1 files changed, 77 insertions, 0 deletions

diff --git a/extra/openjpeg/openjpeg-1.5-r2029.patch b/extra/openjpeg/openjpeg-1.5-r2029.patch
new file mode 100644
index 000000000..a1a819a8c
--- /dev/null
+++ b/extra/openjpeg/openjpeg-1.5-r2029.patch
@@ -0,0 +1,77 @@
+Index: libopenjpeg/jp2.c
+===================================================================
+--- libopenjpeg/jp2.c	(revision 2028)
++++ libopenjpeg/jp2.c	(revision 2029)
+@@ -173,6 +173,10 @@
+ 	else if (box->length == 0) {
+ 		box->length = cio_numbytesleft(cio) + 8;
+ 	}
++	if (box->length < 0) {
++		opj_event_msg(cinfo, EVT_ERROR, "Integer overflow in box->length\n");
++		return OPJ_FALSE; // TODO: actually check jp2_read_boxhdr's return value
++	}
+ 	
+ 	return OPJ_TRUE;
+ }
+@@ -654,6 +658,7 @@
+         opj_event_msg(cinfo, EVT_ERROR, "Expected JP2H Marker\n");
+         return OPJ_FALSE;
+         }
++	  if (box.length <= 8) return OPJ_FALSE;
+       cio_skip(cio, box.length - 8);
+ 
+       if(cio->bp >= cio->end) return OPJ_FALSE;
+@@ -679,6 +684,7 @@
+       {
+       if( !jp2_read_colr(jp2, cio, &box, color))
+         {
++        if (box.length <= 8) return OPJ_FALSE;
+         cio_seek(cio, box.init_pos + 8);
+         cio_skip(cio, box.length - 8);
+         }
+@@ -689,6 +695,7 @@
+       {
+       if( !jp2_read_cdef(jp2, cio, &box, color))
+         {
++        if (box.length <= 8) return OPJ_FALSE;
+         cio_seek(cio, box.init_pos + 8);
+         cio_skip(cio, box.length - 8);
+         }
+@@ -699,6 +706,7 @@
+       {
+       if( !jp2_read_pclr(jp2, cio, &box, color))
+         {
++        if (box.length <= 8) return OPJ_FALSE;
+         cio_seek(cio, box.init_pos + 8);
+         cio_skip(cio, box.length - 8);
+         }
+@@ -709,12 +717,14 @@
+       {
+       if( !jp2_read_cmap(jp2, cio, &box, color))
+         {
++        if (box.length <= 8) return OPJ_FALSE;
+         cio_seek(cio, box.init_pos + 8);
+         cio_skip(cio, box.length - 8);
+         }
+       if( jp2_read_boxhdr(cinfo, cio, &box) == OPJ_FALSE ) return OPJ_FALSE;
+       continue;
+       }
++    if (box.length <= 8) return OPJ_FALSE;
+     cio_seek(cio, box.init_pos + 8);
+     cio_skip(cio, box.length - 8);
+     if( jp2_read_boxhdr(cinfo, cio, &box) == OPJ_FALSE ) return OPJ_FALSE;
+@@ -910,12 +920,14 @@
+   }
+ 	do {
+ 		if(JP2_JP2C != box.type) {
++			if (box.length <= 8) return OPJ_FALSE;
+ 			cio_skip(cio, box.length - 8);
+ 			if( jp2_read_boxhdr(cinfo, cio, &box) == OPJ_FALSE ) return OPJ_FALSE;
+ 		}
+ 	} while(JP2_JP2C != box.type);
+ 
+ 	*j2k_codestream_offset = cio_tell(cio);
++	if (box.length <= 8) return OPJ_FALSE;
+ 	*j2k_codestream_length = box.length - 8;
+ 
+ 	return OPJ_TRUE;