diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..d74b1b5
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+SOURCES/jasper-1.900.1.zip
diff --git a/.jasper.metadata b/.jasper.metadata
new file mode 100644
index 0000000..d4cad72
--- /dev/null
+++ b/.jasper.metadata
@@ -0,0 +1 @@
+9c5735f773922e580bf98c7c7dfda9bbed4c5191 SOURCES/jasper-1.900.1.zip
diff --git a/README.md b/README.md
deleted file mode 100644
index 0e7897f..0000000
--- a/README.md
+++ /dev/null
@@ -1,5 +0,0 @@
-The master branch has no content
-
-Look at the c7 branch if you are working with CentOS-7, or the c4/c5/c6 branch for CentOS-4, 5 or 6
-
-If you find this file in a distro specific branch, it means that no content has been checked in yet
diff --git a/SOURCES/jasper-1.701.0-GL-ac.patch b/SOURCES/jasper-1.701.0-GL-ac.patch
new file mode 100644
index 0000000..bf57143
--- /dev/null
+++ b/SOURCES/jasper-1.701.0-GL-ac.patch
@@ -0,0 +1,11 @@
+--- jasper-1.701.0.GEO/configure.ac.GL 2006-02-20 19:58:02.000000000 -0600
++++ jasper-1.701.0.GEO/configure.ac 2006-02-24 07:40:38.000000000 -0600
+@@ -242,7 +242,7 @@
+ OPENGL_LIBS=""
+ if test $ENABLE_OPENGL = yes; then
+ if test $HAVE_OPENGL = no; then
+- TMPLIBS="-lglut -lGL -lGLU $X_PRE_LIBS -lX11 -lXmu -lXi -lXext -lXt $X_EXTRA_LIBS $X_LIBS"
++ TMPLIBS="-lglut -lGL -lGLU"
+ AC_CHECK_LIB(glut, glutInit, [HAVE_OPENGL=yes;
+ OPENGL_LIBS=$TMPLIBS], HAVE_OPENGL=no, $TMPLIBS)
+ fi
diff --git a/SOURCES/jasper-1.701.0-GL.patch b/SOURCES/jasper-1.701.0-GL.patch
new file mode 100644
index 0000000..ba199e2
--- /dev/null
+++ b/SOURCES/jasper-1.701.0-GL.patch
@@ -0,0 +1,11 @@
+--- jasper-1.701.0.GEO/configure.GL 2006-02-20 20:01:30.000000000 -0600
++++ jasper-1.701.0.GEO/configure 2006-02-24 07:40:46.000000000 -0600
+@@ -9464,7 +9464,7 @@
+ OPENGL_LIBS=""
+ if test $ENABLE_OPENGL = yes; then
+ if test $HAVE_OPENGL = no; then
+- TMPLIBS="-lglut -lGL -lGLU $X_PRE_LIBS -lX11 -lXmu -lXi -lXext -lXt $X_EXTRA_LIBS $X_LIBS"
++ TMPLIBS="-lglut -lGL -lGLU"
+ echo "$as_me:$LINENO: checking for glutInit in -lglut" >&5
+ echo $ECHO_N "checking for glutInit in -lglut... $ECHO_C" >&6
+ if test "${ac_cv_lib_glut_glutInit+set}" = set; then
diff --git a/SOURCES/jasper-1.900.1-CVE-2008-3520.patch b/SOURCES/jasper-1.900.1-CVE-2008-3520.patch
new file mode 100644
index 0000000..0f5e3b7
--- /dev/null
+++ b/SOURCES/jasper-1.900.1-CVE-2008-3520.patch
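Review bot: This patch edits the generated `configure` with exactly the TMPLIBS change that jasper-1.701.0-GL-ac.patch makes to `configure.ac`, so the two must be kept in lock-step; whether the spec runs autoreconf (making this one redundant) or not (making the .ac one dead) is not visible on this page. Both patches are named and rooted for a 1.701.0 tree while `.jasper.metadata` records jasper-1.900.1.zip, so they presumably apply with offset/fuzz, and refreshing them against 1.900.1 would make a silent mis-application less likely. A one-line header in the patch file, `Drop the explicit X11 link flags from the glut probe; keep in sync with jasper-1.701.0-GL-ac.patch`, would record the intent for the next rebase.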
@@ -0,0 +1,928 @@ +https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2008-3520 + +OpenBSD jas_malloc hardening patches + +diff -pruN jasper-1.900.1.orig/src/libjasper/base/jas_cm.c jasper-1.900.1/src/libjasper/base/jas_cm.c +--- jasper-1.900.1.orig/src/libjasper/base/jas_cm.c 2007-01-19 22:43:05.000000000 +0100 ++++ jasper-1.900.1/src/libjasper/base/jas_cm.c 2009-10-22 10:27:45.000000000 +0200 +@@ -704,8 +704,7 @@ static int jas_cmpxformseq_resize(jas_cm + { + jas_cmpxform_t **p; + assert(n >= pxformseq->numpxforms); +- p = (!pxformseq->pxforms) ? jas_malloc(n * sizeof(jas_cmpxform_t *)) : +- jas_realloc(pxformseq->pxforms, n * sizeof(jas_cmpxform_t *)); ++ p = jas_realloc2(pxformseq->pxforms, n, sizeof(jas_cmpxform_t *)); + if (!p) { + return -1; + } +@@ -889,13 +888,13 @@ static int jas_cmshapmatlut_set(jas_cmsh + jas_cmshapmatlut_cleanup(lut); + if (curv->numents == 0) { + lut->size = 2; +- if (!(lut->data = jas_malloc(lut->size * sizeof(jas_cmreal_t)))) ++ if (!(lut->data = jas_alloc2(lut->size, sizeof(jas_cmreal_t)))) + goto error; + lut->data[0] = 0.0; + lut->data[1] = 1.0; + } else if (curv->numents == 1) { + lut->size = 256; +- if (!(lut->data = jas_malloc(lut->size * sizeof(jas_cmreal_t)))) ++ if (!(lut->data = jas_alloc2(lut->size, sizeof(jas_cmreal_t)))) + goto error; + gamma = curv->ents[0] / 256.0; + for (i = 0; i < lut->size; ++i) { +@@ -903,7 +902,7 @@ static int jas_cmshapmatlut_set(jas_cmsh + } + } else { + lut->size = curv->numents; +- if (!(lut->data = jas_malloc(lut->size * sizeof(jas_cmreal_t)))) ++ if (!(lut->data = jas_alloc2(lut->size, sizeof(jas_cmreal_t)))) + goto error; + for (i = 0; i < lut->size; ++i) { + lut->data[i] = curv->ents[i] / 65535.0; +@@ -953,7 +952,7 @@ static int jas_cmshapmatlut_invert(jas_c + return -1; + } + } +- if (!(invlut->data = jas_malloc(n * sizeof(jas_cmreal_t)))) ++ if (!(invlut->data = jas_alloc2(n, sizeof(jas_cmreal_t)))) + return -1; + invlut->size = n; + for (i = 0; i < invlut->size; ++i) { +diff -pruN 
jasper-1.900.1.orig/src/libjasper/base/jas_icc.c jasper-1.900.1/src/libjasper/base/jas_icc.c +--- jasper-1.900.1.orig/src/libjasper/base/jas_icc.c 2007-01-19 22:43:05.000000000 +0100 ++++ jasper-1.900.1/src/libjasper/base/jas_icc.c 2009-10-22 10:27:45.000000000 +0200 +@@ -373,7 +373,7 @@ int jas_iccprof_save(jas_iccprof_t *prof + jas_icctagtab_t *tagtab; + + tagtab = &prof->tagtab; +- if (!(tagtab->ents = jas_malloc(prof->attrtab->numattrs * ++ if (!(tagtab->ents = jas_alloc2(prof->attrtab->numattrs, + sizeof(jas_icctagtabent_t)))) + goto error; + tagtab->numents = prof->attrtab->numattrs; +@@ -522,7 +522,7 @@ static int jas_iccprof_gettagtab(jas_str + } + if (jas_iccgetuint32(in, &tagtab->numents)) + goto error; +- if (!(tagtab->ents = jas_malloc(tagtab->numents * ++ if (!(tagtab->ents = jas_alloc2(tagtab->numents, + sizeof(jas_icctagtabent_t)))) + goto error; + tagtabent = tagtab->ents; +@@ -743,8 +743,7 @@ static int jas_iccattrtab_resize(jas_icc + { + jas_iccattr_t *newattrs; + assert(maxents >= tab->numattrs); +- newattrs = tab->attrs ? 
jas_realloc(tab->attrs, maxents * +- sizeof(jas_iccattr_t)) : jas_malloc(maxents * sizeof(jas_iccattr_t)); ++ newattrs = jas_realloc2(tab->attrs, maxents, sizeof(jas_iccattr_t)); + if (!newattrs) + return -1; + tab->attrs = newattrs; +@@ -999,7 +998,7 @@ static int jas_icccurv_input(jas_iccattr + + if (jas_iccgetuint32(in, &curv->numents)) + goto error; +- if (!(curv->ents = jas_malloc(curv->numents * sizeof(jas_iccuint16_t)))) ++ if (!(curv->ents = jas_alloc2(curv->numents, sizeof(jas_iccuint16_t)))) + goto error; + for (i = 0; i < curv->numents; ++i) { + if (jas_iccgetuint16(in, &curv->ents[i])) +@@ -1100,7 +1099,7 @@ static int jas_icctxtdesc_input(jas_icca + if (jas_iccgetuint32(in, &txtdesc->uclangcode) || + jas_iccgetuint32(in, &txtdesc->uclen)) + goto error; +- if (!(txtdesc->ucdata = jas_malloc(txtdesc->uclen * 2))) ++ if (!(txtdesc->ucdata = jas_alloc2(txtdesc->uclen, 2))) + goto error; + if (jas_stream_read(in, txtdesc->ucdata, txtdesc->uclen * 2) != + JAS_CAST(int, txtdesc->uclen * 2)) +@@ -1292,17 +1291,17 @@ static int jas_icclut8_input(jas_iccattr + jas_iccgetuint16(in, &lut8->numouttabents)) + goto error; + clutsize = jas_iccpowi(lut8->clutlen, lut8->numinchans) * lut8->numoutchans; +- if (!(lut8->clut = jas_malloc(clutsize * sizeof(jas_iccuint8_t))) || +- !(lut8->intabsbuf = jas_malloc(lut8->numinchans * +- lut8->numintabents * sizeof(jas_iccuint8_t))) || +- !(lut8->intabs = jas_malloc(lut8->numinchans * ++ if (!(lut8->clut = jas_alloc2(clutsize, sizeof(jas_iccuint8_t))) || ++ !(lut8->intabsbuf = jas_alloc3(lut8->numinchans, ++ lut8->numintabents, sizeof(jas_iccuint8_t))) || ++ !(lut8->intabs = jas_alloc2(lut8->numinchans, + sizeof(jas_iccuint8_t *)))) + goto error; + for (i = 0; i < lut8->numinchans; ++i) + lut8->intabs[i] = &lut8->intabsbuf[i * lut8->numintabents]; +- if (!(lut8->outtabsbuf = jas_malloc(lut8->numoutchans * +- lut8->numouttabents * sizeof(jas_iccuint8_t))) || +- !(lut8->outtabs = jas_malloc(lut8->numoutchans * ++ if 
(!(lut8->outtabsbuf = jas_alloc3(lut8->numoutchans, ++ lut8->numouttabents, sizeof(jas_iccuint8_t))) || ++ !(lut8->outtabs = jas_alloc2(lut8->numoutchans, + sizeof(jas_iccuint8_t *)))) + goto error; + for (i = 0; i < lut8->numoutchans; ++i) +@@ -1461,17 +1460,17 @@ static int jas_icclut16_input(jas_iccatt + jas_iccgetuint16(in, &lut16->numouttabents)) + goto error; + clutsize = jas_iccpowi(lut16->clutlen, lut16->numinchans) * lut16->numoutchans; +- if (!(lut16->clut = jas_malloc(clutsize * sizeof(jas_iccuint16_t))) || +- !(lut16->intabsbuf = jas_malloc(lut16->numinchans * +- lut16->numintabents * sizeof(jas_iccuint16_t))) || +- !(lut16->intabs = jas_malloc(lut16->numinchans * ++ if (!(lut16->clut = jas_alloc2(clutsize, sizeof(jas_iccuint16_t))) || ++ !(lut16->intabsbuf = jas_alloc3(lut16->numinchans, ++ lut16->numintabents, sizeof(jas_iccuint16_t))) || ++ !(lut16->intabs = jas_alloc2(lut16->numinchans, + sizeof(jas_iccuint16_t *)))) + goto error; + for (i = 0; i < lut16->numinchans; ++i) + lut16->intabs[i] = &lut16->intabsbuf[i * lut16->numintabents]; +- if (!(lut16->outtabsbuf = jas_malloc(lut16->numoutchans * +- lut16->numouttabents * sizeof(jas_iccuint16_t))) || +- !(lut16->outtabs = jas_malloc(lut16->numoutchans * ++ if (!(lut16->outtabsbuf = jas_alloc3(lut16->numoutchans, ++ lut16->numouttabents, sizeof(jas_iccuint16_t))) || ++ !(lut16->outtabs = jas_alloc2(lut16->numoutchans, + sizeof(jas_iccuint16_t *)))) + goto error; + for (i = 0; i < lut16->numoutchans; ++i) +diff -pruN jasper-1.900.1.orig/src/libjasper/base/jas_image.c jasper-1.900.1/src/libjasper/base/jas_image.c +--- jasper-1.900.1.orig/src/libjasper/base/jas_image.c 2007-01-19 22:43:05.000000000 +0100 ++++ jasper-1.900.1/src/libjasper/base/jas_image.c 2009-10-22 10:27:45.000000000 +0200 +@@ -142,7 +142,7 @@ jas_image_t *jas_image_create(int numcmp + image->inmem_ = true; + + /* Allocate memory for the per-component information. 
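Review bot: `clutsize` is still produced by an unchecked multiply, `jas_iccpowi(lut8->clutlen, lut8->numinchans) * lut8->numoutchans`, two lines above the new `jas_alloc2(clutsize, sizeof(jas_iccuint8_t))`, so an ICC profile that makes the power or that product wrap still yields an undersized `clut` and the checked allocator never sees the overflow. Passing the factors through the allocator, `jas_alloc3(jas_iccpowi(lut8->clutlen, lut8->numinchans), lut8->numoutchans, sizeof(jas_iccuint8_t))`, closes the outer multiply; the power itself needs its own bound, which I cannot judge without seeing `jas_iccpowi`. The lut16 hunk that follows has the same shape. `jas_icclut8_input` begins above this hunk.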
*/
+- if (!(image->cmpts_ = jas_malloc(image->maxcmpts_ *
++ if (!(image->cmpts_ = jas_alloc2(image->maxcmpts_,
+ sizeof(jas_image_cmpt_t *)))) {
+ jas_image_destroy(image);
+ return 0;
+@@ -774,8 +774,7 @@ static int jas_image_growcmpts(jas_image
+ jas_image_cmpt_t **newcmpts;
+ int cmptno;
+
+- newcmpts = (!image->cmpts_) ? jas_malloc(maxcmpts * sizeof(jas_image_cmpt_t *)) :
+- jas_realloc(image->cmpts_, maxcmpts * sizeof(jas_image_cmpt_t *));
++ newcmpts = jas_realloc2(image->cmpts_, maxcmpts, sizeof(jas_image_cmpt_t *));
+ if (!newcmpts) {
+ return -1;
+ }
+diff -pruN jasper-1.900.1.orig/src/libjasper/base/jas_malloc.c jasper-1.900.1/src/libjasper/base/jas_malloc.c
+--- jasper-1.900.1.orig/src/libjasper/base/jas_malloc.c 2007-01-19 22:43:05.000000000 +0100
++++ jasper-1.900.1/src/libjasper/base/jas_malloc.c 2009-10-22 10:27:45.000000000 +0200
+@@ -76,6 +76,9 @@
+
+ /* We need the prototype for memset. */
+ #include
++#include
++#include
++#include
+
+ #include "jasper/jas_malloc.h"
+
+@@ -113,18 +116,50 @@ void jas_free(void *ptr)
+
+ void *jas_realloc(void *ptr, size_t size)
+ {
+- return realloc(ptr, size);
++ return ptr ?
realloc(ptr, size) : malloc(size); }
+-void *jas_calloc(size_t nmemb, size_t size)
++void *jas_realloc2(void *ptr, size_t nmemb, size_t size)
++{
++ if (!ptr)
++ return jas_alloc2(nmemb, size);
++ if (nmemb && SIZE_MAX / nmemb < size) {
++ errno = ENOMEM;
++ return NULL;
++ }
++ return jas_realloc(ptr, nmemb * size);
++
++}
++
++void *jas_alloc2(size_t nmemb, size_t size)
++{
++ if (nmemb && SIZE_MAX / nmemb < size) {
++ errno = ENOMEM;
++ return NULL;
++ }
++
++ return jas_malloc(nmemb * size);
++}
++
++void *jas_alloc3(size_t a, size_t b, size_t c)
+ {
+- void *ptr;
+ size_t n;
+- n = nmemb * size;
+- if (!(ptr = jas_malloc(n * sizeof(char)))) {
+- return 0;
++
++ if (a && SIZE_MAX / a < b) {
++ errno = ENOMEM;
++ return NULL;
+ }
+- memset(ptr, 0, n);
++
++ return jas_alloc2(a*b, c);
++}
++
++void *jas_calloc(size_t nmemb, size_t size)
++{
++ void *ptr;
++
++ ptr = jas_alloc2(nmemb, size);
++ if (ptr)
++ memset(ptr, 0, nmemb*size);
+ return ptr;
+ }
+
+diff -pruN jasper-1.900.1.orig/src/libjasper/base/jas_seq.c jasper-1.900.1/src/libjasper/base/jas_seq.c
+--- jasper-1.900.1.orig/src/libjasper/base/jas_seq.c 2007-01-19 22:43:05.000000000 +0100
++++ jasper-1.900.1/src/libjasper/base/jas_seq.c 2009-10-22 10:27:45.000000000 +0200
+@@ -114,7 +114,7 @@ jas_matrix_t *jas_matrix_create(int numr
+ matrix->datasize_ = numrows * numcols;
+
+ if (matrix->maxrows_ > 0) {
+- if (!(matrix->rows_ = jas_malloc(matrix->maxrows_ *
++ if (!(matrix->rows_ = jas_alloc2(matrix->maxrows_,
+ sizeof(jas_seqent_t *)))) {
+ jas_matrix_destroy(matrix);
+ return 0;
+@@ -122,7 +122,7 @@ jas_matrix_t *jas_matrix_create(int numr
+ }
+
+ if (matrix->datasize_ > 0) {
+- if (!(matrix->data_ = jas_malloc(matrix->datasize_ *
++ if (!(matrix->data_ = jas_alloc2(matrix->datasize_,
+ sizeof(jas_seqent_t)))) {
+ jas_matrix_destroy(matrix);
+ return 0;
+@@ -220,7 +220,7 @@ void jas_matrix_bindsub(jas_matrix_t *ma
+ mat0->numrows_ = r1 - r0 + 1;
+ mat0->numcols_ = c1 - c0 + 1;
+ mat0->maxrows_ =
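Review bot: `jas_realloc2` forwards a zero product straight to `jas_realloc`, i.e. `realloc(ptr, 0)`, which glibc treats as free-and-return-NULL; every caller converted in this patch then does `if (!p) return -1;` and keeps the now-dangling pointer in its struct for the destructor to free again. Unless no caller can ever resize to zero, clamp the request before the realloc, `if (!(nmemb && size)) nmemb = size = 1;`, or document that a NULL return from a zero-sized resize means `ptr` has already been released. The three added `#include` directives lost their header names in this rendering; `SIZE_MAX` requires `<stdint.h>` and `errno`/`ENOMEM` require `<errno.h>`, so confirm the patch file names them. None of the new functions is commented; a header such as `/* Allocate nmemb * size bytes, returning NULL with errno = ENOMEM if the product would overflow size_t. */` above `jas_alloc2`, with analogous lines above `jas_alloc3` and `jas_realloc2`, is worth adding.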
mat0->numrows_; +- mat0->rows_ = jas_malloc(mat0->maxrows_ * sizeof(jas_seqent_t *)); ++ mat0->rows_ = jas_alloc2(mat0->maxrows_, sizeof(jas_seqent_t *)); + for (i = 0; i < mat0->numrows_; ++i) { + mat0->rows_[i] = mat1->rows_[r0 + i] + c0; + } +diff -pruN jasper-1.900.1.orig/src/libjasper/base/jas_stream.c jasper-1.900.1/src/libjasper/base/jas_stream.c +--- jasper-1.900.1.orig/src/libjasper/base/jas_stream.c 2007-01-19 22:43:05.000000000 +0100 ++++ jasper-1.900.1/src/libjasper/base/jas_stream.c 2009-10-22 10:27:45.000000000 +0200 +@@ -212,7 +212,7 @@ jas_stream_t *jas_stream_memopen(char *b + if (buf) { + obj->buf_ = (unsigned char *) buf; + } else { +- obj->buf_ = jas_malloc(obj->bufsize_ * sizeof(char)); ++ obj->buf_ = jas_malloc(obj->bufsize_); + obj->myalloc_ = 1; + } + if (!obj->buf_) { +@@ -992,7 +992,7 @@ static int mem_resize(jas_stream_memobj_ + unsigned char *buf; + + assert(m->buf_); +- if (!(buf = jas_realloc(m->buf_, bufsize * sizeof(unsigned char)))) { ++ if (!(buf = jas_realloc(m->buf_, bufsize))) { + return -1; + } + m->buf_ = buf; +diff -pruN jasper-1.900.1.orig/src/libjasper/bmp/bmp_dec.c jasper-1.900.1/src/libjasper/bmp/bmp_dec.c +--- jasper-1.900.1.orig/src/libjasper/bmp/bmp_dec.c 2007-01-19 22:43:07.000000000 +0100 ++++ jasper-1.900.1/src/libjasper/bmp/bmp_dec.c 2009-10-22 10:27:45.000000000 +0200 +@@ -283,7 +283,7 @@ static bmp_info_t *bmp_getinfo(jas_strea + } + + if (info->numcolors > 0) { +- if (!(info->palents = jas_malloc(info->numcolors * ++ if (!(info->palents = jas_alloc2(info->numcolors, + sizeof(bmp_palent_t)))) { + bmp_info_destroy(info); + return 0; +diff -pruN jasper-1.900.1.orig/src/libjasper/include/jasper/jas_malloc.h jasper-1.900.1/src/libjasper/include/jasper/jas_malloc.h +--- jasper-1.900.1.orig/src/libjasper/include/jasper/jas_malloc.h 2007-01-19 22:43:04.000000000 +0100 ++++ jasper-1.900.1/src/libjasper/include/jasper/jas_malloc.h 2009-10-22 10:27:45.000000000 +0200 +@@ -95,6 +95,9 @@ extern "C" { + #define jas_free 
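Review bot: `mat0->rows_ = jas_alloc2(mat0->maxrows_, sizeof(jas_seqent_t *));` is still used unchecked by the loop right below it, and `jas_matrix_bindsub` is `void`, so it has no way to report failure; with the overflow path now also returning NULL, an oversized sub-matrix request ends in a NULL write. The qmfb hunks later in this patch `abort()` where they cannot fail gracefully, and the same would be honest here, `if (!mat0->rows_) abort();` before the loop, until the function grows an error return. `jas_matrix_bindsub` starts above this hunk and continues below it.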
MEMFREE + #define jas_realloc MEMREALLOC + #define jas_calloc MEMCALLOC ++#define jas_alloc2(a, b) MEMALLOC((a)*(b)) ++#define jas_alloc3(a, b, c) MEMALLOC((a)*(b)*(c)) ++#define jas_realloc2(p, a, b) MEMREALLOC((p), (a)*(b)) + #endif + + /******************************************************************************\ +@@ -115,6 +118,12 @@ void *jas_realloc(void *ptr, size_t size + /* Allocate a block of memory and initialize the contents to zero. */ + void *jas_calloc(size_t nmemb, size_t size); + ++/* size-checked double allocation .*/ ++void *jas_alloc2(size_t, size_t); ++ ++void *jas_alloc3(size_t, size_t, size_t); ++ ++void *jas_realloc2(void *, size_t, size_t); + #endif + + #ifdef __cplusplus +diff -pruN jasper-1.900.1.orig/src/libjasper/jp2/jp2_cod.c jasper-1.900.1/src/libjasper/jp2/jp2_cod.c +--- jasper-1.900.1.orig/src/libjasper/jp2/jp2_cod.c 2007-01-19 22:43:05.000000000 +0100 ++++ jasper-1.900.1/src/libjasper/jp2/jp2_cod.c 2009-10-22 10:30:24.000000000 +0200 +@@ -247,7 +247,7 @@ jp2_box_t *jp2_box_get(jas_stream_t *in) + box = 0; + tmpstream = 0; + +- if (!(box = jas_malloc(sizeof(jp2_box_t)))) { ++ if (!(box = jas_calloc(1, sizeof(jp2_box_t)))) { + goto error; + } + box->ops = &jp2_boxinfo_unk.ops; +@@ -372,7 +372,7 @@ static int jp2_bpcc_getdata(jp2_box_t *b + jp2_bpcc_t *bpcc = &box->data.bpcc; + unsigned int i; + bpcc->numcmpts = box->datalen; +- if (!(bpcc->bpcs = jas_malloc(bpcc->numcmpts * sizeof(uint_fast8_t)))) { ++ if (!(bpcc->bpcs = jas_alloc2(bpcc->numcmpts, sizeof(uint_fast8_t)))) { + return -1; + } + for (i = 0; i < bpcc->numcmpts; ++i) { +@@ -416,7 +416,7 @@ static int jp2_colr_getdata(jp2_box_t *b + break; + case JP2_COLR_ICC: + colr->iccplen = box->datalen - 3; +- if (!(colr->iccp = jas_malloc(colr->iccplen * sizeof(uint_fast8_t)))) { ++ if (!(colr->iccp = jas_alloc2(colr->iccplen, sizeof(uint_fast8_t)))) { + return -1; + } + if (jas_stream_read(in, colr->iccp, colr->iccplen) != colr->iccplen) { +@@ -453,7 +453,7 @@ static int 
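Review bot: The three new macros, `#define jas_alloc2(a, b) MEMALLOC((a)*(b))` and its siblings, multiply with no overflow check, so a build that takes this `#ifdef` branch (its condition sits above the hunk) gets the CVE-2008-3520 call-site rewrites but none of the protection the jas_malloc.c definitions add. Either carry the check into the macro path or, if jas_malloc.c is still compiled in that configuration, drop these three lines so the checked functions (which already allocate through `jas_malloc`, i.e. `MEMALLOC`) are used. At minimum a comment should say so: `/* NOTE: unlike the jas_malloc.c definitions these do not guard against size_t overflow. */`.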
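Review bot: The only comment on the new prototypes, `/* size-checked double allocation .*/`, has a stray space before `*/` and does not state the contract, and `jas_alloc3`/`jas_realloc2` carry none. Matching the `/* Allocate a block of memory ... */` style of the lines just above, I would write `/* Allocate nmemb objects of size bytes; fails with errno = ENOMEM if nmemb * size would overflow size_t. */` for jas_alloc2, `/* As jas_alloc2, for the three-factor product a * b * c. */` for jas_alloc3, and `/* Overflow-checked realloc; a NULL ptr behaves like jas_alloc2. */` for jas_realloc2.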
jp2_cdef_getdata(jp2_box_t *b + if (jp2_getuint16(in, &cdef->numchans)) { + return -1; + } +- if (!(cdef->ents = jas_malloc(cdef->numchans * sizeof(jp2_cdefchan_t)))) { ++ if (!(cdef->ents = jas_alloc2(cdef->numchans, sizeof(jp2_cdefchan_t)))) { + return -1; + } + for (channo = 0; channo < cdef->numchans; ++channo) { +@@ -766,7 +766,7 @@ static int jp2_cmap_getdata(jp2_box_t *b + unsigned int i; + + cmap->numchans = (box->datalen) / 4; +- if (!(cmap->ents = jas_malloc(cmap->numchans * sizeof(jp2_cmapent_t)))) { ++ if (!(cmap->ents = jas_alloc2(cmap->numchans, sizeof(jp2_cmapent_t)))) { + return -1; + } + for (i = 0; i < cmap->numchans; ++i) { +@@ -828,10 +828,10 @@ static int jp2_pclr_getdata(jp2_box_t *b + return -1; + } + lutsize = pclr->numlutents * pclr->numchans; +- if (!(pclr->lutdata = jas_malloc(lutsize * sizeof(int_fast32_t)))) { ++ if (!(pclr->lutdata = jas_alloc2(lutsize, sizeof(int_fast32_t)))) { + return -1; + } +- if (!(pclr->bpc = jas_malloc(pclr->numchans * sizeof(uint_fast8_t)))) { ++ if (!(pclr->bpc = jas_alloc2(pclr->numchans, sizeof(uint_fast8_t)))) { + return -1; + } + for (i = 0; i < pclr->numchans; ++i) { +diff -pruN jasper-1.900.1.orig/src/libjasper/jp2/jp2_dec.c jasper-1.900.1/src/libjasper/jp2/jp2_dec.c +--- jasper-1.900.1.orig/src/libjasper/jp2/jp2_dec.c 2007-01-19 22:43:05.000000000 +0100 ++++ jasper-1.900.1/src/libjasper/jp2/jp2_dec.c 2009-10-22 10:27:45.000000000 +0200 +@@ -336,7 +336,7 @@ jas_image_t *jp2_decode(jas_stream_t *in + } + + /* Allocate space for the channel-number to component-number LUT. 
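Review bot: `lutsize = pclr->numlutents * pclr->numchans;` is still an unchecked product of two values read from the box, and the new `jas_alloc2(lutsize, sizeof(int_fast32_t))` on the next line only guards the final multiply by the element size, so a wrapped `lutsize` still produces an undersized `lutdata`. Let the allocator see both factors: `if (!(pclr->lutdata = jas_alloc3(pclr->numlutents, pclr->numchans, sizeof(int_fast32_t)))) {` — `lutsize` can stay if it is used for loop bounds below, which I cannot see from here. `jp2_pclr_getdata` begins above this hunk.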
*/ +- if (!(dec->chantocmptlut = jas_malloc(dec->numchans * sizeof(uint_fast16_t)))) { ++ if (!(dec->chantocmptlut = jas_alloc2(dec->numchans, sizeof(uint_fast16_t)))) { + jas_eprintf("error: no memory\n"); + goto error; + } +@@ -354,7 +354,7 @@ jas_image_t *jp2_decode(jas_stream_t *in + if (cmapent->map == JP2_CMAP_DIRECT) { + dec->chantocmptlut[channo] = channo; + } else if (cmapent->map == JP2_CMAP_PALETTE) { +- lutents = jas_malloc(pclrd->numlutents * sizeof(int_fast32_t)); ++ lutents = jas_alloc2(pclrd->numlutents, sizeof(int_fast32_t)); + for (i = 0; i < pclrd->numlutents; ++i) { + lutents[i] = pclrd->lutdata[cmapent->pcol + i * pclrd->numchans]; + } +diff -pruN jasper-1.900.1.orig/src/libjasper/jp2/jp2_enc.c jasper-1.900.1/src/libjasper/jp2/jp2_enc.c +--- jasper-1.900.1.orig/src/libjasper/jp2/jp2_enc.c 2007-01-19 22:43:05.000000000 +0100 ++++ jasper-1.900.1/src/libjasper/jp2/jp2_enc.c 2009-10-22 10:27:45.000000000 +0200 +@@ -191,7 +191,7 @@ int sgnd; + } + bpcc = &box->data.bpcc; + bpcc->numcmpts = jas_image_numcmpts(image); +- if (!(bpcc->bpcs = jas_malloc(bpcc->numcmpts * ++ if (!(bpcc->bpcs = jas_alloc2(bpcc->numcmpts, + sizeof(uint_fast8_t)))) { + goto error; + } +@@ -285,7 +285,7 @@ int sgnd; + } + cdef = &box->data.cdef; + cdef->numchans = jas_image_numcmpts(image); +- cdef->ents = jas_malloc(cdef->numchans * sizeof(jp2_cdefchan_t)); ++ cdef->ents = jas_alloc2(cdef->numchans, sizeof(jp2_cdefchan_t)); + for (i = 0; i < jas_image_numcmpts(image); ++i) { + cdefchanent = &cdef->ents[i]; + cdefchanent->channo = i; +diff -pruN jasper-1.900.1.orig/src/libjasper/jpc/jpc_cs.c jasper-1.900.1/src/libjasper/jpc/jpc_cs.c +--- jasper-1.900.1.orig/src/libjasper/jpc/jpc_cs.c 2009-10-22 09:58:16.000000000 +0200 ++++ jasper-1.900.1/src/libjasper/jpc/jpc_cs.c 2009-10-22 10:27:45.000000000 +0200 +@@ -502,7 +502,7 @@ static int jpc_siz_getparms(jpc_ms_t *ms + !siz->tileheight || !siz->numcomps) { + return -1; + } +- if (!(siz->comps = jas_malloc(siz->numcomps * 
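Review bot: `lutents = jas_alloc2(pclrd->numlutents, sizeof(int_fast32_t));` is never checked before the loop on the next line writes `lutents[i]`, so an allocation failure — now also triggered by a `numlutents` that overflows the product — is a NULL write rather than a decode error. Mirror the `chantocmptlut` hunk just above: `if (!lutents) { jas_eprintf("error: no memory\n"); goto error; }`. `jp2_decode` extends beyond this hunk in both directions.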
sizeof(jpc_sizcomp_t)))) { ++ if (!(siz->comps = jas_alloc2(siz->numcomps, sizeof(jpc_sizcomp_t)))) { + return -1; + } + for (i = 0; i < siz->numcomps; ++i) { +@@ -986,7 +986,7 @@ static int jpc_qcx_getcompparms(jpc_qcxc + jpc_qcx_destroycompparms(compparms); + return -1; + } else if (compparms->numstepsizes > 0) { +- compparms->stepsizes = jas_malloc(compparms->numstepsizes * ++ compparms->stepsizes = jas_alloc2(compparms->numstepsizes, + sizeof(uint_fast16_t)); + assert(compparms->stepsizes); + for (i = 0; i < compparms->numstepsizes; ++i) { +@@ -1094,7 +1094,7 @@ static int jpc_ppm_getparms(jpc_ms_t *ms + + ppm->len = ms->len - 1; + if (ppm->len > 0) { +- if (!(ppm->data = jas_malloc(ppm->len * sizeof(unsigned char)))) { ++ if (!(ppm->data = jas_malloc(ppm->len))) { + goto error; + } + if (JAS_CAST(uint, jas_stream_read(in, ppm->data, ppm->len)) != ppm->len) { +@@ -1163,7 +1163,7 @@ static int jpc_ppt_getparms(jpc_ms_t *ms + } + ppt->len = ms->len - 1; + if (ppt->len > 0) { +- if (!(ppt->data = jas_malloc(ppt->len * sizeof(unsigned char)))) { ++ if (!(ppt->data = jas_malloc(ppt->len))) { + goto error; + } + if (jas_stream_read(in, (char *) ppt->data, ppt->len) != JAS_CAST(int, ppt->len)) { +@@ -1226,7 +1226,7 @@ static int jpc_poc_getparms(jpc_ms_t *ms + uint_fast8_t tmp; + poc->numpchgs = (cstate->numcomps > 256) ? 
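Review bot: `assert(compparms->stepsizes);` remains the only check on the new `jas_alloc2(compparms->numstepsizes, sizeof(uint_fast16_t))`, and it disappears under NDEBUG, leaving the loop below to write through NULL whenever the marker-supplied count overflows or memory runs out. Use the error path the preceding branch already shows: `if (!compparms->stepsizes) { jpc_qcx_destroycompparms(compparms); return -1; }`. `jpc_qcx_getcompparms` starts above this hunk.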
(ms->len / 9) : + (ms->len / 7); +- if (!(poc->pchgs = jas_malloc(poc->numpchgs * sizeof(jpc_pocpchg_t)))) { ++ if (!(poc->pchgs = jas_alloc2(poc->numpchgs, sizeof(jpc_pocpchg_t)))) { + goto error; + } + for (pchgno = 0, pchg = poc->pchgs; pchgno < poc->numpchgs; ++pchgno, +@@ -1331,7 +1331,7 @@ static int jpc_crg_getparms(jpc_ms_t *ms + jpc_crgcomp_t *comp; + uint_fast16_t compno; + crg->numcomps = cstate->numcomps; +- if (!(crg->comps = jas_malloc(cstate->numcomps * sizeof(uint_fast16_t)))) { ++ if (!(crg->comps = jas_alloc2(cstate->numcomps, sizeof(uint_fast16_t)))) { + return -1; + } + for (compno = 0, comp = crg->comps; compno < cstate->numcomps; +@@ -1470,7 +1470,7 @@ static int jpc_unk_getparms(jpc_ms_t *ms + cstate = 0; + + if (ms->len > 0) { +- if (!(unk->data = jas_malloc(ms->len * sizeof(unsigned char)))) { ++ if (!(unk->data = jas_malloc(ms->len))) { + return -1; + } + if (jas_stream_read(in, (char *) unk->data, ms->len) != JAS_CAST(int, ms->len)) { +diff -pruN jasper-1.900.1.orig/src/libjasper/jpc/jpc_dec.c jasper-1.900.1/src/libjasper/jpc/jpc_dec.c +--- jasper-1.900.1.orig/src/libjasper/jpc/jpc_dec.c 2009-10-22 09:58:16.000000000 +0200 ++++ jasper-1.900.1/src/libjasper/jpc/jpc_dec.c 2009-10-22 10:30:50.000000000 +0200 +@@ -449,7 +449,7 @@ static int jpc_dec_process_sot(jpc_dec_t + + if (dec->state == JPC_MH) { + +- compinfos = jas_malloc(dec->numcomps * sizeof(jas_image_cmptparm_t)); ++ compinfos = jas_alloc2(dec->numcomps, sizeof(jas_image_cmptparm_t)); + assert(compinfos); + for (cmptno = 0, cmpt = dec->cmpts, compinfo = compinfos; + cmptno < dec->numcomps; ++cmptno, ++cmpt, ++compinfo) { +@@ -692,7 +692,7 @@ static int jpc_dec_tileinit(jpc_dec_t *d + tile->realmode = 1; + } + tcomp->numrlvls = ccp->numrlvls; +- if (!(tcomp->rlvls = jas_malloc(tcomp->numrlvls * ++ if (!(tcomp->rlvls = jas_alloc2(tcomp->numrlvls, + sizeof(jpc_dec_rlvl_t)))) { + return -1; + } +@@ -764,7 +764,7 @@ rlvl->bands = 0; + rlvl->cbgheightexpn); + + rlvl->numbands = (!rlvlno) 
? 1 : 3; +- if (!(rlvl->bands = jas_malloc(rlvl->numbands * ++ if (!(rlvl->bands = jas_alloc2(rlvl->numbands, + sizeof(jpc_dec_band_t)))) { + return -1; + } +@@ -797,7 +797,7 @@ rlvl->bands = 0; + + assert(rlvl->numprcs); + +- if (!(band->prcs = jas_malloc(rlvl->numprcs * sizeof(jpc_dec_prc_t)))) { ++ if (!(band->prcs = jas_alloc2(rlvl->numprcs, sizeof(jpc_dec_prc_t)))) { + return -1; + } + +@@ -834,7 +834,7 @@ rlvl->bands = 0; + if (!(prc->numimsbstagtree = jpc_tagtree_create(prc->numhcblks, prc->numvcblks))) { + return -1; + } +- if (!(prc->cblks = jas_malloc(prc->numcblks * sizeof(jpc_dec_cblk_t)))) { ++ if (!(prc->cblks = jas_alloc2(prc->numcblks, sizeof(jpc_dec_cblk_t)))) { + return -1; + } + +@@ -1181,7 +1181,7 @@ static int jpc_dec_process_siz(jpc_dec_t + return -1; + } + +- if (!(dec->cmpts = jas_malloc(dec->numcomps * sizeof(jpc_dec_cmpt_t)))) { ++ if (!(dec->cmpts = jas_alloc2(dec->numcomps, sizeof(jpc_dec_cmpt_t)))) { + return -1; + } + +@@ -1204,7 +1204,7 @@ static int jpc_dec_process_siz(jpc_dec_t + dec->numhtiles = JPC_CEILDIV(dec->xend - dec->tilexoff, dec->tilewidth); + dec->numvtiles = JPC_CEILDIV(dec->yend - dec->tileyoff, dec->tileheight); + dec->numtiles = dec->numhtiles * dec->numvtiles; +- if (!(dec->tiles = jas_malloc(dec->numtiles * sizeof(jpc_dec_tile_t)))) { ++ if (!(dec->tiles = jas_calloc(dec->numtiles, sizeof(jpc_dec_tile_t)))) { + return -1; + } + +@@ -1228,7 +1228,7 @@ static int jpc_dec_process_siz(jpc_dec_t + tile->pkthdrstreampos = 0; + tile->pptstab = 0; + tile->cp = 0; +- if (!(tile->tcomps = jas_malloc(dec->numcomps * ++ if (!(tile->tcomps = jas_calloc(dec->numcomps, + sizeof(jpc_dec_tcomp_t)))) { + return -1; + } +@@ -1489,7 +1489,7 @@ static jpc_dec_cp_t *jpc_dec_cp_create(u + cp->numlyrs = 0; + cp->mctid = 0; + cp->csty = 0; +- if (!(cp->ccps = jas_malloc(cp->numcomps * sizeof(jpc_dec_ccp_t)))) { ++ if (!(cp->ccps = jas_alloc2(cp->numcomps, sizeof(jpc_dec_ccp_t)))) { + return 0; + } + if (!(cp->pchglist = 
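Review bot: `dec->numtiles = dec->numhtiles * dec->numvtiles;` is computed in the tile-count type before the new `jas_calloc(dec->numtiles, sizeof(jpc_dec_tile_t))`, so two large SIZ-derived tile counts can wrap `numtiles` to a small value that the checked allocator then accepts. Guard the product before storing it, e.g. `if (dec->numvtiles && dec->numhtiles > INT_MAX / dec->numvtiles) return -1;`, with the limit adjusted to the field's actual type, which is declared outside this hunk. `jpc_dec_process_siz` continues above and below the hunk.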
jpc_pchglist_create())) { +@@ -2048,7 +2048,7 @@ jpc_streamlist_t *jpc_streamlist_create( + } + streamlist->numstreams = 0; + streamlist->maxstreams = 100; +- if (!(streamlist->streams = jas_malloc(streamlist->maxstreams * ++ if (!(streamlist->streams = jas_alloc2(streamlist->maxstreams, + sizeof(jas_stream_t *)))) { + jas_free(streamlist); + return 0; +@@ -2068,8 +2068,8 @@ int jpc_streamlist_insert(jpc_streamlist + /* Grow the array of streams if necessary. */ + if (streamlist->numstreams >= streamlist->maxstreams) { + newmaxstreams = streamlist->maxstreams + 1024; +- if (!(newstreams = jas_realloc(streamlist->streams, +- (newmaxstreams + 1024) * sizeof(jas_stream_t *)))) { ++ if (!(newstreams = jas_realloc2(streamlist->streams, ++ (newmaxstreams + 1024), sizeof(jas_stream_t *)))) { + return -1; + } + for (i = streamlist->numstreams; i < streamlist->maxstreams; ++i) { +@@ -2155,8 +2155,7 @@ int jpc_ppxstab_grow(jpc_ppxstab_t *tab, + { + jpc_ppxstabent_t **newents; + if (tab->maxents < maxents) { +- newents = (tab->ents) ? 
jas_realloc(tab->ents, maxents * +- sizeof(jpc_ppxstabent_t *)) : jas_malloc(maxents * sizeof(jpc_ppxstabent_t *)); ++ newents = jas_realloc2(tab->ents, maxents, sizeof(jpc_ppxstabent_t *)); + if (!newents) { + return -1; + } +diff -pruN jasper-1.900.1.orig/src/libjasper/jpc/jpc_enc.c jasper-1.900.1/src/libjasper/jpc/jpc_enc.c +--- jasper-1.900.1.orig/src/libjasper/jpc/jpc_enc.c 2007-01-19 22:43:07.000000000 +0100 ++++ jasper-1.900.1/src/libjasper/jpc/jpc_enc.c 2009-10-22 10:27:45.000000000 +0200 +@@ -403,7 +403,7 @@ static jpc_enc_cp_t *cp_create(char *opt + vsteplcm *= jas_image_cmptvstep(image, cmptno); + } + +- if (!(cp->ccps = jas_malloc(cp->numcmpts * sizeof(jpc_enc_ccp_t)))) { ++ if (!(cp->ccps = jas_alloc2(cp->numcmpts, sizeof(jpc_enc_ccp_t)))) { + goto error; + } + for (cmptno = 0, ccp = cp->ccps; cmptno < JAS_CAST(int, cp->numcmpts); ++cmptno, +@@ -656,7 +656,7 @@ static jpc_enc_cp_t *cp_create(char *opt + + if (ilyrrates && numilyrrates > 0) { + tcp->numlyrs = numilyrrates + 1; +- if (!(tcp->ilyrrates = jas_malloc((tcp->numlyrs - 1) * ++ if (!(tcp->ilyrrates = jas_alloc2((tcp->numlyrs - 1), + sizeof(jpc_fix_t)))) { + goto error; + } +@@ -940,7 +940,7 @@ startoff = jas_stream_getrwcount(enc->ou + siz->tilewidth = cp->tilewidth; + siz->tileheight = cp->tileheight; + siz->numcomps = cp->numcmpts; +- siz->comps = jas_malloc(siz->numcomps * sizeof(jpc_sizcomp_t)); ++ siz->comps = jas_alloc2(siz->numcomps, sizeof(jpc_sizcomp_t)); + assert(siz->comps); + for (i = 0; i < JAS_CAST(int, cp->numcmpts); ++i) { + siz->comps[i].prec = cp->ccps[i].prec; +@@ -977,7 +977,7 @@ startoff = jas_stream_getrwcount(enc->ou + return -1; + } + crg = &enc->mrk->parms.crg; +- crg->comps = jas_malloc(crg->numcomps * sizeof(jpc_crgcomp_t)); ++ crg->comps = jas_alloc2(crg->numcomps, sizeof(jpc_crgcomp_t)); + if (jpc_putms(enc->out, enc->cstate, enc->mrk)) { + jas_eprintf("cannot write CRG marker\n"); + return -1; +@@ -1955,7 +1955,7 @@ jpc_enc_tile_t *jpc_enc_tile_create(jpc_ + 
tile->mctid = cp->tcp.mctid;
+
+ tile->numlyrs = cp->tcp.numlyrs;
+- if (!(tile->lyrsizes = jas_malloc(tile->numlyrs *
++ if (!(tile->lyrsizes = jas_alloc2(tile->numlyrs,
+ sizeof(uint_fast32_t)))) {
+ goto error;
+ }
+@@ -1964,7 +1964,7 @@ jpc_enc_tile_t *jpc_enc_tile_create(jpc_
+ }
+
+ /* Allocate an array for the per-tile-component information. */
+- if (!(tile->tcmpts = jas_malloc(cp->numcmpts * sizeof(jpc_enc_tcmpt_t)))) {
++ if (!(tile->tcmpts = jas_alloc2(cp->numcmpts, sizeof(jpc_enc_tcmpt_t)))) {
+ goto error;
+ }
+ /* Initialize a few members critical for error recovery. */
+@@ -2110,7 +2110,7 @@ static jpc_enc_tcmpt_t *tcmpt_create(jpc
+ jas_seq2d_ystart(tcmpt->data), jas_seq2d_xend(tcmpt->data),
+ jas_seq2d_yend(tcmpt->data), bandinfos);
+
+- if (!(tcmpt->rlvls = jas_malloc(tcmpt->numrlvls * sizeof(jpc_enc_rlvl_t)))) {
++ if (!(tcmpt->rlvls = jas_alloc2(tcmpt->numrlvls, sizeof(jpc_enc_rlvl_t)))) {
+ goto error;
+ }
+ for (rlvlno = 0, rlvl = tcmpt->rlvls; rlvlno < tcmpt->numrlvls;
+@@ -2213,7 +2213,7 @@ static jpc_enc_rlvl_t *rlvl_create(jpc_e
+ rlvl->numvprcs = JPC_FLOORDIVPOW2(brprcbry - tlprctly, rlvl->prcheightexpn);
+ rlvl->numprcs = rlvl->numhprcs * rlvl->numvprcs;
+
+- if (!(rlvl->bands = jas_malloc(rlvl->numbands * sizeof(jpc_enc_band_t)))) {
++ if (!(rlvl->bands = jas_alloc2(rlvl->numbands, sizeof(jpc_enc_band_t)))) {
+ goto error;
+ }
+ for (bandno = 0, band = rlvl->bands; bandno < rlvl->numbands;
+@@ -2290,7 +2290,7 @@ if (bandinfo->xstart != bandinfo->xend &
+ band->synweight = bandinfo->synenergywt;
+
+ if (band->data) {
+- if (!(band->prcs = jas_malloc(rlvl->numprcs * sizeof(jpc_enc_prc_t)))) {
++ if (!(band->prcs = jas_alloc2(rlvl->numprcs, sizeof(jpc_enc_prc_t)))) {
+ goto error;
+ }
+ for (prcno = 0, prc = band->prcs; prcno < rlvl->numprcs; ++prcno,
+@@ -2422,7 +2422,7 @@ if (!rlvlno) {
+ goto error;
+ }
+
+- if (!(prc->cblks = jas_malloc(prc->numcblks * sizeof(jpc_enc_cblk_t)))) {
++ if (!(prc->cblks = jas_alloc2(prc->numcblks, sizeof(jpc_enc_cblk_t)))) {
+ goto error;
+ }
+ for (cblkno = 0, cblk = prc->cblks; cblkno < prc->numcblks;
+diff -pruN jasper-1.900.1.orig/src/libjasper/jpc/jpc_mqdec.c jasper-1.900.1/src/libjasper/jpc/jpc_mqdec.c
+--- jasper-1.900.1.orig/src/libjasper/jpc/jpc_mqdec.c 2007-01-19 22:43:07.000000000 +0100
++++ jasper-1.900.1/src/libjasper/jpc/jpc_mqdec.c 2009-10-22 10:27:45.000000000 +0200
+@@ -118,7 +118,7 @@ jpc_mqdec_t *jpc_mqdec_create(int maxctx
+ mqdec->in = in;
+ mqdec->maxctxs = maxctxs;
+ /* Allocate memory for the per-context state information. */
+- if (!(mqdec->ctxs = jas_malloc(mqdec->maxctxs * sizeof(jpc_mqstate_t *)))) {
++ if (!(mqdec->ctxs = jas_alloc2(mqdec->maxctxs, sizeof(jpc_mqstate_t *)))) {
+ goto error;
+ }
+ /* Set the current context to the first context. */
+diff -pruN jasper-1.900.1.orig/src/libjasper/jpc/jpc_mqenc.c jasper-1.900.1/src/libjasper/jpc/jpc_mqenc.c
+--- jasper-1.900.1.orig/src/libjasper/jpc/jpc_mqenc.c 2007-01-19 22:43:07.000000000 +0100
++++ jasper-1.900.1/src/libjasper/jpc/jpc_mqenc.c 2009-10-22 10:27:45.000000000 +0200
+@@ -197,7 +197,7 @@ jpc_mqenc_t *jpc_mqenc_create(int maxctx
+ mqenc->maxctxs = maxctxs;
+
+ /* Allocate memory for the per-context state information. */
+- if (!(mqenc->ctxs = jas_malloc(mqenc->maxctxs * sizeof(jpc_mqstate_t *)))) {
++ if (!(mqenc->ctxs = jas_alloc2(mqenc->maxctxs, sizeof(jpc_mqstate_t *)))) {
+ goto error;
+ }
+
+diff -pruN jasper-1.900.1.orig/src/libjasper/jpc/jpc_qmfb.c jasper-1.900.1/src/libjasper/jpc/jpc_qmfb.c
+--- jasper-1.900.1.orig/src/libjasper/jpc/jpc_qmfb.c 2007-01-19 22:43:07.000000000 +0100
++++ jasper-1.900.1/src/libjasper/jpc/jpc_qmfb.c 2009-10-22 10:27:45.000000000 +0200
+@@ -321,7 +321,7 @@ void jpc_qmfb_split_row(jpc_fix_t *a, in
+ #if !defined(HAVE_VLA)
+ /* Get a buffer. */
+ if (bufsize > QMFB_SPLITBUFSIZE) {
+- if (!(buf = jas_malloc(bufsize * sizeof(jpc_fix_t)))) {
++ if (!(buf = jas_alloc2(bufsize, sizeof(jpc_fix_t)))) {
+ /* We have no choice but to commit suicide in this case. */
+ abort();
+ }
+@@ -389,7 +389,7 @@ void jpc_qmfb_split_col(jpc_fix_t *a, in
+ #if !defined(HAVE_VLA)
+ /* Get a buffer. */
+ if (bufsize > QMFB_SPLITBUFSIZE) {
+- if (!(buf = jas_malloc(bufsize * sizeof(jpc_fix_t)))) {
++ if (!(buf = jas_alloc2(bufsize, sizeof(jpc_fix_t)))) {
+ /* We have no choice but to commit suicide in this case. */
+ abort();
+ }
+@@ -460,7 +460,7 @@ void jpc_qmfb_split_colgrp(jpc_fix_t *a,
+ #if !defined(HAVE_VLA)
+ /* Get a buffer. */
+ if (bufsize > QMFB_SPLITBUFSIZE) {
+- if (!(buf = jas_malloc(bufsize * sizeof(jpc_fix_t)))) {
++ if (!(buf = jas_alloc2(bufsize, sizeof(jpc_fix_t)))) {
+ /* We have no choice but to commit suicide in this case. */
+ abort();
+ }
+@@ -549,7 +549,7 @@ void jpc_qmfb_split_colres(jpc_fix_t *a,
+ #if !defined(HAVE_VLA)
+ /* Get a buffer. */
+ if (bufsize > QMFB_SPLITBUFSIZE) {
+- if (!(buf = jas_malloc(bufsize * sizeof(jpc_fix_t)))) {
++ if (!(buf = jas_alloc2(bufsize, sizeof(jpc_fix_t)))) {
+ /* We have no choice but to commit suicide in this case. */
+ abort();
+ }
+@@ -633,7 +633,7 @@ void jpc_qmfb_join_row(jpc_fix_t *a, int
+ #if !defined(HAVE_VLA)
+ /* Allocate memory for the join buffer from the heap. */
+ if (bufsize > QMFB_JOINBUFSIZE) {
+- if (!(buf = jas_malloc(bufsize * sizeof(jpc_fix_t)))) {
++ if (!(buf = jas_alloc2(bufsize, sizeof(jpc_fix_t)))) {
+ /* We have no choice but to commit suicide. */
+ abort();
+ }
+@@ -698,7 +698,7 @@ void jpc_qmfb_join_col(jpc_fix_t *a, int
+ #if !defined(HAVE_VLA)
+ /* Allocate memory for the join buffer from the heap. */
+ if (bufsize > QMFB_JOINBUFSIZE) {
+- if (!(buf = jas_malloc(bufsize * sizeof(jpc_fix_t)))) {
++ if (!(buf = jas_alloc2(bufsize, sizeof(jpc_fix_t)))) {
+ /* We have no choice but to commit suicide. */
+ abort();
+ }
+@@ -766,7 +766,7 @@ void jpc_qmfb_join_colgrp(jpc_fix_t *a,
+ #if !defined(HAVE_VLA)
+ /* Allocate memory for the join buffer from the heap. */
+ if (bufsize > QMFB_JOINBUFSIZE) {
+- if (!(buf = jas_malloc(bufsize * JPC_QMFB_COLGRPSIZE * sizeof(jpc_fix_t)))) {
++ if (!(buf = jas_alloc2(bufsize, JPC_QMFB_COLGRPSIZE * sizeof(jpc_fix_t)))) {
+ /* We have no choice but to commit suicide. */
+ abort();
+ }
+@@ -852,7 +852,7 @@ void jpc_qmfb_join_colres(jpc_fix_t *a,
+ #if !defined(HAVE_VLA)
+ /* Allocate memory for the join buffer from the heap. */
+ if (bufsize > QMFB_JOINBUFSIZE) {
+- if (!(buf = jas_malloc(bufsize * numcols * sizeof(jpc_fix_t)))) {
++ if (!(buf = jas_alloc3(bufsize, numcols, sizeof(jpc_fix_t)))) {
+ /* We have no choice but to commit suicide. */
+ abort();
+ }
+diff -pruN jasper-1.900.1.orig/src/libjasper/jpc/jpc_t1enc.c jasper-1.900.1/src/libjasper/jpc/jpc_t1enc.c
+--- jasper-1.900.1.orig/src/libjasper/jpc/jpc_t1enc.c 2007-01-19 22:43:07.000000000 +0100
++++ jasper-1.900.1/src/libjasper/jpc/jpc_t1enc.c 2009-10-22 10:27:45.000000000 +0200
+@@ -219,7 +219,7 @@ int jpc_enc_enccblk(jpc_enc_t *enc, jas_
+
+ cblk->numpasses = (cblk->numbps > 0) ? (3 * cblk->numbps - 2) : 0;
+ if (cblk->numpasses > 0) {
+- cblk->passes = jas_malloc(cblk->numpasses * sizeof(jpc_enc_pass_t));
++ cblk->passes = jas_alloc2(cblk->numpasses, sizeof(jpc_enc_pass_t));
+ assert(cblk->passes);
+ } else {
+ cblk->passes = 0;
+diff -pruN jasper-1.900.1.orig/src/libjasper/jpc/jpc_t2cod.c jasper-1.900.1/src/libjasper/jpc/jpc_t2cod.c
+--- jasper-1.900.1.orig/src/libjasper/jpc/jpc_t2cod.c 2007-01-19 22:43:07.000000000 +0100
++++ jasper-1.900.1/src/libjasper/jpc/jpc_t2cod.c 2009-10-22 10:27:45.000000000 +0200
+@@ -573,7 +573,7 @@ int jpc_pchglist_insert(jpc_pchglist_t *
+ }
+ if (pchglist->numpchgs >= pchglist->maxpchgs) {
+ newmaxpchgs = pchglist->maxpchgs + 128;
+- if (!(newpchgs = jas_realloc(pchglist->pchgs, newmaxpchgs * sizeof(jpc_pchg_t *)))) {
++ if (!(newpchgs = jas_realloc2(pchglist->pchgs, newmaxpchgs, sizeof(jpc_pchg_t *)))) {
+ return -1;
+ }
+ pchglist->maxpchgs = newmaxpchgs;
+diff -pruN jasper-1.900.1.orig/src/libjasper/jpc/jpc_t2dec.c jasper-1.900.1/src/libjasper/jpc/jpc_t2dec.c
+--- jasper-1.900.1.orig/src/libjasper/jpc/jpc_t2dec.c 2007-01-19 22:43:07.000000000 +0100
++++ jasper-1.900.1/src/libjasper/jpc/jpc_t2dec.c 2009-10-22 10:27:45.000000000 +0200
+@@ -478,7 +478,7 @@ jpc_pi_t *jpc_dec_pi_create(jpc_dec_t *d
+ return 0;
+ }
+ pi->numcomps = dec->numcomps;
+- if (!(pi->picomps = jas_malloc(pi->numcomps * sizeof(jpc_picomp_t)))) {
++ if (!(pi->picomps = jas_alloc2(pi->numcomps, sizeof(jpc_picomp_t)))) {
+ jpc_pi_destroy(pi);
+ return 0;
+ }
+@@ -490,7 +490,7 @@ jpc_pi_t *jpc_dec_pi_create(jpc_dec_t *d
+ for (compno = 0, tcomp = tile->tcomps, picomp = pi->picomps;
+ compno < pi->numcomps; ++compno, ++tcomp, ++picomp) {
+ picomp->numrlvls = tcomp->numrlvls;
+- if (!(picomp->pirlvls = jas_malloc(picomp->numrlvls *
++ if (!(picomp->pirlvls = jas_alloc2(picomp->numrlvls,
+ sizeof(jpc_pirlvl_t)))) {
+ jpc_pi_destroy(pi);
+ return 0;
+@@ -503,7 +503,7 @@ jpc_pi_t *jpc_dec_pi_create(jpc_dec_t *d
+ rlvlno < picomp->numrlvls; ++rlvlno, ++pirlvl, ++rlvl) {
+ /* XXX sizeof(long) should be sizeof different type */
+ pirlvl->numprcs = rlvl->numprcs;
+- if (!(pirlvl->prclyrnos = jas_malloc(pirlvl->numprcs *
++ if (!(pirlvl->prclyrnos = jas_alloc2(pirlvl->numprcs,
+ sizeof(long)))) {
+ jpc_pi_destroy(pi);
+ return 0;
+diff -pruN jasper-1.900.1.orig/src/libjasper/jpc/jpc_t2enc.c jasper-1.900.1/src/libjasper/jpc/jpc_t2enc.c
+--- jasper-1.900.1.orig/src/libjasper/jpc/jpc_t2enc.c 2007-01-19 22:43:07.000000000 +0100
++++ jasper-1.900.1/src/libjasper/jpc/jpc_t2enc.c 2009-10-22 10:27:45.000000000 +0200
+@@ -565,7 +565,7 @@ jpc_pi_t *jpc_enc_pi_create(jpc_enc_cp_t
+ }
+ pi->pktno = -1;
+ pi->numcomps = cp->numcmpts;
+- if (!(pi->picomps = jas_malloc(pi->numcomps * sizeof(jpc_picomp_t)))) {
++ if (!(pi->picomps = jas_alloc2(pi->numcomps, sizeof(jpc_picomp_t)))) {
+ jpc_pi_destroy(pi);
+ return 0;
+ }
+@@ -577,7 +577,7 @@ jpc_pi_t *jpc_enc_pi_create(jpc_enc_cp_t
+ for (compno = 0, tcomp = tile->tcmpts, picomp = pi->picomps;
+ compno < pi->numcomps; ++compno, ++tcomp, ++picomp) {
+ picomp->numrlvls = tcomp->numrlvls;
+- if (!(picomp->pirlvls = jas_malloc(picomp->numrlvls *
++ if (!(picomp->pirlvls = jas_alloc2(picomp->numrlvls,
+ sizeof(jpc_pirlvl_t)))) {
+ jpc_pi_destroy(pi);
+ return 0;
+@@ -591,7 +591,7 @@ jpc_pi_t *jpc_enc_pi_create(jpc_enc_cp_t
+ /* XXX sizeof(long) should be sizeof different type */
+ pirlvl->numprcs = rlvl->numprcs;
+ if (rlvl->numprcs) {
+- if (!(pirlvl->prclyrnos = jas_malloc(pirlvl->numprcs *
++ if (!(pirlvl->prclyrnos = jas_alloc2(pirlvl->numprcs,
+ sizeof(long)))) {
+ jpc_pi_destroy(pi);
+ return 0;
+diff -pruN jasper-1.900.1.orig/src/libjasper/jpc/jpc_tagtree.c jasper-1.900.1/src/libjasper/jpc/jpc_tagtree.c
+--- jasper-1.900.1.orig/src/libjasper/jpc/jpc_tagtree.c 2007-01-19 22:43:07.000000000 +0100
++++ jasper-1.900.1/src/libjasper/jpc/jpc_tagtree.c 2009-10-22 10:27:45.000000000 +0200
+@@ -125,7 +125,7 @@ jpc_tagtree_t *jpc_tagtree_create(int nu
+ ++numlvls;
+ } while (n > 1);
+
+- if (!(tree->nodes_ = jas_malloc(tree->numnodes_ * sizeof(jpc_tagtreenode_t)))) {
++ if (!(tree->nodes_ = jas_alloc2(tree->numnodes_, sizeof(jpc_tagtreenode_t)))) {
+ return 0;
+ }
+
+diff -pruN jasper-1.900.1.orig/src/libjasper/jpc/jpc_util.c jasper-1.900.1/src/libjasper/jpc/jpc_util.c
+--- jasper-1.900.1.orig/src/libjasper/jpc/jpc_util.c 2007-01-19 22:43:07.000000000 +0100
++++ jasper-1.900.1/src/libjasper/jpc/jpc_util.c 2009-10-22 10:27:45.000000000 +0200
+@@ -109,7 +109,7 @@ int jpc_atoaf(char *s, int *numvalues, d
+ }
+
+ if (n) {
+- if (!(vs = jas_malloc(n * sizeof(double)))) {
++ if (!(vs = jas_alloc2(n, sizeof(double)))) {
+ return -1;
+ }
+
+diff -pruN jasper-1.900.1.orig/src/libjasper/mif/mif_cod.c jasper-1.900.1/src/libjasper/mif/mif_cod.c
+--- jasper-1.900.1.orig/src/libjasper/mif/mif_cod.c 2007-01-19 22:43:05.000000000 +0100
++++ jasper-1.900.1/src/libjasper/mif/mif_cod.c 2009-10-22 10:27:45.000000000 +0200
+@@ -438,8 +438,7 @@ static int mif_hdr_growcmpts(mif_hdr_t *
+ int cmptno;
+ mif_cmpt_t **newcmpts;
+ assert(maxcmpts >= hdr->numcmpts);
+- newcmpts = (!hdr->cmpts) ? jas_malloc(maxcmpts * sizeof(mif_cmpt_t *)) :
+- jas_realloc(hdr->cmpts, maxcmpts * sizeof(mif_cmpt_t *));
++ newcmpts = jas_realloc2(hdr->cmpts, maxcmpts, sizeof(mif_cmpt_t *));
+ if (!newcmpts) {
+ return -1;
+ }
diff --git a/SOURCES/jasper-1.900.1-CVE-2008-3522.patch b/SOURCES/jasper-1.900.1-CVE-2008-3522.patch
new file mode 100644
index 0000000..4bf2e9b
--- /dev/null
+++ b/SOURCES/jasper-1.900.1-CVE-2008-3522.patch
@@ -0,0 +1,14 @@
+https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2008-3522
+
+diff -pruN jasper-1.900.1.orig/src/libjasper/base/jas_stream.c jasper-1.900.1/src/libjasper/base/jas_stream.c
+--- jasper-1.900.1.orig/src/libjasper/base/jas_stream.c 2009-10-22 10:27:45.000000000 +0200
++++ jasper-1.900.1/src/libjasper/base/jas_stream.c 2009-10-22 10:35:53.000000000 +0200
+@@ -553,7 +553,7 @@ int jas_stream_printf(jas_stream_t *stre
+ int ret;
+
+ va_start(ap, fmt);
+- ret = vsprintf(buf, fmt, ap);
++ ret = vsnprintf(buf, sizeof buf, fmt, ap);
+ jas_stream_puts(stream, buf);
+ va_end(ap);
+ return ret;
diff --git a/SOURCES/jasper-1.900.1-CVE-2011-4516-CVE-2011-4517-CERT-VU-887409.patch b/SOURCES/jasper-1.900.1-CVE-2011-4516-CVE-2011-4517-CERT-VU-887409.patch
new file mode 100644
index 0000000..f753080
--- /dev/null
+++ b/SOURCES/jasper-1.900.1-CVE-2011-4516-CVE-2011-4517-CERT-VU-887409.patch
@@ -0,0 +1,23 @@
+diff -up jasper-1.900.1/src/libjasper/jpc/jpc_cs.c.CERT-VU-887409 jasper-1.900.1/src/libjasper/jpc/jpc_cs.c
+--- jasper-1.900.1/src/libjasper/jpc/jpc_cs.c.CERT-VU-887409 2011-10-25 17:25:39.000000000 +0200
++++ jasper-1.900.1/src/libjasper/jpc/jpc_cs.c 2011-10-25 17:29:14.379371908 +0200
+@@ -744,6 +744,10 @@ static int jpc_cox_getcompparms(jpc_ms_t
+ return -1;
+ }
+ compparms->numrlvls = compparms->numdlvls + 1;
++ if (compparms->numrlvls > JPC_MAXRLVLS) {
++ jpc_cox_destroycompparms(compparms);
++ return -1;
++ }
+ if (prtflag) {
+ for (i = 0; i < compparms->numrlvls; ++i) {
+ if (jpc_getuint8(in, &tmp)) {
+@@ -1331,7 +1335,7 @@ static int jpc_crg_getparms(jpc_ms_t *ms
+ jpc_crgcomp_t *comp;
+ uint_fast16_t compno;
+ crg->numcomps = cstate->numcomps;
+- if (!(crg->comps = jas_alloc2(cstate->numcomps, sizeof(uint_fast16_t)))) {
++ if (!(crg->comps = jas_alloc2(cstate->numcomps, sizeof(jpc_crgcomp_t)))) {
+ return -1;
+ }
+ for (compno = 0, comp = crg->comps; compno < cstate->numcomps;
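Review bot: `vsnprintf` truncates silently once the formatted text exceeds `buf`, and the `ret` it returns is the length that would have been written, not what `jas_stream_puts` actually emitted, so a caller cannot tell that the stream received a cut-off string. Check the result before writing it out, e.g. `if (ret < 0 || (size_t)ret >= sizeof buf) { va_end(ap); return -1; }` placed before the `jas_stream_puts` call, or otherwise make the truncation visible to the caller. The declaration and size of `buf` are outside the hunk, as is the rest of jas_stream_printf's body.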
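Review bot: The new `JPC_MAXRLVLS` guard carries no comment saying what it protects, although the loop three lines below writes `compparms->rlvls[i]` for every `i < numrlvls`; a note such as `/* rlvls[] holds JPC_MAXRLVLS entries; a larger count from the stream would index past it. */` would tie the check to the array it bounds. In the `jpc_crg_getparms` hunk, `crg->numcomps` is assigned before the allocation that can fail, so whatever later tears down `crg` must not iterate `comps` by `numcomps` on that path; that cleanup is not visible here and is worth confirming. Both enclosing functions start outside their hunks.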
diff --git a/SOURCES/jasper-1.900.1-CVE-2016-9396.patch b/SOURCES/jasper-1.900.1-CVE-2016-9396.patch
new file mode 100644
index 0000000..84b2716
--- /dev/null
+++ b/SOURCES/jasper-1.900.1-CVE-2016-9396.patch
@@ -0,0 +1,50 @@
+diff -urNp old/src/libjasper/jpc/jpc_cs.c new/src/libjasper/jpc/jpc_cs.c
+--- old/src/libjasper/jpc/jpc_cs.c 2018-06-21 09:16:03.401642013 +0200
++++ new/src/libjasper/jpc/jpc_cs.c 2018-06-21 09:36:47.278110112 +0200
+@@ -782,29 +782,37 @@ static int jpc_cox_getcompparms(jpc_ms_t
+ jpc_getuint8(in, &compparms->qmfbid)) {
+ return -1;
+ }
++ if (compparms->numdlvls > 32) {
++ goto error;
++ }
++ if (compparms->qmfbid != JPC_COX_INS &&
++ compparms->qmfbid != JPC_COX_RFT)
++ goto error;
+ compparms->numrlvls = compparms->numdlvls + 1;
+ if (compparms->numrlvls > JPC_MAXRLVLS) {
+- jpc_cox_destroycompparms(compparms);
+- return -1;
++ goto error;
+ }
+ if (prtflag) {
+ for (i = 0; i < compparms->numrlvls; ++i) {
+ if (jpc_getuint8(in, &tmp)) {
+- jpc_cox_destroycompparms(compparms);
+- return -1;
++ goto error;
+ }
+ compparms->rlvls[i].parwidthval = tmp & 0xf;
+ compparms->rlvls[i].parheightval = (tmp >> 4) & 0xf;
+ }
+-/* Sigh. This bit should be in the same field in both COC and COD mrk segs. */
+-compparms->csty |= JPC_COX_PRT;
+- } else {
++ /* Sigh.
++ This bit should be in the same field in both COC and COD mrk segs. */
++ compparms->csty |= JPC_COX_PRT;
+ }
+ if (jas_stream_eof(in)) {
+- jpc_cox_destroycompparms(compparms);
+- return -1;
++ goto error;
+ }
+ return 0;
++error:
++ if (compparms) {
++ jpc_cox_destroycompparms(compparms);
++ }
++ return -1;
+ }
+
+ static int jpc_cox_putcompparms(jpc_ms_t *ms, jpc_cstate_t *cstate,
diff --git a/SOURCES/jasper-1.900.1-CVE-2017-1000050.patch b/SOURCES/jasper-1.900.1-CVE-2017-1000050.patch
new file mode 100644
index 0000000..d6d4ad9
--- /dev/null
+++ b/SOURCES/jasper-1.900.1-CVE-2017-1000050.patch
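Review bot: The second new guard, `if (compparms->qmfbid != JPC_COX_INS && compparms->qmfbid != JPC_COX_RFT) goto error;`, is the only unbraced control body in the hunk while every other `if` braces its `goto`; brace it for consistency and to keep a later edit from silently falling outside the condition. The literal `32` in `if (compparms->numdlvls > 32)` should be a named constant with a comment stating where the bound comes from (it appears to be the codestream's maximum decomposition-level count, with `JPC_MAXRLVLS` presumably one more than that, which is worth confirming). The `if (compparms)` test under `error:` is dead, since `compparms->qmfbid` was already dereferenced above it; `jpc_cox_destroycompparms(compparms);` on its own is clearer. The function's opening lines are outside the hunk.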
@@ -0,0 +1,15 @@
+diff -urNp old/src/libjasper/jp2/jp2_enc.c new/src/libjasper/jp2/jp2_enc.c
+--- old/src/libjasper/jp2/jp2_enc.c 2018-06-21 09:46:45.090301777 +0200
++++ new/src/libjasper/jp2/jp2_enc.c 2018-06-21 10:18:17.602305787 +0200
+@@ -115,6 +115,11 @@ int sgnd;
+ iccstream = 0;
+ iccprof = 0;
+
++ if (jas_image_numcmpts(image) < 1) {
++ // jas_eprintf("image must have at least one component\n");
++ goto error;
++ }
++
+ allcmptssame = 1;
+ sgnd = jas_image_cmptsgnd(image, 0);
+ prec = jas_image_cmptprec(image, 0);
diff --git a/SOURCES/jasper-1.900.1-Coverity-BAD_SIZEOF.patch b/SOURCES/jasper-1.900.1-Coverity-BAD_SIZEOF.patch
new file mode 100644
index 0000000..1977400
--- /dev/null
+++ b/SOURCES/jasper-1.900.1-Coverity-BAD_SIZEOF.patch
@@ -0,0 +1,17 @@
+Error: BAD_SIZEOF
+jpc/jpc_enc.c:2105: bad_sizeof: Taking the size of binary expression "tcmpt->numstepsizes * sizeof (uint_fast16_t) /*8*/" is suspicious.
+ Did you intend "sizeof(tcmpt->numstepsizes) * sizeof (uint_fast16_t) /*8*/"?
+
+diff -up jasper-1.900.1/src/libjasper/jpc/jpc_enc.c.bad_sizeof jasper-1.900.1/src/libjasper/jpc/jpc_enc.c
+--- jasper-1.900.1/src/libjasper/jpc/jpc_enc.c.bad_sizeof 2007-01-19 22:43:07.000000000 +0100
++++ jasper-1.900.1/src/libjasper/jpc/jpc_enc.c 2011-06-23 17:28:17.085690561 +0200
+@@ -2102,8 +2102,7 @@ static jpc_enc_tcmpt_t *tcmpt_create(jpc
+
+ tcmpt->numstepsizes = tcmpt->numbands;
+ assert(tcmpt->numstepsizes <= JPC_MAXBANDS);
+- memset(tcmpt->stepsizes, 0, sizeof(tcmpt->numstepsizes *
+- sizeof(uint_fast16_t)));
++ memset(tcmpt->stepsizes, 0, tcmpt->numstepsizes * sizeof(uint_fast16_t));
+
+ /* Retrieve information about the various bands. */
+ jpc_tsfb_getbands(tcmpt->tsfb, jas_seq2d_xstart(tcmpt->data),
diff --git a/SOURCES/jasper-1.900.1-Coverity-CHECKED_RETURN.patch b/SOURCES/jasper-1.900.1-Coverity-CHECKED_RETURN.patch
new file mode 100644
index 0000000..ea330f2
--- /dev/null
+++ b/SOURCES/jasper-1.900.1-Coverity-CHECKED_RETURN.patch
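Review bot: The commented-out `// jas_eprintf("image must have at least one component\n");` inside the new guard is dead code, and it is also the only `//` comment where the surrounding code uses `/* */`; either emit the diagnostic or replace the line with a why-comment such as `/* cmptsgnd/cmptprec below query component 0, so an empty image must be rejected first */`. The guard itself is what the following `jas_image_cmptsgnd(image, 0)` and `jas_image_cmptprec(image, 0)` calls need. The `error` label and the rest of the function are outside the hunk.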
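Review bot: The corrected `memset` still spells the element size as `sizeof(uint_fast16_t)` rather than taking it from the array itself, so it quietly becomes wrong again if the element type of `stepsizes` ever changes; prefer `memset(tcmpt->stepsizes, 0, tcmpt->numstepsizes * sizeof tcmpt->stepsizes[0]);`. The preceding `assert(tcmpt->numstepsizes <= JPC_MAXBANDS)` is the only visible bound on that write and is compiled out under NDEBUG, so a release build relies on `numbands` having been validated earlier, outside the hunk. tcmpt_create's body starts and ends outside the hunk.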
@@ -0,0 +1,141 @@
+Error: CHECKED_RETURN
+jpc/jpc_cs.c:924: check_return: Calling function "jpc_putuint16" without checking return value (as is done elsewhere 11 out of 13 times).
+jpc/jpc_cs.c:924: unchecked_value: No check of the return value of "jpc_putuint16(out, qcc->compno)".
+
+jpc/jpc_cs.c:1021: check_return: Calling function "jpc_putuint16" without checking return value (as is done elsewhere 11 out of 13 times).
+jpc/jpc_cs.c:1021: unchecked_value: No check of the return value of "jpc_putuint16(out, compparms->stepsizes[i])".
+
+jpc/jpc_cs.c:994: check_return: Calling function "jpc_getuint16" without checking return value (as is done elsewhere 14 out of 16 times).
+jpc/jpc_cs.c:994: unchecked_value: No check of the return value of "jpc_getuint16(in, compparms->stepsizes + i)".
+
+jpc/jpc_cs.c:905: check_return: Calling function "jpc_getuint16" without checking return value (as is done elsewhere 14 out of 16 times).
+jpc/jpc_cs.c:905: unchecked_value: No check of the return value of "jpc_getuint16(in, &qcc->compno)".
+
+jpc/jpc_cs.c:969: check_return: Calling function "jpc_getuint8" without checking return value (as is done elsewhere 17 out of 20 times).
+jpc/jpc_cs.c:969: unchecked_value: No check of the return value of "jpc_getuint8(in, &tmp)".
+
+jpc/jpc_cs.c:991: check_return: Calling function "jpc_getuint8" without checking return value (as is done elsewhere 17 out of 20 times).
+jpc/jpc_cs.c:991: unchecked_value: No check of the return value of "jpc_getuint8(in, &tmp)".
+
+jpc/jpc_cs.c:901: check_return: Calling function "jpc_getuint8" without checking return value (as is done elsewhere 17 out of 20 times).
+jpc/jpc_cs.c:901: unchecked_value: No check of the return value of "jpc_getuint8(in, &tmp)".
+
+jpc/jpc_t2enc.c:338: check_return: Calling function "jpc_putms" without checking return value (as is done elsewhere 12 out of 13 times).
+jpc/jpc_t2enc.c:338: unchecked_value: No check of the return value of "jpc_putms(out, enc->cstate, ms)".
+
+ras/ras_enc.c:245: check_return: Calling function "jas_image_readcmpt" without checking return value (as is done elsewhere 9 out of 10 times).
+ras/ras_enc.c:245: unchecked_value: No check of the return value of "jas_image_readcmpt(image, cmpts[i], 0L, y, image->brx_ - image->tlx_, 1L, data[i])".
+
+diff -up jasper-1.900.1/src/libjasper/jpc/jpc_cs.c.checked_return jasper-1.900.1/src/libjasper/jpc/jpc_cs.c
+--- jasper-1.900.1/src/libjasper/jpc/jpc_cs.c.checked_return 2007-01-19 22:43:07.000000000 +0100
++++ jasper-1.900.1/src/libjasper/jpc/jpc_cs.c 2011-06-24 13:52:25.636551844 +0200
+@@ -898,11 +898,15 @@ static int jpc_qcc_getparms(jpc_ms_t *ms
+ int len;
+ len = ms->len;
+ if (cstate->numcomps <= 256) {
+- jpc_getuint8(in, &tmp);
++ if (jpc_getuint8(in, &tmp)) {
++ return -1;
++ }
+ qcc->compno = tmp;
+ --len;
+ } else {
+- jpc_getuint16(in, &qcc->compno);
++ if (jpc_getuint16(in, &qcc->compno)) {
++ return -1;
++ }
+ len -= 2;
+ }
+ if (jpc_qcx_getcompparms(&qcc->compparms, cstate, in, len)) {
+@@ -919,9 +923,13 @@ static int jpc_qcc_putparms(jpc_ms_t *ms
+ {
+ jpc_qcc_t *qcc = &ms->parms.qcc;
+ if (cstate->numcomps <= 256) {
+- jpc_putuint8(out, qcc->compno);
++ if (jpc_putuint8(out, qcc->compno)) {
++ return -1;
++ }
+ } else {
+- jpc_putuint16(out, qcc->compno);
++ if (jpc_putuint16(out, qcc->compno)) {
++ return -1;
++ }
+ }
+ if (jpc_qcx_putcompparms(&qcc->compparms, cstate, out)) {
+ return -1;
+@@ -966,7 +974,9 @@ static int jpc_qcx_getcompparms(jpc_qcxc
+ cstate = 0;
+
+ n = 0;
+- jpc_getuint8(in, &tmp);
++ if (jpc_getuint8(in, &tmp)) {
++ return -1;
++ }
+ ++n;
+ compparms->qntsty = tmp & 0x1f;
+ compparms->numguard = (tmp >> 5) & 7;
+@@ -988,10 +998,14 @@ static int jpc_qcx_getcompparms(jpc_qcxc
+ assert(compparms->stepsizes);
+ for (i = 0; i < compparms->numstepsizes; ++i) {
+ if (compparms->qntsty == JPC_QCX_NOQNT) {
+- jpc_getuint8(in, &tmp);
++ if (jpc_getuint8(in, &tmp)) {
++ return -1;
++ }
+ compparms->stepsizes[i] = JPC_QCX_EXPN(tmp >> 3);
+ } else {
+- jpc_getuint16(in, &compparms->stepsizes[i]);
++ if (jpc_getuint16(in, &compparms->stepsizes[i])) {
++ return -1;
++ }
+ }
+ }
+ } else {
+@@ -1015,10 +1029,14 @@ static int jpc_qcx_putcompparms(jpc_qcxc
+ jpc_putuint8(out, ((compparms->numguard & 7) << 5) | compparms->qntsty);
+ for (i = 0; i < compparms->numstepsizes; ++i) {
+ if (compparms->qntsty == JPC_QCX_NOQNT) {
+- jpc_putuint8(out, JPC_QCX_GETEXPN(
+- compparms->stepsizes[i]) << 3);
++ if (jpc_putuint8(out, JPC_QCX_GETEXPN(
++ compparms->stepsizes[i]) << 3)) {
++ return -1;
++ }
+ } else {
+- jpc_putuint16(out, compparms->stepsizes[i]);
++ if (jpc_putuint16(out, compparms->stepsizes[i])) {
++ return -1;
++ }
+ }
+ }
+ return 0;
+diff -up jasper-1.900.1/src/libjasper/jpc/jpc_t2enc.c.checked_return jasper-1.900.1/src/libjasper/jpc/jpc_t2enc.c
+--- jasper-1.900.1/src/libjasper/jpc/jpc_t2enc.c.checked_return 2007-01-19 22:43:07.000000000 +0100
++++ jasper-1.900.1/src/libjasper/jpc/jpc_t2enc.c 2011-06-24 12:29:32.069578992 +0200
+@@ -335,7 +335,9 @@ assert(jpc_firstone(datalen) < cblk->num
+ if (!(ms = jpc_ms_create(JPC_MS_EPH))) {
+ return -1;
+ }
+- jpc_putms(out, enc->cstate, ms);
++ if (jpc_putms(out, enc->cstate, ms)) {
++ return -1;
++ }
+ jpc_ms_destroy(ms);
+ }
+
+diff -up jasper-1.900.1/src/libjasper/ras/ras_enc.c.checked_return jasper-1.900.1/src/libjasper/ras/ras_enc.c
+--- jasper-1.900.1/src/libjasper/ras/ras_enc.c.checked_return 2007-01-19 22:43:04.000000000 +0100
++++ jasper-1.900.1/src/libjasper/ras/ras_enc.c 2011-06-24 14:05:31.233482612 +0200
+@@ -242,8 +242,10 @@ static int ras_putdatastd(jas_stream_t *
+
+ for (y = 0; y < hdr->height; y++) {
+ for (i = 0; i < numcmpts; ++i) {
+- jas_image_readcmpt(image, cmpts[i], 0, y, jas_image_width(image),
+- 1, data[i]);
++ if (jas_image_readcmpt(image, cmpts[i], 0, y,
++ jas_image_width(image), 1, data[i])) {
++ return -1;
++ }
+ }
+ z = 0;
+ nz = 0;
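Review bot: In the `jpc_t2enc.c` hunk, the new `return -1` after a failed `jpc_putms` jumps over the `jpc_ms_destroy(ms)` on the next line, so the marker segment created two lines earlier leaks on exactly the path this patch introduces; release it first: `if (jpc_putms(out, enc->cstate, ms)) { jpc_ms_destroy(ms); return -1; }`. In the `jpc_qcx_putcompparms` hunk, the context line `jpc_putuint8(out, ((compparms->numguard & 7) << 5) | compparms->qntsty);` at the top is still unchecked, the same class of defect the patch fixes in the loop beneath it. The enclosing functions in all three files start outside their hunks.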
diff --git a/SOURCES/jasper-1.900.1-Coverity-FORWARD_NULL.patch b/SOURCES/jasper-1.900.1-Coverity-FORWARD_NULL.patch
new file mode 100644
index 0000000..ff526b4
--- /dev/null
+++ b/SOURCES/jasper-1.900.1-Coverity-FORWARD_NULL.patch
@@ -0,0 +1,44 @@
+Error: FORWARD_NULL
+jpc/jpc_dec.c:2207: var_compare_op: Comparing "streams" to null implies that "streams" might be null.
+jpc/jpc_dec.c:2270: var_deref_model: Passing null variable "streams" to function "jpc_streamlist_destroy", which dereferences it.
+jpc/jpc_dec.c:2108: deref_parm: Directly dereferencing parameter "streamlist".
+
+jpc/jpc_t1enc.c:225: assign_zero: Assigning: "cblk->passes" = 0.
+jpc/jpc_t1enc.c:228: alias_transfer: Assigning null: "pass" = "cblk->passes".
+jpc/jpc_t1enc.c:229: var_deref_op: Dereferencing null variable "pass".
+
+diff -up jasper-1.900.1/src/libjasper/jpc/jpc_dec.c.forward_null jasper-1.900.1/src/libjasper/jpc/jpc_dec.c
+--- jasper-1.900.1/src/libjasper/jpc/jpc_dec.c.forward_null 2007-01-19 22:43:07.000000000 +0100
++++ jasper-1.900.1/src/libjasper/jpc/jpc_dec.c 2011-06-24 15:01:39.200600146 +0200
+@@ -2267,7 +2267,9 @@ jpc_streamlist_t *jpc_ppmstabtostreams(j
+ return streams;
+
+ error:
+- jpc_streamlist_destroy(streams);
++ if (streams) {
++ jpc_streamlist_destroy(streams);
++ }
+ return 0;
+ }
+
+diff -up jasper-1.900.1/src/libjasper/jpc/jpc_t1enc.c.forward_null jasper-1.900.1/src/libjasper/jpc/jpc_t1enc.c
+--- jasper-1.900.1/src/libjasper/jpc/jpc_t1enc.c.forward_null 2007-01-19 22:43:07.000000000 +0100
++++ jasper-1.900.1/src/libjasper/jpc/jpc_t1enc.c 2011-06-24 14:58:33.061248133 +0200
+@@ -224,7 +224,7 @@ int jpc_enc_enccblk(jpc_enc_t *enc, jas_
+ } else {
+ cblk->passes = 0;
+ }
+- endpasses = &cblk->passes[cblk->numpasses];
++ endpasses = (cblk->passes) ? &cblk->passes[cblk->numpasses] : 0;
+ for (pass = cblk->passes; pass != endpasses; ++pass) {
+ pass->start = 0;
+ pass->end = 0;
+@@ -352,7 +352,7 @@ dump_passes(cblk->passes, cblk->numpasse
+ #endif
+
+ n = 0;
+- endpasses = &cblk->passes[cblk->numpasses];
++ endpasses = (cblk->passes) ? &cblk->passes[cblk->numpasses] : 0;
+ for (pass = cblk->passes; pass != endpasses; ++pass) {
+ if (pass->start < n) {
+ pass->start = n;
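Review bot: The expression `endpasses = (cblk->passes) ? &cblk->passes[cblk->numpasses] : 0;` is duplicated verbatim in both `jpc_t1enc.c` hunks with no explanation of why the test is needed, so a later cleanup could fold it back to the original form; a comment on each such as `/* passes is left null when there are no passes; forming &passes[n] from a null pointer is undefined, so do not index it */` records the reason. Since the value depends only on `cblk`, a small `static` helper that computes it once would remove the duplication as well. Both occurrences sit inside `jpc_enc_enccblk`, whose body starts and ends outside the hunks.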
diff --git a/SOURCES/jasper-1.900.1-Coverity-NULL_RETURNS.patch b/SOURCES/jasper-1.900.1-Coverity-NULL_RETURNS.patch
new file mode 100644
index 0000000..4c72270
--- /dev/null
+++ b/SOURCES/jasper-1.900.1-Coverity-NULL_RETURNS.patch
@@ -0,0 +1,61 @@
+Error: NULL_RETURNS
+base/jas_image.c:213: returned_null: Function "jas_image_create0" returns null (checked 6 out of 7 times).
+base/jas_image.c:213: var_assigned: Assigning: "newimage" = null return value from "jas_image_create0".
+base/jas_image.c:214: dereference: Dereferencing a pointer that might be null "newimage" when calling "jas_image_growcmpts".
+base/jas_image.c:777: deref_parm: Directly dereferencing parameter "image".
+
+base/jas_seq.c:223: returned_null: Function "jas_malloc" returns null (checked 110 out of 119 times).
+base/jas_seq.c:223: var_assigned: Assigning: "mat0->rows_" = null return value from "jas_malloc".
+base/jas_seq.c:225: dereference: Dereferencing a null pointer "mat0->rows_".
+
+jp2/jp2_cod.c:484: returned_null: Function "jas_stream_memopen" returns null (checked 12 out of 15 times).
+jp2/jp2_cod.c:484: var_assigned: Assigning: "tmpstream" = null return value from "jas_stream_memopen".
+jp2/jp2_cod.c:490: dereference: Dereferencing a pointer that might be null "tmpstream" when calling "jas_stream_tell".
+base/jas_stream.c:677: deref_parm: Directly dereferencing parameter "stream".
+
+
+diff -up jasper-1.900.1/src/libjasper/base/jas_image.c.NULL_RETURNS jasper-1.900.1/src/libjasper/base/jas_image.c
+--- jasper-1.900.1/src/libjasper/base/jas_image.c.NULL_RETURNS 2011-12-08 14:00:05.350020869 +0100
++++ jasper-1.900.1/src/libjasper/base/jas_image.c 2011-12-08 14:00:06.638004766 +0100
+@@ -210,7 +210,10 @@ jas_image_t *jas_image_copy(jas_image_t
+ jas_image_t *newimage;
+ int cmptno;
+
+- newimage = jas_image_create0();
++ if (!(newimage = jas_image_create0())) {
++ goto error;
++ }
++
+ if (jas_image_growcmpts(newimage, image->numcmpts_)) {
+ goto error;
+ }
+diff -up jasper-1.900.1/src/libjasper/base/jas_seq.c.NULL_RETURNS jasper-1.900.1/src/libjasper/base/jas_seq.c
+--- jasper-1.900.1/src/libjasper/base/jas_seq.c.NULL_RETURNS 2011-12-08 14:00:05.000000000 +0100
++++ jasper-1.900.1/src/libjasper/base/jas_seq.c 2011-12-08 14:15:12.449680562 +0100
+@@ -220,7 +220,11 @@ void jas_matrix_bindsub(jas_matrix_t *ma
+ mat0->numrows_ = r1 - r0 + 1;
+ mat0->numcols_ = c1 - c0 + 1;
+ mat0->maxrows_ = mat0->numrows_;
+- mat0->rows_ = jas_alloc2(mat0->maxrows_, sizeof(jas_seqent_t *));
++ if (!(mat0->rows_ = jas_alloc2(mat0->maxrows_, sizeof(jas_seqent_t *)))) {
++ jas_matrix_destroy(mat0);
++ return;
++ }
++
+ for (i = 0; i < mat0->numrows_; ++i) {
+ mat0->rows_[i] = mat1->rows_[r0 + i] + c0;
+ }
+diff -up jasper-1.900.1/src/libjasper/jp2/jp2_cod.c.NULL_RETURNS jasper-1.900.1/src/libjasper/jp2/jp2_cod.c
+--- jasper-1.900.1/src/libjasper/jp2/jp2_cod.c.NULL_RETURNS 2011-12-08 14:00:05.633017331 +0100
++++ jasper-1.900.1/src/libjasper/jp2/jp2_cod.c 2011-12-08 14:00:06.677004279 +0100
+@@ -481,7 +481,9 @@ int jp2_box_put(jp2_box_t *box, jas_stre
+ dataflag = !(box->info->flags & (JP2_BOX_SUPER | JP2_BOX_NODATA));
+
+ if (dataflag) {
+- tmpstream = jas_stream_memopen(0, 0);
++ if (!(tmpstream = jas_stream_memopen(0, 0))) {
++ goto error;
++ }
+ if (box->ops->putdata) {
+ if ((*box->ops->putdata)(box, tmpstream)) {
+ goto error;
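Review bot: In the `jas_seq.c` hunk, `jas_matrix_bindsub` is `void` (per the hunk header), so the new allocation-failure path returns silently, and it calls `jas_matrix_destroy(mat0)` on an object the function received from its caller; if the caller still owns `mat0`, it is left holding a dangling pointer and will most likely destroy it a second time. A safer shape is to leave `mat0` alive with `mat0->rows_` null and its row/column counts zeroed, and document that callers must check `rows_`, or to change the function to return an error code; the ownership rule for `mat0` is not visible here and should be confirmed before choosing. The `jas_image.c` hunk's `goto error` with a null `newimage` relies on the label's cleanup tolerating that, which is outside the hunk.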
diff --git a/SOURCES/jasper-1.900.1-Coverity-RESOURCE_LEAK.patch b/SOURCES/jasper-1.900.1-Coverity-RESOURCE_LEAK.patch
new file mode 100644
index 0000000..76f5da7
--- /dev/null
+++ b/SOURCES/jasper-1.900.1-Coverity-RESOURCE_LEAK.patch
@@ -0,0 +1,202 @@
+Error: RESOURCE_LEAK
+src/appl/imgcmp.c:504: var_assign: Assigning: "diffimage" = storage returned from "jas_image_create(3, compparms, 1025)".
+src/appl/imgcmp.c:511: leaked_storage: Variable "diffimage" going out of scope leaks the storage it points to.
+src/appl/imgcmp.c:537: leaked_storage: Variable "diffimage" going out of scope leaks the storage it points to.
+
+base/jas_image.c:254: var_assign: Assigning: "newcmpt" = storage returned from "jas_image_cmpt_create0()".
+base/jas_image.c:268: leaked_storage: Variable "newcmpt" going out of scope leaks the storage it points to.
+base/jas_image.c:271: leaked_storage: Variable "newcmpt" going out of scope leaks the storage it points to.
+base/jas_image.c:274: leaked_storage: Variable "newcmpt" going out of scope leaks the storage it points to.
+base/jas_image.c:277: leaked_storage: Variable "newcmpt" going out of scope leaks the storage it points to.
+
+base/jas_cm.c:611: var_assign: Assigning: "newpxformseq" = storage returned from "jas_cmpxformseq_create()".
+base/jas_cm.c:617: leaked_storage: Variable "newpxformseq" going out of scope leaks the storage it points to.
+
+base/jas_cm.c:343: var_assign: Assigning: "newprof" = storage returned from "jas_cmprof_create()".
+base/jas_cm.c:358: leaked_storage: Variable "newprof" going out of scope leaks the storage it points to.
+
+base/jas_cm.c:380: var_assign: Assigning: "xform" = storage returned from "jas_malloc(sizeof (jas_cmxform_t) /*16*/)".
+base/jas_cm.c:461: leaked_storage: Variable "xform" going out of scope leaks the storage it points to.
+
+base/jas_image.c:1379: var_assign: Assigning: "xform" = storage returned from "jas_cmxform_create(inprof, outprof, NULL, 0, intent, 0)".
+base/jas_image.c:1444: leaked_storage: Variable "xform" going out of scope leaks the storage it points to.
+
+base/jas_image.c:1306: var_assign: Assigning: "inimage" = storage returned from "jas_image_copy(image)".
+base/jas_image.c:1444: leaked_storage: Variable "inimage" going out of scope leaks the storage it points to.
+
+base/jas_image.c:1345: var_assign: Assigning: "outimage" = storage returned from "jas_image_create0()".
+base/jas_image.c:1444: leaked_storage: Variable "outimage" going out of scope leaks the storage it points to.
+
+bmp/bmp_enc.c:187: var_assign: Assigning: "info" = storage returned from "bmp_info_create()".
+bmp/bmp_enc.c:208: leaked_storage: Variable "info" going out of scope leaks the storage it points to.
+
+jpc/jpc_tagtree.c:111: var_assign: Assigning: "tree" = storage returned from "jpc_tagtree_alloc()".
+jpc/jpc_tagtree.c:129: leaked_storage: Variable "tree" going out of scope leaks the storage it points to.
+
+jpc/jpc_dec.c:452: var_assign: Assigning: "compinfos" = storage returned from "jas_malloc(dec->numcomps * sizeof (jas_image_cmptparm_t) /*56*/)".
+jpc/jpc_dec.c:468: leaked_storage: Variable "compinfos" going out of scope leaks the storage it points to.
+
+jpc/jpc_dec.c:1483: var_assign: Assigning: "cp" = storage returned from "jas_malloc(sizeof (jpc_dec_cp_t) /*48*/)".
+jpc/jpc_dec.c:1493: leaked_storage: Variable "cp" going out of scope leaks the storage it points to.
+jpc/jpc_dec.c:1497: leaked_storage: Variable "cp" going out of scope leaks the storage it points to.
+
+mif/mif_cod.c:523: var_assign: Assigning: "cmpt" = storage returned from "mif_cmpt_create()".
+mif/mif_cod.c:568: leaked_storage: Variable "cmpt" going out of scope leaks the storage it points to.
+
+mif/mif_cod.c:568: leaked_storage: Variable "tvp" going out of scope leaks the storage it points to.
+
+
+diff -up jasper-1.900.1/src/appl/imgcmp.c.RESOURCE_LEAK jasper-1.900.1/src/appl/imgcmp.c
+--- jasper-1.900.1/src/appl/imgcmp.c.RESOURCE_LEAK 2007-01-19 22:43:08.000000000 +0100
++++ jasper-1.900.1/src/appl/imgcmp.c 2011-12-08 14:16:04.727027007 +0100
+@@ -507,6 +507,7 @@ jas_image_t *makediffimage(jas_matrix_t
+
+ for (i = 0; i < 3; ++i) {
+ if (!(diffdata[i] = jas_matrix_create(height, width))) {
++ jas_image_destroy(diffimage);
+ fprintf(stderr, "internal error\n");
+ return 0;
+ }
+@@ -534,6 +535,7 @@ jas_image_t *makediffimage(jas_matrix_t
+
+ for (i = 0; i < 3; ++i) {
+ if (jas_image_writecmpt(diffimage, i, 0, 0, width, height, diffdata[i])) {
++ jas_image_destroy(diffimage);
+ return 0;
+ }
+ }
+diff -up jasper-1.900.1/src/libjasper/base/jas_cm.c.RESOURCE_LEAK jasper-1.900.1/src/libjasper/base/jas_cm.c
+--- jasper-1.900.1/src/libjasper/base/jas_cm.c.RESOURCE_LEAK 2011-12-08 14:16:03.387043758 +0100
++++ jasper-1.900.1/src/libjasper/base/jas_cm.c 2011-12-08 14:16:04.728026994 +0100
+@@ -355,6 +355,8 @@ jas_cmprof_t *jas_cmprof_copy(jas_cmprof
+ }
+ return newprof;
+ error:
++ if (newprof)
++ jas_cmprof_destroy(newprof);
+ return 0;
+ }
+
+@@ -458,6 +460,8 @@ jas_cmxform_t *jas_cmxform_create(jas_cm
+ }
+ return xform;
+ error:
++ if (xform)
++ jas_cmxform_destroy(xform);
+ return 0;
+ }
+
+@@ -614,6 +618,8 @@ static jas_cmpxformseq_t *jas_cmpxformse
+ goto error;
+ return newpxformseq;
+ error:
++ if (newpxformseq)
++ jas_cmpxformseq_destroy(newpxformseq);
+ return 0;
+ }
+
+diff -up jasper-1.900.1/src/libjasper/base/jas_image.c.RESOURCE_LEAK jasper-1.900.1/src/libjasper/base/jas_image.c
+--- jasper-1.900.1/src/libjasper/base/jas_image.c.RESOURCE_LEAK 2011-12-08 14:16:04.635028156 +0100
++++ jasper-1.900.1/src/libjasper/base/jas_image.c 2011-12-08 14:16:04.776026394 +0100
+@@ -268,15 +268,19 @@ static jas_image_cmpt_t *jas_image_cmpt_
+ newcmpt->cps_ = cmpt->cps_;
+ newcmpt->type_ = cmpt->type_;
+ if (!(newcmpt->stream_ = jas_stream_memopen(0, 0))) {
++ jas_image_cmpt_destroy(newcmpt);
+ return 0;
+ }
+ if (jas_stream_seek(cmpt->stream_, 0, SEEK_SET)) {
++ jas_image_cmpt_destroy(newcmpt);
+ return 0;
+ }
+ if (jas_stream_copy(newcmpt->stream_, cmpt->stream_, -1)) {
++ jas_image_cmpt_destroy(newcmpt);
+ return 0;
+ }
+ if (jas_stream_seek(newcmpt->stream_, 0, SEEK_SET)) {
++ jas_image_cmpt_destroy(newcmpt);
+ return 0;
+ }
+ return newcmpt;
+@@ -1443,5 +1447,11 @@ jas_image_dump(outimage, stderr);
+ #endif
+ return outimage;
+ error:
++ if (xform)
++ jas_cmxform_destroy(xform);
++ if (inimage)
++ jas_image_destroy(inimage);
++ if (outimage)
++ jas_image_destroy(outimage);
+ return 0;
+ }
+diff -up jasper-1.900.1/src/libjasper/bmp/bmp_enc.c.RESOURCE_LEAK jasper-1.900.1/src/libjasper/bmp/bmp_enc.c
+--- jasper-1.900.1/src/libjasper/bmp/bmp_enc.c.RESOURCE_LEAK 2007-01-19 22:43:07.000000000 +0100
++++ jasper-1.900.1/src/libjasper/bmp/bmp_enc.c 2011-12-08 14:16:04.826025768 +0100
+@@ -205,16 +205,19 @@ int bmp_encode(jas_image_t *image, jas_s
+
+ /* Write the bitmap header. */
+ if (bmp_puthdr(out, &hdr)) {
++ bmp_info_destroy(info);
+ return -1;
+ }
+
+ /* Write the bitmap information. */
+ if (bmp_putinfo(out, info)) {
++ bmp_info_destroy(info);
+ return -1;
+ }
+
+ /* Write the bitmap data. */
+ if (bmp_putdata(out, info, image, enc->cmpts)) {
++ bmp_info_destroy(info);
+ return -1;
+ }
+
+diff -up jasper-1.900.1/src/libjasper/jpc/jpc_dec.c.RESOURCE_LEAK jasper-1.900.1/src/libjasper/jpc/jpc_dec.c
+--- jasper-1.900.1/src/libjasper/jpc/jpc_dec.c.RESOURCE_LEAK 2011-12-08 14:16:04.594028668 +0100
++++ jasper-1.900.1/src/libjasper/jpc/jpc_dec.c 2011-12-08 14:17:25.677014992 +0100
+@@ -465,6 +465,7 @@ static int jpc_dec_process_sot(jpc_dec_t
+
+ if (!(dec->image = jas_image_create(dec->numcomps, compinfos,
+ JAS_CLRSPC_UNKNOWN))) {
++ jas_free(compinfos);
+ return -1;
+ }
+ jas_free(compinfos);
+@@ -1490,10 +1491,11 @@ static jpc_dec_cp_t *jpc_dec_cp_create(u
+ cp->mctid = 0;
+ cp->csty = 0;
+ if (!(cp->ccps = jas_alloc2(cp->numcomps, sizeof(jpc_dec_ccp_t)))) {
++ jpc_dec_cp_destroy(cp);
+ return 0;
+ }
+ if (!(cp->pchglist = jpc_pchglist_create())) {
+- jas_free(cp->ccps);
++ jpc_dec_cp_destroy(cp);
+ return 0;
+ }
+ for (compno = 0, ccp = cp->ccps; compno < cp->numcomps;
+diff -up jasper-1.900.1/src/libjasper/jpc/jpc_tagtree.c.RESOURCE_LEAK jasper-1.900.1/src/libjasper/jpc/jpc_tagtree.c
+--- jasper-1.900.1/src/libjasper/jpc/jpc_tagtree.c.RESOURCE_LEAK 2011-12-08 14:16:04.000000000 +0100
++++ jasper-1.900.1/src/libjasper/jpc/jpc_tagtree.c 2011-12-08 14:17:55.905637082 +0100
+@@ -126,6 +126,7 @@ jpc_tagtree_t *jpc_tagtree_create(int nu
+ } while (n > 1);
+
+ if (!(tree->nodes_ = jas_alloc2(tree->numnodes_, sizeof(jpc_tagtreenode_t)))) {
++ jpc_tagtree_destroy(tree);
+ return 0;
+ }
+
+diff -up jasper-1.900.1/src/libjasper/mif/mif_cod.c.RESOURCE_LEAK jasper-1.900.1/src/libjasper/mif/mif_cod.c
+--- jasper-1.900.1/src/libjasper/mif/mif_cod.c.RESOURCE_LEAK 2011-12-08 14:16:04.250032970 +0100
++++ jasper-1.900.1/src/libjasper/mif/mif_cod.c 2011-12-08 14:16:04.967024005 +0100
+@@ -564,7 +564,7 @@ static int mif_process_cmpt(mif_hdr_t *h
+ break;
+ case MIF_DATA:
+ if (!(cmpt->data = jas_strdup(jas_tvparser_getval(tvp)))) {
+- return -1;
++ goto error;
+ }
+ break;
+ }
diff --git a/SOURCES/jasper-1.900.1-Coverity-UNREACHABLE.patch b/SOURCES/jasper-1.900.1-Coverity-UNREACHABLE.patch
new file mode 100644
index 0000000..3cae294
--- /dev/null
+++ b/SOURCES/jasper-1.900.1-Coverity-UNREACHABLE.patch
@@ -0,0 +1,37 @@
+Error: UNREACHABLE
+jp2/jp2_cod.c:304: unreachable: This code cannot be reached: "abort();".
+
+jp2/jp2_cod.c:514: unreachable: This code cannot be reached: "abort();".
+
+jp2/jp2_enc.c:354: unreachable: This code cannot be reached: "abort();".
+
+diff -up jasper-1.900.1/src/libjasper/jp2/jp2_cod.c.unreachable jasper-1.900.1/src/libjasper/jp2/jp2_cod.c
+--- jasper-1.900.1/src/libjasper/jp2/jp2_cod.c.unreachable 2007-01-19 22:43:05.000000000 +0100
++++ jasper-1.900.1/src/libjasper/jp2/jp2_cod.c 2011-06-27 15:28:13.083137952 +0200
+@@ -301,7 +301,6 @@ jp2_box_t *jp2_box_get(jas_stream_t *in)
+ }
+
+ return box;
+- abort();
+
+ error:
+ if (box) {
+@@ -511,7 +510,6 @@ int jp2_box_put(jp2_box_t *box, jas_stre
+ }
+
+ return 0;
+- abort();
+
+ error:
+
+diff -up jasper-1.900.1/src/libjasper/jp2/jp2_enc.c.unreachable jasper-1.900.1/src/libjasper/jp2/jp2_enc.c
+--- jasper-1.900.1/src/libjasper/jp2/jp2_enc.c.unreachable 2007-01-19 22:43:05.000000000 +0100
++++ jasper-1.900.1/src/libjasper/jp2/jp2_enc.c 2011-06-27 15:27:58.858353979 +0200
+@@ -351,7 +351,6 @@ int sgnd;
+ }
+
+ return 0;
+- abort();
+
+ error:
+
diff --git a/SOURCES/jasper-1.900.1-Coverity-UNUSED_VALUE.patch b/SOURCES/jasper-1.900.1-Coverity-UNUSED_VALUE.patch
new file mode 100644
index 0000000..e7d4cb5
--- /dev/null
+++ b/SOURCES/jasper-1.900.1-Coverity-UNUSED_VALUE.patch
@@ -0,0 +1,41 @@ +Error: UNUSED_VALUE +base/jas_icc.c:328: returned_pointer: Pointer "attrvalinfo" returned by "jas_iccattrvalinfo_lookup(type)" is never used. + +jpc/jpc_enc.c:788: returned_pointer: Pointer "cp" returned by "strchr(s, 66)" is never used. + +diff -up jasper-1.900.1/src/libjasper/base/jas_icc.c.unused_value jasper-1.900.1/src/libjasper/base/jas_icc.c +--- jasper-1.900.1/src/libjasper/base/jas_icc.c.unused_value 2007-01-19 22:43:05.000000000 +0100 ++++ jasper-1.900.1/src/libjasper/base/jas_icc.c 2011-06-27 15:35:52.815263000 +0200 +@@ -266,7 +266,6 @@ jas_iccprof_t *jas_iccprof_load(jas_stre + jas_iccattrval_t *attrval; + jas_iccattrval_t *prevattrval; + jas_icctagtabent_t *tagtabent; +- jas_iccattrvalinfo_t *attrvalinfo; + int i; + int len; + +@@ -325,7 +324,7 @@ jas_iccprof_t *jas_iccprof_load(jas_stre + goto error; + } + curoff += 8; +- if (!(attrvalinfo = jas_iccattrvalinfo_lookup(type))) { ++ if (!jas_iccattrvalinfo_lookup(type)) { + #if 0 + jas_eprintf("warning: skipping unknown tag type\n"); + #endif +diff -up jasper-1.900.1/src/libjasper/jpc/jpc_enc.c.unused_value jasper-1.900.1/src/libjasper/jpc/jpc_enc.c +--- jasper-1.900.1/src/libjasper/jpc/jpc_enc.c.unused_value 2007-01-19 22:43:07.000000000 +0100 ++++ jasper-1.900.1/src/libjasper/jpc/jpc_enc.c 2011-06-27 15:36:17.437900180 +0200 +@@ -781,11 +781,10 @@ void jpc_enc_cp_destroy(jpc_enc_cp_t *cp + + int ratestrtosize(char *s, uint_fast32_t rawsize, uint_fast32_t *size) + { +- char *cp; + jpc_flt_t f; + + /* Note: This function must not modify output size on failure. */ +- if ((cp = strchr(s, 'B'))) { ++ if (strchr(s, 'B')) { + *size = atoi(s); + } else { + f = atof(s); diff --git a/SOURCES/jasper-1.900.1-define-SIZE-MAX.patch b/SOURCES/jasper-1.900.1-define-SIZE-MAX.patch new file mode 100644 index 0000000..88671bb --- /dev/null +++ b/SOURCES/jasper-1.900.1-define-SIZE-MAX.patch 
@@ -0,0 +1,13 @@ +diff -urNp old/src/libjasper/include/jasper/jas_math.h new/src/libjasper/include/jasper/jas_math.h +--- old/src/libjasper/include/jasper/jas_math.h 2017-05-31 08:25:50.832055034 +0200 ++++ new/src/libjasper/include/jasper/jas_math.h 2017-05-31 08:27:47.975407832 +0200 +@@ -86,6 +86,9 @@ + + #ifdef __cplusplus + extern "C" { ++#ifndef SIZE_MAX ++#define SIZE_MAX ((size_t) - 1) ++#endif + #endif + + /******************************************************************************\ diff --git a/SOURCES/jasper-CVE-2014-8137.patch b/SOURCES/jasper-CVE-2014-8137.patch new file mode 100644 index 0000000..9600cd3 --- /dev/null +++ b/SOURCES/jasper-CVE-2014-8137.patch 
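Review bot: The `#ifndef SIZE_MAX` fallback is inserted between `extern "C" {` and its closing `#endif`, so it is compiled only when `__cplusplus` is defined; a plain C translation unit whose headers lack SIZE_MAX, which is the case this patch exists for, still sees an undefined identifier in the later `jas_safe_size_mul` checks. Move the three lines out of that block, e.g. immediately after the `#include` lines and before `#ifdef __cplusplus`. The fallback expression `((size_t) - 1)` itself is fine.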
@@ -0,0 +1,57 @@ +--- jasper-1.900.1.orig/src/libjasper/base/jas_icc.c 2014-12-11 14:06:44.000000000 +0100 ++++ jasper-1.900.1/src/libjasper/base/jas_icc.c 2014-12-11 15:16:37.971272386 +0100 +@@ -1009,7 +1009,6 @@ static int jas_icccurv_input(jas_iccattr + return 0; + + error: +- jas_icccurv_destroy(attrval); + return -1; + } + +@@ -1127,7 +1126,6 @@ static int jas_icctxtdesc_input(jas_icca + #endif + return 0; + error: +- jas_icctxtdesc_destroy(attrval); + return -1; + } + +@@ -1206,8 +1204,6 @@ static int jas_icctxt_input(jas_iccattrv + goto error; + return 0; + error: +- if (txt->string) +- jas_free(txt->string); + return -1; + } + +@@ -1328,7 +1324,6 @@ static int jas_icclut8_input(jas_iccattr + goto error; + return 0; + error: +- jas_icclut8_destroy(attrval); + return -1; + } + +@@ -1497,7 +1492,6 @@ static int jas_icclut16_input(jas_iccatt + goto error; + return 0; + error: +- jas_icclut16_destroy(attrval); + return -1; + } + +--- jasper-1.900.1.orig/src/libjasper/jp2/jp2_dec.c 2014-12-11 14:30:54.193209780 +0100 ++++ jasper-1.900.1/src/libjasper/jp2/jp2_dec.c 2014-12-11 14:36:46.313217814 +0100 +@@ -291,7 +291,10 @@ jas_image_t *jp2_decode(jas_stream_t *in + case JP2_COLR_ICC: + iccprof = jas_iccprof_createfrombuf(dec->colr->data.colr.iccp, + dec->colr->data.colr.iccplen); +- assert(iccprof); ++ if (!iccprof) { ++ jas_eprintf("error: failed to parse ICC profile\n"); ++ goto error; ++ } + jas_iccprof_gethdr(iccprof, &icchdr); + jas_eprintf("ICC Profile CS %08x\n", icchdr.colorspc); + jas_image_setclrspc(dec->image, fromiccpcs(icchdr.colorspc)); diff --git a/SOURCES/jasper-CVE-2014-8138.patch b/SOURCES/jasper-CVE-2014-8138.patch new file mode 100644 index 0000000..5aaf8ab --- /dev/null +++ b/SOURCES/jasper-CVE-2014-8138.patch 
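Review bot: Removing the `jas_icc*_destroy(attrval)` and `jas_free(txt->string)` calls from the `error:` paths of the `*_input` functions moves the freeing responsibility to the caller, but nothing at those labels records that, so the double free is easy to reintroduce by a later "leak fix". A one-line comment at each label, `/* attrval (and its partially filled members) is released by the caller via jas_iccattrval_destroy; do not free here */`, would document the ownership; I am inferring the caller's behaviour from the change, since the caller is outside the hunk. The replacement of `assert(iccprof)` with an explicit error branch in jp2_decode is the right shape for untrusted input.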
@@ -0,0 +1,14 @@ +--- jasper-1.900.1.orig/src/libjasper/jp2/jp2_dec.c 2014-12-11 14:06:44.000000000 +0100 ++++ jasper-1.900.1/src/libjasper/jp2/jp2_dec.c 2014-12-11 14:06:26.000000000 +0100 +@@ -386,6 +386,11 @@ jas_image_t *jp2_decode(jas_stream_t *in + /* Determine the type of each component. */ + if (dec->cdef) { + for (i = 0; i < dec->numchans; ++i) { ++ /* Is the channel number reasonable? */ ++ if (dec->cdef->data.cdef.ents[i].channo >= dec->numchans) { ++ jas_eprintf("error: invalid channel number in CDEF box\n"); ++ goto error; ++ } + jas_image_setcmpttype(dec->image, + dec->chantocmptlut[dec->cdef->data.cdef.ents[i].channo], + jp2_getct(jas_image_clrspc(dec->image), diff --git a/SOURCES/jasper-CVE-2014-8157.patch b/SOURCES/jasper-CVE-2014-8157.patch new file mode 100644 index 0000000..ebfc1b2 --- /dev/null +++ b/SOURCES/jasper-CVE-2014-8157.patch @@ -0,0 +1,12 @@ +diff -up jasper-1.900.1/src/libjasper/jpc/jpc_dec.c.CVE-2014-8157 jasper-1.900.1/src/libjasper/jpc/jpc_dec.c +--- jasper-1.900.1/src/libjasper/jpc/jpc_dec.c.CVE-2014-8157 2015-01-19 16:59:36.000000000 +0100 ++++ jasper-1.900.1/src/libjasper/jpc/jpc_dec.c 2015-01-19 17:07:41.609863268 +0100 +@@ -489,7 +489,7 @@ static int jpc_dec_process_sot(jpc_dec_t + dec->curtileendoff = 0; + } + +- if (JAS_CAST(int, sot->tileno) > dec->numtiles) { ++ if (JAS_CAST(int, sot->tileno) >= dec->numtiles) { + jas_eprintf("invalid tile number in SOT marker segment\n"); + return -1; + } diff --git a/SOURCES/jasper-CVE-2014-8158.patch b/SOURCES/jasper-CVE-2014-8158.patch new file mode 100644 index 0000000..ce9e4b4 --- /dev/null +++ b/SOURCES/jasper-CVE-2014-8158.patch 
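Review bot: The new bound `ents[i].channo >= dec->numchans` guards an index into `dec->chantocmptlut`, whose size is not visible in the hunk; the check is only sufficient if that table has exactly `numchans` entries. If it is sized differently, the comparison should use the table's own length, and either way a comment such as `/* channo indexes chantocmptlut, which has numchans entries */` would tie the bound to the array it protects.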
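Review bot: The corrected comparison `JAS_CAST(int, sot->tileno) >= dec->numtiles` is only sound if the cast cannot yield a negative value; if `tileno` is an unsigned type wider than int, a value above INT_MAX casts to a negative number that passes the check and is then used as a negative index. Comparing in the unsigned domain, or a comment stating why the field's parsed width makes the cast safe, would remove the doubt. The COC, RGN and QCC checks in the CVE-2014-9029 patch use the same pattern and the same note applies there.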
@@ -0,0 +1,329 @@ +diff -up jasper-1.900.1/src/libjasper/jpc/jpc_qmfb.c.CVE-2014-8158 jasper-1.900.1/src/libjasper/jpc/jpc_qmfb.c +--- jasper-1.900.1/src/libjasper/jpc/jpc_qmfb.c.CVE-2014-8158 2015-01-19 17:25:28.730195502 +0100 ++++ jasper-1.900.1/src/libjasper/jpc/jpc_qmfb.c 2015-01-19 17:27:20.214663127 +0100 +@@ -306,11 +306,7 @@ void jpc_qmfb_split_row(jpc_fix_t *a, in + { + + int bufsize = JPC_CEILDIVPOW2(numcols, 1); +-#if !defined(HAVE_VLA) + jpc_fix_t splitbuf[QMFB_SPLITBUFSIZE]; +-#else +- jpc_fix_t splitbuf[bufsize]; +-#endif + jpc_fix_t *buf = splitbuf; + register jpc_fix_t *srcptr; + register jpc_fix_t *dstptr; +@@ -318,7 +314,6 @@ void jpc_qmfb_split_row(jpc_fix_t *a, in + register int m; + int hstartcol; + +-#if !defined(HAVE_VLA) + /* Get a buffer. */ + if (bufsize > QMFB_SPLITBUFSIZE) { + if (!(buf = jas_alloc2(bufsize, sizeof(jpc_fix_t)))) { +@@ -326,7 +321,6 @@ void jpc_qmfb_split_row(jpc_fix_t *a, in + abort(); + } + } +-#endif + + if (numcols >= 2) { + hstartcol = (numcols + 1 - parity) >> 1; +@@ -360,12 +354,10 @@ void jpc_qmfb_split_row(jpc_fix_t *a, in + } + } + +-#if !defined(HAVE_VLA) + /* If the split buffer was allocated on the heap, free this memory. */ + if (buf != splitbuf) { + jas_free(buf); + } +-#endif + + } + +@@ -374,11 +366,7 @@ void jpc_qmfb_split_col(jpc_fix_t *a, in + { + + int bufsize = JPC_CEILDIVPOW2(numrows, 1); +-#if !defined(HAVE_VLA) + jpc_fix_t splitbuf[QMFB_SPLITBUFSIZE]; +-#else +- jpc_fix_t splitbuf[bufsize]; +-#endif + jpc_fix_t *buf = splitbuf; + register jpc_fix_t *srcptr; + register jpc_fix_t *dstptr; +@@ -386,7 +374,6 @@ void jpc_qmfb_split_col(jpc_fix_t *a, in + register int m; + int hstartcol; + +-#if !defined(HAVE_VLA) + /* Get a buffer. 
*/ + if (bufsize > QMFB_SPLITBUFSIZE) { + if (!(buf = jas_alloc2(bufsize, sizeof(jpc_fix_t)))) { +@@ -394,7 +381,6 @@ void jpc_qmfb_split_col(jpc_fix_t *a, in + abort(); + } + } +-#endif + + if (numrows >= 2) { + hstartcol = (numrows + 1 - parity) >> 1; +@@ -428,12 +414,10 @@ void jpc_qmfb_split_col(jpc_fix_t *a, in + } + } + +-#if !defined(HAVE_VLA) + /* If the split buffer was allocated on the heap, free this memory. */ + if (buf != splitbuf) { + jas_free(buf); + } +-#endif + + } + +@@ -442,11 +426,7 @@ void jpc_qmfb_split_colgrp(jpc_fix_t *a, + { + + int bufsize = JPC_CEILDIVPOW2(numrows, 1); +-#if !defined(HAVE_VLA) + jpc_fix_t splitbuf[QMFB_SPLITBUFSIZE * JPC_QMFB_COLGRPSIZE]; +-#else +- jpc_fix_t splitbuf[bufsize * JPC_QMFB_COLGRPSIZE]; +-#endif + jpc_fix_t *buf = splitbuf; + jpc_fix_t *srcptr; + jpc_fix_t *dstptr; +@@ -457,7 +437,6 @@ void jpc_qmfb_split_colgrp(jpc_fix_t *a, + int m; + int hstartcol; + +-#if !defined(HAVE_VLA) + /* Get a buffer. */ + if (bufsize > QMFB_SPLITBUFSIZE) { + if (!(buf = jas_alloc2(bufsize, sizeof(jpc_fix_t)))) { +@@ -465,7 +444,6 @@ void jpc_qmfb_split_colgrp(jpc_fix_t *a, + abort(); + } + } +-#endif + + if (numrows >= 2) { + hstartcol = (numrows + 1 - parity) >> 1; +@@ -517,12 +495,10 @@ void jpc_qmfb_split_colgrp(jpc_fix_t *a, + } + } + +-#if !defined(HAVE_VLA) + /* If the split buffer was allocated on the heap, free this memory. */ + if (buf != splitbuf) { + jas_free(buf); + } +-#endif + + } + +@@ -531,11 +507,7 @@ void jpc_qmfb_split_colres(jpc_fix_t *a, + { + + int bufsize = JPC_CEILDIVPOW2(numrows, 1); +-#if !defined(HAVE_VLA) + jpc_fix_t splitbuf[QMFB_SPLITBUFSIZE * JPC_QMFB_COLGRPSIZE]; +-#else +- jpc_fix_t splitbuf[bufsize * numcols]; +-#endif + jpc_fix_t *buf = splitbuf; + jpc_fix_t *srcptr; + jpc_fix_t *dstptr; +@@ -546,7 +518,6 @@ void jpc_qmfb_split_colres(jpc_fix_t *a, + int m; + int hstartcol; + +-#if !defined(HAVE_VLA) + /* Get a buffer. 
*/ + if (bufsize > QMFB_SPLITBUFSIZE) { + if (!(buf = jas_alloc2(bufsize, sizeof(jpc_fix_t)))) { +@@ -554,7 +525,6 @@ void jpc_qmfb_split_colres(jpc_fix_t *a, + abort(); + } + } +-#endif + + if (numrows >= 2) { + hstartcol = (numrows + 1 - parity) >> 1; +@@ -606,12 +576,10 @@ void jpc_qmfb_split_colres(jpc_fix_t *a, + } + } + +-#if !defined(HAVE_VLA) + /* If the split buffer was allocated on the heap, free this memory. */ + if (buf != splitbuf) { + jas_free(buf); + } +-#endif + + } + +@@ -619,18 +587,13 @@ void jpc_qmfb_join_row(jpc_fix_t *a, int + { + + int bufsize = JPC_CEILDIVPOW2(numcols, 1); +-#if !defined(HAVE_VLA) + jpc_fix_t joinbuf[QMFB_JOINBUFSIZE]; +-#else +- jpc_fix_t joinbuf[bufsize]; +-#endif + jpc_fix_t *buf = joinbuf; + register jpc_fix_t *srcptr; + register jpc_fix_t *dstptr; + register int n; + int hstartcol; + +-#if !defined(HAVE_VLA) + /* Allocate memory for the join buffer from the heap. */ + if (bufsize > QMFB_JOINBUFSIZE) { + if (!(buf = jas_alloc2(bufsize, sizeof(jpc_fix_t)))) { +@@ -638,7 +601,6 @@ void jpc_qmfb_join_row(jpc_fix_t *a, int + abort(); + } + } +-#endif + + hstartcol = (numcols + 1 - parity) >> 1; + +@@ -670,12 +632,10 @@ void jpc_qmfb_join_row(jpc_fix_t *a, int + ++srcptr; + } + +-#if !defined(HAVE_VLA) + /* If the join buffer was allocated on the heap, free this memory. */ + if (buf != joinbuf) { + jas_free(buf); + } +-#endif + + } + +@@ -684,18 +644,13 @@ void jpc_qmfb_join_col(jpc_fix_t *a, int + { + + int bufsize = JPC_CEILDIVPOW2(numrows, 1); +-#if !defined(HAVE_VLA) + jpc_fix_t joinbuf[QMFB_JOINBUFSIZE]; +-#else +- jpc_fix_t joinbuf[bufsize]; +-#endif + jpc_fix_t *buf = joinbuf; + register jpc_fix_t *srcptr; + register jpc_fix_t *dstptr; + register int n; + int hstartcol; + +-#if !defined(HAVE_VLA) + /* Allocate memory for the join buffer from the heap. 
*/ + if (bufsize > QMFB_JOINBUFSIZE) { + if (!(buf = jas_alloc2(bufsize, sizeof(jpc_fix_t)))) { +@@ -703,7 +658,6 @@ void jpc_qmfb_join_col(jpc_fix_t *a, int + abort(); + } + } +-#endif + + hstartcol = (numrows + 1 - parity) >> 1; + +@@ -735,12 +689,10 @@ void jpc_qmfb_join_col(jpc_fix_t *a, int + ++srcptr; + } + +-#if !defined(HAVE_VLA) + /* If the join buffer was allocated on the heap, free this memory. */ + if (buf != joinbuf) { + jas_free(buf); + } +-#endif + + } + +@@ -749,11 +701,7 @@ void jpc_qmfb_join_colgrp(jpc_fix_t *a, + { + + int bufsize = JPC_CEILDIVPOW2(numrows, 1); +-#if !defined(HAVE_VLA) + jpc_fix_t joinbuf[QMFB_JOINBUFSIZE * JPC_QMFB_COLGRPSIZE]; +-#else +- jpc_fix_t joinbuf[bufsize * JPC_QMFB_COLGRPSIZE]; +-#endif + jpc_fix_t *buf = joinbuf; + jpc_fix_t *srcptr; + jpc_fix_t *dstptr; +@@ -763,7 +711,6 @@ void jpc_qmfb_join_colgrp(jpc_fix_t *a, + register int i; + int hstartcol; + +-#if !defined(HAVE_VLA) + /* Allocate memory for the join buffer from the heap. */ + if (bufsize > QMFB_JOINBUFSIZE) { + if (!(buf = jas_alloc2(bufsize, JPC_QMFB_COLGRPSIZE * sizeof(jpc_fix_t)))) { +@@ -771,7 +718,6 @@ void jpc_qmfb_join_colgrp(jpc_fix_t *a, + abort(); + } + } +-#endif + + hstartcol = (numrows + 1 - parity) >> 1; + +@@ -821,12 +767,10 @@ void jpc_qmfb_join_colgrp(jpc_fix_t *a, + srcptr += JPC_QMFB_COLGRPSIZE; + } + +-#if !defined(HAVE_VLA) + /* If the join buffer was allocated on the heap, free this memory. 
*/ + if (buf != joinbuf) { + jas_free(buf); + } +-#endif + + } + +@@ -835,11 +779,7 @@ void jpc_qmfb_join_colres(jpc_fix_t *a, + { + + int bufsize = JPC_CEILDIVPOW2(numrows, 1); +-#if !defined(HAVE_VLA) + jpc_fix_t joinbuf[QMFB_JOINBUFSIZE * JPC_QMFB_COLGRPSIZE]; +-#else +- jpc_fix_t joinbuf[bufsize * numcols]; +-#endif + jpc_fix_t *buf = joinbuf; + jpc_fix_t *srcptr; + jpc_fix_t *dstptr; +@@ -849,7 +789,6 @@ void jpc_qmfb_join_colres(jpc_fix_t *a, + register int i; + int hstartcol; + +-#if !defined(HAVE_VLA) + /* Allocate memory for the join buffer from the heap. */ + if (bufsize > QMFB_JOINBUFSIZE) { + if (!(buf = jas_alloc3(bufsize, numcols, sizeof(jpc_fix_t)))) { +@@ -857,7 +796,6 @@ void jpc_qmfb_join_colres(jpc_fix_t *a, + abort(); + } + } +-#endif + + hstartcol = (numrows + 1 - parity) >> 1; + +@@ -907,12 +845,10 @@ void jpc_qmfb_join_colres(jpc_fix_t *a, + srcptr += numcols; + } + +-#if !defined(HAVE_VLA) + /* If the join buffer was allocated on the heap, free this memory. */ + if (buf != joinbuf) { + jas_free(buf); + } +-#endif + + } + diff --git a/SOURCES/jasper-CVE-2014-9029.patch b/SOURCES/jasper-CVE-2014-9029.patch new file mode 100644 index 0000000..98a2035 --- /dev/null +++ b/SOURCES/jasper-CVE-2014-9029.patch 
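Review bot: In `jpc_qmfb_split_colgrp` and `jpc_qmfb_split_colres` the heap fallback that this patch makes the only path for large inputs allocates `jas_alloc2(bufsize, sizeof(jpc_fix_t))`, while the stack buffer it replaces is `QMFB_SPLITBUFSIZE * JPC_QMFB_COLGRPSIZE` elements and the deleted VLAs were `bufsize * JPC_QMFB_COLGRPSIZE` and `bufsize * numcols`; the join counterparts size their heap buffers as `jas_alloc2(bufsize, JPC_QMFB_COLGRPSIZE * sizeof(jpc_fix_t))` and `jas_alloc3(bufsize, numcols, sizeof(jpc_fix_t))`. If the split loops (outside the hunk) fill the buffer the same way the join loops do, the heap buffer is undersized by that factor and the heap path this patch forces will write past it. Bring the two split allocations in line with their join counterparts, e.g. `jas_alloc3(bufsize, JPC_QMFB_COLGRPSIZE, sizeof(jpc_fix_t))` in split_colgrp and `jas_alloc3(bufsize, numcols, sizeof(jpc_fix_t))` in split_colres.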
@@ -0,0 +1,29 @@ +--- jasper-1.900.1.orig/src/libjasper/jpc/jpc_dec.c 2014-11-27 12:45:44.000000000 +0100 ++++ jasper-1.900.1/src/libjasper/jpc/jpc_dec.c 2014-11-27 12:44:58.000000000 +0100 +@@ -1281,7 +1281,7 @@ static int jpc_dec_process_coc(jpc_dec_t + jpc_coc_t *coc = &ms->parms.coc; + jpc_dec_tile_t *tile; + +- if (JAS_CAST(int, coc->compno) > dec->numcomps) { ++ if (JAS_CAST(int, coc->compno) >= dec->numcomps) { + jas_eprintf("invalid component number in COC marker segment\n"); + return -1; + } +@@ -1307,7 +1307,7 @@ static int jpc_dec_process_rgn(jpc_dec_t + jpc_rgn_t *rgn = &ms->parms.rgn; + jpc_dec_tile_t *tile; + +- if (JAS_CAST(int, rgn->compno) > dec->numcomps) { ++ if (JAS_CAST(int, rgn->compno) >= dec->numcomps) { + jas_eprintf("invalid component number in RGN marker segment\n"); + return -1; + } +@@ -1356,7 +1356,7 @@ static int jpc_dec_process_qcc(jpc_dec_t + jpc_qcc_t *qcc = &ms->parms.qcc; + jpc_dec_tile_t *tile; + +- if (JAS_CAST(int, qcc->compno) > dec->numcomps) { ++ if (JAS_CAST(int, qcc->compno) >= dec->numcomps) { + jas_eprintf("invalid component number in QCC marker segment\n"); + return -1; + } diff --git a/SOURCES/jasper-CVE-2015-5203-CVE-2016-9262.patch b/SOURCES/jasper-CVE-2015-5203-CVE-2016-9262.patch new file mode 100644 index 0000000..bae613d --- /dev/null +++ b/SOURCES/jasper-CVE-2015-5203-CVE-2016-9262.patch 
@@ -0,0 +1,164 @@ +Backport of the upstream commit: + +From b35a05635e56f554870ce85f64293a3868793f69 Mon Sep 17 00:00:00 2001 +From: Michael Adams +Date: Wed, 19 Oct 2016 08:42:25 -0700 +Subject: [PATCH] Fixed potential integer overflow problem. + +Further enhanced by a change from d42b2388f7f8e0332c846675133acea151fc557a to +use jas_safe_size_mul3() and an explicit check to ensure that size not only +fits into size_t, but that it also does not exceed INT_MAX. This is similar +approach to what upstream used in a712a2041085e7cd5f2b153e1532ac2a2954ffaa. + +This also adds all jas_safe_size_*() functions, including changes from the +following upstream commits: + +f596a0766825b48cdc07b28d2051977a382cfb95 +65536647d380571d1a9a6c91fa03775fb5bbd256 +3afacc174867cc9d1f74ef2683bc780de4b0b2df +d42b2388f7f8e0332c846675133acea151fc557a + +diff -pruN jasper-1.900.1.orig/src/libjasper/base/jas_image.c jasper-1.900.1/src/libjasper/base/jas_image.c +--- jasper-1.900.1.orig/src/libjasper/base/jas_image.c 2017-03-24 16:09:34.000000000 +0100 ++++ jasper-1.900.1/src/libjasper/base/jas_image.c 2017-03-24 22:28:46.620880896 +0100 +@@ -76,6 +76,7 @@ + #include + #include + #include ++#include + + #include "jasper/jas_math.h" + #include "jasper/jas_image.h" +@@ -307,10 +308,10 @@ static jas_image_cmpt_t *jas_image_cmpt_ + height, uint_fast16_t depth, bool sgnd, uint_fast32_t inmem) + { + jas_image_cmpt_t *cmpt; +- long size; ++ size_t size; + + if (!(cmpt = jas_malloc(sizeof(jas_image_cmpt_t)))) { +- return 0; ++ goto error; + } + + cmpt->type_ = JAS_IMAGE_CT_UNKNOWN; +@@ -325,11 +326,14 @@ static jas_image_cmpt_t *jas_image_cmpt_ + cmpt->stream_ = 0; + cmpt->cps_ = (depth + 7) / 8; + +- size = cmpt->width_ * cmpt->height_ * cmpt->cps_; ++ //size = cmpt->width_ * cmpt->height_ * cmpt->cps_; ++ if (!jas_safe_size_mul3(cmpt->width_, cmpt->height_, cmpt->cps_, &size) || ++ size > INT_MAX) { ++ goto error; ++ } + cmpt->stream_ = (inmem) ? 
jas_stream_memopen(0, size) : jas_stream_tmpfile(); + if (!cmpt->stream_) { +- jas_image_cmpt_destroy(cmpt); +- return 0; ++ goto error; + } + + /* Zero the component data. This isn't necessary, but it is +@@ -337,11 +341,16 @@ static jas_image_cmpt_t *jas_image_cmpt_ + if (jas_stream_seek(cmpt->stream_, size - 1, SEEK_SET) < 0 || + jas_stream_putc(cmpt->stream_, 0) == EOF || + jas_stream_seek(cmpt->stream_, 0, SEEK_SET) < 0) { +- jas_image_cmpt_destroy(cmpt); +- return 0; ++ goto error; + } + + return cmpt; ++ ++error: ++ if (cmpt) { ++ jas_image_cmpt_destroy(cmpt); ++ } ++ return 0; + } + + static void jas_image_cmpt_destroy(jas_image_cmpt_t *cmpt) +diff -pruN jasper-1.900.1.orig/src/libjasper/include/jasper/jas_math.h jasper-1.900.1/src/libjasper/include/jasper/jas_math.h +--- jasper-1.900.1.orig/src/libjasper/include/jasper/jas_math.h 2007-01-19 22:43:04.000000000 +0100 ++++ jasper-1.900.1/src/libjasper/include/jasper/jas_math.h 2017-03-24 22:29:36.085024105 +0100 +@@ -76,9 +76,13 @@ + + #include + +-#include +-#include +-#include ++#include ++ ++#include ++#include ++#include ++#include ++#include + + #ifdef __cplusplus + extern "C" { +@@ -110,6 +114,62 @@ extern "C" { + #define JAS_ONES(n) \ + ((1 << (n)) - 1) + ++/******************************************************************************\ ++* Safe integer arithmetic (i.e., with overflow checking). ++\******************************************************************************/ ++ ++/* Compute the product of two size_t integers with overflow checking. */ ++inline static bool jas_safe_size_mul(size_t x, size_t y, size_t *result) ++{ ++ /* Check if overflow would occur */ ++ if (x && y > SIZE_MAX / x) { ++ /* Overflow would occur. 
*/ ++ return false; ++ } ++ if (result) { ++ *result = x * y; ++ } ++ return true; ++} ++ ++inline static bool jas_safe_size_mul3(size_t a, size_t b, size_t c, ++ size_t *result) ++{ ++ size_t tmp; ++ if (!jas_safe_size_mul(a, b, &tmp) || ++ !jas_safe_size_mul(tmp, c, &tmp)) { ++ return false; ++ } ++ if (result) { ++ *result = tmp; ++ } ++ return true; ++} ++ ++/* Compute the sum of two size_t integer with overflow checking. */ ++inline static bool jas_safe_size_add(size_t x, size_t y, size_t *result) ++{ ++ if (y > SIZE_MAX - x) { ++ return false; ++ } ++ if (result) { ++ *result = x + y; ++ } ++ return true; ++} ++ ++/* Compute the difference of two size_t integer with overflow checking. */ ++inline static bool jas_safe_size_sub(size_t x, size_t y, size_t *result) ++{ ++ if (y > x) { ++ return false; ++ } ++ if (result) { ++ *result = x - y; ++ } ++ return true; ++} ++ + #ifdef __cplusplus + } + #endif diff --git a/SOURCES/jasper-CVE-2015-5221.patch b/SOURCES/jasper-CVE-2015-5221.patch new file mode 100644 index 0000000..a7372a9 --- /dev/null +++ b/SOURCES/jasper-CVE-2015-5221.patch @@ -0,0 +1,25 @@ +Backport of upstream commit: + +From df5d2867e8004e51e18b89865bc4aa69229227b3 Mon Sep 17 00:00:00 2001 +From: Richard Hughes +Date: Mon, 19 Sep 2016 10:03:36 +0100 +Subject: [PATCH] CVE-2015-5221 + +diff -pruN jasper-1.900.1.orig/src/libjasper/mif/mif_cod.c jasper-1.900.1/src/libjasper/mif/mif_cod.c +--- jasper-1.900.1.orig/src/libjasper/mif/mif_cod.c 2017-03-23 22:50:09.000000000 +0100 ++++ jasper-1.900.1/src/libjasper/mif/mif_cod.c 2017-03-24 11:57:19.000000000 +0100 +@@ -569,13 +569,13 @@ static int mif_process_cmpt(mif_hdr_t *h + break; + } + } +- jas_tvparser_destroy(tvp); + if (!cmpt->sampperx || !cmpt->samppery) { + goto error; + } + if (mif_hdr_addcmpt(hdr, hdr->numcmpts, cmpt)) { + goto error; + } ++ jas_tvparser_destroy(tvp); + return 0; + + error: 
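Review bot: The replaced multiplication in `jas_image_cmpt_create` is left behind as commented-out code, `//size = cmpt->width_ * cmpt->height_ * cmpt->cps_;`; dead code should be deleted rather than parked, and the surrounding file uses `/* */` comments, so the `//` line is also a style break. The `jas_matrix_create` hunk in the CVE-2016-10249 patch does the same with `// matrix->datasize_ = numrows * numcols;`. If a reminder is wanted, `/* overflow-checked width * height * cps; also capped at INT_MAX for the stream API */` above the `jas_safe_size_mul3` call explains the intent without keeping the old code. Separately, with `size` now `size_t`, `size - 1` in the later `jas_stream_seek` call wraps to SIZE_MAX when the product is zero; presumably the seek fails as it did with the old `long -1`, but that is worth confirming.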
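Review bot: Moving `jas_tvparser_destroy(tvp)` below the two checks means the `error:` path, whose body lies outside the hunk, must now release `tvp` itself; if it does not, the two `goto error` branches leak the parser, and if it does, the relocation is what prevents the use-after-free. A comment at the new call site, `/* tvp is released on the error path; destroy here only on success */`, would make that contract visible to the next reader.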
diff --git a/SOURCES/jasper-CVE-2016-10248.patch b/SOURCES/jasper-CVE-2016-10248.patch new file mode 100644 index 0000000..586403f --- /dev/null +++ b/SOURCES/jasper-CVE-2016-10248.patch 
@@ -0,0 +1,98 @@ +Backport of the upstream commit: + +From 2e82fa00466ae525339754bb3ab0a0474a31d4bd Mon Sep 17 00:00:00 2001 +From: Michael Adams +Date: Wed, 19 Oct 2016 17:57:40 -0700 +Subject: [PATCH] Fixed an integral type promotion problem by adding a + JAS_CAST. Modified the jpc_tsfb_synthesize function so that it will be a noop + for an empty sequence (in order to avoid dereferencing a null pointer). + +diff -pruN jasper-1.900.1.orig/src/libjasper/include/jasper/jas_math.h jasper-1.900.1/src/libjasper/include/jasper/jas_math.h +--- jasper-1.900.1.orig/src/libjasper/include/jasper/jas_math.h 2017-03-31 14:08:18.000000000 +0200 ++++ jasper-1.900.1/src/libjasper/include/jasper/jas_math.h 2017-03-31 14:09:06.000000000 +0200 +@@ -115,6 +115,24 @@ extern "C" { + ((1 << (n)) - 1) + + /******************************************************************************\ ++* ++\******************************************************************************/ ++ ++__attribute__((no_sanitize("undefined"))) ++inline static jas_int_asr(int x, int n) ++{ ++ assert(n >= 0); ++ return x >> n; ++} ++ ++__attribute__((no_sanitize("undefined"))) ++inline static jas_int_asl(int x, int n) ++{ ++ assert(n >= 0); ++ return x << n; ++} ++ ++/******************************************************************************\ + * Safe integer arithmetic (i.e., with overflow checking). 
+ \******************************************************************************/ + +diff -pruN jasper-1.900.1.orig/src/libjasper/include/jasper/jas_seq.h jasper-1.900.1/src/libjasper/include/jasper/jas_seq.h +--- jasper-1.900.1.orig/src/libjasper/include/jasper/jas_seq.h 2007-01-19 22:43:04.000000000 +0100 ++++ jasper-1.900.1/src/libjasper/include/jasper/jas_seq.h 2017-03-31 14:09:06.000000000 +0200 +@@ -154,6 +154,9 @@ typedef jas_matrix_t jas_seq_t; + #define jas_matrix_numcols(matrix) \ + ((matrix)->numcols_) + ++#define jas_matrix_size(matrix) \ ++ (jas_matrix_width(matrix) * jas_matrix_height(matrix)) ++ + /* Get a matrix element. */ + #define jas_matrix_get(matrix, i, j) \ + ((matrix)->rows_[i][j]) +@@ -269,6 +272,8 @@ jas_matrix_t *jas_seq2d_create(int xstar + ((s)->xstart_ = (x), (s)->ystart_ = (y), \ + (s)->xend_ = (s)->xstart_ + (s)->numcols_, \ + (s)->yend_ = (s)->ystart_ + (s)->numrows_) ++#define jas_seq2d_size(s) \ ++ (jas_seq2d_width(s) * jas_seq2d_height(s)) + + void jas_seq2d_bindsub(jas_matrix_t *s, jas_matrix_t *s1, int xstart, + int ystart, int xend, int yend); +diff -pruN jasper-1.900.1.orig/src/libjasper/jpc/jpc_dec.c jasper-1.900.1/src/libjasper/jpc/jpc_dec.c +--- jasper-1.900.1.orig/src/libjasper/jpc/jpc_dec.c 2017-03-31 14:08:18.000000000 +0200 ++++ jasper-1.900.1/src/libjasper/jpc/jpc_dec.c 2017-03-31 14:09:06.000000000 +0200 +@@ -1805,6 +1805,13 @@ static void jpc_undo_roi(jas_matrix_t *x + bool warn; + uint_fast32_t mask; + ++ if (roishift < 0) { ++ /* We could instead return an error here. */ ++ /* I do not think it matters much. */ ++ jas_eprintf("warning: forcing negative ROI shift to zero " ++ "(bitstream is probably corrupt)\n"); ++ roishift = 0; ++ } + if (roishift == 0 && bgshift == 0) { + return; + } +@@ -1823,7 +1830,7 @@ static void jpc_undo_roi(jas_matrix_t *x + } else { + /* We are dealing with non-ROI (i.e., background) data. 
*/ + mag <<= bgshift; +- mask = (1 << numbps) - 1; ++ mask = (JAS_CAST(uint_fast32_t, 1) << numbps) - 1; + /* Perform a basic sanity check on the sample value. */ + /* Some implementations write garbage in the unused + most-significant bit planes introduced by ROI shifting. +diff -pruN jasper-1.900.1.orig/src/libjasper/jpc/jpc_tsfb.c jasper-1.900.1/src/libjasper/jpc/jpc_tsfb.c +--- jasper-1.900.1.orig/src/libjasper/jpc/jpc_tsfb.c 2007-01-19 22:43:07.000000000 +0100 ++++ jasper-1.900.1/src/libjasper/jpc/jpc_tsfb.c 2017-03-31 14:09:06.000000000 +0200 +@@ -148,7 +148,8 @@ int jpc_tsfb_analyze2(jpc_tsfb_t *tsfb, + + int jpc_tsfb_synthesize(jpc_tsfb_t *tsfb, jas_seq2d_t *a) + { +- return (tsfb->numlvls > 0) ? jpc_tsfb_synthesize2(tsfb, ++ return (tsfb->numlvls > 0 && jas_seq2d_size(a)) ? ++ jpc_tsfb_synthesize2(tsfb, + jas_seq2d_getref(a, jas_seq2d_xstart(a), jas_seq2d_ystart(a)), + jas_seq2d_xstart(a), jas_seq2d_ystart(a), jas_seq2d_width(a), + jas_seq2d_height(a), jas_seq2d_rowstep(a), tsfb->numlvls - 1) : 0; diff --git a/SOURCES/jasper-CVE-2016-10249.patch b/SOURCES/jasper-CVE-2016-10249.patch new file mode 100644 index 0000000..0c18d84 --- /dev/null +++ b/SOURCES/jasper-CVE-2016-10249.patch 
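Review bot: `inline static jas_int_asr(int x, int n)` and `jas_int_asl` are declared without a return type, so they fall back to implicit int, which C99 removed and compilers flag; write `inline static int jas_int_asr(int x, int n)` and likewise for `jas_int_asl`. The bodies call `assert`, so `<assert.h>` must be in scope in this header (not visible in the hunk), and the `no_sanitize` attribute only silences the sanitizer: `x << n` on a negative `x` and any shift by `n` at or beyond the width of int remain undefined behaviour, so the `assert(n >= 0)` should be paired with an upper bound on `n`. The attribute syntax is also compiler-specific and will at best be ignored with a warning on toolchains that do not know it.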
@@ -0,0 +1,78 @@ +Backport of the upstream commit: + +From 988f8365f7d8ad8073b6786e433d34c553ecf568 Mon Sep 17 00:00:00 2001 +From: Michael Adams +Date: Sat, 22 Oct 2016 14:36:49 -0700 +Subject: [PATCH] Fixed an integer overflow problem. + +Further enhanced by an explicit check to ensure that size not only fits into +size_t, but that it also does not exceed INT_FAST32_MAX (the type of +matrix->datasize_). This is similar approach to what upstream used in +a712a2041085e7cd5f2b153e1532ac2a2954ffaa. + +diff -pruN jasper-1.900.1.orig/src/libjasper/base/jas_seq.c jasper-1.900.1/src/libjasper/base/jas_seq.c +--- jasper-1.900.1.orig/src/libjasper/base/jas_seq.c 2017-03-31 15:02:01.000000000 +0200 ++++ jasper-1.900.1/src/libjasper/base/jas_seq.c 2017-03-31 15:41:17.527623038 +0200 +@@ -101,13 +101,16 @@ jas_matrix_t *jas_matrix_create(int numr + { + jas_matrix_t *matrix; + int i; ++ size_t size; ++ ++ matrix = 0; + + if (numrows < 0 || numcols < 0) { +- return 0; ++ goto error; + } + + if (!(matrix = jas_malloc(sizeof(jas_matrix_t)))) { +- return 0; ++ goto error; + } + matrix->flags_ = 0; + matrix->numrows_ = numrows; +@@ -115,21 +118,25 @@ jas_matrix_t *jas_matrix_create(int numr + matrix->rows_ = 0; + matrix->maxrows_ = numrows; + matrix->data_ = 0; +- matrix->datasize_ = numrows * numcols; ++ matrix->datasize_ = 0; ++ ++ // matrix->datasize_ = numrows * numcols; ++ if (!jas_safe_size_mul(numrows, numcols, &size) || size > INT_FAST32_MAX) { ++ goto error; ++ } ++ matrix->datasize_ = size; + + if (matrix->maxrows_ > 0) { + if (!(matrix->rows_ = jas_alloc2(matrix->maxrows_, + sizeof(jas_seqent_t *)))) { +- jas_matrix_destroy(matrix); +- return 0; ++ goto error; + } + } + + if (matrix->datasize_ > 0) { + if (!(matrix->data_ = jas_alloc2(matrix->datasize_, + sizeof(jas_seqent_t)))) { +- jas_matrix_destroy(matrix); +- return 0; ++ goto error; + } + } + +@@ -147,6 +154,12 @@ jas_matrix_t *jas_matrix_create(int numr + matrix->yend_ = matrix->numrows_; + + return matrix; ++ 
++error: ++ if (matrix) { ++ jas_matrix_destroy(matrix); ++ } ++ return 0; + } + + void jas_matrix_destroy(jas_matrix_t *matrix) diff --git a/SOURCES/jasper-CVE-2016-10251.patch b/SOURCES/jasper-CVE-2016-10251.patch new file mode 100644 index 0000000..fd9977b --- /dev/null +++ b/SOURCES/jasper-CVE-2016-10251.patch 
@@ -0,0 +1,102 @@ +From 1f0dfe5a42911b6880a1445f13f6d615ddb55387 Mon Sep 17 00:00:00 2001 +From: Michael Adams +Date: Fri, 4 Nov 2016 07:20:23 -0700 +Subject: [PATCH] Fixed an integer overflow problem in the JPC codec that later + resulted in the use of uninitialized data. + +--- + src/libjasper/jpc/jpc_t2cod.c | 20 ++++++++++---------- + src/libjasper/jpc/jpc_t2cod.h | 20 ++++++++++---------- + 2 files changed, 20 insertions(+), 20 deletions(-) + +diff --git a/src/libjasper/jpc/jpc_t2cod.c b/src/libjasper/jpc/jpc_t2cod.c +index 08315dd..174442a 100644 +--- a/src/libjasper/jpc/jpc_t2cod.c ++++ b/src/libjasper/jpc/jpc_t2cod.c +@@ -432,18 +432,18 @@ static int jpc_pi_nextcprl(register jpc_pi_t *pi) + &pi->picomps[pi->compno]; pi->compno < JAS_CAST(int, pchg->compnoend) && pi->compno < pi->numcomps; ++pi->compno, + ++pi->picomp) { + pirlvl = pi->picomp->pirlvls; +- pi->xstep = pi->picomp->hsamp * (1 << (pirlvl->prcwidthexpn + +- pi->picomp->numrlvls - 1)); +- pi->ystep = pi->picomp->vsamp * (1 << (pirlvl->prcheightexpn + +- pi->picomp->numrlvls - 1)); ++ pi->xstep = pi->picomp->hsamp * (JAS_CAST(uint_fast32_t, 1) << ++ (pirlvl->prcwidthexpn + pi->picomp->numrlvls - 1)); ++ pi->ystep = pi->picomp->vsamp * (JAS_CAST(uint_fast32_t, 1) << ++ (pirlvl->prcheightexpn + pi->picomp->numrlvls - 1)); + for (rlvlno = 1, pirlvl = &pi->picomp->pirlvls[1]; + rlvlno < pi->picomp->numrlvls; ++rlvlno, ++pirlvl) { +- pi->xstep = JAS_MIN(pi->xstep, pi->picomp->hsamp * (1 << +- (pirlvl->prcwidthexpn + pi->picomp->numrlvls - +- rlvlno - 1))); +- pi->ystep = JAS_MIN(pi->ystep, pi->picomp->vsamp * (1 << +- (pirlvl->prcheightexpn + pi->picomp->numrlvls - +- rlvlno - 1))); ++ pi->xstep = JAS_MIN(pi->xstep, pi->picomp->hsamp * ++ (JAS_CAST(uint_fast32_t, 1) << (pirlvl->prcwidthexpn + ++ pi->picomp->numrlvls - rlvlno - 1))); ++ pi->ystep = JAS_MIN(pi->ystep, pi->picomp->vsamp * ++ (JAS_CAST(uint_fast32_t, 1) << (pirlvl->prcheightexpn + ++ pi->picomp->numrlvls - rlvlno - 1))); + } + for (pi->y = 
pi->ystart; pi->y < pi->yend; + pi->y += pi->ystep - (pi->y % pi->ystep)) { +diff --git a/src/libjasper/jpc/jpc_t2cod.h b/src/libjasper/jpc/jpc_t2cod.h +index 0a176c9..690e031 100644 +--- a/src/libjasper/jpc/jpc_t2cod.h ++++ b/src/libjasper/jpc/jpc_t2cod.h +@@ -129,10 +129,10 @@ typedef struct { + jpc_pirlvl_t *pirlvls; + + /* The horizontal sampling period. */ +- int hsamp; ++ uint_fast32_t hsamp; + + /* The vertical sampling period. */ +- int vsamp; ++ uint_fast32_t vsamp; + + } jpc_picomp_t; + +@@ -171,32 +171,32 @@ typedef struct { + int lyrno; + + /* The x-coordinate of the current position. */ +- int x; ++ uint_fast32_t x; + + /* The y-coordinate of the current position. */ +- int y; ++ uint_fast32_t y; + + /* The horizontal step size. */ +- int xstep; ++ uint_fast32_t xstep; + + /* The vertical step size. */ +- int ystep; ++ uint_fast32_t ystep; + + /* The x-coordinate of the top-left corner of the tile on the reference + grid. */ +- int xstart; ++ uint_fast32_t xstart; + + /* The y-coordinate of the top-left corner of the tile on the reference + grid. */ +- int ystart; ++ uint_fast32_t ystart; + + /* The x-coordinate of the bottom-right corner of the tile on the + reference grid (plus one). */ +- int xend; ++ uint_fast32_t xend; + + /* The y-coordinate of the bottom-right corner of the tile on the + reference grid (plus one). */ +- int yend; ++ uint_fast32_t yend; + + /* The current progression change. */ + jpc_pchg_t *pchg; diff --git a/SOURCES/jasper-CVE-2016-1577.patch b/SOURCES/jasper-CVE-2016-1577.patch new file mode 100644 index 0000000..67e347a --- /dev/null +++ b/SOURCES/jasper-CVE-2016-1577.patch 
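Review bot: The new `JAS_CAST(uint_fast32_t, 1) << (pirlvl->prcwidthexpn + pi->picomp->numrlvls - 1)` expressions widen the shifted operand but leave the shift count unbounded; if the exponent plus the resolution-level count reaches the width of `uint_fast32_t`, the shift is still undefined behaviour on codestream-supplied values. Unless those fields are range-checked at parse time (not visible here), a guard such as `if (pirlvl->prcwidthexpn + pi->picomp->numrlvls - 1 >= <width of uint_fast32_t>) return -1;` belongs before the first shift, using the bit-width constant the CVE-2016-9583 patch later in this series appears to introduce rather than a literal 32. jpc_pi_nextcprl starts before and continues after this hunk.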
@@ -0,0 +1,18 @@ +Bacport of the upstream commit: + +From 74ea22a7a4fe186e0a0124df25e19739b77c4a29 Mon Sep 17 00:00:00 2001 +From: Richard Hughes +Date: Mon, 19 Sep 2016 10:03:36 +0100 +Subject: [PATCH] CVE-2016-1577 + +diff -pruN jasper-1.900.1.orig/src/libjasper/base/jas_icc.c jasper-1.900.1/src/libjasper/base/jas_icc.c +--- jasper-1.900.1.orig/src/libjasper/base/jas_icc.c 2017-03-24 13:58:54.000000000 +0100 ++++ jasper-1.900.1/src/libjasper/base/jas_icc.c 2017-03-24 13:59:12.000000000 +0100 +@@ -299,6 +299,7 @@ jas_iccprof_t *jas_iccprof_load(jas_stre + if (jas_iccprof_setattr(prof, tagtabent->tag, attrval)) + goto error; + jas_iccattrval_destroy(attrval); ++ attrval = 0; + } else { + #if 0 + jas_eprintf("warning: skipping unknown tag type\n"); diff --git a/SOURCES/jasper-CVE-2016-1867.patch b/SOURCES/jasper-CVE-2016-1867.patch new file mode 100644 index 0000000..7b3f6af --- /dev/null +++ b/SOURCES/jasper-CVE-2016-1867.patch @@ -0,0 +1,22 @@ +From 980da43d8d388a67cac505e734423b2a5aa4cede Mon Sep 17 00:00:00 2001 +From: Richard Hughes +Date: Mon, 19 Sep 2016 10:03:36 +0100 +Subject: [PATCH] CVE-2016-1867 + +--- + src/libjasper/jpc/jpc_t2cod.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/libjasper/jpc/jpc_t2cod.c b/src/libjasper/jpc/jpc_t2cod.c +index e734900..b80d332 100644 +--- a/src/libjasper/jpc/jpc_t2cod.c ++++ b/src/libjasper/jpc/jpc_t2cod.c +@@ -429,7 +429,7 @@ static int jpc_pi_nextcprl(register jpc_pi_t *pi) + } + + for (pi->compno = pchg->compnostart, pi->picomp = +- &pi->picomps[pi->compno]; pi->compno < JAS_CAST(int, pchg->compnoend); ++pi->compno, ++ &pi->picomps[pi->compno]; pi->compno < JAS_CAST(int, pchg->compnoend) && pi->compno < pi->numcomps; ++pi->compno, + ++pi->picomp) { + pirlvl = pi->picomp->pirlvls; + pi->xstep = pi->picomp->hsamp * (1 << (pirlvl->prcwidthexpn + diff --git a/SOURCES/jasper-CVE-2016-2089.patch b/SOURCES/jasper-CVE-2016-2089.patch new file mode 100644 index 0000000..d265c36 --- /dev/null 
+++ b/SOURCES/jasper-CVE-2016-2089.patch 
@@ -0,0 +1,157 @@ +Backport of the upstream commit: + +From c87ad330a8b8d6e5eb0065675601fdfae08ebaab Mon Sep 17 00:00:00 2001 +From: Michael Adams +Date: Wed, 12 Oct 2016 11:37:33 -0700 +Subject: [PATCH] Added fix for CVE-2016-2089. + +diff -pruN jasper-1.900.1.orig/src/libjasper/base/jas_image.c jasper-1.900.1/src/libjasper/base/jas_image.c +--- jasper-1.900.1.orig/src/libjasper/base/jas_image.c 2017-03-24 22:40:10.000000000 +0100 ++++ jasper-1.900.1/src/libjasper/base/jas_image.c 2017-03-24 22:40:51.000000000 +0100 +@@ -442,6 +442,10 @@ int jas_image_readcmpt(jas_image_t *imag + return -1; + } + ++ if (!jas_matrix_numrows(data) || !jas_matrix_numcols(data)) { ++ return -1; ++ } ++ + if (jas_matrix_numrows(data) != height || jas_matrix_numcols(data) != width) { + if (jas_matrix_resize(data, height, width)) { + return -1; +@@ -495,6 +499,10 @@ int jas_image_writecmpt(jas_image_t *ima + return -1; + } + ++ if (!jas_matrix_numrows(data) || !jas_matrix_numcols(data)) { ++ return -1; ++ } ++ + if (jas_matrix_numrows(data) != height || jas_matrix_numcols(data) != width) { + return -1; + } +diff -pruN jasper-1.900.1.orig/src/libjasper/base/jas_seq.c jasper-1.900.1/src/libjasper/base/jas_seq.c +--- jasper-1.900.1.orig/src/libjasper/base/jas_seq.c 2017-03-24 15:26:36.000000000 +0100 ++++ jasper-1.900.1/src/libjasper/base/jas_seq.c 2017-03-24 15:28:09.000000000 +0100 +@@ -266,13 +266,16 @@ void jas_matrix_divpow2(jas_matrix_t *ma + int rowstep; + jas_seqent_t *data; + +- rowstep = jas_matrix_rowstep(matrix); +- for (i = matrix->numrows_, rowstart = matrix->rows_[0]; i > 0; --i, +- rowstart += rowstep) { +- for (j = matrix->numcols_, data = rowstart; j > 0; --j, +- ++data) { +- *data = (*data >= 0) ? 
((*data) >> n) : +- (-((-(*data)) >> n)); ++ if (jas_matrix_numrows(matrix) > 0 && jas_matrix_numcols(matrix) > 0) { ++ assert(matrix->rows_); ++ rowstep = jas_matrix_rowstep(matrix); ++ for (i = matrix->numrows_, rowstart = matrix->rows_[0]; i > 0; --i, ++ rowstart += rowstep) { ++ for (j = matrix->numcols_, data = rowstart; j > 0; --j, ++ ++data) { ++ *data = (*data >= 0) ? ((*data) >> n) : ++ (-((-(*data)) >> n)); ++ } + } + } + } +@@ -286,17 +289,20 @@ void jas_matrix_clip(jas_matrix_t *matri + jas_seqent_t *data; + int rowstep; + +- rowstep = jas_matrix_rowstep(matrix); +- for (i = matrix->numrows_, rowstart = matrix->rows_[0]; i > 0; --i, +- rowstart += rowstep) { +- data = rowstart; +- for (j = matrix->numcols_, data = rowstart; j > 0; --j, +- ++data) { +- v = *data; +- if (v < minval) { +- *data = minval; +- } else if (v > maxval) { +- *data = maxval; ++ if (jas_matrix_numrows(matrix) > 0 && jas_matrix_numcols(matrix) > 0) { ++ assert(matrix->rows_); ++ rowstep = jas_matrix_rowstep(matrix); ++ for (i = matrix->numrows_, rowstart = matrix->rows_[0]; i > 0; --i, ++ rowstart += rowstep) { ++ data = rowstart; ++ for (j = matrix->numcols_, data = rowstart; j > 0; --j, ++ ++data) { ++ v = *data; ++ if (v < minval) { ++ *data = minval; ++ } else if (v > maxval) { ++ *data = maxval; ++ } + } + } + } +@@ -311,12 +317,15 @@ void jas_matrix_asr(jas_matrix_t *matrix + jas_seqent_t *data; + + assert(n >= 0); +- rowstep = jas_matrix_rowstep(matrix); +- for (i = matrix->numrows_, rowstart = matrix->rows_[0]; i > 0; --i, +- rowstart += rowstep) { +- for (j = matrix->numcols_, data = rowstart; j > 0; --j, +- ++data) { +- *data >>= n; ++ if (jas_matrix_numrows(matrix) > 0 && jas_matrix_numcols(matrix) > 0) { ++ assert(matrix->rows_); ++ rowstep = jas_matrix_rowstep(matrix); ++ for (i = matrix->numrows_, rowstart = matrix->rows_[0]; i > 0; --i, ++ rowstart += rowstep) { ++ for (j = matrix->numcols_, data = rowstart; j > 0; --j, ++ ++data) { ++ *data >>= n; ++ } + } + } + } 
+@@ -329,12 +338,15 @@ void jas_matrix_asl(jas_matrix_t *matrix + int rowstep; + jas_seqent_t *data; + +- rowstep = jas_matrix_rowstep(matrix); +- for (i = matrix->numrows_, rowstart = matrix->rows_[0]; i > 0; --i, +- rowstart += rowstep) { +- for (j = matrix->numcols_, data = rowstart; j > 0; --j, +- ++data) { +- *data <<= n; ++ if (jas_matrix_numrows(matrix) > 0 && jas_matrix_numcols(matrix) > 0) { ++ assert(matrix->rows_); ++ rowstep = jas_matrix_rowstep(matrix); ++ for (i = matrix->numrows_, rowstart = matrix->rows_[0]; i > 0; --i, ++ rowstart += rowstep) { ++ for (j = matrix->numcols_, data = rowstart; j > 0; --j, ++ ++data) { ++ *data <<= n; ++ } + } + } + } +@@ -371,12 +383,15 @@ void jas_matrix_setall(jas_matrix_t *mat + int rowstep; + jas_seqent_t *data; + +- rowstep = jas_matrix_rowstep(matrix); +- for (i = matrix->numrows_, rowstart = matrix->rows_[0]; i > 0; --i, +- rowstart += rowstep) { +- for (j = matrix->numcols_, data = rowstart; j > 0; --j, +- ++data) { +- *data = val; ++ if (jas_matrix_numrows(matrix) > 0 && jas_matrix_numcols(matrix) > 0) { ++ assert(matrix->rows_); ++ rowstep = jas_matrix_rowstep(matrix); ++ for (i = matrix->numrows_, rowstart = matrix->rows_[0]; i > 0; --i, ++ rowstart += rowstep) { ++ for (j = matrix->numcols_, data = rowstart; j > 0; --j, ++ ++data) { ++ *data = val; ++ } + } + } + } diff --git a/SOURCES/jasper-CVE-2016-2116.patch b/SOURCES/jasper-CVE-2016-2116.patch new file mode 100644 index 0000000..5b1ba6e --- /dev/null +++ b/SOURCES/jasper-CVE-2016-2116.patch 
@@ -0,0 +1,19 @@ +Backport of the upstream commit: + +From 142245b9bbb33274a7c620aa7a8f85bc00b2d68e Mon Sep 17 00:00:00 2001 +From: Richard Hughes +Date: Mon, 19 Sep 2016 10:03:36 +0100 +Subject: [PATCH] CVE-2016-2116 + +diff -pruN jasper-1.900.1.orig/src/libjasper/base/jas_icc.c jasper-1.900.1/src/libjasper/base/jas_icc.c +--- jasper-1.900.1.orig/src/libjasper/base/jas_icc.c 2017-03-24 14:06:15.000000000 +0100 ++++ jasper-1.900.1/src/libjasper/base/jas_icc.c 2017-03-24 14:06:34.000000000 +0100 +@@ -1692,6 +1692,8 @@ jas_iccprof_t *jas_iccprof_createfrombuf + jas_stream_close(in); + return prof; + error: ++ if (in) ++ jas_stream_close(in); + return 0; + } + diff --git a/SOURCES/jasper-CVE-2016-8654.patch b/SOURCES/jasper-CVE-2016-8654.patch new file mode 100644 index 0000000..cc8d396 --- /dev/null +++ b/SOURCES/jasper-CVE-2016-8654.patch 
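Review bot: The added `if (in) jas_stream_close(in);` is the only unbraced conditional in the surrounding code, which braces every control body; write it as `if (in) { jas_stream_close(in); }` to match. The fix also assumes `in` is initialised to 0 before any `goto error` that precedes its creation, which is outside the hunk and worth confirming in jas_iccprof_createfrombuf.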
@@ -0,0 +1,30 @@ +Backport of the relevant parts of the upstream commit: + +From 4a59cfaf9ab3d48fca4a15c0d2674bf7138e3d1a Mon Sep 17 00:00:00 2001 +From: Michael Adams +Date: Sat, 26 Nov 2016 20:23:23 -0800 +Subject: [PATCH] Fixed a buffer overrun problem in the QMFB code in the JPC + codec that was caused by a buffer being allocated with a size that was too + small in some cases. Added a new regression test case. + +diff -pruN jasper-1.900.1.orig/src/libjasper/jpc/jpc_qmfb.c jasper-1.900.1/src/libjasper/jpc/jpc_qmfb.c +--- jasper-1.900.1.orig/src/libjasper/jpc/jpc_qmfb.c 2017-03-29 14:47:26.000000000 +0200 ++++ jasper-1.900.1/src/libjasper/jpc/jpc_qmfb.c 2017-03-29 16:24:55.425985016 +0200 +@@ -439,7 +439,7 @@ void jpc_qmfb_split_colgrp(jpc_fix_t *a, + + /* Get a buffer. */ + if (bufsize > QMFB_SPLITBUFSIZE) { +- if (!(buf = jas_alloc2(bufsize, sizeof(jpc_fix_t)))) { ++ if (!(buf = jas_alloc2(bufsize, JPC_QMFB_COLGRPSIZE * sizeof(jpc_fix_t)))) { + /* We have no choice but to commit suicide in this case. */ + abort(); + } +@@ -520,7 +520,7 @@ void jpc_qmfb_split_colres(jpc_fix_t *a, + + /* Get a buffer. */ + if (bufsize > QMFB_SPLITBUFSIZE) { +- if (!(buf = jas_alloc2(bufsize, sizeof(jpc_fix_t)))) { ++ if (!(buf = jas_alloc3(bufsize, numcols, sizeof(jpc_fix_t)))) { + /* We have no choice but to commit suicide in this case. */ + abort(); + } diff --git a/SOURCES/jasper-CVE-2016-8690-CVE-2016-8884-CVE-2016-8885.patch b/SOURCES/jasper-CVE-2016-8690-CVE-2016-8884-CVE-2016-8885.patch new file mode 100644 index 0000000..8f6eb31 --- /dev/null +++ b/SOURCES/jasper-CVE-2016-8690-CVE-2016-8884-CVE-2016-8885.patch 
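Review bot: The two buffer allocations are fixed in different styles: jpc_qmfb_split_colgrp uses `jas_alloc2(bufsize, JPC_QMFB_COLGRPSIZE * sizeof(jpc_fix_t))` while jpc_qmfb_split_colres uses `jas_alloc3(bufsize, numcols, sizeof(jpc_fix_t))`. The first is safe because the product is a compile-time constant, but `jas_alloc3(bufsize, JPC_QMFB_COLGRPSIZE, sizeof(jpc_fix_t))` would keep the overflow checking uniform and make the intent obvious to the next reader. Both enclosing functions extend beyond the hunks.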
@@ -0,0 +1,22 @@ +Backport form the upstream commit: + +From 5d66894d2313e3f3469f19066e149e08ff076698 Mon Sep 17 00:00:00 2001 +From: Michael Adams +Date: Wed, 19 Oct 2016 20:13:06 -0700 +Subject: [PATCH] Fixed a problem with a null pointer dereference in the BMP + decoder. + +diff -pruN jasper-1.900.1.orig/src/libjasper/base/jas_seq.c jasper-1.900.1/src/libjasper/base/jas_seq.c +--- jasper-1.900.1.orig/src/libjasper/base/jas_seq.c 2017-03-23 22:50:09.000000000 +0100 ++++ jasper-1.900.1/src/libjasper/base/jas_seq.c 2017-03-23 23:01:30.000000000 +0100 +@@ -102,6 +102,10 @@ jas_matrix_t *jas_matrix_create(int numr + jas_matrix_t *matrix; + int i; + ++ if (numrows < 0 || numcols < 0) { ++ return 0; ++ } ++ + if (!(matrix = jas_malloc(sizeof(jas_matrix_t)))) { + return 0; + } diff --git a/SOURCES/jasper-CVE-2016-8691-CVE-2016-8692.patch b/SOURCES/jasper-CVE-2016-8691-CVE-2016-8692.patch new file mode 100644 index 0000000..607a3c9 --- /dev/null +++ b/SOURCES/jasper-CVE-2016-8691-CVE-2016-8692.patch 
@@ -0,0 +1,31 @@ +From d8c2604cd438c41ec72aff52c16ebd8183068020 Mon Sep 17 00:00:00 2001 +From: Michael Adams +Date: Sat, 15 Oct 2016 12:22:28 -0700 +Subject: [PATCH] Added range check on XRsiz and YRsiz fields of SIZ marker + segment. + +--- + src/libjasper/jpc/jpc_cs.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/src/libjasper/jpc/jpc_cs.c b/src/libjasper/jpc/jpc_cs.c +index 6da4872..55d34d6 100644 +--- a/src/libjasper/jpc/jpc_cs.c ++++ b/src/libjasper/jpc/jpc_cs.c +@@ -512,6 +512,16 @@ static int jpc_siz_getparms(jpc_ms_t *ms, jpc_cstate_t *cstate, + jas_free(siz->comps); + return -1; + } ++ if (siz->comps[i].hsamp == 0 || siz->comps[i].hsamp > 255) { ++ jas_eprintf("invalid XRsiz value %d\n", siz->comps[i].hsamp); ++ jas_free(siz->comps); ++ return -1; ++ } ++ if (siz->comps[i].vsamp == 0 || siz->comps[i].vsamp > 255) { ++ jas_eprintf("invalid YRsiz value %d\n", siz->comps[i].vsamp); ++ jas_free(siz->comps); ++ return -1; ++ } + siz->comps[i].sgnd = (tmp >> 7) & 1; + siz->comps[i].prec = (tmp & 0x7f) + 1; + } diff --git a/SOURCES/jasper-CVE-2016-8693.patch b/SOURCES/jasper-CVE-2016-8693.patch new file mode 100644 index 0000000..b541210 --- /dev/null +++ b/SOURCES/jasper-CVE-2016-8693.patch 
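Review bot: `siz->comps[i].hsamp > 255` and `siz->comps[i].vsamp > 255` can never be true when the fields are 8-bit, as they appear to be since they are filled by `jpc_getuint8`; compilers flag this under `-Wtype-limits`. The upper bound is harmless but reads as dead code, so a comment such as `/* XRsiz/YRsiz are 1..255 per the standard; the > 255 test matters only where uint_fast8_t is wider than 8 bits. */` would prevent a later reader from "fixing" it away. The `%d` format relies on the field promoting to int, which holds for an 8-bit unsigned type.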
@@ -0,0 +1,25 @@ +Backport of the upstream commit: + +From 44a524e367597af58d6265ae2014468b334d0309 Mon Sep 17 00:00:00 2001 +From: Michael Adams +Date: Thu, 20 Oct 2016 07:34:32 -0700 +Subject: [PATCH] The memory stream interface allows for a buffer size of zero. + The case of a zero-sized buffer was not handled correctly, as it could lead + to a double free. This problem has now been fixed (hopefully). One might ask + whether a zero-sized buffer should be allowed at all, but this is a question + for another day. + +diff -pruN jasper-1.900.1.orig/src/libjasper/base/jas_stream.c jasper-1.900.1/src/libjasper/base/jas_stream.c +--- jasper-1.900.1.orig/src/libjasper/base/jas_stream.c 2017-03-24 13:23:23.000000000 +0100 ++++ jasper-1.900.1/src/libjasper/base/jas_stream.c 2017-03-24 13:33:01.986069625 +0100 +@@ -991,8 +991,8 @@ static int mem_resize(jas_stream_memobj_ + { + unsigned char *buf; + +- assert(m->buf_); +- if (!(buf = jas_realloc(m->buf_, bufsize))) { ++ //assert(m->buf_); ++ if (!(buf = jas_realloc(m->buf_, bufsize)) && bufsize) { + return -1; + } + m->buf_ = buf; diff --git a/SOURCES/jasper-CVE-2016-8883.patch b/SOURCES/jasper-CVE-2016-8883.patch new file mode 100644 index 0000000..46bcdad --- /dev/null +++ b/SOURCES/jasper-CVE-2016-8883.patch 
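Review bot: The `//assert(m->buf_);` left in mem_resize is commented-out code and should simply be removed. The new condition `!(buf = jas_realloc(m->buf_, bufsize)) && bufsize` treats a NULL result for `bufsize == 0` as success and stores it in `m->buf_`, which is correct only because C leaves `realloc(p, 0)` implementation-defined (it may free and return NULL, or return a unique pointer); a comment stating that assumption, e.g. `/* realloc(p, 0) may legitimately return NULL after freeing p; only a NULL for a non-zero size is a failure. */`, would document why the zero case is accepted. mem_resize continues outside the hunk.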
@@ -0,0 +1,42 @@ +Backport of upstream commit: + +From 33cc2cfa51a8d0fc3116d16cc1d8fc581b3f9e8d Mon Sep 17 00:00:00 2001 +From: Michael Adams +Date: Wed, 19 Oct 2016 15:02:20 -0700 +Subject: [PATCH] The RCT and ICT require at least three components. + Previously, this was enforced with an assertion. Now, the assertion has been + replaced with a proper error check. + +diff -pruN jasper-1.900.1.orig/src/libjasper/jpc/jpc_dec.c jasper-1.900.1/src/libjasper/jpc/jpc_dec.c +--- jasper-1.900.1.orig/src/libjasper/jpc/jpc_dec.c 2017-03-31 15:52:43.000000000 +0200 ++++ jasper-1.900.1/src/libjasper/jpc/jpc_dec.c 2017-03-31 21:58:17.000000000 +0200 +@@ -1070,12 +1070,18 @@ static int jpc_dec_tiledecode(jpc_dec_t + /* Apply an inverse intercomponent transform if necessary. */ + switch (tile->cp->mctid) { + case JPC_MCT_RCT: +- assert(dec->numcomps >= 3); ++ if (dec->numcomps < 3) { ++ jas_eprintf("RCT requires at least three components\n"); ++ return -1; ++ } + jpc_irct(tile->tcomps[0].data, tile->tcomps[1].data, + tile->tcomps[2].data); + break; + case JPC_MCT_ICT: +- assert(dec->numcomps >= 3); ++ if (dec->numcomps < 3) { ++ jas_eprintf("ICT requires at least three components\n"); ++ return -1; ++ } + jpc_iict(tile->tcomps[0].data, tile->tcomps[1].data, + tile->tcomps[2].data); + break; +@@ -1127,7 +1133,7 @@ static int jpc_dec_tiledecode(jpc_dec_t + JPC_CEILDIV(dec->ystart, cmpt->vstep), jas_matrix_numcols( + tcomp->data), jas_matrix_numrows(tcomp->data), tcomp->data)) { + jas_eprintf("write component failed\n"); +- return -4; ++ return -1; + } + } + diff --git a/SOURCES/jasper-CVE-2016-9387.patch b/SOURCES/jasper-CVE-2016-9387.patch new file mode 100644 index 0000000..23c1b87 --- /dev/null +++ b/SOURCES/jasper-CVE-2016-9387.patch 
@@ -0,0 +1,37 @@ +Backport of the upstream commits: + +From d91198abd00fc435a397fe6bad906a4c1748e9cf Mon Sep 17 00:00:00 2001 +From: Michael Adams +Date: Sun, 23 Oct 2016 03:34:35 -0700 +Subject: [PATCH] Fixed another integer overflow problem. + +From a712a2041085e7cd5f2b153e1532ac2a2954ffaa Mon Sep 17 00:00:00 2001 +From: Michael Adams +Date: Thu, 2 Mar 2017 09:28:42 -0800 +Subject: [PATCH] Added some additional checking to prevent a potential integer + overflow due to conversion in the JPC decoder. + +diff -pruN jasper-1.900.1.orig/src/libjasper/jpc/jpc_dec.c jasper-1.900.1/src/libjasper/jpc/jpc_dec.c +--- jasper-1.900.1.orig/src/libjasper/jpc/jpc_dec.c 2017-03-31 22:12:06.000000000 +0200 ++++ jasper-1.900.1/src/libjasper/jpc/jpc_dec.c 2017-03-31 22:14:46.112781219 +0200 +@@ -1174,6 +1174,7 @@ static int jpc_dec_process_siz(jpc_dec_t + int htileno; + int vtileno; + jpc_dec_cmpt_t *cmpt; ++ size_t size; + + dec->xstart = siz->xoff; + dec->ystart = siz->yoff; +@@ -1210,7 +1211,11 @@ static int jpc_dec_process_siz(jpc_dec_t + + dec->numhtiles = JPC_CEILDIV(dec->xend - dec->tilexoff, dec->tilewidth); + dec->numvtiles = JPC_CEILDIV(dec->yend - dec->tileyoff, dec->tileheight); +- dec->numtiles = dec->numhtiles * dec->numvtiles; ++ if (!jas_safe_size_mul(dec->numhtiles, dec->numvtiles, &size) || ++ size > INT_MAX) { ++ return -1; ++ } ++ dec->numtiles = size; + if (!(dec->tiles = jas_calloc(dec->numtiles, sizeof(jpc_dec_tile_t)))) { + return -1; + } diff --git a/SOURCES/jasper-CVE-2016-9388.patch b/SOURCES/jasper-CVE-2016-9388.patch new file mode 100644 index 0000000..27398be --- /dev/null +++ b/SOURCES/jasper-CVE-2016-9388.patch 
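Review bot: The safe multiply guards `numhtiles * numvtiles`, but the two `JPC_CEILDIV` assignments immediately above it are unchanged; if `dec->numhtiles` and `dec->numvtiles` are `int` (the declaration is outside the hunk), an out-of-range quotient is already truncated or made negative there, and a negative `int` converted to `size_t` passes `jas_safe_size_mul` as a huge value that the `size > INT_MAX` test then rejects only by accident. Worth either asserting the two divisions fit their destination type or adding `if (dec->numhtiles <= 0 || dec->numvtiles <= 0) return -1;` before the multiply. jpc_dec_process_siz spans beyond this hunk.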
@@ -0,0 +1,158 @@ +Backport of upstream commit: + +From 411a4068f8c464e883358bf403a3e25158863823 Mon Sep 17 00:00:00 2001 +From: Michael Adams +Date: Mon, 24 Oct 2016 06:56:08 -0700 +Subject: [PATCH] Fixed a few bugs in the RAS encoder and decoder where errors + were tested with assertions instead of being gracefully handled. + +diff -pruN jasper-1.900.1.orig/src/libjasper/ras/ras_dec.c jasper-1.900.1/src/libjasper/ras/ras_dec.c +--- jasper-1.900.1.orig/src/libjasper/ras/ras_dec.c 2007-01-19 22:43:04.000000000 +0100 ++++ jasper-1.900.1/src/libjasper/ras/ras_dec.c 2017-03-31 22:38:04.000000000 +0200 +@@ -257,9 +257,16 @@ static int ras_getdatastd(jas_stream_t * + /* Avoid compiler warnings about unused parameters. */ + cmap = 0; + ++ assert(jas_image_numcmpts(image) <= 3); ++ ++ for (i = 0; i < 3; ++i) { ++ data[i] = 0; ++ } ++ + for (i = 0; i < jas_image_numcmpts(image); ++i) { +- data[i] = jas_matrix_create(1, jas_image_width(image)); +- assert(data[i]); ++ if (!(data[i] = jas_matrix_create(1, jas_image_width(image)))) { ++ goto error; ++ } + } + + pad = RAS_ROWSIZE(hdr) - (hdr->width * hdr->depth + 7) / 8; +@@ -270,7 +277,7 @@ static int ras_getdatastd(jas_stream_t * + for (x = 0; x < hdr->width; x++) { + while (nz < hdr->depth) { + if ((c = jas_stream_getc(in)) == EOF) { +- return -1; ++ goto error; + } + z = (z << 8) | c; + nz += 8; +@@ -290,22 +297,31 @@ static int ras_getdatastd(jas_stream_t * + } + if (pad) { + if ((c = jas_stream_getc(in)) == EOF) { +- return -1; ++ goto error; + } + } + for (i = 0; i < jas_image_numcmpts(image); ++i) { + if (jas_image_writecmpt(image, i, 0, y, hdr->width, 1, + data[i])) { +- return -1; ++ goto error; + } + } + } + + for (i = 0; i < jas_image_numcmpts(image); ++i) { + jas_matrix_destroy(data[i]); ++ data[i] = 0; + } + + return 0; ++ ++error: ++ for (i = 0; i < 3; ++i) { ++ if (data[i]) { ++ jas_matrix_destroy(data[i]); ++ } ++ } ++ return -1; + } + + static int ras_getcmap(jas_stream_t *in, ras_hdr_t *hdr, ras_cmap_t *cmap) 
+@@ -324,7 +340,9 @@ static int ras_getcmap(jas_stream_t *in, + { + jas_eprintf("warning: palettized images not fully supported\n"); + numcolors = 1 << hdr->depth; +- assert(numcolors <= RAS_CMAP_MAXSIZ); ++ if (numcolors > RAS_CMAP_MAXSIZ) { ++ return -1; ++ } + actualnumcolors = hdr->maplength / 3; + for (i = 0; i < numcolors; i++) { + cmap->data[i] = 0; +diff -pruN jasper-1.900.1.orig/src/libjasper/ras/ras_enc.c jasper-1.900.1/src/libjasper/ras/ras_enc.c +--- jasper-1.900.1.orig/src/libjasper/ras/ras_enc.c 2017-03-31 22:20:38.000000000 +0200 ++++ jasper-1.900.1/src/libjasper/ras/ras_enc.c 2017-03-31 22:38:04.000000000 +0200 +@@ -230,9 +230,17 @@ static int ras_putdatastd(jas_stream_t * + jas_matrix_t *data[3]; + int i; + ++ assert(numcmpts <= 3); ++ ++ for (i = 0; i < 3; ++i) { ++ data[i] = 0; ++ } ++ + for (i = 0; i < numcmpts; ++i) { +- data[i] = jas_matrix_create(jas_image_height(image), jas_image_width(image)); +- assert(data[i]); ++ if (!(data[i] = jas_matrix_create(jas_image_height(image), ++ jas_image_width(image)))) { ++ goto error; ++ } + } + + rowsize = RAS_ROWSIZE(hdr); +@@ -244,7 +252,7 @@ static int ras_putdatastd(jas_stream_t * + for (i = 0; i < numcmpts; ++i) { + if (jas_image_readcmpt(image, cmpts[i], 0, y, + jas_image_width(image), 1, data[i])) { +- return -1; ++ goto error; + } + } + z = 0; +@@ -263,7 +271,7 @@ static int ras_putdatastd(jas_stream_t * + while (nz >= 8) { + c = (z >> (nz - 8)) & 0xff; + if (jas_stream_putc(out, c) == EOF) { +- return -1; ++ goto error; + } + nz -= 8; + z &= RAS_ONES(nz); +@@ -272,21 +280,30 @@ static int ras_putdatastd(jas_stream_t * + if (nz > 0) { + c = (z >> (8 - nz)) & RAS_ONES(nz); + if (jas_stream_putc(out, c) == EOF) { +- return -1; ++ goto error; + } + } + if (pad % 2) { + if (jas_stream_putc(out, 0) == EOF) { +- return -1; ++ goto error; + } + } + } + + for (i = 0; i < numcmpts; ++i) { + jas_matrix_destroy(data[i]); ++ data[i] = 0; + } + + return 0; ++ ++error: ++ for (i = 0; i < numcmpts; ++i) { ++ if 
(data[i]) { ++ jas_matrix_destroy(data[i]); ++ } ++ } ++ return -1; + } + + static int ras_puthdr(jas_stream_t *out, ras_hdr_t *hdr) diff --git a/SOURCES/jasper-CVE-2016-9389.patch b/SOURCES/jasper-CVE-2016-9389.patch new file mode 100644 index 0000000..b69d209 --- /dev/null +++ b/SOURCES/jasper-CVE-2016-9389.patch 
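Review bot: In ras_putdatastd the new `assert(numcmpts <= 3);` is the only thing protecting the fixed `jas_matrix_t *data[3]` array, and it vanishes under `NDEBUG`, which is at odds with the patch's stated purpose of replacing assertions with graceful errors; `if (numcmpts > 3) { return -1; }` would hold in release builds too (unless the caller already enforces it, which is not visible here). The two cleanup paths are also inconsistent: ras_getdatastd's `error:` loop iterates `i < 3` while ras_putdatastd's iterates `i < numcmpts`, so only the former stays in bounds if the assert is compiled out. Both functions begin outside their hunks.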
@@ -0,0 +1,59 @@ +Backport of upstream commit: + +From dee11ec440d7908d1daf69f40a3324b27cf213ba Mon Sep 17 00:00:00 2001 +From: Michael Adams +Date: Mon, 24 Oct 2016 07:26:40 -0700 +Subject: [PATCH] The component domains must be the same for the ICT/RCT in the + JPC codec. This was previously enforced with an assertion. Now, it is handled + in a more graceful manner. + +diff -pruN jasper-1.900.1.orig/src/libjasper/jpc/jpc_dec.c jasper-1.900.1/src/libjasper/jpc/jpc_dec.c +--- jasper-1.900.1.orig/src/libjasper/jpc/jpc_dec.c 2017-03-31 22:20:39.000000000 +0200 ++++ jasper-1.900.1/src/libjasper/jpc/jpc_dec.c 2017-03-31 22:48:55.368931732 +0200 +@@ -1014,6 +1014,24 @@ if (!prc->cblks) { + return 0; + } + ++static int jas_image_cmpt_domains_same(jas_image_t *image) ++{ ++ int cmptno; ++ jas_image_cmpt_t *cmpt; ++ jas_image_cmpt_t *cmpt0; ++ ++ cmpt0 = image->cmpts_[0]; ++ for (cmptno = 1; cmptno < image->numcmpts_; ++cmptno) { ++ cmpt = image->cmpts_[cmptno]; ++ if (cmpt->tlx_ != cmpt0->tlx_ || cmpt->tly_ != cmpt0->tly_ || ++ cmpt->hstep_ != cmpt0->hstep_ || cmpt->vstep_ != cmpt0->vstep_ || ++ cmpt->width_ != cmpt0->width_ || cmpt->height_ != cmpt0->height_) { ++ return 0; ++ } ++ } ++ return 1; ++} ++ + static int jpc_dec_tiledecode(jpc_dec_t *dec, jpc_dec_tile_t *tile) + { + int i; +@@ -1074,6 +1092,10 @@ static int jpc_dec_tiledecode(jpc_dec_t + jas_eprintf("RCT requires at least three components\n"); + return -1; + } ++ if (!jas_image_cmpt_domains_same(dec->image)) { ++ jas_eprintf("RCT requires all components have the same domain\n"); ++ return -1; ++ } + jpc_irct(tile->tcomps[0].data, tile->tcomps[1].data, + tile->tcomps[2].data); + break; +@@ -1082,6 +1104,10 @@ static int jpc_dec_tiledecode(jpc_dec_t + jas_eprintf("ICT requires at least three components\n"); + return -1; + } ++ if (!jas_image_cmpt_domains_same(dec->image)) { ++ jas_eprintf("RCT requires all components have the same domain\n"); ++ return -1; ++ } + jpc_iict(tile->tcomps[0].data, 
tile->tcomps[1].data, + tile->tcomps[2].data); + break; diff --git a/SOURCES/jasper-CVE-2016-9390.patch b/SOURCES/jasper-CVE-2016-9390.patch new file mode 100644 index 0000000..a13eaa0 --- /dev/null +++ b/SOURCES/jasper-CVE-2016-9390.patch @@ -0,0 +1,21 @@ +Backport of the upstream commit: + +From ba2b9d000660313af7b692542afbd374c5685865 Mon Sep 17 00:00:00 2001 +From: Michael Adams +Date: Tue, 25 Oct 2016 16:18:51 -0700 +Subject: [PATCH] Ensure that not all tiles lie outside the image area. + +diff -pruN jasper-1.900.1.orig/src/libjasper/jpc/jpc_cs.c jasper-1.900.1/src/libjasper/jpc/jpc_cs.c +--- jasper-1.900.1.orig/src/libjasper/jpc/jpc_cs.c 2017-03-29 22:24:57.000000000 +0200 ++++ jasper-1.900.1/src/libjasper/jpc/jpc_cs.c 2017-03-29 22:25:48.000000000 +0200 +@@ -502,6 +502,10 @@ static int jpc_siz_getparms(jpc_ms_t *ms + !siz->tileheight || !siz->numcomps) { + return -1; + } ++ if (siz->tilexoff >= siz->width || siz->tileyoff >= siz->height) { ++ jas_eprintf("all tiles are outside the image area\n"); ++ return -1; ++ } + if (!(siz->comps = jas_alloc2(siz->numcomps, sizeof(jpc_sizcomp_t)))) { + return -1; + } diff --git a/SOURCES/jasper-CVE-2016-9391.patch b/SOURCES/jasper-CVE-2016-9391.patch new file mode 100644 index 0000000..b202d57 --- /dev/null +++ b/SOURCES/jasper-CVE-2016-9391.patch 
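Review bot: In the `JPC_MCT_ICT` case the new diagnostic reads `jas_eprintf("RCT requires all components have the same domain\n");`, a copy of the RCT branch; it should say `"ICT requires all components have the same domain\n"` so logs from rejected codestreams point at the right transform. The new `jas_image_cmpt_domains_same` helper also indexes `image->cmpts_[0]` unconditionally; that is safe here only because both call sites have already rejected `numcomps < 3`, which a one-line comment on the helper should record. jpc_dec_tiledecode's body continues outside the hunk.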
@@ -0,0 +1,36 @@ +Backport of relevant parts of upstream commit: + +From 1e84674d95353c64e5c4c0e7232ae86fd6ea813b Mon Sep 17 00:00:00 2001 +From: Michael Adams +Date: Tue, 25 Oct 2016 07:01:50 -0700 +Subject: [PATCH] Changed the JPC bitstream code to more gracefully handle a + request for a larger sized integer than what can be handled (i.e., return + with an error instead of failing an assert). + +diff -pruN jasper-1.900.1.orig/src/libjasper/jpc/jpc_bs.c jasper-1.900.1/src/libjasper/jpc/jpc_bs.c +--- jasper-1.900.1.orig/src/libjasper/jpc/jpc_bs.c 2007-01-19 22:43:07.000000000 +0100 ++++ jasper-1.900.1/src/libjasper/jpc/jpc_bs.c 2017-03-31 23:00:31.000000000 +0200 +@@ -195,7 +195,10 @@ long jpc_bitstream_getbits(jpc_bitstream + + /* We can reliably get at most 31 bits since ISO/IEC 9899 only + guarantees that a long can represent values up to 2^31-1. */ +- assert(n >= 0 && n < 32); ++ //assert(n >= 0 && n < 32); ++ if (n < 0 || n >= 32) { ++ return -1; ++ } + + /* Get the number of bits requested from the specified bit stream. */ + v = 0; +@@ -215,7 +218,10 @@ int jpc_bitstream_putbits(jpc_bitstream_ + + /* We can reliably put at most 31 bits since ISO/IEC 9899 only + guarantees that a long can represent values up to 2^31-1. */ +- assert(n >= 0 && n < 32); ++ //assert(n >= 0 && n < 32); ++ if (n < 0 || n >= 32) { ++ return EOF; ++ } + /* Ensure that only the bits to be output are nonzero. */ + assert(!(v & (~JAS_ONES(n)))); + diff --git a/SOURCES/jasper-CVE-2016-9392-CVE-2016-9393-CVE-2016-9394.patch b/SOURCES/jasper-CVE-2016-9392-CVE-2016-9393-CVE-2016-9394.patch new file mode 100644 index 0000000..d046229 --- /dev/null +++ b/SOURCES/jasper-CVE-2016-9392-CVE-2016-9393-CVE-2016-9394.patch 
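Review bot: Both `//assert(n >= 0 && n < 32);` lines are commented-out code and should be removed now that the explicit range checks replace them. The comment above each still explains the 31-bit limit, so nothing is lost, but a short note on the error convention would help, e.g. `/* -1 is the error value for getbits; callers must test < 0 rather than compare with a bit pattern. */`, since a negative return from `jpc_bitstream_getbits` is otherwise indistinguishable from a genuine all-ones result unless every caller already checks sign (not visible here).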
@@ -0,0 +1,105 @@ +Backport of the upstream commit: + +From f7038068550fba0e41e1d0c355787f1dcd5bf330 Mon Sep 17 00:00:00 2001 +From: Michael Adams +Date: Thu, 27 Oct 2016 20:11:57 -0700 +Subject: [PATCH] Added some missing sanity checks on the data in a SIZ marker + segment. + +diff -pruN jasper-1.900.1.orig/src/libjasper/jpc/jpc_cs.c jasper-1.900.1/src/libjasper/jpc/jpc_cs.c +--- jasper-1.900.1.orig/src/libjasper/jpc/jpc_cs.c 2017-03-29 22:30:41.000000000 +0200 ++++ jasper-1.900.1/src/libjasper/jpc/jpc_cs.c 2017-03-29 22:48:20.267725023 +0200 +@@ -483,6 +483,8 @@ static int jpc_siz_getparms(jpc_ms_t *ms + unsigned int i; + uint_fast8_t tmp; + ++ siz->comps = 0; ++ + /* Eliminate compiler warning about unused variables. */ + cstate = 0; + +@@ -496,44 +498,67 @@ static int jpc_siz_getparms(jpc_ms_t *ms + jpc_getuint32(in, &siz->tilexoff) || + jpc_getuint32(in, &siz->tileyoff) || + jpc_getuint16(in, &siz->numcomps)) { +- return -1; ++ goto error; + } +- if (!siz->width || !siz->height || !siz->tilewidth || +- !siz->tileheight || !siz->numcomps) { +- return -1; +- } +- if (siz->tilexoff >= siz->width || siz->tileyoff >= siz->height) { +- jas_eprintf("all tiles are outside the image area\n"); +- return -1; ++ if (!siz->width || !siz->height) { ++ jas_eprintf("reference grid cannot have zero area\n"); ++ goto error; ++ } ++ if (!siz->tilewidth || !siz->tileheight) { ++ jas_eprintf("tile cannot have zero area\n"); ++ goto error; ++ } ++ if (!siz->numcomps || siz->numcomps > 16384) { ++ jas_eprintf("number of components not in permissible range\n"); ++ goto error; ++ } ++ if (siz->xoff >= siz->width) { ++ jas_eprintf("XOsiz not in permissible range\n"); ++ goto error; ++ } ++ if (siz->yoff >= siz->height) { ++ jas_eprintf("YOsiz not in permissible range\n"); ++ goto error; ++ } ++ if (siz->tilexoff > siz->xoff || siz->tilexoff + siz->tilewidth <= siz->xoff) { ++ jas_eprintf("XTOsiz not in permissible range\n"); ++ goto error; ++ } ++ if (siz->tileyoff > siz->yoff || 
siz->tileyoff + siz->tileheight <= siz->yoff) { ++ jas_eprintf("YTOsiz not in permissible range\n"); ++ goto error; + } ++ + if (!(siz->comps = jas_alloc2(siz->numcomps, sizeof(jpc_sizcomp_t)))) { +- return -1; ++ goto error; + } + for (i = 0; i < siz->numcomps; ++i) { + if (jpc_getuint8(in, &tmp) || + jpc_getuint8(in, &siz->comps[i].hsamp) || + jpc_getuint8(in, &siz->comps[i].vsamp)) { +- jas_free(siz->comps); +- return -1; ++ goto error; + } + if (siz->comps[i].hsamp == 0 || siz->comps[i].hsamp > 255) { + jas_eprintf("invalid XRsiz value %d\n", siz->comps[i].hsamp); +- jas_free(siz->comps); +- return -1; ++ goto error; + } + if (siz->comps[i].vsamp == 0 || siz->comps[i].vsamp > 255) { + jas_eprintf("invalid YRsiz value %d\n", siz->comps[i].vsamp); +- jas_free(siz->comps); +- return -1; ++ goto error; + } + siz->comps[i].sgnd = (tmp >> 7) & 1; + siz->comps[i].prec = (tmp & 0x7f) + 1; + } + if (jas_stream_eof(in)) { +- jas_free(siz->comps); +- return -1; ++ goto error; + } + return 0; ++ ++error: ++ if (siz->comps) { ++ jas_free(siz->comps); ++ } ++ return -1; + } + + static int jpc_siz_putparms(jpc_ms_t *ms, jpc_cstate_t *cstate, jas_stream_t *out) diff --git a/SOURCES/jasper-CVE-2016-9560.patch b/SOURCES/jasper-CVE-2016-9560.patch new file mode 100644 index 0000000..19ec2dc --- /dev/null +++ b/SOURCES/jasper-CVE-2016-9560.patch 
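Review bot: `siz->tilexoff + siz->tilewidth <= siz->xoff` (and the `tileyoff` counterpart) can wrap where `uint_fast32_t` is exactly 32 bits, because `tilewidth` is only checked for non-zero; the wrap makes the sum small and the image is rejected, so the failure mode is a spurious error rather than an overflow, but that is not obvious from the code. A comment such as `/* Unsigned wrap here only causes a rejection, never an under-sized tile. */` or an explicit `siz->tilewidth > siz->xoff - siz->tilexoff` formulation (valid since `tilexoff <= xoff` was just established) would make the reasoning explicit. jpc_siz_getparms begins before the hunk.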
@@ -0,0 +1,19 @@
+Backport of the upstream commit:
+
+From 1abc2e5a401a4bf1d5ca4df91358ce5df111f495 Mon Sep 17 00:00:00 2001
+From: Michael Adams
+Date: Sun, 20 Nov 2016 04:43:00 -0800
+Subject: [PATCH] Fixed an array overflow problem in the JPC decoder.
+
+diff -pruN jasper-1.900.1.orig/src/libjasper/jpc/jpc_dec.c jasper-1.900.1/src/libjasper/jpc/jpc_dec.c
+--- jasper-1.900.1.orig/src/libjasper/jpc/jpc_dec.c 2017-03-30 15:00:55.000000000 +0200
++++ jasper-1.900.1/src/libjasper/jpc/jpc_dec.c 2017-03-30 17:56:05.000000000 +0200
+@@ -675,7 +675,7 @@ static int jpc_dec_tileinit(jpc_dec_t *d
+ uint_fast32_t tmpxend;
+ uint_fast32_t tmpyend;
+ jpc_dec_cp_t *cp;
+- jpc_tsfb_band_t bnds[64];
++ jpc_tsfb_band_t bnds[JPC_MAXBANDS];
+ jpc_pchg_t *pchg;
+ int pchgno;
+ jpc_dec_cmpt_t *cmpt;
diff --git a/SOURCES/jasper-CVE-2016-9583.patch b/SOURCES/jasper-CVE-2016-9583.patch
new file mode 100644
index 0000000..00735af
--- /dev/null
+++ b/SOURCES/jasper-CVE-2016-9583.patch
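Review bot: Widening `bnds` to `JPC_MAXBANDS` only removes the overflow if the number of resolution levels is capped at `JPC_MAXRLVLS` when the COD/COC marker segments are parsed, because the band enumeration presumably fills up to three bands per level plus one; confirm that bound is enforced in this 1.900.1 tree (jpc_cox_getcompparms in jpc_cs.c), otherwise a crafted codestream can still overrun the stack array. A comment on the declaration, `/* sized by JPC_MAXBANDS; relies on numrlvls <= JPC_MAXRLVLS being enforced at COD/COC parse time */`, would make that dependency visible to the next person who touches either side. jpc_dec_tileinit continues well past this hunk, so the call that fills `bnds` is not visible here.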
@@ -0,0 +1,220 @@ +Backport of upstream commits: + +From aa0b0f79ade5eef8b0e7a214c03f5af54b36ba7d Mon Sep 17 00:00:00 2001 +From: Michael Adams +Date: Sat, 26 Nov 2016 17:14:09 -0800 +Subject: [PATCH] Fixed numerous integer overflow problems in the code for + packet iterators in the JPC decoder. + +From f25486c3d4aa472fec79150f2c41ed4333395d3d Mon Sep 17 00:00:00 2001 +From: Michael Adams +Date: Sat, 26 Nov 2016 20:54:24 -0800 +Subject: [PATCH] Fixed a bug in the packet iterator code. Added a new + regression test case. + +From 99a50593254d1b53002719bbecfc946c84b23d27 Mon Sep 17 00:00:00 2001 +From: Michael Adams +Date: Fri, 9 Dec 2016 05:42:39 -0800 +Subject: [PATCH] Apply a patch for the following bug report: + https://github.com/mdadams/jasper/issues/103 Heap-Buffer-Overflow or + Null-pointer-dereference vulnerability due to a programming mistake + (off-by-1) + +diff -pruN jasper-1.900.1.orig/src/libjasper/include/jasper/jas_types.h jasper-1.900.1/src/libjasper/include/jasper/jas_types.h +--- jasper-1.900.1.orig/src/libjasper/include/jasper/jas_types.h 2007-01-19 22:43:04.000000000 +0100 ++++ jasper-1.900.1/src/libjasper/include/jasper/jas_types.h 2017-03-30 22:12:18.000000000 +0200 +@@ -217,6 +217,10 @@ typedef ulonglong uint_fast64_t; + #define JAS_CAST(t, e) \ + ((t) (e)) + ++/* The number of bits in the integeral type uint_fast32_t. */ ++/* NOTE: This could underestimate the size on some exotic architectures. 
*/ ++#define JAS_UINTFAST32_NUMBITS (8 * sizeof(uint_fast32_t)) ++ + #ifdef __cplusplus + extern "C" { + #endif +diff -pruN jasper-1.900.1.orig/src/libjasper/jpc/jpc_t2cod.c jasper-1.900.1/src/libjasper/jpc/jpc_t2cod.c +--- jasper-1.900.1.orig/src/libjasper/jpc/jpc_t2cod.c 2017-03-30 18:03:55.000000000 +0200 ++++ jasper-1.900.1/src/libjasper/jpc/jpc_t2cod.c 2017-03-30 22:14:39.000000000 +0200 +@@ -249,10 +249,17 @@ static int jpc_pi_nextrpcl(register jpc_ + ++compno, ++picomp) { + for (rlvlno = 0, pirlvl = picomp->pirlvls; rlvlno < + picomp->numrlvls; ++rlvlno, ++pirlvl) { +- xstep = picomp->hsamp * (1 << (pirlvl->prcwidthexpn + +- picomp->numrlvls - rlvlno - 1)); +- ystep = picomp->vsamp * (1 << (pirlvl->prcheightexpn + +- picomp->numrlvls - rlvlno - 1)); ++ // Check for the potential for overflow problems. ++ if (pirlvl->prcwidthexpn + picomp->numrlvls > ++ JAS_UINTFAST32_NUMBITS - 2 || ++ pirlvl->prcheightexpn + picomp->numrlvls > ++ JAS_UINTFAST32_NUMBITS - 2) { ++ return -1; ++ } ++ xstep = picomp->hsamp * (JAS_CAST(uint_fast32_t, 1) << ++ (pirlvl->prcwidthexpn + picomp->numrlvls - rlvlno - 1)); ++ ystep = picomp->vsamp * (JAS_CAST(uint_fast32_t, 1) << ++ (pirlvl->prcheightexpn + picomp->numrlvls - rlvlno - 1)); + pi->xstep = (!pi->xstep) ? xstep : JAS_MIN(pi->xstep, xstep); + pi->ystep = (!pi->ystep) ? 
ystep : JAS_MIN(pi->ystep, ystep); + } +@@ -282,21 +289,24 @@ static int jpc_pi_nextrpcl(register jpc_ + rpy = r + pi->pirlvl->prcheightexpn; + trx0 = JPC_CEILDIV(pi->xstart, pi->picomp->hsamp << r); + try0 = JPC_CEILDIV(pi->ystart, pi->picomp->vsamp << r); +- if (((pi->x == pi->xstart && ((trx0 << r) % (1 << rpx))) +- || !(pi->x % (1 << rpx))) && +- ((pi->y == pi->ystart && ((try0 << r) % (1 << rpy))) +- || !(pi->y % (1 << rpy)))) { +- prchind = JPC_FLOORDIVPOW2(JPC_CEILDIV(pi->x, pi->picomp->hsamp +- << r), pi->pirlvl->prcwidthexpn) - JPC_FLOORDIVPOW2(trx0, +- pi->pirlvl->prcwidthexpn); +- prcvind = JPC_FLOORDIVPOW2(JPC_CEILDIV(pi->y, pi->picomp->vsamp +- << r), pi->pirlvl->prcheightexpn) - JPC_FLOORDIVPOW2(try0, +- pi->pirlvl->prcheightexpn); ++ if (((pi->x == pi->xstart && ++ ((trx0 << r) % (JAS_CAST(uint_fast32_t, 1) << rpx))) ++ || !(pi->x % (JAS_CAST(uint_fast32_t, 1) << rpx))) && ++ ((pi->y == pi->ystart && ++ ((try0 << r) % (JAS_CAST(uint_fast32_t, 1) << rpy))) ++ || !(pi->y % (JAS_CAST(uint_fast32_t, 1) << rpy)))) { ++ prchind = JPC_FLOORDIVPOW2(JPC_CEILDIV(pi->x, ++ pi->picomp->hsamp << r), pi->pirlvl->prcwidthexpn) - ++ JPC_FLOORDIVPOW2(trx0, pi->pirlvl->prcwidthexpn); ++ prcvind = JPC_FLOORDIVPOW2(JPC_CEILDIV(pi->y, ++ pi->picomp->vsamp << r), pi->pirlvl->prcheightexpn) - ++ JPC_FLOORDIVPOW2(try0, pi->pirlvl->prcheightexpn); + pi->prcno = prcvind * pi->pirlvl->numhprcs + prchind; + + assert(pi->prcno < pi->pirlvl->numprcs); + for (pi->lyrno = 0; pi->lyrno < +- pi->numlyrs && pi->lyrno < JAS_CAST(int, pchg->lyrnoend); ++pi->lyrno) { ++ pi->numlyrs && pi->lyrno < JAS_CAST(int, ++ pchg->lyrnoend); ++pi->lyrno) { + prclyrno = &pi->pirlvl->prclyrnos[pi->prcno]; + if (pi->lyrno >= *prclyrno) { + ++(*prclyrno); +@@ -341,16 +351,19 @@ static int jpc_pi_nextpcrl(register jpc_ + ++compno, ++picomp) { + for (rlvlno = 0, pirlvl = picomp->pirlvls; rlvlno < + picomp->numrlvls; ++rlvlno, ++pirlvl) { +- xstep = picomp->hsamp * (1 << +- (pirlvl->prcwidthexpn + 
picomp->numrlvls - +- rlvlno - 1)); +- ystep = picomp->vsamp * (1 << +- (pirlvl->prcheightexpn + picomp->numrlvls - +- rlvlno - 1)); +- pi->xstep = (!pi->xstep) ? xstep : +- JAS_MIN(pi->xstep, xstep); +- pi->ystep = (!pi->ystep) ? ystep : +- JAS_MIN(pi->ystep, ystep); ++ // Check for the potential for overflow problems. ++ if (pirlvl->prcwidthexpn + picomp->numrlvls > ++ JAS_UINTFAST32_NUMBITS - 2 || ++ pirlvl->prcheightexpn + picomp->numrlvls > ++ JAS_UINTFAST32_NUMBITS - 2) { ++ return -1; ++ } ++ xstep = picomp->hsamp * (JAS_CAST(uint_fast32_t, 1) << ++ (pirlvl->prcwidthexpn + picomp->numrlvls - rlvlno - 1)); ++ ystep = picomp->vsamp * (JAS_CAST(uint_fast32_t, 1) << ++ (pirlvl->prcheightexpn + picomp->numrlvls - rlvlno - 1)); ++ pi->xstep = (!pi->xstep) ? xstep : JAS_MIN(pi->xstep, xstep); ++ pi->ystep = (!pi->ystep) ? ystep : JAS_MIN(pi->ystep, ystep); + } + } + pi->prgvolfirst = 0; +@@ -377,20 +390,23 @@ static int jpc_pi_nextpcrl(register jpc_ + try0 = JPC_CEILDIV(pi->ystart, pi->picomp->vsamp << r); + rpx = r + pi->pirlvl->prcwidthexpn; + rpy = r + pi->pirlvl->prcheightexpn; +- if (((pi->x == pi->xstart && ((trx0 << r) % (1 << rpx))) || ++ if (((pi->x == pi->xstart && ++ ((trx0 << r) % (JAS_CAST(uint_fast32_t, 1) << rpx))) || + !(pi->x % (pi->picomp->hsamp << rpx))) && +- ((pi->y == pi->ystart && ((try0 << r) % (1 << rpy))) || ++ ((pi->y == pi->ystart && ++ ((try0 << r) % (JAS_CAST(uint_fast32_t, 1) << rpy))) || + !(pi->y % (pi->picomp->vsamp << rpy)))) { +- prchind = JPC_FLOORDIVPOW2(JPC_CEILDIV(pi->x, pi->picomp->hsamp +- << r), pi->pirlvl->prcwidthexpn) - JPC_FLOORDIVPOW2(trx0, +- pi->pirlvl->prcwidthexpn); +- prcvind = JPC_FLOORDIVPOW2(JPC_CEILDIV(pi->y, pi->picomp->vsamp +- << r), pi->pirlvl->prcheightexpn) - JPC_FLOORDIVPOW2(try0, +- pi->pirlvl->prcheightexpn); ++ prchind = JPC_FLOORDIVPOW2(JPC_CEILDIV(pi->x, ++ pi->picomp->hsamp << r), pi->pirlvl->prcwidthexpn) - ++ JPC_FLOORDIVPOW2(trx0, pi->pirlvl->prcwidthexpn); ++ prcvind = 
JPC_FLOORDIVPOW2(JPC_CEILDIV(pi->y, ++ pi->picomp->vsamp << r), pi->pirlvl->prcheightexpn) - ++ JPC_FLOORDIVPOW2(try0, pi->pirlvl->prcheightexpn); + pi->prcno = prcvind * pi->pirlvl->numhprcs + prchind; + assert(pi->prcno < pi->pirlvl->numprcs); + for (pi->lyrno = 0; pi->lyrno < pi->numlyrs && +- pi->lyrno < JAS_CAST(int, pchg->lyrnoend); ++pi->lyrno) { ++ pi->lyrno < JAS_CAST(int, pchg->lyrnoend); ++ ++pi->lyrno) { + prclyrno = &pi->pirlvl->prclyrnos[pi->prcno]; + if (pi->lyrno >= *prclyrno) { + ++(*prclyrno); +@@ -428,10 +444,17 @@ static int jpc_pi_nextcprl(register jpc_ + pi->prgvolfirst = 0; + } + +- for (pi->compno = pchg->compnostart, pi->picomp = +- &pi->picomps[pi->compno]; pi->compno < JAS_CAST(int, pchg->compnoend) && pi->compno < pi->numcomps; ++pi->compno, +- ++pi->picomp) { ++ for (pi->compno = pchg->compnostart, pi->picomp = &pi->picomps[pi->compno]; ++ pi->compno < JAS_CAST(int, pchg->compnoend) && pi->compno < pi->numcomps; ++ ++pi->compno, ++pi->picomp) { + pirlvl = pi->picomp->pirlvls; ++ // Check for the potential for overflow problems. 
++ if (pirlvl->prcwidthexpn + pi->picomp->numrlvls > ++ JAS_UINTFAST32_NUMBITS - 2 || ++ pirlvl->prcheightexpn + pi->picomp->numrlvls > ++ JAS_UINTFAST32_NUMBITS - 2) { ++ return -1; ++ } + pi->xstep = pi->picomp->hsamp * (JAS_CAST(uint_fast32_t, 1) << + (pirlvl->prcwidthexpn + pi->picomp->numrlvls - 1)); + pi->ystep = pi->picomp->vsamp * (JAS_CAST(uint_fast32_t, 1) << +@@ -461,23 +484,23 @@ static int jpc_pi_nextcprl(register jpc_ + try0 = JPC_CEILDIV(pi->ystart, pi->picomp->vsamp << r); + rpx = r + pi->pirlvl->prcwidthexpn; + rpy = r + pi->pirlvl->prcheightexpn; +- if (((pi->x == pi->xstart && ((trx0 << r) % (1 << rpx))) || ++ if (((pi->x == pi->xstart && ++ ((trx0 << r) % (JAS_CAST(uint_fast32_t, 1) << rpx))) || + !(pi->x % (pi->picomp->hsamp << rpx))) && +- ((pi->y == pi->ystart && ((try0 << r) % (1 << rpy))) || ++ ((pi->y == pi->ystart && ++ ((try0 << r) % (JAS_CAST(uint_fast32_t, 1) << rpy))) || + !(pi->y % (pi->picomp->vsamp << rpy)))) { +- prchind = JPC_FLOORDIVPOW2(JPC_CEILDIV(pi->x, pi->picomp->hsamp +- << r), pi->pirlvl->prcwidthexpn) - JPC_FLOORDIVPOW2(trx0, +- pi->pirlvl->prcwidthexpn); +- prcvind = JPC_FLOORDIVPOW2(JPC_CEILDIV(pi->y, pi->picomp->vsamp +- << r), pi->pirlvl->prcheightexpn) - JPC_FLOORDIVPOW2(try0, +- pi->pirlvl->prcheightexpn); +- pi->prcno = prcvind * +- pi->pirlvl->numhprcs + +- prchind; +- assert(pi->prcno < +- pi->pirlvl->numprcs); +- for (pi->lyrno = 0; pi->lyrno < +- pi->numlyrs && pi->lyrno < JAS_CAST(int, pchg->lyrnoend); ++pi->lyrno) { ++ prchind = JPC_FLOORDIVPOW2(JPC_CEILDIV(pi->x, ++ pi->picomp->hsamp << r), pi->pirlvl->prcwidthexpn) - ++ JPC_FLOORDIVPOW2(trx0, pi->pirlvl->prcwidthexpn); ++ prcvind = JPC_FLOORDIVPOW2(JPC_CEILDIV(pi->y, ++ pi->picomp->vsamp << r), pi->pirlvl->prcheightexpn) - ++ JPC_FLOORDIVPOW2(try0, pi->pirlvl->prcheightexpn); ++ pi->prcno = prcvind * pi->pirlvl->numhprcs + prchind; ++ assert(pi->prcno < pi->pirlvl->numprcs); ++ for (pi->lyrno = 0; pi->lyrno < pi->numlyrs && ++ pi->lyrno < JAS_CAST(int, 
pchg->lyrnoend); ++ ++pi->lyrno) { + prclyrno = &pi->pirlvl->prclyrnos[pi->prcno]; + if (pi->lyrno >= *prclyrno) { + ++(*prclyrno); diff --git a/SOURCES/jasper-CVE-2016-9591.patch b/SOURCES/jasper-CVE-2016-9591.patch new file mode 100644 index 0000000..bd42d95 --- /dev/null +++ b/SOURCES/jasper-CVE-2016-9591.patch 
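Review bot: The `JAS_CAST(uint_fast32_t, 1) << rpx` casts fix the literal shifts, but the neighbouring `pi->picomp->hsamp << rpx` and `pi->picomp->vsamp << rpy` operands in the nextpcrl and nextcprl conditions (kept as context) are not cast; if `hsamp`/`vsamp` are plain `int` in jpc_picomp_t (their declaration is not visible here), a shift count of 32 or more is still undefined behaviour, and the new `JAS_UINTFAST32_NUMBITS - 2` guard does not constrain it on LP64 targets where uint_fast32_t is 64 bits wide. Casting those operands the same way, `!(pi->x % (JAS_CAST(uint_fast32_t, pi->picomp->hsamp) << rpx))`, would close that gap. The new `return -1` from the step-size loops is only distinguishable from the normal end-of-iteration result if every caller of jpc_pi_next tests the sign rather than non-zero; those callers are outside this hunk and should be checked. Minor: the new comment in jas_types.h reads "integeral" where "integral" is meant.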
@@ -0,0 +1,212 @@
+Backport of the upstream patch:
+
+From 03fe49ab96bf65fea784cdc256507ea88267fc7c Mon Sep 17 00:00:00 2001
+From: Michael Adams
+Date: Thu, 2 Mar 2017 08:07:04 -0800
+Subject: [PATCH] Fixed some potential double-free problems in the JPC codec.
+
+diff -pruN jasper-1.900.1.orig/src/libjasper/jpc/jpc_enc.c jasper-1.900.1/src/libjasper/jpc/jpc_enc.c
+--- jasper-1.900.1.orig/src/libjasper/jpc/jpc_enc.c 2017-03-30 22:53:59.000000000 +0200
++++ jasper-1.900.1/src/libjasper/jpc/jpc_enc.c 2017-03-31 13:40:12.000000000 +0200
+@@ -1140,8 +1140,9 @@ int numgbits;
+ tilex = tileno % cp->numhtiles;
+ tiley = tileno / cp->numhtiles;
+
+- if (!(enc->curtile = jpc_enc_tile_create(enc->cp, enc->image, tileno))) {
+- abort();
++ if (!(enc->curtile = jpc_enc_tile_create(enc->cp, enc->image,
++ tileno))) {
++ return -1;
+ }
+
+ tile = enc->curtile;
+@@ -2016,6 +2017,8 @@ error:
+ return 0;
+ }
+
++/* Note: I don't think that it is necessary to marked destroyed subobjects
++as such in this function. */
+ void jpc_enc_tile_destroy(jpc_enc_tile_t *tile)
+ {
+ jpc_enc_tcmpt_t *tcmpt;
+@@ -2027,16 +2030,21 @@ void jpc_enc_tile_destroy(jpc_enc_tile_t
+ tcmpt_destroy(tcmpt);
+ }
+ jas_free(tile->tcmpts);
++ /* tile->tcmpts = NULL; */
+ }
+ if (tile->lyrsizes) {
+ jas_free(tile->lyrsizes);
++ /* tile->lyrsizes = NULL; */
+ }
+ if (tile->pi) {
+ jpc_pi_destroy(tile->pi);
++ /* tile->pi = NULL; */
+ }
+ jas_free(tile);
++ /* tile = NULL; */
+ }
+
++/* Note: This constructor creates the object in place. */
+ static jpc_enc_tcmpt_t *tcmpt_create(jpc_enc_tcmpt_t *tcmpt, jpc_enc_cp_t *cp,
+ jas_image_t *image, jpc_enc_tile_t *tile)
+ {
+@@ -2132,6 +2140,10 @@ error:
+
+ }
+
++/* Note: Since jpc_enc_tcmpt_t objects are created in-place, they might
++potentially be destroyed multiple times at different levels in the call
++chain. So, destroyed subobjects must be marked as destroyed to prevent
++problems such as double frees. 
*/
+ static void tcmpt_destroy(jpc_enc_tcmpt_t *tcmpt)
+ {
+ jpc_enc_rlvl_t *rlvl;
+@@ -2143,16 +2155,20 @@ static void tcmpt_destroy(jpc_enc_tcmpt_
+ rlvl_destroy(rlvl);
+ }
+ jas_free(tcmpt->rlvls);
++ tcmpt->rlvls = NULL;
+ }
+
+ if (tcmpt->data) {
+ jas_seq2d_destroy(tcmpt->data);
++ tcmpt->data = NULL;
+ }
+ if (tcmpt->tsfb) {
+ jpc_tsfb_destroy(tcmpt->tsfb);
++ tcmpt->tsfb = NULL;
+ }
+ }
+
++/* Note: This constructor creates the object in place. */
+ static jpc_enc_rlvl_t *rlvl_create(jpc_enc_rlvl_t *rlvl, jpc_enc_cp_t *cp,
+ jpc_enc_tcmpt_t *tcmpt, jpc_tsfb_band_t *bandinfos)
+ {
+@@ -2234,6 +2250,10 @@ error:
+ return 0;
+ }
+
++/* Note: Since jpc_enc_rlvl_t objects are created in-place, they might
++potentially be destroyed multiple times at different levels in the call
++chain. So, destroyed subobjects must be marked as destroyed to prevent
++problems such as double frees. */
+ static void rlvl_destroy(jpc_enc_rlvl_t *rlvl)
+ {
+ jpc_enc_band_t *band;
+@@ -2245,9 +2265,11 @@ static void rlvl_destroy(jpc_enc_rlvl_t
+ band_destroy(band);
+ }
+ jas_free(rlvl->bands);
++ rlvl->bands = NULL;
+ }
+ }
+
++/* Note: This constructor creates the object in place. */
+ static jpc_enc_band_t *band_create(jpc_enc_band_t *band, jpc_enc_cp_t *cp,
+ jpc_enc_rlvl_t *rlvl, jpc_tsfb_band_t *bandinfos)
+ {
+@@ -2315,6 +2337,10 @@ error:
+ return 0;
+ }
+
++/* Note: Since jpc_enc_band_t objects are created in-place, they might
++potentially be destroyed multiple times at different levels in the call
++chain. So, destroyed subobjects must be marked as destroyed to prevent
++problems such as double frees. */
+ static void band_destroy(jpc_enc_band_t *band)
+ {
+ jpc_enc_prc_t *prc;
+@@ -2328,12 +2354,15 @@ static void band_destroy(jpc_enc_band_t
+ prc_destroy(prc);
+ }
+ jas_free(band->prcs);
++ band->prcs = NULL;
+ }
+ if (band->data) {
+ jas_seq2d_destroy(band->data);
++ band->data = NULL;
+ }
+ }
+
++/* Note: This constructor creates the object in place. 
*/
+ static jpc_enc_prc_t *prc_create(jpc_enc_prc_t *prc, jpc_enc_cp_t *cp, jpc_enc_band_t *band)
+ {
+ uint_fast32_t prcno;
+@@ -2459,6 +2488,10 @@ error:
+ return 0;
+ }
+
++/* Note: Since jpc_enc_prc_t objects are created in-place, they might
++potentially be destroyed multiple times at different levels in the call
++chain. So, destroyed subobjects must be marked as destroyed to prevent
++problems such as double frees. */
+ static void prc_destroy(jpc_enc_prc_t *prc)
+ {
+ jpc_enc_cblk_t *cblk;
+@@ -2470,22 +2503,29 @@ static void prc_destroy(jpc_enc_prc_t *p
+ cblk_destroy(cblk);
+ }
+ jas_free(prc->cblks);
++ prc->cblks = NULL;
+ }
+ if (prc->incltree) {
+ jpc_tagtree_destroy(prc->incltree);
++ prc->incltree = NULL;
+ }
+ if (prc->nlibtree) {
+ jpc_tagtree_destroy(prc->nlibtree);
++ prc->nlibtree = NULL;
+ }
+ if (prc->savincltree) {
+ jpc_tagtree_destroy(prc->savincltree);
++ prc->savincltree = NULL;
+ }
+ if (prc->savnlibtree) {
+ jpc_tagtree_destroy(prc->savnlibtree);
++ prc->savnlibtree = NULL;
+ }
+ }
+
+-static jpc_enc_cblk_t *cblk_create(jpc_enc_cblk_t *cblk, jpc_enc_cp_t *cp, jpc_enc_prc_t *prc)
++/* Note: This constructor creates the object in place. */
++static jpc_enc_cblk_t *cblk_create(jpc_enc_cblk_t *cblk, jpc_enc_cp_t *cp,
++ jpc_enc_prc_t *prc)
+ {
+ jpc_enc_band_t *band;
+ uint_fast32_t cblktlx;
+@@ -2543,6 +2583,10 @@ error:
+ return 0;
+ }
+
++/* Note: Since jpc_enc_cblk_t objects are created in-place, they might
++potentially be destroyed multiple times at different levels in the call
++chain. So, destroyed subobjects must be marked as destroyed to prevent
++problems such as double frees. 
*/
+ static void cblk_destroy(jpc_enc_cblk_t *cblk)
+ {
+ uint_fast16_t passno;
+@@ -2553,18 +2597,23 @@ static void cblk_destroy(jpc_enc_cblk_t
+ pass_destroy(pass);
+ }
+ jas_free(cblk->passes);
++ cblk->passes = NULL;
+ }
+ if (cblk->stream) {
+ jas_stream_close(cblk->stream);
++ cblk->stream = NULL;
+ }
+ if (cblk->mqenc) {
+ jpc_mqenc_destroy(cblk->mqenc);
++ cblk->mqenc = NULL;
+ }
+ if (cblk->data) {
+ jas_seq2d_destroy(cblk->data);
++ cblk->data = NULL;
+ }
+ if (cblk->flags) {
+ jas_seq2d_destroy(cblk->flags);
++ cblk->flags = NULL;
+ }
+ }
+
diff --git a/SOURCES/jasper-CVE-2016-9600.patch b/SOURCES/jasper-CVE-2016-9600.patch
new file mode 100644
index 0000000..ec197b1
--- /dev/null
+++ b/SOURCES/jasper-CVE-2016-9600.patch
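Review bot: Replacing `abort()` with `return -1` in the first hunk turns a hard crash into a recoverable failure, which is right, but it is only safe if every caller of the enclosing encoder routine checks its return and stops touching `enc->curtile`, which is left NULL; that function's signature and its callers lie outside this hunk, so that needs confirming. In `jpc_enc_tile_destroy` the commented-out `/* tile->tcmpts = NULL; */` lines are dead text, and `/* tile = NULL; */` would have no effect even if enabled because `tile` is a by-value parameter freed on the line before; either drop them or make the field resets live so the top-level destroyer follows the same NULL-after-free discipline as the nested ones, which do null their pointers.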
@@ -0,0 +1,87 @@ +From a632c6b54bd4ffc3bebab420e00b7e7688aa3846 Mon Sep 17 00:00:00 2001 +From: Michael Adams +Date: Fri, 30 Dec 2016 07:27:48 -0800 +Subject: [PATCH] Fixed a problem in the JP2 encoder that caused a null pointer + dereference when no ICC profile data is available (e.g., in the case of an + unknown color space). Reference: + https://github.com/mdadams/jasper/issues/109 + +--- + src/libjasper/jp2/jp2_enc.c | 46 +++++++++++++++++++++++++++++++++------------ + 1 file changed, 34 insertions(+), 12 deletions(-) + +diff --git a/src/libjasper/jp2/jp2_enc.c b/src/libjasper/jp2/jp2_enc.c +index bca3ca6..b979216 100644 +--- a/src/libjasper/jp2/jp2_enc.c ++++ b/src/libjasper/jp2/jp2_enc.c +@@ -112,6 +112,8 @@ int jp2_encode(jas_image_t *image, jas_stream_t *out, const char *optstr) + + box = 0; + tmpstream = 0; ++ iccstream = 0; ++ iccprof = 0; + + allcmptssame = 1; + sgnd = jas_image_cmptsgnd(image, 0); +@@ -225,22 +227,36 @@ int jp2_encode(jas_image_t *image, jas_stream_t *out, const char *optstr) + colr->method = JP2_COLR_ICC; + colr->pri = JP2_COLR_PRI; + colr->approx = 0; +- iccprof = jas_iccprof_createfromcmprof(jas_image_cmprof(image)); +- assert(iccprof); +- iccstream = jas_stream_memopen(0, 0); +- assert(iccstream); +- if (jas_iccprof_save(iccprof, iccstream)) +- abort(); +- if ((pos = jas_stream_tell(iccstream)) < 0) +- abort(); ++ /* Ensure that cmprof_ is not null. 
*/
++ if (!jas_image_cmprof(image)) {
++ goto error;
++ }
++ if (!(iccprof = jas_iccprof_createfromcmprof(
++ jas_image_cmprof(image)))) {
++ goto error;
++ }
++ if (!(iccstream = jas_stream_memopen(0, 0))) {
++ goto error;
++ }
++ if (jas_iccprof_save(iccprof, iccstream)) {
++ goto error;
++ }
++ if ((pos = jas_stream_tell(iccstream)) < 0) {
++ goto error;
++ }
+ colr->iccplen = pos;
+- colr->iccp = jas_malloc(pos);
+- assert(colr->iccp);
++ if (!(colr->iccp = jas_malloc(pos))) {
++ goto error;
++ }
+ jas_stream_rewind(iccstream);
+- if (jas_stream_read(iccstream, colr->iccp, colr->iccplen) != colr->iccplen)
+- abort();
++ if (jas_stream_read(iccstream, colr->iccp, colr->iccplen) !=
++ colr->iccplen) {
++ goto error;
++ }
+ jas_stream_close(iccstream);
++ iccstream = 0;
+ jas_iccprof_destroy(iccprof);
++ iccprof = 0;
+ break;
+ }
+ if (jp2_box_put(box, tmpstream)) {
+@@ -354,6 +370,12 @@ int jp2_encode(jas_image_t *image, jas_stream_t *out, const char *optstr)
+
+ error:
+
++ if (iccprof) {
++ jas_iccprof_destroy(iccprof);
++ }
++ if (iccstream) {
++ jas_stream_close(iccstream);
++ }
+ if (box) {
+ jp2_box_destroy(box);
+ }
diff --git a/SOURCES/jasper-CVE-implicit-declaration-fix.patch b/SOURCES/jasper-CVE-implicit-declaration-fix.patch
new file mode 100644
index 0000000..8ea6e72
--- /dev/null
+++ b/SOURCES/jasper-CVE-implicit-declaration-fix.patch
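Review bot: The new `goto error` paths for a missing colour-management profile and for the ICC save/read failures are silent, unlike the sibling backports in this series, which report through `jas_eprintf` before failing, so an encode that now fails for an unknown colour space gives the caller no hint why. A message such as `jas_eprintf("no color management profile available for colr box\n");` before the first `goto error` would help (jp2_enc.c would need jas_debug.h if it does not include it already — not visible here). The cleanup at `error:` correctly tears down `iccprof` and `iccstream`; `colr->iccp` stays owned by the box and is presumably released by `jp2_box_destroy`, whose body is outside this hunk.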
@@ -0,0 +1,111 @@ +diff -urNp old/src/libjasper/base/jas_getopt.c new/src/libjasper/base/jas_getopt.c +--- old/src/libjasper/base/jas_getopt.c 2007-01-19 22:43:05.000000000 +0100 ++++ new/src/libjasper/base/jas_getopt.c 2017-04-24 14:44:13.479547933 +0200 +@@ -76,6 +76,7 @@ + + #include "jasper/jas_getopt.h" + #include "jasper/jas_math.h" ++#include "jasper/jas_debug.h" + + /******************************************************************************\ + * Global data. +diff -urNp old/src/libjasper/bmp/bmp_dec.c new/src/libjasper/bmp/bmp_dec.c +--- old/src/libjasper/bmp/bmp_dec.c 2017-04-24 14:42:17.283288014 +0200 ++++ new/src/libjasper/bmp/bmp_dec.c 2017-04-24 14:45:07.200206215 +0200 +@@ -77,6 +77,7 @@ + #include "jasper/jas_stream.h" + #include "jasper/jas_image.h" + #include "jasper/jas_malloc.h" ++#include "jasper/jas_debug.h" + + #include "bmp_cod.h" + +diff -urNp old/src/libjasper/jpc/jpc_tsfb.c new/src/libjasper/jpc/jpc_tsfb.c +--- old/src/libjasper/jpc/jpc_tsfb.c 2017-04-24 14:42:17.326287740 +0200 ++++ new/src/libjasper/jpc/jpc_tsfb.c 2017-04-24 14:59:11.226406745 +0200 +@@ -119,14 +119,6 @@ void jpc_tsfb_destroy(jpc_tsfb_t *tsfb) + free(tsfb); + } + +-int jpc_tsfb_analyze(jpc_tsfb_t *tsfb, jas_seq2d_t *a) +-{ +- return (tsfb->numlvls > 0) ? jpc_tsfb_analyze2(tsfb, jas_seq2d_getref(a, +- jas_seq2d_xstart(a), jas_seq2d_ystart(a)), jas_seq2d_xstart(a), +- jas_seq2d_ystart(a), jas_seq2d_width(a), +- jas_seq2d_height(a), jas_seq2d_rowstep(a), tsfb->numlvls - 1) : 0; +-} +- + int jpc_tsfb_analyze2(jpc_tsfb_t *tsfb, int *a, int xstart, int ystart, + int width, int height, int stride, int numlvls) + { +@@ -146,15 +138,15 @@ int jpc_tsfb_analyze2(jpc_tsfb_t *tsfb, + return 0; + } + +-int jpc_tsfb_synthesize(jpc_tsfb_t *tsfb, jas_seq2d_t *a) ++int jpc_tsfb_analyze(jpc_tsfb_t *tsfb, jas_seq2d_t *a) + { +- return (tsfb->numlvls > 0 && jas_seq2d_size(a)) ? 
+- jpc_tsfb_synthesize2(tsfb, +- jas_seq2d_getref(a, jas_seq2d_xstart(a), jas_seq2d_ystart(a)), +- jas_seq2d_xstart(a), jas_seq2d_ystart(a), jas_seq2d_width(a), ++ return (tsfb->numlvls > 0) ? jpc_tsfb_analyze2(tsfb, jas_seq2d_getref(a, ++ jas_seq2d_xstart(a), jas_seq2d_ystart(a)), jas_seq2d_xstart(a), ++ jas_seq2d_ystart(a), jas_seq2d_width(a), + jas_seq2d_height(a), jas_seq2d_rowstep(a), tsfb->numlvls - 1) : 0; + } + ++ + int jpc_tsfb_synthesize2(jpc_tsfb_t *tsfb, int *a, int xstart, int ystart, + int width, int height, int stride, int numlvls) + { +@@ -175,6 +167,15 @@ int jpc_tsfb_synthesize2(jpc_tsfb_t *tsf + return 0; + } + ++int jpc_tsfb_synthesize(jpc_tsfb_t *tsfb, jas_seq2d_t *a) ++{ ++ return (tsfb->numlvls > 0 && jas_seq2d_size(a)) ? ++ jpc_tsfb_synthesize2(tsfb, ++ jas_seq2d_getref(a, jas_seq2d_xstart(a), jas_seq2d_ystart(a)), ++ jas_seq2d_xstart(a), jas_seq2d_ystart(a), jas_seq2d_width(a), ++ jas_seq2d_height(a), jas_seq2d_rowstep(a), tsfb->numlvls - 1) : 0; ++} ++ + int jpc_tsfb_getbands(jpc_tsfb_t *tsfb, uint_fast32_t xstart, + uint_fast32_t ystart, uint_fast32_t xend, uint_fast32_t yend, + jpc_tsfb_band_t *bands) +diff -urNp old/src/libjasper/jpc/jpc_t1dec.c new/src/libjasper/jpc/jpc_t1dec.c +--- old/src/libjasper/jpc/jpc_t1dec.c 2007-01-19 22:43:07.000000000 +0100 ++++ new/src/libjasper/jpc/jpc_t1dec.c 2017-04-24 14:45:43.887972984 +0200 +@@ -78,6 +78,7 @@ + #include "jasper/jas_fix.h" + #include "jasper/jas_stream.h" + #include "jasper/jas_math.h" ++#include "jasper/jas_debug.h" + + #include "jpc_bs.h" + #include "jpc_mqdec.h" +diff -urNp old/src/libjasper/mif/mif_cod.c new/src/libjasper/mif/mif_cod.c +--- old/src/libjasper/mif/mif_cod.c 2017-04-24 14:42:17.303287887 +0200 ++++ new/src/libjasper/mif/mif_cod.c 2017-04-24 14:47:20.158361453 +0200 +@@ -70,6 +70,7 @@ + #include "jasper/jas_image.h" + #include "jasper/jas_string.h" + #include "jasper/jas_malloc.h" ++#include "jasper/jas_debug.h" + + #include "mif_cod.h" + +diff -urNp 
old/src/libjasper/pnm/pnm_dec.c new/src/libjasper/pnm/pnm_dec.c +--- old/src/libjasper/pnm/pnm_dec.c 2007-01-19 22:43:05.000000000 +0100 ++++ new/src/libjasper/pnm/pnm_dec.c 2017-04-24 14:47:45.904198015 +0200 +@@ -79,6 +79,7 @@ + #include "jasper/jas_types.h" + #include "jasper/jas_stream.h" + #include "jasper/jas_image.h" ++#include "jasper/jas_debug.h" + + #include "pnm_cod.h" + + diff --git a/SOURCES/jasper-pkgconfig.patch b/SOURCES/jasper-pkgconfig.patch new file mode 100644 index 0000000..c8af5ca --- /dev/null +++ b/SOURCES/jasper-pkgconfig.patch 
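Review bot: The added `jasper/jas_debug.h` includes do more than silence a warning: `jas_eprintf` is variadic, and calling a variadic function through an implicit declaration is undefined behaviour in C, so this patch must remain ordered after every patch that introduces such calls (the spec lists it as Patch38, after the CVE backports, which is consistent). For jpc_tsfb.c, moving `jpc_tsfb_analyze` and `jpc_tsfb_synthesize` below their `*2` helpers works, but the order-independent fix is a prototype before first use, e.g. `int jpc_tsfb_analyze2(jpc_tsfb_t *tsfb, int *a, int xstart, int ystart, int width, int height, int stride, int numlvls);` and its synthesize2 counterpart in jpc_tsfb.h or as static declarations at the top of the file, which also survives future reordering.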
@@ -0,0 +1,48 @@
+diff -Naur jasper-1.900.1/configure.ac jasper-1.900.1.new/configure.ac
+--- jasper-1.900.1/configure.ac 2007-01-19 21:47:11.000000000 +0000
++++ jasper-1.900.1.new/configure.ac 2009-10-29 13:37:02.000000000 +0000
+@@ -399,6 +399,8 @@
+ src/libjasper/pnm/Makefile
+ src/libjasper/ras/Makefile
+ src/msvc/Makefile
++pkgconfig/Makefile
++pkgconfig/jasper.pc
+ jasper.spec
+ ])
+ AC_OUTPUT
+diff -Naur jasper-1.900.1/Makefile.am jasper-1.900.1.new/Makefile.am
+--- jasper-1.900.1/Makefile.am 2007-01-19 21:43:14.000000000 +0000
++++ jasper-1.900.1.new/Makefile.am 2009-10-29 13:36:28.000000000 +0000
+@@ -64,7 +64,7 @@
+ # Note: We need to put the derived file "jasper.spec" in the distribution
+ # in order to facilitate RPM building.
+
+-SUBDIRS = src
++SUBDIRS = src pkgconfig
+
+ rpm: dist
+ for i in BUILD RPMS SRPMS SOURCES SPECS; do \
+diff -Naur jasper-1.900.1/pkgconfig/jasper.pc.in jasper-1.900.1.new/pkgconfig/jasper.pc.in
+--- jasper-1.900.1/pkgconfig/jasper.pc.in 1970-01-01 01:00:00.000000000 +0100
++++ jasper-1.900.1.new/pkgconfig/jasper.pc.in 2009-10-29 16:30:43.000000000 +0000
+@@ -0,0 +1,11 @@
++prefix=@prefix@
++exec_prefix=@exec_prefix@
++libdir=@libdir@
++includedir=@includedir@
++
++Name: Jasper
++Description: JPEG 2000 encoding and decoding library
++Version: @VERSION@
++
++Libs: -L${libdir} -ljasper
++Cflags: -I${includedir}/jasper
+diff -Naur jasper-1.900.1/pkgconfig/Makefile.am jasper-1.900.1.new/pkgconfig/Makefile.am
+--- jasper-1.900.1/pkgconfig/Makefile.am 1970-01-01 01:00:00.000000000 +0100
++++ jasper-1.900.1.new/pkgconfig/Makefile.am 2009-10-29 13:38:59.000000000 +0000
+@@ -0,0 +1,5 @@
++pkgconfigdir = $(libdir)/pkgconfig
++pkgconfig_DATA = jasper.pc
++
++EXTRA_DIST = \
++ jasper.pc.in
diff --git a/SOURCES/jpc_dec.c.patch b/SOURCES/jpc_dec.c.patch
new file mode 100644
index 0000000..ae1cd06
--- /dev/null
+++ b/SOURCES/jpc_dec.c.patch
@@ -0,0 +1,18 @@
+diff -urN jasper-1.900.1/src/libjasper/jpc/jpc_dec.c jasper-1.900.1-fix/src/libjasper/jpc/jpc_dec.c
+--- jasper-1.900.1/src/libjasper/jpc/jpc_dec.c 2007-01-19 14:43:07.000000000 -0700
++++ jasper-1.900.1-fix/src/libjasper/jpc/jpc_dec.c 2008-03-06 16:51:12.000000000 -0700
+@@ -1069,12 +1069,12 @@
+ /* Apply an inverse intercomponent transform if necessary. */
+ switch (tile->cp->mctid) {
+ case JPC_MCT_RCT:
+- assert(dec->numcomps == 3);
++ assert(dec->numcomps >= 3);
+ jpc_irct(tile->tcomps[0].data, tile->tcomps[1].data,
+ tile->tcomps[2].data);
+ break;
+ case JPC_MCT_ICT:
+- assert(dec->numcomps == 3);
++ assert(dec->numcomps >= 3);
+ jpc_iict(tile->tcomps[0].data, tile->tcomps[1].data,
+ tile->tcomps[2].data);
+ break;
diff --git a/SOURCES/patch-libjasper-stepsizes-overflow.diff b/SOURCES/patch-libjasper-stepsizes-overflow.diff
new file mode 100644
index 0000000..097559f
--- /dev/null
+++ b/SOURCES/patch-libjasper-stepsizes-overflow.diff
@@ -0,0 +1,14 @@
+--- jasper-1.900.1.orig/src/libjasper/jpc/jpc_cs.c 2007-01-19 22:43:07.000000000 +0100
++++ jasper-1.900.1/src/libjasper/jpc/jpc_cs.c 2007-04-06 01:29:02.000000000 +0200
+@@ -982,7 +982,10 @@ static int jpc_qcx_getcompparms(jpc_qcxc
+ compparms->numstepsizes = (len - n) / 2;
+ break;
+ }
+- if (compparms->numstepsizes > 0) {
++ if (compparms->numstepsizes > 3 * JPC_MAXRLVLS + 1) {
++ jpc_qcx_destroycompparms(compparms);
++ return -1;
++ } else if (compparms->numstepsizes > 0) {
+ compparms->stepsizes = jas_malloc(compparms->numstepsizes *
+ sizeof(uint_fast16_t));
+ assert(compparms->stepsizes);
diff --git a/SPECS/jasper.spec b/SPECS/jasper.spec
new file mode 100644
index 0000000..a0583b3
--- /dev/null
+++ b/SPECS/jasper.spec
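Review bot: Loosening `assert(dec->numcomps == 3)` to `>= 3` still leaves input validation to an assertion, which compiles to nothing under NDEBUG; a codestream that selects RCT or ICT with fewer than three components would then read `tile->tcomps[1]` and `tile->tcomps[2]` past the end of the array. Unless the COD parser in this tree already rejects an MCT with `numcomps < 3` (not visible here), each case should carry a runtime check ahead of the transform, `if (dec->numcomps < 3) { jas_eprintf("MCT requires at least three components\n"); return -1; }`, assuming the enclosing function returns an int status like the rest of the decoder; that function begins and ends outside this hunk.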
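Review bot: `3 * JPC_MAXRLVLS + 1` is the maximum band count, the same quantity the CVE-2016-9560 backport in this commit spells `JPC_MAXBANDS`; writing the new bound as `if (compparms->numstepsizes > JPC_MAXBANDS) {` would keep the two limits visibly in step, provided JPC_MAXBANDS is defined as that expression in this tree (not visible here). The surviving `assert(compparms->stepsizes);` after `jas_malloc` still treats allocation failure as a programming error, so a NULL return becomes a later dereference in an NDEBUG build; routing it through the same `jpc_qcx_destroycompparms(compparms); return -1;` path the new check uses would make the function fail cleanly. jpc_qcx_getcompparms begins before this hunk, so where `len` and `n` come from is not visible.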
@@ -0,0 +1,423 @@ + +# NOTE: packages that can use jasper: +# ImageMagick +# netpbm + +Summary: Implementation of the JPEG-2000 standard, Part 1 +Name: jasper +Group: System Environment/Libraries +Version: 1.900.1 +Release: 33%{?dist} + +License: JasPer +URL: http://www.ece.uvic.ca/~frodo/jasper/ +Source0: http://www.ece.uvic.ca/~frodo/jasper/software/jasper-%{version}.zip + +Patch1: jasper-1.701.0-GL.patch +# autoconf/automake bits of patch1 +Patch2: jasper-1.701.0-GL-ac.patch +# CVE-2007-2721 (bug #240397) +# borrowed from http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=413041;msg=88 +Patch3: patch-libjasper-stepsizes-overflow.diff +# borrowed from http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=469786 +Patch4: jpc_dec.c.patch +# OpenBSD hardening patches addressing couple of possible integer overflows +# during the memory allocations +# https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2008-3520 +Patch5: jasper-1.900.1-CVE-2008-3520.patch +# https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2008-3522 +Patch6: jasper-1.900.1-CVE-2008-3522.patch +# add pkg-config support +Patch7: jasper-pkgconfig.patch + +Patch8: jasper-1.900.1-CVE-2011-4516-CVE-2011-4517-CERT-VU-887409.patch + +Patch9: jasper-CVE-2014-9029.patch +Patch10: jasper-CVE-2014-8137.patch +Patch11: jasper-CVE-2014-8138.patch +Patch12: jasper-CVE-2014-8157.patch +Patch13: jasper-CVE-2014-8158.patch + +# Issues found by static analysis of code +Patch110: jasper-1.900.1-Coverity-BAD_SIZEOF.patch +Patch111: jasper-1.900.1-Coverity-CHECKED_RETURN.patch +Patch112: jasper-1.900.1-Coverity-FORWARD_NULL.patch +Patch113: jasper-1.900.1-Coverity-NULL_RETURNS.patch +Patch114: jasper-1.900.1-Coverity-RESOURCE_LEAK.patch +Patch115: jasper-1.900.1-Coverity-UNREACHABLE.patch +Patch116: jasper-1.900.1-Coverity-UNUSED_VALUE.patch + +Patch14: jasper-CVE-2015-5203-CVE-2016-9262.patch +Patch15: jasper-CVE-2015-5221.patch +Patch16: jasper-CVE-2016-1577.patch +Patch17: jasper-CVE-2016-1867.patch +Patch18: 
jasper-CVE-2016-2089.patch +Patch19: jasper-CVE-2016-2116.patch +Patch20: jasper-CVE-2016-8654.patch +Patch21: jasper-CVE-2016-8690-CVE-2016-8884-CVE-2016-8885.patch +Patch22: jasper-CVE-2016-8691-CVE-2016-8692.patch +Patch23: jasper-CVE-2016-8693.patch +Patch24: jasper-CVE-2016-9390.patch +Patch25: jasper-CVE-2016-9392-CVE-2016-9393-CVE-2016-9394.patch +Patch26: jasper-CVE-2016-9560.patch +Patch27: jasper-CVE-2016-10251.patch +Patch28: jasper-CVE-2016-9583.patch +Patch29: jasper-CVE-2016-9591.patch +Patch30: jasper-CVE-2016-9600.patch +Patch31: jasper-CVE-2016-10248.patch +Patch32: jasper-CVE-2016-10249.patch +Patch33: jasper-CVE-2016-8883.patch +Patch34: jasper-CVE-2016-9387.patch +Patch35: jasper-CVE-2016-9388.patch +Patch36: jasper-CVE-2016-9389.patch +Patch37: jasper-CVE-2016-9391.patch +Patch38: jasper-CVE-implicit-declaration-fix.patch + +Patch39: jasper-1.900.1-define-SIZE-MAX.patch +Patch40: jasper-1.900.1-CVE-2016-9396.patch +Patch41: jasper-1.900.1-CVE-2017-1000050.patch + +# autoreconf +BuildRequires: autoconf automake libtool +BuildRequires: freeglut-devel +BuildRequires: libGLU-devel +BuildRequires: libjpeg-devel +BuildRequires: pkgconfig + +Requires: %{name}-libs%{?_isa} = %{version}-%{release} + +%description +This package contains an implementation of the image compression +standard JPEG-2000, Part 1. It consists of tools for conversion to and +from the JP2 and JPC formats. + +%package devel +Summary: Header files, libraries and developer documentation +Group: Development/Libraries +Provides: libjasper-devel = %{version}-%{release} +Requires: %{name}-libs%{?_isa} = %{version}-%{release} +Requires: libjpeg-devel +Requires: pkgconfig +%description devel +%{summary}. + +%package libs +Summary: Runtime libraries for %{name} +Group: System Environment/Libraries +Conflicts: jasper < 1.900.1-4 +%description libs +%{summary}. 
+ +%package utils +Summary: Nonessential utilities for %{name} +Group: Development/Libraries +Requires: %{name} = %{version}-%{release} +Requires: %{name}-libs%{?_isa} = %{version}-%{release} +%description utils +%{summary}, including jiv and tmrdemo. + + + +%prep +%setup -q -n %{name}-%{version} + +%patch1 -p1 -b .GL +%patch2 -p1 -b .GL-ac +%patch3 -p1 -b .CVE-2007-2721 +%patch4 -p1 -b .jpc_dec_assertion +%patch5 -p1 -b .CVE-2008-3520 +%patch6 -p1 -b .CVE-2008-3522 +%patch7 -p1 -b .pkgconfig +%patch8 -p1 -b .CVE-2011-4516-4517 +%patch9 -p1 -b .CVE-2014-9029 +%patch10 -p1 -b .CVE-2014-8137 +%patch11 -p1 -b .CVE-2014-8138 +%patch12 -p1 -b .CVE-2014-8157 +%patch13 -p1 -b .CVE-2014-8158 + +%patch110 -p1 -b .BAD_SIZEOF +%patch111 -p1 -b .CHECKED_RETURN +%patch112 -p1 -b .FORWARD_NULL +%patch113 -p1 -b .NULL_RETURNS +%patch114 -p1 -b .RESOURCE_LEAK +%patch115 -p1 -b .UNREACHABLE +%patch116 -p1 -b .UNUSED_VALUE + +%patch14 -p1 -b .CVE-2015-5203 +%patch15 -p1 -b .CVE-2015-5221 +%patch16 -p1 -b .CVE-2016-1577 +%patch17 -p1 -b .CVE-2016-1867 +%patch18 -p1 -b .CVE-2016-2089 +%patch19 -p1 -b .CVE-2016-2116 +%patch20 -p1 -b .CVE-2016-8654 +%patch21 -p1 -b .CVE-2016-8690 +%patch22 -p1 -b .CVE-2016-8691 +%patch23 -p1 -b .CVE-2016-8693 +%patch24 -p1 -b .CVE-2016-9390 +%patch25 -p1 -b .CVE-2016-9392 +%patch26 -p1 -b .CVE-2016-9560 +%patch27 -p1 -b .CVE-2016-10251 +%patch28 -p1 -b .CVE-2016-9583 +%patch29 -p1 -b .CVE-2016-9591 +%patch30 -p1 -b .CVE-2016-9600 +%patch31 -p1 -b .CVE-2016-10248 +%patch32 -p1 -b .CVE-2016-10249 +%patch33 -p1 -b .CVE-2016-8883 +%patch34 -p1 -b .CVE-2016-9387 +%patch35 -p1 -b .CVE-2016-9388 +%patch36 -p1 -b .CVE-2016-9389 +%patch37 -p1 -b .CVE-2016-9391 +%patch38 -p1 -b .CVE-implicit-declaration-fix +%patch39 -p1 -b .define-SIZE-MAX +%patch40 -p1 -b .CVE-2016-9396 +%patch41 -p1 -b .CVE-2017-1000050 + +autoreconf --verbose --force --install + + +%build + +# jas_icc.c:744:2: warning: assuming signed overflow does not occur +# when assuming that (X + c) < X 
is always false [-Wstrict-overflow] +# +# comment from Red Hat Security Response Team: +# gcc inlines jas_iccattrtab_resize into jas_iccattrtab_add. Additionally, it +# essentially removes the "assert(maxents >= tab->numattrs);" assertion in +# jas_iccattrtab_resize, because it assumes that "maxents >= tab->numattrs" will +# always be true due to jas_iccattrtab_resize(attrtab, attrtab->numattrs + 32), +# especially the + 32. This assumption can only be true if it completely ignores +# the problem of signed integer overflows. I don't think it's a smart idea to +# accept that. +# -fno-strict-overflow forces gcc into keeping the assertion there. +CFLAGS="%{optflags} -fno-strict-overflow" \ +%configure \ + --enable-shared \ + --disable-static + +make %{?_smp_mflags} + + +%install + +make install DESTDIR=$RPM_BUILD_ROOT + +# Unpackaged files +rm -f doc/README +rm -f $RPM_BUILD_ROOT%{_libdir}/lib*.la + + +%check +make check + + + +%post libs -p /sbin/ldconfig + +%postun libs -p /sbin/ldconfig + + +%files +%{_bindir}/imgcmp +%{_bindir}/imginfo +%{_bindir}/jasper +%{_mandir}/man1/img* +%{_mandir}/man1/jasper.1* + +%files devel +%doc doc/* +%{_includedir}/jasper/ +%{_libdir}/libjasper.so +%{_libdir}/pkgconfig/jasper.pc + +%files libs +%doc COPYRIGHT LICENSE NEWS README +%{_libdir}/libjasper.so.1* + +%files utils +%{_bindir}/jiv +%{_bindir}/tmrdemo +%{_mandir}/man1/jiv.1* + + +%changelog +* Thu Jun 21 2018 Josef Ridky - 1.900.1-33 +- remove implicit declaration of jas_eprintf (#1585830) + +* Thu Jun 21 2018 Josef Ridky - 1.900.1-32 +- Fix CVE-2016-9396 (#1583721) +- Fix CVE-2017-1000050 (#1585830) + +* Wed May 31 2017 Josef Ridky - 1.900.1-31 +- Fix missing declaration of SIZE_MAX constant in jas_math.h (#1455489) + +* Tue Apr 25 2017 Josef Ridky - 1.900.1-30 +- Multiple security fixes (fixed by thoger): + CVE-2015-5203 CVE-2015-5221 CVE-2016-1577 CVE-2016-1867 CVE-2016-2089 + CVE-2016-2116 CVE-2016-8654 CVE-2016-8690 CVE-2016-8691 CVE-2016-8692 + CVE-2016-8693 CVE-2016-8883 
CVE-2016-8884 CVE-2016-8885 CVE-2016-9262 + CVE-2016-9387 CVE-2016-9388 CVE-2016-9389 CVE-2016-9390 CVE-2016-9391 + CVE-2016-9392 CVE-2016-9393 CVE-2016-9394 CVE-2016-9560 CVE-2016-9583 + CVE-2016-9591 CVE-2016-9600 CVE-2016-10248 CVE-2016-10249 CVE-2016-10251 +- Fix implicit declaration warning caused by security fixes above + +* Mon Jan 19 2015 Jiri Popelka - 1.900.1-29 +- CVE-2014-8157 - dec->numtiles off-by-one check in jpc_dec_process_sot() (#1183674) +- CVE-2014-8158 - unrestricted stack memory use in jpc_qmfb.c (#1183682) + +* Fri Dec 12 2014 Jiri Popelka - 1.900.1-28 +- CVE-2014-8137 - double-free in in jas_iccattrval_destroy (#1173569) +- CVE-2014-8138 - heap overflow in jp2_decode (#1173569) + +* Sat Dec 06 2014 Jiri Popelka - 1.900.1-27 +- CVE-2014-9029 - incorrect component number check in COC, RGN and QCC + marker segment decoders (#1171211) + +* Fri Jan 24 2014 Daniel Mach - 1.900.1-26 +- Mass rebuild 2014-01-24 + +* Fri Dec 27 2013 Daniel Mach - 1.900.1-25 +- Mass rebuild 2013-12-27 + +* Mon Mar 25 2013 Jiri Popelka - 1.900.1-24 +- added --force option to autoreconf (#925604) + +* Thu Feb 14 2013 Fedora Release Engineering - 1.900.1-23 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild + +* Fri Jan 18 2013 Adam Tkac - 1.900.1-22 +- rebuild due to "jpeg8-ABI" feature drop + +* Thu Dec 06 2012 Jiri Popelka - 1.900.1-21 +- build with -fno-strict-overflow + +* Thu Jul 19 2012 Fedora Release Engineering - 1.900.1-20 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild + +* Fri Jan 13 2012 Fedora Release Engineering - 1.900.1-19 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild + +* Fri Dec 09 2011 Jiri Popelka - 1.900.1-18 +- CVE-2011-4516, CVE-2011-4517 jasper: heap buffer overflow flaws + lead to arbitrary code execution (CERT VU#887409) (#765660) +- Fixed problems found by static analysis of code (#761440) +- spec file modernized + +* Wed Feb 09 2011 Fedora Release Engineering - 1.900.1-17 +- Rebuilt 
for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild + +* Wed Jun 30 2010 Rex Dieter - 1.900.1-16 +- rebuild + +* Sun Feb 14 2010 Rex Dieter - 1.900.1-15 +- FTBFS jasper-1.900.1-14.fc12: ImplicitDSOLinking (#564794) + +* Thu Oct 29 2009 Rex Dieter - 1.900.1-14 +- add pkgconfig support + +* Mon Oct 13 2009 Rex Dieter - 1.900.1-13 +- CVE-2008-3520 jasper: multiple integer overflows in jas_alloc calls (#461476) +- CVE-2008-3522 jasper: possible buffer overflow in + jas_stream_printf() (#461478) + +* Fri Jul 24 2009 Fedora Release Engineering - 1.900.1-12 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild + +* Sat Jul 18 2009 Rex Dieter - 1.900.1-11 +- FTBFS jasper-1.900.1-10.fc11 (#511743) + +* Wed Feb 25 2009 Fedora Release Engineering - 1.900.1-10 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild + +* Sun Jan 25 2009 Rex Dieter 1.900.1-9 +- patch for "jpc_dec_tiledecode: Assertion `dec->numcomps == 3' failed) + (#481284, #481291) + +* Fri Feb 08 2008 Rex Dieter 1.900.1-8 +- respin (gcc43) + +* Mon Oct 15 2007 Rex Dieter 1.900.1-7 +- -libs: %%post/%%postun -p /sbin/ldconfig + +* Mon Sep 17 2007 Rex Dieter 1.900.1-6 +- -libs: -Requires: %%name +- -devel: +Provides: libjasper-devel +- drop (unused) geojasper bits + +* Wed Aug 22 2007 Rex Dieter 1.900.1-4 +- -libs subpkg to be multilib friendlier +- -utils subpkg for non-essential binaries jiv, tmrdemo (#244153) + +* Fri Aug 17 2007 Rex Dieter 1.900.1-3 +- License: JasPer + +* Wed May 23 2007 Rex Dieter 1.900.1-2 +- CVE-2007-2721 (#240397) + +* Thu Mar 29 2007 Rex Dieter 1.900.1-1 +- jasper-1.900.1 + +* Fri Dec 08 2006 Rex Dieter 1.900.0-3 +- omit deprecated memleak patch + +* Fri Dec 08 2006 Rex Dieter 1.900.0-2 +- jasper-1.900.0 (#218947) + +* Mon Sep 18 2006 Rex Dieter 1.701.0-15 +- memory leak (#207006) + +* Tue Aug 29 2006 Rex Dieter 1.701.0-13 +- fc6 respin + +* Wed Mar 1 2006 Rex Dieter 1.701.0-12 +- fixup build issues introduced by geojasper integration + +* Wed Mar 1 
2006 Rex Dieter 1.701.0-10 +- support/use geojasper (optional, default no) +- fc5: gcc/glibc respin + +* Fri Feb 10 2006 Rex Dieter +- fc5: gcc/glibc respin + +* Tue Jan 31 2006 Rex Dieter 1.701.0-9 +- workaround "freeglut-devel should Requires: libGL-devel, libGLU-devel" + (#179464) + +* Tue Jan 31 2006 Rex Dieter 1.701.0-8 +- revert jasper to jaspertool rename (#176773) +- actually use/apply GL patch + +* Tue Oct 18 2005 Rex Dieter 1.701.0-7 +- GL patch to remove libGL dependancy (using only freeglut) + +* Tue Oct 18 2005 Rex Dieter 1.701.0-6 +- token %%check section +- --enable-shared + +* Mon Oct 17 2005 Rex Dieter 1.701.0-5 +- use %%{?dist} +- BR: libGL-devel + +* Fri Apr 7 2005 Michael Schwendt +- rebuilt + +* Sat Oct 23 2004 Rex Dieter 0:1.701.0-0.fdr.3 +- Capitalize summary +- remove 0-length ChangeLog + +* Fri Jun 04 2004 Rex Dieter 0:1.701.0-0.fdr.2 +- nuke .la file +- BR: glut-devel -> freeglut-devel + +* Tue Jun 01 2004 Rex Dieter 0:1.701.0-0.fdr.1 +- 1.701.0 + +* Tue Jun 01 2004 Rex Dieter 0:1.700.5-0.fdr.2 +- avoid conflicts with fc'2 tomcat by renaming /usr/bin/jasper -> jaspertool + +* Mon Mar 08 2004 Rex Dieter 0:1.700.5-0.fdr.1 +- use Epochs. +- -devel: Requires: %%name = %%epoch:%%version + +* Thu Jan 22 2004 Rex Dieter 1.700.5-0.fdr.0 +- first try +
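Review bot: `Patch8` through `Patch41` carry no origin comment, unlike `Patch3`–`Patch7`, which record the bug number or upstream URL each backport comes from; for a package that is almost entirely security backports, a one-line provenance comment per patch in the existing style, e.g. `# CVE-2016-9396 (#1583721)` above `Patch40`, is what lets the next maintainer check a patch against its advisory. `Patch38: jasper-CVE-implicit-declaration-fix.patch` is also named like a CVE fix although the 1.900.1-30 changelog entry describes it as a fix for the implicit-declaration warning introduced by the other patches; a comment such as `# not a CVE fix: implicit declaration warning introduced by the CVE patches above` would avoid that misreading.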