Commit 18085d65 authored by Moritz Muehlenhoff's avatar Moritz Muehlenhoff Committed by Mathieu Malaterre

Import Debian changes 2.1.0-2+deb8u1

openjpeg2 (2.1.0-2+deb8u1) jessie-security; urgency=medium

  * CVE-2015-6581 CVE-2015-8871 CVE-2016-1924 CVE-2016-7163
parent 3bd11a6e
openjpeg2 (2.1.0-2+deb8u1) jessie-security; urgency=medium
* CVE-2015-6581 CVE-2015-8871 CVE-2016-1924 CVE-2016-7163
-- Moritz Mühlenhoff <jmm@debian.org> Fri, 09 Sep 2016 20:14:50 +0200
openjpeg2 (2.1.0-2) unstable; urgency=low
* Install *.pc files. Closes: #762251
......
Backport of 0fa5a17c98c4b8f9ee2286f4f0a50cf52a5fccb0 Mon Sep 17 00:00:00 2001
by Matthieu Darbois
--- openjpeg2-2.1.0.orig/src/lib/openjp2/j2k.c
+++ openjpeg2-2.1.0/src/lib/openjp2/j2k.c
@@ -7156,6 +7156,12 @@ static OPJ_BOOL opj_j2k_copy_default_tcp
/* Initialize some values of the current tile coding parameters*/
l_tcp->ppt = 0;
l_tcp->ppt_data = 00;
+ /* Remove memory not owned by this tile in case of early error return. */
+ l_tcp->m_mct_decoding_matrix = 00;
+ l_tcp->m_nb_max_mct_records = 0;
+ l_tcp->m_mct_records = 00;
+ l_tcp->m_nb_max_mcc_records = 0;
+ l_tcp->m_mcc_records = 00;
/* Reconnect the tile-compo coding parameters pointer to the current tile coding parameters*/
l_tcp->tccps = l_current_tccp;
@@ -7193,6 +7199,8 @@ static OPJ_BOOL opj_j2k_copy_default_tcp
++l_src_mct_rec;
++l_dest_mct_rec;
+ /* Update with each pass to free exactly what has been allocated on early return. */
+ l_tcp->m_nb_max_mct_records += 1;
}
/* Get the mcc_record of the dflt_tile_cp and copy them into the current tile cp*/
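Review bot: The per-record increment of `m_nb_max_mct_records` only helps if the cleanup path walks that counter, and the cleanup routine is not visible on this page. If it iterates over `m_nb_mct_records` instead (copied wholesale from the default tcp earlier in the function, as far as the context suggests), an early return mid-loop would still leave trailing records whose `m_data` pointers belong to the default tile, and they could be freed twice. Please confirm which counter the destroy function uses. If that cannot be confirmed, clear the copied `m_data` pointers before the loop, or add a comment such as `/* tcp destroy must bound its walk by m_nb_max_mct_records */` so the invariant is stated. The enclosing function starts and ends outside this hunk.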
@@ -7202,6 +7210,7 @@ static OPJ_BOOL opj_j2k_copy_default_tcp
return OPJ_FALSE;
}
memcpy(l_tcp->m_mcc_records,l_default_tcp->m_mcc_records,l_mcc_records_size);
+ l_tcp->m_nb_max_mcc_records = l_default_tcp->m_nb_max_mcc_records;
/* Copy the mcc record data from dflt_tile_cp to the current tile*/
l_src_mcc_rec = l_default_tcp->m_mcc_records;
Backport of 940100c28ae28931722290794889cf84a92c5f6f
--- openjpeg2-2.1.0.orig/src/lib/openjp2/j2k.c
+++ openjpeg2-2.1.0/src/lib/openjp2/j2k.c
@@ -5526,8 +5526,7 @@ OPJ_BOOL opj_j2k_write_mco( opj_j2k_
assert(p_stream != 00);
l_tcp =&(p_j2k->m_cp.tcps[p_j2k->m_current_tile_number]);
- l_current_data = p_j2k->m_specific_param.m_encoder.m_header_tile_data;
-
+
l_mco_size = 5 + l_tcp->m_nb_mcc_records;
if (l_mco_size > p_j2k->m_specific_param.m_encoder.m_header_tile_data_size) {
@@ -5542,6 +5541,8 @@ OPJ_BOOL opj_j2k_write_mco( opj_j2k_
p_j2k->m_specific_param.m_encoder.m_header_tile_data = new_header_tile_data;
p_j2k->m_specific_param.m_encoder.m_header_tile_data_size = l_mco_size;
}
+ l_current_data = p_j2k->m_specific_param.m_encoder.m_header_tile_data;
+
opj_write_bytes(l_current_data,J2K_MS_MCO,2); /* MCO */
l_current_data += 2;
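Review bot: The relocated `l_current_data = ...m_header_tile_data;` assignment carries no comment explaining why its position matters, so a later cleanup could move it back above the resize block and reintroduce the stale-pointer write. I would add a comment directly above it, for example `/* must be read after the buffer may have been reallocated above */`. The resize block and the rest of opj_j2k_write_mco lie partly outside this hunk.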
@@ -5553,10 +5554,9 @@ OPJ_BOOL opj_j2k_write_mco( opj_j2k_
++l_current_data;
l_mcc_record = l_tcp->m_mcc_records;
- for (i=0;i<l_tcp->m_nb_mcc_records;++i) {
+ for (i=0;i<l_tcp->m_nb_mcc_records;++i) {
opj_write_bytes(l_current_data,l_mcc_record->m_index,1);/* Imco -> use the mcc indicated by 1*/
++l_current_data;
-
++l_mcc_record;
}
Backport of 1a8318f6c24623189ecb65e049267c6f2e005c0e
--- openjpeg2-2.1.0.orig/src/lib/openjp2/j2k.c
+++ openjpeg2-2.1.0/src/lib/openjp2/j2k.c
@@ -8432,6 +8432,9 @@ OPJ_BOOL opj_j2k_read_SPCod_SPCoc( opj_
opj_read_bytes(l_current_ptr,&l_tccp->cblksty ,1); /* SPcoc (G) */
++l_current_ptr;
+ if (l_tccp->cblksty & 0xC0U) { /* 2 msb are reserved, assume we can't read */
+ return OPJ_FALSE;
+ }
opj_read_bytes(l_current_ptr,&l_tccp->qmfbid ,1); /* SPcoc (H) */
++l_current_ptr;
--- openjpeg2-2.1.0.orig/src/lib/openjp2/t2.c
+++ openjpeg2-2.1.0/src/lib/openjp2/t2.c
@@ -839,9 +839,13 @@ OPJ_BOOL opj_t2_read_packet_header( opj_
/* reset tagtrees */
for (bandno = 0; bandno < l_res->numbands; ++bandno) {
- opj_tcd_precinct_t *l_prc = &l_band->precincts[p_pi->precno];
-
if ( ! ((l_band->x1-l_band->x0 == 0)||(l_band->y1-l_band->y0 == 0)) ) {
+ opj_tcd_precinct_t *l_prc = &l_band->precincts[p_pi->precno];
+ if (!(p_pi->precno < (l_band->precincts_data_size / sizeof(opj_tcd_precinct_t)))) {
+ return OPJ_FALSE;
+ }
+
+
opj_tgt_reset(l_prc->incltree);
opj_tgt_reset(l_prc->imsbtree);
l_cblk = l_prc->cblks.dec;
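Review bot: In the t2.c hunk the address `&l_band->precincts[p_pi->precno]` is formed in the declaration before the new range check runs, so an out-of-range `precno` has already been used for pointer arithmetic by the time the function returns OPJ_FALSE. The pointer is not dereferenced, but forming it that far out of bounds is undefined behaviour, and the ordering makes the guard easy to misread. Declare `opj_tcd_precinct_t *l_prc;` at the top of the block, test `if (p_pi->precno >= l_band->precincts_data_size / sizeof(opj_tcd_precinct_t)) return OPJ_FALSE;`, and only then assign `l_prc = &l_band->precincts[p_pi->precno];`. The rest of the loop body and the function lie outside this hunk.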
Backport of c16bc057ba3f125051c9966cf1f5b68a05681de4 and
ef01f18dfc6780b776d0674ed3e7415c6ef54d24
--- openjpeg2-2.1.0.orig/src/lib/openjp2/pi.c
+++ openjpeg2-2.1.0/src/lib/openjp2/pi.c
@@ -1233,7 +1233,13 @@ opj_pi_iterator_t *opj_pi_create_decode(
l_current_pi = l_pi;
/* memory allocation for include */
- l_current_pi->include = (OPJ_INT16*) opj_calloc((l_tcp->numlayers +1) * l_step_l, sizeof(OPJ_INT16));
+ /* prevent an integer overflow issue */
+ l_current_pi->include = 00;
+ if (l_step_l <= (SIZE_MAX / (l_tcp->numlayers + 1U)))
+ {
+ l_current_pi->include = (OPJ_INT16*) opj_calloc((size_t)(l_tcp->numlayers + 1U) * l_step_l, sizeof(OPJ_INT16));
+ }
+
if
(!l_current_pi->include)
{
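Review bot: The new guard bounds only the final product `(numlayers + 1U) * l_step_l`. `l_step_l` is computed before this hunk and, if it is built from 32-bit multiplications, it may already have wrapped by the time it is compared against `SIZE_MAX`. Where `size_t` is 64 bits the comparison presumably always holds, so the protection comes from the `(size_t)` cast rather than from the test. Two smaller points: the divisor `l_tcp->numlayers + 1U` becomes zero if `numlayers` can ever reach the maximum unsigned value, and `SIZE_MAX` needs a header that this hunk does not add. I would document the limit with a comment such as `/* only the last multiplication is checked here; l_step_l is validated (or not) above */` and confirm the upper bound enforced on `numlayers` where it is parsed. The function body continues outside the hunk.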
fix_typos.patch
multiarch_path.patch
CVE-2015-6581.patch
CVE-2015-8871.patch
CVE-2016-1924.patch
CVE-2016-7163.patch