Diffstat (limited to 'graphics/jasper/patches/patch-src_libjasper_base_jas__seq.c')
-rw-r--r--graphics/jasper/patches/patch-src_libjasper_base_jas__seq.c56
1 files changed, 48 insertions, 8 deletions
diff --git a/graphics/jasper/patches/patch-src_libjasper_base_jas__seq.c b/graphics/jasper/patches/patch-src_libjasper_base_jas__seq.c
index a79b05eac13..d544287720d 100644
--- a/graphics/jasper/patches/patch-src_libjasper_base_jas__seq.c
+++ b/graphics/jasper/patches/patch-src_libjasper_base_jas__seq.c
@@ -1,10 +1,40 @@
-$NetBSD: patch-src_libjasper_base_jas__seq.c,v 1.1 2016/03/13 04:11:18 tnn Exp $
+$NetBSD: patch-src_libjasper_base_jas__seq.c,v 1.2 2016/05/16 14:03:40 he Exp $
CVE-2016-2089 denial of service. Via Debian.
---- src/libjasper/base/jas_seq.c.orig 2007-01-19 21:43:05.000000000 +0000
-+++ src/libjasper/base/jas_seq.c
-@@ -262,6 +262,10 @@ void jas_matrix_divpow2(jas_matrix_t *ma
+Fix CVE-2008-3520, patches from
+https://bugs.gentoo.org/show_bug.cgi?id=222819
+
+--- src/libjasper/base/jas_seq.c.old 2016-03-31 14:47:00.000000000 +0200
++++ src/libjasper/base/jas_seq.c 2016-03-31 14:47:50.000000000 +0200
+@@ -114,7 +114,7 @@
+ matrix->datasize_ = numrows * numcols;
+
+ if (matrix->maxrows_ > 0) {
+- if (!(matrix->rows_ = jas_malloc(matrix->maxrows_ *
++ if (!(matrix->rows_ = jas_alloc2(matrix->maxrows_,
+ sizeof(jas_seqent_t *)))) {
+ jas_matrix_destroy(matrix);
+ return 0;
+@@ -122,7 +122,7 @@
+ }
+
+ if (matrix->datasize_ > 0) {
+- if (!(matrix->data_ = jas_malloc(matrix->datasize_ *
++ if (!(matrix->data_ = jas_alloc2(matrix->datasize_,
+ sizeof(jas_seqent_t)))) {
+ jas_matrix_destroy(matrix);
+ return 0;
+@@ -220,7 +220,7 @@
+ mat0->numrows_ = r1 - r0 + 1;
+ mat0->numcols_ = c1 - c0 + 1;
+ mat0->maxrows_ = mat0->numrows_;
+- mat0->rows_ = jas_malloc(mat0->maxrows_ * sizeof(jas_seqent_t *));
++ mat0->rows_ = jas_alloc2(mat0->maxrows_, sizeof(jas_seqent_t *));
+ for (i = 0; i < mat0->numrows_; ++i) {
+ mat0->rows_[i] = mat1->rows_[r0 + i] + c0;
+ }
+@@ -262,6 +262,10 @@
int rowstep;
jas_seqent_t *data;
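Review bot: In the `@@ -220,7 +220,7 @@` fragment the result of `jas_alloc2(mat0->maxrows_, sizeof(jas_seqent_t *))` is stored in `mat0->rows_` and the loop right after it writes `mat0->rows_[i]` without a NULL check, unlike the two earlier call sites, which call `jas_matrix_destroy(matrix)` and `return 0`. Presumably jas_alloc2 returns NULL when the size product overflows or the allocation fails, so this call site needs a guard such as `if (!mat0->rows_) { /* report failure */ }` before the loop; how the failure is reported depends on the function's signature, which is outside the fragment. Separately, `matrix->datasize_ = numrows * numcols;` in the first fragment is still computed before jas_alloc2 sees it, so an overflow in that product is not caught by the checked allocator; the types of `numrows` and `numcols` are not visible here and should be confirmed. All three fragments start and end inside functions whose bodies continue outside the patch context.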
@@ -15,7 +45,7 @@ CVE-2016-2089 denial of service. Via Debian.
rowstep = jas_matrix_rowstep(matrix);
for (i = matrix->numrows_, rowstart = matrix->rows_[0]; i > 0; --i,
rowstart += rowstep) {
-@@ -282,6 +286,10 @@ void jas_matrix_clip(jas_matrix_t *matri
+@@ -282,6 +286,10 @@
jas_seqent_t *data;
int rowstep;
@@ -26,7 +56,7 @@ CVE-2016-2089 denial of service. Via Debian.
rowstep = jas_matrix_rowstep(matrix);
for (i = matrix->numrows_, rowstart = matrix->rows_[0]; i > 0; --i,
rowstart += rowstep) {
-@@ -306,6 +314,10 @@ void jas_matrix_asr(jas_matrix_t *matrix
+@@ -306,6 +314,10 @@
int rowstep;
jas_seqent_t *data;
@@ -37,7 +67,7 @@ CVE-2016-2089 denial of service. Via Debian.
assert(n >= 0);
rowstep = jas_matrix_rowstep(matrix);
for (i = matrix->numrows_, rowstart = matrix->rows_[0]; i > 0; --i,
-@@ -325,6 +337,10 @@ void jas_matrix_asl(jas_matrix_t *matrix
+@@ -325,6 +337,10 @@
int rowstep;
jas_seqent_t *data;
@@ -48,7 +78,7 @@ CVE-2016-2089 denial of service. Via Debian.
rowstep = jas_matrix_rowstep(matrix);
for (i = matrix->numrows_, rowstart = matrix->rows_[0]; i > 0; --i,
rowstart += rowstep) {
-@@ -367,6 +383,10 @@ void jas_matrix_setall(jas_matrix_t *mat
+@@ -367,6 +383,10 @@
int rowstep;
jas_seqent_t *data;
@@ -59,3 +89,13 @@ CVE-2016-2089 denial of service. Via Debian.
rowstep = jas_matrix_rowstep(matrix);
for (i = matrix->numrows_, rowstart = matrix->rows_[0]; i > 0; --i,
rowstart += rowstep) {
+@@ -432,7 +452,8 @@
+ for (i = 0; i < jas_matrix_numrows(matrix); ++i) {
+ for (j = 0; j < jas_matrix_numcols(matrix); ++j) {
+ x = jas_matrix_get(matrix, i, j);
+- sprintf(sbuf, "%s%4ld", (strlen(buf) > 0) ? " " : "",
++ snprintf(sbuf, sizeof sbuf,
++ "%s%4ld", (strlen(buf) > 0) ? " " : "",
+ JAS_CAST(long, x));
+ n = strlen(buf);
+ if (n + strlen(sbuf) > MAXLINELEN) {
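Review bot: The return value of the new `snprintf(sbuf, sizeof sbuf, ...)` is discarded, so a truncated `sbuf` would be appended to the output line silently. `sizeof sbuf` is also the buffer's capacity only if `sbuf` is declared as an array in this function; the declaration is outside the fragment, and if it is a pointer the bound becomes the pointer size. I would confirm the declaration and add a comment at the call, for example `/* sbuf is a char array; sizeof sbuf is its capacity */`. The length check `n + strlen(sbuf) > MAXLINELEN` on `buf` continues past the end of the fragment, so its handling of the overflow case could not be reviewed here.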