diff options
Diffstat (limited to 'graphics/jasper/patches/patch-CVE-2016-8654')
| -rw-r--r-- | graphics/jasper/patches/patch-CVE-2016-8654 | 119 |
1 files changed, 0 insertions, 119 deletions
diff --git a/graphics/jasper/patches/patch-CVE-2016-8654 b/graphics/jasper/patches/patch-CVE-2016-8654 deleted file mode 100644 index c3332e1a42f..00000000000 --- a/graphics/jasper/patches/patch-CVE-2016-8654 +++ /dev/null @@ -1,119 +0,0 @@ -$NetBSD: patch-CVE-2016-8654,v 1.2 2016/12/17 23:10:25 dholland Exp $ - -From 4a59cfaf9ab3d48fca4a15c0d2674bf7138e3d1a Mon Sep 17 00:00:00 2001 -From: Michael Adams <mdadams@ece.uvic.ca> -Date: Sat, 26 Nov 2016 20:23:23 -0800 -Subject: [PATCH] Fixed a buffer overrun problem in the QMFB code in the JPC - codec that was caused by a buffer being allocated with a size that was too - small in some cases. Added a new regression test case. - ---- - data/test/bad/PoC1.jpc | Bin 0 -> 233 bytes - src/libjasper/jpc/jpc_qmfb.c | 28 +++++++++++++++------------- - 2 files changed, 15 insertions(+), 13 deletions(-) - create mode 100644 data/test/bad/PoC1.jpc - -# diff --git a/data/test/bad/PoC1.jpc b/data/test/bad/PoC1.jpc -# new file mode 100644 -# index 0000000000000000000000000000000000000000..95239547c40ebd947169f8d87ec399759d1acd3f -# GIT binary patch -# literal 233 -# zcmezG|38pHlYx<efuVtcK><X=Km(8g!Vtj7&dB&bh=G@t0i>9PMS)TLe+&alg2Vq5 -# z23-b5=c3falKdho1;;R5FC%XSjbu#)BLf2i9Ux(-;Fy!1uMn15oSC2Ze*yy+*u*jh -# z#{ZKa{p#MIIpO~#?i1JcuDH+a{XxR{o@qS)=2<S+_kGs5vcd1wR*^ZWYAZ`pBG>(V -# z>o4CL(REnycXM0m>2?DJ+q$m14-a1!FY%njRQ9-BmDw#gXoZ8CkKEbRXJ=<JubTMl -# Q@K-MmpN6@L&;H*808TDYDF6Tf -# -# literal 0 -# HcmV?d00001 - -diff --git src/libjasper/jpc/jpc_qmfb.c src/libjasper/jpc/jpc_qmfb.c -index 45be24e..f26070f 100644 ---- src/libjasper/jpc/jpc_qmfb.c -+++ src/libjasper/jpc/jpc_qmfb.c -@@ -374,7 +374,7 @@ void jpc_qmfb_split_col(jpc_fix_t *a, int numrows, int stride, - register jpc_fix_t *dstptr; - register int n; - register int m; -- int hstartcol; -+ int hstartrow; - - /* Get a buffer. */ - if (bufsize > QMFB_SPLITBUFSIZE) { -@@ -385,9 +385,9 @@ void jpc_qmfb_split_col(jpc_fix_t *a, int numrows, int stride, - } - - if (numrows >= 2) { -- hstartcol = (numrows + 1 - parity) >> 1; -- // ORIGINAL (WRONG): m = (parity) ? hstartcol : (numrows - hstartcol); -- m = numrows - hstartcol; -+ hstartrow = (numrows + 1 - parity) >> 1; -+ // ORIGINAL (WRONG): m = (parity) ? hstartrow : (numrows - hstartrow); -+ m = numrows - hstartrow; - - /* Save the samples destined for the highpass channel. */ - n = m; -@@ -408,7 +408,7 @@ void jpc_qmfb_split_col(jpc_fix_t *a, int numrows, int stride, - srcptr += stride << 1; - } - /* Copy the saved samples into the highpass channel. */ -- dstptr = &a[hstartcol * stride]; -+ dstptr = &a[hstartrow * stride]; - srcptr = buf; - n = m; - while (n-- > 0) { -@@ -439,20 +439,21 @@ void jpc_qmfb_split_colgrp(jpc_fix_t *a, int numrows, int stride, - register int n; - register int i; - int m; -- int hstartcol; -+ int hstartrow; - - /* Get a buffer. */ - if (bufsize > QMFB_SPLITBUFSIZE) { -- if (!(buf = jas_alloc2(bufsize, sizeof(jpc_fix_t)))) { -+ if (!(buf = jas_alloc3(bufsize, JPC_QMFB_COLGRPSIZE, -+ sizeof(jpc_fix_t)))) { - /* We have no choice but to commit suicide in this case. */ - abort(); - } - } - - if (numrows >= 2) { -- hstartcol = (numrows + 1 - parity) >> 1; -- // ORIGINAL (WRONG): m = (parity) ? hstartcol : (numrows - hstartcol); -- m = numrows - hstartcol; -+ hstartrow = (numrows + 1 - parity) >> 1; -+ // ORIGINAL (WRONG): m = (parity) ? hstartrow : (numrows - hstartrow); -+ m = numrows - hstartrow; - - /* Save the samples destined for the highpass channel. */ - n = m; -@@ -485,7 +486,7 @@ void jpc_qmfb_split_colgrp(jpc_fix_t *a, int numrows, int stride, - srcptr += stride << 1; - } - /* Copy the saved samples into the highpass channel. */ -- dstptr = &a[hstartcol * stride]; -+ dstptr = &a[hstartrow * stride]; - srcptr = buf; - n = m; - while (n-- > 0) { -@@ -526,7 +527,7 @@ void jpc_qmfb_split_colres(jpc_fix_t *a, int numrows, int numcols, - - /* Get a buffer. */ - if (bufsize > QMFB_SPLITBUFSIZE) { -- if (!(buf = jas_alloc2(bufsize, sizeof(jpc_fix_t)))) { -+ if (!(buf = jas_alloc3(bufsize, numcols, sizeof(jpc_fix_t)))) { - /* We have no choice but to commit suicide in this case. */ - abort(); - } -@@ -721,7 +722,8 @@ void jpc_qmfb_join_colgrp(jpc_fix_t *a, int numrows, int stride, - - /* Allocate memory for the join buffer from the heap. */ - if (bufsize > QMFB_JOINBUFSIZE) { -- if (!(buf = jas_alloc3(bufsize, JPC_QMFB_COLGRPSIZE, sizeof(jpc_fix_t)))) { -+ if (!(buf = jas_alloc3(bufsize, JPC_QMFB_COLGRPSIZE, -+ sizeof(jpc_fix_t)))) { - /* We have no choice but to commit suicide. */ - abort(); - } |