packages/openjpeg2
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

fix CVE-2020-6851 CVE-2020-8112 CVE-2020-27823 CVE-2020-27824

Browse Source
This commit is contained in:
liuyumeng 2021-06-07 18:57:08 +08:00
parent 20f3ca487a
commit 53ccdba0b3
7 changed files with 233 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

30
backport-CVE-2020-27823.patch Normal file
View File

@ -0,0 +1,30 @@
From b2072402b7e14d22bba6fb8cde2a1e9996e9a919 Mon Sep 17 00:00:00 2001
From: Even Rouault <even.rouault@spatialys.com>
Date: Mon, 30 Nov 2020 22:31:51 +0100
Subject: [PATCH] pngtoimage(): fix wrong computation of x1,y1 if -d option is
used, that would result in a heap buffer overflow (fixes #1284)
reason:CVE-2020-27823
Conflict:NA
Reference:https://github.com/uclouvain/openjpeg/commit/b2072402b7e14d22bba6fb8cde2a1e9996e9a919
---
src/bin/jp2/convertpng.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/bin/jp2/convertpng.c b/src/bin/jp2/convertpng.c
index 328c91beb..00f596e27 100644
--- a/src/bin/jp2/convertpng.c
+++ b/src/bin/jp2/convertpng.c
@@ -223,9 +223,9 @@ opj_image_t *pngtoimage(const char *read_idf, opj_cparameters_t * params)
image->x0 = (OPJ_UINT32)params->image_offset_x0;
image->y0 = (OPJ_UINT32)params->image_offset_y0;
image->x1 = (OPJ_UINT32)(image->x0 + (width - 1) * (OPJ_UINT32)
- params->subsampling_dx + 1 + image->x0);
+ params->subsampling_dx + 1);
image->y1 = (OPJ_UINT32)(image->y0 + (height - 1) * (OPJ_UINT32)
- params->subsampling_dy + 1 + image->y0);
+ params->subsampling_dy + 1);
row32s = (OPJ_INT32 *)malloc((size_t)width * nr_comp * sizeof(OPJ_INT32));
if (row32s == NULL) {

27
backport-CVE-2020-27824.patch Normal file
View File

@ -0,0 +1,27 @@
From 6daf5f3e1ec6eff03b7982889874a3de6617db8d Mon Sep 17 00:00:00 2001
From: Even Rouault <even.rouault@spatialys.com>
Date: Mon, 30 Nov 2020 22:37:07 +0100
Subject: [PATCH] Encoder: avoid global buffer overflow on irreversible
conversion when too many decomposition levels are specified (fixes #1286)
reason:CVE-2020-27824
Conflict:NA
Reference:https://github.com/uclouvain/openjpeg/commit/6daf5f3e1ec6eff03b7982889874a3de6617db8d
---
src/lib/openjp2/dwt.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/lib/openjp2/dwt.c b/src/lib/openjp2/dwt.c
index ee9eb5e63..4164ba090 100644
--- a/src/lib/openjp2/dwt.c
+++ b/src/lib/openjp2/dwt.c
@@ -1976,7 +1976,7 @@ void opj_dwt_calc_explicit_stepsizes(opj_tccp_t * tccp, OPJ_UINT32 prec)
if (tccp->qntsty == J2K_CCP_QNTSTY_NOQNT) {
stepsize = 1.0;
} else {
- OPJ_FLOAT64 norm = opj_dwt_norms_real[orient][level];
+ OPJ_FLOAT64 norm = opj_dwt_getnorm_real(level, orient);
stepsize = (1 << (gain)) / norm;
}
opj_dwt_encode_stepsize((OPJ_INT32) floor(stepsize * 8192.0),

6
backport-CVE-2020-27841.patch
View File

@ -4,6 +4,10 @@ Date: Wed, 2 Dec 2020 14:02:17 +0100
Subject: [PATCH] pi.c: avoid out of bounds access with POC (refs
https://github.com/uclouvain/openjpeg/issues/1293#issuecomment-737122836)
reason:CVE-2020-27841
Conflict:NA
Reference:https://github.com/uclouvain/openjpeg/commit/00383e162ae2f8fc951f5745bf1011771acb8dce
---
src/lib/openjp2/pi.c | 49 +++++++++++++++++++++++++++++---------------
src/lib/openjp2/pi.h | 10 +++++++--
@ -176,7 +180,7 @@ index 7fb3417fe..0320523b7 100644
--- a/src/lib/openjp2/pi.h
+++ b/src/lib/openjp2/pi.h
@@ -107,6 +107,8 @@ typedef struct opj_pi_iterator {
OPJ_INT32 x, y;
OPJ_UINT32 x, y;
/** FIXME DOC*/
OPJ_UINT32 dx, dy;
+ /** event manager */

31
backport-CVE-2020-6851.patch Normal file
View File

@ -0,0 +1,31 @@
From 024b8407392cb0b82b04b58ed256094ed5799e04 Mon Sep 17 00:00:00 2001
From: Even Rouault <even.rouault@spatialys.com>
Date: Sat, 11 Jan 2020 01:51:19 +0100
Subject: [PATCH] opj_j2k_update_image_dimensions(): reject images whose
coordinates are beyond INT_MAX (fixes #1228)
Conflict:NA
Reference:https://github.com/uclouvain/openjpeg/commit/46c1eff9e98bbcf794d042f7b2e3d45556e805ce
---
src/lib/openjp2/j2k.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff -Naur a_openjpeg/src/lib/openjp2/j2k.c b_openjpeg/src/lib/openjp2/j2k.c
--- a_openjpeg/src/lib/openjp2/j2k.c 2020-05-28 09:19:53.024612881 -0400
+++ b_openjpeg/src/lib/openjp2/j2k.c 2020-05-28 09:29:55.623612881 -0400
@@ -9236,6 +9236,14 @@
l_img_comp = p_image->comps;
for (it_comp = 0; it_comp < p_image->numcomps; ++it_comp) {
OPJ_INT32 l_h, l_w;
+ if (p_image->x0 > (OPJ_UINT32)INT_MAX ||
+ p_image->y0 > (OPJ_UINT32)INT_MAX ||
+ p_image->x1 > (OPJ_UINT32)INT_MAX ||
+ p_image->y1 > (OPJ_UINT32)INT_MAX) {
+ opj_event_msg(p_manager, EVT_ERROR,
+ "Image coordinates above INT_MAX are not supported\n");
+ return OPJ_FALSE;
+ }
l_img_comp->x0 = (OPJ_UINT32)opj_int_ceildiv((OPJ_INT32)p_image->x0,
(OPJ_INT32)l_img_comp->dx);

46
backport-CVE-2020-8112.patch Normal file
View File

@ -0,0 +1,46 @@
From 05f9b91e60debda0e83977e5e63b2e66486f7074 Mon Sep 17 00:00:00 2001
From: Even Rouault <even.rouault@spatialys.com>
Date: Thu, 30 Jan 2020 00:59:57 +0100
Subject: [PATCH] opj_tcd_init_tile(): avoid integer overflow
That could lead to later assertion failures.
Fixes #1231 / CVE-2020-8112
Conflict:NA
Reference:https://github.com/uclouvain/openjpeg/pull/1232/commits/05f9b91e60debda0e83977e5e63b2e66486f7074
---
src/lib/openjp2/tcd.c | 20 ++++++++++++++++++--
1 file changed, 18 insertions(+), 2 deletions(-)
diff -Naur a/src/lib/openjp2/tcd.c b/src/lib/openjp2/tcd.c
--- a/src/lib/openjp2/tcd.c 2020-06-01 17:05:36.781309518 -0400
+++ b/src/lib/openjp2/tcd.c 2020-06-01 17:08:08.504309518 -0400
@@ -905,8 +905,24 @@
/* p. 64, B.6, ISO/IEC FDIS15444-1 : 2000 (18 august 2000) */
l_tl_prc_x_start = opj_int_floordivpow2(l_res->x0, (OPJ_INT32)l_pdx) << l_pdx;
l_tl_prc_y_start = opj_int_floordivpow2(l_res->y0, (OPJ_INT32)l_pdy) << l_pdy;
- l_br_prc_x_end = opj_int_ceildivpow2(l_res->x1, (OPJ_INT32)l_pdx) << l_pdx;
- l_br_prc_y_end = opj_int_ceildivpow2(l_res->y1, (OPJ_INT32)l_pdy) << l_pdy;
+ {
+ OPJ_UINT32 tmp = ((OPJ_UINT32)opj_int_ceildivpow2(l_res->x1,
+ (OPJ_INT32)l_pdx)) << l_pdx;
+ if (tmp > (OPJ_UINT32)INT_MAX) {
+ opj_event_msg(manager, EVT_ERROR, "Integer overflow\n");
+ return OPJ_FALSE;
+ }
+ l_br_prc_x_end = (OPJ_INT32)tmp;
+ }
+ {
+ OPJ_UINT32 tmp = ((OPJ_UINT32)opj_int_ceildivpow2(l_res->y1,
+ (OPJ_INT32)l_pdy)) << l_pdy;
+ if (tmp > (OPJ_UINT32)INT_MAX) {
+ opj_event_msg(manager, EVT_ERROR, "Integer overflow\n");
+ return OPJ_FALSE;
+ }
+ l_br_prc_y_end = (OPJ_INT32)tmp;
+ }
/*fprintf(stderr, "\t\t\tprc_x_start=%d, prc_y_start=%d, br_prc_x_end=%d, br_prc_y_end=%d \n", l_tl_prc_x_start, l_tl_prc_y_start, l_br_prc_x_end ,l_br_prc_y_end );*/
l_res->pw = (l_res->x0 == l_res->x1) ? 0U : (OPJ_UINT32)((

81
backport-avoid-integer-overflow.patch Normal file
View File

@ -0,0 +1,81 @@
From 4cb1f663049aab96e122d1ff16f601d0cc0be976 Mon Sep 17 00:00:00 2001
From: Even Rouault <even.rouault@spatialys.com>
Date: Sun, 17 Nov 2019 01:18:26 +0100
Subject: [PATCH] pi.c: avoid integer overflow, resulting in later invalid
access to memory in opj_t2_decode_packets(). Fixes
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=18979
reason:avoid integer overflow, resulting in later invalid
Conflict:NA
Reference:https://github.com/uclouvain/openjpeg/commit/4cb1f663049aab96e122d1ff16f601d0cc0be976
---
src/lib/openjp2/pi.c | 24 ++++++++++++------------
src/lib/openjp2/pi.h | 4 ++--
2 files changed, 14 insertions(+), 14 deletions(-)
diff --git a/src/lib/openjp2/pi.c b/src/lib/openjp2/pi.c
index 4a6ed68e2..3ddb4a0c5 100644
--- a/src/lib/openjp2/pi.c
+++ b/src/lib/openjp2/pi.c
@@ -376,10 +376,10 @@ static OPJ_BOOL opj_pi_next_rpcl(opj_pi_iterator_t * pi)
pi->poc.tx1 = pi->tx1;
}
for (pi->resno = pi->poc.resno0; pi->resno < pi->poc.resno1; pi->resno++) {
- for (pi->y = pi->poc.ty0; pi->y < pi->poc.ty1;
- pi->y += (OPJ_INT32)(pi->dy - (OPJ_UINT32)(pi->y % (OPJ_INT32)pi->dy))) {
- for (pi->x = pi->poc.tx0; pi->x < pi->poc.tx1;
- pi->x += (OPJ_INT32)(pi->dx - (OPJ_UINT32)(pi->x % (OPJ_INT32)pi->dx))) {
+ for (pi->y = (OPJ_UINT32)pi->poc.ty0; pi->y < (OPJ_UINT32)pi->poc.ty1;
+ pi->y += (pi->dy - (pi->y % pi->dy))) {
+ for (pi->x = (OPJ_UINT32)pi->poc.tx0; pi->x < (OPJ_UINT32)pi->poc.tx1;
+ pi->x += (pi->dx - (pi->x % pi->dx))) {
for (pi->compno = pi->poc.compno0; pi->compno < pi->poc.compno1; pi->compno++) {
OPJ_UINT32 levelno;
OPJ_INT32 trx0, try0;
@@ -508,10 +508,10 @@ static OPJ_BOOL opj_pi_next_pcrl(opj_pi_iterator_t * pi)
pi->poc.ty1 = pi->ty1;
pi->poc.tx1 = pi->tx1;
}
- for (pi->y = pi->poc.ty0; pi->y < pi->poc.ty1;
- pi->y += (OPJ_INT32)(pi->dy - (OPJ_UINT32)(pi->y % (OPJ_INT32)pi->dy))) {
- for (pi->x = pi->poc.tx0; pi->x < pi->poc.tx1;
- pi->x += (OPJ_INT32)(pi->dx - (OPJ_UINT32)(pi->x % (OPJ_INT32)pi->dx))) {
+ for (pi->y = (OPJ_UINT32)pi->poc.ty0; pi->y < (OPJ_UINT32)pi->poc.ty1;
+ pi->y += (pi->dy - (pi->y % pi->dy))) {
+ for (pi->x = (OPJ_UINT32)pi->poc.tx0; pi->x < (OPJ_UINT32)pi->poc.tx1;
+ pi->x += (pi->dx - (pi->x % pi->dx))) {
for (pi->compno = pi->poc.compno0; pi->compno < pi->poc.compno1; pi->compno++) {
comp = &pi->comps[pi->compno];
for (pi->resno = pi->poc.resno0;
@@ -639,10 +639,10 @@ static OPJ_BOOL opj_pi_next_cprl(opj_pi_iterator_t * pi)
pi->poc.ty1 = pi->ty1;
pi->poc.tx1 = pi->tx1;
}
- for (pi->y = pi->poc.ty0; pi->y < pi->poc.ty1;
- pi->y += (OPJ_INT32)(pi->dy - (OPJ_UINT32)(pi->y % (OPJ_INT32)pi->dy))) {
- for (pi->x = pi->poc.tx0; pi->x < pi->poc.tx1;
- pi->x += (OPJ_INT32)(pi->dx - (OPJ_UINT32)(pi->x % (OPJ_INT32)pi->dx))) {
+ for (pi->y = (OPJ_UINT32)pi->poc.ty0; pi->y < (OPJ_UINT32)pi->poc.ty1;
+ pi->y += (pi->dy - (pi->y % pi->dy))) {
+ for (pi->x = (OPJ_UINT32)pi->poc.tx0; pi->x < (OPJ_UINT32)pi->poc.tx1;
+ pi->x += (pi->dx - (pi->x % pi->dx))) {
for (pi->resno = pi->poc.resno0;
pi->resno < opj_uint_min(pi->poc.resno1, comp->numresolutions); pi->resno++) {
OPJ_UINT32 levelno;
diff --git a/src/lib/openjp2/pi.h b/src/lib/openjp2/pi.h
index 8c0dc25c1..873802089 100644
--- a/src/lib/openjp2/pi.h
+++ b/src/lib/openjp2/pi.h
@@ -102,9 +102,9 @@ typedef struct opj_pi_iterator {
/** Components*/
opj_pi_comp_t *comps;
/** FIXME DOC*/
- OPJ_INT32 tx0, ty0, tx1, ty1;
+ OPJ_UINT32 tx0, ty0, tx1, ty1;
/** FIXME DOC*/
- OPJ_INT32 x, y;
+ OPJ_UINT32 x, y;
/** FIXME DOC*/
OPJ_UINT32 dx, dy;
} opj_pi_iterator_t;

18
openjpeg2.spec
View File

@ -1,6 +1,6 @@
Name: openjpeg2
Version: 2.3.1
Release: 5
Release: 6
Summary: C-Library for JPEG 2000
License: BSD and MIT
URL: https://github.com/uclouvain/openjpeg
@ -12,10 +12,15 @@ Patch1: openjpeg2_opj2.patch
Patch6000: CVE-2016-10505.patch
Patch6001: CVE-2016-7445.patch
Patch6002: CVE-2020-15389.patch
Patch6003: backport-CVE-2020-27814.patch
Patch6004: backport-CVE-2020-27841.patch
Patch6005: backport-CVE-2020-27843.patch
Patch6006: backport-CVE-2020-27845.patch
Patch6003: backport-avoid-integer-overflow.patch
Patch6004: backport-CVE-2020-27814.patch
Patch6005: backport-CVE-2020-27841.patch
Patch6006: backport-CVE-2020-27843.patch
Patch6007: backport-CVE-2020-27845.patch
Patch6008: backport-CVE-2020-8112.patch
Patch6009: backport-CVE-2020-6851.patch
Patch6010: backport-CVE-2020-27823.patch
Patch6011: backport-CVE-2020-27824.patch
BuildRequires: cmake gcc-c++ make zlib-devel libpng-devel libtiff-devel lcms2-devel doxygen
@ -91,6 +96,9 @@ mv %{buildroot}%{_mandir}/man1/opj_dump.1 %{buildroot}%{_mandir}/man1/opj2_dump.
%{_mandir}/man3/*.3*
%changelog
* Tue Jun 8 2021 liuyumeng <liuyumeng5@huawei.com> - 2.3.1-6
- fix CVE-2020-8112 CVE-2020-6851 CVE-2020-27823 CVE-2020-27824,avoid integer overflow:pre-patch of CVE-2020-27841,fix fuzz
* Tue Feb 23 2021 jinzhimin <jinzhimin2@huawei.com> - 2.3.1-5
- fix CVE-2020-27841 CVE-2020-27843 CVE-2020-27845