- CVE-2007-2721 (#240397)

jasper.spec

@@ -11,7 +11,7 @@ Summary: Implementation of the JPEG-2000 standard, Part 1
 Name:    jasper
 Group:   System Environment/Libraries
 Version: 1.900.1
-Release: 1%{?dist}
+Release: 2%{?dist}
 
 License: JasPer License Version 2.0
 %if "%{?geo:1}" == "1"
@@ -28,6 +28,9 @@ BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 Patch1: jasper-1.701.0-GL.patch
 # autoconf/automake bits of patch1
 Patch2: jasper-1.701.0-GL-ac.patch
+# CVE-2007-2721 (bug #240397)
+# borrowed from http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=413041;msg=88
+Patch3: patch-libjasper-stepsizes-overflow.diff
 
 BuildRequires: automake 
 BuildRequires: libjpeg-devel
@@ -52,6 +55,7 @@ Requires: libjpeg-devel
 %setup -q -n %{name}-%{version}%{?geo:.GEO}
 
 %patch1 -p1 -b .GL
+%patch3 -p1 -b .CVE-2007-2721
 
 %if "%{?geo:1}" == "1"
 chmod +x configure configure.ac
@@ -64,6 +68,7 @@ automake -a
 %endif
 
 
+
 %build
 
 %configure \
@@ -115,6 +120,9 @@ rm -rf $RPM_BUILD_ROOT
 
 
 %changelog
+* Wed May 23 2007 Rex Dieter <rdieter[AT]fedoraproject.org> 1.900.1-2
+- CVE-2007-2721 (#240397)
+
 * Thu Mar 29 2007 Rex Dieter <rdieter[AT]fedoraproject.org> 1.900.1-1
 - jasper-1.900.1
 

patch-libjasper-stepsizes-overflow.diff

@@ -0,0 +1,14 @@
+--- jasper-1.900.1.orig/src/libjasper/jpc/jpc_cs.c	2007-01-19 22:43:07.000000000 +0100
++++ jasper-1.900.1/src/libjasper/jpc/jpc_cs.c	2007-04-06 01:29:02.000000000 +0200
+@@ -982,7 +982,10 @@ static int jpc_qcx_getcompparms(jpc_qcxc
+ 		compparms->numstepsizes = (len - n) / 2;
+ 		break;
+ 	}
+-	if (compparms->numstepsizes > 0) {
++	if (compparms->numstepsizes > 3 * JPC_MAXRLVLS + 1) {
++		jpc_qcx_destroycompparms(compparms);
++                return -1;
++        } else if (compparms->numstepsizes > 0) {
+ 		compparms->stepsizes = jas_malloc(compparms->numstepsizes *
+ 		  sizeof(uint_fast16_t));
+ 		assert(compparms->stepsizes);