diff options
Diffstat (limited to 'main/openjpeg/CVE-2018-6616.patch')
| -rw-r--r-- | main/openjpeg/CVE-2018-6616.patch | 69 |
1 files changed, 0 insertions, 69 deletions
diff --git a/main/openjpeg/CVE-2018-6616.patch b/main/openjpeg/CVE-2018-6616.patch deleted file mode 100644 index 497aa3aaca..0000000000 --- a/main/openjpeg/CVE-2018-6616.patch +++ /dev/null @@ -1,69 +0,0 @@ -From 8ee335227bbcaf1614124046aa25e53d67b11ec3 Mon Sep 17 00:00:00 2001 -From: Hugo Lefeuvre <hle@debian.org> -Date: Fri, 14 Dec 2018 04:58:40 +0100 -Subject: [PATCH] convertbmp: detect invalid file dimensions early - -width/length dimensions read from bmp headers are not necessarily -valid. For instance they may have been maliciously set to very large -values with the intention to cause DoS (large memory allocation, stack -overflow). In these cases we want to detect the invalid size as early -as possible. - -This commit introduces a counter which verifies that the number of -written bytes corresponds to the advertized width/length. - -Fixes #1059 (CVE-2018-6616). ---- - src/bin/jp2/convertbmp.c | 12 ++++++++++-- - 1 file changed, 10 insertions(+), 2 deletions(-) - -diff --git a/src/bin/jp2/convertbmp.c b/src/bin/jp2/convertbmp.c -index 85a47feaf..0af52f816 100644 ---- a/src/bin/jp2/convertbmp.c -+++ b/src/bin/jp2/convertbmp.c -@@ -534,14 +534,14 @@ static OPJ_BOOL bmp_read_raw_data(FILE* IN, OPJ_UINT8* pData, OPJ_UINT32 stride, - static OPJ_BOOL bmp_read_rle8_data(FILE* IN, OPJ_UINT8* pData, - OPJ_UINT32 stride, OPJ_UINT32 width, OPJ_UINT32 height) - { -- OPJ_UINT32 x, y; -+ OPJ_UINT32 x, y, written; - OPJ_UINT8 *pix; - const OPJ_UINT8 *beyond; - - beyond = pData + stride * height; - pix = pData; - -- x = y = 0U; -+ x = y = written = 0U; - while (y < height) { - int c = getc(IN); - if (c == EOF) { -@@ -561,6 +561,7 @@ static OPJ_BOOL bmp_read_rle8_data(FILE* IN, OPJ_UINT8* pData, - for (j = 0; (j < c) && (x < width) && - ((OPJ_SIZE_T)pix < (OPJ_SIZE_T)beyond); j++, x++, pix++) { - *pix = c1; -+ written++; - } - } else { - c = getc(IN); -@@ -598,6 +599,7 @@ static OPJ_BOOL bmp_read_rle8_data(FILE* IN, OPJ_UINT8* pData, - } - c1 = (OPJ_UINT8)c1_int; - *pix = c1; -+ written++; - } - if ((OPJ_UINT32)c & 1U) { /* skip padding byte */ - c = getc(IN); -@@ -608,6 +610,12 @@ static OPJ_BOOL bmp_read_rle8_data(FILE* IN, OPJ_UINT8* pData, - } - } - }/* while() */ -+ -+ if (written != width * height) { -+ fprintf(stderr, "warning, image's actual size does not match advertized one\n"); -+ return OPJ_FALSE; -+ } -+ - return OPJ_TRUE; - } - |