meta-openembedded/meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2020-27845.patch


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74

From 8f5aff1dff510a964d3901d0fba281abec98ab63 Mon Sep 17 00:00:00 2001
From: Even Rouault <even.rouault@spatialys.com>
Date: Fri, 4 Dec 2020 20:45:25 +0100
Subject: [PATCH] pi.c: avoid out of bounds access with POC (fixes #1302)

Upstream-Status: Backport [https://launchpad.net/ubuntu/+archive/primary/+sourcefiles/openjpeg2/2.3.1-1ubuntu4.20.04.1/openjpeg2_2.3.1-1ubuntu4.20.04.1.debian.tar.xz]
CVE: CVE-2020-27845
Signed-off-by: Virendra Thakur <virendra.thakur@kpit.com>
---
 src/lib/openjp2/pi.c | 25 +++++++++++++++++++++++--
 1 file changed, 23 insertions(+), 2 deletions(-)

--- a/src/lib/openjp2/pi.c
+++ b/src/lib/openjp2/pi.c
@@ -238,6 +238,13 @@ static OPJ_BOOL opj_pi_next_lrcp(opj_pi_
     opj_pi_resolution_t *res = NULL;
     OPJ_UINT32 index = 0;
 
+    if (pi->poc.compno0 >= pi->numcomps ||
+            pi->poc.compno1 >= pi->numcomps + 1) {
+        opj_event_msg(pi->manager, EVT_ERROR,
+                      "opj_pi_next_lrcp(): invalid compno0/compno1\n");
+        return OPJ_FALSE;
+    }
+
     if (!pi->first) {
         comp = &pi->comps[pi->compno];
         res = &comp->resolutions[pi->resno];
@@ -291,6 +298,13 @@ static OPJ_BOOL opj_pi_next_rlcp(opj_pi_
     opj_pi_resolution_t *res = NULL;
     OPJ_UINT32 index = 0;
 
+    if (pi->poc.compno0 >= pi->numcomps ||
+            pi->poc.compno1 >= pi->numcomps + 1) {
+        opj_event_msg(pi->manager, EVT_ERROR,
+                      "opj_pi_next_rlcp(): invalid compno0/compno1\n");
+        return OPJ_FALSE;
+    }
+
     if (!pi->first) {
         comp = &pi->comps[pi->compno];
         res = &comp->resolutions[pi->resno];
@@ -337,6 +351,13 @@ static OPJ_BOOL opj_pi_next_rpcl(opj_pi_
     opj_pi_resolution_t *res = NULL;
     OPJ_UINT32 index = 0;
 
+    if (pi->poc.compno0 >= pi->numcomps ||
+            pi->poc.compno1 >= pi->numcomps + 1) {
+        opj_event_msg(pi->manager, EVT_ERROR,
+                      "opj_pi_next_rpcl(): invalid compno0/compno1\n");
+        return OPJ_FALSE;
+    }
+
     if (!pi->first) {
         goto LABEL_SKIP;
     } else {
@@ -472,7 +493,7 @@ static OPJ_BOOL opj_pi_next_pcrl(opj_pi_
     if (pi->poc.compno0 >= pi->numcomps ||
             pi->poc.compno1 >= pi->numcomps + 1) {
         opj_event_msg(pi->manager, EVT_ERROR,
-                      "opj_pi_next_pcrl(): invalid compno0/compno1");
+                      "opj_pi_next_pcrl(): invalid compno0/compno1\n");
         return OPJ_FALSE;
     }
 
@@ -610,7 +631,7 @@ static OPJ_BOOL opj_pi_next_cprl(opj_pi_
     if (pi->poc.compno0 >= pi->numcomps ||
             pi->poc.compno1 >= pi->numcomps + 1) {
         opj_event_msg(pi->manager, EVT_ERROR,
-                      "opj_pi_next_cprl(): invalid compno0/compno1");
+                      "opj_pi_next_cprl(): invalid compno0/compno1\n");
         return OPJ_FALSE;
     }