author | tnn <tnn@pkgsrc.org> | 2016-03-13 04:11:18 +0000 |
---|---|---|
committer | tnn <tnn@pkgsrc.org> | 2016-03-13 04:11:18 +0000 |
commit | d5e675816076d482789d0793162c4211296e197b (patch) | |
tree | 480d0790f59b42dd4345b3472e3b24b4142b2b4e /graphics/jasper | |
parent | 91fb340480f6573ab04383c49de730dcc748e7fa (diff) | |
patch denial of service issues CVE-2016-1577 CVE-2016-2116 CVE-2016-2089
via debian
Diffstat (limited to 'graphics/jasper')
-rw-r--r-- | graphics/jasper/Makefile | 4 | ||||
-rw-r--r-- | graphics/jasper/distinfo | 5 | ||||
-rw-r--r-- | graphics/jasper/patches/patch-src_libjasper_base_jas__icc.c | 24 | ||||
-rw-r--r-- | graphics/jasper/patches/patch-src_libjasper_base_jas__image.c | 28 | ||||
-rw-r--r-- | graphics/jasper/patches/patch-src_libjasper_base_jas__seq.c | 61 |
5 files changed, 119 insertions, 3 deletions
diff --git a/graphics/jasper/Makefile b/graphics/jasper/Makefile
index 086b8fe1eea..d1b44bdaba9 100644
--- a/graphics/jasper/Makefile
+++ b/graphics/jasper/Makefile
@@ -1,7 +1,7 @@
-# $NetBSD: Makefile,v 1.41 2016/02/25 08:27:03 jperkin Exp $
+# $NetBSD: Makefile,v 1.42 2016/03/13 04:11:18 tnn Exp $
 DISTNAME= jasper-1.900.1
-PKGREVISION= 10
+PKGREVISION= 11
 CATEGORIES= graphics
 MASTER_SITES= http://www.ece.uvic.ca/~mdadams/jasper/software/
 EXTRACT_SUFX= .zip
diff --git a/graphics/jasper/distinfo b/graphics/jasper/distinfo
index e9f68ef05d6..ac8137c3200 100644
--- a/graphics/jasper/distinfo
+++ b/graphics/jasper/distinfo
@@ -1,10 +1,13 @@
-$NetBSD: distinfo,v 1.18 2015/11/03 21:34:04 agc Exp $
+$NetBSD: distinfo,v 1.19 2016/03/13 04:11:18 tnn Exp $
 SHA1 (jasper-1.900.1.zip) = 9c5735f773922e580bf98c7c7dfda9bbed4c5191
 RMD160 (jasper-1.900.1.zip) = fb2c188abf5b8c297078ac1f913101734f72db5c
 SHA512 (jasper-1.900.1.zip) = e3a3c803de848b50482f5bd693b1945197c6999285226c45b671855734d7bb2611fbe6f28cd8ba9c56a4ea59417795eba42d72516c9fec93b8fbaa21b8210cb6
 Size (jasper-1.900.1.zip) = 1415752 bytes
 SHA1 (patch-configure) = c8aa09f8432f0e3f5667ecb3ccd738c3c03f3f05
+SHA1 (patch-src_libjasper_base_jas__icc.c) = ec2faf717f8d561cda3cdc63516d843e195b102c
+SHA1 (patch-src_libjasper_base_jas__image.c) = a901a5847c4732a22c0e771c1d5763432fb5a1db
+SHA1 (patch-src_libjasper_base_jas__seq.c) = 609171c4aa905ba3e3dd74779c18c7b5ab52200c
 SHA1 (patch-src_libjasper_jp2_jp2__cod.c) = 7902e9900130f466fa60a5389409cc9495b6260c
 SHA1 (patch-src_libjasper_jp2_jp2__dec.c) = 5a795502f9241829afa1acf0a2a341155b954108
 SHA1 (patch-src_libjasper_jpc_jpc__cs.c) = 794de4dcf8f809275a5bee5cb60d95cf9608e0a7
diff --git a/graphics/jasper/patches/patch-src_libjasper_base_jas__icc.c b/graphics/jasper/patches/patch-src_libjasper_base_jas__icc.c
new file mode 100644
index 00000000000..54a070b24b7
--- /dev/null
+++ b/graphics/jasper/patches/patch-src_libjasper_base_jas__icc.c
@@ -0,0 +1,24 @@
+$NetBSD: patch-src_libjasper_base_jas__icc.c,v 1.1 2016/03/13 04:11:18 tnn Exp $
+
+CVE-2016-1577 prevent double free. Via Debian.
+CVE-2016-2116 memory leak / DoS. Via Debian.
+
+--- src/libjasper/base/jas_icc.c.orig 2016-03-13 04:09:54.821655643 +0000
++++ src/libjasper/base/jas_icc.c
+@@ -300,6 +300,7 @@ jas_iccprof_t *jas_iccprof_load(jas_stre
+ if (jas_iccprof_setattr(prof, tagtabent->tag, attrval))
+ goto error;
+ jas_iccattrval_destroy(attrval);
++ attrval = 0;
+ } else {
+ #if 0
+ jas_eprintf("warning: skipping unknown tag type\n");
+@@ -1699,6 +1700,8 @@ jas_iccprof_t *jas_iccprof_createfrombuf
+ jas_stream_close(in);
+ return prof;
+ error:
++ if (in)
++ jas_stream_close(in);
+ return 0;
+ }
+
diff --git a/graphics/jasper/patches/patch-src_libjasper_base_jas__image.c b/graphics/jasper/patches/patch-src_libjasper_base_jas__image.c
new file mode 100644
index 00000000000..e82eff39ef5
--- /dev/null
+++ b/graphics/jasper/patches/patch-src_libjasper_base_jas__image.c
@@ -0,0 +1,28 @@
+$NetBSD: patch-src_libjasper_base_jas__image.c,v 1.1 2016/03/13 04:11:18 tnn Exp $
+
+CVE-2016-2089 denial of service. Via Debian.
+
+--- src/libjasper/base/jas_image.c.orig 2007-01-19 21:43:05.000000000 +0000
++++ src/libjasper/base/jas_image.c
+@@ -426,6 +426,10 @@ int jas_image_readcmpt(jas_image_t *imag
+ return -1;
+ }
+
++ if (!data->rows_) {
++ return -1;
++ }
++
+ if (jas_matrix_numrows(data) != height || jas_matrix_numcols(data) != width) {
+ if (jas_matrix_resize(data, height, width)) {
+ return -1;
+@@ -479,6 +483,10 @@ int jas_image_writecmpt(jas_image_t *ima
+ return -1;
+ }
+
++ if (!data->rows_) {
++ return -1;
++ }
++
+ if (jas_matrix_numrows(data) != height || jas_matrix_numcols(data) != width) {
+ return -1;
+ }
diff --git a/graphics/jasper/patches/patch-src_libjasper_base_jas__seq.c b/graphics/jasper/patches/patch-src_libjasper_base_jas__seq.c
new file mode 100644
index 00000000000..a79b05eac13
--- /dev/null
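Review bot: The added `attrval = 0;` in jas_iccprof_load carries no comment, and without one it reads like a dead store that a later cleanup could remove. Going by the CVE-2016-1577 line in the patch header, it stops the `error:` path from destroying the value a second time; that path is outside the hunk, so this is inferred. I would put `/* already destroyed above; clear it so the error path cannot free it again */` on the line before it. In jas_iccprof_createfrombuf the new `if (in) jas_stream_close(in);` is only safe if `in` is null or a valid stream at every `goto error`; the declaration and the earlier jumps are outside the hunk, so that is worth confirming.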
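Review bot: The `if (!data->rows_)` guard added to jas_image_readcmpt sits ahead of the existing resize branch, so a destination matrix without row storage is now rejected with -1 rather than reaching `jas_matrix_resize(data, height, width)`. If callers may pass an empty matrix expecting it to be sized for them, that is a behaviour change; whether the resize could ever have handled that case is not visible here. The same guard is added in jas_image_writecmpt, and both test the private `rows_` member directly while the lines below use the `jas_matrix_numrows()`/`jas_matrix_numcols()` accessors. A comment such as `/* CVE-2016-2089: matrix has no row storage, reject it */` above each guard would record why it is there. Both functions start and end outside the hunks.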
+++ b/graphics/jasper/patches/patch-src_libjasper_base_jas__seq.c
@@ -0,0 +1,61 @@
+$NetBSD: patch-src_libjasper_base_jas__seq.c,v 1.1 2016/03/13 04:11:18 tnn Exp $
+
+CVE-2016-2089 denial of service. Via Debian.
+
+--- src/libjasper/base/jas_seq.c.orig 2007-01-19 21:43:05.000000000 +0000
++++ src/libjasper/base/jas_seq.c
+@@ -262,6 +262,10 @@ void jas_matrix_divpow2(jas_matrix_t *ma
+ int rowstep;
+ jas_seqent_t *data;
+
++ if (!matrix->rows_) {
++ return;
++ }
++
+ rowstep = jas_matrix_rowstep(matrix);
+ for (i = matrix->numrows_, rowstart = matrix->rows_[0]; i > 0; --i,
+ rowstart += rowstep) {
+@@ -282,6 +286,10 @@ void jas_matrix_clip(jas_matrix_t *matri
+ jas_seqent_t *data;
+ int rowstep;
+
++ if (!matrix->rows_) {
++ return;
++ }
++
+ rowstep = jas_matrix_rowstep(matrix);
+ for (i = matrix->numrows_, rowstart = matrix->rows_[0]; i > 0; --i,
+ rowstart += rowstep) {
+@@ -306,6 +314,10 @@ void jas_matrix_asr(jas_matrix_t *matrix
+ int rowstep;
+ jas_seqent_t *data;
+
++ if (!matrix->rows_) {
++ return;
++ }
++
+ assert(n >= 0);
+ rowstep = jas_matrix_rowstep(matrix);
+ for (i = matrix->numrows_, rowstart = matrix->rows_[0]; i > 0; --i,
+@@ -325,6 +337,10 @@ void jas_matrix_asl(jas_matrix_t *matrix
+ int rowstep;
+ jas_seqent_t *data;
+
++ if (!matrix->rows_) {
++ return;
++ }
++
+ rowstep = jas_matrix_rowstep(matrix);
+ for (i = matrix->numrows_, rowstart = matrix->rows_[0]; i > 0; --i,
+ rowstart += rowstep) {
+@@ -367,6 +383,10 @@ void jas_matrix_setall(jas_matrix_t *mat
+ int rowstep;
+ jas_seqent_t *data;
+
++ if (!matrix->rows_) {
++ return;
++ }
++
+ rowstep = jas_matrix_rowstep(matrix);
+ for (i = matrix->numrows_, rowstart = matrix->rows_[0]; i > 0; --i,
+ rowstart += rowstep) { |
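Review bot: In jas_matrix_asr the new `if (!matrix->rows_)` return is placed ahead of `assert(n >= 0);`, so a negative shift count on a matrix without rows is no longer caught in debug builds; moving the guard below the assert keeps the argument check unconditional. The same four-line guard is repeated in jas_matrix_divpow2, jas_matrix_clip, jas_matrix_asl and jas_matrix_setall, each ahead of the `rowstart = matrix->rows_[0]` read in the loop initialiser. Only these five functions are touched; any other routine in jas_seq.c that indexes `rows_[0]` the same way would need the guard as well, which cannot be checked from the hunks shown. A short comment such as `/* no row storage: rows_[0] below must not be read */` would explain the early return. All five function bodies continue outside the hunks.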