1 https://github.com/uclouvain/openjpeg/commit/dcac91b8c72f743bda7dbfa9032356bc8110098a.patch
2 http://openwall.com/lists/oss-security/2017/09/06/3
4 From dcac91b8c72f743bda7dbfa9032356bc8110098a Mon Sep 17 00:00:00 2001
5 From: Even Rouault <even.rouault@spatialys.com>
6 Date: Wed, 16 Aug 2017 17:09:10 +0200
7 Subject: [PATCH] opj_j2k_write_sot(): fix potential write heap buffer overflow
11 src/lib/openjp2/j2k.c | 25 ++++++++++++++++++++-----
12 1 file changed, 20 insertions(+), 5 deletions(-)
14 diff --git a/src/lib/openjp2/j2k.c b/src/lib/openjp2/j2k.c
15 index 54b490a8c..16915452e 100644
16 --- a/src/lib/openjp2/j2k.c
17 +++ b/src/lib/openjp2/j2k.c
18 @@ -832,13 +832,15 @@ static OPJ_BOOL opj_j2k_write_tlm(opj_j2k_t *p_j2k,
19 * Writes the SOT marker (Start of tile-part)
21 * @param p_j2k J2K codec.
22 - * @param p_data FIXME DOC
23 - * @param p_data_written FIXME DOC
24 + * @param p_data Output buffer
25 + * @param p_total_data_size Output buffer size
26 + * @param p_data_written Number of bytes written into stream
27 * @param p_stream the stream to write data to.
28 * @param p_manager the user event manager.
30 static OPJ_BOOL opj_j2k_write_sot(opj_j2k_t *p_j2k,
32 + OPJ_UINT32 p_total_data_size,
33 OPJ_UINT32 * p_data_written,
34 const opj_stream_private_t *p_stream,
35 opj_event_mgr_t * p_manager);
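Review bot: The new `@param p_total_data_size Output buffer size` states a unit but not the contract the added check enforces; `* @param p_total_data_size Number of bytes available in p_data; must be at least 12 (SOT marker segment length) or the function fails` tells the caller what is actually required. The rewritten `@param p_data_written Number of bytes written into stream` is also imprecise: the function writes into `p_data` (the `opj_write_bytes(p_data, J2K_MS_SOT, ...)` call in the third hunk) and the callers advance through that buffer, so `Number of bytes written into p_data` is the accurate wording. Several lines of this hunk (page numbers 20, 29 and 31) are absent from the excerpt, so the final prototype cannot be checked here.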
36 @@ -4201,6 +4203,7 @@ static OPJ_BOOL opj_j2k_write_tlm(opj_j2k_t *p_j2k,
38 static OPJ_BOOL opj_j2k_write_sot(opj_j2k_t *p_j2k,
40 + OPJ_UINT32 p_total_data_size,
41 OPJ_UINT32 * p_data_written,
42 const opj_stream_private_t *p_stream,
43 opj_event_mgr_t * p_manager
44 @@ -4214,6 +4217,12 @@ static OPJ_BOOL opj_j2k_write_sot(opj_j2k_t *p_j2k,
46 OPJ_UNUSED(p_manager);
48 + if (p_total_data_size < 12) {
49 + opj_event_msg(p_manager, EVT_ERROR,
50 + "Not enough bytes in output buffer to write SOT marker\n");
54 opj_write_bytes(p_data, J2K_MS_SOT,
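Review bot: `OPJ_UNUSED(p_manager);` on the context line just above the new check is now stale, because the added error path calls `opj_event_msg(p_manager, ...)`; it should be dropped so the next reader is not told the parameter is unused. The literal 12 is the fixed SOT marker segment length and deserves a comment on the `if`, e.g. `/* SOT segment is 12 bytes: SOT(2)+Lsot(2)+Isot(2)+Psot(4)+TPsot(1)+TNsot(1) */`, so the bound can be audited against the writes that follow. The lines between page numbers 50 and 54 are missing from this excerpt, so the `return OPJ_FALSE;` that presumably ends the error path cannot be confirmed here; without it the write would still proceed after the message.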
57 @@ -11480,7 +11489,8 @@ static OPJ_BOOL opj_j2k_write_first_tile_part(opj_j2k_t *p_j2k,
59 l_current_nb_bytes_written = 0;
60 l_begin_data = p_data;
61 - if (! opj_j2k_write_sot(p_j2k, p_data, &l_current_nb_bytes_written, p_stream,
62 + if (! opj_j2k_write_sot(p_j2k, p_data, p_total_data_size,
63 + &l_current_nb_bytes_written, p_stream,
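Review bot: Passing `p_total_data_size` into opj_j2k_write_sot only guards the 12-byte SOT marker; the rest of the tile-part written by opj_j2k_write_first_tile_part after this call (outside the hunk) still has to be bounded by the capacity left once `l_current_nb_bytes_written` has been consumed, which this hunk does not show. If the function already reduces `p_total_data_size` as it advances `p_data`, the argument here is the right one; if not, a later write can still overrun the buffer this check was added to protect. The enclosing function starts and ends outside the hunk.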
67 @@ -11572,7 +11582,10 @@ static OPJ_BOOL opj_j2k_write_all_tile_parts(opj_j2k_t *p_j2k,
69 l_begin_data = p_data;
71 - if (! opj_j2k_write_sot(p_j2k, p_data, &l_current_nb_bytes_written, p_stream,
72 + if (! opj_j2k_write_sot(p_j2k, p_data,
74 + &l_current_nb_bytes_written,
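Review bot: The value passed as the new size argument is not in this excerpt (the line between page numbers 72 and 74 is missing), and since opj_j2k_write_all_tile_parts appears to emit several tile-parts into the same buffer (the same call is patched again in the last hunk), that argument must be the capacity remaining after the tile-parts already written, not the caller's original `p_total_data_size`, or the new check passes while the write still overruns. A one-line comment at the call, `/* size must already be reduced by the bytes consumed by earlier tile-parts */`, would make the invariant explicit for both call sites. The enclosing loop and function start and end outside the hunk.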
79 @@ -11615,7 +11628,9 @@ static OPJ_BOOL opj_j2k_write_all_tile_parts(opj_j2k_t *p_j2k,
81 l_begin_data = p_data;
83 - if (! opj_j2k_write_sot(p_j2k, p_data, &l_current_nb_bytes_written, p_stream,
84 + if (! opj_j2k_write_sot(p_j2k, p_data,
86 + &l_current_nb_bytes_written, p_stream,