File openjpeg4gs-CVE-2018-6616-8ee33522.patch of Package ghostscript.12578
From 8ee335227bbcaf1614124046aa25e53d67b11ec3 Mon Sep 17 00:00:00 2001 From: Hugo Lefeuvre <hle@debian.org> Date: Fri, 14 Dec 2018 04:58:40 +0100 Subject: [PATCH] convertbmp: detect invalid file dimensions early width/length dimensions read from bmp headers are not necessarily valid. For instance they may have been maliciously set to very large values with the intention to cause DoS (large memory allocation, stack overflow). In these cases we want to detect the invalid size as early as possible. This commit introduces a counter which verifies that the number of written bytes corresponds to the advertized width/length. Fixes #1059 (CVE-2018-6616). --- openjpeg/src/bin/jp2/convertbmp.c | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) --- openjpeg/src/bin/jp2/convertbmp.c +++ openjpeg/src/bin/jp2/convertbmp.c 2019-09-12 08:22:52.272682353 +0000 @@ -519,14 +519,14 @@ static OPJ_BOOL bmp_read_raw_data(FILE* static OPJ_BOOL bmp_read_rle8_data(FILE* IN, OPJ_UINT8* pData, OPJ_UINT32 stride, OPJ_UINT32 width, OPJ_UINT32 height) { - OPJ_UINT32 x, y; + OPJ_UINT32 x, y, written; OPJ_UINT8 *pix; const OPJ_UINT8 *beyond; beyond = pData + stride * height; pix = pData; - x = y = 0U; + x = y = written = 0U; while (y < height) { int c = getc(IN); if (c == EOF) { @@ -546,6 +546,7 @@ static OPJ_BOOL bmp_read_rle8_data(FILE* for (j = 0; (j < c) && (x < width) && ((OPJ_SIZE_T)pix < (OPJ_SIZE_T)beyond); j++, x++, pix++) { *pix = c1; + written++; } } else { c = getc(IN); @@ -583,6 +584,7 @@ static OPJ_BOOL bmp_read_rle8_data(FILE* } c1 = (OPJ_UINT8)c1_int; *pix = c1; + written++; } if ((OPJ_UINT32)c & 1U) { /* skip padding byte */ c = getc(IN); @@ -593,6 +595,12 @@ static OPJ_BOOL bmp_read_rle8_data(FILE* } } }/* while() */ + + if (written != width * height) { + fprintf(stderr, "warning, image's actual size does not match advertized one\n"); + return OPJ_FALSE; + } + return OPJ_TRUE; }
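Review bot: In the final hunk (@@ -593,6 +595,12 @@), `written != width * height` multiplies two OPJ_UINT32 values, so the product can wrap for exactly the very large header dimensions the commit message is worried about, and the counter is then compared against a truncated value. Compute the expected count in a wider type such as OPJ_SIZE_T, or reject the file when height exceeds the maximum OPJ_UINT32 value divided by width, before comparing. The same 32-bit multiply appears in the context line `beyond = pData + stride * height;`. Two smaller points on the same hunk: the check only runs after the `while (y < height)` loop has finished, so the mismatch is detected after decoding rather than early, and the message says "warning" although the function returns OPJ_FALSE, so it should be worded as an error.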
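Review bot: In the hunks at @@ -546,6 +546,7 @@ and @@ -583,6 +584,7 @@, `written` is incremented only at the two `*pix = c1;` stores, so the final equality test requires every one of the width * height pixels to be stored explicitly. If any path in this decoder advances x, y or pix without storing a byte, a well-formed file that relies on it would now be rejected; either count those positions as well or restrict the check to the case the fix is aimed at. In the run loop the `(x < width)` and `beyond` conditions clip an over-long run silently, so the counter can only detect too little data and never too much, which deserves a short comment next to the increment.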