diff --git a/.gitignore b/.gitignore index e29384b..440f060 100644 --- a/.gitignore +++ b/.gitignore @@ -5,3 +5,4 @@ jasper-1.900.0.zip jasper-1.900.1.zip /jasper-1.900.2.tar.gz /jasper-1.900.3.tar.gz +/jasper-1.900.13.tar.gz diff --git a/jasper-1.900.1-CVE-2008-3520.patch b/jasper-1.900.1-CVE-2008-3520.patch index b7c1f23..bd6f56c 100644 --- a/jasper-1.900.1-CVE-2008-3520.patch +++ b/jasper-1.900.1-CVE-2008-3520.patch @@ -1,344 +1,8 @@ -diff --git a/src/libjasper/base/jas_cm.c b/src/libjasper/base/jas_cm.c -index 77514dd..e63a6d2 100644 ---- a/src/libjasper/base/jas_cm.c -+++ b/src/libjasper/base/jas_cm.c -@@ -704,8 +704,7 @@ static int jas_cmpxformseq_resize(jas_cmpxformseq_t *pxformseq, int n) - { - jas_cmpxform_t **p; - assert(n >= pxformseq->numpxforms); -- p = (!pxformseq->pxforms) ? jas_malloc(n * sizeof(jas_cmpxform_t *)) : -- jas_realloc(pxformseq->pxforms, n * sizeof(jas_cmpxform_t *)); -+ p = jas_realloc2(pxformseq->pxforms, n, sizeof(jas_cmpxform_t *)); - if (!p) { - return -1; - } -@@ -889,13 +888,13 @@ static int jas_cmshapmatlut_set(jas_cmshapmatlut_t *lut, jas_icccurv_t *curv) - jas_cmshapmatlut_cleanup(lut); - if (curv->numents == 0) { - lut->size = 2; -- if (!(lut->data = jas_malloc(lut->size * sizeof(jas_cmreal_t)))) -+ if (!(lut->data = jas_alloc2(lut->size, sizeof(jas_cmreal_t)))) - goto error; - lut->data[0] = 0.0; - lut->data[1] = 1.0; - } else if (curv->numents == 1) { - lut->size = 256; -- if (!(lut->data = jas_malloc(lut->size * sizeof(jas_cmreal_t)))) -+ if (!(lut->data = jas_alloc2(lut->size, sizeof(jas_cmreal_t)))) - goto error; - gamma = curv->ents[0] / 256.0; - for (i = 0; i < lut->size; ++i) { -@@ -903,7 +902,7 @@ static int jas_cmshapmatlut_set(jas_cmshapmatlut_t *lut, jas_icccurv_t *curv) - } - } else { - lut->size = curv->numents; -- if (!(lut->data = jas_malloc(lut->size * sizeof(jas_cmreal_t)))) -+ if (!(lut->data = jas_alloc2(lut->size, sizeof(jas_cmreal_t)))) - goto error; - for (i = 0; i < lut->size; ++i) { - lut->data[i] = curv->ents[i] / 65535.0; -@@ -953,7 +952,7 @@ static int jas_cmshapmatlut_invert(jas_cmshapmatlut_t *invlut, - return -1; - } - } -- if (!(invlut->data = jas_malloc(n * sizeof(jas_cmreal_t)))) -+ if (!(invlut->data = jas_alloc2(n, sizeof(jas_cmreal_t)))) - return -1; - invlut->size = n; - for (i = 0; i < invlut->size; ++i) { -diff --git a/src/libjasper/base/jas_icc.c b/src/libjasper/base/jas_icc.c -index 9dc4fa7..bda551d 100644 ---- a/src/libjasper/base/jas_icc.c -+++ b/src/libjasper/base/jas_icc.c -@@ -373,7 +373,7 @@ int jas_iccprof_save(jas_iccprof_t *prof, jas_stream_t *out) - jas_icctagtab_t *tagtab; - - tagtab = &prof->tagtab; -- if (!(tagtab->ents = jas_malloc(prof->attrtab->numattrs * -+ if (!(tagtab->ents = jas_alloc2(prof->attrtab->numattrs, - sizeof(jas_icctagtabent_t)))) - goto error; - tagtab->numents = prof->attrtab->numattrs; -@@ -522,7 +522,7 @@ static int jas_iccprof_gettagtab(jas_stream_t *in, jas_icctagtab_t *tagtab) - } - if (jas_iccgetuint32(in, &tagtab->numents)) - goto error; -- if (!(tagtab->ents = jas_malloc(tagtab->numents * -+ if (!(tagtab->ents = jas_alloc2(tagtab->numents, - sizeof(jas_icctagtabent_t)))) - goto error; - tagtabent = tagtab->ents; -@@ -743,8 +743,7 @@ static int jas_iccattrtab_resize(jas_iccattrtab_t *tab, int maxents) - { - jas_iccattr_t *newattrs; - assert(maxents >= tab->numattrs); -- newattrs = tab->attrs ? jas_realloc(tab->attrs, maxents * -- sizeof(jas_iccattr_t)) : jas_malloc(maxents * sizeof(jas_iccattr_t)); -+ newattrs = jas_realloc2(tab->attrs, maxents, sizeof(jas_iccattr_t)); - if (!newattrs) - return -1; - tab->attrs = newattrs; -@@ -999,7 +998,7 @@ static int jas_icccurv_input(jas_iccattrval_t *attrval, jas_stream_t *in, - - if (jas_iccgetuint32(in, &curv->numents)) - goto error; -- if (!(curv->ents = jas_malloc(curv->numents * sizeof(jas_iccuint16_t)))) -+ if (!(curv->ents = jas_alloc2(curv->numents, sizeof(jas_iccuint16_t)))) - goto error; - for (i = 0; i < curv->numents; ++i) { - if (jas_iccgetuint16(in, &curv->ents[i])) -@@ -1100,7 +1099,7 @@ static int jas_icctxtdesc_input(jas_iccattrval_t *attrval, jas_stream_t *in, - if (jas_iccgetuint32(in, &txtdesc->uclangcode) || - jas_iccgetuint32(in, &txtdesc->uclen)) - goto error; -- if (!(txtdesc->ucdata = jas_malloc(txtdesc->uclen * 2))) -+ if (!(txtdesc->ucdata = jas_alloc2(txtdesc->uclen, 2))) - goto error; - if (jas_stream_read(in, txtdesc->ucdata, txtdesc->uclen * 2) != - JAS_CAST(int, txtdesc->uclen * 2)) -@@ -1292,17 +1291,17 @@ static int jas_icclut8_input(jas_iccattrval_t *attrval, jas_stream_t *in, - jas_iccgetuint16(in, &lut8->numouttabents)) - goto error; - clutsize = jas_iccpowi(lut8->clutlen, lut8->numinchans) * lut8->numoutchans; -- if (!(lut8->clut = jas_malloc(clutsize * sizeof(jas_iccuint8_t))) || -- !(lut8->intabsbuf = jas_malloc(lut8->numinchans * -- lut8->numintabents * sizeof(jas_iccuint8_t))) || -- !(lut8->intabs = jas_malloc(lut8->numinchans * -+ if (!(lut8->clut = jas_alloc2(clutsize, sizeof(jas_iccuint8_t))) || -+ !(lut8->intabsbuf = jas_alloc3(lut8->numinchans, -+ lut8->numintabents, sizeof(jas_iccuint8_t))) || -+ !(lut8->intabs = jas_alloc2(lut8->numinchans, - sizeof(jas_iccuint8_t *)))) - goto error; - for (i = 0; i < lut8->numinchans; ++i) - lut8->intabs[i] = &lut8->intabsbuf[i * lut8->numintabents]; -- if (!(lut8->outtabsbuf = jas_malloc(lut8->numoutchans * -- lut8->numouttabents * sizeof(jas_iccuint8_t))) || -- !(lut8->outtabs = jas_malloc(lut8->numoutchans * -+ if (!(lut8->outtabsbuf = jas_alloc3(lut8->numoutchans, -+ lut8->numouttabents, sizeof(jas_iccuint8_t))) || -+ !(lut8->outtabs = jas_alloc2(lut8->numoutchans, - sizeof(jas_iccuint8_t *)))) - goto error; - for (i = 0; i < lut8->numoutchans; ++i) -@@ -1461,17 +1460,17 @@ static int jas_icclut16_input(jas_iccattrval_t *attrval, jas_stream_t *in, - jas_iccgetuint16(in, &lut16->numouttabents)) - goto error; - clutsize = jas_iccpowi(lut16->clutlen, lut16->numinchans) * lut16->numoutchans; -- if (!(lut16->clut = jas_malloc(clutsize * sizeof(jas_iccuint16_t))) || -- !(lut16->intabsbuf = jas_malloc(lut16->numinchans * -- lut16->numintabents * sizeof(jas_iccuint16_t))) || -- !(lut16->intabs = jas_malloc(lut16->numinchans * -+ if (!(lut16->clut = jas_alloc2(clutsize, sizeof(jas_iccuint16_t))) || -+ !(lut16->intabsbuf = jas_alloc3(lut16->numinchans, -+ lut16->numintabents, sizeof(jas_iccuint16_t))) || -+ !(lut16->intabs = jas_alloc2(lut16->numinchans, - sizeof(jas_iccuint16_t *)))) - goto error; - for (i = 0; i < lut16->numinchans; ++i) - lut16->intabs[i] = &lut16->intabsbuf[i * lut16->numintabents]; -- if (!(lut16->outtabsbuf = jas_malloc(lut16->numoutchans * -- lut16->numouttabents * sizeof(jas_iccuint16_t))) || -- !(lut16->outtabs = jas_malloc(lut16->numoutchans * -+ if (!(lut16->outtabsbuf = jas_alloc3(lut16->numoutchans, -+ lut16->numouttabents, sizeof(jas_iccuint16_t))) || -+ !(lut16->outtabs = jas_alloc2(lut16->numoutchans, - sizeof(jas_iccuint16_t *)))) - goto error; - for (i = 0; i < lut16->numoutchans; ++i) -diff --git a/src/libjasper/base/jas_image.c b/src/libjasper/base/jas_image.c -index 876debb..c09974b 100644 ---- a/src/libjasper/base/jas_image.c -+++ b/src/libjasper/base/jas_image.c -@@ -142,7 +142,7 @@ jas_image_t *jas_image_create(int numcmpts, jas_image_cmptparm_t *cmptparms, - image->inmem_ = true; - - /* Allocate memory for the per-component information. */ -- if (!(image->cmpts_ = jas_malloc(image->maxcmpts_ * -+ if (!(image->cmpts_ = jas_alloc2(image->maxcmpts_, - sizeof(jas_image_cmpt_t *)))) { - jas_image_destroy(image); - return 0; -@@ -774,8 +774,7 @@ static int jas_image_growcmpts(jas_image_t *image, int maxcmpts) - jas_image_cmpt_t **newcmpts; - int cmptno; - -- newcmpts = (!image->cmpts_) ? jas_malloc(maxcmpts * sizeof(jas_image_cmpt_t *)) : -- jas_realloc(image->cmpts_, maxcmpts * sizeof(jas_image_cmpt_t *)); -+ newcmpts = jas_realloc2(image->cmpts_, maxcmpts, sizeof(jas_image_cmpt_t *)); - if (!newcmpts) { - return -1; - } -diff --git a/src/libjasper/base/jas_malloc.c b/src/libjasper/base/jas_malloc.c -index 13f7bc8..90658e8 100644 ---- a/src/libjasper/base/jas_malloc.c -+++ b/src/libjasper/base/jas_malloc.c -@@ -76,6 +76,9 @@ - - /* We need the prototype for memset. */ - #include -+#include -+#include -+#include - - #include "jasper/jas_malloc.h" - -@@ -113,18 +116,50 @@ void jas_free(void *ptr) - - void *jas_realloc(void *ptr, size_t size) - { -- return realloc(ptr, size); -+ return ptr ? realloc(ptr, size) : malloc(size); - } - --void *jas_calloc(size_t nmemb, size_t size) -+void *jas_realloc2(void *ptr, size_t nmemb, size_t size) -+{ -+ if (!ptr) -+ return jas_alloc2(nmemb, size); -+ if (nmemb && SIZE_MAX / nmemb < size) { -+ errno = ENOMEM; -+ return NULL; -+ } -+ return jas_realloc(ptr, nmemb * size); -+ -+} -+ -+void *jas_alloc2(size_t nmemb, size_t size) -+{ -+ if (nmemb && SIZE_MAX / nmemb < size) { -+ errno = ENOMEM; -+ return NULL; -+ } -+ -+ return jas_malloc(nmemb * size); -+} -+ -+void *jas_alloc3(size_t a, size_t b, size_t c) - { -- void *ptr; - size_t n; -- n = nmemb * size; -- if (!(ptr = jas_malloc(n * sizeof(char)))) { -- return 0; -+ -+ if (a && SIZE_MAX / a < b) { -+ errno = ENOMEM; -+ return NULL; - } -- memset(ptr, 0, n); -+ -+ return jas_alloc2(a*b, c); -+} -+ -+void *jas_calloc(size_t nmemb, size_t size) -+{ -+ void *ptr; -+ -+ ptr = jas_alloc2(nmemb, size); -+ if (ptr) -+ memset(ptr, 0, nmemb*size); - return ptr; - } - -diff --git a/src/libjasper/base/jas_seq.c b/src/libjasper/base/jas_seq.c -index 16e1778..672b60f 100644 ---- a/src/libjasper/base/jas_seq.c -+++ b/src/libjasper/base/jas_seq.c -@@ -114,7 +114,7 @@ jas_matrix_t *jas_matrix_create(int numrows, int numcols) - matrix->datasize_ = numrows * numcols; - - if (matrix->maxrows_ > 0) { -- if (!(matrix->rows_ = jas_malloc(matrix->maxrows_ * -+ if (!(matrix->rows_ = jas_alloc2(matrix->maxrows_, - sizeof(jas_seqent_t *)))) { - jas_matrix_destroy(matrix); - return 0; -@@ -122,7 +122,7 @@ jas_matrix_t *jas_matrix_create(int numrows, int numcols) - } - - if (matrix->datasize_ > 0) { -- if (!(matrix->data_ = jas_malloc(matrix->datasize_ * -+ if (!(matrix->data_ = jas_alloc2(matrix->datasize_, - sizeof(jas_seqent_t)))) { - jas_matrix_destroy(matrix); - return 0; -@@ -220,7 +220,7 @@ void jas_matrix_bindsub(jas_matrix_t *mat0, jas_matrix_t *mat1, int r0, int c0, - mat0->numrows_ = r1 - r0 + 1; - mat0->numcols_ = c1 - c0 + 1; - mat0->maxrows_ = mat0->numrows_; -- mat0->rows_ = jas_malloc(mat0->maxrows_ * sizeof(jas_seqent_t *)); -+ mat0->rows_ = jas_alloc2(mat0->maxrows_, sizeof(jas_seqent_t *)); - for (i = 0; i < mat0->numrows_; ++i) { - mat0->rows_[i] = mat1->rows_[r0 + i] + c0; - } -diff --git a/src/libjasper/base/jas_stream.c b/src/libjasper/base/jas_stream.c -index fa9cb30..5862478 100644 ---- a/src/libjasper/base/jas_stream.c -+++ b/src/libjasper/base/jas_stream.c -@@ -212,7 +212,7 @@ jas_stream_t *jas_stream_memopen(char *buf, int bufsize) - if (buf) { - obj->buf_ = (unsigned char *) buf; - } else { -- obj->buf_ = jas_malloc(obj->bufsize_ * sizeof(char)); -+ obj->buf_ = jas_malloc(obj->bufsize_); - obj->myalloc_ = 1; - } - if (!obj->buf_) { -@@ -992,7 +992,7 @@ static int mem_resize(jas_stream_memobj_t *m, int bufsize) - unsigned char *buf; - - assert(m->buf_); -- if (!(buf = jas_realloc(m->buf_, bufsize * sizeof(unsigned char)))) { -+ if (!(buf = jas_realloc(m->buf_, bufsize))) { - return -1; - } - m->buf_ = buf; -diff --git a/src/libjasper/bmp/bmp_dec.c b/src/libjasper/bmp/bmp_dec.c -index 4cb0df3..7a6dcb1 100644 ---- a/src/libjasper/bmp/bmp_dec.c -+++ b/src/libjasper/bmp/bmp_dec.c -@@ -283,7 +283,7 @@ static bmp_info_t *bmp_getinfo(jas_stream_t *in) - } - - if (info->numcolors > 0) { -- if (!(info->palents = jas_malloc(info->numcolors * -+ if (!(info->palents = jas_alloc2(info->numcolors, - sizeof(bmp_palent_t)))) { - bmp_info_destroy(info); - return 0; -diff --git a/src/libjasper/include/jasper/jas_malloc.h b/src/libjasper/include/jasper/jas_malloc.h -index f2a8f8b..258e4c7 100644 ---- a/src/libjasper/include/jasper/jas_malloc.h -+++ b/src/libjasper/include/jasper/jas_malloc.h -@@ -95,6 +95,9 @@ extern "C" { - #define jas_free MEMFREE - #define jas_realloc MEMREALLOC - #define jas_calloc MEMCALLOC -+#define jas_alloc2(a, b) MEMALLOC((a)*(b)) -+#define jas_alloc3(a, b, c) MEMALLOC((a)*(b)*(c)) -+#define jas_realloc2(p, a, b) MEMREALLOC((p), (a)*(b)) - #endif - - /******************************************************************************\ -@@ -115,6 +118,12 @@ void *jas_realloc(void *ptr, size_t size); - /* Allocate a block of memory and initialize the contents to zero. */ - void *jas_calloc(size_t nmemb, size_t size); - -+/* size-checked double allocation .*/ -+void *jas_alloc2(size_t, size_t); -+ -+void *jas_alloc3(size_t, size_t, size_t); -+ -+void *jas_realloc2(void *, size_t, size_t); - #endif - - #ifdef __cplusplus diff --git a/src/libjasper/jp2/jp2_cod.c b/src/libjasper/jp2/jp2_cod.c -index 83cecb1..a95ff02 100644 +index 7f3608a..c4ba73c 100644 --- a/src/libjasper/jp2/jp2_cod.c +++ b/src/libjasper/jp2/jp2_cod.c -@@ -247,7 +247,7 @@ jp2_box_t *jp2_box_get(jas_stream_t *in) +@@ -248,7 +248,7 @@ jp2_box_t *jp2_box_get(jas_stream_t *in) box = 0; tmpstream = 0; @@ -346,603 +10,4 @@ index 83cecb1..a95ff02 100644 + if (!(box = jas_calloc(1, sizeof(jp2_box_t)))) { goto error; } - box->ops = &jp2_boxinfo_unk.ops; -@@ -372,7 +372,7 @@ static int jp2_bpcc_getdata(jp2_box_t *box, jas_stream_t *in) - jp2_bpcc_t *bpcc = &box->data.bpcc; - unsigned int i; - bpcc->numcmpts = box->datalen; -- if (!(bpcc->bpcs = jas_malloc(bpcc->numcmpts * sizeof(uint_fast8_t)))) { -+ if (!(bpcc->bpcs = jas_alloc2(bpcc->numcmpts, sizeof(uint_fast8_t)))) { - return -1; - } - for (i = 0; i < bpcc->numcmpts; ++i) { -@@ -416,7 +416,7 @@ static int jp2_colr_getdata(jp2_box_t *box, jas_stream_t *in) - break; - case JP2_COLR_ICC: - colr->iccplen = box->datalen - 3; -- if (!(colr->iccp = jas_malloc(colr->iccplen * sizeof(uint_fast8_t)))) { -+ if (!(colr->iccp = jas_alloc2(colr->iccplen, sizeof(uint_fast8_t)))) { - return -1; - } - if (jas_stream_read(in, colr->iccp, colr->iccplen) != colr->iccplen) { -@@ -453,7 +453,7 @@ static int jp2_cdef_getdata(jp2_box_t *box, jas_stream_t *in) - if (jp2_getuint16(in, &cdef->numchans)) { - return -1; - } -- if (!(cdef->ents = jas_malloc(cdef->numchans * sizeof(jp2_cdefchan_t)))) { -+ if (!(cdef->ents = jas_alloc2(cdef->numchans, sizeof(jp2_cdefchan_t)))) { - return -1; - } - for (channo = 0; channo < cdef->numchans; ++channo) { -@@ -766,7 +766,7 @@ static int jp2_cmap_getdata(jp2_box_t *box, jas_stream_t *in) - unsigned int i; - cmap->numchans = (box->datalen) / 4; -- if (!(cmap->ents = jas_malloc(cmap->numchans * sizeof(jp2_cmapent_t)))) { -+ if (!(cmap->ents = jas_alloc2(cmap->numchans, sizeof(jp2_cmapent_t)))) { - return -1; - } - for (i = 0; i < cmap->numchans; ++i) { -@@ -828,10 +828,10 @@ static int jp2_pclr_getdata(jp2_box_t *box, jas_stream_t *in) - return -1; - } - lutsize = pclr->numlutents * pclr->numchans; -- if (!(pclr->lutdata = jas_malloc(lutsize * sizeof(int_fast32_t)))) { -+ if (!(pclr->lutdata = jas_alloc2(lutsize, sizeof(int_fast32_t)))) { - return -1; - } -- if (!(pclr->bpc = jas_malloc(pclr->numchans * sizeof(uint_fast8_t)))) { -+ if (!(pclr->bpc = jas_alloc2(pclr->numchans, sizeof(uint_fast8_t)))) { - return -1; - } - for (i = 0; i < pclr->numchans; ++i) { -diff --git a/src/libjasper/jp2/jp2_dec.c b/src/libjasper/jp2/jp2_dec.c -index 436f09e..2f8deb1 100644 ---- a/src/libjasper/jp2/jp2_dec.c -+++ b/src/libjasper/jp2/jp2_dec.c -@@ -336,7 +336,7 @@ jas_image_t *jp2_decode(jas_stream_t *in, char *optstr) - } - - /* Allocate space for the channel-number to component-number LUT. */ -- if (!(dec->chantocmptlut = jas_malloc(dec->numchans * sizeof(uint_fast16_t)))) { -+ if (!(dec->chantocmptlut = jas_alloc2(dec->numchans, sizeof(uint_fast16_t)))) { - jas_eprintf("error: no memory\n"); - goto error; - } -@@ -354,7 +354,7 @@ jas_image_t *jp2_decode(jas_stream_t *in, char *optstr) - if (cmapent->map == JP2_CMAP_DIRECT) { - dec->chantocmptlut[channo] = channo; - } else if (cmapent->map == JP2_CMAP_PALETTE) { -- lutents = jas_malloc(pclrd->numlutents * sizeof(int_fast32_t)); -+ lutents = jas_alloc2(pclrd->numlutents, sizeof(int_fast32_t)); - for (i = 0; i < pclrd->numlutents; ++i) { - lutents[i] = pclrd->lutdata[cmapent->pcol + i * pclrd->numchans]; - } -diff --git a/src/libjasper/jp2/jp2_enc.c b/src/libjasper/jp2/jp2_enc.c -index 9e1e1fc..8eb1b96 100644 ---- a/src/libjasper/jp2/jp2_enc.c -+++ b/src/libjasper/jp2/jp2_enc.c -@@ -191,7 +191,7 @@ int sgnd; - } - bpcc = &box->data.bpcc; - bpcc->numcmpts = jas_image_numcmpts(image); -- if (!(bpcc->bpcs = jas_malloc(bpcc->numcmpts * -+ if (!(bpcc->bpcs = jas_alloc2(bpcc->numcmpts, - sizeof(uint_fast8_t)))) { - goto error; - } -@@ -285,7 +285,7 @@ int sgnd; - } - cdef = &box->data.cdef; - cdef->numchans = jas_image_numcmpts(image); -- cdef->ents = jas_malloc(cdef->numchans * sizeof(jp2_cdefchan_t)); -+ cdef->ents = jas_alloc2(cdef->numchans, sizeof(jp2_cdefchan_t)); - for (i = 0; i < jas_image_numcmpts(image); ++i) { - cdefchanent = &cdef->ents[i]; - cdefchanent->channo = i; -diff --git a/src/libjasper/jpc/jpc_cs.c b/src/libjasper/jpc/jpc_cs.c -index 9c84c7e..6779e23 100644 ---- a/src/libjasper/jpc/jpc_cs.c -+++ b/src/libjasper/jpc/jpc_cs.c -@@ -502,7 +502,7 @@ static int jpc_siz_getparms(jpc_ms_t *ms, jpc_cstate_t *cstate, - !siz->tileheight || !siz->numcomps) { - return -1; - } -- if (!(siz->comps = jas_malloc(siz->numcomps * sizeof(jpc_sizcomp_t)))) { -+ if (!(siz->comps = jas_alloc2(siz->numcomps, sizeof(jpc_sizcomp_t)))) { - return -1; - } - for (i = 0; i < siz->numcomps; ++i) { -@@ -996,7 +996,7 @@ static int jpc_qcx_getcompparms(jpc_qcxcp_t *compparms, jpc_cstate_t *cstate, - jpc_qcx_destroycompparms(compparms); - return -1; - } else if (compparms->numstepsizes > 0) { -- compparms->stepsizes = jas_malloc(compparms->numstepsizes * -+ compparms->stepsizes = jas_alloc2(compparms->numstepsizes, - sizeof(uint_fast16_t)); - assert(compparms->stepsizes); - for (i = 0; i < compparms->numstepsizes; ++i) { -@@ -1112,7 +1112,7 @@ static int jpc_ppm_getparms(jpc_ms_t *ms, jpc_cstate_t *cstate, jas_stream_t *in - - ppm->len = ms->len - 1; - if (ppm->len > 0) { -- if (!(ppm->data = jas_malloc(ppm->len * sizeof(unsigned char)))) { -+ if (!(ppm->data = jas_malloc(ppm->len))) { - goto error; - } - if (JAS_CAST(uint, jas_stream_read(in, ppm->data, ppm->len)) != ppm->len) { -@@ -1181,7 +1181,7 @@ static int jpc_ppt_getparms(jpc_ms_t *ms, jpc_cstate_t *cstate, jas_stream_t *in - } - ppt->len = ms->len - 1; - if (ppt->len > 0) { -- if (!(ppt->data = jas_malloc(ppt->len * sizeof(unsigned char)))) { -+ if (!(ppt->data = jas_malloc(ppt->len))) { - goto error; - } - if (jas_stream_read(in, (char *) ppt->data, ppt->len) != JAS_CAST(int, ppt->len)) { -@@ -1244,7 +1244,7 @@ static int jpc_poc_getparms(jpc_ms_t *ms, jpc_cstate_t *cstate, jas_stream_t *in - uint_fast8_t tmp; - poc->numpchgs = (cstate->numcomps > 256) ? (ms->len / 9) : - (ms->len / 7); -- if (!(poc->pchgs = jas_malloc(poc->numpchgs * sizeof(jpc_pocpchg_t)))) { -+ if (!(poc->pchgs = jas_alloc2(poc->numpchgs, sizeof(jpc_pocpchg_t)))) { - goto error; - } - for (pchgno = 0, pchg = poc->pchgs; pchgno < poc->numpchgs; ++pchgno, -@@ -1349,7 +1349,7 @@ static int jpc_crg_getparms(jpc_ms_t *ms, jpc_cstate_t *cstate, jas_stream_t *in - jpc_crgcomp_t *comp; - uint_fast16_t compno; - crg->numcomps = cstate->numcomps; -- if (!(crg->comps = jas_malloc(cstate->numcomps * sizeof(uint_fast16_t)))) { -+ if (!(crg->comps = jas_alloc2(cstate->numcomps, sizeof(uint_fast16_t)))) { - return -1; - } - for (compno = 0, comp = crg->comps; compno < cstate->numcomps; -@@ -1488,7 +1488,7 @@ static int jpc_unk_getparms(jpc_ms_t *ms, jpc_cstate_t *cstate, jas_stream_t *in - cstate = 0; - - if (ms->len > 0) { -- if (!(unk->data = jas_malloc(ms->len * sizeof(unsigned char)))) { -+ if (!(unk->data = jas_malloc(ms->len))) { - return -1; - } - if (jas_stream_read(in, (char *) unk->data, ms->len) != JAS_CAST(int, ms->len)) { -diff --git a/src/libjasper/jpc/jpc_dec.c b/src/libjasper/jpc/jpc_dec.c -index 69354b9..4588e0b 100644 ---- a/src/libjasper/jpc/jpc_dec.c -+++ b/src/libjasper/jpc/jpc_dec.c -@@ -449,7 +449,7 @@ static int jpc_dec_process_sot(jpc_dec_t *dec, jpc_ms_t *ms) - - if (dec->state == JPC_MH) { - -- compinfos = jas_malloc(dec->numcomps * sizeof(jas_image_cmptparm_t)); -+ compinfos = jas_alloc2(dec->numcomps, sizeof(jas_image_cmptparm_t)); - assert(compinfos); - for (cmptno = 0, cmpt = dec->cmpts, compinfo = compinfos; - cmptno < dec->numcomps; ++cmptno, ++cmpt, ++compinfo) { -@@ -692,7 +692,7 @@ static int jpc_dec_tileinit(jpc_dec_t *dec, jpc_dec_tile_t *tile) - tile->realmode = 1; - } - tcomp->numrlvls = ccp->numrlvls; -- if (!(tcomp->rlvls = jas_malloc(tcomp->numrlvls * -+ if (!(tcomp->rlvls = jas_alloc2(tcomp->numrlvls, - sizeof(jpc_dec_rlvl_t)))) { - return -1; - } -@@ -764,7 +764,7 @@ rlvl->bands = 0; - rlvl->cbgheightexpn); - - rlvl->numbands = (!rlvlno) ? 1 : 3; -- if (!(rlvl->bands = jas_malloc(rlvl->numbands * -+ if (!(rlvl->bands = jas_alloc2(rlvl->numbands, - sizeof(jpc_dec_band_t)))) { - return -1; - } -@@ -797,7 +797,7 @@ rlvl->bands = 0; - - assert(rlvl->numprcs); - -- if (!(band->prcs = jas_malloc(rlvl->numprcs * sizeof(jpc_dec_prc_t)))) { -+ if (!(band->prcs = jas_alloc2(rlvl->numprcs, sizeof(jpc_dec_prc_t)))) { - return -1; - } - -@@ -834,7 +834,7 @@ rlvl->bands = 0; - if (!(prc->numimsbstagtree = jpc_tagtree_create(prc->numhcblks, prc->numvcblks))) { - return -1; - } -- if (!(prc->cblks = jas_malloc(prc->numcblks * sizeof(jpc_dec_cblk_t)))) { -+ if (!(prc->cblks = jas_alloc2(prc->numcblks, sizeof(jpc_dec_cblk_t)))) { - return -1; - } - -@@ -1181,7 +1181,7 @@ static int jpc_dec_process_siz(jpc_dec_t *dec, jpc_ms_t *ms) - return -1; - } - -- if (!(dec->cmpts = jas_malloc(dec->numcomps * sizeof(jpc_dec_cmpt_t)))) { -+ if (!(dec->cmpts = jas_alloc2(dec->numcomps, sizeof(jpc_dec_cmpt_t)))) { - return -1; - } - -@@ -1204,7 +1204,7 @@ static int jpc_dec_process_siz(jpc_dec_t *dec, jpc_ms_t *ms) - dec->numhtiles = JPC_CEILDIV(dec->xend - dec->tilexoff, dec->tilewidth); - dec->numvtiles = JPC_CEILDIV(dec->yend - dec->tileyoff, dec->tileheight); - dec->numtiles = dec->numhtiles * dec->numvtiles; -- if (!(dec->tiles = jas_malloc(dec->numtiles * sizeof(jpc_dec_tile_t)))) { -+ if (!(dec->tiles = jas_calloc(dec->numtiles, sizeof(jpc_dec_tile_t)))) { - return -1; - } - -@@ -1228,7 +1228,7 @@ static int jpc_dec_process_siz(jpc_dec_t *dec, jpc_ms_t *ms) - tile->pkthdrstreampos = 0; - tile->pptstab = 0; - tile->cp = 0; -- if (!(tile->tcomps = jas_malloc(dec->numcomps * -+ if (!(tile->tcomps = jas_calloc(dec->numcomps, - sizeof(jpc_dec_tcomp_t)))) { - return -1; - } -@@ -1489,7 +1489,7 @@ static jpc_dec_cp_t *jpc_dec_cp_create(uint_fast16_t numcomps) - cp->numlyrs = 0; - cp->mctid = 0; - cp->csty = 0; -- if (!(cp->ccps = jas_malloc(cp->numcomps * sizeof(jpc_dec_ccp_t)))) { -+ if (!(cp->ccps = jas_alloc2(cp->numcomps, sizeof(jpc_dec_ccp_t)))) { - return 0; - } - if (!(cp->pchglist = jpc_pchglist_create())) { -@@ -2048,7 +2048,7 @@ jpc_streamlist_t *jpc_streamlist_create() - } - streamlist->numstreams = 0; - streamlist->maxstreams = 100; -- if (!(streamlist->streams = jas_malloc(streamlist->maxstreams * -+ if (!(streamlist->streams = jas_alloc2(streamlist->maxstreams, - sizeof(jas_stream_t *)))) { - jas_free(streamlist); - return 0; -@@ -2068,8 +2068,8 @@ int jpc_streamlist_insert(jpc_streamlist_t *streamlist, int streamno, - /* Grow the array of streams if necessary. */ - if (streamlist->numstreams >= streamlist->maxstreams) { - newmaxstreams = streamlist->maxstreams + 1024; -- if (!(newstreams = jas_realloc(streamlist->streams, -- (newmaxstreams + 1024) * sizeof(jas_stream_t *)))) { -+ if (!(newstreams = jas_realloc2(streamlist->streams, -+ (newmaxstreams + 1024), sizeof(jas_stream_t *)))) { - return -1; - } - for (i = streamlist->numstreams; i < streamlist->maxstreams; ++i) { -@@ -2155,8 +2155,7 @@ int jpc_ppxstab_grow(jpc_ppxstab_t *tab, int maxents) - { - jpc_ppxstabent_t **newents; - if (tab->maxents < maxents) { -- newents = (tab->ents) ? jas_realloc(tab->ents, maxents * -- sizeof(jpc_ppxstabent_t *)) : jas_malloc(maxents * sizeof(jpc_ppxstabent_t *)); -+ newents = jas_realloc2(tab->ents, maxents, sizeof(jpc_ppxstabent_t *)); - if (!newents) { - return -1; - } -diff --git a/src/libjasper/jpc/jpc_enc.c b/src/libjasper/jpc/jpc_enc.c -index 7ec034c..ca7cbb7 100644 ---- a/src/libjasper/jpc/jpc_enc.c -+++ b/src/libjasper/jpc/jpc_enc.c -@@ -403,7 +403,7 @@ static jpc_enc_cp_t *cp_create(char *optstr, jas_image_t *image) - vsteplcm *= jas_image_cmptvstep(image, cmptno); - } - -- if (!(cp->ccps = jas_malloc(cp->numcmpts * sizeof(jpc_enc_ccp_t)))) { -+ if (!(cp->ccps = jas_alloc2(cp->numcmpts, sizeof(jpc_enc_ccp_t)))) { - goto error; - } - for (cmptno = 0, ccp = cp->ccps; cmptno < JAS_CAST(int, cp->numcmpts); ++cmptno, -@@ -656,7 +656,7 @@ static jpc_enc_cp_t *cp_create(char *optstr, jas_image_t *image) - - if (ilyrrates && numilyrrates > 0) { - tcp->numlyrs = numilyrrates + 1; -- if (!(tcp->ilyrrates = jas_malloc((tcp->numlyrs - 1) * -+ if (!(tcp->ilyrrates = jas_alloc2((tcp->numlyrs - 1), - sizeof(jpc_fix_t)))) { - goto error; - } -@@ -939,7 +939,7 @@ startoff = jas_stream_getrwcount(enc->out); - siz->tilewidth = cp->tilewidth; - siz->tileheight = cp->tileheight; - siz->numcomps = cp->numcmpts; -- siz->comps = jas_malloc(siz->numcomps * sizeof(jpc_sizcomp_t)); -+ siz->comps = jas_alloc2(siz->numcomps, sizeof(jpc_sizcomp_t)); - assert(siz->comps); - for (i = 0; i < JAS_CAST(int, cp->numcmpts); ++i) { - siz->comps[i].prec = cp->ccps[i].prec; -@@ -976,7 +976,7 @@ startoff = jas_stream_getrwcount(enc->out); - return -1; - } - crg = &enc->mrk->parms.crg; -- crg->comps = jas_malloc(crg->numcomps * sizeof(jpc_crgcomp_t)); -+ crg->comps = jas_alloc2(crg->numcomps, sizeof(jpc_crgcomp_t)); - if (jpc_putms(enc->out, enc->cstate, enc->mrk)) { - jas_eprintf("cannot write CRG marker\n"); - return -1; -@@ -1954,7 +1954,7 @@ jpc_enc_tile_t *jpc_enc_tile_create(jpc_enc_cp_t *cp, jas_image_t *image, int ti - tile->mctid = cp->tcp.mctid; - - tile->numlyrs = cp->tcp.numlyrs; -- if (!(tile->lyrsizes = jas_malloc(tile->numlyrs * -+ if (!(tile->lyrsizes = jas_alloc2(tile->numlyrs, - sizeof(uint_fast32_t)))) { - goto error; - } -@@ -1963,7 +1963,7 @@ jpc_enc_tile_t *jpc_enc_tile_create(jpc_enc_cp_t *cp, jas_image_t *image, int ti - } - - /* Allocate an array for the per-tile-component information. */ -- if (!(tile->tcmpts = jas_malloc(cp->numcmpts * sizeof(jpc_enc_tcmpt_t)))) { -+ if (!(tile->tcmpts = jas_alloc2(cp->numcmpts, sizeof(jpc_enc_tcmpt_t)))) { - goto error; - } - /* Initialize a few members critical for error recovery. */ -@@ -2108,7 +2108,7 @@ static jpc_enc_tcmpt_t *tcmpt_create(jpc_enc_tcmpt_t *tcmpt, jpc_enc_cp_t *cp, - jas_seq2d_ystart(tcmpt->data), jas_seq2d_xend(tcmpt->data), - jas_seq2d_yend(tcmpt->data), bandinfos); - -- if (!(tcmpt->rlvls = jas_malloc(tcmpt->numrlvls * sizeof(jpc_enc_rlvl_t)))) { -+ if (!(tcmpt->rlvls = jas_alloc2(tcmpt->numrlvls, sizeof(jpc_enc_rlvl_t)))) { - goto error; - } - for (rlvlno = 0, rlvl = tcmpt->rlvls; rlvlno < tcmpt->numrlvls; -@@ -2211,7 +2211,7 @@ static jpc_enc_rlvl_t *rlvl_create(jpc_enc_rlvl_t *rlvl, jpc_enc_cp_t *cp, - rlvl->numvprcs = JPC_FLOORDIVPOW2(brprcbry - tlprctly, rlvl->prcheightexpn); - rlvl->numprcs = rlvl->numhprcs * rlvl->numvprcs; - -- if (!(rlvl->bands = jas_malloc(rlvl->numbands * sizeof(jpc_enc_band_t)))) { -+ if (!(rlvl->bands = jas_alloc2(rlvl->numbands, sizeof(jpc_enc_band_t)))) { - goto error; - } - for (bandno = 0, band = rlvl->bands; bandno < rlvl->numbands; -@@ -2288,7 +2288,7 @@ if (bandinfo->xstart != bandinfo->xend && bandinfo->ystart != bandinfo->yend) { - band->synweight = bandinfo->synenergywt; - - if (band->data) { -- if (!(band->prcs = jas_malloc(rlvl->numprcs * sizeof(jpc_enc_prc_t)))) { -+ if (!(band->prcs = jas_alloc2(rlvl->numprcs, sizeof(jpc_enc_prc_t)))) { - goto error; - } - for (prcno = 0, prc = band->prcs; prcno < rlvl->numprcs; ++prcno, -@@ -2420,7 +2420,7 @@ if (!rlvlno) { - goto error; - } - -- if (!(prc->cblks = jas_malloc(prc->numcblks * sizeof(jpc_enc_cblk_t)))) { -+ if (!(prc->cblks = jas_alloc2(prc->numcblks, sizeof(jpc_enc_cblk_t)))) { - goto error; - } - for (cblkno = 0, cblk = prc->cblks; cblkno < prc->numcblks; -diff --git a/src/libjasper/jpc/jpc_mqdec.c b/src/libjasper/jpc/jpc_mqdec.c -index 4cc2f46..66a8581 100644 ---- a/src/libjasper/jpc/jpc_mqdec.c -+++ b/src/libjasper/jpc/jpc_mqdec.c -@@ -118,7 +118,7 @@ jpc_mqdec_t *jpc_mqdec_create(int maxctxs, jas_stream_t *in) - mqdec->in = in; - mqdec->maxctxs = maxctxs; - /* Allocate memory for the per-context state information. */ -- if (!(mqdec->ctxs = jas_malloc(mqdec->maxctxs * sizeof(jpc_mqstate_t *)))) { -+ if (!(mqdec->ctxs = jas_alloc2(mqdec->maxctxs, sizeof(jpc_mqstate_t *)))) { - goto error; - } - /* Set the current context to the first context. */ -diff --git a/src/libjasper/jpc/jpc_mqenc.c b/src/libjasper/jpc/jpc_mqenc.c -index 758b361..399581e 100644 ---- a/src/libjasper/jpc/jpc_mqenc.c -+++ b/src/libjasper/jpc/jpc_mqenc.c -@@ -197,7 +197,7 @@ jpc_mqenc_t *jpc_mqenc_create(int maxctxs, jas_stream_t *out) - mqenc->maxctxs = maxctxs; - - /* Allocate memory for the per-context state information. */ -- if (!(mqenc->ctxs = jas_malloc(mqenc->maxctxs * sizeof(jpc_mqstate_t *)))) { -+ if (!(mqenc->ctxs = jas_alloc2(mqenc->maxctxs, sizeof(jpc_mqstate_t *)))) { - goto error; - } - -diff --git a/src/libjasper/jpc/jpc_qmfb.c b/src/libjasper/jpc/jpc_qmfb.c -index 1e24051..4fad82d 100644 ---- a/src/libjasper/jpc/jpc_qmfb.c -+++ b/src/libjasper/jpc/jpc_qmfb.c -@@ -316,7 +316,7 @@ void jpc_qmfb_split_row(jpc_fix_t *a, int numcols, int parity) - - /* Get a buffer. */ - if (bufsize > QMFB_SPLITBUFSIZE) { -- if (!(buf = jas_malloc(bufsize * sizeof(jpc_fix_t)))) { -+ if (!(buf = jas_alloc2(bufsize, sizeof(jpc_fix_t)))) { - /* We have no choice but to commit suicide in this case. */ - abort(); - } -@@ -376,7 +376,7 @@ void jpc_qmfb_split_col(jpc_fix_t *a, int numrows, int stride, - - /* Get a buffer. */ - if (bufsize > QMFB_SPLITBUFSIZE) { -- if (!(buf = jas_malloc(bufsize * sizeof(jpc_fix_t)))) { -+ if (!(buf = jas_alloc2(bufsize, sizeof(jpc_fix_t)))) { - /* We have no choice but to commit suicide in this case. */ - abort(); - } -@@ -439,7 +439,7 @@ void jpc_qmfb_split_colgrp(jpc_fix_t *a, int numrows, int stride, - - /* Get a buffer. */ - if (bufsize > QMFB_SPLITBUFSIZE) { -- if (!(buf = jas_malloc(bufsize * sizeof(jpc_fix_t)))) { -+ if (!(buf = jas_alloc2(bufsize, sizeof(jpc_fix_t)))) { - /* We have no choice but to commit suicide in this case. */ - abort(); - } -@@ -520,7 +520,7 @@ void jpc_qmfb_split_colres(jpc_fix_t *a, int numrows, int numcols, - - /* Get a buffer. */ - if (bufsize > QMFB_SPLITBUFSIZE) { -- if (!(buf = jas_malloc(bufsize * sizeof(jpc_fix_t)))) { -+ if (!(buf = jas_alloc2(bufsize, sizeof(jpc_fix_t)))) { - /* We have no choice but to commit suicide in this case. */ - abort(); - } -@@ -596,7 +596,7 @@ void jpc_qmfb_join_row(jpc_fix_t *a, int numcols, int parity) - - /* Allocate memory for the join buffer from the heap. */ - if (bufsize > QMFB_JOINBUFSIZE) { -- if (!(buf = jas_malloc(bufsize * sizeof(jpc_fix_t)))) { -+ if (!(buf = jas_alloc2(bufsize, sizeof(jpc_fix_t)))) { - /* We have no choice but to commit suicide. */ - abort(); - } -@@ -653,7 +653,7 @@ void jpc_qmfb_join_col(jpc_fix_t *a, int numrows, int stride, - - /* Allocate memory for the join buffer from the heap. */ - if (bufsize > QMFB_JOINBUFSIZE) { -- if (!(buf = jas_malloc(bufsize * sizeof(jpc_fix_t)))) { -+ if (!(buf = jas_alloc2(bufsize, sizeof(jpc_fix_t)))) { - /* We have no choice but to commit suicide. */ - abort(); - } -@@ -713,7 +713,7 @@ void jpc_qmfb_join_colgrp(jpc_fix_t *a, int numrows, int stride, - - /* Allocate memory for the join buffer from the heap. */ - if (bufsize > QMFB_JOINBUFSIZE) { -- if (!(buf = jas_malloc(bufsize * JPC_QMFB_COLGRPSIZE * sizeof(jpc_fix_t)))) { -+ if (!(buf = jas_alloc2(bufsize, JPC_QMFB_COLGRPSIZE * sizeof(jpc_fix_t)))) { - /* We have no choice but to commit suicide. */ - abort(); - } -@@ -791,7 +791,7 @@ void jpc_qmfb_join_colres(jpc_fix_t *a, int numrows, int numcols, - - /* Allocate memory for the join buffer from the heap. */ - if (bufsize > QMFB_JOINBUFSIZE) { -- if (!(buf = jas_malloc(bufsize * numcols * sizeof(jpc_fix_t)))) { -+ if (!(buf = jas_alloc3(bufsize, numcols, sizeof(jpc_fix_t)))) { - /* We have no choice but to commit suicide. */ - abort(); - } -diff --git a/src/libjasper/jpc/jpc_t1enc.c b/src/libjasper/jpc/jpc_t1enc.c -index 49bb194..93c96ce 100644 ---- a/src/libjasper/jpc/jpc_t1enc.c -+++ b/src/libjasper/jpc/jpc_t1enc.c -@@ -219,7 +219,7 @@ int jpc_enc_enccblk(jpc_enc_t *enc, jas_stream_t *out, jpc_enc_tcmpt_t *tcmpt, j - - cblk->numpasses = (cblk->numbps > 0) ? (3 * cblk->numbps - 2) : 0; - if (cblk->numpasses > 0) { -- cblk->passes = jas_malloc(cblk->numpasses * sizeof(jpc_enc_pass_t)); -+ cblk->passes = jas_alloc2(cblk->numpasses, sizeof(jpc_enc_pass_t)); - assert(cblk->passes); - } else { - cblk->passes = 0; -diff --git a/src/libjasper/jpc/jpc_t2cod.c b/src/libjasper/jpc/jpc_t2cod.c -index b80d332..da28de5 100644 ---- a/src/libjasper/jpc/jpc_t2cod.c -+++ b/src/libjasper/jpc/jpc_t2cod.c -@@ -573,7 +573,7 @@ int jpc_pchglist_insert(jpc_pchglist_t *pchglist, int pchgno, jpc_pchg_t *pchg) - } - if (pchglist->numpchgs >= pchglist->maxpchgs) { - newmaxpchgs = pchglist->maxpchgs + 128; -- if (!(newpchgs = jas_realloc(pchglist->pchgs, newmaxpchgs * sizeof(jpc_pchg_t *)))) { -+ if (!(newpchgs = jas_realloc2(pchglist->pchgs, newmaxpchgs, sizeof(jpc_pchg_t *)))) { - return -1; - } - pchglist->maxpchgs = newmaxpchgs; -diff --git a/src/libjasper/jpc/jpc_t2dec.c b/src/libjasper/jpc/jpc_t2dec.c -index 6d2cb72..8300f9b 100644 ---- a/src/libjasper/jpc/jpc_t2dec.c -+++ b/src/libjasper/jpc/jpc_t2dec.c -@@ -478,7 +478,7 @@ jpc_pi_t *jpc_dec_pi_create(jpc_dec_t *dec, jpc_dec_tile_t *tile) - return 0; - } - pi->numcomps = dec->numcomps; -- if (!(pi->picomps = jas_malloc(pi->numcomps * sizeof(jpc_picomp_t)))) { -+ if (!(pi->picomps = jas_alloc2(pi->numcomps, sizeof(jpc_picomp_t)))) { - jpc_pi_destroy(pi); - return 0; - } -@@ -490,7 +490,7 @@ jpc_pi_t *jpc_dec_pi_create(jpc_dec_t *dec, jpc_dec_tile_t *tile) - for (compno = 0, tcomp = tile->tcomps, picomp = pi->picomps; - compno < pi->numcomps; ++compno, ++tcomp, ++picomp) { - picomp->numrlvls = tcomp->numrlvls; -- if (!(picomp->pirlvls = jas_malloc(picomp->numrlvls * -+ if (!(picomp->pirlvls = jas_alloc2(picomp->numrlvls, - sizeof(jpc_pirlvl_t)))) { - jpc_pi_destroy(pi); - return 0; -@@ -503,7 +503,7 @@ jpc_pi_t *jpc_dec_pi_create(jpc_dec_t *dec, jpc_dec_tile_t *tile) - rlvlno < picomp->numrlvls; ++rlvlno, ++pirlvl, ++rlvl) { - /* XXX sizeof(long) should be sizeof different type */ - pirlvl->numprcs = rlvl->numprcs; -- if (!(pirlvl->prclyrnos = jas_malloc(pirlvl->numprcs * -+ if (!(pirlvl->prclyrnos = jas_alloc2(pirlvl->numprcs, - sizeof(long)))) { - jpc_pi_destroy(pi); - return 0; -diff --git a/src/libjasper/jpc/jpc_t2enc.c b/src/libjasper/jpc/jpc_t2enc.c -index f5e24dc..d0c5fd1 100644 ---- a/src/libjasper/jpc/jpc_t2enc.c -+++ b/src/libjasper/jpc/jpc_t2enc.c -@@ -567,7 +567,7 @@ jpc_pi_t *jpc_enc_pi_create(jpc_enc_cp_t *cp, jpc_enc_tile_t *tile) - } - pi->pktno = -1; - pi->numcomps = cp->numcmpts; -- if (!(pi->picomps = jas_malloc(pi->numcomps * sizeof(jpc_picomp_t)))) { -+ if (!(pi->picomps = jas_alloc2(pi->numcomps, sizeof(jpc_picomp_t)))) { - jpc_pi_destroy(pi); - return 0; - } -@@ -579,7 +579,7 @@ jpc_pi_t *jpc_enc_pi_create(jpc_enc_cp_t *cp, jpc_enc_tile_t *tile) - for (compno = 0, tcomp = tile->tcmpts, picomp = pi->picomps; - compno < pi->numcomps; ++compno, ++tcomp, ++picomp) { - picomp->numrlvls = tcomp->numrlvls; -- if (!(picomp->pirlvls = jas_malloc(picomp->numrlvls * -+ if (!(picomp->pirlvls = jas_alloc2(picomp->numrlvls, - sizeof(jpc_pirlvl_t)))) { - jpc_pi_destroy(pi); - return 0; -@@ -593,7 +593,7 @@ jpc_pi_t *jpc_enc_pi_create(jpc_enc_cp_t *cp, jpc_enc_tile_t *tile) - /* XXX sizeof(long) should be sizeof different type */ - pirlvl->numprcs = rlvl->numprcs; - if (rlvl->numprcs) { -- if (!(pirlvl->prclyrnos = jas_malloc(pirlvl->numprcs * -+ if (!(pirlvl->prclyrnos = jas_alloc2(pirlvl->numprcs, - sizeof(long)))) { - jpc_pi_destroy(pi); - return 0; -diff --git a/src/libjasper/jpc/jpc_tagtree.c b/src/libjasper/jpc/jpc_tagtree.c -index 06422d3..8dce000 100644 ---- a/src/libjasper/jpc/jpc_tagtree.c -+++ b/src/libjasper/jpc/jpc_tagtree.c -@@ -125,7 +125,7 @@ jpc_tagtree_t *jpc_tagtree_create(int numleafsh, int numleafsv) - ++numlvls; - } while (n > 1); - -- if (!(tree->nodes_ = jas_malloc(tree->numnodes_ * sizeof(jpc_tagtreenode_t)))) { -+ if (!(tree->nodes_ = jas_alloc2(tree->numnodes_, sizeof(jpc_tagtreenode_t)))) { - return 0; - } - -diff --git a/src/libjasper/jpc/jpc_util.c b/src/libjasper/jpc/jpc_util.c -index f53e248..6da1b66 100644 ---- a/src/libjasper/jpc/jpc_util.c -+++ b/src/libjasper/jpc/jpc_util.c -@@ -109,7 +109,7 @@ int jpc_atoaf(char *s, int *numvalues, double **values) - } - - if (n) { -- if (!(vs = jas_malloc(n * sizeof(double)))) { -+ if (!(vs = jas_alloc2(n, sizeof(double)))) { - return -1; - } - -diff --git a/src/libjasper/mif/mif_cod.c b/src/libjasper/mif/mif_cod.c -index 5afc0a2..e0f1d3a 100644 ---- a/src/libjasper/mif/mif_cod.c -+++ b/src/libjasper/mif/mif_cod.c -@@ -438,8 +438,7 @@ static int mif_hdr_growcmpts(mif_hdr_t *hdr, int maxcmpts) - int cmptno; - mif_cmpt_t **newcmpts; - assert(maxcmpts >= hdr->numcmpts); -- newcmpts = (!hdr->cmpts) ? jas_malloc(maxcmpts * sizeof(mif_cmpt_t *)) : -- jas_realloc(hdr->cmpts, maxcmpts * sizeof(mif_cmpt_t *)); -+ newcmpts = jas_realloc2(hdr->cmpts, maxcmpts, sizeof(mif_cmpt_t *)); - if (!newcmpts) { - return -1; - } diff --git a/jasper.spec b/jasper.spec index 032232c..09b22f0 100644 --- a/jasper.spec +++ b/jasper.spec @@ -6,10 +6,10 @@ Summary: Implementation of the JPEG-2000 standard, Part 1 Name: jasper Group: System Environment/Libraries -Version: 1.900.3 +Version: 1.900.13 Release: 1%{?dist} -%if "%{version}" >= "1.900.2" +%if "%{version}" > "1.900.1" %define ext .tar.gz %else %define ext .zip @@ -19,18 +19,10 @@ License: JasPer URL: http://www.ece.uvic.ca/~frodo/jasper/ Source0: http://www.ece.uvic.ca/~frodo/jasper/software/jasper-%{version}%{ext} -# CVE-2007-2721 (bug #240397) -# borrowed from http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=413041;msg=88 -Patch1: patch-libjasper-stepsizes-overflow.diff # OpenBSD hardening patches addressing couple of possible integer overflows # during the memory allocations # https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2008-3520 -Patch2: jasper-1.900.1-CVE-2008-3520.patch -Patch3: jasper-1.900.1-CVE-2011-4516-CVE-2011-4517-CERT-VU-887409.patch - -# Issues found by static analysis of code -Patch110: jasper-1.900.1-Coverity-NULL_RETURNS.patch -Patch111: jasper-1.900.1-Coverity-RESOURCE_LEAK.patch +Patch1: jasper-1.900.1-CVE-2008-3520.patch # autoreconf BuildRequires: autoconf automake libtool @@ -75,13 +67,7 @@ Requires: %{name}-libs%{?_isa} = %{version}-%{release} %prep %setup -q -n %{name}-%{version} - -%patch1 -p1 -b .CVE-2007-2721 -%patch2 -p1 -b .CVE-2008-3520 -%patch3 -p1 -b .CVE-2011-4516-4517 - -%patch110 -p1 -b .NULL_RETURNS -%patch111 -p1 -b .RESOURCE_LEAK +%patch1 -p1 -b .CVE-2008-3520 autoreconf --verbose --force --install @@ -151,6 +137,10 @@ make check %changelog +* Mon Oct 24 2016 Josef Ridky - 1.900.13-1 +- New upstream release 1.900.13 (#1385637) +- Release contains security fix for CVE-2016-8690, CVE-2016-8691, CVE-2016-8692, CVE-2016-8693 (#1385516) + * Thu Oct 13 2016 Josef Ridky - 1.900.3-1 - New upstream release 1.900.3 diff --git a/sources b/sources index 4b63c55..0ab0692 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -648c3b863516a5204e406de4011ab140 jasper-1.900.3.tar.gz +2436b251a38155308e83a4c752bb10b6 jasper-1.900.13.tar.gz