diff --git a/openjpeg2_CVE-2020-27841.patch b/openjpeg2_CVE-2020-27841.patch new file mode 100644 index 0000000..1d827bc --- /dev/null +++ b/openjpeg2_CVE-2020-27841.patch @@ -0,0 +1,226 @@ +diff -rupN --no-dereference openjpeg-2.3.1/src/lib/openjp2/pi.c openjpeg-2.3.1-new/src/lib/openjp2/pi.c +--- openjpeg-2.3.1/src/lib/openjp2/pi.c 2019-04-02 14:45:15.000000000 +0200 ++++ openjpeg-2.3.1-new/src/lib/openjp2/pi.c 2020-12-17 16:25:44.923030342 +0100 +@@ -192,10 +192,12 @@ static void opj_get_all_encoding_paramet + * @param p_image the image used to initialize the packet iterator (in fact only the number of components is relevant. + * @param p_cp the coding parameters. + * @param tileno the index of the tile from which creating the packet iterator. ++ * @param manager Event manager + */ + static opj_pi_iterator_t * opj_pi_create(const opj_image_t *p_image, + const opj_cp_t *p_cp, +- OPJ_UINT32 tileno); ++ OPJ_UINT32 tileno, ++ opj_event_mgr_t* manager); + /** + * FIXME DOC + */ +@@ -230,12 +232,6 @@ static OPJ_BOOL opj_pi_check_next_level( + ========================================================== + */ + +-static void opj_pi_emit_error(opj_pi_iterator_t * pi, const char* msg) +-{ +- (void)pi; +- (void)msg; +-} +- + static OPJ_BOOL opj_pi_next_lrcp(opj_pi_iterator_t * pi) + { + opj_pi_comp_t *comp = NULL; +@@ -272,7 +268,7 @@ static OPJ_BOOL opj_pi_next_lrcp(opj_pi_ + /* include should be resized when a POC arises, or */ + /* the POC should be rejected */ + if (index >= pi->include_size) { +- opj_pi_emit_error(pi, "Invalid access to pi->include"); ++ opj_event_msg(pi->manager, EVT_ERROR, "Invalid access to pi->include"); + return OPJ_FALSE; + } + if (!pi->include[index]) { +@@ -318,7 +314,7 @@ static OPJ_BOOL opj_pi_next_rlcp(opj_pi_ + index = pi->layno * pi->step_l + pi->resno * pi->step_r + pi->compno * + pi->step_c + pi->precno * pi->step_p; + if (index >= pi->include_size) { +- opj_pi_emit_error(pi, "Invalid access to pi->include"); ++ opj_event_msg(pi->manager, EVT_ERROR, "Invalid access to pi->include"); + return OPJ_FALSE; + } + if (!pi->include[index]) { +@@ -449,7 +445,7 @@ static OPJ_BOOL opj_pi_next_rpcl(opj_pi_ + index = pi->layno * pi->step_l + pi->resno * pi->step_r + pi->compno * + pi->step_c + pi->precno * pi->step_p; + if (index >= pi->include_size) { +- opj_pi_emit_error(pi, "Invalid access to pi->include"); ++ opj_event_msg(pi->manager, EVT_ERROR, "Invalid access to pi->include"); + return OPJ_FALSE; + } + if (!pi->include[index]) { +@@ -473,6 +469,13 @@ static OPJ_BOOL opj_pi_next_pcrl(opj_pi_ + opj_pi_resolution_t *res = NULL; + OPJ_UINT32 index = 0; + ++ if (pi->poc.compno0 >= pi->numcomps || ++ pi->poc.compno1 >= pi->numcomps + 1) { ++ opj_event_msg(pi->manager, EVT_ERROR, ++ "opj_pi_next_pcrl(): invalid compno0/compno1"); ++ return OPJ_FALSE; ++ } ++ + if (!pi->first) { + comp = &pi->comps[pi->compno]; + goto LABEL_SKIP; +@@ -580,7 +583,7 @@ static OPJ_BOOL opj_pi_next_pcrl(opj_pi_ + index = pi->layno * pi->step_l + pi->resno * pi->step_r + pi->compno * + pi->step_c + pi->precno * pi->step_p; + if (index >= pi->include_size) { +- opj_pi_emit_error(pi, "Invalid access to pi->include"); ++ opj_event_msg(pi->manager, EVT_ERROR, "Invalid access to pi->include"); + return OPJ_FALSE; + } + if (!pi->include[index]) { +@@ -604,6 +607,13 @@ static OPJ_BOOL opj_pi_next_cprl(opj_pi_ + opj_pi_resolution_t *res = NULL; + OPJ_UINT32 index = 0; + ++ if (pi->poc.compno0 >= pi->numcomps || ++ pi->poc.compno1 >= pi->numcomps + 1) { ++ opj_event_msg(pi->manager, EVT_ERROR, ++ "opj_pi_next_cprl(): invalid compno0/compno1"); ++ return OPJ_FALSE; ++ } ++ + if (!pi->first) { + comp = &pi->comps[pi->compno]; + goto LABEL_SKIP; +@@ -708,7 +718,7 @@ static OPJ_BOOL opj_pi_next_cprl(opj_pi_ + index = pi->layno * pi->step_l + pi->resno * pi->step_r + pi->compno * + pi->step_c + pi->precno * pi->step_p; + if (index >= pi->include_size) { +- opj_pi_emit_error(pi, "Invalid access to pi->include"); ++ opj_event_msg(pi->manager, EVT_ERROR, "Invalid access to pi->include"); + return OPJ_FALSE; + } + if (!pi->include[index]) { +@@ -981,7 +991,8 @@ static void opj_get_all_encoding_paramet + + static opj_pi_iterator_t * opj_pi_create(const opj_image_t *image, + const opj_cp_t *cp, +- OPJ_UINT32 tileno) ++ OPJ_UINT32 tileno, ++ opj_event_mgr_t* manager) + { + /* loop*/ + OPJ_UINT32 pino, compno; +@@ -1015,6 +1026,8 @@ static opj_pi_iterator_t * opj_pi_create + l_current_pi = l_pi; + for (pino = 0; pino < l_poc_bound ; ++pino) { + ++ l_current_pi->manager = manager; ++ + l_current_pi->comps = (opj_pi_comp_t*) opj_calloc(image->numcomps, + sizeof(opj_pi_comp_t)); + if (! l_current_pi->comps) { +@@ -1352,7 +1365,8 @@ static OPJ_BOOL opj_pi_check_next_level( + */ + opj_pi_iterator_t *opj_pi_create_decode(opj_image_t *p_image, + opj_cp_t *p_cp, +- OPJ_UINT32 p_tile_no) ++ OPJ_UINT32 p_tile_no, ++ opj_event_mgr_t* manager) + { + OPJ_UINT32 numcomps = p_image->numcomps; + +@@ -1407,7 +1421,7 @@ opj_pi_iterator_t *opj_pi_create_decode( + } + + /* memory allocation for pi */ +- l_pi = opj_pi_create(p_image, p_cp, p_tile_no); ++ l_pi = opj_pi_create(p_image, p_cp, p_tile_no, manager); + if (!l_pi) { + opj_free(l_tmp_data); + opj_free(l_tmp_ptr); +@@ -1552,7 +1566,8 @@ opj_pi_iterator_t *opj_pi_create_decode( + opj_pi_iterator_t *opj_pi_initialise_encode(const opj_image_t *p_image, + opj_cp_t *p_cp, + OPJ_UINT32 p_tile_no, +- J2K_T2_MODE p_t2_mode) ++ J2K_T2_MODE p_t2_mode, ++ opj_event_mgr_t* manager) + { + OPJ_UINT32 numcomps = p_image->numcomps; + +@@ -1606,7 +1621,7 @@ opj_pi_iterator_t *opj_pi_initialise_enc + } + + /* memory allocation for pi*/ +- l_pi = opj_pi_create(p_image, p_cp, p_tile_no); ++ l_pi = opj_pi_create(p_image, p_cp, p_tile_no, manager); + if (!l_pi) { + opj_free(l_tmp_data); + opj_free(l_tmp_ptr); +diff -rupN --no-dereference openjpeg-2.3.1/src/lib/openjp2/pi.h openjpeg-2.3.1-new/src/lib/openjp2/pi.h +--- openjpeg-2.3.1/src/lib/openjp2/pi.h 2019-04-02 14:45:15.000000000 +0200 ++++ openjpeg-2.3.1-new/src/lib/openjp2/pi.h 2020-12-17 16:25:44.923030342 +0100 +@@ -107,6 +107,8 @@ typedef struct opj_pi_iterator { + OPJ_INT32 x, y; + /** FIXME DOC*/ + OPJ_UINT32 dx, dy; ++ /** event manager */ ++ opj_event_mgr_t* manager; + } opj_pi_iterator_t; + + /** @name Exported functions */ +@@ -119,13 +121,15 @@ typedef struct opj_pi_iterator { + * @param cp the coding parameters. + * @param tileno index of the tile being encoded. + * @param t2_mode the type of pass for generating the packet iterator ++ * @param manager Event manager + * + * @return a list of packet iterator that points to the first packet of the tile (not true). + */ + opj_pi_iterator_t *opj_pi_initialise_encode(const opj_image_t *image, + opj_cp_t *cp, + OPJ_UINT32 tileno, +- J2K_T2_MODE t2_mode); ++ J2K_T2_MODE t2_mode, ++ opj_event_mgr_t* manager); + + /** + * Updates the encoding parameters of the codec. +@@ -161,12 +165,14 @@ Create a packet iterator for Decoder + @param image Raw image for which the packets will be listed + @param cp Coding parameters + @param tileno Number that identifies the tile for which to list the packets ++@param manager Event manager + @return Returns a packet iterator that points to the first packet of the tile + @see opj_pi_destroy + */ + opj_pi_iterator_t *opj_pi_create_decode(opj_image_t * image, + opj_cp_t * cp, +- OPJ_UINT32 tileno); ++ OPJ_UINT32 tileno, ++ opj_event_mgr_t* manager); + /** + * Destroys a packet iterator array. + * +diff -rupN --no-dereference openjpeg-2.3.1/src/lib/openjp2/t2.c openjpeg-2.3.1-new/src/lib/openjp2/t2.c +--- openjpeg-2.3.1/src/lib/openjp2/t2.c 2019-04-02 14:45:15.000000000 +0200 ++++ openjpeg-2.3.1-new/src/lib/openjp2/t2.c 2020-12-17 16:25:44.923030342 +0100 +@@ -244,7 +244,7 @@ OPJ_BOOL opj_t2_encode_packets(opj_t2_t* + l_image->numcomps : 1; + OPJ_UINT32 l_nb_pocs = l_tcp->numpocs + 1; + +- l_pi = opj_pi_initialise_encode(l_image, l_cp, p_tile_no, p_t2_mode); ++ l_pi = opj_pi_initialise_encode(l_image, l_cp, p_tile_no, p_t2_mode, p_manager); + if (!l_pi) { + return OPJ_FALSE; + } +@@ -405,7 +405,7 @@ OPJ_BOOL opj_t2_decode_packets(opj_tcd_t + #endif + + /* create a packet iterator */ +- l_pi = opj_pi_create_decode(l_image, l_cp, p_tile_no); ++ l_pi = opj_pi_create_decode(l_image, l_cp, p_tile_no, p_manager); + if (!l_pi) { + return OPJ_FALSE; + } diff --git a/openjpeg2_CVE-2020-27842.patch b/openjpeg2_CVE-2020-27842.patch new file mode 100644 index 0000000..f85a52f --- /dev/null +++ b/openjpeg2_CVE-2020-27842.patch @@ -0,0 +1,19 @@ +diff -rupN --no-dereference openjpeg-2.3.1/src/lib/openjp2/t2.c openjpeg-2.3.1-new/src/lib/openjp2/t2.c +--- openjpeg-2.3.1/src/lib/openjp2/t2.c 2020-12-17 16:25:44.967030302 +0100 ++++ openjpeg-2.3.1-new/src/lib/openjp2/t2.c 2020-12-17 16:25:44.969030300 +0100 +@@ -711,6 +711,15 @@ static OPJ_BOOL opj_t2_encode_packet(OPJ + continue; + } + ++ /* Avoid out of bounds access of https://github.com/uclouvain/openjpeg/issues/1294 */ ++ /* but likely not a proper fix. */ ++ if (precno >= res->pw * res->ph) { ++ opj_event_msg(p_manager, EVT_ERROR, ++ "opj_t2_encode_packet(): accessing precno=%u >= %u\n", ++ precno, res->pw * res->ph); ++ return OPJ_FALSE; ++ } ++ + prc = &band->precincts[precno]; + opj_tgt_reset(prc->incltree); + opj_tgt_reset(prc->imsbtree); diff --git a/openjpeg2_CVE-2020-27843.patch b/openjpeg2_CVE-2020-27843.patch new file mode 100644 index 0000000..d4705d6 --- /dev/null +++ b/openjpeg2_CVE-2020-27843.patch @@ -0,0 +1,19 @@ +diff -rupN --no-dereference openjpeg-2.3.1/src/lib/openjp2/t2.c openjpeg-2.3.1-new/src/lib/openjp2/t2.c +--- openjpeg-2.3.1/src/lib/openjp2/t2.c 2020-12-17 16:25:45.009030263 +0100 ++++ openjpeg-2.3.1-new/src/lib/openjp2/t2.c 2020-12-17 16:25:45.011030261 +0100 +@@ -787,6 +787,15 @@ static OPJ_BOOL opj_t2_encode_packet(OPJ + continue; + } + ++ /* Avoid out of bounds access of https://github.com/uclouvain/openjpeg/issues/1297 */ ++ /* but likely not a proper fix. */ ++ if (precno >= res->pw * res->ph) { ++ opj_event_msg(p_manager, EVT_ERROR, ++ "opj_t2_encode_packet(): accessing precno=%u >= %u\n", ++ precno, res->pw * res->ph); ++ return OPJ_FALSE; ++ } ++ + prc = &band->precincts[precno]; + l_nb_blocks = prc->cw * prc->ch; + cblk = prc->cblks.enc; diff --git a/openjpeg2_CVE-2020-27845.patch b/openjpeg2_CVE-2020-27845.patch new file mode 100644 index 0000000..1b8f41f --- /dev/null +++ b/openjpeg2_CVE-2020-27845.patch @@ -0,0 +1,63 @@ +diff -rupN --no-dereference openjpeg-2.3.1/src/lib/openjp2/pi.c openjpeg-2.3.1-new/src/lib/openjp2/pi.c +--- openjpeg-2.3.1/src/lib/openjp2/pi.c 2020-12-17 16:25:44.966030303 +0100 ++++ openjpeg-2.3.1-new/src/lib/openjp2/pi.c 2020-12-17 16:25:45.053030223 +0100 +@@ -238,6 +238,13 @@ static OPJ_BOOL opj_pi_next_lrcp(opj_pi_ + opj_pi_resolution_t *res = NULL; + OPJ_UINT32 index = 0; + ++ if (pi->poc.compno0 >= pi->numcomps || ++ pi->poc.compno1 >= pi->numcomps + 1) { ++ opj_event_msg(pi->manager, EVT_ERROR, ++ "opj_pi_next_lrcp(): invalid compno0/compno1\n"); ++ return OPJ_FALSE; ++ } ++ + if (!pi->first) { + comp = &pi->comps[pi->compno]; + res = &comp->resolutions[pi->resno]; +@@ -291,6 +298,13 @@ static OPJ_BOOL opj_pi_next_rlcp(opj_pi_ + opj_pi_resolution_t *res = NULL; + OPJ_UINT32 index = 0; + ++ if (pi->poc.compno0 >= pi->numcomps || ++ pi->poc.compno1 >= pi->numcomps + 1) { ++ opj_event_msg(pi->manager, EVT_ERROR, ++ "opj_pi_next_rlcp(): invalid compno0/compno1\n"); ++ return OPJ_FALSE; ++ } ++ + if (!pi->first) { + comp = &pi->comps[pi->compno]; + res = &comp->resolutions[pi->resno]; +@@ -337,6 +351,13 @@ static OPJ_BOOL opj_pi_next_rpcl(opj_pi_ + opj_pi_resolution_t *res = NULL; + OPJ_UINT32 index = 0; + ++ if (pi->poc.compno0 >= pi->numcomps || ++ pi->poc.compno1 >= pi->numcomps + 1) { ++ opj_event_msg(pi->manager, EVT_ERROR, ++ "opj_pi_next_rpcl(): invalid compno0/compno1\n"); ++ return OPJ_FALSE; ++ } ++ + if (!pi->first) { + goto LABEL_SKIP; + } else { +@@ -472,7 +493,7 @@ static OPJ_BOOL opj_pi_next_pcrl(opj_pi_ + if (pi->poc.compno0 >= pi->numcomps || + pi->poc.compno1 >= pi->numcomps + 1) { + opj_event_msg(pi->manager, EVT_ERROR, +- "opj_pi_next_pcrl(): invalid compno0/compno1"); ++ "opj_pi_next_pcrl(): invalid compno0/compno1\n"); + return OPJ_FALSE; + } + +@@ -610,7 +631,7 @@ static OPJ_BOOL opj_pi_next_cprl(opj_pi_ + if (pi->poc.compno0 >= pi->numcomps || + pi->poc.compno1 >= pi->numcomps + 1) { + opj_event_msg(pi->manager, EVT_ERROR, +- "opj_pi_next_cprl(): invalid compno0/compno1"); ++ "opj_pi_next_cprl(): invalid compno0/compno1\n"); + return OPJ_FALSE; + } +