author | drochner <drochner@pkgsrc.org> | 2008-03-20 19:58:16 +0000 |
---|---|---|
committer | drochner <drochner@pkgsrc.org> | 2008-03-20 19:58:16 +0000 |
commit | 10ca94814ce46229b4d7ac0395430a5233f4c1f1 (patch) | |
tree | 6838370af4bfe233c87d335b4ffd0102ced32906 /graphics/jasper | |
parent | 1b8676fc736d29fd0601cb1c7ca522ec526e511a (diff) | |
add a patch from Debian (bug #413041) to fix some heap corruption
on malformed image input (CVE-2007-2721),
also fix some initialisation which could cause random misbehaviour
on cleanup,
bump PKGREVISION
Diffstat (limited to 'graphics/jasper')
-rw-r--r-- | graphics/jasper/Makefile | 4 | ||||
-rw-r--r-- | graphics/jasper/distinfo | 5 | ||||
-rw-r--r-- | graphics/jasper/patches/patch-ag | 16 | ||||
-rw-r--r-- | graphics/jasper/patches/patch-ai | 16 |
4 files changed, 33 insertions, 8 deletions
diff --git a/graphics/jasper/Makefile b/graphics/jasper/Makefile
index ea3139501e9..cbe70e73492 100644
--- a/graphics/jasper/Makefile
+++ b/graphics/jasper/Makefile
@@ -1,7 +1,7 @@
-# $NetBSD: Makefile,v 1.27 2007/08/17 22:18:15 joerg Exp $
+# $NetBSD: Makefile,v 1.28 2008/03/20 19:58:16 drochner Exp $
 DISTNAME= jasper-1.900.1
-PKGREVISION= 1
+PKGREVISION= 2
 CATEGORIES= graphics
 MASTER_SITES= http://www.ece.uvic.ca/~mdadams/jasper/software/
 EXTRACT_SUFX= .zip
diff --git a/graphics/jasper/distinfo b/graphics/jasper/distinfo
index 7cf9995aa98..2b518863563 100644
--- a/graphics/jasper/distinfo
+++ b/graphics/jasper/distinfo
@@ -1,9 +1,10 @@
-$NetBSD: distinfo,v 1.11 2007/08/12 21:53:42 salo Exp $
+$NetBSD: distinfo,v 1.12 2008/03/20 19:58:16 drochner Exp $
 SHA1 (jasper-1.900.1.zip) = 9c5735f773922e580bf98c7c7dfda9bbed4c5191
 RMD160 (jasper-1.900.1.zip) = fb2c188abf5b8c297078ac1f913101734f72db5c
 Size (jasper-1.900.1.zip) = 1415752 bytes
 SHA1 (patch-ad) = 85637e42cdb1245babd5736c2d039558025738a6
 SHA1 (patch-ae) = bfe00f76582a44ad748706c3fc81c4d6b8aede35
-SHA1 (patch-ag) = 63da6dcbdca3f8e4508be8f934ec047abf5cb1f1
+SHA1 (patch-ag) = 0a3cf7ffff67001529198c23c3ca2499c71be7fa
 SHA1 (patch-ah) = 5455854277ad52adb4a22be08219facd796bbf1a
+SHA1 (patch-ai) = 000e9e4fe04d7dd4b5982953c39dbbd311487348
diff --git a/graphics/jasper/patches/patch-ag b/graphics/jasper/patches/patch-ag
index 0a5f325a053..140c335c55e 100644
--- a/graphics/jasper/patches/patch-ag
+++ b/graphics/jasper/patches/patch-ag
@@ -1,8 +1,16 @@
-$NetBSD: patch-ag,v 1.3 2007/01/06 23:28:07 wiz Exp $
+$NetBSD: patch-ag,v 1.4 2008/03/20 19:58:16 drochner Exp $
---- src/libjasper/jpc/jpc_dec.c.orig 2006-12-07 06:32:06.000000000 +0000
-+++ src/libjasper/jpc/jpc_dec.c
-@@ -1466,7 +1466,9 @@ static int jpc_dec_process_unk(jpc_dec_t
+--- ./src/libjasper/jpc/jpc_dec.c.orig 2007-01-19 22:43:07.000000000 +0100
++++ ./src/libjasper/jpc/jpc_dec.c
+@@ -1234,6 +1234,7 @@ static int jpc_dec_process_siz(jpc_dec_t
+ }
+ for (compno = 0, cmpt = dec->cmpts, tcomp = tile->tcomps;
+ compno < dec->numcomps; ++compno, ++cmpt, ++tcomp) {
++ tcomp->numrlvls = 0;
+ tcomp->rlvls = 0;
+ tcomp->data = 0;
+ tcomp->xstart = JPC_CEILDIV(tile->xstart, cmpt->hstep);
+@@ -1466,7 +1467,9 @@ static int jpc_dec_process_unk(jpc_dec_t
 dec = 0;
 jas_eprintf("warning: ignoring unknown marker segment\n");
diff --git a/graphics/jasper/patches/patch-ai b/graphics/jasper/patches/patch-ai
new file mode 100644
index 00000000000..faf20a02620
--- /dev/null
+++ b/graphics/jasper/patches/patch-ai
@@ -0,0 +1,16 @@
+$NetBSD: patch-ai,v 1.1 2008/03/20 19:58:16 drochner Exp $
+
+--- src/libjasper/jpc/jpc_cs.c.orig 2007-01-19 22:43:07.000000000 +0100
++++ src/libjasper/jpc/jpc_cs.c
+@@ -982,7 +982,10 @@ static int jpc_qcx_getcompparms(jpc_qcxc
+ compparms->numstepsizes = (len - n) / 2;
+ break;
+ }
+- if (compparms->numstepsizes > 0) {
++ if (compparms->numstepsizes > 3 * JPC_MAXRLVLS + 1) {
++ jpc_qcx_destroycompparms(compparms);
++ return -1;
++ } else if (compparms->numstepsizes > 0) {
+ compparms->stepsizes = jas_malloc(compparms->numstepsizes *
+ sizeof(uint_fast16_t));
+ assert(compparms->stepsizes); |
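Review bot: The new inner hunk in patch-ag that adds `tcomp->numrlvls = 0;` to the per-component loop of jpc_dec_process_siz is undocumented; the patch file has no line saying what it fixes or where it came from. A short header comment after the `$NetBSD$` tag would help, for example `Initialise tcomp->numrlvls with the other per-component fields so cleanup after a failed decode does not read an unset count.` That wording follows the commit message; the cleanup code is not visible in this hunk, so confirm it before committing the text. The rewritten header also switches to `./src/libjasper/...` while the new patch-ai uses `src/libjasper/...`; using one form in both files keeps the patches consistent.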
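Review bot: The new rejection branch in jpc_qcx_getcompparms (patch-ai) calls `jpc_qcx_destroycompparms(compparms)` before any visible line has assigned `compparms->stepsizes`. If neither the unseen start of the function nor the caller initialises that field, the destroy helper would presumably act on an indeterminate pointer for exactly the malformed input this check is meant to reject. Setting `compparms->stepsizes = 0;` before the `if (compparms->numstepsizes > 3 * JPC_MAXRLVLS + 1)` test, or returning -1 without the destroy call, would make the error path safe in either case. Separately, the context line `assert(compparms->stepsizes);` is still the only handling of a failed `jas_malloc`, so a build with NDEBUG would go on to use a null pointer; an explicit `if (!compparms->stepsizes) return -1;` would cover that. The function starts and ends outside the hunk, so both points need checking against the full source.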