Commit 13c7e6c2 authored by Mathieu Malaterre's avatar Mathieu Malaterre

Import Debian changes 2.1.2-1.1+deb9u2

openjpeg2 (2.1.2-1.1+deb9u2) stretch-security; urgency=medium

  * Fix whitespace/indent mess
  * CVE-2017-14039: CVE-2017-14039.patch
  * CVE-2017-14040: 2cd30c2b06ce332dede81cccad8b334cde997281.patch
  * CVE-2017-14041: e5285319229a5d77bf316bb0d3a6cbd3cb8666d9.patch
  * CVE-2017-14151: afb308b9ccbe129608c9205cf3bb39bbefad90b9.patch
  * CVE-2017-14152: dcac91b8c72f743bda7dbfa9032356bc8110098a.patch
parent 987b3e04
openjpeg2 (2.1.2-1.1+deb9u2) stretch-security; urgency=medium
* Fix whitespace/indent mess
* CVE-2017-14039: CVE-2017-14039.patch
* CVE-2017-14040: 2cd30c2b06ce332dede81cccad8b334cde997281.patch
* CVE-2017-14041: e5285319229a5d77bf316bb0d3a6cbd3cb8666d9.patch
* CVE-2017-14151: afb308b9ccbe129608c9205cf3bb39bbefad90b9.patch
* CVE-2017-14152: dcac91b8c72f743bda7dbfa9032356bc8110098a.patch
-- Mathieu Malaterre <malat@debian.org> Mon, 16 Oct 2017 21:15:20 +0200
openjpeg2 (2.1.2-1.1+deb9u1) stretch-security; urgency=medium
* CVE-2016-9118: c22cbd8bdf8ff2ae372f94391a4be2d322b36b41.patch
......
From 2cd30c2b06ce332dede81cccad8b334cde997281 Mon Sep 17 00:00:00 2001
From: Even Rouault <even.rouault@spatialys.com>
Date: Thu, 17 Aug 2017 11:47:40 +0200
Subject: [PATCH] tgatoimage(): avoid excessive memory allocation attempt, and
fixes unaligned load (#995)
---
src/bin/jp2/convert.c | 39 +++++++++++++++++++++++++++------------
1 file changed, 27 insertions(+), 12 deletions(-)
--- a/src/bin/jp2/convert.c
+++ b/src/bin/jp2/convert.c
@@ -559,12 +559,10 @@
};
#endif /* INFORMATION_ONLY */
-static unsigned short get_ushort(const unsigned char *data) {
- unsigned short val = *(const unsigned short *)data;
-#ifdef OPJ_BIG_ENDIAN
- val = ((val & 0xffU) << 8) | (val >> 8);
-#endif
- return val;
+/* Returns a ushort from a little-endian serialized value */
+static unsigned short get_tga_ushort(const unsigned char *data)
+{
+ return data[0] | (data[1] << 8);
}
#define TGA_HEADER_SIZE 18
@@ -590,17 +588,17 @@
id_len = tga[0];
/*cmap_type = tga[1];*/
image_type = tga[2];
- /*cmap_index = get_ushort(&tga[3]);*/
- cmap_len = get_ushort(&tga[5]);
+ /*cmap_index = get_tga_ushort(&tga[3]);*/
+ cmap_len = get_tga_ushort(&tga[5]);
cmap_entry_size = tga[7];
#if 0
- x_origin = get_ushort(&tga[8]);
- y_origin = get_ushort(&tga[10]);
+ x_origin = get_tga_ushort(&tga[8]);
+ y_origin = get_tga_ushort(&tga[10]);
#endif
- image_w = get_ushort(&tga[12]);
- image_h = get_ushort(&tga[14]);
+ image_w = get_tga_ushort(&tga[12]);
+ image_h = get_tga_ushort(&tga[14]);
pixel_depth = tga[16];
image_desc = tga[17];
@@ -764,6 +762,24 @@
color_space = OPJ_CLRSPC_SRGB;
}
+ /* If the declared file size is > 10 MB, check that the file is big */
+ /* enough to avoid excessive memory allocations */
+ if (image_height != 0 && image_width > 10000000 / image_height / numcomps) {
+ char ch;
+ OPJ_UINT64 expected_file_size =
+ (OPJ_UINT64)image_width * image_height * numcomps;
+ long curpos = ftell(f);
+ if (expected_file_size > (OPJ_UINT64)INT_MAX) {
+ expected_file_size = (OPJ_UINT64)INT_MAX;
+ }
+ fseek(f, (long)expected_file_size - 1, SEEK_SET);
+ if (fread(&ch, 1, 1, f) != 1) {
+ fclose(f);
+ return NULL;
+ }
+ fseek(f, curpos, SEEK_SET);
+ }
+
subsampling_dx = parameters->subsampling_dx;
subsampling_dy = parameters->subsampling_dy;
Description: Mix of
4241ae6fbbf1de9658764a80944dc8108f2b4154
and
c535531f03369623b9b833ef41952c62257b507e (partial)
Author: Mathieu Malaterre <malat@debian.org>
--- a/src/lib/openjp2/j2k.c
+++ b/src/lib/openjp2/j2k.c
@@ -4309,6 +4309,12 @@
assert(p_manager != 00);
assert(p_stream != 00);
+ if (p_total_data_size < 4) {
+ opj_event_msg(p_manager, EVT_ERROR,
+ "Not enough bytes in output buffer to write SOD marker\n");
+ return OPJ_FALSE;
+ }
+
opj_write_bytes(p_data,J2K_MS_SOD,2); /* SOD */
p_data += 2;
@@ -6091,10 +6097,16 @@
/* Precincts */
parameters->csty |= 0x01;
- parameters->res_spec = parameters->numresolution-1;
- for (i = 0; i<parameters->res_spec; i++) {
- parameters->prcw_init[i] = 256;
- parameters->prch_init[i] = 256;
+ if (parameters->numresolution == 1) {
+ parameters->res_spec = 1;
+ parameters->prcw_init[0] = 128;
+ parameters->prch_init[0] = 128;
+ } else {
+ parameters->res_spec = parameters->numresolution - 1;
+ for (i = 0; i < parameters->res_spec; i++) {
+ parameters->prcw_init[i] = 256;
+ parameters->prch_init[i] = 256;
+ }
}
/* The progression order shall be CPRL */
From afb308b9ccbe129608c9205cf3bb39bbefad90b9 Mon Sep 17 00:00:00 2001
From: Even Rouault <even.rouault@spatialys.com>
Date: Mon, 14 Aug 2017 17:20:37 +0200
Subject: [PATCH] Encoder: grow buffer size in
opj_tcd_code_block_enc_allocate_data() to avoid write heap buffer overflow in
opj_mqc_flush (#982)
---
src/lib/openjp2/tcd.c | 7 +++++--
tests/nonregression/test_suite.ctest.in | 2 ++
2 files changed, 7 insertions(+), 2 deletions(-)
--- a/src/lib/openjp2/tcd.c
+++ b/src/lib/openjp2/tcd.c
@@ -1089,8 +1089,11 @@
{
OPJ_UINT32 l_data_size;
- /* The +1 is needed for https://github.com/uclouvain/openjpeg/issues/835 */
- l_data_size = 1 + (OPJ_UINT32)((p_code_block->x1 - p_code_block->x0) *
+ /* +1 is needed for https://github.com/uclouvain/openjpeg/issues/835 */
+ /* and actually +2 required for https://github.com/uclouvain/openjpeg/issues/982 */
+ /* TODO: is there a theoretical upper-bound for the compressed code */
+ /* block size ? */
+ l_data_size = 2 + (OPJ_UINT32)((p_code_block->x1 - p_code_block->x0) *
(p_code_block->y1 - p_code_block->y0) * (OPJ_INT32)sizeof(OPJ_UINT32));
if (l_data_size > p_code_block->data_size) {
From dcac91b8c72f743bda7dbfa9032356bc8110098a Mon Sep 17 00:00:00 2001
From: Even Rouault <even.rouault@spatialys.com>
Date: Wed, 16 Aug 2017 17:09:10 +0200
Subject: [PATCH] opj_j2k_write_sot(): fix potential write heap buffer overflow
(#991)
---
src/lib/openjp2/j2k.c | 25 ++++++++++++++++++++-----
1 file changed, 20 insertions(+), 5 deletions(-)
--- a/src/lib/openjp2/j2k.c
+++ b/src/lib/openjp2/j2k.c
@@ -827,6 +827,7 @@
*/
static OPJ_BOOL opj_j2k_write_sot( opj_j2k_t *p_j2k,
OPJ_BYTE * p_data,
+ OPJ_UINT32 p_total_data_size,
OPJ_UINT32 * p_data_written,
const opj_stream_private_t *p_stream,
opj_event_mgr_t * p_manager );
@@ -3964,6 +3965,7 @@
static OPJ_BOOL opj_j2k_write_sot( opj_j2k_t *p_j2k,
OPJ_BYTE * p_data,
+ OPJ_UINT32 p_total_data_size,
OPJ_UINT32 * p_data_written,
const opj_stream_private_t *p_stream,
opj_event_mgr_t * p_manager
@@ -3974,6 +3976,12 @@
assert(p_manager != 00);
assert(p_stream != 00);
+ if (p_total_data_size < 12) {
+ opj_event_msg(p_manager, EVT_ERROR,
+ "Not enough bytes in output buffer to write SOT marker\n");
+ return OPJ_FALSE;
+ }
+
opj_write_bytes(p_data,J2K_MS_SOT,2); /* SOT */
p_data += 2;
@@ -10642,8 +10650,9 @@
l_current_nb_bytes_written = 0;
l_begin_data = p_data;
- if (! opj_j2k_write_sot(p_j2k,p_data,&l_current_nb_bytes_written,p_stream,p_manager))
- {
+ if (! opj_j2k_write_sot(p_j2k, p_data, p_total_data_size,
+ &l_current_nb_bytes_written, p_stream,
+ p_manager)) {
return OPJ_FALSE;
}
@@ -10729,7 +10738,11 @@
l_part_tile_size = 0;
l_begin_data = p_data;
- if (! opj_j2k_write_sot(p_j2k,p_data,&l_current_nb_bytes_written,p_stream,p_manager)) {
+ if (! opj_j2k_write_sot(p_j2k, p_data,
+ p_total_data_size,
+ &l_current_nb_bytes_written,
+ p_stream,
+ p_manager)) {
return OPJ_FALSE;
}
@@ -10769,7 +10782,10 @@
l_part_tile_size = 0;
l_begin_data = p_data;
- if (! opj_j2k_write_sot(p_j2k,p_data,&l_current_nb_bytes_written,p_stream,p_manager)) {
+ if (! opj_j2k_write_sot(p_j2k, p_data,
+ p_total_data_size,
+ &l_current_nb_bytes_written, p_stream,
+ p_manager)) {
return OPJ_FALSE;
}
From e5285319229a5d77bf316bb0d3a6cbd3cb8666d9 Mon Sep 17 00:00:00 2001
From: Even Rouault <even.rouault@spatialys.com>
Date: Fri, 18 Aug 2017 13:39:20 +0200
Subject: [PATCH] pgxtoimage(): fix write stack buffer overflow (#997)
---
src/bin/jp2/convert.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/bin/jp2/convert.c b/src/bin/jp2/convert.c
index 5459f7d44..e606c9be7 100644
--- a/src/bin/jp2/convert.c
+++ b/src/bin/jp2/convert.c
@@ -1117,7 +1117,8 @@
}
fseek(f, 0, SEEK_SET);
- if( fscanf(f, "PG%[ \t]%c%c%[ \t+-]%d%[ \t]%d%[ \t]%d",temp,&endian1,&endian2,signtmp,&prec,temp,&w,temp,&h) != 9){
+ if (fscanf(f, "PG%31[ \t]%c%c%31[ \t+-]%d%31[ \t]%d%31[ \t]%d", temp, &endian1,
+ &endian2, signtmp, &prec, temp, &w, temp, &h) != 9) {
fclose(f);
fprintf(stderr, "ERROR: Failed to read the right number of element from the fscanf() function!\n");
return NULL;
......@@ -4,3 +4,8 @@ c22cbd8bdf8ff2ae372f94391a4be2d322b36b41.patch
3fbe71369019df0b47c7a2be4fab8c05768f2f32.patch
11445eddad7e7fa5b273d1c83c91011c44e5d586.patch
397f62c0a838e15d667ef50e27d5d011d2c79c04.patch
CVE-2017-14039.patch
2cd30c2b06ce332dede81cccad8b334cde997281.patch
e5285319229a5d77bf316bb0d3a6cbd3cb8666d9.patch
afb308b9ccbe129608c9205cf3bb39bbefad90b9.patch
dcac91b8c72f743bda7dbfa9032356bc8110098a.patch
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment