-rw-r--r--graphics/jasper/Makefile3
-rw-r--r--graphics/jasper/distinfo3
-rw-r--r--graphics/jasper/patches/patch-CVE-2016-8654117
3 files changed, 121 insertions, 2 deletions
diff --git a/graphics/jasper/Makefile b/graphics/jasper/Makefile
index a48405e1a9a..4e959b5bd90 100644
--- a/graphics/jasper/Makefile
+++ b/graphics/jasper/Makefile
@@ -1,6 +1,7 @@
-# $NetBSD: Makefile,v 1.44 2016/12/16 09:44:44 he Exp $
+# $NetBSD: Makefile,v 1.45 2016/12/17 23:02:51 dholland Exp $
DISTNAME= jasper-1.900.29
+PKGREVISION= 1
CATEGORIES= graphics
MASTER_SITES= http://www.ece.uvic.ca/~mdadams/jasper/software/
diff --git a/graphics/jasper/distinfo b/graphics/jasper/distinfo
index dad26c71e0a..a7c79ab5597 100644
--- a/graphics/jasper/distinfo
+++ b/graphics/jasper/distinfo
@@ -1,9 +1,10 @@
-$NetBSD: distinfo,v 1.22 2016/12/16 13:05:58 he Exp $
+$NetBSD: distinfo,v 1.23 2016/12/17 23:02:51 dholland Exp $
SHA1 (jasper-1.900.29.tar.gz) = 6d50e5ea9e822ad5f88f4451819acab2e3b47f8e
RMD160 (jasper-1.900.29.tar.gz) = 4ae47353f3dc086b3a11eff86ec7fb57d598c6fb
SHA512 (jasper-1.900.29.tar.gz) = fdf557889660b9068e3712ff809fe7d4ab0855e1afff9a39eb19763599b4e747472743e4c49a42f7d38beadc6a0aa7a7b402422422853e8bb6d683def81b1544
Size (jasper-1.900.29.tar.gz) = 1746319 bytes
+SHA1 (patch-CVE-2016-8654) = 9b430a5f872fbd2d33486d7280eeec04b552ec6f
SHA1 (patch-configure) = 14039911be04b88559e40f20a01bb46fd0db4488
SHA1 (patch-src_libjasper_base_jas__seq.c) = a0208cd0271388ae0fdc2e359da3223a35a7ae14
SHA1 (patch-src_libjasper_base_jas__stream.c) = 2e9ad538ab2c0191063fef06202949b435b0085e
diff --git a/graphics/jasper/patches/patch-CVE-2016-8654 b/graphics/jasper/patches/patch-CVE-2016-8654
new file mode 100644
index 00000000000..2e6c524088f
--- /dev/null
+++ b/graphics/jasper/patches/patch-CVE-2016-8654
@@ -0,0 +1,117 @@
+From 4a59cfaf9ab3d48fca4a15c0d2674bf7138e3d1a Mon Sep 17 00:00:00 2001
+From: Michael Adams <mdadams@ece.uvic.ca>
+Date: Sat, 26 Nov 2016 20:23:23 -0800
+Subject: [PATCH] Fixed a buffer overrun problem in the QMFB code in the JPC
+ codec that was caused by a buffer being allocated with a size that was too
+ small in some cases. Added a new regression test case.
+
+---
+ data/test/bad/PoC1.jpc | Bin 0 -> 233 bytes
+ src/libjasper/jpc/jpc_qmfb.c | 28 +++++++++++++++-------------
+ 2 files changed, 15 insertions(+), 13 deletions(-)
+ create mode 100644 data/test/bad/PoC1.jpc
+
+# diff --git a/data/test/bad/PoC1.jpc b/data/test/bad/PoC1.jpc
+# new file mode 100644
+# index 0000000000000000000000000000000000000000..95239547c40ebd947169f8d87ec399759d1acd3f
+# GIT binary patch
+# literal 233
+# zcmezG|38pHlYx<efuVtcK><X=Km(8g!Vtj7&dB&bh=G@t0i>9PMS)TLe+&alg2Vq5
+# z23-b5=c3falKdho1;;R5FC%XSjbu#)BLf2i9Ux(-;Fy!1uMn15oSC2Ze*yy+*u*jh
+# z#{ZKa{p#MIIpO~#?i1JcuDH+a{XxR{o@qS)=2<S+_kGs5vcd1wR*^ZWYAZ`pBG>(V
+# z>o4CL(REnycXM0m>2?DJ+q$m14-a1!FY%njRQ9-BmDw#gXoZ8CkKEbRXJ=<JubTMl
+# Q@K-MmpN6@L&;H*808TDYDF6Tf
+#
+# literal 0
+# HcmV?d00001
+
+diff --git src/libjasper/jpc/jpc_qmfb.c src/libjasper/jpc/jpc_qmfb.c
+index 45be24e..f26070f 100644
+--- src/libjasper/jpc/jpc_qmfb.c
++++ src/libjasper/jpc/jpc_qmfb.c
+@@ -374,7 +374,7 @@ void jpc_qmfb_split_col(jpc_fix_t *a, int numrows, int stride,
+ register jpc_fix_t *dstptr;
+ register int n;
+ register int m;
+- int hstartcol;
++ int hstartrow;
+
+ /* Get a buffer. */
+ if (bufsize > QMFB_SPLITBUFSIZE) {
+@@ -385,9 +385,9 @@ void jpc_qmfb_split_col(jpc_fix_t *a, int numrows, int stride,
+ }
+
+ if (numrows >= 2) {
+- hstartcol = (numrows + 1 - parity) >> 1;
+- // ORIGINAL (WRONG): m = (parity) ? hstartcol : (numrows - hstartcol);
+- m = numrows - hstartcol;
++ hstartrow = (numrows + 1 - parity) >> 1;
++ // ORIGINAL (WRONG): m = (parity) ? hstartrow : (numrows - hstartrow);
++ m = numrows - hstartrow;
+
+ /* Save the samples destined for the highpass channel. */
+ n = m;
+@@ -408,7 +408,7 @@ void jpc_qmfb_split_col(jpc_fix_t *a, int numrows, int stride,
+ srcptr += stride << 1;
+ }
+ /* Copy the saved samples into the highpass channel. */
+- dstptr = &a[hstartcol * stride];
++ dstptr = &a[hstartrow * stride];
+ srcptr = buf;
+ n = m;
+ while (n-- > 0) {
+@@ -439,20 +439,21 @@ void jpc_qmfb_split_colgrp(jpc_fix_t *a, int numrows, int stride,
+ register int n;
+ register int i;
+ int m;
+- int hstartcol;
++ int hstartrow;
+
+ /* Get a buffer. */
+ if (bufsize > QMFB_SPLITBUFSIZE) {
+- if (!(buf = jas_alloc2(bufsize, sizeof(jpc_fix_t)))) {
++ if (!(buf = jas_alloc3(bufsize, JPC_QMFB_COLGRPSIZE,
++ sizeof(jpc_fix_t)))) {
+ /* We have no choice but to commit suicide in this case. */
+ abort();
+ }
+ }
+
+ if (numrows >= 2) {
+- hstartcol = (numrows + 1 - parity) >> 1;
+- // ORIGINAL (WRONG): m = (parity) ? hstartcol : (numrows - hstartcol);
+- m = numrows - hstartcol;
++ hstartrow = (numrows + 1 - parity) >> 1;
++ // ORIGINAL (WRONG): m = (parity) ? hstartrow : (numrows - hstartrow);
++ m = numrows - hstartrow;
+
+ /* Save the samples destined for the highpass channel. */
+ n = m;
+@@ -485,7 +486,7 @@ void jpc_qmfb_split_colgrp(jpc_fix_t *a, int numrows, int stride,
+ srcptr += stride << 1;
+ }
+ /* Copy the saved samples into the highpass channel. */
+- dstptr = &a[hstartcol * stride];
++ dstptr = &a[hstartrow * stride];
+ srcptr = buf;
+ n = m;
+ while (n-- > 0) {
+@@ -526,7 +527,7 @@ void jpc_qmfb_split_colres(jpc_fix_t *a, int numrows, int numcols,
+
+ /* Get a buffer. */
+ if (bufsize > QMFB_SPLITBUFSIZE) {
+- if (!(buf = jas_alloc2(bufsize, sizeof(jpc_fix_t)))) {
++ if (!(buf = jas_alloc3(bufsize, numcols, sizeof(jpc_fix_t)))) {
+ /* We have no choice but to commit suicide in this case. */
+ abort();
+ }
+@@ -721,7 +722,8 @@ void jpc_qmfb_join_colgrp(jpc_fix_t *a, int numrows, int stride,
+
+ /* Allocate memory for the join buffer from the heap. */
+ if (bufsize > QMFB_JOINBUFSIZE) {
+- if (!(buf = jas_alloc3(bufsize, JPC_QMFB_COLGRPSIZE, sizeof(jpc_fix_t)))) {
++ if (!(buf = jas_alloc3(bufsize, JPC_QMFB_COLGRPSIZE,
++ sizeof(jpc_fix_t)))) {
+ /* We have no choice but to commit suicide. */
+ abort();
+ }
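Review bot: The corrected sizing in jpc_qmfb_split_colgrp (`jas_alloc3(bufsize, JPC_QMFB_COLGRPSIZE, sizeof(jpc_fix_t))`) and in jpc_qmfb_split_colres (`jas_alloc3(bufsize, numcols, sizeof(jpc_fix_t))`) only takes effect on the `bufsize > QMFB_SPLITBUFSIZE` branch. The buffer used below that threshold is declared outside these hunks, so it should be confirmed that it holds QMFB_SPLITBUFSIZE times the same column count; if it does not, the overrun this patch fixes would remain reachable for small inputs. A comment at each allocation would record the invariant, for example `/* buf must hold bufsize * JPC_QMFB_COLGRPSIZE elements, matching the fixed-size fallback buffer */`. The bodies of all of these functions start and end outside the hunks shown. Separately, the binary hunk for data/test/bad/PoC1.jpc appears to be commented out with `#` while the patch header still lists the file as created, so the regression input presumably does not land in the patched tree and a one-line remark at the top of the patch file saying so would help.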