main/openjpeg: security fixes

- CVE-2018-14423
- CVE-2018-6616

this commit fixes #9800

3 files changed, 137 insertions, 2 deletions

diff --git a/main/openjpeg/APKBUILD b/main/openjpeg/APKBUILD
index f3476faeb8..66ef7f5166 100644
--- a/main/openjpeg/APKBUILD
+++ b/main/openjpeg/APKBUILD
@@ -2,7 +2,7 @@
 # Maintainer: Francesco Colista <fcolista@alpinelinux.org>
 pkgname=openjpeg
 pkgver=2.3.0
-pkgrel=0
+pkgrel=1
 pkgdesc="Open-source implementation of JPEG2000 image codec"
 url="http://www.openjpeg.org/"
 arch="all"
@@ -12,6 +12,8 @@ subpackages="$pkgname-dev $pkgname-tools"
 source="$pkgname-$pkgver.tar.gz::https://github.com/uclouvain/openjpeg/archive/v$pkgver.tar.gz
 	CVE-2017-17480.patch
 	CVE-2018-18088.patch
+	CVE-2018-14423.patch
+	CVE-2018-6616.patch
 	"
 builddir="${srcdir}/$pkgname-$pkgver"
 
@@ -27,6 +29,8 @@ build() {
 
 # secfixes:
 #   2.3.0-r1:
+#     - CVE-2018-14423
+#     - CVE-2018-6616
 #     - CVE-2017-17480
 #     - CVE-2018-18088
 #   2.3.0-r0:
@@ -56,4 +60,6 @@ tools() {
 
 sha512sums="0a9d427be4a820b1d759fca4b50e293721b45fe4885aa61ca1ae09e099f75ed93520448090c780d62f51076d575cc03618cd6d5181bdb6b34e4fc07b4cfdd568  openjpeg-2.3.0.tar.gz
 15f4292ab6e19ecad1d47772ea28154bc7bbf9b9ba68467c5750e0c823efe3657e5973c08b81456f649fb789b6772ddaf5122f23a530ae0f6a9e5adb61c51c74  CVE-2017-17480.patch
-24b646f2b24cfbe9babe8b5c622069178998f35d0b82f5034ff12f8df5f3ffd35f4f8bcc195dfec1072d8f8847d200c3d28f689ec16f29ab9ce895dbabd044bb  CVE-2018-18088.patch"
+24b646f2b24cfbe9babe8b5c622069178998f35d0b82f5034ff12f8df5f3ffd35f4f8bcc195dfec1072d8f8847d200c3d28f689ec16f29ab9ce895dbabd044bb  CVE-2018-18088.patch
+4292a05e63ec1ba1ec30e02cd981e9aab617e42831a799bc777b03174bcbc4c49d8b45534668a5237f06c0361865b0ff9bd71f40e2fcab370af6cf9c256c8537  CVE-2018-14423.patch
+9c5eccb7b00e8ed6e473db61aaaf9d37462b9a5c5efabb2af3e0d701922c54827aee55253404c149605fa9103adf6f4375a684c89f17a7fe7bdf85988b5db222  CVE-2018-6616.patch"
diff --git a/main/openjpeg/CVE-2018-14423.patch b/main/openjpeg/CVE-2018-14423.patch
new file mode 100644
index 0000000000..81fcb59345
--- /dev/null
+++ b/main/openjpeg/CVE-2018-14423.patch
@@ -0,0 +1,60 @@
+From bd88611ed9ad7144ec4f3de54790cd848175891b Mon Sep 17 00:00:00 2001
+From: Young_X <YangX92@hotmail.com>
+Date: Fri, 23 Nov 2018 17:15:05 +0800
+Subject: [PATCH]  [JP3D] To avoid divisions by zero / undefined behaviour on
+ shift (CVE-2018-14423
+
+Signed-off-by: Young_X <YangX92@hotmail.com>
+---
+ src/lib/openjp3d/pi.c | 24 ++++++++++++++++++++++++
+ 1 file changed, 24 insertions(+)
+
+diff --git a/src/lib/openjp3d/pi.c b/src/lib/openjp3d/pi.c
+index a03be45e7..a58ebcc7c 100644
+--- a/src/lib/openjp3d/pi.c
++++ b/src/lib/openjp3d/pi.c
+@@ -223,6 +223,14 @@ static bool pi_next_rpcl(opj_pi_iterator_t * pi)
+                         rpx = res->pdx + levelnox;
+                         rpy = res->pdy + levelnoy;
+                         rpz = res->pdz + levelnoz;
++
++                        /* To avoid divisions by zero / undefined behaviour on shift */
++                        if (rpx >= 31 || ((comp->dx << rpx) >> rpx) != comp->dx ||
++                                rpy >= 31 || ((comp->dy << rpy) >> rpy) != comp->dy ||
++                                rpz >= 31 || ((comp->dz << rpz) >> rpz) != comp->dz) {
++                            continue;
++                        }
++
+                         if ((!(pi->x % (comp->dx << rpx) == 0) || (pi->x == pi->tx0 &&
+                                 (trx0 << levelnox) % (1 << rpx)))) {
+                             continue;
+@@ -329,6 +337,14 @@ static bool pi_next_pcrl(opj_pi_iterator_t * pi)
+                         rpx = res->pdx + levelnox;
+                         rpy = res->pdy + levelnoy;
+                         rpz = res->pdz + levelnoz;
++
++                        /* To avoid divisions by zero / undefined behaviour on shift */
++                        if (rpx >= 31 || ((comp->dx << rpx) >> rpx) != comp->dx ||
++                                rpy >= 31 || ((comp->dy << rpy) >> rpy) != comp->dy ||
++                                rpz >= 31 || ((comp->dz << rpz) >> rpz) != comp->dz) {
++                            continue;
++                        }
++
+                         if ((!(pi->x % (comp->dx << rpx) == 0) || (pi->x == pi->tx0 &&
+                                 (trx0 << levelnox) % (1 << rpx)))) {
+                             continue;
+@@ -432,6 +448,14 @@ static bool pi_next_cprl(opj_pi_iterator_t * pi)
+                         rpx = res->pdx + levelnox;
+                         rpy = res->pdy + levelnoy;
+                         rpz = res->pdz + levelnoz;
++
++                        /* To avoid divisions by zero / undefined behaviour on shift */
++                        if (rpx >= 31 || ((comp->dx << rpx) >> rpx) != comp->dx ||
++                                rpy >= 31 || ((comp->dy << rpy) >> rpy) != comp->dy ||
++                                rpz >= 31 || ((comp->dz << rpz) >> rpz) != comp->dz) {
++                            continue;
++                        }
++
+                         if ((!(pi->x % (comp->dx << rpx) == 0) || (pi->x == pi->tx0 &&
+                                 (trx0 << levelnox) % (1 << rpx)))) {
+                             continue;
diff --git a/main/openjpeg/CVE-2018-6616.patch b/main/openjpeg/CVE-2018-6616.patch
new file mode 100644
index 0000000000..497aa3aaca
--- /dev/null
+++ b/main/openjpeg/CVE-2018-6616.patch
@@ -0,0 +1,69 @@
+From 8ee335227bbcaf1614124046aa25e53d67b11ec3 Mon Sep 17 00:00:00 2001
+From: Hugo Lefeuvre <hle@debian.org>
+Date: Fri, 14 Dec 2018 04:58:40 +0100
+Subject: [PATCH] convertbmp: detect invalid file dimensions early
+
+width/length dimensions read from bmp headers are not necessarily
+valid. For instance they may have been maliciously set to very large
+values with the intention to cause DoS (large memory allocation, stack
+overflow). In these cases we want to detect the invalid size as early
+as possible.
+
+This commit introduces a counter which verifies that the number of
+written bytes corresponds to the advertized width/length.
+
+Fixes #1059 (CVE-2018-6616).
+---
+ src/bin/jp2/convertbmp.c | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+diff --git a/src/bin/jp2/convertbmp.c b/src/bin/jp2/convertbmp.c
+index 85a47feaf..0af52f816 100644
+--- a/src/bin/jp2/convertbmp.c
++++ b/src/bin/jp2/convertbmp.c
+@@ -534,14 +534,14 @@ static OPJ_BOOL bmp_read_raw_data(FILE* IN, OPJ_UINT8* pData, OPJ_UINT32 stride,
+ static OPJ_BOOL bmp_read_rle8_data(FILE* IN, OPJ_UINT8* pData,
+                                    OPJ_UINT32 stride, OPJ_UINT32 width, OPJ_UINT32 height)
+ {
+-    OPJ_UINT32 x, y;
++    OPJ_UINT32 x, y, written;
+     OPJ_UINT8 *pix;
+     const OPJ_UINT8 *beyond;
+ 
+     beyond = pData + stride * height;
+     pix = pData;
+ 
+-    x = y = 0U;
++    x = y = written = 0U;
+     while (y < height) {
+         int c = getc(IN);
+         if (c == EOF) {
+@@ -561,6 +561,7 @@ static OPJ_BOOL bmp_read_rle8_data(FILE* IN, OPJ_UINT8* pData,
+             for (j = 0; (j < c) && (x < width) &&
+                     ((OPJ_SIZE_T)pix < (OPJ_SIZE_T)beyond); j++, x++, pix++) {
+                 *pix = c1;
++                written++;
+             }
+         } else {
+             c = getc(IN);
+@@ -598,6 +599,7 @@ static OPJ_BOOL bmp_read_rle8_data(FILE* IN, OPJ_UINT8* pData,
+                     }
+                     c1 = (OPJ_UINT8)c1_int;
+                     *pix = c1;
++                    written++;
+                 }
+                 if ((OPJ_UINT32)c & 1U) { /* skip padding byte */
+                     c = getc(IN);
+@@ -608,6 +610,12 @@ static OPJ_BOOL bmp_read_rle8_data(FILE* IN, OPJ_UINT8* pData,
+             }
+         }
+     }/* while() */
++
++    if (written != width * height) {
++        fprintf(stderr, "warning, image's actual size does not match advertized one\n");
++        return OPJ_FALSE;
++    }
++
+     return OPJ_TRUE;
+ }
+