[mingw-openjpeg] Add patches for CVE-2013-6052 CVE-2013-6053 CVE-2013-6045

Sandro Mani smani at fedoraproject.org
Thu Dec 5 09:57:46 UTC 2013


commit 59d97763666e25b1a983457a2c987ad34679a90a
Author: Sandro Mani <manisandro at gmail.com>
Date:   Thu Dec 5 10:57:34 2013 +0100

    Add patches for CVE-2013-6052 CVE-2013-6053 CVE-2013-6045

 rhbz1036491_CVE-2013-6052.patch |   53 ++++++++++++++++++++++
 rhbz1036493_CVE-2013-6053.patch |   13 +++++
 rhbz1036495_CVE-2013-6045.patch |   93 +++++++++++++++++++++++++++++++++++++++
 3 files changed, 159 insertions(+), 0 deletions(-)
---
diff --git a/rhbz1036491_CVE-2013-6052.patch b/rhbz1036491_CVE-2013-6052.patch
new file mode 100644
index 0000000..6c26cc5
--- /dev/null
+++ b/rhbz1036491_CVE-2013-6052.patch
@@ -0,0 +1,53 @@
+diff -rupN openjpeg-1.5.1/libopenjpeg/cio.c openjpeg-1.5.1-new/libopenjpeg/cio.c
+--- openjpeg-1.5.1/libopenjpeg/cio.c	2012-09-13 09:58:39.000000000 +0200
++++ openjpeg-1.5.1-new/libopenjpeg/cio.c	2013-12-05 10:25:07.717415888 +0100
+@@ -30,6 +30,7 @@
+  */
+ 
+ #include "opj_includes.h"
++#include <assert.h>
+ 
+ /* ----------------------------------------------------------------------- */
+ 
+@@ -139,6 +140,11 @@ opj_bool cio_byteout(opj_cio_t *cio, uns
+  * Read a byte.
+  */
+ unsigned char cio_bytein(opj_cio_t *cio) {
++	if (cio->bp < cio->start) {
++		opj_event_msg(cio->cinfo, EVT_ERROR, "read error: trying to read from before the start of the codestream (start = %d, current = %d, end = %d\n", cio->start, cio->bp, cio->end);
++		abort();
++		return 0;
++	}
+ 	if (cio->bp >= cio->end) {
+ 		opj_event_msg(cio->cinfo, EVT_ERROR, "read error: passed the end of the codestream (start = %d, current = %d, end = %d\n", cio->start, cio->bp, cio->end);
+ 		return 0;
+@@ -173,7 +179,7 @@ unsigned int cio_read(opj_cio_t *cio, in
+ 	unsigned int v;
+ 	v = 0;
+ 	for (i = n - 1; i >= 0; i--) {
+-		v += cio_bytein(cio) << (i << 3);
++		v += (unsigned int)cio_bytein(cio) << (i << 3);
+ 	}
+ 	return v;
+ }
+@@ -184,6 +190,7 @@ unsigned int cio_read(opj_cio_t *cio, in
+  * n : number of bytes to skip
+  */
+ void cio_skip(opj_cio_t *cio, int n) {
++	assert((cio->bp + n) >= cio->bp);
+ 	cio->bp += n;
+ }
+ 
+diff -rupN openjpeg-1.5.1/libopenjpeg/jp2.c openjpeg-1.5.1-new/libopenjpeg/jp2.c
+--- openjpeg-1.5.1/libopenjpeg/jp2.c	2012-09-13 09:58:39.000000000 +0200
++++ openjpeg-1.5.1-new/libopenjpeg/jp2.c	2013-12-05 10:25:07.718415907 +0100
+@@ -172,6 +172,9 @@ static opj_bool jp2_read_boxhdr(opj_comm
+ 	}
+ 	else if (box->length == 0) {
+ 		box->length = cio_numbytesleft(cio) + 8;
++	} else if (box->length < 0) {
++		opj_event_msg(cinfo, EVT_ERROR, "Invalid, negative, size of box\n");
++		return OPJ_FALSE;
+ 	}
+ 	
+ 	return OPJ_TRUE;
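Review bot: The guard added to cio_skip, `assert((cio->bp + n) >= cio->bp);`, is compiled out in any build that defines NDEBUG. If `bp` is a pointer, as the comparisons with `cio->start` and `cio->end` suggest, the wrap-around it tests for is undefined behaviour that the compiler may assume never happens. An explicit runtime check against the buffer bounds holds in release builds too, something like `if (n < 0 || n > cio->end - cio->bp) { opj_event_msg(cio->cinfo, EVT_ERROR, "skip outside the codestream\n"); return; }`, provided callers tolerate a skip that does not advance. The `abort()` added to cio_bytein likewise terminates the host process on a malformed file and makes the following `return 0;` unreachable; returning 0 as the existing end-of-stream branch does would keep the failure inside the library. Only fragments of these functions are visible in the patch.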
diff --git a/rhbz1036493_CVE-2013-6053.patch b/rhbz1036493_CVE-2013-6053.patch
new file mode 100644
index 0000000..d464b60
--- /dev/null
+++ b/rhbz1036493_CVE-2013-6053.patch
@@ -0,0 +1,13 @@
+Index: openjpeg-1.5.1/libopenjpeg/j2k.c
+===================================================================
+--- openjpeg-1.5.1.orig/libopenjpeg/j2k.c	2013-01-01 01:01:01.000000000 +0000
++++ openjpeg-1.5.1/libopenjpeg/j2k.c	2013-01-01 01:01:01.000000000 +0000
+@@ -422,7 +422,7 @@ static void j2k_read_siz(opj_j2k_t *j2k)
+ 	
+ 	if ((image->x0<0)||(image->x1<0)||(image->y0<0)||(image->y1<0)) {
+ 		opj_event_msg(j2k->cinfo, EVT_ERROR,
+-									"%s: invalid image size (x0:%d, x1:%d, y0:%d, y1:%d)\n",
++									"invalid image size (x0:%d, x1:%d, y0:%d, y1:%d)\n",
+ 									image->x0,image->x1,image->y0,image->y1);
+ 		return;
+ 	}
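Review bot: The stray `%s` removed in j2k_read_siz is a format/argument mismatch that the compiler can only catch if opj_event_msg is declared as printf-like, and nothing in this patch adds that guard. If the prototype (not visible here) lacks it, adding `__attribute__((format(printf, 3, 4)))` for GCC-compatible builds would let `-Wformat` flag this class of error at compile time. The same check would also cover the `%d` conversions applied to `cio->start`, `cio->bp` and `cio->end` in the cio.c patch of this commit, should those fields be pointers.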
diff --git a/rhbz1036495_CVE-2013-6045.patch b/rhbz1036495_CVE-2013-6045.patch
new file mode 100644
index 0000000..c85a22e
--- /dev/null
+++ b/rhbz1036495_CVE-2013-6045.patch
@@ -0,0 +1,93 @@
+diff -rupN openjpeg-1.5.1/libopenjpeg/j2k.c openjpeg-1.5.1-new/libopenjpeg/j2k.c
+--- openjpeg-1.5.1/libopenjpeg/j2k.c	2013-12-05 10:26:15.000000000 +0100
++++ openjpeg-1.5.1-new/libopenjpeg/j2k.c	2013-12-05 10:32:34.752636957 +0100
+@@ -823,6 +823,12 @@ static void j2k_read_coc(opj_j2k_t *j2k)
+ 	
+ 	len = cio_read(cio, 2);		/* Lcoc */
+ 	compno = cio_read(cio, image->numcomps <= 256 ? 1 : 2);	/* Ccoc */
++	if ((compno < 0) || (compno >= image->numcomps)) {
++		opj_event_msg(j2k->cinfo, EVT_ERROR ,
++				"bad component number in COC (%d out of a maximum of %d)\n",
++				compno, image->numcomps);
++		return;
++	}
+ 	tcp->tccps[compno].csty = cio_read(cio, 1);	/* Scoc */
+ 	j2k_read_cox(j2k, compno);
+ }
+@@ -1004,8 +1010,18 @@ static void j2k_read_qcc(opj_j2k_t *j2k)
+ 
+ 		/* keep your private count of tiles */
+ 		backup_compno++;
+-	};
++	}
++	else
+ #endif /* USE_JPWL */
++	{
++		/* compno is negative or larger than the number of components!!! */
++		if ((compno < 0) || (compno >= numcomp)) {
++			opj_event_msg(j2k->cinfo, EVT_ERROR,
++				"JPWL: bad component number in QCC (%d out of a maximum of %d)\n",
++				compno, numcomp);
++			return;
++		}
++	}
+ 
+ 	j2k_read_qcx(j2k, compno, len - 2 - (numcomp <= 256 ? 1 : 2));
+ }
+@@ -1051,6 +1067,17 @@ static void j2k_read_poc(opj_j2k_t *j2k)
+ 	tcp->POC = 1;
+ 	len = cio_read(cio, 2);		/* Lpoc */
+ 	numpchgs = (len - 2) / (5 + 2 * (numcomps <= 256 ? 1 : 2));
++
++	{
++		/* old_poc < 0 "just in case" */
++		int maxpocs = (sizeof(tcp->pocs)/sizeof(tcp->pocs[0]));
++		if ((old_poc < 0) || ((numpchgs + old_poc) >= maxpocs)) {
++			opj_event_msg(j2k->cinfo, EVT_ERROR,
++				"JPWL: bad number of progression order changes (%d out of a maximum of %d)\n",
++				(numpchgs + old_poc), maxpocs);
++			return;
++		}
++	}
+ 	
+ 	for (i = old_poc; i < numpchgs + old_poc; i++) {
+ 		opj_poc_t *poc;
+@@ -1590,6 +1617,14 @@ static void j2k_read_rgn(opj_j2k_t *j2k)
+ 	};
+ #endif /* USE_JPWL */
+ 
++	/* totlen is negative or larger than the bytes left!!! */
++	if (compno >= numcomps) {
++		opj_event_msg(j2k->cinfo, EVT_ERROR,
++			"JPWL: bad component number in RGN (%d when there are only %d)\n",
++			compno, numcomps);
++		return;
++	}
++
+ 	tcp->tccps[compno].roishift = cio_read(cio, 1);				/* SPrgn */
+ }
+ 
+diff -rupN openjpeg-1.5.1/libopenjpeg/tcd.c openjpeg-1.5.1-new/libopenjpeg/tcd.c
+--- openjpeg-1.5.1/libopenjpeg/tcd.c	2012-09-13 09:58:39.000000000 +0200
++++ openjpeg-1.5.1-new/libopenjpeg/tcd.c	2013-12-05 10:32:21.721452575 +0100
+@@ -1394,10 +1394,19 @@ opj_bool tcd_decode_tile(opj_tcd_t *tcd,
+         return OPJ_FALSE;
+     }
+ 
++	int comp0size = (tile->comps[0].x1 - tile->comps[0].x0) * (tile->comps[0].y1 - tile->comps[0].y0);
+ 	for (compno = 0; compno < tile->numcomps; ++compno) {
+ 		opj_tcd_tilecomp_t* tilec = &tile->comps[compno];
++		int compcsize = ((tilec->x1 - tilec->x0) * (tilec->y1 - tilec->y0));
++		/* Later-on it is assumed that all components are of at least comp0size blocks */
++		if (compcsize < comp0size)
++		{
++			opj_event_msg(tcd->cinfo, EVT_ERROR, "Error decoding tile. Component %d contains only %d blocks "
++				"while component 0 has %d blocks\n", compno, compcsize, comp0size);
++			return OPJ_FALSE;
++		}
+ 		/* The +3 is headroom required by the vectorized DWT */
+-		tilec->data = (int*) opj_aligned_malloc((((tilec->x1 - tilec->x0) * (tilec->y1 - tilec->y0))+3) * sizeof(int));
++		tilec->data = (int*) opj_aligned_malloc((comp0size+3) * sizeof(int));
+         if (tilec->data == NULL)
+         {
+             opj_event_msg(tcd->cinfo, EVT_ERROR, "Out of memory\n");
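Review bot: In tcd_decode_tile the allocation now uses `comp0size` for every component, so a component whose area is larger than component 0's passes the `compcsize < comp0size` check and still gets a buffer sized for component 0. If later code fills `tilec->data` with that component's own `(x1 - x0) * (y1 - y0)` samples, this is a heap under-allocation; sizing by the component avoids it while the new check still covers the small-component case: `tilec->data = (int*) opj_aligned_malloc((compcsize+3) * sizeof(int));`. Both products are computed in `int` from codestream-derived coordinates, so they can overflow before the comparison is made; a range check on the widths and heights before multiplying would close that. The check also rejects any tile whose later components are smaller than component 0, which may include legitimately subsampled images, so it is worth confirming against such a sample. The function continues beyond the lines shown in the patch.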

