diff --git a/CVE-2016-10505.patch b/CVE-2016-10505.patch deleted file mode 100644 index 161df03..0000000 --- a/CVE-2016-10505.patch +++ /dev/null @@ -1,45 +0,0 @@ -diff -Nur openjpeg-2.3.1_bak/src/bin/common/color.c openjpeg-2.3.1/src/bin/common/color.c ---- openjpeg-2.3.1_bak/src/bin/common/color.c 2019-10-14 06:31:49.372000000 -0400 -+++ openjpeg-2.3.1/src/bin/common/color.c 2019-10-14 06:33:30.080000000 -0400 -@@ -126,6 +126,7 @@ - d1 = g = (int*)opj_image_data_alloc(sizeof(int) * max); - d2 = b = (int*)opj_image_data_alloc(sizeof(int) * max); - -+ if(y == NULL || cb == NULL || cr == NULL) goto fails; - if (r == NULL || g == NULL || b == NULL) { - goto fails; - } -@@ -178,6 +179,7 @@ - d1 = g = (int*)opj_image_data_alloc(sizeof(int) * max); - d2 = b = (int*)opj_image_data_alloc(sizeof(int) * max); - -+ if(y == NULL || cb == NULL || cr == NULL) goto fails; - if (r == NULL || g == NULL || b == NULL) { - goto fails; - } -@@ -1062,6 +1064,7 @@ - (image->comps[0].dx != image->comps[2].dx) - || (image->comps[0].dy != image->comps[1].dy) || - (image->comps[0].dy != image->comps[2].dy) -+ || !image->comps [0].data || !image->comps [1].data || !image->comps [2].data - ) { - fprintf(stderr, "%s:%d:color_esycc_to_rgb\n\tCAN NOT CONVERT\n", __FILE__, - __LINE__); -diff -Nur openjpeg-2.3.1_bak/src/bin/jp2/convertbmp.c openjpeg-2.3.1/src/bin/jp2/convertbmp.c ---- openjpeg-2.3.1_bak/src/bin/jp2/convertbmp.c 2019-10-14 06:31:49.372000000 -0400 -+++ openjpeg-2.3.1/src/bin/jp2/convertbmp.c 2019-10-14 06:34:34.480000000 -0400 -@@ -889,6 +889,13 @@ - image->comps[0].prec); - return 1; - } -+ -+ for (i = 0; i < image->numcomps; i++) { -+ if (image->comps[i].data == NULL) { -+ fprintf(stderr, "Missing image data\n"); -+ return 1; -+ } -+ } - if (image->numcomps >= 3 && image->comps[0].dx == image->comps[1].dx - && image->comps[1].dx == image->comps[2].dx - && image->comps[0].dy == image->comps[1].dy - 
diff --git a/CVE-2016-7445.patch b/CVE-2016-7445.patch deleted file mode 100644 index ef74c29..0000000 --- a/CVE-2016-7445.patch +++ /dev/null @@ -1,23 +0,0 @@ -diff -Nur openjpeg-2.3.1_old/src/bin/jpwl/convert.c openjpeg-2.3.1/src/bin/jpwl/convert.c ---- openjpeg-2.3.1_old/src/bin/jpwl/convert.c 2019-10-15 16:06:40.623000000 +0800 -+++ openjpeg-2.3.1/src/bin/jpwl/convert.c 2019-10-15 16:08:59.642000000 +0800 -@@ -1730,8 +1730,10 @@ - - if (!have_wh) { - s = skip_int(s, &ph->width); -+ if(s == NULL || *s == 0) return; - - s = skip_int(s, &ph->height); -+ if(s == NULL || *s == 0) return; - - have_wh = 1; - -@@ -1744,6 +1746,7 @@ - if (format == 2 || format == 3 || format == 5 || format == 6) { - /* P2, P3, P5, P6: */ - s = skip_int(s, &ph->maxval); -+ if(s == NULL || *s == 0) return; - - if (ph->maxval > 65535) { - return; - diff --git a/CVE-2020-15389.patch b/CVE-2020-15389.patch deleted file mode 100644 index af75c9b..0000000 --- a/CVE-2020-15389.patch +++ /dev/null 
@@ -1,38 +0,0 @@ -From cf56972d371a0557f30d5de64b4b9d2e87c74a6a Mon Sep 17 00:00:00 2001 -From: zhangnaru -Date: Sat, 25 Jul 2020 10:48:34 +0800 -Subject: [PATCH] CVE-2020-15389 - ---- - src/bin/jp2/opj_decompress.c | 8 ++++---- - 1 file changed, 4 insertions(+), 4 deletions(-) - -diff --git a/src/bin/jp2/opj_decompress.c b/src/bin/jp2/opj_decompress.c -index 4b9583b..af1661e 100644 ---- a/src/bin/jp2/opj_decompress.c -+++ b/src/bin/jp2/opj_decompress.c -@@ -1316,10 +1316,6 @@ static opj_image_t* upsample_image_components(opj_image_t* original) - int main(int argc, char **argv) - { - opj_decompress_parameters parameters; /* decompression parameters */ -- opj_image_t* image = NULL; -- opj_stream_t *l_stream = NULL; /* Stream */ -- opj_codec_t* l_codec = NULL; /* Handle to a decompressor */ -- opj_codestream_index_t* cstr_index = NULL; - - OPJ_INT32 num_images, imageno; - img_fol_t img_fol; -@@ -1393,6 +1389,10 @@ int main(int argc, char **argv) - - /*Decoding image one by one*/ - for (imageno = 0; imageno < num_images ; imageno++) { -+ opj_image_t* image = NULL; -+ opj_stream_t *l_stream = NULL; /* stream */ -+ opj_codec_t* l_codec = NULL; /* Handle to a decompressor */ -+ opj_codestream_index_t* cstr_index = NULL; - - if (!parameters.quiet) { - fprintf(stderr, "\n"); --- -2.23.0 - diff --git a/backport-CVE-2020-27814.patch b/backport-CVE-2020-27814.patch deleted file mode 100644 index 35c22da..0000000 --- a/backport-CVE-2020-27814.patch +++ /dev/null 
@@ -1,43 +0,0 @@ -From eaa098b59b346cb88e4d10d505061f669d7134fc Mon Sep 17 00:00:00 2001 -From: Even Rouault -Date: Mon, 23 Nov 2020 13:49:05 +0100 -Subject: [PATCH] Encoder: grow buffer size in - opj_tcd_code_block_enc_allocate_data() to avoid write heap buffer overflow in - opj_mqc_flush (fixes #1283) - -reference: -https://github.com/uclouvain/openjpeg/commit/eaa098b59b346cb88e4d10d505061f669d7134fc -https://github.com/uclouvain/openjpeg/commit/15cf3d95814dc931ca0ecb132f81cb152e051bae -https://github.com/uclouvain/openjpeg/commit/649298dcf84b2f20cfe458d887c1591db47372a6 -https://github.com/uclouvain/openjpeg/commit/4ce7d285a55d29b79880d0566d4b010fe1907aa9 - ---- - src/lib/openjp2/tcd.c | 8 +++++++- - 1 file changed, 7 insertions(+), 1 deletion(-) - -diff --git a/src/lib/openjp2/tcd.c b/src/lib/openjp2/tcd.c -index be3b843..673cca2 100644 ---- a/src/lib/openjp2/tcd.c -+++ b/src/lib/openjp2/tcd.c -@@ -1219,10 +1219,16 @@ static OPJ_BOOL opj_tcd_code_block_enc_allocate_data(opj_tcd_cblk_enc_t * - - /* +1 is needed for https://github.com/uclouvain/openjpeg/issues/835 */ - /* and actually +2 required for https://github.com/uclouvain/openjpeg/issues/982 */ -+ /* and +7 for https://github.com/uclouvain/openjpeg/issues/1283 (-M 3) */ -+ /* and +26 for https://github.com/uclouvain/openjpeg/issues/1283 (-M 7) */ -+ /* and +28 for https://github.com/uclouvain/openjpeg/issues/1283 (-M 44) */ -+ /* and +33 for https://github.com/uclouvain/openjpeg/issues/1283 (-M 4) */ -+ /* and +63 for https://github.com/uclouvain/openjpeg/issues/1283 (-M 4 -IMF 2K) */ -+ /* and +74 for https://github.com/uclouvain/openjpeg/issues/1283 (-M 4 -n 8 -s 7,7 -I) */ - /* TODO: is there a theoretical upper-bound for the compressed code */ - /* block size ? 
*/ -- l_data_size = 2 + (OPJ_UINT32)((p_code_block->x1 - p_code_block->x0) * -- (p_code_block->y1 - p_code_block->y0) * (OPJ_INT32)sizeof(OPJ_UINT32)); -+ l_data_size = 74 + (OPJ_UINT32)((p_code_block->x1 - p_code_block->x0) * -+ (p_code_block->y1 - p_code_block->y0) * (OPJ_INT32)sizeof(OPJ_UINT32)); - - if (l_data_size > p_code_block->data_size) { - if (p_code_block->data) { --- -2.23.0 - diff --git a/backport-CVE-2020-27823.patch b/backport-CVE-2020-27823.patch deleted file mode 100644 index b8bfb39..0000000 --- a/backport-CVE-2020-27823.patch +++ /dev/null @@ -1,30 +0,0 @@ -From b2072402b7e14d22bba6fb8cde2a1e9996e9a919 Mon Sep 17 00:00:00 2001 -From: Even Rouault -Date: Mon, 30 Nov 2020 22:31:51 +0100 -Subject: [PATCH] pngtoimage(): fix wrong computation of x1,y1 if -d option is - used, that would result in a heap buffer overflow (fixes #1284) - -reason:CVE-2020-27823 -Conflict:NA -Reference:https://github.com/uclouvain/openjpeg/commit/b2072402b7e14d22bba6fb8cde2a1e9996e9a919 - ---- - src/bin/jp2/convertpng.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/src/bin/jp2/convertpng.c b/src/bin/jp2/convertpng.c -index 328c91beb..00f596e27 100644 ---- a/src/bin/jp2/convertpng.c -+++ b/src/bin/jp2/convertpng.c -@@ -223,9 +223,9 @@ opj_image_t *pngtoimage(const char *read_idf, opj_cparameters_t * params) - image->x0 = (OPJ_UINT32)params->image_offset_x0; - image->y0 = (OPJ_UINT32)params->image_offset_y0; - image->x1 = (OPJ_UINT32)(image->x0 + (width - 1) * (OPJ_UINT32) -- params->subsampling_dx + 1 + image->x0); -+ params->subsampling_dx + 1); - image->y1 = (OPJ_UINT32)(image->y0 + (height - 1) * (OPJ_UINT32) -- params->subsampling_dy + 1 + image->y0); -+ params->subsampling_dy + 1); - - row32s = (OPJ_INT32 *)malloc((size_t)width * nr_comp * sizeof(OPJ_INT32)); - if (row32s == NULL) { diff --git a/backport-CVE-2020-27824.patch b/backport-CVE-2020-27824.patch deleted file mode 100644 index ebc3743..0000000 
--- a/backport-CVE-2020-27824.patch +++ /dev/null @@ -1,27 +0,0 @@ -From 6daf5f3e1ec6eff03b7982889874a3de6617db8d Mon Sep 17 00:00:00 2001 -From: Even Rouault -Date: Mon, 30 Nov 2020 22:37:07 +0100 -Subject: [PATCH] Encoder: avoid global buffer overflow on irreversible - conversion when too many decomposition levels are specified (fixes #1286) - -reason:CVE-2020-27824 -Conflict:NA -Reference:https://github.com/uclouvain/openjpeg/commit/6daf5f3e1ec6eff03b7982889874a3de6617db8d - ---- - src/lib/openjp2/dwt.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/lib/openjp2/dwt.c b/src/lib/openjp2/dwt.c -index ee9eb5e63..4164ba090 100644 ---- a/src/lib/openjp2/dwt.c -+++ b/src/lib/openjp2/dwt.c -@@ -1976,7 +1976,7 @@ void opj_dwt_calc_explicit_stepsizes(opj_tccp_t * tccp, OPJ_UINT32 prec) - if (tccp->qntsty == J2K_CCP_QNTSTY_NOQNT) { - stepsize = 1.0; - } else { -- OPJ_FLOAT64 norm = opj_dwt_norms_real[orient][level]; -+ OPJ_FLOAT64 norm = opj_dwt_getnorm_real(level, orient); - stepsize = (1 << (gain)) / norm; - } - opj_dwt_encode_stepsize((OPJ_INT32) floor(stepsize * 8192.0), diff --git a/backport-CVE-2020-27841.patch b/backport-CVE-2020-27841.patch deleted file mode 100644 index dd360bd..0000000 --- a/backport-CVE-2020-27841.patch +++ /dev/null 
@@ -1,245 +0,0 @@ -From 00383e162ae2f8fc951f5745bf1011771acb8dce Mon Sep 17 00:00:00 2001 -From: Even Rouault -Date: Wed, 2 Dec 2020 14:02:17 +0100 -Subject: [PATCH] pi.c: avoid out of bounds access with POC (refs - https://github.com/uclouvain/openjpeg/issues/1293#issuecomment-737122836) - -reason:CVE-2020-27841 -Conflict:NA -Reference:https://github.com/uclouvain/openjpeg/commit/00383e162ae2f8fc951f5745bf1011771acb8dce - ---- - src/lib/openjp2/pi.c | 49 +++++++++++++++++++++++++++++--------------- - src/lib/openjp2/pi.h | 10 +++++++-- - src/lib/openjp2/t2.c | 4 ++-- - 3 files changed, 42 insertions(+), 21 deletions(-) - -diff --git a/src/lib/openjp2/pi.c b/src/lib/openjp2/pi.c -index 3dcdd4e9d..d62b8d74a 100644 ---- a/src/lib/openjp2/pi.c -+++ b/src/lib/openjp2/pi.c -@@ -194,10 +194,12 @@ static void opj_get_all_encoding_parameters(const opj_image_t *p_image, - * @param p_image the image used to initialize the packet iterator (in fact only the number of components is relevant. - * @param p_cp the coding parameters. - * @param tileno the index of the tile from which creating the packet iterator. 
-+ * @param manager Event manager - */ - static opj_pi_iterator_t * opj_pi_create(const opj_image_t *p_image, - const opj_cp_t *p_cp, -- OPJ_UINT32 tileno); -+ OPJ_UINT32 tileno, -+ opj_event_mgr_t* manager); - /** - * FIXME DOC - */ -@@ -232,12 +234,6 @@ static OPJ_BOOL opj_pi_check_next_level(OPJ_INT32 pos, - ========================================================== - */ - --static void opj_pi_emit_error(opj_pi_iterator_t * pi, const char* msg) --{ -- (void)pi; -- (void)msg; --} -- - static OPJ_BOOL opj_pi_next_lrcp(opj_pi_iterator_t * pi) - { - opj_pi_comp_t *comp = NULL; -@@ -274,7 +270,7 @@ static OPJ_BOOL opj_pi_next_lrcp(opj_pi_iterator_t * pi) - /* include should be resized when a POC arises, or */ - /* the POC should be rejected */ - if (index >= pi->include_size) { -- opj_pi_emit_error(pi, "Invalid access to pi->include"); -+ opj_event_msg(pi->manager, EVT_ERROR, "Invalid access to pi->include"); - return OPJ_FALSE; - } - if (!pi->include[index]) { -@@ -320,7 +316,7 @@ static OPJ_BOOL opj_pi_next_rlcp(opj_pi_iterator_t * pi) - index = pi->layno * pi->step_l + pi->resno * pi->step_r + pi->compno * - pi->step_c + pi->precno * pi->step_p; - if (index >= pi->include_size) { -- opj_pi_emit_error(pi, "Invalid access to pi->include"); -+ opj_event_msg(pi->manager, EVT_ERROR, "Invalid access to pi->include"); - return OPJ_FALSE; - } - if (!pi->include[index]) { -@@ -451,7 +447,7 @@ static OPJ_BOOL opj_pi_next_rpcl(opj_pi_iterator_t * pi) - index = pi->layno * pi->step_l + pi->resno * pi->step_r + pi->compno * - pi->step_c + pi->precno * pi->step_p; - if (index >= pi->include_size) { -- opj_pi_emit_error(pi, "Invalid access to pi->include"); -+ opj_event_msg(pi->manager, EVT_ERROR, "Invalid access to pi->include"); - return OPJ_FALSE; - } - if (!pi->include[index]) { -@@ -475,6 +471,13 @@ static OPJ_BOOL opj_pi_next_pcrl(opj_pi_iterator_t * pi) - opj_pi_resolution_t *res = NULL; - OPJ_UINT32 index = 0; - -+ if (pi->poc.compno0 >= pi->numcomps || -+ 
pi->poc.compno1 >= pi->numcomps + 1) { -+ opj_event_msg(pi->manager, EVT_ERROR, -+ "opj_pi_next_pcrl(): invalid compno0/compno1"); -+ return OPJ_FALSE; -+ } -+ - if (!pi->first) { - comp = &pi->comps[pi->compno]; - goto LABEL_SKIP; -@@ -582,7 +585,7 @@ static OPJ_BOOL opj_pi_next_pcrl(opj_pi_iterator_t * pi) - index = pi->layno * pi->step_l + pi->resno * pi->step_r + pi->compno * - pi->step_c + pi->precno * pi->step_p; - if (index >= pi->include_size) { -- opj_pi_emit_error(pi, "Invalid access to pi->include"); -+ opj_event_msg(pi->manager, EVT_ERROR, "Invalid access to pi->include"); - return OPJ_FALSE; - } - if (!pi->include[index]) { -@@ -606,6 +609,13 @@ static OPJ_BOOL opj_pi_next_cprl(opj_pi_iterator_t * pi) - opj_pi_resolution_t *res = NULL; - OPJ_UINT32 index = 0; - -+ if (pi->poc.compno0 >= pi->numcomps || -+ pi->poc.compno1 >= pi->numcomps + 1) { -+ opj_event_msg(pi->manager, EVT_ERROR, -+ "opj_pi_next_cprl(): invalid compno0/compno1"); -+ return OPJ_FALSE; -+ } -+ - if (!pi->first) { - comp = &pi->comps[pi->compno]; - goto LABEL_SKIP; -@@ -710,7 +720,7 @@ static OPJ_BOOL opj_pi_next_cprl(opj_pi_iterator_t * pi) - index = pi->layno * pi->step_l + pi->resno * pi->step_r + pi->compno * - pi->step_c + pi->precno * pi->step_p; - if (index >= pi->include_size) { -- opj_pi_emit_error(pi, "Invalid access to pi->include"); -+ opj_event_msg(pi->manager, EVT_ERROR, "Invalid access to pi->include"); - return OPJ_FALSE; - } - if (!pi->include[index]) { -@@ -987,7 +997,8 @@ static void opj_get_all_encoding_parameters(const opj_image_t *p_image, - - static opj_pi_iterator_t * opj_pi_create(const opj_image_t *image, - const opj_cp_t *cp, -- OPJ_UINT32 tileno) -+ OPJ_UINT32 tileno, -+ opj_event_mgr_t* manager) - { - /* loop*/ - OPJ_UINT32 pino, compno; -@@ -1021,6 +1032,8 @@ static opj_pi_iterator_t * opj_pi_create(const opj_image_t *image, - l_current_pi = l_pi; - for (pino = 0; pino < l_poc_bound ; ++pino) { - -+ l_current_pi->manager = manager; -+ - 
l_current_pi->comps = (opj_pi_comp_t*) opj_calloc(image->numcomps, - sizeof(opj_pi_comp_t)); - if (! l_current_pi->comps) { -@@ -1358,7 +1371,8 @@ static OPJ_BOOL opj_pi_check_next_level(OPJ_INT32 pos, - */ - opj_pi_iterator_t *opj_pi_create_decode(opj_image_t *p_image, - opj_cp_t *p_cp, -- OPJ_UINT32 p_tile_no) -+ OPJ_UINT32 p_tile_no, -+ opj_event_mgr_t* manager) - { - OPJ_UINT32 numcomps = p_image->numcomps; - -@@ -1413,7 +1427,7 @@ opj_pi_iterator_t *opj_pi_create_decode(opj_image_t *p_image, - } - - /* memory allocation for pi */ -- l_pi = opj_pi_create(p_image, p_cp, p_tile_no); -+ l_pi = opj_pi_create(p_image, p_cp, p_tile_no, manager); - if (!l_pi) { - opj_free(l_tmp_data); - opj_free(l_tmp_ptr); -@@ -1580,7 +1594,8 @@ OPJ_UINT32 opj_get_encoding_packet_count(const opj_image_t *p_image, - opj_pi_iterator_t *opj_pi_initialise_encode(const opj_image_t *p_image, - opj_cp_t *p_cp, - OPJ_UINT32 p_tile_no, -- J2K_T2_MODE p_t2_mode) -+ J2K_T2_MODE p_t2_mode, -+ opj_event_mgr_t* manager) - { - OPJ_UINT32 numcomps = p_image->numcomps; - -@@ -1634,7 +1649,7 @@ opj_pi_iterator_t *opj_pi_initialise_encode(const opj_image_t *p_image, - } - - /* memory allocation for pi*/ -- l_pi = opj_pi_create(p_image, p_cp, p_tile_no); -+ l_pi = opj_pi_create(p_image, p_cp, p_tile_no, manager); - if (!l_pi) { - opj_free(l_tmp_data); - opj_free(l_tmp_ptr); -diff --git a/src/lib/openjp2/pi.h b/src/lib/openjp2/pi.h -index 7fb3417fe..0320523b7 100644 ---- a/src/lib/openjp2/pi.h -+++ b/src/lib/openjp2/pi.h -@@ -107,6 +107,8 @@ typedef struct opj_pi_iterator { - OPJ_UINT32 x, y; - /** FIXME DOC*/ - OPJ_UINT32 dx, dy; -+ /** event manager */ -+ opj_event_mgr_t* manager; - } opj_pi_iterator_t; - - /** @name Exported functions */ -@@ -119,13 +121,15 @@ typedef struct opj_pi_iterator { - * @param cp the coding parameters. - * @param tileno index of the tile being encoded. 
- * @param t2_mode the type of pass for generating the packet iterator -+ * @param manager Event manager - * - * @return a list of packet iterator that points to the first packet of the tile (not true). - */ - opj_pi_iterator_t *opj_pi_initialise_encode(const opj_image_t *image, - opj_cp_t *cp, - OPJ_UINT32 tileno, -- J2K_T2_MODE t2_mode); -+ J2K_T2_MODE t2_mode, -+ opj_event_mgr_t* manager); - - /** - * Updates the encoding parameters of the codec. -@@ -161,12 +165,14 @@ Create a packet iterator for Decoder - @param image Raw image for which the packets will be listed - @param cp Coding parameters - @param tileno Number that identifies the tile for which to list the packets -+@param manager Event manager - @return Returns a packet iterator that points to the first packet of the tile - @see opj_pi_destroy - */ - opj_pi_iterator_t *opj_pi_create_decode(opj_image_t * image, - opj_cp_t * cp, -- OPJ_UINT32 tileno); -+ OPJ_UINT32 tileno, -+ opj_event_mgr_t* manager); - /** - * Destroys a packet iterator array. - * -diff --git a/src/lib/openjp2/t2.c b/src/lib/openjp2/t2.c -index e452edd19..3b1162a1b 100644 ---- a/src/lib/openjp2/t2.c -+++ b/src/lib/openjp2/t2.c -@@ -245,7 +245,7 @@ OPJ_BOOL opj_t2_encode_packets(opj_t2_t* p_t2, - l_image->numcomps : 1; - OPJ_UINT32 l_nb_pocs = l_tcp->numpocs + 1; - -- l_pi = opj_pi_initialise_encode(l_image, l_cp, p_tile_no, p_t2_mode); -+ l_pi = opj_pi_initialise_encode(l_image, l_cp, p_tile_no, p_t2_mode, p_manager); - if (!l_pi) { - return OPJ_FALSE; - } -@@ -425,7 +425,7 @@ OPJ_BOOL opj_t2_decode_packets(opj_tcd_t* tcd, - #endif - - /* create a packet iterator */ -- l_pi = opj_pi_create_decode(l_image, l_cp, p_tile_no); -+ l_pi = opj_pi_create_decode(l_image, l_cp, p_tile_no, p_manager); - if (!l_pi) { - return OPJ_FALSE; - } diff --git a/backport-CVE-2020-27843.patch b/backport-CVE-2020-27843.patch deleted file mode 100644 index 2fac7b2..0000000 --- a/backport-CVE-2020-27843.patch +++ /dev/null 
@@ -1,30 +0,0 @@ -From 38d661a3897052c7ff0b39b30c29cb067e130121 Mon Sep 17 00:00:00 2001 -From: Even Rouault -Date: Wed, 2 Dec 2020 13:13:26 +0100 -Subject: [PATCH] opj_t2_encode_packet(): avoid out of bound access of #1297, - but likely not the proper fix - ---- - src/lib/openjp2/t2.c | 9 +++++++++ - 1 file changed, 9 insertions(+) - -diff --git a/src/lib/openjp2/t2.c b/src/lib/openjp2/t2.c -index e452edd19..55f07c0ca 100644 ---- a/src/lib/openjp2/t2.c -+++ b/src/lib/openjp2/t2.c -@@ -815,6 +815,15 @@ static OPJ_BOOL opj_t2_encode_packet(OPJ_UINT32 tileno, - continue; - } - -+ /* Avoid out of bounds access of https://github.com/uclouvain/openjpeg/issues/1297 */ -+ /* but likely not a proper fix. */ -+ if (precno >= res->pw * res->ph) { -+ opj_event_msg(p_manager, EVT_ERROR, -+ "opj_t2_encode_packet(): accessing precno=%u >= %u\n", -+ precno, res->pw * res->ph); -+ return OPJ_FALSE; -+ } -+ - prc = &band->precincts[precno]; - l_nb_blocks = prc->cw * prc->ch; - cblk = prc->cblks.enc; diff --git a/backport-CVE-2020-27845.patch b/backport-CVE-2020-27845.patch deleted file mode 100644 index 8019107..0000000 --- a/backport-CVE-2020-27845.patch +++ /dev/null 
@@ -1,73 +0,0 @@ -From 8f5aff1dff510a964d3901d0fba281abec98ab63 Mon Sep 17 00:00:00 2001 -From: Even Rouault -Date: Fri, 4 Dec 2020 20:45:25 +0100 -Subject: [PATCH] pi.c: avoid out of bounds access with POC (fixes #1302) - ---- - src/lib/openjp2/pi.c | 25 +++++++++++++++++++++++-- - 1 file changed, 23 insertions(+), 2 deletions(-) - -diff --git a/src/lib/openjp2/pi.c b/src/lib/openjp2/pi.c -index d62b8d74a..4f7dd50f1 100644 ---- a/src/lib/openjp2/pi.c -+++ b/src/lib/openjp2/pi.c -@@ -240,6 +240,13 @@ static OPJ_BOOL opj_pi_next_lrcp(opj_pi_iterator_t * pi) - opj_pi_resolution_t *res = NULL; - OPJ_UINT32 index = 0; - -+ if (pi->poc.compno0 >= pi->numcomps || -+ pi->poc.compno1 >= pi->numcomps + 1) { -+ opj_event_msg(pi->manager, EVT_ERROR, -+ "opj_pi_next_lrcp(): invalid compno0/compno1\n"); -+ return OPJ_FALSE; -+ } -+ - if (!pi->first) { - comp = &pi->comps[pi->compno]; - res = &comp->resolutions[pi->resno]; -@@ -293,6 +300,13 @@ static OPJ_BOOL opj_pi_next_rlcp(opj_pi_iterator_t * pi) - opj_pi_resolution_t *res = NULL; - OPJ_UINT32 index = 0; - -+ if (pi->poc.compno0 >= pi->numcomps || -+ pi->poc.compno1 >= pi->numcomps + 1) { -+ opj_event_msg(pi->manager, EVT_ERROR, -+ "opj_pi_next_rlcp(): invalid compno0/compno1\n"); -+ return OPJ_FALSE; -+ } -+ - if (!pi->first) { - comp = &pi->comps[pi->compno]; - res = &comp->resolutions[pi->resno]; -@@ -339,6 +353,13 @@ static OPJ_BOOL opj_pi_next_rpcl(opj_pi_iterator_t * pi) - opj_pi_resolution_t *res = NULL; - OPJ_UINT32 index = 0; - -+ if (pi->poc.compno0 >= pi->numcomps || -+ pi->poc.compno1 >= pi->numcomps + 1) { -+ opj_event_msg(pi->manager, EVT_ERROR, -+ "opj_pi_next_rpcl(): invalid compno0/compno1\n"); -+ return OPJ_FALSE; -+ } -+ - if (!pi->first) { - goto LABEL_SKIP; - } else { -@@ -474,7 +495,7 @@ static OPJ_BOOL opj_pi_next_pcrl(opj_pi_iterator_t * pi) - if (pi->poc.compno0 >= pi->numcomps || - pi->poc.compno1 >= pi->numcomps + 1) { - opj_event_msg(pi->manager, EVT_ERROR, -- "opj_pi_next_pcrl(): invalid 
compno0/compno1"); -+ "opj_pi_next_pcrl(): invalid compno0/compno1\n"); - return OPJ_FALSE; - } - -@@ -612,7 +633,7 @@ static OPJ_BOOL opj_pi_next_cprl(opj_pi_iterator_t * pi) - if (pi->poc.compno0 >= pi->numcomps || - pi->poc.compno1 >= pi->numcomps + 1) { - opj_event_msg(pi->manager, EVT_ERROR, -- "opj_pi_next_cprl(): invalid compno0/compno1"); -+ "opj_pi_next_cprl(): invalid compno0/compno1\n"); - return OPJ_FALSE; - } - diff --git a/backport-CVE-2020-6851.patch b/backport-CVE-2020-6851.patch deleted file mode 100644 index ca2d842..0000000 --- a/backport-CVE-2020-6851.patch +++ /dev/null @@ -1,31 +0,0 @@ -From 024b8407392cb0b82b04b58ed256094ed5799e04 Mon Sep 17 00:00:00 2001 -From: Even Rouault -Date: Sat, 11 Jan 2020 01:51:19 +0100 -Subject: [PATCH] opj_j2k_update_image_dimensions(): reject images whose - coordinates are beyond INT_MAX (fixes #1228) - -Conflict:NA -Reference:https://github.com/uclouvain/openjpeg/commit/46c1eff9e98bbcf794d042f7b2e3d45556e805ce ---- - src/lib/openjp2/j2k.c | 8 ++++++++ - 1 file changed, 8 insertions(+) - -diff -Naur a_openjpeg/src/lib/openjp2/j2k.c b_openjpeg/src/lib/openjp2/j2k.c ---- a_openjpeg/src/lib/openjp2/j2k.c 2020-05-28 09:19:53.024612881 -0400 -+++ b_openjpeg/src/lib/openjp2/j2k.c 2020-05-28 09:29:55.623612881 -0400 -@@ -9236,6 +9236,14 @@ - l_img_comp = p_image->comps; - for (it_comp = 0; it_comp < p_image->numcomps; ++it_comp) { - OPJ_INT32 l_h, l_w; -+ if (p_image->x0 > (OPJ_UINT32)INT_MAX || -+ p_image->y0 > (OPJ_UINT32)INT_MAX || -+ p_image->x1 > (OPJ_UINT32)INT_MAX || -+ p_image->y1 > (OPJ_UINT32)INT_MAX) { -+ opj_event_msg(p_manager, EVT_ERROR, -+ "Image coordinates above INT_MAX are not supported\n"); -+ return OPJ_FALSE; -+ } - - l_img_comp->x0 = (OPJ_UINT32)opj_int_ceildiv((OPJ_INT32)p_image->x0, - (OPJ_INT32)l_img_comp->dx); - diff --git a/backport-CVE-2020-8112.patch b/backport-CVE-2020-8112.patch deleted file mode 100644 index e218134..0000000 --- a/backport-CVE-2020-8112.patch +++ /dev/null 
@@ -1,46 +0,0 @@ -From 05f9b91e60debda0e83977e5e63b2e66486f7074 Mon Sep 17 00:00:00 2001 -From: Even Rouault -Date: Thu, 30 Jan 2020 00:59:57 +0100 -Subject: [PATCH] opj_tcd_init_tile(): avoid integer overflow - -That could lead to later assertion failures. - -Fixes #1231 / CVE-2020-8112 - -Conflict:NA -Reference:https://github.com/uclouvain/openjpeg/pull/1232/commits/05f9b91e60debda0e83977e5e63b2e66486f7074 ---- - src/lib/openjp2/tcd.c | 20 ++++++++++++++++++-- - 1 file changed, 18 insertions(+), 2 deletions(-) - -diff -Naur a/src/lib/openjp2/tcd.c b/src/lib/openjp2/tcd.c ---- a/src/lib/openjp2/tcd.c 2020-06-01 17:05:36.781309518 -0400 -+++ b/src/lib/openjp2/tcd.c 2020-06-01 17:08:08.504309518 -0400 -@@ -905,8 +905,24 @@ - /* p. 64, B.6, ISO/IEC FDIS15444-1 : 2000 (18 august 2000) */ - l_tl_prc_x_start = opj_int_floordivpow2(l_res->x0, (OPJ_INT32)l_pdx) << l_pdx; - l_tl_prc_y_start = opj_int_floordivpow2(l_res->y0, (OPJ_INT32)l_pdy) << l_pdy; -- l_br_prc_x_end = opj_int_ceildivpow2(l_res->x1, (OPJ_INT32)l_pdx) << l_pdx; -- l_br_prc_y_end = opj_int_ceildivpow2(l_res->y1, (OPJ_INT32)l_pdy) << l_pdy; -+ { -+ OPJ_UINT32 tmp = ((OPJ_UINT32)opj_int_ceildivpow2(l_res->x1, -+ (OPJ_INT32)l_pdx)) << l_pdx; -+ if (tmp > (OPJ_UINT32)INT_MAX) { -+ opj_event_msg(manager, EVT_ERROR, "Integer overflow\n"); -+ return OPJ_FALSE; -+ } -+ l_br_prc_x_end = (OPJ_INT32)tmp; -+ } -+ { -+ OPJ_UINT32 tmp = ((OPJ_UINT32)opj_int_ceildivpow2(l_res->y1, -+ (OPJ_INT32)l_pdy)) << l_pdy; -+ if (tmp > (OPJ_UINT32)INT_MAX) { -+ opj_event_msg(manager, EVT_ERROR, "Integer overflow\n"); -+ return OPJ_FALSE; -+ } -+ l_br_prc_y_end = (OPJ_INT32)tmp; -+ } - /*fprintf(stderr, "\t\t\tprc_x_start=%d, prc_y_start=%d, br_prc_x_end=%d, br_prc_y_end=%d \n", l_tl_prc_x_start, l_tl_prc_y_start, l_br_prc_x_end ,l_br_prc_y_end );*/ - - l_res->pw = (l_res->x0 == l_res->x1) ? 0U : (OPJ_UINT32)(( - 
diff --git a/backport-avoid-integer-overflow.patch b/backport-avoid-integer-overflow.patch deleted file mode 100644 index 2a1ab68..0000000 --- a/backport-avoid-integer-overflow.patch +++ /dev/null 
@@ -1,81 +0,0 @@ -From 4cb1f663049aab96e122d1ff16f601d0cc0be976 Mon Sep 17 00:00:00 2001 -From: Even Rouault -Date: Sun, 17 Nov 2019 01:18:26 +0100 -Subject: [PATCH] pi.c: avoid integer overflow, resulting in later invalid - access to memory in opj_t2_decode_packets(). Fixes - https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=18979 - -reason:avoid integer overflow, resulting in later invalid -Conflict:NA -Reference:https://github.com/uclouvain/openjpeg/commit/4cb1f663049aab96e122d1ff16f601d0cc0be976 - ---- - src/lib/openjp2/pi.c | 24 ++++++++++++------------ - src/lib/openjp2/pi.h | 4 ++-- - 2 files changed, 14 insertions(+), 14 deletions(-) - -diff --git a/src/lib/openjp2/pi.c b/src/lib/openjp2/pi.c -index 4a6ed68e2..3ddb4a0c5 100644 ---- a/src/lib/openjp2/pi.c -+++ b/src/lib/openjp2/pi.c -@@ -376,10 +376,10 @@ static OPJ_BOOL opj_pi_next_rpcl(opj_pi_iterator_t * pi) - pi->poc.tx1 = pi->tx1; - } - for (pi->resno = pi->poc.resno0; pi->resno < pi->poc.resno1; pi->resno++) { -- for (pi->y = pi->poc.ty0; pi->y < pi->poc.ty1; -- pi->y += (OPJ_INT32)(pi->dy - (OPJ_UINT32)(pi->y % (OPJ_INT32)pi->dy))) { -- for (pi->x = pi->poc.tx0; pi->x < pi->poc.tx1; -- pi->x += (OPJ_INT32)(pi->dx - (OPJ_UINT32)(pi->x % (OPJ_INT32)pi->dx))) { -+ for (pi->y = (OPJ_UINT32)pi->poc.ty0; pi->y < (OPJ_UINT32)pi->poc.ty1; -+ pi->y += (pi->dy - (pi->y % pi->dy))) { -+ for (pi->x = (OPJ_UINT32)pi->poc.tx0; pi->x < (OPJ_UINT32)pi->poc.tx1; -+ pi->x += (pi->dx - (pi->x % pi->dx))) { - for (pi->compno = pi->poc.compno0; pi->compno < pi->poc.compno1; pi->compno++) { - OPJ_UINT32 levelno; - OPJ_INT32 trx0, try0; -@@ -508,10 +508,10 @@ static OPJ_BOOL opj_pi_next_pcrl(opj_pi_iterator_t * pi) - pi->poc.ty1 = pi->ty1; - pi->poc.tx1 = pi->tx1; - } -- for (pi->y = pi->poc.ty0; pi->y < pi->poc.ty1; -- pi->y += (OPJ_INT32)(pi->dy - (OPJ_UINT32)(pi->y % (OPJ_INT32)pi->dy))) { -- for (pi->x = pi->poc.tx0; pi->x < pi->poc.tx1; -- pi->x += (OPJ_INT32)(pi->dx - (OPJ_UINT32)(pi->x % (OPJ_INT32)pi->dx))) { -+ 
for (pi->y = (OPJ_UINT32)pi->poc.ty0; pi->y < (OPJ_UINT32)pi->poc.ty1; -+ pi->y += (pi->dy - (pi->y % pi->dy))) { -+ for (pi->x = (OPJ_UINT32)pi->poc.tx0; pi->x < (OPJ_UINT32)pi->poc.tx1; -+ pi->x += (pi->dx - (pi->x % pi->dx))) { - for (pi->compno = pi->poc.compno0; pi->compno < pi->poc.compno1; pi->compno++) { - comp = &pi->comps[pi->compno]; - for (pi->resno = pi->poc.resno0; -@@ -639,10 +639,10 @@ static OPJ_BOOL opj_pi_next_cprl(opj_pi_iterator_t * pi) - pi->poc.ty1 = pi->ty1; - pi->poc.tx1 = pi->tx1; - } -- for (pi->y = pi->poc.ty0; pi->y < pi->poc.ty1; -- pi->y += (OPJ_INT32)(pi->dy - (OPJ_UINT32)(pi->y % (OPJ_INT32)pi->dy))) { -- for (pi->x = pi->poc.tx0; pi->x < pi->poc.tx1; -- pi->x += (OPJ_INT32)(pi->dx - (OPJ_UINT32)(pi->x % (OPJ_INT32)pi->dx))) { -+ for (pi->y = (OPJ_UINT32)pi->poc.ty0; pi->y < (OPJ_UINT32)pi->poc.ty1; -+ pi->y += (pi->dy - (pi->y % pi->dy))) { -+ for (pi->x = (OPJ_UINT32)pi->poc.tx0; pi->x < (OPJ_UINT32)pi->poc.tx1; -+ pi->x += (pi->dx - (pi->x % pi->dx))) { - for (pi->resno = pi->poc.resno0; - pi->resno < opj_uint_min(pi->poc.resno1, comp->numresolutions); pi->resno++) { - OPJ_UINT32 levelno; -diff --git a/src/lib/openjp2/pi.h b/src/lib/openjp2/pi.h -index 8c0dc25c1..873802089 100644 ---- a/src/lib/openjp2/pi.h -+++ b/src/lib/openjp2/pi.h -@@ -102,9 +102,9 @@ typedef struct opj_pi_iterator { - /** Components*/ - opj_pi_comp_t *comps; - /** FIXME DOC*/ -- OPJ_INT32 tx0, ty0, tx1, ty1; -+ OPJ_UINT32 tx0, ty0, tx1, ty1; - /** FIXME DOC*/ -- OPJ_INT32 x, y; -+ OPJ_UINT32 x, y; - /** FIXME DOC*/ - OPJ_UINT32 dx, dy; - } opj_pi_iterator_t; diff --git a/heap-buffer-overflow.patch b/heap-buffer-overflow.patch new file mode 100644 index 0000000..e606555 --- /dev/null +++ b/heap-buffer-overflow.patch 
@@ -0,0 +1,22 @@
+diff -rupN --no-dereference openjpeg-2.4.0/src/bin/common/color.c openjpeg-2.4.0-new/src/bin/common/color.c
+--- openjpeg-2.4.0/src/bin/common/color.c 2020-12-28 21:59:39.000000000 +0100
++++ openjpeg-2.4.0-new/src/bin/common/color.c 2021-05-27 23:46:46.961130438 +0200
+@@ -368,12 +368,15 @@ static void sycc420_to_rgb(opj_image_t *
+
+ sycc_to_rgb(offset, upb, *y, *cb, *cr, r, g, b);
+
+- ++y;
++ if (*y != img->comps[0].data[loopmaxh])
++ ++y;
+ ++r;
+ ++g;
+ ++b;
+- ++cb;
+- ++cr;
++ if (*cb != img->comps[1].data[loopmaxh])
++ ++cb;
++ if (*cr != img->comps[2].data[loopmaxh])
++ ++cr;
+ }
+ if (j < maxw) {
+ sycc_to_rgb(offset, upb, *y, *cb, *cr, r, g, b);
diff --git a/openjpeg-2.3.1.tar.gz b/openjpeg-2.3.1.tar.gz
deleted file mode 100644
index 13416d2..0000000
Binary files a/openjpeg-2.3.1.tar.gz and /dev/null differ
diff --git a/openjpeg-2.4.0.tar.gz b/openjpeg-2.4.0.tar.gz
new file mode 100644
index 0000000..7e7f4e7
Binary files /dev/null and b/openjpeg-2.4.0.tar.gz differ
diff --git a/openjpeg2.spec b/openjpeg2.spec
index 2257357..8792f46 100644
--- a/openjpeg2.spec
+++ b/openjpeg2.spec
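Review bot: The guards added to sycc420_to_rgb in heap-buffer-overflow.patch test sample values, not positions: `if (*y != img->comps[0].data[loopmaxh])` dereferences `y` and compares it with the sample at index `loopmaxh`, so whether the pointer advances depends on pixel content rather than on how much of the plane is left. An iteration whose current sample happens to equal that one skips the increment while `r`, `g` and `b` still advance, and an undersized plane is still read by the preceding `sycc_to_rgb(offset, upb, *y, *cb, *cr, r, g, b)` call before any guard runs. The fix needs a bound on the pointer itself, for example `if (y < y_end) ++y;` with `y_end` (a name introduced here) set to one past the last sample of `comps[0]`, and likewise for `cb` and `cr`. The rest of sycc420_to_rgb, including how `loopmaxh` is computed, lies outside this hunk, so whether `data[loopmaxh]` is itself in range should be confirmed there. The patch file and its `Patch1:` entry also carry no reference to the issue being fixed; a header line naming it would help the next rebase.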
@@ -1,32 +1,17 @@ Name: openjpeg2 -Version: 2.3.1 -Release: 7 +Version: 2.4.0 +Release: 1 Summary: C-Library for JPEG 2000 License: BSD and MIT URL: https://github.com/uclouvain/openjpeg -Source0: https://github.com/uclouvain/openjpeg/archive/v%{version}/openjpeg-%{version}.tar.gz +Source0: https://github.com/uclouvain/openjpeg/archive/openjpeg-2.4.0.tar.gz -Patch0: openjpeg2_remove-thirdparty.patch -Patch1: openjpeg2_opj2.patch +Patch0: openjpeg2_opj2.patch +Patch1: heap-buffer-overflow.patch -Patch6000: CVE-2016-10505.patch -Patch6001: CVE-2016-7445.patch -Patch6002: CVE-2020-15389.patch -Patch6003: backport-avoid-integer-overflow.patch -Patch6004: backport-CVE-2020-27814.patch -Patch6005: backport-CVE-2020-27841.patch -Patch6006: backport-CVE-2020-27843.patch -Patch6007: backport-CVE-2020-27845.patch -Patch6008: backport-CVE-2020-8112.patch -Patch6009: backport-CVE-2020-6851.patch -Patch6010: backport-CVE-2020-27823.patch -Patch6011: backport-CVE-2020-27824.patch -Patch6012: backport-CVE-2021-29338.patch +Patch6000: backport-CVE-2021-29338.patch -BuildRequires: cmake gcc-c++ make zlib-devel libpng-devel libtiff-devel lcms2-devel doxygen - -Provides: %{name}-tools -Obsoletes: %{name}-tools +BuildRequires: cmake gcc-c++ make zlib-devel libpng-devel libtiff-devel lcms2-devel doxygen java-devel xerces-j2 %description OpenJPEG is an open-source JPEG 2000 codec written in C language. It has been developed in order @@ -42,12 +27,22 @@ Requires: %{name}%{?_isa} = %{version}-%{release} The %{name}-devel package contains libraries and header files for developing applications that use OpenJPEG 2. +%package tools +Summary: OpenJPEG 2 command line tools +Requires: %{name}%{?_isa} = %{version}-%{release} + +%description tools +Command line tools for JPEG 2000 file manipulation, using OpenJPEG2: + * opj2_compress + * opj2_decompress + * opj2_dump + %package_help %prep %autosetup -n openjpeg-%{version} -p1 -rm -rf thirdparty +# rm -rf thirdparty %build mkdir %{_target_platform} 
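Review bot: Dropping `CVE-2016-10505.patch` and `CVE-2016-7445.patch` in the first spec hunk needs a check that 2.4.0 contains equivalent fixes. Unlike most of the `backport-*` patches, these two are local `diff -Nur` patches with no upstream commit reference, so this commit does not show that the NULL-data checks in color.c and convertbmp.c or the `skip_int` result checks in jpwl/convert.c exist upstream. The changelog entry `- update to 2.4.0` should name the CVE patches that were retired because the new tarball includes them. Separately, `Source0` now hard-codes `openjpeg-2.4.0.tar.gz`; keeping `%{version}` in the URL, as the removed line did, avoids a mismatch between `Version:` and the fetched tarball on the next bump.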
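Review bot: Commenting out `rm -rf thirdparty` in %prep, together with dropping openjpeg2_remove-thirdparty.patch in the first hunk, puts the bundled third-party sources back into the build tree. The CMake comment visible in the removed patch says that with BUILD_THIRDPARTY off the bundled libraries are still built when the system ones are not found, so a missing -devel package could silently link bundled copies that the distribution does not patch. Prefer rebasing the unbundling patch onto 2.4.0 and restoring `rm -rf thirdparty`; if bundling is intended, delete the commented-out line and say why in the changelog. The cmake invocation in %build is outside this hunk, so whether it pins `-DBUILD_THIRDPARTY=OFF` cannot be seen here.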
@@ -84,9 +79,9 @@ mv %{buildroot}%{_mandir}/man1/opj_dump.1 %{buildroot}%{_mandir}/man1/opj2_dump. %files devel %defattr(-,root,root) -%{_includedir}/openjpeg-2.3/*.h +%{_includedir}/openjpeg-2.4/*.h %{_libdir}/*.so -%{_libdir}/openjpeg-2.3/ +%{_libdir}/openjpeg-2.4/ %{_libdir}/pkgconfig/libopenjp2.pc %files help @@ -96,7 +91,18 @@ mv %{buildroot}%{_mandir}/man1/opj_dump.1 %{buildroot}%{_mandir}/man1/opj2_dump. %{_mandir}/man1/*.1* %{_mandir}/man3/*.3* +%files tools +%{_bindir}/opj2_compress +%{_bindir}/opj2_decompress +%{_bindir}/opj2_dump +%{_mandir}/man1/opj2_compress.1* +%{_mandir}/man1/opj2_decompress.1* +%{_mandir}/man1/opj2_dump.1* + %changelog +* Sat Dec 04 2021 xingxing - 2.4.0-1 +- update to 2.4.0 + * Fri Sep 24 2021 yangcheng - 2.3.1-7 - fix CVE-2021-29338 diff --git a/openjpeg2_remove-thirdparty.patch b/openjpeg2_remove-thirdparty.patch deleted file mode 100644 index 12ac763..0000000 --- a/openjpeg2_remove-thirdparty.patch +++ /dev/null @@ -1,11 +0,0 @@ -diff -rupN openjpeg-2.3.1/CMakeLists.txt openjpeg-2.3.1-new/CMakeLists.txt ---- openjpeg-2.3.1/CMakeLists.txt 2019-04-02 14:45:15.000000000 +0200 -+++ openjpeg-2.3.1-new/CMakeLists.txt 2019-04-02 16:14:13.688252343 +0200 -@@ -278,7 +278,6 @@ if(BUILD_CODEC OR BUILD_MJ2) - # OFF: It will only build 3rd party libs if they are not found on the system - # ON: 3rd party libs will ALWAYS be build, and used - option(BUILD_THIRDPARTY "Build the thirdparty executables if it is needed" OFF) -- add_subdirectory(thirdparty) - add_subdirectory(src/bin) - endif () - add_subdirectory(wrapping)