Merged update from upstream sources

This is an automated DistroBaker update from upstream sources.
If you do not know what this is about or would like to opt out,
contact the OSCI team.

Source: https://src.fedoraproject.org/rpms/jasper.git#56f26ca8d9b83fbe37df18a39c1e462c1a8ec9f2

jasper-CVE-2021-3272.patch

@@ -0,0 +1,47 @@
+From 49174ab592cdfa6f1a929a2ee3d4b4976f9459fd Mon Sep 17 00:00:00 2001
+From: Michael Adams <mdadams@ece.uvic.ca>
+Date: Tue, 19 Jan 2021 22:59:33 -0800
+Subject: [PATCH] Fixes #259
+
+---
+ src/libjasper/jp2/jp2_dec.c |  12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+diff --git a/src/libjasper/jp2/jp2_dec.c b/src/libjasper/jp2/jp2_dec.c
+index 4acf004..60dee42 100644
+--- a/src/libjasper/jp2/jp2_dec.c
++++ b/src/libjasper/jp2/jp2_dec.c
+@@ -255,7 +255,7 @@ jas_image_t *jp2_decode(jas_stream_t *in, const char *optstr)
+ 	  with the data in the code stream? */
+ 	if ((samedtype && dec->ihdr->data.ihdr.bpc != JP2_DTYPETOBPC(dtype)) ||
+ 	  (!samedtype && dec->ihdr->data.ihdr.bpc != JP2_IHDR_BPCNULL)) {
+-		jas_eprintf("warning: component data type mismatch\n");
++		jas_eprintf("warning: component data type mismatch (IHDR)\n");
+ 	}
+ 
+ 	/* Is the compression type supported? */
+@@ -278,7 +278,7 @@ jas_image_t *jp2_decode(jas_stream_t *in, const char *optstr)
+ 			  ++i) {
+ 				if (jas_image_cmptdtype(dec->image, i) !=
+ 				  JP2_BPCTODTYPE(dec->bpcc->data.bpcc.bpcs[i])) {
+-					jas_eprintf("warning: component data type mismatch\n");
++					jas_eprintf("warning: component data type mismatch (BPCC)\n");
+ 				}
+ 			}
+ 		} else {
+@@ -409,6 +409,14 @@ jas_image_t *jp2_decode(jas_stream_t *in, const char *optstr)
+ 		}
+ 	}
+ 
++	/* Ensure that the number of channels being used by the decoder
++	  matches the number of image components. */
++	if (dec->numchans != jas_image_numcmpts(dec->image)) {
++		jas_eprintf("error: mismatch in number of components (%d != %d)\n",
++		  dec->numchans, jas_image_numcmpts(dec->image));
++		goto error;
++	}
++
+ 	/* Mark all components as being of unknown type. */
+ 
+ 	for (i = 0; i < JAS_CAST(jas_uint, jas_image_numcmpts(dec->image)); ++i) {
+

jasper.spec

@@ -6,7 +6,7 @@
 Summary: Implementation of the JPEG-2000 standard, Part 1
 Name:    jasper
 Version: 2.0.24
-Release: 1%{?dist}
+Release: 3%{?dist}
 
 License: JasPer
 URL:     http://www.ece.uvic.ca/~frodo/jasper/
@@ -15,6 +15,7 @@ Source0: https://github.com/jasper-software/jasper/archive/version-%{version}.ta
 # skip hard-coded prefix/lib rpath
 Patch2: jasper-2.0.14-rpath.patch
 Patch3: jasper-freeglut.patch
+Patch4: jasper-CVE-2021-3272.patch
 
 # architecture related patches
 Patch100: jasper-2.0.2-test-ppc64-disable.patch
@@ -68,6 +69,7 @@ Requires: %{name}-libs%{?_isa} = %{version}-%{release}
 # Need to disable one test to be able to build it on ppc64 arch
 # At ppc64 this test just stuck (nothing happend - no exception or error)
 %patch3 -p1 -b .freeglut
+%patch4 -p1 -b .CVE-2021-3272
 
 %if "%{_arch}" == "ppc64"
 %patch100 -p1 -b .test-ppc64-disable
@@ -128,6 +130,12 @@ make test -C builder
 
 
 %changelog
+* Thu Jan 28 2021 Josef Ridky <jridky@redhat.com> - 2.0.24-3
+- fix CVE-2021-3272 (#1921328)
+
+* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 2.0.24-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
+
 * Mon Jan 25 2021 Josef Ridky <jridky@redhat.com> - 2.0.24-1
 - New upstream release 2.0.24 (#1905690)