diff --git a/SOURCES/jasper-CVE-2014-8157.patch b/SOURCES/jasper-CVE-2014-8157.patch new file mode 100644 index 0000000..ebfc1b2 --- /dev/null +++ b/SOURCES/jasper-CVE-2014-8157.patch @@ -0,0 +1,12 @@ +diff -up jasper-1.900.1/src/libjasper/jpc/jpc_dec.c.CVE-2014-8157 jasper-1.900.1/src/libjasper/jpc/jpc_dec.c +--- jasper-1.900.1/src/libjasper/jpc/jpc_dec.c.CVE-2014-8157 2015-01-19 16:59:36.000000000 +0100 ++++ jasper-1.900.1/src/libjasper/jpc/jpc_dec.c 2015-01-19 17:07:41.609863268 +0100 +@@ -489,7 +489,7 @@ static int jpc_dec_process_sot(jpc_dec_t + dec->curtileendoff = 0; + } + +- if (JAS_CAST(int, sot->tileno) > dec->numtiles) { ++ if (JAS_CAST(int, sot->tileno) >= dec->numtiles) { + jas_eprintf("invalid tile number in SOT marker segment\n"); + return -1; + } diff --git a/SOURCES/jasper-CVE-2014-8158.patch b/SOURCES/jasper-CVE-2014-8158.patch new file mode 100644 index 0000000..ce9e4b4 --- /dev/null +++ b/SOURCES/jasper-CVE-2014-8158.patch @@ -0,0 +1,329 @@ +diff -up jasper-1.900.1/src/libjasper/jpc/jpc_qmfb.c.CVE-2014-8158 jasper-1.900.1/src/libjasper/jpc/jpc_qmfb.c +--- jasper-1.900.1/src/libjasper/jpc/jpc_qmfb.c.CVE-2014-8158 2015-01-19 17:25:28.730195502 +0100 ++++ jasper-1.900.1/src/libjasper/jpc/jpc_qmfb.c 2015-01-19 17:27:20.214663127 +0100 +@@ -306,11 +306,7 @@ void jpc_qmfb_split_row(jpc_fix_t *a, in + { + + int bufsize = JPC_CEILDIVPOW2(numcols, 1); +-#if !defined(HAVE_VLA) + jpc_fix_t splitbuf[QMFB_SPLITBUFSIZE]; +-#else +- jpc_fix_t splitbuf[bufsize]; +-#endif + jpc_fix_t *buf = splitbuf; + register jpc_fix_t *srcptr; + register jpc_fix_t *dstptr; +@@ -318,7 +314,6 @@ void jpc_qmfb_split_row(jpc_fix_t *a, in + register int m; + int hstartcol; + +-#if !defined(HAVE_VLA) + /* Get a buffer. */ + if (bufsize > QMFB_SPLITBUFSIZE) { + if (!(buf = jas_alloc2(bufsize, sizeof(jpc_fix_t)))) { +@@ -326,7 +321,6 @@ void jpc_qmfb_split_row(jpc_fix_t *a, in + abort(); + } + } +-#endif + + if (numcols >= 2) { + hstartcol = (numcols + 1 - parity) >> 1; +@@ -360,12 +354,10 @@ void jpc_qmfb_split_row(jpc_fix_t *a, in + } + } + +-#if !defined(HAVE_VLA) + /* If the split buffer was allocated on the heap, free this memory. */ + if (buf != splitbuf) { + jas_free(buf); + } +-#endif + + } + +@@ -374,11 +366,7 @@ void jpc_qmfb_split_col(jpc_fix_t *a, in + { + + int bufsize = JPC_CEILDIVPOW2(numrows, 1); +-#if !defined(HAVE_VLA) + jpc_fix_t splitbuf[QMFB_SPLITBUFSIZE]; +-#else +- jpc_fix_t splitbuf[bufsize]; +-#endif + jpc_fix_t *buf = splitbuf; + register jpc_fix_t *srcptr; + register jpc_fix_t *dstptr; +@@ -386,7 +374,6 @@ void jpc_qmfb_split_col(jpc_fix_t *a, in + register int m; + int hstartcol; + +-#if !defined(HAVE_VLA) + /* Get a buffer. */ + if (bufsize > QMFB_SPLITBUFSIZE) { + if (!(buf = jas_alloc2(bufsize, sizeof(jpc_fix_t)))) { +@@ -394,7 +381,6 @@ void jpc_qmfb_split_col(jpc_fix_t *a, in + abort(); + } + } +-#endif + + if (numrows >= 2) { + hstartcol = (numrows + 1 - parity) >> 1; +@@ -428,12 +414,10 @@ void jpc_qmfb_split_col(jpc_fix_t *a, in + } + } + +-#if !defined(HAVE_VLA) + /* If the split buffer was allocated on the heap, free this memory. */ + if (buf != splitbuf) { + jas_free(buf); + } +-#endif + + } + +@@ -442,11 +426,7 @@ void jpc_qmfb_split_colgrp(jpc_fix_t *a, + { + + int bufsize = JPC_CEILDIVPOW2(numrows, 1); +-#if !defined(HAVE_VLA) + jpc_fix_t splitbuf[QMFB_SPLITBUFSIZE * JPC_QMFB_COLGRPSIZE]; +-#else +- jpc_fix_t splitbuf[bufsize * JPC_QMFB_COLGRPSIZE]; +-#endif + jpc_fix_t *buf = splitbuf; + jpc_fix_t *srcptr; + jpc_fix_t *dstptr; +@@ -457,7 +437,6 @@ void jpc_qmfb_split_colgrp(jpc_fix_t *a, + int m; + int hstartcol; + +-#if !defined(HAVE_VLA) + /* Get a buffer. */ + if (bufsize > QMFB_SPLITBUFSIZE) { + if (!(buf = jas_alloc2(bufsize, sizeof(jpc_fix_t)))) { +@@ -465,7 +444,6 @@ void jpc_qmfb_split_colgrp(jpc_fix_t *a, + abort(); + } + } +-#endif + + if (numrows >= 2) { + hstartcol = (numrows + 1 - parity) >> 1; +@@ -517,12 +495,10 @@ void jpc_qmfb_split_colgrp(jpc_fix_t *a, + } + } + +-#if !defined(HAVE_VLA) + /* If the split buffer was allocated on the heap, free this memory. */ + if (buf != splitbuf) { + jas_free(buf); + } +-#endif + + } + +@@ -531,11 +507,7 @@ void jpc_qmfb_split_colres(jpc_fix_t *a, + { + + int bufsize = JPC_CEILDIVPOW2(numrows, 1); +-#if !defined(HAVE_VLA) + jpc_fix_t splitbuf[QMFB_SPLITBUFSIZE * JPC_QMFB_COLGRPSIZE]; +-#else +- jpc_fix_t splitbuf[bufsize * numcols]; +-#endif + jpc_fix_t *buf = splitbuf; + jpc_fix_t *srcptr; + jpc_fix_t *dstptr; +@@ -546,7 +518,6 @@ void jpc_qmfb_split_colres(jpc_fix_t *a, + int m; + int hstartcol; + +-#if !defined(HAVE_VLA) + /* Get a buffer. */ + if (bufsize > QMFB_SPLITBUFSIZE) { + if (!(buf = jas_alloc2(bufsize, sizeof(jpc_fix_t)))) { +@@ -554,7 +525,6 @@ void jpc_qmfb_split_colres(jpc_fix_t *a, + abort(); + } + } +-#endif + + if (numrows >= 2) { + hstartcol = (numrows + 1 - parity) >> 1; +@@ -606,12 +576,10 @@ void jpc_qmfb_split_colres(jpc_fix_t *a, + } + } + +-#if !defined(HAVE_VLA) + /* If the split buffer was allocated on the heap, free this memory. */ + if (buf != splitbuf) { + jas_free(buf); + } +-#endif + + } + +@@ -619,18 +587,13 @@ void jpc_qmfb_join_row(jpc_fix_t *a, int + { + + int bufsize = JPC_CEILDIVPOW2(numcols, 1); +-#if !defined(HAVE_VLA) + jpc_fix_t joinbuf[QMFB_JOINBUFSIZE]; +-#else +- jpc_fix_t joinbuf[bufsize]; +-#endif + jpc_fix_t *buf = joinbuf; + register jpc_fix_t *srcptr; + register jpc_fix_t *dstptr; + register int n; + int hstartcol; + +-#if !defined(HAVE_VLA) + /* Allocate memory for the join buffer from the heap. */ + if (bufsize > QMFB_JOINBUFSIZE) { + if (!(buf = jas_alloc2(bufsize, sizeof(jpc_fix_t)))) { +@@ -638,7 +601,6 @@ void jpc_qmfb_join_row(jpc_fix_t *a, int + abort(); + } + } +-#endif + + hstartcol = (numcols + 1 - parity) >> 1; + +@@ -670,12 +632,10 @@ void jpc_qmfb_join_row(jpc_fix_t *a, int + ++srcptr; + } + +-#if !defined(HAVE_VLA) + /* If the join buffer was allocated on the heap, free this memory. */ + if (buf != joinbuf) { + jas_free(buf); + } +-#endif + + } + +@@ -684,18 +644,13 @@ void jpc_qmfb_join_col(jpc_fix_t *a, int + { + + int bufsize = JPC_CEILDIVPOW2(numrows, 1); +-#if !defined(HAVE_VLA) + jpc_fix_t joinbuf[QMFB_JOINBUFSIZE]; +-#else +- jpc_fix_t joinbuf[bufsize]; +-#endif + jpc_fix_t *buf = joinbuf; + register jpc_fix_t *srcptr; + register jpc_fix_t *dstptr; + register int n; + int hstartcol; + +-#if !defined(HAVE_VLA) + /* Allocate memory for the join buffer from the heap. */ + if (bufsize > QMFB_JOINBUFSIZE) { + if (!(buf = jas_alloc2(bufsize, sizeof(jpc_fix_t)))) { +@@ -703,7 +658,6 @@ void jpc_qmfb_join_col(jpc_fix_t *a, int + abort(); + } + } +-#endif + + hstartcol = (numrows + 1 - parity) >> 1; + +@@ -735,12 +689,10 @@ void jpc_qmfb_join_col(jpc_fix_t *a, int + ++srcptr; + } + +-#if !defined(HAVE_VLA) + /* If the join buffer was allocated on the heap, free this memory. */ + if (buf != joinbuf) { + jas_free(buf); + } +-#endif + + } + +@@ -749,11 +701,7 @@ void jpc_qmfb_join_colgrp(jpc_fix_t *a, + { + + int bufsize = JPC_CEILDIVPOW2(numrows, 1); +-#if !defined(HAVE_VLA) + jpc_fix_t joinbuf[QMFB_JOINBUFSIZE * JPC_QMFB_COLGRPSIZE]; +-#else +- jpc_fix_t joinbuf[bufsize * JPC_QMFB_COLGRPSIZE]; +-#endif + jpc_fix_t *buf = joinbuf; + jpc_fix_t *srcptr; + jpc_fix_t *dstptr; +@@ -763,7 +711,6 @@ void jpc_qmfb_join_colgrp(jpc_fix_t *a, + register int i; + int hstartcol; + +-#if !defined(HAVE_VLA) + /* Allocate memory for the join buffer from the heap. */ + if (bufsize > QMFB_JOINBUFSIZE) { + if (!(buf = jas_alloc2(bufsize, JPC_QMFB_COLGRPSIZE * sizeof(jpc_fix_t)))) { +@@ -771,7 +718,6 @@ void jpc_qmfb_join_colgrp(jpc_fix_t *a, + abort(); + } + } +-#endif + + hstartcol = (numrows + 1 - parity) >> 1; + +@@ -821,12 +767,10 @@ void jpc_qmfb_join_colgrp(jpc_fix_t *a, + srcptr += JPC_QMFB_COLGRPSIZE; + } + +-#if !defined(HAVE_VLA) + /* If the join buffer was allocated on the heap, free this memory. */ + if (buf != joinbuf) { + jas_free(buf); + } +-#endif + + } + +@@ -835,11 +779,7 @@ void jpc_qmfb_join_colres(jpc_fix_t *a, + { + + int bufsize = JPC_CEILDIVPOW2(numrows, 1); +-#if !defined(HAVE_VLA) + jpc_fix_t joinbuf[QMFB_JOINBUFSIZE * JPC_QMFB_COLGRPSIZE]; +-#else +- jpc_fix_t joinbuf[bufsize * numcols]; +-#endif + jpc_fix_t *buf = joinbuf; + jpc_fix_t *srcptr; + jpc_fix_t *dstptr; +@@ -849,7 +789,6 @@ void jpc_qmfb_join_colres(jpc_fix_t *a, + register int i; + int hstartcol; + +-#if !defined(HAVE_VLA) + /* Allocate memory for the join buffer from the heap. */ + if (bufsize > QMFB_JOINBUFSIZE) { + if (!(buf = jas_alloc3(bufsize, numcols, sizeof(jpc_fix_t)))) { +@@ -857,7 +796,6 @@ void jpc_qmfb_join_colres(jpc_fix_t *a, + abort(); + } + } +-#endif + + hstartcol = (numrows + 1 - parity) >> 1; + +@@ -907,12 +845,10 @@ void jpc_qmfb_join_colres(jpc_fix_t *a, + srcptr += numcols; + } + +-#if !defined(HAVE_VLA) + /* If the join buffer was allocated on the heap, free this memory. */ + if (buf != joinbuf) { + jas_free(buf); + } +-#endif + + } + diff --git a/SPECS/jasper.spec b/SPECS/jasper.spec index d3d244d..62f7d54 100644 --- a/SPECS/jasper.spec +++ b/SPECS/jasper.spec @@ -7,7 +7,7 @@ Summary: Implementation of the JPEG-2000 standard, Part 1 Name: jasper Group: System Environment/Libraries Version: 1.900.1 -Release: 26%{?dist}.2 +Release: 26%{?dist}.3 License: JasPer URL: http://www.ece.uvic.ca/~frodo/jasper/ @@ -35,6 +35,8 @@ Patch8: jasper-1.900.1-CVE-2011-4516-CVE-2011-4517-CERT-VU-887409.patch Patch9: jasper-CVE-2014-9029.patch Patch10: jasper-CVE-2014-8137.patch Patch11: jasper-CVE-2014-8138.patch +Patch12: jasper-CVE-2014-8157.patch +Patch13: jasper-CVE-2014-8158.patch # Issues found by static analysis of code Patch110: jasper-1.900.1-Coverity-BAD_SIZEOF.patch @@ -100,6 +102,8 @@ Requires: %{name}-libs%{?_isa} = %{version}-%{release} %patch9 -p1 -b .CVE-2014-9029 %patch10 -p1 -b .CVE-2014-8137 %patch11 -p1 -b .CVE-2014-8138 +%patch12 -p1 -b .CVE-2014-8157 +%patch13 -p1 -b .CVE-2014-8158 %patch110 -p1 -b .BAD_SIZEOF %patch111 -p1 -b .CHECKED_RETURN @@ -177,6 +181,10 @@ make check %changelog +* Mon Jan 19 2015 Jiri Popelka - 1.900.1-26.3 +- CVE-2014-8157 - dec->numtiles off-by-one check in jpc_dec_process_sot() (#1183673) +- CVE-2014-8158 - unrestricted stack memory use in jpc_qmfb.c (#1183681) + * Fri Dec 12 2014 Jiri Popelka - 1.900.1-26.2 - CVE-2014-8137 - double-free in in jas_iccattrval_destroy (#1173568) - CVE-2014-8138 - heap overflow in jp2_decode (#1173568)