Even Rouault [Fri, 29 Mar 2019 10:17:39 +0000 (11:17 +0100)]
opj_t1_encode_cblks: fix UBSAN signed integer overflow
Fixes #1053 / CVE-2018-5727
Note: I don't consider this issue to be a security vulnerability, in
practice.
At least with gcc or clang compilers on x86_64 which generate the same
assembly code with or without that fix.
Hugo Lefeuvre [Fri, 14 Dec 2018 03:58:40 +0000 (04:58 +0100)]
convertbmp: detect invalid file dimensions early
width/length dimensions read from bmp headers are not necessarily
valid. For instance they may have been maliciously set to very large
values with the intention to cause DoS (large memory allocation, stack
overflow). In these cases we want to detect the invalid size as early
as possible.
This commit introduces a counter which verifies that the number of
written bytes corresponds to the advertized width/length.
ichlubna [Fri, 16 Nov 2018 08:40:31 +0000 (09:40 +0100)]
openjp3d: Int overflow fixed (#1159)
When compressing a lot of slices (starting from 44 FullHD slices with 3 8bit components in our experiments) the rate values are high enough to cause an int overflow that leads to negative lengths and wrong results. The cast happens too late.
Hugo Lefeuvre [Wed, 7 Nov 2018 17:48:29 +0000 (18:48 +0100)]
jp2: convert: fix null pointer dereference
Tile components in a JP2 image might have null data pointer by defining a
zero component size (for example using large horizontal or vertical
sampling periods). This null data pointer leads to null image component
data pointer, causing crash when dereferenced without != null check in
imagetopnm.
Karol Babioch [Fri, 2 Mar 2018 13:40:58 +0000 (14:40 +0100)]
opj_mj2_extract: Check provided output prefix for length
This uses snprintf() with correct buffer length instead of sprintf(), which
prevents a buffer overflow when providing a long output prefix. Furthermore
the program exits with an error when the provided output prefix is too long.
Hugo Lefeuvre [Sat, 22 Sep 2018 18:33:19 +0000 (14:33 -0400)]
convertbmp: fix issues with zero bitmasks
In the case where a BMP file declares compression 3 (BI_BITFIELDS)
with header size <= 56, all bitmask values keep their initialization
value 0. This may lead to various undefined behavior later e.g. when
doing 1 << (l_comp->prec - 1).
This issue does not affect files with bit count 16 because of a check
added in 16240e2 which sets default values to the color masks if they
are all 0.
This commit adds similar checks for the 32 bit case.
Also, if a BMP file declares compression 3 with header size >= 56 and
intentional 0 bitmasks, the same issue will be triggered in both the
16 and 32 bit count case.
This commit adds checks to bmp_read_info_header() rejecting BMP files
with "intentional" 0 bitmasks. These checks might be removed in the
future when proper handling of zero bitmasks will be available in
openjpeg2.
Stefan Weil [Wed, 5 Sep 2018 19:51:30 +0000 (21:51 +0200)]
openjp2/jp2: Fix two format strings
Compiler warnings:
src/lib/openjp2/jp2.c:1008:35: warning:
too many arguments for format [-Wformat-extra-args]
src/lib/openjp2/j2k.c:1928:73: warning:
format ‘%d’ expects argument of type ‘int’, but argument 4 has type ‘OPJ_OFF_T {aka long int}’ [-Wformat=]
Even Rouault [Wed, 20 Jun 2018 12:54:09 +0000 (14:54 +0200)]
Avoid assertion when running opj_j2k_merge_ppt() several time due to e6674f7ed66abdb32a0be5944f618722b6a7b5d5 revert. Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2785
Even Rouault [Wed, 20 Jun 2018 12:38:41 +0000 (14:38 +0200)]
Revert "Avoid assertion in opj_j2k_merge_ppt() in case premature EOC is encountered in opj_j2k_read_tile_header(). Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2785. Credit to OSS Fuzz" (fixes #1120)
Karol Babioch [Fri, 2 Mar 2018 13:03:03 +0000 (14:03 +0100)]
mj2: Add missing variable to format string in fprintf() invocation in meta_out.c
This adds the appropriate variables to the invocation of fprintf(). They were
specified in the format string, but were missing in the actual call. This
fixes #1074 and #1075.
Even Rouault [Sun, 11 Feb 2018 12:31:04 +0000 (13:31 +0100)]
Avoid out-of-bounds write overflow due to uint32 overflow computation on images with huge dimensions. Credit to Google Autofuzz project for providing test case
Even Rouault [Mon, 8 Jan 2018 08:38:44 +0000 (09:38 +0100)]
opj_t2_encode_packet(): disable setting empty packet header bit to 1 when there is an empty packet
This effectively reverts commit 2609fb8077125b5b31f1bcc2f98c12ff1e6572d7
since it has been reported that
such packets cause decoding issues with cinema J2K hardware
decoders: https://groups.google.com/forum/#!topic/openjpeg/M7M_fLX_Bco
Even Rouault [Thu, 30 Nov 2017 13:48:34 +0000 (14:48 +0100)]
opj_j2k_read_cod: remove check for 'No more than one COD marker per tile' (fixes #1043)
This check was added per https://github.com/uclouvain/openjpeg/commit/daed8cc9195555e101ab708a501af2dfe6d5e001
to fix https://github.com/uclouvain/openjpeg/issues/476 , but it does not seem
to be necessary with latest master (issue476.jp2 doesn't cause memory issues),
and breaks reading legit files.