From 9147c9517a7110f8aef3db38f004a9dff607b50f Mon Sep 17 00:00:00 2001 From: Markus Koschany Date: Mon, 22 Jan 2018 23:49:10 +0100 Subject: [PATCH 1/5] java9 Gbp-Pq: Name java9.patch --- src/bin/jpip/CMakeLists.txt | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/bin/jpip/CMakeLists.txt b/src/bin/jpip/CMakeLists.txt index 301d885..b412510 100644 --- a/src/bin/jpip/CMakeLists.txt +++ b/src/bin/jpip/CMakeLists.txt @@ -61,10 +61,10 @@ find_package(Java 1.5 COMPONENTS Development) # javac, jar # User can override this: if(NOT DEFINED JAVA_SOURCE_VERSION) - set(JAVA_SOURCE_VERSION 1.5) + set(JAVA_SOURCE_VERSION 1.7) endif() if(NOT DEFINED JAVA_TARGET_VERSION) - set(JAVA_TARGET_VERSION 1.5) + set(JAVA_TARGET_VERSION 1.7) endif() # Only build the java viewer if dev is found: From 1a67a19c2e7038b22a4e4edff91730ed188c3719 Mon Sep 17 00:00:00 2001 From: Young Xiao Date: Sat, 16 Mar 2019 19:57:27 +0800 Subject: [PATCH 2/5] [PATCH] convertbmp: detect invalid file dimensions early width/length dimensions read from bmp headers are not necessarily valid. For instance they may have been maliciously set to very large values with the intention to cause DoS (large memory allocation, stack overflow). In these cases we want to detect the invalid size as early as possible. This commit introduces a counter which verifies that the number of written bytes corresponds to the advertized width/length. See commit 8ee335227bbc for details. Signed-off-by: Young Xiao Gbp-Pq: Name CVE-2019-12973-1.patch --- src/bin/jp2/convertbmp.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/src/bin/jp2/convertbmp.c b/src/bin/jp2/convertbmp.c index 0af52f8..ec34f53 100644 --- a/src/bin/jp2/convertbmp.c +++ b/src/bin/jp2/convertbmp.c @@ -622,13 +622,13 @@ static OPJ_BOOL bmp_read_rle8_data(FILE* IN, OPJ_UINT8* pData, static OPJ_BOOL bmp_read_rle4_data(FILE* IN, OPJ_UINT8* pData, OPJ_UINT32 stride, OPJ_UINT32 width, OPJ_UINT32 height) { - OPJ_UINT32 x, y; + OPJ_UINT32 x, y, written; OPJ_UINT8 *pix; const OPJ_UINT8 *beyond; beyond = pData + stride * height; pix = pData; - x = y = 0U; + x = y = written = 0U; while (y < height) { int c = getc(IN); if (c == EOF) { @@ -642,6 +642,7 @@ static OPJ_BOOL bmp_read_rle4_data(FILE* IN, OPJ_UINT8* pData, for (j = 0; (j < c) && (x < width) && ((OPJ_SIZE_T)pix < (OPJ_SIZE_T)beyond); j++, x++, pix++) { *pix = (OPJ_UINT8)((j & 1) ? (c1 & 0x0fU) : ((c1 >> 4) & 0x0fU)); + written++; } } else { /* absolute mode */ c = getc(IN); @@ -671,6 +672,7 @@ static OPJ_BOOL bmp_read_rle4_data(FILE* IN, OPJ_UINT8* pData, c1 = (OPJ_UINT8)getc(IN); } *pix = (OPJ_UINT8)((j & 1) ? (c1 & 0x0fU) : ((c1 >> 4) & 0x0fU)); + written++; } if (((c & 3) == 1) || ((c & 3) == 2)) { /* skip padding byte */ getc(IN); @@ -678,6 +680,10 @@ static OPJ_BOOL bmp_read_rle4_data(FILE* IN, OPJ_UINT8* pData, } } } /* while(y < height) */ + if (written != width * height) { + fprintf(stderr, "warning, image's actual size does not match advertized one\n"); + return OPJ_FALSE; + } return OPJ_TRUE; } From 7ff9b4fd9b1524af8935fc3fc4c108e55ba6afef Mon Sep 17 00:00:00 2001 From: Young Xiao Date: Sat, 16 Mar 2019 20:09:59 +0800 Subject: [PATCH 3/5] [PATCH] bmp_read_rle4_data(): avoid potential infinite loop Gbp-Pq: Name CVE-2019-12973-2.patch --- src/bin/jp2/convertbmp.c | 32 ++++++++++++++++++++++++++------ 1 file changed, 26 insertions(+), 6 deletions(-) diff --git a/src/bin/jp2/convertbmp.c b/src/bin/jp2/convertbmp.c index ec34f53..2fc4e9b 100644 --- a/src/bin/jp2/convertbmp.c +++ b/src/bin/jp2/convertbmp.c @@ -632,12 +632,18 @@ static OPJ_BOOL bmp_read_rle4_data(FILE* IN, OPJ_UINT8* pData, while (y < height) { int c = getc(IN); if (c == EOF) { - break; + return OPJ_FALSE; } if (c) { /* encoded mode */ - int j; - OPJ_UINT8 c1 = (OPJ_UINT8)getc(IN); + int j, c1_int; + OPJ_UINT8 c1; + + c1_int = getc(IN); + if (c1_int == EOF) { + return OPJ_FALSE; + } + c1 = (OPJ_UINT8)c1_int; for (j = 0; (j < c) && (x < width) && ((OPJ_SIZE_T)pix < (OPJ_SIZE_T)beyond); j++, x++, pix++) { @@ -647,7 +653,7 @@ static OPJ_BOOL bmp_read_rle4_data(FILE* IN, OPJ_UINT8* pData, } else { /* absolute mode */ c = getc(IN); if (c == EOF) { - break; + return OPJ_FALSE; } if (c == 0x00) { /* EOL */ @@ -658,8 +664,14 @@ static OPJ_BOOL bmp_read_rle4_data(FILE* IN, OPJ_UINT8* pData, break; } else if (c == 0x02) { /* MOVE by dxdy */ c = getc(IN); + if (c == EOF) { + return OPJ_FALSE; + } x += (OPJ_UINT32)c; c = getc(IN); + if (c == EOF) { + return OPJ_FALSE; + } y += (OPJ_UINT32)c; pix = pData + y * stride + x; } else { /* 03 .. 255 : absolute mode */ @@ -669,13 +681,21 @@ static OPJ_BOOL bmp_read_rle4_data(FILE* IN, OPJ_UINT8* pData, for (j = 0; (j < c) && (x < width) && ((OPJ_SIZE_T)pix < (OPJ_SIZE_T)beyond); j++, x++, pix++) { if ((j & 1) == 0) { - c1 = (OPJ_UINT8)getc(IN); + int c1_int; + c1_int = getc(IN); + if (c1_int == EOF) { + return OPJ_FALSE; + } + c1 = (OPJ_UINT8)c1_int; } *pix = (OPJ_UINT8)((j & 1) ? (c1 & 0x0fU) : ((c1 >> 4) & 0x0fU)); written++; } if (((c & 3) == 1) || ((c & 3) == 2)) { /* skip padding byte */ - getc(IN); + c = getc(IN); + if (c == EOF) { + return OPJ_FALSE; + } } } } From ff08967f85df1b902fed06f448d57ed3124a6153 Mon Sep 17 00:00:00 2001 From: Even Rouault Date: Sat, 11 Jan 2020 01:51:19 +0100 Subject: [PATCH 4/5] [PATCH] opj_j2k_update_image_dimensions(): reject images whose coordinates are beyond INT_MAX (fixes #1228) Gbp-Pq: Name CVE-2020-6851.patch --- src/lib/openjp2/j2k.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/src/lib/openjp2/j2k.c b/src/lib/openjp2/j2k.c index 4169cd6..9e9a30f 100644 --- a/src/lib/openjp2/j2k.c +++ b/src/lib/openjp2/j2k.c @@ -9236,6 +9236,14 @@ static OPJ_BOOL opj_j2k_update_image_dimensions(opj_image_t* p_image, l_img_comp = p_image->comps; for (it_comp = 0; it_comp < p_image->numcomps; ++it_comp) { OPJ_INT32 l_h, l_w; + if (p_image->x0 > (OPJ_UINT32)INT_MAX || + p_image->y0 > (OPJ_UINT32)INT_MAX || + p_image->x1 > (OPJ_UINT32)INT_MAX || + p_image->y1 > (OPJ_UINT32)INT_MAX) { + opj_event_msg(p_manager, EVT_ERROR, + "Image coordinates above INT_MAX are not supported\n"); + return OPJ_FALSE; + } l_img_comp->x0 = (OPJ_UINT32)opj_int_ceildiv((OPJ_INT32)p_image->x0, (OPJ_INT32)l_img_comp->dx); From 2eee49d87c9daabcdd528d106b4510d38a0b2179 Mon Sep 17 00:00:00 2001 From: Even Rouault Date: Thu, 30 Jan 2020 00:59:57 +0100 Subject: [PATCH 5/5] [PATCH] opj_tcd_init_tile(): avoid integer overflow That could lead to later assertion failures. Fixes #1231 / CVE-2020-8112 Gbp-Pq: Name CVE-2020-8112.patch --- src/lib/openjp2/tcd.c | 20 ++++++++++++++++++-- 1 file changed, 18 insertions(+), 2 deletions(-) diff --git a/src/lib/openjp2/tcd.c b/src/lib/openjp2/tcd.c index be3b843..647991c 100644 --- a/src/lib/openjp2/tcd.c +++ b/src/lib/openjp2/tcd.c @@ -905,8 +905,24 @@ static INLINE OPJ_BOOL opj_tcd_init_tile(opj_tcd_t *p_tcd, OPJ_UINT32 p_tile_no, /* p. 64, B.6, ISO/IEC FDIS15444-1 : 2000 (18 august 2000) */ l_tl_prc_x_start = opj_int_floordivpow2(l_res->x0, (OPJ_INT32)l_pdx) << l_pdx; l_tl_prc_y_start = opj_int_floordivpow2(l_res->y0, (OPJ_INT32)l_pdy) << l_pdy; - l_br_prc_x_end = opj_int_ceildivpow2(l_res->x1, (OPJ_INT32)l_pdx) << l_pdx; - l_br_prc_y_end = opj_int_ceildivpow2(l_res->y1, (OPJ_INT32)l_pdy) << l_pdy; + { + OPJ_UINT32 tmp = ((OPJ_UINT32)opj_int_ceildivpow2(l_res->x1, + (OPJ_INT32)l_pdx)) << l_pdx; + if (tmp > (OPJ_UINT32)INT_MAX) { + opj_event_msg(manager, EVT_ERROR, "Integer overflow\n"); + return OPJ_FALSE; + } + l_br_prc_x_end = (OPJ_INT32)tmp; + } + { + OPJ_UINT32 tmp = ((OPJ_UINT32)opj_int_ceildivpow2(l_res->y1, + (OPJ_INT32)l_pdy)) << l_pdy; + if (tmp > (OPJ_UINT32)INT_MAX) { + opj_event_msg(manager, EVT_ERROR, "Integer overflow\n"); + return OPJ_FALSE; + } + l_br_prc_y_end = (OPJ_INT32)tmp; + } /*fprintf(stderr, "\t\t\tprc_x_start=%d, prc_y_start=%d, br_prc_x_end=%d, br_prc_y_end=%d \n", l_tl_prc_x_start, l_tl_prc_y_start, l_br_prc_x_end ,l_br_prc_y_end );*/ l_res->pw = (l_res->x0 == l_res->x1) ? 0U : (OPJ_UINT32)((