Thu Feb 19 21:18:52 2015 UTC ()
Pullup ticket #4624 - requested by taca
graphics/jasper: security patch

Revisions pulled up:
- graphics/jasper/Makefile                                      1.39-1.40
- graphics/jasper/distinfo                                      1.16-1.17
- graphics/jasper/patches/patch-CVE-2014-9029                   deleted
- graphics/jasper/patches/patch-ad                              deleted
- graphics/jasper/patches/patch-ae                              deleted
- graphics/jasper/patches/patch-ag                              deleted
- graphics/jasper/patches/patch-ah                              deleted
- graphics/jasper/patches/patch-ai                              deleted
- graphics/jasper/patches/patch-aj                              deleted
- graphics/jasper/patches/patch-configure                       1.1
- graphics/jasper/patches/patch-src_libjasper_jp2_jp2__cod.c    1.1
- graphics/jasper/patches/patch-src_libjasper_jp2_jp2__dec.c    1.1
- graphics/jasper/patches/patch-src_libjasper_jpc_jpc__cs.c     1.1
- graphics/jasper/patches/patch-src_libjasper_jpc_jpc__dec.c    1.1-1.2
- graphics/jasper/patches/patch-src_libjasper_jpc_jpc__qmfb.c   1.1

---
   Module Name:	pkgsrc
   Committed By:	he
   Date:		Thu Jan  1 14:15:27 UTC 2015

   Modified Files:
   	pkgsrc/graphics/jasper: Makefile distinfo
   Added Files:
   	pkgsrc/graphics/jasper/patches: patch-configure
   	    patch-src_libjasper_jp2_jp2__cod.c
   	    patch-src_libjasper_jp2_jp2__dec.c
   	    patch-src_libjasper_jpc_jpc__cs.c
   	    patch-src_libjasper_jpc_jpc__dec.c
   Removed Files:
   	pkgsrc/graphics/jasper/patches: patch-CVE-2014-9029 patch-ad patch-ae
   	    patch-ag patch-ah patch-ai patch-aj

   Log Message:
   Rename patches to conform to the "new" style.
   Add comments to the patches.
   Add fix for oCERT-2014-012, pulled from RedHat.
   Add fix from Debian bug 469786.
   Add LICENSE setting, I think modified-bsd is fitting.
   Bump PKGREVISION.

---
   Module Name:	pkgsrc
   Committed By:	snj
   Date:		Sun Feb  8 23:04:22 UTC 2015

   Modified Files:
   	pkgsrc/graphics/jasper: Makefile distinfo
   	pkgsrc/graphics/jasper/patches: patch-src_libjasper_jpc_jpc__dec.c
   Added Files:
   	pkgsrc/graphics/jasper/patches: patch-src_libjasper_jpc_jpc__qmfb.c

   Log Message:
   Fix CVE-2014-8157 and CVE-2014-8158.  Bump PKGREVISION to 10.


(tron)
diff -r1.38 -r1.38.2.1 pkgsrc/graphics/jasper/Makefile
diff -r1.15 -r1.15.2.1 pkgsrc/graphics/jasper/distinfo
diff -r1.1 -r0 pkgsrc/graphics/jasper/patches/patch-CVE-2014-9029
diff -r1.1 -r0 pkgsrc/graphics/jasper/patches/patch-aj
diff -r1.3 -r0 pkgsrc/graphics/jasper/patches/patch-ad
diff -r1.3 -r0 pkgsrc/graphics/jasper/patches/patch-ah
diff -r1.2 -r0 pkgsrc/graphics/jasper/patches/patch-ae
diff -r1.2 -r0 pkgsrc/graphics/jasper/patches/patch-ai
diff -r1.4 -r0 pkgsrc/graphics/jasper/patches/patch-ag
diff -r0 -r1.1.2.2 pkgsrc/graphics/jasper/patches/patch-configure
diff -r0 -r1.1.2.2 pkgsrc/graphics/jasper/patches/patch-src_libjasper_jp2_jp2__cod.c
diff -r0 -r1.1.2.2 pkgsrc/graphics/jasper/patches/patch-src_libjasper_jp2_jp2__dec.c
diff -r0 -r1.1.2.2 pkgsrc/graphics/jasper/patches/patch-src_libjasper_jpc_jpc__cs.c
diff -r0 -r1.1.2.2 pkgsrc/graphics/jasper/patches/patch-src_libjasper_jpc_jpc__qmfb.c
diff -r0 -r1.2.2.2 pkgsrc/graphics/jasper/patches/patch-src_libjasper_jpc_jpc__dec.c

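--- a/pkgsrc/graphics/jasper/Makefile
+++ b/pkgsrc/graphics/jasper/Makefile
@@ -1,24 +1,25 @@
-# $NetBSD: Makefile,v 1.38 2014/12/11 20:18:09 tez Exp $
+# $NetBSD: Makefile,v 1.38.2.1 2015/02/19 21:18:52 tron Exp $
 
 DISTNAME= jasper-1.900.1
-PKGREVISION= 8
+PKGREVISION= 10
 CATEGORIES= graphics
 MASTER_SITES= http://www.ece.uvic.ca/~mdadams/jasper/software/
 EXTRACT_SUFX= .zip
 
 MAINTAINER= adam@NetBSD.org
 HOMEPAGE= http://www.ece.uvic.ca/~mdadams/jasper/
 COMMENT= Software-based reference implementation of the JPEG-2000 codec
+LICENSE= modified-bsd
 
 USE_LANGUAGES= c99
 USE_LIBTOOL= yes
 GNU_CONFIGURE= yes
 CONFIGURE_ARGS+= --enable-shared --without-x --disable-opengl
 
 # The solaris stdbool.h requires c99 which is fine for jasper, but
 # not so good for things that depend upon jasper. See PR#43901
 OPSYSVARS+= CONFIGURE_ENV
 CONFIGURE_ENV.SunOS+= ac_cv_header_stdbool_h=no
 
 INSTALLATION_DIRS+= share/doc/jasper
 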

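--- a/pkgsrc/graphics/jasper/distinfo
+++ b/pkgsrc/graphics/jasper/distinfo
@@ -1,12 +1,11 @@
-$NetBSD: distinfo,v 1.15 2014/12/11 20:18:09 tez Exp $
+$NetBSD: distinfo,v 1.15.2.1 2015/02/19 21:18:52 tron Exp $
 
 SHA1 (jasper-1.900.1.zip) = 9c5735f773922e580bf98c7c7dfda9bbed4c5191
 RMD160 (jasper-1.900.1.zip) = fb2c188abf5b8c297078ac1f913101734f72db5c
 Size (jasper-1.900.1.zip) = 1415752 bytes
-SHA1 (patch-CVE-2014-9029) = e8db6f31a06773dd385b40d684f4be8eb8676723
-SHA1 (patch-ad) = 85637e42cdb1245babd5736c2d039558025738a6
-SHA1 (patch-ae) = bfe00f76582a44ad748706c3fc81c4d6b8aede35
-SHA1 (patch-ag) = 0a3cf7ffff67001529198c23c3ca2499c71be7fa
-SHA1 (patch-ah) = 5455854277ad52adb4a22be08219facd796bbf1a
-SHA1 (patch-ai) = 39a16368197d180d9d925bc12b9fc1c6985f06f0
-SHA1 (patch-aj) = a2f5b3b31220767cd6f22ff236e3789ab6a5ba4f
+SHA1 (patch-configure) = c8aa09f8432f0e3f5667ecb3ccd738c3c03f3f05
+SHA1 (patch-src_libjasper_jp2_jp2__cod.c) = 7902e9900130f466fa60a5389409cc9495b6260c
+SHA1 (patch-src_libjasper_jp2_jp2__dec.c) = 5a795502f9241829afa1acf0a2a341155b954108
+SHA1 (patch-src_libjasper_jpc_jpc__cs.c) = 794de4dcf8f809275a5bee5cb60d95cf9608e0a7
+SHA1 (patch-src_libjasper_jpc_jpc__dec.c) = 9b0d764671ef32868a390464480c5b3ee805e258
+SHA1 (patch-src_libjasper_jpc_jpc__qmfb.c) = 8c8d6e6fbb8ce0117a9e806777a6fdde21e6d780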

File Deleted: pkgsrc/graphics/jasper/patches/Attic/patch-CVE-2014-9029

File Deleted: pkgsrc/graphics/jasper/patches/Attic/patch-aj

File Deleted: pkgsrc/graphics/jasper/patches/Attic/patch-ad

File Deleted: pkgsrc/graphics/jasper/patches/Attic/patch-ah

File Deleted: pkgsrc/graphics/jasper/patches/Attic/patch-ae

File Deleted: pkgsrc/graphics/jasper/patches/Attic/patch-ai

File Deleted: pkgsrc/graphics/jasper/patches/Attic/patch-ag

File Added: pkgsrc/graphics/jasper/patches/Attic/patch-configure
$NetBSD: patch-configure,v 1.1.2.2 2015/02/19 21:18:52 tron Exp $

Check for C99 conformance for stdbool.h, don't just test its presence.

--- configure.orig	2007-01-19 21:54:48.000000000 +0000
+++ configure	2007-08-12 20:56:30.000000000 +0000
@@ -20979,6 +20979,163 @@ _ACEOF
 
 fi
 
+echo "$as_me:$LINENO: checking for stdbool.h that conforms to C99" >&5
+echo $ECHO_N "checking for stdbool.h that conforms to C99... $ECHO_C" >&6
+if test "${ac_cv_header_stdbool_h+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+
+#include <stdbool.h>
+#ifndef bool
+# error bool is not defined
+#endif
+#ifndef false
+# error false is not defined
+#endif
+#if false
+# error false is not 0
+#endif
+#ifndef true
+# error true is not defined
+#endif
+#if true != 1
+# error true is not 1
+#endif
+#ifndef __bool_true_false_are_defined
+# error __bool_true_false_are_defined is not defined
+#endif
+
+	struct s { _Bool s: 1; _Bool t; } s;
+
+	char a[true == 1 ? 1 : -1];
+	char b[false == 0 ? 1 : -1];
+	char c[__bool_true_false_are_defined == 1 ? 1 : -1];
+	char d[(bool) -0.5 == true ? 1 : -1];
+	bool e = &s;
+	char f[(_Bool) -0.0 == false ? 1 : -1];
+	char g[true];
+	char h[sizeof (_Bool)];
+	char i[sizeof s.t];
+
+int
+main ()
+{
+ return !a + !b + !c + !d + !e + !f + !g + !h + !i;
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
+  (eval $ac_compile) 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+	 { ac_try='test -z "$ac_c_werror_flag"
+			 || test ! -s conftest.err'
+  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+  (eval $ac_try) 2>&5
+  ac_status=$?
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); }; } &&
+	 { ac_try='test -s conftest.$ac_objext'
+  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+  (eval $ac_try) 2>&5
+  ac_status=$?
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); }; }; then
+  ac_cv_header_stdbool_h=yes
+else
+  echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+ac_cv_header_stdbool_h=no
+fi
+rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
+fi
+echo "$as_me:$LINENO: result: $ac_cv_header_stdbool_h" >&5
+echo "${ECHO_T}$ac_cv_header_stdbool_h" >&6
+echo "$as_me:$LINENO: checking for _Bool" >&5
+echo $ECHO_N "checking for _Bool... $ECHO_C" >&6
+if test "${ac_cv_type__Bool+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+$ac_includes_default
+int
+main ()
+{
+if ((_Bool *) 0)
+  return 0;
+if (sizeof (_Bool))
+  return 0;
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
+  (eval $ac_compile) 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+	 { ac_try='test -z "$ac_c_werror_flag"
+			 || test ! -s conftest.err'
+  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+  (eval $ac_try) 2>&5
+  ac_status=$?
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); }; } &&
+	 { ac_try='test -s conftest.$ac_objext'
+  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+  (eval $ac_try) 2>&5
+  ac_status=$?
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); }; }; then
+  ac_cv_type__Bool=yes
+else
+  echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+ac_cv_type__Bool=no
+fi
+rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
+fi
+echo "$as_me:$LINENO: result: $ac_cv_type__Bool" >&5
+echo "${ECHO_T}$ac_cv_type__Bool" >&6
+if test $ac_cv_type__Bool = yes; then
+
+cat >>confdefs.h <<_ACEOF
+#define HAVE__BOOL 1
+_ACEOF
+
+
+fi
+
+if test $ac_cv_header_stdbool_h = yes; then
+
+cat >>confdefs.h <<\_ACEOF
+#define HAVE_STDBOOL_H 1
+_ACEOF
+
+fi
 
 
 
@@ -20990,7 +21147,7 @@ fi
 
 
 
-for ac_header in fcntl.h limits.h unistd.h stdint.h stdbool.h io.h windows.h sys/types.h sys/time.h stdlib.h stddef.h
+for ac_header in fcntl.h limits.h unistd.h stdint.h io.h windows.h sys/types.h sys/time.h stdlib.h stddef.h
 do
 as_ac_Header=`echo "ac_cv_header_$ac_header" | $as_tr_sh`
 if eval "test \"\${$as_ac_Header+set}\" = set"; then

File Added: pkgsrc/graphics/jasper/patches/Attic/patch-src_libjasper_jp2_jp2__cod.c
$NetBSD: patch-src_libjasper_jp2_jp2__cod.c,v 1.1.2.2 2015/02/19 21:18:52 tron Exp $

Only output debug info if debuglevel >= 1.

--- src/libjasper/jp2/jp2_cod.c.orig	2006-12-08 00:23:36.000000000 +0000
+++ src/libjasper/jp2/jp2_cod.c
@@ -795,11 +795,15 @@ static void jp2_cmap_dumpdata(jp2_box_t 
 	jp2_cmap_t *cmap = &box->data.cmap;
 	unsigned int i;
 	jp2_cmapent_t *ent;
-	fprintf(out, "numchans = %d\n", (int) cmap->numchans);
+	if (jas_getdbglevel() >= 1) {
+		fprintf(out, "numchans = %d\n", (int) cmap->numchans);
+	}
 	for (i = 0; i < cmap->numchans; ++i) {
 		ent = &cmap->ents[i];
-		fprintf(out, "cmptno=%d; map=%d; pcol=%d\n",
-		  (int) ent->cmptno, (int) ent->map, (int) ent->pcol);
+		if (jas_getdbglevel() >= 1) {
+			fprintf(out, "cmptno=%d; map=%d; pcol=%d\n",
+			  (int) ent->cmptno, (int) ent->map, (int) ent->pcol);
+		}
 	}
 }
 

File Added: pkgsrc/graphics/jasper/patches/Attic/patch-src_libjasper_jp2_jp2__dec.c
$NetBSD: patch-src_libjasper_jp2_jp2__dec.c,v 1.1.2.2 2015/02/19 21:18:52 tron Exp $

Only output debug info if debuglevel >= 1.
Apply fix for oCERT-2014-012, from
https://bugzilla.redhat.com/show_bug.cgi?id=1173162

--- src/libjasper/jp2/jp2_dec.c.orig	2004-02-09 01:34:40.000000000 +0000
+++ src/libjasper/jp2/jp2_dec.c
@@ -293,7 +293,9 @@ jas_image_t *jp2_decode(jas_stream_t *in
 		  dec->colr->data.colr.iccplen);
 		assert(iccprof);
 		jas_iccprof_gethdr(iccprof, &icchdr);
-		jas_eprintf("ICC Profile CS %08x\n", icchdr.colorspc);
+		if (jas_getdbglevel() >= 1) {
+			jas_eprintf("ICC Profile CS %08x\n", icchdr.colorspc);
+		}
 		jas_image_setclrspc(dec->image, fromiccpcs(icchdr.colorspc));
 		dec->image->cmprof_ = jas_cmprof_createfromiccprof(iccprof);
 		assert(dec->image->cmprof_);
@@ -386,6 +388,13 @@ jas_image_t *jp2_decode(jas_stream_t *in
 	/* Determine the type of each component. */
 	if (dec->cdef) {
 		for (i = 0; i < dec->numchans; ++i) {
+			/* Is the channel number reasonable? */
+			if (dec->cdef->data.cdef.ents[i].channo >= dec->numchans) {
+				jas_eprintf("error: invalid channel number in CDEF box\n");
+
+				goto error;
+
+			}
 			jas_image_setcmpttype(dec->image,
 			  dec->chantocmptlut[dec->cdef->data.cdef.ents[i].channo],
 			  jp2_getct(jas_image_clrspc(dec->image),
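Review bot: The new test bounds `channo`, but the loop still indexes `dec->cdef->data.cdef.ents[i]` for every `i < dec->numchans`, and nothing in the hunk shows that the CDEF box holds that many entries. If the box carries its own entry count (the cmap box in the jp2_cod.c patch on this page is walked with `cmap->numchans`), a file with fewer CDEF entries than channels would make `ents[i]` read past the array before the added check runs. Consider bounding the loop by the box's own count, e.g. `for (i = 0; i < dec->cdef->data.cdef.numchans; ++i)`, after confirming the field name against the header. jp2_decode starts and ends outside this hunk.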

File Added: pkgsrc/graphics/jasper/patches/Attic/patch-src_libjasper_jpc_jpc__cs.c
$NetBSD: patch-src_libjasper_jpc_jpc__cs.c,v 1.1.2.2 2015/02/19 21:18:52 tron Exp $

Add fixes for CVE-2011-4516 and CVE-2011-4517.

--- src/libjasper/jpc/jpc_cs.c.orig	2007-01-19 21:43:07.000000000 +0000
+++ src/libjasper/jpc/jpc_cs.c
@@ -744,6 +744,10 @@ static int jpc_cox_getcompparms(jpc_ms_t
 		return -1;
 	}
 	compparms->numrlvls = compparms->numdlvls + 1;
+	if (compparms->numrlvls > JPC_MAXRLVLS) {
+		jpc_cox_destroycompparms(compparms);
+		return -1;
+	}
 	if (prtflag) {
 		for (i = 0; i < compparms->numrlvls; ++i) {
 			if (jpc_getuint8(in, &tmp)) {
@@ -982,7 +986,10 @@ static int jpc_qcx_getcompparms(jpc_qcxc
 		compparms->numstepsizes = (len - n) / 2;
 		break;
 	}
-	if (compparms->numstepsizes > 0) {
+	if (compparms->numstepsizes > 3 * JPC_MAXRLVLS + 1) {
+		jpc_qcx_destroycompparms(compparms);
+                return -1;
+        } else if (compparms->numstepsizes > 0) {
 		compparms->stepsizes = jas_malloc(compparms->numstepsizes *
 		  sizeof(uint_fast16_t));
 		assert(compparms->stepsizes);
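Review bot: The bound `3 * JPC_MAXRLVLS + 1` is added with no comment naming the buffer it protects, and the added `return -1;` and `} else if (...)` lines are indented with spaces in a tab-indented file. A one-line comment such as `/* numstepsizes must fit the fixed-size step-size table it is later copied into */` would help the next reader, once it is confirmed where that table is declared, which this hunk does not show. The allocation that follows is still checked only by `assert(compparms->stepsizes)`, which is compiled out under NDEBUG; returning -1 on a NULL result would match the error path added here. jpc_qcx_getcompparms starts and ends outside the hunk.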
@@ -1328,7 +1335,7 @@ static int jpc_crg_getparms(jpc_ms_t *ms
 	jpc_crgcomp_t *comp;
 	uint_fast16_t compno;
 	crg->numcomps = cstate->numcomps;
-	if (!(crg->comps = jas_malloc(cstate->numcomps * sizeof(uint_fast16_t)))) {
+	if (!(crg->comps = jas_malloc(cstate->numcomps * sizeof(jpc_crgcomp_t)))) {
 		return -1;
 	}
 	for (compno = 0, comp = crg->comps; compno < cstate->numcomps;
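Review bot: The corrected allocation still spells the element type by hand, which is how the `uint_fast16_t` / `jpc_crgcomp_t` mismatch got in; sizing from the pointer keeps the two in step: `jas_malloc(cstate->numcomps * sizeof(*crg->comps))`. The multiplication itself is unchecked, which is presumably safe only because numcomps is a 16-bit count from the codestream; its declaration is not visible here, so that is worth confirming. jpc_crg_getparms continues past the end of the hunk.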

File Added: pkgsrc/graphics/jasper/patches/Attic/patch-src_libjasper_jpc_jpc__qmfb.c
$NetBSD: patch-src_libjasper_jpc_jpc__qmfb.c,v 1.1.2.2 2015/02/19 21:18:52 tron Exp $

Fix CVE-2014-8158.  Patch taken from
https://bugzilla.redhat.com/show_bug.cgi?id=1179298

--- src/libjasper/jpc/jpc_qmfb.c.orig	2007-01-19 13:43:07.000000000 -0800
+++ src/libjasper/jpc/jpc_qmfb.c	2015-02-08 14:49:33.000000000 -0800
@@ -306,11 +306,7 @@ void jpc_qmfb_split_row(jpc_fix_t *a, in
 {
 
 	int bufsize = JPC_CEILDIVPOW2(numcols, 1);
-#if !defined(HAVE_VLA)
 	jpc_fix_t splitbuf[QMFB_SPLITBUFSIZE];
-#else
-	jpc_fix_t splitbuf[bufsize];
-#endif
 	jpc_fix_t *buf = splitbuf;
 	register jpc_fix_t *srcptr;
 	register jpc_fix_t *dstptr;
@@ -318,7 +314,6 @@ void jpc_qmfb_split_row(jpc_fix_t *a, in
 	register int m;
 	int hstartcol;
 
-#if !defined(HAVE_VLA)
 	/* Get a buffer. */
 	if (bufsize > QMFB_SPLITBUFSIZE) {
 		if (!(buf = jas_malloc(bufsize * sizeof(jpc_fix_t)))) {
@@ -326,7 +321,6 @@ void jpc_qmfb_split_row(jpc_fix_t *a, in
 			abort();
 		}
 	}
-#endif
 
 	if (numcols >= 2) {
 		hstartcol = (numcols + 1 - parity) >> 1;
@@ -360,12 +354,10 @@ void jpc_qmfb_split_row(jpc_fix_t *a, in
 		}
 	}
 
-#if !defined(HAVE_VLA)
 	/* If the split buffer was allocated on the heap, free this memory. */
 	if (buf != splitbuf) {
 		jas_free(buf);
 	}
-#endif
 
 }
 
@@ -374,11 +366,7 @@ void jpc_qmfb_split_col(jpc_fix_t *a, in
 {
 
 	int bufsize = JPC_CEILDIVPOW2(numrows, 1);
-#if !defined(HAVE_VLA)
 	jpc_fix_t splitbuf[QMFB_SPLITBUFSIZE];
-#else
-	jpc_fix_t splitbuf[bufsize];
-#endif
 	jpc_fix_t *buf = splitbuf;
 	register jpc_fix_t *srcptr;
 	register jpc_fix_t *dstptr;
@@ -386,7 +374,6 @@ void jpc_qmfb_split_col(jpc_fix_t *a, in
 	register int m;
 	int hstartcol;
 
-#if !defined(HAVE_VLA)
 	/* Get a buffer. */
 	if (bufsize > QMFB_SPLITBUFSIZE) {
 		if (!(buf = jas_malloc(bufsize * sizeof(jpc_fix_t)))) {
@@ -394,7 +381,6 @@ void jpc_qmfb_split_col(jpc_fix_t *a, in
 			abort();
 		}
 	}
-#endif
 
 	if (numrows >= 2) {
 		hstartcol = (numrows + 1 - parity) >> 1;
@@ -428,12 +414,10 @@ void jpc_qmfb_split_col(jpc_fix_t *a, in
 		}
 	}
 
-#if !defined(HAVE_VLA)
 	/* If the split buffer was allocated on the heap, free this memory. */
 	if (buf != splitbuf) {
 		jas_free(buf);
 	}
-#endif
 
 }
 
@@ -442,11 +426,7 @@ void jpc_qmfb_split_colgrp(jpc_fix_t *a,
 {
 
 	int bufsize = JPC_CEILDIVPOW2(numrows, 1);
-#if !defined(HAVE_VLA)
 	jpc_fix_t splitbuf[QMFB_SPLITBUFSIZE * JPC_QMFB_COLGRPSIZE];
-#else
-	jpc_fix_t splitbuf[bufsize * JPC_QMFB_COLGRPSIZE];
-#endif
 	jpc_fix_t *buf = splitbuf;
 	jpc_fix_t *srcptr;
 	jpc_fix_t *dstptr;
@@ -457,7 +437,6 @@ void jpc_qmfb_split_colgrp(jpc_fix_t *a,
 	int m;
 	int hstartcol;
 
-#if !defined(HAVE_VLA)
 	/* Get a buffer. */
 	if (bufsize > QMFB_SPLITBUFSIZE) {
 		if (!(buf = jas_malloc(bufsize * sizeof(jpc_fix_t)))) {
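Review bot: With the HAVE_VLA branches removed, the heap path in jpc_qmfb_split_colgrp becomes the only one taken for large inputs, and it allocates `bufsize * sizeof(jpc_fix_t)` although the stack array it stands in for holds `QMFB_SPLITBUFSIZE * JPC_QMFB_COLGRPSIZE` elements. jpc_qmfb_join_colgrp in this same patch allocates `bufsize * JPC_QMFB_COLGRPSIZE * sizeof(jpc_fix_t)`, so the split side looks short by a factor of JPC_QMFB_COLGRPSIZE; the copy loops are outside these hunks, so confirm how many samples per row they store into `buf`. If they store a full column group, the call should read `jas_malloc(bufsize * JPC_QMFB_COLGRPSIZE * sizeof(jpc_fix_t))`, and jpc_qmfb_split_colres has the same shape and would need `bufsize * numcols * sizeof(jpc_fix_t)`, as jpc_qmfb_join_colres already uses. The function body starts and ends outside this hunk.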
@@ -465,7 +444,6 @@ void jpc_qmfb_split_colgrp(jpc_fix_t *a,
 			abort();
 		}
 	}
-#endif
 
 	if (numrows >= 2) {
 		hstartcol = (numrows + 1 - parity) >> 1;
@@ -517,12 +495,10 @@ void jpc_qmfb_split_colgrp(jpc_fix_t *a,
 		}
 	}
 
-#if !defined(HAVE_VLA)
 	/* If the split buffer was allocated on the heap, free this memory. */
 	if (buf != splitbuf) {
 		jas_free(buf);
 	}
-#endif
 
 }
 
@@ -531,11 +507,7 @@ void jpc_qmfb_split_colres(jpc_fix_t *a,
 {
 
 	int bufsize = JPC_CEILDIVPOW2(numrows, 1);
-#if !defined(HAVE_VLA)
 	jpc_fix_t splitbuf[QMFB_SPLITBUFSIZE * JPC_QMFB_COLGRPSIZE];
-#else
-	jpc_fix_t splitbuf[bufsize * numcols];
-#endif
 	jpc_fix_t *buf = splitbuf;
 	jpc_fix_t *srcptr;
 	jpc_fix_t *dstptr;
@@ -546,7 +518,6 @@ void jpc_qmfb_split_colres(jpc_fix_t *a,
 	int m;
 	int hstartcol;
 
-#if !defined(HAVE_VLA)
 	/* Get a buffer. */
 	if (bufsize > QMFB_SPLITBUFSIZE) {
 		if (!(buf = jas_malloc(bufsize * sizeof(jpc_fix_t)))) {
@@ -554,7 +525,6 @@ void jpc_qmfb_split_colres(jpc_fix_t *a,
 			abort();
 		}
 	}
-#endif
 
 	if (numrows >= 2) {
 		hstartcol = (numrows + 1 - parity) >> 1;
@@ -606,12 +576,10 @@ void jpc_qmfb_split_colres(jpc_fix_t *a,
 		}
 	}
 
-#if !defined(HAVE_VLA)
 	/* If the split buffer was allocated on the heap, free this memory. */
 	if (buf != splitbuf) {
 		jas_free(buf);
 	}
-#endif
 
 }
 
@@ -619,18 +587,13 @@ void jpc_qmfb_join_row(jpc_fix_t *a, int
 {
 
 	int bufsize = JPC_CEILDIVPOW2(numcols, 1);
-#if !defined(HAVE_VLA)
 	jpc_fix_t joinbuf[QMFB_JOINBUFSIZE];
-#else
-	jpc_fix_t joinbuf[bufsize];
-#endif
 	jpc_fix_t *buf = joinbuf;
 	register jpc_fix_t *srcptr;
 	register jpc_fix_t *dstptr;
 	register int n;
 	int hstartcol;
 
-#if !defined(HAVE_VLA)
 	/* Allocate memory for the join buffer from the heap. */
 	if (bufsize > QMFB_JOINBUFSIZE) {
 		if (!(buf = jas_malloc(bufsize * sizeof(jpc_fix_t)))) {
@@ -638,7 +601,6 @@ void jpc_qmfb_join_row(jpc_fix_t *a, int
 			abort();
 		}
 	}
-#endif
 
 	hstartcol = (numcols + 1 - parity) >> 1;
 
@@ -670,12 +632,10 @@ void jpc_qmfb_join_row(jpc_fix_t *a, int
 		++srcptr;
 	}
 
-#if !defined(HAVE_VLA)
 	/* If the join buffer was allocated on the heap, free this memory. */
 	if (buf != joinbuf) {
 		jas_free(buf);
 	}
-#endif
 
 }
 
@@ -684,18 +644,13 @@ void jpc_qmfb_join_col(jpc_fix_t *a, int
 {
 
 	int bufsize = JPC_CEILDIVPOW2(numrows, 1);
-#if !defined(HAVE_VLA)
 	jpc_fix_t joinbuf[QMFB_JOINBUFSIZE];
-#else
-	jpc_fix_t joinbuf[bufsize];
-#endif
 	jpc_fix_t *buf = joinbuf;
 	register jpc_fix_t *srcptr;
 	register jpc_fix_t *dstptr;
 	register int n;
 	int hstartcol;
 
-#if !defined(HAVE_VLA)
 	/* Allocate memory for the join buffer from the heap. */
 	if (bufsize > QMFB_JOINBUFSIZE) {
 		if (!(buf = jas_malloc(bufsize * sizeof(jpc_fix_t)))) {
@@ -703,7 +658,6 @@ void jpc_qmfb_join_col(jpc_fix_t *a, int
 			abort();
 		}
 	}
-#endif
 
 	hstartcol = (numrows + 1 - parity) >> 1;
 
@@ -735,12 +689,10 @@ void jpc_qmfb_join_col(jpc_fix_t *a, int
 		++srcptr;
 	}
 
-#if !defined(HAVE_VLA)
 	/* If the join buffer was allocated on the heap, free this memory. */
 	if (buf != joinbuf) {
 		jas_free(buf);
 	}
-#endif
 
 }
 
@@ -749,11 +701,7 @@ void jpc_qmfb_join_colgrp(jpc_fix_t *a, 
 {
 
 	int bufsize = JPC_CEILDIVPOW2(numrows, 1);
-#if !defined(HAVE_VLA)
 	jpc_fix_t joinbuf[QMFB_JOINBUFSIZE * JPC_QMFB_COLGRPSIZE];
-#else
-	jpc_fix_t joinbuf[bufsize * JPC_QMFB_COLGRPSIZE];
-#endif
 	jpc_fix_t *buf = joinbuf;
 	jpc_fix_t *srcptr;
 	jpc_fix_t *dstptr;
@@ -763,7 +711,6 @@ void jpc_qmfb_join_colgrp(jpc_fix_t *a, 
 	register int i;
 	int hstartcol;
 
-#if !defined(HAVE_VLA)
 	/* Allocate memory for the join buffer from the heap. */
 	if (bufsize > QMFB_JOINBUFSIZE) {
 		if (!(buf = jas_malloc(bufsize * JPC_QMFB_COLGRPSIZE * sizeof(jpc_fix_t)))) {
@@ -771,7 +718,6 @@ void jpc_qmfb_join_colgrp(jpc_fix_t *a, 
 			abort();
 		}
 	}
-#endif
 
 	hstartcol = (numrows + 1 - parity) >> 1;
 
@@ -821,12 +767,10 @@ void jpc_qmfb_join_colgrp(jpc_fix_t *a, 
 		srcptr += JPC_QMFB_COLGRPSIZE;
 	}
 
-#if !defined(HAVE_VLA)
 	/* If the join buffer was allocated on the heap, free this memory. */
 	if (buf != joinbuf) {
 		jas_free(buf);
 	}
-#endif
 
 }
 
@@ -835,11 +779,7 @@ void jpc_qmfb_join_colres(jpc_fix_t *a, 
 {
 
 	int bufsize = JPC_CEILDIVPOW2(numrows, 1);
-#if !defined(HAVE_VLA)
 	jpc_fix_t joinbuf[QMFB_JOINBUFSIZE * JPC_QMFB_COLGRPSIZE];
-#else
-	jpc_fix_t joinbuf[bufsize * numcols];
-#endif
 	jpc_fix_t *buf = joinbuf;
 	jpc_fix_t *srcptr;
 	jpc_fix_t *dstptr;
@@ -849,7 +789,6 @@ void jpc_qmfb_join_colres(jpc_fix_t *a, 
 	register int i;
 	int hstartcol;
 
-#if !defined(HAVE_VLA)
 	/* Allocate memory for the join buffer from the heap. */
 	if (bufsize > QMFB_JOINBUFSIZE) {
 		if (!(buf = jas_malloc(bufsize * numcols * sizeof(jpc_fix_t)))) {
@@ -857,7 +796,6 @@ void jpc_qmfb_join_colres(jpc_fix_t *a, 
 			abort();
 		}
 	}
-#endif
 
 	hstartcol = (numrows + 1 - parity) >> 1;
 
@@ -907,12 +845,10 @@ void jpc_qmfb_join_colres(jpc_fix_t *a, 
 		srcptr += numcols;
 	}
 
-#if !defined(HAVE_VLA)
 	/* If the join buffer was allocated on the heap, free this memory. */
 	if (buf != joinbuf) {
 		jas_free(buf);
 	}
-#endif
 
 }
 

File Added: pkgsrc/graphics/jasper/patches/Attic/patch-src_libjasper_jpc_jpc__dec.c
$NetBSD$

Apply fixes from
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=469786
and
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-9029

Also add a patch from Debian (bug #413041) to fix some heap corruption
on malformed image input (CVE-2007-2721),

Apply fix for CVE-2014-8157, taken from
https://bugzilla.redhat.com/show_bug.cgi?id=1179282

--- src/libjasper/jpc/jpc_dec.c.orig	2014-12-05 12:10:45.000000000 +0000
+++ src/libjasper/jpc/jpc_dec.c
@@ -489,7 +489,7 @@ static int jpc_dec_process_sot(jpc_dec_t
 		dec->curtileendoff = 0;
 	}
 
-	if (JAS_CAST(int, sot->tileno) > dec->numtiles) {
+	if (JAS_CAST(int, sot->tileno) >= dec->numtiles) {
 		jas_eprintf("invalid tile number in SOT marker segment\n");
 		return -1;
 	}
@@ -1069,12 +1069,12 @@ static int jpc_dec_tiledecode(jpc_dec_t 
 	/* Apply an inverse intercomponent transform if necessary. */
 	switch (tile->cp->mctid) {
 	case JPC_MCT_RCT:
-		assert(dec->numcomps == 3);
+		assert(dec->numcomps >= 3);
 		jpc_irct(tile->tcomps[0].data, tile->tcomps[1].data,
 		  tile->tcomps[2].data);
 		break;
 	case JPC_MCT_ICT:
-		assert(dec->numcomps == 3);
+		assert(dec->numcomps >= 3);
 		jpc_iict(tile->tcomps[0].data, tile->tcomps[1].data,
 		  tile->tcomps[2].data);
 		break;
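Review bot: The relaxed `assert(dec->numcomps >= 3)` in both the JPC_MCT_RCT and JPC_MCT_ICT cases is still the only guard before `tile->tcomps[1]` and `tile->tcomps[2]` are read. An assert is compiled out under NDEBUG and aborts the whole process otherwise, and numcomps presumably comes from the codestream being decoded. A runtime check that fails the decode is the safer form in both cases: `if (dec->numcomps < 3) { jas_eprintf("MCT requires at least three components\n"); return -1; }`. Whether a plain `return -1` leaves tile state that needs cleanup cannot be judged here, because jpc_dec_tiledecode starts and ends outside the hunk.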
@@ -1234,6 +1234,7 @@ static int jpc_dec_process_siz(jpc_dec_t
 		}
 		for (compno = 0, cmpt = dec->cmpts, tcomp = tile->tcomps;
 		  compno < dec->numcomps; ++compno, ++cmpt, ++tcomp) {
+			tcomp->numrlvls = 0;
 			tcomp->rlvls = 0;
 			tcomp->data = 0;
 			tcomp->xstart = JPC_CEILDIV(tile->xstart, cmpt->hstep);
@@ -1280,7 +1281,7 @@ static int jpc_dec_process_coc(jpc_dec_t
 	jpc_coc_t *coc = &ms->parms.coc;
 	jpc_dec_tile_t *tile;
 
-	if (JAS_CAST(int, coc->compno) > dec->numcomps) {
+	if (JAS_CAST(int, coc->compno) >= dec->numcomps) {
 		jas_eprintf("invalid component number in COC marker segment\n");
 		return -1;
 	}
@@ -1306,7 +1307,7 @@ static int jpc_dec_process_rgn(jpc_dec_t
 	jpc_rgn_t *rgn = &ms->parms.rgn;
 	jpc_dec_tile_t *tile;
 
-	if (JAS_CAST(int, rgn->compno) > dec->numcomps) {
+	if (JAS_CAST(int, rgn->compno) >= dec->numcomps) {
 		jas_eprintf("invalid component number in RGN marker segment\n");
 		return -1;
 	}
@@ -1355,7 +1356,7 @@ static int jpc_dec_process_qcc(jpc_dec_t
 	jpc_qcc_t *qcc = &ms->parms.qcc;
 	jpc_dec_tile_t *tile;
 
-	if (JAS_CAST(int, qcc->compno) > dec->numcomps) {
+	if (JAS_CAST(int, qcc->compno) >= dec->numcomps) {
 		jas_eprintf("invalid component number in QCC marker segment\n");
 		return -1;
 	}
@@ -1466,7 +1467,9 @@ static int jpc_dec_process_unk(jpc_dec_t
 	dec = 0;
 
 	jas_eprintf("warning: ignoring unknown marker segment\n");
-	jpc_ms_dump(ms, stderr);
+	if (jas_getdbglevel() >= 1) {
+		jpc_ms_dump(ms, stderr);
+	}
 	return 0;
 }