From b90a7240febe1dab8507f9078663acdfed8e92e6 Mon Sep 17 00:00:00 2001
From: Sandro Mani
Date: Tue, 15 Sep 2015 18:15:00 +0200
Subject: [PATCH] Backport fix for use after free vulnerability (#1263359)
---
 ...00c28ae28931722290794889cf84a92c5f6f.patch | 34 +++++++++++++++++++
 openjpeg2.spec | 8 ++++-
 2 files changed, 41 insertions(+), 1 deletion(-)
 create mode 100644 940100c28ae28931722290794889cf84a92c5f6f.patch
diff --git a/940100c28ae28931722290794889cf84a92c5f6f.patch b/940100c28ae28931722290794889cf84a92c5f6f.patch
new file mode 100644
index 0000000..fabae95
--- /dev/null
+++ b/940100c28ae28931722290794889cf84a92c5f6f.patch
@@ -0,0 +1,34 @@
+diff -rupN openjpeg-version.2.1/src/lib/openjp2/j2k.c openjpeg-version.2.1-new/src/lib/openjp2/j2k.c
+--- openjpeg-version.2.1/src/lib/openjp2/j2k.c 2014-04-29 14:58:10.000000000 +0200
++++ openjpeg-version.2.1-new/src/lib/openjp2/j2k.c 2015-09-15 18:12:52.394986909 +0200
+@@ -5526,8 +5526,7 @@ OPJ_BOOL opj_j2k_write_mco( opj_j2k_
+ assert(p_stream != 00);
+
+ l_tcp =&(p_j2k->m_cp.tcps[p_j2k->m_current_tile_number]);
+- l_current_data = p_j2k->m_specific_param.m_encoder.m_header_tile_data;
+-
++
+ l_mco_size = 5 + l_tcp->m_nb_mcc_records;
+ if (l_mco_size > p_j2k->m_specific_param.m_encoder.m_header_tile_data_size) {
+
+@@ -5542,6 +5541,8 @@ OPJ_BOOL opj_j2k_write_mco( opj_j2k_
+ p_j2k->m_specific_param.m_encoder.m_header_tile_data = new_header_tile_data;
+ p_j2k->m_specific_param.m_encoder.m_header_tile_data_size = l_mco_size;
+ }
++ l_current_data = p_j2k->m_specific_param.m_encoder.m_header_tile_data;
++
+
+ opj_write_bytes(l_current_data,J2K_MS_MCO,2); /* MCO */
+ l_current_data += 2;
+@@ -5553,10 +5554,9 @@ OPJ_BOOL opj_j2k_write_mco( opj_j2k_
+ ++l_current_data;
+
+ l_mcc_record = l_tcp->m_mcc_records;
+- for (i=0;im_nb_mcc_records;++i) {
++ for (i=0;im_nb_mcc_records;++i) {
+ opj_write_bytes(l_current_data,l_mcc_record->m_index,1);/* Imco -> use the mcc indicated by 1*/
+ ++l_current_data;
+-
+ ++l_mcc_record;
+ }
+
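Review bot: The relocated `l_current_data = p_j2k->m_specific_param.m_encoder.m_header_tile_data;` in the second hunk of the backported patch has no comment saying why it must follow the resize branch, so a later cleanup could hoist it back above the `if (l_mco_size > ...)` block and reintroduce the stale pointer. I would add `/* read only after the possible buffer replacement above; the previous buffer may have been freed */` on the line before it. The third hunk appears to change only whitespace (a removed blank line and a re-indented `for`); dropping it would keep the backport limited to the security-relevant lines and easier to compare with the original fix. opj_j2k_write_mco starts and ends outside the hunks shown, and other writers in j2k.c that grow `m_header_tile_data` are not visible here, so they are worth checking for the same read-before-resize ordering.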
diff --git a/openjpeg2.spec b/openjpeg2.spec index dcaad6b..cb9b320 100644 --- a/openjpeg2.spec +++ b/openjpeg2.spec @@ -10,7 +10,7 @@ Name: openjpeg2 Version: 2.1.0 -Release: 5%{?dist} +Release: 6%{?dist} Summary: C-Library for JPEG 2000 # windirent.h is MIT, the rest is BSD @@ -30,6 +30,8 @@ Source1: data.tar.xz Patch0: openjpeg2_remove-thirdparty.patch # Bigendian fixes Patch1: openjpeg2_bigendian.patch +# Backport fix for use after free vulnerability (#1263359) +Patch2: 940100c28ae28931722290794889cf84a92c5f6f.patch BuildRequires: cmake BuildRequires: zlib-devel @@ -211,6 +213,7 @@ OpenJPEG2 JP3D module command line tools %endif %patch0 -p1 %patch1 -p1 +%patch2 -p1 # Remove all third party libraries just to be sure rm -rf thirdparty @@ -339,6 +342,9 @@ make test -C %{_target_platform} %changelog +* Tue Sep 15 2015 Sandro Mani - 2.1.0-6 +- Backport fix for use after free vulnerability (#1263359) + * Thu Jun 25 2015 Sandro Mani - 2.1.0-5 - Add openjpeg2_bigendian.patch (#1232739)
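Review bot: `Patch2` is named after a bare hash, unlike `openjpeg2_remove-thirdparty.patch` and `openjpeg2_bigendian.patch`, and the added patch file starts directly at `diff -rupN` with no header stating where it came from. For a security backport the provenance should be recorded where the next packager will look, for example by extending the comment to `# Backport fix for use after free vulnerability (#1263359), upstream commit 940100c28ae28931722290794889cf84a92c5f6f` (assuming the file name is the upstream commit id, which the page does not state). An `openjpeg2_`-prefixed file name would also keep the patch list consistent.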