[openjpeg] 1.5.1-3

Rex Dieter rdieter at fedoraproject.org
Fri Dec 7 14:09:13 UTC 2012


commit e99f743c60eaf62869a59185f4b8974ac557db81
Author: Rex Dieter <rdieter at math.unl.edu>
Date:   Fri Dec 7 08:09:22 2012 -0600

    1.5.1-3
    
    - int main() in t1_generate_luts.c breaks mplayer (issue#152)
    - jp2_read_boxhdr() can trigger random pointer memory access (issue#155)
    - missing range check in j2k_read_coc et al (issue#166)
    - division by zero in j2k_read_siz (issue#169)

 openjpeg-1.5-r2029.patch |   77 ++++++++++++++++++++++++++++++++++++++++++++++
 openjpeg-1.5-r2031.patch |   24 ++++++++++++++
 openjpeg-1.5-r2032.patch |   30 ++++++++++++++++++
 openjpeg-1.5-r2033.patch |   49 +++++++++++++++++++++++++++++
 openjpeg.spec            |   21 ++++++++++++-
 5 files changed, 200 insertions(+), 1 deletions(-)
---
diff --git a/openjpeg-1.5-r2029.patch b/openjpeg-1.5-r2029.patch
new file mode 100644
index 0000000..a1a819a
--- /dev/null
+++ b/openjpeg-1.5-r2029.patch
@@ -0,0 +1,77 @@
+Index: libopenjpeg/jp2.c
+===================================================================
+--- libopenjpeg/jp2.c	(revision 2028)
++++ libopenjpeg/jp2.c	(revision 2029)
+@@ -173,6 +173,10 @@
+ 	else if (box->length == 0) {
+ 		box->length = cio_numbytesleft(cio) + 8;
+ 	}
++	if (box->length < 0) {
++		opj_event_msg(cinfo, EVT_ERROR, "Integer overflow in box->length\n");
++		return OPJ_FALSE; // TODO: actually check jp2_read_boxhdr's return value
++	}
+ 	
+ 	return OPJ_TRUE;
+ }
+@@ -654,6 +658,7 @@
+         opj_event_msg(cinfo, EVT_ERROR, "Expected JP2H Marker\n");
+         return OPJ_FALSE;
+         }
++	  if (box.length <= 8) return OPJ_FALSE;
+       cio_skip(cio, box.length - 8);
+ 
+       if(cio->bp >= cio->end) return OPJ_FALSE;
+@@ -679,6 +684,7 @@
+       {
+       if( !jp2_read_colr(jp2, cio, &box, color))
+         {
++        if (box.length <= 8) return OPJ_FALSE;
+         cio_seek(cio, box.init_pos + 8);
+         cio_skip(cio, box.length - 8);
+         }
+@@ -689,6 +695,7 @@
+       {
+       if( !jp2_read_cdef(jp2, cio, &box, color))
+         {
++        if (box.length <= 8) return OPJ_FALSE;
+         cio_seek(cio, box.init_pos + 8);
+         cio_skip(cio, box.length - 8);
+         }
+@@ -699,6 +706,7 @@
+       {
+       if( !jp2_read_pclr(jp2, cio, &box, color))
+         {
++        if (box.length <= 8) return OPJ_FALSE;
+         cio_seek(cio, box.init_pos + 8);
+         cio_skip(cio, box.length - 8);
+         }
+@@ -709,12 +717,14 @@
+       {
+       if( !jp2_read_cmap(jp2, cio, &box, color))
+         {
++        if (box.length <= 8) return OPJ_FALSE;
+         cio_seek(cio, box.init_pos + 8);
+         cio_skip(cio, box.length - 8);
+         }
+       if( jp2_read_boxhdr(cinfo, cio, &box) == OPJ_FALSE ) return OPJ_FALSE;
+       continue;
+       }
++    if (box.length <= 8) return OPJ_FALSE;
+     cio_seek(cio, box.init_pos + 8);
+     cio_skip(cio, box.length - 8);
+     if( jp2_read_boxhdr(cinfo, cio, &box) == OPJ_FALSE ) return OPJ_FALSE;
+@@ -910,12 +920,14 @@
+   }
+ 	do {
+ 		if(JP2_JP2C != box.type) {
++			if (box.length <= 8) return OPJ_FALSE;
+ 			cio_skip(cio, box.length - 8);
+ 			if( jp2_read_boxhdr(cinfo, cio, &box) == OPJ_FALSE ) return OPJ_FALSE;
+ 		}
+ 	} while(JP2_JP2C != box.type);
+ 
+ 	*j2k_codestream_offset = cio_tell(cio);
++	if (box.length <= 8) return OPJ_FALSE;
+ 	*j2k_codestream_length = box.length - 8;
+ 
+ 	return OPJ_TRUE;
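Review bot: The added `box.length <= 8` guards only keep `cio_skip(cio, box.length - 8)` from going negative; nothing compares the skip with the bytes actually left, and only the JP2H path re-checks the position afterwards (`if(cio->bp >= cio->end) return OPJ_FALSE;`), so an oversized length in the colr/cdef/pclr/cmap fallbacks and in the two `JP2_JP2C` loops presumably still moves `cio->bp` past `cio->end` before the next `jp2_read_boxhdr` runs. If `cio_numbytesleft` reports the bytes remaining from the current position, as its use on the `length == 0` path suggests, a tighter guard placed after each `cio_seek` would be `if (box.length < 8 || box.length - 8 > cio_numbytesleft(cio)) return OPJ_FALSE;`, which also stops rejecting a header-only box of exactly 8 bytes that the current `<= 8` turns into a hard failure at the skip sites. The `TODO` next to the `box->length < 0` check says the return value is unchecked, yet every `jp2_read_boxhdr` call site in this same patch does check it, so the comment should name the caller it means or be dropped. All of the functions touched here start outside the hunk.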
diff --git a/openjpeg-1.5-r2031.patch b/openjpeg-1.5-r2031.patch
new file mode 100644
index 0000000..d8249ac
--- /dev/null
+++ b/openjpeg-1.5-r2031.patch
@@ -0,0 +1,24 @@
+Index: libopenjpeg/jpwl/Makefile.am
+===================================================================
+--- libopenjpeg/jpwl/Makefile.am	(revision 2030)
++++ libopenjpeg/jpwl/Makefile.am	(revision 2031)
+@@ -18,7 +18,6 @@
+ ../pi.c \
+ ../raw.c \
+ ../t1.c \
+-../t1_generate_luts.c \
+ ../t2.c \
+ ../tcd.c \
+ ../tgt.c \
+Index: libopenjpeg/Makefile.am
+===================================================================
+--- libopenjpeg/Makefile.am	(revision 2030)
++++ libopenjpeg/Makefile.am	(revision 2031)
+@@ -35,7 +35,6 @@
+ pi.c \
+ raw.c \
+ t1.c \
+-t1_generate_luts.c \
+ t2.c \
+ tcd.c \
+ tgt.c \
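Review bot: Only the two automake source lists drop `t1_generate_luts.c`; the spec's `%if 0%{?cmake_build}` branch (visible in the openjpeg.spec hunk) indicates a CMake build path whose file list this patch does not touch, so under that configuration the stray `main` would presumably still be compiled into the library. Worth confirming against the CMake source list before relying on this patch alone for issue#152.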
diff --git a/openjpeg-1.5-r2032.patch b/openjpeg-1.5-r2032.patch
new file mode 100644
index 0000000..3d7d4fa
--- /dev/null
+++ b/openjpeg-1.5-r2032.patch
@@ -0,0 +1,30 @@
+Index: libopenjpeg/j2k.c
+===================================================================
+--- libopenjpeg/j2k.c	(revision 2031)
++++ libopenjpeg/j2k.c	(revision 2032)
+@@ -468,6 +468,12 @@
+ 	}
+ #endif /* USE_JPWL */
+ 
++  /* prevent division by zero */
++  if (!(cp->tdx * cp->tdy)) {
++    opj_event_msg(j2k->cinfo, EVT_ERROR, "JPWL: invalid tile size (tdx: %d, tdy: %d)\n", cp->tdx, cp->tdy);
++    return;
++  }
++
+ 	image->comps = (opj_image_comp_t*) opj_calloc(image->numcomps, sizeof(opj_image_comp_t));
+ 	for (i = 0; i < image->numcomps; i++) {
+ 		int tmp, w, h;
+@@ -506,6 +512,12 @@
+ 		}
+ #endif /* USE_JPWL */
+ 
++    /* prevent division by zero */
++    if (!(image->comps[i].dx * image->comps[i].dy)) {
++      opj_event_msg(j2k->cinfo, EVT_ERROR, "JPWL: invalid component size (dx: %d, dy: %d)\n", image->comps[i].dx, image->comps[i].dy);
++      return;
++    }
++
+ 		/* TODO: unused ? */
+ 		w = int_ceildiv(image->x1 - image->x0, image->comps[i].dx);
+ 		h = int_ceildiv(image->y1 - image->y0, image->comps[i].dy);
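Review bot: The zero check `if (!(cp->tdx * cp->tdy))` multiplies two values read from the stream, so if `tdx`/`tdy` are `int` (as the `%d` format suggests) the product can overflow — undefined behaviour that may also wrap to zero or let a negative factor through — and a negative tile size is not rejected at all; testing each factor is safer: `if (cp->tdx <= 0 || cp->tdy <= 0)`. The same applies to the `image->comps[i].dx * image->comps[i].dy` check in the second part of the hunk. The `"JPWL: "` prefix in both messages is misleading, since the checks sit after `#endif /* USE_JPWL */` and run in every build. The enclosing function (j2k_read_siz, per the commit message) starts and ends outside the hunk, so whether a bare `return` leaves the caller in a consistent state cannot be judged here.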
diff --git a/openjpeg-1.5-r2033.patch b/openjpeg-1.5-r2033.patch
new file mode 100644
index 0000000..a845139
--- /dev/null
+++ b/openjpeg-1.5-r2033.patch
@@ -0,0 +1,49 @@
+Index: libopenjpeg/j2k.c
+===================================================================
+--- libopenjpeg/j2k.c	(revision 2032)
++++ libopenjpeg/j2k.c	(revision 2033)
+@@ -835,6 +835,12 @@
+ 	
+ 	len = cio_read(cio, 2);		/* Lcoc */
+ 	compno = cio_read(cio, image->numcomps <= 256 ? 1 : 2);	/* Ccoc */
++  if (compno >= image->numcomps) {
++    opj_event_msg(j2k->cinfo, EVT_ERROR,
++      "bad component number in COC (%d out of a maximum of %d)\n",
++      compno, image->numcomps);
++    return;
++  }
+ 	tcp->tccps[compno].csty = cio_read(cio, 1);	/* Scoc */
+ 	j2k_read_cox(j2k, compno);
+ }
+@@ -1016,9 +1022,16 @@
+ 
+ 		/* keep your private count of tiles */
+ 		backup_compno++;
+-	};
++	}
+ #endif /* USE_JPWL */
+ 
++  if ((compno < 0) || (compno >= numcomp)) {
++    opj_event_msg(j2k->cinfo, EVT_ERROR,
++      "bad component number in QCC (%d out of a maximum of %d)\n",
++      compno, j2k->image->numcomps);
++    return;
++  }
++
+ 	j2k_read_qcx(j2k, compno, len - 2 - (numcomp <= 256 ? 1 : 2));
+ }
+ 
+@@ -1602,6 +1615,13 @@
+ 	};
+ #endif /* USE_JPWL */
+ 
++  if (compno >= numcomps) {
++    opj_event_msg(j2k->cinfo, EVT_ERROR,
++      "bad component number in RGN (%d out of a maximum of %d)\n",
++      compno, j2k->image->numcomps);
++    return;
++  }
++
+ 	tcp->tccps[compno].roishift = cio_read(cio, 1);				/* SPrgn */
+ }
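Review bot: The three new range checks are inconsistent: the QCC check rejects `compno < 0`, while the COC and RGN checks test only `compno >= ...`; unless `compno` is unsigned at those two sites, `if (compno < 0 || compno >= image->numcomps)` in COC (and the RGN equivalent against `numcomps`) would match QCC and keep the index non-negative. The added lines are indented with spaces where the surrounding code uses tabs (compare the `len = cio_read(cio, 2);` line), which this file's style does not do. The RGN and QCC messages print `j2k->image->numcomps` while the guard compares against a local `numcomps`/`numcomp`; these are presumably the same value, but printing the compared variable would remove the doubt. Each enclosing function starts outside the hunk.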
+ 
diff --git a/openjpeg.spec b/openjpeg.spec
index 0702b36..579c53b 100644
--- a/openjpeg.spec
+++ b/openjpeg.spec
@@ -9,7 +9,7 @@
 
 Name:    openjpeg
 Version: 1.5.1
-Release: 2%{?dist}
+Release: 3%{?dist}
 Summary: JPEG 2000 command line tools
 
 License: BSD
@@ -29,6 +29,15 @@ Patch1: openjpeg-1.5.1-soname.patch
 Patch50: openjpeg-1.5.1-cmake_libdir.patch
 
 ## upstream patches:
+# http://code.google.com/p/openjpeg/issues/detail?id=155
+Patch100: openjpeg-1.5-r2029.patch
+# http://code.google.com/p/openjpeg/issues/detail?id=152
+Patch101: openjpeg-1.5-r2031.patch
+# http://code.google.com/p/openjpeg/issues/detail?id=169
+Patch102: openjpeg-1.5-r2032.patch
+# http://code.google.com/p/openjpeg/issues/detail?id=166
+Patch103: openjpeg-1.5-r2033.patch
+
 
 %if 0%{?cmake_build}
 BuildRequires: cmake 
@@ -79,6 +88,10 @@ BuildArch: noarch
 autoreconf -i -f
 %endif
 
+%patch100 -p0 -b .r2029
+%patch101 -p0 -b .r2031
+%patch102 -p0 -b .r2032
+%patch103 -p0 -b .r2033
 
 %build
 
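Review bot: The four `%patch10x` lines are applied after the `autoreconf -i -f` shown in the context above, but `openjpeg-1.5-r2031.patch` edits `Makefile.am` only, so in the autotools branch the generated `Makefile.in` would presumably be produced before the patch removes `t1_generate_luts.c` and the change would not take effect unless automake's rebuild rules regenerate it. Moving `%patch101 -p0 -b .r2031` (or all four lines) above the `%if` block that runs `autoreconf` avoids the question; the opening `%if` of that block is outside the hunk.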
@@ -165,6 +178,12 @@ make test -C %{_target_platform}
 
 
 %changelog
+* Fri Dec 07 2012 Rex Dieter <rdieter at fedoraproject.org> 1.5.1-3
+- int main() in t1_generate_luts.c breaks mplayer (issue#152)
+- jp2_read_boxhdr() can trigger random pointer memory access (issue#155)
+- missing range check in j2k_read_coc et al (issue#166)
+- division by zero in j2k_read_siz (issue#169)
+
 * Thu Dec 06 2012 Rex Dieter <rdieter at fedoraproject.org> 1.5.1-2
 - fix multilib bugs due to timestamps in generated doc files (#884827)
 

