Hello community,

here is the log from the commit of package openjpeg for openSUSE:Factory 
checked in at 2014-02-15 17:17:31
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/openjpeg (Old)
 and      /work/SRC/openSUSE:Factory/.openjpeg.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "openjpeg"

Changes:
--------
--- /work/SRC/openSUSE:Factory/openjpeg/openjpeg.changes        2014-01-23 
15:50:19.000000000 +0100
+++ /work/SRC/openSUSE:Factory/.openjpeg.new/openjpeg.changes   2014-02-15 
17:17:32.000000000 +0100
@@ -0,0 +1,23 @@
+-------------------------------------------------------------------
+Wed Feb 12 20:08:03 UTC 2014 - asterios.dra...@gmail.com
+
+- Added the following security patches (based also on Redhat/Fedora patches):
+  * openjpeg-1.5-r2029.patch
+    From upstream. Fix issue 155, jp2_read_boxhdr() can trigger random pointer
+    memory access
+  * openjpeg-1.5-r2032.patch
+    From upstream. Fix issue 169, division by zero in j2k_read_siz
+  * openjpeg-1.5-r2033.patch
+    From upstream. Fix issue 166, missing range check in j2k_read_coc et al
+  * CVE-2013-1447.patch
+    Fix multiple denial of service flaws, CVE-2013-1447, bnc#853834
+  * CVE-2013-6052.patch
+    Fix heap OOB reads, information leaks, CVE-2013-6052, bnc#853644
+  * CVE-2013-6053.patch
+    Fix heap OOB reads, information leaks, CVE-2013-6053, bnc#853644
+  * CVE-2013-6887.patch
+    Fix multiple denial of service flaws, CVE-2013-6887, bnc#853644
+- Removed part of openjpeg-1.5.1-cve-2013-6045-1.patch that is already
+  upstream, included in openjpeg-1.5-r2033.patch (slightly modified).
+
+-------------------------------------------------------------------

New:
----
  CVE-2013-1447.patch
  CVE-2013-6052.patch
  CVE-2013-6053.patch
  CVE-2013-6887.patch
  openjpeg-1.5-r2029.patch
  openjpeg-1.5-r2032.patch
  openjpeg-1.5-r2033.patch

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ openjpeg.spec ++++++
--- /var/tmp/diff_new_pack.DPHEPf/_old  2014-02-15 17:17:33.000000000 +0100
+++ /var/tmp/diff_new_pack.DPHEPf/_new  2014-02-15 17:17:33.000000000 +0100
@@ -32,8 +32,24 @@
 # PATCH-FIX-OPENSUSE openjpeg-1.5.1-soname.patch asterios.dra...@gmail.com -- 
Revert soname bump compared to 1.5.0 release (for now, remove patch in 2.0 
release) (taken from Fedora)
 # See 
"http://code.google.com/p/openjpeg/source/browse/tags/version.1.5.1/CMakeLists.txt";.
 The change was introduced in 1.5.1 but soname can remain the same between 
1.5.0 and 1.5.1 versions.
 Patch1:         openjpeg-1.5.1-soname.patch
-Patch2:         openjpeg-1.5.1-cve-2013-6045-1.patch
-Patch3:         openjpeg-1.5.1-cve-2013-6045-2.patch
+# PATCH-FIX-UPSTREAM openjpeg-1.5-r2029.patch asterios.dra...@gmail.com -- 
From upstream. Fix issue 155, jp2_read_boxhdr() can trigger random pointer 
memory access
+Patch2:         openjpeg-1.5-r2029.patch
+# PATCH-FIX-UPSTREAM openjpeg-1.5-r2032.patch asterios.dra...@gmail.com -- 
From upstream. Fix issue 169, division by zero in j2k_read_siz
+Patch3:         openjpeg-1.5-r2032.patch
+# PATCH-FIX-UPSTREAM openjpeg-1.5-r2033.patch asterios.dra...@gmail.com -- 
From upstream. Fix issue 166, missing range check in j2k_read_coc et al
+Patch4:         openjpeg-1.5-r2033.patch
+# PATCH-FIX-UPSTREAM openjpeg-1.5.1-cve-2013-6045-1.patch CVE-2013-6045 
bnc#853838 -- Fix heap-based buffer overflows (rest of the fix is in 
openjpeg-1.5-r2033.patch)
+Patch5:         openjpeg-1.5.1-cve-2013-6045-1.patch
+# PATCH-FIX-UPSTREAM openjpeg-1.5.1-cve-2013-6045-2.patch CVE-2013-6045 
bnc#853838 -- Fix heap-based buffer overflows
+Patch6:         openjpeg-1.5.1-cve-2013-6045-2.patch
+# PATCH-FIX-UPSTREAM CVE-2013-6052.patch CVE-2013-6052 bnc#853644 
asterios.dra...@gmail.com -- Fix heap OOB reads, information leaks
+Patch7:         CVE-2013-6052.patch
+# PATCH-FIX-UPSTREAM CVE-2013-6053.patch CVE-2013-6053 bnc#853644 
asterios.dra...@gmail.com -- Fix heap OOB reads, information leaks
+Patch8:         CVE-2013-6053.patch
+# PATCH-FIX-UPSTREAM CVE-2013-1447.patch CVE-2013-1447 bnc#853834 
asterios.dra...@gmail.com -- Fix multiple denial of service flaws
+Patch9:         CVE-2013-1447.patch
+# PATCH-FIX-UPSTREAM CVE-2013-6887.patch CVE-2013-6887 bnc#853644 
asterios.dra...@gmail.com -- Fix multiple denial of service flaws
+Patch10:        CVE-2013-6887.patch
 BuildRequires:  cmake
 BuildRequires:  doxygen
 %if 0%{?suse_version}
@@ -72,8 +88,15 @@
 %setup -q
 %patch0 -p1
 %patch1 -p1
-%patch2 -p1
-%patch3 -p1
+%patch2
+%patch3
+%patch4
+%patch5 -p1
+%patch6 -p1
+%patch7 -p1
+%patch8 -p1
+%patch9 -p1
+%patch10 -p1
 # Remove build time references so build-compare can do its work
 sed -i "s/HTML_TIMESTAMP         = YES/HTML_TIMESTAMP         = NO/g" 
doc/Doxyfile.dox.cmake.in
 

++++++ CVE-2013-1447.patch ++++++
diff -Naurp openjpeg-1.5.1.orig/libopenjpeg/cio.c 
openjpeg-1.5.1/libopenjpeg/cio.c
--- openjpeg-1.5.1.orig/libopenjpeg/cio.c       2014-02-12 21:54:22.519760814 
+0200
+++ openjpeg-1.5.1/libopenjpeg/cio.c    2014-02-12 21:55:05.610745799 +0200
@@ -107,6 +107,11 @@ int OPJ_CALLCONV cio_tell(opj_cio_t *cio
  * pos : position, in number of bytes, from the beginning of the stream
  */
 void OPJ_CALLCONV cio_seek(opj_cio_t *cio, int pos) {
+       if ((cio->start + pos) > cio->end) {
+               opj_event_msg(cio->cinfo, EVT_ERROR, "error: trying to seek 
past the end of the codestream (start = %d, change = %d, end = %d\n", 
cio->start, pos, cio->end);
+               cio->bp = cio->end;
+               return;
+       }
        cio->bp = cio->start + pos;
 }
 
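Review bot: The new bound in cio_seek is checked by forming `cio->start + pos` first, so a negative `pos` still moves `cio->bp` before the start of the buffer, and a very large `pos` makes the pointer addition itself undefined before the comparison runs. Comparing offsets avoids both: `if (pos < 0 || pos > cio->end - cio->start) {`. The cio_skip hunk later in this patch has the same pattern with `cio->bp + n` and would be safer as `if (n < cio->start - cio->bp || n > cio->end - cio->bp) {`. Both messages also pass `cio->start`, `cio->bp` and `cio->end` to `%d`, which does not match the arguments if these are pointers, as the arithmetic suggests, and the parenthesis opened in each message is never closed.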
@@ -114,6 +119,7 @@ void OPJ_CALLCONV cio_seek(opj_cio_t *ci
  * Number of bytes left before the end of the stream.
  */
 int cio_numbytesleft(opj_cio_t *cio) {
+       assert((cio->end - cio->bp) >= 0);
        return cio->end - cio->bp;
 }
 
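Review bot: The `assert` added to cio_numbytesleft is the only guard against a negative count, and it is compiled out when the library is built with NDEBUG, so release builds still return the negative value to callers. In builds that keep assertions, a malformed stream terminates the host application instead of producing a decode error. A runtime check such as `if (cio->bp > cio->end) return 0;` would behave the same in both build types. The `assert((cio->bp + n) >= cio->bp)` that CVE-2013-6052.patch adds to cio_skip has the same problem and additionally fails for every negative `n`.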
@@ -191,6 +197,11 @@ unsigned int cio_read(opj_cio_t *cio, in
  */
 void cio_skip(opj_cio_t *cio, int n) {
        assert((cio->bp + n) >= cio->bp);
+       if (((cio->bp + n) < cio->start) || ((cio->bp + n) > cio->end)) {
+               opj_event_msg(cio->cinfo, EVT_ERROR, "error: trying to skip 
bytes past the end of the codestream (current = %d, change = %d, end = %d\n", 
cio->bp, n, cio->end);
+               cio->bp = cio->end;
+               return;
+       }
        cio->bp += n;
 }
 
diff -Naurp openjpeg-1.5.1.orig/libopenjpeg/j2k.c 
openjpeg-1.5.1/libopenjpeg/j2k.c
--- openjpeg-1.5.1.orig/libopenjpeg/j2k.c       2014-02-12 21:54:43.161239193 
+0200
+++ openjpeg-1.5.1/libopenjpeg/j2k.c    2014-02-12 21:55:05.611745822 +0200
@@ -476,7 +476,7 @@ static void j2k_read_siz(opj_j2k_t *j2k)
 
        image->comps = (opj_image_comp_t*) opj_calloc(image->numcomps, 
sizeof(opj_image_comp_t));
        for (i = 0; i < image->numcomps; i++) {
-               int tmp, w, h;
+               int tmp/*, w, h*/;
                tmp = cio_read(cio, 1);         /* Ssiz_i */
                image->comps[i].prec = (tmp & 0x7f) + 1;
                image->comps[i].sgnd = tmp >> 7;
@@ -511,6 +511,14 @@ static void j2k_read_siz(opj_j2k_t *j2k)
                        
                }
 #endif /* USE_JPWL */
+               {
+                       if (!(image->comps[i].dx * image->comps[i].dy)) {
+                               opj_event_msg(j2k->cinfo, EVT_ERROR,
+                                       "JPWL: bad XRsiz_%d/YRsiz_%d (%d x 
%d)\n",
+                                       i, i, image->comps[i].dx, 
image->comps[i].dy);
+                                       return;
+                       }
+               }
 
     /* prevent division by zero */
     if (!(image->comps[i].dx * image->comps[i].dy)) {
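Review bot: The braced block added after `#endif /* USE_JPWL */` tests the same condition, `!(image->comps[i].dx * image->comps[i].dy)`, as the existing "prevent division by zero" check that follows it directly, so the older check becomes unreachable and the two report different messages. One of the two should be dropped. The new message is prefixed `JPWL:` although it sits outside the USE_JPWL section, and its `return;` is indented as if it belonged to the `opj_event_msg` call. j2k_read_siz starts and ends outside this hunk, so whether the early return leaves the partly filled `image->comps` in a state the caller can detect is not visible here.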
@@ -519,8 +527,8 @@ static void j2k_read_siz(opj_j2k_t *j2k)
     }
 
                /* TODO: unused ? */
-               w = int_ceildiv(image->x1 - image->x0, image->comps[i].dx);
-               h = int_ceildiv(image->y1 - image->y0, image->comps[i].dy);
+/*             w = int_ceildiv(image->x1 - image->x0, image->comps[i].dx);
+               h = int_ceildiv(image->y1 - image->y0, image->comps[i].dy);*/
 
                image->comps[i].resno_decoded = 0;      /* number of resolution 
decoded */
                image->comps[i].factor = cp->reduce; /* reducing factor per 
component */
@@ -2015,6 +2023,11 @@ opj_image_t* j2k_decode(opj_j2k_t *j2k,
        }
        if (j2k->state == J2K_STATE_NEOC) {
                j2k_read_eoc(j2k);
+               /* Check one last time for errors during decoding before 
returning */
+               if (j2k->state & J2K_STATE_ERR) {
+                       opj_image_destroy(image);
+                       return NULL;
+               }
        }
 
        if (j2k->state != J2K_STATE_MT) {
diff -Naurp openjpeg-1.5.1.orig/libopenjpeg/jp2.c 
openjpeg-1.5.1/libopenjpeg/jp2.c
--- openjpeg-1.5.1.orig/libopenjpeg/jp2.c       2014-02-12 21:54:22.520760837 
+0200
+++ openjpeg-1.5.1/libopenjpeg/jp2.c    2014-02-12 21:55:05.612745844 +0200
@@ -819,6 +819,17 @@ void jp2_write_jp2h(opj_jp2_t *jp2, opj_
 
        jp2_write_ihdr(jp2, cio);
 
+       {
+               int curpos = cio_tell(cio);
+               cio_seek(cio, box.init_pos);
+               cio_skip(cio, box.length);
+               if ((cio_tell(cio) - box.init_pos) != box.length) {
+                       opj_event_msg(jp2->cinfo, EVT_ERROR, "Box size exceeds 
size of codestream (expected: %d, real: %d)\n", box.length, (cio_tell(cio) - 
box.init_pos));
+                       return OPJ_FALSE;
+               }
+               cio_seek(cio, curpos);
+       }
+
        if (jp2->bpc == 255) {
                jp2_write_bpcc(jp2, cio);
        }
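Review bot: The added block ends in `return OPJ_FALSE;`, but the hunk header places it in `void jp2_write_jp2h(`, and the context line `jp2_write_ihdr(jp2, cio);` agrees that this is the box writer; returning a value from a void function is a constraint violation that compilers at best warn about. The check also reads `box.length` at a point where the visible lines have not assigned it, so it should be confirmed against the full function that the value is initialised here. If the intent was to validate a box length read from an untrusted file, the check probably belongs in the corresponding read function; if it stays here, the statement should be `return;`. The function body continues outside the hunk.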
@@ -871,6 +882,13 @@ static opj_bool jp2_read_ftyp(opj_jp2_t
        jp2->numcl = (box.length - 16) / 4;
        jp2->cl = (unsigned int *) opj_malloc(jp2->numcl * sizeof(unsigned 
int));
 
+       if (cio_numbytesleft(cio) < ((int)jp2->numcl * 4)) {
+               opj_event_msg(cinfo, EVT_ERROR, "Not enough bytes in FTYP Box "
+                               "(expected %d, but only %d left)\n",
+                               ((int)jp2->numcl * 4), cio_numbytesleft(cio));
+               return OPJ_FALSE;
+       }
+
        for (i = 0; i < (int)jp2->numcl; i++) {
                jp2->cl[i] = cio_read(cio, 4);  /* CLi */
        }
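Review bot: The length check in jp2_read_ftyp runs after `opj_malloc(jp2->numcl * sizeof(unsigned int))`, so a `numcl` derived from an untrusted `box.length` still sizes an allocation before it is validated, and the result of that allocation is never tested before the loop writes `jp2->cl[i]`. Moving the check above the allocation and adding `if (jp2->cl == NULL) return OPJ_FALSE;` closes both gaps. `(int)jp2->numcl * 4` can also overflow for large counts; dividing the remaining byte count by 4 and comparing that with the count avoids the multiplication. The function starts outside this hunk, so whether `box.length` is already known to be at least 16 is not visible.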
diff -Naurp openjpeg-1.5.1.orig/libopenjpeg/t2.c openjpeg-1.5.1/libopenjpeg/t2.c
--- openjpeg-1.5.1.orig/libopenjpeg/t2.c        2012-09-13 10:58:39.000000000 
+0300
+++ openjpeg-1.5.1/libopenjpeg/t2.c     2014-02-12 21:55:05.613745866 +0200
@@ -340,6 +340,11 @@ static int t2_decode_packet(opj_t2_t* t2
        int precno = pi->precno;        /* precinct value */
        int layno  = pi->layno;         /* quality layer value */
 
+       if (!&(tile->comps[compno])) {
+               opj_event_msg(t2->cinfo, EVT_ERROR, "Trying to decode tile with 
no components!\n");
+               return -999;
+       }
+
        opj_tcd_resolution_t* res = &tile->comps[compno].resolutions[resno];
 
        unsigned char *hd = NULL;
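Review bot: `!&(tile->comps[compno])` tests the address of an array element, which is non-null for any non-null `tile->comps` and for any `compno` other than 0, so the new guard in t2_decode_packet cannot catch an empty or out-of-range component, and a compiler may remove it entirely. The condition the message describes would be `if (tile->comps == NULL || compno < 0 || compno >= tile->numcomps) {`, assuming the tile structure carries the `numcomps` field that the tcd.c hunk of this patch reads. The check is also placed before the declaration of `res`, which a strict C89 compiler rejects. The function continues outside this hunk.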
diff -Naurp openjpeg-1.5.1.orig/libopenjpeg/tcd.c 
openjpeg-1.5.1/libopenjpeg/tcd.c
--- openjpeg-1.5.1.orig/libopenjpeg/tcd.c       2014-02-12 21:53:55.337111606 
+0200
+++ openjpeg-1.5.1/libopenjpeg/tcd.c    2014-02-12 21:55:05.614745889 +0200
@@ -667,8 +667,8 @@ void tcd_malloc_decode(opj_tcd_t *tcd, o
                        y1 = j == 0 ? tilec->y1 : int_max(y1,   (unsigned int) 
tilec->y1);
                }
 
-               w = int_ceildivpow2(x1 - x0, image->comps[i].factor);
-               h = int_ceildivpow2(y1 - y0, image->comps[i].factor);
+               w = int_ceildivpow2((long)(x1) - (long)(x0), 
image->comps[i].factor);
+               h = int_ceildivpow2((long)(y1) - (long)(y0), 
image->comps[i].factor);
 
                image->comps[i].w = w;
                image->comps[i].h = h;
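Review bot: Casting to `long` in tcd_malloc_decode only widens the subtraction where `long` is larger than `int`; on 32-bit and LLP64 (64-bit Windows) targets both are 32 bits and `x1 - x0` can overflow exactly as before. If `int_ceildivpow2` takes an `int`, which the hunk does not show, the widened difference is also truncated again at the call. Checking the operands before subtracting (for example rejecting negative coordinates and `x1 < x0`, `y1 < y0`) would not depend on type widths. The function starts and ends outside this hunk.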
@@ -1381,7 +1381,15 @@ opj_bool tcd_decode_tile(opj_tcd_t *tcd,
        if (l == -999) {
                eof = 1;
                opj_event_msg(tcd->cinfo, EVT_ERROR, "tcd_decode: incomplete 
bistream\n");
+               return OPJ_FALSE;
        }
+
+       /* The code below assumes that numcomps > 0 */
+       if (tile->numcomps <= 0) {
+               opj_event_msg(tcd->cinfo, EVT_ERROR, "tcd_decode: tile has a 
zero or negative numcomps\n");
+               return OPJ_TRUE;
+       }
+
        
        /*------------------TIER1-----------------*/
        
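Review bot: The new `tile->numcomps <= 0` branch logs an EVT_ERROR and then returns `OPJ_TRUE`, so callers of tcd_decode_tile see success for a tile that was not decoded. Unless a caller depends on that, `return OPJ_FALSE;` matches the error path added just above it. With that earlier `return OPJ_FALSE;` in place, the `eof = 1;` assignment before it may no longer have any effect; this is worth checking against the rest of the function, since the body continues outside this hunk.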
++++++ CVE-2013-6052.patch ++++++
diff -Naurp openjpeg-1.5.1.orig/libopenjpeg/cio.c 
openjpeg-1.5.1/libopenjpeg/cio.c
--- openjpeg-1.5.1.orig/libopenjpeg/cio.c       2012-09-13 10:58:39.000000000 
+0300
+++ openjpeg-1.5.1/libopenjpeg/cio.c    2014-02-11 21:46:40.963759620 +0200
@@ -30,6 +30,7 @@
  */
 
 #include "opj_includes.h"
+#include <assert.h>
 
 /* ----------------------------------------------------------------------- */
 
@@ -139,6 +140,11 @@ opj_bool cio_byteout(opj_cio_t *cio, uns
  * Read a byte.
  */
 unsigned char cio_bytein(opj_cio_t *cio) {
+       if (cio->bp < cio->start) {
+               opj_event_msg(cio->cinfo, EVT_ERROR, "read error: trying to 
read from before the start of the codestream (start = %d, current = %d, end = 
%d\n", cio->start, cio->bp, cio->end);
+               abort();
+               return 0;
+       }
        if (cio->bp >= cio->end) {
                opj_event_msg(cio->cinfo, EVT_ERROR, "read error: passed the 
end of the codestream (start = %d, current = %d, end = %d\n", cio->start, 
cio->bp, cio->end);
                return 0;
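Review bot: Calling `abort()` from cio_bytein turns a malformed codestream into termination of whatever process embeds the library, which is itself a denial of service for viewers and services that decode untrusted images. The branch below it already shows the library's convention of logging and returning 0; the new branch should do the same and drop the `abort();` line, which also makes its `return 0;` reachable. The message passes `cio->start`, `cio->bp` and `cio->end` to `%d`, which does not match pointer arguments if that is what these fields are. The function's closing lines are outside the hunk.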
@@ -173,7 +179,7 @@ unsigned int cio_read(opj_cio_t *cio, in
        unsigned int v;
        v = 0;
        for (i = n - 1; i >= 0; i--) {
-               v += cio_bytein(cio) << (i << 3);
+               v += (unsigned int)cio_bytein(cio) << (i << 3);
        }
        return v;
 }
@@ -184,6 +190,7 @@ unsigned int cio_read(opj_cio_t *cio, in
  * n : number of bytes to skip
  */
 void cio_skip(opj_cio_t *cio, int n) {
+       assert((cio->bp + n) >= cio->bp);
        cio->bp += n;
 }
 
diff -Naurp openjpeg-1.5.1.orig/libopenjpeg/jp2.c 
openjpeg-1.5.1/libopenjpeg/jp2.c
--- openjpeg-1.5.1.orig/libopenjpeg/jp2.c       2014-02-11 21:26:35.416647925 
+0200
+++ openjpeg-1.5.1/libopenjpeg/jp2.c    2014-02-11 21:46:40.964759635 +0200
@@ -172,6 +172,9 @@ static opj_bool jp2_read_boxhdr(opj_comm
        }
        else if (box->length == 0) {
                box->length = cio_numbytesleft(cio) + 8;
+       } else if (box->length < 0) {
+               opj_event_msg(cinfo, EVT_ERROR, "Invalid, negative, size of 
box\n");
+               return OPJ_FALSE;
        }
        if (box->length < 0) {
                opj_event_msg(cinfo, EVT_ERROR, "Integer overflow in 
box->length\n");
++++++ CVE-2013-6053.patch ++++++
diff -Naurp openjpeg-1.5.1.orig/libopenjpeg/j2k.c 
openjpeg-1.5.1/libopenjpeg/j2k.c
--- openjpeg-1.5.1.orig/libopenjpeg/j2k.c       2014-02-11 21:44:50.471125032 
+0200
+++ openjpeg-1.5.1/libopenjpeg/j2k.c    2014-02-11 21:47:31.284512599 +0200
@@ -422,7 +422,7 @@ static void j2k_read_siz(opj_j2k_t *j2k)
        
        if ((image->x0<0)||(image->x1<0)||(image->y0<0)||(image->y1<0)) {
                opj_event_msg(j2k->cinfo, EVT_ERROR,
-                                                                       "%s: 
invalid image size (x0:%d, x1:%d, y0:%d, y1:%d)\n",
+                                                                       
"invalid image size (x0:%d, x1:%d, y0:%d, y1:%d)\n",
                                                                        
image->x0,image->x1,image->y0,image->y1);
                return;
        }
++++++ CVE-2013-6887.patch ++++++
diff -Naurp openjpeg-1.5.1.orig/libopenjpeg/j2k.c 
openjpeg-1.5.1/libopenjpeg/j2k.c
--- openjpeg-1.5.1.orig/libopenjpeg/j2k.c       2014-02-12 21:55:05.611745822 
+0200
+++ openjpeg-1.5.1/libopenjpeg/j2k.c    2014-02-12 21:55:39.808491487 +0200
@@ -1697,8 +1697,11 @@ static void j2k_read_eoc(opj_j2k_t *j2k)
        else {
                for (i = 0; i < j2k->cp->tileno_size; i++) {
                        tileno = j2k->cp->tileno[i];
-                       opj_free(j2k->tile_data[tileno]);
-                       j2k->tile_data[tileno] = NULL;
+                       /* not sure if this can actually happen */
+                       if (tileno != -1) {
+                               opj_free(j2k->tile_data[tileno]);
+                               j2k->tile_data[tileno] = NULL;
+                       }
                }
        }       
        if (j2k->state & J2K_STATE_ERR)
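Review bot: `tileno != -1` filters only one sentinel value before `j2k->tile_data[tileno]` is indexed, and the added comment says the author is unsure the case can occur. If `tileno[]` is filled from the codestream, any other negative or too-large value still indexes outside `tile_data`; a range check against the allocated number of tiles (not visible in this hunk) would cover the sentinel as well. The same test is added in the j2k_destroy_decompress hunk of this patch, where the new lines are tab-indented inside a space-indented block. A comment stating where -1 is stored, in place of "not sure if this can actually happen", would help the next reader.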
@@ -1858,8 +1861,10 @@ void j2k_destroy_decompress(opj_j2k_t *j
         if(j2k->cp != NULL) {
             for (i = 0; i < j2k->cp->tileno_size; i++) {
                 int tileno = j2k->cp->tileno[i];
-                opj_free(j2k->tile_data[tileno]);
-                j2k->tile_data[tileno] = NULL;
+               if (tileno != -1) {
+                       opj_free(j2k->tile_data[tileno]);
+                       j2k->tile_data[tileno] = NULL;
+               }
             }
         }
 
++++++ openjpeg-1.5-r2029.patch ++++++
Index: libopenjpeg/jp2.c
===================================================================
--- libopenjpeg/jp2.c   (revision 2028)
+++ libopenjpeg/jp2.c   (revision 2029)
@@ -173,6 +173,10 @@
        else if (box->length == 0) {
                box->length = cio_numbytesleft(cio) + 8;
        }
+       if (box->length < 0) {
+               opj_event_msg(cinfo, EVT_ERROR, "Integer overflow in 
box->length\n");
+               return OPJ_FALSE; // TODO: actually check jp2_read_boxhdr's 
return value
+       }
        
        return OPJ_TRUE;
 }
@@ -654,6 +658,7 @@
         opj_event_msg(cinfo, EVT_ERROR, "Expected JP2H Marker\n");
         return OPJ_FALSE;
         }
+         if (box.length <= 8) return OPJ_FALSE;
       cio_skip(cio, box.length - 8);
 
       if(cio->bp >= cio->end) return OPJ_FALSE;
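Review bot: `if (box.length <= 8) return OPJ_FALSE;` fails without an `opj_event_msg`, unlike the "Expected JP2H Marker" path directly above it, so a rejected file gives the caller no indication of why. The same silent return is added in every other hunk of this patch that guards `cio_skip(cio, box.length - 8)`. The comparison also rejects a length of exactly 8, a box with a header and no payload; if such boxes are valid in files this library must accept, the test should be `< 8`. In the last hunk `*j2k_codestream_offset` is written before the length is checked, so the output is modified on the failure path.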
@@ -679,6 +684,7 @@
       {
       if( !jp2_read_colr(jp2, cio, &box, color))
         {
+        if (box.length <= 8) return OPJ_FALSE;
         cio_seek(cio, box.init_pos + 8);
         cio_skip(cio, box.length - 8);
         }
@@ -689,6 +695,7 @@
       {
       if( !jp2_read_cdef(jp2, cio, &box, color))
         {
+        if (box.length <= 8) return OPJ_FALSE;
         cio_seek(cio, box.init_pos + 8);
         cio_skip(cio, box.length - 8);
         }
@@ -699,6 +706,7 @@
       {
       if( !jp2_read_pclr(jp2, cio, &box, color))
         {
+        if (box.length <= 8) return OPJ_FALSE;
         cio_seek(cio, box.init_pos + 8);
         cio_skip(cio, box.length - 8);
         }
@@ -709,12 +717,14 @@
       {
       if( !jp2_read_cmap(jp2, cio, &box, color))
         {
+        if (box.length <= 8) return OPJ_FALSE;
         cio_seek(cio, box.init_pos + 8);
         cio_skip(cio, box.length - 8);
         }
       if( jp2_read_boxhdr(cinfo, cio, &box) == OPJ_FALSE ) return OPJ_FALSE;
       continue;
       }
+    if (box.length <= 8) return OPJ_FALSE;
     cio_seek(cio, box.init_pos + 8);
     cio_skip(cio, box.length - 8);
     if( jp2_read_boxhdr(cinfo, cio, &box) == OPJ_FALSE ) return OPJ_FALSE;
@@ -910,12 +920,14 @@
   }
        do {
                if(JP2_JP2C != box.type) {
+                       if (box.length <= 8) return OPJ_FALSE;
                        cio_skip(cio, box.length - 8);
                        if( jp2_read_boxhdr(cinfo, cio, &box) == OPJ_FALSE ) 
return OPJ_FALSE;
                }
        } while(JP2_JP2C != box.type);
 
        *j2k_codestream_offset = cio_tell(cio);
+       if (box.length <= 8) return OPJ_FALSE;
        *j2k_codestream_length = box.length - 8;
 
        return OPJ_TRUE;
++++++ openjpeg-1.5-r2032.patch ++++++
Index: libopenjpeg/j2k.c
===================================================================
--- libopenjpeg/j2k.c   (revision 2031)
+++ libopenjpeg/j2k.c   (revision 2032)
@@ -468,6 +468,12 @@
        }
 #endif /* USE_JPWL */
 
+  /* prevent division by zero */
+  if (!(cp->tdx * cp->tdy)) {
+    opj_event_msg(j2k->cinfo, EVT_ERROR, "JPWL: invalid tile size (tdx: %d, 
tdy: %d)\n", cp->tdx, cp->tdy);
+    return;
+  }
+
        image->comps = (opj_image_comp_t*) opj_calloc(image->numcomps, 
sizeof(opj_image_comp_t));
        for (i = 0; i < image->numcomps; i++) {
                int tmp, w, h;
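Review bot: Testing `!(cp->tdx * cp->tdy)` uses a product as a zero test; if the fields are `int`, two large values from the stream overflow, which is undefined for signed types, and the intent is clearer as `if (cp->tdx == 0 || cp->tdy == 0) {`. The second hunk does the same with `image->comps[i].dx * image->comps[i].dy`. Both messages start with `JPWL:` although the checks sit after `#endif /* USE_JPWL */` and run in every build. j2k_read_siz begins and ends outside these hunks.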
@@ -506,6 +512,12 @@
                }
 #endif /* USE_JPWL */
 
+    /* prevent division by zero */
+    if (!(image->comps[i].dx * image->comps[i].dy)) {
+      opj_event_msg(j2k->cinfo, EVT_ERROR, "JPWL: invalid component size (dx: 
%d, dy: %d)\n", image->comps[i].dx, image->comps[i].dy);
+      return;
+    }
+
                /* TODO: unused ? */
                w = int_ceildiv(image->x1 - image->x0, image->comps[i].dx);
                h = int_ceildiv(image->y1 - image->y0, image->comps[i].dy);
++++++ openjpeg-1.5-r2033.patch ++++++
Index: libopenjpeg/j2k.c
===================================================================
--- libopenjpeg/j2k.c   (revision 2032)
+++ libopenjpeg/j2k.c   (revision 2033)
@@ -835,6 +835,12 @@
        
        len = cio_read(cio, 2);         /* Lcoc */
        compno = cio_read(cio, image->numcomps <= 256 ? 1 : 2); /* Ccoc */
+  if (compno >= image->numcomps) {
+    opj_event_msg(j2k->cinfo, EVT_ERROR,
+      "bad component number in COC (%d out of a maximum of %d)\n",
+      compno, image->numcomps);
+    return;
+  }
        tcp->tccps[compno].csty = cio_read(cio, 1);     /* Scoc */
        j2k_read_cox(j2k, compno);
 }
@@ -1016,9 +1022,16 @@
 
                /* keep your private count of tiles */
                backup_compno++;
-       };
+       }
 #endif /* USE_JPWL */
 
+  if ((compno < 0) || (compno >= numcomp)) {
+    opj_event_msg(j2k->cinfo, EVT_ERROR,
+      "bad component number in QCC (%d out of a maximum of %d)\n",
+      compno, j2k->image->numcomps);
+    return;
+  }
+
        j2k_read_qcx(j2k, compno, len - 2 - (numcomp <= 256 ? 1 : 2));
 }
 
@@ -1602,6 +1615,13 @@
        };
 #endif /* USE_JPWL */
 
+  if (compno >= numcomps) {
+    opj_event_msg(j2k->cinfo, EVT_ERROR,
+      "bad component number in RGN (%d out of a maximum of %d)\n",
+      compno, j2k->image->numcomps);
+    return;
+  }
+
        tcp->tccps[compno].roishift = cio_read(cio, 1);                         
/* SPrgn */
 }
 
++++++ openjpeg-1.5.1-cve-2013-6045-1.patch ++++++
--- /var/tmp/diff_new_pack.DPHEPf/_old  2014-02-15 17:17:33.000000000 +0100
+++ /var/tmp/diff_new_pack.DPHEPf/_new  2014-02-15 17:17:33.000000000 +0100
@@ -1,41 +1,7 @@
-Index: libopenjpeg/j2k.c
-===================================================================
---- openjpeg-1.5.1/libopenjpeg/j2k.c.orig
-+++ openjpeg-1.5.1/libopenjpeg/j2k.c
-@@ -823,6 +823,12 @@ static void j2k_read_coc(opj_j2k_t *j2k)
-       
-       len = cio_read(cio, 2);         /* Lcoc */
-       compno = cio_read(cio, image->numcomps <= 256 ? 1 : 2); /* Ccoc */
-+      if ((compno < 0) || (compno >= image->numcomps)) {
-+              opj_event_msg(j2k->cinfo, EVT_ERROR ,
-+                              "bad component number in COC (%d out of a 
maximum of %d)\n",
-+                              compno, image->numcomps);
-+              return;
-+      }
-       tcp->tccps[compno].csty = cio_read(cio, 1);     /* Scoc */
-       j2k_read_cox(j2k, compno);
- }
-@@ -1004,8 +1010,18 @@ static void j2k_read_qcc(opj_j2k_t *j2k)
- 
-               /* keep your private count of tiles */
-               backup_compno++;
--      };
-+      }
-+      else
- #endif /* USE_JPWL */
-+      {
-+              /* compno is negative or larger than the number of 
components!!! */
-+              if ((compno < 0) || (compno >= numcomp)) {
-+                      opj_event_msg(j2k->cinfo, EVT_ERROR,
-+                              "JPWL: bad component number in QCC (%d out of a 
maximum of %d)\n",
-+                              compno, numcomp);
-+                      return;
-+              }
-+      }
- 
-       j2k_read_qcx(j2k, compno, len - 2 - (numcomp <= 256 ? 1 : 2));
- }
-@@ -1051,6 +1067,17 @@ static void j2k_read_poc(opj_j2k_t *j2k)
+diff -Naurp openjpeg-1.5.1.orig/libopenjpeg/j2k.c 
openjpeg-1.5.1/libopenjpeg/j2k.c
+--- openjpeg-1.5.1.orig/libopenjpeg/j2k.c      2014-02-12 21:31:39.130390265 
+0200
++++ openjpeg-1.5.1/libopenjpeg/j2k.c   2014-02-12 21:41:31.515864601 +0200
+@@ -1076,6 +1076,17 @@ static void j2k_read_poc(opj_j2k_t *j2k)
        tcp->POC = 1;
        len = cio_read(cio, 2);         /* Lpoc */
        numpchgs = (len - 2) / (5 + 2 * (numcomps <= 256 ? 1 : 2));
@@ -53,9 +19,9 @@
        
        for (i = old_poc; i < numpchgs + old_poc; i++) {
                opj_poc_t *poc;
-@@ -1590,6 +1617,14 @@ static void j2k_read_rgn(opj_j2k_t *j2k)
-       };
- #endif /* USE_JPWL */
+@@ -1622,6 +1633,14 @@ static void j2k_read_rgn(opj_j2k_t *j2k)
+     return;
+   }
  
 +      /* totlen is negative or larger than the bytes left!!! */
 +      if (compno >= numcomps) {
