Commit 80411a8a authored by Hugo Lefeuvre, committed by Mathieu Malaterre

Import Debian changes 2.1.0-2+deb8u6

openjpeg2 (2.1.0-2+deb8u6) jessie-security; urgency=high

  * Non-maintainer upload by the LTS Team.
  * CVE-2018-14423: Division-by-zero vulnerabilities in the functions
    pi_next_pcrl, pi_next_cprl, and pi_next_rpcl (closes: #904873).
  * CVE-2018-6616: Excessive Iteration in opj_t1_encode_cblks
    (closes: #889683).
parent 6fc12df0
openjpeg2 (2.1.0-2+deb8u6) jessie-security; urgency=high

  * Non-maintainer upload by the LTS Team.
  * CVE-2018-14423: Division-by-zero vulnerabilities in the functions
    pi_next_pcrl, pi_next_cprl, and pi_next_rpcl (closes: #904873).
  * CVE-2018-6616: Excessive Iteration in opj_t1_encode_cblks
    (closes: #889683).

 -- Hugo Lefeuvre <hle@debian.org>  Sat, 22 Dec 2018 11:50:11 +0100

openjpeg2 (2.1.0-2+deb8u5) jessie-security; urgency=high

  * Non-maintainer upload by the LTS Team.
Subject: avoid divisions by zero / undefined behaviour on shift (CVE-2018-14423)
Author: Young_X <YangX92@hotmail.com>
Origin: https://github.com/uclouvain/openjpeg/commit/bd88611ed9ad7144ec4f3de54790cd848175891b
Bug: https://github.com/uclouvain/openjpeg/issues/1123
--- a/src/lib/openjp3d/pi.c 2018-12-22 12:11:03.000000000 +0100
+++ b/src/lib/openjp3d/pi.c 2018-12-22 12:11:36.000000000 +0100
@@ -215,6 +215,14 @@
rpx = res->pdx + levelnox;
rpy = res->pdy + levelnoy;
rpz = res->pdz + levelnoz;
+
+ /* To avoid divisions by zero / undefined behaviour on shift */
+ if (rpx >= 31 || ((comp->dx << rpx) >> rpx) != comp->dx ||
+ rpy >= 31 || ((comp->dy << rpy) >> rpy) != comp->dy ||
+ rpz >= 31 || ((comp->dz << rpz) >> rpz) != comp->dz) {
+ continue;
+ }
+
if ((!(pi->x % (comp->dx << rpx) == 0) || (pi->x == pi->tx0 && (trx0 << levelnox) % (1 << rpx)))) {
continue;
}
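Review bot: the guard added here still accepts comp->dx == 0, because the round-trip test (0 << rpx) >> rpx == 0 holds for every rpx, so the divisor in `pi->x % (comp->dx << rpx)` on the line after the guard can still be zero if the component sampling factor reaches this point unvalidated; unless dx, dy and dz are guaranteed non-zero earlier, add `comp->dx == 0 ||` (and the dy/dz equivalents) to the condition. Also, if comp->dx is a signed type, the probe shift `comp->dx << rpx` with rpx up to 30 is itself signed overflow for dx >= 2, so the round trip should be computed on an unsigned copy of the value.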
@@ -309,6 +317,14 @@
rpx = res->pdx + levelnox;
rpy = res->pdy + levelnoy;
rpz = res->pdz + levelnoz;
+
+ /* To avoid divisions by zero / undefined behaviour on shift */
+ if (rpx >= 31 || ((comp->dx << rpx) >> rpx) != comp->dx ||
+ rpy >= 31 || ((comp->dy << rpy) >> rpy) != comp->dy ||
+ rpz >= 31 || ((comp->dz << rpz) >> rpz) != comp->dz) {
+ continue;
+ }
+
if ((!(pi->x % (comp->dx << rpx) == 0) || (pi->x == pi->tx0 && (trx0 << levelnox) % (1 << rpx)))) {
continue;
}
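Review bot: the guard bounds rpx, rpy and rpz but not the other shift on the following line, `(trx0 << levelnox)`: rpx < 31 only implies levelnox < 31, and that product still overflows when trx0 is large, so if trx0 is not already bounded this shift needs its own check. This block is also a verbatim copy of the one in the previous hunk and the next; a small static helper taking the sampling factor and the shift count would keep the three sites from drifting apart.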
@@ -400,6 +416,14 @@
rpx = res->pdx + levelnox;
rpy = res->pdy + levelnoy;
rpz = res->pdz + levelnoz;
+
+ /* To avoid divisions by zero / undefined behaviour on shift */
+ if (rpx >= 31 || ((comp->dx << rpx) >> rpx) != comp->dx ||
+ rpy >= 31 || ((comp->dy << rpy) >> rpy) != comp->dy ||
+ rpz >= 31 || ((comp->dz << rpz) >> rpz) != comp->dz) {
+ continue;
+ }
+
if ((!(pi->x % (comp->dx << rpx) == 0) || (pi->x == pi->tx0 && (trx0 << levelnox) % (1 << rpx)))) {
continue;
}
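The guard from the three pi.c hunks above, rewritten as a stand-alone helper so its behaviour can be checked on concrete values. This is an added example, not openjpeg or Debian code; the names shift_ok, shifted_divisor and guarded_mod are this example's own. It covers the case the patch's round-trip test alone does not: a zero sampling factor, which shifts to zero and would still divide by zero.

```c
/* Added example (not openjpeg code): the pi.c guard as a reusable helper. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Mirrors the patched condition: reject a shift count of 31 or more, and
 * reject a value whose high bits the shift would discard, detected with the
 * same round trip (v << s) >> s != v the patch uses. The arithmetic is done
 * on uint32_t so the probe shift is well defined even when bits are lost. */
bool shift_ok(uint32_t v, unsigned s)
{
    if (s >= 31)
        return false;
    return ((v << s) >> s) == v;
}

/* Variant for a value that will be used as a divisor: additionally rejects
 * v == 0, which the round-trip test accepts because 0 << s == 0 for any s.
 * Stores the shifted value in *out only when it is a valid non-zero divisor. */
bool shifted_divisor(uint32_t v, unsigned s, uint32_t *out)
{
    if (v == 0 || !shift_ok(v, s))
        return false;
    *out = v << s;
    return true;
}

/* Models the guarded packet-iterator step: computes x % (dx << rpx) only
 * when the divisor is safe and returns -1 where the patch would `continue`. */
int guarded_mod(uint32_t x, uint32_t dx, unsigned rpx)
{
    uint32_t div;
    if (!shifted_divisor(dx, rpx, &div))
        return -1;
    return (int)(x % div);
}

int main(void)
{
    /* Constructed (dx, rpx) pairs: valid, overflowing, out-of-range, zero. */
    struct { uint32_t dx; unsigned rpx; } cases[] = {
        {1, 0}, {3, 5}, {3, 30}, {4, 30}, {1, 31}, {0, 4}, {0x80000000u, 1}
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        uint32_t div;
        bool ok = shifted_divisor(cases[i].dx, cases[i].rpx, &div);
        printf("dx=%u rpx=%u -> %s\n", (unsigned)cases[i].dx, cases[i].rpx,
               ok ? "safe divisor" : "rejected");
    }
    return 0;
}
```

Note that 3 << 30 fits in 32 bits and passes the round trip, while 4 << 30 does not; the test is only about bits being lost, not about the result being "large", which is why the zero check has to be separate.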
Description: convertbmp: detect invalid file dimensions early
 width/length dimensions read from bmp headers are not necessarily
 valid. For instance they may have been maliciously set to very large
 values with the intention to cause DoS (large memory allocation, stack
 overflow). In these cases we want to detect the invalid size as early
 as possible.
 .
 This commit introduces a counter which verifies that the number of
 written bytes corresponds to the advertized width/length.
Author: Hugo Lefeuvre <hle@debian.org>
Origin: https://github.com/uclouvain/openjpeg/commit/8ee335227bbcaf1614124046aa25e53d67b11ec3
Bug: https://github.com/uclouvain/openjpeg/issues/1059
--- a/src/bin/jp2/convert.c 2018-12-22 12:13:11.286980110 +0100
+++ b/src/bin/jp2/convert.c 2018-12-22 12:14:10.826794958 +0100
@@ -886,7 +886,7 @@
{
unsigned char *pix, *beyond;
int *gray, *red, *green, *blue;
- unsigned int max;
+ unsigned int max, written;
int c, c1;
unsigned char uc;
@@ -954,7 +954,7 @@
RGB = (unsigned char *) calloc(1, W * H * sizeof(unsigned char));
beyond = RGB + W * H;
pix = beyond - W;
- x = y = 0;
+ x = y = written = 0;
while (y < H)
{
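Review bot: the new counter only fires after the whole RLE loop has finished, but `RGB = calloc(1, W * H * sizeof(unsigned char))` a few lines above has already been performed for the advertised size, so the large allocation the description wants to avoid still happens; an upper bound on W and H (and an overflow check on W * H) before the calloc would reject the bogus header earlier, and the calloc result should be checked for NULL before `beyond = RGB + W * H` and `pix = beyond - W` use it.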
@@ -966,6 +966,7 @@
for (i = 0; i < c && x < W && pix < beyond; i++, x++, pix++)
*pix = (unsigned char)c1;
+ written++;
}
else
{
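Review bot: as this hunk reads, the `for` on the line before `*pix = (unsigned char)c1;` has a single-statement body with no braces, so `written++` executes once after each encoded run rather than once per pixel the run stores; `written` then undercounts every run longer than one pixel and the final `written != W * H` test will reject valid RLE8 images. Wrap both statements in braces so the increment sits inside the loop body; the loop already stops at `x < W && pix < beyond`, so counting there counts exactly the pixels stored.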
@@ -994,6 +995,7 @@
{
c1 = getc(IN);
*pix = (unsigned char)c1;
+ written++;
}
if (c & 1) /* skip padding byte */
getc(IN);
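Review bot: in absolute mode `c1 = getc(IN)` can return EOF, and the two lines after it store the value as 0xFF and count it as a written pixel, so a file truncated inside an absolute run keeps advancing `written` toward W * H and the new check does not notice the truncation; test `c1 == EOF` before storing and counting, and abandon the decode when it is hit.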
@@ -1001,6 +1003,11 @@
}
}/* while() */
+ if (written != W * H) {
+ fprintf(stderr, "warning, image's actual size does not match advertized one\n");
+ return OPJ_FALSE;
+ }
+
if (gray_scale)
{
gray = image->comps[0].data;
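Review bot: the early `return OPJ_FALSE` leaks `RGB`, which was calloc'd for W * H bytes earlier in this function and is only consumed by the gray/colour conversion that follows; free it (and any image already allocated) before returning. The message also says "warning" while the function reports failure; since the decode is abandoned, call it an error, and "advertized" in the string reads better as "advertised".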
@@ -23,3 +23,5 @@ CVE-2016-5139.patch
CVE-2017-17480.patch
CVE-2018-18088.patch
CVE-2018-6616.patch
CVE-2018-14423.patch
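The counting check from the convertbmp patch above, applied in a stand-alone BMP RLE8 run decoder over an in-memory buffer. This is an added example, not openjpeg or Debian code; rle8_decode and the other names, and the constructed byte streams, are this example's own. It goes slightly beyond the patch: it counts inside the run loop, treats EOF in absolute mode as an error rather than a pixel, validates the dimensions before allocating, and frees the buffer on every failure path.

```c
/* Added example (not openjpeg code): RLE8 decoding with a written-pixel check. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Byte source over an in-memory buffer; rle8_get() returns -1 at the end,
 * playing the role of getc() returning EOF in the original reader. */
struct rle8_src { const uint8_t *p, *end; };

static int rle8_get(struct rle8_src *s)
{
    return s->p < s->end ? *s->p++ : -1;
}

/* Decodes BMP RLE8 records into a newly allocated w*h buffer (rows stored
 * top-down). Every stored pixel is counted and the image is rejected when
 * the count differs from the advertised w*h, which is the check the patch
 * adds. Delta records are unsupported here and treated as a failure. */
uint8_t *rle8_decode(const uint8_t *data, size_t len, uint32_t w, uint32_t h)
{
    struct rle8_src s = { data, data + len };
    size_t total, written = 0, x = 0, y = 0;
    uint8_t *pix;

    if (w == 0 || h == 0 || w > SIZE_MAX / h)  /* validate before allocating */
        return NULL;
    total = (size_t)w * h;
    pix = calloc(total, 1);
    if (pix == NULL)
        return NULL;

    for (;;) {
        int c = rle8_get(&s);
        if (c < 0)
            break;                              /* truncated: counter will disagree */
        if (c > 0) {                            /* encoded run: c copies of one byte */
            int c1 = rle8_get(&s);
            if (c1 < 0)
                break;
            for (int i = 0; i < c && x < w && y < h; i++, x++) {
                pix[y * w + x] = (uint8_t)c1;
                written++;                      /* one count per stored pixel */
            }
            continue;
        }
        c = rle8_get(&s);                       /* escape: 0 followed by a code */
        if (c < 0 || c == 2)                    /* truncated, or unsupported delta */
            goto fail;
        if (c == 0) { x = 0; y++; continue; }   /* end of line */
        if (c == 1)                             /* end of bitmap */
            break;
        for (int i = 0; i < c; i++) {           /* absolute mode: c literal bytes */
            int c1 = rle8_get(&s);
            if (c1 < 0)
                goto fail;                      /* EOF is never a pixel */
            if (x < w && y < h) {
                pix[y * w + x++] = (uint8_t)c1;
                written++;
            }
        }
        if ((c & 1) && rle8_get(&s) < 0)        /* odd-length runs carry a pad byte */
            goto fail;
    }
    if (written != total) {
        fprintf(stderr, "error: stream produced %zu pixels, header advertises %zu\n",
                written, total);
        goto fail;
    }
    return pix;
fail:
    free(pix);
    return NULL;
}

/* Constructed 4x2 test streams (not taken from any real file). */
static const uint8_t RLE8_GOOD[] = {
    4, 7,                   /* row 0: run of four pixels with value 7 */
    0, 0,                   /* end of line */
    0, 3, 1, 2, 3, 0,       /* row 1: absolute mode, three bytes plus pad */
    1, 9,                   /* run of one pixel, value 9 */
    0, 1                    /* end of bitmap */
};
static const uint8_t RLE8_GOOD_PIXELS[8] = { 7, 7, 7, 7, 1, 2, 3, 9 };
static const uint8_t RLE8_SHORT[] = { 4, 7, 0, 0, 2, 5 };  /* stops after 6 pixels */

/* Decodes, compares against the expected pixels and frees the result. */
bool rle8_decode_matches(const uint8_t *data, size_t len, uint32_t w, uint32_t h,
                         const uint8_t *expect)
{
    uint8_t *pix = rle8_decode(data, len, w, h);
    bool ok = pix != NULL && memcmp(pix, expect, (size_t)w * h) == 0;
    free(pix);
    return ok;
}

/* True when the decoder rejects the stream for the claimed dimensions. */
bool rle8_decode_rejects(const uint8_t *data, size_t len, uint32_t w, uint32_t h)
{
    return rle8_decode(data, len, w, h) == NULL;
}

int main(void)
{
    printf("valid 4x2 stream: %s\n", rle8_decode_matches(RLE8_GOOD, sizeof RLE8_GOOD,
           4, 2, RLE8_GOOD_PIXELS) ? "accepted" : "rejected");
    printf("same stream claimed as 4x3: %s\n", rle8_decode_rejects(RLE8_GOOD,
           sizeof RLE8_GOOD, 4, 3) ? "rejected" : "accepted");
    printf("truncated stream: %s\n", rle8_decode_rejects(RLE8_SHORT,
           sizeof RLE8_SHORT, 4, 2) ? "rejected" : "accepted");
    return 0;
}
```

The decoder still allocates the advertised w*h before reading any data, as the patched reader does; the dimension check before calloc is what keeps a hostile header from turning that into a huge or overflowing allocation, and the counter afterwards catches streams that do not fill what was allocated.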