1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
|
From 8f5aff1dff510a964d3901d0fba281abec98ab63 Mon Sep 17 00:00:00 2001
From: Even Rouault <even.rouault@spatialys.com>
Date: Fri, 4 Dec 2020 20:45:25 +0100
Subject: [PATCH] pi.c: avoid out of bounds access with POC (fixes #1302)
Upstream-Status: Backport [https://launchpad.net/ubuntu/+archive/primary/+sourcefiles/openjpeg2/2.3.1-1ubuntu4.20.04.1/openjpeg2_2.3.1-1ubuntu4.20.04.1.debian.tar.xz]
CVE: CVE-2020-27845
Signed-off-by: Virendra Thakur <virendra.thakur@kpit.com>
---
src/lib/openjp2/pi.c | 25 +++++++++++++++++++++++--
1 file changed, 23 insertions(+), 2 deletions(-)
--- a/src/lib/openjp2/pi.c
+++ b/src/lib/openjp2/pi.c
@@ -238,6 +238,13 @@ static OPJ_BOOL opj_pi_next_lrcp(opj_pi_
opj_pi_resolution_t *res = NULL;
OPJ_UINT32 index = 0;
+ if (pi->poc.compno0 >= pi->numcomps ||
+ pi->poc.compno1 >= pi->numcomps + 1) {
+ opj_event_msg(pi->manager, EVT_ERROR,
+ "opj_pi_next_lrcp(): invalid compno0/compno1\n");
+ return OPJ_FALSE;
+ }
+
if (!pi->first) {
comp = &pi->comps[pi->compno];
res = &comp->resolutions[pi->resno];
@@ -291,6 +298,13 @@ static OPJ_BOOL opj_pi_next_rlcp(opj_pi_
opj_pi_resolution_t *res = NULL;
OPJ_UINT32 index = 0;
+ if (pi->poc.compno0 >= pi->numcomps ||
+ pi->poc.compno1 >= pi->numcomps + 1) {
+ opj_event_msg(pi->manager, EVT_ERROR,
+ "opj_pi_next_rlcp(): invalid compno0/compno1\n");
+ return OPJ_FALSE;
+ }
+
if (!pi->first) {
comp = &pi->comps[pi->compno];
res = &comp->resolutions[pi->resno];
@@ -337,6 +351,13 @@ static OPJ_BOOL opj_pi_next_rpcl(opj_pi_
opj_pi_resolution_t *res = NULL;
OPJ_UINT32 index = 0;
+ if (pi->poc.compno0 >= pi->numcomps ||
+ pi->poc.compno1 >= pi->numcomps + 1) {
+ opj_event_msg(pi->manager, EVT_ERROR,
+ "opj_pi_next_rpcl(): invalid compno0/compno1\n");
+ return OPJ_FALSE;
+ }
+
if (!pi->first) {
goto LABEL_SKIP;
} else {
@@ -472,7 +493,7 @@ static OPJ_BOOL opj_pi_next_pcrl(opj_pi_
if (pi->poc.compno0 >= pi->numcomps ||
pi->poc.compno1 >= pi->numcomps + 1) {
opj_event_msg(pi->manager, EVT_ERROR,
- "opj_pi_next_pcrl(): invalid compno0/compno1");
+ "opj_pi_next_pcrl(): invalid compno0/compno1\n");
return OPJ_FALSE;
}
@@ -610,7 +631,7 @@ static OPJ_BOOL opj_pi_next_cprl(opj_pi_
if (pi->poc.compno0 >= pi->numcomps ||
pi->poc.compno1 >= pi->numcomps + 1) {
opj_event_msg(pi->manager, EVT_ERROR,
- "opj_pi_next_cprl(): invalid compno0/compno1");
+ "opj_pi_next_cprl(): invalid compno0/compno1\n");
return OPJ_FALSE;
}
|