Backport fix for use after free vulnerability (#1263359)

2015-09-15 18:15:00 +02:00 · 2015-09-15 18:15:00 +02:00 · b90a7240fe
commit b90a7240fe
parent 9f066f19b5
2 changed files with 41 additions and 1 deletions
--- a/940100c28ae28931722290794889cf84a92c5f6f.patch
+++ b/940100c28ae28931722290794889cf84a92c5f6f.patch
@ -0,0 +1,34 @@
+diff -rupN openjpeg-version.2.1/src/lib/openjp2/j2k.c openjpeg-version.2.1-new/src/lib/openjp2/j2k.c
+--- openjpeg-version.2.1/src/lib/openjp2/j2k.c	2014-04-29 14:58:10.000000000 +0200
+++ openjpeg-version.2.1-new/src/lib/openjp2/j2k.c	2015-09-15 18:12:52.394986909 +0200
+@@ -5526,8 +5526,7 @@ OPJ_BOOL opj_j2k_write_mco(     opj_j2k_
+         assert(p_stream != 00);
+ 
+         l_tcp =&(p_j2k->m_cp.tcps[p_j2k->m_current_tile_number]);
+-        l_current_data = p_j2k->m_specific_param.m_encoder.m_header_tile_data;
+-
+	
+         l_mco_size = 5 + l_tcp->m_nb_mcc_records;
+         if (l_mco_size > p_j2k->m_specific_param.m_encoder.m_header_tile_data_size) {
+ 
+@@ -5542,6 +5541,8 @@ OPJ_BOOL opj_j2k_write_mco(     opj_j2k_
+                 p_j2k->m_specific_param.m_encoder.m_header_tile_data = new_header_tile_data;
+                 p_j2k->m_specific_param.m_encoder.m_header_tile_data_size = l_mco_size;
+         }
+        l_current_data = p_j2k->m_specific_param.m_encoder.m_header_tile_data;
+
+ 
+         opj_write_bytes(l_current_data,J2K_MS_MCO,2);                   /* MCO */
+         l_current_data += 2;
+@@ -5553,10 +5554,9 @@ OPJ_BOOL opj_j2k_write_mco(     opj_j2k_
+         ++l_current_data;
+ 
+         l_mcc_record = l_tcp->m_mcc_records;
+-        for     (i=0;i<l_tcp->m_nb_mcc_records;++i) {
+        for (i=0;i<l_tcp->m_nb_mcc_records;++i) {
+                 opj_write_bytes(l_current_data,l_mcc_record->m_index,1);/* Imco -> use the mcc indicated by 1*/
+                 ++l_current_data;
+-
+                 ++l_mcc_record;
+         }
+ 
--- a/openjpeg2.spec
+++ b/openjpeg2.spec
@ -10,7 +10,7 @@

 Name:           openjpeg2
 Version:        2.1.0
-Release:        5%{?dist}
+Release:        6%{?dist}
 Summary:        C-Library for JPEG 2000

 # windirent.h is MIT, the rest is BSD
@ -30,6 +30,8 @@ Source1: data.tar.xz
 Patch0:         openjpeg2_remove-thirdparty.patch
 # Bigendian fixes
 Patch1:         openjpeg2_bigendian.patch
+# Backport fix for use after free vulnerability (#1263359)
+Patch2:         940100c28ae28931722290794889cf84a92c5f6f.patch

 BuildRequires:  cmake
 BuildRequires:  zlib-devel
@ -211,6 +213,7 @@ OpenJPEG2 JP3D module command line tools
 %endif
 %patch0 -p1
 %patch1 -p1
+%patch2 -p1

 # Remove all third party libraries just to be sure
 rm -rf thirdparty
@ -339,6 +342,9 @@ make test -C %{_target_platform}


 %changelog
+* Tue Sep 15 2015 Sandro Mani <manisandro@gmail.com> - 2.1.0-6
+- Backport fix for use after free vulnerability (#1263359)
+
 * Thu Jun 25 2015 Sandro Mani <manisandro@gmail.com> - 2.1.0-5
 - Add openjpeg2_bigendian.patch (#1232739)