jasper: various security fixes (Alpine patches)

CVE-2008-3520 CVE-2008-3522 CVE-2014-8137 CVE-2014-8138
CVE-2014-8157 CVE-2014-8158 CVE-2014-9029 CVE-2015-5203
CVE-2016-1577 CVE-2016-2089 CVE-2016-2116
Michael Gehring 2016-05-04 17:39:21 +02:00
parent 479fbb0b55
commit 4c035183ea
16 changed files with 1765 additions and 1 deletions


@ -0,0 +1,57 @@
--- jasper-1.900.1.orig/src/libjasper/base/jas_icc.c 2014-12-11 14:06:44.000000000 +0100
+++ jasper-1.900.1/src/libjasper/base/jas_icc.c 2014-12-11 15:16:37.971272386 +0100
@@ -1009,7 +1009,6 @@ static int jas_icccurv_input(jas_iccattr
return 0;
error:
- jas_icccurv_destroy(attrval);
return -1;
}
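Review bot: With `jas_icccurv_destroy(attrval)` dropped from the `error:` path, cleanup of a partially parsed attribute depends entirely on the caller, and nothing at the label says so. A comment such as `/* attrval is released by the caller; do not destroy it here */` would keep a later maintainer from re-adding the call; the same applies to the `error:` labels in jas_icctxtdesc_input, jas_icctxt_input, jas_icclut8_input and jas_icclut16_input. The caller is outside these hunks, so confirm that it destroys attrval on every failure return and that each type's destroy routine tolerates fields that were never allocated.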
@@ -1127,7 +1126,6 @@ static int jas_icctxtdesc_input(jas_icca
#endif
return 0;
error:
- jas_icctxtdesc_destroy(attrval);
return -1;
}
@@ -1206,8 +1204,6 @@ static int jas_icctxt_input(jas_iccattrv
goto error;
return 0;
error:
- if (txt->string)
- jas_free(txt->string);
return -1;
}
@@ -1328,7 +1324,6 @@ static int jas_icclut8_input(jas_iccattr
goto error;
return 0;
error:
- jas_icclut8_destroy(attrval);
return -1;
}
@@ -1497,7 +1492,6 @@ static int jas_icclut16_input(jas_iccatt
goto error;
return 0;
error:
- jas_icclut16_destroy(attrval);
return -1;
}
--- jasper-1.900.1.orig/src/libjasper/jp2/jp2_dec.c 2014-12-11 14:30:54.193209780 +0100
+++ jasper-1.900.1/src/libjasper/jp2/jp2_dec.c 2014-12-11 14:36:46.313217814 +0100
@@ -291,7 +291,10 @@ jas_image_t *jp2_decode(jas_stream_t *in
case JP2_COLR_ICC:
iccprof = jas_iccprof_createfrombuf(dec->colr->data.colr.iccp,
dec->colr->data.colr.iccplen);
- assert(iccprof);
+ if (!iccprof) {
+ jas_eprintf("error: failed to parse ICC profile\n");
+ goto error;
+ }
jas_iccprof_gethdr(iccprof, &icchdr);
jas_eprintf("ICC Profile CS %08x\n", icchdr.colorspc);
jas_image_setclrspc(dec->image, fromiccpcs(icchdr.colorspc));


@ -0,0 +1,14 @@
--- jasper-1.900.1.orig/src/libjasper/jp2/jp2_dec.c 2014-12-11 14:06:44.000000000 +0100
+++ jasper-1.900.1/src/libjasper/jp2/jp2_dec.c 2014-12-11 14:06:26.000000000 +0100
@@ -386,6 +386,11 @@ jas_image_t *jp2_decode(jas_stream_t *in
/* Determine the type of each component. */
if (dec->cdef) {
for (i = 0; i < dec->numchans; ++i) {
+ /* Is the channel number reasonable? */
+ if (dec->cdef->data.cdef.ents[i].channo >= dec->numchans) {
+ jas_eprintf("error: invalid channel number in CDEF box\n");
+ goto error;
+ }
jas_image_setcmpttype(dec->image,
dec->chantocmptlut[dec->cdef->data.cdef.ents[i].channo],
jp2_getct(jas_image_clrspc(dec->image),
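Review bot: The new check bounds `channo`, but the loop still indexes `ents[i]` for `i < dec->numchans`, while the length of `ents` is presumably taken from the CDEF box itself. If the box declares fewer entries than the image has channels, `ents[i]` is read past the array before the new check runs; looping with `i < dec->cdef->data.cdef.numchans` would bound the index by the box's own count. The allocation of `ents` is not visible here, so confirm which field it is sized from. jp2_decode starts and ends outside the hunk.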


@ -0,0 +1,12 @@
diff -up jasper-1.900.1/src/libjasper/jpc/jpc_dec.c.CVE-2014-8157 jasper-1.900.1/src/libjasper/jpc/jpc_dec.c
--- jasper-1.900.1/src/libjasper/jpc/jpc_dec.c.CVE-2014-8157 2015-01-19 16:59:36.000000000 +0100
+++ jasper-1.900.1/src/libjasper/jpc/jpc_dec.c 2015-01-19 17:07:41.609863268 +0100
@@ -489,7 +489,7 @@ static int jpc_dec_process_sot(jpc_dec_t
dec->curtileendoff = 0;
}
- if (JAS_CAST(int, sot->tileno) > dec->numtiles) {
+ if (JAS_CAST(int, sot->tileno) >= dec->numtiles) {
jas_eprintf("invalid tile number in SOT marker segment\n");
return -1;
}


@ -0,0 +1,329 @@
diff -up jasper-1.900.1/src/libjasper/jpc/jpc_qmfb.c.CVE-2014-8158 jasper-1.900.1/src/libjasper/jpc/jpc_qmfb.c
--- jasper-1.900.1/src/libjasper/jpc/jpc_qmfb.c.CVE-2014-8158 2015-01-19 17:25:28.730195502 +0100
+++ jasper-1.900.1/src/libjasper/jpc/jpc_qmfb.c 2015-01-19 17:27:20.214663127 +0100
@@ -306,11 +306,7 @@ void jpc_qmfb_split_row(jpc_fix_t *a, in
{
int bufsize = JPC_CEILDIVPOW2(numcols, 1);
-#if !defined(HAVE_VLA)
jpc_fix_t splitbuf[QMFB_SPLITBUFSIZE];
-#else
- jpc_fix_t splitbuf[bufsize];
-#endif
jpc_fix_t *buf = splitbuf;
register jpc_fix_t *srcptr;
register jpc_fix_t *dstptr;
@@ -318,7 +314,6 @@ void jpc_qmfb_split_row(jpc_fix_t *a, in
register int m;
int hstartcol;
-#if !defined(HAVE_VLA)
/* Get a buffer. */
if (bufsize > QMFB_SPLITBUFSIZE) {
if (!(buf = jas_alloc2(bufsize, sizeof(jpc_fix_t)))) {
@@ -326,7 +321,6 @@ void jpc_qmfb_split_row(jpc_fix_t *a, in
abort();
}
}
-#endif
if (numcols >= 2) {
hstartcol = (numcols + 1 - parity) >> 1;
@@ -360,12 +354,10 @@ void jpc_qmfb_split_row(jpc_fix_t *a, in
}
}
-#if !defined(HAVE_VLA)
/* If the split buffer was allocated on the heap, free this memory. */
if (buf != splitbuf) {
jas_free(buf);
}
-#endif
}
@@ -374,11 +366,7 @@ void jpc_qmfb_split_col(jpc_fix_t *a, in
{
int bufsize = JPC_CEILDIVPOW2(numrows, 1);
-#if !defined(HAVE_VLA)
jpc_fix_t splitbuf[QMFB_SPLITBUFSIZE];
-#else
- jpc_fix_t splitbuf[bufsize];
-#endif
jpc_fix_t *buf = splitbuf;
register jpc_fix_t *srcptr;
register jpc_fix_t *dstptr;
@@ -386,7 +374,6 @@ void jpc_qmfb_split_col(jpc_fix_t *a, in
register int m;
int hstartcol;
-#if !defined(HAVE_VLA)
/* Get a buffer. */
if (bufsize > QMFB_SPLITBUFSIZE) {
if (!(buf = jas_alloc2(bufsize, sizeof(jpc_fix_t)))) {
@@ -394,7 +381,6 @@ void jpc_qmfb_split_col(jpc_fix_t *a, in
abort();
}
}
-#endif
if (numrows >= 2) {
hstartcol = (numrows + 1 - parity) >> 1;
@@ -428,12 +414,10 @@ void jpc_qmfb_split_col(jpc_fix_t *a, in
}
}
-#if !defined(HAVE_VLA)
/* If the split buffer was allocated on the heap, free this memory. */
if (buf != splitbuf) {
jas_free(buf);
}
-#endif
}
@@ -442,11 +426,7 @@ void jpc_qmfb_split_colgrp(jpc_fix_t *a,
{
int bufsize = JPC_CEILDIVPOW2(numrows, 1);
-#if !defined(HAVE_VLA)
jpc_fix_t splitbuf[QMFB_SPLITBUFSIZE * JPC_QMFB_COLGRPSIZE];
-#else
- jpc_fix_t splitbuf[bufsize * JPC_QMFB_COLGRPSIZE];
-#endif
jpc_fix_t *buf = splitbuf;
jpc_fix_t *srcptr;
jpc_fix_t *dstptr;
@@ -457,7 +437,6 @@ void jpc_qmfb_split_colgrp(jpc_fix_t *a,
int m;
int hstartcol;
-#if !defined(HAVE_VLA)
/* Get a buffer. */
if (bufsize > QMFB_SPLITBUFSIZE) {
if (!(buf = jas_alloc2(bufsize, sizeof(jpc_fix_t)))) {
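Review bot: The heap fallback kept here allocates only `bufsize` elements, `jas_alloc2(bufsize, sizeof(jpc_fix_t))`, while the stack buffer it stands in for is declared with `QMFB_SPLITBUFSIZE * JPC_QMFB_COLGRPSIZE` elements. With the VLA path removed this is the only path for large inputs, so if jpc_qmfb_split_colgrp stores JPC_QMFB_COLGRPSIZE values per row (the copy loops are outside the hunk), the heap buffer is too small by that factor. `jas_alloc3(bufsize, JPC_QMFB_COLGRPSIZE, sizeof(jpc_fix_t))` would match what jpc_qmfb_join_colgrp allocates. The jpc_qmfb_split_colres hunk at `@@ -546,7 +518,6 @@` has the same call and would need `jas_alloc3(bufsize, numcols, sizeof(jpc_fix_t))`, as jpc_qmfb_join_colres already does.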
@@ -465,7 +444,6 @@ void jpc_qmfb_split_colgrp(jpc_fix_t *a,
abort();
}
}
-#endif
if (numrows >= 2) {
hstartcol = (numrows + 1 - parity) >> 1;
@@ -517,12 +495,10 @@ void jpc_qmfb_split_colgrp(jpc_fix_t *a,
}
}
-#if !defined(HAVE_VLA)
/* If the split buffer was allocated on the heap, free this memory. */
if (buf != splitbuf) {
jas_free(buf);
}
-#endif
}
@@ -531,11 +507,7 @@ void jpc_qmfb_split_colres(jpc_fix_t *a,
{
int bufsize = JPC_CEILDIVPOW2(numrows, 1);
-#if !defined(HAVE_VLA)
jpc_fix_t splitbuf[QMFB_SPLITBUFSIZE * JPC_QMFB_COLGRPSIZE];
-#else
- jpc_fix_t splitbuf[bufsize * numcols];
-#endif
jpc_fix_t *buf = splitbuf;
jpc_fix_t *srcptr;
jpc_fix_t *dstptr;
@@ -546,7 +518,6 @@ void jpc_qmfb_split_colres(jpc_fix_t *a,
int m;
int hstartcol;
-#if !defined(HAVE_VLA)
/* Get a buffer. */
if (bufsize > QMFB_SPLITBUFSIZE) {
if (!(buf = jas_alloc2(bufsize, sizeof(jpc_fix_t)))) {
@@ -554,7 +525,6 @@ void jpc_qmfb_split_colres(jpc_fix_t *a,
abort();
}
}
-#endif
if (numrows >= 2) {
hstartcol = (numrows + 1 - parity) >> 1;
@@ -606,12 +576,10 @@ void jpc_qmfb_split_colres(jpc_fix_t *a,
}
}
-#if !defined(HAVE_VLA)
/* If the split buffer was allocated on the heap, free this memory. */
if (buf != splitbuf) {
jas_free(buf);
}
-#endif
}
@@ -619,18 +587,13 @@ void jpc_qmfb_join_row(jpc_fix_t *a, int
{
int bufsize = JPC_CEILDIVPOW2(numcols, 1);
-#if !defined(HAVE_VLA)
jpc_fix_t joinbuf[QMFB_JOINBUFSIZE];
-#else
- jpc_fix_t joinbuf[bufsize];
-#endif
jpc_fix_t *buf = joinbuf;
register jpc_fix_t *srcptr;
register jpc_fix_t *dstptr;
register int n;
int hstartcol;
-#if !defined(HAVE_VLA)
/* Allocate memory for the join buffer from the heap. */
if (bufsize > QMFB_JOINBUFSIZE) {
if (!(buf = jas_alloc2(bufsize, sizeof(jpc_fix_t)))) {
@@ -638,7 +601,6 @@ void jpc_qmfb_join_row(jpc_fix_t *a, int
abort();
}
}
-#endif
hstartcol = (numcols + 1 - parity) >> 1;
@@ -670,12 +632,10 @@ void jpc_qmfb_join_row(jpc_fix_t *a, int
++srcptr;
}
-#if !defined(HAVE_VLA)
/* If the join buffer was allocated on the heap, free this memory. */
if (buf != joinbuf) {
jas_free(buf);
}
-#endif
}
@@ -684,18 +644,13 @@ void jpc_qmfb_join_col(jpc_fix_t *a, int
{
int bufsize = JPC_CEILDIVPOW2(numrows, 1);
-#if !defined(HAVE_VLA)
jpc_fix_t joinbuf[QMFB_JOINBUFSIZE];
-#else
- jpc_fix_t joinbuf[bufsize];
-#endif
jpc_fix_t *buf = joinbuf;
register jpc_fix_t *srcptr;
register jpc_fix_t *dstptr;
register int n;
int hstartcol;
-#if !defined(HAVE_VLA)
/* Allocate memory for the join buffer from the heap. */
if (bufsize > QMFB_JOINBUFSIZE) {
if (!(buf = jas_alloc2(bufsize, sizeof(jpc_fix_t)))) {
@@ -703,7 +658,6 @@ void jpc_qmfb_join_col(jpc_fix_t *a, int
abort();
}
}
-#endif
hstartcol = (numrows + 1 - parity) >> 1;
@@ -735,12 +689,10 @@ void jpc_qmfb_join_col(jpc_fix_t *a, int
++srcptr;
}
-#if !defined(HAVE_VLA)
/* If the join buffer was allocated on the heap, free this memory. */
if (buf != joinbuf) {
jas_free(buf);
}
-#endif
}
@@ -749,11 +701,7 @@ void jpc_qmfb_join_colgrp(jpc_fix_t *a,
{
int bufsize = JPC_CEILDIVPOW2(numrows, 1);
-#if !defined(HAVE_VLA)
jpc_fix_t joinbuf[QMFB_JOINBUFSIZE * JPC_QMFB_COLGRPSIZE];
-#else
- jpc_fix_t joinbuf[bufsize * JPC_QMFB_COLGRPSIZE];
-#endif
jpc_fix_t *buf = joinbuf;
jpc_fix_t *srcptr;
jpc_fix_t *dstptr;
@@ -763,7 +711,6 @@ void jpc_qmfb_join_colgrp(jpc_fix_t *a,
register int i;
int hstartcol;
-#if !defined(HAVE_VLA)
/* Allocate memory for the join buffer from the heap. */
if (bufsize > QMFB_JOINBUFSIZE) {
if (!(buf = jas_alloc2(bufsize, JPC_QMFB_COLGRPSIZE * sizeof(jpc_fix_t)))) {
@@ -771,7 +718,6 @@ void jpc_qmfb_join_colgrp(jpc_fix_t *a,
abort();
}
}
-#endif
hstartcol = (numrows + 1 - parity) >> 1;
@@ -821,12 +767,10 @@ void jpc_qmfb_join_colgrp(jpc_fix_t *a,
srcptr += JPC_QMFB_COLGRPSIZE;
}
-#if !defined(HAVE_VLA)
/* If the join buffer was allocated on the heap, free this memory. */
if (buf != joinbuf) {
jas_free(buf);
}
-#endif
}
@@ -835,11 +779,7 @@ void jpc_qmfb_join_colres(jpc_fix_t *a,
{
int bufsize = JPC_CEILDIVPOW2(numrows, 1);
-#if !defined(HAVE_VLA)
jpc_fix_t joinbuf[QMFB_JOINBUFSIZE * JPC_QMFB_COLGRPSIZE];
-#else
- jpc_fix_t joinbuf[bufsize * numcols];
-#endif
jpc_fix_t *buf = joinbuf;
jpc_fix_t *srcptr;
jpc_fix_t *dstptr;
@@ -849,7 +789,6 @@ void jpc_qmfb_join_colres(jpc_fix_t *a,
register int i;
int hstartcol;
-#if !defined(HAVE_VLA)
/* Allocate memory for the join buffer from the heap. */
if (bufsize > QMFB_JOINBUFSIZE) {
if (!(buf = jas_alloc3(bufsize, numcols, sizeof(jpc_fix_t)))) {
@@ -857,7 +796,6 @@ void jpc_qmfb_join_colres(jpc_fix_t *a,
abort();
}
}
-#endif
hstartcol = (numrows + 1 - parity) >> 1;
@@ -907,12 +845,10 @@ void jpc_qmfb_join_colres(jpc_fix_t *a,
srcptr += numcols;
}
-#if !defined(HAVE_VLA)
/* If the join buffer was allocated on the heap, free this memory. */
if (buf != joinbuf) {
jas_free(buf);
}
-#endif
}


@ -0,0 +1,29 @@
--- jasper-1.900.1.orig/src/libjasper/jpc/jpc_dec.c 2014-11-27 12:45:44.000000000 +0100
+++ jasper-1.900.1/src/libjasper/jpc/jpc_dec.c 2014-11-27 12:44:58.000000000 +0100
@@ -1281,7 +1281,7 @@ static int jpc_dec_process_coc(jpc_dec_t
jpc_coc_t *coc = &ms->parms.coc;
jpc_dec_tile_t *tile;
- if (JAS_CAST(int, coc->compno) > dec->numcomps) {
+ if (JAS_CAST(int, coc->compno) >= dec->numcomps) {
jas_eprintf("invalid component number in COC marker segment\n");
return -1;
}
@@ -1307,7 +1307,7 @@ static int jpc_dec_process_rgn(jpc_dec_t
jpc_rgn_t *rgn = &ms->parms.rgn;
jpc_dec_tile_t *tile;
- if (JAS_CAST(int, rgn->compno) > dec->numcomps) {
+ if (JAS_CAST(int, rgn->compno) >= dec->numcomps) {
jas_eprintf("invalid component number in RGN marker segment\n");
return -1;
}
@@ -1356,7 +1356,7 @@ static int jpc_dec_process_qcc(jpc_dec_t
jpc_qcc_t *qcc = &ms->parms.qcc;
jpc_dec_tile_t *tile;
- if (JAS_CAST(int, qcc->compno) > dec->numcomps) {
+ if (JAS_CAST(int, qcc->compno) >= dec->numcomps) {
jas_eprintf("invalid component number in QCC marker segment\n");
return -1;
}


@ -0,0 +1,198 @@
From a0ad33bedb339e4f9f35f9637a976320ec81f508 Mon Sep 17 00:00:00 2001
From: mancha <mancha1 AT zoho DOT com>
Date: Mon, 17 Aug 2015
Subject: CVE-2015-5203
Prevent integer conversion errors.
jasper is vulnerable to integer conversion errors that can be leveraged,
via crafted input, to trigger faults such as double free's. This patch
addresses that by using size_t for buffer sizes.
---
src/libjasper/base/jas_stream.c | 10 +++++-----
src/libjasper/include/jasper/jas_stream.h | 8 ++++----
src/libjasper/jpc/jpc_qmfb.c | 16 ++++++++--------
src/libjasper/mif/mif_cod.c | 4 ++--
4 files changed, 19 insertions(+), 19 deletions(-)
--- a/src/libjasper/include/jasper/jas_stream.h
+++ b/src/libjasper/include/jasper/jas_stream.h
@@ -215,7 +215,7 @@ typedef struct {
uchar *bufstart_;
/* The buffer size. */
- int bufsize_;
+ size_t bufsize_;
/* The current position in the buffer. */
uchar *ptr_;
@@ -267,7 +267,7 @@ typedef struct {
uchar *buf_;
/* The allocated size of the buffer for holding file data. */
- int bufsize_;
+ size_t bufsize_;
/* The length of the file. */
int_fast32_t len_;
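Review bot: `bufsize_` becomes `size_t` here while `len_` directly below stays `int_fast32_t`, and `mem_read`/`mem_write` in jas_stream.c still take `int cnt`. Any comparison or subtraction that mixes these is now done in unsigned arithmetic, so a negative length or count would compare as a very large value instead of failing a bounds test. The code that uses these fields is outside the hunks, so an audit or a build with `-Wsign-compare` is needed to confirm that no such mix remains. Converting the remaining signed offsets of this struct in the same change would be the consistent fix.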
@@ -291,7 +291,7 @@ typedef struct {
jas_stream_t *jas_stream_fopen(const char *filename, const char *mode);
/* Open a memory buffer as a stream. */
-jas_stream_t *jas_stream_memopen(char *buf, int bufsize);
+jas_stream_t *jas_stream_memopen(char *buf, size_t bufsize);
/* Open a file descriptor as a stream. */
jas_stream_t *jas_stream_fdopen(int fd, const char *mode);
@@ -366,7 +366,7 @@ int jas_stream_printf(jas_stream_t *stre
int jas_stream_puts(jas_stream_t *stream, const char *s);
/* Read a line of input from a stream. */
-char *jas_stream_gets(jas_stream_t *stream, char *buf, int bufsize);
+char *jas_stream_gets(jas_stream_t *stream, char *buf, size_t bufsize);
/* Look at the next character to be read from a stream without actually
removing it from the stream. */
--- a/src/libjasper/base/jas_stream.c
+++ b/src/libjasper/base/jas_stream.c
@@ -99,7 +99,7 @@ static int jas_strtoopenmode(const char
static void jas_stream_destroy(jas_stream_t *stream);
static jas_stream_t *jas_stream_create(void);
static void jas_stream_initbuf(jas_stream_t *stream, int bufmode, char *buf,
- int bufsize);
+ size_t bufsize);
static int mem_read(jas_stream_obj_t *obj, char *buf, int cnt);
static int mem_write(jas_stream_obj_t *obj, char *buf, int cnt);
@@ -168,7 +168,7 @@ static jas_stream_t *jas_stream_create()
return stream;
}
-jas_stream_t *jas_stream_memopen(char *buf, int bufsize)
+jas_stream_t *jas_stream_memopen(char *buf, size_t bufsize)
{
jas_stream_t *stream;
jas_stream_memobj_t *obj;
@@ -570,7 +570,7 @@ int jas_stream_puts(jas_stream_t *stream
return 0;
}
-char *jas_stream_gets(jas_stream_t *stream, char *buf, int bufsize)
+char *jas_stream_gets(jas_stream_t *stream, char *buf, size_t bufsize)
{
int c;
char *bufptr;
@@ -694,7 +694,7 @@ long jas_stream_tell(jas_stream_t *strea
\******************************************************************************/
static void jas_stream_initbuf(jas_stream_t *stream, int bufmode, char *buf,
- int bufsize)
+ size_t bufsize)
{
/* If this function is being called, the buffer should not have been
initialized yet. */
@@ -987,7 +987,7 @@ static int mem_read(jas_stream_obj_t *ob
return cnt;
}
-static int mem_resize(jas_stream_memobj_t *m, int bufsize)
+static int mem_resize(jas_stream_memobj_t *m, size_t bufsize)
{
unsigned char *buf;
--- a/src/libjasper/mif/mif_cod.c
+++ b/src/libjasper/mif/mif_cod.c
@@ -107,7 +107,7 @@ static int mif_hdr_put(mif_hdr_t *hdr, j
static int mif_hdr_addcmpt(mif_hdr_t *hdr, int cmptno, mif_cmpt_t *cmpt);
static mif_cmpt_t *mif_cmpt_create(void);
static void mif_cmpt_destroy(mif_cmpt_t *cmpt);
-static char *mif_getline(jas_stream_t *jas_stream, char *buf, int bufsize);
+static char *mif_getline(jas_stream_t *jas_stream, char *buf, size_t bufsize);
static int mif_getc(jas_stream_t *in);
static mif_hdr_t *mif_makehdrfromimage(jas_image_t *image);
@@ -658,7 +658,7 @@ static void mif_cmpt_destroy(mif_cmpt_t
* MIF parsing code.
\******************************************************************************/
-static char *mif_getline(jas_stream_t *stream, char *buf, int bufsize)
+static char *mif_getline(jas_stream_t *stream, char *buf, size_t bufsize)
{
int c;
char *bufptr;
--- ./src/libjasper/jpc/jpc_qmfb.c.orig
+++ ./src/libjasper/jpc/jpc_qmfb.c
@@ -305,7 +305,7 @@
void jpc_qmfb_split_row(jpc_fix_t *a, int numcols, int parity)
{
- int bufsize = JPC_CEILDIVPOW2(numcols, 1);
+ size_t bufsize = JPC_CEILDIVPOW2(numcols, 1);
jpc_fix_t splitbuf[QMFB_SPLITBUFSIZE];
jpc_fix_t *buf = splitbuf;
register jpc_fix_t *srcptr;
@@ -365,7 +365,7 @@
int parity)
{
- int bufsize = JPC_CEILDIVPOW2(numrows, 1);
+ size_t bufsize = JPC_CEILDIVPOW2(numrows, 1);
jpc_fix_t splitbuf[QMFB_SPLITBUFSIZE];
jpc_fix_t *buf = splitbuf;
register jpc_fix_t *srcptr;
@@ -425,7 +425,7 @@
int parity)
{
- int bufsize = JPC_CEILDIVPOW2(numrows, 1);
+ size_t bufsize = JPC_CEILDIVPOW2(numrows, 1);
jpc_fix_t splitbuf[QMFB_SPLITBUFSIZE * JPC_QMFB_COLGRPSIZE];
jpc_fix_t *buf = splitbuf;
jpc_fix_t *srcptr;
@@ -506,7 +506,7 @@
int stride, int parity)
{
- int bufsize = JPC_CEILDIVPOW2(numrows, 1);
+ size_t bufsize = JPC_CEILDIVPOW2(numrows, 1);
jpc_fix_t splitbuf[QMFB_SPLITBUFSIZE * JPC_QMFB_COLGRPSIZE];
jpc_fix_t *buf = splitbuf;
jpc_fix_t *srcptr;
@@ -586,7 +586,7 @@
void jpc_qmfb_join_row(jpc_fix_t *a, int numcols, int parity)
{
- int bufsize = JPC_CEILDIVPOW2(numcols, 1);
+ size_t bufsize = JPC_CEILDIVPOW2(numcols, 1);
jpc_fix_t joinbuf[QMFB_JOINBUFSIZE];
jpc_fix_t *buf = joinbuf;
register jpc_fix_t *srcptr;
@@ -643,7 +643,7 @@
int parity)
{
- int bufsize = JPC_CEILDIVPOW2(numrows, 1);
+ size_t bufsize = JPC_CEILDIVPOW2(numrows, 1);
jpc_fix_t joinbuf[QMFB_JOINBUFSIZE];
jpc_fix_t *buf = joinbuf;
register jpc_fix_t *srcptr;
@@ -700,7 +700,7 @@
int parity)
{
- int bufsize = JPC_CEILDIVPOW2(numrows, 1);
+ size_t bufsize = JPC_CEILDIVPOW2(numrows, 1);
jpc_fix_t joinbuf[QMFB_JOINBUFSIZE * JPC_QMFB_COLGRPSIZE];
jpc_fix_t *buf = joinbuf;
jpc_fix_t *srcptr;
@@ -778,7 +778,7 @@
int stride, int parity)
{
- int bufsize = JPC_CEILDIVPOW2(numrows, 1);
+ size_t bufsize = JPC_CEILDIVPOW2(numrows, 1);
jpc_fix_t joinbuf[QMFB_JOINBUFSIZE * JPC_QMFB_COLGRPSIZE];
jpc_fix_t *buf = joinbuf;
jpc_fix_t *srcptr;


@ -0,0 +1,14 @@
Description: CVE-2016-1577: Prevent double-free in jas_iccattrval_destroy()
Author: Tyler Hicks <tyhicks () canonical com>
Bug-Ubuntu: https://launchpad.net/bugs/1547865
--- jasper-1.900.1-debian1.orig/src/libjasper/base/jas_icc.c
+++ jasper-1.900.1-debian1/src/libjasper/base/jas_icc.c
@@ -300,6 +300,7 @@ jas_iccprof_t *jas_iccprof_load(jas_stre
if (jas_iccprof_setattr(prof, tagtabent->tag, attrval))
goto error;
jas_iccattrval_destroy(attrval);
+ attrval = 0;
} else {
#if 0
jas_eprintf("warning: skipping unknown tag type\n");


@ -0,0 +1,83 @@
diff -pru jasper-1.900.1.orig/src/libjasper/base/jas_image.c jasper-1.900.1/src/libjasper/base/jas_image.c
--- jasper-1.900.1.orig/src/libjasper/base/jas_image.c 2016-02-01 14:53:56.000000000 +0100
+++ jasper-1.900.1/src/libjasper/base/jas_image.c 2016-02-01 21:49:58.746006339 +0100
@@ -433,6 +433,10 @@ int jas_image_readcmpt(jas_image_t *imag
return -1;
}
+ if (!data->rows_) {
+ return -1;
+ }
+
if (jas_matrix_numrows(data) != height || jas_matrix_numcols(data) != width) {
if (jas_matrix_resize(data, height, width)) {
return -1;
@@ -486,6 +490,10 @@ int jas_image_writecmpt(jas_image_t *ima
return -1;
}
+ if (!data->rows_) {
+ return -1;
+ }
+
if (jas_matrix_numrows(data) != height || jas_matrix_numcols(data) != width) {
return -1;
}
diff -pru jasper-1.900.1.orig/src/libjasper/base/jas_seq.c jasper-1.900.1/src/libjasper/base/jas_seq.c
--- jasper-1.900.1.orig/src/libjasper/base/jas_seq.c 2016-02-01 14:53:56.000000000 +0100
+++ jasper-1.900.1/src/libjasper/base/jas_seq.c 2016-02-01 21:53:45.149193159 +0100
@@ -266,6 +266,10 @@ void jas_matrix_divpow2(jas_matrix_t *ma
int rowstep;
jas_seqent_t *data;
+ if (!matrix->rows_) {
+ return;
+ }
+
rowstep = jas_matrix_rowstep(matrix);
for (i = matrix->numrows_, rowstart = matrix->rows_[0]; i > 0; --i,
rowstart += rowstep) {
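Review bot: The guard tests the `rows_` pointer rather than the dimensions, so it does not explain or reject the state in which a matrix without a row table reaches this function. The loop initialiser still evaluates `matrix->rows_[0]` before `i > 0` is tested, so a matrix with `numrows_ == 0` and a non-NULL `rows_` still reads that slot; testing `matrix->numrows_ > 0` before the loop would cover both cases. The same applies to the jas_matrix_clip, jas_matrix_asr, jas_matrix_asl and jas_matrix_setall hunks. Because these functions return void, the early return is silent and the caller continues with unprocessed data, so a `jas_eprintf` warning at the guard would help triage.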
@@ -286,6 +290,10 @@ void jas_matrix_clip(jas_matrix_t *matri
jas_seqent_t *data;
int rowstep;
+ if (!matrix->rows_) {
+ return;
+ }
+
rowstep = jas_matrix_rowstep(matrix);
for (i = matrix->numrows_, rowstart = matrix->rows_[0]; i > 0; --i,
rowstart += rowstep) {
@@ -310,6 +318,10 @@ void jas_matrix_asr(jas_matrix_t *matrix
int rowstep;
jas_seqent_t *data;
+ if (!matrix->rows_) {
+ return;
+ }
+
assert(n >= 0);
rowstep = jas_matrix_rowstep(matrix);
for (i = matrix->numrows_, rowstart = matrix->rows_[0]; i > 0; --i,
@@ -329,6 +341,10 @@ void jas_matrix_asl(jas_matrix_t *matrix
int rowstep;
jas_seqent_t *data;
+ if (!matrix->rows_) {
+ return;
+ }
+
rowstep = jas_matrix_rowstep(matrix);
for (i = matrix->numrows_, rowstart = matrix->rows_[0]; i > 0; --i,
rowstart += rowstep) {
@@ -371,6 +387,10 @@ void jas_matrix_setall(jas_matrix_t *mat
int rowstep;
jas_seqent_t *data;
+ if (!matrix->rows_) {
+ return;
+ }
+
rowstep = jas_matrix_rowstep(matrix);
for (i = matrix->numrows_, rowstart = matrix->rows_[0]; i > 0; --i,
rowstart += rowstep) {


@ -0,0 +1,14 @@
Description: Prevent jas_stream_t memory leak in jas_iccprof_createfrombuf()
Author: Tyler Hicks <tyhicks () canonical com>
--- jasper-1.900.1-debian1.orig/src/libjasper/base/jas_icc.c
+++ jasper-1.900.1-debian1/src/libjasper/base/jas_icc.c
@@ -1693,6 +1693,8 @@ jas_iccprof_t *jas_iccprof_createfrombuf
jas_stream_close(in);
return prof;
error:
+ if (in)
+ jas_stream_close(in);
return 0;
}


@ -0,0 +1,928 @@
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2008-3520
OpenBSD jas_malloc hardening patches
diff -pruN jasper-1.900.1.orig/src/libjasper/base/jas_cm.c jasper-1.900.1/src/libjasper/base/jas_cm.c
--- jasper-1.900.1.orig/src/libjasper/base/jas_cm.c 2007-01-19 22:43:05.000000000 +0100
+++ jasper-1.900.1/src/libjasper/base/jas_cm.c 2009-10-22 10:27:45.000000000 +0200
@@ -704,8 +704,7 @@ static int jas_cmpxformseq_resize(jas_cm
{
jas_cmpxform_t **p;
assert(n >= pxformseq->numpxforms);
- p = (!pxformseq->pxforms) ? jas_malloc(n * sizeof(jas_cmpxform_t *)) :
- jas_realloc(pxformseq->pxforms, n * sizeof(jas_cmpxform_t *));
+ p = jas_realloc2(pxformseq->pxforms, n, sizeof(jas_cmpxform_t *));
if (!p) {
return -1;
}
@@ -889,13 +888,13 @@ static int jas_cmshapmatlut_set(jas_cmsh
jas_cmshapmatlut_cleanup(lut);
if (curv->numents == 0) {
lut->size = 2;
- if (!(lut->data = jas_malloc(lut->size * sizeof(jas_cmreal_t))))
+ if (!(lut->data = jas_alloc2(lut->size, sizeof(jas_cmreal_t))))
goto error;
lut->data[0] = 0.0;
lut->data[1] = 1.0;
} else if (curv->numents == 1) {
lut->size = 256;
- if (!(lut->data = jas_malloc(lut->size * sizeof(jas_cmreal_t))))
+ if (!(lut->data = jas_alloc2(lut->size, sizeof(jas_cmreal_t))))
goto error;
gamma = curv->ents[0] / 256.0;
for (i = 0; i < lut->size; ++i) {
@@ -903,7 +902,7 @@ static int jas_cmshapmatlut_set(jas_cmsh
}
} else {
lut->size = curv->numents;
- if (!(lut->data = jas_malloc(lut->size * sizeof(jas_cmreal_t))))
+ if (!(lut->data = jas_alloc2(lut->size, sizeof(jas_cmreal_t))))
goto error;
for (i = 0; i < lut->size; ++i) {
lut->data[i] = curv->ents[i] / 65535.0;
@@ -953,7 +952,7 @@ static int jas_cmshapmatlut_invert(jas_c
return -1;
}
}
- if (!(invlut->data = jas_malloc(n * sizeof(jas_cmreal_t))))
+ if (!(invlut->data = jas_alloc2(n, sizeof(jas_cmreal_t))))
return -1;
invlut->size = n;
for (i = 0; i < invlut->size; ++i) {
diff -pruN jasper-1.900.1.orig/src/libjasper/base/jas_icc.c jasper-1.900.1/src/libjasper/base/jas_icc.c
--- jasper-1.900.1.orig/src/libjasper/base/jas_icc.c 2007-01-19 22:43:05.000000000 +0100
+++ jasper-1.900.1/src/libjasper/base/jas_icc.c 2009-10-22 10:27:45.000000000 +0200
@@ -373,7 +373,7 @@ int jas_iccprof_save(jas_iccprof_t *prof
jas_icctagtab_t *tagtab;
tagtab = &prof->tagtab;
- if (!(tagtab->ents = jas_malloc(prof->attrtab->numattrs *
+ if (!(tagtab->ents = jas_alloc2(prof->attrtab->numattrs,
sizeof(jas_icctagtabent_t))))
goto error;
tagtab->numents = prof->attrtab->numattrs;
@@ -522,7 +522,7 @@ static int jas_iccprof_gettagtab(jas_str
}
if (jas_iccgetuint32(in, &tagtab->numents))
goto error;
- if (!(tagtab->ents = jas_malloc(tagtab->numents *
+ if (!(tagtab->ents = jas_alloc2(tagtab->numents,
sizeof(jas_icctagtabent_t))))
goto error;
tagtabent = tagtab->ents;
@@ -743,8 +743,7 @@ static int jas_iccattrtab_resize(jas_icc
{
jas_iccattr_t *newattrs;
assert(maxents >= tab->numattrs);
- newattrs = tab->attrs ? jas_realloc(tab->attrs, maxents *
- sizeof(jas_iccattr_t)) : jas_malloc(maxents * sizeof(jas_iccattr_t));
+ newattrs = jas_realloc2(tab->attrs, maxents, sizeof(jas_iccattr_t));
if (!newattrs)
return -1;
tab->attrs = newattrs;
@@ -999,7 +998,7 @@ static int jas_icccurv_input(jas_iccattr
if (jas_iccgetuint32(in, &curv->numents))
goto error;
- if (!(curv->ents = jas_malloc(curv->numents * sizeof(jas_iccuint16_t))))
+ if (!(curv->ents = jas_alloc2(curv->numents, sizeof(jas_iccuint16_t))))
goto error;
for (i = 0; i < curv->numents; ++i) {
if (jas_iccgetuint16(in, &curv->ents[i]))
@@ -1100,7 +1099,7 @@ static int jas_icctxtdesc_input(jas_icca
if (jas_iccgetuint32(in, &txtdesc->uclangcode) ||
jas_iccgetuint32(in, &txtdesc->uclen))
goto error;
- if (!(txtdesc->ucdata = jas_malloc(txtdesc->uclen * 2)))
+ if (!(txtdesc->ucdata = jas_alloc2(txtdesc->uclen, 2)))
goto error;
if (jas_stream_read(in, txtdesc->ucdata, txtdesc->uclen * 2) !=
JAS_CAST(int, txtdesc->uclen * 2))
@@ -1292,17 +1291,17 @@ static int jas_icclut8_input(jas_iccattr
jas_iccgetuint16(in, &lut8->numouttabents))
goto error;
clutsize = jas_iccpowi(lut8->clutlen, lut8->numinchans) * lut8->numoutchans;
- if (!(lut8->clut = jas_malloc(clutsize * sizeof(jas_iccuint8_t))) ||
- !(lut8->intabsbuf = jas_malloc(lut8->numinchans *
- lut8->numintabents * sizeof(jas_iccuint8_t))) ||
- !(lut8->intabs = jas_malloc(lut8->numinchans *
+ if (!(lut8->clut = jas_alloc2(clutsize, sizeof(jas_iccuint8_t))) ||
+ !(lut8->intabsbuf = jas_alloc3(lut8->numinchans,
+ lut8->numintabents, sizeof(jas_iccuint8_t))) ||
+ !(lut8->intabs = jas_alloc2(lut8->numinchans,
sizeof(jas_iccuint8_t *))))
goto error;
for (i = 0; i < lut8->numinchans; ++i)
lut8->intabs[i] = &lut8->intabsbuf[i * lut8->numintabents];
- if (!(lut8->outtabsbuf = jas_malloc(lut8->numoutchans *
- lut8->numouttabents * sizeof(jas_iccuint8_t))) ||
- !(lut8->outtabs = jas_malloc(lut8->numoutchans *
+ if (!(lut8->outtabsbuf = jas_alloc3(lut8->numoutchans,
+ lut8->numouttabents, sizeof(jas_iccuint8_t))) ||
+ !(lut8->outtabs = jas_alloc2(lut8->numoutchans,
sizeof(jas_iccuint8_t *))))
goto error;
for (i = 0; i < lut8->numoutchans; ++i)
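Review bot: `clutsize` is still computed as `jas_iccpowi(lut8->clutlen, lut8->numinchans) * lut8->numoutchans` before it reaches `jas_alloc2`, so an overflow in that product is invisible to the new size check. The factors appear to come from the profile being parsed, so the allocation can end up smaller than the table the later code expects. The power and the multiplication need their own range check before the allocation, for example rejecting the profile when an intermediate result exceeds a fixed limit. The jas_icclut16_input hunk has the same expression; the declaration of `clutsize` and the code that fills `clut` are outside the hunk.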
@@ -1461,17 +1460,17 @@ static int jas_icclut16_input(jas_iccatt
jas_iccgetuint16(in, &lut16->numouttabents))
goto error;
clutsize = jas_iccpowi(lut16->clutlen, lut16->numinchans) * lut16->numoutchans;
- if (!(lut16->clut = jas_malloc(clutsize * sizeof(jas_iccuint16_t))) ||
- !(lut16->intabsbuf = jas_malloc(lut16->numinchans *
- lut16->numintabents * sizeof(jas_iccuint16_t))) ||
- !(lut16->intabs = jas_malloc(lut16->numinchans *
+ if (!(lut16->clut = jas_alloc2(clutsize, sizeof(jas_iccuint16_t))) ||
+ !(lut16->intabsbuf = jas_alloc3(lut16->numinchans,
+ lut16->numintabents, sizeof(jas_iccuint16_t))) ||
+ !(lut16->intabs = jas_alloc2(lut16->numinchans,
sizeof(jas_iccuint16_t *))))
goto error;
for (i = 0; i < lut16->numinchans; ++i)
lut16->intabs[i] = &lut16->intabsbuf[i * lut16->numintabents];
- if (!(lut16->outtabsbuf = jas_malloc(lut16->numoutchans *
- lut16->numouttabents * sizeof(jas_iccuint16_t))) ||
- !(lut16->outtabs = jas_malloc(lut16->numoutchans *
+ if (!(lut16->outtabsbuf = jas_alloc3(lut16->numoutchans,
+ lut16->numouttabents, sizeof(jas_iccuint16_t))) ||
+ !(lut16->outtabs = jas_alloc2(lut16->numoutchans,
sizeof(jas_iccuint16_t *))))
goto error;
for (i = 0; i < lut16->numoutchans; ++i)
diff -pruN jasper-1.900.1.orig/src/libjasper/base/jas_image.c jasper-1.900.1/src/libjasper/base/jas_image.c
--- jasper-1.900.1.orig/src/libjasper/base/jas_image.c 2007-01-19 22:43:05.000000000 +0100
+++ jasper-1.900.1/src/libjasper/base/jas_image.c 2009-10-22 10:27:45.000000000 +0200
@@ -142,7 +142,7 @@ jas_image_t *jas_image_create(int numcmp
image->inmem_ = true;
/* Allocate memory for the per-component information. */
- if (!(image->cmpts_ = jas_malloc(image->maxcmpts_ *
+ if (!(image->cmpts_ = jas_alloc2(image->maxcmpts_,
sizeof(jas_image_cmpt_t *)))) {
jas_image_destroy(image);
return 0;
@@ -774,8 +774,7 @@ static int jas_image_growcmpts(jas_image
jas_image_cmpt_t **newcmpts;
int cmptno;
- newcmpts = (!image->cmpts_) ? jas_malloc(maxcmpts * sizeof(jas_image_cmpt_t *)) :
- jas_realloc(image->cmpts_, maxcmpts * sizeof(jas_image_cmpt_t *));
+ newcmpts = jas_realloc2(image->cmpts_, maxcmpts, sizeof(jas_image_cmpt_t *));
if (!newcmpts) {
return -1;
}
diff -pruN jasper-1.900.1.orig/src/libjasper/base/jas_malloc.c jasper-1.900.1/src/libjasper/base/jas_malloc.c
--- jasper-1.900.1.orig/src/libjasper/base/jas_malloc.c 2007-01-19 22:43:05.000000000 +0100
+++ jasper-1.900.1/src/libjasper/base/jas_malloc.c 2009-10-22 10:27:45.000000000 +0200
@@ -76,6 +76,9 @@
/* We need the prototype for memset. */
#include <string.h>
+#include <limits.h>
+#include <errno.h>
+#include <stdint.h>
#include "jasper/jas_malloc.h"
@@ -113,18 +116,50 @@ void jas_free(void *ptr)
void *jas_realloc(void *ptr, size_t size)
{
- return realloc(ptr, size);
+ return ptr ? realloc(ptr, size) : malloc(size);
}
-void *jas_calloc(size_t nmemb, size_t size)
+void *jas_realloc2(void *ptr, size_t nmemb, size_t size)
+{
+ if (!ptr)
+ return jas_alloc2(nmemb, size);
+ if (nmemb && SIZE_MAX / nmemb < size) {
+ errno = ENOMEM;
+ return NULL;
+ }
+ return jas_realloc(ptr, nmemb * size);
+
+}
+
+void *jas_alloc2(size_t nmemb, size_t size)
+{
+ if (nmemb && SIZE_MAX / nmemb < size) {
+ errno = ENOMEM;
+ return NULL;
+ }
+
+ return jas_malloc(nmemb * size);
+}
+
+void *jas_alloc3(size_t a, size_t b, size_t c)
{
- void *ptr;
size_t n;
- n = nmemb * size;
- if (!(ptr = jas_malloc(n * sizeof(char)))) {
- return 0;
+
+ if (a && SIZE_MAX / a < b) {
+ errno = ENOMEM;
+ return NULL;
}
- memset(ptr, 0, n);
+
+ return jas_alloc2(a*b, c);
+}
+
+void *jas_calloc(size_t nmemb, size_t size)
+{
+ void *ptr;
+
+ ptr = jas_alloc2(nmemb, size);
+ if (ptr)
+ memset(ptr, 0, nmemb*size);
return ptr;
}
diff -pruN jasper-1.900.1.orig/src/libjasper/base/jas_seq.c jasper-1.900.1/src/libjasper/base/jas_seq.c
--- jasper-1.900.1.orig/src/libjasper/base/jas_seq.c 2007-01-19 22:43:05.000000000 +0100
+++ jasper-1.900.1/src/libjasper/base/jas_seq.c 2009-10-22 10:27:45.000000000 +0200
@@ -114,7 +114,7 @@ jas_matrix_t *jas_matrix_create(int numr
matrix->datasize_ = numrows * numcols;
if (matrix->maxrows_ > 0) {
- if (!(matrix->rows_ = jas_malloc(matrix->maxrows_ *
+ if (!(matrix->rows_ = jas_alloc2(matrix->maxrows_,
sizeof(jas_seqent_t *)))) {
jas_matrix_destroy(matrix);
return 0;
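Review bot: `matrix->datasize_ = numrows * numcols;` in the context at the top of this hunk is an unchecked multiplication, so the overflow test inside `jas_alloc2` only sees the already wrapped value when `matrix->datasize_` is passed to it in the next hunk. A check before the assignment, such as `if (numrows < 0 || numcols < 0 || (numcols && numrows > INT_MAX / numcols)) return 0;`, would make the hardening effective here, assuming both parameters are `int` and that cleanup at that point matches the other failure paths. jas_matrix_create starts and ends outside the hunk.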
@@ -122,7 +122,7 @@ jas_matrix_t *jas_matrix_create(int numr
}
if (matrix->datasize_ > 0) {
- if (!(matrix->data_ = jas_malloc(matrix->datasize_ *
+ if (!(matrix->data_ = jas_alloc2(matrix->datasize_,
sizeof(jas_seqent_t)))) {
jas_matrix_destroy(matrix);
return 0;
@@ -220,7 +220,7 @@ void jas_matrix_bindsub(jas_matrix_t *ma
mat0->numrows_ = r1 - r0 + 1;
mat0->numcols_ = c1 - c0 + 1;
mat0->maxrows_ = mat0->numrows_;
- mat0->rows_ = jas_malloc(mat0->maxrows_ * sizeof(jas_seqent_t *));
+ mat0->rows_ = jas_alloc2(mat0->maxrows_, sizeof(jas_seqent_t *));
for (i = 0; i < mat0->numrows_; ++i) {
mat0->rows_[i] = mat1->rows_[r0 + i] + c0;
}
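Review bot: `mat0->rows_` is written in the loop directly after the allocation without a NULL test. `jas_alloc2` returns NULL on a size overflow as well as on allocation failure, so either case becomes a NULL dereference here. jas_matrix_bindsub returns void, so the smallest fix is a guard such as `if (!mat0->rows_) { mat0->numrows_ = mat0->maxrows_ = 0; return; }`. Reporting the failure to the caller would need a signature change that is beyond this patch.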
diff -pruN jasper-1.900.1.orig/src/libjasper/base/jas_stream.c jasper-1.900.1/src/libjasper/base/jas_stream.c
--- jasper-1.900.1.orig/src/libjasper/base/jas_stream.c 2007-01-19 22:43:05.000000000 +0100
+++ jasper-1.900.1/src/libjasper/base/jas_stream.c 2009-10-22 10:27:45.000000000 +0200
@@ -212,7 +212,7 @@ jas_stream_t *jas_stream_memopen(char *b
if (buf) {
obj->buf_ = (unsigned char *) buf;
} else {
- obj->buf_ = jas_malloc(obj->bufsize_ * sizeof(char));
+ obj->buf_ = jas_malloc(obj->bufsize_);
obj->myalloc_ = 1;
}
if (!obj->buf_) {
@@ -992,7 +992,7 @@ static int mem_resize(jas_stream_memobj_
unsigned char *buf;
assert(m->buf_);
- if (!(buf = jas_realloc(m->buf_, bufsize * sizeof(unsigned char)))) {
+ if (!(buf = jas_realloc(m->buf_, bufsize))) {
return -1;
}
m->buf_ = buf;
diff -pruN jasper-1.900.1.orig/src/libjasper/bmp/bmp_dec.c jasper-1.900.1/src/libjasper/bmp/bmp_dec.c
--- jasper-1.900.1.orig/src/libjasper/bmp/bmp_dec.c 2007-01-19 22:43:07.000000000 +0100
+++ jasper-1.900.1/src/libjasper/bmp/bmp_dec.c 2009-10-22 10:27:45.000000000 +0200
@@ -283,7 +283,7 @@ static bmp_info_t *bmp_getinfo(jas_strea
}
if (info->numcolors > 0) {
- if (!(info->palents = jas_malloc(info->numcolors *
+ if (!(info->palents = jas_alloc2(info->numcolors,
sizeof(bmp_palent_t)))) {
bmp_info_destroy(info);
return 0;
diff -pruN jasper-1.900.1.orig/src/libjasper/include/jasper/jas_malloc.h jasper-1.900.1/src/libjasper/include/jasper/jas_malloc.h
--- jasper-1.900.1.orig/src/libjasper/include/jasper/jas_malloc.h 2007-01-19 22:43:04.000000000 +0100
+++ jasper-1.900.1/src/libjasper/include/jasper/jas_malloc.h 2009-10-22 10:27:45.000000000 +0200
@@ -95,6 +95,9 @@ extern "C" {
#define jas_free MEMFREE
#define jas_realloc MEMREALLOC
#define jas_calloc MEMCALLOC
+#define jas_alloc2(a, b) MEMALLOC((a)*(b))
+#define jas_alloc3(a, b, c) MEMALLOC((a)*(b)*(c))
+#define jas_realloc2(p, a, b) MEMREALLOC((p), (a)*(b))
#endif
/******************************************************************************\
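Review bot: The three macros added to this preprocessor branch multiply their arguments with no overflow check, so in that build configuration `jas_alloc2`, `jas_alloc3` and `jas_realloc2` are as unchecked as the `jas_malloc(n * size)` calls this patch replaces. The prototypes added in the next hunk describe the functions as size-checked, so the two build modes disagree. Either drop the macros so the checked functions are used in every build, or mark the gap with a comment such as `/* NOTE: these macro forms do not check for overflow */`. The `#if` that guards this branch is outside the hunk.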
@@ -115,6 +118,12 @@ void *jas_realloc(void *ptr, size_t size
/* Allocate a block of memory and initialize the contents to zero. */
void *jas_calloc(size_t nmemb, size_t size);
+/* size-checked double allocation .*/
+void *jas_alloc2(size_t, size_t);
+
+void *jas_alloc3(size_t, size_t, size_t);
+
+void *jas_realloc2(void *, size_t, size_t);
#endif
#ifdef __cplusplus
diff -pruN jasper-1.900.1.orig/src/libjasper/jp2/jp2_cod.c jasper-1.900.1/src/libjasper/jp2/jp2_cod.c
--- jasper-1.900.1.orig/src/libjasper/jp2/jp2_cod.c 2007-01-19 22:43:05.000000000 +0100
+++ jasper-1.900.1/src/libjasper/jp2/jp2_cod.c 2009-10-22 10:30:24.000000000 +0200
@@ -247,7 +247,7 @@ jp2_box_t *jp2_box_get(jas_stream_t *in)
box = 0;
tmpstream = 0;
- if (!(box = jas_malloc(sizeof(jp2_box_t)))) {
+ if (!(box = jas_calloc(1, sizeof(jp2_box_t)))) {
goto error;
}
box->ops = &jp2_boxinfo_unk.ops;
@@ -372,7 +372,7 @@ static int jp2_bpcc_getdata(jp2_box_t *b
jp2_bpcc_t *bpcc = &box->data.bpcc;
unsigned int i;
bpcc->numcmpts = box->datalen;
- if (!(bpcc->bpcs = jas_malloc(bpcc->numcmpts * sizeof(uint_fast8_t)))) {
+ if (!(bpcc->bpcs = jas_alloc2(bpcc->numcmpts, sizeof(uint_fast8_t)))) {
return -1;
}
for (i = 0; i < bpcc->numcmpts; ++i) {
@@ -416,7 +416,7 @@ static int jp2_colr_getdata(jp2_box_t *b
break;
case JP2_COLR_ICC:
colr->iccplen = box->datalen - 3;
- if (!(colr->iccp = jas_malloc(colr->iccplen * sizeof(uint_fast8_t)))) {
+ if (!(colr->iccp = jas_alloc2(colr->iccplen, sizeof(uint_fast8_t)))) {
return -1;
}
if (jas_stream_read(in, colr->iccp, colr->iccplen) != colr->iccplen) {
@@ -453,7 +453,7 @@ static int jp2_cdef_getdata(jp2_box_t *b
if (jp2_getuint16(in, &cdef->numchans)) {
return -1;
}
- if (!(cdef->ents = jas_malloc(cdef->numchans * sizeof(jp2_cdefchan_t)))) {
+ if (!(cdef->ents = jas_alloc2(cdef->numchans, sizeof(jp2_cdefchan_t)))) {
return -1;
}
for (channo = 0; channo < cdef->numchans; ++channo) {
@@ -766,7 +766,7 @@ static int jp2_cmap_getdata(jp2_box_t *b
unsigned int i;
cmap->numchans = (box->datalen) / 4;
- if (!(cmap->ents = jas_malloc(cmap->numchans * sizeof(jp2_cmapent_t)))) {
+ if (!(cmap->ents = jas_alloc2(cmap->numchans, sizeof(jp2_cmapent_t)))) {
return -1;
}
for (i = 0; i < cmap->numchans; ++i) {
@@ -828,10 +828,10 @@ static int jp2_pclr_getdata(jp2_box_t *b
return -1;
}
lutsize = pclr->numlutents * pclr->numchans;
- if (!(pclr->lutdata = jas_malloc(lutsize * sizeof(int_fast32_t)))) {
+ if (!(pclr->lutdata = jas_alloc2(lutsize, sizeof(int_fast32_t)))) {
return -1;
}
- if (!(pclr->bpc = jas_malloc(pclr->numchans * sizeof(uint_fast8_t)))) {
+ if (!(pclr->bpc = jas_alloc2(pclr->numchans, sizeof(uint_fast8_t)))) {
return -1;
}
for (i = 0; i < pclr->numchans; ++i) {
diff -pruN jasper-1.900.1.orig/src/libjasper/jp2/jp2_dec.c jasper-1.900.1/src/libjasper/jp2/jp2_dec.c
--- jasper-1.900.1.orig/src/libjasper/jp2/jp2_dec.c 2007-01-19 22:43:05.000000000 +0100
+++ jasper-1.900.1/src/libjasper/jp2/jp2_dec.c 2009-10-22 10:27:45.000000000 +0200
@@ -336,7 +336,7 @@ jas_image_t *jp2_decode(jas_stream_t *in
}
/* Allocate space for the channel-number to component-number LUT. */
- if (!(dec->chantocmptlut = jas_malloc(dec->numchans * sizeof(uint_fast16_t)))) {
+ if (!(dec->chantocmptlut = jas_alloc2(dec->numchans, sizeof(uint_fast16_t)))) {
jas_eprintf("error: no memory\n");
goto error;
}
@@ -354,7 +354,7 @@ jas_image_t *jp2_decode(jas_stream_t *in
if (cmapent->map == JP2_CMAP_DIRECT) {
dec->chantocmptlut[channo] = channo;
} else if (cmapent->map == JP2_CMAP_PALETTE) {
- lutents = jas_malloc(pclrd->numlutents * sizeof(int_fast32_t));
+ lutents = jas_alloc2(pclrd->numlutents, sizeof(int_fast32_t));
for (i = 0; i < pclrd->numlutents; ++i) {
lutents[i] = pclrd->lutdata[cmapent->pcol + i * pclrd->numchans];
}
diff -pruN jasper-1.900.1.orig/src/libjasper/jp2/jp2_enc.c jasper-1.900.1/src/libjasper/jp2/jp2_enc.c
--- jasper-1.900.1.orig/src/libjasper/jp2/jp2_enc.c 2007-01-19 22:43:05.000000000 +0100
+++ jasper-1.900.1/src/libjasper/jp2/jp2_enc.c 2009-10-22 10:27:45.000000000 +0200
@@ -191,7 +191,7 @@ int sgnd;
}
bpcc = &box->data.bpcc;
bpcc->numcmpts = jas_image_numcmpts(image);
- if (!(bpcc->bpcs = jas_malloc(bpcc->numcmpts *
+ if (!(bpcc->bpcs = jas_alloc2(bpcc->numcmpts,
sizeof(uint_fast8_t)))) {
goto error;
}
@@ -285,7 +285,7 @@ int sgnd;
}
cdef = &box->data.cdef;
cdef->numchans = jas_image_numcmpts(image);
- cdef->ents = jas_malloc(cdef->numchans * sizeof(jp2_cdefchan_t));
+ cdef->ents = jas_alloc2(cdef->numchans, sizeof(jp2_cdefchan_t));
for (i = 0; i < jas_image_numcmpts(image); ++i) {
cdefchanent = &cdef->ents[i];
cdefchanent->channo = i;
diff -pruN jasper-1.900.1.orig/src/libjasper/jpc/jpc_cs.c jasper-1.900.1/src/libjasper/jpc/jpc_cs.c
--- jasper-1.900.1.orig/src/libjasper/jpc/jpc_cs.c 2009-10-22 09:58:16.000000000 +0200
+++ jasper-1.900.1/src/libjasper/jpc/jpc_cs.c 2009-10-22 10:27:45.000000000 +0200
@@ -502,7 +502,7 @@ static int jpc_siz_getparms(jpc_ms_t *ms
!siz->tileheight || !siz->numcomps) {
return -1;
}
- if (!(siz->comps = jas_malloc(siz->numcomps * sizeof(jpc_sizcomp_t)))) {
+ if (!(siz->comps = jas_alloc2(siz->numcomps, sizeof(jpc_sizcomp_t)))) {
return -1;
}
for (i = 0; i < siz->numcomps; ++i) {
@@ -986,7 +986,7 @@ static int jpc_qcx_getcompparms(jpc_qcxc
jpc_qcx_destroycompparms(compparms);
return -1;
} else if (compparms->numstepsizes > 0) {
- compparms->stepsizes = jas_malloc(compparms->numstepsizes *
+ compparms->stepsizes = jas_alloc2(compparms->numstepsizes,
sizeof(uint_fast16_t));
assert(compparms->stepsizes);
for (i = 0; i < compparms->numstepsizes; ++i) {
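Review bot: The only NULL check on `compparms->stepsizes` is `assert(compparms->stepsizes)`, which is compiled out under NDEBUG and aborts the process otherwise, so an allocation failure while parsing a codestream is either a NULL write in the following loop or a crash of the host application. An explicit test that mirrors the branch just above it would be safer: `if (!compparms->stepsizes) { jpc_qcx_destroycompparms(compparms); return -1; }`. The same assert-only check follows the converted allocations of `compinfos` in jpc_dec_process_sot, `siz->comps` in jpc_enc.c and `cblk->passes` in jpc_enc_enccblk. jpc_qcx_getcompparms continues outside the hunk.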
@@ -1094,7 +1094,7 @@ static int jpc_ppm_getparms(jpc_ms_t *ms
ppm->len = ms->len - 1;
if (ppm->len > 0) {
- if (!(ppm->data = jas_malloc(ppm->len * sizeof(unsigned char)))) {
+ if (!(ppm->data = jas_malloc(ppm->len))) {
goto error;
}
if (JAS_CAST(uint, jas_stream_read(in, ppm->data, ppm->len)) != ppm->len) {
@@ -1163,7 +1163,7 @@ static int jpc_ppt_getparms(jpc_ms_t *ms
}
ppt->len = ms->len - 1;
if (ppt->len > 0) {
- if (!(ppt->data = jas_malloc(ppt->len * sizeof(unsigned char)))) {
+ if (!(ppt->data = jas_malloc(ppt->len))) {
goto error;
}
if (jas_stream_read(in, (char *) ppt->data, ppt->len) != JAS_CAST(int, ppt->len)) {
@@ -1226,7 +1226,7 @@ static int jpc_poc_getparms(jpc_ms_t *ms
uint_fast8_t tmp;
poc->numpchgs = (cstate->numcomps > 256) ? (ms->len / 9) :
(ms->len / 7);
- if (!(poc->pchgs = jas_malloc(poc->numpchgs * sizeof(jpc_pocpchg_t)))) {
+ if (!(poc->pchgs = jas_alloc2(poc->numpchgs, sizeof(jpc_pocpchg_t)))) {
goto error;
}
for (pchgno = 0, pchg = poc->pchgs; pchgno < poc->numpchgs; ++pchgno,
@@ -1331,7 +1331,7 @@ static int jpc_crg_getparms(jpc_ms_t *ms
jpc_crgcomp_t *comp;
uint_fast16_t compno;
crg->numcomps = cstate->numcomps;
- if (!(crg->comps = jas_malloc(cstate->numcomps * sizeof(uint_fast16_t)))) {
+ if (!(crg->comps = jas_alloc2(cstate->numcomps, sizeof(uint_fast16_t)))) {
return -1;
}
for (compno = 0, comp = crg->comps; compno < cstate->numcomps;
@@ -1470,7 +1470,7 @@ static int jpc_unk_getparms(jpc_ms_t *ms
cstate = 0;
if (ms->len > 0) {
- if (!(unk->data = jas_malloc(ms->len * sizeof(unsigned char)))) {
+ if (!(unk->data = jas_malloc(ms->len))) {
return -1;
}
if (jas_stream_read(in, (char *) unk->data, ms->len) != JAS_CAST(int, ms->len)) {
diff -pruN jasper-1.900.1.orig/src/libjasper/jpc/jpc_dec.c jasper-1.900.1/src/libjasper/jpc/jpc_dec.c
--- jasper-1.900.1.orig/src/libjasper/jpc/jpc_dec.c 2009-10-22 09:58:16.000000000 +0200
+++ jasper-1.900.1/src/libjasper/jpc/jpc_dec.c 2009-10-22 10:30:50.000000000 +0200
@@ -449,7 +449,7 @@ static int jpc_dec_process_sot(jpc_dec_t
if (dec->state == JPC_MH) {
- compinfos = jas_malloc(dec->numcomps * sizeof(jas_image_cmptparm_t));
+ compinfos = jas_alloc2(dec->numcomps, sizeof(jas_image_cmptparm_t));
assert(compinfos);
for (cmptno = 0, cmpt = dec->cmpts, compinfo = compinfos;
cmptno < dec->numcomps; ++cmptno, ++cmpt, ++compinfo) {
@@ -692,7 +692,7 @@ static int jpc_dec_tileinit(jpc_dec_t *d
tile->realmode = 1;
}
tcomp->numrlvls = ccp->numrlvls;
- if (!(tcomp->rlvls = jas_malloc(tcomp->numrlvls *
+ if (!(tcomp->rlvls = jas_alloc2(tcomp->numrlvls,
sizeof(jpc_dec_rlvl_t)))) {
return -1;
}
@@ -764,7 +764,7 @@ rlvl->bands = 0;
rlvl->cbgheightexpn);
rlvl->numbands = (!rlvlno) ? 1 : 3;
- if (!(rlvl->bands = jas_malloc(rlvl->numbands *
+ if (!(rlvl->bands = jas_alloc2(rlvl->numbands,
sizeof(jpc_dec_band_t)))) {
return -1;
}
@@ -797,7 +797,7 @@ rlvl->bands = 0;
assert(rlvl->numprcs);
- if (!(band->prcs = jas_malloc(rlvl->numprcs * sizeof(jpc_dec_prc_t)))) {
+ if (!(band->prcs = jas_alloc2(rlvl->numprcs, sizeof(jpc_dec_prc_t)))) {
return -1;
}
@@ -834,7 +834,7 @@ rlvl->bands = 0;
if (!(prc->numimsbstagtree = jpc_tagtree_create(prc->numhcblks, prc->numvcblks))) {
return -1;
}
- if (!(prc->cblks = jas_malloc(prc->numcblks * sizeof(jpc_dec_cblk_t)))) {
+ if (!(prc->cblks = jas_alloc2(prc->numcblks, sizeof(jpc_dec_cblk_t)))) {
return -1;
}
@@ -1181,7 +1181,7 @@ static int jpc_dec_process_siz(jpc_dec_t
return -1;
}
- if (!(dec->cmpts = jas_malloc(dec->numcomps * sizeof(jpc_dec_cmpt_t)))) {
+ if (!(dec->cmpts = jas_alloc2(dec->numcomps, sizeof(jpc_dec_cmpt_t)))) {
return -1;
}
@@ -1204,7 +1204,7 @@ static int jpc_dec_process_siz(jpc_dec_t
dec->numhtiles = JPC_CEILDIV(dec->xend - dec->tilexoff, dec->tilewidth);
dec->numvtiles = JPC_CEILDIV(dec->yend - dec->tileyoff, dec->tileheight);
dec->numtiles = dec->numhtiles * dec->numvtiles;
- if (!(dec->tiles = jas_malloc(dec->numtiles * sizeof(jpc_dec_tile_t)))) {
+ if (!(dec->tiles = jas_calloc(dec->numtiles, sizeof(jpc_dec_tile_t)))) {
return -1;
}
@@ -1228,7 +1228,7 @@ static int jpc_dec_process_siz(jpc_dec_t
tile->pkthdrstreampos = 0;
tile->pptstab = 0;
tile->cp = 0;
- if (!(tile->tcomps = jas_malloc(dec->numcomps *
+ if (!(tile->tcomps = jas_calloc(dec->numcomps,
sizeof(jpc_dec_tcomp_t)))) {
return -1;
}
@@ -1489,7 +1489,7 @@ static jpc_dec_cp_t *jpc_dec_cp_create(u
cp->numlyrs = 0;
cp->mctid = 0;
cp->csty = 0;
- if (!(cp->ccps = jas_malloc(cp->numcomps * sizeof(jpc_dec_ccp_t)))) {
+ if (!(cp->ccps = jas_alloc2(cp->numcomps, sizeof(jpc_dec_ccp_t)))) {
return 0;
}
if (!(cp->pchglist = jpc_pchglist_create())) {
@@ -2048,7 +2048,7 @@ jpc_streamlist_t *jpc_streamlist_create(
}
streamlist->numstreams = 0;
streamlist->maxstreams = 100;
- if (!(streamlist->streams = jas_malloc(streamlist->maxstreams *
+ if (!(streamlist->streams = jas_alloc2(streamlist->maxstreams,
sizeof(jas_stream_t *)))) {
jas_free(streamlist);
return 0;
@@ -2068,8 +2068,8 @@ int jpc_streamlist_insert(jpc_streamlist
/* Grow the array of streams if necessary. */
if (streamlist->numstreams >= streamlist->maxstreams) {
newmaxstreams = streamlist->maxstreams + 1024;
- if (!(newstreams = jas_realloc(streamlist->streams,
- (newmaxstreams + 1024) * sizeof(jas_stream_t *)))) {
+ if (!(newstreams = jas_realloc2(streamlist->streams,
+ (newmaxstreams + 1024), sizeof(jas_stream_t *)))) {
return -1;
}
for (i = streamlist->numstreams; i < streamlist->maxstreams; ++i) {
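Review bot: The request is sized as `newmaxstreams + 1024` although `newmaxstreams` already includes the 1024-entry increment, so the array is grown by 2048 slots while, presumably, only `newmaxstreams` is recorded as the capacity (that assignment is outside the hunk). The over-allocation is harmless but the mismatch between the allocated and the recorded size is easy to misread; `jas_realloc2(streamlist->streams, newmaxstreams, sizeof(jas_stream_t *))` would make the two agree. The patch carried the expression over unchanged from the old `jas_realloc` call.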
@@ -2155,8 +2155,7 @@ int jpc_ppxstab_grow(jpc_ppxstab_t *tab,
{
jpc_ppxstabent_t **newents;
if (tab->maxents < maxents) {
- newents = (tab->ents) ? jas_realloc(tab->ents, maxents *
- sizeof(jpc_ppxstabent_t *)) : jas_malloc(maxents * sizeof(jpc_ppxstabent_t *));
+ newents = jas_realloc2(tab->ents, maxents, sizeof(jpc_ppxstabent_t *));
if (!newents) {
return -1;
}
diff -pruN jasper-1.900.1.orig/src/libjasper/jpc/jpc_enc.c jasper-1.900.1/src/libjasper/jpc/jpc_enc.c
--- jasper-1.900.1.orig/src/libjasper/jpc/jpc_enc.c 2007-01-19 22:43:07.000000000 +0100
+++ jasper-1.900.1/src/libjasper/jpc/jpc_enc.c 2009-10-22 10:27:45.000000000 +0200
@@ -403,7 +403,7 @@ static jpc_enc_cp_t *cp_create(char *opt
vsteplcm *= jas_image_cmptvstep(image, cmptno);
}
- if (!(cp->ccps = jas_malloc(cp->numcmpts * sizeof(jpc_enc_ccp_t)))) {
+ if (!(cp->ccps = jas_alloc2(cp->numcmpts, sizeof(jpc_enc_ccp_t)))) {
goto error;
}
for (cmptno = 0, ccp = cp->ccps; cmptno < JAS_CAST(int, cp->numcmpts); ++cmptno,
@@ -656,7 +656,7 @@ static jpc_enc_cp_t *cp_create(char *opt
if (ilyrrates && numilyrrates > 0) {
tcp->numlyrs = numilyrrates + 1;
- if (!(tcp->ilyrrates = jas_malloc((tcp->numlyrs - 1) *
+ if (!(tcp->ilyrrates = jas_alloc2((tcp->numlyrs - 1),
sizeof(jpc_fix_t)))) {
goto error;
}
@@ -940,7 +940,7 @@ startoff = jas_stream_getrwcount(enc->ou
siz->tilewidth = cp->tilewidth;
siz->tileheight = cp->tileheight;
siz->numcomps = cp->numcmpts;
- siz->comps = jas_malloc(siz->numcomps * sizeof(jpc_sizcomp_t));
+ siz->comps = jas_alloc2(siz->numcomps, sizeof(jpc_sizcomp_t));
assert(siz->comps);
for (i = 0; i < JAS_CAST(int, cp->numcmpts); ++i) {
siz->comps[i].prec = cp->ccps[i].prec;
@@ -977,7 +977,7 @@ startoff = jas_stream_getrwcount(enc->ou
return -1;
}
crg = &enc->mrk->parms.crg;
- crg->comps = jas_malloc(crg->numcomps * sizeof(jpc_crgcomp_t));
+ crg->comps = jas_alloc2(crg->numcomps, sizeof(jpc_crgcomp_t));
if (jpc_putms(enc->out, enc->cstate, enc->mrk)) {
jas_eprintf("cannot write CRG marker\n");
return -1;
@@ -1955,7 +1955,7 @@ jpc_enc_tile_t *jpc_enc_tile_create(jpc_
tile->mctid = cp->tcp.mctid;
tile->numlyrs = cp->tcp.numlyrs;
- if (!(tile->lyrsizes = jas_malloc(tile->numlyrs *
+ if (!(tile->lyrsizes = jas_alloc2(tile->numlyrs,
sizeof(uint_fast32_t)))) {
goto error;
}
@@ -1964,7 +1964,7 @@ jpc_enc_tile_t *jpc_enc_tile_create(jpc_
}
/* Allocate an array for the per-tile-component information. */
- if (!(tile->tcmpts = jas_malloc(cp->numcmpts * sizeof(jpc_enc_tcmpt_t)))) {
+ if (!(tile->tcmpts = jas_alloc2(cp->numcmpts, sizeof(jpc_enc_tcmpt_t)))) {
goto error;
}
/* Initialize a few members critical for error recovery. */
@@ -2110,7 +2110,7 @@ static jpc_enc_tcmpt_t *tcmpt_create(jpc
jas_seq2d_ystart(tcmpt->data), jas_seq2d_xend(tcmpt->data),
jas_seq2d_yend(tcmpt->data), bandinfos);
- if (!(tcmpt->rlvls = jas_malloc(tcmpt->numrlvls * sizeof(jpc_enc_rlvl_t)))) {
+ if (!(tcmpt->rlvls = jas_alloc2(tcmpt->numrlvls, sizeof(jpc_enc_rlvl_t)))) {
goto error;
}
for (rlvlno = 0, rlvl = tcmpt->rlvls; rlvlno < tcmpt->numrlvls;
@@ -2213,7 +2213,7 @@ static jpc_enc_rlvl_t *rlvl_create(jpc_e
rlvl->numvprcs = JPC_FLOORDIVPOW2(brprcbry - tlprctly, rlvl->prcheightexpn);
rlvl->numprcs = rlvl->numhprcs * rlvl->numvprcs;
- if (!(rlvl->bands = jas_malloc(rlvl->numbands * sizeof(jpc_enc_band_t)))) {
+ if (!(rlvl->bands = jas_alloc2(rlvl->numbands, sizeof(jpc_enc_band_t)))) {
goto error;
}
for (bandno = 0, band = rlvl->bands; bandno < rlvl->numbands;
@@ -2290,7 +2290,7 @@ if (bandinfo->xstart != bandinfo->xend &
band->synweight = bandinfo->synenergywt;
if (band->data) {
- if (!(band->prcs = jas_malloc(rlvl->numprcs * sizeof(jpc_enc_prc_t)))) {
+ if (!(band->prcs = jas_alloc2(rlvl->numprcs, sizeof(jpc_enc_prc_t)))) {
goto error;
}
for (prcno = 0, prc = band->prcs; prcno < rlvl->numprcs; ++prcno,
@@ -2422,7 +2422,7 @@ if (!rlvlno) {
goto error;
}
- if (!(prc->cblks = jas_malloc(prc->numcblks * sizeof(jpc_enc_cblk_t)))) {
+ if (!(prc->cblks = jas_alloc2(prc->numcblks, sizeof(jpc_enc_cblk_t)))) {
goto error;
}
for (cblkno = 0, cblk = prc->cblks; cblkno < prc->numcblks;
diff -pruN jasper-1.900.1.orig/src/libjasper/jpc/jpc_mqdec.c jasper-1.900.1/src/libjasper/jpc/jpc_mqdec.c
--- jasper-1.900.1.orig/src/libjasper/jpc/jpc_mqdec.c 2007-01-19 22:43:07.000000000 +0100
+++ jasper-1.900.1/src/libjasper/jpc/jpc_mqdec.c 2009-10-22 10:27:45.000000000 +0200
@@ -118,7 +118,7 @@ jpc_mqdec_t *jpc_mqdec_create(int maxctx
mqdec->in = in;
mqdec->maxctxs = maxctxs;
/* Allocate memory for the per-context state information. */
- if (!(mqdec->ctxs = jas_malloc(mqdec->maxctxs * sizeof(jpc_mqstate_t *)))) {
+ if (!(mqdec->ctxs = jas_alloc2(mqdec->maxctxs, sizeof(jpc_mqstate_t *)))) {
goto error;
}
/* Set the current context to the first context. */
diff -pruN jasper-1.900.1.orig/src/libjasper/jpc/jpc_mqenc.c jasper-1.900.1/src/libjasper/jpc/jpc_mqenc.c
--- jasper-1.900.1.orig/src/libjasper/jpc/jpc_mqenc.c 2007-01-19 22:43:07.000000000 +0100
+++ jasper-1.900.1/src/libjasper/jpc/jpc_mqenc.c 2009-10-22 10:27:45.000000000 +0200
@@ -197,7 +197,7 @@ jpc_mqenc_t *jpc_mqenc_create(int maxctx
mqenc->maxctxs = maxctxs;
/* Allocate memory for the per-context state information. */
- if (!(mqenc->ctxs = jas_malloc(mqenc->maxctxs * sizeof(jpc_mqstate_t *)))) {
+ if (!(mqenc->ctxs = jas_alloc2(mqenc->maxctxs, sizeof(jpc_mqstate_t *)))) {
goto error;
}
diff -pruN jasper-1.900.1.orig/src/libjasper/jpc/jpc_qmfb.c jasper-1.900.1/src/libjasper/jpc/jpc_qmfb.c
--- jasper-1.900.1.orig/src/libjasper/jpc/jpc_qmfb.c 2007-01-19 22:43:07.000000000 +0100
+++ jasper-1.900.1/src/libjasper/jpc/jpc_qmfb.c 2009-10-22 10:27:45.000000000 +0200
@@ -321,7 +321,7 @@ void jpc_qmfb_split_row(jpc_fix_t *a, in
#if !defined(HAVE_VLA)
/* Get a buffer. */
if (bufsize > QMFB_SPLITBUFSIZE) {
- if (!(buf = jas_malloc(bufsize * sizeof(jpc_fix_t)))) {
+ if (!(buf = jas_alloc2(bufsize, sizeof(jpc_fix_t)))) {
/* We have no choice but to commit suicide in this case. */
abort();
}
@@ -389,7 +389,7 @@ void jpc_qmfb_split_col(jpc_fix_t *a, in
#if !defined(HAVE_VLA)
/* Get a buffer. */
if (bufsize > QMFB_SPLITBUFSIZE) {
- if (!(buf = jas_malloc(bufsize * sizeof(jpc_fix_t)))) {
+ if (!(buf = jas_alloc2(bufsize, sizeof(jpc_fix_t)))) {
/* We have no choice but to commit suicide in this case. */
abort();
}
@@ -460,7 +460,7 @@ void jpc_qmfb_split_colgrp(jpc_fix_t *a,
#if !defined(HAVE_VLA)
/* Get a buffer. */
if (bufsize > QMFB_SPLITBUFSIZE) {
- if (!(buf = jas_malloc(bufsize * sizeof(jpc_fix_t)))) {
+ if (!(buf = jas_alloc2(bufsize, sizeof(jpc_fix_t)))) {
/* We have no choice but to commit suicide in this case. */
abort();
}
@@ -549,7 +549,7 @@ void jpc_qmfb_split_colres(jpc_fix_t *a,
#if !defined(HAVE_VLA)
/* Get a buffer. */
if (bufsize > QMFB_SPLITBUFSIZE) {
- if (!(buf = jas_malloc(bufsize * sizeof(jpc_fix_t)))) {
+ if (!(buf = jas_alloc2(bufsize, sizeof(jpc_fix_t)))) {
/* We have no choice but to commit suicide in this case. */
abort();
}
@@ -633,7 +633,7 @@ void jpc_qmfb_join_row(jpc_fix_t *a, int
#if !defined(HAVE_VLA)
/* Allocate memory for the join buffer from the heap. */
if (bufsize > QMFB_JOINBUFSIZE) {
- if (!(buf = jas_malloc(bufsize * sizeof(jpc_fix_t)))) {
+ if (!(buf = jas_alloc2(bufsize, sizeof(jpc_fix_t)))) {
/* We have no choice but to commit suicide. */
abort();
}
@@ -698,7 +698,7 @@ void jpc_qmfb_join_col(jpc_fix_t *a, int
#if !defined(HAVE_VLA)
/* Allocate memory for the join buffer from the heap. */
if (bufsize > QMFB_JOINBUFSIZE) {
- if (!(buf = jas_malloc(bufsize * sizeof(jpc_fix_t)))) {
+ if (!(buf = jas_alloc2(bufsize, sizeof(jpc_fix_t)))) {
/* We have no choice but to commit suicide. */
abort();
}
@@ -766,7 +766,7 @@ void jpc_qmfb_join_colgrp(jpc_fix_t *a,
#if !defined(HAVE_VLA)
/* Allocate memory for the join buffer from the heap. */
if (bufsize > QMFB_JOINBUFSIZE) {
- if (!(buf = jas_malloc(bufsize * JPC_QMFB_COLGRPSIZE * sizeof(jpc_fix_t)))) {
+ if (!(buf = jas_alloc2(bufsize, JPC_QMFB_COLGRPSIZE * sizeof(jpc_fix_t)))) {
/* We have no choice but to commit suicide. */
abort();
}
@@ -852,7 +852,7 @@ void jpc_qmfb_join_colres(jpc_fix_t *a,
#if !defined(HAVE_VLA)
/* Allocate memory for the join buffer from the heap. */
if (bufsize > QMFB_JOINBUFSIZE) {
- if (!(buf = jas_malloc(bufsize * numcols * sizeof(jpc_fix_t)))) {
+ if (!(buf = jas_alloc3(bufsize, numcols, sizeof(jpc_fix_t)))) {
/* We have no choice but to commit suicide. */
abort();
}
diff -pruN jasper-1.900.1.orig/src/libjasper/jpc/jpc_t1enc.c jasper-1.900.1/src/libjasper/jpc/jpc_t1enc.c
--- jasper-1.900.1.orig/src/libjasper/jpc/jpc_t1enc.c 2007-01-19 22:43:07.000000000 +0100
+++ jasper-1.900.1/src/libjasper/jpc/jpc_t1enc.c 2009-10-22 10:27:45.000000000 +0200
@@ -219,7 +219,7 @@ int jpc_enc_enccblk(jpc_enc_t *enc, jas_
cblk->numpasses = (cblk->numbps > 0) ? (3 * cblk->numbps - 2) : 0;
if (cblk->numpasses > 0) {
- cblk->passes = jas_malloc(cblk->numpasses * sizeof(jpc_enc_pass_t));
+ cblk->passes = jas_alloc2(cblk->numpasses, sizeof(jpc_enc_pass_t));
assert(cblk->passes);
} else {
cblk->passes = 0;
diff -pruN jasper-1.900.1.orig/src/libjasper/jpc/jpc_t2cod.c jasper-1.900.1/src/libjasper/jpc/jpc_t2cod.c
--- jasper-1.900.1.orig/src/libjasper/jpc/jpc_t2cod.c 2007-01-19 22:43:07.000000000 +0100
+++ jasper-1.900.1/src/libjasper/jpc/jpc_t2cod.c 2009-10-22 10:27:45.000000000 +0200
@@ -573,7 +573,7 @@ int jpc_pchglist_insert(jpc_pchglist_t *
}
if (pchglist->numpchgs >= pchglist->maxpchgs) {
newmaxpchgs = pchglist->maxpchgs + 128;
- if (!(newpchgs = jas_realloc(pchglist->pchgs, newmaxpchgs * sizeof(jpc_pchg_t *)))) {
+ if (!(newpchgs = jas_realloc2(pchglist->pchgs, newmaxpchgs, sizeof(jpc_pchg_t *)))) {
return -1;
}
pchglist->maxpchgs = newmaxpchgs;
diff -pruN jasper-1.900.1.orig/src/libjasper/jpc/jpc_t2dec.c jasper-1.900.1/src/libjasper/jpc/jpc_t2dec.c
--- jasper-1.900.1.orig/src/libjasper/jpc/jpc_t2dec.c 2007-01-19 22:43:07.000000000 +0100
+++ jasper-1.900.1/src/libjasper/jpc/jpc_t2dec.c 2009-10-22 10:27:45.000000000 +0200
@@ -478,7 +478,7 @@ jpc_pi_t *jpc_dec_pi_create(jpc_dec_t *d
return 0;
}
pi->numcomps = dec->numcomps;
- if (!(pi->picomps = jas_malloc(pi->numcomps * sizeof(jpc_picomp_t)))) {
+ if (!(pi->picomps = jas_alloc2(pi->numcomps, sizeof(jpc_picomp_t)))) {
jpc_pi_destroy(pi);
return 0;
}
@@ -490,7 +490,7 @@ jpc_pi_t *jpc_dec_pi_create(jpc_dec_t *d
for (compno = 0, tcomp = tile->tcomps, picomp = pi->picomps;
compno < pi->numcomps; ++compno, ++tcomp, ++picomp) {
picomp->numrlvls = tcomp->numrlvls;
- if (!(picomp->pirlvls = jas_malloc(picomp->numrlvls *
+ if (!(picomp->pirlvls = jas_alloc2(picomp->numrlvls,
sizeof(jpc_pirlvl_t)))) {
jpc_pi_destroy(pi);
return 0;
@@ -503,7 +503,7 @@ jpc_pi_t *jpc_dec_pi_create(jpc_dec_t *d
rlvlno < picomp->numrlvls; ++rlvlno, ++pirlvl, ++rlvl) {
/* XXX sizeof(long) should be sizeof different type */
pirlvl->numprcs = rlvl->numprcs;
- if (!(pirlvl->prclyrnos = jas_malloc(pirlvl->numprcs *
+ if (!(pirlvl->prclyrnos = jas_alloc2(pirlvl->numprcs,
sizeof(long)))) {
jpc_pi_destroy(pi);
return 0;
diff -pruN jasper-1.900.1.orig/src/libjasper/jpc/jpc_t2enc.c jasper-1.900.1/src/libjasper/jpc/jpc_t2enc.c
--- jasper-1.900.1.orig/src/libjasper/jpc/jpc_t2enc.c 2007-01-19 22:43:07.000000000 +0100
+++ jasper-1.900.1/src/libjasper/jpc/jpc_t2enc.c 2009-10-22 10:27:45.000000000 +0200
@@ -565,7 +565,7 @@ jpc_pi_t *jpc_enc_pi_create(jpc_enc_cp_t
}
pi->pktno = -1;
pi->numcomps = cp->numcmpts;
- if (!(pi->picomps = jas_malloc(pi->numcomps * sizeof(jpc_picomp_t)))) {
+ if (!(pi->picomps = jas_alloc2(pi->numcomps, sizeof(jpc_picomp_t)))) {
jpc_pi_destroy(pi);
return 0;
}
@@ -577,7 +577,7 @@ jpc_pi_t *jpc_enc_pi_create(jpc_enc_cp_t
for (compno = 0, tcomp = tile->tcmpts, picomp = pi->picomps;
compno < pi->numcomps; ++compno, ++tcomp, ++picomp) {
picomp->numrlvls = tcomp->numrlvls;
- if (!(picomp->pirlvls = jas_malloc(picomp->numrlvls *
+ if (!(picomp->pirlvls = jas_alloc2(picomp->numrlvls,
sizeof(jpc_pirlvl_t)))) {
jpc_pi_destroy(pi);
return 0;
@@ -591,7 +591,7 @@ jpc_pi_t *jpc_enc_pi_create(jpc_enc_cp_t
/* XXX sizeof(long) should be sizeof different type */
pirlvl->numprcs = rlvl->numprcs;
if (rlvl->numprcs) {
- if (!(pirlvl->prclyrnos = jas_malloc(pirlvl->numprcs *
+ if (!(pirlvl->prclyrnos = jas_alloc2(pirlvl->numprcs,
sizeof(long)))) {
jpc_pi_destroy(pi);
return 0;
diff -pruN jasper-1.900.1.orig/src/libjasper/jpc/jpc_tagtree.c jasper-1.900.1/src/libjasper/jpc/jpc_tagtree.c
--- jasper-1.900.1.orig/src/libjasper/jpc/jpc_tagtree.c 2007-01-19 22:43:07.000000000 +0100
+++ jasper-1.900.1/src/libjasper/jpc/jpc_tagtree.c 2009-10-22 10:27:45.000000000 +0200
@@ -125,7 +125,7 @@ jpc_tagtree_t *jpc_tagtree_create(int nu
++numlvls;
} while (n > 1);
- if (!(tree->nodes_ = jas_malloc(tree->numnodes_ * sizeof(jpc_tagtreenode_t)))) {
+ if (!(tree->nodes_ = jas_alloc2(tree->numnodes_, sizeof(jpc_tagtreenode_t)))) {
return 0;
}
diff -pruN jasper-1.900.1.orig/src/libjasper/jpc/jpc_util.c jasper-1.900.1/src/libjasper/jpc/jpc_util.c
--- jasper-1.900.1.orig/src/libjasper/jpc/jpc_util.c 2007-01-19 22:43:07.000000000 +0100
+++ jasper-1.900.1/src/libjasper/jpc/jpc_util.c 2009-10-22 10:27:45.000000000 +0200
@@ -109,7 +109,7 @@ int jpc_atoaf(char *s, int *numvalues, d
}
if (n) {
- if (!(vs = jas_malloc(n * sizeof(double)))) {
+ if (!(vs = jas_alloc2(n, sizeof(double)))) {
return -1;
}
diff -pruN jasper-1.900.1.orig/src/libjasper/mif/mif_cod.c jasper-1.900.1/src/libjasper/mif/mif_cod.c
--- jasper-1.900.1.orig/src/libjasper/mif/mif_cod.c 2007-01-19 22:43:05.000000000 +0100
+++ jasper-1.900.1/src/libjasper/mif/mif_cod.c 2009-10-22 10:27:45.000000000 +0200
@@ -438,8 +438,7 @@ static int mif_hdr_growcmpts(mif_hdr_t *
int cmptno;
mif_cmpt_t **newcmpts;
assert(maxcmpts >= hdr->numcmpts);
- newcmpts = (!hdr->cmpts) ? jas_malloc(maxcmpts * sizeof(mif_cmpt_t *)) :
- jas_realloc(hdr->cmpts, maxcmpts * sizeof(mif_cmpt_t *));
+ newcmpts = jas_realloc2(hdr->cmpts, maxcmpts, sizeof(mif_cmpt_t *));
if (!newcmpts) {
return -1;
}


@ -0,0 +1,14 @@
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2008-3522
diff -pruN jasper-1.900.1.orig/src/libjasper/base/jas_stream.c jasper-1.900.1/src/libjasper/base/jas_stream.c
--- jasper-1.900.1.orig/src/libjasper/base/jas_stream.c 2009-10-22 10:27:45.000000000 +0200
+++ jasper-1.900.1/src/libjasper/base/jas_stream.c 2009-10-22 10:35:53.000000000 +0200
@@ -553,7 +553,7 @@ int jas_stream_printf(jas_stream_t *stre
int ret;
va_start(ap, fmt);
- ret = vsprintf(buf, fmt, ap);
+ ret = vsnprintf(buf, sizeof buf, fmt, ap);
jas_stream_puts(stream, buf);
va_end(ap);
return ret;
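Review bot: On truncation vsnprintf returns the length the full output would have had, so `ret` can exceed what jas_stream_puts actually wrote, and a negative `ret` from a formatting error is returned only after `buf` has already been written to the stream. Callers that treat the return value as a byte count would be misled. Consider handling both cases right after the call, e.g. `if (ret < 0) { va_end(ap); return -1; }` followed by `if ((size_t)ret >= sizeof buf) ret = sizeof buf - 1;`. This assumes `buf` is a local array, since its declaration is above the hunk.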


@ -0,0 +1,25 @@
diff -up src/libjasper/jpc/jpc_cs.c.orig-725758 src/libjasper/jpc/jpc_cs.c
--- ./src/libjasper/jpc/jpc_cs.c.orig-725758 2011-12-12 18:36:53.772117206 +0100
+++ ./src/libjasper/jpc/jpc_cs.c 2011-12-12 18:36:12.805999375 +0100
@@ -744,6 +744,12 @@ static int jpc_cox_getcompparms(jpc_ms_t
return -1;
}
compparms->numrlvls = compparms->numdlvls + 1;
+ if (compparms->numrlvls > JPC_MAXRLVLS) {
+ compparms->numrlvls = 0;
+ jpc_cox_destroycompparms(compparms);
+ return -1;
+ }
+
if (prtflag) {
for (i = 0; i < compparms->numrlvls; ++i) {
if (jpc_getuint8(in, &tmp)) {
@@ -1331,7 +1337,7 @@ static int jpc_crg_getparms(jpc_ms_t *ms
jpc_crgcomp_t *comp;
uint_fast16_t compno;
crg->numcomps = cstate->numcomps;
- if (!(crg->comps = jas_alloc2(cstate->numcomps, sizeof(uint_fast16_t)))) {
+ if (!(crg->comps = jas_alloc2(cstate->numcomps, sizeof(jpc_crgcomp_t)))) {
return -1;
}
for (compno = 0, comp = crg->comps; compno < cstate->numcomps;
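Review bot: The element type is still spelled out by hand, and a hand-written type is what allowed the `uint_fast16_t` / `jpc_crgcomp_t` mismatch corrected here. Taking the size from the destination, `jas_alloc2(cstate->numcomps, sizeof *crg->comps)`, keeps the allocation in step with the declared type of `crg->comps` if it changes. The `sizeof(long)` allocations for `prclyrnos` in jpc_dec_pi_create and jpc_enc_pi_create, which carry an XXX comment about the type, would benefit from the same form. jpc_crg_getparms continues outside the hunk.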


@ -0,0 +1,18 @@
diff -urN jasper-1.900.1/src/libjasper/jpc/jpc_dec.c jasper-1.900.1-fix/src/libjasper/jpc/jpc_dec.c
--- jasper-1.900.1/src/libjasper/jpc/jpc_dec.c 2007-01-19 14:43:07.000000000 -0700
+++ jasper-1.900.1-fix/src/libjasper/jpc/jpc_dec.c 2008-03-06 16:51:12.000000000 -0700
@@ -1069,12 +1069,12 @@
/* Apply an inverse intercomponent transform if necessary. */
switch (tile->cp->mctid) {
case JPC_MCT_RCT:
- assert(dec->numcomps == 3);
+ assert(dec->numcomps >= 3);
jpc_irct(tile->tcomps[0].data, tile->tcomps[1].data,
tile->tcomps[2].data);
break;
case JPC_MCT_ICT:
- assert(dec->numcomps == 3);
+ assert(dec->numcomps >= 3);
jpc_iict(tile->tcomps[0].data, tile->tcomps[1].data,
tile->tcomps[2].data);
break;
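Review bot: Both `assert(dec->numcomps >= 3)` lines are the only guard in front of the `tile->tcomps[2]` accesses, and assert is removed under NDEBUG, so in a release build a codestream that selects a multi-component transform with fewer than three components would index past the component array. In a debug build the same input aborts the host process. The component count comes from the file being decoded, so it should be validated with a real check and an error return, e.g. `if (dec->numcomps < 3) { jas_eprintf("error: MCT requires at least three components\n"); return -1; }`. The enclosing function and its return convention are outside the hunk, so the return value needs confirming.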


@ -0,0 +1,14 @@
--- jasper-1.900.1.orig/src/libjasper/jpc/jpc_cs.c 2007-01-19 22:43:07.000000000 +0100
+++ jasper-1.900.1/src/libjasper/jpc/jpc_cs.c 2007-04-06 01:29:02.000000000 +0200
@@ -982,7 +982,10 @@ static int jpc_qcx_getcompparms(jpc_qcxc
compparms->numstepsizes = (len - n) / 2;
break;
}
- if (compparms->numstepsizes > 0) {
+ if (compparms->numstepsizes > 3 * JPC_MAXRLVLS + 1) {
+ jpc_qcx_destroycompparms(compparms);
+ return -1;
+ } else if (compparms->numstepsizes > 0) {
compparms->stepsizes = jas_malloc(compparms->numstepsizes *
sizeof(uint_fast16_t));
assert(compparms->stepsizes);


@ -0,0 +1,14 @@
jpc_dec.c.patch
libjasper-stepsizes-overflow.patch
jasper-1.900.1-CVE-2008-3520.patch
jasper-1.900.1-CVE-2008-3522.patch
jasper-1.900.1-bnc725758.patch
CVE-2014-8137.patch
CVE-2014-8138.patch
CVE-2014-8157.patch
CVE-2014-8158.patch
CVE-2014-9029.patch
CVE-2015-5203.patch
CVE-2016-1577.patch
CVE-2016-2089.patch
CVE-2016-2116.patch


@ -1,7 +1,7 @@
# Template build file for 'jasper'.
pkgname=jasper
version=1.900.1
revision=9
revision=10
build_style=gnu-configure
configure_args="--enable-shared --disable-static --without-x --disable-opengl"
hostmakedepends="unzip"
@ -12,6 +12,7 @@ homepage="http://www.ece.uvic.ca/~mdadams/jasper"
license="JasPer-2.0"
distfiles="http://www.ece.uvic.ca/~mdadams/jasper/software/jasper-${version}.zip"
checksum=6b905a9c2aca2e275544212666eefc4eb44d95d0a57e4305457b407fe63f9494
patch_args="-Np1"
post_install() {
vlicense LICENSE