Skip site navigation (1)Skip section navigation (2)
Date:      Wed, 24 Feb 2016 20:22:24 +0000 (UTC)
From:      Mark Felder <feld@FreeBSD.org>
To:        ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-branches@freebsd.org
Subject:   svn commit: r409480 - in branches/2016Q1/graphics/jasper: . files
Message-ID:  <201602242022.u1OKMOIK045563@repo.freebsd.org>

next in thread | raw e-mail | index | archive | help
Author: feld
Date: Wed Feb 24 20:22:24 2016
New Revision: 409480
URL: https://svnweb.freebsd.org/changeset/ports/409480

Log:
  MFH: r409237
  
  - make option UUID default
  
  - fix double-free in in jas_iccattrval_destroy()
  Obtained from:	RedHat
  Security: CVE-2014-8137
  Security: https://bugzilla.redhat.com/show_bug.cgi?id=1173157
  
  - fix heap overflow in jp2_decode()
  Obtained from:	RedHat
  Security: CVE-2014-8138
  Security: https://bugzilla.redhat.com/show_bug.cgi?id=1173162
  
  - dec->numtiles off-by-one check in jpc_dec_process_sot()
  Obtained from:	RedHat, Fedora
  Security: CVE-2014-8157
  Security: https://bugzilla.redhat.com/show_bug.cgi?id=1179282
  
  - multiple stack-based buffer overflows
  Obtained from:	RedHat, Fedora
  Security: CVE-2014-8158
  Security: https://bugzilla.redhat.com/show_bug.cgi?id=1179282
  
  - fix Heap overflows in libjasper
  Obtained from:	RedHat
  Security: CVE-2014-9029
  Security: https://bugzilla.redhat.com/show_bug.cgi?id=1167537
  
  - fix Use-after-free (and double-free)
  Security: CVE-2015-5221
  Security: http://www.openwall.com/lists/oss-security/2015/08/20/4
  PR:		203504
  
  - patch (rows_ NULL check)
  Obtained from:	RedHat
  Security: CVE-2016-2089
  Security: https://bugzilla.redhat.com/show_bug.cgi?id=1302636
  
  Approved by:	ports-secteam (with hat)

Modified:
  branches/2016Q1/graphics/jasper/Makefile
  branches/2016Q1/graphics/jasper/files/patch-jas_icc.c
  branches/2016Q1/graphics/jasper/files/patch-jas_image.c
  branches/2016Q1/graphics/jasper/files/patch-jas_seq.c
  branches/2016Q1/graphics/jasper/files/patch-jas_types.h
  branches/2016Q1/graphics/jasper/files/patch-jp2_cod.c
  branches/2016Q1/graphics/jasper/files/patch-jp2_dec.c
  branches/2016Q1/graphics/jasper/files/patch-jp2_enc.c
  branches/2016Q1/graphics/jasper/files/patch-jpc_dec.c
  branches/2016Q1/graphics/jasper/files/patch-jpc_qmfb.c
  branches/2016Q1/graphics/jasper/files/patch-mif_cod.c
Directory Properties:
  branches/2016Q1/   (props changed)

Modified: branches/2016Q1/graphics/jasper/Makefile
==============================================================================
--- branches/2016Q1/graphics/jasper/Makefile	Wed Feb 24 19:44:45 2016	(r409479)
+++ branches/2016Q1/graphics/jasper/Makefile	Wed Feb 24 20:22:24 2016	(r409480)
@@ -3,7 +3,7 @@
 
 PORTNAME=	jasper
 PORTVERSION=	1.900.1
-PORTREVISION=	15
+PORTREVISION=	16
 CATEGORIES=	graphics
 MASTER_SITES=	http://www.ece.uvic.ca/~mdadams/jasper/software/ \
 		ftp://ftp.imagemagick.org/pub/ImageMagick/delegates/
@@ -21,6 +21,7 @@ CONFIGURE_ARGS=	--enable-shared --enable
 USE_LDCONFIG=	yes
 
 OPTIONS_DEFINE=	OPENGL UUID DOCS
+OPTIONS_DEFAULT=UUID
 UUID_DESC=	UUID support (required by GDAL)
 
 .include <bsd.port.options.mk>

Modified: branches/2016Q1/graphics/jasper/files/patch-jas_icc.c
==============================================================================
--- branches/2016Q1/graphics/jasper/files/patch-jas_icc.c	Wed Feb 24 19:44:45 2016	(r409479)
+++ branches/2016Q1/graphics/jasper/files/patch-jas_icc.c	Wed Feb 24 20:22:24 2016	(r409480)
@@ -1,5 +1,5 @@
 --- src/libjasper/base/jas_icc.c.orig	2007-01-19 22:43:05.000000000 +0100
-+++ src/libjasper/base/jas_icc.c	2013-04-17 22:32:23.000000000 +0200
++++ src/libjasper/base/jas_icc.c	2016-02-20 13:49:45.521860000 +0100
 @@ -373,7 +373,7 @@
  	jas_icctagtab_t *tagtab;
  
@@ -37,7 +37,15 @@
  		goto error;
  	for (i = 0; i < curv->numents; ++i) {
  		if (jas_iccgetuint16(in, &curv->ents[i]))
-@@ -1100,7 +1099,7 @@
+@@ -1011,7 +1010,6 @@
+ 	return 0;
+ 
+ error:
+-	jas_icccurv_destroy(attrval);
+ 	return -1;
+ }
+ 
+@@ -1100,7 +1098,7 @@
  	if (jas_iccgetuint32(in, &txtdesc->uclangcode) ||
  	  jas_iccgetuint32(in, &txtdesc->uclen))
  		goto error;
@@ -46,7 +54,24 @@
  		goto error;
  	if (jas_stream_read(in, txtdesc->ucdata, txtdesc->uclen * 2) !=
  	  JAS_CAST(int, txtdesc->uclen * 2))
-@@ -1292,17 +1291,17 @@
+@@ -1129,7 +1127,6 @@
+ #endif
+ 	return 0;
+ error:
+-	jas_icctxtdesc_destroy(attrval);
+ 	return -1;
+ }
+ 
+@@ -1208,8 +1205,6 @@
+ 		goto error;
+ 	return 0;
+ error:
+-	if (txt->string)
+-		jas_free(txt->string);
+ 	return -1;
+ }
+ 
+@@ -1292,17 +1287,17 @@
  	  jas_iccgetuint16(in, &lut8->numouttabents))
  		goto error;
  	clutsize = jas_iccpowi(lut8->clutlen, lut8->numinchans) * lut8->numoutchans;
@@ -71,7 +96,15 @@
  	  sizeof(jas_iccuint8_t *))))
  		goto error;
  	for (i = 0; i < lut8->numoutchans; ++i)
-@@ -1461,17 +1460,17 @@
+@@ -1330,7 +1325,6 @@
+ 		goto error;
+ 	return 0;
+ error:
+-	jas_icclut8_destroy(attrval);
+ 	return -1;
+ }
+ 
+@@ -1461,17 +1455,17 @@
  	  jas_iccgetuint16(in, &lut16->numouttabents))
  		goto error;
  	clutsize = jas_iccpowi(lut16->clutlen, lut16->numinchans) * lut16->numoutchans;
@@ -96,3 +129,11 @@
  	  sizeof(jas_iccuint16_t *))))
  		goto error;
  	for (i = 0; i < lut16->numoutchans; ++i)
+@@ -1499,7 +1493,6 @@
+ 		goto error;
+ 	return 0;
+ error:
+-	jas_icclut16_destroy(attrval);
+ 	return -1;
+ }
+ 

Modified: branches/2016Q1/graphics/jasper/files/patch-jas_image.c
==============================================================================
--- branches/2016Q1/graphics/jasper/files/patch-jas_image.c	Wed Feb 24 19:44:45 2016	(r409479)
+++ branches/2016Q1/graphics/jasper/files/patch-jas_image.c	Wed Feb 24 20:22:24 2016	(r409480)
@@ -1,5 +1,5 @@
 --- src/libjasper/base/jas_image.c.orig	2007-01-19 22:43:05.000000000 +0100
-+++ src/libjasper/base/jas_image.c	2013-04-17 22:32:23.000000000 +0200
++++ src/libjasper/base/jas_image.c	2016-02-20 13:59:00.999124000 +0100
 @@ -142,7 +142,7 @@
  	image->inmem_ = true;
  
@@ -9,7 +9,29 @@
  	  sizeof(jas_image_cmpt_t *)))) {
  		jas_image_destroy(image);
  		return 0;
-@@ -774,8 +774,7 @@
+@@ -426,6 +426,10 @@
+ 		return -1;
+ 	}
+ 
++	if (!data->rows_) {
++		return -1;
++	}
++
+ 	if (jas_matrix_numrows(data) != height || jas_matrix_numcols(data) != width) {
+ 		if (jas_matrix_resize(data, height, width)) {
+ 			return -1;
+@@ -479,6 +483,10 @@
+ 		return -1;
+ 	}
+ 
++	if (!data->rows_) {
++		return -1;
++	}
++
+ 	if (jas_matrix_numrows(data) != height || jas_matrix_numcols(data) != width) {
+ 		return -1;
+ 	}
+@@ -774,8 +782,7 @@
  	jas_image_cmpt_t **newcmpts;
  	int cmptno;
  

Modified: branches/2016Q1/graphics/jasper/files/patch-jas_seq.c
==============================================================================
--- branches/2016Q1/graphics/jasper/files/patch-jas_seq.c	Wed Feb 24 19:44:45 2016	(r409479)
+++ branches/2016Q1/graphics/jasper/files/patch-jas_seq.c	Wed Feb 24 20:22:24 2016	(r409480)
@@ -1,5 +1,5 @@
 --- src/libjasper/base/jas_seq.c.orig	2007-01-19 22:43:05.000000000 +0100
-+++ src/libjasper/base/jas_seq.c	2013-04-17 22:32:23.000000000 +0200
++++ src/libjasper/base/jas_seq.c	2016-02-20 13:59:01.014091000 +0100
 @@ -114,7 +114,7 @@
  	matrix->datasize_ = numrows * numcols;
  
@@ -27,3 +27,58 @@
  	for (i = 0; i < mat0->numrows_; ++i) {
  		mat0->rows_[i] = mat1->rows_[r0 + i] + c0;
  	}
+@@ -262,6 +262,10 @@
+ 	int rowstep;
+ 	jas_seqent_t *data;
+ 
++	if (!matrix->rows_) {
++		return;
++	}
++
+ 	rowstep = jas_matrix_rowstep(matrix);
+ 	for (i = matrix->numrows_, rowstart = matrix->rows_[0]; i > 0; --i,
+ 	  rowstart += rowstep) {
+@@ -282,6 +286,10 @@
+ 	jas_seqent_t *data;
+ 	int rowstep;
+ 
++	if (!matrix->rows_) {
++		return;
++	}
++
+ 	rowstep = jas_matrix_rowstep(matrix);
+ 	for (i = matrix->numrows_, rowstart = matrix->rows_[0]; i > 0; --i,
+ 	  rowstart += rowstep) {
+@@ -306,6 +314,10 @@
+ 	int rowstep;
+ 	jas_seqent_t *data;
+ 
++	if (!matrix->rows_) {
++		return;
++	}
++
+ 	assert(n >= 0);
+ 	rowstep = jas_matrix_rowstep(matrix);
+ 	for (i = matrix->numrows_, rowstart = matrix->rows_[0]; i > 0; --i,
+@@ -325,6 +337,10 @@
+ 	int rowstep;
+ 	jas_seqent_t *data;
+ 
++	if (!matrix->rows_) {
++		return;
++	}
++
+ 	rowstep = jas_matrix_rowstep(matrix);
+ 	for (i = matrix->numrows_, rowstart = matrix->rows_[0]; i > 0; --i,
+ 	  rowstart += rowstep) {
+@@ -367,6 +383,10 @@
+ 	int rowstep;
+ 	jas_seqent_t *data;
+ 
++	if (!matrix->rows_) {
++		return;
++	}
++
+ 	rowstep = jas_matrix_rowstep(matrix);
+ 	for (i = matrix->numrows_, rowstart = matrix->rows_[0]; i > 0; --i,
+ 	  rowstart += rowstep) {

Modified: branches/2016Q1/graphics/jasper/files/patch-jas_types.h
==============================================================================
--- branches/2016Q1/graphics/jasper/files/patch-jas_types.h	Wed Feb 24 19:44:45 2016	(r409479)
+++ branches/2016Q1/graphics/jasper/files/patch-jas_types.h	Wed Feb 24 20:22:24 2016	(r409480)
@@ -1,6 +1,6 @@
---- src/libjasper/include/jasper/jas_types.h	Sat Oct  4 12:57:58 2003
-+++ src/libjasper/include/jasper/jas_types.h	Wed Dec 17 10:29:46 2003
-@@ -223,13 +223,13 @@
+--- src/libjasper/include/jasper/jas_types.h.orig	2007-01-19 22:43:04.000000000 +0100
++++ src/libjasper/include/jasper/jas_types.h	2016-02-20 13:49:45.555375000 +0100
+@@ -179,13 +179,13 @@
  #endif
  /**********/
  #if !defined(INT_FAST64_MIN)

Modified: branches/2016Q1/graphics/jasper/files/patch-jp2_cod.c
==============================================================================
--- branches/2016Q1/graphics/jasper/files/patch-jp2_cod.c	Wed Feb 24 19:44:45 2016	(r409479)
+++ branches/2016Q1/graphics/jasper/files/patch-jp2_cod.c	Wed Feb 24 20:22:24 2016	(r409480)
@@ -1,6 +1,6 @@
---- src/libjasper/jp2/jp2_cod.c.orig	2013-04-17 22:32:23.000000000 +0200
-+++ src/libjasper/jp2/jp2_cod.c	2013-04-17 22:32:23.000000000 +0200
-@@ -255,7 +255,7 @@
+--- src/libjasper/jp2/jp2_cod.c.orig	2007-01-19 22:43:05.000000000 +0100
++++ src/libjasper/jp2/jp2_cod.c	2016-02-20 13:49:45.560559000 +0100
+@@ -247,7 +247,7 @@
  	box = 0;
  	tmpstream = 0;
  
@@ -9,7 +9,7 @@
  		goto error;
  	}
  	box->ops = &jp2_boxinfo_unk.ops;
-@@ -380,7 +380,7 @@
+@@ -372,7 +372,7 @@
  	jp2_bpcc_t *bpcc = &box->data.bpcc;
  	unsigned int i;
  	bpcc->numcmpts = box->datalen;
@@ -18,7 +18,7 @@
  		return -1;
  	}
  	for (i = 0; i < bpcc->numcmpts; ++i) {
-@@ -424,7 +424,7 @@
+@@ -416,7 +416,7 @@
  		break;
  	case JP2_COLR_ICC:
  		colr->iccplen = box->datalen - 3;
@@ -27,7 +27,7 @@
  			return -1;
  		}
  		if (jas_stream_read(in, colr->iccp, colr->iccplen) != colr->iccplen) {
-@@ -461,7 +461,7 @@
+@@ -453,7 +453,7 @@
  	if (jp2_getuint16(in, &cdef->numchans)) {
  		return -1;
  	}
@@ -36,7 +36,7 @@
  		return -1;
  	}
  	for (channo = 0; channo < cdef->numchans; ++channo) {
-@@ -774,7 +774,7 @@
+@@ -766,7 +766,7 @@
  	unsigned int i;
  
  	cmap->numchans = (box->datalen) / 4;
@@ -45,7 +45,7 @@
  		return -1;
  	}
  	for (i = 0; i < cmap->numchans; ++i) {
-@@ -836,10 +836,10 @@
+@@ -828,10 +828,10 @@
  		return -1;
  	}
  	lutsize = pclr->numlutents * pclr->numchans;

Modified: branches/2016Q1/graphics/jasper/files/patch-jp2_dec.c
==============================================================================
--- branches/2016Q1/graphics/jasper/files/patch-jp2_dec.c	Wed Feb 24 19:44:45 2016	(r409479)
+++ branches/2016Q1/graphics/jasper/files/patch-jp2_dec.c	Wed Feb 24 20:22:24 2016	(r409480)
@@ -1,6 +1,18 @@
 --- src/libjasper/jp2/jp2_dec.c.orig	2007-01-19 22:43:05.000000000 +0100
-+++ src/libjasper/jp2/jp2_dec.c	2013-04-17 22:32:23.000000000 +0200
-@@ -336,7 +336,7 @@
++++ src/libjasper/jp2/jp2_dec.c	2016-02-20 13:49:45.565514000 +0100
+@@ -291,7 +291,10 @@
+ 	case JP2_COLR_ICC:
+ 		iccprof = jas_iccprof_createfrombuf(dec->colr->data.colr.iccp,
+ 		  dec->colr->data.colr.iccplen);
+-		assert(iccprof);
++		if (!iccprof) {
++			jas_eprintf("error: failed to parse ICC profile\n");
++			goto error;
++		}
+ 		jas_iccprof_gethdr(iccprof, &icchdr);
+ 		jas_eprintf("ICC Profile CS %08x\n", icchdr.colorspc);
+ 		jas_image_setclrspc(dec->image, fromiccpcs(icchdr.colorspc));
+@@ -336,7 +339,7 @@
  	}
  
  	/* Allocate space for the channel-number to component-number LUT. */
@@ -9,7 +21,7 @@
  		jas_eprintf("error: no memory\n");
  		goto error;
  	}
-@@ -354,7 +354,7 @@
+@@ -354,7 +357,7 @@
  			if (cmapent->map == JP2_CMAP_DIRECT) {
  				dec->chantocmptlut[channo] = channo;
  			} else if (cmapent->map == JP2_CMAP_PALETTE) {
@@ -18,3 +30,15 @@
  				for (i = 0; i < pclrd->numlutents; ++i) {
  					lutents[i] = pclrd->lutdata[cmapent->pcol + i * pclrd->numchans];
  				}
+@@ -386,6 +389,11 @@
+ 	/* Determine the type of each component. */
+ 	if (dec->cdef) {
+ 		for (i = 0; i < dec->numchans; ++i) {
++			/* Is the channel number reasonable? */
++			if (dec->cdef->data.cdef.ents[i].channo >= dec->numchans) {
++				jas_eprintf("error: invalid channel number in CDEF box\n");
++				goto error;
++			}
+ 			jas_image_setcmpttype(dec->image,
+ 			  dec->chantocmptlut[dec->cdef->data.cdef.ents[i].channo],
+ 			  jp2_getct(jas_image_clrspc(dec->image),

Modified: branches/2016Q1/graphics/jasper/files/patch-jp2_enc.c
==============================================================================
--- branches/2016Q1/graphics/jasper/files/patch-jp2_enc.c	Wed Feb 24 19:44:45 2016	(r409479)
+++ branches/2016Q1/graphics/jasper/files/patch-jp2_enc.c	Wed Feb 24 20:22:24 2016	(r409480)
@@ -1,6 +1,6 @@
---- src/libjasper/jp2/jp2_enc.c.orig	2013-04-17 22:32:23.000000000 +0200
-+++ src/libjasper/jp2/jp2_enc.c	2013-04-17 22:32:23.000000000 +0200
-@@ -194,7 +194,7 @@
+--- src/libjasper/jp2/jp2_enc.c.orig	2007-01-19 22:43:05.000000000 +0100
++++ src/libjasper/jp2/jp2_enc.c	2016-02-20 13:49:45.569962000 +0100
+@@ -191,7 +191,7 @@
  		}
  		bpcc = &box->data.bpcc;
  		bpcc->numcmpts = jas_image_numcmpts(image);
@@ -9,7 +9,7 @@
  		  sizeof(uint_fast8_t)))) {
  			goto error;
  		}
-@@ -288,7 +288,7 @@
+@@ -285,7 +285,7 @@
  		}
  		cdef = &box->data.cdef;
  		cdef->numchans = jas_image_numcmpts(image);

Modified: branches/2016Q1/graphics/jasper/files/patch-jpc_dec.c
==============================================================================
--- branches/2016Q1/graphics/jasper/files/patch-jpc_dec.c	Wed Feb 24 19:44:45 2016	(r409479)
+++ branches/2016Q1/graphics/jasper/files/patch-jpc_dec.c	Wed Feb 24 20:22:24 2016	(r409480)
@@ -1,5 +1,5 @@
 --- src/libjasper/jpc/jpc_dec.c.orig	2007-01-19 22:43:07.000000000 +0100
-+++ src/libjasper/jpc/jpc_dec.c	2013-04-17 22:29:42.000000000 +0200
++++ src/libjasper/jpc/jpc_dec.c	2016-02-20 13:49:45.581508000 +0100
 @@ -449,7 +449,7 @@
  
  	if (dec->state == JPC_MH) {
@@ -9,6 +9,15 @@
  		assert(compinfos);
  		for (cmptno = 0, cmpt = dec->cmpts, compinfo = compinfos;
  		  cmptno < dec->numcomps; ++cmptno, ++cmpt, ++compinfo) {
+@@ -489,7 +489,7 @@
+ 		dec->curtileendoff = 0;
+ 	}
+ 
+-	if (JAS_CAST(int, sot->tileno) > dec->numtiles) {
++	if (JAS_CAST(int, sot->tileno) >= dec->numtiles) {
+ 		jas_eprintf("invalid tile number in SOT marker segment\n");
+ 		return -1;
+ 	}
 @@ -692,7 +692,7 @@
  			tile->realmode = 1;
  		}
@@ -87,6 +96,33 @@
  		  sizeof(jpc_dec_tcomp_t)))) {
  			return -1;
  		}
+@@ -1280,7 +1280,7 @@
+ 	jpc_coc_t *coc = &ms->parms.coc;
+ 	jpc_dec_tile_t *tile;
+ 
+-	if (JAS_CAST(int, coc->compno) > dec->numcomps) {
++	if (JAS_CAST(int, coc->compno) >= dec->numcomps) {
+ 		jas_eprintf("invalid component number in COC marker segment\n");
+ 		return -1;
+ 	}
+@@ -1306,7 +1306,7 @@
+ 	jpc_rgn_t *rgn = &ms->parms.rgn;
+ 	jpc_dec_tile_t *tile;
+ 
+-	if (JAS_CAST(int, rgn->compno) > dec->numcomps) {
++	if (JAS_CAST(int, rgn->compno) >= dec->numcomps) {
+ 		jas_eprintf("invalid component number in RGN marker segment\n");
+ 		return -1;
+ 	}
+@@ -1355,7 +1355,7 @@
+ 	jpc_qcc_t *qcc = &ms->parms.qcc;
+ 	jpc_dec_tile_t *tile;
+ 
+-	if (JAS_CAST(int, qcc->compno) > dec->numcomps) {
++	if (JAS_CAST(int, qcc->compno) >= dec->numcomps) {
+ 		jas_eprintf("invalid component number in QCC marker segment\n");
+ 		return -1;
+ 	}
 @@ -1489,7 +1489,7 @@
  	cp->numlyrs = 0;
  	cp->mctid = 0;

Modified: branches/2016Q1/graphics/jasper/files/patch-jpc_qmfb.c
==============================================================================
--- branches/2016Q1/graphics/jasper/files/patch-jpc_qmfb.c	Wed Feb 24 19:44:45 2016	(r409479)
+++ branches/2016Q1/graphics/jasper/files/patch-jpc_qmfb.c	Wed Feb 24 20:22:24 2016	(r409480)
@@ -1,16 +1,24 @@
 --- src/libjasper/jpc/jpc_qmfb.c.orig	2007-01-19 22:43:07.000000000 +0100
-+++ src/libjasper/jpc/jpc_qmfb.c	2015-08-29 08:07:01.000000000 +0200
-@@ -305,7 +305,7 @@
++++ src/libjasper/jpc/jpc_qmfb.c	2016-02-20 13:56:19.711609000 +0100
+@@ -305,12 +305,8 @@
  void jpc_qmfb_split_row(jpc_fix_t *a, int numcols, int parity)
  {
  
 -	int bufsize = JPC_CEILDIVPOW2(numcols, 1);
+-#if !defined(HAVE_VLA)
 +	size_t bufsize = JPC_CEILDIVPOW2(numcols, 1);
- #if !defined(HAVE_VLA)
  	jpc_fix_t splitbuf[QMFB_SPLITBUFSIZE];
- #else
-@@ -321,7 +321,7 @@
- #if !defined(HAVE_VLA)
+-#else
+-	jpc_fix_t splitbuf[bufsize];
+-#endif
+ 	jpc_fix_t *buf = splitbuf;
+ 	register jpc_fix_t *srcptr;
+ 	register jpc_fix_t *dstptr;
+@@ -318,15 +314,13 @@
+ 	register int m;
+ 	int hstartcol;
+ 
+-#if !defined(HAVE_VLA)
  	/* Get a buffer. */
  	if (bufsize > QMFB_SPLITBUFSIZE) {
 -		if (!(buf = jas_malloc(bufsize * sizeof(jpc_fix_t)))) {
@@ -18,17 +26,43 @@
  			/* We have no choice but to commit suicide in this case. */
  			abort();
  		}
-@@ -373,7 +373,7 @@
+ 	}
+-#endif
+ 
+ 	if (numcols >= 2) {
+ 		hstartcol = (numcols + 1 - parity) >> 1;
+@@ -360,12 +354,10 @@
+ 		}
+ 	}
+ 
+-#if !defined(HAVE_VLA)
+ 	/* If the split buffer was allocated on the heap, free this memory. */
+ 	if (buf != splitbuf) {
+ 		jas_free(buf);
+ 	}
+-#endif
+ 
+ }
+ 
+@@ -373,12 +365,8 @@
    int parity)
  {
  
 -	int bufsize = JPC_CEILDIVPOW2(numrows, 1);
+-#if !defined(HAVE_VLA)
 +	size_t bufsize = JPC_CEILDIVPOW2(numrows, 1);
- #if !defined(HAVE_VLA)
  	jpc_fix_t splitbuf[QMFB_SPLITBUFSIZE];
- #else
-@@ -389,7 +389,7 @@
- #if !defined(HAVE_VLA)
+-#else
+-	jpc_fix_t splitbuf[bufsize];
+-#endif
+ 	jpc_fix_t *buf = splitbuf;
+ 	register jpc_fix_t *srcptr;
+ 	register jpc_fix_t *dstptr;
+@@ -386,15 +374,13 @@
+ 	register int m;
+ 	int hstartcol;
+ 
+-#if !defined(HAVE_VLA)
  	/* Get a buffer. */
  	if (bufsize > QMFB_SPLITBUFSIZE) {
 -		if (!(buf = jas_malloc(bufsize * sizeof(jpc_fix_t)))) {
@@ -36,17 +70,43 @@
  			/* We have no choice but to commit suicide in this case. */
  			abort();
  		}
-@@ -441,7 +441,7 @@
+ 	}
+-#endif
+ 
+ 	if (numrows >= 2) {
+ 		hstartcol = (numrows + 1 - parity) >> 1;
+@@ -428,12 +414,10 @@
+ 		}
+ 	}
+ 
+-#if !defined(HAVE_VLA)
+ 	/* If the split buffer was allocated on the heap, free this memory. */
+ 	if (buf != splitbuf) {
+ 		jas_free(buf);
+ 	}
+-#endif
+ 
+ }
+ 
+@@ -441,12 +425,8 @@
    int parity)
  {
  
 -	int bufsize = JPC_CEILDIVPOW2(numrows, 1);
+-#if !defined(HAVE_VLA)
 +	size_t bufsize = JPC_CEILDIVPOW2(numrows, 1);
- #if !defined(HAVE_VLA)
  	jpc_fix_t splitbuf[QMFB_SPLITBUFSIZE * JPC_QMFB_COLGRPSIZE];
- #else
-@@ -460,7 +460,7 @@
- #if !defined(HAVE_VLA)
+-#else
+-	jpc_fix_t splitbuf[bufsize * JPC_QMFB_COLGRPSIZE];
+-#endif
+ 	jpc_fix_t *buf = splitbuf;
+ 	jpc_fix_t *srcptr;
+ 	jpc_fix_t *dstptr;
+@@ -457,15 +437,13 @@
+ 	int m;
+ 	int hstartcol;
+ 
+-#if !defined(HAVE_VLA)
  	/* Get a buffer. */
  	if (bufsize > QMFB_SPLITBUFSIZE) {
 -		if (!(buf = jas_malloc(bufsize * sizeof(jpc_fix_t)))) {
@@ -54,17 +114,43 @@
  			/* We have no choice but to commit suicide in this case. */
  			abort();
  		}
-@@ -530,7 +530,7 @@
+ 	}
+-#endif
+ 
+ 	if (numrows >= 2) {
+ 		hstartcol = (numrows + 1 - parity) >> 1;
+@@ -517,12 +495,10 @@
+ 		}
+ 	}
+ 
+-#if !defined(HAVE_VLA)
+ 	/* If the split buffer was allocated on the heap, free this memory. */
+ 	if (buf != splitbuf) {
+ 		jas_free(buf);
+ 	}
+-#endif
+ 
+ }
+ 
+@@ -530,12 +506,8 @@
    int stride, int parity)
  {
  
 -	int bufsize = JPC_CEILDIVPOW2(numrows, 1);
+-#if !defined(HAVE_VLA)
 +	size_t bufsize = JPC_CEILDIVPOW2(numrows, 1);
- #if !defined(HAVE_VLA)
  	jpc_fix_t splitbuf[QMFB_SPLITBUFSIZE * JPC_QMFB_COLGRPSIZE];
- #else
-@@ -549,7 +549,7 @@
- #if !defined(HAVE_VLA)
+-#else
+-	jpc_fix_t splitbuf[bufsize * numcols];
+-#endif
+ 	jpc_fix_t *buf = splitbuf;
+ 	jpc_fix_t *srcptr;
+ 	jpc_fix_t *dstptr;
+@@ -546,15 +518,13 @@
+ 	int m;
+ 	int hstartcol;
+ 
+-#if !defined(HAVE_VLA)
  	/* Get a buffer. */
  	if (bufsize > QMFB_SPLITBUFSIZE) {
 -		if (!(buf = jas_malloc(bufsize * sizeof(jpc_fix_t)))) {
@@ -72,17 +158,41 @@
  			/* We have no choice but to commit suicide in this case. */
  			abort();
  		}
-@@ -618,7 +618,7 @@
+ 	}
+-#endif
+ 
+ 	if (numrows >= 2) {
+ 		hstartcol = (numrows + 1 - parity) >> 1;
+@@ -606,39 +576,31 @@
+ 		}
+ 	}
+ 
+-#if !defined(HAVE_VLA)
+ 	/* If the split buffer was allocated on the heap, free this memory. */
+ 	if (buf != splitbuf) {
+ 		jas_free(buf);
+ 	}
+-#endif
+ 
+ }
+ 
  void jpc_qmfb_join_row(jpc_fix_t *a, int numcols, int parity)
  {
  
 -	int bufsize = JPC_CEILDIVPOW2(numcols, 1);
+-#if !defined(HAVE_VLA)
 +	size_t bufsize = JPC_CEILDIVPOW2(numcols, 1);
- #if !defined(HAVE_VLA)
  	jpc_fix_t joinbuf[QMFB_JOINBUFSIZE];
- #else
-@@ -633,7 +633,7 @@
- #if !defined(HAVE_VLA)
+-#else
+-	jpc_fix_t joinbuf[bufsize];
+-#endif
+ 	jpc_fix_t *buf = joinbuf;
+ 	register jpc_fix_t *srcptr;
+ 	register jpc_fix_t *dstptr;
+ 	register int n;
+ 	int hstartcol;
+ 
+-#if !defined(HAVE_VLA)
  	/* Allocate memory for the join buffer from the heap. */
  	if (bufsize > QMFB_JOINBUFSIZE) {
 -		if (!(buf = jas_malloc(bufsize * sizeof(jpc_fix_t)))) {
@@ -90,17 +200,42 @@
  			/* We have no choice but to commit suicide. */
  			abort();
  		}
-@@ -683,7 +683,7 @@
+ 	}
+-#endif
+ 
+ 	hstartcol = (numcols + 1 - parity) >> 1;
+ 
+@@ -670,12 +632,10 @@
+ 		++srcptr;
+ 	}
+ 
+-#if !defined(HAVE_VLA)
+ 	/* If the join buffer was allocated on the heap, free this memory. */
+ 	if (buf != joinbuf) {
+ 		jas_free(buf);
+ 	}
+-#endif
+ 
+ }
+ 
+@@ -683,27 +643,21 @@
    int parity)
  {
  
 -	int bufsize = JPC_CEILDIVPOW2(numrows, 1);
+-#if !defined(HAVE_VLA)
 +	size_t bufsize = JPC_CEILDIVPOW2(numrows, 1);
- #if !defined(HAVE_VLA)
  	jpc_fix_t joinbuf[QMFB_JOINBUFSIZE];
- #else
-@@ -698,7 +698,7 @@
- #if !defined(HAVE_VLA)
+-#else
+-	jpc_fix_t joinbuf[bufsize];
+-#endif
+ 	jpc_fix_t *buf = joinbuf;
+ 	register jpc_fix_t *srcptr;
+ 	register jpc_fix_t *dstptr;
+ 	register int n;
+ 	int hstartcol;
+ 
+-#if !defined(HAVE_VLA)
  	/* Allocate memory for the join buffer from the heap. */
  	if (bufsize > QMFB_JOINBUFSIZE) {
 -		if (!(buf = jas_malloc(bufsize * sizeof(jpc_fix_t)))) {
@@ -108,17 +243,43 @@
  			/* We have no choice but to commit suicide. */
  			abort();
  		}
-@@ -748,7 +748,7 @@
+ 	}
+-#endif
+ 
+ 	hstartcol = (numrows + 1 - parity) >> 1;
+ 
+@@ -735,12 +689,10 @@
+ 		++srcptr;
+ 	}
+ 
+-#if !defined(HAVE_VLA)
+ 	/* If the join buffer was allocated on the heap, free this memory. */
+ 	if (buf != joinbuf) {
+ 		jas_free(buf);
+ 	}
+-#endif
+ 
+ }
+ 
+@@ -748,12 +700,8 @@
    int parity)
  {
  
 -	int bufsize = JPC_CEILDIVPOW2(numrows, 1);
+-#if !defined(HAVE_VLA)
 +	size_t bufsize = JPC_CEILDIVPOW2(numrows, 1);
- #if !defined(HAVE_VLA)
  	jpc_fix_t joinbuf[QMFB_JOINBUFSIZE * JPC_QMFB_COLGRPSIZE];
- #else
-@@ -766,7 +766,7 @@
- #if !defined(HAVE_VLA)
+-#else
+-	jpc_fix_t joinbuf[bufsize * JPC_QMFB_COLGRPSIZE];
+-#endif
+ 	jpc_fix_t *buf = joinbuf;
+ 	jpc_fix_t *srcptr;
+ 	jpc_fix_t *dstptr;
+@@ -763,15 +711,13 @@
+ 	register int i;
+ 	int hstartcol;
+ 
+-#if !defined(HAVE_VLA)
  	/* Allocate memory for the join buffer from the heap. */
  	if (bufsize > QMFB_JOINBUFSIZE) {
 -		if (!(buf = jas_malloc(bufsize * JPC_QMFB_COLGRPSIZE * sizeof(jpc_fix_t)))) {
@@ -126,21 +287,65 @@
  			/* We have no choice but to commit suicide. */
  			abort();
  		}
-@@ -834,7 +834,7 @@
+ 	}
+-#endif
+ 
+ 	hstartcol = (numrows + 1 - parity) >> 1;
+ 
+@@ -821,12 +767,10 @@
+ 		srcptr += JPC_QMFB_COLGRPSIZE;
+ 	}
+ 
+-#if !defined(HAVE_VLA)
+ 	/* If the join buffer was allocated on the heap, free this memory. */
+ 	if (buf != joinbuf) {
+ 		jas_free(buf);
+ 	}
+-#endif
+ 
+ }
+ 
+@@ -834,12 +778,8 @@
    int stride, int parity)
  {
  
 -	int bufsize = JPC_CEILDIVPOW2(numrows, 1);
+-#if !defined(HAVE_VLA)
 +	size_t bufsize = JPC_CEILDIVPOW2(numrows, 1);
- #if !defined(HAVE_VLA)
  	jpc_fix_t joinbuf[QMFB_JOINBUFSIZE * JPC_QMFB_COLGRPSIZE];
- #else
-@@ -852,7 +852,7 @@
- #if !defined(HAVE_VLA)
+-#else
+-	jpc_fix_t joinbuf[bufsize * numcols];
+-#endif
+ 	jpc_fix_t *buf = joinbuf;
+ 	jpc_fix_t *srcptr;
+ 	jpc_fix_t *dstptr;
+@@ -849,15 +789,13 @@
+ 	register int i;
+ 	int hstartcol;
+ 
+-#if !defined(HAVE_VLA)
  	/* Allocate memory for the join buffer from the heap. */
  	if (bufsize > QMFB_JOINBUFSIZE) {
 -		if (!(buf = jas_malloc(bufsize * numcols * sizeof(jpc_fix_t)))) {
-+		if (!(buf = jas_malloc2(bufsize, numcols, sizeof(jpc_fix_t)))) {
++		if (!(buf = jas_malloc3(bufsize, numcols, sizeof(jpc_fix_t)))) {
  			/* We have no choice but to commit suicide. */
  			abort();
  		}
+ 	}
+-#endif
+ 
+ 	hstartcol = (numrows + 1 - parity) >> 1;
+ 
+@@ -907,12 +845,10 @@
+ 		srcptr += numcols;
+ 	}
+ 
+-#if !defined(HAVE_VLA)
+ 	/* If the join buffer was allocated on the heap, free this memory. */
+ 	if (buf != joinbuf) {
+ 		jas_free(buf);
+ 	}
+-#endif
+ 
+ }
+ 

Modified: branches/2016Q1/graphics/jasper/files/patch-mif_cod.c
==============================================================================
--- branches/2016Q1/graphics/jasper/files/patch-mif_cod.c	Wed Feb 24 19:44:45 2016	(r409479)
+++ branches/2016Q1/graphics/jasper/files/patch-mif_cod.c	Wed Feb 24 20:22:24 2016	(r409480)
@@ -1,5 +1,5 @@
 --- src/libjasper/mif/mif_cod.c.orig	2007-01-19 22:43:05.000000000 +0100
-+++ src/libjasper/mif/mif_cod.c	2015-08-29 08:07:01.000000000 +0200
++++ src/libjasper/mif/mif_cod.c	2016-02-20 14:19:34.799575000 +0100
 @@ -107,7 +107,7 @@
  static int mif_hdr_addcmpt(mif_hdr_t *hdr, int cmptno, mif_cmpt_t *cmpt);
  static mif_cmpt_t *mif_cmpt_create(void);
@@ -19,7 +19,16 @@
  	if (!newcmpts) {
  		return -1;
  	}
-@@ -658,7 +657,7 @@
+@@ -571,6 +570,8 @@
+ 		}
+ 	}
+ 	jas_tvparser_destroy(tvp);
++	/* fix for CVE-2015-5221 */
++	tvp = NULL;
+ 	if (!cmpt->sampperx || !cmpt->samppery) {
+ 		goto error;
+ 	}
+@@ -658,7 +659,7 @@
  * MIF parsing code.
  \******************************************************************************/
  



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201602242022.u1OKMOIK045563>