Commit 5cb610fc authored by Natanael Copa's avatar Natanael Copa
Browse files

main/jasper: upgrade to 2.0.10

fixes #6876
parent 1c9f54f5
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=jasper
pkgver=1.900.1
pkgrel=12
pkgver=2.0.10
pkgrel=0
pkgdesc="A software-based implementation of the codec specified in the emerging JPEG-2000 Part-1 standard"
url="http://www.ece.uvic.ca/~mdadams/jasper/"
arch="all"
license="custom:JasPer2.0"
depends= #"libjpeg>=8 freeglut libxi libxmu mesa"
makedepends="libjpeg-turbo-dev"
subpackages="$pkgname-dev $pkgname-doc libjasper"
source="http://www.ece.uvic.ca/~mdadams/$pkgname/software/$pkgname-$pkgver.zip
jpc_dec.c.patch
libjasper-stepsizes-overflow.patch
jasper-1.900.1-CVE-2008-3520.patch
jasper-1.900.1-CVE-2008-3522.patch
jasper-1.900.1-bnc725758.patch
CVE-2014-8137.patch
CVE-2014-8138.patch
CVE-2014-8157.patch
CVE-2014-8158.patch
CVE-2014-9029.patch
CVE-2015-5203.patch
CVE-2016-1577.patch
CVE-2016-2089.patch
CVE-2016-2116.patch
makedepends="libjpeg-turbo-dev cmake"
subpackages="$pkgname-dev $pkgname-doc $pkgname-libs"
source="http://www.ece.uvic.ca/~frodo/jasper/software/jasper-$pkgver.tar.gz
"
_builddir="$srcdir"/$pkgname-$pkgver
builddir="$srcdir"/$pkgname-$pkgver
prepare() {
cd "$_builddir"
cd "$builddir"
for i in $source; do
case $i in
*.patch) msg $i; patch -Np1 -i "$srcdir"/$i || return 1;;
esac
done
update_config_sub || return 1
chmod +x configure
}
build () {
cd "$_builddir"
./configure \
--build=$CBUILD \
--host=$CHOST \
--prefix=/usr \
--mandir=/usr/share/man \
--enable-shared \
mkdir "$builddir"/build
cd "$builddir"/build
cmake .. \
-DCMAKE_BUILD_TYPE=Release \
-DCMAKE_INSTALL_PREFIX=/usr \
-DCMAKE_INSTALL_LIBDIR=/usr/lib \
|| return 1
make || return 1
}
package() {
cd "$_builddir"
cd "$builddir"/build
make DESTDIR="$pkgdir" install || return 1
install -Dm644 LICENSE \
"$pkgdir"/usr/share/licenses/$pkgname/LICENSE || return 1
}
libjasper() {
libs() {
pkgdesc="JPEG-2000 library"
install -d "$subpkgdir"/usr/
mv "$pkgdir"/usr/lib "$subpkgdir"/usr
}
md5sums="a342b2b4495b3e1394e161eb5d85d754 jasper-1.900.1.zip
36de7128eea6f701c1e2e13ce5bd8d37 jpc_dec.c.patch
24785d8eb3eea19eec7e77d59f3e6a25 libjasper-stepsizes-overflow.patch
911bb13529483c093d12c15eed4e9243 jasper-1.900.1-CVE-2008-3520.patch
ed441f30c4231f319d9ff77d86db2ef9 jasper-1.900.1-CVE-2008-3522.patch
eaf73536f989e629a8c06533e4e6fad5 jasper-1.900.1-bnc725758.patch
f386c336808e8fc840c8a5cb7fcc5902 CVE-2014-8137.patch
1ec04bd2483a3ad2186b2178c237fd3b CVE-2014-8138.patch
1c55ee31d9ca88359abb0353b3f9d052 CVE-2014-8157.patch
7e1266068d32cc9ecb8b75b6b1174cc3 CVE-2014-8158.patch
83fd587d569d6b4c7e49f67caaef9bf9 CVE-2014-9029.patch
78d55c9411bdca5250581a21b19a89c7 CVE-2015-5203.patch
579f318c6809644b99441cd595541c15 CVE-2016-1577.patch
45d6048316ff5fda476b2f4df0da4c44 CVE-2016-2089.patch
36f603ee5922419f869f3bbb3ab453b3 CVE-2016-2116.patch"
sha256sums="6b905a9c2aca2e275544212666eefc4eb44d95d0a57e4305457b407fe63f9494 jasper-1.900.1.zip
fca9c4bddc284d6c59845e5b80adfd670e79c945f166d9624b117c6db0c10492 jpc_dec.c.patch
e454f0fb1b994535ca02fa2468aa39ff153a78f3688db3808b6e953c44890e41 libjasper-stepsizes-overflow.patch
02236060cae28be5ac46d90ca17ce2de17e975574dd761d9117994e69bdc38d6 jasper-1.900.1-CVE-2008-3520.patch
b0272ce179ead3692942246523462db33c0f2a92bd9f9a117ff40e8ec963fbac jasper-1.900.1-CVE-2008-3522.patch
be19877bc67d843436288c85c17ab49917b1a3db7954b92f736f6cc3ca704756 jasper-1.900.1-bnc725758.patch
27350b9a72067e0325464b1e51f0fcab2701db26c918d82aac977dc345a02999 CVE-2014-8137.patch
597966eabef1eeb4155415352cee37492def0abb09349e1764ae92645f3a20c1 CVE-2014-8138.patch
60160f1eecb4cbfe7d8277e091333e9c1b4af7eeaccdfa3b539ac9658bb6a474 CVE-2014-8157.patch
1dce24d47bcfc599bde5fa625e8b9bfbd1c6c637e4358493276d8a96338ff8b7 CVE-2014-8158.patch
a43747e7597a2a5108befd4acd31a582101a66096a752e61de853bc860d2a8e1 CVE-2014-9029.patch
7c73cdcca60a7ddffe4d5fe010d3f200870a8719dda571f578e7f437b7c8d6d0 CVE-2015-5203.patch
61bfc92b85f3fad4318e7268e422c9212b88178bc315826d9ed14c563750c262 CVE-2016-1577.patch
331eb8361e028ce0479d5a1065fa74e348dea6d1d8982236697c098882917b21 CVE-2016-2089.patch
e6d63d42c92769ba3a943367798c4a5a542b1c872fbe439cf5bc59f8468210bd CVE-2016-2116.patch"
sha512sums="e3a3c803de848b50482f5bd693b1945197c6999285226c45b671855734d7bb2611fbe6f28cd8ba9c56a4ea59417795eba42d72516c9fec93b8fbaa21b8210cb6 jasper-1.900.1.zip
c449c0a405f589135b384bc284508bfdd2a29b7bb94b806b960ce72238aa5789cc11fa7d704463ebda9a1384d8d085c603180f7b419e25a91d304b447708b82c jpc_dec.c.patch
bafdd22b8214e2993c0a61c06c27b11b4eef68db2e9c6d8786dd54dfae92e685094b66ad6c899d19df9f0f85d3aa4fe35152dd773c5bd9a1e8453ccf8518c799 libjasper-stepsizes-overflow.patch
d337207260b3ac7e40e92326d95364ef21128431235e6ef9e345a6c781f328fd3aaf0dbfb8c7dde2403ab0cfc89cda664c3f2fec673187589358fe58521e83a1 jasper-1.900.1-CVE-2008-3520.patch
d686c26f1432b522f41948c7bd188f9b74c455671d5f30ab97144977b22d4e778e475fea6d8128b607218a061c50f2cc767e66413455805e8843c04d901f708d jasper-1.900.1-CVE-2008-3522.patch
a83fe196d4305fea6f2265e1bcb64dd4841bf4355ca661c46841de44c9f642f995e13929111833f23f51168282d2da06c0544956edc3a863d13be2b584c1ad73 jasper-1.900.1-bnc725758.patch
b689b8fdc3dfa7f7ffcb9d7e94c7eb8d11127adf55e2f67cb2311fe1495eb7a4a234e34bc50315059b85a257b083670a383a7cc751705fcacc49727c11152510 CVE-2014-8137.patch
ae9d1c85688f7711a5cd7765988e85c64bf5413dede80aa8c860caa505c079d6975410ccb3b0e18c65d84624226c5e12667bb7613a91e3856dab4f99483c2956 CVE-2014-8138.patch
44fc87f8a85a5c0b1f3669ca5ec139afcb8971f2d5bfd40ed95913dcf34fee4874301b580134ddca900091ef3cbfdd791b365a5c3ba74d0e8deb855b54322f68 CVE-2014-8157.patch
7f2f2a990ced181fd5755cc630a8c6d75e8172c926c08350505f6b8b5e8e1f8b0891b4603a4c43da35f913c079f2759975ee7ee1532ebb87f06d01c165299ecb CVE-2014-8158.patch
20bac10654ea1b16d741bcc71ca91e484c4238cb285f551a19b1bac4c4cf8ec39bc33f8d3c42dbadd03e85eb667a8e286f208e9b20a5b39429bf8e4454bd9b16 CVE-2014-9029.patch
911c813308af2cf0697b462e70bcb888a9e9a61399cbd0a6911133c3edd69ac50ddd57523c139080578373bceda1aa23af8ca979668f911785037250c7afcca1 CVE-2015-5203.patch
c953cadf37b21b80b313846bb3d0ececb25e3269d02cc8cc15d8a95587fcd8d0944f23d2b7d0a82b2242ea7c46993ea0b6ba33e885363d6484eeef51e5173116 CVE-2016-1577.patch
7ca676a2bcdf17c140e31286cd704c288201e29e77dc698bbcbbd10d7a51bf95d10dae2ddcbe70e4701440a9bd3fd34ce2042579f568418de3be380c038a39ad CVE-2016-2089.patch
f6506e712911df55d2f2891a4036e6baa5db468a6345657b0115c9873494e5390a94a4efb204686fd9d44fc915a6e02d0882b1679889d7e6539cabbf953d6f64 CVE-2016-2116.patch"
sha512sums="3cc08c9bc1f9ad1e4bac78a3246d6ee1a35a75d5b89b3b0f27cb5980420101256a2e05eeb7bf8a0c73d1a73c044b83b4cbca441c1418dced53d7a142e69129ed jasper-2.0.10.tar.gz"
--- jasper-1.900.1.orig/src/libjasper/base/jas_icc.c 2014-12-11 14:06:44.000000000 +0100
+++ jasper-1.900.1/src/libjasper/base/jas_icc.c 2014-12-11 15:16:37.971272386 +0100
@@ -1009,7 +1009,6 @@ static int jas_icccurv_input(jas_iccattr
return 0;
error:
- jas_icccurv_destroy(attrval);
return -1;
}
@@ -1127,7 +1126,6 @@ static int jas_icctxtdesc_input(jas_icca
#endif
return 0;
error:
- jas_icctxtdesc_destroy(attrval);
return -1;
}
@@ -1206,8 +1204,6 @@ static int jas_icctxt_input(jas_iccattrv
goto error;
return 0;
error:
- if (txt->string)
- jas_free(txt->string);
return -1;
}
@@ -1328,7 +1324,6 @@ static int jas_icclut8_input(jas_iccattr
goto error;
return 0;
error:
- jas_icclut8_destroy(attrval);
return -1;
}
@@ -1497,7 +1492,6 @@ static int jas_icclut16_input(jas_iccatt
goto error;
return 0;
error:
- jas_icclut16_destroy(attrval);
return -1;
}
--- jasper-1.900.1.orig/src/libjasper/jp2/jp2_dec.c 2014-12-11 14:30:54.193209780 +0100
+++ jasper-1.900.1/src/libjasper/jp2/jp2_dec.c 2014-12-11 14:36:46.313217814 +0100
@@ -291,7 +291,10 @@ jas_image_t *jp2_decode(jas_stream_t *in
case JP2_COLR_ICC:
iccprof = jas_iccprof_createfrombuf(dec->colr->data.colr.iccp,
dec->colr->data.colr.iccplen);
- assert(iccprof);
+ if (!iccprof) {
+ jas_eprintf("error: failed to parse ICC profile\n");
+ goto error;
+ }
jas_iccprof_gethdr(iccprof, &icchdr);
jas_eprintf("ICC Profile CS %08x\n", icchdr.colorspc);
jas_image_setclrspc(dec->image, fromiccpcs(icchdr.colorspc));
--- jasper-1.900.1.orig/src/libjasper/jp2/jp2_dec.c 2014-12-11 14:06:44.000000000 +0100
+++ jasper-1.900.1/src/libjasper/jp2/jp2_dec.c 2014-12-11 14:06:26.000000000 +0100
@@ -386,6 +386,11 @@ jas_image_t *jp2_decode(jas_stream_t *in
/* Determine the type of each component. */
if (dec->cdef) {
for (i = 0; i < dec->numchans; ++i) {
+ /* Is the channel number reasonable? */
+ if (dec->cdef->data.cdef.ents[i].channo >= dec->numchans) {
+ jas_eprintf("error: invalid channel number in CDEF box\n");
+ goto error;
+ }
jas_image_setcmpttype(dec->image,
dec->chantocmptlut[dec->cdef->data.cdef.ents[i].channo],
jp2_getct(jas_image_clrspc(dec->image),
diff -up jasper-1.900.1/src/libjasper/jpc/jpc_dec.c.CVE-2014-8157 jasper-1.900.1/src/libjasper/jpc/jpc_dec.c
--- jasper-1.900.1/src/libjasper/jpc/jpc_dec.c.CVE-2014-8157 2015-01-19 16:59:36.000000000 +0100
+++ jasper-1.900.1/src/libjasper/jpc/jpc_dec.c 2015-01-19 17:07:41.609863268 +0100
@@ -489,7 +489,7 @@ static int jpc_dec_process_sot(jpc_dec_t
dec->curtileendoff = 0;
}
- if (JAS_CAST(int, sot->tileno) > dec->numtiles) {
+ if (JAS_CAST(int, sot->tileno) >= dec->numtiles) {
jas_eprintf("invalid tile number in SOT marker segment\n");
return -1;
}
diff -up jasper-1.900.1/src/libjasper/jpc/jpc_qmfb.c.CVE-2014-8158 jasper-1.900.1/src/libjasper/jpc/jpc_qmfb.c
--- jasper-1.900.1/src/libjasper/jpc/jpc_qmfb.c.CVE-2014-8158 2015-01-19 17:25:28.730195502 +0100
+++ jasper-1.900.1/src/libjasper/jpc/jpc_qmfb.c 2015-01-19 17:27:20.214663127 +0100
@@ -306,11 +306,7 @@ void jpc_qmfb_split_row(jpc_fix_t *a, in
{
int bufsize = JPC_CEILDIVPOW2(numcols, 1);
-#if !defined(HAVE_VLA)
jpc_fix_t splitbuf[QMFB_SPLITBUFSIZE];
-#else
- jpc_fix_t splitbuf[bufsize];
-#endif
jpc_fix_t *buf = splitbuf;
register jpc_fix_t *srcptr;
register jpc_fix_t *dstptr;
@@ -318,7 +314,6 @@ void jpc_qmfb_split_row(jpc_fix_t *a, in
register int m;
int hstartcol;
-#if !defined(HAVE_VLA)
/* Get a buffer. */
if (bufsize > QMFB_SPLITBUFSIZE) {
if (!(buf = jas_alloc2(bufsize, sizeof(jpc_fix_t)))) {
@@ -326,7 +321,6 @@ void jpc_qmfb_split_row(jpc_fix_t *a, in
abort();
}
}
-#endif
if (numcols >= 2) {
hstartcol = (numcols + 1 - parity) >> 1;
@@ -360,12 +354,10 @@ void jpc_qmfb_split_row(jpc_fix_t *a, in
}
}
-#if !defined(HAVE_VLA)
/* If the split buffer was allocated on the heap, free this memory. */
if (buf != splitbuf) {
jas_free(buf);
}
-#endif
}
@@ -374,11 +366,7 @@ void jpc_qmfb_split_col(jpc_fix_t *a, in
{
int bufsize = JPC_CEILDIVPOW2(numrows, 1);
-#if !defined(HAVE_VLA)
jpc_fix_t splitbuf[QMFB_SPLITBUFSIZE];
-#else
- jpc_fix_t splitbuf[bufsize];
-#endif
jpc_fix_t *buf = splitbuf;
register jpc_fix_t *srcptr;
register jpc_fix_t *dstptr;
@@ -386,7 +374,6 @@ void jpc_qmfb_split_col(jpc_fix_t *a, in
register int m;
int hstartcol;
-#if !defined(HAVE_VLA)
/* Get a buffer. */
if (bufsize > QMFB_SPLITBUFSIZE) {
if (!(buf = jas_alloc2(bufsize, sizeof(jpc_fix_t)))) {
@@ -394,7 +381,6 @@ void jpc_qmfb_split_col(jpc_fix_t *a, in
abort();
}
}
-#endif
if (numrows >= 2) {
hstartcol = (numrows + 1 - parity) >> 1;
@@ -428,12 +414,10 @@ void jpc_qmfb_split_col(jpc_fix_t *a, in
}
}
-#if !defined(HAVE_VLA)
/* If the split buffer was allocated on the heap, free this memory. */
if (buf != splitbuf) {
jas_free(buf);
}
-#endif
}
@@ -442,11 +426,7 @@ void jpc_qmfb_split_colgrp(jpc_fix_t *a,
{
int bufsize = JPC_CEILDIVPOW2(numrows, 1);
-#if !defined(HAVE_VLA)
jpc_fix_t splitbuf[QMFB_SPLITBUFSIZE * JPC_QMFB_COLGRPSIZE];
-#else
- jpc_fix_t splitbuf[bufsize * JPC_QMFB_COLGRPSIZE];
-#endif
jpc_fix_t *buf = splitbuf;
jpc_fix_t *srcptr;
jpc_fix_t *dstptr;
@@ -457,7 +437,6 @@ void jpc_qmfb_split_colgrp(jpc_fix_t *a,
int m;
int hstartcol;
-#if !defined(HAVE_VLA)
/* Get a buffer. */
if (bufsize > QMFB_SPLITBUFSIZE) {
if (!(buf = jas_alloc2(bufsize, sizeof(jpc_fix_t)))) {
@@ -465,7 +444,6 @@ void jpc_qmfb_split_colgrp(jpc_fix_t *a,
abort();
}
}
-#endif
if (numrows >= 2) {
hstartcol = (numrows + 1 - parity) >> 1;
@@ -517,12 +495,10 @@ void jpc_qmfb_split_colgrp(jpc_fix_t *a,
}
}
-#if !defined(HAVE_VLA)
/* If the split buffer was allocated on the heap, free this memory. */
if (buf != splitbuf) {
jas_free(buf);
}
-#endif
}
@@ -531,11 +507,7 @@ void jpc_qmfb_split_colres(jpc_fix_t *a,
{
int bufsize = JPC_CEILDIVPOW2(numrows, 1);
-#if !defined(HAVE_VLA)
jpc_fix_t splitbuf[QMFB_SPLITBUFSIZE * JPC_QMFB_COLGRPSIZE];
-#else
- jpc_fix_t splitbuf[bufsize * numcols];
-#endif
jpc_fix_t *buf = splitbuf;
jpc_fix_t *srcptr;
jpc_fix_t *dstptr;
@@ -546,7 +518,6 @@ void jpc_qmfb_split_colres(jpc_fix_t *a,
int m;
int hstartcol;
-#if !defined(HAVE_VLA)
/* Get a buffer. */
if (bufsize > QMFB_SPLITBUFSIZE) {
if (!(buf = jas_alloc2(bufsize, sizeof(jpc_fix_t)))) {
@@ -554,7 +525,6 @@ void jpc_qmfb_split_colres(jpc_fix_t *a,
abort();
}
}
-#endif
if (numrows >= 2) {
hstartcol = (numrows + 1 - parity) >> 1;
@@ -606,12 +576,10 @@ void jpc_qmfb_split_colres(jpc_fix_t *a,
}
}
-#if !defined(HAVE_VLA)
/* If the split buffer was allocated on the heap, free this memory. */
if (buf != splitbuf) {
jas_free(buf);
}
-#endif
}
@@ -619,18 +587,13 @@ void jpc_qmfb_join_row(jpc_fix_t *a, int
{
int bufsize = JPC_CEILDIVPOW2(numcols, 1);
-#if !defined(HAVE_VLA)
jpc_fix_t joinbuf[QMFB_JOINBUFSIZE];
-#else
- jpc_fix_t joinbuf[bufsize];
-#endif
jpc_fix_t *buf = joinbuf;
register jpc_fix_t *srcptr;
register jpc_fix_t *dstptr;
register int n;
int hstartcol;
-#if !defined(HAVE_VLA)
/* Allocate memory for the join buffer from the heap. */
if (bufsize > QMFB_JOINBUFSIZE) {
if (!(buf = jas_alloc2(bufsize, sizeof(jpc_fix_t)))) {
@@ -638,7 +601,6 @@ void jpc_qmfb_join_row(jpc_fix_t *a, int
abort();
}
}
-#endif
hstartcol = (numcols + 1 - parity) >> 1;
@@ -670,12 +632,10 @@ void jpc_qmfb_join_row(jpc_fix_t *a, int
++srcptr;
}
-#if !defined(HAVE_VLA)
/* If the join buffer was allocated on the heap, free this memory. */
if (buf != joinbuf) {
jas_free(buf);
}
-#endif
}
@@ -684,18 +644,13 @@ void jpc_qmfb_join_col(jpc_fix_t *a, int
{
int bufsize = JPC_CEILDIVPOW2(numrows, 1);
-#if !defined(HAVE_VLA)
jpc_fix_t joinbuf[QMFB_JOINBUFSIZE];
-#else
- jpc_fix_t joinbuf[bufsize];
-#endif
jpc_fix_t *buf = joinbuf;
register jpc_fix_t *srcptr;
register jpc_fix_t *dstptr;
register int n;
int hstartcol;
-#if !defined(HAVE_VLA)
/* Allocate memory for the join buffer from the heap. */
if (bufsize > QMFB_JOINBUFSIZE) {
if (!(buf = jas_alloc2(bufsize, sizeof(jpc_fix_t)))) {
@@ -703,7 +658,6 @@ void jpc_qmfb_join_col(jpc_fix_t *a, int
abort();
}
}
-#endif
hstartcol = (numrows + 1 - parity) >> 1;
@@ -735,12 +689,10 @@ void jpc_qmfb_join_col(jpc_fix_t *a, int
++srcptr;
}
-#if !defined(HAVE_VLA)
/* If the join buffer was allocated on the heap, free this memory. */
if (buf != joinbuf) {
jas_free(buf);
}
-#endif
}
@@ -749,11 +701,7 @@ void jpc_qmfb_join_colgrp(jpc_fix_t *a,
{
int bufsize = JPC_CEILDIVPOW2(numrows, 1);
-#if !defined(HAVE_VLA)
jpc_fix_t joinbuf[QMFB_JOINBUFSIZE * JPC_QMFB_COLGRPSIZE];
-#else
- jpc_fix_t joinbuf[bufsize * JPC_QMFB_COLGRPSIZE];
-#endif
jpc_fix_t *buf = joinbuf;
jpc_fix_t *srcptr;
jpc_fix_t *dstptr;
@@ -763,7 +711,6 @@ void jpc_qmfb_join_colgrp(jpc_fix_t *a,
register int i;
int hstartcol;
-#if !defined(HAVE_VLA)
/* Allocate memory for the join buffer from the heap. */
if (bufsize > QMFB_JOINBUFSIZE) {
if (!(buf = jas_alloc2(bufsize, JPC_QMFB_COLGRPSIZE * sizeof(jpc_fix_t)))) {
@@ -771,7 +718,6 @@ void jpc_qmfb_join_colgrp(jpc_fix_t *a,
abort();
}
}
-#endif
hstartcol = (numrows + 1 - parity) >> 1;
@@ -821,12 +767,10 @@ void jpc_qmfb_join_colgrp(jpc_fix_t *a,
srcptr += JPC_QMFB_COLGRPSIZE;
}
-#if !defined(HAVE_VLA)
/* If the join buffer was allocated on the heap, free this memory. */
if (buf != joinbuf) {
jas_free(buf);
}
-#endif
}
@@ -835,11 +779,7 @@ void jpc_qmfb_join_colres(jpc_fix_t *a,
{
int bufsize = JPC_CEILDIVPOW2(numrows, 1);
-#if !defined(HAVE_VLA)
jpc_fix_t joinbuf[QMFB_JOINBUFSIZE * JPC_QMFB_COLGRPSIZE];
-#else
- jpc_fix_t joinbuf[bufsize * numcols];
-#endif
jpc_fix_t *buf = joinbuf;
jpc_fix_t *srcptr;
jpc_fix_t *dstptr;
@@ -849,7 +789,6 @@ void jpc_qmfb_join_colres(jpc_fix_t *a,
register int i;
int hstartcol;
-#if !defined(HAVE_VLA)
/* Allocate memory for the join buffer from the heap. */
if (bufsize > QMFB_JOINBUFSIZE) {
if (!(buf = jas_alloc3(bufsize, numcols, sizeof(jpc_fix_t)))) {
@@ -857,7 +796,6 @@ void jpc_qmfb_join_colres(jpc_fix_t *a,
abort();
}
}
-#endif
hstartcol = (numrows + 1 - parity) >> 1;
@@ -907,12 +845,10 @@ void jpc_qmfb_join_colres(jpc_fix_t *a,
srcptr += numcols;
}
-#if !defined(HAVE_VLA)
/* If the join buffer was allocated on the heap, free this memory. */
if (buf != joinbuf) {
jas_free(buf);
}
-#endif
}
--- jasper-1.900.1.orig/src/libjasper/jpc/jpc_dec.c 2014-11-27 12:45:44.000000000 +0100
+++ jasper-1.900.1/src/libjasper/jpc/jpc_dec.c 2014-11-27 12:44:58.000000000 +0100
@@ -1281,7 +1281,7 @@ static int jpc_dec_process_coc(jpc_dec_t
jpc_coc_t *coc = &ms->parms.coc;
jpc_dec_tile_t *tile;
- if (JAS_CAST(int, coc->compno) > dec->numcomps) {
+ if (JAS_CAST(int, coc->compno) >= dec->numcomps) {
jas_eprintf("invalid component number in COC marker segment\n");
return -1;
}
@@ -1307,7 +1307,7 @@ static int jpc_dec_process_rgn(jpc_dec_t
jpc_rgn_t *rgn = &ms->parms.rgn;
jpc_dec_tile_t *tile;
- if (JAS_CAST(int, rgn->compno) > dec->numcomps) {
+ if (JAS_CAST(int, rgn->compno) >= dec->numcomps) {
jas_eprintf("invalid component number in RGN marker segment\n");
return -1;
}
@@ -1356,7 +1356,7 @@ static int jpc_dec_process_qcc(jpc_dec_t
jpc_qcc_t *qcc = &ms->parms.qcc;
jpc_dec_tile_t *tile;
- if (JAS_CAST(int, qcc->compno) > dec->numcomps) {
+ if (JAS_CAST(int, qcc->compno) >= dec->numcomps) {
jas_eprintf("invalid component number in QCC marker segment\n");
return -1;
}
From a0ad33bedb339e4f9f35f9637a976320ec81f508 Mon Sep 17 00:00:00 2001
From: mancha <mancha1 AT zoho DOT com>
Date: Mon, 17 Aug 2015
Subject: CVE-2015-5203
Prevent integer conversion errors.
jasper is vulnerable to integer conversion errors that can be leveraged,
via crafted input, to trigger faults such as double free's. This patch
addresses that by using size_t for buffer sizes.
---
src/libjasper/base/jas_stream.c | 10 +++++-----
src/libjasper/include/jasper/jas_stream.h | 8 ++++----
src/libjasper/jpc/jpc_qmfb.c | 16 ++++++++--------
src/libjasper/mif/mif_cod.c | 4 ++--
4 files changed, 19 insertions(+), 19 deletions(-)
--- a/src/libjasper/include/jasper/jas_stream.h
+++ b/src/libjasper/include/jasper/jas_stream.h
@@ -215,7 +215,7 @@ typedef struct {
uchar *bufstart_;
/* The buffer size. */
- int bufsize_;
+ size_t bufsize_;
/* The current position in the buffer. */
uchar *ptr_;
@@ -267,7 +267,7 @@ typedef struct {
uchar *buf_;
/* The allocated size of the buffer for holding file data. */
- int bufsize_;
+ size_t bufsize_;
/* The length of the file. */
int_fast32_t len_;
@@ -291,7 +291,7 @@ typedef struct {
jas_stream_t *jas_stream_fopen(const char *filename, const char *mode);
/* Open a memory buffer as a stream. */
-jas_stream_t *jas_stream_memopen(char *buf, int bufsize);
+jas_stream_t *jas_stream_memopen(char *buf, size_t bufsize);
/* Open a file descriptor as a stream. */
jas_stream_t *jas_stream_fdopen(int fd, const char *mode);
@@ -366,7 +366,7 @@ int jas_stream_printf(jas_stream_t *stre
int jas_stream_puts(jas_stream_t *stream, const char *s);
/* Read a line of input from a stream. */
-char *jas_stream_gets(jas_stream_t *stream, char *buf, int bufsize);
+char *jas_stream_gets(jas_stream_t *stream, char *buf, size_t bufsize);
/* Look at the next character to be read from a stream without actually
removing it from the stream. */
--- a/src/libjasper/base/jas_stream.c
+++ b/src/libjasper/base/jas_stream.c
@@ -99,7 +99,7 @@ static int jas_strtoopenmode(const char
static void jas_stream_destroy(jas_stream_t *stream);
static jas_stream_t *jas_stream_create(void);
static void jas_stream_initbuf(jas_stream_t *stream, int bufmode, char *buf,
- int bufsize);
+ size_t bufsize);