From patchwork Tue Mar 14 22:58:21 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Peter Korsgaard X-Patchwork-Id: 738974 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Received: from fraxinus.osuosl.org (smtp4.osuosl.org [140.211.166.137]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 3vjVX91DdLz9s1h for ; Wed, 15 Mar 2017 09:58:33 +1100 (AEDT) Authentication-Results: ozlabs.org; dkim=fail reason="signature verification failed" (2048-bit key; unprotected) header.d=gmail.com header.i=@gmail.com header.b="qimB+fHJ"; dkim-atps=neutral Received: from localhost (localhost [127.0.0.1]) by fraxinus.osuosl.org (Postfix) with ESMTP id 7D01A88179; Tue, 14 Mar 2017 22:58:31 +0000 (UTC) X-Virus-Scanned: amavisd-new at osuosl.org Received: from fraxinus.osuosl.org ([127.0.0.1]) by localhost (.osuosl.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yYKOM8r7FZ5y; Tue, 14 Mar 2017 22:58:29 +0000 (UTC) Received: from ash.osuosl.org (ash.osuosl.org [140.211.166.34]) by fraxinus.osuosl.org (Postfix) with ESMTP id A52C088178; Tue, 14 Mar 2017 22:58:29 +0000 (UTC) X-Original-To: buildroot@lists.busybox.net Delivered-To: buildroot@osuosl.org Received: from whitealder.osuosl.org (smtp1.osuosl.org [140.211.166.138]) by ash.osuosl.org (Postfix) with ESMTP id 1F7201C1011 for ; Tue, 14 Mar 2017 22:58:29 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]) by whitealder.osuosl.org (Postfix) with ESMTP id 159EB88E2C for ; Tue, 14 Mar 2017 22:58:29 +0000 (UTC) X-Virus-Scanned: amavisd-new at osuosl.org Received: from whitealder.osuosl.org ([127.0.0.1]) by localhost (.osuosl.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2Z2kp2iB9thf for ; Tue, 14 Mar 2017 22:58:28 +0000 (UTC) X-Greylist: domain auto-whitelisted by SQLgrey-1.7.6 Received: from mail-wm0-f67.google.com (mail-wm0-f67.google.com [74.125.82.67]) by whitealder.osuosl.org (Postfix) with ESMTPS id BED5686C53 for ; Tue, 14 Mar 2017 22:58:27 +0000 (UTC) Received: by mail-wm0-f67.google.com with SMTP id z63so2105239wmg.2 for ; Tue, 14 Mar 2017 15:58:27 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=sender:from:to:cc:subject:date:message-id; bh=MPHZB3gJr9+x14r6+dzVVw8czEt73LLyC14NBOB/AvU=; b=qimB+fHJUHpIT6OQD1N0xrjXGsGySQW2u6V5wrwWJLVywdIhYgwAoam+i2dP6trD9P 8G20SdAA4gGIuiDwY9/G8SahgEJcgFz31x+l7PcyPI+PEJR433SQzY6y5RqL5vHPBSWw /dYh7rl6v0ALsoxapcrGxbq/cVNq38uTDLjNGkqHWaWchbFczIhCneNPmgzadqVh3LAc pAaEv+SdGR4MMpPFJecmIwOUPsL8xdRMPD3/VRXbzQuNZUz/1JKGNtnON+hQJCa8V3dB sI+fmJXMc9dlxvR2Z7XLKckb+sdDWI3UalS+bNO5OvUmPm22OY9BJg6TIED9gJjBtMBY 2k1A== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:sender:from:to:cc:subject:date:message-id; bh=MPHZB3gJr9+x14r6+dzVVw8czEt73LLyC14NBOB/AvU=; b=tXzPCnF01OKzfJCsZkgp7p2qptsLGPv4/2CpizVNJK+swnsNxTW9eDn9WiWCoxTqbm mD4fs4+4ttp0Vha/ENCe5tQHo7GVrdn5y9yIqLK/MjKimLeI8gUG3EYKT5jqavq27DUJ FlpLMpGRNwyaE6TwikixBW7/bMza/76P2TMwUk3KWbHgt76ZpiMH8whwTqzPTfX2Nr+W /iGx+AyFylYPPUiU+5XIjmImsR5T1egnW0pqMY9dzPRWjjGKLx665CAmP4qIfi81lNUV WMXjki7EwtmevX2kBfA2XcOgqZ4kub7e6dqsBqSi2Kcf3IThGwrehRfZYdjCVNDswkE/ IoQQ== X-Gm-Message-State: AFeK/H2MAZS8oXxTdLBVJqupttjtxc2Mehm3ske58JafdBjnnVbnhj8m3NHNhMMuGY8Dbg== X-Received: by 10.28.139.134 with SMTP id n128mr16162592wmd.132.1489532305938; Tue, 14 Mar 2017 15:58:25 -0700 (PDT) Received: from dell.be.48ers.dk (d51A5BC31.access.telenet.be. [81.165.188.49]) by smtp.gmail.com with ESMTPSA id i203sm1501247wmf.12.2017.03.14.15.58.24 (version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256); Tue, 14 Mar 2017 15:58:25 -0700 (PDT) Received: from peko by dell.be.48ers.dk with local (Exim 4.88) (envelope-from ) id 1cnvOa-00082x-1Y; Tue, 14 Mar 2017 23:58:24 +0100 From: Peter Korsgaard To: buildroot@buildroot.org Date: Tue, 14 Mar 2017 23:58:21 +0100 Message-Id: <20170314225822.30891-1-peter@korsgaard.com> X-Mailer: git-send-email 2.11.0 Subject: [Buildroot] [PATCH 1/2] jasper: add upstream security fix for CVE-2017-6850 X-BeenThere: buildroot@busybox.net X-Mailman-Version: 2.1.18-1 Precedence: list List-Id: Discussion and development of buildroot List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Errors-To: buildroot-bounces@busybox.net Sender: "buildroot" Fixes a NULL pointer dereference in jp2_cdef_destroy: https://blogs.gentoo.org/ago/2017/01/25/jasper-null-pointer-dereference-in-jp2_cdef_destroy-jp2_cod-c/ https://github.com/mdadams/jasper/issues/112 Signed-off-by: Peter Korsgaard --- ...due-to-uninitialized-data-in-the-JP2-deco.patch | 286 +++++++++++++++++++++ 1 file changed, 286 insertions(+) create mode 100644 package/jasper/0002-Fixed-bugs-due-to-uninitialized-data-in-the-JP2-deco.patch diff --git a/package/jasper/0002-Fixed-bugs-due-to-uninitialized-data-in-the-JP2-deco.patch b/package/jasper/0002-Fixed-bugs-due-to-uninitialized-data-in-the-JP2-deco.patch new file mode 100644 index 000000000..be8472053 --- /dev/null +++ b/package/jasper/0002-Fixed-bugs-due-to-uninitialized-data-in-the-JP2-deco.patch @@ -0,0 +1,286 @@ +From e96fc4fdd525fa0ede28074a7e2b1caf94b58b0d Mon Sep 17 00:00:00 2001 +From: Michael Adams +Date: Sat, 4 Mar 2017 14:43:24 -0800 +Subject: [PATCH] Fixed bugs due to uninitialized data in the JP2 decoder. + Also, added some comments marking I/O stream interfaces that probably need to + be changed (in the long term) to fix integer overflow problems. + +Signed-off-by: Peter Korsgaard +--- + src/libjasper/base/jas_stream.c | 18 +++++++++++++++++ + src/libjasper/jp2/jp2_cod.c | 44 ++++++++++++++++++++++++++++------------- + 2 files changed, 48 insertions(+), 14 deletions(-) + +diff --git a/src/libjasper/base/jas_stream.c b/src/libjasper/base/jas_stream.c +index 327ee57..d70408f 100644 +--- a/src/libjasper/base/jas_stream.c ++++ b/src/libjasper/base/jas_stream.c +@@ -664,6 +664,7 @@ int jas_stream_ungetc(jas_stream_t *stream, int c) + return 0; + } + ++/* FIXME integral type */ + int jas_stream_read(jas_stream_t *stream, void *buf, int cnt) + { + int n; +@@ -690,6 +691,7 @@ int jas_stream_read(jas_stream_t *stream, void *buf, int cnt) + return n; + } + ++/* FIXME integral type */ + int jas_stream_write(jas_stream_t *stream, const void *buf, int cnt) + { + int n; +@@ -742,6 +744,7 @@ int jas_stream_puts(jas_stream_t *stream, const char *s) + return 0; + } + ++/* FIXME integral type */ + char *jas_stream_gets(jas_stream_t *stream, char *buf, int bufsize) + { + int c; +@@ -765,6 +768,7 @@ char *jas_stream_gets(jas_stream_t *stream, char *buf, int bufsize) + return buf; + } + ++/* FIXME integral type */ + int jas_stream_gobble(jas_stream_t *stream, int n) + { + int m; +@@ -783,6 +787,7 @@ int jas_stream_gobble(jas_stream_t *stream, int n) + return n; + } + ++/* FIXME integral type */ + int jas_stream_pad(jas_stream_t *stream, int n, int c) + { + int m; +@@ -885,6 +890,7 @@ long jas_stream_tell(jas_stream_t *stream) + * Buffer initialization code. + \******************************************************************************/ + ++/* FIXME integral type */ + static void jas_stream_initbuf(jas_stream_t *stream, int bufmode, char *buf, + int bufsize) + { +@@ -1060,6 +1066,7 @@ static int jas_strtoopenmode(const char *s) + return openmode; + } + ++/* FIXME integral type */ + int jas_stream_copy(jas_stream_t *out, jas_stream_t *in, int n) + { + int all; +@@ -1085,6 +1092,7 @@ int jas_stream_copy(jas_stream_t *out, jas_stream_t *in, int n) + return 0; + } + ++/* FIXME integral type */ + long jas_stream_setrwcount(jas_stream_t *stream, long rwcnt) + { + int old; +@@ -1094,6 +1102,7 @@ long jas_stream_setrwcount(jas_stream_t *stream, long rwcnt) + return old; + } + ++/* FIXME integral type */ + int jas_stream_display(jas_stream_t *stream, FILE *fp, int n) + { + unsigned char buf[16]; +@@ -1168,6 +1177,7 @@ long jas_stream_length(jas_stream_t *stream) + * Memory stream object. + \******************************************************************************/ + ++/* FIXME integral type */ + static int mem_read(jas_stream_obj_t *obj, char *buf, int cnt) + { + ssize_t n; +@@ -1209,6 +1219,7 @@ static int mem_resize(jas_stream_memobj_t *m, size_t bufsize) + return 0; + } + ++/* FIXME integral type */ + static int mem_write(jas_stream_obj_t *obj, char *buf, int cnt) + { + size_t n; +@@ -1264,6 +1275,7 @@ static int mem_write(jas_stream_obj_t *obj, char *buf, int cnt) + return ret; + } + ++/* FIXME integral type */ + static long mem_seek(jas_stream_obj_t *obj, long offset, int origin) + { + jas_stream_memobj_t *m = (jas_stream_memobj_t *)obj; +@@ -1310,6 +1322,7 @@ static int mem_close(jas_stream_obj_t *obj) + * File stream object. + \******************************************************************************/ + ++/* FIXME integral type */ + static int file_read(jas_stream_obj_t *obj, char *buf, int cnt) + { + jas_stream_fileobj_t *fileobj; +@@ -1318,6 +1331,7 @@ static int file_read(jas_stream_obj_t *obj, char *buf, int cnt) + return read(fileobj->fd, buf, cnt); + } + ++/* FIXME integral type */ + static int file_write(jas_stream_obj_t *obj, char *buf, int cnt) + { + jas_stream_fileobj_t *fileobj; +@@ -1326,6 +1340,7 @@ static int file_write(jas_stream_obj_t *obj, char *buf, int cnt) + return write(fileobj->fd, buf, cnt); + } + ++/* FIXME integral type */ + static long file_seek(jas_stream_obj_t *obj, long offset, int origin) + { + jas_stream_fileobj_t *fileobj; +@@ -1352,6 +1367,7 @@ static int file_close(jas_stream_obj_t *obj) + * Stdio file stream object. + \******************************************************************************/ + ++/* FIXME integral type */ + static int sfile_read(jas_stream_obj_t *obj, char *buf, int cnt) + { + FILE *fp; +@@ -1367,6 +1383,7 @@ static int sfile_read(jas_stream_obj_t *obj, char *buf, int cnt) + return result; + } + ++/* FIXME integral type */ + static int sfile_write(jas_stream_obj_t *obj, char *buf, int cnt) + { + FILE *fp; +@@ -1377,6 +1394,7 @@ static int sfile_write(jas_stream_obj_t *obj, char *buf, int cnt) + return (n != JAS_CAST(size_t, cnt)) ? (-1) : cnt; + } + ++/* FIXME integral type */ + static long sfile_seek(jas_stream_obj_t *obj, long offset, int origin) + { + FILE *fp; +diff --git a/src/libjasper/jp2/jp2_cod.c b/src/libjasper/jp2/jp2_cod.c +index 7f3608a..8d98a2c 100644 +--- a/src/libjasper/jp2/jp2_cod.c ++++ b/src/libjasper/jp2/jp2_cod.c +@@ -183,15 +183,28 @@ jp2_boxinfo_t jp2_boxinfo_unk = { + * Box constructor. + \******************************************************************************/ + +-jp2_box_t *jp2_box_create(int type) ++jp2_box_t *jp2_box_create0() + { + jp2_box_t *box; +- jp2_boxinfo_t *boxinfo; +- + if (!(box = jas_malloc(sizeof(jp2_box_t)))) { + return 0; + } + memset(box, 0, sizeof(jp2_box_t)); ++ box->type = 0; ++ box->len = 0; ++ // Mark the box data as never having been constructed ++ // so that we will not errantly attempt to destroy it later. ++ box->ops = &jp2_boxinfo_unk.ops; ++ return box; ++} ++ ++jp2_box_t *jp2_box_create(int type) ++{ ++ jp2_box_t *box; ++ jp2_boxinfo_t *boxinfo; ++ if (!(box = jp2_box_create0())) { ++ return 0; ++ } + box->type = type; + box->len = 0; + if (!(boxinfo = jp2_boxinfolookup(type))) { +@@ -248,14 +261,9 @@ jp2_box_t *jp2_box_get(jas_stream_t *in) + box = 0; + tmpstream = 0; + +- if (!(box = jas_malloc(sizeof(jp2_box_t)))) { ++ if (!(box = jp2_box_create0())) { + goto error; + } +- +- // Mark the box data as never having been constructed +- // so that we will not errantly attempt to destroy it later. +- box->ops = &jp2_boxinfo_unk.ops; +- + if (jp2_getuint32(in, &len) || jp2_getuint32(in, &box->type)) { + goto error; + } +@@ -263,10 +271,12 @@ jp2_box_t *jp2_box_get(jas_stream_t *in) + box->info = boxinfo; + box->len = len; + JAS_DBGLOG(10, ( +- "preliminary processing of JP2 box: type=%c%s%c (0x%08x); length=%d\n", ++ "preliminary processing of JP2 box: " ++ "type=%c%s%c (0x%08x); length=%"PRIuFAST32"\n", + '"', boxinfo->name, '"', box->type, box->len + )); + if (box->len == 1) { ++ JAS_DBGLOG(10, ("big length\n")); + if (jp2_getuint64(in, &extlen)) { + goto error; + } +@@ -382,6 +392,7 @@ static int jp2_bpcc_getdata(jp2_box_t *box, jas_stream_t *in) + { + jp2_bpcc_t *bpcc = &box->data.bpcc; + unsigned int i; ++ bpcc->bpcs = 0; + bpcc->numcmpts = box->datalen; + if (!(bpcc->bpcs = jas_alloc2(bpcc->numcmpts, sizeof(uint_fast8_t)))) { + return -1; +@@ -462,6 +473,7 @@ static int jp2_cdef_getdata(jp2_box_t *box, jas_stream_t *in) + jp2_cdef_t *cdef = &box->data.cdef; + jp2_cdefchan_t *chan; + unsigned int channo; ++ cdef->ents = 0; + if (jp2_getuint16(in, &cdef->numchans)) { + return -1; + } +@@ -518,7 +530,9 @@ int jp2_box_put(jp2_box_t *box, jas_stream_t *out) + } + + if (dataflag) { +- if (jas_stream_copy(out, tmpstream, box->len - JP2_BOX_HDRLEN(false))) { ++ if (jas_stream_copy(out, tmpstream, box->len - ++ JP2_BOX_HDRLEN(false))) { ++ jas_eprintf("cannot copy box data\n"); + goto error; + } + jas_stream_close(tmpstream); +@@ -777,6 +791,7 @@ static int jp2_cmap_getdata(jp2_box_t *box, jas_stream_t *in) + jp2_cmap_t *cmap = &box->data.cmap; + jp2_cmapent_t *ent; + unsigned int i; ++ cmap->ents = 0; + + cmap->numchans = (box->datalen) / 4; + if (!(cmap->ents = jas_alloc2(cmap->numchans, sizeof(jp2_cmapent_t)))) { +@@ -835,6 +850,7 @@ static int jp2_pclr_getdata(jp2_box_t *box, jas_stream_t *in) + int_fast32_t x; + + pclr->lutdata = 0; ++ pclr->bpc = 0; + + if (jp2_getuint16(in, &pclr->numlutents) || + jp2_getuint8(in, &pclr->numchans)) { +@@ -869,9 +885,9 @@ static int jp2_pclr_putdata(jp2_box_t *box, jas_stream_t *out) + #if 0 + jp2_pclr_t *pclr = &box->data.pclr; + #endif +-/* Eliminate warning about unused variable. */ +-box = 0; +-out = 0; ++ /* Eliminate warning about unused variable. */ ++ box = 0; ++ out = 0; + return -1; + } + +-- +2.11.0 +