From 338b58e0ea880f7cccbe43de21eccbf1440ac6af Mon Sep 17 00:00:00 2001 From: Efraim Flashner Date: Sun, 10 Sep 2017 22:00:35 +0300 Subject: gnu: openjpeg: Fix CVE-2017-14164. * gnu/packages/image.scm (openjpeg)[source]: Add patch. * gnu/packages/patches/openjpeg-CVE-2017-14164.patch: New file. * gnu/local.mk (dist_patch_DATA): Register it. --- gnu/packages/patches/openjpeg-CVE-2017-14164.patch | 89 ++++++++++++++++++++++ 1 file changed, 89 insertions(+) create mode 100644 gnu/packages/patches/openjpeg-CVE-2017-14164.patch (limited to 'gnu/packages/patches') diff --git a/gnu/packages/patches/openjpeg-CVE-2017-14164.patch b/gnu/packages/patches/openjpeg-CVE-2017-14164.patch new file mode 100644 index 0000000000..2bfc5a6a85 --- /dev/null +++ b/gnu/packages/patches/openjpeg-CVE-2017-14164.patch @@ -0,0 +1,89 @@ +https://github.com/uclouvain/openjpeg/commit/dcac91b8c72f743bda7dbfa9032356bc8110098a.patch +http://openwall.com/lists/oss-security/2017/09/06/3 + +From dcac91b8c72f743bda7dbfa9032356bc8110098a Mon Sep 17 00:00:00 2001 +From: Even Rouault +Date: Wed, 16 Aug 2017 17:09:10 +0200 +Subject: [PATCH] opj_j2k_write_sot(): fix potential write heap buffer overflow + (#991) + +--- + src/lib/openjp2/j2k.c | 25 ++++++++++++++++++++----- + 1 file changed, 20 insertions(+), 5 deletions(-) + +diff --git a/src/lib/openjp2/j2k.c b/src/lib/openjp2/j2k.c +index 54b490a8c..16915452e 100644 +--- a/src/lib/openjp2/j2k.c ++++ b/src/lib/openjp2/j2k.c +@@ -832,13 +832,15 @@ static OPJ_BOOL opj_j2k_write_tlm(opj_j2k_t *p_j2k, + * Writes the SOT marker (Start of tile-part) + * + * @param p_j2k J2K codec. +- * @param p_data FIXME DOC +- * @param p_data_written FIXME DOC ++ * @param p_data Output buffer ++ * @param p_total_data_size Output buffer size ++ * @param p_data_written Number of bytes written into stream + * @param p_stream the stream to write data to. + * @param p_manager the user event manager. + */ + static OPJ_BOOL opj_j2k_write_sot(opj_j2k_t *p_j2k, + OPJ_BYTE * p_data, ++ OPJ_UINT32 p_total_data_size, + OPJ_UINT32 * p_data_written, + const opj_stream_private_t *p_stream, + opj_event_mgr_t * p_manager); +@@ -4201,6 +4203,7 @@ static OPJ_BOOL opj_j2k_write_tlm(opj_j2k_t *p_j2k, + + static OPJ_BOOL opj_j2k_write_sot(opj_j2k_t *p_j2k, + OPJ_BYTE * p_data, ++ OPJ_UINT32 p_total_data_size, + OPJ_UINT32 * p_data_written, + const opj_stream_private_t *p_stream, + opj_event_mgr_t * p_manager +@@ -4214,6 +4217,12 @@ static OPJ_BOOL opj_j2k_write_sot(opj_j2k_t *p_j2k, + OPJ_UNUSED(p_stream); + OPJ_UNUSED(p_manager); + ++ if (p_total_data_size < 12) { ++ opj_event_msg(p_manager, EVT_ERROR, ++ "Not enough bytes in output buffer to write SOT marker\n"); ++ return OPJ_FALSE; ++ } ++ + opj_write_bytes(p_data, J2K_MS_SOT, + 2); /* SOT */ + p_data += 2; +@@ -11480,7 +11489,8 @@ static OPJ_BOOL opj_j2k_write_first_tile_part(opj_j2k_t *p_j2k, + + l_current_nb_bytes_written = 0; + l_begin_data = p_data; +- if (! opj_j2k_write_sot(p_j2k, p_data, &l_current_nb_bytes_written, p_stream, ++ if (! opj_j2k_write_sot(p_j2k, p_data, p_total_data_size, ++ &l_current_nb_bytes_written, p_stream, + p_manager)) { + return OPJ_FALSE; + } +@@ -11572,7 +11582,10 @@ static OPJ_BOOL opj_j2k_write_all_tile_parts(opj_j2k_t *p_j2k, + l_part_tile_size = 0; + l_begin_data = p_data; + +- if (! opj_j2k_write_sot(p_j2k, p_data, &l_current_nb_bytes_written, p_stream, ++ if (! opj_j2k_write_sot(p_j2k, p_data, ++ p_total_data_size, ++ &l_current_nb_bytes_written, ++ p_stream, + p_manager)) { + return OPJ_FALSE; + } +@@ -11615,7 +11628,9 @@ static OPJ_BOOL opj_j2k_write_all_tile_parts(opj_j2k_t *p_j2k, + l_part_tile_size = 0; + l_begin_data = p_data; + +- if (! opj_j2k_write_sot(p_j2k, p_data, &l_current_nb_bytes_written, p_stream, ++ if (! opj_j2k_write_sot(p_j2k, p_data, ++ p_total_data_size, ++ &l_current_nb_bytes_written, p_stream, + p_manager)) { + return OPJ_FALSE; + } -- cgit 1.4.1