aboutsummaryrefslogtreecommitdiff
path: root/gnu
diff options
context:
space:
mode:
authorMark H Weaver <mhw@netris.org>2015-10-07 22:17:12 -0400
committerMark H Weaver <mhw@netris.org>2015-10-07 22:18:13 -0400
commit7ab73c4addad7cf5358b988943871ea85192f692 (patch)
treedaac18417460238dbc4bbfe805dfa7889a630e77 /gnu
parentd04efa0fff908de0f8822a27582b4b1c3dcae553 (diff)
downloadpatches-7ab73c4addad7cf5358b988943871ea85192f692.tar
patches-7ab73c4addad7cf5358b988943871ea85192f692.tar.gz
gnu: openjpeg-2.x: Add fix for CVE-2015-6581.
* gnu/packages/patches/openjpeg-CVE-2015-6581.patch: New file. * gnu-system.am (dist_patch_DATA): Add it. * gnu/packages/image.scm (openjpeg, openjpeg-2.0)[source]: Add patch.
Diffstat (limited to 'gnu')
-rw-r--r--gnu/packages/image.scm6
-rw-r--r--gnu/packages/patches/openjpeg-CVE-2015-6581.patch47
2 files changed, 51 insertions, 2 deletions
diff --git a/gnu/packages/image.scm b/gnu/packages/image.scm
index 26f1be9a2f..23ad59ce9a 100644
--- a/gnu/packages/image.scm
+++ b/gnu/packages/image.scm
@@ -272,7 +272,8 @@ work.")
version ".tar.gz"))
(sha256
(base32 "00zzm303zvv4ijzancrsb1cqbph3pgz0nky92k9qx3fq9y0vnchj"))
- (patches (list (search-patch "openjpeg-use-after-free-fix.patch")))))
+ (patches (map search-patch '("openjpeg-use-after-free-fix.patch"
+ "openjpeg-CVE-2015-6581.patch")))))
(build-system cmake-build-system)
(arguments
;; Trying to run `$ make check' results in a no rule fault.
@@ -308,7 +309,8 @@ error-resilience, a Java-viewer for j2k-images, ...")
version ".tar.gz"))
(sha256
(base32 "1c2xc3nl2mg511b63rk7hrckmy14681p1m44mzw3n1fyqnjm0b0z"))
- (patches (list (search-patch "openjpeg-use-after-free-fix.patch")))))))
+ (patches (map search-patch '("openjpeg-use-after-free-fix.patch"
+ "openjpeg-CVE-2015-6581.patch")))))))
(define-public openjpeg-1
(package (inherit openjpeg)
diff --git a/gnu/packages/patches/openjpeg-CVE-2015-6581.patch b/gnu/packages/patches/openjpeg-CVE-2015-6581.patch
new file mode 100644
index 0000000000..7ce03501f4
--- /dev/null
+++ b/gnu/packages/patches/openjpeg-CVE-2015-6581.patch
@@ -0,0 +1,47 @@
+From 0fa5a17c98c4b8f9ee2286f4f0a50cf52a5fccb0 Mon Sep 17 00:00:00 2001
+From: Matthieu Darbois <mayeut@users.noreply.github.com>
+Date: Tue, 19 May 2015 21:57:27 +0000
+Subject: [PATCH] [trunk] Correct potential double free on malloc failure in
+ opj_j2k_copy_default_tcp_and_create_tcp (fixes issue 492)
+
+---
+ src/lib/openjp2/j2k.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/src/lib/openjp2/j2k.c b/src/lib/openjp2/j2k.c
+index 8c62a39..cbdd368 100644
+--- a/src/lib/openjp2/j2k.c
++++ b/src/lib/openjp2/j2k.c
+@@ -7365,6 +7365,12 @@ static OPJ_BOOL opj_j2k_copy_default_tcp_and_create_tcd ( opj_j2k_t * p_j2
+ l_tcp->cod = 0;
+ l_tcp->ppt = 0;
+ l_tcp->ppt_data = 00;
++ /* Remove memory not owned by this tile in case of early error return. */
++ l_tcp->m_mct_decoding_matrix = 00;
++ l_tcp->m_nb_max_mct_records = 0;
++ l_tcp->m_mct_records = 00;
++ l_tcp->m_nb_max_mcc_records = 0;
++ l_tcp->m_mcc_records = 00;
+ /* Reconnect the tile-compo coding parameters pointer to the current tile coding parameters*/
+ l_tcp->tccps = l_current_tccp;
+
+@@ -7402,6 +7408,8 @@ static OPJ_BOOL opj_j2k_copy_default_tcp_and_create_tcd ( opj_j2k_t * p_j2
+
+ ++l_src_mct_rec;
+ ++l_dest_mct_rec;
++ /* Update with each pass to free exactly what has been allocated on early return. */
++ l_tcp->m_nb_max_mct_records += 1;
+ }
+
+ /* Get the mcc_record of the dflt_tile_cp and copy them into the current tile cp*/
+@@ -7411,6 +7419,7 @@ static OPJ_BOOL opj_j2k_copy_default_tcp_and_create_tcd ( opj_j2k_t * p_j2
+ return OPJ_FALSE;
+ }
+ memcpy(l_tcp->m_mcc_records,l_default_tcp->m_mcc_records,l_mcc_records_size);
++ l_tcp->m_nb_max_mcc_records = l_default_tcp->m_nb_max_mcc_records;
+
+ /* Copy the mcc record data from dflt_tile_cp to the current tile*/
+ l_src_mcc_rec = l_default_tcp->m_mcc_records;
+--
+2.5.0
+