diff --git a/component/jasper/CVE-2016-1867_CVE-2016-8654_CVE-2016-8691_CVE-2016-8692_CVE-2016-8693_CVE-2016-8882_CVE-2016-9560.patch b/component/jasper/CVE-2016-1867_CVE-2016-8654_CVE-2016-8691_CVE-2016-8692_CVE-2016-8693_CVE-2016-8882_CVE-2016-9560.patch new file mode 100644 index 0000000000000000000000000000000000000000..dd177643bb825dade47e246161dccb700a5658df --- /dev/null +++ b/component/jasper/CVE-2016-1867_CVE-2016-8654_CVE-2016-8691_CVE-2016-8692_CVE-2016-8693_CVE-2016-8882_CVE-2016-9560.patch 
@@ -0,0 +1,194 @@ +diff -Naur jasper-1.900.1-debian1.orig/src/libjasper/base/jas_stream.c jasper-1.900.1-debian1/src/libjasper/base/jas_stream.c +--- jasper-1.900.1-debian1.orig/src/libjasper/base/jas_stream.c 2017-02-07 22:46:28.000000000 +0100 ++++ jasper-1.900.1-debian1/src/libjasper/base/jas_stream.c 2017-02-07 22:46:07.040456152 +0100 +@@ -985,8 +985,9 @@ + { + unsigned char *buf; + +- assert(m->buf_); +- if (!(buf = jas_realloc(m->buf_, bufsize))) { ++ //assert(m->buf_); ++ assert(bufsize >= 0); ++ if (!(buf = jas_realloc(m->buf_, bufsize)) && bufsize) { + return -1; + } + m->buf_ = buf; +diff -Naur jasper-1.900.1-debian1.orig/src/libjasper/jpc/jpc_cs.c jasper-1.900.1-debian1/src/libjasper/jpc/jpc_cs.c +--- jasper-1.900.1-debian1.orig/src/libjasper/jpc/jpc_cs.c 2017-02-07 22:46:28.000000000 +0100 ++++ jasper-1.900.1-debian1/src/libjasper/jpc/jpc_cs.c 2017-02-07 22:46:02.168382641 +0100 +@@ -512,6 +512,16 @@ + jas_free(siz->comps); + return -1; + } ++ if (siz->comps[i].hsamp == 0 || siz->comps[i].hsamp > 255) { ++ jas_eprintf("invalid XRsiz value %d\n", siz->comps[i].hsamp); ++ jas_free(siz->comps); ++ return -1; ++ } ++ if (siz->comps[i].vsamp == 0 || siz->comps[i].vsamp > 255) { ++ jas_eprintf("invalid YRsiz value %d\n", siz->comps[i].vsamp); ++ jas_free(siz->comps); ++ return -1; ++ } + siz->comps[i].sgnd = (tmp >> 7) & 1; + siz->comps[i].prec = (tmp & 0x7f) + 1; + } +diff -Naur jasper-1.900.1-debian1.orig/src/libjasper/jpc/jpc_dec.c jasper-1.900.1-debian1/src/libjasper/jpc/jpc_dec.c +--- jasper-1.900.1-debian1.orig/src/libjasper/jpc/jpc_dec.c 2017-02-07 22:46:28.000000000 +0100 ++++ jasper-1.900.1-debian1/src/libjasper/jpc/jpc_dec.c 2017-02-07 22:46:13.736555435 +0100 +@@ -674,7 +674,7 @@ + uint_fast32_t tmpxend; + uint_fast32_t tmpyend; + jpc_dec_cp_t *cp; +- jpc_tsfb_band_t bnds[64]; ++ jpc_tsfb_band_t bnds[JPC_MAXBANDS]; + jpc_pchg_t *pchg; + int pchgno; + jpc_dec_cmpt_t *cmpt; +@@ -989,23 +989,23 @@ + } + if (tile->cp) { + jpc_dec_cp_destroy(tile->cp); 
+- tile->cp = 0; ++ //tile->cp = 0; + } + if (tile->tcomps) { + jas_free(tile->tcomps); +- tile->tcomps = 0; ++ //tile->tcomps = 0; + } + if (tile->pi) { + jpc_pi_destroy(tile->pi); +- tile->pi = 0; ++ //tile->pi = 0; + } + if (tile->pkthdrstream) { + jas_stream_close(tile->pkthdrstream); +- tile->pkthdrstream = 0; ++ //tile->pkthdrstream = 0; + } + if (tile->pptstab) { + jpc_ppxstab_destroy(tile->pptstab); +- tile->pptstab = 0; ++ //tile->pptstab = 0; + } + + tile->state = JPC_TILE_DONE; +@@ -1148,7 +1148,11 @@ + return -1; + } + } +- jpc_dec_tilefini(dec, tile); ++ /* If the tile has not yet been finalized, finalize it. */ ++ // OLD CODE: jpc_dec_tilefini(dec, tile); ++ if (tile->state != JPC_TILE_DONE) { ++ jpc_dec_tilefini(dec, tile); ++ } + } + + /* We are done processing the code stream. */ +@@ -1204,6 +1208,8 @@ + dec->numhtiles = JPC_CEILDIV(dec->xend - dec->tilexoff, dec->tilewidth); + dec->numvtiles = JPC_CEILDIV(dec->yend - dec->tileyoff, dec->tileheight); + dec->numtiles = dec->numhtiles * dec->numvtiles; ++ JAS_DBGLOG(10, ("numtiles = %d; numhtiles = %d; numvtiles = %d;\n", ++ dec->numtiles, dec->numhtiles, dec->numvtiles)); + if (!(dec->tiles = jas_alloc2(dec->numtiles, sizeof(jpc_dec_tile_t)))) { + return -1; + } +@@ -1228,6 +1234,7 @@ + tile->pkthdrstreampos = 0; + tile->pptstab = 0; + tile->cp = 0; ++ tile->pi = 0; + if (!(tile->tcomps = jas_alloc2(dec->numcomps, + sizeof(jpc_dec_tcomp_t)))) { + return -1; +diff -Naur jasper-1.900.1-debian1.orig/src/libjasper/jpc/jpc_qmfb.c jasper-1.900.1-debian1/src/libjasper/jpc/jpc_qmfb.c +--- jasper-1.900.1-debian1.orig/src/libjasper/jpc/jpc_qmfb.c 2017-02-07 22:46:28.000000000 +0100 ++++ jasper-1.900.1-debian1/src/libjasper/jpc/jpc_qmfb.c 2017-02-07 22:45:59.328339293 +0100 +@@ -372,7 +372,7 @@ + register jpc_fix_t *dstptr; + register int n; + register int m; +- int hstartcol; ++ int hstartrow; + + /* Get a buffer. 
*/ + if (bufsize > QMFB_SPLITBUFSIZE) { +@@ -383,8 +383,9 @@ + } + + if (numrows >= 2) { +- hstartcol = (numrows + 1 - parity) >> 1; +- m = (parity) ? hstartcol : (numrows - hstartcol); ++ hstartrow = (numrows + 1 - parity) >> 1; ++ m = (parity) ? hstartrow : (numrows - hstartrow); ++ + /* Save the samples destined for the highpass channel. */ + n = m; + dstptr = buf; +@@ -404,7 +405,7 @@ + srcptr += stride << 1; + } + /* Copy the saved samples into the highpass channel. */ +- dstptr = &a[hstartcol * stride]; ++ dstptr = &a[hstartrow * stride]; + srcptr = buf; + n = m; + while (n-- > 0) { +@@ -435,19 +436,20 @@ + register int n; + register int i; + int m; +- int hstartcol; ++ int hstartrow; + + /* Get a buffer. */ + if (bufsize > QMFB_SPLITBUFSIZE) { +- if (!(buf = jas_alloc2(bufsize, sizeof(jpc_fix_t)))) { ++ if (!(buf = jas_alloc3(bufsize, JPC_QMFB_COLGRPSIZE, sizeof(jpc_fix_t)))) { + /* We have no choice but to commit suicide in this case. */ + abort(); + } + } + + if (numrows >= 2) { +- hstartcol = (numrows + 1 - parity) >> 1; +- m = (parity) ? hstartcol : (numrows - hstartcol); ++ hstartrow = (numrows + 1 - parity) >> 1; ++ m = (parity) ? hstartrow : (numrows - hstartrow); ++ + /* Save the samples destined for the highpass channel. */ + n = m; + dstptr = buf; +@@ -479,7 +481,7 @@ + srcptr += stride << 1; + } + /* Copy the saved samples into the highpass channel. */ +- dstptr = &a[hstartcol * stride]; ++ dstptr = &a[hstartrow * stride]; + srcptr = buf; + n = m; + while (n-- > 0) { +@@ -520,7 +522,7 @@ + + /* Get a buffer. */ + if (bufsize > QMFB_SPLITBUFSIZE) { +- if (!(buf = jas_alloc2(bufsize, sizeof(jpc_fix_t)))) { ++ if (!(buf = jas_alloc3(bufsize, numcols, sizeof(jpc_fix_t)))) { + /* We have no choice but to commit suicide in this case. 
*/ + abort(); + } +diff -Naur jasper-1.900.1-debian1.orig/src/libjasper/jpc/jpc_t2cod.c jasper-1.900.1-debian1/src/libjasper/jpc/jpc_t2cod.c +--- jasper-1.900.1-debian1.orig/src/libjasper/jpc/jpc_t2cod.c 2017-02-07 22:46:28.000000000 +0100 ++++ jasper-1.900.1-debian1/src/libjasper/jpc/jpc_t2cod.c 2017-02-07 22:45:54.464331040 +0100 +@@ -429,7 +429,7 @@ + } + + for (pi->compno = pchg->compnostart, pi->picomp = +- &pi->picomps[pi->compno]; pi->compno < JAS_CAST(int, pchg->compnoend); ++pi->compno, ++ &pi->picomps[pi->compno]; pi->compno < JAS_CAST(int, pchg->compnoend) && pi->compno < pi->numcomps; ++pi->compno, + ++pi->picomp) { + pirlvl = pi->picomp->pirlvls; + pi->xstep = pi->picomp->hsamp * (1 << (pirlvl->prcwidthexpn + diff --git a/component/jasper/buildout.cfg b/component/jasper/buildout.cfg index 271c96c8859a30c9c1678319a21f0fbe8596da76..48e82f482fe4d1873a93357f82586d0de2894612 100644 --- a/component/jasper/buildout.cfg +++ b/component/jasper/buildout.cfg @@ -22,6 +22,7 @@ patches = ${:_profile_base_location_}/CVE-2016-1577.patch#bc970cf3e8535559454781ec54db2d15 ${:_profile_base_location_}/CVE-2016-2089.patch#9b73eda015b04a6da493de89ce9b5685 ${:_profile_base_location_}/CVE-2016-2116.patch#387df217963281827e006ab4f14f869a + ${:_profile_base_location_}/CVE-2016-1867_CVE-2016-8654_CVE-2016-8691_CVE-2016-8692_CVE-2016-8693_CVE-2016-8882_CVE-2016-9560.patch#0bcc58c823aa19ac4beef469d65dbb56 configure-options = --disable-static --enable-shared
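Review bot: In the jpc_dec_tilefini hunk the new side comments out the `tile->cp = 0;`, `tile->tcomps = 0;`, `tile->pi = 0;`, `tile->pkthdrstream = 0;` and `tile->pptstab = 0;` resets, so a finalized tile keeps dangling pointers to freed objects and protection against a second destroy now rests entirely on every caller testing `tile->state != JPC_TILE_DONE` first, which this patch adds at only the one call site in the later hunk (the remaining callers of jpc_dec_tilefini are outside the patch, so I cannot confirm they are guarded). I would keep the state check but restore the five assignments as live code (`tile->cp = 0;` and so on, instead of `//tile->cp = 0;`): nulling after destroy costs nothing and turns any unguarded caller into a harmless `if (tile->pi)` no-op rather than the double free these CVEs describe. jpc_dec_tilefini begins outside the hunk. Separately, the `jas_alloc3` resizing is applied to jpc_qmfb_split_colgrp and jpc_qmfb_split_colres only; if the join_colgrp/join_colres counterparts in this tree still size their heap buffer with `jas_alloc2(bufsize, sizeof(jpc_fix_t))` while indexing it by JPC_QMFB_COLGRPSIZE or numcols, they need the same change, which is worth verifying since the patch does not touch them.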