From 6dd49eeff4953456d2d668b4e7653967a44a4972 Mon Sep 17 00:00:00 2001 From: Natanael Copa Date: Thu, 22 Nov 2018 15:53:10 +0000 Subject: main/openjpeg: security fixes (CVE-2017-17480,CVE-2018-18088) also remove unused patches fixes #9680 --- main/openjpeg/APKBUILD | 12 +- main/openjpeg/CVE-2016-7163-1.patch | 33 ----- main/openjpeg/CVE-2016-7163-2.patch | 26 ---- main/openjpeg/CVE-2016-9580-9581.patch | 242 --------------------------------- main/openjpeg/CVE-2017-12982.patch | 25 ---- main/openjpeg/CVE-2017-14040.patch | 80 ----------- main/openjpeg/CVE-2017-14041.patch | 22 --- main/openjpeg/CVE-2017-14151.patch | 43 ------ main/openjpeg/CVE-2017-14152.patch | 35 ----- main/openjpeg/CVE-2017-14164.patch | 86 ------------ main/openjpeg/CVE-2017-17480.patch | 42 ++++++ main/openjpeg/CVE-2018-18088.patch | 34 +++++ 12 files changed, 86 insertions(+), 594 deletions(-) delete mode 100644 main/openjpeg/CVE-2016-7163-1.patch delete mode 100644 main/openjpeg/CVE-2016-7163-2.patch delete mode 100644 main/openjpeg/CVE-2016-9580-9581.patch delete mode 100644 main/openjpeg/CVE-2017-12982.patch delete mode 100644 main/openjpeg/CVE-2017-14040.patch delete mode 100644 main/openjpeg/CVE-2017-14041.patch delete mode 100644 main/openjpeg/CVE-2017-14151.patch delete mode 100644 main/openjpeg/CVE-2017-14152.patch delete mode 100644 main/openjpeg/CVE-2017-14164.patch create mode 100644 main/openjpeg/CVE-2017-17480.patch create mode 100644 main/openjpeg/CVE-2018-18088.patch diff --git a/main/openjpeg/APKBUILD b/main/openjpeg/APKBUILD index 9dc49ec03b..a62b2f8524 100644 --- a/main/openjpeg/APKBUILD +++ b/main/openjpeg/APKBUILD @@ -10,7 +10,10 @@ options="!check" # No test suite. license="BSD-2-Clause-NetBSD" makedepends="libpng-dev tiff-dev lcms2-dev doxygen cmake" subpackages="$pkgname-dev $pkgname-tools" -source="$pkgname-$pkgver.tar.gz::https://github.com/uclouvain/openjpeg/archive/v$pkgver.tar.gz" +source="$pkgname-$pkgver.tar.gz::https://github.com/uclouvain/openjpeg/archive/v$pkgver.tar.gz + CVE-2017-17480.patch + CVE-2018-18088.patch + " builddir="${srcdir}/$pkgname-$pkgver" build() { @@ -24,6 +27,9 @@ build() { } # secfixes: +# 2.3.0-r1: +# - CVE-2017-17480 +# - CVE-2018-18088 # 2.3.0-r0: # - CVE-2017-14039 # 2.2.0-r2: @@ -49,4 +55,6 @@ tools() { mv "$pkgdir"/usr/bin "$subpkgdir"/usr/ } -sha512sums="0a9d427be4a820b1d759fca4b50e293721b45fe4885aa61ca1ae09e099f75ed93520448090c780d62f51076d575cc03618cd6d5181bdb6b34e4fc07b4cfdd568 openjpeg-2.3.0.tar.gz" +sha512sums="0a9d427be4a820b1d759fca4b50e293721b45fe4885aa61ca1ae09e099f75ed93520448090c780d62f51076d575cc03618cd6d5181bdb6b34e4fc07b4cfdd568 openjpeg-2.3.0.tar.gz +15f4292ab6e19ecad1d47772ea28154bc7bbf9b9ba68467c5750e0c823efe3657e5973c08b81456f649fb789b6772ddaf5122f23a530ae0f6a9e5adb61c51c74 CVE-2017-17480.patch +24b646f2b24cfbe9babe8b5c622069178998f35d0b82f5034ff12f8df5f3ffd35f4f8bcc195dfec1072d8f8847d200c3d28f689ec16f29ab9ce895dbabd044bb CVE-2018-18088.patch" diff --git a/main/openjpeg/CVE-2016-7163-1.patch b/main/openjpeg/CVE-2016-7163-1.patch deleted file mode 100644 index c7d277a562..0000000000 --- a/main/openjpeg/CVE-2016-7163-1.patch +++ /dev/null @@ -1,33 +0,0 @@ -From c16bc057ba3f125051c9966cf1f5b68a05681de4 Mon Sep 17 00:00:00 2001 -From: trylab -Date: Tue, 6 Sep 2016 13:55:49 +0800 -Subject: [PATCH] Fix an integer overflow issue (#809) - -Prevent an integer overflow issue in function opj_pi_create_decode of -pi.c. ---- - src/lib/openjp2/pi.c | 8 +++++++- - 1 file changed, 7 insertions(+), 1 deletion(-) - -diff --git a/src/lib/openjp2/pi.c b/src/lib/openjp2/pi.c -index cffad66..36e2ff0 100644 ---- a/src/lib/openjp2/pi.c -+++ b/src/lib/openjp2/pi.c -@@ -1237,7 +1237,13 @@ opj_pi_iterator_t *opj_pi_create_decode(opj_image_t *p_image, - l_current_pi = l_pi; - - /* memory allocation for include */ -- l_current_pi->include = (OPJ_INT16*) opj_calloc((l_tcp->numlayers +1) * l_step_l, sizeof(OPJ_INT16)); -+ /* prevent an integer overflow issue */ -+ l_current_pi->include = 00; -+ if (l_step_l <= (SIZE_MAX / (l_tcp->numlayers + 1U))) -+ { -+ l_current_pi->include = (OPJ_INT16*) opj_calloc((l_tcp->numlayers +1) * l_step_l, sizeof(OPJ_INT16)); -+ } -+ - if - (!l_current_pi->include) - { --- -2.10.0 - diff --git a/main/openjpeg/CVE-2016-7163-2.patch b/main/openjpeg/CVE-2016-7163-2.patch deleted file mode 100644 index 71af3d7561..0000000000 --- a/main/openjpeg/CVE-2016-7163-2.patch +++ /dev/null @@ -1,26 +0,0 @@ -From ef01f18dfc6780b776d0674ed3e7415c6ef54d24 Mon Sep 17 00:00:00 2001 -From: Matthieu Darbois -Date: Thu, 8 Sep 2016 07:34:46 +0200 -Subject: [PATCH] Cast to size_t before multiplication - -Need to cast to size_t before multiplication otherwise overflow check is useless. ---- - src/lib/openjp2/pi.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/lib/openjp2/pi.c b/src/lib/openjp2/pi.c -index 36e2ff0..809b33d 100644 ---- a/src/lib/openjp2/pi.c -+++ b/src/lib/openjp2/pi.c -@@ -1241,7 +1241,7 @@ opj_pi_iterator_t *opj_pi_create_decode(opj_image_t *p_image, - l_current_pi->include = 00; - if (l_step_l <= (SIZE_MAX / (l_tcp->numlayers + 1U))) - { -- l_current_pi->include = (OPJ_INT16*) opj_calloc((l_tcp->numlayers +1) * l_step_l, sizeof(OPJ_INT16)); -+ l_current_pi->include = (OPJ_INT16*) opj_calloc((size_t)(l_tcp->numlayers + 1U) * l_step_l, sizeof(OPJ_INT16)); - } - - if --- -2.10.0 - diff --git a/main/openjpeg/CVE-2016-9580-9581.patch b/main/openjpeg/CVE-2016-9580-9581.patch deleted file mode 100644 index 064e7419c3..0000000000 --- a/main/openjpeg/CVE-2016-9580-9581.patch +++ /dev/null @@ -1,242 +0,0 @@ -From cadff5fb6e73398de26a92e96d3d7cac893af255 Mon Sep 17 00:00:00 2001 -From: szukw000 -Date: Fri, 9 Dec 2016 08:29:55 +0100 -Subject: [PATCH] These changes repair bugs of #871 and #872 - ---- - src/bin/jp2/converttif.c | 107 +++++++++++++++++++++++++++++++---------------- - 1 file changed, 70 insertions(+), 37 deletions(-) - -diff --git a/src/bin/jp2/converttif.c b/src/bin/jp2/converttif.c -index 143d3be..c690f8b 100644 ---- a/src/bin/jp2/converttif.c -+++ b/src/bin/jp2/converttif.c -@@ -553,20 +553,18 @@ static void tif_32sto16u(const OPJ_INT32* pSrc, OPJ_UINT16* pDst, OPJ_SIZE_T len - - int imagetotif(opj_image_t * image, const char *outfile) - { -- int width, height; -- int bps,adjust, sgnd; -- int tiPhoto; -+ uint32 width, height, bps, tiPhoto; -+ int adjust, sgnd; - TIFF *tif; - tdata_t buf; -- tsize_t strip_size; -+ tmsize_t strip_size, rowStride; - OPJ_UINT32 i, numcomps; -- OPJ_SIZE_T rowStride; - OPJ_INT32* buffer32s = NULL; - OPJ_INT32 const* planes[4]; - convert_32s_PXCX cvtPxToCx = NULL; - convert_32sXXx_C1R cvt32sToTif = NULL; - -- bps = (int)image->comps[0].prec; -+ bps = (uint32)image->comps[0].prec; - planes[0] = image->comps[0].data; - - numcomps = image->numcomps; -@@ -674,13 +672,13 @@ int imagetotif(opj_image_t * image, const char *outfile) - break; - } - sgnd = (int)image->comps[0].sgnd; -- adjust = sgnd ? 1 << (image->comps[0].prec - 1) : 0; -- width = (int)image->comps[0].w; -- height = (int)image->comps[0].h; -+ adjust = sgnd ? (int)(1 << (image->comps[0].prec - 1)) : 0; -+ width = (uint32)image->comps[0].w; -+ height = (uint32)image->comps[0].h; - - TIFFSetField(tif, TIFFTAG_IMAGEWIDTH, width); - TIFFSetField(tif, TIFFTAG_IMAGELENGTH, height); -- TIFFSetField(tif, TIFFTAG_SAMPLESPERPIXEL, numcomps); -+ TIFFSetField(tif, TIFFTAG_SAMPLESPERPIXEL, (uint32)numcomps); - TIFFSetField(tif, TIFFTAG_BITSPERSAMPLE, bps); - TIFFSetField(tif, TIFFTAG_ORIENTATION, ORIENTATION_TOPLEFT); - TIFFSetField(tif, TIFFTAG_PLANARCONFIG, PLANARCONFIG_CONTIG); -@@ -688,8 +686,8 @@ int imagetotif(opj_image_t * image, const char *outfile) - TIFFSetField(tif, TIFFTAG_ROWSPERSTRIP, 1); - - strip_size = TIFFStripSize(tif); -- rowStride = ((OPJ_SIZE_T)width * numcomps * (OPJ_SIZE_T)bps + 7U) / 8U; -- if (rowStride != (OPJ_SIZE_T)strip_size) { -+ rowStride = (width * numcomps * bps + 7U) / 8U; -+ if (rowStride != strip_size) { - fprintf(stderr, "Invalid TIFF strip size\n"); - TIFFClose(tif); - return 1; -@@ -699,7 +697,7 @@ int imagetotif(opj_image_t * image, const char *outfile) - TIFFClose(tif); - return 1; - } -- buffer32s = (OPJ_INT32 *)malloc((OPJ_SIZE_T)width * numcomps * sizeof(OPJ_INT32)); -+ buffer32s = (OPJ_INT32 *)malloc((OPJ_SIZE_T)(width * numcomps * sizeof(OPJ_INT32))); - if (buffer32s == NULL) { - _TIFFfree(buf); - TIFFClose(tif); -@@ -1211,20 +1209,19 @@ opj_image_t* tiftoimage(const char *filename, opj_cparameters_t *parameters) - TIFF *tif; - tdata_t buf; - tstrip_t strip; -- tsize_t strip_size; -+ tmsize_t strip_size; - int j, currentPlane, numcomps = 0, w, h; - OPJ_COLOR_SPACE color_space = OPJ_CLRSPC_UNKNOWN; - opj_image_cmptparm_t cmptparm[4]; /* RGBA */ - opj_image_t *image = NULL; - int has_alpha = 0; -- unsigned short tiBps, tiPhoto, tiSf, tiSpp, tiPC; -- unsigned int tiWidth, tiHeight; -+ uint32 tiBps, tiPhoto, tiSf, tiSpp, tiPC, tiWidth, tiHeight; - OPJ_BOOL is_cinema = OPJ_IS_CINEMA(parameters->rsiz); - convert_XXx32s_C1R cvtTifTo32s = NULL; - convert_32s_CXPX cvtCxToPx = NULL; - OPJ_INT32* buffer32s = NULL; - OPJ_INT32* planes[4]; -- OPJ_SIZE_T rowStride; -+ tmsize_t rowStride; - - tif = TIFFOpen(filename, "r"); - -@@ -1243,22 +1240,35 @@ opj_image_t* tiftoimage(const char *filename, opj_cparameters_t *parameters) - TIFFGetField(tif, TIFFTAG_SAMPLESPERPIXEL, &tiSpp); - TIFFGetField(tif, TIFFTAG_PHOTOMETRIC, &tiPhoto); - TIFFGetField(tif, TIFFTAG_PLANARCONFIG, &tiPC); -- w= (int)tiWidth; -- h= (int)tiHeight; -- -- if(tiBps > 16U) { -- fprintf(stderr,"tiftoimage: Bits=%d, Only 1 to 16 bits implemented\n",tiBps); -- fprintf(stderr,"\tAborting\n"); -+ -+ if(tiSpp == 0 || tiSpp > 4) { /* should be 1 ... 4 */ -+ fprintf(stderr,"tiftoimage: Bad value for samples per pixel == %hu.\n" -+ "\tAborting.\n", tiSpp); -+ TIFFClose(tif); -+ return NULL; -+ } -+ if(tiBps > 16U || tiBps == 0) { -+ fprintf(stderr,"tiftoimage: Bad values for Bits == %d.\n" -+ "\tMax. 16 Bits are allowed here.\n\tAborting.\n",tiBps); - TIFFClose(tif); - return NULL; - } - if(tiPhoto != PHOTOMETRIC_MINISBLACK && tiPhoto != PHOTOMETRIC_RGB) { -- fprintf(stderr,"tiftoimage: Bad color format %d.\n\tOnly RGB(A) and GRAY(A) has been implemented\n",(int) tiPhoto); -+ fprintf(stderr,"tiftoimage: Bad color format %d.\n" -+ "\tOnly RGB(A) and GRAY(A) has been implemented\n",(int) tiPhoto); - fprintf(stderr,"\tAborting\n"); - TIFFClose(tif); - return NULL; - } -- -+ if(tiWidth == 0 || tiHeight == 0) { -+ fprintf(stderr,"tiftoimage: Bad values for width(%u) " -+ "and/or height(%u)\n\tAborting.\n",tiWidth,tiHeight); -+ TIFFClose(tif); -+ return NULL; -+ } -+ w= (int)tiWidth; -+ h= (int)tiHeight; -+ - switch (tiBps) { - case 1: - case 2: -@@ -1312,7 +1322,7 @@ opj_image_t* tiftoimage(const char *filename, opj_cparameters_t *parameters) - - TIFFGetFieldDefaulted(tif, TIFFTAG_EXTRASAMPLES, - &extrasamples, &sampleinfo); -- -+ - if(extrasamples >= 1) - { - switch(sampleinfo[0]) -@@ -1333,7 +1343,7 @@ opj_image_t* tiftoimage(const char *filename, opj_cparameters_t *parameters) - else /* extrasamples == 0 */ - if(tiSpp == 4 || tiSpp == 2) has_alpha = 1; - } -- -+ - /* initialize image components */ - memset(&cmptparm[0], 0, 4 * sizeof(opj_image_cmptparm_t)); - -@@ -1346,7 +1356,7 @@ opj_image_t* tiftoimage(const char *filename, opj_cparameters_t *parameters) - } else { - is_cinema = 0U; - } -- -+ - if(tiPhoto == PHOTOMETRIC_RGB) /* RGB(A) */ - { - numcomps = 3 + has_alpha; -@@ -1384,10 +1394,24 @@ opj_image_t* tiftoimage(const char *filename, opj_cparameters_t *parameters) - image->x0 = (OPJ_UINT32)parameters->image_offset_x0; - image->y0 = (OPJ_UINT32)parameters->image_offset_y0; - image->x1 = !image->x0 ? (OPJ_UINT32)(w - 1) * (OPJ_UINT32)subsampling_dx + 1 : -- image->x0 + (OPJ_UINT32)(w - 1) * (OPJ_UINT32)subsampling_dx + 1; -+ image->x0 + (OPJ_UINT32)(w - 1) * (OPJ_UINT32)subsampling_dx + 1; -+ if(image->x1 <= image->x0) { -+ fprintf(stderr,"tiftoimage: Bad value for image->x1(%d) vs. " -+ "image->x0(%d)\n\tAborting.\n",image->x1,image->x0); -+ TIFFClose(tif); -+ opj_image_destroy(image); -+ return NULL; -+ } - image->y1 = !image->y0 ? (OPJ_UINT32)(h - 1) * (OPJ_UINT32)subsampling_dy + 1 : -- image->y0 + (OPJ_UINT32)(h - 1) * (OPJ_UINT32)subsampling_dy + 1; -- -+ image->y0 + (OPJ_UINT32)(h - 1) * (OPJ_UINT32)subsampling_dy + 1; -+ if(image->y1 <= image->y0) { -+ fprintf(stderr,"tiftoimage: Bad value for image->y1(%d) vs. " -+ "image->y0(%d)\n\tAborting.\n",image->y1,image->y0); -+ TIFFClose(tif); -+ opj_image_destroy(image); -+ return NULL; -+ } -+ - for(j = 0; j < numcomps; j++) - { - planes[j] = image->comps[j].data; -@@ -1395,15 +1419,15 @@ opj_image_t* tiftoimage(const char *filename, opj_cparameters_t *parameters) - image->comps[numcomps - 1].alpha = (OPJ_UINT16)(1 - (numcomps & 1)); - - strip_size = TIFFStripSize(tif); -- -+ - buf = _TIFFmalloc(strip_size); - if (buf == NULL) { - TIFFClose(tif); - opj_image_destroy(image); - return NULL; - } -- rowStride = ((OPJ_SIZE_T)w * tiSpp * tiBps + 7U) / 8U; -- buffer32s = (OPJ_INT32 *)malloc((OPJ_SIZE_T)w * tiSpp * sizeof(OPJ_INT32)); -+ rowStride = (w * tiSpp * tiBps + 7U) / 8U; -+ buffer32s = (OPJ_INT32 *)malloc((OPJ_SIZE_T)(w * tiSpp * sizeof(OPJ_INT32))); - if (buffer32s == NULL) { - _TIFFfree(buf); - TIFFClose(tif); -@@ -1421,11 +1445,20 @@ opj_image_t* tiftoimage(const char *filename, opj_cparameters_t *parameters) - for(; (h > 0) && (strip < TIFFNumberOfStrips(tif)); strip++) - { - const OPJ_UINT8 *dat8; -- OPJ_SIZE_T ssize; -+ tmsize_t ssize; - -- ssize = (OPJ_SIZE_T)TIFFReadEncodedStrip(tif, strip, buf, strip_size); -+ ssize = TIFFReadEncodedStrip(tif, strip, buf, strip_size); -+ if(ssize < 1 || ssize > strip_size) { -+ fprintf(stderr,"tiftoimage: Bad value for ssize(%ld) " -+ "vs. strip_size(%ld).\n\tAborting.\n",ssize,strip_size); -+ _TIFFfree(buf); -+ _TIFFfree(buffer32s); -+ TIFFClose(tif); -+ opj_image_destroy(image); -+ return NULL; -+ } - dat8 = (const OPJ_UINT8*)buf; -- -+ - while (ssize >= rowStride) { - cvtTifTo32s(dat8, buffer32s, (OPJ_SIZE_T)w * tiSpp); - cvtCxToPx(buffer32s, planes, (OPJ_SIZE_T)w); diff --git a/main/openjpeg/CVE-2017-12982.patch b/main/openjpeg/CVE-2017-12982.patch deleted file mode 100644 index 724cf602d1..0000000000 --- a/main/openjpeg/CVE-2017-12982.patch +++ /dev/null @@ -1,25 +0,0 @@ -From baf0c1ad4572daa89caa3b12985bdd93530f0dd7 Mon Sep 17 00:00:00 2001 -From: Even Rouault -Date: Mon, 14 Aug 2017 17:26:58 +0200 -Subject: [PATCH] bmp_read_info_header(): reject bmp files with biBitCount == 0 - (#983) - ---- - src/bin/jp2/convertbmp.c | 4 ++++ - 1 file changed, 4 insertions(+) - -diff --git a/src/bin/jp2/convertbmp.c b/src/bin/jp2/convertbmp.c -index b49e7a080..2715fdf24 100644 ---- a/src/bin/jp2/convertbmp.c -+++ b/src/bin/jp2/convertbmp.c -@@ -392,6 +392,10 @@ static OPJ_BOOL bmp_read_info_header(FILE* IN, OPJ_BITMAPINFOHEADER* header) - - header->biBitCount = (OPJ_UINT16)getc(IN); - header->biBitCount |= (OPJ_UINT16)((OPJ_UINT32)getc(IN) << 8); -+ if (header->biBitCount == 0) { -+ fprintf(stderr, "Error, invalid biBitCount %d\n", 0); -+ return OPJ_FALSE; -+ } - - if (header->biSize >= 40U) { - header->biCompression = (OPJ_UINT32)getc(IN); diff --git a/main/openjpeg/CVE-2017-14040.patch b/main/openjpeg/CVE-2017-14040.patch deleted file mode 100644 index dd9183dad1..0000000000 --- a/main/openjpeg/CVE-2017-14040.patch +++ /dev/null @@ -1,80 +0,0 @@ -From 2cd30c2b06ce332dede81cccad8b334cde997281 Mon Sep 17 00:00:00 2001 -From: Even Rouault -Date: Thu, 17 Aug 2017 11:47:40 +0200 -Subject: [PATCH] tgatoimage(): avoid excessive memory allocation attempt, and - fixes unaligned load (#995) - ---- - src/bin/jp2/convert.c | 39 +++++++++++++++++++++++++++------------ - 1 file changed, 27 insertions(+), 12 deletions(-) - -diff --git a/src/bin/jp2/convert.c b/src/bin/jp2/convert.c -index a4eb81f6a..73dfc8d5f 100644 ---- a/src/bin/jp2/convert.c -+++ b/src/bin/jp2/convert.c -@@ -580,13 +580,10 @@ struct tga_header { - }; - #endif /* INFORMATION_ONLY */ - --static unsigned short get_ushort(const unsigned char *data) -+/* Returns a ushort from a little-endian serialized value */ -+static unsigned short get_tga_ushort(const unsigned char *data) - { -- unsigned short val = *(const unsigned short *)data; --#ifdef OPJ_BIG_ENDIAN -- val = ((val & 0xffU) << 8) | (val >> 8); --#endif -- return val; -+ return data[0] | (data[1] << 8); - } - - #define TGA_HEADER_SIZE 18 -@@ -613,17 +610,17 @@ static int tga_readheader(FILE *fp, unsigned int *bits_per_pixel, - id_len = tga[0]; - /*cmap_type = tga[1];*/ - image_type = tga[2]; -- /*cmap_index = get_ushort(&tga[3]);*/ -- cmap_len = get_ushort(&tga[5]); -+ /*cmap_index = get_tga_ushort(&tga[3]);*/ -+ cmap_len = get_tga_ushort(&tga[5]); - cmap_entry_size = tga[7]; - - - #if 0 -- x_origin = get_ushort(&tga[8]); -- y_origin = get_ushort(&tga[10]); -+ x_origin = get_tga_ushort(&tga[8]); -+ y_origin = get_tga_ushort(&tga[10]); - #endif -- image_w = get_ushort(&tga[12]); -- image_h = get_ushort(&tga[14]); -+ image_w = get_tga_ushort(&tga[12]); -+ image_h = get_tga_ushort(&tga[14]); - pixel_depth = tga[16]; - image_desc = tga[17]; - -@@ -817,6 +814,24 @@ opj_image_t* tgatoimage(const char *filename, opj_cparameters_t *parameters) - color_space = OPJ_CLRSPC_SRGB; - } - -+ /* If the declared file size is > 10 MB, check that the file is big */ -+ /* enough to avoid excessive memory allocations */ -+ if (image_height != 0 && image_width > 10000000 / image_height / numcomps) { -+ char ch; -+ OPJ_UINT64 expected_file_size = -+ (OPJ_UINT64)image_width * image_height * numcomps; -+ long curpos = ftell(f); -+ if (expected_file_size > (OPJ_UINT64)INT_MAX) { -+ expected_file_size = (OPJ_UINT64)INT_MAX; -+ } -+ fseek(f, (long)expected_file_size - 1, SEEK_SET); -+ if (fread(&ch, 1, 1, f) != 1) { -+ fclose(f); -+ return NULL; -+ } -+ fseek(f, curpos, SEEK_SET); -+ } -+ - subsampling_dx = parameters->subsampling_dx; - subsampling_dy = parameters->subsampling_dy; - diff --git a/main/openjpeg/CVE-2017-14041.patch b/main/openjpeg/CVE-2017-14041.patch deleted file mode 100644 index ebfe1ad27f..0000000000 --- a/main/openjpeg/CVE-2017-14041.patch +++ /dev/null @@ -1,22 +0,0 @@ -From e5285319229a5d77bf316bb0d3a6cbd3cb8666d9 Mon Sep 17 00:00:00 2001 -From: Even Rouault -Date: Fri, 18 Aug 2017 13:39:20 +0200 -Subject: [PATCH] pgxtoimage(): fix write stack buffer overflow (#997) - ---- - src/bin/jp2/convert.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/bin/jp2/convert.c b/src/bin/jp2/convert.c -index 5459f7d44..e606c9be7 100644 ---- a/src/bin/jp2/convert.c -+++ b/src/bin/jp2/convert.c -@@ -1185,7 +1185,7 @@ opj_image_t* pgxtoimage(const char *filename, opj_cparameters_t *parameters) - } - - fseek(f, 0, SEEK_SET); -- if (fscanf(f, "PG%[ \t]%c%c%[ \t+-]%d%[ \t]%d%[ \t]%d", temp, &endian1, -+ if (fscanf(f, "PG%31[ \t]%c%c%31[ \t+-]%d%31[ \t]%d%31[ \t]%d", temp, &endian1, - &endian2, signtmp, &prec, temp, &w, temp, &h) != 9) { - fclose(f); - fprintf(stderr, diff --git a/main/openjpeg/CVE-2017-14151.patch b/main/openjpeg/CVE-2017-14151.patch deleted file mode 100644 index c8a1fd65f1..0000000000 --- a/main/openjpeg/CVE-2017-14151.patch +++ /dev/null @@ -1,43 +0,0 @@ -From afb308b9ccbe129608c9205cf3bb39bbefad90b9 Mon Sep 17 00:00:00 2001 -From: Even Rouault -Date: Mon, 14 Aug 2017 17:20:37 +0200 -Subject: [PATCH] Encoder: grow buffer size in - opj_tcd_code_block_enc_allocate_data() to avoid write heap buffer overflow in - opj_mqc_flush (#982) - ---- - src/lib/openjp2/tcd.c | 7 +++++-- - tests/nonregression/test_suite.ctest.in | 2 ++ - 2 files changed, 7 insertions(+), 2 deletions(-) - -diff --git a/src/lib/openjp2/tcd.c b/src/lib/openjp2/tcd.c -index 301c7213e..53cdcf64d 100644 ---- a/src/lib/openjp2/tcd.c -+++ b/src/lib/openjp2/tcd.c -@@ -1187,8 +1187,11 @@ static OPJ_BOOL opj_tcd_code_block_enc_allocate_data(opj_tcd_cblk_enc_t * - { - OPJ_UINT32 l_data_size; - -- /* The +1 is needed for https://github.com/uclouvain/openjpeg/issues/835 */ -- l_data_size = 1 + (OPJ_UINT32)((p_code_block->x1 - p_code_block->x0) * -+ /* +1 is needed for https://github.com/uclouvain/openjpeg/issues/835 */ -+ /* and actually +2 required for https://github.com/uclouvain/openjpeg/issues/982 */ -+ /* TODO: is there a theoretical upper-bound for the compressed code */ -+ /* block size ? */ -+ l_data_size = 2 + (OPJ_UINT32)((p_code_block->x1 - p_code_block->x0) * - (p_code_block->y1 - p_code_block->y0) * (OPJ_INT32)sizeof(OPJ_UINT32)); - - if (l_data_size > p_code_block->data_size) { -diff --git a/tests/nonregression/test_suite.ctest.in b/tests/nonregression/test_suite.ctest.in -index aaf40d7d0..ffd964c2a 100644 ---- a/tests/nonregression/test_suite.ctest.in -+++ b/tests/nonregression/test_suite.ctest.in -@@ -169,6 +169,8 @@ opj_compress -i @INPUT_NR_PATH@/Bretagne2.ppm -o @TEMP_PATH@/Bretagne2_empty_ban - # Same rate as Bretagne2_4.j2k - opj_compress -i @INPUT_NR_PATH@/Bretagne2.ppm -o @TEMP_PATH@/Bretagne2_empty_band_r800.j2k -t 2591,1943 -n 2 -r 800 - -+opj_compress -i @INPUT_NR_PATH@/issue982.bmp -o @TEMP_PATH@/issue982.j2k -n 1 -+ - # DECODER TEST SUITE - opj_decompress -i @INPUT_NR_PATH@/Bretagne2.j2k -o @TEMP_PATH@/Bretagne2.j2k.pgx - opj_decompress -i @INPUT_NR_PATH@/_00042.j2k -o @TEMP_PATH@/_00042.j2k.pgx diff --git a/main/openjpeg/CVE-2017-14152.patch b/main/openjpeg/CVE-2017-14152.patch deleted file mode 100644 index d165090a1a..0000000000 --- a/main/openjpeg/CVE-2017-14152.patch +++ /dev/null @@ -1,35 +0,0 @@ -From 4241ae6fbbf1de9658764a80944dc8108f2b4154 Mon Sep 17 00:00:00 2001 -From: Even Rouault -Date: Tue, 15 Aug 2017 11:55:58 +0200 -Subject: [PATCH] Fix assertion in debug mode / heap-based buffer overflow in - opj_write_bytes_LE for Cinema profiles with numresolutions = 1 (#985) - ---- - src/lib/openjp2/j2k.c | 14 ++++++++++---- - 1 file changed, 10 insertions(+), 4 deletions(-) - -diff --git a/src/lib/openjp2/j2k.c b/src/lib/openjp2/j2k.c -index a2521ebbc..54b490a8c 100644 ---- a/src/lib/openjp2/j2k.c -+++ b/src/lib/openjp2/j2k.c -@@ -6573,10 +6573,16 @@ static void opj_j2k_set_cinema_parameters(opj_cparameters_t *parameters, - - /* Precincts */ - parameters->csty |= 0x01; -- parameters->res_spec = parameters->numresolution - 1; -- for (i = 0; i < parameters->res_spec; i++) { -- parameters->prcw_init[i] = 256; -- parameters->prch_init[i] = 256; -+ if (parameters->numresolution == 1) { -+ parameters->res_spec = 1; -+ parameters->prcw_init[0] = 128; -+ parameters->prch_init[0] = 128; -+ } else { -+ parameters->res_spec = parameters->numresolution - 1; -+ for (i = 0; i < parameters->res_spec; i++) { -+ parameters->prcw_init[i] = 256; -+ parameters->prch_init[i] = 256; -+ } - } - - /* The progression order shall be CPRL */ diff --git a/main/openjpeg/CVE-2017-14164.patch b/main/openjpeg/CVE-2017-14164.patch deleted file mode 100644 index a61b015180..0000000000 --- a/main/openjpeg/CVE-2017-14164.patch +++ /dev/null @@ -1,86 +0,0 @@ -From dcac91b8c72f743bda7dbfa9032356bc8110098a Mon Sep 17 00:00:00 2001 -From: Even Rouault -Date: Wed, 16 Aug 2017 17:09:10 +0200 -Subject: [PATCH] opj_j2k_write_sot(): fix potential write heap buffer overflow - (#991) - ---- - src/lib/openjp2/j2k.c | 25 ++++++++++++++++++++----- - 1 file changed, 20 insertions(+), 5 deletions(-) - -diff --git a/src/lib/openjp2/j2k.c b/src/lib/openjp2/j2k.c -index 54b490a8c..16915452e 100644 ---- a/src/lib/openjp2/j2k.c -+++ b/src/lib/openjp2/j2k.c -@@ -832,13 +832,15 @@ static OPJ_BOOL opj_j2k_write_tlm(opj_j2k_t *p_j2k, - * Writes the SOT marker (Start of tile-part) - * - * @param p_j2k J2K codec. -- * @param p_data FIXME DOC -- * @param p_data_written FIXME DOC -+ * @param p_data Output buffer -+ * @param p_total_data_size Output buffer size -+ * @param p_data_written Number of bytes written into stream - * @param p_stream the stream to write data to. - * @param p_manager the user event manager. - */ - static OPJ_BOOL opj_j2k_write_sot(opj_j2k_t *p_j2k, - OPJ_BYTE * p_data, -+ OPJ_UINT32 p_total_data_size, - OPJ_UINT32 * p_data_written, - const opj_stream_private_t *p_stream, - opj_event_mgr_t * p_manager); -@@ -4201,6 +4203,7 @@ static OPJ_BOOL opj_j2k_write_tlm(opj_j2k_t *p_j2k, - - static OPJ_BOOL opj_j2k_write_sot(opj_j2k_t *p_j2k, - OPJ_BYTE * p_data, -+ OPJ_UINT32 p_total_data_size, - OPJ_UINT32 * p_data_written, - const opj_stream_private_t *p_stream, - opj_event_mgr_t * p_manager -@@ -4214,6 +4217,12 @@ static OPJ_BOOL opj_j2k_write_sot(opj_j2k_t *p_j2k, - OPJ_UNUSED(p_stream); - OPJ_UNUSED(p_manager); - -+ if (p_total_data_size < 12) { -+ opj_event_msg(p_manager, EVT_ERROR, -+ "Not enough bytes in output buffer to write SOT marker\n"); -+ return OPJ_FALSE; -+ } -+ - opj_write_bytes(p_data, J2K_MS_SOT, - 2); /* SOT */ - p_data += 2; -@@ -11480,7 +11489,8 @@ static OPJ_BOOL opj_j2k_write_first_tile_part(opj_j2k_t *p_j2k, - - l_current_nb_bytes_written = 0; - l_begin_data = p_data; -- if (! opj_j2k_write_sot(p_j2k, p_data, &l_current_nb_bytes_written, p_stream, -+ if (! opj_j2k_write_sot(p_j2k, p_data, p_total_data_size, -+ &l_current_nb_bytes_written, p_stream, - p_manager)) { - return OPJ_FALSE; - } -@@ -11572,7 +11582,10 @@ static OPJ_BOOL opj_j2k_write_all_tile_parts(opj_j2k_t *p_j2k, - l_part_tile_size = 0; - l_begin_data = p_data; - -- if (! opj_j2k_write_sot(p_j2k, p_data, &l_current_nb_bytes_written, p_stream, -+ if (! opj_j2k_write_sot(p_j2k, p_data, -+ p_total_data_size, -+ &l_current_nb_bytes_written, -+ p_stream, - p_manager)) { - return OPJ_FALSE; - } -@@ -11615,7 +11628,9 @@ static OPJ_BOOL opj_j2k_write_all_tile_parts(opj_j2k_t *p_j2k, - l_part_tile_size = 0; - l_begin_data = p_data; - -- if (! opj_j2k_write_sot(p_j2k, p_data, &l_current_nb_bytes_written, p_stream, -+ if (! opj_j2k_write_sot(p_j2k, p_data, -+ p_total_data_size, -+ &l_current_nb_bytes_written, p_stream, - p_manager)) { - return OPJ_FALSE; - } diff --git a/main/openjpeg/CVE-2017-17480.patch b/main/openjpeg/CVE-2017-17480.patch new file mode 100644 index 0000000000..032315c1d2 --- /dev/null +++ b/main/openjpeg/CVE-2017-17480.patch @@ -0,0 +1,42 @@ +From 0bc90e4062a5f9258c91eca018c019b179066c62 Mon Sep 17 00:00:00 2001 +From: Hugo Lefeuvre +Date: Mon, 22 Oct 2018 16:59:41 +0200 +Subject: [PATCH] jp3d/jpwl convert: fix write stack buffer overflow + +Missing buffer length formatter in fscanf call might lead to write +stack buffer overflow. + +fixes #1044 (CVE-2017-17480) +--- + src/bin/jp3d/convert.c | 4 ++-- + src/bin/jpwl/convert.c | 2 +- + 2 files changed, 3 insertions(+), 3 deletions(-) + +diff --git a/src/bin/jp3d/convert.c b/src/bin/jp3d/convert.c +index 23fd70b04..acad8f82a 100644 +--- a/src/bin/jp3d/convert.c ++++ b/src/bin/jp3d/convert.c +@@ -297,8 +297,8 @@ opj_volume_t* pgxtovolume(char *relpath, opj_cparameters_t *parameters) + fprintf(stdout, "[INFO] Loading %s \n", pgxfiles[pos]); + + fseek(f, 0, SEEK_SET); +- fscanf(f, "PG%[ \t]%c%c%[ \t+-]%d%[ \t]%d%[ \t]%d", temp, &endian1, &endian2, +- signtmp, &prec, temp, &w, temp, &h); ++ fscanf(f, "PG%31[ \t]%c%c%31[ \t+-]%d%31[ \t]%d%31[ \t]%d", temp, &endian1, ++ &endian2, signtmp, &prec, temp, &w, temp, &h); + + i = 0; + sign = '+'; +diff --git a/src/bin/jpwl/convert.c b/src/bin/jpwl/convert.c +index f3bb670b0..73c1be729 100644 +--- a/src/bin/jpwl/convert.c ++++ b/src/bin/jpwl/convert.c +@@ -1349,7 +1349,7 @@ opj_image_t* pgxtoimage(const char *filename, opj_cparameters_t *parameters) + } + + fseek(f, 0, SEEK_SET); +- if (fscanf(f, "PG%[ \t]%c%c%[ \t+-]%d%[ \t]%d%[ \t]%d", temp, &endian1, ++ if (fscanf(f, "PG%31[ \t]%c%c%31[ \t+-]%d%31[ \t]%d%31[ \t]%d", temp, &endian1, + &endian2, signtmp, &prec, temp, &w, temp, &h) != 9) { + fprintf(stderr, + "ERROR: Failed to read the right number of element from the fscanf() function!\n"); diff --git a/main/openjpeg/CVE-2018-18088.patch b/main/openjpeg/CVE-2018-18088.patch new file mode 100644 index 0000000000..e6927dc904 --- /dev/null +++ b/main/openjpeg/CVE-2018-18088.patch @@ -0,0 +1,34 @@ +From cab352e249ed3372dd9355c85e837613fff98fa2 Mon Sep 17 00:00:00 2001 +From: Hugo Lefeuvre +Date: Wed, 7 Nov 2018 18:48:29 +0100 +Subject: [PATCH] jp2: convert: fix null pointer dereference + +Tile components in a JP2 image might have null data pointer by defining a +zero component size (for example using large horizontal or vertical +sampling periods). This null data pointer leads to null image component +data pointer, causing crash when dereferenced without != null check in +imagetopnm. + +Add != null check. + +This commit addresses #1152 (CVE-2018-18088). +--- + src/bin/jp2/convert.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/src/bin/jp2/convert.c b/src/bin/jp2/convert.c +index fa02e31c5..e670cd82f 100644 +--- a/src/bin/jp2/convert.c ++++ b/src/bin/jp2/convert.c +@@ -2233,6 +2233,11 @@ int imagetopnm(opj_image_t * image, const char *outfile, int force_split) + opj_version(), wr, hr, max); + + red = image->comps[compno].data; ++ if (!red) { ++ fclose(fdest); ++ continue; ++ } ++ + adjustR = + (image->comps[compno].sgnd ? 1 << (image->comps[compno].prec - 1) : 0); + -- cgit v1.2.3