Date: Monday, April 28, 2014 @ 09:45:26 Author: jgc Revision: 211844 upgpkg: openjpeg 1.5.2-1
Bump to 1.5.2, remove all included security patches Modified: openjpeg/trunk/PKGBUILD Deleted: openjpeg/trunk/openjpeg-1.5-r2029.patch openjpeg/trunk/openjpeg-1.5-r2031.patch openjpeg/trunk/openjpeg-1.5-r2032.patch openjpeg/trunk/openjpeg-1.5-r2033.patch openjpeg/trunk/openjpeg-1.5.1-CVE-2013-1447.patch openjpeg/trunk/openjpeg-1.5.1-CVE-2013-6045.patch openjpeg/trunk/openjpeg-1.5.1-CVE-2013-6052.patch openjpeg/trunk/openjpeg-1.5.1-CVE-2013-6053.patch openjpeg/trunk/openjpeg-1.5.1-CVE-2013-6887.patch openjpeg/trunk/openjpeg-1.5.1-doxygen_timestamp.patch ----------------------------------------+ PKGBUILD | 41 ------- openjpeg-1.5-r2029.patch | 77 -------------- openjpeg-1.5-r2031.patch | 24 ---- openjpeg-1.5-r2032.patch | 30 ----- openjpeg-1.5-r2033.patch | 49 --------- openjpeg-1.5.1-CVE-2013-1447.patch | 165 ------------------------------- openjpeg-1.5.1-CVE-2013-6045.patch | 60 ----------- openjpeg-1.5.1-CVE-2013-6052.patch | 53 --------- openjpeg-1.5.1-CVE-2013-6053.patch | 12 -- openjpeg-1.5.1-CVE-2013-6887.patch | 30 ----- openjpeg-1.5.1-doxygen_timestamp.patch | 24 ---- 11 files changed, 4 insertions(+), 561 deletions(-) Modified: PKGBUILD =================================================================== --- PKGBUILD 2014-04-28 05:52:08 UTC (rev 211843) +++ PKGBUILD 2014-04-28 07:45:26 UTC (rev 211844) @@ -2,8 +2,8 @@ # Maintainer: Jan de Groot <[email protected]> pkgname=openjpeg -pkgver=1.5.1 -pkgrel=2 +pkgver=1.5.2 +pkgrel=1 pkgdesc="An open source JPEG 2000 codec" arch=(i686 x86_64) license=('BSD') @@ -12,42 +12,9 @@ makedepends=('libtiff' 'lcms2' 'libpng' 'doxygen') optdepends=('lcms2: j2k_to_image and image_to_j2k programs' 'libpng: j2k_to_image and image_to_j2k programs') -source=(http://openjpeg.googlecode.com/files/openjpeg-${pkgver}.tar.gz - openjpeg-1.5.1-CVE-2013-1447.patch - openjpeg-1.5.1-CVE-2013-6045.patch - openjpeg-1.5.1-CVE-2013-6052.patch - openjpeg-1.5.1-CVE-2013-6053.patch - openjpeg-1.5.1-CVE-2013-6887.patch - openjpeg-1.5.1-doxygen_timestamp.patch - openjpeg-1.5-r2029.patch - openjpeg-1.5-r2031.patch - openjpeg-1.5-r2032.patch - openjpeg-1.5-r2033.patch) -sha1sums=('1b0b74d1af4c297fd82806a9325bb544caf9bb8b' - 'f2baf9bde105c96c7016be907cd278f2878be2b9' - 'f3764e473bd35508e83643a9257979eaa2c89c36' - '1d600a13432b977c46a5b74bf87bf1b5a130abfb' - '8d2da4b912d7e930abec31a956b678f62566884c' - '038e471597decf36de0c7c78915744054704c601' - '339677795a567c0f91b62141847b8e5dda53e763' - '1cd97c1be5cedad136894db2b16f856a28387aeb' - 'f68108dd25c7ed278678de11d5713fba87ab6017' - '222769c17e69022902d4e49c9dc5294361a00c85' - '9ec5c1e0909c8946a174733a598fbe38675a0c9c') +source=(http://downloads.sourceforge.net/openjpeg.mirror/${pkgname}-${pkgver}.tar.gz) +sha1sums=('496e99ff1d37b73bbce6a066dd9bd3576ebca0a2') -prepare() { - cd $pkgname-$pkgver - patch -Np1 -i ../openjpeg-1.5.1-doxygen_timestamp.patch - patch -Np0 -i ../openjpeg-1.5-r2029.patch - patch -Np0 -i ../openjpeg-1.5-r2031.patch - patch -Np0 -i ../openjpeg-1.5-r2032.patch - patch -Np0 -i ../openjpeg-1.5-r2033.patch - patch -Np1 -i ../openjpeg-1.5.1-CVE-2013-6052.patch - patch -Np1 -i ../openjpeg-1.5.1-CVE-2013-6053.patch -# patch -Np1 -i ../openjpeg-1.5.1-CVE-2013-6045.patch - patch -Np1 -i ../openjpeg-1.5.1-CVE-2013-1447.patch - patch -Np1 -i ../openjpeg-1.5.1-CVE-2013-6887.patch -} build() { cd $pkgname-$pkgver Deleted: openjpeg-1.5-r2029.patch =================================================================== --- openjpeg-1.5-r2029.patch 2014-04-28 05:52:08 UTC (rev 211843) +++ openjpeg-1.5-r2029.patch 2014-04-28 07:45:26 UTC (rev 211844) @@ -1,77 +0,0 @@ -Index: libopenjpeg/jp2.c -=================================================================== ---- libopenjpeg/jp2.c (revision 2028) -+++ libopenjpeg/jp2.c (revision 2029) -@@ -173,6 +173,10 @@ - else if (box->length == 0) { - box->length = cio_numbytesleft(cio) + 8; - } -+ if (box->length < 0) { -+ opj_event_msg(cinfo, EVT_ERROR, "Integer overflow in box->length\n"); -+ return OPJ_FALSE; // TODO: actually check jp2_read_boxhdr's return value -+ } - - return OPJ_TRUE; - } -@@ -654,6 +658,7 @@ - opj_event_msg(cinfo, EVT_ERROR, "Expected JP2H Marker\n"); - return OPJ_FALSE; - } -+ if (box.length <= 8) return OPJ_FALSE; - cio_skip(cio, box.length - 8); - - if(cio->bp >= cio->end) return OPJ_FALSE; -@@ -679,6 +684,7 @@ - { - if( !jp2_read_colr(jp2, cio, &box, color)) - { -+ if (box.length <= 8) return OPJ_FALSE; - cio_seek(cio, box.init_pos + 8); - cio_skip(cio, box.length - 8); - } -@@ -689,6 +695,7 @@ - { - if( !jp2_read_cdef(jp2, cio, &box, color)) - { -+ if (box.length <= 8) return OPJ_FALSE; - cio_seek(cio, box.init_pos + 8); - cio_skip(cio, box.length - 8); - } -@@ -699,6 +706,7 @@ - { - if( !jp2_read_pclr(jp2, cio, &box, color)) - { -+ if (box.length <= 8) return OPJ_FALSE; - cio_seek(cio, box.init_pos + 8); - cio_skip(cio, box.length - 8); - } -@@ -709,12 +717,14 @@ - { - if( !jp2_read_cmap(jp2, cio, &box, color)) - { -+ if (box.length <= 8) return OPJ_FALSE; - cio_seek(cio, box.init_pos + 8); - cio_skip(cio, box.length - 8); - } - if( jp2_read_boxhdr(cinfo, cio, &box) == OPJ_FALSE ) return OPJ_FALSE; - continue; - } -+ if (box.length <= 8) return OPJ_FALSE; - cio_seek(cio, box.init_pos + 8); - cio_skip(cio, box.length - 8); - if( jp2_read_boxhdr(cinfo, cio, &box) == OPJ_FALSE ) return OPJ_FALSE; -@@ -910,12 +920,14 @@ - } - do { - if(JP2_JP2C != box.type) { -+ if (box.length <= 8) return OPJ_FALSE; - cio_skip(cio, box.length - 8); - if( jp2_read_boxhdr(cinfo, cio, &box) == OPJ_FALSE ) return OPJ_FALSE; - } - } while(JP2_JP2C != box.type); - - *j2k_codestream_offset = cio_tell(cio); -+ if (box.length <= 8) return OPJ_FALSE; - *j2k_codestream_length = box.length - 8; - - return OPJ_TRUE; Deleted: openjpeg-1.5-r2031.patch =================================================================== --- openjpeg-1.5-r2031.patch 2014-04-28 05:52:08 UTC (rev 211843) +++ openjpeg-1.5-r2031.patch 2014-04-28 07:45:26 UTC (rev 211844) @@ -1,24 +0,0 @@ -Index: libopenjpeg/jpwl/Makefile.am -=================================================================== ---- libopenjpeg/jpwl/Makefile.am (revision 2030) -+++ libopenjpeg/jpwl/Makefile.am (revision 2031) -@@ -18,7 +18,6 @@ - ../pi.c \ - ../raw.c \ - ../t1.c \ --../t1_generate_luts.c \ - ../t2.c \ - ../tcd.c \ - ../tgt.c \ -Index: libopenjpeg/Makefile.am -=================================================================== ---- libopenjpeg/Makefile.am (revision 2030) -+++ libopenjpeg/Makefile.am (revision 2031) -@@ -35,7 +35,6 @@ - pi.c \ - raw.c \ - t1.c \ --t1_generate_luts.c \ - t2.c \ - tcd.c \ - tgt.c \ Deleted: openjpeg-1.5-r2032.patch =================================================================== --- openjpeg-1.5-r2032.patch 2014-04-28 05:52:08 UTC (rev 211843) +++ openjpeg-1.5-r2032.patch 2014-04-28 07:45:26 UTC (rev 211844) @@ -1,30 +0,0 @@ -Index: libopenjpeg/j2k.c -=================================================================== ---- libopenjpeg/j2k.c (revision 2031) -+++ libopenjpeg/j2k.c (revision 2032) -@@ -468,6 +468,12 @@ - } - #endif /* USE_JPWL */ - -+ /* prevent division by zero */ -+ if (!(cp->tdx * cp->tdy)) { -+ opj_event_msg(j2k->cinfo, EVT_ERROR, "JPWL: invalid tile size (tdx: %d, tdy: %d)\n", cp->tdx, cp->tdy); -+ return; -+ } -+ - image->comps = (opj_image_comp_t*) opj_calloc(image->numcomps, sizeof(opj_image_comp_t)); - for (i = 0; i < image->numcomps; i++) { - int tmp, w, h; -@@ -506,6 +512,12 @@ - } - #endif /* USE_JPWL */ - -+ /* prevent division by zero */ -+ if (!(image->comps[i].dx * image->comps[i].dy)) { -+ opj_event_msg(j2k->cinfo, EVT_ERROR, "JPWL: invalid component size (dx: %d, dy: %d)\n", image->comps[i].dx, image->comps[i].dy); -+ return; -+ } -+ - /* TODO: unused ? */ - w = int_ceildiv(image->x1 - image->x0, image->comps[i].dx); - h = int_ceildiv(image->y1 - image->y0, image->comps[i].dy); Deleted: openjpeg-1.5-r2033.patch =================================================================== --- openjpeg-1.5-r2033.patch 2014-04-28 05:52:08 UTC (rev 211843) +++ openjpeg-1.5-r2033.patch 2014-04-28 07:45:26 UTC (rev 211844) @@ -1,49 +0,0 @@ -Index: libopenjpeg/j2k.c -=================================================================== ---- libopenjpeg/j2k.c (revision 2032) -+++ libopenjpeg/j2k.c (revision 2033) -@@ -835,6 +835,12 @@ - - len = cio_read(cio, 2); /* Lcoc */ - compno = cio_read(cio, image->numcomps <= 256 ? 1 : 2); /* Ccoc */ -+ if (compno >= image->numcomps) { -+ opj_event_msg(j2k->cinfo, EVT_ERROR, -+ "bad component number in COC (%d out of a maximum of %d)\n", -+ compno, image->numcomps); -+ return; -+ } - tcp->tccps[compno].csty = cio_read(cio, 1); /* Scoc */ - j2k_read_cox(j2k, compno); - } -@@ -1016,9 +1022,16 @@ - - /* keep your private count of tiles */ - backup_compno++; -- }; -+ } - #endif /* USE_JPWL */ - -+ if ((compno < 0) || (compno >= numcomp)) { -+ opj_event_msg(j2k->cinfo, EVT_ERROR, -+ "bad component number in QCC (%d out of a maximum of %d)\n", -+ compno, j2k->image->numcomps); -+ return; -+ } -+ - j2k_read_qcx(j2k, compno, len - 2 - (numcomp <= 256 ? 1 : 2)); - } - -@@ -1602,6 +1615,13 @@ - }; - #endif /* USE_JPWL */ - -+ if (compno >= numcomps) { -+ opj_event_msg(j2k->cinfo, EVT_ERROR, -+ "bad component number in RGN (%d out of a maximum of %d)\n", -+ compno, j2k->image->numcomps); -+ return; -+ } -+ - tcp->tccps[compno].roishift = cio_read(cio, 1); /* SPrgn */ - } - Deleted: openjpeg-1.5.1-CVE-2013-1447.patch =================================================================== --- openjpeg-1.5.1-CVE-2013-1447.patch 2014-04-28 05:52:08 UTC (rev 211843) +++ openjpeg-1.5.1-CVE-2013-1447.patch 2014-04-28 07:45:26 UTC (rev 211844) @@ -1,165 +0,0 @@ -diff -up openjpeg-1.5.1/libopenjpeg/cio.c.CVE-2013-1447 openjpeg-1.5.1/libopenjpeg/cio.c ---- openjpeg-1.5.1/libopenjpeg/cio.c.CVE-2013-1447 2014-01-07 15:12:20.517748762 -0600 -+++ openjpeg-1.5.1/libopenjpeg/cio.c 2014-01-07 15:12:20.533748592 -0600 -@@ -107,6 +107,11 @@ int OPJ_CALLCONV cio_tell(opj_cio_t *cio - * pos : position, in number of bytes, from the beginning of the stream - */ - void OPJ_CALLCONV cio_seek(opj_cio_t *cio, int pos) { -+ if ((cio->start + pos) > cio->end) { -+ opj_event_msg(cio->cinfo, EVT_ERROR, "error: trying to seek past the end of the codestream (start = %d, change = %d, end = %d\n", cio->start, pos, cio->end); -+ cio->bp = cio->end; -+ return; -+ } - cio->bp = cio->start + pos; - } - -@@ -114,6 +119,7 @@ void OPJ_CALLCONV cio_seek(opj_cio_t *ci - * Number of bytes left before the end of the stream. - */ - int cio_numbytesleft(opj_cio_t *cio) { -+ assert((cio->end - cio->bp) >= 0); - return cio->end - cio->bp; - } - -@@ -191,6 +197,11 @@ unsigned int cio_read(opj_cio_t *cio, in - */ - void cio_skip(opj_cio_t *cio, int n) { - assert((cio->bp + n) >= cio->bp); -+ if (((cio->bp + n) < cio->start) || ((cio->bp + n) > cio->end)) { -+ opj_event_msg(cio->cinfo, EVT_ERROR, "error: trying to skip bytes past the end of the codestream (current = %d, change = %d, end = %d\n", cio->bp, n, cio->end); -+ cio->bp = cio->end; -+ return; -+ } - cio->bp += n; - } - -diff -up openjpeg-1.5.1/libopenjpeg/j2k.c.CVE-2013-1447 openjpeg-1.5.1/libopenjpeg/j2k.c ---- openjpeg-1.5.1/libopenjpeg/j2k.c.CVE-2013-1447 2014-01-07 15:12:20.525748677 -0600 -+++ openjpeg-1.5.1/libopenjpeg/j2k.c 2014-01-07 15:12:20.534748582 -0600 -@@ -476,7 +476,7 @@ static void j2k_read_siz(opj_j2k_t *j2k) - - image->comps = (opj_image_comp_t*) opj_calloc(image->numcomps, sizeof(opj_image_comp_t)); - for (i = 0; i < image->numcomps; i++) { -- int tmp, w, h; -+ int tmp/*, w, h*/; - tmp = cio_read(cio, 1); /* Ssiz_i */ - image->comps[i].prec = (tmp & 0x7f) + 1; - image->comps[i].sgnd = tmp >> 7; -@@ -511,6 +511,14 @@ static void j2k_read_siz(opj_j2k_t *j2k) - - } - #endif /* USE_JPWL */ -+ { -+ if (!(image->comps[i].dx * image->comps[i].dy)) { -+ opj_event_msg(j2k->cinfo, EVT_ERROR, -+ "JPWL: bad XRsiz_%d/YRsiz_%d (%d x %d)\n", -+ i, i, image->comps[i].dx, image->comps[i].dy); -+ return; -+ } -+ } - - /* prevent division by zero */ - if (!(image->comps[i].dx * image->comps[i].dy)) { -@@ -519,8 +527,8 @@ static void j2k_read_siz(opj_j2k_t *j2k) - } - - /* TODO: unused ? */ -- w = int_ceildiv(image->x1 - image->x0, image->comps[i].dx); -- h = int_ceildiv(image->y1 - image->y0, image->comps[i].dy); -+/* w = int_ceildiv(image->x1 - image->x0, image->comps[i].dx); -+ h = int_ceildiv(image->y1 - image->y0, image->comps[i].dy);*/ - - image->comps[i].resno_decoded = 0; /* number of resolution decoded */ - image->comps[i].factor = cp->reduce; /* reducing factor per component */ -@@ -2015,6 +2023,11 @@ opj_image_t* j2k_decode(opj_j2k_t *j2k, - } - if (j2k->state == J2K_STATE_NEOC) { - j2k_read_eoc(j2k); -+ /* Check one last time for errors during decoding before returning */ -+ if (j2k->state & J2K_STATE_ERR) { -+ opj_image_destroy(image); -+ return NULL; -+ } - } - - if (j2k->state != J2K_STATE_MT) { -diff -up openjpeg-1.5.1/libopenjpeg/jp2.c.CVE-2013-1447 openjpeg-1.5.1/libopenjpeg/jp2.c ---- openjpeg-1.5.1/libopenjpeg/jp2.c.CVE-2013-1447 2014-01-07 15:12:20.518748752 -0600 -+++ openjpeg-1.5.1/libopenjpeg/jp2.c 2014-01-07 15:12:20.535748571 -0600 -@@ -819,6 +819,17 @@ void jp2_write_jp2h(opj_jp2_t *jp2, opj_ - - jp2_write_ihdr(jp2, cio); - -+ { -+ int curpos = cio_tell(cio); -+ cio_seek(cio, box.init_pos); -+ cio_skip(cio, box.length); -+ if ((cio_tell(cio) - box.init_pos) != box.length) { -+ opj_event_msg(jp2->cinfo, EVT_ERROR, "Box size exceeds size of codestream (expected: %d, real: %d)\n", box.length, (cio_tell(cio) - box.init_pos)); -+ return OPJ_FALSE; -+ } -+ cio_seek(cio, curpos); -+ } -+ - if (jp2->bpc == 255) { - jp2_write_bpcc(jp2, cio); - } -@@ -871,6 +882,13 @@ static opj_bool jp2_read_ftyp(opj_jp2_t - jp2->numcl = (box.length - 16) / 4; - jp2->cl = (unsigned int *) opj_malloc(jp2->numcl * sizeof(unsigned int)); - -+ if (cio_numbytesleft(cio) < ((int)jp2->numcl * 4)) { -+ opj_event_msg(cinfo, EVT_ERROR, "Not enough bytes in FTYP Box " -+ "(expected %d, but only %d left)\n", -+ ((int)jp2->numcl * 4), cio_numbytesleft(cio)); -+ return OPJ_FALSE; -+ } -+ - for (i = 0; i < (int)jp2->numcl; i++) { - jp2->cl[i] = cio_read(cio, 4); /* CLi */ - } -diff -up openjpeg-1.5.1/libopenjpeg/t2.c.CVE-2013-1447 openjpeg-1.5.1/libopenjpeg/t2.c ---- openjpeg-1.5.1/libopenjpeg/t2.c.CVE-2013-1447 2012-09-13 02:58:39.000000000 -0500 -+++ openjpeg-1.5.1/libopenjpeg/t2.c 2014-01-07 15:12:20.535748571 -0600 -@@ -340,6 +340,11 @@ static int t2_decode_packet(opj_t2_t* t2 - int precno = pi->precno; /* precinct value */ - int layno = pi->layno; /* quality layer value */ - -+ if (!&(tile->comps[compno])) { -+ opj_event_msg(t2->cinfo, EVT_ERROR, "Trying to decode tile with no components!\n"); -+ return -999; -+ } -+ - opj_tcd_resolution_t* res = &tile->comps[compno].resolutions[resno]; - - unsigned char *hd = NULL; -diff -up openjpeg-1.5.1/libopenjpeg/tcd.c.CVE-2013-1447 openjpeg-1.5.1/libopenjpeg/tcd.c ---- openjpeg-1.5.1/libopenjpeg/tcd.c.CVE-2013-1447 2014-01-07 15:12:20.526748667 -0600 -+++ openjpeg-1.5.1/libopenjpeg/tcd.c 2014-01-07 15:12:20.536748561 -0600 -@@ -667,8 +667,8 @@ void tcd_malloc_decode(opj_tcd_t *tcd, o - y1 = j == 0 ? tilec->y1 : int_max(y1, (unsigned int) tilec->y1); - } - -- w = int_ceildivpow2(x1 - x0, image->comps[i].factor); -- h = int_ceildivpow2(y1 - y0, image->comps[i].factor); -+ w = int_ceildivpow2((long)(x1) - (long)(x0), image->comps[i].factor); -+ h = int_ceildivpow2((long)(y1) - (long)(y0), image->comps[i].factor); - - image->comps[i].w = w; - image->comps[i].h = h; -@@ -1381,7 +1381,15 @@ opj_bool tcd_decode_tile(opj_tcd_t *tcd, - if (l == -999) { - eof = 1; - opj_event_msg(tcd->cinfo, EVT_ERROR, "tcd_decode: incomplete bistream\n"); -+ return OPJ_FALSE; - } -+ -+ /* The code below assumes that numcomps > 0 */ -+ if (tile->numcomps <= 0) { -+ opj_event_msg(tcd->cinfo, EVT_ERROR, "tcd_decode: tile has a zero or negative numcomps\n"); -+ return OPJ_TRUE; -+ } -+ - - /*------------------TIER1-----------------*/ - Deleted: openjpeg-1.5.1-CVE-2013-6045.patch =================================================================== --- openjpeg-1.5.1-CVE-2013-6045.patch 2014-04-28 05:52:08 UTC (rev 211843) +++ openjpeg-1.5.1-CVE-2013-6045.patch 2014-04-28 07:45:26 UTC (rev 211844) @@ -1,60 +0,0 @@ -diff -up openjpeg-1.5.1/libopenjpeg/j2k.c.CVE-2013-6045 openjpeg-1.5.1/libopenjpeg/j2k.c ---- openjpeg-1.5.1/libopenjpeg/j2k.c.CVE-2013-6045 2014-01-07 15:11:30.622278207 -0600 -+++ openjpeg-1.5.1/libopenjpeg/j2k.c 2014-01-07 15:11:30.626278165 -0600 -@@ -1076,6 +1076,17 @@ static void j2k_read_poc(opj_j2k_t *j2k) - tcp->POC = 1; - len = cio_read(cio, 2); /* Lpoc */ - numpchgs = (len - 2) / (5 + 2 * (numcomps <= 256 ? 1 : 2)); -+ -+ { -+ /* old_poc < 0 "just in case" */ -+ int maxpocs = (sizeof(tcp->pocs)/sizeof(tcp->pocs[0])); -+ if ((old_poc < 0) || ((numpchgs + old_poc) >= maxpocs)) { -+ opj_event_msg(j2k->cinfo, EVT_ERROR, -+ "JPWL: bad number of progression order changes (%d out of a maximum of %d)\n", -+ (numpchgs + old_poc), maxpocs); -+ return; -+ } -+ } - - for (i = old_poc; i < numpchgs + old_poc; i++) { - opj_poc_t *poc; -@@ -1622,6 +1633,14 @@ static void j2k_read_rgn(opj_j2k_t *j2k) - return; - } - -+ /* totlen is negative or larger than the bytes left!!! */ -+ if (compno >= numcomps) { -+ opj_event_msg(j2k->cinfo, EVT_ERROR, -+ "JPWL: bad component number in RGN (%d when there are only %d)\n", -+ compno, numcomps); -+ return; -+ } -+ - tcp->tccps[compno].roishift = cio_read(cio, 1); /* SPrgn */ - } - -diff -up openjpeg-1.5.1/libopenjpeg/tcd.c.CVE-2013-6045 openjpeg-1.5.1/libopenjpeg/tcd.c ---- openjpeg-1.5.1/libopenjpeg/tcd.c.CVE-2013-6045 2012-09-13 02:58:39.000000000 -0500 -+++ openjpeg-1.5.1/libopenjpeg/tcd.c 2014-01-07 15:11:30.626278165 -0600 -@@ -1394,10 +1394,19 @@ opj_bool tcd_decode_tile(opj_tcd_t *tcd, - return OPJ_FALSE; - } - -+ int comp0size = (tile->comps[0].x1 - tile->comps[0].x0) * (tile->comps[0].y1 - tile->comps[0].y0); - for (compno = 0; compno < tile->numcomps; ++compno) { - opj_tcd_tilecomp_t* tilec = &tile->comps[compno]; -+ int compcsize = ((tilec->x1 - tilec->x0) * (tilec->y1 - tilec->y0)); -+ /* Later-on it is assumed that all components are of at least comp0size blocks */ -+ if (compcsize < comp0size) -+ { -+ opj_event_msg(tcd->cinfo, EVT_ERROR, "Error decoding tile. Component %d contains only %d blocks " -+ "while component 0 has %d blocks\n", compno, compcsize, comp0size); -+ return OPJ_FALSE; -+ } - /* The +3 is headroom required by the vectorized DWT */ -- tilec->data = (int*) opj_aligned_malloc((((tilec->x1 - tilec->x0) * (tilec->y1 - tilec->y0))+3) * sizeof(int)); -+ tilec->data = (int*) opj_aligned_malloc((comp0size+3) * sizeof(int)); - if (tilec->data == NULL) - { - opj_event_msg(tcd->cinfo, EVT_ERROR, "Out of memory\n"); Deleted: openjpeg-1.5.1-CVE-2013-6052.patch =================================================================== --- openjpeg-1.5.1-CVE-2013-6052.patch 2014-04-28 05:52:08 UTC (rev 211843) +++ openjpeg-1.5.1-CVE-2013-6052.patch 2014-04-28 07:45:26 UTC (rev 211844) @@ -1,53 +0,0 @@ -diff -up openjpeg-1.5.1/libopenjpeg/cio.c.CVE-2013-6052 openjpeg-1.5.1/libopenjpeg/cio.c ---- openjpeg-1.5.1/libopenjpeg/cio.c.CVE-2013-6052 2012-09-13 02:58:39.000000000 -0500 -+++ openjpeg-1.5.1/libopenjpeg/cio.c 2014-01-07 14:43:14.213256439 -0600 -@@ -30,6 +30,7 @@ - */ - - #include "opj_includes.h" -+#include <assert.h> - - /* ----------------------------------------------------------------------- */ - -@@ -139,6 +140,11 @@ opj_bool cio_byteout(opj_cio_t *cio, uns - * Read a byte. - */ - unsigned char cio_bytein(opj_cio_t *cio) { -+ if (cio->bp < cio->start) { -+ opj_event_msg(cio->cinfo, EVT_ERROR, "read error: trying to read from before the start of the codestream (start = %d, current = %d, end = %d\n", cio->start, cio->bp, cio->end); -+ abort(); -+ return 0; -+ } - if (cio->bp >= cio->end) { - opj_event_msg(cio->cinfo, EVT_ERROR, "read error: passed the end of the codestream (start = %d, current = %d, end = %d\n", cio->start, cio->bp, cio->end); - return 0; -@@ -173,7 +179,7 @@ unsigned int cio_read(opj_cio_t *cio, in - unsigned int v; - v = 0; - for (i = n - 1; i >= 0; i--) { -- v += cio_bytein(cio) << (i << 3); -+ v += (unsigned int)cio_bytein(cio) << (i << 3); - } - return v; - } -@@ -184,6 +190,7 @@ unsigned int cio_read(opj_cio_t *cio, in - * n : number of bytes to skip - */ - void cio_skip(opj_cio_t *cio, int n) { -+ assert((cio->bp + n) >= cio->bp); - cio->bp += n; - } - -diff -up openjpeg-1.5.1/libopenjpeg/jp2.c.CVE-2013-6052 openjpeg-1.5.1/libopenjpeg/jp2.c ---- openjpeg-1.5.1/libopenjpeg/jp2.c.CVE-2013-6052 2014-01-07 14:43:14.201256566 -0600 -+++ openjpeg-1.5.1/libopenjpeg/jp2.c 2014-01-07 14:43:14.214256428 -0600 -@@ -172,6 +172,9 @@ static opj_bool jp2_read_boxhdr(opj_comm - } - else if (box->length == 0) { - box->length = cio_numbytesleft(cio) + 8; -+ } else if (box->length < 0) { -+ opj_event_msg(cinfo, EVT_ERROR, "Invalid, negative, size of box\n"); -+ return OPJ_FALSE; - } - if (box->length < 0) { - opj_event_msg(cinfo, EVT_ERROR, "Integer overflow in box->length\n"); Deleted: openjpeg-1.5.1-CVE-2013-6053.patch =================================================================== --- openjpeg-1.5.1-CVE-2013-6053.patch 2014-04-28 05:52:08 UTC (rev 211843) +++ openjpeg-1.5.1-CVE-2013-6053.patch 2014-04-28 07:45:26 UTC (rev 211844) @@ -1,12 +0,0 @@ -diff -up openjpeg-1.5.1/libopenjpeg/j2k.c.CVE-2013-6053 openjpeg-1.5.1/libopenjpeg/j2k.c ---- openjpeg-1.5.1/libopenjpeg/j2k.c.CVE-2013-6053 2014-01-07 14:44:40.086344624 -0600 -+++ openjpeg-1.5.1/libopenjpeg/j2k.c 2014-01-07 14:44:40.092344561 -0600 -@@ -422,7 +422,7 @@ static void j2k_read_siz(opj_j2k_t *j2k) - - if ((image->x0<0)||(image->x1<0)||(image->y0<0)||(image->y1<0)) { - opj_event_msg(j2k->cinfo, EVT_ERROR, -- "%s: invalid image size (x0:%d, x1:%d, y0:%d, y1:%d)\n", -+ "invalid image size (x0:%d, x1:%d, y0:%d, y1:%d)\n", - image->x0,image->x1,image->y0,image->y1); - return; - } Deleted: openjpeg-1.5.1-CVE-2013-6887.patch =================================================================== --- openjpeg-1.5.1-CVE-2013-6887.patch 2014-04-28 05:52:08 UTC (rev 211843) +++ openjpeg-1.5.1-CVE-2013-6887.patch 2014-04-28 07:45:26 UTC (rev 211844) @@ -1,30 +0,0 @@ -diff -up openjpeg-1.5.1/libopenjpeg/j2k.c.CVE-2013-6887 openjpeg-1.5.1/libopenjpeg/j2k.c ---- openjpeg-1.5.1/libopenjpeg/j2k.c.CVE-2013-6887 2014-01-07 15:13:20.297114457 -0600 -+++ openjpeg-1.5.1/libopenjpeg/j2k.c 2014-01-07 15:13:20.302114404 -0600 -@@ -1697,8 +1697,11 @@ static void j2k_read_eoc(opj_j2k_t *j2k) - else { - for (i = 0; i < j2k->cp->tileno_size; i++) { - tileno = j2k->cp->tileno[i]; -- opj_free(j2k->tile_data[tileno]); -- j2k->tile_data[tileno] = NULL; -+ /* not sure if this can actually happen */ -+ if (tileno != -1) { -+ opj_free(j2k->tile_data[tileno]); -+ j2k->tile_data[tileno] = NULL; -+ } - } - } - if (j2k->state & J2K_STATE_ERR) -@@ -1858,8 +1861,10 @@ void j2k_destroy_decompress(opj_j2k_t *j - if(j2k->cp != NULL) { - for (i = 0; i < j2k->cp->tileno_size; i++) { - int tileno = j2k->cp->tileno[i]; -- opj_free(j2k->tile_data[tileno]); -- j2k->tile_data[tileno] = NULL; -+ if (tileno != -1) { -+ opj_free(j2k->tile_data[tileno]); -+ j2k->tile_data[tileno] = NULL; -+ } - } - } - Deleted: openjpeg-1.5.1-doxygen_timestamp.patch =================================================================== --- openjpeg-1.5.1-doxygen_timestamp.patch 2014-04-28 05:52:08 UTC (rev 211843) +++ openjpeg-1.5.1-doxygen_timestamp.patch 2014-04-28 07:45:26 UTC (rev 211844) @@ -1,24 +0,0 @@ -diff -up openjpeg-1.5.1/doc/Doxyfile.dox.cmake.in.doxygen_timestamp openjpeg-1.5.1/doc/Doxyfile.dox.cmake.in ---- openjpeg-1.5.1/doc/Doxyfile.dox.cmake.in.doxygen_timestamp 2012-09-13 02:58:39.000000000 -0500 -+++ openjpeg-1.5.1/doc/Doxyfile.dox.cmake.in 2012-12-06 15:23:35.079838524 -0600 -@@ -148,7 +148,7 @@ HTML_STYLESHEET = - HTML_COLORSTYLE_HUE = 220 - HTML_COLORSTYLE_SAT = 100 - HTML_COLORSTYLE_GAMMA = 80 --HTML_TIMESTAMP = YES -+HTML_TIMESTAMP = NO - HTML_ALIGN_MEMBERS = YES - HTML_DYNAMIC_SECTIONS = NO - GENERATE_DOCSET = NO -diff -up openjpeg-1.5.1/doc/Doxyfile.dox.doxygen_timestamp openjpeg-1.5.1/doc/Doxyfile.dox ---- openjpeg-1.5.1/doc/Doxyfile.dox.doxygen_timestamp 2012-09-13 02:58:39.000000000 -0500 -+++ openjpeg-1.5.1/doc/Doxyfile.dox 2012-12-06 15:23:37.177813275 -0600 -@@ -147,7 +147,7 @@ HTML_STYLESHEET = - HTML_COLORSTYLE_HUE = 220 - HTML_COLORSTYLE_SAT = 100 - HTML_COLORSTYLE_GAMMA = 80 --HTML_TIMESTAMP = YES -+HTML_TIMESTAMP = NO - HTML_ALIGN_MEMBERS = YES - HTML_DYNAMIC_SECTIONS = NO - GENERATE_DOCSET = NO
