-rw-r--r--.SRCINFO6
-rw-r--r--PKGBUILD9
-rw-r--r--jasper-1.900.1-CVE-2015-5203.patch197
3 files changed, 207 insertions, 5 deletions
diff --git a/.SRCINFO b/.SRCINFO
index 00c1ef5b6648..759af04c49a1 100644
--- a/.SRCINFO
+++ b/.SRCINFO
@@ -1,9 +1,9 @@
# Generated by mksrcinfo v8
-# Mon Sep 26 04:26:51 UTC 2016
+# Mon Sep 26 04:26:52 UTC 2016
pkgbase = jasper
pkgdesc = A software-based implementation of the codec specified in the emerging JPEG-2000 Part-1 standard
pkgver = 1.900.1
- pkgrel = 13
+ pkgrel = 14
url = http://www.ece.uvic.ca/~mdadams/jasper/
arch = i686
arch = x86_64
@@ -27,6 +27,7 @@ pkgbase = jasper
source = jasper-1.900.1-fix-filename-buffer-overflow.patch
source = jasper-1.900.1-CVE-2014-8157.patch
source = jasper-1.900.1-CVE-2014-8158.patch
+ source = jasper-1.900.1-CVE-2015-5203.patch
sha1sums = 9c5735f773922e580bf98c7c7dfda9bbed4c5191
sha1sums = f298566fef08c8a589d072582112cd51c72c3983
sha1sums = 2483dba925670bf29f531d85d73c4e5ada513b01
@@ -40,6 +41,7 @@ pkgbase = jasper
sha1sums = 577dfce40da75818c4d32eb1c4532b1370950bee
sha1sums = aaf96946073d2ece35f3695e8cc7956b5cad9a1d
sha1sums = e69b339de43d1dc2fbb98368cee3d20f76d35941
+ sha1sums = b28a15079e6c5dd4cde8d63c21763c8abb9d187c
pkgname = jasper
diff --git a/PKGBUILD b/PKGBUILD
index f165e1e5ec91..c085594bae19 100644
--- a/PKGBUILD
+++ b/PKGBUILD
@@ -3,7 +3,7 @@
pkgname=jasper
pkgver=1.900.1
-pkgrel=13
+pkgrel=14
pkgdesc="A software-based implementation of the codec specified in the emerging JPEG-2000 Part-1 standard"
arch=('i686' 'x86_64')
url="http://www.ece.uvic.ca/~mdadams/jasper/"
@@ -19,7 +19,8 @@ source=(http://www.ece.uvic.ca/~mdadams/${pkgname}/software/${pkgname}-${pkgver}
jasper-1.900.1-CVE-2011-4516-and-CVE-2011-4517.patch
jasper-1.900.1-fix-filename-buffer-overflow.patch
jasper-1.900.1-CVE-2014-8157.patch
- jasper-1.900.1-CVE-2014-8158.patch)
+ jasper-1.900.1-CVE-2014-8158.patch
+ jasper-1.900.1-CVE-2015-5203.patch)
sha1sums=('9c5735f773922e580bf98c7c7dfda9bbed4c5191'
'f298566fef08c8a589d072582112cd51c72c3983'
'2483dba925670bf29f531d85d73c4e5ada513b01'
@@ -32,7 +33,8 @@ sha1sums=('9c5735f773922e580bf98c7c7dfda9bbed4c5191'
'3bfb37a4c732caa824563bad2603fcf5f2acf7f7'
'577dfce40da75818c4d32eb1c4532b1370950bee'
'aaf96946073d2ece35f3695e8cc7956b5cad9a1d'
- 'e69b339de43d1dc2fbb98368cee3d20f76d35941')
+ 'e69b339de43d1dc2fbb98368cee3d20f76d35941'
+ 'b28a15079e6c5dd4cde8d63c21763c8abb9d187c')
prepare() {
cd ${pkgname}-${pkgver}
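Review bot: The checksum added to the `sha1sums=(...)` array is SHA-1, which is no longer collision-resistant, and the upstream tarball in the `source=` array (visible in the previous hunk's header) is fetched over plain `http://`, so this digest is the only integrity control on the build inputs. Switching the array to `sha256sums=(...)` would strengthen that check; after renaming it, `makepkg -g` prints the sums to paste in. The array begins outside this hunk, so the existing entries would need regenerating as well, and the matching `sha1sums` lines in `.SRCINFO` would change when it is regenerated.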
@@ -48,6 +50,7 @@ prepare() {
patch -p1 -i "${srcdir}/jasper-1.900.1-fix-filename-buffer-overflow.patch"
patch -p1 -i "${srcdir}/jasper-1.900.1-CVE-2014-8157.patch"
patch -p1 -i "${srcdir}/jasper-1.900.1-CVE-2014-8158.patch"
+ patch -p1 -i "${srcdir}/jasper-1.900.1-CVE-2015-5203.patch"
}
build() {
diff --git a/jasper-1.900.1-CVE-2015-5203.patch b/jasper-1.900.1-CVE-2015-5203.patch
new file mode 100644
index 000000000000..c4b9b649c4e3
--- /dev/null
+++ b/jasper-1.900.1-CVE-2015-5203.patch
@@ -0,0 +1,197 @@
+From a0ad33bedb339e4f9f35f9637a976320ec81f508 Mon Sep 17 00:00:00 2001
+From: mancha <mancha1 AT zoho DOT com>
+Date: Mon, 17 Aug 2015
+Subject: CVE-2015-5203
+
+Prevent integer conversion errors.
+
+jasper is vulnerable to integer conversion errors that can be leveraged,
+via crafted input, to trigger faults such as double free's. This patch
+addresses that by using size_t for buffer sizes.
+
+---
+ src/libjasper/base/jas_stream.c | 10 +++++-----
+ src/libjasper/include/jasper/jas_stream.h | 8 ++++----
+ src/libjasper/jpc/jpc_qmfb.c | 16 ++++++++--------
+ src/libjasper/mif/mif_cod.c | 4 ++--
+ 4 files changed, 19 insertions(+), 19 deletions(-)
+
+--- a/src/libjasper/include/jasper/jas_stream.h
++++ b/src/libjasper/include/jasper/jas_stream.h
+@@ -215,7 +215,7 @@ typedef struct {
+ uchar *bufstart_;
+
+ /* The buffer size. */
+- int bufsize_;
++ size_t bufsize_;
+
+ /* The current position in the buffer. */
+ uchar *ptr_;
+@@ -267,7 +267,7 @@ typedef struct {
+ uchar *buf_;
+
+ /* The allocated size of the buffer for holding file data. */
+- int bufsize_;
++ size_t bufsize_;
+
+ /* The length of the file. */
+ int_fast32_t len_;
+@@ -291,7 +291,7 @@ typedef struct {
+ jas_stream_t *jas_stream_fopen(const char *filename, const char *mode);
+
+ /* Open a memory buffer as a stream. */
+-jas_stream_t *jas_stream_memopen(char *buf, int bufsize);
++jas_stream_t *jas_stream_memopen(char *buf, size_t bufsize);
+
+ /* Open a file descriptor as a stream. */
+ jas_stream_t *jas_stream_fdopen(int fd, const char *mode);
+@@ -366,7 +366,7 @@ int jas_stream_printf(jas_stream_t *stre
+ int jas_stream_puts(jas_stream_t *stream, const char *s);
+
+ /* Read a line of input from a stream. */
+-char *jas_stream_gets(jas_stream_t *stream, char *buf, int bufsize);
++char *jas_stream_gets(jas_stream_t *stream, char *buf, size_t bufsize);
+
+ /* Look at the next character to be read from a stream without actually
+ removing it from the stream. */
+--- a/src/libjasper/base/jas_stream.c
++++ b/src/libjasper/base/jas_stream.c
+@@ -99,7 +99,7 @@ static int jas_strtoopenmode(const char
+ static void jas_stream_destroy(jas_stream_t *stream);
+ static jas_stream_t *jas_stream_create(void);
+ static void jas_stream_initbuf(jas_stream_t *stream, int bufmode, char *buf,
+- int bufsize);
++ size_t bufsize);
+
+ static int mem_read(jas_stream_obj_t *obj, char *buf, int cnt);
+ static int mem_write(jas_stream_obj_t *obj, char *buf, int cnt);
+@@ -168,7 +168,7 @@ static jas_stream_t *jas_stream_create()
+ return stream;
+ }
+
+-jas_stream_t *jas_stream_memopen(char *buf, int bufsize)
++jas_stream_t *jas_stream_memopen(char *buf, size_t bufsize)
+ {
+ jas_stream_t *stream;
+ jas_stream_memobj_t *obj;
+@@ -570,7 +570,7 @@ int jas_stream_puts(jas_stream_t *stream
+ return 0;
+ }
+
+-char *jas_stream_gets(jas_stream_t *stream, char *buf, int bufsize)
++char *jas_stream_gets(jas_stream_t *stream, char *buf, size_t bufsize)
+ {
+ int c;
+ char *bufptr;
+@@ -694,7 +694,7 @@ long jas_stream_tell(jas_stream_t *strea
+ \******************************************************************************/
+
+ static void jas_stream_initbuf(jas_stream_t *stream, int bufmode, char *buf,
+- int bufsize)
++ size_t bufsize)
+ {
+ /* If this function is being called, the buffer should not have been
+ initialized yet. */
+@@ -987,7 +987,7 @@ static int mem_read(jas_stream_obj_t *ob
+ return cnt;
+ }
+
+-static int mem_resize(jas_stream_memobj_t *m, int bufsize)
++static int mem_resize(jas_stream_memobj_t *m, size_t bufsize)
+ {
+ unsigned char *buf;
+
+--- a/src/libjasper/jpc/jpc_qmfb.c
++++ b/src/libjasper/jpc/jpc_qmfb.c
+@@ -305,7 +305,7 @@ jpc_qmfb2d_t jpc_ns_qmfb2d = {
+ void jpc_qmfb_split_row(jpc_fix_t *a, int numcols, int parity)
+ {
+
+- int bufsize = JPC_CEILDIVPOW2(numcols, 1);
++ size_t bufsize = JPC_CEILDIVPOW2(numcols, 1);
+ jpc_fix_t splitbuf[QMFB_SPLITBUFSIZE];
+ jpc_fix_t *buf = splitbuf;
+ register jpc_fix_t *srcptr;#if !defined(HAVE_VLA)
+@@ -373,7 +373,7 @@ void jpc_qmfb_split_col(jpc_fix_t *a, in
+ int parity)
+ {
+
+- int bufsize = JPC_CEILDIVPOW2(numrows, 1);
++ size_t bufsize = JPC_CEILDIVPOW2(numrows, 1);
+ jpc_fix_t splitbuf[QMFB_SPLITBUFSIZE];
+ jpc_fix_t *buf = splitbuf;
+ register jpc_fix_t *srcptr;
+@@ -441,7 +441,7 @@ void jpc_qmfb_split_colgrp(jpc_fix_t *a,
+ int parity)
+ {
+
+- int bufsize = JPC_CEILDIVPOW2(numrows, 1);
++ size_t bufsize = JPC_CEILDIVPOW2(numrows, 1);
+ jpc_fix_t splitbuf[QMFB_SPLITBUFSIZE * JPC_QMFB_COLGRPSIZE];
+ jpc_fix_t *buf = splitbuf;
+ jpc_fix_t *srcptr;
+@@ -530,7 +530,7 @@ void jpc_qmfb_split_colres(jpc_fix_t *a,
+ int stride, int parity)
+ {
+
+- int bufsize = JPC_CEILDIVPOW2(numrows, 1);
++ size_t bufsize = JPC_CEILDIVPOW2(numrows, 1);
+ jpc_fix_t splitbuf[QMFB_SPLITBUFSIZE * JPC_QMFB_COLGRPSIZE];
+ jpc_fix_t *buf = splitbuf;
+ jpc_fix_t *srcptr;
+@@ -618,7 +618,7 @@ void jpc_qmfb_split_colres(jpc_fix_t *a,
+ void jpc_qmfb_join_row(jpc_fix_t *a, int numcols, int parity)
+ {
+
+- int bufsize = JPC_CEILDIVPOW2(numcols, 1);
++ size_t bufsize = JPC_CEILDIVPOW2(numcols, 1);
+ jpc_fix_t joinbuf[QMFB_JOINBUFSIZE];
+ jpc_fix_t *buf = joinbuf;
+ register jpc_fix_t *srcptr;
+@@ -683,7 +683,7 @@ void jpc_qmfb_join_col(jpc_fix_t *a, int
+ int parity)
+ {
+
+- int bufsize = JPC_CEILDIVPOW2(numrows, 1);
++ size_t bufsize = JPC_CEILDIVPOW2(numrows, 1);
+ jpc_fix_t joinbuf[QMFB_JOINBUFSIZE];
+ jpc_fix_t *buf = joinbuf;
+ register jpc_fix_t *srcptr;
+@@ -748,7 +748,7 @@ void jpc_qmfb_join_colgrp(jpc_fix_t *a,
+ int parity)
+ {
+
+- int bufsize = JPC_CEILDIVPOW2(numrows, 1);
++ size_t bufsize = JPC_CEILDIVPOW2(numrows, 1);
+ jpc_fix_t joinbuf[QMFB_JOINBUFSIZE * JPC_QMFB_COLGRPSIZE];
+ jpc_fix_t *buf = joinbuf;
+ jpc_fix_t *srcptr;
+@@ -834,7 +834,7 @@ void jpc_qmfb_join_colres(jpc_fix_t *a,
+ int stride, int parity)
+ {
+
+- int bufsize = JPC_CEILDIVPOW2(numrows, 1);
++ size_t bufsize = JPC_CEILDIVPOW2(numrows, 1);
+ jpc_fix_t joinbuf[QMFB_JOINBUFSIZE * JPC_QMFB_COLGRPSIZE];
+ jpc_fix_t *buf = joinbuf;
+ jpc_fix_t *srcptr;
+--- a/src/libjasper/mif/mif_cod.c
++++ b/src/libjasper/mif/mif_cod.c
+@@ -107,7 +107,7 @@ static int mif_hdr_put(mif_hdr_t *hdr, j
+ static int mif_hdr_addcmpt(mif_hdr_t *hdr, int cmptno, mif_cmpt_t *cmpt);
+ static mif_cmpt_t *mif_cmpt_create(void);
+ static void mif_cmpt_destroy(mif_cmpt_t *cmpt);
+-static char *mif_getline(jas_stream_t *jas_stream, char *buf, int bufsize);
++static char *mif_getline(jas_stream_t *jas_stream, char *buf, size_t bufsize);
+ static int mif_getc(jas_stream_t *in);
+ static mif_hdr_t *mif_makehdrfromimage(jas_image_t *image);
+
+@@ -658,7 +658,7 @@ static void mif_cmpt_destroy(mif_cmpt_t
+ * MIF parsing code.
+ \******************************************************************************/
+
+-static char *mif_getline(jas_stream_t *stream, char *buf, int bufsize)
++static char *mif_getline(jas_stream_t *stream, char *buf, size_t bufsize)
+ {
+ int c;
+ char *bufptr;
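Review bot: In the jpc_qmfb.c hunks, each `size_t bufsize = JPC_CEILDIVPOW2(numcols, 1);` (or `numrows`) converts a value derived from a signed `int` count, so a negative count silently becomes a very large size rather than being rejected. The function bodies continue outside the hunks, so how `bufsize` is then compared or passed to an allocator is not visible here. An explicit guard before the conversion, such as `if (numcols < 0) { abort(); }`, or a documented non-negative precondition on callers, would make the intent clear. The same applies in jas_stream.h and jas_stream.c: `int_fast32_t len_` sits beside the now-unsigned `bufsize_`, and `mem_read`/`mem_write` still take `int cnt`, so any comparison between these in code not shown is now done in unsigned arithmetic and a negative value would compare as huge. Those call sites are worth auditing, with a comment such as `/* bufsize_ is size_t; len_ and cnt are signed, so check for < 0 before comparing */` next to the field.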