Skip to content
Snippets Groups Projects
Commit c2dfa69c authored by J0WI's avatar J0WI Committed by Natanael Copa
Browse files

main/openjpeg: cleanup patches and update url 

(cherry picked from commit 18df15db)
parent 5a5ab516
No related merge requests found
Hide whitespace changes
Inline Side-by-side
main/openjpeg/APKBUILD
+ 2
2
View file @ c2dfa69c
......@@ -2,9 +2,9 @@
# Maintainer: Francesco Colista <fcolista@alpinelinux.org>
pkgname=openjpeg
pkgver=2.3.1
pkgrel=1
pkgrel=2
pkgdesc="Open-source implementation of JPEG2000 image codec"
url="http://www.openjpeg.org/"
url="https://www.openjpeg.org/"
arch="all"
options="!check" # No test suite.
license="BSD-2-Clause-NetBSD"
......
main/openjpeg/CVE-2017-17480.patch deleted 100644 → 0
+ 0
42
View file @ 5a5ab516
From 0bc90e4062a5f9258c91eca018c019b179066c62 Mon Sep 17 00:00:00 2001
From: Hugo Lefeuvre <hle@debian.org>
Date: Mon, 22 Oct 2018 16:59:41 +0200
Subject: [PATCH] jp3d/jpwl convert: fix write stack buffer overflow
Missing buffer length formatter in fscanf call might lead to write
stack buffer overflow.
fixes #1044 (CVE-2017-17480)
---
src/bin/jp3d/convert.c | 4 ++--
src/bin/jpwl/convert.c | 2 +-
2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/src/bin/jp3d/convert.c b/src/bin/jp3d/convert.c
index 23fd70b04..acad8f82a 100644
--- a/src/bin/jp3d/convert.c
+++ b/src/bin/jp3d/convert.c
@@ -297,8 +297,8 @@ opj_volume_t* pgxtovolume(char *relpath, opj_cparameters_t *parameters)
fprintf(stdout, "[INFO] Loading %s \n", pgxfiles[pos]);
fseek(f, 0, SEEK_SET);
- fscanf(f, "PG%[ \t]%c%c%[ \t+-]%d%[ \t]%d%[ \t]%d", temp, &endian1, &endian2,
- signtmp, &prec, temp, &w, temp, &h);
+ fscanf(f, "PG%31[ \t]%c%c%31[ \t+-]%d%31[ \t]%d%31[ \t]%d", temp, &endian1,
+ &endian2, signtmp, &prec, temp, &w, temp, &h);
i = 0;
sign = '+';
diff --git a/src/bin/jpwl/convert.c b/src/bin/jpwl/convert.c
index f3bb670b0..73c1be729 100644
--- a/src/bin/jpwl/convert.c
+++ b/src/bin/jpwl/convert.c
@@ -1349,7 +1349,7 @@ opj_image_t* pgxtoimage(const char *filename, opj_cparameters_t *parameters)
}
fseek(f, 0, SEEK_SET);
- if (fscanf(f, "PG%[ \t]%c%c%[ \t+-]%d%[ \t]%d%[ \t]%d", temp, &endian1,
+ if (fscanf(f, "PG%31[ \t]%c%c%31[ \t+-]%d%31[ \t]%d%31[ \t]%d", temp, &endian1,
&endian2, signtmp, &prec, temp, &w, temp, &h) != 9) {
fprintf(stderr,
"ERROR: Failed to read the right number of element from the fscanf() function!\n");
main/openjpeg/CVE-2018-14423.patch deleted 100644 → 0
+ 0
60
View file @ 5a5ab516
From bd88611ed9ad7144ec4f3de54790cd848175891b Mon Sep 17 00:00:00 2001
From: Young_X <YangX92@hotmail.com>
Date: Fri, 23 Nov 2018 17:15:05 +0800
Subject: [PATCH] [JP3D] To avoid divisions by zero / undefined behaviour on
shift (CVE-2018-14423
Signed-off-by: Young_X <YangX92@hotmail.com>
---
src/lib/openjp3d/pi.c | 24 ++++++++++++++++++++++++
1 file changed, 24 insertions(+)
diff --git a/src/lib/openjp3d/pi.c b/src/lib/openjp3d/pi.c
index a03be45e7..a58ebcc7c 100644
--- a/src/lib/openjp3d/pi.c
+++ b/src/lib/openjp3d/pi.c
@@ -223,6 +223,14 @@ static bool pi_next_rpcl(opj_pi_iterator_t * pi)
rpx = res->pdx + levelnox;
rpy = res->pdy + levelnoy;
rpz = res->pdz + levelnoz;
+
+ /* To avoid divisions by zero / undefined behaviour on shift */
+ if (rpx >= 31 || ((comp->dx << rpx) >> rpx) != comp->dx ||
+ rpy >= 31 || ((comp->dy << rpy) >> rpy) != comp->dy ||
+ rpz >= 31 || ((comp->dz << rpz) >> rpz) != comp->dz) {
+ continue;
+ }
+
if ((!(pi->x % (comp->dx << rpx) == 0) || (pi->x == pi->tx0 &&
(trx0 << levelnox) % (1 << rpx)))) {
continue;
@@ -329,6 +337,14 @@ static bool pi_next_pcrl(opj_pi_iterator_t * pi)
rpx = res->pdx + levelnox;
rpy = res->pdy + levelnoy;
rpz = res->pdz + levelnoz;
+
+ /* To avoid divisions by zero / undefined behaviour on shift */
+ if (rpx >= 31 || ((comp->dx << rpx) >> rpx) != comp->dx ||
+ rpy >= 31 || ((comp->dy << rpy) >> rpy) != comp->dy ||
+ rpz >= 31 || ((comp->dz << rpz) >> rpz) != comp->dz) {
+ continue;
+ }
+
if ((!(pi->x % (comp->dx << rpx) == 0) || (pi->x == pi->tx0 &&
(trx0 << levelnox) % (1 << rpx)))) {
continue;
@@ -432,6 +448,14 @@ static bool pi_next_cprl(opj_pi_iterator_t * pi)
rpx = res->pdx + levelnox;
rpy = res->pdy + levelnoy;
rpz = res->pdz + levelnoz;
+
+ /* To avoid divisions by zero / undefined behaviour on shift */
+ if (rpx >= 31 || ((comp->dx << rpx) >> rpx) != comp->dx ||
+ rpy >= 31 || ((comp->dy << rpy) >> rpy) != comp->dy ||
+ rpz >= 31 || ((comp->dz << rpz) >> rpz) != comp->dz) {
+ continue;
+ }
+
if ((!(pi->x % (comp->dx << rpx) == 0) || (pi->x == pi->tx0 &&
(trx0 << levelnox) % (1 << rpx)))) {
continue;
main/openjpeg/CVE-2018-18088.patch deleted 100644 → 0
+ 0
34
View file @ 5a5ab516
From cab352e249ed3372dd9355c85e837613fff98fa2 Mon Sep 17 00:00:00 2001
From: Hugo Lefeuvre <hle@debian.org>
Date: Wed, 7 Nov 2018 18:48:29 +0100
Subject: [PATCH] jp2: convert: fix null pointer dereference
Tile components in a JP2 image might have null data pointer by defining a
zero component size (for example using large horizontal or vertical
sampling periods). This null data pointer leads to null image component
data pointer, causing crash when dereferenced without != null check in
imagetopnm.
Add != null check.
This commit addresses #1152 (CVE-2018-18088).
---
src/bin/jp2/convert.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/src/bin/jp2/convert.c b/src/bin/jp2/convert.c
index fa02e31c5..e670cd82f 100644
--- a/src/bin/jp2/convert.c
+++ b/src/bin/jp2/convert.c
@@ -2233,6 +2233,11 @@ int imagetopnm(opj_image_t * image, const char *outfile, int force_split)
opj_version(), wr, hr, max);
red = image->comps[compno].data;
+ if (!red) {
+ fclose(fdest);
+ continue;
+ }
+
adjustR =
(image->comps[compno].sgnd ? 1 << (image->comps[compno].prec - 1) : 0);
main/openjpeg/CVE-2018-5785.patch deleted 100644 → 0
+ 0
79
View file @ 5a5ab516
From ca16fe55014c57090dd97369256c7657aeb25975 Mon Sep 17 00:00:00 2001
From: Hugo Lefeuvre <hle@debian.org>
Date: Sat, 22 Sep 2018 14:33:19 -0400
Subject: [PATCH] convertbmp: fix issues with zero bitmasks
In the case where a BMP file declares compression 3 (BI_BITFIELDS)
with header size <= 56, all bitmask values keep their initialization
value 0. This may lead to various undefined behavior later e.g. when
doing 1 << (l_comp->prec - 1).
This issue does not affect files with bit count 16 because of a check
added in 16240e2 which sets default values to the color masks if they
are all 0.
This commit adds similar checks for the 32 bit case.
Also, if a BMP file declares compression 3 with header size >= 56 and
intentional 0 bitmasks, the same issue will be triggered in both the
16 and 32 bit count case.
This commit adds checks to bmp_read_info_header() rejecting BMP files
with "intentional" 0 bitmasks. These checks might be removed in the
future when proper handling of zero bitmasks will be available in
openjpeg2.
fixes #1057 (CVE-2018-5785)
---
src/bin/jp2/convertbmp.c | 21 +++++++++++++++++++++
1 file changed, 21 insertions(+)
diff --git a/src/bin/jp2/convertbmp.c b/src/bin/jp2/convertbmp.c
index 084f70bb7..7fde99ab3 100644
--- a/src/bin/jp2/convertbmp.c
+++ b/src/bin/jp2/convertbmp.c
@@ -435,16 +435,31 @@ static OPJ_BOOL bmp_read_info_header(FILE* IN, OPJ_BITMAPINFOHEADER* header)
header->biRedMask |= (OPJ_UINT32)getc(IN) << 16;
header->biRedMask |= (OPJ_UINT32)getc(IN) << 24;
+ if (!header->biRedMask) {
+ fprintf(stderr, "Error, invalid red mask value %d\n", header->biRedMask);
+ return OPJ_FALSE;
+ }
+
header->biGreenMask = (OPJ_UINT32)getc(IN);
header->biGreenMask |= (OPJ_UINT32)getc(IN) << 8;
header->biGreenMask |= (OPJ_UINT32)getc(IN) << 16;
header->biGreenMask |= (OPJ_UINT32)getc(IN) << 24;
+ if (!header->biGreenMask) {
+ fprintf(stderr, "Error, invalid green mask value %d\n", header->biGreenMask);
+ return OPJ_FALSE;
+ }
+
header->biBlueMask = (OPJ_UINT32)getc(IN);
header->biBlueMask |= (OPJ_UINT32)getc(IN) << 8;
header->biBlueMask |= (OPJ_UINT32)getc(IN) << 16;
header->biBlueMask |= (OPJ_UINT32)getc(IN) << 24;
+ if (!header->biBlueMask) {
+ fprintf(stderr, "Error, invalid blue mask value %d\n", header->biBlueMask);
+ return OPJ_FALSE;
+ }
+
header->biAlphaMask = (OPJ_UINT32)getc(IN);
header->biAlphaMask |= (OPJ_UINT32)getc(IN) << 8;
header->biAlphaMask |= (OPJ_UINT32)getc(IN) << 16;
@@ -831,6 +846,12 @@ opj_image_t* bmptoimage(const char *filename, opj_cparameters_t *parameters)
bmpmask32toimage(pData, stride, image, 0x00FF0000U, 0x0000FF00U, 0x000000FFU,
0x00000000U);
} else if (Info_h.biBitCount == 32 && Info_h.biCompression == 3) { /* bitmask */
+ if ((Info_h.biRedMask == 0U) && (Info_h.biGreenMask == 0U) &&
+ (Info_h.biBlueMask == 0U)) {
+ Info_h.biRedMask = 0x00FF0000U;
+ Info_h.biGreenMask = 0x0000FF00U;
+ Info_h.biBlueMask = 0x000000FFU;
+ }
bmpmask32toimage(pData, stride, image, Info_h.biRedMask, Info_h.biGreenMask,
Info_h.biBlueMask, Info_h.biAlphaMask);
} else if (Info_h.biBitCount == 16 && Info_h.biCompression == 0) { /* RGBX */
main/openjpeg/CVE-2018-6616.patch deleted 100644 → 0
+ 0
69
View file @ 5a5ab516
From 8ee335227bbcaf1614124046aa25e53d67b11ec3 Mon Sep 17 00:00:00 2001
From: Hugo Lefeuvre <hle@debian.org>
Date: Fri, 14 Dec 2018 04:58:40 +0100
Subject: [PATCH] convertbmp: detect invalid file dimensions early
width/length dimensions read from bmp headers are not necessarily
valid. For instance they may have been maliciously set to very large
values with the intention to cause DoS (large memory allocation, stack
overflow). In these cases we want to detect the invalid size as early
as possible.
This commit introduces a counter which verifies that the number of
written bytes corresponds to the advertized width/length.
Fixes #1059 (CVE-2018-6616).
---
src/bin/jp2/convertbmp.c | 12 ++++++++++--
1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/src/bin/jp2/convertbmp.c b/src/bin/jp2/convertbmp.c
index 85a47feaf..0af52f816 100644
--- a/src/bin/jp2/convertbmp.c
+++ b/src/bin/jp2/convertbmp.c
@@ -534,14 +534,14 @@ static OPJ_BOOL bmp_read_raw_data(FILE* IN, OPJ_UINT8* pData, OPJ_UINT32 stride,
static OPJ_BOOL bmp_read_rle8_data(FILE* IN, OPJ_UINT8* pData,
OPJ_UINT32 stride, OPJ_UINT32 width, OPJ_UINT32 height)
{
- OPJ_UINT32 x, y;
+ OPJ_UINT32 x, y, written;
OPJ_UINT8 *pix;
const OPJ_UINT8 *beyond;
beyond = pData + stride * height;
pix = pData;
- x = y = 0U;
+ x = y = written = 0U;
while (y < height) {
int c = getc(IN);
if (c == EOF) {
@@ -561,6 +561,7 @@ static OPJ_BOOL bmp_read_rle8_data(FILE* IN, OPJ_UINT8* pData,
for (j = 0; (j < c) && (x < width) &&
((OPJ_SIZE_T)pix < (OPJ_SIZE_T)beyond); j++, x++, pix++) {
*pix = c1;
+ written++;
}
} else {
c = getc(IN);
@@ -598,6 +599,7 @@ static OPJ_BOOL bmp_read_rle8_data(FILE* IN, OPJ_UINT8* pData,
}
c1 = (OPJ_UINT8)c1_int;
*pix = c1;
+ written++;
}
if ((OPJ_UINT32)c & 1U) { /* skip padding byte */
c = getc(IN);
@@ -608,6 +610,12 @@ static OPJ_BOOL bmp_read_rle8_data(FILE* IN, OPJ_UINT8* pData,
}
}
}/* while() */
+
+ if (written != width * height) {
+ fprintf(stderr, "warning, image's actual size does not match advertized one\n");
+ return OPJ_FALSE;
+ }
+
return OPJ_TRUE;
}
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment