From 0bc90e4062a5f9258c91eca018c019b179066c62 Mon Sep 17 00:00:00 2001
From: Hugo Lefeuvre <hle@debian.org>
Date: Mon, 22 Oct 2018 16:59:41 +0200
Subject: [PATCH 1/2] jp3d/jpwl convert: fix write stack buffer overflow

Missing buffer length formatter in fscanf call might lead to write
stack buffer overflow.

fixes #1044 (CVE-2017-17480)
---
 src/bin/jp3d/convert.c | 4 ++--
 src/bin/jpwl/convert.c | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/src/bin/jp3d/convert.c b/src/bin/jp3d/convert.c
index 23fd70b0..acad8f82 100644
--- a/src/bin/jp3d/convert.c
+++ b/src/bin/jp3d/convert.c
@@ -297,8 +297,8 @@ opj_volume_t* pgxtovolume(char *relpath, opj_cparameters_t *parameters)
         fprintf(stdout, "[INFO] Loading %s \n", pgxfiles[pos]);
 
         fseek(f, 0, SEEK_SET);
-        fscanf(f, "PG%[ \t]%c%c%[ \t+-]%d%[ \t]%d%[ \t]%d", temp, &endian1, &endian2,
-               signtmp, &prec, temp, &w, temp, &h);
+        fscanf(f, "PG%31[ \t]%c%c%31[ \t+-]%d%31[ \t]%d%31[ \t]%d", temp, &endian1,
+               &endian2, signtmp, &prec, temp, &w, temp, &h);
 
         i = 0;
         sign = '+';
diff --git a/src/bin/jpwl/convert.c b/src/bin/jpwl/convert.c
index f3bb670b..73c1be72 100644
--- a/src/bin/jpwl/convert.c
+++ b/src/bin/jpwl/convert.c
@@ -1349,7 +1349,7 @@ opj_image_t* pgxtoimage(const char *filename, opj_cparameters_t *parameters)
     }
 
     fseek(f, 0, SEEK_SET);
-    if (fscanf(f, "PG%[ \t]%c%c%[ \t+-]%d%[ \t]%d%[ \t]%d", temp, &endian1,
+    if (fscanf(f, "PG%31[ \t]%c%c%31[ \t+-]%d%31[ \t]%d%31[ \t]%d", temp, &endian1,
                &endian2, signtmp, &prec, temp, &w, temp, &h) != 9) {
         fprintf(stderr,
                 "ERROR: Failed to read the right number of element from the fscanf() function!\n");

From cab352e249ed3372dd9355c85e837613fff98fa2 Mon Sep 17 00:00:00 2001
From: Hugo Lefeuvre <hle@debian.org>
Date: Wed, 7 Nov 2018 18:48:29 +0100
Subject: [PATCH 2/2] jp2: convert: fix null pointer dereference

Tile components in a JP2 image might have null data pointer by defining a
zero component size (for example using large horizontal or vertical
sampling periods). This null data pointer leads to null image component
data pointer, causing crash when dereferenced without != null check in
imagetopnm.

Add != null check.

This commit addresses #1152 (CVE-2018-18088).
---
 src/bin/jp2/convert.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/src/bin/jp2/convert.c b/src/bin/jp2/convert.c
index fa02e31c..e670cd82 100644
--- a/src/bin/jp2/convert.c
+++ b/src/bin/jp2/convert.c
@@ -2233,6 +2233,11 @@ int imagetopnm(opj_image_t * image, const char *outfile, int force_split)
                 opj_version(), wr, hr, max);
 
         red = image->comps[compno].data;
+        if (!red) {
+            fclose(fdest);
+            continue;
+        }
+
         adjustR =
             (image->comps[compno].sgnd ? 1 << (image->comps[compno].prec - 1) : 0);