CVE-2012-3358:

A heap-based buffer overflow was found in the way OpenJPEG, an open-source JPEG 2000 codec written in C language, performed parsing of JPEG2000 having certain number of tiles and tilesizes. A remote attacker could provide a specially crafted JPEG 2000 file, which when opened in an application linked against openjpeg would lead to that application crash, or, potentially arbitrary code execution with the privileges of the user running the application. http://code.google.com/p/openjpeg/source/detail?r=1727 Bump PKGREVISION. pkglint cleanups while here.
2012-07-11 09:07:21 +00:00 · 2012-07-11 09:07:21 +00:00 · a562915eca
commit a562915eca
parent ae65fdb128
4 changed files with 70 additions and 4 deletions
--- a/graphics/openjpeg/DESCR
+++ b/graphics/openjpeg/DESCR
@ -1,3 +1,3 @@
 The OpenJPEG library is an open-source JPEG 2000 codec written in C.  It
 has been developed in order to promote the use of JPEG 2000 and is
-licensed under a BSD license.
+licensed under a BSD license.
--- a/graphics/openjpeg/Makefile
+++ b/graphics/openjpeg/Makefile
@ -1,16 +1,17 @@
-# $NetBSD: Makefile,v 1.2 2012/03/24 13:25:00 drochner Exp $
+# $NetBSD: Makefile,v 1.3 2012/07/11 09:07:21 wiz Exp $
 #

 DISTNAME=		openjpeg-1.5.0
+PKGREVISION=		1
 CATEGORIES=		graphics
 MASTER_SITES=		http://openjpeg.googlecode.com/files/

 MAINTAINER=		pkgsrc-users@NetBSD.org
 HOMEPAGE=		http://www.openjpeg.org/
 COMMENT=		JPEG 2000 library
+LICENSE=		2-clause-bsd

 PKG_DESTDIR_SUPPORT=	user-destdir
-LICENSE=		2-clause-bsd

 GNU_CONFIGURE=		yes
 CONFIGURE_ARGS+=	--disable-doc
--- a/graphics/openjpeg/distinfo
+++ b/graphics/openjpeg/distinfo
@ -1,6 +1,7 @@
-$NetBSD: distinfo,v 1.2 2012/03/24 13:25:01 drochner Exp $
+$NetBSD: distinfo,v 1.3 2012/07/11 09:07:21 wiz Exp $

 SHA1 (openjpeg-1.5.0.tar.gz) = dce705ae45f137e4698a8cf39d1fbf22bc434fa8
 RMD160 (openjpeg-1.5.0.tar.gz) = ffa85dbb0a3ba1545bc6974f4950f466789c04ef
 Size (openjpeg-1.5.0.tar.gz) = 2117572 bytes
 SHA1 (patch-aa) = 503b565958dc74a17b68f968a44c5c861d84b343
+SHA1 (patch-libopenjpeg_j2k.c) = 3ea7816b479dbba7822d20b187a6916e4d882e37
--- a/graphics/openjpeg/patches/patch-libopenjpeg_j2k.c
+++ b/graphics/openjpeg/patches/patch-libopenjpeg_j2k.c
@ -0,0 +1,64 @@
+$NetBSD: patch-libopenjpeg_j2k.c,v 1.1 2012/07/11 09:07:21 wiz Exp $
+
+CVE-2012-3358:
+A heap-based buffer overflow was found in the way OpenJPEG, an
+open-source JPEG 2000 codec written in C language, performed parsing of
+JPEG2000 having certain number of tiles and tilesizes. A remote
+attacker could provide a specially crafted JPEG 2000 file, which when
+opened in an application linked against openjpeg would lead to that
+application crash, or, potentially arbitrary code execution with the
+privileges of the user running the application.
+
+http://code.google.com/p/openjpeg/source/detail?r=1727
+
+--- libopenjpeg/j2k.c.orig	2012-02-07 10:49:55.000000000 +0000
+++ libopenjpeg/j2k.c
+@@ -1269,7 +1269,7 @@ static void j2k_read_sot(opj_j2k_t *j2k)
+ 		static int backup_tileno = 0;
+ 
+ 		/* tileno is negative or larger than the number of tiles!!! */
+-		if ((tileno < 0) || (tileno > (cp->tw * cp->th))) {
+		if ((tileno < 0) || (tileno >= (cp->tw * cp->th))) {
+ 			opj_event_msg(j2k->cinfo, EVT_ERROR,
+ 				"JPWL: bad tile number (%d out of a maximum of %d)\n",
+ 				tileno, (cp->tw * cp->th));
+@@ -1286,8 +1286,18 @@ static void j2k_read_sot(opj_j2k_t *j2k)
+ 
+ 		/* keep your private count of tiles */
+ 		backup_tileno++;
+-	};
+	}
+  else
+ #endif /* USE_JPWL */
+  {
+    /* tileno is negative or larger than the number of tiles!!! */
+    if ((tileno < 0) || (tileno >= (cp->tw * cp->th))) {
+      opj_event_msg(j2k->cinfo, EVT_ERROR,
+        "JPWL: bad tile number (%d out of a maximum of %d)\n",
+        tileno, (cp->tw * cp->th));
+      return;
+    }
+  }
+ 	
+ 	if (cp->tileno_size == 0) {
+ 		cp->tileno[cp->tileno_size] = tileno;
+@@ -1325,8 +1335,18 @@ static void j2k_read_sot(opj_j2k_t *j2k)
+ 				totlen);
+ 		}
+ 
+-	};
+	}
+  else
+ #endif /* USE_JPWL */
+  {
+    /* totlen is negative or larger than the bytes left!!! */
+    if ((totlen < 0) || (totlen > (cio_numbytesleft(cio) + 8))) {
+      opj_event_msg(j2k->cinfo, EVT_ERROR,
+        "JPWL: bad tile byte size (%d bytes against %d bytes left)\n",
+        totlen, cio_numbytesleft(cio) + 8);
+      return;
+    }
+  }
+ 
+ 	if (!totlen)
+ 		totlen = cio_numbytesleft(cio) + 8;