author | Francesco Colista <fcolista@alpinelinux.org> | 2019-12-26 16:17:48 +0000 |
---|---|---|
committer | Francesco Colista <fcolista@alpinelinux.org> | 2019-12-26 16:17:48 +0000 |
commit | 02b786c1a49d83b3716c25c5c9d16e75760a7c2f (patch) | |
tree | 821cd777d53864e73b600134ee86f096abef2daf /main | |
parent | d2ad91c7e3ded723ce9e34e95e66ad524f11833d (diff) | |
download | aports-02b786c1a49d83b3716c25c5c9d16e75760a7c2f.tar.bz2 aports-02b786c1a49d83b3716c25c5c9d16e75760a7c2f.tar.xz |
main/openjpeg: security fix for CVE-2018-21010. Ref. #11087
Diffstat (limited to 'main')
-rw-r--r-- | main/openjpeg/APKBUILD | 8 | ||||
-rw-r--r-- | main/openjpeg/CVE-2018-21010.patch | 179 |
2 files changed, 185 insertions, 2 deletions
diff --git a/main/openjpeg/APKBUILD b/main/openjpeg/APKBUILD
index 4847320d68..f34aee835c 100644
--- a/main/openjpeg/APKBUILD
+++ b/main/openjpeg/APKBUILD
@@ -2,7 +2,7 @@
 # Maintainer: Francesco Colista <fcolista@alpinelinux.org>
 pkgname=openjpeg
 pkgver=2.3.0
-pkgrel=3
+pkgrel=4
 pkgdesc="Open-source implementation of JPEG2000 image codec"
 url="http://www.openjpeg.org/"
 arch="all"
@@ -16,6 +16,7 @@ source="$pkgname-$pkgver.tar.gz::https://github.com/uclouvain/openjpeg/archive/v
 CVE-2018-14423.patch
 CVE-2018-6616.patch
 CVE-2018-5785.patch
+ CVE-2018-21010.patch
 "
 builddir="${srcdir}/$pkgname-$pkgver"
@@ -30,6 +31,8 @@ build() {
 }
 # secfixes:
+# 2.3.0-r4:
+# - CVE-2018-21010
 # 2.3.0-r3:
 # - CVE-2018-5785
 # 2.3.0-r2:
@@ -68,4 +71,5 @@ sha512sums="0a9d427be4a820b1d759fca4b50e293721b45fe4885aa61ca1ae09e099f75ed93520
 24b646f2b24cfbe9babe8b5c622069178998f35d0b82f5034ff12f8df5f3ffd35f4f8bcc195dfec1072d8f8847d200c3d28f689ec16f29ab9ce895dbabd044bb CVE-2018-18088.patch
 4292a05e63ec1ba1ec30e02cd981e9aab617e42831a799bc777b03174bcbc4c49d8b45534668a5237f06c0361865b0ff9bd71f40e2fcab370af6cf9c256c8537 CVE-2018-14423.patch
 9c5eccb7b00e8ed6e473db61aaaf9d37462b9a5c5efabb2af3e0d701922c54827aee55253404c149605fa9103adf6f4375a684c89f17a7fe7bdf85988b5db222 CVE-2018-6616.patch
-ec48472de6c6d34abff949bbae1ae1e92e0b59939c13345a3a69c8219fdf91ea2c07dda59fe212a88212b3116cae1fb8c47aa5d12b84af669a28aa52864f55de CVE-2018-5785.patch"
+ec48472de6c6d34abff949bbae1ae1e92e0b59939c13345a3a69c8219fdf91ea2c07dda59fe212a88212b3116cae1fb8c47aa5d12b84af669a28aa52864f55de CVE-2018-5785.patch
+544828e20f50dc7e4a3367de646dc69f70fff48d66a6bbc1b27c317778e7739e276891e84a76435144e697605796c77a47b0a3424e0fa3eeb2e647480c1c034a CVE-2018-21010.patch"
diff --git a/main/openjpeg/CVE-2018-21010.patch b/main/openjpeg/CVE-2018-21010.patch
new file mode 100644
index 0000000000..d0ae536f41
--- /dev/null
+++ b/main/openjpeg/CVE-2018-21010.patch
@@ -0,0 +1,179 @@
+From 2e5ab1d9987831c981ff05862e8ccf1381ed58ea Mon Sep 17 00:00:00 2001
+From: Even Rouault <even.rouault@spatialys.com>
+Date: Tue, 27 Nov 2018 23:31:30 +0100
+Subject: [PATCH] color_apply_icc_profile: avoid potential heap buffer overflow
+
+Derived from a patch by Thuan Pham
+---
+ src/bin/common/color.c | 154 ++++++++++++++++++++++-------------------
+ 1 file changed, 82 insertions(+), 72 deletions(-)
+
+diff --git a/src/bin/common/color.c b/src/bin/common/color.c
+index a97d49f12..d3a2f38d7 100644
+--- a/src/bin/common/color.c
++++ b/src/bin/common/color.c
+@@ -597,82 +597,92 @@ void color_apply_icc_profile(opj_image_t *image)
+ }
+ 
+ if (image->numcomps > 2) { /* RGB, RGBA */
+- if (prec <= 8) {
+- unsigned char *inbuf, *outbuf, *in, *out;
+-
+- max = max_w * max_h;
+- nr_samples = (size_t)(max * 3U * sizeof(unsigned char));
+- in = inbuf = (unsigned char*)opj_image_data_alloc(nr_samples);
+- out = outbuf = (unsigned char*)opj_image_data_alloc(nr_samples);
+-
+- if (inbuf == NULL || outbuf == NULL) {
+- goto fails0;
+- }
+-
+- r = image->comps[0].data;
+- g = image->comps[1].data;
+- b = image->comps[2].data;
+-
+- for (i = 0U; i < max; ++i) {
+- *in++ = (unsigned char) * r++;
+- *in++ = (unsigned char) * g++;
+- *in++ = (unsigned char) * b++;
+- }
+-
+- cmsDoTransform(transform, inbuf, outbuf, (cmsUInt32Number)max);
+-
+- r = image->comps[0].data;
+- g = image->comps[1].data;
+- b = image->comps[2].data;
+-
+- for (i = 0U; i < max; ++i) {
+- *r++ = (int) * out++;
+- *g++ = (int) * out++;
+- *b++ = (int) * out++;
+- }
+- ok = 1;
++ if ((image->comps[0].w == image->comps[1].w &&
++ image->comps[0].w == image->comps[2].w) &&
++ (image->comps[0].h == image->comps[1].h &&
++ image->comps[0].h == image->comps[2].h)) {
++ if (prec <= 8) {
++ unsigned char *inbuf, *outbuf, *in, *out;
++
++ max = max_w * max_h;
++ nr_samples = (size_t)(max * 3U * sizeof(unsigned char));
++ in = inbuf = (unsigned char*)opj_image_data_alloc(nr_samples);
++ out = outbuf = (unsigned char*)opj_image_data_alloc(nr_samples);
++
++ if (inbuf == NULL || outbuf == NULL) {
++ goto fails0;
++ }
++
++ r = image->comps[0].data;
++ g = image->comps[1].data;
++ b = image->comps[2].data;
++
++ for (i = 0U; i < max; ++i) {
++ *in++ = (unsigned char) * r++;
++ *in++ = (unsigned char) * g++;
++ *in++ = (unsigned char) * b++;
++ }
++
++ cmsDoTransform(transform, inbuf, outbuf, (cmsUInt32Number)max);
++
++ r = image->comps[0].data;
++ g = image->comps[1].data;
++ b = image->comps[2].data;
++
++ for (i = 0U; i < max; ++i) {
++ *r++ = (int) * out++;
++ *g++ = (int) * out++;
++ *b++ = (int) * out++;
++ }
++ ok = 1;
+
+ fails0:
+- opj_image_data_free(inbuf);
+- opj_image_data_free(outbuf);
+- } else { /* prec > 8 */
+- unsigned short *inbuf, *outbuf, *in, *out;
+-
+- max = max_w * max_h;
+- nr_samples = (size_t)(max * 3U * sizeof(unsigned short));
+- in = inbuf = (unsigned short*)opj_image_data_alloc(nr_samples);
+- out = outbuf = (unsigned short*)opj_image_data_alloc(nr_samples);
+-
+- if (inbuf == NULL || outbuf == NULL) {
+- goto fails1;
+- }
+-
+- r = image->comps[0].data;
+- g = image->comps[1].data;
+- b = image->comps[2].data;
+-
+- for (i = 0U ; i < max; ++i) {
+- *in++ = (unsigned short) * r++;
+- *in++ = (unsigned short) * g++;
+- *in++ = (unsigned short) * b++;
+- }
+-
+- cmsDoTransform(transform, inbuf, outbuf, (cmsUInt32Number)max);
+-
+- r = image->comps[0].data;
+- g = image->comps[1].data;
+- b = image->comps[2].data;
+-
+- for (i = 0; i < max; ++i) {
+- *r++ = (int) * out++;
+- *g++ = (int) * out++;
+- *b++ = (int) * out++;
+- }
+- ok = 1;
++ opj_image_data_free(inbuf);
++ opj_image_data_free(outbuf);
++ } else { /* prec > 8 */
++ unsigned short *inbuf, *outbuf, *in, *out;
++
++ max = max_w * max_h;
++ nr_samples = (size_t)(max * 3U * sizeof(unsigned short));
++ in = inbuf = (unsigned short*)opj_image_data_alloc(nr_samples);
++ out = outbuf = (unsigned short*)opj_image_data_alloc(nr_samples);
++
++ if (inbuf == NULL || outbuf == NULL) {
++ goto fails1;
++ }
++
++ r = image->comps[0].data;
++ g = image->comps[1].data;
++ b = image->comps[2].data;
++
++ for (i = 0U ; i < max; ++i) {
++ *in++ = (unsigned short) * r++;
++ *in++ = (unsigned short) * g++;
++ *in++ = (unsigned short) * b++;
++ }
++
++ cmsDoTransform(transform, inbuf, outbuf, (cmsUInt32Number)max);
++
++ r = image->comps[0].data;
++ g = image->comps[1].data;
++ b = image->comps[2].data;
++
++ for (i = 0; i < max; ++i) {
++ *r++ = (int) * out++;
++ *g++ = (int) * out++;
++ *b++ = (int) * out++;
++ }
++ ok = 1;
+
+ fails1:
+- opj_image_data_free(inbuf);
+- opj_image_data_free(outbuf);
++ opj_image_data_free(inbuf);
++ opj_image_data_free(outbuf);
++ }
++ } else {
++ fprintf(stderr,
++ "[ERROR] Image components should have the same width and height\n");
++ cmsDeleteTransform(transform);
++ return;
+ }
+ } else { /* image->numcomps <= 2 : GRAY, GRAYA */
+ if (prec <= 8) {
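Review bot: The new width/height equality check on comps[0..2] fixes the mismatch case, but the buffer sizing right below it, `nr_samples = (size_t)(max * 3U * sizeof(unsigned char));`, still multiplies before widening, so if `max` is narrower than `size_t` (its declaration is outside this hunk) a very large `max_w * max_h` can wrap and both `opj_image_data_alloc` calls return a buffer the packing loops then overrun. A guard before each allocation, `if (max > SIZE_MAX / (3U * sizeof(unsigned char))) goto fails0;` (and the `unsigned short` twin before the `fails1` block), would close that without changing the interface. The new `else` branch calls `cmsDeleteTransform(transform)` and returns immediately, bypassing whatever the `ok` flag drives after this block in color_apply_icc_profile, which starts and ends outside the hunk; worth confirming nothing allocated earlier in the function is left unfreed on that path. The file is upstream commit 2e5ab1d9 applied as-is, so these are points against the patched code rather than the backport itself.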