Attachment #174758 for bug #212672

Lines 3-8 Link Here

(-)Makefile (+1 lines)
3		3
4	PORTNAME= openjpeg	4	PORTNAME= openjpeg
5	PORTVERSION= 2.1.1	5	PORTVERSION= 2.1.1
		6	PORTREVISION= 1
6	CATEGORIES= graphics	7	CATEGORIES= graphics
7		8
8	MAINTAINER= sunpoet@FreeBSD.org	9	MAINTAINER= sunpoet@FreeBSD.org




--- src/lib/openjp2/pi.c.orig	2016-09-14 00:01:22 UTC
+++ src/lib/openjp2/pi.c
@@ -1236,7 +1236,13 @@ opj_pi_iterator_t *opj_pi_create_decode(
 	l_current_pi = l_pi;
 
 	/* memory allocation for include */
-	l_current_pi->include = (OPJ_INT16*) opj_calloc((l_tcp->numlayers +1) * l_step_l, sizeof(OPJ_INT16));
+	/* prevent an integer overflow issue */
+	l_current_pi->include = 00;
+	if (l_step_l <= (SIZE_MAX / (l_tcp->numlayers + 1U)))
+	{
+		l_current_pi->include = (OPJ_INT16*) opj_calloc((l_tcp->numlayers +1) * l_step_l, sizeof(OPJ_INT16));
+	}
+
 	if
 		(!l_current_pi->include)
 	{




--- src/lib/openjp2/tcd.c.orig	2016-09-14 00:02:27 UTC
+++ src/lib/openjp2/tcd.c
@@ -706,9 +706,20 @@ static INLINE OPJ_BOOL opj_tcd_init_tile
 	l_tx0 = l_cp->tx0 + p * l_cp->tdx; /* can't be greater than l_image->x1 so won't overflow */
 	l_tile->x0 = (OPJ_INT32)opj_uint_max(l_tx0, l_image->x0);
 	l_tile->x1 = (OPJ_INT32)opj_uint_min(opj_uint_adds(l_tx0, l_cp->tdx), l_image->x1);
+	/* all those OPJ_UINT32 are casted to OPJ_INT32, let's do some sanity check */
+	if ((l_tile->x0 < 0) || (l_tile->x1 <= l_tile->x0)) {
+		opj_event_msg(manager, EVT_ERROR, "Tile X coordinates are not supported\n");
+		return OPJ_FALSE;
+	}
 	l_ty0 = l_cp->ty0 + q * l_cp->tdy; /* can't be greater than l_image->y1 so won't overflow */
 	l_tile->y0 = (OPJ_INT32)opj_uint_max(l_ty0, l_image->y0);
 	l_tile->y1 = (OPJ_INT32)opj_uint_min(opj_uint_adds(l_ty0, l_cp->tdy), l_image->y1);
+	/* all those OPJ_UINT32 are casted to OPJ_INT32, let's do some sanity check */
+	if ((l_tile->y0 < 0) || (l_tile->y1 <= l_tile->y0)) {
+		opj_event_msg(manager, EVT_ERROR, "Tile Y coordinates are not supported\n");
+		return OPJ_FALSE;
+	}
+	
 
 	/* testcase 1888.pdf.asan.35.988 */
 	if (l_tccp->numresolutions == 0) {




--- tests/compare_dump_files.c.orig	2016-09-14 00:05:13 UTC
+++ tests/compare_dump_files.c
@@ -118,10 +118,10 @@ int main(int argc, char **argv)
   test_cmp_parameters inParam;
   FILE *fbase=NULL, *ftest=NULL;
   int same = 0;
-  char lbase[256];
-  char strbase[256];
-  char ltest[256];
-  char strtest[256];
+  char lbase[512];
+  char strbase[512];
+  char ltest[512];
+  char strtest[512];
 
   if( parse_cmdline_cmp(argc, argv, &inParam) == 1 )
     {
@@ -154,9 +154,9 @@ int main(int argc, char **argv)
 
   while (fgets(lbase, sizeof(lbase), fbase) && fgets(ltest,sizeof(ltest),ftest))
     {
-    int nbase = sscanf(lbase, "%255[^\r\n]", strbase);
-    int ntest = sscanf(ltest, "%255[^\r\n]", strtest);
-    assert( nbase != 255 && ntest != 255 );
+    int nbase = sscanf(lbase, "%511[^\r\n]", strbase);
+    int ntest = sscanf(ltest, "%511[^\r\n]", strtest);
+    assert( nbase != 511 && ntest != 511 );
     if( nbase != 1 || ntest != 1 )
       {
       fprintf(stderr, "could not parse line from files\n" );

Line 0 Link Here

(-)files/patch-tests_nonregression_test__suite.ctest.in (+9 lines)
	1	--- tests/nonregression/test_suite.ctest.in.orig 2016-09-14 00:06:50 UTC
	2	+++ tests/nonregression/test_suite.ctest.in
	3	@@ -505,3 +505,6 @@ opj_decompress -i @INPUT_NR_PATH@/issue2
	4	# issue 326 + PR 559: CIELab colorspace
	5	opj_decompress -i @INPUT_NR_PATH@/issue559-eci-090-CIELab.jp2 -o @TEMP_PATH@/issue559-eci-090-CIELab.jp2.pgx
	6	opj_decompress -i @INPUT_NR_PATH@/issue559-eci-091-CIELab.jp2 -o @TEMP_PATH@/issue559-eci-091-CIELab.jp2.pgx
	7	+# issue 823 (yes, not a typo, test image is issue822)
	8	+!opj_decompress -i @INPUT_NR_PATH@/issue822.jp2 -o @TEMP_PATH@/issue822.png
	9	+

Return to bug 212672

Line 0 Link Here

(-)files/patch-src_lib_openjp2_pi.c (+17 lines)
	1	--- src/lib/openjp2/pi.c.orig 2016-09-14 00:01:22 UTC
	2	+++ src/lib/openjp2/pi.c
	3	@@ -1236,7 +1236,13 @@ opj_pi_iterator_t *opj_pi_create_decode(
	4	l_current_pi = l_pi;
	5
	6	/* memory allocation for include */
	7	- l_current_pi->include = (OPJ_INT16) opj_calloc((l_tcp->numlayers +1) l_step_l, sizeof(OPJ_INT16));
	8	+ /* prevent an integer overflow issue */
	9	+ l_current_pi->include = 00;
	10	+ if (l_step_l <= (SIZE_MAX / (l_tcp->numlayers + 1U)))
	11	+ {
	12	+ l_current_pi->include = (OPJ_INT16) opj_calloc((l_tcp->numlayers +1) l_step_l, sizeof(OPJ_INT16));
	13	+ }
	14	+
	15	if
	16	(!l_current_pi->include)
	17	{

Line 0 Link Here

(-)files/patch-src_lib_openjp2_tcd.c (+23 lines)
	1	--- src/lib/openjp2/tcd.c.orig 2016-09-14 00:02:27 UTC
	2	+++ src/lib/openjp2/tcd.c
	3	@@ -706,9 +706,20 @@ static INLINE OPJ_BOOL opj_tcd_init_tile
	4	l_tx0 = l_cp->tx0 + p * l_cp->tdx; /* can't be greater than l_image->x1 so won't overflow */
	5	l_tile->x0 = (OPJ_INT32)opj_uint_max(l_tx0, l_image->x0);
	6	l_tile->x1 = (OPJ_INT32)opj_uint_min(opj_uint_adds(l_tx0, l_cp->tdx), l_image->x1);
	7	+ /* all those OPJ_UINT32 are casted to OPJ_INT32, let's do some sanity check */
	8	+ if ((l_tile->x0 < 0) \|\| (l_tile->x1 <= l_tile->x0)) {
	9	+ opj_event_msg(manager, EVT_ERROR, "Tile X coordinates are not supported\n");
	10	+ return OPJ_FALSE;
	11	+ }
	12	l_ty0 = l_cp->ty0 + q * l_cp->tdy; /* can't be greater than l_image->y1 so won't overflow */
	13	l_tile->y0 = (OPJ_INT32)opj_uint_max(l_ty0, l_image->y0);
	14	l_tile->y1 = (OPJ_INT32)opj_uint_min(opj_uint_adds(l_ty0, l_cp->tdy), l_image->y1);
	15	+ /* all those OPJ_UINT32 are casted to OPJ_INT32, let's do some sanity check */
	16	+ if ((l_tile->y0 < 0) \|\| (l_tile->y1 <= l_tile->y0)) {
	17	+ opj_event_msg(manager, EVT_ERROR, "Tile Y coordinates are not supported\n");
	18	+ return OPJ_FALSE;
	19	+ }
	20	+
	21
	22	/* testcase 1888.pdf.asan.35.988 */
	23	if (l_tccp->numresolutions == 0) {

Line 0 Link Here

(-)files/patch-tests_compare__dump__files.c (+30 lines)
	1	--- tests/compare_dump_files.c.orig 2016-09-14 00:05:13 UTC
	2	+++ tests/compare_dump_files.c
	3	@@ -118,10 +118,10 @@ int main(int argc, char **argv)
	4	test_cmp_parameters inParam;
	5	FILE fbase=NULL, ftest=NULL;
	6	int same = 0;
	7	- char lbase[256];
	8	- char strbase[256];
	9	- char ltest[256];
	10	- char strtest[256];
	11	+ char lbase[512];
	12	+ char strbase[512];
	13	+ char ltest[512];
	14	+ char strtest[512];
	15
	16	if( parse_cmdline_cmp(argc, argv, &inParam) == 1 )
	17	{
	18	@@ -154,9 +154,9 @@ int main(int argc, char **argv)
	19
	20	while (fgets(lbase, sizeof(lbase), fbase) && fgets(ltest,sizeof(ltest),ftest))
	21	{
	22	- int nbase = sscanf(lbase, "%255[^\r\n]", strbase);
	23	- int ntest = sscanf(ltest, "%255[^\r\n]", strtest);
	24	- assert( nbase != 255 && ntest != 255 );
	25	+ int nbase = sscanf(lbase, "%511[^\r\n]", strbase);
	26	+ int ntest = sscanf(ltest, "%511[^\r\n]", strtest);
	27	+ assert( nbase != 511 && ntest != 511 );
	28	if( nbase != 1 \|\| ntest != 1 )
	29	{
	30	fprintf(stderr, "could not parse line from files\n" );