author | he <he> | 2016-12-16 09:44:44 +0000 |
---|---|---|
committer | he <he> | 2016-12-16 09:44:44 +0000 |
commit | 01ca487bce99291b15d75ff05f1df036d6980f63 (patch) | |
tree | c52cd430c10f10abfc11eee84664639cc15f4bb2 | |
parent | d5efaa366d324a0062c392afb50216a1811bc8ea (diff) | |
download | pkgsrc-01ca487bce99291b15d75ff05f1df036d6980f63.tar.gz |
Upgrade jasper from 1.900.1 to 1.900.29.
This integrates most of the patches we had applied in pkgsrc.
The changes are in ChangeLog, and are not well summarized anywhere
I can find, sorry...
OK from adam@
29 files changed, 239 insertions, 1548 deletions
diff --git a/graphics/jasper/Makefile b/graphics/jasper/Makefile index 98ecf1d1e16..a48405e1a9a 100644 --- a/graphics/jasper/Makefile +++ b/graphics/jasper/Makefile @@ -1,10 +1,8 @@ -# $NetBSD: Makefile,v 1.43 2016/05/16 14:03:40 he Exp $ +# $NetBSD: Makefile,v 1.44 2016/12/16 09:44:44 he Exp $ -DISTNAME= jasper-1.900.1 -PKGREVISION= 12 +DISTNAME= jasper-1.900.29 CATEGORIES= graphics MASTER_SITES= http://www.ece.uvic.ca/~mdadams/jasper/software/ -EXTRACT_SUFX= .zip MAINTAINER= adam@NetBSD.org HOMEPAGE= http://www.ece.uvic.ca/~mdadams/jasper/ @@ -16,6 +14,11 @@ USE_LIBTOOL= yes GNU_CONFIGURE= yes CONFIGURE_ARGS+= --enable-shared --without-x --disable-opengl +USE_TOOLS+= gmake +USE_TOOLS+= pkg-config + +PKGCONFIG_OVERRIDE= pkgconfig/jasper.pc + # The solaris stdbool.h requires c99 which is fine for jasper, but # not so good for things that depend upon jasper. See PR#43901 CONFIGURE_ENV.SunOS+= ac_cv_header_stdbool_h=no diff --git a/graphics/jasper/PLIST b/graphics/jasper/PLIST index d4b7c36df88..2193781e24b 100644 --- a/graphics/jasper/PLIST +++ b/graphics/jasper/PLIST @@ -1,11 +1,10 @@ -@comment $NetBSD: PLIST,v 1.9 2009/06/14 17:59:19 joerg Exp $ +@comment $NetBSD: PLIST,v 1.10 2016/12/16 09:44:44 he Exp $ bin/imgcmp bin/imginfo bin/jasper bin/tmrdemo include/jasper/jas_cm.h include/jasper/jas_config.h -include/jasper/jas_config2.h include/jasper/jas_debug.h include/jasper/jas_fix.h include/jasper/jas_getopt.h @@ -29,3 +28,4 @@ man/man1/jasper.1 man/man1/jiv.1 share/doc/jasper/jasper.pdf share/doc/jasper/jpeg2000.pdf +lib/pkgconfig/jasper.pc diff --git a/graphics/jasper/distinfo b/graphics/jasper/distinfo index faa48c9d580..9a2c8a25e81 100644 --- a/graphics/jasper/distinfo +++ b/graphics/jasper/distinfo 
@@ -1,32 +1,15 @@ -$NetBSD: distinfo,v 1.20 2016/05/16 14:03:40 he Exp $ +$NetBSD: distinfo,v 1.21 2016/12/16 09:44:44 he Exp $ -SHA1 (jasper-1.900.1.zip) = 9c5735f773922e580bf98c7c7dfda9bbed4c5191 -RMD160 (jasper-1.900.1.zip) = fb2c188abf5b8c297078ac1f913101734f72db5c -SHA512 (jasper-1.900.1.zip) = e3a3c803de848b50482f5bd693b1945197c6999285226c45b671855734d7bb2611fbe6f28cd8ba9c56a4ea59417795eba42d72516c9fec93b8fbaa21b8210cb6 -Size (jasper-1.900.1.zip) = 1415752 bytes -SHA1 (patch-configure) = c8aa09f8432f0e3f5667ecb3ccd738c3c03f3f05 -SHA1 (patch-src_libjasper_base_jas__cm.c) = 51bcaa7d992616c4caf764d190d42c8c802324f8 -SHA1 (patch-src_libjasper_base_jas__icc.c) = 855e8b733a4a043d06cea60deaa497784e55838c -SHA1 (patch-src_libjasper_base_jas__image.c) = d9119ab45d95f954604167374f5f97c1d94d508f -SHA1 (patch-src_libjasper_base_jas__malloc.c) = 887509258c8a957932bb212b747aa5b8932e82af -SHA1 (patch-src_libjasper_base_jas__seq.c) = bc1c38439eb61e3c50a5900e38e4a8992bc790fe -SHA1 (patch-src_libjasper_base_jas__stream.c) = 1e6cbd1cf0a273f94144e1f12624b9a5d612dd84 -SHA1 (patch-src_libjasper_bmp_bmp__dec.c) = 162f760235fba871c48afc273276fad884250ed6 -SHA1 (patch-src_libjasper_include_jasper_jas__malloc.h) = 3d6e873f11074bc54bd6dc5665d3c80413ef89fe -SHA1 (patch-src_libjasper_jp2_jp2__cod.c) = 656f23983f97e3b5eea49898e9f29d6b3eef5b19 -SHA1 (patch-src_libjasper_jp2_jp2__dec.c) = 9b8fbb8e947e403fed6c610a0d4a0c63640462e5 -SHA1 (patch-src_libjasper_jp2_jp2__enc.c) = f6a86101e04a2efdb0840b44a2b892de18683c59 -SHA1 (patch-src_libjasper_jpc_jpc__cs.c) = 603ee1ac6089bd190581fd0e00efabc18a41f48a -SHA1 (patch-src_libjasper_jpc_jpc__dec.c) = 026235b7f59ecaa8ee148f0301dd96dc9a570e80 -SHA1 (patch-src_libjasper_jpc_jpc__enc.c) = 81cf4df888d1542cf52fadb202b82a05c8bdfd83 -SHA1 (patch-src_libjasper_jpc_jpc__mqdec.c) = bcf41d1da270478a731494a913bd626ba7d533f4 -SHA1 (patch-src_libjasper_jpc_jpc__mqenc.c) = b6c80212129f82268c43e5a3e39a7c7e1c12655a -SHA1 (patch-src_libjasper_jpc_jpc__qmfb.c) = 
6e7b5180047c6c8855aa22a3dd94d8deeb39b560 -SHA1 (patch-src_libjasper_jpc_jpc__t1enc.c) = 3aade36d3a171ad08f7be93c48bb51ab9fb9126f -SHA1 (patch-src_libjasper_jpc_jpc__t2cod.c) = ce1a300066db7adfed03f55fc47d6392dd2d2221 -SHA1 (patch-src_libjasper_jpc_jpc__t2dec.c) = 06a2e58843b59bbf698a5aa15ba253fa51f18568 -SHA1 (patch-src_libjasper_jpc_jpc__t2enc.c) = 0a6119b4fc5a6305a8adb92357805af1fb55f1d9 -SHA1 (patch-src_libjasper_jpc_jpc__tagtree.c) = 9f0594c4aa576ef5d0cb85ec2c01c364efecf855 -SHA1 (patch-src_libjasper_jpc_jpc__util.c) = e7069e6106d7dd883aab18a1fa20c9dbfe1bebf1 -SHA1 (patch-src_libjasper_mif_mif__cod.c) = 7c34864c0c9f82eee89795673014feb5824fc7b5 -SHA1 (patch-src_libjasper_pnm_pnm__enc.c) = 3279f184f6191ea69d1b5ef8fb270ffcc6a69640 +SHA1 (jasper-1.900.29.tar.gz) = 6d50e5ea9e822ad5f88f4451819acab2e3b47f8e +RMD160 (jasper-1.900.29.tar.gz) = 4ae47353f3dc086b3a11eff86ec7fb57d598c6fb +SHA512 (jasper-1.900.29.tar.gz) = fdf557889660b9068e3712ff809fe7d4ab0855e1afff9a39eb19763599b4e747472743e4c49a42f7d38beadc6a0aa7a7b402422422853e8bb6d683def81b1544 +Size (jasper-1.900.29.tar.gz) = 1746319 bytes +SHA1 (patch-configure) = 14039911be04b88559e40f20a01bb46fd0db4488 +SHA1 (patch-src_libjasper_base_jas__seq.c) = a0208cd0271388ae0fdc2e359da3223a35a7ae14 +SHA1 (patch-src_libjasper_base_jas__stream.c) = 2e9ad538ab2c0191063fef06202949b435b0085e +SHA1 (patch-src_libjasper_jp2_jp2__cod.c) = bfbe752e105d75fbad71a01080013c7a5a8645d8 +SHA1 (patch-src_libjasper_jp2_jp2__dec.c) = 3cbf3a6355168aaa60a68ff8042f7cb4f6d847c4 +SHA1 (patch-src_libjasper_jp2_jp2__enc.c) = 4f23040e7039514bbbc60360121f1820e82017cc +SHA1 (patch-src_libjasper_jpc_jpc__dec.c) = f76765ff7656af6b44cd4035b26656909abe45f9 +SHA1 (patch-src_libjasper_jpc_jpc__enc.c) = 10fbe41e67da4f2575fb541013833ed85992efea +SHA1 (patch-src_libjasper_pnm_pnm__enc.c) = a2d5d53cd28f653f9e6e302f76c187fba50b1ce2 diff --git a/graphics/jasper/patches/patch-configure b/graphics/jasper/patches/patch-configure index 73a16445600..979e9934dd2 100644 
--- a/graphics/jasper/patches/patch-configure +++ b/graphics/jasper/patches/patch-configure @@ -1,10 +1,10 @@ -$NetBSD: patch-configure,v 1.1 2015/01/01 14:15:27 he Exp $ +$NetBSD: patch-configure,v 1.2 2016/12/16 09:44:44 he Exp $ Check for C99 conformance for stdbool.h, don't just test its presence. --- configure.orig 2007-01-19 21:54:48.000000000 +0000 +++ configure 2007-08-12 20:56:30.000000000 +0000 -@@ -20979,6 +20979,163 @@ _ACEOF +@@ -8286,6 +8286,163 @@ fi fi 
@@ -168,12 +168,174 @@ Check for C99 conformance for stdbool.h, don't just test its presence. -@@ -20990,7 +21147,7 @@ fi - +@@ -13727,6 +13884,170 @@ _ACEOF + fi --for ac_header in fcntl.h limits.h unistd.h stdint.h stdbool.h io.h windows.h sys/types.h sys/time.h stdlib.h stddef.h -+for ac_header in fcntl.h limits.h unistd.h stdint.h io.h windows.h sys/types.h sys/time.h stdlib.h stddef.h - do - as_ac_Header=`echo "ac_cv_header_$ac_header" | $as_tr_sh` - if eval "test \"\${$as_ac_Header+set}\" = set"; then ++echo "$as_me:$LINENO: checking for stdbool.h that conforms to C99" >&5 ++echo $ECHO_N "checking for stdbool.h that conforms to C99... $ECHO_C" >&6 ++if test "${ac_cv_header_stdbool_h+set}" = set; then ++ echo $ECHO_N "(cached) $ECHO_C" >&6 ++else ++ cat >conftest.$ac_ext <<_ACEOF ++/* confdefs.h. */ ++_ACEOF ++cat confdefs.h >>conftest.$ac_ext ++cat >>conftest.$ac_ext <<_ACEOF ++/* end confdefs.h. */ ++ ++#include <stdbool.h> ++#ifndef bool ++# error bool is not defined ++#endif ++#ifndef false ++# error false is not defined ++#endif ++#if false ++# error false is not 0 ++#endif ++#ifndef true ++# error true is not defined ++#endif ++#if true != 1 ++# error true is not 1 ++#endif ++#ifndef __bool_true_false_are_defined ++# error __bool_true_false_are_defined is not defined ++#endif ++ ++ struct s { _Bool s: 1; _Bool t; } s; ++ ++ char a[true == 1 ? 1 : -1]; ++ char b[false == 0 ? 1 : -1]; ++ char c[__bool_true_false_are_defined == 1 ? 1 : -1]; ++ char d[(bool) -0.5 == true ? 1 : -1]; ++ bool e = &s; ++ char f[(_Bool) -0.0 == false ? 1 : -1]; ++ char g[true]; ++ char h[sizeof (_Bool)]; ++ char i[sizeof s.t]; ++ ++int ++main () ++{ ++ return !a + !b + !c + !d + !e + !f + !g + !h + !i; ++ ; ++ return 0; ++} ++_ACEOF ++rm -f conftest.$ac_objext ++if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5 ++ (eval $ac_compile) 2>conftest.er1 ++ ac_status=$? 
++ grep -v '^ *+' conftest.er1 >conftest.err ++ rm -f conftest.er1 ++ cat conftest.err >&5 ++ echo "$as_me:$LINENO: \$? = $ac_status" >&5 ++ (exit $ac_status); } && ++ { ac_try='test -z "$ac_c_werror_flag" ++ || test ! -s conftest.err' ++ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 ++ (eval $ac_try) 2>&5 ++ ac_status=$? ++ echo "$as_me:$LINENO: \$? = $ac_status" >&5 ++ (exit $ac_status); }; } && ++ { ac_try='test -s conftest.$ac_objext' ++ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 ++ (eval $ac_try) 2>&5 ++ ac_status=$? ++ echo "$as_me:$LINENO: \$? = $ac_status" >&5 ++ (exit $ac_status); }; }; then ++ ac_cv_header_stdbool_h=yes ++else ++ echo "$as_me: failed program was:" >&5 ++sed 's/^/| /' conftest.$ac_ext >&5 ++ ++ac_cv_header_stdbool_h=no ++fi ++rm -f conftest.err conftest.$ac_objext conftest.$ac_ext ++fi ++echo "$as_me:$LINENO: result: $ac_cv_header_stdbool_h" >&5 ++echo "${ECHO_T}$ac_cv_header_stdbool_h" >&6 ++echo "$as_me:$LINENO: checking for _Bool" >&5 ++echo $ECHO_N "checking for _Bool... $ECHO_C" >&6 ++if test "${ac_cv_type__Bool+set}" = set; then ++ echo $ECHO_N "(cached) $ECHO_C" >&6 ++else ++ cat >conftest.$ac_ext <<_ACEOF ++/* confdefs.h. */ ++_ACEOF ++cat confdefs.h >>conftest.$ac_ext ++cat >>conftest.$ac_ext <<_ACEOF ++/* end confdefs.h. */ ++$ac_includes_default ++int ++main () ++{ ++if ((_Bool *) 0) ++ return 0; ++if (sizeof (_Bool)) ++ return 0; ++ ; ++ return 0; ++} ++_ACEOF ++rm -f conftest.$ac_objext ++if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5 ++ (eval $ac_compile) 2>conftest.er1 ++ ac_status=$? ++ grep -v '^ *+' conftest.er1 >conftest.err ++ rm -f conftest.er1 ++ cat conftest.err >&5 ++ echo "$as_me:$LINENO: \$? = $ac_status" >&5 ++ (exit $ac_status); } && ++ { ac_try='test -z "$ac_c_werror_flag" ++ || test ! -s conftest.err' ++ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 ++ (eval $ac_try) 2>&5 ++ ac_status=$? ++ echo "$as_me:$LINENO: \$? 
= $ac_status" >&5 ++ (exit $ac_status); }; } && ++ { ac_try='test -s conftest.$ac_objext' ++ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 ++ (eval $ac_try) 2>&5 ++ ac_status=$? ++ echo "$as_me:$LINENO: \$? = $ac_status" >&5 ++ (exit $ac_status); }; }; then ++ ac_cv_type__Bool=yes ++else ++ echo "$as_me: failed program was:" >&5 ++sed 's/^/| /' conftest.$ac_ext >&5 ++ ++ac_cv_type__Bool=no ++fi ++rm -f conftest.err conftest.$ac_objext conftest.$ac_ext ++fi ++echo "$as_me:$LINENO: result: $ac_cv_type__Bool" >&5 ++echo "${ECHO_T}$ac_cv_type__Bool" >&6 ++if test $ac_cv_type__Bool = yes; then ++ ++cat >>confdefs.h <<_ACEOF ++#define HAVE__BOOL 1 ++_ACEOF ++ ++ ++fi ++ ++if test $ac_cv_header_stdbool_h = yes; then ++ ++cat >>confdefs.h <<\_ACEOF ++#define HAVE_STDBOOL_H 1 ++_ACEOF ++ ++fi ++ ++ ++ ++ ++ ++ ++ + ############################################################ + # Check for header files. + ############################################################ diff --git a/graphics/jasper/patches/patch-src_libjasper_base_jas__cm.c b/graphics/jasper/patches/patch-src_libjasper_base_jas__cm.c deleted file mode 100644 index c46236ae8da..00000000000 --- a/graphics/jasper/patches/patch-src_libjasper_base_jas__cm.c +++ /dev/null 
@@ -1,51 +0,0 @@ -$NetBSD: patch-src_libjasper_base_jas__cm.c,v 1.1 2016/05/16 14:03:40 he Exp $ - -Fix CVE-2008-3520, patches from -https://bugs.gentoo.org/show_bug.cgi?id=222819 - ---- src/libjasper/base/jas_cm.c.orig 2007-01-19 21:43:05.000000000 +0000 -+++ src/libjasper/base/jas_cm.c -@@ -704,8 +704,7 @@ static int jas_cmpxformseq_resize(jas_cm - { - jas_cmpxform_t **p; - assert(n >= pxformseq->numpxforms); -- p = (!pxformseq->pxforms) ? jas_malloc(n * sizeof(jas_cmpxform_t *)) : -- jas_realloc(pxformseq->pxforms, n * sizeof(jas_cmpxform_t *)); -+ p = jas_realloc2(pxformseq->pxforms, n, sizeof(jas_cmpxform_t *)); - if (!p) { - return -1; - } -@@ -889,13 +888,13 @@ static int jas_cmshapmatlut_set(jas_cmsh - jas_cmshapmatlut_cleanup(lut); - if (curv->numents == 0) { - lut->size = 2; -- if (!(lut->data = jas_malloc(lut->size * sizeof(jas_cmreal_t)))) -+ if (!(lut->data = jas_alloc2(lut->size, sizeof(jas_cmreal_t)))) - goto error; - lut->data[0] = 0.0; - lut->data[1] = 1.0; - } else if (curv->numents == 1) { - lut->size = 256; -- if (!(lut->data = jas_malloc(lut->size * sizeof(jas_cmreal_t)))) -+ if (!(lut->data = jas_alloc2(lut->size, sizeof(jas_cmreal_t)))) - goto error; - gamma = curv->ents[0] / 256.0; - for (i = 0; i < lut->size; ++i) { -@@ -903,7 +902,7 @@ static int jas_cmshapmatlut_set(jas_cmsh - } - } else { - lut->size = curv->numents; -- if (!(lut->data = jas_malloc(lut->size * sizeof(jas_cmreal_t)))) -+ if (!(lut->data = jas_alloc2(lut->size, sizeof(jas_cmreal_t)))) - goto error; - for (i = 0; i < lut->size; ++i) { - lut->data[i] = curv->ents[i] / 65535.0; -@@ -953,7 +952,7 @@ static int jas_cmshapmatlut_invert(jas_c - return -1; - } - } -- if (!(invlut->data = jas_malloc(n * sizeof(jas_cmreal_t)))) -+ if (!(invlut->data = jas_alloc2(n, sizeof(jas_cmreal_t)))) - return -1; - invlut->size = n; - for (i = 0; i < invlut->size; ++i) { 
diff --git a/graphics/jasper/patches/patch-src_libjasper_base_jas__icc.c b/graphics/jasper/patches/patch-src_libjasper_base_jas__icc.c deleted file mode 100644 index dac73a7cb27..00000000000 --- a/graphics/jasper/patches/patch-src_libjasper_base_jas__icc.c +++ /dev/null 
@@ -1,123 +0,0 @@ -$NetBSD: patch-src_libjasper_base_jas__icc.c,v 1.2 2016/05/16 14:03:40 he Exp $ - -CVE-2016-1577 prevent double free. Via Debian. -CVE-2016-2116 memory leak / DoS. Via Debian. - -Fix CVE-2008-3520, patches from -https://bugs.gentoo.org/show_bug.cgi?id=222819 - ---- src/libjasper/base/jas_icc.c.old 2016-03-31 14:47:00.000000000 +0200 -+++ src/libjasper/base/jas_icc.c 2016-03-31 14:48:20.000000000 +0200 -@@ -300,6 +300,7 @@ - if (jas_iccprof_setattr(prof, tagtabent->tag, attrval)) - goto error; - jas_iccattrval_destroy(attrval); -+ attrval = 0; - } else { - #if 0 - jas_eprintf("warning: skipping unknown tag type\n"); -@@ -373,7 +374,7 @@ - jas_icctagtab_t *tagtab; - - tagtab = &prof->tagtab; -- if (!(tagtab->ents = jas_malloc(prof->attrtab->numattrs * -+ if (!(tagtab->ents = jas_alloc2(prof->attrtab->numattrs, - sizeof(jas_icctagtabent_t)))) - goto error; - tagtab->numents = prof->attrtab->numattrs; -@@ -522,7 +523,7 @@ - } - if (jas_iccgetuint32(in, &tagtab->numents)) - goto error; -- if (!(tagtab->ents = jas_malloc(tagtab->numents * -+ if (!(tagtab->ents = jas_alloc2(tagtab->numents, - sizeof(jas_icctagtabent_t)))) - goto error; - tagtabent = tagtab->ents; -@@ -743,8 +744,7 @@ - { - jas_iccattr_t *newattrs; - assert(maxents >= tab->numattrs); -- newattrs = tab->attrs ? 
jas_realloc(tab->attrs, maxents * -- sizeof(jas_iccattr_t)) : jas_malloc(maxents * sizeof(jas_iccattr_t)); -+ newattrs = jas_realloc2(tab->attrs, maxents, sizeof(jas_iccattr_t)); - if (!newattrs) - return -1; - tab->attrs = newattrs; -@@ -999,7 +999,7 @@ - - if (jas_iccgetuint32(in, &curv->numents)) - goto error; -- if (!(curv->ents = jas_malloc(curv->numents * sizeof(jas_iccuint16_t)))) -+ if (!(curv->ents = jas_alloc2(curv->numents, sizeof(jas_iccuint16_t)))) - goto error; - for (i = 0; i < curv->numents; ++i) { - if (jas_iccgetuint16(in, &curv->ents[i])) -@@ -1100,7 +1100,7 @@ - if (jas_iccgetuint32(in, &txtdesc->uclangcode) || - jas_iccgetuint32(in, &txtdesc->uclen)) - goto error; -- if (!(txtdesc->ucdata = jas_malloc(txtdesc->uclen * 2))) -+ if (!(txtdesc->ucdata = jas_alloc2(txtdesc->uclen, 2))) - goto error; - if (jas_stream_read(in, txtdesc->ucdata, txtdesc->uclen * 2) != - JAS_CAST(int, txtdesc->uclen * 2)) -@@ -1292,17 +1292,17 @@ - jas_iccgetuint16(in, &lut8->numouttabents)) - goto error; - clutsize = jas_iccpowi(lut8->clutlen, lut8->numinchans) * lut8->numoutchans; -- if (!(lut8->clut = jas_malloc(clutsize * sizeof(jas_iccuint8_t))) || -- !(lut8->intabsbuf = jas_malloc(lut8->numinchans * -- lut8->numintabents * sizeof(jas_iccuint8_t))) || -- !(lut8->intabs = jas_malloc(lut8->numinchans * -+ if (!(lut8->clut = jas_alloc2(clutsize, sizeof(jas_iccuint8_t))) || -+ !(lut8->intabsbuf = jas_alloc3(lut8->numinchans, -+ lut8->numintabents, sizeof(jas_iccuint8_t))) || -+ !(lut8->intabs = jas_alloc2(lut8->numinchans, - sizeof(jas_iccuint8_t *)))) - goto error; - for (i = 0; i < lut8->numinchans; ++i) - lut8->intabs[i] = &lut8->intabsbuf[i * lut8->numintabents]; -- if (!(lut8->outtabsbuf = jas_malloc(lut8->numoutchans * -- lut8->numouttabents * sizeof(jas_iccuint8_t))) || -- !(lut8->outtabs = jas_malloc(lut8->numoutchans * -+ if (!(lut8->outtabsbuf = jas_alloc3(lut8->numoutchans, -+ lut8->numouttabents, sizeof(jas_iccuint8_t))) || -+ !(lut8->outtabs = 
jas_alloc2(lut8->numoutchans, - sizeof(jas_iccuint8_t *)))) - goto error; - for (i = 0; i < lut8->numoutchans; ++i) -@@ -1461,17 +1461,17 @@ - jas_iccgetuint16(in, &lut16->numouttabents)) - goto error; - clutsize = jas_iccpowi(lut16->clutlen, lut16->numinchans) * lut16->numoutchans; -- if (!(lut16->clut = jas_malloc(clutsize * sizeof(jas_iccuint16_t))) || -- !(lut16->intabsbuf = jas_malloc(lut16->numinchans * -- lut16->numintabents * sizeof(jas_iccuint16_t))) || -- !(lut16->intabs = jas_malloc(lut16->numinchans * -+ if (!(lut16->clut = jas_alloc2(clutsize, sizeof(jas_iccuint16_t))) || -+ !(lut16->intabsbuf = jas_alloc3(lut16->numinchans, -+ lut16->numintabents, sizeof(jas_iccuint16_t))) || -+ !(lut16->intabs = jas_alloc2(lut16->numinchans, - sizeof(jas_iccuint16_t *)))) - goto error; - for (i = 0; i < lut16->numinchans; ++i) - lut16->intabs[i] = &lut16->intabsbuf[i * lut16->numintabents]; -- if (!(lut16->outtabsbuf = jas_malloc(lut16->numoutchans * -- lut16->numouttabents * sizeof(jas_iccuint16_t))) || -- !(lut16->outtabs = jas_malloc(lut16->numoutchans * -+ if (!(lut16->outtabsbuf = jas_alloc3(lut16->numoutchans, -+ lut16->numouttabents, sizeof(jas_iccuint16_t))) || -+ !(lut16->outtabs = jas_alloc2(lut16->numoutchans, - sizeof(jas_iccuint16_t *)))) - goto error; - for (i = 0; i < lut16->numoutchans; ++i) -@@ -1699,6 +1699,8 @@ - jas_stream_close(in); - return prof; - error: -+ if (in) -+ jas_stream_close(in); - return 0; - } - diff --git a/graphics/jasper/patches/patch-src_libjasper_base_jas__image.c b/graphics/jasper/patches/patch-src_libjasper_base_jas__image.c deleted file mode 100644 index a3c8abc92e4..00000000000 --- a/graphics/jasper/patches/patch-src_libjasper_base_jas__image.c +++ /dev/null 
@@ -1,50 +0,0 @@ -$NetBSD: patch-src_libjasper_base_jas__image.c,v 1.2 2016/05/16 14:03:40 he Exp $ - -CVE-2016-2089 denial of service. Via Debian. - -Fix CVE-2008-3520, patches from -https://bugs.gentoo.org/show_bug.cgi?id=222819 - ---- src/libjasper/base/jas_image.c.old 2016-03-31 14:47:00.000000000 +0200 -+++ src/libjasper/base/jas_image.c 2016-03-31 14:47:50.000000000 +0200 -@@ -142,7 +142,7 @@ - image->inmem_ = true; - - /* Allocate memory for the per-component information. */ -- if (!(image->cmpts_ = jas_malloc(image->maxcmpts_ * -+ if (!(image->cmpts_ = jas_alloc2(image->maxcmpts_, - sizeof(jas_image_cmpt_t *)))) { - jas_image_destroy(image); - return 0; -@@ -426,6 +426,10 @@ - return -1; - } - -+ if (!data->rows_) { -+ return -1; -+ } -+ - if (jas_matrix_numrows(data) != height || jas_matrix_numcols(data) != width) { - if (jas_matrix_resize(data, height, width)) { - return -1; -@@ -479,6 +483,10 @@ - return -1; - } - -+ if (!data->rows_) { -+ return -1; -+ } -+ - if (jas_matrix_numrows(data) != height || jas_matrix_numcols(data) != width) { - return -1; - } -@@ -774,8 +782,7 @@ - jas_image_cmpt_t **newcmpts; - int cmptno; - -- newcmpts = (!image->cmpts_) ? jas_malloc(maxcmpts * sizeof(jas_image_cmpt_t *)) : -- jas_realloc(image->cmpts_, maxcmpts * sizeof(jas_image_cmpt_t *)); -+ newcmpts = jas_realloc2(image->cmpts_, maxcmpts, sizeof(jas_image_cmpt_t *)); - if (!newcmpts) { - return -1; - } diff --git a/graphics/jasper/patches/patch-src_libjasper_base_jas__malloc.c b/graphics/jasper/patches/patch-src_libjasper_base_jas__malloc.c deleted file mode 100644 index af4cf0dfcbe..00000000000 --- a/graphics/jasper/patches/patch-src_libjasper_base_jas__malloc.c +++ /dev/null 
@@ -1,75 +0,0 @@ -$NetBSD: patch-src_libjasper_base_jas__malloc.c,v 1.1 2016/05/16 14:03:40 he Exp $ - -Fix CVE-2008-3520, patches from -https://bugs.gentoo.org/show_bug.cgi?id=222819 - ---- src/libjasper/base/jas_malloc.c.orig 2007-01-19 21:43:05.000000000 +0000 -+++ src/libjasper/base/jas_malloc.c -@@ -76,6 +76,9 @@ - - /* We need the prototype for memset. */ - #include <string.h> -+#include <limits.h> -+#include <errno.h> -+#include <stdint.h> - - #include "jasper/jas_malloc.h" - -@@ -113,18 +116,50 @@ void jas_free(void *ptr) - - void *jas_realloc(void *ptr, size_t size) - { -- return realloc(ptr, size); -+ return ptr ? realloc(ptr, size) : malloc(size); - } - --void *jas_calloc(size_t nmemb, size_t size) -+void *jas_realloc2(void *ptr, size_t nmemb, size_t size) -+{ -+ if (!ptr) -+ return jas_alloc2(nmemb, size); -+ if (nmemb && SIZE_MAX / nmemb < size) { -+ errno = ENOMEM; -+ return NULL; -+ } -+ return jas_realloc(ptr, nmemb * size); -+ -+} -+ -+void *jas_alloc2(size_t nmemb, size_t size) -+{ -+ if (nmemb && SIZE_MAX / nmemb < size) { -+ errno = ENOMEM; -+ return NULL; -+ } -+ -+ return jas_malloc(nmemb * size); -+} -+ -+void *jas_alloc3(size_t a, size_t b, size_t c) - { -- void *ptr; - size_t n; -- n = nmemb * size; -- if (!(ptr = jas_malloc(n * sizeof(char)))) { -- return 0; -+ -+ if (a && SIZE_MAX / a < b) { -+ errno = ENOMEM; -+ return NULL; - } -- memset(ptr, 0, n); -+ -+ return jas_alloc2(a*b, c); -+} -+ -+void *jas_calloc(size_t nmemb, size_t size) -+{ -+ void *ptr; -+ -+ ptr = jas_alloc2(nmemb, size); -+ if (ptr) -+ memset(ptr, 0, nmemb*size); - return ptr; - } - diff --git a/graphics/jasper/patches/patch-src_libjasper_base_jas__seq.c b/graphics/jasper/patches/patch-src_libjasper_base_jas__seq.c index d544287720d..201849c547f 100644 --- a/graphics/jasper/patches/patch-src_libjasper_base_jas__seq.c +++ b/graphics/jasper/patches/patch-src_libjasper_base_jas__seq.c 
@@ -1,101 +1,16 @@ -$NetBSD: patch-src_libjasper_base_jas__seq.c,v 1.2 2016/05/16 14:03:40 he Exp $ +$NetBSD: patch-src_libjasper_base_jas__seq.c,v 1.3 2016/12/16 09:44:44 he Exp $ -CVE-2016-2089 denial of service. Via Debian. +Replace one sprintf with snprintf. -Fix CVE-2008-3520, patches from -https://bugs.gentoo.org/show_bug.cgi?id=222819 - ---- src/libjasper/base/jas_seq.c.old 2016-03-31 14:47:00.000000000 +0200 +--- src/libjasper/base/jas_seq.c.orig 2016-03-31 14:47:00.000000000 +0200 +++ src/libjasper/base/jas_seq.c 2016-03-31 14:47:50.000000000 +0200 -@@ -114,7 +114,7 @@ - matrix->datasize_ = numrows * numcols; - - if (matrix->maxrows_ > 0) { -- if (!(matrix->rows_ = jas_malloc(matrix->maxrows_ * -+ if (!(matrix->rows_ = jas_alloc2(matrix->maxrows_, - sizeof(jas_seqent_t *)))) { - jas_matrix_destroy(matrix); - return 0; -@@ -122,7 +122,7 @@ - } - - if (matrix->datasize_ > 0) { -- if (!(matrix->data_ = jas_malloc(matrix->datasize_ * -+ if (!(matrix->data_ = jas_alloc2(matrix->datasize_, - sizeof(jas_seqent_t)))) { - jas_matrix_destroy(matrix); - return 0; -@@ -220,7 +220,7 @@ - mat0->numrows_ = r1 - r0 + 1; - mat0->numcols_ = c1 - c0 + 1; - mat0->maxrows_ = mat0->numrows_; -- mat0->rows_ = jas_malloc(mat0->maxrows_ * sizeof(jas_seqent_t *)); -+ mat0->rows_ = jas_alloc2(mat0->maxrows_, sizeof(jas_seqent_t *)); - for (i = 0; i < mat0->numrows_; ++i) { - mat0->rows_[i] = mat1->rows_[r0 + i] + c0; - } -@@ -262,6 +262,10 @@ - int rowstep; - jas_seqent_t *data; - -+ if (!matrix->rows_) { -+ return; -+ } -+ - rowstep = jas_matrix_rowstep(matrix); - for (i = matrix->numrows_, rowstart = matrix->rows_[0]; i > 0; --i, - rowstart += rowstep) { -@@ -282,6 +286,10 @@ - jas_seqent_t *data; - int rowstep; - -+ if (!matrix->rows_) { -+ return; -+ } -+ - rowstep = jas_matrix_rowstep(matrix); - for (i = matrix->numrows_, rowstart = matrix->rows_[0]; i > 0; --i, - rowstart += rowstep) { -@@ -306,6 +314,10 @@ - int rowstep; - jas_seqent_t *data; - -+ if (!matrix->rows_) { -+ 
return; -+ } -+ - assert(n >= 0); - rowstep = jas_matrix_rowstep(matrix); - for (i = matrix->numrows_, rowstart = matrix->rows_[0]; i > 0; --i, -@@ -325,6 +337,10 @@ - int rowstep; - jas_seqent_t *data; - -+ if (!matrix->rows_) { -+ return; -+ } -+ - rowstep = jas_matrix_rowstep(matrix); - for (i = matrix->numrows_, rowstart = matrix->rows_[0]; i > 0; --i, - rowstart += rowstep) { -@@ -367,6 +383,10 @@ - int rowstep; - jas_seqent_t *data; - -+ if (!matrix->rows_) { -+ return; -+ } -+ - rowstep = jas_matrix_rowstep(matrix); - for (i = matrix->numrows_, rowstart = matrix->rows_[0]; i > 0; --i, - rowstart += rowstep) { -@@ -432,7 +452,8 @@ +@@ -493,7 +493,8 @@ int jas_seq2d_output(jas_matrix_t *matri for (i = 0; i < jas_matrix_numrows(matrix); ++i) { for (j = 0; j < jas_matrix_numcols(matrix); ++j) { x = jas_matrix_get(matrix, i, j); - sprintf(sbuf, "%s%4ld", (strlen(buf) > 0) ? " " : "", -+ snprintf(sbuf, sizeof sbuf, -+ "%s%4ld", (strlen(buf) > 0) ? " " : "", ++ snprintf(sbuf, sizeof sbuf, ++ "%s%4ld", (strlen(buf) > 0) ? " " : "", JAS_CAST(long, x)); - n = strlen(buf); - if (n + strlen(sbuf) > MAXLINELEN) { + n = JAS_CAST(int, strlen(buf)); + if (n + JAS_CAST(int, strlen(sbuf)) > MAXLINELEN) { diff --git a/graphics/jasper/patches/patch-src_libjasper_base_jas__stream.c b/graphics/jasper/patches/patch-src_libjasper_base_jas__stream.c index 637dc645e67..6002f955d49 100644 --- a/graphics/jasper/patches/patch-src_libjasper_base_jas__stream.c +++ b/graphics/jasper/patches/patch-src_libjasper_base_jas__stream.c 
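Review bot: The rewritten header of patch-src_libjasper_base_jas__seq.c now reads only `Replace one sprintf with snprintf.` and no longer records what became of the CVE-2016-2089 `if (!matrix->rows_)` guards and the CVE-2008-3520 `jas_alloc2` changes that this hunk drops from the local patch. The commit message says 1.900.29 integrates "most" of the pkgsrc patches, so each dropped security fix should be checked against the new upstream source and the result stated in the header, for example `CVE-2016-2089 and CVE-2008-3520 changes dropped, verified present upstream in 1.900.29.` The same applies to the trimmed patches for jas_stream.c (CVE-2008-3521 and CVE-2008-3522, including the `vsnprintf(buf, sizeof buf, fmt, ap)` change), jp2_cod.c (CVE-2008-3520) and jp2_dec.c (the oCERT-2014-012 channel-number check), and to the patch files this commit deletes outright.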
@@ -1,24 +1,10 @@ -$NetBSD: patch-src_libjasper_base_jas__stream.c,v 1.1 2016/05/16 14:03:40 he Exp $ +$NetBSD: patch-src_libjasper_base_jas__stream.c,v 1.2 2016/12/16 09:44:44 he Exp $ -Fix CVE-2008-3521 and CVE-2008-3522, patches from -https://bugs.gentoo.org/show_bug.cgi?id=222819 +Use mkstemp instead of tmpnam-based temp file creation. --- src/libjasper/base/jas_stream.c.orig 2007-01-19 21:43:05.000000000 +0000 +++ src/libjasper/base/jas_stream.c -@@ -212,7 +212,7 @@ jas_stream_t *jas_stream_memopen(char *b - if (buf) { - obj->buf_ = (unsigned char *) buf; - } else { -- obj->buf_ = jas_malloc(obj->bufsize_ * sizeof(char)); -+ obj->buf_ = jas_malloc(obj->bufsize_); - obj->myalloc_ = 1; - } - if (!obj->buf_) { -@@ -361,28 +361,22 @@ jas_stream_t *jas_stream_tmpfile() - } - obj->fd = -1; - obj->flags = 0; -- obj->pathname[0] = '\0'; +@@ -517,11 +517,10 @@ jas_stream_t *jas_stream_tmpfile() stream->obj_ = obj; /* Choose a file name. */ @@ -32,13 +18,9 @@ https://bugs.gentoo.org/show_bug.cgi?id=222819 jas_stream_destroy(stream); return 0; } - - /* Unlink the file so that it will disappear if the program - terminates abnormally. */ -- /* Under UNIX, one can unlink an open file and continue to do I/O -- on it. Not all operating systems support this functionality, however. -- For example, under Microsoft Windows the unlink operation will fail, -- since the file is open. */ +@@ -533,8 +532,8 @@ jas_stream_t *jas_stream_tmpfile() + For example, under Microsoft Windows the unlink operation will fail, + since the file is open. */ if (unlink(obj->pathname)) { - /* We will try unlinking the file again after it is closed. */ - obj->flags |= JAS_STREAM_FILEOBJ_DELONCLOSE; 
@@ -47,21 +29,3 @@ https://bugs.gentoo.org/show_bug.cgi?id=222819 } /* Use full buffering. */ -@@ -553,7 +547,7 @@ int jas_stream_printf(jas_stream_t *stre - int ret; - - va_start(ap, fmt); -- ret = vsprintf(buf, fmt, ap); -+ ret = vsnprintf(buf, sizeof buf, fmt, ap); - jas_stream_puts(stream, buf); - va_end(ap); - return ret; -@@ -992,7 +986,7 @@ static int mem_resize(jas_stream_memobj_ - unsigned char *buf; - - assert(m->buf_); -- if (!(buf = jas_realloc(m->buf_, bufsize * sizeof(unsigned char)))) { -+ if (!(buf = jas_realloc(m->buf_, bufsize))) { - return -1; - } - m->buf_ = buf; diff --git a/graphics/jasper/patches/patch-src_libjasper_bmp_bmp__dec.c b/graphics/jasper/patches/patch-src_libjasper_bmp_bmp__dec.c deleted file mode 100644 index a32eb4a6d02..00000000000 --- a/graphics/jasper/patches/patch-src_libjasper_bmp_bmp__dec.c +++ /dev/null @@ -1,16 +0,0 @@ -$NetBSD: patch-src_libjasper_bmp_bmp__dec.c,v 1.1 2016/05/16 14:03:40 he Exp $ - -Fix CVE-2008-3520, patches from -https://bugs.gentoo.org/show_bug.cgi?id=222819 - ---- src/libjasper/bmp/bmp_dec.c.orig 2007-01-19 21:43:07.000000000 +0000 -+++ src/libjasper/bmp/bmp_dec.c -@@ -283,7 +283,7 @@ static bmp_info_t *bmp_getinfo(jas_strea - } - - if (info->numcolors > 0) { -- if (!(info->palents = jas_malloc(info->numcolors * -+ if (!(info->palents = jas_alloc2(info->numcolors, - sizeof(bmp_palent_t)))) { - bmp_info_destroy(info); - return 0; diff --git a/graphics/jasper/patches/patch-src_libjasper_include_jasper_jas__malloc.h b/graphics/jasper/patches/patch-src_libjasper_include_jasper_jas__malloc.h deleted file mode 100644 index d8cd67dc7a8..00000000000 --- a/graphics/jasper/patches/patch-src_libjasper_include_jasper_jas__malloc.h +++ /dev/null 
@@ -1,30 +0,0 @@ -$NetBSD: patch-src_libjasper_include_jasper_jas__malloc.h,v 1.1 2016/05/16 14:03:40 he Exp $ - -Fix CVE-2008-3520, patches from -https://bugs.gentoo.org/show_bug.cgi?id=222819 - ---- src/libjasper/include/jasper/jas_malloc.h.orig 2007-01-19 21:43:04.000000000 +0000 -+++ src/libjasper/include/jasper/jas_malloc.h -@@ -95,6 +95,9 @@ extern "C" { - #define jas_free MEMFREE - #define jas_realloc MEMREALLOC - #define jas_calloc MEMCALLOC -+#define jas_alloc2(a, b) MEMALLOC((a)*(b)) -+#define jas_alloc3(a, b, c) MEMALLOC((a)*(b)*(c)) -+#define jas_realloc2(p, a, b) MEMREALLOC((p), (a)*(b)) - #endif - - /******************************************************************************\ -@@ -115,6 +118,12 @@ void *jas_realloc(void *ptr, size_t size - /* Allocate a block of memory and initialize the contents to zero. */ - void *jas_calloc(size_t nmemb, size_t size); - -+/* size-checked double allocation .*/ -+void *jas_alloc2(size_t, size_t); -+ -+void *jas_alloc3(size_t, size_t, size_t); -+ -+void *jas_realloc2(void *, size_t, size_t); - #endif - - #ifdef __cplusplus diff --git a/graphics/jasper/patches/patch-src_libjasper_jp2_jp2__cod.c b/graphics/jasper/patches/patch-src_libjasper_jp2_jp2__cod.c index c860c3af353..b5fd18c8a5f 100644 --- a/graphics/jasper/patches/patch-src_libjasper_jp2_jp2__cod.c +++ b/graphics/jasper/patches/patch-src_libjasper_jp2_jp2__cod.c 
@@ -1,49 +1,10 @@ -$NetBSD: patch-src_libjasper_jp2_jp2__cod.c,v 1.2 2016/05/16 14:03:40 he Exp $ +$NetBSD: patch-src_libjasper_jp2_jp2__cod.c,v 1.3 2016/12/16 09:44:44 he Exp $ Only output debug info if debuglevel >= 1. -Fix CVE-2008-3520, patches from -https://bugs.gentoo.org/show_bug.cgi?id=222819 - ---- src/libjasper/jp2/jp2_cod.c.old 2016-03-31 14:47:00.000000000 +0200 -+++ src/libjasper/jp2/jp2_cod.c 2016-03-31 14:48:20.000000000 +0200 -@@ -372,7 +372,7 @@ - jp2_bpcc_t *bpcc = &box->data.bpcc; - unsigned int i; - bpcc->numcmpts = box->datalen; -- if (!(bpcc->bpcs = jas_malloc(bpcc->numcmpts * sizeof(uint_fast8_t)))) { -+ if (!(bpcc->bpcs = jas_alloc2(bpcc->numcmpts, sizeof(uint_fast8_t)))) { - return -1; - } - for (i = 0; i < bpcc->numcmpts; ++i) { -@@ -416,7 +416,7 @@ - break; - case JP2_COLR_ICC: - colr->iccplen = box->datalen - 3; -- if (!(colr->iccp = jas_malloc(colr->iccplen * sizeof(uint_fast8_t)))) { -+ if (!(colr->iccp = jas_alloc2(colr->iccplen, sizeof(uint_fast8_t)))) { - return -1; - } - if (jas_stream_read(in, colr->iccp, colr->iccplen) != colr->iccplen) { -@@ -453,7 +453,7 @@ - if (jp2_getuint16(in, &cdef->numchans)) { - return -1; - } -- if (!(cdef->ents = jas_malloc(cdef->numchans * sizeof(jp2_cdefchan_t)))) { -+ if (!(cdef->ents = jas_alloc2(cdef->numchans, sizeof(jp2_cdefchan_t)))) { - return -1; - } - for (channo = 0; channo < cdef->numchans; ++channo) { -@@ -766,7 +766,7 @@ - unsigned int i; - - cmap->numchans = (box->datalen) / 4; -- if (!(cmap->ents = jas_malloc(cmap->numchans * sizeof(jp2_cmapent_t)))) { -+ if (!(cmap->ents = jas_alloc2(cmap->numchans, sizeof(jp2_cmapent_t)))) { - return -1; - } - for (i = 0; i < cmap->numchans; ++i) { -@@ -795,11 +795,15 @@ +--- src/libjasper/jp2/jp2_cod.c.orig 2016-11-16 15:03:41.000000000 +0000 ++++ src/libjasper/jp2/jp2_cod.c +@@ -808,11 +808,15 @@ static void jp2_cmap_dumpdata(jp2_box_t jp2_cmap_t *cmap = &box->data.cmap; unsigned int i; jp2_cmapent_t *ent; 
@@ -57,21 +18,8 @@ https://bugs.gentoo.org/show_bug.cgi?id=222819 - (int) ent->cmptno, (int) ent->map, (int) ent->pcol); + if (jas_getdbglevel() >= 1) { + fprintf(out, "cmptno=%d; map=%d; pcol=%d\n", -+ (int) ent->cmptno, (int) ent->map, (int) ent->pcol); ++ (int) ent->cmptno, (int) ent->map, (int) ent->pcol); + } } } -@@ -828,10 +832,10 @@ - return -1; - } - lutsize = pclr->numlutents * pclr->numchans; -- if (!(pclr->lutdata = jas_malloc(lutsize * sizeof(int_fast32_t)))) { -+ if (!(pclr->lutdata = jas_alloc2(lutsize, sizeof(int_fast32_t)))) { - return -1; - } -- if (!(pclr->bpc = jas_malloc(pclr->numchans * sizeof(uint_fast8_t)))) { -+ if (!(pclr->bpc = jas_alloc2(pclr->numchans, sizeof(uint_fast8_t)))) { - return -1; - } - for (i = 0; i < pclr->numchans; ++i) { diff --git a/graphics/jasper/patches/patch-src_libjasper_jp2_jp2__dec.c b/graphics/jasper/patches/patch-src_libjasper_jp2_jp2__dec.c index 27d086cda13..570012c6517 100644 --- a/graphics/jasper/patches/patch-src_libjasper_jp2_jp2__dec.c +++ b/graphics/jasper/patches/patch-src_libjasper_jp2_jp2__dec.c @@ -1,17 +1,12 @@ -$NetBSD: patch-src_libjasper_jp2_jp2__dec.c,v 1.2 2016/05/16 14:03:40 he Exp $ +$NetBSD: patch-src_libjasper_jp2_jp2__dec.c,v 1.3 2016/12/16 09:44:44 he Exp $ Only output debug info if debuglevel >= 1. -Apply fix for oCERT-2014-012, from -https://bugzilla.redhat.com/show_bug.cgi?id=1173162 -Fix CVE-2008-3520, patches from -https://bugs.gentoo.org/show_bug.cgi?id=222819 - ---- src/libjasper/jp2/jp2_dec.c.old 2016-03-31 14:47:00.000000000 +0200 -+++ src/libjasper/jp2/jp2_dec.c 2016-03-31 14:48:20.000000000 +0200 -@@ -293,7 +293,9 @@ - dec->colr->data.colr.iccplen); - assert(iccprof); +--- src/libjasper/jp2/jp2_dec.c.orig 2016-11-16 15:03:41.000000000 +0000 ++++ src/libjasper/jp2/jp2_dec.c +@@ -302,7 +302,9 @@ jas_image_t *jp2_decode(jas_stream_t *in + goto error; + } jas_iccprof_gethdr(iccprof, &icchdr); - jas_eprintf("ICC Profile CS %08x\n", icchdr.colorspc); + if (jas_getdbglevel() >= 1) { 
@@ -20,35 +15,3 @@ https://bugs.gentoo.org/show_bug.cgi?id=222819 jas_image_setclrspc(dec->image, fromiccpcs(icchdr.colorspc)); dec->image->cmprof_ = jas_cmprof_createfromiccprof(iccprof); assert(dec->image->cmprof_); -@@ -336,7 +338,7 @@ - } - - /* Allocate space for the channel-number to component-number LUT. */ -- if (!(dec->chantocmptlut = jas_malloc(dec->numchans * sizeof(uint_fast16_t)))) { -+ if (!(dec->chantocmptlut = jas_alloc2(dec->numchans, sizeof(uint_fast16_t)))) { - jas_eprintf("error: no memory\n"); - goto error; - } -@@ -354,7 +356,7 @@ - if (cmapent->map == JP2_CMAP_DIRECT) { - dec->chantocmptlut[channo] = channo; - } else if (cmapent->map == JP2_CMAP_PALETTE) { -- lutents = jas_malloc(pclrd->numlutents * sizeof(int_fast32_t)); -+ lutents = jas_alloc2(pclrd->numlutents, sizeof(int_fast32_t)); - for (i = 0; i < pclrd->numlutents; ++i) { - lutents[i] = pclrd->lutdata[cmapent->pcol + i * pclrd->numchans]; - } -@@ -386,6 +388,13 @@ - /* Determine the type of each component. */ - if (dec->cdef) { - for (i = 0; i < dec->numchans; ++i) { -+ /* Is the channel number reasonable? */ -+ if (dec->cdef->data.cdef.ents[i].channo >= dec->numchans) { -+ jas_eprintf("error: invalid channel number in CDEF box\n"); -+ -+ goto error; -+ -+ } - jas_image_setcmpttype(dec->image, - dec->chantocmptlut[dec->cdef->data.cdef.ents[i].channo], - jp2_getct(jas_image_clrspc(dec->image), diff --git a/graphics/jasper/patches/patch-src_libjasper_jp2_jp2__enc.c b/graphics/jasper/patches/patch-src_libjasper_jp2_jp2__enc.c index 445eae3bbb3..a5c484ee6c8 100644 --- a/graphics/jasper/patches/patch-src_libjasper_jp2_jp2__enc.c +++ b/graphics/jasper/patches/patch-src_libjasper_jp2_jp2__enc.c 
@@ -1,35 +1,18 @@ -$NetBSD: patch-src_libjasper_jp2_jp2__enc.c,v 1.1 2016/05/16 14:03:40 he Exp $ +$NetBSD: patch-src_libjasper_jp2_jp2__enc.c,v 1.2 2016/12/16 09:44:44 he Exp $ -Fix CVE-2008-3520, patches from -https://bugs.gentoo.org/show_bug.cgi?id=222819 +Replace an sprintf() with snprintf(). --- src/libjasper/jp2/jp2_enc.c.orig 2007-01-19 21:43:05.000000000 +0000 +++ src/libjasper/jp2/jp2_enc.c -@@ -191,7 +191,7 @@ int sgnd; - } - bpcc = &box->data.bpcc; - bpcc->numcmpts = jas_image_numcmpts(image); -- if (!(bpcc->bpcs = jas_malloc(bpcc->numcmpts * -+ if (!(bpcc->bpcs = jas_alloc2(bpcc->numcmpts, - sizeof(uint_fast8_t)))) { - goto error; - } -@@ -285,7 +285,7 @@ int sgnd; - } - cdef = &box->data.cdef; - cdef->numchans = jas_image_numcmpts(image); -- cdef->ents = jas_malloc(cdef->numchans * sizeof(jp2_cdefchan_t)); -+ cdef->ents = jas_alloc2(cdef->numchans, sizeof(jp2_cdefchan_t)); - for (i = 0; i < jas_image_numcmpts(image); ++i) { - cdefchanent = &cdef->ents[i]; - cdefchanent->channo = i; -@@ -343,7 +343,8 @@ int sgnd; +@@ -343,8 +343,9 @@ int jp2_encode(jas_image_t *image, jas_s /* Output the JPEG-2000 code stream. */ overhead = jas_stream_getrwcount(out); - sprintf(buf, "%s\n_jp2overhead=%lu\n", (optstr ? optstr : ""), -+ snprintf(buf, sizeof buf, "%s\n_jp2overhead=%lu\n", -+ (optstr ? optstr : ""), - (unsigned long) overhead); +- (unsigned long) overhead); ++ snprintf(buf, sizeof buf, "%s\n_jp2overhead=%lu\n", ++ (optstr ? optstr : ""), ++ (unsigned long) overhead); if (jpc_encode(image, out, buf)) { + goto error; diff --git a/graphics/jasper/patches/patch-src_libjasper_jpc_jpc__cs.c b/graphics/jasper/patches/patch-src_libjasper_jpc_jpc__cs.c deleted file mode 100644 index e386e8dabd3..00000000000 --- a/graphics/jasper/patches/patch-src_libjasper_jpc_jpc__cs.c +++ /dev/null 
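Review bot: The `snprintf()` that replaces `sprintf()` in the jp2_encode hunk ignores its return value, so an over-long `optstr` is now truncated silently and the trailing `_jp2overhead=` setting can be cut short or lost before `buf` reaches `jpc_encode()`. Capturing the result and failing closed keeps the bound and makes the truncation visible: `n = snprintf(buf, sizeof buf, ...);` followed by `if (n < 0 || (size_t)n >= sizeof buf) goto error;`. This assumes `buf` is a local array, so that `sizeof buf` is its capacity; its declaration is outside the hunk, as is the rest of jp2_encode. The jpc_enc.c patch later in this commit has the same unchecked call, although there the length is taken with `strlen(buf)` afterwards, so truncation only shortens the COM marker text.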
@@ -1,88 +0,0 @@ -$NetBSD: patch-src_libjasper_jpc_jpc__cs.c,v 1.2 2016/05/16 14:03:40 he Exp $ - -Add fixes for CVE-2011-4516 and CVE-2011-4517. - -Fix CVE-2008-3520, patches from -https://bugs.gentoo.org/show_bug.cgi?id=222819 - ---- src/libjasper/jpc/jpc_cs.c.orig 2007-01-19 21:43:07.000000000 +0000 -+++ src/libjasper/jpc/jpc_cs.c -@@ -502,7 +502,7 @@ static int jpc_siz_getparms(jpc_ms_t *ms - !siz->tileheight || !siz->numcomps) { - return -1; - } -- if (!(siz->comps = jas_malloc(siz->numcomps * sizeof(jpc_sizcomp_t)))) { -+ if (!(siz->comps = jas_alloc2(siz->numcomps, sizeof(jpc_sizcomp_t)))) { - return -1; - } - for (i = 0; i < siz->numcomps; ++i) { -@@ -744,6 +744,10 @@ static int jpc_cox_getcompparms(jpc_ms_t - return -1; - } - compparms->numrlvls = compparms->numdlvls + 1; -+ if (compparms->numrlvls > JPC_MAXRLVLS) { -+ jpc_cox_destroycompparms(compparms); -+ return -1; -+ } - if (prtflag) { - for (i = 0; i < compparms->numrlvls; ++i) { - if (jpc_getuint8(in, &tmp)) { -@@ -982,8 +986,11 @@ static int jpc_qcx_getcompparms(jpc_qcxc - compparms->numstepsizes = (len - n) / 2; - break; - } -- if (compparms->numstepsizes > 0) { -- compparms->stepsizes = jas_malloc(compparms->numstepsizes * -+ if (compparms->numstepsizes > 3 * JPC_MAXRLVLS + 1) { -+ jpc_qcx_destroycompparms(compparms); -+ return -1; -+ } else if (compparms->numstepsizes > 0) { -+ compparms->stepsizes = jas_alloc2(compparms->numstepsizes, - sizeof(uint_fast16_t)); - assert(compparms->stepsizes); - for (i = 0; i < compparms->numstepsizes; ++i) { -@@ -1091,7 +1098,7 @@ static int jpc_ppm_getparms(jpc_ms_t *ms - - ppm->len = ms->len - 1; - if (ppm->len > 0) { -- if (!(ppm->data = jas_malloc(ppm->len * sizeof(unsigned char)))) { -+ if (!(ppm->data = jas_malloc(ppm->len))) { - goto error; - } - if (JAS_CAST(uint, jas_stream_read(in, ppm->data, ppm->len)) != ppm->len) { -@@ -1160,7 +1167,7 @@ static int jpc_ppt_getparms(jpc_ms_t *ms - } - ppt->len = ms->len - 1; - if (ppt->len > 0) { -- if (!(ppt->data = 
jas_malloc(ppt->len * sizeof(unsigned char)))) { -+ if (!(ppt->data = jas_malloc(ppt->len))) { - goto error; - } - if (jas_stream_read(in, (char *) ppt->data, ppt->len) != JAS_CAST(int, ppt->len)) { -@@ -1223,7 +1230,7 @@ static int jpc_poc_getparms(jpc_ms_t *ms - uint_fast8_t tmp; - poc->numpchgs = (cstate->numcomps > 256) ? (ms->len / 9) : - (ms->len / 7); -- if (!(poc->pchgs = jas_malloc(poc->numpchgs * sizeof(jpc_pocpchg_t)))) { -+ if (!(poc->pchgs = jas_alloc2(poc->numpchgs, sizeof(jpc_pocpchg_t)))) { - goto error; - } - for (pchgno = 0, pchg = poc->pchgs; pchgno < poc->numpchgs; ++pchgno, -@@ -1328,7 +1335,7 @@ static int jpc_crg_getparms(jpc_ms_t *ms - jpc_crgcomp_t *comp; - uint_fast16_t compno; - crg->numcomps = cstate->numcomps; -- if (!(crg->comps = jas_malloc(cstate->numcomps * sizeof(uint_fast16_t)))) { -+ if (!(crg->comps = jas_alloc2(cstate->numcomps, sizeof(jpc_crgcomp_t)))) { - return -1; - } - for (compno = 0, comp = crg->comps; compno < cstate->numcomps; -@@ -1467,7 +1474,7 @@ static int jpc_unk_getparms(jpc_ms_t *ms - cstate = 0; - - if (ms->len > 0) { -- if (!(unk->data = jas_malloc(ms->len * sizeof(unsigned char)))) { -+ if (!(unk->data = jas_malloc(ms->len))) { - return -1; - } - if (jas_stream_read(in, (char *) unk->data, ms->len) != JAS_CAST(int, ms->len)) { diff --git a/graphics/jasper/patches/patch-src_libjasper_jpc_jpc__dec.c b/graphics/jasper/patches/patch-src_libjasper_jpc_jpc__dec.c index dd00becf38e..43518f2beb5 100644 --- a/graphics/jasper/patches/patch-src_libjasper_jpc_jpc__dec.c +++ b/graphics/jasper/patches/patch-src_libjasper_jpc_jpc__dec.c 
@@ -1,154 +1,13 @@ $NetBSD$ -Apply fixes from -http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=469786 -and -https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-9029 - -Also add a patch from Debian (bug #413041) to fix some heap corruption -on malformed image input (CVE-2007-2721), - -Apply fix for CVE-2014-8157, taken from -https://bugzilla.redhat.com/show_bug.cgi?id=1179282 - -Fix CVE-2008-3520, patches from -https://bugs.gentoo.org/show_bug.cgi?id=222819 +Only print on debug >= 1. --- src/libjasper/jpc/jpc_dec.c.old 2016-03-31 14:47:00.000000000 +0200 +++ src/libjasper/jpc/jpc_dec.c 2016-03-31 14:48:20.000000000 +0200 -@@ -449,7 +449,7 @@ - - if (dec->state == JPC_MH) { - -- compinfos = jas_malloc(dec->numcomps * sizeof(jas_image_cmptparm_t)); -+ compinfos = jas_alloc2(dec->numcomps, sizeof(jas_image_cmptparm_t)); - assert(compinfos); - for (cmptno = 0, cmpt = dec->cmpts, compinfo = compinfos; - cmptno < dec->numcomps; ++cmptno, ++cmpt, ++compinfo) { -@@ -489,7 +489,7 @@ - dec->curtileendoff = 0; - } - -- if (JAS_CAST(int, sot->tileno) > dec->numtiles) { -+ if (JAS_CAST(int, sot->tileno) >= dec->numtiles) { - jas_eprintf("invalid tile number in SOT marker segment\n"); - return -1; - } -@@ -692,7 +692,7 @@ - tile->realmode = 1; - } - tcomp->numrlvls = ccp->numrlvls; -- if (!(tcomp->rlvls = jas_malloc(tcomp->numrlvls * -+ if (!(tcomp->rlvls = jas_alloc2(tcomp->numrlvls, - sizeof(jpc_dec_rlvl_t)))) { - return -1; - } -@@ -764,7 +764,7 @@ - rlvl->cbgheightexpn); - - rlvl->numbands = (!rlvlno) ? 
1 : 3; -- if (!(rlvl->bands = jas_malloc(rlvl->numbands * -+ if (!(rlvl->bands = jas_alloc2(rlvl->numbands, - sizeof(jpc_dec_band_t)))) { - return -1; - } -@@ -797,7 +797,7 @@ - - assert(rlvl->numprcs); - -- if (!(band->prcs = jas_malloc(rlvl->numprcs * sizeof(jpc_dec_prc_t)))) { -+ if (!(band->prcs = jas_alloc2(rlvl->numprcs, sizeof(jpc_dec_prc_t)))) { - return -1; - } - -@@ -834,7 +834,7 @@ - if (!(prc->numimsbstagtree = jpc_tagtree_create(prc->numhcblks, prc->numvcblks))) { - return -1; - } -- if (!(prc->cblks = jas_malloc(prc->numcblks * sizeof(jpc_dec_cblk_t)))) { -+ if (!(prc->cblks = jas_alloc2(prc->numcblks, sizeof(jpc_dec_cblk_t)))) { - return -1; - } - -@@ -1069,12 +1069,12 @@ - /* Apply an inverse intercomponent transform if necessary. */ - switch (tile->cp->mctid) { - case JPC_MCT_RCT: -- assert(dec->numcomps == 3); -+ assert(dec->numcomps >= 3); - jpc_irct(tile->tcomps[0].data, tile->tcomps[1].data, - tile->tcomps[2].data); - break; - case JPC_MCT_ICT: -- assert(dec->numcomps == 3); -+ assert(dec->numcomps >= 3); - jpc_iict(tile->tcomps[0].data, tile->tcomps[1].data, - tile->tcomps[2].data); - break; -@@ -1181,7 +1181,7 @@ - return -1; - } - -- if (!(dec->cmpts = jas_malloc(dec->numcomps * sizeof(jpc_dec_cmpt_t)))) { -+ if (!(dec->cmpts = jas_alloc2(dec->numcomps, sizeof(jpc_dec_cmpt_t)))) { - return -1; - } - -@@ -1204,7 +1204,7 @@ - dec->numhtiles = JPC_CEILDIV(dec->xend - dec->tilexoff, dec->tilewidth); - dec->numvtiles = JPC_CEILDIV(dec->yend - dec->tileyoff, dec->tileheight); - dec->numtiles = dec->numhtiles * dec->numvtiles; -- if (!(dec->tiles = jas_malloc(dec->numtiles * sizeof(jpc_dec_tile_t)))) { -+ if (!(dec->tiles = jas_alloc2(dec->numtiles, sizeof(jpc_dec_tile_t)))) { - return -1; - } - -@@ -1228,12 +1228,13 @@ - tile->pkthdrstreampos = 0; - tile->pptstab = 0; - tile->cp = 0; -- if (!(tile->tcomps = jas_malloc(dec->numcomps * -+ if (!(tile->tcomps = jas_alloc2(dec->numcomps, - sizeof(jpc_dec_tcomp_t)))) { - return -1; - } - for (compno = 
0, cmpt = dec->cmpts, tcomp = tile->tcomps; - compno < dec->numcomps; ++compno, ++cmpt, ++tcomp) { -+ tcomp->numrlvls = 0; - tcomp->rlvls = 0; - tcomp->data = 0; - tcomp->xstart = JPC_CEILDIV(tile->xstart, cmpt->hstep); -@@ -1280,7 +1281,7 @@ - jpc_coc_t *coc = &ms->parms.coc; - jpc_dec_tile_t *tile; - -- if (JAS_CAST(int, coc->compno) > dec->numcomps) { -+ if (JAS_CAST(int, coc->compno) >= dec->numcomps) { - jas_eprintf("invalid component number in COC marker segment\n"); - return -1; - } -@@ -1306,7 +1307,7 @@ - jpc_rgn_t *rgn = &ms->parms.rgn; - jpc_dec_tile_t *tile; - -- if (JAS_CAST(int, rgn->compno) > dec->numcomps) { -+ if (JAS_CAST(int, rgn->compno) >= dec->numcomps) { - jas_eprintf("invalid component number in RGN marker segment\n"); - return -1; - } -@@ -1355,7 +1356,7 @@ - jpc_qcc_t *qcc = &ms->parms.qcc; - jpc_dec_tile_t *tile; - -- if (JAS_CAST(int, qcc->compno) > dec->numcomps) { -+ if (JAS_CAST(int, qcc->compno) >= dec->numcomps) { - jas_eprintf("invalid component number in QCC marker segment\n"); - return -1; - } -@@ -1466,7 +1467,9 @@ - dec = 0; +@@ -1565,7 +1565,9 @@ static int jpc_dec_process_unk(jpc_dec_t - jas_eprintf("warning: ignoring unknown marker segment\n"); + jas_eprintf("warning: ignoring unknown marker segment (0x%x)\n", + ms->id); - jpc_ms_dump(ms, stderr); + if (jas_getdbglevel() >= 1) { + jpc_ms_dump(ms, stderr); 
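Review bot: The rewritten patch comment for jpc_dec.c drops every advisory reference (CVE-2014-9029, CVE-2007-2721, CVE-2014-8157, CVE-2008-3520) together with the hunks that fixed them, and nothing in the new text records that 1.900.29 carries equivalent checks; the commit message only says "most" local patches were integrated. It is worth confirming in the 1.900.29 sources that the `>=` comparisons on `sot->tileno`, `coc->compno`, `rgn->compno` and `qcc->compno` and the `tcomp->numrlvls = 0` initialisation are present, and recording the result in the patch comment, for example `Security fixes formerly carried here are included upstream in 1.900.29.` The same check applies to the CDEF channel-number test removed from the jp2_dec.c patch and to the `JPC_MAXRLVLS` bounds that go away with the deleted jpc_cs.c patch. A decoder that parses untrusted images should not lose a bounds check through a patch refresh without a note saying where it went.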
@@ -156,42 +15,3 @@ https://bugs.gentoo.org/show_bug.cgi?id=222819 return 0; } -@@ -1489,7 +1492,7 @@ - cp->numlyrs = 0; - cp->mctid = 0; - cp->csty = 0; -- if (!(cp->ccps = jas_malloc(cp->numcomps * sizeof(jpc_dec_ccp_t)))) { -+ if (!(cp->ccps = jas_alloc2(cp->numcomps, sizeof(jpc_dec_ccp_t)))) { - return 0; - } - if (!(cp->pchglist = jpc_pchglist_create())) { -@@ -2048,7 +2051,7 @@ - } - streamlist->numstreams = 0; - streamlist->maxstreams = 100; -- if (!(streamlist->streams = jas_malloc(streamlist->maxstreams * -+ if (!(streamlist->streams = jas_alloc2(streamlist->maxstreams, - sizeof(jas_stream_t *)))) { - jas_free(streamlist); - return 0; -@@ -2068,8 +2071,8 @@ - /* Grow the array of streams if necessary. */ - if (streamlist->numstreams >= streamlist->maxstreams) { - newmaxstreams = streamlist->maxstreams + 1024; -- if (!(newstreams = jas_realloc(streamlist->streams, -- (newmaxstreams + 1024) * sizeof(jas_stream_t *)))) { -+ if (!(newstreams = jas_realloc2(streamlist->streams, -+ (newmaxstreams + 1024), sizeof(jas_stream_t *)))) { - return -1; - } - for (i = streamlist->numstreams; i < streamlist->maxstreams; ++i) { -@@ -2155,8 +2158,7 @@ - { - jpc_ppxstabent_t **newents; - if (tab->maxents < maxents) { -- newents = (tab->ents) ? jas_realloc(tab->ents, maxents * -- sizeof(jpc_ppxstabent_t *)) : jas_malloc(maxents * sizeof(jpc_ppxstabent_t *)); -+ newents = jas_realloc2(tab->ents, maxents, sizeof(jpc_ppxstabent_t *)); - if (!newents) { - return -1; - } diff --git a/graphics/jasper/patches/patch-src_libjasper_jpc_jpc__enc.c b/graphics/jasper/patches/patch-src_libjasper_jpc_jpc__enc.c index e10acd11eb9..ee67fe8170b 100644 --- a/graphics/jasper/patches/patch-src_libjasper_jpc_jpc__enc.c +++ b/graphics/jasper/patches/patch-src_libjasper_jpc_jpc__enc.c 
@@ -1,107 +1,16 @@ -$NetBSD: patch-src_libjasper_jpc_jpc__enc.c,v 1.1 2016/05/16 14:03:40 he Exp $ +$NetBSD: patch-src_libjasper_jpc_jpc__enc.c,v 1.2 2016/12/16 09:44:44 he Exp $ -Fix CVE-2008-3520, patches from -https://bugs.gentoo.org/show_bug.cgi?id=222819 +Replace an sprintf() with snprintf(). --- src/libjasper/jpc/jpc_enc.c.orig 2007-01-19 21:43:07.000000000 +0000 +++ src/libjasper/jpc/jpc_enc.c -@@ -403,7 +403,7 @@ static jpc_enc_cp_t *cp_create(char *opt - vsteplcm *= jas_image_cmptvstep(image, cmptno); - } - -- if (!(cp->ccps = jas_malloc(cp->numcmpts * sizeof(jpc_enc_ccp_t)))) { -+ if (!(cp->ccps = jas_alloc2(cp->numcmpts, sizeof(jpc_enc_ccp_t)))) { - goto error; - } - for (cmptno = 0, ccp = cp->ccps; cmptno < JAS_CAST(int, cp->numcmpts); ++cmptno, -@@ -656,7 +656,7 @@ static jpc_enc_cp_t *cp_create(char *opt - - if (ilyrrates && numilyrrates > 0) { - tcp->numlyrs = numilyrrates + 1; -- if (!(tcp->ilyrrates = jas_malloc((tcp->numlyrs - 1) * -+ if (!(tcp->ilyrrates = jas_alloc2((tcp->numlyrs - 1), - sizeof(jpc_fix_t)))) { - goto error; - } -@@ -940,7 +940,7 @@ startoff = jas_stream_getrwcount(enc->ou - siz->tilewidth = cp->tilewidth; - siz->tileheight = cp->tileheight; - siz->numcomps = cp->numcmpts; -- siz->comps = jas_malloc(siz->numcomps * sizeof(jpc_sizcomp_t)); -+ siz->comps = jas_alloc2(siz->numcomps, sizeof(jpc_sizcomp_t)); - assert(siz->comps); - for (i = 0; i < JAS_CAST(int, cp->numcmpts); ++i) { - siz->comps[i].prec = cp->ccps[i].prec; -@@ -958,7 +958,8 @@ startoff = jas_stream_getrwcount(enc->ou +@@ -957,7 +957,8 @@ startoff = jas_stream_getrwcount(enc->ou if (!(enc->mrk = jpc_ms_create(JPC_MS_COM))) { return -1; } - sprintf(buf, "Creator: JasPer Version %s", jas_getversion()); -+ snprintf(buf, sizeof buf, "Creator: JasPer Version %s", -+ jas_getversion()); ++ snprintf(buf, sizeof buf, "Creator: JasPer Version %s", ++ jas_getversion()); com = &enc->mrk->parms.com; - com->len = strlen(buf); + com->len = JAS_CAST(uint_fast16_t, strlen(buf)); 
com->regid = JPC_COM_LATIN; -@@ -977,7 +978,7 @@ startoff = jas_stream_getrwcount(enc->ou - return -1; - } - crg = &enc->mrk->parms.crg; -- crg->comps = jas_malloc(crg->numcomps * sizeof(jpc_crgcomp_t)); -+ crg->comps = jas_alloc2(crg->numcomps, sizeof(jpc_crgcomp_t)); - if (jpc_putms(enc->out, enc->cstate, enc->mrk)) { - jas_eprintf("cannot write CRG marker\n"); - return -1; -@@ -1955,7 +1956,7 @@ jpc_enc_tile_t *jpc_enc_tile_create(jpc_ - tile->mctid = cp->tcp.mctid; - - tile->numlyrs = cp->tcp.numlyrs; -- if (!(tile->lyrsizes = jas_malloc(tile->numlyrs * -+ if (!(tile->lyrsizes = jas_alloc2(tile->numlyrs, - sizeof(uint_fast32_t)))) { - goto error; - } -@@ -1964,7 +1965,7 @@ jpc_enc_tile_t *jpc_enc_tile_create(jpc_ - } - - /* Allocate an array for the per-tile-component information. */ -- if (!(tile->tcmpts = jas_malloc(cp->numcmpts * sizeof(jpc_enc_tcmpt_t)))) { -+ if (!(tile->tcmpts = jas_alloc2(cp->numcmpts, sizeof(jpc_enc_tcmpt_t)))) { - goto error; - } - /* Initialize a few members critical for error recovery. 
*/ -@@ -2110,7 +2111,7 @@ static jpc_enc_tcmpt_t *tcmpt_create(jpc - jas_seq2d_ystart(tcmpt->data), jas_seq2d_xend(tcmpt->data), - jas_seq2d_yend(tcmpt->data), bandinfos); - -- if (!(tcmpt->rlvls = jas_malloc(tcmpt->numrlvls * sizeof(jpc_enc_rlvl_t)))) { -+ if (!(tcmpt->rlvls = jas_alloc2(tcmpt->numrlvls, sizeof(jpc_enc_rlvl_t)))) { - goto error; - } - for (rlvlno = 0, rlvl = tcmpt->rlvls; rlvlno < tcmpt->numrlvls; -@@ -2213,7 +2214,7 @@ static jpc_enc_rlvl_t *rlvl_create(jpc_e - rlvl->numvprcs = JPC_FLOORDIVPOW2(brprcbry - tlprctly, rlvl->prcheightexpn); - rlvl->numprcs = rlvl->numhprcs * rlvl->numvprcs; - -- if (!(rlvl->bands = jas_malloc(rlvl->numbands * sizeof(jpc_enc_band_t)))) { -+ if (!(rlvl->bands = jas_alloc2(rlvl->numbands, sizeof(jpc_enc_band_t)))) { - goto error; - } - for (bandno = 0, band = rlvl->bands; bandno < rlvl->numbands; -@@ -2290,7 +2291,7 @@ if (bandinfo->xstart != bandinfo->xend & - band->synweight = bandinfo->synenergywt; - - if (band->data) { -- if (!(band->prcs = jas_malloc(rlvl->numprcs * sizeof(jpc_enc_prc_t)))) { -+ if (!(band->prcs = jas_alloc2(rlvl->numprcs, sizeof(jpc_enc_prc_t)))) { - goto error; - } - for (prcno = 0, prc = band->prcs; prcno < rlvl->numprcs; ++prcno, -@@ -2422,7 +2423,7 @@ if (!rlvlno) { - goto error; - } - -- if (!(prc->cblks = jas_malloc(prc->numcblks * sizeof(jpc_enc_cblk_t)))) { -+ if (!(prc->cblks = jas_alloc2(prc->numcblks, sizeof(jpc_enc_cblk_t)))) { - goto error; - } - for (cblkno = 0, cblk = prc->cblks; cblkno < prc->numcblks; diff --git a/graphics/jasper/patches/patch-src_libjasper_jpc_jpc__mqdec.c b/graphics/jasper/patches/patch-src_libjasper_jpc_jpc__mqdec.c deleted file mode 100644 index 6b95fe44b10..00000000000 --- a/graphics/jasper/patches/patch-src_libjasper_jpc_jpc__mqdec.c +++ /dev/null 
@@ -1,16 +0,0 @@
-$NetBSD: patch-src_libjasper_jpc_jpc__mqdec.c,v 1.1 2016/05/16 14:03:40 he Exp $
-
-Fix CVE-2008-3520, patches from
-https://bugs.gentoo.org/show_bug.cgi?id=222819
-
---- src/libjasper/jpc/jpc_mqdec.c.orig 2007-01-19 21:43:07.000000000 +0000
-+++ src/libjasper/jpc/jpc_mqdec.c
-@@ -118,7 +118,7 @@ jpc_mqdec_t *jpc_mqdec_create(int maxctx
- mqdec->in = in;
- mqdec->maxctxs = maxctxs;
- /* Allocate memory for the per-context state information. */
-- if (!(mqdec->ctxs = jas_malloc(mqdec->maxctxs * sizeof(jpc_mqstate_t *)))) {
-+ if (!(mqdec->ctxs = jas_alloc2(mqdec->maxctxs, sizeof(jpc_mqstate_t *)))) {
- goto error;
- }
- /* Set the current context to the first context. */
diff --git a/graphics/jasper/patches/patch-src_libjasper_jpc_jpc__mqenc.c b/graphics/jasper/patches/patch-src_libjasper_jpc_jpc__mqenc.c
deleted file mode 100644
index 1abe368a853..00000000000
--- a/graphics/jasper/patches/patch-src_libjasper_jpc_jpc__mqenc.c
+++ /dev/null
@@ -1,16 +0,0 @@
-$NetBSD: patch-src_libjasper_jpc_jpc__mqenc.c,v 1.1 2016/05/16 14:03:40 he Exp $
-
-Fix CVE-2008-3520, patches from
-https://bugs.gentoo.org/show_bug.cgi?id=222819
-
---- src/libjasper/jpc/jpc_mqenc.c.orig 2007-01-19 21:43:07.000000000 +0000
-+++ src/libjasper/jpc/jpc_mqenc.c
-@@ -197,7 +197,7 @@ jpc_mqenc_t *jpc_mqenc_create(int maxctx
- mqenc->maxctxs = maxctxs;
-
- /* Allocate memory for the per-context state information. */
-- if (!(mqenc->ctxs = jas_malloc(mqenc->maxctxs * sizeof(jpc_mqstate_t *)))) {
-+ if (!(mqenc->ctxs = jas_alloc2(mqenc->maxctxs, sizeof(jpc_mqstate_t *)))) {
- goto error;
- }
-
diff --git a/graphics/jasper/patches/patch-src_libjasper_jpc_jpc__qmfb.c b/graphics/jasper/patches/patch-src_libjasper_jpc_jpc__qmfb.c
deleted file mode 100644
index 0d91b73117c..00000000000
--- a/graphics/jasper/patches/patch-src_libjasper_jpc_jpc__qmfb.c
+++ /dev/null
@@ -1,344 +0,0 @@ -$NetBSD: patch-src_libjasper_jpc_jpc__qmfb.c,v 1.2 2016/05/16 14:03:40 he Exp $ - -Fix CVE-2014-8158. Patch taken from -https://bugzilla.redhat.com/show_bug.cgi?id=1179298 - -Fix CVE-2008-3520, patches from -https://bugs.gentoo.org/show_bug.cgi?id=222819 - ---- src/libjasper/jpc/jpc_qmfb.c.old 2016-03-31 14:47:00.000000000 +0200 -+++ src/libjasper/jpc/jpc_qmfb.c 2016-03-31 14:48:03.000000000 +0200 -@@ -306,11 +306,7 @@ - { - - int bufsize = JPC_CEILDIVPOW2(numcols, 1); --#if !defined(HAVE_VLA) - jpc_fix_t splitbuf[QMFB_SPLITBUFSIZE]; --#else -- jpc_fix_t splitbuf[bufsize]; --#endif - jpc_fix_t *buf = splitbuf; - register jpc_fix_t *srcptr; - register jpc_fix_t *dstptr; -@@ -318,15 +314,13 @@ - register int m; - int hstartcol; - --#if !defined(HAVE_VLA) - /* Get a buffer. */ - if (bufsize > QMFB_SPLITBUFSIZE) { -- if (!(buf = jas_malloc(bufsize * sizeof(jpc_fix_t)))) { -+ if (!(buf = jas_alloc2(bufsize, sizeof(jpc_fix_t)))) { - /* We have no choice but to commit suicide in this case. */ - abort(); - } - } --#endif - - if (numcols >= 2) { - hstartcol = (numcols + 1 - parity) >> 1; -@@ -360,12 +354,10 @@ - } - } - --#if !defined(HAVE_VLA) - /* If the split buffer was allocated on the heap, free this memory. */ - if (buf != splitbuf) { - jas_free(buf); - } --#endif - - } - -@@ -374,11 +366,7 @@ - { - - int bufsize = JPC_CEILDIVPOW2(numrows, 1); --#if !defined(HAVE_VLA) - jpc_fix_t splitbuf[QMFB_SPLITBUFSIZE]; --#else -- jpc_fix_t splitbuf[bufsize]; --#endif - jpc_fix_t *buf = splitbuf; - register jpc_fix_t *srcptr; - register jpc_fix_t *dstptr; -@@ -386,15 +374,13 @@ - register int m; - int hstartcol; - --#if !defined(HAVE_VLA) - /* Get a buffer. */ - if (bufsize > QMFB_SPLITBUFSIZE) { -- if (!(buf = jas_malloc(bufsize * sizeof(jpc_fix_t)))) { -+ if (!(buf = jas_alloc2(bufsize, sizeof(jpc_fix_t)))) { - /* We have no choice but to commit suicide in this case. 
*/ - abort(); - } - } --#endif - - if (numrows >= 2) { - hstartcol = (numrows + 1 - parity) >> 1; -@@ -428,12 +414,10 @@ - } - } - --#if !defined(HAVE_VLA) - /* If the split buffer was allocated on the heap, free this memory. */ - if (buf != splitbuf) { - jas_free(buf); - } --#endif - - } - -@@ -442,11 +426,7 @@ - { - - int bufsize = JPC_CEILDIVPOW2(numrows, 1); --#if !defined(HAVE_VLA) - jpc_fix_t splitbuf[QMFB_SPLITBUFSIZE * JPC_QMFB_COLGRPSIZE]; --#else -- jpc_fix_t splitbuf[bufsize * JPC_QMFB_COLGRPSIZE]; --#endif - jpc_fix_t *buf = splitbuf; - jpc_fix_t *srcptr; - jpc_fix_t *dstptr; -@@ -457,15 +437,13 @@ - int m; - int hstartcol; - --#if !defined(HAVE_VLA) - /* Get a buffer. */ - if (bufsize > QMFB_SPLITBUFSIZE) { -- if (!(buf = jas_malloc(bufsize * sizeof(jpc_fix_t)))) { -+ if (!(buf = jas_alloc2(bufsize, sizeof(jpc_fix_t)))) { - /* We have no choice but to commit suicide in this case. */ - abort(); - } - } --#endif - - if (numrows >= 2) { - hstartcol = (numrows + 1 - parity) >> 1; -@@ -517,12 +495,10 @@ - } - } - --#if !defined(HAVE_VLA) - /* If the split buffer was allocated on the heap, free this memory. */ - if (buf != splitbuf) { - jas_free(buf); - } --#endif - - } - -@@ -531,11 +507,7 @@ - { - - int bufsize = JPC_CEILDIVPOW2(numrows, 1); --#if !defined(HAVE_VLA) - jpc_fix_t splitbuf[QMFB_SPLITBUFSIZE * JPC_QMFB_COLGRPSIZE]; --#else -- jpc_fix_t splitbuf[bufsize * numcols]; --#endif - jpc_fix_t *buf = splitbuf; - jpc_fix_t *srcptr; - jpc_fix_t *dstptr; -@@ -546,15 +518,13 @@ - int m; - int hstartcol; - --#if !defined(HAVE_VLA) - /* Get a buffer. */ - if (bufsize > QMFB_SPLITBUFSIZE) { -- if (!(buf = jas_malloc(bufsize * sizeof(jpc_fix_t)))) { -+ if (!(buf = jas_alloc2(bufsize, sizeof(jpc_fix_t)))) { - /* We have no choice but to commit suicide in this case. 
*/ - abort(); - } - } --#endif - - if (numrows >= 2) { - hstartcol = (numrows + 1 - parity) >> 1; -@@ -606,12 +576,10 @@ - } - } - --#if !defined(HAVE_VLA) - /* If the split buffer was allocated on the heap, free this memory. */ - if (buf != splitbuf) { - jas_free(buf); - } --#endif - - } - -@@ -619,26 +587,20 @@ - { - - int bufsize = JPC_CEILDIVPOW2(numcols, 1); --#if !defined(HAVE_VLA) - jpc_fix_t joinbuf[QMFB_JOINBUFSIZE]; --#else -- jpc_fix_t joinbuf[bufsize]; --#endif - jpc_fix_t *buf = joinbuf; - register jpc_fix_t *srcptr; - register jpc_fix_t *dstptr; - register int n; - int hstartcol; - --#if !defined(HAVE_VLA) - /* Allocate memory for the join buffer from the heap. */ - if (bufsize > QMFB_JOINBUFSIZE) { -- if (!(buf = jas_malloc(bufsize * sizeof(jpc_fix_t)))) { -+ if (!(buf = jas_alloc2(bufsize, sizeof(jpc_fix_t)))) { - /* We have no choice but to commit suicide. */ - abort(); - } - } --#endif - - hstartcol = (numcols + 1 - parity) >> 1; - -@@ -670,12 +632,10 @@ - ++srcptr; - } - --#if !defined(HAVE_VLA) - /* If the join buffer was allocated on the heap, free this memory. */ - if (buf != joinbuf) { - jas_free(buf); - } --#endif - - } - -@@ -684,26 +644,20 @@ - { - - int bufsize = JPC_CEILDIVPOW2(numrows, 1); --#if !defined(HAVE_VLA) - jpc_fix_t joinbuf[QMFB_JOINBUFSIZE]; --#else -- jpc_fix_t joinbuf[bufsize]; --#endif - jpc_fix_t *buf = joinbuf; - register jpc_fix_t *srcptr; - register jpc_fix_t *dstptr; - register int n; - int hstartcol; - --#if !defined(HAVE_VLA) - /* Allocate memory for the join buffer from the heap. */ - if (bufsize > QMFB_JOINBUFSIZE) { -- if (!(buf = jas_malloc(bufsize * sizeof(jpc_fix_t)))) { -+ if (!(buf = jas_alloc2(bufsize, sizeof(jpc_fix_t)))) { - /* We have no choice but to commit suicide. */ - abort(); - } - } --#endif - - hstartcol = (numrows + 1 - parity) >> 1; - -@@ -735,12 +689,10 @@ - ++srcptr; - } - --#if !defined(HAVE_VLA) - /* If the join buffer was allocated on the heap, free this memory. 
*/ - if (buf != joinbuf) { - jas_free(buf); - } --#endif - - } - -@@ -749,11 +701,7 @@ - { - - int bufsize = JPC_CEILDIVPOW2(numrows, 1); --#if !defined(HAVE_VLA) - jpc_fix_t joinbuf[QMFB_JOINBUFSIZE * JPC_QMFB_COLGRPSIZE]; --#else -- jpc_fix_t joinbuf[bufsize * JPC_QMFB_COLGRPSIZE]; --#endif - jpc_fix_t *buf = joinbuf; - jpc_fix_t *srcptr; - jpc_fix_t *dstptr; -@@ -763,15 +711,13 @@ - register int i; - int hstartcol; - --#if !defined(HAVE_VLA) - /* Allocate memory for the join buffer from the heap. */ - if (bufsize > QMFB_JOINBUFSIZE) { -- if (!(buf = jas_malloc(bufsize * JPC_QMFB_COLGRPSIZE * sizeof(jpc_fix_t)))) { -+ if (!(buf = jas_alloc2(bufsize, JPC_QMFB_COLGRPSIZE * sizeof(jpc_fix_t)))) { - /* We have no choice but to commit suicide. */ - abort(); - } - } --#endif - - hstartcol = (numrows + 1 - parity) >> 1; - -@@ -821,12 +767,10 @@ - srcptr += JPC_QMFB_COLGRPSIZE; - } - --#if !defined(HAVE_VLA) - /* If the join buffer was allocated on the heap, free this memory. */ - if (buf != joinbuf) { - jas_free(buf); - } --#endif - - } - -@@ -835,11 +779,7 @@ - { - - int bufsize = JPC_CEILDIVPOW2(numrows, 1); --#if !defined(HAVE_VLA) - jpc_fix_t joinbuf[QMFB_JOINBUFSIZE * JPC_QMFB_COLGRPSIZE]; --#else -- jpc_fix_t joinbuf[bufsize * numcols]; --#endif - jpc_fix_t *buf = joinbuf; - jpc_fix_t *srcptr; - jpc_fix_t *dstptr; -@@ -849,15 +789,13 @@ - register int i; - int hstartcol; - --#if !defined(HAVE_VLA) - /* Allocate memory for the join buffer from the heap. */ - if (bufsize > QMFB_JOINBUFSIZE) { -- if (!(buf = jas_malloc(bufsize * numcols * sizeof(jpc_fix_t)))) { -+ if (!(buf = jas_alloc3(bufsize, numcols, sizeof(jpc_fix_t)))) { - /* We have no choice but to commit suicide. */ - abort(); - } - } --#endif - - hstartcol = (numrows + 1 - parity) >> 1; - -@@ -907,12 +845,10 @@ - srcptr += numcols; - } - --#if !defined(HAVE_VLA) - /* If the join buffer was allocated on the heap, free this memory. */ - if (buf != joinbuf) { - jas_free(buf); - } --#endif - - } - 
diff --git a/graphics/jasper/patches/patch-src_libjasper_jpc_jpc__t1enc.c b/graphics/jasper/patches/patch-src_libjasper_jpc_jpc__t1enc.c
deleted file mode 100644
index 665805bf66d..00000000000
--- a/graphics/jasper/patches/patch-src_libjasper_jpc_jpc__t1enc.c
+++ /dev/null
@@ -1,16 +0,0 @@
-$NetBSD: patch-src_libjasper_jpc_jpc__t1enc.c,v 1.1 2016/05/16 14:03:40 he Exp $
-
-Fix CVE-2008-3520, patches from
-https://bugs.gentoo.org/show_bug.cgi?id=222819
-
---- src/libjasper/jpc/jpc_t1enc.c.orig 2007-01-19 21:43:07.000000000 +0000
-+++ src/libjasper/jpc/jpc_t1enc.c
-@@ -219,7 +219,7 @@ int jpc_enc_enccblk(jpc_enc_t *enc, jas_
-
- cblk->numpasses = (cblk->numbps > 0) ? (3 * cblk->numbps - 2) : 0;
- if (cblk->numpasses > 0) {
-- cblk->passes = jas_malloc(cblk->numpasses * sizeof(jpc_enc_pass_t));
-+ cblk->passes = jas_alloc2(cblk->numpasses, sizeof(jpc_enc_pass_t));
- assert(cblk->passes);
- } else {
- cblk->passes = 0;
diff --git a/graphics/jasper/patches/patch-src_libjasper_jpc_jpc__t2cod.c b/graphics/jasper/patches/patch-src_libjasper_jpc_jpc__t2cod.c
deleted file mode 100644
index 7d732a1a600..00000000000
--- a/graphics/jasper/patches/patch-src_libjasper_jpc_jpc__t2cod.c
+++ /dev/null
@@ -1,16 +0,0 @@
-$NetBSD: patch-src_libjasper_jpc_jpc__t2cod.c,v 1.1 2016/05/16 14:03:40 he Exp $
-
-Fix CVE-2008-3520, patches from
-https://bugs.gentoo.org/show_bug.cgi?id=222819
-
---- src/libjasper/jpc/jpc_t2cod.c.orig 2007-01-19 21:43:07.000000000 +0000
-+++ src/libjasper/jpc/jpc_t2cod.c
-@@ -573,7 +573,7 @@ int jpc_pchglist_insert(jpc_pchglist_t *
- }
- if (pchglist->numpchgs >= pchglist->maxpchgs) {
- newmaxpchgs = pchglist->maxpchgs + 128;
-- if (!(newpchgs = jas_realloc(pchglist->pchgs, newmaxpchgs * sizeof(jpc_pchg_t *)))) {
-+ if (!(newpchgs = jas_realloc2(pchglist->pchgs, newmaxpchgs, sizeof(jpc_pchg_t *)))) {
- return -1;
- }
- pchglist->maxpchgs = newmaxpchgs;
diff --git a/graphics/jasper/patches/patch-src_libjasper_jpc_jpc__t2dec.c b/graphics/jasper/patches/patch-src_libjasper_jpc_jpc__t2dec.c
deleted file mode 100644
index 6739bb9c4a8..00000000000
--- a/graphics/jasper/patches/patch-src_libjasper_jpc_jpc__t2dec.c
+++ /dev/null
@@ -1,34 +0,0 @@
-$NetBSD: patch-src_libjasper_jpc_jpc__t2dec.c,v 1.1 2016/05/16 14:03:40 he Exp $
-
-Fix CVE-2008-3520, patches from
-https://bugs.gentoo.org/show_bug.cgi?id=222819
-
---- src/libjasper/jpc/jpc_t2dec.c.orig 2007-01-19 21:43:07.000000000 +0000
-+++ src/libjasper/jpc/jpc_t2dec.c
-@@ -478,7 +478,7 @@ jpc_pi_t *jpc_dec_pi_create(jpc_dec_t *d
- return 0;
- }
- pi->numcomps = dec->numcomps;
-- if (!(pi->picomps = jas_malloc(pi->numcomps * sizeof(jpc_picomp_t)))) {
-+ if (!(pi->picomps = jas_alloc2(pi->numcomps, sizeof(jpc_picomp_t)))) {
- jpc_pi_destroy(pi);
- return 0;
- }
-@@ -490,7 +490,7 @@ jpc_pi_t *jpc_dec_pi_create(jpc_dec_t *d
- for (compno = 0, tcomp = tile->tcomps, picomp = pi->picomps;
- compno < pi->numcomps; ++compno, ++tcomp, ++picomp) {
- picomp->numrlvls = tcomp->numrlvls;
-- if (!(picomp->pirlvls = jas_malloc(picomp->numrlvls *
-+ if (!(picomp->pirlvls = jas_alloc2(picomp->numrlvls,
- sizeof(jpc_pirlvl_t)))) {
- jpc_pi_destroy(pi);
- return 0;
-@@ -503,7 +503,7 @@ jpc_pi_t *jpc_dec_pi_create(jpc_dec_t *d
- rlvlno < picomp->numrlvls; ++rlvlno, ++pirlvl, ++rlvl) {
- /* XXX sizeof(long) should be sizeof different type */
- pirlvl->numprcs = rlvl->numprcs;
-- if (!(pirlvl->prclyrnos = jas_malloc(pirlvl->numprcs *
-+ if (!(pirlvl->prclyrnos = jas_alloc2(pirlvl->numprcs,
- sizeof(long)))) {
- jpc_pi_destroy(pi);
- return 0;
diff --git a/graphics/jasper/patches/patch-src_libjasper_jpc_jpc__t2enc.c b/graphics/jasper/patches/patch-src_libjasper_jpc_jpc__t2enc.c
deleted file mode 100644
index e490862ac3c..00000000000
--- a/graphics/jasper/patches/patch-src_libjasper_jpc_jpc__t2enc.c
+++ /dev/null
@@ -1,34 +0,0 @@
-$NetBSD: patch-src_libjasper_jpc_jpc__t2enc.c,v 1.1 2016/05/16 14:03:40 he Exp $
-
-Fix CVE-2008-3520, patches from
-https://bugs.gentoo.org/show_bug.cgi?id=222819
-
---- src/libjasper/jpc/jpc_t2enc.c.orig 2007-01-19 21:43:07.000000000 +0000
-+++ src/libjasper/jpc/jpc_t2enc.c
-@@ -565,7 +565,7 @@ jpc_pi_t *jpc_enc_pi_create(jpc_enc_cp_t
- }
- pi->pktno = -1;
- pi->numcomps = cp->numcmpts;
-- if (!(pi->picomps = jas_malloc(pi->numcomps * sizeof(jpc_picomp_t)))) {
-+ if (!(pi->picomps = jas_alloc2(pi->numcomps, sizeof(jpc_picomp_t)))) {
- jpc_pi_destroy(pi);
- return 0;
- }
-@@ -577,7 +577,7 @@ jpc_pi_t *jpc_enc_pi_create(jpc_enc_cp_t
- for (compno = 0, tcomp = tile->tcmpts, picomp = pi->picomps;
- compno < pi->numcomps; ++compno, ++tcomp, ++picomp) {
- picomp->numrlvls = tcomp->numrlvls;
-- if (!(picomp->pirlvls = jas_malloc(picomp->numrlvls *
-+ if (!(picomp->pirlvls = jas_alloc2(picomp->numrlvls,
- sizeof(jpc_pirlvl_t)))) {
- jpc_pi_destroy(pi);
- return 0;
-@@ -591,7 +591,7 @@ jpc_pi_t *jpc_enc_pi_create(jpc_enc_cp_t
- /* XXX sizeof(long) should be sizeof different type */
- pirlvl->numprcs = rlvl->numprcs;
- if (rlvl->numprcs) {
-- if (!(pirlvl->prclyrnos = jas_malloc(pirlvl->numprcs *
-+ if (!(pirlvl->prclyrnos = jas_alloc2(pirlvl->numprcs,
- sizeof(long)))) {
- jpc_pi_destroy(pi);
- return 0;
diff --git a/graphics/jasper/patches/patch-src_libjasper_jpc_jpc__tagtree.c b/graphics/jasper/patches/patch-src_libjasper_jpc_jpc__tagtree.c
deleted file mode 100644
index c42fbd21a0d..00000000000
--- a/graphics/jasper/patches/patch-src_libjasper_jpc_jpc__tagtree.c
+++ /dev/null
@@ -1,16 +0,0 @@
-$NetBSD: patch-src_libjasper_jpc_jpc__tagtree.c,v 1.1 2016/05/16 14:03:40 he Exp $
-
-Fix CVE-2008-3520, patches from
-https://bugs.gentoo.org/show_bug.cgi?id=222819
-
---- src/libjasper/jpc/jpc_tagtree.c.orig 2007-01-19 21:43:07.000000000 +0000
-+++ src/libjasper/jpc/jpc_tagtree.c
-@@ -125,7 +125,7 @@ jpc_tagtree_t *jpc_tagtree_create(int nu
- ++numlvls;
- } while (n > 1);
-
-- if (!(tree->nodes_ = jas_malloc(tree->numnodes_ * sizeof(jpc_tagtreenode_t)))) {
-+ if (!(tree->nodes_ = jas_alloc2(tree->numnodes_, sizeof(jpc_tagtreenode_t)))) {
- return 0;
- }
-
diff --git a/graphics/jasper/patches/patch-src_libjasper_jpc_jpc__util.c b/graphics/jasper/patches/patch-src_libjasper_jpc_jpc__util.c
deleted file mode 100644
index 2bcade477e8..00000000000
--- a/graphics/jasper/patches/patch-src_libjasper_jpc_jpc__util.c
+++ /dev/null
@@ -1,16 +0,0 @@
-$NetBSD: patch-src_libjasper_jpc_jpc__util.c,v 1.1 2016/05/16 14:03:40 he Exp $
-
-Fix CVE-2008-3520, patches from
-https://bugs.gentoo.org/show_bug.cgi?id=222819
-
---- src/libjasper/jpc/jpc_util.c.orig 2007-01-19 21:43:07.000000000 +0000
-+++ src/libjasper/jpc/jpc_util.c
-@@ -109,7 +109,7 @@ int jpc_atoaf(char *s, int *numvalues, d
- }
-
- if (n) {
-- if (!(vs = jas_malloc(n * sizeof(double)))) {
-+ if (!(vs = jas_alloc2(n, sizeof(double)))) {
- return -1;
- }
-
diff --git a/graphics/jasper/patches/patch-src_libjasper_mif_mif__cod.c b/graphics/jasper/patches/patch-src_libjasper_mif_mif__cod.c
deleted file mode 100644
index fe60cdc21af..00000000000
--- a/graphics/jasper/patches/patch-src_libjasper_mif_mif__cod.c
+++ /dev/null
@@ -1,17 +0,0 @@
-$NetBSD: patch-src_libjasper_mif_mif__cod.c,v 1.1 2016/05/16 14:03:40 he Exp $
-
-Fix CVE-2008-3520, patches from
-https://bugs.gentoo.org/show_bug.cgi?id=222819
-
---- src/libjasper/mif/mif_cod.c.orig 2007-01-19 21:43:05.000000000 +0000
-+++ src/libjasper/mif/mif_cod.c
-@@ -438,8 +438,7 @@ static int mif_hdr_growcmpts(mif_hdr_t *
- int cmptno;
- mif_cmpt_t **newcmpts;
- assert(maxcmpts >= hdr->numcmpts);
-- newcmpts = (!hdr->cmpts) ? jas_malloc(maxcmpts * sizeof(mif_cmpt_t *)) :
-- jas_realloc(hdr->cmpts, maxcmpts * sizeof(mif_cmpt_t *));
-+ newcmpts = jas_realloc2(hdr->cmpts, maxcmpts, sizeof(mif_cmpt_t *));
- if (!newcmpts) {
- return -1;
- }
diff --git a/graphics/jasper/patches/patch-src_libjasper_pnm_pnm__enc.c b/graphics/jasper/patches/patch-src_libjasper_pnm_pnm__enc.c
index 03a8cf23acc..3e5a9269f20 100644
--- a/graphics/jasper/patches/patch-src_libjasper_pnm_pnm__enc.c
+++ b/graphics/jasper/patches/patch-src_libjasper_pnm_pnm__enc.c
@@ -1,7 +1,6 @@
-$NetBSD: patch-src_libjasper_pnm_pnm__enc.c,v 1.1 2016/05/16 14:03:40 he Exp $
+$NetBSD: patch-src_libjasper_pnm_pnm__enc.c,v 1.2 2016/12/16 09:44:44 he Exp $
-Fix CVE-2008-3520, patches from
-https://bugs.gentoo.org/show_bug.cgi?id=222819
+Replace one sprintf() with snprintf().
 --- src/libjasper/pnm/pnm_enc.c.orig 2007-01-19 21:43:05.000000000 +0000
 +++ src/libjasper/pnm/pnm_enc.c |