pkgsrc-Changes-HG archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

[pkgsrc/trunk]: pkgsrc/graphics/jasper Fix CVE-2014-8157 and CVE-2014-8158. ...



details:   https://anonhg.NetBSD.org/pkgsrc/rev/b7308a84ad09
branches:  trunk
changeset: 646456:b7308a84ad09
user:      snj <snj%pkgsrc.org@localhost>
date:      Sun Feb 08 23:04:22 2015 +0000

description:
Fix CVE-2014-8157 and CVE-2014-8158.  Bump PKGREVISION to 10.

diffstat:

 graphics/jasper/Makefile                                    |    4 +-
 graphics/jasper/distinfo                                    |    5 +-
 graphics/jasper/patches/patch-src_libjasper_jpc_jpc__dec.c  |   12 +
 graphics/jasper/patches/patch-src_libjasper_jpc_jpc__qmfb.c |  333 ++++++++++++
 4 files changed, 350 insertions(+), 4 deletions(-)

diffs (truncated from 390 to 300 lines):

diff -r 8a46daa9ee3d -r b7308a84ad09 graphics/jasper/Makefile
--- a/graphics/jasper/Makefile  Sun Feb 08 22:37:11 2015 +0000
+++ b/graphics/jasper/Makefile  Sun Feb 08 23:04:22 2015 +0000
@@ -1,7 +1,7 @@
-# $NetBSD: Makefile,v 1.39 2015/01/01 14:15:27 he Exp $
+# $NetBSD: Makefile,v 1.40 2015/02/08 23:04:22 snj Exp $
 
 DISTNAME=      jasper-1.900.1
-PKGREVISION=   9
+PKGREVISION=   10
 CATEGORIES=    graphics
 MASTER_SITES=  http://www.ece.uvic.ca/~mdadams/jasper/software/
 EXTRACT_SUFX=  .zip
diff -r 8a46daa9ee3d -r b7308a84ad09 graphics/jasper/distinfo
--- a/graphics/jasper/distinfo  Sun Feb 08 22:37:11 2015 +0000
+++ b/graphics/jasper/distinfo  Sun Feb 08 23:04:22 2015 +0000
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.16 2015/01/01 14:15:27 he Exp $
+$NetBSD: distinfo,v 1.17 2015/02/08 23:04:22 snj Exp $
 
 SHA1 (jasper-1.900.1.zip) = 9c5735f773922e580bf98c7c7dfda9bbed4c5191
 RMD160 (jasper-1.900.1.zip) = fb2c188abf5b8c297078ac1f913101734f72db5c
@@ -7,4 +7,5 @@
 SHA1 (patch-src_libjasper_jp2_jp2__cod.c) = 7902e9900130f466fa60a5389409cc9495b6260c
 SHA1 (patch-src_libjasper_jp2_jp2__dec.c) = 5a795502f9241829afa1acf0a2a341155b954108
 SHA1 (patch-src_libjasper_jpc_jpc__cs.c) = 794de4dcf8f809275a5bee5cb60d95cf9608e0a7
-SHA1 (patch-src_libjasper_jpc_jpc__dec.c) = f51f025c9756ed0751f24997926cccefc2ef8afe
+SHA1 (patch-src_libjasper_jpc_jpc__dec.c) = 9b0d764671ef32868a390464480c5b3ee805e258
+SHA1 (patch-src_libjasper_jpc_jpc__qmfb.c) = 8c8d6e6fbb8ce0117a9e806777a6fdde21e6d780
diff -r 8a46daa9ee3d -r b7308a84ad09 graphics/jasper/patches/patch-src_libjasper_jpc_jpc__dec.c
--- a/graphics/jasper/patches/patch-src_libjasper_jpc_jpc__dec.c        Sun Feb 08 22:37:11 2015 +0000
+++ b/graphics/jasper/patches/patch-src_libjasper_jpc_jpc__dec.c        Sun Feb 08 23:04:22 2015 +0000
@@ -8,8 +8,20 @@
 Also add a patch from Debian (bug #413041) to fix some heap corruption
 on malformed image input (CVE-2007-2721),
 
+Apply fix for CVE-2014-8157, taken from
+https://bugzilla.redhat.com/show_bug.cgi?id=1179282
+
 --- src/libjasper/jpc/jpc_dec.c.orig   2014-12-05 12:10:45.000000000 +0000
 +++ src/libjasper/jpc/jpc_dec.c
+@@ -489,7 +489,7 @@ static int jpc_dec_process_sot(jpc_dec_t
+               dec->curtileendoff = 0;
+       }
+ 
+-      if (JAS_CAST(int, sot->tileno) > dec->numtiles) {
++      if (JAS_CAST(int, sot->tileno) >= dec->numtiles) {
+               jas_eprintf("invalid tile number in SOT marker segment\n");
+               return -1;
+       }
 @@ -1069,12 +1069,12 @@ static int jpc_dec_tiledecode(jpc_dec_t 
        /* Apply an inverse intercomponent transform if necessary. */
        switch (tile->cp->mctid) {
diff -r 8a46daa9ee3d -r b7308a84ad09 graphics/jasper/patches/patch-src_libjasper_jpc_jpc__qmfb.c
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/graphics/jasper/patches/patch-src_libjasper_jpc_jpc__qmfb.c       Sun Feb 08 23:04:22 2015 +0000
@@ -0,0 +1,333 @@
+$NetBSD: patch-src_libjasper_jpc_jpc__qmfb.c,v 1.1 2015/02/08 23:04:22 snj Exp $
+
+Fix CVE-2014-8158.  Patch taken from
+https://bugzilla.redhat.com/show_bug.cgi?id=1179298
+
+--- src/libjasper/jpc/jpc_qmfb.c.orig  2007-01-19 13:43:07.000000000 -0800
++++ src/libjasper/jpc/jpc_qmfb.c       2015-02-08 14:49:33.000000000 -0800
+@@ -306,11 +306,7 @@ void jpc_qmfb_split_row(jpc_fix_t *a, in
+ {
+ 
+       int bufsize = JPC_CEILDIVPOW2(numcols, 1);
+-#if !defined(HAVE_VLA)
+       jpc_fix_t splitbuf[QMFB_SPLITBUFSIZE];
+-#else
+-      jpc_fix_t splitbuf[bufsize];
+-#endif
+       jpc_fix_t *buf = splitbuf;
+       register jpc_fix_t *srcptr;
+       register jpc_fix_t *dstptr;
+@@ -318,7 +314,6 @@ void jpc_qmfb_split_row(jpc_fix_t *a, in
+       register int m;
+       int hstartcol;
+ 
+-#if !defined(HAVE_VLA)
+       /* Get a buffer. */
+       if (bufsize > QMFB_SPLITBUFSIZE) {
+               if (!(buf = jas_malloc(bufsize * sizeof(jpc_fix_t)))) {
+@@ -326,7 +321,6 @@ void jpc_qmfb_split_row(jpc_fix_t *a, in
+                       abort();
+               }
+       }
+-#endif
+ 
+       if (numcols >= 2) {
+               hstartcol = (numcols + 1 - parity) >> 1;
+@@ -360,12 +354,10 @@ void jpc_qmfb_split_row(jpc_fix_t *a, in
+               }
+       }
+ 
+-#if !defined(HAVE_VLA)
+       /* If the split buffer was allocated on the heap, free this memory. */
+       if (buf != splitbuf) {
+               jas_free(buf);
+       }
+-#endif
+ 
+ }
+ 
+@@ -374,11 +366,7 @@ void jpc_qmfb_split_col(jpc_fix_t *a, in
+ {
+ 
+       int bufsize = JPC_CEILDIVPOW2(numrows, 1);
+-#if !defined(HAVE_VLA)
+       jpc_fix_t splitbuf[QMFB_SPLITBUFSIZE];
+-#else
+-      jpc_fix_t splitbuf[bufsize];
+-#endif
+       jpc_fix_t *buf = splitbuf;
+       register jpc_fix_t *srcptr;
+       register jpc_fix_t *dstptr;
+@@ -386,7 +374,6 @@ void jpc_qmfb_split_col(jpc_fix_t *a, in
+       register int m;
+       int hstartcol;
+ 
+-#if !defined(HAVE_VLA)
+       /* Get a buffer. */
+       if (bufsize > QMFB_SPLITBUFSIZE) {
+               if (!(buf = jas_malloc(bufsize * sizeof(jpc_fix_t)))) {
+@@ -394,7 +381,6 @@ void jpc_qmfb_split_col(jpc_fix_t *a, in
+                       abort();
+               }
+       }
+-#endif
+ 
+       if (numrows >= 2) {
+               hstartcol = (numrows + 1 - parity) >> 1;
+@@ -428,12 +414,10 @@ void jpc_qmfb_split_col(jpc_fix_t *a, in
+               }
+       }
+ 
+-#if !defined(HAVE_VLA)
+       /* If the split buffer was allocated on the heap, free this memory. */
+       if (buf != splitbuf) {
+               jas_free(buf);
+       }
+-#endif
+ 
+ }
+ 
+@@ -442,11 +426,7 @@ void jpc_qmfb_split_colgrp(jpc_fix_t *a,
+ {
+ 
+       int bufsize = JPC_CEILDIVPOW2(numrows, 1);
+-#if !defined(HAVE_VLA)
+       jpc_fix_t splitbuf[QMFB_SPLITBUFSIZE * JPC_QMFB_COLGRPSIZE];
+-#else
+-      jpc_fix_t splitbuf[bufsize * JPC_QMFB_COLGRPSIZE];
+-#endif
+       jpc_fix_t *buf = splitbuf;
+       jpc_fix_t *srcptr;
+       jpc_fix_t *dstptr;
+@@ -457,7 +437,6 @@ void jpc_qmfb_split_colgrp(jpc_fix_t *a,
+       int m;
+       int hstartcol;
+ 
+-#if !defined(HAVE_VLA)
+       /* Get a buffer. */
+       if (bufsize > QMFB_SPLITBUFSIZE) {
+               if (!(buf = jas_malloc(bufsize * sizeof(jpc_fix_t)))) {
+@@ -465,7 +444,6 @@ void jpc_qmfb_split_colgrp(jpc_fix_t *a,
+                       abort();
+               }
+       }
+-#endif
+ 
+       if (numrows >= 2) {
+               hstartcol = (numrows + 1 - parity) >> 1;
+@@ -517,12 +495,10 @@ void jpc_qmfb_split_colgrp(jpc_fix_t *a,
+               }
+       }
+ 
+-#if !defined(HAVE_VLA)
+       /* If the split buffer was allocated on the heap, free this memory. */
+       if (buf != splitbuf) {
+               jas_free(buf);
+       }
+-#endif
+ 
+ }
+ 
+@@ -531,11 +507,7 @@ void jpc_qmfb_split_colres(jpc_fix_t *a,
+ {
+ 
+       int bufsize = JPC_CEILDIVPOW2(numrows, 1);
+-#if !defined(HAVE_VLA)
+       jpc_fix_t splitbuf[QMFB_SPLITBUFSIZE * JPC_QMFB_COLGRPSIZE];
+-#else
+-      jpc_fix_t splitbuf[bufsize * numcols];
+-#endif
+       jpc_fix_t *buf = splitbuf;
+       jpc_fix_t *srcptr;
+       jpc_fix_t *dstptr;
+@@ -546,7 +518,6 @@ void jpc_qmfb_split_colres(jpc_fix_t *a,
+       int m;
+       int hstartcol;
+ 
+-#if !defined(HAVE_VLA)
+       /* Get a buffer. */
+       if (bufsize > QMFB_SPLITBUFSIZE) {
+               if (!(buf = jas_malloc(bufsize * sizeof(jpc_fix_t)))) {
+@@ -554,7 +525,6 @@ void jpc_qmfb_split_colres(jpc_fix_t *a,
+                       abort();
+               }
+       }
+-#endif
+ 
+       if (numrows >= 2) {
+               hstartcol = (numrows + 1 - parity) >> 1;
+@@ -606,12 +576,10 @@ void jpc_qmfb_split_colres(jpc_fix_t *a,
+               }
+       }
+ 
+-#if !defined(HAVE_VLA)
+       /* If the split buffer was allocated on the heap, free this memory. */
+       if (buf != splitbuf) {
+               jas_free(buf);
+       }
+-#endif
+ 
+ }
+ 
+@@ -619,18 +587,13 @@ void jpc_qmfb_join_row(jpc_fix_t *a, int
+ {
+ 
+       int bufsize = JPC_CEILDIVPOW2(numcols, 1);
+-#if !defined(HAVE_VLA)
+       jpc_fix_t joinbuf[QMFB_JOINBUFSIZE];
+-#else
+-      jpc_fix_t joinbuf[bufsize];
+-#endif
+       jpc_fix_t *buf = joinbuf;
+       register jpc_fix_t *srcptr;
+       register jpc_fix_t *dstptr;
+       register int n;
+       int hstartcol;
+ 
+-#if !defined(HAVE_VLA)
+       /* Allocate memory for the join buffer from the heap. */
+       if (bufsize > QMFB_JOINBUFSIZE) {
+               if (!(buf = jas_malloc(bufsize * sizeof(jpc_fix_t)))) {
+@@ -638,7 +601,6 @@ void jpc_qmfb_join_row(jpc_fix_t *a, int
+                       abort();
+               }
+       }
+-#endif
+ 
+       hstartcol = (numcols + 1 - parity) >> 1;
+ 
+@@ -670,12 +632,10 @@ void jpc_qmfb_join_row(jpc_fix_t *a, int
+               ++srcptr;
+       }
+ 
+-#if !defined(HAVE_VLA)
+       /* If the join buffer was allocated on the heap, free this memory. */
+       if (buf != joinbuf) {
+               jas_free(buf);
+       }
+-#endif
+ 
+ }
+ 
+@@ -684,18 +644,13 @@ void jpc_qmfb_join_col(jpc_fix_t *a, int
+ {
+ 
+       int bufsize = JPC_CEILDIVPOW2(numrows, 1);
+-#if !defined(HAVE_VLA)
+       jpc_fix_t joinbuf[QMFB_JOINBUFSIZE];
+-#else
+-      jpc_fix_t joinbuf[bufsize];
+-#endif
+       jpc_fix_t *buf = joinbuf;
+       register jpc_fix_t *srcptr;
+       register jpc_fix_t *dstptr;
+       register int n;
+       int hstartcol;
+ 
+-#if !defined(HAVE_VLA)
+       /* Allocate memory for the join buffer from the heap. */
+       if (bufsize > QMFB_JOINBUFSIZE) {
+               if (!(buf = jas_malloc(bufsize * sizeof(jpc_fix_t)))) {
+@@ -703,7 +658,6 @@ void jpc_qmfb_join_col(jpc_fix_t *a, int
+                       abort();
+               }
+       }
+-#endif
+ 
+       hstartcol = (numrows + 1 - parity) >> 1;
+ 
+@@ -735,12 +689,10 @@ void jpc_qmfb_join_col(jpc_fix_t *a, int
+               ++srcptr;
+       }
+ 
+-#if !defined(HAVE_VLA)



Home | Main Index | Thread Index | Old Index