From c5b81e81a14554c7a808f5344bcd6aafa972d322 Mon Sep 17 00:00:00 2001 From: Remi Collet Date: Fri, 6 Oct 2017 08:27:22 +0200 Subject: v2.3.0 --- 2cd30c2b06ce332dede81cccad8b334cde997281.patch | 80 -------------------------- 4241ae6fbbf1de9658764a80944dc8108f2b4154.patch | 35 ----------- afb308b9ccbe129608c9205cf3bb39bbefad90b9.patch | 43 -------------- baf0c1ad4572daa89caa3b12985bdd93530f0dd7.patch | 25 -------- e5285319229a5d77bf316bb0d3a6cbd3cb8666d9.patch | 22 ------- openjpeg2-static.spec | 35 ++++++----- 6 files changed, 17 insertions(+), 223 deletions(-) delete mode 100644 2cd30c2b06ce332dede81cccad8b334cde997281.patch delete mode 100644 4241ae6fbbf1de9658764a80944dc8108f2b4154.patch delete mode 100644 afb308b9ccbe129608c9205cf3bb39bbefad90b9.patch delete mode 100644 baf0c1ad4572daa89caa3b12985bdd93530f0dd7.patch delete mode 100644 e5285319229a5d77bf316bb0d3a6cbd3cb8666d9.patch diff --git a/2cd30c2b06ce332dede81cccad8b334cde997281.patch b/2cd30c2b06ce332dede81cccad8b334cde997281.patch deleted file mode 100644 index dd9183d..0000000 --- a/2cd30c2b06ce332dede81cccad8b334cde997281.patch +++ /dev/null @@ -1,80 +0,0 @@ -From 2cd30c2b06ce332dede81cccad8b334cde997281 Mon Sep 17 00:00:00 2001 -From: Even Rouault -Date: Thu, 17 Aug 2017 11:47:40 +0200 -Subject: [PATCH] tgatoimage(): avoid excessive memory allocation attempt, and - fixes unaligned load (#995) - ---- - src/bin/jp2/convert.c | 39 +++++++++++++++++++++++++++------------ - 1 file changed, 27 insertions(+), 12 deletions(-) - -diff --git a/src/bin/jp2/convert.c b/src/bin/jp2/convert.c -index a4eb81f6a..73dfc8d5f 100644 ---- a/src/bin/jp2/convert.c -+++ b/src/bin/jp2/convert.c -@@ -580,13 +580,10 @@ struct tga_header { - }; - #endif /* INFORMATION_ONLY */ - --static unsigned short get_ushort(const unsigned char *data) -+/* Returns a ushort from a little-endian serialized value */ -+static unsigned short get_tga_ushort(const unsigned char *data) - { -- unsigned short val = *(const unsigned short *)data; --#ifdef OPJ_BIG_ENDIAN -- val = ((val & 0xffU) << 8) | (val >> 8); --#endif -- return val; -+ return data[0] | (data[1] << 8); - } - - #define TGA_HEADER_SIZE 18 -@@ -613,17 +610,17 @@ static int tga_readheader(FILE *fp, unsigned int *bits_per_pixel, - id_len = tga[0]; - /*cmap_type = tga[1];*/ - image_type = tga[2]; -- /*cmap_index = get_ushort(&tga[3]);*/ -- cmap_len = get_ushort(&tga[5]); -+ /*cmap_index = get_tga_ushort(&tga[3]);*/ -+ cmap_len = get_tga_ushort(&tga[5]); - cmap_entry_size = tga[7]; - - - #if 0 -- x_origin = get_ushort(&tga[8]); -- y_origin = get_ushort(&tga[10]); -+ x_origin = get_tga_ushort(&tga[8]); -+ y_origin = get_tga_ushort(&tga[10]); - #endif -- image_w = get_ushort(&tga[12]); -- image_h = get_ushort(&tga[14]); -+ image_w = get_tga_ushort(&tga[12]); -+ image_h = get_tga_ushort(&tga[14]); - pixel_depth = tga[16]; - image_desc = tga[17]; - -@@ -817,6 +814,24 @@ opj_image_t* tgatoimage(const char *filename, opj_cparameters_t *parameters) - color_space = OPJ_CLRSPC_SRGB; - } - -+ /* If the declared file size is > 10 MB, check that the file is big */ -+ /* enough to avoid excessive memory allocations */ -+ if (image_height != 0 && image_width > 10000000 / image_height / numcomps) { -+ char ch; -+ OPJ_UINT64 expected_file_size = -+ (OPJ_UINT64)image_width * image_height * numcomps; -+ long curpos = ftell(f); -+ if (expected_file_size > (OPJ_UINT64)INT_MAX) { -+ expected_file_size = (OPJ_UINT64)INT_MAX; -+ } -+ fseek(f, (long)expected_file_size - 1, SEEK_SET); -+ if (fread(&ch, 1, 1, f) != 1) { -+ fclose(f); -+ return NULL; -+ } -+ fseek(f, curpos, SEEK_SET); -+ } -+ - subsampling_dx = parameters->subsampling_dx; - subsampling_dy = parameters->subsampling_dy; - diff --git a/4241ae6fbbf1de9658764a80944dc8108f2b4154.patch b/4241ae6fbbf1de9658764a80944dc8108f2b4154.patch deleted file mode 100644 index d165090..0000000 --- a/4241ae6fbbf1de9658764a80944dc8108f2b4154.patch +++ /dev/null @@ -1,35 +0,0 @@ -From 4241ae6fbbf1de9658764a80944dc8108f2b4154 Mon Sep 17 00:00:00 2001 -From: Even Rouault -Date: Tue, 15 Aug 2017 11:55:58 +0200 -Subject: [PATCH] Fix assertion in debug mode / heap-based buffer overflow in - opj_write_bytes_LE for Cinema profiles with numresolutions = 1 (#985) - ---- - src/lib/openjp2/j2k.c | 14 ++++++++++---- - 1 file changed, 10 insertions(+), 4 deletions(-) - -diff --git a/src/lib/openjp2/j2k.c b/src/lib/openjp2/j2k.c -index a2521ebbc..54b490a8c 100644 ---- a/src/lib/openjp2/j2k.c -+++ b/src/lib/openjp2/j2k.c -@@ -6573,10 +6573,16 @@ static void opj_j2k_set_cinema_parameters(opj_cparameters_t *parameters, - - /* Precincts */ - parameters->csty |= 0x01; -- parameters->res_spec = parameters->numresolution - 1; -- for (i = 0; i < parameters->res_spec; i++) { -- parameters->prcw_init[i] = 256; -- parameters->prch_init[i] = 256; -+ if (parameters->numresolution == 1) { -+ parameters->res_spec = 1; -+ parameters->prcw_init[0] = 128; -+ parameters->prch_init[0] = 128; -+ } else { -+ parameters->res_spec = parameters->numresolution - 1; -+ for (i = 0; i < parameters->res_spec; i++) { -+ parameters->prcw_init[i] = 256; -+ parameters->prch_init[i] = 256; -+ } - } - - /* The progression order shall be CPRL */ diff --git a/afb308b9ccbe129608c9205cf3bb39bbefad90b9.patch b/afb308b9ccbe129608c9205cf3bb39bbefad90b9.patch deleted file mode 100644 index c8a1fd6..0000000 --- a/afb308b9ccbe129608c9205cf3bb39bbefad90b9.patch +++ /dev/null @@ -1,43 +0,0 @@ -From afb308b9ccbe129608c9205cf3bb39bbefad90b9 Mon Sep 17 00:00:00 2001 -From: Even Rouault -Date: Mon, 14 Aug 2017 17:20:37 +0200 -Subject: [PATCH] Encoder: grow buffer size in - opj_tcd_code_block_enc_allocate_data() to avoid write heap buffer overflow in - opj_mqc_flush (#982) - ---- - src/lib/openjp2/tcd.c | 7 +++++-- - tests/nonregression/test_suite.ctest.in | 2 ++ - 2 files changed, 7 insertions(+), 2 deletions(-) - -diff --git a/src/lib/openjp2/tcd.c b/src/lib/openjp2/tcd.c -index 301c7213e..53cdcf64d 100644 ---- a/src/lib/openjp2/tcd.c -+++ b/src/lib/openjp2/tcd.c -@@ -1187,8 +1187,11 @@ static OPJ_BOOL opj_tcd_code_block_enc_allocate_data(opj_tcd_cblk_enc_t * - { - OPJ_UINT32 l_data_size; - -- /* The +1 is needed for https://github.com/uclouvain/openjpeg/issues/835 */ -- l_data_size = 1 + (OPJ_UINT32)((p_code_block->x1 - p_code_block->x0) * -+ /* +1 is needed for https://github.com/uclouvain/openjpeg/issues/835 */ -+ /* and actually +2 required for https://github.com/uclouvain/openjpeg/issues/982 */ -+ /* TODO: is there a theoretical upper-bound for the compressed code */ -+ /* block size ? */ -+ l_data_size = 2 + (OPJ_UINT32)((p_code_block->x1 - p_code_block->x0) * - (p_code_block->y1 - p_code_block->y0) * (OPJ_INT32)sizeof(OPJ_UINT32)); - - if (l_data_size > p_code_block->data_size) { -diff --git a/tests/nonregression/test_suite.ctest.in b/tests/nonregression/test_suite.ctest.in -index aaf40d7d0..ffd964c2a 100644 ---- a/tests/nonregression/test_suite.ctest.in -+++ b/tests/nonregression/test_suite.ctest.in -@@ -169,6 +169,8 @@ opj_compress -i @INPUT_NR_PATH@/Bretagne2.ppm -o @TEMP_PATH@/Bretagne2_empty_ban - # Same rate as Bretagne2_4.j2k - opj_compress -i @INPUT_NR_PATH@/Bretagne2.ppm -o @TEMP_PATH@/Bretagne2_empty_band_r800.j2k -t 2591,1943 -n 2 -r 800 - -+opj_compress -i @INPUT_NR_PATH@/issue982.bmp -o @TEMP_PATH@/issue982.j2k -n 1 -+ - # DECODER TEST SUITE - opj_decompress -i @INPUT_NR_PATH@/Bretagne2.j2k -o @TEMP_PATH@/Bretagne2.j2k.pgx - opj_decompress -i @INPUT_NR_PATH@/_00042.j2k -o @TEMP_PATH@/_00042.j2k.pgx diff --git a/baf0c1ad4572daa89caa3b12985bdd93530f0dd7.patch b/baf0c1ad4572daa89caa3b12985bdd93530f0dd7.patch deleted file mode 100644 index 724cf60..0000000 --- a/baf0c1ad4572daa89caa3b12985bdd93530f0dd7.patch +++ /dev/null @@ -1,25 +0,0 @@ -From baf0c1ad4572daa89caa3b12985bdd93530f0dd7 Mon Sep 17 00:00:00 2001 -From: Even Rouault -Date: Mon, 14 Aug 2017 17:26:58 +0200 -Subject: [PATCH] bmp_read_info_header(): reject bmp files with biBitCount == 0 - (#983) - ---- - src/bin/jp2/convertbmp.c | 4 ++++ - 1 file changed, 4 insertions(+) - -diff --git a/src/bin/jp2/convertbmp.c b/src/bin/jp2/convertbmp.c -index b49e7a080..2715fdf24 100644 ---- a/src/bin/jp2/convertbmp.c -+++ b/src/bin/jp2/convertbmp.c -@@ -392,6 +392,10 @@ static OPJ_BOOL bmp_read_info_header(FILE* IN, OPJ_BITMAPINFOHEADER* header) - - header->biBitCount = (OPJ_UINT16)getc(IN); - header->biBitCount |= (OPJ_UINT16)((OPJ_UINT32)getc(IN) << 8); -+ if (header->biBitCount == 0) { -+ fprintf(stderr, "Error, invalid biBitCount %d\n", 0); -+ return OPJ_FALSE; -+ } - - if (header->biSize >= 40U) { - header->biCompression = (OPJ_UINT32)getc(IN); diff --git a/e5285319229a5d77bf316bb0d3a6cbd3cb8666d9.patch b/e5285319229a5d77bf316bb0d3a6cbd3cb8666d9.patch deleted file mode 100644 index ebfe1ad..0000000 --- a/e5285319229a5d77bf316bb0d3a6cbd3cb8666d9.patch +++ /dev/null @@ -1,22 +0,0 @@ -From e5285319229a5d77bf316bb0d3a6cbd3cb8666d9 Mon Sep 17 00:00:00 2001 -From: Even Rouault -Date: Fri, 18 Aug 2017 13:39:20 +0200 -Subject: [PATCH] pgxtoimage(): fix write stack buffer overflow (#997) - ---- - src/bin/jp2/convert.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/bin/jp2/convert.c b/src/bin/jp2/convert.c -index 5459f7d44..e606c9be7 100644 ---- a/src/bin/jp2/convert.c -+++ b/src/bin/jp2/convert.c -@@ -1185,7 +1185,7 @@ opj_image_t* pgxtoimage(const char *filename, opj_cparameters_t *parameters) - } - - fseek(f, 0, SEEK_SET); -- if (fscanf(f, "PG%[ \t]%c%c%[ \t+-]%d%[ \t]%d%[ \t]%d", temp, &endian1, -+ if (fscanf(f, "PG%31[ \t]%c%c%31[ \t+-]%d%31[ \t]%d%31[ \t]%d", temp, &endian1, - &endian2, signtmp, &prec, temp, &w, temp, &h) != 9) { - fclose(f); - fprintf(stderr, diff --git a/openjpeg2-static.spec b/openjpeg2-static.spec index db311f2..7639e74 100644 --- a/openjpeg2-static.spec +++ b/openjpeg2-static.spec @@ -1,5 +1,5 @@ # remirepo spec file from fedora -# adapted to produce static library +# adapted to produce only the static library # Conformance tests disabled by default since it requires 1 GB of test data #global runcheck 1 @@ -7,8 +7,8 @@ #global optional_components 1 Name: openjpeg2-static -Version: 2.2.0 -Release: 3%{?dist}.1 +Version: 2.3.0 +Release: 1%{?dist} Summary: C-Library for JPEG 2000 # windirent.h is MIT, the rest is BSD @@ -22,16 +22,6 @@ Source1: data.tar.xz # Remove bundled libraries Patch0: openjpeg2_remove-thirdparty.patch -# Backport fix for CVE-2017-12982 -Patch1: baf0c1ad4572daa89caa3b12985bdd93530f0dd7.patch -# Backport fix for CVE-2017-14041 -Patch2: e5285319229a5d77bf316bb0d3a6cbd3cb8666d9.patch -# Backport fix for CVE-2017-14040 -Patch3: 2cd30c2b06ce332dede81cccad8b334cde997281.patch -# Backport fix for Heap-based buffer overflow in opj_write_bytes_LE in cio.c -Patch4: 4241ae6fbbf1de9658764a80944dc8108f2b4154.patch -# Backport fix for Heap-based buffer overflow in opj_mqc_flush in mqc.c -Patch5: afb308b9ccbe129608c9205cf3bb39bbefad90b9.patch BuildRequires: cmake BuildRequires: zlib-devel @@ -277,12 +267,12 @@ make test -C %{_target_platform} %{_mandir}/man3/libopenjp2.3* %files devel -%dir %{_includedir}/openjpeg-2.2/ -%{_includedir}/openjpeg-2.2/openjpeg.h -%{_includedir}/openjpeg-2.2/opj_config.h -%{_includedir}/openjpeg-2.2/opj_stdint.h +%dir %{_includedir}/openjpeg-2.3/ +%{_includedir}/openjpeg-2.3/openjpeg.h +%{_includedir}/openjpeg-2.3/opj_config.h +%{_includedir}/openjpeg-2.3/opj_stdint.h %{_libdir}/libopenjp2.a -%{_libdir}/openjpeg-2.2/ +%{_libdir}/openjpeg-2.3/ %{_libdir}/pkgconfig/libopenjp2.pc %files devel-docs @@ -342,12 +332,21 @@ make test -C %{_target_platform} %changelog +* Fri Oct 6 2017 Remi Collet - 2.3.0-1 +- Update to 2.3.0 from Fedora + +* Thu Oct 05 2017 Sandro Mani - 2.3.0-1 +- Update to 2.3.0 + * Thu Oct 5 2017 Remi Collet - 2.2.0-4 - fix build flags * Wed Oct 4 2017 Remi Collet - 2.2.0-3 - build the static library +* Thu Sep 07 2017 Sandro Mani - 2.2.0-4 +- Backport fix for CVE-2017-14039 + * Thu Aug 31 2017 Sandro Mani - 2.2.0-3 - Backport more security fixes, including for CVE-2017-14041 and CVE-2017-14040 -- cgit