-rw-r--r-- | graphics/jasper/Makefile | 3 | ||||
-rw-r--r-- | graphics/jasper/distinfo | 3 | ||||
-rw-r--r-- | graphics/jasper/patches/patch-CVE-2016-8654 | 117 |
3 files changed, 121 insertions, 2 deletions
diff --git a/graphics/jasper/Makefile b/graphics/jasper/Makefile
index a48405e1a9a..4e959b5bd90 100644
--- a/graphics/jasper/Makefile
+++ b/graphics/jasper/Makefile
@@ -1,6 +1,7 @@
-# $NetBSD: Makefile,v 1.44 2016/12/16 09:44:44 he Exp $
+# $NetBSD: Makefile,v 1.45 2016/12/17 23:02:51 dholland Exp $
 DISTNAME= jasper-1.900.29
+PKGREVISION= 1
 CATEGORIES= graphics
 MASTER_SITES= http://www.ece.uvic.ca/~mdadams/jasper/software/
diff --git a/graphics/jasper/distinfo b/graphics/jasper/distinfo
index dad26c71e0a..a7c79ab5597 100644
--- a/graphics/jasper/distinfo
+++ b/graphics/jasper/distinfo
@@ -1,9 +1,10 @@
-$NetBSD: distinfo,v 1.22 2016/12/16 13:05:58 he Exp $
+$NetBSD: distinfo,v 1.23 2016/12/17 23:02:51 dholland Exp $
 SHA1 (jasper-1.900.29.tar.gz) = 6d50e5ea9e822ad5f88f4451819acab2e3b47f8e
 RMD160 (jasper-1.900.29.tar.gz) = 4ae47353f3dc086b3a11eff86ec7fb57d598c6fb
 SHA512 (jasper-1.900.29.tar.gz) = fdf557889660b9068e3712ff809fe7d4ab0855e1afff9a39eb19763599b4e747472743e4c49a42f7d38beadc6a0aa7a7b402422422853e8bb6d683def81b1544
 Size (jasper-1.900.29.tar.gz) = 1746319 bytes
+SHA1 (patch-CVE-2016-8654) = 9b430a5f872fbd2d33486d7280eeec04b552ec6f
 SHA1 (patch-configure) = 14039911be04b88559e40f20a01bb46fd0db4488
 SHA1 (patch-src_libjasper_base_jas__seq.c) = a0208cd0271388ae0fdc2e359da3223a35a7ae14
 SHA1 (patch-src_libjasper_base_jas__stream.c) = 2e9ad538ab2c0191063fef06202949b435b0085e
diff --git a/graphics/jasper/patches/patch-CVE-2016-8654 b/graphics/jasper/patches/patch-CVE-2016-8654
new file mode 100644
index 00000000000..2e6c524088f
--- /dev/null
+++ b/graphics/jasper/patches/patch-CVE-2016-8654
@@ -0,0 +1,117 @@
+From 4a59cfaf9ab3d48fca4a15c0d2674bf7138e3d1a Mon Sep 17 00:00:00 2001
+From: Michael Adams <mdadams@ece.uvic.ca>
+Date: Sat, 26 Nov 2016 20:23:23 -0800
+Subject: [PATCH] Fixed a buffer overrun problem in the QMFB code in the JPC
+ codec that was caused by a buffer being allocated with a size that was too
+ small in some cases. Added a new regression test case.
+
+---
+ data/test/bad/PoC1.jpc | Bin 0 -> 233 bytes
+ src/libjasper/jpc/jpc_qmfb.c | 28 +++++++++++++++-------------
+ 2 files changed, 15 insertions(+), 13 deletions(-)
+ create mode 100644 data/test/bad/PoC1.jpc
+
+# 
diff --git a/data/test/bad/PoC1.jpc
+# new file mode 100644
+# index 0000000000000000000000000000000000000000..95239547c40ebd947169f8d87ec399759d1acd3f
+# GIT binary patch
+# literal 233
+# zcmezG|38pHlYx<efuVtcK><X=Km(8g!Vtj7&dB&bh=G@t0i>9PMS)TLe+&alg2Vq5
+# z23-b5=c3falKdho1;;R5FC%XSjbu#)BLf2i9Ux(-;Fy!1uMn15oSC2Ze*yy+*u*jh
+# z#{ZKa{p#MIIpO~#?i1JcuDH+a{XxR{o@qS)=2<S+_kGs5vcd1wR*^ZWYAZ`pBG>(V
+# z>o4CL(REnycXM0m>2?DJ+q$m14-a1!FY%njRQ9-BmDw#gXoZ8CkKEbRXJ=<JubTMl
+# Q@K-MmpN6@L&;H*808TDYDF6Tf
+#
+# literal 0
+# HcmV?d00001
+
+diff --git src/libjasper/jpc/jpc_qmfb.c src/libjasper/jpc/jpc_qmfb.c
+index 45be24e..f26070f 100644
+--- src/libjasper/jpc/jpc_qmfb.c
++++ src/libjasper/jpc/jpc_qmfb.c
+@@ -374,7 +374,7 @@ void jpc_qmfb_split_col(jpc_fix_t *a, int numrows, int stride,
+ register jpc_fix_t *dstptr;
+ register int n;
+ register int m;
+- int hstartcol;
++ int hstartrow;
+
+ /* Get a buffer. */
+ if (bufsize > QMFB_SPLITBUFSIZE) {
+@@ -385,9 +385,9 @@ void jpc_qmfb_split_col(jpc_fix_t *a, int numrows, int stride,
+ }
+
+ if (numrows >= 2) {
+- hstartcol = (numrows + 1 - parity) >> 1;
+- // ORIGINAL (WRONG): m = (parity) ? hstartcol : (numrows - hstartcol);
+- m = numrows - hstartcol;
++ hstartrow = (numrows + 1 - parity) >> 1;
++ // ORIGINAL (WRONG): m = (parity) ? hstartrow : (numrows - hstartrow);
++ m = numrows - hstartrow;
+
+ /* Save the samples destined for the highpass channel. */
+ n = m;
+@@ -408,7 +408,7 @@ void jpc_qmfb_split_col(jpc_fix_t *a, int numrows, int stride,
+ srcptr += stride << 1;
+ }
+ /* Copy the saved samples into the highpass channel. */
+- dstptr = &a[hstartcol * stride];
++ dstptr = &a[hstartrow * stride];
+ srcptr = buf;
+ n = m;
+ while (n-- > 0) {
+@@ -439,20 +439,21 @@ void jpc_qmfb_split_colgrp(jpc_fix_t *a, int numrows, int stride,
+ register int n;
+ register int i;
+ int m;
+- int hstartcol;
++ int hstartrow;
+
+ /* Get a buffer. 
*/
+ if (bufsize > QMFB_SPLITBUFSIZE) {
+- if (!(buf = jas_alloc2(bufsize, sizeof(jpc_fix_t)))) {
++ if (!(buf = jas_alloc3(bufsize, JPC_QMFB_COLGRPSIZE,
++ sizeof(jpc_fix_t)))) {
+ /* We have no choice but to commit suicide in this case. */
+ abort();
+ }
+ }
+
+ if (numrows >= 2) {
+- hstartcol = (numrows + 1 - parity) >> 1;
+- // ORIGINAL (WRONG): m = (parity) ? hstartcol : (numrows - hstartcol);
+- m = numrows - hstartcol;
++ hstartrow = (numrows + 1 - parity) >> 1;
++ // ORIGINAL (WRONG): m = (parity) ? hstartrow : (numrows - hstartrow);
++ m = numrows - hstartrow;
+
+ /* Save the samples destined for the highpass channel. */
+ n = m;
+@@ -485,7 +486,7 @@ void jpc_qmfb_split_colgrp(jpc_fix_t *a, int numrows, int stride,
+ srcptr += stride << 1;
+ }
+ /* Copy the saved samples into the highpass channel. */
+- dstptr = &a[hstartcol * stride];
++ dstptr = &a[hstartrow * stride];
+ srcptr = buf;
+ n = m;
+ while (n-- > 0) {
+@@ -526,7 +527,7 @@ void jpc_qmfb_split_colres(jpc_fix_t *a, int numrows, int numcols,
+
+ /* Get a buffer. */
+ if (bufsize > QMFB_SPLITBUFSIZE) {
+- if (!(buf = jas_alloc2(bufsize, sizeof(jpc_fix_t)))) {
++ if (!(buf = jas_alloc3(bufsize, numcols, sizeof(jpc_fix_t)))) {
+ /* We have no choice but to commit suicide in this case. */
+ abort();
+ }
+@@ -721,7 +722,8 @@ void jpc_qmfb_join_colgrp(jpc_fix_t *a, int numrows, int stride,
+
+ /* Allocate memory for the join buffer from the heap. */
+ if (bufsize > QMFB_JOINBUFSIZE) {
+- if (!(buf = jas_alloc3(bufsize, JPC_QMFB_COLGRPSIZE, sizeof(jpc_fix_t)))) {
++ if (!(buf = jas_alloc3(bufsize, JPC_QMFB_COLGRPSIZE,
++ sizeof(jpc_fix_t)))) {
+ /* We have no choice but to commit suicide. */
+ abort();
+ } |
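Review bot: The sizing fix in the embedded jpc_qmfb.c patch touches only the heap branch of `jpc_qmfb_split_colgrp` and `jpc_qmfb_split_colres`; when `bufsize <= QMFB_SPLITBUFSIZE` the code keeps using a fixed buffer whose declaration lies outside these hunks, so the patch does not show whether that buffer holds `QMFB_SPLITBUFSIZE` rows of `JPC_QMFB_COLGRPSIZE` (or `numcols`) samples. Because `numcols` is a caller-supplied parameter of `jpc_qmfb_split_colres`, I would state the bound next to the allocation, for example `assert(numcols <= JPC_QMFB_COLGRPSIZE);`, assuming the fixed buffer is sized for one column group. The unchanged `abort()` on allocation failure also stays reachable with a size that is presumably derived from image dimensions, which ends the host process instead of returning a decode error. All four functions begin and end outside the hunks shown, and the PoC1.jpc regression input is commented out in this pkgsrc patch, so the package build does not exercise the fix.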