pool/openjpeg2
SHA256
6
0
Fork 1
Code Issues Pull Requests Packages Projects Releases Wiki Activity
openjpeg2/openjpeg2-CVE-2017-14040.patch
Ismail Dönmez 96b2424330 Accepting request 523789 from home:hpjansson:openjpeg2-cve-factory 
Add security fixes:
  openjpeg2-CVE-2016-10504.patch (CVE-2016-10504, bsc#1056351),
  openjpeg2-CVE-2016-10505.patch (CVE-2016-10505, bsc#1056363),
  openjpeg2-CVE-2016-10506.patch (CVE-2016-10506, bsc#1056396),
  openjpeg2-CVE-2017-12982.patch (CVE-2017-12982, bsc#1054696),
  openjpeg2-CVE-2017-14039.patch (CVE-2017-14039, CVE-2017-14164,
  bsc#1056622, bsc#1057511),
  openjpeg2-CVE-2017-14040.patch (CVE-2017-14040, bsc#1056621),
  openjpeg2-CVE-2017-14041.patch (CVE-2017-14041, bsc#1056562),
  openjpeg2-CVE-2017-14151.patch (CVE-2017-14151, bsc#1057336),
  openjpeg2-CVE-2017-14152.patch (CVE-2017-14152, bsc#1057335),
  most of which are critical, including heap and stack overwrites,
  over-reads and division by zero errors.

OBS-URL: https://build.opensuse.org/request/show/523789
OBS-URL: https://build.opensuse.org/package/show/graphics/openjpeg2?expand=0&rev=28
2017-09-13 14:11:10 +00:00

78 lines
2.4 KiB
Diff
Raw Blame History

diff --git a/src/bin/jp2/convert.c b/src/bin/jp2/convert.c
index deee4f6..f28c98d 100644
--- a/src/bin/jp2/convert.c
+++ b/src/bin/jp2/convert.c
@@ -41,6 +41,7 @@
#include <stdlib.h>
#include <string.h>
#include <ctype.h>
+#include <limits.h>
#include "openjpeg.h"
#include "convert.h"
@@ -558,12 +559,9 @@ struct tga_header
};
#endif /* INFORMATION_ONLY */
-static unsigned short get_ushort(const unsigned char *data) {
- unsigned short val = *(const unsigned short *)data;
-#ifdef OPJ_BIG_ENDIAN
- val = ((val & 0xffU) << 8) | (val >> 8);
-#endif
- return val;
+/* Returns a ushort from a little-endian serialized value */
+static unsigned short get_tga_ushort(const unsigned char *data) {
+ return data[0] | (data[1] << 8);
}
#define TGA_HEADER_SIZE 18
@@ -589,17 +587,17 @@ static int tga_readheader(FILE *fp, unsigned int *bits_per_pixel,
id_len = tga[0];
/*cmap_type = tga[1];*/
image_type = tga[2];
- /*cmap_index = get_ushort(&tga[3]);*/
- cmap_len = get_ushort(&tga[5]);
+ /*cmap_index = get_tga_ushort(&tga[3]);*/
+ cmap_len = get_tga_ushort(&tga[5]);
cmap_entry_size = tga[7];
#if 0
- x_origin = get_ushort(&tga[8]);
- y_origin = get_ushort(&tga[10]);
+ x_origin = get_tga_ushort(&tga[8]);
+ y_origin = get_tga_ushort(&tga[10]);
#endif
- image_w = get_ushort(&tga[12]);
- image_h = get_ushort(&tga[14]);
+ image_w = get_tga_ushort(&tga[12]);
+ image_h = get_tga_ushort(&tga[14]);
pixel_depth = tga[16];
image_desc = tga[17];
@@ -763,6 +761,24 @@ opj_image_t* tgatoimage(const char *filename, opj_cparameters_t *parameters) {
color_space = OPJ_CLRSPC_SRGB;
}
+ /* If the declared file size is > 10 MB, check that the file is big */
+ /* enough to avoid excessive memory allocations */
+ if (image_height != 0 && image_width > 10000000 / image_height / numcomps) {
+ char ch;
+ OPJ_UINT64 expected_file_size =
+ (OPJ_UINT64)image_width * image_height * numcomps;
+ long curpos = ftell(f);
+ if (expected_file_size > (OPJ_UINT64)INT_MAX) {
+ expected_file_size = (OPJ_UINT64)INT_MAX;
+ }
+ fseek(f, (long)expected_file_size - 1, SEEK_SET);
+ if (fread(&ch, 1, 1, f) != 1) {
+ fclose(f);
+ return NULL;
+ }
+ fseek(f, curpos, SEEK_SET);
+ }
+
subsampling_dx = parameters->subsampling_dx;
subsampling_dy = parameters->subsampling_dy;
Reference in New Issue View Git Blame Copy Permalink