Commit 69dd71e5 authored by Mathieu Malaterre's avatar Mathieu Malaterre

Import Debian changes 2.3.0-2

openjpeg2 (2.3.0-2) unstable; urgency=high

  [ Hugo Lefeuvre ]
  * CVE-2017-17480: stack-based buffer overflow in the pgxtovolume function in
    jp3d/convert.c (Closes: #884738).
  * CVE-2018-14423: division-by-zero in pi_next_pcrl, pi_next_cprl, and
    pi_next_rpcl in lib/openjp3d/pi.c (Closes: #904873).
  * CVE-2018-18088: null pointer dereference in imagetopnm in jp2/convert.c
    (Closes: #910763).
  * CVE-2018-5785: integer overflow caused by an out-of-bounds left shift in the
    opj_j2k_setup_encoder function (openjp2/j2k.c) (Closes: #888533).
  * CVE-2018-6616: excessive iteration in the opj_t1_encode_cblks function of
    openjp2/t1.c (Closes: #889683).

  [ Mathieu Malaterre ]
  * Add Hugo as Uploader
parent 9647efee
openjpeg2 (2.3.0-2) unstable; urgency=high
[ Hugo Lefeuvre ]
* CVE-2017-17480: stack-based buffer overflow in the pgxtovolume function in
jp3d/convert.c (Closes: #884738).
* CVE-2018-14423: division-by-zero in pi_next_pcrl, pi_next_cprl, and
pi_next_rpcl in lib/openjp3d/pi.c (Closes: #904873).
* CVE-2018-18088: null pointer dereference in imagetopnm in jp2/convert.c
(Closes: #910763).
* CVE-2018-5785: integer overflow caused by an out-of-bounds left shift in the
opj_j2k_setup_encoder function (openjp2/j2k.c) (Closes: #888533).
* CVE-2018-6616: excessive iteration in the opj_t1_encode_cblks function of
openjp2/t1.c (Closes: #889683).
[ Mathieu Malaterre ]
* Add Hugo as Uploader
-- Mathieu Malaterre <malat@debian.org> Sun, 10 Mar 2019 18:34:51 +0100
openjpeg2 (2.3.0-1.1) unstable; urgency=medium
* Non-maintainer upload.
......
Source: openjpeg2
Priority: optional
Maintainer: Debian PhotoTools Maintainers <pkg-phototools-devel@lists.alioth.debian.org>
Uploaders: Mathieu Malaterre <malat@debian.org>
Uploaders: Mathieu Malaterre <malat@debian.org>, Hugo Lefeuvre <hle@debian.org>
Homepage: http://www.openjpeg.org
Build-Depends: cmake (>= 2.8.2),
debhelper (>= 9),
......
Description: jp3d/jpwl convert: fix write stack buffer overflow
Missing buffer length formatter in fscanf call might lead to write
stack buffer overflow.
Author: Hugo Lefeuvre <hle@debian.org>
Origin: upstream, https://github.com/uclouvain/openjpeg/commit/0bc90e4062a5f9258c91eca018c019b179066c62
--- a/src/bin/jp3d/convert.c 2017-10-05 00:23:14.000000000 +0200
+++ b/src/bin/jp3d/convert.c 2019-03-04 12:58:37.362461916 +0100
@@ -297,8 +297,8 @@
fprintf(stdout, "[INFO] Loading %s \n", pgxfiles[pos]);
fseek(f, 0, SEEK_SET);
- fscanf(f, "PG%[ \t]%c%c%[ \t+-]%d%[ \t]%d%[ \t]%d", temp, &endian1, &endian2,
- signtmp, &prec, temp, &w, temp, &h);
+ fscanf(f, "PG%31[ \t]%c%c%31[ \t+-]%d%31[ \t]%d%31[ \t]%d", temp, &endian1,
+ &endian2, signtmp, &prec, temp, &w, temp, &h);
i = 0;
sign = '+';
--- a/src/bin/jpwl/convert.c 2017-10-05 00:23:14.000000000 +0200
+++ b/src/bin/jpwl/convert.c 2019-03-04 12:58:37.362461916 +0100
@@ -1348,7 +1348,7 @@
}
fseek(f, 0, SEEK_SET);
- if (fscanf(f, "PG%[ \t]%c%c%[ \t+-]%d%[ \t]%d%[ \t]%d", temp, &endian1,
+ if (fscanf(f, "PG%31[ \t]%c%c%31[ \t+-]%d%31[ \t]%d%31[ \t]%d", temp, &endian1,
&endian2, signtmp, &prec, temp, &w, temp, &h) != 9) {
fprintf(stderr,
"ERROR: Failed to read the right number of element from the fscanf() function!\n");
Description: jp3d: avoid divisions by zero / undefined behaviour on shift
Author: Young_X <YangX92@hotmail.com>
Origin: upstream, https://github.com/uclouvain/openjpeg/commit/bd88611ed9ad7144ec4f3de54790cd848175891b
--- a/src/lib/openjp3d/pi.c 2017-10-05 00:23:14.000000000 +0200
+++ b/src/lib/openjp3d/pi.c 2019-03-04 13:10:50.383000628 +0100
@@ -223,6 +223,14 @@
rpx = res->pdx + levelnox;
rpy = res->pdy + levelnoy;
rpz = res->pdz + levelnoz;
+
+ /* To avoid divisions by zero / undefined behaviour on shift */
+ if (rpx >= 31 || ((comp->dx << rpx) >> rpx) != comp->dx ||
+ rpy >= 31 || ((comp->dy << rpy) >> rpy) != comp->dy ||
+ rpz >= 31 || ((comp->dz << rpz) >> rpz) != comp->dz) {
+ continue;
+ }
+
if ((!(pi->x % (comp->dx << rpx) == 0) || (pi->x == pi->tx0 &&
(trx0 << levelnox) % (1 << rpx)))) {
continue;
@@ -329,6 +337,14 @@
rpx = res->pdx + levelnox;
rpy = res->pdy + levelnoy;
rpz = res->pdz + levelnoz;
+
+ /* To avoid divisions by zero / undefined behaviour on shift */
+ if (rpx >= 31 || ((comp->dx << rpx) >> rpx) != comp->dx ||
+ rpy >= 31 || ((comp->dy << rpy) >> rpy) != comp->dy ||
+ rpz >= 31 || ((comp->dz << rpz) >> rpz) != comp->dz) {
+ continue;
+ }
+
if ((!(pi->x % (comp->dx << rpx) == 0) || (pi->x == pi->tx0 &&
(trx0 << levelnox) % (1 << rpx)))) {
continue;
@@ -432,6 +448,14 @@
rpx = res->pdx + levelnox;
rpy = res->pdy + levelnoy;
rpz = res->pdz + levelnoz;
+
+ /* To avoid divisions by zero / undefined behaviour on shift */
+ if (rpx >= 31 || ((comp->dx << rpx) >> rpx) != comp->dx ||
+ rpy >= 31 || ((comp->dy << rpy) >> rpy) != comp->dy ||
+ rpz >= 31 || ((comp->dz << rpz) >> rpz) != comp->dz) {
+ continue;
+ }
+
if ((!(pi->x % (comp->dx << rpx) == 0) || (pi->x == pi->tx0 &&
(trx0 << levelnox) % (1 << rpx)))) {
continue;
Description: jp2: convert: fix null pointer dereference
Tile components in a JP2 image might have null data pointer by defining a
zero component size (for example using large horizontal or vertical
sampling periods). This null data pointer leads to null image component
data pointer, causing crash when dereferenced without != null check in
imagetopnm.
.
Add != null check.
Author: Hugo Lefeuvre <hle@debian.org>
Origin: upstream, https://github.com/uclouvain/openjpeg/commit/cab352e249ed3372dd9355c85e837613fff98fa2
--- a/src/bin/jp2/convert.c 2017-10-05 00:23:14.000000000 +0200
+++ b/src/bin/jp2/convert.c 2019-03-04 13:17:42.184753185 +0100
@@ -2210,6 +2210,11 @@
opj_version(), wr, hr, max);
red = image->comps[compno].data;
+ if (!red) {
+ fclose(fdest);
+ continue;
+ }
+
adjustR =
(image->comps[compno].sgnd ? 1 << (image->comps[compno].prec - 1) : 0);
Description: convertbmp: fix issues with zero bitmasks
In the case where a BMP file declares compression 3 (BI_BITFIELDS)
with header size <= 56, all bitmask values keep their initialization
value 0. This may lead to various undefined behavior later e.g. when
doing 1 << (l_comp->prec - 1).
.
This issue does not affect files with bit count 16 because of a check
added in 16240e2 which sets default values to the color masks if they
are all 0.
.
This commit adds similar checks for the 32 bit case.
.
Also, if a BMP file declares compression 3 with header size >= 56 and
intentional 0 bitmasks, the same issue will be triggered in both the
16 and 32 bit count case.
.
This commit adds checks to bmp_read_info_header() rejecting BMP files
with "intentional" 0 bitmasks. These checks might be removed in the
future when proper handling of zero bitmasks will be available in
openjpeg2.
Author: Hugo Lefeuvre <hle@debian.org>
Origin: upstream, https://github.com/uclouvain/openjpeg/commit/ca16fe55014c57090dd97369256c7657aeb25975
--- a/src/bin/jp2/convertbmp.c 2017-10-05 00:23:14.000000000 +0200
+++ b/src/bin/jp2/convertbmp.c 2019-03-04 13:21:18.182489081 +0100
@@ -435,16 +435,31 @@
header->biRedMask |= (OPJ_UINT32)getc(IN) << 16;
header->biRedMask |= (OPJ_UINT32)getc(IN) << 24;
+ if (!header->biRedMask) {
+ fprintf(stderr, "Error, invalid red mask value %d\n", header->biRedMask);
+ return OPJ_FALSE;
+ }
+
header->biGreenMask = (OPJ_UINT32)getc(IN);
header->biGreenMask |= (OPJ_UINT32)getc(IN) << 8;
header->biGreenMask |= (OPJ_UINT32)getc(IN) << 16;
header->biGreenMask |= (OPJ_UINT32)getc(IN) << 24;
+ if (!header->biGreenMask) {
+ fprintf(stderr, "Error, invalid green mask value %d\n", header->biGreenMask);
+ return OPJ_FALSE;
+ }
+
header->biBlueMask = (OPJ_UINT32)getc(IN);
header->biBlueMask |= (OPJ_UINT32)getc(IN) << 8;
header->biBlueMask |= (OPJ_UINT32)getc(IN) << 16;
header->biBlueMask |= (OPJ_UINT32)getc(IN) << 24;
+ if (!header->biBlueMask) {
+ fprintf(stderr, "Error, invalid blue mask value %d\n", header->biBlueMask);
+ return OPJ_FALSE;
+ }
+
header->biAlphaMask = (OPJ_UINT32)getc(IN);
header->biAlphaMask |= (OPJ_UINT32)getc(IN) << 8;
header->biAlphaMask |= (OPJ_UINT32)getc(IN) << 16;
@@ -831,6 +846,12 @@
bmpmask32toimage(pData, stride, image, 0x00FF0000U, 0x0000FF00U, 0x000000FFU,
0x00000000U);
} else if (Info_h.biBitCount == 32 && Info_h.biCompression == 3) { /* bitmask */
+ if ((Info_h.biRedMask == 0U) && (Info_h.biGreenMask == 0U) &&
+ (Info_h.biBlueMask == 0U)) {
+ Info_h.biRedMask = 0x00FF0000U;
+ Info_h.biGreenMask = 0x0000FF00U;
+ Info_h.biBlueMask = 0x000000FFU;
+ }
bmpmask32toimage(pData, stride, image, Info_h.biRedMask, Info_h.biGreenMask,
Info_h.biBlueMask, Info_h.biAlphaMask);
} else if (Info_h.biBitCount == 16 && Info_h.biCompression == 0) { /* RGBX */
Description: convertbmp: detect invalid file dimensions early
width/length dimensions read from bmp headers are not necessarily
valid. For instance they may have been maliciously set to very large
values with the intention to cause DoS (large memory allocation, stack
overflow). In these cases we want to detect the invalid size as early
as possible.
.
This commit introduces a counter which verifies that the number of
written bytes corresponds to the advertized width/length.
Author: Hugo Lefeuvre <hle@debian.org>
Origin: upstream, https://github.com/uclouvain/openjpeg/commit/8ee335227bbcaf1614124046aa25e53d67b11ec3
--- a/src/bin/jp2/convertbmp.c 2019-03-04 13:28:27.107134602 +0100
+++ b/src/bin/jp2/convertbmp.c 2019-03-04 13:29:15.778697169 +0100
@@ -534,14 +534,14 @@
static OPJ_BOOL bmp_read_rle8_data(FILE* IN, OPJ_UINT8* pData,
OPJ_UINT32 stride, OPJ_UINT32 width, OPJ_UINT32 height)
{
- OPJ_UINT32 x, y;
+ OPJ_UINT32 x, y, written;
OPJ_UINT8 *pix;
const OPJ_UINT8 *beyond;
beyond = pData + stride * height;
pix = pData;
- x = y = 0U;
+ x = y = written = 0U;
while (y < height) {
int c = getc(IN);
if (c == EOF) {
@@ -561,6 +561,7 @@
for (j = 0; (j < c) && (x < width) &&
((OPJ_SIZE_T)pix < (OPJ_SIZE_T)beyond); j++, x++, pix++) {
*pix = c1;
+ written++;
}
} else {
c = getc(IN);
@@ -598,6 +599,7 @@
}
c1 = (OPJ_UINT8)c1_int;
*pix = c1;
+ written++;
}
if ((OPJ_UINT32)c & 1U) { /* skip padding byte */
c = getc(IN);
@@ -608,6 +610,12 @@
}
}
}/* while() */
+
+ if (written != width * height) {
+ fprintf(stderr, "warning, image's actual size does not match advertized one\n");
+ return OPJ_FALSE;
+ }
+
return OPJ_TRUE;
}
multiarch_path.patch
java9.patch
CVE-2017-17480.patch
CVE-2018-14423.patch
CVE-2018-18088.patch
CVE-2018-5785.patch
CVE-2018-6616.patch
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment