import openjpeg2-2.4.0-4.el8

This commit is contained in:
CentOS Sources 2021-11-09 04:50:06 -05:00 committed by Stepan Oksanichenko
parent 5ae400819b
commit d3cf5dd642
8 changed files with 268 additions and 97 deletions

2
.gitignore vendored
View File

@ -1 +1 @@
SOURCES/openjpeg-2.3.1.tar.gz
SOURCES/openjpeg-2.4.0.tar.gz

View File

@ -1 +1 @@
38321fa9730252039ad0b7f247a160a8164f5871 SOURCES/openjpeg-2.3.1.tar.gz
bbbf4dc4d9ce95286843cd39ac2febd3fd516c9d SOURCES/openjpeg-2.4.0.tar.gz

View File

@ -0,0 +1,165 @@
From efbfbbb723e100cfbcea287a30958bf678e83458 Mon Sep 17 00:00:00 2001
From: Ariadne Conill <ariadne@dereferenced.org>
Date: Tue, 27 Apr 2021 09:37:40 -0600
Subject: [PATCH] opj_{compress,decompress,dump}: fix possible buffer overflows
in path manipulation functions
---
src/bin/jp2/opj_compress.c | 12 ++++++------
src/bin/jp2/opj_decompress.c | 13 ++++++-------
src/bin/jp2/opj_dump.c | 14 +++++++-------
3 files changed, 19 insertions(+), 20 deletions(-)
diff --git a/src/bin/jp2/opj_compress.c b/src/bin/jp2/opj_compress.c
index 6827484..d8f894c 100644
--- a/src/bin/jp2/opj_compress.c
+++ b/src/bin/jp2/opj_compress.c
@@ -543,8 +543,8 @@ static char * get_file_name(char *name)
static char get_next_file(int imageno, dircnt_t *dirptr, img_fol_t *img_fol,
opj_cparameters_t *parameters)
{
- char image_filename[OPJ_PATH_LEN], infilename[OPJ_PATH_LEN],
- outfilename[OPJ_PATH_LEN], temp_ofname[OPJ_PATH_LEN];
+ char image_filename[OPJ_PATH_LEN], infilename[OPJ_PATH_LEN * 2],
+ outfilename[OPJ_PATH_LEN * 2], temp_ofname[OPJ_PATH_LEN];
char *temp_p, temp1[OPJ_PATH_LEN] = "";
strcpy(image_filename, dirptr->filename[imageno]);
@@ -553,7 +553,7 @@ static char get_next_file(int imageno, dircnt_t *dirptr, img_fol_t *img_fol,
if (parameters->decod_format == -1) {
return 1;
}
- sprintf(infilename, "%s/%s", img_fol->imgdirpath, image_filename);
+ snprintf(infilename, OPJ_PATH_LEN * 2, "%s/%s", img_fol->imgdirpath, image_filename);
if (opj_strcpy_s(parameters->infile, sizeof(parameters->infile),
infilename) != 0) {
return 1;
@@ -566,7 +566,7 @@ static char get_next_file(int imageno, dircnt_t *dirptr, img_fol_t *img_fol,
sprintf(temp1, ".%s", temp_p);
}
if (img_fol->set_out_format == 1) {
- sprintf(outfilename, "%s/%s.%s", img_fol->imgdirpath, temp_ofname,
+ snprintf(outfilename, OPJ_PATH_LEN * 2, "%s/%s.%s", img_fol->imgdirpath, temp_ofname,
img_fol->out_format);
if (opj_strcpy_s(parameters->outfile, sizeof(parameters->outfile),
outfilename) != 0) {
@@ -1910,9 +1910,9 @@ int main(int argc, char **argv)
num_images = get_num_images(img_fol.imgdirpath);
dirptr = (dircnt_t*)malloc(sizeof(dircnt_t));
if (dirptr) {
- dirptr->filename_buf = (char*)malloc(num_images * OPJ_PATH_LEN * sizeof(
+ dirptr->filename_buf = (char*)calloc(num_images, OPJ_PATH_LEN * sizeof(
char)); /* Stores at max 10 image file names*/
- dirptr->filename = (char**) malloc(num_images * sizeof(char*));
+ dirptr->filename = (char**) calloc(num_images, sizeof(char*));
if (!dirptr->filename_buf) {
ret = 0;
goto fin;
diff --git a/src/bin/jp2/opj_decompress.c b/src/bin/jp2/opj_decompress.c
index 2634907..e54e54f 100644
--- a/src/bin/jp2/opj_decompress.c
+++ b/src/bin/jp2/opj_decompress.c
@@ -455,13 +455,13 @@ const char* path_separator = "/";
char get_next_file(int imageno, dircnt_t *dirptr, img_fol_t *img_fol,
opj_decompress_parameters *parameters)
{
- char image_filename[OPJ_PATH_LEN], infilename[OPJ_PATH_LEN],
- outfilename[OPJ_PATH_LEN], temp_ofname[OPJ_PATH_LEN];
+ char image_filename[OPJ_PATH_LEN], infilename[OPJ_PATH_LEN * 2],
+ outfilename[OPJ_PATH_LEN * 2], temp_ofname[OPJ_PATH_LEN];
char *temp_p, temp1[OPJ_PATH_LEN] = "";
strcpy(image_filename, dirptr->filename[imageno]);
fprintf(stderr, "File Number %d \"%s\"\n", imageno, image_filename);
- sprintf(infilename, "%s%s%s", img_fol->imgdirpath, path_separator,
+ snprintf(infilename, OPJ_PATH_LEN * 2, "%s%s%s", img_fol->imgdirpath, path_separator,
image_filename);
parameters->decod_format = infile_format(infilename);
if (parameters->decod_format == -1) {
@@ -479,7 +479,7 @@ char get_next_file(int imageno, dircnt_t *dirptr, img_fol_t *img_fol,
sprintf(temp1, ".%s", temp_p);
}
if (img_fol->set_out_format == 1) {
- sprintf(outfilename, "%s/%s.%s", img_fol->imgdirpath, temp_ofname,
+ snprintf(outfilename, OPJ_PATH_LEN * 2, "%s/%s.%s", img_fol->imgdirpath, temp_ofname,
img_fol->out_format);
if (opj_strcpy_s(parameters->outfile, sizeof(parameters->outfile),
outfilename) != 0) {
@@ -1357,14 +1357,13 @@ int main(int argc, char **argv)
return EXIT_FAILURE;
}
/* Stores at max 10 image file names */
- dirptr->filename_buf = (char*)malloc(sizeof(char) *
- (size_t)num_images * OPJ_PATH_LEN);
+ dirptr->filename_buf = calloc((size_t) num_images, sizeof(char) * OPJ_PATH_LEN);
if (!dirptr->filename_buf) {
failed = 1;
goto fin;
}
- dirptr->filename = (char**) malloc((size_t)num_images * sizeof(char*));
+ dirptr->filename = (char**) calloc((size_t) num_images, sizeof(char*));
if (!dirptr->filename) {
failed = 1;
diff --git a/src/bin/jp2/opj_dump.c b/src/bin/jp2/opj_dump.c
index 6e15fee..4e19c61 100644
--- a/src/bin/jp2/opj_dump.c
+++ b/src/bin/jp2/opj_dump.c
@@ -201,8 +201,8 @@ static int get_file_format(const char *filename)
static char get_next_file(int imageno, dircnt_t *dirptr, img_fol_t *img_fol,
opj_dparameters_t *parameters)
{
- char image_filename[OPJ_PATH_LEN], infilename[OPJ_PATH_LEN],
- outfilename[OPJ_PATH_LEN], temp_ofname[OPJ_PATH_LEN];
+ char image_filename[OPJ_PATH_LEN], infilename[OPJ_PATH_LEN * 2],
+ outfilename[OPJ_PATH_LEN * 2], temp_ofname[OPJ_PATH_LEN];
char *temp_p, temp1[OPJ_PATH_LEN] = "";
strcpy(image_filename, dirptr->filename[imageno]);
@@ -211,7 +211,7 @@ static char get_next_file(int imageno, dircnt_t *dirptr, img_fol_t *img_fol,
if (parameters->decod_format == -1) {
return 1;
}
- sprintf(infilename, "%s/%s", img_fol->imgdirpath, image_filename);
+ snprintf(infilename, OPJ_PATH_LEN * 2, "%s/%s", img_fol->imgdirpath, image_filename);
if (opj_strcpy_s(parameters->infile, sizeof(parameters->infile),
infilename) != 0) {
return 1;
@@ -224,7 +224,7 @@ static char get_next_file(int imageno, dircnt_t *dirptr, img_fol_t *img_fol,
sprintf(temp1, ".%s", temp_p);
}
if (img_fol->set_out_format == 1) {
- sprintf(outfilename, "%s/%s.%s", img_fol->imgdirpath, temp_ofname,
+ snprintf(outfilename, OPJ_PATH_LEN * 2, "%s/%s.%s", img_fol->imgdirpath, temp_ofname,
img_fol->out_format);
if (opj_strcpy_s(parameters->outfile, sizeof(parameters->outfile),
outfilename) != 0) {
@@ -457,7 +457,7 @@ int main(int argc, char *argv[])
opj_codestream_info_v2_t* cstr_info = NULL;
opj_codestream_index_t* cstr_index = NULL;
- OPJ_INT32 num_images, imageno;
+ int num_images, imageno;
img_fol_t img_fol;
dircnt_t *dirptr = NULL;
@@ -486,13 +486,13 @@ int main(int argc, char *argv[])
if (!dirptr) {
return EXIT_FAILURE;
}
- dirptr->filename_buf = (char*)malloc((size_t)num_images * OPJ_PATH_LEN * sizeof(
+ dirptr->filename_buf = (char*) calloc((size_t) num_images, OPJ_PATH_LEN * sizeof(
char)); /* Stores at max 10 image file names*/
if (!dirptr->filename_buf) {
free(dirptr);
return EXIT_FAILURE;
}
- dirptr->filename = (char**) malloc((size_t)num_images * sizeof(char*));
+ dirptr->filename = (char**) calloc((size_t) num_images, sizeof(char*));
if (!dirptr->filename) {
goto fails;
--
2.31.1

View File

@ -0,0 +1,35 @@
From 409907d89878222cf9dea80f0add8f73e9383834 Mon Sep 17 00:00:00 2001
From: Mehdi Sabwat <mehdisabwat@gmail.com>
Date: Fri, 7 May 2021 01:50:37 +0200
Subject: [PATCH] fix heap buffer overflow #1347
---
src/bin/common/color.c | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/src/bin/common/color.c b/src/bin/common/color.c
index 27f15f1..935fa44 100644
--- a/src/bin/common/color.c
+++ b/src/bin/common/color.c
@@ -368,12 +368,15 @@ static void sycc420_to_rgb(opj_image_t *img)
sycc_to_rgb(offset, upb, *y, *cb, *cr, r, g, b);
- ++y;
+ if (*y != img->comps[0].data[loopmaxh])
+ ++y;
++r;
++g;
++b;
- ++cb;
- ++cr;
+ if (*cb != img->comps[1].data[loopmaxh])
+ ++cb;
+ if (*cr != img->comps[2].data[loopmaxh])
+ ++cr;
}
if (j < maxw) {
sycc_to_rgb(offset, upb, *y, *cb, *cr, r, g, b);
--
2.31.1

View File

@ -1,32 +0,0 @@
From 36dc8ffca8c085423149bb028da5688936c88c68 Mon Sep 17 00:00:00 2001
From: Even Rouault <even.rouault@spatialys.com>
Date: Sat, 11 Jan 2020 01:51:19 +0100
Subject: [PATCH] opj_j2k_update_image_dimensions(): reject images whose
coordinates are beyond INT_MAX (fixes #1228)
---
src/lib/openjp2/j2k.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/src/lib/openjp2/j2k.c b/src/lib/openjp2/j2k.c
index 4169cd6..9e9a30f 100644
--- a/src/lib/openjp2/j2k.c
+++ b/src/lib/openjp2/j2k.c
@@ -9236,6 +9236,14 @@ static OPJ_BOOL opj_j2k_update_image_dimensions(opj_image_t* p_image,
l_img_comp = p_image->comps;
for (it_comp = 0; it_comp < p_image->numcomps; ++it_comp) {
OPJ_INT32 l_h, l_w;
+ if (p_image->x0 > (OPJ_UINT32)INT_MAX ||
+ p_image->y0 > (OPJ_UINT32)INT_MAX ||
+ p_image->x1 > (OPJ_UINT32)INT_MAX ||
+ p_image->y1 > (OPJ_UINT32)INT_MAX) {
+ opj_event_msg(p_manager, EVT_ERROR,
+ "Image coordinates above INT_MAX are not supported\n");
+ return OPJ_FALSE;
+ }
l_img_comp->x0 = (OPJ_UINT32)opj_int_ceildiv((OPJ_INT32)p_image->x0,
(OPJ_INT32)l_img_comp->dx);
--
2.21.1

View File

@ -1,46 +0,0 @@
From dc315cbd2d8582498c885a55ea73ecc84634168b Mon Sep 17 00:00:00 2001
From: Even Rouault <even.rouault@spatialys.com>
Date: Thu, 30 Jan 2020 00:59:57 +0100
Subject: [PATCH] opj_tcd_init_tile(): avoid integer overflow
That could lead to later assertion failures.
Fixes #1231 / CVE-2020-8112
---
src/lib/openjp2/tcd.c | 20 ++++++++++++++++++--
1 file changed, 18 insertions(+), 2 deletions(-)
diff --git a/src/lib/openjp2/tcd.c b/src/lib/openjp2/tcd.c
index be3b843..647991c 100644
--- a/src/lib/openjp2/tcd.c
+++ b/src/lib/openjp2/tcd.c
@@ -905,8 +905,24 @@ static INLINE OPJ_BOOL opj_tcd_init_tile(opj_tcd_t *p_tcd, OPJ_UINT32 p_tile_no,
/* p. 64, B.6, ISO/IEC FDIS15444-1 : 2000 (18 august 2000) */
l_tl_prc_x_start = opj_int_floordivpow2(l_res->x0, (OPJ_INT32)l_pdx) << l_pdx;
l_tl_prc_y_start = opj_int_floordivpow2(l_res->y0, (OPJ_INT32)l_pdy) << l_pdy;
- l_br_prc_x_end = opj_int_ceildivpow2(l_res->x1, (OPJ_INT32)l_pdx) << l_pdx;
- l_br_prc_y_end = opj_int_ceildivpow2(l_res->y1, (OPJ_INT32)l_pdy) << l_pdy;
+ {
+ OPJ_UINT32 tmp = ((OPJ_UINT32)opj_int_ceildivpow2(l_res->x1,
+ (OPJ_INT32)l_pdx)) << l_pdx;
+ if (tmp > (OPJ_UINT32)INT_MAX) {
+ opj_event_msg(manager, EVT_ERROR, "Integer overflow\n");
+ return OPJ_FALSE;
+ }
+ l_br_prc_x_end = (OPJ_INT32)tmp;
+ }
+ {
+ OPJ_UINT32 tmp = ((OPJ_UINT32)opj_int_ceildivpow2(l_res->y1,
+ (OPJ_INT32)l_pdy)) << l_pdy;
+ if (tmp > (OPJ_UINT32)INT_MAX) {
+ opj_event_msg(manager, EVT_ERROR, "Integer overflow\n");
+ return OPJ_FALSE;
+ }
+ l_br_prc_y_end = (OPJ_INT32)tmp;
+ }
/*fprintf(stderr, "\t\t\tprc_x_start=%d, prc_y_start=%d, br_prc_x_end=%d, br_prc_y_end=%d \n", l_tl_prc_x_start, l_tl_prc_y_start, l_br_prc_x_end ,l_br_prc_y_end );*/
l_res->pw = (l_res->x0 == l_res->x1) ? 0U : (OPJ_UINT32)((
--
2.21.1

View File

@ -1,5 +1,5 @@
diff --git a/src/bin/jp2/convertpng.c b/src/bin/jp2/convertpng.c
index 44d985f..b85e126 100644
index 00f596e..af3f91e 100644
--- a/src/bin/jp2/convertpng.c
+++ b/src/bin/jp2/convertpng.c
@@ -75,10 +75,10 @@ opj_image_t *pngtoimage(const char *read_idf, opj_cparameters_t * params)
@ -17,10 +17,10 @@ index 44d985f..b85e126 100644
OPJ_UINT32 nr_comp;
OPJ_BYTE sigbuf[8];
diff --git a/src/bin/jp2/converttif.c b/src/bin/jp2/converttif.c
index 6714d69..625c407 100644
index 9d1037a..8d5002a 100644
--- a/src/bin/jp2/converttif.c
+++ b/src/bin/jp2/converttif.c
@@ -714,7 +714,7 @@ int imagetotif(opj_image_t * image, const char *outfile)
@@ -720,7 +720,7 @@ int imagetotif(opj_image_t * image, const char *outfile)
TIFFClose(tif);
return 1;
}
@ -29,7 +29,7 @@ index 6714d69..625c407 100644
if (rowStride != strip_size) {
fprintf(stderr, "Invalid TIFF strip size\n");
TIFFClose(tif);
@@ -1277,8 +1277,6 @@ opj_image_t* tiftoimage(const char *filename, opj_cparameters_t *parameters)
@@ -1283,8 +1283,6 @@ opj_image_t* tiftoimage(const char *filename, opj_cparameters_t *parameters)
TIFFGetField(tif, TIFFTAG_SAMPLESPERPIXEL, &tiSpp);
TIFFGetField(tif, TIFFTAG_PHOTOMETRIC, &tiPhoto);
TIFFGetField(tif, TIFFTAG_PLANARCONFIG, &tiPC);
@ -38,7 +38,7 @@ index 6714d69..625c407 100644
if (tiSpp == 0 || tiSpp > 4) { /* should be 1 ... 4 */
fprintf(stderr, "tiftoimage: Bad value for samples per pixel == %d.\n"
@@ -1445,7 +1443,7 @@ opj_image_t* tiftoimage(const char *filename, opj_cparameters_t *parameters)
@@ -1451,7 +1449,7 @@ opj_image_t* tiftoimage(const char *filename, opj_cparameters_t *parameters)
return NULL;
}
@ -47,3 +47,28 @@ index 6714d69..625c407 100644
buffer32s = (OPJ_INT32 *)malloc(sizeof(OPJ_INT32) * tiWidth * tiSpp);
if (buffer32s == NULL) {
_TIFFfree(buf);
diff --git a/src/lib/openjp2/j2k.c b/src/lib/openjp2/j2k.c
index 8e343ab..c13d229 100644
--- a/src/lib/openjp2/j2k.c
+++ b/src/lib/openjp2/j2k.c
@@ -7075,7 +7075,7 @@ static OPJ_BOOL opj_j2k_is_imf_compliant(opj_cparameters_t *parameters,
/* Validate sublevel */
assert(sizeof(tabMaxSubLevelFromMainLevel) ==
(OPJ_IMF_MAINLEVEL_MAX + 1) * sizeof(tabMaxSubLevelFromMainLevel[0]));
- if (sublevel > tabMaxSubLevelFromMainLevel[mainlevel]) {
+ if (mainlevel <= OPJ_IMF_MAINLEVEL_MAX && sublevel > tabMaxSubLevelFromMainLevel[mainlevel]) {
opj_event_msg(p_manager, EVT_WARNING,
"IMF profile require sublevel <= %d for mainlevel = %d.\n"
"-> %d is thus not compliant\n"
diff --git a/src/lib/openjp2/t2.c b/src/lib/openjp2/t2.c
index 1481e16..d46bfb4 100644
--- a/src/lib/openjp2/t2.c
+++ b/src/lib/openjp2/t2.c
@@ -821,6 +821,7 @@ static OPJ_BOOL opj_t2_encode_packet(OPJ_UINT32 tileno,
opj_event_msg(p_manager, EVT_ERROR,
"opj_t2_encode_packet(): accessing precno=%u >= %u\n",
precno, res->pw * res->ph);
+ opj_bio_destroy(bio);
return OPJ_FALSE;
}

View File

@ -4,8 +4,8 @@
#global optional_components 1
Name: openjpeg2
Version: 2.3.1
Release: 6%{?dist}
Version: 2.4.0
Release: 4%{?dist}
Summary: C-Library for JPEG 2000
# windirent.h is MIT, the rest is BSD
@ -23,11 +23,10 @@ Patch0: openjpeg2_opj2.patch
# Fix Coverity issues
Patch1: openjpeg2_coverity.patch
# Fix for CVE-2020-6851
Patch2: openjpeg2_CVE-2020-6851.patch
# Fix for CVE-2020-8112
Patch3: openjpeg2_CVE-2020-8112.patch
# Fix CVE-2021-29338
Patch2: openjpeg2-CVE-2021-29338.patch
# Fix CVE-2021-3575
Patch3: openjpeg2-CVE-2021-3575.patch
BuildRequires: cmake
BuildRequires: gcc
@ -267,12 +266,12 @@ make test -C %{_target_platform}
%{_mandir}/man3/libopenjp2.3*
%files devel
%dir %{_includedir}/openjpeg-2.3/
%{_includedir}/openjpeg-2.3/openjpeg.h
%{_includedir}/openjpeg-2.3/opj_config.h
%{_includedir}/openjpeg-2.3/opj_stdint.h
%dir %{_includedir}/openjpeg-2.4/
%{_includedir}/openjpeg-2.4/openjpeg.h
%{_includedir}/openjpeg-2.4/opj_config.h
%{_includedir}/openjpeg-2.4/opj_stdint.h
%{_libdir}/libopenjp2.so
%{_libdir}/openjpeg-2.3/
%{_libdir}/openjpeg-2.4/
%{_libdir}/pkgconfig/libopenjp2.pc
%files devel-docs
@ -332,6 +331,31 @@ make test -C %{_target_platform}
%changelog
* Fri Jul 02 2021 Nikola Forró <nforro@redhat.com> - 2.4.0-4
- Fix Covscan defect
* Wed Jun 09 2021 Nikola Forró <nforro@redhat.com> - 2.4.0-3
- Fix CVE-2021-3575 (#1969279)
- Fix resource leak identified by Covscan
* Wed Jun 02 2021 Nikola Forró <nforro@redhat.com> - 2.4.0-2
- Fix CVE-2021-29338 (#1951332)
* Mon Mar 01 2021 Nikola Forró <nforro@redhat.com> - 2.4.0-1
- Rebase to 2.4.0
- Resolves: CVE-2018-5727 (#1538467)
- Resolves: CVE-2018-5785 (#1538556)
- Resolves: CVE-2018-20845 (#1730679)
- Resolves: CVE-2018-20847 (#1734337)
- Resolves: CVE-2019-12973 (#1739076)
- Resolves: CVE-2020-15389 (#1855115)
- Resolves: CVE-2020-27814 (#1908965)
- Resolves: CVE-2020-27823 (#1906222)
- Resolves: CVE-2020-27824 (#1906216)
- Resolves: CVE-2020-27842 (#1908165)
- Resolves: CVE-2020-27843 (#1908164)
- Resolves: CVE-2020-27845 (#1908168)
* Mon Feb 10 2020 Nikola Forró <nforro@redhat.com> - 2.3.1-6
- Fix CVE-2020-8112 (#1801034)