main/openjpeg: security fixes (CVE-2016-9580, CVE-2016-9581). Fixes #6564

author: Francesco Colista <fcolista@alpinelinux.org> 2016-12-21 15:44:10 +0000
committer: Francesco Colista <fcolista@alpinelinux.org> 2016-12-21 15:44:10 +0000
commit: 91f0ed50281f76fcbbc7760fd7617e01b9a50c47 (patch)
tree: abc3d2cb26df78a868ff7f882a111a0220835924
parent: 1652fa54e02fa1bde13cb2965e69c57a9963b128 (diff)
2 files changed, 256 insertions, 5 deletions
diff --git a/main/openjpeg/APKBUILD b/main/openjpeg/APKBUILD
index 790da360654..f9c374e7bfe 100644
--- a/main/openjpeg/APKBUILD
+++ b/main/openjpeg/APKBUILD
@@ -2,7 +2,7 @@
 # Maintainer: Francesco Colista <fcolista@alpinelinux.org>
 pkgname=openjpeg
 pkgver=2.1.2
-pkgrel=0
+pkgrel=1
 pkgdesc="Open-source implementation of JPEG2000 image codec"
 url="http://www.openjpeg.org/"
 arch="all"
@@ -12,7 +12,8 @@ depends_dev=""
 makedepends="$depends_dev libpng-dev tiff-dev lcms-dev doxygen cmake"
 install=""
 subpackages="$pkgname-dev $pkgname-tools"
-source="$pkgname-$pkgver.tar.gz::https://github.com/uclouvain/openjpeg/archive/v$pkgver.tar.gz"
+source="$pkgname-$pkgver.tar.gz::https://github.com/uclouvain/openjpeg/archive/v$pkgver.tar.gz
+CVE-2016-9580-9581.patch"
 builddir="${srcdir}/$pkgname-$pkgver"
 
 build() {
@@ -26,6 +27,11 @@ build() {
 	make || return 1
 }
 
+# secfixes:
+#   2.1.2-r1:
+#     - CVE-2016-9580
+#     - CVE-2016-9581
+
 package() {
 	cd "$builddir"
 	make DESTDIR="$pkgdir" install || return 1
@@ -37,6 +43,9 @@ tools() {
 	mv "$pkgdir"/usr/bin "$subpkgdir"/usr/
 }
 
-md5sums="40a7bfdcc66280b3c1402a0eb1a27624  openjpeg-2.1.2.tar.gz"
-sha256sums="4ce77b6ef538ef090d9bde1d5eeff8b3069ab56c4906f083475517c2c023dfa7  openjpeg-2.1.2.tar.gz"
-sha512sums="411067e33c8e4da9921d0281e932a4ac2af592cf822bfad828daea9e2b9c414859455bcec6d912ce76460ea462fa4cbd94a401333bda5716ec017d18b8e5942c  openjpeg-2.1.2.tar.gz"
+md5sums="40a7bfdcc66280b3c1402a0eb1a27624  openjpeg-2.1.2.tar.gz
+a5971d486b670e76d5e473ff15e65405  CVE-2016-9580-9581.patch"
+sha256sums="4ce77b6ef538ef090d9bde1d5eeff8b3069ab56c4906f083475517c2c023dfa7  openjpeg-2.1.2.tar.gz
+e352e9480925a31804d965c673545eeaa32d0a47605abaaa09b515ca956058ba  CVE-2016-9580-9581.patch"
+sha512sums="411067e33c8e4da9921d0281e932a4ac2af592cf822bfad828daea9e2b9c414859455bcec6d912ce76460ea462fa4cbd94a401333bda5716ec017d18b8e5942c  openjpeg-2.1.2.tar.gz
+bffe1126c18296fdc1e7f98437e2b468b8b16c4903d504dc9abf24a9b8e02f18e86200038c5a59c061c40d41b42f6b378776ed0040559bb362a3a592928941d7  CVE-2016-9580-9581.patch"
diff --git a/main/openjpeg/CVE-2016-9580-9581.patch b/main/openjpeg/CVE-2016-9580-9581.patch
new file mode 100644
index 00000000000..064e7419c34
--- /dev/null
+++ b/main/openjpeg/CVE-2016-9580-9581.patch
@@ -0,0 +1,242 @@
+From cadff5fb6e73398de26a92e96d3d7cac893af255 Mon Sep 17 00:00:00 2001
+From: szukw000 <szukw000@arcor.de>
+Date: Fri, 9 Dec 2016 08:29:55 +0100
+Subject: [PATCH] These changes repair bugs of #871 and #872
+
+---
+ src/bin/jp2/converttif.c | 107 +++++++++++++++++++++++++++++++----------------
+ 1 file changed, 70 insertions(+), 37 deletions(-)
+
+diff --git a/src/bin/jp2/converttif.c b/src/bin/jp2/converttif.c
+index 143d3be..c690f8b 100644
+--- a/src/bin/jp2/converttif.c
++++ b/src/bin/jp2/converttif.c
+@@ -553,20 +553,18 @@ static void tif_32sto16u(const OPJ_INT32* pSrc, OPJ_UINT16* pDst, OPJ_SIZE_T len
+ 
+ int imagetotif(opj_image_t * image, const char *outfile)
+ {
+-	int width, height;
+-	int bps,adjust, sgnd;
+-	int tiPhoto;
++	uint32 width, height, bps, tiPhoto;
++	int adjust, sgnd;
+ 	TIFF *tif;
+ 	tdata_t buf;
+-	tsize_t strip_size;
++	tmsize_t strip_size, rowStride;
+ 	OPJ_UINT32 i, numcomps;
+-	OPJ_SIZE_T rowStride;
+ 	OPJ_INT32* buffer32s = NULL;
+ 	OPJ_INT32 const* planes[4];
+ 	convert_32s_PXCX cvtPxToCx = NULL;
+ 	convert_32sXXx_C1R cvt32sToTif = NULL;
+ 
+-	bps = (int)image->comps[0].prec;
++	bps = (uint32)image->comps[0].prec;
+ 	planes[0] = image->comps[0].data;
+ 	
+ 	numcomps = image->numcomps;
+@@ -674,13 +672,13 @@ int imagetotif(opj_image_t * image, const char *outfile)
+ 			break;
+ 	}
+ 	sgnd = (int)image->comps[0].sgnd;
+-	adjust = sgnd ? 1 << (image->comps[0].prec - 1) : 0;
+-	width   = (int)image->comps[0].w;
+-	height  = (int)image->comps[0].h;
++	adjust = sgnd ? (int)(1 << (image->comps[0].prec - 1)) : 0;
++	width   = (uint32)image->comps[0].w;
++	height  = (uint32)image->comps[0].h;
+ 	
+ 	TIFFSetField(tif, TIFFTAG_IMAGEWIDTH, width);
+ 	TIFFSetField(tif, TIFFTAG_IMAGELENGTH, height);
+-	TIFFSetField(tif, TIFFTAG_SAMPLESPERPIXEL, numcomps);
++	TIFFSetField(tif, TIFFTAG_SAMPLESPERPIXEL, (uint32)numcomps);
+ 	TIFFSetField(tif, TIFFTAG_BITSPERSAMPLE, bps);
+ 	TIFFSetField(tif, TIFFTAG_ORIENTATION, ORIENTATION_TOPLEFT);
+ 	TIFFSetField(tif, TIFFTAG_PLANARCONFIG, PLANARCONFIG_CONTIG);
+@@ -688,8 +686,8 @@ int imagetotif(opj_image_t * image, const char *outfile)
+ 	TIFFSetField(tif, TIFFTAG_ROWSPERSTRIP, 1);
+ 	
+ 	strip_size = TIFFStripSize(tif);
+-	rowStride = ((OPJ_SIZE_T)width * numcomps * (OPJ_SIZE_T)bps + 7U) / 8U;
+-	if (rowStride != (OPJ_SIZE_T)strip_size) {
++	rowStride = (width * numcomps * bps + 7U) / 8U;
++	if (rowStride != strip_size) {
+ 		fprintf(stderr, "Invalid TIFF strip size\n");
+ 		TIFFClose(tif);
+ 		return 1;
+@@ -699,7 +697,7 @@ int imagetotif(opj_image_t * image, const char *outfile)
+ 		TIFFClose(tif);
+ 		return 1;
+ 	}
+-	buffer32s = (OPJ_INT32 *)malloc((OPJ_SIZE_T)width * numcomps * sizeof(OPJ_INT32));
++	buffer32s = (OPJ_INT32 *)malloc((OPJ_SIZE_T)(width * numcomps * sizeof(OPJ_INT32)));
+ 	if (buffer32s == NULL) {
+ 		_TIFFfree(buf);
+ 		TIFFClose(tif);
+@@ -1211,20 +1209,19 @@ opj_image_t* tiftoimage(const char *filename, opj_cparameters_t *parameters)
+ 	TIFF *tif;
+ 	tdata_t buf;
+ 	tstrip_t strip;
+-	tsize_t strip_size;
++	tmsize_t strip_size;
+ 	int j, currentPlane, numcomps = 0, w, h;
+ 	OPJ_COLOR_SPACE color_space = OPJ_CLRSPC_UNKNOWN;
+ 	opj_image_cmptparm_t cmptparm[4]; /* RGBA */
+ 	opj_image_t *image = NULL;
+ 	int has_alpha = 0;
+-	unsigned short tiBps, tiPhoto, tiSf, tiSpp, tiPC;
+-	unsigned int tiWidth, tiHeight;
++	uint32 tiBps, tiPhoto, tiSf, tiSpp, tiPC, tiWidth, tiHeight;
+ 	OPJ_BOOL is_cinema = OPJ_IS_CINEMA(parameters->rsiz);
+ 	convert_XXx32s_C1R cvtTifTo32s = NULL;
+ 	convert_32s_CXPX cvtCxToPx = NULL;
+ 	OPJ_INT32* buffer32s = NULL;
+ 	OPJ_INT32* planes[4];
+-	OPJ_SIZE_T rowStride;
++	tmsize_t rowStride;
+ 	
+ 	tif = TIFFOpen(filename, "r");
+ 	
+@@ -1243,22 +1240,35 @@ opj_image_t* tiftoimage(const char *filename, opj_cparameters_t *parameters)
+ 	TIFFGetField(tif, TIFFTAG_SAMPLESPERPIXEL, &tiSpp);
+ 	TIFFGetField(tif, TIFFTAG_PHOTOMETRIC, &tiPhoto);
+ 	TIFFGetField(tif, TIFFTAG_PLANARCONFIG, &tiPC);
+-	w= (int)tiWidth;
+-	h= (int)tiHeight;
+-	
+-	if(tiBps > 16U) {
+-		fprintf(stderr,"tiftoimage: Bits=%d, Only 1 to 16 bits implemented\n",tiBps);
+-		fprintf(stderr,"\tAborting\n");
++
++	if(tiSpp == 0 || tiSpp > 4) { /* should be 1 ... 4 */
++		fprintf(stderr,"tiftoimage: Bad value for samples per pixel == %hu.\n"
++		 "\tAborting.\n", tiSpp);
++		TIFFClose(tif);
++		return NULL;
++	}
++	if(tiBps > 16U || tiBps == 0) {
++		fprintf(stderr,"tiftoimage: Bad values for Bits == %d.\n"
++		 "\tMax. 16 Bits are allowed here.\n\tAborting.\n",tiBps);
+ 		TIFFClose(tif);
+ 		return NULL;
+ 	}
+ 	if(tiPhoto != PHOTOMETRIC_MINISBLACK && tiPhoto != PHOTOMETRIC_RGB) {
+-		fprintf(stderr,"tiftoimage: Bad color format %d.\n\tOnly RGB(A) and GRAY(A) has been implemented\n",(int) tiPhoto);
++		fprintf(stderr,"tiftoimage: Bad color format %d.\n"
++		 "\tOnly RGB(A) and GRAY(A) has been implemented\n",(int) tiPhoto);
+ 		fprintf(stderr,"\tAborting\n");
+ 		TIFFClose(tif);
+ 		return NULL;
+ 	}
+-	
++	if(tiWidth == 0 || tiHeight == 0) {
++		fprintf(stderr,"tiftoimage: Bad values for width(%u) "
++		 "and/or height(%u)\n\tAborting.\n",tiWidth,tiHeight);
++		TIFFClose(tif);
++		return NULL;
++	}
++	w= (int)tiWidth;
++	h= (int)tiHeight;
++
+ 	switch (tiBps) {
+ 		case 1:
+ 		case 2:
+@@ -1312,7 +1322,7 @@ opj_image_t* tiftoimage(const char *filename, opj_cparameters_t *parameters)
+ 		
+ 		TIFFGetFieldDefaulted(tif, TIFFTAG_EXTRASAMPLES,
+ 													&extrasamples, &sampleinfo);
+-		
++
+ 		if(extrasamples >= 1)
+ 		{
+ 			switch(sampleinfo[0])
+@@ -1333,7 +1343,7 @@ opj_image_t* tiftoimage(const char *filename, opj_cparameters_t *parameters)
+ 		else /* extrasamples == 0 */
+ 			if(tiSpp == 4 || tiSpp == 2) has_alpha = 1;
+ 	}
+-	
++
+ 	/* initialize image components */
+ 	memset(&cmptparm[0], 0, 4 * sizeof(opj_image_cmptparm_t));
+ 	
+@@ -1346,7 +1356,7 @@ opj_image_t* tiftoimage(const char *filename, opj_cparameters_t *parameters)
+ 	} else {
+ 		is_cinema = 0U;
+ 	}
+-	
++
+ 	if(tiPhoto == PHOTOMETRIC_RGB) /* RGB(A) */
+ 	{
+ 		numcomps = 3 + has_alpha;
+@@ -1384,10 +1394,24 @@ opj_image_t* tiftoimage(const char *filename, opj_cparameters_t *parameters)
+ 	image->x0 = (OPJ_UINT32)parameters->image_offset_x0;
+ 	image->y0 = (OPJ_UINT32)parameters->image_offset_y0;
+ 	image->x1 =	!image->x0 ? (OPJ_UINT32)(w - 1) * (OPJ_UINT32)subsampling_dx + 1 :
+-	image->x0 + (OPJ_UINT32)(w - 1) * (OPJ_UINT32)subsampling_dx + 1;
++	 image->x0 + (OPJ_UINT32)(w - 1) * (OPJ_UINT32)subsampling_dx + 1;
++	if(image->x1 <= image->x0) {
++		fprintf(stderr,"tiftoimage: Bad value for image->x1(%d) vs. "
++		 "image->x0(%d)\n\tAborting.\n",image->x1,image->x0);
++		TIFFClose(tif);
++		opj_image_destroy(image);
++		return NULL;
++	}
+ 	image->y1 =	!image->y0 ? (OPJ_UINT32)(h - 1) * (OPJ_UINT32)subsampling_dy + 1 :
+-	image->y0 + (OPJ_UINT32)(h - 1) * (OPJ_UINT32)subsampling_dy + 1;
+-
++	 image->y0 + (OPJ_UINT32)(h - 1) * (OPJ_UINT32)subsampling_dy + 1;
++	if(image->y1 <= image->y0) {
++		fprintf(stderr,"tiftoimage: Bad value for image->y1(%d) vs. "
++		 "image->y0(%d)\n\tAborting.\n",image->y1,image->y0);
++		TIFFClose(tif);
++		opj_image_destroy(image);
++		return NULL;
++	}
++	
+ 	for(j = 0; j < numcomps; j++)
+ 	{
+ 		planes[j] = image->comps[j].data;
+@@ -1395,15 +1419,15 @@ opj_image_t* tiftoimage(const char *filename, opj_cparameters_t *parameters)
+ 	image->comps[numcomps - 1].alpha = (OPJ_UINT16)(1 - (numcomps & 1));
+ 		
+ 	strip_size = TIFFStripSize(tif);
+-	
++
+ 	buf = _TIFFmalloc(strip_size);
+ 	if (buf == NULL) {
+ 		TIFFClose(tif);
+ 		opj_image_destroy(image);
+ 		return NULL;
+ 	}
+-	rowStride = ((OPJ_SIZE_T)w * tiSpp * tiBps + 7U) / 8U;
+-	buffer32s = (OPJ_INT32 *)malloc((OPJ_SIZE_T)w * tiSpp * sizeof(OPJ_INT32));
++	rowStride = (w * tiSpp * tiBps + 7U) / 8U;
++	buffer32s = (OPJ_INT32 *)malloc((OPJ_SIZE_T)(w * tiSpp * sizeof(OPJ_INT32)));
+ 	if (buffer32s == NULL) {
+ 		_TIFFfree(buf);
+ 		TIFFClose(tif);
+@@ -1421,11 +1445,20 @@ opj_image_t* tiftoimage(const char *filename, opj_cparameters_t *parameters)
+ 		for(; (h > 0) && (strip < TIFFNumberOfStrips(tif)); strip++)
+ 		{
+ 				const OPJ_UINT8 *dat8;
+-				OPJ_SIZE_T ssize;
++				tmsize_t ssize;
+ 				
+-				ssize = (OPJ_SIZE_T)TIFFReadEncodedStrip(tif, strip, buf, strip_size);
++				ssize = TIFFReadEncodedStrip(tif, strip, buf, strip_size);
++				if(ssize < 1 || ssize > strip_size) {
++					fprintf(stderr,"tiftoimage: Bad value for ssize(%ld) "
++                     "vs. strip_size(%ld).\n\tAborting.\n",ssize,strip_size);
++					_TIFFfree(buf);
++					_TIFFfree(buffer32s);
++					TIFFClose(tif);
++					opj_image_destroy(image);
++					return NULL;
++				}
+ 				dat8 = (const OPJ_UINT8*)buf;
+-				
++
+ 				while (ssize >= rowStride) {
+ 					cvtTifTo32s(dat8, buffer32s, (OPJ_SIZE_T)w * tiSpp);
+ 					cvtCxToPx(buffer32s, planes, (OPJ_SIZE_T)w);
author	Francesco Colista <fcolista@alpinelinux.org>	2016-12-21 15:44:10 +0000
committer	Francesco Colista <fcolista@alpinelinux.org>	2016-12-21 15:44:10 +0000
commit	91f0ed50281f76fcbbc7760fd7617e01b9a50c47 (patch)
tree	abc3d2cb26df78a868ff7f882a111a0220835924
parent	1652fa54e02fa1bde13cb2965e69c57a9963b128 (diff)