1 files changed, 72 insertions, 0 deletions

diff --git a/main/openjpeg/CVE-2017-14039.patch b/main/openjpeg/CVE-2017-14039.patch
new file mode 100644
index 00000000000..b8fcea0bbb4
--- /dev/null
+++ b/main/openjpeg/CVE-2017-14039.patch
@@ -0,0 +1,72 @@
+From c535531f03369623b9b833ef41952c62257b507e Mon Sep 17 00:00:00 2001
+From: Even Rouault <even.rouault@spatialys.com>
+Date: Wed, 16 Aug 2017 17:20:29 +0200
+Subject: [PATCH] opj_t2_encode_packet(): fix potential write heap buffer
+ overflow (#992)
+
+---
+ src/lib/openjp2/j2k.c |  7 ++++++-
+ src/lib/openjp2/t2.c  | 18 ++++++++++++++++++
+ 2 files changed, 24 insertions(+), 1 deletion(-)
+
+diff --git a/src/lib/openjp2/j2k.c b/src/lib/openjp2/j2k.c
+index 16915452e..6c1f55f47 100644
+--- a/src/lib/openjp2/j2k.c
++++ b/src/lib/openjp2/j2k.c
+@@ -4215,7 +4215,6 @@ static OPJ_BOOL opj_j2k_write_sot(opj_j2k_t *p_j2k,
+     assert(p_stream != 00);
+ 
+     OPJ_UNUSED(p_stream);
+-    OPJ_UNUSED(p_manager);
+ 
+     if (p_total_data_size < 12) {
+         opj_event_msg(p_manager, EVT_ERROR,
+@@ -4617,6 +4616,12 @@ static OPJ_BOOL opj_j2k_write_sod(opj_j2k_t *p_j2k,
+ 
+     OPJ_UNUSED(p_stream);
+ 
++    if (p_total_data_size < 4) {
++        opj_event_msg(p_manager, EVT_ERROR,
++                      "Not enough bytes in output buffer to write SOD marker\n");
++        return OPJ_FALSE;
++    }
++
+     opj_write_bytes(p_data, J2K_MS_SOD,
+                     2);                                 /* SOD */
+     p_data += 2;
+diff --git a/src/lib/openjp2/t2.c b/src/lib/openjp2/t2.c
+index 9d31acda8..0fd5300c6 100644
+--- a/src/lib/openjp2/t2.c
++++ b/src/lib/openjp2/t2.c
+@@ -629,6 +629,15 @@ static OPJ_BOOL opj_t2_encode_packet(OPJ_UINT32 tileno,
+ 
+     /* <SOP 0xff91> */
+     if (tcp->csty & J2K_CP_CSTY_SOP) {
++        if (length < 6) {
++            if (p_t2_mode == FINAL_PASS) {
++                opj_event_msg(p_manager, EVT_ERROR,
++                              "opj_t2_encode_packet(): only %u bytes remaining in "
++                              "output buffer. %u needed.\n",
++                              length, 6);
++            }
++            return OPJ_FALSE;
++        }
+         c[0] = 255;
+         c[1] = 145;
+         c[2] = 0;
+@@ -817,6 +826,15 @@ static OPJ_BOOL opj_t2_encode_packet(OPJ_UINT32 tileno,
+ 
+     /* <EPH 0xff92> */
+     if (tcp->csty & J2K_CP_CSTY_EPH) {
++        if (length < 2) {
++            if (p_t2_mode == FINAL_PASS) {
++                opj_event_msg(p_manager, EVT_ERROR,
++                              "opj_t2_encode_packet(): only %u bytes remaining in "
++                              "output buffer. %u needed.\n",
++                              length, 2);
++            }
++            return OPJ_FALSE;
++        }
+         c[0] = 255;
+         c[1] = 146;
+         c += 2;