Dominique Leuenberger 2020-02-06 12:05:23 +00:00 committed by Git OBS Bridge
commit 571d47751f
7 changed files with 354 additions and 23 deletions

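--- a/024b8407392cb0b8.patch
+++ b/024b8407392cb0b8.patch
@@ -0,0 +1,29 @@
+From 024b8407392cb0b82b04b58ed256094ed5799e04 Mon Sep 17 00:00:00 2001
+From: Even Rouault <even.rouault@spatialys.com>
+Date: Sat, 11 Jan 2020 01:51:19 +0100
+Subject: [PATCH] opj_j2k_update_image_dimensions(): reject images whose
+coordinates are beyond INT_MAX (fixes #1228)
+---
+src/lib/openjp2/j2k.c | 8 ++++++++
+1 file changed, 8 insertions(+)
+diff --git a/src/lib/openjp2/j2k.c b/src/lib/openjp2/j2k.c
+index 14f6ff41a..922550eb1 100644
+--- a/src/lib/openjp2/j2k.c
++++ b/src/lib/openjp2/j2k.c
+@@ -9221,6 +9221,14 @@ static OPJ_BOOL opj_j2k_update_image_dimensions(opj_image_t* p_image,
+l_img_comp = p_image->comps;
+for (it_comp = 0; it_comp < p_image->numcomps; ++it_comp) {
+OPJ_INT32 l_h, l_w;
++ if (p_image->x0 > (OPJ_UINT32)INT_MAX ||
++ p_image->y0 > (OPJ_UINT32)INT_MAX ||
++ p_image->x1 > (OPJ_UINT32)INT_MAX ||
++ p_image->y1 > (OPJ_UINT32)INT_MAX) {
++ opj_event_msg(p_manager, EVT_ERROR,
++ "Image coordinates above INT_MAX are not supported\n");
++ return OPJ_FALSE;
++ }
+l_img_comp->x0 = (OPJ_UINT32)opj_int_ceildiv((OPJ_INT32)p_image->x0,
+(OPJ_INT32)l_img_comp->dx);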
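Review bot: The INT_MAX guard sits inside the component loop although it reads only p_image->x0/y0/x1/y1, so it is re-evaluated for every component; moving the `if (p_image->x0 > (OPJ_UINT32)INT_MAX || ...)` block above `for (it_comp = 0; ...)` runs it once and leaves the loop body to the per-component division. It would also help to record why INT_MAX rather than UINT32_MAX is the bound, e.g. `/* x0..y1 are cast to OPJ_INT32 for opj_int_ceildiv and later subtracted, so they must fit a signed int */`. The casts that follow additionally assume l_img_comp->dx/dy are non-zero, which this hunk does not show (presumably enforced when the SIZ marker is parsed — verify). opj_j2k_update_image_dimensions starts before this hunk and its body continues after it.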

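--- a/05f9b91e60debda0.patch
+++ b/05f9b91e60debda0.patch
@@ -0,0 +1,43 @@
+From 05f9b91e60debda0e83977e5e63b2e66486f7074 Mon Sep 17 00:00:00 2001
+From: Even Rouault <even.rouault@spatialys.com>
+Date: Thu, 30 Jan 2020 00:59:57 +0100
+Subject: [PATCH] opj_tcd_init_tile(): avoid integer overflow
+That could lead to later assertion failures.
+Fixes #1231 / CVE-2020-8112
+---
+src/lib/openjp2/tcd.c | 20 ++++++++++++++++++--
+1 file changed, 18 insertions(+), 2 deletions(-)
+diff --git a/src/lib/openjp2/tcd.c b/src/lib/openjp2/tcd.c
+index deecc4dff..aa419030a 100644
+--- a/src/lib/openjp2/tcd.c
++++ b/src/lib/openjp2/tcd.c
+@@ -905,8 +905,24 @@ static INLINE OPJ_BOOL opj_tcd_init_tile(opj_tcd_t *p_tcd, OPJ_UINT32 p_tile_no,
+/* p. 64, B.6, ISO/IEC FDIS15444-1 : 2000 (18 august 2000) */
+l_tl_prc_x_start = opj_int_floordivpow2(l_res->x0, (OPJ_INT32)l_pdx) << l_pdx;
+l_tl_prc_y_start = opj_int_floordivpow2(l_res->y0, (OPJ_INT32)l_pdy) << l_pdy;
+- l_br_prc_x_end = opj_int_ceildivpow2(l_res->x1, (OPJ_INT32)l_pdx) << l_pdx;
+- l_br_prc_y_end = opj_int_ceildivpow2(l_res->y1, (OPJ_INT32)l_pdy) << l_pdy;
++ {
++ OPJ_UINT32 tmp = ((OPJ_UINT32)opj_int_ceildivpow2(l_res->x1,
++ (OPJ_INT32)l_pdx)) << l_pdx;
++ if (tmp > (OPJ_UINT32)INT_MAX) {
++ opj_event_msg(manager, EVT_ERROR, "Integer overflow\n");
++ return OPJ_FALSE;
++ }
++ l_br_prc_x_end = (OPJ_INT32)tmp;
++ }
++ {
++ OPJ_UINT32 tmp = ((OPJ_UINT32)opj_int_ceildivpow2(l_res->y1,
++ (OPJ_INT32)l_pdy)) << l_pdy;
++ if (tmp > (OPJ_UINT32)INT_MAX) {
++ opj_event_msg(manager, EVT_ERROR, "Integer overflow\n");
++ return OPJ_FALSE;
++ }
++ l_br_prc_y_end = (OPJ_INT32)tmp;
++ }
+/*fprintf(stderr, "\t\t\tprc_x_start=%d, prc_y_start=%d, br_prc_x_end=%d, br_prc_y_end=%d \n", l_tl_prc_x_start, l_tl_prc_y_start, l_br_prc_x_end ,l_br_prc_y_end );*/
+l_res->pw = (l_res->x0 == l_res->x1) ? 0U : (OPJ_UINT32)((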
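Review bot: The overflow guard only works if `((OPJ_UINT32)opj_int_ceildivpow2(l_res->x1, ...)) << l_pdx` cannot wrap past 2^32 before the `tmp > (OPJ_UINT32)INT_MAX` compare; that holds when l_pdx is small (the codestream precinct exponent is a 4-bit field, so at most 15), but that bound is enforced outside this hunk and a shift count of 32 or more would be undefined regardless — verify where l_pdx/l_pdy are clamped. A one-line comment stating the assumption, e.g. `/* l_pdx <= 15 (PPx is 4 bits), so the unsigned shift cannot wrap past 2^32 */`, would keep the check honest if precinct parsing ever changes. The two blocks are identical apart from the axis and both emit the same "Integer overflow" text; naming the axis in each message makes fuzzer triage quicker. opj_tcd_init_tile starts before this hunk and continues after it.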

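--- a/21399f6b7d318fcd.patch
+++ b/21399f6b7d318fcd.patch
@@ -0,0 +1,68 @@
+From 21399f6b7d318fcdf4406d5e88723c4922202aa3 Mon Sep 17 00:00:00 2001
+From: Young Xiao <YangX92@hotmail.com>
+Date: Sat, 16 Mar 2019 19:57:27 +0800
+Subject: [PATCH] convertbmp: detect invalid file dimensions early
+width/length dimensions read from bmp headers are not necessarily
+valid. For instance they may have been maliciously set to very large
+values with the intention to cause DoS (large memory allocation, stack
+overflow). In these cases we want to detect the invalid size as early
+as possible.
+This commit introduces a counter which verifies that the number of
+written bytes corresponds to the advertized width/length.
+See commit 8ee335227bbc for details.
+Signed-off-by: Young Xiao <YangX92@hotmail.com>
+---
+src/bin/jp2/convertbmp.c | 10 ++++++++--
+1 file changed, 8 insertions(+), 2 deletions(-)
+diff --git a/src/bin/jp2/convertbmp.c b/src/bin/jp2/convertbmp.c
+index 0af52f816..ec34f535b 100644
+--- a/src/bin/jp2/convertbmp.c
++++ b/src/bin/jp2/convertbmp.c
+@@ -622,13 +622,13 @@ static OPJ_BOOL bmp_read_rle8_data(FILE* IN, OPJ_UINT8* pData,
+static OPJ_BOOL bmp_read_rle4_data(FILE* IN, OPJ_UINT8* pData,
+OPJ_UINT32 stride, OPJ_UINT32 width, OPJ_UINT32 height)
+{
+- OPJ_UINT32 x, y;
++ OPJ_UINT32 x, y, written;
+OPJ_UINT8 *pix;
+const OPJ_UINT8 *beyond;
+beyond = pData + stride * height;
+pix = pData;
+- x = y = 0U;
++ x = y = written = 0U;
+while (y < height) {
+int c = getc(IN);
+if (c == EOF) {
+@@ -642,6 +642,7 @@ static OPJ_BOOL bmp_read_rle4_data(FILE* IN, OPJ_UINT8* pData,
+for (j = 0; (j < c) && (x < width) &&
+((OPJ_SIZE_T)pix < (OPJ_SIZE_T)beyond); j++, x++, pix++) {
+*pix = (OPJ_UINT8)((j & 1) ? (c1 & 0x0fU) : ((c1 >> 4) & 0x0fU));
++ written++;
+}
+} else { /* absolute mode */
+c = getc(IN);
+@@ -671,6 +672,7 @@ static OPJ_BOOL bmp_read_rle4_data(FILE* IN, OPJ_UINT8* pData,
+c1 = (OPJ_UINT8)getc(IN);
+}
+*pix = (OPJ_UINT8)((j & 1) ? (c1 & 0x0fU) : ((c1 >> 4) & 0x0fU));
++ written++;
+}
+if (((c & 3) == 1) || ((c & 3) == 2)) { /* skip padding byte */
+getc(IN);
+@@ -678,6 +680,10 @@ static OPJ_BOOL bmp_read_rle4_data(FILE* IN, OPJ_UINT8* pData,
+}
+}
+} /* while(y < height) */
++ if (written != width * height) {
++ fprintf(stderr, "warning, image's actual size does not match advertized one\n");
++ return OPJ_FALSE;
++ }
+return OPJ_TRUE;
+}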
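Review bot: The new `written != width * height` check only counts pixels stored by the two write loops, so any RLE4 stream that uses the EOL (0x00) or delta-move (0x02) escapes to skip pixels — which the format allows, leaving those pixels undefined — is now rejected as a whole; that mirrors the rle8 change in 8ee335227bbc, but it is a deliberate hardening with a compatibility cost, and the patch header or spec comment should say so. The diagnostic is printed as `warning, ...` while the function returns OPJ_FALSE, so callers get a hard failure under a message that says warning; `error, image's actual size does not match advertized one` would match the behavior. `width * height` is an OPJ_UINT32 product and nothing in these hunks shows the caller has bounded it, so it could wrap for hostile headers (presumably the same limit used to size pData applies — verify). bmp_read_rle4_data is visible only in these hunks; the stretches between them are not in the diff.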

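--- a/3aef207f90e937d4.patch
+++ b/3aef207f90e937d4.patch
@@ -0,0 +1,83 @@
+From 3aef207f90e937d4931daf6d411e092f76d82e66 Mon Sep 17 00:00:00 2001
+From: Young Xiao <YangX92@hotmail.com>
+Date: Sat, 16 Mar 2019 20:09:59 +0800
+Subject: [PATCH] bmp_read_rle4_data(): avoid potential infinite loop
+---
+src/bin/jp2/convertbmp.c | 32 ++++++++++++++++++++++++++------
+1 file changed, 26 insertions(+), 6 deletions(-)
+diff --git a/src/bin/jp2/convertbmp.c b/src/bin/jp2/convertbmp.c
+index ec34f535b..2fc4e9bc4 100644
+--- a/src/bin/jp2/convertbmp.c
++++ b/src/bin/jp2/convertbmp.c
+@@ -632,12 +632,18 @@ static OPJ_BOOL bmp_read_rle4_data(FILE* IN, OPJ_UINT8* pData,
+while (y < height) {
+int c = getc(IN);
+if (c == EOF) {
+- break;
++ return OPJ_FALSE;
+}
+if (c) { /* encoded mode */
+- int j;
+- OPJ_UINT8 c1 = (OPJ_UINT8)getc(IN);
++ int j, c1_int;
++ OPJ_UINT8 c1;
++
++ c1_int = getc(IN);
++ if (c1_int == EOF) {
++ return OPJ_FALSE;
++ }
++ c1 = (OPJ_UINT8)c1_int;
+for (j = 0; (j < c) && (x < width) &&
+((OPJ_SIZE_T)pix < (OPJ_SIZE_T)beyond); j++, x++, pix++) {
+@@ -647,7 +653,7 @@ static OPJ_BOOL bmp_read_rle4_data(FILE* IN, OPJ_UINT8* pData,
+} else { /* absolute mode */
+c = getc(IN);
+if (c == EOF) {
+- break;
++ return OPJ_FALSE;
+}
+if (c == 0x00) { /* EOL */
+@@ -658,8 +664,14 @@ static OPJ_BOOL bmp_read_rle4_data(FILE* IN, OPJ_UINT8* pData,
+break;
+} else if (c == 0x02) { /* MOVE by dxdy */
+c = getc(IN);
++ if (c == EOF) {
++ return OPJ_FALSE;
++ }
+x += (OPJ_UINT32)c;
+c = getc(IN);
++ if (c == EOF) {
++ return OPJ_FALSE;
++ }
+y += (OPJ_UINT32)c;
+pix = pData + y * stride + x;
+} else { /* 03 .. 255 : absolute mode */
+@@ -669,13 +681,21 @@ static OPJ_BOOL bmp_read_rle4_data(FILE* IN, OPJ_UINT8* pData,
+for (j = 0; (j < c) && (x < width) &&
+((OPJ_SIZE_T)pix < (OPJ_SIZE_T)beyond); j++, x++, pix++) {
+if ((j & 1) == 0) {
+- c1 = (OPJ_UINT8)getc(IN);
++ int c1_int;
++ c1_int = getc(IN);
++ if (c1_int == EOF) {
++ return OPJ_FALSE;
++ }
++ c1 = (OPJ_UINT8)c1_int;
+}
+*pix = (OPJ_UINT8)((j & 1) ? (c1 & 0x0fU) : ((c1 >> 4) & 0x0fU));
+written++;
+}
+if (((c & 3) == 1) || ((c & 3) == 2)) { /* skip padding byte */
+- getc(IN);
++ c = getc(IN);
++ if (c == EOF) {
++ return OPJ_FALSE;
++ }
+}
+}
+}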
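Review bot: The MOVE branch (`c == 0x02`) now rejects EOF on both delta bytes but still adds them to x and y unbounded and then forms `pix = pData + y * stride + x`; a delta that carries y past height or x past width yields a pointer outside the pData allocation, which is undefined even though the write loops only dereference while `(OPJ_SIZE_T)pix < (OPJ_SIZE_T)beyond`. Rejecting the move before the pointer is computed keeps pix inside the buffer: `if (x >= width || y >= height) return OPJ_FALSE;` inserted ahead of `pix = pData + y * stride + x;` (if a move landing exactly on x == width followed by EOL must stay legal, use `>` for x — the hunk does not show which the caller expects). Separately, when the absolute-mode loop stops early because `x < width` fails, the remaining `c - j` nibbles of that run are never consumed, so the stream is parsed out of sync from then on; with the new EOF checks that now terminates, but as a silently corrupt image rather than a reported error. bmp_read_rle4_data starts before the first hunk and its closing lines are after the last.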

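--- a/4cb1f663049aab96.patch
+++ b/4cb1f663049aab96.patch
@@ -0,0 +1,77 @@
+From 4cb1f663049aab96e122d1ff16f601d0cc0be976 Mon Sep 17 00:00:00 2001
+From: Even Rouault <even.rouault@spatialys.com>
+Date: Sun, 17 Nov 2019 01:18:26 +0100
+Subject: [PATCH] pi.c: avoid integer overflow, resulting in later invalid
+access to memory in opj_t2_decode_packets(). Fixes
+https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=18979
+---
+src/lib/openjp2/pi.c | 24 ++++++++++++------------
+src/lib/openjp2/pi.h | 4 ++--
+2 files changed, 14 insertions(+), 14 deletions(-)
+diff --git a/src/lib/openjp2/pi.c b/src/lib/openjp2/pi.c
+index 4a6ed68e2..3ddb4a0c5 100644
+--- a/src/lib/openjp2/pi.c
++++ b/src/lib/openjp2/pi.c
+@@ -376,10 +376,10 @@ static OPJ_BOOL opj_pi_next_rpcl(opj_pi_iterator_t * pi)
+pi->poc.tx1 = pi->tx1;
+}
+for (pi->resno = pi->poc.resno0; pi->resno < pi->poc.resno1; pi->resno++) {
+- for (pi->y = pi->poc.ty0; pi->y < pi->poc.ty1;
+- pi->y += (OPJ_INT32)(pi->dy - (OPJ_UINT32)(pi->y % (OPJ_INT32)pi->dy))) {
+- for (pi->x = pi->poc.tx0; pi->x < pi->poc.tx1;
+- pi->x += (OPJ_INT32)(pi->dx - (OPJ_UINT32)(pi->x % (OPJ_INT32)pi->dx))) {
++ for (pi->y = (OPJ_UINT32)pi->poc.ty0; pi->y < (OPJ_UINT32)pi->poc.ty1;
++ pi->y += (pi->dy - (pi->y % pi->dy))) {
++ for (pi->x = (OPJ_UINT32)pi->poc.tx0; pi->x < (OPJ_UINT32)pi->poc.tx1;
++ pi->x += (pi->dx - (pi->x % pi->dx))) {
+for (pi->compno = pi->poc.compno0; pi->compno < pi->poc.compno1; pi->compno++) {
+OPJ_UINT32 levelno;
+OPJ_INT32 trx0, try0;
+@@ -508,10 +508,10 @@ static OPJ_BOOL opj_pi_next_pcrl(opj_pi_iterator_t * pi)
+pi->poc.ty1 = pi->ty1;
+pi->poc.tx1 = pi->tx1;
+}
+- for (pi->y = pi->poc.ty0; pi->y < pi->poc.ty1;
+- pi->y += (OPJ_INT32)(pi->dy - (OPJ_UINT32)(pi->y % (OPJ_INT32)pi->dy))) {
+- for (pi->x = pi->poc.tx0; pi->x < pi->poc.tx1;
+- pi->x += (OPJ_INT32)(pi->dx - (OPJ_UINT32)(pi->x % (OPJ_INT32)pi->dx))) {
++ for (pi->y = (OPJ_UINT32)pi->poc.ty0; pi->y < (OPJ_UINT32)pi->poc.ty1;
++ pi->y += (pi->dy - (pi->y % pi->dy))) {
++ for (pi->x = (OPJ_UINT32)pi->poc.tx0; pi->x < (OPJ_UINT32)pi->poc.tx1;
++ pi->x += (pi->dx - (pi->x % pi->dx))) {
+for (pi->compno = pi->poc.compno0; pi->compno < pi->poc.compno1; pi->compno++) {
+comp = &pi->comps[pi->compno];
+for (pi->resno = pi->poc.resno0;
+@@ -639,10 +639,10 @@ static OPJ_BOOL opj_pi_next_cprl(opj_pi_iterator_t * pi)
+pi->poc.ty1 = pi->ty1;
+pi->poc.tx1 = pi->tx1;
+}
+- for (pi->y = pi->poc.ty0; pi->y < pi->poc.ty1;
+- pi->y += (OPJ_INT32)(pi->dy - (OPJ_UINT32)(pi->y % (OPJ_INT32)pi->dy))) {
+- for (pi->x = pi->poc.tx0; pi->x < pi->poc.tx1;
+- pi->x += (OPJ_INT32)(pi->dx - (OPJ_UINT32)(pi->x % (OPJ_INT32)pi->dx))) {
++ for (pi->y = (OPJ_UINT32)pi->poc.ty0; pi->y < (OPJ_UINT32)pi->poc.ty1;
++ pi->y += (pi->dy - (pi->y % pi->dy))) {
++ for (pi->x = (OPJ_UINT32)pi->poc.tx0; pi->x < (OPJ_UINT32)pi->poc.tx1;
++ pi->x += (pi->dx - (pi->x % pi->dx))) {
+for (pi->resno = pi->poc.resno0;
+pi->resno < opj_uint_min(pi->poc.resno1, comp->numresolutions); pi->resno++) {
+OPJ_UINT32 levelno;
+diff --git a/src/lib/openjp2/pi.h b/src/lib/openjp2/pi.h
+index 8c0dc25c1..873802089 100644
+--- a/src/lib/openjp2/pi.h
++++ b/src/lib/openjp2/pi.h
+@@ -102,9 +102,9 @@ typedef struct opj_pi_iterator {
+/** Components*/
+opj_pi_comp_t *comps;
+/** FIXME DOC*/
+- OPJ_INT32 tx0, ty0, tx1, ty1;
++ OPJ_UINT32 tx0, ty0, tx1, ty1;
+/** FIXME DOC*/
+- OPJ_INT32 x, y;
++ OPJ_UINT32 x, y;
+/** FIXME DOC*/
+OPJ_UINT32 dx, dy;
+} opj_pi_iterator_t;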
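Review bot: Making pi->x/y and tx0..ty1 unsigned removes the signed overflow in the stride expression, but the new step `pi->dy - (pi->y % pi->dy)` (and its dx twin) still divides by pi->dy, so all three iterators depend on dx/dy being non-zero; that guard is not in this diff (upstream appears to carry one earlier in these functions — verify it precedes every loop shown here). The pi.h type change also silently converts every assignment to tx0/ty0/tx1/ty1 made elsewhere (opj_pi_create_decode and the opj_pi_update_* helpers are not in this diff); any that compute those bounds in OPJ_INT32 and could go negative would now become very large unsigned limits instead of failing a signed compare, so those call sites should be audited against the new types. The three `FIXME DOC` markers could be replaced while touching these fields, e.g. `/** tile / POC bounds on the reference grid; unsigned so the precinct stride arithmetic in opj_pi_next_* cannot overflow */`. Each of the three modified functions starts before and ends after its hunk.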


@ -1,3 +1,17 @@
-------------------------------------------------------------------
Fri Jan 31 16:21:36 UTC 2020 - Stefan Brüns <stefan.bruens@rwth-aachen.de>
- Fix several security relevant bugs:
* 21399f6b7d318fcd.patch (like CVE-2018-6616, but rle4 instead
of rle8, bsc#1079845)
* 3aef207f90e937d4.patch (CVE-2019-12973, bsc#1140359)
* 4cb1f663049aab96.patch (OSS-fuzz,
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=18979)
* 024b8407392cb0b8.patch (CVE-2020-6851, bsc#1160782)
* 05f9b91e60debda0.patch (CVE-2020-8112, bsc#1162090)
- Use upstream pkgconfig file
- Move API documentation from devel package to devel-doc
-------------------------------------------------------------------
Tue Apr 02 10:41:57 UTC 2019 - mvetter@suse.com


@ -1,7 +1,7 @@
#
# spec file for package openjpeg2
#
# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany.
# Copyright (c) 2020 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@ -12,7 +12,7 @@
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.
# Please submit bugfixes or comments via http://bugs.opensuse.org/
# Please submit bugfixes or comments via https://bugs.opensuse.org/
#
@ -25,9 +25,19 @@ Release: 0
Summary: Opensource JPEG 2000 Codec Implementation
License: BSD-2-Clause
Group: Productivity/Graphics/Other
Url: http://www.openjpeg.org/
URL: http://www.openjpeg.org/
Source0: https://github.com/uclouvain/openjpeg/archive/v%{version}.tar.gz#/openjpeg-%{version}.tar.gz
Source1: baselibs.conf
# PATCH-FIX-UPSTREAM -- like CVE-2018-6616, but rle4 instead of rle8, bsc#1079845, https://github.com/uclouvain/openjpeg/commit/21399f6b7d318fcd.patch
Patch0: 21399f6b7d318fcd.patch
# PATCH-FIX-UPSTREAM -- CVE-2019-12973, bsc#1140359, https://github.com/uclouvain/openjpeg/commit/3aef207f90e937d4.patch
Patch1: 3aef207f90e937d4.patch
# PATCH-FIX-UPSTREAM -- OSS-fuzz, https://github.com/uclouvain/openjpeg/commit/4cb1f663049aab96.patch
Patch2: 4cb1f663049aab96.patch
# PATCH-FIX-UPSTREAM -- CVE-2020-6851, bsc#1160782, https://github.com/uclouvain/openjpeg/commit/024b8407392cb0b8.patch
Patch3: 024b8407392cb0b8.patch
# PATCH-FIX-UPSTREAM -- CVE-2020-8112, bsc#1162090, https://github.com/uclouvain/openjpeg/commit/05f9b91e60debda0.patch
Patch4: 05f9b91e60debda0.patch
BuildRequires: cmake > 2.8.2
BuildRequires: doxygen
BuildRequires: fdupes
@ -61,6 +71,7 @@ Summary: Development files for %{name}
Group: Development/Libraries/Other
Requires: %{library_name} = %{version}
Requires: %{name} = %{version}
Recommends: %{name}-devel-doc
%description devel
The OpenJPEG library is an open-source JPEG 2000 codec written in C language.
@ -70,12 +81,25 @@ still-image compression standard from the Joint Photographic Experts Group
This package provides the development files for %{name}.
%package devel-doc
Summary: API documentation for %{name}
Group: Documentation/HTML
Recommends: %{library_name} = %{version}
Recommends: %{name} = %{version}
%description devel-doc
The OpenJPEG library is an open-source JPEG 2000 codec written in C language.
This package provides the API documentation for %{name}.
%prep
%setup -q -n openjpeg-%{version}
%autopatch -p1
# do not embed timestamps into html documentation
sed -i 's|^HTML_TIMESTAMP[ =].*$|HTML_TIMESTAMP = NO|' doc/Doxyfile.dox.cmake.in
# ensure no bundled libraries are used
# ensure no bundled libraries are used, but keep thirdparty/CMakeLists.txt
for d in thirdparty/*; do
[ -d "$d" ] && rm -rf "$d"
done
@ -90,28 +114,16 @@ done
-DBUILD_TESTING=OFF \
-DBUILD_DOC=ON \
-DBUILD_THIRDPARTY=OFF \
-DOPENJPEG_INSTALL_LIB_DIR=%{_lib}
-DOPENJPEG_INSTALL_LIB_DIR=%{_lib} \
-DOPENJPEG_INSTALL_DOC_DIR=share/doc/packages/%{name}-devel-doc
make %{?_smp_mflags} VERBOSE=1 all doc
cat << END > libopenjp2.pc
Name: openjpeg
Version: %{version}
Url: %{url}
Description: Opensource JPEG 2000 Codec Implementation
Libs: -L%{_libdir} -lopenjp2
Libs.private: -lm
Cflags: -I%{_includedir}/openjpeg-%{base_version}
END
%fdupes -s doc/html/
%install
%cmake_install
mkdir -p %{buildroot}%{_libdir}/pkgconfig/
install -m 644 build/libopenjp2.pc %{buildroot}%{_libdir}/pkgconfig/
rm -rf %{buildroot}%{_datadir}/doc
rm %{buildroot}%{_defaultdocdir}/%{name}-devel-doc/LICENSE
mv %{buildroot}%{_prefix}/share/doc/html %{buildroot}%{_defaultdocdir}/%{name}-devel-doc
%fdupes %{buildroot}%{_defaultdocdir}
%post -n %{library_name} -p /sbin/ldconfig
@ -119,7 +131,7 @@ rm -rf %{buildroot}%{_datadir}/doc
%files
%defattr(-,root,root,-)
%doc AUTHORS.md CHANGELOG.md NEWS.md LICENSE README.md THANKS.md
%license LICENSE
%{_bindir}/opj_*
%{_mandir}/man1/opj_*.1%{ext_man}
@ -129,11 +141,16 @@ rm -rf %{buildroot}%{_datadir}/doc
%files devel
%defattr(-,root,root,-)
%doc build/doc/html/
%{_includedir}/openjpeg-%{base_version}/
%{_libdir}/libopenjp2.so
%{_libdir}/pkgconfig/libopenjp2.pc
%{_libdir}/openjpeg-%{base_version}/
%{_mandir}/man3/libopenjp2.3%{ext_man}
%files devel-doc
%defattr(-,root,root,-)
%license LICENSE
%doc AUTHORS.md CHANGELOG.md NEWS.md README.md THANKS.md
%doc %{_defaultdocdir}/%{name}-devel-doc/html
%changelog
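Review bot: Patch1 (3aef207f90e937d4) only applies on top of Patch0 (21399f6b7d318fcd) — its pre-image blob ec34f535b is Patch0's post-image, and its context lines already contain the `written++` that Patch0 introduces — so `%autopatch -p1` succeeds only while the Patch0/Patch1 order is kept; recording that on the comment line, e.g. `# PATCH-FIX-UPSTREAM -- CVE-2019-12973, bsc#1140359, applies on top of Patch0, https://github.com/uclouvain/openjpeg/commit/3aef207f90e937d4.patch`, protects the next maintainer who renumbers patches. The new `%files devel-doc` block copies `%defattr(-,root,root,-)`, which is a no-op with current rpm and can be dropped in line with modern openSUSE specs. The devel-doc package is marked `Recommends:` on the library and main package only, which looks intentional for a pure documentation package; if it is, a one-line comment saying so would save the question on the next review.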