authorNatanael Copa <ncopa@alpinelinux.org>2018-11-22 15:53:10 +0000
committerNatanael Copa <ncopa@alpinelinux.org>2018-11-22 17:17:26 +0100
commitc1056d67e6379994bfff3cc8ff60b100bb94f0a0 (patch)
tree718330e86d028f88dc544e93758052390f6fde8b
parent07b44d0ab16346876de776763036d792759e63b7 (diff)
main/openjpeg: security fixes (CVE-2017-17480,CVE-2018-18088)
also remove unused patches; fixes #9681
-rw-r--r--main/openjpeg/APKBUILD12
-rw-r--r--main/openjpeg/CVE-2016-7163-1.patch33
-rw-r--r--main/openjpeg/CVE-2016-7163-2.patch26
-rw-r--r--main/openjpeg/CVE-2016-9580-9581.patch242
-rw-r--r--main/openjpeg/CVE-2017-12982.patch25
-rw-r--r--main/openjpeg/CVE-2017-14040.patch80
-rw-r--r--main/openjpeg/CVE-2017-14041.patch22
-rw-r--r--main/openjpeg/CVE-2017-14151.patch43
-rw-r--r--main/openjpeg/CVE-2017-14152.patch35
-rw-r--r--main/openjpeg/CVE-2017-14164.patch86
-rw-r--r--main/openjpeg/CVE-2017-17480.patch42
-rw-r--r--main/openjpeg/CVE-2018-18088.patch34
12 files changed, 86 insertions, 594 deletions
diff --git a/main/openjpeg/APKBUILD b/main/openjpeg/APKBUILD
index db353ad30dc..b56fefe699b 100644
--- a/main/openjpeg/APKBUILD
+++ b/main/openjpeg/APKBUILD
@@ -9,7 +9,10 @@ arch="all"
license="BSD"
makedepends="libpng-dev tiff-dev lcms2-dev doxygen cmake"
subpackages="$pkgname-dev $pkgname-tools"
-source="$pkgname-$pkgver.tar.gz::https://github.com/uclouvain/openjpeg/archive/v$pkgver.tar.gz"
+source="$pkgname-$pkgver.tar.gz::https://github.com/uclouvain/openjpeg/archive/v$pkgver.tar.gz
+ CVE-2017-17480.patch
+ CVE-2018-18088.patch
+ "
builddir="${srcdir}/$pkgname-$pkgver"
build() {
@@ -23,6 +26,9 @@ build() {
}
# secfixes:
+# 2.3.0-r1:
+# - CVE-2017-17480
+# - CVE-2018-18088
# 2.3.0-r0:
# - CVE-2017-14039
# 2.2.0-r2:
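Review bot: The new secfixes entry files CVE-2017-17480 and CVE-2018-18088 under 2.3.0-r1, but nothing in this diff touches pkgrel: the APKBUILD hunks begin at line 9, and the diffstat's 12 changed lines are fully accounted for by the three hunks shown, so pkgrel appears to be unchanged. Without a bump the rebuilt package keeps its previous release number, the secfixes entry points at a release that is never produced, and upgrades will not pull the patched build. Unless pkgrel was bumped in a separate commit, `pkgrel=1` should be set in the same change (the line lies outside this hunk) so the secfixes record and the built version agree.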
@@ -48,4 +54,6 @@ tools() {
mv "$pkgdir"/usr/bin "$subpkgdir"/usr/
}
-sha512sums="0a9d427be4a820b1d759fca4b50e293721b45fe4885aa61ca1ae09e099f75ed93520448090c780d62f51076d575cc03618cd6d5181bdb6b34e4fc07b4cfdd568 openjpeg-2.3.0.tar.gz"
+sha512sums="0a9d427be4a820b1d759fca4b50e293721b45fe4885aa61ca1ae09e099f75ed93520448090c780d62f51076d575cc03618cd6d5181bdb6b34e4fc07b4cfdd568 openjpeg-2.3.0.tar.gz
+15f4292ab6e19ecad1d47772ea28154bc7bbf9b9ba68467c5750e0c823efe3657e5973c08b81456f649fb789b6772ddaf5122f23a530ae0f6a9e5adb61c51c74 CVE-2017-17480.patch
+24b646f2b24cfbe9babe8b5c622069178998f35d0b82f5034ff12f8df5f3ffd35f4f8bcc195dfec1072d8f8847d200c3d28f689ec16f29ab9ce895dbabd044bb CVE-2018-18088.patch"
diff --git a/main/openjpeg/CVE-2016-7163-1.patch b/main/openjpeg/CVE-2016-7163-1.patch
deleted file mode 100644
index c7d277a5623..00000000000
--- a/main/openjpeg/CVE-2016-7163-1.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-From c16bc057ba3f125051c9966cf1f5b68a05681de4 Mon Sep 17 00:00:00 2001
-From: trylab <trylab@users.noreply.github.com>
-Date: Tue, 6 Sep 2016 13:55:49 +0800
-Subject: [PATCH] Fix an integer overflow issue (#809)
-
-Prevent an integer overflow issue in function opj_pi_create_decode of
-pi.c.
----
- src/lib/openjp2/pi.c | 8 +++++++-
- 1 file changed, 7 insertions(+), 1 deletion(-)
-
-diff --git a/src/lib/openjp2/pi.c b/src/lib/openjp2/pi.c
-index cffad66..36e2ff0 100644
---- a/src/lib/openjp2/pi.c
-+++ b/src/lib/openjp2/pi.c
-@@ -1237,7 +1237,13 @@ opj_pi_iterator_t *opj_pi_create_decode(opj_image_t *p_image,
- l_current_pi = l_pi;
-
- /* memory allocation for include */
-- l_current_pi->include = (OPJ_INT16*) opj_calloc((l_tcp->numlayers +1) * l_step_l, sizeof(OPJ_INT16));
-+ /* prevent an integer overflow issue */
-+ l_current_pi->include = 00;
-+ if (l_step_l <= (SIZE_MAX / (l_tcp->numlayers + 1U)))
-+ {
-+ l_current_pi->include = (OPJ_INT16*) opj_calloc((l_tcp->numlayers +1) * l_step_l, sizeof(OPJ_INT16));
-+ }
-+
- if
- (!l_current_pi->include)
- {
---
-2.10.0
-
diff --git a/main/openjpeg/CVE-2016-7163-2.patch b/main/openjpeg/CVE-2016-7163-2.patch
deleted file mode 100644
index 71af3d75618..00000000000
--- a/main/openjpeg/CVE-2016-7163-2.patch
+++ /dev/null
@@ -1,26 +0,0 @@
-From ef01f18dfc6780b776d0674ed3e7415c6ef54d24 Mon Sep 17 00:00:00 2001
-From: Matthieu Darbois <mayeut@users.noreply.github.com>
-Date: Thu, 8 Sep 2016 07:34:46 +0200
-Subject: [PATCH] Cast to size_t before multiplication
-
-Need to cast to size_t before multiplication otherwise overflow check is useless.
----
- src/lib/openjp2/pi.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/lib/openjp2/pi.c b/src/lib/openjp2/pi.c
-index 36e2ff0..809b33d 100644
---- a/src/lib/openjp2/pi.c
-+++ b/src/lib/openjp2/pi.c
-@@ -1241,7 +1241,7 @@ opj_pi_iterator_t *opj_pi_create_decode(opj_image_t *p_image,
- l_current_pi->include = 00;
- if (l_step_l <= (SIZE_MAX / (l_tcp->numlayers + 1U)))
- {
-- l_current_pi->include = (OPJ_INT16*) opj_calloc((l_tcp->numlayers +1) * l_step_l, sizeof(OPJ_INT16));
-+ l_current_pi->include = (OPJ_INT16*) opj_calloc((size_t)(l_tcp->numlayers + 1U) * l_step_l, sizeof(OPJ_INT16));
- }
-
- if
---
-2.10.0
-
diff --git a/main/openjpeg/CVE-2016-9580-9581.patch b/main/openjpeg/CVE-2016-9580-9581.patch
deleted file mode 100644
index 064e7419c34..00000000000
--- a/main/openjpeg/CVE-2016-9580-9581.patch
+++ /dev/null
@@ -1,242 +0,0 @@
-From cadff5fb6e73398de26a92e96d3d7cac893af255 Mon Sep 17 00:00:00 2001
-From: szukw000 <szukw000@arcor.de>
-Date: Fri, 9 Dec 2016 08:29:55 +0100
-Subject: [PATCH] These changes repair bugs of #871 and #872
-
----
- src/bin/jp2/converttif.c | 107 +++++++++++++++++++++++++++++++----------------
- 1 file changed, 70 insertions(+), 37 deletions(-)
-
-diff --git a/src/bin/jp2/converttif.c b/src/bin/jp2/converttif.c
-index 143d3be..c690f8b 100644
---- a/src/bin/jp2/converttif.c
-+++ b/src/bin/jp2/converttif.c
-@@ -553,20 +553,18 @@ static void tif_32sto16u(const OPJ_INT32* pSrc, OPJ_UINT16* pDst, OPJ_SIZE_T len
-
- int imagetotif(opj_image_t * image, const char *outfile)
- {
-- int width, height;
-- int bps,adjust, sgnd;
-- int tiPhoto;
-+ uint32 width, height, bps, tiPhoto;
-+ int adjust, sgnd;
- TIFF *tif;
- tdata_t buf;
-- tsize_t strip_size;
-+ tmsize_t strip_size, rowStride;
- OPJ_UINT32 i, numcomps;
-- OPJ_SIZE_T rowStride;
- OPJ_INT32* buffer32s = NULL;
- OPJ_INT32 const* planes[4];
- convert_32s_PXCX cvtPxToCx = NULL;
- convert_32sXXx_C1R cvt32sToTif = NULL;
-
-- bps = (int)image->comps[0].prec;
-+ bps = (uint32)image->comps[0].prec;
- planes[0] = image->comps[0].data;
-
- numcomps = image->numcomps;
-@@ -674,13 +672,13 @@ int imagetotif(opj_image_t * image, const char *outfile)
- break;
- }
- sgnd = (int)image->comps[0].sgnd;
-- adjust = sgnd ? 1 << (image->comps[0].prec - 1) : 0;
-- width = (int)image->comps[0].w;
-- height = (int)image->comps[0].h;
-+ adjust = sgnd ? (int)(1 << (image->comps[0].prec - 1)) : 0;
-+ width = (uint32)image->comps[0].w;
-+ height = (uint32)image->comps[0].h;
-
- TIFFSetField(tif, TIFFTAG_IMAGEWIDTH, width);
- TIFFSetField(tif, TIFFTAG_IMAGELENGTH, height);
-- TIFFSetField(tif, TIFFTAG_SAMPLESPERPIXEL, numcomps);
-+ TIFFSetField(tif, TIFFTAG_SAMPLESPERPIXEL, (uint32)numcomps);
- TIFFSetField(tif, TIFFTAG_BITSPERSAMPLE, bps);
- TIFFSetField(tif, TIFFTAG_ORIENTATION, ORIENTATION_TOPLEFT);
- TIFFSetField(tif, TIFFTAG_PLANARCONFIG, PLANARCONFIG_CONTIG);
-@@ -688,8 +686,8 @@ int imagetotif(opj_image_t * image, const char *outfile)
- TIFFSetField(tif, TIFFTAG_ROWSPERSTRIP, 1);
-
- strip_size = TIFFStripSize(tif);
-- rowStride = ((OPJ_SIZE_T)width * numcomps * (OPJ_SIZE_T)bps + 7U) / 8U;
-- if (rowStride != (OPJ_SIZE_T)strip_size) {
-+ rowStride = (width * numcomps * bps + 7U) / 8U;
-+ if (rowStride != strip_size) {
- fprintf(stderr, "Invalid TIFF strip size\n");
- TIFFClose(tif);
- return 1;
-@@ -699,7 +697,7 @@ int imagetotif(opj_image_t * image, const char *outfile)
- TIFFClose(tif);
- return 1;
- }
-- buffer32s = (OPJ_INT32 *)malloc((OPJ_SIZE_T)width * numcomps * sizeof(OPJ_INT32));
-+ buffer32s = (OPJ_INT32 *)malloc((OPJ_SIZE_T)(width * numcomps * sizeof(OPJ_INT32)));
- if (buffer32s == NULL) {
- _TIFFfree(buf);
- TIFFClose(tif);
-@@ -1211,20 +1209,19 @@ opj_image_t* tiftoimage(const char *filename, opj_cparameters_t *parameters)
- TIFF *tif;
- tdata_t buf;
- tstrip_t strip;
-- tsize_t strip_size;
-+ tmsize_t strip_size;
- int j, currentPlane, numcomps = 0, w, h;
- OPJ_COLOR_SPACE color_space = OPJ_CLRSPC_UNKNOWN;
- opj_image_cmptparm_t cmptparm[4]; /* RGBA */
- opj_image_t *image = NULL;
- int has_alpha = 0;
-- unsigned short tiBps, tiPhoto, tiSf, tiSpp, tiPC;
-- unsigned int tiWidth, tiHeight;
-+ uint32 tiBps, tiPhoto, tiSf, tiSpp, tiPC, tiWidth, tiHeight;
- OPJ_BOOL is_cinema = OPJ_IS_CINEMA(parameters->rsiz);
- convert_XXx32s_C1R cvtTifTo32s = NULL;
- convert_32s_CXPX cvtCxToPx = NULL;
- OPJ_INT32* buffer32s = NULL;
- OPJ_INT32* planes[4];
-- OPJ_SIZE_T rowStride;
-+ tmsize_t rowStride;
-
- tif = TIFFOpen(filename, "r");
-
-@@ -1243,22 +1240,35 @@ opj_image_t* tiftoimage(const char *filename, opj_cparameters_t *parameters)
- TIFFGetField(tif, TIFFTAG_SAMPLESPERPIXEL, &tiSpp);
- TIFFGetField(tif, TIFFTAG_PHOTOMETRIC, &tiPhoto);
- TIFFGetField(tif, TIFFTAG_PLANARCONFIG, &tiPC);
-- w= (int)tiWidth;
-- h= (int)tiHeight;
--
-- if(tiBps > 16U) {
-- fprintf(stderr,"tiftoimage: Bits=%d, Only 1 to 16 bits implemented\n",tiBps);
-- fprintf(stderr,"\tAborting\n");
-+
-+ if(tiSpp == 0 || tiSpp > 4) { /* should be 1 ... 4 */
-+ fprintf(stderr,"tiftoimage: Bad value for samples per pixel == %hu.\n"
-+ "\tAborting.\n", tiSpp);
-+ TIFFClose(tif);
-+ return NULL;
-+ }
-+ if(tiBps > 16U || tiBps == 0) {
-+ fprintf(stderr,"tiftoimage: Bad values for Bits == %d.\n"
-+ "\tMax. 16 Bits are allowed here.\n\tAborting.\n",tiBps);
- TIFFClose(tif);
- return NULL;
- }
- if(tiPhoto != PHOTOMETRIC_MINISBLACK && tiPhoto != PHOTOMETRIC_RGB) {
-- fprintf(stderr,"tiftoimage: Bad color format %d.\n\tOnly RGB(A) and GRAY(A) has been implemented\n",(int) tiPhoto);
-+ fprintf(stderr,"tiftoimage: Bad color format %d.\n"
-+ "\tOnly RGB(A) and GRAY(A) has been implemented\n",(int) tiPhoto);
- fprintf(stderr,"\tAborting\n");
- TIFFClose(tif);
- return NULL;
- }
--
-+ if(tiWidth == 0 || tiHeight == 0) {
-+ fprintf(stderr,"tiftoimage: Bad values for width(%u) "
-+ "and/or height(%u)\n\tAborting.\n",tiWidth,tiHeight);
-+ TIFFClose(tif);
-+ return NULL;
-+ }
-+ w= (int)tiWidth;
-+ h= (int)tiHeight;
-+
- switch (tiBps) {
- case 1:
- case 2:
-@@ -1312,7 +1322,7 @@ opj_image_t* tiftoimage(const char *filename, opj_cparameters_t *parameters)
-
- TIFFGetFieldDefaulted(tif, TIFFTAG_EXTRASAMPLES,
- &extrasamples, &sampleinfo);
--
-+
- if(extrasamples >= 1)
- {
- switch(sampleinfo[0])
-@@ -1333,7 +1343,7 @@ opj_image_t* tiftoimage(const char *filename, opj_cparameters_t *parameters)
- else /* extrasamples == 0 */
- if(tiSpp == 4 || tiSpp == 2) has_alpha = 1;
- }
--
-+
- /* initialize image components */
- memset(&cmptparm[0], 0, 4 * sizeof(opj_image_cmptparm_t));
-
-@@ -1346,7 +1356,7 @@ opj_image_t* tiftoimage(const char *filename, opj_cparameters_t *parameters)
- } else {
- is_cinema = 0U;
- }
--
-+
- if(tiPhoto == PHOTOMETRIC_RGB) /* RGB(A) */
- {
- numcomps = 3 + has_alpha;
-@@ -1384,10 +1394,24 @@ opj_image_t* tiftoimage(const char *filename, opj_cparameters_t *parameters)
- image->x0 = (OPJ_UINT32)parameters->image_offset_x0;
- image->y0 = (OPJ_UINT32)parameters->image_offset_y0;
- image->x1 = !image->x0 ? (OPJ_UINT32)(w - 1) * (OPJ_UINT32)subsampling_dx + 1 :
-- image->x0 + (OPJ_UINT32)(w - 1) * (OPJ_UINT32)subsampling_dx + 1;
-+ image->x0 + (OPJ_UINT32)(w - 1) * (OPJ_UINT32)subsampling_dx + 1;
-+ if(image->x1 <= image->x0) {
-+ fprintf(stderr,"tiftoimage: Bad value for image->x1(%d) vs. "
-+ "image->x0(%d)\n\tAborting.\n",image->x1,image->x0);
-+ TIFFClose(tif);
-+ opj_image_destroy(image);
-+ return NULL;
-+ }
- image->y1 = !image->y0 ? (OPJ_UINT32)(h - 1) * (OPJ_UINT32)subsampling_dy + 1 :
-- image->y0 + (OPJ_UINT32)(h - 1) * (OPJ_UINT32)subsampling_dy + 1;
--
-+ image->y0 + (OPJ_UINT32)(h - 1) * (OPJ_UINT32)subsampling_dy + 1;
-+ if(image->y1 <= image->y0) {
-+ fprintf(stderr,"tiftoimage: Bad value for image->y1(%d) vs. "
-+ "image->y0(%d)\n\tAborting.\n",image->y1,image->y0);
-+ TIFFClose(tif);
-+ opj_image_destroy(image);
-+ return NULL;
-+ }
-+
- for(j = 0; j < numcomps; j++)
- {
- planes[j] = image->comps[j].data;
-@@ -1395,15 +1419,15 @@ opj_image_t* tiftoimage(const char *filename, opj_cparameters_t *parameters)
- image->comps[numcomps - 1].alpha = (OPJ_UINT16)(1 - (numcomps & 1));
-
- strip_size = TIFFStripSize(tif);
--
-+
- buf = _TIFFmalloc(strip_size);
- if (buf == NULL) {
- TIFFClose(tif);
- opj_image_destroy(image);
- return NULL;
- }
-- rowStride = ((OPJ_SIZE_T)w * tiSpp * tiBps + 7U) / 8U;
-- buffer32s = (OPJ_INT32 *)malloc((OPJ_SIZE_T)w * tiSpp * sizeof(OPJ_INT32));
-+ rowStride = (w * tiSpp * tiBps + 7U) / 8U;
-+ buffer32s = (OPJ_INT32 *)malloc((OPJ_SIZE_T)(w * tiSpp * sizeof(OPJ_INT32)));
- if (buffer32s == NULL) {
- _TIFFfree(buf);
- TIFFClose(tif);
-@@ -1421,11 +1445,20 @@ opj_image_t* tiftoimage(const char *filename, opj_cparameters_t *parameters)
- for(; (h > 0) && (strip < TIFFNumberOfStrips(tif)); strip++)
- {
- const OPJ_UINT8 *dat8;
-- OPJ_SIZE_T ssize;
-+ tmsize_t ssize;
-
-- ssize = (OPJ_SIZE_T)TIFFReadEncodedStrip(tif, strip, buf, strip_size);
-+ ssize = TIFFReadEncodedStrip(tif, strip, buf, strip_size);
-+ if(ssize < 1 || ssize > strip_size) {
-+ fprintf(stderr,"tiftoimage: Bad value for ssize(%ld) "
-+ "vs. strip_size(%ld).\n\tAborting.\n",ssize,strip_size);
-+ _TIFFfree(buf);
-+ _TIFFfree(buffer32s);
-+ TIFFClose(tif);
-+ opj_image_destroy(image);
-+ return NULL;
-+ }
- dat8 = (const OPJ_UINT8*)buf;
--
-+
- while (ssize >= rowStride) {
- cvtTifTo32s(dat8, buffer32s, (OPJ_SIZE_T)w * tiSpp);
- cvtCxToPx(buffer32s, planes, (OPJ_SIZE_T)w);
diff --git a/main/openjpeg/CVE-2017-12982.patch b/main/openjpeg/CVE-2017-12982.patch
deleted file mode 100644
index 724cf602d1c..00000000000
--- a/main/openjpeg/CVE-2017-12982.patch
+++ /dev/null
@@ -1,25 +0,0 @@
-From baf0c1ad4572daa89caa3b12985bdd93530f0dd7 Mon Sep 17 00:00:00 2001
-From: Even Rouault <even.rouault@spatialys.com>
-Date: Mon, 14 Aug 2017 17:26:58 +0200
-Subject: [PATCH] bmp_read_info_header(): reject bmp files with biBitCount == 0
- (#983)
-
----
- src/bin/jp2/convertbmp.c | 4 ++++
- 1 file changed, 4 insertions(+)
-
-diff --git a/src/bin/jp2/convertbmp.c b/src/bin/jp2/convertbmp.c
-index b49e7a080..2715fdf24 100644
---- a/src/bin/jp2/convertbmp.c
-+++ b/src/bin/jp2/convertbmp.c
-@@ -392,6 +392,10 @@ static OPJ_BOOL bmp_read_info_header(FILE* IN, OPJ_BITMAPINFOHEADER* header)
-
- header->biBitCount = (OPJ_UINT16)getc(IN);
- header->biBitCount |= (OPJ_UINT16)((OPJ_UINT32)getc(IN) << 8);
-+ if (header->biBitCount == 0) {
-+ fprintf(stderr, "Error, invalid biBitCount %d\n", 0);
-+ return OPJ_FALSE;
-+ }
-
- if (header->biSize >= 40U) {
- header->biCompression = (OPJ_UINT32)getc(IN);
diff --git a/main/openjpeg/CVE-2017-14040.patch b/main/openjpeg/CVE-2017-14040.patch
deleted file mode 100644
index dd9183dad1a..00000000000
--- a/main/openjpeg/CVE-2017-14040.patch
+++ /dev/null
@@ -1,80 +0,0 @@
-From 2cd30c2b06ce332dede81cccad8b334cde997281 Mon Sep 17 00:00:00 2001
-From: Even Rouault <even.rouault@spatialys.com>
-Date: Thu, 17 Aug 2017 11:47:40 +0200
-Subject: [PATCH] tgatoimage(): avoid excessive memory allocation attempt, and
- fixes unaligned load (#995)
-
----
- src/bin/jp2/convert.c | 39 +++++++++++++++++++++++++++------------
- 1 file changed, 27 insertions(+), 12 deletions(-)
-
-diff --git a/src/bin/jp2/convert.c b/src/bin/jp2/convert.c
-index a4eb81f6a..73dfc8d5f 100644
---- a/src/bin/jp2/convert.c
-+++ b/src/bin/jp2/convert.c
-@@ -580,13 +580,10 @@ struct tga_header {
- };
- #endif /* INFORMATION_ONLY */
-
--static unsigned short get_ushort(const unsigned char *data)
-+/* Returns a ushort from a little-endian serialized value */
-+static unsigned short get_tga_ushort(const unsigned char *data)
- {
-- unsigned short val = *(const unsigned short *)data;
--#ifdef OPJ_BIG_ENDIAN
-- val = ((val & 0xffU) << 8) | (val >> 8);
--#endif
-- return val;
-+ return data[0] | (data[1] << 8);
- }
-
- #define TGA_HEADER_SIZE 18
-@@ -613,17 +610,17 @@ static int tga_readheader(FILE *fp, unsigned int *bits_per_pixel,
- id_len = tga[0];
- /*cmap_type = tga[1];*/
- image_type = tga[2];
-- /*cmap_index = get_ushort(&tga[3]);*/
-- cmap_len = get_ushort(&tga[5]);
-+ /*cmap_index = get_tga_ushort(&tga[3]);*/
-+ cmap_len = get_tga_ushort(&tga[5]);
- cmap_entry_size = tga[7];
-
-
- #if 0
-- x_origin = get_ushort(&tga[8]);
-- y_origin = get_ushort(&tga[10]);
-+ x_origin = get_tga_ushort(&tga[8]);
-+ y_origin = get_tga_ushort(&tga[10]);
- #endif
-- image_w = get_ushort(&tga[12]);
-- image_h = get_ushort(&tga[14]);
-+ image_w = get_tga_ushort(&tga[12]);
-+ image_h = get_tga_ushort(&tga[14]);
- pixel_depth = tga[16];
- image_desc = tga[17];
-
-@@ -817,6 +814,24 @@ opj_image_t* tgatoimage(const char *filename, opj_cparameters_t *parameters)
- color_space = OPJ_CLRSPC_SRGB;
- }
-
-+ /* If the declared file size is > 10 MB, check that the file is big */
-+ /* enough to avoid excessive memory allocations */
-+ if (image_height != 0 && image_width > 10000000 / image_height / numcomps) {
-+ char ch;
-+ OPJ_UINT64 expected_file_size =
-+ (OPJ_UINT64)image_width * image_height * numcomps;
-+ long curpos = ftell(f);
-+ if (expected_file_size > (OPJ_UINT64)INT_MAX) {
-+ expected_file_size = (OPJ_UINT64)INT_MAX;
-+ }
-+ fseek(f, (long)expected_file_size - 1, SEEK_SET);
-+ if (fread(&ch, 1, 1, f) != 1) {
-+ fclose(f);
-+ return NULL;
-+ }
-+ fseek(f, curpos, SEEK_SET);
-+ }
-+
- subsampling_dx = parameters->subsampling_dx;
- subsampling_dy = parameters->subsampling_dy;
-
diff --git a/main/openjpeg/CVE-2017-14041.patch b/main/openjpeg/CVE-2017-14041.patch
deleted file mode 100644
index ebfe1ad27f1..00000000000
--- a/main/openjpeg/CVE-2017-14041.patch
+++ /dev/null
@@ -1,22 +0,0 @@
-From e5285319229a5d77bf316bb0d3a6cbd3cb8666d9 Mon Sep 17 00:00:00 2001
-From: Even Rouault <even.rouault@spatialys.com>
-Date: Fri, 18 Aug 2017 13:39:20 +0200
-Subject: [PATCH] pgxtoimage(): fix write stack buffer overflow (#997)
-
----
- src/bin/jp2/convert.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/bin/jp2/convert.c b/src/bin/jp2/convert.c
-index 5459f7d44..e606c9be7 100644
---- a/src/bin/jp2/convert.c
-+++ b/src/bin/jp2/convert.c
-@@ -1185,7 +1185,7 @@ opj_image_t* pgxtoimage(const char *filename, opj_cparameters_t *parameters)
- }
-
- fseek(f, 0, SEEK_SET);
-- if (fscanf(f, "PG%[ \t]%c%c%[ \t+-]%d%[ \t]%d%[ \t]%d", temp, &endian1,
-+ if (fscanf(f, "PG%31[ \t]%c%c%31[ \t+-]%d%31[ \t]%d%31[ \t]%d", temp, &endian1,
- &endian2, signtmp, &prec, temp, &w, temp, &h) != 9) {
- fclose(f);
- fprintf(stderr,
diff --git a/main/openjpeg/CVE-2017-14151.patch b/main/openjpeg/CVE-2017-14151.patch
deleted file mode 100644
index c8a1fd65f1a..00000000000
--- a/main/openjpeg/CVE-2017-14151.patch
+++ /dev/null
@@ -1,43 +0,0 @@
-From afb308b9ccbe129608c9205cf3bb39bbefad90b9 Mon Sep 17 00:00:00 2001
-From: Even Rouault <even.rouault@spatialys.com>
-Date: Mon, 14 Aug 2017 17:20:37 +0200
-Subject: [PATCH] Encoder: grow buffer size in
- opj_tcd_code_block_enc_allocate_data() to avoid write heap buffer overflow in
- opj_mqc_flush (#982)
-
----
- src/lib/openjp2/tcd.c | 7 +++++--
- tests/nonregression/test_suite.ctest.in | 2 ++
- 2 files changed, 7 insertions(+), 2 deletions(-)
-
-diff --git a/src/lib/openjp2/tcd.c b/src/lib/openjp2/tcd.c
-index 301c7213e..53cdcf64d 100644
---- a/src/lib/openjp2/tcd.c
-+++ b/src/lib/openjp2/tcd.c
-@@ -1187,8 +1187,11 @@ static OPJ_BOOL opj_tcd_code_block_enc_allocate_data(opj_tcd_cblk_enc_t *
- {
- OPJ_UINT32 l_data_size;
-
-- /* The +1 is needed for https://github.com/uclouvain/openjpeg/issues/835 */
-- l_data_size = 1 + (OPJ_UINT32)((p_code_block->x1 - p_code_block->x0) *
-+ /* +1 is needed for https://github.com/uclouvain/openjpeg/issues/835 */
-+ /* and actually +2 required for https://github.com/uclouvain/openjpeg/issues/982 */
-+ /* TODO: is there a theoretical upper-bound for the compressed code */
-+ /* block size ? */
-+ l_data_size = 2 + (OPJ_UINT32)((p_code_block->x1 - p_code_block->x0) *
- (p_code_block->y1 - p_code_block->y0) * (OPJ_INT32)sizeof(OPJ_UINT32));
-
- if (l_data_size > p_code_block->data_size) {
-diff --git a/tests/nonregression/test_suite.ctest.in b/tests/nonregression/test_suite.ctest.in
-index aaf40d7d0..ffd964c2a 100644
---- a/tests/nonregression/test_suite.ctest.in
-+++ b/tests/nonregression/test_suite.ctest.in
-@@ -169,6 +169,8 @@ opj_compress -i @INPUT_NR_PATH@/Bretagne2.ppm -o @TEMP_PATH@/Bretagne2_empty_ban
- # Same rate as Bretagne2_4.j2k
- opj_compress -i @INPUT_NR_PATH@/Bretagne2.ppm -o @TEMP_PATH@/Bretagne2_empty_band_r800.j2k -t 2591,1943 -n 2 -r 800
-
-+opj_compress -i @INPUT_NR_PATH@/issue982.bmp -o @TEMP_PATH@/issue982.j2k -n 1
-+
- # DECODER TEST SUITE
- opj_decompress -i @INPUT_NR_PATH@/Bretagne2.j2k -o @TEMP_PATH@/Bretagne2.j2k.pgx
- opj_decompress -i @INPUT_NR_PATH@/_00042.j2k -o @TEMP_PATH@/_00042.j2k.pgx
diff --git a/main/openjpeg/CVE-2017-14152.patch b/main/openjpeg/CVE-2017-14152.patch
deleted file mode 100644
index d165090a1a7..00000000000
--- a/main/openjpeg/CVE-2017-14152.patch
+++ /dev/null
@@ -1,35 +0,0 @@
-From 4241ae6fbbf1de9658764a80944dc8108f2b4154 Mon Sep 17 00:00:00 2001
-From: Even Rouault <even.rouault@spatialys.com>
-Date: Tue, 15 Aug 2017 11:55:58 +0200
-Subject: [PATCH] Fix assertion in debug mode / heap-based buffer overflow in
- opj_write_bytes_LE for Cinema profiles with numresolutions = 1 (#985)
-
----
- src/lib/openjp2/j2k.c | 14 ++++++++++----
- 1 file changed, 10 insertions(+), 4 deletions(-)
-
-diff --git a/src/lib/openjp2/j2k.c b/src/lib/openjp2/j2k.c
-index a2521ebbc..54b490a8c 100644
---- a/src/lib/openjp2/j2k.c
-+++ b/src/lib/openjp2/j2k.c
-@@ -6573,10 +6573,16 @@ static void opj_j2k_set_cinema_parameters(opj_cparameters_t *parameters,
-
- /* Precincts */
- parameters->csty |= 0x01;
-- parameters->res_spec = parameters->numresolution - 1;
-- for (i = 0; i < parameters->res_spec; i++) {
-- parameters->prcw_init[i] = 256;
-- parameters->prch_init[i] = 256;
-+ if (parameters->numresolution == 1) {
-+ parameters->res_spec = 1;
-+ parameters->prcw_init[0] = 128;
-+ parameters->prch_init[0] = 128;
-+ } else {
-+ parameters->res_spec = parameters->numresolution - 1;
-+ for (i = 0; i < parameters->res_spec; i++) {
-+ parameters->prcw_init[i] = 256;
-+ parameters->prch_init[i] = 256;
-+ }
- }
-
- /* The progression order shall be CPRL */
diff --git a/main/openjpeg/CVE-2017-14164.patch b/main/openjpeg/CVE-2017-14164.patch
deleted file mode 100644
index a61b0151803..00000000000
--- a/main/openjpeg/CVE-2017-14164.patch
+++ /dev/null
@@ -1,86 +0,0 @@
-From dcac91b8c72f743bda7dbfa9032356bc8110098a Mon Sep 17 00:00:00 2001
-From: Even Rouault <even.rouault@spatialys.com>
-Date: Wed, 16 Aug 2017 17:09:10 +0200
-Subject: [PATCH] opj_j2k_write_sot(): fix potential write heap buffer overflow
- (#991)
-
----
- src/lib/openjp2/j2k.c | 25 ++++++++++++++++++++-----
- 1 file changed, 20 insertions(+), 5 deletions(-)
-
-diff --git a/src/lib/openjp2/j2k.c b/src/lib/openjp2/j2k.c
-index 54b490a8c..16915452e 100644
---- a/src/lib/openjp2/j2k.c
-+++ b/src/lib/openjp2/j2k.c
-@@ -832,13 +832,15 @@ static OPJ_BOOL opj_j2k_write_tlm(opj_j2k_t *p_j2k,
- * Writes the SOT marker (Start of tile-part)
- *
- * @param p_j2k J2K codec.
-- * @param p_data FIXME DOC
-- * @param p_data_written FIXME DOC
-+ * @param p_data Output buffer
-+ * @param p_total_data_size Output buffer size
-+ * @param p_data_written Number of bytes written into stream
- * @param p_stream the stream to write data to.
- * @param p_manager the user event manager.
- */
- static OPJ_BOOL opj_j2k_write_sot(opj_j2k_t *p_j2k,
- OPJ_BYTE * p_data,
-+ OPJ_UINT32 p_total_data_size,
- OPJ_UINT32 * p_data_written,
- const opj_stream_private_t *p_stream,
- opj_event_mgr_t * p_manager);
-@@ -4201,6 +4203,7 @@ static OPJ_BOOL opj_j2k_write_tlm(opj_j2k_t *p_j2k,
-
- static OPJ_BOOL opj_j2k_write_sot(opj_j2k_t *p_j2k,
- OPJ_BYTE * p_data,
-+ OPJ_UINT32 p_total_data_size,
- OPJ_UINT32 * p_data_written,
- const opj_stream_private_t *p_stream,
- opj_event_mgr_t * p_manager
-@@ -4214,6 +4217,12 @@ static OPJ_BOOL opj_j2k_write_sot(opj_j2k_t *p_j2k,
- OPJ_UNUSED(p_stream);
- OPJ_UNUSED(p_manager);
-
-+ if (p_total_data_size < 12) {
-+ opj_event_msg(p_manager, EVT_ERROR,
-+ "Not enough bytes in output buffer to write SOT marker\n");
-+ return OPJ_FALSE;
-+ }
-+
- opj_write_bytes(p_data, J2K_MS_SOT,
- 2); /* SOT */
- p_data += 2;
-@@ -11480,7 +11489,8 @@ static OPJ_BOOL opj_j2k_write_first_tile_part(opj_j2k_t *p_j2k,
-
- l_current_nb_bytes_written = 0;
- l_begin_data = p_data;
-- if (! opj_j2k_write_sot(p_j2k, p_data, &l_current_nb_bytes_written, p_stream,
-+ if (! opj_j2k_write_sot(p_j2k, p_data, p_total_data_size,
-+ &l_current_nb_bytes_written, p_stream,
- p_manager)) {
- return OPJ_FALSE;
- }
-@@ -11572,7 +11582,10 @@ static OPJ_BOOL opj_j2k_write_all_tile_parts(opj_j2k_t *p_j2k,
- l_part_tile_size = 0;
- l_begin_data = p_data;
-
-- if (! opj_j2k_write_sot(p_j2k, p_data, &l_current_nb_bytes_written, p_stream,
-+ if (! opj_j2k_write_sot(p_j2k, p_data,
-+ p_total_data_size,
-+ &l_current_nb_bytes_written,
-+ p_stream,
- p_manager)) {
- return OPJ_FALSE;
- }
-@@ -11615,7 +11628,9 @@ static OPJ_BOOL opj_j2k_write_all_tile_parts(opj_j2k_t *p_j2k,
- l_part_tile_size = 0;
- l_begin_data = p_data;
-
-- if (! opj_j2k_write_sot(p_j2k, p_data, &l_current_nb_bytes_written, p_stream,
-+ if (! opj_j2k_write_sot(p_j2k, p_data,
-+ p_total_data_size,
-+ &l_current_nb_bytes_written, p_stream,
- p_manager)) {
- return OPJ_FALSE;
- }
diff --git a/main/openjpeg/CVE-2017-17480.patch b/main/openjpeg/CVE-2017-17480.patch
new file mode 100644
index 00000000000..032315c1d22
--- /dev/null
+++ b/main/openjpeg/CVE-2017-17480.patch
@@ -0,0 +1,42 @@
+From 0bc90e4062a5f9258c91eca018c019b179066c62 Mon Sep 17 00:00:00 2001
+From: Hugo Lefeuvre <hle@debian.org>
+Date: Mon, 22 Oct 2018 16:59:41 +0200
+Subject: [PATCH] jp3d/jpwl convert: fix write stack buffer overflow
+
+Missing buffer length formatter in fscanf call might lead to write
+stack buffer overflow.
+
+fixes #1044 (CVE-2017-17480)
+---
+ src/bin/jp3d/convert.c | 4 ++--
+ src/bin/jpwl/convert.c | 2 +-
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/src/bin/jp3d/convert.c b/src/bin/jp3d/convert.c
+index 23fd70b04..acad8f82a 100644
+--- a/src/bin/jp3d/convert.c
++++ b/src/bin/jp3d/convert.c
+@@ -297,8 +297,8 @@ opj_volume_t* pgxtovolume(char *relpath, opj_cparameters_t *parameters)
+ fprintf(stdout, "[INFO] Loading %s \n", pgxfiles[pos]);
+
+ fseek(f, 0, SEEK_SET);
+- fscanf(f, "PG%[ \t]%c%c%[ \t+-]%d%[ \t]%d%[ \t]%d", temp, &endian1, &endian2,
+- signtmp, &prec, temp, &w, temp, &h);
++ fscanf(f, "PG%31[ \t]%c%c%31[ \t+-]%d%31[ \t]%d%31[ \t]%d", temp, &endian1,
++ &endian2, signtmp, &prec, temp, &w, temp, &h);
+
+ i = 0;
+ sign = '+';
+diff --git a/src/bin/jpwl/convert.c b/src/bin/jpwl/convert.c
+index f3bb670b0..73c1be729 100644
+--- a/src/bin/jpwl/convert.c
++++ b/src/bin/jpwl/convert.c
+@@ -1349,7 +1349,7 @@ opj_image_t* pgxtoimage(const char *filename, opj_cparameters_t *parameters)
+ }
+
+ fseek(f, 0, SEEK_SET);
+- if (fscanf(f, "PG%[ \t]%c%c%[ \t+-]%d%[ \t]%d%[ \t]%d", temp, &endian1,
++ if (fscanf(f, "PG%31[ \t]%c%c%31[ \t+-]%d%31[ \t]%d%31[ \t]%d", temp, &endian1,
+ &endian2, signtmp, &prec, temp, &w, temp, &h) != 9) {
+ fprintf(stderr,
+ "ERROR: Failed to read the right number of element from the fscanf() function!\n");
diff --git a/main/openjpeg/CVE-2018-18088.patch b/main/openjpeg/CVE-2018-18088.patch
new file mode 100644
index 00000000000..e6927dc904b
--- /dev/null
+++ b/main/openjpeg/CVE-2018-18088.patch
@@ -0,0 +1,34 @@
+From cab352e249ed3372dd9355c85e837613fff98fa2 Mon Sep 17 00:00:00 2001
+From: Hugo Lefeuvre <hle@debian.org>
+Date: Wed, 7 Nov 2018 18:48:29 +0100
+Subject: [PATCH] jp2: convert: fix null pointer dereference
+
+Tile components in a JP2 image might have null data pointer by defining a
+zero component size (for example using large horizontal or vertical
+sampling periods). This null data pointer leads to null image component
+data pointer, causing crash when dereferenced without != null check in
+imagetopnm.
+
+Add != null check.
+
+This commit addresses #1152 (CVE-2018-18088).
+---
+ src/bin/jp2/convert.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/src/bin/jp2/convert.c b/src/bin/jp2/convert.c
+index fa02e31c5..e670cd82f 100644
+--- a/src/bin/jp2/convert.c
++++ b/src/bin/jp2/convert.c
+@@ -2233,6 +2233,11 @@ int imagetopnm(opj_image_t * image, const char *outfile, int force_split)
+ opj_version(), wr, hr, max);
+
+ red = image->comps[compno].data;
++ if (!red) {
++ fclose(fdest);
++ continue;
++ }
++
+ adjustR =
+ (image->comps[compno].sgnd ? 1 << (image->comps[compno].prec - 1) : 0);
+