diff options
author | kfg | 2015-06-10 19:17:24 +0200 |
---|---|---|
committer | kfg | 2015-06-10 19:17:24 +0200 |
commit | 13f329c21fc664c5c716f5d29fd9ea8f625c9f32 (patch) | |
tree | 69dfb51deb119c7b16a6b5d8442880e73dd7f2fd /rhbz1037945_CVE-2013-1447.patch | |
download | aur-13f329c21fc664c5c716f5d29fd9ea8f625c9f32.tar.gz |
Initial import
Diffstat (limited to 'rhbz1037945_CVE-2013-1447.patch')
-rw-r--r-- | rhbz1037945_CVE-2013-1447.patch | 71 |
1 files changed, 71 insertions, 0 deletions
diff --git a/rhbz1037945_CVE-2013-1447.patch b/rhbz1037945_CVE-2013-1447.patch new file mode 100644 index 000000000000..c12839005d20 --- /dev/null +++ b/rhbz1037945_CVE-2013-1447.patch @@ -0,0 +1,71 @@ +diff -rupN openjpeg-1.5.2/libopenjpeg/jp2.c openjpeg-1.5.2-new/libopenjpeg/jp2.c +--- openjpeg-1.5.2/libopenjpeg/jp2.c 2014-03-27 11:58:08.000000000 +0100 ++++ openjpeg-1.5.2-new/libopenjpeg/jp2.c 2014-04-03 23:45:10.084005901 +0200 +@@ -957,6 +968,13 @@ static opj_bool jp2_read_ftyp(opj_jp2_t + } + jp2->cl = (unsigned int *) opj_malloc(jp2->numcl * sizeof(unsigned int)); + ++ if (cio_numbytesleft(cio) < ((int)jp2->numcl * 4)) { ++ opj_event_msg(cinfo, EVT_ERROR, "Not enough bytes in FTYP Box " ++ "(expected %d, but only %d left)\n", ++ ((int)jp2->numcl * 4), cio_numbytesleft(cio)); ++ return OPJ_FALSE; ++ } ++ + for (i = 0; i < (int)jp2->numcl; i++) { + jp2->cl[i] = cio_read(cio, 4); /* CLi */ + } +diff -rupN openjpeg-1.5.2/libopenjpeg/opj_malloc.h openjpeg-1.5.2-new/libopenjpeg/opj_malloc.h +--- openjpeg-1.5.2/libopenjpeg/opj_malloc.h 2014-03-27 11:58:08.000000000 +0100 ++++ openjpeg-1.5.2-new/libopenjpeg/opj_malloc.h 2014-04-03 23:45:40.743555542 +0200 +@@ -48,7 +48,7 @@ Allocate an uninitialized memory block + #ifdef ALLOC_PERF_OPT + void * OPJ_CALLCONV opj_malloc(size_t size); + #else +-#define opj_malloc(size) malloc(size) ++#define opj_malloc(size) calloc(1, size) + #endif + + /** +diff -rupN openjpeg-1.5.2/libopenjpeg/t2.c openjpeg-1.5.2-new/libopenjpeg/t2.c +--- openjpeg-1.5.2/libopenjpeg/t2.c 2014-03-27 11:58:08.000000000 +0100 ++++ openjpeg-1.5.2-new/libopenjpeg/t2.c 2014-04-03 23:46:52.870848475 +0200 +@@ -341,6 +341,11 @@ static int t2_decode_packet(opj_t2_t* t2 + int precno = pi->precno; /* precinct value */ + int layno = pi->layno; /* quality layer value */ + ++ if (!&(tile->comps[compno])) { ++ opj_event_msg(t2->cinfo, EVT_ERROR, "Trying to decode tile with no components!\n"); ++ return -999; ++ } ++ + unsigned char *hd = NULL; + int present; + +diff -rupN openjpeg-1.5.2/libopenjpeg/tcd.c openjpeg-1.5.2-new/libopenjpeg/tcd.c +--- openjpeg-1.5.2/libopenjpeg/tcd.c 2014-04-03 23:31:42.490473672 +0200 ++++ openjpeg-1.5.2-new/libopenjpeg/tcd.c 2014-04-03 23:47:57.835012876 +0200 +@@ -672,8 +672,8 @@ void tcd_malloc_decode(opj_tcd_t *tcd, o + y1 = j == 0 ? tilec->y1 : int_max(y1, (unsigned int) tilec->y1); + } + +- w = int_ceildivpow2(x1 - x0, image->comps[i].factor); +- h = int_ceildivpow2(y1 - y0, image->comps[i].factor); ++ w = int_ceildivpow2((long)(x1) - (long)(x0), image->comps[i].factor); ++ h = int_ceildivpow2((long)(y1) - (long)(y0), image->comps[i].factor); + + image->comps[i].w = w; + image->comps[i].h = h; +@@ -1391,6 +1391,12 @@ opj_bool tcd_decode_tile(opj_tcd_t *tcd, + return OPJ_FALSE; + } + ++ /* The code below assumes that numcomps > 0 */ ++ if (tile->numcomps <= 0) { ++ opj_event_msg(tcd->cinfo, EVT_ERROR, "tcd_decode: tile has a zero or negative numcomps\n"); ++ return OPJ_TRUE; ++ } ++ + /*------------------TIER1-----------------*/ + + t1_time = opj_clock(); /* time needed to decode a tile */ |