Compare commits

..

No commits in common. "fb20b7e521800acc921c4e0d5c5c65d225e78205" and "359483f939b95e94ef234cd6f4908fcc2e64ed7f" have entirely different histories.

12 changed files with 85 additions and 279 deletions

1
.gitignore vendored
View File

@ -7,4 +7,3 @@
/openjpeg-2.2.0.tar.gz
/openjpeg-2.3.0.tar.gz
/openjpeg-2.3.1.tar.gz
/openjpeg-2.4.0.tar.gz

View File

@ -1 +0,0 @@
bbbf4dc4d9ce95286843cd39ac2febd3fd516c9d openjpeg-2.4.0.tar.gz

View File

@ -1,7 +0,0 @@
--- !Policy
product_versions:
- rhel-9
decision_context: osci_compose_gate
rules:
- !PassingTestCaseRule {test_case_name: osci.brew-build.tier0.functional}
- !PassingTestCaseRule {test_case_name: baseos-ci.brew-build.tier1.functional}

View File

@ -1,165 +0,0 @@
From efbfbbb723e100cfbcea287a30958bf678e83458 Mon Sep 17 00:00:00 2001
From: Ariadne Conill <ariadne@dereferenced.org>
Date: Tue, 27 Apr 2021 09:37:40 -0600
Subject: [PATCH] opj_{compress,decompress,dump}: fix possible buffer overflows
in path manipulation functions
---
src/bin/jp2/opj_compress.c | 12 ++++++------
src/bin/jp2/opj_decompress.c | 13 ++++++-------
src/bin/jp2/opj_dump.c | 14 +++++++-------
3 files changed, 19 insertions(+), 20 deletions(-)
diff --git a/src/bin/jp2/opj_compress.c b/src/bin/jp2/opj_compress.c
index 6827484..d8f894c 100644
--- a/src/bin/jp2/opj_compress.c
+++ b/src/bin/jp2/opj_compress.c
@@ -543,8 +543,8 @@ static char * get_file_name(char *name)
static char get_next_file(int imageno, dircnt_t *dirptr, img_fol_t *img_fol,
opj_cparameters_t *parameters)
{
- char image_filename[OPJ_PATH_LEN], infilename[OPJ_PATH_LEN],
- outfilename[OPJ_PATH_LEN], temp_ofname[OPJ_PATH_LEN];
+ char image_filename[OPJ_PATH_LEN], infilename[OPJ_PATH_LEN * 2],
+ outfilename[OPJ_PATH_LEN * 2], temp_ofname[OPJ_PATH_LEN];
char *temp_p, temp1[OPJ_PATH_LEN] = "";
strcpy(image_filename, dirptr->filename[imageno]);
@@ -553,7 +553,7 @@ static char get_next_file(int imageno, dircnt_t *dirptr, img_fol_t *img_fol,
if (parameters->decod_format == -1) {
return 1;
}
- sprintf(infilename, "%s/%s", img_fol->imgdirpath, image_filename);
+ snprintf(infilename, OPJ_PATH_LEN * 2, "%s/%s", img_fol->imgdirpath, image_filename);
if (opj_strcpy_s(parameters->infile, sizeof(parameters->infile),
infilename) != 0) {
return 1;
@@ -566,7 +566,7 @@ static char get_next_file(int imageno, dircnt_t *dirptr, img_fol_t *img_fol,
sprintf(temp1, ".%s", temp_p);
}
if (img_fol->set_out_format == 1) {
- sprintf(outfilename, "%s/%s.%s", img_fol->imgdirpath, temp_ofname,
+ snprintf(outfilename, OPJ_PATH_LEN * 2, "%s/%s.%s", img_fol->imgdirpath, temp_ofname,
img_fol->out_format);
if (opj_strcpy_s(parameters->outfile, sizeof(parameters->outfile),
outfilename) != 0) {
@@ -1910,9 +1910,9 @@ int main(int argc, char **argv)
num_images = get_num_images(img_fol.imgdirpath);
dirptr = (dircnt_t*)malloc(sizeof(dircnt_t));
if (dirptr) {
- dirptr->filename_buf = (char*)malloc(num_images * OPJ_PATH_LEN * sizeof(
+ dirptr->filename_buf = (char*)calloc(num_images, OPJ_PATH_LEN * sizeof(
char)); /* Stores at max 10 image file names*/
- dirptr->filename = (char**) malloc(num_images * sizeof(char*));
+ dirptr->filename = (char**) calloc(num_images, sizeof(char*));
if (!dirptr->filename_buf) {
ret = 0;
goto fin;
diff --git a/src/bin/jp2/opj_decompress.c b/src/bin/jp2/opj_decompress.c
index 2634907..e54e54f 100644
--- a/src/bin/jp2/opj_decompress.c
+++ b/src/bin/jp2/opj_decompress.c
@@ -455,13 +455,13 @@ const char* path_separator = "/";
char get_next_file(int imageno, dircnt_t *dirptr, img_fol_t *img_fol,
opj_decompress_parameters *parameters)
{
- char image_filename[OPJ_PATH_LEN], infilename[OPJ_PATH_LEN],
- outfilename[OPJ_PATH_LEN], temp_ofname[OPJ_PATH_LEN];
+ char image_filename[OPJ_PATH_LEN], infilename[OPJ_PATH_LEN * 2],
+ outfilename[OPJ_PATH_LEN * 2], temp_ofname[OPJ_PATH_LEN];
char *temp_p, temp1[OPJ_PATH_LEN] = "";
strcpy(image_filename, dirptr->filename[imageno]);
fprintf(stderr, "File Number %d \"%s\"\n", imageno, image_filename);
- sprintf(infilename, "%s%s%s", img_fol->imgdirpath, path_separator,
+ snprintf(infilename, OPJ_PATH_LEN * 2, "%s%s%s", img_fol->imgdirpath, path_separator,
image_filename);
parameters->decod_format = infile_format(infilename);
if (parameters->decod_format == -1) {
@@ -479,7 +479,7 @@ char get_next_file(int imageno, dircnt_t *dirptr, img_fol_t *img_fol,
sprintf(temp1, ".%s", temp_p);
}
if (img_fol->set_out_format == 1) {
- sprintf(outfilename, "%s/%s.%s", img_fol->imgdirpath, temp_ofname,
+ snprintf(outfilename, OPJ_PATH_LEN * 2, "%s/%s.%s", img_fol->imgdirpath, temp_ofname,
img_fol->out_format);
if (opj_strcpy_s(parameters->outfile, sizeof(parameters->outfile),
outfilename) != 0) {
@@ -1357,14 +1357,13 @@ int main(int argc, char **argv)
return EXIT_FAILURE;
}
/* Stores at max 10 image file names */
- dirptr->filename_buf = (char*)malloc(sizeof(char) *
- (size_t)num_images * OPJ_PATH_LEN);
+ dirptr->filename_buf = calloc((size_t) num_images, sizeof(char) * OPJ_PATH_LEN);
if (!dirptr->filename_buf) {
failed = 1;
goto fin;
}
- dirptr->filename = (char**) malloc((size_t)num_images * sizeof(char*));
+ dirptr->filename = (char**) calloc((size_t) num_images, sizeof(char*));
if (!dirptr->filename) {
failed = 1;
diff --git a/src/bin/jp2/opj_dump.c b/src/bin/jp2/opj_dump.c
index 6e15fee..4e19c61 100644
--- a/src/bin/jp2/opj_dump.c
+++ b/src/bin/jp2/opj_dump.c
@@ -201,8 +201,8 @@ static int get_file_format(const char *filename)
static char get_next_file(int imageno, dircnt_t *dirptr, img_fol_t *img_fol,
opj_dparameters_t *parameters)
{
- char image_filename[OPJ_PATH_LEN], infilename[OPJ_PATH_LEN],
- outfilename[OPJ_PATH_LEN], temp_ofname[OPJ_PATH_LEN];
+ char image_filename[OPJ_PATH_LEN], infilename[OPJ_PATH_LEN * 2],
+ outfilename[OPJ_PATH_LEN * 2], temp_ofname[OPJ_PATH_LEN];
char *temp_p, temp1[OPJ_PATH_LEN] = "";
strcpy(image_filename, dirptr->filename[imageno]);
@@ -211,7 +211,7 @@ static char get_next_file(int imageno, dircnt_t *dirptr, img_fol_t *img_fol,
if (parameters->decod_format == -1) {
return 1;
}
- sprintf(infilename, "%s/%s", img_fol->imgdirpath, image_filename);
+ snprintf(infilename, OPJ_PATH_LEN * 2, "%s/%s", img_fol->imgdirpath, image_filename);
if (opj_strcpy_s(parameters->infile, sizeof(parameters->infile),
infilename) != 0) {
return 1;
@@ -224,7 +224,7 @@ static char get_next_file(int imageno, dircnt_t *dirptr, img_fol_t *img_fol,
sprintf(temp1, ".%s", temp_p);
}
if (img_fol->set_out_format == 1) {
- sprintf(outfilename, "%s/%s.%s", img_fol->imgdirpath, temp_ofname,
+ snprintf(outfilename, OPJ_PATH_LEN * 2, "%s/%s.%s", img_fol->imgdirpath, temp_ofname,
img_fol->out_format);
if (opj_strcpy_s(parameters->outfile, sizeof(parameters->outfile),
outfilename) != 0) {
@@ -457,7 +457,7 @@ int main(int argc, char *argv[])
opj_codestream_info_v2_t* cstr_info = NULL;
opj_codestream_index_t* cstr_index = NULL;
- OPJ_INT32 num_images, imageno;
+ int num_images, imageno;
img_fol_t img_fol;
dircnt_t *dirptr = NULL;
@@ -486,13 +486,13 @@ int main(int argc, char *argv[])
if (!dirptr) {
return EXIT_FAILURE;
}
- dirptr->filename_buf = (char*)malloc((size_t)num_images * OPJ_PATH_LEN * sizeof(
+ dirptr->filename_buf = (char*) calloc((size_t) num_images, OPJ_PATH_LEN * sizeof(
char)); /* Stores at max 10 image file names*/
if (!dirptr->filename_buf) {
free(dirptr);
return EXIT_FAILURE;
}
- dirptr->filename = (char**) malloc((size_t)num_images * sizeof(char*));
+ dirptr->filename = (char**) calloc((size_t) num_images, sizeof(char*));
if (!dirptr->filename) {
goto fails;
--
2.31.1

View File

@ -1,35 +0,0 @@
From 409907d89878222cf9dea80f0add8f73e9383834 Mon Sep 17 00:00:00 2001
From: Mehdi Sabwat <mehdisabwat@gmail.com>
Date: Fri, 7 May 2021 01:50:37 +0200
Subject: [PATCH] fix heap buffer overflow #1347
---
src/bin/common/color.c | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/src/bin/common/color.c b/src/bin/common/color.c
index 27f15f1..935fa44 100644
--- a/src/bin/common/color.c
+++ b/src/bin/common/color.c
@@ -368,12 +368,15 @@ static void sycc420_to_rgb(opj_image_t *img)
sycc_to_rgb(offset, upb, *y, *cb, *cr, r, g, b);
- ++y;
+ if (*y != img->comps[0].data[loopmaxh])
+ ++y;
++r;
++g;
++b;
- ++cb;
- ++cr;
+ if (*cb != img->comps[1].data[loopmaxh])
+ ++cb;
+ if (*cr != img->comps[2].data[loopmaxh])
+ ++cr;
}
if (j < maxw) {
sycc_to_rgb(offset, upb, *y, *cb, *cr, r, g, b);
--
2.31.1

View File

@ -1,26 +0,0 @@
From 0afbdcf3e6d0d2bd2e16a0c4d513ee3cf86e460d Mon Sep 17 00:00:00 2001
From: xiaoxiaoafeifei <lliangliang2007@163.com>
Date: Wed, 14 Jul 2021 09:35:13 +0800
Subject: [PATCH] Fix segfault in src/bin/jp2/opj_decompress.c due to
uninitialized pointer (fixes #1368) (#1369)
---
src/bin/jp2/opj_decompress.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/bin/jp2/opj_decompress.c b/src/bin/jp2/opj_decompress.c
index 0e028735..18ead672 100644
--- a/src/bin/jp2/opj_decompress.c
+++ b/src/bin/jp2/opj_decompress.c
@@ -1356,7 +1356,7 @@ int main(int argc, char **argv)
int it_image;
num_images = get_num_images(img_fol.imgdirpath);
- dirptr = (dircnt_t*)malloc(sizeof(dircnt_t));
+ dirptr = (dircnt_t*)calloc(1, sizeof(dircnt_t));
if (!dirptr) {
destroy_parameters(&parameters);
return EXIT_FAILURE;
--
2.34.1

View File

@ -7,8 +7,8 @@
%global _target_platform %{_vendor}-%{_target_os}
Name: openjpeg2
Version: 2.4.0
Release: 7%{?dist}
Version: 2.3.1
Release: 8%{?dist}
Summary: C-Library for JPEG 2000
# windirent.h is MIT, the rest is BSD
@ -22,11 +22,16 @@ Source1: data.tar.xz
# Rename tool names to avoid conflicts with openjpeg-1.x
Patch0: openjpeg2_opj2.patch
# Fix CVE-2021-29338
Patch1: openjpeg2-CVE-2021-29338.patch
# Fix CVE-2021-3575
Patch2: openjpeg2-CVE-2021-3575.patch
Patch3: openjpeg2-CVE-2022-1122.patch
# Backport patch for CVE 2020-6851
# https://github.com/uclouvain/openjpeg/issues/1228
Patch1: openjpeg2_CVE-2020-6851.patch
# Backport patch for CVE 2020-8112
# https://github.com/uclouvain/openjpeg/pull/1232/commits/05f9b91e60debda0e83977e5e63b2e66486f7074
Patch2: openjpeg2_CVE-2020-8112.patch
# Backport patch for CVE-2020-27814
# https://github.com/uclouvain/openjpeg/commit/eaa098b59b346cb88e4d10d505061f669d7134fc
Patch3: openjpeg2_CVE-2020-27814.patch
BuildRequires: cmake
# The library itself is C only, but there is some optional C++ stuff, hence the project is not marked as C-only in cmake and hence cmake looks for a c++ compiler
@ -263,12 +268,12 @@ chmod +x %{buildroot}%{_bindir}/opj2_jpip_viewer
%{_mandir}/man3/libopenjp2.3*
%files devel
%dir %{_includedir}/openjpeg-2.4/
%{_includedir}/openjpeg-2.4/openjpeg.h
%{_includedir}/openjpeg-2.4/opj_config.h
%{_includedir}/openjpeg-2.4/opj_stdint.h
%dir %{_includedir}/openjpeg-2.3/
%{_includedir}/openjpeg-2.3/openjpeg.h
%{_includedir}/openjpeg-2.3/opj_config.h
%{_includedir}/openjpeg-2.3/opj_stdint.h
%{_libdir}/libopenjp2.so
%{_libdir}/openjpeg-2.4/
%{_libdir}/openjpeg-2.3/
%{_libdir}/pkgconfig/libopenjp2.pc
%files devel-docs
@ -328,34 +333,6 @@ chmod +x %{buildroot}%{_bindir}/opj2_jpip_viewer
%changelog
* Wed Jun 15 2022 Matej Mužila <mmuzila@redhat.com> - 2.4.0-7
- Fix CVE-2022-1122
* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 2.4.0-6
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
Related: rhbz#1991688
* Fri Jun 25 2021 Nikola Forró <nforro@redhat.com> - 2.4.0-5
- Fix CVE-2021-3575 (#1969280)
* Fri Jun 25 2021 Nikola Forró <nforro@redhat.com> - 2.4.0-4
- Fix CVE-2021-29338 (#1951333)
* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 2.4.0-3
- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 2.4.0-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
* Tue Dec 29 2020 Sandro Mani <manisandro@gmail.com> - 2.4.0-1
- Update to 2.4.0
* Thu Dec 17 2020 Sandro Mani <manisandro@gmail.com> - 2.3.1-10
* Backport patches for CVE-2020-27841, CVE-2020-27842, CVE-2020-27843, CVE-2020-27845
* Thu Dec 10 2020 Sandro Mani <manisandro@gmail.com> - 2.3.1-9
* Backport patches for CVE-2020-27824 and CVE-2020-27823
* Sat Nov 28 2020 Sandro Mani <manisandro@gmail.com> - 2.3.1-8
- Backport patch for CVE-2020-27814

View File

@ -0,0 +1,16 @@
diff -rupN --no-dereference openjpeg-2.3.1/src/lib/openjp2/tcd.c openjpeg-2.3.1-new/src/lib/openjp2/tcd.c
--- openjpeg-2.3.1/src/lib/openjp2/tcd.c 2020-11-28 23:29:38.701863373 +0100
+++ openjpeg-2.3.1-new/src/lib/openjp2/tcd.c 2020-11-28 23:29:38.704863383 +0100
@@ -1235,9 +1235,11 @@ static OPJ_BOOL opj_tcd_code_block_enc_a
/* +1 is needed for https://github.com/uclouvain/openjpeg/issues/835 */
/* and actually +2 required for https://github.com/uclouvain/openjpeg/issues/982 */
+ /* and +7 for https://github.com/uclouvain/openjpeg/issues/1283 (-M 3) */
+ /* and +26 for https://github.com/uclouvain/openjpeg/issues/1283 (-M 7) */
/* TODO: is there a theoretical upper-bound for the compressed code */
/* block size ? */
- l_data_size = 2 + (OPJ_UINT32)((p_code_block->x1 - p_code_block->x0) *
+ l_data_size = 26 + (OPJ_UINT32)((p_code_block->x1 - p_code_block->x0) *
(p_code_block->y1 - p_code_block->y0) * (OPJ_INT32)sizeof(OPJ_UINT32));
if (l_data_size > p_code_block->data_size) {

View File

@ -0,0 +1,18 @@
diff -rupN --no-dereference openjpeg-2.3.1/src/lib/openjp2/j2k.c openjpeg-2.3.1-new/src/lib/openjp2/j2k.c
--- openjpeg-2.3.1/src/lib/openjp2/j2k.c 2019-04-02 14:45:15.000000000 +0200
+++ openjpeg-2.3.1-new/src/lib/openjp2/j2k.c 2020-11-28 23:29:38.618863089 +0100
@@ -9236,6 +9236,14 @@ static OPJ_BOOL opj_j2k_update_image_dim
l_img_comp = p_image->comps;
for (it_comp = 0; it_comp < p_image->numcomps; ++it_comp) {
OPJ_INT32 l_h, l_w;
+ if (p_image->x0 > (OPJ_UINT32)INT_MAX ||
+ p_image->y0 > (OPJ_UINT32)INT_MAX ||
+ p_image->x1 > (OPJ_UINT32)INT_MAX ||
+ p_image->y1 > (OPJ_UINT32)INT_MAX) {
+ opj_event_msg(p_manager, EVT_ERROR,
+ "Image coordinates above INT_MAX are not supported\n");
+ return OPJ_FALSE;
+ }
l_img_comp->x0 = (OPJ_UINT32)opj_int_ceildiv((OPJ_INT32)p_image->x0,
(OPJ_INT32)l_img_comp->dx);

View File

@ -0,0 +1,30 @@
diff -rupN --no-dereference openjpeg-2.3.1/src/lib/openjp2/tcd.c openjpeg-2.3.1-new/src/lib/openjp2/tcd.c
--- openjpeg-2.3.1/src/lib/openjp2/tcd.c 2019-04-02 14:45:15.000000000 +0200
+++ openjpeg-2.3.1-new/src/lib/openjp2/tcd.c 2020-11-28 23:29:38.662863239 +0100
@@ -905,8 +905,24 @@ static INLINE OPJ_BOOL opj_tcd_init_tile
/* p. 64, B.6, ISO/IEC FDIS15444-1 : 2000 (18 august 2000) */
l_tl_prc_x_start = opj_int_floordivpow2(l_res->x0, (OPJ_INT32)l_pdx) << l_pdx;
l_tl_prc_y_start = opj_int_floordivpow2(l_res->y0, (OPJ_INT32)l_pdy) << l_pdy;
- l_br_prc_x_end = opj_int_ceildivpow2(l_res->x1, (OPJ_INT32)l_pdx) << l_pdx;
- l_br_prc_y_end = opj_int_ceildivpow2(l_res->y1, (OPJ_INT32)l_pdy) << l_pdy;
+ {
+ OPJ_UINT32 tmp = ((OPJ_UINT32)opj_int_ceildivpow2(l_res->x1,
+ (OPJ_INT32)l_pdx)) << l_pdx;
+ if (tmp > (OPJ_UINT32)INT_MAX) {
+ opj_event_msg(manager, EVT_ERROR, "Integer overflow\n");
+ return OPJ_FALSE;
+ }
+ l_br_prc_x_end = (OPJ_INT32)tmp;
+ }
+ {
+ OPJ_UINT32 tmp = ((OPJ_UINT32)opj_int_ceildivpow2(l_res->y1,
+ (OPJ_INT32)l_pdy)) << l_pdy;
+ if (tmp > (OPJ_UINT32)INT_MAX) {
+ opj_event_msg(manager, EVT_ERROR, "Integer overflow\n");
+ return OPJ_FALSE;
+ }
+ l_br_prc_y_end = (OPJ_INT32)tmp;
+ }
/*fprintf(stderr, "\t\t\tprc_x_start=%d, prc_y_start=%d, br_prc_x_end=%d, br_prc_y_end=%d \n", l_tl_prc_x_start, l_tl_prc_y_start, l_br_prc_x_end ,l_br_prc_y_end );*/
l_res->pw = (l_res->x0 == l_res->x1) ? 0U : (OPJ_UINT32)((

View File

@ -1,6 +1,6 @@
diff -rupN --no-dereference openjpeg-2.4.0/src/bin/jp2/CMakeLists.txt openjpeg-2.4.0-new/src/bin/jp2/CMakeLists.txt
--- openjpeg-2.4.0/src/bin/jp2/CMakeLists.txt 2020-12-28 21:59:39.000000000 +0100
+++ openjpeg-2.4.0-new/src/bin/jp2/CMakeLists.txt 2020-12-29 15:45:09.466819414 +0100
diff -rupN --no-dereference openjpeg-2.3.1/src/bin/jp2/CMakeLists.txt openjpeg-2.3.1-new/src/bin/jp2/CMakeLists.txt
--- openjpeg-2.3.1/src/bin/jp2/CMakeLists.txt 2019-04-02 14:45:15.000000000 +0200
+++ openjpeg-2.3.1-new/src/bin/jp2/CMakeLists.txt 2020-11-28 23:29:38.576862946 +0100
@@ -44,6 +44,8 @@ endif()
# Loop over all executables:
foreach(exe opj_decompress opj_compress opj_dump)

View File

@ -1 +1 @@
SHA512 (openjpeg-2.4.0.tar.gz) = 55daab47d33823af94e32e5d345b52c251a5410f0c8e0a13b693f17899eedc8b2bb107489ddcba9ab78ef17dfd7cd80d3c5ec80c1e429189cb041124b67e07a8
SHA512 (openjpeg-2.3.1.tar.gz) = 339fbc899bddf2393d214df71ed5d6070a3a76b933b1e75576c8a0ae9dfcc4adec40bdc544f599e4b8d0bc173e4e9e7352408497b5b3c9356985605830c26c03