summaryrefslogtreecommitdiffstats
path: root/openjpeg2_CVE-2020-27823.patch
diff options
context:
space:
mode:
Diffstat (limited to 'openjpeg2_CVE-2020-27823.patch')
-rw-r--r--openjpeg2_CVE-2020-27823.patch26
1 files changed, 26 insertions, 0 deletions
diff --git a/openjpeg2_CVE-2020-27823.patch b/openjpeg2_CVE-2020-27823.patch
new file mode 100644
index 0000000..02fa0ac
--- /dev/null
+++ b/openjpeg2_CVE-2020-27823.patch
@@ -0,0 +1,26 @@
+From b2072402b7e14d22bba6fb8cde2a1e9996e9a919 Mon Sep 17 00:00:00 2001
+From: Even Rouault <even.rouault@spatialys.com>
+Date: Mon, 30 Nov 2020 22:31:51 +0100
+Subject: [PATCH] pngtoimage(): fix wrong computation of x1,y1 if -d option is
+ used, that would result in a heap buffer overflow (fixes #1284)
+
+---
+ src/bin/jp2/convertpng.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/bin/jp2/convertpng.c b/src/bin/jp2/convertpng.c
+index 328c91beb..00f596e27 100644
+--- a/src/bin/jp2/convertpng.c
++++ b/src/bin/jp2/convertpng.c
+@@ -223,9 +223,9 @@ opj_image_t *pngtoimage(const char *read_idf, opj_cparameters_t * params)
+ image->x0 = (OPJ_UINT32)params->image_offset_x0;
+ image->y0 = (OPJ_UINT32)params->image_offset_y0;
+ image->x1 = (OPJ_UINT32)(image->x0 + (width - 1) * (OPJ_UINT32)
+- params->subsampling_dx + 1 + image->x0);
++ params->subsampling_dx + 1);
+ image->y1 = (OPJ_UINT32)(image->y0 + (height - 1) * (OPJ_UINT32)
+- params->subsampling_dy + 1 + image->y0);
++ params->subsampling_dy + 1);
+
+ row32s = (OPJ_INT32 *)malloc((size_t)width * nr_comp * sizeof(OPJ_INT32));
+ if (row32s == NULL) {
generated by cgit (git 2.34.1) at 2024-05-12 01:13:26 +0000