[openjpeg/f17] fix CVE-2009-5030

Rex Dieter rdieter at fedoraproject.org
Sun Jun 17 17:45:10 UTC 2012


commit 3d9b42140d02791112f2f7d98f0c33ccb18d0ed4
Author: Rex Dieter <rdieter at fedoraproject.org>
Date:   Sun Jun 17 12:35:19 2012 -0500

    fix CVE-2009-5030
    
    openjpeg: Heap memory corruption leading to invalid free
    by processing certain Gray16 TIFF images (#812317)

 openjpeg-1.4-r1703_backport.patch |   12 ++++++++++++
 openjpeg.spec                     |    4 ++++
 2 files changed, 16 insertions(+), 0 deletions(-)
---
diff --git a/openjpeg-1.4-r1703_backport.patch b/openjpeg-1.4-r1703_backport.patch
new file mode 100644
index 0000000..f2f03b4
--- /dev/null
+++ b/openjpeg-1.4-r1703_backport.patch
@@ -0,0 +1,12 @@
+diff -up openjpeg_v1_4_sources_r697/libopenjpeg/tcd.c.r1703 openjpeg_v1_4_sources_r697/libopenjpeg/tcd.c
+--- openjpeg_v1_4_sources_r697/libopenjpeg/tcd.c.r1703	2011-01-02 12:14:45.000000000 -0600
++++ openjpeg_v1_4_sources_r697/libopenjpeg/tcd.c	2012-06-17 12:33:22.590298592 -0500
+@@ -332,7 +332,7 @@ void tcd_malloc_encode(opj_tcd_t *tcd, o
+ 							cblk->y0 = int_max(cblkystart, prc->y0);
+ 							cblk->x1 = int_min(cblkxend, prc->x1);
+ 							cblk->y1 = int_min(cblkyend, prc->y1);
+-							cblk->data = (unsigned char*) opj_calloc(8192+2, sizeof(unsigned char));
++							cblk->data = (unsigned char*) opj_calloc(9728+2, sizeof(unsigned char));
+ 							/* FIXME: mqc_init_enc and mqc_byteout underrun the buffer if we don't do this. Why? */
+ 							cblk->data += 2;
+ 							cblk->layers = (opj_tcd_layer_t*) opj_calloc(100, sizeof(opj_tcd_layer_t));
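Review bot: The backported hunk only raises the fixed allocation for `cblk->data` from `8192+2` to `9728+2` bytes; nothing in the hunk bounds the encoder's writes into that buffer, so the new constant is a larger ceiling rather than a check, and a code-block that produces more than 9728 bytes would presumably still overrun it (the surrounding tcd_malloc_encode body, including whatever sizes the code-block, is outside the hunk). The derivation of 9728 is not given anywhere on the page, and the existing `FIXME` about `mqc_init_enc`/`mqc_byteout` underrunning the buffer stays as it was, so the `+2`/`data += 2` offset still has to be undone before the buffer is freed. A reader of the patch would be helped by a comment on the changed line, e.g. `/* r1703 backport (CVE-2009-5030): larger fixed code-block buffer; writes into cblk->data are still not bounds-checked, see FIXME below */`, so the limit is not mistaken for a complete fix.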
diff --git a/openjpeg.spec b/openjpeg.spec
index 20c8d05..6e8e7af 100644
--- a/openjpeg.spec
+++ b/openjpeg.spec
@@ -57,6 +57,8 @@ Patch55: openjpeg-1.4-OpenJPEGConfig.patch
 Patch100: openjpeg-1.4-poppler_regression.patch
 # http://code.google.com/p/openjpeg/source/detail?r=1330
 Patch101: openjpeg-1.4-r1330_backport.patch
+# http://code.google.com/p/openjpeg/source/detail?r=1703
+Patch102: openjpeg-1.4-r1703_backport.patch
 
 %description
 OpenJPEG is an open-source JPEG 2000 codec written in C. It has been
@@ -99,6 +101,7 @@ autoreconf -i -f
 #patch100 -p1 -b .poppler_regression
 #endif
 %patch101 -p1 -b .r1330_backport
+%patch102 -p1 -b .r1703_backport
 
 
 %build
@@ -198,6 +201,7 @@ rm -rf %{buildroot}
 %changelog
 * Sun Jun 17 2012 Rex Dieter <rdieter at fedoraproject.org> 1.4-13
 - CVE-2012-1499 openjpeg: Out-of heap-based buffer write by processing palette information in certain JPEG 2000 images (#805912)
+- CVE-2009-5030 openjpeg: Heap memory corruption leading to invalid free by processing certain Gray16 TIFF images (#812317)
 
 * Thu Mar 01 2012 Rex Dieter <rdieter at fedoraproject.org> 1.4-12
 - revert poppler regression patch, breaks ABI (#796500)
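Review bot: The changelog hunk appends the CVE-2009-5030 line to the existing `1.4-13` entry instead of opening a new one, and the diffstat (4 insertions in openjpeg.spec, all visible here) shows no change to the Release tag; if 1.4-13 had already been built with only the CVE-2012-1499 fix, the same NVR would now correspond to two different sources, which defeats the traceability a changelog is meant to give. If 1.4-13 has not yet been built this is fine, but it would be worth stating that in the commit message. The `Patch102` declaration and `%patch102 -p1 -b .r1703_backport` line are consistent with the patch file's `diff -up openjpeg_v1_4_sources_r697/libopenjpeg/tcd.c` paths, so the `-p1` strip level looks right.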

