guix-commits
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

02/02: gnu: openjpeg: Fix CVE-2017-14164.


From: Efraim Flashner
Subject: 02/02: gnu: openjpeg: Fix CVE-2017-14164.
Date: Sun, 10 Sep 2017 15:01:45 -0400 (EDT)

efraim pushed a commit to branch master
in repository guix.

commit 338b58e0ea880f7cccbe43de21eccbf1440ac6af
Author: Efraim Flashner <address@hidden>
Date:   Sun Sep 10 22:00:35 2017 +0300

    gnu: openjpeg: Fix CVE-2017-14164.
    
    * gnu/packages/image.scm (openjpeg)[source]: Add patch.
    * gnu/packages/patches/openjpeg-CVE-2017-14164.patch: New file.
    * gnu/local.mk (dist_patch_DATA): Register it.
---
 gnu/local.mk                                       |  1 +
 gnu/packages/image.scm                             |  3 +-
 gnu/packages/patches/openjpeg-CVE-2017-14164.patch | 89 ++++++++++++++++++++++
 3 files changed, 92 insertions(+), 1 deletion(-)

diff --git a/gnu/local.mk b/gnu/local.mk
index 43eac77..c92b93d 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -895,6 +895,7 @@ dist_patch_DATA =                                           
\
   %D%/packages/patches/openjpeg-CVE-2017-14041.patch           \
   %D%/packages/patches/openjpeg-CVE-2017-14151.patch           \
   %D%/packages/patches/openjpeg-CVE-2017-14152.patch           \
+  %D%/packages/patches/openjpeg-CVE-2017-14164.patch           \
   %D%/packages/patches/openldap-CVE-2017-9287.patch            \
   %D%/packages/patches/openocd-nrf52.patch                     \
   %D%/packages/patches/openssl-runpath.patch                   \
diff --git a/gnu/packages/image.scm b/gnu/packages/image.scm
index 3bb8de1..d45f08d 100644
--- a/gnu/packages/image.scm
+++ b/gnu/packages/image.scm
@@ -524,7 +524,8 @@ work.")
                                  "openjpeg-CVE-2017-14040.patch"
                                  "openjpeg-CVE-2017-14041.patch"
                                  "openjpeg-CVE-2017-14151.patch"
-                                 "openjpeg-CVE-2017-14152.patch"))))
+                                 "openjpeg-CVE-2017-14152.patch"
+                                 "openjpeg-CVE-2017-14164.patch"))))
     (build-system cmake-build-system)
     (arguments
       ;; Trying to run `$ make check' results in a no rule fault.
diff --git a/gnu/packages/patches/openjpeg-CVE-2017-14164.patch 
b/gnu/packages/patches/openjpeg-CVE-2017-14164.patch
new file mode 100644
index 0000000..2bfc5a6
--- /dev/null
+++ b/gnu/packages/patches/openjpeg-CVE-2017-14164.patch
@@ -0,0 +1,89 @@
+https://github.com/uclouvain/openjpeg/commit/dcac91b8c72f743bda7dbfa9032356bc8110098a.patch
+http://openwall.com/lists/oss-security/2017/09/06/3
+
+From dcac91b8c72f743bda7dbfa9032356bc8110098a Mon Sep 17 00:00:00 2001
+From: Even Rouault <address@hidden>
+Date: Wed, 16 Aug 2017 17:09:10 +0200
+Subject: [PATCH] opj_j2k_write_sot(): fix potential write heap buffer overflow
+ (#991)
+
+---
+ src/lib/openjp2/j2k.c | 25 ++++++++++++++++++++-----
+ 1 file changed, 20 insertions(+), 5 deletions(-)
+
+diff --git a/src/lib/openjp2/j2k.c b/src/lib/openjp2/j2k.c
+index 54b490a8c..16915452e 100644
+--- a/src/lib/openjp2/j2k.c
++++ b/src/lib/openjp2/j2k.c
+@@ -832,13 +832,15 @@ static OPJ_BOOL opj_j2k_write_tlm(opj_j2k_t *p_j2k,
+  * Writes the SOT marker (Start of tile-part)
+  *
+  * @param       p_j2k            J2K codec.
+- * @param       p_data           FIXME DOC
+- * @param       p_data_written   FIXME DOC
++ * @param       p_data           Output buffer
++ * @param       p_total_data_size Output buffer size
++ * @param       p_data_written   Number of bytes written into stream
+  * @param       p_stream         the stream to write data to.
+  * @param       p_manager        the user event manager.
+ */
+ static OPJ_BOOL opj_j2k_write_sot(opj_j2k_t *p_j2k,
+                                   OPJ_BYTE * p_data,
++                                  OPJ_UINT32 p_total_data_size,
+                                   OPJ_UINT32 * p_data_written,
+                                   const opj_stream_private_t *p_stream,
+                                   opj_event_mgr_t * p_manager);
+@@ -4201,6 +4203,7 @@ static OPJ_BOOL opj_j2k_write_tlm(opj_j2k_t *p_j2k,
+ 
+ static OPJ_BOOL opj_j2k_write_sot(opj_j2k_t *p_j2k,
+                                   OPJ_BYTE * p_data,
++                                  OPJ_UINT32 p_total_data_size,
+                                   OPJ_UINT32 * p_data_written,
+                                   const opj_stream_private_t *p_stream,
+                                   opj_event_mgr_t * p_manager
+@@ -4214,6 +4217,12 @@ static OPJ_BOOL opj_j2k_write_sot(opj_j2k_t *p_j2k,
+     OPJ_UNUSED(p_stream);
+     OPJ_UNUSED(p_manager);
+ 
++    if (p_total_data_size < 12) {
++        opj_event_msg(p_manager, EVT_ERROR,
++                      "Not enough bytes in output buffer to write SOT 
marker\n");
++        return OPJ_FALSE;
++    }
++
+     opj_write_bytes(p_data, J2K_MS_SOT,
+                     2);                                 /* SOT */
+     p_data += 2;
+@@ -11480,7 +11489,8 @@ static OPJ_BOOL 
opj_j2k_write_first_tile_part(opj_j2k_t *p_j2k,
+ 
+     l_current_nb_bytes_written = 0;
+     l_begin_data = p_data;
+-    if (! opj_j2k_write_sot(p_j2k, p_data, &l_current_nb_bytes_written, 
p_stream,
++    if (! opj_j2k_write_sot(p_j2k, p_data, p_total_data_size,
++                            &l_current_nb_bytes_written, p_stream,
+                             p_manager)) {
+         return OPJ_FALSE;
+     }
+@@ -11572,7 +11582,10 @@ static OPJ_BOOL 
opj_j2k_write_all_tile_parts(opj_j2k_t *p_j2k,
+         l_part_tile_size = 0;
+         l_begin_data = p_data;
+ 
+-        if (! opj_j2k_write_sot(p_j2k, p_data, &l_current_nb_bytes_written, 
p_stream,
++        if (! opj_j2k_write_sot(p_j2k, p_data,
++                                p_total_data_size,
++                                &l_current_nb_bytes_written,
++                                p_stream,
+                                 p_manager)) {
+             return OPJ_FALSE;
+         }
+@@ -11615,7 +11628,9 @@ static OPJ_BOOL opj_j2k_write_all_tile_parts(opj_j2k_t 
*p_j2k,
+             l_part_tile_size = 0;
+             l_begin_data = p_data;
+ 
+-            if (! opj_j2k_write_sot(p_j2k, p_data, 
&l_current_nb_bytes_written, p_stream,
++            if (! opj_j2k_write_sot(p_j2k, p_data,
++                                    p_total_data_size,
++                                    &l_current_nb_bytes_written, p_stream,
+                                     p_manager)) {
+                 return OPJ_FALSE;
+             }



reply via email to

[Prev in Thread] Current Thread [Next in Thread]