Commit aae62fea authored by Moritz Muehlenhoff, committed by Mathieu Malaterre

Import Debian changes 2.1.0-2+deb8u2

openjpeg2 (2.1.0-2+deb8u2) jessie-security; urgency=medium

  * CVE-2016-5159 CVE-2016-8332 CVE-2016-9572 CVE-2016-9573
parent 18085d65
openjpeg2 (2.1.0-2+deb8u2) jessie-security; urgency=medium
* CVE-2016-5159 CVE-2016-8332 CVE-2016-9572 CVE-2016-9573
-- Moritz Muehlenhoff <jmm@debian.org> Sat, 14 Jan 2017 18:50:54 +0100
openjpeg2 (2.1.0-2+deb8u1) jessie-security; urgency=medium
* CVE-2015-6581 CVE-2015-8871 CVE-2016-1924 CVE-2016-7163
diff -Naur openjpeg2-2.1.0.orig/src/lib/openjp2/dwt.c openjpeg2-2.1.0/src/lib/openjp2/dwt.c
--- openjpeg2-2.1.0.orig/src/lib/openjp2/dwt.c 2014-04-29 09:15:02.000000000 +0200
+++ openjpeg2-2.1.0/src/lib/openjp2/dwt.c 2017-01-14 17:33:39.298752651 +0100
@@ -395,7 +395,7 @@
OPJ_INT32 rw; /* width of the resolution level computed */
OPJ_INT32 rh; /* height of the resolution level computed */
- OPJ_UINT32 l_data_size;
+ size_t l_data_size;
opj_tcd_resolution_t * l_cur_res = 0;
opj_tcd_resolution_t * l_last_res = 0;
@@ -407,9 +407,15 @@
l_cur_res = tilec->resolutions + l;
l_last_res = l_cur_res - 1;
- l_data_size = opj_dwt_max_resolution( tilec->resolutions,tilec->numresolutions) * (OPJ_UINT32)sizeof(OPJ_INT32);
- bj = (OPJ_INT32*)opj_malloc((size_t)l_data_size);
- if (! bj) {
+ l_data_size = opj_dwt_max_resolution( tilec->resolutions,tilec->numresolutions);
+ /* overflow check */
+ if (l_data_size > (SIZE_MAX / sizeof(OPJ_INT32))) {
+ /* FIXME event manager error callback */
+ return OPJ_FALSE;
+ }
+ l_data_size *= sizeof(OPJ_INT32);
+ bj = (OPJ_INT32*)opj_malloc(l_data_size);
+ if (! bj) {
return OPJ_FALSE;
}
i = l;
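Review bot: The new guard `if (l_data_size > (SIZE_MAX / sizeof(OPJ_INT32)))` can only fire on 32-bit targets: judging by the cast on the removed line, `opj_dwt_max_resolution` returns OPJ_UINT32, so on LP64 the product never exceeds SIZE_MAX and the branch is dead — a comment such as `/* only reachable when sizeof(size_t) == 4; keep it for 32-bit builds */` would stop a later cleanup from removing it as unreachable. The failure path still returns OPJ_FALSE with no diagnostic; if this function really has no event manager to report through, the `FIXME` should say so rather than leave the impression a call was forgotten. The enclosing function starts before this hunk and continues after it.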
@@ -568,6 +574,14 @@
OPJ_UINT32 w = (OPJ_UINT32)(tilec->x1 - tilec->x0);
+ size_t h_mem_size;
+ h_mem_size = opj_dwt_max_resolution(tr, numres);
+ /* overflow check */
+ if (h_mem_size > (SIZE_MAX / sizeof(OPJ_INT32))) {
+ /* FIXME event manager error callback */
+ return OPJ_FALSE;
+ }
+ h_mem_size *= sizeof(OPJ_INT32);
h.mem = (OPJ_INT32*)
opj_aligned_malloc(opj_dwt_max_resolution(tr, numres) * sizeof(OPJ_INT32));
if (! h.mem){
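Review bot: `h_mem_size` is computed and overflow-checked but never used: the allocation on the following line still reads `opj_aligned_malloc(opj_dwt_max_resolution(tr, numres) * sizeof(OPJ_INT32))`, so the multiplication the check was meant to protect is still performed unchecked on 32-bit targets, and the compiler will flag an unused variable. The allocation should become `h.mem = (OPJ_INT32*) opj_aligned_malloc(h_mem_size);` so the checked size is the one actually allocated. This looks like a backport slip rather than an upstream choice, but I can only see the patched lines here. The enclosing function begins before this hunk and continues after it.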
@@ -841,7 +854,21 @@
OPJ_UINT32 w = (OPJ_UINT32)(tilec->x1 - tilec->x0);
- h.wavelet = (opj_v4_t*) opj_aligned_malloc((opj_dwt_max_resolution(res, numres)+5) * sizeof(opj_v4_t));
+ size_t l_data_size;
+
+ l_data_size = opj_dwt_max_resolution(res, numres);
+ /* overflow check */
+ if (l_data_size > (SIZE_MAX - 5U)) {
+ /* FIXME event manager error callback */
+ return OPJ_FALSE;
+ }
+ l_data_size += 5U;
+ /* overflow check */
+ if (l_data_size > (SIZE_MAX / sizeof(opj_v4_t))) {
+ /* FIXME event manager error callback */
+ return OPJ_FALSE;
+ }
+ h.wavelet = (opj_v4_t*) opj_aligned_malloc(l_data_size * sizeof(opj_v4_t));
v.wavelet = h.wavelet;
while( --numres) {
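Review bot: The pointer returned by `opj_aligned_malloc(l_data_size * sizeof(opj_v4_t))` is stored in `h.wavelet`, copied to `v.wavelet` and then handed to the loop without a NULL check, so an allocation failure — which the new size checks now turn into a clean malloc failure instead of a wrap-around — still ends in a NULL dereference. Add `if (!h.wavelet) { return OPJ_FALSE; }` right after the assignment, assuming this function returns OPJ_BOOL like the sibling functions patched in this file. The two overflow checks are in the right order (add 5 first, then scale by the element size). The enclosing function continues outside the hunk.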
diff -Naur openjpeg2-2.1.0.orig/src/lib/openjp2/pi.c openjpeg2-2.1.0/src/lib/openjp2/pi.c
--- openjpeg2-2.1.0.orig/src/lib/openjp2/pi.c 2017-01-14 17:23:21.000000000 +0100
+++ openjpeg2-2.1.0/src/lib/openjp2/pi.c 2017-01-14 17:33:39.302752669 +0100
@@ -1234,14 +1234,14 @@
/* memory allocation for include */
/* prevent an integer overflow issue */
+ /* 0 < l_tcp->numlayers < 65536 c.f. opj_j2k_read_cod in j2k.c */
l_current_pi->include = 00;
if (l_step_l <= (SIZE_MAX / (l_tcp->numlayers + 1U)))
{
l_current_pi->include = (OPJ_INT16*) opj_calloc((size_t)(l_tcp->numlayers + 1U) * l_step_l, sizeof(OPJ_INT16));
}
- if
- (!l_current_pi->include)
+ if (!l_current_pi->include)
{
opj_free(l_tmp_data);
opj_free(l_tmp_ptr);
diff -Naur openjpeg2-2.1.0.orig/src/lib/openjp2/t1.c openjpeg2-2.1.0/src/lib/openjp2/t1.c
--- openjpeg2-2.1.0.orig/src/lib/openjp2/t1.c 2014-04-29 09:15:02.000000000 +0200
+++ openjpeg2-2.1.0/src/lib/openjp2/t1.c 2017-01-14 17:32:33.982500247 +0100
@@ -1163,31 +1163,90 @@
OPJ_UINT32 w,
OPJ_UINT32 h)
{
- OPJ_UINT32 datasize=w * h;
- OPJ_UINT32 flagssize;
+ size_t datasize;
+
+#if (SIZE_MAX / 0xFFFFFFFFU) < 0xFFFFFFFFU /* UINT32_MAX */
+ /* Overflow check */
+ if ((w > 0U) && ((size_t)h > (SIZE_MAX / (size_t)w))) {
+ /* FIXME event manager error callback */
+ return OPJ_FALSE;
+ }
+#endif
+ datasize = (size_t)w * h;
+
+ /* Overflow check */
+ if (datasize > (SIZE_MAX / sizeof(OPJ_INT32))) {
+ /* FIXME event manager error callback */
+ return OPJ_FALSE;
+ }
- if(datasize > t1->datasize){
+ if(datasize > (size_t)t1->datasize){
opj_aligned_free(t1->data);
t1->data = (OPJ_INT32*) opj_aligned_malloc(datasize * sizeof(OPJ_INT32));
if(!t1->data){
return OPJ_FALSE;
}
- t1->datasize=datasize;
+#if SIZE_MAX > 0xFFFFFFFFU /* UINT32_MAX */
+ /* TODO remove this if t1->datasize type changes to size_t */
+ /* Overflow check */
+ if (datasize > (size_t)0xFFFFFFFFU /* UINT32_MAX */) {
+ /* FIXME event manager error callback */
+ return OPJ_FALSE;
+ }
+#endif
+ t1->datasize = (OPJ_UINT32)datasize;
}
- memset(t1->data,0,datasize * sizeof(OPJ_INT32));
+ memset(t1->data, 0, datasize * sizeof(OPJ_INT32));
+
+ {
+ size_t flagssize;
- t1->flags_stride=w+2;
- flagssize=t1->flags_stride * (h+2);
+ /* Overflow check */
+ if (w > (0xFFFFFFFFU /* UINT32_MAX */ - 2U)) {
+ /* FIXME event manager error callback */
+ return OPJ_FALSE;
+ }
+ t1->flags_stride = w + 2U; /* can't be 0U */
- if(flagssize > t1->flagssize){
- opj_aligned_free(t1->flags);
- t1->flags = (opj_flag_t*) opj_aligned_malloc(flagssize * sizeof(opj_flag_t));
- if(!t1->flags){
+#if (SIZE_MAX - 3U) < 0xFFFFFFFFU /* UINT32_MAX */
+ /* Overflow check */
+ if (h > (0xFFFFFFFFU /* UINT32_MAX */ - 3U)) {
+ /* FIXME event manager error callback */
+ return OPJ_FALSE;
+ }
+#endif
+ flagssize = (size_t)h + 3U;
+
+ /* Overflow check */
+ if (flagssize > (SIZE_MAX / (size_t)t1->flags_stride)) {
return OPJ_FALSE;
}
- t1->flagssize=flagssize;
+ flagssize *= (size_t)t1->flags_stride;
+
+ if(flagssize > (size_t)t1->flagssize){
+ /* Overflow check */
+ if (flagssize > (SIZE_MAX / sizeof(opj_flag_t))) {
+ /* FIXME event manager error callback */
+ return OPJ_FALSE;
+ }
+ opj_aligned_free(t1->flags);
+ t1->flags = (opj_flag_t*) opj_aligned_malloc(flagssize * sizeof(opj_flag_t));
+ if(!t1->flags){
+ /* FIXME event manager error callback */
+ return OPJ_FALSE;
+ }
+#if SIZE_MAX > 0xFFFFFFFFU /* UINT32_MAX */
+ /* TODO remove this if t1->flagssize type changes to size_t */
+ /* Overflow check */
+ if (flagssize > (size_t)0xFFFFFFFFU /* UINT32_MAX */) {
+ /* FIXME event manager error callback */
+ return OPJ_FALSE;
+ }
+#endif
+ t1->flagssize = (OPJ_UINT32)flagssize;
+ }
+ memset(t1->flags, 0, flagssize * sizeof(opj_flag_t));
}
- memset(t1->flags,0,flagssize * sizeof(opj_flag_t));
t1->w=w;
t1->h=h;
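Review bot: The `datasize > UINT32_MAX` and `flagssize > UINT32_MAX` checks run after `opj_aligned_free` and `opj_aligned_malloc`, so on a 64-bit build a size that cannot be recorded in the OPJ_UINT32 fields first frees the old buffer and allocates a multi-gigabyte new one, then returns OPJ_FALSE with `t1->datasize` / `t1->flagssize` still describing the old buffer; hoisting each narrowing check above the free avoids the pointless allocation and keeps the struct consistent. Independently, when the allocation itself fails `t1->data` (or `t1->flags`) is NULL but the recorded size keeps its old value, so a later call with a smaller size skips reallocation and memsets NULL — setting `t1->datasize = 0;` / `t1->flagssize = 0;` immediately after the free closes that. The reordered datasize branch is sketched below; the flags branch needs the same treatment. The enclosing function starts before this hunk and continues after it.
```c
    if(datasize > (size_t)t1->datasize){
#if SIZE_MAX > 0xFFFFFFFFU /* UINT32_MAX */
        /* t1->datasize is OPJ_UINT32: refuse sizes it cannot record
         * before the old buffer is released */
        if (datasize > (size_t)0xFFFFFFFFU /* UINT32_MAX */) {
            return OPJ_FALSE;
        }
#endif
        opj_aligned_free(t1->data);
        t1->datasize = 0; /* keep size and pointer consistent if malloc fails */
        t1->data = (OPJ_INT32*) opj_aligned_malloc(datasize * sizeof(OPJ_INT32));
        if(!t1->data){
            return OPJ_FALSE;
        }
        t1->datasize = (OPJ_UINT32)datasize;
    }
    /* … unchanged: memset of t1->data, flags buffer (apply the same reordering) … */
```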
From 734d57d5f7842aa7c2c9f36d62131ab4d8bd6c87 Mon Sep 17 00:00:00 2001
From: Matthieu Darbois <mayeut@users.noreply.github.com>
Date: Tue, 6 Sep 2016 22:33:26 +0200
Subject: [PATCH] fix incrementing of "l_tcp->m_nb_mcc_records" in
opj_j2k_read_mcc (#820)
---
src/lib/openjp2/j2k.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/src/lib/openjp2/j2k.c b/src/lib/openjp2/j2k.c
index 01d1a4f..1cff598 100644
--- a/src/lib/openjp2/j2k.c
+++ b/src/lib/openjp2/j2k.c
@@ -5405,6 +5405,7 @@ static OPJ_BOOL opj_j2k_read_mcc ( opj_j2k_t *p_j2k,
OPJ_UINT32 l_nb_collections;
OPJ_UINT32 l_nb_comps;
OPJ_UINT32 l_nb_bytes_by_comp;
+ OPJ_BOOL l_new_mcc = OPJ_FALSE;
/* preconditions */
assert(p_header_data != 00);
@@ -5466,6 +5467,7 @@ static OPJ_BOOL opj_j2k_read_mcc ( opj_j2k_t *p_j2k,
memset(l_mcc_record,0,(l_tcp->m_nb_max_mcc_records-l_tcp->m_nb_mcc_records) * sizeof(opj_simple_mcc_decorrelation_data_t));
}
l_mcc_record = l_tcp->m_mcc_records + l_tcp->m_nb_mcc_records;
+ l_new_mcc = OPJ_TRUE;
}
l_mcc_record->m_index = l_indix;
@@ -5601,7 +5603,9 @@ static OPJ_BOOL opj_j2k_read_mcc ( opj_j2k_t *p_j2k,
return OPJ_FALSE;
}
- ++l_tcp->m_nb_mcc_records;
+ if (l_new_mcc) {
+ ++l_tcp->m_nb_mcc_records;
+ }
return OPJ_TRUE;
}
diff -Naur openjpeg2-2.1.0.orig/src/bin/jp2/convert.c openjpeg2-2.1.0/src/bin/jp2/convert.c
--- openjpeg2-2.1.0.orig/src/bin/jp2/convert.c 2014-04-29 09:15:02.000000000 +0200
+++ openjpeg2-2.1.0/src/bin/jp2/convert.c 2017-01-14 18:03:38.635775336 +0100
@@ -433,7 +433,8 @@
for (i = 0; i < image->numcomps-1; i++) {
if ((image->comps[0].dx != image->comps[i+1].dx)
||(image->comps[0].dy != image->comps[i+1].dy)
- ||(image->comps[0].prec != image->comps[i+1].prec)) {
+ ||(image->comps[0].prec != image->comps[i+1].prec)
+ ||(image->comps[0].sgnd != image->comps[i+1].sgnd)) {
fprintf(stderr, "Unable to create a tga file with such J2K image charateristics.");
return 1;
}
@@ -1951,7 +1952,7 @@
int *red, *green, *blue, *alpha;
int wr, hr, max;
int i;
- unsigned int compno, ncomp;
+ unsigned int compno, ncomp, ui;
int adjustR, adjustG, adjustB, adjustA;
int fails, two, want_gray, has_alpha, triple;
int prec, v;
@@ -1976,6 +1977,27 @@
if(want_gray) ncomp = 1;
+ for (ui = 1; ui < ncomp; ++ui) {
+ if (image->comps[0].dx != image->comps[ui].dx) {
+ break;
+ }
+ if (image->comps[0].dy != image->comps[ui].dy) {
+ break;
+ }
+ if (image->comps[0].prec != image->comps[ui].prec) {
+ break;
+ }
+ if (image->comps[0].sgnd != image->comps[ui].sgnd) {
+ break;
+ }
+ }
+ if (ui != ncomp) {
+ fprintf(stderr,"imagetopnm: All components\n shall have "
+ "the same subsampling, same bit depth, same sign.\n"
+ " Aborting\n");
+ return 1;
+ }
+
if (ncomp == 2 /* GRAYA */
|| (ncomp > 2 /* RGB, RGBA */
&& image->comps[0].dx == image->comps[1].dx
@@ -3081,7 +3103,7 @@
{
FILE *rawFile = NULL;
size_t res;
- unsigned int compno;
+ unsigned int compno, numcomps;
int w, h, fails;
int line, row, curr, mask;
int *ptr;
@@ -3094,6 +3116,31 @@
return 1;
}
+ numcomps = image->numcomps;
+
+ if (numcomps > 4) {
+ numcomps = 4;
+ }
+ for (compno = 1; compno < numcomps; ++compno) {
+ if (image->comps[0].dx != image->comps[compno].dx) {
+ break;
+ }
+ if (image->comps[0].dy != image->comps[compno].dy) {
+ break;
+ }
+ if (image->comps[0].prec != image->comps[compno].prec) {
+ break;
+ }
+ if (image->comps[0].sgnd != image->comps[compno].sgnd) {
+ break;
+ }
+ }
+ if (compno != numcomps) {
+ fprintf(stderr,"imagetoraw_common: All components shall have the same subsampling, same bit depth, same sign.\n");
+ fprintf(stderr,"\tAborting\n");
+ return 1;
+ }
+
rawFile = fopen(outfile, "wb");
if (!rawFile) {
fprintf(stderr, "Failed to open %s for writing !!\n", outfile);
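Review bot: `numcomps` is silently clamped to 4, so an image carrying more components is written with the extra ones dropped and the only hint the user gets is the component count printed later; emit a warning at the clamp, e.g. `fprintf(stderr, "imagetoraw_common: writing only the first 4 of %u components\n", image->numcomps);` before `numcomps = 4;`. The per-component consistency check itself is sound and mirrors the one added to imagetopnm above. The enclosing function continues past the hunk.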
@@ -3101,9 +3148,9 @@
}
fails = 1;
- fprintf(stdout,"Raw image characteristics: %d components\n", image->numcomps);
+ fprintf(stdout,"Raw image characteristics: %d components\n", numcomps);
- for(compno = 0; compno < image->numcomps; compno++)
+ for(compno = 0; compno < numcomps; compno++)
{
fprintf(stdout,"Component %d characteristics: %dx%dx%d %s\n", compno, image->comps[compno].w,
image->comps[compno].h, image->comps[compno].prec, image->comps[compno].sgnd==1 ? "signed": "unsigned");
@@ -3193,7 +3240,7 @@
}
else if (image->comps[compno].prec <= 32)
{
- fprintf(stderr,"More than 16 bits per component no handled yet\n");
+ fprintf(stderr,"More than 16 bits per component not handled yet\n");
goto fin;
}
else
diff -Naur openjpeg2-2.1.0.orig/src/lib/openjp2/j2k.c openjpeg2-2.1.0/src/lib/openjp2/j2k.c
--- openjpeg2-2.1.0.orig/src/lib/openjp2/j2k.c 2017-01-14 17:23:21.000000000 +0100
+++ openjpeg2-2.1.0/src/lib/openjp2/j2k.c 2017-01-14 18:03:38.639775323 +0100
@@ -9444,7 +9444,11 @@
/* Move data and copy one information from codec to output image*/
for (compno = 0; compno < p_image->numcomps; compno++) {
p_image->comps[compno].resno_decoded = p_j2k->m_output_image->comps[compno].resno_decoded;
- p_image->comps[compno].data = p_j2k->m_output_image->comps[compno].data;
+ p_image->comps[compno].data = p_j2k->m_output_image->comps[compno].data;
+
+ if(p_image->comps[compno].data == NULL) return OPJ_FALSE;
+
+ p_j2k->m_output_image->comps[compno].data = NULL;
#if 0
char fn[256];
sprintf( fn, "/tmp/%d.raw", compno );
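Review bot: The new `if(p_image->comps[compno].data == NULL) return OPJ_FALSE;` fires in the middle of the ownership transfer, so on return components 0..compno-1 already own their data in `p_image` while the remaining ones still belong to `m_output_image`, and nothing is reported through the event manager (assuming one is reachable from here). Either validate every component's data pointer in a pre-pass loop before moving any of them, or document the partial state with a comment such as `/* on failure the components already moved stay with p_image; the rest are released with m_output_image */`. The `#if 0` block writing `/tmp/%d.raw` is dead debugging code and could be dropped while this area is being touched. The enclosing function starts before this hunk.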
@@ -9452,7 +9456,6 @@
fwrite( p_image->comps[compno].data, sizeof(OPJ_INT32), p_image->comps[compno].w * p_image->comps[compno].h, debug );
fclose( debug );
#endif
- p_j2k->m_output_image->comps[compno].data = NULL;
}
return OPJ_TRUE;
@@ -9546,6 +9549,8 @@
p_image->comps[compno].data = p_j2k->m_output_image->comps[compno].data;
+ if (p_image->comps[compno].data == NULL) return OPJ_FALSE;
+
p_j2k->m_output_image->comps[compno].data = NULL;
}
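Review bot: Same remark as for the hunk above: the `data == NULL` early return leaves the transfer half done — components before `compno` already moved, later ones still owned by `m_output_image` — and no error is logged. A short comment on the return, `/* partial transfer: earlier components already belong to p_image */`, or a validation pass before the move, would make the contract explicit. The enclosing loop and function start before this hunk.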
......@@ -4,3 +4,6 @@ CVE-2015-6581.patch
CVE-2015-8871.patch
CVE-2016-1924.patch
CVE-2016-7163.patch
CVE-2016-5159.patch
CVE-2016-8332.patch
CVE-2016-9572_CVE-2016-9573.patch