CVE-2012-3358: A heap-based buffer overflow was found in the way OpenJPEG, an open-source JPEG 2000 codec written in C language, performed parsing of JPEG2000 having certain number of tiles and tilesizes. A remote attacker could provide a specially crafted JPEG 2000 file, which when opened in an application linked against openjpeg would lead to that application crash, or, potentially arbitrary code execution with the privileges of the user running the application. http://code.google.com/p/openjpeg/source/detail?r=1727 Bump PKGREVISION. pkglint cleanups while here.

(wiz)

 @@ -1,3 +1,3 @@
 The OpenJPEG library is an open-source JPEG 2000 codec written in C.  It
 has been developed in order to promote the use of JPEG 2000 and is
 licensed under a BSD license.

 @@ -1,21 +1,22 @@
-# $NetBSD: Makefile,v 1.2 2012/03/24 13:25:00 drochner Exp $
+# $NetBSD: Makefile,v 1.3 2012/07/11 09:07:21 wiz Exp $
+#
 DISTNAME=		openjpeg-1.5.0
 PKGREVISION=		1
 CATEGORIES=		graphics
 MASTER_SITES=		http://openjpeg.googlecode.com/files/
 MAINTAINER=		pkgsrc-users@NetBSD.org
 HOMEPAGE=		http://www.openjpeg.org/
 COMMENT=		JPEG 2000 library
 LICENSE=		2-clause-bsd
 PKG_DESTDIR_SUPPORT=	user-destdir
 LICENSE=		2-clause-bsd
 GNU_CONFIGURE=		yes
 CONFIGURE_ARGS+=	--disable-doc
 USE_LIBTOOL=		yes
 CFLAGS+=	-DHAVE_POSIX_MEMALIGN
 .include "../../mk/bsd.pkg.mk"

 @@ -1,6 +1,7 @@
-$NetBSD: distinfo,v 1.2 2012/03/24 13:25:01 drochner Exp $
+$NetBSD: distinfo,v 1.3 2012/07/11 09:07:21 wiz Exp $
 SHA1 (openjpeg-1.5.0.tar.gz) = dce705ae45f137e4698a8cf39d1fbf22bc434fa8
 RMD160 (openjpeg-1.5.0.tar.gz) = ffa85dbb0a3ba1545bc6974f4950f466789c04ef
 Size (openjpeg-1.5.0.tar.gz) = 2117572 bytes
 SHA1 (patch-aa) = 503b565958dc74a17b68f968a44c5c861d84b343
 SHA1 (patch-libopenjpeg_j2k.c) = 3ea7816b479dbba7822d20b187a6916e4d882e37

$NetBSD: patch-libopenjpeg_j2k.c,v 1.1 2012/07/11 09:07:21 wiz Exp $ CVE-2012-3358: A heap-based buffer overflow was found in the way OpenJPEG, an open-source JPEG 2000 codec written in C language, performed parsing of JPEG2000 having certain number of tiles and tilesizes. A remote attacker could provide a specially crafted JPEG 2000 file, which when opened in an application linked against openjpeg would lead to that application crash, or, potentially arbitrary code execution with the privileges of the user running the application. http://code.google.com/p/openjpeg/source/detail?r=1727 --- libopenjpeg/j2k.c.orig 2012-02-07 10:49:55.000000000 +0000 +++ libopenjpeg/j2k.c @@ -1269,7 +1269,7 @@ static void j2k_read_sot(opj_j2k_t *j2k) static int backup_tileno = 0; /* tileno is negative or larger than the number of tiles!!! */ - if ((tileno < 0) || (tileno > (cp->tw * cp->th))) { + if ((tileno < 0) || (tileno >= (cp->tw * cp->th))) { opj_event_msg(j2k->cinfo, EVT_ERROR, "JPWL: bad tile number (%d out of a maximum of %d)\n", tileno, (cp->tw * cp->th)); @@ -1286,8 +1286,18 @@ static void j2k_read_sot(opj_j2k_t *j2k) /* keep your private count of tiles */ backup_tileno++; - }; + } + else #endif /* USE_JPWL */ + { + /* tileno is negative or larger than the number of tiles!!! */ + if ((tileno < 0) || (tileno >= (cp->tw * cp->th))) { + opj_event_msg(j2k->cinfo, EVT_ERROR, + "JPWL: bad tile number (%d out of a maximum of %d)\n", + tileno, (cp->tw * cp->th)); + return; + } + } if (cp->tileno_size == 0) { cp->tileno[cp->tileno_size] = tileno; @@ -1325,8 +1335,18 @@ static void j2k_read_sot(opj_j2k_t *j2k) totlen); } - }; + } + else #endif /* USE_JPWL */ + { + /* totlen is negative or larger than the bytes left!!! */ + if ((totlen < 0) || (totlen > (cio_numbytesleft(cio) + 8))) { + opj_event_msg(j2k->cinfo, EVT_ERROR, + "JPWL: bad tile byte size (%d bytes against %d bytes left)\n", + totlen, cio_numbytesleft(cio) + 8); + return; + } + } if (!totlen) totlen = cio_numbytesleft(cio) + 8;