Resolves: #1254244 - CVE-2015-5203 - double free in jasper_image_stop_load()
parent
2fdffecfed
commit
3620992738
183
jasper-CVE-2015-5203.patch
Normal file
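--- /dev/null
+++ b/jasper-CVE-2015-5203.patch
@@ -0,0 +1,183 @@
+diff -urNp jasper-1.900.1.orig/src/libjasper/base/jas_stream.c jasper-1.900.1.new/src/libjasper/base/jas_stream.c
+--- jasper-1.900.1.orig/src/libjasper/base/jas_stream.c 2016-08-11 13:35:09.160895769 +0200
++++ jasper-1.900.1.new/src/libjasper/base/jas_stream.c 2016-08-11 13:39:33.800843489 +0200
+@@ -99,7 +99,7 @@ static int jas_strtoopenmode(const char
+static void jas_stream_destroy(jas_stream_t *stream);
+static jas_stream_t *jas_stream_create(void);
+static void jas_stream_initbuf(jas_stream_t *stream, int bufmode, char *buf,
+- int bufsize);
++ size_t bufsize);
+
+static int mem_read(jas_stream_obj_t *obj, char *buf, int cnt);
+static int mem_write(jas_stream_obj_t *obj, char *buf, int cnt);
+@@ -168,7 +168,7 @@ static jas_stream_t *jas_stream_create()
+return stream;
+}
+
+-jas_stream_t *jas_stream_memopen(char *buf, int bufsize)
++jas_stream_t *jas_stream_memopen(char *buf, size_t bufsize)
+{
+jas_stream_t *stream;
+jas_stream_memobj_t *obj;
+@@ -570,7 +570,7 @@ int jas_stream_puts(jas_stream_t *stream
+return 0;
+}
+
+-char *jas_stream_gets(jas_stream_t *stream, char *buf, int bufsize)
++char *jas_stream_gets(jas_stream_t *stream, char *buf, size_t bufsize)
+{
+int c;
+char *bufptr;
+@@ -694,7 +694,7 @@ long jas_stream_tell(jas_stream_t *strea
+\******************************************************************************/
+
+static void jas_stream_initbuf(jas_stream_t *stream, int bufmode, char *buf,
+- int bufsize)
++ size_t bufsize)
+{
+/* If this function is being called, the buffer should not have been
+initialized yet. */
+@@ -987,7 +987,7 @@ static int mem_read(jas_stream_obj_t *ob
+return cnt;
+}
+
+-static int mem_resize(jas_stream_memobj_t *m, int bufsize)
++static int mem_resize(jas_stream_memobj_t *m, size_t bufsize)
+{
+unsigned char *buf;
+
+diff -urNp jasper-1.900.1.orig/src/libjasper/include/jasper/jas_stream.h jasper-1.900.1.new/src/libjasper/include/jasper/jas_stream.h
+--- jasper-1.900.1.orig/src/libjasper/include/jasper/jas_stream.h 2007-01-19 22:43:04.000000000 +0100
++++ jasper-1.900.1.new/src/libjasper/include/jasper/jas_stream.h 2016-08-11 13:41:27.841153595 +0200
+@@ -215,7 +215,7 @@ typedef struct {
+uchar *bufstart_;
+
+/* The buffer size. */
+- int bufsize_;
++ size_t bufsize_;
+
+/* The current position in the buffer. */
+uchar *ptr_;
+@@ -267,7 +267,7 @@ typedef struct {
+uchar *buf_;
+
+/* The allocated size of the buffer for holding file data. */
+- int bufsize_;
++ size_t bufsize_;
+
+/* The length of the file. */
+int_fast32_t len_;
+@@ -291,7 +291,7 @@ typedef struct {
+jas_stream_t *jas_stream_fopen(const char *filename, const char *mode);
+
+/* Open a memory buffer as a stream. */
+-jas_stream_t *jas_stream_memopen(char *buf, int bufsize);
++jas_stream_t *jas_stream_memopen(char *buf, size_t bufsize);
+
+/* Open a file descriptor as a stream. */
+jas_stream_t *jas_stream_fdopen(int fd, const char *mode);
+@@ -366,7 +366,7 @@ int jas_stream_printf(jas_stream_t *stre
+int jas_stream_puts(jas_stream_t *stream, const char *s);
+
+/* Read a line of input from a stream. */
+-char *jas_stream_gets(jas_stream_t *stream, char *buf, int bufsize);
++char *jas_stream_gets(jas_stream_t *stream, char *buf, size_t bufsize);
+
+/* Look at the next character to be read from a stream without actually
+removing it from the stream. */
+diff -urNp jasper-1.900.1.orig/src/libjasper/jpc/jpc_qmfb.c jasper-1.900.1.new/src/libjasper/jpc/jpc_qmfb.c
+--- jasper-1.900.1.orig/src/libjasper/jpc/jpc_qmfb.c 2016-08-11 13:35:09.170895681 +0200
++++ jasper-1.900.1.new/src/libjasper/jpc/jpc_qmfb.c 2016-08-11 13:45:20.847809678 +0200
+@@ -305,7 +305,7 @@ jpc_qmfb2d_t jpc_ns_qmfb2d = {
+void jpc_qmfb_split_row(jpc_fix_t *a, int numcols, int parity)
+{
+
+- int bufsize = JPC_CEILDIVPOW2(numcols, 1);
++ size_t bufsize = JPC_CEILDIVPOW2(numcols, 1);
+jpc_fix_t splitbuf[QMFB_SPLITBUFSIZE];
+jpc_fix_t *buf = splitbuf;
+register jpc_fix_t *srcptr;
+@@ -365,7 +365,7 @@ void jpc_qmfb_split_col(jpc_fix_t *a, in
+int parity)
+{
+
+- int bufsize = JPC_CEILDIVPOW2(numrows, 1);
++ size_t bufsize = JPC_CEILDIVPOW2(numrows, 1);
+jpc_fix_t splitbuf[QMFB_SPLITBUFSIZE];
+jpc_fix_t *buf = splitbuf;
+register jpc_fix_t *srcptr;
+@@ -425,7 +425,7 @@ void jpc_qmfb_split_colgrp(jpc_fix_t *a,
+int parity)
+{
+
+- int bufsize = JPC_CEILDIVPOW2(numrows, 1);
++ size_t bufsize = JPC_CEILDIVPOW2(numrows, 1);
+jpc_fix_t splitbuf[QMFB_SPLITBUFSIZE * JPC_QMFB_COLGRPSIZE];
+jpc_fix_t *buf = splitbuf;
+jpc_fix_t *srcptr;
+@@ -506,7 +506,7 @@ void jpc_qmfb_split_colres(jpc_fix_t *a,
+int stride, int parity)
+{
+
+- int bufsize = JPC_CEILDIVPOW2(numrows, 1);
++ size_t bufsize = JPC_CEILDIVPOW2(numrows, 1);
+jpc_fix_t splitbuf[QMFB_SPLITBUFSIZE * JPC_QMFB_COLGRPSIZE];
+jpc_fix_t *buf = splitbuf;
+jpc_fix_t *srcptr;
+@@ -586,7 +586,7 @@ void jpc_qmfb_split_colres(jpc_fix_t *a,
+void jpc_qmfb_join_row(jpc_fix_t *a, int numcols, int parity)
+{
+
+- int bufsize = JPC_CEILDIVPOW2(numcols, 1);
++ size_t bufsize = JPC_CEILDIVPOW2(numcols, 1);
+jpc_fix_t joinbuf[QMFB_JOINBUFSIZE];
+jpc_fix_t *buf = joinbuf;
+register jpc_fix_t *srcptr;
+@@ -643,7 +643,7 @@ void jpc_qmfb_join_col(jpc_fix_t *a, int
+int parity)
+{
+
+- int bufsize = JPC_CEILDIVPOW2(numrows, 1);
++ size_t bufsize = JPC_CEILDIVPOW2(numrows, 1);
+jpc_fix_t joinbuf[QMFB_JOINBUFSIZE];
+jpc_fix_t *buf = joinbuf;
+register jpc_fix_t *srcptr;
+@@ -700,7 +700,7 @@ void jpc_qmfb_join_colgrp(jpc_fix_t *a,
+int parity)
+{
+
+- int bufsize = JPC_CEILDIVPOW2(numrows, 1);
++ size_t bufsize = JPC_CEILDIVPOW2(numrows, 1);
+jpc_fix_t joinbuf[QMFB_JOINBUFSIZE * JPC_QMFB_COLGRPSIZE];
+jpc_fix_t *buf = joinbuf;
+jpc_fix_t *srcptr;
+@@ -778,7 +778,7 @@ void jpc_qmfb_join_colres(jpc_fix_t *a,
+int stride, int parity)
+{
+
+- int bufsize = JPC_CEILDIVPOW2(numrows, 1);
++ size_t bufsize = JPC_CEILDIVPOW2(numrows, 1);
+jpc_fix_t joinbuf[QMFB_JOINBUFSIZE * JPC_QMFB_COLGRPSIZE];
+jpc_fix_t *buf = joinbuf;
+jpc_fix_t *srcptr;
+diff -urNp jasper-1.900.1.orig/src/libjasper/mif/mif_cod.c jasper-1.900.1.new/src/libjasper/mif/mif_cod.c
+--- jasper-1.900.1.orig/src/libjasper/mif/mif_cod.c 2016-08-11 13:35:09.179895601 +0200
++++ jasper-1.900.1.new/src/libjasper/mif/mif_cod.c 2016-08-11 13:46:26.166415464 +0200
+@@ -107,7 +107,7 @@ static int mif_hdr_put(mif_hdr_t *hdr, j
+static int mif_hdr_addcmpt(mif_hdr_t *hdr, int cmptno, mif_cmpt_t *cmpt);
+static mif_cmpt_t *mif_cmpt_create(void);
+static void mif_cmpt_destroy(mif_cmpt_t *cmpt);
+-static char *mif_getline(jas_stream_t *jas_stream, char *buf, int bufsize);
++static char *mif_getline(jas_stream_t *jas_stream, char *buf, size_t bufsize);
+static int mif_getc(jas_stream_t *in);
+static mif_hdr_t *mif_makehdrfromimage(jas_image_t *image);
+
+@@ -657,7 +657,7 @@ static void mif_cmpt_destroy(mif_cmpt_t
+* MIF parsing code.
+\******************************************************************************/
+
+-static char *mif_getline(jas_stream_t *stream, char *buf, int bufsize)
++static char *mif_getline(jas_stream_t *stream, char *buf, size_t bufsize)
+{
+int c;
+char *bufptr;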
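Review bot: In the jas_stream.h hunk at -267, `bufsize_` of the memory-stream object becomes `size_t` while `len_` directly below it stays `int_fast32_t`, and `mem_read`/`mem_write` keep `int cnt`, so any comparison or arithmetic that mixes these in mem_read, mem_write and mem_resize (their bodies lie outside the hunks) now converts the signed operand to unsigned and should be audited for negative values. The eight jpc_qmfb.c hunks have the same shape: `size_t bufsize = JPC_CEILDIVPOW2(numcols, 1);` takes an `int` count, so a negative count, if one can reach these functions, would become a very large size instead of a small negative one; an `assert(numcols >= 0);` (or `numrows`) before `bufsize` is first used would make that assumption explicit. Both `bufsize_` fields sit in structs declared in an installed header, and `int` to `size_t` changes their layout on LP64 targets, so packages compiled against the old header presumably need a rebuild even though only Release is bumped. The patch file also carries no header text saying how widening `bufsize` relates to the double free named in the commit title; a short description at the top of the patch would help the next maintainer.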
|
@ -7,7 +7,7 @@ Summary: Implementation of the JPEG-2000 standard, Part 1
|
||||
Name: jasper
|
||||
Group: System Environment/Libraries
|
||||
Version: 1.900.1
|
||||
Release: 32%{?dist}
|
||||
Release: 33%{?dist}
|
||||
|
||||
License: JasPer
|
||||
URL: http://www.ece.uvic.ca/~frodo/jasper/
|
||||
@ -37,6 +37,7 @@ Patch10: jasper-CVE-2014-8137.patch
|
||||
Patch11: jasper-CVE-2014-8138.patch
|
||||
Patch12: jasper-CVE-2014-8157.patch
|
||||
Patch13: jasper-CVE-2014-8158.patch
|
||||
Patch14: jasper-CVE-2015-5203.patch
|
||||
|
||||
# Issues found by static analysis of code
|
||||
Patch110: jasper-1.900.1-Coverity-BAD_SIZEOF.patch
|
||||
@ -104,6 +105,7 @@ Requires: %{name}-libs%{?_isa} = %{version}-%{release}
|
||||
%patch11 -p1 -b .CVE-2014-8138
|
||||
%patch12 -p1 -b .CVE-2014-8157
|
||||
%patch13 -p1 -b .CVE-2014-8158
|
||||
%patch14 -p1 -b .CVE-2015-5203
|
||||
|
||||
%patch110 -p1 -b .BAD_SIZEOF
|
||||
%patch111 -p1 -b .CHECKED_RETURN
|
||||
@ -181,6 +183,9 @@ make check
|
||||
|
||||
|
||||
%changelog
|
||||
* Thu Aug 11 2016 Josef Ridky <jridky@redhat.com> - 1.900.1-33
|
||||
- CVE-2015-5203 - double free in jasper_image_stop_load() (#1254244)
|
||||
|
||||
* Thu Feb 04 2016 Fedora Release Engineering <releng@fedoraproject.org> - 1.900.1-32
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
|
||||
|
||||
|