| Age | Commit message | Author |
|
Fixes #1053 / CVE-2018-5727
Note: I don't consider this issue to be a security vulnerability, in
practice.
At least with gcc or clang compilers on x86_64 which generate the same
assembly code with or without that fix.
|
|
This reverts commit 05be3084460e46282ee63f04c72c451f3271fd28.
This commit doesn't compile due to missing OPJ_UINT64 type
|
|
This reverts commit c277159986c80142180fbe5efb256bbf3bdf3edc.
The commit didn't compile. include_size is not defined in openmj2
|
|
width/length dimensions read from bmp headers are not necessarily
valid. For instance they may have been maliciously set to very large
values with the intention to cause DoS (large memory allocation, stack
overflow). In these cases we want to detect the invalid size as early
as possible.
This commit introduces a counter which verifies that the number of
written bytes corresponds to the advertised width/length.
Fixes #1059 (CVE-2018-6616).
|
|
Fix multiple potential vulnerabilities and bugs
|
|
and fixes unaligned load
Signed-off-by: Young Xiao <YangX92@hotmail.com>
|
|
(CVE-2018-14423
Signed-off-by: Young_X <YangX92@hotmail.com>
|
|
avoid potential int overflow
Signed-off-by: Young_X <YangX92@hotmail.com>
|
|
opj_get_encoding_parameters
Signed-off-by: Young_X <YangX92@hotmail.com>
|
|
Signed-off-by: Young_X <YangX92@hotmail.com>
|
|
Derived from a patch by Thuan Pham
|
|
Signed-off-by: Young_X <YangX92@hotmail.com>
|
|
Signed-off-by: Young_X <YangX92@hotmail.com>
|
|
Signed-off-by: Young_X <YangX92@hotmail.com>
|
|
jp3d/jpwl convert: fix write stack buffer overflow
|
|
When compressing a lot of slices (starting from 44 FullHD slices with 3 8bit components in our experiments) the rate values are high enough to cause an int overflow that leads to negative lengths and wrong results. The cast happens too late.
|
|
Tile components in a JP2 image might have null data pointer by defining a
zero component size (for example using large horizontal or vertical
sampling periods). This null data pointer leads to null image component
data pointer, causing crash when dereferenced without != null check in
imagetopnm.
Add != null check.
This commit addresses #1152 (CVE-2018-18088).
|
|
Missing buffer length formatter in fscanf call might lead to write
stack buffer overflow.
fixes #1044 (CVE-2017-17480)
|
|
* Fix some potential overflow issues
Put sizeof to the beginning of the multiplication to enforce that
size_t instead of smaller integer types is used for the calculation.
This fixes warnings from LGTM:
Multiplication result may overflow 'unsigned int'
before it is converted to 'unsigned long'.
It also allows removing some type casts.
Signed-off-by: Stefan Weil <sw@weilnetz.de>
* Fix code indentation
Signed-off-by: Stefan Weil <sw@weilnetz.de>
|
|
Signed-off-by: Nikola Forró <nforro@redhat.com>
|
|
CVE-2018-5785: fix issues with zero bitmasks
|
|
(fixes #1125)
|
|
This uses snprintf() with correct buffer length instead of sprintf(), which
prevents a buffer overflow when providing a long output prefix. Furthermore
the program exits with an error when the provided output prefix is too long.
Fixes #1088.
|
|
Cast on uint ceildiv
|
|
Use local type declaration for POSIX standard type only for MS compiler
|
|
Fix some typos in code comments and documentation
|
|
Changes in pnmtoimage if image data are missing
|
|
In the case where a BMP file declares compression 3 (BI_BITFIELDS)
with header size <= 56, all bitmask values keep their initialization
value 0. This may lead to various undefined behavior later e.g. when
doing 1 << (l_comp->prec - 1).
This issue does not affect files with bit count 16 because of a check
added in 16240e2 which sets default values to the color masks if they
are all 0.
This commit adds similar checks for the 32 bit case.
Also, if a BMP file declares compression 3 with header size >= 56 and
intentional 0 bitmasks, the same issue will be triggered in both the
16 and 32 bit count case.
This commit adds checks to bmp_read_info_header() rejecting BMP files
with "intentional" 0 bitmasks. These checks might be removed in the
future when proper handling of zero bitmasks is available in
openjpeg2.
fixes #1057 (CVE-2018-5785)
|
|
Compiler warnings:
src/lib/openjp2/jp2.c:1008:35: warning:
too many arguments for format [-Wformat-extra-args]
src/lib/openjp2/j2k.c:1928:73: warning:
format ‘%d’ expects argument of type ‘int’, but argument 4 has type ‘OPJ_OFF_T {aka long int}’ [-Wformat=]
Signed-off-by: Stefan Weil <sw@weilnetz.de>
|
|
All typos were found by Codespell.
Signed-off-by: Stefan Weil <sw@weilnetz.de>
|
|
e6674f7ed66abdb32a0be5944f618722b6a7b5d5 revert. Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2785
|
|
encountered in opj_j2k_read_tile_header(). Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2785. Credit to OSS Fuzz" (fixes #1120)
This reverts commit 9906fbf737692486cebabe98169988d818e2e66a.
which broke decoding of images where TNsot == 0
|
|
ssize_t is a POSIX type which is declared in POSIX include files.
Mingw-w64 provides it also for Windows.
Use the local declaration only with MS compilers.
Signed-off-by: Stefan Weil <sw@weilnetz.de>
|
|
mj2: Add missing variable to format string in fprintf() invocation in meta_out.c
|
|
opj_mj2_extract: Rename output_location to output_prefix
|
|
This replaces the unsafe sprintf() invocation by the safer snprintf()
one, with the correct buffer size to prevent buffer overflows.
This fixes #1085.
|
|
This renames the argument in the help output, as the latter better describes
the purpose of this argument.
|
|
This adds the appropriate variables to the invocation of fprintf(). They were
specified in the format string, but were missing in the actual call. This
fixes #1074 and #1075.
|
|
Signed-off-by: Stefan Weil <sw@weilnetz.de>
|
|
Signed-off-by: Stefan Weil <sw@weilnetz.de>
|
|
fix unchecked integer multiplication overflow
|
|
|