patched openjpeg in pdfium

64 views
Skip to first unread message

Vincent Torri

unread,
Nov 27, 2018, 3:23:44 PM11/27/18
to OpenJPEG
hello

while browsing pdfium source, i've found this :


especially https://pdfium.googlesource.com/pdfium/+/master/third_party/libopenjpeg20/README.pdfium where it is mentioned that there are critical security issues.

i don't know if all the patches are good or not, if some of them are merged upstream. But if they are really fixing critical security issues, they should be taken into consideration

regards

Vincent Torri

Mario Emmenlauer

unread,
Jul 5, 2019, 8:53:32 AM7/5/19
to open...@googlegroups.com, Vincent Torri

Dear Vincent and all,

I must have missed the discussion of your email below. Was there
an outcome? I've seen that pdfium still maintains a long list of
patches against 2.3.1 release. So maybe not everything has found
its way into OpenJPEG?

At least a number of their current patches sound as if they may be
relevant for security and/or stability. Does anyone know if these
patches are considered for upstream integration? If not, is there
something that must be done, like making a PR or getting an official
ok from pdfium developers?
All the best,

Mario Emmenlauer

Even Rouault

unread,
Jul 5, 2019, 9:25:25 AM7/5/19
to open...@googlegroups.com, Mario Emmenlauer, Vincent Torri
On vendredi 5 juillet 2019 14:53:24 CEST Mario Emmenlauer wrote:
> Dear Vincent and all,
>
> I must have missed the discussion of your email below. Was there
> an outcome? I've seen that pdfium still maintains a long list of
> patches against 2.3.1 release. So maybe not everything has found
> its way into OpenJPEG?
>
> At least a number of their current patches sound as if they may be
> relevant for security and/or stability. Does anyone know if these
> patches are considered for upstream integration? If not, is there
> something that must be done, like making a PR or getting an official
> ok from pdfium developers?

I'd expect the pdfium developers to behave as good open source citizens and
issue PR against openjpeg when their patches are relevant from upstream
inclusion...

--
Spatialys - Geospatial professional services
http://www.spatialys.com

Lei Zhang

unread,
Jul 9, 2019, 7:20:31 AM7/9/19
to OpenJPEG
On Friday, July 5, 2019 at 6:25:25 AM UTC-7, Even Rouault wrote:
I'd expect the pdfium developers to behave as good open source citizens and
issue PR against openjpeg when their patches are relevant from upstream
inclusion...

I'll take a look at the stash of OpenJPEG patches in PDFium and see which ones are applicable for upstreaming. If anyone has opinions on which patches should / should not be upstreamed, please let me know.

Mario Emmenlauer

unread,
Jul 11, 2019, 5:22:52 AM7/11/19
to OpenJPEG
Thanks a lot Lei, its appreciated! Personally I'd start with more security-related issues or crashes, and then go down the severity list.
Reply all
Reply to author
Forward
0 new messages