CVS commit: pkgsrc/graphics/openjpeg

["Sevan Janiyan" <sevan%netbsd.org@localhost>]

Module Name:    pkgsrc
Committed By:   sevan
Date:           Tue Nov 26 23:10:22 UTC 2019

Modified Files:
        pkgsrc/graphics/openjpeg: Makefile distinfo
Added Files:
        pkgsrc/graphics/openjpeg/patches: patch-src_lib_openmj2_t2.c

Log Message:
Patch for CVE-2018-16376


To generate a diff of this commit:
cvs rdiff -u -r1.17 -r1.18 pkgsrc/graphics/openjpeg/Makefile
cvs rdiff -u -r1.14 -r1.15 pkgsrc/graphics/openjpeg/distinfo
cvs rdiff -u -r0 -r1.1 \
    pkgsrc/graphics/openjpeg/patches/patch-src_lib_openmj2_t2.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: pkgsrc/graphics/openjpeg/Makefile
diff -u pkgsrc/graphics/openjpeg/Makefile:1.17 pkgsrc/graphics/openjpeg/Makefile:1.18
--- pkgsrc/graphics/openjpeg/Makefile:1.17      Wed Apr  3 08:04:08 2019
+++ pkgsrc/graphics/openjpeg/Makefile   Tue Nov 26 23:10:22 2019
@@ -1,6 +1,7 @@
-# $NetBSD: Makefile,v 1.17 2019/04/03 08:04:08 adam Exp $
+# $NetBSD: Makefile,v 1.18 2019/11/26 23:10:22 sevan Exp $
 
 DISTNAME=      openjpeg-2.3.1
+PKGREVISION=   1
 CATEGORIES=    graphics
 MASTER_SITES=  ${MASTER_SITE_GITHUB:=uclouvain/}
 GITHUB_TAG=    v${PKGVERSION_NOREV}

Index: pkgsrc/graphics/openjpeg/distinfo
diff -u pkgsrc/graphics/openjpeg/distinfo:1.14 pkgsrc/graphics/openjpeg/distinfo:1.15
--- pkgsrc/graphics/openjpeg/distinfo:1.14      Wed Apr  3 08:04:08 2019
+++ pkgsrc/graphics/openjpeg/distinfo   Tue Nov 26 23:10:22 2019
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.14 2019/04/03 08:04:08 adam Exp $
+$NetBSD: distinfo,v 1.15 2019/11/26 23:10:22 sevan Exp $
 
 SHA1 (openjpeg-2.3.1.tar.gz) = 38321fa9730252039ad0b7f247a160a8164f5871
 RMD160 (openjpeg-2.3.1.tar.gz) = 31b75aa70f5d26dd1b7e374a9e4b6be1842fefe7
@@ -8,3 +8,4 @@ SHA1 (patch-CMakeLists.txt) = 3738946db6
 SHA1 (patch-src_bin_jp2_CMakeLists.txt) = c9f709c23d6bab7a3c705640d66a00ec90ddabc7
 SHA1 (patch-src_lib_openjp2_CMakeLists.txt) = d839121ec2d008e5d3e1676d3e7ac3642bc946f7
 SHA1 (patch-src_lib_openjp2_opj__config__private.h.cmake.in) = fc0c170789dbe0a2ebc9dce0ef0d21aa6b2edd49
+SHA1 (patch-src_lib_openmj2_t2.c) = 7689b3d82a5d346707a3519f183757356e118a8c

Added files:

Index: pkgsrc/graphics/openjpeg/patches/patch-src_lib_openmj2_t2.c
diff -u /dev/null pkgsrc/graphics/openjpeg/patches/patch-src_lib_openmj2_t2.c:1.1
--- /dev/null   Tue Nov 26 23:10:22 2019
+++ pkgsrc/graphics/openjpeg/patches/patch-src_lib_openmj2_t2.c Tue Nov 26 23:10:22 2019
@@ -0,0 +1,37 @@
+$NetBSD: patch-src_lib_openmj2_t2.c,v 1.1 2019/11/26 23:10:22 sevan Exp $
+
+CVE-2018-16376
+https://github.com/uclouvain/openjpeg/issues/1127
+https://nvd.nist.gov/vuln/detail/CVE-2018-16376
+
+--- src/lib/openmj2/t2.c.orig  2019-11-26 22:37:00.687890833 +0000
++++ src/lib/openmj2/t2.c
+@@ -166,6 +166,12 @@ static int t2_encode_packet(opj_tcd_tile
+ 
+     /* <SOP 0xff91> */
+     if (tcp->csty & J2K_CP_CSTY_SOP) {
++      if (length < 6) {
++          if (p_t2_mode == FINAL_PASS) {
++              opj_event_msg(p_manager, EVT_ERROR,
++                              "opj_t2_encode_packet(): only %u bytes remaining in "
++                              "output buffer. %u needed.\n",
++                              length, 6);
+         c[0] = 255;
+         c[1] = 145;
+         c[2] = 0;
+@@ -272,6 +278,15 @@ static int t2_encode_packet(opj_tcd_tile
+ 
+     /* <EPH 0xff92> */
+     if (tcp->csty & J2K_CP_CSTY_EPH) {
++      if (length < 2) {
++          if (p_t2_mode == FINAL_PASS) {
++              opj_event_msg(p_manager, EVT_ERROR,
++                              "opj_t2_encode_packet(): only %u bytes remaining in "
++                              "output buffer. %u needed.\n",
++                              length, 2);
++          }
++          return OPJ_FALSE;
++      }
+         c[0] = 255;
+         c[1] = 146;
+         c += 2;