diff options
Diffstat (limited to 'main/openjpeg/CVE-2018-6616.patch')
| -rw-r--r-- | main/openjpeg/CVE-2018-6616.patch | 69 |
1 files changed, 69 insertions, 0 deletions
diff --git a/main/openjpeg/CVE-2018-6616.patch b/main/openjpeg/CVE-2018-6616.patch new file mode 100644 index 0000000000..497aa3aaca --- /dev/null +++ b/main/openjpeg/CVE-2018-6616.patch @@ -0,0 +1,69 @@ +From 8ee335227bbcaf1614124046aa25e53d67b11ec3 Mon Sep 17 00:00:00 2001 +From: Hugo Lefeuvre <hle@debian.org> +Date: Fri, 14 Dec 2018 04:58:40 +0100 +Subject: [PATCH] convertbmp: detect invalid file dimensions early + +width/length dimensions read from bmp headers are not necessarily +valid. For instance they may have been maliciously set to very large +values with the intention to cause DoS (large memory allocation, stack +overflow). In these cases we want to detect the invalid size as early +as possible. + +This commit introduces a counter which verifies that the number of +written bytes corresponds to the advertized width/length. + +Fixes #1059 (CVE-2018-6616). +--- + src/bin/jp2/convertbmp.c | 12 ++++++++++-- + 1 file changed, 10 insertions(+), 2 deletions(-) + +diff --git a/src/bin/jp2/convertbmp.c b/src/bin/jp2/convertbmp.c +index 85a47feaf..0af52f816 100644 +--- a/src/bin/jp2/convertbmp.c ++++ b/src/bin/jp2/convertbmp.c +@@ -534,14 +534,14 @@ static OPJ_BOOL bmp_read_raw_data(FILE* IN, OPJ_UINT8* pData, OPJ_UINT32 stride, + static OPJ_BOOL bmp_read_rle8_data(FILE* IN, OPJ_UINT8* pData, + OPJ_UINT32 stride, OPJ_UINT32 width, OPJ_UINT32 height) + { +- OPJ_UINT32 x, y; ++ OPJ_UINT32 x, y, written; + OPJ_UINT8 *pix; + const OPJ_UINT8 *beyond; + + beyond = pData + stride * height; + pix = pData; + +- x = y = 0U; ++ x = y = written = 0U; + while (y < height) { + int c = getc(IN); + if (c == EOF) { +@@ -561,6 +561,7 @@ static OPJ_BOOL bmp_read_rle8_data(FILE* IN, OPJ_UINT8* pData, + for (j = 0; (j < c) && (x < width) && + ((OPJ_SIZE_T)pix < (OPJ_SIZE_T)beyond); j++, x++, pix++) { + *pix = c1; ++ written++; + } + } else { + c = getc(IN); +@@ -598,6 +599,7 @@ static OPJ_BOOL bmp_read_rle8_data(FILE* IN, OPJ_UINT8* pData, + } + c1 = (OPJ_UINT8)c1_int; + *pix = c1; ++ written++; + } + if ((OPJ_UINT32)c & 1U) { /* skip padding byte */ + c = getc(IN); +@@ -608,6 +610,12 @@ static OPJ_BOOL bmp_read_rle8_data(FILE* IN, OPJ_UINT8* pData, + } + } + }/* while() */ ++ ++ if (written != width * height) { ++ fprintf(stderr, "warning, image's actual size does not match advertized one\n"); ++ return OPJ_FALSE; ++ } ++ + return OPJ_TRUE; + } + |