Git-Url: http://git.frugalware.org/gitweb/gitweb.cgi?p=frugalware-current.git;a=commitdiff;h=27bbe4a8fae1e6514c754a51efc3c05fa7584636
commit 27bbe4a8fae1e6514c754a51efc3c05fa7584636 Author: DeX77 <[email protected]> Date: Sun Jan 8 21:01:35 2017 +0100 jasper-2.0.10-1-x86_64 * version bump
diff --git a/source/xlib/jasper/CVE-2008-3520.patch b/source/xlib/jasper/CVE-2008-3520.patch
deleted file mode 100644
index 0c69c79..0000000
--- a/source/xlib/jasper/CVE-2008-3520.patch
+++ /dev/null
@@ -1,835 +0,0 @@ ---- src/libjasper/base/jas_cm.c -+++ src/libjasper/base/jas_cm.c -@@ -704,8 +704,7 @@ - { - jas_cmpxform_t **p; - assert(n >= pxformseq->numpxforms); -- p = (!pxformseq->pxforms) ? jas_malloc(n * sizeof(jas_cmpxform_t *)) : -- jas_realloc(pxformseq->pxforms, n * sizeof(jas_cmpxform_t *)); -+ p = jas_realloc2(pxformseq->pxforms, n, sizeof(jas_cmpxform_t *)); - if (!p) { - return -1; - } -@@ -889,13 +888,13 @@ - jas_cmshapmatlut_cleanup(lut); - if (curv->numents == 0) { - lut->size = 2; -- if (!(lut->data = jas_malloc(lut->size * sizeof(jas_cmreal_t)))) -+ if (!(lut->data = jas_alloc2(lut->size, sizeof(jas_cmreal_t)))) - goto error; - lut->data[0] = 0.0; - lut->data[1] = 1.0; - } else if (curv->numents == 1) { - lut->size = 256; -- if (!(lut->data = jas_malloc(lut->size * sizeof(jas_cmreal_t)))) -+ if (!(lut->data = jas_alloc2(lut->size, sizeof(jas_cmreal_t)))) - goto error; - gamma = curv->ents[0] / 256.0; - for (i = 0; i < lut->size; ++i) { -@@ -903,7 +902,7 @@ - } - } else { - lut->size = curv->numents; -- if (!(lut->data = jas_malloc(lut->size * sizeof(jas_cmreal_t)))) -+ if (!(lut->data = jas_alloc2(lut->size, sizeof(jas_cmreal_t)))) - goto error; - for (i = 0; i < lut->size; ++i) { - lut->data[i] = curv->ents[i] / 65535.0; -@@ -953,7 +952,7 @@ - return -1; - } - } -- if (!(invlut->data = jas_malloc(n * sizeof(jas_cmreal_t)))) -+ if (!(invlut->data = jas_alloc2(n, sizeof(jas_cmreal_t)))) - return -1; - invlut->size = n; - for (i = 0; i < invlut->size; ++i) { ---- src/libjasper/base/jas_icc.c -+++ src/libjasper/base/jas_icc.c -@@ -373,7 +373,7 @@ - jas_icctagtab_t *tagtab; - - tagtab = &prof->tagtab; -- if (!(tagtab->ents = jas_malloc(prof->attrtab->numattrs * -+ if (!(tagtab->ents = jas_alloc2(prof->attrtab->numattrs, - sizeof(jas_icctagtabent_t)))) - goto error; - tagtab->numents = prof->attrtab->numattrs; -@@ -522,7 +522,7 @@ - } - if (jas_iccgetuint32(in, &tagtab->numents)) - goto error; -- if (!(tagtab->ents = jas_malloc(tagtab->numents * 
-+ if (!(tagtab->ents = jas_alloc2(tagtab->numents, - sizeof(jas_icctagtabent_t)))) - goto error; - tagtabent = tagtab->ents; -@@ -743,8 +743,7 @@ - { - jas_iccattr_t *newattrs; - assert(maxents >= tab->numattrs); -- newattrs = tab->attrs ? jas_realloc(tab->attrs, maxents * -- sizeof(jas_iccattr_t)) : jas_malloc(maxents * sizeof(jas_iccattr_t)); -+ newattrs = jas_realloc2(tab->attrs, maxents, sizeof(jas_iccattr_t)); - if (!newattrs) - return -1; - tab->attrs = newattrs; -@@ -999,7 +998,7 @@ - - if (jas_iccgetuint32(in, &curv->numents)) - goto error; -- if (!(curv->ents = jas_malloc(curv->numents * sizeof(jas_iccuint16_t)))) -+ if (!(curv->ents = jas_alloc2(curv->numents, sizeof(jas_iccuint16_t)))) - goto error; - for (i = 0; i < curv->numents; ++i) { - if (jas_iccgetuint16(in, &curv->ents[i])) -@@ -1100,7 +1099,7 @@ - if (jas_iccgetuint32(in, &txtdesc->uclangcode) || - jas_iccgetuint32(in, &txtdesc->uclen)) - goto error; -- if (!(txtdesc->ucdata = jas_malloc(txtdesc->uclen * 2))) -+ if (!(txtdesc->ucdata = jas_alloc2(txtdesc->uclen, 2))) - goto error; - if (jas_stream_read(in, txtdesc->ucdata, txtdesc->uclen * 2) != - JAS_CAST(int, txtdesc->uclen * 2)) -@@ -1292,17 +1291,17 @@ - jas_iccgetuint16(in, &lut8->numouttabents)) - goto error; - clutsize = jas_iccpowi(lut8->clutlen, lut8->numinchans) * lut8->numoutchans; -- if (!(lut8->clut = jas_malloc(clutsize * sizeof(jas_iccuint8_t))) || -- !(lut8->intabsbuf = jas_malloc(lut8->numinchans * -- lut8->numintabents * sizeof(jas_iccuint8_t))) || -- !(lut8->intabs = jas_malloc(lut8->numinchans * -+ if (!(lut8->clut = jas_alloc2(clutsize, sizeof(jas_iccuint8_t))) || -+ !(lut8->intabsbuf = jas_alloc3(lut8->numinchans, -+ lut8->numintabents, sizeof(jas_iccuint8_t))) || -+ !(lut8->intabs = jas_alloc2(lut8->numinchans, - sizeof(jas_iccuint8_t *)))) - goto error; - for (i = 0; i < lut8->numinchans; ++i) - lut8->intabs[i] = &lut8->intabsbuf[i * lut8->numintabents]; -- if (!(lut8->outtabsbuf = jas_malloc(lut8->numoutchans * -- 
lut8->numouttabents * sizeof(jas_iccuint8_t))) || -- !(lut8->outtabs = jas_malloc(lut8->numoutchans * -+ if (!(lut8->outtabsbuf = jas_alloc3(lut8->numoutchans, -+ lut8->numouttabents, sizeof(jas_iccuint8_t))) || -+ !(lut8->outtabs = jas_alloc2(lut8->numoutchans, - sizeof(jas_iccuint8_t *)))) - goto error; - for (i = 0; i < lut8->numoutchans; ++i) -@@ -1461,17 +1460,17 @@ - jas_iccgetuint16(in, &lut16->numouttabents)) - goto error; - clutsize = jas_iccpowi(lut16->clutlen, lut16->numinchans) * lut16->numoutchans; -- if (!(lut16->clut = jas_malloc(clutsize * sizeof(jas_iccuint16_t))) || -+ if (!(lut16->clut = jas_alloc2(clutsize, sizeof(jas_iccuint16_t))) || - !(lut16->intabsbuf = jas_malloc(lut16->numinchans * - lut16->numintabents * sizeof(jas_iccuint16_t))) || -- !(lut16->intabs = jas_malloc(lut16->numinchans * -+ !(lut16->intabs = jas_alloc2(lut16->numinchans, - sizeof(jas_iccuint16_t *)))) - goto error; - for (i = 0; i < lut16->numinchans; ++i) - lut16->intabs[i] = &lut16->intabsbuf[i * lut16->numintabents]; -- if (!(lut16->outtabsbuf = jas_malloc(lut16->numoutchans * -- lut16->numouttabents * sizeof(jas_iccuint16_t))) || -- !(lut16->outtabs = jas_malloc(lut16->numoutchans * -+ if (!(lut16->outtabsbuf = jas_alloc3(lut16->numoutchans, -+ lut16->numouttabents, sizeof(jas_iccuint16_t))) || -+ !(lut16->outtabs = jas_alloc2(lut16->numoutchans, - sizeof(jas_iccuint16_t *)))) - goto error; - for (i = 0; i < lut16->numoutchans; ++i) ---- src/libjasper/base/jas_image.c -+++ src/libjasper/base/jas_image.c -@@ -142,7 +142,7 @@ - image->inmem_ = true; - - /* Allocate memory for the per-component information. */ -- if (!(image->cmpts_ = jas_malloc(image->maxcmpts_ * -+ if (!(image->cmpts_ = jas_alloc2(image->maxcmpts_, - sizeof(jas_image_cmpt_t *)))) { - jas_image_destroy(image); - return 0; -@@ -774,8 +774,7 @@ - jas_image_cmpt_t **newcmpts; - int cmptno; - -- newcmpts = (!image->cmpts_) ? 
jas_malloc(maxcmpts * sizeof(jas_image_cmpt_t *)) : -- jas_realloc(image->cmpts_, maxcmpts * sizeof(jas_image_cmpt_t *)); -+ newcmpts = jas_realloc2(image->cmpts_, maxcmpts, sizeof(jas_image_cmpt_t *)); - if (!newcmpts) { - return -1; - } ---- src/libjasper/base/jas_malloc.c -+++ src/libjasper/base/jas_malloc.c -@@ -76,6 +76,9 @@ - - /* We need the prototype for memset. */ - #include <string.h> -+#include <limits.h> -+#include <errno.h> -+#include <stdint.h> - - #include "jasper/jas_malloc.h" - -@@ -113,18 +116,50 @@ - - void *jas_realloc(void *ptr, size_t size) - { -- return realloc(ptr, size); -+ return ptr ? realloc(ptr, size) : malloc(size); - } - --void *jas_calloc(size_t nmemb, size_t size) -+void *jas_realloc2(void *ptr, size_t nmemb, size_t size) -+{ -+ if (!ptr) -+ return jas_alloc2(nmemb, size); -+ if (nmemb && SIZE_MAX / nmemb < size) { -+ errno = ENOMEM; -+ return NULL; -+ } -+ return jas_realloc(ptr, nmemb * size); -+ -+} -+ -+void *jas_alloc2(size_t nmemb, size_t size) -+{ -+ if (nmemb && SIZE_MAX / nmemb < size) { -+ errno = ENOMEM; -+ return NULL; -+ } -+ -+ return jas_malloc(nmemb * size); -+} -+ -+void *jas_alloc3(size_t a, size_t b, size_t c) - { -- void *ptr; - size_t n; -- n = nmemb * size; -- if (!(ptr = jas_malloc(n * sizeof(char)))) { -- return 0; -+ -+ if (a && SIZE_MAX / a < b) { -+ errno = ENOMEM; -+ return NULL; - } -- memset(ptr, 0, n); -+ -+ return jas_alloc2(a*b, c); -+} -+ -+void *jas_calloc(size_t nmemb, size_t size) -+{ -+ void *ptr; -+ -+ ptr = jas_alloc2(nmemb, size); -+ if (ptr) -+ memset(ptr, 0, nmemb*size); - return ptr; - } - ---- src/libjasper/base/jas_seq.c -+++ src/libjasper/base/jas_seq.c -@@ -114,7 +114,7 @@ - matrix->datasize_ = numrows * numcols; - - if (matrix->maxrows_ > 0) { -- if (!(matrix->rows_ = jas_malloc(matrix->maxrows_ * -+ if (!(matrix->rows_ = jas_alloc2(matrix->maxrows_, - sizeof(jas_seqent_t *)))) { - jas_matrix_destroy(matrix); - return 0; -@@ -122,7 +122,7 @@ - } - - if (matrix->datasize_ > 0) { -- if 
(!(matrix->data_ = jas_malloc(matrix->datasize_ * -+ if (!(matrix->data_ = jas_alloc2(matrix->datasize_, - sizeof(jas_seqent_t)))) { - jas_matrix_destroy(matrix); - return 0; -@@ -220,7 +220,7 @@ - mat0->numrows_ = r1 - r0 + 1; - mat0->numcols_ = c1 - c0 + 1; - mat0->maxrows_ = mat0->numrows_; -- mat0->rows_ = jas_malloc(mat0->maxrows_ * sizeof(jas_seqent_t *)); -+ mat0->rows_ = jas_alloc2(mat0->maxrows_, sizeof(jas_seqent_t *)); - for (i = 0; i < mat0->numrows_; ++i) { - mat0->rows_[i] = mat1->rows_[r0 + i] + c0; - } -@@ -432,7 +432,8 @@ - for (i = 0; i < jas_matrix_numrows(matrix); ++i) { - for (j = 0; j < jas_matrix_numcols(matrix); ++j) { - x = jas_matrix_get(matrix, i, j); -- sprintf(sbuf, "%s%4ld", (strlen(buf) > 0) ? " " : "", -+ snprintf(sbuf, sizeof sbuf, -+ "%s%4ld", (strlen(buf) > 0) ? " " : "", - JAS_CAST(long, x)); - n = strlen(buf); - if (n + strlen(sbuf) > MAXLINELEN) { ---- src/libjasper/base/jas_stream.c -+++ src/libjasper/base/jas_stream.c -@@ -212,7 +212,7 @@ - if (buf) { - obj->buf_ = (unsigned char *) buf; - } else { -- obj->buf_ = jas_malloc(obj->bufsize_ * sizeof(char)); -+ obj->buf_ = jas_malloc(obj->bufsize_); - obj->myalloc_ = 1; - } - if (!obj->buf_) { -@@ -361,28 +361,22 @@ - } - obj->fd = -1; - obj->flags = 0; -- obj->pathname[0] = '\0'; - stream->obj_ = obj; - - /* Choose a file name. */ -- tmpnam(obj->pathname); -+ snprintf(obj->pathname, L_tmpnam, "%stmp.XXXXXXXXXX", P_tmpdir); - - /* Open the underlying file. */ -- if ((obj->fd = open(obj->pathname, O_CREAT | O_EXCL | O_RDWR | O_TRUNC | O_BINARY, -- JAS_STREAM_PERMS)) < 0) { -+ if ((obj->fd = mkstemp(obj->pathname)) < 0) { - jas_stream_destroy(stream); - return 0; - } - - /* Unlink the file so that it will disappear if the program - terminates abnormally. */ -- /* Under UNIX, one can unlink an open file and continue to do I/O -- on it. Not all operating systems support this functionality, however. 
-- For example, under Microsoft Windows the unlink operation will fail, -- since the file is open. */ - if (unlink(obj->pathname)) { -- /* We will try unlinking the file again after it is closed. */ -- obj->flags |= JAS_STREAM_FILEOBJ_DELONCLOSE; -+ jas_stream_destroy(stream); -+ return 0; - } - - /* Use full buffering. */ -@@ -553,7 +547,7 @@ - int ret; - - va_start(ap, fmt); -- ret = vsprintf(buf, fmt, ap); -+ ret = vsnprintf(buf, sizeof buf, fmt, ap); - jas_stream_puts(stream, buf); - va_end(ap); - return ret; -@@ -992,7 +986,7 @@ - unsigned char *buf; - - assert(m->buf_); -- if (!(buf = jas_realloc(m->buf_, bufsize * sizeof(unsigned char)))) { -+ if (!(buf = jas_realloc(m->buf_, bufsize))) { - return -1; - } - m->buf_ = buf; ---- src/libjasper/bmp/bmp_dec.c -+++ src/libjasper/bmp/bmp_dec.c -@@ -283,7 +283,7 @@ - } - - if (info->numcolors > 0) { -- if (!(info->palents = jas_malloc(info->numcolors * -+ if (!(info->palents = jas_alloc2(info->numcolors, - sizeof(bmp_palent_t)))) { - bmp_info_destroy(info); - return 0; ---- src/libjasper/include/jasper/jas_malloc.h -+++ src/libjasper/include/jasper/jas_malloc.h -@@ -95,6 +95,9 @@ - #define jas_free MEMFREE - #define jas_realloc MEMREALLOC - #define jas_calloc MEMCALLOC -+#define jas_alloc2(a, b) MEMALLOC((a)*(b)) -+#define jas_alloc3(a, b, c) MEMALLOC((a)*(b)*(c)) -+#define jas_realloc2(p, a, b) MEMREALLOC((p), (a)*(b)) - #endif - - /******************************************************************************\ -@@ -115,6 +118,12 @@ - /* Allocate a block of memory and initialize the contents to zero. 
*/ - void *jas_calloc(size_t nmemb, size_t size); - -+/* size-checked double allocation .*/ -+void *jas_alloc2(size_t, size_t); -+ -+void *jas_alloc3(size_t, size_t, size_t); -+ -+void *jas_realloc2(void *, size_t, size_t); - #endif - - #ifdef __cplusplus ---- src/libjasper/jp2/jp2_cod.c -+++ src/libjasper/jp2/jp2_cod.c -@@ -795,11 +795,15 @@ - jp2_cmap_t *cmap = &box->data.cmap; - unsigned int i; - jp2_cmapent_t *ent; -- fprintf(out, "numchans = %d\n", (int) cmap->numchans); -+ if (jas_getdbglevel() >= 1) { -+ fprintf(out, "numchans = %d\n", (int) cmap->numchans); -+ } - for (i = 0; i < cmap->numchans; ++i) { - ent = &cmap->ents[i]; -- fprintf(out, "cmptno=%d; map=%d; pcol=%d\n", -- (int) ent->cmptno, (int) ent->map, (int) ent->pcol); -+ if (jas_getdbglevel() >= 1) { -+ fprintf(out, "cmptno=%d; map=%d; pcol=%d\n", -+ (int) ent->cmptno, (int) ent->map, (int) ent->pcol); -+ } - } - } - ---- src/libjasper/jp2/jp2_dec.c -+++ src/libjasper/jp2/jp2_dec.c -@@ -293,7 +293,9 @@ - dec->colr->data.colr.iccplen); - assert(iccprof); - jas_iccprof_gethdr(iccprof, &icchdr); -- jas_eprintf("ICC Profile CS %08x\n", icchdr.colorspc); -+ if (jas_getdbglevel() >= 1) { -+ jas_eprintf("ICC Profile CS %08x\n", icchdr.colorspc); -+ } - jas_image_setclrspc(dec->image, fromiccpcs(icchdr.colorspc)); - dec->image->cmprof_ = jas_cmprof_createfromiccprof(iccprof); - assert(dec->image->cmprof_); ---- src/libjasper/jp2/jp2_enc.c -+++ src/libjasper/jp2/jp2_enc.c -@@ -191,7 +191,7 @@ - } - bpcc = &box->data.bpcc; - bpcc->numcmpts = jas_image_numcmpts(image); -- if (!(bpcc->bpcs = jas_malloc(bpcc->numcmpts * -+ if (!(bpcc->bpcs = jas_alloc2(bpcc->numcmpts, - sizeof(uint_fast8_t)))) { - goto error; - } -@@ -285,7 +285,7 @@ - } - cdef = &box->data.cdef; - cdef->numchans = jas_image_numcmpts(image); -- cdef->ents = jas_malloc(cdef->numchans * sizeof(jp2_cdefchan_t)); -+ cdef->ents = jas_alloc2(cdef->numchans, sizeof(jp2_cdefchan_t)); - for (i = 0; i < jas_image_numcmpts(image); ++i) { - cdefchanent = 
&cdef->ents[i]; - cdefchanent->channo = i; -@@ -343,7 +343,8 @@ - /* Output the JPEG-2000 code stream. */ - - overhead = jas_stream_getrwcount(out); -- sprintf(buf, "%s\n_jp2overhead=%lu\n", (optstr ? optstr : ""), -+ snprintf(buf, sizeof buf, "%s\n_jp2overhead=%lu\n", -+ (optstr ? optstr : ""), - (unsigned long) overhead); - - if (jpc_encode(image, out, buf)) { ---- src/libjasper/jpc/jpc_cs.c -+++ src/libjasper/jpc/jpc_cs.c -@@ -502,7 +502,7 @@ - !siz->tileheight || !siz->numcomps) { - return -1; - } -- if (!(siz->comps = jas_malloc(siz->numcomps * sizeof(jpc_sizcomp_t)))) { -+ if (!(siz->comps = jas_alloc2(siz->numcomps, sizeof(jpc_sizcomp_t)))) { - return -1; - } - for (i = 0; i < siz->numcomps; ++i) { -@@ -986,7 +986,7 @@ - jpc_qcx_destroycompparms(compparms); - return -1; - } else if (compparms->numstepsizes > 0) { -- compparms->stepsizes = jas_malloc(compparms->numstepsizes * -+ compparms->stepsizes = jas_alloc2(compparms->numstepsizes, - sizeof(uint_fast16_t)); - assert(compparms->stepsizes); - for (i = 0; i < compparms->numstepsizes; ++i) { -@@ -1094,7 +1094,7 @@ - - ppm->len = ms->len - 1; - if (ppm->len > 0) { -- if (!(ppm->data = jas_malloc(ppm->len * sizeof(unsigned char)))) { -+ if (!(ppm->data = jas_malloc(ppm->len))) { - goto error; - } - if (JAS_CAST(uint, jas_stream_read(in, ppm->data, ppm->len)) != ppm->len) { -@@ -1163,7 +1163,7 @@ - } - ppt->len = ms->len - 1; - if (ppt->len > 0) { -- if (!(ppt->data = jas_malloc(ppt->len * sizeof(unsigned char)))) { -+ if (!(ppt->data = jas_malloc(ppt->len))) { - goto error; - } - if (jas_stream_read(in, (char *) ppt->data, ppt->len) != JAS_CAST(int, ppt->len)) { -@@ -1226,7 +1226,7 @@ - uint_fast8_t tmp; - poc->numpchgs = (cstate->numcomps > 256) ? 
(ms->len / 9) : - (ms->len / 7); -- if (!(poc->pchgs = jas_malloc(poc->numpchgs * sizeof(jpc_pocpchg_t)))) { -+ if (!(poc->pchgs = jas_alloc2(poc->numpchgs, sizeof(jpc_pocpchg_t)))) { - goto error; - } - for (pchgno = 0, pchg = poc->pchgs; pchgno < poc->numpchgs; ++pchgno, -@@ -1331,7 +1331,7 @@ - jpc_crgcomp_t *comp; - uint_fast16_t compno; - crg->numcomps = cstate->numcomps; -- if (!(crg->comps = jas_malloc(cstate->numcomps * sizeof(uint_fast16_t)))) { -+ if (!(crg->comps = jas_alloc2(cstate->numcomps, sizeof(uint_fast16_t)))) { - return -1; - } - for (compno = 0, comp = crg->comps; compno < cstate->numcomps; -@@ -1470,7 +1470,7 @@ - cstate = 0; - - if (ms->len > 0) { -- if (!(unk->data = jas_malloc(ms->len * sizeof(unsigned char)))) { -+ if (!(unk->data = jas_malloc(ms->len))) { - return -1; - } - if (jas_stream_read(in, (char *) unk->data, ms->len) != JAS_CAST(int, ms->len)) { ---- src/libjasper/jpc/jpc_dec.c -+++ src/libjasper/jpc/jpc_dec.c -@@ -1466,7 +1466,9 @@ - dec = 0; - - jas_eprintf("warning: ignoring unknown marker segment\n"); -- jpc_ms_dump(ms, stderr); -+ if (jas_getdbglevel() >= 1) { -+ jpc_ms_dump(ms, stderr); -+ } - return 0; - } - ---- src/libjasper/jpc/jpc_enc.c -+++ src/libjasper/jpc/jpc_enc.c -@@ -403,7 +403,7 @@ - vsteplcm *= jas_image_cmptvstep(image, cmptno); - } - -- if (!(cp->ccps = jas_malloc(cp->numcmpts * sizeof(jpc_enc_ccp_t)))) { -+ if (!(cp->ccps = jas_alloc2(cp->numcmpts, sizeof(jpc_enc_ccp_t)))) { - goto error; - } - for (cmptno = 0, ccp = cp->ccps; cmptno < JAS_CAST(int, cp->numcmpts); ++cmptno, -@@ -656,7 +656,7 @@ - - if (ilyrrates && numilyrrates > 0) { - tcp->numlyrs = numilyrrates + 1; -- if (!(tcp->ilyrrates = jas_malloc((tcp->numlyrs - 1) * -+ if (!(tcp->ilyrrates = jas_alloc2((tcp->numlyrs - 1), - sizeof(jpc_fix_t)))) { - goto error; - } -@@ -940,7 +940,7 @@ - siz->tilewidth = cp->tilewidth; - siz->tileheight = cp->tileheight; - siz->numcomps = cp->numcmpts; -- siz->comps = jas_malloc(siz->numcomps * 
sizeof(jpc_sizcomp_t)); -+ siz->comps = jas_alloc2(siz->numcomps, sizeof(jpc_sizcomp_t)); - assert(siz->comps); - for (i = 0; i < JAS_CAST(int, cp->numcmpts); ++i) { - siz->comps[i].prec = cp->ccps[i].prec; -@@ -958,7 +958,8 @@ - if (!(enc->mrk = jpc_ms_create(JPC_MS_COM))) { - return -1; - } -- sprintf(buf, "Creator: JasPer Version %s", jas_getversion()); -+ snprintf(buf, sizeof buf, "Creator: JasPer Version %s", -+ jas_getversion()); - com = &enc->mrk->parms.com; - com->len = strlen(buf); - com->regid = JPC_COM_LATIN; -@@ -977,7 +978,7 @@ - return -1; - } - crg = &enc->mrk->parms.crg; -- crg->comps = jas_malloc(crg->numcomps * sizeof(jpc_crgcomp_t)); -+ crg->comps = jas_alloc2(crg->numcomps, sizeof(jpc_crgcomp_t)); - if (jpc_putms(enc->out, enc->cstate, enc->mrk)) { - jas_eprintf("cannot write CRG marker\n"); - return -1; -@@ -1955,7 +1956,7 @@ - tile->mctid = cp->tcp.mctid; - - tile->numlyrs = cp->tcp.numlyrs; -- if (!(tile->lyrsizes = jas_malloc(tile->numlyrs * -+ if (!(tile->lyrsizes = jas_alloc2(tile->numlyrs, - sizeof(uint_fast32_t)))) { - goto error; - } -@@ -1964,7 +1965,7 @@ - } - - /* Allocate an array for the per-tile-component information. */ -- if (!(tile->tcmpts = jas_malloc(cp->numcmpts * sizeof(jpc_enc_tcmpt_t)))) { -+ if (!(tile->tcmpts = jas_alloc2(cp->numcmpts, sizeof(jpc_enc_tcmpt_t)))) { - goto error; - } - /* Initialize a few members critical for error recovery. 
*/ -@@ -2110,7 +2111,7 @@ - jas_seq2d_ystart(tcmpt->data), jas_seq2d_xend(tcmpt->data), - jas_seq2d_yend(tcmpt->data), bandinfos); - -- if (!(tcmpt->rlvls = jas_malloc(tcmpt->numrlvls * sizeof(jpc_enc_rlvl_t)))) { -+ if (!(tcmpt->rlvls = jas_alloc2(tcmpt->numrlvls, sizeof(jpc_enc_rlvl_t)))) { - goto error; - } - for (rlvlno = 0, rlvl = tcmpt->rlvls; rlvlno < tcmpt->numrlvls; -@@ -2213,7 +2214,7 @@ - rlvl->numvprcs = JPC_FLOORDIVPOW2(brprcbry - tlprctly, rlvl->prcheightexpn); - rlvl->numprcs = rlvl->numhprcs * rlvl->numvprcs; - -- if (!(rlvl->bands = jas_malloc(rlvl->numbands * sizeof(jpc_enc_band_t)))) { -+ if (!(rlvl->bands = jas_alloc2(rlvl->numbands, sizeof(jpc_enc_band_t)))) { - goto error; - } - for (bandno = 0, band = rlvl->bands; bandno < rlvl->numbands; -@@ -2290,7 +2291,7 @@ - band->synweight = bandinfo->synenergywt; - - if (band->data) { -- if (!(band->prcs = jas_malloc(rlvl->numprcs * sizeof(jpc_enc_prc_t)))) { -+ if (!(band->prcs = jas_alloc2(rlvl->numprcs, sizeof(jpc_enc_prc_t)))) { - goto error; - } - for (prcno = 0, prc = band->prcs; prcno < rlvl->numprcs; ++prcno, -@@ -2422,7 +2423,7 @@ - goto error; - } - -- if (!(prc->cblks = jas_malloc(prc->numcblks * sizeof(jpc_enc_cblk_t)))) { -+ if (!(prc->cblks = jas_alloc2(prc->numcblks, sizeof(jpc_enc_cblk_t)))) { - goto error; - } - for (cblkno = 0, cblk = prc->cblks; cblkno < prc->numcblks; ---- src/libjasper/jpc/jpc_mqdec.c -+++ src/libjasper/jpc/jpc_mqdec.c -@@ -118,7 +118,7 @@ - mqdec->in = in; - mqdec->maxctxs = maxctxs; - /* Allocate memory for the per-context state information. */ -- if (!(mqdec->ctxs = jas_malloc(mqdec->maxctxs * sizeof(jpc_mqstate_t *)))) { -+ if (!(mqdec->ctxs = jas_alloc2(mqdec->maxctxs, sizeof(jpc_mqstate_t *)))) { - goto error; - } - /* Set the current context to the first context. */ ---- src/libjasper/jpc/jpc_mqenc.c -+++ src/libjasper/jpc/jpc_mqenc.c -@@ -197,7 +197,7 @@ - mqenc->maxctxs = maxctxs; - - /* Allocate memory for the per-context state information. 
*/ -- if (!(mqenc->ctxs = jas_malloc(mqenc->maxctxs * sizeof(jpc_mqstate_t *)))) { -+ if (!(mqenc->ctxs = jas_alloc2(mqenc->maxctxs, sizeof(jpc_mqstate_t *)))) { - goto error; - } - ---- src/libjasper/jpc/jpc_qmfb.c -+++ src/libjasper/jpc/jpc_qmfb.c -@@ -321,7 +321,7 @@ - #if !defined(HAVE_VLA) - /* Get a buffer. */ - if (bufsize > QMFB_SPLITBUFSIZE) { -- if (!(buf = jas_malloc(bufsize * sizeof(jpc_fix_t)))) { -+ if (!(buf = jas_alloc2(bufsize, sizeof(jpc_fix_t)))) { - /* We have no choice but to commit suicide in this case. */ - abort(); - } -@@ -389,7 +389,7 @@ - #if !defined(HAVE_VLA) - /* Get a buffer. */ - if (bufsize > QMFB_SPLITBUFSIZE) { -- if (!(buf = jas_malloc(bufsize * sizeof(jpc_fix_t)))) { -+ if (!(buf = jas_alloc2(bufsize, sizeof(jpc_fix_t)))) { - /* We have no choice but to commit suicide in this case. */ - abort(); - } -@@ -460,7 +460,7 @@ - #if !defined(HAVE_VLA) - /* Get a buffer. */ - if (bufsize > QMFB_SPLITBUFSIZE) { -- if (!(buf = jas_malloc(bufsize * sizeof(jpc_fix_t)))) { -+ if (!(buf = jas_alloc2(bufsize, sizeof(jpc_fix_t)))) { - /* We have no choice but to commit suicide in this case. */ - abort(); - } -@@ -549,7 +549,7 @@ - #if !defined(HAVE_VLA) - /* Get a buffer. */ - if (bufsize > QMFB_SPLITBUFSIZE) { -- if (!(buf = jas_malloc(bufsize * sizeof(jpc_fix_t)))) { -+ if (!(buf = jas_alloc2(bufsize, sizeof(jpc_fix_t)))) { - /* We have no choice but to commit suicide in this case. */ - abort(); - } -@@ -633,7 +633,7 @@ - #if !defined(HAVE_VLA) - /* Allocate memory for the join buffer from the heap. */ - if (bufsize > QMFB_JOINBUFSIZE) { -- if (!(buf = jas_malloc(bufsize * sizeof(jpc_fix_t)))) { -+ if (!(buf = jas_alloc2(bufsize, sizeof(jpc_fix_t)))) { - /* We have no choice but to commit suicide. */ - abort(); - } -@@ -698,7 +698,7 @@ - #if !defined(HAVE_VLA) - /* Allocate memory for the join buffer from the heap. 
*/ - if (bufsize > QMFB_JOINBUFSIZE) { -- if (!(buf = jas_malloc(bufsize * sizeof(jpc_fix_t)))) { -+ if (!(buf = jas_alloc2(bufsize, sizeof(jpc_fix_t)))) { - /* We have no choice but to commit suicide. */ - abort(); - } -@@ -766,7 +766,7 @@ - #if !defined(HAVE_VLA) - /* Allocate memory for the join buffer from the heap. */ - if (bufsize > QMFB_JOINBUFSIZE) { -- if (!(buf = jas_malloc(bufsize * JPC_QMFB_COLGRPSIZE * sizeof(jpc_fix_t)))) { -+ if (!(buf = jas_alloc2(bufsize, JPC_QMFB_COLGRPSIZE * sizeof(jpc_fix_t)))) { - /* We have no choice but to commit suicide. */ - abort(); - } -@@ -852,7 +852,7 @@ - #if !defined(HAVE_VLA) - /* Allocate memory for the join buffer from the heap. */ - if (bufsize > QMFB_JOINBUFSIZE) { -- if (!(buf = jas_malloc(bufsize * numcols * sizeof(jpc_fix_t)))) { -+ if (!(buf = jas_alloc3(bufsize, numcols, sizeof(jpc_fix_t)))) { - /* We have no choice but to commit suicide. */ - abort(); - } ---- src/libjasper/jpc/jpc_t1enc.c -+++ src/libjasper/jpc/jpc_t1enc.c -@@ -219,7 +219,7 @@ - - cblk->numpasses = (cblk->numbps > 0) ? 
(3 * cblk->numbps - 2) : 0; - if (cblk->numpasses > 0) { -- cblk->passes = jas_malloc(cblk->numpasses * sizeof(jpc_enc_pass_t)); -+ cblk->passes = jas_alloc2(cblk->numpasses, sizeof(jpc_enc_pass_t)); - assert(cblk->passes); - } else { - cblk->passes = 0; ---- src/libjasper/jpc/jpc_t2cod.c -+++ src/libjasper/jpc/jpc_t2cod.c -@@ -573,7 +573,7 @@ - } - if (pchglist->numpchgs >= pchglist->maxpchgs) { - newmaxpchgs = pchglist->maxpchgs + 128; -- if (!(newpchgs = jas_realloc(pchglist->pchgs, newmaxpchgs * sizeof(jpc_pchg_t *)))) { -+ if (!(newpchgs = jas_realloc2(pchglist->pchgs, newmaxpchgs, sizeof(jpc_pchg_t *)))) { - return -1; - } - pchglist->maxpchgs = newmaxpchgs; ---- src/libjasper/jpc/jpc_t2dec.c -+++ src/libjasper/jpc/jpc_t2dec.c -@@ -478,7 +478,7 @@ - return 0; - } - pi->numcomps = dec->numcomps; -- if (!(pi->picomps = jas_malloc(pi->numcomps * sizeof(jpc_picomp_t)))) { -+ if (!(pi->picomps = jas_alloc2(pi->numcomps, sizeof(jpc_picomp_t)))) { - jpc_pi_destroy(pi); - return 0; - } -@@ -490,7 +490,7 @@ - for (compno = 0, tcomp = tile->tcomps, picomp = pi->picomps; - compno < pi->numcomps; ++compno, ++tcomp, ++picomp) { - picomp->numrlvls = tcomp->numrlvls; -- if (!(picomp->pirlvls = jas_malloc(picomp->numrlvls * -+ if (!(picomp->pirlvls = jas_alloc2(picomp->numrlvls, - sizeof(jpc_pirlvl_t)))) { - jpc_pi_destroy(pi); - return 0; -@@ -503,7 +503,7 @@ - rlvlno < picomp->numrlvls; ++rlvlno, ++pirlvl, ++rlvl) { - /* XXX sizeof(long) should be sizeof different type */ - pirlvl->numprcs = rlvl->numprcs; -- if (!(pirlvl->prclyrnos = jas_malloc(pirlvl->numprcs * -+ if (!(pirlvl->prclyrnos = jas_alloc2(pirlvl->numprcs, - sizeof(long)))) { - jpc_pi_destroy(pi); - return 0; ---- src/libjasper/jpc/jpc_t2enc.c -+++ src/libjasper/jpc/jpc_t2enc.c -@@ -565,7 +565,7 @@ - } - pi->pktno = -1; - pi->numcomps = cp->numcmpts; -- if (!(pi->picomps = jas_malloc(pi->numcomps * sizeof(jpc_picomp_t)))) { -+ if (!(pi->picomps = jas_alloc2(pi->numcomps, sizeof(jpc_picomp_t)))) { - 
jpc_pi_destroy(pi); - return 0; - } -@@ -577,7 +577,7 @@ - for (compno = 0, tcomp = tile->tcmpts, picomp = pi->picomps; - compno < pi->numcomps; ++compno, ++tcomp, ++picomp) { - picomp->numrlvls = tcomp->numrlvls; -- if (!(picomp->pirlvls = jas_malloc(picomp->numrlvls * -+ if (!(picomp->pirlvls = jas_alloc2(picomp->numrlvls, - sizeof(jpc_pirlvl_t)))) { - jpc_pi_destroy(pi); - return 0; -@@ -591,7 +591,7 @@ - /* XXX sizeof(long) should be sizeof different type */ - pirlvl->numprcs = rlvl->numprcs; - if (rlvl->numprcs) { -- if (!(pirlvl->prclyrnos = jas_malloc(pirlvl->numprcs * -+ if (!(pirlvl->prclyrnos = jas_alloc2(pirlvl->numprcs, - sizeof(long)))) { - jpc_pi_destroy(pi); - return 0; ---- src/libjasper/jpc/jpc_tagtree.c -+++ src/libjasper/jpc/jpc_tagtree.c -@@ -125,7 +125,7 @@ - ++numlvls; - } while (n > 1); - -- if (!(tree->nodes_ = jas_malloc(tree->numnodes_ * sizeof(jpc_tagtreenode_t)))) { -+ if (!(tree->nodes_ = jas_alloc2(tree->numnodes_, sizeof(jpc_tagtreenode_t)))) { - return 0; - } - ---- src/libjasper/jpc/jpc_util.c -+++ src/libjasper/jpc/jpc_util.c -@@ -109,7 +109,7 @@ - } - - if (n) { -- if (!(vs = jas_malloc(n * sizeof(double)))) { -+ if (!(vs = jas_alloc2(n, sizeof(double)))) { - return -1; - } - ---- src/libjasper/mif/mif_cod.c -+++ src/libjasper/mif/mif_cod.c -@@ -438,8 +438,7 @@ - int cmptno; - mif_cmpt_t **newcmpts; - assert(maxcmpts >= hdr->numcmpts); -- newcmpts = (!hdr->cmpts) ? jas_malloc(maxcmpts * sizeof(mif_cmpt_t *)) : -- jas_realloc(hdr->cmpts, maxcmpts * sizeof(mif_cmpt_t *)); -+ newcmpts = jas_realloc2(hdr->cmpts, maxcmpts, sizeof(mif_cmpt_t *)); - if (!newcmpts) { - return -1; - } ---- src/libjasper/pnm/pnm_enc.c -+++ src/libjasper/pnm/pnm_enc.c -@@ -374,7 +374,7 @@ - } - } - } else { -- n = sprintf(buf, "%s%ld", ((!(!x && !cmptno)) ? " " : ""), -+ n = snprintf(buf, sizeof buf, "%s%ld", ((!(!x && !cmptno)) ? " " : ""), - (long) v); - if (linelen > 0 && linelen + n > PNM_MAXLINELEN) { - jas_stream_printf(out, "\n"); 
diff --git a/source/xlib/jasper/CVE-2011-4516-4517.patch b/source/xlib/jasper/CVE-2011-4516-4517.patch
deleted file mode 100644
index 774a062..0000000
--- a/source/xlib/jasper/CVE-2011-4516-4517.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-Description: Fix for CVE-2011-4516 and CVE-2011-4517
- This patch fixes a possible denial of service and code execution via
- heap-based buffer overflows.
-Author: Michael Gilbert <[email protected]>
-Origin: Patch thanks to Red Hat
-Bug-Debian: http://bugs.debian.org/652649
-
-Index: jasper-1.900.1/src/libjasper/jpc/jpc_cs.c
-===================================================================
---- jasper-1.900.1.orig/src/libjasper/jpc/jpc_cs.c 2011-12-19 09:35:34.186909298 -0500
-+++ jasper-1.900.1/src/libjasper/jpc/jpc_cs.c 2011-12-19 09:35:51.198909832 -0500
-@@ -744,6 +744,10 @@
- return -1;
- }
- compparms->numrlvls = compparms->numdlvls + 1;
-+ if (compparms->numrlvls > JPC_MAXRLVLS) {
-+ jpc_cox_destroycompparms(compparms);
-+ return -1;
-+ }
- if (prtflag) {
- for (i = 0; i < compparms->numrlvls; ++i) {
- if (jpc_getuint8(in, &tmp)) {
-@@ -1331,7 +1335,7 @@
- jpc_crgcomp_t *comp;
- uint_fast16_t compno;
- crg->numcomps = cstate->numcomps;
-- if (!(crg->comps = jas_alloc2(cstate->numcomps, sizeof(uint_fast16_t)))) {
-+ if (!(crg->comps = jas_alloc2(cstate->numcomps, sizeof(jpc_crgcomp_t)))) {
- return -1;
- }
- for (compno = 0, comp = crg->comps; compno < cstate->numcomps;
diff --git a/source/xlib/jasper/CVE-2014-8137.patch b/source/xlib/jasper/CVE-2014-8137.patch
deleted file mode 100644
index 4822a4e..0000000
--- a/source/xlib/jasper/CVE-2014-8137.patch
+++ /dev/null
@@ -1,66 +0,0 @@
-Description: CVE-2014-8137: double-free in in jas_iccattrval_destroy()
-Origin: vendor, https://bugzilla.redhat.com/attachment.cgi?id=967283,
- https://bugzilla.redhat.com/attachment.cgi?id=967284
-Bug-Debian: https://bugs.debian.org/773463
-Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1173157
-Forwarded: no
-Author: Tomas Hoger <[email protected]>
-Last-Update: 2014-12-20
-
---- a/src/libjasper/base/jas_icc.c
-+++ b/src/libjasper/base/jas_icc.c
-@@ -1010,7 +1010,6 @@ static int jas_icccurv_input(jas_iccattr
- return 0;
-
- error:
-- jas_icccurv_destroy(attrval);
- return -1;
- }
-
-@@ -1128,7 +1127,6 @@ static int jas_icctxtdesc_input(jas_icca
- #endif
- return 0;
- error:
-- jas_icctxtdesc_destroy(attrval);
- return -1;
- }
-
-@@ -1207,8 +1205,6 @@ static int jas_icctxt_input(jas_iccattrv
- goto error;
- return 0;
- error:
-- if (txt->string)
-- jas_free(txt->string);
- return -1;
- }
-
-@@ -1329,7 +1325,6 @@ static int jas_icclut8_input(jas_iccattr
- goto error;
- return 0;
- error:
-- jas_icclut8_destroy(attrval);
- return -1;
- }
-
-@@ -1498,7 +1493,6 @@ static int jas_icclut16_input(jas_iccatt
- goto error;
- return 0;
- error:
-- jas_icclut16_destroy(attrval);
- return -1;
- }
-
---- a/src/libjasper/jp2/jp2_dec.c
-+++ b/src/libjasper/jp2/jp2_dec.c
-@@ -291,7 +291,10 @@ jas_image_t *jp2_decode(jas_stream_t *in
- case JP2_COLR_ICC:
- iccprof = jas_iccprof_createfrombuf(dec->colr->data.colr.iccp,
- dec->colr->data.colr.iccplen);
-- assert(iccprof);
-+ if (!iccprof) {
-+ jas_eprintf("error: failed to parse ICC profile\n");
-+ goto error;
-+ }
- jas_iccprof_gethdr(iccprof, &icchdr);
- jas_eprintf("ICC Profile CS %08x\n", icchdr.colorspc);
- jas_image_setclrspc(dec->image, fromiccpcs(icchdr.colorspc));
diff --git a/source/xlib/jasper/CVE-2014-8138.patch b/source/xlib/jasper/CVE-2014-8138.patch
deleted file mode 100644
index 8223c45..0000000
--- a/source/xlib/jasper/CVE-2014-8138.patch
+++ /dev/null
@@ -1,22 +0,0 @@
-Description: CVE-2014-8138: heap overflow in jp2_decode()
-Origin: vendor, https://bugzilla.redhat.com/attachment.cgi?id=967280
-Bug-Debian: https://bugs.debian.org/773463
-Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1173162
-Forwarded: no
-Author: Tomas Hoger <[email protected]>
-Last-Update: 2014-12-20
-
---- a/src/libjasper/jp2/jp2_dec.c
-+++ b/src/libjasper/jp2/jp2_dec.c
-@@ -389,6 +389,11 @@ jas_image_t *jp2_decode(jas_stream_t *in
- /* Determine the type of each component. */
- if (dec->cdef) {
- for (i = 0; i < dec->numchans; ++i) {
-+ /* Is the channel number reasonable? */
-+ if (dec->cdef->data.cdef.ents[i].channo >= dec->numchans) {
-+ jas_eprintf("error: invalid channel number in CDEF box\n");
-+ goto error;
-+ }
- jas_image_setcmpttype(dec->image,
- dec->chantocmptlut[dec->cdef->data.cdef.ents[i].channo],
- jp2_getct(jas_image_clrspc(dec->image),
diff --git a/source/xlib/jasper/CVE-2014-8157.patch b/source/xlib/jasper/CVE-2014-8157.patch
deleted file mode 100644
index 16d46b6..0000000
--- a/source/xlib/jasper/CVE-2014-8157.patch
+++ /dev/null
@@ -1,17 +0,0 @@
-Description: fix denial of service or code execution via off-by-one
-Origin: vendor, http://pkgs.fedoraproject.org/cgit/jasper.git/tree/jasper-CVE-2014-8157.patch
-Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1179282
-Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=775970
-
-diff -up jasper-1.900.1/src/libjasper/jpc/jpc_dec.c.CVE-2014-8157 jasper-1.900.1/src/libjasper/jpc/jpc_dec.c
---- jasper-1.900.1/src/libjasper/jpc/jpc_dec.c.CVE-2014-8157 2015-01-19 16:59:36.000000000 +0100
-+++ jasper-1.900.1/src/libjasper/jpc/jpc_dec.c 2015-01-19 17:07:41.609863268 +0100
-@@ -489,7 +489,7 @@ static int jpc_dec_process_sot(jpc_dec_t
- dec->curtileendoff = 0;
- }
-
-- if (JAS_CAST(int, sot->tileno) > dec->numtiles) {
-+ if (JAS_CAST(int, sot->tileno) >= dec->numtiles) {
- jas_eprintf("invalid tile number in SOT marker segment\n");
- return -1;
- }
diff --git a/source/xlib/jasper/CVE-2014-8158.patch b/source/xlib/jasper/CVE-2014-8158.patch
deleted file mode 100644
index 9525e01..0000000
--- a/source/xlib/jasper/CVE-2014-8158.patch
+++ /dev/null
@@ -1,334 +0,0 @@ -Description: fix denial of service or code execution via memory corruption -Origin: vendor, http://pkgs.fedoraproject.org/cgit/jasper.git/tree/jasper-CVE-2014-8158.patch -Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1179298 -Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=775970 - -diff -up jasper-1.900.1/src/libjasper/jpc/jpc_qmfb.c.CVE-2014-8158 jasper-1.900.1/src/libjasper/jpc/jpc_qmfb.c ---- jasper-1.900.1/src/libjasper/jpc/jpc_qmfb.c.CVE-2014-8158 2015-01-19 17:25:28.730195502 +0100 -+++ jasper-1.900.1/src/libjasper/jpc/jpc_qmfb.c 2015-01-19 17:27:20.214663127 +0100 -@@ -306,11 +306,7 @@ void jpc_qmfb_split_row(jpc_fix_t *a, in - { - - int bufsize = JPC_CEILDIVPOW2(numcols, 1); --#if !defined(HAVE_VLA) - jpc_fix_t splitbuf[QMFB_SPLITBUFSIZE]; --#else -- jpc_fix_t splitbuf[bufsize]; --#endif - jpc_fix_t *buf = splitbuf; - register jpc_fix_t *srcptr; - register jpc_fix_t *dstptr; -@@ -318,7 +314,6 @@ void jpc_qmfb_split_row(jpc_fix_t *a, in - register int m; - int hstartcol; - --#if !defined(HAVE_VLA) - /* Get a buffer. */ - if (bufsize > QMFB_SPLITBUFSIZE) { - if (!(buf = jas_alloc2(bufsize, sizeof(jpc_fix_t)))) { -@@ -326,7 +321,6 @@ void jpc_qmfb_split_row(jpc_fix_t *a, in - abort(); - } - } --#endif - - if (numcols >= 2) { - hstartcol = (numcols + 1 - parity) >> 1; -@@ -360,12 +354,10 @@ void jpc_qmfb_split_row(jpc_fix_t *a, in - } - } - --#if !defined(HAVE_VLA) - /* If the split buffer was allocated on the heap, free this memory. 
*/ - if (buf != splitbuf) { - jas_free(buf); - } --#endif - - } - -@@ -374,11 +366,7 @@ void jpc_qmfb_split_col(jpc_fix_t *a, in - { - - int bufsize = JPC_CEILDIVPOW2(numrows, 1); --#if !defined(HAVE_VLA) - jpc_fix_t splitbuf[QMFB_SPLITBUFSIZE]; --#else -- jpc_fix_t splitbuf[bufsize]; --#endif - jpc_fix_t *buf = splitbuf; - register jpc_fix_t *srcptr; - register jpc_fix_t *dstptr; -@@ -386,7 +374,6 @@ void jpc_qmfb_split_col(jpc_fix_t *a, in - register int m; - int hstartcol; - --#if !defined(HAVE_VLA) - /* Get a buffer. */ - if (bufsize > QMFB_SPLITBUFSIZE) { - if (!(buf = jas_alloc2(bufsize, sizeof(jpc_fix_t)))) { -@@ -394,7 +381,6 @@ void jpc_qmfb_split_col(jpc_fix_t *a, in - abort(); - } - } --#endif - - if (numrows >= 2) { - hstartcol = (numrows + 1 - parity) >> 1; -@@ -428,12 +414,10 @@ void jpc_qmfb_split_col(jpc_fix_t *a, in - } - } - --#if !defined(HAVE_VLA) - /* If the split buffer was allocated on the heap, free this memory. */ - if (buf != splitbuf) { - jas_free(buf); - } --#endif - - } - -@@ -442,11 +426,7 @@ void jpc_qmfb_split_colgrp(jpc_fix_t *a, - { - - int bufsize = JPC_CEILDIVPOW2(numrows, 1); --#if !defined(HAVE_VLA) - jpc_fix_t splitbuf[QMFB_SPLITBUFSIZE * JPC_QMFB_COLGRPSIZE]; --#else -- jpc_fix_t splitbuf[bufsize * JPC_QMFB_COLGRPSIZE]; --#endif - jpc_fix_t *buf = splitbuf; - jpc_fix_t *srcptr; - jpc_fix_t *dstptr; -@@ -457,7 +437,6 @@ void jpc_qmfb_split_colgrp(jpc_fix_t *a, - int m; - int hstartcol; - --#if !defined(HAVE_VLA) - /* Get a buffer. */ - if (bufsize > QMFB_SPLITBUFSIZE) { - if (!(buf = jas_alloc2(bufsize, sizeof(jpc_fix_t)))) { -@@ -465,7 +444,6 @@ void jpc_qmfb_split_colgrp(jpc_fix_t *a, - abort(); - } - } --#endif - - if (numrows >= 2) { - hstartcol = (numrows + 1 - parity) >> 1; -@@ -517,12 +495,10 @@ void jpc_qmfb_split_colgrp(jpc_fix_t *a, - } - } - --#if !defined(HAVE_VLA) - /* If the split buffer was allocated on the heap, free this memory. 
*/ - if (buf != splitbuf) { - jas_free(buf); - } --#endif - - } - -@@ -531,11 +507,7 @@ void jpc_qmfb_split_colres(jpc_fix_t *a, - { - - int bufsize = JPC_CEILDIVPOW2(numrows, 1); --#if !defined(HAVE_VLA) - jpc_fix_t splitbuf[QMFB_SPLITBUFSIZE * JPC_QMFB_COLGRPSIZE]; --#else -- jpc_fix_t splitbuf[bufsize * numcols]; --#endif - jpc_fix_t *buf = splitbuf; - jpc_fix_t *srcptr; - jpc_fix_t *dstptr; -@@ -546,7 +518,6 @@ void jpc_qmfb_split_colres(jpc_fix_t *a, - int m; - int hstartcol; - --#if !defined(HAVE_VLA) - /* Get a buffer. */ - if (bufsize > QMFB_SPLITBUFSIZE) { - if (!(buf = jas_alloc2(bufsize, sizeof(jpc_fix_t)))) { -@@ -554,7 +525,6 @@ void jpc_qmfb_split_colres(jpc_fix_t *a, - abort(); - } - } --#endif - - if (numrows >= 2) { - hstartcol = (numrows + 1 - parity) >> 1; -@@ -606,12 +576,10 @@ void jpc_qmfb_split_colres(jpc_fix_t *a, - } - } - --#if !defined(HAVE_VLA) - /* If the split buffer was allocated on the heap, free this memory. */ - if (buf != splitbuf) { - jas_free(buf); - } --#endif - - } - -@@ -619,18 +587,13 @@ void jpc_qmfb_join_row(jpc_fix_t *a, int - { - - int bufsize = JPC_CEILDIVPOW2(numcols, 1); --#if !defined(HAVE_VLA) - jpc_fix_t joinbuf[QMFB_JOINBUFSIZE]; --#else -- jpc_fix_t joinbuf[bufsize]; --#endif - jpc_fix_t *buf = joinbuf; - register jpc_fix_t *srcptr; - register jpc_fix_t *dstptr; - register int n; - int hstartcol; - --#if !defined(HAVE_VLA) - /* Allocate memory for the join buffer from the heap. */ - if (bufsize > QMFB_JOINBUFSIZE) { - if (!(buf = jas_alloc2(bufsize, sizeof(jpc_fix_t)))) { -@@ -638,7 +601,6 @@ void jpc_qmfb_join_row(jpc_fix_t *a, int - abort(); - } - } --#endif - - hstartcol = (numcols + 1 - parity) >> 1; - -@@ -670,12 +632,10 @@ void jpc_qmfb_join_row(jpc_fix_t *a, int - ++srcptr; - } - --#if !defined(HAVE_VLA) - /* If the join buffer was allocated on the heap, free this memory. 
*/ - if (buf != joinbuf) { - jas_free(buf); - } --#endif - - } - -@@ -684,18 +644,13 @@ void jpc_qmfb_join_col(jpc_fix_t *a, int - { - - int bufsize = JPC_CEILDIVPOW2(numrows, 1); --#if !defined(HAVE_VLA) - jpc_fix_t joinbuf[QMFB_JOINBUFSIZE]; --#else -- jpc_fix_t joinbuf[bufsize]; --#endif - jpc_fix_t *buf = joinbuf; - register jpc_fix_t *srcptr; - register jpc_fix_t *dstptr; - register int n; - int hstartcol; - --#if !defined(HAVE_VLA) - /* Allocate memory for the join buffer from the heap. */ - if (bufsize > QMFB_JOINBUFSIZE) { - if (!(buf = jas_alloc2(bufsize, sizeof(jpc_fix_t)))) { -@@ -703,7 +658,6 @@ void jpc_qmfb_join_col(jpc_fix_t *a, int - abort(); - } - } --#endif - - hstartcol = (numrows + 1 - parity) >> 1; - -@@ -735,12 +689,10 @@ void jpc_qmfb_join_col(jpc_fix_t *a, int - ++srcptr; - } - --#if !defined(HAVE_VLA) - /* If the join buffer was allocated on the heap, free this memory. */ - if (buf != joinbuf) { - jas_free(buf); - } --#endif - - } - -@@ -749,11 +701,7 @@ void jpc_qmfb_join_colgrp(jpc_fix_t *a, - { - - int bufsize = JPC_CEILDIVPOW2(numrows, 1); --#if !defined(HAVE_VLA) - jpc_fix_t joinbuf[QMFB_JOINBUFSIZE * JPC_QMFB_COLGRPSIZE]; --#else -- jpc_fix_t joinbuf[bufsize * JPC_QMFB_COLGRPSIZE]; --#endif - jpc_fix_t *buf = joinbuf; - jpc_fix_t *srcptr; - jpc_fix_t *dstptr; -@@ -763,7 +711,6 @@ void jpc_qmfb_join_colgrp(jpc_fix_t *a, - register int i; - int hstartcol; - --#if !defined(HAVE_VLA) - /* Allocate memory for the join buffer from the heap. */ - if (bufsize > QMFB_JOINBUFSIZE) { - if (!(buf = jas_alloc2(bufsize, JPC_QMFB_COLGRPSIZE * sizeof(jpc_fix_t)))) { -@@ -771,7 +718,6 @@ void jpc_qmfb_join_colgrp(jpc_fix_t *a, - abort(); - } - } --#endif - - hstartcol = (numrows + 1 - parity) >> 1; - -@@ -821,12 +767,10 @@ void jpc_qmfb_join_colgrp(jpc_fix_t *a, - srcptr += JPC_QMFB_COLGRPSIZE; - } - --#if !defined(HAVE_VLA) - /* If the join buffer was allocated on the heap, free this memory. 
*/ - if (buf != joinbuf) { - jas_free(buf); - } --#endif - - } - -@@ -835,11 +779,7 @@ void jpc_qmfb_join_colres(jpc_fix_t *a, - { - - int bufsize = JPC_CEILDIVPOW2(numrows, 1); --#if !defined(HAVE_VLA) - jpc_fix_t joinbuf[QMFB_JOINBUFSIZE * JPC_QMFB_COLGRPSIZE]; --#else -- jpc_fix_t joinbuf[bufsize * numcols]; --#endif - jpc_fix_t *buf = joinbuf; - jpc_fix_t *srcptr; - jpc_fix_t *dstptr; -@@ -849,7 +789,6 @@ void jpc_qmfb_join_colres(jpc_fix_t *a, - register int i; - int hstartcol; - --#if !defined(HAVE_VLA) - /* Allocate memory for the join buffer from the heap. */ - if (bufsize > QMFB_JOINBUFSIZE) { - if (!(buf = jas_alloc3(bufsize, numcols, sizeof(jpc_fix_t)))) { -@@ -857,7 +796,6 @@ void jpc_qmfb_join_colres(jpc_fix_t *a, - abort(); - } - } --#endif - - hstartcol = (numrows + 1 - parity) >> 1; - -@@ -907,12 +845,10 @@ void jpc_qmfb_join_colres(jpc_fix_t *a, - srcptr += numcols; - } - --#if !defined(HAVE_VLA) - /* If the join buffer was allocated on the heap, free this memory. */ - if (buf != joinbuf) { - jas_free(buf); - } --#endif - - } - diff --git a/source/xlib/jasper/CVE-2014-9029.patch b/source/xlib/jasper/CVE-2014-9029.patch deleted file mode 100644 index 80adb0d..0000000 --- a/source/xlib/jasper/CVE-2014-9029.patch +++ /dev/null 
@@ -1,36 +0,0 @@
-Description: CVE-2014-9029: Heap overflows in libjasper
-Origin: vendor
-Forwarded: no
-Author: Tomas Hoger <[email protected]>
-Reviewed-by: Salvatore Bonaccorso <[email protected]>
-Last-Update: 2014-11-28
-
---- a/src/libjasper/jpc/jpc_dec.c
-+++ b/src/libjasper/jpc/jpc_dec.c
-@@ -1280,7 +1280,7 @@ static int jpc_dec_process_coc(jpc_dec_t
- jpc_coc_t *coc = &ms->parms.coc;
- jpc_dec_tile_t *tile;
-
-- if (JAS_CAST(int, coc->compno) > dec->numcomps) {
-+ if (JAS_CAST(int, coc->compno) >= dec->numcomps) {
- jas_eprintf("invalid component number in COC marker segment\n");
- return -1;
- }
-@@ -1306,7 +1306,7 @@ static int jpc_dec_process_rgn(jpc_dec_t
- jpc_rgn_t *rgn = &ms->parms.rgn;
- jpc_dec_tile_t *tile;
-
-- if (JAS_CAST(int, rgn->compno) > dec->numcomps) {
-+ if (JAS_CAST(int, rgn->compno) >= dec->numcomps) {
- jas_eprintf("invalid component number in RGN marker segment\n");
- return -1;
- }
-@@ -1355,7 +1355,7 @@ static int jpc_dec_process_qcc(jpc_dec_t
- jpc_qcc_t *qcc = &ms->parms.qcc;
- jpc_dec_tile_t *tile;
-
-- if (JAS_CAST(int, qcc->compno) > dec->numcomps) {
-+ if (JAS_CAST(int, qcc->compno) >= dec->numcomps) {
- jas_eprintf("invalid component number in QCC marker segment\n");
- return -1;
- }
diff --git a/source/xlib/jasper/FrugalBuild b/source/xlib/jasper/FrugalBuild
index 2a85838..c5ecc6d 100644
--- a/source/xlib/jasper/FrugalBuild
+++ b/source/xlib/jasper/FrugalBuild
@@ -2,32 +2,18 @@
 # Maintainer: crazy <[email protected]>
 pkgname=jasper
-pkgver=1.900.1
-pkgrel=10
+pkgver=2.0.10
+pkgrel=1
 pkgdesc="Jasper is a implementation of the codec specified in the JPEG-2000 Part-1 standard."
-url="http://www.ece.uvic.ca/~mdadams/jasper/"
-up2date="lynx -dump http://www.ece.uvic.ca/~mdadams/jasper/|grep -m1 'jasper-\(.*\).zip'|sed 's/.*-\(.*\).z.*/\1/'"
-source=($url/software/$pkgname-$pkgver.zip jasper-stepsizes-overflow.diff \
- CVE-2008-3520.patch)
+url="http://www.ece.uvic.ca/~frodo/jasper"
+up2date="Flasttar $url"
+source=($url/software/jasper-$pkgver.tar.gz)
 depends=('libjpeg>=9a-2')
 makedepends=('unzip' 'libglu>=9.0.0-3' 'x11-protos' 'freeglut>=3.0.0-2')
 groups=('xlib')
 archs=("x86_64")
 Fconfopts+=" --enable-shared --disable-static"
-sha1sums=('9c5735f773922e580bf98c7c7dfda9bbed4c5191' \
- 'f298566fef08c8a589d072582112cd51c72c3983' \
- '1cbe124abc3c0dff101362f634c175e6a63892e7')
-
-# FSA fix ***
-source=(${source[@]} CVE-2011-4516-4517.patch CVE-2014-9029.patch CVE-2014-8137.patch
- CVE-2014-8138.patch CVE-2014-8157.patch CVE-2014-8158.patch)
-sha1sums=(${sha1sums[@]} '120ae721defcc4f2e713296e3d5c37d6a733d63f' \
- '099d96e2d5e1a23496af58b6c7968b28f1ff469b' \
- 'a4827ddcb64c30bc6e3c22023ef5d9c45bf37202' \
- '3f5f49e60010626651fb4484ac9dc576b42c64ed' \
- '7d97e10f8180040080996bab17c0e5ec177b4cc8' \
- '3e6d2b52f77e8fe4b3eb34c589cbe7871ce79dd0')
-# ***********
-
+sha1sums=('42518b05fd73242f8ee8047d2e35e0275a697a5f')
+Finclude cmake
 # optimization OK
diff --git a/source/xlib/jasper/jasper-stepsizes-overflow.diff b/source/xlib/jasper/jasper-stepsizes-overflow.diff
deleted file mode 100644
index 097559f..0000000
--- a/source/xlib/jasper/jasper-stepsizes-overflow.diff
+++ /dev/null
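Review bot: The `source=()` and `sha1sums=()` changes drop all eight patch files (the `CVE-2008-3520.patch` entry, `jasper-stepsizes-overflow.diff` and the whole `# FSA fix` block) in the same step as the bump to 2.0.10, and nothing in the new FrugalBuild records that the upstream release contains those fixes. Once that has been checked against the upstream sources, a comment above `source=` would keep the audit trail, for example `# CVE-2008-3520, CVE-2011-4516/4517, CVE-2014-8137/8138/8157/8158/9029: local patches dropped, fixed upstream`. Two context lines also look stale now that the source is a `.tar.gz` built through `Finclude cmake`: `'unzip'` in `makedepends`, and the configure-style `Fconfopts+=" --enable-shared --disable-static"`, which the cmake build presumably does not read. The tarball is still fetched over plain `http://` and pinned only by a SHA-1 sum, so the new checksum deserves an independent check before release.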
@@ -1,14 +0,0 @@ ---- jasper-1.900.1.orig/src/libjasper/jpc/jpc_cs.c 2007-01-19 22:43:07.000000000 +0100 -+++ jasper-1.900.1/src/libjasper/jpc/jpc_cs.c 2007-04-06 01:29:02.000000000 +0200 -@@ -982,7 +982,10 @@ static int jpc_qcx_getcompparms(jpc_qcxc - compparms->numstepsizes = (len - n) / 2; - break; - } -- if (compparms->numstepsizes > 0) { -+ if (compparms->numstepsizes > 3 * JPC_MAXRLVLS + 1) { -+ jpc_qcx_destroycompparms(compparms); -+ return -1; -+ } else if (compparms->numstepsizes > 0) { - compparms->stepsizes = jas_malloc(compparms->numstepsizes * - sizeof(uint_fast16_t)); - assert(compparms->stepsizes); _______________________________________________ Frugalware-git mailing list [email protected] http://frugalware.org/mailman/listinfo/frugalware-git
