diff --git a/SOURCES/jasper-CVE-2015-5203-CVE-2016-9262.patch b/SOURCES/jasper-CVE-2015-5203-CVE-2016-9262.patch new file mode 100644 index 0000000..bae613d --- /dev/null +++ b/SOURCES/jasper-CVE-2015-5203-CVE-2016-9262.patch @@ -0,0 +1,164 @@ +Backport of the upstream commit: + +From b35a05635e56f554870ce85f64293a3868793f69 Mon Sep 17 00:00:00 2001 +From: Michael Adams +Date: Wed, 19 Oct 2016 08:42:25 -0700 +Subject: [PATCH] Fixed potential integer overflow problem. + +Further enhanced by a change from d42b2388f7f8e0332c846675133acea151fc557a to +use jas_safe_size_mul3() and an explicit check to ensure that size not only +fits into size_t, but that it also does not exceed INT_MAX. This is similar +approach to what upstream used in a712a2041085e7cd5f2b153e1532ac2a2954ffaa. + +This also adds all jas_safe_size_*() functions, including changes from the +following upstream commits: + +f596a0766825b48cdc07b28d2051977a382cfb95 +65536647d380571d1a9a6c91fa03775fb5bbd256 +3afacc174867cc9d1f74ef2683bc780de4b0b2df +d42b2388f7f8e0332c846675133acea151fc557a + +diff -pruN jasper-1.900.1.orig/src/libjasper/base/jas_image.c jasper-1.900.1/src/libjasper/base/jas_image.c +--- jasper-1.900.1.orig/src/libjasper/base/jas_image.c 2017-03-24 16:09:34.000000000 +0100 ++++ jasper-1.900.1/src/libjasper/base/jas_image.c 2017-03-24 22:28:46.620880896 +0100 +@@ -76,6 +76,7 @@ + #include + #include + #include ++#include + + #include "jasper/jas_math.h" + #include "jasper/jas_image.h" +@@ -307,10 +308,10 @@ static jas_image_cmpt_t *jas_image_cmpt_ + height, uint_fast16_t depth, bool sgnd, uint_fast32_t inmem) + { + jas_image_cmpt_t *cmpt; +- long size; ++ size_t size; + + if (!(cmpt = jas_malloc(sizeof(jas_image_cmpt_t)))) { +- return 0; ++ goto error; + } + + cmpt->type_ = JAS_IMAGE_CT_UNKNOWN; +@@ -325,11 +326,14 @@ static jas_image_cmpt_t *jas_image_cmpt_ + cmpt->stream_ = 0; + cmpt->cps_ = (depth + 7) / 8; + +- size = cmpt->width_ * cmpt->height_ * cmpt->cps_; ++ //size = cmpt->width_ * cmpt->height_ * cmpt->cps_; ++ if (!jas_safe_size_mul3(cmpt->width_, cmpt->height_, cmpt->cps_, &size) || ++ size > INT_MAX) { ++ goto error; ++ } + cmpt->stream_ = (inmem) ? jas_stream_memopen(0, size) : jas_stream_tmpfile(); + if (!cmpt->stream_) { +- jas_image_cmpt_destroy(cmpt); +- return 0; ++ goto error; + } + + /* Zero the component data. This isn't necessary, but it is +@@ -337,11 +341,16 @@ static jas_image_cmpt_t *jas_image_cmpt_ + if (jas_stream_seek(cmpt->stream_, size - 1, SEEK_SET) < 0 || + jas_stream_putc(cmpt->stream_, 0) == EOF || + jas_stream_seek(cmpt->stream_, 0, SEEK_SET) < 0) { +- jas_image_cmpt_destroy(cmpt); +- return 0; ++ goto error; + } + + return cmpt; ++ ++error: ++ if (cmpt) { ++ jas_image_cmpt_destroy(cmpt); ++ } ++ return 0; + } + + static void jas_image_cmpt_destroy(jas_image_cmpt_t *cmpt) +diff -pruN jasper-1.900.1.orig/src/libjasper/include/jasper/jas_math.h jasper-1.900.1/src/libjasper/include/jasper/jas_math.h +--- jasper-1.900.1.orig/src/libjasper/include/jasper/jas_math.h 2007-01-19 22:43:04.000000000 +0100 ++++ jasper-1.900.1/src/libjasper/include/jasper/jas_math.h 2017-03-24 22:29:36.085024105 +0100 +@@ -76,9 +76,13 @@ + + #include + +-#include +-#include +-#include ++#include ++ ++#include ++#include ++#include ++#include ++#include + + #ifdef __cplusplus + extern "C" { +@@ -110,6 +114,62 @@ extern "C" { + #define JAS_ONES(n) \ + ((1 << (n)) - 1) + ++/******************************************************************************\ ++* Safe integer arithmetic (i.e., with overflow checking). ++\******************************************************************************/ ++ ++/* Compute the product of two size_t integers with overflow checking. */ ++inline static bool jas_safe_size_mul(size_t x, size_t y, size_t *result) ++{ ++ /* Check if overflow would occur */ ++ if (x && y > SIZE_MAX / x) { ++ /* Overflow would occur. */ ++ return false; ++ } ++ if (result) { ++ *result = x * y; ++ } ++ return true; ++} ++ ++inline static bool jas_safe_size_mul3(size_t a, size_t b, size_t c, ++ size_t *result) ++{ ++ size_t tmp; ++ if (!jas_safe_size_mul(a, b, &tmp) || ++ !jas_safe_size_mul(tmp, c, &tmp)) { ++ return false; ++ } ++ if (result) { ++ *result = tmp; ++ } ++ return true; ++} ++ ++/* Compute the sum of two size_t integer with overflow checking. */ ++inline static bool jas_safe_size_add(size_t x, size_t y, size_t *result) ++{ ++ if (y > SIZE_MAX - x) { ++ return false; ++ } ++ if (result) { ++ *result = x + y; ++ } ++ return true; ++} ++ ++/* Compute the difference of two size_t integer with overflow checking. */ ++inline static bool jas_safe_size_sub(size_t x, size_t y, size_t *result) ++{ ++ if (y > x) { ++ return false; ++ } ++ if (result) { ++ *result = x - y; ++ } ++ return true; ++} ++ + #ifdef __cplusplus + } + #endif diff --git a/SOURCES/jasper-CVE-2015-5221.patch b/SOURCES/jasper-CVE-2015-5221.patch new file mode 100644 index 0000000..a7372a9 --- /dev/null +++ b/SOURCES/jasper-CVE-2015-5221.patch @@ -0,0 +1,25 @@ +Backport of upstream commit: + +From df5d2867e8004e51e18b89865bc4aa69229227b3 Mon Sep 17 00:00:00 2001 +From: Richard Hughes +Date: Mon, 19 Sep 2016 10:03:36 +0100 +Subject: [PATCH] CVE-2015-5221 + +diff -pruN jasper-1.900.1.orig/src/libjasper/mif/mif_cod.c jasper-1.900.1/src/libjasper/mif/mif_cod.c +--- jasper-1.900.1.orig/src/libjasper/mif/mif_cod.c 2017-03-23 22:50:09.000000000 +0100 ++++ jasper-1.900.1/src/libjasper/mif/mif_cod.c 2017-03-24 11:57:19.000000000 +0100 +@@ -569,13 +569,13 @@ static int mif_process_cmpt(mif_hdr_t *h + break; + } + } +- jas_tvparser_destroy(tvp); + if (!cmpt->sampperx || !cmpt->samppery) { + goto error; + } + if (mif_hdr_addcmpt(hdr, hdr->numcmpts, cmpt)) { + goto error; + } ++ jas_tvparser_destroy(tvp); + return 0; + + error: diff --git a/SOURCES/jasper-CVE-2016-10248.patch b/SOURCES/jasper-CVE-2016-10248.patch new file mode 100644 index 0000000..586403f --- /dev/null +++ b/SOURCES/jasper-CVE-2016-10248.patch @@ -0,0 +1,98 @@ +Backport of the upstream commit: + +From 2e82fa00466ae525339754bb3ab0a0474a31d4bd Mon Sep 17 00:00:00 2001 +From: Michael Adams +Date: Wed, 19 Oct 2016 17:57:40 -0700 +Subject: [PATCH] Fixed an integral type promotion problem by adding a + JAS_CAST. Modified the jpc_tsfb_synthesize function so that it will be a noop + for an empty sequence (in order to avoid dereferencing a null pointer). + +diff -pruN jasper-1.900.1.orig/src/libjasper/include/jasper/jas_math.h jasper-1.900.1/src/libjasper/include/jasper/jas_math.h +--- jasper-1.900.1.orig/src/libjasper/include/jasper/jas_math.h 2017-03-31 14:08:18.000000000 +0200 ++++ jasper-1.900.1/src/libjasper/include/jasper/jas_math.h 2017-03-31 14:09:06.000000000 +0200 +@@ -115,6 +115,24 @@ extern "C" { + ((1 << (n)) - 1) + + /******************************************************************************\ ++* ++\******************************************************************************/ ++ ++__attribute__((no_sanitize("undefined"))) ++inline static jas_int_asr(int x, int n) ++{ ++ assert(n >= 0); ++ return x >> n; ++} ++ ++__attribute__((no_sanitize("undefined"))) ++inline static jas_int_asl(int x, int n) ++{ ++ assert(n >= 0); ++ return x << n; ++} ++ ++/******************************************************************************\ + * Safe integer arithmetic (i.e., with overflow checking). + \******************************************************************************/ + +diff -pruN jasper-1.900.1.orig/src/libjasper/include/jasper/jas_seq.h jasper-1.900.1/src/libjasper/include/jasper/jas_seq.h +--- jasper-1.900.1.orig/src/libjasper/include/jasper/jas_seq.h 2007-01-19 22:43:04.000000000 +0100 ++++ jasper-1.900.1/src/libjasper/include/jasper/jas_seq.h 2017-03-31 14:09:06.000000000 +0200 +@@ -154,6 +154,9 @@ typedef jas_matrix_t jas_seq_t; + #define jas_matrix_numcols(matrix) \ + ((matrix)->numcols_) + ++#define jas_matrix_size(matrix) \ ++ (jas_matrix_width(matrix) * jas_matrix_height(matrix)) ++ + /* Get a matrix element. */ + #define jas_matrix_get(matrix, i, j) \ + ((matrix)->rows_[i][j]) +@@ -269,6 +272,8 @@ jas_matrix_t *jas_seq2d_create(int xstar + ((s)->xstart_ = (x), (s)->ystart_ = (y), \ + (s)->xend_ = (s)->xstart_ + (s)->numcols_, \ + (s)->yend_ = (s)->ystart_ + (s)->numrows_) ++#define jas_seq2d_size(s) \ ++ (jas_seq2d_width(s) * jas_seq2d_height(s)) + + void jas_seq2d_bindsub(jas_matrix_t *s, jas_matrix_t *s1, int xstart, + int ystart, int xend, int yend); +diff -pruN jasper-1.900.1.orig/src/libjasper/jpc/jpc_dec.c jasper-1.900.1/src/libjasper/jpc/jpc_dec.c +--- jasper-1.900.1.orig/src/libjasper/jpc/jpc_dec.c 2017-03-31 14:08:18.000000000 +0200 ++++ jasper-1.900.1/src/libjasper/jpc/jpc_dec.c 2017-03-31 14:09:06.000000000 +0200 +@@ -1805,6 +1805,13 @@ static void jpc_undo_roi(jas_matrix_t *x + bool warn; + uint_fast32_t mask; + ++ if (roishift < 0) { ++ /* We could instead return an error here. */ ++ /* I do not think it matters much. */ ++ jas_eprintf("warning: forcing negative ROI shift to zero " ++ "(bitstream is probably corrupt)\n"); ++ roishift = 0; ++ } + if (roishift == 0 && bgshift == 0) { + return; + } +@@ -1823,7 +1830,7 @@ static void jpc_undo_roi(jas_matrix_t *x + } else { + /* We are dealing with non-ROI (i.e., background) data. */ + mag <<= bgshift; +- mask = (1 << numbps) - 1; ++ mask = (JAS_CAST(uint_fast32_t, 1) << numbps) - 1; + /* Perform a basic sanity check on the sample value. */ + /* Some implementations write garbage in the unused + most-significant bit planes introduced by ROI shifting. +diff -pruN jasper-1.900.1.orig/src/libjasper/jpc/jpc_tsfb.c jasper-1.900.1/src/libjasper/jpc/jpc_tsfb.c +--- jasper-1.900.1.orig/src/libjasper/jpc/jpc_tsfb.c 2007-01-19 22:43:07.000000000 +0100 ++++ jasper-1.900.1/src/libjasper/jpc/jpc_tsfb.c 2017-03-31 14:09:06.000000000 +0200 +@@ -148,7 +148,8 @@ int jpc_tsfb_analyze2(jpc_tsfb_t *tsfb, + + int jpc_tsfb_synthesize(jpc_tsfb_t *tsfb, jas_seq2d_t *a) + { +- return (tsfb->numlvls > 0) ? jpc_tsfb_synthesize2(tsfb, ++ return (tsfb->numlvls > 0 && jas_seq2d_size(a)) ? ++ jpc_tsfb_synthesize2(tsfb, + jas_seq2d_getref(a, jas_seq2d_xstart(a), jas_seq2d_ystart(a)), + jas_seq2d_xstart(a), jas_seq2d_ystart(a), jas_seq2d_width(a), + jas_seq2d_height(a), jas_seq2d_rowstep(a), tsfb->numlvls - 1) : 0; diff --git a/SOURCES/jasper-CVE-2016-10249.patch b/SOURCES/jasper-CVE-2016-10249.patch new file mode 100644 index 0000000..0c18d84 --- /dev/null +++ b/SOURCES/jasper-CVE-2016-10249.patch @@ -0,0 +1,78 @@ +Backport of the upstream commit: + +From 988f8365f7d8ad8073b6786e433d34c553ecf568 Mon Sep 17 00:00:00 2001 +From: Michael Adams +Date: Sat, 22 Oct 2016 14:36:49 -0700 +Subject: [PATCH] Fixed an integer overflow problem. + +Further enhanced by an explicit check to ensure that size not only fits into +size_t, but that it also does not exceed INT_FAST32_MAX (the type of +matrix->datasize_). This is similar approach to what upstream used in +a712a2041085e7cd5f2b153e1532ac2a2954ffaa. + +diff -pruN jasper-1.900.1.orig/src/libjasper/base/jas_seq.c jasper-1.900.1/src/libjasper/base/jas_seq.c +--- jasper-1.900.1.orig/src/libjasper/base/jas_seq.c 2017-03-31 15:02:01.000000000 +0200 ++++ jasper-1.900.1/src/libjasper/base/jas_seq.c 2017-03-31 15:41:17.527623038 +0200 +@@ -101,13 +101,16 @@ jas_matrix_t *jas_matrix_create(int numr + { + jas_matrix_t *matrix; + int i; ++ size_t size; ++ ++ matrix = 0; + + if (numrows < 0 || numcols < 0) { +- return 0; ++ goto error; + } + + if (!(matrix = jas_malloc(sizeof(jas_matrix_t)))) { +- return 0; ++ goto error; + } + matrix->flags_ = 0; + matrix->numrows_ = numrows; +@@ -115,21 +118,25 @@ jas_matrix_t *jas_matrix_create(int numr + matrix->rows_ = 0; + matrix->maxrows_ = numrows; + matrix->data_ = 0; +- matrix->datasize_ = numrows * numcols; ++ matrix->datasize_ = 0; ++ ++ // matrix->datasize_ = numrows * numcols; ++ if (!jas_safe_size_mul(numrows, numcols, &size) || size > INT_FAST32_MAX) { ++ goto error; ++ } ++ matrix->datasize_ = size; + + if (matrix->maxrows_ > 0) { + if (!(matrix->rows_ = jas_alloc2(matrix->maxrows_, + sizeof(jas_seqent_t *)))) { +- jas_matrix_destroy(matrix); +- return 0; ++ goto error; + } + } + + if (matrix->datasize_ > 0) { + if (!(matrix->data_ = jas_alloc2(matrix->datasize_, + sizeof(jas_seqent_t)))) { +- jas_matrix_destroy(matrix); +- return 0; ++ goto error; + } + } + +@@ -147,6 +154,12 @@ jas_matrix_t *jas_matrix_create(int numr + matrix->yend_ = matrix->numrows_; + + return matrix; ++ ++error: ++ if (matrix) { ++ jas_matrix_destroy(matrix); ++ } ++ return 0; + } + + void jas_matrix_destroy(jas_matrix_t *matrix) diff --git a/SOURCES/jasper-CVE-2016-10251.patch b/SOURCES/jasper-CVE-2016-10251.patch new file mode 100644 index 0000000..fd9977b --- /dev/null +++ b/SOURCES/jasper-CVE-2016-10251.patch @@ -0,0 +1,102 @@ +From 1f0dfe5a42911b6880a1445f13f6d615ddb55387 Mon Sep 17 00:00:00 2001 +From: Michael Adams +Date: Fri, 4 Nov 2016 07:20:23 -0700 +Subject: [PATCH] Fixed an integer overflow problem in the JPC codec that later + resulted in the use of uninitialized data. + +--- + src/libjasper/jpc/jpc_t2cod.c | 20 ++++++++++---------- + src/libjasper/jpc/jpc_t2cod.h | 20 ++++++++++---------- + 2 files changed, 20 insertions(+), 20 deletions(-) + +diff --git a/src/libjasper/jpc/jpc_t2cod.c b/src/libjasper/jpc/jpc_t2cod.c +index 08315dd..174442a 100644 +--- a/src/libjasper/jpc/jpc_t2cod.c ++++ b/src/libjasper/jpc/jpc_t2cod.c +@@ -432,18 +432,18 @@ static int jpc_pi_nextcprl(register jpc_pi_t *pi) + &pi->picomps[pi->compno]; pi->compno < JAS_CAST(int, pchg->compnoend) && pi->compno < pi->numcomps; ++pi->compno, + ++pi->picomp) { + pirlvl = pi->picomp->pirlvls; +- pi->xstep = pi->picomp->hsamp * (1 << (pirlvl->prcwidthexpn + +- pi->picomp->numrlvls - 1)); +- pi->ystep = pi->picomp->vsamp * (1 << (pirlvl->prcheightexpn + +- pi->picomp->numrlvls - 1)); ++ pi->xstep = pi->picomp->hsamp * (JAS_CAST(uint_fast32_t, 1) << ++ (pirlvl->prcwidthexpn + pi->picomp->numrlvls - 1)); ++ pi->ystep = pi->picomp->vsamp * (JAS_CAST(uint_fast32_t, 1) << ++ (pirlvl->prcheightexpn + pi->picomp->numrlvls - 1)); + for (rlvlno = 1, pirlvl = &pi->picomp->pirlvls[1]; + rlvlno < pi->picomp->numrlvls; ++rlvlno, ++pirlvl) { +- pi->xstep = JAS_MIN(pi->xstep, pi->picomp->hsamp * (1 << +- (pirlvl->prcwidthexpn + pi->picomp->numrlvls - +- rlvlno - 1))); +- pi->ystep = JAS_MIN(pi->ystep, pi->picomp->vsamp * (1 << +- (pirlvl->prcheightexpn + pi->picomp->numrlvls - +- rlvlno - 1))); ++ pi->xstep = JAS_MIN(pi->xstep, pi->picomp->hsamp * ++ (JAS_CAST(uint_fast32_t, 1) << (pirlvl->prcwidthexpn + ++ pi->picomp->numrlvls - rlvlno - 1))); ++ pi->ystep = JAS_MIN(pi->ystep, pi->picomp->vsamp * ++ (JAS_CAST(uint_fast32_t, 1) << (pirlvl->prcheightexpn + ++ pi->picomp->numrlvls - rlvlno - 1))); + } + for (pi->y = pi->ystart; pi->y < pi->yend; + pi->y += pi->ystep - (pi->y % pi->ystep)) { +diff --git a/src/libjasper/jpc/jpc_t2cod.h b/src/libjasper/jpc/jpc_t2cod.h +index 0a176c9..690e031 100644 +--- a/src/libjasper/jpc/jpc_t2cod.h ++++ b/src/libjasper/jpc/jpc_t2cod.h +@@ -129,10 +129,10 @@ typedef struct { + jpc_pirlvl_t *pirlvls; + + /* The horizontal sampling period. */ +- int hsamp; ++ uint_fast32_t hsamp; + + /* The vertical sampling period. */ +- int vsamp; ++ uint_fast32_t vsamp; + + } jpc_picomp_t; + +@@ -171,32 +171,32 @@ typedef struct { + int lyrno; + + /* The x-coordinate of the current position. */ +- int x; ++ uint_fast32_t x; + + /* The y-coordinate of the current position. */ +- int y; ++ uint_fast32_t y; + + /* The horizontal step size. */ +- int xstep; ++ uint_fast32_t xstep; + + /* The vertical step size. */ +- int ystep; ++ uint_fast32_t ystep; + + /* The x-coordinate of the top-left corner of the tile on the reference + grid. */ +- int xstart; ++ uint_fast32_t xstart; + + /* The y-coordinate of the top-left corner of the tile on the reference + grid. */ +- int ystart; ++ uint_fast32_t ystart; + + /* The x-coordinate of the bottom-right corner of the tile on the + reference grid (plus one). */ +- int xend; ++ uint_fast32_t xend; + + /* The y-coordinate of the bottom-right corner of the tile on the + reference grid (plus one). */ +- int yend; ++ uint_fast32_t yend; + + /* The current progression change. */ + jpc_pchg_t *pchg; diff --git a/SOURCES/jasper-CVE-2016-1577.patch b/SOURCES/jasper-CVE-2016-1577.patch new file mode 100644 index 0000000..67e347a --- /dev/null +++ b/SOURCES/jasper-CVE-2016-1577.patch @@ -0,0 +1,18 @@ +Bacport of the upstream commit: + +From 74ea22a7a4fe186e0a0124df25e19739b77c4a29 Mon Sep 17 00:00:00 2001 +From: Richard Hughes +Date: Mon, 19 Sep 2016 10:03:36 +0100 +Subject: [PATCH] CVE-2016-1577 + +diff -pruN jasper-1.900.1.orig/src/libjasper/base/jas_icc.c jasper-1.900.1/src/libjasper/base/jas_icc.c +--- jasper-1.900.1.orig/src/libjasper/base/jas_icc.c 2017-03-24 13:58:54.000000000 +0100 ++++ jasper-1.900.1/src/libjasper/base/jas_icc.c 2017-03-24 13:59:12.000000000 +0100 +@@ -299,6 +299,7 @@ jas_iccprof_t *jas_iccprof_load(jas_stre + if (jas_iccprof_setattr(prof, tagtabent->tag, attrval)) + goto error; + jas_iccattrval_destroy(attrval); ++ attrval = 0; + } else { + #if 0 + jas_eprintf("warning: skipping unknown tag type\n"); diff --git a/SOURCES/jasper-CVE-2016-1867.patch b/SOURCES/jasper-CVE-2016-1867.patch new file mode 100644 index 0000000..7b3f6af --- /dev/null +++ b/SOURCES/jasper-CVE-2016-1867.patch @@ -0,0 +1,22 @@ +From 980da43d8d388a67cac505e734423b2a5aa4cede Mon Sep 17 00:00:00 2001 +From: Richard Hughes +Date: Mon, 19 Sep 2016 10:03:36 +0100 +Subject: [PATCH] CVE-2016-1867 + +--- + src/libjasper/jpc/jpc_t2cod.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/libjasper/jpc/jpc_t2cod.c b/src/libjasper/jpc/jpc_t2cod.c +index e734900..b80d332 100644 +--- a/src/libjasper/jpc/jpc_t2cod.c ++++ b/src/libjasper/jpc/jpc_t2cod.c +@@ -429,7 +429,7 @@ static int jpc_pi_nextcprl(register jpc_pi_t *pi) + } + + for (pi->compno = pchg->compnostart, pi->picomp = +- &pi->picomps[pi->compno]; pi->compno < JAS_CAST(int, pchg->compnoend); ++pi->compno, ++ &pi->picomps[pi->compno]; pi->compno < JAS_CAST(int, pchg->compnoend) && pi->compno < pi->numcomps; ++pi->compno, + ++pi->picomp) { + pirlvl = pi->picomp->pirlvls; + pi->xstep = pi->picomp->hsamp * (1 << (pirlvl->prcwidthexpn + diff --git a/SOURCES/jasper-CVE-2016-2089.patch b/SOURCES/jasper-CVE-2016-2089.patch new file mode 100644 index 0000000..d265c36 --- /dev/null +++ b/SOURCES/jasper-CVE-2016-2089.patch @@ -0,0 +1,157 @@ +Backport of the upstream commit: + +From c87ad330a8b8d6e5eb0065675601fdfae08ebaab Mon Sep 17 00:00:00 2001 +From: Michael Adams +Date: Wed, 12 Oct 2016 11:37:33 -0700 +Subject: [PATCH] Added fix for CVE-2016-2089. + +diff -pruN jasper-1.900.1.orig/src/libjasper/base/jas_image.c jasper-1.900.1/src/libjasper/base/jas_image.c +--- jasper-1.900.1.orig/src/libjasper/base/jas_image.c 2017-03-24 22:40:10.000000000 +0100 ++++ jasper-1.900.1/src/libjasper/base/jas_image.c 2017-03-24 22:40:51.000000000 +0100 +@@ -442,6 +442,10 @@ int jas_image_readcmpt(jas_image_t *imag + return -1; + } + ++ if (!jas_matrix_numrows(data) || !jas_matrix_numcols(data)) { ++ return -1; ++ } ++ + if (jas_matrix_numrows(data) != height || jas_matrix_numcols(data) != width) { + if (jas_matrix_resize(data, height, width)) { + return -1; +@@ -495,6 +499,10 @@ int jas_image_writecmpt(jas_image_t *ima + return -1; + } + ++ if (!jas_matrix_numrows(data) || !jas_matrix_numcols(data)) { ++ return -1; ++ } ++ + if (jas_matrix_numrows(data) != height || jas_matrix_numcols(data) != width) { + return -1; + } +diff -pruN jasper-1.900.1.orig/src/libjasper/base/jas_seq.c jasper-1.900.1/src/libjasper/base/jas_seq.c +--- jasper-1.900.1.orig/src/libjasper/base/jas_seq.c 2017-03-24 15:26:36.000000000 +0100 ++++ jasper-1.900.1/src/libjasper/base/jas_seq.c 2017-03-24 15:28:09.000000000 +0100 +@@ -266,13 +266,16 @@ void jas_matrix_divpow2(jas_matrix_t *ma + int rowstep; + jas_seqent_t *data; + +- rowstep = jas_matrix_rowstep(matrix); +- for (i = matrix->numrows_, rowstart = matrix->rows_[0]; i > 0; --i, +- rowstart += rowstep) { +- for (j = matrix->numcols_, data = rowstart; j > 0; --j, +- ++data) { +- *data = (*data >= 0) ? ((*data) >> n) : +- (-((-(*data)) >> n)); ++ if (jas_matrix_numrows(matrix) > 0 && jas_matrix_numcols(matrix) > 0) { ++ assert(matrix->rows_); ++ rowstep = jas_matrix_rowstep(matrix); ++ for (i = matrix->numrows_, rowstart = matrix->rows_[0]; i > 0; --i, ++ rowstart += rowstep) { ++ for (j = matrix->numcols_, data = rowstart; j > 0; --j, ++ ++data) { ++ *data = (*data >= 0) ? ((*data) >> n) : ++ (-((-(*data)) >> n)); ++ } + } + } + } +@@ -286,17 +289,20 @@ void jas_matrix_clip(jas_matrix_t *matri + jas_seqent_t *data; + int rowstep; + +- rowstep = jas_matrix_rowstep(matrix); +- for (i = matrix->numrows_, rowstart = matrix->rows_[0]; i > 0; --i, +- rowstart += rowstep) { +- data = rowstart; +- for (j = matrix->numcols_, data = rowstart; j > 0; --j, +- ++data) { +- v = *data; +- if (v < minval) { +- *data = minval; +- } else if (v > maxval) { +- *data = maxval; ++ if (jas_matrix_numrows(matrix) > 0 && jas_matrix_numcols(matrix) > 0) { ++ assert(matrix->rows_); ++ rowstep = jas_matrix_rowstep(matrix); ++ for (i = matrix->numrows_, rowstart = matrix->rows_[0]; i > 0; --i, ++ rowstart += rowstep) { ++ data = rowstart; ++ for (j = matrix->numcols_, data = rowstart; j > 0; --j, ++ ++data) { ++ v = *data; ++ if (v < minval) { ++ *data = minval; ++ } else if (v > maxval) { ++ *data = maxval; ++ } + } + } + } +@@ -311,12 +317,15 @@ void jas_matrix_asr(jas_matrix_t *matrix + jas_seqent_t *data; + + assert(n >= 0); +- rowstep = jas_matrix_rowstep(matrix); +- for (i = matrix->numrows_, rowstart = matrix->rows_[0]; i > 0; --i, +- rowstart += rowstep) { +- for (j = matrix->numcols_, data = rowstart; j > 0; --j, +- ++data) { +- *data >>= n; ++ if (jas_matrix_numrows(matrix) > 0 && jas_matrix_numcols(matrix) > 0) { ++ assert(matrix->rows_); ++ rowstep = jas_matrix_rowstep(matrix); ++ for (i = matrix->numrows_, rowstart = matrix->rows_[0]; i > 0; --i, ++ rowstart += rowstep) { ++ for (j = matrix->numcols_, data = rowstart; j > 0; --j, ++ ++data) { ++ *data >>= n; ++ } + } + } + } +@@ -329,12 +338,15 @@ void jas_matrix_asl(jas_matrix_t *matrix + int rowstep; + jas_seqent_t *data; + +- rowstep = jas_matrix_rowstep(matrix); +- for (i = matrix->numrows_, rowstart = matrix->rows_[0]; i > 0; --i, +- rowstart += rowstep) { +- for (j = matrix->numcols_, data = rowstart; j > 0; --j, +- ++data) { +- *data <<= n; ++ if (jas_matrix_numrows(matrix) > 0 && jas_matrix_numcols(matrix) > 0) { ++ assert(matrix->rows_); ++ rowstep = jas_matrix_rowstep(matrix); ++ for (i = matrix->numrows_, rowstart = matrix->rows_[0]; i > 0; --i, ++ rowstart += rowstep) { ++ for (j = matrix->numcols_, data = rowstart; j > 0; --j, ++ ++data) { ++ *data <<= n; ++ } + } + } + } +@@ -371,12 +383,15 @@ void jas_matrix_setall(jas_matrix_t *mat + int rowstep; + jas_seqent_t *data; + +- rowstep = jas_matrix_rowstep(matrix); +- for (i = matrix->numrows_, rowstart = matrix->rows_[0]; i > 0; --i, +- rowstart += rowstep) { +- for (j = matrix->numcols_, data = rowstart; j > 0; --j, +- ++data) { +- *data = val; ++ if (jas_matrix_numrows(matrix) > 0 && jas_matrix_numcols(matrix) > 0) { ++ assert(matrix->rows_); ++ rowstep = jas_matrix_rowstep(matrix); ++ for (i = matrix->numrows_, rowstart = matrix->rows_[0]; i > 0; --i, ++ rowstart += rowstep) { ++ for (j = matrix->numcols_, data = rowstart; j > 0; --j, ++ ++data) { ++ *data = val; ++ } + } + } + } diff --git a/SOURCES/jasper-CVE-2016-2116.patch b/SOURCES/jasper-CVE-2016-2116.patch new file mode 100644 index 0000000..5b1ba6e --- /dev/null +++ b/SOURCES/jasper-CVE-2016-2116.patch @@ -0,0 +1,19 @@ +Backport of the upstream commit: + +From 142245b9bbb33274a7c620aa7a8f85bc00b2d68e Mon Sep 17 00:00:00 2001 +From: Richard Hughes +Date: Mon, 19 Sep 2016 10:03:36 +0100 +Subject: [PATCH] CVE-2016-2116 + +diff -pruN jasper-1.900.1.orig/src/libjasper/base/jas_icc.c jasper-1.900.1/src/libjasper/base/jas_icc.c +--- jasper-1.900.1.orig/src/libjasper/base/jas_icc.c 2017-03-24 14:06:15.000000000 +0100 ++++ jasper-1.900.1/src/libjasper/base/jas_icc.c 2017-03-24 14:06:34.000000000 +0100 +@@ -1692,6 +1692,8 @@ jas_iccprof_t *jas_iccprof_createfrombuf + jas_stream_close(in); + return prof; + error: ++ if (in) ++ jas_stream_close(in); + return 0; + } + diff --git a/SOURCES/jasper-CVE-2016-8654.patch b/SOURCES/jasper-CVE-2016-8654.patch new file mode 100644 index 0000000..cc8d396 --- /dev/null +++ b/SOURCES/jasper-CVE-2016-8654.patch @@ -0,0 +1,30 @@ +Backport of the relevant parts of the upstream commit: + +From 4a59cfaf9ab3d48fca4a15c0d2674bf7138e3d1a Mon Sep 17 00:00:00 2001 +From: Michael Adams +Date: Sat, 26 Nov 2016 20:23:23 -0800 +Subject: [PATCH] Fixed a buffer overrun problem in the QMFB code in the JPC + codec that was caused by a buffer being allocated with a size that was too + small in some cases. Added a new regression test case. + +diff -pruN jasper-1.900.1.orig/src/libjasper/jpc/jpc_qmfb.c jasper-1.900.1/src/libjasper/jpc/jpc_qmfb.c +--- jasper-1.900.1.orig/src/libjasper/jpc/jpc_qmfb.c 2017-03-29 14:47:26.000000000 +0200 ++++ jasper-1.900.1/src/libjasper/jpc/jpc_qmfb.c 2017-03-29 16:24:55.425985016 +0200 +@@ -439,7 +439,7 @@ void jpc_qmfb_split_colgrp(jpc_fix_t *a, + + /* Get a buffer. */ + if (bufsize > QMFB_SPLITBUFSIZE) { +- if (!(buf = jas_alloc2(bufsize, sizeof(jpc_fix_t)))) { ++ if (!(buf = jas_alloc2(bufsize, JPC_QMFB_COLGRPSIZE * sizeof(jpc_fix_t)))) { + /* We have no choice but to commit suicide in this case. */ + abort(); + } +@@ -520,7 +520,7 @@ void jpc_qmfb_split_colres(jpc_fix_t *a, + + /* Get a buffer. */ + if (bufsize > QMFB_SPLITBUFSIZE) { +- if (!(buf = jas_alloc2(bufsize, sizeof(jpc_fix_t)))) { ++ if (!(buf = jas_alloc3(bufsize, numcols, sizeof(jpc_fix_t)))) { + /* We have no choice but to commit suicide in this case. */ + abort(); + } diff --git a/SOURCES/jasper-CVE-2016-8690-CVE-2016-8884-CVE-2016-8885.patch b/SOURCES/jasper-CVE-2016-8690-CVE-2016-8884-CVE-2016-8885.patch new file mode 100644 index 0000000..8f6eb31 --- /dev/null +++ b/SOURCES/jasper-CVE-2016-8690-CVE-2016-8884-CVE-2016-8885.patch @@ -0,0 +1,22 @@ +Backport form the upstream commit: + +From 5d66894d2313e3f3469f19066e149e08ff076698 Mon Sep 17 00:00:00 2001 +From: Michael Adams +Date: Wed, 19 Oct 2016 20:13:06 -0700 +Subject: [PATCH] Fixed a problem with a null pointer dereference in the BMP + decoder. + +diff -pruN jasper-1.900.1.orig/src/libjasper/base/jas_seq.c jasper-1.900.1/src/libjasper/base/jas_seq.c +--- jasper-1.900.1.orig/src/libjasper/base/jas_seq.c 2017-03-23 22:50:09.000000000 +0100 ++++ jasper-1.900.1/src/libjasper/base/jas_seq.c 2017-03-23 23:01:30.000000000 +0100 +@@ -102,6 +102,10 @@ jas_matrix_t *jas_matrix_create(int numr + jas_matrix_t *matrix; + int i; + ++ if (numrows < 0 || numcols < 0) { ++ return 0; ++ } ++ + if (!(matrix = jas_malloc(sizeof(jas_matrix_t)))) { + return 0; + } diff --git a/SOURCES/jasper-CVE-2016-8691-CVE-2016-8692.patch b/SOURCES/jasper-CVE-2016-8691-CVE-2016-8692.patch new file mode 100644 index 0000000..607a3c9 --- /dev/null +++ b/SOURCES/jasper-CVE-2016-8691-CVE-2016-8692.patch @@ -0,0 +1,31 @@ +From d8c2604cd438c41ec72aff52c16ebd8183068020 Mon Sep 17 00:00:00 2001 +From: Michael Adams +Date: Sat, 15 Oct 2016 12:22:28 -0700 +Subject: [PATCH] Added range check on XRsiz and YRsiz fields of SIZ marker + segment. + +--- + src/libjasper/jpc/jpc_cs.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/src/libjasper/jpc/jpc_cs.c b/src/libjasper/jpc/jpc_cs.c +index 6da4872..55d34d6 100644 +--- a/src/libjasper/jpc/jpc_cs.c ++++ b/src/libjasper/jpc/jpc_cs.c +@@ -512,6 +512,16 @@ static int jpc_siz_getparms(jpc_ms_t *ms, jpc_cstate_t *cstate, + jas_free(siz->comps); + return -1; + } ++ if (siz->comps[i].hsamp == 0 || siz->comps[i].hsamp > 255) { ++ jas_eprintf("invalid XRsiz value %d\n", siz->comps[i].hsamp); ++ jas_free(siz->comps); ++ return -1; ++ } ++ if (siz->comps[i].vsamp == 0 || siz->comps[i].vsamp > 255) { ++ jas_eprintf("invalid YRsiz value %d\n", siz->comps[i].vsamp); ++ jas_free(siz->comps); ++ return -1; ++ } + siz->comps[i].sgnd = (tmp >> 7) & 1; + siz->comps[i].prec = (tmp & 0x7f) + 1; + } diff --git a/SOURCES/jasper-CVE-2016-8693.patch b/SOURCES/jasper-CVE-2016-8693.patch new file mode 100644 index 0000000..b541210 --- /dev/null +++ b/SOURCES/jasper-CVE-2016-8693.patch @@ -0,0 +1,25 @@ +Backport of the upstream commit: + +From 44a524e367597af58d6265ae2014468b334d0309 Mon Sep 17 00:00:00 2001 +From: Michael Adams +Date: Thu, 20 Oct 2016 07:34:32 -0700 +Subject: [PATCH] The memory stream interface allows for a buffer size of zero. + The case of a zero-sized buffer was not handled correctly, as it could lead + to a double free. This problem has now been fixed (hopefully). One might ask + whether a zero-sized buffer should be allowed at all, but this is a question + for another day. + +diff -pruN jasper-1.900.1.orig/src/libjasper/base/jas_stream.c jasper-1.900.1/src/libjasper/base/jas_stream.c +--- jasper-1.900.1.orig/src/libjasper/base/jas_stream.c 2017-03-24 13:23:23.000000000 +0100 ++++ jasper-1.900.1/src/libjasper/base/jas_stream.c 2017-03-24 13:33:01.986069625 +0100 +@@ -991,8 +991,8 @@ static int mem_resize(jas_stream_memobj_ + { + unsigned char *buf; + +- assert(m->buf_); +- if (!(buf = jas_realloc(m->buf_, bufsize))) { ++ //assert(m->buf_); ++ if (!(buf = jas_realloc(m->buf_, bufsize)) && bufsize) { + return -1; + } + m->buf_ = buf; diff --git a/SOURCES/jasper-CVE-2016-8883.patch b/SOURCES/jasper-CVE-2016-8883.patch new file mode 100644 index 0000000..46bcdad --- /dev/null +++ b/SOURCES/jasper-CVE-2016-8883.patch @@ -0,0 +1,42 @@ +Backport of upstream commit: + +From 33cc2cfa51a8d0fc3116d16cc1d8fc581b3f9e8d Mon Sep 17 00:00:00 2001 +From: Michael Adams +Date: Wed, 19 Oct 2016 15:02:20 -0700 +Subject: [PATCH] The RCT and ICT require at least three components. + Previously, this was enforced with an assertion. Now, the assertion has been + replaced with a proper error check. + +diff -pruN jasper-1.900.1.orig/src/libjasper/jpc/jpc_dec.c jasper-1.900.1/src/libjasper/jpc/jpc_dec.c +--- jasper-1.900.1.orig/src/libjasper/jpc/jpc_dec.c 2017-03-31 15:52:43.000000000 +0200 ++++ jasper-1.900.1/src/libjasper/jpc/jpc_dec.c 2017-03-31 21:58:17.000000000 +0200 +@@ -1070,12 +1070,18 @@ static int jpc_dec_tiledecode(jpc_dec_t + /* Apply an inverse intercomponent transform if necessary. */ + switch (tile->cp->mctid) { + case JPC_MCT_RCT: +- assert(dec->numcomps >= 3); ++ if (dec->numcomps < 3) { ++ jas_eprintf("RCT requires at least three components\n"); ++ return -1; ++ } + jpc_irct(tile->tcomps[0].data, tile->tcomps[1].data, + tile->tcomps[2].data); + break; + case JPC_MCT_ICT: +- assert(dec->numcomps >= 3); ++ if (dec->numcomps < 3) { ++ jas_eprintf("ICT requires at least three components\n"); ++ return -1; ++ } + jpc_iict(tile->tcomps[0].data, tile->tcomps[1].data, + tile->tcomps[2].data); + break; +@@ -1127,7 +1133,7 @@ static int jpc_dec_tiledecode(jpc_dec_t + JPC_CEILDIV(dec->ystart, cmpt->vstep), jas_matrix_numcols( + tcomp->data), jas_matrix_numrows(tcomp->data), tcomp->data)) { + jas_eprintf("write component failed\n"); +- return -4; ++ return -1; + } + } + diff --git a/SOURCES/jasper-CVE-2016-9387.patch b/SOURCES/jasper-CVE-2016-9387.patch new file mode 100644 index 0000000..23c1b87 --- /dev/null +++ b/SOURCES/jasper-CVE-2016-9387.patch @@ -0,0 +1,37 @@ +Backport of the upstream commits: + +From d91198abd00fc435a397fe6bad906a4c1748e9cf Mon Sep 17 00:00:00 2001 +From: Michael Adams +Date: Sun, 23 Oct 2016 03:34:35 -0700 +Subject: [PATCH] Fixed another integer overflow problem. + +From a712a2041085e7cd5f2b153e1532ac2a2954ffaa Mon Sep 17 00:00:00 2001 +From: Michael Adams +Date: Thu, 2 Mar 2017 09:28:42 -0800 +Subject: [PATCH] Added some additional checking to prevent a potential integer + overflow due to conversion in the JPC decoder. + +diff -pruN jasper-1.900.1.orig/src/libjasper/jpc/jpc_dec.c jasper-1.900.1/src/libjasper/jpc/jpc_dec.c +--- jasper-1.900.1.orig/src/libjasper/jpc/jpc_dec.c 2017-03-31 22:12:06.000000000 +0200 ++++ jasper-1.900.1/src/libjasper/jpc/jpc_dec.c 2017-03-31 22:14:46.112781219 +0200 +@@ -1174,6 +1174,7 @@ static int jpc_dec_process_siz(jpc_dec_t + int htileno; + int vtileno; + jpc_dec_cmpt_t *cmpt; ++ size_t size; + + dec->xstart = siz->xoff; + dec->ystart = siz->yoff; +@@ -1210,7 +1211,11 @@ static int jpc_dec_process_siz(jpc_dec_t + + dec->numhtiles = JPC_CEILDIV(dec->xend - dec->tilexoff, dec->tilewidth); + dec->numvtiles = JPC_CEILDIV(dec->yend - dec->tileyoff, dec->tileheight); +- dec->numtiles = dec->numhtiles * dec->numvtiles; ++ if (!jas_safe_size_mul(dec->numhtiles, dec->numvtiles, &size) || ++ size > INT_MAX) { ++ return -1; ++ } ++ dec->numtiles = size; + if (!(dec->tiles = jas_calloc(dec->numtiles, sizeof(jpc_dec_tile_t)))) { + return -1; + } diff --git a/SOURCES/jasper-CVE-2016-9388.patch b/SOURCES/jasper-CVE-2016-9388.patch new file mode 100644 index 0000000..27398be --- /dev/null +++ b/SOURCES/jasper-CVE-2016-9388.patch @@ -0,0 +1,158 @@ +Backport of upstream commit: + +From 411a4068f8c464e883358bf403a3e25158863823 Mon Sep 17 00:00:00 2001 +From: Michael Adams +Date: Mon, 24 Oct 2016 06:56:08 -0700 +Subject: [PATCH] Fixed a few bugs in the RAS encoder and decoder where errors + were tested with assertions instead of being gracefully handled. + +diff -pruN jasper-1.900.1.orig/src/libjasper/ras/ras_dec.c jasper-1.900.1/src/libjasper/ras/ras_dec.c +--- jasper-1.900.1.orig/src/libjasper/ras/ras_dec.c 2007-01-19 22:43:04.000000000 +0100 ++++ jasper-1.900.1/src/libjasper/ras/ras_dec.c 2017-03-31 22:38:04.000000000 +0200 +@@ -257,9 +257,16 @@ static int ras_getdatastd(jas_stream_t * + /* Avoid compiler warnings about unused parameters. */ + cmap = 0; + ++ assert(jas_image_numcmpts(image) <= 3); ++ ++ for (i = 0; i < 3; ++i) { ++ data[i] = 0; ++ } ++ + for (i = 0; i < jas_image_numcmpts(image); ++i) { +- data[i] = jas_matrix_create(1, jas_image_width(image)); +- assert(data[i]); ++ if (!(data[i] = jas_matrix_create(1, jas_image_width(image)))) { ++ goto error; ++ } + } + + pad = RAS_ROWSIZE(hdr) - (hdr->width * hdr->depth + 7) / 8; +@@ -270,7 +277,7 @@ static int ras_getdatastd(jas_stream_t * + for (x = 0; x < hdr->width; x++) { + while (nz < hdr->depth) { + if ((c = jas_stream_getc(in)) == EOF) { +- return -1; ++ goto error; + } + z = (z << 8) | c; + nz += 8; +@@ -290,22 +297,31 @@ static int ras_getdatastd(jas_stream_t * + } + if (pad) { + if ((c = jas_stream_getc(in)) == EOF) { +- return -1; ++ goto error; + } + } + for (i = 0; i < jas_image_numcmpts(image); ++i) { + if (jas_image_writecmpt(image, i, 0, y, hdr->width, 1, + data[i])) { +- return -1; ++ goto error; + } + } + } + + for (i = 0; i < jas_image_numcmpts(image); ++i) { + jas_matrix_destroy(data[i]); ++ data[i] = 0; + } + + return 0; ++ ++error: ++ for (i = 0; i < 3; ++i) { ++ if (data[i]) { ++ jas_matrix_destroy(data[i]); ++ } ++ } ++ return -1; + } + + static int ras_getcmap(jas_stream_t *in, ras_hdr_t *hdr, ras_cmap_t *cmap) +@@ -324,7 +340,9 @@ static int ras_getcmap(jas_stream_t *in, + { + jas_eprintf("warning: palettized images not fully supported\n"); + numcolors = 1 << hdr->depth; +- assert(numcolors <= RAS_CMAP_MAXSIZ); ++ if (numcolors > RAS_CMAP_MAXSIZ) { ++ return -1; ++ } + actualnumcolors = hdr->maplength / 3; + for (i = 0; i < numcolors; i++) { + cmap->data[i] = 0; +diff -pruN jasper-1.900.1.orig/src/libjasper/ras/ras_enc.c jasper-1.900.1/src/libjasper/ras/ras_enc.c +--- jasper-1.900.1.orig/src/libjasper/ras/ras_enc.c 2017-03-31 22:20:38.000000000 +0200 ++++ jasper-1.900.1/src/libjasper/ras/ras_enc.c 2017-03-31 22:38:04.000000000 +0200 +@@ -230,9 +230,17 @@ static int ras_putdatastd(jas_stream_t * + jas_matrix_t *data[3]; + int i; + ++ assert(numcmpts <= 3); ++ ++ for (i = 0; i < 3; ++i) { ++ data[i] = 0; ++ } ++ + for (i = 0; i < numcmpts; ++i) { +- data[i] = jas_matrix_create(jas_image_height(image), jas_image_width(image)); +- assert(data[i]); ++ if (!(data[i] = jas_matrix_create(jas_image_height(image), ++ jas_image_width(image)))) { ++ goto error; ++ } + } + + rowsize = RAS_ROWSIZE(hdr); +@@ -244,7 +252,7 @@ static int ras_putdatastd(jas_stream_t * + for (i = 0; i < numcmpts; ++i) { + if (jas_image_readcmpt(image, cmpts[i], 0, y, + jas_image_width(image), 1, data[i])) { +- return -1; ++ goto error; + } + } + z = 0; +@@ -263,7 +271,7 @@ static int ras_putdatastd(jas_stream_t * + while (nz >= 8) { + c = (z >> (nz - 8)) & 0xff; + if (jas_stream_putc(out, c) == EOF) { +- return -1; ++ goto error; + } + nz -= 8; + z &= RAS_ONES(nz); +@@ -272,21 +280,30 @@ static int ras_putdatastd(jas_stream_t * + if (nz > 0) { + c = (z >> (8 - nz)) & RAS_ONES(nz); + if (jas_stream_putc(out, c) == EOF) { +- return -1; ++ goto error; + } + } + if (pad % 2) { + if (jas_stream_putc(out, 0) == EOF) { +- return -1; ++ goto error; + } + } + } + + for (i = 0; i < numcmpts; ++i) { + jas_matrix_destroy(data[i]); ++ data[i] = 0; + } + + return 0; ++ ++error: ++ for (i = 0; i < numcmpts; ++i) { ++ if (data[i]) { ++ jas_matrix_destroy(data[i]); ++ } ++ } ++ return -1; + } + + static int ras_puthdr(jas_stream_t *out, ras_hdr_t *hdr) diff --git a/SOURCES/jasper-CVE-2016-9389.patch b/SOURCES/jasper-CVE-2016-9389.patch new file mode 100644 index 0000000..b69d209 --- /dev/null +++ b/SOURCES/jasper-CVE-2016-9389.patch @@ -0,0 +1,59 @@ +Backport of upstream commit: + +From dee11ec440d7908d1daf69f40a3324b27cf213ba Mon Sep 17 00:00:00 2001 +From: Michael Adams +Date: Mon, 24 Oct 2016 07:26:40 -0700 +Subject: [PATCH] The component domains must be the same for the ICT/RCT in the + JPC codec. This was previously enforced with an assertion. Now, it is handled + in a more graceful manner. + +diff -pruN jasper-1.900.1.orig/src/libjasper/jpc/jpc_dec.c jasper-1.900.1/src/libjasper/jpc/jpc_dec.c +--- jasper-1.900.1.orig/src/libjasper/jpc/jpc_dec.c 2017-03-31 22:20:39.000000000 +0200 ++++ jasper-1.900.1/src/libjasper/jpc/jpc_dec.c 2017-03-31 22:48:55.368931732 +0200 +@@ -1014,6 +1014,24 @@ if (!prc->cblks) { + return 0; + } + ++static int jas_image_cmpt_domains_same(jas_image_t *image) ++{ ++ int cmptno; ++ jas_image_cmpt_t *cmpt; ++ jas_image_cmpt_t *cmpt0; ++ ++ cmpt0 = image->cmpts_[0]; ++ for (cmptno = 1; cmptno < image->numcmpts_; ++cmptno) { ++ cmpt = image->cmpts_[cmptno]; ++ if (cmpt->tlx_ != cmpt0->tlx_ || cmpt->tly_ != cmpt0->tly_ || ++ cmpt->hstep_ != cmpt0->hstep_ || cmpt->vstep_ != cmpt0->vstep_ || ++ cmpt->width_ != cmpt0->width_ || cmpt->height_ != cmpt0->height_) { ++ return 0; ++ } ++ } ++ return 1; ++} ++ + static int jpc_dec_tiledecode(jpc_dec_t *dec, jpc_dec_tile_t *tile) + { + int i; +@@ -1074,6 +1092,10 @@ static int jpc_dec_tiledecode(jpc_dec_t + jas_eprintf("RCT requires at least three components\n"); + return -1; + } ++ if (!jas_image_cmpt_domains_same(dec->image)) { ++ jas_eprintf("RCT requires all components have the same domain\n"); ++ return -1; ++ } + jpc_irct(tile->tcomps[0].data, tile->tcomps[1].data, + tile->tcomps[2].data); + break; +@@ -1082,6 +1104,10 @@ static int jpc_dec_tiledecode(jpc_dec_t + jas_eprintf("ICT requires at least three components\n"); + return -1; + } ++ if (!jas_image_cmpt_domains_same(dec->image)) { ++ jas_eprintf("RCT requires all components have the same domain\n"); ++ return -1; ++ } + jpc_iict(tile->tcomps[0].data, tile->tcomps[1].data, + tile->tcomps[2].data); + break; diff --git a/SOURCES/jasper-CVE-2016-9390.patch b/SOURCES/jasper-CVE-2016-9390.patch new file mode 100644 index 0000000..a13eaa0 --- /dev/null +++ b/SOURCES/jasper-CVE-2016-9390.patch @@ -0,0 +1,21 @@ +Backport of the upstream commit: + +From ba2b9d000660313af7b692542afbd374c5685865 Mon Sep 17 00:00:00 2001 +From: Michael Adams +Date: Tue, 25 Oct 2016 16:18:51 -0700 +Subject: [PATCH] Ensure that not all tiles lie outside the image area. + +diff -pruN jasper-1.900.1.orig/src/libjasper/jpc/jpc_cs.c jasper-1.900.1/src/libjasper/jpc/jpc_cs.c +--- jasper-1.900.1.orig/src/libjasper/jpc/jpc_cs.c 2017-03-29 22:24:57.000000000 +0200 ++++ jasper-1.900.1/src/libjasper/jpc/jpc_cs.c 2017-03-29 22:25:48.000000000 +0200 +@@ -502,6 +502,10 @@ static int jpc_siz_getparms(jpc_ms_t *ms + !siz->tileheight || !siz->numcomps) { + return -1; + } ++ if (siz->tilexoff >= siz->width || siz->tileyoff >= siz->height) { ++ jas_eprintf("all tiles are outside the image area\n"); ++ return -1; ++ } + if (!(siz->comps = jas_alloc2(siz->numcomps, sizeof(jpc_sizcomp_t)))) { + return -1; + } diff --git a/SOURCES/jasper-CVE-2016-9391.patch b/SOURCES/jasper-CVE-2016-9391.patch new file mode 100644 index 0000000..b202d57 --- /dev/null +++ b/SOURCES/jasper-CVE-2016-9391.patch @@ -0,0 +1,36 @@ +Backport of relevant parts of upstream commit: + +From 1e84674d95353c64e5c4c0e7232ae86fd6ea813b Mon Sep 17 00:00:00 2001 +From: Michael Adams +Date: Tue, 25 Oct 2016 07:01:50 -0700 +Subject: [PATCH] Changed the JPC bitstream code to more gracefully handle a + request for a larger sized integer than what can be handled (i.e., return + with an error instead of failing an assert). + +diff -pruN jasper-1.900.1.orig/src/libjasper/jpc/jpc_bs.c jasper-1.900.1/src/libjasper/jpc/jpc_bs.c +--- jasper-1.900.1.orig/src/libjasper/jpc/jpc_bs.c 2007-01-19 22:43:07.000000000 +0100 ++++ jasper-1.900.1/src/libjasper/jpc/jpc_bs.c 2017-03-31 23:00:31.000000000 +0200 +@@ -195,7 +195,10 @@ long jpc_bitstream_getbits(jpc_bitstream + + /* We can reliably get at most 31 bits since ISO/IEC 9899 only + guarantees that a long can represent values up to 2^31-1. */ +- assert(n >= 0 && n < 32); ++ //assert(n >= 0 && n < 32); ++ if (n < 0 || n >= 32) { ++ return -1; ++ } + + /* Get the number of bits requested from the specified bit stream. */ + v = 0; +@@ -215,7 +218,10 @@ int jpc_bitstream_putbits(jpc_bitstream_ + + /* We can reliably put at most 31 bits since ISO/IEC 9899 only + guarantees that a long can represent values up to 2^31-1. */ +- assert(n >= 0 && n < 32); ++ //assert(n >= 0 && n < 32); ++ if (n < 0 || n >= 32) { ++ return EOF; ++ } + /* Ensure that only the bits to be output are nonzero. */ + assert(!(v & (~JAS_ONES(n)))); + diff --git a/SOURCES/jasper-CVE-2016-9392-CVE-2016-9393-CVE-2016-9394.patch b/SOURCES/jasper-CVE-2016-9392-CVE-2016-9393-CVE-2016-9394.patch new file mode 100644 index 0000000..d046229 --- /dev/null +++ b/SOURCES/jasper-CVE-2016-9392-CVE-2016-9393-CVE-2016-9394.patch @@ -0,0 +1,105 @@ +Backport of the upstream commit: + +From f7038068550fba0e41e1d0c355787f1dcd5bf330 Mon Sep 17 00:00:00 2001 +From: Michael Adams +Date: Thu, 27 Oct 2016 20:11:57 -0700 +Subject: [PATCH] Added some missing sanity checks on the data in a SIZ marker + segment. + +diff -pruN jasper-1.900.1.orig/src/libjasper/jpc/jpc_cs.c jasper-1.900.1/src/libjasper/jpc/jpc_cs.c +--- jasper-1.900.1.orig/src/libjasper/jpc/jpc_cs.c 2017-03-29 22:30:41.000000000 +0200 ++++ jasper-1.900.1/src/libjasper/jpc/jpc_cs.c 2017-03-29 22:48:20.267725023 +0200 +@@ -483,6 +483,8 @@ static int jpc_siz_getparms(jpc_ms_t *ms + unsigned int i; + uint_fast8_t tmp; + ++ siz->comps = 0; ++ + /* Eliminate compiler warning about unused variables. */ + cstate = 0; + +@@ -496,44 +498,67 @@ static int jpc_siz_getparms(jpc_ms_t *ms + jpc_getuint32(in, &siz->tilexoff) || + jpc_getuint32(in, &siz->tileyoff) || + jpc_getuint16(in, &siz->numcomps)) { +- return -1; ++ goto error; + } +- if (!siz->width || !siz->height || !siz->tilewidth || +- !siz->tileheight || !siz->numcomps) { +- return -1; +- } +- if (siz->tilexoff >= siz->width || siz->tileyoff >= siz->height) { +- jas_eprintf("all tiles are outside the image area\n"); +- return -1; ++ if (!siz->width || !siz->height) { ++ jas_eprintf("reference grid cannot have zero area\n"); ++ goto error; ++ } ++ if (!siz->tilewidth || !siz->tileheight) { ++ jas_eprintf("tile cannot have zero area\n"); ++ goto error; ++ } ++ if (!siz->numcomps || siz->numcomps > 16384) { ++ jas_eprintf("number of components not in permissible range\n"); ++ goto error; ++ } ++ if (siz->xoff >= siz->width) { ++ jas_eprintf("XOsiz not in permissible range\n"); ++ goto error; ++ } ++ if (siz->yoff >= siz->height) { ++ jas_eprintf("YOsiz not in permissible range\n"); ++ goto error; ++ } ++ if (siz->tilexoff > siz->xoff || siz->tilexoff + siz->tilewidth <= siz->xoff) { ++ jas_eprintf("XTOsiz not in permissible range\n"); ++ goto error; ++ } ++ if (siz->tileyoff > siz->yoff || siz->tileyoff + siz->tileheight <= siz->yoff) { ++ jas_eprintf("YTOsiz not in permissible range\n"); ++ goto error; + } ++ + if (!(siz->comps = jas_alloc2(siz->numcomps, sizeof(jpc_sizcomp_t)))) { +- return -1; ++ goto error; + } + for (i = 0; i < siz->numcomps; ++i) { + if (jpc_getuint8(in, &tmp) || + jpc_getuint8(in, &siz->comps[i].hsamp) || + jpc_getuint8(in, &siz->comps[i].vsamp)) { +- jas_free(siz->comps); +- return -1; ++ goto error; + } + if (siz->comps[i].hsamp == 0 || siz->comps[i].hsamp > 255) { + jas_eprintf("invalid XRsiz value %d\n", siz->comps[i].hsamp); +- jas_free(siz->comps); +- return -1; ++ goto error; + } + if (siz->comps[i].vsamp == 0 || siz->comps[i].vsamp > 255) { + jas_eprintf("invalid YRsiz value %d\n", siz->comps[i].vsamp); +- jas_free(siz->comps); +- return -1; ++ goto error; + } + siz->comps[i].sgnd = (tmp >> 7) & 1; + siz->comps[i].prec = (tmp & 0x7f) + 1; + } + if (jas_stream_eof(in)) { +- jas_free(siz->comps); +- return -1; ++ goto error; + } + return 0; ++ ++error: ++ if (siz->comps) { ++ jas_free(siz->comps); ++ } ++ return -1; + } + + static int jpc_siz_putparms(jpc_ms_t *ms, jpc_cstate_t *cstate, jas_stream_t *out) diff --git a/SOURCES/jasper-CVE-2016-9560.patch b/SOURCES/jasper-CVE-2016-9560.patch new file mode 100644 index 0000000..19ec2dc --- /dev/null +++ b/SOURCES/jasper-CVE-2016-9560.patch @@ -0,0 +1,19 @@ +Backport of the upstream commit: + +From 1abc2e5a401a4bf1d5ca4df91358ce5df111f495 Mon Sep 17 00:00:00 2001 +From: Michael Adams +Date: Sun, 20 Nov 2016 04:43:00 -0800 +Subject: [PATCH] Fixed an array overflow problem in the JPC decoder. + +diff -pruN jasper-1.900.1.orig/src/libjasper/jpc/jpc_dec.c jasper-1.900.1/src/libjasper/jpc/jpc_dec.c +--- jasper-1.900.1.orig/src/libjasper/jpc/jpc_dec.c 2017-03-30 15:00:55.000000000 +0200 ++++ jasper-1.900.1/src/libjasper/jpc/jpc_dec.c 2017-03-30 17:56:05.000000000 +0200 +@@ -675,7 +675,7 @@ static int jpc_dec_tileinit(jpc_dec_t *d + uint_fast32_t tmpxend; + uint_fast32_t tmpyend; + jpc_dec_cp_t *cp; +- jpc_tsfb_band_t bnds[64]; ++ jpc_tsfb_band_t bnds[JPC_MAXBANDS]; + jpc_pchg_t *pchg; + int pchgno; + jpc_dec_cmpt_t *cmpt; diff --git a/SOURCES/jasper-CVE-2016-9583.patch b/SOURCES/jasper-CVE-2016-9583.patch new file mode 100644 index 0000000..00735af --- /dev/null +++ b/SOURCES/jasper-CVE-2016-9583.patch @@ -0,0 +1,220 @@ +Backport of upstream commits: + +From aa0b0f79ade5eef8b0e7a214c03f5af54b36ba7d Mon Sep 17 00:00:00 2001 +From: Michael Adams +Date: Sat, 26 Nov 2016 17:14:09 -0800 +Subject: [PATCH] Fixed numerous integer overflow problems in the code for + packet iterators in the JPC decoder. + +From f25486c3d4aa472fec79150f2c41ed4333395d3d Mon Sep 17 00:00:00 2001 +From: Michael Adams +Date: Sat, 26 Nov 2016 20:54:24 -0800 +Subject: [PATCH] Fixed a bug in the packet iterator code. Added a new + regression test case. + +From 99a50593254d1b53002719bbecfc946c84b23d27 Mon Sep 17 00:00:00 2001 +From: Michael Adams +Date: Fri, 9 Dec 2016 05:42:39 -0800 +Subject: [PATCH] Apply a patch for the following bug report: + https://github.com/mdadams/jasper/issues/103 Heap-Buffer-Overflow or + Null-pointer-dereference vulnerability due to a programming mistake + (off-by-1) + +diff -pruN jasper-1.900.1.orig/src/libjasper/include/jasper/jas_types.h jasper-1.900.1/src/libjasper/include/jasper/jas_types.h +--- jasper-1.900.1.orig/src/libjasper/include/jasper/jas_types.h 2007-01-19 22:43:04.000000000 +0100 ++++ jasper-1.900.1/src/libjasper/include/jasper/jas_types.h 2017-03-30 22:12:18.000000000 +0200 +@@ -217,6 +217,10 @@ typedef ulonglong uint_fast64_t; + #define JAS_CAST(t, e) \ + ((t) (e)) + ++/* The number of bits in the integeral type uint_fast32_t. */ ++/* NOTE: This could underestimate the size on some exotic architectures. */ ++#define JAS_UINTFAST32_NUMBITS (8 * sizeof(uint_fast32_t)) ++ + #ifdef __cplusplus + extern "C" { + #endif +diff -pruN jasper-1.900.1.orig/src/libjasper/jpc/jpc_t2cod.c jasper-1.900.1/src/libjasper/jpc/jpc_t2cod.c +--- jasper-1.900.1.orig/src/libjasper/jpc/jpc_t2cod.c 2017-03-30 18:03:55.000000000 +0200 ++++ jasper-1.900.1/src/libjasper/jpc/jpc_t2cod.c 2017-03-30 22:14:39.000000000 +0200 +@@ -249,10 +249,17 @@ static int jpc_pi_nextrpcl(register jpc_ + ++compno, ++picomp) { + for (rlvlno = 0, pirlvl = picomp->pirlvls; rlvlno < + picomp->numrlvls; ++rlvlno, ++pirlvl) { +- xstep = picomp->hsamp * (1 << (pirlvl->prcwidthexpn + +- picomp->numrlvls - rlvlno - 1)); +- ystep = picomp->vsamp * (1 << (pirlvl->prcheightexpn + +- picomp->numrlvls - rlvlno - 1)); ++ // Check for the potential for overflow problems. ++ if (pirlvl->prcwidthexpn + picomp->numrlvls > ++ JAS_UINTFAST32_NUMBITS - 2 || ++ pirlvl->prcheightexpn + picomp->numrlvls > ++ JAS_UINTFAST32_NUMBITS - 2) { ++ return -1; ++ } ++ xstep = picomp->hsamp * (JAS_CAST(uint_fast32_t, 1) << ++ (pirlvl->prcwidthexpn + picomp->numrlvls - rlvlno - 1)); ++ ystep = picomp->vsamp * (JAS_CAST(uint_fast32_t, 1) << ++ (pirlvl->prcheightexpn + picomp->numrlvls - rlvlno - 1)); + pi->xstep = (!pi->xstep) ? xstep : JAS_MIN(pi->xstep, xstep); + pi->ystep = (!pi->ystep) ? ystep : JAS_MIN(pi->ystep, ystep); + } +@@ -282,21 +289,24 @@ static int jpc_pi_nextrpcl(register jpc_ + rpy = r + pi->pirlvl->prcheightexpn; + trx0 = JPC_CEILDIV(pi->xstart, pi->picomp->hsamp << r); + try0 = JPC_CEILDIV(pi->ystart, pi->picomp->vsamp << r); +- if (((pi->x == pi->xstart && ((trx0 << r) % (1 << rpx))) +- || !(pi->x % (1 << rpx))) && +- ((pi->y == pi->ystart && ((try0 << r) % (1 << rpy))) +- || !(pi->y % (1 << rpy)))) { +- prchind = JPC_FLOORDIVPOW2(JPC_CEILDIV(pi->x, pi->picomp->hsamp +- << r), pi->pirlvl->prcwidthexpn) - JPC_FLOORDIVPOW2(trx0, +- pi->pirlvl->prcwidthexpn); +- prcvind = JPC_FLOORDIVPOW2(JPC_CEILDIV(pi->y, pi->picomp->vsamp +- << r), pi->pirlvl->prcheightexpn) - JPC_FLOORDIVPOW2(try0, +- pi->pirlvl->prcheightexpn); ++ if (((pi->x == pi->xstart && ++ ((trx0 << r) % (JAS_CAST(uint_fast32_t, 1) << rpx))) ++ || !(pi->x % (JAS_CAST(uint_fast32_t, 1) << rpx))) && ++ ((pi->y == pi->ystart && ++ ((try0 << r) % (JAS_CAST(uint_fast32_t, 1) << rpy))) ++ || !(pi->y % (JAS_CAST(uint_fast32_t, 1) << rpy)))) { ++ prchind = JPC_FLOORDIVPOW2(JPC_CEILDIV(pi->x, ++ pi->picomp->hsamp << r), pi->pirlvl->prcwidthexpn) - ++ JPC_FLOORDIVPOW2(trx0, pi->pirlvl->prcwidthexpn); ++ prcvind = JPC_FLOORDIVPOW2(JPC_CEILDIV(pi->y, ++ pi->picomp->vsamp << r), pi->pirlvl->prcheightexpn) - ++ JPC_FLOORDIVPOW2(try0, pi->pirlvl->prcheightexpn); + pi->prcno = prcvind * pi->pirlvl->numhprcs + prchind; + + assert(pi->prcno < pi->pirlvl->numprcs); + for (pi->lyrno = 0; pi->lyrno < +- pi->numlyrs && pi->lyrno < JAS_CAST(int, pchg->lyrnoend); ++pi->lyrno) { ++ pi->numlyrs && pi->lyrno < JAS_CAST(int, ++ pchg->lyrnoend); ++pi->lyrno) { + prclyrno = &pi->pirlvl->prclyrnos[pi->prcno]; + if (pi->lyrno >= *prclyrno) { + ++(*prclyrno); +@@ -341,16 +351,19 @@ static int jpc_pi_nextpcrl(register jpc_ + ++compno, ++picomp) { + for (rlvlno = 0, pirlvl = picomp->pirlvls; rlvlno < + picomp->numrlvls; ++rlvlno, ++pirlvl) { +- xstep = picomp->hsamp * (1 << +- (pirlvl->prcwidthexpn + picomp->numrlvls - +- rlvlno - 1)); +- ystep = picomp->vsamp * (1 << +- (pirlvl->prcheightexpn + picomp->numrlvls - +- rlvlno - 1)); +- pi->xstep = (!pi->xstep) ? xstep : +- JAS_MIN(pi->xstep, xstep); +- pi->ystep = (!pi->ystep) ? ystep : +- JAS_MIN(pi->ystep, ystep); ++ // Check for the potential for overflow problems. ++ if (pirlvl->prcwidthexpn + picomp->numrlvls > ++ JAS_UINTFAST32_NUMBITS - 2 || ++ pirlvl->prcheightexpn + picomp->numrlvls > ++ JAS_UINTFAST32_NUMBITS - 2) { ++ return -1; ++ } ++ xstep = picomp->hsamp * (JAS_CAST(uint_fast32_t, 1) << ++ (pirlvl->prcwidthexpn + picomp->numrlvls - rlvlno - 1)); ++ ystep = picomp->vsamp * (JAS_CAST(uint_fast32_t, 1) << ++ (pirlvl->prcheightexpn + picomp->numrlvls - rlvlno - 1)); ++ pi->xstep = (!pi->xstep) ? xstep : JAS_MIN(pi->xstep, xstep); ++ pi->ystep = (!pi->ystep) ? ystep : JAS_MIN(pi->ystep, ystep); + } + } + pi->prgvolfirst = 0; +@@ -377,20 +390,23 @@ static int jpc_pi_nextpcrl(register jpc_ + try0 = JPC_CEILDIV(pi->ystart, pi->picomp->vsamp << r); + rpx = r + pi->pirlvl->prcwidthexpn; + rpy = r + pi->pirlvl->prcheightexpn; +- if (((pi->x == pi->xstart && ((trx0 << r) % (1 << rpx))) || ++ if (((pi->x == pi->xstart && ++ ((trx0 << r) % (JAS_CAST(uint_fast32_t, 1) << rpx))) || + !(pi->x % (pi->picomp->hsamp << rpx))) && +- ((pi->y == pi->ystart && ((try0 << r) % (1 << rpy))) || ++ ((pi->y == pi->ystart && ++ ((try0 << r) % (JAS_CAST(uint_fast32_t, 1) << rpy))) || + !(pi->y % (pi->picomp->vsamp << rpy)))) { +- prchind = JPC_FLOORDIVPOW2(JPC_CEILDIV(pi->x, pi->picomp->hsamp +- << r), pi->pirlvl->prcwidthexpn) - JPC_FLOORDIVPOW2(trx0, +- pi->pirlvl->prcwidthexpn); +- prcvind = JPC_FLOORDIVPOW2(JPC_CEILDIV(pi->y, pi->picomp->vsamp +- << r), pi->pirlvl->prcheightexpn) - JPC_FLOORDIVPOW2(try0, +- pi->pirlvl->prcheightexpn); ++ prchind = JPC_FLOORDIVPOW2(JPC_CEILDIV(pi->x, ++ pi->picomp->hsamp << r), pi->pirlvl->prcwidthexpn) - ++ JPC_FLOORDIVPOW2(trx0, pi->pirlvl->prcwidthexpn); ++ prcvind = JPC_FLOORDIVPOW2(JPC_CEILDIV(pi->y, ++ pi->picomp->vsamp << r), pi->pirlvl->prcheightexpn) - ++ JPC_FLOORDIVPOW2(try0, pi->pirlvl->prcheightexpn); + pi->prcno = prcvind * pi->pirlvl->numhprcs + prchind; + assert(pi->prcno < pi->pirlvl->numprcs); + for (pi->lyrno = 0; pi->lyrno < pi->numlyrs && +- pi->lyrno < JAS_CAST(int, pchg->lyrnoend); ++pi->lyrno) { ++ pi->lyrno < JAS_CAST(int, pchg->lyrnoend); ++ ++pi->lyrno) { + prclyrno = &pi->pirlvl->prclyrnos[pi->prcno]; + if (pi->lyrno >= *prclyrno) { + ++(*prclyrno); +@@ -428,10 +444,17 @@ static int jpc_pi_nextcprl(register jpc_ + pi->prgvolfirst = 0; + } + +- for (pi->compno = pchg->compnostart, pi->picomp = +- &pi->picomps[pi->compno]; pi->compno < JAS_CAST(int, pchg->compnoend) && pi->compno < pi->numcomps; ++pi->compno, +- ++pi->picomp) { ++ for (pi->compno = pchg->compnostart, pi->picomp = &pi->picomps[pi->compno]; ++ pi->compno < JAS_CAST(int, pchg->compnoend) && pi->compno < pi->numcomps; ++ ++pi->compno, ++pi->picomp) { + pirlvl = pi->picomp->pirlvls; ++ // Check for the potential for overflow problems. ++ if (pirlvl->prcwidthexpn + pi->picomp->numrlvls > ++ JAS_UINTFAST32_NUMBITS - 2 || ++ pirlvl->prcheightexpn + pi->picomp->numrlvls > ++ JAS_UINTFAST32_NUMBITS - 2) { ++ return -1; ++ } + pi->xstep = pi->picomp->hsamp * (JAS_CAST(uint_fast32_t, 1) << + (pirlvl->prcwidthexpn + pi->picomp->numrlvls - 1)); + pi->ystep = pi->picomp->vsamp * (JAS_CAST(uint_fast32_t, 1) << +@@ -461,23 +484,23 @@ static int jpc_pi_nextcprl(register jpc_ + try0 = JPC_CEILDIV(pi->ystart, pi->picomp->vsamp << r); + rpx = r + pi->pirlvl->prcwidthexpn; + rpy = r + pi->pirlvl->prcheightexpn; +- if (((pi->x == pi->xstart && ((trx0 << r) % (1 << rpx))) || ++ if (((pi->x == pi->xstart && ++ ((trx0 << r) % (JAS_CAST(uint_fast32_t, 1) << rpx))) || + !(pi->x % (pi->picomp->hsamp << rpx))) && +- ((pi->y == pi->ystart && ((try0 << r) % (1 << rpy))) || ++ ((pi->y == pi->ystart && ++ ((try0 << r) % (JAS_CAST(uint_fast32_t, 1) << rpy))) || + !(pi->y % (pi->picomp->vsamp << rpy)))) { +- prchind = JPC_FLOORDIVPOW2(JPC_CEILDIV(pi->x, pi->picomp->hsamp +- << r), pi->pirlvl->prcwidthexpn) - JPC_FLOORDIVPOW2(trx0, +- pi->pirlvl->prcwidthexpn); +- prcvind = JPC_FLOORDIVPOW2(JPC_CEILDIV(pi->y, pi->picomp->vsamp +- << r), pi->pirlvl->prcheightexpn) - JPC_FLOORDIVPOW2(try0, +- pi->pirlvl->prcheightexpn); +- pi->prcno = prcvind * +- pi->pirlvl->numhprcs + +- prchind; +- assert(pi->prcno < +- pi->pirlvl->numprcs); +- for (pi->lyrno = 0; pi->lyrno < +- pi->numlyrs && pi->lyrno < JAS_CAST(int, pchg->lyrnoend); ++pi->lyrno) { ++ prchind = JPC_FLOORDIVPOW2(JPC_CEILDIV(pi->x, ++ pi->picomp->hsamp << r), pi->pirlvl->prcwidthexpn) - ++ JPC_FLOORDIVPOW2(trx0, pi->pirlvl->prcwidthexpn); ++ prcvind = JPC_FLOORDIVPOW2(JPC_CEILDIV(pi->y, ++ pi->picomp->vsamp << r), pi->pirlvl->prcheightexpn) - ++ JPC_FLOORDIVPOW2(try0, pi->pirlvl->prcheightexpn); ++ pi->prcno = prcvind * pi->pirlvl->numhprcs + prchind; ++ assert(pi->prcno < pi->pirlvl->numprcs); ++ for (pi->lyrno = 0; pi->lyrno < pi->numlyrs && ++ pi->lyrno < JAS_CAST(int, pchg->lyrnoend); ++ ++pi->lyrno) { + prclyrno = &pi->pirlvl->prclyrnos[pi->prcno]; + if (pi->lyrno >= *prclyrno) { + ++(*prclyrno); diff --git a/SOURCES/jasper-CVE-2016-9591.patch b/SOURCES/jasper-CVE-2016-9591.patch new file mode 100644 index 0000000..bd42d95 --- /dev/null +++ b/SOURCES/jasper-CVE-2016-9591.patch @@ -0,0 +1,212 @@ +Backport of the upstream patch: + +From 03fe49ab96bf65fea784cdc256507ea88267fc7c Mon Sep 17 00:00:00 2001 +From: Michael Adams +Date: Thu, 2 Mar 2017 08:07:04 -0800 +Subject: [PATCH] Fixed some potential double-free problems in the JPC codec. + +diff -pruN jasper-1.900.1.orig/src/libjasper/jpc/jpc_enc.c jasper-1.900.1/src/libjasper/jpc/jpc_enc.c +--- jasper-1.900.1.orig/src/libjasper/jpc/jpc_enc.c 2017-03-30 22:53:59.000000000 +0200 ++++ jasper-1.900.1/src/libjasper/jpc/jpc_enc.c 2017-03-31 13:40:12.000000000 +0200 +@@ -1140,8 +1140,9 @@ int numgbits; + tilex = tileno % cp->numhtiles; + tiley = tileno / cp->numhtiles; + +- if (!(enc->curtile = jpc_enc_tile_create(enc->cp, enc->image, tileno))) { +- abort(); ++ if (!(enc->curtile = jpc_enc_tile_create(enc->cp, enc->image, ++ tileno))) { ++ return -1; + } + + tile = enc->curtile; +@@ -2016,6 +2017,8 @@ error: + return 0; + } + ++/* Note: I don't think that it is necessary to marked destroyed subobjects ++as such in this function. */ + void jpc_enc_tile_destroy(jpc_enc_tile_t *tile) + { + jpc_enc_tcmpt_t *tcmpt; +@@ -2027,16 +2030,21 @@ void jpc_enc_tile_destroy(jpc_enc_tile_t + tcmpt_destroy(tcmpt); + } + jas_free(tile->tcmpts); ++ /* tile->tcmpts = NULL; */ + } + if (tile->lyrsizes) { + jas_free(tile->lyrsizes); ++ /* tile->lyrsizes = NULL; */ + } + if (tile->pi) { + jpc_pi_destroy(tile->pi); ++ /* tile->pi = NULL; */ + } + jas_free(tile); ++ /* tile = NULL; */ + } + ++/* Note: This constructor creates the object in place. */ + static jpc_enc_tcmpt_t *tcmpt_create(jpc_enc_tcmpt_t *tcmpt, jpc_enc_cp_t *cp, + jas_image_t *image, jpc_enc_tile_t *tile) + { +@@ -2132,6 +2140,10 @@ error: + + } + ++/* Note: Since jpc_enc_tcmpt_t objects are created in-place, they might ++potentially be destroyed multiple times at different levels in the call ++chain. So, destroyed subobjects must be marked as destroyed to prevent ++problems such as double frees. */ + static void tcmpt_destroy(jpc_enc_tcmpt_t *tcmpt) + { + jpc_enc_rlvl_t *rlvl; +@@ -2143,16 +2155,20 @@ static void tcmpt_destroy(jpc_enc_tcmpt_ + rlvl_destroy(rlvl); + } + jas_free(tcmpt->rlvls); ++ tcmpt->rlvls = NULL; + } + + if (tcmpt->data) { + jas_seq2d_destroy(tcmpt->data); ++ tcmpt->data = NULL; + } + if (tcmpt->tsfb) { + jpc_tsfb_destroy(tcmpt->tsfb); ++ tcmpt->tsfb = NULL; + } + } + ++/* Note: This constructor creates the object in place. */ + static jpc_enc_rlvl_t *rlvl_create(jpc_enc_rlvl_t *rlvl, jpc_enc_cp_t *cp, + jpc_enc_tcmpt_t *tcmpt, jpc_tsfb_band_t *bandinfos) + { +@@ -2234,6 +2250,10 @@ error: + return 0; + } + ++/* Note: Since jpc_enc_rlvl_t objects are created in-place, they might ++potentially be destroyed multiple times at different levels in the call ++chain. So, destroyed subobjects must be marked as destroyed to prevent ++problems such as double frees. */ + static void rlvl_destroy(jpc_enc_rlvl_t *rlvl) + { + jpc_enc_band_t *band; +@@ -2245,9 +2265,11 @@ static void rlvl_destroy(jpc_enc_rlvl_t + band_destroy(band); + } + jas_free(rlvl->bands); ++ rlvl->bands = NULL; + } + } + ++/* Note: This constructor creates the object in place. */ + static jpc_enc_band_t *band_create(jpc_enc_band_t *band, jpc_enc_cp_t *cp, + jpc_enc_rlvl_t *rlvl, jpc_tsfb_band_t *bandinfos) + { +@@ -2315,6 +2337,10 @@ error: + return 0; + } + ++/* Note: Since jpc_enc_band_t objects are created in-place, they might ++potentially be destroyed multiple times at different levels in the call ++chain. So, destroyed subobjects must be marked as destroyed to prevent ++problems such as double frees. */ + static void band_destroy(jpc_enc_band_t *band) + { + jpc_enc_prc_t *prc; +@@ -2328,12 +2354,15 @@ static void band_destroy(jpc_enc_band_t + prc_destroy(prc); + } + jas_free(band->prcs); ++ band->prcs = NULL; + } + if (band->data) { + jas_seq2d_destroy(band->data); ++ band->data = NULL; + } + } + ++/* Note: This constructor creates the object in place. */ + static jpc_enc_prc_t *prc_create(jpc_enc_prc_t *prc, jpc_enc_cp_t *cp, jpc_enc_band_t *band) + { + uint_fast32_t prcno; +@@ -2459,6 +2488,10 @@ error: + return 0; + } + ++/* Note: Since jpc_enc_prc_t objects are created in-place, they might ++potentially be destroyed multiple times at different levels in the call ++chain. So, destroyed subobjects must be marked as destroyed to prevent ++problems such as double frees. */ + static void prc_destroy(jpc_enc_prc_t *prc) + { + jpc_enc_cblk_t *cblk; +@@ -2470,22 +2503,29 @@ static void prc_destroy(jpc_enc_prc_t *p + cblk_destroy(cblk); + } + jas_free(prc->cblks); ++ prc->cblks = NULL; + } + if (prc->incltree) { + jpc_tagtree_destroy(prc->incltree); ++ prc->incltree = NULL; + } + if (prc->nlibtree) { + jpc_tagtree_destroy(prc->nlibtree); ++ prc->nlibtree = NULL; + } + if (prc->savincltree) { + jpc_tagtree_destroy(prc->savincltree); ++ prc->savincltree = NULL; + } + if (prc->savnlibtree) { + jpc_tagtree_destroy(prc->savnlibtree); ++ prc->savnlibtree = NULL; + } + } + +-static jpc_enc_cblk_t *cblk_create(jpc_enc_cblk_t *cblk, jpc_enc_cp_t *cp, jpc_enc_prc_t *prc) ++/* Note: This constructor creates the object in place. */ ++static jpc_enc_cblk_t *cblk_create(jpc_enc_cblk_t *cblk, jpc_enc_cp_t *cp, ++ jpc_enc_prc_t *prc) + { + jpc_enc_band_t *band; + uint_fast32_t cblktlx; +@@ -2543,6 +2583,10 @@ error: + return 0; + } + ++/* Note: Since jpc_enc_cblk_t objects are created in-place, they might ++potentially be destroyed multiple times at different levels in the call ++chain. So, destroyed subobjects must be marked as destroyed to prevent ++problems such as double frees. */ + static void cblk_destroy(jpc_enc_cblk_t *cblk) + { + uint_fast16_t passno; +@@ -2553,18 +2597,23 @@ static void cblk_destroy(jpc_enc_cblk_t + pass_destroy(pass); + } + jas_free(cblk->passes); ++ cblk->passes = NULL; + } + if (cblk->stream) { + jas_stream_close(cblk->stream); ++ cblk->stream = NULL; + } + if (cblk->mqenc) { + jpc_mqenc_destroy(cblk->mqenc); ++ cblk->mqenc = NULL; + } + if (cblk->data) { + jas_seq2d_destroy(cblk->data); ++ cblk->data = NULL; + } + if (cblk->flags) { + jas_seq2d_destroy(cblk->flags); ++ cblk->flags = NULL; + } + } + diff --git a/SOURCES/jasper-CVE-2016-9600.patch b/SOURCES/jasper-CVE-2016-9600.patch new file mode 100644 index 0000000..ec197b1 --- /dev/null +++ b/SOURCES/jasper-CVE-2016-9600.patch @@ -0,0 +1,87 @@ +From a632c6b54bd4ffc3bebab420e00b7e7688aa3846 Mon Sep 17 00:00:00 2001 +From: Michael Adams +Date: Fri, 30 Dec 2016 07:27:48 -0800 +Subject: [PATCH] Fixed a problem in the JP2 encoder that caused a null pointer + dereference when no ICC profile data is available (e.g., in the case of an + unknown color space). Reference: + https://github.com/mdadams/jasper/issues/109 + +--- + src/libjasper/jp2/jp2_enc.c | 46 +++++++++++++++++++++++++++++++++------------ + 1 file changed, 34 insertions(+), 12 deletions(-) + +diff --git a/src/libjasper/jp2/jp2_enc.c b/src/libjasper/jp2/jp2_enc.c +index bca3ca6..b979216 100644 +--- a/src/libjasper/jp2/jp2_enc.c ++++ b/src/libjasper/jp2/jp2_enc.c +@@ -112,6 +112,8 @@ int jp2_encode(jas_image_t *image, jas_stream_t *out, const char *optstr) + + box = 0; + tmpstream = 0; ++ iccstream = 0; ++ iccprof = 0; + + allcmptssame = 1; + sgnd = jas_image_cmptsgnd(image, 0); +@@ -225,22 +227,36 @@ int jp2_encode(jas_image_t *image, jas_stream_t *out, const char *optstr) + colr->method = JP2_COLR_ICC; + colr->pri = JP2_COLR_PRI; + colr->approx = 0; +- iccprof = jas_iccprof_createfromcmprof(jas_image_cmprof(image)); +- assert(iccprof); +- iccstream = jas_stream_memopen(0, 0); +- assert(iccstream); +- if (jas_iccprof_save(iccprof, iccstream)) +- abort(); +- if ((pos = jas_stream_tell(iccstream)) < 0) +- abort(); ++ /* Ensure that cmprof_ is not null. */ ++ if (!jas_image_cmprof(image)) { ++ goto error; ++ } ++ if (!(iccprof = jas_iccprof_createfromcmprof( ++ jas_image_cmprof(image)))) { ++ goto error; ++ } ++ if (!(iccstream = jas_stream_memopen(0, 0))) { ++ goto error; ++ } ++ if (jas_iccprof_save(iccprof, iccstream)) { ++ goto error; ++ } ++ if ((pos = jas_stream_tell(iccstream)) < 0) { ++ goto error; ++ } + colr->iccplen = pos; +- colr->iccp = jas_malloc(pos); +- assert(colr->iccp); ++ if (!(colr->iccp = jas_malloc(pos))) { ++ goto error; ++ } + jas_stream_rewind(iccstream); +- if (jas_stream_read(iccstream, colr->iccp, colr->iccplen) != colr->iccplen) +- abort(); ++ if (jas_stream_read(iccstream, colr->iccp, colr->iccplen) != ++ colr->iccplen) { ++ goto error; ++ } + jas_stream_close(iccstream); ++ iccstream = 0; + jas_iccprof_destroy(iccprof); ++ iccprof = 0; + break; + } + if (jp2_box_put(box, tmpstream)) { +@@ -354,6 +370,12 @@ int jp2_encode(jas_image_t *image, jas_stream_t *out, const char *optstr) + + error: + ++ if (iccprof) { ++ jas_iccprof_destroy(iccprof); ++ } ++ if (iccstream) { ++ jas_stream_close(iccstream); ++ } + if (box) { + jp2_box_destroy(box); + } diff --git a/SOURCES/jasper-CVE-implicit-declaration-fix.patch b/SOURCES/jasper-CVE-implicit-declaration-fix.patch new file mode 100644 index 0000000..8ea6e72 --- /dev/null +++ b/SOURCES/jasper-CVE-implicit-declaration-fix.patch @@ -0,0 +1,111 @@ +diff -urNp old/src/libjasper/base/jas_getopt.c new/src/libjasper/base/jas_getopt.c +--- old/src/libjasper/base/jas_getopt.c 2007-01-19 22:43:05.000000000 +0100 ++++ new/src/libjasper/base/jas_getopt.c 2017-04-24 14:44:13.479547933 +0200 +@@ -76,6 +76,7 @@ + + #include "jasper/jas_getopt.h" + #include "jasper/jas_math.h" ++#include "jasper/jas_debug.h" + + /******************************************************************************\ + * Global data. +diff -urNp old/src/libjasper/bmp/bmp_dec.c new/src/libjasper/bmp/bmp_dec.c +--- old/src/libjasper/bmp/bmp_dec.c 2017-04-24 14:42:17.283288014 +0200 ++++ new/src/libjasper/bmp/bmp_dec.c 2017-04-24 14:45:07.200206215 +0200 +@@ -77,6 +77,7 @@ + #include "jasper/jas_stream.h" + #include "jasper/jas_image.h" + #include "jasper/jas_malloc.h" ++#include "jasper/jas_debug.h" + + #include "bmp_cod.h" + +diff -urNp old/src/libjasper/jpc/jpc_tsfb.c new/src/libjasper/jpc/jpc_tsfb.c +--- old/src/libjasper/jpc/jpc_tsfb.c 2017-04-24 14:42:17.326287740 +0200 ++++ new/src/libjasper/jpc/jpc_tsfb.c 2017-04-24 14:59:11.226406745 +0200 +@@ -119,14 +119,6 @@ void jpc_tsfb_destroy(jpc_tsfb_t *tsfb) + free(tsfb); + } + +-int jpc_tsfb_analyze(jpc_tsfb_t *tsfb, jas_seq2d_t *a) +-{ +- return (tsfb->numlvls > 0) ? jpc_tsfb_analyze2(tsfb, jas_seq2d_getref(a, +- jas_seq2d_xstart(a), jas_seq2d_ystart(a)), jas_seq2d_xstart(a), +- jas_seq2d_ystart(a), jas_seq2d_width(a), +- jas_seq2d_height(a), jas_seq2d_rowstep(a), tsfb->numlvls - 1) : 0; +-} +- + int jpc_tsfb_analyze2(jpc_tsfb_t *tsfb, int *a, int xstart, int ystart, + int width, int height, int stride, int numlvls) + { +@@ -146,15 +138,15 @@ int jpc_tsfb_analyze2(jpc_tsfb_t *tsfb, + return 0; + } + +-int jpc_tsfb_synthesize(jpc_tsfb_t *tsfb, jas_seq2d_t *a) ++int jpc_tsfb_analyze(jpc_tsfb_t *tsfb, jas_seq2d_t *a) + { +- return (tsfb->numlvls > 0 && jas_seq2d_size(a)) ? +- jpc_tsfb_synthesize2(tsfb, +- jas_seq2d_getref(a, jas_seq2d_xstart(a), jas_seq2d_ystart(a)), +- jas_seq2d_xstart(a), jas_seq2d_ystart(a), jas_seq2d_width(a), ++ return (tsfb->numlvls > 0) ? jpc_tsfb_analyze2(tsfb, jas_seq2d_getref(a, ++ jas_seq2d_xstart(a), jas_seq2d_ystart(a)), jas_seq2d_xstart(a), ++ jas_seq2d_ystart(a), jas_seq2d_width(a), + jas_seq2d_height(a), jas_seq2d_rowstep(a), tsfb->numlvls - 1) : 0; + } + ++ + int jpc_tsfb_synthesize2(jpc_tsfb_t *tsfb, int *a, int xstart, int ystart, + int width, int height, int stride, int numlvls) + { +@@ -175,6 +167,15 @@ int jpc_tsfb_synthesize2(jpc_tsfb_t *tsf + return 0; + } + ++int jpc_tsfb_synthesize(jpc_tsfb_t *tsfb, jas_seq2d_t *a) ++{ ++ return (tsfb->numlvls > 0 && jas_seq2d_size(a)) ? ++ jpc_tsfb_synthesize2(tsfb, ++ jas_seq2d_getref(a, jas_seq2d_xstart(a), jas_seq2d_ystart(a)), ++ jas_seq2d_xstart(a), jas_seq2d_ystart(a), jas_seq2d_width(a), ++ jas_seq2d_height(a), jas_seq2d_rowstep(a), tsfb->numlvls - 1) : 0; ++} ++ + int jpc_tsfb_getbands(jpc_tsfb_t *tsfb, uint_fast32_t xstart, + uint_fast32_t ystart, uint_fast32_t xend, uint_fast32_t yend, + jpc_tsfb_band_t *bands) +diff -urNp old/src/libjasper/jpc/jpc_t1dec.c new/src/libjasper/jpc/jpc_t1dec.c +--- old/src/libjasper/jpc/jpc_t1dec.c 2007-01-19 22:43:07.000000000 +0100 ++++ new/src/libjasper/jpc/jpc_t1dec.c 2017-04-24 14:45:43.887972984 +0200 +@@ -78,6 +78,7 @@ + #include "jasper/jas_fix.h" + #include "jasper/jas_stream.h" + #include "jasper/jas_math.h" ++#include "jasper/jas_debug.h" + + #include "jpc_bs.h" + #include "jpc_mqdec.h" +diff -urNp old/src/libjasper/mif/mif_cod.c new/src/libjasper/mif/mif_cod.c +--- old/src/libjasper/mif/mif_cod.c 2017-04-24 14:42:17.303287887 +0200 ++++ new/src/libjasper/mif/mif_cod.c 2017-04-24 14:47:20.158361453 +0200 +@@ -70,6 +70,7 @@ + #include "jasper/jas_image.h" + #include "jasper/jas_string.h" + #include "jasper/jas_malloc.h" ++#include "jasper/jas_debug.h" + + #include "mif_cod.h" + +diff -urNp old/src/libjasper/pnm/pnm_dec.c new/src/libjasper/pnm/pnm_dec.c +--- old/src/libjasper/pnm/pnm_dec.c 2007-01-19 22:43:05.000000000 +0100 ++++ new/src/libjasper/pnm/pnm_dec.c 2017-04-24 14:47:45.904198015 +0200 +@@ -79,6 +79,7 @@ + #include "jasper/jas_types.h" + #include "jasper/jas_stream.h" + #include "jasper/jas_image.h" ++#include "jasper/jas_debug.h" + + #include "pnm_cod.h" + + diff --git a/SPECS/jasper.spec b/SPECS/jasper.spec index e85f993..138434c 100644 --- a/SPECS/jasper.spec +++ b/SPECS/jasper.spec @@ -7,7 +7,7 @@ Summary: Implementation of the JPEG-2000 standard, Part 1 Name: jasper Group: System Environment/Libraries Version: 1.900.1 -Release: 29%{?dist} +Release: 30%{?dist} License: JasPer URL: http://www.ece.uvic.ca/~frodo/jasper/ @@ -47,6 +47,32 @@ Patch114: jasper-1.900.1-Coverity-RESOURCE_LEAK.patch Patch115: jasper-1.900.1-Coverity-UNREACHABLE.patch Patch116: jasper-1.900.1-Coverity-UNUSED_VALUE.patch +Patch14: jasper-CVE-2015-5203-CVE-2016-9262.patch +Patch15: jasper-CVE-2015-5221.patch +Patch16: jasper-CVE-2016-1577.patch +Patch17: jasper-CVE-2016-1867.patch +Patch18: jasper-CVE-2016-2089.patch +Patch19: jasper-CVE-2016-2116.patch +Patch20: jasper-CVE-2016-8654.patch +Patch21: jasper-CVE-2016-8690-CVE-2016-8884-CVE-2016-8885.patch +Patch22: jasper-CVE-2016-8691-CVE-2016-8692.patch +Patch23: jasper-CVE-2016-8693.patch +Patch24: jasper-CVE-2016-9390.patch +Patch25: jasper-CVE-2016-9392-CVE-2016-9393-CVE-2016-9394.patch +Patch26: jasper-CVE-2016-9560.patch +Patch27: jasper-CVE-2016-10251.patch +Patch28: jasper-CVE-2016-9583.patch +Patch29: jasper-CVE-2016-9591.patch +Patch30: jasper-CVE-2016-9600.patch +Patch31: jasper-CVE-2016-10248.patch +Patch32: jasper-CVE-2016-10249.patch +Patch33: jasper-CVE-2016-8883.patch +Patch34: jasper-CVE-2016-9387.patch +Patch35: jasper-CVE-2016-9388.patch +Patch36: jasper-CVE-2016-9389.patch +Patch37: jasper-CVE-2016-9391.patch +Patch38: jasper-CVE-implicit-declaration-fix.patch + # autoreconf BuildRequires: autoconf automake libtool BuildRequires: freeglut-devel @@ -113,6 +139,32 @@ Requires: %{name}-libs%{?_isa} = %{version}-%{release} %patch115 -p1 -b .UNREACHABLE %patch116 -p1 -b .UNUSED_VALUE +%patch14 -p1 -b .CVE-2015-5203 +%patch15 -p1 -b .CVE-2015-5221 +%patch16 -p1 -b .CVE-2016-1577 +%patch17 -p1 -b .CVE-2016-1867 +%patch18 -p1 -b .CVE-2016-2089 +%patch19 -p1 -b .CVE-2016-2116 +%patch20 -p1 -b .CVE-2016-8654 +%patch21 -p1 -b .CVE-2016-8690 +%patch22 -p1 -b .CVE-2016-8691 +%patch23 -p1 -b .CVE-2016-8693 +%patch24 -p1 -b .CVE-2016-9390 +%patch25 -p1 -b .CVE-2016-9392 +%patch26 -p1 -b .CVE-2016-9560 +%patch27 -p1 -b .CVE-2016-10251 +%patch28 -p1 -b .CVE-2016-9583 +%patch29 -p1 -b .CVE-2016-9591 +%patch30 -p1 -b .CVE-2016-9600 +%patch31 -p1 -b .CVE-2016-10248 +%patch32 -p1 -b .CVE-2016-10249 +%patch33 -p1 -b .CVE-2016-8883 +%patch34 -p1 -b .CVE-2016-9387 +%patch35 -p1 -b .CVE-2016-9388 +%patch36 -p1 -b .CVE-2016-9389 +%patch37 -p1 -b .CVE-2016-9391 +%patch38 -p1 -b .CVE-implicit-declaration-fix + autoreconf --verbose --force --install @@ -181,6 +233,16 @@ make check %changelog +* Tue Apr 25 2017 Josef Ridky - 1.900.1-30 +- Multiple security fixes (fixed by thoger): + CVE-2015-5203 CVE-2015-5221 CVE-2016-1577 CVE-2016-1867 CVE-2016-2089 + CVE-2016-2116 CVE-2016-8654 CVE-2016-8690 CVE-2016-8691 CVE-2016-8692 + CVE-2016-8693 CVE-2016-8883 CVE-2016-8884 CVE-2016-8885 CVE-2016-9262 + CVE-2016-9387 CVE-2016-9388 CVE-2016-9389 CVE-2016-9390 CVE-2016-9391 + CVE-2016-9392 CVE-2016-9393 CVE-2016-9394 CVE-2016-9560 CVE-2016-9583 + CVE-2016-9591 CVE-2016-9600 CVE-2016-10248 CVE-2016-10249 CVE-2016-10251 +- Fix implicit declaration warning caused by security fixes above + * Mon Jan 19 2015 Jiri Popelka - 1.900.1-29 - CVE-2014-8157 - dec->numtiles off-by-one check in jpc_dec_process_sot() (#1183674) - CVE-2014-8158 - unrestricted stack memory use in jpc_qmfb.c (#1183682)