Git-Url: 
http://git.frugalware.org/gitweb/gitweb.cgi?p=frugalware-1.9.git;a=commitdiff;h=2b614a224ff2384bb58e525728cefa798ec19394

commit 2b614a224ff2384bb58e525728cefa798ec19394
Author: kikadf <[email protected]>
Date:   Fri Oct 17 09:49:26 2014 +0200

openjpeg-1.5.1-3arcturus1-x86_64

* Fix CVE-2013-1447, CVE-2013-6045, CVE-2013-6052, CVE-2013-6053,
* CVE-2013-6887

diff --git a/source/lib/openjpeg/CVE-2013-1447.patch 
b/source/lib/openjpeg/CVE-2013-1447.patch
new file mode 100644
index 0000000..091e382
--- /dev/null
+++ b/source/lib/openjpeg/CVE-2013-1447.patch
@@ -0,0 +1,161 @@
+diff -Naur openjpeg-1.5.1.old/libopenjpeg/cio.c 
openjpeg-1.5.1/libopenjpeg/cio.c
+--- openjpeg-1.5.1.old/libopenjpeg/cio.c       2012-09-13 09:58:39.000000000 
+0200
++++ openjpeg-1.5.1/libopenjpeg/cio.c   2014-10-14 09:40:28.012179400 +0200
+@@ -106,6 +106,11 @@
+  * pos : position, in number of bytes, from the beginning of the stream
+  */
+ void OPJ_CALLCONV cio_seek(opj_cio_t *cio, int pos) {
++      if ((cio->start + pos) > cio->end) {
++              opj_event_msg(cio->cinfo, EVT_ERROR, "error: trying to seek 
past the end of the codestream (start = %d, change = %d, end = %d\n", 
cio->start, pos, cio->end);
++              cio->bp = cio->end;
++              return;
++      }
+       cio->bp = cio->start + pos;
+ }
+
+@@ -113,6 +118,7 @@
+  * Number of bytes left before the end of the stream.
+  */
+ int cio_numbytesleft(opj_cio_t *cio) {
++      assert((cio->end - cio->bp) >= 0);
+       return cio->end - cio->bp;
+ }
+
+@@ -184,6 +190,12 @@
+  * n : number of bytes to skip
+  */
+ void cio_skip(opj_cio_t *cio, int n) {
++      assert((cio->bp + n) >= cio->bp);
++      if (((cio->bp + n) < cio->start) || ((cio->bp + n) > cio->end)) {
++              opj_event_msg(cio->cinfo, EVT_ERROR, "error: trying to skip 
bytes past the end of the codestream (current = %d, change = %d, end = %d\n", 
cio->bp, n, cio->end);
++              cio->bp = cio->end;
++              return;
++      }
+       cio->bp += n;
+ }
+
+diff -Naur openjpeg-1.5.1.old/libopenjpeg/j2k.c 
openjpeg-1.5.1/libopenjpeg/j2k.c
+--- openjpeg-1.5.1.old/libopenjpeg/j2k.c       2012-09-13 09:58:39.000000000 
+0200
++++ openjpeg-1.5.1/libopenjpeg/j2k.c   2014-10-14 09:38:25.791188800 +0200
+@@ -470,7 +470,7 @@
+
+       image->comps = (opj_image_comp_t*) opj_calloc(image->numcomps, 
sizeof(opj_image_comp_t));
+       for (i = 0; i < image->numcomps; i++) {
+-              int tmp, w, h;
++              int tmp/*, w, h*/;
+               tmp = cio_read(cio, 1);         /* Ssiz_i */
+               image->comps[i].prec = (tmp & 0x7f) + 1;
+               image->comps[i].sgnd = tmp >> 7;
+@@ -505,10 +505,18 @@
+
+               }
+ #endif /* USE_JPWL */
++              {
++                      if (!(image->comps[i].dx * image->comps[i].dy)) {
++                              opj_event_msg(j2k->cinfo, EVT_ERROR,
++                                      "JPWL: bad XRsiz_%d/YRsiz_%d (%d x 
%d)\n",
++                                      i, i, image->comps[i].dx, 
image->comps[i].dy);
++                                      return;
++                      }
++              }
+
+               /* TODO: unused ? */
+-              w = int_ceildiv(image->x1 - image->x0, image->comps[i].dx);
+-              h = int_ceildiv(image->y1 - image->y0, image->comps[i].dy);
++/*            w = int_ceildiv(image->x1 - image->x0, image->comps[i].dx);
++              h = int_ceildiv(image->y1 - image->y0, image->comps[i].dy);*/
+
+               image->comps[i].resno_decoded = 0;      /* number of resolution 
decoded */
+               image->comps[i].factor = cp->reduce; /* reducing factor per 
component */
+@@ -1964,6 +1972,11 @@
+       }
+       if (j2k->state == J2K_STATE_NEOC) {
+               j2k_read_eoc(j2k);
++              /* Check one last time for errors during decoding before 
returning */
++              if (j2k->state & J2K_STATE_ERR) {
++                      opj_image_destroy(image);
++                      return NULL;
++              }
+       }
+
+       if (j2k->state != J2K_STATE_MT) {
+diff -Naur openjpeg-1.5.1.old/libopenjpeg/jp2.c 
openjpeg-1.5.1/libopenjpeg/jp2.c
+--- openjpeg-1.5.1.old/libopenjpeg/jp2.c       2012-09-13 09:58:39.000000000 
+0200
++++ openjpeg-1.5.1/libopenjpeg/jp2.c   2014-10-14 09:38:25.794188900 +0200
+@@ -806,6 +806,17 @@
+
+       jp2_write_ihdr(jp2, cio);
+
++      {
++              int curpos = cio_tell(cio);
++              cio_seek(cio, box.init_pos);
++              cio_skip(cio, box.length);
++              if ((cio_tell(cio) - box.init_pos) != box.length) {
++                      opj_event_msg(jp2->cinfo, EVT_ERROR, "Box size exceeds 
size of codestream (expected: %d, real: %d)\n", box.length, (cio_tell(cio) - 
box.init_pos));
++                      return OPJ_FALSE;
++              }
++              cio_seek(cio, curpos);
++      }
++
+       if (jp2->bpc == 255) {
+               jp2_write_bpcc(jp2, cio);
+       }
+@@ -858,6 +869,13 @@
+       jp2->numcl = (box.length - 16) / 4;
+       jp2->cl = (unsigned int *) opj_malloc(jp2->numcl * sizeof(unsigned 
int));
+
++      if (cio_numbytesleft(cio) < ((int)jp2->numcl * 4)) {
++              opj_event_msg(cinfo, EVT_ERROR, "Not enough bytes in FTYP Box "
++                              "(expected %d, but only %d left)\n",
++                              ((int)jp2->numcl * 4), cio_numbytesleft(cio));
++              return OPJ_FALSE;
++      }
++
+       for (i = 0; i < (int)jp2->numcl; i++) {
+               jp2->cl[i] = cio_read(cio, 4);  /* CLi */
+       }
+diff -Naur openjpeg-1.5.1.old/libopenjpeg/t2.c openjpeg-1.5.1/libopenjpeg/t2.c
+--- openjpeg-1.5.1.old/libopenjpeg/t2.c        2012-09-13 09:58:39.000000000 
+0200
++++ openjpeg-1.5.1/libopenjpeg/t2.c    2014-10-14 09:38:25.798189200 +0200
+@@ -340,6 +340,11 @@
+       int precno = pi->precno;        /* precinct value */
+       int layno  = pi->layno;         /* quality layer value */
+
++      if (!&(tile->comps[compno])) {
++              opj_event_msg(t2->cinfo, EVT_ERROR, "Trying to decode tile with 
no components!\n");
++              return -999;
++      }
++
+       opj_tcd_resolution_t* res = &tile->comps[compno].resolutions[resno];
+
+       unsigned char *hd = NULL;
+diff -Naur openjpeg-1.5.1.old/libopenjpeg/tcd.c 
openjpeg-1.5.1/libopenjpeg/tcd.c
+--- openjpeg-1.5.1.old/libopenjpeg/tcd.c       2012-09-13 09:58:39.000000000 
+0200
++++ openjpeg-1.5.1/libopenjpeg/tcd.c   2014-10-14 09:38:25.801189300 +0200
+@@ -667,8 +667,8 @@
+                       y1 = j == 0 ? tilec->y1 : int_max(y1,   (unsigned int) 
tilec->y1);
+               }
+
+-              w = int_ceildivpow2(x1 - x0, image->comps[i].factor);
+-              h = int_ceildivpow2(y1 - y0, image->comps[i].factor);
++              w = int_ceildivpow2((long)(x1) - (long)(x0), 
image->comps[i].factor);
++              h = int_ceildivpow2((long)(y1) - (long)(y0), 
image->comps[i].factor);
+
+               image->comps[i].w = w;
+               image->comps[i].h = h;
+@@ -1381,7 +1381,15 @@
+       if (l == -999) {
+               eof = 1;
+               opj_event_msg(tcd->cinfo, EVT_ERROR, "tcd_decode: incomplete 
bistream\n");
++              return OPJ_FALSE;
+       }
++
++      /* The code below assumes that numcomps > 0 */
++      if (tile->numcomps <= 0) {
++              opj_event_msg(tcd->cinfo, EVT_ERROR, "tcd_decode: tile has a 
zero or negative numcomps\n");
++              return OPJ_TRUE;
++      }
++
+
+       /*------------------TIER1-----------------*/
+
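Review bot: The new bounds checks in cio_seek and cio_skip form the out-of-range address (`cio->start + pos`, `cio->bp + n`) before comparing it, which is undefined if these fields are pointers, as the arithmetic suggests, so a compiler may drop the test; cio_seek also lets a negative `pos` through. Comparing the offset against the remaining distance avoids this, as in the excerpt below, and the `assert((cio->bp + n) >= cio->bp)` in cio_skip should go with it, since it has the same problem and disappears under NDEBUG. In t2.c, `if (!&(tile->comps[compno]))` takes the address of an array element and is effectively never true; testing `tile->comps == NULL` together with a range check on `compno` would be the check the message describes. In tcd.c the `(long)` casts do not widen anything on targets where `long` is 32 bits (this package also builds for i686), and whether `int_ceildivpow2` accepts a wider type is not visible here.

```c
void OPJ_CALLCONV cio_seek(opj_cio_t *cio, int pos) {
	/* compare offsets; never build a pointer outside [start, end] */
	if (pos < 0 || pos > cio->end - cio->start) {
		/* … unchanged: opj_event_msg, clamp bp to end, return … */
	}
	/* … unchanged: cio->bp = cio->start + pos … */
}

void cio_skip(opj_cio_t *cio, int n) {
	/* n may be negative; bound it by the distance to either edge */
	if (n < cio->start - cio->bp || n > cio->end - cio->bp) {
		/* … unchanged: opj_event_msg, clamp bp to end, return … */
	}
	/* … unchanged: cio->bp += n … */
}
```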
diff --git a/source/lib/openjpeg/CVE-2013-6045.patch 
b/source/lib/openjpeg/CVE-2013-6045.patch
new file mode 100644
index 0000000..fb970b7
--- /dev/null
+++ b/source/lib/openjpeg/CVE-2013-6045.patch
@@ -0,0 +1,17 @@
+diff -Naur openjpeg-1.5.1.orig/libopenjpeg/tcd.c 
openjpeg-1.5.1/libopenjpeg/tcd.c
+--- openjpeg-1.5.1.orig/libopenjpeg/tcd.c      2012-09-13 09:58:39.000000000 
+0200
++++ openjpeg-1.5.1/libopenjpeg/tcd.c   2014-03-27 11:58:08.000000000 +0100
+@@ -1447,6 +1456,13 @@
+               int n = (tile->comps[0].x1 - tile->comps[0].x0) * 
(tile->comps[0].y1 - tile->comps[0].y0);
+
+               if (tile->numcomps >= 3 ){
++      /* testcase 1336.pdf.asan.47.376 */
++      if ((tile->comps[0].x1 - tile->comps[0].x0) * (tile->comps[0].y1 - 
tile->comps[0].y0) < n ||
++        (  tile->comps[1].x1 - tile->comps[1].x0) * (tile->comps[1].y1 - 
tile->comps[1].y0) < n ||
++        (  tile->comps[2].x1 - tile->comps[2].x0) * (tile->comps[2].y1 - 
tile->comps[2].y0) < n) {
++        opj_event_msg(tcd->cinfo, EVT_ERROR, "Tiles don't all have the same 
dimension. Skip the MCT step.\n");
++        return OPJ_FALSE;
++      }
+                       if (tcd->tcp->tccps[0].qmfbid == 1) {
+                               mct_decode(
+                                               tile->comps[0].data,
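Review bot: The added dimension check multiplies width by height in `int` for each component, so with large tile coordinates the product can overflow before it is compared with `n`; computing the areas in a 64-bit type, or comparing widths and heights separately, would keep the test meaningful. The first clause recomputes exactly the expression that initialised `n` two lines above, so it can never be true and could be dropped. The test only rejects components smaller than component 0, while the message says the tiles do not all have the same dimension; `!=` would match the message if larger components are also unexpected here. The message also says the MCT step is skipped, whereas the code returns `OPJ_FALSE` from the whole function, whose start and end are outside this hunk.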
diff --git a/source/lib/openjpeg/CVE-2013-6052.patch 
b/source/lib/openjpeg/CVE-2013-6052.patch
new file mode 100644
index 0000000..0e08300
--- /dev/null
+++ b/source/lib/openjpeg/CVE-2013-6052.patch
@@ -0,0 +1,46 @@
+diff -up openjpeg-1.5.1/libopenjpeg/cio.c.CVE-2013-6052 
openjpeg-1.5.1/libopenjpeg/cio.c
+--- openjpeg-1.5.1/libopenjpeg/cio.c.CVE-2013-6052     2012-09-13 
02:58:39.000000000 -0500
++++ openjpeg-1.5.1/libopenjpeg/cio.c   2014-01-07 14:43:14.213256439 -0600
+@@ -30,6 +30,7 @@
+  */
+
+ #include "opj_includes.h"
++#include <assert.h>
+
+ /* ----------------------------------------------------------------------- */
+
+@@ -139,6 +140,11 @@ opj_bool cio_byteout(opj_cio_t *cio, uns
+  * Read a byte.
+  */
+ unsigned char cio_bytein(opj_cio_t *cio) {
++      if (cio->bp < cio->start) {
++              opj_event_msg(cio->cinfo, EVT_ERROR, "read error: trying to 
read from before the start of the codestream (start = %d, current = %d, end = 
%d\n", cio->start, cio->bp, cio->end);
++              abort();
++              return 0;
++      }
+       if (cio->bp >= cio->end) {
+               opj_event_msg(cio->cinfo, EVT_ERROR, "read error: passed the 
end of the codestream (start = %d, current = %d, end = %d\n", cio->start, 
cio->bp, cio->end);
+               return 0;
+@@ -173,7 +179,7 @@ unsigned int cio_read(opj_cio_t *cio, in
+       unsigned int v;
+       v = 0;
+       for (i = n - 1; i >= 0; i--) {
+-              v += cio_bytein(cio) << (i << 3);
++              v += (unsigned int)cio_bytein(cio) << (i << 3);
+       }
+       return v;
+ }
+
+diff -up openjpeg-1.5.1/libopenjpeg/jp2.c.CVE-2013-6052 
openjpeg-1.5.1/libopenjpeg/jp2.c
+--- openjpeg-1.5.1/libopenjpeg/jp2.c.CVE-2013-6052     2014-01-07 
14:43:14.201256566 -0600
++++ openjpeg-1.5.1/libopenjpeg/jp2.c   2014-01-07 14:43:14.214256428 -0600
+@@ -172,6 +172,9 @@ static opj_bool jp2_read_boxhdr(opj_comm
+       }
+       else if (box->length == 0) {
+               box->length = cio_numbytesleft(cio) + 8;
++      } else if (box->length < 0) {
++              opj_event_msg(cinfo, EVT_ERROR, "Invalid, negative, size of 
box\n");
++              return OPJ_FALSE;
+       }
+       if (box->length < 0) {
+               opj_event_msg(cinfo, EVT_ERROR, "Integer overflow in 
box->length\n");
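Review bot: The new branch in cio_bytein calls `abort()` when `cio->bp` is before `cio->start`, so a malformed file terminates the host process from inside the library instead of surfacing a decode error; the `return 0;` after it is unreachable. Dropping the `abort();` line and returning 0 after the event message, as the existing end-of-stream branch just below does, keeps the failure recoverable for the caller. Both messages pass `cio->start`, `cio->bp` and `cio->end` to `%d`; if those are pointers, printing offsets such as `(int)(cio->bp - cio->start)` would match the format. In cio_read the cast fixes the promotion to signed `int`, but `i << 3` still reaches 32 or more when `n > 4`, so a guard or a comment stating that callers pass `n <= 4` would help; that function starts outside the hunk.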
diff --git a/source/lib/openjpeg/CVE-2013-6053.patch 
b/source/lib/openjpeg/CVE-2013-6053.patch
new file mode 100644
index 0000000..292084a
--- /dev/null
+++ b/source/lib/openjpeg/CVE-2013-6053.patch
@@ -0,0 +1,12 @@
+diff -up openjpeg-1.5.1/libopenjpeg/j2k.c.CVE-2013-6053 
openjpeg-1.5.1/libopenjpeg/j2k.c
+--- openjpeg-1.5.1/libopenjpeg/j2k.c.CVE-2013-6053     2014-01-07 
14:44:40.086344624 -0600
++++ openjpeg-1.5.1/libopenjpeg/j2k.c   2014-01-07 14:44:40.092344561 -0600
+@@ -422,7 +422,7 @@ static void j2k_read_siz(opj_j2k_t *j2k)
+
+       if ((image->x0<0)||(image->x1<0)||(image->y0<0)||(image->y1<0)) {
+               opj_event_msg(j2k->cinfo, EVT_ERROR,
+-                                                                      "%s: 
invalid image size (x0:%d, x1:%d, y0:%d, y1:%d)\n",
++                                                                      
"invalid image size (x0:%d, x1:%d, y0:%d, y1:%d)\n",
+                                                                       
image->x0,image->x1,image->y0,image->y1);
+               return;
+       }
diff --git a/source/lib/openjpeg/CVE-2013-6887.patch 
b/source/lib/openjpeg/CVE-2013-6887.patch
new file mode 100644
index 0000000..f9d68ef
--- /dev/null
+++ b/source/lib/openjpeg/CVE-2013-6887.patch
@@ -0,0 +1,30 @@
+diff -up openjpeg-1.5.1/libopenjpeg/j2k.c.CVE-2013-6887 
openjpeg-1.5.1/libopenjpeg/j2k.c
+--- openjpeg-1.5.1/libopenjpeg/j2k.c.CVE-2013-6887     2014-01-07 
15:13:20.297114457 -0600
++++ openjpeg-1.5.1/libopenjpeg/j2k.c   2014-01-07 15:13:20.302114404 -0600
+@@ -1697,8 +1697,11 @@ static void j2k_read_eoc(opj_j2k_t *j2k)
+       else {
+               for (i = 0; i < j2k->cp->tileno_size; i++) {
+                       tileno = j2k->cp->tileno[i];
+-                      opj_free(j2k->tile_data[tileno]);
+-                      j2k->tile_data[tileno] = NULL;
++                      /* not sure if this can actually happen */
++                      if (tileno != -1) {
++                              opj_free(j2k->tile_data[tileno]);
++                              j2k->tile_data[tileno] = NULL;
++                      }
+               }
+       }
+       if (j2k->state & J2K_STATE_ERR)
+@@ -1858,8 +1861,10 @@ void j2k_destroy_decompress(opj_j2k_t *j
+         if(j2k->cp != NULL) {
+             for (i = 0; i < j2k->cp->tileno_size; i++) {
+                 int tileno = j2k->cp->tileno[i];
+-                opj_free(j2k->tile_data[tileno]);
+-                j2k->tile_data[tileno] = NULL;
++              if (tileno != -1) {
++                      opj_free(j2k->tile_data[tileno]);
++                      j2k->tile_data[tileno] = NULL;
++              }
+             }
+         }
+
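Review bot: The guard `tileno != -1` skips only the one sentinel value, so any other negative or too-large entry in `j2k->cp->tileno[]` still indexes `j2k->tile_data` out of range in both j2k_read_eoc and j2k_destroy_decompress. A range test such as `if (tileno >= 0 && tileno < ntiles)` would cover it, where `ntiles` stands for however many entries `tile_data` was allocated with (not visible in these hunks). The comment `/* not sure if this can actually happen */` would be more useful if it stated when an entry is -1, for example `/* -1 marks a slot whose tile was never read */`, if that is indeed the meaning. Both functions extend beyond the hunks shown.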
diff --git a/source/lib/openjpeg/FrugalBuild b/source/lib/openjpeg/FrugalBuild
index c1a7407..0bb4b61 100644
--- a/source/lib/openjpeg/FrugalBuild
+++ b/source/lib/openjpeg/FrugalBuild
@@ -3,7 +3,7 @@

pkgname=openjpeg
pkgver=1.5.1
-pkgrel=2
+pkgrel=3arcturus1
pkgdesc="An open-source JPEG 2000 codec written in C"
Finclude googlecode
url="http://www.openjpeg.org/";
@@ -13,7 +13,19 @@ archs=('i686' 'x86_64')
sha1sums=('1b0b74d1af4c297fd82806a9325bb544caf9bb8b')
Fconfopts+=" --docdir=/usr/share/doc/openjpeg"

+
+# FSA fix ***
+source=(${source[@]} CVE-2013-1447.patch CVE-2013-6045.patch 
CVE-2013-6052.patch
+                     CVE-2013-6053.patch CVE-2013-6887.patch)
+sha1sums=(${sha1sums[@]} 'f191a567ca5f0875a27d98367f055957a1a4b21a' \
+                         '13cb34f467b5d9aa1e635045f949adf4418cbae3' \
+                         '051e559418e37e5a7567720ce658f7eeb45de3ef' \
+                         '8d2da4b912d7e930abec31a956b678f62566884c' \
+                         '038e471597decf36de0c7c78915744054704c601')
+# ***********
+
build() {
Fbuild
Fln /usr/include/openjpeg-1.5/openjpeg.h /usr/include/openjpeg.h
}
+