Diffstat (limited to 'extra/openjpeg')
-rw-r--r-- | extra/openjpeg/PKGBUILD | 52 | ||||
-rw-r--r-- | extra/openjpeg/openjpeg-1.5-r2029.patch | 77 | ||||
-rw-r--r-- | extra/openjpeg/openjpeg-1.5-r2031.patch | 24 | ||||
-rw-r--r-- | extra/openjpeg/openjpeg-1.5-r2032.patch | 30 | ||||
-rw-r--r-- | extra/openjpeg/openjpeg-1.5-r2033.patch | 49 | ||||
-rw-r--r-- | extra/openjpeg/openjpeg-1.5.1-CVE-2013-1447.patch | 165 | ||||
-rw-r--r-- | extra/openjpeg/openjpeg-1.5.1-CVE-2013-6045.patch | 60 | ||||
-rw-r--r-- | extra/openjpeg/openjpeg-1.5.1-CVE-2013-6052.patch | 53 | ||||
-rw-r--r-- | extra/openjpeg/openjpeg-1.5.1-CVE-2013-6053.patch | 12 | ||||
-rw-r--r-- | extra/openjpeg/openjpeg-1.5.1-CVE-2013-6887.patch | 30 | ||||
-rw-r--r-- | extra/openjpeg/openjpeg-1.5.1-doxygen_timestamp.patch | 24 |
11 files changed, 569 insertions, 7 deletions
diff --git a/extra/openjpeg/PKGBUILD b/extra/openjpeg/PKGBUILD
index a54d97558..65e9f357b 100644
--- a/extra/openjpeg/PKGBUILD
+++ b/extra/openjpeg/PKGBUILD
@@ -1,28 +1,66 @@ -# $Id: PKGBUILD 198355 2013-10-30 14:21:56Z allan $ +# $Id: PKGBUILD 205844 2014-02-11 15:10:57Z jgc $ # Maintainer: Jan de Groot <jgc@archlinux.org> pkgname=openjpeg pkgver=1.5.1 -pkgrel=1 +pkgrel=2 pkgdesc="An open source JPEG 2000 codec" arch=(i686 x86_64) license=('BSD') url="http://www.openjpeg.org" depends=('zlib') -source=(http://openjpeg.googlecode.com/files/openjpeg-${pkgver}.tar.gz) -sha1sums=('1b0b74d1af4c297fd82806a9325bb544caf9bb8b') +makedepends=('libtiff' 'lcms2' 'libpng' 'doxygen') +optdepends=('lcms2: j2k_to_image and image_to_j2k programs' + 'libpng: j2k_to_image and image_to_j2k programs') +source=(http://openjpeg.googlecode.com/files/openjpeg-${pkgver}.tar.gz + openjpeg-1.5.1-CVE-2013-1447.patch + openjpeg-1.5.1-CVE-2013-6045.patch + openjpeg-1.5.1-CVE-2013-6052.patch + openjpeg-1.5.1-CVE-2013-6053.patch + openjpeg-1.5.1-CVE-2013-6887.patch + openjpeg-1.5.1-doxygen_timestamp.patch + openjpeg-1.5-r2029.patch + openjpeg-1.5-r2031.patch + openjpeg-1.5-r2032.patch + openjpeg-1.5-r2033.patch) +sha1sums=('1b0b74d1af4c297fd82806a9325bb544caf9bb8b' + 'f2baf9bde105c96c7016be907cd278f2878be2b9' + 'f3764e473bd35508e83643a9257979eaa2c89c36' + '1d600a13432b977c46a5b74bf87bf1b5a130abfb' + '8d2da4b912d7e930abec31a956b678f62566884c' + '038e471597decf36de0c7c78915744054704c601' + '339677795a567c0f91b62141847b8e5dda53e763' + '1cd97c1be5cedad136894db2b16f856a28387aeb' + 'f68108dd25c7ed278678de11d5713fba87ab6017' + '222769c17e69022902d4e49c9dc5294361a00c85' + '9ec5c1e0909c8946a174733a598fbe38675a0c9c') + +prepare() { + cd $pkgname-$pkgver + patch -Np1 -i ../openjpeg-1.5.1-doxygen_timestamp.patch + patch -Np0 -i ../openjpeg-1.5-r2029.patch + patch -Np0 -i ../openjpeg-1.5-r2031.patch + patch -Np0 -i ../openjpeg-1.5-r2032.patch + patch -Np0 -i ../openjpeg-1.5-r2033.patch + patch -Np1 -i ../openjpeg-1.5.1-CVE-2013-6052.patch + patch -Np1 -i ../openjpeg-1.5.1-CVE-2013-6053.patch +# patch -Np1 -i ../openjpeg-1.5.1-CVE-2013-6045.patch + patch -Np1 -i 
../openjpeg-1.5.1-CVE-2013-1447.patch + patch -Np1 -i ../openjpeg-1.5.1-CVE-2013-6887.patch +} build() { - cd "${srcdir}/${pkgname}-${pkgver}" + cd $pkgname-$pkgver + autoreconf -fi # make sure we use system libs rm -rf thirdparty ./configure --prefix=/usr \ - --disable-static --disable-silent-rules + --enable-shared --disable-static --disable-silent-rules make } package() { - cd "${srcdir}/${pkgname}-${pkgver}" + cd $pkgname-$pkgver make DESTDIR="${pkgdir}" install install -m755 -d "${pkgdir}/usr/share/licenses/openjpeg" install -m644 LICENSE "${pkgdir}/usr/share/licenses/openjpeg/LICENSE" diff --git a/extra/openjpeg/openjpeg-1.5-r2029.patch b/extra/openjpeg/openjpeg-1.5-r2029.patch new file mode 100644 index 000000000..a1a819a8c --- /dev/null +++ b/extra/openjpeg/openjpeg-1.5-r2029.patch 
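Review bot: prepare() leaves `openjpeg-1.5.1-CVE-2013-6045.patch` commented out while the file is still listed in source and checksummed, so the package is built without that fix and nothing in the PKGBUILD says why. A comment on that line, for example `# CVE-2013-6045 patch disabled: <reason / upstream bug reference>`, would tell whoever audits the package that the omission is deliberate and what has to change before it can be enabled. Separately, the tarball is fetched over plain http and pinned only by `sha1sums`; adding `sha256sums` for the sources would give a stronger integrity check.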
@@ -0,0 +1,77 @@ +Index: libopenjpeg/jp2.c +=================================================================== +--- libopenjpeg/jp2.c (revision 2028) ++++ libopenjpeg/jp2.c (revision 2029) +@@ -173,6 +173,10 @@ + else if (box->length == 0) { + box->length = cio_numbytesleft(cio) + 8; + } ++ if (box->length < 0) { ++ opj_event_msg(cinfo, EVT_ERROR, "Integer overflow in box->length\n"); ++ return OPJ_FALSE; // TODO: actually check jp2_read_boxhdr's return value ++ } + + return OPJ_TRUE; + } +@@ -654,6 +658,7 @@ + opj_event_msg(cinfo, EVT_ERROR, "Expected JP2H Marker\n"); + return OPJ_FALSE; + } ++ if (box.length <= 8) return OPJ_FALSE; + cio_skip(cio, box.length - 8); + + if(cio->bp >= cio->end) return OPJ_FALSE; +@@ -679,6 +684,7 @@ + { + if( !jp2_read_colr(jp2, cio, &box, color)) + { ++ if (box.length <= 8) return OPJ_FALSE; + cio_seek(cio, box.init_pos + 8); + cio_skip(cio, box.length - 8); + } +@@ -689,6 +695,7 @@ + { + if( !jp2_read_cdef(jp2, cio, &box, color)) + { ++ if (box.length <= 8) return OPJ_FALSE; + cio_seek(cio, box.init_pos + 8); + cio_skip(cio, box.length - 8); + } +@@ -699,6 +706,7 @@ + { + if( !jp2_read_pclr(jp2, cio, &box, color)) + { ++ if (box.length <= 8) return OPJ_FALSE; + cio_seek(cio, box.init_pos + 8); + cio_skip(cio, box.length - 8); + } +@@ -709,12 +717,14 @@ + { + if( !jp2_read_cmap(jp2, cio, &box, color)) + { ++ if (box.length <= 8) return OPJ_FALSE; + cio_seek(cio, box.init_pos + 8); + cio_skip(cio, box.length - 8); + } + if( jp2_read_boxhdr(cinfo, cio, &box) == OPJ_FALSE ) return OPJ_FALSE; + continue; + } ++ if (box.length <= 8) return OPJ_FALSE; + cio_seek(cio, box.init_pos + 8); + cio_skip(cio, box.length - 8); + if( jp2_read_boxhdr(cinfo, cio, &box) == OPJ_FALSE ) return OPJ_FALSE; +@@ -910,12 +920,14 @@ + } + do { + if(JP2_JP2C != box.type) { ++ if (box.length <= 8) return OPJ_FALSE; + cio_skip(cio, box.length - 8); + if( jp2_read_boxhdr(cinfo, cio, &box) == OPJ_FALSE ) return OPJ_FALSE; + } + } while(JP2_JP2C != box.type); + + 
*j2k_codestream_offset = cio_tell(cio); ++ if (box.length <= 8) return OPJ_FALSE; + *j2k_codestream_length = box.length - 8; + + return OPJ_TRUE; diff --git a/extra/openjpeg/openjpeg-1.5-r2031.patch b/extra/openjpeg/openjpeg-1.5-r2031.patch new file mode 100644 index 000000000..d8249acad --- /dev/null +++ b/extra/openjpeg/openjpeg-1.5-r2031.patch @@ -0,0 +1,24 @@ +Index: libopenjpeg/jpwl/Makefile.am +=================================================================== +--- libopenjpeg/jpwl/Makefile.am (revision 2030) ++++ libopenjpeg/jpwl/Makefile.am (revision 2031) +@@ -18,7 +18,6 @@ + ../pi.c \ + ../raw.c \ + ../t1.c \ +-../t1_generate_luts.c \ + ../t2.c \ + ../tcd.c \ + ../tgt.c \ +Index: libopenjpeg/Makefile.am +=================================================================== +--- libopenjpeg/Makefile.am (revision 2030) ++++ libopenjpeg/Makefile.am (revision 2031) +@@ -35,7 +35,6 @@ + pi.c \ + raw.c \ + t1.c \ +-t1_generate_luts.c \ + t2.c \ + tcd.c \ + tgt.c \ diff --git a/extra/openjpeg/openjpeg-1.5-r2032.patch b/extra/openjpeg/openjpeg-1.5-r2032.patch new file mode 100644 index 000000000..3d7d4fa7c --- /dev/null +++ b/extra/openjpeg/openjpeg-1.5-r2032.patch 
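Review bot: The new `box->length < 0` branch in jp2_read_boxhdr only protects call sites that test the return value, and the TODO on that same line says not all of them do. The repeated `if (box.length <= 8) return OPJ_FALSE;` guards cover the skips shown here, but any other use of box.length after an unchecked jp2_read_boxhdr call stays exposed; checking the result at every call, as the `== OPJ_FALSE` tests in the later hunks already do, would close that in one place. The guard as written also rejects a box of exactly 8 bytes (header only, empty payload), where `cio_skip(cio, 0)` would be harmless; if such boxes are legal for these box types, `if (box.length < 8) return OPJ_FALSE;` is the tighter test for the skip-only sites. The enclosing functions start and end outside the hunks.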
@@ -0,0 +1,30 @@ +Index: libopenjpeg/j2k.c +=================================================================== +--- libopenjpeg/j2k.c (revision 2031) ++++ libopenjpeg/j2k.c (revision 2032) +@@ -468,6 +468,12 @@ + } + #endif /* USE_JPWL */ + ++ /* prevent division by zero */ ++ if (!(cp->tdx * cp->tdy)) { ++ opj_event_msg(j2k->cinfo, EVT_ERROR, "JPWL: invalid tile size (tdx: %d, tdy: %d)\n", cp->tdx, cp->tdy); ++ return; ++ } ++ + image->comps = (opj_image_comp_t*) opj_calloc(image->numcomps, sizeof(opj_image_comp_t)); + for (i = 0; i < image->numcomps; i++) { + int tmp, w, h; +@@ -506,6 +512,12 @@ + } + #endif /* USE_JPWL */ + ++ /* prevent division by zero */ ++ if (!(image->comps[i].dx * image->comps[i].dy)) { ++ opj_event_msg(j2k->cinfo, EVT_ERROR, "JPWL: invalid component size (dx: %d, dy: %d)\n", image->comps[i].dx, image->comps[i].dy); ++ return; ++ } ++ + /* TODO: unused ? */ + w = int_ceildiv(image->x1 - image->x0, image->comps[i].dx); + h = int_ceildiv(image->y1 - image->y0, image->comps[i].dy); diff --git a/extra/openjpeg/openjpeg-1.5-r2033.patch b/extra/openjpeg/openjpeg-1.5-r2033.patch new file mode 100644 index 000000000..a84513913 --- /dev/null +++ b/extra/openjpeg/openjpeg-1.5-r2033.patch 
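Review bot: Both zero tests multiply the two fields first (`!(cp->tdx * cp->tdy)`, `!(image->comps[i].dx * image->comps[i].dy)`), so if these are signed ints, as the `%d` in the messages suggests, a product that overflows is undefined and two non-zero values whose product wraps to zero are reported as a zero size. Testing the operands directly avoids that: `if (cp->tdx == 0 || cp->tdy == 0) {` and `if (image->comps[i].dx == 0 || image->comps[i].dy == 0) {`. The bare `return;` leaves `j2k->state` untouched; unless the caller detects the failure some other way (not visible here), decoding may carry on with `image->comps` unallocated, so setting `j2k->state |= J2K_STATE_ERR;` before returning is worth considering, and the same applies to the three new returns in the r2033 patch. Both messages are prefixed `JPWL:` although the checks sit after `#endif /* USE_JPWL */`, which will mislead anyone reading the log.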
@@ -0,0 +1,49 @@ +Index: libopenjpeg/j2k.c +=================================================================== +--- libopenjpeg/j2k.c (revision 2032) ++++ libopenjpeg/j2k.c (revision 2033) +@@ -835,6 +835,12 @@ + + len = cio_read(cio, 2); /* Lcoc */ + compno = cio_read(cio, image->numcomps <= 256 ? 1 : 2); /* Ccoc */ ++ if (compno >= image->numcomps) { ++ opj_event_msg(j2k->cinfo, EVT_ERROR, ++ "bad component number in COC (%d out of a maximum of %d)\n", ++ compno, image->numcomps); ++ return; ++ } + tcp->tccps[compno].csty = cio_read(cio, 1); /* Scoc */ + j2k_read_cox(j2k, compno); + } +@@ -1016,9 +1022,16 @@ + + /* keep your private count of tiles */ + backup_compno++; +- }; ++ } + #endif /* USE_JPWL */ + ++ if ((compno < 0) || (compno >= numcomp)) { ++ opj_event_msg(j2k->cinfo, EVT_ERROR, ++ "bad component number in QCC (%d out of a maximum of %d)\n", ++ compno, j2k->image->numcomps); ++ return; ++ } ++ + j2k_read_qcx(j2k, compno, len - 2 - (numcomp <= 256 ? 1 : 2)); + } + +@@ -1602,6 +1615,13 @@ + }; + #endif /* USE_JPWL */ + ++ if (compno >= numcomps) { ++ opj_event_msg(j2k->cinfo, EVT_ERROR, ++ "bad component number in RGN (%d out of a maximum of %d)\n", ++ compno, j2k->image->numcomps); ++ return; ++ } ++ + tcp->tccps[compno].roishift = cio_read(cio, 1); /* SPrgn */ + } + diff --git a/extra/openjpeg/openjpeg-1.5.1-CVE-2013-1447.patch b/extra/openjpeg/openjpeg-1.5.1-CVE-2013-1447.patch new file mode 100644 index 000000000..a0e372325 --- /dev/null +++ b/extra/openjpeg/openjpeg-1.5.1-CVE-2013-1447.patch 
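Review bot: The three new range checks are not written alike: the QCC check tests `(compno < 0) || (compno >= numcomp)`, while the COC and RGN checks test only the upper bound. If compno is a signed int in those two functions (its declaration is outside the hunks), the lower bound belongs there as well, e.g. `if (compno < 0 || compno >= image->numcomps) {` for COC, since the value is used directly as an index into `tcp->tccps`. The QCC and RGN messages also print `j2k->image->numcomps` rather than the local (`numcomp`, `numcomps`) the comparison used; printing the compared value keeps the log consistent with the decision.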
@@ -0,0 +1,165 @@ +diff -up openjpeg-1.5.1/libopenjpeg/cio.c.CVE-2013-1447 openjpeg-1.5.1/libopenjpeg/cio.c +--- openjpeg-1.5.1/libopenjpeg/cio.c.CVE-2013-1447 2014-01-07 15:12:20.517748762 -0600 ++++ openjpeg-1.5.1/libopenjpeg/cio.c 2014-01-07 15:12:20.533748592 -0600 +@@ -107,6 +107,11 @@ int OPJ_CALLCONV cio_tell(opj_cio_t *cio + * pos : position, in number of bytes, from the beginning of the stream + */ + void OPJ_CALLCONV cio_seek(opj_cio_t *cio, int pos) { ++ if ((cio->start + pos) > cio->end) { ++ opj_event_msg(cio->cinfo, EVT_ERROR, "error: trying to seek past the end of the codestream (start = %d, change = %d, end = %d\n", cio->start, pos, cio->end); ++ cio->bp = cio->end; ++ return; ++ } + cio->bp = cio->start + pos; + } + +@@ -114,6 +119,7 @@ void OPJ_CALLCONV cio_seek(opj_cio_t *ci + * Number of bytes left before the end of the stream. + */ + int cio_numbytesleft(opj_cio_t *cio) { ++ assert((cio->end - cio->bp) >= 0); + return cio->end - cio->bp; + } + +@@ -191,6 +197,11 @@ unsigned int cio_read(opj_cio_t *cio, in + */ + void cio_skip(opj_cio_t *cio, int n) { + assert((cio->bp + n) >= cio->bp); ++ if (((cio->bp + n) < cio->start) || ((cio->bp + n) > cio->end)) { ++ opj_event_msg(cio->cinfo, EVT_ERROR, "error: trying to skip bytes past the end of the codestream (current = %d, change = %d, end = %d\n", cio->bp, n, cio->end); ++ cio->bp = cio->end; ++ return; ++ } + cio->bp += n; + } + +diff -up openjpeg-1.5.1/libopenjpeg/j2k.c.CVE-2013-1447 openjpeg-1.5.1/libopenjpeg/j2k.c +--- openjpeg-1.5.1/libopenjpeg/j2k.c.CVE-2013-1447 2014-01-07 15:12:20.525748677 -0600 ++++ openjpeg-1.5.1/libopenjpeg/j2k.c 2014-01-07 15:12:20.534748582 -0600 +@@ -476,7 +476,7 @@ static void j2k_read_siz(opj_j2k_t *j2k) + + image->comps = (opj_image_comp_t*) opj_calloc(image->numcomps, sizeof(opj_image_comp_t)); + for (i = 0; i < image->numcomps; i++) { +- int tmp, w, h; ++ int tmp/*, w, h*/; + tmp = cio_read(cio, 1); /* Ssiz_i */ + image->comps[i].prec = (tmp & 0x7f) + 1; + 
image->comps[i].sgnd = tmp >> 7; +@@ -511,6 +511,14 @@ static void j2k_read_siz(opj_j2k_t *j2k) + + } + #endif /* USE_JPWL */ ++ { ++ if (!(image->comps[i].dx * image->comps[i].dy)) { ++ opj_event_msg(j2k->cinfo, EVT_ERROR, ++ "JPWL: bad XRsiz_%d/YRsiz_%d (%d x %d)\n", ++ i, i, image->comps[i].dx, image->comps[i].dy); ++ return; ++ } ++ } + + /* prevent division by zero */ + if (!(image->comps[i].dx * image->comps[i].dy)) { +@@ -519,8 +527,8 @@ static void j2k_read_siz(opj_j2k_t *j2k) + } + + /* TODO: unused ? */ +- w = int_ceildiv(image->x1 - image->x0, image->comps[i].dx); +- h = int_ceildiv(image->y1 - image->y0, image->comps[i].dy); ++/* w = int_ceildiv(image->x1 - image->x0, image->comps[i].dx); ++ h = int_ceildiv(image->y1 - image->y0, image->comps[i].dy);*/ + + image->comps[i].resno_decoded = 0; /* number of resolution decoded */ + image->comps[i].factor = cp->reduce; /* reducing factor per component */ +@@ -2015,6 +2023,11 @@ opj_image_t* j2k_decode(opj_j2k_t *j2k, + } + if (j2k->state == J2K_STATE_NEOC) { + j2k_read_eoc(j2k); ++ /* Check one last time for errors during decoding before returning */ ++ if (j2k->state & J2K_STATE_ERR) { ++ opj_image_destroy(image); ++ return NULL; ++ } + } + + if (j2k->state != J2K_STATE_MT) { +diff -up openjpeg-1.5.1/libopenjpeg/jp2.c.CVE-2013-1447 openjpeg-1.5.1/libopenjpeg/jp2.c +--- openjpeg-1.5.1/libopenjpeg/jp2.c.CVE-2013-1447 2014-01-07 15:12:20.518748752 -0600 ++++ openjpeg-1.5.1/libopenjpeg/jp2.c 2014-01-07 15:12:20.535748571 -0600 +@@ -819,6 +819,17 @@ void jp2_write_jp2h(opj_jp2_t *jp2, opj_ + + jp2_write_ihdr(jp2, cio); + ++ { ++ int curpos = cio_tell(cio); ++ cio_seek(cio, box.init_pos); ++ cio_skip(cio, box.length); ++ if ((cio_tell(cio) - box.init_pos) != box.length) { ++ opj_event_msg(jp2->cinfo, EVT_ERROR, "Box size exceeds size of codestream (expected: %d, real: %d)\n", box.length, (cio_tell(cio) - box.init_pos)); ++ return OPJ_FALSE; ++ } ++ cio_seek(cio, curpos); ++ } ++ + if (jp2->bpc == 255) { + 
jp2_write_bpcc(jp2, cio); + } +@@ -871,6 +882,13 @@ static opj_bool jp2_read_ftyp(opj_jp2_t + jp2->numcl = (box.length - 16) / 4; + jp2->cl = (unsigned int *) opj_malloc(jp2->numcl * sizeof(unsigned int)); + ++ if (cio_numbytesleft(cio) < ((int)jp2->numcl * 4)) { ++ opj_event_msg(cinfo, EVT_ERROR, "Not enough bytes in FTYP Box " ++ "(expected %d, but only %d left)\n", ++ ((int)jp2->numcl * 4), cio_numbytesleft(cio)); ++ return OPJ_FALSE; ++ } ++ + for (i = 0; i < (int)jp2->numcl; i++) { + jp2->cl[i] = cio_read(cio, 4); /* CLi */ + } +diff -up openjpeg-1.5.1/libopenjpeg/t2.c.CVE-2013-1447 openjpeg-1.5.1/libopenjpeg/t2.c +--- openjpeg-1.5.1/libopenjpeg/t2.c.CVE-2013-1447 2012-09-13 02:58:39.000000000 -0500 ++++ openjpeg-1.5.1/libopenjpeg/t2.c 2014-01-07 15:12:20.535748571 -0600 +@@ -340,6 +340,11 @@ static int t2_decode_packet(opj_t2_t* t2 + int precno = pi->precno; /* precinct value */ + int layno = pi->layno; /* quality layer value */ + ++ if (!&(tile->comps[compno])) { ++ opj_event_msg(t2->cinfo, EVT_ERROR, "Trying to decode tile with no components!\n"); ++ return -999; ++ } ++ + opj_tcd_resolution_t* res = &tile->comps[compno].resolutions[resno]; + + unsigned char *hd = NULL; +diff -up openjpeg-1.5.1/libopenjpeg/tcd.c.CVE-2013-1447 openjpeg-1.5.1/libopenjpeg/tcd.c +--- openjpeg-1.5.1/libopenjpeg/tcd.c.CVE-2013-1447 2014-01-07 15:12:20.526748667 -0600 ++++ openjpeg-1.5.1/libopenjpeg/tcd.c 2014-01-07 15:12:20.536748561 -0600 +@@ -667,8 +667,8 @@ void tcd_malloc_decode(opj_tcd_t *tcd, o + y1 = j == 0 ? 
tilec->y1 : int_max(y1, (unsigned int) tilec->y1); + } + +- w = int_ceildivpow2(x1 - x0, image->comps[i].factor); +- h = int_ceildivpow2(y1 - y0, image->comps[i].factor); ++ w = int_ceildivpow2((long)(x1) - (long)(x0), image->comps[i].factor); ++ h = int_ceildivpow2((long)(y1) - (long)(y0), image->comps[i].factor); + + image->comps[i].w = w; + image->comps[i].h = h; +@@ -1381,7 +1381,15 @@ opj_bool tcd_decode_tile(opj_tcd_t *tcd, + if (l == -999) { + eof = 1; + opj_event_msg(tcd->cinfo, EVT_ERROR, "tcd_decode: incomplete bistream\n"); ++ return OPJ_FALSE; + } ++ ++ /* The code below assumes that numcomps > 0 */ ++ if (tile->numcomps <= 0) { ++ opj_event_msg(tcd->cinfo, EVT_ERROR, "tcd_decode: tile has a zero or negative numcomps\n"); ++ return OPJ_TRUE; ++ } ++ + + /*------------------TIER1-----------------*/ + diff --git a/extra/openjpeg/openjpeg-1.5.1-CVE-2013-6045.patch b/extra/openjpeg/openjpeg-1.5.1-CVE-2013-6045.patch new file mode 100644 index 000000000..f45566f36 --- /dev/null +++ b/extra/openjpeg/openjpeg-1.5.1-CVE-2013-6045.patch 
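Review bot: The new range checks in cio_seek and cio_skip compare a pointer that has already been moved (`cio->start + pos`, `cio->bp + n`), which is undefined once it leaves the buffer and allows a compiler to drop the comparison; cio_seek also accepts a negative pos. Comparing offsets keeps the arithmetic in range: `if (pos < 0 || pos > cio->end - cio->start) {` and `if (n < cio->start - cio->bp || n > cio->end - cio->bp) {`. The same messages pass the pointers `cio->start`, `cio->bp` and `cio->end` to `%d` (as does the cio_bytein message in the CVE-2013-6052 patch); printing offsets, or `%p` with a `void *` cast, would match the arguments. In t2_decode_packet, `!&(tile->comps[compno])` tests the address of an array element, so it can only fire when `tile->comps` is NULL and compno is 0; `if (tile->comps == NULL) {` states the intended condition. The block added under the `jp2_write_jp2h` hunk header does `return OPJ_FALSE;` in a function that header shows as `void`, and it validates `box.length` on the write path, so it looks as if it was meant for the reader and should be confirmed against upstream.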
@@ -0,0 +1,60 @@ +diff -up openjpeg-1.5.1/libopenjpeg/j2k.c.CVE-2013-6045 openjpeg-1.5.1/libopenjpeg/j2k.c +--- openjpeg-1.5.1/libopenjpeg/j2k.c.CVE-2013-6045 2014-01-07 15:11:30.622278207 -0600 ++++ openjpeg-1.5.1/libopenjpeg/j2k.c 2014-01-07 15:11:30.626278165 -0600 +@@ -1076,6 +1076,17 @@ static void j2k_read_poc(opj_j2k_t *j2k) + tcp->POC = 1; + len = cio_read(cio, 2); /* Lpoc */ + numpchgs = (len - 2) / (5 + 2 * (numcomps <= 256 ? 1 : 2)); ++ ++ { ++ /* old_poc < 0 "just in case" */ ++ int maxpocs = (sizeof(tcp->pocs)/sizeof(tcp->pocs[0])); ++ if ((old_poc < 0) || ((numpchgs + old_poc) >= maxpocs)) { ++ opj_event_msg(j2k->cinfo, EVT_ERROR, ++ "JPWL: bad number of progression order changes (%d out of a maximum of %d)\n", ++ (numpchgs + old_poc), maxpocs); ++ return; ++ } ++ } + + for (i = old_poc; i < numpchgs + old_poc; i++) { + opj_poc_t *poc; +@@ -1622,6 +1633,14 @@ static void j2k_read_rgn(opj_j2k_t *j2k) + return; + } + ++ /* totlen is negative or larger than the bytes left!!! */ ++ if (compno >= numcomps) { ++ opj_event_msg(j2k->cinfo, EVT_ERROR, ++ "JPWL: bad component number in RGN (%d when there are only %d)\n", ++ compno, numcomps); ++ return; ++ } ++ + tcp->tccps[compno].roishift = cio_read(cio, 1); /* SPrgn */ + } + +diff -up openjpeg-1.5.1/libopenjpeg/tcd.c.CVE-2013-6045 openjpeg-1.5.1/libopenjpeg/tcd.c +--- openjpeg-1.5.1/libopenjpeg/tcd.c.CVE-2013-6045 2012-09-13 02:58:39.000000000 -0500 ++++ openjpeg-1.5.1/libopenjpeg/tcd.c 2014-01-07 15:11:30.626278165 -0600 +@@ -1394,10 +1394,19 @@ opj_bool tcd_decode_tile(opj_tcd_t *tcd, + return OPJ_FALSE; + } + ++ int comp0size = (tile->comps[0].x1 - tile->comps[0].x0) * (tile->comps[0].y1 - tile->comps[0].y0); + for (compno = 0; compno < tile->numcomps; ++compno) { + opj_tcd_tilecomp_t* tilec = &tile->comps[compno]; ++ int compcsize = ((tilec->x1 - tilec->x0) * (tilec->y1 - tilec->y0)); ++ /* Later-on it is assumed that all components are of at least comp0size blocks */ ++ if (compcsize < comp0size) ++ { 
++ opj_event_msg(tcd->cinfo, EVT_ERROR, "Error decoding tile. Component %d contains only %d blocks " ++ "while component 0 has %d blocks\n", compno, compcsize, comp0size); ++ return OPJ_FALSE; ++ } + /* The +3 is headroom required by the vectorized DWT */ +- tilec->data = (int*) opj_aligned_malloc((((tilec->x1 - tilec->x0) * (tilec->y1 - tilec->y0))+3) * sizeof(int)); ++ tilec->data = (int*) opj_aligned_malloc((comp0size+3) * sizeof(int)); + if (tilec->data == NULL) + { + opj_event_msg(tcd->cinfo, EVT_ERROR, "Out of memory\n"); diff --git a/extra/openjpeg/openjpeg-1.5.1-CVE-2013-6052.patch b/extra/openjpeg/openjpeg-1.5.1-CVE-2013-6052.patch new file mode 100644 index 000000000..a157f39a7 --- /dev/null +++ b/extra/openjpeg/openjpeg-1.5.1-CVE-2013-6052.patch 
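Review bot: The allocation in tcd_decode_tile now sizes every component buffer from component 0 (`(comp0size+3) * sizeof(int)`), and the new check rejects only components smaller than component 0, so a component larger than component 0 gets a smaller buffer than the removed line allocated for it. Unless something outside the hunk guarantees equal sizes, that under-allocates for data the rest of the decoder sizes per component; allocating `((compcsize > comp0size ? compcsize : comp0size) + 3) * sizeof(int)` satisfies both the old and the new assumption. Both size products are computed in `int` from coordinates that come from the file and can overflow before the comparison is made. The second j2k.c hunk repeats the `compno >= numcomps` RGN check that the r2033 patch already adds, under a comment about `totlen` that does not describe it. This is the patch left disabled in prepare() in the PKGBUILD.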
@@ -0,0 +1,53 @@ +diff -up openjpeg-1.5.1/libopenjpeg/cio.c.CVE-2013-6052 openjpeg-1.5.1/libopenjpeg/cio.c +--- openjpeg-1.5.1/libopenjpeg/cio.c.CVE-2013-6052 2012-09-13 02:58:39.000000000 -0500 ++++ openjpeg-1.5.1/libopenjpeg/cio.c 2014-01-07 14:43:14.213256439 -0600 +@@ -30,6 +30,7 @@ + */ + + #include "opj_includes.h" ++#include <assert.h> + + /* ----------------------------------------------------------------------- */ + +@@ -139,6 +140,11 @@ opj_bool cio_byteout(opj_cio_t *cio, uns + * Read a byte. + */ + unsigned char cio_bytein(opj_cio_t *cio) { ++ if (cio->bp < cio->start) { ++ opj_event_msg(cio->cinfo, EVT_ERROR, "read error: trying to read from before the start of the codestream (start = %d, current = %d, end = %d\n", cio->start, cio->bp, cio->end); ++ abort(); ++ return 0; ++ } + if (cio->bp >= cio->end) { + opj_event_msg(cio->cinfo, EVT_ERROR, "read error: passed the end of the codestream (start = %d, current = %d, end = %d\n", cio->start, cio->bp, cio->end); + return 0; +@@ -173,7 +179,7 @@ unsigned int cio_read(opj_cio_t *cio, in + unsigned int v; + v = 0; + for (i = n - 1; i >= 0; i--) { +- v += cio_bytein(cio) << (i << 3); ++ v += (unsigned int)cio_bytein(cio) << (i << 3); + } + return v; + } +@@ -184,6 +190,7 @@ unsigned int cio_read(opj_cio_t *cio, in + * n : number of bytes to skip + */ + void cio_skip(opj_cio_t *cio, int n) { ++ assert((cio->bp + n) >= cio->bp); + cio->bp += n; + } + +diff -up openjpeg-1.5.1/libopenjpeg/jp2.c.CVE-2013-6052 openjpeg-1.5.1/libopenjpeg/jp2.c +--- openjpeg-1.5.1/libopenjpeg/jp2.c.CVE-2013-6052 2014-01-07 14:43:14.201256566 -0600 ++++ openjpeg-1.5.1/libopenjpeg/jp2.c 2014-01-07 14:43:14.214256428 -0600 +@@ -172,6 +172,9 @@ static opj_bool jp2_read_boxhdr(opj_comm + } + else if (box->length == 0) { + box->length = cio_numbytesleft(cio) + 8; ++ } else if (box->length < 0) { ++ opj_event_msg(cinfo, EVT_ERROR, "Invalid, negative, size of box\n"); ++ return OPJ_FALSE; + } + if (box->length < 0) { + opj_event_msg(cinfo, 
EVT_ERROR, "Integer overflow in box->length\n"); diff --git a/extra/openjpeg/openjpeg-1.5.1-CVE-2013-6053.patch b/extra/openjpeg/openjpeg-1.5.1-CVE-2013-6053.patch new file mode 100644 index 000000000..292084a98 --- /dev/null +++ b/extra/openjpeg/openjpeg-1.5.1-CVE-2013-6053.patch @@ -0,0 +1,12 @@ +diff -up openjpeg-1.5.1/libopenjpeg/j2k.c.CVE-2013-6053 openjpeg-1.5.1/libopenjpeg/j2k.c +--- openjpeg-1.5.1/libopenjpeg/j2k.c.CVE-2013-6053 2014-01-07 14:44:40.086344624 -0600 ++++ openjpeg-1.5.1/libopenjpeg/j2k.c 2014-01-07 14:44:40.092344561 -0600 +@@ -422,7 +422,7 @@ static void j2k_read_siz(opj_j2k_t *j2k) + + if ((image->x0<0)||(image->x1<0)||(image->y0<0)||(image->y1<0)) { + opj_event_msg(j2k->cinfo, EVT_ERROR, +- "%s: invalid image size (x0:%d, x1:%d, y0:%d, y1:%d)\n", ++ "invalid image size (x0:%d, x1:%d, y0:%d, y1:%d)\n", + image->x0,image->x1,image->y0,image->y1); + return; + } diff --git a/extra/openjpeg/openjpeg-1.5.1-CVE-2013-6887.patch b/extra/openjpeg/openjpeg-1.5.1-CVE-2013-6887.patch new file mode 100644 index 000000000..f9d68ef4b --- /dev/null +++ b/extra/openjpeg/openjpeg-1.5.1-CVE-2013-6887.patch 
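Review bot: The new underflow branch in cio_bytein calls `abort()`, so a malformed file that drives `cio->bp` below `cio->start` terminates whatever process embeds the library instead of failing the decode; the `return 0;` after it is unreachable. Returning 0 after the message, as the existing end-of-stream branch directly below does, keeps the failure inside the decoder. The guard added to cio_skip is an `assert`, which is compiled out under NDEBUG and tests `cio->bp + n` after the out-of-range pointer has already been formed, so release builds get no check from it. The file gains `#include <assert.h>` but `abort()` needs `<stdlib.h>`; whether `opj_includes.h` already provides it is not visible here.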
@@ -0,0 +1,30 @@ +diff -up openjpeg-1.5.1/libopenjpeg/j2k.c.CVE-2013-6887 openjpeg-1.5.1/libopenjpeg/j2k.c +--- openjpeg-1.5.1/libopenjpeg/j2k.c.CVE-2013-6887 2014-01-07 15:13:20.297114457 -0600 ++++ openjpeg-1.5.1/libopenjpeg/j2k.c 2014-01-07 15:13:20.302114404 -0600 +@@ -1697,8 +1697,11 @@ static void j2k_read_eoc(opj_j2k_t *j2k) + else { + for (i = 0; i < j2k->cp->tileno_size; i++) { + tileno = j2k->cp->tileno[i]; +- opj_free(j2k->tile_data[tileno]); +- j2k->tile_data[tileno] = NULL; ++ /* not sure if this can actually happen */ ++ if (tileno != -1) { ++ opj_free(j2k->tile_data[tileno]); ++ j2k->tile_data[tileno] = NULL; ++ } + } + } + if (j2k->state & J2K_STATE_ERR) +@@ -1858,8 +1861,10 @@ void j2k_destroy_decompress(opj_j2k_t *j + if(j2k->cp != NULL) { + for (i = 0; i < j2k->cp->tileno_size; i++) { + int tileno = j2k->cp->tileno[i]; +- opj_free(j2k->tile_data[tileno]); +- j2k->tile_data[tileno] = NULL; ++ if (tileno != -1) { ++ opj_free(j2k->tile_data[tileno]); ++ j2k->tile_data[tileno] = NULL; ++ } + } + } + diff --git a/extra/openjpeg/openjpeg-1.5.1-doxygen_timestamp.patch b/extra/openjpeg/openjpeg-1.5.1-doxygen_timestamp.patch new file mode 100644 index 000000000..2f5999992 --- /dev/null +++ b/extra/openjpeg/openjpeg-1.5.1-doxygen_timestamp.patch 
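Review bot: The new guard skips only the value -1; any other `tileno` read from `j2k->cp->tileno[i]` is still used unchecked as an index into `j2k->tile_data` in both j2k_read_eoc and j2k_destroy_decompress, and the added comment (`not sure if this can actually happen`) shows the invariant is not established. If the tileno[] entries derive from the codestream, a range test against the number of allocated tile_data slots (that bound is defined outside the hunks) would cover negative and oversized values as well as the sentinel. The two loops are now identical and could share one static helper so the check lives in a single place.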
@@ -0,0 +1,24 @@ +diff -up openjpeg-1.5.1/doc/Doxyfile.dox.cmake.in.doxygen_timestamp openjpeg-1.5.1/doc/Doxyfile.dox.cmake.in +--- openjpeg-1.5.1/doc/Doxyfile.dox.cmake.in.doxygen_timestamp 2012-09-13 02:58:39.000000000 -0500 ++++ openjpeg-1.5.1/doc/Doxyfile.dox.cmake.in 2012-12-06 15:23:35.079838524 -0600 +@@ -148,7 +148,7 @@ HTML_STYLESHEET = + HTML_COLORSTYLE_HUE = 220 + HTML_COLORSTYLE_SAT = 100 + HTML_COLORSTYLE_GAMMA = 80 +-HTML_TIMESTAMP = YES ++HTML_TIMESTAMP = NO + HTML_ALIGN_MEMBERS = YES + HTML_DYNAMIC_SECTIONS = NO + GENERATE_DOCSET = NO +diff -up openjpeg-1.5.1/doc/Doxyfile.dox.doxygen_timestamp openjpeg-1.5.1/doc/Doxyfile.dox +--- openjpeg-1.5.1/doc/Doxyfile.dox.doxygen_timestamp 2012-09-13 02:58:39.000000000 -0500 ++++ openjpeg-1.5.1/doc/Doxyfile.dox 2012-12-06 15:23:37.177813275 -0600 +@@ -147,7 +147,7 @@ HTML_STYLESHEET = + HTML_COLORSTYLE_HUE = 220 + HTML_COLORSTYLE_SAT = 100 + HTML_COLORSTYLE_GAMMA = 80 +-HTML_TIMESTAMP = YES ++HTML_TIMESTAMP = NO + HTML_ALIGN_MEMBERS = YES + HTML_DYNAMIC_SECTIONS = NO + GENERATE_DOCSET = NO |