From 19c974f3bbda8e56f55fdeccae144b76e5e5aa99 Mon Sep 17 00:00:00 2001 From: Sandro Mani Date: Fri, 20 May 2022 22:16:51 +0200 Subject: [PATCH] Update to 2.5.0 --- .gitignore | 1 + CVE-2021-29338.patch | 147 ------------------------------------- CVE-2022-1122.patch | 12 --- heap-buffer-overflow.patch | 22 ------ openjpeg2.spec | 59 ++++++++------- openjpeg2_opj2.patch | 6 +- sources | 2 +- 7 files changed, 37 insertions(+), 212 deletions(-) delete mode 100644 CVE-2021-29338.patch delete mode 100644 CVE-2022-1122.patch delete mode 100644 heap-buffer-overflow.patch diff --git a/.gitignore b/.gitignore index d7ce3bc..e72d436 100644 --- a/.gitignore +++ b/.gitignore @@ -8,3 +8,4 @@ /openjpeg-2.3.0.tar.gz /openjpeg-2.3.1.tar.gz /openjpeg-2.4.0.tar.gz +/openjpeg-2.5.0.tar.gz diff --git a/CVE-2021-29338.patch b/CVE-2021-29338.patch deleted file mode 100644 index 373f6d6..0000000 --- a/CVE-2021-29338.patch +++ /dev/null 
@@ -1,147 +0,0 @@ -diff -rupN --no-dereference openjpeg-2.4.0/src/bin/jp2/opj_compress.c openjpeg-2.4.0-new/src/bin/jp2/opj_compress.c ---- openjpeg-2.4.0/src/bin/jp2/opj_compress.c 2020-12-28 21:59:39.000000000 +0100 -+++ openjpeg-2.4.0-new/src/bin/jp2/opj_compress.c 2021-05-27 23:46:46.916130437 +0200 -@@ -543,8 +543,8 @@ static char * get_file_name(char *name) - static char get_next_file(int imageno, dircnt_t *dirptr, img_fol_t *img_fol, - opj_cparameters_t *parameters) - { -- char image_filename[OPJ_PATH_LEN], infilename[OPJ_PATH_LEN], -- outfilename[OPJ_PATH_LEN], temp_ofname[OPJ_PATH_LEN]; -+ char image_filename[OPJ_PATH_LEN], infilename[OPJ_PATH_LEN * 2], -+ outfilename[OPJ_PATH_LEN * 2], temp_ofname[OPJ_PATH_LEN]; - char *temp_p, temp1[OPJ_PATH_LEN] = ""; - - strcpy(image_filename, dirptr->filename[imageno]); -@@ -553,7 +553,7 @@ static char get_next_file(int imageno, d - if (parameters->decod_format == -1) { - return 1; - } -- sprintf(infilename, "%s/%s", img_fol->imgdirpath, image_filename); -+ snprintf(infilename, OPJ_PATH_LEN * 2, "%s/%s", img_fol->imgdirpath, image_filename); - if (opj_strcpy_s(parameters->infile, sizeof(parameters->infile), - infilename) != 0) { - return 1; -@@ -566,7 +566,7 @@ static char get_next_file(int imageno, d - sprintf(temp1, ".%s", temp_p); - } - if (img_fol->set_out_format == 1) { -- sprintf(outfilename, "%s/%s.%s", img_fol->imgdirpath, temp_ofname, -+ snprintf(outfilename, OPJ_PATH_LEN * 2, "%s/%s.%s", img_fol->imgdirpath, temp_ofname, - img_fol->out_format); - if (opj_strcpy_s(parameters->outfile, sizeof(parameters->outfile), - outfilename) != 0) { -@@ -1910,9 +1910,9 @@ int main(int argc, char **argv) - num_images = get_num_images(img_fol.imgdirpath); - dirptr = (dircnt_t*)malloc(sizeof(dircnt_t)); - if (dirptr) { -- dirptr->filename_buf = (char*)malloc(num_images * OPJ_PATH_LEN * sizeof( -+ dirptr->filename_buf = (char*)calloc(num_images, OPJ_PATH_LEN * sizeof( - char)); /* Stores at max 10 image file names*/ -- 
dirptr->filename = (char**) malloc(num_images * sizeof(char*)); -+ dirptr->filename = (char**) calloc(num_images, sizeof(char*)); - if (!dirptr->filename_buf) { - ret = 0; - goto fin; -diff -rupN --no-dereference openjpeg-2.4.0/src/bin/jp2/opj_decompress.c openjpeg-2.4.0-new/src/bin/jp2/opj_decompress.c ---- openjpeg-2.4.0/src/bin/jp2/opj_decompress.c 2020-12-28 21:59:39.000000000 +0100 -+++ openjpeg-2.4.0-new/src/bin/jp2/opj_decompress.c 2021-05-27 23:46:46.916130437 +0200 -@@ -455,13 +455,13 @@ const char* path_separator = "/"; - char get_next_file(int imageno, dircnt_t *dirptr, img_fol_t *img_fol, - opj_decompress_parameters *parameters) - { -- char image_filename[OPJ_PATH_LEN], infilename[OPJ_PATH_LEN], -- outfilename[OPJ_PATH_LEN], temp_ofname[OPJ_PATH_LEN]; -+ char image_filename[OPJ_PATH_LEN], infilename[OPJ_PATH_LEN * 2], -+ outfilename[OPJ_PATH_LEN * 2], temp_ofname[OPJ_PATH_LEN]; - char *temp_p, temp1[OPJ_PATH_LEN] = ""; - - strcpy(image_filename, dirptr->filename[imageno]); - fprintf(stderr, "File Number %d \"%s\"\n", imageno, image_filename); -- sprintf(infilename, "%s%s%s", img_fol->imgdirpath, path_separator, -+ snprintf(infilename, OPJ_PATH_LEN * 2, "%s%s%s", img_fol->imgdirpath, path_separator, - image_filename); - parameters->decod_format = infile_format(infilename); - if (parameters->decod_format == -1) { -@@ -479,7 +479,7 @@ char get_next_file(int imageno, dircnt_t - sprintf(temp1, ".%s", temp_p); - } - if (img_fol->set_out_format == 1) { -- sprintf(outfilename, "%s/%s.%s", img_fol->imgdirpath, temp_ofname, -+ snprintf(outfilename, OPJ_PATH_LEN * 2, "%s/%s.%s", img_fol->imgdirpath, temp_ofname, - img_fol->out_format); - if (opj_strcpy_s(parameters->outfile, sizeof(parameters->outfile), - outfilename) != 0) { -@@ -1357,14 +1357,13 @@ int main(int argc, char **argv) - return EXIT_FAILURE; - } - /* Stores at max 10 image file names */ -- dirptr->filename_buf = (char*)malloc(sizeof(char) * -- (size_t)num_images * OPJ_PATH_LEN); -+ 
dirptr->filename_buf = calloc((size_t) num_images, sizeof(char) * OPJ_PATH_LEN); - if (!dirptr->filename_buf) { - failed = 1; - goto fin; - } - -- dirptr->filename = (char**) malloc((size_t)num_images * sizeof(char*)); -+ dirptr->filename = (char**) calloc((size_t) num_images, sizeof(char*)); - - if (!dirptr->filename) { - failed = 1; -diff -rupN --no-dereference openjpeg-2.4.0/src/bin/jp2/opj_dump.c openjpeg-2.4.0-new/src/bin/jp2/opj_dump.c ---- openjpeg-2.4.0/src/bin/jp2/opj_dump.c 2020-12-28 21:59:39.000000000 +0100 -+++ openjpeg-2.4.0-new/src/bin/jp2/opj_dump.c 2021-05-27 23:46:46.917130437 +0200 -@@ -201,8 +201,8 @@ static int get_file_format(const char *f - static char get_next_file(int imageno, dircnt_t *dirptr, img_fol_t *img_fol, - opj_dparameters_t *parameters) - { -- char image_filename[OPJ_PATH_LEN], infilename[OPJ_PATH_LEN], -- outfilename[OPJ_PATH_LEN], temp_ofname[OPJ_PATH_LEN]; -+ char image_filename[OPJ_PATH_LEN], infilename[OPJ_PATH_LEN * 2], -+ outfilename[OPJ_PATH_LEN * 2], temp_ofname[OPJ_PATH_LEN]; - char *temp_p, temp1[OPJ_PATH_LEN] = ""; - - strcpy(image_filename, dirptr->filename[imageno]); -@@ -211,7 +211,7 @@ static char get_next_file(int imageno, d - if (parameters->decod_format == -1) { - return 1; - } -- sprintf(infilename, "%s/%s", img_fol->imgdirpath, image_filename); -+ snprintf(infilename, OPJ_PATH_LEN * 2, "%s/%s", img_fol->imgdirpath, image_filename); - if (opj_strcpy_s(parameters->infile, sizeof(parameters->infile), - infilename) != 0) { - return 1; -@@ -224,7 +224,7 @@ static char get_next_file(int imageno, d - sprintf(temp1, ".%s", temp_p); - } - if (img_fol->set_out_format == 1) { -- sprintf(outfilename, "%s/%s.%s", img_fol->imgdirpath, temp_ofname, -+ snprintf(outfilename, OPJ_PATH_LEN * 2, "%s/%s.%s", img_fol->imgdirpath, temp_ofname, - img_fol->out_format); - if (opj_strcpy_s(parameters->outfile, sizeof(parameters->outfile), - outfilename) != 0) { -@@ -457,7 +457,7 @@ int main(int argc, char *argv[]) - 
opj_codestream_info_v2_t* cstr_info = NULL; - opj_codestream_index_t* cstr_index = NULL; - -- OPJ_INT32 num_images, imageno; -+ int num_images, imageno; - img_fol_t img_fol; - dircnt_t *dirptr = NULL; - -@@ -486,13 +486,13 @@ int main(int argc, char *argv[]) - if (!dirptr) { - return EXIT_FAILURE; - } -- dirptr->filename_buf = (char*)malloc((size_t)num_images * OPJ_PATH_LEN * sizeof( -+ dirptr->filename_buf = (char*) calloc((size_t) num_images, OPJ_PATH_LEN * sizeof( - char)); /* Stores at max 10 image file names*/ - if (!dirptr->filename_buf) { - free(dirptr); - return EXIT_FAILURE; - } -- dirptr->filename = (char**) malloc((size_t)num_images * sizeof(char*)); -+ dirptr->filename = (char**) calloc((size_t) num_images, sizeof(char*)); - - if (!dirptr->filename) { - goto fails; diff --git a/CVE-2022-1122.patch b/CVE-2022-1122.patch deleted file mode 100644 index 7b3f905..0000000 --- a/CVE-2022-1122.patch +++ /dev/null @@ -1,12 +0,0 @@ -diff -rupN --no-dereference openjpeg-2.4.0/src/bin/jp2/opj_decompress.c openjpeg-2.4.0-new/src/bin/jp2/opj_decompress.c ---- openjpeg-2.4.0/src/bin/jp2/opj_decompress.c 2022-03-28 22:01:04.615605223 +0200 -+++ openjpeg-2.4.0-new/src/bin/jp2/opj_decompress.c 2022-03-28 22:01:04.662605454 +0200 -@@ -1351,7 +1351,7 @@ int main(int argc, char **argv) - int it_image; - num_images = get_num_images(img_fol.imgdirpath); - -- dirptr = (dircnt_t*)malloc(sizeof(dircnt_t)); -+ dirptr = (dircnt_t*)calloc(1, sizeof(dircnt_t)); - if (!dirptr) { - destroy_parameters(¶meters); - return EXIT_FAILURE; diff --git a/heap-buffer-overflow.patch b/heap-buffer-overflow.patch deleted file mode 100644 index 6dcd51a..0000000 --- a/heap-buffer-overflow.patch +++ /dev/null 
@@ -1,22 +0,0 @@ -diff -rupN --no-dereference openjpeg-2.4.0/src/bin/common/color.c openjpeg-2.4.0-new/src/bin/common/color.c ---- openjpeg-2.4.0/src/bin/common/color.c 2020-12-28 21:59:39.000000000 +0100 -+++ openjpeg-2.4.0-new/src/bin/common/color.c 2021-05-27 23:46:46.961130438 +0200 -@@ -368,12 +368,15 @@ static void sycc420_to_rgb(opj_image_t * - - sycc_to_rgb(offset, upb, *y, *cb, *cr, r, g, b); - -- ++y; -+ if (*y != img->comps[0].data[loopmaxh]) -+ ++y; - ++r; - ++g; - ++b; -- ++cb; -- ++cr; -+ if (*cb != img->comps[1].data[loopmaxh]) -+ ++cb; -+ if (*cr != img->comps[2].data[loopmaxh]) -+ ++cr; - } - if (j < maxw) { - sycc_to_rgb(offset, upb, *y, *cb, *cr, r, g, b); diff --git a/openjpeg2.spec b/openjpeg2.spec index 9ec01ec..19c6605 100644 --- a/openjpeg2.spec +++ b/openjpeg2.spec @@ -13,8 +13,8 @@ %endif Name: openjpeg2 -Version: 2.4.0 -Release: 11%{?dist} +Version: 2.5.0 +Release: 1%{?dist} Summary: C-Library for JPEG 2000 # windirent.h is MIT, the rest is BSD 
@@ -28,28 +28,24 @@ Source1: data.tar.xz # Rename tool names to avoid conflicts with openjpeg-1.x Patch0: openjpeg2_opj2.patch -# Backport proposed patch for CVE-2021-29338 -# See https://github.com/uclouvain/openjpeg/issues/1338 -# and https://github.com/uclouvain/openjpeg/pull/1346 -Patch1: CVE-2021-29338.patch # Backport proposed patch for heap buffer overflow (#1957616) # See https://github.com/uclouvain/openjpeg/issues/1347 -Patch2: heap-buffer-overflow.patch -# Backport patch for CVE-2022-1122 -# See https://github.com/uclouvain/openjpeg/commit/0afbdcf3e6d0d2bd2e16a0c4d513ee3cf86e460d -Patch3: CVE-2022-1122.patch +Patch1: heap-buffer-overflow.patch BuildRequires: cmake +BuildRequires: doxygen # The library itself is C only, but there is some optional C++ stuff, hence the project is not marked as C-only in cmake and hence cmake looks for a c++ compiler BuildRequires: gcc-c++ BuildRequires: make -BuildRequires: zlib-devel +BuildRequires: jbigkit-devel +BuildRequires: lcms2-devel +BuildRequires: libjpeg-turbo-devel BuildRequires: libpng-devel BuildRequires: libtiff-devel -BuildRequires: lcms2-devel -BuildRequires: doxygen - +BuildRequires: libwebp-devel +BuildRequires: libzstd-devel +BuildRequires: zlib-devel %if 0%{?optional_components} BuildRequires: java-devel BuildRequires: xerces-j2 
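Review bot: `Patch1: heap-buffer-overflow.patch` is still declared on the new side of this hunk, but the same commit deletes heap-buffer-overflow.patch (it is listed under "delete mode" in the diffstat), so the spec now names a patch that is no longer in the repository. As written, the build would presumably stop on the missing file, and if the line is then removed just to get the build through, the bounds checks that patch added to `sycc420_to_rgb` are lost without anyone having checked for an upstream equivalent. If 2.5.0 already carries that fix, drop the `Patch1:` line together with its two comment lines; if it does not, keep the patch file and rebase it onto 2.5.0. The commit also removes the CVE-2021-29338 and CVE-2022-1122 backports without recording that 2.5.0 contains them; once that is confirmed against the upstream release, a changelog line such as `- Drop CVE-2021-29338, CVE-2022-1122 and heap-buffer-overflow patches, fixed upstream in 2.5.0` would leave an audit trail.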
@@ -58,17 +54,23 @@ BuildRequires: xerces-j2 %if %{with mingw} BuildRequires: mingw32-filesystem >= 95 BuildRequires: mingw32-gcc -BuildRequires: mingw32-zlib +BuildRequires: mingw32-lcms2 +BuildRequires: mingw32-libjpeg-turbo BuildRequires: mingw32-libpng BuildRequires: mingw32-libtiff -BuildRequires: mingw32-lcms2 +BuildRequires: mingw32-libwebp +BuildRequires: mingw32-zlib +BuildRequires: mingw32-zstd BuildRequires: mingw64-filesystem >= 95 BuildRequires: mingw64-gcc -BuildRequires: mingw64-zlib +BuildRequires: mingw64-lcms2 +BuildRequires: mingw64-libjpeg-turbo BuildRequires: mingw64-libpng BuildRequires: mingw64-libtiff -BuildRequires: mingw64-lcms2 +BuildRequires: mingw64-libwebp +BuildRequires: mingw64-zlib +BuildRequires: mingw64-zstd %endif @@ -348,12 +350,12 @@ rm -rf %{buildroot}%{mingw64_datadir}/doc %{_mandir}/man3/libopenjp2.3* %files devel -%dir %{_includedir}/openjpeg-2.4/ -%{_includedir}/openjpeg-2.4/openjpeg.h -%{_includedir}/openjpeg-2.4/opj_config.h -%{_includedir}/openjpeg-2.4/opj_stdint.h +%dir %{_includedir}/openjpeg-2.5/ +%{_includedir}/openjpeg-2.5/openjpeg.h +%{_includedir}/openjpeg-2.5/opj_config.h +%{_includedir}/openjpeg-2.5/opj_stdint.h %{_libdir}/libopenjp2.so -%{_libdir}/openjpeg-2.4/ +%{_libdir}/openjpeg-2.5/ %{_libdir}/pkgconfig/libopenjp2.pc %files devel-docs @@ -416,8 +418,8 @@ rm -rf %{buildroot}%{mingw64_datadir}/doc %license LICENSE %{mingw32_bindir}/libopenjp2.dll %{mingw32_libdir}/libopenjp2.dll.a -%{mingw32_includedir}/openjpeg-2.4/ -%{mingw32_libdir}/openjpeg-2.4/ +%{mingw32_includedir}/openjpeg-2.5/ +%{mingw32_libdir}/openjpeg-2.5/ %{mingw32_libdir}/pkgconfig/libopenjp2.pc %files -n mingw32-%{name}-tools 
@@ -429,8 +431,8 @@ rm -rf %{buildroot}%{mingw64_datadir}/doc %license LICENSE %{mingw64_bindir}/libopenjp2.dll %{mingw64_libdir}/libopenjp2.dll.a -%{mingw64_includedir}/openjpeg-2.4/ -%{mingw64_libdir}/openjpeg-2.4/ +%{mingw64_includedir}/openjpeg-2.5/ +%{mingw64_libdir}/openjpeg-2.5/ %{mingw64_libdir}/pkgconfig/libopenjp2.pc %files -n mingw64-%{name}-tools @@ -441,6 +443,9 @@ rm -rf %{buildroot}%{mingw64_datadir}/doc %changelog +* Mon May 16 2022 Sandro Mani - 2.5.0-1 +- Update to 2.5.0 + * Fri May 13 2022 Tomas Popela - 2.4.0-11 - Introduce a switch for mingw builds and turn it off when building the flatpaks (flatpak-common module) diff --git a/openjpeg2_opj2.patch b/openjpeg2_opj2.patch index e38c818..0ae7f66 100644 --- a/openjpeg2_opj2.patch +++ b/openjpeg2_opj2.patch @@ -1,6 +1,6 @@ -diff -rupN --no-dereference openjpeg-2.4.0/src/bin/jp2/CMakeLists.txt openjpeg-2.4.0-new/src/bin/jp2/CMakeLists.txt ---- openjpeg-2.4.0/src/bin/jp2/CMakeLists.txt 2020-12-28 21:59:39.000000000 +0100 -+++ openjpeg-2.4.0-new/src/bin/jp2/CMakeLists.txt 2021-05-27 23:46:46.878130437 +0200 +diff -rupN --no-dereference openjpeg-2.5.0/src/bin/jp2/CMakeLists.txt openjpeg-2.5.0-new/src/bin/jp2/CMakeLists.txt +--- openjpeg-2.5.0/src/bin/jp2/CMakeLists.txt 2022-05-13 18:54:29.000000000 +0200 ++++ openjpeg-2.5.0-new/src/bin/jp2/CMakeLists.txt 2022-05-16 10:23:47.026551355 +0200 @@ -44,6 +44,8 @@ endif() # Loop over all executables: foreach(exe opj_decompress opj_compress opj_dump) diff --git a/sources b/sources index bfa7830..c1152a2 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (openjpeg-2.4.0.tar.gz) = 55daab47d33823af94e32e5d345b52c251a5410f0c8e0a13b693f17899eedc8b2bb107489ddcba9ab78ef17dfd7cd80d3c5ec80c1e429189cb041124b67e07a8 +SHA512 (openjpeg-2.5.0.tar.gz) = 08975a2dd79f1e29fd1824249a5fbe66026640ed787b3a3aa8807c2c69f994240ff33e2132f8bf15bbc2202bef7001f98e42d487231d4eebc8e503538658049a