openjpeg: Fix CVE-2020-6851

Backport patch from upstream to fix heap-based buffer overflow Upstream-Status: Backport CVE: CVE-2020-6851 Signed-off-by: Yue Tao <Yue.Tao@windriver.com> Signed-off-by: Sakib Sajal <Sakib.Sajal@windriver.com> Signed-off-by: Khem Raj <raj.khem@gmail.com>
author: Yue Tao <Yue.Tao@windriver.com> 2020-03-11 12:11:48 -0700
committer: Khem Raj <raj.khem@gmail.com> 2020-03-11 15:30:18 -0700
commit: 6ce0a9c9f74a448d3ba80e3b648f797e03220122 (patch)
tree: 01e6c9bf70b646c2c66f08988643f4158df92594
parent: 721f234bd2e99bf2e562c0fa79efeb01b7e9df10 (diff)
download: meta-openembedded-6ce0a9c9f74a448d3ba80e3b648f797e03220122.tar.gz
2 files changed, 33 insertions, 0 deletions
diff --git a/meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2020-6851.patch b/meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2020-6851.patch
new file mode 100644
index 0000000000..9f2fc901f9
--- /dev/null
+++ b/meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2020-6851.patch
@@ -0,0 +1,32 @@
+From 024b8407392cb0b82b04b58ed256094ed5799e04 Mon Sep 17 00:00:00 2001
+From: Even Rouault <even.rouault@spatialys.com>
+Date: Sat, 11 Jan 2020 01:51:19 +0100
+Subject: [PATCH] opj_j2k_update_image_dimensions(): reject images whose
+ coordinates are beyond INT_MAX (fixes #1228)
+---
+ src/lib/openjp2/j2k.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+diff --git a/src/lib/openjp2/j2k.c b/src/lib/openjp2/j2k.c
+index 14f6ff41..922550eb 100644
+--- a/src/lib/openjp2/j2k.c
+++ b/src/lib/openjp2/j2k.c
+@@ -9236,6 +9236,14 @@ static OPJ_BOOL opj_j2k_update_image_dim
+     l_img_comp = p_image->comps;
+     for (it_comp = 0; it_comp < p_image->numcomps; ++it_comp) {
+         OPJ_INT32 l_h, l_w;
+        if (p_image->x0 > (OPJ_UINT32)INT_MAX ||
+                p_image->y0 > (OPJ_UINT32)INT_MAX ||
+                p_image->x1 > (OPJ_UINT32)INT_MAX ||
+                p_image->y1 > (OPJ_UINT32)INT_MAX) {
+            opj_event_msg(p_manager, EVT_ERROR,
+                          "Image coordinates above INT_MAX are not supported\n");
+            return OPJ_FALSE;
+        }
+ 
+         l_img_comp->x0 = (OPJ_UINT32)opj_int_ceildiv((OPJ_INT32)p_image->x0,
+                          (OPJ_INT32)l_img_comp->dx);
+-- 
+2.17.1
diff --git a/meta-oe/recipes-graphics/openjpeg/openjpeg_2.3.1.bb b/meta-oe/recipes-graphics/openjpeg/openjpeg_2.3.1.bb
index ffd4099b43..4045148dd0 100644
--- a/meta-oe/recipes-graphics/openjpeg/openjpeg_2.3.1.bb
+++ b/meta-oe/recipes-graphics/openjpeg/openjpeg_2.3.1.bb
@@ -8,6 +8,7 @@ DEPENDS = "libpng tiff lcms zlib"
 SRC_URI = " \
    git://github.com/uclouvain/openjpeg.git \
    file://0002-Do-not-ask-cmake-to-export-binaries-they-don-t-make-.patch \
+    file://CVE-2020-6851.patch \
 "
 SRCREV = "57096325457f96d8cd07bd3af04fe81d7a2ba788"
 S = "${WORKDIR}/git"
author	Yue Tao <Yue.Tao@windriver.com>	2020-03-11 12:11:48 -0700
committer	Khem Raj <raj.khem@gmail.com>	2020-03-11 15:30:18 -0700
commit	6ce0a9c9f74a448d3ba80e3b648f797e03220122 (patch)
tree	01e6c9bf70b646c2c66f08988643f4158df92594
parent	721f234bd2e99bf2e562c0fa79efeb01b7e9df10 (diff)
download	meta-openembedded-6ce0a9c9f74a448d3ba80e3b648f797e03220122.tar.gz

diff --git a/meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2020-6851.patch b/meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2020-6851.patch new file mode 100644 index 0000000000..9f2fc901f9 --- /dev/null +++ b/meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2020-6851.patch
@@ -0,0 +1,32 @@
		1	From 024b8407392cb0b82b04b58ed256094ed5799e04 Mon Sep 17 00:00:00 2001
		2	From: Even Rouault <even.rouault@spatialys.com>
		3	Date: Sat, 11 Jan 2020 01:51:19 +0100
		4	Subject: [PATCH] opj_j2k_update_image_dimensions(): reject images whose
		5	coordinates are beyond INT_MAX (fixes #1228)
		6
		7	---
		8	src/lib/openjp2/j2k.c \| 8 ++++++++
		9	1 file changed, 8 insertions(+)
		10
		11	diff --git a/src/lib/openjp2/j2k.c b/src/lib/openjp2/j2k.c
		12	index 14f6ff41..922550eb 100644
		13	--- a/src/lib/openjp2/j2k.c
		14	+++ b/src/lib/openjp2/j2k.c
		15	@@ -9236,6 +9236,14 @@ static OPJ_BOOL opj_j2k_update_image_dim
		16	l_img_comp = p_image->comps;
		17	for (it_comp = 0; it_comp < p_image->numcomps; ++it_comp) {
		18	OPJ_INT32 l_h, l_w;
		19	+ if (p_image->x0 > (OPJ_UINT32)INT_MAX \|\|
		20	+ p_image->y0 > (OPJ_UINT32)INT_MAX \|\|
		21	+ p_image->x1 > (OPJ_UINT32)INT_MAX \|\|
		22	+ p_image->y1 > (OPJ_UINT32)INT_MAX) {
		23	+ opj_event_msg(p_manager, EVT_ERROR,
		24	+ "Image coordinates above INT_MAX are not supported\n");
		25	+ return OPJ_FALSE;
		26	+ }
		27
		28	l_img_comp->x0 = (OPJ_UINT32)opj_int_ceildiv((OPJ_INT32)p_image->x0,
		29	(OPJ_INT32)l_img_comp->dx);
		30	--
		31	2.17.1
		32


diff --git a/meta-oe/recipes-graphics/openjpeg/openjpeg_2.3.1.bb b/meta-oe/recipes-graphics/openjpeg/openjpeg_2.3.1.bb index ffd4099b43..4045148dd0 100644 --- a/meta-oe/recipes-graphics/openjpeg/openjpeg_2.3.1.bb +++ b/meta-oe/recipes-graphics/openjpeg/openjpeg_2.3.1.bb
@@ -8,6 +8,7 @@ DEPENDS = "libpng tiff lcms zlib"
8	SRC_URI = " \	8	SRC_URI = " \
9	git://github.com/uclouvain/openjpeg.git \	9	git://github.com/uclouvain/openjpeg.git \
10	file://0002-Do-not-ask-cmake-to-export-binaries-they-don-t-make-.patch \	10	file://0002-Do-not-ask-cmake-to-export-binaries-they-don-t-make-.patch \
		11	file://CVE-2020-6851.patch \
11	"	12	"
12	SRCREV = "57096325457f96d8cd07bd3af04fe81d7a2ba788"	13	SRCREV = "57096325457f96d8cd07bd3af04fe81d7a2ba788"
13	S = "${WORKDIR}/git"	14	S = "${WORKDIR}/git"