Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package jasper for openSUSE:Factory checked in at 2021-03-18 22:55:16 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/jasper (Old) and /work/SRC/openSUSE:Factory/.jasper.new.2401 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "jasper" Thu Mar 18 22:55:16 2021 rev:8 rq:879870 version:2.0.27 Changes: -------- --- /work/SRC/openSUSE:Factory/jasper/jasper.changes 2021-03-06 21:18:52.973251512 +0100 +++ /work/SRC/openSUSE:Factory/.jasper.new.2401/jasper.changes 2021-03-18 22:55:20.467556802 +0100 @@ -1,0 +2,13 @@ +Thu Mar 18 11:28:45 UTC 2021 - Michael Vetter <[email protected]> + +- Update to 2.0.27: + * Check for an image containing no samples in the PGX + decoder. (#271, #272, #273, #274, #275, #276, #281) + * Check for dimensions of zero in the JPC and JPEG decoders. + * Fix an arguably incorrect type for an integer literal + in the PGX decoder. (#270) + * Check for an invalid component reference in the + JP2 decoder. (#269) + * Check on integer size in JP2 decoder. (#278) + +------------------------------------------------------------------- Old: ---- version-2.0.26.tar.gz New: ---- version-2.0.27.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ jasper.spec ++++++ --- /var/tmp/diff_new_pack.UQ9hO3/_old 2021-03-18 22:55:21.079557462 +0100 +++ /var/tmp/diff_new_pack.UQ9hO3/_new 2021-03-18 22:55:21.083557467 +0100 @@ -17,7 +17,7 @@ Name: jasper -Version: 2.0.26 +Version: 2.0.27 Release: 0 Summary: An Implementation of the JPEG-2000 Standard, Part 1 License: SUSE-Public-Domain ++++++ version-2.0.26.tar.gz -> version-2.0.27.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/jasper-version-2.0.26/CMakeLists.txt new/jasper-version-2.0.27/CMakeLists.txt --- old/jasper-version-2.0.26/CMakeLists.txt 2021-03-05 14:59:24.000000000 +0100 +++ new/jasper-version-2.0.27/CMakeLists.txt 2021-03-18 12:23:26.000000000 +0100 
@@ -17,7 +17,7 @@ # The major, minor, and micro version numbers of the project. set(JAS_VERSION_MAJOR 2) set(JAS_VERSION_MINOR 0) -set(JAS_VERSION_PATCH 26) +set(JAS_VERSION_PATCH 27) # The project version. set(JAS_VERSION diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/jasper-version-2.0.26/NEWS new/jasper-version-2.0.27/NEWS --- old/jasper-version-2.0.26/NEWS 2021-03-05 14:59:24.000000000 +0100 +++ new/jasper-version-2.0.27/NEWS 2021-03-18 12:23:26.000000000 +0100 @@ -1,3 +1,15 @@ +2.0.27 (2021-03-18) +=================== + +* Check for an image containing no samples in the PGX + decoder. (#271, #272, #273, #274, #275, #276, #281) +* Check for dimensions of zero in the JPC and JPEG decoders. +* Fix an arguably incorrect type for an integer literal + in the PGX decoder. (#270) +* Check for an invalid component reference in the + JP2 decoder. (#269) +* Check on integer size in JP2 decoder. (#278) + 2.0.26 (2021-03-05) =================== 
@@ -142,3 +154,23 @@ * Fix various memory leaks * Plenty of code cleanups, and performance improvements + +* Some macros were changed to inline functions. This has to potential to + impact some code that made assumptions about the implementation. Some + potentially impacted macros include: + jas_matrix_numrows, jas_matrix_numcols + jas_matrix_get + jas_seq_get, jas_seq_start, jas_seq_end + jpc_ms_gettype + jas_matrix_set and jas_seq_set is affected differently; the old macro was + an actual expression returning the value, while the new function does not. + The following macros have been changed, too, but are likely not + affected, since they have been an rvalue-expression anyway: + JP2_DTYPETOBPC, JP2_BPCTODTYPE + JAS_IMAGE_CDT_{SETSGND,GETSGND,SETPREC,GETPREC} + jas_image_cmptdtype + macros from here + jas_matrix_setv, jas_matrix_getvref + jas_matrix_bind{row,col} + the jpc_fix_ family + the JPC_QCX and JPC_COX families Binary files old/jasper-version-2.0.26/data/test/bad/269.jp2 and new/jasper-version-2.0.27/data/test/bad/269.jp2 differ Binary files old/jasper-version-2.0.26/data/test/bad/271a.pgx and new/jasper-version-2.0.27/data/test/bad/271a.pgx differ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/jasper-version-2.0.26/data/test/bad/271b.pgx new/jasper-version-2.0.27/data/test/bad/271b.pgx --- old/jasper-version-2.0.26/data/test/bad/271b.pgx 1970-01-01 01:00:00.000000000 +0100 +++ new/jasper-version-2.0.27/data/test/bad/271b.pgx 2021-03-18 12:23:26.000000000 +0100 
@@ -0,0 +1 @@ +PG LM 1 888883479 0 \ No newline at end of file Binary files old/jasper-version-2.0.26/data/test/bad/274.pgx and new/jasper-version-2.0.27/data/test/bad/274.pgx differ Binary files old/jasper-version-2.0.26/data/test/bad/276.pgx and new/jasper-version-2.0.27/data/test/bad/276.pgx differ Binary files old/jasper-version-2.0.26/data/test/bad/277.jp2 and new/jasper-version-2.0.27/data/test/bad/277.jp2 differ Binary files old/jasper-version-2.0.26/data/test/bad/281a.pgx and new/jasper-version-2.0.27/data/test/bad/281a.pgx differ Binary files old/jasper-version-2.0.26/data/test/bad/281b.pgx and new/jasper-version-2.0.27/data/test/bad/281b.pgx differ Binary files old/jasper-version-2.0.26/data/test/other/278.jp2 and new/jasper-version-2.0.27/data/test/other/278.jp2 differ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/jasper-version-2.0.26/src/libjasper/jp2/jp2_cod.c new/jasper-version-2.0.27/src/libjasper/jp2/jp2_cod.c --- old/jasper-version-2.0.26/src/libjasper/jp2/jp2_cod.c 2021-03-05 14:59:24.000000000 +0100 +++ new/jasper-version-2.0.27/src/libjasper/jp2/jp2_cod.c 2021-03-18 12:23:26.000000000 +0100 @@ -83,7 +83,12 @@ * Function prototypes. \******************************************************************************/ -#define ONES(n) ((1 << (n)) - 1) +static inline uint_fast32_t ones(int n) +{ + assert(n >= 0); + return (((uint_fast32_t) 1) << n) - 1; + //return ((1 << (n)) - 1); +} static const jp2_boxinfo_t *jp2_boxinfolookup(int type); @@ -926,6 +931,11 @@ m = (n + 7) / 8; + if (n < 0 || n > JAS_CAST(int, 8 * sizeof(int_fast32_t))) { + jas_eprintf("jp2_getint: invalid integer size (%d bits)\n", n); + return -1; + } + v = 0; for (i = 0; i < m; ++i) { if ((c = jas_stream_getc(in)) == EOF) { 
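Review bot: `ones()` in the first jp2_cod.c hunk still shifts by the full width of the type when `n` equals the number of bits in `uint_fast32_t`, which is undefined behaviour, and the `assert(n >= 0)` guard disappears in NDEBUG builds. The bound added to `jp2_getint` in the following hunk rejects only `n > 8 * sizeof(int_fast32_t)`, so a size equal to the width is accepted and reaches `ones(n)`; `ones(8 * m)` in the third hunk can reach the same value. Handle the top case before shifting, e.g. `if (n >= JAS_CAST(int, 8 * sizeof(uint_fast32_t))) return UINT_FAST32_MAX;`. The commented-out `//return ((1 << (n)) - 1);` line should be dropped rather than committed.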
@@ -933,11 +943,11 @@ } v = (v << 8) | c; } - v &= ONES(n); + v &= ones(n); if (s) { int sb; - sb = v & (1 << (8 * m - 1)); - *val = ((~v) + 1) & ONES(8 * m); + sb = v & (JAS_CAST(uint_fast32_t, 1) << (8 * m - 1)); + *val = ((~v) + 1) & ones(8 * m); if (sb) { *val = -*val; } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/jasper-version-2.0.26/src/libjasper/jp2/jp2_dec.c new/jasper-version-2.0.27/src/libjasper/jp2/jp2_dec.c --- old/jasper-version-2.0.26/src/libjasper/jp2/jp2_dec.c 2021-03-05 14:59:24.000000000 +0100 +++ new/jasper-version-2.0.27/src/libjasper/jp2/jp2_dec.c 2021-03-18 12:23:26.000000000 +0100 @@ -451,7 +451,13 @@ } } else { for (i = 0; i < dec->numchans; ++i) { - jas_image_setcmpttype(dec->image, dec->chantocmptlut[i], + unsigned compno = dec->chantocmptlut[i]; + if (compno >= jas_image_numcmpts(dec->image)) { + jas_eprintf( + "error: invalid component reference (%d)\n", compno); + goto error; + } + jas_image_setcmpttype(dec->image, compno, jp2_getct(jas_image_clrspc(dec->image), 0, i + 1)); } } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/jasper-version-2.0.26/src/libjasper/jpc/jpc_dec.c new/jasper-version-2.0.27/src/libjasper/jpc/jpc_dec.c --- old/jasper-version-2.0.26/src/libjasper/jpc/jpc_dec.c 2021-03-05 14:59:24.000000000 +0100 +++ new/jasper-version-2.0.27/src/libjasper/jpc/jpc_dec.c 2021-03-18 12:23:26.000000000 +0100 
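Review bot: The sign-bit test in the third jp2_cod.c hunk now builds a `uint_fast32_t` mask but still stores the result in `int sb`, so when bit `8 * m - 1` sits at or above the width of `int` the conversion can discard it and `if (sb)` misses a negative value. That is reachable wherever `uint_fast32_t` is wider than `int`, because the new bound in `jp2_getint` admits sizes up to `8 * sizeof(int_fast32_t)` bits. A size of zero also passes that bound, gives `m == 0`, and makes the shift count `8 * m - 1` negative. Reduce the test to a truth value, `sb = (v >> (8 * m - 1)) & 1;`, and reject `n == 0` when `s` is set. The function starts and ends outside the hunk, so the type of `v` is assumed to be `uint_fast32_t`.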
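Review bot: The new error message in jp2_dec.c formats `compno`, declared `unsigned`, with `%d`; assuming `jas_eprintf` follows printf conventions this is a type mismatch, and a large out-of-range index from a malformed file would be logged as a negative number. Use `"error: invalid component reference (%u)\n"`. The check is added only in the `else` branch visible here; the branch above the hunk is not shown, so it is worth confirming that it validates its component index before use as well.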
@@ -1305,6 +1305,10 @@ cmpt->hsubstep = 0; cmpt->vsubstep = 0; + if (!cmpt->width || !cmpt->height) { + jas_eprintf("image component has no samples\n"); + return -1; + } if (!jas_safe_size_mul(cmpt->width, cmpt->height, &num_samples_delta)) { jas_eprintf("image too large\n"); return -1; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/jasper-version-2.0.26/src/libjasper/jpg/jpg_dec.c new/jasper-version-2.0.27/src/libjasper/jpg/jpg_dec.c --- old/jasper-version-2.0.26/src/libjasper/jpg/jpg_dec.c 2021-03-05 14:59:24.000000000 +0100 +++ new/jasper-version-2.0.27/src/libjasper/jpg/jpg_dec.c 2021-03-18 12:23:26.000000000 +0100 @@ -264,6 +264,10 @@ cinfo.image_width, cinfo.image_height, cinfo.num_components) ); + if (!cinfo.image_width || !cinfo.image_height || !cinfo.num_components) { + jas_eprintf("image has no samples"); + goto error; + } if (opts.max_samples > 0) { if (!jas_safe_size_mul3(cinfo.image_width, cinfo.image_height, cinfo.num_components, &num_samples)) { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/jasper-version-2.0.26/src/libjasper/pgx/pgx_dec.c new/jasper-version-2.0.27/src/libjasper/pgx/pgx_dec.c --- old/jasper-version-2.0.26/src/libjasper/pgx/pgx_dec.c 2021-03-05 14:59:24.000000000 +0100 +++ new/jasper-version-2.0.27/src/libjasper/pgx/pgx_dec.c 2021-03-18 12:23:26.000000000 +0100 @@ -180,6 +180,10 @@ jas_eprintf("image too large\n"); goto error; } + if (!num_samples) { + jas_eprintf("image has no samples\n"); + goto error; + } if (opts.max_samples > 0 && num_samples > opts.max_samples) { jas_eprintf( "maximum number of samples would be exceeded (%zu > %zu)\n", @@ -356,7 +360,7 @@ goto error; } j = bigendian ? (wordsize - 1 - i) : i; - val = val | ((c & 0xff) << (8 * j)); + val = val | ((c & 0xffU) << (8 * j)); } val &= (1 << prec) - 1; return val;
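Review bot: The message added in jpg_dec.c, `jas_eprintf("image has no samples");`, lacks the trailing newline that the equivalent messages added to jpc_dec.c and pgx_dec.c in this same commit carry. The next diagnostic will be appended to the same line, which makes decoder logs harder to read when triaging rejected files. Write it as `jas_eprintf("image has no samples\n");`.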
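Review bot: The second pgx_dec.c hunk makes the byte mask unsigned but leaves the following context line `val &= (1 << prec) - 1;` shifting a signed `int`, which is undefined once `prec` reaches the width of `int` minus one. `prec` comes from the file header parsed outside this hunk, so whether it is bounded tightly enough cannot be confirmed from here. Giving the literal the same treatment as in jp2_cod.c, `val &= (JAS_CAST(uint_fast32_t, 1) << prec) - 1;` together with an explicit upper bound on `prec`, would close the gap. Similarly `(c & 0xffU) << (8 * j)` is only defined while `8 * j` stays below the width of `unsigned`, which depends on how `wordsize` is limited above the hunk.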
