Commit 114dac2e authored by Thorsten Alteholz's avatar Thorsten Alteholz Committed by Mathieu Malaterre

Import Debian changes 2.1.0-2+deb8u4

openjpeg2 (2.1.0-2+deb8u4) jessie-security; urgency=high

  * Non-maintainer upload by the LTS Team. 
  * CVE-2015-1239
    Fix for denial of service (process crash) via a crafted PDF.
  * CVE-2016-5139
    Fix for integer overflows that allow a denial of service
    (heap-based buffer overflow) or possibly other unspecified
    impact via crafted JPEG 2000 data.
parent ac9f2622
openjpeg2 (2.1.0-2+deb8u4) jessie-security; urgency=high
* Non-maintainer upload by the LTS Team.
* CVE-2015-1239
Fix for denial of service (process crash) via a crafted PDF.
* CVE-2016-5139
Fix for integer overflows, allowing a denial of service
(heap-based buffer overflow) or possibly have unspecified
other impact via crafted JPEG 2000 data.
-- Thorsten Alteholz <debian@alteholz.de> Thu, 19 Jul 2018 19:03:02 +0200
openjpeg2 (2.1.0-2+deb8u3) jessie-security; urgency=medium
* CVE-2016-9118: c22cbd8bdf8ff2ae372f94391a4be2d322b36b41.patch
......
Index: openjpeg2-2.1.0/src/lib/openjp2/opj_intmath.h
===================================================================
--- openjpeg2-2.1.0.orig/src/lib/openjp2/opj_intmath.h 2018-07-17 12:53:00.463830392 +0200
+++ openjpeg2-2.1.0/src/lib/openjp2/opj_intmath.h 2018-07-17 12:53:00.431830393 +0200
@@ -82,6 +82,15 @@
}
/**
+ Get the saturated sum of two unsigned integers
+ @return Returns saturated sum of a+b
+ */
+static INLINE OPJ_UINT32 opj_uint_adds(OPJ_UINT32 a, OPJ_UINT32 b) {
+ OPJ_UINT64 sum = (OPJ_UINT64)a + (OPJ_UINT64)b;
+ return -(OPJ_UINT32)(sum >> 32) | (OPJ_UINT32)sum;
+}
+
+/**
Clamp an integer inside an interval
@return
<ul>
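Review bot: The doc comment on `opj_uint_adds` does not state the saturation value or document its parameters, and the return expression is a branchless trick that needs a line of explanation. I would extend the comment to say `Returns a+b, or 0xFFFFFFFF when the sum does not fit in 32 bits` and add above the return `/* sum >> 32 is 1 on carry; negating it gives an all-ones mask that forces the result to the 32-bit maximum */`. Negating an unsigned value is well defined in C, but some compilers warn about it, so `sum > 0xFFFFFFFFU ? 0xFFFFFFFFU : (OPJ_UINT32)sum` would read more directly. The hunk ends inside the doc comment of the following clamp helper.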
Index: openjpeg2-2.1.0/src/lib/openjp2/pi.c
===================================================================
--- openjpeg2-2.1.0.orig/src/lib/openjp2/pi.c 2018-07-17 12:53:00.463830392 +0200
+++ openjpeg2-2.1.0/src/lib/openjp2/pi.c 2018-07-17 13:15:45.795789463 +0200
@@ -574,6 +574,9 @@
/* position in x and y of tile */
OPJ_UINT32 p, q;
+ /* non-corrected (in regard to image offset) tile offset */
+ OPJ_UINT32 l_tx0, l_ty0;
+
/* preconditions */
assert(p_cp != 00);
assert(p_image != 00);
@@ -589,10 +592,12 @@
q = p_tileno / p_cp->tw;
/* find extent of tile */
- *p_tx0 = opj_int_max((OPJ_INT32)(p_cp->tx0 + p * p_cp->tdx), (OPJ_INT32)p_image->x0);
- *p_tx1 = opj_int_min((OPJ_INT32)(p_cp->tx0 + (p + 1) * p_cp->tdx), (OPJ_INT32)p_image->x1);
- *p_ty0 = opj_int_max((OPJ_INT32)(p_cp->ty0 + q * p_cp->tdy), (OPJ_INT32)p_image->y0);
- *p_ty1 = opj_int_min((OPJ_INT32)(p_cp->ty0 + (q + 1) * p_cp->tdy), (OPJ_INT32)p_image->y1);
+ l_tx0 = p_cp->tx0 + p * p_cp->tdx; /* can't be greater than p_image->x1 so won't overflow */
+ *p_tx0 = (OPJ_INT32)opj_uint_max(l_tx0, p_image->x0);
+ *p_tx1 = (OPJ_INT32)opj_uint_min(opj_uint_adds(l_tx0, p_cp->tdx), p_image->x1);
+ l_ty0 = p_cp->ty0 + q * p_cp->tdy; /* can't be greater than p_image->y1 so won't overflow */
+ *p_ty0 = (OPJ_INT32)opj_uint_max(l_ty0, p_image->y0);
+ *p_ty1 = (OPJ_INT32)opj_uint_min(opj_uint_adds(l_ty0, p_cp->tdy), p_image->y1);
/* max precision is 0 (can only grow) */
*p_max_prec = 0;
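Review bot: The `won't overflow` comments on the `l_tx0` and `l_ty0` lines rest on a bound that nothing in this hunk enforces. `p * p_cp->tdx` is a 32-bit multiply, so it wraps silently if `p_cp->tw`, `tdx` and `tx0` were not validated against the image extent before this point. The comment should name the check it depends on, for example `/* relies on p < tw and the tile grid having been validated against x1 at header parse time (confirm) */`; the same applies to the identical comments in the tcd.c hunk at -666. The four results are also cast to `OPJ_INT32` with no sign test here, whereas the tcd.c counterpart rejects negative tile bounds. The enclosing function begins and ends outside the hunk, so whether its callers tolerate a negative extent cannot be confirmed from here.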
@@ -693,6 +698,9 @@
/* position in x and y of tile*/
OPJ_UINT32 p, q;
+ /* non-corrected (in regard to image offset) tile offset */
+ OPJ_UINT32 l_tx0, l_ty0;
+
/* preconditions in debug*/
assert(p_cp != 00);
assert(p_image != 00);
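Review bot: `l_tx0` and `l_ty0` are declared in this second function, but no pi.c hunk shown uses them there; the saturating rewrite of the tile-extent lines appears only in the -589 hunk. If this function still computes its extents in the old form `opj_int_min((OPJ_INT32)(p_cp->tx0 + (p + 1) * p_cp->tdx), (OPJ_INT32)p_image->x1)`, the overflow this patch targets would remain reachable through it, and the new locals would only produce unused-variable warnings. The function body lies outside the hunk, so this needs checking against the patched file. If the old form is present, the four assignments should mirror the first function, e.g. `*p_tx1 = (OPJ_INT32)opj_uint_min(opj_uint_adds(l_tx0, p_cp->tdx), p_image->x1);`.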
Index: openjpeg2-2.1.0/src/lib/openjp2/tcd.c
===================================================================
--- openjpeg2-2.1.0.orig/src/lib/openjp2/tcd.c 2018-07-17 12:53:00.463830392 +0200
+++ openjpeg2-2.1.0/src/lib/openjp2/tcd.c 2018-07-17 13:13:21.000000000 +0200
@@ -640,6 +640,7 @@
OPJ_UINT32 l_pdx, l_pdy; \
OPJ_UINT32 l_gain; \
OPJ_INT32 l_x0b, l_y0b; \
+ OPJ_UINT32 l_tx0, l_ty0; \
/* extent of precincts , top left, bottom right**/ \
OPJ_INT32 l_tl_prc_x_start, l_tl_prc_y_start, l_br_prc_x_end, l_br_prc_y_end; \
/* number of precinct for a resolution */ \
@@ -666,11 +667,13 @@
/*fprintf(stderr, "Tile coordinate = %d,%d\n", p, q);*/ \
\
/* 4 borders of the tile rescale on the image if necessary */ \
- l_tile->x0 = opj_int_max((OPJ_INT32)(l_cp->tx0 + p * l_cp->tdx), (OPJ_INT32)l_image->x0); \
- l_tile->y0 = opj_int_max((OPJ_INT32)(l_cp->ty0 + q * l_cp->tdy), (OPJ_INT32)l_image->y0); \
+ l_tx0 = l_cp->tx0 + p * l_cp->tdx; /* can't be greater than l_image->x1 so won't overflow */ \
+ l_tile->x0 = (OPJ_INT32)opj_uint_max(l_tx0, l_image->x0); \
if (l_tile->x0 < 0 || l_tile->x1 < 0) return OPJ_FALSE; \
- l_tile->x1 = opj_int_min((OPJ_INT32)(l_cp->tx0 + (p + 1) * l_cp->tdx), (OPJ_INT32)l_image->x1); \
- l_tile->y1 = opj_int_min((OPJ_INT32)(l_cp->ty0 + (q + 1) * l_cp->tdy), (OPJ_INT32)l_image->y1); \
+ l_tile->x1 = (OPJ_INT32)opj_uint_min(opj_uint_adds(l_tx0, l_cp->tdx), l_image->x1); \
+ l_ty0 = l_cp->ty0 + q * l_cp->tdy; /* can't be greater than l_image->y1 so won't overflow */ \
+ l_tile->y0 = (OPJ_INT32)opj_uint_max(l_ty0, l_image->y0); \
+ l_tile->y1 = (OPJ_INT32)opj_uint_min(opj_uint_adds(l_ty0, l_cp->tdy), l_image->y1); \
if (l_tile->y0 < 0 || l_tile->y1 < 0) return OPJ_FALSE; \
/* testcase 1888.pdf.asan.35.988 */ \
if (l_tccp->numresolutions == 0) { \
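Review bot: The test `if (l_tile->x0 < 0 || l_tile->x1 < 0) return OPJ_FALSE;` still sits between the `l_tile->x0` and `l_tile->x1` assignments, so it reads `l_tile->x1` before this pass has written it. With the new code `x1` is an unsigned minimum cast to `OPJ_INT32`, so an image extent above INT32_MAX would typically convert to a negative `x1` that this test does not reject. The y-axis test is placed correctly, after both of its assignments. Moving the x-axis line to directly after `l_tile->x1 = (OPJ_INT32)opj_uint_min(opj_uint_adds(l_tx0, l_cp->tdx), l_image->x1);` would make the two axes symmetric. This code is inside a multi-line macro whose start and end are outside the hunk.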
Index: openjpeg2-2.1.0/src/lib/openjp2/tcd.c
===================================================================
--- openjpeg2-2.1.0.orig/src/lib/openjp2/tcd.c 2018-07-17 12:53:00.451830392 +0200
+++ openjpeg2-2.1.0/src/lib/openjp2/tcd.c 2018-07-17 12:58:59.407819632 +0200
@@ -793,7 +793,11 @@
l_res->ph = (l_res->y0 == l_res->y1) ? 0 : (OPJ_UINT32)((l_br_prc_y_end - l_tl_prc_y_start) >> l_pdy); \
/*fprintf(stderr, "\t\t\tres_pw=%d, res_ph=%d\n", l_res->pw, l_res->ph );*/ \
\
+ if (l_res->pw && ((OPJ_UINT32)-1) / l_res->pw < l_res->ph) return OPJ_FALSE; \
+ \
l_nb_precincts = l_res->pw * l_res->ph; \
+ if (((OPJ_UINT32)-1) / (OPJ_UINT32)sizeof(opj_tcd_precinct_t) < l_nb_precincts) return OPJ_FALSE; \
+ \
l_nb_precinct_size = l_nb_precincts * (OPJ_UINT32)sizeof(opj_tcd_precinct_t); \
if (resno == 0) { \
tlcbgxstart = l_tl_prc_x_start; \
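Review bot: The two new guards carry no comment, and `((OPJ_UINT32)-1)` stands in for the 32-bit maximum twice without a name. I would add `/* reject pw*ph that would wrap 32 bits */` above the first and `/* reject a precinct array size that would wrap 32 bits */` above the second, each with the macro's trailing backslash. Both guards return `OPJ_FALSE` from the middle of the macro. Whether allocations made for earlier resolutions are released on that path is decided outside the hunk and is worth confirming.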
......@@ -17,3 +17,6 @@ e5285319229a5d77bf316bb0d3a6cbd3cb8666d9.patch
#afb308b9ccbe129608c9205cf3bb39bbefad90b9.patch
dcac91b8c72f743bda7dbfa9032356bc8110098a.patch
CVE-2016-5157.patch
CVE-2015-1239.patch
CVE-2016-5139.patch