diff options
| author | he <he@pkgsrc.org> | 2016-05-16 14:03:40 +0000 |
|---|---|---|
| committer | he <he@pkgsrc.org> | 2016-05-16 14:03:40 +0000 |
| commit | 5f10758ad49a8e35a1adc55465c899ab877db87d (patch) | |
| tree | dd724519497181d6bcf9dc607bb3be54bcf65cb1 | |
| parent | 41c0cb27a1e5305a3f7c21d24cd586257737a1ac (diff) | |
| download | pkgsrc-5f10758ad49a8e35a1adc55465c899ab877db87d.tar.gz | |
Add fixes for CVE-2008-3520 and CVE-2008-3522, patches from
https://bugs.gentoo.org/show_bug.cgi?id=222819
Bump PKGREVISION.
27 files changed, 1094 insertions, 92 deletions
diff --git a/graphics/jasper/Makefile b/graphics/jasper/Makefile index d1b44bdaba9..98ecf1d1e16 100644 --- a/graphics/jasper/Makefile +++ b/graphics/jasper/Makefile @@ -1,7 +1,7 @@ -# $NetBSD: Makefile,v 1.42 2016/03/13 04:11:18 tnn Exp $ +# $NetBSD: Makefile,v 1.43 2016/05/16 14:03:40 he Exp $ DISTNAME= jasper-1.900.1 -PKGREVISION= 11 +PKGREVISION= 12 CATEGORIES= graphics MASTER_SITES= http://www.ece.uvic.ca/~mdadams/jasper/software/ EXTRACT_SUFX= .zip diff --git a/graphics/jasper/distinfo b/graphics/jasper/distinfo index ac8137c3200..faa48c9d580 100644 --- a/graphics/jasper/distinfo +++ b/graphics/jasper/distinfo @@ -1,15 +1,32 @@ -$NetBSD: distinfo,v 1.19 2016/03/13 04:11:18 tnn Exp $ +$NetBSD: distinfo,v 1.20 2016/05/16 14:03:40 he Exp $ SHA1 (jasper-1.900.1.zip) = 9c5735f773922e580bf98c7c7dfda9bbed4c5191 RMD160 (jasper-1.900.1.zip) = fb2c188abf5b8c297078ac1f913101734f72db5c SHA512 (jasper-1.900.1.zip) = e3a3c803de848b50482f5bd693b1945197c6999285226c45b671855734d7bb2611fbe6f28cd8ba9c56a4ea59417795eba42d72516c9fec93b8fbaa21b8210cb6 Size (jasper-1.900.1.zip) = 1415752 bytes SHA1 (patch-configure) = c8aa09f8432f0e3f5667ecb3ccd738c3c03f3f05 -SHA1 (patch-src_libjasper_base_jas__icc.c) = ec2faf717f8d561cda3cdc63516d843e195b102c -SHA1 (patch-src_libjasper_base_jas__image.c) = a901a5847c4732a22c0e771c1d5763432fb5a1db -SHA1 (patch-src_libjasper_base_jas__seq.c) = 609171c4aa905ba3e3dd74779c18c7b5ab52200c -SHA1 (patch-src_libjasper_jp2_jp2__cod.c) = 7902e9900130f466fa60a5389409cc9495b6260c -SHA1 (patch-src_libjasper_jp2_jp2__dec.c) = 5a795502f9241829afa1acf0a2a341155b954108 -SHA1 (patch-src_libjasper_jpc_jpc__cs.c) = 794de4dcf8f809275a5bee5cb60d95cf9608e0a7 -SHA1 (patch-src_libjasper_jpc_jpc__dec.c) = 9b0d764671ef32868a390464480c5b3ee805e258 -SHA1 (patch-src_libjasper_jpc_jpc__qmfb.c) = 8c8d6e6fbb8ce0117a9e806777a6fdde21e6d780 +SHA1 (patch-src_libjasper_base_jas__cm.c) = 51bcaa7d992616c4caf764d190d42c8c802324f8 +SHA1 (patch-src_libjasper_base_jas__icc.c) = 855e8b733a4a043d06cea60deaa497784e55838c +SHA1 (patch-src_libjasper_base_jas__image.c) = d9119ab45d95f954604167374f5f97c1d94d508f +SHA1 (patch-src_libjasper_base_jas__malloc.c) = 887509258c8a957932bb212b747aa5b8932e82af +SHA1 (patch-src_libjasper_base_jas__seq.c) = bc1c38439eb61e3c50a5900e38e4a8992bc790fe +SHA1 (patch-src_libjasper_base_jas__stream.c) = 1e6cbd1cf0a273f94144e1f12624b9a5d612dd84 +SHA1 (patch-src_libjasper_bmp_bmp__dec.c) = 162f760235fba871c48afc273276fad884250ed6 +SHA1 (patch-src_libjasper_include_jasper_jas__malloc.h) = 3d6e873f11074bc54bd6dc5665d3c80413ef89fe +SHA1 (patch-src_libjasper_jp2_jp2__cod.c) = 656f23983f97e3b5eea49898e9f29d6b3eef5b19 +SHA1 (patch-src_libjasper_jp2_jp2__dec.c) = 9b8fbb8e947e403fed6c610a0d4a0c63640462e5 +SHA1 (patch-src_libjasper_jp2_jp2__enc.c) = f6a86101e04a2efdb0840b44a2b892de18683c59 +SHA1 (patch-src_libjasper_jpc_jpc__cs.c) = 603ee1ac6089bd190581fd0e00efabc18a41f48a +SHA1 (patch-src_libjasper_jpc_jpc__dec.c) = 026235b7f59ecaa8ee148f0301dd96dc9a570e80 +SHA1 (patch-src_libjasper_jpc_jpc__enc.c) = 81cf4df888d1542cf52fadb202b82a05c8bdfd83 +SHA1 (patch-src_libjasper_jpc_jpc__mqdec.c) = bcf41d1da270478a731494a913bd626ba7d533f4 +SHA1 (patch-src_libjasper_jpc_jpc__mqenc.c) = b6c80212129f82268c43e5a3e39a7c7e1c12655a +SHA1 (patch-src_libjasper_jpc_jpc__qmfb.c) = 6e7b5180047c6c8855aa22a3dd94d8deeb39b560 +SHA1 (patch-src_libjasper_jpc_jpc__t1enc.c) = 3aade36d3a171ad08f7be93c48bb51ab9fb9126f +SHA1 (patch-src_libjasper_jpc_jpc__t2cod.c) = ce1a300066db7adfed03f55fc47d6392dd2d2221 +SHA1 (patch-src_libjasper_jpc_jpc__t2dec.c) = 06a2e58843b59bbf698a5aa15ba253fa51f18568 +SHA1 (patch-src_libjasper_jpc_jpc__t2enc.c) = 0a6119b4fc5a6305a8adb92357805af1fb55f1d9 +SHA1 (patch-src_libjasper_jpc_jpc__tagtree.c) = 9f0594c4aa576ef5d0cb85ec2c01c364efecf855 +SHA1 (patch-src_libjasper_jpc_jpc__util.c) = e7069e6106d7dd883aab18a1fa20c9dbfe1bebf1 +SHA1 (patch-src_libjasper_mif_mif__cod.c) = 7c34864c0c9f82eee89795673014feb5824fc7b5 +SHA1 (patch-src_libjasper_pnm_pnm__enc.c) = 3279f184f6191ea69d1b5ef8fb270ffcc6a69640 diff --git a/graphics/jasper/patches/patch-src_libjasper_base_jas__cm.c b/graphics/jasper/patches/patch-src_libjasper_base_jas__cm.c new file mode 100644 index 00000000000..c46236ae8da --- /dev/null +++ b/graphics/jasper/patches/patch-src_libjasper_base_jas__cm.c @@ -0,0 +1,51 @@ +$NetBSD: patch-src_libjasper_base_jas__cm.c,v 1.1 2016/05/16 14:03:40 he Exp $ + +Fix CVE-2008-3520, patches from +https://bugs.gentoo.org/show_bug.cgi?id=222819 + +--- src/libjasper/base/jas_cm.c.orig 2007-01-19 21:43:05.000000000 +0000 ++++ src/libjasper/base/jas_cm.c +@@ -704,8 +704,7 @@ static int jas_cmpxformseq_resize(jas_cm + { + jas_cmpxform_t **p; + assert(n >= pxformseq->numpxforms); +- p = (!pxformseq->pxforms) ? jas_malloc(n * sizeof(jas_cmpxform_t *)) : +- jas_realloc(pxformseq->pxforms, n * sizeof(jas_cmpxform_t *)); ++ p = jas_realloc2(pxformseq->pxforms, n, sizeof(jas_cmpxform_t *)); + if (!p) { + return -1; + } +@@ -889,13 +888,13 @@ static int jas_cmshapmatlut_set(jas_cmsh + jas_cmshapmatlut_cleanup(lut); + if (curv->numents == 0) { + lut->size = 2; +- if (!(lut->data = jas_malloc(lut->size * sizeof(jas_cmreal_t)))) ++ if (!(lut->data = jas_alloc2(lut->size, sizeof(jas_cmreal_t)))) + goto error; + lut->data[0] = 0.0; + lut->data[1] = 1.0; + } else if (curv->numents == 1) { + lut->size = 256; +- if (!(lut->data = jas_malloc(lut->size * sizeof(jas_cmreal_t)))) ++ if (!(lut->data = jas_alloc2(lut->size, sizeof(jas_cmreal_t)))) + goto error; + gamma = curv->ents[0] / 256.0; + for (i = 0; i < lut->size; ++i) { +@@ -903,7 +902,7 @@ static int jas_cmshapmatlut_set(jas_cmsh + } + } else { + lut->size = curv->numents; +- if (!(lut->data = jas_malloc(lut->size * sizeof(jas_cmreal_t)))) ++ if (!(lut->data = jas_alloc2(lut->size, sizeof(jas_cmreal_t)))) + goto error; + for (i = 0; i < lut->size; ++i) { + lut->data[i] = curv->ents[i] / 65535.0; +@@ -953,7 +952,7 @@ static int jas_cmshapmatlut_invert(jas_c + return -1; + } + } +- if (!(invlut->data = jas_malloc(n * sizeof(jas_cmreal_t)))) ++ if (!(invlut->data = jas_alloc2(n, sizeof(jas_cmreal_t)))) + return -1; + invlut->size = n; + for (i = 0; i < invlut->size; ++i) { diff --git a/graphics/jasper/patches/patch-src_libjasper_base_jas__icc.c b/graphics/jasper/patches/patch-src_libjasper_base_jas__icc.c index 54a070b24b7..dac73a7cb27 100644 --- a/graphics/jasper/patches/patch-src_libjasper_base_jas__icc.c +++ b/graphics/jasper/patches/patch-src_libjasper_base_jas__icc.c @@ -1,11 +1,14 @@ -$NetBSD: patch-src_libjasper_base_jas__icc.c,v 1.1 2016/03/13 04:11:18 tnn Exp $ +$NetBSD: patch-src_libjasper_base_jas__icc.c,v 1.2 2016/05/16 14:03:40 he Exp $ CVE-2016-1577 prevent double free. Via Debian. CVE-2016-2116 memory leak / DoS. Via Debian. ---- src/libjasper/base/jas_icc.c.orig 2016-03-13 04:09:54.821655643 +0000 -+++ src/libjasper/base/jas_icc.c -@@ -300,6 +300,7 @@ jas_iccprof_t *jas_iccprof_load(jas_stre +Fix CVE-2008-3520, patches from +https://bugs.gentoo.org/show_bug.cgi?id=222819 + +--- src/libjasper/base/jas_icc.c.old 2016-03-31 14:47:00.000000000 +0200 ++++ src/libjasper/base/jas_icc.c 2016-03-31 14:48:20.000000000 +0200 +@@ -300,6 +300,7 @@ if (jas_iccprof_setattr(prof, tagtabent->tag, attrval)) goto error; jas_iccattrval_destroy(attrval); @@ -13,7 +16,103 @@ CVE-2016-2116 memory leak / DoS. Via Debian. } else { #if 0 jas_eprintf("warning: skipping unknown tag type\n"); -@@ -1699,6 +1700,8 @@ jas_iccprof_t *jas_iccprof_createfrombuf +@@ -373,7 +374,7 @@ + jas_icctagtab_t *tagtab; + + tagtab = &prof->tagtab; +- if (!(tagtab->ents = jas_malloc(prof->attrtab->numattrs * ++ if (!(tagtab->ents = jas_alloc2(prof->attrtab->numattrs, + sizeof(jas_icctagtabent_t)))) + goto error; + tagtab->numents = prof->attrtab->numattrs; +@@ -522,7 +523,7 @@ + } + if (jas_iccgetuint32(in, &tagtab->numents)) + goto error; +- if (!(tagtab->ents = jas_malloc(tagtab->numents * ++ if (!(tagtab->ents = jas_alloc2(tagtab->numents, + sizeof(jas_icctagtabent_t)))) + goto error; + tagtabent = tagtab->ents; +@@ -743,8 +744,7 @@ + { + jas_iccattr_t *newattrs; + assert(maxents >= tab->numattrs); +- newattrs = tab->attrs ? jas_realloc(tab->attrs, maxents * +- sizeof(jas_iccattr_t)) : jas_malloc(maxents * sizeof(jas_iccattr_t)); ++ newattrs = jas_realloc2(tab->attrs, maxents, sizeof(jas_iccattr_t)); + if (!newattrs) + return -1; + tab->attrs = newattrs; +@@ -999,7 +999,7 @@ + + if (jas_iccgetuint32(in, &curv->numents)) + goto error; +- if (!(curv->ents = jas_malloc(curv->numents * sizeof(jas_iccuint16_t)))) ++ if (!(curv->ents = jas_alloc2(curv->numents, sizeof(jas_iccuint16_t)))) + goto error; + for (i = 0; i < curv->numents; ++i) { + if (jas_iccgetuint16(in, &curv->ents[i])) +@@ -1100,7 +1100,7 @@ + if (jas_iccgetuint32(in, &txtdesc->uclangcode) || + jas_iccgetuint32(in, &txtdesc->uclen)) + goto error; +- if (!(txtdesc->ucdata = jas_malloc(txtdesc->uclen * 2))) ++ if (!(txtdesc->ucdata = jas_alloc2(txtdesc->uclen, 2))) + goto error; + if (jas_stream_read(in, txtdesc->ucdata, txtdesc->uclen * 2) != + JAS_CAST(int, txtdesc->uclen * 2)) +@@ -1292,17 +1292,17 @@ + jas_iccgetuint16(in, &lut8->numouttabents)) + goto error; + clutsize = jas_iccpowi(lut8->clutlen, lut8->numinchans) * lut8->numoutchans; +- if (!(lut8->clut = jas_malloc(clutsize * sizeof(jas_iccuint8_t))) || +- !(lut8->intabsbuf = jas_malloc(lut8->numinchans * +- lut8->numintabents * sizeof(jas_iccuint8_t))) || +- !(lut8->intabs = jas_malloc(lut8->numinchans * ++ if (!(lut8->clut = jas_alloc2(clutsize, sizeof(jas_iccuint8_t))) || ++ !(lut8->intabsbuf = jas_alloc3(lut8->numinchans, ++ lut8->numintabents, sizeof(jas_iccuint8_t))) || ++ !(lut8->intabs = jas_alloc2(lut8->numinchans, + sizeof(jas_iccuint8_t *)))) + goto error; + for (i = 0; i < lut8->numinchans; ++i) + lut8->intabs[i] = &lut8->intabsbuf[i * lut8->numintabents]; +- if (!(lut8->outtabsbuf = jas_malloc(lut8->numoutchans * +- lut8->numouttabents * sizeof(jas_iccuint8_t))) || +- !(lut8->outtabs = jas_malloc(lut8->numoutchans * ++ if (!(lut8->outtabsbuf = jas_alloc3(lut8->numoutchans, ++ lut8->numouttabents, sizeof(jas_iccuint8_t))) || ++ !(lut8->outtabs = jas_alloc2(lut8->numoutchans, + sizeof(jas_iccuint8_t *)))) + goto error; + for (i = 0; i < lut8->numoutchans; ++i) +@@ -1461,17 +1461,17 @@ + jas_iccgetuint16(in, &lut16->numouttabents)) + goto error; + clutsize = jas_iccpowi(lut16->clutlen, lut16->numinchans) * lut16->numoutchans; +- if (!(lut16->clut = jas_malloc(clutsize * sizeof(jas_iccuint16_t))) || +- !(lut16->intabsbuf = jas_malloc(lut16->numinchans * +- lut16->numintabents * sizeof(jas_iccuint16_t))) || +- !(lut16->intabs = jas_malloc(lut16->numinchans * ++ if (!(lut16->clut = jas_alloc2(clutsize, sizeof(jas_iccuint16_t))) || ++ !(lut16->intabsbuf = jas_alloc3(lut16->numinchans, ++ lut16->numintabents, sizeof(jas_iccuint16_t))) || ++ !(lut16->intabs = jas_alloc2(lut16->numinchans, + sizeof(jas_iccuint16_t *)))) + goto error; + for (i = 0; i < lut16->numinchans; ++i) + lut16->intabs[i] = &lut16->intabsbuf[i * lut16->numintabents]; +- if (!(lut16->outtabsbuf = jas_malloc(lut16->numoutchans * +- lut16->numouttabents * sizeof(jas_iccuint16_t))) || +- !(lut16->outtabs = jas_malloc(lut16->numoutchans * ++ if (!(lut16->outtabsbuf = jas_alloc3(lut16->numoutchans, ++ lut16->numouttabents, sizeof(jas_iccuint16_t))) || ++ !(lut16->outtabs = jas_alloc2(lut16->numoutchans, + sizeof(jas_iccuint16_t *)))) + goto error; + for (i = 0; i < lut16->numoutchans; ++i) +@@ -1699,6 +1699,8 @@ jas_stream_close(in); return prof; error: diff --git a/graphics/jasper/patches/patch-src_libjasper_base_jas__image.c b/graphics/jasper/patches/patch-src_libjasper_base_jas__image.c index e82eff39ef5..a3c8abc92e4 100644 --- a/graphics/jasper/patches/patch-src_libjasper_base_jas__image.c +++ b/graphics/jasper/patches/patch-src_libjasper_base_jas__image.c @@ -1,10 +1,22 @@ -$NetBSD: patch-src_libjasper_base_jas__image.c,v 1.1 2016/03/13 04:11:18 tnn Exp $ +$NetBSD: patch-src_libjasper_base_jas__image.c,v 1.2 2016/05/16 14:03:40 he Exp $ CVE-2016-2089 denial of service. Via Debian. ---- src/libjasper/base/jas_image.c.orig 2007-01-19 21:43:05.000000000 +0000 -+++ src/libjasper/base/jas_image.c -@@ -426,6 +426,10 @@ int jas_image_readcmpt(jas_image_t *imag +Fix CVE-2008-3520, patches from +https://bugs.gentoo.org/show_bug.cgi?id=222819 + +--- src/libjasper/base/jas_image.c.old 2016-03-31 14:47:00.000000000 +0200 ++++ src/libjasper/base/jas_image.c 2016-03-31 14:47:50.000000000 +0200 +@@ -142,7 +142,7 @@ + image->inmem_ = true; + + /* Allocate memory for the per-component information. */ +- if (!(image->cmpts_ = jas_malloc(image->maxcmpts_ * ++ if (!(image->cmpts_ = jas_alloc2(image->maxcmpts_, + sizeof(jas_image_cmpt_t *)))) { + jas_image_destroy(image); + return 0; +@@ -426,6 +426,10 @@ return -1; } @@ -15,7 +27,7 @@ CVE-2016-2089 denial of service. Via Debian. if (jas_matrix_numrows(data) != height || jas_matrix_numcols(data) != width) { if (jas_matrix_resize(data, height, width)) { return -1; -@@ -479,6 +483,10 @@ int jas_image_writecmpt(jas_image_t *ima +@@ -479,6 +483,10 @@ return -1; } @@ -26,3 +38,13 @@ CVE-2016-2089 denial of service. Via Debian. if (jas_matrix_numrows(data) != height || jas_matrix_numcols(data) != width) { return -1; } +@@ -774,8 +782,7 @@ + jas_image_cmpt_t **newcmpts; + int cmptno; + +- newcmpts = (!image->cmpts_) ? jas_malloc(maxcmpts * sizeof(jas_image_cmpt_t *)) : +- jas_realloc(image->cmpts_, maxcmpts * sizeof(jas_image_cmpt_t *)); ++ newcmpts = jas_realloc2(image->cmpts_, maxcmpts, sizeof(jas_image_cmpt_t *)); + if (!newcmpts) { + return -1; + } diff --git a/graphics/jasper/patches/patch-src_libjasper_base_jas__malloc.c b/graphics/jasper/patches/patch-src_libjasper_base_jas__malloc.c new file mode 100644 index 00000000000..af4cf0dfcbe --- /dev/null +++ b/graphics/jasper/patches/patch-src_libjasper_base_jas__malloc.c @@ -0,0 +1,75 @@ +$NetBSD: patch-src_libjasper_base_jas__malloc.c,v 1.1 2016/05/16 14:03:40 he Exp $ + +Fix CVE-2008-3520, patches from +https://bugs.gentoo.org/show_bug.cgi?id=222819 + +--- src/libjasper/base/jas_malloc.c.orig 2007-01-19 21:43:05.000000000 +0000 ++++ src/libjasper/base/jas_malloc.c +@@ -76,6 +76,9 @@ + + /* We need the prototype for memset. */ + #include <string.h> ++#include <limits.h> ++#include <errno.h> ++#include <stdint.h> + + #include "jasper/jas_malloc.h" + +@@ -113,18 +116,50 @@ void jas_free(void *ptr) + + void *jas_realloc(void *ptr, size_t size) + { +- return realloc(ptr, size); ++ return ptr ? realloc(ptr, size) : malloc(size); + } + +-void *jas_calloc(size_t nmemb, size_t size) ++void *jas_realloc2(void *ptr, size_t nmemb, size_t size) ++{ ++ if (!ptr) ++ return jas_alloc2(nmemb, size); ++ if (nmemb && SIZE_MAX / nmemb < size) { ++ errno = ENOMEM; ++ return NULL; ++ } ++ return jas_realloc(ptr, nmemb * size); ++ ++} ++ ++void *jas_alloc2(size_t nmemb, size_t size) ++{ ++ if (nmemb && SIZE_MAX / nmemb < size) { ++ errno = ENOMEM; ++ return NULL; ++ } ++ ++ return jas_malloc(nmemb * size); ++} ++ ++void *jas_alloc3(size_t a, size_t b, size_t c) + { +- void *ptr; + size_t n; +- n = nmemb * size; +- if (!(ptr = jas_malloc(n * sizeof(char)))) { +- return 0; ++ ++ if (a && SIZE_MAX / a < b) { ++ errno = ENOMEM; ++ return NULL; + } +- memset(ptr, 0, n); ++ ++ return jas_alloc2(a*b, c); ++} ++ ++void *jas_calloc(size_t nmemb, size_t size) ++{ ++ void *ptr; ++ ++ ptr = jas_alloc2(nmemb, size); ++ if (ptr) ++ memset(ptr, 0, nmemb*size); + return ptr; + } + diff --git a/graphics/jasper/patches/patch-src_libjasper_base_jas__seq.c b/graphics/jasper/patches/patch-src_libjasper_base_jas__seq.c index a79b05eac13..d544287720d 100644 --- a/graphics/jasper/patches/patch-src_libjasper_base_jas__seq.c +++ b/graphics/jasper/patches/patch-src_libjasper_base_jas__seq.c @@ -1,10 +1,40 @@ -$NetBSD: patch-src_libjasper_base_jas__seq.c,v 1.1 2016/03/13 04:11:18 tnn Exp $ +$NetBSD: patch-src_libjasper_base_jas__seq.c,v 1.2 2016/05/16 14:03:40 he Exp $ CVE-2016-2089 denial of service. Via Debian. ---- src/libjasper/base/jas_seq.c.orig 2007-01-19 21:43:05.000000000 +0000 -+++ src/libjasper/base/jas_seq.c -@@ -262,6 +262,10 @@ void jas_matrix_divpow2(jas_matrix_t *ma +Fix CVE-2008-3520, patches from +https://bugs.gentoo.org/show_bug.cgi?id=222819 + +--- src/libjasper/base/jas_seq.c.old 2016-03-31 14:47:00.000000000 +0200 ++++ src/libjasper/base/jas_seq.c 2016-03-31 14:47:50.000000000 +0200 +@@ -114,7 +114,7 @@ + matrix->datasize_ = numrows * numcols; + + if (matrix->maxrows_ > 0) { +- if (!(matrix->rows_ = jas_malloc(matrix->maxrows_ * ++ if (!(matrix->rows_ = jas_alloc2(matrix->maxrows_, + sizeof(jas_seqent_t *)))) { + jas_matrix_destroy(matrix); + return 0; +@@ -122,7 +122,7 @@ + } + + if (matrix->datasize_ > 0) { +- if (!(matrix->data_ = jas_malloc(matrix->datasize_ * ++ if (!(matrix->data_ = jas_alloc2(matrix->datasize_, + sizeof(jas_seqent_t)))) { + jas_matrix_destroy(matrix); + return 0; +@@ -220,7 +220,7 @@ + mat0->numrows_ = r1 - r0 + 1; + mat0->numcols_ = c1 - c0 + 1; + mat0->maxrows_ = mat0->numrows_; +- mat0->rows_ = jas_malloc(mat0->maxrows_ * sizeof(jas_seqent_t *)); ++ mat0->rows_ = jas_alloc2(mat0->maxrows_, sizeof(jas_seqent_t *)); + for (i = 0; i < mat0->numrows_; ++i) { + mat0->rows_[i] = mat1->rows_[r0 + i] + c0; + } +@@ -262,6 +262,10 @@ int rowstep; jas_seqent_t *data; @@ -15,7 +45,7 @@ CVE-2016-2089 denial of service. Via Debian. rowstep = jas_matrix_rowstep(matrix); for (i = matrix->numrows_, rowstart = matrix->rows_[0]; i > 0; --i, rowstart += rowstep) { -@@ -282,6 +286,10 @@ void jas_matrix_clip(jas_matrix_t *matri +@@ -282,6 +286,10 @@ jas_seqent_t *data; int rowstep; @@ -26,7 +56,7 @@ CVE-2016-2089 denial of service. Via Debian. rowstep = jas_matrix_rowstep(matrix); for (i = matrix->numrows_, rowstart = matrix->rows_[0]; i > 0; --i, rowstart += rowstep) { -@@ -306,6 +314,10 @@ void jas_matrix_asr(jas_matrix_t *matrix +@@ -306,6 +314,10 @@ int rowstep; jas_seqent_t *data; @@ -37,7 +67,7 @@ CVE-2016-2089 denial of service. Via Debian. assert(n >= 0); rowstep = jas_matrix_rowstep(matrix); for (i = matrix->numrows_, rowstart = matrix->rows_[0]; i > 0; --i, -@@ -325,6 +337,10 @@ void jas_matrix_asl(jas_matrix_t *matrix +@@ -325,6 +337,10 @@ int rowstep; jas_seqent_t *data; @@ -48,7 +78,7 @@ CVE-2016-2089 denial of service. Via Debian. rowstep = jas_matrix_rowstep(matrix); for (i = matrix->numrows_, rowstart = matrix->rows_[0]; i > 0; --i, rowstart += rowstep) { -@@ -367,6 +383,10 @@ void jas_matrix_setall(jas_matrix_t *mat +@@ -367,6 +383,10 @@ int rowstep; jas_seqent_t *data; @@ -59,3 +89,13 @@ CVE-2016-2089 denial of service. Via Debian. rowstep = jas_matrix_rowstep(matrix); for (i = matrix->numrows_, rowstart = matrix->rows_[0]; i > 0; --i, rowstart += rowstep) { +@@ -432,7 +452,8 @@ + for (i = 0; i < jas_matrix_numrows(matrix); ++i) { + for (j = 0; j < jas_matrix_numcols(matrix); ++j) { + x = jas_matrix_get(matrix, i, j); +- sprintf(sbuf, "%s%4ld", (strlen(buf) > 0) ? " " : "", ++ snprintf(sbuf, sizeof sbuf, ++ "%s%4ld", (strlen(buf) > 0) ? " " : "", + JAS_CAST(long, x)); + n = strlen(buf); + if (n + strlen(sbuf) > MAXLINELEN) { diff --git a/graphics/jasper/patches/patch-src_libjasper_base_jas__stream.c b/graphics/jasper/patches/patch-src_libjasper_base_jas__stream.c new file mode 100644 index 00000000000..637dc645e67 --- /dev/null +++ b/graphics/jasper/patches/patch-src_libjasper_base_jas__stream.c @@ -0,0 +1,67 @@ +$NetBSD: patch-src_libjasper_base_jas__stream.c,v 1.1 2016/05/16 14:03:40 he Exp $ + +Fix CVE-2008-3521 and CVE-2008-3522, patches from +https://bugs.gentoo.org/show_bug.cgi?id=222819 + +--- src/libjasper/base/jas_stream.c.orig 2007-01-19 21:43:05.000000000 +0000 ++++ src/libjasper/base/jas_stream.c +@@ -212,7 +212,7 @@ jas_stream_t *jas_stream_memopen(char *b + if (buf) { + obj->buf_ = (unsigned char *) buf; + } else { +- obj->buf_ = jas_malloc(obj->bufsize_ * sizeof(char)); ++ obj->buf_ = jas_malloc(obj->bufsize_); + obj->myalloc_ = 1; + } + if (!obj->buf_) { +@@ -361,28 +361,22 @@ jas_stream_t *jas_stream_tmpfile() + } + obj->fd = -1; + obj->flags = 0; +- obj->pathname[0] = '\0'; + stream->obj_ = obj; + + /* Choose a file name. */ +- tmpnam(obj->pathname); ++ snprintf(obj->pathname, L_tmpnam, "%stmp.XXXXXXXXXX", P_tmpdir); + + /* Open the underlying file. */ +- if ((obj->fd = open(obj->pathname, O_CREAT | O_EXCL | O_RDWR | O_TRUNC | O_BINARY, +- JAS_STREAM_PERMS)) < 0) { ++ if ((obj->fd = mkstemp(obj->pathname)) < 0) { + jas_stream_destroy(stream); + return 0; + } + + /* Unlink the file so that it will disappear if the program + terminates abnormally. */ +- /* Under UNIX, one can unlink an open file and continue to do I/O +- on it. Not all operating systems support this functionality, however. +- For example, under Microsoft Windows the unlink operation will fail, +- since the file is open. */ + if (unlink(obj->pathname)) { +- /* We will try unlinking the file again after it is closed. */ +- obj->flags |= JAS_STREAM_FILEOBJ_DELONCLOSE; ++ jas_stream_destroy(stream); ++ return 0; + } + + /* Use full buffering. */ +@@ -553,7 +547,7 @@ int jas_stream_printf(jas_stream_t *stre + int ret; + + va_start(ap, fmt); +- ret = vsprintf(buf, fmt, ap); ++ ret = vsnprintf(buf, sizeof buf, fmt, ap); + jas_stream_puts(stream, buf); + va_end(ap); + return ret; +@@ -992,7 +986,7 @@ static int mem_resize(jas_stream_memobj_ + unsigned char *buf; + + assert(m->buf_); +- if (!(buf = jas_realloc(m->buf_, bufsize * sizeof(unsigned char)))) { ++ if (!(buf = jas_realloc(m->buf_, bufsize))) { + return -1; + } + m->buf_ = buf; diff --git a/graphics/jasper/patches/patch-src_libjasper_bmp_bmp__dec.c b/graphics/jasper/patches/patch-src_libjasper_bmp_bmp__dec.c new file mode 100644 index 00000000000..a32eb4a6d02 --- /dev/null +++ b/graphics/jasper/patches/patch-src_libjasper_bmp_bmp__dec.c @@ -0,0 +1,16 @@ +$NetBSD: patch-src_libjasper_bmp_bmp__dec.c,v 1.1 2016/05/16 14:03:40 he Exp $ + +Fix CVE-2008-3520, patches from +https://bugs.gentoo.org/show_bug.cgi?id=222819 + +--- src/libjasper/bmp/bmp_dec.c.orig 2007-01-19 21:43:07.000000000 +0000 ++++ src/libjasper/bmp/bmp_dec.c +@@ -283,7 +283,7 @@ static bmp_info_t *bmp_getinfo(jas_strea + } + + if (info->numcolors > 0) { +- if (!(info->palents = jas_malloc(info->numcolors * ++ if (!(info->palents = jas_alloc2(info->numcolors, + sizeof(bmp_palent_t)))) { + bmp_info_destroy(info); + return 0; diff --git a/graphics/jasper/patches/patch-src_libjasper_include_jasper_jas__malloc.h b/graphics/jasper/patches/patch-src_libjasper_include_jasper_jas__malloc.h new file mode 100644 index 00000000000..d8cd67dc7a8 --- /dev/null +++ b/graphics/jasper/patches/patch-src_libjasper_include_jasper_jas__malloc.h @@ -0,0 +1,30 @@ +$NetBSD: patch-src_libjasper_include_jasper_jas__malloc.h,v 1.1 2016/05/16 14:03:40 he Exp $ + +Fix CVE-2008-3520, patches from +https://bugs.gentoo.org/show_bug.cgi?id=222819 + +--- src/libjasper/include/jasper/jas_malloc.h.orig 2007-01-19 21:43:04.000000000 +0000 ++++ src/libjasper/include/jasper/jas_malloc.h +@@ -95,6 +95,9 @@ extern "C" { + #define jas_free MEMFREE + #define jas_realloc MEMREALLOC + #define jas_calloc MEMCALLOC ++#define jas_alloc2(a, b) MEMALLOC((a)*(b)) ++#define jas_alloc3(a, b, c) MEMALLOC((a)*(b)*(c)) ++#define jas_realloc2(p, a, b) MEMREALLOC((p), (a)*(b)) + #endif + + /******************************************************************************\ +@@ -115,6 +118,12 @@ void *jas_realloc(void *ptr, size_t size + /* Allocate a block of memory and initialize the contents to zero. */ + void *jas_calloc(size_t nmemb, size_t size); + ++/* size-checked double allocation .*/ ++void *jas_alloc2(size_t, size_t); ++ ++void *jas_alloc3(size_t, size_t, size_t); ++ ++void *jas_realloc2(void *, size_t, size_t); + #endif + + #ifdef __cplusplus diff --git a/graphics/jasper/patches/patch-src_libjasper_jp2_jp2__cod.c b/graphics/jasper/patches/patch-src_libjasper_jp2_jp2__cod.c index 38463ea05eb..c860c3af353 100644 --- a/graphics/jasper/patches/patch-src_libjasper_jp2_jp2__cod.c +++ b/graphics/jasper/patches/patch-src_libjasper_jp2_jp2__cod.c @@ -1,10 +1,49 @@ -$NetBSD: patch-src_libjasper_jp2_jp2__cod.c,v 1.1 2015/01/01 14:15:27 he Exp $ +$NetBSD: patch-src_libjasper_jp2_jp2__cod.c,v 1.2 2016/05/16 14:03:40 he Exp $ Only output debug info if debuglevel >= 1. ---- src/libjasper/jp2/jp2_cod.c.orig 2006-12-08 00:23:36.000000000 +0000 -+++ src/libjasper/jp2/jp2_cod.c -@@ -795,11 +795,15 @@ static void jp2_cmap_dumpdata(jp2_box_t +Fix CVE-2008-3520, patches from +https://bugs.gentoo.org/show_bug.cgi?id=222819 + +--- src/libjasper/jp2/jp2_cod.c.old 2016-03-31 14:47:00.000000000 +0200 ++++ src/libjasper/jp2/jp2_cod.c 2016-03-31 14:48:20.000000000 +0200 +@@ -372,7 +372,7 @@ + jp2_bpcc_t *bpcc = &box->data.bpcc; + unsigned int i; + bpcc->numcmpts = box->datalen; +- if (!(bpcc->bpcs = jas_malloc(bpcc->numcmpts * sizeof(uint_fast8_t)))) { ++ if (!(bpcc->bpcs = jas_alloc2(bpcc->numcmpts, sizeof(uint_fast8_t)))) { + return -1; + } + for (i = 0; i < bpcc->numcmpts; ++i) { +@@ -416,7 +416,7 @@ + break; + case JP2_COLR_ICC: + colr->iccplen = box->datalen - 3; +- if (!(colr->iccp = jas_malloc(colr->iccplen * sizeof(uint_fast8_t)))) { ++ if (!(colr->iccp = jas_alloc2(colr->iccplen, sizeof(uint_fast8_t)))) { + return -1; + } + if (jas_stream_read(in, colr->iccp, colr->iccplen) != colr->iccplen) { +@@ -453,7 +453,7 @@ + if (jp2_getuint16(in, &cdef->numchans)) { + return -1; + } +- if (!(cdef->ents = jas_malloc(cdef->numchans * sizeof(jp2_cdefchan_t)))) { ++ if (!(cdef->ents = jas_alloc2(cdef->numchans, sizeof(jp2_cdefchan_t)))) { + return -1; + } + for (channo = 0; channo < cdef->numchans; ++channo) { +@@ -766,7 +766,7 @@ + unsigned int i; + + cmap->numchans = (box->datalen) / 4; +- if (!(cmap->ents = jas_malloc(cmap->numchans * sizeof(jp2_cmapent_t)))) { ++ if (!(cmap->ents = jas_alloc2(cmap->numchans, sizeof(jp2_cmapent_t)))) { + return -1; + } + for (i = 0; i < cmap->numchans; ++i) { +@@ -795,11 +795,15 @@ jp2_cmap_t *cmap = &box->data.cmap; unsigned int i; jp2_cmapent_t *ent; @@ -23,3 +62,16 @@ Only output debug info if debuglevel >= 1. } } +@@ -828,10 +832,10 @@ + return -1; + } + lutsize = pclr->numlutents * pclr->numchans; +- if (!(pclr->lutdata = jas_malloc(lutsize * sizeof(int_fast32_t)))) { ++ if (!(pclr->lutdata = jas_alloc2(lutsize, sizeof(int_fast32_t)))) { + return -1; + } +- if (!(pclr->bpc = jas_malloc(pclr->numchans * sizeof(uint_fast8_t)))) { ++ if (!(pclr->bpc = jas_alloc2(pclr->numchans, sizeof(uint_fast8_t)))) { + return -1; + } + for (i = 0; i < pclr->numchans; ++i) { diff --git a/graphics/jasper/patches/patch-src_libjasper_jp2_jp2__dec.c b/graphics/jasper/patches/patch-src_libjasper_jp2_jp2__dec.c index fa1c873d0b1..27d086cda13 100644 --- a/graphics/jasper/patches/patch-src_libjasper_jp2_jp2__dec.c +++ b/graphics/jasper/patches/patch-src_libjasper_jp2_jp2__dec.c @@ -1,12 +1,15 @@ -$NetBSD: patch-src_libjasper_jp2_jp2__dec.c,v 1.1 2015/01/01 14:15:27 he Exp $ +$NetBSD: patch-src_libjasper_jp2_jp2__dec.c,v 1.2 2016/05/16 14:03:40 he Exp $ Only output debug info if debuglevel >= 1. Apply fix for oCERT-2014-012, from https://bugzilla.redhat.com/show_bug.cgi?id=1173162 ---- src/libjasper/jp2/jp2_dec.c.orig 2004-02-09 01:34:40.000000000 +0000 -+++ src/libjasper/jp2/jp2_dec.c -@@ -293,7 +293,9 @@ jas_image_t *jp2_decode(jas_stream_t *in +Fix CVE-2008-3520, patches from +https://bugs.gentoo.org/show_bug.cgi?id=222819 + +--- src/libjasper/jp2/jp2_dec.c.old 2016-03-31 14:47:00.000000000 +0200 ++++ src/libjasper/jp2/jp2_dec.c 2016-03-31 14:48:20.000000000 +0200 +@@ -293,7 +293,9 @@ dec->colr->data.colr.iccplen); assert(iccprof); jas_iccprof_gethdr(iccprof, &icchdr); @@ -17,7 +20,25 @@ https://bugzilla.redhat.com/show_bug.cgi?id=1173162 jas_image_setclrspc(dec->image, fromiccpcs(icchdr.colorspc)); dec->image->cmprof_ = jas_cmprof_createfromiccprof(iccprof); assert(dec->image->cmprof_); -@@ -386,6 +388,13 @@ jas_image_t *jp2_decode(jas_stream_t *in +@@ -336,7 +338,7 @@ + } + + /* Allocate space for the channel-number to component-number LUT. */ +- if (!(dec->chantocmptlut = jas_malloc(dec->numchans * sizeof(uint_fast16_t)))) { ++ if (!(dec->chantocmptlut = jas_alloc2(dec->numchans, sizeof(uint_fast16_t)))) { + jas_eprintf("error: no memory\n"); + goto error; + } +@@ -354,7 +356,7 @@ + if (cmapent->map == JP2_CMAP_DIRECT) { + dec->chantocmptlut[channo] = channo; + } else if (cmapent->map == JP2_CMAP_PALETTE) { +- lutents = jas_malloc(pclrd->numlutents * sizeof(int_fast32_t)); ++ lutents = jas_alloc2(pclrd->numlutents, sizeof(int_fast32_t)); + for (i = 0; i < pclrd->numlutents; ++i) { + lutents[i] = pclrd->lutdata[cmapent->pcol + i * pclrd->numchans]; + } +@@ -386,6 +388,13 @@ /* Determine the type of each component. */ if (dec->cdef) { for (i = 0; i < dec->numchans; ++i) { diff --git a/graphics/jasper/patches/patch-src_libjasper_jp2_jp2__enc.c b/graphics/jasper/patches/patch-src_libjasper_jp2_jp2__enc.c new file mode 100644 index 00000000000..445eae3bbb3 --- /dev/null +++ b/graphics/jasper/patches/patch-src_libjasper_jp2_jp2__enc.c @@ -0,0 +1,35 @@ +$NetBSD: patch-src_libjasper_jp2_jp2__enc.c,v 1.1 2016/05/16 14:03:40 he Exp $ + +Fix CVE-2008-3520, patches from +https://bugs.gentoo.org/show_bug.cgi?id=222819 + +--- src/libjasper/jp2/jp2_enc.c.orig 2007-01-19 21:43:05.000000000 +0000 ++++ src/libjasper/jp2/jp2_enc.c +@@ -191,7 +191,7 @@ int sgnd; + } + bpcc = &box->data.bpcc; + bpcc->numcmpts = jas_image_numcmpts(image); +- if (!(bpcc->bpcs = jas_malloc(bpcc->numcmpts * ++ if (!(bpcc->bpcs = jas_alloc2(bpcc->numcmpts, + sizeof(uint_fast8_t)))) { + goto error; + } +@@ -285,7 +285,7 @@ int sgnd; + } + cdef = &box->data.cdef; + cdef->numchans = jas_image_numcmpts(image); +- cdef->ents = jas_malloc(cdef->numchans * sizeof(jp2_cdefchan_t)); ++ cdef->ents = jas_alloc2(cdef->numchans, sizeof(jp2_cdefchan_t)); + for (i = 0; i < jas_image_numcmpts(image); ++i) { + cdefchanent = &cdef->ents[i]; + cdefchanent->channo = i; +@@ -343,7 +343,8 @@ int sgnd; + /* Output the JPEG-2000 code stream. */ + + overhead = jas_stream_getrwcount(out); +- sprintf(buf, "%s\n_jp2overhead=%lu\n", (optstr ? optstr : ""), ++ snprintf(buf, sizeof buf, "%s\n_jp2overhead=%lu\n", ++ (optstr ? optstr : ""), + (unsigned long) overhead); + + if (jpc_encode(image, out, buf)) { diff --git a/graphics/jasper/patches/patch-src_libjasper_jpc_jpc__cs.c b/graphics/jasper/patches/patch-src_libjasper_jpc_jpc__cs.c index afffca3fc6f..e386e8dabd3 100644 --- a/graphics/jasper/patches/patch-src_libjasper_jpc_jpc__cs.c +++ b/graphics/jasper/patches/patch-src_libjasper_jpc_jpc__cs.c @@ -1,9 +1,21 @@ -$NetBSD: patch-src_libjasper_jpc_jpc__cs.c,v 1.1 2015/01/01 14:15:27 he Exp $ +$NetBSD: patch-src_libjasper_jpc_jpc__cs.c,v 1.2 2016/05/16 14:03:40 he Exp $ Add fixes for CVE-2011-4516 and CVE-2011-4517. +Fix CVE-2008-3520, patches from +https://bugs.gentoo.org/show_bug.cgi?id=222819 + --- src/libjasper/jpc/jpc_cs.c.orig 2007-01-19 21:43:07.000000000 +0000 +++ src/libjasper/jpc/jpc_cs.c +@@ -502,7 +502,7 @@ static int jpc_siz_getparms(jpc_ms_t *ms + !siz->tileheight || !siz->numcomps) { + return -1; + } +- if (!(siz->comps = jas_malloc(siz->numcomps * sizeof(jpc_sizcomp_t)))) { ++ if (!(siz->comps = jas_alloc2(siz->numcomps, sizeof(jpc_sizcomp_t)))) { + return -1; + } + for (i = 0; i < siz->numcomps; ++i) { @@ -744,6 +744,10 @@ static int jpc_cox_getcompparms(jpc_ms_t return -1; } @@ -15,24 +27,62 @@ Add fixes for CVE-2011-4516 and CVE-2011-4517. if (prtflag) { for (i = 0; i < compparms->numrlvls; ++i) { if (jpc_getuint8(in, &tmp)) { -@@ -982,7 +986,10 @@ static int jpc_qcx_getcompparms(jpc_qcxc +@@ -982,8 +986,11 @@ static int jpc_qcx_getcompparms(jpc_qcxc compparms->numstepsizes = (len - n) / 2; break; } - if (compparms->numstepsizes > 0) { +- compparms->stepsizes = jas_malloc(compparms->numstepsizes * + if (compparms->numstepsizes > 3 * JPC_MAXRLVLS + 1) { + jpc_qcx_destroycompparms(compparms); + return -1; + } else if (compparms->numstepsizes > 0) { - compparms->stepsizes = jas_malloc(compparms->numstepsizes * ++ compparms->stepsizes = jas_alloc2(compparms->numstepsizes, sizeof(uint_fast16_t)); assert(compparms->stepsizes); + for (i = 0; i < compparms->numstepsizes; ++i) { +@@ -1091,7 +1098,7 @@ static int jpc_ppm_getparms(jpc_ms_t *ms + + ppm->len = ms->len - 1; + if (ppm->len > 0) { +- if (!(ppm->data = jas_malloc(ppm->len * sizeof(unsigned char)))) { ++ if (!(ppm->data = jas_malloc(ppm->len))) { + goto error; + } + if (JAS_CAST(uint, jas_stream_read(in, ppm->data, ppm->len)) != ppm->len) { +@@ -1160,7 +1167,7 @@ static int jpc_ppt_getparms(jpc_ms_t *ms + } + ppt->len = ms->len - 1; + if (ppt->len > 0) { +- if (!(ppt->data = jas_malloc(ppt->len * sizeof(unsigned char)))) { ++ if (!(ppt->data = jas_malloc(ppt->len))) { + goto error; + } + if (jas_stream_read(in, (char *) ppt->data, ppt->len) != JAS_CAST(int, ppt->len)) { +@@ -1223,7 +1230,7 @@ static int jpc_poc_getparms(jpc_ms_t *ms + uint_fast8_t tmp; + poc->numpchgs = (cstate->numcomps > 256) ? (ms->len / 9) : + (ms->len / 7); +- if (!(poc->pchgs = jas_malloc(poc->numpchgs * sizeof(jpc_pocpchg_t)))) { ++ if (!(poc->pchgs = jas_alloc2(poc->numpchgs, sizeof(jpc_pocpchg_t)))) { + goto error; + } + for (pchgno = 0, pchg = poc->pchgs; pchgno < poc->numpchgs; ++pchgno, @@ -1328,7 +1335,7 @@ static int jpc_crg_getparms(jpc_ms_t *ms jpc_crgcomp_t *comp; uint_fast16_t compno; crg->numcomps = cstate->numcomps; - if (!(crg->comps = jas_malloc(cstate->numcomps * sizeof(uint_fast16_t)))) { -+ if (!(crg->comps = jas_malloc(cstate->numcomps * sizeof(jpc_crgcomp_t)))) { ++ if (!(crg->comps = jas_alloc2(cstate->numcomps, sizeof(jpc_crgcomp_t)))) { return -1; } for (compno = 0, comp = crg->comps; compno < cstate->numcomps; +@@ -1467,7 +1474,7 @@ static int jpc_unk_getparms(jpc_ms_t *ms + cstate = 0; + + if (ms->len > 0) { +- if (!(unk->data = jas_malloc(ms->len * sizeof(unsigned char)))) { ++ if (!(unk->data = jas_malloc(ms->len))) { + return -1; + } + if (jas_stream_read(in, (char *) unk->data, ms->len) != JAS_CAST(int, ms->len)) { diff --git a/graphics/jasper/patches/patch-src_libjasper_jpc_jpc__dec.c b/graphics/jasper/patches/patch-src_libjasper_jpc_jpc__dec.c index c5145b8eb3a..dd00becf38e 100644 --- a/graphics/jasper/patches/patch-src_libjasper_jpc_jpc__dec.c +++ b/graphics/jasper/patches/patch-src_libjasper_jpc_jpc__dec.c @@ -11,9 +11,21 @@ on malformed image input (CVE-2007-2721), Apply fix for CVE-2014-8157, taken from https://bugzilla.redhat.com/show_bug.cgi?id=1179282 ---- src/libjasper/jpc/jpc_dec.c.orig 2014-12-05 12:10:45.000000000 +0000 -+++ src/libjasper/jpc/jpc_dec.c -@@ -489,7 +489,7 @@ static int jpc_dec_process_sot(jpc_dec_t +Fix CVE-2008-3520, patches from +https://bugs.gentoo.org/show_bug.cgi?id=222819 + +--- src/libjasper/jpc/jpc_dec.c.old 2016-03-31 14:47:00.000000000 +0200 ++++ src/libjasper/jpc/jpc_dec.c 2016-03-31 14:48:20.000000000 +0200 +@@ -449,7 +449,7 @@ + + if (dec->state == JPC_MH) { + +- compinfos = jas_malloc(dec->numcomps * sizeof(jas_image_cmptparm_t)); ++ compinfos = jas_alloc2(dec->numcomps, sizeof(jas_image_cmptparm_t)); + assert(compinfos); + for (cmptno = 0, cmpt = dec->cmpts, compinfo = compinfos; + cmptno < dec->numcomps; ++cmptno, ++cmpt, ++compinfo) { +@@ -489,7 +489,7 @@ dec->curtileendoff = 0; } @@ -22,7 +34,43 @@ https://bugzilla.redhat.com/show_bug.cgi?id=1179282 jas_eprintf("invalid tile number in SOT marker segment\n"); return -1; } -@@ -1069,12 +1069,12 @@ static int jpc_dec_tiledecode(jpc_dec_t +@@ -692,7 +692,7 @@ + tile->realmode = 1; + } + tcomp->numrlvls = ccp->numrlvls; +- if (!(tcomp->rlvls = jas_malloc(tcomp->numrlvls * ++ if (!(tcomp->rlvls = jas_alloc2(tcomp->numrlvls, + sizeof(jpc_dec_rlvl_t)))) { + return -1; + } +@@ -764,7 +764,7 @@ + rlvl->cbgheightexpn); + + rlvl->numbands = (!rlvlno) ? 1 : 3; +- if (!(rlvl->bands = jas_malloc(rlvl->numbands * ++ if (!(rlvl->bands = jas_alloc2(rlvl->numbands, + sizeof(jpc_dec_band_t)))) { + return -1; + } +@@ -797,7 +797,7 @@ + + assert(rlvl->numprcs); + +- if (!(band->prcs = jas_malloc(rlvl->numprcs * sizeof(jpc_dec_prc_t)))) { ++ if (!(band->prcs = jas_alloc2(rlvl->numprcs, sizeof(jpc_dec_prc_t)))) { + return -1; + } + +@@ -834,7 +834,7 @@ + if (!(prc->numimsbstagtree = jpc_tagtree_create(prc->numhcblks, prc->numvcblks))) { + return -1; + } +- if (!(prc->cblks = jas_malloc(prc->numcblks * sizeof(jpc_dec_cblk_t)))) { ++ if (!(prc->cblks = jas_alloc2(prc->numcblks, sizeof(jpc_dec_cblk_t)))) { + return -1; + } + +@@ -1069,12 +1069,12 @@ /* Apply an inverse intercomponent transform if necessary. */ switch (tile->cp->mctid) { case JPC_MCT_RCT: @@ -37,7 +85,32 @@ https://bugzilla.redhat.com/show_bug.cgi?id=1179282 jpc_iict(tile->tcomps[0].data, tile->tcomps[1].data, tile->tcomps[2].data); break; -@@ -1234,6 +1234,7 @@ static int jpc_dec_process_siz(jpc_dec_t +@@ -1181,7 +1181,7 @@ + return -1; + } + +- if (!(dec->cmpts = jas_malloc(dec->numcomps * sizeof(jpc_dec_cmpt_t)))) { ++ if (!(dec->cmpts = jas_alloc2(dec->numcomps, sizeof(jpc_dec_cmpt_t)))) { + return -1; + } + +@@ -1204,7 +1204,7 @@ + dec->numhtiles = JPC_CEILDIV(dec->xend - dec->tilexoff, dec->tilewidth); + dec->numvtiles = JPC_CEILDIV(dec->yend - dec->tileyoff, dec->tileheight); + dec->numtiles = dec->numhtiles * dec->numvtiles; +- if (!(dec->tiles = jas_malloc(dec->numtiles * sizeof(jpc_dec_tile_t)))) { ++ if (!(dec->tiles = jas_alloc2(dec->numtiles, sizeof(jpc_dec_tile_t)))) { + return -1; + } + +@@ -1228,12 +1228,13 @@ + tile->pkthdrstreampos = 0; + tile->pptstab = 0; + tile->cp = 0; +- if (!(tile->tcomps = jas_malloc(dec->numcomps * ++ if (!(tile->tcomps = jas_alloc2(dec->numcomps, + sizeof(jpc_dec_tcomp_t)))) { + return -1; } for (compno = 0, cmpt = dec->cmpts, tcomp = tile->tcomps; compno < dec->numcomps; ++compno, ++cmpt, ++tcomp) { @@ -45,7 +118,7 @@ https://bugzilla.redhat.com/show_bug.cgi?id=1179282 tcomp->rlvls = 0; tcomp->data = 0; tcomp->xstart = JPC_CEILDIV(tile->xstart, cmpt->hstep); -@@ -1280,7 +1281,7 @@ static int jpc_dec_process_coc(jpc_dec_t +@@ -1280,7 +1281,7 @@ jpc_coc_t *coc = &ms->parms.coc; jpc_dec_tile_t *tile; @@ -54,7 +127,7 @@ https://bugzilla.redhat.com/show_bug.cgi?id=1179282 jas_eprintf("invalid component number in COC marker segment\n"); return -1; } -@@ -1306,7 +1307,7 @@ static int jpc_dec_process_rgn(jpc_dec_t +@@ -1306,7 +1307,7 @@ jpc_rgn_t *rgn = &ms->parms.rgn; jpc_dec_tile_t *tile; @@ -63,7 +136,7 @@ https://bugzilla.redhat.com/show_bug.cgi?id=1179282 jas_eprintf("invalid component number in RGN marker segment\n"); return -1; } -@@ -1355,7 +1356,7 @@ static int jpc_dec_process_qcc(jpc_dec_t +@@ -1355,7 +1356,7 @@ jpc_qcc_t *qcc = &ms->parms.qcc; jpc_dec_tile_t *tile; @@ -72,7 +145,7 @@ https://bugzilla.redhat.com/show_bug.cgi?id=1179282 jas_eprintf("invalid component number in QCC marker segment\n"); return -1; } -@@ -1466,7 +1467,9 @@ static int jpc_dec_process_unk(jpc_dec_t +@@ -1466,7 +1467,9 @@ dec = 0; jas_eprintf("warning: ignoring unknown marker segment\n"); @@ -83,3 +156,42 @@ https://bugzilla.redhat.com/show_bug.cgi?id=1179282 return 0; } +@@ -1489,7 +1492,7 @@ + cp->numlyrs = 0; + cp->mctid = 0; + cp->csty = 0; +- if (!(cp->ccps = jas_malloc(cp->numcomps * sizeof(jpc_dec_ccp_t)))) { ++ if (!(cp->ccps = jas_alloc2(cp->numcomps, sizeof(jpc_dec_ccp_t)))) { + return 0; + } + if (!(cp->pchglist = jpc_pchglist_create())) { +@@ -2048,7 +2051,7 @@ + } + streamlist->numstreams = 0; + streamlist->maxstreams = 100; +- if (!(streamlist->streams = jas_malloc(streamlist->maxstreams * ++ if (!(streamlist->streams = jas_alloc2(streamlist->maxstreams, + sizeof(jas_stream_t *)))) { + jas_free(streamlist); + return 0; +@@ -2068,8 +2071,8 @@ + /* Grow the array of streams if necessary. */ + if (streamlist->numstreams >= streamlist->maxstreams) { + newmaxstreams = streamlist->maxstreams + 1024; +- if (!(newstreams = jas_realloc(streamlist->streams, +- (newmaxstreams + 1024) * sizeof(jas_stream_t *)))) { ++ if (!(newstreams = jas_realloc2(streamlist->streams, ++ (newmaxstreams + 1024), sizeof(jas_stream_t *)))) { + return -1; + } + for (i = streamlist->numstreams; i < streamlist->maxstreams; ++i) { +@@ -2155,8 +2158,7 @@ + { + jpc_ppxstabent_t **newents; + if (tab->maxents < maxents) { +- newents = (tab->ents) ? jas_realloc(tab->ents, maxents * +- sizeof(jpc_ppxstabent_t *)) : jas_malloc(maxents * sizeof(jpc_ppxstabent_t *)); ++ newents = jas_realloc2(tab->ents, maxents, sizeof(jpc_ppxstabent_t *)); + if (!newents) { + return -1; + } diff --git a/graphics/jasper/patches/patch-src_libjasper_jpc_jpc__enc.c b/graphics/jasper/patches/patch-src_libjasper_jpc_jpc__enc.c new file mode 100644 index 00000000000..e10acd11eb9 --- /dev/null +++ b/graphics/jasper/patches/patch-src_libjasper_jpc_jpc__enc.c @@ -0,0 +1,107 @@ +$NetBSD: patch-src_libjasper_jpc_jpc__enc.c,v 1.1 2016/05/16 14:03:40 he Exp $ + +Fix CVE-2008-3520, patches from +https://bugs.gentoo.org/show_bug.cgi?id=222819 + +--- src/libjasper/jpc/jpc_enc.c.orig 2007-01-19 21:43:07.000000000 +0000 ++++ src/libjasper/jpc/jpc_enc.c +@@ -403,7 +403,7 @@ static jpc_enc_cp_t *cp_create(char *opt + vsteplcm *= jas_image_cmptvstep(image, cmptno); + } + +- if (!(cp->ccps = jas_malloc(cp->numcmpts * sizeof(jpc_enc_ccp_t)))) { ++ if (!(cp->ccps = jas_alloc2(cp->numcmpts, sizeof(jpc_enc_ccp_t)))) { + goto error; + } + for (cmptno = 0, ccp = cp->ccps; cmptno < JAS_CAST(int, cp->numcmpts); ++cmptno, +@@ -656,7 +656,7 @@ static jpc_enc_cp_t *cp_create(char *opt + + if (ilyrrates && numilyrrates > 0) { + tcp->numlyrs = numilyrrates + 1; +- if (!(tcp->ilyrrates = jas_malloc((tcp->numlyrs - 1) * ++ if (!(tcp->ilyrrates = jas_alloc2((tcp->numlyrs - 1), + sizeof(jpc_fix_t)))) { + goto error; + } +@@ -940,7 +940,7 @@ startoff = jas_stream_getrwcount(enc->ou + siz->tilewidth = cp->tilewidth; + siz->tileheight = cp->tileheight; + siz->numcomps = cp->numcmpts; +- siz->comps = jas_malloc(siz->numcomps * sizeof(jpc_sizcomp_t)); ++ siz->comps = jas_alloc2(siz->numcomps, sizeof(jpc_sizcomp_t)); + assert(siz->comps); + for (i = 0; i < JAS_CAST(int, cp->numcmpts); ++i) { + siz->comps[i].prec = cp->ccps[i].prec; +@@ -958,7 +958,8 @@ startoff = jas_stream_getrwcount(enc->ou + if (!(enc->mrk = jpc_ms_create(JPC_MS_COM))) { + return -1; + } +- sprintf(buf, "Creator: JasPer Version %s", jas_getversion()); ++ snprintf(buf, sizeof buf, "Creator: JasPer Version %s", ++ jas_getversion()); + com = &enc->mrk->parms.com; + com->len = strlen(buf); + com->regid = JPC_COM_LATIN; +@@ -977,7 +978,7 @@ startoff = jas_stream_getrwcount(enc->ou + return -1; + } + crg = &enc->mrk->parms.crg; +- crg->comps = jas_malloc(crg->numcomps * sizeof(jpc_crgcomp_t)); ++ crg->comps = jas_alloc2(crg->numcomps, sizeof(jpc_crgcomp_t)); + if (jpc_putms(enc->out, enc->cstate, enc->mrk)) { + jas_eprintf("cannot write CRG marker\n"); + return -1; +@@ -1955,7 +1956,7 @@ jpc_enc_tile_t *jpc_enc_tile_create(jpc_ + tile->mctid = cp->tcp.mctid; + + tile->numlyrs = cp->tcp.numlyrs; +- if (!(tile->lyrsizes = jas_malloc(tile->numlyrs * ++ if (!(tile->lyrsizes = jas_alloc2(tile->numlyrs, + sizeof(uint_fast32_t)))) { + goto error; + } +@@ -1964,7 +1965,7 @@ jpc_enc_tile_t *jpc_enc_tile_create(jpc_ + } + + /* Allocate an array for the per-tile-component information. */ +- if (!(tile->tcmpts = jas_malloc(cp->numcmpts * sizeof(jpc_enc_tcmpt_t)))) { ++ if (!(tile->tcmpts = jas_alloc2(cp->numcmpts, sizeof(jpc_enc_tcmpt_t)))) { + goto error; + } + /* Initialize a few members critical for error recovery. */ +@@ -2110,7 +2111,7 @@ static jpc_enc_tcmpt_t *tcmpt_create(jpc + jas_seq2d_ystart(tcmpt->data), jas_seq2d_xend(tcmpt->data), + jas_seq2d_yend(tcmpt->data), bandinfos); + +- if (!(tcmpt->rlvls = jas_malloc(tcmpt->numrlvls * sizeof(jpc_enc_rlvl_t)))) { ++ if (!(tcmpt->rlvls = jas_alloc2(tcmpt->numrlvls, sizeof(jpc_enc_rlvl_t)))) { + goto error; + } + for (rlvlno = 0, rlvl = tcmpt->rlvls; rlvlno < tcmpt->numrlvls; +@@ -2213,7 +2214,7 @@ static jpc_enc_rlvl_t *rlvl_create(jpc_e + rlvl->numvprcs = JPC_FLOORDIVPOW2(brprcbry - tlprctly, rlvl->prcheightexpn); + rlvl->numprcs = rlvl->numhprcs * rlvl->numvprcs; + +- if (!(rlvl->bands = jas_malloc(rlvl->numbands * sizeof(jpc_enc_band_t)))) { ++ if (!(rlvl->bands = jas_alloc2(rlvl->numbands, sizeof(jpc_enc_band_t)))) { + goto error; + } + for (bandno = 0, band = rlvl->bands; bandno < rlvl->numbands; +@@ -2290,7 +2291,7 @@ if (bandinfo->xstart != bandinfo->xend & + band->synweight = bandinfo->synenergywt; + + if (band->data) { +- if (!(band->prcs = jas_malloc(rlvl->numprcs * sizeof(jpc_enc_prc_t)))) { ++ if (!(band->prcs = jas_alloc2(rlvl->numprcs, sizeof(jpc_enc_prc_t)))) { + goto error; + } + for (prcno = 0, prc = band->prcs; prcno < rlvl->numprcs; ++prcno, +@@ -2422,7 +2423,7 @@ if (!rlvlno) { + goto error; + } + +- if (!(prc->cblks = jas_malloc(prc->numcblks * sizeof(jpc_enc_cblk_t)))) { ++ if (!(prc->cblks = jas_alloc2(prc->numcblks, sizeof(jpc_enc_cblk_t)))) { + goto error; + } + for (cblkno = 0, cblk = prc->cblks; cblkno < prc->numcblks; diff --git a/graphics/jasper/patches/patch-src_libjasper_jpc_jpc__mqdec.c b/graphics/jasper/patches/patch-src_libjasper_jpc_jpc__mqdec.c new file mode 100644 index 00000000000..6b95fe44b10 --- /dev/null +++ b/graphics/jasper/patches/patch-src_libjasper_jpc_jpc__mqdec.c @@ -0,0 +1,16 @@ +$NetBSD: patch-src_libjasper_jpc_jpc__mqdec.c,v 1.1 2016/05/16 14:03:40 he Exp $ + +Fix CVE-2008-3520, patches from +https://bugs.gentoo.org/show_bug.cgi?id=222819 + +--- src/libjasper/jpc/jpc_mqdec.c.orig 2007-01-19 21:43:07.000000000 +0000 ++++ src/libjasper/jpc/jpc_mqdec.c +@@ -118,7 +118,7 @@ jpc_mqdec_t *jpc_mqdec_create(int maxctx + mqdec->in = in; + mqdec->maxctxs = maxctxs; + /* Allocate memory for the per-context state information. */ +- if (!(mqdec->ctxs = jas_malloc(mqdec->maxctxs * sizeof(jpc_mqstate_t *)))) { ++ if (!(mqdec->ctxs = jas_alloc2(mqdec->maxctxs, sizeof(jpc_mqstate_t *)))) { + goto error; + } + /* Set the current context to the first context. */ diff --git a/graphics/jasper/patches/patch-src_libjasper_jpc_jpc__mqenc.c b/graphics/jasper/patches/patch-src_libjasper_jpc_jpc__mqenc.c new file mode 100644 index 00000000000..1abe368a853 --- /dev/null +++ b/graphics/jasper/patches/patch-src_libjasper_jpc_jpc__mqenc.c @@ -0,0 +1,16 @@ +$NetBSD: patch-src_libjasper_jpc_jpc__mqenc.c,v 1.1 2016/05/16 14:03:40 he Exp $ + +Fix CVE-2008-3520, patches from +https://bugs.gentoo.org/show_bug.cgi?id=222819 + +--- src/libjasper/jpc/jpc_mqenc.c.orig 2007-01-19 21:43:07.000000000 +0000 ++++ src/libjasper/jpc/jpc_mqenc.c +@@ -197,7 +197,7 @@ jpc_mqenc_t *jpc_mqenc_create(int maxctx + mqenc->maxctxs = maxctxs; + + /* Allocate memory for the per-context state information. */ +- if (!(mqenc->ctxs = jas_malloc(mqenc->maxctxs * sizeof(jpc_mqstate_t *)))) { ++ if (!(mqenc->ctxs = jas_alloc2(mqenc->maxctxs, sizeof(jpc_mqstate_t *)))) { + goto error; + } + diff --git a/graphics/jasper/patches/patch-src_libjasper_jpc_jpc__qmfb.c b/graphics/jasper/patches/patch-src_libjasper_jpc_jpc__qmfb.c index 7297531b334..0d91b73117c 100644 --- a/graphics/jasper/patches/patch-src_libjasper_jpc_jpc__qmfb.c +++ b/graphics/jasper/patches/patch-src_libjasper_jpc_jpc__qmfb.c @@ -1,11 +1,14 @@ -$NetBSD: patch-src_libjasper_jpc_jpc__qmfb.c,v 1.1 2015/02/08 23:04:22 snj Exp $ +$NetBSD: patch-src_libjasper_jpc_jpc__qmfb.c,v 1.2 2016/05/16 14:03:40 he Exp $ Fix CVE-2014-8158. Patch taken from https://bugzilla.redhat.com/show_bug.cgi?id=1179298 ---- src/libjasper/jpc/jpc_qmfb.c.orig 2007-01-19 13:43:07.000000000 -0800 -+++ src/libjasper/jpc/jpc_qmfb.c 2015-02-08 14:49:33.000000000 -0800 -@@ -306,11 +306,7 @@ void jpc_qmfb_split_row(jpc_fix_t *a, in +Fix CVE-2008-3520, patches from +https://bugs.gentoo.org/show_bug.cgi?id=222819 + +--- src/libjasper/jpc/jpc_qmfb.c.old 2016-03-31 14:47:00.000000000 +0200 ++++ src/libjasper/jpc/jpc_qmfb.c 2016-03-31 14:48:03.000000000 +0200 +@@ -306,11 +306,7 @@ { int bufsize = JPC_CEILDIVPOW2(numcols, 1); @@ -17,15 +20,16 @@ https://bugzilla.redhat.com/show_bug.cgi?id=1179298 jpc_fix_t *buf = splitbuf; register jpc_fix_t *srcptr; register jpc_fix_t *dstptr; -@@ -318,7 +314,6 @@ void jpc_qmfb_split_row(jpc_fix_t *a, in +@@ -318,15 +314,13 @@ register int m; int hstartcol; -#if !defined(HAVE_VLA) /* Get a buffer. */ if (bufsize > QMFB_SPLITBUFSIZE) { - if (!(buf = jas_malloc(bufsize * sizeof(jpc_fix_t)))) { -@@ -326,7 +321,6 @@ void jpc_qmfb_split_row(jpc_fix_t *a, in +- if (!(buf = jas_malloc(bufsize * sizeof(jpc_fix_t)))) { ++ if (!(buf = jas_alloc2(bufsize, sizeof(jpc_fix_t)))) { + /* We have no choice but to commit suicide in this case. */ abort(); } } @@ -33,7 +37,7 @@ https://bugzilla.redhat.com/show_bug.cgi?id=1179298 if (numcols >= 2) { hstartcol = (numcols + 1 - parity) >> 1; -@@ -360,12 +354,10 @@ void jpc_qmfb_split_row(jpc_fix_t *a, in +@@ -360,12 +354,10 @@ } } @@ -46,7 +50,7 @@ https://bugzilla.redhat.com/show_bug.cgi?id=1179298 } -@@ -374,11 +366,7 @@ void jpc_qmfb_split_col(jpc_fix_t *a, in +@@ -374,11 +366,7 @@ { int bufsize = JPC_CEILDIVPOW2(numrows, 1); @@ -58,15 +62,16 @@ https://bugzilla.redhat.com/show_bug.cgi?id=1179298 jpc_fix_t *buf = splitbuf; register jpc_fix_t *srcptr; register jpc_fix_t *dstptr; -@@ -386,7 +374,6 @@ void jpc_qmfb_split_col(jpc_fix_t *a, in +@@ -386,15 +374,13 @@ register int m; int hstartcol; -#if !defined(HAVE_VLA) /* Get a buffer. */ if (bufsize > QMFB_SPLITBUFSIZE) { - if (!(buf = jas_malloc(bufsize * sizeof(jpc_fix_t)))) { -@@ -394,7 +381,6 @@ void jpc_qmfb_split_col(jpc_fix_t *a, in +- if (!(buf = jas_malloc(bufsize * sizeof(jpc_fix_t)))) { ++ if (!(buf = jas_alloc2(bufsize, sizeof(jpc_fix_t)))) { + /* We have no choice but to commit suicide in this case. */ abort(); } } @@ -74,7 +79,7 @@ https://bugzilla.redhat.com/show_bug.cgi?id=1179298 if (numrows >= 2) { hstartcol = (numrows + 1 - parity) >> 1; -@@ -428,12 +414,10 @@ void jpc_qmfb_split_col(jpc_fix_t *a, in +@@ -428,12 +414,10 @@ } } @@ -87,7 +92,7 @@ https://bugzilla.redhat.com/show_bug.cgi?id=1179298 } -@@ -442,11 +426,7 @@ void jpc_qmfb_split_colgrp(jpc_fix_t *a, +@@ -442,11 +426,7 @@ { int bufsize = JPC_CEILDIVPOW2(numrows, 1); @@ -99,15 +104,16 @@ https://bugzilla.redhat.com/show_bug.cgi?id=1179298 jpc_fix_t *buf = splitbuf; jpc_fix_t *srcptr; jpc_fix_t *dstptr; -@@ -457,7 +437,6 @@ void jpc_qmfb_split_colgrp(jpc_fix_t *a, +@@ -457,15 +437,13 @@ int m; int hstartcol; -#if !defined(HAVE_VLA) /* Get a buffer. */ if (bufsize > QMFB_SPLITBUFSIZE) { - if (!(buf = jas_malloc(bufsize * sizeof(jpc_fix_t)))) { -@@ -465,7 +444,6 @@ void jpc_qmfb_split_colgrp(jpc_fix_t *a, +- if (!(buf = jas_malloc(bufsize * sizeof(jpc_fix_t)))) { ++ if (!(buf = jas_alloc2(bufsize, sizeof(jpc_fix_t)))) { + /* We have no choice but to commit suicide in this case. */ abort(); } } @@ -115,7 +121,7 @@ https://bugzilla.redhat.com/show_bug.cgi?id=1179298 if (numrows >= 2) { hstartcol = (numrows + 1 - parity) >> 1; -@@ -517,12 +495,10 @@ void jpc_qmfb_split_colgrp(jpc_fix_t *a, +@@ -517,12 +495,10 @@ } } @@ -128,7 +134,7 @@ https://bugzilla.redhat.com/show_bug.cgi?id=1179298 } -@@ -531,11 +507,7 @@ void jpc_qmfb_split_colres(jpc_fix_t *a, +@@ -531,11 +507,7 @@ { int bufsize = JPC_CEILDIVPOW2(numrows, 1); @@ -140,15 +146,16 @@ https://bugzilla.redhat.com/show_bug.cgi?id=1179298 jpc_fix_t *buf = splitbuf; jpc_fix_t *srcptr; jpc_fix_t *dstptr; -@@ -546,7 +518,6 @@ void jpc_qmfb_split_colres(jpc_fix_t *a, +@@ -546,15 +518,13 @@ int m; int hstartcol; -#if !defined(HAVE_VLA) /* Get a buffer. */ if (bufsize > QMFB_SPLITBUFSIZE) { - if (!(buf = jas_malloc(bufsize * sizeof(jpc_fix_t)))) { -@@ -554,7 +525,6 @@ void jpc_qmfb_split_colres(jpc_fix_t *a, +- if (!(buf = jas_malloc(bufsize * sizeof(jpc_fix_t)))) { ++ if (!(buf = jas_alloc2(bufsize, sizeof(jpc_fix_t)))) { + /* We have no choice but to commit suicide in this case. */ abort(); } } @@ -156,7 +163,7 @@ https://bugzilla.redhat.com/show_bug.cgi?id=1179298 if (numrows >= 2) { hstartcol = (numrows + 1 - parity) >> 1; -@@ -606,12 +576,10 @@ void jpc_qmfb_split_colres(jpc_fix_t *a, +@@ -606,12 +576,10 @@ } } @@ -169,7 +176,7 @@ https://bugzilla.redhat.com/show_bug.cgi?id=1179298 } -@@ -619,18 +587,13 @@ void jpc_qmfb_join_row(jpc_fix_t *a, int +@@ -619,26 +587,20 @@ { int bufsize = JPC_CEILDIVPOW2(numcols, 1); @@ -187,8 +194,9 @@ https://bugzilla.redhat.com/show_bug.cgi?id=1179298 -#if !defined(HAVE_VLA) /* Allocate memory for the join buffer from the heap. */ if (bufsize > QMFB_JOINBUFSIZE) { - if (!(buf = jas_malloc(bufsize * sizeof(jpc_fix_t)))) { -@@ -638,7 +601,6 @@ void jpc_qmfb_join_row(jpc_fix_t *a, int +- if (!(buf = jas_malloc(bufsize * sizeof(jpc_fix_t)))) { ++ if (!(buf = jas_alloc2(bufsize, sizeof(jpc_fix_t)))) { + /* We have no choice but to commit suicide. */ abort(); } } @@ -196,7 +204,7 @@ https://bugzilla.redhat.com/show_bug.cgi?id=1179298 hstartcol = (numcols + 1 - parity) >> 1; -@@ -670,12 +632,10 @@ void jpc_qmfb_join_row(jpc_fix_t *a, int +@@ -670,12 +632,10 @@ ++srcptr; } @@ -209,7 +217,7 @@ https://bugzilla.redhat.com/show_bug.cgi?id=1179298 } -@@ -684,18 +644,13 @@ void jpc_qmfb_join_col(jpc_fix_t *a, int +@@ -684,26 +644,20 @@ { int bufsize = JPC_CEILDIVPOW2(numrows, 1); @@ -227,8 +235,9 @@ https://bugzilla.redhat.com/show_bug.cgi?id=1179298 -#if !defined(HAVE_VLA) /* Allocate memory for the join buffer from the heap. */ if (bufsize > QMFB_JOINBUFSIZE) { - if (!(buf = jas_malloc(bufsize * sizeof(jpc_fix_t)))) { -@@ -703,7 +658,6 @@ void jpc_qmfb_join_col(jpc_fix_t *a, int +- if (!(buf = jas_malloc(bufsize * sizeof(jpc_fix_t)))) { ++ if (!(buf = jas_alloc2(bufsize, sizeof(jpc_fix_t)))) { + /* We have no choice but to commit suicide. */ abort(); } } @@ -236,7 +245,7 @@ https://bugzilla.redhat.com/show_bug.cgi?id=1179298 hstartcol = (numrows + 1 - parity) >> 1; -@@ -735,12 +689,10 @@ void jpc_qmfb_join_col(jpc_fix_t *a, int +@@ -735,12 +689,10 @@ ++srcptr; } @@ -249,7 +258,7 @@ https://bugzilla.redhat.com/show_bug.cgi?id=1179298 } -@@ -749,11 +701,7 @@ void jpc_qmfb_join_colgrp(jpc_fix_t *a, +@@ -749,11 +701,7 @@ { int bufsize = JPC_CEILDIVPOW2(numrows, 1); @@ -261,15 +270,16 @@ https://bugzilla.redhat.com/show_bug.cgi?id=1179298 jpc_fix_t *buf = joinbuf; jpc_fix_t *srcptr; jpc_fix_t *dstptr; -@@ -763,7 +711,6 @@ void jpc_qmfb_join_colgrp(jpc_fix_t *a, +@@ -763,15 +711,13 @@ register int i; int hstartcol; -#if !defined(HAVE_VLA) /* Allocate memory for the join buffer from the heap. */ if (bufsize > QMFB_JOINBUFSIZE) { - if (!(buf = jas_malloc(bufsize * JPC_QMFB_COLGRPSIZE * sizeof(jpc_fix_t)))) { -@@ -771,7 +718,6 @@ void jpc_qmfb_join_colgrp(jpc_fix_t *a, +- if (!(buf = jas_malloc(bufsize * JPC_QMFB_COLGRPSIZE * sizeof(jpc_fix_t)))) { ++ if (!(buf = jas_alloc2(bufsize, JPC_QMFB_COLGRPSIZE * sizeof(jpc_fix_t)))) { + /* We have no choice but to commit suicide. */ abort(); } } @@ -277,7 +287,7 @@ https://bugzilla.redhat.com/show_bug.cgi?id=1179298 hstartcol = (numrows + 1 - parity) >> 1; -@@ -821,12 +767,10 @@ void jpc_qmfb_join_colgrp(jpc_fix_t *a, +@@ -821,12 +767,10 @@ srcptr += JPC_QMFB_COLGRPSIZE; } @@ -290,7 +300,7 @@ https://bugzilla.redhat.com/show_bug.cgi?id=1179298 } -@@ -835,11 +779,7 @@ void jpc_qmfb_join_colres(jpc_fix_t *a, +@@ -835,11 +779,7 @@ { int bufsize = JPC_CEILDIVPOW2(numrows, 1); @@ -302,15 +312,16 @@ https://bugzilla.redhat.com/show_bug.cgi?id=1179298 jpc_fix_t *buf = joinbuf; jpc_fix_t *srcptr; jpc_fix_t *dstptr; -@@ -849,7 +789,6 @@ void jpc_qmfb_join_colres(jpc_fix_t *a, +@@ -849,15 +789,13 @@ register int i; int hstartcol; -#if !defined(HAVE_VLA) /* Allocate memory for the join buffer from the heap. */ if (bufsize > QMFB_JOINBUFSIZE) { - if (!(buf = jas_malloc(bufsize * numcols * sizeof(jpc_fix_t)))) { -@@ -857,7 +796,6 @@ void jpc_qmfb_join_colres(jpc_fix_t *a, +- if (!(buf = jas_malloc(bufsize * numcols * sizeof(jpc_fix_t)))) { ++ if (!(buf = jas_alloc3(bufsize, numcols, sizeof(jpc_fix_t)))) { + /* We have no choice but to commit suicide. */ abort(); } } @@ -318,7 +329,7 @@ https://bugzilla.redhat.com/show_bug.cgi?id=1179298 hstartcol = (numrows + 1 - parity) >> 1; -@@ -907,12 +845,10 @@ void jpc_qmfb_join_colres(jpc_fix_t *a, +@@ -907,12 +845,10 @@ srcptr += numcols; } diff --git a/graphics/jasper/patches/patch-src_libjasper_jpc_jpc__t1enc.c b/graphics/jasper/patches/patch-src_libjasper_jpc_jpc__t1enc.c new file mode 100644 index 00000000000..665805bf66d --- /dev/null +++ b/graphics/jasper/patches/patch-src_libjasper_jpc_jpc__t1enc.c @@ -0,0 +1,16 @@ +$NetBSD: patch-src_libjasper_jpc_jpc__t1enc.c,v 1.1 2016/05/16 14:03:40 he Exp $ + +Fix CVE-2008-3520, patches from +https://bugs.gentoo.org/show_bug.cgi?id=222819 + +--- src/libjasper/jpc/jpc_t1enc.c.orig 2007-01-19 21:43:07.000000000 +0000 ++++ src/libjasper/jpc/jpc_t1enc.c +@@ -219,7 +219,7 @@ int jpc_enc_enccblk(jpc_enc_t *enc, jas_ + + cblk->numpasses = (cblk->numbps > 0) ? (3 * cblk->numbps - 2) : 0; + if (cblk->numpasses > 0) { +- cblk->passes = jas_malloc(cblk->numpasses * sizeof(jpc_enc_pass_t)); ++ cblk->passes = jas_alloc2(cblk->numpasses, sizeof(jpc_enc_pass_t)); + assert(cblk->passes); + } else { + cblk->passes = 0; diff --git a/graphics/jasper/patches/patch-src_libjasper_jpc_jpc__t2cod.c b/graphics/jasper/patches/patch-src_libjasper_jpc_jpc__t2cod.c new file mode 100644 index 00000000000..7d732a1a600 --- /dev/null +++ b/graphics/jasper/patches/patch-src_libjasper_jpc_jpc__t2cod.c @@ -0,0 +1,16 @@ +$NetBSD: patch-src_libjasper_jpc_jpc__t2cod.c,v 1.1 2016/05/16 14:03:40 he Exp $ + +Fix CVE-2008-3520, patches from +https://bugs.gentoo.org/show_bug.cgi?id=222819 + +--- src/libjasper/jpc/jpc_t2cod.c.orig 2007-01-19 21:43:07.000000000 +0000 ++++ src/libjasper/jpc/jpc_t2cod.c +@@ -573,7 +573,7 @@ int jpc_pchglist_insert(jpc_pchglist_t * + } + if (pchglist->numpchgs >= pchglist->maxpchgs) { + newmaxpchgs = pchglist->maxpchgs + 128; +- if (!(newpchgs = jas_realloc(pchglist->pchgs, newmaxpchgs * sizeof(jpc_pchg_t *)))) { ++ if (!(newpchgs = jas_realloc2(pchglist->pchgs, newmaxpchgs, sizeof(jpc_pchg_t *)))) { + return -1; + } + pchglist->maxpchgs = newmaxpchgs; diff --git a/graphics/jasper/patches/patch-src_libjasper_jpc_jpc__t2dec.c b/graphics/jasper/patches/patch-src_libjasper_jpc_jpc__t2dec.c new file mode 100644 index 00000000000..6739bb9c4a8 --- /dev/null +++ b/graphics/jasper/patches/patch-src_libjasper_jpc_jpc__t2dec.c @@ -0,0 +1,34 @@ +$NetBSD: patch-src_libjasper_jpc_jpc__t2dec.c,v 1.1 2016/05/16 14:03:40 he Exp $ + +Fix CVE-2008-3520, patches from +https://bugs.gentoo.org/show_bug.cgi?id=222819 + +--- src/libjasper/jpc/jpc_t2dec.c.orig 2007-01-19 21:43:07.000000000 +0000 ++++ src/libjasper/jpc/jpc_t2dec.c +@@ -478,7 +478,7 @@ jpc_pi_t *jpc_dec_pi_create(jpc_dec_t *d + return 0; + } + pi->numcomps = dec->numcomps; +- if (!(pi->picomps = jas_malloc(pi->numcomps * sizeof(jpc_picomp_t)))) { ++ if (!(pi->picomps = jas_alloc2(pi->numcomps, sizeof(jpc_picomp_t)))) { + jpc_pi_destroy(pi); + return 0; + } +@@ -490,7 +490,7 @@ jpc_pi_t *jpc_dec_pi_create(jpc_dec_t *d + for (compno = 0, tcomp = tile->tcomps, picomp = pi->picomps; + compno < pi->numcomps; ++compno, ++tcomp, ++picomp) { + picomp->numrlvls = tcomp->numrlvls; +- if (!(picomp->pirlvls = jas_malloc(picomp->numrlvls * ++ if (!(picomp->pirlvls = jas_alloc2(picomp->numrlvls, + sizeof(jpc_pirlvl_t)))) { + jpc_pi_destroy(pi); + return 0; +@@ -503,7 +503,7 @@ jpc_pi_t *jpc_dec_pi_create(jpc_dec_t *d + rlvlno < picomp->numrlvls; ++rlvlno, ++pirlvl, ++rlvl) { + /* XXX sizeof(long) should be sizeof different type */ + pirlvl->numprcs = rlvl->numprcs; +- if (!(pirlvl->prclyrnos = jas_malloc(pirlvl->numprcs * ++ if (!(pirlvl->prclyrnos = jas_alloc2(pirlvl->numprcs, + sizeof(long)))) { + jpc_pi_destroy(pi); + return 0; diff --git a/graphics/jasper/patches/patch-src_libjasper_jpc_jpc__t2enc.c b/graphics/jasper/patches/patch-src_libjasper_jpc_jpc__t2enc.c new file mode 100644 index 00000000000..e490862ac3c --- /dev/null +++ b/graphics/jasper/patches/patch-src_libjasper_jpc_jpc__t2enc.c @@ -0,0 +1,34 @@ +$NetBSD: patch-src_libjasper_jpc_jpc__t2enc.c,v 1.1 2016/05/16 14:03:40 he Exp $ + +Fix CVE-2008-3520, patches from +https://bugs.gentoo.org/show_bug.cgi?id=222819 + +--- src/libjasper/jpc/jpc_t2enc.c.orig 2007-01-19 21:43:07.000000000 +0000 ++++ src/libjasper/jpc/jpc_t2enc.c +@@ -565,7 +565,7 @@ jpc_pi_t *jpc_enc_pi_create(jpc_enc_cp_t + } + pi->pktno = -1; + pi->numcomps = cp->numcmpts; +- if (!(pi->picomps = jas_malloc(pi->numcomps * sizeof(jpc_picomp_t)))) { ++ if (!(pi->picomps = jas_alloc2(pi->numcomps, sizeof(jpc_picomp_t)))) { + jpc_pi_destroy(pi); + return 0; + } +@@ -577,7 +577,7 @@ jpc_pi_t *jpc_enc_pi_create(jpc_enc_cp_t + for (compno = 0, tcomp = tile->tcmpts, picomp = pi->picomps; + compno < pi->numcomps; ++compno, ++tcomp, ++picomp) { + picomp->numrlvls = tcomp->numrlvls; +- if (!(picomp->pirlvls = jas_malloc(picomp->numrlvls * ++ if (!(picomp->pirlvls = jas_alloc2(picomp->numrlvls, + sizeof(jpc_pirlvl_t)))) { + jpc_pi_destroy(pi); + return 0; +@@ -591,7 +591,7 @@ jpc_pi_t *jpc_enc_pi_create(jpc_enc_cp_t + /* XXX sizeof(long) should be sizeof different type */ + pirlvl->numprcs = rlvl->numprcs; + if (rlvl->numprcs) { +- if (!(pirlvl->prclyrnos = jas_malloc(pirlvl->numprcs * ++ if (!(pirlvl->prclyrnos = jas_alloc2(pirlvl->numprcs, + sizeof(long)))) { + jpc_pi_destroy(pi); + return 0; diff --git a/graphics/jasper/patches/patch-src_libjasper_jpc_jpc__tagtree.c b/graphics/jasper/patches/patch-src_libjasper_jpc_jpc__tagtree.c new file mode 100644 index 00000000000..c42fbd21a0d --- /dev/null +++ b/graphics/jasper/patches/patch-src_libjasper_jpc_jpc__tagtree.c @@ -0,0 +1,16 @@ +$NetBSD: patch-src_libjasper_jpc_jpc__tagtree.c,v 1.1 2016/05/16 14:03:40 he Exp $ + +Fix CVE-2008-3520, patches from +https://bugs.gentoo.org/show_bug.cgi?id=222819 + +--- src/libjasper/jpc/jpc_tagtree.c.orig 2007-01-19 21:43:07.000000000 +0000 ++++ src/libjasper/jpc/jpc_tagtree.c +@@ -125,7 +125,7 @@ jpc_tagtree_t *jpc_tagtree_create(int nu + ++numlvls; + } while (n > 1); + +- if (!(tree->nodes_ = jas_malloc(tree->numnodes_ * sizeof(jpc_tagtreenode_t)))) { ++ if (!(tree->nodes_ = jas_alloc2(tree->numnodes_, sizeof(jpc_tagtreenode_t)))) { + return 0; + } + diff --git a/graphics/jasper/patches/patch-src_libjasper_jpc_jpc__util.c b/graphics/jasper/patches/patch-src_libjasper_jpc_jpc__util.c new file mode 100644 index 00000000000..2bcade477e8 --- /dev/null +++ b/graphics/jasper/patches/patch-src_libjasper_jpc_jpc__util.c @@ -0,0 +1,16 @@ +$NetBSD: patch-src_libjasper_jpc_jpc__util.c,v 1.1 2016/05/16 14:03:40 he Exp $ + +Fix CVE-2008-3520, patches from +https://bugs.gentoo.org/show_bug.cgi?id=222819 + +--- src/libjasper/jpc/jpc_util.c.orig 2007-01-19 21:43:07.000000000 +0000 ++++ src/libjasper/jpc/jpc_util.c +@@ -109,7 +109,7 @@ int jpc_atoaf(char *s, int *numvalues, d + } + + if (n) { +- if (!(vs = jas_malloc(n * sizeof(double)))) { ++ if (!(vs = jas_alloc2(n, sizeof(double)))) { + return -1; + } + diff --git a/graphics/jasper/patches/patch-src_libjasper_mif_mif__cod.c b/graphics/jasper/patches/patch-src_libjasper_mif_mif__cod.c new file mode 100644 index 00000000000..fe60cdc21af --- /dev/null +++ b/graphics/jasper/patches/patch-src_libjasper_mif_mif__cod.c @@ -0,0 +1,17 @@ +$NetBSD: patch-src_libjasper_mif_mif__cod.c,v 1.1 2016/05/16 14:03:40 he Exp $ + +Fix CVE-2008-3520, patches from +https://bugs.gentoo.org/show_bug.cgi?id=222819 + +--- src/libjasper/mif/mif_cod.c.orig 2007-01-19 21:43:05.000000000 +0000 ++++ src/libjasper/mif/mif_cod.c +@@ -438,8 +438,7 @@ static int mif_hdr_growcmpts(mif_hdr_t * + int cmptno; + mif_cmpt_t **newcmpts; + assert(maxcmpts >= hdr->numcmpts); +- newcmpts = (!hdr->cmpts) ? jas_malloc(maxcmpts * sizeof(mif_cmpt_t *)) : +- jas_realloc(hdr->cmpts, maxcmpts * sizeof(mif_cmpt_t *)); ++ newcmpts = jas_realloc2(hdr->cmpts, maxcmpts, sizeof(mif_cmpt_t *)); + if (!newcmpts) { + return -1; + } diff --git a/graphics/jasper/patches/patch-src_libjasper_pnm_pnm__enc.c b/graphics/jasper/patches/patch-src_libjasper_pnm_pnm__enc.c new file mode 100644 index 00000000000..03a8cf23acc --- /dev/null +++ b/graphics/jasper/patches/patch-src_libjasper_pnm_pnm__enc.c @@ -0,0 +1,16 @@ +$NetBSD: patch-src_libjasper_pnm_pnm__enc.c,v 1.1 2016/05/16 14:03:40 he Exp $ + +Fix CVE-2008-3520, patches from +https://bugs.gentoo.org/show_bug.cgi?id=222819 + +--- src/libjasper/pnm/pnm_enc.c.orig 2007-01-19 21:43:05.000000000 +0000 ++++ src/libjasper/pnm/pnm_enc.c +@@ -374,7 +374,7 @@ static int pnm_putdata(jas_stream_t *out + } + } + } else { +- n = sprintf(buf, "%s%ld", ((!(!x && !cmptno)) ? " " : ""), ++ n = snprintf(buf, sizeof buf, "%s%ld", ((!(!x && !cmptno)) ? " " : ""), + (long) v); + if (linelen > 0 && linelen + n > PNM_MAXLINELEN) { + jas_stream_printf(out, "\n"); |