Your message dated Tue, 14 Oct 2008 21:32:27 +0000 with message-id <[EMAIL PROTECTED]> and subject line Bug#501021: fixed in jasper 1.900.1-5.1 has caused the Debian Bug report #501021, regarding jasper: CVE-2008-352[0-2] multiple integer overflows in jas_alloc calls to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact [EMAIL PROTECTED] immediately.)

--
501021: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=501021
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message ---
Package: jasper
Severity: grave
Tags: security patch

Hi,
the following CVE (Common Vulnerabilities & Exposures) ids were published for jasper.

CVE-2008-3522[0]:
| Buffer overflow in the jas_stream_printf function in
| libjasper/base/jas_stream.c in JasPer 1.900.1 might allow
| context-dependent attackers to have an unknown impact via vectors
| related to the mif_hdr_put function and use of vsprintf.

CVE-2008-3521[1]:
| The jas_stream_tmpfile function in libjasper/base/jas_stream.c in
| JasPer 1.900.1 allows local users to overwrite arbitrary files via a
| symlink attack on a tmp.XXXXXXXXXX temporary file.

CVE-2008-3520[2]:
| Multiple integer overflows in JasPer 1.900.1 might allow
| context-dependent attackers to have an unknown impact via a crafted
| image file, related to integer multiplication for memory allocation.

CVE-2008-3521 is not really important as the file is opened with O_EXCL but a patch for all these three issues is attached.

If you fix the vulnerabilities please also make sure to include the CVE ids in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3522
    http://security-tracker.debian.net/tracker/CVE-2008-3522
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3521
    http://security-tracker.debian.net/tracker/CVE-2008-3521
[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3520
    http://security-tracker.debian.net/tracker/CVE-2008-3520

--
Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.

diff -Nurad jasper-1.900.1.orig/src/libjasper/base/jas_cm.c jasper-1.900.1.new/src/libjasper/base/jas_cm.c --- jasper-1.900.1.orig/src/libjasper/base/jas_cm.c 2007-01-19 22:43:05.000000000 +0100 +++ jasper-1.900.1.new/src/libjasper/base/jas_cm.c 2008-10-03 14:17:55.000000000 +0200 
@@ -704,8 +704,7 @@ { jas_cmpxform_t **p; assert(n >= pxformseq->numpxforms); - p = (!pxformseq->pxforms) ? jas_malloc(n * sizeof(jas_cmpxform_t *)) : - jas_realloc(pxformseq->pxforms, n * sizeof(jas_cmpxform_t *)); + p = jas_realloc2(pxformseq->pxforms, n, sizeof(jas_cmpxform_t *)); if (!p) { return -1; } @@ -889,13 +888,13 @@ jas_cmshapmatlut_cleanup(lut); if (curv->numents == 0) { lut->size = 2; - if (!(lut->data = jas_malloc(lut->size * sizeof(jas_cmreal_t)))) + if (!(lut->data = jas_alloc2(lut->size, sizeof(jas_cmreal_t)))) goto error; lut->data[0] = 0.0; lut->data[1] = 1.0; } else if (curv->numents == 1) { lut->size = 256; - if (!(lut->data = jas_malloc(lut->size * sizeof(jas_cmreal_t)))) + if (!(lut->data = jas_alloc2(lut->size, sizeof(jas_cmreal_t)))) goto error; gamma = curv->ents[0] / 256.0; for (i = 0; i < lut->size; ++i) { @@ -903,7 +902,7 @@ } } else { lut->size = curv->numents; - if (!(lut->data = jas_malloc(lut->size * sizeof(jas_cmreal_t)))) + if (!(lut->data = jas_alloc2(lut->size, sizeof(jas_cmreal_t)))) goto error; for (i = 0; i < lut->size; ++i) { lut->data[i] = curv->ents[i] / 65535.0; @@ -953,7 +952,7 @@ return -1; } } - if (!(invlut->data = jas_malloc(n * sizeof(jas_cmreal_t)))) + if (!(invlut->data = jas_alloc2(n, sizeof(jas_cmreal_t)))) return -1; invlut->size = n; for (i = 0; i < invlut->size; ++i) { diff -Nurad jasper-1.900.1.orig/src/libjasper/base/jas_icc.c jasper-1.900.1.new/src/libjasper/base/jas_icc.c --- jasper-1.900.1.orig/src/libjasper/base/jas_icc.c 2007-01-19 22:43:05.000000000 +0100 +++ jasper-1.900.1.new/src/libjasper/base/jas_icc.c 2008-10-03 14:17:55.000000000 +0200 @@ -373,7 +373,7 @@ jas_icctagtab_t *tagtab; tagtab = &prof->tagtab; - if (!(tagtab->ents = jas_malloc(prof->attrtab->numattrs * + if (!(tagtab->ents = jas_alloc2(prof->attrtab->numattrs, sizeof(jas_icctagtabent_t)))) goto error; tagtab->numents = prof->attrtab->numattrs; 
@@ -522,7 +522,7 @@ } if (jas_iccgetuint32(in, &tagtab->numents)) goto error; - if (!(tagtab->ents = jas_malloc(tagtab->numents * + if (!(tagtab->ents = jas_alloc2(tagtab->numents, sizeof(jas_icctagtabent_t)))) goto error; tagtabent = tagtab->ents; @@ -743,8 +743,7 @@ { jas_iccattr_t *newattrs; assert(maxents >= tab->numattrs); - newattrs = tab->attrs ? jas_realloc(tab->attrs, maxents * - sizeof(jas_iccattr_t)) : jas_malloc(maxents * sizeof(jas_iccattr_t)); + newattrs = jas_realloc2(tab->attrs, maxents, sizeof(jas_iccattr_t)); if (!newattrs) return -1; tab->attrs = newattrs; @@ -999,7 +998,7 @@ if (jas_iccgetuint32(in, &curv->numents)) goto error; - if (!(curv->ents = jas_malloc(curv->numents * sizeof(jas_iccuint16_t)))) + if (!(curv->ents = jas_alloc2(curv->numents, sizeof(jas_iccuint16_t)))) goto error; for (i = 0; i < curv->numents; ++i) { if (jas_iccgetuint16(in, &curv->ents[i])) @@ -1100,7 +1099,7 @@ if (jas_iccgetuint32(in, &txtdesc->uclangcode) || jas_iccgetuint32(in, &txtdesc->uclen)) goto error; - if (!(txtdesc->ucdata = jas_malloc(txtdesc->uclen * 2))) + if (!(txtdesc->ucdata = jas_alloc2(txtdesc->uclen, 2))) goto error; if (jas_stream_read(in, txtdesc->ucdata, txtdesc->uclen * 2) != JAS_CAST(int, txtdesc->uclen * 2)) 
@@ -1292,17 +1291,17 @@ jas_iccgetuint16(in, &lut8->numouttabents)) goto error; clutsize = jas_iccpowi(lut8->clutlen, lut8->numinchans) * lut8->numoutchans; - if (!(lut8->clut = jas_malloc(clutsize * sizeof(jas_iccuint8_t))) || - !(lut8->intabsbuf = jas_malloc(lut8->numinchans * - lut8->numintabents * sizeof(jas_iccuint8_t))) || - !(lut8->intabs = jas_malloc(lut8->numinchans * + if (!(lut8->clut = jas_alloc2(clutsize, sizeof(jas_iccuint8_t))) || + !(lut8->intabsbuf = jas_alloc3(lut8->numinchans, + lut8->numintabents, sizeof(jas_iccuint8_t))) || + !(lut8->intabs = jas_alloc2(lut8->numinchans, sizeof(jas_iccuint8_t *)))) goto error; for (i = 0; i < lut8->numinchans; ++i) lut8->intabs[i] = &lut8->intabsbuf[i * lut8->numintabents]; - if (!(lut8->outtabsbuf = jas_malloc(lut8->numoutchans * - lut8->numouttabents * sizeof(jas_iccuint8_t))) || - !(lut8->outtabs = jas_malloc(lut8->numoutchans * + if (!(lut8->outtabsbuf = jas_alloc3(lut8->numoutchans, + lut8->numouttabents, sizeof(jas_iccuint8_t))) || + !(lut8->outtabs = jas_alloc2(lut8->numoutchans, sizeof(jas_iccuint8_t *)))) goto error; for (i = 0; i < lut8->numoutchans; ++i) 
@@ -1461,17 +1460,17 @@ jas_iccgetuint16(in, &lut16->numouttabents)) goto error; clutsize = jas_iccpowi(lut16->clutlen, lut16->numinchans) * lut16->numoutchans; - if (!(lut16->clut = jas_malloc(clutsize * sizeof(jas_iccuint16_t))) || - !(lut16->intabsbuf = jas_malloc(lut16->numinchans * - lut16->numintabents * sizeof(jas_iccuint16_t))) || - !(lut16->intabs = jas_malloc(lut16->numinchans * + if (!(lut16->clut = jas_alloc2(clutsize, sizeof(jas_iccuint16_t))) || + !(lut16->intabsbuf = jas_alloc3(lut16->numinchans, + lut16->numintabents, sizeof(jas_iccuint16_t))) || + !(lut16->intabs = jas_alloc2(lut16->numinchans, sizeof(jas_iccuint16_t *)))) goto error; for (i = 0; i < lut16->numinchans; ++i) lut16->intabs[i] = &lut16->intabsbuf[i * lut16->numintabents]; - if (!(lut16->outtabsbuf = jas_malloc(lut16->numoutchans * - lut16->numouttabents * sizeof(jas_iccuint16_t))) || - !(lut16->outtabs = jas_malloc(lut16->numoutchans * + if (!(lut16->outtabsbuf = jas_alloc3(lut16->numoutchans, + lut16->numouttabents, sizeof(jas_iccuint16_t))) || + !(lut16->outtabs = jas_alloc2(lut16->numoutchans, sizeof(jas_iccuint16_t *)))) goto error; for (i = 0; i < lut16->numoutchans; ++i) diff -Nurad jasper-1.900.1.orig/src/libjasper/base/jas_image.c jasper-1.900.1.new/src/libjasper/base/jas_image.c --- jasper-1.900.1.orig/src/libjasper/base/jas_image.c 2007-01-19 22:43:05.000000000 +0100 +++ jasper-1.900.1.new/src/libjasper/base/jas_image.c 2008-10-03 14:17:55.000000000 +0200 @@ -142,7 +142,7 @@ image->inmem_ = true; /* Allocate memory for the per-component information. */ - if (!(image->cmpts_ = jas_malloc(image->maxcmpts_ * + if (!(image->cmpts_ = jas_alloc2(image->maxcmpts_, sizeof(jas_image_cmpt_t *)))) { jas_image_destroy(image); return 0; 
@@ -774,8 +774,7 @@ jas_image_cmpt_t **newcmpts; int cmptno; - newcmpts = (!image->cmpts_) ? jas_malloc(maxcmpts * sizeof(jas_image_cmpt_t *)) : - jas_realloc(image->cmpts_, maxcmpts * sizeof(jas_image_cmpt_t *)); + newcmpts = jas_realloc2(image->cmpts_, maxcmpts, sizeof(jas_image_cmpt_t *)); if (!newcmpts) { return -1; } diff -Nurad jasper-1.900.1.orig/src/libjasper/base/jas_malloc.c jasper-1.900.1.new/src/libjasper/base/jas_malloc.c --- jasper-1.900.1.orig/src/libjasper/base/jas_malloc.c 2007-01-19 22:43:05.000000000 +0100 +++ jasper-1.900.1.new/src/libjasper/base/jas_malloc.c 2008-10-03 14:17:55.000000000 +0200 @@ -76,6 +76,9 @@ /* We need the prototype for memset. */ #include <string.h> +#include <limits.h> +#include <errno.h> +#include <stdint.h> #include "jasper/jas_malloc.h" 
@@ -113,18 +116,50 @@ void *jas_realloc(void *ptr, size_t size) { - return realloc(ptr, size); + return ptr ? realloc(ptr, size) : malloc(size); } -void *jas_calloc(size_t nmemb, size_t size) +void *jas_realloc2(void *ptr, size_t nmemb, size_t size) +{ + if (!ptr) + return jas_alloc2(nmemb, size); + if (nmemb && SIZE_MAX / nmemb < size) { + errno = ENOMEM; + return NULL; + } + return jas_realloc(ptr, nmemb * size); + +} + +void *jas_alloc2(size_t nmemb, size_t size) +{ + if (nmemb && SIZE_MAX / nmemb < size) { + errno = ENOMEM; + return NULL; + } + + return jas_malloc(nmemb * size); +} + +void *jas_alloc3(size_t a, size_t b, size_t c) { - void *ptr; size_t n; - n = nmemb * size; - if (!(ptr = jas_malloc(n * sizeof(char)))) { - return 0; + + if (a && SIZE_MAX / a < b) { + errno = ENOMEM; + return NULL; } - memset(ptr, 0, n); + + return jas_alloc2(a*b, c); +} + +void *jas_calloc(size_t nmemb, size_t size) +{ + void *ptr; + + ptr = jas_alloc2(nmemb, size); + if (ptr) + memset(ptr, 0, nmemb*size); return ptr; } diff -Nurad jasper-1.900.1.orig/src/libjasper/base/jas_seq.c jasper-1.900.1.new/src/libjasper/base/jas_seq.c --- jasper-1.900.1.orig/src/libjasper/base/jas_seq.c 2007-01-19 22:43:05.000000000 +0100 +++ jasper-1.900.1.new/src/libjasper/base/jas_seq.c 2008-10-03 14:17:55.000000000 +0200 @@ -114,7 +114,7 @@ matrix->datasize_ = numrows * numcols; if (matrix->maxrows_ > 0) { - if (!(matrix->rows_ = jas_malloc(matrix->maxrows_ * + if (!(matrix->rows_ = jas_alloc2(matrix->maxrows_, sizeof(jas_seqent_t *)))) { jas_matrix_destroy(matrix); return 0; @@ -122,7 +122,7 @@ } if (matrix->datasize_ > 0) { - if (!(matrix->data_ = jas_malloc(matrix->datasize_ * + if (!(matrix->data_ = jas_alloc2(matrix->datasize_, sizeof(jas_seqent_t)))) { jas_matrix_destroy(matrix); return 0; 
@@ -220,7 +220,7 @@ mat0->numrows_ = r1 - r0 + 1; mat0->numcols_ = c1 - c0 + 1; mat0->maxrows_ = mat0->numrows_; - mat0->rows_ = jas_malloc(mat0->maxrows_ * sizeof(jas_seqent_t *)); + mat0->rows_ = jas_alloc2(mat0->maxrows_, sizeof(jas_seqent_t *)); for (i = 0; i < mat0->numrows_; ++i) { mat0->rows_[i] = mat1->rows_[r0 + i] + c0; } diff -Nurad jasper-1.900.1.orig/src/libjasper/base/jas_stream.c jasper-1.900.1.new/src/libjasper/base/jas_stream.c --- jasper-1.900.1.orig/src/libjasper/base/jas_stream.c 2007-01-19 22:43:05.000000000 +0100 +++ jasper-1.900.1.new/src/libjasper/base/jas_stream.c 2008-10-03 14:19:55.000000000 +0200 @@ -212,7 +212,7 @@ if (buf) { obj->buf_ = (unsigned char *) buf; } else { - obj->buf_ = jas_malloc(obj->bufsize_ * sizeof(char)); + obj->buf_ = jas_malloc(obj->bufsize_); obj->myalloc_ = 1; } if (!obj->buf_) { @@ -361,28 +361,22 @@ } obj->fd = -1; obj->flags = 0; - obj->pathname[0] = '\0'; stream->obj_ = obj; /* Choose a file name. */ - tmpnam(obj->pathname); + snprintf(obj->pathname, L_tmpnam, "%stmp.XXXXXXXXXX", P_tmpdir); /* Open the underlying file. */ - if ((obj->fd = open(obj->pathname, O_CREAT | O_EXCL | O_RDWR | O_TRUNC | O_BINARY, - JAS_STREAM_PERMS)) < 0) { + if ((obj->fd = mkstemp(obj->pathname)) < 0) { jas_stream_destroy(stream); return 0; } /* Unlink the file so that it will disappear if the program terminates abnormally. */ - /* Under UNIX, one can unlink an open file and continue to do I/O - on it. Not all operating systems support this functionality, however. - For example, under Microsoft Windows the unlink operation will fail, - since the file is open. */ if (unlink(obj->pathname)) { - /* We will try unlinking the file again after it is closed. */ - obj->flags |= JAS_STREAM_FILEOBJ_DELONCLOSE; + jas_stream_destroy(stream); + return 0; } /* Use full buffering. */ 
@@ -553,7 +547,7 @@ int ret; va_start(ap, fmt); - ret = vsprintf(buf, fmt, ap); + ret = vsnprintf(buf, sizeof buf, fmt, ap); jas_stream_puts(stream, buf); va_end(ap); return ret; @@ -992,7 +986,7 @@ unsigned char *buf; assert(m->buf_); - if (!(buf = jas_realloc(m->buf_, bufsize * sizeof(unsigned char)))) { + if (!(buf = jas_realloc(m->buf_, bufsize))) { return -1; } m->buf_ = buf; diff -Nurad jasper-1.900.1.orig/src/libjasper/bmp/bmp_dec.c jasper-1.900.1.new/src/libjasper/bmp/bmp_dec.c --- jasper-1.900.1.orig/src/libjasper/bmp/bmp_dec.c 2007-01-19 22:43:07.000000000 +0100 +++ jasper-1.900.1.new/src/libjasper/bmp/bmp_dec.c 2008-10-03 14:17:55.000000000 +0200 @@ -283,7 +283,7 @@ } if (info->numcolors > 0) { - if (!(info->palents = jas_malloc(info->numcolors * + if (!(info->palents = jas_alloc2(info->numcolors, sizeof(bmp_palent_t)))) { bmp_info_destroy(info); return 0; diff -Nurad jasper-1.900.1.orig/src/libjasper/include/jasper/jas_malloc.h jasper-1.900.1.new/src/libjasper/include/jasper/jas_malloc.h --- jasper-1.900.1.orig/src/libjasper/include/jasper/jas_malloc.h 2007-01-19 22:43:04.000000000 +0100 +++ jasper-1.900.1.new/src/libjasper/include/jasper/jas_malloc.h 2008-10-03 14:17:55.000000000 +0200 @@ -95,6 +95,9 @@ #define jas_free MEMFREE #define jas_realloc MEMREALLOC #define jas_calloc MEMCALLOC +#define jas_alloc2(a, b) MEMALLOC((a)*(b)) +#define jas_alloc3(a, b, c) MEMALLOC((a)*(b)*(c)) +#define jas_realloc2(p, a, b) MEMREALLOC((p), (a)*(b)) #endif /******************************************************************************\ 
@@ -115,6 +118,12 @@ /* Allocate a block of memory and initialize the contents to zero. */ void *jas_calloc(size_t nmemb, size_t size); +/* size-checked double allocation .*/ +void *jas_alloc2(size_t, size_t); + +void *jas_alloc3(size_t, size_t, size_t); + +void *jas_realloc2(void *, size_t, size_t); #endif #ifdef __cplusplus diff -Nurad jasper-1.900.1.orig/src/libjasper/jp2/jp2_cod.c jasper-1.900.1.new/src/libjasper/jp2/jp2_cod.c --- jasper-1.900.1.orig/src/libjasper/jp2/jp2_cod.c 2007-01-19 22:43:05.000000000 +0100 +++ jasper-1.900.1.new/src/libjasper/jp2/jp2_cod.c 2008-10-03 14:17:55.000000000 +0200 @@ -372,7 +372,7 @@ jp2_bpcc_t *bpcc = &box->data.bpcc; unsigned int i; bpcc->numcmpts = box->datalen; - if (!(bpcc->bpcs = jas_malloc(bpcc->numcmpts * sizeof(uint_fast8_t)))) { + if (!(bpcc->bpcs = jas_alloc2(bpcc->numcmpts, sizeof(uint_fast8_t)))) { return -1; } for (i = 0; i < bpcc->numcmpts; ++i) { @@ -416,7 +416,7 @@ break; case JP2_COLR_ICC: colr->iccplen = box->datalen - 3; - if (!(colr->iccp = jas_malloc(colr->iccplen * sizeof(uint_fast8_t)))) { + if (!(colr->iccp = jas_alloc2(colr->iccplen, sizeof(uint_fast8_t)))) { return -1; } if (jas_stream_read(in, colr->iccp, colr->iccplen) != colr->iccplen) { @@ -453,7 +453,7 @@ if (jp2_getuint16(in, &cdef->numchans)) { return -1; } - if (!(cdef->ents = jas_malloc(cdef->numchans * sizeof(jp2_cdefchan_t)))) { + if (!(cdef->ents = jas_alloc2(cdef->numchans, sizeof(jp2_cdefchan_t)))) { return -1; } for (channo = 0; channo < cdef->numchans; ++channo) { @@ -766,7 +766,7 @@ unsigned int i; cmap->numchans = (box->datalen) / 4; - if (!(cmap->ents = jas_malloc(cmap->numchans * sizeof(jp2_cmapent_t)))) { + if (!(cmap->ents = jas_alloc2(cmap->numchans, sizeof(jp2_cmapent_t)))) { return -1; } for (i = 0; i < cmap->numchans; ++i) { 
@@ -828,10 +828,10 @@ return -1; } lutsize = pclr->numlutents * pclr->numchans; - if (!(pclr->lutdata = jas_malloc(lutsize * sizeof(int_fast32_t)))) { + if (!(pclr->lutdata = jas_alloc2(lutsize, sizeof(int_fast32_t)))) { return -1; } - if (!(pclr->bpc = jas_malloc(pclr->numchans * sizeof(uint_fast8_t)))) { + if (!(pclr->bpc = jas_alloc2(pclr->numchans, sizeof(uint_fast8_t)))) { return -1; } for (i = 0; i < pclr->numchans; ++i) { diff -Nurad jasper-1.900.1.orig/src/libjasper/jp2/jp2_dec.c jasper-1.900.1.new/src/libjasper/jp2/jp2_dec.c --- jasper-1.900.1.orig/src/libjasper/jp2/jp2_dec.c 2007-01-19 22:43:05.000000000 +0100 +++ jasper-1.900.1.new/src/libjasper/jp2/jp2_dec.c 2008-10-03 14:17:55.000000000 +0200 @@ -336,7 +336,7 @@ } /* Allocate space for the channel-number to component-number LUT. */ - if (!(dec->chantocmptlut = jas_malloc(dec->numchans * sizeof(uint_fast16_t)))) { + if (!(dec->chantocmptlut = jas_alloc2(dec->numchans, sizeof(uint_fast16_t)))) { jas_eprintf("error: no memory\n"); goto error; } @@ -354,7 +354,7 @@ if (cmapent->map == JP2_CMAP_DIRECT) { dec->chantocmptlut[channo] = channo; } else if (cmapent->map == JP2_CMAP_PALETTE) { - lutents = jas_malloc(pclrd->numlutents * sizeof(int_fast32_t)); + lutents = jas_alloc2(pclrd->numlutents, sizeof(int_fast32_t)); for (i = 0; i < pclrd->numlutents; ++i) { lutents[i] = pclrd->lutdata[cmapent->pcol + i * pclrd->numchans]; } diff -Nurad jasper-1.900.1.orig/src/libjasper/jp2/jp2_enc.c jasper-1.900.1.new/src/libjasper/jp2/jp2_enc.c --- jasper-1.900.1.orig/src/libjasper/jp2/jp2_enc.c 2007-01-19 22:43:05.000000000 +0100 +++ jasper-1.900.1.new/src/libjasper/jp2/jp2_enc.c 2008-10-03 14:17:55.000000000 +0200 @@ -191,7 +191,7 @@ } bpcc = &box->data.bpcc; bpcc->numcmpts = jas_image_numcmpts(image); - if (!(bpcc->bpcs = jas_malloc(bpcc->numcmpts * + if (!(bpcc->bpcs = jas_alloc2(bpcc->numcmpts, sizeof(uint_fast8_t)))) { goto error; } 
@@ -285,7 +285,7 @@ } cdef = &box->data.cdef; cdef->numchans = jas_image_numcmpts(image); - cdef->ents = jas_malloc(cdef->numchans * sizeof(jp2_cdefchan_t)); + cdef->ents = jas_alloc2(cdef->numchans, sizeof(jp2_cdefchan_t)); for (i = 0; i < jas_image_numcmpts(image); ++i) { cdefchanent = &cdef->ents[i]; cdefchanent->channo = i; diff -Nurad jasper-1.900.1.orig/src/libjasper/jpc/jpc_cs.c jasper-1.900.1.new/src/libjasper/jpc/jpc_cs.c --- jasper-1.900.1.orig/src/libjasper/jpc/jpc_cs.c 2007-01-19 22:43:07.000000000 +0100 +++ jasper-1.900.1.new/src/libjasper/jpc/jpc_cs.c 2008-10-03 14:17:55.000000000 +0200 @@ -502,7 +502,7 @@ !siz->tileheight || !siz->numcomps) { return -1; } - if (!(siz->comps = jas_malloc(siz->numcomps * sizeof(jpc_sizcomp_t)))) { + if (!(siz->comps = jas_alloc2(siz->numcomps, sizeof(jpc_sizcomp_t)))) { return -1; } for (i = 0; i < siz->numcomps; ++i) { @@ -982,8 +982,11 @@ compparms->numstepsizes = (len - n) / 2; break; } - if (compparms->numstepsizes > 0) { - compparms->stepsizes = jas_malloc(compparms->numstepsizes * + if (compparms->numstepsizes > 3 * JPC_MAXRLVLS + 1) { + jpc_qcx_destroycompparms(compparms); + return -1; + } else if (compparms->numstepsizes > 0) { + compparms->stepsizes = jas_alloc2(compparms->numstepsizes, sizeof(uint_fast16_t)); assert(compparms->stepsizes); for (i = 0; i < compparms->numstepsizes; ++i) { @@ -1091,7 +1094,7 @@ ppm->len = ms->len - 1; if (ppm->len > 0) { - if (!(ppm->data = jas_malloc(ppm->len * sizeof(unsigned char)))) { + if (!(ppm->data = jas_malloc(ppm->len))) { goto error; } if (JAS_CAST(uint, jas_stream_read(in, ppm->data, ppm->len)) != ppm->len) { @@ -1160,7 +1163,7 @@ } ppt->len = ms->len - 1; if (ppt->len > 0) { - if (!(ppt->data = jas_malloc(ppt->len * sizeof(unsigned char)))) { + if (!(ppt->data = jas_malloc(ppt->len))) { goto error; } if (jas_stream_read(in, (char *) ppt->data, ppt->len) != JAS_CAST(int, ppt->len)) { 
@@ -1223,7 +1226,7 @@ uint_fast8_t tmp; poc->numpchgs = (cstate->numcomps > 256) ? (ms->len / 9) : (ms->len / 7); - if (!(poc->pchgs = jas_malloc(poc->numpchgs * sizeof(jpc_pocpchg_t)))) { + if (!(poc->pchgs = jas_alloc2(poc->numpchgs, sizeof(jpc_pocpchg_t)))) { goto error; } for (pchgno = 0, pchg = poc->pchgs; pchgno < poc->numpchgs; ++pchgno, @@ -1328,7 +1331,7 @@ jpc_crgcomp_t *comp; uint_fast16_t compno; crg->numcomps = cstate->numcomps; - if (!(crg->comps = jas_malloc(cstate->numcomps * sizeof(uint_fast16_t)))) { + if (!(crg->comps = jas_alloc2(cstate->numcomps, sizeof(uint_fast16_t)))) { return -1; } for (compno = 0, comp = crg->comps; compno < cstate->numcomps; @@ -1467,7 +1470,7 @@ cstate = 0; if (ms->len > 0) { - if (!(unk->data = jas_malloc(ms->len * sizeof(unsigned char)))) { + if (!(unk->data = jas_malloc(ms->len))) { return -1; } if (jas_stream_read(in, (char *) unk->data, ms->len) != JAS_CAST(int, ms->len)) { diff -Nurad jasper-1.900.1.orig/src/libjasper/jpc/jpc_dec.c jasper-1.900.1.new/src/libjasper/jpc/jpc_dec.c --- jasper-1.900.1.orig/src/libjasper/jpc/jpc_dec.c 2007-01-19 22:43:07.000000000 +0100 +++ jasper-1.900.1.new/src/libjasper/jpc/jpc_dec.c 2008-10-03 14:17:55.000000000 +0200 @@ -449,7 +449,7 @@ if (dec->state == JPC_MH) { - compinfos = jas_malloc(dec->numcomps * sizeof(jas_image_cmptparm_t)); + compinfos = jas_alloc2(dec->numcomps, sizeof(jas_image_cmptparm_t)); assert(compinfos); for (cmptno = 0, cmpt = dec->cmpts, compinfo = compinfos; cmptno < dec->numcomps; ++cmptno, ++cmpt, ++compinfo) { @@ -692,7 +692,7 @@ tile->realmode = 1; } tcomp->numrlvls = ccp->numrlvls; - if (!(tcomp->rlvls = jas_malloc(tcomp->numrlvls * + if (!(tcomp->rlvls = jas_alloc2(tcomp->numrlvls, sizeof(jpc_dec_rlvl_t)))) { return -1; } @@ -764,7 +764,7 @@ rlvl->cbgheightexpn); rlvl->numbands = (!rlvlno) ? 1 : 3; - if (!(rlvl->bands = jas_malloc(rlvl->numbands * + if (!(rlvl->bands = jas_alloc2(rlvl->numbands, sizeof(jpc_dec_band_t)))) { return -1; } 
@@ -797,7 +797,7 @@ assert(rlvl->numprcs); - if (!(band->prcs = jas_malloc(rlvl->numprcs * sizeof(jpc_dec_prc_t)))) { + if (!(band->prcs = jas_alloc2(rlvl->numprcs, sizeof(jpc_dec_prc_t)))) { return -1; } @@ -834,7 +834,7 @@ if (!(prc->numimsbstagtree = jpc_tagtree_create(prc->numhcblks, prc->numvcblks))) { return -1; } - if (!(prc->cblks = jas_malloc(prc->numcblks * sizeof(jpc_dec_cblk_t)))) { + if (!(prc->cblks = jas_alloc2(prc->numcblks, sizeof(jpc_dec_cblk_t)))) { return -1; } @@ -1069,12 +1069,12 @@ /* Apply an inverse intercomponent transform if necessary. */ switch (tile->cp->mctid) { case JPC_MCT_RCT: - assert(dec->numcomps == 3); + assert(dec->numcomps == 3 || dec->numcomps == 4); jpc_irct(tile->tcomps[0].data, tile->tcomps[1].data, tile->tcomps[2].data); break; case JPC_MCT_ICT: - assert(dec->numcomps == 3); + assert(dec->numcomps == 3 || dec->numcomps == 4); jpc_iict(tile->tcomps[0].data, tile->tcomps[1].data, tile->tcomps[2].data); break; @@ -1181,7 +1181,7 @@ return -1; } - if (!(dec->cmpts = jas_malloc(dec->numcomps * sizeof(jpc_dec_cmpt_t)))) { + if (!(dec->cmpts = jas_alloc2(dec->numcomps, sizeof(jpc_dec_cmpt_t)))) { return -1; } @@ -1204,7 +1204,7 @@ dec->numhtiles = JPC_CEILDIV(dec->xend - dec->tilexoff, dec->tilewidth); dec->numvtiles = JPC_CEILDIV(dec->yend - dec->tileyoff, dec->tileheight); dec->numtiles = dec->numhtiles * dec->numvtiles; - if (!(dec->tiles = jas_malloc(dec->numtiles * sizeof(jpc_dec_tile_t)))) { + if (!(dec->tiles = jas_alloc2(dec->numtiles, sizeof(jpc_dec_tile_t)))) { return -1; } @@ -1228,7 +1228,7 @@ tile->pkthdrstreampos = 0; tile->pptstab = 0; tile->cp = 0; - if (!(tile->tcomps = jas_malloc(dec->numcomps * + if (!(tile->tcomps = jas_alloc2(dec->numcomps, sizeof(jpc_dec_tcomp_t)))) { return -1; } 
@@ -1489,7 +1489,7 @@ cp->numlyrs = 0; cp->mctid = 0; cp->csty = 0; - if (!(cp->ccps = jas_malloc(cp->numcomps * sizeof(jpc_dec_ccp_t)))) { + if (!(cp->ccps = jas_alloc2(cp->numcomps, sizeof(jpc_dec_ccp_t)))) { return 0; } if (!(cp->pchglist = jpc_pchglist_create())) { @@ -2048,7 +2048,7 @@ } streamlist->numstreams = 0; streamlist->maxstreams = 100; - if (!(streamlist->streams = jas_malloc(streamlist->maxstreams * + if (!(streamlist->streams = jas_alloc2(streamlist->maxstreams, sizeof(jas_stream_t *)))) { jas_free(streamlist); return 0; @@ -2068,8 +2068,8 @@ /* Grow the array of streams if necessary. */ if (streamlist->numstreams >= streamlist->maxstreams) { newmaxstreams = streamlist->maxstreams + 1024; - if (!(newstreams = jas_realloc(streamlist->streams, - (newmaxstreams + 1024) * sizeof(jas_stream_t *)))) { + if (!(newstreams = jas_realloc2(streamlist->streams, + (newmaxstreams + 1024), sizeof(jas_stream_t *)))) { return -1; } for (i = streamlist->numstreams; i < streamlist->maxstreams; ++i) { @@ -2155,8 +2155,7 @@ { jpc_ppxstabent_t **newents; if (tab->maxents < maxents) { - newents = (tab->ents) ? jas_realloc(tab->ents, maxents * - sizeof(jpc_ppxstabent_t *)) : jas_malloc(maxents * sizeof(jpc_ppxstabent_t *)); + newents = jas_realloc2(tab->ents, maxents, sizeof(jpc_ppxstabent_t *)); if (!newents) { return -1; } diff -Nurad jasper-1.900.1.orig/src/libjasper/jpc/jpc_enc.c jasper-1.900.1.new/src/libjasper/jpc/jpc_enc.c --- jasper-1.900.1.orig/src/libjasper/jpc/jpc_enc.c 2007-01-19 22:43:07.000000000 +0100 +++ jasper-1.900.1.new/src/libjasper/jpc/jpc_enc.c 2008-10-03 14:17:55.000000000 +0200 @@ -403,7 +403,7 @@ vsteplcm *= jas_image_cmptvstep(image, cmptno); } - if (!(cp->ccps = jas_malloc(cp->numcmpts * sizeof(jpc_enc_ccp_t)))) { + if (!(cp->ccps = jas_alloc2(cp->numcmpts, sizeof(jpc_enc_ccp_t)))) { goto error; } for (cmptno = 0, ccp = cp->ccps; cmptno < JAS_CAST(int, cp->numcmpts); ++cmptno, 
@@ -656,7 +656,7 @@ if (ilyrrates && numilyrrates > 0) { tcp->numlyrs = numilyrrates + 1; - if (!(tcp->ilyrrates = jas_malloc((tcp->numlyrs - 1) * + if (!(tcp->ilyrrates = jas_alloc2((tcp->numlyrs - 1), sizeof(jpc_fix_t)))) { goto error; } @@ -940,7 +940,7 @@ siz->tilewidth = cp->tilewidth; siz->tileheight = cp->tileheight; siz->numcomps = cp->numcmpts; - siz->comps = jas_malloc(siz->numcomps * sizeof(jpc_sizcomp_t)); + siz->comps = jas_alloc2(siz->numcomps, sizeof(jpc_sizcomp_t)); assert(siz->comps); for (i = 0; i < JAS_CAST(int, cp->numcmpts); ++i) { siz->comps[i].prec = cp->ccps[i].prec; @@ -977,7 +977,7 @@ return -1; } crg = &enc->mrk->parms.crg; - crg->comps = jas_malloc(crg->numcomps * sizeof(jpc_crgcomp_t)); + crg->comps = jas_alloc2(crg->numcomps, sizeof(jpc_crgcomp_t)); if (jpc_putms(enc->out, enc->cstate, enc->mrk)) { jas_eprintf("cannot write CRG marker\n"); return -1; @@ -1955,7 +1955,7 @@ tile->mctid = cp->tcp.mctid; tile->numlyrs = cp->tcp.numlyrs; - if (!(tile->lyrsizes = jas_malloc(tile->numlyrs * + if (!(tile->lyrsizes = jas_alloc2(tile->numlyrs, sizeof(uint_fast32_t)))) { goto error; } @@ -1964,7 +1964,7 @@ } /* Allocate an array for the per-tile-component information. */ - if (!(tile->tcmpts = jas_malloc(cp->numcmpts * sizeof(jpc_enc_tcmpt_t)))) { + if (!(tile->tcmpts = jas_alloc2(cp->numcmpts, sizeof(jpc_enc_tcmpt_t)))) { goto error; } /* Initialize a few members critical for error recovery. */ @@ -2110,7 +2110,7 @@ jas_seq2d_ystart(tcmpt->data), jas_seq2d_xend(tcmpt->data), jas_seq2d_yend(tcmpt->data), bandinfos); - if (!(tcmpt->rlvls = jas_malloc(tcmpt->numrlvls * sizeof(jpc_enc_rlvl_t)))) { + if (!(tcmpt->rlvls = jas_alloc2(tcmpt->numrlvls, sizeof(jpc_enc_rlvl_t)))) { goto error; } for (rlvlno = 0, rlvl = tcmpt->rlvls; rlvlno < tcmpt->numrlvls; 
@@ -2213,7 +2213,7 @@ rlvl->numvprcs = JPC_FLOORDIVPOW2(brprcbry - tlprctly, rlvl->prcheightexpn); rlvl->numprcs = rlvl->numhprcs * rlvl->numvprcs; - if (!(rlvl->bands = jas_malloc(rlvl->numbands * sizeof(jpc_enc_band_t)))) { + if (!(rlvl->bands = jas_alloc2(rlvl->numbands, sizeof(jpc_enc_band_t)))) { goto error; } for (bandno = 0, band = rlvl->bands; bandno < rlvl->numbands; @@ -2290,7 +2290,7 @@ band->synweight = bandinfo->synenergywt; if (band->data) { - if (!(band->prcs = jas_malloc(rlvl->numprcs * sizeof(jpc_enc_prc_t)))) { + if (!(band->prcs = jas_alloc2(rlvl->numprcs, sizeof(jpc_enc_prc_t)))) { goto error; } for (prcno = 0, prc = band->prcs; prcno < rlvl->numprcs; ++prcno, @@ -2422,7 +2422,7 @@ goto error; } - if (!(prc->cblks = jas_malloc(prc->numcblks * sizeof(jpc_enc_cblk_t)))) { + if (!(prc->cblks = jas_alloc2(prc->numcblks, sizeof(jpc_enc_cblk_t)))) { goto error; } for (cblkno = 0, cblk = prc->cblks; cblkno < prc->numcblks; diff -Nurad jasper-1.900.1.orig/src/libjasper/jpc/jpc_mqdec.c jasper-1.900.1.new/src/libjasper/jpc/jpc_mqdec.c --- jasper-1.900.1.orig/src/libjasper/jpc/jpc_mqdec.c 2007-01-19 22:43:07.000000000 +0100 +++ jasper-1.900.1.new/src/libjasper/jpc/jpc_mqdec.c 2008-10-03 14:17:55.000000000 +0200 @@ -118,7 +118,7 @@ mqdec->in = in; mqdec->maxctxs = maxctxs; /* Allocate memory for the per-context state information. */ - if (!(mqdec->ctxs = jas_malloc(mqdec->maxctxs * sizeof(jpc_mqstate_t *)))) { + if (!(mqdec->ctxs = jas_alloc2(mqdec->maxctxs, sizeof(jpc_mqstate_t *)))) { goto error; } /* Set the current context to the first context. */ diff -Nurad jasper-1.900.1.orig/src/libjasper/jpc/jpc_mqenc.c jasper-1.900.1.new/src/libjasper/jpc/jpc_mqenc.c --- jasper-1.900.1.orig/src/libjasper/jpc/jpc_mqenc.c 2007-01-19 22:43:07.000000000 +0100 +++ jasper-1.900.1.new/src/libjasper/jpc/jpc_mqenc.c 2008-10-03 14:17:55.000000000 +0200 
@@ -197,7 +197,7 @@ mqenc->maxctxs = maxctxs; /* Allocate memory for the per-context state information. */ - if (!(mqenc->ctxs = jas_malloc(mqenc->maxctxs * sizeof(jpc_mqstate_t *)))) { + if (!(mqenc->ctxs = jas_alloc2(mqenc->maxctxs, sizeof(jpc_mqstate_t *)))) { goto error; } diff -Nurad jasper-1.900.1.orig/src/libjasper/jpc/jpc_qmfb.c jasper-1.900.1.new/src/libjasper/jpc/jpc_qmfb.c --- jasper-1.900.1.orig/src/libjasper/jpc/jpc_qmfb.c 2007-01-19 22:43:07.000000000 +0100 +++ jasper-1.900.1.new/src/libjasper/jpc/jpc_qmfb.c 2008-10-03 14:17:55.000000000 +0200 @@ -321,7 +321,7 @@ #if !defined(HAVE_VLA) /* Get a buffer. */ if (bufsize > QMFB_SPLITBUFSIZE) { - if (!(buf = jas_malloc(bufsize * sizeof(jpc_fix_t)))) { + if (!(buf = jas_alloc2(bufsize, sizeof(jpc_fix_t)))) { /* We have no choice but to commit suicide in this case. */ abort(); } @@ -389,7 +389,7 @@ #if !defined(HAVE_VLA) /* Get a buffer. */ if (bufsize > QMFB_SPLITBUFSIZE) { - if (!(buf = jas_malloc(bufsize * sizeof(jpc_fix_t)))) { + if (!(buf = jas_alloc2(bufsize, sizeof(jpc_fix_t)))) { /* We have no choice but to commit suicide in this case. */ abort(); } @@ -460,7 +460,7 @@ #if !defined(HAVE_VLA) /* Get a buffer. */ if (bufsize > QMFB_SPLITBUFSIZE) { - if (!(buf = jas_malloc(bufsize * sizeof(jpc_fix_t)))) { + if (!(buf = jas_alloc2(bufsize, sizeof(jpc_fix_t)))) { /* We have no choice but to commit suicide in this case. */ abort(); } @@ -549,7 +549,7 @@ #if !defined(HAVE_VLA) /* Get a buffer. */ if (bufsize > QMFB_SPLITBUFSIZE) { - if (!(buf = jas_malloc(bufsize * sizeof(jpc_fix_t)))) { + if (!(buf = jas_alloc2(bufsize, sizeof(jpc_fix_t)))) { /* We have no choice but to commit suicide in this case. */ abort(); } 
@@ -633,7 +633,7 @@ #if !defined(HAVE_VLA) /* Allocate memory for the join buffer from the heap. */ if (bufsize > QMFB_JOINBUFSIZE) { - if (!(buf = jas_malloc(bufsize * sizeof(jpc_fix_t)))) { + if (!(buf = jas_alloc2(bufsize, sizeof(jpc_fix_t)))) { /* We have no choice but to commit suicide. */ abort(); } @@ -698,7 +698,7 @@ #if !defined(HAVE_VLA) /* Allocate memory for the join buffer from the heap. */ if (bufsize > QMFB_JOINBUFSIZE) { - if (!(buf = jas_malloc(bufsize * sizeof(jpc_fix_t)))) { + if (!(buf = jas_alloc2(bufsize, sizeof(jpc_fix_t)))) { /* We have no choice but to commit suicide. */ abort(); } @@ -766,7 +766,7 @@ #if !defined(HAVE_VLA) /* Allocate memory for the join buffer from the heap. */ if (bufsize > QMFB_JOINBUFSIZE) { - if (!(buf = jas_malloc(bufsize * JPC_QMFB_COLGRPSIZE * sizeof(jpc_fix_t)))) { + if (!(buf = jas_alloc2(bufsize, JPC_QMFB_COLGRPSIZE * sizeof(jpc_fix_t)))) { /* We have no choice but to commit suicide. */ abort(); } @@ -852,7 +852,7 @@ #if !defined(HAVE_VLA) /* Allocate memory for the join buffer from the heap. */ if (bufsize > QMFB_JOINBUFSIZE) { - if (!(buf = jas_malloc(bufsize * numcols * sizeof(jpc_fix_t)))) { + if (!(buf = jas_alloc3(bufsize, numcols, sizeof(jpc_fix_t)))) { /* We have no choice but to commit suicide. */ abort(); } diff -Nurad jasper-1.900.1.orig/src/libjasper/jpc/jpc_t1enc.c jasper-1.900.1.new/src/libjasper/jpc/jpc_t1enc.c --- jasper-1.900.1.orig/src/libjasper/jpc/jpc_t1enc.c 2007-01-19 22:43:07.000000000 +0100 +++ jasper-1.900.1.new/src/libjasper/jpc/jpc_t1enc.c 2008-10-03 14:17:55.000000000 +0200 
@@ -219,7 +219,7 @@ cblk->numpasses = (cblk->numbps > 0) ? (3 * cblk->numbps - 2) : 0; if (cblk->numpasses > 0) { - cblk->passes = jas_malloc(cblk->numpasses * sizeof(jpc_enc_pass_t)); + cblk->passes = jas_alloc2(cblk->numpasses, sizeof(jpc_enc_pass_t)); assert(cblk->passes); } else { cblk->passes = 0; diff -Nurad jasper-1.900.1.orig/src/libjasper/jpc/jpc_t2cod.c jasper-1.900.1.new/src/libjasper/jpc/jpc_t2cod.c --- jasper-1.900.1.orig/src/libjasper/jpc/jpc_t2cod.c 2007-01-19 22:43:07.000000000 +0100 +++ jasper-1.900.1.new/src/libjasper/jpc/jpc_t2cod.c 2008-10-03 14:17:55.000000000 +0200 @@ -573,7 +573,7 @@ } if (pchglist->numpchgs >= pchglist->maxpchgs) { newmaxpchgs = pchglist->maxpchgs + 128; - if (!(newpchgs = jas_realloc(pchglist->pchgs, newmaxpchgs * sizeof(jpc_pchg_t *)))) { + if (!(newpchgs = jas_realloc2(pchglist->pchgs, newmaxpchgs, sizeof(jpc_pchg_t *)))) { return -1; } pchglist->maxpchgs = newmaxpchgs; diff -Nurad jasper-1.900.1.orig/src/libjasper/jpc/jpc_t2dec.c jasper-1.900.1.new/src/libjasper/jpc/jpc_t2dec.c --- jasper-1.900.1.orig/src/libjasper/jpc/jpc_t2dec.c 2007-01-19 22:43:07.000000000 +0100 +++ jasper-1.900.1.new/src/libjasper/jpc/jpc_t2dec.c 2008-10-03 14:17:55.000000000 +0200 @@ -478,7 +478,7 @@ return 0; } pi->numcomps = dec->numcomps; - if (!(pi->picomps = jas_malloc(pi->numcomps * sizeof(jpc_picomp_t)))) { + if (!(pi->picomps = jas_alloc2(pi->numcomps, sizeof(jpc_picomp_t)))) { jpc_pi_destroy(pi); return 0; } @@ -490,7 +490,7 @@ for (compno = 0, tcomp = tile->tcomps, picomp = pi->picomps; compno < pi->numcomps; ++compno, ++tcomp, ++picomp) { picomp->numrlvls = tcomp->numrlvls; - if (!(picomp->pirlvls = jas_malloc(picomp->numrlvls * + if (!(picomp->pirlvls = jas_alloc2(picomp->numrlvls, sizeof(jpc_pirlvl_t)))) { jpc_pi_destroy(pi); return 0; 
@@ -503,7 +503,7 @@ rlvlno < picomp->numrlvls; ++rlvlno, ++pirlvl, ++rlvl) { /* XXX sizeof(long) should be sizeof different type */ pirlvl->numprcs = rlvl->numprcs; - if (!(pirlvl->prclyrnos = jas_malloc(pirlvl->numprcs * + if (!(pirlvl->prclyrnos = jas_alloc2(pirlvl->numprcs, sizeof(long)))) { jpc_pi_destroy(pi); return 0; diff -Nurad jasper-1.900.1.orig/src/libjasper/jpc/jpc_t2enc.c jasper-1.900.1.new/src/libjasper/jpc/jpc_t2enc.c --- jasper-1.900.1.orig/src/libjasper/jpc/jpc_t2enc.c 2007-01-19 22:43:07.000000000 +0100 +++ jasper-1.900.1.new/src/libjasper/jpc/jpc_t2enc.c 2008-10-03 14:17:55.000000000 +0200 @@ -565,7 +565,7 @@ } pi->pktno = -1; pi->numcomps = cp->numcmpts; - if (!(pi->picomps = jas_malloc(pi->numcomps * sizeof(jpc_picomp_t)))) { + if (!(pi->picomps = jas_alloc2(pi->numcomps, sizeof(jpc_picomp_t)))) { jpc_pi_destroy(pi); return 0; } @@ -577,7 +577,7 @@ for (compno = 0, tcomp = tile->tcmpts, picomp = pi->picomps; compno < pi->numcomps; ++compno, ++tcomp, ++picomp) { picomp->numrlvls = tcomp->numrlvls; - if (!(picomp->pirlvls = jas_malloc(picomp->numrlvls * + if (!(picomp->pirlvls = jas_alloc2(picomp->numrlvls, sizeof(jpc_pirlvl_t)))) { jpc_pi_destroy(pi); return 0; @@ -591,7 +591,7 @@ /* XXX sizeof(long) should be sizeof different type */ pirlvl->numprcs = rlvl->numprcs; if (rlvl->numprcs) { - if (!(pirlvl->prclyrnos = jas_malloc(pirlvl->numprcs * + if (!(pirlvl->prclyrnos = jas_alloc2(pirlvl->numprcs, sizeof(long)))) { jpc_pi_destroy(pi); return 0; diff -Nurad jasper-1.900.1.orig/src/libjasper/jpc/jpc_tagtree.c jasper-1.900.1.new/src/libjasper/jpc/jpc_tagtree.c --- jasper-1.900.1.orig/src/libjasper/jpc/jpc_tagtree.c 2007-01-19 22:43:07.000000000 +0100 +++ jasper-1.900.1.new/src/libjasper/jpc/jpc_tagtree.c 2008-10-03 14:17:55.000000000 +0200 
@@ -125,7 +125,7 @@ ++numlvls; } while (n > 1); - if (!(tree->nodes_ = jas_malloc(tree->numnodes_ * sizeof(jpc_tagtreenode_t)))) { + if (!(tree->nodes_ = jas_alloc2(tree->numnodes_, sizeof(jpc_tagtreenode_t)))) { return 0; } diff -Nurad jasper-1.900.1.orig/src/libjasper/jpc/jpc_util.c jasper-1.900.1.new/src/libjasper/jpc/jpc_util.c --- jasper-1.900.1.orig/src/libjasper/jpc/jpc_util.c 2007-01-19 22:43:07.000000000 +0100 +++ jasper-1.900.1.new/src/libjasper/jpc/jpc_util.c 2008-10-03 14:17:55.000000000 +0200 @@ -109,7 +109,7 @@ } if (n) { - if (!(vs = jas_malloc(n * sizeof(double)))) { + if (!(vs = jas_alloc2(n, sizeof(double)))) { return -1; } diff -Nurad jasper-1.900.1.orig/src/libjasper/mif/mif_cod.c jasper-1.900.1.new/src/libjasper/mif/mif_cod.c --- jasper-1.900.1.orig/src/libjasper/mif/mif_cod.c 2007-01-19 22:43:05.000000000 +0100 +++ jasper-1.900.1.new/src/libjasper/mif/mif_cod.c 2008-10-03 14:17:55.000000000 +0200 @@ -438,8 +438,7 @@ int cmptno; mif_cmpt_t **newcmpts; assert(maxcmpts >= hdr->numcmpts); - newcmpts = (!hdr->cmpts) ? jas_malloc(maxcmpts * sizeof(mif_cmpt_t *)) : - jas_realloc(hdr->cmpts, maxcmpts * sizeof(mif_cmpt_t *)); + newcmpts = jas_realloc2(hdr->cmpts, maxcmpts, sizeof(mif_cmpt_t *)); if (!newcmpts) { return -1; }pgp6NYVne6PFs.pgp
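Review bot: every jpc_qmfb.c hunk (@@ -321 through @@ -852) keeps abort() as the only response to a NULL return from the allocator, so a rejected size now kills the calling process instead of failing the operation. If jas_alloc2 and jas_alloc3 return NULL when the size product would overflow (their definitions are not in the lines shown here), an oversized bufsize turns the integer overflow into a denial of service for every application that links libjasper. Suggest giving these functions an error return that callers propagate, and dropping the "commit suicide" path. Separately, @@ -766 still passes the product JPC_QMFB_COLGRPSIZE * sizeof(jpc_fix_t) as one argument; jas_alloc3(bufsize, JPC_QMFB_COLGRPSIZE, sizeof(jpc_fix_t)) would match the form used in @@ -852.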
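Review bot: in jpc_t1enc.c @@ -219 the result of jas_alloc2 is checked only by assert(cblk->passes), which is compiled out when NDEBUG is defined, so a NULL return is stored in cblk->passes with no error path. Suggest an explicit check, for example if (!cblk->passes) followed by the function's normal failure return, so that release builds handle both allocation failure and a rejected size. The count itself, 3 * cblk->numbps - 2, is also computed with an unchecked multiplication in the context line above, before the value reaches the checked allocator.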
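Review bot: in jpc_t2dec.c @@ -503 the prclyrnos allocation is attempted even when pirlvl->numprcs is zero, while the matching hunk in jpc_t2enc.c (@@ -591) guards it with if (rlvl->numprcs). Depending on how jas_alloc2 treats a zero count (not shown in these lines), the decoder may take the jpc_pi_destroy(pi); return 0; path for an input that the encoder side accepts. Suggest adding the same guard in the decoder. Both hunks also carry the comment /* XXX sizeof(long) should be sizeof different type */ over to the new call; sizeof(*pirlvl->prclyrnos) would tie the element size to the pointer's type and let the XXX go.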
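Review bot: in mif_cod.c @@ -438 the explicit jas_malloc branch for the !hdr->cmpts case is removed, so the first growth now calls jas_realloc2(hdr->cmpts, maxcmpts, sizeof(mif_cmpt_t *)) with a NULL pointer. That is correct only if jas_realloc2, and whatever it calls underneath, accepts NULL and behaves as a fresh allocation the way standard realloc does. Its definition is not in the lines shown here, so please confirm this and state the guarantee in a comment on jas_realloc2, since the original code deliberately avoided relying on it.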
--- End Message ---
--- Begin Message ---
Source: jasper
Source-Version: 1.900.1-5.1

We believe that the bug you reported is fixed in the latest version of
jasper, which is due to be installed in the Debian FTP archive:

jasper_1.900.1-5.1.diff.gz
  to pool/main/j/jasper/jasper_1.900.1-5.1.diff.gz
jasper_1.900.1-5.1.dsc
  to pool/main/j/jasper/jasper_1.900.1-5.1.dsc
libjasper-dev_1.900.1-5.1_amd64.deb
  to pool/main/j/jasper/libjasper-dev_1.900.1-5.1_amd64.deb
libjasper-runtime_1.900.1-5.1_amd64.deb
  to pool/main/j/jasper/libjasper-runtime_1.900.1-5.1_amd64.deb
libjasper1_1.900.1-5.1_amd64.deb
  to pool/main/j/jasper/libjasper1_1.900.1-5.1_amd64.deb

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Pierre Habouzit <[EMAIL PROTECTED]> (supplier of updated jasper package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sun, 12 Oct 2008 21:40:59 +0200
Source: jasper
Binary: libjasper1 libjasper-dev libjasper-runtime
Architecture: source amd64
Version: 1.900.1-5.1
Distribution: unstable
Urgency: low
Maintainer: Roland Stigge <[EMAIL PROTECTED]>
Changed-By: Pierre Habouzit <[EMAIL PROTECTED]>
Description:
 libjasper-dev - Development files for the JasPer JPEG-2000 library
 libjasper-runtime - Programs for manipulating JPEG-2000 files
 libjasper1 - The JasPer JPEG-2000 runtime library
Closes: 501021
Changes:
 jasper (1.900.1-5.1) unstable; urgency=low
 .
   * Non-maintainer upload.
   * add patches/02_security.dpatch to fix various CVEs (Closes: #501021):
     + CVE-2008-3522[0]: Buffer overflow.
     + CVE-2008-3521[1]: unsecure temporary files handling.
     + CVE-2008-3520[2]: Multiple integer overflows.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkjyVz4ACgkQvGr7W6HudhzQzQCfQBeiHg6dqaoHWZOx8n7dHn++
UZ8AmwS9Tht0oazGt1A8Q9TI3ATKLDTe
=HmDb
-----END PGP SIGNATURE-----
--- End Message ---