Diffstat (limited to 'extra/openjpeg/openjpeg-1.5.1-CVE-2013-6052.patch')
-rw-r--r-- | extra/openjpeg/openjpeg-1.5.1-CVE-2013-6052.patch | 53 |
1 files changed, 53 insertions, 0 deletions
diff --git a/extra/openjpeg/openjpeg-1.5.1-CVE-2013-6052.patch b/extra/openjpeg/openjpeg-1.5.1-CVE-2013-6052.patch
new file mode 100644
index 000000000..a157f39a7
--- /dev/null
+++ b/extra/openjpeg/openjpeg-1.5.1-CVE-2013-6052.patch
@@ -0,0 +1,53 @@
+diff -up openjpeg-1.5.1/libopenjpeg/cio.c.CVE-2013-6052 openjpeg-1.5.1/libopenjpeg/cio.c
+--- openjpeg-1.5.1/libopenjpeg/cio.c.CVE-2013-6052 2012-09-13 02:58:39.000000000 -0500
++++ openjpeg-1.5.1/libopenjpeg/cio.c 2014-01-07 14:43:14.213256439 -0600
+@@ -30,6 +30,7 @@
+ */
+
+ #include "opj_includes.h"
++#include <assert.h>
+
+ /* ----------------------------------------------------------------------- */
+
+@@ -139,6 +140,11 @@ opj_bool cio_byteout(opj_cio_t *cio, uns
+ * Read a byte.
+ */
+ unsigned char cio_bytein(opj_cio_t *cio) {
++ if (cio->bp < cio->start) {
++ opj_event_msg(cio->cinfo, EVT_ERROR, "read error: trying to read from before the start of the codestream (start = %d, current = %d, end = %d\n", cio->start, cio->bp, cio->end);
++ abort();
++ return 0;
++ }
+ if (cio->bp >= cio->end) {
+ opj_event_msg(cio->cinfo, EVT_ERROR, "read error: passed the end of the codestream (start = %d, current = %d, end = %d\n", cio->start, cio->bp, cio->end);
+ return 0;
+@@ -173,7 +179,7 @@ unsigned int cio_read(opj_cio_t *cio, in
+ unsigned int v;
+ v = 0;
+ for (i = n - 1; i >= 0; i--) {
+- v += cio_bytein(cio) << (i << 3);
++ v += (unsigned int)cio_bytein(cio) << (i << 3);
+ }
+ return v;
+ }
+@@ -184,6 +190,7 @@ unsigned int cio_read(opj_cio_t *cio, in
+ * n : number of bytes to skip
+ */
+ void cio_skip(opj_cio_t *cio, int n) {
++ assert((cio->bp + n) >= cio->bp);
+ cio->bp += n;
+ }
+
+diff -up openjpeg-1.5.1/libopenjpeg/jp2.c.CVE-2013-6052 openjpeg-1.5.1/libopenjpeg/jp2.c
+--- openjpeg-1.5.1/libopenjpeg/jp2.c.CVE-2013-6052 2014-01-07 14:43:14.201256566 -0600
++++ openjpeg-1.5.1/libopenjpeg/jp2.c 2014-01-07 14:43:14.214256428 -0600
+@@ -172,6 +172,9 @@ static opj_bool jp2_read_boxhdr(opj_comm
+ }
+ else if (box->length == 0) {
+ box->length = cio_numbytesleft(cio) + 8;
++ } else if (box->length < 0) {
++ opj_event_msg(cinfo, EVT_ERROR, "Invalid, negative, size of box\n");
++ return OPJ_FALSE;
+ }
+ if (box->length < 0) {
+ opj_event_msg(cinfo, EVT_ERROR, "Integer overflow in box->length\n"); |
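Review bot: The guard added to cio_skip is an `assert`, so it vanishes from any build compiled with NDEBUG, and `(cio->bp + n) >= cio->bp` tests pointer wraparound, which is undefined behaviour the compiler may fold to true; it also never compares the new position with `cio->start` or `cio->end`. A runtime range check against the buffer bounds would survive release builds, as sketched below; whether callers rely on a negative n is not visible in this patch, so the sketch allows it within bounds. In cio_bytein the new branch calls `abort()` before an unreachable `return 0;`, which lets a malformed codestream terminate the host process, whereas the neighbouring end-of-stream branch only logs and returns 0; if the hard stop is intended it deserves a comment, otherwise dropping the `abort();` line makes the two branches consistent. The new message, like the existing one, prints the pointers `cio->start`, `cio->bp` and `cio->end` with `%d`, where `%p` with `(void *)` casts would match the argument types.

```c
void cio_skip(opj_cio_t *cio, int n) {
	/* Range-check against the buffer instead of relying on pointer wraparound. */
	if (n > cio->end - cio->bp || n < cio->start - cio->bp) {
		opj_event_msg(cio->cinfo, EVT_ERROR, "skip error: offset %d leaves the codestream\n", n);
		cio->bp = cio->end; /* park at end so the next cio_bytein reports the error */
		return;
	}
	cio->bp += n;
}
```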