| @@ -1,35 +1,38 @@ | | | @@ -1,35 +1,38 @@ |
1 | $NetBSD: patch-src_lib_openmj2_t2.c,v 1.1 2019/11/26 23:10:22 sevan Exp $ | | 1 | $NetBSD: patch-src_lib_openmj2_t2.c,v 1.2 2019/11/26 23:24:25 sevan Exp $ |
2 | | | 2 | |
3 | CVE-2018-16376 | | 3 | CVE-2018-16376 |
4 | https://github.com/uclouvain/openjpeg/issues/1127 | | 4 | https://github.com/uclouvain/openjpeg/issues/1127 |
5 | https://nvd.nist.gov/vuln/detail/CVE-2018-16376 | | 5 | https://nvd.nist.gov/vuln/detail/CVE-2018-16376 |
6 | | | 6 | |
7 | --- src/lib/openmj2/t2.c.orig 2019-11-26 22:37:00.687890833 +0000 | | 7 | --- src/lib/openmj2/t2.c.orig 2019-04-02 12:45:15.000000000 +0000 |
8 | +++ src/lib/openmj2/t2.c | | 8 | +++ src/lib/openmj2/t2.c |
9 | @@ -166,6 +166,12 @@ static int t2_encode_packet(opj_tcd_tile | | 9 | @@ -166,6 +166,15 @@ static int t2_encode_packet(opj_tcd_tile |
10 | | | 10 | |
11 | /* <SOP 0xff91> */ | | 11 | /* <SOP 0xff91> */ |
12 | if (tcp->csty & J2K_CP_CSTY_SOP) { | | 12 | if (tcp->csty & J2K_CP_CSTY_SOP) { |
13 | + if (length < 6) { | | 13 | + if (length < 6) { |
14 | + if (p_t2_mode == FINAL_PASS) { | | 14 | + if (p_t2_mode == FINAL_PASS) { |
15 | + opj_event_msg(p_manager, EVT_ERROR, | | 15 | + opj_event_msg(p_manager, EVT_ERROR, |
16 | + "opj_t2_encode_packet(): only %u bytes remaining in " | | 16 | + "opj_t2_encode_packet(): only %u bytes remaining in " |
17 | + "output buffer. %u needed.\n", | | 17 | + "output buffer. %u needed.\n", |
18 | + length, 6); | | 18 | + length, 6); |
| | | 19 | + } |
| | | 20 | + return OPJ_FALSE; |
| | | 21 | + } |
19 | c[0] = 255; | | 22 | c[0] = 255; |
20 | c[1] = 145; | | 23 | c[1] = 145; |
21 | c[2] = 0; | | 24 | c[2] = 0; |
22 | @@ -272,6 +278,15 @@ static int t2_encode_packet(opj_tcd_tile | | 25 | @@ -272,6 +281,15 @@ static int t2_encode_packet(opj_tcd_tile |
23 | | | 26 | |
24 | /* <EPH 0xff92> */ | | 27 | /* <EPH 0xff92> */ |
25 | if (tcp->csty & J2K_CP_CSTY_EPH) { | | 28 | if (tcp->csty & J2K_CP_CSTY_EPH) { |
26 | + if (length < 2) { | | 29 | + if (length < 2) { |
27 | + if (p_t2_mode == FINAL_PASS) { | | 30 | + if (p_t2_mode == FINAL_PASS) { |
28 | + opj_event_msg(p_manager, EVT_ERROR, | | 31 | + opj_event_msg(p_manager, EVT_ERROR, |
29 | + "opj_t2_encode_packet(): only %u bytes remaining in " | | 32 | + "opj_t2_encode_packet(): only %u bytes remaining in " |
30 | + "output buffer. %u needed.\n", | | 33 | + "output buffer. %u needed.\n", |
31 | + length, 2); | | 34 | + length, 2); |
32 | + } | | 35 | + } |
33 | + return OPJ_FALSE; | | 36 | + return OPJ_FALSE; |
34 | + } | | 37 | + } |
35 | c[0] = 255; | | 38 | c[0] = 255; |