '+';
diff --git a/src/bin/jpwl/convert.c b/src/bin/jpwl/convert.c
index f3bb670b0..73c1be729 100644
--- a/src/bin/jpwl/convert.c
+++ b/src/bin/jpwl/convert.c
@@ -1349,7 +1349,7 @@ opj_image_t* pgxtoimage(const char *filename, opj_cparameters_t *parameters)
}
fseek(f, 0, SEEK_SET);
- if (fscanf(f, "PG%[ \t]%c%c%[ \t+-]%d%[ \t]%d%[ \t]%d", temp, &endian1,
+ if (fscanf(f, "PG%31[ \t]%c%c%31[ \t+-]%d%31[ \t]%d%31[ \t]%d", temp, &endian1,
&endian2, signtmp, &prec, temp, &w, temp, &h) != 9) {
fprintf(stderr,
"ERROR: Failed to read the right number of element from the fscanf() function!\n");
From cab352e249ed3372dd9355c85e837613fff98fa2 Mon Sep 17 00:00:00 2001
From: Hugo Lefeuvre <hle@debian.org>
Date: Wed, 7 Nov 2018 18:48:29 +0100
Subject: [PATCH] jp2: convert: fix null pointer dereference
Tile components in a JP2 image might have null data pointer by defining a
zero component size (for example using large horizontal or vertical
sampling periods). This null data pointer leads to null image component
data pointer, causing crash when dereferenced without != null check in
imagetopnm.
Add != null check.
This commit addresses #1152 (CVE-2018-18088).
---
src/bin/jp2/convert.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/src/bin/jp2/convert.c b/src/bin/jp2/convert.c
index fa02e31c5..e670cd82f 100644
--- a/src/bin/jp2/convert.c
+++ b/src/bin/jp2/convert.c
@@ -2233,6 +2233,11 @@ int imagetopnm(opj_image_t * image, const char *outfile, int force_split)
opj_version(), wr, hr, max);
red = image->comps[compno].data;
+ if (!red) {
+ fclose(fdest);
+ continue;
+ }
+
adjustR =
(image->comps[compno].sgnd ? 1 << (image->comps[compno].prec - 1) : 0);
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment