File openjpeg-CVE-2018-14423.patch of Package openjpeg.26661

Index: openjpeg-1.5.2/libopenjpeg/pi.c
===================================================================
--- openjpeg-1.5.2.orig/libopenjpeg/pi.c
+++ openjpeg-1.5.2/libopenjpeg/pi.c
@@ -209,6 +209,13 @@ if (!pi->tp_on){
 					try1 = int_ceildiv(pi->ty1, comp->dy << levelno);
 					rpx = res->pdx + levelno;
 					rpy = res->pdy + levelno;
+
+					/* To avoid divisions by zero / undefined behaviour on shift */
+					if (rpx >= 31 || ((comp->dx << rpx) >> rpx) != comp->dx ||
+						rpy >= 31 || ((comp->dy << rpy) >> rpy) != comp->dy) {
+						continue;
+					}
+
 					if (!((pi->y % (comp->dy << rpy) == 0) || ((pi->y == pi->ty0) && ((try0 << levelno) % (1 << rpy))))){
 						continue;	
 					}
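Review bot: The added guard detects overflow by performing the overflowing shift: `(comp->dx << rpx) >> rpx` is itself undefined behaviour when `comp->dx` is a signed `int` and the shifted value does not fit, so a compiler may assume the comparison always holds. The field declarations are outside the hunk, so this assumes the 1.5.2 fields are signed; nothing here rejects a negative `rpx`/`rpy` either. If they are signed, compare against the limit without shifting left, e.g. `rpx < 0 || rpx >= 31 || comp->dx > (INT_MAX >> rpx)` and the same for `rpy`/`comp->dy` (this needs `<limits.h>`). The identical guard is repeated in the pi_next_pcrl and pi_next_cprl hunks, and the enclosing loop body starts and ends outside each hunk.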
@@ -290,6 +297,13 @@ static opj_bool pi_next_pcrl(opj_pi_iter
 					try1 = int_ceildiv(pi->ty1, comp->dy << levelno);
 					rpx = res->pdx + levelno;
 					rpy = res->pdy + levelno;
+
+					/* To avoid divisions by zero / undefined behaviour on shift */
+					if (rpx >= 31 || ((comp->dx << rpx) >> rpx) != comp->dx ||
+						rpy >= 31 || ((comp->dy << rpy) >> rpy) != comp->dy) {
+						continue;
+					}
+
 					if (!((pi->y % (comp->dy << rpy) == 0) || ((pi->y == pi->ty0) && ((try0 << levelno) % (1 << rpy))))){
 						continue;	
 					}
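Review bot: The context line `try1 = int_ceildiv(pi->ty1, comp->dy << levelno);` still runs ahead of the new guard, so a shift by `levelno` and a division by its result happen before anything is checked. Whether `levelno` is bounded earlier in the loop is not visible in this hunk; if it is not, a check of the same shape on `levelno` belongs before the `int_ceildiv` calls, since a shifted divisor that wraps to zero would reproduce the division by zero this patch is meant to prevent. At minimum a comment such as `/* the shifts by levelno above run before this check */` would record the ordering for the next maintainer. The same ordering appears in the first hunk and in the pi_next_cprl hunk.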
@@ -369,6 +383,13 @@ static opj_bool pi_next_cprl(opj_pi_iter
 					try1 = int_ceildiv(pi->ty1, comp->dy << levelno);
 					rpx = res->pdx + levelno;
 					rpy = res->pdy + levelno;
+
+					/* To avoid divisions by zero / undefined behaviour on shift */
+					if (rpx >= 31 || ((comp->dx << rpx) >> rpx) != comp->dx ||
+						rpy >= 31 || ((comp->dy << rpy) >> rpy) != comp->dy) {
+						continue;
+					}
+
 					if (!((pi->y % (comp->dy << rpy) == 0) || ((pi->y == pi->ty0) && ((try0 << levelno) % (1 << rpy))))){
 						continue;	
 					}