diffstat for opencv-2.4.8+dfsg1 opencv-2.4.8+dfsg1 changelog | 160 +++++++++++ control | 16 - patches/CVE-2017-1000450.patch | 14 + patches/CVE-2017-14136.patch | 300 +++++++++++++++++++++ patches/CVE-2017-17760.patch | 13 patches/CVE-2017-several.patch | 564 +++++++++++++++++++++++++++++++++++++++++ patches/CVE-2018-5268.patch | 127 +++++++++ patches/CVE-2018-5269.patch | 179 +++++++++++++ patches/series | 6 rules | 12 10 files changed, 1383 insertions(+), 8 deletions(-) diff -Nru opencv-2.4.8+dfsg1/debian/changelog opencv-2.4.8+dfsg1/debian/changelog --- opencv-2.4.8+dfsg1/debian/changelog 2014-02-17 22:10:27.000000000 +0000 +++ opencv-2.4.8+dfsg1/debian/changelog 2018-09-19 06:53:45.000000000 +0000 @@ -1,3 +1,68 @@ +opencv (2.4.8+dfsg1-2ubuntu1.2) trusty-security; urgency=medium + + * Set -DENABLE_PRECOMPILED_HEADERS on arm64. + + -- Eduardo Barretto Tue, 18 Sep 2018 06:37:02 -0300 + +opencv (2.4.8+dfsg1-2ubuntu1.1) trusty-security; urgency=medium + + * SECURITY UPDATE: Out-of-bounds read/write errors and buffer + overflows in different functions. + - debian/patches/CVE-2017-several.patch: fix in bitstrm.cpp, + bitstrm.hpp, grfmt_bmp.cpp, grfmt_pxm.cpp, loadsave.cpp, + test_grfmt.cpp and gpu_test.cpp. + - CVE-2016-1516 + - CVE-2016-1517 + - CVE-2017-12597 + - CVE-2017-12598 + - CVE-2017-12599 + - CVE-2017-12600 + - CVE-2017-12601 + - CVE-2017-12602 + - CVE-2017-12603 + - CVE-2017-12604 + - CVE-2017-12605 + - CVE-2017-12606 + - CVE-2017-12862 + - CVE-2017-12863 + - CVE-2017-12864 + * SECURITY UPDATE: Out of bound write cause segmentation fault + - debian/patches/CVE-2017-14136.patch: fix in grfmt_bmp.cpp, + grfmt_exr.cpp, grfmt_jpeg.cpp, grfmt_jpeg2000.cpp, + grfmt_sunras.cpp, utils.cpp and utils.hpp. + - CVE-2017-14136 + * SECURITY UPDATE: Buffer Overflow in the cv::PxMDecoder::readData + function in grfmt_pxm.cpp + - debian/patches/CVE-2017-17760.patch: fix in grfmt_pxm.cpp. + - CVE-2017-17760 + * SECURITY UPDATE: Integer overflow may lead to remote execution or + denial of service + - debian/patches/CVE-2017-1000450.patch: fix in grfmt_bmp.cpp. + - CVE-2017-1000450 + * SECURITY UPDATE: A heap-based buffer overflow happens in + cv::Jpeg2KDecoder::readComponent8u when parsing a crafted image file + - debian/patches/CVE-2018-5268.patch: fix in grfmt_jpeg2000.cpp. + - CVE-2018-5268 + * SECURITY UPDATE: an assertion failure happens in + cv::RBaseStream::setPos in modules/imgcodecs/src/bitstrm.cpp because + of an incorrect integer cast. + - debian/patches/CVE-2018-5269.patch: add overflow checks. + - CVE-2018-5269 + + -- Eduardo Barretto Tue, 11 Sep 2018 12:05:20 -0300 + +opencv (2.4.8+dfsg1-2ubuntu1) trusty; urgency=medium + + * Merge with Debian, remaining changes: + - In debian/rules don't build OpenGL on armhf; not useful there + - Arch-restrict libopencv-ocl2.4 and libopencv-ocl-dev binary packages + for now, due to 1263801. + - In debian/control disable OpenCL support on ppc64el, FTBFS see bug 1263801. + - add libopencv-ocl-dev to libcv-dev depends + - opencv-data breaks libopencv-dev (<= 2.4.6.1+dfsg-2ubuntu1) + + -- Jonathan Riddell Tue, 25 Feb 2014 11:10:42 +0000 + opencv (2.4.8+dfsg1-2) unstable; urgency=medium * Update debian/control. @@ -22,6 +87,20 @@ -- Nobuhiro Iwamatsu Wed, 12 Feb 2014 16:37:21 +0900 +opencv (2.4.8+dfsg-1ubuntu1) trusty; urgency=medium + + * Merge with Debian unstable, remaining changes: + - In debian/rules don't build OpenGL on armhf; not useful there + - Arch-restrict libopencv-ocl2.4 and libopencv-ocl-dev binary packages + for now, due to 1263801. + - In debian/control disable OpenCL support on ppc64el, FTBFS see bug 1263801. + - add libopencv-ocl-dev to libcv-dev depends + - opencv-data breaks libopencv-dev (<= 2.4.6.1+dfsg-2ubuntu1) + * Drop patch detect_sphinx now upstream + * Drop detect_opencl now upstream + + -- Jonathan Riddell Wed, 12 Feb 2014 16:29:04 +0000 + opencv (2.4.8+dfsg-1) unstable; urgency=low * New upstream release. @@ -53,6 +132,53 @@ -- Nobuhiro Iwamatsu Sat, 23 Nov 2013 11:31:08 +0900 +opencv (2.4.6.1+dfsg-2ubuntu5) trusty; urgency=medium + + * Don't build OpenGL on armhf; not useful there. + + -- Iain Lane Thu, 16 Jan 2014 11:19:15 +0000 + +opencv (2.4.6.1+dfsg-2ubuntu4) trusty; urgency=medium + + * Arch-restrict OpenCL binary packages for now, due to 1263801. + + -- Adam Conrad Tue, 24 Dec 2013 11:54:25 -0700 + +opencv (2.4.6.1+dfsg-2ubuntu3) trusty; urgency=medium + + * Enable TBB support on all, but arm64 (not available). + * Disable OpenCL support on ppc64el, FTBFS see bug 1263801. + + -- Dimitri John Ledkov Mon, 23 Dec 2013 23:43:41 +0000 + +opencv (2.4.6.1+dfsg-2ubuntu2) trusty; urgency=low + + * Add patch detect_sphinx to fix detection of Python Sphinx + + -- Jonathan Riddell Fri, 13 Dec 2013 13:00:18 +0000 + +opencv (2.4.6.1+dfsg-2ubuntu1) trusty; urgency=low + + * Merge with Debian unstable, remaining changes: + - build-dep on ocl-icd-opencl-dev and add libopencv-ocl-dev to libcv-dev depends + and add libopencv-ocl2.4 and libopencv-ocl-dev packages + * Add detect_opencl to build ocl with multiarched libraries + * opencv-data breaks libopencv-dev (<= 2.4.6.1+dfsg-2ubuntu1) + * Add detect_opencl to fix finding opencl library with multiarch + + -- Jonathan Riddell Wed, 11 Dec 2013 16:23:54 +0000 + +opencv (2.4.6.1+dfsg-2) unstable; urgency=low + + [ Anton Gladky ] + * Replace libeigen2-dev by libeigen3-dev. (Closes: #726155) + + [ Nobuhiro Iwamatsu ] + * FTBFS on sparc64. (Closes: #714923) + Add patches/change_type_from_int_to_Atomic_word. + + -- Nobuhiro Iwamatsu Sat, 23 Nov 2013 11:31:08 +0900 + opencv (2.4.6.1+dfsg-1) unstable; urgency=low * Upload to unstable. (Closes: #719998, #716811) @@ -111,6 +237,40 @@ -- Nobuhiro Iwamatsu Fri, 12 Jul 2013 13:00:43 +0900 +opencv (2.4.5+dfsg-0ubuntu5) trusty; urgency=low + + * No change rebuild against libav9. + + -- Dmitrijs Ledkovs Thu, 07 Nov 2013 11:25:28 +0000 + +opencv (2.4.5+dfsg-0ubuntu4) saucy; urgency=low + + * Add libopencv-ocl-dev to depends of libopencv-dev + + -- Jonathan Riddell Thu, 10 Oct 2013 16:58:42 +0100 + +opencv (2.4.5+dfsg-0ubuntu3) saucy; urgency=low + + [ Thomas Bleher ] + * Package missing library libopencv-ocl LP: #1213861 + + [ Jonathan Riddell ] + * Add build-dep on ocl-icd-opencl-dev + + -- Thomas Bleher Mon, 19 Aug 2013 08:21:39 +0200 + +opencv (2.4.5+dfsg-0ubuntu2) saucy; urgency=low + + * Package missing library libopencv-superres + + -- Jonathan Riddell Fri, 28 Jun 2013 14:01:14 +0100 + +opencv (2.4.5+dfsg-0ubuntu1) saucy; urgency=low + + * New upstream release + + -- Jonathan Riddell Wed, 26 Jun 2013 16:44:16 +0100 + opencv (2.4.3+dfsg-1) experimental; urgency=low * New upstream release. diff -Nru opencv-2.4.8+dfsg1/debian/control opencv-2.4.8+dfsg1/debian/control --- opencv-2.4.8+dfsg1/debian/control 2014-02-17 06:50:43.000000000 +0000 +++ opencv-2.4.8+dfsg1/debian/control 2014-02-25 11:29:30.000000000 +0000 @@ -1,7 +1,8 @@ Source: opencv Priority: optional Section: devel -Maintainer: Debian Science Team +Maintainer: Kubuntu Developers +XSBC-Original-Maintainer: Debian Science Team Uploaders: Sam Hocevar (Debian packages) , Nobuhiro Iwamatsu Build-Depends: debhelper (>= 9), @@ -20,7 +21,7 @@ liblapack-dev (>= 3.2.1), libtbb-dev [i386 amd64 ia64 powerpc ppc64], libeigen3-dev, - ocl-icd-opencl-dev, + ocl-icd-opencl-dev [!ppc64el], python-dev, python-support (>= 0.4.1), python-numpy, @@ -67,7 +68,8 @@ libopencv-objdetect-dev, libopencv-legacy-dev, libopencv-video-dev, - libopencv-ml-dev + libopencv-ml-dev, + libopencv-ocl-dev [!ppc64el] Conflicts: libcvaux-dev (<= 2.1.0-7), libhighgui-dev (<= 2.1.0-7) Description: Translation package for libcv-dev This package provide files for translation from libcv-dev to @@ -225,7 +227,7 @@ libopencv-stitching-dev (= ${binary:Version}), libopencv-gpu-dev (= ${binary:Version}), libopencv-superres-dev (= ${binary:Version}), - libopencv-ocl-dev (= ${binary:Version}), + libopencv-ocl-dev (= ${binary:Version}) [!ppc64el], libopencv2.4-java (= ${source:Version}), libopencv2.4-jni (= ${binary:Version}), libcv-dev (= ${binary:Version}), @@ -252,7 +254,7 @@ Section: libdevel Architecture: all Depends: ${misc:Depends} -Breaks: libopencv-dev (<= 2.3.1-12) +Breaks: libopencv-dev (<= 2.4.6.1+dfsg-2ubuntu1) Description: development data for opencv This is a metapackage providing development package necessary for development of OpenCV (Open Computer Vision). @@ -1025,7 +1027,7 @@ Package: libopencv-ocl-dev Section: libdevel -Architecture: any +Architecture: amd64 armhf arm64 i386 powerpc Multi-Arch: same Depends: ${misc:Depends}, libopencv-calib3d-dev (= ${binary:Version}), @@ -1050,7 +1052,7 @@ Package: libopencv-ocl2.4 Section: libs -Architecture: any +Architecture: amd64 armhf arm64 i386 powerpc Multi-Arch: same Pre-Depends: ${misc:Pre-Depends} Depends: ${shlibs:Depends}, ${misc:Depends}, diff -Nru opencv-2.4.8+dfsg1/debian/patches/CVE-2017-1000450.patch opencv-2.4.8+dfsg1/debian/patches/CVE-2017-1000450.patch --- opencv-2.4.8+dfsg1/debian/patches/CVE-2017-1000450.patch 1970-01-01 00:00:00.000000000 +0000 +++ opencv-2.4.8+dfsg1/debian/patches/CVE-2017-1000450.patch 2018-09-11 14:49:00.000000000 +0000 @@ -0,0 +1,14 @@ +Index: opencv-2.3.1/modules/highgui/src/grfmt_bmp.cpp +=================================================================== +--- opencv-2.3.1.orig/modules/highgui/src/grfmt_bmp.cpp 2017-12-31 15:42:47.000000000 +0100 ++++ opencv-2.3.1/modules/highgui/src/grfmt_bmp.cpp 2018-01-04 19:29:11.689080986 +0100 +@@ -366,6 +366,9 @@ + gray_palette[code] ); + + line_end_flag = y - prev_y; ++ ++ if( y >= m_height ) ++ break; + } + else if( code > 2 ) // absolute mode + { diff -Nru opencv-2.4.8+dfsg1/debian/patches/CVE-2017-14136.patch opencv-2.4.8+dfsg1/debian/patches/CVE-2017-14136.patch --- opencv-2.4.8+dfsg1/debian/patches/CVE-2017-14136.patch 1970-01-01 00:00:00.000000000 +0000 +++ opencv-2.4.8+dfsg1/debian/patches/CVE-2017-14136.patch 2018-09-11 14:48:17.000000000 +0000 @@ -0,0 +1,300 @@ +From df1a0263299d2875eb51e85351b58d354304da22 Mon Sep 17 00:00:00 2001 +From: Alexander Alekhin +Date: Wed, 23 Aug 2017 15:15:27 +0300 +Subject: [PATCH] imgcodesc: fix code problems with integer overflow / address + arithmetic / UB + +--- + modules/highgui/src/grfmt_bmp.cpp | 14 ++++--- + modules/highgui/src/grfmt_exr.cpp | 10 ++--- + modules/highgui/src/grfmt_jpeg.cpp | 2 +- + modules/highgui/src/grfmt_jpeg2000.cpp | 6 +-- + modules/highgui/src/grfmt_sunras.cpp | 6 +-- + modules/highgui/src/utils.cpp | 51 ++++++++++++++++---------- + modules/highgui/src/utils.hpp | 2 + + 7 files changed, 53 insertions(+), 38 deletions(-) + +diff --git a/modules/highgui/src/grfmt_bmp.cpp b/modules/highgui/src/grfmt_bmp.cpp +index 026b317..4e12882 100644 +--- a/modules/highgui/src/grfmt_bmp.cpp ++++ b/modules/highgui/src/grfmt_bmp.cpp +@@ -115,7 +115,7 @@ bool BmpDecoder::readHeader() + + if( m_bpp <= 8 ) + { +- CV_Assert(clrused < 256); ++ CV_Assert(clrused <= 256); + memset(m_palette, 0, sizeof(m_palette)); + m_strm.getBytes(m_palette, (clrused == 0? 1< 1; + uchar gray_palette[256]; + bool result = false; +@@ -198,7 +199,7 @@ bool BmpDecoder::readData( Mat& img ) + + if( m_origin == IPL_ORIGIN_BL ) + { +- data += (m_height - 1)*step; ++ data += (m_height - 1)*(size_t)step; + step = -step; + } + +@@ -475,11 +476,12 @@ decode_rle8_bad: ; + result = true; + break; + default: +- assert(0); ++ CV_Error(CV_StsError, "Invalid/unsupported mode"); + } + } + catch(...) + { ++ throw; + } + + return result; +@@ -522,7 +524,7 @@ bool BmpEncoder::write( const Mat& img, const vector& ) + int bitmapHeaderSize = 40; + int paletteSize = channels > 1 ? 0 : 1024; + int headerSize = 14 /* fileheader */ + bitmapHeaderSize + paletteSize; +- int fileSize = fileStep*height + headerSize; ++ size_t fileSize = (size_t)fileStep*height + headerSize; + PaletteEntry palette[256]; + + if( m_buf ) +@@ -532,7 +534,7 @@ bool BmpEncoder::write( const Mat& img, const vector& ) + strm.putBytes( fmtSignBmp, (int)strlen(fmtSignBmp) ); + + // write file header +- strm.putDWord( fileSize ); // file size ++ strm.putDWord( validateToInt(fileSize) ); // file size + strm.putDWord( 0 ); + strm.putDWord( headerSize ); + +diff --git a/modules/highgui/src/grfmt_exr.cpp b/modules/highgui/src/grfmt_exr.cpp +index c29f4ba..399e586 100644 +--- a/modules/highgui/src/grfmt_exr.cpp ++++ b/modules/highgui/src/grfmt_exr.cpp +@@ -188,7 +188,7 @@ bool ExrDecoder::readData( Mat& img ) + bool color = img.channels() > 1; + + uchar* data = img.data; +- int step = img.step; ++ size_t step = img.step; + bool justcopy = m_native_depth; + bool chromatorgb = false; + bool rgbtogray = false; +@@ -196,8 +196,8 @@ bool ExrDecoder::readData( Mat& img ) + FrameBuffer frame; + int xsample[3] = {1, 1, 1}; + char *buffer; +- int xstep; +- int ystep; ++ size_t xstep = 0; ++ size_t ystep = 0; + + xstep = m_native_depth ? 4 : 1; + +@@ -589,7 +589,7 @@ bool ExrEncoder::write( const Mat& img, const vector& ) + bool isfloat = depth == CV_32F || depth == CV_64F; + depth = CV_ELEM_SIZE1(depth)*8; + uchar* data = img.data; +- int step = img.step; ++ size_t step = img.step; + + Header header( width, height ); + Imf::PixelType type; +@@ -619,7 +619,7 @@ bool ExrEncoder::write( const Mat& img, const vector& ) + FrameBuffer frame; + + char *buffer; +- int bufferstep; ++ size_t bufferstep; + int size; + if( type == FLOAT && depth == 32 ) + { +diff --git a/modules/highgui/src/grfmt_jpeg.cpp b/modules/highgui/src/grfmt_jpeg.cpp +index bd21e2c..a4d8957 100644 +--- a/modules/highgui/src/grfmt_jpeg.cpp ++++ b/modules/highgui/src/grfmt_jpeg.cpp +@@ -392,7 +392,7 @@ int my_jpeg_load_dht (struct jpeg_decompress_struct *info, unsigned char *dht, + bool JpegDecoder::readData( Mat& img ) + { + bool result = false; +- int step = (int)img.step; ++ size_t step = img.step; + bool color = img.channels() > 1; + + if( m_state && m_width && m_height ) +diff --git a/modules/highgui/src/grfmt_jpeg2000.cpp b/modules/highgui/src/grfmt_jpeg2000.cpp +index 28818e3..d8cb976 100644 +--- a/modules/highgui/src/grfmt_jpeg2000.cpp ++++ b/modules/highgui/src/grfmt_jpeg2000.cpp +@@ -155,7 +155,7 @@ bool Jpeg2KDecoder::readData( Mat& img ) + bool result = false; + int color = img.channels() > 1; + uchar* data = img.data; +- int step = (int)img.step; ++ size_t step = img.step; + jas_stream_t* stream = (jas_stream_t*)m_stream; + jas_image_t* image = (jas_image_t*)m_image; + +@@ -236,9 +236,9 @@ bool Jpeg2KDecoder::readData( Mat& img ) + if( !jas_image_readcmpt( image, cmptlut[i], 0, 0, xend / xstep, yend / ystep, buffer )) + { + if( img.depth() == CV_8U ) +- result = readComponent8u( data + i, buffer, step, cmptlut[i], maxval, offset, ncmpts ); ++ result = readComponent8u( data + i, buffer, validateToInt(step), cmptlut[i], maxval, offset, ncmpts ); + else +- result = readComponent16u( ((unsigned short *)data) + i, buffer, step / 2, cmptlut[i], maxval, offset, ncmpts ); ++ result = readComponent16u( ((unsigned short *)data) + i, buffer, validateToInt(step / 2), cmptlut[i], maxval, offset, ncmpts ); + if( !result ) + { + i = ncmpts; +diff --git a/modules/highgui/src/grfmt_sunras.cpp b/modules/highgui/src/grfmt_sunras.cpp +index 19f8db4..60a93a0 100644 +--- a/modules/highgui/src/grfmt_sunras.cpp ++++ b/modules/highgui/src/grfmt_sunras.cpp +@@ -156,7 +156,7 @@ bool SunRasterDecoder::readData( Mat& img ) + { + int color = img.channels() > 1; + uchar* data = img.data; +- int step = (int)img.step; ++ size_t step = img.step; + uchar gray_palette[256]; + bool result = false; + int src_pitch = ((m_width*m_bpp + 7)/8 + 1) & -2; +@@ -304,11 +304,11 @@ bad_decoding_1bpp: + code = m_strm.getByte(); + + if( color ) +- data = FillUniColor( data, line_end, step, width3, ++ data = FillUniColor( data, line_end, validateToInt(step), width3, + y, m_height, len, + m_palette[code] ); + else +- data = FillUniGray( data, line_end, step, width3, ++ data = FillUniGray( data, line_end, validateToInt(step), width3, + y, m_height, len, + gray_palette[code] ); + if( y >= m_height ) +diff --git a/modules/highgui/src/utils.cpp b/modules/highgui/src/utils.cpp +index 095a256..68b6d8e 100644 +--- a/modules/highgui/src/utils.cpp ++++ b/modules/highgui/src/utils.cpp +@@ -42,6 +42,13 @@ + #include "precomp.hpp" + #include "utils.hpp" + ++int validateToInt(size_t sz) ++{ ++ int valueInt = (int)sz; ++ CV_Assert((size_t)valueInt == sz); ++ return valueInt; ++} ++ + #define SCALE 14 + #define cR (int)(0.299*(1 << SCALE) + 0.5) + #define cG (int)(0.587*(1 << SCALE) + 0.5) +@@ -537,23 +544,25 @@ uchar* FillColorRow1( uchar* data, uchar* indices, int len, PaletteEntry* palett + { + uchar* end = data + len*3; + ++ const PaletteEntry p0 = palette[0], p1 = palette[1]; ++ + while( (data += 24) < end ) + { + int idx = *indices++; +- *((PaletteEntry*)(data - 24)) = palette[(idx & 128) != 0]; +- *((PaletteEntry*)(data - 21)) = palette[(idx & 64) != 0]; +- *((PaletteEntry*)(data - 18)) = palette[(idx & 32) != 0]; +- *((PaletteEntry*)(data - 15)) = palette[(idx & 16) != 0]; +- *((PaletteEntry*)(data - 12)) = palette[(idx & 8) != 0]; +- *((PaletteEntry*)(data - 9)) = palette[(idx & 4) != 0]; +- *((PaletteEntry*)(data - 6)) = palette[(idx & 2) != 0]; +- *((PaletteEntry*)(data - 3)) = palette[(idx & 1) != 0]; ++ *((PaletteEntry*)(data - 24)) = (idx & 128) ? p1 : p0; ++ *((PaletteEntry*)(data - 21)) = (idx & 64) ? p1 : p0; ++ *((PaletteEntry*)(data - 18)) = (idx & 32) ? p1 : p0; ++ *((PaletteEntry*)(data - 15)) = (idx & 16) ? p1 : p0; ++ *((PaletteEntry*)(data - 12)) = (idx & 8) ? p1 : p0; ++ *((PaletteEntry*)(data - 9)) = (idx & 4) ? p1 : p0; ++ *((PaletteEntry*)(data - 6)) = (idx & 2) ? p1 : p0; ++ *((PaletteEntry*)(data - 3)) = (idx & 1) ? p1 : p0; + } + +- int idx = indices[0] << 24; ++ int idx = indices[0]; + for( data -= 24; data < end; data += 3, idx += idx ) + { +- PaletteEntry clr = palette[idx < 0]; ++ const PaletteEntry clr = (idx & 128) ? p1 : p0; + WRITE_PIX( data, clr ); + } + +@@ -565,23 +574,25 @@ uchar* FillGrayRow1( uchar* data, uchar* indices, int len, uchar* palette ) + { + uchar* end = data + len; + ++ const uchar p0 = palette[0], p1 = palette[1]; ++ + while( (data += 8) < end ) + { + int idx = *indices++; +- *((uchar*)(data - 8)) = palette[(idx & 128) != 0]; +- *((uchar*)(data - 7)) = palette[(idx & 64) != 0]; +- *((uchar*)(data - 6)) = palette[(idx & 32) != 0]; +- *((uchar*)(data - 5)) = palette[(idx & 16) != 0]; +- *((uchar*)(data - 4)) = palette[(idx & 8) != 0]; +- *((uchar*)(data - 3)) = palette[(idx & 4) != 0]; +- *((uchar*)(data - 2)) = palette[(idx & 2) != 0]; +- *((uchar*)(data - 1)) = palette[(idx & 1) != 0]; ++ *((uchar*)(data - 8)) = (idx & 128) ? p1 : p0; ++ *((uchar*)(data - 7)) = (idx & 64) ? p1 : p0; ++ *((uchar*)(data - 6)) = (idx & 32) ? p1 : p0; ++ *((uchar*)(data - 5)) = (idx & 16) ? p1 : p0; ++ *((uchar*)(data - 4)) = (idx & 8) ? p1 : p0; ++ *((uchar*)(data - 3)) = (idx & 4) ? p1 : p0; ++ *((uchar*)(data - 2)) = (idx & 2) ? p1 : p0; ++ *((uchar*)(data - 1)) = (idx & 1) ? p1 : p0; + } + +- int idx = indices[0] << 24; ++ int idx = indices[0]; + for( data -= 8; data < end; data++, idx += idx ) + { +- data[0] = palette[idx < 0]; ++ data[0] = (idx & 128) ? p1 : p0; + } + + return data; +diff --git a/modules/highgui/src/utils.hpp b/modules/highgui/src/utils.hpp +index cab1060..7af4c61 100644 +--- a/modules/highgui/src/utils.hpp ++++ b/modules/highgui/src/utils.hpp +@@ -42,6 +42,8 @@ + #ifndef _UTILS_H_ + #define _UTILS_H_ + ++int validateToInt(size_t step); ++ + struct PaletteEntry + { + unsigned char b, g, r, a; +-- +2.17.1 + diff -Nru opencv-2.4.8+dfsg1/debian/patches/CVE-2017-17760.patch opencv-2.4.8+dfsg1/debian/patches/CVE-2017-17760.patch --- opencv-2.4.8+dfsg1/debian/patches/CVE-2017-17760.patch 1970-01-01 00:00:00.000000000 +0000 +++ opencv-2.4.8+dfsg1/debian/patches/CVE-2017-17760.patch 2018-09-11 14:48:47.000000000 +0000 @@ -0,0 +1,13 @@ +Index: opencv-2.3.1/modules/highgui/src/grfmt_pxm.cpp +=================================================================== +--- opencv-2.3.1.orig/modules/highgui/src/grfmt_pxm.cpp 2017-12-31 15:54:51.764550792 +0100 ++++ opencv-2.3.1/modules/highgui/src/grfmt_pxm.cpp 2017-12-31 15:55:42.096550867 +0100 +@@ -330,7 +330,7 @@ + } + } + else +- memcpy( data, src, m_width*(bit_depth/8) ); ++ memcpy( data, src, img.elemSize1()*m_width ); + } + else + { diff -Nru opencv-2.4.8+dfsg1/debian/patches/CVE-2017-several.patch opencv-2.4.8+dfsg1/debian/patches/CVE-2017-several.patch --- opencv-2.4.8+dfsg1/debian/patches/CVE-2017-several.patch 1970-01-01 00:00:00.000000000 +0000 +++ opencv-2.4.8+dfsg1/debian/patches/CVE-2017-several.patch 2018-09-11 14:46:14.000000000 +0000 @@ -0,0 +1,564 @@ +Index: opencv-2.4.9.1+dfsg/modules/core/include/opencv2/core/core.hpp +=================================================================== +--- opencv-2.4.9.1+dfsg.orig/modules/core/include/opencv2/core/core.hpp 2018-06-29 13:28:09.144794867 +0200 ++++ opencv-2.4.9.1+dfsg/modules/core/include/opencv2/core/core.hpp 2018-06-29 13:28:09.128794868 +0200 +@@ -3174,6 +3174,9 @@ + //! returns read-only pointer to the real buffer, stack-allocated or head-allocated + operator const _Tp* () const; + ++ //! returns number of allocated elements ++ size_t getSize() const; ++ + protected: + //! pointer to the real buffer, can point to buf if the buffer is small enough + _Tp* ptr; +Index: opencv-2.4.9.1+dfsg/modules/core/include/opencv2/core/operations.hpp +=================================================================== +--- opencv-2.4.9.1+dfsg.orig/modules/core/include/opencv2/core/operations.hpp 2018-06-29 13:28:09.144794867 +0200 ++++ opencv-2.4.9.1+dfsg/modules/core/include/opencv2/core/operations.hpp 2018-06-29 13:28:09.128794868 +0200 +@@ -2580,6 +2580,9 @@ + template inline AutoBuffer<_Tp, fixed_size>::operator const _Tp* () const + { return ptr; } + ++template inline size_t AutoBuffer<_Tp, fixed_size>::getSize() const ++{ return size; } ++ + + /////////////////////////////////// Ptr //////////////////////////////////////// + +Index: opencv-2.4.9.1+dfsg/modules/highgui/src/bitstrm.cpp +=================================================================== +--- opencv-2.4.9.1+dfsg.orig/modules/highgui/src/bitstrm.cpp 2018-06-29 13:28:09.144794867 +0200 ++++ opencv-2.4.9.1+dfsg/modules/highgui/src/bitstrm.cpp 2018-06-29 13:28:09.128794868 +0200 +@@ -208,6 +208,8 @@ + current = m_current; + } + ++ CV_Assert(current < m_end); ++ + val = *((uchar*)current); + m_current = current + 1; + return val; +Index: opencv-2.4.9.1+dfsg/modules/highgui/src/bitstrm.hpp +=================================================================== +--- opencv-2.4.9.1+dfsg.orig/modules/highgui/src/bitstrm.hpp 2018-06-29 13:28:09.144794867 +0200 ++++ opencv-2.4.9.1+dfsg/modules/highgui/src/bitstrm.hpp 2018-06-29 13:28:09.128794868 +0200 +@@ -48,13 +48,20 @@ + namespace cv + { + +-enum +-{ +- RBS_THROW_EOS=-123, // exception code +- RBS_THROW_FORB=-124, // exception code +- RBS_HUFF_FORB=2047, // forrbidden huffman code "value" +- RBS_BAD_HEADER=-125, // invalid header ++#define DECLARE_RBS_EXCEPTION(name) \ ++class RBS_ ## name ## _Exception : public cv::Exception \ ++{ \ ++public: \ ++ RBS_ ## name ## _Exception(int code_, const String& err_, const String& func_, const String& file_, int line_) : \ ++ cv::Exception(code_, err_, func_, file_, line_) \ ++ {} \ + }; ++DECLARE_RBS_EXCEPTION(THROW_EOS) ++#define RBS_THROW_EOS RBS_THROW_EOS_Exception(CV_StsError, "Unexpected end of input stream", CV_Func, __FILE__, __LINE__) ++DECLARE_RBS_EXCEPTION(THROW_FORB) ++#define RBS_THROW_FORB RBS_THROW_FORB_Exception(CV_StsError, "Forrbidden huffman code", CV_Func, __FILE__, __LINE__) ++DECLARE_RBS_EXCEPTION(BAD_HEADER) ++#define RBS_BAD_HEADER RBS_BAD_HEADER_Exception(CV_StsError, "Invalid header", CV_Func, __FILE__, __LINE__) + + typedef unsigned long ulong; + +Index: opencv-2.4.9.1+dfsg/modules/highgui/src/grfmt_bmp.cpp +=================================================================== +--- opencv-2.4.9.1+dfsg.orig/modules/highgui/src/grfmt_bmp.cpp 2018-06-29 13:28:09.144794867 +0200 ++++ opencv-2.4.9.1+dfsg/modules/highgui/src/grfmt_bmp.cpp 2018-06-29 14:30:40.392682415 +0200 +@@ -115,8 +115,9 @@ + + if( m_bpp <= 8 ) + { +- memset( m_palette, 0, sizeof(m_palette)); +- m_strm.getBytes( m_palette, (clrused == 0? 1< 2 ) // absolute mode + { + if( data + code*nch > line_end ) goto decode_rle4_bad; +- m_strm.getBytes( src, (((code + 1)>>1) + 1) & -2 ); ++ int sz = (((code + 1)>>1) + 1) & (~1); ++ CV_Assert((size_t)sz < _src.getSize()); ++ m_strm.getBytes(src, sz); + if( color ) + data = FillColorRow4( data, src, code, m_palette ); + else +@@ -371,7 +374,9 @@ + + if( data + code3 > line_end ) + goto decode_rle8_bad; +- m_strm.getBytes( src, (code + 1) & -2 ); ++ int sz = (code + 1) & (~1); ++ CV_Assert((size_t)sz < _src.getSize()); ++ m_strm.getBytes(src, sz); + if( color ) + data = FillColorRow8( data, src, code, m_palette ); + else +Index: opencv-2.4.9.1+dfsg/modules/highgui/src/grfmt_pxm.cpp +=================================================================== +--- opencv-2.4.9.1+dfsg.orig/modules/highgui/src/grfmt_pxm.cpp 2018-06-29 13:28:09.144794867 +0200 ++++ opencv-2.4.9.1+dfsg/modules/highgui/src/grfmt_pxm.cpp 2018-06-29 14:09:17.016720887 +0200 +@@ -43,50 +43,58 @@ + #include "precomp.hpp" + #include "utils.hpp" + #include "grfmt_pxm.hpp" ++#include + + namespace cv + { + + ///////////////////////// P?M reader ////////////////////////////// + +-static int ReadNumber( RLByteStream& strm, int maxdigits ) ++static int ReadNumber(RLByteStream& strm, int maxdigits = 0) + { + int code; +- int val = 0; ++ int64 val = 0; + int digits = 0; + + code = strm.getByte(); + +- if( !isdigit(code)) ++ while (!isdigit(code)) + { +- do ++ if (code == '#' ) + { +- if( code == '#' ) ++ do + { +- do +- { +- code = strm.getByte(); +- } +- while( code != '\n' && code != '\r' ); ++ code = strm.getByte(); + } +- ++ while (code != '\n' && code != '\r'); + code = strm.getByte(); +- +- while( isspace(code)) ++ } ++ else if (isspace(code)) ++ { ++ while (isspace(code)) + code = strm.getByte(); + } +- while( !isdigit( code )); ++ else ++ { ++#if 1 ++ CV_Error_(CV_StsError, ("PXM: Unexpected code in ReadNumber(): 0x%x (%d)", code, code)); ++#else ++ code = strm.getByte(); ++#endif ++ } + } + + do + { +- val = val*10 + code - '0'; +- if( ++digits >= maxdigits ) break; ++ val = val*10 + (code - '0'); ++ CV_Assert(val <= INT_MAX && "PXM: ReadNumber(): result is too large"); ++ digits++; ++ if (maxdigits != 0 && digits >= maxdigits) break; + code = strm.getByte(); + } +- while( isdigit(code)); ++ while (isdigit(code)); + +- return val; ++ return (int)val; + } + + +@@ -119,13 +127,13 @@ + return new PxMDecoder; + } + +-void PxMDecoder::close() ++void PxMDecoder::close() + { + m_strm.close(); + } + + +-bool PxMDecoder::readHeader() ++bool PxMDecoder::readHeader() + { + bool result = false; + +@@ -155,10 +163,10 @@ + m_binary = code >= '4'; + m_type = m_bpp > 8 ? CV_8UC3 : CV_8UC1; + +- m_width = ReadNumber( m_strm, INT_MAX ); +- m_height = ReadNumber( m_strm, INT_MAX ); ++ m_width = ReadNumber(m_strm); ++ m_height = ReadNumber(m_strm); + +- m_maxval = m_bpp == 1 ? 1 : ReadNumber( m_strm, INT_MAX ); ++ m_maxval = m_bpp == 1 ? 1 : ReadNumber(m_strm); + if( m_maxval > 65535 ) + throw RBS_BAD_HEADER; + +@@ -172,8 +180,14 @@ + result = true; + } + } +- catch(...) ++ catch (const cv::Exception&) + { ++ throw; ++ } ++ catch (...) ++ { ++ std::cerr << "PXM::readHeader(): unknown C++ exception" << std::endl << std::flush; ++ throw; + } + + if( !result ) +@@ -193,27 +207,23 @@ + int step = (int)img.step; + PaletteEntry palette[256]; + bool result = false; +- int bit_depth = CV_ELEM_SIZE1(m_type)*8; +- int src_pitch = (m_width*m_bpp*bit_depth/8 + 7)/8; ++ const int bit_depth = CV_ELEM_SIZE1(m_type)*8; ++ const int src_pitch = (m_width*m_bpp*(bit_depth/8) + 7) / 8; ++ + int nch = CV_MAT_CN(m_type); + int width3 = m_width*nch; +- int i, x, y; + + if( m_offset < 0 || !m_strm.isOpened()) + return false; + +- AutoBuffer _src(src_pitch + 32); +- uchar* src = _src; +- AutoBuffer _gray_palette; +- uchar* gray_palette = _gray_palette; ++ uchar gray_palette[256] = {0}; + + // create LUT for converting colors + if( bit_depth == 8 ) + { +- _gray_palette.allocate(m_maxval + 1); +- gray_palette = _gray_palette; ++ CV_Assert(m_maxval < 256); + +- for( i = 0; i <= m_maxval; i++ ) ++ for (int i = 0; i <= m_maxval; i++) + gray_palette[i] = (uchar)((i*255/m_maxval)^(m_bpp == 1 ? 255 : 0)); + + FillGrayPalette( palette, m_bpp==1 ? 1 : 8 , m_bpp == 1 ); +@@ -227,12 +237,16 @@ + { + ////////////////////////// 1 BPP ///////////////////////// + case 1: ++ CV_Assert(CV_MAT_DEPTH(m_type) == CV_8U); + if( !m_binary ) + { +- for( y = 0; y < m_height; y++, data += step ) ++ AutoBuffer _src(m_width); ++ uchar* src = _src; ++ ++ for (int y = 0; y < m_height; y++, data += step) + { +- for( x = 0; x < m_width; x++ ) +- src[x] = ReadNumber( m_strm, 1 ) != 0; ++ for (int x = 0; x < m_width; x++) ++ src[x] = ReadNumber(m_strm, 1) != 0; + + if( color ) + FillColorRow8( data, src, m_width, palette ); +@@ -242,7 +256,10 @@ + } + else + { +- for( y = 0; y < m_height; y++, data += step ) ++ AutoBuffer _src(src_pitch); ++ uchar* src = _src; ++ ++ for (int y = 0; y < m_height; y++, data += step) + { + m_strm.getBytes( src, src_pitch ); + +@@ -258,11 +275,15 @@ + ////////////////////////// 8 BPP ///////////////////////// + case 8: + case 24: +- for( y = 0; y < m_height; y++, data += step ) ++ { ++ AutoBuffer _src(std::max(width3*2, src_pitch)); ++ uchar* src = _src; ++ ++ for (int y = 0; y < m_height; y++, data += step) + { + if( !m_binary ) + { +- for( x = 0; x < width3; x++ ) ++ for (int x = 0; x < width3; x++) + { + int code = ReadNumber( m_strm, INT_MAX ); + if( (unsigned)code > (unsigned)m_maxval ) code = m_maxval; +@@ -277,7 +298,7 @@ + m_strm.getBytes( src, src_pitch ); + if( bit_depth == 16 && !isBigEndian() ) + { +- for( x = 0; x < width3; x++ ) ++ for (int x = 0; x < width3; x++) + { + uchar v = src[x * 2]; + src[x * 2] = src[x * 2 + 1]; +@@ -288,7 +309,7 @@ + + if( img.depth() == CV_8U && bit_depth == 16 ) + { +- for( x = 0; x < width3; x++ ) ++ for (int x = 0; x < width3; x++) + { + int v = ((ushort *)src)[x]; + src[x] = (uchar)(v >> 8); +@@ -329,12 +350,19 @@ + } + result = true; + break; ++ } + default: +- assert(0); ++ CV_Error(CV_StsError, "m_bpp is not supported"); + } + } +- catch(...) ++ catch (const cv::Exception&) ++ { ++ throw; ++ } ++ catch (...) + { ++ std::cerr << "PXM::readData(): unknown exception" << std::endl << std::flush; ++ throw; + } + + return result; +@@ -410,8 +438,9 @@ + char* buffer = _buffer; + + // write header; +- sprintf( buffer, "P%c\n%d %d\n%d\n", ++ sprintf( buffer, "P%c\n# Generated by OpenCV %s\n%d %d\n%d\n", + '2' + (channels > 1 ? 1 : 0) + (isBinary ? 3 : 0), ++ CV_VERSION, + width, height, (1 << depth) - 1 ); + + strm.putBytes( buffer, (int)strlen(buffer) ); +Index: opencv-2.4.9.1+dfsg/modules/highgui/src/loadsave.cpp +=================================================================== +--- opencv-2.4.9.1+dfsg.orig/modules/highgui/src/loadsave.cpp 2018-06-29 13:28:09.144794867 +0200 ++++ opencv-2.4.9.1+dfsg/modules/highgui/src/loadsave.cpp 2018-06-29 13:59:36.352738294 +0200 +@@ -48,12 +48,31 @@ + #undef min + #undef max + ++#include ++ + /****************************************************************************************\ + * Image Codecs * + \****************************************************************************************/ + namespace cv + { + ++// TODO Add runtime configuration ++#define CV_IO_MAX_IMAGE_PARAMS (50) ++#define CV_IO_MAX_IMAGE_WIDTH (1<<20) ++#define CV_IO_MAX_IMAGE_HEIGHT (1<<20) ++#define CV_IO_MAX_IMAGE_PIXELS (1<<30) // 1 Gigapixel ++static Size validateInputImageSize(const Size& size) ++{ ++ CV_Assert(size.width > 0); ++ CV_Assert(size.width <= CV_IO_MAX_IMAGE_WIDTH); ++ CV_Assert(size.height > 0); ++ CV_Assert(size.height <= CV_IO_MAX_IMAGE_HEIGHT); ++ uint64 pixels = (uint64)size.width * (uint64)size.height; ++ CV_Assert(pixels <= CV_IO_MAX_IMAGE_PIXELS); ++ return size; ++} ++ ++ + struct ImageCodecInitializer + { + ImageCodecInitializer() +@@ -203,12 +222,26 @@ + if( decoder.empty() ) + return 0; + decoder->setSource(filename); +- if( !decoder->readHeader() ) ++ ++ try ++ { ++ // read the header to make sure it succeeds ++ if (!decoder->readHeader()) ++ return 0; ++ } ++ catch (const cv::Exception& e) ++ { ++ std::cerr << "imread_('" << filename << "'): can't read header: " << e.what() << std::endl << std::flush; ++ return 0; ++ } ++ catch (...) ++ { ++ std::cerr << "imread_('" << filename << "'): can't read header: unknown exception" << std::endl << std::flush; + return 0; ++ } + +- CvSize size; +- size.width = decoder->width(); +- size.height = decoder->height(); ++ ++ Size size = validateInputImageSize(Size(decoder->width(), decoder->height())); + + int type = decoder->type(); + if( flags != -1 ) +@@ -242,7 +275,21 @@ + temp = cvarrToMat(image); + } + +- if( !decoder->readData( *data )) ++ bool success = false; ++ try ++ { ++ if (decoder->readData(*data)) ++ success = true; ++ } ++ catch (const cv::Exception& e) ++ { ++ std::cerr << "imread_('" << filename << "'): can't read data: " << e.what() << std::endl << std::flush; ++ } ++ catch (...) ++ { ++ std::cerr << "imread_('" << filename << "'): can't read data: unknown exception" << std::endl << std::flush; ++ } ++ if (!success) + { + cvReleaseImage( &image ); + cvReleaseMat( &matrix ); +@@ -288,6 +335,7 @@ + } + + encoder->setDestination( filename ); ++ CV_Assert(params.size() <= CV_IO_MAX_IMAGE_PARAMS*2); + bool code = encoder->write( *pimage, params ); + + // CV_Assert( code ); +@@ -326,16 +374,34 @@ + decoder->setSource(filename); + } + +- if( !decoder->readHeader() ) ++ bool success = false; ++ try ++ { ++ if (decoder->readHeader()) ++ success = true; ++ } ++ catch (const cv::Exception& e) ++ { ++ std::cerr << "imdecode_('" << filename << "'): can't read header: " << e.what() << std::endl << std::flush; ++ } ++ catch (...) + { +- if( !filename.empty() ) +- remove(filename.c_str()); ++ std::cerr << "imdecode_('" << filename << "'): can't read header: unknown exception" << std::endl << std::flush; ++ } ++ if (!success) ++ { ++ if (!filename.empty()) ++ { ++ if (0 != remove(filename.c_str())) ++ { ++ std::cerr << "unable to remove temporary file:" << filename << std::endl << std::flush; ++ } ++ } + return 0; + } + +- CvSize size; +- size.width = decoder->width(); +- size.height = decoder->height(); ++ // established the required input image size ++ Size size = validateInputImageSize(Size(decoder->width(), decoder->height())); + + int type = decoder->type(); + if( flags != -1 ) +@@ -369,11 +435,30 @@ + temp = cvarrToMat(image); + } + +- bool code = decoder->readData( *data ); +- if( !filename.empty() ) +- remove(filename.c_str()); ++ success = false; ++ try ++ { ++ if (decoder->readData(*data)) ++ success = true; ++ } ++ catch (const cv::Exception& e) ++ { ++ std::cerr << "imdecode_('" << filename << "'): can't read data: " << e.what() << std::endl << std::flush; ++ } ++ catch (...) ++ { ++ std::cerr << "imdecode_('" << filename << "'): can't read data: unknown exception" << std::endl << std::flush; ++ } + +- if( !code ) ++ if (!filename.empty()) ++ { ++ if (0 != remove(filename.c_str())) ++ { ++ std::cerr << "unable to remove temporary file:" << filename << std::endl << std::flush; ++ } ++ } ++ ++ if (!success) + { + cvReleaseImage( &image ); + cvReleaseMat( &matrix ); +@@ -490,7 +575,7 @@ + if( _params ) + { + for( ; _params[i] > 0; i += 2 ) +- ; ++ CV_Assert(i < CV_IO_MAX_IMAGE_PARAMS*2); // Limit number of params for security reasons + } + return cv::imwrite_(filename, cv::cvarrToMat(arr), + i > 0 ? cv::vector(_params, _params+i) : cv::vector(), +@@ -521,7 +606,7 @@ + if( _params ) + { + for( ; _params[i] > 0; i += 2 ) +- ; ++ CV_Assert(i < CV_IO_MAX_IMAGE_PARAMS*2); // Limit number of params for security reasons + } + cv::Mat img = cv::cvarrToMat(arr); + if( CV_IS_IMAGE(arr) && ((const IplImage*)arr)->origin == IPL_ORIGIN_BL ) diff -Nru opencv-2.4.8+dfsg1/debian/patches/CVE-2018-5268.patch opencv-2.4.8+dfsg1/debian/patches/CVE-2018-5268.patch --- opencv-2.4.8+dfsg1/debian/patches/CVE-2018-5268.patch 1970-01-01 00:00:00.000000000 +0000 +++ opencv-2.4.8+dfsg1/debian/patches/CVE-2018-5268.patch 2018-09-11 14:49:15.000000000 +0000 @@ -0,0 +1,127 @@ +From 56072c4406ad051c414e66460b4e73961ecdd3cf Mon Sep 17 00:00:00 2001 +From: Alexander Alekhin +Date: Tue, 9 Jan 2018 17:36:57 +0300 +Subject: [PATCH 3/3] imgcodecs: add more Jasper checks for supported and + tested cases + +435a3e337bd9d4e11af61cf8b8afca067bf1a8aa +--- + modules/highgui/src/grfmt_jpeg2000.cpp | 47 ++++++++++++++++++++++---- + 1 file changed, 40 insertions(+), 7 deletions(-) + +diff --git a/modules/highgui/src/grfmt_jpeg2000.cpp b/modules/highgui/src/grfmt_jpeg2000.cpp +index d8cb976..231965e 100644 +--- a/modules/highgui/src/grfmt_jpeg2000.cpp ++++ b/modules/highgui/src/grfmt_jpeg2000.cpp +@@ -76,7 +76,8 @@ static JasperInitializer initialize_jasper; + + Jpeg2KDecoder::Jpeg2KDecoder() + { +- m_signature = '\0' + string() + '\0' + string() + '\0' + string("\x0cjP \r\n\x87\n"); ++ static const unsigned char signature_[12] = { 0, 0, 0, 0x0c, 'j', 'P', ' ', ' ', 13, 10, 0x87, 10}; ++ m_signature = string((const char*)signature_, (const char*)signature_ + sizeof(signature_)); + m_stream = 0; + m_image = 0; + } +@@ -120,6 +121,8 @@ bool Jpeg2KDecoder::readHeader() + jas_image_t* image = jas_image_decode( stream, -1, 0 ); + m_image = image; + if( image ) { ++ CV_Assert(0 == (jas_image_tlx(image)) && "not supported"); ++ CV_Assert(0 == (jas_image_tly(image)) && "not supported"); + m_width = jas_image_width( image ); + m_height = jas_image_height( image ); + +@@ -129,14 +132,31 @@ bool Jpeg2KDecoder::readHeader() + for( int i = 0; i < numcmpts; i++ ) + { + int depth_i = jas_image_cmptprec( image, i ); ++ CV_Assert(depth == 0 || depth == depth_i); // component data type mismatch + depth = MAX(depth, depth_i); + if( jas_image_cmpttype( image, i ) > 2 ) + continue; ++ int sgnd = jas_image_cmptsgnd(image, i); ++ int xstart = jas_image_cmpttlx(image, i); ++ int xend = jas_image_cmptbrx(image, i); ++ int xstep = jas_image_cmpthstep(image, i); ++ int ystart = jas_image_cmpttly(image, i); ++ int yend = jas_image_cmptbry(image, i); ++ int ystep = jas_image_cmptvstep(image, i); ++ CV_Assert(sgnd == 0 && "not supported"); ++ CV_Assert(xstart == 0 && "not supported"); ++ CV_Assert(ystart == 0 && "not supported"); ++ CV_Assert(xstep == 1 && "not supported"); ++ CV_Assert(ystep == 1 && "not supported"); ++ CV_Assert(xend == m_width); ++ CV_Assert(yend == m_height); + cntcmpts++; + } + + if( cntcmpts ) + { ++ CV_Assert(depth == 8 || depth == 16); ++ CV_Assert(cntcmpts == 1 || cntcmpts == 3); + m_type = CV_MAKETYPE(depth <= 8 ? CV_8U : CV_16U, cntcmpts > 1 ? 3 : 1); + result = true; + } +@@ -149,9 +169,15 @@ bool Jpeg2KDecoder::readHeader() + return result; + } + ++static void Jpeg2KDecoder_close(Jpeg2KDecoder* ptr) ++{ ++ ptr->close(); ++} ++template<> void Ptr::delete_obj() { Jpeg2KDecoder_close(obj); } + + bool Jpeg2KDecoder::readData( Mat& img ) + { ++ Ptr close_this(this); // auto cleanup: Jpeg2KDecoder_close + bool result = false; + int color = img.channels() > 1; + uchar* data = img.data; +@@ -188,11 +214,16 @@ bool Jpeg2KDecoder::readData( Mat& img ) + result = true; + } + else +- fprintf(stderr, "JPEG 2000 LOADER ERROR: cannot convert colorspace\n"); ++ { ++ jas_cmprof_destroy(clrprof); ++ CV_Error(CV_StsError, "JPEG 2000 LOADER ERROR: cannot convert colorspace"); ++ } + jas_cmprof_destroy( clrprof ); + } + else +- fprintf(stderr, "JPEG 2000 LOADER ERROR: unable to create colorspace\n"); ++ { ++ CV_Error(CV_StsError, "JPEG 2000 LOADER ERROR: unable to create colorspace"); ++ } + } + else + result = true; +@@ -241,8 +272,8 @@ bool Jpeg2KDecoder::readData( Mat& img ) + result = readComponent16u( ((unsigned short *)data) + i, buffer, validateToInt(step / 2), cmptlut[i], maxval, offset, ncmpts ); + if( !result ) + { +- i = ncmpts; +- result = false; ++ jas_matrix_destroy( buffer ); ++ CV_Error(CV_StsError, "JPEG2000 LOADER ERROR: failed to read component"); + } + } + jas_matrix_destroy( buffer ); +@@ -251,10 +282,12 @@ bool Jpeg2KDecoder::readData( Mat& img ) + } + } + else +- fprintf(stderr, "JPEG2000 LOADER ERROR: colorspace conversion failed\n" ); ++ { ++ CV_Error(CV_StsError, "JPEG2000 LOADER ERROR: colorspace conversion failed"); ++ } + } + +- close(); ++ CV_Assert(result == true); + + return result; + } diff -Nru opencv-2.4.8+dfsg1/debian/patches/CVE-2018-5269.patch opencv-2.4.8+dfsg1/debian/patches/CVE-2018-5269.patch --- opencv-2.4.8+dfsg1/debian/patches/CVE-2018-5269.patch 1970-01-01 00:00:00.000000000 +0000 +++ opencv-2.4.8+dfsg1/debian/patches/CVE-2018-5269.patch 2018-09-11 15:04:53.000000000 +0000 @@ -0,0 +1,179 @@ +From cd64b504b8f568a923adc764b1fc6303dcd75bec Mon Sep 17 00:00:00 2001 +From: Alexander Alekhin +Date: Tue, 9 Jan 2018 17:56:52 +0300 +Subject: [PATCH 2/3] imgcodecs: add overflow checks + +imgcodecs: remove assert() usage + +Origin commits: +- be5247921da02e58aa42830c81730ef20a23af80 +- 8a76fadaa39b87d740ec3346d9eccb64bde5a6af +--- + modules/highgui/src/bitstrm.cpp | 22 ++++++++++++++-------- + modules/highgui/src/grfmt_bmp.cpp | 1 + + modules/highgui/src/grfmt_sunras.cpp | 8 ++++---- + modules/highgui/src/precomp.hpp | 2 +- + modules/highgui/src/utils.cpp | 2 +- + 5 files changed, 21 insertions(+), 14 deletions(-) + +diff --git a/modules/highgui/src/bitstrm.cpp b/modules/highgui/src/bitstrm.cpp +index 67792a2..89f52d4 100644 +--- a/modules/highgui/src/bitstrm.cpp ++++ b/modules/highgui/src/bitstrm.cpp +@@ -42,6 +42,7 @@ + + #include "precomp.hpp" + #include "bitstrm.hpp" ++#include "utils.hpp" + + namespace cv + { +@@ -164,7 +165,7 @@ void RBaseStream::release() + + void RBaseStream::setPos( int pos ) + { +- assert( isOpened() && pos >= 0 ); ++ CV_Assert(isOpened() && pos >= 0); + + if( !m_file ) + { +@@ -181,14 +182,19 @@ void RBaseStream::setPos( int pos ) + + int RBaseStream::getPos() + { +- assert( isOpened() ); +- return m_block_pos + (int)(m_current - m_start); ++ CV_Assert(isOpened()); ++ int pos = validateToInt((m_current - m_start) + m_block_pos); ++ CV_Assert(pos >= m_block_pos); // overflow check ++ CV_Assert(pos >= 0); // overflow check ++ return pos; + } + + void RBaseStream::skip( int bytes ) + { +- assert( bytes >= 0 ); ++ CV_Assert(bytes >= 0); ++ uchar* old = m_current; + m_current += bytes; ++ CV_Assert(m_current >= old); // overflow check + } + + ///////////////////////// RLByteStream //////////////////////////// +@@ -220,7 +226,7 @@ int RLByteStream::getBytes( void* buffer, int count ) + { + uchar* data = (uchar*)buffer; + int readed = 0; +- assert( count >= 0 ); ++ CV_Assert(count >= 0); + + while( count > 0 ) + { +@@ -371,7 +377,7 @@ void WBaseStream::writeBlock() + { + int size = (int)(m_current - m_start); + +- assert( isOpened() ); ++ CV_Assert(isOpened()); + if( size == 0 ) + return; + +@@ -442,7 +448,7 @@ void WBaseStream::release() + + int WBaseStream::getPos() + { +- assert( isOpened() ); ++ CV_Assert(isOpened()); + return m_block_pos + (int)(m_current - m_start); + } + +@@ -465,7 +471,7 @@ void WLByteStream::putBytes( const void* buffer, int count ) + { + uchar* data = (uchar*)buffer; + +- assert( data && m_current && count >= 0 ); ++ CV_Assert(data && m_current && count >= 0); + + while( count ) + { +diff --git a/modules/highgui/src/grfmt_bmp.cpp b/modules/highgui/src/grfmt_bmp.cpp +index de60ca6..6187b2b 100644 +--- a/modules/highgui/src/grfmt_bmp.cpp ++++ b/modules/highgui/src/grfmt_bmp.cpp +@@ -92,6 +92,7 @@ bool BmpDecoder::readHeader() + m_offset = m_strm.getDWord(); + + int size = m_strm.getDWord(); ++ CV_Assert(size > 0); // overflow, 2Gb limit + + if( size >= 36 ) + { +diff --git a/modules/highgui/src/grfmt_sunras.cpp b/modules/highgui/src/grfmt_sunras.cpp +index 60a93a0..dd85400 100644 +--- a/modules/highgui/src/grfmt_sunras.cpp ++++ b/modules/highgui/src/grfmt_sunras.cpp +@@ -120,7 +120,7 @@ bool SunRasterDecoder::readHeader() + m_type = IsColorPalette( m_palette, m_bpp ) ? CV_8UC3 : CV_8UC1; + m_offset = m_strm.getPos(); + +- assert( m_offset == 32 + m_maplength ); ++ CV_Assert(m_offset == 32 + m_maplength); + result = true; + } + } +@@ -133,7 +133,7 @@ bool SunRasterDecoder::readHeader() + + m_offset = m_strm.getPos(); + +- assert( m_offset == 32 + m_maplength ); ++ CV_Assert(m_offset == 32 + m_maplength); + result = true; + } + } +@@ -226,7 +226,7 @@ bool SunRasterDecoder::readData( Mat& img ) + code = m_strm.getByte(); + if( len > line_end - tsrc ) + { +- assert(0); ++ CV_Error(CV_StsInternal, ""); + goto bad_decoding_1bpp; + } + +@@ -367,7 +367,7 @@ bad_decoding_end: + result = true; + break; + default: +- assert(0); ++ CV_Error(CV_StsInternal, ""); + } + } + catch( ... ) +diff --git a/modules/highgui/src/precomp.hpp b/modules/highgui/src/precomp.hpp +index 88ba8e4..80e16e0 100644 +--- a/modules/highgui/src/precomp.hpp ++++ b/modules/highgui/src/precomp.hpp +@@ -54,7 +54,7 @@ + #include + #include + #include +-#include ++#include // FIX IT: remove this + + #if defined WIN32 || defined WINCE + #include +diff --git a/modules/highgui/src/utils.cpp b/modules/highgui/src/utils.cpp +index 68b6d8e..9678911 100644 +--- a/modules/highgui/src/utils.cpp ++++ b/modules/highgui/src/utils.cpp +@@ -670,7 +670,7 @@ cvConvertImage( const CvArr* srcarr, CvArr* dstarr, int flags ) + icvCvt_BGR2Gray_8u_C3C1R( s, s_step, d, d_step, size, swap_rb ); + break; + case 33: +- assert( swap_rb ); ++ CV_Assert(swap_rb); + icvCvt_RGB2BGR_8u_C3R( s, s_step, d, d_step, size ); + break; + case 41: +-- +2.17.1 + diff -Nru opencv-2.4.8+dfsg1/debian/patches/series opencv-2.4.8+dfsg1/debian/patches/series --- opencv-2.4.8+dfsg1/debian/patches/series 2014-01-28 05:10:09.000000000 +0000 +++ opencv-2.4.8+dfsg1/debian/patches/series 2018-09-11 14:49:23.000000000 +0000 @@ -6,3 +6,9 @@ change_type_from_int_to_Atomic_word revert-Make-ts-always-static fix_path_of_opencl_headers +CVE-2017-several.patch +CVE-2017-14136.patch +CVE-2017-17760.patch +CVE-2017-1000450.patch +CVE-2018-5268.patch +CVE-2018-5269.patch diff -Nru opencv-2.4.8+dfsg1/debian/rules opencv-2.4.8+dfsg1/debian/rules --- opencv-2.4.8+dfsg1/debian/rules 2014-02-16 23:40:46.000000000 +0000 +++ opencv-2.4.8+dfsg1/debian/rules 2018-09-18 08:19:01.000000000 +0000 @@ -12,6 +12,17 @@ CMAKE_ARCH_FLAGS = -DENABLE_SSE=OFF -DENABLE_SSE2=OFF -DENABLE_SSE3=OFF endif +ifeq ($(DEB_HOST_ARCH),arm64) +CMAKE_ARCH_FLAGS += -DENABLE_PRECOMPILED_HEADERS=OFF +endif + +# No GL on armhf +ifneq ($(DEB_HOST_ARCH),armhf) +CMAKE_ARCH_FLAGS += -DWITH_OPENGL=ON +else +CMAKE_ARCH_FLAGS += -DWITH_OPENGL=OFF +endif + # TBB support ifneq (,$(findstring $(DEB_HOST_ARCH), i386 amd64 ia64 powerpc ppc64)) CMAKE_ARCH_FLAGS += -DWITH_TBB=ON @@ -45,7 +56,6 @@ -DWITH_FFMPEG=ON \ -DWITH_GSTREAMER=OFF \ -DWITH_GTK=ON \ - -DWITH_OPENGL=ON \ -DWITH_JASPER=ON \ -DWITH_JPEG=ON \ -DWITH_PNG=ON \