add patches against CVE-2014-8137 CVE-2014-8138 CVE-2014-8157 and

CVE-2014-8158 originating from the Fedora project

6 files changed, 194 insertions, 3 deletions

diff --git a/print/ghostscript-gpl/Makefile b/print/ghostscript-gpl/Makefile
index 04c0f633919..bbd035b5485 100644
--- a/print/ghostscript-gpl/Makefile
+++ b/print/ghostscript-gpl/Makefile
@@ -1,8 +1,8 @@
-# $NetBSD: Makefile,v 1.15 2014/12/30 07:52:41 dholland Exp $
+# $NetBSD: Makefile,v 1.16 2015/03/11 20:58:26 spz Exp $
 
 DISTNAME=	ghostscript-${GS_VERSION}
 PKGNAME=	${DISTNAME:S/ghostscript/ghostscript-gpl/}
-PKGREVISION=	3
+PKGREVISION=	4
 CATEGORIES=	print
 MASTER_SITES=	${MASTER_SITE_SOURCEFORGE:=ghostscript/}
 MASTER_SITES+=	http://ghostscript.com/releases/
diff --git a/print/ghostscript-gpl/distinfo b/print/ghostscript-gpl/distinfo
index d2efc41a480..d4a6ae8de6f 100644
--- a/print/ghostscript-gpl/distinfo
+++ b/print/ghostscript-gpl/distinfo
@@ -1,9 +1,13 @@
-$NetBSD: distinfo,v 1.8 2015/02/24 08:21:07 markd Exp $
+$NetBSD: distinfo,v 1.9 2015/03/11 20:58:26 spz Exp $
 
 SHA1 (ghostscript-9.06.tar.bz2) = 4c1c2b4cddd16d86b21f36ad4fc15f6100162238
 RMD160 (ghostscript-9.06.tar.bz2) = 11ef74cf783ec5f7cde0ceaaf2823a1f62fb4d1d
 Size (ghostscript-9.06.tar.bz2) = 29246039 bytes
 SHA1 (patch-CVE-2012-4405) = 1dcb4cfeceb366c144e0a1337c6ccc2d8e13e4ca
+SHA1 (patch-CVE-2014-8137) = 5375f56f3d7cdfed0c9f900d291d75bbc3182b96
+SHA1 (patch-CVE-2014-8138) = be161051680e3c6c9246f31237019470a447ee49
+SHA1 (patch-CVE-2014-8157) = 18822069b9791fc3553e812878cfca483d881cd4
+SHA1 (patch-CVE-2014-8158) = 71387f152a205caaef0fcc518dbb0fbb7b78e531
 SHA1 (patch-CVE-2014-9029) = 9636c7d6909fc0dec7ad2102b59fb14d599bac6a
 SHA1 (patch-af) = 79af4d253001f879f1b5d3ef93584ae7300361de
 SHA1 (patch-ah) = 73a05ee51845ca70e1b18c50dee98d6799a46d52
diff --git a/print/ghostscript-gpl/patches/patch-CVE-2014-8137 b/print/ghostscript-gpl/patches/patch-CVE-2014-8137
new file mode 100644
index 00000000000..5850abc6f46
--- /dev/null
+++ b/print/ghostscript-gpl/patches/patch-CVE-2014-8137
@@ -0,0 +1,62 @@
+$NetBSD: patch-CVE-2014-8137,v 1.1 2015/03/11 20:58:26 spz Exp $
+
+patch for CVE-2014-8137 taken from
+http://pkgs.fedoraproject.org/cgit/jasper.git/tree/jasper-CVE-2014-8137.patch
+
+--- jasper/src/libjasper/base/jas_icc.c.orig	2012-08-08 08:01:36.000000000 +0000
++++ jasper/src/libjasper/base/jas_icc.c
+@@ -1024,7 +1024,6 @@ static int jas_icccurv_input(jas_iccattr
+ 	return 0;
+ 
+ error:
+-	jas_icccurv_destroy(attrval);
+ 	return -1;
+ }
+ 
+@@ -1144,7 +1143,6 @@ static int jas_icctxtdesc_input(jas_icca
+ #endif
+ 	return 0;
+ error:
+-	jas_icctxtdesc_destroy(attrval);
+ 	return -1;
+ }
+ 
+@@ -1223,8 +1221,6 @@ static int jas_icctxt_input(jas_iccattrv
+ 		goto error;
+ 	return 0;
+ error:
+-	if (txt->string)
+-		jas_free(txt->string);
+ 	return -1;
+ }
+ 
+@@ -1349,7 +1345,6 @@ static int jas_icclut8_input(jas_iccattr
+ 		goto error;
+ 	return 0;
+ error:
+-	jas_icclut8_destroy(attrval);
+ 	return -1;
+ }
+ 
+@@ -1520,7 +1515,6 @@ static int jas_icclut16_input(jas_iccatt
+ 		goto error;
+ 	return 0;
+ error:
+-	jas_icclut16_destroy(attrval);
+ 	return -1;
+ }
+ 
+--- jasper/src/libjasper/jp2/jp2_dec.c.orig	2012-08-08 08:01:36.000000000 +0000
++++ jasper/src/libjasper/jp2/jp2_dec.c
+@@ -325,7 +325,10 @@ jas_image_t *jp2_decode(jas_stream_t *in
+ 	case JP2_COLR_ICC:
+ 		iccprof = jas_iccprof_createfrombuf(dec->colr->data.colr.iccp,
+ 		  dec->colr->data.colr.iccplen);
+-		assert(iccprof);
++		if (!iccprof) {
++			jas_eprintf("error: failed to parse ICC profile\n");
++			goto error;
++		}
+ 		jas_iccprof_gethdr(iccprof, &icchdr);
+ 		if (jas_getdbglevel() >= 1) {
+ 			jas_eprintf("ICC Profile CS %08x\n", icchdr.colorspc);
diff --git a/print/ghostscript-gpl/patches/patch-CVE-2014-8138 b/print/ghostscript-gpl/patches/patch-CVE-2014-8138
new file mode 100644
index 00000000000..0c499a10827
--- /dev/null
+++ b/print/ghostscript-gpl/patches/patch-CVE-2014-8138
@@ -0,0 +1,16 @@
+$NetBSD: patch-CVE-2014-8138,v 1.1 2015/03/11 20:58:26 spz Exp $
+
+--- jasper/src/libjasper/jp2/jp2_dec.c.orig	2012-08-08 08:01:36.000000000 +0000
++++ jasper/src/libjasper/jp2/jp2_dec.c
+@@ -444,6 +447,11 @@ jas_image_t *jp2_decode(jas_stream_t *in
+ 	/* Determine the type of each component. */
+ 	if (dec->cdef) {
+ 		for (i = 0; i < dec->numchans; ++i) {
++			/* Is the channel number reasonable? */
++			if (dec->cdef->data.cdef.ents[i].channo >= dec->numchans) {
++				jas_eprintf("error: invalid channel number in CDEF box\n");
++				goto error;
++			}
+ 			jas_image_setcmpttype(dec->image,
+ 			  dec->chantocmptlut[dec->cdef->data.cdef.ents[i].channo],
+ 			  jp2_getct(jas_image_clrspc(dec->image),
diff --git a/print/ghostscript-gpl/patches/patch-CVE-2014-8157 b/print/ghostscript-gpl/patches/patch-CVE-2014-8157
new file mode 100644
index 00000000000..4a8685ad9b9
--- /dev/null
+++ b/print/ghostscript-gpl/patches/patch-CVE-2014-8157
@@ -0,0 +1,16 @@
+$NetBSD: patch-CVE-2014-8157,v 1.1 2015/03/11 20:58:26 spz Exp $
+
+patch for CVE-2014-8157 from
+http://pkgs.fedoraproject.org/cgit/jasper.git/tree/jasper-CVE-2014-8157.patch
+
+--- jasper/src/libjasper/jpc/jpc_dec.c.orig	2012-08-08 08:01:36.000000000 +0000
++++ jasper/src/libjasper/jpc/jpc_dec.c
+@@ -496,7 +496,7 @@ static int jpc_dec_process_sot(jpc_dec_t
+ 		dec->curtileendoff = 0;
+ 	}
+ 
+-	if (JAS_CAST(int, sot->tileno) > dec->numtiles) {
++	if (JAS_CAST(int, sot->tileno) >= dec->numtiles) {
+ 		jas_eprintf("invalid tile number in SOT marker segment\n");
+ 		return -1;
+ 	}
diff --git a/print/ghostscript-gpl/patches/patch-CVE-2014-8158 b/print/ghostscript-gpl/patches/patch-CVE-2014-8158
new file mode 100644
index 00000000000..9ee1fa49af6
--- /dev/null
+++ b/print/ghostscript-gpl/patches/patch-CVE-2014-8158
@@ -0,0 +1,93 @@
+$NetBSD: patch-CVE-2014-8158,v 1.1 2015/03/11 20:58:26 spz Exp $
+
+patch for CVE-2014-8158 loosely based on
+http://pkgs.fedoraproject.org/cgit/jasper.git/plain/jasper-CVE-2014-8158.patch
+
+eradicate all code-paths activated by HAVE_VLA
+
+--- jasper/src/libjasper/jpc/jpc_qmfb.c.orig	2012-08-08 08:01:36.000000000 +0000
++++ jasper/src/libjasper/jpc/jpc_qmfb.c
+@@ -158,12 +158,8 @@ static void jpc_qmfb1d_split(jpc_fix_t *
+   jpc_fix_t *hstartptr, int hstartind, int hendind)
+ {
+ 	int bufsize = JPC_CEILDIVPOW2(endind - startind, 2);
+-#if !defined(HAVE_VLA)
+ #define QMFB_SPLITBUFSIZE 4096
+ 	jpc_fix_t splitbuf[QMFB_SPLITBUFSIZE];
+-#else
+-	jpc_fix_t splitbuf[bufsize];
+-#endif
+ 	jpc_fix_t *buf = splitbuf;
+ 	int llen;
+ 	int hlen;
+@@ -179,7 +175,6 @@ static void jpc_qmfb1d_split(jpc_fix_t *
+ 	llen = lendind - lstartind;
+ 	hlen = hendind - hstartind;
+ 
+-#if !defined(HAVE_VLA)
+ 	/* Get a buffer. */
+ 	if (bufsize > QMFB_SPLITBUFSIZE) {
+ 		if (!(buf = jas_malloc(bufsize * sizeof(jpc_fix_t)))) {
+@@ -190,7 +185,6 @@ static void jpc_qmfb1d_split(jpc_fix_t *
+ 			return;
+ 		}
+ 	}
+-#endif
+ 
+ 	if (hstartind < lstartind) {
+ 		/* The first sample in the input signal is to appear
+@@ -272,12 +266,10 @@ static void jpc_qmfb1d_split(jpc_fix_t *
+ 		}
+ 	}
+ 
+-#if !defined(HAVE_VLA)
+ 	/* If the split buffer was allocated on the heap, free this memory. */
+ 	if (buf != splitbuf) {
+ 		jas_free(buf);
+ 	}
+-#endif
+ }
+ 
+ static void jpc_qmfb1d_join(jpc_fix_t *startptr, int startind, int endind,
+@@ -285,12 +277,8 @@ static void jpc_qmfb1d_join(jpc_fix_t *s
+   jpc_fix_t *hstartptr, int hstartind, int hendind)
+ {
+ 	int bufsize = JPC_CEILDIVPOW2(endind - startind, 2);
+-#if !defined(HAVE_VLA)
+ #define	QMFB_JOINBUFSIZE	4096
+ 	jpc_fix_t joinbuf[QMFB_JOINBUFSIZE];
+-#else
+-	jpc_fix_t joinbuf[bufsize];
+-#endif
+ 	jpc_fix_t *buf = joinbuf;
+ 	int llen;
+ 	int hlen;
+@@ -302,7 +290,6 @@ static void jpc_qmfb1d_join(jpc_fix_t *s
+ 	register int n;
+ 	int state;
+ 
+-#if !defined(HAVE_VLA)
+ 	/* Allocate memory for the join buffer from the heap. */
+ 	if (bufsize > QMFB_JOINBUFSIZE) {
+ 		if (!(buf = jas_malloc(bufsize * sizeof(jpc_fix_t)))) {
+@@ -313,7 +300,6 @@ static void jpc_qmfb1d_join(jpc_fix_t *s
+ 			return;
+ 		}
+ 	}
+-#endif
+ 
+ 	twostep = step << 1;
+ 	llen = lendind - lstartind;
+@@ -400,12 +386,10 @@ static void jpc_qmfb1d_join(jpc_fix_t *s
+ 		}
+ 	}
+ 
+-#if !defined(HAVE_VLA)
+ 	/* If the join buffer was allocated on the heap, free this memory. */
+ 	if (buf != joinbuf) {
+ 		jas_free(buf);
+ 	}
+-#endif
+ }
+ 
+ /******************************************************************************\