authorkfg2015-06-10 19:17:24 +0200
committerkfg2015-06-10 19:17:24 +0200
commit13f329c21fc664c5c716f5d29fd9ea8f625c9f32 (patch)
tree69dfb51deb119c7b16a6b5d8442880e73dd7f2fd /rhbz1037945_CVE-2013-1447.patch
downloadaur-13f329c21fc664c5c716f5d29fd9ea8f625c9f32.tar.gz
Initial import
Diffstat (limited to 'rhbz1037945_CVE-2013-1447.patch')
-rw-r--r--rhbz1037945_CVE-2013-1447.patch71
1 files changed, 71 insertions, 0 deletions
diff --git a/rhbz1037945_CVE-2013-1447.patch b/rhbz1037945_CVE-2013-1447.patch
new file mode 100644
index 000000000000..c12839005d20
--- /dev/null
+++ b/rhbz1037945_CVE-2013-1447.patch
@@ -0,0 +1,71 @@
+diff -rupN openjpeg-1.5.2/libopenjpeg/jp2.c openjpeg-1.5.2-new/libopenjpeg/jp2.c
+--- openjpeg-1.5.2/libopenjpeg/jp2.c 2014-03-27 11:58:08.000000000 +0100
++++ openjpeg-1.5.2-new/libopenjpeg/jp2.c 2014-04-03 23:45:10.084005901 +0200
+@@ -957,6 +968,13 @@ static opj_bool jp2_read_ftyp(opj_jp2_t
+ }
+ jp2->cl = (unsigned int *) opj_malloc(jp2->numcl * sizeof(unsigned int));
+
++ if (cio_numbytesleft(cio) < ((int)jp2->numcl * 4)) {
++ opj_event_msg(cinfo, EVT_ERROR, "Not enough bytes in FTYP Box "
++ "(expected %d, but only %d left)\n",
++ ((int)jp2->numcl * 4), cio_numbytesleft(cio));
++ return OPJ_FALSE;
++ }
++
+ for (i = 0; i < (int)jp2->numcl; i++) {
+ jp2->cl[i] = cio_read(cio, 4); /* CLi */
+ }
+diff -rupN openjpeg-1.5.2/libopenjpeg/opj_malloc.h openjpeg-1.5.2-new/libopenjpeg/opj_malloc.h
+--- openjpeg-1.5.2/libopenjpeg/opj_malloc.h 2014-03-27 11:58:08.000000000 +0100
++++ openjpeg-1.5.2-new/libopenjpeg/opj_malloc.h 2014-04-03 23:45:40.743555542 +0200
+@@ -48,7 +48,7 @@ Allocate an uninitialized memory block
+ #ifdef ALLOC_PERF_OPT
+ void * OPJ_CALLCONV opj_malloc(size_t size);
+ #else
+-#define opj_malloc(size) malloc(size)
++#define opj_malloc(size) calloc(1, size)
+ #endif
+
+ /**
+diff -rupN openjpeg-1.5.2/libopenjpeg/t2.c openjpeg-1.5.2-new/libopenjpeg/t2.c
+--- openjpeg-1.5.2/libopenjpeg/t2.c 2014-03-27 11:58:08.000000000 +0100
++++ openjpeg-1.5.2-new/libopenjpeg/t2.c 2014-04-03 23:46:52.870848475 +0200
+@@ -341,6 +341,11 @@ static int t2_decode_packet(opj_t2_t* t2
+ int precno = pi->precno; /* precinct value */
+ int layno = pi->layno; /* quality layer value */
+
++ if (!&(tile->comps[compno])) {
++ opj_event_msg(t2->cinfo, EVT_ERROR, "Trying to decode tile with no components!\n");
++ return -999;
++ }
++
+ unsigned char *hd = NULL;
+ int present;
+
+diff -rupN openjpeg-1.5.2/libopenjpeg/tcd.c openjpeg-1.5.2-new/libopenjpeg/tcd.c
+--- openjpeg-1.5.2/libopenjpeg/tcd.c 2014-04-03 23:31:42.490473672 +0200
++++ openjpeg-1.5.2-new/libopenjpeg/tcd.c 2014-04-03 23:47:57.835012876 +0200
+@@ -672,8 +672,8 @@ void tcd_malloc_decode(opj_tcd_t *tcd, o
+ y1 = j == 0 ? tilec->y1 : int_max(y1, (unsigned int) tilec->y1);
+ }
+
+- w = int_ceildivpow2(x1 - x0, image->comps[i].factor);
+- h = int_ceildivpow2(y1 - y0, image->comps[i].factor);
++ w = int_ceildivpow2((long)(x1) - (long)(x0), image->comps[i].factor);
++ h = int_ceildivpow2((long)(y1) - (long)(y0), image->comps[i].factor);
+
+ image->comps[i].w = w;
+ image->comps[i].h = h;
+@@ -1391,6 +1391,12 @@ opj_bool tcd_decode_tile(opj_tcd_t *tcd,
+ return OPJ_FALSE;
+ }
+
++ /* The code below assumes that numcomps > 0 */
++ if (tile->numcomps <= 0) {
++ opj_event_msg(tcd->cinfo, EVT_ERROR, "tcd_decode: tile has a zero or negative numcomps\n");
++ return OPJ_TRUE;
++ }
++
+ /*------------------TIER1-----------------*/
+
+ t1_time = opj_clock(); /* time needed to decode a tile */
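Review bot: The guard added to `t2_decode_packet` in the embedded t2.c hunk, `if (!&(tile->comps[compno]))`, tests the address of an array element, which is non-null whenever `comps` is non-null (and a compiler may drop the test entirely), so it never bounds `compno`. A check that rejects a bad index would be `if (!tile->comps || compno < 0 || compno >= tile->numcomps)`, assuming the tile type here carries the same `numcomps` field that the tcd.c hunk reads. In the tcd.c hunk the `(long)` casts widen the subtraction only where `long` is 64-bit, and the result is presumably narrowed again when passed to `int_ceildivpow2`, so the overflow may still be reachable on 32-bit and LLP64 targets; the new `numcomps <= 0` branch also logs `EVT_ERROR` but returns `OPJ_TRUE`, which reports success to the caller. In the jp2.c hunk the length check runs after `opj_malloc`, whose result is not checked in the visible lines, and returns without a visible free of `jp2->cl`; `(int)jp2->numcl * 4` can itself overflow for a large `numcl`. All four functions start and end outside the embedded hunks, so the callers' handling of these return values could not be checked from this page.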