Package: openjpeg
Version: 1.3+dfsg-4.2
Severity: important
Tags: security patch fixed-upstream

Hi Mathieu,

We have found a heap-buffer overflow issue in openjpeg, when decoding
j2k image files. I am attaching a patch to this email.

We will be making this issue public on 9-July-2012 Monday.
Sorry for the short notice, let me know if you need more time.

This issue affects both versions 1.4 and 1.5.


--
Huzaifa Sidhpurwala / Red Hat Security Response Team
Enforce sanity checks on tile number and tile length, even when the (rather
broken) USE_JPWL code isn't enabled.


diff -Naur OpenJPEG_v1_3.orig/libopenjpeg/j2k.c OpenJPEG_v1_3/libopenjpeg/j2k.c
--- OpenJPEG_v1_3.orig/libopenjpeg/j2k.c        2007-12-19 07:28:40.000000000 -0500
+++ OpenJPEG_v1_3/libopenjpeg/j2k.c     2010-11-02 12:50:57.342204186 -0400
@@ -1282,7 +1282,7 @@
                static int backup_tileno = 0;
 
                /* tileno is negative or larger than the number of tiles!!! */
-               if ((tileno < 0) || (tileno > (cp->tw * cp->th))) {
+               if ((tileno < 0) || (tileno >= (cp->tw * cp->th))) {
                        opj_event_msg(j2k->cinfo, EVT_ERROR,
                                "JPWL: bad tile number (%d out of a maximum of %d)\n",
                                tileno, (cp->tw * cp->th));
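Review bot: the `>` to `>=` change is the real fix in this hunk: tile numbers are zero-based, so `tileno == cp->tw * cp->th` was previously accepted and later used as an index one past the end of the tile arrays. With the corrected comparison the message text "out of a maximum of %d" is now slightly misleading, since the largest valid value is `cp->tw * cp->th - 1`; consider printing that value or rewording to "out of %d tiles".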
@@ -1299,8 +1299,18 @@
 
                /* keep your private count of tiles */
                backup_tileno++;
-       };
+       }
+       else
 #endif /* USE_JPWL */
+       {
+               /* tileno is negative or larger than the number of tiles!!! */
+               if ((tileno < 0) || (tileno >= (cp->tw * cp->th))) {
+                       opj_event_msg(j2k->cinfo, EVT_ERROR,
+                               "JPWL: bad tile number (%d out of a maximum of %d)\n",
+                               tileno, (cp->tw * cp->th));
+                       return;
+               }
+       }
        
        if (cp->tileno_size == 0) {
                cp->tileno[cp->tileno_size] = tileno;
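Review bot: placing `else` on one side of `#endif /* USE_JPWL */` and its `{ ... }` body on the other makes the control flow depend on the preprocessor state and is easy to break in a later edit; the duplicated check could instead be hoisted above the `#ifdef` as a single unconditional test (the JPWL block then only keeps its `backup_tileno` bookkeeping). The new non-JPWL branch also reports the error as "JPWL: bad tile number" although JPWL is compiled out; dropping the prefix there avoids misleading users who see it in logs.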
@@ -1338,8 +1348,18 @@
                                totlen);
                }
 
-       };
+       }
+       else
 #endif /* USE_JPWL */
+       {
+               /* totlen is negative or larger than the bytes left!!! */
+               if ((totlen < 0) || (totlen > (cio_numbytesleft(cio) + 8))) {
+                       opj_event_msg(j2k->cinfo, EVT_ERROR,
+                               "JPWL: bad tile byte size (%d bytes against %d bytes left)\n",
+                               totlen, cio_numbytesleft(cio) + 8);
+                       return;
+               }
+       }
 
        if (!totlen)
                totlen = cio_numbytesleft(cio) + 8;
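Review bot: the bound `cio_numbytesleft(cio) + 8` is a magic constant that now appears both in the new check and in the `if (!totlen)` default just below; naming it (or a short comment explaining that the 8 covers the SOT marker bytes already consumed) would make the intent clear and keep the two uses from drifting apart. As with the previous hunk, the check is duplicated across the `#ifdef` boundary with a dangling `else` and an error message prefixed "JPWL:" in the non-JPWL build; hoisting one check above `#ifdef USE_JPWL` would be simpler.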
