pool/ghostscript
SHA256
2
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Accepting request 731293 from Printing

Browse Source 
- Add patch gs-CVE-2019-14811-885444fc.patch to fix bsc#1146882
  for CVE-2019-14811,CVE-2019-14812,CVE-2019-14813
- Add patch gs-CVE-2019-14817-cd1b1cac.patch to fix bsc#1146884
  for CVE-2019-14817

- Add patch openjpeg4gs-CVE-2018-6616-8ee33522.patch to fix bsc#1140359
  for CVE-2019-12973

- Update RPM groups.

  use this with its wrapper script

- CVE-2019-10216.patch fixes CVE-2019-10216
  forceput/superexec in .buildfont1 is still accessible
  https://bugzilla.suse.com/show_bug.cgi?id=1144621 bsc#1144621
  https://bugs.ghostscript.com/show_bug.cgi?id=701394
- Add patch gs-CVE-2019-14811-885444fc.patch to fix bsc#1146882
  for CVE-2019-14811,CVE-2019-14812,CVE-2019-14813
- Add patch gs-CVE-2019-14817-cd1b1cac.patch to fix bsc#1146884
  for CVE-2019-14817

- Add patch openjpeg4gs-CVE-2018-6616-8ee33522.patch to fix bsc#1140359
  for CVE-2019-12973

- Update RPM groups.

  use this with its wrapper script 

- CVE-2019-10216.patch fixes CVE-2019-10216
  forceput/superexec in .buildfont1 is still accessible

OBS-URL: https://build.opensuse.org/request/show/731293
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/ghostscript?expand=0&rev=42
This commit is contained in:
Yuchen Lin 2019-09-20 12:48:11 +00:00 committed by Git OBS Bridge
commit 2bfcf642e0
8 changed files with 472 additions and 13 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

44
CVE-2019-10216.patch Normal file
View File

@ -0,0 +1,44 @@
From 5b85ddd19a8420a1bd2d5529325be35d78e94234 Mon Sep 17 00:00:00 2001
From: Chris Liddell <chris.liddell@artifex.com>
Date: Fri, 2 Aug 2019 15:18:26 +0100
Subject: [PATCH] Bug 701394: protect use of .forceput with executeonly
---
Resource/Init/gs_type1.ps | 14 +++++++-------
1 file changed, 7 insertions(+), 7 deletions(-)
--- Resource/Init/gs_type1.ps
+++ Resource/Init/gs_type1.ps 2019-09-16 13:09:12.277074046 +0000
@@ -118,25 +118,25 @@
( to be the same as glyph: ) print 1 index //== exec } if
3 index exch 3 index .forceput
% scratch(string) RAGL(dict) AGL(dict) CharStrings(dict) cstring gname
- }
+ }executeonly
{pop} ifelse
- } forall
+ } executeonly forall
pop pop
- }
+ } executeonly
{
pop pop pop
} ifelse
- }
+ } executeonly
{
% scratch(string) RAGL(dict) AGL(dict) CharStrings(dict) cstring gname
pop pop
} ifelse
- } forall
+ } executeonly forall
3 1 roll pop pop
- } if
+ } executeonly if
pop
dup /.AGLprocessed~GS //true .forceput
- } if
+ } executeonly if
%% We need to excute the C .buildfont1 in a stopped context so that, if there
%% are errors we can put the stack back sanely and exit. Otherwise callers won't

29
ghostscript-mini.changes
View File

@ -1,9 +1,36 @@
-------------------------------------------------------------------
Mon Sep 16 11:58:41 UTC 2019 - Dr. Werner Fink <werner@suse.de>
- Add patch gs-CVE-2019-14811-885444fc.patch to fix bsc#1146882
for CVE-2019-14811,CVE-2019-14812,CVE-2019-14813
- Add patch gs-CVE-2019-14817-cd1b1cac.patch to fix bsc#1146884
for CVE-2019-14817
-------------------------------------------------------------------
Fri Sep 13 14:15:10 UTC 2019 - Dr. Werner Fink <werner@suse.de>
- Add patch openjpeg4gs-CVE-2018-6616-8ee33522.patch to fix bsc#1140359
for CVE-2019-12973
-------------------------------------------------------------------
Thu Aug 22 06:20:43 UTC 2019 - Jan Engelhardt <jengelh@inai.de>
- Update RPM groups.
-------------------------------------------------------------------
Tue Aug 13 12:38:45 UTC 2019 - Dr. Werner Fink <werner@suse.de>
- Use update-alternatives to get the real ghostscript binary from
/usr/bin/gs to /usr/bin/gs.bin and allow the gswrap package to
use this with ist wrapper script
use this with its wrapper script
-------------------------------------------------------------------
Mon Aug 12 11:32:08 UTC 2019 - Dr. Werner Fink <werner@suse.de>
- CVE-2019-10216.patch fixes CVE-2019-10216
forceput/superexec in .buildfont1 is still accessible
https://bugzilla.suse.com/show_bug.cgi?id=1144621 bsc#1144621
https://bugs.ghostscript.com/show_bug.cgi?id=701394
-------------------------------------------------------------------
Thu Apr 4 14:37:09 CEST 2019 - jsmeix@suse.de

26
ghostscript-mini.spec
View File

@ -35,8 +35,8 @@ Requires(post): update-alternatives
Requires(preun): update-alternatives
Summary: Minimal Ghostscript for minimal build requirements
License: AGPL-3.0-only
Group: System/Libraries
Url: http://www.ghostscript.com/
Group: Productivity/Office/Other
URL: https://www.ghostscript.com/
# Special version needed for Ghostscript release candidates (e.g. "Version: 9.14pre15rc1" for 9.15rc1).
# Version 9.15rc1 would be newer than 9.15 (run "zypper vcmp 9.15rc1 9.15") because the rpmvercmp algorithm
# would treat 9.15rc1 as 9.15.rc.1 (alphabetic and numeric sections get separated into different elements)
@ -45,6 +45,7 @@ Url: http://www.ghostscript.com/
# But only with the alphabetic prefix "9.pre15rc1" would be older than the previous version number "9.14"
# because rpmvercmp would treat 9.pre15rc1 as 9.pre.15.rc1 and letters are older than numbers
# so that we keep additionally the previous version number to upgrade from the previous version:
# Starting SLE12/rpm-4.10, one can use tildeversions: 9.15~rc1.
#Version: 9.25pre26rc1
Version: 9.27
Release: 0
@ -77,6 +78,14 @@ Release: 0
Source0: ghostscript-%{version}.tar.gz
Source1: apparmor_ghostscript
# Patch0...Patch9 is for patches from upstream:
# Patch0 Add commit from openjpeg upstream to fix CVE-2018-6616
Patch0: openjpeg4gs-CVE-2018-6616-8ee33522.patch
# Patch1 Add commit from of upstream to fix CVE-2019-10216
Patch1: CVE-2019-10216.patch
# Patch1 Add commit from ghostscript upstream to fix CVE-2019-14811,CVE-2019-14812,CVE-2019-14813
Patch2: gs-CVE-2019-14811-885444fc.patch
# Patch2 Add commit from ghostscript upstream to fix CVE-2019-14817
Patch3: gs-CVE-2019-14817-cd1b1cac.patch
# Source10...Source99 is for sources from SUSE which are intended for upstream:
# Patch10...Patch99 is for patches from SUSE which are intended for upstream:
# Source100...Source999 is for sources from SUSE which are not intended for upstream:
@ -143,6 +152,15 @@ This package contains the development files for Minimal Ghostscript.
# Be quiet when unpacking and
# use a directory name matching Source0 to make it work also for ghostscript-mini:
%setup -q -n ghostscript-%{tarball_version}
# Patch0 Add commit from openjpeg upstream to fix CVE-2018-6616
# openjpeg4gs-CVE-2018-6616-8ee33522.patch
%patch0
# Patch1 Add commit from of upstream to fix CVE-2019-10216
%patch1 -p0
# Patch1 Add commit from ghostscript upstream to fix CVE-2019-14811,CVE-2019-14812,CVE-2019-14813
%patch2 -p1
# Patch2 Add commit from ghostscript upstream to fix CVE-2019-14817
%patch3 -p1
# Patch100 remove-zlib-h-dependency.patch removes dependency on zlib/zlib.h
# in makefiles as we do not use the zlib sources from the Ghostscript upstream tarball.
# Again use the zlib sources from Ghostscript upstream
@ -194,8 +212,8 @@ rm -rf lcms2art
# Derive build timestamp from latest changelog entry
export SOURCE_DATE_EPOCH=$(date -d "$(head -n 2 %{_sourcedir}/%{name}.changes | tail -n 1 | cut -d- -f1 )" +%s)
# Set our preferred architecture-specific flags for the compiler and linker:
export CFLAGS="$RPM_OPT_FLAGS -fno-strict-aliasing"
export CXXFLAGS="$RPM_OPT_FLAGS -fno-strict-aliasing"
export CFLAGS="%{optflags} -fno-strict-aliasing"
export CXXFLAGS="%{optflags} -fno-strict-aliasing"
autoreconf -fi
# --docdir=%%{_defaultdocdir}/%%{name} does not work therefore it is not used.
# --disable-cups and --without-pdftoraster

29
ghostscript.changes
View File

@ -1,9 +1,36 @@
-------------------------------------------------------------------
Mon Sep 16 11:58:41 UTC 2019 - Dr. Werner Fink <werner@suse.de>
- Add patch gs-CVE-2019-14811-885444fc.patch to fix bsc#1146882
for CVE-2019-14811,CVE-2019-14812,CVE-2019-14813
- Add patch gs-CVE-2019-14817-cd1b1cac.patch to fix bsc#1146884
for CVE-2019-14817
-------------------------------------------------------------------
Fri Sep 13 14:15:10 UTC 2019 - Dr. Werner Fink <werner@suse.de>
- Add patch openjpeg4gs-CVE-2018-6616-8ee33522.patch to fix bsc#1140359
for CVE-2019-12973
-------------------------------------------------------------------
Thu Aug 22 06:20:43 UTC 2019 - Jan Engelhardt <jengelh@inai.de>
- Update RPM groups.
-------------------------------------------------------------------
Tue Aug 13 12:38:45 UTC 2019 - Dr. Werner Fink <werner@suse.de>
- Use update-alternatives to get the real ghostscript binary from
/usr/bin/gs to /usr/bin/gs.bin and allow the gswrap package to
use this with ist wrapper script
use this with its wrapper script
-------------------------------------------------------------------
Mon Aug 12 11:32:08 UTC 2019 - Dr. Werner Fink <werner@suse.de>
- CVE-2019-10216.patch fixes CVE-2019-10216
forceput/superexec in .buildfont1 is still accessible
https://bugzilla.suse.com/show_bug.cgi?id=1144621 bsc#1144621
https://bugs.ghostscript.com/show_bug.cgi?id=701394
-------------------------------------------------------------------
Wed May 8 08:46:43 UTC 2019 - jsegitz@suse.com

31
ghostscript.spec
View File

@ -46,6 +46,8 @@ BuildRequires: update-alternatives
BuildRequires: xorg-x11-devel
BuildRequires: xorg-x11-fonts
BuildRequires: zlib-devel
# Always check if latest version of penjpeg becomes compatible with ghostscript
#BuildRequires: pkgconfig(libopenjp2)
%if 0%{?suse_version} >= 1500
BuildRequires: apparmor-abstractions
BuildRequires: apparmor-rpm-macros
@ -55,8 +57,8 @@ Requires(post): update-alternatives
Requires(preun): update-alternatives
Summary: The Ghostscript interpreter for PostScript and PDF
License: AGPL-3.0-only
Group: System/Libraries
Url: http://www.ghostscript.com/
Group: Productivity/Office/Other
URL: https://www.ghostscript.com/
# Special version needed for Ghostscript release candidates (e.g. "Version: 9.14pre15rc1" for 9.15rc1).
# Version 9.15rc1 would be newer than 9.15 (run "zypper vcmp 9.15rc1 9.15") because the rpmvercmp algorithm
# would treat 9.15rc1 as 9.15.rc.1 (alphabetic and numeric sections get separated into different elements)
@ -65,6 +67,7 @@ Url: http://www.ghostscript.com/
# But only with the alphabetic prefix "9.pre15rc1" would be older than the previous version number "9.14"
# because rpmvercmp would treat 9.pre15rc1 as 9.pre.15.rc1 and letters are older than numbers
# so that we keep additionally the previous version number to upgrade from the previous version:
# Starting SLE12/rpm-4.10, one can use tildeversions: 9.15~rc1.
#Version: 9.25pre26rc1
Version: 9.27
Release: 0
@ -97,6 +100,14 @@ Release: 0
Source0: ghostscript-%{version}.tar.gz
Source1: apparmor_ghostscript
# Patch0...Patch9 is for patches from upstream:
# Patch0 Add commit from openjpeg upstream to fix CVE-2018-6616
Patch0: openjpeg4gs-CVE-2018-6616-8ee33522.patch
# Patch1 Add commit from of upstream to fix CVE-2019-10216
Patch1: CVE-2019-10216.patch
# Patch1 Add commit from ghostscript upstream to fix CVE-2019-14811,CVE-2019-14812,CVE-2019-14813
Patch2: gs-CVE-2019-14811-885444fc.patch
# Patch2 Add commit from ghostscript upstream to fix CVE-2019-14817
Patch3: gs-CVE-2019-14817-cd1b1cac.patch
# Source10...Source99 is for sources from SUSE which are intended for upstream:
# Patch10...Patch99 is for patches from SUSE which are intended for upstream:
# Source100...Source999 is for sources from SUSE which are not intended for upstream:
@ -125,9 +136,6 @@ Patch101: ijs_exec_server_dont_use_sh.patch
# ghostscript_x11
# ghostscript-mini
# Which other packages need those in openSUSE:Factory (dated 22 Feb. 2012):
# blocxx-doc BuildRequires ghostscript
# iproute2 BuildRequires ghostscript
# gle-graphics Requires ghostscript
# webdot Requires ghostscript
# ddd BuildRequires ghostscript_any
# emacs-auctex BuildRequires ghostscript_any
@ -279,6 +287,15 @@ This package contains the development files for Ghostscript.
# Be quiet when unpacking and
# use a directory name matching Source0 to make it work also for ghostscript-mini:
%setup -q -n ghostscript-%{tarball_version}
# Patch0 Add commit from openjpeg upstream to fix CVE-2018-6616
# openjpeg4gs-CVE-2018-6616-8ee33522.patch
%patch0
# Patch1 Add commit from of upstream to fix CVE-2019-10216
%patch1 -p0
# Patch1 Add commit from ghostscript upstream to fix CVE-2019-14811,CVE-2019-14812,CVE-2019-14813
%patch2 -p1
# Patch2 Add commit from ghostscript upstream to fix CVE-2019-14817
%patch3 -p1
# Patch100 remove-zlib-h-dependency.patch removes dependency on zlib/zlib.h
# in makefiles as we do not use the zlib sources from the Ghostscript upstream tarball.
# Again use the zlib sources from Ghostscript upstream
@ -330,8 +347,8 @@ rm -rf lcms2art
# Derive build timestamp from latest changelog entry
export SOURCE_DATE_EPOCH=$(date -d "$(head -n 2 %{_sourcedir}/%{name}.changes | tail -n 1 | cut -d- -f1 )" +%s)
# Set our preferred architecture-specific flags for the compiler and linker:
export CFLAGS="$RPM_OPT_FLAGS -fno-strict-aliasing"
export CXXFLAGS="$RPM_OPT_FLAGS -fno-strict-aliasing"
export CFLAGS="%{optflags} -fno-strict-aliasing"
export CXXFLAGS="%{optflags} -fno-strict-aliasing"
autoreconf -fi
# --docdir=%%{_defaultdocdir}/%%{name} does not work therefore it is not used.
# --enable-cups but no longer --with-pdftoraster --enable-dbus --with-install-cups because

59
gs-CVE-2019-14811-885444fc.patch Normal file
View File

@ -0,0 +1,59 @@
Based on 885444fcbe10dc42787ecb76686c8ee4dd33bf33 Mon Sep 17 00:00:00 2001
From: Ken Sharp <ken.sharp@artifex.com>
Date: Tue, 20 Aug 2019 10:10:28 +0100
Subject: [PATCH] make .forceput inaccessible
Bug #701343, #701344, #701345
More defensive programming. We don't want people to access .forecput
even though it is no longer sufficient to bypass SAFER. The exploit
in #701343 didn't work anyway because of earlier work to stop the error
handler being used, but nevertheless, prevent access to .forceput from
.setuserparams2.
---
Resource/Init/gs_lev2.ps | 6 +++---
Resource/Init/gs_pdfwr.ps | 4 ++--
2 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/Resource/Init/gs_lev2.ps b/Resource/Init/gs_lev2.ps
--- a/Resource/Init/gs_lev2.ps
+++ b/Resource/Init/gs_lev2.ps
@@ -158,7 +158,7 @@ end
{
pop pop
} ifelse
- } forall
+ } executeonly forall
% A context switch might have occurred during the above loop,
% causing the interpreter-level parameters to be reset.
% Set them again to the new values. From here on, we are safe,
@@ -229,9 +229,9 @@ end
{ pop pop
}
ifelse
- }
+ } executeonly
forall pop
-} .bind odef
+} .bind executeonly odef
% Initialize the passwords.
% NOTE: the names StartJobPassword and SystemParamsPassword are known to
diff --git a/Resource/Init/gs_pdfwr.ps b/Resource/Init/gs_pdfwr.ps
--- a/Resource/Init/gs_pdfwr.ps
+++ b/Resource/Init/gs_pdfwr.ps
@@ -652,11 +652,11 @@ currentdict /.pdfmarkparams .undef
systemdict /.pdf_hooked_DSC_Creator //true .forceput
} executeonly if
pop
- } if
+ } executeonly if
} {
pop
} ifelse
- }
+ } executeonly
{
pop
} ifelse

200
gs-CVE-2019-14817-cd1b1cac.patch Normal file
View File

@ -0,0 +1,200 @@
Based on cd1b1cacadac2479e291efe611979bdc1b3bdb19 Mon Sep 17 00:00:00 2001
From: Ken Sharp <ken.sharp@artifex.com>
Date: Wed, 21 Aug 2019 10:10:51 +0100
Subject: [PATCH] PDF interpreter - review .forceput security
Bug #701450 "Safer Mode Bypass by .forceput Exposure in .pdfexectoken"
By abusing the error handler it was possible to get the PDFDEBUG portion
of .pdfexectoken, which uses .forceput left readable.
Add an executeonly appropriately to make sure that clause isn't readable
no mstter what.
Review all the uses of .forceput searching for similar cases, add
executeonly as required to secure those. All cases in the PostScript
support files seem to be covered already.
---
Resource/Init/pdf_base.ps | 2 +-
Resource/Init/pdf_draw.ps | 14 +++++++-------
Resource/Init/pdf_font.ps | 21 +++++++++++----------
Resource/Init/pdf_main.ps | 6 +++---
Resource/Init/pdf_ops.ps | 11 ++++++-----
5 files changed, 28 insertions(+), 26 deletions(-)
diff --git a/Resource/Init/pdf_base.ps b/Resource/Init/pdf_base.ps
--- a/Resource/Init/pdf_base.ps
+++ b/Resource/Init/pdf_base.ps
@@ -157,7 +157,7 @@ currentdict /num-chars-dict .undef
{
dup ==only () = flush
} ifelse % PDFSTEP
- } if % PDFDEBUG
+ } executeonly if % PDFDEBUG
2 copy .knownget {
exch pop exch pop exch pop exec
} {
diff --git a/Resource/Init/pdf_draw.ps b/Resource/Init/pdf_draw.ps
--- a/Resource/Init/pdf_draw.ps
+++ b/Resource/Init/pdf_draw.ps
@@ -501,8 +501,8 @@ end
( Output may be incorrect.\n) pdfformaterror
//pdfdict /.gs_warning_issued //true .forceput
PDFSTOPONERROR { /gs /undefined signalerror } if
- } if
- }
+ } executeonly if
+ } executeonly
ifelse
} bind executeonly def
@@ -1142,7 +1142,7 @@ currentdict end readonly def
.setglobal
pdfformaterror
} executeonly ifelse
- }
+ } executeonly
{
currentglobal //pdfdict gcheck .setglobal
//pdfdict /.Qqwarning_issued //true .forceput
@@ -1150,8 +1150,8 @@ currentdict end readonly def
pdfformaterror
} executeonly ifelse
end
- } ifelse
- } loop
+ } executeonly ifelse
+ } executeonly loop
{
(\n **** Error: File has unbalanced q/Q operators \(too many q's\)\n Output may be incorrect.\n)
//pdfdict /.Qqwarning_issued .knownget
@@ -1165,14 +1165,14 @@ currentdict end readonly def
.setglobal
pdfformaterror
} executeonly ifelse
- }
+ } executeonly
{
currentglobal //pdfdict gcheck .setglobal
//pdfdict /.Qqwarning_issued //true .forceput
.setglobal
pdfformaterror
} executeonly ifelse
- } if
+ } executeonly if
pop
% restore pdfemptycount
diff --git a/Resource/Init/pdf_font.ps b/Resource/Init/pdf_font.ps
--- a/Resource/Init/pdf_font.ps
+++ b/Resource/Init/pdf_font.ps
@@ -701,9 +701,9 @@ currentdict end readonly def
} if
PDFDEBUG {
(.processToUnicode end) =
- } if
- } if
- } stopped
+ } executeonly if
+ } executeonly if
+ } executeonly stopped
{
.dstackdepth 1 countdictstack 1 sub
{pop end} for
@@ -1233,19 +1233,20 @@ currentdict /eexec_pdf_param_dict .undef
//pdfdict /.Qqwarning_issued //true .forceput
} executeonly if
Q
- } repeat
+ } executeonly repeat
Q
- } PDFfile fileposition 2 .execn % Keep pdfcount valid.
+ } executeonly PDFfile fileposition 2 .execn % Keep pdfcount valid.
PDFfile exch setfileposition
- } ifelse
- } {
+ } executeonly ifelse
+ } executeonly
+ {
% PDF Type 3 fonts don't use .notdef
% d1 implementation adjusts the width as needed
0 0 0 0 0 0
pdfopdict /d1 get exec
} ifelse
end end
- } bdef
+ } executeonly bdef
dup currentdict Encoding .processToUnicode
currentdict end .completefont exch pop
} bind executeonly odef
@@ -2045,9 +2046,9 @@ currentdict /CMap_read_dict undef
(Will continue, but content may be missing.) = flush
} ifelse
} if
- } if
+ } executeonly if
/findresource cvx /undefined signalerror
- } loop
+ } executeonly loop
} bind executeonly odef
/buildCIDType0 { % <CIDFontType0-font-resource> buildCIDType0 <font>
diff --git a/Resource/Init/pdf_main.ps b/Resource/Init/pdf_main.ps
--- a/Resource/Init/pdf_main.ps
+++ b/Resource/Init/pdf_main.ps
@@ -2749,15 +2749,15 @@ currentdict /PDF2PS_matrix_key undef
.setglobal
pdfformaterror
} executeonly ifelse
- }
+ } executeonly
{
currentglobal //pdfdict gcheck .setglobal
//pdfdict /.Qqwarning_issued //true .forceput
.setglobal
pdfformaterror
} executeonly ifelse
- } if
- } if
+ } executeonly if
+ } executeonly if
pop
count PDFexecstackcount sub { pop } repeat
(after exec) VMDEBUG
diff --git a/Resource/Init/pdf_ops.ps b/Resource/Init/pdf_ops.ps
--- a/Resource/Init/pdf_ops.ps
+++ b/Resource/Init/pdf_ops.ps
@@ -186,14 +186,14 @@ currentdict /gput_always_allow .undef
.setglobal
pdfformaterror
} executeonly ifelse
- }
+ } executeonly
{
currentglobal //pdfdict gcheck .setglobal
//pdfdict /.Qqwarning_issued //true .forceput
.setglobal
pdfformaterror
} executeonly ifelse
- } if
+ } executeonly if
} bind executeonly odef
% Save PDF gstate
@@ -440,11 +440,12 @@ currentdict /gput_always_allow .undef
dup type /booleantype eq {
.currentSMask type /dicttype eq {
.currentSMask /Processed 2 index .forceput
+ } executeonly
+ {
+ .setSMask
+ }ifelse
} executeonly
{
- .setSMask
- }ifelse
- }{
.setSMask
}ifelse

67
openjpeg4gs-CVE-2018-6616-8ee33522.patch Normal file
View File

@ -0,0 +1,67 @@
From 8ee335227bbcaf1614124046aa25e53d67b11ec3 Mon Sep 17 00:00:00 2001
From: Hugo Lefeuvre <hle@debian.org>
Date: Fri, 14 Dec 2018 04:58:40 +0100
Subject: [PATCH] convertbmp: detect invalid file dimensions early
width/length dimensions read from bmp headers are not necessarily
valid. For instance they may have been maliciously set to very large
values with the intention to cause DoS (large memory allocation, stack
overflow). In these cases we want to detect the invalid size as early
as possible.
This commit introduces a counter which verifies that the number of
written bytes corresponds to the advertized width/length.
Fixes #1059 (CVE-2018-6616).
---
openjpeg/src/bin/jp2/convertbmp.c | 12 ++++++++++--
1 file changed, 10 insertions(+), 2 deletions(-)
--- openjpeg/src/bin/jp2/convertbmp.c
+++ openjpeg/src/bin/jp2/convertbmp.c 2019-09-12 08:22:52.272682353 +0000
@@ -519,14 +519,14 @@ static OPJ_BOOL bmp_read_raw_data(FILE*
static OPJ_BOOL bmp_read_rle8_data(FILE* IN, OPJ_UINT8* pData,
OPJ_UINT32 stride, OPJ_UINT32 width, OPJ_UINT32 height)
{
- OPJ_UINT32 x, y;
+ OPJ_UINT32 x, y, written;
OPJ_UINT8 *pix;
const OPJ_UINT8 *beyond;
beyond = pData + stride * height;
pix = pData;
- x = y = 0U;
+ x = y = written = 0U;
while (y < height) {
int c = getc(IN);
if (c == EOF) {
@@ -546,6 +546,7 @@ static OPJ_BOOL bmp_read_rle8_data(FILE*
for (j = 0; (j < c) && (x < width) &&
((OPJ_SIZE_T)pix < (OPJ_SIZE_T)beyond); j++, x++, pix++) {
*pix = c1;
+ written++;
}
} else {
c = getc(IN);
@@ -583,6 +584,7 @@ static OPJ_BOOL bmp_read_rle8_data(FILE*
}
c1 = (OPJ_UINT8)c1_int;
*pix = c1;
+ written++;
}
if ((OPJ_UINT32)c & 1U) { /* skip padding byte */
c = getc(IN);
@@ -593,6 +595,12 @@ static OPJ_BOOL bmp_read_rle8_data(FILE*
}
}
}/* while() */
+
+ if (written != width * height) {
+ fprintf(stderr, "warning, image's actual size does not match advertized one\n");
+ return OPJ_FALSE;
+ }
+
return OPJ_TRUE;
}