From a8845341bc2bf1c422d4610e4d69a947753f291a Mon Sep 17 00:00:00 2001
From: liuyumeng <liuyumeng5@huawei.com>
Date: Mon, 7 Jun 2021 18:19:23 +0800
Subject: [PATCH] fix CVE-2020-6851 CVE-2020-8112 CVE-2020-27823 CVE-2020-27824

---
 backport-CVE-2020-27823.patch         | 30 +++++++++++++++++
 backport-CVE-2020-27824.patch         | 27 ++++++++++++++++
 backport-CVE-2020-6851.patch          | 31 ++++++++++++++++++
 backport-CVE-2020-8112.patch          | 46 +++++++++++++++++++++++++++
 backport-avoid-integer-overflow.patch | 32 +++++++++++++++++++
 openjpeg2.spec                        | 10 +++++-
 6 files changed, 175 insertions(+), 1 deletion(-)
 create mode 100644 backport-CVE-2020-27823.patch
 create mode 100644 backport-CVE-2020-27824.patch
 create mode 100644 backport-CVE-2020-6851.patch
 create mode 100644 backport-CVE-2020-8112.patch
 create mode 100644 backport-avoid-integer-overflow.patch

diff --git a/backport-CVE-2020-27823.patch b/backport-CVE-2020-27823.patch
new file mode 100644
index 0000000..b8bfb39
--- /dev/null
+++ b/backport-CVE-2020-27823.patch
@@ -0,0 +1,30 @@
+From b2072402b7e14d22bba6fb8cde2a1e9996e9a919 Mon Sep 17 00:00:00 2001
+From: Even Rouault <even.rouault@spatialys.com>
+Date: Mon, 30 Nov 2020 22:31:51 +0100
+Subject: [PATCH] pngtoimage(): fix wrong computation of x1,y1 if -d option is
+ used, that would result in a heap buffer overflow (fixes #1284)
+
+reason:CVE-2020-27823
+Conflict:NA
+Reference:https://github.com/uclouvain/openjpeg/commit/b2072402b7e14d22bba6fb8cde2a1e9996e9a919
+
+---
+ src/bin/jp2/convertpng.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/bin/jp2/convertpng.c b/src/bin/jp2/convertpng.c
+index 328c91beb..00f596e27 100644
+--- a/src/bin/jp2/convertpng.c
++++ b/src/bin/jp2/convertpng.c
+@@ -223,9 +223,9 @@ opj_image_t *pngtoimage(const char *read_idf, opj_cparameters_t * params)
+     image->x0 = (OPJ_UINT32)params->image_offset_x0;
+     image->y0 = (OPJ_UINT32)params->image_offset_y0;
+     image->x1 = (OPJ_UINT32)(image->x0 + (width  - 1) * (OPJ_UINT32)
+-                             params->subsampling_dx + 1 + image->x0);
++                             params->subsampling_dx + 1);
+     image->y1 = (OPJ_UINT32)(image->y0 + (height - 1) * (OPJ_UINT32)
+-                             params->subsampling_dy + 1 + image->y0);
++                             params->subsampling_dy + 1);
+ 
+     row32s = (OPJ_INT32 *)malloc((size_t)width * nr_comp * sizeof(OPJ_INT32));
+     if (row32s == NULL) {
diff --git a/backport-CVE-2020-27824.patch b/backport-CVE-2020-27824.patch
new file mode 100644
index 0000000..ebc3743
--- /dev/null
+++ b/backport-CVE-2020-27824.patch
@@ -0,0 +1,27 @@
+From 6daf5f3e1ec6eff03b7982889874a3de6617db8d Mon Sep 17 00:00:00 2001
+From: Even Rouault <even.rouault@spatialys.com>
+Date: Mon, 30 Nov 2020 22:37:07 +0100
+Subject: [PATCH] Encoder: avoid global buffer overflow on irreversible
+ conversion when too many decomposition levels are specified (fixes #1286)
+
+reason:CVE-2020-27824
+Conflict:NA
+Reference:https://github.com/uclouvain/openjpeg/commit/6daf5f3e1ec6eff03b7982889874a3de6617db8d
+
+---
+ src/lib/openjp2/dwt.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/lib/openjp2/dwt.c b/src/lib/openjp2/dwt.c
+index ee9eb5e63..4164ba090 100644
+--- a/src/lib/openjp2/dwt.c
++++ b/src/lib/openjp2/dwt.c
+@@ -1976,7 +1976,7 @@ void opj_dwt_calc_explicit_stepsizes(opj_tccp_t * tccp, OPJ_UINT32 prec)
+         if (tccp->qntsty == J2K_CCP_QNTSTY_NOQNT) {
+             stepsize = 1.0;
+         } else {
+-            OPJ_FLOAT64 norm = opj_dwt_norms_real[orient][level];
++            OPJ_FLOAT64 norm = opj_dwt_getnorm_real(level, orient);
+             stepsize = (1 << (gain)) / norm;
+         }
+         opj_dwt_encode_stepsize((OPJ_INT32) floor(stepsize * 8192.0),
diff --git a/backport-CVE-2020-6851.patch b/backport-CVE-2020-6851.patch
new file mode 100644
index 0000000..ca2d842
--- /dev/null
+++ b/backport-CVE-2020-6851.patch
@@ -0,0 +1,31 @@
+From 024b8407392cb0b82b04b58ed256094ed5799e04 Mon Sep 17 00:00:00 2001
+From: Even Rouault <even.rouault@spatialys.com>
+Date: Sat, 11 Jan 2020 01:51:19 +0100
+Subject: [PATCH] opj_j2k_update_image_dimensions(): reject images whose
+ coordinates are beyond INT_MAX (fixes #1228)
+
+Conflict:NA
+Reference:https://github.com/uclouvain/openjpeg/commit/46c1eff9e98bbcf794d042f7b2e3d45556e805ce
+---
+ src/lib/openjp2/j2k.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+ 
+diff -Naur a_openjpeg/src/lib/openjp2/j2k.c b_openjpeg/src/lib/openjp2/j2k.c
+--- a_openjpeg/src/lib/openjp2/j2k.c    2020-05-28 09:19:53.024612881 -0400
++++ b_openjpeg/src/lib/openjp2/j2k.c    2020-05-28 09:29:55.623612881 -0400
+@@ -9236,6 +9236,14 @@
+     l_img_comp = p_image->comps;
+     for (it_comp = 0; it_comp < p_image->numcomps; ++it_comp) {
+         OPJ_INT32 l_h, l_w;
++       if (p_image->x0 > (OPJ_UINT32)INT_MAX ||
++                p_image->y0 > (OPJ_UINT32)INT_MAX ||
++                p_image->x1 > (OPJ_UINT32)INT_MAX ||
++                p_image->y1 > (OPJ_UINT32)INT_MAX) {
++            opj_event_msg(p_manager, EVT_ERROR,
++                          "Image coordinates above INT_MAX are not supported\n");
++            return OPJ_FALSE;
++        }
+ 
+         l_img_comp->x0 = (OPJ_UINT32)opj_int_ceildiv((OPJ_INT32)p_image->x0,
+                          (OPJ_INT32)l_img_comp->dx);
+
diff --git a/backport-CVE-2020-8112.patch b/backport-CVE-2020-8112.patch
new file mode 100644
index 0000000..e218134
--- /dev/null
+++ b/backport-CVE-2020-8112.patch
@@ -0,0 +1,46 @@
+From 05f9b91e60debda0e83977e5e63b2e66486f7074 Mon Sep 17 00:00:00 2001
+From: Even Rouault <even.rouault@spatialys.com>
+Date: Thu, 30 Jan 2020 00:59:57 +0100
+Subject: [PATCH] opj_tcd_init_tile(): avoid integer overflow
+
+That could lead to later assertion failures.
+
+Fixes #1231 / CVE-2020-8112
+
+Conflict:NA
+Reference:https://github.com/uclouvain/openjpeg/pull/1232/commits/05f9b91e60debda0e83977e5e63b2e66486f7074
+---
+ src/lib/openjp2/tcd.c | 20 ++++++++++++++++++--
+ 1 file changed, 18 insertions(+), 2 deletions(-)
+
+diff -Naur a/src/lib/openjp2/tcd.c b/src/lib/openjp2/tcd.c
+--- a/src/lib/openjp2/tcd.c 2020-06-01 17:05:36.781309518 -0400
++++ b/src/lib/openjp2/tcd.c 2020-06-01 17:08:08.504309518 -0400
+@@ -905,8 +905,24 @@
+             /* p. 64, B.6, ISO/IEC FDIS15444-1 : 2000 (18 august 2000)  */
+             l_tl_prc_x_start = opj_int_floordivpow2(l_res->x0, (OPJ_INT32)l_pdx) << l_pdx;
+             l_tl_prc_y_start = opj_int_floordivpow2(l_res->y0, (OPJ_INT32)l_pdy) << l_pdy;
+-            l_br_prc_x_end = opj_int_ceildivpow2(l_res->x1, (OPJ_INT32)l_pdx) << l_pdx;
+-            l_br_prc_y_end = opj_int_ceildivpow2(l_res->y1, (OPJ_INT32)l_pdy) << l_pdy;
++            {
++                OPJ_UINT32 tmp = ((OPJ_UINT32)opj_int_ceildivpow2(l_res->x1,
++                                  (OPJ_INT32)l_pdx)) << l_pdx;
++                if (tmp > (OPJ_UINT32)INT_MAX) {
++                    opj_event_msg(manager, EVT_ERROR, "Integer overflow\n");
++                    return OPJ_FALSE;
++                }
++                l_br_prc_x_end = (OPJ_INT32)tmp;
++            }
++            {
++                OPJ_UINT32 tmp = ((OPJ_UINT32)opj_int_ceildivpow2(l_res->y1,
++                                  (OPJ_INT32)l_pdy)) << l_pdy;
++                if (tmp > (OPJ_UINT32)INT_MAX) {
++                    opj_event_msg(manager, EVT_ERROR, "Integer overflow\n");
++                    return OPJ_FALSE;
++                }
++                l_br_prc_y_end = (OPJ_INT32)tmp;
++            }
+             /*fprintf(stderr, "\t\t\tprc_x_start=%d, prc_y_start=%d, br_prc_x_end=%d, br_prc_y_end=%d \n", l_tl_prc_x_start, l_tl_prc_y_start, l_br_prc_x_end ,l_br_prc_y_end );*/
+ 
+             l_res->pw = (l_res->x0 == l_res->x1) ? 0U : (OPJ_UINT32)((
+
diff --git a/backport-avoid-integer-overflow.patch b/backport-avoid-integer-overflow.patch
new file mode 100644
index 0000000..3f8e458
--- /dev/null
+++ b/backport-avoid-integer-overflow.patch
@@ -0,0 +1,32 @@
+From 4cb1f663049aab96e122d1ff16f601d0cc0be976 Mon Sep 17 00:00:00 2001
+From: Even Rouault <even.rouault@spatialys.com>
+Date: Sun, 17 Nov 2019 01:18:26 +0100
+Subject: [PATCH] pi.c: avoid integer overflow, resulting in later invalid
+ access to memory in opj_t2_decode_packets(). Fixes
+ https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=18979
+
+Conflict:NA
+Reference:https://github.com/uclouvain/openjpeg/commit/4cb1f663049aab96e122d1ff16f601d0cc0be976
+---
+ src/lib/openjp2/pi.h | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/lib/openjp2/pi.h b/src/lib/openjp2/pi.h
+index 7531d30..68f1b82 100644
+--- a/src/lib/openjp2/pi.h
++++ b/src/lib/openjp2/pi.h
+@@ -102,9 +102,9 @@ typedef struct opj_pi_iterator {
+     /** Components*/
+     opj_pi_comp_t *comps;
+     /** FIXME DOC*/
+-    OPJ_INT32 tx0, ty0, tx1, ty1;
++    OPJ_UINT32 tx0, ty0, tx1, ty1;
+     /** FIXME DOC*/
+-    OPJ_INT32 x, y;
++    OPJ_UINT32 x, y;
+     /** FIXME DOC*/
+     OPJ_UINT32 dx, dy;
+     /** event manager */
+-- 
+2.27.0
+
diff --git a/openjpeg2.spec b/openjpeg2.spec
index c3116c5..95d0112 100644
--- a/openjpeg2.spec
+++ b/openjpeg2.spec
@@ -1,6 +1,6 @@
 Name:           openjpeg2
 Version:        2.3.1
-Release:        5
+Release:        6
 Summary:        C-Library for JPEG 2000
 License:        BSD and MIT
 URL:            https://github.com/uclouvain/openjpeg
@@ -16,6 +16,11 @@ Patch6003:      backport-CVE-2020-27814.patch
 Patch6004:      backport-CVE-2020-27841.patch
 Patch6005:      backport-CVE-2020-27843.patch
 Patch6006:      backport-CVE-2020-27845.patch
+Patch6007:      backport-CVE-2020-8112.patch
+Patch6008:      backport-CVE-2020-6851.patch
+Patch6009:      backport-CVE-2020-27823.patch
+Patch6010:      backport-CVE-2020-27824.patch
+Patch6011:      backport-avoid-integer-overflow.patch
 
 BuildRequires:  cmake gcc-c++ make zlib-devel libpng-devel libtiff-devel lcms2-devel doxygen
 
@@ -91,6 +96,9 @@ mv %{buildroot}%{_mandir}/man1/opj_dump.1 %{buildroot}%{_mandir}/man1/opj2_dump.
 %{_mandir}/man3/*.3*
 
 %changelog
+* Mon Jun 7 2021 liuyumeng <liuyumeng5@huawei.com> - 2.3.1-6
+- fix CVE-2020-8112 CVE-2020-6851 CVE-2020-27823 CVE-2020-27824
+
 * Tue Feb 23 2021 jinzhimin <jinzhimin2@huawei.com> - 2.3.1-5
 - fix CVE-2020-27841 CVE-2020-27843 CVE-2020-27845
 
-- 
Gitee