Package init

CVE-2017-17480.patch

@@ -0,0 +1,42 @@
+From 0bc90e4062a5f9258c91eca018c019b179066c62 Mon Sep 17 00:00:00 2001
+From: Hugo Lefeuvre <hle@debian.org>
+Date: Mon, 22 Oct 2018 16:59:41 +0200
+Subject: [PATCH] jp3d/jpwl convert: fix write stack buffer overflow
+
+Missing buffer length formatter in fscanf call might lead to write
+stack buffer overflow.
+
+fixes #1044 (CVE-2017-17480)
+---
+ src/bin/jp3d/convert.c | 4 ++--
+ src/bin/jpwl/convert.c | 2 +-
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/src/bin/jp3d/convert.c b/src/bin/jp3d/convert.c
+index 23fd70b04..acad8f82a 100644
+--- a/src/bin/jp3d/convert.c
++++ b/src/bin/jp3d/convert.c
+@@ -297,8 +297,8 @@ opj_volume_t* pgxtovolume(char *relpath, opj_cparameters_t *parameters)
+         fprintf(stdout, "[INFO] Loading %s \n", pgxfiles[pos]);
+ 
+         fseek(f, 0, SEEK_SET);
+-        fscanf(f, "PG%[ \t]%c%c%[ \t+-]%d%[ \t]%d%[ \t]%d", temp, &endian1, &endian2,
+-               signtmp, &prec, temp, &w, temp, &h);
++        fscanf(f, "PG%31[ \t]%c%c%31[ \t+-]%d%31[ \t]%d%31[ \t]%d", temp, &endian1,
++               &endian2, signtmp, &prec, temp, &w, temp, &h);
+ 
+         i = 0;
+         sign = '+';
+diff --git a/src/bin/jpwl/convert.c b/src/bin/jpwl/convert.c
+index f3bb670b0..73c1be729 100644
+--- a/src/bin/jpwl/convert.c
++++ b/src/bin/jpwl/convert.c
+@@ -1349,7 +1349,7 @@ opj_image_t* pgxtoimage(const char *filename, opj_cparameters_t *parameters)
+     }
+ 
+     fseek(f, 0, SEEK_SET);
+-    if (fscanf(f, "PG%[ \t]%c%c%[ \t+-]%d%[ \t]%d%[ \t]%d", temp, &endian1,
++    if (fscanf(f, "PG%31[ \t]%c%c%31[ \t+-]%d%31[ \t]%d%31[ \t]%d", temp, &endian1,
+                &endian2, signtmp, &prec, temp, &w, temp, &h) != 9) {
+         fprintf(stderr,
+                 "ERROR: Failed to read the right number of element from the fscanf() function!\n");

CVE-2018-5785.patch

@@ -0,0 +1,79 @@
+From ca16fe55014c57090dd97369256c7657aeb25975 Mon Sep 17 00:00:00 2001
+From: Hugo Lefeuvre <hle@debian.org>
+Date: Sat, 22 Sep 2018 14:33:19 -0400
+Subject: [PATCH] convertbmp: fix issues with zero bitmasks
+
+In the case where a BMP file declares compression 3 (BI_BITFIELDS)
+with header size <= 56, all bitmask values keep their initialization
+value 0. This may lead to various undefined behavior later e.g. when
+doing 1 << (l_comp->prec - 1).
+
+This issue does not affect files with bit count 16 because of a check
+added in 16240e2 which sets default values to the color masks if they
+are all 0.
+
+This commit adds similar checks for the 32 bit case.
+
+Also, if a BMP file declares compression 3 with header size >= 56 and
+intentional 0 bitmasks, the same issue will be triggered in both the
+16 and 32 bit count case.
+
+This commit adds checks to bmp_read_info_header() rejecting BMP files
+with "intentional" 0 bitmasks. These checks might be removed in the
+future when proper handling of zero bitmasks will be available in
+openjpeg2.
+
+fixes #1057 (CVE-2018-5785)
+---
+ src/bin/jp2/convertbmp.c | 21 +++++++++++++++++++++
+ 1 file changed, 21 insertions(+)
+
+diff --git a/src/bin/jp2/convertbmp.c b/src/bin/jp2/convertbmp.c
+index 084f70bb7..7fde99ab3 100644
+--- a/src/bin/jp2/convertbmp.c
++++ b/src/bin/jp2/convertbmp.c
+@@ -435,16 +435,31 @@ static OPJ_BOOL bmp_read_info_header(FILE* IN, OPJ_BITMAPINFOHEADER* header)
+         header->biRedMask |= (OPJ_UINT32)getc(IN) << 16;
+         header->biRedMask |= (OPJ_UINT32)getc(IN) << 24;
+ 
++        if (!header->biRedMask) {
++            fprintf(stderr, "Error, invalid red mask value %d\n", header->biRedMask);
++            return OPJ_FALSE;
++        }
++
+         header->biGreenMask  = (OPJ_UINT32)getc(IN);
+         header->biGreenMask |= (OPJ_UINT32)getc(IN) << 8;
+         header->biGreenMask |= (OPJ_UINT32)getc(IN) << 16;
+         header->biGreenMask |= (OPJ_UINT32)getc(IN) << 24;
+ 
++        if (!header->biGreenMask) {
++            fprintf(stderr, "Error, invalid green mask value %d\n", header->biGreenMask);
++            return OPJ_FALSE;
++        }
++
+         header->biBlueMask  = (OPJ_UINT32)getc(IN);
+         header->biBlueMask |= (OPJ_UINT32)getc(IN) << 8;
+         header->biBlueMask |= (OPJ_UINT32)getc(IN) << 16;
+         header->biBlueMask |= (OPJ_UINT32)getc(IN) << 24;
+ 
++        if (!header->biBlueMask) {
++            fprintf(stderr, "Error, invalid blue mask value %d\n", header->biBlueMask);
++            return OPJ_FALSE;
++        }
++
+         header->biAlphaMask  = (OPJ_UINT32)getc(IN);
+         header->biAlphaMask |= (OPJ_UINT32)getc(IN) << 8;
+         header->biAlphaMask |= (OPJ_UINT32)getc(IN) << 16;
+@@ -831,6 +846,12 @@ opj_image_t* bmptoimage(const char *filename, opj_cparameters_t *parameters)
+         bmpmask32toimage(pData, stride, image, 0x00FF0000U, 0x0000FF00U, 0x000000FFU,
+                          0x00000000U);
+     } else if (Info_h.biBitCount == 32 && Info_h.biCompression == 3) { /* bitmask */
++        if ((Info_h.biRedMask == 0U) && (Info_h.biGreenMask == 0U) &&
++                (Info_h.biBlueMask == 0U)) {
++            Info_h.biRedMask   = 0x00FF0000U;
++            Info_h.biGreenMask = 0x0000FF00U;
++            Info_h.biBlueMask  = 0x000000FFU;
++        }
+         bmpmask32toimage(pData, stride, image, Info_h.biRedMask, Info_h.biGreenMask,
+                          Info_h.biBlueMask, Info_h.biAlphaMask);
+     } else if (Info_h.biBitCount == 16 && Info_h.biCompression == 0) { /* RGBX */

CVE-2018-7648.patch

@@ -0,0 +1,32 @@
+From 6d8c0c06ee32dc03ba80acd48334e98728e56cf5 Mon Sep 17 00:00:00 2001
+From: Karol Babioch <kbabioch@suse.de>
+Date: Fri, 2 Mar 2018 14:40:58 +0100
+Subject: [PATCH] opj_mj2_extract: Check provided output prefix for length
+
+This uses snprintf() with correct buffer length instead of sprintf(). This
+prevents a buffer overflow when providing a long output prefix. Furthermore
+the program exits with an error when the provided output prefix is too long.
+
+Fixes #1088.
+---
+ src/bin/mj2/opj_mj2_extract.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/src/bin/mj2/opj_mj2_extract.c b/src/bin/mj2/opj_mj2_extract.c
+index a062e17d8..244110523 100644
+--- a/src/bin/mj2/opj_mj2_extract.c
++++ b/src/bin/mj2/opj_mj2_extract.c
+@@ -140,7 +140,12 @@ int main(int argc, char *argv[])
+         fread(frame_codestream, sample->sample_size - 8, 1,
+               file); /* Assuming that jp and ftyp markers size do*/
+ 
+-        sprintf(outfilename, "%s_%05d.j2k", argv[2], snum);
++        int num = snprintf(outfilename, sizeof(outfilename), "%s_%05d.j2k", argv[2], snum);
++        if (num >= sizeof(outfilename)) {
++            fprintf(stderr, "maximum length of output prefix exceeded\n");
++            return 1;
++        }
++
+         outfile = fopen(outfilename, "wb");
+         if (!outfile) {
+             fprintf(stderr, "failed to open %s for writing\n", outfilename);

openjpeg2.spec

@@ -0,0 +1,87 @@
+Name:           openjpeg2
+Version:        2.3.1
+Release:        1
+Summary:        C-Library for JPEG 2000
+License:        BSD and MIT
+URL:            https://github.com/uclouvain/openjpeg
+Source0:        https://github.com/uclouvain/openjpeg/archive/v%{version}/openjpeg-%{version}.tar.gz
+
+Patch0:         openjpeg2_remove-thirdparty.patch
+Patch1:         openjpeg2_opj2.patch
+
+BuildRequires:  cmake gcc-c++ make zlib-devel libpng-devel libtiff-devel lcms2-devel doxygen
+
+Provides:       %{name}-tools
+Obsoletes:      %{name}-tools
+
+%description
+OpenJPEG is an open-source JPEG 2000 codec written in C language. It has been developed in order
+to promote the use of JPEG 2000, a still-image compression standard from the Joint Photographic
+Experts Group (JPEG). Since April 2015, it is officially recognized by ISO/IEC and ITU-T as a
+JPEG 2000 Reference Software.
+
+%package        devel
+Summary:        Development files for OpenJPEG 2
+Requires:       %{name}%{?_isa} = %{version}-%{release}
+
+%description    devel
+The %{name}-devel package contains libraries and header files for developing
+applications that use OpenJPEG 2.
+
+%package_help
+
+%prep
+%autosetup -n openjpeg-%{version} -p1 
+
+rm -rf thirdparty
+
+%build
+mkdir %{_target_platform}
+pushd %{_target_platform}
+%cmake -DCMAKE_BUILD_TYPE=RelWithDebInfo -DOPENJPEG_INSTALL_LIB_DIR=%{_lib} \
+    %{?optional_components:-DBUILD_MJ2=ON -DBUILD_JPWL=ON -DBUILD_JPIP=ON -DBUILD_JP3D=ON} \
+    -DBUILD_DOC=ON \
+    -DBUILD_STATIC_LIBS=OFF \
+    -DBUILD_SHARED_LIBS=ON \
+    %{?runcheck:-DBUILD_TESTING:BOOL=ON -DOPJ_DATA_ROOT=$PWD/../data} \
+    ..
+popd
+
+%make_build VERBOSE=1 -C %{_target_platform}
+
+
+%install
+%make_install -C %{_target_platform}
+
+mv %{buildroot}%{_mandir}/man1/opj_compress.1 %{buildroot}%{_mandir}/man1/opj2_compress.1
+mv %{buildroot}%{_mandir}/man1/opj_decompress.1 %{buildroot}%{_mandir}/man1/opj2_decompress.1
+mv %{buildroot}%{_mandir}/man1/opj_dump.1 %{buildroot}%{_mandir}/man1/opj2_dump.1
+
+%ldconfig_scriptlets
+
+%files
+%defattr(-,root,root)
+%{!?_licensedir:%global license %doc}
+%doc AUTHORS.md
+%license LICENSE
+%{_libdir}/libopenjp2.so.*
+%{_bindir}/opj2*
+%exclude %{_datadir}/doc/
+
+%files devel
+%defattr(-,root,root)
+%{_includedir}/openjpeg-2.3/*.h
+%{_libdir}/*.so
+%{_libdir}/openjpeg-2.3/
+%{_libdir}/pkgconfig/libopenjp2.pc
+
+%files help
+%defattr(-,root,root)
+%doc %{_target_platform}/doc/html
+%doc NEWS.md README.md THANKS.md
+%{_mandir}/man1/*.1*
+%{_mandir}/man3/*.3*
+
+%changelog
+* Thu Sep 19 2019 openEuler Buildteam <buildteam@openeuler.org> - 2.3.1-1
+- Package init

openjpeg2_install.patch

@@ -0,0 +1,11 @@
+diff -rupN openjpeg-2.3.0/src/lib/openjp2/CMakeLists.txt openjpeg-2.3.0-new/src/lib/openjp2/CMakeLists.txt
+--- openjpeg-2.3.0/src/lib/openjp2/CMakeLists.txt	2017-10-05 00:23:14.000000000 +0200
++++ openjpeg-2.3.0-new/src/lib/openjp2/CMakeLists.txt	2017-12-25 13:53:07.000000000 +0100
+@@ -99,6 +99,7 @@ else()
+     set(INSTALL_LIBS ${OPENJPEG_LIBRARY_NAME} openjp2_static)
+   else()
+     add_library(${OPENJPEG_LIBRARY_NAME} ${OPENJPEG_SRCS})
++    set(INSTALL_LIBS ${OPENJPEG_LIBRARY_NAME})
+   endif()
+ endif()
+ 

openjpeg2_opj2.patch

@@ -0,0 +1,12 @@
+diff -rupN openjpeg-2.3.1/src/bin/jp2/CMakeLists.txt openjpeg-2.3.1-new/src/bin/jp2/CMakeLists.txt
+--- openjpeg-2.3.1/src/bin/jp2/CMakeLists.txt	2019-04-02 14:45:15.000000000 +0200
++++ openjpeg-2.3.1-new/src/bin/jp2/CMakeLists.txt	2019-04-02 16:14:13.726252297 +0200
+@@ -44,6 +44,8 @@ endif()
+ # Loop over all executables:
+ foreach(exe opj_decompress opj_compress opj_dump)
+   add_executable(${exe} ${exe}.c ${common_SRCS})
++  string(REPLACE "opj_" "opj2_" exe2 ${exe})
++  set_target_properties(${exe} PROPERTIES OUTPUT_NAME ${exe2})
+   if(NOT ${CMAKE_VERSION} VERSION_LESS "2.8.12")
+     target_compile_options(${exe} PRIVATE ${OPENJP2_COMPILE_OPTIONS})
+   endif()

openjpeg2_remove-thirdparty.patch

@@ -0,0 +1,11 @@
+diff -rupN openjpeg-2.3.1/CMakeLists.txt openjpeg-2.3.1-new/CMakeLists.txt
+--- openjpeg-2.3.1/CMakeLists.txt	2019-04-02 14:45:15.000000000 +0200
++++ openjpeg-2.3.1-new/CMakeLists.txt	2019-04-02 16:14:13.688252343 +0200
+@@ -278,7 +278,6 @@ if(BUILD_CODEC OR BUILD_MJ2)
+   # OFF: It will only build 3rd party libs if they are not found on the system
+   # ON: 3rd party libs will ALWAYS be build, and used
+   option(BUILD_THIRDPARTY "Build the thirdparty executables if it is needed" OFF)
+-  add_subdirectory(thirdparty)
+   add_subdirectory(src/bin)
+ endif ()
+ add_subdirectory(wrapping)