current/SOURCES/openjpeg-1.5.1-CVE-2013-6052.patch

diff -rupN openjpeg-1.5.1/libopenjpeg/cio.c openjpeg-1.5.1-new/libopenjpeg/cio.c
--- openjpeg-1.5.1/libopenjpeg/cio.c    2012-09-13 09:58:39.000000000 +0200
+++ openjpeg-1.5.1-new/libopenjpeg/cio.c        2013-12-05 10:25:07.717415888 +0100
@@ -30,6 +30,7 @@
  */
 
 #include "opj_includes.h"
+#include <assert.h>
 
 /* ----------------------------------------------------------------------- */
 
@@ -139,6 +140,11 @@ opj_bool cio_byteout(opj_cio_t *cio, uns
  * Read a byte.
  */
 unsigned char cio_bytein(opj_cio_t *cio) {
+       if (cio->bp < cio->start) {
+               opj_event_msg(cio->cinfo, EVT_ERROR, "read error: trying to read from before the start of the codestream (start = %d, current = %d, end = %d\n", cio->start, cio->bp, cio->end);
+               abort();
+               return 0;
+       }
        if (cio->bp >= cio->end) {
                opj_event_msg(cio->cinfo, EVT_ERROR, "read error: passed the end of the codestream (start = %d, current = %d, end = %d\n", cio->start, cio->bp, cio->end);
                return 0;
@@ -173,7 +179,7 @@ unsigned int cio_read(opj_cio_t *cio, in
        unsigned int v;
        v = 0;
        for (i = n - 1; i >= 0; i--) {
-               v += cio_bytein(cio) << (i << 3);
+               v += (unsigned int)cio_bytein(cio) << (i << 3);
        }
        return v;
 }
@@ -184,6 +190,7 @@ unsigned int cio_read(opj_cio_t *cio, in
  * n : number of bytes to skip
  */
 void cio_skip(opj_cio_t *cio, int n) {
+       assert((cio->bp + n) >= cio->bp);
        cio->bp += n;
 }
 
diff -rupN openjpeg-1.5.1/libopenjpeg/jp2.c openjpeg-1.5.1-new/libopenjpeg/jp2.c
--- openjpeg-1.5.1/libopenjpeg/jp2.c    2012-09-13 09:58:39.000000000 +0200
+++ openjpeg-1.5.1-new/libopenjpeg/jp2.c        2013-12-05 10:25:07.718415907 +0100
@@ -172,6 +172,9 @@ static opj_bool jp2_read_boxhdr(opj_comm
        }
        else if (box->length == 0) {
                box->length = cio_numbytesleft(cio) + 8;
+       } else if (box->length < 0) {
+               opj_event_msg(cinfo, EVT_ERROR, "Invalid, negative, size of box\n");
+               return OPJ_FALSE;
        }
        
        return OPJ_TRUE;
1	diff -rupN openjpeg-1.5.1/libopenjpeg/cio.c openjpeg-1.5.1-new/libopenjpeg/cio.c
2	--- openjpeg-1.5.1/libopenjpeg/cio.c 2012-09-13 09:58:39.000000000 +0200
3	+++ openjpeg-1.5.1-new/libopenjpeg/cio.c 2013-12-05 10:25:07.717415888 +0100
4	@@ -30,6 +30,7 @@
5	*/
6
7	#include "opj_includes.h"
8	+#include <assert.h>
9
10	/* ----------------------------------------------------------------------- */
11
12	@@ -139,6 +140,11 @@ opj_bool cio_byteout(opj_cio_t *cio, uns
13	* Read a byte.
14	*/
15	unsigned char cio_bytein(opj_cio_t *cio) {
16	+ if (cio->bp < cio->start) {
17	+ opj_event_msg(cio->cinfo, EVT_ERROR, "read error: trying to read from before the start of the codestream (start = %d, current = %d, end = %d\n", cio->start, cio->bp, cio->end);
18	+ abort();
19	+ return 0;
20	+ }
21	if (cio->bp >= cio->end) {
22	opj_event_msg(cio->cinfo, EVT_ERROR, "read error: passed the end of the codestream (start = %d, current = %d, end = %d\n", cio->start, cio->bp, cio->end);
23	return 0;
24	@@ -173,7 +179,7 @@ unsigned int cio_read(opj_cio_t *cio, in
25	unsigned int v;
26	v = 0;
27	for (i = n - 1; i >= 0; i--) {
28	- v += cio_bytein(cio) << (i << 3);
29	+ v += (unsigned int)cio_bytein(cio) << (i << 3);
30	}
31	return v;
32	}
33	@@ -184,6 +190,7 @@ unsigned int cio_read(opj_cio_t *cio, in
34	* n : number of bytes to skip
35	*/
36	void cio_skip(opj_cio_t *cio, int n) {
37	+ assert((cio->bp + n) >= cio->bp);
38	cio->bp += n;
39	}
40
41	diff -rupN openjpeg-1.5.1/libopenjpeg/jp2.c openjpeg-1.5.1-new/libopenjpeg/jp2.c
42	--- openjpeg-1.5.1/libopenjpeg/jp2.c 2012-09-13 09:58:39.000000000 +0200
43	+++ openjpeg-1.5.1-new/libopenjpeg/jp2.c 2013-12-05 10:25:07.718415907 +0100
44	@@ -172,6 +172,9 @@ static opj_bool jp2_read_boxhdr(opj_comm
45	}
46	else if (box->length == 0) {
47	box->length = cio_numbytesleft(cio) + 8;
48	+ } else if (box->length < 0) {
49	+ opj_event_msg(cinfo, EVT_ERROR, "Invalid, negative, size of box\n");
50	+ return OPJ_FALSE;
51	}
52
53	return OPJ_TRUE;