Commit Graph

2778 Commits

Author SHA1 Message Date
Sebastian Rasmussen f3ee448815 openjp2/j2k: Validate all SGcod/SPcod/SPcoc parameter values.
Previously the multiple component transformation SGcod(C)
and wavelet transformation SPcod(H)/SPcoc(E) parameter
values were never checked, allowing for out of range values.

The lack of validation allowed the bit stream provided in
issue #1158 through. After this commit an error message
points to the marker segments' parameters as being out of
range.

input/nonregression/edf_c2_20.jp2 contains an SPcod(H) value
of 17, but according to Table A-20 of the specification only
values 0 and 1 are valid. input/nonregression/issue826.jp2
contains a SGcod(B) value of 2, but according to Table A-17
of the specification only values 0 and 1 are valid.
input/nonregression/oss-fuzz2785.jp2 contains a SGcod(B)
value of 32, but it is likewise limited to 0 or 1. These test
cases have been updated to consistently fail to parse the
headers since they contain out of bounds values.

This fixes issue #1210.
2019-09-04 05:14:41 +02:00
Sebastian Rasmussen d801bd4e62 openjp2/j2k: Make comments adhere to specification.
The function is used to read both SPcod and SPcoc, so all
comments should refer to both marker segments' parameter names.
2019-09-04 05:14:30 +02:00
Even Rouault e66125fe26
Merge pull request #1164 from sebras/master
openjp2/j2k: Report error if all wanted components are not decoded.
2019-09-03 17:03:54 +02:00
Even Rouault 8db9d25dcf
opj_decompress_fuzzer: remove checks regarding input dimensions (fixes #1079) 2019-06-15 09:55:16 +02:00
Even Rouault f4d6578359
test_decode_area.c: assign tdy to *ptileh instead of *ptilew (fixes #1195) 2019-05-26 11:06:30 +02:00
Even Rouault 9b7620ee7a
Merge pull request #1185 from Young-X/fix
Fix several potential vulnerabilities
2019-04-26 19:52:52 +02:00
Even Rouault 4f447c6e18
Merge pull request #1192 from rouault/poc_fixes
compression: emit POC marker when only one single POC is requested (f…
2019-04-25 15:32:22 +02:00
Even Rouault a94cfbd533
Change opj_j2k_check_poc_val() to take into account tile number 2019-04-25 15:06:45 +02:00
Even Rouault bdec5ae272
Add test for previous commit 2019-04-25 14:40:56 +02:00
Even Rouault 6423163141
Fix POC in multi-tile scenarios: avoid almost endless loop when a tile has no POC settings 2019-04-25 14:40:56 +02:00
Even Rouault b86717fdd3
Add test for previous commit 2019-04-25 14:40:56 +02:00
Even Rouault 23883458b9
opj_j2k_check_poc_val(): prevent potential write outside of allocated array 2019-04-25 14:40:56 +02:00
Even Rouault 6589c609f6
opj_j2k_check_poc_val(): fix starting index for checking layer dimension
The standard mandates that the layer index always starts at zero for every
progression.
2019-04-25 14:40:55 +02:00
Even Rouault 1e3a57563d
compression: emit POC marker when only one single POC is requested (fixes #1191) 2019-04-25 14:40:55 +02:00
Even Rouault 5dd75f62e2
j2k.c: use correct naming convention for total_data_size variable 2019-04-23 16:52:21 +02:00
Young Xiao 3aef207f90 bmp_read_rle4_data(): avoid potential infinite loop 2019-04-15 16:10:18 +08:00
Young Xiao 21399f6b7d convertbmp: detect invalid file dimensions early
width/length dimensions read from bmp headers are not necessarily
valid. For instance they may have been maliciously set to very large
values with the intention to cause DoS (large memory allocation, stack
overflow). In these cases we want to detect the invalid size as early
as possible.

This commit introduces a counter which verifies that the number of
written bytes corresponds to the advertized width/length.

See commit 8ee335227b for details.

Signed-off-by: Young Xiao <YangX92@hotmail.com>
2019-04-15 16:10:18 +08:00
Antonin Descampe d0dd894ae2 Comment back opj_previous_version in abi_check.sh 2019-04-02 15:37:38 +02:00
Antonin Descampe 291e45bb04 Update version number for automatic abi check 2019-04-02 15:12:59 +02:00
Antonin Descampe 5709632545 update token for appveyor auto release 2019-04-02 14:45:15 +02:00
Antonin Descampe 8b9a89bc2e update token for automatic release 2019-04-02 14:25:09 +02:00
Antonin Descampe d1d422c126 Update for release 2.3.1 2019-04-02 12:08:52 +02:00
Antonin Descampe d3b0b8927a
Update for release 2.3.1 2019-04-02 11:03:16 +02:00
Antonin Descampe c7798bb0c6
update for release 2.3.1 2019-04-02 11:02:20 +02:00
Antonin Descampe 8196ab531e
Update BUILD version for release 2.3.1 2019-04-02 11:00:58 +02:00
Even Rouault 69a7a312dc
Merge pull request #1188 from rouault/fix_abi_check
abi-check.sh: fix broken download URL
2019-03-29 12:25:39 +01:00
Even Rouault 5151426d6e
abi-check.sh: fix broken download URL 2019-03-29 11:53:23 +01:00
Even Rouault d6b8aed561
Merge pull request #1187 from rouault/fix_ubsan_in_opj_t1_encode_cblks
opj_t1_encode_cblks: fix UBSAN signed integer overflow
2019-03-29 11:52:38 +01:00
Even Rouault a1d32a596a
opj_t1_encode_cblks: fix UBSAN signed integer overflow
Fixes #1053 / CVE-2018-5727

Note: I don't consider this issue to be a security vulnerability, in
practice.
At least with gcc or clang compilers on x86_64 which generate the same
assembly code with or without that fix.
2019-03-29 11:17:39 +01:00
Even Rouault 25b815dc46
Revert "[JPWL] tgatoimage(): avoid excessive memory allocation attempt,"
This reverts commit 05be308446.

This commit doesn't compile due to missing OPJ_UINT64 type
2019-03-29 10:44:35 +01:00
Even Rouault e1740e7ce7
Revert "[MJ2] Avoid index out of bounds access to pi->include[]"
This reverts commit c277159986.

The commit didn't compile. include_size is not defined in openmj2
2019-03-29 10:40:58 +01:00
Sebastian Rasmussen b2751967ec openjp2/j2k: Report error if all wanted components are not decoded.
Previously the caller had to check whether each component data had
been decoded. This means duplicating the checking in every user of
openjpeg which is unnecessary. If the caller wantes to decode all
or a set of, or a specific component then openjpeg ought to error
out if it was unable to do so.

Fixes #1158.
2019-02-21 16:48:02 +08:00
Even Rouault 51f097e6d5
Merge pull request #1172 from hlef/master
convertbmp: detect invalid file dimensions early (CVE-2018-6616)
2018-12-21 16:41:00 +01:00
Hugo Lefeuvre 8ee335227b convertbmp: detect invalid file dimensions early
width/length dimensions read from bmp headers are not necessarily
valid. For instance they may have been maliciously set to very large
values with the intention to cause DoS (large memory allocation, stack
overflow). In these cases we want to detect the invalid size as early
as possible.

This commit introduces a counter which verifies that the number of
written bytes corresponds to the advertized width/length.

Fixes #1059 (CVE-2018-6616).
2018-12-14 05:10:35 +01:00
Even Rouault e7640f58f1
Merge pull request #1168 from Young-X/fix_dev
Fix multiple potential vulnerabilities and bugs
2018-12-07 21:27:38 +01:00
Young Xiao 05be308446 [JPWL] tgatoimage(): avoid excessive memory allocation attempt,
and fixes unaligned load

Signed-off-by: Young Xiao <YangX92@hotmail.com>
2018-11-28 14:44:06 +08:00
Young_X bd88611ed9 [JP3D] To avoid divisions by zero / undefined behaviour on shift (CVE-2018-14423
Signed-off-by: Young_X <YangX92@hotmail.com>
2018-11-28 14:39:15 +08:00
Young_X ce9583d1d7 [JPWL] opj_compress: reorder checks related to code block dimensions to avoid potential int overflow
Signed-off-by: Young_X <YangX92@hotmail.com>
2018-11-28 14:39:14 +08:00
Young_X c58df14990 [OPENJP2] change the way to compute *p_tx0, *p_tx1, *p_ty0, *p_ty1 in function
opj_get_encoding_parameters

Signed-off-by: Young_X <YangX92@hotmail.com>
2018-11-28 14:39:14 +08:00
Young_X c277159986 [MJ2] Avoid index out of bounds access to pi->include[]
Signed-off-by: Young_X <YangX92@hotmail.com>
2018-11-28 14:39:14 +08:00
Even Rouault e0f5212888
Merge pull request #1170 from rouault/fix_color_apply_icc_profile
color_apply_icc_profile: avoid potential heap buffer overflow
2018-11-28 00:04:30 +01:00
Even Rouault 2e5ab1d998
color_apply_icc_profile: avoid potential heap buffer overflow
Derived from a patch by Thuan Pham
2018-11-27 23:31:30 +01:00
Young_X 46822d0edd [JPWL] imagetotga(): fix read heap buffer overflow if numcomps < 3 (#987)
Signed-off-by: Young_X <YangX92@hotmail.com>
2018-11-23 17:08:57 +08:00
Young_X 619e1b086e [JPWL] fix CVE-2018-16375
Signed-off-by: Young_X <YangX92@hotmail.com>
2018-11-23 17:08:56 +08:00
Young_X c5bd64ea14 [MJ2] To avoid divisions by zero / undefined behaviour on shift
Signed-off-by: Young_X <YangX92@hotmail.com>
2018-11-23 14:47:36 +08:00
Even Rouault 92023cd6c3
Merge pull request #1160 from hlef/master
jp3d/jpwl convert: fix write stack buffer overflow
2018-11-16 09:42:19 +01:00
ichlubna c196b23b90 openjp3d: Int overflow fixed (#1159)
When compressing a lot of slices (starting from 44 FullHD slices with 3 8bit components in our experiments) the rate values are high enough to cause an int overflow that leads to negative lengths and wrong results. The cast happens too late.
2018-11-16 09:40:31 +01:00
Hugo Lefeuvre cab352e249 jp2: convert: fix null pointer dereference
Tile components in a JP2 image might have null data pointer by defining a
zero component size (for example using large horizontal or vertical
sampling periods). This null data pointer leads to null image component
data pointer, causing crash when dereferenced without != null check in
imagetopnm.

Add != null check.

This commit addresses #1152 (CVE-2018-18088).
2018-11-07 18:53:18 +01:00
Hugo Lefeuvre 0bc90e4062 jp3d/jpwl convert: fix write stack buffer overflow
Missing buffer length formatter in fscanf call might lead to write
stack buffer overflow.

fixes #1044 (CVE-2017-17480)
2018-11-01 09:05:26 +01:00
Stefan Weil 948332e6ed Fix some potential overflow issues (#1161)
* Fix some potential overflow issues

Put sizeof to the beginning of the multiplication to enforce that
size_t instead of smaller integer types is used for the calculation.

This fixes warnings from LGTM:

    Multiplication result may overflow 'unsigned int'
    before it is converted to 'unsigned long'.

It also allows removing some type casts.

Signed-off-by: Stefan Weil <sw@weilnetz.de>

* Fix code indentation

Signed-off-by: Stefan Weil <sw@weilnetz.de>
2018-10-31 20:44:30 +01:00