diff options
Diffstat (limited to 'extra/openjpeg/openjpeg-1.5.1-CVE-2013-6045.patch')
-rw-r--r-- | extra/openjpeg/openjpeg-1.5.1-CVE-2013-6045.patch | 60 |
1 files changed, 60 insertions, 0 deletions
diff --git a/extra/openjpeg/openjpeg-1.5.1-CVE-2013-6045.patch b/extra/openjpeg/openjpeg-1.5.1-CVE-2013-6045.patch new file mode 100644 index 000000000..f45566f36 --- /dev/null +++ b/extra/openjpeg/openjpeg-1.5.1-CVE-2013-6045.patch @@ -0,0 +1,60 @@ +diff -up openjpeg-1.5.1/libopenjpeg/j2k.c.CVE-2013-6045 openjpeg-1.5.1/libopenjpeg/j2k.c +--- openjpeg-1.5.1/libopenjpeg/j2k.c.CVE-2013-6045 2014-01-07 15:11:30.622278207 -0600 ++++ openjpeg-1.5.1/libopenjpeg/j2k.c 2014-01-07 15:11:30.626278165 -0600 +@@ -1076,6 +1076,17 @@ static void j2k_read_poc(opj_j2k_t *j2k) + tcp->POC = 1; + len = cio_read(cio, 2); /* Lpoc */ + numpchgs = (len - 2) / (5 + 2 * (numcomps <= 256 ? 1 : 2)); ++ ++ { ++ /* old_poc < 0 "just in case" */ ++ int maxpocs = (sizeof(tcp->pocs)/sizeof(tcp->pocs[0])); ++ if ((old_poc < 0) || ((numpchgs + old_poc) >= maxpocs)) { ++ opj_event_msg(j2k->cinfo, EVT_ERROR, ++ "JPWL: bad number of progression order changes (%d out of a maximum of %d)\n", ++ (numpchgs + old_poc), maxpocs); ++ return; ++ } ++ } + + for (i = old_poc; i < numpchgs + old_poc; i++) { + opj_poc_t *poc; +@@ -1622,6 +1633,14 @@ static void j2k_read_rgn(opj_j2k_t *j2k) + return; + } + ++ /* totlen is negative or larger than the bytes left!!! */ ++ if (compno >= numcomps) { ++ opj_event_msg(j2k->cinfo, EVT_ERROR, ++ "JPWL: bad component number in RGN (%d when there are only %d)\n", ++ compno, numcomps); ++ return; ++ } ++ + tcp->tccps[compno].roishift = cio_read(cio, 1); /* SPrgn */ + } + +diff -up openjpeg-1.5.1/libopenjpeg/tcd.c.CVE-2013-6045 openjpeg-1.5.1/libopenjpeg/tcd.c +--- openjpeg-1.5.1/libopenjpeg/tcd.c.CVE-2013-6045 2012-09-13 02:58:39.000000000 -0500 ++++ openjpeg-1.5.1/libopenjpeg/tcd.c 2014-01-07 15:11:30.626278165 -0600 +@@ -1394,10 +1394,19 @@ opj_bool tcd_decode_tile(opj_tcd_t *tcd, + return OPJ_FALSE; + } + ++ int comp0size = (tile->comps[0].x1 - tile->comps[0].x0) * (tile->comps[0].y1 - tile->comps[0].y0); + for (compno = 0; compno < tile->numcomps; ++compno) { + opj_tcd_tilecomp_t* tilec = &tile->comps[compno]; ++ int compcsize = ((tilec->x1 - tilec->x0) * (tilec->y1 - tilec->y0)); ++ /* Later-on it is assumed that all components are of at least comp0size blocks */ ++ if (compcsize < comp0size) ++ { ++ opj_event_msg(tcd->cinfo, EVT_ERROR, "Error decoding tile. Component %d contains only %d blocks " ++ "while component 0 has %d blocks\n", compno, compcsize, comp0size); ++ return OPJ_FALSE; ++ } + /* The +3 is headroom required by the vectorized DWT */ +- tilec->data = (int*) opj_aligned_malloc((((tilec->x1 - tilec->x0) * (tilec->y1 - tilec->y0))+3) * sizeof(int)); ++ tilec->data = (int*) opj_aligned_malloc((comp0size+3) * sizeof(int)); + if (tilec->data == NULL) + { + opj_event_msg(tcd->cinfo, EVT_ERROR, "Out of memory\n"); |