Commit 3f531950 authored by Luciano Bello's avatar Luciano Bello Committed by Mathieu Malaterre

Import Debian changes 2.1.2-1.1+deb9u3

openjpeg2 (2.1.2-1.1+deb9u3) stretch-security; urgency=medium

  * Non-maintainer upload by the Security Team.
  * CVE-2018-14423: Division-by-zero vulnerabilities in the functions
    pi_next_pcrl, pi_next_cprl, and pi_next_rpcl (closes: #904873).
  * CVE-2018-6616: Excessive Iteration in opj_t1_encode_cblks
    (closes: #889683).
  * CVE-2017-17480: Write stack buffer overflow due to missing buffer
    length formatter in fscanf call (closes: #884738).
  * CVE-2018-18088: Null pointer dereference caused by null image
    components in imagetopnm (closes: #910763).
  * CVE-2018-5785: Integer overflow in convertbmp.c (closes: #888533).
parent 13c7e6c2
openjpeg2 (2.1.2-1.1+deb9u3) stretch-security; urgency=medium
* Non-maintainer upload by the Security Team.
* CVE-2018-14423: Division-by-zero vulnerabilities in the functions
pi_next_pcrl, pi_next_cprl, and pi_next_rpcl (closes: #904873).
* CVE-2018-6616: Excessive Iteration in opj_t1_encode_cblks
(closes: #889683).
* CVE-2017-17480: Write stack buffer overflow due to missing buffer
length formatter in fscanf call (closes: #884738).
* CVE-2018-18088: Null pointer dereference caused by null image
components in imagetopnm (closes: #910763).
* CVE-2018-5785: Integer overflow in convertbmp.c (closes: #888533).
-- Luciano Bello <luciano@debian.org> Thu, 07 Mar 2019 16:41:30 -0500
openjpeg2 (2.1.2-1.1+deb9u2) stretch-security; urgency=medium
* Fix whitespace/indent mess
Description: jp3d/jpwl convert: fix write stack buffer overflow
Missing buffer length formatter in fscanf call might lead to write
stack buffer overflow. Add missing formatters.
Author: Hugo Lefeuvre <hle@debian.org>
Origin: https://github.com/hlef/openjpeg/commit/0bc90e4062a5f9258c91eca018c019b179066c62
Bug-Debian: https://bugs.debian.org/884738
--- a/src/bin/jp3d/convert.c
+++ b/src/bin/jp3d/convert.c
@@ -281,7 +281,7 @@
fprintf(stdout, "[INFO] Loading %s \n",pgxfiles[pos]);
fseek(f, 0, SEEK_SET);
- fscanf(f, "PG%[ \t]%c%c%[ \t+-]%d%[ \t]%d%[ \t]%d",temp,&endian1,&endian2,signtmp,&prec,temp,&w,temp,&h);
+ fscanf(f, "PG%31[ \t]%c%c%31[ \t+-]%d%31[ \t]%d%31[ \t]%d",temp,&endian1,&endian2,signtmp,&prec,temp,&w,temp,&h);
i=0;
sign='+';
--- a/src/bin/jpwl/convert.c
+++ b/src/bin/jpwl/convert.c
@@ -1296,7 +1296,7 @@
}
fseek(f, 0, SEEK_SET);
- if( fscanf(f, "PG%[ \t]%c%c%[ \t+-]%d%[ \t]%d%[ \t]%d",temp,&endian1,&endian2,signtmp,&prec,temp,&w,temp,&h) != 9){
+ if( fscanf(f, "PG%31[ \t]%c%c%31[ \t+-]%d%31[ \t]%d%31[ \t]%d",temp,&endian1,&endian2,signtmp,&prec,temp,&w,temp,&h) != 9){
fprintf(stderr, "ERROR: Failed to read the right number of element from the fscanf() function!\n");
return NULL;
}
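Review bot: The jp3d call on the `+` line of the first hunk still discards fscanf's return value, so a short or malformed "PG" header leaves `endian1`, `endian2`, `prec`, `w` and `h` unset while parsing carries on, whereas the jpwl hunk checks `!= 9` and bails out; the jp3d site should get the same guard, `if (fscanf(f, "PG%31[ \t]%c%c%31[ \t+-]%d%31[ \t]%d%31[ \t]%d", temp, &endian1, &endian2, signtmp, &prec, temp, &w, temp, &h) != 9) { fprintf(stderr, "ERROR: Failed to read the right number of element from the fscanf() function!\n"); /* fail the way this function reports errors */ }`. The width `31` is only correct if `temp` and `signtmp` are at least 32 bytes; their declarations are outside both hunks, so that should be confirmed and tied to the declaration with a comment such as `/* %31[ ] below: temp/signtmp must hold 32 bytes */`. Both enclosing functions start and end outside the hunks.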
Subject: avoid divisions by zero / undefined behaviour on shift (CVE-2018-14423)
Author: Young_X <YangX92@hotmail.com>
Origin: https://github.com/uclouvain/openjpeg/commit/bd88611ed9ad7144ec4f3de54790cd848175891b
Bug: https://github.com/uclouvain/openjpeg/issues/1123
Bug-Debian: https://bugs.debian.org/904873
--- a/src/lib/openjp3d/pi.c 2018-12-22 12:11:03.000000000 +0100
+++ b/src/lib/openjp3d/pi.c 2018-12-22 12:11:36.000000000 +0100
@@ -215,6 +215,14 @@
rpx = res->pdx + levelnox;
rpy = res->pdy + levelnoy;
rpz = res->pdz + levelnoz;
+
+ /* To avoid divisions by zero / undefined behaviour on shift */
+ if (rpx >= 31 || ((comp->dx << rpx) >> rpx) != comp->dx ||
+ rpy >= 31 || ((comp->dy << rpy) >> rpy) != comp->dy ||
+ rpz >= 31 || ((comp->dz << rpz) >> rpz) != comp->dz) {
+ continue;
+ }
+
if ((!(pi->x % (comp->dx << rpx) == 0) || (pi->x == pi->tx0 && (trx0 << levelnox) % (1 << rpx)))) {
continue;
}
@@ -309,6 +317,14 @@
rpx = res->pdx + levelnox;
rpy = res->pdy + levelnoy;
rpz = res->pdz + levelnoz;
+
+ /* To avoid divisions by zero / undefined behaviour on shift */
+ if (rpx >= 31 || ((comp->dx << rpx) >> rpx) != comp->dx ||
+ rpy >= 31 || ((comp->dy << rpy) >> rpy) != comp->dy ||
+ rpz >= 31 || ((comp->dz << rpz) >> rpz) != comp->dz) {
+ continue;
+ }
+
if ((!(pi->x % (comp->dx << rpx) == 0) || (pi->x == pi->tx0 && (trx0 << levelnox) % (1 << rpx)))) {
continue;
}
@@ -400,6 +416,14 @@
rpx = res->pdx + levelnox;
rpy = res->pdy + levelnoy;
rpz = res->pdz + levelnoz;
+
+ /* To avoid divisions by zero / undefined behaviour on shift */
+ if (rpx >= 31 || ((comp->dx << rpx) >> rpx) != comp->dx ||
+ rpy >= 31 || ((comp->dy << rpy) >> rpy) != comp->dy ||
+ rpz >= 31 || ((comp->dz << rpz) >> rpz) != comp->dz) {
+ continue;
+ }
+
if ((!(pi->x % (comp->dx << rpx) == 0) || (pi->x == pi->tx0 && (trx0 << levelnox) % (1 << rpx)))) {
continue;
}
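Review bot: The added guard does not catch `comp->dx == 0`: `((0 << rpx) >> rpx) != 0` is false, so the check passes and the very next line's `pi->x % (comp->dx << rpx)` still divides by zero unless `dx`/`dy`/`dz` are validated somewhere not shown here — adding `comp->dx == 0 ||` (and the dy/dz counterparts) to the condition would close that. The overflow probe `((comp->dx << rpx) >> rpx) != comp->dx` is itself undefined behaviour if `dx` is a signed int and the shift overflows, which lets the optimiser fold the comparison away; the field's type is not visible in the hunk, so confirm it and, if signed, express the test without shifting, e.g. `comp->dx > (INT_MAX >> rpx)`. The same eight lines are pasted into all three hunks; a single `static` helper would keep the three copies from diverging. The enclosing functions start and end outside the hunks.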
Description: jp2: convert: fix null pointer dereference
Tile components in a JP2 image might have null data pointer by defining a
zero component size (for example using large horizontal or vertical
sampling periods). This null data pointer leads to null image component
data pointer, causing crash when dereferenced without != null check in
imagetopnm.
.
Add != null check.
Author: Hugo Lefeuvre <hle@debian.org>
Origin: https://github.com/uclouvain/openjpeg/commit/cab352e249ed3372dd9355c85e837613fff98fa2
Bug-Debian: https://bugs.debian.org/910763
--- a/src/bin/jp2/convert.c
+++ b/src/bin/jp2/convert.c
@@ -1982,6 +1982,11 @@
opj_version(), wr, hr, max);
red = image->comps[compno].data;
+ if (!red) {
+ fclose(fdest);
+ continue;
+ }
+
adjustR =
(image->comps[compno].sgnd ? 1 << (image->comps[compno].prec - 1) : 0);
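Review bot: The new `if (!red)` branch closes `fdest` and `continue`s silently, so the output file whose header was just written by the `fprintf(..., opj_version(), wr, hr, max)` call above is left on disk truncated and neither the user nor the caller learns that the component was skipped; at minimum report it, e.g. `fprintf(stderr, "ERROR: component %d has no data\n", compno);` before the `continue`, and consider removing the partial file or returning failure (the function's return convention is outside the hunk). Only the `red` pointer is checked; whether other component data pointers used later in this loop body receive the same check cannot be seen from the hunk and should be confirmed. The enclosing function starts and ends outside the hunk.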
Description: convertbmp: integer overflow (CVE-2018-5785)
Author: Luciano Bello <luciano@debian.org>
Origin: https://github.com/uclouvain/openjpeg/pull/1148
Bug: https://github.com/uclouvain/openjpeg/issues/1057
Bug-Debian: https://bugs.debian.org/888533
--- a/src/bin/jp2/convertbmp.c
+++ b/src/bin/jp2/convertbmp.c
@@ -418,15 +418,30 @@
header->biRedMask |= (OPJ_UINT32)getc(IN) << 16;
header->biRedMask |= (OPJ_UINT32)getc(IN) << 24;
+ if (!header->biRedMask) {
+ fprintf(stderr, "Error, invalid red mask value %d\n", header->biRedMask);
+ return OPJ_FALSE;
+ }
+
header->biGreenMask = (OPJ_UINT32)getc(IN);
header->biGreenMask |= (OPJ_UINT32)getc(IN) << 8;
header->biGreenMask |= (OPJ_UINT32)getc(IN) << 16;
header->biGreenMask |= (OPJ_UINT32)getc(IN) << 24;
+ if (!header->biGreenMask) {
+ fprintf(stderr, "Error, invalid green mask value %d\n", header->biGreenMask);
+ return OPJ_FALSE;
+ }
+
header->biBlueMask = (OPJ_UINT32)getc(IN);
header->biBlueMask |= (OPJ_UINT32)getc(IN) << 8;
header->biBlueMask |= (OPJ_UINT32)getc(IN) << 16;
header->biBlueMask |= (OPJ_UINT32)getc(IN) << 24;
+
+ if (!header->biBlueMask) {
+ fprintf(stderr, "Error, invalid blue mask value %d\n", header->biBlueMask);
+ return OPJ_FALSE;
+ }
header->biAlphaMask = (OPJ_UINT32)getc(IN);
header->biAlphaMask |= (OPJ_UINT32)getc(IN) << 8;
@@ -785,6 +800,11 @@
bmpmask32toimage(pData, stride, image, 0x00FF0000U, 0x0000FF00U, 0x000000FFU, 0x00000000U);
}
else if (Info_h.biBitCount == 32 && Info_h.biCompression == 3) { /* bitmask */
+ if ((Info_h.biRedMask == 0U) && (Info_h.biGreenMask == 0U) && (Info_h.biBlueMask == 0U)) {
+ Info_h.biRedMask = 0x00FF0000U;
+ Info_h.biGreenMask = 0x0000FF00U;
+ Info_h.biBlueMask = 0x000000FFU;
+ }
bmpmask32toimage(pData, stride, image, Info_h.biRedMask, Info_h.biGreenMask, Info_h.biBlueMask, Info_h.biAlphaMask);
}
else if (Info_h.biBitCount == 16 && Info_h.biCompression == 0) { /* RGBX */
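Review bot: The three new error messages print `header->biRedMask`, `biGreenMask` and `biBlueMask` with `%d`, but the surrounding `(OPJ_UINT32)getc(IN)` casts show these fields are unsigned 32-bit, so the conversion specifier does not match the argument and `-Wformat` will flag it; use `%u` (or `PRIu32`), e.g. `fprintf(stderr, "Error, invalid red mask value %u\n", header->biRedMask);` and likewise for the green and blue lines. The first hunk returns `OPJ_FALSE` for any single zero mask, while the second hunk's new all-zero default (`biRedMask == 0U && biGreenMask == 0U && biBlueMask == 0U`) can then only fire if the masks are populated by a path other than this reader; confirm such a path exists, otherwise that block is dead code and the two hunks disagree on whether zero masks are an error or a default. The blank line placed before the blue-mask check but after the red/green writes is a small inconsistency with the other two inserts. Both enclosing functions start and end outside the hunks.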
Description: convertbmp: detect invalid file dimensions early
width/length dimensions read from bmp headers are not necessarily
valid. For instance they may have been maliciously set to very large
values with the intention to cause DoS (large memory allocation, stack
overflow). In these cases we want to detect the invalid size as early
as possible.
.
This commit introduces a counter which verifies that the number of
written bytes corresponds to the advertized width/length.
Author: Hugo Lefeuvre <hle@debian.org>
Origin: https://github.com/uclouvain/openjpeg/commit/8ee335227bbcaf1614124046aa25e53d67b11ec3
Bug: https://github.com/uclouvain/openjpeg/issues/1059
Bug-Debian: https://bugs.debian.org/889683
--- a/src/bin/jp2/convertbmp.c
+++ b/src/bin/jp2/convertbmp.c
@@ -499,14 +499,14 @@
static OPJ_BOOL bmp_read_rle8_data(FILE* IN, OPJ_UINT8* pData, OPJ_UINT32 stride, OPJ_UINT32 width, OPJ_UINT32 height)
{
- OPJ_UINT32 x, y;
+ OPJ_UINT32 x, y, written;
OPJ_UINT8 *pix;
const OPJ_UINT8 *beyond;
beyond = pData + stride * height;
pix = pData;
- x = y = 0U;
+ x = y = written = 0U;
while (y < height)
{
int c = getc(IN);
@@ -517,6 +517,7 @@
for (j = 0; (j < c) && (x < width) && ((OPJ_SIZE_T)pix < (OPJ_SIZE_T)beyond); j++, x++, pix++) {
*pix = c1;
+ written++;
}
}
else {
@@ -543,6 +544,7 @@
{
OPJ_UINT8 c1 = (OPJ_UINT8)getc(IN);
*pix = c1;
+ written++;
}
if ((OPJ_UINT32)c & 1U) { /* skip padding byte */
getc(IN);
@@ -550,6 +552,12 @@
}
}
}/* while() */
+
+ if (written != width * height) {
+ fprintf(stderr, "warning, image's actual size does not match advertized one\n");
+ return OPJ_FALSE;
+ }
+
return OPJ_TRUE;
}
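Review bot: The final check `written != width * height` multiplies two `OPJ_UINT32` values with no overflow guard, so a header whose width×height wraps modulo 2^32 can still equal `written` and pass, which defeats the stated goal of rejecting maliciously large dimensions; validate before the loop, `if (height != 0U && width > UINT32_MAX / height) { return OPJ_FALSE; }`, so the later equality test is meaningful. The message `"warning, image's actual size does not match advertized one"` accompanies a hard `return OPJ_FALSE;`, so it should say `error` rather than `warning` (and "advertised"). The `written++` added in the second hunk sits in a branch whose own bounds check is outside the hunk, so it is worth confirming that branch cannot advance past `beyond` before counting.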
......@@ -9,3 +9,9 @@ CVE-2017-14039.patch
e5285319229a5d77bf316bb0d3a6cbd3cb8666d9.patch
afb308b9ccbe129608c9205cf3bb39bbefad90b9.patch
dcac91b8c72f743bda7dbfa9032356bc8110098a.patch
CVE-2017-17480.patch
CVE-2018-18088.patch
CVE-2018-6616.patch
CVE-2018-14423.patch
CVE-2018-5785.patch