rpms/openjpeg2
7
0
Fork 0
Code Issues Pull Requests Releases Activity

import UBI openjpeg2-2.4.0-8.el9

Browse Source
This commit is contained in:
eabdullin 2025-05-13 14:46:22 +00:00
parent 91d430caa8
commit b75c22566d
4 changed files with 153 additions and 29 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

108
SOURCES/openjpeg2-2.5.2-cve-2024-56826.patch Normal file
View File

@ -0,0 +1,108 @@
diff --git a/src/bin/common/color.c b/src/bin/common/color.c
index ae5d648da..e4924a152 100644
--- a/src/bin/common/color.c
+++ b/src/bin/common/color.c
@@ -158,7 +158,7 @@ static void sycc422_to_rgb(opj_image_t *img)
{
int *d0, *d1, *d2, *r, *g, *b;
const int *y, *cb, *cr;
- size_t maxw, maxh, max, offx, loopmaxw;
+ size_t maxw, maxh, max, offx, loopmaxw, comp12w;
int offset, upb;
size_t i;
@@ -167,6 +167,7 @@ static void sycc422_to_rgb(opj_image_t *img)
upb = (1 << upb) - 1;
maxw = (size_t)img->comps[0].w;
+ comp12w = (size_t)img->comps[1].w;
maxh = (size_t)img->comps[0].h;
max = maxw * maxh;
@@ -212,13 +213,19 @@ static void sycc422_to_rgb(opj_image_t *img)
++cr;
}
if (j < loopmaxw) {
- sycc_to_rgb(offset, upb, *y, *cb, *cr, r, g, b);
+ if (j / 2 == comp12w) {
+ sycc_to_rgb(offset, upb, *y, 0, 0, r, g, b);
+ } else {
+ sycc_to_rgb(offset, upb, *y, *cb, *cr, r, g, b);
+ }
++y;
++r;
++g;
++b;
- ++cb;
- ++cr;
+ if (j / 2 < comp12w) {
+ ++cb;
+ ++cr;
+ }
}
}
@@ -246,7 +253,7 @@ static void sycc420_to_rgb(opj_image_t *img)
{
int *d0, *d1, *d2, *r, *g, *b, *nr, *ng, *nb;
const int *y, *cb, *cr, *ny;
- size_t maxw, maxh, max, offx, loopmaxw, offy, loopmaxh;
+ size_t maxw, maxh, max, offx, loopmaxw, offy, loopmaxh, comp12w;
int offset, upb;
size_t i;
@@ -255,6 +262,7 @@ static void sycc420_to_rgb(opj_image_t *img)
upb = (1 << upb) - 1;
maxw = (size_t)img->comps[0].w;
+ comp12w = (size_t)img->comps[1].w;
maxh = (size_t)img->comps[0].h;
max = maxw * maxh;
@@ -336,19 +344,29 @@ static void sycc420_to_rgb(opj_image_t *img)
++cr;
}
if (j < loopmaxw) {
- sycc_to_rgb(offset, upb, *y, *cb, *cr, r, g, b);
+ if (j / 2 == comp12w) {
+ sycc_to_rgb(offset, upb, *y, 0, 0, r, g, b);
+ } else {
+ sycc_to_rgb(offset, upb, *y, *cb, *cr, r, g, b);
+ }
++y;
++r;
++g;
++b;
- sycc_to_rgb(offset, upb, *ny, *cb, *cr, nr, ng, nb);
+ if (j / 2 == comp12w) {
+ sycc_to_rgb(offset, upb, *ny, 0, 0, nr, ng, nb);
+ } else {
+ sycc_to_rgb(offset, upb, *ny, *cb, *cr, nr, ng, nb);
+ }
++ny;
++nr;
++ng;
++nb;
- ++cb;
- ++cr;
+ if (j / 2 < comp12w) {
+ ++cb;
+ ++cr;
+ }
}
y += maxw;
r += maxw;
@@ -384,7 +402,11 @@ static void sycc420_to_rgb(opj_image_t *img)
++cr;
}
if (j < loopmaxw) {
- sycc_to_rgb(offset, upb, *y, *cb, *cr, r, g, b);
+ if (j / 2 == comp12w) {
+ sycc_to_rgb(offset, upb, *y, 0, 0, r, g, b);
+ } else {
+ sycc_to_rgb(offset, upb, *y, *cb, *cr, r, g, b);
+ }
}
}

14
SOURCES/openjpeg2-2.5.2-cve-2024-56827.patch Normal file
View File

@ -0,0 +1,14 @@
diff --git a/src/lib/openjp2/j2k.c b/src/lib/openjp2/j2k.c
index 7dc389fa2..b5903a59c 100644
--- a/src/lib/openjp2/j2k.c
+++ b/src/lib/openjp2/j2k.c
@@ -8456,7 +8456,8 @@ static OPJ_BOOL opj_j2k_add_tlmarker(OPJ_UINT32 tileno,
if (type == J2K_MS_SOT) {
OPJ_UINT32 l_current_tile_part = cstr_index->tile_index[tileno].current_tpsno;
- if (cstr_index->tile_index[tileno].tp_index) {
+ if (cstr_index->tile_index[tileno].tp_index &&
+ l_current_tile_part < cstr_index->tile_index[tileno].nb_tps) {
cstr_index->tile_index[tileno].tp_index[l_current_tile_part].start_pos = pos;
}

49
SOURCES/openjpeg2-CVE-2021-3575.patch
View File

@ -1,35 +1,30 @@
From 409907d89878222cf9dea80f0add8f73e9383834 Mon Sep 17 00:00:00 2001
From: Mehdi Sabwat <mehdisabwat@gmail.com>
Date: Fri, 7 May 2021 01:50:37 +0200
Subject: [PATCH] fix heap buffer overflow #1347
---
src/bin/common/color.c | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/src/bin/common/color.c b/src/bin/common/color.c
index 27f15f1..935fa44 100644
index 27f15f137..ae5d648da 100644
--- a/src/bin/common/color.c
+++ b/src/bin/common/color.c
@@ -368,12 +368,15 @@ static void sycc420_to_rgb(opj_image_t *img)
@@ -358,7 +358,15 @@ static void sycc420_to_rgb(opj_image_t *img)
if (i < loopmaxh) {
size_t j;
- for (j = 0U; j < (maxw & ~(size_t)1U); j += 2U) {
+ if (offx > 0U) {
+ sycc_to_rgb(offset, upb, *y, 0, 0, r, g, b);
+ ++y;
+ ++r;
+ ++g;
+ ++b;
+ }
+
+ for (j = 0U; j < (loopmaxw & ~(size_t)1U); j += 2U) {
sycc_to_rgb(offset, upb, *y, *cb, *cr, r, g, b);
- ++y;
+ if (*y != img->comps[0].data[loopmaxh])
+ ++y;
++r;
++g;
++b;
- ++cb;
- ++cr;
+ if (*cb != img->comps[1].data[loopmaxh])
+ ++cb;
+ if (*cr != img->comps[2].data[loopmaxh])
+ ++cr;
++y;
@@ -375,7 +383,7 @@ static void sycc420_to_rgb(opj_image_t *img)
++cb;
++cr;
}
if (j < maxw) {
- if (j < maxw) {
+ if (j < loopmaxw) {
sycc_to_rgb(offset, upb, *y, *cb, *cr, r, g, b);
--
2.31.1
}
}

11
SPECS/openjpeg2.spec
View File

@ -8,7 +8,7 @@
Name: openjpeg2
Version: 2.4.0
Release: 7%{?dist}
Release: 8%{?dist}
Summary: C-Library for JPEG 2000
# windirent.h is MIT, the rest is BSD
@ -24,9 +24,13 @@ Source1: data.tar.xz
Patch0: openjpeg2_opj2.patch
# Fix CVE-2021-29338
Patch1: openjpeg2-CVE-2021-29338.patch
# Fix CVE-2021-3575
# Fix CVE-2021-3575 https://github.com/uclouvain/openjpeg/commit/7bd884f8750892de4f50bf4642fcfbe7011c6bdf
Patch2: openjpeg2-CVE-2021-3575.patch
Patch3: openjpeg2-CVE-2022-1122.patch
# https://github.com/uclouvain/openjpeg/commit/98592ee6d6904f1b48e8207238779b89a63befa2 for < 2.5.3
Patch4: openjpeg2-2.5.2-cve-2024-56826.patch
# https://github.com/uclouvain/openjpeg/commit/e492644fbded4c820ca55b5e50e598d346e850e8 for < 2.5.3
Patch5: openjpeg2-2.5.2-cve-2024-56827.patch
BuildRequires: cmake
# The library itself is C only, but there is some optional C++ stuff, hence the project is not marked as C-only in cmake and hence cmake looks for a c++ compiler
@ -328,6 +332,9 @@ chmod +x %{buildroot}%{_bindir}/opj2_jpip_viewer
%changelog
* Thu Jan 23 2025 Michal Hlavinka <mhlavink@redhat.com> - 2.4.0-8
- fix two heap buffer overflows CVE-2024-56826 and CVE-2024-52827 (RHEL-72519,RHEL-72521)
* Wed Jun 15 2022 Matej Mužila <mmuzila@redhat.com> - 2.4.0-7
- Fix CVE-2022-1122