[openjpeg] plethora of security updates (#1038409)

Rex Dieter rdieter at fedoraproject.org
Tue Jan 7 21:48:41 UTC 2014


commit e506cabd3758497a749c0dd6c402f20e2d971d62
Author: Rex Dieter <rdieter at math.unl.edu>
Date:   Tue Jan 7 15:48:46 2014 -0600

    plethora of security updates (#1038409)
    
    - CVE-2013-6052 (#1036491)
    - CVE-2013-6053 (#1036493)
    - CVE-2013-6045 (#1036495)
    - CVE-2013-1447 (#1037945)
    - CVE-2013-6887 (#1037948)

 openjpeg-1.5.1-CVE-2013-1447.patch |  165 ++++++++++++++++++++++++++++++++++++
 openjpeg-1.5.1-CVE-2013-6045.patch |   60 +++++++++++++
 openjpeg-1.5.1-CVE-2013-6052.patch |   53 ++++++++++++
 openjpeg-1.5.1-CVE-2013-6053.patch |   12 +++
 openjpeg-1.5.1-CVE-2013-6887.patch |   30 +++++++
 openjpeg.spec                      |   29 ++++++-
 6 files changed, 348 insertions(+), 1 deletions(-)
---
diff --git a/openjpeg-1.5.1-CVE-2013-1447.patch b/openjpeg-1.5.1-CVE-2013-1447.patch
new file mode 100644
index 0000000..a0e3723
--- /dev/null
+++ b/openjpeg-1.5.1-CVE-2013-1447.patch
@@ -0,0 +1,165 @@
+diff -up openjpeg-1.5.1/libopenjpeg/cio.c.CVE-2013-1447 openjpeg-1.5.1/libopenjpeg/cio.c
+--- openjpeg-1.5.1/libopenjpeg/cio.c.CVE-2013-1447	2014-01-07 15:12:20.517748762 -0600
++++ openjpeg-1.5.1/libopenjpeg/cio.c	2014-01-07 15:12:20.533748592 -0600
+@@ -107,6 +107,11 @@ int OPJ_CALLCONV cio_tell(opj_cio_t *cio
+  * pos : position, in number of bytes, from the beginning of the stream
+  */
+ void OPJ_CALLCONV cio_seek(opj_cio_t *cio, int pos) {
++	if ((cio->start + pos) > cio->end) {
++		opj_event_msg(cio->cinfo, EVT_ERROR, "error: trying to seek past the end of the codestream (start = %d, change = %d, end = %d\n", cio->start, pos, cio->end);
++		cio->bp = cio->end;
++		return;
++	}
+ 	cio->bp = cio->start + pos;
+ }
+ 
+@@ -114,6 +119,7 @@ void OPJ_CALLCONV cio_seek(opj_cio_t *ci
+  * Number of bytes left before the end of the stream.
+  */
+ int cio_numbytesleft(opj_cio_t *cio) {
++	assert((cio->end - cio->bp) >= 0);
+ 	return cio->end - cio->bp;
+ }
+ 
+@@ -191,6 +197,11 @@ unsigned int cio_read(opj_cio_t *cio, in
+  */
+ void cio_skip(opj_cio_t *cio, int n) {
+ 	assert((cio->bp + n) >= cio->bp);
++	if (((cio->bp + n) < cio->start) || ((cio->bp + n) > cio->end)) {
++		opj_event_msg(cio->cinfo, EVT_ERROR, "error: trying to skip bytes past the end of the codestream (current = %d, change = %d, end = %d\n", cio->bp, n, cio->end);
++		cio->bp = cio->end;
++		return;
++	}
+ 	cio->bp += n;
+ }
+ 
+diff -up openjpeg-1.5.1/libopenjpeg/j2k.c.CVE-2013-1447 openjpeg-1.5.1/libopenjpeg/j2k.c
+--- openjpeg-1.5.1/libopenjpeg/j2k.c.CVE-2013-1447	2014-01-07 15:12:20.525748677 -0600
++++ openjpeg-1.5.1/libopenjpeg/j2k.c	2014-01-07 15:12:20.534748582 -0600
+@@ -476,7 +476,7 @@ static void j2k_read_siz(opj_j2k_t *j2k)
+ 
+ 	image->comps = (opj_image_comp_t*) opj_calloc(image->numcomps, sizeof(opj_image_comp_t));
+ 	for (i = 0; i < image->numcomps; i++) {
+-		int tmp, w, h;
++		int tmp/*, w, h*/;
+ 		tmp = cio_read(cio, 1);		/* Ssiz_i */
+ 		image->comps[i].prec = (tmp & 0x7f) + 1;
+ 		image->comps[i].sgnd = tmp >> 7;
+@@ -511,6 +511,14 @@ static void j2k_read_siz(opj_j2k_t *j2k)
+ 			
+ 		}
+ #endif /* USE_JPWL */
++		{
++			if (!(image->comps[i].dx * image->comps[i].dy)) {
++				opj_event_msg(j2k->cinfo, EVT_ERROR,
++					"JPWL: bad XRsiz_%d/YRsiz_%d (%d x %d)\n",
++					i, i, image->comps[i].dx, image->comps[i].dy);
++					return;
++			}
++		}
+ 
+     /* prevent division by zero */
+     if (!(image->comps[i].dx * image->comps[i].dy)) {
+@@ -519,8 +527,8 @@ static void j2k_read_siz(opj_j2k_t *j2k)
+     }
+ 
+ 		/* TODO: unused ? */
+-		w = int_ceildiv(image->x1 - image->x0, image->comps[i].dx);
+-		h = int_ceildiv(image->y1 - image->y0, image->comps[i].dy);
++/*		w = int_ceildiv(image->x1 - image->x0, image->comps[i].dx);
++		h = int_ceildiv(image->y1 - image->y0, image->comps[i].dy);*/
+ 
+ 		image->comps[i].resno_decoded = 0;	/* number of resolution decoded */
+ 		image->comps[i].factor = cp->reduce; /* reducing factor per component */
+@@ -2015,6 +2023,11 @@ opj_image_t* j2k_decode(opj_j2k_t *j2k,
+ 	}
+ 	if (j2k->state == J2K_STATE_NEOC) {
+ 		j2k_read_eoc(j2k);
++		/* Check one last time for errors during decoding before returning */
++		if (j2k->state & J2K_STATE_ERR) {
++			opj_image_destroy(image);
++			return NULL;
++		}
+ 	}
+ 
+ 	if (j2k->state != J2K_STATE_MT) {
+diff -up openjpeg-1.5.1/libopenjpeg/jp2.c.CVE-2013-1447 openjpeg-1.5.1/libopenjpeg/jp2.c
+--- openjpeg-1.5.1/libopenjpeg/jp2.c.CVE-2013-1447	2014-01-07 15:12:20.518748752 -0600
++++ openjpeg-1.5.1/libopenjpeg/jp2.c	2014-01-07 15:12:20.535748571 -0600
+@@ -819,6 +819,17 @@ void jp2_write_jp2h(opj_jp2_t *jp2, opj_
+ 
+ 	jp2_write_ihdr(jp2, cio);
+ 
++	{
++		int curpos = cio_tell(cio);
++		cio_seek(cio, box.init_pos);
++		cio_skip(cio, box.length);
++		if ((cio_tell(cio) - box.init_pos) != box.length) {
++			opj_event_msg(jp2->cinfo, EVT_ERROR, "Box size exceeds size of codestream (expected: %d, real: %d)\n", box.length, (cio_tell(cio) - box.init_pos));
++			return OPJ_FALSE;
++		}
++		cio_seek(cio, curpos);
++	}
++
+ 	if (jp2->bpc == 255) {
+ 		jp2_write_bpcc(jp2, cio);
+ 	}
+@@ -871,6 +882,13 @@ static opj_bool jp2_read_ftyp(opj_jp2_t
+ 	jp2->numcl = (box.length - 16) / 4;
+ 	jp2->cl = (unsigned int *) opj_malloc(jp2->numcl * sizeof(unsigned int));
+ 
++	if (cio_numbytesleft(cio) < ((int)jp2->numcl * 4)) {
++		opj_event_msg(cinfo, EVT_ERROR, "Not enough bytes in FTYP Box "
++				"(expected %d, but only %d left)\n",
++				((int)jp2->numcl * 4), cio_numbytesleft(cio));
++		return OPJ_FALSE;
++	}
++
+ 	for (i = 0; i < (int)jp2->numcl; i++) {
+ 		jp2->cl[i] = cio_read(cio, 4);	/* CLi */
+ 	}
+diff -up openjpeg-1.5.1/libopenjpeg/t2.c.CVE-2013-1447 openjpeg-1.5.1/libopenjpeg/t2.c
+--- openjpeg-1.5.1/libopenjpeg/t2.c.CVE-2013-1447	2012-09-13 02:58:39.000000000 -0500
++++ openjpeg-1.5.1/libopenjpeg/t2.c	2014-01-07 15:12:20.535748571 -0600
+@@ -340,6 +340,11 @@ static int t2_decode_packet(opj_t2_t* t2
+ 	int precno = pi->precno;	/* precinct value */
+ 	int layno  = pi->layno;		/* quality layer value */
+ 
++	if (!&(tile->comps[compno])) {
++		opj_event_msg(t2->cinfo, EVT_ERROR, "Trying to decode tile with no components!\n");
++		return -999;
++	}
++
+ 	opj_tcd_resolution_t* res = &tile->comps[compno].resolutions[resno];
+ 
+ 	unsigned char *hd = NULL;
+diff -up openjpeg-1.5.1/libopenjpeg/tcd.c.CVE-2013-1447 openjpeg-1.5.1/libopenjpeg/tcd.c
+--- openjpeg-1.5.1/libopenjpeg/tcd.c.CVE-2013-1447	2014-01-07 15:12:20.526748667 -0600
++++ openjpeg-1.5.1/libopenjpeg/tcd.c	2014-01-07 15:12:20.536748561 -0600
+@@ -667,8 +667,8 @@ void tcd_malloc_decode(opj_tcd_t *tcd, o
+ 			y1 = j == 0 ? tilec->y1 : int_max(y1,	(unsigned int) tilec->y1);
+ 		}
+ 
+-		w = int_ceildivpow2(x1 - x0, image->comps[i].factor);
+-		h = int_ceildivpow2(y1 - y0, image->comps[i].factor);
++		w = int_ceildivpow2((long)(x1) - (long)(x0), image->comps[i].factor);
++		h = int_ceildivpow2((long)(y1) - (long)(y0), image->comps[i].factor);
+ 
+ 		image->comps[i].w = w;
+ 		image->comps[i].h = h;
+@@ -1381,7 +1381,15 @@ opj_bool tcd_decode_tile(opj_tcd_t *tcd,
+ 	if (l == -999) {
+ 		eof = 1;
+ 		opj_event_msg(tcd->cinfo, EVT_ERROR, "tcd_decode: incomplete bistream\n");
++		return OPJ_FALSE;
+ 	}
++
++	/* The code below assumes that numcomps > 0 */
++	if (tile->numcomps <= 0) {
++		opj_event_msg(tcd->cinfo, EVT_ERROR, "tcd_decode: tile has a zero or negative numcomps\n");
++		return OPJ_TRUE;
++	}
++
+ 	
+ 	/*------------------TIER1-----------------*/
+ 	
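Review bot: The guard `if (!&(tile->comps[compno]))` added in t2_decode_packet cannot fire, because the address of an element of a valid `tile->comps` is never null, so the branch is dead and the "tile with no components" case it names is only caught by the `tile->numcomps <= 0` check added to tcd_decode_tile further down; either drop it or test something real, e.g. `if (tile->numcomps <= 0 || compno >= tile->numcomps)`. The new error messages in cio_seek and cio_skip pass `cio->start`, `cio->bp` and `cio->end` to `%d`, but these are pointers (the hunk does pointer arithmetic on `cio->bp + n`), so the calls are undefined on any platform where int and pointer widths differ; print offsets such as `(int)(cio->bp - cio->start)` instead, and both format strings also lack the closing `)` before `\n`. The hunk header for the jp2.c block reads `void jp2_write_jp2h`; if that block really sits inside this void function, `return OPJ_FALSE;` returns a value from a void function and `box.length` has not been computed yet for a box being written, so confirm the block was meant for the jp2h read path. In jp2_read_ftyp the bytes-left check comes after `opj_malloc(jp2->numcl * sizeof(unsigned int))`, so an untrusted `box.length` still drives the allocation size before it is validated; move the check above the allocation.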
diff --git a/openjpeg-1.5.1-CVE-2013-6045.patch b/openjpeg-1.5.1-CVE-2013-6045.patch
new file mode 100644
index 0000000..f45566f
--- /dev/null
+++ b/openjpeg-1.5.1-CVE-2013-6045.patch
@@ -0,0 +1,60 @@
+diff -up openjpeg-1.5.1/libopenjpeg/j2k.c.CVE-2013-6045 openjpeg-1.5.1/libopenjpeg/j2k.c
+--- openjpeg-1.5.1/libopenjpeg/j2k.c.CVE-2013-6045	2014-01-07 15:11:30.622278207 -0600
++++ openjpeg-1.5.1/libopenjpeg/j2k.c	2014-01-07 15:11:30.626278165 -0600
+@@ -1076,6 +1076,17 @@ static void j2k_read_poc(opj_j2k_t *j2k)
+ 	tcp->POC = 1;
+ 	len = cio_read(cio, 2);		/* Lpoc */
+ 	numpchgs = (len - 2) / (5 + 2 * (numcomps <= 256 ? 1 : 2));
++
++	{
++		/* old_poc < 0 "just in case" */
++		int maxpocs = (sizeof(tcp->pocs)/sizeof(tcp->pocs[0]));
++		if ((old_poc < 0) || ((numpchgs + old_poc) >= maxpocs)) {
++			opj_event_msg(j2k->cinfo, EVT_ERROR,
++				"JPWL: bad number of progression order changes (%d out of a maximum of %d)\n",
++				(numpchgs + old_poc), maxpocs);
++			return;
++		}
++	}
+ 	
+ 	for (i = old_poc; i < numpchgs + old_poc; i++) {
+ 		opj_poc_t *poc;
+@@ -1622,6 +1633,14 @@ static void j2k_read_rgn(opj_j2k_t *j2k)
+     return;
+   }
+ 
++	/* totlen is negative or larger than the bytes left!!! */
++	if (compno >= numcomps) {
++		opj_event_msg(j2k->cinfo, EVT_ERROR,
++			"JPWL: bad component number in RGN (%d when there are only %d)\n",
++			compno, numcomps);
++		return;
++	}
++
+ 	tcp->tccps[compno].roishift = cio_read(cio, 1);				/* SPrgn */
+ }
+ 
+diff -up openjpeg-1.5.1/libopenjpeg/tcd.c.CVE-2013-6045 openjpeg-1.5.1/libopenjpeg/tcd.c
+--- openjpeg-1.5.1/libopenjpeg/tcd.c.CVE-2013-6045	2012-09-13 02:58:39.000000000 -0500
++++ openjpeg-1.5.1/libopenjpeg/tcd.c	2014-01-07 15:11:30.626278165 -0600
+@@ -1394,10 +1394,19 @@ opj_bool tcd_decode_tile(opj_tcd_t *tcd,
+         return OPJ_FALSE;
+     }
+ 
++	int comp0size = (tile->comps[0].x1 - tile->comps[0].x0) * (tile->comps[0].y1 - tile->comps[0].y0);
+ 	for (compno = 0; compno < tile->numcomps; ++compno) {
+ 		opj_tcd_tilecomp_t* tilec = &tile->comps[compno];
++		int compcsize = ((tilec->x1 - tilec->x0) * (tilec->y1 - tilec->y0));
++		/* Later-on it is assumed that all components are of at least comp0size blocks */
++		if (compcsize < comp0size)
++		{
++			opj_event_msg(tcd->cinfo, EVT_ERROR, "Error decoding tile. Component %d contains only %d blocks "
++				"while component 0 has %d blocks\n", compno, compcsize, comp0size);
++			return OPJ_FALSE;
++		}
+ 		/* The +3 is headroom required by the vectorized DWT */
+-		tilec->data = (int*) opj_aligned_malloc((((tilec->x1 - tilec->x0) * (tilec->y1 - tilec->y0))+3) * sizeof(int));
++		tilec->data = (int*) opj_aligned_malloc((comp0size+3) * sizeof(int));
+         if (tilec->data == NULL)
+         {
+             opj_event_msg(tcd->cinfo, EVT_ERROR, "Out of memory\n");
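Review bot: The allocation in tcd_decode_tile now uses `comp0size+3` for every component, while the preceding check only rejects components smaller than component 0; a component larger than component 0 therefore gets a buffer sized for component 0, which is an under-allocation if the later DWT/T1 stages index each component by its own `x0..x1`/`y0..y1` extent — confirm against those stages, and if so keep `compcsize+3` as the allocation size. The products `(x1 - x0) * (y1 - y0)` are computed in `int` from codestream-derived coordinates, so they can overflow before the comparison; bound the factors, or compute in a wider type, before multiplying. The comment `/* totlen is negative or larger than the bytes left!!! */` above the new RGN check describes a different condition than `compno >= numcomps` and should read `/* component number beyond the number of declared components */`. Both j2k_read_poc and tcd_decode_tile start before their hunks.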
diff --git a/openjpeg-1.5.1-CVE-2013-6052.patch b/openjpeg-1.5.1-CVE-2013-6052.patch
new file mode 100644
index 0000000..a157f39
--- /dev/null
+++ b/openjpeg-1.5.1-CVE-2013-6052.patch
@@ -0,0 +1,53 @@
+diff -up openjpeg-1.5.1/libopenjpeg/cio.c.CVE-2013-6052 openjpeg-1.5.1/libopenjpeg/cio.c
+--- openjpeg-1.5.1/libopenjpeg/cio.c.CVE-2013-6052	2012-09-13 02:58:39.000000000 -0500
++++ openjpeg-1.5.1/libopenjpeg/cio.c	2014-01-07 14:43:14.213256439 -0600
+@@ -30,6 +30,7 @@
+  */
+ 
+ #include "opj_includes.h"
++#include <assert.h>
+ 
+ /* ----------------------------------------------------------------------- */
+ 
+@@ -139,6 +140,11 @@ opj_bool cio_byteout(opj_cio_t *cio, uns
+  * Read a byte.
+  */
+ unsigned char cio_bytein(opj_cio_t *cio) {
++	if (cio->bp < cio->start) {
++		opj_event_msg(cio->cinfo, EVT_ERROR, "read error: trying to read from before the start of the codestream (start = %d, current = %d, end = %d\n", cio->start, cio->bp, cio->end);
++		abort();
++		return 0;
++	}
+ 	if (cio->bp >= cio->end) {
+ 		opj_event_msg(cio->cinfo, EVT_ERROR, "read error: passed the end of the codestream (start = %d, current = %d, end = %d\n", cio->start, cio->bp, cio->end);
+ 		return 0;
+@@ -173,7 +179,7 @@ unsigned int cio_read(opj_cio_t *cio, in
+ 	unsigned int v;
+ 	v = 0;
+ 	for (i = n - 1; i >= 0; i--) {
+-		v += cio_bytein(cio) << (i << 3);
++		v += (unsigned int)cio_bytein(cio) << (i << 3);
+ 	}
+ 	return v;
+ }
+@@ -184,6 +190,7 @@ unsigned int cio_read(opj_cio_t *cio, in
+  * n : number of bytes to skip
+  */
+ void cio_skip(opj_cio_t *cio, int n) {
++	assert((cio->bp + n) >= cio->bp);
+ 	cio->bp += n;
+ }
+ 
+diff -up openjpeg-1.5.1/libopenjpeg/jp2.c.CVE-2013-6052 openjpeg-1.5.1/libopenjpeg/jp2.c
+--- openjpeg-1.5.1/libopenjpeg/jp2.c.CVE-2013-6052	2014-01-07 14:43:14.201256566 -0600
++++ openjpeg-1.5.1/libopenjpeg/jp2.c	2014-01-07 14:43:14.214256428 -0600
+@@ -172,6 +172,9 @@ static opj_bool jp2_read_boxhdr(opj_comm
+ 	}
+ 	else if (box->length == 0) {
+ 		box->length = cio_numbytesleft(cio) + 8;
++	} else if (box->length < 0) {
++		opj_event_msg(cinfo, EVT_ERROR, "Invalid, negative, size of box\n");
++		return OPJ_FALSE;
+ 	}
+ 	if (box->length < 0) {
+ 		opj_event_msg(cinfo, EVT_ERROR, "Integer overflow in box->length\n");
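Review bot: `abort()` in the new before-the-start branch of cio_bytein makes any malformed codestream terminate the whole host process, while the end-of-stream branch just below it logs and returns 0; the `return 0;` after `abort()` is unreachable. Match the sibling branch by dropping the `abort()` and returning 0, leaving the caller to act on the logged error. The `assert((cio->bp + n) >= cio->bp)` added to cio_skip compiles to nothing under NDEBUG, so on its own it gives release builds no bounds check, and `cio->bp + n` is evaluated before the comparison, which is undefined once it leaves the buffer; a comparison of `n` against `cio->end - cio->bp` avoids both problems. In jp2_read_boxhdr the new `else if (box->length < 0)` branch is immediately followed by an existing `if (box->length < 0)` check reporting the same condition, so one of the two is redundant.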
diff --git a/openjpeg-1.5.1-CVE-2013-6053.patch b/openjpeg-1.5.1-CVE-2013-6053.patch
new file mode 100644
index 0000000..292084a
--- /dev/null
+++ b/openjpeg-1.5.1-CVE-2013-6053.patch
@@ -0,0 +1,12 @@
+diff -up openjpeg-1.5.1/libopenjpeg/j2k.c.CVE-2013-6053 openjpeg-1.5.1/libopenjpeg/j2k.c
+--- openjpeg-1.5.1/libopenjpeg/j2k.c.CVE-2013-6053	2014-01-07 14:44:40.086344624 -0600
++++ openjpeg-1.5.1/libopenjpeg/j2k.c	2014-01-07 14:44:40.092344561 -0600
+@@ -422,7 +422,7 @@ static void j2k_read_siz(opj_j2k_t *j2k)
+ 	
+ 	if ((image->x0<0)||(image->x1<0)||(image->y0<0)||(image->y1<0)) {
+ 		opj_event_msg(j2k->cinfo, EVT_ERROR,
+-									"%s: invalid image size (x0:%d, x1:%d, y0:%d, y1:%d)\n",
++									"invalid image size (x0:%d, x1:%d, y0:%d, y1:%d)\n",
+ 									image->x0,image->x1,image->y0,image->y1);
+ 		return;
+ 	}
diff --git a/openjpeg-1.5.1-CVE-2013-6887.patch b/openjpeg-1.5.1-CVE-2013-6887.patch
new file mode 100644
index 0000000..f9d68ef
--- /dev/null
+++ b/openjpeg-1.5.1-CVE-2013-6887.patch
@@ -0,0 +1,30 @@
+diff -up openjpeg-1.5.1/libopenjpeg/j2k.c.CVE-2013-6887 openjpeg-1.5.1/libopenjpeg/j2k.c
+--- openjpeg-1.5.1/libopenjpeg/j2k.c.CVE-2013-6887	2014-01-07 15:13:20.297114457 -0600
++++ openjpeg-1.5.1/libopenjpeg/j2k.c	2014-01-07 15:13:20.302114404 -0600
+@@ -1697,8 +1697,11 @@ static void j2k_read_eoc(opj_j2k_t *j2k)
+ 	else {
+ 		for (i = 0; i < j2k->cp->tileno_size; i++) {
+ 			tileno = j2k->cp->tileno[i];
+-			opj_free(j2k->tile_data[tileno]);
+-			j2k->tile_data[tileno] = NULL;
++			/* not sure if this can actually happen */
++			if (tileno != -1) {
++				opj_free(j2k->tile_data[tileno]);
++				j2k->tile_data[tileno] = NULL;
++			}
+ 		}
+ 	}	
+ 	if (j2k->state & J2K_STATE_ERR)
+@@ -1858,8 +1861,10 @@ void j2k_destroy_decompress(opj_j2k_t *j
+         if(j2k->cp != NULL) {
+             for (i = 0; i < j2k->cp->tileno_size; i++) {
+                 int tileno = j2k->cp->tileno[i];
+-                opj_free(j2k->tile_data[tileno]);
+-                j2k->tile_data[tileno] = NULL;
++		if (tileno != -1) {
++			opj_free(j2k->tile_data[tileno]);
++			j2k->tile_data[tileno] = NULL;
++		}
+             }
+         }
+ 
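Review bot: The new guard in j2k_read_eoc and j2k_destroy_decompress rejects only the `-1` sentinel before indexing `j2k->tile_data[tileno]`; if `tileno` is not validated against the size of `tile_data` where it is read from the codestream — confirm in the SOT parsing — an out-of-range index still passes, and a comparison against the tile count would belong here as well. The comment `/* not sure if this can actually happen */` should record what `-1` means, for instance `/* -1: tile slot never filled in, nothing to free */`, once that is confirmed against the code that initializes tileno[]. The same check now appears in both functions; a small static helper would keep them from drifting apart. The added lines in j2k_destroy_decompress are tab-indented inside a block indented with spaces; match the surrounding indentation.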
diff --git a/openjpeg.spec b/openjpeg.spec
index 8fcf599..d2db10e 100644
--- a/openjpeg.spec
+++ b/openjpeg.spec
@@ -9,7 +9,7 @@
 
 Name:    openjpeg
 Version: 1.5.1
-Release: 6%{?dist}
+Release: 7%{?dist}
 Summary: JPEG 2000 command line tools
 
 License: BSD
@@ -39,6 +39,18 @@ Patch102: openjpeg-1.5-r2032.patch
 # http://code.google.com/p/openjpeg/issues/detail?id=166
 Patch103: openjpeg-1.5-r2033.patch
 
+## security patches
+# https://bugzilla.redhat.com/show_bug.cgi?id=1036491
+Patch200: openjpeg-1.5.1-CVE-2013-6052.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=1036493
+Patch201: openjpeg-1.5.1-CVE-2013-6053.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=1036495
+Patch202: openjpeg-1.5.1-CVE-2013-6045.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=1037945
+Patch203: openjpeg-1.5.1-CVE-2013-1447.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=1037948
+Patch204: openjpeg-1.5.1-CVE-2013-6887.patch
+
 
 %if 0%{?cmake_build}
 BuildRequires: cmake 
@@ -96,6 +108,13 @@ autoreconf -i -f
 %patch102 -p0 -b .r2032
 %patch103 -p0 -b .r2033
 
+%patch200 -p1 -b .CVE-2013-6052
+%patch201 -p1 -b .CVE-2013-6053
+%patch202 -p1 -b .CVE-2013-6045
+%patch203 -p1 -b .CVE-2013-1447
+%patch204 -p1 -b .CVE-2013-6887
+
+
 %build
 
 %{?runcheck:export OPJ_DATA_ROOT=$(pwd)/data}
@@ -181,6 +200,14 @@ make test -C %{_target_platform}
 
 
 %changelog
+* Tue Jan 07 2014 Rex Dieter <rdieter at fedoraproject.org> 1.5.1-7
+- plethora of security updates (#1038409)
+- CVE-2013-6052 (#1036491)
+- CVE-2013-6053 (#1036493)
+- CVE-2013-6045 (#1036495)
+- CVE-2013-1447 (#1037945)
+- CVE-2013-6887 (#1037948)
+
 * Sat Aug 03 2013 Fedora Release Engineering <rel-eng at lists.fedoraproject.org> - 1.5.1-6
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild
 

