Rebase to the latest version - 1.900.28
This commit is contained in:
parent
1c22196677
commit
168cc2af7e
1
.gitignore
vendored
1
.gitignore
vendored
@ -6,3 +6,4 @@ jasper-1.900.1.zip
|
||||
/jasper-1.900.2.tar.gz
|
||||
/jasper-1.900.3.tar.gz
|
||||
/jasper-1.900.13.tar.gz
|
||||
/jasper-1.900.28.tar.gz
|
||||
|
@ -1,23 +0,0 @@
|
||||
diff -up jasper-1.900.1/src/libjasper/jpc/jpc_cs.c.CERT-VU-887409 jasper-1.900.1/src/libjasper/jpc/jpc_cs.c
|
||||
--- jasper-1.900.1/src/libjasper/jpc/jpc_cs.c.CERT-VU-887409 2011-10-25 17:25:39.000000000 +0200
|
||||
+++ jasper-1.900.1/src/libjasper/jpc/jpc_cs.c 2011-10-25 17:29:14.379371908 +0200
|
||||
@@ -744,6 +744,10 @@ static int jpc_cox_getcompparms(jpc_ms_t
|
||||
return -1;
|
||||
}
|
||||
compparms->numrlvls = compparms->numdlvls + 1;
|
||||
+ if (compparms->numrlvls > JPC_MAXRLVLS) {
|
||||
+ jpc_cox_destroycompparms(compparms);
|
||||
+ return -1;
|
||||
+ }
|
||||
if (prtflag) {
|
||||
for (i = 0; i < compparms->numrlvls; ++i) {
|
||||
if (jpc_getuint8(in, &tmp)) {
|
||||
@@ -1331,7 +1335,7 @@ static int jpc_crg_getparms(jpc_ms_t *ms
|
||||
jpc_crgcomp_t *comp;
|
||||
uint_fast16_t compno;
|
||||
crg->numcomps = cstate->numcomps;
|
||||
- if (!(crg->comps = jas_alloc2(cstate->numcomps, sizeof(uint_fast16_t)))) {
|
||||
+ if (!(crg->comps = jas_alloc2(cstate->numcomps, sizeof(jpc_crgcomp_t)))) {
|
||||
return -1;
|
||||
}
|
||||
for (compno = 0, comp = crg->comps; compno < cstate->numcomps;
|
@ -1,61 +0,0 @@
|
||||
Error: NULL_RETURNS
|
||||
base/jas_image.c:213: returned_null: Function "jas_image_create0" returns null (checked 6 out of 7 times).
|
||||
base/jas_image.c:213: var_assigned: Assigning: "newimage" = null return value from "jas_image_create0".
|
||||
base/jas_image.c:214: dereference: Dereferencing a pointer that might be null "newimage" when calling "jas_image_growcmpts".
|
||||
base/jas_image.c:777: deref_parm: Directly dereferencing parameter "image".
|
||||
|
||||
base/jas_seq.c:223: returned_null: Function "jas_malloc" returns null (checked 110 out of 119 times).
|
||||
base/jas_seq.c:223: var_assigned: Assigning: "mat0->rows_" = null return value from "jas_malloc".
|
||||
base/jas_seq.c:225: dereference: Dereferencing a null pointer "mat0->rows_".
|
||||
|
||||
jp2/jp2_cod.c:484: returned_null: Function "jas_stream_memopen" returns null (checked 12 out of 15 times).
|
||||
jp2/jp2_cod.c:484: var_assigned: Assigning: "tmpstream" = null return value from "jas_stream_memopen".
|
||||
jp2/jp2_cod.c:490: dereference: Dereferencing a pointer that might be null "tmpstream" when calling "jas_stream_tell".
|
||||
base/jas_stream.c:677: deref_parm: Directly dereferencing parameter "stream".
|
||||
|
||||
|
||||
diff -up jasper-1.900.1/src/libjasper/base/jas_image.c.NULL_RETURNS jasper-1.900.1/src/libjasper/base/jas_image.c
|
||||
--- jasper-1.900.1/src/libjasper/base/jas_image.c.NULL_RETURNS 2011-12-08 14:00:05.350020869 +0100
|
||||
+++ jasper-1.900.1/src/libjasper/base/jas_image.c 2011-12-08 14:00:06.638004766 +0100
|
||||
@@ -210,7 +210,10 @@ jas_image_t *jas_image_copy(jas_image_t
|
||||
jas_image_t *newimage;
|
||||
int cmptno;
|
||||
|
||||
- newimage = jas_image_create0();
|
||||
+ if (!(newimage = jas_image_create0())) {
|
||||
+ goto error;
|
||||
+ }
|
||||
+
|
||||
if (jas_image_growcmpts(newimage, image->numcmpts_)) {
|
||||
goto error;
|
||||
}
|
||||
diff -up jasper-1.900.1/src/libjasper/base/jas_seq.c.NULL_RETURNS jasper-1.900.1/src/libjasper/base/jas_seq.c
|
||||
--- jasper-1.900.1/src/libjasper/base/jas_seq.c.NULL_RETURNS 2011-12-08 14:00:05.000000000 +0100
|
||||
+++ jasper-1.900.1/src/libjasper/base/jas_seq.c 2011-12-08 14:15:12.449680562 +0100
|
||||
@@ -220,7 +220,11 @@ void jas_matrix_bindsub(jas_matrix_t *ma
|
||||
mat0->numrows_ = r1 - r0 + 1;
|
||||
mat0->numcols_ = c1 - c0 + 1;
|
||||
mat0->maxrows_ = mat0->numrows_;
|
||||
- mat0->rows_ = jas_alloc2(mat0->maxrows_, sizeof(jas_seqent_t *));
|
||||
+ if (!(mat0->rows_ = jas_alloc2(mat0->maxrows_, sizeof(jas_seqent_t *)))) {
|
||||
+ jas_matrix_destroy(mat0);
|
||||
+ return;
|
||||
+ }
|
||||
+
|
||||
for (i = 0; i < mat0->numrows_; ++i) {
|
||||
mat0->rows_[i] = mat1->rows_[r0 + i] + c0;
|
||||
}
|
||||
diff -up jasper-1.900.1/src/libjasper/jp2/jp2_cod.c.NULL_RETURNS jasper-1.900.1/src/libjasper/jp2/jp2_cod.c
|
||||
--- jasper-1.900.1/src/libjasper/jp2/jp2_cod.c.NULL_RETURNS 2011-12-08 14:00:05.633017331 +0100
|
||||
+++ jasper-1.900.1/src/libjasper/jp2/jp2_cod.c 2011-12-08 14:00:06.677004279 +0100
|
||||
@@ -481,7 +481,9 @@ int jp2_box_put(jp2_box_t *box, jas_stre
|
||||
dataflag = !(box->info->flags & (JP2_BOX_SUPER | JP2_BOX_NODATA));
|
||||
|
||||
if (dataflag) {
|
||||
- tmpstream = jas_stream_memopen(0, 0);
|
||||
+ if (!(tmpstream = jas_stream_memopen(0, 0))) {
|
||||
+ goto error;
|
||||
+ }
|
||||
if (box->ops->putdata) {
|
||||
if ((*box->ops->putdata)(box, tmpstream)) {
|
||||
goto error;
|
@ -1,202 +0,0 @@
|
||||
Error: RESOURCE_LEAK
|
||||
src/appl/imgcmp.c:504: var_assign: Assigning: "diffimage" = storage returned from "jas_image_create(3, compparms, 1025)".
|
||||
src/appl/imgcmp.c:511: leaked_storage: Variable "diffimage" going out of scope leaks the storage it points to.
|
||||
src/appl/imgcmp.c:537: leaked_storage: Variable "diffimage" going out of scope leaks the storage it points to.
|
||||
|
||||
base/jas_image.c:254: var_assign: Assigning: "newcmpt" = storage returned from "jas_image_cmpt_create0()".
|
||||
base/jas_image.c:268: leaked_storage: Variable "newcmpt" going out of scope leaks the storage it points to.
|
||||
base/jas_image.c:271: leaked_storage: Variable "newcmpt" going out of scope leaks the storage it points to.
|
||||
base/jas_image.c:274: leaked_storage: Variable "newcmpt" going out of scope leaks the storage it points to.
|
||||
base/jas_image.c:277: leaked_storage: Variable "newcmpt" going out of scope leaks the storage it points to.
|
||||
|
||||
base/jas_cm.c:611: var_assign: Assigning: "newpxformseq" = storage returned from "jas_cmpxformseq_create()".
|
||||
base/jas_cm.c:617: leaked_storage: Variable "newpxformseq" going out of scope leaks the storage it points to.
|
||||
|
||||
base/jas_cm.c:343: var_assign: Assigning: "newprof" = storage returned from "jas_cmprof_create()".
|
||||
base/jas_cm.c:358: leaked_storage: Variable "newprof" going out of scope leaks the storage it points to.
|
||||
|
||||
base/jas_cm.c:380: var_assign: Assigning: "xform" = storage returned from "jas_malloc(sizeof (jas_cmxform_t) /*16*/)".
|
||||
base/jas_cm.c:461: leaked_storage: Variable "xform" going out of scope leaks the storage it points to.
|
||||
|
||||
base/jas_image.c:1379: var_assign: Assigning: "xform" = storage returned from "jas_cmxform_create(inprof, outprof, NULL, 0, intent, 0)".
|
||||
base/jas_image.c:1444: leaked_storage: Variable "xform" going out of scope leaks the storage it points to.
|
||||
|
||||
base/jas_image.c:1306: var_assign: Assigning: "inimage" = storage returned from "jas_image_copy(image)".
|
||||
base/jas_image.c:1444: leaked_storage: Variable "inimage" going out of scope leaks the storage it points to.
|
||||
|
||||
base/jas_image.c:1345: var_assign: Assigning: "outimage" = storage returned from "jas_image_create0()".
|
||||
base/jas_image.c:1444: leaked_storage: Variable "outimage" going out of scope leaks the storage it points to.
|
||||
|
||||
bmp/bmp_enc.c:187: var_assign: Assigning: "info" = storage returned from "bmp_info_create()".
|
||||
bmp/bmp_enc.c:208: leaked_storage: Variable "info" going out of scope leaks the storage it points to.
|
||||
|
||||
jpc/jpc_tagtree.c:111: var_assign: Assigning: "tree" = storage returned from "jpc_tagtree_alloc()".
|
||||
jpc/jpc_tagtree.c:129: leaked_storage: Variable "tree" going out of scope leaks the storage it points to.
|
||||
|
||||
jpc/jpc_dec.c:452: var_assign: Assigning: "compinfos" = storage returned from "jas_malloc(dec->numcomps * sizeof (jas_image_cmptparm_t) /*56*/)".
|
||||
jpc/jpc_dec.c:468: leaked_storage: Variable "compinfos" going out of scope leaks the storage it points to.
|
||||
|
||||
jpc/jpc_dec.c:1483: var_assign: Assigning: "cp" = storage returned from "jas_malloc(sizeof (jpc_dec_cp_t) /*48*/)".
|
||||
jpc/jpc_dec.c:1493: leaked_storage: Variable "cp" going out of scope leaks the storage it points to.
|
||||
jpc/jpc_dec.c:1497: leaked_storage: Variable "cp" going out of scope leaks the storage it points to.
|
||||
|
||||
mif/mif_cod.c:523: var_assign: Assigning: "cmpt" = storage returned from "mif_cmpt_create()".
|
||||
mif/mif_cod.c:568: leaked_storage: Variable "cmpt" going out of scope leaks the storage it points to.
|
||||
|
||||
mif/mif_cod.c:568: leaked_storage: Variable "tvp" going out of scope leaks the storage it points to.
|
||||
|
||||
|
||||
diff -up jasper-1.900.1/src/appl/imgcmp.c.RESOURCE_LEAK jasper-1.900.1/src/appl/imgcmp.c
|
||||
--- jasper-1.900.1/src/appl/imgcmp.c.RESOURCE_LEAK 2007-01-19 22:43:08.000000000 +0100
|
||||
+++ jasper-1.900.1/src/appl/imgcmp.c 2011-12-08 14:16:04.727027007 +0100
|
||||
@@ -507,6 +507,7 @@ jas_image_t *makediffimage(jas_matrix_t
|
||||
|
||||
for (i = 0; i < 3; ++i) {
|
||||
if (!(diffdata[i] = jas_matrix_create(height, width))) {
|
||||
+ jas_image_destroy(diffimage);
|
||||
fprintf(stderr, "internal error\n");
|
||||
return 0;
|
||||
}
|
||||
@@ -534,6 +535,7 @@ jas_image_t *makediffimage(jas_matrix_t
|
||||
|
||||
for (i = 0; i < 3; ++i) {
|
||||
if (jas_image_writecmpt(diffimage, i, 0, 0, width, height, diffdata[i])) {
|
||||
+ jas_image_destroy(diffimage);
|
||||
return 0;
|
||||
}
|
||||
}
|
||||
diff -up jasper-1.900.1/src/libjasper/base/jas_cm.c.RESOURCE_LEAK jasper-1.900.1/src/libjasper/base/jas_cm.c
|
||||
--- jasper-1.900.1/src/libjasper/base/jas_cm.c.RESOURCE_LEAK 2011-12-08 14:16:03.387043758 +0100
|
||||
+++ jasper-1.900.1/src/libjasper/base/jas_cm.c 2011-12-08 14:16:04.728026994 +0100
|
||||
@@ -355,6 +355,8 @@ jas_cmprof_t *jas_cmprof_copy(jas_cmprof
|
||||
}
|
||||
return newprof;
|
||||
error:
|
||||
+ if (newprof)
|
||||
+ jas_cmprof_destroy(newprof);
|
||||
return 0;
|
||||
}
|
||||
|
||||
@@ -458,6 +460,8 @@ jas_cmxform_t *jas_cmxform_create(jas_cm
|
||||
}
|
||||
return xform;
|
||||
error:
|
||||
+ if (xform)
|
||||
+ jas_cmxform_destroy(xform);
|
||||
return 0;
|
||||
}
|
||||
|
||||
@@ -614,6 +618,8 @@ static jas_cmpxformseq_t *jas_cmpxformse
|
||||
goto error;
|
||||
return newpxformseq;
|
||||
error:
|
||||
+ if (newpxformseq)
|
||||
+ jas_cmpxformseq_destroy(newpxformseq);
|
||||
return 0;
|
||||
}
|
||||
|
||||
diff -up jasper-1.900.1/src/libjasper/base/jas_image.c.RESOURCE_LEAK jasper-1.900.1/src/libjasper/base/jas_image.c
|
||||
--- jasper-1.900.1/src/libjasper/base/jas_image.c.RESOURCE_LEAK 2011-12-08 14:16:04.635028156 +0100
|
||||
+++ jasper-1.900.1/src/libjasper/base/jas_image.c 2011-12-08 14:16:04.776026394 +0100
|
||||
@@ -268,15 +268,19 @@ static jas_image_cmpt_t *jas_image_cmpt_
|
||||
newcmpt->cps_ = cmpt->cps_;
|
||||
newcmpt->type_ = cmpt->type_;
|
||||
if (!(newcmpt->stream_ = jas_stream_memopen(0, 0))) {
|
||||
+ jas_image_cmpt_destroy(newcmpt);
|
||||
return 0;
|
||||
}
|
||||
if (jas_stream_seek(cmpt->stream_, 0, SEEK_SET)) {
|
||||
+ jas_image_cmpt_destroy(newcmpt);
|
||||
return 0;
|
||||
}
|
||||
if (jas_stream_copy(newcmpt->stream_, cmpt->stream_, -1)) {
|
||||
+ jas_image_cmpt_destroy(newcmpt);
|
||||
return 0;
|
||||
}
|
||||
if (jas_stream_seek(newcmpt->stream_, 0, SEEK_SET)) {
|
||||
+ jas_image_cmpt_destroy(newcmpt);
|
||||
return 0;
|
||||
}
|
||||
return newcmpt;
|
||||
@@ -1443,5 +1447,11 @@ jas_image_dump(outimage, stderr);
|
||||
#endif
|
||||
return outimage;
|
||||
error:
|
||||
+ if (xform)
|
||||
+ jas_cmxform_destroy(xform);
|
||||
+ if (inimage)
|
||||
+ jas_image_destroy(inimage);
|
||||
+ if (outimage)
|
||||
+ jas_image_destroy(outimage);
|
||||
return 0;
|
||||
}
|
||||
diff -up jasper-1.900.1/src/libjasper/bmp/bmp_enc.c.RESOURCE_LEAK jasper-1.900.1/src/libjasper/bmp/bmp_enc.c
|
||||
--- jasper-1.900.1/src/libjasper/bmp/bmp_enc.c.RESOURCE_LEAK 2007-01-19 22:43:07.000000000 +0100
|
||||
+++ jasper-1.900.1/src/libjasper/bmp/bmp_enc.c 2011-12-08 14:16:04.826025768 +0100
|
||||
@@ -205,16 +205,19 @@ int bmp_encode(jas_image_t *image, jas_s
|
||||
|
||||
/* Write the bitmap header. */
|
||||
if (bmp_puthdr(out, &hdr)) {
|
||||
+ bmp_info_destroy(info);
|
||||
return -1;
|
||||
}
|
||||
|
||||
/* Write the bitmap information. */
|
||||
if (bmp_putinfo(out, info)) {
|
||||
+ bmp_info_destroy(info);
|
||||
return -1;
|
||||
}
|
||||
|
||||
/* Write the bitmap data. */
|
||||
if (bmp_putdata(out, info, image, enc->cmpts)) {
|
||||
+ bmp_info_destroy(info);
|
||||
return -1;
|
||||
}
|
||||
|
||||
diff -up jasper-1.900.1/src/libjasper/jpc/jpc_dec.c.RESOURCE_LEAK jasper-1.900.1/src/libjasper/jpc/jpc_dec.c
|
||||
--- jasper-1.900.1/src/libjasper/jpc/jpc_dec.c.RESOURCE_LEAK 2011-12-08 14:16:04.594028668 +0100
|
||||
+++ jasper-1.900.1/src/libjasper/jpc/jpc_dec.c 2011-12-08 14:17:25.677014992 +0100
|
||||
@@ -465,6 +465,7 @@ static int jpc_dec_process_sot(jpc_dec_t
|
||||
|
||||
if (!(dec->image = jas_image_create(dec->numcomps, compinfos,
|
||||
JAS_CLRSPC_UNKNOWN))) {
|
||||
+ jas_free(compinfos);
|
||||
return -1;
|
||||
}
|
||||
jas_free(compinfos);
|
||||
@@ -1490,10 +1491,11 @@ static jpc_dec_cp_t *jpc_dec_cp_create(u
|
||||
cp->mctid = 0;
|
||||
cp->csty = 0;
|
||||
if (!(cp->ccps = jas_alloc2(cp->numcomps, sizeof(jpc_dec_ccp_t)))) {
|
||||
+ jpc_dec_cp_destroy(cp);
|
||||
return 0;
|
||||
}
|
||||
if (!(cp->pchglist = jpc_pchglist_create())) {
|
||||
- jas_free(cp->ccps);
|
||||
+ jpc_dec_cp_destroy(cp);
|
||||
return 0;
|
||||
}
|
||||
for (compno = 0, ccp = cp->ccps; compno < cp->numcomps;
|
||||
diff -up jasper-1.900.1/src/libjasper/jpc/jpc_tagtree.c.RESOURCE_LEAK jasper-1.900.1/src/libjasper/jpc/jpc_tagtree.c
|
||||
--- jasper-1.900.1/src/libjasper/jpc/jpc_tagtree.c.RESOURCE_LEAK 2011-12-08 14:16:04.000000000 +0100
|
||||
+++ jasper-1.900.1/src/libjasper/jpc/jpc_tagtree.c 2011-12-08 14:17:55.905637082 +0100
|
||||
@@ -126,6 +126,7 @@ jpc_tagtree_t *jpc_tagtree_create(int nu
|
||||
} while (n > 1);
|
||||
|
||||
if (!(tree->nodes_ = jas_alloc2(tree->numnodes_, sizeof(jpc_tagtreenode_t)))) {
|
||||
+ jpc_tagtree_destroy(tree);
|
||||
return 0;
|
||||
}
|
||||
|
||||
diff -up jasper-1.900.1/src/libjasper/mif/mif_cod.c.RESOURCE_LEAK jasper-1.900.1/src/libjasper/mif/mif_cod.c
|
||||
--- jasper-1.900.1/src/libjasper/mif/mif_cod.c.RESOURCE_LEAK 2011-12-08 14:16:04.250032970 +0100
|
||||
+++ jasper-1.900.1/src/libjasper/mif/mif_cod.c 2011-12-08 14:16:04.967024005 +0100
|
||||
@@ -564,7 +564,7 @@ static int mif_process_cmpt(mif_hdr_t *h
|
||||
break;
|
||||
case MIF_DATA:
|
||||
if (!(cmpt->data = jas_strdup(jas_tvparser_getval(tvp)))) {
|
||||
- return -1;
|
||||
+ goto error;
|
||||
}
|
||||
break;
|
||||
}
|
@ -6,7 +6,7 @@
|
||||
Summary: Implementation of the JPEG-2000 standard, Part 1
|
||||
Name: jasper
|
||||
Group: System Environment/Libraries
|
||||
Version: 1.900.13
|
||||
Version: 1.900.28
|
||||
Release: 1%{?dist}
|
||||
|
||||
%if "%{version}" > "1.900.1"
|
||||
@ -128,7 +128,7 @@ make check
|
||||
|
||||
%files libs
|
||||
%doc COPYRIGHT LICENSE NEWS README
|
||||
%{_libdir}/libjasper.so.1*
|
||||
%{_libdir}/libjasper.so.4*
|
||||
|
||||
%files utils
|
||||
%{_bindir}/jiv
|
||||
@ -137,6 +137,11 @@ make check
|
||||
|
||||
|
||||
%changelog
|
||||
* Mon Nov 14 2016 Josef Ridky <jridky@redhat.com> - 1.900.28-1
|
||||
- New upstream release 1.900.28 (#1389636)
|
||||
- CVE-2016-9262 jasper: Multiple overflow vulnerabilities leading to use after free (#1393883)
|
||||
- Upgrade libjasper.so.1* to libjasper.so.4*
|
||||
|
||||
* Mon Oct 24 2016 Josef Ridky <jridky@redhat.com> - 1.900.13-1
|
||||
- New upstream release 1.900.13 (#1385637)
|
||||
- Release contains security fix for CVE-2016-8690, CVE-2016-8691, CVE-2016-8692, CVE-2016-8693 (#1385516)
|
||||
|
@ -1,14 +0,0 @@
|
||||
--- jasper-1.900.1.orig/src/libjasper/jpc/jpc_cs.c 2007-01-19 22:43:07.000000000 +0100
|
||||
+++ jasper-1.900.1/src/libjasper/jpc/jpc_cs.c 2007-04-06 01:29:02.000000000 +0200
|
||||
@@ -982,7 +982,10 @@ static int jpc_qcx_getcompparms(jpc_qcxc
|
||||
compparms->numstepsizes = (len - n) / 2;
|
||||
break;
|
||||
}
|
||||
- if (compparms->numstepsizes > 0) {
|
||||
+ if (compparms->numstepsizes > 3 * JPC_MAXRLVLS + 1) {
|
||||
+ jpc_qcx_destroycompparms(compparms);
|
||||
+ return -1;
|
||||
+ } else if (compparms->numstepsizes > 0) {
|
||||
compparms->stepsizes = jas_malloc(compparms->numstepsizes *
|
||||
sizeof(uint_fast16_t));
|
||||
assert(compparms->stepsizes);
|
Loading…
Reference in New Issue
Block a user