File openjpeg2-CVE-2016-9580-CVE-2016-9581.patch of Package openjpeg2.36921
From 4cacf5c1148d422e9afb4152dd7469ccc0610185 Mon Sep 17 00:00:00 2001
From: Hans Petter Jansson <hpj@cl.no>
Date: Thu, 15 Dec 2016 01:04:54 +0100
Subject: [PATCH 9/9] CVE-2016-9580, CVE-2016-9581
---
src/bin/jp2/convert.c | 87 +++++++++++++++++++++++++++++++++++++++++++--------
1 file changed, 74 insertions(+), 13 deletions(-)
diff --git a/src/bin/jp2/convert.c b/src/bin/jp2/convert.c
index d21671d..f08d094 100644
--- a/src/bin/jp2/convert.c
+++ b/src/bin/jp2/convert.c
@@ -2249,16 +2249,17 @@ if(v > 65535) v = 65535; else if(v < 0) v = 0;
int imagetotif(opj_image_t * image, const char *outfile)
{
- int width, height, imgsize;
- int bps,index,adjust, sgnd;
+ uint32 width, height, bps;
+ int imgsize;
+ int index,adjust, sgnd;
int ushift, dshift, has_alpha, force16;
TIFF *tif;
tdata_t buf;
tstrip_t strip;
- tsize_t strip_size;
+ tmsize_t strip_size;
ushift = dshift = force16 = has_alpha = 0;
- bps = (int)image->comps[0].prec;
+ bps = (uint32)image->comps[0].prec;
if(bps > 8 && bps < 16)
{
@@ -2281,7 +2282,7 @@ int imagetotif(opj_image_t * image, const char *outfile)
return 1;
}
sgnd = (int)image->comps[0].sgnd;
- adjust = sgnd ? 1 << (image->comps[0].prec - 1) : 0;
+ adjust = sgnd ? (int)(1 << (image->comps[0].prec - 1)) : 0;
if(image->numcomps >= 3
&& image->comps[0].dx == image->comps[1].dx
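Review bot: The `(int)` cast added to the `adjust` assignment wraps an expression that is already of type `int`, because the left operand of the shift is the `int` literal `1`, so it does not change how the shift is evaluated. Whether the shift count `prec - 1` is bounded depends on the `bps` checks earlier in `imagetotif`, which lie outside this hunk. If the intent was to make the shift well defined for large precisions, an unsigned literal does that: `adjust = sgnd ? (int)(1u << (image->comps[0].prec - 1)) : 0;`. A short comment stating the accepted precision range would also help.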
@@ -2293,8 +2294,8 @@ int imagetotif(opj_image_t * image, const char *outfile)
{
has_alpha = (image->numcomps == 4);
- width = (int)image->comps[0].w;
- height = (int)image->comps[0].h;
+ width = (uint32)image->comps[0].w;
+ height = (uint32)image->comps[0].h;
imgsize = width * height ;
TIFFSetField(tif, TIFFTAG_IMAGEWIDTH, width);
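Review bot: `imgsize = width * height ;` is still an unchecked multiplication. With both operands now `uint32`, the product wraps modulo 2^32 and is then narrowed into the `int imgsize` declared in the first hunk. If `imgsize` later bounds the pixel loop (that code is outside this hunk), a wrapped or negative value would make the loop bounds disagree with the component buffers. Reject the dimensions before multiplying, for example `if(height != 0 && width > (uint32)INT_MAX / height) { TIFFClose(tif); return 1; }`, and adjust that to the function's actual cleanup path.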
@@ -2651,15 +2652,15 @@ opj_image_t* tiftoimage(const char *filename, opj_cparameters_t *parameters)
TIFF *tif;
tdata_t buf;
tstrip_t strip;
- tsize_t strip_size;
+ tmsize_t strip_size;
int j, numcomps, w, h,index;
OPJ_COLOR_SPACE color_space;
opj_image_cmptparm_t cmptparm[4]; /* RGBA */
opj_image_t *image = NULL;
int imgsize = 0;
int has_alpha = 0;
- unsigned short tiBps, tiPhoto, tiSf, tiSpp, tiPC;
- unsigned int tiWidth, tiHeight;
+ uint32 tiBps, tiPhoto, tiSf, tiSpp, tiPC;
+ uint32 tiWidth, tiHeight;
OPJ_BOOL is_cinema = OPJ_IS_CINEMA(parameters->rsiz);
tif = TIFFOpen(filename, "r");
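Review bot: Widening `tiBps, tiPhoto, tiSf, tiSpp, tiPC` to `uint32` does not match what libtiff writes for these tags. `TIFFGetField` stores a 16-bit value through the pointer for `TIFFTAG_SAMPLESPERPIXEL`, `TIFFTAG_PHOTOMETRIC` and `TIFFTAG_PLANARCONFIG` (the calls are visible in the next hunk), and also for bits-per-sample and sample-format. Because the variables have no initialiser, the other two bytes stay indeterminate, and on a big-endian host the value lands in the wrong half. The later range checks such as `tiSpp > 4` then test garbage. Keep the 16-bit type and zero-initialise it, `uint16 tiBps = 0, tiPhoto = 0, tiSf = 0, tiSpp = 0, tiPC = 0;`, and initialise `tiWidth` and `tiHeight` to 0 as well.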
@@ -2679,13 +2680,22 @@ opj_image_t* tiftoimage(const char *filename, opj_cparameters_t *parameters)
TIFFGetField(tif, TIFFTAG_SAMPLESPERPIXEL, &tiSpp);
TIFFGetField(tif, TIFFTAG_PHOTOMETRIC, &tiPhoto);
TIFFGetField(tif, TIFFTAG_PLANARCONFIG, &tiPC);
+
+ if(tiWidth == 0 || tiHeight == 0) {
+ fprintf(stderr,"tiftoimage: Bad values for width(%u) "
+ "and/or height(%u)\n\tAborting.\n",tiWidth,tiHeight);
+ TIFFClose(tif);
+ return NULL;
+ }
+
w= (int)tiWidth;
h= (int)tiHeight;
if(tiBps != 8 && tiBps != 16 && tiBps != 12) tiBps = 0;
if(tiPhoto != 1 && tiPhoto != 2) tiPhoto = 0;
+ if(tiSpp > 4) tiSpp = 0;
- if( !tiBps || !tiPhoto)
+ if( !tiBps || !tiPhoto || !tiSpp)
{
if( !tiBps)
fprintf(stderr,"tiftoimage: Bits=%d, Only 8 and 16 bits"
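Review bot: The new dimension check rejects only zero, so a width or height above `INT_MAX` still reaches `w= (int)tiWidth;` and `h= (int)tiHeight;` and becomes negative there. Extending the guard to `if(tiWidth == 0 || tiHeight == 0 || tiWidth > INT_MAX || tiHeight > INT_MAX)` closes that gap. `tiWidth` and `tiHeight` are also declared without initialisers, and the `TIFFGetField` calls in the visible lines ignore their return value. If the width and height calls above this hunk do the same, a file that lacks a tag leaves the compared values indeterminate. The enclosing function continues beyond this hunk.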
@@ -2694,6 +2704,9 @@ opj_image_t* tiftoimage(const char *filename, opj_cparameters_t *parameters)
if( !tiPhoto)
fprintf(stderr,"tiftoimage: Bad color format %d.\n\tOnly RGB(A)"
" and GRAY(A) has been implemented\n",(int) tiPhoto);
+ else
+ if( !tiSpp)
+ fprintf(stderr,"tiftoimage: Bad value for samples per pixel == %hu.\n", tiSpp);
fprintf(stderr,"\tAborting\n");
TIFFClose(tif);
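Review bot: The added samples-per-pixel diagnostic can never show the rejected value, because the previous hunk has already reset `tiSpp` to 0 (`if(tiSpp > 4) tiSpp = 0;`) before this message prints it. The `%hu` conversion also no longer matches the `uint32` declaration. In addition, the `else` binds to `if( !tiPhoto)`, so the message is suppressed whenever the photometric value is also bad. Report the value before it is cleared and make the branch independent: `if( !tiSpp) fprintf(stderr,"tiftoimage: Bad value for samples per pixel == %u.\n", tiSppOrig);`, where `tiSppOrig` is a copy taken before the reset.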
@@ -2786,8 +2799,23 @@ opj_image_t* tiftoimage(const char *filename, opj_cparameters_t *parameters)
image->y0 = (OPJ_UINT32)parameters->image_offset_y0;
image->x1 = !image->x0 ? (OPJ_UINT32)(w - 1) * (OPJ_UINT32)subsampling_dx + 1 :
image->x0 + (OPJ_UINT32)(w - 1) * (OPJ_UINT32)subsampling_dx + 1;
+ if(image->x1 <= image->x0) {
+ fprintf(stderr,"tiftoimage: Bad value for image->x1(%d) vs. "
+ "image->x0(%d)\n\tAborting.\n",image->x1,image->x0);
+ TIFFClose(tif);
+ opj_image_destroy(image);
+ return NULL;
+ }
+
image->y1 = !image->y0 ? (OPJ_UINT32)(h - 1) * (OPJ_UINT32)subsampling_dy + 1 :
image->y0 + (OPJ_UINT32)(h - 1) * (OPJ_UINT32)subsampling_dy + 1;
+ if(image->y1 <= image->y0) {
+ fprintf(stderr,"tiftoimage: Bad value for image->y1(%d) vs. "
+ "image->y0(%d)\n\tAborting.\n",image->y1,image->y0);
+ TIFFClose(tif);
+ opj_image_destroy(image);
+ return NULL;
+ }
buf = _TIFFmalloc(TIFFStripSize(tif));
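Review bot: The `image->x1 <= image->x0` and `image->y1 <= image->y0` tests detect wraparound only after the fact, and only when the wrapped result happens to land at or below the origin. A product `(w - 1) * subsampling_dx` that wraps in 32 bits and still ends above `x0` passes the check with a wrong extent. Bounding the operands first is stricter, for example `if((OPJ_UINT32)(w - 1) > (UINT_MAX - 1 - image->x0) / (OPJ_UINT32)subsampling_dx)` before the assignment, and the same for `y`. The messages print `OPJ_UINT32` fields with `%d`, and `%u` would match. Both remarks also apply to the identical checks in the hunk at -2936.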
@@ -2800,10 +2828,20 @@ opj_image_t* tiftoimage(const char *filename, opj_cparameters_t *parameters)
{
unsigned char *dat8;
int step;
- tsize_t i, ssize;
+ tmsize_t i, ssize;
ssize = TIFFReadEncodedStrip(tif, strip, buf, strip_size);
dat8 = (unsigned char*)buf;
+ ssize = TIFFReadEncodedStrip(tif, strip, buf, strip_size);
+ if(ssize < 1 || ssize > strip_size) {
+ fprintf(stderr,"tiftoimage: Bad value for ssize(%ld) "
+ "vs. strip_size(%ld).\n\tAborting.\n",ssize,strip_size);
+ _TIFFfree(buf);
+ TIFFClose(tif);
+ opj_image_destroy(image);
+ return NULL;
+ }
+
if(tiBps == 16)
{
step = 6 + has_alpha + has_alpha;
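Review bot: This hunk adds a second `ssize = TIFFReadEncodedStrip(tif, strip, buf, strip_size);` directly after the existing context line that makes the same call, so every strip is decoded twice and the first result is discarded. The added call should be dropped, leaving the new range check to follow the original read, as the parallel hunk at -2949 does. The `%ld` conversions print `tmsize_t` values, which is not `long` on every target. Casting the arguments, `(long)ssize,(long)strip_size`, keeps the format correct, and the same applies to the message in the -2949 hunk.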
@@ -2936,8 +2974,22 @@ opj_image_t* tiftoimage(const char *filename, opj_cparameters_t *parameters)
image->y0 = (OPJ_UINT32)parameters->image_offset_y0;
image->x1 = !image->x0 ? (OPJ_UINT32)(w - 1) * (OPJ_UINT32)subsampling_dx + 1 :
image->x0 + (OPJ_UINT32)(w - 1) * (OPJ_UINT32)subsampling_dx + 1;
+ if(image->x1 <= image->x0) {
+ fprintf(stderr,"tiftoimage: Bad value for image->x1(%d) vs. "
+ "image->x0(%d)\n\tAborting.\n",image->x1,image->x0);
+ TIFFClose(tif);
+ opj_image_destroy(image);
+ return NULL;
+ }
image->y1 = !image->y0 ? (OPJ_UINT32)(h - 1) * (OPJ_UINT32)subsampling_dy + 1 :
image->y0 + (OPJ_UINT32)(h - 1) * (OPJ_UINT32)subsampling_dy + 1;
+ if(image->y1 <= image->y0) {
+ fprintf(stderr,"tiftoimage: Bad value for image->y1(%d) vs. "
+ "image->y0(%d)\n\tAborting.\n",image->y1,image->y0);
+ TIFFClose(tif);
+ opj_image_destroy(image);
+ return NULL;
+ }
buf = _TIFFmalloc(TIFFStripSize(tif));
@@ -2949,12 +3001,21 @@ opj_image_t* tiftoimage(const char *filename, opj_cparameters_t *parameters)
for(strip = 0; strip < TIFFNumberOfStrips(tif); strip++)
{
unsigned char *dat8;
- tsize_t i, ssize;
+ tmsize_t i, ssize;
int step;
ssize = TIFFReadEncodedStrip(tif, strip, buf, strip_size);
dat8 = (unsigned char*)buf;
+ if(ssize < 1 || ssize > strip_size) {
+ fprintf(stderr,"tiftoimage: Bad value for ssize(%ld) "
+ "vs. strip_size(%ld).\n\tAborting.\n",ssize,strip_size);
+ _TIFFfree(buf);
+ TIFFClose(tif);
+ opj_image_destroy(image);
+ return NULL;
+ }
+
if(tiBps == 16)
{
step = 2 + has_alpha + has_alpha;
--
1.8.4.5