packages/openjpeg2
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

fix CVE-2019-12973 and CVE-2021-3575

Browse Source 
(cherry picked from commit 2c600008132050c2ba42a46a129834f3c8154ec6)
This commit is contained in:
dongyuzhen 2022-03-14 17:21:44 +08:00 committed by openeuler-sync-bot
parent 3a504604d0
commit f0b83764a5
4 changed files with 207 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

75
backport-0001-CVE-2019-12973.patch Normal file
View File

@ -0,0 +1,75 @@
From 21399f6b7d318fcdf4406d5e88723c4922202aa3 Mon Sep 17 00:00:00 2001
From: Young Xiao <YangX92@hotmail.com>
Date: Sat, 16 Mar 2019 19:57:27 +0800
Subject: [PATCH] convertbmp: detect invalid file dimensions early
width/length dimensions read from bmp headers are not necessarily
valid. For instance they may have been maliciously set to very large
values with the intention to cause DoS (large memory allocation, stack
overflow). In these cases we want to detect the invalid size as early
as possible.
This commit introduces a counter which verifies that the number of
written bytes corresponds to the advertized width/length.
See commit 8ee335227bbc for details.
Signed-off-by: Young Xiao <YangX92@hotmail.com>
Conflict:NA
Reference:https://github.com/uclouvain/openjpeg/commit/21399f6b7d318fcdf4406d5e88723c4922202aa3
---
src/bin/jp2/convertbmp.c | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/src/bin/jp2/convertbmp.c b/src/bin/jp2/convertbmp.c
index 8220078..c69daee 100644
--- a/src/bin/jp2/convertbmp.c
+++ b/src/bin/jp2/convertbmp.c
@@ -622,13 +622,13 @@ static OPJ_BOOL bmp_read_rle8_data(FILE* IN, OPJ_UINT8* pData,
static OPJ_BOOL bmp_read_rle4_data(FILE* IN, OPJ_UINT8* pData,
OPJ_UINT32 stride, OPJ_UINT32 width, OPJ_UINT32 height)
{
- OPJ_UINT32 x, y;
+ OPJ_UINT32 x, y, written;
OPJ_UINT8 *pix;
const OPJ_UINT8 *beyond;
beyond = pData + stride * height;
pix = pData;
- x = y = 0U;
+ x = y = written = 0U;
while (y < height) {
int c = getc(IN);
if (c == EOF) {
@@ -642,6 +642,7 @@ static OPJ_BOOL bmp_read_rle4_data(FILE* IN, OPJ_UINT8* pData,
for (j = 0; (j < c) && (x < width) &&
((OPJ_SIZE_T)pix < (OPJ_SIZE_T)beyond); j++, x++, pix++) {
*pix = (OPJ_UINT8)((j & 1) ? (c1 & 0x0fU) : ((c1 >> 4) & 0x0fU));
+ written++;
}
} else { /* absolute mode */
c = getc(IN);
@@ -671,6 +672,7 @@ static OPJ_BOOL bmp_read_rle4_data(FILE* IN, OPJ_UINT8* pData,
c1 = (OPJ_UINT8)getc(IN);
}
*pix = (OPJ_UINT8)((j & 1) ? (c1 & 0x0fU) : ((c1 >> 4) & 0x0fU));
+ written++;
}
if (((c & 3) == 1) || ((c & 3) == 2)) { /* skip padding byte */
getc(IN);
@@ -678,6 +680,10 @@ static OPJ_BOOL bmp_read_rle4_data(FILE* IN, OPJ_UINT8* pData,
}
}
} /* while(y < height) */
+ if (written != width * height) {
+ fprintf(stderr, "warning, image's actual size does not match advertized one\n");
+ return OPJ_FALSE;
+ }
return OPJ_TRUE;
}
--
2.33.0

89
backport-0002-CVE-2019-12973.patch Normal file
View File

@ -0,0 +1,89 @@
From 3aef207f90e937d4931daf6d411e092f76d82e66 Mon Sep 17 00:00:00 2001
From: Young Xiao <YangX92@hotmail.com>
Date: Sat, 16 Mar 2019 20:09:59 +0800
Subject: [PATCH] bmp_read_rle4_data(): avoid potential infinite loop
Conflict:NA
Reference:https://github.com/uclouvain/openjpeg/commit/3aef207f90e937d4931daf6d411e092f76d82e66
---
src/bin/jp2/convertbmp.c | 32 ++++++++++++++++++++++++++------
1 file changed, 26 insertions(+), 6 deletions(-)
diff --git a/src/bin/jp2/convertbmp.c b/src/bin/jp2/convertbmp.c
index c69daee..5d38739 100644
--- a/src/bin/jp2/convertbmp.c
+++ b/src/bin/jp2/convertbmp.c
@@ -632,12 +632,18 @@ static OPJ_BOOL bmp_read_rle4_data(FILE* IN, OPJ_UINT8* pData,
while (y < height) {
int c = getc(IN);
if (c == EOF) {
- break;
+ return OPJ_FALSE;
}
if (c) { /* encoded mode */
- int j;
- OPJ_UINT8 c1 = (OPJ_UINT8)getc(IN);
+ int j, c1_int;
+ OPJ_UINT8 c1;
+
+ c1_int = getc(IN);
+ if (c1_int == EOF) {
+ return OPJ_FALSE;
+ }
+ c1 = (OPJ_UINT8)c1_int;
for (j = 0; (j < c) && (x < width) &&
((OPJ_SIZE_T)pix < (OPJ_SIZE_T)beyond); j++, x++, pix++) {
@@ -647,7 +653,7 @@ static OPJ_BOOL bmp_read_rle4_data(FILE* IN, OPJ_UINT8* pData,
} else { /* absolute mode */
c = getc(IN);
if (c == EOF) {
- break;
+ return OPJ_FALSE;
}
if (c == 0x00) { /* EOL */
@@ -658,8 +664,14 @@ static OPJ_BOOL bmp_read_rle4_data(FILE* IN, OPJ_UINT8* pData,
break;
} else if (c == 0x02) { /* MOVE by dxdy */
c = getc(IN);
+ if (c == EOF) {
+ return OPJ_FALSE;
+ }
x += (OPJ_UINT32)c;
c = getc(IN);
+ if (c == EOF) {
+ return OPJ_FALSE;
+ }
y += (OPJ_UINT32)c;
pix = pData + y * stride + x;
} else { /* 03 .. 255 : absolute mode */
@@ -669,13 +681,21 @@ static OPJ_BOOL bmp_read_rle4_data(FILE* IN, OPJ_UINT8* pData,
for (j = 0; (j < c) && (x < width) &&
((OPJ_SIZE_T)pix < (OPJ_SIZE_T)beyond); j++, x++, pix++) {
if ((j & 1) == 0) {
- c1 = (OPJ_UINT8)getc(IN);
+ int c1_int;
+ c1_int = getc(IN);
+ if (c1_int == EOF) {
+ return OPJ_FALSE;
+ }
+ c1 = (OPJ_UINT8)c1_int;
}
*pix = (OPJ_UINT8)((j & 1) ? (c1 & 0x0fU) : ((c1 >> 4) & 0x0fU));
written++;
}
if (((c & 3) == 1) || ((c & 3) == 2)) { /* skip padding byte */
- getc(IN);
+ c = getc(IN);
+ if (c == EOF) {
+ return OPJ_FALSE;
+ }
}
}
}
--
2.33.0

35
backport-CVE-2021-3575.patch Normal file
View File

@ -0,0 +1,35 @@
From f4cb033a340b55dbc576453c4b6a967fec5cbbda Mon Sep 17 00:00:00 2001
From: Mehdi Sabwat <mehdisabwat@gmail.com>
Date: Fri, 7 May 2021 01:50:37 +0200
Subject: [PATCH] fix heap buffer overflow #1347
Conflict:NA
Reference:https://github.com/uclouvain/openjpeg/commit/f4cb033a340b55dbc576453c4b6a967fec5cbbda
---
src/bin/common/color.c | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/src/bin/common/color.c b/src/bin/common/color.c
index 27f15f137..935fa44eb 100644
--- a/src/bin/common/color.c
+++ b/src/bin/common/color.c
@@ -368,12 +368,15 @@ static void sycc420_to_rgb(opj_image_t *img)
sycc_to_rgb(offset, upb, *y, *cb, *cr, r, g, b);
- ++y;
+ if (*y != img->comps[0].data[loopmaxh])
+ ++y;
++r;
++g;
++b;
- ++cb;
- ++cr;
+ if (*cb != img->comps[1].data[loopmaxh])
+ ++cb;
+ if (*cr != img->comps[2].data[loopmaxh])
+ ++cr;
}
if (j < maxw) {
sycc_to_rgb(offset, upb, *y, *cb, *cr, r, g, b);

10
openjpeg2.spec
View File

@ -1,6 +1,6 @@
Name: openjpeg2
Version: 2.3.1
Release: 8
Release: 9
Summary: C-Library for JPEG 2000
License: BSD and MIT
URL: https://github.com/uclouvain/openjpeg
@ -22,7 +22,10 @@ Patch6009: backport-CVE-2020-6851.patch
Patch6010: backport-CVE-2020-27823.patch
Patch6011: backport-CVE-2020-27824.patch
Patch6012: backport-CVE-2021-29338.patch
Patch6013: backport-CVE-2020-27842.patch
Patch6013: backport-CVE-2020-27842.patch
Patch6014: backport-0001-CVE-2019-12973.patch
Patch6015: backport-0002-CVE-2019-12973.patch
Patch6016: backport-CVE-2021-3575.patch
BuildRequires: cmake gcc-c++ make zlib-devel libpng-devel libtiff-devel lcms2-devel doxygen
@ -98,6 +101,9 @@ mv %{buildroot}%{_mandir}/man1/opj_dump.1 %{buildroot}%{_mandir}/man1/opj2_dump.
%{_mandir}/man3/*.3*
%changelog
* Mon Mar 14 2022 dongyuzhen <dongyuzhen@h-partners.com> - 2.3.1-9
- fix CVE-2019-12973,CVE-2021-3575
* Tue Jan 4 2022 dongyuzhen <dongyuzhen@huawei.com> - 2.3.1-8
- fix CVE-2020-27842