path: root/rhbz1037945_CVE-2013-1447.patch
blob: c12839005d20f3f8425212b42e95d4451def795f (plain)
diff -rupN openjpeg-1.5.2/libopenjpeg/jp2.c openjpeg-1.5.2-new/libopenjpeg/jp2.c
--- openjpeg-1.5.2/libopenjpeg/jp2.c	2014-03-27 11:58:08.000000000 +0100
+++ openjpeg-1.5.2-new/libopenjpeg/jp2.c	2014-04-03 23:45:10.084005901 +0200
@@ -957,6 +968,13 @@ static opj_bool jp2_read_ftyp(opj_jp2_t
 	}
 	jp2->cl = (unsigned int *) opj_malloc(jp2->numcl * sizeof(unsigned int));
 
+	if (cio_numbytesleft(cio) < ((int)jp2->numcl * 4)) {
+		opj_event_msg(cinfo, EVT_ERROR, "Not enough bytes in FTYP Box "
+				"(expected %d, but only %d left)\n",
+				((int)jp2->numcl * 4), cio_numbytesleft(cio));
+		return OPJ_FALSE;
+	}
+
 	for (i = 0; i < (int)jp2->numcl; i++) {
 		jp2->cl[i] = cio_read(cio, 4);	/* CLi */
 	}
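Review bot: The new length guard in jp2_read_ftyp computes `(int)jp2->numcl * 4` in signed arithmetic, so unless numcl is bounded above the hunk, a large value can overflow or turn negative and let the check pass. Comparing by division avoids that, assuming numcl is an unsigned int as the cast suggests: `if (cio_numbytesleft(cio) < 0 || jp2->numcl > (unsigned int)cio_numbytesleft(cio) / 4)`. The guard also sits after the opj_malloc call, so a buffer sized from the file is allocated before the length is validated, and the visible lines never test jp2->cl for NULL before the read loop writes through it. Moving the guard above the allocation and adding `if (!jp2->cl) return OPJ_FALSE;` after it would close both gaps. The function's body starts and continues outside the hunk.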
diff -rupN openjpeg-1.5.2/libopenjpeg/opj_malloc.h openjpeg-1.5.2-new/libopenjpeg/opj_malloc.h
--- openjpeg-1.5.2/libopenjpeg/opj_malloc.h	2014-03-27 11:58:08.000000000 +0100
+++ openjpeg-1.5.2-new/libopenjpeg/opj_malloc.h	2014-04-03 23:45:40.743555542 +0200
@@ -48,7 +48,7 @@ Allocate an uninitialized memory block
 #ifdef ALLOC_PERF_OPT
 void * OPJ_CALLCONV opj_malloc(size_t size);
 #else
-#define opj_malloc(size) malloc(size)
+#define opj_malloc(size) calloc(1, size)
 #endif
 
 /**
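Review bot: Only the `#else` branch is switched to zeroed memory, so builds that define ALLOC_PERF_OPT still use the out-of-line opj_malloc declared on the line above. That definition is not in this patch and presumably still returns uninitialized memory, which would leave those builds without the hardening. The doc comment for this macro (visible in the hunk header as "Allocate an uninitialized memory block") also becomes inaccurate. I would update it to something like `Allocate a zero-initialized memory block (hardening against reads of uninitialized heap data)` and apply the same zeroing in the ALLOC_PERF_OPT implementation. Note that zero-filling hides uninitialized reads rather than fixing them, so the call sites that depended on it still deserve their own checks.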
diff -rupN openjpeg-1.5.2/libopenjpeg/t2.c openjpeg-1.5.2-new/libopenjpeg/t2.c
--- openjpeg-1.5.2/libopenjpeg/t2.c	2014-03-27 11:58:08.000000000 +0100
+++ openjpeg-1.5.2-new/libopenjpeg/t2.c	2014-04-03 23:46:52.870848475 +0200
@@ -341,6 +341,11 @@ static int t2_decode_packet(opj_t2_t* t2
 	int precno = pi->precno;	/* precinct value */
 	int layno  = pi->layno;		/* quality layer value */
 
+	if (!&(tile->comps[compno])) {
+		opj_event_msg(t2->cinfo, EVT_ERROR, "Trying to decode tile with no components!\n");
+		return -999;
+	}
+
 	unsigned char *hd = NULL;
 	int present;
 	
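Review bot: The added test `if (!&(tile->comps[compno]))` in t2_decode_packet cannot detect a missing component: the address of an array element is non-null for any non-null comps, and forming it from a null comps is undefined behaviour, so a compiler may fold the condition to false. It also does not compare compno with the number of components, which is the bound that matters for the indexing that follows. Something like `if (!tile->comps || compno < 0 || compno >= tile->numcomps)` would be an actual guard, assuming the tile structure here carries the same numcomps field used in tcd.c. The statement is also placed before the `hd` and `present` declarations, which breaks C89 builds; moving it below the declarations avoids that. The function's body starts and continues outside the hunk.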
diff -rupN openjpeg-1.5.2/libopenjpeg/tcd.c openjpeg-1.5.2-new/libopenjpeg/tcd.c
--- openjpeg-1.5.2/libopenjpeg/tcd.c	2014-04-03 23:31:42.490473672 +0200
+++ openjpeg-1.5.2-new/libopenjpeg/tcd.c	2014-04-03 23:47:57.835012876 +0200
@@ -672,8 +672,8 @@ void tcd_malloc_decode(opj_tcd_t *tcd, o
 			y1 = j == 0 ? tilec->y1 : int_max(y1,	(unsigned int) tilec->y1);
 		}
 
-		w = int_ceildivpow2(x1 - x0, image->comps[i].factor);
-		h = int_ceildivpow2(y1 - y0, image->comps[i].factor);
+		w = int_ceildivpow2((long)(x1) - (long)(x0), image->comps[i].factor);
+		h = int_ceildivpow2((long)(y1) - (long)(y0), image->comps[i].factor);
 
 		image->comps[i].w = w;
 		image->comps[i].h = h;
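Review bot: The casts in `int_ceildivpow2((long)(x1) - (long)(x0), ...)` widen the subtraction only where long is 64 bits; on 32-bit targets and on 64-bit Windows long is the same width as int, so the overflow being guarded against is still possible there. If int_ceildivpow2 takes int parameters, as its name suggests (its prototype is not visible here), the widened difference is also truncated back to int at the call. A portable form validates the extent before use, for example computing `int64_t dx = (int64_t)x1 - (int64_t)x0;` and rejecting the tile when `dx < 0 || dx > INT_MAX`, and likewise for y. tcd_malloc_decode's body starts and continues outside the hunk.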
@@ -1391,6 +1391,12 @@ opj_bool tcd_decode_tile(opj_tcd_t *tcd,
     return OPJ_FALSE;
 	}
 	
+	/* The code below assumes that numcomps > 0 */
+	if (tile->numcomps <= 0) {
+		opj_event_msg(tcd->cinfo, EVT_ERROR, "tcd_decode: tile has a zero or negative numcomps\n");
+		return OPJ_TRUE;
+	}
+
 	/*------------------TIER1-----------------*/
 	
 	t1_time = opj_clock();	/* time needed to decode a tile */
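Review bot: The new numcomps guard in tcd_decode_tile logs an EVT_ERROR and then returns OPJ_TRUE, so the caller is told the tile decoded successfully even though nothing was decoded. The failure path directly above it in the hunk returns OPJ_FALSE, and unless ignoring an empty tile is deliberate, this branch should match it with `return OPJ_FALSE;`. If skipping the tile is intended, the message should be downgraded to a warning and a comment should state that reporting success is on purpose. The function's body starts and continues outside the hunk.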