graphics/jasper

- Security fixes
  Multiple integer overflows
  Buffer overflow in the jas_stream_printf
  execute arbitrary code on decodes images
Security: CVE-2008-3520
Security: CVE-2008-3522
Security: CVE-2011-4516
Security: CVE-2011-4517
PR:             163718
Obtained from:  Fedora
Feature safe: yes

1 files changed, 29 insertions, 0 deletions

diff --git a/graphics/jasper/files/patch-jpc_t2dec.c b/graphics/jasper/files/patch-jpc_t2dec.c
new file mode 100644
index 000000000000..6076d3afee68
--- /dev/null
+++ b/graphics/jasper/files/patch-jpc_t2dec.c
@@ -0,0 +1,29 @@
+--- src/libjasper/jpc/jpc_t2dec.c.orig	2007-01-19 22:43:07.000000000 +0100
++++ src/libjasper/jpc/jpc_t2dec.c	2013-04-17 22:32:23.000000000 +0200
+@@ -478,7 +478,7 @@
+ 		return 0;
+ 	}
+ 	pi->numcomps = dec->numcomps;
+-	if (!(pi->picomps = jas_malloc(pi->numcomps * sizeof(jpc_picomp_t)))) {
++	if (!(pi->picomps = jas_malloc2(pi->numcomps, sizeof(jpc_picomp_t)))) {
+ 		jpc_pi_destroy(pi);
+ 		return 0;
+ 	}
+@@ -490,7 +490,7 @@
+ 	for (compno = 0, tcomp = tile->tcomps, picomp = pi->picomps;
+ 	  compno < pi->numcomps; ++compno, ++tcomp, ++picomp) {
+ 		picomp->numrlvls = tcomp->numrlvls;
+-		if (!(picomp->pirlvls = jas_malloc(picomp->numrlvls *
++		if (!(picomp->pirlvls = jas_malloc2(picomp->numrlvls,
+ 		  sizeof(jpc_pirlvl_t)))) {
+ 			jpc_pi_destroy(pi);
+ 			return 0;
+@@ -503,7 +503,7 @@
+ 		  rlvlno < picomp->numrlvls; ++rlvlno, ++pirlvl, ++rlvl) {
+ /* XXX sizeof(long) should be sizeof different type */
+ 			pirlvl->numprcs = rlvl->numprcs;
+-			if (!(pirlvl->prclyrnos = jas_malloc(pirlvl->numprcs *
++			if (!(pirlvl->prclyrnos = jas_malloc2(pirlvl->numprcs,
+ 			  sizeof(long)))) {
+ 				jpc_pi_destroy(pi);
+ 				return 0;