aboutsummaryrefslogtreecommitdiffstats
path: root/main/openjpeg
diff options
context:
space:
mode:
Diffstat (limited to 'main/openjpeg')
-rw-r--r--main/openjpeg/APKBUILD4
-rw-r--r--main/openjpeg/CVE-2017-17480.patch42
-rw-r--r--main/openjpeg/CVE-2018-14423.patch60
-rw-r--r--main/openjpeg/CVE-2018-18088.patch34
-rw-r--r--main/openjpeg/CVE-2018-5785.patch79
-rw-r--r--main/openjpeg/CVE-2018-6616.patch69
6 files changed, 2 insertions, 286 deletions
diff --git a/main/openjpeg/APKBUILD b/main/openjpeg/APKBUILD
index d6200bdb88..799857b2b5 100644
--- a/main/openjpeg/APKBUILD
+++ b/main/openjpeg/APKBUILD
@@ -2,9 +2,9 @@
# Maintainer: Francesco Colista <fcolista@alpinelinux.org>
pkgname=openjpeg
pkgver=2.3.1
-pkgrel=1
+pkgrel=2
pkgdesc="Open-source implementation of JPEG2000 image codec"
-url="http://www.openjpeg.org/"
+url="https://www.openjpeg.org/"
arch="all"
options="!check" # No test suite.
license="BSD-2-Clause-NetBSD"
diff --git a/main/openjpeg/CVE-2017-17480.patch b/main/openjpeg/CVE-2017-17480.patch
deleted file mode 100644
index 032315c1d2..0000000000
--- a/main/openjpeg/CVE-2017-17480.patch
+++ /dev/null
@@ -1,42 +0,0 @@
-From 0bc90e4062a5f9258c91eca018c019b179066c62 Mon Sep 17 00:00:00 2001
-From: Hugo Lefeuvre <hle@debian.org>
-Date: Mon, 22 Oct 2018 16:59:41 +0200
-Subject: [PATCH] jp3d/jpwl convert: fix write stack buffer overflow
-
-Missing buffer length formatter in fscanf call might lead to write
-stack buffer overflow.
-
-fixes #1044 (CVE-2017-17480)
----
- src/bin/jp3d/convert.c | 4 ++--
- src/bin/jpwl/convert.c | 2 +-
- 2 files changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/src/bin/jp3d/convert.c b/src/bin/jp3d/convert.c
-index 23fd70b04..acad8f82a 100644
---- a/src/bin/jp3d/convert.c
-+++ b/src/bin/jp3d/convert.c
-@@ -297,8 +297,8 @@ opj_volume_t* pgxtovolume(char *relpath, opj_cparameters_t *parameters)
- fprintf(stdout, "[INFO] Loading %s \n", pgxfiles[pos]);
-
- fseek(f, 0, SEEK_SET);
-- fscanf(f, "PG%[ \t]%c%c%[ \t+-]%d%[ \t]%d%[ \t]%d", temp, &endian1, &endian2,
-- signtmp, &prec, temp, &w, temp, &h);
-+ fscanf(f, "PG%31[ \t]%c%c%31[ \t+-]%d%31[ \t]%d%31[ \t]%d", temp, &endian1,
-+ &endian2, signtmp, &prec, temp, &w, temp, &h);
-
- i = 0;
- sign = '+';
-diff --git a/src/bin/jpwl/convert.c b/src/bin/jpwl/convert.c
-index f3bb670b0..73c1be729 100644
---- a/src/bin/jpwl/convert.c
-+++ b/src/bin/jpwl/convert.c
-@@ -1349,7 +1349,7 @@ opj_image_t* pgxtoimage(const char *filename, opj_cparameters_t *parameters)
- }
-
- fseek(f, 0, SEEK_SET);
-- if (fscanf(f, "PG%[ \t]%c%c%[ \t+-]%d%[ \t]%d%[ \t]%d", temp, &endian1,
-+ if (fscanf(f, "PG%31[ \t]%c%c%31[ \t+-]%d%31[ \t]%d%31[ \t]%d", temp, &endian1,
- &endian2, signtmp, &prec, temp, &w, temp, &h) != 9) {
- fprintf(stderr,
- "ERROR: Failed to read the right number of element from the fscanf() function!\n");
diff --git a/main/openjpeg/CVE-2018-14423.patch b/main/openjpeg/CVE-2018-14423.patch
deleted file mode 100644
index 81fcb59345..0000000000
--- a/main/openjpeg/CVE-2018-14423.patch
+++ /dev/null
@@ -1,60 +0,0 @@
-From bd88611ed9ad7144ec4f3de54790cd848175891b Mon Sep 17 00:00:00 2001
-From: Young_X <YangX92@hotmail.com>
-Date: Fri, 23 Nov 2018 17:15:05 +0800
-Subject: [PATCH] [JP3D] To avoid divisions by zero / undefined behaviour on
- shift (CVE-2018-14423
-
-Signed-off-by: Young_X <YangX92@hotmail.com>
----
- src/lib/openjp3d/pi.c | 24 ++++++++++++++++++++++++
- 1 file changed, 24 insertions(+)
-
-diff --git a/src/lib/openjp3d/pi.c b/src/lib/openjp3d/pi.c
-index a03be45e7..a58ebcc7c 100644
---- a/src/lib/openjp3d/pi.c
-+++ b/src/lib/openjp3d/pi.c
-@@ -223,6 +223,14 @@ static bool pi_next_rpcl(opj_pi_iterator_t * pi)
- rpx = res->pdx + levelnox;
- rpy = res->pdy + levelnoy;
- rpz = res->pdz + levelnoz;
-+
-+ /* To avoid divisions by zero / undefined behaviour on shift */
-+ if (rpx >= 31 || ((comp->dx << rpx) >> rpx) != comp->dx ||
-+ rpy >= 31 || ((comp->dy << rpy) >> rpy) != comp->dy ||
-+ rpz >= 31 || ((comp->dz << rpz) >> rpz) != comp->dz) {
-+ continue;
-+ }
-+
- if ((!(pi->x % (comp->dx << rpx) == 0) || (pi->x == pi->tx0 &&
- (trx0 << levelnox) % (1 << rpx)))) {
- continue;
-@@ -329,6 +337,14 @@ static bool pi_next_pcrl(opj_pi_iterator_t * pi)
- rpx = res->pdx + levelnox;
- rpy = res->pdy + levelnoy;
- rpz = res->pdz + levelnoz;
-+
-+ /* To avoid divisions by zero / undefined behaviour on shift */
-+ if (rpx >= 31 || ((comp->dx << rpx) >> rpx) != comp->dx ||
-+ rpy >= 31 || ((comp->dy << rpy) >> rpy) != comp->dy ||
-+ rpz >= 31 || ((comp->dz << rpz) >> rpz) != comp->dz) {
-+ continue;
-+ }
-+
- if ((!(pi->x % (comp->dx << rpx) == 0) || (pi->x == pi->tx0 &&
- (trx0 << levelnox) % (1 << rpx)))) {
- continue;
-@@ -432,6 +448,14 @@ static bool pi_next_cprl(opj_pi_iterator_t * pi)
- rpx = res->pdx + levelnox;
- rpy = res->pdy + levelnoy;
- rpz = res->pdz + levelnoz;
-+
-+ /* To avoid divisions by zero / undefined behaviour on shift */
-+ if (rpx >= 31 || ((comp->dx << rpx) >> rpx) != comp->dx ||
-+ rpy >= 31 || ((comp->dy << rpy) >> rpy) != comp->dy ||
-+ rpz >= 31 || ((comp->dz << rpz) >> rpz) != comp->dz) {
-+ continue;
-+ }
-+
- if ((!(pi->x % (comp->dx << rpx) == 0) || (pi->x == pi->tx0 &&
- (trx0 << levelnox) % (1 << rpx)))) {
- continue;
diff --git a/main/openjpeg/CVE-2018-18088.patch b/main/openjpeg/CVE-2018-18088.patch
deleted file mode 100644
index e6927dc904..0000000000
--- a/main/openjpeg/CVE-2018-18088.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-From cab352e249ed3372dd9355c85e837613fff98fa2 Mon Sep 17 00:00:00 2001
-From: Hugo Lefeuvre <hle@debian.org>
-Date: Wed, 7 Nov 2018 18:48:29 +0100
-Subject: [PATCH] jp2: convert: fix null pointer dereference
-
-Tile components in a JP2 image might have null data pointer by defining a
-zero component size (for example using large horizontal or vertical
-sampling periods). This null data pointer leads to null image component
-data pointer, causing crash when dereferenced without != null check in
-imagetopnm.
-
-Add != null check.
-
-This commit addresses #1152 (CVE-2018-18088).
----
- src/bin/jp2/convert.c | 5 +++++
- 1 file changed, 5 insertions(+)
-
-diff --git a/src/bin/jp2/convert.c b/src/bin/jp2/convert.c
-index fa02e31c5..e670cd82f 100644
---- a/src/bin/jp2/convert.c
-+++ b/src/bin/jp2/convert.c
-@@ -2233,6 +2233,11 @@ int imagetopnm(opj_image_t * image, const char *outfile, int force_split)
- opj_version(), wr, hr, max);
-
- red = image->comps[compno].data;
-+ if (!red) {
-+ fclose(fdest);
-+ continue;
-+ }
-+
- adjustR =
- (image->comps[compno].sgnd ? 1 << (image->comps[compno].prec - 1) : 0);
-
diff --git a/main/openjpeg/CVE-2018-5785.patch b/main/openjpeg/CVE-2018-5785.patch
deleted file mode 100644
index b93515ccd4..0000000000
--- a/main/openjpeg/CVE-2018-5785.patch
+++ /dev/null
@@ -1,79 +0,0 @@
-From ca16fe55014c57090dd97369256c7657aeb25975 Mon Sep 17 00:00:00 2001
-From: Hugo Lefeuvre <hle@debian.org>
-Date: Sat, 22 Sep 2018 14:33:19 -0400
-Subject: [PATCH] convertbmp: fix issues with zero bitmasks
-
-In the case where a BMP file declares compression 3 (BI_BITFIELDS)
-with header size <= 56, all bitmask values keep their initialization
-value 0. This may lead to various undefined behavior later e.g. when
-doing 1 << (l_comp->prec - 1).
-
-This issue does not affect files with bit count 16 because of a check
-added in 16240e2 which sets default values to the color masks if they
-are all 0.
-
-This commit adds similar checks for the 32 bit case.
-
-Also, if a BMP file declares compression 3 with header size >= 56 and
-intentional 0 bitmasks, the same issue will be triggered in both the
-16 and 32 bit count case.
-
-This commit adds checks to bmp_read_info_header() rejecting BMP files
-with "intentional" 0 bitmasks. These checks might be removed in the
-future when proper handling of zero bitmasks will be available in
-openjpeg2.
-
-fixes #1057 (CVE-2018-5785)
----
- src/bin/jp2/convertbmp.c | 21 +++++++++++++++++++++
- 1 file changed, 21 insertions(+)
-
-diff --git a/src/bin/jp2/convertbmp.c b/src/bin/jp2/convertbmp.c
-index 084f70bb7..7fde99ab3 100644
---- a/src/bin/jp2/convertbmp.c
-+++ b/src/bin/jp2/convertbmp.c
-@@ -435,16 +435,31 @@ static OPJ_BOOL bmp_read_info_header(FILE* IN, OPJ_BITMAPINFOHEADER* header)
- header->biRedMask |= (OPJ_UINT32)getc(IN) << 16;
- header->biRedMask |= (OPJ_UINT32)getc(IN) << 24;
-
-+ if (!header->biRedMask) {
-+ fprintf(stderr, "Error, invalid red mask value %d\n", header->biRedMask);
-+ return OPJ_FALSE;
-+ }
-+
- header->biGreenMask = (OPJ_UINT32)getc(IN);
- header->biGreenMask |= (OPJ_UINT32)getc(IN) << 8;
- header->biGreenMask |= (OPJ_UINT32)getc(IN) << 16;
- header->biGreenMask |= (OPJ_UINT32)getc(IN) << 24;
-
-+ if (!header->biGreenMask) {
-+ fprintf(stderr, "Error, invalid green mask value %d\n", header->biGreenMask);
-+ return OPJ_FALSE;
-+ }
-+
- header->biBlueMask = (OPJ_UINT32)getc(IN);
- header->biBlueMask |= (OPJ_UINT32)getc(IN) << 8;
- header->biBlueMask |= (OPJ_UINT32)getc(IN) << 16;
- header->biBlueMask |= (OPJ_UINT32)getc(IN) << 24;
-
-+ if (!header->biBlueMask) {
-+ fprintf(stderr, "Error, invalid blue mask value %d\n", header->biBlueMask);
-+ return OPJ_FALSE;
-+ }
-+
- header->biAlphaMask = (OPJ_UINT32)getc(IN);
- header->biAlphaMask |= (OPJ_UINT32)getc(IN) << 8;
- header->biAlphaMask |= (OPJ_UINT32)getc(IN) << 16;
-@@ -831,6 +846,12 @@ opj_image_t* bmptoimage(const char *filename, opj_cparameters_t *parameters)
- bmpmask32toimage(pData, stride, image, 0x00FF0000U, 0x0000FF00U, 0x000000FFU,
- 0x00000000U);
- } else if (Info_h.biBitCount == 32 && Info_h.biCompression == 3) { /* bitmask */
-+ if ((Info_h.biRedMask == 0U) && (Info_h.biGreenMask == 0U) &&
-+ (Info_h.biBlueMask == 0U)) {
-+ Info_h.biRedMask = 0x00FF0000U;
-+ Info_h.biGreenMask = 0x0000FF00U;
-+ Info_h.biBlueMask = 0x000000FFU;
-+ }
- bmpmask32toimage(pData, stride, image, Info_h.biRedMask, Info_h.biGreenMask,
- Info_h.biBlueMask, Info_h.biAlphaMask);
- } else if (Info_h.biBitCount == 16 && Info_h.biCompression == 0) { /* RGBX */
diff --git a/main/openjpeg/CVE-2018-6616.patch b/main/openjpeg/CVE-2018-6616.patch
deleted file mode 100644
index 497aa3aaca..0000000000
--- a/main/openjpeg/CVE-2018-6616.patch
+++ /dev/null
@@ -1,69 +0,0 @@
-From 8ee335227bbcaf1614124046aa25e53d67b11ec3 Mon Sep 17 00:00:00 2001
-From: Hugo Lefeuvre <hle@debian.org>
-Date: Fri, 14 Dec 2018 04:58:40 +0100
-Subject: [PATCH] convertbmp: detect invalid file dimensions early
-
-width/length dimensions read from bmp headers are not necessarily
-valid. For instance they may have been maliciously set to very large
-values with the intention to cause DoS (large memory allocation, stack
-overflow). In these cases we want to detect the invalid size as early
-as possible.
-
-This commit introduces a counter which verifies that the number of
-written bytes corresponds to the advertized width/length.
-
-Fixes #1059 (CVE-2018-6616).
----
- src/bin/jp2/convertbmp.c | 12 ++++++++++--
- 1 file changed, 10 insertions(+), 2 deletions(-)
-
-diff --git a/src/bin/jp2/convertbmp.c b/src/bin/jp2/convertbmp.c
-index 85a47feaf..0af52f816 100644
---- a/src/bin/jp2/convertbmp.c
-+++ b/src/bin/jp2/convertbmp.c
-@@ -534,14 +534,14 @@ static OPJ_BOOL bmp_read_raw_data(FILE* IN, OPJ_UINT8* pData, OPJ_UINT32 stride,
- static OPJ_BOOL bmp_read_rle8_data(FILE* IN, OPJ_UINT8* pData,
- OPJ_UINT32 stride, OPJ_UINT32 width, OPJ_UINT32 height)
- {
-- OPJ_UINT32 x, y;
-+ OPJ_UINT32 x, y, written;
- OPJ_UINT8 *pix;
- const OPJ_UINT8 *beyond;
-
- beyond = pData + stride * height;
- pix = pData;
-
-- x = y = 0U;
-+ x = y = written = 0U;
- while (y < height) {
- int c = getc(IN);
- if (c == EOF) {
-@@ -561,6 +561,7 @@ static OPJ_BOOL bmp_read_rle8_data(FILE* IN, OPJ_UINT8* pData,
- for (j = 0; (j < c) && (x < width) &&
- ((OPJ_SIZE_T)pix < (OPJ_SIZE_T)beyond); j++, x++, pix++) {
- *pix = c1;
-+ written++;
- }
- } else {
- c = getc(IN);
-@@ -598,6 +599,7 @@ static OPJ_BOOL bmp_read_rle8_data(FILE* IN, OPJ_UINT8* pData,
- }
- c1 = (OPJ_UINT8)c1_int;
- *pix = c1;
-+ written++;
- }
- if ((OPJ_UINT32)c & 1U) { /* skip padding byte */
- c = getc(IN);
-@@ -608,6 +610,12 @@ static OPJ_BOOL bmp_read_rle8_data(FILE* IN, OPJ_UINT8* pData,
- }
- }
- }/* while() */
-+
-+ if (written != width * height) {
-+ fprintf(stderr, "warning, image's actual size does not match advertized one\n");
-+ return OPJ_FALSE;
-+ }
-+
- return OPJ_TRUE;
- }
-