Commit ac9f2622 authored by Mathieu Malaterre

Import Debian changes 2.1.0-2+deb8u3

openjpeg2 (2.1.0-2+deb8u3) jessie-security; urgency=medium

  * CVE-2016-9118: c22cbd8bdf8ff2ae372f94391a4be2d322b36b41.patch
  * CVE-2016-5152: 3fbe71369019df0b47c7a2be4fab8c05768f2f32.patch
  * CVE-2016-1628: 11445eddad7e7fa5b273d1c83c91011c44e5d586.patch
  * CVE-2016-10504: not needed
  * CVE-2017-14039: CVE-2017-14039.patch
  * CVE-2017-14040: 2cd30c2b06ce332dede81cccad8b334cde997281.patch
  * CVE-2017-14041: e5285319229a5d77bf316bb0d3a6cbd3cb8666d9.patch
  * CVE-2017-14151: not needed
  * CVE-2017-14152: dcac91b8c72f743bda7dbfa9032356bc8110098a.patch
  * CVE-2016-5157: CVE-2016-5157.patch
parent aae62fea
openjpeg2 (2.1.0-2+deb8u3) jessie-security; urgency=medium
* CVE-2016-9118: c22cbd8bdf8ff2ae372f94391a4be2d322b36b41.patch
* CVE-2016-5152: 3fbe71369019df0b47c7a2be4fab8c05768f2f32.patch
* CVE-2016-1628: 11445eddad7e7fa5b273d1c83c91011c44e5d586.patch
* CVE-2016-10504: not needed
* CVE-2017-14039: CVE-2017-14039.patch
* CVE-2017-14040: 2cd30c2b06ce332dede81cccad8b334cde997281.patch
* CVE-2017-14041: e5285319229a5d77bf316bb0d3a6cbd3cb8666d9.patch
* CVE-2017-14151: not needed
* CVE-2017-14152: dcac91b8c72f743bda7dbfa9032356bc8110098a.patch
* CVE-2016-5157: CVE-2016-5157.patch
-- Mathieu Malaterre <malat@debian.org> Mon, 23 Oct 2017 20:43:14 +0200
openjpeg2 (2.1.0-2+deb8u2) jessie-security; urgency=medium
* CVE-2016-5159 CVE-2016-8332 CVE-2016-9572 CVE-2016-9573
......
.\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.4.
.TH OPJ_JP3D_COMPRESS "1" "October 2017" "opj_jp3d_compress 2.1.0" "User Commands"
.SH NAME
opj_jp3d_compress \- Works with JPEG2000 files
.SH DESCRIPTION
List of parameters for the JPEG2000 Part 10 encoder:
\fB\-\-\-\-\-\-\-\-\-\-\-\-\fR
.PP
Required Parameters (except with \fB\-h\fR):
.PP
\fB\-i\fR : source file (\fB\-i\fR source.bin or source*.pgx)
.PP
\fB\-m\fR : source characteristics file (\fB\-m\fR imgfile.img)
.PP
\fB\-o\fR : destination file (\fB\-o\fR dest.jp3d)
.PP
Optional Parameters:
.PP
\fB\-h\fR : display the help information
.PP
\fB\-n\fR : number of resolutions (\fB\-n\fR 3,3,3)
.PP
\fB\-I\fR : use the irreversible transforms: ICT + DWT 9\-7 (\fB\-I\fR)
.PP
\fB\-C\fR : coding algorithm (\fB\-C\fR 2EB) [2EB, 3EB]
.PP
\fB\-r\fR : different compression ratios for successive layers (\fB\-r\fR 20,10,5)
.IP
\- The rate specified for each quality level is the desired compression factor.
\- Rate 1 means lossless compression
.IP
(options \fB\-r\fR and \fB\-q\fR cannot be used together)
.PP
\fB\-q\fR : different psnr for successive layers (\fB\-q\fR 30,40,50)
.IP
(options \fB\-r\fR and \fB\-q\fR cannot be used together)
.PP
\fB\-b\fR : size of code block (\fB\-b\fR 32,32,32)
.PP
\fB\-c\fR : size of precinct (\fB\-c\fR 128,128,128)
.PP
\fB\-t\fR : size of tile (\fB\-t\fR 512,512,512)
.PP
\fB\-p\fR : progression order (\fB\-p\fR LRCP) [LRCP, RLCP, RPCL, PCRL, CPRL]
.PP
\fB\-s\fR : subsampling factor (\fB\-s\fR 2,2,2) [\-s X,Y,Z]
.IP
\- Remark: subsampling bigger than 2 can produce error
.PP
\fB\-SOP\fR : write SOP marker before each packet
.PP
\fB\-EPH\fR : write EPH marker after each header packet
.PP
\fB\-M\fR : code\-block style (\fB\-M\fR 0) [1=BYPASS(LAZY) 2=RESET 4=RESTART(TERMALL)
.IP
8=VSC 16=PTERM 32=SEGSYM 64=3DCTXT]
Indicate multiple modes by adding their values.
ex: RESTART(4) + RESET(2) + SEGMARK(32) = \fB\-M\fR 38
.PP
\fB\-D\fR : define DC offset (\fB\-D\fR 12)
.PP
\fB\-x\fR : create an index file *.Idx (\fB\-x\fR index_name.Idx)
.PP
\fB\-ROI\fR : c=%d,U=%d : quantization indices upshifted
.IP
for component c=%d [%d = 0,1,2]
with a value of U=%d [0 <= %d <= 37] (i.e. \fB\-ROI\fR:c=0,U=25)
.PP
\fB\-d\fR : offset of the origin of the volume (\fB\-d\fR 150,300,100)
.PP
\fB\-l\fR : offset of the origin of the tiles (\fB\-l\fR 100,75,25)
.PP
DEFAULT CODING:
\fB\-\-\-\-\-\-\-\-\-\-\-\-\fR
.IP
* Lossless
* 1 tile
* Size of precinct : 2^15 x 2^15 x 2^15 (means 1 precinct)
* Size of code\-block : 64 x 64 x 64
* Number of resolutions in x, y and z axis: 3
* No SOP marker in the codestream
* No EPH marker in the codestream
* No sub\-sampling in x, y or z direction
* No mode switch activated
* Progression order: LRCP
* No index file
* No ROI upshifted
* No offset of the origin of the volume
* No offset of the origin of the tiles
* Reversible DWT 5\-3 on each 2D slice
* Coding algorithm: 2D\-EBCOT
.PP
REMARKS:
\fB\-\-\-\-\-\-\-\-\-\fR
.PP
\- The markers written to the main_header are : SOC SIZ COD QCD COM.
\- COD and QCD markers will never appear in the tile_header.
.PP
\- You need enough disk space memory (twice the original) to encode
the volume,i.e. for a 1.5 GB volume you need a minimum of 3GB of disk memory)
.PP
\- When loading *.pgx files, a relative path to directory is needed for input argument
.IP
followed by the common prefix of the slices and a '*' character representing sequential numeration.
.PP
( \fB\-i\fR relativepath/slices*.pgx )
.IP
\- The index file has the structure below:
.IP
Image_height Image_width Image_depth
Progression order: 0 (LRCP)
Tiles_size_X Tiles_size_Y Tiles_size_Z
Components_nb
Layers_nb
Decomposition_levels
[Precincts_size_X_res_Nr Precincts_size_Y_res_Nr Precincts_size_Z_res_Nr]
.IP
\&...
.IP
[Precincts_size_X_res_0 Precincts_size_Y_res_0 Precincts_size_Z_res_0]
Main_header_end_position
Codestream_size
Tile_0 [start_pos end_header end_pos TotalDisto NumPix MaxMSE]
\&...
Tile_Nt [ '' '' '' '' '' '' ]
.IP
Tpacket_0 [Tile layer res. comp. prec. start_pos end_pos disto]
\&...
Tpacket_Np ['' '' '' '' '' '' '' '' ]
MaxDisto
TotalDisto
.SH AUTHOR
This manual page was written by Mathieu Malaterre <malat@debian.org> for
the Debian GNU/Linux system, but may be used by others.
.\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.4.
.TH OPJ_JP3D_DECOMPRESS "1" "October 2017" "opj_jp3d_decompress 2.1.0" "User Commands"
.SH NAME
opj_jp3d_decompress \- Works with JPEG2000 files
.SH DESCRIPTION
HELP
\fB\-\-\-\-\fR
.PP
\- the \fB\-h\fR option displays this help information on screen
.PP
List of parameters for the JPEG 2000 encoder:
.IP
Required arguments
\fB\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\fR
.HP
\fB\-i\fR <compressed file> ( *.jp3d, *.j3d )
.IP
Currently accepts J3D\-files. The file type is identified based on its suffix.
.HP
\fB\-o\fR <decompressed file> ( *.pgx, *.bin )
.IP
Currently accepts PGX\-files and BIN\-files. Binary data is written to the file (not ascii).
If a PGX filename is given, there will be as many output files as slices;
an indice starting from 0 will then be appended to the output filename,
just before the "pgx" extension.
.HP
\fB\-m\fR <characteristics file> ( *.img )
.IP
Required only for BIN\-files. Ascii data of volume characteristics is written.
.IP
Optional
\fB\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\fR
.HP
\fB\-h\fR
.IP
Display the help information
.HP
\fB\-r\fR <RFx,RFy,RFz>
.IP
Set the number of highest resolution levels to be discarded on each dimension.
The volume resolution is effectively divided by 2 to the power of the
number of discarded levels. The reduce factor is limited by the
smallest total number of decomposition levels among tiles.
.HP
\fB\-l\fR <number of quality layers to decode>
.IP
Set the maximum number of quality layers to decode. If there are
less quality layers than the specified number, all the quality layers
are decoded.
.HP
\fB\-O\fR original\-file
.IP
This option offers the possibility to compute some quality results
for the decompressed volume, like the PSNR value achieved or the global SSIM value.
Needs the original file in order to compare with the new one.
NOTE: Only valid when \fB\-r\fR option is 0,0,0 (both original and decompressed volumes have same resolutions)
NOTE: If original file is .BIN file, the volume characteristics file shall be defined with the \fB\-m\fR option.
(i.e. \fB\-O\fR original\-BIN\-file \fB\-m\fR original\-IMG\-file)
.HP
\fB\-BE\fR
.IP
Define that the recovered volume data will be saved with big endian byte order.
By default, little endian byte order is used.
.SH AUTHOR
This manual page was written by Mathieu Malaterre <malat@debian.org> for
the Debian GNU/Linux system, but may be used by others.
.\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.4.
.TH OPJ_JPIP_ADDXML "1" "October 2017" "opj_jpip_addxml 2.1.0" "User Commands"
.SH NAME
opj_jpip_addxml \- Works with JPEG2000 files
.SH DESCRIPTION
USAGE: opj_jpip_addxml modifing.jp2 adding.xml
.SH AUTHOR
This manual page was written by Mathieu Malaterre <malat@debian.org> for
the Debian GNU/Linux system, but may be used by others.
.\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.4.
.TH OPJ_JPIP_TEST "1" "October 2017" "opj_jpip_test 2.1.0" "User Commands"
.SH NAME
opj_jpip_test \- Works with JPEG2000 files
.SH DESCRIPTION
Error: Target \fB\-h\fR not found
.SH AUTHOR
This manual page was written by Mathieu Malaterre <malat@debian.org> for
the Debian GNU/Linux system, but may be used by others.
.\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.4.
.TH OPJ_JPIP_TRANSCODE "1" "October 2017" "opj_jpip_transcode 2.1.0" "User Commands"
.SH NAME
opj_jpip_transcode \- Works with JPEG2000 files
.SH DESCRIPTION
.SS "Too few arguments:"
.TP
\- input
jpt or jpp file
.IP
\- output j2k file
.SH AUTHOR
This manual page was written by Mathieu Malaterre <malat@debian.org> for
the Debian GNU/Linux system, but may be used by others.
From 11445eddad7e7fa5b273d1c83c91011c44e5d586 Mon Sep 17 00:00:00 2001
From: Even Rouault <even.rouault@spatialys.com>
Date: Sat, 29 Jul 2017 19:03:13 +0200
Subject: [PATCH] opj_pi_update_decode_poc(): limit layno1 to the number of
layers (CVE-2016-1626 and CVE-2016-1628, #850)
This has been recently fixed in a less elegant way per
80818c39f5bfbac37768fcee95b0ffeceaa77264
---
src/lib/openjp2/pi.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/src/lib/openjp2/pi.c
+++ b/src/lib/openjp2/pi.c
@@ -1019,7 +1019,8 @@
l_current_pi->poc.precno0 = 0;
l_current_pi->poc.resno1 = l_current_poc->resno1; /* Resolution Level Index #0 (End) */
l_current_pi->poc.compno1 = l_current_poc->compno1; /* Component Index #0 (End) */
- l_current_pi->poc.layno1 = l_current_poc->layno1; /* Layer Index #0 (End) */
+ l_current_pi->poc.layno1 = opj_uint_min(l_current_poc->layno1,
+ p_tcp->numlayers); /* Layer Index #0 (End) */
l_current_pi->poc.precno1 = p_max_precision;
++l_current_pi;
++l_current_poc;
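Review bot: only layno1 receives the opj_uint_min clamp in this hunk, while resno1 and compno1 on the two lines above it are still copied straight from l_current_poc without a bound. If the POC marker values are not range-checked when the marker is parsed, the same clamp against the corresponding limits belongs here too; otherwise a comment pointing at where those indices are validated would save the next reader from re-asking the question.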
From 2cd30c2b06ce332dede81cccad8b334cde997281 Mon Sep 17 00:00:00 2001
From: Even Rouault <even.rouault@spatialys.com>
Date: Thu, 17 Aug 2017 11:47:40 +0200
Subject: [PATCH] tgatoimage(): avoid excessive memory allocation attempt, and
fixes unaligned load (#995)
---
src/bin/jp2/convert.c | 39 +++++++++++++++++++++++++++------------
1 file changed, 27 insertions(+), 12 deletions(-)
--- a/src/bin/jp2/convert.c
+++ b/src/bin/jp2/convert.c
@@ -99,14 +99,10 @@
};
#endif /* INFORMATION_ONLY */
-static unsigned short get_ushort(unsigned short val) {
-
-#ifdef OPJ_BIG_ENDIAN
- return( ((val & 0xff) << 8) + (val >> 8) );
-#else
- return( val );
-#endif
-
+/* Returns a ushort from a little-endian serialized value */
+static unsigned short get_tga_ushort(const unsigned char *data)
+{
+ return data[0] | (data[1] << 8);
}
#define TGA_HEADER_SIZE 18
@@ -133,17 +129,17 @@
id_len = (unsigned char)tga[0];
/*cmap_type = (unsigned char)tga[1];*/
image_type = (unsigned char)tga[2];
- /*cmap_index = get_ushort(*(unsigned short*)(&tga[3]));*/
- cmap_len = get_ushort(*(unsigned short*)(&tga[5]));
+ /*cmap_index = get_tga_ushort(*(unsigned short*)(&tga[3]));*/
+ cmap_len = get_tga_ushort(*(unsigned short*)(&tga[5]));
cmap_entry_size = (unsigned char)tga[7];
#if 0
- x_origin = get_ushort(*(unsigned short*)(&tga[8]));
- y_origin = get_ushort(*(unsigned short*)(&tga[10]));
+ x_origin = get_tga_ushort(*(unsigned short*)(&tga[8]));
+ y_origin = get_tga_ushort(*(unsigned short*)(&tga[10]));
#endif
- image_w = get_ushort(*(unsigned short*)(&tga[12]));
- image_h = get_ushort(*(unsigned short*)(&tga[14]));
+ image_w = get_tga_ushort(*(unsigned short*)(&tga[12]));
+ image_h = get_tga_ushort(*(unsigned short*)(&tga[14]));
pixel_depth = (unsigned char)tga[16];
image_desc = (unsigned char)tga[17];
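Review bot: the call sites in this hunk still evaluate `*(unsigned short*)(&tga[5])` and hand the resulting integer to get_tga_ushort, whose parameter is `const unsigned char *`. That is an integer-to-pointer mismatch (an error or at best a warning in C) and it keeps exactly the unaligned 16-bit load the subject line says this change removes. Each call should pass the byte address instead, e.g. `cmap_len = get_tga_ushort(&tga[5]);`, `image_w = get_tga_ushort(&tga[12]);`, `image_h = get_tga_ushort(&tga[14]);`, and the commented-out and `#if 0` lines should be changed the same way so they do not mislead later.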
@@ -302,6 +298,24 @@
color_space = OPJ_CLRSPC_SRGB;
}
+ /* If the declared file size is > 10 MB, check that the file is big */
+ /* enough to avoid excessive memory allocations */
+ if (image_height != 0 && image_width > 10000000 / image_height / numcomps) {
+ char ch;
+ OPJ_UINT64 expected_file_size =
+ (OPJ_UINT64)image_width * image_height * numcomps;
+ long curpos = ftell(f);
+ if (expected_file_size > (OPJ_UINT64)INT_MAX) {
+ expected_file_size = (OPJ_UINT64)INT_MAX;
+ }
+ fseek(f, (long)expected_file_size - 1, SEEK_SET);
+ if (fread(&ch, 1, 1, f) != 1) {
+ fclose(f);
+ return NULL;
+ }
+ fseek(f, curpos, SEEK_SET);
+ }
+
subsampling_dx = parameters->subsampling_dx;
subsampling_dy = parameters->subsampling_dy;
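Review bot: the return values of ftell() and both fseek() calls are unchecked; if ftell() fails, curpos is -1 and the final `fseek(f, curpos, SEEK_SET)` silently leaves the stream position wrong before the pixel data is read. The comment should also state that expected_file_size is deliberately a lower bound (it ignores bytes per pixel and the header/id field), so the probe can only reject files that are clearly too short, which is all it needs to do here.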
From 397f62c0a838e15d667ef50e27d5d011d2c79c04 Mon Sep 17 00:00:00 2001
From: Even Rouault <even.rouault@spatialys.com>
Date: Sat, 29 Jul 2017 19:13:49 +0200
Subject: [PATCH] Fix write heap buffer overflow in opj_mqc_byteout().
Discovered by Ke Liu of Tencent's Xuanwu LAB (#835)
---
src/lib/openjp2/tcd.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
--- a/src/lib/openjp2/tcd.c
+++ b/src/lib/openjp2/tcd.c
@@ -1088,7 +1088,9 @@
{
OPJ_UINT32 l_data_size;
- l_data_size = (OPJ_UINT32)((p_code_block->x1 - p_code_block->x0) * (p_code_block->y1 - p_code_block->y0) * (OPJ_INT32)sizeof(OPJ_UINT32));
+ /* The +1 is needed for https://github.com/uclouvain/openjpeg/issues/835 */
+ l_data_size = 1 + (OPJ_UINT32)((p_code_block->x1 - p_code_block->x0) *
+ (p_code_block->y1 - p_code_block->y0) * (OPJ_INT32)sizeof(OPJ_UINT32));
if (l_data_size > p_code_block->data_size) {
if (p_code_block->data) {
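Review bot: the +1 is justified only by a link to issue 835; a one-line comment on why the MQ coder can emit one byte beyond the nominal code-block size would help whoever reads this next, especially since afb308b9 later in this same upload raises the slack to +2 and leaves a TODO admitting no theoretical bound is known.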
From 3fbe71369019df0b47c7a2be4fab8c05768f2f32 Mon Sep 17 00:00:00 2001
From: Even Rouault <even.rouault@spatialys.com>
Date: Sat, 29 Jul 2017 18:38:16 +0200
Subject: [PATCH] opj_tcd_get_decoded_tile_size(): fix potential UINT32
overflow (#854, CVE-2016-5152)
Fix derived from https://pdfium.googlesource.com/pdfium.git/+/d8cc503575463ff3d81b22dad292665f2c88911e/third_party/libopenjpeg20/0018-tcd_get_decoded_tile_size.patch
---
src/lib/openjp2/j2k.c | 3 +++
src/lib/openjp2/tcd.c | 16 +++++++++++++---
2 files changed, 16 insertions(+), 3 deletions(-)
--- a/src/lib/openjp2/j2k.c
+++ b/src/lib/openjp2/j2k.c
@@ -41,6 +41,7 @@
*/
#include "opj_includes.h"
+#include <limits.h> /* UINT_MAX */
/** @defgroup J2K J2K - JPEG-2000 codestream reader/writer */
/*@{*/
@@ -8097,6 +8098,9 @@
*p_tile_index = p_j2k->m_current_tile_number;
*p_go_on = OPJ_TRUE;
*p_data_size = opj_tcd_get_decoded_tile_size(p_j2k->m_tcd);
+ if (*p_data_size == UINT_MAX) {
+ return OPJ_FALSE;
+ }
*p_tile_x0 = p_j2k->m_tcd->tcd_image->tiles->x0;
*p_tile_y0 = p_j2k->m_tcd->tcd_image->tiles->y0;
*p_tile_x1 = p_j2k->m_tcd->tcd_image->tiles->x1;
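Review bot: the new early return on `*p_data_size == UINT_MAX` reports nothing; the SOD and SOT checks elsewhere in this upload call opj_event_msg(p_manager, EVT_ERROR, ...) before returning OPJ_FALSE, and doing the same here (assuming the event manager is in scope in this function as it is there) would make a rejected tile size diagnosable instead of looking like a generic decode failure. Note also that *p_tile_index and *p_go_on have already been written by the time the function bails out, which callers must tolerate.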
--- a/src/lib/openjp2/tcd.c
+++ b/src/lib/openjp2/tcd.c
@@ -39,6 +39,7 @@
*/
#include "opj_includes.h"
+#include <limits.h> /* UINT_MAX */
/* ----------------------------------------------------------------------- */
@@ -1154,6 +1155,7 @@
opj_tcd_tilecomp_t * l_tile_comp = 00;
opj_tcd_resolution_t * l_res = 00;
OPJ_UINT32 l_size_comp, l_remaining;
+ OPJ_UINT32 l_temp;
l_tile_comp = p_tcd->tcd_image->tiles->comps;
l_img_comp = p_tcd->image->comps;
@@ -1171,7 +1173,17 @@
}
l_res = l_tile_comp->resolutions + l_tile_comp->minimum_num_resolutions - 1;
- l_data_size += l_size_comp * (OPJ_UINT32)((l_res->x1 - l_res->x0) * (l_res->y1 - l_res->y0));
+ l_temp = (OPJ_UINT32)((l_res->x1 - l_res->x0) * (l_res->y1 -
+ l_res->y0)); /* x1*y1 can't overflow */
+ if (l_size_comp && UINT_MAX / l_size_comp < l_temp) {
+ return UINT_MAX;
+ }
+ l_temp *= l_size_comp;
+
+ if (l_temp > UINT_MAX - l_data_size) {
+ return UINT_MAX;
+ }
+ l_data_size += l_temp;
++l_img_comp;
++l_tile_comp;
}
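Review bot: the comment on the l_temp line says x1*y1 can't overflow, but what is actually computed is (x1 - x0) * (y1 - y0) in OPJ_INT32 before the cast; if that product is guaranteed to fit, the comment should say why (for example the size limits enforced when SIZ is parsed), otherwise the cast can still wrap before the guarded multiplication by l_size_comp. Using UINT_MAX as an in-band error value is acceptable since a tile of that size could never be allocated, but the sentinel convention should be documented on the function so every caller tests for it the way the hunk at the end of this patch does.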
@@ -1366,7 +1378,7 @@
OPJ_UINT32 l_stride, l_width,l_height;
l_data_size = opj_tcd_get_decoded_tile_size(p_tcd);
- if (l_data_size > p_dest_length) {
+ if (l_data_size == UINT_MAX || l_data_size > p_dest_length) {
return OPJ_FALSE;
}
Description: <short summary of the patch>
TODO: Put a short summary on the line above and replace this paragraph
with a longer explanation of this change. Complete the meta-information
with other relevant fields (see below for details). To make it easier, the
information below has been extracted from the changelog. Adjust it or drop
it.
.
openjpeg2 (2.1.0-2+deb8u3) jessie-security; urgency=medium
.
* CVE-2016-9118: c22cbd8bdf8ff2ae372f94391a4be2d322b36b41.patch
* CVE-2016-5152: 3fbe71369019df0b47c7a2be4fab8c05768f2f32.patch
* CVE-2016-1628: 11445eddad7e7fa5b273d1c83c91011c44e5d586.patch
* CVE-2016-10504: not needed
* CVE-2017-14039: CVE-2017-14039.patch
* CVE-2017-14040: 2cd30c2b06ce332dede81cccad8b334cde997281.patch
* CVE-2017-14041: e5285319229a5d77bf316bb0d3a6cbd3cb8666d9.patch
* CVE-2017-14151: not needed
* CVE-2017-14152: dcac91b8c72f743bda7dbfa9032356bc8110098a.patch
Author: Mathieu Malaterre <malat@debian.org>
---
The information above should follow the Patch Tagging Guidelines, please
checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here
are templates for supplementary fields that you might want to add:
Origin: <vendor|upstream|other>, <url of original patch>
Bug: <url in upstream bugtracker>
Bug-Debian: https://bugs.debian.org/<bugnumber>
Bug-Ubuntu: https://launchpad.net/bugs/<bugnumber>
Forwarded: <no|not-needed|url proving that it has been forwarded>
Reviewed-By: <name and email of someone who approved the patch>
Last-Update: 2017-10-23
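Review bot: this DEP3 header is still the unedited template: Description is the placeholder `<short summary of the patch>`, the TODO paragraph and the pasted changelog remain, and no Origin, Bug or Bug-Debian field says which upstream commit the tcd.c hunk below is derived from. Replace the placeholder with a one-line summary, drop the template text and add at least Origin and Bug-Debian so the change can be traced.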
--- openjpeg2-2.1.0.orig/src/lib/openjp2/tcd.c
+++ openjpeg2-2.1.0/src/lib/openjp2/tcd.c
@@ -668,8 +668,10 @@ OPJ_BOOL FUNCTION ( opj_tcd_t *p_tcd
/* 4 borders of the tile rescale on the image if necessary */ \
l_tile->x0 = opj_int_max((OPJ_INT32)(l_cp->tx0 + p * l_cp->tdx), (OPJ_INT32)l_image->x0); \
l_tile->y0 = opj_int_max((OPJ_INT32)(l_cp->ty0 + q * l_cp->tdy), (OPJ_INT32)l_image->y0); \
+if (l_tile->x0 < 0 || l_tile->x1 < 0) return OPJ_FALSE; \
l_tile->x1 = opj_int_min((OPJ_INT32)(l_cp->tx0 + (p + 1) * l_cp->tdx), (OPJ_INT32)l_image->x1); \
l_tile->y1 = opj_int_min((OPJ_INT32)(l_cp->ty0 + (q + 1) * l_cp->tdy), (OPJ_INT32)l_image->y1); \
+if (l_tile->y0 < 0 || l_tile->y1 < 0) return OPJ_FALSE; \
/* testcase 1888.pdf.asan.35.988 */ \
if (l_tccp->numresolutions == 0) { \
fprintf(stderr, "tiles require at least one resolution\n"); \
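Review bot: the check added at `+if (l_tile->x0 < 0 || l_tile->x1 < 0) return OPJ_FALSE; \` runs before `l_tile->x1` is assigned on the very next line, so it tests a stale x1 (whatever the struct held from a previous iteration) and the freshly computed x1 is never validated. Move the x check below the `l_tile->x1 = opj_int_min(...)` line, mirroring the y check, which is correctly placed after y1 is assigned. Since this sits inside a macro body continued with `\`, returning OPJ_FALSE is only correct if every expansion site of FUNCTION returns OPJ_BOOL, which is worth confirming.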
Description: Mix of
4241ae6fbbf1de9658764a80944dc8108f2b4154
and
c535531f03369623b9b833ef41952c62257b507e (partial)
Author: Mathieu Malaterre <malat@debian.org>
--- a/src/lib/openjp2/j2k.c
+++ b/src/lib/openjp2/j2k.c
@@ -4309,6 +4309,12 @@
assert(p_manager != 00);
assert(p_stream != 00);
+ if (p_total_data_size < 4) {
+ opj_event_msg(p_manager, EVT_ERROR,
+ "Not enough bytes in output buffer to write SOD marker\n");
+ return OPJ_FALSE;
+ }
+
opj_write_bytes(p_data,J2K_MS_SOD,2); /* SOD */
p_data += 2;
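Review bot: the minimum of 4 bytes is not explained; the SOD marker written immediately afterwards is only 2 bytes, so a short comment saying what the remaining 2 bytes are reserved for (or why 4 is the correct floor at this point) would keep someone from later "tightening" the check to 2.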
@@ -6091,10 +6097,16 @@
/* Precincts */
parameters->csty |= 0x01;
- parameters->res_spec = parameters->numresolution-1;
- for (i = 0; i<parameters->res_spec; i++) {
- parameters->prcw_init[i] = 256;
- parameters->prch_init[i] = 256;
+ if (parameters->numresolution == 1) {
+ parameters->res_spec = 1;
+ parameters->prcw_init[0] = 128;
+ parameters->prch_init[0] = 128;
+ } else {
+ parameters->res_spec = parameters->numresolution - 1;
+ for (i = 0; i < parameters->res_spec; i++) {
+ parameters->prcw_init[i] = 256;
+ parameters->prch_init[i] = 256;
+ }
}
/* The progression order shall be CPRL */
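Review bot: this hunk is unrelated to the SOD buffer check above (it comes from the second, partial upstream commit named in Description) and nothing explains what the numresolution == 1 special case fixes; with numresolution == 1 the old code set res_spec to 0 and the loop never ran, so prcw_init/prch_init were left unset. A comment stating the observed consequence, plus a DEP3 Origin/Bug line per upstream commit (or two separate patch files), would make this backport reviewable.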
From afb308b9ccbe129608c9205cf3bb39bbefad90b9 Mon Sep 17 00:00:00 2001
From: Even Rouault <even.rouault@spatialys.com>
Date: Mon, 14 Aug 2017 17:20:37 +0200
Subject: [PATCH] Encoder: grow buffer size in
opj_tcd_code_block_enc_allocate_data() to avoid write heap buffer overflow in
opj_mqc_flush (#982)
---
src/lib/openjp2/tcd.c | 7 +++++--
tests/nonregression/test_suite.ctest.in | 2 ++
2 files changed, 7 insertions(+), 2 deletions(-)
--- a/src/lib/openjp2/tcd.c
+++ b/src/lib/openjp2/tcd.c
@@ -1089,8 +1089,11 @@
{
OPJ_UINT32 l_data_size;
- /* The +1 is needed for https://github.com/uclouvain/openjpeg/issues/835 */
- l_data_size = 1 + (OPJ_UINT32)((p_code_block->x1 - p_code_block->x0) *
+ /* +1 is needed for https://github.com/uclouvain/openjpeg/issues/835 */
+ /* and actually +2 required for https://github.com/uclouvain/openjpeg/issues/982 */
+ /* TODO: is there a theoretical upper-bound for the compressed code */
+ /* block size ? */
+ l_data_size = 2 + (OPJ_UINT32)((p_code_block->x1 - p_code_block->x0) *
(p_code_block->y1 - p_code_block->y0) * (OPJ_INT32)sizeof(OPJ_UINT32));
if (l_data_size > p_code_block->data_size) {
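Review bot: the diffstat lists tests/nonregression/test_suite.ctest.in with 2 insertions, but only the tcd.c hunk is carried in this backport, so the regression input for #982 is not exercised by the Debian build; either include those test lines or note in the patch header that they were intentionally dropped. The TODO left in the comment also means +2 is an empirical margin rather than a bound, which the header should say.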
From c22cbd8bdf8ff2ae372f94391a4be2d322b36b41 Mon Sep 17 00:00:00 2001
From: Even Rouault <even.rouault@spatialys.com>
Date: Sun, 30 Jul 2017 18:43:25 +0200
Subject: [PATCH] Avoid heap buffer overflow in function pnmtoimage of
convert.c, and unsigned integer overflow in opj_image_create()
(CVE-2016-9118, #861)
---
src/bin/jp2/convert.c | 10 ++++++++++
src/lib/openjp2/image.c | 8 +++++++-
2 files changed, 17 insertions(+), 1 deletion(-)
--- a/src/bin/jp2/convert.c
+++ b/src/bin/jp2/convert.c
@@ -41,6 +41,7 @@
#include <stdlib.h>
#include <string.h>
#include <ctype.h>
+#include <limits.h>
#ifdef OPJ_HAVE_LIBTIFF
#include <tiffio.h>
@@ -1782,6 +1783,15 @@
if(!header_info.ok) { fclose(fp); return NULL; }
+ /* This limitation could be removed by making sure to use size_t below */
+ if (header_info.height != 0 &&
+ header_info.width > INT_MAX / header_info.height) {
+ fprintf(stderr, "pnmtoimage:Image %dx%d too big!\n",
+ header_info.width, header_info.height);
+ fclose(fp);
+ return NULL;
+ }
+
format = header_info.format;
switch(format)
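Review bot: the guard bounds width * height by INT_MAX, but the comment only says the limit "could be removed by using size_t below"; the allocation it protects is outside the hunk, so a reviewer cannot see whether the number of components is also multiplied in (which would need a proportionally smaller limit). Add that context line, or state in the comment which expression the INT_MAX bound is sized for.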
--- a/src/lib/openjp2/image.c
+++ b/src/lib/openjp2/image.c
@@ -63,7 +63,13 @@
comp->prec = cmptparms[compno].prec;
comp->bpp = cmptparms[compno].bpp;
comp->sgnd = cmptparms[compno].sgnd;
- comp->data = (OPJ_INT32*) opj_calloc(comp->w * comp->h, sizeof(OPJ_INT32));
+ if (comp->h != 0 && (OPJ_SIZE_T)comp->w > SIZE_MAX / comp->h) {
+ // TODO event manager
+ opj_image_destroy(image);
+ return NULL;
+ }
+ comp->data = (OPJ_INT32*) opj_calloc((OPJ_SIZE_T)comp->w * comp->h,
+ sizeof(OPJ_INT32));
if(!comp->data) {
fprintf(stderr,"Unable to allocate memory for image.\n");
opj_image_destroy(image);
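Review bot: `// TODO event manager` is a C99/C++ line comment in a file that otherwise uses /* */ (see the surrounding lines); keep the block-comment style for consistency. SIZE_MAX needs <stdint.h> (or the project's own stdint wrapper), which this hunk does not add, so confirm image.c already picks it up through its includes. The new error path also returns NULL silently after opj_image_destroy, whereas the existing `!comp->data` branch prints a message; the two failure paths should behave the same.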
From dcac91b8c72f743bda7dbfa9032356bc8110098a Mon Sep 17 00:00:00 2001
From: Even Rouault <even.rouault@spatialys.com>
Date: Wed, 16 Aug 2017 17:09:10 +0200
Subject: [PATCH] opj_j2k_write_sot(): fix potential write heap buffer overflow
(#991)
---
src/lib/openjp2/j2k.c | 25 ++++++++++++++++++++-----
1 file changed, 20 insertions(+), 5 deletions(-)
--- a/src/lib/openjp2/j2k.c
+++ b/src/lib/openjp2/j2k.c
@@ -766,6 +766,7 @@
*/
static OPJ_BOOL opj_j2k_write_sot( opj_j2k_t *p_j2k,
OPJ_BYTE * p_data,
+ OPJ_UINT32 p_total_data_size,
OPJ_UINT32 * p_data_written,
const opj_stream_private_t *p_stream,
opj_event_mgr_t * p_manager );
@@ -3902,6 +3903,7 @@
OPJ_BOOL opj_j2k_write_sot( opj_j2k_t *p_j2k,
OPJ_BYTE * p_data,
+ OPJ_UINT32 p_total_data_size,
OPJ_UINT32 * p_data_written,
const opj_stream_private_t *p_stream,
opj_event_mgr_t * p_manager
@@ -3912,6 +3914,12 @@
assert(p_manager != 00);
assert(p_stream != 00);
+ if (p_total_data_size < 12) {
+ opj_event_msg(p_manager, EVT_ERROR,
+ "Not enough bytes in output buffer to write SOT marker\n");
+ return OPJ_FALSE;
+ }
+
opj_write_bytes(p_data,J2K_MS_SOT,2); /* SOT */
p_data += 2;
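Review bot: 12 is the fixed length of an SOT marker segment (SOT 2 + Lsot 2 + Isot 2 + Psot 4 + TPsot 1 + TNsot 1); say so in a comment next to the constant so it is not mistaken for an arbitrary safety margin.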
@@ -9995,8 +10003,9 @@
l_current_nb_bytes_written = 0;
l_begin_data = p_data;
- if (! opj_j2k_write_sot(p_j2k,p_data,&l_current_nb_bytes_written,p_stream,p_manager))
- {
+ if (! opj_j2k_write_sot(p_j2k, p_data, p_total_data_size,
+ &l_current_nb_bytes_written, p_stream,
+ p_manager)) {
return OPJ_FALSE;
}
@@ -10083,7 +10092,11 @@
l_part_tile_size = 0;
l_begin_data = p_data;
- if (! opj_j2k_write_sot(p_j2k,p_data,&l_current_nb_bytes_written,p_stream,p_manager)) {
+ if (! opj_j2k_write_sot(p_j2k, p_data,
+ p_total_data_size,
+ &l_current_nb_bytes_written,
+ p_stream,
+ p_manager)) {
return OPJ_FALSE;
}
@@ -10123,7 +10136,10 @@
l_part_tile_size = 0;
l_begin_data = p_data;
- if (! opj_j2k_write_sot(p_j2k,p_data,&l_current_nb_bytes_written,p_stream,p_manager)) {
+ if (! opj_j2k_write_sot(p_j2k, p_data,
+ p_total_data_size,
+ &l_current_nb_bytes_written, p_stream,
+ p_manager)) {
return OPJ_FALSE;
}
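Review bot: all three call sites pass p_total_data_size unchanged, yet the second and third sit inside loops where p_data has advanced (l_begin_data = p_data is re-taken each iteration). If p_total_data_size is the size of the whole output buffer rather than the bytes remaining at p_data, the `< 12` check in opj_j2k_write_sot still passes when fewer than 12 bytes are actually left. Confirm that p_total_data_size is decremented as the buffer is consumed, or pass the remaining count at each call instead.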
From e5285319229a5d77bf316bb0d3a6cbd3cb8666d9 Mon Sep 17 00:00:00 2001
From: Even Rouault <even.rouault@spatialys.com>
Date: Fri, 18 Aug 2017 13:39:20 +0200
Subject: [PATCH] pgxtoimage(): fix write stack buffer overflow (#997)
---
src/bin/jp2/convert.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/src/bin/jp2/convert.c
+++ b/src/bin/jp2/convert.c
@@ -1335,7 +1335,8 @@
}
fseek(f, 0, SEEK_SET);
- if( fscanf(f, "PG%[ \t]%c%c%[ \t+-]%d%[ \t]%d%[ \t]%d",temp,&endian1,&endian2,signtmp,&prec,temp,&w,temp,&h) != 9){
+ if (fscanf(f, "PG%31[ \t]%c%c%31[ \t+-]%d%31[ \t]%d%31[ \t]%d", temp, &endian1,
+ &endian2, signtmp, &prec, temp, &w, temp, &h) != 9) {
fprintf(stderr, "ERROR: Failed to read the right number of element from the fscanf() function!\n");
return NULL;
}
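Review bot: the `%31[...]` widths assume temp and signtmp are at least 32 bytes, but their declarations are outside the hunk; include them as context or add a comment tying the scan width to the buffer size so the two do not drift apart. The diffstat says 1 insertion and 1 deletion, while the hunk header is `@@ -1335,7 +1335,8 @@` with two added lines, so the stat was not regenerated after the call was reflowed.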
......@@ -7,3 +7,13 @@ CVE-2016-7163.patch
CVE-2016-5159.patch