[openjpeg/f17] fix CVE-2012-1499
Rex Dieter
rdieter at fedoraproject.org
Sun Jun 17 17:45:05 UTC 2012
commit e6b7c90318b589c08110b453c0ce6e263426e418
Author: Rex Dieter <rdieter at fedoraproject.org>
Date: Sun Jun 17 12:25:12 2012 -0500
fix CVE-2012-1499
openjpeg: Out-of heap-based buffer write by processing palette
information in certain JPEG 2000 images (#805912)
openjpeg-1.4-r1330_backport.patch | 42 +++++++++++++++++++++++++++++++++++++
openjpeg.spec | 8 ++++++-
2 files changed, 49 insertions(+), 1 deletions(-)
---
diff --git a/openjpeg-1.4-r1330_backport.patch b/openjpeg-1.4-r1330_backport.patch
new file mode 100644
index 0000000..9ebcf29
--- /dev/null
+++ b/openjpeg-1.4-r1330_backport.patch
@@ -0,0 +1,42 @@
+diff -up openjpeg_v1_4_sources_r697/libopenjpeg/jp2.c.r1330 openjpeg_v1_4_sources_r697/libopenjpeg/jp2.c
+--- openjpeg_v1_4_sources_r697/libopenjpeg/jp2.c.r1330 2011-01-02 12:14:45.000000000 -0600
++++ openjpeg_v1_4_sources_r697/libopenjpeg/jp2.c 2012-06-17 12:09:09.850460340 -0500
+@@ -93,7 +93,7 @@ Apply collected palette data
+ @param color Collector for profile, cdef and pclr data
+ @param image
+ */
+-static void jp2_apply_pclr(opj_jp2_color_t *color, opj_image_t *image);
++static void jp2_apply_pclr(opj_jp2_color_t *color, opj_image_t *image, opj_common_ptr cinfo);
+ /**
+ Collect palette data
+ @param jp2 JP2 handle
+@@ -318,7 +318,7 @@ static void free_color_data(opj_jp2_colo
+ if(color->icc_profile_buf) opj_free(color->icc_profile_buf);
+ }
+
+-static void jp2_apply_pclr(opj_jp2_color_t *color, opj_image_t *image)
++static void jp2_apply_pclr(opj_jp2_color_t *color, opj_image_t *image, opj_common_ptr cinfo)
+ {
+ opj_image_comp_t *old_comps, *new_comps;
+ unsigned char *channel_size, *channel_sign;
+@@ -343,7 +343,10 @@ static void jp2_apply_pclr(opj_jp2_color
+ {
+ pcol = cmap[i].pcol; cmp = cmap[i].cmp;
+
+- new_comps[pcol] = old_comps[cmp];
++ if( pcol < nr_channels )
++ new_comps[pcol] = old_comps[cmp];
++ else
++ opj_event_msg(cinfo, EVT_ERROR, "Error with pcol value. skipping\n");
+
+ if(cmap[i].mtyp == 0) /* Direct use */
+ {
+@@ -733,7 +736,7 @@ opj_image_t* jp2_decode(opj_jp2_t *jp2,
+ if( !color.jp2_pclr->cmap)
+ jp2_free_pclr(&color);
+ else
+- jp2_apply_pclr(&color, image);
++ jp2_apply_pclr(&color, image, cinfo);
+ }
+ if(color.icc_profile_buf)
+ {
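Review bot: In the backported jp2.c hunk at `@@ -343,7 +343,10 @@`, the new `pcol < nr_channels` test guards only the `new_comps[pcol] = old_comps[cmp]` copy, and the error branch logs "skipping" without a `continue`, so control falls through to the `cmap[i].mtyp == 0` check with the same out-of-range `pcol`. The loop body continues outside the hunk, so if any later statement there indexes `new_comps[pcol]`, the heap write this backport targets may still be reachable for that entry. I would make the rejection explicit, e.g. `if( pcol >= nr_channels ) { opj_event_msg(cinfo, EVT_ERROR, "Error with pcol value. skipping\n"); continue; }`, or fail the decode outright if a skipped entry would leave a component unset. `cmp` indexes `old_comps` on the same line with no bound visible in this hunk, so it probably deserves a matching check against the image's component count.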
diff --git a/openjpeg.spec b/openjpeg.spec
index 7e16ad1..20c8d05 100644
--- a/openjpeg.spec
+++ b/openjpeg.spec
@@ -11,7 +11,7 @@
Name: openjpeg
Version: 1.4
-Release: 12%{?dist}
+Release: 13%{?dist}
Summary: JPEG 2000 command line tools
Group: Applications/Multimedia
@@ -55,6 +55,8 @@ Patch55: openjpeg-1.4-OpenJPEGConfig.patch
# http://code.google.com/p/openjpeg/issues/detail?id=104
# http://code.google.com/p/openjpeg/source/detail?r=1333
Patch100: openjpeg-1.4-poppler_regression.patch
+# http://code.google.com/p/openjpeg/source/detail?r=1330
+Patch101: openjpeg-1.4-r1330_backport.patch
%description
OpenJPEG is an open-source JPEG 2000 codec written in C. It has been
@@ -96,6 +98,7 @@ autoreconf -i -f
#if 0%{?fedora} > 15
#patch100 -p1 -b .poppler_regression
#endif
+%patch101 -p1 -b .r1330_backport
%build
@@ -193,6 +196,9 @@ rm -rf %{buildroot}
%changelog
+* Sun Jun 17 2012 Rex Dieter <rdieter at fedoraproject.org> 1.4-13
+- CVE-2012-1499 openjpeg: Out-of heap-based buffer write by processing palette information in certain JPEG 2000 images (#805912)
+
* Thu Mar 01 2012 Rex Dieter <rdieter at fedoraproject.org> 1.4-12
- revert poppler regression patch, breaks ABI (#796500)
- backport pkgconfig includedir path fix (upstream issue #118)