From e27a2d44cd6d5413c8ad7d3ac6f309133e407823 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nikola=20Forr=C3=B3?= Date: Wed, 8 Feb 2017 15:17:58 +0100 Subject: [PATCH] Fix CVE-2016-9573 --- applications/codec/convert.c | 45 +++++++++++++++++++++++++++++++++++++++----- 1 file changed, 40 insertions(+), 5 deletions(-) diff --git a/applications/codec/convert.c b/applications/codec/convert.c index 11e89f7..88e1c68 100644 --- a/applications/codec/convert.c +++ b/applications/codec/convert.c @@ -1910,13 +1910,24 @@ int imagetopnm(opj_image_t * image, const char *outfile) if(want_gray) ncomp = 1; if (ncomp == 2 /* GRAYA */ - || (ncomp > 2 /* RGB, RGBA */ + || (ncomp == 3 /* RGB */ && image->comps[0].dx == image->comps[1].dx && image->comps[1].dx == image->comps[2].dx && image->comps[0].dy == image->comps[1].dy && image->comps[1].dy == image->comps[2].dy && image->comps[0].prec == image->comps[1].prec && image->comps[1].prec == image->comps[2].prec + ) + || (ncomp > 3 /* RGBA */ + && image->comps[0].dx == image->comps[1].dx + && image->comps[1].dx == image->comps[2].dx + && image->comps[2].dx == image->comps[3].dx + && image->comps[0].dy == image->comps[1].dy + && image->comps[1].dy == image->comps[2].dy + && image->comps[2].dy == image->comps[3].dy + && image->comps[0].prec == image->comps[1].prec + && image->comps[1].prec == image->comps[2].prec + && image->comps[2].prec == image->comps[3].prec )) { fdest = fopen(outfile, "wb"); @@ -2117,13 +2128,25 @@ int imagetotif(opj_image_t * image, const char *outfile) sgnd = image->comps[0].sgnd; adjust = sgnd ? 1 << (image->comps[0].prec - 1) : 0; - if(image->numcomps >= 3 + if((image->numcomps == 3 + && image->comps[0].dx == image->comps[1].dx + && image->comps[1].dx == image->comps[2].dx + && image->comps[0].dy == image->comps[1].dy + && image->comps[1].dy == image->comps[2].dy + && image->comps[0].prec == image->comps[1].prec + && image->comps[1].prec == image->comps[2].prec + ) + || (image->numcomps > 3 && image->comps[0].dx == image->comps[1].dx && image->comps[1].dx == image->comps[2].dx + && image->comps[2].dx == image->comps[3].dx && image->comps[0].dy == image->comps[1].dy && image->comps[1].dy == image->comps[2].dy + && image->comps[2].dy == image->comps[3].dy && image->comps[0].prec == image->comps[1].prec - && image->comps[1].prec == image->comps[2].prec) + && image->comps[1].prec == image->comps[2].prec + && image->comps[2].prec == image->comps[3].prec + )) { has_alpha = (image->numcomps == 4); @@ -3308,13 +3331,25 @@ int imagetopng(opj_image_t * image, const char *write_idf) else if(prec == 1) mask = 0x0001; - if(nr_comp >= 3 + if((nr_comp == 3 + && image->comps[0].dx == image->comps[1].dx + && image->comps[1].dx == image->comps[2].dx + && image->comps[0].dy == image->comps[1].dy + && image->comps[1].dy == image->comps[2].dy + && image->comps[0].prec == image->comps[1].prec + && image->comps[1].prec == image->comps[2].prec + ) + || (nr_comp > 3 && image->comps[0].dx == image->comps[1].dx && image->comps[1].dx == image->comps[2].dx + && image->comps[2].dx == image->comps[3].dx && image->comps[0].dy == image->comps[1].dy && image->comps[1].dy == image->comps[2].dy + && image->comps[2].dy == image->comps[3].dy && image->comps[0].prec == image->comps[1].prec - && image->comps[1].prec == image->comps[2].prec) + && image->comps[1].prec == image->comps[2].prec + && image->comps[2].prec == image->comps[3].prec + )) { int v; -- 2.7.4