pkgsrc-Changes-HG archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
[pkgsrc/trunk]: pkgsrc/graphics/jasper Fix CVE-2014-8157 and CVE-2014-8158. ...
details: https://anonhg.NetBSD.org/pkgsrc/rev/b7308a84ad09
branches: trunk
changeset: 646456:b7308a84ad09
user: snj <snj%pkgsrc.org@localhost>
date: Sun Feb 08 23:04:22 2015 +0000
description:
Fix CVE-2014-8157 and CVE-2014-8158. Bump PKGREVISION to 10.
diffstat:
graphics/jasper/Makefile | 4 +-
graphics/jasper/distinfo | 5 +-
graphics/jasper/patches/patch-src_libjasper_jpc_jpc__dec.c | 12 +
graphics/jasper/patches/patch-src_libjasper_jpc_jpc__qmfb.c | 333 ++++++++++++
4 files changed, 350 insertions(+), 4 deletions(-)
diffs (truncated from 390 to 300 lines):
diff -r 8a46daa9ee3d -r b7308a84ad09 graphics/jasper/Makefile
--- a/graphics/jasper/Makefile Sun Feb 08 22:37:11 2015 +0000
+++ b/graphics/jasper/Makefile Sun Feb 08 23:04:22 2015 +0000
@@ -1,7 +1,7 @@
-# $NetBSD: Makefile,v 1.39 2015/01/01 14:15:27 he Exp $
+# $NetBSD: Makefile,v 1.40 2015/02/08 23:04:22 snj Exp $
DISTNAME= jasper-1.900.1
-PKGREVISION= 9
+PKGREVISION= 10
CATEGORIES= graphics
MASTER_SITES= http://www.ece.uvic.ca/~mdadams/jasper/software/
EXTRACT_SUFX= .zip
diff -r 8a46daa9ee3d -r b7308a84ad09 graphics/jasper/distinfo
--- a/graphics/jasper/distinfo Sun Feb 08 22:37:11 2015 +0000
+++ b/graphics/jasper/distinfo Sun Feb 08 23:04:22 2015 +0000
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.16 2015/01/01 14:15:27 he Exp $
+$NetBSD: distinfo,v 1.17 2015/02/08 23:04:22 snj Exp $
SHA1 (jasper-1.900.1.zip) = 9c5735f773922e580bf98c7c7dfda9bbed4c5191
RMD160 (jasper-1.900.1.zip) = fb2c188abf5b8c297078ac1f913101734f72db5c
@@ -7,4 +7,5 @@
SHA1 (patch-src_libjasper_jp2_jp2__cod.c) = 7902e9900130f466fa60a5389409cc9495b6260c
SHA1 (patch-src_libjasper_jp2_jp2__dec.c) = 5a795502f9241829afa1acf0a2a341155b954108
SHA1 (patch-src_libjasper_jpc_jpc__cs.c) = 794de4dcf8f809275a5bee5cb60d95cf9608e0a7
-SHA1 (patch-src_libjasper_jpc_jpc__dec.c) = f51f025c9756ed0751f24997926cccefc2ef8afe
+SHA1 (patch-src_libjasper_jpc_jpc__dec.c) = 9b0d764671ef32868a390464480c5b3ee805e258
+SHA1 (patch-src_libjasper_jpc_jpc__qmfb.c) = 8c8d6e6fbb8ce0117a9e806777a6fdde21e6d780
diff -r 8a46daa9ee3d -r b7308a84ad09 graphics/jasper/patches/patch-src_libjasper_jpc_jpc__dec.c
--- a/graphics/jasper/patches/patch-src_libjasper_jpc_jpc__dec.c Sun Feb 08 22:37:11 2015 +0000
+++ b/graphics/jasper/patches/patch-src_libjasper_jpc_jpc__dec.c Sun Feb 08 23:04:22 2015 +0000
@@ -8,8 +8,20 @@
Also add a patch from Debian (bug #413041) to fix some heap corruption
on malformed image input (CVE-2007-2721),
+Apply fix for CVE-2014-8157, taken from
+https://bugzilla.redhat.com/show_bug.cgi?id=1179282
+
--- src/libjasper/jpc/jpc_dec.c.orig 2014-12-05 12:10:45.000000000 +0000
+++ src/libjasper/jpc/jpc_dec.c
+@@ -489,7 +489,7 @@ static int jpc_dec_process_sot(jpc_dec_t
+ dec->curtileendoff = 0;
+ }
+
+- if (JAS_CAST(int, sot->tileno) > dec->numtiles) {
++ if (JAS_CAST(int, sot->tileno) >= dec->numtiles) {
+ jas_eprintf("invalid tile number in SOT marker segment\n");
+ return -1;
+ }
@@ -1069,12 +1069,12 @@ static int jpc_dec_tiledecode(jpc_dec_t
/* Apply an inverse intercomponent transform if necessary. */
switch (tile->cp->mctid) {
diff -r 8a46daa9ee3d -r b7308a84ad09 graphics/jasper/patches/patch-src_libjasper_jpc_jpc__qmfb.c
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/graphics/jasper/patches/patch-src_libjasper_jpc_jpc__qmfb.c Sun Feb 08 23:04:22 2015 +0000
@@ -0,0 +1,333 @@
+$NetBSD: patch-src_libjasper_jpc_jpc__qmfb.c,v 1.1 2015/02/08 23:04:22 snj Exp $
+
+Fix CVE-2014-8158. Patch taken from
+https://bugzilla.redhat.com/show_bug.cgi?id=1179298
+
+--- src/libjasper/jpc/jpc_qmfb.c.orig 2007-01-19 13:43:07.000000000 -0800
++++ src/libjasper/jpc/jpc_qmfb.c 2015-02-08 14:49:33.000000000 -0800
+@@ -306,11 +306,7 @@ void jpc_qmfb_split_row(jpc_fix_t *a, in
+ {
+
+ int bufsize = JPC_CEILDIVPOW2(numcols, 1);
+-#if !defined(HAVE_VLA)
+ jpc_fix_t splitbuf[QMFB_SPLITBUFSIZE];
+-#else
+- jpc_fix_t splitbuf[bufsize];
+-#endif
+ jpc_fix_t *buf = splitbuf;
+ register jpc_fix_t *srcptr;
+ register jpc_fix_t *dstptr;
+@@ -318,7 +314,6 @@ void jpc_qmfb_split_row(jpc_fix_t *a, in
+ register int m;
+ int hstartcol;
+
+-#if !defined(HAVE_VLA)
+ /* Get a buffer. */
+ if (bufsize > QMFB_SPLITBUFSIZE) {
+ if (!(buf = jas_malloc(bufsize * sizeof(jpc_fix_t)))) {
+@@ -326,7 +321,6 @@ void jpc_qmfb_split_row(jpc_fix_t *a, in
+ abort();
+ }
+ }
+-#endif
+
+ if (numcols >= 2) {
+ hstartcol = (numcols + 1 - parity) >> 1;
+@@ -360,12 +354,10 @@ void jpc_qmfb_split_row(jpc_fix_t *a, in
+ }
+ }
+
+-#if !defined(HAVE_VLA)
+ /* If the split buffer was allocated on the heap, free this memory. */
+ if (buf != splitbuf) {
+ jas_free(buf);
+ }
+-#endif
+
+ }
+
+@@ -374,11 +366,7 @@ void jpc_qmfb_split_col(jpc_fix_t *a, in
+ {
+
+ int bufsize = JPC_CEILDIVPOW2(numrows, 1);
+-#if !defined(HAVE_VLA)
+ jpc_fix_t splitbuf[QMFB_SPLITBUFSIZE];
+-#else
+- jpc_fix_t splitbuf[bufsize];
+-#endif
+ jpc_fix_t *buf = splitbuf;
+ register jpc_fix_t *srcptr;
+ register jpc_fix_t *dstptr;
+@@ -386,7 +374,6 @@ void jpc_qmfb_split_col(jpc_fix_t *a, in
+ register int m;
+ int hstartcol;
+
+-#if !defined(HAVE_VLA)
+ /* Get a buffer. */
+ if (bufsize > QMFB_SPLITBUFSIZE) {
+ if (!(buf = jas_malloc(bufsize * sizeof(jpc_fix_t)))) {
+@@ -394,7 +381,6 @@ void jpc_qmfb_split_col(jpc_fix_t *a, in
+ abort();
+ }
+ }
+-#endif
+
+ if (numrows >= 2) {
+ hstartcol = (numrows + 1 - parity) >> 1;
+@@ -428,12 +414,10 @@ void jpc_qmfb_split_col(jpc_fix_t *a, in
+ }
+ }
+
+-#if !defined(HAVE_VLA)
+ /* If the split buffer was allocated on the heap, free this memory. */
+ if (buf != splitbuf) {
+ jas_free(buf);
+ }
+-#endif
+
+ }
+
+@@ -442,11 +426,7 @@ void jpc_qmfb_split_colgrp(jpc_fix_t *a,
+ {
+
+ int bufsize = JPC_CEILDIVPOW2(numrows, 1);
+-#if !defined(HAVE_VLA)
+ jpc_fix_t splitbuf[QMFB_SPLITBUFSIZE * JPC_QMFB_COLGRPSIZE];
+-#else
+- jpc_fix_t splitbuf[bufsize * JPC_QMFB_COLGRPSIZE];
+-#endif
+ jpc_fix_t *buf = splitbuf;
+ jpc_fix_t *srcptr;
+ jpc_fix_t *dstptr;
+@@ -457,7 +437,6 @@ void jpc_qmfb_split_colgrp(jpc_fix_t *a,
+ int m;
+ int hstartcol;
+
+-#if !defined(HAVE_VLA)
+ /* Get a buffer. */
+ if (bufsize > QMFB_SPLITBUFSIZE) {
+ if (!(buf = jas_malloc(bufsize * sizeof(jpc_fix_t)))) {
+@@ -465,7 +444,6 @@ void jpc_qmfb_split_colgrp(jpc_fix_t *a,
+ abort();
+ }
+ }
+-#endif
+
+ if (numrows >= 2) {
+ hstartcol = (numrows + 1 - parity) >> 1;
+@@ -517,12 +495,10 @@ void jpc_qmfb_split_colgrp(jpc_fix_t *a,
+ }
+ }
+
+-#if !defined(HAVE_VLA)
+ /* If the split buffer was allocated on the heap, free this memory. */
+ if (buf != splitbuf) {
+ jas_free(buf);
+ }
+-#endif
+
+ }
+
+@@ -531,11 +507,7 @@ void jpc_qmfb_split_colres(jpc_fix_t *a,
+ {
+
+ int bufsize = JPC_CEILDIVPOW2(numrows, 1);
+-#if !defined(HAVE_VLA)
+ jpc_fix_t splitbuf[QMFB_SPLITBUFSIZE * JPC_QMFB_COLGRPSIZE];
+-#else
+- jpc_fix_t splitbuf[bufsize * numcols];
+-#endif
+ jpc_fix_t *buf = splitbuf;
+ jpc_fix_t *srcptr;
+ jpc_fix_t *dstptr;
+@@ -546,7 +518,6 @@ void jpc_qmfb_split_colres(jpc_fix_t *a,
+ int m;
+ int hstartcol;
+
+-#if !defined(HAVE_VLA)
+ /* Get a buffer. */
+ if (bufsize > QMFB_SPLITBUFSIZE) {
+ if (!(buf = jas_malloc(bufsize * sizeof(jpc_fix_t)))) {
+@@ -554,7 +525,6 @@ void jpc_qmfb_split_colres(jpc_fix_t *a,
+ abort();
+ }
+ }
+-#endif
+
+ if (numrows >= 2) {
+ hstartcol = (numrows + 1 - parity) >> 1;
+@@ -606,12 +576,10 @@ void jpc_qmfb_split_colres(jpc_fix_t *a,
+ }
+ }
+
+-#if !defined(HAVE_VLA)
+ /* If the split buffer was allocated on the heap, free this memory. */
+ if (buf != splitbuf) {
+ jas_free(buf);
+ }
+-#endif
+
+ }
+
+@@ -619,18 +587,13 @@ void jpc_qmfb_join_row(jpc_fix_t *a, int
+ {
+
+ int bufsize = JPC_CEILDIVPOW2(numcols, 1);
+-#if !defined(HAVE_VLA)
+ jpc_fix_t joinbuf[QMFB_JOINBUFSIZE];
+-#else
+- jpc_fix_t joinbuf[bufsize];
+-#endif
+ jpc_fix_t *buf = joinbuf;
+ register jpc_fix_t *srcptr;
+ register jpc_fix_t *dstptr;
+ register int n;
+ int hstartcol;
+
+-#if !defined(HAVE_VLA)
+ /* Allocate memory for the join buffer from the heap. */
+ if (bufsize > QMFB_JOINBUFSIZE) {
+ if (!(buf = jas_malloc(bufsize * sizeof(jpc_fix_t)))) {
+@@ -638,7 +601,6 @@ void jpc_qmfb_join_row(jpc_fix_t *a, int
+ abort();
+ }
+ }
+-#endif
+
+ hstartcol = (numcols + 1 - parity) >> 1;
+
+@@ -670,12 +632,10 @@ void jpc_qmfb_join_row(jpc_fix_t *a, int
+ ++srcptr;
+ }
+
+-#if !defined(HAVE_VLA)
+ /* If the join buffer was allocated on the heap, free this memory. */
+ if (buf != joinbuf) {
+ jas_free(buf);
+ }
+-#endif
+
+ }
+
+@@ -684,18 +644,13 @@ void jpc_qmfb_join_col(jpc_fix_t *a, int
+ {
+
+ int bufsize = JPC_CEILDIVPOW2(numrows, 1);
+-#if !defined(HAVE_VLA)
+ jpc_fix_t joinbuf[QMFB_JOINBUFSIZE];
+-#else
+- jpc_fix_t joinbuf[bufsize];
+-#endif
+ jpc_fix_t *buf = joinbuf;
+ register jpc_fix_t *srcptr;
+ register jpc_fix_t *dstptr;
+ register int n;
+ int hstartcol;
+
+-#if !defined(HAVE_VLA)
+ /* Allocate memory for the join buffer from the heap. */
+ if (bufsize > QMFB_JOINBUFSIZE) {
+ if (!(buf = jas_malloc(bufsize * sizeof(jpc_fix_t)))) {
+@@ -703,7 +658,6 @@ void jpc_qmfb_join_col(jpc_fix_t *a, int
+ abort();
+ }
+ }
+-#endif
+
+ hstartcol = (numrows + 1 - parity) >> 1;
+
+@@ -735,12 +689,10 @@ void jpc_qmfb_join_col(jpc_fix_t *a, int
+ ++srcptr;
+ }
+
+-#if !defined(HAVE_VLA)
Home |
Main Index |
Thread Index |
Old Index