authorNatanael Copa <ncopa@alpinelinux.org>2015-09-21 11:16:37 +0200
committerNatanael Copa <ncopa@alpinelinux.org>2015-09-21 09:26:19 +0000
commit6ed682fc456c44bcc9388dc0363d4102eb525974 (patch)
treea62b494d3e124e15d6dda03bd55efa50c212b590
parentb55f9424e2bdcaa678619a0eaf00343419d5cd16 (diff)
main/jasper: security fix for CVE-2015-5203
ref #4557 fixes #4558
-rw-r--r--main/jasper/APKBUILD12
-rw-r--r--main/jasper/CVE-2015-5203.patch198
2 files changed, 206 insertions, 4 deletions
diff --git a/main/jasper/APKBUILD b/main/jasper/APKBUILD
index 8073fa51e6..1622e8f86b 100644
--- a/main/jasper/APKBUILD
+++ b/main/jasper/APKBUILD
@@ -1,7 +1,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=jasper
pkgver=1.900.1
-pkgrel=10
+pkgrel=11
pkgdesc="A software-based implementation of the codec specified in the emerging JPEG-2000 Part-1 standard"
url="http://www.ece.uvic.ca/~mdadams/jasper/"
arch="all"
@@ -20,6 +20,7 @@ source="http://www.ece.uvic.ca/~mdadams/$pkgname/software/$pkgname-$pkgver.zip
CVE-2014-8157.patch
CVE-2014-8158.patch
CVE-2014-9029.patch
+ CVE-2015-5203.patch
"
_builddir="$srcdir"/$pkgname-$pkgver
@@ -71,7 +72,8 @@ f386c336808e8fc840c8a5cb7fcc5902 CVE-2014-8137.patch
1ec04bd2483a3ad2186b2178c237fd3b CVE-2014-8138.patch
1c55ee31d9ca88359abb0353b3f9d052 CVE-2014-8157.patch
7e1266068d32cc9ecb8b75b6b1174cc3 CVE-2014-8158.patch
-83fd587d569d6b4c7e49f67caaef9bf9 CVE-2014-9029.patch"
+83fd587d569d6b4c7e49f67caaef9bf9 CVE-2014-9029.patch
+78d55c9411bdca5250581a21b19a89c7 CVE-2015-5203.patch"
sha256sums="6b905a9c2aca2e275544212666eefc4eb44d95d0a57e4305457b407fe63f9494 jasper-1.900.1.zip
fca9c4bddc284d6c59845e5b80adfd670e79c945f166d9624b117c6db0c10492 jpc_dec.c.patch
e454f0fb1b994535ca02fa2468aa39ff153a78f3688db3808b6e953c44890e41 libjasper-stepsizes-overflow.patch
@@ -82,7 +84,8 @@ be19877bc67d843436288c85c17ab49917b1a3db7954b92f736f6cc3ca704756 jasper-1.900.1
597966eabef1eeb4155415352cee37492def0abb09349e1764ae92645f3a20c1 CVE-2014-8138.patch
60160f1eecb4cbfe7d8277e091333e9c1b4af7eeaccdfa3b539ac9658bb6a474 CVE-2014-8157.patch
1dce24d47bcfc599bde5fa625e8b9bfbd1c6c637e4358493276d8a96338ff8b7 CVE-2014-8158.patch
-a43747e7597a2a5108befd4acd31a582101a66096a752e61de853bc860d2a8e1 CVE-2014-9029.patch"
+a43747e7597a2a5108befd4acd31a582101a66096a752e61de853bc860d2a8e1 CVE-2014-9029.patch
+7c73cdcca60a7ddffe4d5fe010d3f200870a8719dda571f578e7f437b7c8d6d0 CVE-2015-5203.patch"
sha512sums="e3a3c803de848b50482f5bd693b1945197c6999285226c45b671855734d7bb2611fbe6f28cd8ba9c56a4ea59417795eba42d72516c9fec93b8fbaa21b8210cb6 jasper-1.900.1.zip
c449c0a405f589135b384bc284508bfdd2a29b7bb94b806b960ce72238aa5789cc11fa7d704463ebda9a1384d8d085c603180f7b419e25a91d304b447708b82c jpc_dec.c.patch
bafdd22b8214e2993c0a61c06c27b11b4eef68db2e9c6d8786dd54dfae92e685094b66ad6c899d19df9f0f85d3aa4fe35152dd773c5bd9a1e8453ccf8518c799 libjasper-stepsizes-overflow.patch
@@ -93,4 +96,5 @@ b689b8fdc3dfa7f7ffcb9d7e94c7eb8d11127adf55e2f67cb2311fe1495eb7a4a234e34bc5031505
ae9d1c85688f7711a5cd7765988e85c64bf5413dede80aa8c860caa505c079d6975410ccb3b0e18c65d84624226c5e12667bb7613a91e3856dab4f99483c2956 CVE-2014-8138.patch
44fc87f8a85a5c0b1f3669ca5ec139afcb8971f2d5bfd40ed95913dcf34fee4874301b580134ddca900091ef3cbfdd791b365a5c3ba74d0e8deb855b54322f68 CVE-2014-8157.patch
7f2f2a990ced181fd5755cc630a8c6d75e8172c926c08350505f6b8b5e8e1f8b0891b4603a4c43da35f913c079f2759975ee7ee1532ebb87f06d01c165299ecb CVE-2014-8158.patch
-20bac10654ea1b16d741bcc71ca91e484c4238cb285f551a19b1bac4c4cf8ec39bc33f8d3c42dbadd03e85eb667a8e286f208e9b20a5b39429bf8e4454bd9b16 CVE-2014-9029.patch"
+20bac10654ea1b16d741bcc71ca91e484c4238cb285f551a19b1bac4c4cf8ec39bc33f8d3c42dbadd03e85eb667a8e286f208e9b20a5b39429bf8e4454bd9b16 CVE-2014-9029.patch
+911c813308af2cf0697b462e70bcb888a9e9a61399cbd0a6911133c3edd69ac50ddd57523c139080578373bceda1aa23af8ca979668f911785037250c7afcca1 CVE-2015-5203.patch"
diff --git a/main/jasper/CVE-2015-5203.patch b/main/jasper/CVE-2015-5203.patch
new file mode 100644
index 0000000000..e60e61adc8
--- /dev/null
+++ b/main/jasper/CVE-2015-5203.patch
@@ -0,0 +1,198 @@
+From a0ad33bedb339e4f9f35f9637a976320ec81f508 Mon Sep 17 00:00:00 2001
+From: mancha <mancha1 AT zoho DOT com>
+Date: Mon, 17 Aug 2015
+Subject: CVE-2015-5203
+
+Prevent integer conversion errors.
+
+jasper is vulnerable to integer conversion errors that can be leveraged,
+via crafted input, to trigger faults such as double free's. This patch
+addresses that by using size_t for buffer sizes.
+
+---
+ src/libjasper/base/jas_stream.c | 10 +++++-----
+ src/libjasper/include/jasper/jas_stream.h | 8 ++++----
+ src/libjasper/jpc/jpc_qmfb.c | 16 ++++++++--------
+ src/libjasper/mif/mif_cod.c | 4 ++--
+ 4 files changed, 19 insertions(+), 19 deletions(-)
+
+--- a/src/libjasper/include/jasper/jas_stream.h
++++ b/src/libjasper/include/jasper/jas_stream.h
+@@ -215,7 +215,7 @@ typedef struct {
+ uchar *bufstart_;
+
+ /* The buffer size. */
+- int bufsize_;
++ size_t bufsize_;
+
+ /* The current position in the buffer. */
+ uchar *ptr_;
+@@ -267,7 +267,7 @@ typedef struct {
+ uchar *buf_;
+
+ /* The allocated size of the buffer for holding file data. */
+- int bufsize_;
++ size_t bufsize_;
+
+ /* The length of the file. */
+ int_fast32_t len_;
+@@ -291,7 +291,7 @@ typedef struct {
+ jas_stream_t *jas_stream_fopen(const char *filename, const char *mode);
+
+ /* Open a memory buffer as a stream. */
+-jas_stream_t *jas_stream_memopen(char *buf, int bufsize);
++jas_stream_t *jas_stream_memopen(char *buf, size_t bufsize);
+
+ /* Open a file descriptor as a stream. */
+ jas_stream_t *jas_stream_fdopen(int fd, const char *mode);
+@@ -366,7 +366,7 @@ int jas_stream_printf(jas_stream_t *stre
+ int jas_stream_puts(jas_stream_t *stream, const char *s);
+
+ /* Read a line of input from a stream. */
+-char *jas_stream_gets(jas_stream_t *stream, char *buf, int bufsize);
++char *jas_stream_gets(jas_stream_t *stream, char *buf, size_t bufsize);
+
+ /* Look at the next character to be read from a stream without actually
+ removing it from the stream. */
+--- a/src/libjasper/base/jas_stream.c
++++ b/src/libjasper/base/jas_stream.c
+@@ -99,7 +99,7 @@ static int jas_strtoopenmode(const char
+ static void jas_stream_destroy(jas_stream_t *stream);
+ static jas_stream_t *jas_stream_create(void);
+ static void jas_stream_initbuf(jas_stream_t *stream, int bufmode, char *buf,
+- int bufsize);
++ size_t bufsize);
+
+ static int mem_read(jas_stream_obj_t *obj, char *buf, int cnt);
+ static int mem_write(jas_stream_obj_t *obj, char *buf, int cnt);
+@@ -168,7 +168,7 @@ static jas_stream_t *jas_stream_create()
+ return stream;
+ }
+
+-jas_stream_t *jas_stream_memopen(char *buf, int bufsize)
++jas_stream_t *jas_stream_memopen(char *buf, size_t bufsize)
+ {
+ jas_stream_t *stream;
+ jas_stream_memobj_t *obj;
+@@ -570,7 +570,7 @@ int jas_stream_puts(jas_stream_t *stream
+ return 0;
+ }
+
+-char *jas_stream_gets(jas_stream_t *stream, char *buf, int bufsize)
++char *jas_stream_gets(jas_stream_t *stream, char *buf, size_t bufsize)
+ {
+ int c;
+ char *bufptr;
+@@ -694,7 +694,7 @@ long jas_stream_tell(jas_stream_t *strea
+ \******************************************************************************/
+
+ static void jas_stream_initbuf(jas_stream_t *stream, int bufmode, char *buf,
+- int bufsize)
++ size_t bufsize)
+ {
+ /* If this function is being called, the buffer should not have been
+ initialized yet. */
+@@ -987,7 +987,7 @@ static int mem_read(jas_stream_obj_t *ob
+ return cnt;
+ }
+
+-static int mem_resize(jas_stream_memobj_t *m, int bufsize)
++static int mem_resize(jas_stream_memobj_t *m, size_t bufsize)
+ {
+ unsigned char *buf;
+
+--- a/src/libjasper/mif/mif_cod.c
++++ b/src/libjasper/mif/mif_cod.c
+@@ -107,7 +107,7 @@ static int mif_hdr_put(mif_hdr_t *hdr, j
+ static int mif_hdr_addcmpt(mif_hdr_t *hdr, int cmptno, mif_cmpt_t *cmpt);
+ static mif_cmpt_t *mif_cmpt_create(void);
+ static void mif_cmpt_destroy(mif_cmpt_t *cmpt);
+-static char *mif_getline(jas_stream_t *jas_stream, char *buf, int bufsize);
++static char *mif_getline(jas_stream_t *jas_stream, char *buf, size_t bufsize);
+ static int mif_getc(jas_stream_t *in);
+ static mif_hdr_t *mif_makehdrfromimage(jas_image_t *image);
+
+@@ -658,7 +658,7 @@ static void mif_cmpt_destroy(mif_cmpt_t
+ * MIF parsing code.
+ \******************************************************************************/
+
+-static char *mif_getline(jas_stream_t *stream, char *buf, int bufsize)
++static char *mif_getline(jas_stream_t *stream, char *buf, size_t bufsize)
+ {
+ int c;
+ char *bufptr;
+
+--- ./src/libjasper/jpc/jpc_qmfb.c.orig
++++ ./src/libjasper/jpc/jpc_qmfb.c
+@@ -305,7 +305,7 @@
+ void jpc_qmfb_split_row(jpc_fix_t *a, int numcols, int parity)
+ {
+
+- int bufsize = JPC_CEILDIVPOW2(numcols, 1);
++ size_t bufsize = JPC_CEILDIVPOW2(numcols, 1);
+ jpc_fix_t splitbuf[QMFB_SPLITBUFSIZE];
+ jpc_fix_t *buf = splitbuf;
+ register jpc_fix_t *srcptr;
+@@ -365,7 +365,7 @@
+ int parity)
+ {
+
+- int bufsize = JPC_CEILDIVPOW2(numrows, 1);
++ size_t bufsize = JPC_CEILDIVPOW2(numrows, 1);
+ jpc_fix_t splitbuf[QMFB_SPLITBUFSIZE];
+ jpc_fix_t *buf = splitbuf;
+ register jpc_fix_t *srcptr;
+@@ -425,7 +425,7 @@
+ int parity)
+ {
+
+- int bufsize = JPC_CEILDIVPOW2(numrows, 1);
++ size_t bufsize = JPC_CEILDIVPOW2(numrows, 1);
+ jpc_fix_t splitbuf[QMFB_SPLITBUFSIZE * JPC_QMFB_COLGRPSIZE];
+ jpc_fix_t *buf = splitbuf;
+ jpc_fix_t *srcptr;
+@@ -506,7 +506,7 @@
+ int stride, int parity)
+ {
+
+- int bufsize = JPC_CEILDIVPOW2(numrows, 1);
++ size_t bufsize = JPC_CEILDIVPOW2(numrows, 1);
+ jpc_fix_t splitbuf[QMFB_SPLITBUFSIZE * JPC_QMFB_COLGRPSIZE];
+ jpc_fix_t *buf = splitbuf;
+ jpc_fix_t *srcptr;
+@@ -586,7 +586,7 @@
+ void jpc_qmfb_join_row(jpc_fix_t *a, int numcols, int parity)
+ {
+
+- int bufsize = JPC_CEILDIVPOW2(numcols, 1);
++ size_t bufsize = JPC_CEILDIVPOW2(numcols, 1);
+ jpc_fix_t joinbuf[QMFB_JOINBUFSIZE];
+ jpc_fix_t *buf = joinbuf;
+ register jpc_fix_t *srcptr;
+@@ -643,7 +643,7 @@
+ int parity)
+ {
+
+- int bufsize = JPC_CEILDIVPOW2(numrows, 1);
++ size_t bufsize = JPC_CEILDIVPOW2(numrows, 1);
+ jpc_fix_t joinbuf[QMFB_JOINBUFSIZE];
+ jpc_fix_t *buf = joinbuf;
+ register jpc_fix_t *srcptr;
+@@ -700,7 +700,7 @@
+ int parity)
+ {
+
+- int bufsize = JPC_CEILDIVPOW2(numrows, 1);
++ size_t bufsize = JPC_CEILDIVPOW2(numrows, 1);
+ jpc_fix_t joinbuf[QMFB_JOINBUFSIZE * JPC_QMFB_COLGRPSIZE];
+ jpc_fix_t *buf = joinbuf;
+ jpc_fix_t *srcptr;
+@@ -778,7 +778,7 @@
+ int stride, int parity)
+ {
+
+- int bufsize = JPC_CEILDIVPOW2(numrows, 1);
++ size_t bufsize = JPC_CEILDIVPOW2(numrows, 1);
+ jpc_fix_t joinbuf[QMFB_JOINBUFSIZE * JPC_QMFB_COLGRPSIZE];
+ jpc_fix_t *buf = joinbuf;
+ jpc_fix_t *srcptr;
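Review bot: In the jpc_qmfb.c part of the patch, all eight `size_t bufsize = JPC_CEILDIVPOW2(numcols, 1);` / `JPC_CEILDIVPOW2(numrows, 1)` initialisers still take their value from an `int` parameter, so a negative dimension is converted to a very large `size_t` rather than being rejected. The function bodies continue outside these hunks, so whether the later size comparison and allocation cope with such a value cannot be confirmed from here. I would add a precondition comment at each site, e.g. `/* numcols must be non-negative; it is converted to size_t below */`, and make sure the decoder rejects negative dimensions before these split/join routines are reached. The same signedness concern applies to the jas_stream changes: `bufsize_` is now unsigned while `len_` stays `int_fast32_t` and `mem_read`/`mem_write` keep `int cnt`, so any comparison between them in jas_stream.c becomes a mixed signed/unsigned comparison and should be audited. Callers that pass a non-positive `bufsize` to `jas_stream_memopen` should be checked as well.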