openjpeg2/openjpeg2-CVE-2016-10504.patch

commit 0a915d5e6b49c8428a28d0b858b9e274851b4b1c
Author: Hans Petter Jansson <hpj@cl.no>
Date:   Fri Sep 8 00:22:18 2017 +0200

    openjpeg2-CVE-2016-10504.patch

diff --git a/src/lib/openjp2/tcd.c b/src/lib/openjp2/tcd.c
index 985ac5f..2e116b2 100644
--- a/src/lib/openjp2/tcd.c
+++ b/src/lib/openjp2/tcd.c
@@ -1088,8 +1088,10 @@ static OPJ_BOOL opj_tcd_code_block_enc_allocate_data (opj_tcd_cblk_enc_t * p_cod
 {
 	OPJ_UINT32 l_data_size;
 	
-	l_data_size = (OPJ_UINT32)((p_code_block->x1 - p_code_block->x0) * (p_code_block->y1 - p_code_block->y0) * (OPJ_INT32)sizeof(OPJ_UINT32));
-	
+	/* The +1 is needed for https://github.com/uclouvain/openjpeg/issues/835 */
+	l_data_size = 1 + (OPJ_UINT32)((p_code_block->x1 - p_code_block->x0) *
+	                               (p_code_block->y1 - p_code_block->y0) * (OPJ_INT32)sizeof(OPJ_UINT32));
+
 	if (l_data_size > p_code_block->data_size) {
 		if (p_code_block->data) {
 			opj_free(p_code_block->data - 1); /* again, why -1 */
Accepting request 523789 from home:hpjansson:openjpeg2-cve-factory Add security fixes: openjpeg2-CVE-2016-10504.patch (CVE-2016-10504, bsc#1056351), openjpeg2-CVE-2016-10505.patch (CVE-2016-10505, bsc#1056363), openjpeg2-CVE-2016-10506.patch (CVE-2016-10506, bsc#1056396), openjpeg2-CVE-2017-12982.patch (CVE-2017-12982, bsc#1054696), openjpeg2-CVE-2017-14039.patch (CVE-2017-14039, CVE-2017-14164, bsc#1056622, bsc#1057511), openjpeg2-CVE-2017-14040.patch (CVE-2017-14040, bsc#1056621), openjpeg2-CVE-2017-14041.patch (CVE-2017-14041, bsc#1056562), openjpeg2-CVE-2017-14151.patch (CVE-2017-14151, bsc#1057336), openjpeg2-CVE-2017-14152.patch (CVE-2017-14152, bsc#1057335), most of which are critical, including heap and stack overwrites, over-reads and division by zero errors. OBS-URL: https://build.opensuse.org/request/show/523789 OBS-URL: https://build.opensuse.org/package/show/graphics/openjpeg2?expand=0&rev=28 2017-09-13 14:11:10 +00:00			`commit 0a915d5e6b49c8428a28d0b858b9e274851b4b1c`
			`Author: Hans Petter Jansson <hpj@cl.no>`
			`Date: Fri Sep 8 00:22:18 2017 +0200`

			`openjpeg2-CVE-2016-10504.patch`

			`diff --git a/src/lib/openjp2/tcd.c b/src/lib/openjp2/tcd.c`
			`index 985ac5f..2e116b2 100644`
			`--- a/src/lib/openjp2/tcd.c`
			`+++ b/src/lib/openjp2/tcd.c`
			`@@ -1088,8 +1088,10 @@ static OPJ_BOOL opj_tcd_code_block_enc_allocate_data (opj_tcd_cblk_enc_t * p_cod`
			`{`
			`OPJ_UINT32 l_data_size;`

			`- l_data_size = (OPJ_UINT32)((p_code_block->x1 - p_code_block->x0) * (p_code_block->y1 - p_code_block->y0) * (OPJ_INT32)sizeof(OPJ_UINT32));`
			`-`
			`+ /* The +1 is needed for https://github.com/uclouvain/openjpeg/issues/835 */`
			`+ l_data_size = 1 + (OPJ_UINT32)((p_code_block->x1 - p_code_block->x0) *`
			`+ (p_code_block->y1 - p_code_block->y0) * (OPJ_INT32)sizeof(OPJ_UINT32));`
			`+`
			`if (l_data_size > p_code_block->data_size) {`
			`if (p_code_block->data) {`
			`opj_free(p_code_block->data - 1); /* again, why -1 */`