gnu/packages/patches/openjpeg-CVE-2017-14040.patch

   1 http://openwall.com/lists/oss-security/2017/08/28/3
   2 https://github.com/uclouvain/openjpeg/commit/2cd30c2b06ce332dede81cccad8b334cde997281.patch
   3
   4 From 2cd30c2b06ce332dede81cccad8b334cde997281 Mon Sep 17 00:00:00 2001
   5 From: Even Rouault <even.rouault@spatialys.com>
   6 Date: Thu, 17 Aug 2017 11:47:40 +0200
   7 Subject: [PATCH] tgatoimage(): avoid excessive memory allocation attempt, and
   8  fixes unaligned load (#995)
   9
  10 ---
  11  src/bin/jp2/convert.c | 39 +++++++++++++++++++++++++++------------
  12  1 file changed, 27 insertions(+), 12 deletions(-)
  13
  14 diff --git a/src/bin/jp2/convert.c b/src/bin/jp2/convert.c
  15 index a4eb81f6a..73dfc8d5f 100644
  16 --- a/src/bin/jp2/convert.c
  17 +++ b/src/bin/jp2/convert.c
  18 @@ -580,13 +580,10 @@ struct tga_header {
  19  };
  20  #endif /* INFORMATION_ONLY */
  21
  22 -static unsigned short get_ushort(const unsigned char *data)
  23 +/* Returns a ushort from a little-endian serialized value */
  24 +static unsigned short get_tga_ushort(const unsigned char *data)
  25  {
  26 -    unsigned short val = *(const unsigned short *)data;
  27 -#ifdef OPJ_BIG_ENDIAN
  28 -    val = ((val & 0xffU) << 8) | (val >> 8);
  29 -#endif
  30 -    return val;
  31 +    return data[0] | (data[1] << 8);
  32  }
  33
  34  #define TGA_HEADER_SIZE 18
  35 @@ -613,17 +610,17 @@ static int tga_readheader(FILE *fp, unsigned int *bits_per_pixel,
  36      id_len = tga[0];
  37      /*cmap_type = tga[1];*/
  38      image_type = tga[2];
  39 -    /*cmap_index = get_ushort(&tga[3]);*/
  40 -    cmap_len = get_ushort(&tga[5]);
  41 +    /*cmap_index = get_tga_ushort(&tga[3]);*/
  42 +    cmap_len = get_tga_ushort(&tga[5]);
  43      cmap_entry_size = tga[7];
  44
  45
  46  #if 0
  47 -    x_origin = get_ushort(&tga[8]);
  48 -    y_origin = get_ushort(&tga[10]);
  49 +    x_origin = get_tga_ushort(&tga[8]);
  50 +    y_origin = get_tga_ushort(&tga[10]);
  51  #endif
  52 -    image_w = get_ushort(&tga[12]);
  53 -    image_h = get_ushort(&tga[14]);
  54 +    image_w = get_tga_ushort(&tga[12]);
  55 +    image_h = get_tga_ushort(&tga[14]);
  56      pixel_depth = tga[16];
  57      image_desc  = tga[17];
  58
  59 @@ -817,6 +814,24 @@ opj_image_t* tgatoimage(const char *filename, opj_cparameters_t *parameters)
  60          color_space = OPJ_CLRSPC_SRGB;
  61      }
  62
  63 +    /* If the declared file size is > 10 MB, check that the file is big */
  64 +    /* enough to avoid excessive memory allocations */
  65 +    if (image_height != 0 && image_width > 10000000 / image_height / numcomps) {
  66 +        char ch;
  67 +        OPJ_UINT64 expected_file_size =
  68 +            (OPJ_UINT64)image_width * image_height * numcomps;
  69 +        long curpos = ftell(f);
  70 +        if (expected_file_size > (OPJ_UINT64)INT_MAX) {
  71 +            expected_file_size = (OPJ_UINT64)INT_MAX;
  72 +        }
  73 +        fseek(f, (long)expected_file_size - 1, SEEK_SET);
  74 +        if (fread(&ch, 1, 1, f) != 1) {
  75 +            fclose(f);
  76 +            return NULL;
  77 +        }
  78 +        fseek(f, curpos, SEEK_SET);
  79 +    }
  80 +
  81      subsampling_dx = parameters->subsampling_dx;
  82      subsampling_dy = parameters->subsampling_dy;
  83