graphics/jasper

- Security fixes
  Multiple integer overflows
  Buffer overflow in the jas_stream_printf
  execute arbitrary code on decodes images
Security: CVE-2008-3520
Security: CVE-2008-3522
Security: CVE-2011-4516
Security: CVE-2011-4517
PR:             163718
Obtained from:  Fedora
Feature safe: yes

1 files changed, 20 insertions, 0 deletions

diff --git a/graphics/jasper/files/patch-jp2_dec.c b/graphics/jasper/files/patch-jp2_dec.c
new file mode 100644
index 000000000000..0a847fd2f82f
--- /dev/null
+++ b/graphics/jasper/files/patch-jp2_dec.c
@@ -0,0 +1,20 @@
+--- src/libjasper/jp2/jp2_dec.c.orig	2007-01-19 22:43:05.000000000 +0100
++++ src/libjasper/jp2/jp2_dec.c	2013-04-17 22:32:23.000000000 +0200
+@@ -336,7 +336,7 @@
+ 	}
+ 
+ 	/* Allocate space for the channel-number to component-number LUT. */
+-	if (!(dec->chantocmptlut = jas_malloc(dec->numchans * sizeof(uint_fast16_t)))) {
++	if (!(dec->chantocmptlut = jas_malloc2(dec->numchans, sizeof(uint_fast16_t)))) {
+ 		jas_eprintf("error: no memory\n");
+ 		goto error;
+ 	}
+@@ -354,7 +354,7 @@
+ 			if (cmapent->map == JP2_CMAP_DIRECT) {
+ 				dec->chantocmptlut[channo] = channo;
+ 			} else if (cmapent->map == JP2_CMAP_PALETTE) {
+-				lutents = jas_malloc(pclrd->numlutents * sizeof(int_fast32_t));
++				lutents = jas_malloc2(pclrd->numlutents, sizeof(int_fast32_t));
+ 				for (i = 0; i < pclrd->numlutents; ++i) {
+ 					lutents[i] = pclrd->lutdata[cmapent->pcol + i * pclrd->numchans];
+ 				}