diff --git a/backport-CVE-2020-27823.patch b/backport-CVE-2020-27823.patch new file mode 100644 index 0000000000000000000000000000000000000000..b8bfb3913d8e7e5de54b9dac7af202d53a7c7de9 --- /dev/null +++ b/backport-CVE-2020-27823.patch @@ -0,0 +1,30 @@ +From b2072402b7e14d22bba6fb8cde2a1e9996e9a919 Mon Sep 17 00:00:00 2001 +From: Even Rouault +Date: Mon, 30 Nov 2020 22:31:51 +0100 +Subject: [PATCH] pngtoimage(): fix wrong computation of x1,y1 if -d option is + used, that would result in a heap buffer overflow (fixes #1284) + +reason:CVE-2020-27823 +Conflict:NA +Reference:https://github.com/uclouvain/openjpeg/commit/b2072402b7e14d22bba6fb8cde2a1e9996e9a919 + +--- + src/bin/jp2/convertpng.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/src/bin/jp2/convertpng.c b/src/bin/jp2/convertpng.c +index 328c91beb..00f596e27 100644 +--- a/src/bin/jp2/convertpng.c ++++ b/src/bin/jp2/convertpng.c +@@ -223,9 +223,9 @@ opj_image_t *pngtoimage(const char *read_idf, opj_cparameters_t * params) + image->x0 = (OPJ_UINT32)params->image_offset_x0; + image->y0 = (OPJ_UINT32)params->image_offset_y0; + image->x1 = (OPJ_UINT32)(image->x0 + (width - 1) * (OPJ_UINT32) +- params->subsampling_dx + 1 + image->x0); ++ params->subsampling_dx + 1); + image->y1 = (OPJ_UINT32)(image->y0 + (height - 1) * (OPJ_UINT32) +- params->subsampling_dy + 1 + image->y0); ++ params->subsampling_dy + 1); + + row32s = (OPJ_INT32 *)malloc((size_t)width * nr_comp * sizeof(OPJ_INT32)); + if (row32s == NULL) { diff --git a/backport-CVE-2020-27824.patch b/backport-CVE-2020-27824.patch new file mode 100644 index 0000000000000000000000000000000000000000..ebc3743a13f7d2ed21fb4498c40fbb12087da5cf --- /dev/null +++ b/backport-CVE-2020-27824.patch @@ -0,0 +1,27 @@ +From 6daf5f3e1ec6eff03b7982889874a3de6617db8d Mon Sep 17 00:00:00 2001 +From: Even Rouault +Date: Mon, 30 Nov 2020 22:37:07 +0100 +Subject: [PATCH] Encoder: avoid global buffer overflow on irreversible + conversion when too many decomposition levels are specified (fixes #1286) + +reason:CVE-2020-27824 +Conflict:NA +Reference:https://github.com/uclouvain/openjpeg/commit/6daf5f3e1ec6eff03b7982889874a3de6617db8d + +--- + src/lib/openjp2/dwt.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/lib/openjp2/dwt.c b/src/lib/openjp2/dwt.c +index ee9eb5e63..4164ba090 100644 +--- a/src/lib/openjp2/dwt.c ++++ b/src/lib/openjp2/dwt.c +@@ -1976,7 +1976,7 @@ void opj_dwt_calc_explicit_stepsizes(opj_tccp_t * tccp, OPJ_UINT32 prec) + if (tccp->qntsty == J2K_CCP_QNTSTY_NOQNT) { + stepsize = 1.0; + } else { +- OPJ_FLOAT64 norm = opj_dwt_norms_real[orient][level]; ++ OPJ_FLOAT64 norm = opj_dwt_getnorm_real(level, orient); + stepsize = (1 << (gain)) / norm; + } + opj_dwt_encode_stepsize((OPJ_INT32) floor(stepsize * 8192.0), diff --git a/backport-CVE-2020-27841.patch b/backport-CVE-2020-27841.patch index 2a09919d692afee73a7c2dc4dbac986e062b8bd0..dd360bded374cc10f3e65e89f1bc77bfc0494f7b 100644 --- a/backport-CVE-2020-27841.patch +++ b/backport-CVE-2020-27841.patch @@ -4,6 +4,10 @@ Date: Wed, 2 Dec 2020 14:02:17 +0100 Subject: [PATCH] pi.c: avoid out of bounds access with POC (refs https://github.com/uclouvain/openjpeg/issues/1293#issuecomment-737122836) +reason:CVE-2020-27841 +Conflict:NA +Reference:https://github.com/uclouvain/openjpeg/commit/00383e162ae2f8fc951f5745bf1011771acb8dce + --- src/lib/openjp2/pi.c | 49 +++++++++++++++++++++++++++++--------------- src/lib/openjp2/pi.h | 10 +++++++-- @@ -176,7 +180,7 @@ index 7fb3417fe..0320523b7 100644 --- a/src/lib/openjp2/pi.h +++ b/src/lib/openjp2/pi.h @@ -107,6 +107,8 @@ typedef struct opj_pi_iterator { - OPJ_INT32 x, y; + OPJ_UINT32 x, y; /** FIXME DOC*/ OPJ_UINT32 dx, dy; + /** event manager */ diff --git a/backport-CVE-2020-6851.patch b/backport-CVE-2020-6851.patch new file mode 100644 index 0000000000000000000000000000000000000000..ca2d84244fe0249878ae6cdb6c0d619f830c1ee1 --- /dev/null +++ b/backport-CVE-2020-6851.patch @@ -0,0 +1,31 @@ +From 024b8407392cb0b82b04b58ed256094ed5799e04 Mon Sep 17 00:00:00 2001 +From: Even Rouault +Date: Sat, 11 Jan 2020 01:51:19 +0100 +Subject: [PATCH] opj_j2k_update_image_dimensions(): reject images whose + coordinates are beyond INT_MAX (fixes #1228) + +Conflict:NA +Reference:https://github.com/uclouvain/openjpeg/commit/46c1eff9e98bbcf794d042f7b2e3d45556e805ce +--- + src/lib/openjp2/j2k.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff -Naur a_openjpeg/src/lib/openjp2/j2k.c b_openjpeg/src/lib/openjp2/j2k.c +--- a_openjpeg/src/lib/openjp2/j2k.c 2020-05-28 09:19:53.024612881 -0400 ++++ b_openjpeg/src/lib/openjp2/j2k.c 2020-05-28 09:29:55.623612881 -0400 +@@ -9236,6 +9236,14 @@ + l_img_comp = p_image->comps; + for (it_comp = 0; it_comp < p_image->numcomps; ++it_comp) { + OPJ_INT32 l_h, l_w; ++ if (p_image->x0 > (OPJ_UINT32)INT_MAX || ++ p_image->y0 > (OPJ_UINT32)INT_MAX || ++ p_image->x1 > (OPJ_UINT32)INT_MAX || ++ p_image->y1 > (OPJ_UINT32)INT_MAX) { ++ opj_event_msg(p_manager, EVT_ERROR, ++ "Image coordinates above INT_MAX are not supported\n"); ++ return OPJ_FALSE; ++ } + + l_img_comp->x0 = (OPJ_UINT32)opj_int_ceildiv((OPJ_INT32)p_image->x0, + (OPJ_INT32)l_img_comp->dx); + diff --git a/backport-CVE-2020-8112.patch b/backport-CVE-2020-8112.patch new file mode 100644 index 0000000000000000000000000000000000000000..e21813420748cde3c1ea85356c4f57cb15b4a4fa --- /dev/null +++ b/backport-CVE-2020-8112.patch @@ -0,0 +1,46 @@ +From 05f9b91e60debda0e83977e5e63b2e66486f7074 Mon Sep 17 00:00:00 2001 +From: Even Rouault +Date: Thu, 30 Jan 2020 00:59:57 +0100 +Subject: [PATCH] opj_tcd_init_tile(): avoid integer overflow + +That could lead to later assertion failures. + +Fixes #1231 / CVE-2020-8112 + +Conflict:NA +Reference:https://github.com/uclouvain/openjpeg/pull/1232/commits/05f9b91e60debda0e83977e5e63b2e66486f7074 +--- + src/lib/openjp2/tcd.c | 20 ++++++++++++++++++-- + 1 file changed, 18 insertions(+), 2 deletions(-) + +diff -Naur a/src/lib/openjp2/tcd.c b/src/lib/openjp2/tcd.c +--- a/src/lib/openjp2/tcd.c 2020-06-01 17:05:36.781309518 -0400 ++++ b/src/lib/openjp2/tcd.c 2020-06-01 17:08:08.504309518 -0400 +@@ -905,8 +905,24 @@ + /* p. 64, B.6, ISO/IEC FDIS15444-1 : 2000 (18 august 2000) */ + l_tl_prc_x_start = opj_int_floordivpow2(l_res->x0, (OPJ_INT32)l_pdx) << l_pdx; + l_tl_prc_y_start = opj_int_floordivpow2(l_res->y0, (OPJ_INT32)l_pdy) << l_pdy; +- l_br_prc_x_end = opj_int_ceildivpow2(l_res->x1, (OPJ_INT32)l_pdx) << l_pdx; +- l_br_prc_y_end = opj_int_ceildivpow2(l_res->y1, (OPJ_INT32)l_pdy) << l_pdy; ++ { ++ OPJ_UINT32 tmp = ((OPJ_UINT32)opj_int_ceildivpow2(l_res->x1, ++ (OPJ_INT32)l_pdx)) << l_pdx; ++ if (tmp > (OPJ_UINT32)INT_MAX) { ++ opj_event_msg(manager, EVT_ERROR, "Integer overflow\n"); ++ return OPJ_FALSE; ++ } ++ l_br_prc_x_end = (OPJ_INT32)tmp; ++ } ++ { ++ OPJ_UINT32 tmp = ((OPJ_UINT32)opj_int_ceildivpow2(l_res->y1, ++ (OPJ_INT32)l_pdy)) << l_pdy; ++ if (tmp > (OPJ_UINT32)INT_MAX) { ++ opj_event_msg(manager, EVT_ERROR, "Integer overflow\n"); ++ return OPJ_FALSE; ++ } ++ l_br_prc_y_end = (OPJ_INT32)tmp; ++ } + /*fprintf(stderr, "\t\t\tprc_x_start=%d, prc_y_start=%d, br_prc_x_end=%d, br_prc_y_end=%d \n", l_tl_prc_x_start, l_tl_prc_y_start, l_br_prc_x_end ,l_br_prc_y_end );*/ + + l_res->pw = (l_res->x0 == l_res->x1) ? 0U : (OPJ_UINT32)(( + diff --git a/backport-avoid-integer-overflow.patch b/backport-avoid-integer-overflow.patch new file mode 100644 index 0000000000000000000000000000000000000000..2a1ab68ce087d1e609356d442448a6fafbd50cff --- /dev/null +++ b/backport-avoid-integer-overflow.patch @@ -0,0 +1,81 @@ +From 4cb1f663049aab96e122d1ff16f601d0cc0be976 Mon Sep 17 00:00:00 2001 +From: Even Rouault +Date: Sun, 17 Nov 2019 01:18:26 +0100 +Subject: [PATCH] pi.c: avoid integer overflow, resulting in later invalid + access to memory in opj_t2_decode_packets(). Fixes + https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=18979 + +reason:avoid integer overflow, resulting in later invalid +Conflict:NA +Reference:https://github.com/uclouvain/openjpeg/commit/4cb1f663049aab96e122d1ff16f601d0cc0be976 + +--- + src/lib/openjp2/pi.c | 24 ++++++++++++------------ + src/lib/openjp2/pi.h | 4 ++-- + 2 files changed, 14 insertions(+), 14 deletions(-) + +diff --git a/src/lib/openjp2/pi.c b/src/lib/openjp2/pi.c +index 4a6ed68e2..3ddb4a0c5 100644 +--- a/src/lib/openjp2/pi.c ++++ b/src/lib/openjp2/pi.c +@@ -376,10 +376,10 @@ static OPJ_BOOL opj_pi_next_rpcl(opj_pi_iterator_t * pi) + pi->poc.tx1 = pi->tx1; + } + for (pi->resno = pi->poc.resno0; pi->resno < pi->poc.resno1; pi->resno++) { +- for (pi->y = pi->poc.ty0; pi->y < pi->poc.ty1; +- pi->y += (OPJ_INT32)(pi->dy - (OPJ_UINT32)(pi->y % (OPJ_INT32)pi->dy))) { +- for (pi->x = pi->poc.tx0; pi->x < pi->poc.tx1; +- pi->x += (OPJ_INT32)(pi->dx - (OPJ_UINT32)(pi->x % (OPJ_INT32)pi->dx))) { ++ for (pi->y = (OPJ_UINT32)pi->poc.ty0; pi->y < (OPJ_UINT32)pi->poc.ty1; ++ pi->y += (pi->dy - (pi->y % pi->dy))) { ++ for (pi->x = (OPJ_UINT32)pi->poc.tx0; pi->x < (OPJ_UINT32)pi->poc.tx1; ++ pi->x += (pi->dx - (pi->x % pi->dx))) { + for (pi->compno = pi->poc.compno0; pi->compno < pi->poc.compno1; pi->compno++) { + OPJ_UINT32 levelno; + OPJ_INT32 trx0, try0; +@@ -508,10 +508,10 @@ static OPJ_BOOL opj_pi_next_pcrl(opj_pi_iterator_t * pi) + pi->poc.ty1 = pi->ty1; + pi->poc.tx1 = pi->tx1; + } +- for (pi->y = pi->poc.ty0; pi->y < pi->poc.ty1; +- pi->y += (OPJ_INT32)(pi->dy - (OPJ_UINT32)(pi->y % (OPJ_INT32)pi->dy))) { +- for (pi->x = pi->poc.tx0; pi->x < pi->poc.tx1; +- pi->x += (OPJ_INT32)(pi->dx - (OPJ_UINT32)(pi->x % (OPJ_INT32)pi->dx))) { ++ for (pi->y = (OPJ_UINT32)pi->poc.ty0; pi->y < (OPJ_UINT32)pi->poc.ty1; ++ pi->y += (pi->dy - (pi->y % pi->dy))) { ++ for (pi->x = (OPJ_UINT32)pi->poc.tx0; pi->x < (OPJ_UINT32)pi->poc.tx1; ++ pi->x += (pi->dx - (pi->x % pi->dx))) { + for (pi->compno = pi->poc.compno0; pi->compno < pi->poc.compno1; pi->compno++) { + comp = &pi->comps[pi->compno]; + for (pi->resno = pi->poc.resno0; +@@ -639,10 +639,10 @@ static OPJ_BOOL opj_pi_next_cprl(opj_pi_iterator_t * pi) + pi->poc.ty1 = pi->ty1; + pi->poc.tx1 = pi->tx1; + } +- for (pi->y = pi->poc.ty0; pi->y < pi->poc.ty1; +- pi->y += (OPJ_INT32)(pi->dy - (OPJ_UINT32)(pi->y % (OPJ_INT32)pi->dy))) { +- for (pi->x = pi->poc.tx0; pi->x < pi->poc.tx1; +- pi->x += (OPJ_INT32)(pi->dx - (OPJ_UINT32)(pi->x % (OPJ_INT32)pi->dx))) { ++ for (pi->y = (OPJ_UINT32)pi->poc.ty0; pi->y < (OPJ_UINT32)pi->poc.ty1; ++ pi->y += (pi->dy - (pi->y % pi->dy))) { ++ for (pi->x = (OPJ_UINT32)pi->poc.tx0; pi->x < (OPJ_UINT32)pi->poc.tx1; ++ pi->x += (pi->dx - (pi->x % pi->dx))) { + for (pi->resno = pi->poc.resno0; + pi->resno < opj_uint_min(pi->poc.resno1, comp->numresolutions); pi->resno++) { + OPJ_UINT32 levelno; +diff --git a/src/lib/openjp2/pi.h b/src/lib/openjp2/pi.h +index 8c0dc25c1..873802089 100644 +--- a/src/lib/openjp2/pi.h ++++ b/src/lib/openjp2/pi.h +@@ -102,9 +102,9 @@ typedef struct opj_pi_iterator { + /** Components*/ + opj_pi_comp_t *comps; + /** FIXME DOC*/ +- OPJ_INT32 tx0, ty0, tx1, ty1; ++ OPJ_UINT32 tx0, ty0, tx1, ty1; + /** FIXME DOC*/ +- OPJ_INT32 x, y; ++ OPJ_UINT32 x, y; + /** FIXME DOC*/ + OPJ_UINT32 dx, dy; + } opj_pi_iterator_t; diff --git a/openjpeg2.spec b/openjpeg2.spec index c3116c52ca33efb5645f291b0937a2f0152258bb..3b5803353f6e8fba8099e950fd33b9278ebd2a5a 100644 --- a/openjpeg2.spec +++ b/openjpeg2.spec @@ -1,6 +1,6 @@ Name: openjpeg2 Version: 2.3.1 -Release: 5 +Release: 6 Summary: C-Library for JPEG 2000 License: BSD and MIT URL: https://github.com/uclouvain/openjpeg @@ -12,10 +12,15 @@ Patch1: openjpeg2_opj2.patch Patch6000: CVE-2016-10505.patch Patch6001: CVE-2016-7445.patch Patch6002: CVE-2020-15389.patch -Patch6003: backport-CVE-2020-27814.patch -Patch6004: backport-CVE-2020-27841.patch -Patch6005: backport-CVE-2020-27843.patch -Patch6006: backport-CVE-2020-27845.patch +Patch6003: backport-avoid-integer-overflow.patch +Patch6004: backport-CVE-2020-27814.patch +Patch6005: backport-CVE-2020-27841.patch +Patch6006: backport-CVE-2020-27843.patch +Patch6007: backport-CVE-2020-27845.patch +Patch6008: backport-CVE-2020-8112.patch +Patch6009: backport-CVE-2020-6851.patch +Patch6010: backport-CVE-2020-27823.patch +Patch6011: backport-CVE-2020-27824.patch BuildRequires: cmake gcc-c++ make zlib-devel libpng-devel libtiff-devel lcms2-devel doxygen @@ -91,6 +96,9 @@ mv %{buildroot}%{_mandir}/man1/opj_dump.1 %{buildroot}%{_mandir}/man1/opj2_dump. %{_mandir}/man3/*.3* %changelog +* Tue Jun 8 2021 liuyumeng - 2.3.1-6 +- fix CVE-2020-8112 CVE-2020-6851 CVE-2020-27823 CVE-2020-27824,avoid integer overflow:pre-patch of CVE-2020-27841,fix fuzz + * Tue Feb 23 2021 jinzhimin - 2.3.1-5 - fix CVE-2020-27841 CVE-2020-27843 CVE-2020-27845