From 9ad3263e802afd53731df2dce73199621e62ecde Mon Sep 17 00:00:00 2001
From: Dirk Meyer
Date: Wed, 17 Apr 2013 21:25:47 +0000
Subject: graphics/jasper - Security fixes Multiple integer overflows Buffer overflow in the jas_stream_printf execute arbitrary code on decodes images
Security: CVE-2008-3520
Security: CVE-2008-3522
Security: CVE-2011-4516
Security: CVE-2011-4517
PR: 163718
Obtained from: Fedora
Feature safe: yes
---
graphics/jasper/files/patch-jas_image.c | 21 +++++++++++++++++++++
1 file changed, 21 insertions(+)
create mode 100644 graphics/jasper/files/patch-jas_image.c
(limited to 'graphics/jasper/files/patch-jas_image.c')
diff --git a/graphics/jasper/files/patch-jas_image.c b/graphics/jasper/files/patch-jas_image.c
new file mode 100644
index 000000000000..43adc59e6922
--- /dev/null
+++ b/graphics/jasper/files/patch-jas_image.c
@@ -0,0 +1,21 @@
+--- src/libjasper/base/jas_image.c.orig 2007-01-19 22:43:05.000000000 +0100
++++ src/libjasper/base/jas_image.c 2013-04-17 22:32:23.000000000 +0200
+@@ -142,7 +142,7 @@
+ image->inmem_ = true;
+
+ /* Allocate memory for the per-component information. */
+- if (!(image->cmpts_ = jas_malloc(image->maxcmpts_ *
++ if (!(image->cmpts_ = jas_malloc2(image->maxcmpts_,
+ sizeof(jas_image_cmpt_t *)))) {
+ jas_image_destroy(image);
+ return 0;
+@@ -774,8 +774,7 @@
+ jas_image_cmpt_t **newcmpts;
+ int cmptno;
+
+- newcmpts = (!image->cmpts_) ? jas_malloc(maxcmpts * sizeof(jas_image_cmpt_t *)) :
+- jas_realloc(image->cmpts_, maxcmpts * sizeof(jas_image_cmpt_t *));
++ newcmpts = jas_realloc2(image->cmpts_, maxcmpts, sizeof(jas_image_cmpt_t *));
+ if (!newcmpts) {
+ return -1;
+ }
--
cgit v1.2.3
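Review bot: The inner hunk at line 774 drops the `!image->cmpts_` branch, so the first allocation now depends on `jas_realloc2` accepting a NULL pointer the way `realloc` does; that helper is defined outside this file section, so this should be confirmed against its definition. Both call sites also leave the overflow check entirely to `jas_malloc2`/`jas_realloc2`. If the count is a signed `int` (its declaration is not visible here), a negative value would presumably be converted to a very large unsigned count, which the helper must also reject. A guard ahead of the call, for example `if (maxcmpts < 0) return -1;`, would make that rejection explicit at the call site. The enclosing functions start and end outside both inner hunks, so the type of `maxcmpts` and the callers' handling of the `-1` return should be checked there.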