Commit d32e6536 authored by Natanael Copa's avatar Natanael Copa

main/jasper: security fixes (CVE-2011-4516, CVE-2011-4517)

fixes #878
parent 77d1a037
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=jasper
pkgver=1.900.1
pkgrel=6
pkgrel=7
pkgdesc="A software-based implementation of the codec specified in the emerging JPEG-2000 Part-1 standard"
url="http://www.ece.uvic.ca/~mdadams/jasper/"
arch="all"
......@@ -10,12 +10,21 @@ depends= #"libjpeg>=8 freeglut libxi libxmu mesa"
makedepends="jpeg-dev>=8"
subpackages="$pkgname-dev $pkgname-doc libjasper"
source="http://www.ece.uvic.ca/~mdadams/$pkgname/software/$pkgname-$pkgver.zip
jpc_dec.c.patch"
jpc_dec.c.patch
libjasper-stepsizes-overflow.patch
jasper-1.900.1-CVE-2008-3520.patch
jasper-1.900.1-CVE-2008-3522.patch
jasper-1.900.1-bnc725758.patch
"
_builddir="$srcdir"/$pkgname-$pkgver
prepare() {
cd "$_builddir"
patch -Np1 < "$srcdir"/jpc_dec.c.patch || return 1
for i in $source; do
case $i in
*.patch) msg $i; patch -Np1 -i "$srcdir"/$i || return 1;;
esac
done
chmod +x configure
}
......@@ -43,4 +52,8 @@ libjasper() {
}
md5sums="a342b2b4495b3e1394e161eb5d85d754 jasper-1.900.1.zip
36de7128eea6f701c1e2e13ce5bd8d37 jpc_dec.c.patch"
36de7128eea6f701c1e2e13ce5bd8d37 jpc_dec.c.patch
24785d8eb3eea19eec7e77d59f3e6a25 libjasper-stepsizes-overflow.patch
911bb13529483c093d12c15eed4e9243 jasper-1.900.1-CVE-2008-3520.patch
ed441f30c4231f319d9ff77d86db2ef9 jasper-1.900.1-CVE-2008-3522.patch
eaf73536f989e629a8c06533e4e6fad5 jasper-1.900.1-bnc725758.patch"
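Review bot: The commit title names CVE-2011-4516 and CVE-2011-4517, but none of the patch file names added to `source` carries those ids, so the APKBUILD does not record which patch closes them. A comment above `source=` would make that auditable, for example `# jasper-1.900.1-bnc725758.patch: CVE-2011-4516, CVE-2011-4517 (confirm)`; the mapping is inferred from the title and should be checked against the patch's origin. Separately, the four new patches are pinned only by `md5sums` and the zip is still fetched over plain http, so a stronger checksum array such as `sha512sums`, where the abuild version in use supports it, would give the integrity check more weight.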
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2008-3522
diff -pruN jasper-1.900.1.orig/src/libjasper/base/jas_stream.c jasper-1.900.1/src/libjasper/base/jas_stream.c
--- jasper-1.900.1.orig/src/libjasper/base/jas_stream.c 2009-10-22 10:27:45.000000000 +0200
+++ jasper-1.900.1/src/libjasper/base/jas_stream.c 2009-10-22 10:35:53.000000000 +0200
@@ -553,7 +553,7 @@ int jas_stream_printf(jas_stream_t *stre
int ret;
va_start(ap, fmt);
- ret = vsprintf(buf, fmt, ap);
+ ret = vsnprintf(buf, sizeof buf, fmt, ap);
jas_stream_puts(stream, buf);
va_end(ap);
return ret;
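Review bot: `ret` now holds vsnprintf's would-be length, so on truncation the function returns more characters than `jas_stream_puts` actually wrote, and on a formatting error it returns a negative value after `buf` has been handed to `jas_stream_puts` with unspecified contents. Clamping before the write keeps the return value honest: `if (ret < 0) buf[0] = '\0'; else if ((size_t)ret >= sizeof buf) ret = sizeof buf - 1;`. `sizeof buf` is only the right bound if `buf` is declared as an array in this function; the declaration and the start of jas_stream_printf are outside the hunk, so that should be confirmed.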
diff -up src/libjasper/jpc/jpc_cs.c.orig-725758 src/libjasper/jpc/jpc_cs.c
--- ./src/libjasper/jpc/jpc_cs.c.orig-725758 2011-12-12 18:36:53.772117206 +0100
+++ ./src/libjasper/jpc/jpc_cs.c 2011-12-12 18:36:12.805999375 +0100
@@ -744,6 +744,12 @@ static int jpc_cox_getcompparms(jpc_ms_t
return -1;
}
compparms->numrlvls = compparms->numdlvls + 1;
+ if (compparms->numrlvls > JPC_MAXRLVLS) {
+ compparms->numrlvls = 0;
+ jpc_cox_destroycompparms(compparms);
+ return -1;
+ }
+
if (prtflag) {
for (i = 0; i < compparms->numrlvls; ++i) {
if (jpc_getuint8(in, &tmp)) {
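Review bot: The added `numrlvls > JPC_MAXRLVLS` guard has no comment saying what it protects, and that is the part a later maintainer must not remove. I would put `/* numrlvls is derived from the marker segment; reject it before it bounds the per-level reads below */` above the `if`. The array that the loop fills and the code that sets `numdlvls` are outside the hunk, so the wording should be checked against the array's declared size. It is also not visible why `numrlvls` is zeroed before `jpc_cox_destroycompparms`; if the destroy routine does not read it the assignment can go, otherwise it deserves its own one-line explanation.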
@@ -1331,7 +1337,7 @@ static int jpc_crg_getparms(jpc_ms_t *ms
jpc_crgcomp_t *comp;
uint_fast16_t compno;
crg->numcomps = cstate->numcomps;
- if (!(crg->comps = jas_alloc2(cstate->numcomps, sizeof(uint_fast16_t)))) {
+ if (!(crg->comps = jas_alloc2(cstate->numcomps, sizeof(jpc_crgcomp_t)))) {
return -1;
}
for (compno = 0, comp = crg->comps; compno < cstate->numcomps;
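Review bot: The element size is still spelled as a type name in `jas_alloc2(cstate->numcomps, sizeof(jpc_crgcomp_t))`, which is the pattern that let the allocation size drift away from the pointer's element type in the first place. Writing `sizeof(*crg->comps)` ties the size to the pointer being assigned, so a later change to the type of `comps` cannot reintroduce an undersized buffer. The loop that fills `crg->comps` continues past the end of the hunk.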
--- jasper-1.900.1.orig/src/libjasper/jpc/jpc_cs.c 2007-01-19 22:43:07.000000000 +0100
+++ jasper-1.900.1/src/libjasper/jpc/jpc_cs.c 2007-04-06 01:29:02.000000000 +0200
@@ -982,7 +982,10 @@ static int jpc_qcx_getcompparms(jpc_qcxc
compparms->numstepsizes = (len - n) / 2;
break;
}
- if (compparms->numstepsizes > 0) {
+ if (compparms->numstepsizes > 3 * JPC_MAXRLVLS + 1) {
+ jpc_qcx_destroycompparms(compparms);
+ return -1;
+ } else if (compparms->numstepsizes > 0) {
compparms->stepsizes = jas_malloc(compparms->numstepsizes *
sizeof(uint_fast16_t));
assert(compparms->stepsizes);
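Review bot: Below the new upper bound, allocation failure for `stepsizes` is still caught only by `assert(compparms->stepsizes)`, which disappears when the library is built with NDEBUG and leaves a null pointer for the code that fills the array. An explicit check mirroring the new error path would close that: `if (!compparms->stepsizes) { jpc_qcx_destroycompparms(compparms); return -1; }`. The bound `3 * JPC_MAXRLVLS + 1` would also benefit from a one-line comment saying where it comes from (presumably one band plus three per resolution level, to be confirmed against the array it guards). The rest of jpc_qcx_getcompparms is outside the hunk.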