Rebase to the latest version - 1.900.28

Josef Ridky 2016-11-14 10:19:57 +01:00
parent 1c22196677
commit 168cc2af7e
7 changed files with 9 additions and 303 deletions

1
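--- a/.gitignore
+++ b/.gitignore
@@ -6,3 +6,4 @@ jasper-1.900.1.zip
 /jasper-1.900.2.tar.gz
 /jasper-1.900.3.tar.gz
 /jasper-1.900.13.tar.gz
+/jasper-1.900.28.tar.gz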


@ -1,23 +0,0 @@
diff -up jasper-1.900.1/src/libjasper/jpc/jpc_cs.c.CERT-VU-887409 jasper-1.900.1/src/libjasper/jpc/jpc_cs.c
--- jasper-1.900.1/src/libjasper/jpc/jpc_cs.c.CERT-VU-887409 2011-10-25 17:25:39.000000000 +0200
+++ jasper-1.900.1/src/libjasper/jpc/jpc_cs.c 2011-10-25 17:29:14.379371908 +0200
@@ -744,6 +744,10 @@ static int jpc_cox_getcompparms(jpc_ms_t
return -1;
}
compparms->numrlvls = compparms->numdlvls + 1;
+ if (compparms->numrlvls > JPC_MAXRLVLS) {
+ jpc_cox_destroycompparms(compparms);
+ return -1;
+ }
if (prtflag) {
for (i = 0; i < compparms->numrlvls; ++i) {
if (jpc_getuint8(in, &tmp)) {
@@ -1331,7 +1335,7 @@ static int jpc_crg_getparms(jpc_ms_t *ms
jpc_crgcomp_t *comp;
uint_fast16_t compno;
crg->numcomps = cstate->numcomps;
- if (!(crg->comps = jas_alloc2(cstate->numcomps, sizeof(uint_fast16_t)))) {
+ if (!(crg->comps = jas_alloc2(cstate->numcomps, sizeof(jpc_crgcomp_t)))) {
return -1;
}
for (compno = 0, comp = crg->comps; compno < cstate->numcomps;


@ -1,61 +0,0 @@
Error: NULL_RETURNS
base/jas_image.c:213: returned_null: Function "jas_image_create0" returns null (checked 6 out of 7 times).
base/jas_image.c:213: var_assigned: Assigning: "newimage" = null return value from "jas_image_create0".
base/jas_image.c:214: dereference: Dereferencing a pointer that might be null "newimage" when calling "jas_image_growcmpts".
base/jas_image.c:777: deref_parm: Directly dereferencing parameter "image".
base/jas_seq.c:223: returned_null: Function "jas_malloc" returns null (checked 110 out of 119 times).
base/jas_seq.c:223: var_assigned: Assigning: "mat0->rows_" = null return value from "jas_malloc".
base/jas_seq.c:225: dereference: Dereferencing a null pointer "mat0->rows_".
jp2/jp2_cod.c:484: returned_null: Function "jas_stream_memopen" returns null (checked 12 out of 15 times).
jp2/jp2_cod.c:484: var_assigned: Assigning: "tmpstream" = null return value from "jas_stream_memopen".
jp2/jp2_cod.c:490: dereference: Dereferencing a pointer that might be null "tmpstream" when calling "jas_stream_tell".
base/jas_stream.c:677: deref_parm: Directly dereferencing parameter "stream".
diff -up jasper-1.900.1/src/libjasper/base/jas_image.c.NULL_RETURNS jasper-1.900.1/src/libjasper/base/jas_image.c
--- jasper-1.900.1/src/libjasper/base/jas_image.c.NULL_RETURNS 2011-12-08 14:00:05.350020869 +0100
+++ jasper-1.900.1/src/libjasper/base/jas_image.c 2011-12-08 14:00:06.638004766 +0100
@@ -210,7 +210,10 @@ jas_image_t *jas_image_copy(jas_image_t
jas_image_t *newimage;
int cmptno;
- newimage = jas_image_create0();
+ if (!(newimage = jas_image_create0())) {
+ goto error;
+ }
+
if (jas_image_growcmpts(newimage, image->numcmpts_)) {
goto error;
}
diff -up jasper-1.900.1/src/libjasper/base/jas_seq.c.NULL_RETURNS jasper-1.900.1/src/libjasper/base/jas_seq.c
--- jasper-1.900.1/src/libjasper/base/jas_seq.c.NULL_RETURNS 2011-12-08 14:00:05.000000000 +0100
+++ jasper-1.900.1/src/libjasper/base/jas_seq.c 2011-12-08 14:15:12.449680562 +0100
@@ -220,7 +220,11 @@ void jas_matrix_bindsub(jas_matrix_t *ma
mat0->numrows_ = r1 - r0 + 1;
mat0->numcols_ = c1 - c0 + 1;
mat0->maxrows_ = mat0->numrows_;
- mat0->rows_ = jas_alloc2(mat0->maxrows_, sizeof(jas_seqent_t *));
+ if (!(mat0->rows_ = jas_alloc2(mat0->maxrows_, sizeof(jas_seqent_t *)))) {
+ jas_matrix_destroy(mat0);
+ return;
+ }
+
for (i = 0; i < mat0->numrows_; ++i) {
mat0->rows_[i] = mat1->rows_[r0 + i] + c0;
}
diff -up jasper-1.900.1/src/libjasper/jp2/jp2_cod.c.NULL_RETURNS jasper-1.900.1/src/libjasper/jp2/jp2_cod.c
--- jasper-1.900.1/src/libjasper/jp2/jp2_cod.c.NULL_RETURNS 2011-12-08 14:00:05.633017331 +0100
+++ jasper-1.900.1/src/libjasper/jp2/jp2_cod.c 2011-12-08 14:00:06.677004279 +0100
@@ -481,7 +481,9 @@ int jp2_box_put(jp2_box_t *box, jas_stre
dataflag = !(box->info->flags & (JP2_BOX_SUPER | JP2_BOX_NODATA));
if (dataflag) {
- tmpstream = jas_stream_memopen(0, 0);
+ if (!(tmpstream = jas_stream_memopen(0, 0))) {
+ goto error;
+ }
if (box->ops->putdata) {
if ((*box->ops->putdata)(box, tmpstream)) {
goto error;


@ -1,202 +0,0 @@
Error: RESOURCE_LEAK
src/appl/imgcmp.c:504: var_assign: Assigning: "diffimage" = storage returned from "jas_image_create(3, compparms, 1025)".
src/appl/imgcmp.c:511: leaked_storage: Variable "diffimage" going out of scope leaks the storage it points to.
src/appl/imgcmp.c:537: leaked_storage: Variable "diffimage" going out of scope leaks the storage it points to.
base/jas_image.c:254: var_assign: Assigning: "newcmpt" = storage returned from "jas_image_cmpt_create0()".
base/jas_image.c:268: leaked_storage: Variable "newcmpt" going out of scope leaks the storage it points to.
base/jas_image.c:271: leaked_storage: Variable "newcmpt" going out of scope leaks the storage it points to.
base/jas_image.c:274: leaked_storage: Variable "newcmpt" going out of scope leaks the storage it points to.
base/jas_image.c:277: leaked_storage: Variable "newcmpt" going out of scope leaks the storage it points to.
base/jas_cm.c:611: var_assign: Assigning: "newpxformseq" = storage returned from "jas_cmpxformseq_create()".
base/jas_cm.c:617: leaked_storage: Variable "newpxformseq" going out of scope leaks the storage it points to.
base/jas_cm.c:343: var_assign: Assigning: "newprof" = storage returned from "jas_cmprof_create()".
base/jas_cm.c:358: leaked_storage: Variable "newprof" going out of scope leaks the storage it points to.
base/jas_cm.c:380: var_assign: Assigning: "xform" = storage returned from "jas_malloc(sizeof (jas_cmxform_t) /*16*/)".
base/jas_cm.c:461: leaked_storage: Variable "xform" going out of scope leaks the storage it points to.
base/jas_image.c:1379: var_assign: Assigning: "xform" = storage returned from "jas_cmxform_create(inprof, outprof, NULL, 0, intent, 0)".
base/jas_image.c:1444: leaked_storage: Variable "xform" going out of scope leaks the storage it points to.
base/jas_image.c:1306: var_assign: Assigning: "inimage" = storage returned from "jas_image_copy(image)".
base/jas_image.c:1444: leaked_storage: Variable "inimage" going out of scope leaks the storage it points to.
base/jas_image.c:1345: var_assign: Assigning: "outimage" = storage returned from "jas_image_create0()".
base/jas_image.c:1444: leaked_storage: Variable "outimage" going out of scope leaks the storage it points to.
bmp/bmp_enc.c:187: var_assign: Assigning: "info" = storage returned from "bmp_info_create()".
bmp/bmp_enc.c:208: leaked_storage: Variable "info" going out of scope leaks the storage it points to.
jpc/jpc_tagtree.c:111: var_assign: Assigning: "tree" = storage returned from "jpc_tagtree_alloc()".
jpc/jpc_tagtree.c:129: leaked_storage: Variable "tree" going out of scope leaks the storage it points to.
jpc/jpc_dec.c:452: var_assign: Assigning: "compinfos" = storage returned from "jas_malloc(dec->numcomps * sizeof (jas_image_cmptparm_t) /*56*/)".
jpc/jpc_dec.c:468: leaked_storage: Variable "compinfos" going out of scope leaks the storage it points to.
jpc/jpc_dec.c:1483: var_assign: Assigning: "cp" = storage returned from "jas_malloc(sizeof (jpc_dec_cp_t) /*48*/)".
jpc/jpc_dec.c:1493: leaked_storage: Variable "cp" going out of scope leaks the storage it points to.
jpc/jpc_dec.c:1497: leaked_storage: Variable "cp" going out of scope leaks the storage it points to.
mif/mif_cod.c:523: var_assign: Assigning: "cmpt" = storage returned from "mif_cmpt_create()".
mif/mif_cod.c:568: leaked_storage: Variable "cmpt" going out of scope leaks the storage it points to.
mif/mif_cod.c:568: leaked_storage: Variable "tvp" going out of scope leaks the storage it points to.
diff -up jasper-1.900.1/src/appl/imgcmp.c.RESOURCE_LEAK jasper-1.900.1/src/appl/imgcmp.c
--- jasper-1.900.1/src/appl/imgcmp.c.RESOURCE_LEAK 2007-01-19 22:43:08.000000000 +0100
+++ jasper-1.900.1/src/appl/imgcmp.c 2011-12-08 14:16:04.727027007 +0100
@@ -507,6 +507,7 @@ jas_image_t *makediffimage(jas_matrix_t
for (i = 0; i < 3; ++i) {
if (!(diffdata[i] = jas_matrix_create(height, width))) {
+ jas_image_destroy(diffimage);
fprintf(stderr, "internal error\n");
return 0;
}
@@ -534,6 +535,7 @@ jas_image_t *makediffimage(jas_matrix_t
for (i = 0; i < 3; ++i) {
if (jas_image_writecmpt(diffimage, i, 0, 0, width, height, diffdata[i])) {
+ jas_image_destroy(diffimage);
return 0;
}
}
diff -up jasper-1.900.1/src/libjasper/base/jas_cm.c.RESOURCE_LEAK jasper-1.900.1/src/libjasper/base/jas_cm.c
--- jasper-1.900.1/src/libjasper/base/jas_cm.c.RESOURCE_LEAK 2011-12-08 14:16:03.387043758 +0100
+++ jasper-1.900.1/src/libjasper/base/jas_cm.c 2011-12-08 14:16:04.728026994 +0100
@@ -355,6 +355,8 @@ jas_cmprof_t *jas_cmprof_copy(jas_cmprof
}
return newprof;
error:
+ if (newprof)
+ jas_cmprof_destroy(newprof);
return 0;
}
@@ -458,6 +460,8 @@ jas_cmxform_t *jas_cmxform_create(jas_cm
}
return xform;
error:
+ if (xform)
+ jas_cmxform_destroy(xform);
return 0;
}
@@ -614,6 +618,8 @@ static jas_cmpxformseq_t *jas_cmpxformse
goto error;
return newpxformseq;
error:
+ if (newpxformseq)
+ jas_cmpxformseq_destroy(newpxformseq);
return 0;
}
diff -up jasper-1.900.1/src/libjasper/base/jas_image.c.RESOURCE_LEAK jasper-1.900.1/src/libjasper/base/jas_image.c
--- jasper-1.900.1/src/libjasper/base/jas_image.c.RESOURCE_LEAK 2011-12-08 14:16:04.635028156 +0100
+++ jasper-1.900.1/src/libjasper/base/jas_image.c 2011-12-08 14:16:04.776026394 +0100
@@ -268,15 +268,19 @@ static jas_image_cmpt_t *jas_image_cmpt_
newcmpt->cps_ = cmpt->cps_;
newcmpt->type_ = cmpt->type_;
if (!(newcmpt->stream_ = jas_stream_memopen(0, 0))) {
+ jas_image_cmpt_destroy(newcmpt);
return 0;
}
if (jas_stream_seek(cmpt->stream_, 0, SEEK_SET)) {
+ jas_image_cmpt_destroy(newcmpt);
return 0;
}
if (jas_stream_copy(newcmpt->stream_, cmpt->stream_, -1)) {
+ jas_image_cmpt_destroy(newcmpt);
return 0;
}
if (jas_stream_seek(newcmpt->stream_, 0, SEEK_SET)) {
+ jas_image_cmpt_destroy(newcmpt);
return 0;
}
return newcmpt;
@@ -1443,5 +1447,11 @@ jas_image_dump(outimage, stderr);
#endif
return outimage;
error:
+ if (xform)
+ jas_cmxform_destroy(xform);
+ if (inimage)
+ jas_image_destroy(inimage);
+ if (outimage)
+ jas_image_destroy(outimage);
return 0;
}
diff -up jasper-1.900.1/src/libjasper/bmp/bmp_enc.c.RESOURCE_LEAK jasper-1.900.1/src/libjasper/bmp/bmp_enc.c
--- jasper-1.900.1/src/libjasper/bmp/bmp_enc.c.RESOURCE_LEAK 2007-01-19 22:43:07.000000000 +0100
+++ jasper-1.900.1/src/libjasper/bmp/bmp_enc.c 2011-12-08 14:16:04.826025768 +0100
@@ -205,16 +205,19 @@ int bmp_encode(jas_image_t *image, jas_s
/* Write the bitmap header. */
if (bmp_puthdr(out, &hdr)) {
+ bmp_info_destroy(info);
return -1;
}
/* Write the bitmap information. */
if (bmp_putinfo(out, info)) {
+ bmp_info_destroy(info);
return -1;
}
/* Write the bitmap data. */
if (bmp_putdata(out, info, image, enc->cmpts)) {
+ bmp_info_destroy(info);
return -1;
}
diff -up jasper-1.900.1/src/libjasper/jpc/jpc_dec.c.RESOURCE_LEAK jasper-1.900.1/src/libjasper/jpc/jpc_dec.c
--- jasper-1.900.1/src/libjasper/jpc/jpc_dec.c.RESOURCE_LEAK 2011-12-08 14:16:04.594028668 +0100
+++ jasper-1.900.1/src/libjasper/jpc/jpc_dec.c 2011-12-08 14:17:25.677014992 +0100
@@ -465,6 +465,7 @@ static int jpc_dec_process_sot(jpc_dec_t
if (!(dec->image = jas_image_create(dec->numcomps, compinfos,
JAS_CLRSPC_UNKNOWN))) {
+ jas_free(compinfos);
return -1;
}
jas_free(compinfos);
@@ -1490,10 +1491,11 @@ static jpc_dec_cp_t *jpc_dec_cp_create(u
cp->mctid = 0;
cp->csty = 0;
if (!(cp->ccps = jas_alloc2(cp->numcomps, sizeof(jpc_dec_ccp_t)))) {
+ jpc_dec_cp_destroy(cp);
return 0;
}
if (!(cp->pchglist = jpc_pchglist_create())) {
- jas_free(cp->ccps);
+ jpc_dec_cp_destroy(cp);
return 0;
}
for (compno = 0, ccp = cp->ccps; compno < cp->numcomps;
diff -up jasper-1.900.1/src/libjasper/jpc/jpc_tagtree.c.RESOURCE_LEAK jasper-1.900.1/src/libjasper/jpc/jpc_tagtree.c
--- jasper-1.900.1/src/libjasper/jpc/jpc_tagtree.c.RESOURCE_LEAK 2011-12-08 14:16:04.000000000 +0100
+++ jasper-1.900.1/src/libjasper/jpc/jpc_tagtree.c 2011-12-08 14:17:55.905637082 +0100
@@ -126,6 +126,7 @@ jpc_tagtree_t *jpc_tagtree_create(int nu
} while (n > 1);
if (!(tree->nodes_ = jas_alloc2(tree->numnodes_, sizeof(jpc_tagtreenode_t)))) {
+ jpc_tagtree_destroy(tree);
return 0;
}
diff -up jasper-1.900.1/src/libjasper/mif/mif_cod.c.RESOURCE_LEAK jasper-1.900.1/src/libjasper/mif/mif_cod.c
--- jasper-1.900.1/src/libjasper/mif/mif_cod.c.RESOURCE_LEAK 2011-12-08 14:16:04.250032970 +0100
+++ jasper-1.900.1/src/libjasper/mif/mif_cod.c 2011-12-08 14:16:04.967024005 +0100
@@ -564,7 +564,7 @@ static int mif_process_cmpt(mif_hdr_t *h
break;
case MIF_DATA:
if (!(cmpt->data = jas_strdup(jas_tvparser_getval(tvp)))) {
- return -1;
+ goto error;
}
break;
}


@ -6,7 +6,7 @@
Summary: Implementation of the JPEG-2000 standard, Part 1 Summary: Implementation of the JPEG-2000 standard, Part 1
Name: jasper Name: jasper
Group: System Environment/Libraries Group: System Environment/Libraries
Version: 1.900.13 Version: 1.900.28
Release: 1%{?dist} Release: 1%{?dist}
%if "%{version}" > "1.900.1" %if "%{version}" > "1.900.1"
@ -128,7 +128,7 @@ make check
%files libs %files libs
%doc COPYRIGHT LICENSE NEWS README %doc COPYRIGHT LICENSE NEWS README
%{_libdir}/libjasper.so.1* %{_libdir}/libjasper.so.4*
%files utils %files utils
%{_bindir}/jiv %{_bindir}/jiv
@ -137,6 +137,11 @@ make check
%changelog %changelog
* Mon Nov 14 2016 Josef Ridky <jridky@redhat.com> - 1.900.28-1
- New upstream release 1.900.28 (#1389636)
- CVE-2016-9262 jasper: Multiple overflow vulnerabilities leading to use after free (#1393883)
- Upgrade libjasper.so.1* to libjasper.so.4*
* Mon Oct 24 2016 Josef Ridky <jridky@redhat.com> - 1.900.13-1 * Mon Oct 24 2016 Josef Ridky <jridky@redhat.com> - 1.900.13-1
- New upstream release 1.900.13 (#1385637) - New upstream release 1.900.13 (#1385637)
- Release contains security fix for CVE-2016-8690, CVE-2016-8691, CVE-2016-8692, CVE-2016-8693 (#1385516) - Release contains security fix for CVE-2016-8690, CVE-2016-8691, CVE-2016-8692, CVE-2016-8693 (#1385516)
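Review bot: The new changelog entry (the `* Mon Nov 14 2016` block) records CVE-2016-9262 and the soname change but does not mention the downstream patch files this commit deletes, which carried input bounds checks in jpc_cs.c (`numrlvls > JPC_MAXRLVLS`, `numstepsizes > 3 * JPC_MAXRLVLS + 1`) as well as the NULL_RETURNS and RESOURCE_LEAK fixes. The spec hunks shown here touch no patch-application lines, so this page does not show whether those patches were still applied or whether 1.900.28 carries equivalent checks; that should be confirmed against the new tarball and, if so, recorded with a line such as `- Drop downstream patches (CERT-VU-887409, NULL_RETURNS, RESOURCE_LEAK) now covered upstream`. The `%files libs` change from `libjasper.so.1*` to `libjasper.so.4*` is an ABI bump, so anything linked against the old soname will need rebuilding.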


@ -1,14 +0,0 @@
--- jasper-1.900.1.orig/src/libjasper/jpc/jpc_cs.c 2007-01-19 22:43:07.000000000 +0100
+++ jasper-1.900.1/src/libjasper/jpc/jpc_cs.c 2007-04-06 01:29:02.000000000 +0200
@@ -982,7 +982,10 @@ static int jpc_qcx_getcompparms(jpc_qcxc
compparms->numstepsizes = (len - n) / 2;
break;
}
- if (compparms->numstepsizes > 0) {
+ if (compparms->numstepsizes > 3 * JPC_MAXRLVLS + 1) {
+ jpc_qcx_destroycompparms(compparms);
+ return -1;
+ } else if (compparms->numstepsizes > 0) {
compparms->stepsizes = jas_malloc(compparms->numstepsizes *
sizeof(uint_fast16_t));
assert(compparms->stepsizes);


@ -1 +1 @@
2436b251a38155308e83a4c752bb10b6 jasper-1.900.13.tar.gz 979fd58a439ccaba8eb3b806d7e6a87e jasper-1.900.28.tar.gz