[mingw-openjpeg] Add patches for CVE-2013-6052 CVE-2013-6053 CVE-2013-6045
Sandro Mani
smani at fedoraproject.org
Thu Dec 5 09:57:46 UTC 2013
commit 59d97763666e25b1a983457a2c987ad34679a90a
Author: Sandro Mani <manisandro at gmail.com>
Date: Thu Dec 5 10:57:34 2013 +0100
Add patches for CVE-2013-6052 CVE-2013-6053 CVE-2013-6045
rhbz1036491_CVE-2013-6052.patch | 53 ++++++++++++++++++++++
rhbz1036493_CVE-2013-6053.patch | 13 +++++
rhbz1036495_CVE-2013-6045.patch | 93 +++++++++++++++++++++++++++++++++++++++
3 files changed, 159 insertions(+), 0 deletions(-)
---
diff --git a/rhbz1036491_CVE-2013-6052.patch b/rhbz1036491_CVE-2013-6052.patch
new file mode 100644
index 0000000..6c26cc5
--- /dev/null
+++ b/rhbz1036491_CVE-2013-6052.patch
@@ -0,0 +1,53 @@
+diff -rupN openjpeg-1.5.1/libopenjpeg/cio.c openjpeg-1.5.1-new/libopenjpeg/cio.c
+--- openjpeg-1.5.1/libopenjpeg/cio.c 2012-09-13 09:58:39.000000000 +0200
++++ openjpeg-1.5.1-new/libopenjpeg/cio.c 2013-12-05 10:25:07.717415888 +0100
+@@ -30,6 +30,7 @@
+ */
+
+ #include "opj_includes.h"
++#include <assert.h>
+
+ /* ----------------------------------------------------------------------- */
+
+@@ -139,6 +140,11 @@ opj_bool cio_byteout(opj_cio_t *cio, uns
+ * Read a byte.
+ */
+ unsigned char cio_bytein(opj_cio_t *cio) {
++ if (cio->bp < cio->start) {
++ opj_event_msg(cio->cinfo, EVT_ERROR, "read error: trying to read from before the start of the codestream (start = %d, current = %d, end = %d\n", cio->start, cio->bp, cio->end);
++ abort();
++ return 0;
++ }
+ if (cio->bp >= cio->end) {
+ opj_event_msg(cio->cinfo, EVT_ERROR, "read error: passed the end of the codestream (start = %d, current = %d, end = %d\n", cio->start, cio->bp, cio->end);
+ return 0;
+@@ -173,7 +179,7 @@ unsigned int cio_read(opj_cio_t *cio, in
+ unsigned int v;
+ v = 0;
+ for (i = n - 1; i >= 0; i--) {
+- v += cio_bytein(cio) << (i << 3);
++ v += (unsigned int)cio_bytein(cio) << (i << 3);
+ }
+ return v;
+ }
+@@ -184,6 +190,7 @@ unsigned int cio_read(opj_cio_t *cio, in
+ * n : number of bytes to skip
+ */
+ void cio_skip(opj_cio_t *cio, int n) {
++ assert((cio->bp + n) >= cio->bp);
+ cio->bp += n;
+ }
+
+diff -rupN openjpeg-1.5.1/libopenjpeg/jp2.c openjpeg-1.5.1-new/libopenjpeg/jp2.c
+--- openjpeg-1.5.1/libopenjpeg/jp2.c 2012-09-13 09:58:39.000000000 +0200
++++ openjpeg-1.5.1-new/libopenjpeg/jp2.c 2013-12-05 10:25:07.718415907 +0100
+@@ -172,6 +172,9 @@ static opj_bool jp2_read_boxhdr(opj_comm
+ }
+ else if (box->length == 0) {
+ box->length = cio_numbytesleft(cio) + 8;
++ } else if (box->length < 0) {
++ opj_event_msg(cinfo, EVT_ERROR, "Invalid, negative, size of box\n");
++ return OPJ_FALSE;
+ }
+
+ return OPJ_TRUE;
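Review bot: The guard added to `cio_skip` is an `assert`, which is compiled out under `NDEBUG`, and it only tests for wrap-around of `cio->bp + n` instead of comparing the new position with `cio->start` and `cio->end`, so a release build still moves the read position without any bound. A check that stays in all builds would be stronger, for example `if (n < cio->start - cio->bp || n > cio->end - cio->bp) { opj_event_msg(cio->cinfo, EVT_ERROR, "skip outside the codestream\n"); return; }`; this assumes `bp`, `start` and `end` point into one buffer, which the declarations outside the hunk would confirm. In `cio_bytein` the new branch calls `abort()`, which terminates the host process on a malformed file and leaves the following `return 0;` unreachable, whereas the existing end-of-stream branch only logs and returns 0. The new message also passes `cio->start`, `cio->bp` and `cio->end` to `%d`, which is a format mismatch if they are pointers. Both function bodies continue outside the nested hunks.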
diff --git a/rhbz1036493_CVE-2013-6053.patch b/rhbz1036493_CVE-2013-6053.patch
new file mode 100644
index 0000000..d464b60
--- /dev/null
+++ b/rhbz1036493_CVE-2013-6053.patch
@@ -0,0 +1,13 @@
+Index: openjpeg-1.5.1/libopenjpeg/j2k.c
+===================================================================
+--- openjpeg-1.5.1.orig/libopenjpeg/j2k.c 2013-01-01 01:01:01.000000000 +0000
++++ openjpeg-1.5.1/libopenjpeg/j2k.c 2013-01-01 01:01:01.000000000 +0000
+@@ -422,7 +422,7 @@ static void j2k_read_siz(opj_j2k_t *j2k)
+
+ if ((image->x0<0)||(image->x1<0)||(image->y0<0)||(image->y1<0)) {
+ opj_event_msg(j2k->cinfo, EVT_ERROR,
+- "%s: invalid image size (x0:%d, x1:%d, y0:%d, y1:%d)\n",
++ "invalid image size (x0:%d, x1:%d, y0:%d, y1:%d)\n",
+ image->x0,image->x1,image->y0,image->y1);
+ return;
+ }
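Review bot: The stray `%s` removed in `j2k_read_siz` is a format/argument mismatch that a compiler can detect, but nothing here guards the other `opj_event_msg` call sites against the same mistake. Marking the declaration of `opj_event_msg` (outside this hunk) with `__attribute__((format(printf, 3, 4)))` for GCC-compatible compilers and building with `-Wformat` would flag any remaining ones. The argument positions are inferred from the call shown here and should be confirmed against the prototype.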
diff --git a/rhbz1036495_CVE-2013-6045.patch b/rhbz1036495_CVE-2013-6045.patch
new file mode 100644
index 0000000..c85a22e
--- /dev/null
+++ b/rhbz1036495_CVE-2013-6045.patch
@@ -0,0 +1,93 @@
+diff -rupN openjpeg-1.5.1/libopenjpeg/j2k.c openjpeg-1.5.1-new/libopenjpeg/j2k.c
+--- openjpeg-1.5.1/libopenjpeg/j2k.c 2013-12-05 10:26:15.000000000 +0100
++++ openjpeg-1.5.1-new/libopenjpeg/j2k.c 2013-12-05 10:32:34.752636957 +0100
+@@ -823,6 +823,12 @@ static void j2k_read_coc(opj_j2k_t *j2k)
+
+ len = cio_read(cio, 2); /* Lcoc */
+ compno = cio_read(cio, image->numcomps <= 256 ? 1 : 2); /* Ccoc */
++ if ((compno < 0) || (compno >= image->numcomps)) {
++ opj_event_msg(j2k->cinfo, EVT_ERROR ,
++ "bad component number in COC (%d out of a maximum of %d)\n",
++ compno, image->numcomps);
++ return;
++ }
+ tcp->tccps[compno].csty = cio_read(cio, 1); /* Scoc */
+ j2k_read_cox(j2k, compno);
+ }
+@@ -1004,8 +1010,18 @@ static void j2k_read_qcc(opj_j2k_t *j2k)
+
+ /* keep your private count of tiles */
+ backup_compno++;
+- };
++ }
++ else
+ #endif /* USE_JPWL */
++ {
++ /* compno is negative or larger than the number of components!!! */
++ if ((compno < 0) || (compno >= numcomp)) {
++ opj_event_msg(j2k->cinfo, EVT_ERROR,
++ "JPWL: bad component number in QCC (%d out of a maximum of %d)\n",
++ compno, numcomp);
++ return;
++ }
++ }
+
+ j2k_read_qcx(j2k, compno, len - 2 - (numcomp <= 256 ? 1 : 2));
+ }
+@@ -1051,6 +1067,17 @@ static void j2k_read_poc(opj_j2k_t *j2k)
+ tcp->POC = 1;
+ len = cio_read(cio, 2); /* Lpoc */
+ numpchgs = (len - 2) / (5 + 2 * (numcomps <= 256 ? 1 : 2));
++
++ {
++ /* old_poc < 0 "just in case" */
++ int maxpocs = (sizeof(tcp->pocs)/sizeof(tcp->pocs[0]));
++ if ((old_poc < 0) || ((numpchgs + old_poc) >= maxpocs)) {
++ opj_event_msg(j2k->cinfo, EVT_ERROR,
++ "JPWL: bad number of progression order changes (%d out of a maximum of %d)\n",
++ (numpchgs + old_poc), maxpocs);
++ return;
++ }
++ }
+
+ for (i = old_poc; i < numpchgs + old_poc; i++) {
+ opj_poc_t *poc;
+@@ -1590,6 +1617,14 @@ static void j2k_read_rgn(opj_j2k_t *j2k)
+ };
+ #endif /* USE_JPWL */
+
++ /* totlen is negative or larger than the bytes left!!! */
++ if (compno >= numcomps) {
++ opj_event_msg(j2k->cinfo, EVT_ERROR,
++ "JPWL: bad component number in RGN (%d when there are only %d)\n",
++ compno, numcomps);
++ return;
++ }
++
+ tcp->tccps[compno].roishift = cio_read(cio, 1); /* SPrgn */
+ }
+
+diff -rupN openjpeg-1.5.1/libopenjpeg/tcd.c openjpeg-1.5.1-new/libopenjpeg/tcd.c
+--- openjpeg-1.5.1/libopenjpeg/tcd.c 2012-09-13 09:58:39.000000000 +0200
++++ openjpeg-1.5.1-new/libopenjpeg/tcd.c 2013-12-05 10:32:21.721452575 +0100
+@@ -1394,10 +1394,19 @@ opj_bool tcd_decode_tile(opj_tcd_t *tcd,
+ return OPJ_FALSE;
+ }
+
++ int comp0size = (tile->comps[0].x1 - tile->comps[0].x0) * (tile->comps[0].y1 - tile->comps[0].y0);
+ for (compno = 0; compno < tile->numcomps; ++compno) {
+ opj_tcd_tilecomp_t* tilec = &tile->comps[compno];
++ int compcsize = ((tilec->x1 - tilec->x0) * (tilec->y1 - tilec->y0));
++ /* Later-on it is assumed that all components are of at least comp0size blocks */
++ if (compcsize < comp0size)
++ {
++ opj_event_msg(tcd->cinfo, EVT_ERROR, "Error decoding tile. Component %d contains only %d blocks "
++ "while component 0 has %d blocks\n", compno, compcsize, comp0size);
++ return OPJ_FALSE;
++ }
+ /* The +3 is headroom required by the vectorized DWT */
+- tilec->data = (int*) opj_aligned_malloc((((tilec->x1 - tilec->x0) * (tilec->y1 - tilec->y0))+3) * sizeof(int));
++ tilec->data = (int*) opj_aligned_malloc((comp0size+3) * sizeof(int));
+ if (tilec->data == NULL)
+ {
+ opj_event_msg(tcd->cinfo, EVT_ERROR, "Out of memory\n");
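Review bot: In `tcd_decode_tile` the allocation now uses `comp0size` for every component, while the new check only rejects components smaller than component 0, so a component larger than component 0 gets a buffer sized for component 0; if code outside this hunk fills `tilec->data` with that component's own samples, the buffer is too small. Sizing by the component itself keeps the check and the allocation consistent: `tilec->data = (int*) opj_aligned_malloc((compcsize+3) * sizeof(int));`. Both size products are computed in `int` and can overflow for large tile dimensions before the `+3` and the multiplication by `sizeof(int)`, so a range check on width and height belongs ahead of them. In `j2k_read_rgn` the added comment ("totlen is negative or larger than the bytes left") does not describe the check, the message carries a `JPWL:` prefix although it sits after the `#endif`, and unlike the COC and QCC checks it does not test `compno < 0`. The function bodies extend beyond the nested hunks.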