From 96f9a2d0671eb5aafd3adfa9c56b54d8951ef295 Mon Sep 17 00:00:00 2001
From: Sandro Mani
Date: Thu, 4 Oct 2018 19:10:23 +0200
Subject: [PATCH] Backport patch for CVE-2018-5785 (#1537758)
---
 CVE-2018-5785.patch | 79 +++++++++++++++++++++++++++++++++++++++++++++
 openjpeg2.spec | 8 ++++-
 2 files changed, 86 insertions(+), 1 deletion(-)
 create mode 100644 CVE-2018-5785.patch
diff --git a/CVE-2018-5785.patch b/CVE-2018-5785.patch
new file mode 100644
index 0000000..b93515c
--- /dev/null
+++ b/CVE-2018-5785.patch
@@ -0,0 +1,79 @@
+From ca16fe55014c57090dd97369256c7657aeb25975 Mon Sep 17 00:00:00 2001
+From: Hugo Lefeuvre
+Date: Sat, 22 Sep 2018 14:33:19 -0400
+Subject: [PATCH] convertbmp: fix issues with zero bitmasks
+
+In the case where a BMP file declares compression 3 (BI_BITFIELDS)
+with header size <= 56, all bitmask values keep their initialization
+value 0. This may lead to various undefined behavior later e.g. when
+doing 1 << (l_comp->prec - 1).
+
+This issue does not affect files with bit count 16 because of a check
+added in 16240e2 which sets default values to the color masks if they
+are all 0.
+
+This commit adds similar checks for the 32 bit case.
+
+Also, if a BMP file declares compression 3 with header size >= 56 and
+intentional 0 bitmasks, the same issue will be triggered in both the
+16 and 32 bit count case.
+
+This commit adds checks to bmp_read_info_header() rejecting BMP files
+with "intentional" 0 bitmasks. These checks might be removed in the
+future when proper handling of zero bitmasks will be available in
+openjpeg2.
+
+fixes #1057 (CVE-2018-5785)
+---
+ src/bin/jp2/convertbmp.c | 21 +++++++++++++++++++++
+ 1 file changed, 21 insertions(+)
+
+diff --git a/src/bin/jp2/convertbmp.c b/src/bin/jp2/convertbmp.c
+index 084f70bb7..7fde99ab3 100644
+--- a/src/bin/jp2/convertbmp.c
++++ b/src/bin/jp2/convertbmp.c
+@@ -435,16 +435,31 @@ static OPJ_BOOL bmp_read_info_header(FILE* IN, OPJ_BITMAPINFOHEADER* header)
+ header->biRedMask |= (OPJ_UINT32)getc(IN) << 16;
+ header->biRedMask |= (OPJ_UINT32)getc(IN) << 24;
+
++ if (!header->biRedMask) {
++ fprintf(stderr, "Error, invalid red mask value %d\n", header->biRedMask);
++ return OPJ_FALSE;
++ }
++
+ header->biGreenMask = (OPJ_UINT32)getc(IN);
+ header->biGreenMask |= (OPJ_UINT32)getc(IN) << 8;
+ header->biGreenMask |= (OPJ_UINT32)getc(IN) << 16;
+ header->biGreenMask |= (OPJ_UINT32)getc(IN) << 24;
+
++ if (!header->biGreenMask) {
++ fprintf(stderr, "Error, invalid green mask value %d\n", header->biGreenMask);
++ return OPJ_FALSE;
++ }
++
+ header->biBlueMask = (OPJ_UINT32)getc(IN);
+ header->biBlueMask |= (OPJ_UINT32)getc(IN) << 8;
+ header->biBlueMask |= (OPJ_UINT32)getc(IN) << 16;
+ header->biBlueMask |= (OPJ_UINT32)getc(IN) << 24;
+
++ if (!header->biBlueMask) {
++ fprintf(stderr, "Error, invalid blue mask value %d\n", header->biBlueMask);
++ return OPJ_FALSE;
++ }
++
+ header->biAlphaMask = (OPJ_UINT32)getc(IN);
+ header->biAlphaMask |= (OPJ_UINT32)getc(IN) << 8;
+ header->biAlphaMask |= (OPJ_UINT32)getc(IN) << 16;
+@@ -831,6 +846,12 @@ opj_image_t* bmptoimage(const char *filename, opj_cparameters_t *parameters)
+ bmpmask32toimage(pData, stride, image, 0x00FF0000U, 0x0000FF00U, 0x000000FFU,
+ 0x00000000U);
+ } else if (Info_h.biBitCount == 32 && Info_h.biCompression == 3) { /* bitmask */
++ if ((Info_h.biRedMask == 0U) && (Info_h.biGreenMask == 0U) &&
++ (Info_h.biBlueMask == 0U)) {
++ Info_h.biRedMask = 0x00FF0000U;
++ Info_h.biGreenMask = 0x0000FF00U;
++ Info_h.biBlueMask = 0x000000FFU;
++ }
+ bmpmask32toimage(pData, stride, image,
Info_h.biRedMask, Info_h.biGreenMask,
+ Info_h.biBlueMask, Info_h.biAlphaMask);
+ } else if (Info_h.biBitCount == 16 && Info_h.biCompression == 0) { /* RGBX */
diff --git a/openjpeg2.spec b/openjpeg2.spec
index f20e89d..6c8fb91 100644
--- a/openjpeg2.spec
+++ b/openjpeg2.spec
@@ -5,7 +5,7 @@
 Name: openjpeg2
 Version: 2.3.0
-Release: 8%{?dist}
+Release: 9%{?dist}
 Summary: C-Library for JPEG 2000
 # windirent.h is MIT, the rest is BSD
@@ -23,6 +23,9 @@ Patch0: openjpeg2_remove-thirdparty.patch
 Patch1: openjpeg2_install.patch
 # Rename tool names to avoid conflicts with openjpeg-1.x
 Patch2: openjpeg2_opj2.patch
+# Backport patch for CVE-2018-5785
+# https://github.com/uclouvain/openjpeg/commit/ca16fe55014c57090dd97369256c7657aeb25975
+Patch3: CVE-2018-5785.patch
 BuildRequires: cmake
 # The library itself is C only, but there is some optional C++ stuff, hence the project is not marked as C-only in cmake and hence cmake looks for a c++ compiler
@@ -328,6 +331,9 @@ make test -C %{_target_platform}
 %changelog
+* Thu Oct 04 2018 Sandro Mani - 2.3.0-9
+- Backport patch for CVE-2018-5785 (#1537758)
+
 * Fri Jul 13 2018 Fedora Release Engineering - 2.3.0-8
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
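Review bot: The three new rejection messages in bmp_read_info_header() pass the OPJ_UINT32-valued mask field to a `%d` conversion, which is a format/argument type mismatch (a -Wformat warning, and strictly undefined per the C standard); since the value is known to be zero on that path the argument can simply be dropped, `fprintf(stderr, "Error, invalid red mask value 0\n");`, and likewise for the green and blue messages. The added checks reject only an all-zero mask, so a non-zero mask that overlaps another channel or is not contiguous still reaches bmpmask32toimage() unchanged; that consumer is outside this hunk, so whether it tolerates such masks cannot be confirmed from here and is worth a look. The alpha mask read just below is deliberately left unchecked, presumably because zero means "no alpha", and a one-line comment to that effect above the biAlphaMask reads would spare the next reader the question. Both bmp_read_info_header() and bmptoimage() begin and end outside the hunk; as this is an upstream commit carried verbatim as a backport, the `%d` point may be better recorded in the spec comment than by diverging from upstream.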