1 files changed, 60 insertions, 0 deletions

diff --git a/extra/openjpeg/openjpeg-1.5.1-CVE-2013-6045.patch b/extra/openjpeg/openjpeg-1.5.1-CVE-2013-6045.patch
new file mode 100644
index 000000000..f45566f36
--- /dev/null
+++ b/extra/openjpeg/openjpeg-1.5.1-CVE-2013-6045.patch
@@ -0,0 +1,60 @@
+diff -up openjpeg-1.5.1/libopenjpeg/j2k.c.CVE-2013-6045 openjpeg-1.5.1/libopenjpeg/j2k.c
+--- openjpeg-1.5.1/libopenjpeg/j2k.c.CVE-2013-6045	2014-01-07 15:11:30.622278207 -0600
++++ openjpeg-1.5.1/libopenjpeg/j2k.c	2014-01-07 15:11:30.626278165 -0600
+@@ -1076,6 +1076,17 @@ static void j2k_read_poc(opj_j2k_t *j2k)
+ 	tcp->POC = 1;
+ 	len = cio_read(cio, 2);		/* Lpoc */
+ 	numpchgs = (len - 2) / (5 + 2 * (numcomps <= 256 ? 1 : 2));
++
++	{
++		/* old_poc < 0 "just in case" */
++		int maxpocs = (sizeof(tcp->pocs)/sizeof(tcp->pocs[0]));
++		if ((old_poc < 0) || ((numpchgs + old_poc) >= maxpocs)) {
++			opj_event_msg(j2k->cinfo, EVT_ERROR,
++				"JPWL: bad number of progression order changes (%d out of a maximum of %d)\n",
++				(numpchgs + old_poc), maxpocs);
++			return;
++		}
++	}
+ 	
+ 	for (i = old_poc; i < numpchgs + old_poc; i++) {
+ 		opj_poc_t *poc;
+@@ -1622,6 +1633,14 @@ static void j2k_read_rgn(opj_j2k_t *j2k)
+     return;
+   }
+ 
++	/* totlen is negative or larger than the bytes left!!! */
++	if (compno >= numcomps) {
++		opj_event_msg(j2k->cinfo, EVT_ERROR,
++			"JPWL: bad component number in RGN (%d when there are only %d)\n",
++			compno, numcomps);
++		return;
++	}
++
+ 	tcp->tccps[compno].roishift = cio_read(cio, 1);				/* SPrgn */
+ }
+ 
+diff -up openjpeg-1.5.1/libopenjpeg/tcd.c.CVE-2013-6045 openjpeg-1.5.1/libopenjpeg/tcd.c
+--- openjpeg-1.5.1/libopenjpeg/tcd.c.CVE-2013-6045	2012-09-13 02:58:39.000000000 -0500
++++ openjpeg-1.5.1/libopenjpeg/tcd.c	2014-01-07 15:11:30.626278165 -0600
+@@ -1394,10 +1394,19 @@ opj_bool tcd_decode_tile(opj_tcd_t *tcd,
+         return OPJ_FALSE;
+     }
+ 
++	int comp0size = (tile->comps[0].x1 - tile->comps[0].x0) * (tile->comps[0].y1 - tile->comps[0].y0);
+ 	for (compno = 0; compno < tile->numcomps; ++compno) {
+ 		opj_tcd_tilecomp_t* tilec = &tile->comps[compno];
++		int compcsize = ((tilec->x1 - tilec->x0) * (tilec->y1 - tilec->y0));
++		/* Later-on it is assumed that all components are of at least comp0size blocks */
++		if (compcsize < comp0size)
++		{
++			opj_event_msg(tcd->cinfo, EVT_ERROR, "Error decoding tile. Component %d contains only %d blocks "
++				"while component 0 has %d blocks\n", compno, compcsize, comp0size);
++			return OPJ_FALSE;
++		}
+ 		/* The +3 is headroom required by the vectorized DWT */
+-		tilec->data = (int*) opj_aligned_malloc((((tilec->x1 - tilec->x0) * (tilec->y1 - tilec->y0))+3) * sizeof(int));
++		tilec->data = (int*) opj_aligned_malloc((comp0size+3) * sizeof(int));
+         if (tilec->data == NULL)
+         {
+             opj_event_msg(tcd->cinfo, EVT_ERROR, "Out of memory\n");