openjpeg2/openjpeg2-CVE-2017-14151.patch

diff --git a/src/lib/openjp2/tcd.c b/src/lib/openjp2/tcd.c
index 2e116b2..2f50bfe 100644
--- a/src/lib/openjp2/tcd.c
+++ b/src/lib/openjp2/tcd.c
@@ -1087,10 +1087,13 @@ static OPJ_BOOL opj_tcd_code_block_enc_allocate (opj_tcd_cblk_enc_t * p_code_blo
 static OPJ_BOOL opj_tcd_code_block_enc_allocate_data (opj_tcd_cblk_enc_t * p_code_block)
 {
 	OPJ_UINT32 l_data_size;
-	
-	/* The +1 is needed for https://github.com/uclouvain/openjpeg/issues/835 */
-	l_data_size = 1 + (OPJ_UINT32)((p_code_block->x1 - p_code_block->x0) *
-	                               (p_code_block->y1 - p_code_block->y0) * (OPJ_INT32)sizeof(OPJ_UINT32));
+
+	/* +1 is needed for https://github.com/uclouvain/openjpeg/issues/835 */
+	/* and actually +2 required for https://github.com/uclouvain/openjpeg/issues/982 */
+	/* TODO: is there a theoretical upper-bound for the compressed code */
+	/* block size ? */
+	l_data_size = 2 + (OPJ_UINT32)((p_code_block->x1 - p_code_block->x0) *
+				       (p_code_block->y1 - p_code_block->y0) * (OPJ_INT32)sizeof(OPJ_UINT32));
 
 	if (l_data_size > p_code_block->data_size) {
 		if (p_code_block->data) {
Accepting request 523789 from home:hpjansson:openjpeg2-cve-factory Add security fixes: openjpeg2-CVE-2016-10504.patch (CVE-2016-10504, bsc#1056351), openjpeg2-CVE-2016-10505.patch (CVE-2016-10505, bsc#1056363), openjpeg2-CVE-2016-10506.patch (CVE-2016-10506, bsc#1056396), openjpeg2-CVE-2017-12982.patch (CVE-2017-12982, bsc#1054696), openjpeg2-CVE-2017-14039.patch (CVE-2017-14039, CVE-2017-14164, bsc#1056622, bsc#1057511), openjpeg2-CVE-2017-14040.patch (CVE-2017-14040, bsc#1056621), openjpeg2-CVE-2017-14041.patch (CVE-2017-14041, bsc#1056562), openjpeg2-CVE-2017-14151.patch (CVE-2017-14151, bsc#1057336), openjpeg2-CVE-2017-14152.patch (CVE-2017-14152, bsc#1057335), most of which are critical, including heap and stack overwrites, over-reads and division by zero errors. OBS-URL: https://build.opensuse.org/request/show/523789 OBS-URL: https://build.opensuse.org/package/show/graphics/openjpeg2?expand=0&rev=28 2017-09-13 14:11:10 +00:00			`diff --git a/src/lib/openjp2/tcd.c b/src/lib/openjp2/tcd.c`
			`index 2e116b2..2f50bfe 100644`
			`--- a/src/lib/openjp2/tcd.c`
			`+++ b/src/lib/openjp2/tcd.c`
			`@@ -1087,10 +1087,13 @@ static OPJ_BOOL opj_tcd_code_block_enc_allocate (opj_tcd_cblk_enc_t * p_code_blo`
			`static OPJ_BOOL opj_tcd_code_block_enc_allocate_data (opj_tcd_cblk_enc_t * p_code_block)`
			`{`
			`OPJ_UINT32 l_data_size;`
			`-`
			`- /* The +1 is needed for https://github.com/uclouvain/openjpeg/issues/835 */`
			`- l_data_size = 1 + (OPJ_UINT32)((p_code_block->x1 - p_code_block->x0) *`
			`- (p_code_block->y1 - p_code_block->y0) * (OPJ_INT32)sizeof(OPJ_UINT32));`
			`+`
			`+ /* +1 is needed for https://github.com/uclouvain/openjpeg/issues/835 */`
			`+ /* and actually +2 required for https://github.com/uclouvain/openjpeg/issues/982 */`
			`+ /* TODO: is there a theoretical upper-bound for the compressed code */`
			`+ /* block size ? */`
			`+ l_data_size = 2 + (OPJ_UINT32)((p_code_block->x1 - p_code_block->x0) *`
			`+ (p_code_block->y1 - p_code_block->y0) * (OPJ_INT32)sizeof(OPJ_UINT32));`

			`if (l_data_size > p_code_block->data_size) {`
			`if (p_code_block->data) {`