update code
This commit is contained in:
zhuchunyi
parent
833ca6e5d1
commit
43e87c2c3a
@ -1,42 +0,0 @@
|
||||
From 0bc90e4062a5f9258c91eca018c019b179066c62 Mon Sep 17 00:00:00 2001
|
||||
From: Hugo Lefeuvre <hle@debian.org>
|
||||
Date: Mon, 22 Oct 2018 16:59:41 +0200
|
||||
Subject: [PATCH] jp3d/jpwl convert: fix write stack buffer overflow
|
||||
|
||||
Missing buffer length formatter in fscanf call might lead to write
|
||||
stack buffer overflow.
|
||||
|
||||
fixes #1044 (CVE-2017-17480)
|
||||
---
|
||||
src/bin/jp3d/convert.c | 4 ++--
|
||||
src/bin/jpwl/convert.c | 2 +-
|
||||
2 files changed, 3 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/src/bin/jp3d/convert.c b/src/bin/jp3d/convert.c
|
||||
index 23fd70b04..acad8f82a 100644
|
||||
--- a/src/bin/jp3d/convert.c
|
||||
+++ b/src/bin/jp3d/convert.c
|
||||
@@ -297,8 +297,8 @@ opj_volume_t* pgxtovolume(char *relpath, opj_cparameters_t *parameters)
|
||||
fprintf(stdout, "[INFO] Loading %s \n", pgxfiles[pos]);
|
||||
|
||||
fseek(f, 0, SEEK_SET);
|
||||
- fscanf(f, "PG%[ \t]%c%c%[ \t+-]%d%[ \t]%d%[ \t]%d", temp, &endian1, &endian2,
|
||||
- signtmp, &prec, temp, &w, temp, &h);
|
||||
+ fscanf(f, "PG%31[ \t]%c%c%31[ \t+-]%d%31[ \t]%d%31[ \t]%d", temp, &endian1,
|
||||
+ &endian2, signtmp, &prec, temp, &w, temp, &h);
|
||||
|
||||
i = 0;
|
||||
sign = '+';
|
||||
diff --git a/src/bin/jpwl/convert.c b/src/bin/jpwl/convert.c
|
||||
index f3bb670b0..73c1be729 100644
|
||||
--- a/src/bin/jpwl/convert.c
|
||||
+++ b/src/bin/jpwl/convert.c
|
||||
@@ -1349,7 +1349,7 @@ opj_image_t* pgxtoimage(const char *filename, opj_cparameters_t *parameters)
|
||||
}
|
||||
|
||||
fseek(f, 0, SEEK_SET);
|
||||
- if (fscanf(f, "PG%[ \t]%c%c%[ \t+-]%d%[ \t]%d%[ \t]%d", temp, &endian1,
|
||||
+ if (fscanf(f, "PG%31[ \t]%c%c%31[ \t+-]%d%31[ \t]%d%31[ \t]%d", temp, &endian1,
|
||||
&endian2, signtmp, &prec, temp, &w, temp, &h) != 9) {
|
||||
fprintf(stderr,
|
||||
"ERROR: Failed to read the right number of element from the fscanf() function!\n");
|
||||
@ -1,79 +0,0 @@
|
||||
From ca16fe55014c57090dd97369256c7657aeb25975 Mon Sep 17 00:00:00 2001
|
||||
From: Hugo Lefeuvre <hle@debian.org>
|
||||
Date: Sat, 22 Sep 2018 14:33:19 -0400
|
||||
Subject: [PATCH] convertbmp: fix issues with zero bitmasks
|
||||
|
||||
In the case where a BMP file declares compression 3 (BI_BITFIELDS)
|
||||
with header size <= 56, all bitmask values keep their initialization
|
||||
value 0. This may lead to various undefined behavior later e.g. when
|
||||
doing 1 << (l_comp->prec - 1).
|
||||
|
||||
This issue does not affect files with bit count 16 because of a check
|
||||
added in 16240e2 which sets default values to the color masks if they
|
||||
are all 0.
|
||||
|
||||
This commit adds similar checks for the 32 bit case.
|
||||
|
||||
Also, if a BMP file declares compression 3 with header size >= 56 and
|
||||
intentional 0 bitmasks, the same issue will be triggered in both the
|
||||
16 and 32 bit count case.
|
||||
|
||||
This commit adds checks to bmp_read_info_header() rejecting BMP files
|
||||
with "intentional" 0 bitmasks. These checks might be removed in the
|
||||
future when proper handling of zero bitmasks will be available in
|
||||
openjpeg2.
|
||||
|
||||
fixes #1057 (CVE-2018-5785)
|
||||
---
|
||||
src/bin/jp2/convertbmp.c | 21 +++++++++++++++++++++
|
||||
1 file changed, 21 insertions(+)
|
||||
|
||||
diff --git a/src/bin/jp2/convertbmp.c b/src/bin/jp2/convertbmp.c
|
||||
index 084f70bb7..7fde99ab3 100644
|
||||
--- a/src/bin/jp2/convertbmp.c
|
||||
+++ b/src/bin/jp2/convertbmp.c
|
||||
@@ -435,16 +435,31 @@ static OPJ_BOOL bmp_read_info_header(FILE* IN, OPJ_BITMAPINFOHEADER* header)
|
||||
header->biRedMask |= (OPJ_UINT32)getc(IN) << 16;
|
||||
header->biRedMask |= (OPJ_UINT32)getc(IN) << 24;
|
||||
|
||||
+ if (!header->biRedMask) {
|
||||
+ fprintf(stderr, "Error, invalid red mask value %d\n", header->biRedMask);
|
||||
+ return OPJ_FALSE;
|
||||
+ }
|
||||
+
|
||||
header->biGreenMask = (OPJ_UINT32)getc(IN);
|
||||
header->biGreenMask |= (OPJ_UINT32)getc(IN) << 8;
|
||||
header->biGreenMask |= (OPJ_UINT32)getc(IN) << 16;
|
||||
header->biGreenMask |= (OPJ_UINT32)getc(IN) << 24;
|
||||
|
||||
+ if (!header->biGreenMask) {
|
||||
+ fprintf(stderr, "Error, invalid green mask value %d\n", header->biGreenMask);
|
||||
+ return OPJ_FALSE;
|
||||
+ }
|
||||
+
|
||||
header->biBlueMask = (OPJ_UINT32)getc(IN);
|
||||
header->biBlueMask |= (OPJ_UINT32)getc(IN) << 8;
|
||||
header->biBlueMask |= (OPJ_UINT32)getc(IN) << 16;
|
||||
header->biBlueMask |= (OPJ_UINT32)getc(IN) << 24;
|
||||
|
||||
+ if (!header->biBlueMask) {
|
||||
+ fprintf(stderr, "Error, invalid blue mask value %d\n", header->biBlueMask);
|
||||
+ return OPJ_FALSE;
|
||||
+ }
|
||||
+
|
||||
header->biAlphaMask = (OPJ_UINT32)getc(IN);
|
||||
header->biAlphaMask |= (OPJ_UINT32)getc(IN) << 8;
|
||||
header->biAlphaMask |= (OPJ_UINT32)getc(IN) << 16;
|
||||
@@ -831,6 +846,12 @@ opj_image_t* bmptoimage(const char *filename, opj_cparameters_t *parameters)
|
||||
bmpmask32toimage(pData, stride, image, 0x00FF0000U, 0x0000FF00U, 0x000000FFU,
|
||||
0x00000000U);
|
||||
} else if (Info_h.biBitCount == 32 && Info_h.biCompression == 3) { /* bitmask */
|
||||
+ if ((Info_h.biRedMask == 0U) && (Info_h.biGreenMask == 0U) &&
|
||||
+ (Info_h.biBlueMask == 0U)) {
|
||||
+ Info_h.biRedMask = 0x00FF0000U;
|
||||
+ Info_h.biGreenMask = 0x0000FF00U;
|
||||
+ Info_h.biBlueMask = 0x000000FFU;
|
||||
+ }
|
||||
bmpmask32toimage(pData, stride, image, Info_h.biRedMask, Info_h.biGreenMask,
|
||||
Info_h.biBlueMask, Info_h.biAlphaMask);
|
||||
} else if (Info_h.biBitCount == 16 && Info_h.biCompression == 0) { /* RGBX */
|
||||
@ -1,32 +0,0 @@
|
||||
From 6d8c0c06ee32dc03ba80acd48334e98728e56cf5 Mon Sep 17 00:00:00 2001
|
||||
From: Karol Babioch <kbabioch@suse.de>
|
||||
Date: Fri, 2 Mar 2018 14:40:58 +0100
|
||||
Subject: [PATCH] opj_mj2_extract: Check provided output prefix for length
|
||||
|
||||
This uses snprintf() with correct buffer length instead of sprintf(). This
|
||||
prevents a buffer overflow when providing a long output prefix. Furthermore
|
||||
the program exits with an error when the provided output prefix is too long.
|
||||
|
||||
Fixes #1088.
|
||||
---
|
||||
src/bin/mj2/opj_mj2_extract.c | 7 ++++++-
|
||||
1 file changed, 6 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/bin/mj2/opj_mj2_extract.c b/src/bin/mj2/opj_mj2_extract.c
|
||||
index a062e17d8..244110523 100644
|
||||
--- a/src/bin/mj2/opj_mj2_extract.c
|
||||
+++ b/src/bin/mj2/opj_mj2_extract.c
|
||||
@@ -140,7 +140,12 @@ int main(int argc, char *argv[])
|
||||
fread(frame_codestream, sample->sample_size - 8, 1,
|
||||
file); /* Assuming that jp and ftyp markers size do*/
|
||||
|
||||
- sprintf(outfilename, "%s_%05d.j2k", argv[2], snum);
|
||||
+ int num = snprintf(outfilename, sizeof(outfilename), "%s_%05d.j2k", argv[2], snum);
|
||||
+ if (num >= sizeof(outfilename)) {
|
||||
+ fprintf(stderr, "maximum length of output prefix exceeded\n");
|
||||
+ return 1;
|
||||
+ }
|
||||
+
|
||||
outfile = fopen(outfilename, "wb");
|
||||
if (!outfile) {
|
||||
fprintf(stderr, "failed to open %s for writing\n", outfilename);
|
||||
@ -1,11 +0,0 @@
|
||||
diff -rupN openjpeg-2.3.0/src/lib/openjp2/CMakeLists.txt openjpeg-2.3.0-new/src/lib/openjp2/CMakeLists.txt
|
||||
--- openjpeg-2.3.0/src/lib/openjp2/CMakeLists.txt 2017-10-05 00:23:14.000000000 +0200
|
||||
+++ openjpeg-2.3.0-new/src/lib/openjp2/CMakeLists.txt 2017-12-25 13:53:07.000000000 +0100
|
||||
@@ -99,6 +99,7 @@ else()
|
||||
set(INSTALL_LIBS ${OPENJPEG_LIBRARY_NAME} openjp2_static)
|
||||
else()
|
||||
add_library(${OPENJPEG_LIBRARY_NAME} ${OPENJPEG_SRCS})
|
||||
+ set(INSTALL_LIBS ${OPENJPEG_LIBRARY_NAME})
|
||||
endif()
|
||||
endif()
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user