current/SOURCES/openjpeg-1.5.1-CVE-2013-6045.patch

diff -rupN openjpeg-1.5.1/libopenjpeg/j2k.c openjpeg-1.5.1-new/libopenjpeg/j2k.c
--- openjpeg-1.5.1/libopenjpeg/j2k.c    2013-12-05 10:26:15.000000000 +0100
+++ openjpeg-1.5.1-new/libopenjpeg/j2k.c        2013-12-05 10:32:34.752636957 +0100
@@ -823,6 +823,12 @@ static void j2k_read_coc(opj_j2k_t *j2k)
        
        len = cio_read(cio, 2);         /* Lcoc */
        compno = cio_read(cio, image->numcomps <= 256 ? 1 : 2); /* Ccoc */
+       if ((compno < 0) || (compno >= image->numcomps)) {
+               opj_event_msg(j2k->cinfo, EVT_ERROR ,
+                               "bad component number in COC (%d out of a maximum of %d)\n",
+                               compno, image->numcomps);
+               return;
+       }
        tcp->tccps[compno].csty = cio_read(cio, 1);     /* Scoc */
        j2k_read_cox(j2k, compno);
 }
@@ -1004,8 +1010,18 @@ static void j2k_read_qcc(opj_j2k_t *j2k)
 
                /* keep your private count of tiles */
                backup_compno++;
-       };
+       }
+       else
 #endif /* USE_JPWL */
+       {
+               /* compno is negative or larger than the number of components!!! */
+               if ((compno < 0) || (compno >= numcomp)) {
+                       opj_event_msg(j2k->cinfo, EVT_ERROR,
+                               "JPWL: bad component number in QCC (%d out of a maximum of %d)\n",
+                               compno, numcomp);
+                       return;
+               }
+       }
 
        j2k_read_qcx(j2k, compno, len - 2 - (numcomp <= 256 ? 1 : 2));
 }
@@ -1051,6 +1067,17 @@ static void j2k_read_poc(opj_j2k_t *j2k)
        tcp->POC = 1;
        len = cio_read(cio, 2);         /* Lpoc */
        numpchgs = (len - 2) / (5 + 2 * (numcomps <= 256 ? 1 : 2));
+
+       {
+               /* old_poc < 0 "just in case" */
+               int maxpocs = (sizeof(tcp->pocs)/sizeof(tcp->pocs[0]));
+               if ((old_poc < 0) || ((numpchgs + old_poc) >= maxpocs)) {
+                       opj_event_msg(j2k->cinfo, EVT_ERROR,
+                               "JPWL: bad number of progression order changes (%d out of a maximum of %d)\n",
+                               (numpchgs + old_poc), maxpocs);
+                       return;
+               }
+       }
        
        for (i = old_poc; i < numpchgs + old_poc; i++) {
                opj_poc_t *poc;
@@ -1590,6 +1617,14 @@ static void j2k_read_rgn(opj_j2k_t *j2k)
        };
 #endif /* USE_JPWL */
 
+       /* totlen is negative or larger than the bytes left!!! */
+       if (compno >= numcomps) {
+               opj_event_msg(j2k->cinfo, EVT_ERROR,
+                       "JPWL: bad component number in RGN (%d when there are only %d)\n",
+                       compno, numcomps);
+               return;
+       }
+
        tcp->tccps[compno].roishift = cio_read(cio, 1);                         /* SPrgn */
 }
 
diff -rupN openjpeg-1.5.1/libopenjpeg/tcd.c openjpeg-1.5.1-new/libopenjpeg/tcd.c
--- openjpeg-1.5.1/libopenjpeg/tcd.c    2012-09-13 09:58:39.000000000 +0200
+++ openjpeg-1.5.1-new/libopenjpeg/tcd.c        2013-12-05 10:32:21.721452575 +0100
@@ -1394,10 +1394,19 @@ opj_bool tcd_decode_tile(opj_tcd_t *tcd,
         return OPJ_FALSE;
     }
 
+       int comp0size = (tile->comps[0].x1 - tile->comps[0].x0) * (tile->comps[0].y1 - tile->comps[0].y0);
        for (compno = 0; compno < tile->numcomps; ++compno) {
                opj_tcd_tilecomp_t* tilec = &tile->comps[compno];
+               int compcsize = ((tilec->x1 - tilec->x0) * (tilec->y1 - tilec->y0));
+               /* Later-on it is assumed that all components are of at least comp0size blocks */
+               if (compcsize < comp0size)
+               {
+                       opj_event_msg(tcd->cinfo, EVT_ERROR, "Error decoding tile. Component %d contains only %d blocks "
+                               "while component 0 has %d blocks\n", compno, compcsize, comp0size);
+                       return OPJ_FALSE;
+               }
                /* The +3 is headroom required by the vectorized DWT */
-               tilec->data = (int*) opj_aligned_malloc((((tilec->x1 - tilec->x0) * (tilec->y1 - tilec->y0))+3) * sizeof(int));
+               tilec->data = (int*) opj_aligned_malloc((comp0size+3) * sizeof(int));
         if (tilec->data == NULL)
         {
             opj_event_msg(tcd->cinfo, EVT_ERROR, "Out of memory\n");
1	diff -rupN openjpeg-1.5.1/libopenjpeg/j2k.c openjpeg-1.5.1-new/libopenjpeg/j2k.c
2	--- openjpeg-1.5.1/libopenjpeg/j2k.c 2013-12-05 10:26:15.000000000 +0100
3	+++ openjpeg-1.5.1-new/libopenjpeg/j2k.c 2013-12-05 10:32:34.752636957 +0100
4	@@ -823,6 +823,12 @@ static void j2k_read_coc(opj_j2k_t *j2k)
5
6	len = cio_read(cio, 2); /* Lcoc */
7	compno = cio_read(cio, image->numcomps <= 256 ? 1 : 2); /* Ccoc */
8	+ if ((compno < 0) \|\| (compno >= image->numcomps)) {
9	+ opj_event_msg(j2k->cinfo, EVT_ERROR ,
10	+ "bad component number in COC (%d out of a maximum of %d)\n",
11	+ compno, image->numcomps);
12	+ return;
13	+ }
14	tcp->tccps[compno].csty = cio_read(cio, 1); /* Scoc */
15	j2k_read_cox(j2k, compno);
16	}
17	@@ -1004,8 +1010,18 @@ static void j2k_read_qcc(opj_j2k_t *j2k)
18
19	/* keep your private count of tiles */
20	backup_compno++;
21	- };
22	+ }
23	+ else
24	#endif /* USE_JPWL */
25	+ {
26	+ /* compno is negative or larger than the number of components!!! */
27	+ if ((compno < 0) \|\| (compno >= numcomp)) {
28	+ opj_event_msg(j2k->cinfo, EVT_ERROR,
29	+ "JPWL: bad component number in QCC (%d out of a maximum of %d)\n",
30	+ compno, numcomp);
31	+ return;
32	+ }
33	+ }
34
35	j2k_read_qcx(j2k, compno, len - 2 - (numcomp <= 256 ? 1 : 2));
36	}
37	@@ -1051,6 +1067,17 @@ static void j2k_read_poc(opj_j2k_t *j2k)
38	tcp->POC = 1;
39	len = cio_read(cio, 2); /* Lpoc */
40	numpchgs = (len - 2) / (5 + 2 * (numcomps <= 256 ? 1 : 2));
41	+
42	+ {
43	+ /* old_poc < 0 "just in case" */
44	+ int maxpocs = (sizeof(tcp->pocs)/sizeof(tcp->pocs[0]));
45	+ if ((old_poc < 0) \|\| ((numpchgs + old_poc) >= maxpocs)) {
46	+ opj_event_msg(j2k->cinfo, EVT_ERROR,
47	+ "JPWL: bad number of progression order changes (%d out of a maximum of %d)\n",
48	+ (numpchgs + old_poc), maxpocs);
49	+ return;
50	+ }
51	+ }
52
53	for (i = old_poc; i < numpchgs + old_poc; i++) {
54	opj_poc_t *poc;
55	@@ -1590,6 +1617,14 @@ static void j2k_read_rgn(opj_j2k_t *j2k)
56	};
57	#endif /* USE_JPWL */
58
59	+ /* totlen is negative or larger than the bytes left!!! */
60	+ if (compno >= numcomps) {
61	+ opj_event_msg(j2k->cinfo, EVT_ERROR,
62	+ "JPWL: bad component number in RGN (%d when there are only %d)\n",
63	+ compno, numcomps);
64	+ return;
65	+ }
66	+
67	tcp->tccps[compno].roishift = cio_read(cio, 1); /* SPrgn */
68	}
69
70	diff -rupN openjpeg-1.5.1/libopenjpeg/tcd.c openjpeg-1.5.1-new/libopenjpeg/tcd.c
71	--- openjpeg-1.5.1/libopenjpeg/tcd.c 2012-09-13 09:58:39.000000000 +0200
72	+++ openjpeg-1.5.1-new/libopenjpeg/tcd.c 2013-12-05 10:32:21.721452575 +0100
73	@@ -1394,10 +1394,19 @@ opj_bool tcd_decode_tile(opj_tcd_t *tcd,
74	return OPJ_FALSE;
75	}
76
77	+ int comp0size = (tile->comps[0].x1 - tile->comps[0].x0) * (tile->comps[0].y1 - tile->comps[0].y0);
78	for (compno = 0; compno < tile->numcomps; ++compno) {
79	opj_tcd_tilecomp_t* tilec = &tile->comps[compno];
80	+ int compcsize = ((tilec->x1 - tilec->x0) * (tilec->y1 - tilec->y0));
81	+ /* Later-on it is assumed that all components are of at least comp0size blocks */
82	+ if (compcsize < comp0size)
83	+ {
84	+ opj_event_msg(tcd->cinfo, EVT_ERROR, "Error decoding tile. Component %d contains only %d blocks "
85	+ "while component 0 has %d blocks\n", compno, compcsize, comp0size);
86	+ return OPJ_FALSE;
87	+ }
88	/* The +3 is headroom required by the vectorized DWT */
89	- tilec->data = (int) opj_aligned_malloc((((tilec->x1 - tilec->x0) (tilec->y1 - tilec->y0))+3) * sizeof(int));
90	+ tilec->data = (int) opj_aligned_malloc((comp0size+3) sizeof(int));
91	if (tilec->data == NULL)
92	{
93	opj_event_msg(tcd->cinfo, EVT_ERROR, "Out of memory\n");