diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..d74b1b5
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+SOURCES/jasper-1.900.1.zip
diff --git a/.jasper.metadata b/.jasper.metadata
new file mode 100644
index 0000000..d4cad72
--- /dev/null
+++ b/.jasper.metadata
@@ -0,0 +1 @@
+9c5735f773922e580bf98c7c7dfda9bbed4c5191 SOURCES/jasper-1.900.1.zip
diff --git a/SOURCES/jasper-1.701.0-GL-ac.patch b/SOURCES/jasper-1.701.0-GL-ac.patch
new file mode 100644
index 0000000..bf57143
--- /dev/null
+++ b/SOURCES/jasper-1.701.0-GL-ac.patch
@@ -0,0 +1,11 @@
+--- jasper-1.701.0.GEO/configure.ac.GL	2006-02-20 19:58:02.000000000 -0600
++++ jasper-1.701.0.GEO/configure.ac	2006-02-24 07:40:38.000000000 -0600
+@@ -242,7 +242,7 @@
+ OPENGL_LIBS=""
+ if test $ENABLE_OPENGL = yes; then
+ 	if test $HAVE_OPENGL = no; then
+-		TMPLIBS="-lglut -lGL -lGLU $X_PRE_LIBS -lX11 -lXmu -lXi -lXext -lXt $X_EXTRA_LIBS $X_LIBS"
++		TMPLIBS="-lglut -lGL -lGLU"
+ 		AC_CHECK_LIB(glut, glutInit, [HAVE_OPENGL=yes;
+ 		  OPENGL_LIBS=$TMPLIBS], HAVE_OPENGL=no, $TMPLIBS)
+ 	fi
diff --git a/SOURCES/jasper-1.701.0-GL.patch b/SOURCES/jasper-1.701.0-GL.patch
new file mode 100644
index 0000000..ba199e2
--- /dev/null
+++ b/SOURCES/jasper-1.701.0-GL.patch
@@ -0,0 +1,11 @@
+--- jasper-1.701.0.GEO/configure.GL	2006-02-20 20:01:30.000000000 -0600
++++ jasper-1.701.0.GEO/configure	2006-02-24 07:40:46.000000000 -0600
+@@ -9464,7 +9464,7 @@
+ OPENGL_LIBS=""
+ if test $ENABLE_OPENGL = yes; then
+ 	if test $HAVE_OPENGL = no; then
+-		TMPLIBS="-lglut -lGL -lGLU $X_PRE_LIBS -lX11 -lXmu -lXi -lXext -lXt $X_EXTRA_LIBS $X_LIBS"
++		TMPLIBS="-lglut -lGL -lGLU"
+ 		echo "$as_me:$LINENO: checking for glutInit in -lglut" >&5
+ echo $ECHO_N "checking for glutInit in -lglut... $ECHO_C" >&6
+ if test "${ac_cv_lib_glut_glutInit+set}" = set; then
diff --git a/SOURCES/jasper-1.900.1-CVE-2008-3520.patch b/SOURCES/jasper-1.900.1-CVE-2008-3520.patch
new file mode 100644
index 0000000..0f5e3b7
--- /dev/null
+++ b/SOURCES/jasper-1.900.1-CVE-2008-3520.patch
@@ -0,0 +1,928 @@
+https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2008-3520
+
+OpenBSD jas_malloc hardening patches
+
+diff -pruN jasper-1.900.1.orig/src/libjasper/base/jas_cm.c jasper-1.900.1/src/libjasper/base/jas_cm.c
+--- jasper-1.900.1.orig/src/libjasper/base/jas_cm.c	2007-01-19 22:43:05.000000000 +0100
++++ jasper-1.900.1/src/libjasper/base/jas_cm.c	2009-10-22 10:27:45.000000000 +0200
+@@ -704,8 +704,7 @@ static int jas_cmpxformseq_resize(jas_cm
+ {
+ 	jas_cmpxform_t **p;
+ 	assert(n >= pxformseq->numpxforms);
+-	p = (!pxformseq->pxforms) ? jas_malloc(n * sizeof(jas_cmpxform_t *)) :
+-	  jas_realloc(pxformseq->pxforms, n * sizeof(jas_cmpxform_t *));
++	p = jas_realloc2(pxformseq->pxforms, n, sizeof(jas_cmpxform_t *));
+ 	if (!p) {
+ 		return -1;
+ 	}
+@@ -889,13 +888,13 @@ static int jas_cmshapmatlut_set(jas_cmsh
+ 	jas_cmshapmatlut_cleanup(lut);
+ 	if (curv->numents == 0) {
+ 		lut->size = 2;
+-		if (!(lut->data = jas_malloc(lut->size * sizeof(jas_cmreal_t))))
++		if (!(lut->data = jas_alloc2(lut->size, sizeof(jas_cmreal_t))))
+ 			goto error;
+ 		lut->data[0] = 0.0;
+ 		lut->data[1] = 1.0;
+ 	} else if (curv->numents == 1) {
+ 		lut->size = 256;
+-		if (!(lut->data = jas_malloc(lut->size * sizeof(jas_cmreal_t))))
++		if (!(lut->data = jas_alloc2(lut->size, sizeof(jas_cmreal_t))))
+ 			goto error;
+ 		gamma = curv->ents[0] / 256.0;
+ 		for (i = 0; i < lut->size; ++i) {
+@@ -903,7 +902,7 @@ static int jas_cmshapmatlut_set(jas_cmsh
+ 		}
+ 	} else {
+ 		lut->size = curv->numents;
+-		if (!(lut->data = jas_malloc(lut->size * sizeof(jas_cmreal_t))))
++		if (!(lut->data = jas_alloc2(lut->size, sizeof(jas_cmreal_t))))
+ 			goto error;
+ 		for (i = 0; i < lut->size; ++i) {
+ 			lut->data[i] = curv->ents[i] / 65535.0;
+@@ -953,7 +952,7 @@ static int jas_cmshapmatlut_invert(jas_c
+ 			return -1;
+ 		}
+ 	}
+-	if (!(invlut->data = jas_malloc(n * sizeof(jas_cmreal_t))))
++	if (!(invlut->data = jas_alloc2(n, sizeof(jas_cmreal_t))))
+ 		return -1;
+ 	invlut->size = n;
+ 	for (i = 0; i < invlut->size; ++i) {
+diff -pruN jasper-1.900.1.orig/src/libjasper/base/jas_icc.c jasper-1.900.1/src/libjasper/base/jas_icc.c
+--- jasper-1.900.1.orig/src/libjasper/base/jas_icc.c	2007-01-19 22:43:05.000000000 +0100
++++ jasper-1.900.1/src/libjasper/base/jas_icc.c	2009-10-22 10:27:45.000000000 +0200
+@@ -373,7 +373,7 @@ int jas_iccprof_save(jas_iccprof_t *prof
+ 	jas_icctagtab_t *tagtab;
+ 
+ 	tagtab = &prof->tagtab;
+-	if (!(tagtab->ents = jas_malloc(prof->attrtab->numattrs *
++	if (!(tagtab->ents = jas_alloc2(prof->attrtab->numattrs,
+ 	  sizeof(jas_icctagtabent_t))))
+ 		goto error;
+ 	tagtab->numents = prof->attrtab->numattrs;
+@@ -522,7 +522,7 @@ static int jas_iccprof_gettagtab(jas_str
+ 	}
+ 	if (jas_iccgetuint32(in, &tagtab->numents))
+ 		goto error;
+-	if (!(tagtab->ents = jas_malloc(tagtab->numents *
++	if (!(tagtab->ents = jas_alloc2(tagtab->numents,
+ 	  sizeof(jas_icctagtabent_t))))
+ 		goto error;
+ 	tagtabent = tagtab->ents;
+@@ -743,8 +743,7 @@ static int jas_iccattrtab_resize(jas_icc
+ {
+ 	jas_iccattr_t *newattrs;
+ 	assert(maxents >= tab->numattrs);
+-	newattrs = tab->attrs ? jas_realloc(tab->attrs, maxents *
+-	  sizeof(jas_iccattr_t)) : jas_malloc(maxents * sizeof(jas_iccattr_t));
++	newattrs = jas_realloc2(tab->attrs, maxents, sizeof(jas_iccattr_t));
+ 	if (!newattrs)
+ 		return -1;
+ 	tab->attrs = newattrs;
+@@ -999,7 +998,7 @@ static int jas_icccurv_input(jas_iccattr
+ 
+ 	if (jas_iccgetuint32(in, &curv->numents))
+ 		goto error;
+-	if (!(curv->ents = jas_malloc(curv->numents * sizeof(jas_iccuint16_t))))
++	if (!(curv->ents = jas_alloc2(curv->numents, sizeof(jas_iccuint16_t))))
+ 		goto error;
+ 	for (i = 0; i < curv->numents; ++i) {
+ 		if (jas_iccgetuint16(in, &curv->ents[i]))
+@@ -1100,7 +1099,7 @@ static int jas_icctxtdesc_input(jas_icca
+ 	if (jas_iccgetuint32(in, &txtdesc->uclangcode) ||
+ 	  jas_iccgetuint32(in, &txtdesc->uclen))
+ 		goto error;
+-	if (!(txtdesc->ucdata = jas_malloc(txtdesc->uclen * 2)))
++	if (!(txtdesc->ucdata = jas_alloc2(txtdesc->uclen, 2)))
+ 		goto error;
+ 	if (jas_stream_read(in, txtdesc->ucdata, txtdesc->uclen * 2) !=
+ 	  JAS_CAST(int, txtdesc->uclen * 2))
+@@ -1292,17 +1291,17 @@ static int jas_icclut8_input(jas_iccattr
+ 	  jas_iccgetuint16(in, &lut8->numouttabents))
+ 		goto error;
+ 	clutsize = jas_iccpowi(lut8->clutlen, lut8->numinchans) * lut8->numoutchans;
+-	if (!(lut8->clut = jas_malloc(clutsize * sizeof(jas_iccuint8_t))) ||
+-	  !(lut8->intabsbuf = jas_malloc(lut8->numinchans *
+-	  lut8->numintabents * sizeof(jas_iccuint8_t))) ||
+-	  !(lut8->intabs = jas_malloc(lut8->numinchans *
++	if (!(lut8->clut = jas_alloc2(clutsize, sizeof(jas_iccuint8_t))) ||
++	  !(lut8->intabsbuf = jas_alloc3(lut8->numinchans,
++	  lut8->numintabents, sizeof(jas_iccuint8_t))) ||
++	  !(lut8->intabs = jas_alloc2(lut8->numinchans,
+ 	  sizeof(jas_iccuint8_t *))))
+ 		goto error;
+ 	for (i = 0; i < lut8->numinchans; ++i)
+ 		lut8->intabs[i] = &lut8->intabsbuf[i * lut8->numintabents];
+-	if (!(lut8->outtabsbuf = jas_malloc(lut8->numoutchans *
+-	  lut8->numouttabents * sizeof(jas_iccuint8_t))) ||
+-	  !(lut8->outtabs = jas_malloc(lut8->numoutchans *
++	if (!(lut8->outtabsbuf = jas_alloc3(lut8->numoutchans,
++	  lut8->numouttabents, sizeof(jas_iccuint8_t))) ||
++	  !(lut8->outtabs = jas_alloc2(lut8->numoutchans,
+ 	  sizeof(jas_iccuint8_t *))))
+ 		goto error;
+ 	for (i = 0; i < lut8->numoutchans; ++i)
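Review bot: `clutsize` is computed as `jas_iccpowi(lut8->clutlen, lut8->numinchans) * lut8->numoutchans` before it reaches `jas_alloc2()`, so the new check only covers `clutsize * sizeof(jas_iccuint8_t)` and cannot see a wrap in the earlier product. The same shape remains in jas_icclut16_input (`clutsize`), jas_matrix_create (`numrows * numcols`), jp2_pclr_getdata (`lutsize`) and jpc_dec_process_siz (`numtiles`). At least some of these fields are read from the input stream in the visible lines, but their declared widths are outside the hunks, so how easily the products wrap needs confirming. Suggest testing each product before the assignment, for example keeping the jas_iccpowi result in a local and taking the error path when it exceeds `SIZE_MAX / lut8->numoutchans` (for a non-zero divisor). Where two plain factors are multiplied, `jas_alloc3(pclr->numlutents, pclr->numchans, sizeof(int_fast32_t))` covers the allocation directly.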
+@@ -1461,17 +1460,17 @@ static int jas_icclut16_input(jas_iccatt
+ 	  jas_iccgetuint16(in, &lut16->numouttabents))
+ 		goto error;
+ 	clutsize = jas_iccpowi(lut16->clutlen, lut16->numinchans) * lut16->numoutchans;
+-	if (!(lut16->clut = jas_malloc(clutsize * sizeof(jas_iccuint16_t))) ||
+-	  !(lut16->intabsbuf = jas_malloc(lut16->numinchans *
+-	  lut16->numintabents * sizeof(jas_iccuint16_t))) ||
+-	  !(lut16->intabs = jas_malloc(lut16->numinchans *
++	if (!(lut16->clut = jas_alloc2(clutsize, sizeof(jas_iccuint16_t))) ||
++	  !(lut16->intabsbuf = jas_alloc3(lut16->numinchans,
++	  lut16->numintabents, sizeof(jas_iccuint16_t))) ||
++	  !(lut16->intabs = jas_alloc2(lut16->numinchans,
+ 	  sizeof(jas_iccuint16_t *))))
+ 		goto error;
+ 	for (i = 0; i < lut16->numinchans; ++i)
+ 		lut16->intabs[i] = &lut16->intabsbuf[i * lut16->numintabents];
+-	if (!(lut16->outtabsbuf = jas_malloc(lut16->numoutchans *
+-	  lut16->numouttabents * sizeof(jas_iccuint16_t))) ||
+-	  !(lut16->outtabs = jas_malloc(lut16->numoutchans *
++	if (!(lut16->outtabsbuf = jas_alloc3(lut16->numoutchans,
++	  lut16->numouttabents, sizeof(jas_iccuint16_t))) ||
++	  !(lut16->outtabs = jas_alloc2(lut16->numoutchans,
+ 	  sizeof(jas_iccuint16_t *))))
+ 		goto error;
+ 	for (i = 0; i < lut16->numoutchans; ++i)
+diff -pruN jasper-1.900.1.orig/src/libjasper/base/jas_image.c jasper-1.900.1/src/libjasper/base/jas_image.c
+--- jasper-1.900.1.orig/src/libjasper/base/jas_image.c	2007-01-19 22:43:05.000000000 +0100
++++ jasper-1.900.1/src/libjasper/base/jas_image.c	2009-10-22 10:27:45.000000000 +0200
+@@ -142,7 +142,7 @@ jas_image_t *jas_image_create(int numcmp
+ 	image->inmem_ = true;
+ 
+ 	/* Allocate memory for the per-component information. */
+-	if (!(image->cmpts_ = jas_malloc(image->maxcmpts_ *
++	if (!(image->cmpts_ = jas_alloc2(image->maxcmpts_,
+ 	  sizeof(jas_image_cmpt_t *)))) {
+ 		jas_image_destroy(image);
+ 		return 0;
+@@ -774,8 +774,7 @@ static int jas_image_growcmpts(jas_image
+ 	jas_image_cmpt_t **newcmpts;
+ 	int cmptno;
+ 
+-	newcmpts = (!image->cmpts_) ? jas_malloc(maxcmpts * sizeof(jas_image_cmpt_t *)) :
+-	  jas_realloc(image->cmpts_, maxcmpts * sizeof(jas_image_cmpt_t *));
++	newcmpts = jas_realloc2(image->cmpts_, maxcmpts, sizeof(jas_image_cmpt_t *));
+ 	if (!newcmpts) {
+ 		return -1;
+ 	}
+diff -pruN jasper-1.900.1.orig/src/libjasper/base/jas_malloc.c jasper-1.900.1/src/libjasper/base/jas_malloc.c
+--- jasper-1.900.1.orig/src/libjasper/base/jas_malloc.c	2007-01-19 22:43:05.000000000 +0100
++++ jasper-1.900.1/src/libjasper/base/jas_malloc.c	2009-10-22 10:27:45.000000000 +0200
+@@ -76,6 +76,9 @@
+ 
+ /* We need the prototype for memset. */
+ #include <string.h>
++#include <limits.h>
++#include <errno.h>
++#include <stdint.h>
+ 
+ #include "jasper/jas_malloc.h"
+ 
+@@ -113,18 +116,50 @@ void jas_free(void *ptr)
+ 
+ void *jas_realloc(void *ptr, size_t size)
+ {
+-	return realloc(ptr, size);
++	return ptr ? realloc(ptr, size) : malloc(size);
+ }
+ 
+-void *jas_calloc(size_t nmemb, size_t size)
++void *jas_realloc2(void *ptr, size_t nmemb, size_t size)
++{
++	if (!ptr)
++		return jas_alloc2(nmemb, size);
++	if (nmemb && SIZE_MAX / nmemb < size) {
++		errno = ENOMEM;
++		return NULL;
++	}
++	return jas_realloc(ptr, nmemb * size);
++
++}
++
++void *jas_alloc2(size_t nmemb, size_t size)
++{
++	if (nmemb && SIZE_MAX / nmemb < size) {
++		errno = ENOMEM;
++		return NULL;
++	}
++
++	return jas_malloc(nmemb * size);
++}
++
++void *jas_alloc3(size_t a, size_t b, size_t c)
+ {
+-	void *ptr;
+ 	size_t n;
+-	n = nmemb * size;
+-	if (!(ptr = jas_malloc(n * sizeof(char)))) {
+-		return 0;
++
++	if (a && SIZE_MAX / a < b) {
++		errno = ENOMEM;
++		return NULL;
+ 	}
+-	memset(ptr, 0, n);
++
++	return jas_alloc2(a*b, c);
++}
++
++void *jas_calloc(size_t nmemb, size_t size)
++{
++	void *ptr;
++
++	ptr = jas_alloc2(nmemb, size);
++	if (ptr)
++		memset(ptr, 0, nmemb*size);
+ 	return ptr;
+ }
+ 
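Review bot: jas_realloc2 forwards a zero product to `realloc()` when `nmemb` or `size` is 0 and `ptr` is non-NULL; `realloc(ptr, 0)` is implementation-defined, and some libcs free the block and return NULL. The callers converted in this patch treat NULL as failure and keep the old pointer (`if (!p) return -1;` in jas_cmpxformseq_resize), which would then be dangling. Whether a zero count can reach those callers is not visible here, but the wrapper is the natural place to settle it, e.g. `if (!nmemb || !size) { errno = EINVAL; return NULL; }` after the `!ptr` branch. Separately, the retained `size_t n;` in jas_alloc3 is now unused and can be dropped.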
+diff -pruN jasper-1.900.1.orig/src/libjasper/base/jas_seq.c jasper-1.900.1/src/libjasper/base/jas_seq.c
+--- jasper-1.900.1.orig/src/libjasper/base/jas_seq.c	2007-01-19 22:43:05.000000000 +0100
++++ jasper-1.900.1/src/libjasper/base/jas_seq.c	2009-10-22 10:27:45.000000000 +0200
+@@ -114,7 +114,7 @@ jas_matrix_t *jas_matrix_create(int numr
+ 	matrix->datasize_ = numrows * numcols;
+ 
+ 	if (matrix->maxrows_ > 0) {
+-		if (!(matrix->rows_ = jas_malloc(matrix->maxrows_ *
++		if (!(matrix->rows_ = jas_alloc2(matrix->maxrows_,
+ 		  sizeof(jas_seqent_t *)))) {
+ 			jas_matrix_destroy(matrix);
+ 			return 0;
+@@ -122,7 +122,7 @@ jas_matrix_t *jas_matrix_create(int numr
+ 	}
+ 
+ 	if (matrix->datasize_ > 0) {
+-		if (!(matrix->data_ = jas_malloc(matrix->datasize_ *
++		if (!(matrix->data_ = jas_alloc2(matrix->datasize_,
+ 		  sizeof(jas_seqent_t)))) {
+ 			jas_matrix_destroy(matrix);
+ 			return 0;
+@@ -220,7 +220,7 @@ void jas_matrix_bindsub(jas_matrix_t *ma
+ 	mat0->numrows_ = r1 - r0 + 1;
+ 	mat0->numcols_ = c1 - c0 + 1;
+ 	mat0->maxrows_ = mat0->numrows_;
+-	mat0->rows_ = jas_malloc(mat0->maxrows_ * sizeof(jas_seqent_t *));
++	mat0->rows_ = jas_alloc2(mat0->maxrows_, sizeof(jas_seqent_t *));
+ 	for (i = 0; i < mat0->numrows_; ++i) {
+ 		mat0->rows_[i] = mat1->rows_[r0 + i] + c0;
+ 	}
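Review bot: `mat0->rows_` is written in the loop right after `jas_alloc2()` with no NULL test, and jas_alloc2 now also returns NULL when the size product would overflow, so the failure case is a NULL dereference. The same unchecked pattern is in jp2_decode (`lutents`), the CDEF code in jp2_enc.c (`cdef->ents`) and the CRG code in jpc_enc.c (`crg->comps`). jpc_qcx_getcompparms, jpc_dec_process_sot and the SIZ code in jpc_enc.c test the result only with `assert()`, which is compiled out under NDEBUG. Where the function already has an error path the check is one line, e.g. `if (!lutents) goto error;` in jp2_decode. jas_matrix_bindsub returns void according to the hunk header and its body starts outside the hunk, so it needs a signature change or another failure signal.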
+diff -pruN jasper-1.900.1.orig/src/libjasper/base/jas_stream.c jasper-1.900.1/src/libjasper/base/jas_stream.c
+--- jasper-1.900.1.orig/src/libjasper/base/jas_stream.c	2007-01-19 22:43:05.000000000 +0100
++++ jasper-1.900.1/src/libjasper/base/jas_stream.c	2009-10-22 10:27:45.000000000 +0200
+@@ -212,7 +212,7 @@ jas_stream_t *jas_stream_memopen(char *b
+ 	if (buf) {
+ 		obj->buf_ = (unsigned char *) buf;
+ 	} else {
+-		obj->buf_ = jas_malloc(obj->bufsize_ * sizeof(char));
++		obj->buf_ = jas_malloc(obj->bufsize_);
+ 		obj->myalloc_ = 1;
+ 	}
+ 	if (!obj->buf_) {
+@@ -992,7 +992,7 @@ static int mem_resize(jas_stream_memobj_
+ 	unsigned char *buf;
+ 
+ 	assert(m->buf_);
+-	if (!(buf = jas_realloc(m->buf_, bufsize * sizeof(unsigned char)))) {
++	if (!(buf = jas_realloc(m->buf_, bufsize))) {
+ 		return -1;
+ 	}
+ 	m->buf_ = buf;
+diff -pruN jasper-1.900.1.orig/src/libjasper/bmp/bmp_dec.c jasper-1.900.1/src/libjasper/bmp/bmp_dec.c
+--- jasper-1.900.1.orig/src/libjasper/bmp/bmp_dec.c	2007-01-19 22:43:07.000000000 +0100
++++ jasper-1.900.1/src/libjasper/bmp/bmp_dec.c	2009-10-22 10:27:45.000000000 +0200
+@@ -283,7 +283,7 @@ static bmp_info_t *bmp_getinfo(jas_strea
+ 	}
+ 
+ 	if (info->numcolors > 0) {
+-		if (!(info->palents = jas_malloc(info->numcolors *
++		if (!(info->palents = jas_alloc2(info->numcolors,
+ 		  sizeof(bmp_palent_t)))) {
+ 			bmp_info_destroy(info);
+ 			return 0;
+diff -pruN jasper-1.900.1.orig/src/libjasper/include/jasper/jas_malloc.h jasper-1.900.1/src/libjasper/include/jasper/jas_malloc.h
+--- jasper-1.900.1.orig/src/libjasper/include/jasper/jas_malloc.h	2007-01-19 22:43:04.000000000 +0100
++++ jasper-1.900.1/src/libjasper/include/jasper/jas_malloc.h	2009-10-22 10:27:45.000000000 +0200
+@@ -95,6 +95,9 @@ extern "C" {
+ #define	jas_free	MEMFREE
+ #define	jas_realloc	MEMREALLOC
+ #define	jas_calloc	MEMCALLOC
++#define jas_alloc2(a, b)	MEMALLOC((a)*(b))
++#define jas_alloc3(a, b, c)	MEMALLOC((a)*(b)*(c))
++#define jas_realloc2(p, a, b)	MEMREALLOC((p), (a)*(b))
+ #endif
+ 
+ /******************************************************************************\
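Review bot: In this macro branch `jas_alloc2`, `jas_alloc3` and `jas_realloc2` expand to a plain `(a)*(b)` product handed to `MEMALLOC`/`MEMREALLOC`, so a build that takes this branch gets none of the overflow checks the patch adds in jas_malloc.c. The `#if` that selects the branch is outside the hunk, so which configurations are affected needs confirming. One option is to leave the three new names out of the macro list so the checked functions are always compiled and used. Another is to give this branch small inline helpers that apply the same `SIZE_MAX / nmemb < size` test before calling the vendor allocator.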
+@@ -115,6 +118,12 @@ void *jas_realloc(void *ptr, size_t size
+ /* Allocate a block of memory and initialize the contents to zero. */
+ void *jas_calloc(size_t nmemb, size_t size);
+ 
++/* size-checked double allocation .*/
++void *jas_alloc2(size_t, size_t);
++
++void *jas_alloc3(size_t, size_t, size_t);
++
++void *jas_realloc2(void *, size_t, size_t);
+ #endif
+ 
+ #ifdef __cplusplus
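Review bot: The comment `/* size-checked double allocation .*/` sits above jas_alloc2 only and does not state the failure contract for any of the three new prototypes. Suggest one comment per function, for example `/* Allocate nmemb * size bytes; returns NULL with errno set to ENOMEM if the product overflows size_t. */` above jas_alloc2, with matching lines for jas_alloc3 (three factors) and jas_realloc2 (resize; behaves like jas_alloc2 when the pointer is NULL). Naming the parameters in the prototypes, as the jas_calloc declaration above does with `nmemb` and `size`, would also make the argument order clear at call sites.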
+diff -pruN jasper-1.900.1.orig/src/libjasper/jp2/jp2_cod.c jasper-1.900.1/src/libjasper/jp2/jp2_cod.c
+--- jasper-1.900.1.orig/src/libjasper/jp2/jp2_cod.c	2007-01-19 22:43:05.000000000 +0100
++++ jasper-1.900.1/src/libjasper/jp2/jp2_cod.c	2009-10-22 10:30:24.000000000 +0200
+@@ -247,7 +247,7 @@ jp2_box_t *jp2_box_get(jas_stream_t *in)
+ 	box = 0;
+ 	tmpstream = 0;
+ 
+-	if (!(box = jas_malloc(sizeof(jp2_box_t)))) {
++	if (!(box = jas_calloc(1, sizeof(jp2_box_t)))) {
+ 		goto error;
+ 	}
+ 	box->ops = &jp2_boxinfo_unk.ops;
+@@ -372,7 +372,7 @@ static int jp2_bpcc_getdata(jp2_box_t *b
+ 	jp2_bpcc_t *bpcc = &box->data.bpcc;
+ 	unsigned int i;
+ 	bpcc->numcmpts = box->datalen;
+-	if (!(bpcc->bpcs = jas_malloc(bpcc->numcmpts * sizeof(uint_fast8_t)))) {
++	if (!(bpcc->bpcs = jas_alloc2(bpcc->numcmpts, sizeof(uint_fast8_t)))) {
+ 		return -1;
+ 	}
+ 	for (i = 0; i < bpcc->numcmpts; ++i) {
+@@ -416,7 +416,7 @@ static int jp2_colr_getdata(jp2_box_t *b
+ 		break;
+ 	case JP2_COLR_ICC:
+ 		colr->iccplen = box->datalen - 3;
+-		if (!(colr->iccp = jas_malloc(colr->iccplen * sizeof(uint_fast8_t)))) {
++		if (!(colr->iccp = jas_alloc2(colr->iccplen, sizeof(uint_fast8_t)))) {
+ 			return -1;
+ 		}
+ 		if (jas_stream_read(in, colr->iccp, colr->iccplen) != colr->iccplen) {
+@@ -453,7 +453,7 @@ static int jp2_cdef_getdata(jp2_box_t *b
+ 	if (jp2_getuint16(in, &cdef->numchans)) {
+ 		return -1;
+ 	}
+-	if (!(cdef->ents = jas_malloc(cdef->numchans * sizeof(jp2_cdefchan_t)))) {
++	if (!(cdef->ents = jas_alloc2(cdef->numchans, sizeof(jp2_cdefchan_t)))) {
+ 		return -1;
+ 	}
+ 	for (channo = 0; channo < cdef->numchans; ++channo) {
+@@ -766,7 +766,7 @@ static int jp2_cmap_getdata(jp2_box_t *b
+ 	unsigned int i;
+ 
+ 	cmap->numchans = (box->datalen) / 4;
+-	if (!(cmap->ents = jas_malloc(cmap->numchans * sizeof(jp2_cmapent_t)))) {
++	if (!(cmap->ents = jas_alloc2(cmap->numchans, sizeof(jp2_cmapent_t)))) {
+ 		return -1;
+ 	}
+ 	for (i = 0; i < cmap->numchans; ++i) {
+@@ -828,10 +828,10 @@ static int jp2_pclr_getdata(jp2_box_t *b
+ 		return -1;
+ 	}
+ 	lutsize = pclr->numlutents * pclr->numchans;
+-	if (!(pclr->lutdata = jas_malloc(lutsize * sizeof(int_fast32_t)))) {
++	if (!(pclr->lutdata = jas_alloc2(lutsize, sizeof(int_fast32_t)))) {
+ 		return -1;
+ 	}
+-	if (!(pclr->bpc = jas_malloc(pclr->numchans * sizeof(uint_fast8_t)))) {
++	if (!(pclr->bpc = jas_alloc2(pclr->numchans, sizeof(uint_fast8_t)))) {
+ 		return -1;
+ 	}
+ 	for (i = 0; i < pclr->numchans; ++i) {
+diff -pruN jasper-1.900.1.orig/src/libjasper/jp2/jp2_dec.c jasper-1.900.1/src/libjasper/jp2/jp2_dec.c
+--- jasper-1.900.1.orig/src/libjasper/jp2/jp2_dec.c	2007-01-19 22:43:05.000000000 +0100
++++ jasper-1.900.1/src/libjasper/jp2/jp2_dec.c	2009-10-22 10:27:45.000000000 +0200
+@@ -336,7 +336,7 @@ jas_image_t *jp2_decode(jas_stream_t *in
+ 	}
+ 
+ 	/* Allocate space for the channel-number to component-number LUT. */
+-	if (!(dec->chantocmptlut = jas_malloc(dec->numchans * sizeof(uint_fast16_t)))) {
++	if (!(dec->chantocmptlut = jas_alloc2(dec->numchans, sizeof(uint_fast16_t)))) {
+ 		jas_eprintf("error: no memory\n");
+ 		goto error;
+ 	}
+@@ -354,7 +354,7 @@ jas_image_t *jp2_decode(jas_stream_t *in
+ 			if (cmapent->map == JP2_CMAP_DIRECT) {
+ 				dec->chantocmptlut[channo] = channo;
+ 			} else if (cmapent->map == JP2_CMAP_PALETTE) {
+-				lutents = jas_malloc(pclrd->numlutents * sizeof(int_fast32_t));
++				lutents = jas_alloc2(pclrd->numlutents, sizeof(int_fast32_t));
+ 				for (i = 0; i < pclrd->numlutents; ++i) {
+ 					lutents[i] = pclrd->lutdata[cmapent->pcol + i * pclrd->numchans];
+ 				}
+diff -pruN jasper-1.900.1.orig/src/libjasper/jp2/jp2_enc.c jasper-1.900.1/src/libjasper/jp2/jp2_enc.c
+--- jasper-1.900.1.orig/src/libjasper/jp2/jp2_enc.c	2007-01-19 22:43:05.000000000 +0100
++++ jasper-1.900.1/src/libjasper/jp2/jp2_enc.c	2009-10-22 10:27:45.000000000 +0200
+@@ -191,7 +191,7 @@ int sgnd;
+ 		}
+ 		bpcc = &box->data.bpcc;
+ 		bpcc->numcmpts = jas_image_numcmpts(image);
+-		if (!(bpcc->bpcs = jas_malloc(bpcc->numcmpts *
++		if (!(bpcc->bpcs = jas_alloc2(bpcc->numcmpts,
+ 		  sizeof(uint_fast8_t)))) {
+ 			goto error;
+ 		}
+@@ -285,7 +285,7 @@ int sgnd;
+ 		}
+ 		cdef = &box->data.cdef;
+ 		cdef->numchans = jas_image_numcmpts(image);
+-		cdef->ents = jas_malloc(cdef->numchans * sizeof(jp2_cdefchan_t));
++		cdef->ents = jas_alloc2(cdef->numchans, sizeof(jp2_cdefchan_t));
+ 		for (i = 0; i < jas_image_numcmpts(image); ++i) {
+ 			cdefchanent = &cdef->ents[i];
+ 			cdefchanent->channo = i;
+diff -pruN jasper-1.900.1.orig/src/libjasper/jpc/jpc_cs.c jasper-1.900.1/src/libjasper/jpc/jpc_cs.c
+--- jasper-1.900.1.orig/src/libjasper/jpc/jpc_cs.c	2009-10-22 09:58:16.000000000 +0200
++++ jasper-1.900.1/src/libjasper/jpc/jpc_cs.c	2009-10-22 10:27:45.000000000 +0200
+@@ -502,7 +502,7 @@ static int jpc_siz_getparms(jpc_ms_t *ms
+ 	  !siz->tileheight || !siz->numcomps) {
+ 		return -1;
+ 	}
+-	if (!(siz->comps = jas_malloc(siz->numcomps * sizeof(jpc_sizcomp_t)))) {
++	if (!(siz->comps = jas_alloc2(siz->numcomps, sizeof(jpc_sizcomp_t)))) {
+ 		return -1;
+ 	}
+ 	for (i = 0; i < siz->numcomps; ++i) {
+@@ -986,7 +986,7 @@ static int jpc_qcx_getcompparms(jpc_qcxc
+ 		jpc_qcx_destroycompparms(compparms);
+                 return -1;
+         } else if (compparms->numstepsizes > 0) {
+-		compparms->stepsizes = jas_malloc(compparms->numstepsizes *
++		compparms->stepsizes = jas_alloc2(compparms->numstepsizes,
+ 		  sizeof(uint_fast16_t));
+ 		assert(compparms->stepsizes);
+ 		for (i = 0; i < compparms->numstepsizes; ++i) {
+@@ -1094,7 +1094,7 @@ static int jpc_ppm_getparms(jpc_ms_t *ms
+ 
+ 	ppm->len = ms->len - 1;
+ 	if (ppm->len > 0) {
+-		if (!(ppm->data = jas_malloc(ppm->len * sizeof(unsigned char)))) {
++		if (!(ppm->data = jas_malloc(ppm->len))) {
+ 			goto error;
+ 		}
+ 		if (JAS_CAST(uint, jas_stream_read(in, ppm->data, ppm->len)) != ppm->len) {
+@@ -1163,7 +1163,7 @@ static int jpc_ppt_getparms(jpc_ms_t *ms
+ 	}
+ 	ppt->len = ms->len - 1;
+ 	if (ppt->len > 0) {
+-		if (!(ppt->data = jas_malloc(ppt->len * sizeof(unsigned char)))) {
++		if (!(ppt->data = jas_malloc(ppt->len))) {
+ 			goto error;
+ 		}
+ 		if (jas_stream_read(in, (char *) ppt->data, ppt->len) != JAS_CAST(int, ppt->len)) {
+@@ -1226,7 +1226,7 @@ static int jpc_poc_getparms(jpc_ms_t *ms
+ 	uint_fast8_t tmp;
+ 	poc->numpchgs = (cstate->numcomps > 256) ? (ms->len / 9) :
+ 	  (ms->len / 7);
+-	if (!(poc->pchgs = jas_malloc(poc->numpchgs * sizeof(jpc_pocpchg_t)))) {
++	if (!(poc->pchgs = jas_alloc2(poc->numpchgs, sizeof(jpc_pocpchg_t)))) {
+ 		goto error;
+ 	}
+ 	for (pchgno = 0, pchg = poc->pchgs; pchgno < poc->numpchgs; ++pchgno,
+@@ -1331,7 +1331,7 @@ static int jpc_crg_getparms(jpc_ms_t *ms
+ 	jpc_crgcomp_t *comp;
+ 	uint_fast16_t compno;
+ 	crg->numcomps = cstate->numcomps;
+-	if (!(crg->comps = jas_malloc(cstate->numcomps * sizeof(uint_fast16_t)))) {
++	if (!(crg->comps = jas_alloc2(cstate->numcomps, sizeof(uint_fast16_t)))) {
+ 		return -1;
+ 	}
+ 	for (compno = 0, comp = crg->comps; compno < cstate->numcomps;
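Review bot: The element size passed here is `sizeof(uint_fast16_t)`, but the array is walked through `jpc_crgcomp_t *comp` in the loop that follows, and the encoder side of this same patch allocates `crg->comps` with `sizeof(jpc_crgcomp_t)`. If jpc_crgcomp_t is larger than one uint_fast16_t (its definition is outside the hunk), the buffer is under-allocated and the loop, which presumably fills one entry per component, would run past it. Suggest `jas_alloc2(cstate->numcomps, sizeof(jpc_crgcomp_t))`, or `sizeof(*crg->comps)` so the size follows the pointer type. The loop body continues outside the hunk.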
+@@ -1470,7 +1470,7 @@ static int jpc_unk_getparms(jpc_ms_t *ms
+ 	cstate = 0;
+ 
+ 	if (ms->len > 0) {
+-		if (!(unk->data = jas_malloc(ms->len * sizeof(unsigned char)))) {
++		if (!(unk->data = jas_malloc(ms->len))) {
+ 			return -1;
+ 		}
+ 		if (jas_stream_read(in, (char *) unk->data, ms->len) != JAS_CAST(int, ms->len)) {
+diff -pruN jasper-1.900.1.orig/src/libjasper/jpc/jpc_dec.c jasper-1.900.1/src/libjasper/jpc/jpc_dec.c
+--- jasper-1.900.1.orig/src/libjasper/jpc/jpc_dec.c	2009-10-22 09:58:16.000000000 +0200
++++ jasper-1.900.1/src/libjasper/jpc/jpc_dec.c	2009-10-22 10:30:50.000000000 +0200
+@@ -449,7 +449,7 @@ static int jpc_dec_process_sot(jpc_dec_t
+ 
+ 	if (dec->state == JPC_MH) {
+ 
+-		compinfos = jas_malloc(dec->numcomps * sizeof(jas_image_cmptparm_t));
++		compinfos = jas_alloc2(dec->numcomps, sizeof(jas_image_cmptparm_t));
+ 		assert(compinfos);
+ 		for (cmptno = 0, cmpt = dec->cmpts, compinfo = compinfos;
+ 		  cmptno < dec->numcomps; ++cmptno, ++cmpt, ++compinfo) {
+@@ -692,7 +692,7 @@ static int jpc_dec_tileinit(jpc_dec_t *d
+ 			tile->realmode = 1;
+ 		}
+ 		tcomp->numrlvls = ccp->numrlvls;
+-		if (!(tcomp->rlvls = jas_malloc(tcomp->numrlvls *
++		if (!(tcomp->rlvls = jas_alloc2(tcomp->numrlvls,
+ 		  sizeof(jpc_dec_rlvl_t)))) {
+ 			return -1;
+ 		}
+@@ -764,7 +764,7 @@ rlvl->bands = 0;
+ 			  rlvl->cbgheightexpn);
+ 
+ 			rlvl->numbands = (!rlvlno) ? 1 : 3;
+-			if (!(rlvl->bands = jas_malloc(rlvl->numbands *
++			if (!(rlvl->bands = jas_alloc2(rlvl->numbands,
+ 			  sizeof(jpc_dec_band_t)))) {
+ 				return -1;
+ 			}
+@@ -797,7 +797,7 @@ rlvl->bands = 0;
+ 
+ 				assert(rlvl->numprcs);
+ 
+-				if (!(band->prcs = jas_malloc(rlvl->numprcs * sizeof(jpc_dec_prc_t)))) {
++				if (!(band->prcs = jas_alloc2(rlvl->numprcs, sizeof(jpc_dec_prc_t)))) {
+ 					return -1;
+ 				}
+ 
+@@ -834,7 +834,7 @@ rlvl->bands = 0;
+ 			if (!(prc->numimsbstagtree = jpc_tagtree_create(prc->numhcblks, prc->numvcblks))) {
+ 				return -1;
+ 			}
+-			if (!(prc->cblks = jas_malloc(prc->numcblks * sizeof(jpc_dec_cblk_t)))) {
++			if (!(prc->cblks = jas_alloc2(prc->numcblks, sizeof(jpc_dec_cblk_t)))) {
+ 				return -1;
+ 			}
+ 
+@@ -1181,7 +1181,7 @@ static int jpc_dec_process_siz(jpc_dec_t
+ 		return -1;
+ 	}
+ 
+-	if (!(dec->cmpts = jas_malloc(dec->numcomps * sizeof(jpc_dec_cmpt_t)))) {
++	if (!(dec->cmpts = jas_alloc2(dec->numcomps, sizeof(jpc_dec_cmpt_t)))) {
+ 		return -1;
+ 	}
+ 
+@@ -1204,7 +1204,7 @@ static int jpc_dec_process_siz(jpc_dec_t
+ 	dec->numhtiles = JPC_CEILDIV(dec->xend - dec->tilexoff, dec->tilewidth);
+ 	dec->numvtiles = JPC_CEILDIV(dec->yend - dec->tileyoff, dec->tileheight);
+ 	dec->numtiles = dec->numhtiles * dec->numvtiles;
+-	if (!(dec->tiles = jas_malloc(dec->numtiles * sizeof(jpc_dec_tile_t)))) {
++	if (!(dec->tiles = jas_calloc(dec->numtiles, sizeof(jpc_dec_tile_t)))) {
+ 		return -1;
+ 	}
+ 
+@@ -1228,7 +1228,7 @@ static int jpc_dec_process_siz(jpc_dec_t
+ 		tile->pkthdrstreampos = 0;
+ 		tile->pptstab = 0;
+ 		tile->cp = 0;
+-		if (!(tile->tcomps = jas_malloc(dec->numcomps *
++		if (!(tile->tcomps = jas_calloc(dec->numcomps,
+ 		  sizeof(jpc_dec_tcomp_t)))) {
+ 			return -1;
+ 		}
+@@ -1489,7 +1489,7 @@ static jpc_dec_cp_t *jpc_dec_cp_create(u
+ 	cp->numlyrs = 0;
+ 	cp->mctid = 0;
+ 	cp->csty = 0;
+-	if (!(cp->ccps = jas_malloc(cp->numcomps * sizeof(jpc_dec_ccp_t)))) {
++	if (!(cp->ccps = jas_alloc2(cp->numcomps, sizeof(jpc_dec_ccp_t)))) {
+ 		return 0;
+ 	}
+ 	if (!(cp->pchglist = jpc_pchglist_create())) {
+@@ -2048,7 +2048,7 @@ jpc_streamlist_t *jpc_streamlist_create(
+ 	}
+ 	streamlist->numstreams = 0;
+ 	streamlist->maxstreams = 100;
+-	if (!(streamlist->streams = jas_malloc(streamlist->maxstreams *
++	if (!(streamlist->streams = jas_alloc2(streamlist->maxstreams,
+ 	  sizeof(jas_stream_t *)))) {
+ 		jas_free(streamlist);
+ 		return 0;
+@@ -2068,8 +2068,8 @@ int jpc_streamlist_insert(jpc_streamlist
+ 	/* Grow the array of streams if necessary. */
+ 	if (streamlist->numstreams >= streamlist->maxstreams) {
+ 		newmaxstreams = streamlist->maxstreams + 1024;
+-		if (!(newstreams = jas_realloc(streamlist->streams,
+-		  (newmaxstreams + 1024) * sizeof(jas_stream_t *)))) {
++		if (!(newstreams = jas_realloc2(streamlist->streams,
++		  (newmaxstreams + 1024), sizeof(jas_stream_t *)))) {
+ 			return -1;
+ 		}
+ 		for (i = streamlist->numstreams; i < streamlist->maxstreams; ++i) {
+@@ -2155,8 +2155,7 @@ int jpc_ppxstab_grow(jpc_ppxstab_t *tab,
+ {
+ 	jpc_ppxstabent_t **newents;
+ 	if (tab->maxents < maxents) {
+-		newents = (tab->ents) ? jas_realloc(tab->ents, maxents *
+-		  sizeof(jpc_ppxstabent_t *)) : jas_malloc(maxents * sizeof(jpc_ppxstabent_t *));
++		newents = jas_realloc2(tab->ents, maxents, sizeof(jpc_ppxstabent_t *));
+ 		if (!newents) {
+ 			return -1;
+ 		}
+diff -pruN jasper-1.900.1.orig/src/libjasper/jpc/jpc_enc.c jasper-1.900.1/src/libjasper/jpc/jpc_enc.c
+--- jasper-1.900.1.orig/src/libjasper/jpc/jpc_enc.c	2007-01-19 22:43:07.000000000 +0100
++++ jasper-1.900.1/src/libjasper/jpc/jpc_enc.c	2009-10-22 10:27:45.000000000 +0200
+@@ -403,7 +403,7 @@ static jpc_enc_cp_t *cp_create(char *opt
+ 		vsteplcm *= jas_image_cmptvstep(image, cmptno);
+ 	}
+ 
+-	if (!(cp->ccps = jas_malloc(cp->numcmpts * sizeof(jpc_enc_ccp_t)))) {
++	if (!(cp->ccps = jas_alloc2(cp->numcmpts, sizeof(jpc_enc_ccp_t)))) {
+ 		goto error;
+ 	}
+ 	for (cmptno = 0, ccp = cp->ccps; cmptno < JAS_CAST(int, cp->numcmpts); ++cmptno,
+@@ -656,7 +656,7 @@ static jpc_enc_cp_t *cp_create(char *opt
+ 
+ 	if (ilyrrates && numilyrrates > 0) {
+ 		tcp->numlyrs = numilyrrates + 1;
+-		if (!(tcp->ilyrrates = jas_malloc((tcp->numlyrs - 1) *
++		if (!(tcp->ilyrrates = jas_alloc2((tcp->numlyrs - 1),
+ 		  sizeof(jpc_fix_t)))) {
+ 			goto error;
+ 		}
+@@ -940,7 +940,7 @@ startoff = jas_stream_getrwcount(enc->ou
+ 	siz->tilewidth = cp->tilewidth;
+ 	siz->tileheight = cp->tileheight;
+ 	siz->numcomps = cp->numcmpts;
+-	siz->comps = jas_malloc(siz->numcomps * sizeof(jpc_sizcomp_t));
++	siz->comps = jas_alloc2(siz->numcomps, sizeof(jpc_sizcomp_t));
+ 	assert(siz->comps);
+ 	for (i = 0; i < JAS_CAST(int, cp->numcmpts); ++i) {
+ 		siz->comps[i].prec = cp->ccps[i].prec;
+@@ -977,7 +977,7 @@ startoff = jas_stream_getrwcount(enc->ou
+ 		return -1;
+ 	}
+ 	crg = &enc->mrk->parms.crg;
+-	crg->comps = jas_malloc(crg->numcomps * sizeof(jpc_crgcomp_t));
++	crg->comps = jas_alloc2(crg->numcomps, sizeof(jpc_crgcomp_t));
+ 	if (jpc_putms(enc->out, enc->cstate, enc->mrk)) {
+ 		jas_eprintf("cannot write CRG marker\n");
+ 		return -1;
+@@ -1955,7 +1955,7 @@ jpc_enc_tile_t *jpc_enc_tile_create(jpc_
+ 	tile->mctid = cp->tcp.mctid;
+ 
+ 	tile->numlyrs = cp->tcp.numlyrs;
+-	if (!(tile->lyrsizes = jas_malloc(tile->numlyrs *
++	if (!(tile->lyrsizes = jas_alloc2(tile->numlyrs,
+ 	  sizeof(uint_fast32_t)))) {
+ 		goto error;
+ 	}
+@@ -1964,7 +1964,7 @@ jpc_enc_tile_t *jpc_enc_tile_create(jpc_
+ 	}
+ 
+ 	/* Allocate an array for the per-tile-component information. */
+-	if (!(tile->tcmpts = jas_malloc(cp->numcmpts * sizeof(jpc_enc_tcmpt_t)))) {
++	if (!(tile->tcmpts = jas_alloc2(cp->numcmpts, sizeof(jpc_enc_tcmpt_t)))) {
+ 		goto error;
+ 	}
+ 	/* Initialize a few members critical for error recovery. */
+@@ -2110,7 +2110,7 @@ static jpc_enc_tcmpt_t *tcmpt_create(jpc
+ 	  jas_seq2d_ystart(tcmpt->data), jas_seq2d_xend(tcmpt->data),
+ 	  jas_seq2d_yend(tcmpt->data), bandinfos);
+ 
+-	if (!(tcmpt->rlvls = jas_malloc(tcmpt->numrlvls * sizeof(jpc_enc_rlvl_t)))) {
++	if (!(tcmpt->rlvls = jas_alloc2(tcmpt->numrlvls, sizeof(jpc_enc_rlvl_t)))) {
+ 		goto error;
+ 	}
+ 	for (rlvlno = 0, rlvl = tcmpt->rlvls; rlvlno < tcmpt->numrlvls;
+@@ -2213,7 +2213,7 @@ static jpc_enc_rlvl_t *rlvl_create(jpc_e
+ 	rlvl->numvprcs = JPC_FLOORDIVPOW2(brprcbry - tlprctly, rlvl->prcheightexpn);
+ 	rlvl->numprcs = rlvl->numhprcs * rlvl->numvprcs;
+ 
+-	if (!(rlvl->bands = jas_malloc(rlvl->numbands * sizeof(jpc_enc_band_t)))) {
++	if (!(rlvl->bands = jas_alloc2(rlvl->numbands, sizeof(jpc_enc_band_t)))) {
+ 		goto error;
+ 	}
+ 	for (bandno = 0, band = rlvl->bands; bandno < rlvl->numbands;
+@@ -2290,7 +2290,7 @@ if (bandinfo->xstart != bandinfo->xend &
+ 	band->synweight = bandinfo->synenergywt;
+ 
+ if (band->data) {
+-	if (!(band->prcs = jas_malloc(rlvl->numprcs * sizeof(jpc_enc_prc_t)))) {
++	if (!(band->prcs = jas_alloc2(rlvl->numprcs, sizeof(jpc_enc_prc_t)))) {
+ 		goto error;
+ 	}
+ 	for (prcno = 0, prc = band->prcs; prcno < rlvl->numprcs; ++prcno,
+@@ -2422,7 +2422,7 @@ if (!rlvlno) {
+ 			goto error;
+ 		}
+ 
+-		if (!(prc->cblks = jas_malloc(prc->numcblks * sizeof(jpc_enc_cblk_t)))) {
++		if (!(prc->cblks = jas_alloc2(prc->numcblks, sizeof(jpc_enc_cblk_t)))) {
+ 			goto error;
+ 		}
+ 		for (cblkno = 0, cblk = prc->cblks; cblkno < prc->numcblks;
+diff -pruN jasper-1.900.1.orig/src/libjasper/jpc/jpc_mqdec.c jasper-1.900.1/src/libjasper/jpc/jpc_mqdec.c
+--- jasper-1.900.1.orig/src/libjasper/jpc/jpc_mqdec.c	2007-01-19 22:43:07.000000000 +0100
++++ jasper-1.900.1/src/libjasper/jpc/jpc_mqdec.c	2009-10-22 10:27:45.000000000 +0200
+@@ -118,7 +118,7 @@ jpc_mqdec_t *jpc_mqdec_create(int maxctx
+ 	mqdec->in = in;
+ 	mqdec->maxctxs = maxctxs;
+ 	/* Allocate memory for the per-context state information. */
+-	if (!(mqdec->ctxs = jas_malloc(mqdec->maxctxs * sizeof(jpc_mqstate_t *)))) {
++	if (!(mqdec->ctxs = jas_alloc2(mqdec->maxctxs, sizeof(jpc_mqstate_t *)))) {
+ 		goto error;
+ 	}
+ 	/* Set the current context to the first context. */
+diff -pruN jasper-1.900.1.orig/src/libjasper/jpc/jpc_mqenc.c jasper-1.900.1/src/libjasper/jpc/jpc_mqenc.c
+--- jasper-1.900.1.orig/src/libjasper/jpc/jpc_mqenc.c	2007-01-19 22:43:07.000000000 +0100
++++ jasper-1.900.1/src/libjasper/jpc/jpc_mqenc.c	2009-10-22 10:27:45.000000000 +0200
+@@ -197,7 +197,7 @@ jpc_mqenc_t *jpc_mqenc_create(int maxctx
+ 	mqenc->maxctxs = maxctxs;
+ 
+ 	/* Allocate memory for the per-context state information. */
+-	if (!(mqenc->ctxs = jas_malloc(mqenc->maxctxs * sizeof(jpc_mqstate_t *)))) {
++	if (!(mqenc->ctxs = jas_alloc2(mqenc->maxctxs, sizeof(jpc_mqstate_t *)))) {
+ 		goto error;
+ 	}
+ 
+diff -pruN jasper-1.900.1.orig/src/libjasper/jpc/jpc_qmfb.c jasper-1.900.1/src/libjasper/jpc/jpc_qmfb.c
+--- jasper-1.900.1.orig/src/libjasper/jpc/jpc_qmfb.c	2007-01-19 22:43:07.000000000 +0100
++++ jasper-1.900.1/src/libjasper/jpc/jpc_qmfb.c	2009-10-22 10:27:45.000000000 +0200
+@@ -321,7 +321,7 @@ void jpc_qmfb_split_row(jpc_fix_t *a, in
+ #if !defined(HAVE_VLA)
+ 	/* Get a buffer. */
+ 	if (bufsize > QMFB_SPLITBUFSIZE) {
+-		if (!(buf = jas_malloc(bufsize * sizeof(jpc_fix_t)))) {
++		if (!(buf = jas_alloc2(bufsize, sizeof(jpc_fix_t)))) {
+ 			/* We have no choice but to commit suicide in this case. */
+ 			abort();
+ 		}
+@@ -389,7 +389,7 @@ void jpc_qmfb_split_col(jpc_fix_t *a, in
+ #if !defined(HAVE_VLA)
+ 	/* Get a buffer. */
+ 	if (bufsize > QMFB_SPLITBUFSIZE) {
+-		if (!(buf = jas_malloc(bufsize * sizeof(jpc_fix_t)))) {
++		if (!(buf = jas_alloc2(bufsize, sizeof(jpc_fix_t)))) {
+ 			/* We have no choice but to commit suicide in this case. */
+ 			abort();
+ 		}
+@@ -460,7 +460,7 @@ void jpc_qmfb_split_colgrp(jpc_fix_t *a,
+ #if !defined(HAVE_VLA)
+ 	/* Get a buffer. */
+ 	if (bufsize > QMFB_SPLITBUFSIZE) {
+-		if (!(buf = jas_malloc(bufsize * sizeof(jpc_fix_t)))) {
++		if (!(buf = jas_alloc2(bufsize, sizeof(jpc_fix_t)))) {
+ 			/* We have no choice but to commit suicide in this case. */
+ 			abort();
+ 		}
+@@ -549,7 +549,7 @@ void jpc_qmfb_split_colres(jpc_fix_t *a,
+ #if !defined(HAVE_VLA)
+ 	/* Get a buffer. */
+ 	if (bufsize > QMFB_SPLITBUFSIZE) {
+-		if (!(buf = jas_malloc(bufsize * sizeof(jpc_fix_t)))) {
++		if (!(buf = jas_alloc2(bufsize, sizeof(jpc_fix_t)))) {
+ 			/* We have no choice but to commit suicide in this case. */
+ 			abort();
+ 		}
+@@ -633,7 +633,7 @@ void jpc_qmfb_join_row(jpc_fix_t *a, int
+ #if !defined(HAVE_VLA)
+ 	/* Allocate memory for the join buffer from the heap. */
+ 	if (bufsize > QMFB_JOINBUFSIZE) {
+-		if (!(buf = jas_malloc(bufsize * sizeof(jpc_fix_t)))) {
++		if (!(buf = jas_alloc2(bufsize, sizeof(jpc_fix_t)))) {
+ 			/* We have no choice but to commit suicide. */
+ 			abort();
+ 		}
+@@ -698,7 +698,7 @@ void jpc_qmfb_join_col(jpc_fix_t *a, int
+ #if !defined(HAVE_VLA)
+ 	/* Allocate memory for the join buffer from the heap. */
+ 	if (bufsize > QMFB_JOINBUFSIZE) {
+-		if (!(buf = jas_malloc(bufsize * sizeof(jpc_fix_t)))) {
++		if (!(buf = jas_alloc2(bufsize, sizeof(jpc_fix_t)))) {
+ 			/* We have no choice but to commit suicide. */
+ 			abort();
+ 		}
+@@ -766,7 +766,7 @@ void jpc_qmfb_join_colgrp(jpc_fix_t *a, 
+ #if !defined(HAVE_VLA)
+ 	/* Allocate memory for the join buffer from the heap. */
+ 	if (bufsize > QMFB_JOINBUFSIZE) {
+-		if (!(buf = jas_malloc(bufsize * JPC_QMFB_COLGRPSIZE * sizeof(jpc_fix_t)))) {
++		if (!(buf = jas_alloc2(bufsize, JPC_QMFB_COLGRPSIZE * sizeof(jpc_fix_t)))) {
+ 			/* We have no choice but to commit suicide. */
+ 			abort();
+ 		}
+@@ -852,7 +852,7 @@ void jpc_qmfb_join_colres(jpc_fix_t *a, 
+ #if !defined(HAVE_VLA)
+ 	/* Allocate memory for the join buffer from the heap. */
+ 	if (bufsize > QMFB_JOINBUFSIZE) {
+-		if (!(buf = jas_malloc(bufsize * numcols * sizeof(jpc_fix_t)))) {
++		if (!(buf = jas_alloc3(bufsize, numcols, sizeof(jpc_fix_t)))) {
+ 			/* We have no choice but to commit suicide. */
+ 			abort();
+ 		}
+diff -pruN jasper-1.900.1.orig/src/libjasper/jpc/jpc_t1enc.c jasper-1.900.1/src/libjasper/jpc/jpc_t1enc.c
+--- jasper-1.900.1.orig/src/libjasper/jpc/jpc_t1enc.c	2007-01-19 22:43:07.000000000 +0100
++++ jasper-1.900.1/src/libjasper/jpc/jpc_t1enc.c	2009-10-22 10:27:45.000000000 +0200
+@@ -219,7 +219,7 @@ int jpc_enc_enccblk(jpc_enc_t *enc, jas_
+ 
+ 	cblk->numpasses = (cblk->numbps > 0) ? (3 * cblk->numbps - 2) : 0;
+ 	if (cblk->numpasses > 0) {
+-		cblk->passes = jas_malloc(cblk->numpasses * sizeof(jpc_enc_pass_t));
++		cblk->passes = jas_alloc2(cblk->numpasses, sizeof(jpc_enc_pass_t));
+ 		assert(cblk->passes);
+ 	} else {
+ 		cblk->passes = 0;
+diff -pruN jasper-1.900.1.orig/src/libjasper/jpc/jpc_t2cod.c jasper-1.900.1/src/libjasper/jpc/jpc_t2cod.c
+--- jasper-1.900.1.orig/src/libjasper/jpc/jpc_t2cod.c	2007-01-19 22:43:07.000000000 +0100
++++ jasper-1.900.1/src/libjasper/jpc/jpc_t2cod.c	2009-10-22 10:27:45.000000000 +0200
+@@ -573,7 +573,7 @@ int jpc_pchglist_insert(jpc_pchglist_t *
+ 	}
+ 	if (pchglist->numpchgs >= pchglist->maxpchgs) {
+ 		newmaxpchgs = pchglist->maxpchgs + 128;
+-		if (!(newpchgs = jas_realloc(pchglist->pchgs, newmaxpchgs * sizeof(jpc_pchg_t *)))) {
++		if (!(newpchgs = jas_realloc2(pchglist->pchgs, newmaxpchgs, sizeof(jpc_pchg_t *)))) {
+ 			return -1;
+ 		}
+ 		pchglist->maxpchgs = newmaxpchgs;
+diff -pruN jasper-1.900.1.orig/src/libjasper/jpc/jpc_t2dec.c jasper-1.900.1/src/libjasper/jpc/jpc_t2dec.c
+--- jasper-1.900.1.orig/src/libjasper/jpc/jpc_t2dec.c	2007-01-19 22:43:07.000000000 +0100
++++ jasper-1.900.1/src/libjasper/jpc/jpc_t2dec.c	2009-10-22 10:27:45.000000000 +0200
+@@ -478,7 +478,7 @@ jpc_pi_t *jpc_dec_pi_create(jpc_dec_t *d
+ 		return 0;
+ 	}
+ 	pi->numcomps = dec->numcomps;
+-	if (!(pi->picomps = jas_malloc(pi->numcomps * sizeof(jpc_picomp_t)))) {
++	if (!(pi->picomps = jas_alloc2(pi->numcomps, sizeof(jpc_picomp_t)))) {
+ 		jpc_pi_destroy(pi);
+ 		return 0;
+ 	}
+@@ -490,7 +490,7 @@ jpc_pi_t *jpc_dec_pi_create(jpc_dec_t *d
+ 	for (compno = 0, tcomp = tile->tcomps, picomp = pi->picomps;
+ 	  compno < pi->numcomps; ++compno, ++tcomp, ++picomp) {
+ 		picomp->numrlvls = tcomp->numrlvls;
+-		if (!(picomp->pirlvls = jas_malloc(picomp->numrlvls *
++		if (!(picomp->pirlvls = jas_alloc2(picomp->numrlvls,
+ 		  sizeof(jpc_pirlvl_t)))) {
+ 			jpc_pi_destroy(pi);
+ 			return 0;
+@@ -503,7 +503,7 @@ jpc_pi_t *jpc_dec_pi_create(jpc_dec_t *d
+ 		  rlvlno < picomp->numrlvls; ++rlvlno, ++pirlvl, ++rlvl) {
+ /* XXX sizeof(long) should be sizeof different type */
+ 			pirlvl->numprcs = rlvl->numprcs;
+-			if (!(pirlvl->prclyrnos = jas_malloc(pirlvl->numprcs *
++			if (!(pirlvl->prclyrnos = jas_alloc2(pirlvl->numprcs,
+ 			  sizeof(long)))) {
+ 				jpc_pi_destroy(pi);
+ 				return 0;
+diff -pruN jasper-1.900.1.orig/src/libjasper/jpc/jpc_t2enc.c jasper-1.900.1/src/libjasper/jpc/jpc_t2enc.c
+--- jasper-1.900.1.orig/src/libjasper/jpc/jpc_t2enc.c	2007-01-19 22:43:07.000000000 +0100
++++ jasper-1.900.1/src/libjasper/jpc/jpc_t2enc.c	2009-10-22 10:27:45.000000000 +0200
+@@ -565,7 +565,7 @@ jpc_pi_t *jpc_enc_pi_create(jpc_enc_cp_t
+ 	}
+ 	pi->pktno = -1;
+ 	pi->numcomps = cp->numcmpts;
+-	if (!(pi->picomps = jas_malloc(pi->numcomps * sizeof(jpc_picomp_t)))) {
++	if (!(pi->picomps = jas_alloc2(pi->numcomps, sizeof(jpc_picomp_t)))) {
+ 		jpc_pi_destroy(pi);
+ 		return 0;
+ 	}
+@@ -577,7 +577,7 @@ jpc_pi_t *jpc_enc_pi_create(jpc_enc_cp_t
+ 	for (compno = 0, tcomp = tile->tcmpts, picomp = pi->picomps;
+ 	  compno < pi->numcomps; ++compno, ++tcomp, ++picomp) {
+ 		picomp->numrlvls = tcomp->numrlvls;
+-		if (!(picomp->pirlvls = jas_malloc(picomp->numrlvls *
++		if (!(picomp->pirlvls = jas_alloc2(picomp->numrlvls,
+ 		  sizeof(jpc_pirlvl_t)))) {
+ 			jpc_pi_destroy(pi);
+ 			return 0;
+@@ -591,7 +591,7 @@ jpc_pi_t *jpc_enc_pi_create(jpc_enc_cp_t
+ /* XXX sizeof(long) should be sizeof different type */
+ 			pirlvl->numprcs = rlvl->numprcs;
+ 			if (rlvl->numprcs) {
+-				if (!(pirlvl->prclyrnos = jas_malloc(pirlvl->numprcs *
++				if (!(pirlvl->prclyrnos = jas_alloc2(pirlvl->numprcs,
+ 				  sizeof(long)))) {
+ 					jpc_pi_destroy(pi);
+ 					return 0;
+diff -pruN jasper-1.900.1.orig/src/libjasper/jpc/jpc_tagtree.c jasper-1.900.1/src/libjasper/jpc/jpc_tagtree.c
+--- jasper-1.900.1.orig/src/libjasper/jpc/jpc_tagtree.c	2007-01-19 22:43:07.000000000 +0100
++++ jasper-1.900.1/src/libjasper/jpc/jpc_tagtree.c	2009-10-22 10:27:45.000000000 +0200
+@@ -125,7 +125,7 @@ jpc_tagtree_t *jpc_tagtree_create(int nu
+ 		++numlvls;
+ 	} while (n > 1);
+ 
+-	if (!(tree->nodes_ = jas_malloc(tree->numnodes_ * sizeof(jpc_tagtreenode_t)))) {
++	if (!(tree->nodes_ = jas_alloc2(tree->numnodes_, sizeof(jpc_tagtreenode_t)))) {
+ 		return 0;
+ 	}
+ 
+diff -pruN jasper-1.900.1.orig/src/libjasper/jpc/jpc_util.c jasper-1.900.1/src/libjasper/jpc/jpc_util.c
+--- jasper-1.900.1.orig/src/libjasper/jpc/jpc_util.c	2007-01-19 22:43:07.000000000 +0100
++++ jasper-1.900.1/src/libjasper/jpc/jpc_util.c	2009-10-22 10:27:45.000000000 +0200
+@@ -109,7 +109,7 @@ int jpc_atoaf(char *s, int *numvalues, d
+ 	}
+ 
+ 	if (n) {
+-		if (!(vs = jas_malloc(n * sizeof(double)))) {
++		if (!(vs = jas_alloc2(n, sizeof(double)))) {
+ 			return -1;
+ 		}
+ 
+diff -pruN jasper-1.900.1.orig/src/libjasper/mif/mif_cod.c jasper-1.900.1/src/libjasper/mif/mif_cod.c
+--- jasper-1.900.1.orig/src/libjasper/mif/mif_cod.c	2007-01-19 22:43:05.000000000 +0100
++++ jasper-1.900.1/src/libjasper/mif/mif_cod.c	2009-10-22 10:27:45.000000000 +0200
+@@ -438,8 +438,7 @@ static int mif_hdr_growcmpts(mif_hdr_t *
+ 	int cmptno;
+ 	mif_cmpt_t **newcmpts;
+ 	assert(maxcmpts >= hdr->numcmpts);
+-	newcmpts = (!hdr->cmpts) ? jas_malloc(maxcmpts * sizeof(mif_cmpt_t *)) :
+-	  jas_realloc(hdr->cmpts, maxcmpts * sizeof(mif_cmpt_t *));
++	newcmpts = jas_realloc2(hdr->cmpts, maxcmpts, sizeof(mif_cmpt_t *));
+ 	if (!newcmpts) {
+ 		return -1;
+ 	}
diff --git a/SOURCES/jasper-1.900.1-CVE-2008-3522.patch b/SOURCES/jasper-1.900.1-CVE-2008-3522.patch
new file mode 100644
index 0000000..4bf2e9b
--- /dev/null
+++ b/SOURCES/jasper-1.900.1-CVE-2008-3522.patch
@@ -0,0 +1,14 @@
+https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2008-3522
+
+diff -pruN jasper-1.900.1.orig/src/libjasper/base/jas_stream.c jasper-1.900.1/src/libjasper/base/jas_stream.c
+--- jasper-1.900.1.orig/src/libjasper/base/jas_stream.c	2009-10-22 10:27:45.000000000 +0200
++++ jasper-1.900.1/src/libjasper/base/jas_stream.c	2009-10-22 10:35:53.000000000 +0200
+@@ -553,7 +553,7 @@ int jas_stream_printf(jas_stream_t *stre
+ 	int ret;
+ 
+ 	va_start(ap, fmt);
+-	ret = vsprintf(buf, fmt, ap);
++	ret = vsnprintf(buf, sizeof buf, fmt, ap);
+ 	jas_stream_puts(stream, buf);
+ 	va_end(ap);
+ 	return ret;
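Review bot: In `jas_stream_printf` the result of `vsnprintf` is returned unchanged, so on truncation the caller receives the length the output would have had, not what `jas_stream_puts` actually wrote. A negative result also still reaches `jas_stream_puts(stream, buf)` with whatever `buf` holds. A guard such as `if (ret < 0) { va_end(ap); return ret; }` followed by `if ((size_t)ret >= sizeof buf) ret = sizeof buf - 1;` would keep the reported count accurate. `sizeof buf` is the buffer size only if `buf` is an array; its declaration is above the hunk, so that should be confirmed.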
diff --git a/SOURCES/jasper-1.900.1-CVE-2011-4516-CVE-2011-4517-CERT-VU-887409.patch b/SOURCES/jasper-1.900.1-CVE-2011-4516-CVE-2011-4517-CERT-VU-887409.patch
new file mode 100644
index 0000000..f753080
--- /dev/null
+++ b/SOURCES/jasper-1.900.1-CVE-2011-4516-CVE-2011-4517-CERT-VU-887409.patch
@@ -0,0 +1,23 @@
+diff -up jasper-1.900.1/src/libjasper/jpc/jpc_cs.c.CERT-VU-887409 jasper-1.900.1/src/libjasper/jpc/jpc_cs.c
+--- jasper-1.900.1/src/libjasper/jpc/jpc_cs.c.CERT-VU-887409	2011-10-25 17:25:39.000000000 +0200
++++ jasper-1.900.1/src/libjasper/jpc/jpc_cs.c	2011-10-25 17:29:14.379371908 +0200
+@@ -744,6 +744,10 @@ static int jpc_cox_getcompparms(jpc_ms_t
+ 		return -1;
+ 	}
+ 	compparms->numrlvls = compparms->numdlvls + 1;
++	if (compparms->numrlvls > JPC_MAXRLVLS) {
++		jpc_cox_destroycompparms(compparms);
++		return -1;
++	}
+ 	if (prtflag) {
+ 		for (i = 0; i < compparms->numrlvls; ++i) {
+ 			if (jpc_getuint8(in, &tmp)) {
+@@ -1331,7 +1335,7 @@ static int jpc_crg_getparms(jpc_ms_t *ms
+ 	jpc_crgcomp_t *comp;
+ 	uint_fast16_t compno;
+ 	crg->numcomps = cstate->numcomps;
+-	if (!(crg->comps = jas_alloc2(cstate->numcomps, sizeof(uint_fast16_t)))) {
++	if (!(crg->comps = jas_alloc2(cstate->numcomps, sizeof(jpc_crgcomp_t)))) {
+ 		return -1;
+ 	}
+ 	for (compno = 0, comp = crg->comps; compno < cstate->numcomps;
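Review bot: The `jpc_crg_getparms` fix still spells the element type by hand in `jas_alloc2(cstate->numcomps, sizeof(jpc_crgcomp_t))`, which is the pattern that produced the undersized allocation this patch corrects. Writing `jas_alloc2(cstate->numcomps, sizeof *crg->comps)` ties the size to the pointer being assigned, so a later type change cannot bring the mismatch back. For the new bound in `jpc_cox_getcompparms`, a comment such as `/* numrlvls is read from the codestream; it bounds the per-level loop below */` would record why the check sits before the loop. What that loop writes into is cut off by the hunk, so the comment wording should be checked against the full function.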
diff --git a/SOURCES/jasper-1.900.1-CVE-2016-9396.patch b/SOURCES/jasper-1.900.1-CVE-2016-9396.patch
new file mode 100644
index 0000000..84b2716
--- /dev/null
+++ b/SOURCES/jasper-1.900.1-CVE-2016-9396.patch
@@ -0,0 +1,50 @@
+diff -urNp old/src/libjasper/jpc/jpc_cs.c new/src/libjasper/jpc/jpc_cs.c
+--- old/src/libjasper/jpc/jpc_cs.c	2018-06-21 09:16:03.401642013 +0200
++++ new/src/libjasper/jpc/jpc_cs.c	2018-06-21 09:36:47.278110112 +0200
+@@ -782,29 +782,37 @@ static int jpc_cox_getcompparms(jpc_ms_t
+ 	  jpc_getuint8(in, &compparms->qmfbid)) {
+ 		return -1;
+ 	}
++	if (compparms->numdlvls > 32) {
++		goto error;
++	}
++	if (compparms->qmfbid != JPC_COX_INS &&
++	    compparms->qmfbid != JPC_COX_RFT)
++		goto error;
+ 	compparms->numrlvls = compparms->numdlvls + 1;
+ 	if (compparms->numrlvls > JPC_MAXRLVLS) {
+-		jpc_cox_destroycompparms(compparms);
+-		return -1;
++		goto error;
+ 	}
+ 	if (prtflag) {
+ 		for (i = 0; i < compparms->numrlvls; ++i) {
+ 			if (jpc_getuint8(in, &tmp)) {
+-				jpc_cox_destroycompparms(compparms);
+-				return -1;
++				goto error;
+ 			}
+ 			compparms->rlvls[i].parwidthval = tmp & 0xf;
+ 			compparms->rlvls[i].parheightval = (tmp >> 4) & 0xf;
+ 		}
+-/* Sigh.  This bit should be in the same field in both COC and COD mrk segs. */
+-compparms->csty |= JPC_COX_PRT;
+-	} else {
++		/* Sigh.
++		This bit should be in the same field in both COC and COD mrk segs. */
++		compparms->csty |= JPC_COX_PRT;
+ 	}
+ 	if (jas_stream_eof(in)) {
+-		jpc_cox_destroycompparms(compparms);
+-		return -1;
++		goto error;
+ 	}
+ 	return 0;
++error:
++	if (compparms) {
++		jpc_cox_destroycompparms(compparms);
++	}
++	return -1;
+ }
+ 
+ static int jpc_cox_putcompparms(jpc_ms_t *ms, jpc_cstate_t *cstate,
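Review bot: The new guard `if (compparms->numdlvls > 32)` uses a bare constant immediately before the existing `numrlvls > JPC_MAXRLVLS` check, and nothing says which limit 32 encodes or how it relates to `JPC_MAXRLVLS`, whose value is not shown here. If the two limits are meant to coincide, the single check on `numrlvls` is enough; if not, a comment such as `/* at most 32 decomposition levels are accepted */` above the test would make the intent reviewable. The `qmfbid` test is the only unbraced `if` in the block. `if (compparms)` under `error:` cannot be false, because `compparms` has already been dereferenced on every path that reaches the label.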
diff --git a/SOURCES/jasper-1.900.1-CVE-2017-1000050.patch b/SOURCES/jasper-1.900.1-CVE-2017-1000050.patch
new file mode 100644
index 0000000..d6d4ad9
--- /dev/null
+++ b/SOURCES/jasper-1.900.1-CVE-2017-1000050.patch
@@ -0,0 +1,15 @@
+diff -urNp old/src/libjasper/jp2/jp2_enc.c new/src/libjasper/jp2/jp2_enc.c
+--- old/src/libjasper/jp2/jp2_enc.c	2018-06-21 09:46:45.090301777 +0200
++++ new/src/libjasper/jp2/jp2_enc.c	2018-06-21 10:18:17.602305787 +0200
+@@ -115,6 +115,11 @@ int sgnd;
+ 	iccstream = 0;
+ 	iccprof = 0;
+ 
++	if (jas_image_numcmpts(image) < 1) {
++	//	jas_eprintf("image must have at least one component\n");
++		goto error;
++	}
++
+ 	allcmptssame = 1;
+ 	sgnd = jas_image_cmptsgnd(image, 0);
+ 	prec = jas_image_cmptprec(image, 0);
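Review bot: The new early exit leaves its diagnostic commented out (`//	jas_eprintf(...)`), so an image with no components now fails without any message and the block carries dead code. Either enable the call or replace it with a comment stating the reason, e.g. `/* component 0 is queried unconditionally below */`, which is what the following `jas_image_cmptsgnd(image, 0)` and `jas_image_cmptprec(image, 0)` lines show. The `error` label is outside the hunk and only `iccstream` and `iccprof` are visibly zeroed before this jump, so it is worth confirming that everything the label releases is initialised at this point.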
diff --git a/SOURCES/jasper-1.900.1-Coverity-BAD_SIZEOF.patch b/SOURCES/jasper-1.900.1-Coverity-BAD_SIZEOF.patch
new file mode 100644
index 0000000..1977400
--- /dev/null
+++ b/SOURCES/jasper-1.900.1-Coverity-BAD_SIZEOF.patch
@@ -0,0 +1,17 @@
+Error: BAD_SIZEOF
+jpc/jpc_enc.c:2105: bad_sizeof: Taking the size of binary expression "tcmpt->numstepsizes * sizeof (uint_fast16_t) /*8*/" is suspicious.
+                                Did you intend "sizeof(tcmpt->numstepsizes) * sizeof (uint_fast16_t) /*8*/"?
+
+diff -up jasper-1.900.1/src/libjasper/jpc/jpc_enc.c.bad_sizeof jasper-1.900.1/src/libjasper/jpc/jpc_enc.c
+--- jasper-1.900.1/src/libjasper/jpc/jpc_enc.c.bad_sizeof	2007-01-19 22:43:07.000000000 +0100
++++ jasper-1.900.1/src/libjasper/jpc/jpc_enc.c	2011-06-23 17:28:17.085690561 +0200
+@@ -2102,8 +2102,7 @@ static jpc_enc_tcmpt_t *tcmpt_create(jpc
+ 
+ 	tcmpt->numstepsizes = tcmpt->numbands;
+ 	assert(tcmpt->numstepsizes <= JPC_MAXBANDS);
+-	memset(tcmpt->stepsizes, 0, sizeof(tcmpt->numstepsizes *
+-	  sizeof(uint_fast16_t)));
++	memset(tcmpt->stepsizes, 0, tcmpt->numstepsizes * sizeof(uint_fast16_t));
+ 
+ 	/* Retrieve information about the various bands. */
+ 	jpc_tsfb_getbands(tcmpt->tsfb, jas_seq2d_xstart(tcmpt->data),
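Review bot: With the corrected length, the only thing bounding this `memset` is `assert(tcmpt->numstepsizes <= JPC_MAXBANDS)`, which disappears when the library is built with `NDEBUG`. Before the fix the call cleared only `sizeof` of the product expression, a handful of bytes, so the bound did not matter; now it does. An explicit check that fails `tcmpt_create` would hold in release builds as well, but the function's error path is outside the hunk, so its exact form depends on that code. Using `sizeof tcmpt->stepsizes[0]` in place of `sizeof(uint_fast16_t)` would also keep the element size tied to the field.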
diff --git a/SOURCES/jasper-1.900.1-Coverity-CHECKED_RETURN.patch b/SOURCES/jasper-1.900.1-Coverity-CHECKED_RETURN.patch
new file mode 100644
index 0000000..ea330f2
--- /dev/null
+++ b/SOURCES/jasper-1.900.1-Coverity-CHECKED_RETURN.patch
@@ -0,0 +1,141 @@
+Error: CHECKED_RETURN
+jpc/jpc_cs.c:924: check_return: Calling function "jpc_putuint16" without checking return value (as is done elsewhere 11 out of 13 times).
+jpc/jpc_cs.c:924: unchecked_value: No check of the return value of "jpc_putuint16(out, qcc->compno)".
+
+jpc/jpc_cs.c:1021: check_return: Calling function "jpc_putuint16" without checking return value (as is done elsewhere 11 out of 13 times).
+jpc/jpc_cs.c:1021: unchecked_value: No check of the return value of "jpc_putuint16(out, compparms->stepsizes[i])".
+
+jpc/jpc_cs.c:994: check_return: Calling function "jpc_getuint16" without checking return value (as is done elsewhere 14 out of 16 times).
+jpc/jpc_cs.c:994: unchecked_value: No check of the return value of "jpc_getuint16(in, compparms->stepsizes + i)".
+
+jpc/jpc_cs.c:905: check_return: Calling function "jpc_getuint16" without checking return value (as is done elsewhere 14 out of 16 times).
+jpc/jpc_cs.c:905: unchecked_value: No check of the return value of "jpc_getuint16(in, &qcc->compno)".
+
+jpc/jpc_cs.c:969: check_return: Calling function "jpc_getuint8" without checking return value (as is done elsewhere 17 out of 20 times).
+jpc/jpc_cs.c:969: unchecked_value: No check of the return value of "jpc_getuint8(in, &tmp)".
+
+jpc/jpc_cs.c:991: check_return: Calling function "jpc_getuint8" without checking return value (as is done elsewhere 17 out of 20 times).
+jpc/jpc_cs.c:991: unchecked_value: No check of the return value of "jpc_getuint8(in, &tmp)".
+
+jpc/jpc_cs.c:901: check_return: Calling function "jpc_getuint8" without checking return value (as is done elsewhere 17 out of 20 times).
+jpc/jpc_cs.c:901: unchecked_value: No check of the return value of "jpc_getuint8(in, &tmp)".
+
+jpc/jpc_t2enc.c:338: check_return: Calling function "jpc_putms" without checking return value (as is done elsewhere 12 out of 13 times).
+jpc/jpc_t2enc.c:338: unchecked_value: No check of the return value of "jpc_putms(out, enc->cstate, ms)".
+
+ras/ras_enc.c:245: check_return: Calling function "jas_image_readcmpt" without checking return value (as is done elsewhere 9 out of 10 times).
+ras/ras_enc.c:245: unchecked_value: No check of the return value of "jas_image_readcmpt(image, cmpts[i], 0L, y, image->brx_ - image->tlx_, 1L, data[i])".
+
+diff -up jasper-1.900.1/src/libjasper/jpc/jpc_cs.c.checked_return jasper-1.900.1/src/libjasper/jpc/jpc_cs.c
+--- jasper-1.900.1/src/libjasper/jpc/jpc_cs.c.checked_return	2007-01-19 22:43:07.000000000 +0100
++++ jasper-1.900.1/src/libjasper/jpc/jpc_cs.c	2011-06-24 13:52:25.636551844 +0200
+@@ -898,11 +898,15 @@ static int jpc_qcc_getparms(jpc_ms_t *ms
+ 	int len;
+ 	len = ms->len;
+ 	if (cstate->numcomps <= 256) {
+-		jpc_getuint8(in, &tmp);
++		if (jpc_getuint8(in, &tmp)) {
++			return -1;
++		}
+ 		qcc->compno = tmp;
+ 		--len;
+ 	} else {
+-		jpc_getuint16(in, &qcc->compno);
++		if (jpc_getuint16(in, &qcc->compno)) {
++			return -1;
++		}
+ 		len -= 2;
+ 	}
+ 	if (jpc_qcx_getcompparms(&qcc->compparms, cstate, in, len)) {
+@@ -919,9 +923,13 @@ static int jpc_qcc_putparms(jpc_ms_t *ms
+ {
+ 	jpc_qcc_t *qcc = &ms->parms.qcc;
+ 	if (cstate->numcomps <= 256) {
+-		jpc_putuint8(out, qcc->compno);
++		if (jpc_putuint8(out, qcc->compno)) {
++			return -1;
++		}
+ 	} else {
+-		jpc_putuint16(out, qcc->compno);
++		if (jpc_putuint16(out, qcc->compno)) {
++			return -1;
++		}
+ 	}
+ 	if (jpc_qcx_putcompparms(&qcc->compparms, cstate, out)) {
+ 		return -1;
+@@ -966,7 +974,9 @@ static int jpc_qcx_getcompparms(jpc_qcxc
+ 	cstate = 0;
+ 
+ 	n = 0;
+-	jpc_getuint8(in, &tmp);
++	if (jpc_getuint8(in, &tmp)) {
++		return -1;
++	}
+ 	++n;
+ 	compparms->qntsty = tmp & 0x1f;
+ 	compparms->numguard = (tmp >> 5) & 7;
+@@ -988,10 +998,14 @@ static int jpc_qcx_getcompparms(jpc_qcxc
+ 		assert(compparms->stepsizes);
+ 		for (i = 0; i < compparms->numstepsizes; ++i) {
+ 			if (compparms->qntsty == JPC_QCX_NOQNT) {
+-				jpc_getuint8(in, &tmp);
++				if (jpc_getuint8(in, &tmp)) {
++					return -1;
++				}
+ 				compparms->stepsizes[i] = JPC_QCX_EXPN(tmp >> 3);
+ 			} else {
+-				jpc_getuint16(in, &compparms->stepsizes[i]);
++				if (jpc_getuint16(in, &compparms->stepsizes[i])) {
++					return -1;
++				}
+ 			}
+ 		}
+ 	} else {
+@@ -1015,10 +1029,14 @@ static int jpc_qcx_putcompparms(jpc_qcxc
+ 	jpc_putuint8(out, ((compparms->numguard & 7) << 5) | compparms->qntsty);
+ 	for (i = 0; i < compparms->numstepsizes; ++i) {
+ 		if (compparms->qntsty == JPC_QCX_NOQNT) {
+-			jpc_putuint8(out, JPC_QCX_GETEXPN(
+-			  compparms->stepsizes[i]) << 3);
++			if (jpc_putuint8(out, JPC_QCX_GETEXPN(
++			  compparms->stepsizes[i]) << 3)) {
++				return -1;
++			}
+ 		} else {
+-			jpc_putuint16(out, compparms->stepsizes[i]);
++			if (jpc_putuint16(out, compparms->stepsizes[i])) {
++				return -1;
++			}
+ 		}
+ 	}
+ 	return 0;
+diff -up jasper-1.900.1/src/libjasper/jpc/jpc_t2enc.c.checked_return jasper-1.900.1/src/libjasper/jpc/jpc_t2enc.c
+--- jasper-1.900.1/src/libjasper/jpc/jpc_t2enc.c.checked_return	2007-01-19 22:43:07.000000000 +0100
++++ jasper-1.900.1/src/libjasper/jpc/jpc_t2enc.c	2011-06-24 12:29:32.069578992 +0200
+@@ -335,7 +335,9 @@ assert(jpc_firstone(datalen) < cblk->num
+ 		if (!(ms = jpc_ms_create(JPC_MS_EPH))) {
+ 			return -1;
+ 		}
+-		jpc_putms(out, enc->cstate, ms);
++		if (jpc_putms(out, enc->cstate, ms)) {
++			return -1;
++		}
+ 		jpc_ms_destroy(ms);
+ 	}
+ 
+diff -up jasper-1.900.1/src/libjasper/ras/ras_enc.c.checked_return jasper-1.900.1/src/libjasper/ras/ras_enc.c
+--- jasper-1.900.1/src/libjasper/ras/ras_enc.c.checked_return	2007-01-19 22:43:04.000000000 +0100
++++ jasper-1.900.1/src/libjasper/ras/ras_enc.c	2011-06-24 14:05:31.233482612 +0200
+@@ -242,8 +242,10 @@ static int ras_putdatastd(jas_stream_t *
+ 
+ 	for (y = 0; y < hdr->height; y++) {
+ 		for (i = 0; i < numcmpts; ++i) {
+-			jas_image_readcmpt(image, cmpts[i], 0, y, jas_image_width(image),
+-			  1, data[i]);
++			if (jas_image_readcmpt(image, cmpts[i], 0, y,
++					jas_image_width(image), 1, data[i])) {
++				return -1;
++			}
+ 		}
+ 		z = 0;
+ 		nz = 0;
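Review bot: In the `jpc_t2enc.c` hunk the new `return -1` after a failed `jpc_putms(out, enc->cstate, ms)` skips the `jpc_ms_destroy(ms)` on the next line, so the marker segment created just above leaks on that path. The error branch should read `jpc_ms_destroy(ms); return -1;`. Similar early returns were added inside the step-size loop of `jpc_qcx_getcompparms`, after `assert(compparms->stepsizes)`; whether the caller releases that buffer on failure is not visible here and should be checked. In `jpc_qcx_putcompparms` the first call, `jpc_putuint8(out, ((compparms->numguard & 7) << 5) | compparms->qntsty)`, is still unchecked. All of these functions extend beyond their hunks.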
diff --git a/SOURCES/jasper-1.900.1-Coverity-FORWARD_NULL.patch b/SOURCES/jasper-1.900.1-Coverity-FORWARD_NULL.patch
new file mode 100644
index 0000000..ff526b4
--- /dev/null
+++ b/SOURCES/jasper-1.900.1-Coverity-FORWARD_NULL.patch
@@ -0,0 +1,44 @@
+Error: FORWARD_NULL
+jpc/jpc_dec.c:2207: var_compare_op: Comparing "streams" to null implies that "streams" might be null.
+jpc/jpc_dec.c:2270: var_deref_model: Passing null variable "streams" to function "jpc_streamlist_destroy", which dereferences it.
+jpc/jpc_dec.c:2108: deref_parm: Directly dereferencing parameter "streamlist".
+
+jpc/jpc_t1enc.c:225: assign_zero: Assigning: "cblk->passes" = 0.
+jpc/jpc_t1enc.c:228: alias_transfer: Assigning null: "pass" = "cblk->passes".
+jpc/jpc_t1enc.c:229: var_deref_op: Dereferencing null variable "pass".
+
+diff -up jasper-1.900.1/src/libjasper/jpc/jpc_dec.c.forward_null jasper-1.900.1/src/libjasper/jpc/jpc_dec.c
+--- jasper-1.900.1/src/libjasper/jpc/jpc_dec.c.forward_null	2007-01-19 22:43:07.000000000 +0100
++++ jasper-1.900.1/src/libjasper/jpc/jpc_dec.c	2011-06-24 15:01:39.200600146 +0200
+@@ -2267,7 +2267,9 @@ jpc_streamlist_t *jpc_ppmstabtostreams(j
+ 	return streams;
+ 
+ error:
+-	jpc_streamlist_destroy(streams);
++	if (streams) {
++		jpc_streamlist_destroy(streams);
++	}
+ 	return 0;
+ }
+ 
+diff -up jasper-1.900.1/src/libjasper/jpc/jpc_t1enc.c.forward_null jasper-1.900.1/src/libjasper/jpc/jpc_t1enc.c
+--- jasper-1.900.1/src/libjasper/jpc/jpc_t1enc.c.forward_null	2007-01-19 22:43:07.000000000 +0100
++++ jasper-1.900.1/src/libjasper/jpc/jpc_t1enc.c	2011-06-24 14:58:33.061248133 +0200
+@@ -224,7 +224,7 @@ int jpc_enc_enccblk(jpc_enc_t *enc, jas_
+ 	} else {
+ 		cblk->passes = 0;
+ 	}
+-	endpasses = &cblk->passes[cblk->numpasses];
++	endpasses = (cblk->passes) ? &cblk->passes[cblk->numpasses] : 0;
+ 	for (pass = cblk->passes; pass != endpasses; ++pass) {
+ 		pass->start = 0;
+ 		pass->end = 0;
+@@ -352,7 +352,7 @@ dump_passes(cblk->passes, cblk->numpasse
+ #endif
+ 
+ 	n = 0;
+-	endpasses = &cblk->passes[cblk->numpasses];
++	endpasses = (cblk->passes) ? &cblk->passes[cblk->numpasses] : 0;
+ 	for (pass = cblk->passes; pass != endpasses; ++pass) {
+ 		if (pass->start < n) {
+ 			pass->start = n;
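Review bot: In `jpc_enc_enccblk` the new `endpasses = (cblk->passes) ? &cblk->passes[cblk->numpasses] : 0` also hides a failed allocation. The `jas_alloc2` call for `cblk->passes`, shown in the CVE-2008-3520 patch on this page, is checked only by `assert(cblk->passes)`. In an `NDEBUG` build a NULL `passes` with `numpasses > 0` therefore just skips both loops and the function carries on. Replacing that assert, which sits just above this hunk, with `if (!cblk->passes) { return -1; }` would report the failure; the function returns `int`, but its other cleanup is not visible here. A comment such as `/* passes is NULL when numpasses == 0 */` on both `endpasses` assignments would document the case the ternary is meant for.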
diff --git a/SOURCES/jasper-1.900.1-Coverity-NULL_RETURNS.patch b/SOURCES/jasper-1.900.1-Coverity-NULL_RETURNS.patch
new file mode 100644
index 0000000..4c72270
--- /dev/null
+++ b/SOURCES/jasper-1.900.1-Coverity-NULL_RETURNS.patch
@@ -0,0 +1,61 @@
+Error: NULL_RETURNS
+base/jas_image.c:213: returned_null: Function "jas_image_create0" returns null (checked 6 out of 7 times).
+base/jas_image.c:213: var_assigned: Assigning: "newimage" = null return value from "jas_image_create0".
+base/jas_image.c:214: dereference: Dereferencing a pointer that might be null "newimage" when calling "jas_image_growcmpts".
+base/jas_image.c:777: deref_parm: Directly dereferencing parameter "image".
+
+base/jas_seq.c:223: returned_null: Function "jas_malloc" returns null (checked 110 out of 119 times).
+base/jas_seq.c:223: var_assigned: Assigning: "mat0->rows_" = null return value from "jas_malloc".
+base/jas_seq.c:225: dereference: Dereferencing a null pointer "mat0->rows_".
+
+jp2/jp2_cod.c:484: returned_null: Function "jas_stream_memopen" returns null (checked 12 out of 15 times).
+jp2/jp2_cod.c:484: var_assigned: Assigning: "tmpstream" = null return value from "jas_stream_memopen".
+jp2/jp2_cod.c:490: dereference: Dereferencing a pointer that might be null "tmpstream" when calling "jas_stream_tell".
+base/jas_stream.c:677: deref_parm: Directly dereferencing parameter "stream".
+
+
+diff -up jasper-1.900.1/src/libjasper/base/jas_image.c.NULL_RETURNS jasper-1.900.1/src/libjasper/base/jas_image.c
+--- jasper-1.900.1/src/libjasper/base/jas_image.c.NULL_RETURNS	2011-12-08 14:00:05.350020869 +0100
++++ jasper-1.900.1/src/libjasper/base/jas_image.c	2011-12-08 14:00:06.638004766 +0100
+@@ -210,7 +210,10 @@ jas_image_t *jas_image_copy(jas_image_t
+ 	jas_image_t *newimage;
+ 	int cmptno;
+ 
+-	newimage = jas_image_create0();
++	if (!(newimage = jas_image_create0())) {
++		goto error;
++	}
++
+ 	if (jas_image_growcmpts(newimage, image->numcmpts_)) {
+ 		goto error;
+ 	}
+diff -up jasper-1.900.1/src/libjasper/base/jas_seq.c.NULL_RETURNS jasper-1.900.1/src/libjasper/base/jas_seq.c
+--- jasper-1.900.1/src/libjasper/base/jas_seq.c.NULL_RETURNS	2011-12-08 14:00:05.000000000 +0100
++++ jasper-1.900.1/src/libjasper/base/jas_seq.c	2011-12-08 14:15:12.449680562 +0100
+@@ -220,7 +220,11 @@ void jas_matrix_bindsub(jas_matrix_t *ma
+ 	mat0->numrows_ = r1 - r0 + 1;
+ 	mat0->numcols_ = c1 - c0 + 1;
+ 	mat0->maxrows_ = mat0->numrows_;
+-	mat0->rows_ = jas_alloc2(mat0->maxrows_, sizeof(jas_seqent_t *));
++	if (!(mat0->rows_ = jas_alloc2(mat0->maxrows_, sizeof(jas_seqent_t *)))) {
++		jas_matrix_destroy(mat0);
++		return;
++	}
++
+ 	for (i = 0; i < mat0->numrows_; ++i) {
+ 		mat0->rows_[i] = mat1->rows_[r0 + i] + c0;
+ 	}
+diff -up jasper-1.900.1/src/libjasper/jp2/jp2_cod.c.NULL_RETURNS jasper-1.900.1/src/libjasper/jp2/jp2_cod.c
+--- jasper-1.900.1/src/libjasper/jp2/jp2_cod.c.NULL_RETURNS	2011-12-08 14:00:05.633017331 +0100
++++ jasper-1.900.1/src/libjasper/jp2/jp2_cod.c	2011-12-08 14:00:06.677004279 +0100
+@@ -481,7 +481,9 @@ int jp2_box_put(jp2_box_t *box, jas_stre
+ 	dataflag = !(box->info->flags & (JP2_BOX_SUPER | JP2_BOX_NODATA));
+ 
+ 	if (dataflag) {
+-		tmpstream = jas_stream_memopen(0, 0);
++		if (!(tmpstream = jas_stream_memopen(0, 0))) {
++			goto error;
++		}
+ 		if (box->ops->putdata) {
+ 			if ((*box->ops->putdata)(box, tmpstream)) {
+ 				goto error;
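Review bot: In `jas_matrix_bindsub` the new failure branch calls `jas_matrix_destroy(mat0)` and then returns from a `void` function, so the caller cannot tell that the matrix has been freed and may use or destroy it again. `mat0` appears to be a parameter (the signature is cut off in the hunk header), which would leave ownership with the caller. A safer failure path leaves the object valid but empty, setting `numrows_`, `numcols_` and `maxrows_` to 0 before returning, or gives the function a status return that callers check. The `goto error` added to `jas_image_copy` jumps with `newimage` NULL; the label is outside the hunk, so confirm it does not pass NULL to a destroy routine.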
diff --git a/SOURCES/jasper-1.900.1-Coverity-RESOURCE_LEAK.patch b/SOURCES/jasper-1.900.1-Coverity-RESOURCE_LEAK.patch
new file mode 100644
index 0000000..76f5da7
--- /dev/null
+++ b/SOURCES/jasper-1.900.1-Coverity-RESOURCE_LEAK.patch
@@ -0,0 +1,202 @@
+Error: RESOURCE_LEAK
+src/appl/imgcmp.c:504: var_assign: Assigning: "diffimage" =  storage returned from "jas_image_create(3, compparms, 1025)".
+src/appl/imgcmp.c:511: leaked_storage: Variable "diffimage" going out of scope leaks the storage it points to.
+src/appl/imgcmp.c:537: leaked_storage: Variable "diffimage" going out of scope leaks the storage it points to.
+
+base/jas_image.c:254: var_assign: Assigning: "newcmpt" =  storage returned from "jas_image_cmpt_create0()".
+base/jas_image.c:268: leaked_storage: Variable "newcmpt" going out of scope leaks the storage it points to.
+base/jas_image.c:271: leaked_storage: Variable "newcmpt" going out of scope leaks the storage it points to.
+base/jas_image.c:274: leaked_storage: Variable "newcmpt" going out of scope leaks the storage it points to.
+base/jas_image.c:277: leaked_storage: Variable "newcmpt" going out of scope leaks the storage it points to.
+
+base/jas_cm.c:611: var_assign: Assigning: "newpxformseq" =  storage returned from "jas_cmpxformseq_create()".
+base/jas_cm.c:617: leaked_storage: Variable "newpxformseq" going out of scope leaks the storage it points to.
+
+base/jas_cm.c:343: var_assign: Assigning: "newprof" =  storage returned from "jas_cmprof_create()".
+base/jas_cm.c:358: leaked_storage: Variable "newprof" going out of scope leaks the storage it points to.
+
+base/jas_cm.c:380: var_assign: Assigning: "xform" =  storage returned from "jas_malloc(sizeof (jas_cmxform_t) /*16*/)".
+base/jas_cm.c:461: leaked_storage: Variable "xform" going out of scope leaks the storage it points to.
+
+base/jas_image.c:1379: var_assign: Assigning: "xform" =  storage returned from "jas_cmxform_create(inprof, outprof, NULL, 0, intent, 0)".
+base/jas_image.c:1444: leaked_storage: Variable "xform" going out of scope leaks the storage it points to.
+
+base/jas_image.c:1306: var_assign: Assigning: "inimage" =  storage returned from "jas_image_copy(image)".
+base/jas_image.c:1444: leaked_storage: Variable "inimage" going out of scope leaks the storage it points to.
+
+base/jas_image.c:1345: var_assign: Assigning: "outimage" =  storage returned from "jas_image_create0()".
+base/jas_image.c:1444: leaked_storage: Variable "outimage" going out of scope leaks the storage it points to.
+
+bmp/bmp_enc.c:187: var_assign: Assigning: "info" =  storage returned from "bmp_info_create()".
+bmp/bmp_enc.c:208: leaked_storage: Variable "info" going out of scope leaks the storage it points to.
+
+jpc/jpc_tagtree.c:111: var_assign: Assigning: "tree" =  storage returned from "jpc_tagtree_alloc()".
+jpc/jpc_tagtree.c:129: leaked_storage: Variable "tree" going out of scope leaks the storage it points to.
+
+jpc/jpc_dec.c:452: var_assign: Assigning: "compinfos" =  storage returned from "jas_malloc(dec->numcomps * sizeof (jas_image_cmptparm_t) /*56*/)".
+jpc/jpc_dec.c:468: leaked_storage: Variable "compinfos" going out of scope leaks the storage it points to.
+
+jpc/jpc_dec.c:1483: var_assign: Assigning: "cp" =  storage returned from "jas_malloc(sizeof (jpc_dec_cp_t) /*48*/)".
+jpc/jpc_dec.c:1493: leaked_storage: Variable "cp" going out of scope leaks the storage it points to.
+jpc/jpc_dec.c:1497: leaked_storage: Variable "cp" going out of scope leaks the storage it points to.
+
+mif/mif_cod.c:523: var_assign: Assigning: "cmpt" =  storage returned from "mif_cmpt_create()".
+mif/mif_cod.c:568: leaked_storage: Variable "cmpt" going out of scope leaks the storage it points to.
+
+mif/mif_cod.c:568: leaked_storage: Variable "tvp" going out of scope leaks the storage it points to.
+
+
+diff -up jasper-1.900.1/src/appl/imgcmp.c.RESOURCE_LEAK jasper-1.900.1/src/appl/imgcmp.c
+--- jasper-1.900.1/src/appl/imgcmp.c.RESOURCE_LEAK	2007-01-19 22:43:08.000000000 +0100
++++ jasper-1.900.1/src/appl/imgcmp.c	2011-12-08 14:16:04.727027007 +0100
+@@ -507,6 +507,7 @@ jas_image_t *makediffimage(jas_matrix_t
+ 
+ 	for (i = 0; i < 3; ++i) {
+ 		if (!(diffdata[i] = jas_matrix_create(height, width))) {
++			jas_image_destroy(diffimage);
+ 			fprintf(stderr, "internal error\n");
+ 			return 0;
+ 		}
+@@ -534,6 +535,7 @@ jas_image_t *makediffimage(jas_matrix_t
+ 
+ 	for (i = 0; i < 3; ++i) {
+ 		if (jas_image_writecmpt(diffimage, i, 0, 0, width, height, diffdata[i])) {
++			jas_image_destroy(diffimage);
+ 			return 0;
+ 		}
+ 	}
+diff -up jasper-1.900.1/src/libjasper/base/jas_cm.c.RESOURCE_LEAK jasper-1.900.1/src/libjasper/base/jas_cm.c
+--- jasper-1.900.1/src/libjasper/base/jas_cm.c.RESOURCE_LEAK	2011-12-08 14:16:03.387043758 +0100
++++ jasper-1.900.1/src/libjasper/base/jas_cm.c	2011-12-08 14:16:04.728026994 +0100
+@@ -355,6 +355,8 @@ jas_cmprof_t *jas_cmprof_copy(jas_cmprof
+ 	}
+ 	return newprof;
+ error:
++	if (newprof)
++		jas_cmprof_destroy(newprof);
+ 	return 0;
+ }
+ 
+@@ -458,6 +460,8 @@ jas_cmxform_t *jas_cmxform_create(jas_cm
+ 	}
+ 	return xform;
+ error:
++	if (xform)
++		jas_cmxform_destroy(xform);
+ 	return 0;
+ }
+ 
+@@ -614,6 +618,8 @@ static jas_cmpxformseq_t *jas_cmpxformse
+ 		goto error;
+ 	return newpxformseq;
+ error:
++	if (newpxformseq)
++		jas_cmpxformseq_destroy(newpxformseq);
+ 	return 0;
+ }
+ 
+diff -up jasper-1.900.1/src/libjasper/base/jas_image.c.RESOURCE_LEAK jasper-1.900.1/src/libjasper/base/jas_image.c
+--- jasper-1.900.1/src/libjasper/base/jas_image.c.RESOURCE_LEAK	2011-12-08 14:16:04.635028156 +0100
++++ jasper-1.900.1/src/libjasper/base/jas_image.c	2011-12-08 14:16:04.776026394 +0100
+@@ -268,15 +268,19 @@ static jas_image_cmpt_t *jas_image_cmpt_
+ 	newcmpt->cps_ = cmpt->cps_;
+ 	newcmpt->type_ = cmpt->type_;
+ 	if (!(newcmpt->stream_ = jas_stream_memopen(0, 0))) {
++		jas_image_cmpt_destroy(newcmpt);
+ 		return 0;
+ 	}
+ 	if (jas_stream_seek(cmpt->stream_, 0, SEEK_SET)) {
++		jas_image_cmpt_destroy(newcmpt);
+ 		return 0;
+ 	}
+ 	if (jas_stream_copy(newcmpt->stream_, cmpt->stream_, -1)) {
++		jas_image_cmpt_destroy(newcmpt);
+ 		return 0;
+ 	}
+ 	if (jas_stream_seek(newcmpt->stream_, 0, SEEK_SET)) {
++		jas_image_cmpt_destroy(newcmpt);
+ 		return 0;
+ 	}
+ 	return newcmpt;
+@@ -1443,5 +1447,11 @@ jas_image_dump(outimage, stderr);
+ #endif
+ 	return outimage;
+ error:
++	if (xform)
++		jas_cmxform_destroy(xform);
++	if (inimage)
++		jas_image_destroy(inimage);
++	if (outimage)
++		jas_image_destroy(outimage);
+ 	return 0;
+ }
+diff -up jasper-1.900.1/src/libjasper/bmp/bmp_enc.c.RESOURCE_LEAK jasper-1.900.1/src/libjasper/bmp/bmp_enc.c
+--- jasper-1.900.1/src/libjasper/bmp/bmp_enc.c.RESOURCE_LEAK	2007-01-19 22:43:07.000000000 +0100
++++ jasper-1.900.1/src/libjasper/bmp/bmp_enc.c	2011-12-08 14:16:04.826025768 +0100
+@@ -205,16 +205,19 @@ int bmp_encode(jas_image_t *image, jas_s
+ 
+ 	/* Write the bitmap header. */
+ 	if (bmp_puthdr(out, &hdr)) {
++		bmp_info_destroy(info);
+ 		return -1;
+ 	}
+ 
+ 	/* Write the bitmap information. */
+ 	if (bmp_putinfo(out, info)) {
++		bmp_info_destroy(info);
+ 		return -1;
+ 	}
+ 
+ 	/* Write the bitmap data. */
+ 	if (bmp_putdata(out, info, image, enc->cmpts)) {
++		bmp_info_destroy(info);
+ 		return -1;
+ 	}
+ 
+diff -up jasper-1.900.1/src/libjasper/jpc/jpc_dec.c.RESOURCE_LEAK jasper-1.900.1/src/libjasper/jpc/jpc_dec.c
+--- jasper-1.900.1/src/libjasper/jpc/jpc_dec.c.RESOURCE_LEAK	2011-12-08 14:16:04.594028668 +0100
++++ jasper-1.900.1/src/libjasper/jpc/jpc_dec.c	2011-12-08 14:17:25.677014992 +0100
+@@ -465,6 +465,7 @@ static int jpc_dec_process_sot(jpc_dec_t
+ 
+ 		if (!(dec->image = jas_image_create(dec->numcomps, compinfos,
+ 		  JAS_CLRSPC_UNKNOWN))) {
++			jas_free(compinfos);
+ 			return -1;
+ 		}
+ 		jas_free(compinfos);
+@@ -1490,10 +1491,11 @@ static jpc_dec_cp_t *jpc_dec_cp_create(u
+ 	cp->mctid = 0;
+ 	cp->csty = 0;
+ 	if (!(cp->ccps = jas_alloc2(cp->numcomps, sizeof(jpc_dec_ccp_t)))) {
++		jpc_dec_cp_destroy(cp);
+ 		return 0;
+ 	}
+ 	if (!(cp->pchglist = jpc_pchglist_create())) {
+-		jas_free(cp->ccps);
++		jpc_dec_cp_destroy(cp);
+ 		return 0;
+ 	}
+ 	for (compno = 0, ccp = cp->ccps; compno < cp->numcomps;
+diff -up jasper-1.900.1/src/libjasper/jpc/jpc_tagtree.c.RESOURCE_LEAK jasper-1.900.1/src/libjasper/jpc/jpc_tagtree.c
+--- jasper-1.900.1/src/libjasper/jpc/jpc_tagtree.c.RESOURCE_LEAK	2011-12-08 14:16:04.000000000 +0100
++++ jasper-1.900.1/src/libjasper/jpc/jpc_tagtree.c	2011-12-08 14:17:55.905637082 +0100
+@@ -126,6 +126,7 @@ jpc_tagtree_t *jpc_tagtree_create(int nu
+ 	} while (n > 1);
+ 
+ 	if (!(tree->nodes_ = jas_alloc2(tree->numnodes_, sizeof(jpc_tagtreenode_t)))) {
++		jpc_tagtree_destroy(tree);
+ 		return 0;
+ 	}
+ 
+diff -up jasper-1.900.1/src/libjasper/mif/mif_cod.c.RESOURCE_LEAK jasper-1.900.1/src/libjasper/mif/mif_cod.c
+--- jasper-1.900.1/src/libjasper/mif/mif_cod.c.RESOURCE_LEAK	2011-12-08 14:16:04.250032970 +0100
++++ jasper-1.900.1/src/libjasper/mif/mif_cod.c	2011-12-08 14:16:04.967024005 +0100
+@@ -564,7 +564,7 @@ static int mif_process_cmpt(mif_hdr_t *h
+ 			break;
+ 		case MIF_DATA:
+ 			if (!(cmpt->data = jas_strdup(jas_tvparser_getval(tvp)))) {
+-				return -1;
++				goto error;
+ 			}
+ 			break;
+ 		}
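Review bot: In the `jpc_dec_cp_create` hunk of jpc_dec.c, the new `jpc_dec_cp_destroy(cp)` on the `cp->ccps` allocation failure runs before `cp->pchglist` has been assigned, since that field is first set two lines later. The Coverity report at the top of this patch shows `cp` comes from `jas_malloc`, so unless the lines above the hunk zero the field, the destructor would read an uninitialised pointer and, if it releases `pchglist`, free a garbage address. Setting `cp->pchglist = 0;` next to `cp->csty = 0;` would make both new cleanup calls safe. The rest of the function and `jpc_dec_cp_destroy` itself lie outside the hunk, so this should be confirmed against the full file. The same question applies to the `jpc_tagtree_destroy(tree)` and `jas_image_cmpt_destroy(newcmpt)` calls added on paths where `nodes_` or `stream_` is still null.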
diff --git a/SOURCES/jasper-1.900.1-Coverity-UNREACHABLE.patch b/SOURCES/jasper-1.900.1-Coverity-UNREACHABLE.patch
new file mode 100644
index 0000000..3cae294
--- /dev/null
+++ b/SOURCES/jasper-1.900.1-Coverity-UNREACHABLE.patch
@@ -0,0 +1,37 @@
+Error: UNREACHABLE
+jp2/jp2_cod.c:304: unreachable: This code cannot be reached: "abort();".
+
+jp2/jp2_cod.c:514: unreachable: This code cannot be reached: "abort();".
+
+jp2/jp2_enc.c:354: unreachable: This code cannot be reached: "abort();".
+
+diff -up jasper-1.900.1/src/libjasper/jp2/jp2_cod.c.unreachable jasper-1.900.1/src/libjasper/jp2/jp2_cod.c
+--- jasper-1.900.1/src/libjasper/jp2/jp2_cod.c.unreachable	2007-01-19 22:43:05.000000000 +0100
++++ jasper-1.900.1/src/libjasper/jp2/jp2_cod.c	2011-06-27 15:28:13.083137952 +0200
+@@ -301,7 +301,6 @@ jp2_box_t *jp2_box_get(jas_stream_t *in)
+ 	}
+ 
+ 	return box;
+-	abort();
+ 
+ error:
+ 	if (box) {
+@@ -511,7 +510,6 @@ int jp2_box_put(jp2_box_t *box, jas_stre
+ 	}
+ 
+ 	return 0;
+-	abort();
+ 
+ error:
+ 
+diff -up jasper-1.900.1/src/libjasper/jp2/jp2_enc.c.unreachable jasper-1.900.1/src/libjasper/jp2/jp2_enc.c
+--- jasper-1.900.1/src/libjasper/jp2/jp2_enc.c.unreachable	2007-01-19 22:43:05.000000000 +0100
++++ jasper-1.900.1/src/libjasper/jp2/jp2_enc.c	2011-06-27 15:27:58.858353979 +0200
+@@ -351,7 +351,6 @@ int sgnd;
+ 	}
+ 
+ 	return 0;
+-	abort();
+ 
+ error:
+ 
diff --git a/SOURCES/jasper-1.900.1-Coverity-UNUSED_VALUE.patch b/SOURCES/jasper-1.900.1-Coverity-UNUSED_VALUE.patch
new file mode 100644
index 0000000..e7d4cb5
--- /dev/null
+++ b/SOURCES/jasper-1.900.1-Coverity-UNUSED_VALUE.patch
@@ -0,0 +1,41 @@
+Error: UNUSED_VALUE
+base/jas_icc.c:328: returned_pointer: Pointer "attrvalinfo" returned by "jas_iccattrvalinfo_lookup(type)" is never used.
+
+jpc/jpc_enc.c:788: returned_pointer: Pointer "cp" returned by "strchr(s, 66)" is never used.
+
+diff -up jasper-1.900.1/src/libjasper/base/jas_icc.c.unused_value jasper-1.900.1/src/libjasper/base/jas_icc.c
+--- jasper-1.900.1/src/libjasper/base/jas_icc.c.unused_value	2007-01-19 22:43:05.000000000 +0100
++++ jasper-1.900.1/src/libjasper/base/jas_icc.c	2011-06-27 15:35:52.815263000 +0200
+@@ -266,7 +266,6 @@ jas_iccprof_t *jas_iccprof_load(jas_stre
+ 	jas_iccattrval_t *attrval;
+ 	jas_iccattrval_t *prevattrval;
+ 	jas_icctagtabent_t *tagtabent;
+-	jas_iccattrvalinfo_t *attrvalinfo;
+ 	int i;
+ 	int len;
+ 
+@@ -325,7 +324,7 @@ jas_iccprof_t *jas_iccprof_load(jas_stre
+ 			goto error;
+ 		}
+ 		curoff += 8;
+-		if (!(attrvalinfo = jas_iccattrvalinfo_lookup(type))) {
++		if (!jas_iccattrvalinfo_lookup(type)) {
+ #if 0
+ 			jas_eprintf("warning: skipping unknown tag type\n");
+ #endif
+diff -up jasper-1.900.1/src/libjasper/jpc/jpc_enc.c.unused_value jasper-1.900.1/src/libjasper/jpc/jpc_enc.c
+--- jasper-1.900.1/src/libjasper/jpc/jpc_enc.c.unused_value	2007-01-19 22:43:07.000000000 +0100
++++ jasper-1.900.1/src/libjasper/jpc/jpc_enc.c	2011-06-27 15:36:17.437900180 +0200
+@@ -781,11 +781,10 @@ void jpc_enc_cp_destroy(jpc_enc_cp_t *cp
+ 
+ int ratestrtosize(char *s, uint_fast32_t rawsize, uint_fast32_t *size)
+ {
+-	char *cp;
+ 	jpc_flt_t f;
+ 
+ 	/* Note: This function must not modify output size on failure. */
+-	if ((cp = strchr(s, 'B'))) {
++	if (strchr(s, 'B')) {
+ 		*size = atoi(s);
+ 	} else {
+ 		f = atof(s);
diff --git a/SOURCES/jasper-1.900.1-define-SIZE-MAX.patch b/SOURCES/jasper-1.900.1-define-SIZE-MAX.patch
new file mode 100644
index 0000000..88671bb
--- /dev/null
+++ b/SOURCES/jasper-1.900.1-define-SIZE-MAX.patch
@@ -0,0 +1,13 @@
+diff -urNp old/src/libjasper/include/jasper/jas_math.h new/src/libjasper/include/jasper/jas_math.h
+--- old/src/libjasper/include/jasper/jas_math.h	2017-05-31 08:25:50.832055034 +0200
++++ new/src/libjasper/include/jasper/jas_math.h	2017-05-31 08:27:47.975407832 +0200
+@@ -86,6 +86,9 @@
+ 
+ #ifdef __cplusplus
+ extern "C" {
++#ifndef SIZE_MAX
++#define SIZE_MAX ((size_t) - 1)
++#endif
+ #endif
+ 
+ /******************************************************************************\
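Review bot: The `SIZE_MAX` fallback is placed after `extern "C" {`, inside the `#ifdef __cplusplus` block, so only C++ translation units ever see it. If that is deliberate (older C++ toolchains can hide the `<stdint.h>` limit macros), a comment such as `/* C++ builds may not get SIZE_MAX from <stdint.h> */` would record the reason. If it is meant as a general fallback for the `jas_safe_size_*` helpers, the three lines should sit above `#ifdef __cplusplus` so that C builds get them too. Writing the value as `((size_t)-1)` reads more clearly than `((size_t) - 1)`, which looks like a subtraction.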
diff --git a/SOURCES/jasper-CVE-2014-8137.patch b/SOURCES/jasper-CVE-2014-8137.patch
new file mode 100644
index 0000000..9600cd3
--- /dev/null
+++ b/SOURCES/jasper-CVE-2014-8137.patch
@@ -0,0 +1,57 @@
+--- jasper-1.900.1.orig/src/libjasper/base/jas_icc.c	2014-12-11 14:06:44.000000000 +0100
++++ jasper-1.900.1/src/libjasper/base/jas_icc.c	2014-12-11 15:16:37.971272386 +0100
+@@ -1009,7 +1009,6 @@ static int jas_icccurv_input(jas_iccattr
+ 	return 0;
+ 
+ error:
+-	jas_icccurv_destroy(attrval);
+ 	return -1;
+ }
+ 
+@@ -1127,7 +1126,6 @@ static int jas_icctxtdesc_input(jas_icca
+ #endif
+ 	return 0;
+ error:
+-	jas_icctxtdesc_destroy(attrval);
+ 	return -1;
+ }
+ 
+@@ -1206,8 +1204,6 @@ static int jas_icctxt_input(jas_iccattrv
+ 		goto error;
+ 	return 0;
+ error:
+-	if (txt->string)
+-		jas_free(txt->string);
+ 	return -1;
+ }
+ 
+@@ -1328,7 +1324,6 @@ static int jas_icclut8_input(jas_iccattr
+ 		goto error;
+ 	return 0;
+ error:
+-	jas_icclut8_destroy(attrval);
+ 	return -1;
+ }
+ 
+@@ -1497,7 +1492,6 @@ static int jas_icclut16_input(jas_iccatt
+ 		goto error;
+ 	return 0;
+ error:
+-	jas_icclut16_destroy(attrval);
+ 	return -1;
+ }
+ 
+--- jasper-1.900.1.orig/src/libjasper/jp2/jp2_dec.c	2014-12-11 14:30:54.193209780 +0100
++++ jasper-1.900.1/src/libjasper/jp2/jp2_dec.c	2014-12-11 14:36:46.313217814 +0100
+@@ -291,7 +291,10 @@ jas_image_t *jp2_decode(jas_stream_t *in
+ 	case JP2_COLR_ICC:
+ 		iccprof = jas_iccprof_createfrombuf(dec->colr->data.colr.iccp,
+ 		  dec->colr->data.colr.iccplen);
+-		assert(iccprof);
++		if (!iccprof) {
++			jas_eprintf("error: failed to parse ICC profile\n");
++			goto error;
++		}
+ 		jas_iccprof_gethdr(iccprof, &icchdr);
+ 		jas_eprintf("ICC Profile CS %08x\n", icchdr.colorspc);
+ 		jas_image_setclrspc(dec->image, fromiccpcs(icchdr.colorspc));
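Review bot: The five ICC `*_input` functions in jas_icc.c now return -1 without releasing anything, but nothing in the patch states who frees the partially filled `attrval` afterwards. The removals only prevent a double free if the caller destroys the attribute value on failure, and that caller is outside these hunks, so it is worth confirming and recording, for example with `/* attrval is left for the caller to destroy on error */` at each `error:` label. In `jas_icctxt_input` this also means `txt->string` may still be allocated on return, so the caller's destroy path must cover it. The `jp2_decode` change needs no further work: an `assert` is compiled out under NDEBUG, so the explicit check is what stops a profile that failed to parse from reaching `jas_iccprof_gethdr` as a null pointer.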
diff --git a/SOURCES/jasper-CVE-2014-8138.patch b/SOURCES/jasper-CVE-2014-8138.patch
new file mode 100644
index 0000000..5aaf8ab
--- /dev/null
+++ b/SOURCES/jasper-CVE-2014-8138.patch
@@ -0,0 +1,14 @@
+--- jasper-1.900.1.orig/src/libjasper/jp2/jp2_dec.c	2014-12-11 14:06:44.000000000 +0100
++++ jasper-1.900.1/src/libjasper/jp2/jp2_dec.c	2014-12-11 14:06:26.000000000 +0100
+@@ -386,6 +386,11 @@ jas_image_t *jp2_decode(jas_stream_t *in
+ 	/* Determine the type of each component. */
+ 	if (dec->cdef) {
+ 		for (i = 0; i < dec->numchans; ++i) {
++			/* Is the channel number reasonable? */
++			if (dec->cdef->data.cdef.ents[i].channo >= dec->numchans) {
++				jas_eprintf("error: invalid channel number in CDEF box\n");
++				goto error;
++			}
+ 			jas_image_setcmpttype(dec->image,
+ 			  dec->chantocmptlut[dec->cdef->data.cdef.ents[i].channo],
+ 			  jp2_getct(jas_image_clrspc(dec->image),
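Review bot: The new check bounds `channo` before it indexes `chantocmptlut`, but the loop still runs `i` up to `dec->numchans` while reading `dec->cdef->data.cdef.ents[i]`. If the CDEF box declares fewer entries than the image has channels, `ents[i]` is read past the end of that array before the new test is reached; whether an earlier consistency check rules this out is not visible in the hunk. Bounding the loop by the box's own entry count, `for (i = 0; i < dec->cdef->data.cdef.numchans; ++i)`, would close that gap. The loop body continues outside the hunk.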
diff --git a/SOURCES/jasper-CVE-2014-8157.patch b/SOURCES/jasper-CVE-2014-8157.patch
new file mode 100644
index 0000000..ebfc1b2
--- /dev/null
+++ b/SOURCES/jasper-CVE-2014-8157.patch
@@ -0,0 +1,12 @@
+diff -up jasper-1.900.1/src/libjasper/jpc/jpc_dec.c.CVE-2014-8157 jasper-1.900.1/src/libjasper/jpc/jpc_dec.c
+--- jasper-1.900.1/src/libjasper/jpc/jpc_dec.c.CVE-2014-8157	2015-01-19 16:59:36.000000000 +0100
++++ jasper-1.900.1/src/libjasper/jpc/jpc_dec.c	2015-01-19 17:07:41.609863268 +0100
+@@ -489,7 +489,7 @@ static int jpc_dec_process_sot(jpc_dec_t
+ 		dec->curtileendoff = 0;
+ 	}
+ 
+-	if (JAS_CAST(int, sot->tileno) > dec->numtiles) {
++	if (JAS_CAST(int, sot->tileno) >= dec->numtiles) {
+ 		jas_eprintf("invalid tile number in SOT marker segment\n");
+ 		return -1;
+ 	}
diff --git a/SOURCES/jasper-CVE-2014-8158.patch b/SOURCES/jasper-CVE-2014-8158.patch
new file mode 100644
index 0000000..ce9e4b4
--- /dev/null
+++ b/SOURCES/jasper-CVE-2014-8158.patch
@@ -0,0 +1,329 @@
+diff -up jasper-1.900.1/src/libjasper/jpc/jpc_qmfb.c.CVE-2014-8158 jasper-1.900.1/src/libjasper/jpc/jpc_qmfb.c
+--- jasper-1.900.1/src/libjasper/jpc/jpc_qmfb.c.CVE-2014-8158	2015-01-19 17:25:28.730195502 +0100
++++ jasper-1.900.1/src/libjasper/jpc/jpc_qmfb.c	2015-01-19 17:27:20.214663127 +0100
+@@ -306,11 +306,7 @@ void jpc_qmfb_split_row(jpc_fix_t *a, in
+ {
+ 
+ 	int bufsize = JPC_CEILDIVPOW2(numcols, 1);
+-#if !defined(HAVE_VLA)
+ 	jpc_fix_t splitbuf[QMFB_SPLITBUFSIZE];
+-#else
+-	jpc_fix_t splitbuf[bufsize];
+-#endif
+ 	jpc_fix_t *buf = splitbuf;
+ 	register jpc_fix_t *srcptr;
+ 	register jpc_fix_t *dstptr;
+@@ -318,7 +314,6 @@ void jpc_qmfb_split_row(jpc_fix_t *a, in
+ 	register int m;
+ 	int hstartcol;
+ 
+-#if !defined(HAVE_VLA)
+ 	/* Get a buffer. */
+ 	if (bufsize > QMFB_SPLITBUFSIZE) {
+ 		if (!(buf = jas_alloc2(bufsize, sizeof(jpc_fix_t)))) {
+@@ -326,7 +321,6 @@ void jpc_qmfb_split_row(jpc_fix_t *a, in
+ 			abort();
+ 		}
+ 	}
+-#endif
+ 
+ 	if (numcols >= 2) {
+ 		hstartcol = (numcols + 1 - parity) >> 1;
+@@ -360,12 +354,10 @@ void jpc_qmfb_split_row(jpc_fix_t *a, in
+ 		}
+ 	}
+ 
+-#if !defined(HAVE_VLA)
+ 	/* If the split buffer was allocated on the heap, free this memory. */
+ 	if (buf != splitbuf) {
+ 		jas_free(buf);
+ 	}
+-#endif
+ 
+ }
+ 
+@@ -374,11 +366,7 @@ void jpc_qmfb_split_col(jpc_fix_t *a, in
+ {
+ 
+ 	int bufsize = JPC_CEILDIVPOW2(numrows, 1);
+-#if !defined(HAVE_VLA)
+ 	jpc_fix_t splitbuf[QMFB_SPLITBUFSIZE];
+-#else
+-	jpc_fix_t splitbuf[bufsize];
+-#endif
+ 	jpc_fix_t *buf = splitbuf;
+ 	register jpc_fix_t *srcptr;
+ 	register jpc_fix_t *dstptr;
+@@ -386,7 +374,6 @@ void jpc_qmfb_split_col(jpc_fix_t *a, in
+ 	register int m;
+ 	int hstartcol;
+ 
+-#if !defined(HAVE_VLA)
+ 	/* Get a buffer. */
+ 	if (bufsize > QMFB_SPLITBUFSIZE) {
+ 		if (!(buf = jas_alloc2(bufsize, sizeof(jpc_fix_t)))) {
+@@ -394,7 +381,6 @@ void jpc_qmfb_split_col(jpc_fix_t *a, in
+ 			abort();
+ 		}
+ 	}
+-#endif
+ 
+ 	if (numrows >= 2) {
+ 		hstartcol = (numrows + 1 - parity) >> 1;
+@@ -428,12 +414,10 @@ void jpc_qmfb_split_col(jpc_fix_t *a, in
+ 		}
+ 	}
+ 
+-#if !defined(HAVE_VLA)
+ 	/* If the split buffer was allocated on the heap, free this memory. */
+ 	if (buf != splitbuf) {
+ 		jas_free(buf);
+ 	}
+-#endif
+ 
+ }
+ 
+@@ -442,11 +426,7 @@ void jpc_qmfb_split_colgrp(jpc_fix_t *a,
+ {
+ 
+ 	int bufsize = JPC_CEILDIVPOW2(numrows, 1);
+-#if !defined(HAVE_VLA)
+ 	jpc_fix_t splitbuf[QMFB_SPLITBUFSIZE * JPC_QMFB_COLGRPSIZE];
+-#else
+-	jpc_fix_t splitbuf[bufsize * JPC_QMFB_COLGRPSIZE];
+-#endif
+ 	jpc_fix_t *buf = splitbuf;
+ 	jpc_fix_t *srcptr;
+ 	jpc_fix_t *dstptr;
+@@ -457,7 +437,6 @@ void jpc_qmfb_split_colgrp(jpc_fix_t *a,
+ 	int m;
+ 	int hstartcol;
+ 
+-#if !defined(HAVE_VLA)
+ 	/* Get a buffer. */
+ 	if (bufsize > QMFB_SPLITBUFSIZE) {
+ 		if (!(buf = jas_alloc2(bufsize, sizeof(jpc_fix_t)))) {
+@@ -465,7 +444,6 @@ void jpc_qmfb_split_colgrp(jpc_fix_t *a,
+ 			abort();
+ 		}
+ 	}
+-#endif
+ 
+ 	if (numrows >= 2) {
+ 		hstartcol = (numrows + 1 - parity) >> 1;
+@@ -517,12 +495,10 @@ void jpc_qmfb_split_colgrp(jpc_fix_t *a,
+ 		}
+ 	}
+ 
+-#if !defined(HAVE_VLA)
+ 	/* If the split buffer was allocated on the heap, free this memory. */
+ 	if (buf != splitbuf) {
+ 		jas_free(buf);
+ 	}
+-#endif
+ 
+ }
+ 
+@@ -531,11 +507,7 @@ void jpc_qmfb_split_colres(jpc_fix_t *a,
+ {
+ 
+ 	int bufsize = JPC_CEILDIVPOW2(numrows, 1);
+-#if !defined(HAVE_VLA)
+ 	jpc_fix_t splitbuf[QMFB_SPLITBUFSIZE * JPC_QMFB_COLGRPSIZE];
+-#else
+-	jpc_fix_t splitbuf[bufsize * numcols];
+-#endif
+ 	jpc_fix_t *buf = splitbuf;
+ 	jpc_fix_t *srcptr;
+ 	jpc_fix_t *dstptr;
+@@ -546,7 +518,6 @@ void jpc_qmfb_split_colres(jpc_fix_t *a,
+ 	int m;
+ 	int hstartcol;
+ 
+-#if !defined(HAVE_VLA)
+ 	/* Get a buffer. */
+ 	if (bufsize > QMFB_SPLITBUFSIZE) {
+ 		if (!(buf = jas_alloc2(bufsize, sizeof(jpc_fix_t)))) {
+@@ -554,7 +525,6 @@ void jpc_qmfb_split_colres(jpc_fix_t *a,
+ 			abort();
+ 		}
+ 	}
+-#endif
+ 
+ 	if (numrows >= 2) {
+ 		hstartcol = (numrows + 1 - parity) >> 1;
+@@ -606,12 +576,10 @@ void jpc_qmfb_split_colres(jpc_fix_t *a,
+ 		}
+ 	}
+ 
+-#if !defined(HAVE_VLA)
+ 	/* If the split buffer was allocated on the heap, free this memory. */
+ 	if (buf != splitbuf) {
+ 		jas_free(buf);
+ 	}
+-#endif
+ 
+ }
+ 
+@@ -619,18 +587,13 @@ void jpc_qmfb_join_row(jpc_fix_t *a, int
+ {
+ 
+ 	int bufsize = JPC_CEILDIVPOW2(numcols, 1);
+-#if !defined(HAVE_VLA)
+ 	jpc_fix_t joinbuf[QMFB_JOINBUFSIZE];
+-#else
+-	jpc_fix_t joinbuf[bufsize];
+-#endif
+ 	jpc_fix_t *buf = joinbuf;
+ 	register jpc_fix_t *srcptr;
+ 	register jpc_fix_t *dstptr;
+ 	register int n;
+ 	int hstartcol;
+ 
+-#if !defined(HAVE_VLA)
+ 	/* Allocate memory for the join buffer from the heap. */
+ 	if (bufsize > QMFB_JOINBUFSIZE) {
+ 		if (!(buf = jas_alloc2(bufsize, sizeof(jpc_fix_t)))) {
+@@ -638,7 +601,6 @@ void jpc_qmfb_join_row(jpc_fix_t *a, int
+ 			abort();
+ 		}
+ 	}
+-#endif
+ 
+ 	hstartcol = (numcols + 1 - parity) >> 1;
+ 
+@@ -670,12 +632,10 @@ void jpc_qmfb_join_row(jpc_fix_t *a, int
+ 		++srcptr;
+ 	}
+ 
+-#if !defined(HAVE_VLA)
+ 	/* If the join buffer was allocated on the heap, free this memory. */
+ 	if (buf != joinbuf) {
+ 		jas_free(buf);
+ 	}
+-#endif
+ 
+ }
+ 
+@@ -684,18 +644,13 @@ void jpc_qmfb_join_col(jpc_fix_t *a, int
+ {
+ 
+ 	int bufsize = JPC_CEILDIVPOW2(numrows, 1);
+-#if !defined(HAVE_VLA)
+ 	jpc_fix_t joinbuf[QMFB_JOINBUFSIZE];
+-#else
+-	jpc_fix_t joinbuf[bufsize];
+-#endif
+ 	jpc_fix_t *buf = joinbuf;
+ 	register jpc_fix_t *srcptr;
+ 	register jpc_fix_t *dstptr;
+ 	register int n;
+ 	int hstartcol;
+ 
+-#if !defined(HAVE_VLA)
+ 	/* Allocate memory for the join buffer from the heap. */
+ 	if (bufsize > QMFB_JOINBUFSIZE) {
+ 		if (!(buf = jas_alloc2(bufsize, sizeof(jpc_fix_t)))) {
+@@ -703,7 +658,6 @@ void jpc_qmfb_join_col(jpc_fix_t *a, int
+ 			abort();
+ 		}
+ 	}
+-#endif
+ 
+ 	hstartcol = (numrows + 1 - parity) >> 1;
+ 
+@@ -735,12 +689,10 @@ void jpc_qmfb_join_col(jpc_fix_t *a, int
+ 		++srcptr;
+ 	}
+ 
+-#if !defined(HAVE_VLA)
+ 	/* If the join buffer was allocated on the heap, free this memory. */
+ 	if (buf != joinbuf) {
+ 		jas_free(buf);
+ 	}
+-#endif
+ 
+ }
+ 
+@@ -749,11 +701,7 @@ void jpc_qmfb_join_colgrp(jpc_fix_t *a,
+ {
+ 
+ 	int bufsize = JPC_CEILDIVPOW2(numrows, 1);
+-#if !defined(HAVE_VLA)
+ 	jpc_fix_t joinbuf[QMFB_JOINBUFSIZE * JPC_QMFB_COLGRPSIZE];
+-#else
+-	jpc_fix_t joinbuf[bufsize * JPC_QMFB_COLGRPSIZE];
+-#endif
+ 	jpc_fix_t *buf = joinbuf;
+ 	jpc_fix_t *srcptr;
+ 	jpc_fix_t *dstptr;
+@@ -763,7 +711,6 @@ void jpc_qmfb_join_colgrp(jpc_fix_t *a,
+ 	register int i;
+ 	int hstartcol;
+ 
+-#if !defined(HAVE_VLA)
+ 	/* Allocate memory for the join buffer from the heap. */
+ 	if (bufsize > QMFB_JOINBUFSIZE) {
+ 		if (!(buf = jas_alloc2(bufsize, JPC_QMFB_COLGRPSIZE * sizeof(jpc_fix_t)))) {
+@@ -771,7 +718,6 @@ void jpc_qmfb_join_colgrp(jpc_fix_t *a,
+ 			abort();
+ 		}
+ 	}
+-#endif
+ 
+ 	hstartcol = (numrows + 1 - parity) >> 1;
+ 
+@@ -821,12 +767,10 @@ void jpc_qmfb_join_colgrp(jpc_fix_t *a,
+ 		srcptr += JPC_QMFB_COLGRPSIZE;
+ 	}
+ 
+-#if !defined(HAVE_VLA)
+ 	/* If the join buffer was allocated on the heap, free this memory. */
+ 	if (buf != joinbuf) {
+ 		jas_free(buf);
+ 	}
+-#endif
+ 
+ }
+ 
+@@ -835,11 +779,7 @@ void jpc_qmfb_join_colres(jpc_fix_t *a,
+ {
+ 
+ 	int bufsize = JPC_CEILDIVPOW2(numrows, 1);
+-#if !defined(HAVE_VLA)
+ 	jpc_fix_t joinbuf[QMFB_JOINBUFSIZE * JPC_QMFB_COLGRPSIZE];
+-#else
+-	jpc_fix_t joinbuf[bufsize * numcols];
+-#endif
+ 	jpc_fix_t *buf = joinbuf;
+ 	jpc_fix_t *srcptr;
+ 	jpc_fix_t *dstptr;
+@@ -849,7 +789,6 @@ void jpc_qmfb_join_colres(jpc_fix_t *a,
+ 	register int i;
+ 	int hstartcol;
+ 
+-#if !defined(HAVE_VLA)
+ 	/* Allocate memory for the join buffer from the heap. */
+ 	if (bufsize > QMFB_JOINBUFSIZE) {
+ 		if (!(buf = jas_alloc3(bufsize, numcols, sizeof(jpc_fix_t)))) {
+@@ -857,7 +796,6 @@ void jpc_qmfb_join_colres(jpc_fix_t *a,
+ 			abort();
+ 		}
+ 	}
+-#endif
+ 
+ 	hstartcol = (numrows + 1 - parity) >> 1;
+ 
+@@ -907,12 +845,10 @@ void jpc_qmfb_join_colres(jpc_fix_t *a,
+ 		srcptr += numcols;
+ 	}
+ 
+-#if !defined(HAVE_VLA)
+ 	/* If the join buffer was allocated on the heap, free this memory. */
+ 	if (buf != joinbuf) {
+ 		jas_free(buf);
+ 	}
+-#endif
+ 
+ }
+ 
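Review bot: With the VLA branch removed, `jpc_qmfb_split_colgrp` and `jpc_qmfb_split_colres` keep a stack buffer of `QMFB_SPLITBUFSIZE * JPC_QMFB_COLGRPSIZE` elements but a heap fallback of only `bufsize` elements, `jas_alloc2(bufsize, sizeof(jpc_fix_t))`. The join counterparts scale the heap request by the column count (`jas_alloc2(bufsize, JPC_QMFB_COLGRPSIZE * sizeof(jpc_fix_t))` and `jas_alloc3(bufsize, numcols, sizeof(jpc_fix_t))`), so the split versions look undersized for tall inputs and could be written past their end. The matching calls would be `jas_alloc3(bufsize, JPC_QMFB_COLGRPSIZE, sizeof(jpc_fix_t))` in `split_colgrp` and `jas_alloc3(bufsize, numcols, sizeof(jpc_fix_t))` in `split_colres`. In the two `colres` functions the fixed array also replaces a VLA sized by `numcols`, so it is only large enough if callers never pass more than `JPC_QMFB_COLGRPSIZE` columns. The copy loops are outside the hunks, so both points need checking against the full functions.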
diff --git a/SOURCES/jasper-CVE-2014-9029.patch b/SOURCES/jasper-CVE-2014-9029.patch
new file mode 100644
index 0000000..98a2035
--- /dev/null
+++ b/SOURCES/jasper-CVE-2014-9029.patch
@@ -0,0 +1,29 @@
+--- jasper-1.900.1.orig/src/libjasper/jpc/jpc_dec.c	2014-11-27 12:45:44.000000000 +0100
++++ jasper-1.900.1/src/libjasper/jpc/jpc_dec.c	2014-11-27 12:44:58.000000000 +0100
+@@ -1281,7 +1281,7 @@ static int jpc_dec_process_coc(jpc_dec_t
+ 	jpc_coc_t *coc = &ms->parms.coc;
+ 	jpc_dec_tile_t *tile;
+ 
+-	if (JAS_CAST(int, coc->compno) > dec->numcomps) {
++	if (JAS_CAST(int, coc->compno) >= dec->numcomps) {
+ 		jas_eprintf("invalid component number in COC marker segment\n");
+ 		return -1;
+ 	}
+@@ -1307,7 +1307,7 @@ static int jpc_dec_process_rgn(jpc_dec_t
+ 	jpc_rgn_t *rgn = &ms->parms.rgn;
+ 	jpc_dec_tile_t *tile;
+ 
+-	if (JAS_CAST(int, rgn->compno) > dec->numcomps) {
++	if (JAS_CAST(int, rgn->compno) >= dec->numcomps) {
+ 		jas_eprintf("invalid component number in RGN marker segment\n");
+ 		return -1;
+ 	}
+@@ -1356,7 +1356,7 @@ static int jpc_dec_process_qcc(jpc_dec_t
+ 	jpc_qcc_t *qcc = &ms->parms.qcc;
+ 	jpc_dec_tile_t *tile;
+ 
+-	if (JAS_CAST(int, qcc->compno) > dec->numcomps) {
++	if (JAS_CAST(int, qcc->compno) >= dec->numcomps) {
+ 		jas_eprintf("invalid component number in QCC marker segment\n");
+ 		return -1;
+ 	}
diff --git a/SOURCES/jasper-CVE-2015-5203-CVE-2016-9262.patch b/SOURCES/jasper-CVE-2015-5203-CVE-2016-9262.patch
new file mode 100644
index 0000000..bae613d
--- /dev/null
+++ b/SOURCES/jasper-CVE-2015-5203-CVE-2016-9262.patch
@@ -0,0 +1,164 @@
+Backport of the upstream commit:
+
+From b35a05635e56f554870ce85f64293a3868793f69 Mon Sep 17 00:00:00 2001
+From: Michael Adams <mdadams@ece.uvic.ca>
+Date: Wed, 19 Oct 2016 08:42:25 -0700
+Subject: [PATCH] Fixed potential integer overflow problem.
+
+Further enhanced by a change from d42b2388f7f8e0332c846675133acea151fc557a to
+use jas_safe_size_mul3() and an explicit check to ensure that size not only
+fits into size_t, but that it also does not exceed INT_MAX.  This is similar
+approach to what upstream used in a712a2041085e7cd5f2b153e1532ac2a2954ffaa.
+
+This also adds all jas_safe_size_*() functions, including changes from the
+following upstream commits:
+
+f596a0766825b48cdc07b28d2051977a382cfb95
+65536647d380571d1a9a6c91fa03775fb5bbd256
+3afacc174867cc9d1f74ef2683bc780de4b0b2df
+d42b2388f7f8e0332c846675133acea151fc557a
+
+diff -pruN jasper-1.900.1.orig/src/libjasper/base/jas_image.c jasper-1.900.1/src/libjasper/base/jas_image.c
+--- jasper-1.900.1.orig/src/libjasper/base/jas_image.c	2017-03-24 16:09:34.000000000 +0100
++++ jasper-1.900.1/src/libjasper/base/jas_image.c	2017-03-24 22:28:46.620880896 +0100
+@@ -76,6 +76,7 @@
+ #include <string.h>
+ #include <assert.h>
+ #include <ctype.h>
++#include <limits.h>
+ 
+ #include "jasper/jas_math.h"
+ #include "jasper/jas_image.h"
+@@ -307,10 +308,10 @@ static jas_image_cmpt_t *jas_image_cmpt_
+   height, uint_fast16_t depth, bool sgnd, uint_fast32_t inmem)
+ {
+ 	jas_image_cmpt_t *cmpt;
+-	long size;
++	size_t size;
+ 
+ 	if (!(cmpt = jas_malloc(sizeof(jas_image_cmpt_t)))) {
+-		return 0;
++		goto error;
+ 	}
+ 
+ 	cmpt->type_ = JAS_IMAGE_CT_UNKNOWN;
+@@ -325,11 +326,14 @@ static jas_image_cmpt_t *jas_image_cmpt_
+ 	cmpt->stream_ = 0;
+ 	cmpt->cps_ = (depth + 7) / 8;
+ 
+-	size = cmpt->width_ * cmpt->height_ * cmpt->cps_;
++	//size = cmpt->width_ * cmpt->height_ * cmpt->cps_;
++	if (!jas_safe_size_mul3(cmpt->width_, cmpt->height_, cmpt->cps_, &size) ||
++		size > INT_MAX) {
++		goto error;
++	}
+ 	cmpt->stream_ = (inmem) ? jas_stream_memopen(0, size) : jas_stream_tmpfile();
+ 	if (!cmpt->stream_) {
+-		jas_image_cmpt_destroy(cmpt);
+-		return 0;
++		goto error;
+ 	}
+ 
+ 	/* Zero the component data.  This isn't necessary, but it is
+@@ -337,11 +341,16 @@ static jas_image_cmpt_t *jas_image_cmpt_
+ 	if (jas_stream_seek(cmpt->stream_, size - 1, SEEK_SET) < 0 ||
+ 	  jas_stream_putc(cmpt->stream_, 0) == EOF ||
+ 	  jas_stream_seek(cmpt->stream_, 0, SEEK_SET) < 0) {
+-		jas_image_cmpt_destroy(cmpt);
+-		return 0;
++		goto error;
+ 	}
+ 
+ 	return cmpt;
++
++error:
++	if (cmpt) {
++		jas_image_cmpt_destroy(cmpt);
++	}
++	return 0;
+ }
+ 
+ static void jas_image_cmpt_destroy(jas_image_cmpt_t *cmpt)
+diff -pruN jasper-1.900.1.orig/src/libjasper/include/jasper/jas_math.h jasper-1.900.1/src/libjasper/include/jasper/jas_math.h
+--- jasper-1.900.1.orig/src/libjasper/include/jasper/jas_math.h	2007-01-19 22:43:04.000000000 +0100
++++ jasper-1.900.1/src/libjasper/include/jasper/jas_math.h	2017-03-24 22:29:36.085024105 +0100
+@@ -76,9 +76,13 @@
+ 
+ #include <jasper/jas_config.h>
+ 
+-#include	<assert.h>
+-#include	<stdio.h>
+-#include	<string.h>
++#include <jasper/jas_types.h>
++
++#include <assert.h>
++#include <stdio.h>
++#include <string.h>
++#include <stdbool.h>
++#include <stdint.h>
+ 
+ #ifdef __cplusplus
+ extern "C" {
+@@ -110,6 +114,62 @@ extern "C" {
+ #define	JAS_ONES(n) \
+   ((1 << (n)) - 1)
+ 
++/******************************************************************************\
++* Safe integer arithmetic (i.e., with overflow checking).
++\******************************************************************************/
++
++/* Compute the product of two size_t integers with overflow checking. */
++inline static bool jas_safe_size_mul(size_t x, size_t y, size_t *result)
++{
++	/* Check if overflow would occur */
++	if (x && y > SIZE_MAX / x) {
++		/* Overflow would occur. */
++		return false;
++	}
++	if (result) {
++		*result = x * y;
++	}
++	return true;
++}
++
++inline static bool jas_safe_size_mul3(size_t a, size_t b, size_t c,
++  size_t *result)
++{
++	size_t tmp;
++	if (!jas_safe_size_mul(a, b, &tmp) ||
++	  !jas_safe_size_mul(tmp, c, &tmp)) {
++		return false;
++	}
++	if (result) {
++		*result = tmp;
++	}
++	return true;
++}
++
++/* Compute the sum of two size_t integer with overflow checking. */
++inline static bool jas_safe_size_add(size_t x, size_t y, size_t *result)
++{
++	if (y > SIZE_MAX - x) {
++		return false;
++	}
++	if (result) {
++		*result = x + y;
++	}
++	return true;
++}
++
++/* Compute the difference of two size_t integer with overflow checking. */
++inline static bool jas_safe_size_sub(size_t x, size_t y, size_t *result)
++{
++	if (y > x) {
++		return false;
++	}
++	if (result) {
++		*result = x - y;
++	}
++	return true;
++}
++
+ #ifdef __cplusplus
+ }
+ #endif
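Review bot: In `jas_image_cmpt_create`, `size` is now an unsigned `size_t`, so for a component with zero width or height the expression `size - 1` passed to `jas_stream_seek` wraps to `SIZE_MAX` instead of being -1. The offset the seek then receives depends on an implementation-defined conversion, so the outcome for an empty component is no longer well defined. Either reject `size == 0` explicitly beside the `size > INT_MAX` test, or skip the zero-fill step with `if (size > 0)` around the seek/putc/seek sequence, depending on whether empty components are meant to be accepted. The commented-out `//size = ...` line left above the `jas_safe_size_mul3` call can be dropped. The start of the function is outside the hunk.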
diff --git a/SOURCES/jasper-CVE-2015-5221.patch b/SOURCES/jasper-CVE-2015-5221.patch
new file mode 100644
index 0000000..a7372a9
--- /dev/null
+++ b/SOURCES/jasper-CVE-2015-5221.patch
@@ -0,0 +1,25 @@
+Backport of upstream commit:
+
+From df5d2867e8004e51e18b89865bc4aa69229227b3 Mon Sep 17 00:00:00 2001
+From: Richard Hughes <richard@hughsie.com>
+Date: Mon, 19 Sep 2016 10:03:36 +0100
+Subject: [PATCH] CVE-2015-5221
+
+diff -pruN jasper-1.900.1.orig/src/libjasper/mif/mif_cod.c jasper-1.900.1/src/libjasper/mif/mif_cod.c
+--- jasper-1.900.1.orig/src/libjasper/mif/mif_cod.c	2017-03-23 22:50:09.000000000 +0100
++++ jasper-1.900.1/src/libjasper/mif/mif_cod.c	2017-03-24 11:57:19.000000000 +0100
+@@ -569,13 +569,13 @@ static int mif_process_cmpt(mif_hdr_t *h
+ 			break;
+ 		}
+ 	}
+-	jas_tvparser_destroy(tvp);
+ 	if (!cmpt->sampperx || !cmpt->samppery) {
+ 		goto error;
+ 	}
+ 	if (mif_hdr_addcmpt(hdr, hdr->numcmpts, cmpt)) {
+ 		goto error;
+ 	}
++	jas_tvparser_destroy(tvp);
+ 	return 0;
+ 
+ error:
diff --git a/SOURCES/jasper-CVE-2016-10248.patch b/SOURCES/jasper-CVE-2016-10248.patch
new file mode 100644
index 0000000..586403f
--- /dev/null
+++ b/SOURCES/jasper-CVE-2016-10248.patch
@@ -0,0 +1,98 @@
+Backport of the upstream commit:
+
+From 2e82fa00466ae525339754bb3ab0a0474a31d4bd Mon Sep 17 00:00:00 2001
+From: Michael Adams <mdadams@ece.uvic.ca>
+Date: Wed, 19 Oct 2016 17:57:40 -0700
+Subject: [PATCH] Fixed an integral type promotion problem by adding a
+ JAS_CAST. Modified the jpc_tsfb_synthesize function so that it will be a noop
+ for an empty sequence (in order to avoid dereferencing a null pointer).
+
+diff -pruN jasper-1.900.1.orig/src/libjasper/include/jasper/jas_math.h jasper-1.900.1/src/libjasper/include/jasper/jas_math.h
+--- jasper-1.900.1.orig/src/libjasper/include/jasper/jas_math.h	2017-03-31 14:08:18.000000000 +0200
++++ jasper-1.900.1/src/libjasper/include/jasper/jas_math.h	2017-03-31 14:09:06.000000000 +0200
+@@ -115,6 +115,24 @@ extern "C" {
+   ((1 << (n)) - 1)
+ 
+ /******************************************************************************\
++*
++\******************************************************************************/
++
++__attribute__((no_sanitize("undefined")))
++inline static jas_int_asr(int x, int n)
++{
++	assert(n >= 0);
++	return x >> n;
++}
++
++__attribute__((no_sanitize("undefined")))
++inline static jas_int_asl(int x, int n)
++{
++	assert(n >= 0);
++	return x << n;
++}
++
++/******************************************************************************\
+ * Safe integer arithmetic (i.e., with overflow checking).
+ \******************************************************************************/
+ 
+diff -pruN jasper-1.900.1.orig/src/libjasper/include/jasper/jas_seq.h jasper-1.900.1/src/libjasper/include/jasper/jas_seq.h
+--- jasper-1.900.1.orig/src/libjasper/include/jasper/jas_seq.h	2007-01-19 22:43:04.000000000 +0100
++++ jasper-1.900.1/src/libjasper/include/jasper/jas_seq.h	2017-03-31 14:09:06.000000000 +0200
+@@ -154,6 +154,9 @@ typedef jas_matrix_t jas_seq_t;
+ #define jas_matrix_numcols(matrix) \
+ 	((matrix)->numcols_)
+ 
++#define jas_matrix_size(matrix) \
++	(jas_matrix_width(matrix) * jas_matrix_height(matrix))
++
+ /* Get a matrix element. */
+ #define jas_matrix_get(matrix, i, j) \
+ 	((matrix)->rows_[i][j])
+@@ -269,6 +272,8 @@ jas_matrix_t *jas_seq2d_create(int xstar
+ 	((s)->xstart_ = (x), (s)->ystart_ = (y), \
+ 	  (s)->xend_ = (s)->xstart_ + (s)->numcols_, \
+ 	  (s)->yend_ = (s)->ystart_ + (s)->numrows_)
++#define jas_seq2d_size(s) \
++	(jas_seq2d_width(s) * jas_seq2d_height(s))
+ 
+ void jas_seq2d_bindsub(jas_matrix_t *s, jas_matrix_t *s1, int xstart,
+   int ystart, int xend, int yend);
+diff -pruN jasper-1.900.1.orig/src/libjasper/jpc/jpc_dec.c jasper-1.900.1/src/libjasper/jpc/jpc_dec.c
+--- jasper-1.900.1.orig/src/libjasper/jpc/jpc_dec.c	2017-03-31 14:08:18.000000000 +0200
++++ jasper-1.900.1/src/libjasper/jpc/jpc_dec.c	2017-03-31 14:09:06.000000000 +0200
+@@ -1805,6 +1805,13 @@ static void jpc_undo_roi(jas_matrix_t *x
+ 	bool warn;
+ 	uint_fast32_t mask;
+ 
++	if (roishift < 0) {
++		/* We could instead return an error here. */
++		/* I do not think it matters much. */
++		jas_eprintf("warning: forcing negative ROI shift to zero "
++		  "(bitstream is probably corrupt)\n");
++		roishift = 0;
++	}
+ 	if (roishift == 0 && bgshift == 0) {
+ 		return;
+ 	}
+@@ -1823,7 +1830,7 @@ static void jpc_undo_roi(jas_matrix_t *x
+ 			} else {
+ 				/* We are dealing with non-ROI (i.e., background) data. */
+ 				mag <<= bgshift;
+-				mask = (1 << numbps) - 1;
++				mask = (JAS_CAST(uint_fast32_t, 1) << numbps) - 1;
+ 				/* Perform a basic sanity check on the sample value. */
+ 				/* Some implementations write garbage in the unused
+ 				  most-significant bit planes introduced by ROI shifting.
+diff -pruN jasper-1.900.1.orig/src/libjasper/jpc/jpc_tsfb.c jasper-1.900.1/src/libjasper/jpc/jpc_tsfb.c
+--- jasper-1.900.1.orig/src/libjasper/jpc/jpc_tsfb.c	2007-01-19 22:43:07.000000000 +0100
++++ jasper-1.900.1/src/libjasper/jpc/jpc_tsfb.c	2017-03-31 14:09:06.000000000 +0200
+@@ -148,7 +148,8 @@ int jpc_tsfb_analyze2(jpc_tsfb_t *tsfb,
+ 
+ int jpc_tsfb_synthesize(jpc_tsfb_t *tsfb, jas_seq2d_t *a)
+ {
+-	return (tsfb->numlvls > 0) ? jpc_tsfb_synthesize2(tsfb,
++	return (tsfb->numlvls > 0 && jas_seq2d_size(a)) ?
++	  jpc_tsfb_synthesize2(tsfb,
+ 	  jas_seq2d_getref(a, jas_seq2d_xstart(a), jas_seq2d_ystart(a)),
+ 	  jas_seq2d_xstart(a), jas_seq2d_ystart(a), jas_seq2d_width(a),
+ 	  jas_seq2d_height(a), jas_seq2d_rowstep(a), tsfb->numlvls - 1) : 0;
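Review bot: `jas_int_asr` and `jas_int_asl` in the jas_math.h hunk are defined without a return type (`inline static jas_int_asr(int x, int n)`), which relies on implicit int; that was removed in C99 and newer compilers treat it as an error. Spell it out as `inline static int jas_int_asr(int x, int n)` and likewise for `jas_int_asl`. The unguarded `__attribute__((no_sanitize("undefined")))` only silences the sanitizer: a left shift that overflows or has a negative operand is still undefined, and `assert(n >= 0)` disappears under NDEBUG. The banner comment above the two helpers is empty and could say what they are for.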
diff --git a/SOURCES/jasper-CVE-2016-10249.patch b/SOURCES/jasper-CVE-2016-10249.patch
new file mode 100644
index 0000000..0c18d84
--- /dev/null
+++ b/SOURCES/jasper-CVE-2016-10249.patch
@@ -0,0 +1,78 @@
+Backport of the upstream commit:
+
+From 988f8365f7d8ad8073b6786e433d34c553ecf568 Mon Sep 17 00:00:00 2001
+From: Michael Adams <mdadams@ece.uvic.ca>
+Date: Sat, 22 Oct 2016 14:36:49 -0700
+Subject: [PATCH] Fixed an integer overflow problem.
+
+Further enhanced by an explicit check to ensure that size not only fits into
+size_t, but that it also does not exceed INT_FAST32_MAX (the type of
+matrix->datasize_).  This is similar approach to what upstream used in
+a712a2041085e7cd5f2b153e1532ac2a2954ffaa.
+
+diff -pruN jasper-1.900.1.orig/src/libjasper/base/jas_seq.c jasper-1.900.1/src/libjasper/base/jas_seq.c
+--- jasper-1.900.1.orig/src/libjasper/base/jas_seq.c	2017-03-31 15:02:01.000000000 +0200
++++ jasper-1.900.1/src/libjasper/base/jas_seq.c	2017-03-31 15:41:17.527623038 +0200
+@@ -101,13 +101,16 @@ jas_matrix_t *jas_matrix_create(int numr
+ {
+ 	jas_matrix_t *matrix;
+ 	int i;
++	size_t size;
++
++	matrix = 0;
+ 
+ 	if (numrows < 0 || numcols < 0) {
+-		return 0;
++		goto error;
+ 	}
+ 
+ 	if (!(matrix = jas_malloc(sizeof(jas_matrix_t)))) {
+-		return 0;
++		goto error;
+ 	}
+ 	matrix->flags_ = 0;
+ 	matrix->numrows_ = numrows;
+@@ -115,21 +118,25 @@ jas_matrix_t *jas_matrix_create(int numr
+ 	matrix->rows_ = 0;
+ 	matrix->maxrows_ = numrows;
+ 	matrix->data_ = 0;
+-	matrix->datasize_ = numrows * numcols;
++	matrix->datasize_ = 0;
++
++	// matrix->datasize_ = numrows * numcols;
++	if (!jas_safe_size_mul(numrows, numcols, &size) || size > INT_FAST32_MAX) {
++		goto error;
++	}
++	matrix->datasize_ = size;
+ 
+ 	if (matrix->maxrows_ > 0) {
+ 		if (!(matrix->rows_ = jas_alloc2(matrix->maxrows_,
+ 		  sizeof(jas_seqent_t *)))) {
+-			jas_matrix_destroy(matrix);
+-			return 0;
++			goto error;
+ 		}
+ 	}
+ 
+ 	if (matrix->datasize_ > 0) {
+ 		if (!(matrix->data_ = jas_alloc2(matrix->datasize_,
+ 		  sizeof(jas_seqent_t)))) {
+-			jas_matrix_destroy(matrix);
+-			return 0;
++			goto error;
+ 		}
+ 	}
+ 
+@@ -147,6 +154,12 @@ jas_matrix_t *jas_matrix_create(int numr
+ 	matrix->yend_ = matrix->numrows_;
+ 
+ 	return matrix;
++
++error:
++	if (matrix) {
++		jas_matrix_destroy(matrix);
++	}
++	return 0;
+ }
+ 
+ void jas_matrix_destroy(jas_matrix_t *matrix)
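Review bot: The old assignment is left behind as a commented-out line (`// matrix->datasize_ = numrows * numcols;`) in the second jas_seq.c hunk; replace it with a comment that says why the product is now checked, e.g. `/* Compute numrows * numcols with overflow checking; the result must also fit datasize_. */`. The new `error:` path calls jas_matrix_destroy() on a matrix whose `rows_` and `data_` may still be 0. That function's body is outside the hunk, so its tolerance of null members should be confirmed.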
diff --git a/SOURCES/jasper-CVE-2016-10251.patch b/SOURCES/jasper-CVE-2016-10251.patch
new file mode 100644
index 0000000..fd9977b
--- /dev/null
+++ b/SOURCES/jasper-CVE-2016-10251.patch
@@ -0,0 +1,102 @@
+From 1f0dfe5a42911b6880a1445f13f6d615ddb55387 Mon Sep 17 00:00:00 2001
+From: Michael Adams <mdadams@ece.uvic.ca>
+Date: Fri, 4 Nov 2016 07:20:23 -0700
+Subject: [PATCH] Fixed an integer overflow problem in the JPC codec that later
+ resulted in the use of uninitialized data.
+
+---
+ src/libjasper/jpc/jpc_t2cod.c | 20 ++++++++++----------
+ src/libjasper/jpc/jpc_t2cod.h | 20 ++++++++++----------
+ 2 files changed, 20 insertions(+), 20 deletions(-)
+
+diff --git a/src/libjasper/jpc/jpc_t2cod.c b/src/libjasper/jpc/jpc_t2cod.c
+index 08315dd..174442a 100644
+--- a/src/libjasper/jpc/jpc_t2cod.c
++++ b/src/libjasper/jpc/jpc_t2cod.c
+@@ -432,18 +432,18 @@ static int jpc_pi_nextcprl(register jpc_pi_t *pi)
+ 	  &pi->picomps[pi->compno]; pi->compno < JAS_CAST(int, pchg->compnoend) && pi->compno < pi->numcomps; ++pi->compno,
+ 	  ++pi->picomp) {
+ 		pirlvl = pi->picomp->pirlvls;
+-		pi->xstep = pi->picomp->hsamp * (1 << (pirlvl->prcwidthexpn +
+-		  pi->picomp->numrlvls - 1));
+-		pi->ystep = pi->picomp->vsamp * (1 << (pirlvl->prcheightexpn +
+-		  pi->picomp->numrlvls - 1));
++		pi->xstep = pi->picomp->hsamp * (JAS_CAST(uint_fast32_t, 1) <<
++		  (pirlvl->prcwidthexpn + pi->picomp->numrlvls - 1));
++		pi->ystep = pi->picomp->vsamp * (JAS_CAST(uint_fast32_t, 1) <<
++		  (pirlvl->prcheightexpn + pi->picomp->numrlvls - 1));
+ 		for (rlvlno = 1, pirlvl = &pi->picomp->pirlvls[1];
+ 		  rlvlno < pi->picomp->numrlvls; ++rlvlno, ++pirlvl) {
+-			pi->xstep = JAS_MIN(pi->xstep, pi->picomp->hsamp * (1 <<
+-			  (pirlvl->prcwidthexpn + pi->picomp->numrlvls -
+-			  rlvlno - 1)));
+-			pi->ystep = JAS_MIN(pi->ystep, pi->picomp->vsamp * (1 <<
+-			  (pirlvl->prcheightexpn + pi->picomp->numrlvls -
+-			  rlvlno - 1)));
++			pi->xstep = JAS_MIN(pi->xstep, pi->picomp->hsamp *
++			  (JAS_CAST(uint_fast32_t, 1) << (pirlvl->prcwidthexpn +
++			  pi->picomp->numrlvls - rlvlno - 1)));
++			pi->ystep = JAS_MIN(pi->ystep, pi->picomp->vsamp *
++			  (JAS_CAST(uint_fast32_t, 1) << (pirlvl->prcheightexpn +
++			  pi->picomp->numrlvls - rlvlno - 1)));
+ 		}
+ 		for (pi->y = pi->ystart; pi->y < pi->yend;
+ 		  pi->y += pi->ystep - (pi->y % pi->ystep)) {
+diff --git a/src/libjasper/jpc/jpc_t2cod.h b/src/libjasper/jpc/jpc_t2cod.h
+index 0a176c9..690e031 100644
+--- a/src/libjasper/jpc/jpc_t2cod.h
++++ b/src/libjasper/jpc/jpc_t2cod.h
+@@ -129,10 +129,10 @@ typedef struct {
+ 	jpc_pirlvl_t *pirlvls;
+ 
+ 	/* The horizontal sampling period. */
+-	int hsamp;
++	uint_fast32_t hsamp;
+ 
+ 	/* The vertical sampling period. */
+-	int vsamp;
++	uint_fast32_t vsamp;
+ 
+ } jpc_picomp_t;
+ 
+@@ -171,32 +171,32 @@ typedef struct {
+ 	int lyrno;
+ 
+ 	/* The x-coordinate of the current position. */
+-	int x;
++	uint_fast32_t x;
+ 
+ 	/* The y-coordinate of the current position. */
+-	int y;
++	uint_fast32_t y;
+ 
+ 	/* The horizontal step size. */
+-	int xstep;
++	uint_fast32_t xstep;
+ 
+ 	/* The vertical step size. */
+-	int ystep;
++	uint_fast32_t ystep;
+ 
+ 	/* The x-coordinate of the top-left corner of the tile on the reference
+ 	  grid. */
+-	int xstart;
++	uint_fast32_t xstart;
+ 
+ 	/* The y-coordinate of the top-left corner of the tile on the reference
+ 	  grid. */
+-	int ystart;
++	uint_fast32_t ystart;
+ 
+ 	/* The x-coordinate of the bottom-right corner of the tile on the
+ 	  reference grid (plus one). */
+-	int xend;
++	uint_fast32_t xend;
+ 
+ 	/* The y-coordinate of the bottom-right corner of the tile on the
+ 	  reference grid (plus one). */
+-	int yend;
++	uint_fast32_t yend;
+ 
+ 	/* The current progression change. */
+ 	jpc_pchg_t *pchg;
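Review bot: The shift count in `JAS_CAST(uint_fast32_t, 1) << (pirlvl->prcwidthexpn + pi->picomp->numrlvls - 1)` is not bounded anywhere in the jpc_t2cod.c hunk, so the cast only widens the type; a count at or above the width of uint_fast32_t is still undefined. The unsigned product with `hsamp`/`vsamp` can also wrap to 0, and `pi->y % pi->ystep` a few lines below would then divide by zero. A guard before the first shift that rejects an exponent sum at or above the bit width of uint_fast32_t, plus a check that `pi->xstep` and `pi->ystep` are non-zero before the `%`, would close both; the shifts inside the inner `rlvlno` loop need the same bound. jpc_pi_nextcprl starts and ends outside the hunk, so whether the exponents are range-checked earlier, and which error value callers expect, should be confirmed.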
diff --git a/SOURCES/jasper-CVE-2016-1577.patch b/SOURCES/jasper-CVE-2016-1577.patch
new file mode 100644
index 0000000..67e347a
--- /dev/null
+++ b/SOURCES/jasper-CVE-2016-1577.patch
@@ -0,0 +1,18 @@
+Bacport of the upstream commit:
+
+From 74ea22a7a4fe186e0a0124df25e19739b77c4a29 Mon Sep 17 00:00:00 2001
+From: Richard Hughes <richard@hughsie.com>
+Date: Mon, 19 Sep 2016 10:03:36 +0100
+Subject: [PATCH] CVE-2016-1577
+
+diff -pruN jasper-1.900.1.orig/src/libjasper/base/jas_icc.c jasper-1.900.1/src/libjasper/base/jas_icc.c
+--- jasper-1.900.1.orig/src/libjasper/base/jas_icc.c	2017-03-24 13:58:54.000000000 +0100
++++ jasper-1.900.1/src/libjasper/base/jas_icc.c	2017-03-24 13:59:12.000000000 +0100
+@@ -299,6 +299,7 @@ jas_iccprof_t *jas_iccprof_load(jas_stre
+ 				if (jas_iccprof_setattr(prof, tagtabent->tag, attrval))
+ 					goto error;
+ 				jas_iccattrval_destroy(attrval);
++				attrval = 0;
+ 			} else {
+ #if 0
+ 				jas_eprintf("warning: skipping unknown tag type\n");
diff --git a/SOURCES/jasper-CVE-2016-1867.patch b/SOURCES/jasper-CVE-2016-1867.patch
new file mode 100644
index 0000000..7b3f6af
--- /dev/null
+++ b/SOURCES/jasper-CVE-2016-1867.patch
@@ -0,0 +1,22 @@
+From 980da43d8d388a67cac505e734423b2a5aa4cede Mon Sep 17 00:00:00 2001
+From: Richard Hughes <richard@hughsie.com>
+Date: Mon, 19 Sep 2016 10:03:36 +0100
+Subject: [PATCH] CVE-2016-1867
+
+---
+ src/libjasper/jpc/jpc_t2cod.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/libjasper/jpc/jpc_t2cod.c b/src/libjasper/jpc/jpc_t2cod.c
+index e734900..b80d332 100644
+--- a/src/libjasper/jpc/jpc_t2cod.c
++++ b/src/libjasper/jpc/jpc_t2cod.c
+@@ -429,7 +429,7 @@ static int jpc_pi_nextcprl(register jpc_pi_t *pi)
+ 	}
+ 
+ 	for (pi->compno = pchg->compnostart, pi->picomp =
+-	  &pi->picomps[pi->compno]; pi->compno < JAS_CAST(int, pchg->compnoend); ++pi->compno,
++	  &pi->picomps[pi->compno]; pi->compno < JAS_CAST(int, pchg->compnoend) && pi->compno < pi->numcomps; ++pi->compno,
+ 	  ++pi->picomp) {
+ 		pirlvl = pi->picomp->pirlvls;
+ 		pi->xstep = pi->picomp->hsamp * (1 << (pirlvl->prcwidthexpn +
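Review bot: The added `pi->compno < pi->numcomps` test runs only in the loop condition, after the initializer has already formed `&pi->picomps[pi->compno]` from `pchg->compnostart`. If `compnostart` is larger than `numcomps`, that pointer is computed out of range even though the loop never dereferences it. Rejecting or clamping `pchg->compnostart` before the loop avoids this, and the condition line is now long enough to be worth splitting. The loop body continues outside the hunk, and whether the other progression iterators in jpc_t2cod.c need the same bound is not visible here.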
diff --git a/SOURCES/jasper-CVE-2016-2089.patch b/SOURCES/jasper-CVE-2016-2089.patch
new file mode 100644
index 0000000..d265c36
--- /dev/null
+++ b/SOURCES/jasper-CVE-2016-2089.patch
@@ -0,0 +1,157 @@
+Backport of the upstream commit:
+
+From c87ad330a8b8d6e5eb0065675601fdfae08ebaab Mon Sep 17 00:00:00 2001
+From: Michael Adams <mdadams@ece.uvic.ca>
+Date: Wed, 12 Oct 2016 11:37:33 -0700
+Subject: [PATCH] Added fix for CVE-2016-2089.
+
+diff -pruN jasper-1.900.1.orig/src/libjasper/base/jas_image.c jasper-1.900.1/src/libjasper/base/jas_image.c
+--- jasper-1.900.1.orig/src/libjasper/base/jas_image.c	2017-03-24 22:40:10.000000000 +0100
++++ jasper-1.900.1/src/libjasper/base/jas_image.c	2017-03-24 22:40:51.000000000 +0100
+@@ -442,6 +442,10 @@ int jas_image_readcmpt(jas_image_t *imag
+ 		return -1;
+ 	}
+ 
++	if (!jas_matrix_numrows(data) || !jas_matrix_numcols(data)) {
++		return -1;
++	}
++
+ 	if (jas_matrix_numrows(data) != height || jas_matrix_numcols(data) != width) {
+ 		if (jas_matrix_resize(data, height, width)) {
+ 			return -1;
+@@ -495,6 +499,10 @@ int jas_image_writecmpt(jas_image_t *ima
+ 		return -1;
+ 	}
+ 
++	if (!jas_matrix_numrows(data) || !jas_matrix_numcols(data)) {
++		return -1;
++	}
++
+ 	if (jas_matrix_numrows(data) != height || jas_matrix_numcols(data) != width) {
+ 		return -1;
+ 	}
+diff -pruN jasper-1.900.1.orig/src/libjasper/base/jas_seq.c jasper-1.900.1/src/libjasper/base/jas_seq.c
+--- jasper-1.900.1.orig/src/libjasper/base/jas_seq.c	2017-03-24 15:26:36.000000000 +0100
++++ jasper-1.900.1/src/libjasper/base/jas_seq.c	2017-03-24 15:28:09.000000000 +0100
+@@ -266,13 +266,16 @@ void jas_matrix_divpow2(jas_matrix_t *ma
+ 	int rowstep;
+ 	jas_seqent_t *data;
+ 
+-	rowstep = jas_matrix_rowstep(matrix);
+-	for (i = matrix->numrows_, rowstart = matrix->rows_[0]; i > 0; --i,
+-	  rowstart += rowstep) {
+-		for (j = matrix->numcols_, data = rowstart; j > 0; --j,
+-		  ++data) {
+-			*data = (*data >= 0) ? ((*data) >> n) :
+-			  (-((-(*data)) >> n));
++	if (jas_matrix_numrows(matrix) > 0 && jas_matrix_numcols(matrix) > 0) {
++		assert(matrix->rows_);
++		rowstep = jas_matrix_rowstep(matrix);
++		for (i = matrix->numrows_, rowstart = matrix->rows_[0]; i > 0; --i,
++		  rowstart += rowstep) {
++			for (j = matrix->numcols_, data = rowstart; j > 0; --j,
++			  ++data) {
++				*data = (*data >= 0) ? ((*data) >> n) :
++				  (-((-(*data)) >> n));
++			}
+ 		}
+ 	}
+ }
+@@ -286,17 +289,20 @@ void jas_matrix_clip(jas_matrix_t *matri
+ 	jas_seqent_t *data;
+ 	int rowstep;
+ 
+-	rowstep = jas_matrix_rowstep(matrix);
+-	for (i = matrix->numrows_, rowstart = matrix->rows_[0]; i > 0; --i,
+-	  rowstart += rowstep) {
+-		data = rowstart;
+-		for (j = matrix->numcols_, data = rowstart; j > 0; --j,
+-		  ++data) {
+-			v = *data;
+-			if (v < minval) {
+-				*data = minval;
+-			} else if (v > maxval) {
+-				*data = maxval;
++	if (jas_matrix_numrows(matrix) > 0 && jas_matrix_numcols(matrix) > 0) {
++		assert(matrix->rows_);
++		rowstep = jas_matrix_rowstep(matrix);
++		for (i = matrix->numrows_, rowstart = matrix->rows_[0]; i > 0; --i,
++		  rowstart += rowstep) {
++			data = rowstart;
++			for (j = matrix->numcols_, data = rowstart; j > 0; --j,
++			  ++data) {
++				v = *data;
++				if (v < minval) {
++					*data = minval;
++				} else if (v > maxval) {
++					*data = maxval;
++				}
+ 			}
+ 		}
+ 	}
+@@ -311,12 +317,15 @@ void jas_matrix_asr(jas_matrix_t *matrix
+ 	jas_seqent_t *data;
+ 
+ 	assert(n >= 0);
+-	rowstep = jas_matrix_rowstep(matrix);
+-	for (i = matrix->numrows_, rowstart = matrix->rows_[0]; i > 0; --i,
+-	  rowstart += rowstep) {
+-		for (j = matrix->numcols_, data = rowstart; j > 0; --j,
+-		  ++data) {
+-			*data >>= n;
++	if (jas_matrix_numrows(matrix) > 0 && jas_matrix_numcols(matrix) > 0) {
++		assert(matrix->rows_);
++		rowstep = jas_matrix_rowstep(matrix);
++		for (i = matrix->numrows_, rowstart = matrix->rows_[0]; i > 0; --i,
++		  rowstart += rowstep) {
++			for (j = matrix->numcols_, data = rowstart; j > 0; --j,
++			  ++data) {
++				*data >>= n;
++			}
+ 		}
+ 	}
+ }
+@@ -329,12 +338,15 @@ void jas_matrix_asl(jas_matrix_t *matrix
+ 	int rowstep;
+ 	jas_seqent_t *data;
+ 
+-	rowstep = jas_matrix_rowstep(matrix);
+-	for (i = matrix->numrows_, rowstart = matrix->rows_[0]; i > 0; --i,
+-	  rowstart += rowstep) {
+-		for (j = matrix->numcols_, data = rowstart; j > 0; --j,
+-		  ++data) {
+-			*data <<= n;
++	if (jas_matrix_numrows(matrix) > 0 && jas_matrix_numcols(matrix) > 0) {
++		assert(matrix->rows_);
++		rowstep = jas_matrix_rowstep(matrix);
++		for (i = matrix->numrows_, rowstart = matrix->rows_[0]; i > 0; --i,
++		  rowstart += rowstep) {
++			for (j = matrix->numcols_, data = rowstart; j > 0; --j,
++			  ++data) {
++				*data <<= n;
++			}
+ 		}
+ 	}
+ }
+@@ -371,12 +383,15 @@ void jas_matrix_setall(jas_matrix_t *mat
+ 	int rowstep;
+ 	jas_seqent_t *data;
+ 
+-	rowstep = jas_matrix_rowstep(matrix);
+-	for (i = matrix->numrows_, rowstart = matrix->rows_[0]; i > 0; --i,
+-	  rowstart += rowstep) {
+-		for (j = matrix->numcols_, data = rowstart; j > 0; --j,
+-		  ++data) {
+-			*data = val;
++	if (jas_matrix_numrows(matrix) > 0 && jas_matrix_numcols(matrix) > 0) {
++		assert(matrix->rows_);
++		rowstep = jas_matrix_rowstep(matrix);
++		for (i = matrix->numrows_, rowstart = matrix->rows_[0]; i > 0; --i,
++		  rowstart += rowstep) {
++			for (j = matrix->numcols_, data = rowstart; j > 0; --j,
++			  ++data) {
++				*data = val;
++			}
+ 		}
+ 	}
+ }
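Review bot: `assert(matrix->rows_)` is the only check between a non-empty matrix with a null row table and the `matrix->rows_[0]` read on the following lines, and it compiles away under NDEBUG. Folding it into the guard keeps the protection in release builds: `if (jas_matrix_numrows(matrix) > 0 && jas_matrix_numcols(matrix) > 0 && matrix->rows_) {`. The same pattern is repeated in jas_matrix_divpow2, jas_matrix_clip, jas_matrix_asr, jas_matrix_asl and jas_matrix_setall. jas_matrix_asl also shifts by `n` without the `assert(n >= 0)` that jas_matrix_asr has in the same position.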
diff --git a/SOURCES/jasper-CVE-2016-2116.patch b/SOURCES/jasper-CVE-2016-2116.patch
new file mode 100644
index 0000000..5b1ba6e
--- /dev/null
+++ b/SOURCES/jasper-CVE-2016-2116.patch
@@ -0,0 +1,19 @@
+Backport of the upstream commit:
+
+From 142245b9bbb33274a7c620aa7a8f85bc00b2d68e Mon Sep 17 00:00:00 2001
+From: Richard Hughes <richard@hughsie.com>
+Date: Mon, 19 Sep 2016 10:03:36 +0100
+Subject: [PATCH] CVE-2016-2116
+
+diff -pruN jasper-1.900.1.orig/src/libjasper/base/jas_icc.c jasper-1.900.1/src/libjasper/base/jas_icc.c
+--- jasper-1.900.1.orig/src/libjasper/base/jas_icc.c	2017-03-24 14:06:15.000000000 +0100
++++ jasper-1.900.1/src/libjasper/base/jas_icc.c	2017-03-24 14:06:34.000000000 +0100
+@@ -1692,6 +1692,8 @@ jas_iccprof_t *jas_iccprof_createfrombuf
+ 	jas_stream_close(in);
+ 	return prof;
+ error:
++	if (in)
++		jas_stream_close(in);
+ 	return 0;
+ }
+ 
diff --git a/SOURCES/jasper-CVE-2016-8654.patch b/SOURCES/jasper-CVE-2016-8654.patch
new file mode 100644
index 0000000..cc8d396
--- /dev/null
+++ b/SOURCES/jasper-CVE-2016-8654.patch
@@ -0,0 +1,30 @@
+Backport of the relevant parts of the upstream commit:
+
+From 4a59cfaf9ab3d48fca4a15c0d2674bf7138e3d1a Mon Sep 17 00:00:00 2001
+From: Michael Adams <mdadams@ece.uvic.ca>
+Date: Sat, 26 Nov 2016 20:23:23 -0800
+Subject: [PATCH] Fixed a buffer overrun problem in the QMFB code in the JPC
+ codec that was caused by a buffer being allocated with a size that was too
+ small in some cases. Added a new regression test case.
+
+diff -pruN jasper-1.900.1.orig/src/libjasper/jpc/jpc_qmfb.c jasper-1.900.1/src/libjasper/jpc/jpc_qmfb.c
+--- jasper-1.900.1.orig/src/libjasper/jpc/jpc_qmfb.c	2017-03-29 14:47:26.000000000 +0200
++++ jasper-1.900.1/src/libjasper/jpc/jpc_qmfb.c	2017-03-29 16:24:55.425985016 +0200
+@@ -439,7 +439,7 @@ void jpc_qmfb_split_colgrp(jpc_fix_t *a,
+ 
+ 	/* Get a buffer. */
+ 	if (bufsize > QMFB_SPLITBUFSIZE) {
+-		if (!(buf = jas_alloc2(bufsize, sizeof(jpc_fix_t)))) {
++		if (!(buf = jas_alloc2(bufsize, JPC_QMFB_COLGRPSIZE * sizeof(jpc_fix_t)))) {
+ 			/* We have no choice but to commit suicide in this case. */
+ 			abort();
+ 		}
+@@ -520,7 +520,7 @@ void jpc_qmfb_split_colres(jpc_fix_t *a,
+ 
+ 	/* Get a buffer. */
+ 	if (bufsize > QMFB_SPLITBUFSIZE) {
+-		if (!(buf = jas_alloc2(bufsize, sizeof(jpc_fix_t)))) {
++		if (!(buf = jas_alloc3(bufsize, numcols, sizeof(jpc_fix_t)))) {
+ 			/* We have no choice but to commit suicide in this case. */
+ 			abort();
+ 		}
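Review bot: The two fixed allocations are written in different styles: jpc_qmfb_split_colgrp multiplies the element size by hand (`jas_alloc2(bufsize, JPC_QMFB_COLGRPSIZE * sizeof(jpc_fix_t))`) while jpc_qmfb_split_colres passes three factors to `jas_alloc3`. Using `jas_alloc3(bufsize, JPC_QMFB_COLGRPSIZE, sizeof(jpc_fix_t))` in the first would keep them parallel. A short comment above each allocation saying what the extra factor accounts for would record why the old size was too small. From the names it looks like a whole column group, or `numcols` columns, per buffered row, but that should be confirmed against the copy loops outside the hunk.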
diff --git a/SOURCES/jasper-CVE-2016-8690-CVE-2016-8884-CVE-2016-8885.patch b/SOURCES/jasper-CVE-2016-8690-CVE-2016-8884-CVE-2016-8885.patch
new file mode 100644
index 0000000..8f6eb31
--- /dev/null
+++ b/SOURCES/jasper-CVE-2016-8690-CVE-2016-8884-CVE-2016-8885.patch
@@ -0,0 +1,22 @@
+Backport form the upstream commit:
+
+From 5d66894d2313e3f3469f19066e149e08ff076698 Mon Sep 17 00:00:00 2001
+From: Michael Adams <mdadams@ece.uvic.ca>
+Date: Wed, 19 Oct 2016 20:13:06 -0700
+Subject: [PATCH] Fixed a problem with a null pointer dereference in the BMP
+ decoder.
+
+diff -pruN jasper-1.900.1.orig/src/libjasper/base/jas_seq.c jasper-1.900.1/src/libjasper/base/jas_seq.c
+--- jasper-1.900.1.orig/src/libjasper/base/jas_seq.c	2017-03-23 22:50:09.000000000 +0100
++++ jasper-1.900.1/src/libjasper/base/jas_seq.c	2017-03-23 23:01:30.000000000 +0100
+@@ -102,6 +102,10 @@ jas_matrix_t *jas_matrix_create(int numr
+ 	jas_matrix_t *matrix;
+ 	int i;
+ 
++	if (numrows < 0 || numcols < 0) {
++		return 0;
++	}
++
+ 	if (!(matrix = jas_malloc(sizeof(jas_matrix_t)))) {
+ 		return 0;
+ 	}
diff --git a/SOURCES/jasper-CVE-2016-8691-CVE-2016-8692.patch b/SOURCES/jasper-CVE-2016-8691-CVE-2016-8692.patch
new file mode 100644
index 0000000..607a3c9
--- /dev/null
+++ b/SOURCES/jasper-CVE-2016-8691-CVE-2016-8692.patch
@@ -0,0 +1,31 @@
+From d8c2604cd438c41ec72aff52c16ebd8183068020 Mon Sep 17 00:00:00 2001
+From: Michael Adams <mdadams@ece.uvic.ca>
+Date: Sat, 15 Oct 2016 12:22:28 -0700
+Subject: [PATCH] Added range check on XRsiz and YRsiz fields of SIZ marker
+ segment.
+
+---
+ src/libjasper/jpc/jpc_cs.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/src/libjasper/jpc/jpc_cs.c b/src/libjasper/jpc/jpc_cs.c
+index 6da4872..55d34d6 100644
+--- a/src/libjasper/jpc/jpc_cs.c
++++ b/src/libjasper/jpc/jpc_cs.c
+@@ -512,6 +512,16 @@ static int jpc_siz_getparms(jpc_ms_t *ms, jpc_cstate_t *cstate,
+ 			jas_free(siz->comps);
+ 			return -1;
+ 		}
++		if (siz->comps[i].hsamp == 0 || siz->comps[i].hsamp > 255) {
++			jas_eprintf("invalid XRsiz value %d\n", siz->comps[i].hsamp);
++			jas_free(siz->comps);
++			return -1;
++		}
++		if (siz->comps[i].vsamp == 0 || siz->comps[i].vsamp > 255) {
++			jas_eprintf("invalid YRsiz value %d\n", siz->comps[i].vsamp);
++			jas_free(siz->comps);
++			return -1;
++		}
+ 		siz->comps[i].sgnd = (tmp >> 7) & 1;
+ 		siz->comps[i].prec = (tmp & 0x7f) + 1;
+ 	}
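Review bot: Both new error exits call `jas_free(siz->comps)` and return with `siz->comps` still pointing at the freed array, the same as the existing exit just above them. If the caller's cleanup for the marker segment frees `siz->comps` again (that code is outside the hunk), a malformed SIZ segment leads to a double free; adding `siz->comps = 0;` after each `jas_free` makes the exits safe either way. The `%d` in the two `jas_eprintf` calls also assumes `hsamp`/`vsamp` promote to int, which depends on a field type not shown here.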
diff --git a/SOURCES/jasper-CVE-2016-8693.patch b/SOURCES/jasper-CVE-2016-8693.patch
new file mode 100644
index 0000000..b541210
--- /dev/null
+++ b/SOURCES/jasper-CVE-2016-8693.patch
@@ -0,0 +1,25 @@
+Backport of the upstream commit:
+
+From 44a524e367597af58d6265ae2014468b334d0309 Mon Sep 17 00:00:00 2001
+From: Michael Adams <mdadams@ece.uvic.ca>
+Date: Thu, 20 Oct 2016 07:34:32 -0700
+Subject: [PATCH] The memory stream interface allows for a buffer size of zero.
+ The case of a zero-sized buffer was not handled correctly, as it could lead
+ to a double free. This problem has now been fixed (hopefully). One might ask
+ whether a zero-sized buffer should be allowed at all, but this is a question
+ for another day.
+
+diff -pruN jasper-1.900.1.orig/src/libjasper/base/jas_stream.c jasper-1.900.1/src/libjasper/base/jas_stream.c
+--- jasper-1.900.1.orig/src/libjasper/base/jas_stream.c	2017-03-24 13:23:23.000000000 +0100
++++ jasper-1.900.1/src/libjasper/base/jas_stream.c	2017-03-24 13:33:01.986069625 +0100
+@@ -991,8 +991,8 @@ static int mem_resize(jas_stream_memobj_
+ {
+ 	unsigned char *buf;
+ 
+-	assert(m->buf_);
+-	if (!(buf = jas_realloc(m->buf_, bufsize))) {
++	//assert(m->buf_);
++	if (!(buf = jas_realloc(m->buf_, bufsize)) && bufsize) {
+ 		return -1;
+ 	}
+ 	m->buf_ = buf;
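Review bot: With `bufsize == 0` the new condition accepts a NULL return from `jas_realloc(m->buf_, 0)`, but if jas_realloc forwards to realloc, the result for size zero is implementation-defined and whether the old block is released differs between C libraries. Handling the zero case explicitly (free `m->buf_`, set `buf = 0`, skip the realloc) would make mem_resize behave the same everywhere and not depend on that. The `//assert(m->buf_);` line should be deleted rather than commented out, with a comment such as `/* buf_ may be null for a zero-sized stream */` in its place. The rest of mem_resize is outside the hunk.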
diff --git a/SOURCES/jasper-CVE-2016-8883.patch b/SOURCES/jasper-CVE-2016-8883.patch
new file mode 100644
index 0000000..46bcdad
--- /dev/null
+++ b/SOURCES/jasper-CVE-2016-8883.patch
@@ -0,0 +1,42 @@
+Backport of upstream commit:
+
+From 33cc2cfa51a8d0fc3116d16cc1d8fc581b3f9e8d Mon Sep 17 00:00:00 2001
+From: Michael Adams <mdadams@ece.uvic.ca>
+Date: Wed, 19 Oct 2016 15:02:20 -0700
+Subject: [PATCH] The RCT and ICT require at least three components.
+ Previously, this was enforced with an assertion. Now, the assertion has been
+ replaced with a proper error check.
+
+diff -pruN jasper-1.900.1.orig/src/libjasper/jpc/jpc_dec.c jasper-1.900.1/src/libjasper/jpc/jpc_dec.c
+--- jasper-1.900.1.orig/src/libjasper/jpc/jpc_dec.c	2017-03-31 15:52:43.000000000 +0200
++++ jasper-1.900.1/src/libjasper/jpc/jpc_dec.c	2017-03-31 21:58:17.000000000 +0200
+@@ -1070,12 +1070,18 @@ static int jpc_dec_tiledecode(jpc_dec_t
+ 	/* Apply an inverse intercomponent transform if necessary. */
+ 	switch (tile->cp->mctid) {
+ 	case JPC_MCT_RCT:
+-		assert(dec->numcomps >= 3);
++		if (dec->numcomps < 3) {
++			jas_eprintf("RCT requires at least three components\n");
++			return -1;
++		}
+ 		jpc_irct(tile->tcomps[0].data, tile->tcomps[1].data,
+ 		  tile->tcomps[2].data);
+ 		break;
+ 	case JPC_MCT_ICT:
+-		assert(dec->numcomps >= 3);
++		if (dec->numcomps < 3) {
++			jas_eprintf("ICT requires at least three components\n");
++			return -1;
++		}
+ 		jpc_iict(tile->tcomps[0].data, tile->tcomps[1].data,
+ 		  tile->tcomps[2].data);
+ 		break;
+@@ -1127,7 +1133,7 @@ static int jpc_dec_tiledecode(jpc_dec_t
+ 		  JPC_CEILDIV(dec->ystart, cmpt->vstep), jas_matrix_numcols(
+ 		  tcomp->data), jas_matrix_numrows(tcomp->data), tcomp->data)) {
+ 			jas_eprintf("write component failed\n");
+-			return -4;
++			return -1;
+ 		}
+ 	}
+ 
diff --git a/SOURCES/jasper-CVE-2016-9387.patch b/SOURCES/jasper-CVE-2016-9387.patch
new file mode 100644
index 0000000..23c1b87
--- /dev/null
+++ b/SOURCES/jasper-CVE-2016-9387.patch
@@ -0,0 +1,37 @@
+Backport of the upstream commits:
+
+From d91198abd00fc435a397fe6bad906a4c1748e9cf Mon Sep 17 00:00:00 2001
+From: Michael Adams <mdadams@ece.uvic.ca>
+Date: Sun, 23 Oct 2016 03:34:35 -0700
+Subject: [PATCH] Fixed another integer overflow problem.
+
+From a712a2041085e7cd5f2b153e1532ac2a2954ffaa Mon Sep 17 00:00:00 2001
+From: Michael Adams <mdadams@ece.uvic.ca>
+Date: Thu, 2 Mar 2017 09:28:42 -0800
+Subject: [PATCH] Added some additional checking to prevent a potential integer
+ overflow due to conversion in the JPC decoder.
+
+diff -pruN jasper-1.900.1.orig/src/libjasper/jpc/jpc_dec.c jasper-1.900.1/src/libjasper/jpc/jpc_dec.c
+--- jasper-1.900.1.orig/src/libjasper/jpc/jpc_dec.c	2017-03-31 22:12:06.000000000 +0200
++++ jasper-1.900.1/src/libjasper/jpc/jpc_dec.c	2017-03-31 22:14:46.112781219 +0200
+@@ -1174,6 +1174,7 @@ static int jpc_dec_process_siz(jpc_dec_t
+ 	int htileno;
+ 	int vtileno;
+ 	jpc_dec_cmpt_t *cmpt;
++	size_t size;
+ 
+ 	dec->xstart = siz->xoff;
+ 	dec->ystart = siz->yoff;
+@@ -1210,7 +1211,11 @@ static int jpc_dec_process_siz(jpc_dec_t
+ 
+ 	dec->numhtiles = JPC_CEILDIV(dec->xend - dec->tilexoff, dec->tilewidth);
+ 	dec->numvtiles = JPC_CEILDIV(dec->yend - dec->tileyoff, dec->tileheight);
+-	dec->numtiles = dec->numhtiles * dec->numvtiles;
++	if (!jas_safe_size_mul(dec->numhtiles, dec->numvtiles, &size) ||
++		size > INT_MAX) {
++		return -1;
++	}
++	dec->numtiles = size;
+ 	if (!(dec->tiles = jas_calloc(dec->numtiles, sizeof(jpc_dec_tile_t)))) {
+ 		return -1;
+ 	}
diff --git a/SOURCES/jasper-CVE-2016-9388.patch b/SOURCES/jasper-CVE-2016-9388.patch
new file mode 100644
index 0000000..27398be
--- /dev/null
+++ b/SOURCES/jasper-CVE-2016-9388.patch
@@ -0,0 +1,158 @@
+Backport of upstream commit:
+
+From 411a4068f8c464e883358bf403a3e25158863823 Mon Sep 17 00:00:00 2001
+From: Michael Adams <mdadams@ece.uvic.ca>
+Date: Mon, 24 Oct 2016 06:56:08 -0700
+Subject: [PATCH] Fixed a few bugs in the RAS encoder and decoder where errors
+ were tested with assertions instead of being gracefully handled.
+
+diff -pruN jasper-1.900.1.orig/src/libjasper/ras/ras_dec.c jasper-1.900.1/src/libjasper/ras/ras_dec.c
+--- jasper-1.900.1.orig/src/libjasper/ras/ras_dec.c	2007-01-19 22:43:04.000000000 +0100
++++ jasper-1.900.1/src/libjasper/ras/ras_dec.c	2017-03-31 22:38:04.000000000 +0200
+@@ -257,9 +257,16 @@ static int ras_getdatastd(jas_stream_t *
+ 	/* Avoid compiler warnings about unused parameters. */
+ 	cmap = 0;
+ 
++	assert(jas_image_numcmpts(image) <= 3);
++
++	for (i = 0; i < 3; ++i) {
++		data[i] = 0;
++	}
++
+ 	for (i = 0; i < jas_image_numcmpts(image); ++i) {
+-		data[i] = jas_matrix_create(1, jas_image_width(image));
+-		assert(data[i]);
++		if (!(data[i] = jas_matrix_create(1, jas_image_width(image)))) {
++			goto error;
++		}
+ 	}
+ 
+ 	pad = RAS_ROWSIZE(hdr) - (hdr->width * hdr->depth + 7) / 8;
+@@ -270,7 +277,7 @@ static int ras_getdatastd(jas_stream_t *
+ 		for (x = 0; x < hdr->width; x++) {
+ 			while (nz < hdr->depth) {
+ 				if ((c = jas_stream_getc(in)) == EOF) {
+-					return -1;
++					goto error;
+ 				}
+ 				z = (z << 8) | c;
+ 				nz += 8;
+@@ -290,22 +297,31 @@ static int ras_getdatastd(jas_stream_t *
+ 		}
+ 		if (pad) {
+ 			if ((c = jas_stream_getc(in)) == EOF) {
+-				return -1;
++				goto error;
+ 			}
+ 		}
+ 		for (i = 0; i < jas_image_numcmpts(image); ++i) {
+ 			if (jas_image_writecmpt(image, i, 0, y, hdr->width, 1,
+ 			  data[i])) {
+-				return -1;
++				goto error;
+ 			}
+ 		}
+ 	}
+ 
+ 	for (i = 0; i < jas_image_numcmpts(image); ++i) {
+ 		jas_matrix_destroy(data[i]);
++		data[i] = 0;
+ 	}
+ 
+ 	return 0;
++
++error:
++	for (i = 0; i < 3; ++i) {
++		if (data[i]) {
++			jas_matrix_destroy(data[i]);
++		}
++	}
++	return -1;
+ }
+ 
+ static int ras_getcmap(jas_stream_t *in, ras_hdr_t *hdr, ras_cmap_t *cmap)
+@@ -324,7 +340,9 @@ static int ras_getcmap(jas_stream_t *in,
+ 		{
+ 		jas_eprintf("warning: palettized images not fully supported\n");
+ 		numcolors = 1 << hdr->depth;
+-		assert(numcolors <= RAS_CMAP_MAXSIZ);
++		if (numcolors > RAS_CMAP_MAXSIZ) {
++			return -1;
++		}
+ 		actualnumcolors = hdr->maplength / 3;
+ 		for (i = 0; i < numcolors; i++) {
+ 			cmap->data[i] = 0;
+diff -pruN jasper-1.900.1.orig/src/libjasper/ras/ras_enc.c jasper-1.900.1/src/libjasper/ras/ras_enc.c
+--- jasper-1.900.1.orig/src/libjasper/ras/ras_enc.c	2017-03-31 22:20:38.000000000 +0200
++++ jasper-1.900.1/src/libjasper/ras/ras_enc.c	2017-03-31 22:38:04.000000000 +0200
+@@ -230,9 +230,17 @@ static int ras_putdatastd(jas_stream_t *
+ 	jas_matrix_t *data[3];
+ 	int i;
+ 
++	assert(numcmpts <= 3);
++
++	for (i = 0; i < 3; ++i) {
++		data[i] = 0;
++	}
++
+ 	for (i = 0; i < numcmpts; ++i) {
+-		data[i] = jas_matrix_create(jas_image_height(image), jas_image_width(image));
+-		assert(data[i]);
++		if (!(data[i] = jas_matrix_create(jas_image_height(image),
++		  jas_image_width(image)))) {
++			goto error;
++		}
+ 	}
+ 
+ 	rowsize = RAS_ROWSIZE(hdr);
+@@ -244,7 +252,7 @@ static int ras_putdatastd(jas_stream_t *
+ 		for (i = 0; i < numcmpts; ++i) {
+ 			if (jas_image_readcmpt(image, cmpts[i], 0, y,
+ 					jas_image_width(image), 1, data[i])) {
+-				return -1;
++				goto error;
+ 			}
+ 		}
+ 		z = 0;
+@@ -263,7 +271,7 @@ static int ras_putdatastd(jas_stream_t *
+ 			while (nz >= 8) {
+ 				c = (z >> (nz - 8)) & 0xff;
+ 				if (jas_stream_putc(out, c) == EOF) {
+-					return -1;
++					goto error;
+ 				}
+ 				nz -= 8;
+ 				z &= RAS_ONES(nz);
+@@ -272,21 +280,30 @@ static int ras_putdatastd(jas_stream_t *
+ 		if (nz > 0) {
+ 			c = (z >> (8 - nz)) & RAS_ONES(nz);
+ 			if (jas_stream_putc(out, c) == EOF) {
+-				return -1;
++				goto error;
+ 			}
+ 		}
+ 		if (pad % 2) {
+ 			if (jas_stream_putc(out, 0) == EOF) {
+-				return -1;
++				goto error;
+ 			}
+ 		}
+ 	}
+ 
+ 	for (i = 0; i < numcmpts; ++i) {
+ 		jas_matrix_destroy(data[i]);
++		data[i] = 0;
+ 	}
+ 
+ 	return 0;
++
++error:
++	for (i = 0; i < numcmpts; ++i) {
++		if (data[i]) {
++			jas_matrix_destroy(data[i]);
++		}
++	}
++	return -1;
+ }
+ 
+ static int ras_puthdr(jas_stream_t *out, ras_hdr_t *hdr)
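Review bot: `assert(jas_image_numcmpts(image) <= 3);` in ras_getdatastd and `assert(numcmpts <= 3);` in ras_putdatastd are the only bound on indexes into `data`, which is declared with three elements in ras_putdatastd and cleaned up as three in ras_getdatastd. Both vanish under NDEBUG, which is the assert-as-validation pattern this patch removes elsewhere. Make them runtime checks placed before `data` is touched, e.g. `if (jas_image_numcmpts(image) > 3) return -1;` and `if (numcmpts > 3) return -1;`. In ras_getcmap, `numcolors = 1 << hdr->depth` is still evaluated before the new `RAS_CMAP_MAXSIZ` check, so an oversized `depth` reaches the shift first; bounding `hdr->depth` ahead of the shift would be safer. All three functions extend beyond the hunks shown.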
diff --git a/SOURCES/jasper-CVE-2016-9389.patch b/SOURCES/jasper-CVE-2016-9389.patch
new file mode 100644
index 0000000..b69d209
--- /dev/null
+++ b/SOURCES/jasper-CVE-2016-9389.patch
@@ -0,0 +1,59 @@
+Backport of upstream commit:
+
+From dee11ec440d7908d1daf69f40a3324b27cf213ba Mon Sep 17 00:00:00 2001
+From: Michael Adams <mdadams@ece.uvic.ca>
+Date: Mon, 24 Oct 2016 07:26:40 -0700
+Subject: [PATCH] The component domains must be the same for the ICT/RCT in the
+ JPC codec. This was previously enforced with an assertion. Now, it is handled
+ in a more graceful manner.
+
+diff -pruN jasper-1.900.1.orig/src/libjasper/jpc/jpc_dec.c jasper-1.900.1/src/libjasper/jpc/jpc_dec.c
+--- jasper-1.900.1.orig/src/libjasper/jpc/jpc_dec.c	2017-03-31 22:20:39.000000000 +0200
++++ jasper-1.900.1/src/libjasper/jpc/jpc_dec.c	2017-03-31 22:48:55.368931732 +0200
+@@ -1014,6 +1014,24 @@ if (!prc->cblks) {
+ 	return 0;
+ }
+ 
++static int jas_image_cmpt_domains_same(jas_image_t *image)
++{
++	int cmptno;
++	jas_image_cmpt_t *cmpt;
++	jas_image_cmpt_t *cmpt0;
++
++	cmpt0 = image->cmpts_[0];
++	for (cmptno = 1; cmptno < image->numcmpts_; ++cmptno) {
++		cmpt = image->cmpts_[cmptno];
++		if (cmpt->tlx_ != cmpt0->tlx_ || cmpt->tly_ != cmpt0->tly_ ||
++		  cmpt->hstep_ != cmpt0->hstep_ || cmpt->vstep_ != cmpt0->vstep_ ||
++		  cmpt->width_ != cmpt0->width_ || cmpt->height_ != cmpt0->height_) {
++			return 0;
++		}
++	}
++	return 1;
++}
++
+ static int jpc_dec_tiledecode(jpc_dec_t *dec, jpc_dec_tile_t *tile)
+ {
+ 	int i;
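Review bot: `jas_image_cmpt_domains_same` reads `image->cmpts_[0]` before it looks at `numcmpts_`, so it silently relies on the image having at least one component. Both call sites added further down in this patch sit after the "requires at least three components" checks, which presumably cover that, but the hunks do not show what those checks test. I would state the requirement on the helper itself with a comment such as `/* Precondition: image->numcmpts_ >= 1; returns 1 when all component domains match, 0 otherwise. */` so a later caller does not reach it with an empty image.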
+@@ -1074,6 +1092,10 @@ static int jpc_dec_tiledecode(jpc_dec_t
+ 			jas_eprintf("RCT requires at least three components\n");
+ 			return -1;
+ 		}
++		if (!jas_image_cmpt_domains_same(dec->image)) {
++			jas_eprintf("RCT requires all components have the same domain\n");
++			return -1;
++		}
+ 		jpc_irct(tile->tcomps[0].data, tile->tcomps[1].data,
+ 		  tile->tcomps[2].data);
+ 		break;
+@@ -1082,6 +1104,10 @@ static int jpc_dec_tiledecode(jpc_dec_t
+ 			jas_eprintf("ICT requires at least three components\n");
+ 			return -1;
+ 		}
++		if (!jas_image_cmpt_domains_same(dec->image)) {
++			jas_eprintf("RCT requires all components have the same domain\n");
++			return -1;
++		}
+ 		jpc_iict(tile->tcomps[0].data, tile->tcomps[1].data,
+ 		  tile->tcomps[2].data);
+ 		break;
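Review bot: The diagnostic added in the ICT branch says "RCT", although the neighbouring message in the same branch is "ICT requires at least three components". It looks copied from the RCT case in the previous hunk, and it would point anyone triaging a rejected file at the wrong transform. The line should read `jas_eprintf("ICT requires all components have the same domain\n");`. The enclosing switch in jpc_dec_tiledecode begins and ends outside this hunk.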
diff --git a/SOURCES/jasper-CVE-2016-9390.patch b/SOURCES/jasper-CVE-2016-9390.patch
new file mode 100644
index 0000000..a13eaa0
--- /dev/null
+++ b/SOURCES/jasper-CVE-2016-9390.patch
@@ -0,0 +1,21 @@
+Backport of the upstream commit:
+
+From ba2b9d000660313af7b692542afbd374c5685865 Mon Sep 17 00:00:00 2001
+From: Michael Adams <mdadams@ece.uvic.ca>
+Date: Tue, 25 Oct 2016 16:18:51 -0700
+Subject: [PATCH] Ensure that not all tiles lie outside the image area.
+
+diff -pruN jasper-1.900.1.orig/src/libjasper/jpc/jpc_cs.c jasper-1.900.1/src/libjasper/jpc/jpc_cs.c
+--- jasper-1.900.1.orig/src/libjasper/jpc/jpc_cs.c	2017-03-29 22:24:57.000000000 +0200
++++ jasper-1.900.1/src/libjasper/jpc/jpc_cs.c	2017-03-29 22:25:48.000000000 +0200
+@@ -502,6 +502,10 @@ static int jpc_siz_getparms(jpc_ms_t *ms
+ 	  !siz->tileheight || !siz->numcomps) {
+ 		return -1;
+ 	}
++	if (siz->tilexoff >= siz->width || siz->tileyoff >= siz->height) {
++		jas_eprintf("all tiles are outside the image area\n");
++		return -1;
++	}
+ 	if (!(siz->comps = jas_alloc2(siz->numcomps, sizeof(jpc_sizcomp_t)))) {
+ 		return -1;
+ 	}
diff --git a/SOURCES/jasper-CVE-2016-9391.patch b/SOURCES/jasper-CVE-2016-9391.patch
new file mode 100644
index 0000000..b202d57
--- /dev/null
+++ b/SOURCES/jasper-CVE-2016-9391.patch
@@ -0,0 +1,36 @@
+Backport of relevant parts of upstream commit:
+
+From 1e84674d95353c64e5c4c0e7232ae86fd6ea813b Mon Sep 17 00:00:00 2001
+From: Michael Adams <mdadams@ece.uvic.ca>
+Date: Tue, 25 Oct 2016 07:01:50 -0700
+Subject: [PATCH] Changed the JPC bitstream code to more gracefully handle a
+ request for a larger sized integer than what can be handled (i.e., return
+ with an error instead of failing an assert).
+
+diff -pruN jasper-1.900.1.orig/src/libjasper/jpc/jpc_bs.c jasper-1.900.1/src/libjasper/jpc/jpc_bs.c
+--- jasper-1.900.1.orig/src/libjasper/jpc/jpc_bs.c	2007-01-19 22:43:07.000000000 +0100
++++ jasper-1.900.1/src/libjasper/jpc/jpc_bs.c	2017-03-31 23:00:31.000000000 +0200
+@@ -195,7 +195,10 @@ long jpc_bitstream_getbits(jpc_bitstream
+ 
+ 	/* We can reliably get at most 31 bits since ISO/IEC 9899 only
+ 	  guarantees that a long can represent values up to 2^31-1. */
+-	assert(n >= 0 && n < 32);
++	//assert(n >= 0 && n < 32);
++	if (n < 0 || n >= 32) {
++		return -1;
++	}
+ 
+ 	/* Get the number of bits requested from the specified bit stream. */
+ 	v = 0;
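Review bot: The old assertion is left behind as commented-out code, `//assert(n >= 0 && n < 32);`, here and again in the jpc_bitstream_putbits hunk below. The surrounding comments in this file use the block form, and the dead line adds nothing now that the `if` states the same condition, so I would delete it in both places. Separately, the new `return -1` and `return EOF` only help if the callers test the result; before this change they could rely on the process aborting, and none of them are visible in these hunks, so they are worth auditing as part of the backport. Both function bodies extend beyond their hunks.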
+@@ -215,7 +218,10 @@ int jpc_bitstream_putbits(jpc_bitstream_
+ 
+ 	/* We can reliably put at most 31 bits since ISO/IEC 9899 only
+ 	  guarantees that a long can represent values up to 2^31-1. */
+-	assert(n >= 0 && n < 32);
++	//assert(n >= 0 && n < 32);
++	if (n < 0 || n >= 32) {
++		return EOF;
++	}
+ 	/* Ensure that only the bits to be output are nonzero. */
+ 	assert(!(v & (~JAS_ONES(n))));
+ 
diff --git a/SOURCES/jasper-CVE-2016-9392-CVE-2016-9393-CVE-2016-9394.patch b/SOURCES/jasper-CVE-2016-9392-CVE-2016-9393-CVE-2016-9394.patch
new file mode 100644
index 0000000..d046229
--- /dev/null
+++ b/SOURCES/jasper-CVE-2016-9392-CVE-2016-9393-CVE-2016-9394.patch
@@ -0,0 +1,105 @@
+Backport of the upstream commit:
+
+From f7038068550fba0e41e1d0c355787f1dcd5bf330 Mon Sep 17 00:00:00 2001
+From: Michael Adams <mdadams@ece.uvic.ca>
+Date: Thu, 27 Oct 2016 20:11:57 -0700
+Subject: [PATCH] Added some missing sanity checks on the data in a SIZ marker
+ segment.
+
+diff -pruN jasper-1.900.1.orig/src/libjasper/jpc/jpc_cs.c jasper-1.900.1/src/libjasper/jpc/jpc_cs.c
+--- jasper-1.900.1.orig/src/libjasper/jpc/jpc_cs.c	2017-03-29 22:30:41.000000000 +0200
++++ jasper-1.900.1/src/libjasper/jpc/jpc_cs.c	2017-03-29 22:48:20.267725023 +0200
+@@ -483,6 +483,8 @@ static int jpc_siz_getparms(jpc_ms_t *ms
+ 	unsigned int i;
+ 	uint_fast8_t tmp;
+ 
++	siz->comps = 0;
++
+ 	/* Eliminate compiler warning about unused variables. */
+ 	cstate = 0;
+ 
+@@ -496,44 +498,67 @@ static int jpc_siz_getparms(jpc_ms_t *ms
+ 	  jpc_getuint32(in, &siz->tilexoff) ||
+ 	  jpc_getuint32(in, &siz->tileyoff) ||
+ 	  jpc_getuint16(in, &siz->numcomps)) {
+-		return -1;
++		goto error;
+ 	}
+-	if (!siz->width || !siz->height || !siz->tilewidth ||
+-	  !siz->tileheight || !siz->numcomps) {
+-		return -1;
+-	}
+-	if (siz->tilexoff >= siz->width || siz->tileyoff >= siz->height) {
+-		jas_eprintf("all tiles are outside the image area\n");
+-		return -1;
++	if (!siz->width || !siz->height) {
++		jas_eprintf("reference grid cannot have zero area\n");
++		goto error;
++ 	}
++	if (!siz->tilewidth || !siz->tileheight) {
++		jas_eprintf("tile cannot have zero area\n");
++		goto error;
++	}
++	if (!siz->numcomps || siz->numcomps > 16384) {
++		jas_eprintf("number of components not in permissible range\n");
++		goto error;
++ 	}
++	if (siz->xoff >= siz->width) {
++		jas_eprintf("XOsiz not in permissible range\n");
++		goto error;
++	}
++	if (siz->yoff >= siz->height) {
++		jas_eprintf("YOsiz not in permissible range\n");
++		goto error;
++	}
++	if (siz->tilexoff > siz->xoff || siz->tilexoff + siz->tilewidth <= siz->xoff) {
++		jas_eprintf("XTOsiz not in permissible range\n");
++		goto error;
++	}
++	if (siz->tileyoff > siz->yoff || siz->tileyoff + siz->tileheight <= siz->yoff) {
++		jas_eprintf("YTOsiz not in permissible range\n");
++		goto error;
+ 	}
++
+ 	if (!(siz->comps = jas_alloc2(siz->numcomps, sizeof(jpc_sizcomp_t)))) {
+-		return -1;
++		goto error;
+ 	}
+ 	for (i = 0; i < siz->numcomps; ++i) {
+ 		if (jpc_getuint8(in, &tmp) ||
+ 		  jpc_getuint8(in, &siz->comps[i].hsamp) ||
+ 		  jpc_getuint8(in, &siz->comps[i].vsamp)) {
+-			jas_free(siz->comps);
+-			return -1;
++			goto error;
+ 		}
+ 		if (siz->comps[i].hsamp == 0 || siz->comps[i].hsamp > 255) {
+ 			jas_eprintf("invalid XRsiz value %d\n", siz->comps[i].hsamp);
+-			jas_free(siz->comps);
+-			return -1;
++			goto error;
+ 		}
+ 		if (siz->comps[i].vsamp == 0 || siz->comps[i].vsamp > 255) {
+ 			jas_eprintf("invalid YRsiz value %d\n", siz->comps[i].vsamp);
+-			jas_free(siz->comps);
+-			return -1;
++			goto error;
+ 		}
+ 		siz->comps[i].sgnd = (tmp >> 7) & 1;
+ 		siz->comps[i].prec = (tmp & 0x7f) + 1;
+ 	}
+ 	if (jas_stream_eof(in)) {
+-		jas_free(siz->comps);
+-		return -1;
++		goto error;
+ 	}
+ 	return 0;
++
++error:
++	if (siz->comps) {
++		jas_free(siz->comps);
++	}
++	return -1;
+ }
+ 
+ static int jpc_siz_putparms(jpc_ms_t *ms, jpc_cstate_t *cstate, jas_stream_t *out)
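Review bot: The new `error:` path at the end of jpc_siz_getparms frees `siz->comps` but leaves the pointer set, so the marker-segment object still refers to freed memory after the function returns -1. Whether the caller later runs a destroy routine that frees `siz->comps` again is not visible from this hunk. Clearing the field closes that door cheaply and matches the marking the CVE-2016-9591 patch in this series applies to the encoder objects: add `siz->comps = 0;` directly after `jas_free(siz->comps);`. The start of the function is in the previous hunk.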
diff --git a/SOURCES/jasper-CVE-2016-9560.patch b/SOURCES/jasper-CVE-2016-9560.patch
new file mode 100644
index 0000000..19ec2dc
--- /dev/null
+++ b/SOURCES/jasper-CVE-2016-9560.patch
@@ -0,0 +1,19 @@
+Backport of the upstream commit:
+
+From 1abc2e5a401a4bf1d5ca4df91358ce5df111f495 Mon Sep 17 00:00:00 2001
+From: Michael Adams <mdadams@ece.uvic.ca>
+Date: Sun, 20 Nov 2016 04:43:00 -0800
+Subject: [PATCH] Fixed an array overflow problem in the JPC decoder.
+
+diff -pruN jasper-1.900.1.orig/src/libjasper/jpc/jpc_dec.c jasper-1.900.1/src/libjasper/jpc/jpc_dec.c
+--- jasper-1.900.1.orig/src/libjasper/jpc/jpc_dec.c	2017-03-30 15:00:55.000000000 +0200
++++ jasper-1.900.1/src/libjasper/jpc/jpc_dec.c	2017-03-30 17:56:05.000000000 +0200
+@@ -675,7 +675,7 @@ static int jpc_dec_tileinit(jpc_dec_t *d
+ 	uint_fast32_t tmpxend;
+ 	uint_fast32_t tmpyend;
+ 	jpc_dec_cp_t *cp;
+-	jpc_tsfb_band_t bnds[64];
++	jpc_tsfb_band_t bnds[JPC_MAXBANDS];
+ 	jpc_pchg_t *pchg;
+ 	int pchgno;
+ 	jpc_dec_cmpt_t *cmpt;
diff --git a/SOURCES/jasper-CVE-2016-9583.patch b/SOURCES/jasper-CVE-2016-9583.patch
new file mode 100644
index 0000000..00735af
--- /dev/null
+++ b/SOURCES/jasper-CVE-2016-9583.patch
@@ -0,0 +1,220 @@
+Backport of upstream commits:
+
+From aa0b0f79ade5eef8b0e7a214c03f5af54b36ba7d Mon Sep 17 00:00:00 2001
+From: Michael Adams <mdadams@ece.uvic.ca>
+Date: Sat, 26 Nov 2016 17:14:09 -0800
+Subject: [PATCH] Fixed numerous integer overflow problems in the code for
+ packet iterators in the JPC decoder.
+
+From f25486c3d4aa472fec79150f2c41ed4333395d3d Mon Sep 17 00:00:00 2001
+From: Michael Adams <mdadams@ece.uvic.ca>
+Date: Sat, 26 Nov 2016 20:54:24 -0800
+Subject: [PATCH] Fixed a bug in the packet iterator code. Added a new
+ regression test case.
+
+From 99a50593254d1b53002719bbecfc946c84b23d27 Mon Sep 17 00:00:00 2001
+From: Michael Adams <mdadams@ece.uvic.ca>
+Date: Fri, 9 Dec 2016 05:42:39 -0800
+Subject: [PATCH] Apply a patch for the following bug report:    
+ https://github.com/mdadams/jasper/issues/103     Heap-Buffer-Overflow or
+ Null-pointer-dereference vulnerability due     to a programming mistake
+ (off-by-1)
+
+diff -pruN jasper-1.900.1.orig/src/libjasper/include/jasper/jas_types.h jasper-1.900.1/src/libjasper/include/jasper/jas_types.h
+--- jasper-1.900.1.orig/src/libjasper/include/jasper/jas_types.h	2007-01-19 22:43:04.000000000 +0100
++++ jasper-1.900.1/src/libjasper/include/jasper/jas_types.h	2017-03-30 22:12:18.000000000 +0200
+@@ -217,6 +217,10 @@ typedef ulonglong uint_fast64_t;
+ #define	JAS_CAST(t, e) \
+ 	((t) (e))
+ 
++/* The number of bits in the integeral type uint_fast32_t. */
++/* NOTE: This could underestimate the size on some exotic architectures. */
++#define JAS_UINTFAST32_NUMBITS (8 * sizeof(uint_fast32_t))
++
+ #ifdef __cplusplus
+ extern "C" {
+ #endif
+diff -pruN jasper-1.900.1.orig/src/libjasper/jpc/jpc_t2cod.c jasper-1.900.1/src/libjasper/jpc/jpc_t2cod.c
+--- jasper-1.900.1.orig/src/libjasper/jpc/jpc_t2cod.c	2017-03-30 18:03:55.000000000 +0200
++++ jasper-1.900.1/src/libjasper/jpc/jpc_t2cod.c	2017-03-30 22:14:39.000000000 +0200
+@@ -249,10 +249,17 @@ static int jpc_pi_nextrpcl(register jpc_
+ 		  ++compno, ++picomp) {
+ 			for (rlvlno = 0, pirlvl = picomp->pirlvls; rlvlno <
+ 			  picomp->numrlvls; ++rlvlno, ++pirlvl) {
+-				xstep = picomp->hsamp * (1 << (pirlvl->prcwidthexpn +
+-				  picomp->numrlvls - rlvlno - 1));
+-				ystep = picomp->vsamp * (1 << (pirlvl->prcheightexpn +
+-				  picomp->numrlvls - rlvlno - 1));
++				// Check for the potential for overflow problems.
++				if (pirlvl->prcwidthexpn + picomp->numrlvls >
++				  JAS_UINTFAST32_NUMBITS - 2 ||
++				  pirlvl->prcheightexpn + picomp->numrlvls >
++				  JAS_UINTFAST32_NUMBITS - 2) {
++					return -1;
++				}
++				xstep = picomp->hsamp * (JAS_CAST(uint_fast32_t, 1) <<
++				  (pirlvl->prcwidthexpn + picomp->numrlvls - rlvlno - 1));
++				ystep = picomp->vsamp * (JAS_CAST(uint_fast32_t, 1) <<
++				  (pirlvl->prcheightexpn + picomp->numrlvls - rlvlno - 1));
+ 				pi->xstep = (!pi->xstep) ? xstep : JAS_MIN(pi->xstep, xstep);
+ 				pi->ystep = (!pi->ystep) ? ystep : JAS_MIN(pi->ystep, ystep);
+ 			}
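Review bot: The added guard limits the shift count, but the product `picomp->hsamp * (JAS_CAST(uint_fast32_t, 1) << ...)` can still wrap, because the guard leaves only about two bits of headroom below the width of `uint_fast32_t`. The declared type and range of `hsamp` and `vsamp` are not visible here; if they can reach values of 8 or more on a platform where `uint_fast32_t` is 32 bits wide, `xstep` or `ystep` may come out truncated or zero and then be stored in `pi->xstep` and `pi->ystep`. I would compute the shift once and reject the overflow explicitly, for example `if (picomp->hsamp > (~JAS_CAST(uint_fast32_t, 0) >> shift)) { return -1; }`, and do the same for `vsamp`. The same pattern is repeated in the jpc_pi_nextpcrl and jpc_pi_nextcprl hunks; all three loops start outside their hunks.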
+@@ -282,21 +289,24 @@ static int jpc_pi_nextrpcl(register jpc_
+ 					rpy = r + pi->pirlvl->prcheightexpn;
+ 					trx0 = JPC_CEILDIV(pi->xstart, pi->picomp->hsamp << r);
+ 					try0 = JPC_CEILDIV(pi->ystart, pi->picomp->vsamp << r);
+-					if (((pi->x == pi->xstart && ((trx0 << r) % (1 << rpx)))
+-					  || !(pi->x % (1 << rpx))) &&
+-					  ((pi->y == pi->ystart && ((try0 << r) % (1 << rpy)))
+-					  || !(pi->y % (1 << rpy)))) {
+-						prchind = JPC_FLOORDIVPOW2(JPC_CEILDIV(pi->x, pi->picomp->hsamp
+-						  << r), pi->pirlvl->prcwidthexpn) - JPC_FLOORDIVPOW2(trx0,
+-						  pi->pirlvl->prcwidthexpn);
+-						prcvind = JPC_FLOORDIVPOW2(JPC_CEILDIV(pi->y, pi->picomp->vsamp
+-						  << r), pi->pirlvl->prcheightexpn) - JPC_FLOORDIVPOW2(try0,
+-						  pi->pirlvl->prcheightexpn);
++					if (((pi->x == pi->xstart &&
++					  ((trx0 << r) % (JAS_CAST(uint_fast32_t, 1) << rpx)))
++					  || !(pi->x % (JAS_CAST(uint_fast32_t, 1) << rpx))) &&
++					  ((pi->y == pi->ystart &&
++					  ((try0 << r) % (JAS_CAST(uint_fast32_t, 1) << rpy)))
++					  || !(pi->y % (JAS_CAST(uint_fast32_t, 1) << rpy)))) {
++						prchind = JPC_FLOORDIVPOW2(JPC_CEILDIV(pi->x,
++						  pi->picomp->hsamp << r), pi->pirlvl->prcwidthexpn) -
++						  JPC_FLOORDIVPOW2(trx0, pi->pirlvl->prcwidthexpn);
++						prcvind = JPC_FLOORDIVPOW2(JPC_CEILDIV(pi->y,
++						  pi->picomp->vsamp << r), pi->pirlvl->prcheightexpn) -
++						  JPC_FLOORDIVPOW2(try0, pi->pirlvl->prcheightexpn);
+ 						pi->prcno = prcvind * pi->pirlvl->numhprcs + prchind;
+ 
+ 						assert(pi->prcno < pi->pirlvl->numprcs);
+ 						for (pi->lyrno = 0; pi->lyrno <
+-						  pi->numlyrs && pi->lyrno < JAS_CAST(int, pchg->lyrnoend); ++pi->lyrno) {
++						  pi->numlyrs && pi->lyrno < JAS_CAST(int,
++						  pchg->lyrnoend); ++pi->lyrno) {
+ 							prclyrno = &pi->pirlvl->prclyrnos[pi->prcno];
+ 							if (pi->lyrno >= *prclyrno) {
+ 								++(*prclyrno);
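Review bot: `pi->prcno` is still range-checked only by `assert(pi->prcno < pi->pirlvl->numprcs);` before it indexes `pi->pirlvl->prclyrnos[pi->prcno]` a few lines later. The index is derived from `prchind` and `prcvind`, which come from decoded geometry, and the assertion is compiled out under NDEBUG, so a release build has no bound on that access. This patch already returns -1 for the overflow cases, so the same could be done here with `if (pi->prcno >= pi->pirlvl->numprcs) { return -1; }`, assuming `numprcs` is the allocated length of `prclyrnos`, which the hunk does not show. The jpc_pi_nextpcrl and jpc_pi_nextcprl hunks below keep the same assert-only check; each loop body continues outside its hunk.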
+@@ -341,16 +351,19 @@ static int jpc_pi_nextpcrl(register jpc_
+ 		  ++compno, ++picomp) {
+ 			for (rlvlno = 0, pirlvl = picomp->pirlvls; rlvlno <
+ 			  picomp->numrlvls; ++rlvlno, ++pirlvl) {
+-				xstep = picomp->hsamp * (1 <<
+-				  (pirlvl->prcwidthexpn + picomp->numrlvls -
+-				  rlvlno - 1));
+-				ystep = picomp->vsamp * (1 <<
+-				  (pirlvl->prcheightexpn + picomp->numrlvls -
+-				  rlvlno - 1));
+-				pi->xstep = (!pi->xstep) ? xstep :
+-				  JAS_MIN(pi->xstep, xstep);
+-				pi->ystep = (!pi->ystep) ? ystep :
+-				  JAS_MIN(pi->ystep, ystep);
++				// Check for the potential for overflow problems.
++				if (pirlvl->prcwidthexpn + picomp->numrlvls >
++				  JAS_UINTFAST32_NUMBITS - 2 ||
++				  pirlvl->prcheightexpn + picomp->numrlvls >
++				  JAS_UINTFAST32_NUMBITS - 2) {
++					return -1;
++				}
++				xstep = picomp->hsamp * (JAS_CAST(uint_fast32_t, 1) <<
++				  (pirlvl->prcwidthexpn + picomp->numrlvls - rlvlno - 1));
++				ystep = picomp->vsamp * (JAS_CAST(uint_fast32_t, 1) <<
++				  (pirlvl->prcheightexpn + picomp->numrlvls - rlvlno - 1));
++				pi->xstep = (!pi->xstep) ? xstep : JAS_MIN(pi->xstep, xstep);
++				pi->ystep = (!pi->ystep) ? ystep : JAS_MIN(pi->ystep, ystep);
+ 			}
+ 		}
+ 		pi->prgvolfirst = 0;
+@@ -377,20 +390,23 @@ static int jpc_pi_nextpcrl(register jpc_
+ 					try0 = JPC_CEILDIV(pi->ystart, pi->picomp->vsamp << r);
+ 					rpx = r + pi->pirlvl->prcwidthexpn;
+ 					rpy = r + pi->pirlvl->prcheightexpn;
+-					if (((pi->x == pi->xstart && ((trx0 << r) % (1 << rpx))) ||
++					if (((pi->x == pi->xstart &&
++					  ((trx0 << r) % (JAS_CAST(uint_fast32_t, 1) << rpx))) ||
+ 					  !(pi->x % (pi->picomp->hsamp << rpx))) &&
+-					  ((pi->y == pi->ystart && ((try0 << r) % (1 << rpy))) ||
++					  ((pi->y == pi->ystart &&
++					  ((try0 << r) % (JAS_CAST(uint_fast32_t, 1) << rpy))) ||
+ 					  !(pi->y % (pi->picomp->vsamp << rpy)))) {
+-						prchind = JPC_FLOORDIVPOW2(JPC_CEILDIV(pi->x, pi->picomp->hsamp
+-						  << r), pi->pirlvl->prcwidthexpn) - JPC_FLOORDIVPOW2(trx0,
+-						  pi->pirlvl->prcwidthexpn);
+-						prcvind = JPC_FLOORDIVPOW2(JPC_CEILDIV(pi->y, pi->picomp->vsamp
+-						  << r), pi->pirlvl->prcheightexpn) - JPC_FLOORDIVPOW2(try0,
+-						  pi->pirlvl->prcheightexpn);
++						prchind = JPC_FLOORDIVPOW2(JPC_CEILDIV(pi->x,
++						  pi->picomp->hsamp << r), pi->pirlvl->prcwidthexpn) -
++						  JPC_FLOORDIVPOW2(trx0, pi->pirlvl->prcwidthexpn);
++						prcvind = JPC_FLOORDIVPOW2(JPC_CEILDIV(pi->y,
++						  pi->picomp->vsamp << r), pi->pirlvl->prcheightexpn) -
++						  JPC_FLOORDIVPOW2(try0, pi->pirlvl->prcheightexpn);
+ 						pi->prcno = prcvind * pi->pirlvl->numhprcs + prchind;
+ 						assert(pi->prcno < pi->pirlvl->numprcs);
+ 						for (pi->lyrno = 0; pi->lyrno < pi->numlyrs &&
+-						  pi->lyrno < JAS_CAST(int, pchg->lyrnoend); ++pi->lyrno) {
++						  pi->lyrno < JAS_CAST(int, pchg->lyrnoend);
++						  ++pi->lyrno) {
+ 							prclyrno = &pi->pirlvl->prclyrnos[pi->prcno];
+ 							if (pi->lyrno >= *prclyrno) {
+ 								++(*prclyrno);
+@@ -428,10 +444,17 @@ static int jpc_pi_nextcprl(register jpc_
+ 		pi->prgvolfirst = 0;
+ 	}
+ 
+-	for (pi->compno = pchg->compnostart, pi->picomp =
+-	  &pi->picomps[pi->compno]; pi->compno < JAS_CAST(int, pchg->compnoend) && pi->compno < pi->numcomps; ++pi->compno,
+-	  ++pi->picomp) {
++	for (pi->compno = pchg->compnostart, pi->picomp = &pi->picomps[pi->compno];
++	  pi->compno < JAS_CAST(int, pchg->compnoend) && pi->compno < pi->numcomps;
++	  ++pi->compno, ++pi->picomp) {
+ 		pirlvl = pi->picomp->pirlvls;
++		// Check for the potential for overflow problems.
++		if (pirlvl->prcwidthexpn + pi->picomp->numrlvls >
++		  JAS_UINTFAST32_NUMBITS - 2 ||
++		  pirlvl->prcheightexpn + pi->picomp->numrlvls >
++		  JAS_UINTFAST32_NUMBITS - 2) {
++			return -1;
++		}
+ 		pi->xstep = pi->picomp->hsamp * (JAS_CAST(uint_fast32_t, 1) <<
+ 		  (pirlvl->prcwidthexpn + pi->picomp->numrlvls - 1));
+ 		pi->ystep = pi->picomp->vsamp * (JAS_CAST(uint_fast32_t, 1) <<
+@@ -461,23 +484,23 @@ static int jpc_pi_nextcprl(register jpc_
+ 					try0 = JPC_CEILDIV(pi->ystart, pi->picomp->vsamp << r);
+ 					rpx = r + pi->pirlvl->prcwidthexpn;
+ 					rpy = r + pi->pirlvl->prcheightexpn;
+-					if (((pi->x == pi->xstart && ((trx0 << r) % (1 << rpx))) ||
++					if (((pi->x == pi->xstart &&
++					  ((trx0 << r) % (JAS_CAST(uint_fast32_t, 1) << rpx))) ||
+ 					  !(pi->x % (pi->picomp->hsamp << rpx))) &&
+-					  ((pi->y == pi->ystart && ((try0 << r) % (1 << rpy))) ||
++					  ((pi->y == pi->ystart &&
++					  ((try0 << r) % (JAS_CAST(uint_fast32_t, 1) << rpy))) ||
+ 					  !(pi->y % (pi->picomp->vsamp << rpy)))) {
+-						prchind = JPC_FLOORDIVPOW2(JPC_CEILDIV(pi->x, pi->picomp->hsamp
+-						  << r), pi->pirlvl->prcwidthexpn) - JPC_FLOORDIVPOW2(trx0,
+-						  pi->pirlvl->prcwidthexpn);
+-						prcvind = JPC_FLOORDIVPOW2(JPC_CEILDIV(pi->y, pi->picomp->vsamp
+-						  << r), pi->pirlvl->prcheightexpn) - JPC_FLOORDIVPOW2(try0,
+-						  pi->pirlvl->prcheightexpn);
+-						pi->prcno = prcvind *
+-						  pi->pirlvl->numhprcs +
+-						  prchind;
+-						assert(pi->prcno <
+-						  pi->pirlvl->numprcs);
+-						for (pi->lyrno = 0; pi->lyrno <
+-						  pi->numlyrs && pi->lyrno < JAS_CAST(int, pchg->lyrnoend); ++pi->lyrno) {
++						prchind = JPC_FLOORDIVPOW2(JPC_CEILDIV(pi->x,
++						  pi->picomp->hsamp << r), pi->pirlvl->prcwidthexpn) -
++						  JPC_FLOORDIVPOW2(trx0, pi->pirlvl->prcwidthexpn);
++						prcvind = JPC_FLOORDIVPOW2(JPC_CEILDIV(pi->y,
++						  pi->picomp->vsamp << r), pi->pirlvl->prcheightexpn) -
++						  JPC_FLOORDIVPOW2(try0, pi->pirlvl->prcheightexpn);
++						pi->prcno = prcvind * pi->pirlvl->numhprcs + prchind;
++						assert(pi->prcno < pi->pirlvl->numprcs);
++						for (pi->lyrno = 0; pi->lyrno < pi->numlyrs &&
++						  pi->lyrno < JAS_CAST(int, pchg->lyrnoend);
++						  ++pi->lyrno) {
+ 							prclyrno = &pi->pirlvl->prclyrnos[pi->prcno];
+ 							if (pi->lyrno >= *prclyrno) {
+ 								++(*prclyrno);
diff --git a/SOURCES/jasper-CVE-2016-9591.patch b/SOURCES/jasper-CVE-2016-9591.patch
new file mode 100644
index 0000000..bd42d95
--- /dev/null
+++ b/SOURCES/jasper-CVE-2016-9591.patch
@@ -0,0 +1,212 @@
+Backport of the upstream patch:
+
+From 03fe49ab96bf65fea784cdc256507ea88267fc7c Mon Sep 17 00:00:00 2001
+From: Michael Adams <mdadams@ece.uvic.ca>
+Date: Thu, 2 Mar 2017 08:07:04 -0800
+Subject: [PATCH] Fixed some potential double-free problems in the JPC codec.
+
+diff -pruN jasper-1.900.1.orig/src/libjasper/jpc/jpc_enc.c jasper-1.900.1/src/libjasper/jpc/jpc_enc.c
+--- jasper-1.900.1.orig/src/libjasper/jpc/jpc_enc.c	2017-03-30 22:53:59.000000000 +0200
++++ jasper-1.900.1/src/libjasper/jpc/jpc_enc.c	2017-03-31 13:40:12.000000000 +0200
+@@ -1140,8 +1140,9 @@ int numgbits;
+ 		tilex = tileno % cp->numhtiles;
+ 		tiley = tileno / cp->numhtiles;
+ 
+-		if (!(enc->curtile = jpc_enc_tile_create(enc->cp, enc->image, tileno))) {
+-			abort();
++		if (!(enc->curtile = jpc_enc_tile_create(enc->cp, enc->image,
++		  tileno))) {
++			return -1;
+ 		}
+ 
+ 		tile = enc->curtile;
+@@ -2016,6 +2017,8 @@ error:
+ 	return 0;
+ }
+ 
++/* Note: I don't think that it is necessary to marked destroyed subobjects
++as such in this function. */
+ void jpc_enc_tile_destroy(jpc_enc_tile_t *tile)
+ {
+ 	jpc_enc_tcmpt_t *tcmpt;
+@@ -2027,16 +2030,21 @@ void jpc_enc_tile_destroy(jpc_enc_tile_t
+ 			tcmpt_destroy(tcmpt);
+ 		}
+ 		jas_free(tile->tcmpts);
++		/* tile->tcmpts = NULL; */
+ 	}
+ 	if (tile->lyrsizes) {
+ 		jas_free(tile->lyrsizes);
++		/* tile->lyrsizes = NULL; */
+ 	}
+ 	if (tile->pi) {
+ 		jpc_pi_destroy(tile->pi);
++		/* tile->pi = NULL; */
+ 	}
+ 	jas_free(tile);
++	/* tile = NULL; */
+ }
+ 
++/* Note: This constructor creates the object in place. */
+ static jpc_enc_tcmpt_t *tcmpt_create(jpc_enc_tcmpt_t *tcmpt, jpc_enc_cp_t *cp,
+   jas_image_t *image, jpc_enc_tile_t *tile)
+ {
+@@ -2132,6 +2140,10 @@ error:
+ 
+ }
+ 
++/* Note: Since jpc_enc_tcmpt_t objects are created in-place, they might
++potentially be destroyed multiple times at different levels in the call
++chain.  So, destroyed subobjects must be marked as destroyed to prevent
++problems such as double frees. */
+ static void tcmpt_destroy(jpc_enc_tcmpt_t *tcmpt)
+ {
+ 	jpc_enc_rlvl_t *rlvl;
+@@ -2143,16 +2155,20 @@ static void tcmpt_destroy(jpc_enc_tcmpt_
+ 			rlvl_destroy(rlvl);
+ 		}
+ 		jas_free(tcmpt->rlvls);
++		tcmpt->rlvls = NULL;
+ 	}
+ 
+ 	if (tcmpt->data) {
+ 		jas_seq2d_destroy(tcmpt->data);
++		tcmpt->data = NULL;
+ 	}
+ 	if (tcmpt->tsfb) {
+ 		jpc_tsfb_destroy(tcmpt->tsfb);
++		tcmpt->tsfb = NULL;
+ 	}
+ }
+ 
++/* Note: This constructor creates the object in place. */
+ static jpc_enc_rlvl_t *rlvl_create(jpc_enc_rlvl_t *rlvl, jpc_enc_cp_t *cp,
+   jpc_enc_tcmpt_t *tcmpt, jpc_tsfb_band_t *bandinfos)
+ {
+@@ -2234,6 +2250,10 @@ error:
+ 	return 0;
+ }
+ 
++/* Note: Since jpc_enc_rlvl_t objects are created in-place, they might
++potentially be destroyed multiple times at different levels in the call
++chain.  So, destroyed subobjects must be marked as destroyed to prevent
++problems such as double frees. */
+ static void rlvl_destroy(jpc_enc_rlvl_t *rlvl)
+ {
+ 	jpc_enc_band_t *band;
+@@ -2245,9 +2265,11 @@ static void rlvl_destroy(jpc_enc_rlvl_t
+ 			band_destroy(band);
+ 		}
+ 		jas_free(rlvl->bands);
++		rlvl->bands = NULL;
+ 	}
+ }
+ 
++/* Note: This constructor creates the object in place. */
+ static jpc_enc_band_t *band_create(jpc_enc_band_t *band, jpc_enc_cp_t *cp,
+   jpc_enc_rlvl_t *rlvl, jpc_tsfb_band_t *bandinfos)
+ {
+@@ -2315,6 +2337,10 @@ error:
+ 	return 0;
+ }
+ 
++/* Note: Since jpc_enc_band_t objects are created in-place, they might
++potentially be destroyed multiple times at different levels in the call
++chain.  So, destroyed subobjects must be marked as destroyed to prevent
++problems such as double frees. */
+ static void band_destroy(jpc_enc_band_t *band)
+ {
+ 	jpc_enc_prc_t *prc;
+@@ -2328,12 +2354,15 @@ static void band_destroy(jpc_enc_band_t
+ 			prc_destroy(prc);
+ 		}
+ 		jas_free(band->prcs);
++		band->prcs = NULL;
+ 	}
+ 	if (band->data) {
+ 		jas_seq2d_destroy(band->data);
++		band->data = NULL;
+ 	}
+ }
+ 
++/* Note: This constructor creates the object in place. */
+ static jpc_enc_prc_t *prc_create(jpc_enc_prc_t *prc, jpc_enc_cp_t *cp, jpc_enc_band_t *band)
+ {
+ 	uint_fast32_t prcno;
+@@ -2459,6 +2488,10 @@ error:
+ 	return 0;
+ }
+ 
++/* Note: Since jpc_enc_prc_t objects are created in-place, they might
++potentially be destroyed multiple times at different levels in the call
++chain.  So, destroyed subobjects must be marked as destroyed to prevent
++problems such as double frees. */
+ static void prc_destroy(jpc_enc_prc_t *prc)
+ {
+ 	jpc_enc_cblk_t *cblk;
+@@ -2470,22 +2503,29 @@ static void prc_destroy(jpc_enc_prc_t *p
+ 			cblk_destroy(cblk);
+ 		}
+ 		jas_free(prc->cblks);
++		prc->cblks = NULL;
+ 	}
+ 	if (prc->incltree) {
+ 		jpc_tagtree_destroy(prc->incltree);
++		prc->incltree = NULL;
+ 	}
+ 	if (prc->nlibtree) {
+ 		jpc_tagtree_destroy(prc->nlibtree);
++		prc->nlibtree = NULL;
+ 	}
+ 	if (prc->savincltree) {
+ 		jpc_tagtree_destroy(prc->savincltree);
++		prc->savincltree = NULL;
+ 	}
+ 	if (prc->savnlibtree) {
+ 		jpc_tagtree_destroy(prc->savnlibtree);
++		prc->savnlibtree = NULL;
+ 	}
+ }
+ 
+-static jpc_enc_cblk_t *cblk_create(jpc_enc_cblk_t *cblk, jpc_enc_cp_t *cp, jpc_enc_prc_t *prc)
++/* Note: This constructor creates the object in place. */
++static jpc_enc_cblk_t *cblk_create(jpc_enc_cblk_t *cblk, jpc_enc_cp_t *cp,
++  jpc_enc_prc_t *prc)
+ {
+ 	jpc_enc_band_t *band;
+ 	uint_fast32_t cblktlx;
+@@ -2543,6 +2583,10 @@ error:
+ 	return 0;
+ }
+ 
++/* Note: Since jpc_enc_cblk_t objects are created in-place, they might
++potentially be destroyed multiple times at different levels in the call
++chain.  So, destroyed subobjects must be marked as destroyed to prevent
++problems such as double frees. */
+ static void cblk_destroy(jpc_enc_cblk_t *cblk)
+ {
+ 	uint_fast16_t passno;
+@@ -2553,18 +2597,23 @@ static void cblk_destroy(jpc_enc_cblk_t
+ 			pass_destroy(pass);
+ 		}
+ 		jas_free(cblk->passes);
++		cblk->passes = NULL;
+ 	}
+ 	if (cblk->stream) {
+ 		jas_stream_close(cblk->stream);
++		cblk->stream = NULL;
+ 	}
+ 	if (cblk->mqenc) {
+ 		jpc_mqenc_destroy(cblk->mqenc);
++		cblk->mqenc = NULL;
+ 	}
+ 	if (cblk->data) {
+ 		jas_seq2d_destroy(cblk->data);
++		cblk->data = NULL;
+ 	}
+ 	if (cblk->flags) {
+ 		jas_seq2d_destroy(cblk->flags);
++		cblk->flags = NULL;
+ 	}
+ }
+ 
diff --git a/SOURCES/jasper-CVE-2016-9600.patch b/SOURCES/jasper-CVE-2016-9600.patch
new file mode 100644
index 0000000..ec197b1
--- /dev/null
+++ b/SOURCES/jasper-CVE-2016-9600.patch
@@ -0,0 +1,87 @@
+From a632c6b54bd4ffc3bebab420e00b7e7688aa3846 Mon Sep 17 00:00:00 2001
+From: Michael Adams <mdadams@ece.uvic.ca>
+Date: Fri, 30 Dec 2016 07:27:48 -0800
+Subject: [PATCH] Fixed a problem in the JP2 encoder that caused a null pointer
+ dereference when no ICC profile data is available (e.g., in the case of an
+ unknown color space). Reference:    
+ https://github.com/mdadams/jasper/issues/109
+
+---
+ src/libjasper/jp2/jp2_enc.c | 46 +++++++++++++++++++++++++++++++++------------
+ 1 file changed, 34 insertions(+), 12 deletions(-)
+
+diff --git a/src/libjasper/jp2/jp2_enc.c b/src/libjasper/jp2/jp2_enc.c
+index bca3ca6..b979216 100644
+--- a/src/libjasper/jp2/jp2_enc.c
++++ b/src/libjasper/jp2/jp2_enc.c
+@@ -112,6 +112,8 @@ int jp2_encode(jas_image_t *image, jas_stream_t *out, const char *optstr)
+ 
+ 	box = 0;
+ 	tmpstream = 0;
++	iccstream = 0;
++	iccprof = 0;
+ 
+ 	allcmptssame = 1;
+ 	sgnd = jas_image_cmptsgnd(image, 0);
+@@ -225,22 +227,36 @@ int jp2_encode(jas_image_t *image, jas_stream_t *out, const char *optstr)
+ 		colr->method = JP2_COLR_ICC;
+ 		colr->pri = JP2_COLR_PRI;
+ 		colr->approx = 0;
+-		iccprof = jas_iccprof_createfromcmprof(jas_image_cmprof(image));
+-		assert(iccprof);
+-		iccstream = jas_stream_memopen(0, 0);
+-		assert(iccstream);
+-		if (jas_iccprof_save(iccprof, iccstream))
+-			abort();
+-		if ((pos = jas_stream_tell(iccstream)) < 0)
+-			abort();
++		/* Ensure that cmprof_ is not null. */
++		if (!jas_image_cmprof(image)) {
++			goto error;
++		}
++		if (!(iccprof = jas_iccprof_createfromcmprof(
++		  jas_image_cmprof(image)))) {
++			goto error;
++		}
++		if (!(iccstream = jas_stream_memopen(0, 0))) {
++			goto error;
++		}
++		if (jas_iccprof_save(iccprof, iccstream)) {
++			goto error;
++		}
++		if ((pos = jas_stream_tell(iccstream)) < 0) {
++			goto error;
++		}
+ 		colr->iccplen = pos;
+-		colr->iccp = jas_malloc(pos);
+-		assert(colr->iccp);
++		if (!(colr->iccp = jas_malloc(pos))) {
++			goto error;
++		}
+ 		jas_stream_rewind(iccstream);
+-		if (jas_stream_read(iccstream, colr->iccp, colr->iccplen) != colr->iccplen)
+-			abort();
++		if (jas_stream_read(iccstream, colr->iccp, colr->iccplen) !=
++		  colr->iccplen) {
++			goto error;
++		}
+ 		jas_stream_close(iccstream);
++		iccstream = 0;
+ 		jas_iccprof_destroy(iccprof);
++		iccprof = 0;
+ 		break;
+ 	}
+ 	if (jp2_box_put(box, tmpstream)) {
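Review bot: The new null-profile check (`if (!jas_image_cmprof(image)) { goto error; }`) and the other `goto error` conversions in this branch fail without any diagnostic, whereas the other backports in this series report the reason through `jas_eprintf`. An unknown color space is a normal input condition rather than an internal fault, so the caller sees only a bare failure from jp2_encode and cannot tell it apart from an allocation error. I would add a message before the first jump, for example `jas_eprintf("cannot write ICC colr box: image has no color profile\n");`, provided jasper/jas_debug.h is included in this file, which the hunk does not show. The enclosing switch starts outside the hunk.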
+@@ -354,6 +370,12 @@ int jp2_encode(jas_image_t *image, jas_stream_t *out, const char *optstr)
+ 
+ error:
+ 
++	if (iccprof) {
++		jas_iccprof_destroy(iccprof);
++	}
++	if (iccstream) {
++		jas_stream_close(iccstream);
++	}
+ 	if (box) {
+ 		jp2_box_destroy(box);
+ 	}
diff --git a/SOURCES/jasper-CVE-implicit-declaration-fix.patch b/SOURCES/jasper-CVE-implicit-declaration-fix.patch
new file mode 100644
index 0000000..8ea6e72
--- /dev/null
+++ b/SOURCES/jasper-CVE-implicit-declaration-fix.patch
@@ -0,0 +1,111 @@
+diff -urNp old/src/libjasper/base/jas_getopt.c new/src/libjasper/base/jas_getopt.c
+--- old/src/libjasper/base/jas_getopt.c	2007-01-19 22:43:05.000000000 +0100
++++ new/src/libjasper/base/jas_getopt.c	2017-04-24 14:44:13.479547933 +0200
+@@ -76,6 +76,7 @@
+ 
+ #include "jasper/jas_getopt.h"
+ #include "jasper/jas_math.h"
++#include "jasper/jas_debug.h"
+ 
+ /******************************************************************************\
+ * Global data.
+diff -urNp old/src/libjasper/bmp/bmp_dec.c new/src/libjasper/bmp/bmp_dec.c
+--- old/src/libjasper/bmp/bmp_dec.c	2017-04-24 14:42:17.283288014 +0200
++++ new/src/libjasper/bmp/bmp_dec.c	2017-04-24 14:45:07.200206215 +0200
+@@ -77,6 +77,7 @@
+ #include "jasper/jas_stream.h"
+ #include "jasper/jas_image.h"
+ #include "jasper/jas_malloc.h"
++#include "jasper/jas_debug.h"
+ 
+ #include "bmp_cod.h"
+ 
+diff -urNp old/src/libjasper/jpc/jpc_tsfb.c new/src/libjasper/jpc/jpc_tsfb.c
+--- old/src/libjasper/jpc/jpc_tsfb.c	2017-04-24 14:42:17.326287740 +0200
++++ new/src/libjasper/jpc/jpc_tsfb.c	2017-04-24 14:59:11.226406745 +0200
+@@ -119,14 +119,6 @@ void jpc_tsfb_destroy(jpc_tsfb_t *tsfb)
+ 	free(tsfb);
+ }
+ 
+-int jpc_tsfb_analyze(jpc_tsfb_t *tsfb, jas_seq2d_t *a)
+-{
+-	return (tsfb->numlvls > 0) ? jpc_tsfb_analyze2(tsfb, jas_seq2d_getref(a,
+-	  jas_seq2d_xstart(a), jas_seq2d_ystart(a)), jas_seq2d_xstart(a),
+-	  jas_seq2d_ystart(a), jas_seq2d_width(a),
+-	  jas_seq2d_height(a), jas_seq2d_rowstep(a), tsfb->numlvls - 1) : 0;
+-}
+-
+ int jpc_tsfb_analyze2(jpc_tsfb_t *tsfb, int *a, int xstart, int ystart,
+   int width, int height, int stride, int numlvls)
+ {
+@@ -146,15 +138,15 @@ int jpc_tsfb_analyze2(jpc_tsfb_t *tsfb,
+ 	return 0;
+ }
+ 
+-int jpc_tsfb_synthesize(jpc_tsfb_t *tsfb, jas_seq2d_t *a)
++int jpc_tsfb_analyze(jpc_tsfb_t *tsfb, jas_seq2d_t *a)
+ {
+-	return (tsfb->numlvls > 0 && jas_seq2d_size(a)) ?
+-	  jpc_tsfb_synthesize2(tsfb,
+-	  jas_seq2d_getref(a, jas_seq2d_xstart(a), jas_seq2d_ystart(a)),
+-	  jas_seq2d_xstart(a), jas_seq2d_ystart(a), jas_seq2d_width(a),
++	return (tsfb->numlvls > 0) ? jpc_tsfb_analyze2(tsfb, jas_seq2d_getref(a,
++	  jas_seq2d_xstart(a), jas_seq2d_ystart(a)), jas_seq2d_xstart(a),
++	  jas_seq2d_ystart(a), jas_seq2d_width(a),
+ 	  jas_seq2d_height(a), jas_seq2d_rowstep(a), tsfb->numlvls - 1) : 0;
+ }
+ 
++
+ int jpc_tsfb_synthesize2(jpc_tsfb_t *tsfb, int *a, int xstart, int ystart,
+   int width, int height, int stride, int numlvls)
+ {
+@@ -175,6 +167,15 @@ int jpc_tsfb_synthesize2(jpc_tsfb_t *tsf
+ 	return 0;
+ }
+ 
++int jpc_tsfb_synthesize(jpc_tsfb_t *tsfb, jas_seq2d_t *a)
++{
++	return (tsfb->numlvls > 0 && jas_seq2d_size(a)) ?
++	  jpc_tsfb_synthesize2(tsfb,
++	  jas_seq2d_getref(a, jas_seq2d_xstart(a), jas_seq2d_ystart(a)),
++	  jas_seq2d_xstart(a), jas_seq2d_ystart(a), jas_seq2d_width(a),
++	  jas_seq2d_height(a), jas_seq2d_rowstep(a), tsfb->numlvls - 1) : 0;
++}
++
+ int jpc_tsfb_getbands(jpc_tsfb_t *tsfb, uint_fast32_t xstart,
+   uint_fast32_t ystart, uint_fast32_t xend, uint_fast32_t yend,
+   jpc_tsfb_band_t *bands)
+diff -urNp old/src/libjasper/jpc/jpc_t1dec.c new/src/libjasper/jpc/jpc_t1dec.c
+--- old/src/libjasper/jpc/jpc_t1dec.c	2007-01-19 22:43:07.000000000 +0100
++++ new/src/libjasper/jpc/jpc_t1dec.c	2017-04-24 14:45:43.887972984 +0200
+@@ -78,6 +78,7 @@
+ #include "jasper/jas_fix.h"
+ #include "jasper/jas_stream.h"
+ #include "jasper/jas_math.h"
++#include "jasper/jas_debug.h"
+ 
+ #include "jpc_bs.h"
+ #include "jpc_mqdec.h"
+diff -urNp old/src/libjasper/mif/mif_cod.c new/src/libjasper/mif/mif_cod.c
+--- old/src/libjasper/mif/mif_cod.c	2017-04-24 14:42:17.303287887 +0200
++++ new/src/libjasper/mif/mif_cod.c	2017-04-24 14:47:20.158361453 +0200
+@@ -70,6 +70,7 @@
+ #include "jasper/jas_image.h"
+ #include "jasper/jas_string.h"
+ #include "jasper/jas_malloc.h"
++#include "jasper/jas_debug.h"
+ 
+ #include "mif_cod.h"
+ 
+diff -urNp old/src/libjasper/pnm/pnm_dec.c new/src/libjasper/pnm/pnm_dec.c
+--- old/src/libjasper/pnm/pnm_dec.c	2007-01-19 22:43:05.000000000 +0100
++++ new/src/libjasper/pnm/pnm_dec.c	2017-04-24 14:47:45.904198015 +0200
+@@ -79,6 +79,7 @@
+ #include "jasper/jas_types.h"
+ #include "jasper/jas_stream.h"
+ #include "jasper/jas_image.h"
++#include "jasper/jas_debug.h"
+ 
+ #include "pnm_cod.h"
+ 
+
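Review bot: In `jpc_tsfb.c` the missing declarations are fixed by moving the bodies of `jpc_tsfb_analyze` and `jpc_tsfb_synthesize` below `jpc_tsfb_analyze2` and `jpc_tsfb_synthesize2`, which holds only until the file is reordered again and makes the change hard to compare with upstream. Assuming the two helpers are not already declared in a header (not visible here), forward declarations near the top of the file would fix the same warning without moving code, for example `int jpc_tsfb_analyze2(jpc_tsfb_t *tsfb, int *a, int xstart, int ystart, int width, int height, int stride, int numlvls);` and the matching line for `jpc_tsfb_synthesize2`. The hunk at `-146,15 +138,15` also adds a stray second blank line before `jpc_tsfb_synthesize2`. Building with `-Werror=implicit-function-declaration` would stop this class of defect from coming back with a later patch.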
diff --git a/SOURCES/jasper-pkgconfig.patch b/SOURCES/jasper-pkgconfig.patch
new file mode 100644
index 0000000..c8af5ca
--- /dev/null
+++ b/SOURCES/jasper-pkgconfig.patch
@@ -0,0 +1,48 @@
+diff -Naur jasper-1.900.1/configure.ac jasper-1.900.1.new/configure.ac
+--- jasper-1.900.1/configure.ac	2007-01-19 21:47:11.000000000 +0000
++++ jasper-1.900.1.new/configure.ac	2009-10-29 13:37:02.000000000 +0000
+@@ -399,6 +399,8 @@
+ src/libjasper/pnm/Makefile
+ src/libjasper/ras/Makefile
+ src/msvc/Makefile
++pkgconfig/Makefile
++pkgconfig/jasper.pc
+ jasper.spec
+ ])
+ AC_OUTPUT
+diff -Naur jasper-1.900.1/Makefile.am jasper-1.900.1.new/Makefile.am
+--- jasper-1.900.1/Makefile.am	2007-01-19 21:43:14.000000000 +0000
++++ jasper-1.900.1.new/Makefile.am	2009-10-29 13:36:28.000000000 +0000
+@@ -64,7 +64,7 @@
+ # Note: We need to put the derived file "jasper.spec" in the distribution
+ # in order to facilitate RPM building.
+ 
+-SUBDIRS = src
++SUBDIRS = src pkgconfig
+ 
+ rpm: dist
+ 	for i in BUILD RPMS SRPMS SOURCES SPECS; do \
+diff -Naur jasper-1.900.1/pkgconfig/jasper.pc.in jasper-1.900.1.new/pkgconfig/jasper.pc.in
+--- jasper-1.900.1/pkgconfig/jasper.pc.in	1970-01-01 01:00:00.000000000 +0100
++++ jasper-1.900.1.new/pkgconfig/jasper.pc.in	2009-10-29 16:30:43.000000000 +0000
+@@ -0,0 +1,11 @@
++prefix=@prefix@
++exec_prefix=@exec_prefix@
++libdir=@libdir@
++includedir=@includedir@
++
++Name: Jasper
++Description: JPEG 2000 encoding and decoding library
++Version: @VERSION@
++
++Libs: -L${libdir} -ljasper
++Cflags: -I${includedir}/jasper
+diff -Naur jasper-1.900.1/pkgconfig/Makefile.am jasper-1.900.1.new/pkgconfig/Makefile.am
+--- jasper-1.900.1/pkgconfig/Makefile.am	1970-01-01 01:00:00.000000000 +0100
++++ jasper-1.900.1.new/pkgconfig/Makefile.am	2009-10-29 13:38:59.000000000 +0000
+@@ -0,0 +1,5 @@
++pkgconfigdir = $(libdir)/pkgconfig
++pkgconfig_DATA = jasper.pc
++
++EXTRA_DIST = \
++        jasper.pc.in
diff --git a/SOURCES/jpc_dec.c.patch b/SOURCES/jpc_dec.c.patch
new file mode 100644
index 0000000..ae1cd06
--- /dev/null
+++ b/SOURCES/jpc_dec.c.patch
@@ -0,0 +1,18 @@
+diff -urN jasper-1.900.1/src/libjasper/jpc/jpc_dec.c jasper-1.900.1-fix/src/libjasper/jpc/jpc_dec.c
+--- jasper-1.900.1/src/libjasper/jpc/jpc_dec.c	2007-01-19 14:43:07.000000000 -0700
++++ jasper-1.900.1-fix/src/libjasper/jpc/jpc_dec.c	2008-03-06 16:51:12.000000000 -0700
+@@ -1069,12 +1069,12 @@
+ 	/* Apply an inverse intercomponent transform if necessary. */
+ 	switch (tile->cp->mctid) {
+ 	case JPC_MCT_RCT:
+-		assert(dec->numcomps == 3);
++		assert(dec->numcomps >= 3);
+ 		jpc_irct(tile->tcomps[0].data, tile->tcomps[1].data,
+ 		  tile->tcomps[2].data);
+ 		break;
+ 	case JPC_MCT_ICT:
+-		assert(dec->numcomps == 3);
++		assert(dec->numcomps >= 3);
+ 		jpc_iict(tile->tcomps[0].data, tile->tcomps[1].data,
+ 		  tile->tcomps[2].data);
+ 		break;
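Review bot: The component-count check in both `case JPC_MCT_RCT:` and `case JPC_MCT_ICT:` is still an `assert`, so for a codestream from an untrusted source it either aborts the process or, in a build with `NDEBUG` defined, disappears and lets `tile->tcomps[1]` and `tile->tcomps[2]` be read for an image with fewer than three components. An explicit check that fails the decode would hold in every build, for example `if (dec->numcomps < 3) { return -1; }` before each transform call; the `-1` assumes the enclosing function reports errors that way, which is not visible because its body starts and ends outside the hunk. Relaxing `== 3` to `>= 3` also means the transform now runs on the first three components of images that have more; whether those three are guaranteed to have matching dimensions is not shown, so a comment stating that assumption would help.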
diff --git a/SOURCES/patch-libjasper-stepsizes-overflow.diff b/SOURCES/patch-libjasper-stepsizes-overflow.diff
new file mode 100644
index 0000000..097559f
--- /dev/null
+++ b/SOURCES/patch-libjasper-stepsizes-overflow.diff
@@ -0,0 +1,14 @@
+--- jasper-1.900.1.orig/src/libjasper/jpc/jpc_cs.c	2007-01-19 22:43:07.000000000 +0100
++++ jasper-1.900.1/src/libjasper/jpc/jpc_cs.c	2007-04-06 01:29:02.000000000 +0200
+@@ -982,7 +982,10 @@ static int jpc_qcx_getcompparms(jpc_qcxc
+ 		compparms->numstepsizes = (len - n) / 2;
+ 		break;
+ 	}
+-	if (compparms->numstepsizes > 0) {
++	if (compparms->numstepsizes > 3 * JPC_MAXRLVLS + 1) {
++		jpc_qcx_destroycompparms(compparms);
++                return -1;
++        } else if (compparms->numstepsizes > 0) {
+ 		compparms->stepsizes = jas_malloc(compparms->numstepsizes *
+ 		  sizeof(uint_fast16_t));
+ 		assert(compparms->stepsizes);
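Review bot: The `jas_malloc` result in the `else if` branch is still checked only with `assert(compparms->stepsizes);`, so an allocation failure aborts the process, or goes unchecked when `NDEBUG` is defined. Since the new branch already returns `-1` for an oversized count, the same path could serve here: `if (!compparms->stepsizes) { return -1; }`. The new early exit also calls `jpc_qcx_destroycompparms(compparms)` before `stepsizes` has been assigned in the visible lines; if that helper frees `stepsizes`, the field needs to be zeroed earlier in the function, which the hunk does not show. The added lines are indented with spaces where the surrounding code uses tabs. The function body continues outside the hunk.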
diff --git a/SPECS/jasper.spec b/SPECS/jasper.spec
new file mode 100644
index 0000000..a0583b3
--- /dev/null
+++ b/SPECS/jasper.spec
@@ -0,0 +1,423 @@
+
+# NOTE: packages that can use jasper:
+# ImageMagick
+# netpbm
+
+Summary: Implementation of the JPEG-2000 standard, Part 1
+Name:    jasper
+Group:   System Environment/Libraries
+Version: 1.900.1
+Release: 33%{?dist}
+
+License: JasPer
+URL:     http://www.ece.uvic.ca/~frodo/jasper/
+Source0: http://www.ece.uvic.ca/~frodo/jasper/software/jasper-%{version}.zip
+
+Patch1: jasper-1.701.0-GL.patch
+# autoconf/automake bits of patch1
+Patch2: jasper-1.701.0-GL-ac.patch
+# CVE-2007-2721 (bug #240397)
+# borrowed from http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=413041;msg=88
+Patch3: patch-libjasper-stepsizes-overflow.diff
+# borrowed from http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=469786 
+Patch4: jpc_dec.c.patch
+# OpenBSD hardening patches addressing couple of possible integer overflows
+# during the memory allocations
+# https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2008-3520
+Patch5: jasper-1.900.1-CVE-2008-3520.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2008-3522
+Patch6: jasper-1.900.1-CVE-2008-3522.patch
+# add pkg-config support
+Patch7: jasper-pkgconfig.patch
+
+Patch8: jasper-1.900.1-CVE-2011-4516-CVE-2011-4517-CERT-VU-887409.patch
+
+Patch9: jasper-CVE-2014-9029.patch
+Patch10: jasper-CVE-2014-8137.patch
+Patch11: jasper-CVE-2014-8138.patch
+Patch12: jasper-CVE-2014-8157.patch
+Patch13: jasper-CVE-2014-8158.patch
+
+# Issues found by static analysis of code
+Patch110: jasper-1.900.1-Coverity-BAD_SIZEOF.patch
+Patch111: jasper-1.900.1-Coverity-CHECKED_RETURN.patch
+Patch112: jasper-1.900.1-Coverity-FORWARD_NULL.patch
+Patch113: jasper-1.900.1-Coverity-NULL_RETURNS.patch
+Patch114: jasper-1.900.1-Coverity-RESOURCE_LEAK.patch
+Patch115: jasper-1.900.1-Coverity-UNREACHABLE.patch
+Patch116: jasper-1.900.1-Coverity-UNUSED_VALUE.patch
+
+Patch14: jasper-CVE-2015-5203-CVE-2016-9262.patch
+Patch15: jasper-CVE-2015-5221.patch
+Patch16: jasper-CVE-2016-1577.patch
+Patch17: jasper-CVE-2016-1867.patch
+Patch18: jasper-CVE-2016-2089.patch
+Patch19: jasper-CVE-2016-2116.patch
+Patch20: jasper-CVE-2016-8654.patch
+Patch21: jasper-CVE-2016-8690-CVE-2016-8884-CVE-2016-8885.patch
+Patch22: jasper-CVE-2016-8691-CVE-2016-8692.patch
+Patch23: jasper-CVE-2016-8693.patch
+Patch24: jasper-CVE-2016-9390.patch
+Patch25: jasper-CVE-2016-9392-CVE-2016-9393-CVE-2016-9394.patch
+Patch26: jasper-CVE-2016-9560.patch
+Patch27: jasper-CVE-2016-10251.patch
+Patch28: jasper-CVE-2016-9583.patch
+Patch29: jasper-CVE-2016-9591.patch
+Patch30: jasper-CVE-2016-9600.patch
+Patch31: jasper-CVE-2016-10248.patch
+Patch32: jasper-CVE-2016-10249.patch
+Patch33: jasper-CVE-2016-8883.patch
+Patch34: jasper-CVE-2016-9387.patch
+Patch35: jasper-CVE-2016-9388.patch
+Patch36: jasper-CVE-2016-9389.patch
+Patch37: jasper-CVE-2016-9391.patch
+Patch38: jasper-CVE-implicit-declaration-fix.patch
+
+Patch39: jasper-1.900.1-define-SIZE-MAX.patch	
+Patch40: jasper-1.900.1-CVE-2016-9396.patch
+Patch41: jasper-1.900.1-CVE-2017-1000050.patch
+
+# autoreconf
+BuildRequires: autoconf automake libtool
+BuildRequires: freeglut-devel 
+BuildRequires: libGLU-devel
+BuildRequires: libjpeg-devel
+BuildRequires: pkgconfig
+
+Requires: %{name}-libs%{?_isa} = %{version}-%{release}
+
+%description
+This package contains an implementation of the image compression
+standard JPEG-2000, Part 1. It consists of tools for conversion to and
+from the JP2 and JPC formats.
+
+%package devel
+Summary: Header files, libraries and developer documentation
+Group:   Development/Libraries
+Provides: libjasper-devel = %{version}-%{release}
+Requires: %{name}-libs%{?_isa} = %{version}-%{release}
+Requires: libjpeg-devel
+Requires: pkgconfig
+%description devel
+%{summary}.
+
+%package libs 
+Summary: Runtime libraries for %{name}
+Group:   System Environment/Libraries
+Conflicts: jasper < 1.900.1-4
+%description libs 
+%{summary}.
+
+%package utils 
+Summary: Nonessential utilities for %{name}
+Group:   Development/Libraries
+Requires: %{name} = %{version}-%{release}
+Requires: %{name}-libs%{?_isa} = %{version}-%{release}
+%description utils 
+%{summary}, including jiv and tmrdemo.
+
+
+
+%prep
+%setup -q -n %{name}-%{version}
+
+%patch1 -p1 -b .GL
+%patch2 -p1 -b .GL-ac
+%patch3 -p1 -b .CVE-2007-2721
+%patch4 -p1 -b .jpc_dec_assertion
+%patch5 -p1 -b .CVE-2008-3520
+%patch6 -p1 -b .CVE-2008-3522
+%patch7 -p1 -b .pkgconfig
+%patch8 -p1 -b .CVE-2011-4516-4517
+%patch9 -p1 -b .CVE-2014-9029
+%patch10 -p1 -b .CVE-2014-8137
+%patch11 -p1 -b .CVE-2014-8138
+%patch12 -p1 -b .CVE-2014-8157
+%patch13 -p1 -b .CVE-2014-8158
+
+%patch110 -p1 -b .BAD_SIZEOF
+%patch111 -p1 -b .CHECKED_RETURN
+%patch112 -p1 -b .FORWARD_NULL
+%patch113 -p1 -b .NULL_RETURNS
+%patch114 -p1 -b .RESOURCE_LEAK
+%patch115 -p1 -b .UNREACHABLE
+%patch116 -p1 -b .UNUSED_VALUE
+
+%patch14 -p1 -b .CVE-2015-5203
+%patch15 -p1 -b .CVE-2015-5221
+%patch16 -p1 -b .CVE-2016-1577
+%patch17 -p1 -b .CVE-2016-1867
+%patch18 -p1 -b .CVE-2016-2089
+%patch19 -p1 -b .CVE-2016-2116
+%patch20 -p1 -b .CVE-2016-8654
+%patch21 -p1 -b .CVE-2016-8690
+%patch22 -p1 -b .CVE-2016-8691
+%patch23 -p1 -b .CVE-2016-8693
+%patch24 -p1 -b .CVE-2016-9390
+%patch25 -p1 -b .CVE-2016-9392
+%patch26 -p1 -b .CVE-2016-9560
+%patch27 -p1 -b .CVE-2016-10251
+%patch28 -p1 -b .CVE-2016-9583
+%patch29 -p1 -b .CVE-2016-9591
+%patch30 -p1 -b .CVE-2016-9600
+%patch31 -p1 -b .CVE-2016-10248
+%patch32 -p1 -b .CVE-2016-10249
+%patch33 -p1 -b .CVE-2016-8883
+%patch34 -p1 -b .CVE-2016-9387
+%patch35 -p1 -b .CVE-2016-9388
+%patch36 -p1 -b .CVE-2016-9389
+%patch37 -p1 -b .CVE-2016-9391
+%patch38 -p1 -b .CVE-implicit-declaration-fix
+%patch39 -p1 -b .define-SIZE-MAX
+%patch40 -p1 -b .CVE-2016-9396
+%patch41 -p1 -b .CVE-2017-1000050
+
+autoreconf --verbose --force --install
+
+
+%build
+
+# jas_icc.c:744:2: warning: assuming signed overflow does not occur
+# when assuming that (X + c) < X is always false [-Wstrict-overflow]
+#
+# comment from Red Hat Security Response Team:
+# gcc inlines jas_iccattrtab_resize into jas_iccattrtab_add. Additionally, it
+# essentially removes the "assert(maxents >= tab->numattrs);" assertion in
+# jas_iccattrtab_resize, because it assumes that "maxents >= tab->numattrs" will
+# always be true due to jas_iccattrtab_resize(attrtab, attrtab->numattrs + 32),
+# especially the + 32. This assumption can only be true if it completely ignores
+# the problem of signed integer overflows. I don't think it's a smart idea to
+# accept that.
+# -fno-strict-overflow forces gcc into keeping the assertion there.
+CFLAGS="%{optflags} -fno-strict-overflow" \
+%configure \
+  --enable-shared \
+  --disable-static 
+
+make %{?_smp_mflags}
+
+
+%install
+
+make install DESTDIR=$RPM_BUILD_ROOT
+
+# Unpackaged files
+rm -f doc/README
+rm -f $RPM_BUILD_ROOT%{_libdir}/lib*.la
+
+
+%check
+make check
+
+
+
+%post libs -p /sbin/ldconfig
+
+%postun libs -p /sbin/ldconfig
+
+
+%files
+%{_bindir}/imgcmp
+%{_bindir}/imginfo
+%{_bindir}/jasper
+%{_mandir}/man1/img*
+%{_mandir}/man1/jasper.1*
+
+%files devel
+%doc doc/*
+%{_includedir}/jasper/
+%{_libdir}/libjasper.so
+%{_libdir}/pkgconfig/jasper.pc
+
+%files libs
+%doc COPYRIGHT LICENSE NEWS README
+%{_libdir}/libjasper.so.1*
+
+%files utils
+%{_bindir}/jiv
+%{_bindir}/tmrdemo
+%{_mandir}/man1/jiv.1*
+
+
+%changelog
+* Thu Jun 21 2018 Josef Ridky <jridky@redhat.com> - 1.900.1-33
+- remove implicit declaration of jas_eprintf (#1585830)
+
+* Thu Jun 21 2018 Josef Ridky <jridky@redhat.com> - 1.900.1-32
+- Fix CVE-2016-9396 (#1583721)
+- Fix CVE-2017-1000050 (#1585830)
+
+* Wed May 31 2017 Josef Ridky <jridky@redhat.com> - 1.900.1-31
+- Fix missing declaration of SIZE_MAX constant in jas_math.h (#1455489)
+
+* Tue Apr 25 2017 Josef Ridky <jridky@redhat.com> - 1.900.1-30
+- Multiple security fixes (fixed by thoger):
+  CVE-2015-5203 CVE-2015-5221 CVE-2016-1577 CVE-2016-1867 CVE-2016-2089
+  CVE-2016-2116 CVE-2016-8654 CVE-2016-8690 CVE-2016-8691 CVE-2016-8692
+  CVE-2016-8693 CVE-2016-8883 CVE-2016-8884 CVE-2016-8885 CVE-2016-9262
+  CVE-2016-9387 CVE-2016-9388 CVE-2016-9389 CVE-2016-9390 CVE-2016-9391
+  CVE-2016-9392 CVE-2016-9393 CVE-2016-9394 CVE-2016-9560 CVE-2016-9583
+  CVE-2016-9591 CVE-2016-9600 CVE-2016-10248 CVE-2016-10249 CVE-2016-10251
+- Fix implicit declaration warning caused by security fixes above
+
+* Mon Jan 19 2015 Jiri Popelka <jpopelka@redhat.com> - 1.900.1-29
+- CVE-2014-8157 - dec->numtiles off-by-one check in jpc_dec_process_sot() (#1183674)
+- CVE-2014-8158 - unrestricted stack memory use in jpc_qmfb.c (#1183682)
+
+* Fri Dec 12 2014 Jiri Popelka <jpopelka@redhat.com> - 1.900.1-28
+- CVE-2014-8137 - double-free in in jas_iccattrval_destroy (#1173569)
+- CVE-2014-8138 - heap overflow in jp2_decode (#1173569)
+
+* Sat Dec 06 2014 Jiri Popelka <jpopelka@redhat.com> - 1.900.1-27
+- CVE-2014-9029 - incorrect component number check in COC, RGN and QCC
+                  marker segment decoders (#1171211)
+
+* Fri Jan 24 2014 Daniel Mach <dmach@redhat.com> - 1.900.1-26
+- Mass rebuild 2014-01-24
+
+* Fri Dec 27 2013 Daniel Mach <dmach@redhat.com> - 1.900.1-25
+- Mass rebuild 2013-12-27
+
+* Mon Mar 25 2013 Jiri Popelka <jpopelka@redhat.com> - 1.900.1-24
+- added --force option to autoreconf (#925604)
+
+* Thu Feb 14 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.900.1-23
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild
+
+* Fri Jan 18 2013 Adam Tkac <atkac redhat com> - 1.900.1-22
+- rebuild due to "jpeg8-ABI" feature drop
+
+* Thu Dec 06 2012 Jiri Popelka <jpopelka@redhat.com> - 1.900.1-21
+- build with -fno-strict-overflow
+
+* Thu Jul 19 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.900.1-20
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild
+
+* Fri Jan 13 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.900.1-19
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild
+
+* Fri Dec 09 2011 Jiri Popelka <jpopelka@redhat.com> - 1.900.1-18
+- CVE-2011-4516, CVE-2011-4517 jasper: heap buffer overflow flaws
+  lead to arbitrary code execution (CERT VU#887409) (#765660)
+- Fixed problems found by static analysis of code (#761440)
+- spec file modernized
+
+* Wed Feb 09 2011 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.900.1-17
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild
+
+* Wed Jun 30 2010 Rex Dieter <rdieter@fedoraproject.org> - 1.900.1-16
+- rebuild
+
+* Sun Feb 14 2010 Rex Dieter <rdieter@fedoraproject.org> - 1.900.1-15
+- FTBFS jasper-1.900.1-14.fc12: ImplicitDSOLinking (#564794)
+
+* Thu Oct 29 2009 Rex Dieter <rdieter@fedoraproject.org> - 1.900.1-14
+- add pkgconfig support
+
+* Mon Oct 13 2009 Rex Dieter <rdieter@fedoraproject.org> - 1.900.1-13
+- CVE-2008-3520 jasper: multiple integer overflows in jas_alloc calls (#461476)
+- CVE-2008-3522 jasper: possible buffer overflow in 
+  jas_stream_printf() (#461478)
+
+* Fri Jul 24 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.900.1-12
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild
+
+* Sat Jul 18 2009 Rex Dieter <rdieter@fedoraproject.org> - 1.900.1-11
+- FTBFS jasper-1.900.1-10.fc11 (#511743)
+
+* Wed Feb 25 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.900.1-10
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild
+
+* Sun Jan 25 2009 Rex Dieter <rdieter@fedoraproject.org> 1.900.1-9
+- patch for "jpc_dec_tiledecode: Assertion `dec->numcomps == 3' failed)
+  (#481284, #481291)
+
+* Fri Feb 08 2008 Rex Dieter <rdieter@fedoraproject.org> 1.900.1-8
+- respin (gcc43)
+
+* Mon Oct 15 2007 Rex Dieter <rdieter[AT]fedoraproject.org> 1.900.1-7
+- -libs: %%post/%%postun -p /sbin/ldconfig
+
+* Mon Sep 17 2007 Rex Dieter <rdieter[AT]fedoraproject.org> 1.900.1-6
+- -libs: -Requires: %%name
+- -devel: +Provides: libjasper-devel
+- drop (unused) geojasper bits
+
+* Wed Aug 22 2007 Rex Dieter <rdieter[AT]fedoraproject.org> 1.900.1-4
+- -libs subpkg to be multilib friendlier
+- -utils subpkg for non-essential binaries jiv, tmrdemo (#244153)
+
+* Fri Aug 17 2007 Rex Dieter <rdieter[AT]fedoraproject.org> 1.900.1-3
+- License: JasPer
+
+* Wed May 23 2007 Rex Dieter <rdieter[AT]fedoraproject.org> 1.900.1-2
+- CVE-2007-2721 (#240397)
+
+* Thu Mar 29 2007 Rex Dieter <rdieter[AT]fedoraproject.org> 1.900.1-1
+- jasper-1.900.1
+
+* Fri Dec 08 2006 Rex Dieter <rexdieter[AT]users.sf.net> 1.900.0-3
+- omit deprecated memleak patch
+
+* Fri Dec 08 2006 Rex Dieter <rexdieter[AT]users.sf.net> 1.900.0-2
+- jasper-1.900.0 (#218947)
+
+* Mon Sep 18 2006 Rex Dieter <rexdieter[AT]users.sf.net> 1.701.0-15
+- memory leak (#207006)
+
+* Tue Aug 29 2006 Rex Dieter <rexdieter[AT]users.sf.net> 1.701.0-13
+- fc6 respin
+
+* Wed Mar 1 2006 Rex Dieter <rexdieter[AT]users.sf.net> 1.701.0-12
+- fixup build issues introduced by geojasper integration
+
+* Wed Mar 1 2006 Rex Dieter <rexdieter[AT]users.sf.net> 1.701.0-10
+- support/use geojasper (optional, default no)
+- fc5: gcc/glibc respin
+
+* Fri Feb 10 2006 Rex Dieter <rexdieter[AT]users.sf.net>
+- fc5: gcc/glibc respin
+
+* Tue Jan 31 2006 Rex Dieter <rexdieter[AT]users.sf.net> 1.701.0-9
+- workaround "freeglut-devel should Requires: libGL-devel, libGLU-devel"
+  (#179464)
+
+* Tue Jan 31 2006 Rex Dieter <rexdieter[AT]users.sf.net> 1.701.0-8
+- revert jasper to jaspertool rename (#176773)
+- actually use/apply GL patch
+
+* Tue Oct 18 2005 Rex Dieter <rexdieter[AT]users.sf.net> 1.701.0-7
+- GL patch to remove libGL dependancy (using only freeglut)
+
+* Tue Oct 18 2005 Rex Dieter <rexdieter[AT]users.sf.net> 1.701.0-6
+- token %%check section
+- --enable-shared 
+
+* Mon Oct 17 2005 Rex Dieter <rexdieter[AT]users.sf.net> 1.701.0-5
+- use %%{?dist}
+- BR: libGL-devel 
+
+* Fri Apr  7 2005 Michael Schwendt <mschwendt[AT]users.sf.net>
+- rebuilt
+
+* Sat Oct 23 2004 Rex Dieter <rexdieter at sf.net> 0:1.701.0-0.fdr.3
+- Capitalize summary
+- remove 0-length ChangeLog
+
+* Fri Jun 04 2004 Rex Dieter <rexdieter at sf.net> 0:1.701.0-0.fdr.2
+- nuke .la file
+- BR: glut-devel -> freeglut-devel
+
+* Tue Jun 01 2004 Rex Dieter <rexdieter at sf.net> 0:1.701.0-0.fdr.1
+- 1.701.0
+
+* Tue Jun 01 2004 Rex Dieter <rexdieter at sf.net> 0:1.700.5-0.fdr.2
+- avoid conflicts with fc'2 tomcat by renaming /usr/bin/jasper -> jaspertool
+
+* Mon Mar 08 2004 Rex Dieter <rexdieter at sf.net> 0:1.700.5-0.fdr.1
+- use Epochs.
+- -devel: Requires: %%name = %%epoch:%%version
+
+* Thu Jan 22 2004 Rex Dieter <rexdieter at sf.net> 1.700.5-0.fdr.0
+- first try
+