From b6898f73c1e804334b26eb5f67578f7e31c99f03 Mon Sep 17 00:00:00 2001
From: DistroBaker <osci-list@redhat.com>
Date: Fri, 11 Dec 2020 12:22:26 +0100
Subject: [PATCH] Merged update from upstream sources

This is an automated DistroBaker update from upstream sources.
If you do not know what this is about or would like to opt out,
contact the OSCI team.

Source: https://src.fedoraproject.org/rpms/openjpeg2.git#14c537271510fdc92e4c9cea3c6dd09402aa7e2d
---
 openjpeg2.spec                 | 11 ++++++++++-
 openjpeg2_CVE-2020-27823.patch | 26 ++++++++++++++++++++++++++
 openjpeg2_CVE-2020-27824.patch | 23 +++++++++++++++++++++++
 3 files changed, 59 insertions(+), 1 deletion(-)
 create mode 100644 openjpeg2_CVE-2020-27823.patch
 create mode 100644 openjpeg2_CVE-2020-27824.patch

diff --git a/openjpeg2.spec b/openjpeg2.spec
index 3406a80..38186b8 100644
--- a/openjpeg2.spec
+++ b/openjpeg2.spec
@@ -8,7 +8,7 @@
 
 Name:           openjpeg2
 Version:        2.3.1
-Release:        8%{?dist}
+Release:        9%{?dist}
 Summary:        C-Library for JPEG 2000
 
 # windirent.h is MIT, the rest is BSD
@@ -31,6 +31,12 @@ Patch2:         openjpeg2_CVE-2020-8112.patch
 # Backport patch for CVE-2020-27814
 # https://github.com/uclouvain/openjpeg/commit/eaa098b59b346cb88e4d10d505061f669d7134fc
 Patch3:         openjpeg2_CVE-2020-27814.patch
+# Backport patch for CVE-2020-27824
+# https://github.com/uclouvain/openjpeg/pull/1292/commits/6daf5f3e1ec6eff03b7982889874a3de6617db8d
+Patch4:         openjpeg2_CVE-2020-27824.patch
+# Backport patch for CVE-2020-27823
+# https://github.com/uclouvain/openjpeg/commit/b2072402b7e14d22bba6fb8cde2a1e9996e9a919
+Patch5:         openjpeg2_CVE-2020-27823.patch
 
 
 BuildRequires:  cmake
@@ -333,6 +339,9 @@ chmod +x %{buildroot}%{_bindir}/opj2_jpip_viewer
 
 
 %changelog
+* Thu Dec 10 2020 Sandro Mani <manisandro@gmail.com> - 2.3.1-9
+* Backport patches for CVE-2020-27824 and CVE-2020-27823
+
 * Sat Nov 28 2020 Sandro Mani <manisandro@gmail.com> - 2.3.1-8
 - Backport patch for CVE-2020-27814
 
diff --git a/openjpeg2_CVE-2020-27823.patch b/openjpeg2_CVE-2020-27823.patch
new file mode 100644
index 0000000..02fa0ac
--- /dev/null
+++ b/openjpeg2_CVE-2020-27823.patch
@@ -0,0 +1,26 @@
+From b2072402b7e14d22bba6fb8cde2a1e9996e9a919 Mon Sep 17 00:00:00 2001
+From: Even Rouault <even.rouault@spatialys.com>
+Date: Mon, 30 Nov 2020 22:31:51 +0100
+Subject: [PATCH] pngtoimage(): fix wrong computation of x1,y1 if -d option is
+ used, that would result in a heap buffer overflow (fixes #1284)
+
+---
+ src/bin/jp2/convertpng.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/bin/jp2/convertpng.c b/src/bin/jp2/convertpng.c
+index 328c91beb..00f596e27 100644
+--- a/src/bin/jp2/convertpng.c
++++ b/src/bin/jp2/convertpng.c
+@@ -223,9 +223,9 @@ opj_image_t *pngtoimage(const char *read_idf, opj_cparameters_t * params)
+     image->x0 = (OPJ_UINT32)params->image_offset_x0;
+     image->y0 = (OPJ_UINT32)params->image_offset_y0;
+     image->x1 = (OPJ_UINT32)(image->x0 + (width  - 1) * (OPJ_UINT32)
+-                             params->subsampling_dx + 1 + image->x0);
++                             params->subsampling_dx + 1);
+     image->y1 = (OPJ_UINT32)(image->y0 + (height - 1) * (OPJ_UINT32)
+-                             params->subsampling_dy + 1 + image->y0);
++                             params->subsampling_dy + 1);
+ 
+     row32s = (OPJ_INT32 *)malloc((size_t)width * nr_comp * sizeof(OPJ_INT32));
+     if (row32s == NULL) {
diff --git a/openjpeg2_CVE-2020-27824.patch b/openjpeg2_CVE-2020-27824.patch
new file mode 100644
index 0000000..8301f7e
--- /dev/null
+++ b/openjpeg2_CVE-2020-27824.patch
@@ -0,0 +1,23 @@
+From 6daf5f3e1ec6eff03b7982889874a3de6617db8d Mon Sep 17 00:00:00 2001
+From: Even Rouault <even.rouault@spatialys.com>
+Date: Mon, 30 Nov 2020 22:37:07 +0100
+Subject: [PATCH] Encoder: avoid global buffer overflow on irreversible
+ conversion when too many decomposition levels are specified (fixes #1286)
+
+---
+ src/lib/openjp2/dwt.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/lib/openjp2/dwt.c b/src/lib/openjp2/dwt.c
+index ee9eb5e63..4164ba090 100644
+--- a/src/lib/openjp2/dwt.c
++++ b/src/lib/openjp2/dwt.c
+@@ -1976,7 +1976,7 @@ void opj_dwt_calc_explicit_stepsizes(opj_tccp_t * tccp, OPJ_UINT32 prec)
+         if (tccp->qntsty == J2K_CCP_QNTSTY_NOQNT) {
+             stepsize = 1.0;
+         } else {
+-            OPJ_FLOAT64 norm = opj_dwt_norms_real[orient][level];
++            OPJ_FLOAT64 norm = opj_dwt_getnorm_real(level, orient);
+             stepsize = (1 << (gain)) / norm;
+         }
+         opj_dwt_encode_stepsize((OPJ_INT32) floor(stepsize * 8192.0),