Commit 987b3e04 authored by Mathieu Malaterre

Import Debian changes 2.1.2-1.1+deb9u1

openjpeg2 (2.1.2-1.1+deb9u1) stretch-security; urgency=medium

  * CVE-2016-9118: c22cbd8bdf8ff2ae372f94391a4be2d322b36b41.patch
  * CVE-2016-5152: 3fbe71369019df0b47c7a2be4fab8c05768f2f32.patch
  * CVE-2016-1628: 11445eddad7e7fa5b273d1c83c91011c44e5d586.patch
  * CVE-2016-10504: 397f62c0a838e15d667ef50e27d5d011d2c79c04.patch
parent 9dcc7a58
openjpeg2 (2.1.2-1.1+deb9u1) stretch-security; urgency=medium
* CVE-2016-9118: c22cbd8bdf8ff2ae372f94391a4be2d322b36b41.patch
* CVE-2016-5152: 3fbe71369019df0b47c7a2be4fab8c05768f2f32.patch
* CVE-2016-1628: 11445eddad7e7fa5b273d1c83c91011c44e5d586.patch
* CVE-2016-10504: 397f62c0a838e15d667ef50e27d5d011d2c79c04.patch
-- Mathieu Malaterre <malat@debian.org> Mon, 16 Oct 2017 07:27:49 +0200
openjpeg2 (2.1.2-1.1) unstable; urgency=medium
* Non-maintainer upload.
From 11445eddad7e7fa5b273d1c83c91011c44e5d586 Mon Sep 17 00:00:00 2001
From: Even Rouault <even.rouault@spatialys.com>
Date: Sat, 29 Jul 2017 19:03:13 +0200
Subject: [PATCH] opj_pi_update_decode_poc(): limit layno1 to the number of
layers (CVE-2016-1626 and CVE-2016-1628, #850)
This has been recently fixed in a less elegant way per
80818c39f5bfbac37768fcee95b0ffeceaa77264
---
src/lib/openjp2/pi.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/src/lib/openjp2/pi.c
+++ b/src/lib/openjp2/pi.c
@@ -1019,7 +1019,8 @@
l_current_pi->poc.precno0 = 0;
l_current_pi->poc.resno1 = l_current_poc->resno1; /* Resolution Level Index #0 (End) */
l_current_pi->poc.compno1 = l_current_poc->compno1; /* Component Index #0 (End) */
- l_current_pi->poc.layno1 = l_current_poc->layno1; /* Layer Index #0 (End) */
+ l_current_pi->poc.layno1 = opj_uint_min(l_current_poc->layno1,
+ p_tcp->numlayers); /* Layer Index #0 (End) */
l_current_pi->poc.precno1 = p_max_precision;
++l_current_pi;
++l_current_poc;
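Review bot: The clamp is applied only to layno1, while the neighbouring `resno1` and `compno1` copies two lines above it are still taken from the POC marker unclamped; if opj_j2k_read_poc() does not already bound those against the tile's resolution count and image component count (not visible here), the same iterator overrun this fixes for layers remains possible for resolutions and components, so either clamp them here in the same way or note at this spot where they are validated. The trailing comment should also say why the clamp exists so nobody "simplifies" it back, e.g. `/* Layer Index #0 (End): clamp to numlayers so a POC marker cannot drive the iterator past the tile's layers (CVE-2016-1628) */`. The enclosing function opj_pi_update_decode_poc() starts and ends outside the hunk.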
From 397f62c0a838e15d667ef50e27d5d011d2c79c04 Mon Sep 17 00:00:00 2001
From: Even Rouault <even.rouault@spatialys.com>
Date: Sat, 29 Jul 2017 19:13:49 +0200
Subject: [PATCH] Fix write heap buffer overflow in opj_mqc_byteout().
Discovered by Ke Liu of Tencent's Xuanwu LAB (#835)
---
src/lib/openjp2/tcd.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
--- a/src/lib/openjp2/tcd.c
+++ b/src/lib/openjp2/tcd.c
@@ -1088,7 +1088,9 @@
{
OPJ_UINT32 l_data_size;
- l_data_size = (OPJ_UINT32)((p_code_block->x1 - p_code_block->x0) * (p_code_block->y1 - p_code_block->y0) * (OPJ_INT32)sizeof(OPJ_UINT32));
+ /* The +1 is needed for https://github.com/uclouvain/openjpeg/issues/835 */
+ l_data_size = 1 + (OPJ_UINT32)((p_code_block->x1 - p_code_block->x0) *
+ (p_code_block->y1 - p_code_block->y0) * (OPJ_INT32)sizeof(OPJ_UINT32));
if (l_data_size > p_code_block->data_size) {
if (p_code_block->data) {
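Review bot: The new `/* The +1 is needed for ... */` comment names only an issue URL, so a maintainer trimming this allocation later cannot tell what invariant the extra byte protects; state it, e.g. `/* +1: opj_mqc_byteout() can emit one byte beyond the nominal code-block data size (issue #835) */`, after confirming the exact mechanism against opj_mqc_byteout(), since I am inferring it from the commit subject. Note also that the sample count is still multiplied in OPJ_INT32 before the cast to OPJ_UINT32; code-block dimensions are bounded by the standard, so this is unlikely to overflow in practice, but the hunk does not guard it. The enclosing function starts and ends outside the hunk.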
From 3fbe71369019df0b47c7a2be4fab8c05768f2f32 Mon Sep 17 00:00:00 2001
From: Even Rouault <even.rouault@spatialys.com>
Date: Sat, 29 Jul 2017 18:38:16 +0200
Subject: [PATCH] opj_tcd_get_decoded_tile_size(): fix potential UINT32
overflow (#854, CVE-2016-5152)
Fix derived from https://pdfium.googlesource.com/pdfium.git/+/d8cc503575463ff3d81b22dad292665f2c88911e/third_party/libopenjpeg20/0018-tcd_get_decoded_tile_size.patch
---
src/lib/openjp2/j2k.c | 3 +++
src/lib/openjp2/tcd.c | 16 +++++++++++++---
2 files changed, 16 insertions(+), 3 deletions(-)
--- a/src/lib/openjp2/j2k.c
+++ b/src/lib/openjp2/j2k.c
@@ -41,6 +41,7 @@
*/
#include "opj_includes.h"
+#include <limits.h> /* UINT_MAX */
/** @defgroup J2K J2K - JPEG-2000 codestream reader/writer */
/*@{*/
@@ -8097,6 +8098,9 @@
*p_tile_index = p_j2k->m_current_tile_number;
*p_go_on = OPJ_TRUE;
*p_data_size = opj_tcd_get_decoded_tile_size(p_j2k->m_tcd);
+ if (*p_data_size == UINT_MAX) {
+ return OPJ_FALSE;
+ }
*p_tile_x0 = p_j2k->m_tcd->tcd_image->tiles->x0;
*p_tile_y0 = p_j2k->m_tcd->tcd_image->tiles->y0;
*p_tile_x1 = p_j2k->m_tcd->tcd_image->tiles->x1;
--- a/src/lib/openjp2/tcd.c
+++ b/src/lib/openjp2/tcd.c
@@ -39,6 +39,7 @@
*/
#include "opj_includes.h"
+#include <limits.h> /* UINT_MAX */
/* ----------------------------------------------------------------------- */
@@ -1154,6 +1155,7 @@
opj_tcd_tilecomp_t * l_tile_comp = 00;
opj_tcd_resolution_t * l_res = 00;
OPJ_UINT32 l_size_comp, l_remaining;
+ OPJ_UINT32 l_temp;
l_tile_comp = p_tcd->tcd_image->tiles->comps;
l_img_comp = p_tcd->image->comps;
@@ -1171,7 +1173,17 @@
}
l_res = l_tile_comp->resolutions + l_tile_comp->minimum_num_resolutions - 1;
- l_data_size += l_size_comp * (OPJ_UINT32)((l_res->x1 - l_res->x0) * (l_res->y1 - l_res->y0));
+ l_temp = (OPJ_UINT32)((l_res->x1 - l_res->x0) * (l_res->y1 -
+ l_res->y0)); /* x1*y1 can't overflow */
+ if (l_size_comp && UINT_MAX / l_size_comp < l_temp) {
+ return UINT_MAX;
+ }
+ l_temp *= l_size_comp;
+
+ if (l_temp > UINT_MAX - l_data_size) {
+ return UINT_MAX;
+ }
+ l_data_size += l_temp;
++l_img_comp;
++l_tile_comp;
}
@@ -1366,7 +1378,7 @@
OPJ_UINT32 l_stride, l_width,l_height;
l_data_size = opj_tcd_get_decoded_tile_size(p_tcd);
- if (l_data_size > p_dest_length) {
+ if (l_data_size == UINT_MAX || l_data_size > p_dest_length) {
return OPJ_FALSE;
}
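Review bot: The new `/* x1*y1 can't overflow */` comment in the opj_tcd_get_decoded_tile_size() hunk asserts a bound the hunk does not enforce: `(l_res->x1 - l_res->x0) * (l_res->y1 - l_res->y0)` is still evaluated in OPJ_INT32 before the cast, so a large tile resolution is signed overflow (UB) and the following `UINT_MAX / l_size_comp < l_temp` check would be testing an already-wrapped value; unless SIZ/tile parsing elsewhere bounds the resolution extents (not visible here), do the width-by-height product in unsigned with its own check, as below. Separately, the j2k.c hunk returns OPJ_FALSE on `*p_data_size == UINT_MAX` without any `opj_event_msg(p_manager, EVT_ERROR, ...)`, so the caller sees a silent failure after `*p_go_on` has already been set to OPJ_TRUE; the opj_j2k_read_siz hunk later on this page shows the file's usual pattern of reporting before returning, and p_manager is presumably a parameter here too. Both enclosing functions start and end outside their hunks.
```c
OPJ_UINT32 l_w, l_h;
/* … unchanged: component / resolution lookup … */
l_w = (OPJ_UINT32)(l_res->x1 - l_res->x0);
l_h = (OPJ_UINT32)(l_res->y1 - l_res->y0);
if (l_h != 0 && l_w > UINT_MAX / l_h) {
    return UINT_MAX;
}
l_temp = l_w * l_h;
/* … unchanged: l_size_comp multiply and accumulation checks … */
```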
......@@ -10,11 +10,9 @@ Subject: [PATCH] Changes for issues #863 and #862
src/lib/openjp2/j2k.c | 11 ++++++---
4 files changed, 90 insertions(+), 11 deletions(-)
diff --git a/src/bin/jp2/convert.c b/src/bin/jp2/convert.c
index deee4f6..6a3f65b 100644
--- a/src/bin/jp2/convert.c
+++ b/src/bin/jp2/convert.c
@@ -906,7 +906,8 @@ int imagetotga(opj_image_t * image, const char *outfile) {
@@ -906,7 +906,8 @@
for (i = 0; i < image->numcomps-1; i++) {
if ((image->comps[0].dx != image->comps[i+1].dx)
||(image->comps[0].dy != image->comps[i+1].dy)
......@@ -24,7 +22,7 @@ index deee4f6..6a3f65b 100644
fclose(fdest);
fprintf(stderr, "Unable to create a tga file with such J2K image charateristics.");
return 1;
@@ -1743,7 +1744,7 @@ int imagetopnm(opj_image_t * image, const char *outfile, int force_split)
@@ -1743,7 +1744,7 @@
int *red, *green, *blue, *alpha;
int wr, hr, max;
int i;
......@@ -33,7 +31,7 @@ index deee4f6..6a3f65b 100644
int adjustR, adjustG, adjustB, adjustA;
int fails, two, want_gray, has_alpha, triple;
int prec, v;
@@ -1768,6 +1769,27 @@ int imagetopnm(opj_image_t * image, const char *outfile, int force_split)
@@ -1768,6 +1769,27 @@
if(want_gray) ncomp = 1;
......@@ -61,7 +59,7 @@ index deee4f6..6a3f65b 100644
if ((force_split == 0) &&
(ncomp == 2 /* GRAYA */
|| (ncomp > 2 /* RGB, RGBA */
@@ -2126,7 +2148,7 @@ static int imagetoraw_common(opj_image_t * image, const char *outfile, OPJ_BOOL
@@ -2126,7 +2148,7 @@
{
FILE *rawFile = NULL;
size_t res;
......@@ -70,7 +68,7 @@ index deee4f6..6a3f65b 100644
int w, h, fails;
int line, row, curr, mask;
int *ptr;
@@ -2139,6 +2161,31 @@ static int imagetoraw_common(opj_image_t * image, const char *outfile, OPJ_BOOL
@@ -2139,6 +2161,31 @@
return 1;
}
......@@ -102,7 +100,7 @@ index deee4f6..6a3f65b 100644
rawFile = fopen(outfile, "wb");
if (!rawFile) {
fprintf(stderr, "Failed to open %s for writing !!\n", outfile);
@@ -2146,9 +2193,9 @@ static int imagetoraw_common(opj_image_t * image, const char *outfile, OPJ_BOOL
@@ -2146,9 +2193,9 @@
}
fails = 1;
......@@ -114,7 +112,7 @@ index deee4f6..6a3f65b 100644
{
fprintf(stdout,"Component %u characteristics: %dx%dx%d %s\n", compno, image->comps[compno].w,
image->comps[compno].h, image->comps[compno].prec, image->comps[compno].sgnd==1 ? "signed": "unsigned");
@@ -2238,7 +2285,7 @@ static int imagetoraw_common(opj_image_t * image, const char *outfile, OPJ_BOOL
@@ -2238,7 +2285,7 @@
}
else if (image->comps[compno].prec <= 32)
{
......@@ -123,11 +121,9 @@ index deee4f6..6a3f65b 100644
goto fin;
}
else
diff --git a/src/bin/jp2/convertbmp.c b/src/bin/jp2/convertbmp.c
index ae83077..8017ba8 100644
--- a/src/bin/jp2/convertbmp.c
+++ b/src/bin/jp2/convertbmp.c
@@ -806,8 +806,35 @@ int imagetobmp(opj_image_t * image, const char *outfile) {
@@ -806,8 +806,35 @@
FILE *fdest = NULL;
int adjustR, adjustG, adjustB;
......@@ -164,11 +160,9 @@ index ae83077..8017ba8 100644
return 1;
}
if (image->numcomps >= 3 && image->comps[0].dx == image->comps[1].dx
diff --git a/src/bin/jp2/opj_decompress.c b/src/bin/jp2/opj_decompress.c
index 83160c3..c30079b 100644
--- a/src/bin/jp2/opj_decompress.c
+++ b/src/bin/jp2/opj_decompress.c
@@ -1607,7 +1607,7 @@ int main(int argc, char **argv)
@@ -1573,7 +1573,7 @@
if(dirptr->filename_buf) free(dirptr->filename_buf);
free(dirptr);
}
......@@ -177,11 +171,9 @@ index 83160c3..c30079b 100644
fprintf(stdout, "decode time: %d ms\n", (int)( (tCumulative * 1000.0) / (OPJ_FLOAT64)numDecompressedImages));
}
return failed ? EXIT_FAILURE : EXIT_SUCCESS;
diff --git a/src/lib/openjp2/j2k.c b/src/lib/openjp2/j2k.c
index 66802bb..b6daa32 100644
--- a/src/lib/openjp2/j2k.c
+++ b/src/lib/openjp2/j2k.c
@@ -2158,7 +2158,7 @@ static OPJ_BOOL opj_j2k_read_siz(opj_j2k_t *p_j2k,
@@ -2158,7 +2158,7 @@
i, l_img_comp->dx, l_img_comp->dy);
return OPJ_FALSE;
}
......@@ -190,7 +182,7 @@ index 66802bb..b6daa32 100644
opj_event_msg(p_manager, EVT_ERROR,
"Invalid values for comp = %d : prec=%u (should be between 1 and 38 according to the JPEG2000 norm)\n",
i, l_img_comp->prec);
@@ -10029,7 +10029,11 @@ OPJ_BOOL opj_j2k_decode(opj_j2k_t * p_j2k,
@@ -9975,7 +9975,11 @@
/* Move data and copy one information from codec to output image*/
for (compno = 0; compno < p_image->numcomps; compno++) {
p_image->comps[compno].resno_decoded = p_j2k->m_output_image->comps[compno].resno_decoded;
......@@ -203,7 +195,7 @@ index 66802bb..b6daa32 100644
#if 0
char fn[256];
sprintf( fn, "/tmp/%d.raw", compno );
@@ -10037,7 +10041,6 @@ OPJ_BOOL opj_j2k_decode(opj_j2k_t * p_j2k,
@@ -9983,7 +9987,6 @@
fwrite( p_image->comps[compno].data, sizeof(OPJ_INT32), p_image->comps[compno].w * p_image->comps[compno].h, debug );
fclose( debug );
#endif
......@@ -211,7 +203,7 @@ index 66802bb..b6daa32 100644
}
return OPJ_TRUE;
@@ -10131,6 +10134,8 @@ OPJ_BOOL opj_j2k_get_tile( opj_j2k_t *p_j2k,
@@ -10077,6 +10080,8 @@
p_image->comps[compno].data = p_j2k->m_output_image->comps[compno].data;
From c22cbd8bdf8ff2ae372f94391a4be2d322b36b41 Mon Sep 17 00:00:00 2001
From: Even Rouault <even.rouault@spatialys.com>
Date: Sun, 30 Jul 2017 18:43:25 +0200
Subject: [PATCH] Avoid heap buffer overflow in function pnmtoimage of
convert.c, and unsigned integer overflow in opj_image_create()
(CVE-2016-9118, #861)
---
src/bin/jp2/convert.c | 10 ++++++++++
src/lib/openjp2/image.c | 8 +++++++-
2 files changed, 17 insertions(+), 1 deletion(-)
diff --git a/src/bin/jp2/convert.c b/src/bin/jp2/convert.c
index b3eb85816..492911c90 100644
--- a/src/bin/jp2/convert.c
+++ b/src/bin/jp2/convert.c
@@ -41,6 +41,7 @@
#include <stdlib.h>
#include <string.h>
#include <ctype.h>
+#include <limits.h>
#include "openjpeg.h"
#include "convert.h"
@@ -1573,6 +1574,15 @@
if(!header_info.ok) { fclose(fp); return NULL; }
+ /* This limitation could be removed by making sure to use size_t below */
+ if (header_info.height != 0 &&
+ header_info.width > INT_MAX / header_info.height) {
+ fprintf(stderr, "pnmtoimage:Image %dx%d too big!\n",
+ header_info.width, header_info.height);
+ fclose(fp);
+ return NULL;
+ }
+
format = header_info.format;
switch(format)
diff --git a/src/lib/openjp2/image.c b/src/lib/openjp2/image.c
index e62b416ca..d00a23701 100644
--- a/src/lib/openjp2/image.c
+++ b/src/lib/openjp2/image.c
@@ -64,7 +64,13 @@
comp->prec = cmptparms[compno].prec;
comp->bpp = cmptparms[compno].bpp;
comp->sgnd = cmptparms[compno].sgnd;
- comp->data = (OPJ_INT32*) opj_calloc(comp->w * comp->h, sizeof(OPJ_INT32));
+ if (comp->h != 0 && (OPJ_SIZE_T)comp->w > SIZE_MAX / comp->h) {
+ // TODO event manager
+ opj_image_destroy(image);
+ return NULL;
+ }
+ comp->data = (OPJ_INT32*) opj_calloc((OPJ_SIZE_T)comp->w * comp->h,
+ sizeof(OPJ_INT32));
if(!comp->data) {
/* TODO replace with event manager, breaks API */
/* fprintf(stderr,"Unable to allocate memory for image.\n"); */
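Review bot: The overflow guard added in opj_image_create() bounds `comp->w * comp->h` by SIZE_MAX, but the allocation is `opj_calloc(w*h, sizeof(OPJ_INT32))`, so the element count may pass the guard while the byte count is four times larger; if opj_calloc() forms `num * size` itself rather than delegating to calloc() (not visible here) the product still wraps, so make the bound `SIZE_MAX / sizeof(OPJ_INT32) / comp->h` and the guard holds either way. Also, `// TODO event manager` is a `//` comment in a file that otherwise uses `/* */` (see the two lines right below it), and SIZE_MAX needs `<stdint.h>`, which this hunk does not add; confirm opj_includes.h pulls it in. In the convert.c hunk, `header_info.width > INT_MAX / header_info.height` is printed with `%d`, so if those fields are signed a negative width or height passes the guard; whether the PNM header parser already rejects negatives is not visible here. Both enclosing functions start and end outside their hunks.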
multiarch_path.patch
CVE-2016-9572_CVE-2016-9573.patch
c22cbd8bdf8ff2ae372f94391a4be2d322b36b41.patch
3fbe71369019df0b47c7a2be4fab8c05768f2f32.patch
11445eddad7e7fa5b273d1c83c91011c44e5d586.patch
397f62c0a838e15d667ef50e27d5d011d2c79c04.patch