Hello community,

here is the log from the commit of package openjpeg for openSUSE:Factory 
checked in at 2014-01-17 11:05:08
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/openjpeg (Old)
 and      /work/SRC/openSUSE:Factory/.openjpeg.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "openjpeg"

Changes:
--------
--- /work/SRC/openSUSE:Factory/openjpeg/openjpeg.changes        2012-11-20 
13:10:12.000000000 +0100
+++ /work/SRC/openSUSE:Factory/.openjpeg.new/openjpeg.changes   2014-01-23 
15:50:19.000000000 +0100
@@ -0,0 +1,7 @@
+Fri Jan 10 15:20:37 UTC 2014 - [email protected]
+
+- Security:
+   * Patches openjpeg-1.5.1-cve-2013-6045-1.patch and  
+     openjpeg-1.5.1-cve-2013-6045-2.patch fix heap overflow
+     described in  CVE-2013-6045, bnc#853838. 
+

New:
----
  openjpeg-1.5.1-cve-2013-6045-1.patch
  openjpeg-1.5.1-cve-2013-6045-2.patch

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ openjpeg.spec ++++++
--- /var/tmp/diff_new_pack.t4uR1w/_old  2014-01-23 15:50:20.000000000 +0100
+++ /var/tmp/diff_new_pack.t4uR1w/_new  2014-01-23 15:50:20.000000000 +0100
@@ -1,7 +1,7 @@
 #
 # spec file for package openjpeg
 #
-# Copyright (c) 2012 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -32,6 +32,8 @@
 # PATCH-FIX-OPENSUSE openjpeg-1.5.1-soname.patch [email protected] -- 
Revert soname bump compared to 1.5.0 release (for now, remove patch in 2.0 
release) (taken from Fedora)
 # See 
"http://code.google.com/p/openjpeg/source/browse/tags/version.1.5.1/CMakeLists.txt";.
 The change was introduced in 1.5.1 but soname can remain the same between 
1.5.0 and 1.5.1 versions.
 Patch1:         openjpeg-1.5.1-soname.patch
+Patch2:         openjpeg-1.5.1-cve-2013-6045-1.patch
+Patch3:         openjpeg-1.5.1-cve-2013-6045-2.patch
 BuildRequires:  cmake
 BuildRequires:  doxygen
 %if 0%{?suse_version}
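Review bot: The two new `Patch2:`/`Patch3:` lines lack the descriptive comment that `Patch1:` carries just above them, so a reader of the spec cannot tell what the patches fix or where they come from without opening the changes file. Following the convention already used on this file, add a tag line before each, e.g. `# PATCH-FIX-UPSTREAM openjpeg-1.5.1-cve-2013-6045-1.patch bnc#853838 CVE-2013-6045 -- bounds-check COC/QCC/RGN component numbers and the POC change count` and `# PATCH-FIX-UPSTREAM openjpeg-1.5.1-cve-2013-6045-2.patch bnc#853838 CVE-2013-6045 -- reject tile components smaller than component 0 before allocating decode buffers`. The origin (upstream or distro-authored) is not stated on this page, so confirm the tag before committing.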
@@ -70,7 +72,8 @@
 %setup -q
 %patch0 -p1
 %patch1 -p1
-
+%patch2 -p1
+%patch3 -p1
 # Remove build time references so build-compare can do its work
 sed -i "s/HTML_TIMESTAMP         = YES/HTML_TIMESTAMP         = NO/g" 
doc/Doxyfile.dox.cmake.in
 

++++++ openjpeg-1.5.1-cve-2013-6045-1.patch ++++++
Index: libopenjpeg/j2k.c
===================================================================
--- openjpeg-1.5.1/libopenjpeg/j2k.c.orig
+++ openjpeg-1.5.1/libopenjpeg/j2k.c
@@ -823,6 +823,12 @@ static void j2k_read_coc(opj_j2k_t *j2k)
        
        len = cio_read(cio, 2);         /* Lcoc */
        compno = cio_read(cio, image->numcomps <= 256 ? 1 : 2); /* Ccoc */
+       if ((compno < 0) || (compno >= image->numcomps)) {
+               opj_event_msg(j2k->cinfo, EVT_ERROR ,
+                               "bad component number in COC (%d out of a 
maximum of %d)\n",
+                               compno, image->numcomps);
+               return;
+       }
        tcp->tccps[compno].csty = cio_read(cio, 1);     /* Scoc */
        j2k_read_cox(j2k, compno);
 }
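Review bot: The new error message in j2k_read_coc is written differently from the three sibling checks this patch adds: it has a stray space in `EVT_ERROR ,` and no `JPWL:` prefix, while the QCC, POC and RGN messages all start with `JPWL:` even though none of those checks depends on JPWL being compiled in. Pick one convention across the four hunks; dropping the misleading prefix from the other three is the better direction, and the call here becomes `opj_event_msg(j2k->cinfo, EVT_ERROR,`. The check itself is sound for a signed `compno`; j2k_read_coc begins outside this hunk, so the declaration of `compno` and `tcp` is not visible here.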
@@ -1004,8 +1010,18 @@ static void j2k_read_qcc(opj_j2k_t *j2k)
 
                /* keep your private count of tiles */
                backup_compno++;
-       };
+       }
+       else
 #endif /* USE_JPWL */
+       {
+               /* compno is negative or larger than the number of 
components!!! */
+               if ((compno < 0) || (compno >= numcomp)) {
+                       opj_event_msg(j2k->cinfo, EVT_ERROR,
+                               "JPWL: bad component number in QCC (%d out of a 
maximum of %d)\n",
+                               compno, numcomp);
+                       return;
+               }
+       }
 
        j2k_read_qcx(j2k, compno, len - 2 - (numcomp <= 256 ? 1 : 2));
 }
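Review bot: The new bounds check in j2k_read_qcc is placed in the `else` branch of the `#ifdef USE_JPWL` block, so in a JPWL build where the `if` above this hunk is taken (its condition is not visible here) the check is skipped and `j2k_read_qcx(j2k, compno, ...)` on the next line runs with whatever `compno` the JPWL branch left. Unless that branch is known to clamp `compno` into range, the safer shape is to close the JPWL conditional as before and run the range check unconditionally right before the `j2k_read_qcx` call, which also removes the new brace pair around a single `if`. The message prefix `JPWL: bad component number in QCC` is misleading on this path, which is the non-JPWL one; `bad component number in QCC` is accurate.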
@@ -1051,6 +1067,17 @@ static void j2k_read_poc(opj_j2k_t *j2k)
        tcp->POC = 1;
        len = cio_read(cio, 2);         /* Lpoc */
        numpchgs = (len - 2) / (5 + 2 * (numcomps <= 256 ? 1 : 2));
+
+       {
+               /* old_poc < 0 "just in case" */
+               int maxpocs = (sizeof(tcp->pocs)/sizeof(tcp->pocs[0]));
+               if ((old_poc < 0) || ((numpchgs + old_poc) >= maxpocs)) {
+                       opj_event_msg(j2k->cinfo, EVT_ERROR,
+                               "JPWL: bad number of progression order changes 
(%d out of a maximum of %d)\n",
+                               (numpchgs + old_poc), maxpocs);
+                       return;
+               }
+       }
        
        for (i = old_poc; i < numpchgs + old_poc; i++) {
                opj_poc_t *poc;
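Review bot: The guard `(numpchgs + old_poc) >= maxpocs` is one stricter than the loop it protects: the `for` on the next line writes indices `old_poc` through `numpchgs + old_poc - 1`, so a codestream whose progression changes exactly fill `tcp->pocs` is rejected although it fits. `if ((old_poc < 0) || ((numpchgs + old_poc) > maxpocs)) {` matches the loop bound, and `maxpocs` could be `size_t` with the `sizeof` division rather than an `int` to avoid the signed/unsigned comparison warning. Note also that `numpchgs` goes negative when `len < 2`, which the loop tolerates but which might deserve its own error rather than silent acceptance; the rest of j2k_read_poc lies outside this hunk.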
@@ -1590,6 +1617,14 @@ static void j2k_read_rgn(opj_j2k_t *j2k)
        };
 #endif /* USE_JPWL */
 
+       /* totlen is negative or larger than the bytes left!!! */
+       if (compno >= numcomps) {
+               opj_event_msg(j2k->cinfo, EVT_ERROR,
+                       "JPWL: bad component number in RGN (%d when there are 
only %d)\n",
+                       compno, numcomps);
+               return;
+       }
+
        tcp->tccps[compno].roishift = cio_read(cio, 1);                         
/* SPrgn */
 }
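Review bot: The comment `/* totlen is negative or larger than the bytes left!!! */` above the new check in j2k_read_rgn describes a different variable; the check is about `compno`, so it should read `/* compno is larger than the number of components */`. The check also differs from the COC and QCC checks in this same patch by omitting `compno < 0`; if `compno` is a signed `int` here as in those readers (its declaration is above the hunk and not visible), write `if ((compno < 0) || (compno >= numcomps)) {` so the three guards are uniform and a negative index into `tcp->tccps` cannot slip through.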
 
++++++ openjpeg-1.5.1-cve-2013-6045-2.patch ++++++
Index: openjpeg-1.5.1/libopenjpeg/tcd.c
===================================================================
--- openjpeg-1.5.1.orig/libopenjpeg/tcd.c
+++ openjpeg-1.5.1/libopenjpeg/tcd.c
@@ -1387,23 +1387,33 @@ opj_bool tcd_decode_tile(opj_tcd_t *tcd,
        
        t1_time = opj_clock();  /* time needed to decode a tile */
        t1 = t1_create(tcd->cinfo);
-    if (t1 == NULL)
-    {
-        opj_event_msg(tcd->cinfo, EVT_ERROR, "Out of memory\n");
-        t1_destroy(t1);
-        return OPJ_FALSE;
-    }
+
+       if (t1 == NULL)
+       {
+               opj_event_msg(tcd->cinfo, EVT_ERROR, "Out of memory\n");
+               t1_destroy(t1);
+               return OPJ_FALSE;
+       }
+
+       int comp0size = (tile->comps[0].x1 - tile->comps[0].x0) * 
(tile->comps[0].y1 - tile->comps[0].y0);
 
        for (compno = 0; compno < tile->numcomps; ++compno) {
                opj_tcd_tilecomp_t* tilec = &tile->comps[compno];
+               int compcsize = ((tilec->x1 - tilec->x0) * (tilec->y1 - 
tilec->y0));
+               /* Later-on it is assumed that all components are of at least 
comp0size blocks */
+               if (compcsize < comp0size)
+               {
+                       opj_event_msg(tcd->cinfo, EVT_ERROR, "Error decoding 
tile. Component %d contains only %d blocks "
+                               "while component 0 has %d blocks\n", compno, 
compcsize, comp0size);
+                       return OPJ_FALSE;
+               }
                /* The +3 is headroom required by the vectorized DWT */
-               tilec->data = (int*) opj_aligned_malloc((((tilec->x1 - 
tilec->x0) * (tilec->y1 - tilec->y0))+3) * sizeof(int));
-        if (tilec->data == NULL)
-        {
-            opj_event_msg(tcd->cinfo, EVT_ERROR, "Out of memory\n");
-            return OPJ_FALSE;
-        }
-
+               tilec->data = (int*) opj_aligned_malloc((comp0size+3) * 
sizeof(int));
+               if (tilec->data == NULL)
+               {
+                       opj_event_msg(tcd->cinfo, EVT_ERROR, "Out of memory\n");
+                       return OPJ_FALSE;
+               }
                t1_decode_cblks(t1, tilec, &tcd->tcp->tccps[compno]);
        }
        t1_destroy(t1);
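Review bot: The allocation on the `opj_aligned_malloc((comp0size+3) * sizeof(int))` line now sizes every component's buffer by component 0, but the new check only rejects components smaller than component 0, so a component with `compcsize > comp0size` gets a buffer smaller than its own sample count; if `t1_decode_cblks(t1, tilec, ...)` fills the component's full extent, as the original `compcsize`-based allocation suggests, that is an under-allocation. Keeping the check and restoring `tilec->data = (int*) opj_aligned_malloc((compcsize+3) * sizeof(int));` satisfies both the later "at least comp0size" assumption and the component's own size. Separately, `comp0size` and `compcsize` are `int` products of codestream-supplied extents and can overflow (signed overflow is undefined), which would also corrupt the `(comp0size+3) * sizeof(int)` argument; a pre-multiplication range check or a `size_t` computation is warranted here. The `int comp0size` declaration after statements is C99 mixed declaration, which may not match the surrounding file's style; tcd_decode_tile begins and ends outside this hunk.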