Backport patch for CVE-2018-5785 (#1537758)
parent
b2fda7b64a
commit
96f9a2d067
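--- a/CVE-2018-5785.patch
+++ b/CVE-2018-5785.patch
@@ -0,0 +1,79 @@
+From ca16fe55014c57090dd97369256c7657aeb25975 Mon Sep 17 00:00:00 2001
+From: Hugo Lefeuvre <hle@debian.org>
+Date: Sat, 22 Sep 2018 14:33:19 -0400
+Subject: [PATCH] convertbmp: fix issues with zero bitmasks
+
+In the case where a BMP file declares compression 3 (BI_BITFIELDS)
+with header size <= 56, all bitmask values keep their initialization
+value 0. This may lead to various undefined behavior later e.g. when
+doing 1 << (l_comp->prec - 1).
+
+This issue does not affect files with bit count 16 because of a check
+added in 16240e2 which sets default values to the color masks if they
+are all 0.
+
+This commit adds similar checks for the 32 bit case.
+
+Also, if a BMP file declares compression 3 with header size >= 56 and
+intentional 0 bitmasks, the same issue will be triggered in both the
+16 and 32 bit count case.
+
+This commit adds checks to bmp_read_info_header() rejecting BMP files
+with "intentional" 0 bitmasks. These checks might be removed in the
+future when proper handling of zero bitmasks will be available in
+openjpeg2.
+
+fixes #1057 (CVE-2018-5785)
+---
+src/bin/jp2/convertbmp.c | 21 +++++++++++++++++++++
+1 file changed, 21 insertions(+)
+
+diff --git a/src/bin/jp2/convertbmp.c b/src/bin/jp2/convertbmp.c
+index 084f70bb7..7fde99ab3 100644
+--- a/src/bin/jp2/convertbmp.c
++++ b/src/bin/jp2/convertbmp.c
+@@ -435,16 +435,31 @@ static OPJ_BOOL bmp_read_info_header(FILE* IN, OPJ_BITMAPINFOHEADER* header)
+header->biRedMask |= (OPJ_UINT32)getc(IN) << 16;
+header->biRedMask |= (OPJ_UINT32)getc(IN) << 24;
+
++ if (!header->biRedMask) {
++ fprintf(stderr, "Error, invalid red mask value %d\n", header->biRedMask);
++ return OPJ_FALSE;
++ }
++
+header->biGreenMask = (OPJ_UINT32)getc(IN);
+header->biGreenMask |= (OPJ_UINT32)getc(IN) << 8;
+header->biGreenMask |= (OPJ_UINT32)getc(IN) << 16;
+header->biGreenMask |= (OPJ_UINT32)getc(IN) << 24;
+
++ if (!header->biGreenMask) {
++ fprintf(stderr, "Error, invalid green mask value %d\n", header->biGreenMask);
++ return OPJ_FALSE;
++ }
++
+header->biBlueMask = (OPJ_UINT32)getc(IN);
+header->biBlueMask |= (OPJ_UINT32)getc(IN) << 8;
+header->biBlueMask |= (OPJ_UINT32)getc(IN) << 16;
+header->biBlueMask |= (OPJ_UINT32)getc(IN) << 24;
+
++ if (!header->biBlueMask) {
++ fprintf(stderr, "Error, invalid blue mask value %d\n", header->biBlueMask);
++ return OPJ_FALSE;
++ }
++
+header->biAlphaMask = (OPJ_UINT32)getc(IN);
+header->biAlphaMask |= (OPJ_UINT32)getc(IN) << 8;
+header->biAlphaMask |= (OPJ_UINT32)getc(IN) << 16;
+@@ -831,6 +846,12 @@ opj_image_t* bmptoimage(const char *filename, opj_cparameters_t *parameters)
+bmpmask32toimage(pData, stride, image, 0x00FF0000U, 0x0000FF00U, 0x000000FFU,
+0x00000000U);
+} else if (Info_h.biBitCount == 32 && Info_h.biCompression == 3) { /* bitmask */
++ if ((Info_h.biRedMask == 0U) && (Info_h.biGreenMask == 0U) &&
++ (Info_h.biBlueMask == 0U)) {
++ Info_h.biRedMask = 0x00FF0000U;
++ Info_h.biGreenMask = 0x0000FF00U;
++ Info_h.biBlueMask = 0x000000FFU;
++ }
+bmpmask32toimage(pData, stride, image, Info_h.biRedMask, Info_h.biGreenMask,
+Info_h.biBlueMask, Info_h.biAlphaMask);
+} else if (Info_h.biBitCount == 16 && Info_h.biCompression == 0) { /* RGBX */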
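Review bot: The zero-mask checks added to bmp_read_info_header() test values assembled from unchecked `getc(IN)` calls, so on a truncated header `(OPJ_UINT32)getc(IN)` turns EOF (typically -1) into all-ones and the mask passes `if (!header->biRedMask)` as non-zero; the same holds for the green and blue checks. Unless the part of the function outside this hunk already detects a short read, a stream-state test ahead of the mask checks, for example `if (feof(IN) || ferror(IN)) { return OPJ_FALSE; }`, would make the rejection cover truncated files as well as intentional zero masks. The three new `fprintf` calls also pass an `OPJ_UINT32` to `%d`; `%u` matches the type, although the value printed on these paths is always 0. The function begins and ends outside the hunk, so existing EOF handling there could not be confirmed.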
|
||||
@ -5,7 +5,7 @@
|
||||
|
||||
Name: openjpeg2
|
||||
Version: 2.3.0
|
||||
Release: 8%{?dist}
|
||||
Release: 9%{?dist}
|
||||
Summary: C-Library for JPEG 2000
|
||||
|
||||
# windirent.h is MIT, the rest is BSD
|
||||
@ -23,6 +23,9 @@ Patch0: openjpeg2_remove-thirdparty.patch
|
||||
Patch1: openjpeg2_install.patch
|
||||
# Rename tool names to avoid conflicts with openjpeg-1.x
|
||||
Patch2: openjpeg2_opj2.patch
|
||||
# Backport patch for CVE-2018-5785
|
||||
# https://github.com/uclouvain/openjpeg/commit/ca16fe55014c57090dd97369256c7657aeb25975
|
||||
Patch3: CVE-2018-5785.patch
|
||||
|
||||
BuildRequires: cmake
|
||||
# The library itself is C only, but there is some optional C++ stuff, hence the project is not marked as C-only in cmake and hence cmake looks for a c++ compiler
|
||||
@ -328,6 +331,9 @@ make test -C %{_target_platform}
|
||||
|
||||
|
||||
%changelog
|
||||
* Thu Oct 04 2018 Sandro Mani <manisandro@gmail.com> - 2.3.0-9
|
||||
- Backport patch for CVE-2018-5785 (#1537758)
|
||||
|
||||
* Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2.3.0-8
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
|
||||
|
||||
|
||||