
File openjpeg2-CVE-2016-9580-CVE-2016-9581.patch of Package openjpeg2

From 4cacf5c1148d422e9afb4152dd7469ccc0610185 Mon Sep 17 00:00:00 2001
From: Hans Petter Jansson <hpj@cl.no>
Date: Thu, 15 Dec 2016 01:04:54 +0100
Subject: [PATCH 9/9] CVE-2016-9580, CVE-2016-9581

---
 src/bin/jp2/convert.c | 87 +++++++++++++++++++++++++++++++++++++++++++--------
 1 file changed, 74 insertions(+), 13 deletions(-)

diff --git a/src/bin/jp2/convert.c b/src/bin/jp2/convert.c
index d21671d..f08d094 100644
--- a/src/bin/jp2/convert.c
+++ b/src/bin/jp2/convert.c
@@ -2249,16 +2249,17 @@ if(v > 65535) v = 65535; else if(v < 0) v = 0;
 
 int imagetotif(opj_image_t * image, const char *outfile) 
 {
-    int width, height, imgsize;
-    int bps,index,adjust, sgnd;
+    uint32 width, height, bps;
+    int imgsize;
+    int index,adjust, sgnd;
     int ushift, dshift, has_alpha, force16;
     TIFF *tif;
     tdata_t buf;
     tstrip_t strip;
-    tsize_t strip_size;
+    tmsize_t strip_size;
 
     ushift = dshift = force16 = has_alpha = 0;
-    bps = (int)image->comps[0].prec;
+    bps = (uint32)image->comps[0].prec;
 
     if(bps > 8 && bps < 16)
     {
@@ -2281,7 +2282,7 @@ int imagetotif(opj_image_t * image, const char *outfile)
         return 1;
     }
     sgnd = (int)image->comps[0].sgnd;
-    adjust = sgnd ? 1 << (image->comps[0].prec - 1) : 0;
+    adjust = sgnd ? (int)(1 << (image->comps[0].prec - 1)) : 0;
 
     if(image->numcomps >= 3
             && image->comps[0].dx == image->comps[1].dx
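Review bot: The added `(int)` cast on the `adjust` line has no effect, because `1 << (image->comps[0].prec - 1)` is already an `int` expression and the cast is applied only after the shift has been evaluated. If the intent was to keep the shift well-defined for unusual precisions, the shift count has to be bounded before shifting. Whether an earlier check in `imagetotif` already limits `prec` is not visible in this hunk. I would drop the cast and, once the range is confirmed, record it with a comment such as `/* prec range is enforced by the bps check above */`.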
@@ -2293,8 +2294,8 @@ int imagetotif(opj_image_t * image, const char *outfile)
     {
         has_alpha = (image->numcomps == 4);
 
-        width   = (int)image->comps[0].w;
-        height  = (int)image->comps[0].h;
+        width   = (uint32)image->comps[0].w;
+        height  = (uint32)image->comps[0].h;
         imgsize = width * height ;
 
         TIFFSetField(tif, TIFFTAG_IMAGEWIDTH, width);
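Review bot: `imgsize = width * height;` now multiplies two `uint32` values and stores the result in `imgsize`, which the first hunk leaves as `int`. A large image therefore wraps the product, or converts it to a negative `int`, without any diagnostic. Nothing in this hunk bounds the dimensions before the multiply. A guard ahead of the assignment would close this, for example `if (height != 0 && width > (uint32)INT_MAX / height) { TIFFClose(tif); return 1; }` (needs `<limits.h>`). The code that consumes `imgsize` lies outside the hunk, so its loop bounds should be checked against the same limit.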
@@ -2651,15 +2652,15 @@ opj_image_t* tiftoimage(const char *filename, opj_cparameters_t *parameters)
     TIFF *tif;
     tdata_t buf;
     tstrip_t strip;
-    tsize_t strip_size;
+    tmsize_t strip_size;
     int j, numcomps, w, h,index;
     OPJ_COLOR_SPACE color_space;
     opj_image_cmptparm_t cmptparm[4]; /* RGBA */
     opj_image_t *image = NULL;
     int imgsize = 0;
     int has_alpha = 0;
-    unsigned short tiBps, tiPhoto, tiSf, tiSpp, tiPC;
-    unsigned int tiWidth, tiHeight;
+    uint32 tiBps, tiPhoto, tiSf, tiSpp, tiPC;
+    uint32 tiWidth, tiHeight;
     OPJ_BOOL is_cinema = OPJ_IS_CINEMA(parameters->rsiz);
 
     tif = TIFFOpen(filename, "r");
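Review bot: Widening `tiBps`, `tiPhoto`, `tiSf`, `tiSpp` and `tiPC` to `uint32` does not match what libtiff stores through the pointer. `TIFFGetField` writes a 16-bit value for `TIFFTAG_SAMPLESPERPIXEL`, `TIFFTAG_PHOTOMETRIC` and `TIFFTAG_PLANARCONFIG` (the calls with `&tiSpp`, `&tiPhoto`, `&tiPC` in the next hunk), and presumably for the `tiBps` and `tiSf` tags too, whose calls are outside the visible hunks. Because the variables are declared without initialisers, only half of each object is written. The later comparisons then read indeterminate bytes, and on a big-endian host the value lands in the wrong half. I would keep these five as 16-bit and zero-initialised, `uint16 tiBps = 0, tiPhoto = 0, tiSf = 0, tiSpp = 0, tiPC = 0;`, and leave only `tiWidth` and `tiHeight` as `uint32`.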
@@ -2679,13 +2680,22 @@ opj_image_t* tiftoimage(const char *filename, opj_cparameters_t *parameters)
     TIFFGetField(tif, TIFFTAG_SAMPLESPERPIXEL, &tiSpp);
     TIFFGetField(tif, TIFFTAG_PHOTOMETRIC, &tiPhoto);
     TIFFGetField(tif, TIFFTAG_PLANARCONFIG, &tiPC);
+
+    if(tiWidth == 0 || tiHeight == 0) {
+        fprintf(stderr,"tiftoimage: Bad values for width(%u) "
+                "and/or height(%u)\n\tAborting.\n",tiWidth,tiHeight);
+        TIFFClose(tif);
+        return NULL;
+    }
+
     w= (int)tiWidth;
     h= (int)tiHeight;
 
     if(tiBps != 8 && tiBps != 16 && tiBps != 12) tiBps = 0;
     if(tiPhoto != 1 && tiPhoto != 2) tiPhoto = 0;
+    if(tiSpp > 4) tiSpp = 0;
 
-    if( !tiBps || !tiPhoto)
+    if( !tiBps || !tiPhoto || !tiSpp)
     {
         if( !tiBps)
      fprintf(stderr,"tiftoimage: Bits=%d, Only 8 and 16 bits"
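Review bot: The new dimension check rejects only zero, while `w= (int)tiWidth;` and `h= (int)tiHeight;` directly below it still turn any value above `INT_MAX` into a negative `int`. The return values of the `TIFFGetField` calls at the top of the hunk are also ignored, and `tiWidth`/`tiHeight` are declared without initialisers. For a file that lacks a tag, the check therefore reads an indeterminate value. I would initialise the tag variables to 0 at declaration and extend the condition to `if(tiWidth == 0 || tiHeight == 0 || tiWidth > INT_MAX || tiHeight > INT_MAX)`. The error branch that starts at the end of this hunk continues in the next one.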
@@ -2694,6 +2704,9 @@ opj_image_t* tiftoimage(const char *filename, opj_cparameters_t *parameters)
             if( !tiPhoto)
                 fprintf(stderr,"tiftoimage: Bad color format %d.\n\tOnly RGB(A)"
                         " and GRAY(A) has been implemented\n",(int) tiPhoto);
+        else
+            if( !tiSpp)
+                    fprintf(stderr,"tiftoimage: Bad value for samples per pixel == %hu.\n", tiSpp);
 
         fprintf(stderr,"\tAborting\n");
         TIFFClose(tif);
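Review bot: The added samples-per-pixel message uses `%hu` for `tiSpp`, which this patch changes to `uint32`, so the conversion no longer matches the argument type; `%u` is the matching specifier. The message also cannot show the offending value, because `if(tiSpp > 4) tiSpp = 0;` in the previous hunk overwrites what was read from the file before the message is built. The `else` chain additionally reaches it only when bits and photometric are both valid. Keeping the original value in a separate variable for reporting, and emitting each diagnostic independently, would make the abort output usable when triaging a rejected file.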
@@ -2786,8 +2799,23 @@ opj_image_t* tiftoimage(const char *filename, opj_cparameters_t *parameters)
         image->y0 = (OPJ_UINT32)parameters->image_offset_y0;
         image->x1 =	!image->x0 ? (OPJ_UINT32)(w - 1) * (OPJ_UINT32)subsampling_dx + 1 :
                                  image->x0 + (OPJ_UINT32)(w - 1) * (OPJ_UINT32)subsampling_dx + 1;
+        if(image->x1 <= image->x0) {
+            fprintf(stderr,"tiftoimage: Bad value for image->x1(%d) vs. "
+                    "image->x0(%d)\n\tAborting.\n",image->x1,image->x0);
+            TIFFClose(tif);
+            opj_image_destroy(image);
+            return NULL;
+        }
+
         image->y1 =	!image->y0 ? (OPJ_UINT32)(h - 1) * (OPJ_UINT32)subsampling_dy + 1 :
                                  image->y0 + (OPJ_UINT32)(h - 1) * (OPJ_UINT32)subsampling_dy + 1;
+        if(image->y1 <= image->y0) {
+            fprintf(stderr,"tiftoimage: Bad value for image->y1(%d) vs. "
+                    "image->y0(%d)\n\tAborting.\n",image->y1,image->y0);
+            TIFFClose(tif);
+            opj_image_destroy(image);
+            return NULL;
+        }
 
         buf = _TIFFmalloc(TIFFStripSize(tif));
 
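Review bot: The `image->x1 <= image->x0` and `image->y1 <= image->y0` checks run after the 32-bit multiplication has already wrapped, so they only catch a wrap that lands at or below the origin. A product that wraps to a value above `x0` still passes. Checking the operands before the multiply is more reliable, for example rejecting when `(OPJ_UINT32)(w - 1) > (UINT_MAX - 1 - image->x0) / (OPJ_UINT32)subsampling_dx` (assuming `subsampling_dx` is known to be non-zero), and likewise for `h` and `subsampling_dy`. The messages also print values that these lines treat as `OPJ_UINT32` with `%d`; `%u` matches the type. The identical checks added in the hunk at line 2936 have the same gap.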
@@ -2800,10 +2828,20 @@ opj_image_t* tiftoimage(const char *filename, opj_cparameters_t *parameters)
         {
             unsigned char *dat8;
             int step;
-            tsize_t i, ssize;
+            tmsize_t i, ssize;
             ssize = TIFFReadEncodedStrip(tif, strip, buf, strip_size);
             dat8 = (unsigned char*)buf;
 
+            ssize = TIFFReadEncodedStrip(tif, strip, buf, strip_size);
+            if(ssize < 1 || ssize > strip_size) {
+                fprintf(stderr,"tiftoimage: Bad value for ssize(%ld) "
+                        "vs. strip_size(%ld).\n\tAborting.\n",ssize,strip_size);
+                _TIFFfree(buf);
+                TIFFClose(tif);
+                opj_image_destroy(image);
+                return NULL;
+            }
+
             if(tiBps == 16)
             {
                 step = 6 + has_alpha + has_alpha;
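Review bot: The strip is now read twice in this loop: the existing `ssize = TIFFReadEncodedStrip(tif, strip, buf, strip_size);` stays as a context line and the patch adds an identical call a few lines below it. The first result is discarded unchecked and every strip is decoded two times. The later hunk at line 2949 adds only the check, which looks like the intended form, so I would drop the added call here and keep the `if(ssize < 1 || ssize > strip_size)` block. In both hunks the message prints `tmsize_t` values with `%ld`, which is only correct where `tmsize_t` has the width of `long`. Casting the arguments, `(long)ssize,(long)strip_size`, keeps the format valid on other targets.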
@@ -2936,8 +2974,22 @@ opj_image_t* tiftoimage(const char *filename, opj_cparameters_t *parameters)
         image->y0 = (OPJ_UINT32)parameters->image_offset_y0;
         image->x1 =	!image->x0 ? (OPJ_UINT32)(w - 1) * (OPJ_UINT32)subsampling_dx + 1 :
                                  image->x0 + (OPJ_UINT32)(w - 1) * (OPJ_UINT32)subsampling_dx + 1;
+        if(image->x1 <= image->x0) {
+            fprintf(stderr,"tiftoimage: Bad value for image->x1(%d) vs. "
+                    "image->x0(%d)\n\tAborting.\n",image->x1,image->x0);
+            TIFFClose(tif);
+            opj_image_destroy(image);
+            return NULL;
+        }
         image->y1 =	!image->y0 ? (OPJ_UINT32)(h - 1) * (OPJ_UINT32)subsampling_dy + 1 :
                                  image->y0 + (OPJ_UINT32)(h - 1) * (OPJ_UINT32)subsampling_dy + 1;
+        if(image->y1 <= image->y0) {
+            fprintf(stderr,"tiftoimage: Bad value for image->y1(%d) vs. "
+                    "image->y0(%d)\n\tAborting.\n",image->y1,image->y0);
+            TIFFClose(tif);
+            opj_image_destroy(image);
+            return NULL;
+        }
 
         buf = _TIFFmalloc(TIFFStripSize(tif));
 
@@ -2949,12 +3001,21 @@ opj_image_t* tiftoimage(const char *filename, opj_cparameters_t *parameters)
         for(strip = 0; strip < TIFFNumberOfStrips(tif); strip++)
         {
             unsigned char *dat8;
-            tsize_t i, ssize;
+            tmsize_t i, ssize;
             int step;
 
             ssize = TIFFReadEncodedStrip(tif, strip, buf, strip_size);
             dat8 = (unsigned char*)buf;
 
+            if(ssize < 1 || ssize > strip_size) {
+                fprintf(stderr,"tiftoimage: Bad value for ssize(%ld) "
+                        "vs. strip_size(%ld).\n\tAborting.\n",ssize,strip_size);
+                _TIFFfree(buf);
+                TIFFClose(tif);
+                opj_image_destroy(image);
+                return NULL;
+            }
+
             if(tiBps == 16)
             {
                 step = 2 + has_alpha + has_alpha;
-- 
1.8.4.5