fix CVE-2020-27814

2021-02-20 09:30:41 +08:00 · 2021-02-20 09:30:41 +08:00 · 2a5de0e9af
commit 2a5de0e9af
parent e62bcb7c1d
2 changed files with 48 additions and 1 deletions
--- a/backport-CVE-2020-27814.patch
+++ b/backport-CVE-2020-27814.patch
@ -0,0 +1,43 @@
+From eaa098b59b346cb88e4d10d505061f669d7134fc Mon Sep 17 00:00:00 2001
+From: Even Rouault <even.rouault@spatialys.com>
+Date: Mon, 23 Nov 2020 13:49:05 +0100
+Subject: [PATCH] Encoder: grow buffer size in
+ opj_tcd_code_block_enc_allocate_data() to avoid write heap buffer overflow in
+ opj_mqc_flush (fixes #1283)
+
+reference:
+https://github.com/uclouvain/openjpeg/commit/eaa098b59b346cb88e4d10d505061f669d7134fc
+https://github.com/uclouvain/openjpeg/commit/15cf3d95814dc931ca0ecb132f81cb152e051bae
+https://github.com/uclouvain/openjpeg/commit/649298dcf84b2f20cfe458d887c1591db47372a6
+https://github.com/uclouvain/openjpeg/commit/4ce7d285a55d29b79880d0566d4b010fe1907aa9
+
+---
+ src/lib/openjp2/tcd.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/src/lib/openjp2/tcd.c b/src/lib/openjp2/tcd.c
+index be3b843..673cca2 100644
+--- a/src/lib/openjp2/tcd.c
+++ b/src/lib/openjp2/tcd.c
+@@ -1219,10 +1219,16 @@ static OPJ_BOOL opj_tcd_code_block_enc_allocate_data(opj_tcd_cblk_enc_t *
+
+     /* +1 is needed for https://github.com/uclouvain/openjpeg/issues/835 */
+     /* and actually +2 required for https://github.com/uclouvain/openjpeg/issues/982 */
+    /* and +7 for https://github.com/uclouvain/openjpeg/issues/1283 (-M 3) */
+    /* and +26 for https://github.com/uclouvain/openjpeg/issues/1283 (-M 7) */
+    /* and +28 for https://github.com/uclouvain/openjpeg/issues/1283 (-M 44) */
+    /* and +33 for https://github.com/uclouvain/openjpeg/issues/1283 (-M 4) */
+    /* and +63 for https://github.com/uclouvain/openjpeg/issues/1283 (-M 4 -IMF 2K) */
+    /* and +74 for https://github.com/uclouvain/openjpeg/issues/1283 (-M 4 -n 8 -s 7,7 -I) */
+     /* TODO: is there a theoretical upper-bound for the compressed code */
+     /* block size ? */
+-    l_data_size = 2 + (OPJ_UINT32)((p_code_block->x1 - p_code_block->x0) *
+-                                   (p_code_block->y1 - p_code_block->y0) * (OPJ_INT32)sizeof(OPJ_UINT32));
+    l_data_size = 74 + (OPJ_UINT32)((p_code_block->x1 - p_code_block->x0) *
+                                    (p_code_block->y1 - p_code_block->y0) * (OPJ_INT32)sizeof(OPJ_UINT32));
+
+     if (l_data_size > p_code_block->data_size) {
+         if (p_code_block->data) {
+--
+2.23.0
+
--- a/openjpeg2.spec
+++ b/openjpeg2.spec
@ -1,6 +1,6 @@
 Name:           openjpeg2
 Version:        2.3.1
-Release:        3
+Release:        4
 Summary:        C-Library for JPEG 2000
 License:        BSD and MIT
 URL:            https://github.com/uclouvain/openjpeg
@ -12,6 +12,7 @@ Patch1:         openjpeg2_opj2.patch
 Patch6000:	CVE-2016-10505.patch
 Patch6001:	CVE-2016-7445.patch
 Patch6002:      CVE-2020-15389.patch
+Patch6003:      backport-CVE-2020-27814.patch

 BuildRequires:  cmake gcc-c++ make zlib-devel libpng-devel libtiff-devel lcms2-devel doxygen

@ -87,6 +88,9 @@ mv %{buildroot}%{_mandir}/man1/opj_dump.1 %{buildroot}%{_mandir}/man1/opj2_dump.
 %{_mandir}/man3/*.3*

 %changelog
+* Sat Feb 20 2021 jinzhimin <jinzhimin2@huawei.com> - 2.3.1-4
+- fix CVE-2020-27814
+
 * Sat Jul 25 2020 zhangnaru <zhangnaru@huawei.com> -2.3.1-3
 - fix CVE-2020-15389