openjpeg2: add patches to fix several security vulnerabilities
CVE-2017-17480 CVE-2018-5785 CVE-2018-6616 CVE-2018-14423 CVE-2018-18088
This commit is contained in:
parent
33fb03813f
commit
e75e2d45d6
|
@ -0,0 +1,42 @@
|
|||
From 0bc90e4062a5f9258c91eca018c019b179066c62 Mon Sep 17 00:00:00 2001
|
||||
From: Hugo Lefeuvre <hle@debian.org>
|
||||
Date: Mon, 22 Oct 2018 16:59:41 +0200
|
||||
Subject: [PATCH] jp3d/jpwl convert: fix write stack buffer overflow
|
||||
|
||||
Missing buffer length formatter in fscanf call might lead to write
|
||||
stack buffer overflow.
|
||||
|
||||
fixes #1044 (CVE-2017-17480)
|
||||
---
|
||||
src/bin/jp3d/convert.c | 4 ++--
|
||||
src/bin/jpwl/convert.c | 2 +-
|
||||
2 files changed, 3 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/src/bin/jp3d/convert.c b/src/bin/jp3d/convert.c
|
||||
index 23fd70b04..acad8f82a 100644
|
||||
--- src/bin/jp3d/convert.c
|
||||
+++ src/bin/jp3d/convert.c
|
||||
@@ -297,8 +297,8 @@ opj_volume_t* pgxtovolume(char *relpath, opj_cparameters_t *parameters)
|
||||
fprintf(stdout, "[INFO] Loading %s \n", pgxfiles[pos]);
|
||||
|
||||
fseek(f, 0, SEEK_SET);
|
||||
- fscanf(f, "PG%[ \t]%c%c%[ \t+-]%d%[ \t]%d%[ \t]%d", temp, &endian1, &endian2,
|
||||
- signtmp, &prec, temp, &w, temp, &h);
|
||||
+ fscanf(f, "PG%31[ \t]%c%c%31[ \t+-]%d%31[ \t]%d%31[ \t]%d", temp, &endian1,
|
||||
+ &endian2, signtmp, &prec, temp, &w, temp, &h);
|
||||
|
||||
i = 0;
|
||||
sign = '+';
|
||||
diff --git a/src/bin/jpwl/convert.c b/src/bin/jpwl/convert.c
|
||||
index f3bb670b0..73c1be729 100644
|
||||
--- src/bin/jpwl/convert.c
|
||||
+++ src/bin/jpwl/convert.c
|
||||
@@ -1349,7 +1349,7 @@ opj_image_t* pgxtoimage(const char *filename, opj_cparameters_t *parameters)
|
||||
}
|
||||
|
||||
fseek(f, 0, SEEK_SET);
|
||||
- if (fscanf(f, "PG%[ \t]%c%c%[ \t+-]%d%[ \t]%d%[ \t]%d", temp, &endian1,
|
||||
+ if (fscanf(f, "PG%31[ \t]%c%c%31[ \t+-]%d%31[ \t]%d%31[ \t]%d", temp, &endian1,
|
||||
&endian2, signtmp, &prec, temp, &w, temp, &h) != 9) {
|
||||
fprintf(stderr,
|
||||
"ERROR: Failed to read the right number of element from the fscanf() function!\n");
|
|
@ -0,0 +1,60 @@
|
|||
From bd88611ed9ad7144ec4f3de54790cd848175891b Mon Sep 17 00:00:00 2001
|
||||
From: Young_X <YangX92@hotmail.com>
|
||||
Date: Fri, 23 Nov 2018 17:15:05 +0800
|
||||
Subject: [PATCH] [JP3D] To avoid divisions by zero / undefined behaviour on
|
||||
shift (CVE-2018-14423
|
||||
|
||||
Signed-off-by: Young_X <YangX92@hotmail.com>
|
||||
---
|
||||
src/lib/openjp3d/pi.c | 24 ++++++++++++++++++++++++
|
||||
1 file changed, 24 insertions(+)
|
||||
|
||||
diff --git a/src/lib/openjp3d/pi.c b/src/lib/openjp3d/pi.c
|
||||
index a03be45e7..a58ebcc7c 100644
|
||||
--- src/lib/openjp3d/pi.c
|
||||
+++ src/lib/openjp3d/pi.c
|
||||
@@ -223,6 +223,14 @@ static bool pi_next_rpcl(opj_pi_iterator_t * pi)
|
||||
rpx = res->pdx + levelnox;
|
||||
rpy = res->pdy + levelnoy;
|
||||
rpz = res->pdz + levelnoz;
|
||||
+
|
||||
+ /* To avoid divisions by zero / undefined behaviour on shift */
|
||||
+ if (rpx >= 31 || ((comp->dx << rpx) >> rpx) != comp->dx ||
|
||||
+ rpy >= 31 || ((comp->dy << rpy) >> rpy) != comp->dy ||
|
||||
+ rpz >= 31 || ((comp->dz << rpz) >> rpz) != comp->dz) {
|
||||
+ continue;
|
||||
+ }
|
||||
+
|
||||
if ((!(pi->x % (comp->dx << rpx) == 0) || (pi->x == pi->tx0 &&
|
||||
(trx0 << levelnox) % (1 << rpx)))) {
|
||||
continue;
|
||||
@@ -329,6 +337,14 @@ static bool pi_next_pcrl(opj_pi_iterator_t * pi)
|
||||
rpx = res->pdx + levelnox;
|
||||
rpy = res->pdy + levelnoy;
|
||||
rpz = res->pdz + levelnoz;
|
||||
+
|
||||
+ /* To avoid divisions by zero / undefined behaviour on shift */
|
||||
+ if (rpx >= 31 || ((comp->dx << rpx) >> rpx) != comp->dx ||
|
||||
+ rpy >= 31 || ((comp->dy << rpy) >> rpy) != comp->dy ||
|
||||
+ rpz >= 31 || ((comp->dz << rpz) >> rpz) != comp->dz) {
|
||||
+ continue;
|
||||
+ }
|
||||
+
|
||||
if ((!(pi->x % (comp->dx << rpx) == 0) || (pi->x == pi->tx0 &&
|
||||
(trx0 << levelnox) % (1 << rpx)))) {
|
||||
continue;
|
||||
@@ -432,6 +448,14 @@ static bool pi_next_cprl(opj_pi_iterator_t * pi)
|
||||
rpx = res->pdx + levelnox;
|
||||
rpy = res->pdy + levelnoy;
|
||||
rpz = res->pdz + levelnoz;
|
||||
+
|
||||
+ /* To avoid divisions by zero / undefined behaviour on shift */
|
||||
+ if (rpx >= 31 || ((comp->dx << rpx) >> rpx) != comp->dx ||
|
||||
+ rpy >= 31 || ((comp->dy << rpy) >> rpy) != comp->dy ||
|
||||
+ rpz >= 31 || ((comp->dz << rpz) >> rpz) != comp->dz) {
|
||||
+ continue;
|
||||
+ }
|
||||
+
|
||||
if ((!(pi->x % (comp->dx << rpx) == 0) || (pi->x == pi->tx0 &&
|
||||
(trx0 << levelnox) % (1 << rpx)))) {
|
||||
continue;
|
|
@ -0,0 +1,34 @@
|
|||
From cab352e249ed3372dd9355c85e837613fff98fa2 Mon Sep 17 00:00:00 2001
|
||||
From: Hugo Lefeuvre <hle@debian.org>
|
||||
Date: Wed, 7 Nov 2018 18:48:29 +0100
|
||||
Subject: [PATCH] jp2: convert: fix null pointer dereference
|
||||
|
||||
Tile components in a JP2 image might have null data pointer by defining a
|
||||
zero component size (for example using large horizontal or vertical
|
||||
sampling periods). This null data pointer leads to null image component
|
||||
data pointer, causing crash when dereferenced without != null check in
|
||||
imagetopnm.
|
||||
|
||||
Add != null check.
|
||||
|
||||
This commit addresses #1152 (CVE-2018-18088).
|
||||
---
|
||||
src/bin/jp2/convert.c | 5 +++++
|
||||
1 file changed, 5 insertions(+)
|
||||
|
||||
diff --git a/src/bin/jp2/convert.c b/src/bin/jp2/convert.c
|
||||
index fa02e31c5..e670cd82f 100644
|
||||
--- src/bin/jp2/convert.c
|
||||
+++ src/bin/jp2/convert.c
|
||||
@@ -2233,6 +2233,11 @@ int imagetopnm(opj_image_t * image, const char *outfile, int force_split)
|
||||
opj_version(), wr, hr, max);
|
||||
|
||||
red = image->comps[compno].data;
|
||||
+ if (!red) {
|
||||
+ fclose(fdest);
|
||||
+ continue;
|
||||
+ }
|
||||
+
|
||||
adjustR =
|
||||
(image->comps[compno].sgnd ? 1 << (image->comps[compno].prec - 1) : 0);
|
||||
|
|
@ -0,0 +1,79 @@
|
|||
From ca16fe55014c57090dd97369256c7657aeb25975 Mon Sep 17 00:00:00 2001
|
||||
From: Hugo Lefeuvre <hle@debian.org>
|
||||
Date: Sat, 22 Sep 2018 14:33:19 -0400
|
||||
Subject: [PATCH] convertbmp: fix issues with zero bitmasks
|
||||
|
||||
In the case where a BMP file declares compression 3 (BI_BITFIELDS)
|
||||
with header size <= 56, all bitmask values keep their initialization
|
||||
value 0. This may lead to various undefined behavior later e.g. when
|
||||
doing 1 << (l_comp->prec - 1).
|
||||
|
||||
This issue does not affect files with bit count 16 because of a check
|
||||
added in 16240e2 which sets default values to the color masks if they
|
||||
are all 0.
|
||||
|
||||
This commit adds similar checks for the 32 bit case.
|
||||
|
||||
Also, if a BMP file declares compression 3 with header size >= 56 and
|
||||
intentional 0 bitmasks, the same issue will be triggered in both the
|
||||
16 and 32 bit count case.
|
||||
|
||||
This commit adds checks to bmp_read_info_header() rejecting BMP files
|
||||
with "intentional" 0 bitmasks. These checks might be removed in the
|
||||
future when proper handling of zero bitmasks will be available in
|
||||
openjpeg2.
|
||||
|
||||
fixes #1057 (CVE-2018-5785)
|
||||
---
|
||||
src/bin/jp2/convertbmp.c | 21 +++++++++++++++++++++
|
||||
1 file changed, 21 insertions(+)
|
||||
|
||||
diff --git a/src/bin/jp2/convertbmp.c b/src/bin/jp2/convertbmp.c
|
||||
index 084f70bb7..7fde99ab3 100644
|
||||
--- src/bin/jp2/convertbmp.c
|
||||
+++ src/bin/jp2/convertbmp.c
|
||||
@@ -435,16 +435,31 @@ static OPJ_BOOL bmp_read_info_header(FILE* IN, OPJ_BITMAPINFOHEADER* header)
|
||||
header->biRedMask |= (OPJ_UINT32)getc(IN) << 16;
|
||||
header->biRedMask |= (OPJ_UINT32)getc(IN) << 24;
|
||||
|
||||
+ if (!header->biRedMask) {
|
||||
+ fprintf(stderr, "Error, invalid red mask value %d\n", header->biRedMask);
|
||||
+ return OPJ_FALSE;
|
||||
+ }
|
||||
+
|
||||
header->biGreenMask = (OPJ_UINT32)getc(IN);
|
||||
header->biGreenMask |= (OPJ_UINT32)getc(IN) << 8;
|
||||
header->biGreenMask |= (OPJ_UINT32)getc(IN) << 16;
|
||||
header->biGreenMask |= (OPJ_UINT32)getc(IN) << 24;
|
||||
|
||||
+ if (!header->biGreenMask) {
|
||||
+ fprintf(stderr, "Error, invalid green mask value %d\n", header->biGreenMask);
|
||||
+ return OPJ_FALSE;
|
||||
+ }
|
||||
+
|
||||
header->biBlueMask = (OPJ_UINT32)getc(IN);
|
||||
header->biBlueMask |= (OPJ_UINT32)getc(IN) << 8;
|
||||
header->biBlueMask |= (OPJ_UINT32)getc(IN) << 16;
|
||||
header->biBlueMask |= (OPJ_UINT32)getc(IN) << 24;
|
||||
|
||||
+ if (!header->biBlueMask) {
|
||||
+ fprintf(stderr, "Error, invalid blue mask value %d\n", header->biBlueMask);
|
||||
+ return OPJ_FALSE;
|
||||
+ }
|
||||
+
|
||||
header->biAlphaMask = (OPJ_UINT32)getc(IN);
|
||||
header->biAlphaMask |= (OPJ_UINT32)getc(IN) << 8;
|
||||
header->biAlphaMask |= (OPJ_UINT32)getc(IN) << 16;
|
||||
@@ -831,6 +846,12 @@ opj_image_t* bmptoimage(const char *filename, opj_cparameters_t *parameters)
|
||||
bmpmask32toimage(pData, stride, image, 0x00FF0000U, 0x0000FF00U, 0x000000FFU,
|
||||
0x00000000U);
|
||||
} else if (Info_h.biBitCount == 32 && Info_h.biCompression == 3) { /* bitmask */
|
||||
+ if ((Info_h.biRedMask == 0U) && (Info_h.biGreenMask == 0U) &&
|
||||
+ (Info_h.biBlueMask == 0U)) {
|
||||
+ Info_h.biRedMask = 0x00FF0000U;
|
||||
+ Info_h.biGreenMask = 0x0000FF00U;
|
||||
+ Info_h.biBlueMask = 0x000000FFU;
|
||||
+ }
|
||||
bmpmask32toimage(pData, stride, image, Info_h.biRedMask, Info_h.biGreenMask,
|
||||
Info_h.biBlueMask, Info_h.biAlphaMask);
|
||||
} else if (Info_h.biBitCount == 16 && Info_h.biCompression == 0) { /* RGBX */
|
|
@ -0,0 +1,69 @@
|
|||
From 8ee335227bbcaf1614124046aa25e53d67b11ec3 Mon Sep 17 00:00:00 2001
|
||||
From: Hugo Lefeuvre <hle@debian.org>
|
||||
Date: Fri, 14 Dec 2018 04:58:40 +0100
|
||||
Subject: [PATCH] convertbmp: detect invalid file dimensions early
|
||||
|
||||
width/length dimensions read from bmp headers are not necessarily
|
||||
valid. For instance they may have been maliciously set to very large
|
||||
values with the intention to cause DoS (large memory allocation, stack
|
||||
overflow). In these cases we want to detect the invalid size as early
|
||||
as possible.
|
||||
|
||||
This commit introduces a counter which verifies that the number of
|
||||
written bytes corresponds to the advertized width/length.
|
||||
|
||||
Fixes #1059 (CVE-2018-6616).
|
||||
---
|
||||
src/bin/jp2/convertbmp.c | 12 ++++++++++--
|
||||
1 file changed, 10 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/src/bin/jp2/convertbmp.c b/src/bin/jp2/convertbmp.c
|
||||
index 85a47feaf..0af52f816 100644
|
||||
--- src/bin/jp2/convertbmp.c
|
||||
+++ src/bin/jp2/convertbmp.c
|
||||
@@ -534,14 +534,14 @@ static OPJ_BOOL bmp_read_raw_data(FILE* IN, OPJ_UINT8* pData, OPJ_UINT32 stride,
|
||||
static OPJ_BOOL bmp_read_rle8_data(FILE* IN, OPJ_UINT8* pData,
|
||||
OPJ_UINT32 stride, OPJ_UINT32 width, OPJ_UINT32 height)
|
||||
{
|
||||
- OPJ_UINT32 x, y;
|
||||
+ OPJ_UINT32 x, y, written;
|
||||
OPJ_UINT8 *pix;
|
||||
const OPJ_UINT8 *beyond;
|
||||
|
||||
beyond = pData + stride * height;
|
||||
pix = pData;
|
||||
|
||||
- x = y = 0U;
|
||||
+ x = y = written = 0U;
|
||||
while (y < height) {
|
||||
int c = getc(IN);
|
||||
if (c == EOF) {
|
||||
@@ -561,6 +561,7 @@ static OPJ_BOOL bmp_read_rle8_data(FILE* IN, OPJ_UINT8* pData,
|
||||
for (j = 0; (j < c) && (x < width) &&
|
||||
((OPJ_SIZE_T)pix < (OPJ_SIZE_T)beyond); j++, x++, pix++) {
|
||||
*pix = c1;
|
||||
+ written++;
|
||||
}
|
||||
} else {
|
||||
c = getc(IN);
|
||||
@@ -598,6 +599,7 @@ static OPJ_BOOL bmp_read_rle8_data(FILE* IN, OPJ_UINT8* pData,
|
||||
}
|
||||
c1 = (OPJ_UINT8)c1_int;
|
||||
*pix = c1;
|
||||
+ written++;
|
||||
}
|
||||
if ((OPJ_UINT32)c & 1U) { /* skip padding byte */
|
||||
c = getc(IN);
|
||||
@@ -608,6 +610,12 @@ static OPJ_BOOL bmp_read_rle8_data(FILE* IN, OPJ_UINT8* pData,
|
||||
}
|
||||
}
|
||||
}/* while() */
|
||||
+
|
||||
+ if (written != width * height) {
|
||||
+ fprintf(stderr, "warning, image's actual size does not match advertized one\n");
|
||||
+ return OPJ_FALSE;
|
||||
+ }
|
||||
+
|
||||
return OPJ_TRUE;
|
||||
}
|
||||
|
|
@ -1,7 +1,7 @@
|
|||
# Template file for 'openjpeg2'
|
||||
pkgname=openjpeg2
|
||||
version=2.3.0
|
||||
revision=2
|
||||
revision=3
|
||||
wrksrc="openjpeg-${version}"
|
||||
build_style=cmake
|
||||
makedepends="libpng-devel lcms2-devel tiff-devel"
|
||||
|
|
Loading…
Reference in New Issue