Hello community, here is the log from the commit of package openjpeg2 for openSUSE:Factory checked in at 2017-09-15 21:08:28 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/openjpeg2 (Old) and /work/SRC/openSUSE:Factory/.openjpeg2.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "openjpeg2" Fri Sep 15 21:08:28 2017 rev:10 rq:525881 version:2.1.2 Changes: -------- --- /work/SRC/openSUSE:Factory/openjpeg2/openjpeg2.changes 2016-12-22 16:00:02.200755315 +0100 +++ /work/SRC/openSUSE:Factory/.openjpeg2.new/openjpeg2.changes 2017-09-15 21:08:30.251302032 +0200 @@ -1,0 +2,17 @@ +Tue Sep 12 20:49:00 CEST 2017 - [email protected] + +- Add security fixes: + openjpeg2-CVE-2016-10504.patch (CVE-2016-10504, bsc#1056351), + openjpeg2-CVE-2016-10505.patch (CVE-2016-10505, bsc#1056363), + openjpeg2-CVE-2016-10506.patch (CVE-2016-10506, bsc#1056396), + openjpeg2-CVE-2017-12982.patch (CVE-2017-12982, bsc#1054696), + openjpeg2-CVE-2017-14039.patch (CVE-2017-14039, CVE-2017-14164, + bsc#1056622, bsc#1057511), + openjpeg2-CVE-2017-14040.patch (CVE-2017-14040, bsc#1056621), + openjpeg2-CVE-2017-14041.patch (CVE-2017-14041, bsc#1056562), + openjpeg2-CVE-2017-14151.patch (CVE-2017-14151, bsc#1057336), + openjpeg2-CVE-2017-14152.patch (CVE-2017-14152, bsc#1057335), + most of which are critical, including heap and stack overwrites, + over-reads and division by zero errors. + +------------------------------------------------------------------- New: ---- openjpeg2-CVE-2016-10504.patch openjpeg2-CVE-2016-10505.patch openjpeg2-CVE-2016-10506.patch openjpeg2-CVE-2017-12982.patch openjpeg2-CVE-2017-14039.patch openjpeg2-CVE-2017-14040.patch openjpeg2-CVE-2017-14041.patch openjpeg2-CVE-2017-14151.patch openjpeg2-CVE-2017-14152.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ openjpeg2.spec ++++++ --- /var/tmp/diff_new_pack.uMpKAX/_old 2017-09-15 21:08:31.135177937 +0200 +++ /var/tmp/diff_new_pack.uMpKAX/_new 2017-09-15 21:08:31.139177375 +0200 
@@ -1,7 +1,7 @@ # # spec file for package openjpeg2 # -# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -39,6 +39,24 @@ # CVE-2016-5152 is # https://pdfium.googlesource.com/pdfium.git/+/d8cc503575463ff3d81b22dad292665f2c88911e/third_party/libopenjpeg20/0018-tcd_get_decoded_tile_size.patch Patch1: 0018-tcd_get_decoded_tile_size.patch +# PATCH-FIX-UPSTREAM openjpeg2-CVE-2016-10504.patch bsc#1056351 [email protected] +Patch2: openjpeg2-CVE-2016-10504.patch +# PATCH-FIX-UPSTREAM openjpeg2-CVE-2016-10505.patch bsc#1056363 [email protected] +Patch3: openjpeg2-CVE-2016-10505.patch +# PATCH-FIX-UPSTREAM openjpeg2-CVE-2016-10506.patch bsc#1056396 [email protected] +Patch4: openjpeg2-CVE-2016-10506.patch +# PATCH-FIX-UPSTREAM openjpeg2-CVE-2017-12982.patch bsc#1054696 [email protected] +Patch5: openjpeg2-CVE-2017-12982.patch +# PATCH-FIX-UPSTREAM openjpeg2-CVE-2017-14039.patch bsc#1056622 bsc#1057511 [email protected] +Patch6: openjpeg2-CVE-2017-14039.patch +# PATCH-FIX-UPSTREAM openjpeg2-CVE-2017-14040.patch bsc#1056621 [email protected] +Patch7: openjpeg2-CVE-2017-14040.patch +# PATCH-FIX-UPSTREAM openjpeg2-CVE-2017-14041.patch bsc#1056562 [email protected] +Patch8: openjpeg2-CVE-2017-14041.patch +# PATCH-FIX-UPSTREAM openjpeg2-CVE-2017-14151.patch bsc#1057336 [email protected] +Patch9: openjpeg2-CVE-2017-14151.patch +# PATCH-FIX-UPSTREAM openjpeg2-CVE-2017-14152.patch bsc#1057335 [email protected] +Patch10: openjpeg2-CVE-2017-14152.patch %description The OpenJPEG library is an open-source JPEG 2000 codec written in C language. 
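Review bot: The PATCH-FIX-UPSTREAM comment on the new Patch6 line records only bug numbers, while the changes entry in this same submission attributes both CVE-2017-14039 and CVE-2017-14164 to openjpeg2-CVE-2017-14039.patch, so the second CVE cannot be found from the spec. Suggested comment line: `# PATCH-FIX-UPSTREAM openjpeg2-CVE-2017-14039.patch CVE-2017-14039 CVE-2017-14164 bsc#1056622 bsc#1057511`. The other Patch2 to Patch10 comments likewise carry only bsc numbers; naming the CVE on each line keeps the spec self-describing for security tracking without having to open the changes file.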
@@ -81,6 +99,15 @@ [ -d "$d" ] && rm -rf "$d" done %patch1 -p1 +%patch2 -p1 +%patch3 -p1 +%patch4 -p1 +%patch5 -p1 +%patch6 -p1 +%patch7 -p1 +%patch8 -p1 +%patch9 -p1 +%patch10 -p1 %build %cmake \ ++++++ openjpeg2-CVE-2016-10504.patch ++++++ commit 0a915d5e6b49c8428a28d0b858b9e274851b4b1c Author: Hans Petter Jansson <[email protected]> Date: Fri Sep 8 00:22:18 2017 +0200 openjpeg2-CVE-2016-10504.patch diff --git a/src/lib/openjp2/tcd.c b/src/lib/openjp2/tcd.c index 985ac5f..2e116b2 100644 --- a/src/lib/openjp2/tcd.c +++ b/src/lib/openjp2/tcd.c @@ -1088,8 +1088,10 @@ static OPJ_BOOL opj_tcd_code_block_enc_allocate_data (opj_tcd_cblk_enc_t * p_cod { OPJ_UINT32 l_data_size; - l_data_size = (OPJ_UINT32)((p_code_block->x1 - p_code_block->x0) * (p_code_block->y1 - p_code_block->y0) * (OPJ_INT32)sizeof(OPJ_UINT32)); - + /* The +1 is needed for https://github.com/uclouvain/openjpeg/issues/835 */ + l_data_size = 1 + (OPJ_UINT32)((p_code_block->x1 - p_code_block->x0) * + (p_code_block->y1 - p_code_block->y0) * (OPJ_INT32)sizeof(OPJ_UINT32)); + if (l_data_size > p_code_block->data_size) { if (p_code_block->data) { opj_free(p_code_block->data - 1); /* again, why -1 */ ++++++ openjpeg2-CVE-2016-10505.patch ++++++ diff --git a/src/bin/common/color.c b/src/bin/common/color.c index 234c7bd..f42d982 100644 --- a/src/bin/common/color.c +++ b/src/bin/common/color.c @@ -108,6 +108,7 @@ static void sycc444_to_rgb(opj_image_t *img) d1 = g = (int*)malloc(sizeof(int) * max); d2 = b = (int*)malloc(sizeof(int) * max); + if(y == NULL || cb == NULL || cr == NULL) goto fails; if(r == NULL || g == NULL || b == NULL) goto fails; for(i = 0U; i < max; ++i) @@ -149,6 +150,7 @@ static void sycc422_to_rgb(opj_image_t *img) d1 = g = (int*)malloc(sizeof(int) * max); d2 = b = (int*)malloc(sizeof(int) * max); + if(y == NULL || cb == NULL || cr == NULL) goto fails; if(r == NULL || g == NULL || b == NULL) goto fails; /* if img->x0 is odd, then first column shall use Cb/Cr = 0 */ 
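Review bot: The new `1 +` is a fixed slack byte rather than a bound: `l_data_size` is derived from the code-block geometry alone, and nothing in the hunk hands the allocated length to whatever later writes into `p_code_block->data`, so a writer that overshoots by more than one byte still overruns. openjpeg2-CVE-2017-14151.patch in this same submission rewrites these exact lines to `2 +` and adds a TODO asking for a theoretical upper bound, which shows the margin is being tuned per report rather than derived. The comment here should say that much, together with the one-byte offset the context line `opj_free(p_code_block->data - 1); /* again, why -1 */` reveals, e.g. `/* data is offset by one from the allocation; the extra byte is an empirical margin for encoder overshoot, not a proven bound */`. The product `(x1 - x0) * (y1 - y0) * (OPJ_INT32)sizeof(OPJ_UINT32)` is signed 32-bit arithmetic, so unless the code-block dimensions are bounded before this point (not visible here) it can overflow before the cast. The function continues past the hunk.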
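Review bot: The added `if(y == NULL || cb == NULL || cr == NULL) goto fails;` sits after the three `malloc` calls for r, g and b, so a missing input plane allocates three buffers only to release them at `fails` (outside the hunk); moving the input check ahead of the allocations, where y, cb and cr are taken from the image (also outside the hunk), avoids the wasted work and puts the precondition at the top of the function. The same ordering applies to the sycc422_to_rgb hunk at @@ -149. An error message on this path would also match color_esycc_to_rgb in this patch, which prints `CAN NOT CONVERT` when it rejects an image, whereas here the rejection is silent; what `fails` returns to the caller is not visible in the hunk.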
@@ -918,6 +920,7 @@ void color_esycc_to_rgb(opj_image_t *image) (image->numcomps < 3) || (image->comps[0].dx != image->comps[1].dx) || (image->comps[0].dx != image->comps[2].dx) || (image->comps[0].dy != image->comps[1].dy) || (image->comps[0].dy != image->comps[2].dy) + || !image->comps [0].data || !image->comps [1].data || !image->comps [2].data ) { fprintf(stderr,"%s:%d:color_esycc_to_rgb\n\tCAN NOT CONVERT\n", __FILE__,__LINE__); return; diff --git a/src/bin/jp2/convertbmp.c b/src/bin/jp2/convertbmp.c index 4df8d58..5c52ef4 100644 --- a/src/bin/jp2/convertbmp.c +++ b/src/bin/jp2/convertbmp.c @@ -814,6 +814,14 @@ int imagetobmp(opj_image_t * image, const char *outfile) { fprintf(stderr, "Unsupported number of components: %d\n", image->comps[0].prec); return 1; } + + for (i = 0; i < image->numcomps; i++) { + if (image->comps[i].data == NULL) { + fprintf(stderr, "Missing image data\n"); + return 1; + } + } + if (image->numcomps >= 3 && image->comps[0].dx == image->comps[1].dx && image->comps[1].dx == image->comps[2].dx && image->comps[0].dy == image->comps[1].dy ++++++ openjpeg2-CVE-2016-10506.patch ++++++ diff --git a/src/lib/openjp2/pi.c b/src/lib/openjp2/pi.c index 41a2f04..ca9b62f 100644 --- a/src/lib/openjp2/pi.c +++ b/src/lib/openjp2/pi.c @@ -360,6 +360,16 @@ if (!pi->tp_on){ try1 = opj_int_ceildiv(pi->ty1, (OPJ_INT32)(comp->dy << levelno)); rpx = res->pdx + levelno; rpy = res->pdy + levelno; + + /* To avoid divisions by zero / undefined behaviour on shift */ + /* in below tests */ + /* Fixes reading id:000026,sig:08,src:002419,op:int32,pos:60,val:+32 */ + /* of https://github.com/uclouvain/openjpeg/issues/938 */ + if (rpx >= 31 || ((comp->dx << rpx) >> rpx) != comp->dx || + rpy >= 31 || ((comp->dy << rpy) >> rpy) != comp->dy) { + continue; + } + if (!((pi->y % (OPJ_INT32)(comp->dy << rpy) == 0) || ((pi->y == pi->ty0) && ((try0 << levelno) % (1 << rpy))))){ continue; } 
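Review bot: The new condition writes `image->comps [0].data` with a space before the subscript, unlike `image->comps[0].dx` on the lines directly above it; keep the file's spacing: `|| !image->comps[0].data || !image->comps[1].data || !image->comps[2].data`. The surrounding condition and the function body continue outside the hunk.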
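Review bot: The new loop `for (i = 0; i < image->numcomps; i++)` reuses an index declared outside the hunk; if `i` is a signed `int`, the comparison with the unsigned `numcomps` field draws a -Wsign-compare warning, so declare the index as `OPJ_UINT32 i` or cast it. The check also runs after the preceding `Unsupported number of components` test, which already dereferences `image->comps[0]`; ordering the NULL-data check first keeps the precondition checks together and costs nothing. That pre-existing message prints `image->comps[0].prec` under a "number of components" label, which is misleading and could be corrected while here: `fprintf(stderr, "Unsupported precision: %d\n", image->comps[0].prec);`. imagetobmp continues past the hunk.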
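Review bot: The round-trip test `((comp->dx << rpx) >> rpx) != comp->dx` detects lost bits only if `comp->dx` is an unsigned type; the `(OPJ_INT32)(comp->dy << levelno)` casts in the context suggest it is, but the guard deserves a comment saying so, because on a signed operand the same expression would itself be the undefined shift it is meant to prevent. Passing the test also does not mean the value fits the `(OPJ_INT32)` cast used in the `%` test below it — with `dx == 2` and `rpx == 30` the shift round-trips yet yields 2^31, which the cast converts to an implementation-defined value — so a comment such as `/* dx, dy are unsigned: the shift cannot overflow, only lose bits, which the round-trip compare catches; rpx, rpy < 31 keeps 1 << rpy below well-defined */` states the actual invariant. The identical guard is pasted into the @@ -441 and @@ -520 hunks as well; a `static` helper taking `comp`, `rpx` and `rpy` would keep the three copies in step. Each iterator body extends beyond its hunk.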
@@ -441,6 +451,16 @@ static OPJ_BOOL opj_pi_next_pcrl(opj_pi_iterator_t * pi) { try1 = opj_int_ceildiv(pi->ty1, (OPJ_INT32)(comp->dy << levelno)); rpx = res->pdx + levelno; rpy = res->pdy + levelno; + + /* To avoid divisions by zero / undefined behaviour on shift */ + /* in below tests */ + /* Relates to id:000019,sig:08,src:001098,op:flip1,pos:49 */ + /* of https://github.com/uclouvain/openjpeg/issues/938 */ + if (rpx >= 31 || ((comp->dx << rpx) >> rpx) != comp->dx || + rpy >= 31 || ((comp->dy << rpy) >> rpy) != comp->dy) { + continue; + } + if (!((pi->y % (OPJ_INT32)(comp->dy << rpy) == 0) || ((pi->y == pi->ty0) && ((try0 << levelno) % (1 << rpy))))){ continue; } @@ -520,6 +540,16 @@ static OPJ_BOOL opj_pi_next_cprl(opj_pi_iterator_t * pi) { try1 = opj_int_ceildiv(pi->ty1, (OPJ_INT32)(comp->dy << levelno)); rpx = res->pdx + levelno; rpy = res->pdy + levelno; + + /* To avoid divisions by zero / undefined behaviour on shift */ + /* in below tests */ + /* Fixes reading id:000019,sig:08,src:001098,op:flip1,pos:49 */ + /* of https://github.com/uclouvain/openjpeg/issues/938 */ + if (rpx >= 31 || ((comp->dx << rpx) >> rpx) != comp->dx || + rpy >= 31 || ((comp->dy << rpy) >> rpy) != comp->dy) { + continue; + } + if (!((pi->y % (OPJ_INT32)(comp->dy << rpy) == 0) || ((pi->y == pi->ty0) && ((try0 << levelno) % (1 << rpy))))){ continue; } ++++++ openjpeg2-CVE-2017-12982.patch ++++++ diff --git a/src/bin/jp2/convertbmp.c b/src/bin/jp2/convertbmp.c index ae83077..4df8d58 100644 --- a/src/bin/jp2/convertbmp.c +++ b/src/bin/jp2/convertbmp.c @@ -379,6 +379,10 @@ static OPJ_BOOL bmp_read_info_header(FILE* IN, OPJ_BITMAPINFOHEADER* header) header->biBitCount = (OPJ_UINT16)getc(IN); header->biBitCount |= (OPJ_UINT16)((OPJ_UINT32)getc(IN) << 8); + if (header->biBitCount == 0) { + fprintf(stderr, "Error, invalid biBitCount %d\n", 0); + return OPJ_FALSE; + } if(header->biSize >= 40U) { header->biCompression = (OPJ_UINT32)getc(IN); ++++++ openjpeg2-CVE-2017-14039.patch ++++++ 
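Review bot: The new error path prints a constant through a format argument, `fprintf(stderr, "Error, invalid biBitCount %d\n", 0);`, which reads as if a variable were intended; either print the field, `header->biBitCount`, or write `fputs("Error, invalid biBitCount 0\n", stderr);`. Only zero is rejected here; whether other bit counts the converter does not support are filtered later is not visible in this hunk, so a comment stating what this guard protects — presumably the row-size arithmetic that later divides by or scales with the bit count, to be confirmed outside the hunk — would help the next reader. bmp_read_info_header continues past the hunk.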
diff --git a/src/lib/openjp2/j2k.c b/src/lib/openjp2/j2k.c index 5cefffd..1844ac3 100644 --- a/src/lib/openjp2/j2k.c +++ b/src/lib/openjp2/j2k.c @@ -826,6 +826,7 @@ static OPJ_BOOL opj_j2k_write_tlm( opj_j2k_t *p_j2k, */ static OPJ_BOOL opj_j2k_write_sot( opj_j2k_t *p_j2k, OPJ_BYTE * p_data, + OPJ_UINT32 p_total_data_size, OPJ_UINT32 * p_data_written, const opj_stream_private_t *p_stream, opj_event_mgr_t * p_manager ); @@ -3963,6 +3964,7 @@ static OPJ_BOOL opj_j2k_write_tlm( opj_j2k_t *p_j2k, static OPJ_BOOL opj_j2k_write_sot( opj_j2k_t *p_j2k, OPJ_BYTE * p_data, + OPJ_UINT32 p_total_data_size, OPJ_UINT32 * p_data_written, const opj_stream_private_t *p_stream, opj_event_mgr_t * p_manager @@ -3973,6 +3975,12 @@ static OPJ_BOOL opj_j2k_write_sot( opj_j2k_t *p_j2k, assert(p_manager != 00); assert(p_stream != 00); + if (p_total_data_size < 12) { + opj_event_msg(p_manager, EVT_ERROR, + "Not enough bytes in output buffer to write SOT marker\n"); + return OPJ_FALSE; + } + opj_write_bytes(p_data,J2K_MS_SOT,2); /* SOT */ p_data += 2; @@ -4308,6 +4316,12 @@ static OPJ_BOOL opj_j2k_write_sod( opj_j2k_t *p_j2k, assert(p_manager != 00); assert(p_stream != 00); + if (p_total_data_size < 4) { + opj_event_msg(p_manager, EVT_ERROR, + "Not enough bytes in output buffer to write SOD marker\n"); + return OPJ_FALSE; + } + opj_write_bytes(p_data,J2K_MS_SOD,2); /* SOD */ p_data += 2; @@ -10625,7 +10639,7 @@ static OPJ_BOOL opj_j2k_write_first_tile_part (opj_j2k_t *p_j2k, l_current_nb_bytes_written = 0; l_begin_data = p_data; - if (! opj_j2k_write_sot(p_j2k,p_data,&l_current_nb_bytes_written,p_stream,p_manager)) + if (! opj_j2k_write_sot(p_j2k,p_data,p_total_data_size,&l_current_nb_bytes_written,p_stream,p_manager)) { return OPJ_FALSE; } 
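Review bot: The new `p_total_data_size < 12` guard in opj_j2k_write_sot only protects the buffer if the value the callers pass is the space remaining at `p_data`, not the size of the whole tile buffer; the call sites changed at @@ -10625, @@ -10712 and @@ -10752 forward `p_total_data_size` unchanged after `l_begin_data = p_data`, and any `p_total_data_size -= ...` bookkeeping that keeps it in step with `p_data` lies outside these hunks and should be confirmed. The same applies to the `p_total_data_size < 4` check added to opj_j2k_write_sod at @@ -4308, where the hunk does not explain why 4 rather than the 2 bytes of the marker. The 12 is the SOT marker segment (2-byte marker plus the 10-byte Lsot..TNsot segment) and should be named, `/* 2-byte SOT marker + 10-byte segment */` beside the check or a `#define` shared with the writer below. The bodies of both functions continue beyond the hunks.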
@@ -10712,7 +10726,7 @@ static OPJ_BOOL opj_j2k_write_all_tile_parts( opj_j2k_t *p_j2k, l_part_tile_size = 0; l_begin_data = p_data; - if (! opj_j2k_write_sot(p_j2k,p_data,&l_current_nb_bytes_written,p_stream,p_manager)) { + if (! opj_j2k_write_sot(p_j2k,p_data,p_total_data_size,&l_current_nb_bytes_written,p_stream,p_manager)) { return OPJ_FALSE; } @@ -10752,7 +10766,7 @@ static OPJ_BOOL opj_j2k_write_all_tile_parts( opj_j2k_t *p_j2k, l_part_tile_size = 0; l_begin_data = p_data; - if (! opj_j2k_write_sot(p_j2k,p_data,&l_current_nb_bytes_written,p_stream,p_manager)) { + if (! opj_j2k_write_sot(p_j2k,p_data,p_total_data_size,&l_current_nb_bytes_written,p_stream,p_manager)) { return OPJ_FALSE; } diff --git a/src/lib/openjp2/t2.c b/src/lib/openjp2/t2.c index 5a8d440..f14cea8 100644 --- a/src/lib/openjp2/t2.c +++ b/src/lib/openjp2/t2.c @@ -585,6 +585,10 @@ static OPJ_BOOL opj_t2_encode_packet( OPJ_UINT32 tileno, /* <SOP 0xff91> */ if (tcp->csty & J2K_CP_CSTY_SOP) { + if (length < 6) { + return OPJ_FALSE; + } + c[0] = 255; c[1] = 145; c[2] = 0; @@ -731,6 +735,10 @@ static OPJ_BOOL opj_t2_encode_packet( OPJ_UINT32 tileno, /* <EPH 0xff92> */ if (tcp->csty & J2K_CP_CSTY_EPH) { + if (length < 2) { + return OPJ_FALSE; + } + c[0] = 255; c[1] = 146; c += 2; ++++++ openjpeg2-CVE-2017-14040.patch ++++++ diff --git a/src/bin/jp2/convert.c b/src/bin/jp2/convert.c index deee4f6..f28c98d 100644 --- a/src/bin/jp2/convert.c +++ b/src/bin/jp2/convert.c @@ -41,6 +41,7 @@ #include <stdlib.h> #include <string.h> #include <ctype.h> +#include <limits.h> #include "openjpeg.h" #include "convert.h" 
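Review bot: The `length < 6` and `length < 2` guards before the SOP and EPH markers return `OPJ_FALSE` with no diagnostic, unlike the checks this same patch adds in j2k.c, which report through `opj_event_msg`; if an event manager is reachable from opj_t2_encode_packet it should be used here too, otherwise a comment naming the condition, `/* no room for the 6-byte SOP marker segment */`, helps whoever sees the failure propagate. The guards are only sound if `length` shrinks as `c` advances — the `c += 2` after EPH is visible, the matching `length` update is not — so the invariant that `length` is the space remaining at `c` is worth stating in a comment at the top of the function, which lies outside the hunk.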
@@ -558,12 +559,9 @@ struct tga_header }; #endif /* INFORMATION_ONLY */ -static unsigned short get_ushort(const unsigned char *data) { - unsigned short val = *(const unsigned short *)data; -#ifdef OPJ_BIG_ENDIAN - val = ((val & 0xffU) << 8) | (val >> 8); -#endif - return val; +/* Returns a ushort from a little-endian serialized value */ +static unsigned short get_tga_ushort(const unsigned char *data) { + return data[0] | (data[1] << 8); } #define TGA_HEADER_SIZE 18 @@ -589,17 +587,17 @@ static int tga_readheader(FILE *fp, unsigned int *bits_per_pixel, id_len = tga[0]; /*cmap_type = tga[1];*/ image_type = tga[2]; - /*cmap_index = get_ushort(&tga[3]);*/ - cmap_len = get_ushort(&tga[5]); + /*cmap_index = get_tga_ushort(&tga[3]);*/ + cmap_len = get_tga_ushort(&tga[5]); cmap_entry_size = tga[7]; #if 0 - x_origin = get_ushort(&tga[8]); - y_origin = get_ushort(&tga[10]); + x_origin = get_tga_ushort(&tga[8]); + y_origin = get_tga_ushort(&tga[10]); #endif - image_w = get_ushort(&tga[12]); - image_h = get_ushort(&tga[14]); + image_w = get_tga_ushort(&tga[12]); + image_h = get_tga_ushort(&tga[14]); pixel_depth = tga[16]; image_desc = tga[17]; @@ -763,6 +761,24 @@ opj_image_t* tgatoimage(const char *filename, opj_cparameters_t *parameters) { color_space = OPJ_CLRSPC_SRGB; } + /* If the declared file size is > 10 MB, check that the file is big */ + /* enough to avoid excessive memory allocations */ + if (image_height != 0 && image_width > 10000000 / image_height / numcomps) { + char ch; + OPJ_UINT64 expected_file_size = + (OPJ_UINT64)image_width * image_height * numcomps; + long curpos = ftell(f); + if (expected_file_size > (OPJ_UINT64)INT_MAX) { + expected_file_size = (OPJ_UINT64)INT_MAX; + } + fseek(f, (long)expected_file_size - 1, SEEK_SET); + if (fread(&ch, 1, 1, f) != 1) { + fclose(f); + return NULL; + } + fseek(f, curpos, SEEK_SET); + } + subsampling_dx = parameters->subsampling_dx; subsampling_dy = parameters->subsampling_dy; ++++++ openjpeg2-CVE-2017-14041.patch ++++++ 
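Review bot: `return data[0] | (data[1] << 8);` computes an `int` and narrows it implicitly to `unsigned short`, which -Wconversion flags; make the intent explicit with `return (unsigned short)(data[0] | (data[1] << 8));`. The rewrite also removes the misaligned, aliasing-violating `*(const unsigned short *)data` read and the `OPJ_BIG_ENDIAN` swap, so the new comment could say the function is byte-order independent by construction rather than only that it reads a little-endian value. The tga_readheader hunk at @@ -589 is a plain rename and needs nothing further.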
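Review bot: The file-size probe ignores the results of `ftell` and both `fseek` calls; when `ftell` fails it returns -1, and the restoring `fseek(f, curpos, SEEK_SET)` then silently fails and leaves the stream wherever the probe put it, corrupting the reads that follow. The division `10000000 / image_height / numcomps` also requires `numcomps` to be non-zero, and whether an earlier check guarantees that is not visible in this hunk. The probe proves only that the file holds at least `width * height * numcomps` bytes, capped at INT_MAX, not that the allocation it guards is reasonable, so the comment should say it is a heuristic. Rewritten block below; tgatoimage continues outside the hunk.
```c
    /* Heuristic: if the declared size exceeds ~10 MB, require the file to */
    /* actually hold that many bytes before allocating for it */
    if (image_height != 0 && numcomps != 0 &&
        image_width > 10000000 / image_height / numcomps) {
        char ch;
        OPJ_UINT64 expected_file_size =
            (OPJ_UINT64)image_width * image_height * numcomps;
        long curpos = ftell(f);
        if (curpos < 0) {
            fclose(f);
            return NULL;
        }
        if (expected_file_size > (OPJ_UINT64)INT_MAX) {
            expected_file_size = (OPJ_UINT64)INT_MAX;
        }
        if (fseek(f, (long)expected_file_size - 1, SEEK_SET) != 0 ||
            fread(&ch, 1, 1, f) != 1 ||
            fseek(f, curpos, SEEK_SET) != 0) {
            fclose(f);
            return NULL;
        }
    }
    /* … unchanged: subsampling setup … */
```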
diff --git a/src/bin/jp2/convert.c b/src/bin/jp2/convert.c index f28c98d..2381f3a 100644 --- a/src/bin/jp2/convert.c +++ b/src/bin/jp2/convert.c @@ -1115,7 +1115,7 @@ opj_image_t* pgxtoimage(const char *filename, opj_cparameters_t *parameters) { } fseek(f, 0, SEEK_SET); - if( fscanf(f, "PG%[ \t]%c%c%[ \t+-]%d%[ \t]%d%[ \t]%d",temp,&endian1,&endian2,signtmp,&prec,temp,&w,temp,&h) != 9){ + if( fscanf(f, "PG%31[ \t]%c%c%31[ \t+-]%d%31[ \t]%d%31[ \t]%d",temp,&endian1,&endian2,signtmp,&prec,temp,&w,temp,&h) != 9){ fclose(f); fprintf(stderr, "ERROR: Failed to read the right number of element from the fscanf() function!\n"); return NULL; ++++++ openjpeg2-CVE-2017-14151.patch ++++++ diff --git a/src/lib/openjp2/tcd.c b/src/lib/openjp2/tcd.c index 2e116b2..2f50bfe 100644 --- a/src/lib/openjp2/tcd.c +++ b/src/lib/openjp2/tcd.c @@ -1087,10 +1087,13 @@ static OPJ_BOOL opj_tcd_code_block_enc_allocate (opj_tcd_cblk_enc_t * p_code_blo static OPJ_BOOL opj_tcd_code_block_enc_allocate_data (opj_tcd_cblk_enc_t * p_code_block) { OPJ_UINT32 l_data_size; - - /* The +1 is needed for https://github.com/uclouvain/openjpeg/issues/835 */ - l_data_size = 1 + (OPJ_UINT32)((p_code_block->x1 - p_code_block->x0) * - (p_code_block->y1 - p_code_block->y0) * (OPJ_INT32)sizeof(OPJ_UINT32)); + + /* +1 is needed for https://github.com/uclouvain/openjpeg/issues/835 */ + /* and actually +2 required for https://github.com/uclouvain/openjpeg/issues/982 */ + /* TODO: is there a theoretical upper-bound for the compressed code */ + /* block size ? */ + l_data_size = 2 + (OPJ_UINT32)((p_code_block->x1 - p_code_block->x0) * + (p_code_block->y1 - p_code_block->y0) * (OPJ_INT32)sizeof(OPJ_UINT32)); if (l_data_size > p_code_block->data_size) { if (p_code_block->data) { ++++++ openjpeg2-CVE-2017-14152.patch ++++++ diff --git a/src/lib/openjp2/j2k.c b/src/lib/openjp2/j2k.c index 1844ac3..316b928 100644 --- a/src/lib/openjp2/j2k.c +++ b/src/lib/openjp2/j2k.c 
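Review bot: The new `%31[ \t]` widths bound the scan sets only if `temp` and `signtmp` hold at least 32 bytes, and both are declared outside the hunk; tie the two together with a comment beside the declarations, `/* temp and signtmp must be char[32]: matches the %31[...] widths in the PG header fscanf */`, or size the buffers from a named constant and build the format string from it. The `%d` conversions for `prec`, `w` and `h` remain unbounded in range, and those values drive allocation later in pgxtoimage (outside the hunk), so a range check after the successful `fscanf` is the next thing a reader will look for.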
@@ -6104,10 +6104,16 @@ static void opj_j2k_set_cinema_parameters(opj_cparameters_t *parameters, opj_ima /* Precincts */ parameters->csty |= 0x01; - parameters->res_spec = parameters->numresolution-1; - for (i = 0; i<parameters->res_spec; i++) { - parameters->prcw_init[i] = 256; - parameters->prch_init[i] = 256; + if (parameters->numresolution == 1) { + parameters->res_spec = 1; + parameters->prcw_init[0] = 128; + parameters->prch_init[0] = 128; + } else { + parameters->res_spec = parameters->numresolution - 1; + for (i = 0; i < parameters->res_spec; i++) { + parameters->prcw_init[i] = 256; + parameters->prch_init[i] = 256; + } } /* The progression order shall be CPRL */
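Review bot: The single-resolution branch hard-codes 128 where the general case uses 256, with no comment saying why the lowest resolution gets a different precinct size; presumably this follows the cinema profiles' smaller precinct for the lowest resolution level, and that should be stated: `/* Single resolution: the lowest level takes the 128x128 precinct the cinema profiles prescribe */` — confirm the wording against the profile text. The `else` branch still sets `res_spec = numresolution - 1` for every other value, so `numresolution <= 0` leaves `res_spec` at or below zero; if earlier validation rules that out, a one-line note saying so would save the next reader the search, as it is not visible in this hunk. opj_j2k_set_cinema_parameters continues beyond the hunk.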
