1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
|
From 00383e162ae2f8fc951f5745bf1011771acb8dce Mon Sep 17 00:00:00 2001
From: Even Rouault <even.rouault@spatialys.com>
Date: Wed, 2 Dec 2020 14:02:17 +0100
Subject: [PATCH] pi.c: avoid out of bounds access with POC (refs
https://github.com/uclouvain/openjpeg/issues/1293#issuecomment-737122836)
Upstream-Status: Backport [https://launchpad.net/ubuntu/+archive/primary/+sourcefiles/openjpeg2/2.3.1-1ubuntu4.20.04.1/openjpeg2_2.3.1-1ubuntu4.20.04.1.debian.tar.xz]
CVE: CVE-2020-27841
Signed-off-by: Virendra Thakur <virendra.thakur@kpit.com>
---
src/lib/openjp2/pi.c | 49 +++++++++++++++++++++++++++++---------------
src/lib/openjp2/pi.h | 10 +++++++--
src/lib/openjp2/t2.c | 4 ++--
3 files changed, 42 insertions(+), 21 deletions(-)
--- a/src/lib/openjp2/pi.c
+++ b/src/lib/openjp2/pi.c
@@ -192,10 +192,12 @@ static void opj_get_all_encoding_paramet
* @param p_image the image used to initialize the packet iterator (in fact only the number of components is relevant.
* @param p_cp the coding parameters.
* @param tileno the index of the tile from which creating the packet iterator.
+ * @param manager Event manager
*/
static opj_pi_iterator_t * opj_pi_create(const opj_image_t *p_image,
const opj_cp_t *p_cp,
- OPJ_UINT32 tileno);
+ OPJ_UINT32 tileno,
+ opj_event_mgr_t* manager);
/**
* FIXME DOC
*/
@@ -230,12 +232,6 @@ static OPJ_BOOL opj_pi_check_next_level(
==========================================================
*/
-static void opj_pi_emit_error(opj_pi_iterator_t * pi, const char* msg)
-{
- (void)pi;
- (void)msg;
-}
-
static OPJ_BOOL opj_pi_next_lrcp(opj_pi_iterator_t * pi)
{
opj_pi_comp_t *comp = NULL;
@@ -272,7 +268,7 @@ static OPJ_BOOL opj_pi_next_lrcp(opj_pi_
/* include should be resized when a POC arises, or */
/* the POC should be rejected */
if (index >= pi->include_size) {
- opj_pi_emit_error(pi, "Invalid access to pi->include");
+ opj_event_msg(pi->manager, EVT_ERROR, "Invalid access to pi->include");
return OPJ_FALSE;
}
if (!pi->include[index]) {
@@ -318,7 +314,7 @@ static OPJ_BOOL opj_pi_next_rlcp(opj_pi_
index = pi->layno * pi->step_l + pi->resno * pi->step_r + pi->compno *
pi->step_c + pi->precno * pi->step_p;
if (index >= pi->include_size) {
- opj_pi_emit_error(pi, "Invalid access to pi->include");
+ opj_event_msg(pi->manager, EVT_ERROR, "Invalid access to pi->include");
return OPJ_FALSE;
}
if (!pi->include[index]) {
@@ -449,7 +445,7 @@ static OPJ_BOOL opj_pi_next_rpcl(opj_pi_
index = pi->layno * pi->step_l + pi->resno * pi->step_r + pi->compno *
pi->step_c + pi->precno * pi->step_p;
if (index >= pi->include_size) {
- opj_pi_emit_error(pi, "Invalid access to pi->include");
+ opj_event_msg(pi->manager, EVT_ERROR, "Invalid access to pi->include");
return OPJ_FALSE;
}
if (!pi->include[index]) {
@@ -473,6 +469,13 @@ static OPJ_BOOL opj_pi_next_pcrl(opj_pi_
opj_pi_resolution_t *res = NULL;
OPJ_UINT32 index = 0;
+ if (pi->poc.compno0 >= pi->numcomps ||
+ pi->poc.compno1 >= pi->numcomps + 1) {
+ opj_event_msg(pi->manager, EVT_ERROR,
+ "opj_pi_next_pcrl(): invalid compno0/compno1");
+ return OPJ_FALSE;
+ }
+
if (!pi->first) {
comp = &pi->comps[pi->compno];
goto LABEL_SKIP;
@@ -580,7 +583,7 @@ static OPJ_BOOL opj_pi_next_pcrl(opj_pi_
index = pi->layno * pi->step_l + pi->resno * pi->step_r + pi->compno *
pi->step_c + pi->precno * pi->step_p;
if (index >= pi->include_size) {
- opj_pi_emit_error(pi, "Invalid access to pi->include");
+ opj_event_msg(pi->manager, EVT_ERROR, "Invalid access to pi->include");
return OPJ_FALSE;
}
if (!pi->include[index]) {
@@ -604,6 +607,13 @@ static OPJ_BOOL opj_pi_next_cprl(opj_pi_
opj_pi_resolution_t *res = NULL;
OPJ_UINT32 index = 0;
+ if (pi->poc.compno0 >= pi->numcomps ||
+ pi->poc.compno1 >= pi->numcomps + 1) {
+ opj_event_msg(pi->manager, EVT_ERROR,
+ "opj_pi_next_cprl(): invalid compno0/compno1");
+ return OPJ_FALSE;
+ }
+
if (!pi->first) {
comp = &pi->comps[pi->compno];
goto LABEL_SKIP;
@@ -708,7 +718,7 @@ static OPJ_BOOL opj_pi_next_cprl(opj_pi_
index = pi->layno * pi->step_l + pi->resno * pi->step_r + pi->compno *
pi->step_c + pi->precno * pi->step_p;
if (index >= pi->include_size) {
- opj_pi_emit_error(pi, "Invalid access to pi->include");
+ opj_event_msg(pi->manager, EVT_ERROR, "Invalid access to pi->include");
return OPJ_FALSE;
}
if (!pi->include[index]) {
@@ -981,7 +991,8 @@ static void opj_get_all_encoding_paramet
static opj_pi_iterator_t * opj_pi_create(const opj_image_t *image,
const opj_cp_t *cp,
- OPJ_UINT32 tileno)
+ OPJ_UINT32 tileno,
+ opj_event_mgr_t* manager)
{
/* loop*/
OPJ_UINT32 pino, compno;
@@ -1015,6 +1026,8 @@ static opj_pi_iterator_t * opj_pi_create
l_current_pi = l_pi;
for (pino = 0; pino < l_poc_bound ; ++pino) {
+ l_current_pi->manager = manager;
+
l_current_pi->comps = (opj_pi_comp_t*) opj_calloc(image->numcomps,
sizeof(opj_pi_comp_t));
if (! l_current_pi->comps) {
@@ -1352,7 +1365,8 @@ static OPJ_BOOL opj_pi_check_next_level(
*/
opj_pi_iterator_t *opj_pi_create_decode(opj_image_t *p_image,
opj_cp_t *p_cp,
- OPJ_UINT32 p_tile_no)
+ OPJ_UINT32 p_tile_no,
+ opj_event_mgr_t* manager)
{
OPJ_UINT32 numcomps = p_image->numcomps;
@@ -1407,7 +1421,7 @@ opj_pi_iterator_t *opj_pi_create_decode(
}
/* memory allocation for pi */
- l_pi = opj_pi_create(p_image, p_cp, p_tile_no);
+ l_pi = opj_pi_create(p_image, p_cp, p_tile_no, manager);
if (!l_pi) {
opj_free(l_tmp_data);
opj_free(l_tmp_ptr);
@@ -1552,7 +1566,8 @@ opj_pi_iterator_t *opj_pi_create_decode(
opj_pi_iterator_t *opj_pi_initialise_encode(const opj_image_t *p_image,
opj_cp_t *p_cp,
OPJ_UINT32 p_tile_no,
- J2K_T2_MODE p_t2_mode)
+ J2K_T2_MODE p_t2_mode,
+ opj_event_mgr_t* manager)
{
OPJ_UINT32 numcomps = p_image->numcomps;
@@ -1606,7 +1621,7 @@ opj_pi_iterator_t *opj_pi_initialise_enc
}
/* memory allocation for pi*/
- l_pi = opj_pi_create(p_image, p_cp, p_tile_no);
+ l_pi = opj_pi_create(p_image, p_cp, p_tile_no, manager);
if (!l_pi) {
opj_free(l_tmp_data);
opj_free(l_tmp_ptr);
--- a/src/lib/openjp2/pi.h
+++ b/src/lib/openjp2/pi.h
@@ -107,6 +107,8 @@ typedef struct opj_pi_iterator {
OPJ_INT32 x, y;
/** FIXME DOC*/
OPJ_UINT32 dx, dy;
+ /** event manager */
+ opj_event_mgr_t* manager;
} opj_pi_iterator_t;
/** @name Exported functions */
@@ -119,13 +121,15 @@ typedef struct opj_pi_iterator {
* @param cp the coding parameters.
* @param tileno index of the tile being encoded.
* @param t2_mode the type of pass for generating the packet iterator
+ * @param manager Event manager
*
* @return a list of packet iterator that points to the first packet of the tile (not true).
*/
opj_pi_iterator_t *opj_pi_initialise_encode(const opj_image_t *image,
opj_cp_t *cp,
OPJ_UINT32 tileno,
- J2K_T2_MODE t2_mode);
+ J2K_T2_MODE t2_mode,
+ opj_event_mgr_t* manager);
/**
* Updates the encoding parameters of the codec.
@@ -161,12 +165,14 @@ Create a packet iterator for Decoder
@param image Raw image for which the packets will be listed
@param cp Coding parameters
@param tileno Number that identifies the tile for which to list the packets
+@param manager Event manager
@return Returns a packet iterator that points to the first packet of the tile
@see opj_pi_destroy
*/
opj_pi_iterator_t *opj_pi_create_decode(opj_image_t * image,
opj_cp_t * cp,
- OPJ_UINT32 tileno);
+ OPJ_UINT32 tileno,
+ opj_event_mgr_t* manager);
/**
* Destroys a packet iterator array.
*
--- a/src/lib/openjp2/t2.c
+++ b/src/lib/openjp2/t2.c
@@ -244,7 +244,7 @@ OPJ_BOOL opj_t2_encode_packets(opj_t2_t*
l_image->numcomps : 1;
OPJ_UINT32 l_nb_pocs = l_tcp->numpocs + 1;
- l_pi = opj_pi_initialise_encode(l_image, l_cp, p_tile_no, p_t2_mode);
+ l_pi = opj_pi_initialise_encode(l_image, l_cp, p_tile_no, p_t2_mode, p_manager);
if (!l_pi) {
return OPJ_FALSE;
}
@@ -405,7 +405,7 @@ OPJ_BOOL opj_t2_decode_packets(opj_tcd_t
#endif
/* create a packet iterator */
- l_pi = opj_pi_create_decode(l_image, l_cp, p_tile_no);
+ l_pi = opj_pi_create_decode(l_image, l_cp, p_tile_no, p_manager);
if (!l_pi) {
return OPJ_FALSE;
}
|
