pool/openjpeg2
SHA256
6
0
Fork 1
Code Issues Pull Requests Packages Projects Releases Wiki Activity
openjpeg2/openjpeg2-CVE-2017-14039.patch
Ismail Dönmez 96b2424330 Accepting request 523789 from home:hpjansson:openjpeg2-cve-factory 
Add security fixes:
  openjpeg2-CVE-2016-10504.patch (CVE-2016-10504, bsc#1056351),
  openjpeg2-CVE-2016-10505.patch (CVE-2016-10505, bsc#1056363),
  openjpeg2-CVE-2016-10506.patch (CVE-2016-10506, bsc#1056396),
  openjpeg2-CVE-2017-12982.patch (CVE-2017-12982, bsc#1054696),
  openjpeg2-CVE-2017-14039.patch (CVE-2017-14039, CVE-2017-14164,
  bsc#1056622, bsc#1057511),
  openjpeg2-CVE-2017-14040.patch (CVE-2017-14040, bsc#1056621),
  openjpeg2-CVE-2017-14041.patch (CVE-2017-14041, bsc#1056562),
  openjpeg2-CVE-2017-14151.patch (CVE-2017-14151, bsc#1057336),
  openjpeg2-CVE-2017-14152.patch (CVE-2017-14152, bsc#1057335),
  most of which are critical, including heap and stack overwrites,
  over-reads and division by zero errors.

OBS-URL: https://build.opensuse.org/request/show/523789
OBS-URL: https://build.opensuse.org/package/show/graphics/openjpeg2?expand=0&rev=28
2017-09-13 14:11:10 +00:00

100 lines
4.5 KiB
Diff
Raw Blame History

diff --git a/src/lib/openjp2/j2k.c b/src/lib/openjp2/j2k.c
index 5cefffd..1844ac3 100644
--- a/src/lib/openjp2/j2k.c
+++ b/src/lib/openjp2/j2k.c
@@ -826,6 +826,7 @@ static OPJ_BOOL opj_j2k_write_tlm( opj_j2k_t *p_j2k,
*/
static OPJ_BOOL opj_j2k_write_sot( opj_j2k_t *p_j2k,
OPJ_BYTE * p_data,
+ OPJ_UINT32 p_total_data_size,
OPJ_UINT32 * p_data_written,
const opj_stream_private_t *p_stream,
opj_event_mgr_t * p_manager );
@@ -3963,6 +3964,7 @@ static OPJ_BOOL opj_j2k_write_tlm( opj_j2k_t *p_j2k,
static OPJ_BOOL opj_j2k_write_sot( opj_j2k_t *p_j2k,
OPJ_BYTE * p_data,
+ OPJ_UINT32 p_total_data_size,
OPJ_UINT32 * p_data_written,
const opj_stream_private_t *p_stream,
opj_event_mgr_t * p_manager
@@ -3973,6 +3975,12 @@ static OPJ_BOOL opj_j2k_write_sot( opj_j2k_t *p_j2k,
assert(p_manager != 00);
assert(p_stream != 00);
+ if (p_total_data_size < 12) {
+ opj_event_msg(p_manager, EVT_ERROR,
+ "Not enough bytes in output buffer to write SOT marker\n");
+ return OPJ_FALSE;
+ }
+
opj_write_bytes(p_data,J2K_MS_SOT,2); /* SOT */
p_data += 2;
@@ -4308,6 +4316,12 @@ static OPJ_BOOL opj_j2k_write_sod( opj_j2k_t *p_j2k,
assert(p_manager != 00);
assert(p_stream != 00);
+ if (p_total_data_size < 4) {
+ opj_event_msg(p_manager, EVT_ERROR,
+ "Not enough bytes in output buffer to write SOD marker\n");
+ return OPJ_FALSE;
+ }
+
opj_write_bytes(p_data,J2K_MS_SOD,2); /* SOD */
p_data += 2;
@@ -10625,7 +10639,7 @@ static OPJ_BOOL opj_j2k_write_first_tile_part (opj_j2k_t *p_j2k,
l_current_nb_bytes_written = 0;
l_begin_data = p_data;
- if (! opj_j2k_write_sot(p_j2k,p_data,&l_current_nb_bytes_written,p_stream,p_manager))
+ if (! opj_j2k_write_sot(p_j2k,p_data,p_total_data_size,&l_current_nb_bytes_written,p_stream,p_manager))
{
return OPJ_FALSE;
}
@@ -10712,7 +10726,7 @@ static OPJ_BOOL opj_j2k_write_all_tile_parts( opj_j2k_t *p_j2k,
l_part_tile_size = 0;
l_begin_data = p_data;
- if (! opj_j2k_write_sot(p_j2k,p_data,&l_current_nb_bytes_written,p_stream,p_manager)) {
+ if (! opj_j2k_write_sot(p_j2k,p_data,p_total_data_size,&l_current_nb_bytes_written,p_stream,p_manager)) {
return OPJ_FALSE;
}
@@ -10752,7 +10766,7 @@ static OPJ_BOOL opj_j2k_write_all_tile_parts( opj_j2k_t *p_j2k,
l_part_tile_size = 0;
l_begin_data = p_data;
- if (! opj_j2k_write_sot(p_j2k,p_data,&l_current_nb_bytes_written,p_stream,p_manager)) {
+ if (! opj_j2k_write_sot(p_j2k,p_data,p_total_data_size,&l_current_nb_bytes_written,p_stream,p_manager)) {
return OPJ_FALSE;
}
diff --git a/src/lib/openjp2/t2.c b/src/lib/openjp2/t2.c
index 5a8d440..f14cea8 100644
--- a/src/lib/openjp2/t2.c
+++ b/src/lib/openjp2/t2.c
@@ -585,6 +585,10 @@ static OPJ_BOOL opj_t2_encode_packet( OPJ_UINT32 tileno,
/* <SOP 0xff91> */
if (tcp->csty & J2K_CP_CSTY_SOP) {
+ if (length < 6) {
+ return OPJ_FALSE;
+ }
+
c[0] = 255;
c[1] = 145;
c[2] = 0;
@@ -731,6 +735,10 @@ static OPJ_BOOL opj_t2_encode_packet( OPJ_UINT32 tileno,
/* <EPH 0xff92> */
if (tcp->csty & J2K_CP_CSTY_EPH) {
+ if (length < 2) {
+ return OPJ_FALSE;
+ }
+
c[0] = 255;
c[1] = 146;
c += 2;
Reference in New Issue View Git Blame Copy Permalink