Commit a62fba09 authored by Jean-Michel Vourgère's avatar Jean-Michel Vourgère Committed by Mathieu Malaterre

Import Debian changes 2.1.0-2.1

openjpeg2 (2.1.0-2.1) unstable; urgency=high

  * Non-maintainer upload.
  * Apache 2.4 transition: (Closes: #786333)
    + d/rules: Added --with apache2.
    + Drop d/libopenjpip-server.install.
    + Drop d/libopenjpip-server.prerm.
    + d/control: Add build-depends on dh-apache2, replace depends on
      apache2.2-bin by ${misc:Recommends}, add recommends on
      libapache2-mod-fastcgi.
    + New d/libopenjpip-server.conf for apache2 fastcgi setup.
    + Drop d/libopenjpip-server.load.
    + New d/libopenjpip-server.apache2 to set up the configuration.
parent 80411a8a
openjpeg2 (2.1.0-2+deb8u6) jessie-security; urgency=high
* Non-maintainer upload by the LTS Team.
* CVE-2018-14423: Division-by-zero vulnerabilities in the functions
pi_next_pcrl, pi_next_cprl, and pi_next_rpcl (closes: #904873).
* CVE-2018-6616: Excessive Iteration in opj_t1_encode_cblks
(closes: #889683).
-- Hugo Lefeuvre <hle@debian.org> Sat, 22 Dec 2018 11:50:11 +0100
openjpeg2 (2.1.0-2+deb8u5) jessie-security; urgency=high
* Non-maintainer upload by the LTS Team.
* CVE-2017-17480: write stack buffer overflow due to missing buffer
length formatter in fscanf call.
* CVE-2018-18088: null pointer dereference caused by null image
components in imagetopnm.
-- Hugo Lefeuvre <hle@debian.org> Mon, 19 Nov 2018 17:23:30 +0100
openjpeg2 (2.1.0-2+deb8u4) jessie-security; urgency=high
* Non-maintainer upload by the LTS Team.
* CVE-2015-1239
Fix for denial of service (process crash) via a crafted PDF.
* CVE-2016-5139
Fix for integer overflows, allowing a denial of service
(heap-based buffer overflow) or possibly have unspecified
other impact via crafted JPEG 2000 data.
-- Thorsten Alteholz <debian@alteholz.de> Thu, 19 Jul 2018 19:03:02 +0200
openjpeg2 (2.1.0-2+deb8u3) jessie-security; urgency=medium
* CVE-2016-9118: c22cbd8bdf8ff2ae372f94391a4be2d322b36b41.patch
* CVE-2016-5152: 3fbe71369019df0b47c7a2be4fab8c05768f2f32.patch
* CVE-2016-1628: 11445eddad7e7fa5b273d1c83c91011c44e5d586.patch
* CVE-2016-10504: not needed
* CVE-2017-14039: CVE-2017-14039.patch
* CVE-2017-14040: 2cd30c2b06ce332dede81cccad8b334cde997281.patch
* CVE-2017-14041: e5285319229a5d77bf316bb0d3a6cbd3cb8666d9.patch
* CVE-2017-14151: not needed
* CVE-2017-14152: dcac91b8c72f743bda7dbfa9032356bc8110098a.patch
* CVE-2016-5157: CVE-2016-5157.patch
-- Mathieu Malaterre <malat@debian.org> Mon, 23 Oct 2017 20:43:14 +0200
openjpeg2 (2.1.0-2+deb8u2) jessie-security; urgency=medium
* CVE-2016-5159 CVE-2016-8332 CVE-2016-9572 CVE-2016-9573
-- Moritz Muehlenhoff <jmm@debian.org> Sat, 14 Jan 2017 18:50:54 +0100
openjpeg2 (2.1.0-2+deb8u1) jessie-security; urgency=medium
* CVE-2015-6581 CVE-2015-8871 CVE-2016-1924 CVE-2016-7163
-- Moritz Mühlenhoff <jmm@debian.org> Fri, 09 Sep 2016 20:14:50 +0200
openjpeg2 (2.1.0-2.1) unstable; urgency=high
* Non-maintainer upload.
* Apache 2.4 transition: (Closes: #786333)
+ d/rules: Added --with apache2.
+ Drop d/libopenjpip-server.install.
+ Drop d/libopenjpip-server.prerm.
+ d/control: Add build-depends on dh-apache2, replace depends on
apache2.2-bin by ${misc:Recommends}, add recommends on
libapache2-mod-fastcgi.
+ New d/libopenjpip-server.conf for apache2 fastcgi setup.
+ Drop d/libopenjpip-server.load.
+ New d/libopenjpip-server.apache2 to set up the configuration.
-- Jean-Michel Vourgère <nirgal@debian.org> Thu, 21 May 2015 23:05:40 +0200
openjpeg2 (2.1.0-2) unstable; urgency=low
......@@ -6,6 +6,7 @@ Homepage: http://www.openjpeg.org
Build-Depends: cmake (>= 2.8.2),
debhelper (>= 9),
default-jdk,
dh-apache2,
help2man,
javahelper (>= 0.37~),
libcurl4-gnutls-dev | libcurl-ssl-dev,
......@@ -118,11 +119,11 @@ Package: libopenjpip-server
Section: graphics
Architecture: any
Multi-Arch: foreign
Depends: apache2.2-bin,
libwww-perl,
Depends: libwww-perl,
spawn-fcgi (>= 1.6.1),
${misc:Depends},
${shlibs:Depends}
Recommends: ${misc:Recommends}, libapache2-mod-fastcgi
Conflicts: openjpip-server
Description: JPIP server for JPEG 2000 files
OpenJPIP software is an implementation of JPEG 2000 Part9: Interactivity tools,
conf debian/libopenjpip-server.conf
# This is the config file for openjpip-server
<IfModule mod_fastcgi.c>
FastCGIExternalServer /var/www/html/openjpip -host 127.0.0.1:3000
</IfModule>
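Review bot: The new conf maps `/var/www/html/openjpip` to a FastCGI backend at `127.0.0.1:3000` but nothing in the file starts that backend or restricts who may reach the mapped path, so once mod_fastcgi is loaded every client that can reach the vhost can issue JPIP requests to it. Presumably spawn-fcgi (a Depends in the control hunk) is expected to launch the JPIP server on that port, but that contract is not visible here and a reader of this file alone cannot tell. Suggest a comment stating it, e.g. `# Backend is not started by Apache: the JPIP server must be launched separately (spawn-fcgi) and bound to 127.0.0.1:3000`, and, if the endpoint is not meant to be public, a `<Location /openjpip>` block with a `Require` directive.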
#debian/openjpip.conf /etc/apache2/mods-available
#debian/openjpip.load /etc/apache2/mods-available
#!/bin/bash
set -e
#DEBHELPER#
if [ "$1" != "remove" -a "$1" != "purge" ]; then
exit 0
fi
if [ -e /etc/apache2/apache2.conf ]; then
a2dismod openjpip || true
fi
exit 0
.\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.4.
.TH OPJ_JP3D_COMPRESS "1" "October 2017" "opj_jp3d_compress 2.1.0" "User Commands"
.\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.46.4.
.TH OPJ_JP3D_COMPRESS "1" "May 2015" "opj_jp3d_compress 2.1.0" "User Commands"
.SH NAME
opj_jp3d_compress \- Works with JPEG2000 files
.SH DESCRIPTION
.\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.4.
.TH OPJ_JP3D_DECOMPRESS "1" "October 2017" "opj_jp3d_decompress 2.1.0" "User Commands"
.\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.46.4.
.TH OPJ_JP3D_DECOMPRESS "1" "May 2015" "opj_jp3d_decompress 2.1.0" "User Commands"
.SH NAME
opj_jp3d_decompress \- Works with JPEG2000 files
.SH DESCRIPTION
.\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.4.
.TH OPJ_JPIP_ADDXML "1" "October 2017" "opj_jpip_addxml 2.1.0" "User Commands"
.\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.46.4.
.TH OPJ_JPIP_ADDXML "1" "May 2015" "opj_jpip_addxml 2.1.0" "User Commands"
.SH NAME
opj_jpip_addxml \- Works with JPEG2000 files
.SH DESCRIPTION
.\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.4.
.TH OPJ_JPIP_TEST "1" "October 2017" "opj_jpip_test 2.1.0" "User Commands"
.\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.46.4.
.TH OPJ_JPIP_TEST "1" "May 2015" "opj_jpip_test 2.1.0" "User Commands"
.SH NAME
opj_jpip_test \- Works with JPEG2000 files
.SH DESCRIPTION
.\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.4.
.TH OPJ_JPIP_TRANSCODE "1" "October 2017" "opj_jpip_transcode 2.1.0" "User Commands"
.\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.46.4.
.TH OPJ_JPIP_TRANSCODE "1" "May 2015" "opj_jpip_transcode 2.1.0" "User Commands"
.SH NAME
opj_jpip_transcode \- Works with JPEG2000 files
.SH DESCRIPTION
From 11445eddad7e7fa5b273d1c83c91011c44e5d586 Mon Sep 17 00:00:00 2001
From: Even Rouault <even.rouault@spatialys.com>
Date: Sat, 29 Jul 2017 19:03:13 +0200
Subject: [PATCH] opj_pi_update_decode_poc(): limit layno1 to the number of
layers (CVE-2016-1626 and CVE-2016-1628, #850)
This has been recently fixed in a less elegant way per
80818c39f5bfbac37768fcee95b0ffeceaa77264
---
src/lib/openjp2/pi.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/src/lib/openjp2/pi.c
+++ b/src/lib/openjp2/pi.c
@@ -1019,7 +1019,8 @@
l_current_pi->poc.precno0 = 0;
l_current_pi->poc.resno1 = l_current_poc->resno1; /* Resolution Level Index #0 (End) */
l_current_pi->poc.compno1 = l_current_poc->compno1; /* Component Index #0 (End) */
- l_current_pi->poc.layno1 = l_current_poc->layno1; /* Layer Index #0 (End) */
+ l_current_pi->poc.layno1 = opj_uint_min(l_current_poc->layno1,
+ p_tcp->numlayers); /* Layer Index #0 (End) */
l_current_pi->poc.precno1 = p_max_precision;
++l_current_pi;
++l_current_poc;
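Review bot: The clamp `opj_uint_min(l_current_poc->layno1, p_tcp->numlayers)` carries no explanation of why `layno1` alone needs bounding while the neighbouring `resno1` and `compno1` are copied unchanged, so a later tidy-up could "simplify" it back to the vulnerable form. Suggest a why-comment on the line above it: `/* layno1 comes from the POC marker; clamp it to the COD layer count so per-layer indexing stays in bounds (CVE-2016-1626/1628, #850) */`. Whether `resno1`/`compno1` are validated elsewhere is not visible in the hunk. The enclosing function starts and ends outside the hunk.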
From 2cd30c2b06ce332dede81cccad8b334cde997281 Mon Sep 17 00:00:00 2001
From: Even Rouault <even.rouault@spatialys.com>
Date: Thu, 17 Aug 2017 11:47:40 +0200
Subject: [PATCH] tgatoimage(): avoid excessive memory allocation attempt, and
fixes unaligned load (#995)
---
src/bin/jp2/convert.c | 39 +++++++++++++++++++++++++++------------
1 file changed, 27 insertions(+), 12 deletions(-)
--- a/src/bin/jp2/convert.c
+++ b/src/bin/jp2/convert.c
@@ -99,14 +99,10 @@
};
#endif /* INFORMATION_ONLY */
-static unsigned short get_ushort(unsigned short val) {
-
-#ifdef OPJ_BIG_ENDIAN
- return( ((val & 0xff) << 8) + (val >> 8) );
-#else
- return( val );
-#endif
-
+/* Returns a ushort from a little-endian serialized value */
+static unsigned short get_tga_ushort(const unsigned char *data)
+{
+ return data[0] | (data[1] << 8);
}
#define TGA_HEADER_SIZE 18
@@ -133,17 +129,17 @@
id_len = (unsigned char)tga[0];
/*cmap_type = (unsigned char)tga[1];*/
image_type = (unsigned char)tga[2];
- /*cmap_index = get_ushort(*(unsigned short*)(&tga[3]));*/
- cmap_len = get_ushort(*(unsigned short*)(&tga[5]));
+ /*cmap_index = get_tga_ushort(*(unsigned short*)(&tga[3]));*/
+ cmap_len = get_tga_ushort(*(unsigned short*)(&tga[5]));
cmap_entry_size = (unsigned char)tga[7];
#if 0
- x_origin = get_ushort(*(unsigned short*)(&tga[8]));
- y_origin = get_ushort(*(unsigned short*)(&tga[10]));
+ x_origin = get_tga_ushort(*(unsigned short*)(&tga[8]));
+ y_origin = get_tga_ushort(*(unsigned short*)(&tga[10]));
#endif
- image_w = get_ushort(*(unsigned short*)(&tga[12]));
- image_h = get_ushort(*(unsigned short*)(&tga[14]));
+ image_w = get_tga_ushort(*(unsigned short*)(&tga[12]));
+ image_h = get_tga_ushort(*(unsigned short*)(&tga[14]));
pixel_depth = (unsigned char)tga[16];
image_desc = (unsigned char)tga[17];
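Review bot: Every caller still passes `*(unsigned short*)(&tga[N])` to `get_tga_ushort`, whose new parameter is `const unsigned char *data`, so a 16-bit header value is implicitly converted to a pointer and then dereferenced inside the helper — a constraint violation compilers at best warn about, and at run time an almost certain crash or garbage header fields for every TGA input. It also keeps the unaligned 16-bit load that the patch title says it removes. The calls should pass the address instead: `cmap_len = get_tga_ushort(&tga[5]);`, `image_w = get_tga_ushort(&tga[12]);`, `image_h = get_tga_ushort(&tga[14]);` (and likewise for the `#if 0` x/y_origin lines and the commented-out cmap_index). The enclosing function starts and ends outside the hunk.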
@@ -302,6 +298,24 @@
color_space = OPJ_CLRSPC_SRGB;
}
+ /* If the declared file size is > 10 MB, check that the file is big */
+ /* enough to avoid excessive memory allocations */
+ if (image_height != 0 && image_width > 10000000 / image_height / numcomps) {
+ char ch;
+ OPJ_UINT64 expected_file_size =
+ (OPJ_UINT64)image_width * image_height * numcomps;
+ long curpos = ftell(f);
+ if (expected_file_size > (OPJ_UINT64)INT_MAX) {
+ expected_file_size = (OPJ_UINT64)INT_MAX;
+ }
+ fseek(f, (long)expected_file_size - 1, SEEK_SET);
+ if (fread(&ch, 1, 1, f) != 1) {
+ fclose(f);
+ return NULL;
+ }
+ fseek(f, curpos, SEEK_SET);
+ }
+
subsampling_dx = parameters->subsampling_dx;
subsampling_dy = parameters->subsampling_dy;
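Review bot: The probe `fseek(f, (long)expected_file_size - 1, SEEK_SET)` and the restoring `fseek(f, curpos, SEEK_SET)` ignore their return values, and `curpos = ftell(f)` is never checked for -1, so on a non-seekable or otherwise failing stream the `fread` consumes one byte from the current position and decoding continues from a shifted offset instead of failing cleanly. Check all three and bail out the same way the existing `fread` path does. The guard also divides by `numcomps` in `10000000 / image_height / numcomps`; whether `numcomps` is guaranteed non-zero at this point is decided by code above the hunk. The enclosing function starts and ends outside the hunk.

```c
        long curpos = ftell(f);
        if (curpos < 0) {
            fclose(f);
            return NULL;
        }
        /* … unchanged: clamp expected_file_size to INT_MAX … */
        if (fseek(f, (long)expected_file_size - 1, SEEK_SET) != 0 ||
            fread(&ch, 1, 1, f) != 1 ||
            fseek(f, curpos, SEEK_SET) != 0) {
            fclose(f);
            return NULL;
        }
```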
From 397f62c0a838e15d667ef50e27d5d011d2c79c04 Mon Sep 17 00:00:00 2001
From: Even Rouault <even.rouault@spatialys.com>
Date: Sat, 29 Jul 2017 19:13:49 +0200
Subject: [PATCH] Fix write heap buffer overflow in opj_mqc_byteout().
Discovered by Ke Liu of Tencent's Xuanwu LAB (#835)
---
src/lib/openjp2/tcd.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
--- a/src/lib/openjp2/tcd.c
+++ b/src/lib/openjp2/tcd.c
@@ -1088,7 +1088,9 @@
{
OPJ_UINT32 l_data_size;
- l_data_size = (OPJ_UINT32)((p_code_block->x1 - p_code_block->x0) * (p_code_block->y1 - p_code_block->y0) * (OPJ_INT32)sizeof(OPJ_UINT32));
+ /* The +1 is needed for https://github.com/uclouvain/openjpeg/issues/835 */
+ l_data_size = 1 + (OPJ_UINT32)((p_code_block->x1 - p_code_block->x0) *
+ (p_code_block->y1 - p_code_block->y0) * (OPJ_INT32)sizeof(OPJ_UINT32));
if (l_data_size > p_code_block->data_size) {
if (p_code_block->data) {
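Review bot: The comment `The +1 is needed for https://github.com/uclouvain/openjpeg/issues/835` points at a tracker entry but does not say what the extra byte is for, so the reason is lost to anyone reading offline. The patch title states it: opj_mqc_byteout() can write one byte beyond the nominal coded size, so suggest `/* +1: opj_mqc_byteout() may emit one byte past the nominal w*h*sizeof(OPJ_UINT32) coded size (issue #835) */`. The product itself is still formed in OPJ_INT32 before the cast; presumably code-block dimensions are bounded when the COD marker is parsed so it cannot overflow, but that is not visible here. The enclosing function starts and ends outside the hunk.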
From 3fbe71369019df0b47c7a2be4fab8c05768f2f32 Mon Sep 17 00:00:00 2001
From: Even Rouault <even.rouault@spatialys.com>
Date: Sat, 29 Jul 2017 18:38:16 +0200
Subject: [PATCH] opj_tcd_get_decoded_tile_size(): fix potential UINT32
overflow (#854, CVE-2016-5152)
Fix derived from https://pdfium.googlesource.com/pdfium.git/+/d8cc503575463ff3d81b22dad292665f2c88911e/third_party/libopenjpeg20/0018-tcd_get_decoded_tile_size.patch
---
src/lib/openjp2/j2k.c | 3 +++
src/lib/openjp2/tcd.c | 16 +++++++++++++---
2 files changed, 16 insertions(+), 3 deletions(-)
--- a/src/lib/openjp2/j2k.c
+++ b/src/lib/openjp2/j2k.c
@@ -41,6 +41,7 @@
*/
#include "opj_includes.h"
+#include <limits.h> /* UINT_MAX */
/** @defgroup J2K J2K - JPEG-2000 codestream reader/writer */
/*@{*/
@@ -8097,6 +8098,9 @@
*p_tile_index = p_j2k->m_current_tile_number;
*p_go_on = OPJ_TRUE;
*p_data_size = opj_tcd_get_decoded_tile_size(p_j2k->m_tcd);
+ if (*p_data_size == UINT_MAX) {
+ return OPJ_FALSE;
+ }
*p_tile_x0 = p_j2k->m_tcd->tcd_image->tiles->x0;
*p_tile_y0 = p_j2k->m_tcd->tcd_image->tiles->y0;
*p_tile_x1 = p_j2k->m_tcd->tcd_image->tiles->x1;
--- a/src/lib/openjp2/tcd.c
+++ b/src/lib/openjp2/tcd.c
@@ -39,6 +39,7 @@
*/
#include "opj_includes.h"
+#include <limits.h> /* UINT_MAX */
/* ----------------------------------------------------------------------- */
@@ -1154,6 +1155,7 @@
opj_tcd_tilecomp_t * l_tile_comp = 00;
opj_tcd_resolution_t * l_res = 00;
OPJ_UINT32 l_size_comp, l_remaining;
+ OPJ_UINT32 l_temp;
l_tile_comp = p_tcd->tcd_image->tiles->comps;
l_img_comp = p_tcd->image->comps;
@@ -1171,7 +1173,17 @@
}
l_res = l_tile_comp->resolutions + l_tile_comp->minimum_num_resolutions - 1;
- l_data_size += l_size_comp * (OPJ_UINT32)((l_res->x1 - l_res->x0) * (l_res->y1 - l_res->y0));
+ l_temp = (OPJ_UINT32)((l_res->x1 - l_res->x0) * (l_res->y1 -
+ l_res->y0)); /* x1*y1 can't overflow */
+ if (l_size_comp && UINT_MAX / l_size_comp < l_temp) {
+ return UINT_MAX;
+ }
+ l_temp *= l_size_comp;
+
+ if (l_temp > UINT_MAX - l_data_size) {
+ return UINT_MAX;
+ }
+ l_data_size += l_temp;
++l_img_comp;
++l_tile_comp;
}
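Review bot: The new `l_temp` is still computed as `(OPJ_UINT32)((l_res->x1 - l_res->x0) * (l_res->y1 - l_res->y0))`, a product of two OPJ_INT32 differences evaluated in signed 32-bit arithmetic, and the comment `x1*y1 can't overflow` asserts rather than enforces that bound; if the resolution extents are only bounded by the int32 range, the product can overflow before the new checks run, which is undefined behaviour. Whether a tighter bound is enforced upstream of this function is not visible in the hunk. A self-contained form is `OPJ_UINT64 l_area = (OPJ_UINT64)(OPJ_UINT32)(l_res->x1 - l_res->x0) * (OPJ_UINT32)(l_res->y1 - l_res->y0);`, `if (l_area > UINT_MAX) return UINT_MAX;`, `l_temp = (OPJ_UINT32)l_area;`. The enclosing function starts and ends outside the hunk.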
@@ -1366,7 +1378,7 @@
OPJ_UINT32 l_stride, l_width,l_height;
l_data_size = opj_tcd_get_decoded_tile_size(p_tcd);
- if (l_data_size > p_dest_length) {
+ if (l_data_size == UINT_MAX || l_data_size > p_dest_length) {
return OPJ_FALSE;
}
Index: openjpeg2-2.1.0/src/lib/openjp2/opj_intmath.h
===================================================================
--- openjpeg2-2.1.0.orig/src/lib/openjp2/opj_intmath.h 2018-07-17 12:53:00.463830392 +0200
+++ openjpeg2-2.1.0/src/lib/openjp2/opj_intmath.h 2018-07-17 12:53:00.431830393 +0200
@@ -82,6 +82,15 @@
}
/**
+ Get the saturated sum of two unsigned integers
+ @return Returns saturated sum of a+b
+ */
+static INLINE OPJ_UINT32 opj_uint_adds(OPJ_UINT32 a, OPJ_UINT32 b) {
+ OPJ_UINT64 sum = (OPJ_UINT64)a + (OPJ_UINT64)b;
+ return -(OPJ_UINT32)(sum >> 32) | (OPJ_UINT32)sum;
+}
+
+/**
Clamp an integer inside an interval
@return
<ul>
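Review bot: `return -(OPJ_UINT32)(sum >> 32) | (OPJ_UINT32)sum;` is correct but opaque: it relies on `sum >> 32` being only the carry (0 or 1) so that its 32-bit negation is either 0 or all-ones. A why-comment spares the next reader re-deriving it, e.g. `/* sum >> 32 is the carry (0 or 1); negated in 32 bits it is 0 or 0xFFFFFFFF, which ORs in saturation */`. The doc block `Get the saturated sum of two unsigned integers` could also state the saturation value explicitly: `@return a+b, or 0xFFFFFFFF if the sum does not fit in 32 bits`.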
Index: openjpeg2-2.1.0/src/lib/openjp2/pi.c
===================================================================
--- openjpeg2-2.1.0.orig/src/lib/openjp2/pi.c 2018-07-17 12:53:00.463830392 +0200
+++ openjpeg2-2.1.0/src/lib/openjp2/pi.c 2018-07-17 13:15:45.795789463 +0200
@@ -574,6 +574,9 @@
/* position in x and y of tile */
OPJ_UINT32 p, q;
+ /* non-corrected (in regard to image offset) tile offset */
+ OPJ_UINT32 l_tx0, l_ty0;
+
/* preconditions */
assert(p_cp != 00);
assert(p_image != 00);
@@ -589,10 +592,12 @@
q = p_tileno / p_cp->tw;
/* find extent of tile */
- *p_tx0 = opj_int_max((OPJ_INT32)(p_cp->tx0 + p * p_cp->tdx), (OPJ_INT32)p_image->x0);
- *p_tx1 = opj_int_min((OPJ_INT32)(p_cp->tx0 + (p + 1) * p_cp->tdx), (OPJ_INT32)p_image->x1);
- *p_ty0 = opj_int_max((OPJ_INT32)(p_cp->ty0 + q * p_cp->tdy), (OPJ_INT32)p_image->y0);
- *p_ty1 = opj_int_min((OPJ_INT32)(p_cp->ty0 + (q + 1) * p_cp->tdy), (OPJ_INT32)p_image->y1);
+ l_tx0 = p_cp->tx0 + p * p_cp->tdx; /* can't be greater than p_image->x1 so won't overflow */
+ *p_tx0 = (OPJ_INT32)opj_uint_max(l_tx0, p_image->x0);
+ *p_tx1 = (OPJ_INT32)opj_uint_min(opj_uint_adds(l_tx0, p_cp->tdx), p_image->x1);
+ l_ty0 = p_cp->ty0 + q * p_cp->tdy; /* can't be greater than p_image->y1 so won't overflow */
+ *p_ty0 = (OPJ_INT32)opj_uint_max(l_ty0, p_image->y0);
+ *p_ty1 = (OPJ_INT32)opj_uint_min(opj_uint_adds(l_ty0, p_cp->tdy), p_image->y1);
/* max precision is 0 (can only grow) */
*p_max_prec = 0;
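Review bot: `*p_tx0` through `*p_ty1` are now computed in unsigned arithmetic and cast to OPJ_INT32 with no check that the result is non-negative, whereas the tcd.c change in this same patch adds `if (l_tile->x0 < 0 || l_tile->x1 < 0) return OPJ_FALSE;` after the equivalent casts. A tile offset or image bound of 2^31 or more therefore yields a negative extent here; whether the callers tolerate that depends on code outside the hunk. Consider the same `< 0` rejection after the four assignments, or a comment explaining why pi.c can rely on tcd.c having already rejected such a tile. The enclosing function starts and ends outside the hunk.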
@@ -693,6 +698,9 @@
/* position in x and y of tile*/
OPJ_UINT32 p, q;
+ /* non-corrected (in regard to image offset) tile offset */
+ OPJ_UINT32 l_tx0, l_ty0;
+
/* preconditions in debug*/
assert(p_cp != 00);
assert(p_image != 00);
Index: openjpeg2-2.1.0/src/lib/openjp2/tcd.c
===================================================================
--- openjpeg2-2.1.0.orig/src/lib/openjp2/tcd.c 2018-07-17 12:53:00.463830392 +0200
+++ openjpeg2-2.1.0/src/lib/openjp2/tcd.c 2018-07-17 13:13:21.000000000 +0200
@@ -640,6 +640,7 @@
OPJ_UINT32 l_pdx, l_pdy; \
OPJ_UINT32 l_gain; \
OPJ_INT32 l_x0b, l_y0b; \
+ OPJ_UINT32 l_tx0, l_ty0; \
/* extent of precincts , top left, bottom right**/ \
OPJ_INT32 l_tl_prc_x_start, l_tl_prc_y_start, l_br_prc_x_end, l_br_prc_y_end; \
/* number of precinct for a resolution */ \
@@ -666,11 +667,13 @@
/*fprintf(stderr, "Tile coordinate = %d,%d\n", p, q);*/ \
\
/* 4 borders of the tile rescale on the image if necessary */ \
- l_tile->x0 = opj_int_max((OPJ_INT32)(l_cp->tx0 + p * l_cp->tdx), (OPJ_INT32)l_image->x0); \
- l_tile->y0 = opj_int_max((OPJ_INT32)(l_cp->ty0 + q * l_cp->tdy), (OPJ_INT32)l_image->y0); \
+ l_tx0 = l_cp->tx0 + p * l_cp->tdx; /* can't be greater than l_image->x1 so won't overflow */ \
+ l_tile->x0 = (OPJ_INT32)opj_uint_max(l_tx0, l_image->x0); \
if (l_tile->x0 < 0 || l_tile->x1 < 0) return OPJ_FALSE; \
- l_tile->x1 = opj_int_min((OPJ_INT32)(l_cp->tx0 + (p + 1) * l_cp->tdx), (OPJ_INT32)l_image->x1); \
- l_tile->y1 = opj_int_min((OPJ_INT32)(l_cp->ty0 + (q + 1) * l_cp->tdy), (OPJ_INT32)l_image->y1); \
+ l_tile->x1 = (OPJ_INT32)opj_uint_min(opj_uint_adds(l_tx0, l_cp->tdx), l_image->x1); \
+ l_ty0 = l_cp->ty0 + q * l_cp->tdy; /* can't be greater than l_image->y1 so won't overflow */ \
+ l_tile->y0 = (OPJ_INT32)opj_uint_max(l_ty0, l_image->y0); \
+ l_tile->y1 = (OPJ_INT32)opj_uint_min(opj_uint_adds(l_ty0, l_cp->tdy), l_image->y1); \
if (l_tile->y0 < 0 || l_tile->y1 < 0) return OPJ_FALSE; \
/* testcase 1888.pdf.asan.35.988 */ \
if (l_tccp->numresolutions == 0) { \
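Review bot: The guard `if (l_tile->x0 < 0 || l_tile->x1 < 0) return OPJ_FALSE;` directly after the new `l_tile->x0` assignment tests `l_tile->x1` before the line `l_tile->x1 = (OPJ_INT32)opj_uint_min(opj_uint_adds(l_tx0, l_cp->tdx), l_image->x1);` has set it, so the x1 half of the check sees whatever the field held before this tile was initialised. The y-axis check below is placed correctly after both `y0` and `y1` are assigned; move the x-axis check to just after the `x1` assignment so both axes are handled the same way. The enclosing macro body starts and ends outside the hunk.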
Backport of 0fa5a17c98c4b8f9ee2286f4f0a50cf52a5fccb0 Mon Sep 17 00:00:00 2001
by Matthieu Darbois
--- openjpeg2-2.1.0.orig/src/lib/openjp2/j2k.c
+++ openjpeg2-2.1.0/src/lib/openjp2/j2k.c
@@ -7156,6 +7156,12 @@ static OPJ_BOOL opj_j2k_copy_default_tcp
/* Initialize some values of the current tile coding parameters*/
l_tcp->ppt = 0;
l_tcp->ppt_data = 00;
+ /* Remove memory not owned by this tile in case of early error return. */
+ l_tcp->m_mct_decoding_matrix = 00;
+ l_tcp->m_nb_max_mct_records = 0;
+ l_tcp->m_mct_records = 00;
+ l_tcp->m_nb_max_mcc_records = 0;
+ l_tcp->m_mcc_records = 00;
/* Reconnect the tile-compo coding parameters pointer to the current tile coding parameters*/
l_tcp->tccps = l_current_tccp;
@@ -7193,6 +7199,8 @@ static OPJ_BOOL opj_j2k_copy_default_tcp
++l_src_mct_rec;
++l_dest_mct_rec;
+ /* Update with each pass to free exactly what has been allocated on early return. */
+ l_tcp->m_nb_max_mct_records += 1;
}
/* Get the mcc_record of the dflt_tile_cp and copy them into the current tile cp*/
@@ -7202,6 +7210,7 @@ static OPJ_BOOL opj_j2k_copy_default_tcp
return OPJ_FALSE;
}
memcpy(l_tcp->m_mcc_records,l_default_tcp->m_mcc_records,l_mcc_records_size);
+ l_tcp->m_nb_max_mcc_records = l_default_tcp->m_nb_max_mcc_records;
/* Copy the mcc record data from dflt_tile_cp to the current tile*/
l_src_mcc_rec = l_default_tcp->m_mcc_records;
Backport of 940100c28ae28931722290794889cf84a92c5f6f
--- openjpeg2-2.1.0.orig/src/lib/openjp2/j2k.c
+++ openjpeg2-2.1.0/src/lib/openjp2/j2k.c
@@ -5526,8 +5526,7 @@ OPJ_BOOL opj_j2k_write_mco( opj_j2k_
assert(p_stream != 00);
l_tcp =&(p_j2k->m_cp.tcps[p_j2k->m_current_tile_number]);
- l_current_data = p_j2k->m_specific_param.m_encoder.m_header_tile_data;
-
+
l_mco_size = 5 + l_tcp->m_nb_mcc_records;
if (l_mco_size > p_j2k->m_specific_param.m_encoder.m_header_tile_data_size) {
@@ -5542,6 +5541,8 @@ OPJ_BOOL opj_j2k_write_mco( opj_j2k_
p_j2k->m_specific_param.m_encoder.m_header_tile_data = new_header_tile_data;
p_j2k->m_specific_param.m_encoder.m_header_tile_data_size = l_mco_size;
}
+ l_current_data = p_j2k->m_specific_param.m_encoder.m_header_tile_data;
+
opj_write_bytes(l_current_data,J2K_MS_MCO,2); /* MCO */
l_current_data += 2;
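Review bot: The relocated `l_current_data = p_j2k->m_specific_param.m_encoder.m_header_tile_data;` is the whole fix — the pointer is now taken after the buffer may have been reallocated above it — but nothing marks it as order-sensitive, so a future tidy-up could hoist it back next to the declarations and reintroduce the stale-pointer write. Suggest `/* must be read after the possible realloc above: the earlier buffer address may be stale */` on that line. The enclosing function starts before the hunk.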
@@ -5553,10 +5554,9 @@ OPJ_BOOL opj_j2k_write_mco( opj_j2k_
++l_current_data;
l_mcc_record = l_tcp->m_mcc_records;
- for (i=0;i<l_tcp->m_nb_mcc_records;++i) {
+ for (i=0;i<l_tcp->m_nb_mcc_records;++i) {
opj_write_bytes(l_current_data,l_mcc_record->m_index,1);/* Imco -> use the mcc indicated by 1*/
++l_current_data;
-
++l_mcc_record;
}
Backport of 1a8318f6c24623189ecb65e049267c6f2e005c0e
--- openjpeg2-2.1.0.orig/src/lib/openjp2/j2k.c
+++ openjpeg2-2.1.0/src/lib/openjp2/j2k.c
@@ -8432,6 +8432,9 @@ OPJ_BOOL opj_j2k_read_SPCod_SPCoc( opj_
opj_read_bytes(l_current_ptr,&l_tccp->cblksty ,1); /* SPcoc (G) */
++l_current_ptr;
+ if (l_tccp->cblksty & 0xC0U) { /* 2 msb are reserved, assume we can't read */
+ return OPJ_FALSE;
+ }
opj_read_bytes(l_current_ptr,&l_tccp->qmfbid ,1); /* SPcoc (H) */
++l_current_ptr;
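Review bot: The new reserved-bit check `if (l_tccp->cblksty & 0xC0U) return OPJ_FALSE;` fails silently, and its comment `2 msb are reserved, assume we can't read` does not say what is being rejected or why. Suggest `/* bits 6-7 of SPcod/SPcoc (G) are reserved by the standard; reject rather than decode with an unknown code-block style */` and, if an event manager is in scope, an `opj_event_msg(p_manager, EVT_ERROR, ...)` naming the offending value — the signature is cut at `opj_j2k_read_SPCod_SPCoc( opj_` so whether `p_manager` is available cannot be confirmed here. The enclosing function starts and ends outside the hunk.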
--- openjpeg2-2.1.0.orig/src/lib/openjp2/t2.c
+++ openjpeg2-2.1.0/src/lib/openjp2/t2.c
@@ -839,9 +839,13 @@ OPJ_BOOL opj_t2_read_packet_header( opj_
/* reset tagtrees */
for (bandno = 0; bandno < l_res->numbands; ++bandno) {
- opj_tcd_precinct_t *l_prc = &l_band->precincts[p_pi->precno];
-
if ( ! ((l_band->x1-l_band->x0 == 0)||(l_band->y1-l_band->y0 == 0)) ) {
+ opj_tcd_precinct_t *l_prc = &l_band->precincts[p_pi->precno];
+ if (!(p_pi->precno < (l_band->precincts_data_size / sizeof(opj_tcd_precinct_t)))) {
+ return OPJ_FALSE;
+ }
+
+
opj_tgt_reset(l_prc->incltree);
opj_tgt_reset(l_prc->imsbtree);
l_cblk = l_prc->cblks.dec;
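Review bot: `opj_tcd_precinct_t *l_prc = &l_band->precincts[p_pi->precno];` still forms the possibly out-of-range address before the new `precno < precincts_data_size / sizeof(opj_tcd_precinct_t)` check rejects it; forming a pointer beyond one-past-the-end of an array is undefined behaviour even without a dereference, and it is also the order a reader trips over. Swap the two so the bound is checked first and `l_prc` computed after, and drop the two empty added lines between the check and `opj_tgt_reset`. The division implies `precincts_data_size` is a byte count; a short comment saying so would help. The enclosing function starts and ends outside the hunk.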
Index: openjpeg2-2.1.0/src/lib/openjp2/tcd.c
===================================================================
--- openjpeg2-2.1.0.orig/src/lib/openjp2/tcd.c 2018-07-17 12:53:00.451830392 +0200
+++ openjpeg2-2.1.0/src/lib/openjp2/tcd.c 2018-07-17 12:58:59.407819632 +0200
@@ -793,7 +793,11 @@
l_res->ph = (l_res->y0 == l_res->y1) ? 0 : (OPJ_UINT32)((l_br_prc_y_end - l_tl_prc_y_start) >> l_pdy); \
/*fprintf(stderr, "\t\t\tres_pw=%d, res_ph=%d\n", l_res->pw, l_res->ph );*/ \
\
+ if (l_res->pw && ((OPJ_UINT32)-1) / l_res->pw < l_res->ph) return OPJ_FALSE; \
+ \
l_nb_precincts = l_res->pw * l_res->ph; \
+ if (((OPJ_UINT32)-1) / (OPJ_UINT32)sizeof(opj_tcd_precinct_t) < l_nb_precincts) return OPJ_FALSE; \
+ \
l_nb_precinct_size = l_nb_precincts * (OPJ_UINT32)sizeof(opj_tcd_precinct_t); \
if (resno == 0) { \
tlcbgxstart = l_tl_prc_x_start; \
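Review bot: Both new guards spell the maximum as `((OPJ_UINT32)-1)` inside a backslash-continued macro body, while the CVE-2016-5152 patch in this same series uses `UINT_MAX` from `<limits.h>` in the same file; two idioms for one bound make the macro harder to scan. If `<limits.h>` is included in this file (not visible from the hunk), `if (l_res->pw && UINT_MAX / l_res->pw < l_res->ph) return OPJ_FALSE; \` reads more clearly, and a one-line comment such as `/* pw*ph and the byte size of the precinct array must fit in 32 bits */` would state what both checks protect. The enclosing macro body starts and ends outside the hunk.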
Description: <short summary of the patch>
TODO: Put a short summary on the line above and replace this paragraph
with a longer explanation of this change. Complete the meta-information
with other relevant fields (see below for details). To make it easier, the
information below has been extracted from the changelog. Adjust it or drop
it.
.
openjpeg2 (2.1.0-2+deb8u3) jessie-security; urgency=medium
.
* CVE-2016-9118: c22cbd8bdf8ff2ae372f94391a4be2d322b36b41.patch
* CVE-2016-5152: 3fbe71369019df0b47c7a2be4fab8c05768f2f32.patch
* CVE-2016-1628: 11445eddad7e7fa5b273d1c83c91011c44e5d586.patch
* CVE-2016-10504: not needed
* CVE-2017-14039: CVE-2017-14039.patch
* CVE-2017-14040: 2cd30c2b06ce332dede81cccad8b334cde997281.patch
* CVE-2017-14041: e5285319229a5d77bf316bb0d3a6cbd3cb8666d9.patch
* CVE-2017-14151: not needed
* CVE-2017-14152: dcac91b8c72f743bda7dbfa9032356bc8110098a.patch
Author: Mathieu Malaterre <malat@debian.org>
---
The information above should follow the Patch Tagging Guidelines, please
checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here
are templates for supplementary fields that you might want to add:
Origin: <vendor|upstream|other>, <url of original patch>
Bug: <url in upstream bugtracker>
Bug-Debian: https://bugs.debian.org/<bugnumber>
Bug-Ubuntu: https://launchpad.net/bugs/<bugnumber>
Forwarded: <no|not-needed|url proving that it has been forwarded>
Reviewed-By: <name and email of someone who approved the patch>
Last-Update: 2017-10-23
--- openjpeg2-2.1.0.orig/src/lib/openjp2/tcd.c
+++ openjpeg2-2.1.0/src/lib/openjp2/tcd.c
@@ -668,8 +668,10 @@ OPJ_BOOL FUNCTION ( opj_tcd_t *p_tcd
/* 4 borders of the tile rescale on the image if necessary */ \
l_tile->x0 = opj_int_max((OPJ_INT32)(l_cp->tx0 + p * l_cp->tdx), (OPJ_INT32)l_image->x0); \
l_tile->y0 = opj_int_max((OPJ_INT32)(l_cp->ty0 + q * l_cp->tdy), (OPJ_INT32)l_image->y0); \
+if (l_tile->x0 < 0 || l_tile->x1 < 0) return OPJ_FALSE; \
l_tile->x1 = opj_int_min((OPJ_INT32)(l_cp->tx0 + (p + 1) * l_cp->tdx), (OPJ_INT32)l_image->x1); \
l_tile->y1 = opj_int_min((OPJ_INT32)(l_cp->ty0 + (q + 1) * l_cp->tdy), (OPJ_INT32)l_image->y1); \
+if (l_tile->y0 < 0 || l_tile->y1 < 0) return OPJ_FALSE; \
/* testcase 1888.pdf.asan.35.988 */ \
if (l_tccp->numresolutions == 0) { \
fprintf(stderr, "tiles require at least one resolution\n"); \
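Review bot: The added `if (l_tile->x0 < 0 || l_tile->x1 < 0) return OPJ_FALSE; \` is placed after the `x0` assignment but before the line `l_tile->x1 = opj_int_min(...)` that assigns `x1`, so the `x1 < 0` half tests a value left over from before this tile was set up and cannot catch a negative x1 for the current tile. The y-axis check is correctly placed after both `y0` and `y1`; move the x-axis check to directly after the `x1` assignment. The enclosing macro body starts and ends outside the hunk.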
diff -Naur openjpeg2-2.1.0.orig/src/lib/openjp2/dwt.c openjpeg2-2.1.0/src/lib/openjp2/dwt.c
--- openjpeg2-2.1.0.orig/src/lib/openjp2/dwt.c 2014-04-29 09:15:02.000000000 +0200
+++ openjpeg2-2.1.0/src/lib/openjp2/dwt.c 2017-01-14 17:33:39.298752651 +0100
@@ -395,7 +395,7 @@
OPJ_INT32 rw; /* width of the resolution level computed */
OPJ_INT32 rh; /* height of the resolution level computed */
- OPJ_UINT32 l_data_size;
+ size_t l_data_size;
opj_tcd_resolution_t * l_cur_res = 0;
opj_tcd_resolution_t * l_last_res = 0;
@@ -407,9 +407,15 @@
l_cur_res = tilec->resolutions + l;
l_last_res = l_cur_res - 1;
- l_data_size = opj_dwt_max_resolution( tilec->resolutions,tilec->numresolutions) * (OPJ_UINT32)sizeof(OPJ_INT32);
- bj = (OPJ_INT32*)opj_malloc((size_t)l_data_size);
- if (! bj) {
+ l_data_size = opj_dwt_max_resolution( tilec->resolutions,tilec->numresolutions);
+ /* overflow check */
+ if (l_data_size > (SIZE_MAX / sizeof(OPJ_INT32))) {
+ /* FIXME event manager error callback */
+ return OPJ_FALSE;
+ }
+ l_data_size *= sizeof(OPJ_INT32);
+ bj = (OPJ_INT32*)opj_malloc(l_data_size);
+ if (! bj) {
return OPJ_FALSE;
}
i = l;
@@ -568,6 +574,14 @@
OPJ_UINT32 w = (OPJ_UINT32)(tilec->x1 - tilec->x0);
+ size_t h_mem_size;
+ h_mem_size = opj_dwt_max_resolution(tr, numres);
+ /* overflow check */
+ if (h_mem_size > (SIZE_MAX / sizeof(OPJ_INT32))) {
+ /* FIXME event manager error callback */
+ return OPJ_FALSE;
+ }
+ h_mem_size *= sizeof(OPJ_INT32);
h.mem = (OPJ_INT32*)
opj_aligned_malloc(opj_dwt_max_resolution(tr, numres) * sizeof(OPJ_INT32));
if (! h.mem){
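Review bot: `h_mem_size` is computed and overflow-checked but the allocation on the context line `opj_aligned_malloc(opj_dwt_max_resolution(tr, numres) * sizeof(OPJ_INT32));` recomputes the size instead of using it, so the checked value is effectively dead and the two expressions can drift apart; the guard does still protect the allocation, since the product cannot overflow once `h_mem_size <= SIZE_MAX / sizeof(OPJ_INT32)` holds. As rendered the page shows that line unchanged; if a replacement line was dropped this is moot, otherwise change it to `opj_aligned_malloc(h_mem_size);` to match the `bj` hunk above. The enclosing function starts and ends outside the hunk.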
@@ -841,7 +854,21 @@
OPJ_UINT32 w = (OPJ_UINT32)(tilec->x1 - tilec->x0);
- h.wavelet = (opj_v4_t*) opj_aligned_malloc((opj_dwt_max_resolution(res, numres)+5) * sizeof(opj_v4_t));
+ size_t l_data_size;
+
+ l_data_size = opj_dwt_max_resolution(res, numres);
+ /* overflow check */
+ if (l_data_size > (SIZE_MAX - 5U)) {
+ /* FIXME event manager error callback */
+ return OPJ_FALSE;
+ }
+ l_data_size += 5U;
+ /* overflow check */
+ if (l_data_size > (SIZE_MAX / sizeof(opj_v4_t))) {
+ /* FIXME event manager error callback */
+ return OPJ_FALSE;
+ }
+ h.wavelet = (opj_v4_t*) opj_aligned_malloc(l_data_size * sizeof(opj_v4_t));
v.wavelet = h.wavelet;
while( --numres) {
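Review bot: `h.wavelet` is assigned from `opj_aligned_malloc` and immediately copied into `v.wavelet` with no check for a NULL return, so an allocation failure — the remaining failure mode once the new size checks reject overflow — is dereferenced later in the loop. Add `if (!h.wavelet) { /* FIXME event manager error callback */ return OPJ_FALSE; }` between the two lines, matching the pattern the other hunks in this patch use for `bj` and `h.mem`. The enclosing function starts and ends outside the hunk.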
diff -Naur openjpeg2-2.1.0.orig/src/lib/openjp2/pi.c openjpeg2-2.1.0/src/lib/openjp2/pi.c
--- openjpeg2-2.1.0.orig/src/lib/openjp2/pi.c 2017-01-14 17:23:21.000000000 +0100
+++ openjpeg2-2.1.0/src/lib/openjp2/pi.c 2017-01-14 17:33:39.302752669 +0100
@@ -1234,14 +1234,14 @@
/* memory allocation for include */
/* prevent an integer overflow issue */
+ /* 0 < l_tcp->numlayers < 65536 c.f. opj_j2k_read_cod in j2k.c */
l_current_pi->include = 00;
if (l_step_l <= (SIZE_MAX / (l_tcp->numlayers + 1U)))
{
l_current_pi->include = (OPJ_INT16*) opj_calloc((size_t)(l_tcp->numlayers + 1U) * l_step_l, sizeof(OPJ_INT16));
}
- if
- (!l_current_pi->include)
+ if (!l_current_pi->include)
{
opj_free(l_tmp_data);
opj_free(l_tmp_ptr);
diff -Naur openjpeg2-2.1.0.orig/src/lib/openjp2/t1.c openjpeg2-2.1.0/src/lib/openjp2/t1.c
--- openjpeg2-2.1.0.orig/src/lib/openjp2/t1.c 2014-04-29 09:15:02.000000000 +0200
+++ openjpeg2-2.1.0/src/lib/openjp2/t1.c 2017-01-14 17:32:33.982500247 +0100
@@ -1163,31 +1163,90 @@
OPJ_UINT32 w,
OPJ_UINT32 h)
{