From 7ab73c4addad7cf5358b988943871ea85192f692 Mon Sep 17 00:00:00 2001 From: Mark H Weaver Date: Wed, 7 Oct 2015 22:17:12 -0400 Subject: gnu: openjpeg-2.x: Add fix for CVE-2015-6581. * gnu/packages/patches/openjpeg-CVE-2015-6581.patch: New file. * gnu-system.am (dist_patch_DATA): Add it. * gnu/packages/image.scm (openjpeg, openjpeg-2.0)[source]: Add patch. --- gnu-system.am | 1 + gnu/packages/image.scm | 6 ++- gnu/packages/patches/openjpeg-CVE-2015-6581.patch | 47 +++++++++++++++++++++++ 3 files changed, 52 insertions(+), 2 deletions(-) create mode 100644 gnu/packages/patches/openjpeg-CVE-2015-6581.patch diff --git a/gnu-system.am b/gnu-system.am index 577c6e8c07..35d2da4701 100644 --- a/gnu-system.am +++ b/gnu-system.am @@ -572,6 +572,7 @@ dist_patch_DATA = \ gnu/packages/patches/nvi-dbpagesize-binpower.patch \ gnu/packages/patches/nvi-db4.patch \ gnu/packages/patches/openexr-missing-samples.patch \ + gnu/packages/patches/openjpeg-CVE-2015-6581.patch \ gnu/packages/patches/openjpeg-use-after-free-fix.patch \ gnu/packages/patches/openssl-runpath.patch \ gnu/packages/patches/openssl-c-rehash.patch \ diff --git a/gnu/packages/image.scm b/gnu/packages/image.scm index 26f1be9a2f..23ad59ce9a 100644 --- a/gnu/packages/image.scm +++ b/gnu/packages/image.scm @@ -272,7 +272,8 @@ work.") version ".tar.gz")) (sha256 (base32 "00zzm303zvv4ijzancrsb1cqbph3pgz0nky92k9qx3fq9y0vnchj")) - (patches (list (search-patch "openjpeg-use-after-free-fix.patch"))))) + (patches (map search-patch '("openjpeg-use-after-free-fix.patch" + "openjpeg-CVE-2015-6581.patch"))))) (build-system cmake-build-system) (arguments ;; Trying to run `$ make check' results in a no rule fault. @@ -308,7 +309,8 @@ error-resilience, a Java-viewer for j2k-images, ...") version ".tar.gz")) (sha256 (base32 "1c2xc3nl2mg511b63rk7hrckmy14681p1m44mzw3n1fyqnjm0b0z")) - (patches (list (search-patch "openjpeg-use-after-free-fix.patch"))))))) + (patches (map search-patch '("openjpeg-use-after-free-fix.patch" + "openjpeg-CVE-2015-6581.patch"))))))) (define-public openjpeg-1 (package (inherit openjpeg) diff --git a/gnu/packages/patches/openjpeg-CVE-2015-6581.patch b/gnu/packages/patches/openjpeg-CVE-2015-6581.patch new file mode 100644 index 0000000000..7ce03501f4 --- /dev/null +++ b/gnu/packages/patches/openjpeg-CVE-2015-6581.patch @@ -0,0 +1,47 @@ +From 0fa5a17c98c4b8f9ee2286f4f0a50cf52a5fccb0 Mon Sep 17 00:00:00 2001 +From: Matthieu Darbois +Date: Tue, 19 May 2015 21:57:27 +0000 +Subject: [PATCH] [trunk] Correct potential double free on malloc failure in + opj_j2k_copy_default_tcp_and_create_tcp (fixes issue 492) + +--- + src/lib/openjp2/j2k.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/src/lib/openjp2/j2k.c b/src/lib/openjp2/j2k.c +index 8c62a39..cbdd368 100644 +--- a/src/lib/openjp2/j2k.c ++++ b/src/lib/openjp2/j2k.c +@@ -7365,6 +7365,12 @@ static OPJ_BOOL opj_j2k_copy_default_tcp_and_create_tcd ( opj_j2k_t * p_j2 + l_tcp->cod = 0; + l_tcp->ppt = 0; + l_tcp->ppt_data = 00; ++ /* Remove memory not owned by this tile in case of early error return. */ ++ l_tcp->m_mct_decoding_matrix = 00; ++ l_tcp->m_nb_max_mct_records = 0; ++ l_tcp->m_mct_records = 00; ++ l_tcp->m_nb_max_mcc_records = 0; ++ l_tcp->m_mcc_records = 00; + /* Reconnect the tile-compo coding parameters pointer to the current tile coding parameters*/ + l_tcp->tccps = l_current_tccp; + +@@ -7402,6 +7408,8 @@ static OPJ_BOOL opj_j2k_copy_default_tcp_and_create_tcd ( opj_j2k_t * p_j2 + + ++l_src_mct_rec; + ++l_dest_mct_rec; ++ /* Update with each pass to free exactly what has been allocated on early return. */ ++ l_tcp->m_nb_max_mct_records += 1; + } + + /* Get the mcc_record of the dflt_tile_cp and copy them into the current tile cp*/ +@@ -7411,6 +7419,7 @@ static OPJ_BOOL opj_j2k_copy_default_tcp_and_create_tcd ( opj_j2k_t * p_j2 + return OPJ_FALSE; + } + memcpy(l_tcp->m_mcc_records,l_default_tcp->m_mcc_records,l_mcc_records_size); ++ l_tcp->m_nb_max_mcc_records = l_default_tcp->m_nb_max_mcc_records; + + /* Copy the mcc record data from dflt_tile_cp to the current tile*/ + l_src_mcc_rec = l_default_tcp->m_mcc_records; +-- +2.5.0 + -- cgit v1.2.3