File openjpeg2-CVE-2016-1923.patch of Package openjpeg2

Overview Repositories Revisions Requests Users Attributes Meta

File openjpeg2-CVE-2016-1923.patch of Package openjpeg2

diff --git a/src/lib/openjp2/opj_includes.h b/src/lib/openjp2/opj_includes.h
index d9238b1..a86fd5e 100644
--- a/src/lib/openjp2/opj_includes.h
+++ b/src/lib/openjp2/opj_includes.h
@@ -46,6 +46,7 @@
 */
 #include <memory.h>
 #include <stdlib.h>
+#include <limits.h>
 #include <string.h>
 #include <math.h>
 #include <float.h>
diff --git a/src/lib/openjp2/opj_intmath.h b/src/lib/openjp2/opj_intmath.h
index f0b3e51..120ea7c 100644
--- a/src/lib/openjp2/opj_intmath.h
+++ b/src/lib/openjp2/opj_intmath.h
@@ -116,7 +116,7 @@ static INLINE OPJ_INT32 opj_int_abs(OPJ_INT32 a) {
 Divide an integer and round upwards
 @return Returns a divided by b
 */
-static INLINE OPJ_INT32 opj_int_ceildiv(OPJ_INT32 a, OPJ_INT32 b) {
+static INLINE OPJ_INT64 opj_int_ceildiv(OPJ_INT64 a, OPJ_INT64 b) {
   assert(b);
 	return (a + b - 1) / b;
 }
@@ -140,7 +140,7 @@ static INLINE OPJ_INT32 opj_int_ceildivpow2(OPJ_INT32 a, OPJ_INT32 b) {
 Divide an integer by a power of 2 and round downwards
 @return Returns a divided by 2^b
 */
-static INLINE OPJ_INT32 opj_int_floordivpow2(OPJ_INT32 a, OPJ_INT32 b) {
+static INLINE OPJ_INT64 opj_int_floordivpow2(OPJ_INT64 a, OPJ_INT64 b) {
 	return a >> b;
 }
 /**
diff --git a/src/lib/openjp2/pi.c b/src/lib/openjp2/pi.c
index e27930b..23c4421 100644
--- a/src/lib/openjp2/pi.c
+++ b/src/lib/openjp2/pi.c
@@ -437,14 +437,39 @@ OPJ_BOOL opj_pi_next_pcrl(opj_pi_iterator_t * pi) {
 					OPJ_INT32 trx1, try1;
 					OPJ_UINT32 rpx, rpy;
 					OPJ_INT32 prci, prcj;
+					if (pi->resno >= comp->numresolutions) {
+						continue;
+					}
 					res = &comp->resolutions[pi->resno];
 					levelno = comp->numresolutions - 1 - pi->resno;
+					/* Avoids division by zero */
+					/* Relates to id_000004,sig_06,src_000679,op_arith8,pos_49,val_-17 */
+					/* of  https://github.com/uclouvain/openjpeg/issues/938 */
+					if (levelno >= 32 ||
+					    ((comp->dx << levelno) >> levelno) != comp->dx ||
+					    ((comp->dy << levelno) >> levelno) != comp->dy) {
+						continue;
+					}
+					if ((comp->dx << levelno) > INT_MAX ||
+					    (comp->dy << levelno) > INT_MAX) {
+						continue;
+					}
 					trx0 = opj_int_ceildiv(pi->tx0, (OPJ_INT32)(comp->dx << levelno));
 					try0 = opj_int_ceildiv(pi->ty0, (OPJ_INT32)(comp->dy << levelno));
 					trx1 = opj_int_ceildiv(pi->tx1, (OPJ_INT32)(comp->dx << levelno));
 					try1 = opj_int_ceildiv(pi->ty1, (OPJ_INT32)(comp->dy << levelno));
 					rpx = res->pdx + levelno;
 					rpy = res->pdy + levelno;
+
+					/* To avoid divisions by zero / undefined behaviour on shift */
+					/* in below tests */
+					/* Fixes reading id:000026,sig:08,src:002419,op:int32,pos:60,val:+32 */
+					/* of https://github.com/uclouvain/openjpeg/issues/938 */
+					if (rpx >= 31 || ((comp->dx << rpx) >> rpx) != comp->dx ||
+					    rpy >= 31 || ((comp->dy << rpy) >> rpy) != comp->dy) {
+						continue;
+					}
+
 					if (!((pi->y % (OPJ_INT32)(comp->dy << rpy) == 0) || ((pi->y == pi->ty0) && ((try0 << levelno) % (1 << rpy))))){
 						continue;	
 					}
@@ -456,10 +481,10 @@ OPJ_BOOL opj_pi_next_pcrl(opj_pi_iterator_t * pi) {
 					
 					if ((trx0==trx1)||(try0==try1)) continue;
 					
-					prci = opj_int_floordivpow2(opj_int_ceildiv(pi->x, (OPJ_INT32)(comp->dx << levelno)), (OPJ_INT32)res->pdx)
-						 - opj_int_floordivpow2(trx0, (OPJ_INT32)res->pdx);
-					prcj = opj_int_floordivpow2(opj_int_ceildiv(pi->y, (OPJ_INT32)(comp->dy << levelno)), (OPJ_INT32)res->pdy)
-						 - opj_int_floordivpow2(try0, (OPJ_INT32)res->pdy);
+					prci = opj_int_floordivpow2(opj_int_ceildiv(pi->x, (OPJ_INT64)(comp->dx << levelno)), (OPJ_INT64)res->pdx)
+						 - opj_int_floordivpow2(trx0, (OPJ_INT64)res->pdx);
+					prcj = opj_int_floordivpow2(opj_int_ceildiv(pi->y, (OPJ_INT64)(comp->dy << levelno)), (OPJ_INT64)res->pdy)
+						 - opj_int_floordivpow2(try0, (OPJ_INT64)res->pdy);
 					pi->precno = (OPJ_UINT32)(prci + prcj * (OPJ_INT32)res->pw);
 					for (pi->layno = pi->poc.layno0; pi->layno < pi->poc.layno1; pi->layno++) {
 						index = pi->layno * pi->step_l + pi->resno * pi->step_r + pi->compno * pi->step_c + pi->precno * pi->step_p;

Places

File openjpeg2-CVE-2016-1923.patch of Package openjpeg2

Places