Backport more security fixes, including for CVE-2017-14041 and CVE-2017-14040
This commit is contained in:
Sandro Mani
parent
199c984f5f
commit
5d85a19e22
80
2cd30c2b06ce332dede81cccad8b334cde997281.patch
Normal file
80
2cd30c2b06ce332dede81cccad8b334cde997281.patch
Normal file
@ -0,0 +1,80 @@
|
||||
From 2cd30c2b06ce332dede81cccad8b334cde997281 Mon Sep 17 00:00:00 2001
|
||||
From: Even Rouault <even.rouault@spatialys.com>
|
||||
Date: Thu, 17 Aug 2017 11:47:40 +0200
|
||||
Subject: [PATCH] tgatoimage(): avoid excessive memory allocation attempt, and
|
||||
fixes unaligned load (#995)
|
||||
|
||||
---
|
||||
src/bin/jp2/convert.c | 39 +++++++++++++++++++++++++++------------
|
||||
1 file changed, 27 insertions(+), 12 deletions(-)
|
||||
|
||||
diff --git a/src/bin/jp2/convert.c b/src/bin/jp2/convert.c
|
||||
index a4eb81f6a..73dfc8d5f 100644
|
||||
--- a/src/bin/jp2/convert.c
|
||||
+++ b/src/bin/jp2/convert.c
|
||||
@@ -580,13 +580,10 @@ struct tga_header {
|
||||
};
|
||||
#endif /* INFORMATION_ONLY */
|
||||
|
||||
-static unsigned short get_ushort(const unsigned char *data)
|
||||
+/* Returns a ushort from a little-endian serialized value */
|
||||
+static unsigned short get_tga_ushort(const unsigned char *data)
|
||||
{
|
||||
- unsigned short val = *(const unsigned short *)data;
|
||||
-#ifdef OPJ_BIG_ENDIAN
|
||||
- val = ((val & 0xffU) << 8) | (val >> 8);
|
||||
-#endif
|
||||
- return val;
|
||||
+ return data[0] | (data[1] << 8);
|
||||
}
|
||||
|
||||
#define TGA_HEADER_SIZE 18
|
||||
@@ -613,17 +610,17 @@ static int tga_readheader(FILE *fp, unsigned int *bits_per_pixel,
|
||||
id_len = tga[0];
|
||||
/*cmap_type = tga[1];*/
|
||||
image_type = tga[2];
|
||||
- /*cmap_index = get_ushort(&tga[3]);*/
|
||||
- cmap_len = get_ushort(&tga[5]);
|
||||
+ /*cmap_index = get_tga_ushort(&tga[3]);*/
|
||||
+ cmap_len = get_tga_ushort(&tga[5]);
|
||||
cmap_entry_size = tga[7];
|
||||
|
||||
|
||||
#if 0
|
||||
- x_origin = get_ushort(&tga[8]);
|
||||
- y_origin = get_ushort(&tga[10]);
|
||||
+ x_origin = get_tga_ushort(&tga[8]);
|
||||
+ y_origin = get_tga_ushort(&tga[10]);
|
||||
#endif
|
||||
- image_w = get_ushort(&tga[12]);
|
||||
- image_h = get_ushort(&tga[14]);
|
||||
+ image_w = get_tga_ushort(&tga[12]);
|
||||
+ image_h = get_tga_ushort(&tga[14]);
|
||||
pixel_depth = tga[16];
|
||||
image_desc = tga[17];
|
||||
|
||||
@@ -817,6 +814,24 @@ opj_image_t* tgatoimage(const char *filename, opj_cparameters_t *parameters)
|
||||
color_space = OPJ_CLRSPC_SRGB;
|
||||
}
|
||||
|
||||
+ /* If the declared file size is > 10 MB, check that the file is big */
|
||||
+ /* enough to avoid excessive memory allocations */
|
||||
+ if (image_height != 0 && image_width > 10000000 / image_height / numcomps) {
|
||||
+ char ch;
|
||||
+ OPJ_UINT64 expected_file_size =
|
||||
+ (OPJ_UINT64)image_width * image_height * numcomps;
|
||||
+ long curpos = ftell(f);
|
||||
+ if (expected_file_size > (OPJ_UINT64)INT_MAX) {
|
||||
+ expected_file_size = (OPJ_UINT64)INT_MAX;
|
||||
+ }
|
||||
+ fseek(f, (long)expected_file_size - 1, SEEK_SET);
|
||||
+ if (fread(&ch, 1, 1, f) != 1) {
|
||||
+ fclose(f);
|
||||
+ return NULL;
|
||||
+ }
|
||||
+ fseek(f, curpos, SEEK_SET);
|
||||
+ }
|
||||
+
|
||||
subsampling_dx = parameters->subsampling_dx;
|
||||
subsampling_dy = parameters->subsampling_dy;
|
||||
|
||||
35
4241ae6fbbf1de9658764a80944dc8108f2b4154.patch
Normal file
35
4241ae6fbbf1de9658764a80944dc8108f2b4154.patch
Normal file
@ -0,0 +1,35 @@
|
||||
From 4241ae6fbbf1de9658764a80944dc8108f2b4154 Mon Sep 17 00:00:00 2001
|
||||
From: Even Rouault <even.rouault@spatialys.com>
|
||||
Date: Tue, 15 Aug 2017 11:55:58 +0200
|
||||
Subject: [PATCH] Fix assertion in debug mode / heap-based buffer overflow in
|
||||
opj_write_bytes_LE for Cinema profiles with numresolutions = 1 (#985)
|
||||
|
||||
---
|
||||
src/lib/openjp2/j2k.c | 14 ++++++++++----
|
||||
1 file changed, 10 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/src/lib/openjp2/j2k.c b/src/lib/openjp2/j2k.c
|
||||
index a2521ebbc..54b490a8c 100644
|
||||
--- a/src/lib/openjp2/j2k.c
|
||||
+++ b/src/lib/openjp2/j2k.c
|
||||
@@ -6573,10 +6573,16 @@ static void opj_j2k_set_cinema_parameters(opj_cparameters_t *parameters,
|
||||
|
||||
/* Precincts */
|
||||
parameters->csty |= 0x01;
|
||||
- parameters->res_spec = parameters->numresolution - 1;
|
||||
- for (i = 0; i < parameters->res_spec; i++) {
|
||||
- parameters->prcw_init[i] = 256;
|
||||
- parameters->prch_init[i] = 256;
|
||||
+ if (parameters->numresolution == 1) {
|
||||
+ parameters->res_spec = 1;
|
||||
+ parameters->prcw_init[0] = 128;
|
||||
+ parameters->prch_init[0] = 128;
|
||||
+ } else {
|
||||
+ parameters->res_spec = parameters->numresolution - 1;
|
||||
+ for (i = 0; i < parameters->res_spec; i++) {
|
||||
+ parameters->prcw_init[i] = 256;
|
||||
+ parameters->prch_init[i] = 256;
|
||||
+ }
|
||||
}
|
||||
|
||||
/* The progression order shall be CPRL */
|
||||
43
afb308b9ccbe129608c9205cf3bb39bbefad90b9.patch
Normal file
43
afb308b9ccbe129608c9205cf3bb39bbefad90b9.patch
Normal file
@ -0,0 +1,43 @@
|
||||
From afb308b9ccbe129608c9205cf3bb39bbefad90b9 Mon Sep 17 00:00:00 2001
|
||||
From: Even Rouault <even.rouault@spatialys.com>
|
||||
Date: Mon, 14 Aug 2017 17:20:37 +0200
|
||||
Subject: [PATCH] Encoder: grow buffer size in
|
||||
opj_tcd_code_block_enc_allocate_data() to avoid write heap buffer overflow in
|
||||
opj_mqc_flush (#982)
|
||||
|
||||
---
|
||||
src/lib/openjp2/tcd.c | 7 +++++--
|
||||
tests/nonregression/test_suite.ctest.in | 2 ++
|
||||
2 files changed, 7 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/src/lib/openjp2/tcd.c b/src/lib/openjp2/tcd.c
|
||||
index 301c7213e..53cdcf64d 100644
|
||||
--- a/src/lib/openjp2/tcd.c
|
||||
+++ b/src/lib/openjp2/tcd.c
|
||||
@@ -1187,8 +1187,11 @@ static OPJ_BOOL opj_tcd_code_block_enc_allocate_data(opj_tcd_cblk_enc_t *
|
||||
{
|
||||
OPJ_UINT32 l_data_size;
|
||||
|
||||
- /* The +1 is needed for https://github.com/uclouvain/openjpeg/issues/835 */
|
||||
- l_data_size = 1 + (OPJ_UINT32)((p_code_block->x1 - p_code_block->x0) *
|
||||
+ /* +1 is needed for https://github.com/uclouvain/openjpeg/issues/835 */
|
||||
+ /* and actually +2 required for https://github.com/uclouvain/openjpeg/issues/982 */
|
||||
+ /* TODO: is there a theoretical upper-bound for the compressed code */
|
||||
+ /* block size ? */
|
||||
+ l_data_size = 2 + (OPJ_UINT32)((p_code_block->x1 - p_code_block->x0) *
|
||||
(p_code_block->y1 - p_code_block->y0) * (OPJ_INT32)sizeof(OPJ_UINT32));
|
||||
|
||||
if (l_data_size > p_code_block->data_size) {
|
||||
diff --git a/tests/nonregression/test_suite.ctest.in b/tests/nonregression/test_suite.ctest.in
|
||||
index aaf40d7d0..ffd964c2a 100644
|
||||
--- a/tests/nonregression/test_suite.ctest.in
|
||||
+++ b/tests/nonregression/test_suite.ctest.in
|
||||
@@ -169,6 +169,8 @@ opj_compress -i @INPUT_NR_PATH@/Bretagne2.ppm -o @TEMP_PATH@/Bretagne2_empty_ban
|
||||
# Same rate as Bretagne2_4.j2k
|
||||
opj_compress -i @INPUT_NR_PATH@/Bretagne2.ppm -o @TEMP_PATH@/Bretagne2_empty_band_r800.j2k -t 2591,1943 -n 2 -r 800
|
||||
|
||||
+opj_compress -i @INPUT_NR_PATH@/issue982.bmp -o @TEMP_PATH@/issue982.j2k -n 1
|
||||
+
|
||||
# DECODER TEST SUITE
|
||||
opj_decompress -i @INPUT_NR_PATH@/Bretagne2.j2k -o @TEMP_PATH@/Bretagne2.j2k.pgx
|
||||
opj_decompress -i @INPUT_NR_PATH@/_00042.j2k -o @TEMP_PATH@/_00042.j2k.pgx
|
||||
22
e5285319229a5d77bf316bb0d3a6cbd3cb8666d9.patch
Normal file
22
e5285319229a5d77bf316bb0d3a6cbd3cb8666d9.patch
Normal file
@ -0,0 +1,22 @@
|
||||
From e5285319229a5d77bf316bb0d3a6cbd3cb8666d9 Mon Sep 17 00:00:00 2001
|
||||
From: Even Rouault <even.rouault@spatialys.com>
|
||||
Date: Fri, 18 Aug 2017 13:39:20 +0200
|
||||
Subject: [PATCH] pgxtoimage(): fix write stack buffer overflow (#997)
|
||||
|
||||
---
|
||||
src/bin/jp2/convert.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/bin/jp2/convert.c b/src/bin/jp2/convert.c
|
||||
index 5459f7d44..e606c9be7 100644
|
||||
--- a/src/bin/jp2/convert.c
|
||||
+++ b/src/bin/jp2/convert.c
|
||||
@@ -1185,7 +1185,7 @@ opj_image_t* pgxtoimage(const char *filename, opj_cparameters_t *parameters)
|
||||
}
|
||||
|
||||
fseek(f, 0, SEEK_SET);
|
||||
- if (fscanf(f, "PG%[ \t]%c%c%[ \t+-]%d%[ \t]%d%[ \t]%d", temp, &endian1,
|
||||
+ if (fscanf(f, "PG%31[ \t]%c%c%31[ \t+-]%d%31[ \t]%d%31[ \t]%d", temp, &endian1,
|
||||
&endian2, signtmp, &prec, temp, &w, temp, &h) != 9) {
|
||||
fclose(f);
|
||||
fprintf(stderr,
|
||||
@ -5,7 +5,7 @@
|
||||
|
||||
Name: openjpeg2
|
||||
Version: 2.2.0
|
||||
Release: 2%{?dist}
|
||||
Release: 3%{?dist}
|
||||
Summary: C-Library for JPEG 2000
|
||||
|
||||
# windirent.h is MIT, the rest is BSD
|
||||
@ -19,8 +19,16 @@ Source1: data.tar.xz
|
||||
|
||||
# Remove bundled libraries
|
||||
Patch0: openjpeg2_remove-thirdparty.patch
|
||||
# Backport: bmp_read_info_header(): reject bmp files with biBitCount == 0 (CVE-2017-12982)
|
||||
# Backport fix for CVE-2017-12982
|
||||
Patch1: baf0c1ad4572daa89caa3b12985bdd93530f0dd7.patch
|
||||
# Backport fix for CVE-2017-14041
|
||||
Patch2: e5285319229a5d77bf316bb0d3a6cbd3cb8666d9.patch
|
||||
# Backport fix for CVE-2017-14040
|
||||
Patch3: 2cd30c2b06ce332dede81cccad8b334cde997281.patch
|
||||
# Backport fix for Heap-based buffer overflow in opj_write_bytes_LE in cio.c
|
||||
Patch4: 4241ae6fbbf1de9658764a80944dc8108f2b4154.patch
|
||||
# Backport fix for Heap-based buffer overflow in opj_mqc_flush in mqc.c
|
||||
Patch5: afb308b9ccbe129608c9205cf3bb39bbefad90b9.patch
|
||||
|
||||
BuildRequires: cmake
|
||||
BuildRequires: zlib-devel
|
||||
@ -328,6 +336,9 @@ make test -C %{_target_platform}
|
||||
|
||||
|
||||
%changelog
|
||||
* Thu Aug 31 2017 Sandro Mani <manisandro@gmail.com> - 2.2.0-3
|
||||
- Backport more security fixes, including for CVE-2017-14041 and CVE-2017-14040
|
||||
|
||||
* Thu Aug 31 2017 Sandro Mani <manisandro@gmail.com> - 2.2.0-2
|
||||
- Backport patch for CVE-2017-12982
|
||||
|
||||
|
||||
Loading…
Reference in New Issue
Block a user