Thu Feb 19 21:18:52 2015 UTC ()
Pullup ticket #4624 - requested by taca
graphics/jasper: security patch
Revisions pulled up:
- graphics/jasper/Makefile 1.39-1.40
- graphics/jasper/distinfo 1.16-1.17
- graphics/jasper/patches/patch-CVE-2014-9029 deleted
- graphics/jasper/patches/patch-ad deleted
- graphics/jasper/patches/patch-ae deleted
- graphics/jasper/patches/patch-ag deleted
- graphics/jasper/patches/patch-ah deleted
- graphics/jasper/patches/patch-ai deleted
- graphics/jasper/patches/patch-aj deleted
- graphics/jasper/patches/patch-configure 1.1
- graphics/jasper/patches/patch-src_libjasper_jp2_jp2__cod.c 1.1
- graphics/jasper/patches/patch-src_libjasper_jp2_jp2__dec.c 1.1
- graphics/jasper/patches/patch-src_libjasper_jpc_jpc__cs.c 1.1
- graphics/jasper/patches/patch-src_libjasper_jpc_jpc__dec.c 1.1-1.2
- graphics/jasper/patches/patch-src_libjasper_jpc_jpc__qmfb.c 1.1
---
Module Name: pkgsrc
Committed By: he
Date: Thu Jan 1 14:15:27 UTC 2015
Modified Files:
pkgsrc/graphics/jasper: Makefile distinfo
Added Files:
pkgsrc/graphics/jasper/patches: patch-configure
patch-src_libjasper_jp2_jp2__cod.c
patch-src_libjasper_jp2_jp2__dec.c
patch-src_libjasper_jpc_jpc__cs.c
patch-src_libjasper_jpc_jpc__dec.c
Removed Files:
pkgsrc/graphics/jasper/patches: patch-CVE-2014-9029 patch-ad patch-ae
patch-ag patch-ah patch-ai patch-aj
Log Message:
Rename patches to conform to the "new" style.
Add comments to the patches.
Add fix for oCERT-2014-012, pulled from RedHat.
Add fix from Debian bug 469786.
Add LICENSE setting, I think modified-bsd is fitting.
Bump PKGREVISION.
---
Module Name: pkgsrc
Committed By: snj
Date: Sun Feb 8 23:04:22 UTC 2015
Modified Files:
pkgsrc/graphics/jasper: Makefile distinfo
pkgsrc/graphics/jasper/patches: patch-src_libjasper_jpc_jpc__dec.c
Added Files:
pkgsrc/graphics/jasper/patches: patch-src_libjasper_jpc_jpc__qmfb.c
Log Message:
Fix CVE-2014-8157 and CVE-2014-8158. Bump PKGREVISION to 10.
(tron)
diff -r1.38 -r1.38.2.1 pkgsrc/graphics/jasper/Makefile
diff -r1.15 -r1.15.2.1 pkgsrc/graphics/jasper/distinfo
diff -r1.1 -r0 pkgsrc/graphics/jasper/patches/patch-CVE-2014-9029
diff -r1.1 -r0 pkgsrc/graphics/jasper/patches/patch-aj
diff -r1.3 -r0 pkgsrc/graphics/jasper/patches/patch-ad
diff -r1.3 -r0 pkgsrc/graphics/jasper/patches/patch-ah
diff -r1.2 -r0 pkgsrc/graphics/jasper/patches/patch-ae
diff -r1.2 -r0 pkgsrc/graphics/jasper/patches/patch-ai
diff -r1.4 -r0 pkgsrc/graphics/jasper/patches/patch-ag
diff -r0 -r1.1.2.2 pkgsrc/graphics/jasper/patches/patch-configure
diff -r0 -r1.1.2.2 pkgsrc/graphics/jasper/patches/patch-src_libjasper_jp2_jp2__cod.c
diff -r0 -r1.1.2.2 pkgsrc/graphics/jasper/patches/patch-src_libjasper_jp2_jp2__dec.c
diff -r0 -r1.1.2.2 pkgsrc/graphics/jasper/patches/patch-src_libjasper_jpc_jpc__cs.c
diff -r0 -r1.1.2.2 pkgsrc/graphics/jasper/patches/patch-src_libjasper_jpc_jpc__qmfb.c
diff -r0 -r1.2.2.2 pkgsrc/graphics/jasper/patches/patch-src_libjasper_jpc_jpc__dec.c
--- pkgsrc/graphics/jasper/Makefile 2014/12/11 20:18:09 1.38
+++ pkgsrc/graphics/jasper/Makefile 2015/02/19 21:18:52 1.38.2.1
@@ -1,7 +1,7 @@
-# $NetBSD: Makefile,v 1.38 2014/12/11 20:18:09 tez Exp $
+# $NetBSD: Makefile,v 1.38.2.1 2015/02/19 21:18:52 tron Exp $
DISTNAME= jasper-1.900.1
-PKGREVISION= 8
+PKGREVISION= 10
CATEGORIES= graphics
MASTER_SITES= http://www.ece.uvic.ca/~mdadams/jasper/software/
EXTRACT_SUFX= .zip
@@ -9,6 +9,7 @@
MAINTAINER= adam@NetBSD.org
HOMEPAGE= http://www.ece.uvic.ca/~mdadams/jasper/
COMMENT= Software-based reference implementation of the JPEG-2000 codec
+LICENSE= modified-bsd
USE_LANGUAGES= c99
USE_LIBTOOL= yes
--- pkgsrc/graphics/jasper/distinfo 2014/12/11 20:18:09 1.15
+++ pkgsrc/graphics/jasper/distinfo 2015/02/19 21:18:52 1.15.2.1
@@ -1,12 +1,11 @@
-$NetBSD: distinfo,v 1.15 2014/12/11 20:18:09 tez Exp $
+$NetBSD: distinfo,v 1.15.2.1 2015/02/19 21:18:52 tron Exp $
SHA1 (jasper-1.900.1.zip) = 9c5735f773922e580bf98c7c7dfda9bbed4c5191
RMD160 (jasper-1.900.1.zip) = fb2c188abf5b8c297078ac1f913101734f72db5c
Size (jasper-1.900.1.zip) = 1415752 bytes
-SHA1 (patch-CVE-2014-9029) = e8db6f31a06773dd385b40d684f4be8eb8676723
+SHA1 (patch-configure) = c8aa09f8432f0e3f5667ecb3ccd738c3c03f3f05
-SHA1 (patch-ad) = 85637e42cdb1245babd5736c2d039558025738a6
+SHA1 (patch-src_libjasper_jp2_jp2__cod.c) = 7902e9900130f466fa60a5389409cc9495b6260c
-SHA1 (patch-ae) = bfe00f76582a44ad748706c3fc81c4d6b8aede35
+SHA1 (patch-src_libjasper_jp2_jp2__dec.c) = 5a795502f9241829afa1acf0a2a341155b954108
-SHA1 (patch-ag) = 0a3cf7ffff67001529198c23c3ca2499c71be7fa
+SHA1 (patch-src_libjasper_jpc_jpc__cs.c) = 794de4dcf8f809275a5bee5cb60d95cf9608e0a7
-SHA1 (patch-ah) = 5455854277ad52adb4a22be08219facd796bbf1a
+SHA1 (patch-src_libjasper_jpc_jpc__dec.c) = 9b0d764671ef32868a390464480c5b3ee805e258
-SHA1 (patch-ai) = 39a16368197d180d9d925bc12b9fc1c6985f06f0
+SHA1 (patch-src_libjasper_jpc_jpc__qmfb.c) = 8c8d6e6fbb8ce0117a9e806777a6fdde21e6d780
-SHA1 (patch-aj) = a2f5b3b31220767cd6f22ff236e3789ab6a5ba4f
$NetBSD: patch-configure,v 1.1.2.2 2015/02/19 21:18:52 tron Exp $
Check for C99 conformance for stdbool.h, don't just test its presence.
--- configure.orig 2007-01-19 21:54:48.000000000 +0000
+++ configure 2007-08-12 20:56:30.000000000 +0000
@@ -20979,6 +20979,163 @@ _ACEOF
fi
+echo "$as_me:$LINENO: checking for stdbool.h that conforms to C99" >&5
+echo $ECHO_N "checking for stdbool.h that conforms to C99... $ECHO_C" >&6
+if test "${ac_cv_header_stdbool_h+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+
+#include <stdbool.h>
+#ifndef bool
+# error bool is not defined
+#endif
+#ifndef false
+# error false is not defined
+#endif
+#if false
+# error false is not 0
+#endif
+#ifndef true
+# error true is not defined
+#endif
+#if true != 1
+# error true is not 1
+#endif
+#ifndef __bool_true_false_are_defined
+# error __bool_true_false_are_defined is not defined
+#endif
+
+ struct s { _Bool s: 1; _Bool t; } s;
+
+ char a[true == 1 ? 1 : -1];
+ char b[false == 0 ? 1 : -1];
+ char c[__bool_true_false_are_defined == 1 ? 1 : -1];
+ char d[(bool) -0.5 == true ? 1 : -1];
+ bool e = &s;
+ char f[(_Bool) -0.0 == false ? 1 : -1];
+ char g[true];
+ char h[sizeof (_Bool)];
+ char i[sizeof s.t];
+
+int
+main ()
+{
+ return !a + !b + !c + !d + !e + !f + !g + !h + !i;
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
+ (eval $ac_compile) 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } &&
+ { ac_try='test -z "$ac_c_werror_flag"
+ || test ! -s conftest.err'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; } &&
+ { ac_try='test -s conftest.$ac_objext'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; }; then
+ ac_cv_header_stdbool_h=yes
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+ac_cv_header_stdbool_h=no
+fi
+rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
+fi
+echo "$as_me:$LINENO: result: $ac_cv_header_stdbool_h" >&5
+echo "${ECHO_T}$ac_cv_header_stdbool_h" >&6
+echo "$as_me:$LINENO: checking for _Bool" >&5
+echo $ECHO_N "checking for _Bool... $ECHO_C" >&6
+if test "${ac_cv_type__Bool+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+$ac_includes_default
+int
+main ()
+{
+if ((_Bool *) 0)
+ return 0;
+if (sizeof (_Bool))
+ return 0;
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
+ (eval $ac_compile) 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } &&
+ { ac_try='test -z "$ac_c_werror_flag"
+ || test ! -s conftest.err'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; } &&
+ { ac_try='test -s conftest.$ac_objext'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; }; then
+ ac_cv_type__Bool=yes
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+ac_cv_type__Bool=no
+fi
+rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
+fi
+echo "$as_me:$LINENO: result: $ac_cv_type__Bool" >&5
+echo "${ECHO_T}$ac_cv_type__Bool" >&6
+if test $ac_cv_type__Bool = yes; then
+
+cat >>confdefs.h <<_ACEOF
+#define HAVE__BOOL 1
+_ACEOF
+
+
+fi
+
+if test $ac_cv_header_stdbool_h = yes; then
+
+cat >>confdefs.h <<\_ACEOF
+#define HAVE_STDBOOL_H 1
+_ACEOF
+
+fi
@@ -20990,7 +21147,7 @@ fi
-for ac_header in fcntl.h limits.h unistd.h stdint.h stdbool.h io.h windows.h sys/types.h sys/time.h stdlib.h stddef.h
+for ac_header in fcntl.h limits.h unistd.h stdint.h io.h windows.h sys/types.h sys/time.h stdlib.h stddef.h
do
as_ac_Header=`echo "ac_cv_header_$ac_header" | $as_tr_sh`
if eval "test \"\${$as_ac_Header+set}\" = set"; then
$NetBSD: patch-src_libjasper_jp2_jp2__cod.c,v 1.1.2.2 2015/02/19 21:18:52 tron Exp $
Only output debug info if debuglevel >= 1.
--- src/libjasper/jp2/jp2_cod.c.orig 2006-12-08 00:23:36.000000000 +0000
+++ src/libjasper/jp2/jp2_cod.c
@@ -795,11 +795,15 @@ static void jp2_cmap_dumpdata(jp2_box_t
jp2_cmap_t *cmap = &box->data.cmap;
unsigned int i;
jp2_cmapent_t *ent;
- fprintf(out, "numchans = %d\n", (int) cmap->numchans);
+ if (jas_getdbglevel() >= 1) {
+ fprintf(out, "numchans = %d\n", (int) cmap->numchans);
+ }
for (i = 0; i < cmap->numchans; ++i) {
ent = &cmap->ents[i];
- fprintf(out, "cmptno=%d; map=%d; pcol=%d\n",
- (int) ent->cmptno, (int) ent->map, (int) ent->pcol);
+ if (jas_getdbglevel() >= 1) {
+ fprintf(out, "cmptno=%d; map=%d; pcol=%d\n",
+ (int) ent->cmptno, (int) ent->map, (int) ent->pcol);
+ }
}
}
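Review bot: The `jas_getdbglevel() >= 1` test is written twice, once around each `fprintf`, so at debug level 0 the loop still walks every `cmap->ents[i]` and does nothing with it. Printing is the only effect visible in this body, so a single guard placed after the declarations, `if (jas_getdbglevel() < 1) { return; }`, would read more clearly and keep the two call sites from drifting apart. The signature of jp2_cmap_dumpdata lies above the hunk, so this assumes nothing else precedes the declarations shown.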
$NetBSD: patch-src_libjasper_jp2_jp2__dec.c,v 1.1.2.2 2015/02/19 21:18:52 tron Exp $
Only output debug info if debuglevel >= 1.
Apply fix for oCERT-2014-012, from
https://bugzilla.redhat.com/show_bug.cgi?id=1173162
--- src/libjasper/jp2/jp2_dec.c.orig 2004-02-09 01:34:40.000000000 +0000
+++ src/libjasper/jp2/jp2_dec.c
@@ -293,7 +293,9 @@ jas_image_t *jp2_decode(jas_stream_t *in
dec->colr->data.colr.iccplen);
assert(iccprof);
jas_iccprof_gethdr(iccprof, &icchdr);
- jas_eprintf("ICC Profile CS %08x\n", icchdr.colorspc);
+ if (jas_getdbglevel() >= 1) {
+ jas_eprintf("ICC Profile CS %08x\n", icchdr.colorspc);
+ }
jas_image_setclrspc(dec->image, fromiccpcs(icchdr.colorspc));
dec->image->cmprof_ = jas_cmprof_createfromiccprof(iccprof);
assert(dec->image->cmprof_);
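Review bot: The values derived from the file's ICC profile are checked only by the two `assert()` calls around the added block: `assert(iccprof)` before `jas_iccprof_gethdr`, and `assert(dec->image->cmprof_)` after `jas_cmprof_createfromiccprof`. In a build with NDEBUG those checks disappear and a profile that fails to parse would presumably be used as a null pointer; without NDEBUG a malformed image aborts the calling process. jp2_decode already has an `error` label (the CDEF check later in this patch jumps to it), so both cases can be ordinary failures, e.g. `if (!iccprof) { jas_eprintf("error: failed to parse ICC profile\n"); goto error; }` and the same form for `cmprof_`. The call that produces `iccprof` starts above the hunk, so its failure value is assumed to be null.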
@@ -386,6 +388,13 @@ jas_image_t *jp2_decode(jas_stream_t *in
/* Determine the type of each component. */
if (dec->cdef) {
for (i = 0; i < dec->numchans; ++i) {
+ /* Is the channel number reasonable? */
+ if (dec->cdef->data.cdef.ents[i].channo >= dec->numchans) {
+ jas_eprintf("error: invalid channel number in CDEF box\n");
+
+ goto error;
+
+ }
jas_image_setcmpttype(dec->image,
dec->chantocmptlut[dec->cdef->data.cdef.ents[i].channo],
jp2_getct(jas_image_clrspc(dec->image),
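Review bot: The added test bounds `channo`, but the loop still runs `i` up to `dec->numchans` while indexing `dec->cdef->data.cdef.ents[i]`, and nothing in the hunk shows that the CDEF box holds that many entries. If the box declares fewer channels than the image has, `ents[i]` is read past the end of the array before the new test is reached. Bounding the loop by the box's own count, `for (i = 0; i < dec->cdef->data.cdef.numchans; ++i) {`, keeps both the index and the value in range; the field name should be confirmed against the CDEF box declaration, which is not part of this patch. The `jas_image_setcmpttype` call continues past the end of the hunk.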
$NetBSD: patch-src_libjasper_jpc_jpc__cs.c,v 1.1.2.2 2015/02/19 21:18:52 tron Exp $
Add fixes for CVE-2011-4516 and CVE-2011-4517.
--- src/libjasper/jpc/jpc_cs.c.orig 2007-01-19 21:43:07.000000000 +0000
+++ src/libjasper/jpc/jpc_cs.c
@@ -744,6 +744,10 @@ static int jpc_cox_getcompparms(jpc_ms_t
return -1;
}
compparms->numrlvls = compparms->numdlvls + 1;
+ if (compparms->numrlvls > JPC_MAXRLVLS) {
+ jpc_cox_destroycompparms(compparms);
+ return -1;
+ }
if (prtflag) {
for (i = 0; i < compparms->numrlvls; ++i) {
if (jpc_getuint8(in, &tmp)) {
@@ -982,7 +986,10 @@ static int jpc_qcx_getcompparms(jpc_qcxc
compparms->numstepsizes = (len - n) / 2;
break;
}
- if (compparms->numstepsizes > 0) {
+ if (compparms->numstepsizes > 3 * JPC_MAXRLVLS + 1) {
+ jpc_qcx_destroycompparms(compparms);
+ return -1;
+ } else if (compparms->numstepsizes > 0) {
compparms->stepsizes = jas_malloc(compparms->numstepsizes *
sizeof(uint_fast16_t));
assert(compparms->stepsizes);
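Review bot: Allocation failure directly after the new upper bound is still handled by `assert(compparms->stepsizes)`, so a build with NDEBUG carries on with a null `stepsizes` pointer and a build without it aborts the host process on a failed `jas_malloc`. The new over-limit branch already shows the error path this function uses, so the assert can become `if (!compparms->stepsizes) { jpc_qcx_destroycompparms(compparms); return -1; }`. The code that fills `stepsizes` is outside the hunk.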
@@ -1328,7 +1335,7 @@ static int jpc_crg_getparms(jpc_ms_t *ms
jpc_crgcomp_t *comp;
uint_fast16_t compno;
crg->numcomps = cstate->numcomps;
- if (!(crg->comps = jas_malloc(cstate->numcomps * sizeof(uint_fast16_t)))) {
+ if (!(crg->comps = jas_malloc(cstate->numcomps * sizeof(jpc_crgcomp_t)))) {
return -1;
}
for (compno = 0, comp = crg->comps; compno < cstate->numcomps;
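Review bot: The element size in the corrected `jas_malloc` call is still spelled as a type name, which is how the buffer came to be sized for `uint_fast16_t` while the loop below walks it as `jpc_crgcomp_t`. Tying the size to the pointer being assigned, `jas_malloc(cstate->numcomps * sizeof(*crg->comps))`, stops the two from diverging again if the element type changes. The loop body continues outside the hunk.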
$NetBSD: patch-src_libjasper_jpc_jpc__qmfb.c,v 1.1.2.2 2015/02/19 21:18:52 tron Exp $
Fix CVE-2014-8158. Patch taken from
https://bugzilla.redhat.com/show_bug.cgi?id=1179298
--- src/libjasper/jpc/jpc_qmfb.c.orig 2007-01-19 13:43:07.000000000 -0800
+++ src/libjasper/jpc/jpc_qmfb.c 2015-02-08 14:49:33.000000000 -0800
@@ -306,11 +306,7 @@ void jpc_qmfb_split_row(jpc_fix_t *a, in
{
int bufsize = JPC_CEILDIVPOW2(numcols, 1);
-#if !defined(HAVE_VLA)
jpc_fix_t splitbuf[QMFB_SPLITBUFSIZE];
-#else
- jpc_fix_t splitbuf[bufsize];
-#endif
jpc_fix_t *buf = splitbuf;
register jpc_fix_t *srcptr;
register jpc_fix_t *dstptr;
@@ -318,7 +314,6 @@ void jpc_qmfb_split_row(jpc_fix_t *a, in
register int m;
int hstartcol;
-#if !defined(HAVE_VLA)
/* Get a buffer. */
if (bufsize > QMFB_SPLITBUFSIZE) {
if (!(buf = jas_malloc(bufsize * sizeof(jpc_fix_t)))) {
@@ -326,7 +321,6 @@ void jpc_qmfb_split_row(jpc_fix_t *a, in
abort();
}
}
-#endif
if (numcols >= 2) {
hstartcol = (numcols + 1 - parity) >> 1;
@@ -360,12 +354,10 @@ void jpc_qmfb_split_row(jpc_fix_t *a, in
}
}
-#if !defined(HAVE_VLA)
/* If the split buffer was allocated on the heap, free this memory. */
if (buf != splitbuf) {
jas_free(buf);
}
-#endif
}
@@ -374,11 +366,7 @@ void jpc_qmfb_split_col(jpc_fix_t *a, in
{
int bufsize = JPC_CEILDIVPOW2(numrows, 1);
-#if !defined(HAVE_VLA)
jpc_fix_t splitbuf[QMFB_SPLITBUFSIZE];
-#else
- jpc_fix_t splitbuf[bufsize];
-#endif
jpc_fix_t *buf = splitbuf;
register jpc_fix_t *srcptr;
register jpc_fix_t *dstptr;
@@ -386,7 +374,6 @@ void jpc_qmfb_split_col(jpc_fix_t *a, in
register int m;
int hstartcol;
-#if !defined(HAVE_VLA)
/* Get a buffer. */
if (bufsize > QMFB_SPLITBUFSIZE) {
if (!(buf = jas_malloc(bufsize * sizeof(jpc_fix_t)))) {
@@ -394,7 +381,6 @@ void jpc_qmfb_split_col(jpc_fix_t *a, in
abort();
}
}
-#endif
if (numrows >= 2) {
hstartcol = (numrows + 1 - parity) >> 1;
@@ -428,12 +414,10 @@ void jpc_qmfb_split_col(jpc_fix_t *a, in
}
}
-#if !defined(HAVE_VLA)
/* If the split buffer was allocated on the heap, free this memory. */
if (buf != splitbuf) {
jas_free(buf);
}
-#endif
}
@@ -442,11 +426,7 @@ void jpc_qmfb_split_colgrp(jpc_fix_t *a,
{
int bufsize = JPC_CEILDIVPOW2(numrows, 1);
-#if !defined(HAVE_VLA)
jpc_fix_t splitbuf[QMFB_SPLITBUFSIZE * JPC_QMFB_COLGRPSIZE];
-#else
- jpc_fix_t splitbuf[bufsize * JPC_QMFB_COLGRPSIZE];
-#endif
jpc_fix_t *buf = splitbuf;
jpc_fix_t *srcptr;
jpc_fix_t *dstptr;
@@ -457,7 +437,6 @@ void jpc_qmfb_split_colgrp(jpc_fix_t *a,
int m;
int hstartcol;
-#if !defined(HAVE_VLA)
/* Get a buffer. */
if (bufsize > QMFB_SPLITBUFSIZE) {
if (!(buf = jas_malloc(bufsize * sizeof(jpc_fix_t)))) {
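Review bot: The heap fallback in jpc_qmfb_split_colgrp allocates `bufsize * sizeof(jpc_fix_t)`, although the stack buffer it stands in for holds `QMFB_SPLITBUFSIZE * JPC_QMFB_COLGRPSIZE` elements and the matching jpc_qmfb_join_colgrp allocates `bufsize * JPC_QMFB_COLGRPSIZE * sizeof(jpc_fix_t)`. With the VLA branch removed, this is the only path taken when `bufsize` exceeds QMFB_SPLITBUFSIZE, so the heap buffer looks one column wide where a whole column group is stored; the expected line is `if (!(buf = jas_malloc(bufsize * JPC_QMFB_COLGRPSIZE * sizeof(jpc_fix_t)))) {`. The same mismatch appears in the jpc_qmfb_split_colres hunk at `-546,7 +518,6`, where the join counterpart uses `bufsize * numcols`. The copy loops are outside these hunks, so the write width is inferred from the stack buffer size and the join functions rather than read directly.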
@@ -465,7 +444,6 @@ void jpc_qmfb_split_colgrp(jpc_fix_t *a,
abort();
}
}
-#endif
if (numrows >= 2) {
hstartcol = (numrows + 1 - parity) >> 1;
@@ -517,12 +495,10 @@ void jpc_qmfb_split_colgrp(jpc_fix_t *a,
}
}
-#if !defined(HAVE_VLA)
/* If the split buffer was allocated on the heap, free this memory. */
if (buf != splitbuf) {
jas_free(buf);
}
-#endif
}
@@ -531,11 +507,7 @@ void jpc_qmfb_split_colres(jpc_fix_t *a,
{
int bufsize = JPC_CEILDIVPOW2(numrows, 1);
-#if !defined(HAVE_VLA)
jpc_fix_t splitbuf[QMFB_SPLITBUFSIZE * JPC_QMFB_COLGRPSIZE];
-#else
- jpc_fix_t splitbuf[bufsize * numcols];
-#endif
jpc_fix_t *buf = splitbuf;
jpc_fix_t *srcptr;
jpc_fix_t *dstptr;
@@ -546,7 +518,6 @@ void jpc_qmfb_split_colres(jpc_fix_t *a,
int m;
int hstartcol;
-#if !defined(HAVE_VLA)
/* Get a buffer. */
if (bufsize > QMFB_SPLITBUFSIZE) {
if (!(buf = jas_malloc(bufsize * sizeof(jpc_fix_t)))) {
@@ -554,7 +525,6 @@ void jpc_qmfb_split_colres(jpc_fix_t *a,
abort();
}
}
-#endif
if (numrows >= 2) {
hstartcol = (numrows + 1 - parity) >> 1;
@@ -606,12 +576,10 @@ void jpc_qmfb_split_colres(jpc_fix_t *a,
}
}
-#if !defined(HAVE_VLA)
/* If the split buffer was allocated on the heap, free this memory. */
if (buf != splitbuf) {
jas_free(buf);
}
-#endif
}
@@ -619,18 +587,13 @@ void jpc_qmfb_join_row(jpc_fix_t *a, int
{
int bufsize = JPC_CEILDIVPOW2(numcols, 1);
-#if !defined(HAVE_VLA)
jpc_fix_t joinbuf[QMFB_JOINBUFSIZE];
-#else
- jpc_fix_t joinbuf[bufsize];
-#endif
jpc_fix_t *buf = joinbuf;
register jpc_fix_t *srcptr;
register jpc_fix_t *dstptr;
register int n;
int hstartcol;
-#if !defined(HAVE_VLA)
/* Allocate memory for the join buffer from the heap. */
if (bufsize > QMFB_JOINBUFSIZE) {
if (!(buf = jas_malloc(bufsize * sizeof(jpc_fix_t)))) {
@@ -638,7 +601,6 @@ void jpc_qmfb_join_row(jpc_fix_t *a, int
abort();
}
}
-#endif
hstartcol = (numcols + 1 - parity) >> 1;
@@ -670,12 +632,10 @@ void jpc_qmfb_join_row(jpc_fix_t *a, int
++srcptr;
}
-#if !defined(HAVE_VLA)
/* If the join buffer was allocated on the heap, free this memory. */
if (buf != joinbuf) {
jas_free(buf);
}
-#endif
}
@@ -684,18 +644,13 @@ void jpc_qmfb_join_col(jpc_fix_t *a, int
{
int bufsize = JPC_CEILDIVPOW2(numrows, 1);
-#if !defined(HAVE_VLA)
jpc_fix_t joinbuf[QMFB_JOINBUFSIZE];
-#else
- jpc_fix_t joinbuf[bufsize];
-#endif
jpc_fix_t *buf = joinbuf;
register jpc_fix_t *srcptr;
register jpc_fix_t *dstptr;
register int n;
int hstartcol;
-#if !defined(HAVE_VLA)
/* Allocate memory for the join buffer from the heap. */
if (bufsize > QMFB_JOINBUFSIZE) {
if (!(buf = jas_malloc(bufsize * sizeof(jpc_fix_t)))) {
@@ -703,7 +658,6 @@ void jpc_qmfb_join_col(jpc_fix_t *a, int
abort();
}
}
-#endif
hstartcol = (numrows + 1 - parity) >> 1;
@@ -735,12 +689,10 @@ void jpc_qmfb_join_col(jpc_fix_t *a, int
++srcptr;
}
-#if !defined(HAVE_VLA)
/* If the join buffer was allocated on the heap, free this memory. */
if (buf != joinbuf) {
jas_free(buf);
}
-#endif
}
@@ -749,11 +701,7 @@ void jpc_qmfb_join_colgrp(jpc_fix_t *a,
{
int bufsize = JPC_CEILDIVPOW2(numrows, 1);
-#if !defined(HAVE_VLA)
jpc_fix_t joinbuf[QMFB_JOINBUFSIZE * JPC_QMFB_COLGRPSIZE];
-#else
- jpc_fix_t joinbuf[bufsize * JPC_QMFB_COLGRPSIZE];
-#endif
jpc_fix_t *buf = joinbuf;
jpc_fix_t *srcptr;
jpc_fix_t *dstptr;
@@ -763,7 +711,6 @@ void jpc_qmfb_join_colgrp(jpc_fix_t *a,
register int i;
int hstartcol;
-#if !defined(HAVE_VLA)
/* Allocate memory for the join buffer from the heap. */
if (bufsize > QMFB_JOINBUFSIZE) {
if (!(buf = jas_malloc(bufsize * JPC_QMFB_COLGRPSIZE * sizeof(jpc_fix_t)))) {
@@ -771,7 +718,6 @@ void jpc_qmfb_join_colgrp(jpc_fix_t *a,
abort();
}
}
-#endif
hstartcol = (numrows + 1 - parity) >> 1;
@@ -821,12 +767,10 @@ void jpc_qmfb_join_colgrp(jpc_fix_t *a,
srcptr += JPC_QMFB_COLGRPSIZE;
}
-#if !defined(HAVE_VLA)
/* If the join buffer was allocated on the heap, free this memory. */
if (buf != joinbuf) {
jas_free(buf);
}
-#endif
}
@@ -835,11 +779,7 @@ void jpc_qmfb_join_colres(jpc_fix_t *a,
{
int bufsize = JPC_CEILDIVPOW2(numrows, 1);
-#if !defined(HAVE_VLA)
jpc_fix_t joinbuf[QMFB_JOINBUFSIZE * JPC_QMFB_COLGRPSIZE];
-#else
- jpc_fix_t joinbuf[bufsize * numcols];
-#endif
jpc_fix_t *buf = joinbuf;
jpc_fix_t *srcptr;
jpc_fix_t *dstptr;
@@ -849,7 +789,6 @@ void jpc_qmfb_join_colres(jpc_fix_t *a,
register int i;
int hstartcol;
-#if !defined(HAVE_VLA)
/* Allocate memory for the join buffer from the heap. */
if (bufsize > QMFB_JOINBUFSIZE) {
if (!(buf = jas_malloc(bufsize * numcols * sizeof(jpc_fix_t)))) {
@@ -857,7 +796,6 @@ void jpc_qmfb_join_colres(jpc_fix_t *a,
abort();
}
}
-#endif
hstartcol = (numrows + 1 - parity) >> 1;
@@ -907,12 +845,10 @@ void jpc_qmfb_join_colres(jpc_fix_t *a,
srcptr += numcols;
}
-#if !defined(HAVE_VLA)
/* If the join buffer was allocated on the heap, free this memory. */
if (buf != joinbuf) {
jas_free(buf);
}
-#endif
}
$NetBSD$
Apply fixes from
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=469786
and
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-9029
Also add a patch from Debian (bug #413041) to fix some heap corruption
on malformed image input (CVE-2007-2721),
Apply fix for CVE-2014-8157, taken from
https://bugzilla.redhat.com/show_bug.cgi?id=1179282
--- src/libjasper/jpc/jpc_dec.c.orig 2014-12-05 12:10:45.000000000 +0000
+++ src/libjasper/jpc/jpc_dec.c
@@ -489,7 +489,7 @@ static int jpc_dec_process_sot(jpc_dec_t
dec->curtileendoff = 0;
}
- if (JAS_CAST(int, sot->tileno) > dec->numtiles) {
+ if (JAS_CAST(int, sot->tileno) >= dec->numtiles) {
jas_eprintf("invalid tile number in SOT marker segment\n");
return -1;
}
@@ -1069,12 +1069,12 @@ static int jpc_dec_tiledecode(jpc_dec_t
/* Apply an inverse intercomponent transform if necessary. */
switch (tile->cp->mctid) {
case JPC_MCT_RCT:
- assert(dec->numcomps == 3);
+ assert(dec->numcomps >= 3);
jpc_irct(tile->tcomps[0].data, tile->tcomps[1].data,
tile->tcomps[2].data);
break;
case JPC_MCT_ICT:
- assert(dec->numcomps == 3);
+ assert(dec->numcomps >= 3);
jpc_iict(tile->tcomps[0].data, tile->tcomps[1].data,
tile->tcomps[2].data);
break;
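Review bot: The component count needed by the RCT and ICT cases is enforced only by `assert(dec->numcomps >= 3)`, yet `mctid` and `numcomps` both come from the codestream. With NDEBUG the check is compiled out and `tile->tcomps[1]` and `tile->tcomps[2]` are read for an image with fewer components; without NDEBUG a crafted file aborts the process. An explicit test in each case, `if (dec->numcomps < 3) { jas_eprintf("RCT requires at least three components\n"); return -1; }`, turns this into a decode failure. jpc_dec_tiledecode returns `int` according to the hunk header, but its error convention and any cleanup it needs lie outside the hunk and should be checked before returning early.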
@@ -1234,6 +1234,7 @@ static int jpc_dec_process_siz(jpc_dec_t
}
for (compno = 0, cmpt = dec->cmpts, tcomp = tile->tcomps;
compno < dec->numcomps; ++compno, ++cmpt, ++tcomp) {
+ tcomp->numrlvls = 0;
tcomp->rlvls = 0;
tcomp->data = 0;
tcomp->xstart = JPC_CEILDIV(tile->xstart, cmpt->hstep);
@@ -1280,7 +1281,7 @@ static int jpc_dec_process_coc(jpc_dec_t
jpc_coc_t *coc = &ms->parms.coc;
jpc_dec_tile_t *tile;
- if (JAS_CAST(int, coc->compno) > dec->numcomps) {
+ if (JAS_CAST(int, coc->compno) >= dec->numcomps) {
jas_eprintf("invalid component number in COC marker segment\n");
return -1;
}
@@ -1306,7 +1307,7 @@ static int jpc_dec_process_rgn(jpc_dec_t
jpc_rgn_t *rgn = &ms->parms.rgn;
jpc_dec_tile_t *tile;
- if (JAS_CAST(int, rgn->compno) > dec->numcomps) {
+ if (JAS_CAST(int, rgn->compno) >= dec->numcomps) {
jas_eprintf("invalid component number in RGN marker segment\n");
return -1;
}
@@ -1355,7 +1356,7 @@ static int jpc_dec_process_qcc(jpc_dec_t
jpc_qcc_t *qcc = &ms->parms.qcc;
jpc_dec_tile_t *tile;
- if (JAS_CAST(int, qcc->compno) > dec->numcomps) {
+ if (JAS_CAST(int, qcc->compno) >= dec->numcomps) {
jas_eprintf("invalid component number in QCC marker segment\n");
return -1;
}
@@ -1466,7 +1467,9 @@ static int jpc_dec_process_unk(jpc_dec_t
dec = 0;
jas_eprintf("warning: ignoring unknown marker segment\n");
- jpc_ms_dump(ms, stderr);
+ if (jas_getdbglevel() >= 1) {
+ jpc_ms_dump(ms, stderr);
+ }
return 0;
}