From b927058237a36b3bd870cff50a4107bfd4a39e41 Mon Sep 17 00:00:00 2001
From: Mark H Weaver
Date: Fri, 2 Oct 2015 12:30:41 -0400
Subject: [PATCH] gnu: openjpeg-2.x: Add fix for use-after-free in opj_j2k_write_mco.
* gnu/packages/patches/openjpeg-use-after-free-fix.patch: New file.
* gnu-system.am (dist_patch_DATA): Add it.
* gnu/packages/image.scm (openjpeg, openjpeg-2.0)[source]: Add patch. [home-page]: Update.
---
 gnu-system.am | 1 +
 gnu/packages/image.scm | 8 ++--
 .../patches/openjpeg-use-after-free-fix.patch | 48 +++++++++++++++++++
 3 files changed, 54 insertions(+), 3 deletions(-)
 create mode 100644 gnu/packages/patches/openjpeg-use-after-free-fix.patch
diff --git a/gnu-system.am b/gnu-system.am
index 98634a0c2be7dff3671ba36dfbe63002a2ec4fff..17012af51b1b6cd918d60dd42b5846380ad66fd8 100644
--- a/gnu-system.am
+++ b/gnu-system.am
@@ -571,6 +571,7 @@ dist_patch_DATA = \
 gnu/packages/patches/nvi-dbpagesize-binpower.patch \
 gnu/packages/patches/nvi-db4.patch \
 gnu/packages/patches/openexr-missing-samples.patch \
+ gnu/packages/patches/openjpeg-use-after-free-fix.patch \
 gnu/packages/patches/openssl-runpath.patch \
 gnu/packages/patches/openssl-c-rehash.patch \
 gnu/packages/patches/orpheus-cast-errors-and-includes.patch \
diff --git a/gnu/packages/image.scm b/gnu/packages/image.scm
index cee7f146facac360137d6b272dd8f890e6237691..c23946d0d090ffac897e179f5ad500b4c0743222 100644
--- a/gnu/packages/image.scm
+++ b/gnu/packages/image.scm
@@ -271,7 +271,8 @@ work.")
 (string-append "mirror://sourceforge/openjpeg.mirror/" name "-" version ".tar.gz"))
 (sha256
- (base32 "00zzm303zvv4ijzancrsb1cqbph3pgz0nky92k9qx3fq9y0vnchj"))))
+ (base32 "00zzm303zvv4ijzancrsb1cqbph3pgz0nky92k9qx3fq9y0vnchj"))
+ (patches (list (search-patch "openjpeg-use-after-free-fix.patch")))))
 (build-system cmake-build-system)
 (arguments
 ;; Trying to run `$ make check' results in a no rule fault.
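Review bot: The added `(patches (list (search-patch "openjpeg-use-after-free-fix.patch")))` line in the openjpeg origin has no comment saying which upstream change it backports or when it can be dropped, and the openjpeg-2.0 origin in the third hunk of this file has the same gap. A comment above each, such as `;; Backport of upstream commit 940100c28ae2 (use-after-free in opj_j2k_write_mco, upstream issue #563); remove once a release contains it.`, would let a later auditor confirm that the fix is still needed and still applied. The diff also does not show whether the patch, which was written against upstream's j2k.c as of September 2015, applies cleanly to the 2.0 tarball; building both packages presumably covers that, but the commit message could say so. Both origin forms begin outside their hunks.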
@@ -292,7 +293,7 @@ In addition to the basic codec, various other features are under development, among them the JP2 and MJ2 (Motion JPEG 2000) file formats, an indexing tool useful for the JPIP protocol, JPWL-tools for error-resilience, a Java-viewer for j2k-images, ...")
- (home-page "https://code.google.com/p/openjpeg/")
+ (home-page "https://github.com/uclouvain/openjpeg")
 (license license:bsd-2)))
 (define-public openjpeg-2.0
@@ -306,7 +307,8 @@ error-resilience, a Java-viewer for j2k-images, ...")
 (string-append "mirror://sourceforge/openjpeg.mirror/" name "-" version ".tar.gz"))
 (sha256
- (base32 "1c2xc3nl2mg511b63rk7hrckmy14681p1m44mzw3n1fyqnjm0b0z"))))))
+ (base32 "1c2xc3nl2mg511b63rk7hrckmy14681p1m44mzw3n1fyqnjm0b0z"))
+ (patches (list (search-patch "openjpeg-use-after-free-fix.patch")))))))
 (define-public openjpeg-1
 (package (inherit openjpeg)
diff --git a/gnu/packages/patches/openjpeg-use-after-free-fix.patch b/gnu/packages/patches/openjpeg-use-after-free-fix.patch
new file mode 100644
index 0000000000000000000000000000000000000000..1a9cb1ae1d461693c86bb58c13ef3c278d3494bf
--- /dev/null
+++ b/gnu/packages/patches/openjpeg-use-after-free-fix.patch
@@ -0,0 +1,48 @@
+From 940100c28ae28931722290794889cf84a92c5f6f Mon Sep 17 00:00:00 2001
+From: mayeut
+Date: Sun, 6 Sep 2015 17:24:03 +0200
+Subject: [PATCH] Fix potential use-after-free in opj_j2k_write_mco function
+
+Fixes #563
+---
+ src/lib/openjp2/j2k.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/src/lib/openjp2/j2k.c b/src/lib/openjp2/j2k.c
+index 19a48f5..d487d89 100644
+--- a/src/lib/openjp2/j2k.c
++++ b/src/lib/openjp2/j2k.c
+@@ -5559,8 +5559,7 @@ static OPJ_BOOL opj_j2k_write_mco( opj_j2k_t *p_j2k,
+ assert(p_stream != 00);
+
+ l_tcp =&(p_j2k->m_cp.tcps[p_j2k->m_current_tile_number]);
+- l_current_data = p_j2k->m_specific_param.m_encoder.m_header_tile_data;
+-
++
+ l_mco_size = 5 + l_tcp->m_nb_mcc_records;
+ if (l_mco_size > p_j2k->m_specific_param.m_encoder.m_header_tile_data_size) {
+
+@@ -5575,6 +5574,8 @@ static OPJ_BOOL opj_j2k_write_mco( opj_j2k_t *p_j2k,
+ p_j2k->m_specific_param.m_encoder.m_header_tile_data = new_header_tile_data;
+ p_j2k->m_specific_param.m_encoder.m_header_tile_data_size = l_mco_size;
+ }
++ l_current_data = p_j2k->m_specific_param.m_encoder.m_header_tile_data;
++
+
+ opj_write_bytes(l_current_data,J2K_MS_MCO,2); /* MCO */
+ l_current_data += 2;
+@@ -5586,10 +5587,9 @@ static OPJ_BOOL opj_j2k_write_mco( opj_j2k_t *p_j2k,
+ ++l_current_data;
+
+ l_mcc_record = l_tcp->m_mcc_records;
+- for (i=0;im_nb_mcc_records;++i) {
++ for (i=0;im_nb_mcc_records;++i) {
+ opj_write_bytes(l_current_data,l_mcc_record->m_index,1);/* Imco -> use the mcc indicated by 1*/
+ ++l_current_data;
+-
+ ++l_mcc_record;
+ }
+
+--
+2.5.0
+