File openjpeg-CVE-2018-20846.patch of Package openjpeg.26661
Index: openjpeg-1.5.2/libopenjpeg/pi.c
===================================================================
--- openjpeg-1.5.2.orig/libopenjpeg/pi.c
+++ openjpeg-1.5.2/libopenjpeg/pi.c
@@ -106,6 +106,9 @@ static opj_bool pi_next_lrcp(opj_pi_iter
}
for (pi->precno = pi->poc.precno0; pi->precno < pi->poc.precno1; pi->precno++) {
index = pi->layno * pi->step_l + pi->resno * pi->step_r + pi->compno * pi->step_c + pi->precno * pi->step_p;
+ if (index >= pi->include_size) {
+ return OPJ_FALSE;
+ }
if (!pi->include[index]) {
pi->include[index] = 1;
return OPJ_TRUE;
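Review bot: The guard added in pi_next_lrcp rejects only an index past the end of the table, so a negative `index` would still reach `pi->include[index]`. `include_size` and the step fields are declared `int` in pi.h, and the sum is built from four int products; the declaration of `index` lies outside the hunk, but if it is signed, a sum that wraps negative passes `index >= pi->include_size`. I would write the check as `if (index < 0 || index >= pi->include_size) {` here and in the four identical guards added in the following hunks (pi_next_rlcp, the hunk at -234, pi_next_pcrl, pi_next_cprl). The early `return OPJ_FALSE` is also the value used when iteration ends, so a one-line comment such as `/* malformed stream: packet index outside include[] */` would help readers. The function body continues outside the hunk.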
@@ -145,6 +148,9 @@ static opj_bool pi_next_rlcp(opj_pi_iter
}
for (pi->precno = pi->poc.precno0; pi->precno < pi->poc.precno1; pi->precno++) {
index = pi->layno * pi->step_l + pi->resno * pi->step_r + pi->compno * pi->step_c + pi->precno * pi->step_p;
+ if (index >= pi->include_size) {
+ return OPJ_FALSE;
+ }
if (!pi->include[index]) {
pi->include[index] = 1;
return OPJ_TRUE;
@@ -234,6 +240,9 @@ if (!pi->tp_on){
pi->precno = prci + prcj * res->pw;
for (pi->layno = pi->poc.layno0; pi->layno < pi->poc.layno1; pi->layno++) {
index = pi->layno * pi->step_l + pi->resno * pi->step_r + pi->compno * pi->step_c + pi->precno * pi->step_p;
+ if (index >= pi->include_size) {
+ return OPJ_FALSE;
+ }
if (!pi->include[index]) {
pi->include[index] = 1;
return OPJ_TRUE;
@@ -322,6 +331,9 @@ static opj_bool pi_next_pcrl(opj_pi_iter
pi->precno = prci + prcj * res->pw;
for (pi->layno = pi->poc.layno0; pi->layno < pi->poc.layno1; pi->layno++) {
index = pi->layno * pi->step_l + pi->resno * pi->step_r + pi->compno * pi->step_c + pi->precno * pi->step_p;
+ if (index >= pi->include_size) {
+ return OPJ_FALSE;
+ }
if (!pi->include[index]) {
pi->include[index] = 1;
return OPJ_TRUE;
@@ -408,6 +420,9 @@ static opj_bool pi_next_cprl(opj_pi_iter
pi->precno = prci + prcj * res->pw;
for (pi->layno = pi->poc.layno0; pi->layno < pi->poc.layno1; pi->layno++) {
index = pi->layno * pi->step_l + pi->resno * pi->step_r + pi->compno * pi->step_c + pi->precno * pi->step_p;
+ if (index >= pi->include_size) {
+ return OPJ_FALSE;
+ }
if (!pi->include[index]) {
pi->include[index] = 1;
return OPJ_TRUE;
@@ -523,7 +538,8 @@ opj_pi_iterator_t *pi_create_decode(opj_
pi[pino].step_l = maxres * pi[pino].step_r;
if (pino == 0) {
- pi[pino].include = (short int*) opj_calloc(image->numcomps * maxres * tcp->numlayers * maxprec, sizeof(short int));
+ pi[pino].include_size = image->numcomps * maxres * tcp->numlayers * maxprec;
+ pi[pino].include = (short int*) opj_calloc(pi[pino].include_size, sizeof(short int));
if(!pi[pino].include) {
/* TODO: throw an error */
pi_destroy(pi, cp, tileno);
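Review bot: The element count stored in `pi[pino].include_size` is still computed as a four-factor product in `int`, the type the new field gets in pi.h, so values from a crafted header can overflow it before opj_calloc sees the result. The table and the bound stay consistent because both use the same variable, but signed overflow is undefined, and a wrapped positive count yields a table much smaller than the loops in the pi_next_* functions expect. A per-factor range check that fails through the existing pi_destroy path would avoid this, and the same applies to `tcp->numlayers * pi[pino].step_l` in the pi_initialise_encode hunk. The operand types and the rest of the failure path are outside the hunk, so the sketch below assumes non-negative int operands and a NULL return; please confirm both.

```c
if (pino == 0) {
    /* Multiply one factor at a time so an oversized header is refused
       before the int product can overflow. */
    int count = image->numcomps;
    if ((maxres > 0 && count > INT_MAX / maxres)
            || (tcp->numlayers > 0 && count * maxres > INT_MAX / tcp->numlayers)
            || (maxprec > 0 && count * maxres * tcp->numlayers > INT_MAX / maxprec)) {
        pi_destroy(pi, cp, tileno);
        return NULL;
    }
    pi[pino].include_size = count * maxres * tcp->numlayers * maxprec;
    pi[pino].include = (short int*) opj_calloc(pi[pino].include_size, sizeof(short int));
    /* … unchanged: NULL check on the allocation … */
```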
@@ -532,6 +548,7 @@ opj_pi_iterator_t *pi_create_decode(opj_
}
else {
pi[pino].include = pi[pino - 1].include;
+ pi[pino].include_size = pi[pino - 1].include_size;
}
if (tcp->POC == 0) {
@@ -663,7 +680,8 @@ opj_pi_iterator_t *pi_initialise_encode(
}
if (pino == 0) {
- pi[pino].include = (short int*) opj_calloc(tcp->numlayers * pi[pino].step_l, sizeof(short int));
+ pi[pino].include_size = tcp->numlayers * pi[pino].step_l;
+ pi[pino].include = (short int*) opj_calloc(pi[pino].include_size, sizeof(short int));
if(!pi[pino].include) {
pi_destroy(pi, cp, tileno);
return NULL;
@@ -671,6 +689,7 @@ opj_pi_iterator_t *pi_initialise_encode(
}
else {
pi[pino].include = pi[pino - 1].include;
+ pi[pino].include_size = pi[pino - 1].include_size;
}
/* Generation of boundaries for each prog flag*/
Index: openjpeg-1.5.2/libopenjpeg/pi.h
===================================================================
--- openjpeg-1.5.2.orig/libopenjpeg/pi.h
+++ openjpeg-1.5.2/libopenjpeg/pi.h
@@ -69,6 +69,8 @@ typedef struct opj_pi_iterator {
char tp_on;
/** precise if the packet has been already used (usefull for progression order change) */
short int *include;
+ /** Number of elements in include array */
+ int include_size;
/** layer step used to localize the packet in the include vector */
int step_l;
/** resolution step used to localize the packet in the include vector */