From 9c781aa2020eef838284dcb348f4528f3c3cc1ab Mon Sep 17 00:00:00 2001

From: Lumir Balhar <lbalhar@redhat.com>

Date: Mon, 14 Jun 2021 09:06:07 +0200

Subject: [PATCH 1/5] CVE-2021-25287_25288

---

 src/libImaging/Jpeg2KDecode.c | 78 +++++++++++++++++++++++++++--------

 1 file changed, 61 insertions(+), 17 deletions(-)

diff --git a/src/libImaging/Jpeg2KDecode.c b/src/libImaging/Jpeg2KDecode.c

index 9140e00..fdbd0c0 100644

--- a/src/libImaging/Jpeg2KDecode.c

+++ b/src/libImaging/Jpeg2KDecode.c

@@ -110,6 +110,7 @@ j2ku_gray_l(opj_image_t *in, const JPEG2KTILEINFO *tileinfo,

     if (shift < 0)

         offset += 1 << (-shift - 1);

+    /* csiz*h*w + offset = tileinfo.datasize */

     switch (csiz) {

     case 1:

         for (y = 0; y < h; ++y) {

@@ -557,8 +558,10 @@ j2k_decode_entry(Imaging im, ImagingCodecState state)

     opj_dparameters_t params;

     OPJ_COLOR_SPACE color_space;

     j2k_unpacker_t unpack = NULL;

-    size_t buffer_size = 0;

-    unsigned n;

+    size_t buffer_size = 0, tile_bytes = 0;

+    unsigned n, tile_height, tile_width;

+    int total_component_width = 0;

+

     stream = opj_stream_create(BUFFER_SIZE, OPJ_TRUE);

@@ -703,8 +706,62 @@ j2k_decode_entry(Imaging im, ImagingCodecState state)

         tile_info.x1 = (tile_info.x1 + correction) >> context->reduce;

         tile_info.y1 = (tile_info.y1 + correction) >> context->reduce;

+        /* Check the tile bounds; if the tile is outside the image area,

+           or if it has a negative width or height (i.e. the coordinates are

+           swapped), bail. */

+        if (tile_info.x0 >= tile_info.x1

+            || tile_info.y0 >= tile_info.y1

+            || tile_info.x0 < image->x0

+            || tile_info.y0 < image->y0

+            || tile_info.x1 - image->x0 > im->xsize

+            || tile_info.y1 - image->y0 > im->ysize) {

+            state->errcode = IMAGING_CODEC_BROKEN;

+            state->state = J2K_STATE_FAILED;

+            goto quick_exit;

+        }

+

+        if (tile_info.nb_comps != image->numcomps) {

+            state->errcode = IMAGING_CODEC_BROKEN;

+            state->state = J2K_STATE_FAILED;

+            goto quick_exit;

+        }

+

+        /* Sometimes the tile_info.datasize we get back from openjpeg

+           is less than sum(comp_bytes)*w*h, and we overflow in the

+           shuffle stage */

+

+        tile_width = tile_info.x1 - tile_info.x0;

+        tile_height = tile_info.y1 - tile_info.y0;

+

+        /* Total component width = sum (component_width) e.g, it's

+         legal for an la file to have a 1 byte width for l, and 4 for

+         a. and then a malicious file could have a smaller tile_bytes

+        */

+

+        for (n=0; n < tile_info.nb_comps; n++) {

+            // see csize /acsize calcs

+            int csize = (image->comps[n].prec + 7) >> 3;

+            csize = (csize == 3) ? 4 : csize;

+            total_component_width += csize;

+        }

+        if ((tile_width > UINT_MAX / total_component_width) ||

+            (tile_height > UINT_MAX / total_component_width) ||

+            (tile_width > UINT_MAX / (tile_height * total_component_width)) ||

+            (tile_height > UINT_MAX / (tile_width * total_component_width))) {

+

+            state->errcode = IMAGING_CODEC_BROKEN;

+            state->state = J2K_STATE_FAILED;

+            goto quick_exit;

+        }

+

+        tile_bytes = tile_width * tile_height * total_component_width;

+

+        if (tile_bytes > tile_info.data_size) {

+            tile_info.data_size = tile_bytes;

+        }

+

         if (buffer_size < tile_info.data_size) {

-            /* malloc check ok, tile_info.data_size from openjpeg */

+            /* malloc check ok, overflow and tile size sanity check above */

             UINT8 *new = realloc (state->buffer, tile_info.data_size);

             if (!new) {

                 state->errcode = IMAGING_CODEC_MEMORY;

@@ -715,6 +772,7 @@ j2k_decode_entry(Imaging im, ImagingCodecState state)

             buffer_size = tile_info.data_size;

         }

+

         if (!opj_decode_tile_data(codec,

                                   tile_info.tile_index,

                                   (OPJ_BYTE *)state->buffer,

@@ -725,20 +783,6 @@ j2k_decode_entry(Imaging im, ImagingCodecState state)

             goto quick_exit;

         }

-        /* Check the tile bounds; if the tile is outside the image area,

-           or if it has a negative width or height (i.e. the coordinates are

-           swapped), bail. */

-        if (tile_info.x0 >= tile_info.x1

-            || tile_info.y0 >= tile_info.y1

-            || tile_info.x0 < image->x0

-            || tile_info.y0 < image->y0

-            || tile_info.x1 - image->x0 > im->xsize

-            || tile_info.y1 - image->y0 > im->ysize) {

-            state->errcode = IMAGING_CODEC_BROKEN;

-            state->state = J2K_STATE_FAILED;

-            goto quick_exit;

-        }

-

         unpack(image, &tile_info, state->buffer, im);

     }

-- 

2.31.1