main/openjpeg: security fixes

- CVE-2017-14040 - CVE-2017-14041 - CVE-2017-14151 - CVE-2017-14152 - CVE-2017-14164 Fixes partially #7825. Not yet fixed CVE-2017-14039 since patch is not available for 2.2.0
author: Francesco Colista <fcolista@alpinelinux.org> 2017-09-21 08:18:29 +0000
committer: Francesco Colista <fcolista@alpinelinux.org> 2017-09-21 08:18:29 +0000
commit: 9513e587b007defbb6ef3590945ff49cbd73a270 (patch)
tree: f59e4e8fc09d834b5cf11006eab3fc6d7c8df40f /main/openjpeg
parent: 31f54779460bab8576eb569250b8543dca14ba6f (diff)
download: aports-9513e587b007defbb6ef3590945ff49cbd73a270.tar.bz2
aports-9513e587b007defbb6ef3590945ff49cbd73a270.tar.xz
6 files changed, 286 insertions, 3 deletions
diff --git a/main/openjpeg/APKBUILD b/main/openjpeg/APKBUILD
index bc3a38e750..970f81666b 100644
--- a/main/openjpeg/APKBUILD
+++ b/main/openjpeg/APKBUILD
@@ -2,7 +2,7 @@
 # Maintainer: Francesco Colista <fcolista@alpinelinux.org>
 pkgname=openjpeg
 pkgver=2.2.0
-pkgrel=1
+pkgrel=2
 pkgdesc="Open-source implementation of JPEG2000 image codec"
 url="http://www.openjpeg.org/"
 arch="all"
@@ -13,7 +13,13 @@ makedepends="$depends_dev libpng-dev tiff-dev lcms-dev doxygen cmake"
 install=""
 subpackages="$pkgname-dev $pkgname-tools"
 source="$pkgname-$pkgver.tar.gz::https://github.com/uclouvain/openjpeg/archive/v$pkgver.tar.gz
-	CVE-2017-12982.patch"
+	CVE-2017-12982.patch
+	CVE-2017-14040.patch
+	CVE-2017-14041.patch
+	CVE-2017-14151.patch
+	CVE-2017-14152.patch
+	CVE-2017-14164.patch"
+
 builddir="${srcdir}/$pkgname-$pkgver"
 
 build() {
@@ -28,6 +34,12 @@ build() {
 }
 
 # secfixes:
+#   2.2.0-r2:
+#     - CVE-2017-14040
+#     - CVE-2017-14041
+#     - CVE-2017-14151
+#     - CVE-2017-14152
+#     - CVE-2017-14164
 #   2.2.0-r1:
 #     - CVE-2017-12982
 #   2.1.2-r1:
@@ -46,4 +58,9 @@ tools() {
 }
 
 sha512sums="20651c380bee582ab1950994c424cc00061ad852e9c5438fb32a9809e3f275571a4cc7e92589add0d91debf2394262e58f441c2dd918809fc1c602ed68396a3a  openjpeg-2.2.0.tar.gz
-0e0ce7bdf53c4b6f1b2e9e5f855186763a1bea39b70bdc1fd5b60a5516036a04562cb43030e9946972009e3733d0efadb8ba4825939e32ba6b9419d6428ee9ad  CVE-2017-12982.patch"
+0e0ce7bdf53c4b6f1b2e9e5f855186763a1bea39b70bdc1fd5b60a5516036a04562cb43030e9946972009e3733d0efadb8ba4825939e32ba6b9419d6428ee9ad  CVE-2017-12982.patch
+532c268346ad6993d7085652fbebe65ec0412a8d12771b86c325ef9f1cb6e0f7252ac95dfb976fa00ecfffd7b140ddc74b2964b04764e0803fb7e8c344a2b58a  CVE-2017-14040.patch
+d22735e20c7b08bb292bfda03a659481466a152294c388854aed3623ff769aed6c6491a8e6286b4dfdc8212a465b1596232e51fe8e8ba3a608ebf27b32d33d56  CVE-2017-14041.patch
+66019c7a30a6b6303992d518b8184e57b58824f8b63bc8857436aa404257bf1f1d64ab6100a5f0ed18fa1b41c09501e77230207ca028bc16db35fc2d834a6506  CVE-2017-14151.patch
+c244e0e4db1473583ffac6b31808b70bd3554e6eba7b357891aca7f8ad0ab687d433aac3d3f210349507cc54981b0171eb9a72e4a890925beaa2c9d9ee877dfd  CVE-2017-14152.patch
+640cd731f5ee3a5fecbc8ca7c78d626c383155dbefe3a240319bcea81b5bc9996e028055ff64df192b5ed02e3a9e18b681b2ab4f106c3d555b68c93115dc6d01  CVE-2017-14164.patch"
diff --git a/main/openjpeg/CVE-2017-14040.patch b/main/openjpeg/CVE-2017-14040.patch
new file mode 100644
index 0000000000..dd9183dad1
--- /dev/null
+++ b/main/openjpeg/CVE-2017-14040.patch
@@ -0,0 +1,80 @@
+From 2cd30c2b06ce332dede81cccad8b334cde997281 Mon Sep 17 00:00:00 2001
+From: Even Rouault <even.rouault@spatialys.com>
+Date: Thu, 17 Aug 2017 11:47:40 +0200
+Subject: [PATCH] tgatoimage(): avoid excessive memory allocation attempt, and
+ fixes unaligned load (#995)
+
+---
+ src/bin/jp2/convert.c | 39 +++++++++++++++++++++++++++------------
+ 1 file changed, 27 insertions(+), 12 deletions(-)
+
+diff --git a/src/bin/jp2/convert.c b/src/bin/jp2/convert.c
+index a4eb81f6a..73dfc8d5f 100644
+--- a/src/bin/jp2/convert.c
++++ b/src/bin/jp2/convert.c
+@@ -580,13 +580,10 @@ struct tga_header {
+ };
+ #endif /* INFORMATION_ONLY */
+ 
+-static unsigned short get_ushort(const unsigned char *data)
++/* Returns a ushort from a little-endian serialized value */
++static unsigned short get_tga_ushort(const unsigned char *data)
+ {
+-    unsigned short val = *(const unsigned short *)data;
+-#ifdef OPJ_BIG_ENDIAN
+-    val = ((val & 0xffU) << 8) | (val >> 8);
+-#endif
+-    return val;
++    return data[0] | (data[1] << 8);
+ }
+ 
+ #define TGA_HEADER_SIZE 18
+@@ -613,17 +610,17 @@ static int tga_readheader(FILE *fp, unsigned int *bits_per_pixel,
+     id_len = tga[0];
+     /*cmap_type = tga[1];*/
+     image_type = tga[2];
+-    /*cmap_index = get_ushort(&tga[3]);*/
+-    cmap_len = get_ushort(&tga[5]);
++    /*cmap_index = get_tga_ushort(&tga[3]);*/
++    cmap_len = get_tga_ushort(&tga[5]);
+     cmap_entry_size = tga[7];
+ 
+ 
+ #if 0
+-    x_origin = get_ushort(&tga[8]);
+-    y_origin = get_ushort(&tga[10]);
++    x_origin = get_tga_ushort(&tga[8]);
++    y_origin = get_tga_ushort(&tga[10]);
+ #endif
+-    image_w = get_ushort(&tga[12]);
+-    image_h = get_ushort(&tga[14]);
++    image_w = get_tga_ushort(&tga[12]);
++    image_h = get_tga_ushort(&tga[14]);
+     pixel_depth = tga[16];
+     image_desc  = tga[17];
+ 
+@@ -817,6 +814,24 @@ opj_image_t* tgatoimage(const char *filename, opj_cparameters_t *parameters)
+         color_space = OPJ_CLRSPC_SRGB;
+     }
+ 
++    /* If the declared file size is > 10 MB, check that the file is big */
++    /* enough to avoid excessive memory allocations */
++    if (image_height != 0 && image_width > 10000000 / image_height / numcomps) {
++        char ch;
++        OPJ_UINT64 expected_file_size =
++            (OPJ_UINT64)image_width * image_height * numcomps;
++        long curpos = ftell(f);
++        if (expected_file_size > (OPJ_UINT64)INT_MAX) {
++            expected_file_size = (OPJ_UINT64)INT_MAX;
++        }
++        fseek(f, (long)expected_file_size - 1, SEEK_SET);
++        if (fread(&ch, 1, 1, f) != 1) {
++            fclose(f);
++            return NULL;
++        }
++        fseek(f, curpos, SEEK_SET);
++    }
++
+     subsampling_dx = parameters->subsampling_dx;
+     subsampling_dy = parameters->subsampling_dy;
+ 
diff --git a/main/openjpeg/CVE-2017-14041.patch b/main/openjpeg/CVE-2017-14041.patch
new file mode 100644
index 0000000000..ebfe1ad27f
--- /dev/null
+++ b/main/openjpeg/CVE-2017-14041.patch
@@ -0,0 +1,22 @@
+From e5285319229a5d77bf316bb0d3a6cbd3cb8666d9 Mon Sep 17 00:00:00 2001
+From: Even Rouault <even.rouault@spatialys.com>
+Date: Fri, 18 Aug 2017 13:39:20 +0200
+Subject: [PATCH] pgxtoimage(): fix write stack buffer overflow (#997)
+
+---
+ src/bin/jp2/convert.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/bin/jp2/convert.c b/src/bin/jp2/convert.c
+index 5459f7d44..e606c9be7 100644
+--- a/src/bin/jp2/convert.c
++++ b/src/bin/jp2/convert.c
+@@ -1185,7 +1185,7 @@ opj_image_t* pgxtoimage(const char *filename, opj_cparameters_t *parameters)
+     }
+ 
+     fseek(f, 0, SEEK_SET);
+-    if (fscanf(f, "PG%[ \t]%c%c%[ \t+-]%d%[ \t]%d%[ \t]%d", temp, &endian1,
++    if (fscanf(f, "PG%31[ \t]%c%c%31[ \t+-]%d%31[ \t]%d%31[ \t]%d", temp, &endian1,
+                &endian2, signtmp, &prec, temp, &w, temp, &h) != 9) {
+         fclose(f);
+         fprintf(stderr,
diff --git a/main/openjpeg/CVE-2017-14151.patch b/main/openjpeg/CVE-2017-14151.patch
new file mode 100644
index 0000000000..c8a1fd65f1
--- /dev/null
+++ b/main/openjpeg/CVE-2017-14151.patch
@@ -0,0 +1,43 @@
+From afb308b9ccbe129608c9205cf3bb39bbefad90b9 Mon Sep 17 00:00:00 2001
+From: Even Rouault <even.rouault@spatialys.com>
+Date: Mon, 14 Aug 2017 17:20:37 +0200
+Subject: [PATCH] Encoder: grow buffer size in
+ opj_tcd_code_block_enc_allocate_data() to avoid write heap buffer overflow in
+ opj_mqc_flush (#982)
+
+---
+ src/lib/openjp2/tcd.c                   | 7 +++++--
+ tests/nonregression/test_suite.ctest.in | 2 ++
+ 2 files changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/src/lib/openjp2/tcd.c b/src/lib/openjp2/tcd.c
+index 301c7213e..53cdcf64d 100644
+--- a/src/lib/openjp2/tcd.c
++++ b/src/lib/openjp2/tcd.c
+@@ -1187,8 +1187,11 @@ static OPJ_BOOL opj_tcd_code_block_enc_allocate_data(opj_tcd_cblk_enc_t *
+ {
+     OPJ_UINT32 l_data_size;
+ 
+-    /* The +1 is needed for https://github.com/uclouvain/openjpeg/issues/835 */
+-    l_data_size = 1 + (OPJ_UINT32)((p_code_block->x1 - p_code_block->x0) *
++    /* +1 is needed for https://github.com/uclouvain/openjpeg/issues/835 */
++    /* and actually +2 required for https://github.com/uclouvain/openjpeg/issues/982 */
++    /* TODO: is there a theoretical upper-bound for the compressed code */
++    /* block size ? */
++    l_data_size = 2 + (OPJ_UINT32)((p_code_block->x1 - p_code_block->x0) *
+                                    (p_code_block->y1 - p_code_block->y0) * (OPJ_INT32)sizeof(OPJ_UINT32));
+ 
+     if (l_data_size > p_code_block->data_size) {
+diff --git a/tests/nonregression/test_suite.ctest.in b/tests/nonregression/test_suite.ctest.in
+index aaf40d7d0..ffd964c2a 100644
+--- a/tests/nonregression/test_suite.ctest.in
++++ b/tests/nonregression/test_suite.ctest.in
+@@ -169,6 +169,8 @@ opj_compress -i @INPUT_NR_PATH@/Bretagne2.ppm -o @TEMP_PATH@/Bretagne2_empty_ban
+ # Same rate as Bretagne2_4.j2k
+ opj_compress -i @INPUT_NR_PATH@/Bretagne2.ppm -o @TEMP_PATH@/Bretagne2_empty_band_r800.j2k -t 2591,1943 -n 2 -r 800
+ 
++opj_compress -i @INPUT_NR_PATH@/issue982.bmp -o @TEMP_PATH@/issue982.j2k -n 1
++
+ # DECODER TEST SUITE
+ opj_decompress -i  @INPUT_NR_PATH@/Bretagne2.j2k -o @TEMP_PATH@/Bretagne2.j2k.pgx
+ opj_decompress -i  @INPUT_NR_PATH@/_00042.j2k -o @TEMP_PATH@/_00042.j2k.pgx
diff --git a/main/openjpeg/CVE-2017-14152.patch b/main/openjpeg/CVE-2017-14152.patch
new file mode 100644
index 0000000000..d165090a1a
--- /dev/null
+++ b/main/openjpeg/CVE-2017-14152.patch
@@ -0,0 +1,35 @@
+From 4241ae6fbbf1de9658764a80944dc8108f2b4154 Mon Sep 17 00:00:00 2001
+From: Even Rouault <even.rouault@spatialys.com>
+Date: Tue, 15 Aug 2017 11:55:58 +0200
+Subject: [PATCH] Fix assertion in debug mode / heap-based buffer overflow in
+ opj_write_bytes_LE for Cinema profiles with numresolutions = 1 (#985)
+
+---
+ src/lib/openjp2/j2k.c | 14 ++++++++++----
+ 1 file changed, 10 insertions(+), 4 deletions(-)
+
+diff --git a/src/lib/openjp2/j2k.c b/src/lib/openjp2/j2k.c
+index a2521ebbc..54b490a8c 100644
+--- a/src/lib/openjp2/j2k.c
++++ b/src/lib/openjp2/j2k.c
+@@ -6573,10 +6573,16 @@ static void opj_j2k_set_cinema_parameters(opj_cparameters_t *parameters,
+ 
+     /* Precincts */
+     parameters->csty |= 0x01;
+-    parameters->res_spec = parameters->numresolution - 1;
+-    for (i = 0; i < parameters->res_spec; i++) {
+-        parameters->prcw_init[i] = 256;
+-        parameters->prch_init[i] = 256;
++    if (parameters->numresolution == 1) {
++        parameters->res_spec = 1;
++        parameters->prcw_init[0] = 128;
++        parameters->prch_init[0] = 128;
++    } else {
++        parameters->res_spec = parameters->numresolution - 1;
++        for (i = 0; i < parameters->res_spec; i++) {
++            parameters->prcw_init[i] = 256;
++            parameters->prch_init[i] = 256;
++        }
+     }
+ 
+     /* The progression order shall be CPRL */
diff --git a/main/openjpeg/CVE-2017-14164.patch b/main/openjpeg/CVE-2017-14164.patch
new file mode 100644
index 0000000000..a61b015180
--- /dev/null
+++ b/main/openjpeg/CVE-2017-14164.patch
@@ -0,0 +1,86 @@
+From dcac91b8c72f743bda7dbfa9032356bc8110098a Mon Sep 17 00:00:00 2001
+From: Even Rouault <even.rouault@spatialys.com>
+Date: Wed, 16 Aug 2017 17:09:10 +0200
+Subject: [PATCH] opj_j2k_write_sot(): fix potential write heap buffer overflow
+ (#991)
+
+---
+ src/lib/openjp2/j2k.c | 25 ++++++++++++++++++++-----
+ 1 file changed, 20 insertions(+), 5 deletions(-)
+
+diff --git a/src/lib/openjp2/j2k.c b/src/lib/openjp2/j2k.c
+index 54b490a8c..16915452e 100644
+--- a/src/lib/openjp2/j2k.c
++++ b/src/lib/openjp2/j2k.c
+@@ -832,13 +832,15 @@ static OPJ_BOOL opj_j2k_write_tlm(opj_j2k_t *p_j2k,
+  * Writes the SOT marker (Start of tile-part)
+  *
+  * @param       p_j2k            J2K codec.
+- * @param       p_data           FIXME DOC
+- * @param       p_data_written   FIXME DOC
++ * @param       p_data           Output buffer
++ * @param       p_total_data_size Output buffer size
++ * @param       p_data_written   Number of bytes written into stream
+  * @param       p_stream         the stream to write data to.
+  * @param       p_manager        the user event manager.
+ */
+ static OPJ_BOOL opj_j2k_write_sot(opj_j2k_t *p_j2k,
+                                   OPJ_BYTE * p_data,
++                                  OPJ_UINT32 p_total_data_size,
+                                   OPJ_UINT32 * p_data_written,
+                                   const opj_stream_private_t *p_stream,
+                                   opj_event_mgr_t * p_manager);
+@@ -4201,6 +4203,7 @@ static OPJ_BOOL opj_j2k_write_tlm(opj_j2k_t *p_j2k,
+ 
+ static OPJ_BOOL opj_j2k_write_sot(opj_j2k_t *p_j2k,
+                                   OPJ_BYTE * p_data,
++                                  OPJ_UINT32 p_total_data_size,
+                                   OPJ_UINT32 * p_data_written,
+                                   const opj_stream_private_t *p_stream,
+                                   opj_event_mgr_t * p_manager
+@@ -4214,6 +4217,12 @@ static OPJ_BOOL opj_j2k_write_sot(opj_j2k_t *p_j2k,
+     OPJ_UNUSED(p_stream);
+     OPJ_UNUSED(p_manager);
+ 
++    if (p_total_data_size < 12) {
++        opj_event_msg(p_manager, EVT_ERROR,
++                      "Not enough bytes in output buffer to write SOT marker\n");
++        return OPJ_FALSE;
++    }
++
+     opj_write_bytes(p_data, J2K_MS_SOT,
+                     2);                                 /* SOT */
+     p_data += 2;
+@@ -11480,7 +11489,8 @@ static OPJ_BOOL opj_j2k_write_first_tile_part(opj_j2k_t *p_j2k,
+ 
+     l_current_nb_bytes_written = 0;
+     l_begin_data = p_data;
+-    if (! opj_j2k_write_sot(p_j2k, p_data, &l_current_nb_bytes_written, p_stream,
++    if (! opj_j2k_write_sot(p_j2k, p_data, p_total_data_size,
++                            &l_current_nb_bytes_written, p_stream,
+                             p_manager)) {
+         return OPJ_FALSE;
+     }
+@@ -11572,7 +11582,10 @@ static OPJ_BOOL opj_j2k_write_all_tile_parts(opj_j2k_t *p_j2k,
+         l_part_tile_size = 0;
+         l_begin_data = p_data;
+ 
+-        if (! opj_j2k_write_sot(p_j2k, p_data, &l_current_nb_bytes_written, p_stream,
++        if (! opj_j2k_write_sot(p_j2k, p_data,
++                                p_total_data_size,
++                                &l_current_nb_bytes_written,
++                                p_stream,
+                                 p_manager)) {
+             return OPJ_FALSE;
+         }
+@@ -11615,7 +11628,9 @@ static OPJ_BOOL opj_j2k_write_all_tile_parts(opj_j2k_t *p_j2k,
+             l_part_tile_size = 0;
+             l_begin_data = p_data;
+ 
+-            if (! opj_j2k_write_sot(p_j2k, p_data, &l_current_nb_bytes_written, p_stream,
++            if (! opj_j2k_write_sot(p_j2k, p_data,
++                                    p_total_data_size,
++                                    &l_current_nb_bytes_written, p_stream,
+                                     p_manager)) {
+                 return OPJ_FALSE;
+             }
author	Francesco Colista <fcolista@alpinelinux.org>	2017-09-21 08:18:29 +0000
committer	Francesco Colista <fcolista@alpinelinux.org>	2017-09-21 08:18:29 +0000
commit	9513e587b007defbb6ef3590945ff49cbd73a270 (patch)
tree	f59e4e8fc09d834b5cf11006eab3fc6d7c8df40f /main/openjpeg
parent	31f54779460bab8576eb569250b8543dca14ba6f (diff)
download	aports-9513e587b007defbb6ef3590945ff49cbd73a270.tar.bz2 aports-9513e587b007defbb6ef3590945ff49cbd73a270.tar.xz