summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorfeld <feld@FreeBSD.org>2016-02-24 20:22:24 +0000
committerfeld <feld@FreeBSD.org>2016-02-24 20:22:24 +0000
commitb3fb18555aa6c0f806acebb6b956856a3dd6c305 (patch)
tree14454eb120e5c5ee8e940f92ddd49be6848cf80a
parent53b8b4e92a91629564592c7ad7c2b84d65d83aa6 (diff)
downloadFreeBSD-ports-b3fb18555aa6c0f806acebb6b956856a3dd6c305.zip
FreeBSD-ports-b3fb18555aa6c0f806acebb6b956856a3dd6c305.tar.gz
MFH: r409237
- make option UUID default - fix double-free in in jas_iccattrval_destroy() Obtained from: RedHat Security: CVE-2014-8137 Security: https://bugzilla.redhat.com/show_bug.cgi?id=1173157 - fix heap overflow in jp2_decode() Obtained from: RedHat Security: CVE-2014-8138 Security: https://bugzilla.redhat.com/show_bug.cgi?id=1173162 - dec->numtiles off-by-one check in jpc_dec_process_sot() Obtained from: RedHat, Fedora Security: CVE-2014-8157 Security: https://bugzilla.redhat.com/show_bug.cgi?id=1179282 - multiple stack-based buffer overflows Obtained from: RedHat, Fedora Security: CVE-2014-8158 Security: https://bugzilla.redhat.com/show_bug.cgi?id=1179282 - fix Heap overflows in libjasper Obtained from: RedHat Security: CVE-2014-9029 Security: https://bugzilla.redhat.com/show_bug.cgi?id=1167537 - fix Use-after-free (and double-free) Security: CVE-2015-5221 Security: http://www.openwall.com/lists/oss-security/2015/08/20/4 PR: 203504 - patch (rows_ NULL check) Obtained from: RedHat Security: CVE-2016-2089 Security: https://bugzilla.redhat.com/show_bug.cgi?id=1302636 Approved by: ports-secteam (with hat)
Diffstat
-rw-r--r--graphics/jasper/Makefile3
-rw-r--r--graphics/jasper/files/patch-jas_icc.c49
-rw-r--r--graphics/jasper/files/patch-jas_image.c26
-rw-r--r--graphics/jasper/files/patch-jas_seq.c57
-rw-r--r--graphics/jasper/files/patch-jas_types.h6
-rw-r--r--graphics/jasper/files/patch-jp2_cod.c16
-rw-r--r--graphics/jasper/files/patch-jp2_dec.c30
-rw-r--r--graphics/jasper/files/patch-jp2_enc.c8
-rw-r--r--graphics/jasper/files/patch-jpc_dec.c38
-rw-r--r--graphics/jasper/files/patch-jpc_qmfb.c289
-rw-r--r--graphics/jasper/files/patch-mif_cod.c13
11 files changed, 464 insertions, 71 deletions
diff --git a/graphics/jasper/Makefile b/graphics/jasper/Makefile
index 222402d..8340380 100644
--- a/graphics/jasper/Makefile
+++ b/graphics/jasper/Makefile
@@ -3,7 +3,7 @@
PORTNAME= jasper
PORTVERSION= 1.900.1
-PORTREVISION= 15
+PORTREVISION= 16
CATEGORIES= graphics
MASTER_SITES= http://www.ece.uvic.ca/~mdadams/jasper/software/ \
ftp://ftp.imagemagick.org/pub/ImageMagick/delegates/
@@ -21,6 +21,7 @@ CONFIGURE_ARGS= --enable-shared --enable-static
USE_LDCONFIG= yes
OPTIONS_DEFINE= OPENGL UUID DOCS
+OPTIONS_DEFAULT=UUID
UUID_DESC= UUID support (required by GDAL)
.include <bsd.port.options.mk>
diff --git a/graphics/jasper/files/patch-jas_icc.c b/graphics/jasper/files/patch-jas_icc.c
index 15e8007..19d5192 100644
--- a/graphics/jasper/files/patch-jas_icc.c
+++ b/graphics/jasper/files/patch-jas_icc.c
@@ -1,5 +1,5 @@
--- src/libjasper/base/jas_icc.c.orig 2007-01-19 22:43:05.000000000 +0100
-+++ src/libjasper/base/jas_icc.c 2013-04-17 22:32:23.000000000 +0200
++++ src/libjasper/base/jas_icc.c 2016-02-20 13:49:45.521860000 +0100
@@ -373,7 +373,7 @@
jas_icctagtab_t *tagtab;
@@ -37,7 +37,15 @@
goto error;
for (i = 0; i < curv->numents; ++i) {
if (jas_iccgetuint16(in, &curv->ents[i]))
-@@ -1100,7 +1099,7 @@
+@@ -1011,7 +1010,6 @@
+ return 0;
+
+ error:
+- jas_icccurv_destroy(attrval);
+ return -1;
+ }
+
+@@ -1100,7 +1098,7 @@
if (jas_iccgetuint32(in, &txtdesc->uclangcode) ||
jas_iccgetuint32(in, &txtdesc->uclen))
goto error;
@@ -46,7 +54,24 @@
goto error;
if (jas_stream_read(in, txtdesc->ucdata, txtdesc->uclen * 2) !=
JAS_CAST(int, txtdesc->uclen * 2))
-@@ -1292,17 +1291,17 @@
+@@ -1129,7 +1127,6 @@
+ #endif
+ return 0;
+ error:
+- jas_icctxtdesc_destroy(attrval);
+ return -1;
+ }
+
+@@ -1208,8 +1205,6 @@
+ goto error;
+ return 0;
+ error:
+- if (txt->string)
+- jas_free(txt->string);
+ return -1;
+ }
+
+@@ -1292,17 +1287,17 @@
jas_iccgetuint16(in, &lut8->numouttabents))
goto error;
clutsize = jas_iccpowi(lut8->clutlen, lut8->numinchans) * lut8->numoutchans;
@@ -71,7 +96,15 @@
sizeof(jas_iccuint8_t *))))
goto error;
for (i = 0; i < lut8->numoutchans; ++i)
-@@ -1461,17 +1460,17 @@
+@@ -1330,7 +1325,6 @@
+ goto error;
+ return 0;
+ error:
+- jas_icclut8_destroy(attrval);
+ return -1;
+ }
+
+@@ -1461,17 +1455,17 @@
jas_iccgetuint16(in, &lut16->numouttabents))
goto error;
clutsize = jas_iccpowi(lut16->clutlen, lut16->numinchans) * lut16->numoutchans;
@@ -96,3 +129,11 @@
sizeof(jas_iccuint16_t *))))
goto error;
for (i = 0; i < lut16->numoutchans; ++i)
+@@ -1499,7 +1493,6 @@
+ goto error;
+ return 0;
+ error:
+- jas_icclut16_destroy(attrval);
+ return -1;
+ }
+
diff --git a/graphics/jasper/files/patch-jas_image.c b/graphics/jasper/files/patch-jas_image.c
index 43adc59e..f14568c 100644
--- a/graphics/jasper/files/patch-jas_image.c
+++ b/graphics/jasper/files/patch-jas_image.c
@@ -1,5 +1,5 @@
--- src/libjasper/base/jas_image.c.orig 2007-01-19 22:43:05.000000000 +0100
-+++ src/libjasper/base/jas_image.c 2013-04-17 22:32:23.000000000 +0200
++++ src/libjasper/base/jas_image.c 2016-02-20 13:59:00.999124000 +0100
@@ -142,7 +142,7 @@
image->inmem_ = true;
@@ -9,7 +9,29 @@
sizeof(jas_image_cmpt_t *)))) {
jas_image_destroy(image);
return 0;
-@@ -774,8 +774,7 @@
+@@ -426,6 +426,10 @@
+ return -1;
+ }
+
++ if (!data->rows_) {
++ return -1;
++ }
++
+ if (jas_matrix_numrows(data) != height || jas_matrix_numcols(data) != width) {
+ if (jas_matrix_resize(data, height, width)) {
+ return -1;
+@@ -479,6 +483,10 @@
+ return -1;
+ }
+
++ if (!data->rows_) {
++ return -1;
++ }
++
+ if (jas_matrix_numrows(data) != height || jas_matrix_numcols(data) != width) {
+ return -1;
+ }
+@@ -774,8 +782,7 @@
jas_image_cmpt_t **newcmpts;
int cmptno;
diff --git a/graphics/jasper/files/patch-jas_seq.c b/graphics/jasper/files/patch-jas_seq.c
index 8baa54d..ee301cd 100644
--- a/graphics/jasper/files/patch-jas_seq.c
+++ b/graphics/jasper/files/patch-jas_seq.c
@@ -1,5 +1,5 @@
--- src/libjasper/base/jas_seq.c.orig 2007-01-19 22:43:05.000000000 +0100
-+++ src/libjasper/base/jas_seq.c 2013-04-17 22:32:23.000000000 +0200
++++ src/libjasper/base/jas_seq.c 2016-02-20 13:59:01.014091000 +0100
@@ -114,7 +114,7 @@
matrix->datasize_ = numrows * numcols;
@@ -27,3 +27,58 @@
for (i = 0; i < mat0->numrows_; ++i) {
mat0->rows_[i] = mat1->rows_[r0 + i] + c0;
}
+@@ -262,6 +262,10 @@
+ int rowstep;
+ jas_seqent_t *data;
+
++ if (!matrix->rows_) {
++ return;
++ }
++
+ rowstep = jas_matrix_rowstep(matrix);
+ for (i = matrix->numrows_, rowstart = matrix->rows_[0]; i > 0; --i,
+ rowstart += rowstep) {
+@@ -282,6 +286,10 @@
+ jas_seqent_t *data;
+ int rowstep;
+
++ if (!matrix->rows_) {
++ return;
++ }
++
+ rowstep = jas_matrix_rowstep(matrix);
+ for (i = matrix->numrows_, rowstart = matrix->rows_[0]; i > 0; --i,
+ rowstart += rowstep) {
+@@ -306,6 +314,10 @@
+ int rowstep;
+ jas_seqent_t *data;
+
++ if (!matrix->rows_) {
++ return;
++ }
++
+ assert(n >= 0);
+ rowstep = jas_matrix_rowstep(matrix);
+ for (i = matrix->numrows_, rowstart = matrix->rows_[0]; i > 0; --i,
+@@ -325,6 +337,10 @@
+ int rowstep;
+ jas_seqent_t *data;
+
++ if (!matrix->rows_) {
++ return;
++ }
++
+ rowstep = jas_matrix_rowstep(matrix);
+ for (i = matrix->numrows_, rowstart = matrix->rows_[0]; i > 0; --i,
+ rowstart += rowstep) {
+@@ -367,6 +383,10 @@
+ int rowstep;
+ jas_seqent_t *data;
+
++ if (!matrix->rows_) {
++ return;
++ }
++
+ rowstep = jas_matrix_rowstep(matrix);
+ for (i = matrix->numrows_, rowstart = matrix->rows_[0]; i > 0; --i,
+ rowstart += rowstep) {
diff --git a/graphics/jasper/files/patch-jas_types.h b/graphics/jasper/files/patch-jas_types.h
index 1c1bc83..f515adb 100644
--- a/graphics/jasper/files/patch-jas_types.h
+++ b/graphics/jasper/files/patch-jas_types.h
@@ -1,6 +1,6 @@
---- src/libjasper/include/jasper/jas_types.h Sat Oct 4 12:57:58 2003
-+++ src/libjasper/include/jasper/jas_types.h Wed Dec 17 10:29:46 2003
-@@ -223,13 +223,13 @@
+--- src/libjasper/include/jasper/jas_types.h.orig 2007-01-19 22:43:04.000000000 +0100
++++ src/libjasper/include/jasper/jas_types.h 2016-02-20 13:49:45.555375000 +0100
+@@ -179,13 +179,13 @@
#endif
/**********/
#if !defined(INT_FAST64_MIN)
diff --git a/graphics/jasper/files/patch-jp2_cod.c b/graphics/jasper/files/patch-jp2_cod.c
index afe4a98..ea838a4 100644
--- a/graphics/jasper/files/patch-jp2_cod.c
+++ b/graphics/jasper/files/patch-jp2_cod.c
@@ -1,6 +1,6 @@
---- src/libjasper/jp2/jp2_cod.c.orig 2013-04-17 22:32:23.000000000 +0200
-+++ src/libjasper/jp2/jp2_cod.c 2013-04-17 22:32:23.000000000 +0200
-@@ -255,7 +255,7 @@
+--- src/libjasper/jp2/jp2_cod.c.orig 2007-01-19 22:43:05.000000000 +0100
++++ src/libjasper/jp2/jp2_cod.c 2016-02-20 13:49:45.560559000 +0100
+@@ -247,7 +247,7 @@
box = 0;
tmpstream = 0;
@@ -9,7 +9,7 @@
goto error;
}
box->ops = &jp2_boxinfo_unk.ops;
-@@ -380,7 +380,7 @@
+@@ -372,7 +372,7 @@
jp2_bpcc_t *bpcc = &box->data.bpcc;
unsigned int i;
bpcc->numcmpts = box->datalen;
@@ -18,7 +18,7 @@
return -1;
}
for (i = 0; i < bpcc->numcmpts; ++i) {
-@@ -424,7 +424,7 @@
+@@ -416,7 +416,7 @@
break;
case JP2_COLR_ICC:
colr->iccplen = box->datalen - 3;
@@ -27,7 +27,7 @@
return -1;
}
if (jas_stream_read(in, colr->iccp, colr->iccplen) != colr->iccplen) {
-@@ -461,7 +461,7 @@
+@@ -453,7 +453,7 @@
if (jp2_getuint16(in, &cdef->numchans)) {
return -1;
}
@@ -36,7 +36,7 @@
return -1;
}
for (channo = 0; channo < cdef->numchans; ++channo) {
-@@ -774,7 +774,7 @@
+@@ -766,7 +766,7 @@
unsigned int i;
cmap->numchans = (box->datalen) / 4;
@@ -45,7 +45,7 @@
return -1;
}
for (i = 0; i < cmap->numchans; ++i) {
-@@ -836,10 +836,10 @@
+@@ -828,10 +828,10 @@
return -1;
}
lutsize = pclr->numlutents * pclr->numchans;
diff --git a/graphics/jasper/files/patch-jp2_dec.c b/graphics/jasper/files/patch-jp2_dec.c
index 0a847fd..da45b7b 100644
--- a/graphics/jasper/files/patch-jp2_dec.c
+++ b/graphics/jasper/files/patch-jp2_dec.c
@@ -1,6 +1,18 @@
--- src/libjasper/jp2/jp2_dec.c.orig 2007-01-19 22:43:05.000000000 +0100
-+++ src/libjasper/jp2/jp2_dec.c 2013-04-17 22:32:23.000000000 +0200
-@@ -336,7 +336,7 @@
++++ src/libjasper/jp2/jp2_dec.c 2016-02-20 13:49:45.565514000 +0100
+@@ -291,7 +291,10 @@
+ case JP2_COLR_ICC:
+ iccprof = jas_iccprof_createfrombuf(dec->colr->data.colr.iccp,
+ dec->colr->data.colr.iccplen);
+- assert(iccprof);
++ if (!iccprof) {
++ jas_eprintf("error: failed to parse ICC profile\n");
++ goto error;
++ }
+ jas_iccprof_gethdr(iccprof, &icchdr);
+ jas_eprintf("ICC Profile CS %08x\n", icchdr.colorspc);
+ jas_image_setclrspc(dec->image, fromiccpcs(icchdr.colorspc));
+@@ -336,7 +339,7 @@
}
/* Allocate space for the channel-number to component-number LUT. */
@@ -9,7 +21,7 @@
jas_eprintf("error: no memory\n");
goto error;
}
-@@ -354,7 +354,7 @@
+@@ -354,7 +357,7 @@
if (cmapent->map == JP2_CMAP_DIRECT) {
dec->chantocmptlut[channo] = channo;
} else if (cmapent->map == JP2_CMAP_PALETTE) {
@@ -18,3 +30,15 @@
for (i = 0; i < pclrd->numlutents; ++i) {
lutents[i] = pclrd->lutdata[cmapent->pcol + i * pclrd->numchans];
}
+@@ -386,6 +389,11 @@
+ /* Determine the type of each component. */
+ if (dec->cdef) {
+ for (i = 0; i < dec->numchans; ++i) {
++ /* Is the channel number reasonable? */
++ if (dec->cdef->data.cdef.ents[i].channo >= dec->numchans) {
++ jas_eprintf("error: invalid channel number in CDEF box\n");
++ goto error;
++ }
+ jas_image_setcmpttype(dec->image,
+ dec->chantocmptlut[dec->cdef->data.cdef.ents[i].channo],
+ jp2_getct(jas_image_clrspc(dec->image),
diff --git a/graphics/jasper/files/patch-jp2_enc.c b/graphics/jasper/files/patch-jp2_enc.c
index 2233d90..6351100 100644
--- a/graphics/jasper/files/patch-jp2_enc.c
+++ b/graphics/jasper/files/patch-jp2_enc.c
@@ -1,6 +1,6 @@
---- src/libjasper/jp2/jp2_enc.c.orig 2013-04-17 22:32:23.000000000 +0200
-+++ src/libjasper/jp2/jp2_enc.c 2013-04-17 22:32:23.000000000 +0200
-@@ -194,7 +194,7 @@
+--- src/libjasper/jp2/jp2_enc.c.orig 2007-01-19 22:43:05.000000000 +0100
++++ src/libjasper/jp2/jp2_enc.c 2016-02-20 13:49:45.569962000 +0100
+@@ -191,7 +191,7 @@
}
bpcc = &box->data.bpcc;
bpcc->numcmpts = jas_image_numcmpts(image);
@@ -9,7 +9,7 @@
sizeof(uint_fast8_t)))) {
goto error;
}
-@@ -288,7 +288,7 @@
+@@ -285,7 +285,7 @@
}
cdef = &box->data.cdef;
cdef->numchans = jas_image_numcmpts(image);
diff --git a/graphics/jasper/files/patch-jpc_dec.c b/graphics/jasper/files/patch-jpc_dec.c
index 8923447..2042a17 100644
--- a/graphics/jasper/files/patch-jpc_dec.c
+++ b/graphics/jasper/files/patch-jpc_dec.c
@@ -1,5 +1,5 @@
--- src/libjasper/jpc/jpc_dec.c.orig 2007-01-19 22:43:07.000000000 +0100
-+++ src/libjasper/jpc/jpc_dec.c 2013-04-17 22:29:42.000000000 +0200
++++ src/libjasper/jpc/jpc_dec.c 2016-02-20 13:49:45.581508000 +0100
@@ -449,7 +449,7 @@
if (dec->state == JPC_MH) {
@@ -9,6 +9,15 @@
assert(compinfos);
for (cmptno = 0, cmpt = dec->cmpts, compinfo = compinfos;
cmptno < dec->numcomps; ++cmptno, ++cmpt, ++compinfo) {
+@@ -489,7 +489,7 @@
+ dec->curtileendoff = 0;
+ }
+
+- if (JAS_CAST(int, sot->tileno) > dec->numtiles) {
++ if (JAS_CAST(int, sot->tileno) >= dec->numtiles) {
+ jas_eprintf("invalid tile number in SOT marker segment\n");
+ return -1;
+ }
@@ -692,7 +692,7 @@
tile->realmode = 1;
}
@@ -87,6 +96,33 @@
sizeof(jpc_dec_tcomp_t)))) {
return -1;
}
+@@ -1280,7 +1280,7 @@
+ jpc_coc_t *coc = &ms->parms.coc;
+ jpc_dec_tile_t *tile;
+
+- if (JAS_CAST(int, coc->compno) > dec->numcomps) {
++ if (JAS_CAST(int, coc->compno) >= dec->numcomps) {
+ jas_eprintf("invalid component number in COC marker segment\n");
+ return -1;
+ }
+@@ -1306,7 +1306,7 @@
+ jpc_rgn_t *rgn = &ms->parms.rgn;
+ jpc_dec_tile_t *tile;
+
+- if (JAS_CAST(int, rgn->compno) > dec->numcomps) {
++ if (JAS_CAST(int, rgn->compno) >= dec->numcomps) {
+ jas_eprintf("invalid component number in RGN marker segment\n");
+ return -1;
+ }
+@@ -1355,7 +1355,7 @@
+ jpc_qcc_t *qcc = &ms->parms.qcc;
+ jpc_dec_tile_t *tile;
+
+- if (JAS_CAST(int, qcc->compno) > dec->numcomps) {
++ if (JAS_CAST(int, qcc->compno) >= dec->numcomps) {
+ jas_eprintf("invalid component number in QCC marker segment\n");
+ return -1;
+ }
@@ -1489,7 +1489,7 @@
cp->numlyrs = 0;
cp->mctid = 0;
diff --git a/graphics/jasper/files/patch-jpc_qmfb.c b/graphics/jasper/files/patch-jpc_qmfb.c
index b87d45e..86b6897 100644
--- a/graphics/jasper/files/patch-jpc_qmfb.c
+++ b/graphics/jasper/files/patch-jpc_qmfb.c
@@ -1,16 +1,24 @@
--- src/libjasper/jpc/jpc_qmfb.c.orig 2007-01-19 22:43:07.000000000 +0100
-+++ src/libjasper/jpc/jpc_qmfb.c 2015-08-29 08:07:01.000000000 +0200
-@@ -305,7 +305,7 @@
++++ src/libjasper/jpc/jpc_qmfb.c 2016-02-20 13:56:19.711609000 +0100
+@@ -305,12 +305,8 @@
void jpc_qmfb_split_row(jpc_fix_t *a, int numcols, int parity)
{
- int bufsize = JPC_CEILDIVPOW2(numcols, 1);
+-#if !defined(HAVE_VLA)
+ size_t bufsize = JPC_CEILDIVPOW2(numcols, 1);
- #if !defined(HAVE_VLA)
jpc_fix_t splitbuf[QMFB_SPLITBUFSIZE];
- #else
-@@ -321,7 +321,7 @@
- #if !defined(HAVE_VLA)
+-#else
+- jpc_fix_t splitbuf[bufsize];
+-#endif
+ jpc_fix_t *buf = splitbuf;
+ register jpc_fix_t *srcptr;
+ register jpc_fix_t *dstptr;
+@@ -318,15 +314,13 @@
+ register int m;
+ int hstartcol;
+
+-#if !defined(HAVE_VLA)
/* Get a buffer. */
if (bufsize > QMFB_SPLITBUFSIZE) {
- if (!(buf = jas_malloc(bufsize * sizeof(jpc_fix_t)))) {
@@ -18,17 +26,43 @@
/* We have no choice but to commit suicide in this case. */
abort();
}
-@@ -373,7 +373,7 @@
+ }
+-#endif
+
+ if (numcols >= 2) {
+ hstartcol = (numcols + 1 - parity) >> 1;
+@@ -360,12 +354,10 @@
+ }
+ }
+
+-#if !defined(HAVE_VLA)
+ /* If the split buffer was allocated on the heap, free this memory. */
+ if (buf != splitbuf) {
+ jas_free(buf);
+ }
+-#endif
+
+ }
+
+@@ -373,12 +365,8 @@
int parity)
{
- int bufsize = JPC_CEILDIVPOW2(numrows, 1);
+-#if !defined(HAVE_VLA)
+ size_t bufsize = JPC_CEILDIVPOW2(numrows, 1);
- #if !defined(HAVE_VLA)
jpc_fix_t splitbuf[QMFB_SPLITBUFSIZE];
- #else
-@@ -389,7 +389,7 @@
- #if !defined(HAVE_VLA)
+-#else
+- jpc_fix_t splitbuf[bufsize];
+-#endif
+ jpc_fix_t *buf = splitbuf;
+ register jpc_fix_t *srcptr;
+ register jpc_fix_t *dstptr;
+@@ -386,15 +374,13 @@
+ register int m;
+ int hstartcol;
+
+-#if !defined(HAVE_VLA)
/* Get a buffer. */
if (bufsize > QMFB_SPLITBUFSIZE) {
- if (!(buf = jas_malloc(bufsize * sizeof(jpc_fix_t)))) {
@@ -36,17 +70,43 @@
/* We have no choice but to commit suicide in this case. */
abort();
}
-@@ -441,7 +441,7 @@
+ }
+-#endif
+
+ if (numrows >= 2) {
+ hstartcol = (numrows + 1 - parity) >> 1;
+@@ -428,12 +414,10 @@
+ }
+ }
+
+-#if !defined(HAVE_VLA)
+ /* If the split buffer was allocated on the heap, free this memory. */
+ if (buf != splitbuf) {
+ jas_free(buf);
+ }
+-#endif
+
+ }
+
+@@ -441,12 +425,8 @@
int parity)
{
- int bufsize = JPC_CEILDIVPOW2(numrows, 1);
+-#if !defined(HAVE_VLA)
+ size_t bufsize = JPC_CEILDIVPOW2(numrows, 1);
- #if !defined(HAVE_VLA)
jpc_fix_t splitbuf[QMFB_SPLITBUFSIZE * JPC_QMFB_COLGRPSIZE];
- #else
-@@ -460,7 +460,7 @@
- #if !defined(HAVE_VLA)
+-#else
+- jpc_fix_t splitbuf[bufsize * JPC_QMFB_COLGRPSIZE];
+-#endif
+ jpc_fix_t *buf = splitbuf;
+ jpc_fix_t *srcptr;
+ jpc_fix_t *dstptr;
+@@ -457,15 +437,13 @@
+ int m;
+ int hstartcol;
+
+-#if !defined(HAVE_VLA)
/* Get a buffer. */
if (bufsize > QMFB_SPLITBUFSIZE) {
- if (!(buf = jas_malloc(bufsize * sizeof(jpc_fix_t)))) {
@@ -54,17 +114,43 @@
/* We have no choice but to commit suicide in this case. */
abort();
}
-@@ -530,7 +530,7 @@
+ }
+-#endif
+
+ if (numrows >= 2) {
+ hstartcol = (numrows + 1 - parity) >> 1;
+@@ -517,12 +495,10 @@
+ }
+ }
+
+-#if !defined(HAVE_VLA)
+ /* If the split buffer was allocated on the heap, free this memory. */
+ if (buf != splitbuf) {
+ jas_free(buf);
+ }
+-#endif
+
+ }
+
+@@ -530,12 +506,8 @@
int stride, int parity)
{
- int bufsize = JPC_CEILDIVPOW2(numrows, 1);
+-#if !defined(HAVE_VLA)
+ size_t bufsize = JPC_CEILDIVPOW2(numrows, 1);
- #if !defined(HAVE_VLA)
jpc_fix_t splitbuf[QMFB_SPLITBUFSIZE * JPC_QMFB_COLGRPSIZE];
- #else
-@@ -549,7 +549,7 @@
- #if !defined(HAVE_VLA)
+-#else
+- jpc_fix_t splitbuf[bufsize * numcols];
+-#endif
+ jpc_fix_t *buf = splitbuf;
+ jpc_fix_t *srcptr;
+ jpc_fix_t *dstptr;
+@@ -546,15 +518,13 @@
+ int m;
+ int hstartcol;
+
+-#if !defined(HAVE_VLA)
/* Get a buffer. */
if (bufsize > QMFB_SPLITBUFSIZE) {
- if (!(buf = jas_malloc(bufsize * sizeof(jpc_fix_t)))) {
@@ -72,17 +158,41 @@
/* We have no choice but to commit suicide in this case. */
abort();
}
-@@ -618,7 +618,7 @@
+ }
+-#endif
+
+ if (numrows >= 2) {
+ hstartcol = (numrows + 1 - parity) >> 1;
+@@ -606,39 +576,31 @@
+ }
+ }
+
+-#if !defined(HAVE_VLA)
+ /* If the split buffer was allocated on the heap, free this memory. */
+ if (buf != splitbuf) {
+ jas_free(buf);
+ }
+-#endif
+
+ }
+
void jpc_qmfb_join_row(jpc_fix_t *a, int numcols, int parity)
{
- int bufsize = JPC_CEILDIVPOW2(numcols, 1);
+-#if !defined(HAVE_VLA)
+ size_t bufsize = JPC_CEILDIVPOW2(numcols, 1);
- #if !defined(HAVE_VLA)
jpc_fix_t joinbuf[QMFB_JOINBUFSIZE];
- #else
-@@ -633,7 +633,7 @@
- #if !defined(HAVE_VLA)
+-#else
+- jpc_fix_t joinbuf[bufsize];
+-#endif
+ jpc_fix_t *buf = joinbuf;
+ register jpc_fix_t *srcptr;
+ register jpc_fix_t *dstptr;
+ register int n;
+ int hstartcol;
+
+-#if !defined(HAVE_VLA)
/* Allocate memory for the join buffer from the heap. */
if (bufsize > QMFB_JOINBUFSIZE) {
- if (!(buf = jas_malloc(bufsize * sizeof(jpc_fix_t)))) {
@@ -90,17 +200,42 @@
/* We have no choice but to commit suicide. */
abort();
}
-@@ -683,7 +683,7 @@
+ }
+-#endif
+
+ hstartcol = (numcols + 1 - parity) >> 1;
+
+@@ -670,12 +632,10 @@
+ ++srcptr;
+ }
+
+-#if !defined(HAVE_VLA)
+ /* If the join buffer was allocated on the heap, free this memory. */
+ if (buf != joinbuf) {
+ jas_free(buf);
+ }
+-#endif
+
+ }
+
+@@ -683,27 +643,21 @@
int parity)
{
- int bufsize = JPC_CEILDIVPOW2(numrows, 1);
+-#if !defined(HAVE_VLA)
+ size_t bufsize = JPC_CEILDIVPOW2(numrows, 1);
- #if !defined(HAVE_VLA)
jpc_fix_t joinbuf[QMFB_JOINBUFSIZE];
- #else
-@@ -698,7 +698,7 @@
- #if !defined(HAVE_VLA)
+-#else
+- jpc_fix_t joinbuf[bufsize];
+-#endif
+ jpc_fix_t *buf = joinbuf;
+ register jpc_fix_t *srcptr;
+ register jpc_fix_t *dstptr;
+ register int n;
+ int hstartcol;
+
+-#if !defined(HAVE_VLA)
/* Allocate memory for the join buffer from the heap. */
if (bufsize > QMFB_JOINBUFSIZE) {
- if (!(buf = jas_malloc(bufsize * sizeof(jpc_fix_t)))) {
@@ -108,17 +243,43 @@
/* We have no choice but to commit suicide. */
abort();
}
-@@ -748,7 +748,7 @@
+ }
+-#endif
+
+ hstartcol = (numrows + 1 - parity) >> 1;
+
+@@ -735,12 +689,10 @@
+ ++srcptr;
+ }
+
+-#if !defined(HAVE_VLA)
+ /* If the join buffer was allocated on the heap, free this memory. */
+ if (buf != joinbuf) {
+ jas_free(buf);
+ }
+-#endif
+
+ }
+
+@@ -748,12 +700,8 @@
int parity)
{
- int bufsize = JPC_CEILDIVPOW2(numrows, 1);
+-#if !defined(HAVE_VLA)
+ size_t bufsize = JPC_CEILDIVPOW2(numrows, 1);
- #if !defined(HAVE_VLA)
jpc_fix_t joinbuf[QMFB_JOINBUFSIZE * JPC_QMFB_COLGRPSIZE];
- #else
-@@ -766,7 +766,7 @@
- #if !defined(HAVE_VLA)
+-#else
+- jpc_fix_t joinbuf[bufsize * JPC_QMFB_COLGRPSIZE];
+-#endif
+ jpc_fix_t *buf = joinbuf;
+ jpc_fix_t *srcptr;
+ jpc_fix_t *dstptr;
+@@ -763,15 +711,13 @@
+ register int i;
+ int hstartcol;
+
+-#if !defined(HAVE_VLA)
/* Allocate memory for the join buffer from the heap. */
if (bufsize > QMFB_JOINBUFSIZE) {
- if (!(buf = jas_malloc(bufsize * JPC_QMFB_COLGRPSIZE * sizeof(jpc_fix_t)))) {
@@ -126,21 +287,65 @@
/* We have no choice but to commit suicide. */
abort();
}
-@@ -834,7 +834,7 @@
+ }
+-#endif
+
+ hstartcol = (numrows + 1 - parity) >> 1;
+
+@@ -821,12 +767,10 @@
+ srcptr += JPC_QMFB_COLGRPSIZE;
+ }
+
+-#if !defined(HAVE_VLA)
+ /* If the join buffer was allocated on the heap, free this memory. */
+ if (buf != joinbuf) {
+ jas_free(buf);
+ }
+-#endif
+
+ }
+
+@@ -834,12 +778,8 @@
int stride, int parity)
{
- int bufsize = JPC_CEILDIVPOW2(numrows, 1);
+-#if !defined(HAVE_VLA)
+ size_t bufsize = JPC_CEILDIVPOW2(numrows, 1);
- #if !defined(HAVE_VLA)
jpc_fix_t joinbuf[QMFB_JOINBUFSIZE * JPC_QMFB_COLGRPSIZE];
- #else
-@@ -852,7 +852,7 @@
- #if !defined(HAVE_VLA)
+-#else
+- jpc_fix_t joinbuf[bufsize * numcols];
+-#endif
+ jpc_fix_t *buf = joinbuf;
+ jpc_fix_t *srcptr;
+ jpc_fix_t *dstptr;
+@@ -849,15 +789,13 @@
+ register int i;
+ int hstartcol;
+
+-#if !defined(HAVE_VLA)
/* Allocate memory for the join buffer from the heap. */
if (bufsize > QMFB_JOINBUFSIZE) {
- if (!(buf = jas_malloc(bufsize * numcols * sizeof(jpc_fix_t)))) {
-+ if (!(buf = jas_malloc2(bufsize, numcols, sizeof(jpc_fix_t)))) {
++ if (!(buf = jas_malloc3(bufsize, numcols, sizeof(jpc_fix_t)))) {
/* We have no choice but to commit suicide. */
abort();
}
+ }
+-#endif
+
+ hstartcol = (numrows + 1 - parity) >> 1;
+
+@@ -907,12 +845,10 @@
+ srcptr += numcols;
+ }
+
+-#if !defined(HAVE_VLA)
+ /* If the join buffer was allocated on the heap, free this memory. */
+ if (buf != joinbuf) {
+ jas_free(buf);
+ }
+-#endif
+
+ }
+
diff --git a/graphics/jasper/files/patch-mif_cod.c b/graphics/jasper/files/patch-mif_cod.c
index e2c308b..5e439b6 100644
--- a/graphics/jasper/files/patch-mif_cod.c
+++ b/graphics/jasper/files/patch-mif_cod.c
@@ -1,5 +1,5 @@
--- src/libjasper/mif/mif_cod.c.orig 2007-01-19 22:43:05.000000000 +0100
-+++ src/libjasper/mif/mif_cod.c 2015-08-29 08:07:01.000000000 +0200
++++ src/libjasper/mif/mif_cod.c 2016-02-20 14:19:34.799575000 +0100
@@ -107,7 +107,7 @@
static int mif_hdr_addcmpt(mif_hdr_t *hdr, int cmptno, mif_cmpt_t *cmpt);
static mif_cmpt_t *mif_cmpt_create(void);
@@ -19,7 +19,16 @@
if (!newcmpts) {
return -1;
}
-@@ -658,7 +657,7 @@
+@@ -571,6 +570,8 @@
+ }
+ }
+ jas_tvparser_destroy(tvp);
++ /* fix for CVE-2015-5221 */
++ tvp = NULL;
+ if (!cmpt->sampperx || !cmpt->samppery) {
+ goto error;
+ }
+@@ -658,7 +659,7 @@
* MIF parsing code.
\******************************************************************************/
OpenPOWER on IntegriCloud