4c035183ea
CVE-2008-3520 CVE-2008-3522 CVE-2014-8137 CVE-2014-8138 CVE-2014-8157 CVE-2014-8158 CVE-2014-9029 CVE-2015-5203 CVE-2016-1577 CVE-2016-2089 CVE-2016-2116
198 lines
6.4 KiB
Diff
198 lines
6.4 KiB
Diff
From a0ad33bedb339e4f9f35f9637a976320ec81f508 Mon Sep 17 00:00:00 2001
|
|
From: mancha <mancha1 AT zoho DOT com>
|
|
Date: Mon, 17 Aug 2015
|
|
Subject: CVE-2015-5203
|
|
|
|
Prevent integer conversion errors.
|
|
|
|
jasper is vulnerable to integer conversion errors that can be leveraged,
|
|
via crafted input, to trigger faults such as double free's. This patch
|
|
addresses that by using size_t for buffer sizes.
|
|
|
|
---
|
|
src/libjasper/base/jas_stream.c | 10 +++++-----
|
|
src/libjasper/include/jasper/jas_stream.h | 8 ++++----
|
|
src/libjasper/jpc/jpc_qmfb.c | 16 ++++++++--------
|
|
src/libjasper/mif/mif_cod.c | 4 ++--
|
|
4 files changed, 19 insertions(+), 19 deletions(-)
|
|
|
|
--- a/src/libjasper/include/jasper/jas_stream.h
|
|
+++ b/src/libjasper/include/jasper/jas_stream.h
|
|
@@ -215,7 +215,7 @@ typedef struct {
|
|
uchar *bufstart_;
|
|
|
|
/* The buffer size. */
|
|
- int bufsize_;
|
|
+ size_t bufsize_;
|
|
|
|
/* The current position in the buffer. */
|
|
uchar *ptr_;
|
|
@@ -267,7 +267,7 @@ typedef struct {
|
|
uchar *buf_;
|
|
|
|
/* The allocated size of the buffer for holding file data. */
|
|
- int bufsize_;
|
|
+ size_t bufsize_;
|
|
|
|
/* The length of the file. */
|
|
int_fast32_t len_;
|
|
@@ -291,7 +291,7 @@ typedef struct {
|
|
jas_stream_t *jas_stream_fopen(const char *filename, const char *mode);
|
|
|
|
/* Open a memory buffer as a stream. */
|
|
-jas_stream_t *jas_stream_memopen(char *buf, int bufsize);
|
|
+jas_stream_t *jas_stream_memopen(char *buf, size_t bufsize);
|
|
|
|
/* Open a file descriptor as a stream. */
|
|
jas_stream_t *jas_stream_fdopen(int fd, const char *mode);
|
|
@@ -366,7 +366,7 @@ int jas_stream_printf(jas_stream_t *stre
|
|
int jas_stream_puts(jas_stream_t *stream, const char *s);
|
|
|
|
/* Read a line of input from a stream. */
|
|
-char *jas_stream_gets(jas_stream_t *stream, char *buf, int bufsize);
|
|
+char *jas_stream_gets(jas_stream_t *stream, char *buf, size_t bufsize);
|
|
|
|
/* Look at the next character to be read from a stream without actually
|
|
removing it from the stream. */
|
|
--- a/src/libjasper/base/jas_stream.c
|
|
+++ b/src/libjasper/base/jas_stream.c
|
|
@@ -99,7 +99,7 @@ static int jas_strtoopenmode(const char
|
|
static void jas_stream_destroy(jas_stream_t *stream);
|
|
static jas_stream_t *jas_stream_create(void);
|
|
static void jas_stream_initbuf(jas_stream_t *stream, int bufmode, char *buf,
|
|
- int bufsize);
|
|
+ size_t bufsize);
|
|
|
|
static int mem_read(jas_stream_obj_t *obj, char *buf, int cnt);
|
|
static int mem_write(jas_stream_obj_t *obj, char *buf, int cnt);
|
|
@@ -168,7 +168,7 @@ static jas_stream_t *jas_stream_create()
|
|
return stream;
|
|
}
|
|
|
|
-jas_stream_t *jas_stream_memopen(char *buf, int bufsize)
|
|
+jas_stream_t *jas_stream_memopen(char *buf, size_t bufsize)
|
|
{
|
|
jas_stream_t *stream;
|
|
jas_stream_memobj_t *obj;
|
|
@@ -570,7 +570,7 @@ int jas_stream_puts(jas_stream_t *stream
|
|
return 0;
|
|
}
|
|
|
|
-char *jas_stream_gets(jas_stream_t *stream, char *buf, int bufsize)
|
|
+char *jas_stream_gets(jas_stream_t *stream, char *buf, size_t bufsize)
|
|
{
|
|
int c;
|
|
char *bufptr;
|
|
@@ -694,7 +694,7 @@ long jas_stream_tell(jas_stream_t *strea
|
|
\******************************************************************************/
|
|
|
|
static void jas_stream_initbuf(jas_stream_t *stream, int bufmode, char *buf,
|
|
- int bufsize)
|
|
+ size_t bufsize)
|
|
{
|
|
/* If this function is being called, the buffer should not have been
|
|
initialized yet. */
|
|
@@ -987,7 +987,7 @@ static int mem_read(jas_stream_obj_t *ob
|
|
return cnt;
|
|
}
|
|
|
|
-static int mem_resize(jas_stream_memobj_t *m, int bufsize)
|
|
+static int mem_resize(jas_stream_memobj_t *m, size_t bufsize)
|
|
{
|
|
unsigned char *buf;
|
|
|
|
--- a/src/libjasper/mif/mif_cod.c
|
|
+++ b/src/libjasper/mif/mif_cod.c
|
|
@@ -107,7 +107,7 @@ static int mif_hdr_put(mif_hdr_t *hdr, j
|
|
static int mif_hdr_addcmpt(mif_hdr_t *hdr, int cmptno, mif_cmpt_t *cmpt);
|
|
static mif_cmpt_t *mif_cmpt_create(void);
|
|
static void mif_cmpt_destroy(mif_cmpt_t *cmpt);
|
|
-static char *mif_getline(jas_stream_t *jas_stream, char *buf, int bufsize);
|
|
+static char *mif_getline(jas_stream_t *jas_stream, char *buf, size_t bufsize);
|
|
static int mif_getc(jas_stream_t *in);
|
|
static mif_hdr_t *mif_makehdrfromimage(jas_image_t *image);
|
|
|
|
@@ -658,7 +658,7 @@ static void mif_cmpt_destroy(mif_cmpt_t
|
|
* MIF parsing code.
|
|
\******************************************************************************/
|
|
|
|
-static char *mif_getline(jas_stream_t *stream, char *buf, int bufsize)
|
|
+static char *mif_getline(jas_stream_t *stream, char *buf, size_t bufsize)
|
|
{
|
|
int c;
|
|
char *bufptr;
|
|
|
|
--- ./src/libjasper/jpc/jpc_qmfb.c.orig
|
|
+++ ./src/libjasper/jpc/jpc_qmfb.c
|
|
@@ -305,7 +305,7 @@
|
|
void jpc_qmfb_split_row(jpc_fix_t *a, int numcols, int parity)
|
|
{
|
|
|
|
- int bufsize = JPC_CEILDIVPOW2(numcols, 1);
|
|
+ size_t bufsize = JPC_CEILDIVPOW2(numcols, 1);
|
|
jpc_fix_t splitbuf[QMFB_SPLITBUFSIZE];
|
|
jpc_fix_t *buf = splitbuf;
|
|
register jpc_fix_t *srcptr;
|
|
@@ -365,7 +365,7 @@
|
|
int parity)
|
|
{
|
|
|
|
- int bufsize = JPC_CEILDIVPOW2(numrows, 1);
|
|
+ size_t bufsize = JPC_CEILDIVPOW2(numrows, 1);
|
|
jpc_fix_t splitbuf[QMFB_SPLITBUFSIZE];
|
|
jpc_fix_t *buf = splitbuf;
|
|
register jpc_fix_t *srcptr;
|
|
@@ -425,7 +425,7 @@
|
|
int parity)
|
|
{
|
|
|
|
- int bufsize = JPC_CEILDIVPOW2(numrows, 1);
|
|
+ size_t bufsize = JPC_CEILDIVPOW2(numrows, 1);
|
|
jpc_fix_t splitbuf[QMFB_SPLITBUFSIZE * JPC_QMFB_COLGRPSIZE];
|
|
jpc_fix_t *buf = splitbuf;
|
|
jpc_fix_t *srcptr;
|
|
@@ -506,7 +506,7 @@
|
|
int stride, int parity)
|
|
{
|
|
|
|
- int bufsize = JPC_CEILDIVPOW2(numrows, 1);
|
|
+ size_t bufsize = JPC_CEILDIVPOW2(numrows, 1);
|
|
jpc_fix_t splitbuf[QMFB_SPLITBUFSIZE * JPC_QMFB_COLGRPSIZE];
|
|
jpc_fix_t *buf = splitbuf;
|
|
jpc_fix_t *srcptr;
|
|
@@ -586,7 +586,7 @@
|
|
void jpc_qmfb_join_row(jpc_fix_t *a, int numcols, int parity)
|
|
{
|
|
|
|
- int bufsize = JPC_CEILDIVPOW2(numcols, 1);
|
|
+ size_t bufsize = JPC_CEILDIVPOW2(numcols, 1);
|
|
jpc_fix_t joinbuf[QMFB_JOINBUFSIZE];
|
|
jpc_fix_t *buf = joinbuf;
|
|
register jpc_fix_t *srcptr;
|
|
@@ -643,7 +643,7 @@
|
|
int parity)
|
|
{
|
|
|
|
- int bufsize = JPC_CEILDIVPOW2(numrows, 1);
|
|
+ size_t bufsize = JPC_CEILDIVPOW2(numrows, 1);
|
|
jpc_fix_t joinbuf[QMFB_JOINBUFSIZE];
|
|
jpc_fix_t *buf = joinbuf;
|
|
register jpc_fix_t *srcptr;
|
|
@@ -700,7 +700,7 @@
|
|
int parity)
|
|
{
|
|
|
|
- int bufsize = JPC_CEILDIVPOW2(numrows, 1);
|
|
+ size_t bufsize = JPC_CEILDIVPOW2(numrows, 1);
|
|
jpc_fix_t joinbuf[QMFB_JOINBUFSIZE * JPC_QMFB_COLGRPSIZE];
|
|
jpc_fix_t *buf = joinbuf;
|
|
jpc_fix_t *srcptr;
|
|
@@ -778,7 +778,7 @@
|
|
int stride, int parity)
|
|
{
|
|
|
|
- int bufsize = JPC_CEILDIVPOW2(numrows, 1);
|
|
+ size_t bufsize = JPC_CEILDIVPOW2(numrows, 1);
|
|
jpc_fix_t joinbuf[QMFB_JOINBUFSIZE * JPC_QMFB_COLGRPSIZE];
|
|
jpc_fix_t *buf = joinbuf;
|
|
jpc_fix_t *srcptr;
|