Commit 6fc12df0 authored by Hugo Lefeuvre, committed by Mathieu Malaterre

Import Debian changes 2.1.0-2+deb8u5

openjpeg2 (2.1.0-2+deb8u5) jessie-security; urgency=high

  * Non-maintainer upload by the LTS Team.
  * CVE-2017-17480: write stack buffer overflow due to missing buffer
    length formatter in fscanf call.
  * CVE-2018-18088: null pointer dereference caused by null image
    components in imagetopnm.
parent 114dac2e
openjpeg2 (2.1.0-2+deb8u5) jessie-security; urgency=high
* Non-maintainer upload by the LTS Team.
* CVE-2017-17480: write stack buffer overflow due to missing buffer
length formatter in fscanf call.
* CVE-2018-18088: null pointer dereference caused by null image
components in imagetopnm.
-- Hugo Lefeuvre <hle@debian.org> Mon, 19 Nov 2018 17:23:30 +0100
openjpeg2 (2.1.0-2+deb8u4) jessie-security; urgency=high
* Non-maintainer upload by the LTS Team.
......
Description: jp3d/jpwl convert: fix write stack buffer overflow
Missing buffer length formatter in fscanf call might lead to write
stack buffer overflow. Add missing formatters.
Author: Hugo Lefeuvre <hle@debian.org>
Origin: https://github.com/hlef/openjpeg/commit/0bc90e4062a5f9258c91eca018c019b179066c62
--- a/src/bin/jp3d/convert.c 2014-04-29 09:15:02.000000000 +0200
+++ b/src/bin/jp3d/convert.c 2018-11-19 18:05:07.877139185 +0100
@@ -281,7 +281,7 @@
fprintf(stdout, "[INFO] Loading %s \n",pgxfiles[pos]);
fseek(f, 0, SEEK_SET);
- fscanf(f, "PG%[ \t]%c%c%[ \t+-]%d%[ \t]%d%[ \t]%d",temp,&endian1,&endian2,signtmp,&prec,temp,&w,temp,&h);
+ fscanf(f, "PG%31[ \t]%c%c%31[ \t+-]%d%31[ \t]%d%31[ \t]%d",temp,&endian1,&endian2,signtmp,&prec,temp,&w,temp,&h);
i=0;
sign='+';
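Review bot: the fscanf call in jp3d/convert.c still discards its return value, whereas the jpwl version of the same call in this patch is compared against 9. A header that does not match the format leaves prec, w and h unassigned, and the code falls through to `i=0;` and `sign='+';` as if parsing had succeeded. Suggest guarding it the same way, e.g. `if (fscanf(f, ...) != 9) { ... }`, with an error message and an early exit appropriate to this function.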
--- a/src/bin/jpwl/convert.c 2014-04-29 09:15:03.000000000 +0200
+++ b/src/bin/jpwl/convert.c 2018-11-19 18:06:40.754635606 +0100
@@ -1297,7 +1297,7 @@
}
fseek(f, 0, SEEK_SET);
- if( fscanf(f, "PG%[ \t]%c%c%[ \t+-]%d%[ \t]%d%[ \t]%d",temp,&endian1,&endian2,signtmp,&prec,temp,&w,temp,&h) != 9){
+ if( fscanf(f, "PG%31[ \t]%c%c%31[ \t+-]%d%31[ \t]%d%31[ \t]%d",temp,&endian1,&endian2,signtmp,&prec,temp,&w,temp,&h) != 9){
fprintf(stderr, "ERROR: Failed to read the right number of element from the fscanf() function!\n");
return NULL;
}
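Review bot: the literal width 31 in the four `%31[...]` conversions is only safe if temp and signtmp are each at least 32 bytes (31 characters plus the terminating NUL), and neither declaration is visible in this hunk or in the jp3d one. Please confirm both sizes in each file, and consider deriving the width from the array size through a shared macro so the format string and the buffers cannot drift apart if one is resized later.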
Description: jp2: convert: fix null pointer dereference
Tile components in a JP2 image might have null data pointer by defining a
zero component size (for example using large horizontal or vertical
sampling periods). This null data pointer leads to null image component
data pointer, causing crash when dereferenced without != null check in
imagetopnm.
.
Add != null check.
Author: Hugo Lefeuvre <hle@debian.org>
Origin: https://github.com/uclouvain/openjpeg/commit/cab352e249ed3372dd9355c85e837613fff98fa2
--- a/src/bin/jp2/convert.c 2018-11-19 18:01:08.609286887 +0100
+++ b/src/bin/jp2/convert.c 2018-11-19 18:13:43.402868647 +0100
@@ -2184,6 +2184,11 @@
opj_version(), wr, hr, max);
red = image->comps[compno].data;
+ if (!red) {
+ fclose(fdest);
+ continue;
+ }
+
adjustR =
(image->comps[compno].sgnd ? 1 << (image->comps[compno].prec - 1) : 0);
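Review bot: the new `if (!red)` branch closes fdest and continues without any diagnostic, so a component with a null data pointer is skipped silently and the already opened output file is left behind without sample data. Suggest printing a message to stderr that names compno and recording the failure so the caller does not see success; if the surrounding code allows it, doing the null check before the output file is opened would avoid creating the file at all.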
......@@ -20,3 +20,6 @@ CVE-2016-5157.patch
CVE-2015-1239.patch
CVE-2016-5139.patch
CVE-2017-17480.patch
CVE-2018-18088.patch