From 9ad3263e802afd53731df2dce73199621e62ecde Mon Sep 17 00:00:00 2001
From: Dirk Meyer
Date: Wed, 17 Apr 2013 21:25:47 +0000
Subject: graphics/jasper - Security fixes Multiple integer overflows Buffer overflow in the jas_stream_printf execute arbitrary code on decodes images
Security: CVE-2008-3520
Security: CVE-2008-3522
Security: CVE-2011-4516
Security: CVE-2011-4517
PR: 163718
Obtained from: Fedora
Feature safe: yes
---
graphics/jasper/files/patch-jp2_dec.c | 20 ++++++++++++++++++++
1 file changed, 20 insertions(+)
create mode 100644 graphics/jasper/files/patch-jp2_dec.c
(limited to 'graphics/jasper/files/patch-jp2_dec.c')
diff --git a/graphics/jasper/files/patch-jp2_dec.c b/graphics/jasper/files/patch-jp2_dec.c
new file mode 100644
index 000000000000..0a847fd2f82f
--- /dev/null
+++ b/graphics/jasper/files/patch-jp2_dec.c
@@ -0,0 +1,20 @@
+--- src/libjasper/jp2/jp2_dec.c.orig 2007-01-19 22:43:05.000000000 +0100
++++ src/libjasper/jp2/jp2_dec.c 2013-04-17 22:32:23.000000000 +0200
+@@ -336,7 +336,7 @@
+ }
+
+ /* Allocate space for the channel-number to component-number LUT. */
+- if (!(dec->chantocmptlut = jas_malloc(dec->numchans * sizeof(uint_fast16_t)))) {
++ if (!(dec->chantocmptlut = jas_malloc2(dec->numchans, sizeof(uint_fast16_t)))) {
+ jas_eprintf("error: no memory\n");
+ goto error;
+ }
+@@ -354,7 +354,7 @@
+ if (cmapent->map == JP2_CMAP_DIRECT) {
+ dec->chantocmptlut[channo] = channo;
+ } else if (cmapent->map == JP2_CMAP_PALETTE) {
+- lutents = jas_malloc(pclrd->numlutents * sizeof(int_fast32_t));
++ lutents = jas_malloc2(pclrd->numlutents, sizeof(int_fast32_t));
+ for (i = 0; i < pclrd->numlutents; ++i) {
+ lutents[i] = pclrd->lutdata[cmapent->pcol + i * pclrd->numchans];
+ }
-- cgit v1.2.3
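Review bot: In the second inner hunk (jp2_dec.c line 354) the result of `jas_malloc2(pclrd->numlutents, sizeof(int_fast32_t))` is written through in the `for` loop that follows without a NULL check, unlike the allocation at line 336, which bails out with `goto error`. The definition of jas_malloc2 is not in this file, but if it returns NULL on multiplication overflow or allocation failure, as presumed, an oversized `numlutents` from the image turns the overflow into a NULL dereference at `lutents[i] = ...`. I would add `if (!lutents) { jas_eprintf("error: no memory\n"); goto error; }` directly after the allocation, assuming the same `error` label is in scope there. The index `cmapent->pcol + i * pclrd->numchans` into `lutdata` is also not range-checked in the visible lines, so it is worth confirming that `pcol` is validated against `numchans` earlier. The enclosing function starts and ends outside both hunks.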