Commit 8d198162 authored by Moritz Muehlenhoff's avatar Moritz Muehlenhoff Committed by Mathieu Malaterre

Import Debian changes 2.1.2-1.2

openjpeg2 (2.1.2-1.2) unstable; urgency=medium

  * Non-maintainer upload
  * Fix CVE-2016-1626, CVE-2016-1628, CVE-2016-5152, CVE-2016-9112 and
    CVE-2016-9118.patch
parent 3f531950
openjpeg2 (2.1.2-1.1+deb9u3) stretch-security; urgency=medium
openjpeg2 (2.1.2-1.2) unstable; urgency=medium
* Non-maintainer upload by the Security Team.
* CVE-2018-14423: Division-by-zero vulnerabilities in the functions
pi_next_pcrl, pi_next_cprl, and pi_next_rpcl (closes: #904873).
* CVE-2018-6616: Excessive Iteration in opj_t1_encode_cblks
(closes: #889683).
* CVE-2017-17480: Write stack buffer overflow due to missing buffer
length formatter in fscanf call (closes: #884738).
* CVE-2018-18088: Null pointer dereference caused by null image
components in imagetopnm (closes: #910763).
* CVE-2018-5785: Integer overflow in convertbmp.c (closes: #888533).
* Non-maintainer upload
* Fix CVE-2016-1626, CVE-2016-1628, CVE-2016-5152, CVE-2016-9112 and
CVE-2016-9118.patch
-- Luciano Bello <luciano@debian.org> Thu, 07 Mar 2019 16:41:30 -0500
openjpeg2 (2.1.2-1.1+deb9u2) stretch-security; urgency=medium
* Fix whitespace/indent mess
* CVE-2017-14039: CVE-2017-14039.patch
* CVE-2017-14040: 2cd30c2b06ce332dede81cccad8b334cde997281.patch
* CVE-2017-14041: e5285319229a5d77bf316bb0d3a6cbd3cb8666d9.patch
* CVE-2017-14151: afb308b9ccbe129608c9205cf3bb39bbefad90b9.patch
* CVE-2017-14152: dcac91b8c72f743bda7dbfa9032356bc8110098a.patch
-- Mathieu Malaterre <malat@debian.org> Mon, 16 Oct 2017 21:15:20 +0200
openjpeg2 (2.1.2-1.1+deb9u1) stretch-security; urgency=medium
* CVE-2016-9118: c22cbd8bdf8ff2ae372f94391a4be2d322b36b41.patch
* CVE-2016-5152: 3fbe71369019df0b47c7a2be4fab8c05768f2f32.patch
* CVE-2016-1628: 11445eddad7e7fa5b273d1c83c91011c44e5d586.patch
* CVE-2016-10504: 397f62c0a838e15d667ef50e27d5d011d2c79c04.patch
-- Mathieu Malaterre <malat@debian.org> Mon, 16 Oct 2017 07:27:49 +0200
-- Moritz Muehlenhoff <jmm@debian.org> Fri, 11 Aug 2017 22:17:07 +0200
openjpeg2 (2.1.2-1.1) unstable; urgency=medium
From 2cd30c2b06ce332dede81cccad8b334cde997281 Mon Sep 17 00:00:00 2001
From: Even Rouault <even.rouault@spatialys.com>
Date: Thu, 17 Aug 2017 11:47:40 +0200
Subject: [PATCH] tgatoimage(): avoid excessive memory allocation attempt, and
fixes unaligned load (#995)
---
src/bin/jp2/convert.c | 39 +++++++++++++++++++++++++++------------
1 file changed, 27 insertions(+), 12 deletions(-)
--- a/src/bin/jp2/convert.c
+++ b/src/bin/jp2/convert.c
@@ -559,12 +559,10 @@
};
#endif /* INFORMATION_ONLY */
-static unsigned short get_ushort(const unsigned char *data) {
- unsigned short val = *(const unsigned short *)data;
-#ifdef OPJ_BIG_ENDIAN
- val = ((val & 0xffU) << 8) | (val >> 8);
-#endif
- return val;
+/* Returns a ushort from a little-endian serialized value */
+static unsigned short get_tga_ushort(const unsigned char *data)
+{
+ return data[0] | (data[1] << 8);
}
#define TGA_HEADER_SIZE 18
@@ -590,17 +588,17 @@
id_len = tga[0];
/*cmap_type = tga[1];*/
image_type = tga[2];
- /*cmap_index = get_ushort(&tga[3]);*/
- cmap_len = get_ushort(&tga[5]);
+ /*cmap_index = get_tga_ushort(&tga[3]);*/
+ cmap_len = get_tga_ushort(&tga[5]);
cmap_entry_size = tga[7];
#if 0
- x_origin = get_ushort(&tga[8]);
- y_origin = get_ushort(&tga[10]);
+ x_origin = get_tga_ushort(&tga[8]);
+ y_origin = get_tga_ushort(&tga[10]);
#endif
- image_w = get_ushort(&tga[12]);
- image_h = get_ushort(&tga[14]);
+ image_w = get_tga_ushort(&tga[12]);
+ image_h = get_tga_ushort(&tga[14]);
pixel_depth = tga[16];
image_desc = tga[17];
@@ -764,6 +762,24 @@
color_space = OPJ_CLRSPC_SRGB;
}
+ /* If the declared file size is > 10 MB, check that the file is big */
+ /* enough to avoid excessive memory allocations */
+ if (image_height != 0 && image_width > 10000000 / image_height / numcomps) {
+ char ch;
+ OPJ_UINT64 expected_file_size =
+ (OPJ_UINT64)image_width * image_height * numcomps;
+ long curpos = ftell(f);
+ if (expected_file_size > (OPJ_UINT64)INT_MAX) {
+ expected_file_size = (OPJ_UINT64)INT_MAX;
+ }
+ fseek(f, (long)expected_file_size - 1, SEEK_SET);
+ if (fread(&ch, 1, 1, f) != 1) {
+ fclose(f);
+ return NULL;
+ }
+ fseek(f, curpos, SEEK_SET);
+ }
+
subsampling_dx = parameters->subsampling_dx;
subsampling_dy = parameters->subsampling_dy;
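Review bot: The return values of `ftell` and both `fseek` calls in the new file-size probe are unchecked, so if `ftell(f)` fails and yields -1 the restoring `fseek(f, curpos, SEEK_SET)` is handed an invalid offset and the pixel reads that follow run from whatever position the probe left, with no error reported. Guard the probe with `if (curpos < 0 || fseek(f, (long)expected_file_size - 1, SEEK_SET) != 0) { fclose(f); return NULL; }` and treat a failing restore `fseek` the same way. The divisor `10000000 / image_height / numcomps` also relies on `numcomps` being non-zero, which is established somewhere outside this hunk; a one-line comment stating that invariant at the check would help the next reader. tgatoimage's body continues outside the hunk.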
From 397f62c0a838e15d667ef50e27d5d011d2c79c04 Mon Sep 17 00:00:00 2001
From: Even Rouault <even.rouault@spatialys.com>
Date: Sat, 29 Jul 2017 19:13:49 +0200
Subject: [PATCH] Fix write heap buffer overflow in opj_mqc_byteout().
Discovered by Ke Liu of Tencent's Xuanwu LAB (#835)
---
src/lib/openjp2/tcd.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
--- a/src/lib/openjp2/tcd.c
+++ b/src/lib/openjp2/tcd.c
@@ -1088,7 +1088,9 @@
{
OPJ_UINT32 l_data_size;
- l_data_size = (OPJ_UINT32)((p_code_block->x1 - p_code_block->x0) * (p_code_block->y1 - p_code_block->y0) * (OPJ_INT32)sizeof(OPJ_UINT32));
+ /* The +1 is needed for https://github.com/uclouvain/openjpeg/issues/835 */
+ l_data_size = 1 + (OPJ_UINT32)((p_code_block->x1 - p_code_block->x0) *
+ (p_code_block->y1 - p_code_block->y0) * (OPJ_INT32)sizeof(OPJ_UINT32));
if (l_data_size > p_code_block->data_size) {
if (p_code_block->data) {
......@@ -6,19 +6,16 @@ Subject: [PATCH] opj_pi_update_decode_poc(): limit layno1 to the number of
This has been recently fixed in a less elegant way per
80818c39f5bfbac37768fcee95b0ffeceaa77264
---
src/lib/openjp2/pi.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/src/lib/openjp2/pi.c
+++ b/src/lib/openjp2/pi.c
@@ -1019,7 +1019,8 @@
--- openjpeg2-2.1.2.orig/src/lib/openjp2/pi.c
+++ openjpeg2-2.1.2/src/lib/openjp2/pi.c
@@ -1019,7 +1019,8 @@ static void opj_pi_update_decode_poc (op
l_current_pi->poc.precno0 = 0;
l_current_pi->poc.resno1 = l_current_poc->resno1; /* Resolution Level Index #0 (End) */
l_current_pi->poc.compno1 = l_current_poc->compno1; /* Component Index #0 (End) */
- l_current_pi->poc.layno1 = l_current_poc->layno1; /* Layer Index #0 (End) */
+ l_current_pi->poc.layno1 = opj_uint_min(l_current_poc->layno1,
+ p_tcp->numlayers); /* Layer Index #0 (End) */
+ l_current_pi->poc.layno1 = opj_uint_min(l_current_poc->layno1,
+ p_tcp->numlayers); /* Layer Index #0 (End) */
l_current_pi->poc.precno1 = p_max_precision;
++l_current_pi;
++l_current_poc;
--- openjpeg2-2.1.2.orig/src/lib/openjp2/j2k.c
+++ openjpeg2-2.1.2/src/lib/openjp2/j2k.c
@@ -41,6 +41,7 @@
*/
#include "opj_includes.h"
+#include <limits.h>
/** @defgroup J2K J2K - JPEG-2000 codestream reader/writer */
/*@{*/
--- openjpeg2-2.1.2.orig/src/lib/openmj2/tcd.c
+++ openjpeg2-2.1.2/src/lib/openmj2/tcd.c
@@ -38,6 +38,7 @@
#define _ISOC99_SOURCE /* lrintf is C99 */
#include "opj_includes.h"
+#include <limits.h>
void tcd_dump(FILE *fd, opj_tcd_t *tcd, opj_tcd_image_t * img) {
int tileno, compno, resno, bandno, precno;/*, cblkno;*/
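Review bot: The diffstat of this patch (`src/lib/openjp2/pi.c | 3 ++-`, `1 file changed`) names only pi.c, yet the section also carries `#include <limits.h>` hunks for `src/lib/openjp2/j2k.c` and `src/lib/openmj2/tcd.c`; which side those hunks sit on is not recoverable from this rendering, so if they are on the new side the diffstat is stale, and if they are being dropped the refresh is consistent. An identical `<limits.h>` hunk for j2k.c appears in the CVE-2016-5152 patch that follows, which is where `UINT_MAX` is actually used, so the layno1 patch presumably should not need it. A `Description:`/`Origin:` header naming the upstream commit, as the later patches in this series carry, would make the intended scope of this patch auditable.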
......@@ -5,74 +5,54 @@ Subject: [PATCH] opj_tcd_get_decoded_tile_size(): fix potential UINT32
overflow (#854, CVE-2016-5152)
Fix derived from https://pdfium.googlesource.com/pdfium.git/+/d8cc503575463ff3d81b22dad292665f2c88911e/third_party/libopenjpeg20/0018-tcd_get_decoded_tile_size.patch
---
src/lib/openjp2/j2k.c | 3 +++
src/lib/openjp2/tcd.c | 16 +++++++++++++---
2 files changed, 16 insertions(+), 3 deletions(-)
--- a/src/lib/openjp2/j2k.c
+++ b/src/lib/openjp2/j2k.c
@@ -41,6 +41,7 @@
*/
#include "opj_includes.h"
+#include <limits.h> /* UINT_MAX */
/** @defgroup J2K J2K - JPEG-2000 codestream reader/writer */
/*@{*/
@@ -8097,6 +8098,9 @@
--- openjpeg2-2.1.2.orig/src/lib/openjp2/j2k.c
+++ openjpeg2-2.1.2/src/lib/openjp2/j2k.c
@@ -8097,6 +8097,9 @@ OPJ_BOOL opj_j2k_read_tile_header(
*p_tile_index = p_j2k->m_current_tile_number;
*p_go_on = OPJ_TRUE;
*p_data_size = opj_tcd_get_decoded_tile_size(p_j2k->m_tcd);
+ if (*p_data_size == UINT_MAX) {
+ return OPJ_FALSE;
+ }
+ if (*p_data_size == UINT_MAX) {
+ return OPJ_FALSE;
+ }
*p_tile_x0 = p_j2k->m_tcd->tcd_image->tiles->x0;
*p_tile_y0 = p_j2k->m_tcd->tcd_image->tiles->y0;
*p_tile_x1 = p_j2k->m_tcd->tcd_image->tiles->x1;
--- a/src/lib/openjp2/tcd.c
+++ b/src/lib/openjp2/tcd.c
@@ -39,6 +39,7 @@
*/
#include "opj_includes.h"
+#include <limits.h> /* UINT_MAX */
/* ----------------------------------------------------------------------- */
@@ -1154,6 +1155,7 @@
--- openjpeg2-2.1.2.orig/src/lib/openjp2/tcd.c
+++ openjpeg2-2.1.2/src/lib/openjp2/tcd.c
@@ -1154,6 +1154,7 @@ OPJ_UINT32 opj_tcd_get_decoded_tile_size
opj_tcd_tilecomp_t * l_tile_comp = 00;
opj_tcd_resolution_t * l_res = 00;
OPJ_UINT32 l_size_comp, l_remaining;
+ OPJ_UINT32 l_temp;
+ OPJ_UINT32 l_temp;
l_tile_comp = p_tcd->tcd_image->tiles->comps;
l_img_comp = p_tcd->image->comps;
@@ -1171,7 +1173,17 @@
@@ -1171,7 +1172,17 @@ OPJ_UINT32 opj_tcd_get_decoded_tile_size
}
l_res = l_tile_comp->resolutions + l_tile_comp->minimum_num_resolutions - 1;
- l_data_size += l_size_comp * (OPJ_UINT32)((l_res->x1 - l_res->x0) * (l_res->y1 - l_res->y0));
+ l_temp = (OPJ_UINT32)((l_res->x1 - l_res->x0) * (l_res->y1 -
+ l_res->y0)); /* x1*y1 can't overflow */
+ if (l_size_comp && UINT_MAX / l_size_comp < l_temp) {
+ return UINT_MAX;
+ }
+ l_temp *= l_size_comp;
+ l_temp = (OPJ_UINT32)((l_res->x1 - l_res->x0) * (l_res->y1 -
+ l_res->y0)); /* x1*y1 can't overflow */
+ if (l_size_comp && UINT_MAX / l_size_comp < l_temp) {
+ return UINT_MAX;
+ }
+ l_temp *= l_size_comp;
+
+ if (l_temp > UINT_MAX - l_data_size) {
+ return UINT_MAX;
+ }
+ l_data_size += l_temp;
+ if (l_temp > UINT_MAX - l_data_size) {
+ return UINT_MAX;
+ }
+ l_data_size += l_temp;
++l_img_comp;
++l_tile_comp;
}
@@ -1366,7 +1378,7 @@
@@ -1366,7 +1377,7 @@ OPJ_BOOL opj_tcd_update_tile_data ( opj_
OPJ_UINT32 l_stride, l_width,l_height;
l_data_size = opj_tcd_get_decoded_tile_size(p_tcd);
- if (l_data_size > p_dest_length) {
+ if (l_data_size == UINT_MAX || l_data_size > p_dest_length) {
+ if (l_data_size == UINT_MAX || l_data_size > p_dest_length) {
return OPJ_FALSE;
}
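Review bot: The comment `/* x1*y1 can't overflow */` on the new `l_temp` assignment asserts an invariant this hunk does not establish: `(l_res->x1 - l_res->x0) * (l_res->y1 - l_res->y0)` is still evaluated in signed OPJ_INT32 arithmetic before the cast, and the guard that follows only covers the multiplication by `l_size_comp`. If the resolution extents are bounded elsewhere, the comment should name the place (`/* x1-x0 and y1-y0 are bounded by <validating function>, so the product fits in 32 bits */`); otherwise compute the product in OPJ_UINT64 and compare it against UINT_MAX as the later checks do. The in-band `UINT_MAX` sentinel is honoured by the two callers this patch touches, opj_j2k_read_tile_header and opj_tcd_update_tile_data; any other caller of opj_tcd_get_decoded_tile_size outside this patch would still take it as a real size, so a note in the function's header comment that UINT_MAX means "overflow" is worth adding. The enclosing functions start and end outside these hunks.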
From d27ccf01c68a31ad62b33d2dc1ba2bb1eeaafe7b Mon Sep 17 00:00:00 2001
From: Even Rouault <even.rouault@spatialys.com>
Date: Wed, 26 Jul 2017 11:30:56 +0200
Subject: [PATCH] Avoid division by zero in opj_pi_next_rpcl, opj_pi_next_pcrl
and opj_pi_next_cprl (#938)
--- openjpeg2-2.1.2.orig/src/lib/openjp2/pi.c
+++ openjpeg2-2.1.2/src/lib/openjp2/pi.c
@@ -360,6 +360,17 @@ if (!pi->tp_on){
try1 = opj_int_ceildiv(pi->ty1, (OPJ_INT32)(comp->dy << levelno));
rpx = res->pdx + levelno;
rpy = res->pdy + levelno;
+
+ /* To avoid divisions by zero / undefined behaviour on shift */
+ /* in below tests */
+ /* Fixes reading id:000026,sig:08,src:002419,op:int32,pos:60,val:+32 */
+ /* of https://github.com/uclouvain/openjpeg/issues/938 */
+ if (rpx >= 31 || ((comp->dx << rpx) >> rpx) != comp->dx ||
+ rpy >= 31 || ((comp->dy << rpy) >> rpy) != comp->dy) {
+ continue;
+ }
+ /* See ISO-15441. B.12.1.3 Resolution level-position-component-layer progression */
+
if (!((pi->y % (OPJ_INT32)(comp->dy << rpy) == 0) || ((pi->y == pi->ty0) && ((try0 << levelno) % (1 << rpy))))){
continue;
}
@@ -441,6 +452,17 @@ static OPJ_BOOL opj_pi_next_pcrl(opj_pi_
try1 = opj_int_ceildiv(pi->ty1, (OPJ_INT32)(comp->dy << levelno));
rpx = res->pdx + levelno;
rpy = res->pdy + levelno;
+
+ /* To avoid divisions by zero / undefined behaviour on shift */
+ /* in below tests */
+ /* Relates to id:000019,sig:08,src:001098,op:flip1,pos:49 */
+ /* of https://github.com/uclouvain/openjpeg/issues/938 */
+ if (rpx >= 31 || ((comp->dx << rpx) >> rpx) != comp->dx ||
+ rpy >= 31 || ((comp->dy << rpy) >> rpy) != comp->dy) {
+ continue;
+ }
+
+ /* See ISO-15441. B.12.1.4 Position-component-resolution level-layer progression */
if (!((pi->y % (OPJ_INT32)(comp->dy << rpy) == 0) || ((pi->y == pi->ty0) && ((try0 << levelno) % (1 << rpy))))){
continue;
}
@@ -520,6 +542,17 @@ static OPJ_BOOL opj_pi_next_cprl(opj_pi_
try1 = opj_int_ceildiv(pi->ty1, (OPJ_INT32)(comp->dy << levelno));
rpx = res->pdx + levelno;
rpy = res->pdy + levelno;
+
+ /* To avoid divisions by zero / undefined behaviour on shift */
+ /* in below tests */
+ /* Fixes reading id:000019,sig:08,src:001098,op:flip1,pos:49 */
+ /* of https://github.com/uclouvain/openjpeg/issues/938 */
+ if (rpx >= 31 || ((comp->dx << rpx) >> rpx) != comp->dx ||
+ rpy >= 31 || ((comp->dy << rpy) >> rpy) != comp->dy) {
+ continue;
+ }
+
+ /* See ISO-15441. B.12.1.5 Component-position-resolution level-layer progression */
if (!((pi->y % (OPJ_INT32)(comp->dy << rpy) == 0) || ((pi->y == pi->ty0) && ((try0 << levelno) % (1 << rpy))))){
continue;
}
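Review bot: The reference comments read `ISO-15441`, but the JPEG 2000 Part 1 standard is ISO/IEC 15444-1, so the three new comments should read `/* See ISO/IEC 15444-1, B.12.1.3 Resolution level-position-component-layer progression */` and likewise for B.12.1.4 and B.12.1.5. The same guard is pasted verbatim into opj_pi_next_rpcl, opj_pi_next_pcrl and opj_pi_next_cprl; a small static helper taking dx, dy, rpx and rpy and returning whether the shifts are representable would keep the three progressions from drifting apart on the next fix. The `rpx >= 31`/`rpy >= 31` bound also keeps the following `1 << rpy` in range, which the comment could state explicitly. The enclosing functions continue outside these hunks.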
......@@ -5,15 +5,8 @@ Subject: [PATCH] Avoid heap buffer overflow in function pnmtoimage of
convert.c, and unsigned integer overflow in opj_image_create()
(CVE-2016-9118, #861)
---
src/bin/jp2/convert.c | 10 ++++++++++
src/lib/openjp2/image.c | 8 +++++++-
2 files changed, 17 insertions(+), 1 deletion(-)
diff --git a/src/bin/jp2/convert.c b/src/bin/jp2/convert.c
index b3eb85816..492911c90 100644
--- a/src/bin/jp2/convert.c
+++ b/src/bin/jp2/convert.c
--- openjpeg2-2.1.2.orig/src/bin/jp2/convert.c
+++ openjpeg2-2.1.2/src/bin/jp2/convert.c
@@ -41,6 +41,7 @@
#include <stdlib.h>
#include <string.h>
......@@ -22,7 +15,7 @@ index b3eb85816..492911c90 100644
#include "openjpeg.h"
#include "convert.h"
@@ -1573,6 +1574,15 @@
@@ -1573,6 +1574,15 @@ opj_image_t* pnmtoimage(const char *file
if(!header_info.ok) { fclose(fp); return NULL; }
......@@ -34,26 +27,25 @@ index b3eb85816..492911c90 100644
+ fclose(fp);
+ return NULL;
+ }
+
+
format = header_info.format;
switch(format)
diff --git a/src/lib/openjp2/image.c b/src/lib/openjp2/image.c
index e62b416ca..d00a23701 100644
--- a/src/lib/openjp2/image.c
+++ b/src/lib/openjp2/image.c
@@ -64,7 +64,13 @@
--- openjpeg2-2.1.2.orig/src/lib/openjp2/image.c
+++ openjpeg2-2.1.2/src/lib/openjp2/image.c
@@ -64,7 +64,14 @@ opj_image_t* OPJ_CALLCONV opj_image_crea
comp->prec = cmptparms[compno].prec;
comp->bpp = cmptparms[compno].bpp;
comp->sgnd = cmptparms[compno].sgnd;
- comp->data = (OPJ_INT32*) opj_calloc(comp->w * comp->h, sizeof(OPJ_INT32));
+ if (comp->h != 0 && (OPJ_SIZE_T)comp->w > SIZE_MAX / comp->h) {
+ // TODO event manager
+ opj_image_destroy(image);
+ return NULL;
+ }
+ comp->data = (OPJ_INT32*) opj_calloc((OPJ_SIZE_T)comp->w * comp->h,
+ sizeof(OPJ_INT32));
+ if (comp->h != 0 && (OPJ_SIZE_T)comp->w > SIZE_MAX / comp->h) {
+ // TODO event manager
+ opj_image_destroy(image);
+ return NULL;
+ }
+ comp->data = (OPJ_INT32*) opj_calloc((OPJ_SIZE_T)comp->w * comp->h,
+ sizeof(OPJ_INT32));
+
if(!comp->data) {
/* TODO replace with event manager, breaks API */
/* fprintf(stderr,"Unable to allocate memory for image.\n"); */
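Review bot: The new guard in opj_image_create checks only `comp->w * comp->h` against SIZE_MAX, while the allocation is `opj_calloc((OPJ_SIZE_T)comp->w * comp->h, sizeof(OPJ_INT32))`, whose count times element size can still exceed SIZE_MAX; that is only safe if opj_calloc forwards to a standard calloc that does its own overflow check, which is not visible here. If opj_calloc is a custom allocator, compare against `SIZE_MAX / sizeof(OPJ_INT32) / comp->h` instead. `SIZE_MAX` needs `<stdint.h>`; the convert.c hunk of this patch adds an include while the image.c hunk does not, so confirm opj_includes.h already provides it. The `// TODO event manager` line uses a C99 line comment where the surrounding code uses `/* */`.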
......@@ -10,9 +10,11 @@ Subject: [PATCH] Changes for issues #863 and #862
src/lib/openjp2/j2k.c | 11 ++++++---
4 files changed, 90 insertions(+), 11 deletions(-)
diff --git a/src/bin/jp2/convert.c b/src/bin/jp2/convert.c
index deee4f6..6a3f65b 100644
--- a/src/bin/jp2/convert.c
+++ b/src/bin/jp2/convert.c
@@ -906,7 +906,8 @@
@@ -906,7 +906,8 @@ int imagetotga(opj_image_t * image, const char *outfile) {
for (i = 0; i < image->numcomps-1; i++) {
if ((image->comps[0].dx != image->comps[i+1].dx)
||(image->comps[0].dy != image->comps[i+1].dy)
......@@ -22,7 +24,7 @@ Subject: [PATCH] Changes for issues #863 and #862
fclose(fdest);
fprintf(stderr, "Unable to create a tga file with such J2K image charateristics.");
return 1;
@@ -1743,7 +1744,7 @@
@@ -1743,7 +1744,7 @@ int imagetopnm(opj_image_t * image, const char *outfile, int force_split)
int *red, *green, *blue, *alpha;
int wr, hr, max;
int i;
......@@ -31,7 +33,7 @@ Subject: [PATCH] Changes for issues #863 and #862
int adjustR, adjustG, adjustB, adjustA;
int fails, two, want_gray, has_alpha, triple;
int prec, v;
@@ -1768,6 +1769,27 @@
@@ -1768,6 +1769,27 @@ int imagetopnm(opj_image_t * image, const char *outfile, int force_split)
if(want_gray) ncomp = 1;
......@@ -59,7 +61,7 @@ Subject: [PATCH] Changes for issues #863 and #862
if ((force_split == 0) &&
(ncomp == 2 /* GRAYA */
|| (ncomp > 2 /* RGB, RGBA */
@@ -2126,7 +2148,7 @@
@@ -2126,7 +2148,7 @@ static int imagetoraw_common(opj_image_t * image, const char *outfile, OPJ_BOOL
{
FILE *rawFile = NULL;
size_t res;
......@@ -68,7 +70,7 @@ Subject: [PATCH] Changes for issues #863 and #862
int w, h, fails;
int line, row, curr, mask;
int *ptr;
@@ -2139,6 +2161,31 @@
@@ -2139,6 +2161,31 @@ static int imagetoraw_common(opj_image_t * image, const char *outfile, OPJ_BOOL
return 1;
}
......@@ -100,7 +102,7 @@ Subject: [PATCH] Changes for issues #863 and #862
rawFile = fopen(outfile, "wb");
if (!rawFile) {
fprintf(stderr, "Failed to open %s for writing !!\n", outfile);
@@ -2146,9 +2193,9 @@
@@ -2146,9 +2193,9 @@ static int imagetoraw_common(opj_image_t * image, const char *outfile, OPJ_BOOL
}
fails = 1;
......@@ -112,7 +114,7 @@ Subject: [PATCH] Changes for issues #863 and #862
{
fprintf(stdout,"Component %u characteristics: %dx%dx%d %s\n", compno, image->comps[compno].w,
image->comps[compno].h, image->comps[compno].prec, image->comps[compno].sgnd==1 ? "signed": "unsigned");
@@ -2238,7 +2285,7 @@
@@ -2238,7 +2285,7 @@ static int imagetoraw_common(opj_image_t * image, const char *outfile, OPJ_BOOL
}
else if (image->comps[compno].prec <= 32)
{
......@@ -121,9 +123,11 @@ Subject: [PATCH] Changes for issues #863 and #862
goto fin;
}
else
diff --git a/src/bin/jp2/convertbmp.c b/src/bin/jp2/convertbmp.c
index ae83077..8017ba8 100644
--- a/src/bin/jp2/convertbmp.c
+++ b/src/bin/jp2/convertbmp.c
@@ -806,8 +806,35 @@
@@ -806,8 +806,35 @@ int imagetobmp(opj_image_t * image, const char *outfile) {
FILE *fdest = NULL;
int adjustR, adjustG, adjustB;
......@@ -160,9 +164,11 @@ Subject: [PATCH] Changes for issues #863 and #862
return 1;
}
if (image->numcomps >= 3 && image->comps[0].dx == image->comps[1].dx
diff --git a/src/bin/jp2/opj_decompress.c b/src/bin/jp2/opj_decompress.c
index 83160c3..c30079b 100644
--- a/src/bin/jp2/opj_decompress.c
+++ b/src/bin/jp2/opj_decompress.c
@@ -1573,7 +1573,7 @@
@@ -1607,7 +1607,7 @@ int main(int argc, char **argv)
if(dirptr->filename_buf) free(dirptr->filename_buf);
free(dirptr);
}
......@@ -171,9 +177,11 @@ Subject: [PATCH] Changes for issues #863 and #862
fprintf(stdout, "decode time: %d ms\n", (int)( (tCumulative * 1000.0) / (OPJ_FLOAT64)numDecompressedImages));
}
return failed ? EXIT_FAILURE : EXIT_SUCCESS;
diff --git a/src/lib/openjp2/j2k.c b/src/lib/openjp2/j2k.c
index 66802bb..b6daa32 100644
--- a/src/lib/openjp2/j2k.c
+++ b/src/lib/openjp2/j2k.c
@@ -2158,7 +2158,7 @@
@@ -2158,7 +2158,7 @@ static OPJ_BOOL opj_j2k_read_siz(opj_j2k_t *p_j2k,
i, l_img_comp->dx, l_img_comp->dy);
return OPJ_FALSE;
}
......@@ -182,7 +190,7 @@ Subject: [PATCH] Changes for issues #863 and #862
opj_event_msg(p_manager, EVT_ERROR,
"Invalid values for comp = %d : prec=%u (should be between 1 and 38 according to the JPEG2000 norm)\n",
i, l_img_comp->prec);
@@ -9975,7 +9975,11 @@
@@ -10029,7 +10029,11 @@ OPJ_BOOL opj_j2k_decode(opj_j2k_t * p_j2k,
/* Move data and copy one information from codec to output image*/
for (compno = 0; compno < p_image->numcomps; compno++) {
p_image->comps[compno].resno_decoded = p_j2k->m_output_image->comps[compno].resno_decoded;
......@@ -195,7 +203,7 @@ Subject: [PATCH] Changes for issues #863 and #862
#if 0
char fn[256];
sprintf( fn, "/tmp/%d.raw", compno );
@@ -9983,7 +9987,6 @@
@@ -10037,7 +10041,6 @@ OPJ_BOOL opj_j2k_decode(opj_j2k_t * p_j2k,
fwrite( p_image->comps[compno].data, sizeof(OPJ_INT32), p_image->comps[compno].w * p_image->comps[compno].h, debug );
fclose( debug );
#endif
......@@ -203,7 +211,7 @@ Subject: [PATCH] Changes for issues #863 and #862
}
return OPJ_TRUE;
@@ -10077,6 +10080,8 @@
@@ -10131,6 +10134,8 @@ OPJ_BOOL opj_j2k_get_tile( opj_j2k_t *p_j2k,
p_image->comps[compno].data = p_j2k->m_output_image->comps[compno].data;
Description: Mix of
4241ae6fbbf1de9658764a80944dc8108f2b4154
and
c535531f03369623b9b833ef41952c62257b507e (partial)
Author: Mathieu Malaterre <malat@debian.org>
--- a/src/lib/openjp2/j2k.c
+++ b/src/lib/openjp2/j2k.c
@@ -4309,6 +4309,12 @@
assert(p_manager != 00);
assert(p_stream != 00);
+ if (p_total_data_size < 4) {
+ opj_event_msg(p_manager, EVT_ERROR,
+ "Not enough bytes in output buffer to write SOD marker\n");
+ return OPJ_FALSE;
+ }
+
opj_write_bytes(p_data,J2K_MS_SOD,2); /* SOD */
p_data += 2;
@@ -6091,10 +6097,16 @@
/* Precincts */
parameters->csty |= 0x01;
- parameters->res_spec = parameters->numresolution-1;
- for (i = 0; i<parameters->res_spec; i++) {
- parameters->prcw_init[i] = 256;
- parameters->prch_init[i] = 256;
+ if (parameters->numresolution == 1) {
+ parameters->res_spec = 1;
+ parameters->prcw_init[0] = 128;
+ parameters->prch_init[0] = 128;
+ } else {
+ parameters->res_spec = parameters->numresolution - 1;
+ for (i = 0; i < parameters->res_spec; i++) {
+ parameters->prcw_init[i] = 256;
+ parameters->prch_init[i] = 256;
+ }
}
/* The progression order shall be CPRL */
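Review bot: The new `p_total_data_size < 4` guard is followed by a two-byte SOD write (`opj_write_bytes(p_data,J2K_MS_SOD,2)`), and whether the remaining writes of the enclosing function, which continues outside the hunk, are bounded by the same size is not visible; a comment explaining why the minimum is 4 rather than 2 (`/* 2 bytes for the SOD marker, plus 2 for ... */`) would make the bound checkable. The patch header `Description: Mix of 4241ae6... and c535531f... (partial)` does not say which hunk comes from which upstream commit or what was left out of the partial one; stating that per hunk would make the backport auditable. The precinct-default hunk reads clearly and needs no change.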
Description: jp3d/jpwl convert: fix write stack buffer overflow
Missing buffer length formatter in fscanf call might lead to write
stack buffer overflow. Add missing formatters.
Author: Hugo Lefeuvre <hle@debian.org>
Origin: https://github.com/hlef/openjpeg/commit/0bc90e4062a5f9258c91eca018c019b179066c62
Bug-Debian: https://bugs.debian.org/884738
--- a/src/bin/jp3d/convert.c
+++ b/src/bin/jp3d/convert.c
@@ -281,7 +281,7 @@
fprintf(stdout, "[INFO] Loading %s \n",pgxfiles[pos]);
fseek(f, 0, SEEK_SET);
- fscanf(f, "PG%[ \t]%c%c%[ \t+-]%d%[ \t]%d%[ \t]%d",temp,&endian1,&endian2,signtmp,&prec,temp,&w,temp,&h);
+ fscanf(f, "PG%31[ \t]%c%c%31[ \t+-]%d%31[ \t]%d%31[ \t]%d",temp,&endian1,&endian2,signtmp,&prec,temp,&w,temp,&h);
i=0;
sign='+';
--- a/src/bin/jpwl/convert.c
+++ b/src/bin/jpwl/convert.c
@@ -1296,7 +1296,7 @@
}
fseek(f, 0, SEEK_SET);
- if( fscanf(f, "PG%[ \t]%c%c%[ \t+-]%d%[ \t]%d%[ \t]%d",temp,&endian1,&endian2,signtmp,&prec,temp,&w,temp,&h) != 9){
+ if( fscanf(f, "PG%31[ \t]%c%c%31[ \t+-]%d%31[ \t]%d%31[ \t]%d",temp,&endian1,&endian2,signtmp,&prec,temp,&w,temp,&h) != 9){
fprintf(stderr, "ERROR: Failed to read the right number of element from the fscanf() function!\n");
return NULL;
}
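Review bot: In the jp3d hunk the `fscanf` return value is still ignored, unlike the jpwl hunk which checks `!= 9`, so a header that fails to match leaves `prec`, `w` and `h` unassigned and the code proceeds with whatever they held. Mirror the jpwl form: `if (fscanf(f, "PG%31[ \t]%c%c%31[ \t+-]%d%31[ \t]%d%31[ \t]%d", temp, &endian1, &endian2, signtmp, &prec, temp, &w, temp, &h) != 9) { fprintf(stderr, "ERROR: Failed to read the right number of element from the fscanf() function!\n"); return NULL; }`. The `%31[...]` widths assume `temp` and `signtmp` are at least 32 bytes; their declarations are outside the hunk, so once confirmed, a comment tying the width to the buffer size (`/* width 31: buffers are 32 bytes */`) would guard against a later resize.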
Subject: avoid divisions by zero / undefined behaviour on shift (CVE-2018-14423)
Author: Young_X <YangX92@hotmail.com>
Origin: https://github.com/uclouvain/openjpeg/commit/bd88611ed9ad7144ec4f3de54790cd848175891b
Bug: https://github.com/uclouvain/openjpeg/issues/1123
Bug-Debian: https://bugs.debian.org/904873
--- a/src/lib/openjp3d/pi.c 2018-12-22 12:11:03.000000000 +0100
+++ b/src/lib/openjp3d/pi.c 2018-12-22 12:11:36.000000000 +0100
@@ -215,6 +215,14 @@
rpx = res->pdx + levelnox;
rpy = res->pdy + levelnoy;
rpz = res->pdz + levelnoz;
+
+ /* To avoid divisions by zero / undefined behaviour on shift */
+ if (rpx >= 31 || ((comp->dx << rpx) >> rpx) != comp->dx ||
+ rpy >= 31 || ((comp->dy << rpy) >> rpy) != comp->dy ||
+ rpz >= 31 || ((comp->dz << rpz) >> rpz) != comp->dz) {
+ continue;
+ }
+
if ((!(pi->x % (comp->dx << rpx) == 0) || (pi->x == pi->tx0 && (trx0 << levelnox) % (1 << rpx)))) {
continue;
}
@@ -309,6 +317,14 @@
rpx = res->pdx + levelnox;
rpy = res->pdy + levelnoy;
rpz = res->pdz + levelnoz;
+
+ /* To avoid divisions by zero / undefined behaviour on shift */
+ if (rpx >= 31 || ((comp->dx << rpx) >> rpx) != comp->dx ||
+ rpy >= 31 || ((comp->dy << rpy) >> rpy) != comp->dy ||
+ rpz >= 31 || ((comp->dz << rpz) >> rpz) != comp->dz) {
+ continue;
+ }
+
if ((!(pi->x % (comp->dx << rpx) == 0) || (pi->x == pi->tx0 && (trx0 << levelnox) % (1 << rpx)))) {
continue;
}
@@ -400,6 +416,14 @@
rpx = res->pdx + levelnox;
rpy = res->pdy + levelnoy;
rpz = res->pdz + levelnoz;
+
+ /* To avoid divisions by zero / undefined behaviour on shift */
+ if (rpx >= 31 || ((comp->dx << rpx) >> rpx) != comp->dx ||
+ rpy >= 31 || ((comp->dy << rpy) >> rpy) != comp->dy ||
+ rpz >= 31 || ((comp->dz << rpz) >> rpz) != comp->dz) {
+ continue;
+ }
+
if ((!(pi->x % (comp->dx << rpx) == 0) || (pi->x == pi->tx0 && (trx0 << levelnox) % (1 << rpx)))) {
continue;
}
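Review bot: The probe `((comp->dx << rpx) >> rpx) != comp->dx` only detects overflow after the shift has already happened; if `comp->dx` is a signed int in the jp3d structures (the surrounding `pi->x % (comp->dx << rpx)` arithmetic uses no unsigned casts, which suggests it), a left shift that overflows is undefined behaviour before the comparison runs and the compiler may fold the test away. Perform the probe on an unsigned copy in all three hunks, e.g. `(((unsigned int)comp->dx << rpx) >> rpx) != (unsigned int)comp->dx`. The `rpx >= 31` bound also keeps the later `1 << rpx` in range, which is worth stating in the comment. The enclosing functions continue outside these hunks.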
Description: jp2: convert: fix null pointer dereference
Tile components in a JP2 image might have null data pointer by defining a
zero component size (for example using large horizontal or vertical
sampling periods). This null data pointer leads to null image component
data pointer, causing crash when dereferenced without != null check in
imagetopnm.
.
Add != null check.
Author: Hugo Lefeuvre <hle@debian.org>
Origin: https://github.com/uclouvain/openjpeg/commit/cab352e249ed3372dd9355c85e837613fff98fa2
Bug-Debian: https://bugs.debian.org/910763
--- a/src/bin/jp2/convert.c
+++ b/src/bin/jp2/convert.c
@@ -1982,6 +1982,11 @@
opj_version(), wr, hr, max);
red = image->comps[compno].data;
+ if (!red) {
+ fclose(fdest);
+ continue;
+ }
+
adjustR =
(image->comps[compno].sgnd ? 1 << (image->comps[compno].prec - 1) : 0);
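Review bot: The new `if (!red)` branch closes `fdest` and silently continues, leaving an output file that holds only the header written just above and giving the user no diagnostic. Emitting `fprintf(stderr, "Component %d has no data, skipping\n", compno);` before the `continue` would make the skipped component visible. Whether the enclosing loop reopens `fdest` for the next component is outside the hunk, so also confirm the closed handle is not used again. If an earlier, non-split path in imagetopnm reads `comps[].data` as well, it would need the same check; that code is not in this hunk.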
Description: convertbmp: integer overflow (CVE-2018-5785)
Author: Luciano Bello <luciano@debian.org>
Origin: https://github.com/uclouvain/openjpeg/pull/1148
Bug: https://github.com/uclouvain/openjpeg/issues/1057
Bug-Debian: https://bugs.debian.org/888533
--- a/src/bin/jp2/convertbmp.c
+++ b/src/bin/jp2/convertbmp.c
@@ -418,15 +418,30 @@
header->biRedMask |= (OPJ_UINT32)getc(IN) << 16;
header->biRedMask |= (OPJ_UINT32)getc(IN) << 24;
+ if (!header->biRedMask) {
+ fprintf(stderr, "Error, invalid red mask value %d\n", header->biRedMask);
+ return OPJ_FALSE;
+ }
+
header->biGreenMask = (OPJ_UINT32)getc(IN);
header->biGreenMask |= (OPJ_UINT32)getc(IN) << 8;
header->biGreenMask |= (OPJ_UINT32)getc(IN) << 16;
header->biGreenMask |= (OPJ_UINT32)getc(IN) << 24;
+ if (!header->biGreenMask) {
+ fprintf(stderr, "Error, invalid green mask value %d\n", header->biGreenMask);
+ return OPJ_FALSE;
+ }
+
header->biBlueMask = (OPJ_UINT32)getc(IN);
header->biBlueMask |= (OPJ_UINT32)getc(IN) << 8;
header->biBlueMask |= (OPJ_UINT32)getc(IN) << 16;
header->biBlueMask |= (OPJ_UINT32)getc(IN) << 24;
+
+ if (!header->biBlueMask) {
+ fprintf(stderr, "Error, invalid blue mask value %d\n", header->biBlueMask);
+ return OPJ_FALSE;
+ }
header->biAlphaMask = (OPJ_UINT32)getc(IN);
header->biAlphaMask |= (OPJ_UINT32)getc(IN) << 8;
@@ -785,6 +800,11 @@
bmpmask32toimage(pData, stride, image, 0x00FF0000U, 0x0000FF00U, 0x000000FFU, 0x00000000U);
}
else if (Info_h.biBitCount == 32 && Info_h.biCompression == 3) { /* bitmask */
+ if ((Info_h.biRedMask == 0U) && (Info_h.biGreenMask == 0U) && (Info_h.biBlueMask == 0U)) {
+ Info_h.biRedMask = 0x00FF0000U;
+ Info_h.biGreenMask = 0x0000FF00U;
+ Info_h.biBlueMask = 0x000000FFU;
+ }
bmpmask32toimage(pData, stride, image, Info_h.biRedMask, Info_h.biGreenMask, Info_h.biBlueMask, Info_h.biAlphaMask);
}
else if (Info_h.biBitCount == 16 && Info_h.biCompression == 0) { /* RGBX */
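Review bot: The three new error messages print an OPJ_UINT32 mask with `%d`; use `%u`, e.g. `fprintf(stderr, "Error, invalid red mask value %u\n", header->biRedMask);`, and the same for the green and blue messages. The mask rejection in the first hunk and the all-zero fallback in the second hunk appear to contradict each other: if the masks consulted in the `biBitCount == 32 && biCompression == 3` branch are the ones validated above, the fallback to 0x00FF0000U/0x0000FF00U/0x000000FFU can never trigger, and if they come from a different header path the new check does not protect that path. A comment at the fallback stating which header layout it serves would settle that. The header-reading function in the first hunk starts outside the hunk.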