From c73923e32e029920bdf9deb0719dd180e3942b93 Mon Sep 17 00:00:00 2001
From: Jiri Popelka
Date: Fri, 9 Dec 2011 12:44:44 +0100
Subject: [PATCH] CVE-2011-4516, CVE-2011-4517, CERT VU#887409 (#765660)

Fixed problems found by static analysis of code (#761440)
---
 ...11-4516-CVE-2011-4517-CERT-VU-887409.patch | 23 ++
 jasper-1.900.1-Coverity-BAD_SIZEOF.patch | 17 ++
 jasper-1.900.1-Coverity-CHECKED_RETURN.patch | 141 ++++++++++++
 jasper-1.900.1-Coverity-FORWARD_NULL.patch | 44 ++++
 jasper-1.900.1-Coverity-NULL_RETURNS.patch | 61 ++++++
 jasper-1.900.1-Coverity-RESOURCE_LEAK.patch | 202 ++++++++++++++++++
 jasper-1.900.1-Coverity-UNREACHABLE.patch | 37 ++++
 jasper-1.900.1-Coverity-UNUSED_VALUE.patch | 41 ++++
 jasper.spec | 46 ++--
 9 files changed, 598 insertions(+), 14 deletions(-)
 create mode 100644 jasper-1.900.1-CVE-2011-4516-CVE-2011-4517-CERT-VU-887409.patch
 create mode 100644 jasper-1.900.1-Coverity-BAD_SIZEOF.patch
 create mode 100644 jasper-1.900.1-Coverity-CHECKED_RETURN.patch
 create mode 100644 jasper-1.900.1-Coverity-FORWARD_NULL.patch
 create mode 100644 jasper-1.900.1-Coverity-NULL_RETURNS.patch
 create mode 100644 jasper-1.900.1-Coverity-RESOURCE_LEAK.patch
 create mode 100644 jasper-1.900.1-Coverity-UNREACHABLE.patch
 create mode 100644 jasper-1.900.1-Coverity-UNUSED_VALUE.patch

diff --git a/jasper-1.900.1-CVE-2011-4516-CVE-2011-4517-CERT-VU-887409.patch b/jasper-1.900.1-CVE-2011-4516-CVE-2011-4517-CERT-VU-887409.patch
new file mode 100644
index 0000000..f753080
--- /dev/null
+++ b/jasper-1.900.1-CVE-2011-4516-CVE-2011-4517-CERT-VU-887409.patch
@@ -0,0 +1,23 @@ +diff -up jasper-1.900.1/src/libjasper/jpc/jpc_cs.c.CERT-VU-887409 jasper-1.900.1/src/libjasper/jpc/jpc_cs.c +--- jasper-1.900.1/src/libjasper/jpc/jpc_cs.c.CERT-VU-887409 2011-10-25 17:25:39.000000000 +0200 ++++ jasper-1.900.1/src/libjasper/jpc/jpc_cs.c 2011-10-25 17:29:14.379371908 +0200 +@@ -744,6 +744,10 @@ static int jpc_cox_getcompparms(jpc_ms_t + return -1; + } + compparms->numrlvls = compparms->numdlvls + 1; ++ if (compparms->numrlvls > JPC_MAXRLVLS) { ++ jpc_cox_destroycompparms(compparms); ++ return -1; ++ } + if (prtflag) { + for (i = 0; i < compparms->numrlvls; ++i) { + if (jpc_getuint8(in, &tmp)) { +@@ -1331,7 +1335,7 @@ static int jpc_crg_getparms(jpc_ms_t *ms + jpc_crgcomp_t *comp; + uint_fast16_t compno; + crg->numcomps = cstate->numcomps; +- if (!(crg->comps = jas_alloc2(cstate->numcomps, sizeof(uint_fast16_t)))) { ++ if (!(crg->comps = jas_alloc2(cstate->numcomps, sizeof(jpc_crgcomp_t)))) { + return -1; + } + for (compno = 0, comp = crg->comps; compno < cstate->numcomps; diff --git a/jasper-1.900.1-Coverity-BAD_SIZEOF.patch b/jasper-1.900.1-Coverity-BAD_SIZEOF.patch new file mode 100644 index 0000000..1977400 --- /dev/null +++ b/jasper-1.900.1-Coverity-BAD_SIZEOF.patch 
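Review bot: The new JPC_MAXRLVLS guard in jpc_cox_getcompparms calls jpc_cox_destroycompparms before returning -1, while the failure exit immediately above it (the `return -1;` after the jpc_getuint8 reads) does not, so two adjacent error paths in the same function now clean up differently; if the destroy call is needed here it is presumably needed there too, and if it is a no-op the call is misleading, so it is worth settling one way. The guard is what bounds the `for (i = 0; i < compparms->numrlvls; ++i)` loop that follows, and a comment such as `/* numrlvls presumably indexes fixed-size per-resolution arrays; reject values above JPC_MAXRLVLS before any such access (CVE-2011-4516) */` would record why it must precede that loop. In jpc_crg_getparms the jas_alloc2 element size now matches the jpc_crgcomp_t entries the loop below fills; a comment `/* comps is an array of jpc_crgcomp_t, not uint_fast16_t (CVE-2011-4517) */` would keep a later edit from reverting it. Both functions continue outside the hunk.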
@@ -0,0 +1,17 @@ +Error: BAD_SIZEOF +jpc/jpc_enc.c:2105: bad_sizeof: Taking the size of binary expression "tcmpt->numstepsizes * sizeof (uint_fast16_t) /*8*/" is suspicious. + Did you intend "sizeof(tcmpt->numstepsizes) * sizeof (uint_fast16_t) /*8*/"? + +diff -up jasper-1.900.1/src/libjasper/jpc/jpc_enc.c.bad_sizeof jasper-1.900.1/src/libjasper/jpc/jpc_enc.c +--- jasper-1.900.1/src/libjasper/jpc/jpc_enc.c.bad_sizeof 2007-01-19 22:43:07.000000000 +0100 ++++ jasper-1.900.1/src/libjasper/jpc/jpc_enc.c 2011-06-23 17:28:17.085690561 +0200 +@@ -2102,8 +2102,7 @@ static jpc_enc_tcmpt_t *tcmpt_create(jpc + + tcmpt->numstepsizes = tcmpt->numbands; + assert(tcmpt->numstepsizes <= JPC_MAXBANDS); +- memset(tcmpt->stepsizes, 0, sizeof(tcmpt->numstepsizes * +- sizeof(uint_fast16_t))); ++ memset(tcmpt->stepsizes, 0, tcmpt->numstepsizes * sizeof(uint_fast16_t)); + + /* Retrieve information about the various bands. */ + jpc_tsfb_getbands(tcmpt->tsfb, jas_seq2d_xstart(tcmpt->data), diff --git a/jasper-1.900.1-Coverity-CHECKED_RETURN.patch b/jasper-1.900.1-Coverity-CHECKED_RETURN.patch new file mode 100644 index 0000000..ea330f2 --- /dev/null +++ b/jasper-1.900.1-Coverity-CHECKED_RETURN.patch 
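Review bot: The memset length in tcmpt_create now scales with tcmpt->numstepsizes, whose only visible bound is the preceding `assert(tcmpt->numstepsizes <= JPC_MAXBANDS)`, and that assert is compiled out under NDEBUG; if stepsizes is a fixed array of JPC_MAXBANDS entries, a value above the bound would write past it in release builds. Tying the element size to the array rather than a spelled-out type also keeps the fix from rotting if the element type ever changes: `memset(tcmpt->stepsizes, 0, tcmpt->numstepsizes * sizeof tcmpt->stepsizes[0]);`, or, when the whole array should be cleared, `memset(tcmpt->stepsizes, 0, sizeof tcmpt->stepsizes);`, which needs no bound at all. tcmpt_create continues outside the hunk.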
@@ -0,0 +1,141 @@ +Error: CHECKED_RETURN +jpc/jpc_cs.c:924: check_return: Calling function "jpc_putuint16" without checking return value (as is done elsewhere 11 out of 13 times). +jpc/jpc_cs.c:924: unchecked_value: No check of the return value of "jpc_putuint16(out, qcc->compno)". + +jpc/jpc_cs.c:1021: check_return: Calling function "jpc_putuint16" without checking return value (as is done elsewhere 11 out of 13 times). +jpc/jpc_cs.c:1021: unchecked_value: No check of the return value of "jpc_putuint16(out, compparms->stepsizes[i])". + +jpc/jpc_cs.c:994: check_return: Calling function "jpc_getuint16" without checking return value (as is done elsewhere 14 out of 16 times). +jpc/jpc_cs.c:994: unchecked_value: No check of the return value of "jpc_getuint16(in, compparms->stepsizes + i)". + +jpc/jpc_cs.c:905: check_return: Calling function "jpc_getuint16" without checking return value (as is done elsewhere 14 out of 16 times). +jpc/jpc_cs.c:905: unchecked_value: No check of the return value of "jpc_getuint16(in, &qcc->compno)". + +jpc/jpc_cs.c:969: check_return: Calling function "jpc_getuint8" without checking return value (as is done elsewhere 17 out of 20 times). +jpc/jpc_cs.c:969: unchecked_value: No check of the return value of "jpc_getuint8(in, &tmp)". + +jpc/jpc_cs.c:991: check_return: Calling function "jpc_getuint8" without checking return value (as is done elsewhere 17 out of 20 times). +jpc/jpc_cs.c:991: unchecked_value: No check of the return value of "jpc_getuint8(in, &tmp)". + +jpc/jpc_cs.c:901: check_return: Calling function "jpc_getuint8" without checking return value (as is done elsewhere 17 out of 20 times). +jpc/jpc_cs.c:901: unchecked_value: No check of the return value of "jpc_getuint8(in, &tmp)". + +jpc/jpc_t2enc.c:338: check_return: Calling function "jpc_putms" without checking return value (as is done elsewhere 12 out of 13 times). +jpc/jpc_t2enc.c:338: unchecked_value: No check of the return value of "jpc_putms(out, enc->cstate, ms)". 
+ +ras/ras_enc.c:245: check_return: Calling function "jas_image_readcmpt" without checking return value (as is done elsewhere 9 out of 10 times). +ras/ras_enc.c:245: unchecked_value: No check of the return value of "jas_image_readcmpt(image, cmpts[i], 0L, y, image->brx_ - image->tlx_, 1L, data[i])". + +diff -up jasper-1.900.1/src/libjasper/jpc/jpc_cs.c.checked_return jasper-1.900.1/src/libjasper/jpc/jpc_cs.c +--- jasper-1.900.1/src/libjasper/jpc/jpc_cs.c.checked_return 2007-01-19 22:43:07.000000000 +0100 ++++ jasper-1.900.1/src/libjasper/jpc/jpc_cs.c 2011-06-24 13:52:25.636551844 +0200 +@@ -898,11 +898,15 @@ static int jpc_qcc_getparms(jpc_ms_t *ms + int len; + len = ms->len; + if (cstate->numcomps <= 256) { +- jpc_getuint8(in, &tmp); ++ if (jpc_getuint8(in, &tmp)) { ++ return -1; ++ } + qcc->compno = tmp; + --len; + } else { +- jpc_getuint16(in, &qcc->compno); ++ if (jpc_getuint16(in, &qcc->compno)) { ++ return -1; ++ } + len -= 2; + } + if (jpc_qcx_getcompparms(&qcc->compparms, cstate, in, len)) { +@@ -919,9 +923,13 @@ static int jpc_qcc_putparms(jpc_ms_t *ms + { + jpc_qcc_t *qcc = &ms->parms.qcc; + if (cstate->numcomps <= 256) { +- jpc_putuint8(out, qcc->compno); ++ if (jpc_putuint8(out, qcc->compno)) { ++ return -1; ++ } + } else { +- jpc_putuint16(out, qcc->compno); ++ if (jpc_putuint16(out, qcc->compno)) { ++ return -1; ++ } + } + if (jpc_qcx_putcompparms(&qcc->compparms, cstate, out)) { + return -1; +@@ -966,7 +974,9 @@ static int jpc_qcx_getcompparms(jpc_qcxc + cstate = 0; + + n = 0; +- jpc_getuint8(in, &tmp); ++ if (jpc_getuint8(in, &tmp)) { ++ return -1; ++ } + ++n; + compparms->qntsty = tmp & 0x1f; + compparms->numguard = (tmp >> 5) & 7; +@@ -988,10 +998,14 @@ static int jpc_qcx_getcompparms(jpc_qcxc + assert(compparms->stepsizes); + for (i = 0; i < compparms->numstepsizes; ++i) { + if (compparms->qntsty == JPC_QCX_NOQNT) { +- jpc_getuint8(in, &tmp); ++ if (jpc_getuint8(in, &tmp)) { ++ return -1; ++ } + compparms->stepsizes[i] = JPC_QCX_EXPN(tmp >> 3); + 
} else { +- jpc_getuint16(in, &compparms->stepsizes[i]); ++ if (jpc_getuint16(in, &compparms->stepsizes[i])) { ++ return -1; ++ } + } + } + } else { +@@ -1015,10 +1029,14 @@ static int jpc_qcx_putcompparms(jpc_qcxc + jpc_putuint8(out, ((compparms->numguard & 7) << 5) | compparms->qntsty); + for (i = 0; i < compparms->numstepsizes; ++i) { + if (compparms->qntsty == JPC_QCX_NOQNT) { +- jpc_putuint8(out, JPC_QCX_GETEXPN( +- compparms->stepsizes[i]) << 3); ++ if (jpc_putuint8(out, JPC_QCX_GETEXPN( ++ compparms->stepsizes[i]) << 3)) { ++ return -1; ++ } + } else { +- jpc_putuint16(out, compparms->stepsizes[i]); ++ if (jpc_putuint16(out, compparms->stepsizes[i])) { ++ return -1; ++ } + } + } + return 0; +diff -up jasper-1.900.1/src/libjasper/jpc/jpc_t2enc.c.checked_return jasper-1.900.1/src/libjasper/jpc/jpc_t2enc.c +--- jasper-1.900.1/src/libjasper/jpc/jpc_t2enc.c.checked_return 2007-01-19 22:43:07.000000000 +0100 ++++ jasper-1.900.1/src/libjasper/jpc/jpc_t2enc.c 2011-06-24 12:29:32.069578992 +0200 +@@ -335,7 +335,9 @@ assert(jpc_firstone(datalen) < cblk->num + if (!(ms = jpc_ms_create(JPC_MS_EPH))) { + return -1; + } +- jpc_putms(out, enc->cstate, ms); ++ if (jpc_putms(out, enc->cstate, ms)) { ++ return -1; ++ } + jpc_ms_destroy(ms); + } + +diff -up jasper-1.900.1/src/libjasper/ras/ras_enc.c.checked_return jasper-1.900.1/src/libjasper/ras/ras_enc.c +--- jasper-1.900.1/src/libjasper/ras/ras_enc.c.checked_return 2007-01-19 22:43:04.000000000 +0100 ++++ jasper-1.900.1/src/libjasper/ras/ras_enc.c 2011-06-24 14:05:31.233482612 +0200 +@@ -242,8 +242,10 @@ static int ras_putdatastd(jas_stream_t * + + for (y = 0; y < hdr->height; y++) { + for (i = 0; i < numcmpts; ++i) { +- jas_image_readcmpt(image, cmpts[i], 0, y, jas_image_width(image), +- 1, data[i]); ++ if (jas_image_readcmpt(image, cmpts[i], 0, y, ++ jas_image_width(image), 1, data[i])) { ++ return -1; ++ } + } + z = 0; + nz = 0; 
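Review bot: In the jpc_qcx_putcompparms hunk the `jpc_putuint8(out, ((compparms->numguard & 7) << 5) | compparms->qntsty);` line just above the loop is still unchecked even though the two put calls inside the loop now are; it should get the same treatment: `if (jpc_putuint8(out, ((compparms->numguard & 7) << 5) | compparms->qntsty)) {` / `return -1;` / `}`. The new `return -1` exits in jpc_qcx_getcompparms sit inside the loop that runs right after `assert(compparms->stepsizes)`, so they hand the freshly (re)allocated compparms->stepsizes back to the caller; whether the caller releases it on failure is outside this hunk, and the cox counterpart in the CVE patch calls a destroycompparms helper before returning, so the same may be wanted here. The early `return -1` added in ras_putdatastd likewise leaves from inside nested loops; if data[] or anything else allocated above the hunk is owned locally, it is leaked on that path. All three functions continue outside the hunk.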
diff --git a/jasper-1.900.1-Coverity-FORWARD_NULL.patch b/jasper-1.900.1-Coverity-FORWARD_NULL.patch new file mode 100644 index 0000000..ff526b4 --- /dev/null +++ b/jasper-1.900.1-Coverity-FORWARD_NULL.patch 
@@ -0,0 +1,44 @@ +Error: FORWARD_NULL +jpc/jpc_dec.c:2207: var_compare_op: Comparing "streams" to null implies that "streams" might be null. +jpc/jpc_dec.c:2270: var_deref_model: Passing null variable "streams" to function "jpc_streamlist_destroy", which dereferences it. +jpc/jpc_dec.c:2108: deref_parm: Directly dereferencing parameter "streamlist". + +jpc/jpc_t1enc.c:225: assign_zero: Assigning: "cblk->passes" = 0. +jpc/jpc_t1enc.c:228: alias_transfer: Assigning null: "pass" = "cblk->passes". +jpc/jpc_t1enc.c:229: var_deref_op: Dereferencing null variable "pass". + +diff -up jasper-1.900.1/src/libjasper/jpc/jpc_dec.c.forward_null jasper-1.900.1/src/libjasper/jpc/jpc_dec.c +--- jasper-1.900.1/src/libjasper/jpc/jpc_dec.c.forward_null 2007-01-19 22:43:07.000000000 +0100 ++++ jasper-1.900.1/src/libjasper/jpc/jpc_dec.c 2011-06-24 15:01:39.200600146 +0200 +@@ -2267,7 +2267,9 @@ jpc_streamlist_t *jpc_ppmstabtostreams(j + return streams; + + error: +- jpc_streamlist_destroy(streams); ++ if (streams) { ++ jpc_streamlist_destroy(streams); ++ } + return 0; + } + +diff -up jasper-1.900.1/src/libjasper/jpc/jpc_t1enc.c.forward_null jasper-1.900.1/src/libjasper/jpc/jpc_t1enc.c +--- jasper-1.900.1/src/libjasper/jpc/jpc_t1enc.c.forward_null 2007-01-19 22:43:07.000000000 +0100 ++++ jasper-1.900.1/src/libjasper/jpc/jpc_t1enc.c 2011-06-24 14:58:33.061248133 +0200 +@@ -224,7 +224,7 @@ int jpc_enc_enccblk(jpc_enc_t *enc, jas_ + } else { + cblk->passes = 0; + } +- endpasses = &cblk->passes[cblk->numpasses]; ++ endpasses = (cblk->passes) ? &cblk->passes[cblk->numpasses] : 0; + for (pass = cblk->passes; pass != endpasses; ++pass) { + pass->start = 0; + pass->end = 0; +@@ -352,7 +352,7 @@ dump_passes(cblk->passes, cblk->numpasse + #endif + + n = 0; +- endpasses = &cblk->passes[cblk->numpasses]; ++ endpasses = (cblk->passes) ? &cblk->passes[cblk->numpasses] : 0; + for (pass = cblk->passes; pass != endpasses; ++pass) { + if (pass->start < n) { + pass->start = n; 
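Review bot: The two `endpasses = (cblk->passes) ? &cblk->passes[cblk->numpasses] : 0;` lines in jpc_t1enc.c keep the following loop empty only when cblk->passes is null, which is silently wrong if cblk->numpasses is nonzero at that point; the `cblk->passes = 0` branch is visible above the first one but its condition is not, so an `assert(cblk->passes || cblk->numpasses == 0);` beside each would pin the assumption, and a comment `/* passes may be NULL when there are none; never form &passes[n] on a null pointer */` would explain the ternary to the next reader. The same expression now appears twice; a small static helper returning the end pointer would stop the two copies drifting apart. The `if (streams)` guard in jpc_ppmstabtostreams' error path relies on streams being initialised to null before the first goto, which is outside the hunk.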
diff --git a/jasper-1.900.1-Coverity-NULL_RETURNS.patch b/jasper-1.900.1-Coverity-NULL_RETURNS.patch new file mode 100644 index 0000000..4c72270 --- /dev/null +++ b/jasper-1.900.1-Coverity-NULL_RETURNS.patch 
@@ -0,0 +1,61 @@ +Error: NULL_RETURNS +base/jas_image.c:213: returned_null: Function "jas_image_create0" returns null (checked 6 out of 7 times). +base/jas_image.c:213: var_assigned: Assigning: "newimage" = null return value from "jas_image_create0". +base/jas_image.c:214: dereference: Dereferencing a pointer that might be null "newimage" when calling "jas_image_growcmpts". +base/jas_image.c:777: deref_parm: Directly dereferencing parameter "image". + +base/jas_seq.c:223: returned_null: Function "jas_malloc" returns null (checked 110 out of 119 times). +base/jas_seq.c:223: var_assigned: Assigning: "mat0->rows_" = null return value from "jas_malloc". +base/jas_seq.c:225: dereference: Dereferencing a null pointer "mat0->rows_". + +jp2/jp2_cod.c:484: returned_null: Function "jas_stream_memopen" returns null (checked 12 out of 15 times). +jp2/jp2_cod.c:484: var_assigned: Assigning: "tmpstream" = null return value from "jas_stream_memopen". +jp2/jp2_cod.c:490: dereference: Dereferencing a pointer that might be null "tmpstream" when calling "jas_stream_tell". +base/jas_stream.c:677: deref_parm: Directly dereferencing parameter "stream". 
+ + +diff -up jasper-1.900.1/src/libjasper/base/jas_image.c.NULL_RETURNS jasper-1.900.1/src/libjasper/base/jas_image.c +--- jasper-1.900.1/src/libjasper/base/jas_image.c.NULL_RETURNS 2011-12-08 14:00:05.350020869 +0100 ++++ jasper-1.900.1/src/libjasper/base/jas_image.c 2011-12-08 14:00:06.638004766 +0100 +@@ -210,7 +210,10 @@ jas_image_t *jas_image_copy(jas_image_t + jas_image_t *newimage; + int cmptno; + +- newimage = jas_image_create0(); ++ if (!(newimage = jas_image_create0())) { ++ goto error; ++ } ++ + if (jas_image_growcmpts(newimage, image->numcmpts_)) { + goto error; + } +diff -up jasper-1.900.1/src/libjasper/base/jas_seq.c.NULL_RETURNS jasper-1.900.1/src/libjasper/base/jas_seq.c +--- jasper-1.900.1/src/libjasper/base/jas_seq.c.NULL_RETURNS 2011-12-08 14:00:05.000000000 +0100 ++++ jasper-1.900.1/src/libjasper/base/jas_seq.c 2011-12-08 14:15:12.449680562 +0100 +@@ -220,7 +220,11 @@ void jas_matrix_bindsub(jas_matrix_t *ma + mat0->numrows_ = r1 - r0 + 1; + mat0->numcols_ = c1 - c0 + 1; + mat0->maxrows_ = mat0->numrows_; +- mat0->rows_ = jas_alloc2(mat0->maxrows_, sizeof(jas_seqent_t *)); ++ if (!(mat0->rows_ = jas_alloc2(mat0->maxrows_, sizeof(jas_seqent_t *)))) { ++ jas_matrix_destroy(mat0); ++ return; ++ } ++ + for (i = 0; i < mat0->numrows_; ++i) { + mat0->rows_[i] = mat1->rows_[r0 + i] + c0; + } +diff -up jasper-1.900.1/src/libjasper/jp2/jp2_cod.c.NULL_RETURNS jasper-1.900.1/src/libjasper/jp2/jp2_cod.c +--- jasper-1.900.1/src/libjasper/jp2/jp2_cod.c.NULL_RETURNS 2011-12-08 14:00:05.633017331 +0100 ++++ jasper-1.900.1/src/libjasper/jp2/jp2_cod.c 2011-12-08 14:00:06.677004279 +0100 +@@ -481,7 +481,9 @@ int jp2_box_put(jp2_box_t *box, jas_stre + dataflag = !(box->info->flags & (JP2_BOX_SUPER | JP2_BOX_NODATA)); + + if (dataflag) { +- tmpstream = jas_stream_memopen(0, 0); ++ if (!(tmpstream = jas_stream_memopen(0, 0))) { ++ goto error; ++ } + if (box->ops->putdata) { + if ((*box->ops->putdata)(box, tmpstream)) { + goto error; 
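Review bot: In jas_matrix_bindsub the new failure branch destroys mat0, but mat0 is a caller-owned parameter (`void jas_matrix_bindsub(jas_matrix_t *ma…` in the hunk header) and the function is void, so the caller gets no signal and is left holding a pointer to freed memory that it will presumably use or free itself; the patch turns an unchecked allocation into a use-after-free or double-free. Keep mat0 alive and make the failure observable instead: either a non-void return the callers can check, or at minimum `mat0->rows_ = 0; mat0->numrows_ = 0; mat0->maxrows_ = 0; return;` so later accesses fail on an empty row table rather than on freed storage, with the chosen contract documented on the declaration. The `goto error` added in jp2_box_put with tmpstream null, and the one in jas_image_copy with newimage null, both require their error labels to tolerate a null pointer; those labels are outside the hunks.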
diff --git a/jasper-1.900.1-Coverity-RESOURCE_LEAK.patch b/jasper-1.900.1-Coverity-RESOURCE_LEAK.patch new file mode 100644 index 0000000..76f5da7 --- /dev/null +++ b/jasper-1.900.1-Coverity-RESOURCE_LEAK.patch 
@@ -0,0 +1,202 @@ +Error: RESOURCE_LEAK +src/appl/imgcmp.c:504: var_assign: Assigning: "diffimage" = storage returned from "jas_image_create(3, compparms, 1025)". +src/appl/imgcmp.c:511: leaked_storage: Variable "diffimage" going out of scope leaks the storage it points to. +src/appl/imgcmp.c:537: leaked_storage: Variable "diffimage" going out of scope leaks the storage it points to. + +base/jas_image.c:254: var_assign: Assigning: "newcmpt" = storage returned from "jas_image_cmpt_create0()". +base/jas_image.c:268: leaked_storage: Variable "newcmpt" going out of scope leaks the storage it points to. +base/jas_image.c:271: leaked_storage: Variable "newcmpt" going out of scope leaks the storage it points to. +base/jas_image.c:274: leaked_storage: Variable "newcmpt" going out of scope leaks the storage it points to. +base/jas_image.c:277: leaked_storage: Variable "newcmpt" going out of scope leaks the storage it points to. + +base/jas_cm.c:611: var_assign: Assigning: "newpxformseq" = storage returned from "jas_cmpxformseq_create()". +base/jas_cm.c:617: leaked_storage: Variable "newpxformseq" going out of scope leaks the storage it points to. + +base/jas_cm.c:343: var_assign: Assigning: "newprof" = storage returned from "jas_cmprof_create()". +base/jas_cm.c:358: leaked_storage: Variable "newprof" going out of scope leaks the storage it points to. + +base/jas_cm.c:380: var_assign: Assigning: "xform" = storage returned from "jas_malloc(sizeof (jas_cmxform_t) /*16*/)". +base/jas_cm.c:461: leaked_storage: Variable "xform" going out of scope leaks the storage it points to. + +base/jas_image.c:1379: var_assign: Assigning: "xform" = storage returned from "jas_cmxform_create(inprof, outprof, NULL, 0, intent, 0)". +base/jas_image.c:1444: leaked_storage: Variable "xform" going out of scope leaks the storage it points to. + +base/jas_image.c:1306: var_assign: Assigning: "inimage" = storage returned from "jas_image_copy(image)". 
+base/jas_image.c:1444: leaked_storage: Variable "inimage" going out of scope leaks the storage it points to. + +base/jas_image.c:1345: var_assign: Assigning: "outimage" = storage returned from "jas_image_create0()". +base/jas_image.c:1444: leaked_storage: Variable "outimage" going out of scope leaks the storage it points to. + +bmp/bmp_enc.c:187: var_assign: Assigning: "info" = storage returned from "bmp_info_create()". +bmp/bmp_enc.c:208: leaked_storage: Variable "info" going out of scope leaks the storage it points to. + +jpc/jpc_tagtree.c:111: var_assign: Assigning: "tree" = storage returned from "jpc_tagtree_alloc()". +jpc/jpc_tagtree.c:129: leaked_storage: Variable "tree" going out of scope leaks the storage it points to. + +jpc/jpc_dec.c:452: var_assign: Assigning: "compinfos" = storage returned from "jas_malloc(dec->numcomps * sizeof (jas_image_cmptparm_t) /*56*/)". +jpc/jpc_dec.c:468: leaked_storage: Variable "compinfos" going out of scope leaks the storage it points to. + +jpc/jpc_dec.c:1483: var_assign: Assigning: "cp" = storage returned from "jas_malloc(sizeof (jpc_dec_cp_t) /*48*/)". +jpc/jpc_dec.c:1493: leaked_storage: Variable "cp" going out of scope leaks the storage it points to. +jpc/jpc_dec.c:1497: leaked_storage: Variable "cp" going out of scope leaks the storage it points to. + +mif/mif_cod.c:523: var_assign: Assigning: "cmpt" = storage returned from "mif_cmpt_create()". +mif/mif_cod.c:568: leaked_storage: Variable "cmpt" going out of scope leaks the storage it points to. + +mif/mif_cod.c:568: leaked_storage: Variable "tvp" going out of scope leaks the storage it points to. 
+ + +diff -up jasper-1.900.1/src/appl/imgcmp.c.RESOURCE_LEAK jasper-1.900.1/src/appl/imgcmp.c +--- jasper-1.900.1/src/appl/imgcmp.c.RESOURCE_LEAK 2007-01-19 22:43:08.000000000 +0100 ++++ jasper-1.900.1/src/appl/imgcmp.c 2011-12-08 14:16:04.727027007 +0100 +@@ -507,6 +507,7 @@ jas_image_t *makediffimage(jas_matrix_t + + for (i = 0; i < 3; ++i) { + if (!(diffdata[i] = jas_matrix_create(height, width))) { ++ jas_image_destroy(diffimage); + fprintf(stderr, "internal error\n"); + return 0; + } +@@ -534,6 +535,7 @@ jas_image_t *makediffimage(jas_matrix_t + + for (i = 0; i < 3; ++i) { + if (jas_image_writecmpt(diffimage, i, 0, 0, width, height, diffdata[i])) { ++ jas_image_destroy(diffimage); + return 0; + } + } +diff -up jasper-1.900.1/src/libjasper/base/jas_cm.c.RESOURCE_LEAK jasper-1.900.1/src/libjasper/base/jas_cm.c +--- jasper-1.900.1/src/libjasper/base/jas_cm.c.RESOURCE_LEAK 2011-12-08 14:16:03.387043758 +0100 ++++ jasper-1.900.1/src/libjasper/base/jas_cm.c 2011-12-08 14:16:04.728026994 +0100 +@@ -355,6 +355,8 @@ jas_cmprof_t *jas_cmprof_copy(jas_cmprof + } + return newprof; + error: ++ if (newprof) ++ jas_cmprof_destroy(newprof); + return 0; + } + +@@ -458,6 +460,8 @@ jas_cmxform_t *jas_cmxform_create(jas_cm + } + return xform; + error: ++ if (xform) ++ jas_cmxform_destroy(xform); + return 0; + } + +@@ -614,6 +618,8 @@ static jas_cmpxformseq_t *jas_cmpxformse + goto error; + return newpxformseq; + error: ++ if (newpxformseq) ++ jas_cmpxformseq_destroy(newpxformseq); + return 0; + } + +diff -up jasper-1.900.1/src/libjasper/base/jas_image.c.RESOURCE_LEAK jasper-1.900.1/src/libjasper/base/jas_image.c +--- jasper-1.900.1/src/libjasper/base/jas_image.c.RESOURCE_LEAK 2011-12-08 14:16:04.635028156 +0100 ++++ jasper-1.900.1/src/libjasper/base/jas_image.c 2011-12-08 14:16:04.776026394 +0100 +@@ -268,15 +268,19 @@ static jas_image_cmpt_t *jas_image_cmpt_ + newcmpt->cps_ = cmpt->cps_; + newcmpt->type_ = cmpt->type_; + if (!(newcmpt->stream_ = jas_stream_memopen(0, 0))) { ++ 
jas_image_cmpt_destroy(newcmpt); + return 0; + } + if (jas_stream_seek(cmpt->stream_, 0, SEEK_SET)) { ++ jas_image_cmpt_destroy(newcmpt); + return 0; + } + if (jas_stream_copy(newcmpt->stream_, cmpt->stream_, -1)) { ++ jas_image_cmpt_destroy(newcmpt); + return 0; + } + if (jas_stream_seek(newcmpt->stream_, 0, SEEK_SET)) { ++ jas_image_cmpt_destroy(newcmpt); + return 0; + } + return newcmpt; +@@ -1443,5 +1447,11 @@ jas_image_dump(outimage, stderr); + #endif + return outimage; + error: ++ if (xform) ++ jas_cmxform_destroy(xform); ++ if (inimage) ++ jas_image_destroy(inimage); ++ if (outimage) ++ jas_image_destroy(outimage); + return 0; + } +diff -up jasper-1.900.1/src/libjasper/bmp/bmp_enc.c.RESOURCE_LEAK jasper-1.900.1/src/libjasper/bmp/bmp_enc.c +--- jasper-1.900.1/src/libjasper/bmp/bmp_enc.c.RESOURCE_LEAK 2007-01-19 22:43:07.000000000 +0100 ++++ jasper-1.900.1/src/libjasper/bmp/bmp_enc.c 2011-12-08 14:16:04.826025768 +0100 +@@ -205,16 +205,19 @@ int bmp_encode(jas_image_t *image, jas_s + + /* Write the bitmap header. */ + if (bmp_puthdr(out, &hdr)) { ++ bmp_info_destroy(info); + return -1; + } + + /* Write the bitmap information. */ + if (bmp_putinfo(out, info)) { ++ bmp_info_destroy(info); + return -1; + } + + /* Write the bitmap data. 
*/ + if (bmp_putdata(out, info, image, enc->cmpts)) { ++ bmp_info_destroy(info); + return -1; + } + +diff -up jasper-1.900.1/src/libjasper/jpc/jpc_dec.c.RESOURCE_LEAK jasper-1.900.1/src/libjasper/jpc/jpc_dec.c +--- jasper-1.900.1/src/libjasper/jpc/jpc_dec.c.RESOURCE_LEAK 2011-12-08 14:16:04.594028668 +0100 ++++ jasper-1.900.1/src/libjasper/jpc/jpc_dec.c 2011-12-08 14:17:25.677014992 +0100 +@@ -465,6 +465,7 @@ static int jpc_dec_process_sot(jpc_dec_t + + if (!(dec->image = jas_image_create(dec->numcomps, compinfos, + JAS_CLRSPC_UNKNOWN))) { ++ jas_free(compinfos); + return -1; + } + jas_free(compinfos); +@@ -1490,10 +1491,11 @@ static jpc_dec_cp_t *jpc_dec_cp_create(u + cp->mctid = 0; + cp->csty = 0; + if (!(cp->ccps = jas_alloc2(cp->numcomps, sizeof(jpc_dec_ccp_t)))) { ++ jpc_dec_cp_destroy(cp); + return 0; + } + if (!(cp->pchglist = jpc_pchglist_create())) { +- jas_free(cp->ccps); ++ jpc_dec_cp_destroy(cp); + return 0; + } + for (compno = 0, ccp = cp->ccps; compno < cp->numcomps; +diff -up jasper-1.900.1/src/libjasper/jpc/jpc_tagtree.c.RESOURCE_LEAK jasper-1.900.1/src/libjasper/jpc/jpc_tagtree.c +--- jasper-1.900.1/src/libjasper/jpc/jpc_tagtree.c.RESOURCE_LEAK 2011-12-08 14:16:04.000000000 +0100 ++++ jasper-1.900.1/src/libjasper/jpc/jpc_tagtree.c 2011-12-08 14:17:55.905637082 +0100 +@@ -126,6 +126,7 @@ jpc_tagtree_t *jpc_tagtree_create(int nu + } while (n > 1); + + if (!(tree->nodes_ = jas_alloc2(tree->numnodes_, sizeof(jpc_tagtreenode_t)))) { ++ jpc_tagtree_destroy(tree); + return 0; + } + +diff -up jasper-1.900.1/src/libjasper/mif/mif_cod.c.RESOURCE_LEAK jasper-1.900.1/src/libjasper/mif/mif_cod.c +--- jasper-1.900.1/src/libjasper/mif/mif_cod.c.RESOURCE_LEAK 2011-12-08 14:16:04.250032970 +0100 ++++ jasper-1.900.1/src/libjasper/mif/mif_cod.c 2011-12-08 14:16:04.967024005 +0100 +@@ -564,7 +564,7 @@ static int mif_process_cmpt(mif_hdr_t *h + break; + case MIF_DATA: + if (!(cmpt->data = jas_strdup(jas_tvparser_getval(tvp)))) { +- return -1; ++ goto error; + } + 
break; + } diff --git a/jasper-1.900.1-Coverity-UNREACHABLE.patch b/jasper-1.900.1-Coverity-UNREACHABLE.patch new file mode 100644 index 0000000..3cae294 --- /dev/null +++ b/jasper-1.900.1-Coverity-UNREACHABLE.patch @@ -0,0 +1,37 @@ +Error: UNREACHABLE +jp2/jp2_cod.c:304: unreachable: This code cannot be reached: "abort();". + +jp2/jp2_cod.c:514: unreachable: This code cannot be reached: "abort();". + +jp2/jp2_enc.c:354: unreachable: This code cannot be reached: "abort();". + +diff -up jasper-1.900.1/src/libjasper/jp2/jp2_cod.c.unreachable jasper-1.900.1/src/libjasper/jp2/jp2_cod.c +--- jasper-1.900.1/src/libjasper/jp2/jp2_cod.c.unreachable 2007-01-19 22:43:05.000000000 +0100 ++++ jasper-1.900.1/src/libjasper/jp2/jp2_cod.c 2011-06-27 15:28:13.083137952 +0200 +@@ -301,7 +301,6 @@ jp2_box_t *jp2_box_get(jas_stream_t *in) + } + + return box; +- abort(); + + error: + if (box) { +@@ -511,7 +510,6 @@ int jp2_box_put(jp2_box_t *box, jas_stre + } + + return 0; +- abort(); + + error: + +diff -up jasper-1.900.1/src/libjasper/jp2/jp2_enc.c.unreachable jasper-1.900.1/src/libjasper/jp2/jp2_enc.c +--- jasper-1.900.1/src/libjasper/jp2/jp2_enc.c.unreachable 2007-01-19 22:43:05.000000000 +0100 ++++ jasper-1.900.1/src/libjasper/jp2/jp2_enc.c 2011-06-27 15:27:58.858353979 +0200 +@@ -351,7 +351,6 @@ int sgnd; + } + + return 0; +- abort(); + + error: + diff --git a/jasper-1.900.1-Coverity-UNUSED_VALUE.patch b/jasper-1.900.1-Coverity-UNUSED_VALUE.patch new file mode 100644 index 0000000..e7d4cb5 --- /dev/null +++ b/jasper-1.900.1-Coverity-UNUSED_VALUE.patch 
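Review bot: In jpc_dec_cp_create the new `jpc_dec_cp_destroy(cp)` on the ccps allocation failure runs before cp->pchglist has been assigned; the hunk shows mctid and csty being set but not pchglist, so unless cp is zero-filled at allocation (outside the hunk) the destroy helper reads an indeterminate pointer. Setting `cp->pchglist = 0;` and `cp->ccps = 0;` before the first allocation makes the shared cleanup safe on every path. In makediffimage (imgcmp.c) the added `jas_image_destroy(diffimage)` stops the image leak, but if diffdata is a local array the matrices created on earlier iterations are still not destroyed on either failure path. The `if (xform)` / `if (inimage)` / `if (outimage)` and `if (newprof)` style guards added at the error labels in jas_cm.c and jas_image.c rely on those pointers being null before the first goto, which is outside the hunks. The repeated `bmp_info_destroy(info); return -1;` pairs in bmp_encode are the shape goto-based cleanup exists for.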
@@ -0,0 +1,41 @@ +Error: UNUSED_VALUE +base/jas_icc.c:328: returned_pointer: Pointer "attrvalinfo" returned by "jas_iccattrvalinfo_lookup(type)" is never used. + +jpc/jpc_enc.c:788: returned_pointer: Pointer "cp" returned by "strchr(s, 66)" is never used. + +diff -up jasper-1.900.1/src/libjasper/base/jas_icc.c.unused_value jasper-1.900.1/src/libjasper/base/jas_icc.c +--- jasper-1.900.1/src/libjasper/base/jas_icc.c.unused_value 2007-01-19 22:43:05.000000000 +0100 ++++ jasper-1.900.1/src/libjasper/base/jas_icc.c 2011-06-27 15:35:52.815263000 +0200 +@@ -266,7 +266,6 @@ jas_iccprof_t *jas_iccprof_load(jas_stre + jas_iccattrval_t *attrval; + jas_iccattrval_t *prevattrval; + jas_icctagtabent_t *tagtabent; +- jas_iccattrvalinfo_t *attrvalinfo; + int i; + int len; + +@@ -325,7 +324,7 @@ jas_iccprof_t *jas_iccprof_load(jas_stre + goto error; + } + curoff += 8; +- if (!(attrvalinfo = jas_iccattrvalinfo_lookup(type))) { ++ if (!jas_iccattrvalinfo_lookup(type)) { + #if 0 + jas_eprintf("warning: skipping unknown tag type\n"); + #endif +diff -up jasper-1.900.1/src/libjasper/jpc/jpc_enc.c.unused_value jasper-1.900.1/src/libjasper/jpc/jpc_enc.c +--- jasper-1.900.1/src/libjasper/jpc/jpc_enc.c.unused_value 2007-01-19 22:43:07.000000000 +0100 ++++ jasper-1.900.1/src/libjasper/jpc/jpc_enc.c 2011-06-27 15:36:17.437900180 +0200 +@@ -781,11 +781,10 @@ void jpc_enc_cp_destroy(jpc_enc_cp_t *cp + + int ratestrtosize(char *s, uint_fast32_t rawsize, uint_fast32_t *size) + { +- char *cp; + jpc_flt_t f; + + /* Note: This function must not modify output size on failure. */ +- if ((cp = strchr(s, 'B'))) { ++ if (strchr(s, 'B')) { + *size = atoi(s); + } else { + f = atof(s); diff --git a/jasper.spec b/jasper.spec index f90bb2a..1b3c8ac 100644 --- a/jasper.spec +++ b/jasper.spec 
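Review bot: The `if (strchr(s, 'B'))` branch in ratestrtosize still fills `*size` from `atoi(s)`, which cannot report a parse failure, so the contract in the comment just above it ("must not modify output size on failure") is unenforceable on that path; dropping the unused `cp` is fine, but a checked conversion would honour the comment: `char *end; unsigned long v = strtoul(s, &end, 10);` / `if (end == s) return <failure value>;` / `*size = v;`, using whatever failure value the function's callers expect, which is outside the hunk. The atof branch has the same shape. The jas_icc.c change is fine as written.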
@@ -7,12 +7,11 @@ Summary: Implementation of the JPEG-2000 standard, Part 1 Name: jasper Group: System Environment/Libraries Version: 1.900.1 -Release: 17%{?dist} +Release: 18%{?dist} License: JasPer -URL: http://www.ece.uvic.ca/~mdadams/jasper/ -Source0: http://www.ece.uvic.ca/~mdadams/jasper/software/jasper-%{version}.zip -BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) +URL: http://www.ece.uvic.ca/~frodo/jasper/ +Source0: http://www.ece.uvic.ca/~frodo/jasper/software/jasper-%{version}.zip Patch1: jasper-1.701.0-GL.patch # autoconf/automake bits of patch1 @@ -31,13 +30,24 @@ Patch6: jasper-1.900.1-CVE-2008-3522.patch # add pkg-config support Patch7: jasper-pkgconfig.patch +Patch8: jasper-1.900.1-CVE-2011-4516-CVE-2011-4517-CERT-VU-887409.patch + +# Issues found by static analysis of code +Patch10: jasper-1.900.1-Coverity-BAD_SIZEOF.patch +Patch11: jasper-1.900.1-Coverity-CHECKED_RETURN.patch +Patch12: jasper-1.900.1-Coverity-FORWARD_NULL.patch +Patch13: jasper-1.900.1-Coverity-NULL_RETURNS.patch +Patch14: jasper-1.900.1-Coverity-RESOURCE_LEAK.patch +Patch15: jasper-1.900.1-Coverity-UNREACHABLE.patch +Patch16: jasper-1.900.1-Coverity-UNUSED_VALUE.patch + BuildRequires: automake libtool BuildRequires: freeglut-devel BuildRequires: libGLU-devel BuildRequires: libjpeg-devel BuildRequires: pkgconfig -Requires: %{name}-libs = %{version}-%{release} +Requires: %{name}-libs%{?_isa} = %{version}-%{release} %description This package contains an implementation of the image compression @@ -48,7 +58,7 @@ from the JP2 and JPC formats. Summary: Header files, libraries and developer documentation Group: Development/Libraries Provides: libjasper-devel = %{version}-%{release} -Requires: %{name}-libs = %{version}-%{release} +Requires: %{name}-libs%{?_isa} = %{version}-%{release} Requires: libjpeg-devel Requires: pkgconfig %description devel 
@@ -65,6 +75,7 @@ Conflicts: jasper < 1.900.1-4 Summary: Nonessential utilities for %{name} Group: Development/Libraries Requires: %{name} = %{version}-%{release} +Requires: %{name}-libs%{?_isa} = %{version}-%{release} %description utils %{summary}, including jiv and tmrdemo. @@ -80,6 +91,15 @@ Requires: %{name} = %{version}-%{release} %patch5 -p1 -b .CVE-2008-3520 %patch6 -p1 -b .CVE-2008-3522 %patch7 -p1 -b .pkgconfig +%patch8 -p1 -b .CVE-2011-4516-4517 + +%patch10 -p1 -b .BAD_SIZEOF +%patch11 -p1 -b .CHECKED_RETURN +%patch12 -p1 -b .FORWARD_NULL +%patch13 -p1 -b .NULL_RETURNS +%patch14 -p1 -b .RESOURCE_LEAK +%patch15 -p1 -b .UNREACHABLE +%patch16 -p1 -b .UNUSED_VALUE autoreconf -i @@ -94,7 +114,6 @@ make %{?_smp_mflags} %install -rm -rf $RPM_BUILD_ROOT make install DESTDIR=$RPM_BUILD_ROOT @@ -107,9 +126,6 @@ rm -f $RPM_BUILD_ROOT%{_libdir}/lib*.la make check -%clean -rm -rf $RPM_BUILD_ROOT - %post libs -p /sbin/ldconfig @@ -117,7 +133,6 @@ rm -rf $RPM_BUILD_ROOT %files -%defattr(-,root,root,-) %{_bindir}/imgcmp %{_bindir}/imginfo %{_bindir}/jasper @@ -125,25 +140,28 @@ rm -rf $RPM_BUILD_ROOT %{_mandir}/man1/jasper.1* %files devel -%defattr(-,root,root,-) %doc doc/* %{_includedir}/jasper/ %{_libdir}/libjasper.so %{_libdir}/pkgconfig/jasper.pc %files libs -%defattr(-,root,root,-) %doc COPYRIGHT LICENSE NEWS README %{_libdir}/libjasper.so.1* %files utils -%defattr(-,root,root,-) %{_bindir}/jiv %{_bindir}/tmrdemo %{_mandir}/man1/jiv.1* %changelog +* Fri Dec 09 2011 Jiri Popelka - 1.900.1-18 +- CVE-2011-4516, CVE-2011-4517 jasper: heap buffer overflow flaws + lead to arbitrary code execution (CERT VU#887409) (#765660) +- Fixed problems found by static analysis of code (#761440) +- spec file modernized + * Wed Feb 09 2011 Fedora Release Engineering - 1.900.1-17 - Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild