File openjpeg2-CVE-2017-14040.patch of Package openjpeg2.7252

Overview Repositories Revisions Requests Users Attributes Meta

File openjpeg2-CVE-2017-14040.patch of Package openjpeg2.7252

diff --git a/src/bin/jp2/convert.c b/src/bin/jp2/convert.c
index 1bae6a3..0d7d720 100644
--- a/src/bin/jp2/convert.c
+++ b/src/bin/jp2/convert.c
@@ -41,6 +41,7 @@
 #include <stdlib.h>
 #include <string.h>
 #include <ctype.h>
+#include <limits.h>
 
 #ifdef OPJ_HAVE_LIBTIFF
 #include <tiffio.h>
@@ -98,14 +99,9 @@ struct tga_header
 };
 #endif /* INFORMATION_ONLY */
 
-static unsigned short get_ushort(unsigned short val) {
-
-#ifdef OPJ_BIG_ENDIAN
-    return( ((val & 0xff) << 8) + (val >> 8) );
-#else
-    return( val );
-#endif
-
+/* Returns a ushort from a little-endian serialized value */
+static unsigned short get_tga_ushort(const unsigned char *data) {
+    return data[0] | (data[1] << 8);
 }
 
 #define TGA_HEADER_SIZE 18
@@ -132,17 +128,17 @@ static int tga_readheader(FILE *fp, unsigned int *bits_per_pixel,
     id_len = (unsigned char)tga[0];
     /*cmap_type = (unsigned char)tga[1];*/
     image_type = (unsigned char)tga[2];
-    /*cmap_index = get_ushort(*(unsigned short*)(&tga[3]));*/
-    cmap_len = get_ushort(*(unsigned short*)(&tga[5]));
+    /*cmap_index = get_tga_ushort(&tga[3]);*/
+    cmap_len = get_tga_ushort (&tga[5]);
     cmap_entry_size = (unsigned char)tga[7];
 
 
 #if 0
-    x_origin = get_ushort(*(unsigned short*)(&tga[8]));
-    y_origin = get_ushort(*(unsigned short*)(&tga[10]));
+    x_origin = get_tga_ushort(&tga[8]);
+    y_origin = get_tga_ushort(&tga[10]);
 #endif
-    image_w = get_ushort(*(unsigned short*)(&tga[12]));
-    image_h = get_ushort(*(unsigned short*)(&tga[14]));
+    image_w = get_tga_ushort(&tga[12]);
+    image_h = get_tga_ushort(&tga[14]);
     pixel_depth = (unsigned char)tga[16];
     image_desc  = (unsigned char)tga[17];
 
@@ -301,6 +297,24 @@ opj_image_t* tgatoimage(const char *filename, opj_cparameters_t *parameters) {
         color_space = OPJ_CLRSPC_SRGB;
     }
 
+    /* If the declared file size is > 10 MB, check that the file is big */
+    /* enough to avoid excessive memory allocations */
+    if (image_height != 0 && image_width > 10000000 / image_height / numcomps) {
+        char ch;
+        OPJ_UINT64 expected_file_size =
+            (OPJ_UINT64)image_width * image_height * numcomps;
+        long curpos = ftell(f);
+        if (expected_file_size > (OPJ_UINT64)INT_MAX) {
+            expected_file_size = (OPJ_UINT64)INT_MAX;
+        }
+        fseek(f, (long)expected_file_size - 1, SEEK_SET);
+        if (fread(&ch, 1, 1, f) != 1) {
+            fclose(f);
+            return NULL;
+        }
+        fseek(f, curpos, SEEK_SET);
+    }
+
     subsampling_dx = parameters->subsampling_dx;
     subsampling_dy = parameters->subsampling_dy;

Places

File openjpeg2-CVE-2017-14040.patch of Package openjpeg2.7252

Places