diff --git a/backport-0001-CVE-2019-12973.patch b/backport-0001-CVE-2019-12973.patch new file mode 100644 index 0000000000000000000000000000000000000000..bb61b1549564353eeb039293822aafe8f6080497 --- /dev/null +++ b/backport-0001-CVE-2019-12973.patch @@ -0,0 +1,75 @@ +From 21399f6b7d318fcdf4406d5e88723c4922202aa3 Mon Sep 17 00:00:00 2001 +From: Young Xiao +Date: Sat, 16 Mar 2019 19:57:27 +0800 +Subject: [PATCH] convertbmp: detect invalid file dimensions early + +width/length dimensions read from bmp headers are not necessarily +valid. For instance they may have been maliciously set to very large +values with the intention to cause DoS (large memory allocation, stack +overflow). In these cases we want to detect the invalid size as early +as possible. + +This commit introduces a counter which verifies that the number of +written bytes corresponds to the advertized width/length. + +See commit 8ee335227bbc for details. + +Signed-off-by: Young Xiao + +Conflict:NA +Reference:https://github.com/uclouvain/openjpeg/commit/21399f6b7d318fcdf4406d5e88723c4922202aa3 + +--- + src/bin/jp2/convertbmp.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +diff --git a/src/bin/jp2/convertbmp.c b/src/bin/jp2/convertbmp.c +index 8220078..c69daee 100644 +--- a/src/bin/jp2/convertbmp.c ++++ b/src/bin/jp2/convertbmp.c +@@ -622,13 +622,13 @@ static OPJ_BOOL bmp_read_rle8_data(FILE* IN, OPJ_UINT8* pData, + static OPJ_BOOL bmp_read_rle4_data(FILE* IN, OPJ_UINT8* pData, + OPJ_UINT32 stride, OPJ_UINT32 width, OPJ_UINT32 height) + { +- OPJ_UINT32 x, y; ++ OPJ_UINT32 x, y, written; + OPJ_UINT8 *pix; + const OPJ_UINT8 *beyond; + + beyond = pData + stride * height; + pix = pData; +- x = y = 0U; ++ x = y = written = 0U; + while (y < height) { + int c = getc(IN); + if (c == EOF) { +@@ -642,6 +642,7 @@ static OPJ_BOOL bmp_read_rle4_data(FILE* IN, OPJ_UINT8* pData, + for (j = 0; (j < c) && (x < width) && + ((OPJ_SIZE_T)pix < (OPJ_SIZE_T)beyond); j++, x++, pix++) { + *pix = (OPJ_UINT8)((j & 1) ? (c1 & 0x0fU) : ((c1 >> 4) & 0x0fU)); ++ written++; + } + } else { /* absolute mode */ + c = getc(IN); +@@ -671,6 +672,7 @@ static OPJ_BOOL bmp_read_rle4_data(FILE* IN, OPJ_UINT8* pData, + c1 = (OPJ_UINT8)getc(IN); + } + *pix = (OPJ_UINT8)((j & 1) ? (c1 & 0x0fU) : ((c1 >> 4) & 0x0fU)); ++ written++; + } + if (((c & 3) == 1) || ((c & 3) == 2)) { /* skip padding byte */ + getc(IN); +@@ -678,6 +680,10 @@ static OPJ_BOOL bmp_read_rle4_data(FILE* IN, OPJ_UINT8* pData, + } + } + } /* while(y < height) */ ++ if (written != width * height) { ++ fprintf(stderr, "warning, image's actual size does not match advertized one\n"); ++ return OPJ_FALSE; ++ } + return OPJ_TRUE; + } + +-- +2.33.0 + diff --git a/backport-0002-CVE-2019-12973.patch b/backport-0002-CVE-2019-12973.patch new file mode 100644 index 0000000000000000000000000000000000000000..77c897c5b5a7e6b5c31fbde86cefdf0ff05da195 --- /dev/null +++ b/backport-0002-CVE-2019-12973.patch @@ -0,0 +1,89 @@ +From 3aef207f90e937d4931daf6d411e092f76d82e66 Mon Sep 17 00:00:00 2001 +From: Young Xiao +Date: Sat, 16 Mar 2019 20:09:59 +0800 +Subject: [PATCH] bmp_read_rle4_data(): avoid potential infinite loop + +Conflict:NA +Reference:https://github.com/uclouvain/openjpeg/commit/3aef207f90e937d4931daf6d411e092f76d82e66 + +--- + src/bin/jp2/convertbmp.c | 32 ++++++++++++++++++++++++++------ + 1 file changed, 26 insertions(+), 6 deletions(-) + +diff --git a/src/bin/jp2/convertbmp.c b/src/bin/jp2/convertbmp.c +index c69daee..5d38739 100644 +--- a/src/bin/jp2/convertbmp.c ++++ b/src/bin/jp2/convertbmp.c +@@ -632,12 +632,18 @@ static OPJ_BOOL bmp_read_rle4_data(FILE* IN, OPJ_UINT8* pData, + while (y < height) { + int c = getc(IN); + if (c == EOF) { +- break; ++ return OPJ_FALSE; + } + + if (c) { /* encoded mode */ +- int j; +- OPJ_UINT8 c1 = (OPJ_UINT8)getc(IN); ++ int j, c1_int; ++ OPJ_UINT8 c1; ++ ++ c1_int = getc(IN); ++ if (c1_int == EOF) { ++ return OPJ_FALSE; ++ } ++ c1 = (OPJ_UINT8)c1_int; + + for (j = 0; (j < c) && (x < width) && + ((OPJ_SIZE_T)pix < (OPJ_SIZE_T)beyond); j++, x++, pix++) { +@@ -647,7 +653,7 @@ static OPJ_BOOL bmp_read_rle4_data(FILE* IN, OPJ_UINT8* pData, + } else { /* absolute mode */ + c = getc(IN); + if (c == EOF) { +- break; ++ return OPJ_FALSE; + } + + if (c == 0x00) { /* EOL */ +@@ -658,8 +664,14 @@ static OPJ_BOOL bmp_read_rle4_data(FILE* IN, OPJ_UINT8* pData, + break; + } else if (c == 0x02) { /* MOVE by dxdy */ + c = getc(IN); ++ if (c == EOF) { ++ return OPJ_FALSE; ++ } + x += (OPJ_UINT32)c; + c = getc(IN); ++ if (c == EOF) { ++ return OPJ_FALSE; ++ } + y += (OPJ_UINT32)c; + pix = pData + y * stride + x; + } else { /* 03 .. 255 : absolute mode */ +@@ -669,13 +681,21 @@ static OPJ_BOOL bmp_read_rle4_data(FILE* IN, OPJ_UINT8* pData, + for (j = 0; (j < c) && (x < width) && + ((OPJ_SIZE_T)pix < (OPJ_SIZE_T)beyond); j++, x++, pix++) { + if ((j & 1) == 0) { +- c1 = (OPJ_UINT8)getc(IN); ++ int c1_int; ++ c1_int = getc(IN); ++ if (c1_int == EOF) { ++ return OPJ_FALSE; ++ } ++ c1 = (OPJ_UINT8)c1_int; + } + *pix = (OPJ_UINT8)((j & 1) ? (c1 & 0x0fU) : ((c1 >> 4) & 0x0fU)); + written++; + } + if (((c & 3) == 1) || ((c & 3) == 2)) { /* skip padding byte */ +- getc(IN); ++ c = getc(IN); ++ if (c == EOF) { ++ return OPJ_FALSE; ++ } + } + } + } +-- +2.33.0 + diff --git a/backport-CVE-2021-3575.patch b/backport-CVE-2021-3575.patch new file mode 100644 index 0000000000000000000000000000000000000000..5554731fa29e82bcbbfa246d5e556f7335172655 --- /dev/null +++ b/backport-CVE-2021-3575.patch @@ -0,0 +1,35 @@ +From f4cb033a340b55dbc576453c4b6a967fec5cbbda Mon Sep 17 00:00:00 2001 +From: Mehdi Sabwat +Date: Fri, 7 May 2021 01:50:37 +0200 +Subject: [PATCH] fix heap buffer overflow #1347 + +Conflict:NA +Reference:https://github.com/uclouvain/openjpeg/commit/f4cb033a340b55dbc576453c4b6a967fec5cbbda + +--- + src/bin/common/color.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +diff --git a/src/bin/common/color.c b/src/bin/common/color.c +index 27f15f137..935fa44eb 100644 +--- a/src/bin/common/color.c ++++ b/src/bin/common/color.c +@@ -368,12 +368,15 @@ static void sycc420_to_rgb(opj_image_t *img) + + sycc_to_rgb(offset, upb, *y, *cb, *cr, r, g, b); + +- ++y; ++ if (*y != img->comps[0].data[loopmaxh]) ++ ++y; + ++r; + ++g; + ++b; +- ++cb; +- ++cr; ++ if (*cb != img->comps[1].data[loopmaxh]) ++ ++cb; ++ if (*cr != img->comps[2].data[loopmaxh]) ++ ++cr; + } + if (j < maxw) { + sycc_to_rgb(offset, upb, *y, *cb, *cr, r, g, b); diff --git a/openjpeg2.spec b/openjpeg2.spec index 747662423dd3b401c086d0f634ca56e3d5ef1876..bd5ecf453ca28d2afa066a323345befe1b90b38b 100644 --- a/openjpeg2.spec +++ b/openjpeg2.spec @@ -1,6 +1,6 @@ Name: openjpeg2 Version: 2.3.1 -Release: 8 +Release: 9 Summary: C-Library for JPEG 2000 License: BSD and MIT URL: https://github.com/uclouvain/openjpeg @@ -22,7 +22,10 @@ Patch6009: backport-CVE-2020-6851.patch Patch6010: backport-CVE-2020-27823.patch Patch6011: backport-CVE-2020-27824.patch Patch6012: backport-CVE-2021-29338.patch -Patch6013: backport-CVE-2020-27842.patch +Patch6013: backport-CVE-2020-27842.patch +Patch6014: backport-0001-CVE-2019-12973.patch +Patch6015: backport-0002-CVE-2019-12973.patch +Patch6016: backport-CVE-2021-3575.patch BuildRequires: cmake gcc-c++ make zlib-devel libpng-devel libtiff-devel lcms2-devel doxygen @@ -98,6 +101,9 @@ mv %{buildroot}%{_mandir}/man1/opj_dump.1 %{buildroot}%{_mandir}/man1/opj2_dump. %{_mandir}/man3/*.3* %changelog +* Mon Mar 14 2022 dongyuzhen - 2.3.1-9 +- fix CVE-2019-12973,CVE-2021-3575 + * Tue Jan 4 2022 dongyuzhen - 2.3.1-8 - fix CVE-2020-27842