gnu: openjpeg: Fix CVE-2017-14164.
1 https://github.com/uclouvain/openjpeg/commit/dcac91b8c72f743bda7dbfa9032356bc8110098a.patch
2 http://openwall.com/lists/oss-security/2017/09/06/3
3
4 From dcac91b8c72f743bda7dbfa9032356bc8110098a Mon Sep 17 00:00:00 2001
5 From: Even Rouault <even.rouault@spatialys.com>
6 Date: Wed, 16 Aug 2017 17:09:10 +0200
7 Subject: [PATCH] opj_j2k_write_sot(): fix potential write heap buffer overflow
8 (#991)
9
10 ---
11 src/lib/openjp2/j2k.c | 25 ++++++++++++++++++++-----
12 1 file changed, 20 insertions(+), 5 deletions(-)
13
14 diff --git a/src/lib/openjp2/j2k.c b/src/lib/openjp2/j2k.c
15 index 54b490a8c..16915452e 100644
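--- a/src/lib/openjp2/j2k.c
+++ b/src/lib/openjp2/j2k.c
@@ -832,13 +832,15 @@ static OPJ_BOOL opj_j2k_write_tlm(opj_j2k_t *p_j2k,
 * Writes the SOT marker (Start of tile-part)
 *
 * @param p_j2k J2K codec.
- * @param p_data FIXME DOC
- * @param p_data_written FIXME DOC
+ * @param p_data Output buffer
+ * @param p_total_data_size Output buffer size
+ * @param p_data_written Number of bytes written into stream
 * @param p_stream the stream to write data to.
 * @param p_manager the user event manager.
 */
 static OPJ_BOOL opj_j2k_write_sot(opj_j2k_t *p_j2k,
 OPJ_BYTE * p_data,
+ OPJ_UINT32 p_total_data_size,
 OPJ_UINT32 * p_data_written,
 const opj_stream_private_t *p_stream,
 opj_event_mgr_t * p_manager);
@@ -4201,6 +4203,7 @@ static OPJ_BOOL opj_j2k_write_tlm(opj_j2k_t *p_j2k,
 
 static OPJ_BOOL opj_j2k_write_sot(opj_j2k_t *p_j2k,
 OPJ_BYTE * p_data,
+ OPJ_UINT32 p_total_data_size,
 OPJ_UINT32 * p_data_written,
 const opj_stream_private_t *p_stream,
 opj_event_mgr_t * p_manager
@@ -4214,6 +4217,12 @@ static OPJ_BOOL opj_j2k_write_sot(opj_j2k_t *p_j2k,
 OPJ_UNUSED(p_stream);
 OPJ_UNUSED(p_manager);
 
+ if (p_total_data_size < 12) {
+ opj_event_msg(p_manager, EVT_ERROR,
+ "Not enough bytes in output buffer to write SOT marker\n");
+ return OPJ_FALSE;
+ }
+
 opj_write_bytes(p_data, J2K_MS_SOT,
 2); /* SOT */
 p_data += 2;
@@ -11480,7 +11489,8 @@ static OPJ_BOOL opj_j2k_write_first_tile_part(opj_j2k_t *p_j2k,
 
 l_current_nb_bytes_written = 0;
 l_begin_data = p_data;
- if (! opj_j2k_write_sot(p_j2k, p_data, &l_current_nb_bytes_written, p_stream,
+ if (! opj_j2k_write_sot(p_j2k, p_data, p_total_data_size,
+ &l_current_nb_bytes_written, p_stream,
 p_manager)) {
 return OPJ_FALSE;
 }
@@ -11572,7 +11582,10 @@ static OPJ_BOOL opj_j2k_write_all_tile_parts(opj_j2k_t *p_j2k,
 l_part_tile_size = 0;
 l_begin_data = p_data;
 
- if (! opj_j2k_write_sot(p_j2k, p_data, &l_current_nb_bytes_written, p_stream,
+ if (! opj_j2k_write_sot(p_j2k, p_data,
+ p_total_data_size,
+ &l_current_nb_bytes_written,
+ p_stream,
 p_manager)) {
 return OPJ_FALSE;
 }
@@ -11615,7 +11628,9 @@ static OPJ_BOOL opj_j2k_write_all_tile_parts(opj_j2k_t *p_j2k,
 l_part_tile_size = 0;
 l_begin_data = p_data;
 
- if (! opj_j2k_write_sot(p_j2k, p_data, &l_current_nb_bytes_written, p_stream,
+ if (! opj_j2k_write_sot(p_j2k, p_data,
+ p_total_data_size,
+ &l_current_nb_bytes_written, p_stream,
 p_manager)) {
 return OPJ_FALSE;
 }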
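Review bot: The new `p_total_data_size < 12` guard in opj_j2k_write_sot() only bounds the write if each caller passes the space still remaining at `p_data`, not the size of the whole buffer. The two call sites in opj_j2k_write_all_tile_parts() sit inside code where `p_data` has presumably already advanced, and the lines that would decrement `p_total_data_size` alongside it are outside these hunks, so that pairing should be confirmed before relying on the check. The literal 12 is the SOT segment length and deserves a comment such as `/* SOT segment: marker(2) + Lsot(2) + Isot(2) + Psot(4) + TPsot(1) + TNsot(1) */`. `OPJ_UNUSED(p_manager);` directly above the check is now stale, since `p_manager` is passed to opj_event_msg(), and can be dropped. The bodies of all three functions continue outside the hunks shown.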