Date: Wed, 24 Feb 2016 20:22:24 +0000 (UTC) From: Mark Felder <feld@FreeBSD.org> To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-branches@freebsd.org Subject: svn commit: r409480 - in branches/2016Q1/graphics/jasper: . files Message-ID: <201602242022.u1OKMOIK045563@repo.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: feld Date: Wed Feb 24 20:22:24 2016 New Revision: 409480 URL: https://svnweb.freebsd.org/changeset/ports/409480 Log: MFH: r409237 - make option UUID default - fix double-free in in jas_iccattrval_destroy() Obtained from: RedHat Security: CVE-2014-8137 Security: https://bugzilla.redhat.com/show_bug.cgi?id=1173157 - fix heap overflow in jp2_decode() Obtained from: RedHat Security: CVE-2014-8138 Security: https://bugzilla.redhat.com/show_bug.cgi?id=1173162 - dec->numtiles off-by-one check in jpc_dec_process_sot() Obtained from: RedHat, Fedora Security: CVE-2014-8157 Security: https://bugzilla.redhat.com/show_bug.cgi?id=1179282 - multiple stack-based buffer overflows Obtained from: RedHat, Fedora Security: CVE-2014-8158 Security: https://bugzilla.redhat.com/show_bug.cgi?id=1179282 - fix Heap overflows in libjasper Obtained from: RedHat Security: CVE-2014-9029 Security: https://bugzilla.redhat.com/show_bug.cgi?id=1167537 - fix Use-after-free (and double-free) Security: CVE-2015-5221 Security: http://www.openwall.com/lists/oss-security/2015/08/20/4 PR: 203504 - patch (rows_ NULL check) Obtained from: RedHat Security: CVE-2016-2089 Security: https://bugzilla.redhat.com/show_bug.cgi?id=1302636 Approved by: ports-secteam (with hat) Modified: branches/2016Q1/graphics/jasper/Makefile branches/2016Q1/graphics/jasper/files/patch-jas_icc.c branches/2016Q1/graphics/jasper/files/patch-jas_image.c branches/2016Q1/graphics/jasper/files/patch-jas_seq.c branches/2016Q1/graphics/jasper/files/patch-jas_types.h branches/2016Q1/graphics/jasper/files/patch-jp2_cod.c branches/2016Q1/graphics/jasper/files/patch-jp2_dec.c branches/2016Q1/graphics/jasper/files/patch-jp2_enc.c branches/2016Q1/graphics/jasper/files/patch-jpc_dec.c branches/2016Q1/graphics/jasper/files/patch-jpc_qmfb.c branches/2016Q1/graphics/jasper/files/patch-mif_cod.c Directory Properties: branches/2016Q1/ (props changed) Modified: branches/2016Q1/graphics/jasper/Makefile ============================================================================== --- branches/2016Q1/graphics/jasper/Makefile Wed Feb 24 19:44:45 2016 (r409479) +++ branches/2016Q1/graphics/jasper/Makefile Wed Feb 24 20:22:24 2016 (r409480) @@ -3,7 +3,7 @@ PORTNAME= jasper PORTVERSION= 1.900.1 -PORTREVISION= 15 +PORTREVISION= 16 CATEGORIES= graphics MASTER_SITES= http://www.ece.uvic.ca/~mdadams/jasper/software/ \ ftp://ftp.imagemagick.org/pub/ImageMagick/delegates/ @@ -21,6 +21,7 @@ CONFIGURE_ARGS= --enable-shared --enable USE_LDCONFIG= yes OPTIONS_DEFINE= OPENGL UUID DOCS +OPTIONS_DEFAULT=UUID UUID_DESC= UUID support (required by GDAL) .include <bsd.port.options.mk> Modified: branches/2016Q1/graphics/jasper/files/patch-jas_icc.c ============================================================================== --- branches/2016Q1/graphics/jasper/files/patch-jas_icc.c Wed Feb 24 19:44:45 2016 (r409479) +++ branches/2016Q1/graphics/jasper/files/patch-jas_icc.c Wed Feb 24 20:22:24 2016 (r409480) @@ -1,5 +1,5 @@ --- src/libjasper/base/jas_icc.c.orig 2007-01-19 22:43:05.000000000 +0100 -+++ src/libjasper/base/jas_icc.c 2013-04-17 22:32:23.000000000 +0200 ++++ src/libjasper/base/jas_icc.c 2016-02-20 13:49:45.521860000 +0100 @@ -373,7 +373,7 @@ jas_icctagtab_t *tagtab; @@ -37,7 +37,15 @@ goto error; for (i = 0; i < curv->numents; ++i) { if (jas_iccgetuint16(in, &curv->ents[i])) -@@ -1100,7 +1099,7 @@ +@@ -1011,7 +1010,6 @@ + return 0; + + error: +- jas_icccurv_destroy(attrval); + return -1; + } + +@@ -1100,7 +1098,7 @@ if (jas_iccgetuint32(in, &txtdesc->uclangcode) || jas_iccgetuint32(in, &txtdesc->uclen)) goto error; @@ -46,7 +54,24 @@ goto error; if (jas_stream_read(in, txtdesc->ucdata, txtdesc->uclen * 2) != JAS_CAST(int, txtdesc->uclen * 2)) -@@ -1292,17 +1291,17 @@ +@@ -1129,7 +1127,6 @@ + #endif + return 0; + error: +- jas_icctxtdesc_destroy(attrval); + return -1; + } + +@@ -1208,8 +1205,6 @@ + goto error; + return 0; + error: +- if (txt->string) +- jas_free(txt->string); + return -1; + } + +@@ -1292,17 +1287,17 @@ jas_iccgetuint16(in, &lut8->numouttabents)) goto error; clutsize = jas_iccpowi(lut8->clutlen, lut8->numinchans) * lut8->numoutchans; @@ -71,7 +96,15 @@ sizeof(jas_iccuint8_t *)))) goto error; for (i = 0; i < lut8->numoutchans; ++i) -@@ -1461,17 +1460,17 @@ +@@ -1330,7 +1325,6 @@ + goto error; + return 0; + error: +- jas_icclut8_destroy(attrval); + return -1; + } + +@@ -1461,17 +1455,17 @@ jas_iccgetuint16(in, &lut16->numouttabents)) goto error; clutsize = jas_iccpowi(lut16->clutlen, lut16->numinchans) * lut16->numoutchans; @@ -96,3 +129,11 @@ sizeof(jas_iccuint16_t *)))) goto error; for (i = 0; i < lut16->numoutchans; ++i) +@@ -1499,7 +1493,6 @@ + goto error; + return 0; + error: +- jas_icclut16_destroy(attrval); + return -1; + } + Modified: branches/2016Q1/graphics/jasper/files/patch-jas_image.c ============================================================================== --- branches/2016Q1/graphics/jasper/files/patch-jas_image.c Wed Feb 24 19:44:45 2016 (r409479) +++ branches/2016Q1/graphics/jasper/files/patch-jas_image.c Wed Feb 24 20:22:24 2016 (r409480) @@ -1,5 +1,5 @@ --- src/libjasper/base/jas_image.c.orig 2007-01-19 22:43:05.000000000 +0100 -+++ src/libjasper/base/jas_image.c 2013-04-17 22:32:23.000000000 +0200 ++++ src/libjasper/base/jas_image.c 2016-02-20 13:59:00.999124000 +0100 @@ -142,7 +142,7 @@ image->inmem_ = true; @@ -9,7 +9,29 @@ sizeof(jas_image_cmpt_t *)))) { jas_image_destroy(image); return 0; -@@ -774,8 +774,7 @@ +@@ -426,6 +426,10 @@ + return -1; + } + ++ if (!data->rows_) { ++ return -1; ++ } ++ + if (jas_matrix_numrows(data) != height || jas_matrix_numcols(data) != width) { + if (jas_matrix_resize(data, height, width)) { + return -1; +@@ -479,6 +483,10 @@ + return -1; + } + ++ if (!data->rows_) { ++ return -1; ++ } ++ + if (jas_matrix_numrows(data) != height || jas_matrix_numcols(data) != width) { + return -1; + } +@@ -774,8 +782,7 @@ jas_image_cmpt_t **newcmpts; int cmptno; Modified: branches/2016Q1/graphics/jasper/files/patch-jas_seq.c ============================================================================== --- branches/2016Q1/graphics/jasper/files/patch-jas_seq.c Wed Feb 24 19:44:45 2016 (r409479) +++ branches/2016Q1/graphics/jasper/files/patch-jas_seq.c Wed Feb 24 20:22:24 2016 (r409480) @@ -1,5 +1,5 @@ --- src/libjasper/base/jas_seq.c.orig 2007-01-19 22:43:05.000000000 +0100 -+++ src/libjasper/base/jas_seq.c 2013-04-17 22:32:23.000000000 +0200 ++++ src/libjasper/base/jas_seq.c 2016-02-20 13:59:01.014091000 +0100 @@ -114,7 +114,7 @@ matrix->datasize_ = numrows * numcols; @@ -27,3 +27,58 @@ for (i = 0; i < mat0->numrows_; ++i) { mat0->rows_[i] = mat1->rows_[r0 + i] + c0; } +@@ -262,6 +262,10 @@ + int rowstep; + jas_seqent_t *data; + ++ if (!matrix->rows_) { ++ return; ++ } ++ + rowstep = jas_matrix_rowstep(matrix); + for (i = matrix->numrows_, rowstart = matrix->rows_[0]; i > 0; --i, + rowstart += rowstep) { +@@ -282,6 +286,10 @@ + jas_seqent_t *data; + int rowstep; + ++ if (!matrix->rows_) { ++ return; ++ } ++ + rowstep = jas_matrix_rowstep(matrix); + for (i = matrix->numrows_, rowstart = matrix->rows_[0]; i > 0; --i, + rowstart += rowstep) { +@@ -306,6 +314,10 @@ + int rowstep; + jas_seqent_t *data; + ++ if (!matrix->rows_) { ++ return; ++ } ++ + assert(n >= 0); + rowstep = jas_matrix_rowstep(matrix); + for (i = matrix->numrows_, rowstart = matrix->rows_[0]; i > 0; --i, +@@ -325,6 +337,10 @@ + int rowstep; + jas_seqent_t *data; + ++ if (!matrix->rows_) { ++ return; ++ } ++ + rowstep = jas_matrix_rowstep(matrix); + for (i = matrix->numrows_, rowstart = matrix->rows_[0]; i > 0; --i, + rowstart += rowstep) { +@@ -367,6 +383,10 @@ + int rowstep; + jas_seqent_t *data; + ++ if (!matrix->rows_) { ++ return; ++ } ++ + rowstep = jas_matrix_rowstep(matrix); + for (i = matrix->numrows_, rowstart = matrix->rows_[0]; i > 0; --i, + rowstart += rowstep) { Modified: branches/2016Q1/graphics/jasper/files/patch-jas_types.h ============================================================================== --- branches/2016Q1/graphics/jasper/files/patch-jas_types.h Wed Feb 24 19:44:45 2016 (r409479) +++ branches/2016Q1/graphics/jasper/files/patch-jas_types.h Wed Feb 24 20:22:24 2016 (r409480) @@ -1,6 +1,6 @@ ---- src/libjasper/include/jasper/jas_types.h Sat Oct 4 12:57:58 2003 -+++ src/libjasper/include/jasper/jas_types.h Wed Dec 17 10:29:46 2003 -@@ -223,13 +223,13 @@ +--- src/libjasper/include/jasper/jas_types.h.orig 2007-01-19 22:43:04.000000000 +0100 ++++ src/libjasper/include/jasper/jas_types.h 2016-02-20 13:49:45.555375000 +0100 +@@ -179,13 +179,13 @@ #endif /**********/ #if !defined(INT_FAST64_MIN) Modified: branches/2016Q1/graphics/jasper/files/patch-jp2_cod.c ============================================================================== --- branches/2016Q1/graphics/jasper/files/patch-jp2_cod.c Wed Feb 24 19:44:45 2016 (r409479) +++ branches/2016Q1/graphics/jasper/files/patch-jp2_cod.c Wed Feb 24 20:22:24 2016 (r409480) @@ -1,6 +1,6 @@ ---- src/libjasper/jp2/jp2_cod.c.orig 2013-04-17 22:32:23.000000000 +0200 -+++ src/libjasper/jp2/jp2_cod.c 2013-04-17 22:32:23.000000000 +0200 -@@ -255,7 +255,7 @@ +--- src/libjasper/jp2/jp2_cod.c.orig 2007-01-19 22:43:05.000000000 +0100 ++++ src/libjasper/jp2/jp2_cod.c 2016-02-20 13:49:45.560559000 +0100 +@@ -247,7 +247,7 @@ box = 0; tmpstream = 0; @@ -9,7 +9,7 @@ goto error; } box->ops = &jp2_boxinfo_unk.ops; -@@ -380,7 +380,7 @@ +@@ -372,7 +372,7 @@ jp2_bpcc_t *bpcc = &box->data.bpcc; unsigned int i; bpcc->numcmpts = box->datalen; @@ -18,7 +18,7 @@ return -1; } for (i = 0; i < bpcc->numcmpts; ++i) { -@@ -424,7 +424,7 @@ +@@ -416,7 +416,7 @@ break; case JP2_COLR_ICC: colr->iccplen = box->datalen - 3; @@ -27,7 +27,7 @@ return -1; } if (jas_stream_read(in, colr->iccp, colr->iccplen) != colr->iccplen) { -@@ -461,7 +461,7 @@ +@@ -453,7 +453,7 @@ if (jp2_getuint16(in, &cdef->numchans)) { return -1; } @@ -36,7 +36,7 @@ return -1; } for (channo = 0; channo < cdef->numchans; ++channo) { -@@ -774,7 +774,7 @@ +@@ -766,7 +766,7 @@ unsigned int i; cmap->numchans = (box->datalen) / 4; @@ -45,7 +45,7 @@ return -1; } for (i = 0; i < cmap->numchans; ++i) { -@@ -836,10 +836,10 @@ +@@ -828,10 +828,10 @@ return -1; } lutsize = pclr->numlutents * pclr->numchans; Modified: branches/2016Q1/graphics/jasper/files/patch-jp2_dec.c ============================================================================== --- branches/2016Q1/graphics/jasper/files/patch-jp2_dec.c Wed Feb 24 19:44:45 2016 (r409479) +++ branches/2016Q1/graphics/jasper/files/patch-jp2_dec.c Wed Feb 24 20:22:24 2016 (r409480) @@ -1,6 +1,18 @@ --- src/libjasper/jp2/jp2_dec.c.orig 2007-01-19 22:43:05.000000000 +0100 -+++ src/libjasper/jp2/jp2_dec.c 2013-04-17 22:32:23.000000000 +0200 -@@ -336,7 +336,7 @@ ++++ src/libjasper/jp2/jp2_dec.c 2016-02-20 13:49:45.565514000 +0100 +@@ -291,7 +291,10 @@ + case JP2_COLR_ICC: + iccprof = jas_iccprof_createfrombuf(dec->colr->data.colr.iccp, + dec->colr->data.colr.iccplen); +- assert(iccprof); ++ if (!iccprof) { ++ jas_eprintf("error: failed to parse ICC profile\n"); ++ goto error; ++ } + jas_iccprof_gethdr(iccprof, &icchdr); + jas_eprintf("ICC Profile CS %08x\n", icchdr.colorspc); + jas_image_setclrspc(dec->image, fromiccpcs(icchdr.colorspc)); +@@ -336,7 +339,7 @@ } /* Allocate space for the channel-number to component-number LUT. */ @@ -9,7 +21,7 @@ jas_eprintf("error: no memory\n"); goto error; } -@@ -354,7 +354,7 @@ +@@ -354,7 +357,7 @@ if (cmapent->map == JP2_CMAP_DIRECT) { dec->chantocmptlut[channo] = channo; } else if (cmapent->map == JP2_CMAP_PALETTE) { @@ -18,3 +30,15 @@ for (i = 0; i < pclrd->numlutents; ++i) { lutents[i] = pclrd->lutdata[cmapent->pcol + i * pclrd->numchans]; } +@@ -386,6 +389,11 @@ + /* Determine the type of each component. */ + if (dec->cdef) { + for (i = 0; i < dec->numchans; ++i) { ++ /* Is the channel number reasonable? */ ++ if (dec->cdef->data.cdef.ents[i].channo >= dec->numchans) { ++ jas_eprintf("error: invalid channel number in CDEF box\n"); ++ goto error; ++ } + jas_image_setcmpttype(dec->image, + dec->chantocmptlut[dec->cdef->data.cdef.ents[i].channo], + jp2_getct(jas_image_clrspc(dec->image), Modified: branches/2016Q1/graphics/jasper/files/patch-jp2_enc.c ============================================================================== --- branches/2016Q1/graphics/jasper/files/patch-jp2_enc.c Wed Feb 24 19:44:45 2016 (r409479) +++ branches/2016Q1/graphics/jasper/files/patch-jp2_enc.c Wed Feb 24 20:22:24 2016 (r409480) @@ -1,6 +1,6 @@ ---- src/libjasper/jp2/jp2_enc.c.orig 2013-04-17 22:32:23.000000000 +0200 -+++ src/libjasper/jp2/jp2_enc.c 2013-04-17 22:32:23.000000000 +0200 -@@ -194,7 +194,7 @@ +--- src/libjasper/jp2/jp2_enc.c.orig 2007-01-19 22:43:05.000000000 +0100 ++++ src/libjasper/jp2/jp2_enc.c 2016-02-20 13:49:45.569962000 +0100 +@@ -191,7 +191,7 @@ } bpcc = &box->data.bpcc; bpcc->numcmpts = jas_image_numcmpts(image); @@ -9,7 +9,7 @@ sizeof(uint_fast8_t)))) { goto error; } -@@ -288,7 +288,7 @@ +@@ -285,7 +285,7 @@ } cdef = &box->data.cdef; cdef->numchans = jas_image_numcmpts(image); Modified: branches/2016Q1/graphics/jasper/files/patch-jpc_dec.c ============================================================================== --- branches/2016Q1/graphics/jasper/files/patch-jpc_dec.c Wed Feb 24 19:44:45 2016 (r409479) +++ branches/2016Q1/graphics/jasper/files/patch-jpc_dec.c Wed Feb 24 20:22:24 2016 (r409480) @@ -1,5 +1,5 @@ --- src/libjasper/jpc/jpc_dec.c.orig 2007-01-19 22:43:07.000000000 +0100 -+++ src/libjasper/jpc/jpc_dec.c 2013-04-17 22:29:42.000000000 +0200 ++++ src/libjasper/jpc/jpc_dec.c 2016-02-20 13:49:45.581508000 +0100 @@ -449,7 +449,7 @@ if (dec->state == JPC_MH) { @@ -9,6 +9,15 @@ assert(compinfos); for (cmptno = 0, cmpt = dec->cmpts, compinfo = compinfos; cmptno < dec->numcomps; ++cmptno, ++cmpt, ++compinfo) { +@@ -489,7 +489,7 @@ + dec->curtileendoff = 0; + } + +- if (JAS_CAST(int, sot->tileno) > dec->numtiles) { ++ if (JAS_CAST(int, sot->tileno) >= dec->numtiles) { + jas_eprintf("invalid tile number in SOT marker segment\n"); + return -1; + } @@ -692,7 +692,7 @@ tile->realmode = 1; } @@ -87,6 +96,33 @@ sizeof(jpc_dec_tcomp_t)))) { return -1; } +@@ -1280,7 +1280,7 @@ + jpc_coc_t *coc = &ms->parms.coc; + jpc_dec_tile_t *tile; + +- if (JAS_CAST(int, coc->compno) > dec->numcomps) { ++ if (JAS_CAST(int, coc->compno) >= dec->numcomps) { + jas_eprintf("invalid component number in COC marker segment\n"); + return -1; + } +@@ -1306,7 +1306,7 @@ + jpc_rgn_t *rgn = &ms->parms.rgn; + jpc_dec_tile_t *tile; + +- if (JAS_CAST(int, rgn->compno) > dec->numcomps) { ++ if (JAS_CAST(int, rgn->compno) >= dec->numcomps) { + jas_eprintf("invalid component number in RGN marker segment\n"); + return -1; + } +@@ -1355,7 +1355,7 @@ + jpc_qcc_t *qcc = &ms->parms.qcc; + jpc_dec_tile_t *tile; + +- if (JAS_CAST(int, qcc->compno) > dec->numcomps) { ++ if (JAS_CAST(int, qcc->compno) >= dec->numcomps) { + jas_eprintf("invalid component number in QCC marker segment\n"); + return -1; + } @@ -1489,7 +1489,7 @@ cp->numlyrs = 0; cp->mctid = 0; Modified: branches/2016Q1/graphics/jasper/files/patch-jpc_qmfb.c ============================================================================== --- branches/2016Q1/graphics/jasper/files/patch-jpc_qmfb.c Wed Feb 24 19:44:45 2016 (r409479) +++ branches/2016Q1/graphics/jasper/files/patch-jpc_qmfb.c Wed Feb 24 20:22:24 2016 (r409480) @@ -1,16 +1,24 @@ --- src/libjasper/jpc/jpc_qmfb.c.orig 2007-01-19 22:43:07.000000000 +0100 -+++ src/libjasper/jpc/jpc_qmfb.c 2015-08-29 08:07:01.000000000 +0200 -@@ -305,7 +305,7 @@ ++++ src/libjasper/jpc/jpc_qmfb.c 2016-02-20 13:56:19.711609000 +0100 +@@ -305,12 +305,8 @@ void jpc_qmfb_split_row(jpc_fix_t *a, int numcols, int parity) { - int bufsize = JPC_CEILDIVPOW2(numcols, 1); +-#if !defined(HAVE_VLA) + size_t bufsize = JPC_CEILDIVPOW2(numcols, 1); - #if !defined(HAVE_VLA) jpc_fix_t splitbuf[QMFB_SPLITBUFSIZE]; - #else -@@ -321,7 +321,7 @@ - #if !defined(HAVE_VLA) +-#else +- jpc_fix_t splitbuf[bufsize]; +-#endif + jpc_fix_t *buf = splitbuf; + register jpc_fix_t *srcptr; + register jpc_fix_t *dstptr; +@@ -318,15 +314,13 @@ + register int m; + int hstartcol; + +-#if !defined(HAVE_VLA) /* Get a buffer. */ if (bufsize > QMFB_SPLITBUFSIZE) { - if (!(buf = jas_malloc(bufsize * sizeof(jpc_fix_t)))) { @@ -18,17 +26,43 @@ /* We have no choice but to commit suicide in this case. */ abort(); } -@@ -373,7 +373,7 @@ + } +-#endif + + if (numcols >= 2) { + hstartcol = (numcols + 1 - parity) >> 1; +@@ -360,12 +354,10 @@ + } + } + +-#if !defined(HAVE_VLA) + /* If the split buffer was allocated on the heap, free this memory. */ + if (buf != splitbuf) { + jas_free(buf); + } +-#endif + + } + +@@ -373,12 +365,8 @@ int parity) { - int bufsize = JPC_CEILDIVPOW2(numrows, 1); +-#if !defined(HAVE_VLA) + size_t bufsize = JPC_CEILDIVPOW2(numrows, 1); - #if !defined(HAVE_VLA) jpc_fix_t splitbuf[QMFB_SPLITBUFSIZE]; - #else -@@ -389,7 +389,7 @@ - #if !defined(HAVE_VLA) +-#else +- jpc_fix_t splitbuf[bufsize]; +-#endif + jpc_fix_t *buf = splitbuf; + register jpc_fix_t *srcptr; + register jpc_fix_t *dstptr; +@@ -386,15 +374,13 @@ + register int m; + int hstartcol; + +-#if !defined(HAVE_VLA) /* Get a buffer. */ if (bufsize > QMFB_SPLITBUFSIZE) { - if (!(buf = jas_malloc(bufsize * sizeof(jpc_fix_t)))) { @@ -36,17 +70,43 @@ /* We have no choice but to commit suicide in this case. */ abort(); } -@@ -441,7 +441,7 @@ + } +-#endif + + if (numrows >= 2) { + hstartcol = (numrows + 1 - parity) >> 1; +@@ -428,12 +414,10 @@ + } + } + +-#if !defined(HAVE_VLA) + /* If the split buffer was allocated on the heap, free this memory. */ + if (buf != splitbuf) { + jas_free(buf); + } +-#endif + + } + +@@ -441,12 +425,8 @@ int parity) { - int bufsize = JPC_CEILDIVPOW2(numrows, 1); +-#if !defined(HAVE_VLA) + size_t bufsize = JPC_CEILDIVPOW2(numrows, 1); - #if !defined(HAVE_VLA) jpc_fix_t splitbuf[QMFB_SPLITBUFSIZE * JPC_QMFB_COLGRPSIZE]; - #else -@@ -460,7 +460,7 @@ - #if !defined(HAVE_VLA) +-#else +- jpc_fix_t splitbuf[bufsize * JPC_QMFB_COLGRPSIZE]; +-#endif + jpc_fix_t *buf = splitbuf; + jpc_fix_t *srcptr; + jpc_fix_t *dstptr; +@@ -457,15 +437,13 @@ + int m; + int hstartcol; + +-#if !defined(HAVE_VLA) /* Get a buffer. */ if (bufsize > QMFB_SPLITBUFSIZE) { - if (!(buf = jas_malloc(bufsize * sizeof(jpc_fix_t)))) { @@ -54,17 +114,43 @@ /* We have no choice but to commit suicide in this case. */ abort(); } -@@ -530,7 +530,7 @@ + } +-#endif + + if (numrows >= 2) { + hstartcol = (numrows + 1 - parity) >> 1; +@@ -517,12 +495,10 @@ + } + } + +-#if !defined(HAVE_VLA) + /* If the split buffer was allocated on the heap, free this memory. */ + if (buf != splitbuf) { + jas_free(buf); + } +-#endif + + } + +@@ -530,12 +506,8 @@ int stride, int parity) { - int bufsize = JPC_CEILDIVPOW2(numrows, 1); +-#if !defined(HAVE_VLA) + size_t bufsize = JPC_CEILDIVPOW2(numrows, 1); - #if !defined(HAVE_VLA) jpc_fix_t splitbuf[QMFB_SPLITBUFSIZE * JPC_QMFB_COLGRPSIZE]; - #else -@@ -549,7 +549,7 @@ - #if !defined(HAVE_VLA) +-#else +- jpc_fix_t splitbuf[bufsize * numcols]; +-#endif + jpc_fix_t *buf = splitbuf; + jpc_fix_t *srcptr; + jpc_fix_t *dstptr; +@@ -546,15 +518,13 @@ + int m; + int hstartcol; + +-#if !defined(HAVE_VLA) /* Get a buffer. */ if (bufsize > QMFB_SPLITBUFSIZE) { - if (!(buf = jas_malloc(bufsize * sizeof(jpc_fix_t)))) { @@ -72,17 +158,41 @@ /* We have no choice but to commit suicide in this case. */ abort(); } -@@ -618,7 +618,7 @@ + } +-#endif + + if (numrows >= 2) { + hstartcol = (numrows + 1 - parity) >> 1; +@@ -606,39 +576,31 @@ + } + } + +-#if !defined(HAVE_VLA) + /* If the split buffer was allocated on the heap, free this memory. */ + if (buf != splitbuf) { + jas_free(buf); + } +-#endif + + } + void jpc_qmfb_join_row(jpc_fix_t *a, int numcols, int parity) { - int bufsize = JPC_CEILDIVPOW2(numcols, 1); +-#if !defined(HAVE_VLA) + size_t bufsize = JPC_CEILDIVPOW2(numcols, 1); - #if !defined(HAVE_VLA) jpc_fix_t joinbuf[QMFB_JOINBUFSIZE]; - #else -@@ -633,7 +633,7 @@ - #if !defined(HAVE_VLA) +-#else +- jpc_fix_t joinbuf[bufsize]; +-#endif + jpc_fix_t *buf = joinbuf; + register jpc_fix_t *srcptr; + register jpc_fix_t *dstptr; + register int n; + int hstartcol; + +-#if !defined(HAVE_VLA) /* Allocate memory for the join buffer from the heap. */ if (bufsize > QMFB_JOINBUFSIZE) { - if (!(buf = jas_malloc(bufsize * sizeof(jpc_fix_t)))) { @@ -90,17 +200,42 @@ /* We have no choice but to commit suicide. */ abort(); } -@@ -683,7 +683,7 @@ + } +-#endif + + hstartcol = (numcols + 1 - parity) >> 1; + +@@ -670,12 +632,10 @@ + ++srcptr; + } + +-#if !defined(HAVE_VLA) + /* If the join buffer was allocated on the heap, free this memory. */ + if (buf != joinbuf) { + jas_free(buf); + } +-#endif + + } + +@@ -683,27 +643,21 @@ int parity) { - int bufsize = JPC_CEILDIVPOW2(numrows, 1); +-#if !defined(HAVE_VLA) + size_t bufsize = JPC_CEILDIVPOW2(numrows, 1); - #if !defined(HAVE_VLA) jpc_fix_t joinbuf[QMFB_JOINBUFSIZE]; - #else -@@ -698,7 +698,7 @@ - #if !defined(HAVE_VLA) +-#else +- jpc_fix_t joinbuf[bufsize]; +-#endif + jpc_fix_t *buf = joinbuf; + register jpc_fix_t *srcptr; + register jpc_fix_t *dstptr; + register int n; + int hstartcol; + +-#if !defined(HAVE_VLA) /* Allocate memory for the join buffer from the heap. */ if (bufsize > QMFB_JOINBUFSIZE) { - if (!(buf = jas_malloc(bufsize * sizeof(jpc_fix_t)))) { @@ -108,17 +243,43 @@ /* We have no choice but to commit suicide. */ abort(); } -@@ -748,7 +748,7 @@ + } +-#endif + + hstartcol = (numrows + 1 - parity) >> 1; + +@@ -735,12 +689,10 @@ + ++srcptr; + } + +-#if !defined(HAVE_VLA) + /* If the join buffer was allocated on the heap, free this memory. */ + if (buf != joinbuf) { + jas_free(buf); + } +-#endif + + } + +@@ -748,12 +700,8 @@ int parity) { - int bufsize = JPC_CEILDIVPOW2(numrows, 1); +-#if !defined(HAVE_VLA) + size_t bufsize = JPC_CEILDIVPOW2(numrows, 1); - #if !defined(HAVE_VLA) jpc_fix_t joinbuf[QMFB_JOINBUFSIZE * JPC_QMFB_COLGRPSIZE]; - #else -@@ -766,7 +766,7 @@ - #if !defined(HAVE_VLA) +-#else +- jpc_fix_t joinbuf[bufsize * JPC_QMFB_COLGRPSIZE]; +-#endif + jpc_fix_t *buf = joinbuf; + jpc_fix_t *srcptr; + jpc_fix_t *dstptr; +@@ -763,15 +711,13 @@ + register int i; + int hstartcol; + +-#if !defined(HAVE_VLA) /* Allocate memory for the join buffer from the heap. */ if (bufsize > QMFB_JOINBUFSIZE) { - if (!(buf = jas_malloc(bufsize * JPC_QMFB_COLGRPSIZE * sizeof(jpc_fix_t)))) { @@ -126,21 +287,65 @@ /* We have no choice but to commit suicide. */ abort(); } -@@ -834,7 +834,7 @@ + } +-#endif + + hstartcol = (numrows + 1 - parity) >> 1; + +@@ -821,12 +767,10 @@ + srcptr += JPC_QMFB_COLGRPSIZE; + } + +-#if !defined(HAVE_VLA) + /* If the join buffer was allocated on the heap, free this memory. */ + if (buf != joinbuf) { + jas_free(buf); + } +-#endif + + } + +@@ -834,12 +778,8 @@ int stride, int parity) { - int bufsize = JPC_CEILDIVPOW2(numrows, 1); +-#if !defined(HAVE_VLA) + size_t bufsize = JPC_CEILDIVPOW2(numrows, 1); - #if !defined(HAVE_VLA) jpc_fix_t joinbuf[QMFB_JOINBUFSIZE * JPC_QMFB_COLGRPSIZE]; - #else -@@ -852,7 +852,7 @@ - #if !defined(HAVE_VLA) +-#else +- jpc_fix_t joinbuf[bufsize * numcols]; +-#endif + jpc_fix_t *buf = joinbuf; + jpc_fix_t *srcptr; + jpc_fix_t *dstptr; +@@ -849,15 +789,13 @@ + register int i; + int hstartcol; + +-#if !defined(HAVE_VLA) /* Allocate memory for the join buffer from the heap. */ if (bufsize > QMFB_JOINBUFSIZE) { - if (!(buf = jas_malloc(bufsize * numcols * sizeof(jpc_fix_t)))) { -+ if (!(buf = jas_malloc2(bufsize, numcols, sizeof(jpc_fix_t)))) { ++ if (!(buf = jas_malloc3(bufsize, numcols, sizeof(jpc_fix_t)))) { /* We have no choice but to commit suicide. */ abort(); } + } +-#endif + + hstartcol = (numrows + 1 - parity) >> 1; + +@@ -907,12 +845,10 @@ + srcptr += numcols; + } + +-#if !defined(HAVE_VLA) + /* If the join buffer was allocated on the heap, free this memory. */ + if (buf != joinbuf) { + jas_free(buf); + } +-#endif + + } + Modified: branches/2016Q1/graphics/jasper/files/patch-mif_cod.c ============================================================================== --- branches/2016Q1/graphics/jasper/files/patch-mif_cod.c Wed Feb 24 19:44:45 2016 (r409479) +++ branches/2016Q1/graphics/jasper/files/patch-mif_cod.c Wed Feb 24 20:22:24 2016 (r409480) @@ -1,5 +1,5 @@ --- src/libjasper/mif/mif_cod.c.orig 2007-01-19 22:43:05.000000000 +0100 -+++ src/libjasper/mif/mif_cod.c 2015-08-29 08:07:01.000000000 +0200 ++++ src/libjasper/mif/mif_cod.c 2016-02-20 14:19:34.799575000 +0100 @@ -107,7 +107,7 @@ static int mif_hdr_addcmpt(mif_hdr_t *hdr, int cmptno, mif_cmpt_t *cmpt); static mif_cmpt_t *mif_cmpt_create(void); @@ -19,7 +19,16 @@ if (!newcmpts) { return -1; } -@@ -658,7 +657,7 @@ +@@ -571,6 +570,8 @@ + } + } + jas_tvparser_destroy(tvp); ++ /* fix for CVE-2015-5221 */ ++ tvp = NULL; + if (!cmpt->sampperx || !cmpt->samppery) { + goto error; + } +@@ -658,7 +659,7 @@ * MIF parsing code. \******************************************************************************/
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201602242022.u1OKMOIK045563>