Diffstat (limited to 'main/openjpeg')
-rw-r--r-- | main/openjpeg/APKBUILD | 4 | ||||
-rw-r--r-- | main/openjpeg/CVE-2017-17480.patch | 42 | ||||
-rw-r--r-- | main/openjpeg/CVE-2018-14423.patch | 60 | ||||
-rw-r--r-- | main/openjpeg/CVE-2018-18088.patch | 34 | ||||
-rw-r--r-- | main/openjpeg/CVE-2018-5785.patch | 79 | ||||
-rw-r--r-- | main/openjpeg/CVE-2018-6616.patch | 69 |
6 files changed, 2 insertions, 286 deletions
diff --git a/main/openjpeg/APKBUILD b/main/openjpeg/APKBUILD
index d6200bdb88..799857b2b5 100644
--- a/main/openjpeg/APKBUILD
+++ b/main/openjpeg/APKBUILD
@@ -2,9 +2,9 @@
 # Maintainer: Francesco Colista <fcolista@alpinelinux.org>
 pkgname=openjpeg
 pkgver=2.3.1
-pkgrel=1
+pkgrel=2
 pkgdesc="Open-source implementation of JPEG2000 image codec"
-url="http://www.openjpeg.org/"
+url="https://www.openjpeg.org/"
 arch="all"
 options="!check" # No test suite.
 license="BSD-2-Clause-NetBSD"
diff --git a/main/openjpeg/CVE-2017-17480.patch b/main/openjpeg/CVE-2017-17480.patch
deleted file mode 100644
index 032315c1d2..0000000000
--- a/main/openjpeg/CVE-2017-17480.patch
+++ /dev/null
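Review bot: The five CVE-*.patch files are deleted, yet this APKBUILD hunk changes only `pkgrel` and `url`, and the diffstat shows just 4 changed lines in APKBUILD, so nothing in the package records why the fixes are no longer carried. Presumably the patches were already unreferenced in `source=` because openjpeg 2.3.1 includes the fixes upstream; that should be confirmed against the 2.3.1 sources for each of CVE-2017-17480, CVE-2018-14423, CVE-2018-18088, CVE-2018-5785 and CVE-2018-6616 before the files go. Once confirmed, I would add a comment such as `# CVE-2017-17480, CVE-2018-14423, CVE-2018-18088, CVE-2018-5785, CVE-2018-6616: fixed upstream in 2.3.1, local patches dropped`. If the file has a `# secfixes:` block outside this hunk, check that it still lists these CVEs against the release that fixed them.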
@@ -1,42 +0,0 @@
-From 0bc90e4062a5f9258c91eca018c019b179066c62 Mon Sep 17 00:00:00 2001
-From: Hugo Lefeuvre <hle@debian.org>
-Date: Mon, 22 Oct 2018 16:59:41 +0200
-Subject: [PATCH] jp3d/jpwl convert: fix write stack buffer overflow
-
-Missing buffer length formatter in fscanf call might lead to write
-stack buffer overflow.
-
-fixes #1044 (CVE-2017-17480)
----
- src/bin/jp3d/convert.c | 4 ++--
- src/bin/jpwl/convert.c | 2 +-
- 2 files changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/src/bin/jp3d/convert.c b/src/bin/jp3d/convert.c
-index 23fd70b04..acad8f82a 100644
---- a/src/bin/jp3d/convert.c
-+++ b/src/bin/jp3d/convert.c
-@@ -297,8 +297,8 @@ opj_volume_t* pgxtovolume(char *relpath, opj_cparameters_t *parameters)
- fprintf(stdout, "[INFO] Loading %s \n", pgxfiles[pos]);
-
- fseek(f, 0, SEEK_SET);
-- fscanf(f, "PG%[ \t]%c%c%[ \t+-]%d%[ \t]%d%[ \t]%d", temp, &endian1, &endian2,
-- signtmp, &prec, temp, &w, temp, &h);
-+ fscanf(f, "PG%31[ \t]%c%c%31[ \t+-]%d%31[ \t]%d%31[ \t]%d", temp, &endian1,
-+ &endian2, signtmp, &prec, temp, &w, temp, &h);
-
- i = 0;
- sign = '+';
-diff --git a/src/bin/jpwl/convert.c b/src/bin/jpwl/convert.c
-index f3bb670b0..73c1be729 100644
---- a/src/bin/jpwl/convert.c
-+++ b/src/bin/jpwl/convert.c
-@@ -1349,7 +1349,7 @@ opj_image_t* pgxtoimage(const char *filename, opj_cparameters_t *parameters)
- }
-
- fseek(f, 0, SEEK_SET);
-- if (fscanf(f, "PG%[ \t]%c%c%[ \t+-]%d%[ \t]%d%[ \t]%d", temp, &endian1,
-+ if (fscanf(f, "PG%31[ \t]%c%c%31[ \t+-]%d%31[ \t]%d%31[ \t]%d", temp, &endian1,
- &endian2, signtmp, &prec, temp, &w, temp, &h) != 9) {
- fprintf(stderr,
- "ERROR: Failed to read the right number of element from the fscanf() function!\n");
diff --git a/main/openjpeg/CVE-2018-14423.patch b/main/openjpeg/CVE-2018-14423.patch
deleted file mode 100644
index 81fcb59345..0000000000
--- a/main/openjpeg/CVE-2018-14423.patch
+++ /dev/null
@@ -1,60 +0,0 @@
-From bd88611ed9ad7144ec4f3de54790cd848175891b Mon Sep 17 00:00:00 2001
-From: Young_X <YangX92@hotmail.com>
-Date: Fri, 23 Nov 2018 17:15:05 +0800
-Subject: [PATCH] [JP3D] To avoid divisions by zero / undefined behaviour on
- shift (CVE-2018-14423
-
-Signed-off-by: Young_X <YangX92@hotmail.com>
----
- src/lib/openjp3d/pi.c | 24 ++++++++++++++++++++++++
- 1 file changed, 24 insertions(+)
-
-diff --git a/src/lib/openjp3d/pi.c b/src/lib/openjp3d/pi.c
-index a03be45e7..a58ebcc7c 100644
---- a/src/lib/openjp3d/pi.c
-+++ b/src/lib/openjp3d/pi.c
-@@ -223,6 +223,14 @@ static bool pi_next_rpcl(opj_pi_iterator_t * pi)
- rpx = res->pdx + levelnox;
- rpy = res->pdy + levelnoy;
- rpz = res->pdz + levelnoz;
-+
-+ /* To avoid divisions by zero / undefined behaviour on shift */
-+ if (rpx >= 31 || ((comp->dx << rpx) >> rpx) != comp->dx ||
-+ rpy >= 31 || ((comp->dy << rpy) >> rpy) != comp->dy ||
-+ rpz >= 31 || ((comp->dz << rpz) >> rpz) != comp->dz) {
-+ continue;
-+ }
-+
- if ((!(pi->x % (comp->dx << rpx) == 0) || (pi->x == pi->tx0 &&
- (trx0 << levelnox) % (1 << rpx)))) {
- continue;
-@@ -329,6 +337,14 @@ static bool pi_next_pcrl(opj_pi_iterator_t * pi)
- rpx = res->pdx + levelnox;
- rpy = res->pdy + levelnoy;
- rpz = res->pdz + levelnoz;
-+
-+ /* To avoid divisions by zero / undefined behaviour on shift */
-+ if (rpx >= 31 || ((comp->dx << rpx) >> rpx) != comp->dx ||
-+ rpy >= 31 || ((comp->dy << rpy) >> rpy) != comp->dy ||
-+ rpz >= 31 || ((comp->dz << rpz) >> rpz) != comp->dz) {
-+ continue;
-+ }
-+
- if ((!(pi->x % (comp->dx << rpx) == 0) || (pi->x == pi->tx0 &&
- (trx0 << levelnox) % (1 << rpx)))) {
- continue;
-@@ -432,6 +448,14 @@ static bool pi_next_cprl(opj_pi_iterator_t * pi)
- rpx = res->pdx + levelnox;
- rpy = res->pdy + levelnoy;
- rpz = res->pdz + levelnoz;
-+
-+ /* To avoid divisions by zero / undefined behaviour on shift */
-+ if (rpx >= 31 || ((comp->dx << rpx) >> rpx) != comp->dx ||
-+ rpy >= 31 || ((comp->dy << rpy) >> rpy) != comp->dy ||
-+ rpz >= 31 || ((comp->dz << rpz) >> rpz) != comp->dz) {
-+ continue;
-+ }
-+
- if ((!(pi->x % (comp->dx << rpx) == 0) || (pi->x == pi->tx0 &&
- (trx0 << levelnox) % (1 << rpx)))) {
- continue;
diff --git a/main/openjpeg/CVE-2018-18088.patch b/main/openjpeg/CVE-2018-18088.patch
deleted file mode 100644
index e6927dc904..0000000000
--- a/main/openjpeg/CVE-2018-18088.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-From cab352e249ed3372dd9355c85e837613fff98fa2 Mon Sep 17 00:00:00 2001
-From: Hugo Lefeuvre <hle@debian.org>
-Date: Wed, 7 Nov 2018 18:48:29 +0100
-Subject: [PATCH] jp2: convert: fix null pointer dereference
-
-Tile components in a JP2 image might have null data pointer by defining a
-zero component size (for example using large horizontal or vertical
-sampling periods). This null data pointer leads to null image component
-data pointer, causing crash when dereferenced without != null check in
-imagetopnm.
-
-Add != null check.
-
-This commit addresses #1152 (CVE-2018-18088).
----
- src/bin/jp2/convert.c | 5 +++++
- 1 file changed, 5 insertions(+)
-
-diff --git a/src/bin/jp2/convert.c b/src/bin/jp2/convert.c
-index fa02e31c5..e670cd82f 100644
---- a/src/bin/jp2/convert.c
-+++ b/src/bin/jp2/convert.c
-@@ -2233,6 +2233,11 @@ int imagetopnm(opj_image_t * image, const char *outfile, int force_split)
- opj_version(), wr, hr, max);
-
- red = image->comps[compno].data;
-+ if (!red) {
-+ fclose(fdest);
-+ continue;
-+ }
-+
- adjustR =
- (image->comps[compno].sgnd ? 1 << (image->comps[compno].prec - 1) : 0);
-
diff --git a/main/openjpeg/CVE-2018-5785.patch b/main/openjpeg/CVE-2018-5785.patch
deleted file mode 100644
index b93515ccd4..0000000000
--- a/main/openjpeg/CVE-2018-5785.patch
+++ /dev/null
@@ -1,79 +0,0 @@
-From ca16fe55014c57090dd97369256c7657aeb25975 Mon Sep 17 00:00:00 2001
-From: Hugo Lefeuvre <hle@debian.org>
-Date: Sat, 22 Sep 2018 14:33:19 -0400
-Subject: [PATCH] convertbmp: fix issues with zero bitmasks
-
-In the case where a BMP file declares compression 3 (BI_BITFIELDS)
-with header size <= 56, all bitmask values keep their initialization
-value 0. This may lead to various undefined behavior later e.g. when
-doing 1 << (l_comp->prec - 1).
-
-This issue does not affect files with bit count 16 because of a check
-added in 16240e2 which sets default values to the color masks if they
-are all 0.
-
-This commit adds similar checks for the 32 bit case.
-
-Also, if a BMP file declares compression 3 with header size >= 56 and
-intentional 0 bitmasks, the same issue will be triggered in both the
-16 and 32 bit count case.
-
-This commit adds checks to bmp_read_info_header() rejecting BMP files
-with "intentional" 0 bitmasks. These checks might be removed in the
-future when proper handling of zero bitmasks will be available in
-openjpeg2.
-
-fixes #1057 (CVE-2018-5785)
----
- src/bin/jp2/convertbmp.c | 21 +++++++++++++++++++++
- 1 file changed, 21 insertions(+)
-
-diff --git a/src/bin/jp2/convertbmp.c b/src/bin/jp2/convertbmp.c
-index 084f70bb7..7fde99ab3 100644
---- a/src/bin/jp2/convertbmp.c
-+++ b/src/bin/jp2/convertbmp.c
-@@ -435,16 +435,31 @@ static OPJ_BOOL bmp_read_info_header(FILE* IN, OPJ_BITMAPINFOHEADER* header)
- header->biRedMask |= (OPJ_UINT32)getc(IN) << 16;
- header->biRedMask |= (OPJ_UINT32)getc(IN) << 24;
-
-+ if (!header->biRedMask) {
-+ fprintf(stderr, "Error, invalid red mask value %d\n", header->biRedMask);
-+ return OPJ_FALSE;
-+ }
-+
- header->biGreenMask = (OPJ_UINT32)getc(IN);
- header->biGreenMask |= (OPJ_UINT32)getc(IN) << 8;
- header->biGreenMask |= (OPJ_UINT32)getc(IN) << 16;
- header->biGreenMask |= (OPJ_UINT32)getc(IN) << 24;
-
-+ if (!header->biGreenMask) {
-+ fprintf(stderr, "Error, invalid green mask value %d\n", header->biGreenMask);
-+ return OPJ_FALSE;
-+ }
-+
- header->biBlueMask = (OPJ_UINT32)getc(IN);
- header->biBlueMask |= (OPJ_UINT32)getc(IN) << 8;
- header->biBlueMask |= (OPJ_UINT32)getc(IN) << 16;
- header->biBlueMask |= (OPJ_UINT32)getc(IN) << 24;
-
-+ if (!header->biBlueMask) {
-+ fprintf(stderr, "Error, invalid blue mask value %d\n", header->biBlueMask);
-+ return OPJ_FALSE;
-+ }
-+
- header->biAlphaMask = (OPJ_UINT32)getc(IN);
- header->biAlphaMask |= (OPJ_UINT32)getc(IN) << 8;
- header->biAlphaMask |= (OPJ_UINT32)getc(IN) << 16;
-@@ -831,6 +846,12 @@ opj_image_t* bmptoimage(const char *filename, opj_cparameters_t *parameters)
- bmpmask32toimage(pData, stride, image, 0x00FF0000U, 0x0000FF00U, 0x000000FFU,
- 0x00000000U);
- } else if (Info_h.biBitCount == 32 && Info_h.biCompression == 3) { /* bitmask */
-+ if ((Info_h.biRedMask == 0U) && (Info_h.biGreenMask == 0U) &&
-+ (Info_h.biBlueMask == 0U)) {
-+ Info_h.biRedMask = 0x00FF0000U;
-+ Info_h.biGreenMask = 0x0000FF00U;
-+ Info_h.biBlueMask = 0x000000FFU;
-+ }
- bmpmask32toimage(pData, stride, image, Info_h.biRedMask, Info_h.biGreenMask,
- Info_h.biBlueMask, Info_h.biAlphaMask);
- } else if (Info_h.biBitCount == 16 && Info_h.biCompression == 0) { /* RGBX */
diff --git a/main/openjpeg/CVE-2018-6616.patch b/main/openjpeg/CVE-2018-6616.patch
deleted file mode 100644
index 497aa3aaca..0000000000
--- a/main/openjpeg/CVE-2018-6616.patch
+++ /dev/null
@@ -1,69 +0,0 @@
-From 8ee335227bbcaf1614124046aa25e53d67b11ec3 Mon Sep 17 00:00:00 2001
-From: Hugo Lefeuvre <hle@debian.org>
-Date: Fri, 14 Dec 2018 04:58:40 +0100
-Subject: [PATCH] convertbmp: detect invalid file dimensions early
-
-width/length dimensions read from bmp headers are not necessarily
-valid. For instance they may have been maliciously set to very large
-values with the intention to cause DoS (large memory allocation, stack
-overflow). In these cases we want to detect the invalid size as early
-as possible.
-
-This commit introduces a counter which verifies that the number of
-written bytes corresponds to the advertized width/length.
-
-Fixes #1059 (CVE-2018-6616).
----
- src/bin/jp2/convertbmp.c | 12 ++++++++++--
- 1 file changed, 10 insertions(+), 2 deletions(-)
-
-diff --git a/src/bin/jp2/convertbmp.c b/src/bin/jp2/convertbmp.c
-index 85a47feaf..0af52f816 100644
---- a/src/bin/jp2/convertbmp.c
-+++ b/src/bin/jp2/convertbmp.c
-@@ -534,14 +534,14 @@ static OPJ_BOOL bmp_read_raw_data(FILE* IN, OPJ_UINT8* pData, OPJ_UINT32 stride,
- static OPJ_BOOL bmp_read_rle8_data(FILE* IN, OPJ_UINT8* pData,
- OPJ_UINT32 stride, OPJ_UINT32 width, OPJ_UINT32 height)
- {
-- OPJ_UINT32 x, y;
-+ OPJ_UINT32 x, y, written;
- OPJ_UINT8 *pix;
- const OPJ_UINT8 *beyond;
-
- beyond = pData + stride * height;
- pix = pData;
-
-- x = y = 0U;
-+ x = y = written = 0U;
- while (y < height) {
- int c = getc(IN);
- if (c == EOF) {
-@@ -561,6 +561,7 @@ static OPJ_BOOL bmp_read_rle8_data(FILE* IN, OPJ_UINT8* pData,
- for (j = 0; (j < c) && (x < width) &&
- ((OPJ_SIZE_T)pix < (OPJ_SIZE_T)beyond); j++, x++, pix++) {
- *pix = c1;
-+ written++;
- }
- } else {
- c = getc(IN);
-@@ -598,6 +599,7 @@ static OPJ_BOOL bmp_read_rle8_data(FILE* IN, OPJ_UINT8* pData,
- }
- c1 = (OPJ_UINT8)c1_int;
- *pix = c1;
-+ written++;
- }
- if ((OPJ_UINT32)c & 1U) { /* skip padding byte */
- c = getc(IN);
-@@ -608,6 +610,12 @@ static OPJ_BOOL bmp_read_rle8_data(FILE* IN, OPJ_UINT8* pData,
- }
- }
- }/* while() */
-+
-+ if (written != width * height) {
-+ fprintf(stderr, "warning, image's actual size does not match advertized one\n");
-+ return OPJ_FALSE;
-+ }
-+
- return OPJ_TRUE;
- }
-
|