File openjpeg2-CVE-2018-20846.patch of Package openjpeg2
Index: openjpeg-2.1.0/src/lib/openjp2/pi.c
===================================================================
--- openjpeg-2.1.0.orig/src/lib/openjp2/pi.c
+++ openjpeg-2.1.0/src/lib/openjp2/pi.c
@@ -257,6 +257,9 @@ OPJ_BOOL opj_pi_next_lrcp(opj_pi_iterato
 }
 for (pi->precno = pi->poc.precno0; pi->precno < pi->poc.precno1; pi->precno++) {
 index = pi->layno * pi->step_l + pi->resno * pi->step_r + pi->compno * pi->step_c + pi->precno * pi->step_p;
+ if (index >= pi->include_size) {
+ return OPJ_FALSE;
+ }
 if (!pi->include[index]) {
 pi->include[index] = 1;
 return OPJ_TRUE;
@@ -296,6 +299,9 @@ OPJ_BOOL opj_pi_next_rlcp(opj_pi_iterato
 }
 for (pi->precno = pi->poc.precno0; pi->precno < pi->poc.precno1; pi->precno++) {
 index = pi->layno * pi->step_l + pi->resno * pi->step_r + pi->compno * pi->step_c + pi->precno * pi->step_p;
+ if (index >= pi->include_size) {
+ return OPJ_FALSE;
+ }
 if (!pi->include[index]) {
 pi->include[index] = 1;
 return OPJ_TRUE;
@@ -382,6 +388,9 @@ if (!pi->tp_on){
 pi->precno = (OPJ_UINT32)(prci + prcj * (OPJ_INT32)res->pw);
 for (pi->layno = pi->poc.layno0; pi->layno < pi->poc.layno1; pi->layno++) {
 index = pi->layno * pi->step_l + pi->resno * pi->step_r + pi->compno * pi->step_c + pi->precno * pi->step_p;
+ if (index >= pi->include_size) {
+ return OPJ_FALSE;
+ }
 if (!pi->include[index]) {
 pi->include[index] = 1;
 return OPJ_TRUE;
@@ -488,6 +497,9 @@ OPJ_BOOL opj_pi_next_pcrl(opj_pi_iterato
 pi->precno = (OPJ_UINT32)(prci + prcj * (OPJ_INT32)res->pw);
 for (pi->layno = pi->poc.layno0; pi->layno < pi->poc.layno1; pi->layno++) {
 index = pi->layno * pi->step_l + pi->resno * pi->step_r + pi->compno * pi->step_c + pi->precno * pi->step_p;
+ if (index >= pi->include_size) {
+ return OPJ_FALSE;
+ }
 if (!pi->include[index]) {
 pi->include[index] = 1;
 return OPJ_TRUE;
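Review bot: The added `if (index >= pi->include_size) return OPJ_FALSE;` in opj_pi_next_lrcp reports an out-of-range packet index with the same value the iterator returns for a normal end of iteration, so a caller cannot tell inconsistent progression parameters from a finished tile; the identical checks added in opj_pi_next_rlcp, the hunk at -382, opj_pi_next_pcrl and opj_pi_next_cprl behave the same way. I would at least document the choice above each check, e.g. `/* index outside include[]: inconsistent progression parameters, stop iterating rather than touch memory past the array */`, and log the condition if an event manager is reachable from the iterator (not visible here). If `index` and the step fields are 32-bit, as `OPJ_UINT32 step_l` in pi.h suggests, the sum can wrap and land inside the array, so the check bounds the memory access but does not prove the index is the intended one. Each function body starts and ends outside its hunk, so the declaration of `index` and what a later call does after this early return cannot be confirmed from the page.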
@@ -571,6 +583,9 @@ OPJ_BOOL opj_pi_next_cprl(opj_pi_iterato
 pi->precno = (OPJ_UINT32)(prci + prcj * (OPJ_INT32)res->pw);
 for (pi->layno = pi->poc.layno0; pi->layno < pi->poc.layno1; pi->layno++) {
 index = pi->layno * pi->step_l + pi->resno * pi->step_r + pi->compno * pi->step_c + pi->precno * pi->step_p;
+ if (index >= pi->include_size) {
+ return OPJ_FALSE;
+ }
 if (!pi->include[index]) {
 pi->include[index] = 1;
 return OPJ_TRUE;
@@ -1273,9 +1288,10 @@ opj_pi_iterator_t *opj_pi_create_decode(
 /* memory allocation for include */
 /* prevent an integer overflow issue */
 l_current_pi->include = 00;
- if (l_step_l <= (SIZE_MAX / (l_tcp->numlayers + 1U)))
+ if (l_step_l <= (UINT_MAX / (l_tcp->numlayers + 1U)))
 {
- l_current_pi->include = (OPJ_INT16*) opj_calloc((size_t)(l_tcp->numlayers + 1U) * l_step_l, sizeof(OPJ_INT16));
+ l_current_pi->include_size = (l_tcp->numlayers + 1U) * l_step_l;
+ l_current_pi->include = (OPJ_INT16*) opj_calloc(l_current_pi->include_size, sizeof(OPJ_INT16));
 }
 if
@@ -1373,6 +1389,7 @@ opj_pi_iterator_t *opj_pi_create_decode(
 }
 /* special treatment*/
 l_current_pi->include = (l_current_pi-1)->include;
+ l_current_pi->include_size = (l_current_pi-1)->include_size;
 ++l_current_pi;
 }
 opj_free(l_tmp_data);
@@ -1476,7 +1493,8 @@ opj_pi_iterator_t *opj_pi_initialise_enc
 l_current_pi = l_pi;
 /* memory allocation for include*/
- l_current_pi->include = (OPJ_INT16*) opj_calloc(l_tcp->numlayers * l_step_l, sizeof(OPJ_INT16));
+ l_current_pi->include_size = l_tcp->numlayers * l_step_l;
+ l_current_pi->include = (OPJ_INT16*) opj_calloc(l_current_pi->include_size, sizeof(OPJ_INT16));
 if (!l_current_pi->include) {
 opj_free(l_tmp_data);
 opj_free(l_tmp_ptr);
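Review bot: The context comment `/* prevent an integer overflow issue */` in the opj_pi_create_decode hunk at -1273 no longer explains the guard, which now compares against `UINT_MAX` instead of `SIZE_MAX` because the product is stored in the `OPJ_UINT32 include_size` field before it reaches opj_calloc. I would reword it to `/* include_size is OPJ_UINT32: (numlayers + 1) * step_l must fit in 32 bits */` so the bound is not widened back to `SIZE_MAX` later. This assumes OPJ_UINT32 has the width of unsigned int, which the page does not show. When the guard fails, `include_size` is not assigned and `include` stays null, so the `if` that begins on the last line of the hunk presumably handles that path; the function body starts and ends outside the hunk.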
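Review bot: `l_current_pi->include_size = l_tcp->numlayers * l_step_l;` in opj_pi_initialise_encode (hunk at -1476) multiplies without the overflow guard that the decoder hunk places before its allocation, so a wrapped product would give a short `include` array with a matching short `include_size`. The new bound checks keep accesses inside that array, but packets whose index falls past the wrapped size would be silently dropped from the iteration. I would reject the case before allocating, with `if (l_tcp->numlayers != 0 && l_step_l > UINT_MAX / l_tcp->numlayers)` leading to the same cleanup as the `if (!l_current_pi->include)` branch that follows. The types of `numlayers` and `l_step_l` are declared outside the hunk, so the 32-bit width is inferred from `include_size`, and the function continues past the hunk.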
@@ -1561,6 +1579,7 @@ opj_pi_iterator_t *opj_pi_initialise_enc
 /* special treatment*/
 l_current_pi->include = (l_current_pi-1)->include;
+ l_current_pi->include_size = (l_current_pi-1)->include_size;
 ++l_current_pi;
 }
Index: openjpeg-2.1.0/src/lib/openjp2/pi.h
===================================================================
--- openjpeg-2.1.0.orig/src/lib/openjp2/pi.h
+++ openjpeg-2.1.0/src/lib/openjp2/pi.h
@@ -75,6 +75,8 @@ typedef struct opj_pi_iterator {
 OPJ_BYTE tp_on;
 /** precise if the packet has been already used (usefull for progression order change) */
 OPJ_INT16 *include;
+ /** Number of elements in include array */
+ OPJ_UINT32 include_size;
 /** layer step used to localize the packet in the include vector */
 OPJ_UINT32 step_l;
 /** resolution step used to localize the packet in the include vector */