author | Natanael Copa <ncopa@alpinelinux.org> | 2015-09-21 11:07:13 +0200 |
---|---|---|
committer | Natanael Copa <ncopa@alpinelinux.org> | 2015-09-21 11:08:50 +0200 |
commit | 5cf21c2970ede23199084dd6a552640c4fe708f6 (patch) | |
tree | 89d91a10d34e32c87999df1b31bed4ebfcd99ef4 /main/jasper | |
parent | 4038b6160e7fb654fac60418fa095e966656796b (diff) | |
download | aports-5cf21c2970ede23199084dd6a552640c4fe708f6.tar.bz2 aports-5cf21c2970ede23199084dd6a552640c4fe708f6.tar.xz |
main/jasper: various security fixes
Diffstat (limited to 'main/jasper')
-rw-r--r-- | main/jasper/APKBUILD | 24 | ||||
-rw-r--r-- | main/jasper/CVE-2014-8137.patch | 57 | ||||
-rw-r--r-- | main/jasper/CVE-2014-8138.patch | 14 | ||||
-rw-r--r-- | main/jasper/CVE-2014-8157.patch | 12 | ||||
-rw-r--r-- | main/jasper/CVE-2014-8158.patch | 329 | ||||
-rw-r--r-- | main/jasper/CVE-2015-5203.patch | 94 |
6 files changed, 479 insertions, 51 deletions
diff --git a/main/jasper/APKBUILD b/main/jasper/APKBUILD
index 9a713a3e01..2ad1f9e21c 100644
--- a/main/jasper/APKBUILD
+++ b/main/jasper/APKBUILD
@@ -1,7 +1,7 @@
 # Maintainer: Natanael Copa <ncopa@alpinelinux.org>
 pkgname=jasper
 pkgver=1.900.1
-pkgrel=10
+pkgrel=11
 pkgdesc="A software-based implementation of the codec specified in the emerging JPEG-2000 Part-1 standard"
 url="http://www.ece.uvic.ca/~mdadams/jasper/"
 arch="all"
@@ -15,6 +15,10 @@ source="http://www.ece.uvic.ca/~mdadams/$pkgname/software/$pkgname-$pkgver.zip
 jasper-1.900.1-CVE-2008-3520.patch
 jasper-1.900.1-CVE-2008-3522.patch
 jasper-1.900.1-bnc725758.patch
+ CVE-2014-8137.patch
+ CVE-2014-8138.patch
+ CVE-2014-8157.patch
+ CVE-2014-8158.patch
 CVE-2014-9029.patch
 CVE-2015-5203.patch
 "
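Review bot: The new entries in `source=` depend on their order, and nothing in the file says so: the regenerated CVE-2015-5203.patch in this commit no longer carries the `#if !defined(HAVE_VLA)` context lines that CVE-2014-8158.patch removes, so it presumably applies only after that patch. A comment above `source=` would protect the order from a later re-sort, for example `# CVE-2015-5203.patch is generated on top of CVE-2014-8158.patch; keep this order`. The APKBUILD also does not record which CVEs are fixed as of pkgrel 11; a short comment block listing the five CVE ids against this release (Alpine's `# secfixes:` layout would fit) lets scanners and later maintainers map the package version to the fixes.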
@@ -63,21 +67,33 @@ md5sums="a342b2b4495b3e1394e161eb5d85d754 jasper-1.900.1.zip
 911bb13529483c093d12c15eed4e9243 jasper-1.900.1-CVE-2008-3520.patch
 ed441f30c4231f319d9ff77d86db2ef9 jasper-1.900.1-CVE-2008-3522.patch
 eaf73536f989e629a8c06533e4e6fad5 jasper-1.900.1-bnc725758.patch
+f386c336808e8fc840c8a5cb7fcc5902 CVE-2014-8137.patch
+1ec04bd2483a3ad2186b2178c237fd3b CVE-2014-8138.patch
+1c55ee31d9ca88359abb0353b3f9d052 CVE-2014-8157.patch
+7e1266068d32cc9ecb8b75b6b1174cc3 CVE-2014-8158.patch
 83fd587d569d6b4c7e49f67caaef9bf9 CVE-2014-9029.patch
-484df1eab8e50bcda1b6c1bdfc91339e CVE-2015-5203.patch"
+78d55c9411bdca5250581a21b19a89c7 CVE-2015-5203.patch"
 sha256sums="6b905a9c2aca2e275544212666eefc4eb44d95d0a57e4305457b407fe63f9494 jasper-1.900.1.zip
 fca9c4bddc284d6c59845e5b80adfd670e79c945f166d9624b117c6db0c10492 jpc_dec.c.patch
 e454f0fb1b994535ca02fa2468aa39ff153a78f3688db3808b6e953c44890e41 libjasper-stepsizes-overflow.patch
 02236060cae28be5ac46d90ca17ce2de17e975574dd761d9117994e69bdc38d6 jasper-1.900.1-CVE-2008-3520.patch
 b0272ce179ead3692942246523462db33c0f2a92bd9f9a117ff40e8ec963fbac jasper-1.900.1-CVE-2008-3522.patch
 be19877bc67d843436288c85c17ab49917b1a3db7954b92f736f6cc3ca704756 jasper-1.900.1-bnc725758.patch
+27350b9a72067e0325464b1e51f0fcab2701db26c918d82aac977dc345a02999 CVE-2014-8137.patch
+597966eabef1eeb4155415352cee37492def0abb09349e1764ae92645f3a20c1 CVE-2014-8138.patch
+60160f1eecb4cbfe7d8277e091333e9c1b4af7eeaccdfa3b539ac9658bb6a474 CVE-2014-8157.patch
+1dce24d47bcfc599bde5fa625e8b9bfbd1c6c637e4358493276d8a96338ff8b7 CVE-2014-8158.patch
 a43747e7597a2a5108befd4acd31a582101a66096a752e61de853bc860d2a8e1 CVE-2014-9029.patch
-6b89a3766e6c6bf3a6203a8936273020aa8bad994f86d203eea9c7441b11bf65 CVE-2015-5203.patch"
+7c73cdcca60a7ddffe4d5fe010d3f200870a8719dda571f578e7f437b7c8d6d0 CVE-2015-5203.patch"
 sha512sums="e3a3c803de848b50482f5bd693b1945197c6999285226c45b671855734d7bb2611fbe6f28cd8ba9c56a4ea59417795eba42d72516c9fec93b8fbaa21b8210cb6 jasper-1.900.1.zip
 c449c0a405f589135b384bc284508bfdd2a29b7bb94b806b960ce72238aa5789cc11fa7d704463ebda9a1384d8d085c603180f7b419e25a91d304b447708b82c jpc_dec.c.patch
 bafdd22b8214e2993c0a61c06c27b11b4eef68db2e9c6d8786dd54dfae92e685094b66ad6c899d19df9f0f85d3aa4fe35152dd773c5bd9a1e8453ccf8518c799 libjasper-stepsizes-overflow.patch
 d337207260b3ac7e40e92326d95364ef21128431235e6ef9e345a6c781f328fd3aaf0dbfb8c7dde2403ab0cfc89cda664c3f2fec673187589358fe58521e83a1 jasper-1.900.1-CVE-2008-3520.patch
 d686c26f1432b522f41948c7bd188f9b74c455671d5f30ab97144977b22d4e778e475fea6d8128b607218a061c50f2cc767e66413455805e8843c04d901f708d jasper-1.900.1-CVE-2008-3522.patch
 a83fe196d4305fea6f2265e1bcb64dd4841bf4355ca661c46841de44c9f642f995e13929111833f23f51168282d2da06c0544956edc3a863d13be2b584c1ad73 jasper-1.900.1-bnc725758.patch
+b689b8fdc3dfa7f7ffcb9d7e94c7eb8d11127adf55e2f67cb2311fe1495eb7a4a234e34bc50315059b85a257b083670a383a7cc751705fcacc49727c11152510 CVE-2014-8137.patch
+ae9d1c85688f7711a5cd7765988e85c64bf5413dede80aa8c860caa505c079d6975410ccb3b0e18c65d84624226c5e12667bb7613a91e3856dab4f99483c2956 CVE-2014-8138.patch
+44fc87f8a85a5c0b1f3669ca5ec139afcb8971f2d5bfd40ed95913dcf34fee4874301b580134ddca900091ef3cbfdd791b365a5c3ba74d0e8deb855b54322f68 CVE-2014-8157.patch
+7f2f2a990ced181fd5755cc630a8c6d75e8172c926c08350505f6b8b5e8e1f8b0891b4603a4c43da35f913c079f2759975ee7ee1532ebb87f06d01c165299ecb CVE-2014-8158.patch
 20bac10654ea1b16d741bcc71ca91e484c4238cb285f551a19b1bac4c4cf8ec39bc33f8d3c42dbadd03e85eb667a8e286f208e9b20a5b39429bf8e4454bd9b16 CVE-2014-9029.patch
-ccff9980c0e697877700e362cb865d454d8351d12c2b0459118aaedef5e1663fb3a4e2c042bb90a74c2b67237bb5723e6b181b073e223f71a3341d87531177b4 CVE-2015-5203.patch"
+911c813308af2cf0697b462e70bcb888a9e9a61399cbd0a6911133c3edd69ac50ddd57523c139080578373bceda1aa23af8ca979668f911785037250c7afcca1 CVE-2015-5203.patch"
diff --git a/main/jasper/CVE-2014-8137.patch b/main/jasper/CVE-2014-8137.patch
new file mode 100644
index 0000000000..9600cd3231
--- /dev/null
+++ b/main/jasper/CVE-2014-8137.patch
@@ -0,0 +1,57 @@
+--- jasper-1.900.1.orig/src/libjasper/base/jas_icc.c 2014-12-11 14:06:44.000000000 +0100
++++ jasper-1.900.1/src/libjasper/base/jas_icc.c 2014-12-11 15:16:37.971272386 +0100
+@@ -1009,7 +1009,6 @@ static int jas_icccurv_input(jas_iccattr
+ return 0;
+
+ error:
+- jas_icccurv_destroy(attrval);
+ return -1;
+ }
+
+@@ -1127,7 +1126,6 @@ static int jas_icctxtdesc_input(jas_icca
+ #endif
+ return 0;
+ error:
+- jas_icctxtdesc_destroy(attrval);
+ return -1;
+ }
+
+@@ -1206,8 +1204,6 @@ static int jas_icctxt_input(jas_iccattrv
+ goto error;
+ return 0;
+ error:
+- if (txt->string)
+- jas_free(txt->string);
+ return -1;
+ }
+
+@@ -1328,7 +1324,6 @@ static int jas_icclut8_input(jas_iccattr
+ goto error;
+ return 0;
+ error:
+- jas_icclut8_destroy(attrval);
+ return -1;
+ }
+
+@@ -1497,7 +1492,6 @@ static int jas_icclut16_input(jas_iccatt
+ goto error;
+ return 0;
+ error:
+- jas_icclut16_destroy(attrval);
+ return -1;
+ }
+
+--- jasper-1.900.1.orig/src/libjasper/jp2/jp2_dec.c 2014-12-11 14:30:54.193209780 +0100
++++ jasper-1.900.1/src/libjasper/jp2/jp2_dec.c 2014-12-11 14:36:46.313217814 +0100
+@@ -291,7 +291,10 @@ jas_image_t *jp2_decode(jas_stream_t *in
+ case JP2_COLR_ICC:
+ iccprof = jas_iccprof_createfrombuf(dec->colr->data.colr.iccp,
+ dec->colr->data.colr.iccplen);
+- assert(iccprof);
++ if (!iccprof) {
++ jas_eprintf("error: failed to parse ICC profile\n");
++ goto error;
++ }
+ jas_iccprof_gethdr(iccprof, &icchdr);
+ jas_eprintf("ICC Profile CS %08x\n", icchdr.colorspc);
+ jas_image_setclrspc(dec->image, fromiccpcs(icchdr.colorspc));
diff --git a/main/jasper/CVE-2014-8138.patch b/main/jasper/CVE-2014-8138.patch
new file mode 100644
index 0000000000..5aaf8abb1d
--- /dev/null
+++ b/main/jasper/CVE-2014-8138.patch
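Review bot: After this patch each `error:` label in the `jas_icc*_input` functions only does `return -1;`, so releasing a half-parsed attribute value is left entirely to the caller, which is outside the hunk; the patch file does not state that contract or where the patch came from. If the caller does not destroy `attrval` on failure, the removed `jas_free(txt->string)` and `*_destroy(attrval)` calls turn into leaks instead of double frees. I would add a short header to the patch naming its origin (`Origin: <upstream bug or commit URL>`, placeholder) and the ownership rule, e.g. `attrval is destroyed by the caller when an input function fails; the input functions must not free it`. The `jp2_decode` change that replaces `assert(iccprof)` with an error return looks right, since an assert is compiled out under NDEBUG and otherwise aborts on a malformed profile.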
@@ -0,0 +1,14 @@
+--- jasper-1.900.1.orig/src/libjasper/jp2/jp2_dec.c 2014-12-11 14:06:44.000000000 +0100
++++ jasper-1.900.1/src/libjasper/jp2/jp2_dec.c 2014-12-11 14:06:26.000000000 +0100
+@@ -386,6 +386,11 @@ jas_image_t *jp2_decode(jas_stream_t *in
+ /* Determine the type of each component. */
+ if (dec->cdef) {
+ for (i = 0; i < dec->numchans; ++i) {
++ /* Is the channel number reasonable? */
++ if (dec->cdef->data.cdef.ents[i].channo >= dec->numchans) {
++ jas_eprintf("error: invalid channel number in CDEF box\n");
++ goto error;
++ }
+ jas_image_setcmpttype(dec->image,
+ dec->chantocmptlut[dec->cdef->data.cdef.ents[i].channo],
+ jp2_getct(jas_image_clrspc(dec->image),
diff --git a/main/jasper/CVE-2014-8157.patch b/main/jasper/CVE-2014-8157.patch
new file mode 100644
index 0000000000..ebfc1b2d0f
--- /dev/null
+++ b/main/jasper/CVE-2014-8157.patch
@@ -0,0 +1,12 @@
+diff -up jasper-1.900.1/src/libjasper/jpc/jpc_dec.c.CVE-2014-8157 jasper-1.900.1/src/libjasper/jpc/jpc_dec.c
+--- jasper-1.900.1/src/libjasper/jpc/jpc_dec.c.CVE-2014-8157 2015-01-19 16:59:36.000000000 +0100
++++ jasper-1.900.1/src/libjasper/jpc/jpc_dec.c 2015-01-19 17:07:41.609863268 +0100
+@@ -489,7 +489,7 @@ static int jpc_dec_process_sot(jpc_dec_t
+ dec->curtileendoff = 0;
+ }
+
+- if (JAS_CAST(int, sot->tileno) > dec->numtiles) {
++ if (JAS_CAST(int, sot->tileno) >= dec->numtiles) {
+ jas_eprintf("invalid tile number in SOT marker segment\n");
+ return -1;
+ }
diff --git a/main/jasper/CVE-2014-8158.patch b/main/jasper/CVE-2014-8158.patch
new file mode 100644
index 0000000000..ce9e4b497f
--- /dev/null
+++ b/main/jasper/CVE-2014-8158.patch
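Review bot: The added check in CVE-2014-8138.patch bounds `channo` before it indexes `dec->chantocmptlut`, but the loop still reads `dec->cdef->data.cdef.ents[i]` for every `i < dec->numchans`, and nothing in the hunk shows that the CDEF box holds at least `dec->numchans` entries. If the box can declare fewer channels than the image has, `ents[i]` is read past its end before the new check runs. Bounding the loop by the box's own count would close that, e.g. `for (i = 0; i < dec->cdef->data.cdef.numchans; ++i) {` (field name as in jasper's `jp2_cdef_t`; confirm against the header). `jp2_decode` starts and ends outside the hunk, so an earlier validation of the entry count may exist.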
@@ -0,0 +1,329 @@
+diff -up jasper-1.900.1/src/libjasper/jpc/jpc_qmfb.c.CVE-2014-8158 jasper-1.900.1/src/libjasper/jpc/jpc_qmfb.c
+--- jasper-1.900.1/src/libjasper/jpc/jpc_qmfb.c.CVE-2014-8158 2015-01-19 17:25:28.730195502 +0100
++++ jasper-1.900.1/src/libjasper/jpc/jpc_qmfb.c 2015-01-19 17:27:20.214663127 +0100
+@@ -306,11 +306,7 @@ void jpc_qmfb_split_row(jpc_fix_t *a, in
+ {
+
+ int bufsize = JPC_CEILDIVPOW2(numcols, 1);
+-#if !defined(HAVE_VLA)
+ jpc_fix_t splitbuf[QMFB_SPLITBUFSIZE];
+-#else
+- jpc_fix_t splitbuf[bufsize];
+-#endif
+ jpc_fix_t *buf = splitbuf;
+ register jpc_fix_t *srcptr;
+ register jpc_fix_t *dstptr;
+@@ -318,7 +314,6 @@ void jpc_qmfb_split_row(jpc_fix_t *a, in
+ register int m;
+ int hstartcol;
+
+-#if !defined(HAVE_VLA)
+ /* Get a buffer. */
+ if (bufsize > QMFB_SPLITBUFSIZE) {
+ if (!(buf = jas_alloc2(bufsize, sizeof(jpc_fix_t)))) {
+@@ -326,7 +321,6 @@ void jpc_qmfb_split_row(jpc_fix_t *a, in
+ abort();
+ }
+ }
+-#endif
+
+ if (numcols >= 2) {
+ hstartcol = (numcols + 1 - parity) >> 1;
+@@ -360,12 +354,10 @@ void jpc_qmfb_split_row(jpc_fix_t *a, in
+ }
+ }
+
+-#if !defined(HAVE_VLA)
+ /* If the split buffer was allocated on the heap, free this memory. */
+ if (buf != splitbuf) {
+ jas_free(buf);
+ }
+-#endif
+
+ }
+
+@@ -374,11 +366,7 @@ void jpc_qmfb_split_col(jpc_fix_t *a, in
+ {
+
+ int bufsize = JPC_CEILDIVPOW2(numrows, 1);
+-#if !defined(HAVE_VLA)
+ jpc_fix_t splitbuf[QMFB_SPLITBUFSIZE];
+-#else
+- jpc_fix_t splitbuf[bufsize];
+-#endif
+ jpc_fix_t *buf = splitbuf;
+ register jpc_fix_t *srcptr;
+ register jpc_fix_t *dstptr;
+@@ -386,7 +374,6 @@ void jpc_qmfb_split_col(jpc_fix_t *a, in
+ register int m;
+ int hstartcol;
+
+-#if !defined(HAVE_VLA)
+ /* Get a buffer. */
+ if (bufsize > QMFB_SPLITBUFSIZE) {
+ if (!(buf = jas_alloc2(bufsize, sizeof(jpc_fix_t)))) {
+@@ -394,7 +381,6 @@ void jpc_qmfb_split_col(jpc_fix_t *a, in
+ abort();
+ }
+ }
+-#endif
+
+ if (numrows >= 2) {
+ hstartcol = (numrows + 1 - parity) >> 1;
+@@ -428,12 +414,10 @@ void jpc_qmfb_split_col(jpc_fix_t *a, in
+ }
+ }
+
+-#if !defined(HAVE_VLA)
+ /* If the split buffer was allocated on the heap, free this memory. */
+ if (buf != splitbuf) {
+ jas_free(buf);
+ }
+-#endif
+
+ }
+
+@@ -442,11 +426,7 @@ void jpc_qmfb_split_colgrp(jpc_fix_t *a,
+ {
+
+ int bufsize = JPC_CEILDIVPOW2(numrows, 1);
+-#if !defined(HAVE_VLA)
+ jpc_fix_t splitbuf[QMFB_SPLITBUFSIZE * JPC_QMFB_COLGRPSIZE];
+-#else
+- jpc_fix_t splitbuf[bufsize * JPC_QMFB_COLGRPSIZE];
+-#endif
+ jpc_fix_t *buf = splitbuf;
+ jpc_fix_t *srcptr;
+ jpc_fix_t *dstptr;
+@@ -457,7 +437,6 @@ void jpc_qmfb_split_colgrp(jpc_fix_t *a,
+ int m;
+ int hstartcol;
+
+-#if !defined(HAVE_VLA)
+ /* Get a buffer. */
+ if (bufsize > QMFB_SPLITBUFSIZE) {
+ if (!(buf = jas_alloc2(bufsize, sizeof(jpc_fix_t)))) {
+@@ -465,7 +444,6 @@ void jpc_qmfb_split_colgrp(jpc_fix_t *a,
+ abort();
+ }
+ }
+-#endif
+
+ if (numrows >= 2) {
+ hstartcol = (numrows + 1 - parity) >> 1;
+@@ -517,12 +495,10 @@ void jpc_qmfb_split_colgrp(jpc_fix_t *a,
+ }
+ }
+
+-#if !defined(HAVE_VLA)
+ /* If the split buffer was allocated on the heap, free this memory. */
+ if (buf != splitbuf) {
+ jas_free(buf);
+ }
+-#endif
+
+ }
+
+@@ -531,11 +507,7 @@ void jpc_qmfb_split_colres(jpc_fix_t *a,
+ {
+
+ int bufsize = JPC_CEILDIVPOW2(numrows, 1);
+-#if !defined(HAVE_VLA)
+ jpc_fix_t splitbuf[QMFB_SPLITBUFSIZE * JPC_QMFB_COLGRPSIZE];
+-#else
+- jpc_fix_t splitbuf[bufsize * numcols];
+-#endif
+ jpc_fix_t *buf = splitbuf;
+ jpc_fix_t *srcptr;
+ jpc_fix_t *dstptr;
+@@ -546,7 +518,6 @@ void jpc_qmfb_split_colres(jpc_fix_t *a,
+ int m;
+ int hstartcol;
+
+-#if !defined(HAVE_VLA)
+ /* Get a buffer. */
+ if (bufsize > QMFB_SPLITBUFSIZE) {
+ if (!(buf = jas_alloc2(bufsize, sizeof(jpc_fix_t)))) {
+@@ -554,7 +525,6 @@ void jpc_qmfb_split_colres(jpc_fix_t *a,
+ abort();
+ }
+ }
+-#endif
+
+ if (numrows >= 2) {
+ hstartcol = (numrows + 1 - parity) >> 1;
+@@ -606,12 +576,10 @@ void jpc_qmfb_split_colres(jpc_fix_t *a,
+ }
+ }
+
+-#if !defined(HAVE_VLA)
+ /* If the split buffer was allocated on the heap, free this memory. */
+ if (buf != splitbuf) {
+ jas_free(buf);
+ }
+-#endif
+
+ }
+
+@@ -619,18 +587,13 @@ void jpc_qmfb_join_row(jpc_fix_t *a, int
+ {
+
+ int bufsize = JPC_CEILDIVPOW2(numcols, 1);
+-#if !defined(HAVE_VLA)
+ jpc_fix_t joinbuf[QMFB_JOINBUFSIZE];
+-#else
+- jpc_fix_t joinbuf[bufsize];
+-#endif
+ jpc_fix_t *buf = joinbuf;
+ register jpc_fix_t *srcptr;
+ register jpc_fix_t *dstptr;
+ register int n;
+ int hstartcol;
+
+-#if !defined(HAVE_VLA)
+ /* Allocate memory for the join buffer from the heap. */
+ if (bufsize > QMFB_JOINBUFSIZE) {
+ if (!(buf = jas_alloc2(bufsize, sizeof(jpc_fix_t)))) {
+@@ -638,7 +601,6 @@ void jpc_qmfb_join_row(jpc_fix_t *a, int
+ abort();
+ }
+ }
+-#endif
+
+ hstartcol = (numcols + 1 - parity) >> 1;
+
+@@ -670,12 +632,10 @@ void jpc_qmfb_join_row(jpc_fix_t *a, int
+ ++srcptr;
+ }
+
+-#if !defined(HAVE_VLA)
+ /* If the join buffer was allocated on the heap, free this memory. */
+ if (buf != joinbuf) {
+ jas_free(buf);
+ }
+-#endif
+
+ }
+
+@@ -684,18 +644,13 @@ void jpc_qmfb_join_col(jpc_fix_t *a, int
+ {
+
+ int bufsize = JPC_CEILDIVPOW2(numrows, 1);
+-#if !defined(HAVE_VLA)
+ jpc_fix_t joinbuf[QMFB_JOINBUFSIZE];
+-#else
+- jpc_fix_t joinbuf[bufsize];
+-#endif
+ jpc_fix_t *buf = joinbuf;
+ register jpc_fix_t *srcptr;
+ register jpc_fix_t *dstptr;
+ register int n;
+ int hstartcol;
+
+-#if !defined(HAVE_VLA)
+ /* Allocate memory for the join buffer from the heap. */
+ if (bufsize > QMFB_JOINBUFSIZE) {
+ if (!(buf = jas_alloc2(bufsize, sizeof(jpc_fix_t)))) {
+@@ -703,7 +658,6 @@ void jpc_qmfb_join_col(jpc_fix_t *a, int
+ abort();
+ }
+ }
+-#endif
+
+ hstartcol = (numrows + 1 - parity) >> 1;
+
+@@ -735,12 +689,10 @@ void jpc_qmfb_join_col(jpc_fix_t *a, int
+ ++srcptr;
+ }
+
+-#if !defined(HAVE_VLA)
+ /* If the join buffer was allocated on the heap, free this memory. */
+ if (buf != joinbuf) {
+ jas_free(buf);
+ }
+-#endif
+
+ }
+
+@@ -749,11 +701,7 @@ void jpc_qmfb_join_colgrp(jpc_fix_t *a,
+ {
+
+ int bufsize = JPC_CEILDIVPOW2(numrows, 1);
+-#if !defined(HAVE_VLA)
+ jpc_fix_t joinbuf[QMFB_JOINBUFSIZE * JPC_QMFB_COLGRPSIZE];
+-#else
+- jpc_fix_t joinbuf[bufsize * JPC_QMFB_COLGRPSIZE];
+-#endif
+ jpc_fix_t *buf = joinbuf;
+ jpc_fix_t *srcptr;
+ jpc_fix_t *dstptr;
+@@ -763,7 +711,6 @@ void jpc_qmfb_join_colgrp(jpc_fix_t *a,
+ register int i;
+ int hstartcol;
+
+-#if !defined(HAVE_VLA)
+ /* Allocate memory for the join buffer from the heap. */
+ if (bufsize > QMFB_JOINBUFSIZE) {
+ if (!(buf = jas_alloc2(bufsize, JPC_QMFB_COLGRPSIZE * sizeof(jpc_fix_t)))) {
+@@ -771,7 +718,6 @@ void jpc_qmfb_join_colgrp(jpc_fix_t *a,
+ abort();
+ }
+ }
+-#endif
+
+ hstartcol = (numrows + 1 - parity) >> 1;
+
+@@ -821,12 +767,10 @@ void jpc_qmfb_join_colgrp(jpc_fix_t *a,
+ srcptr += JPC_QMFB_COLGRPSIZE;
+ }
+
+-#if !defined(HAVE_VLA)
+ /* If the join buffer was allocated on the heap, free this memory. */
+ if (buf != joinbuf) {
+ jas_free(buf);
+ }
+-#endif
+
+ }
+
+@@ -835,11 +779,7 @@ void jpc_qmfb_join_colres(jpc_fix_t *a,
+ {
+
+ int bufsize = JPC_CEILDIVPOW2(numrows, 1);
+-#if !defined(HAVE_VLA)
+ jpc_fix_t joinbuf[QMFB_JOINBUFSIZE * JPC_QMFB_COLGRPSIZE];
+-#else
+- jpc_fix_t joinbuf[bufsize * numcols];
+-#endif
+ jpc_fix_t *buf = joinbuf;
+ jpc_fix_t *srcptr;
+ jpc_fix_t *dstptr;
+@@ -849,7 +789,6 @@ void jpc_qmfb_join_colres(jpc_fix_t *a,
+ register int i;
+ int hstartcol;
+
+-#if !defined(HAVE_VLA)
+ /* Allocate memory for the join buffer from the heap. */
+ if (bufsize > QMFB_JOINBUFSIZE) {
+ if (!(buf = jas_alloc3(bufsize, numcols, sizeof(jpc_fix_t)))) {
+@@ -857,7 +796,6 @@ void jpc_qmfb_join_colres(jpc_fix_t *a,
+ abort();
+ }
+ }
+-#endif
+
+ hstartcol = (numrows + 1 - parity) >> 1;
+
+@@ -907,12 +845,10 @@ void jpc_qmfb_join_colres(jpc_fix_t *a,
+ srcptr += numcols;
+ }
+
+-#if !defined(HAVE_VLA)
+ /* If the join buffer was allocated on the heap, free this memory. */
+ if (buf != joinbuf) {
+ jas_free(buf);
+ }
+-#endif
+
+ }
+
diff --git a/main/jasper/CVE-2015-5203.patch b/main/jasper/CVE-2015-5203.patch
index 5bf53b36f7..e60e61adc8 100644
--- a/main/jasper/CVE-2015-5203.patch
+++ b/main/jasper/CVE-2015-5203.patch
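Review bot: With the `HAVE_VLA` branches removed by CVE-2014-8158.patch, the heap fallback is the only path for large inputs, and in `jpc_qmfb_split_colgrp` and `jpc_qmfb_split_colres` it allocates `jas_alloc2(bufsize, sizeof(jpc_fix_t))`, which is one column wide, while the stack buffer it stands in for is `QMFB_SPLITBUFSIZE * JPC_QMFB_COLGRPSIZE` and the removed VLAs were `bufsize * JPC_QMFB_COLGRPSIZE` and `bufsize * numcols`. The join counterparts size the same fallback as `jas_alloc2(bufsize, JPC_QMFB_COLGRPSIZE * sizeof(jpc_fix_t))` and `jas_alloc3(bufsize, numcols, sizeof(jpc_fix_t))`. The copy loops are outside the hunks, but if the split functions fill a column group per row as the buffer declarations suggest, the heap buffer is too small; I would use `jas_alloc3(bufsize, JPC_QMFB_COLGRPSIZE, sizeof(jpc_fix_t))` in `jpc_qmfb_split_colgrp` and `jas_alloc3(bufsize, numcols, sizeof(jpc_fix_t))` in `jpc_qmfb_split_colres`. Separately, every fallback still calls `abort()` when the allocation fails, so an oversized image terminates the host process rather than failing the decode.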
@@ -101,98 +101,98 @@ addresses that by using size_t for buffer sizes. { unsigned char *buf; ---- a/src/libjasper/jpc/jpc_qmfb.c -+++ b/src/libjasper/jpc/jpc_qmfb.c -@@ -305,7 +305,7 @@ jpc_qmfb2d_t jpc_ns_qmfb2d = { +--- a/src/libjasper/mif/mif_cod.c ++++ b/src/libjasper/mif/mif_cod.c +@@ -107,7 +107,7 @@ static int mif_hdr_put(mif_hdr_t *hdr, j + static int mif_hdr_addcmpt(mif_hdr_t *hdr, int cmptno, mif_cmpt_t *cmpt); + static mif_cmpt_t *mif_cmpt_create(void); + static void mif_cmpt_destroy(mif_cmpt_t *cmpt); +-static char *mif_getline(jas_stream_t *jas_stream, char *buf, int bufsize); ++static char *mif_getline(jas_stream_t *jas_stream, char *buf, size_t bufsize); + static int mif_getc(jas_stream_t *in); + static mif_hdr_t *mif_makehdrfromimage(jas_image_t *image); + +@@ -658,7 +658,7 @@ static void mif_cmpt_destroy(mif_cmpt_t + * MIF parsing code. + \******************************************************************************/ + +-static char *mif_getline(jas_stream_t *stream, char *buf, int bufsize) ++static char *mif_getline(jas_stream_t *stream, char *buf, size_t bufsize) + { + int c; + char *bufptr; + +--- ./src/libjasper/jpc/jpc_qmfb.c.orig ++++ ./src/libjasper/jpc/jpc_qmfb.c +@@ -305,7 +305,7 @@ void jpc_qmfb_split_row(jpc_fix_t *a, int numcols, int parity) { - int bufsize = JPC_CEILDIVPOW2(numcols, 1); + size_t bufsize = JPC_CEILDIVPOW2(numcols, 1); - #if !defined(HAVE_VLA) jpc_fix_t splitbuf[QMFB_SPLITBUFSIZE]; - #else -@@ -373,7 +373,7 @@ void jpc_qmfb_split_col(jpc_fix_t *a, in + jpc_fix_t *buf = splitbuf; + register jpc_fix_t *srcptr; +@@ -365,7 +365,7 @@ int parity) { - int bufsize = JPC_CEILDIVPOW2(numrows, 1); + size_t bufsize = JPC_CEILDIVPOW2(numrows, 1); - #if !defined(HAVE_VLA) jpc_fix_t splitbuf[QMFB_SPLITBUFSIZE]; - #else -@@ -441,7 +441,7 @@ void jpc_qmfb_split_colgrp(jpc_fix_t *a, + jpc_fix_t *buf = splitbuf; + register jpc_fix_t *srcptr; +@@ -425,7 +425,7 @@ int parity) { - int bufsize = JPC_CEILDIVPOW2(numrows, 1); + size_t bufsize = 
JPC_CEILDIVPOW2(numrows, 1); - #if !defined(HAVE_VLA) jpc_fix_t splitbuf[QMFB_SPLITBUFSIZE * JPC_QMFB_COLGRPSIZE]; - #else -@@ -530,7 +530,7 @@ void jpc_qmfb_split_colres(jpc_fix_t *a, + jpc_fix_t *buf = splitbuf; + jpc_fix_t *srcptr; +@@ -506,7 +506,7 @@ int stride, int parity) { - int bufsize = JPC_CEILDIVPOW2(numrows, 1); + size_t bufsize = JPC_CEILDIVPOW2(numrows, 1); - #if !defined(HAVE_VLA) jpc_fix_t splitbuf[QMFB_SPLITBUFSIZE * JPC_QMFB_COLGRPSIZE]; - #else -@@ -618,7 +618,7 @@ void jpc_qmfb_split_colres(jpc_fix_t *a, + jpc_fix_t *buf = splitbuf; + jpc_fix_t *srcptr; +@@ -586,7 +586,7 @@ void jpc_qmfb_join_row(jpc_fix_t *a, int numcols, int parity) { - int bufsize = JPC_CEILDIVPOW2(numcols, 1); + size_t bufsize = JPC_CEILDIVPOW2(numcols, 1); - #if !defined(HAVE_VLA) jpc_fix_t joinbuf[QMFB_JOINBUFSIZE]; - #else -@@ -683,7 +683,7 @@ void jpc_qmfb_join_col(jpc_fix_t *a, int + jpc_fix_t *buf = joinbuf; + register jpc_fix_t *srcptr; +@@ -643,7 +643,7 @@ int parity) { - int bufsize = JPC_CEILDIVPOW2(numrows, 1); + size_t bufsize = JPC_CEILDIVPOW2(numrows, 1); - #if !defined(HAVE_VLA) jpc_fix_t joinbuf[QMFB_JOINBUFSIZE]; - #else -@@ -748,7 +748,7 @@ void jpc_qmfb_join_colgrp(jpc_fix_t *a, + jpc_fix_t *buf = joinbuf; + register jpc_fix_t *srcptr; +@@ -700,7 +700,7 @@ int parity) { - int bufsize = JPC_CEILDIVPOW2(numrows, 1); + size_t bufsize = JPC_CEILDIVPOW2(numrows, 1); - #if !defined(HAVE_VLA) jpc_fix_t joinbuf[QMFB_JOINBUFSIZE * JPC_QMFB_COLGRPSIZE]; - #else -@@ -834,7 +834,7 @@ void jpc_qmfb_join_colres(jpc_fix_t *a, + jpc_fix_t *buf = joinbuf; + jpc_fix_t *srcptr; +@@ -778,7 +778,7 @@ int stride, int parity) { - int bufsize = JPC_CEILDIVPOW2(numrows, 1); + size_t bufsize = JPC_CEILDIVPOW2(numrows, 1); - #if !defined(HAVE_VLA) jpc_fix_t joinbuf[QMFB_JOINBUFSIZE * JPC_QMFB_COLGRPSIZE]; - #else ---- a/src/libjasper/mif/mif_cod.c -+++ b/src/libjasper/mif/mif_cod.c -@@ -107,7 +107,7 @@ static int mif_hdr_put(mif_hdr_t *hdr, j - static int mif_hdr_addcmpt(mif_hdr_t 
*hdr, int cmptno, mif_cmpt_t *cmpt); - static mif_cmpt_t *mif_cmpt_create(void); - static void mif_cmpt_destroy(mif_cmpt_t *cmpt); --static char *mif_getline(jas_stream_t *jas_stream, char *buf, int bufsize); -+static char *mif_getline(jas_stream_t *jas_stream, char *buf, size_t bufsize); - static int mif_getc(jas_stream_t *in); - static mif_hdr_t *mif_makehdrfromimage(jas_image_t *image); - -@@ -658,7 +658,7 @@ static void mif_cmpt_destroy(mif_cmpt_t - * MIF parsing code. - \******************************************************************************/ - --static char *mif_getline(jas_stream_t *stream, char *buf, int bufsize) -+static char *mif_getline(jas_stream_t *stream, char *buf, size_t bufsize) - { - int c; - char *bufptr; - + jpc_fix_t *buf = joinbuf; + jpc_fix_t *srcptr; |
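Review bot: The regenerated CVE-2015-5203.patch changes only the local to `size_t bufsize = JPC_CEILDIVPOW2(numcols, 1);` while `numcols`/`numrows` remain `int` parameters, so a negative dimension would convert to a very large `size_t` and take the heap-allocation branch instead of being rejected. Nothing visible checks the sign before the conversion; the function bodies and their callers are outside the hunk, so such a check may exist elsewhere. I would either validate the dimension at the top of each function or state the precondition next to the declaration, e.g. `/* numcols must be >= 0: a negative value becomes a huge size_t below */`. The same applies to all eight `jpc_qmfb_split_*` and `jpc_qmfb_join_*` hunks in this patch.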