From 9ad3263e802afd53731df2dce73199621e62ecde Mon Sep 17 00:00:00 2001 From: Dirk Meyer Date: Wed, 17 Apr 2013 21:25:47 +0000 Subject: graphics/jasper - Security fixes Multiple integer overflows Buffer overflow in the jas_stream_printf execute arbitrary code on decodes images Security: CVE-2008-3520 Security: CVE-2008-3522 Security: CVE-2011-4516 Security: CVE-2011-4517 PR: 163718 Obtained from: Fedora Feature safe: yes --- graphics/jasper/files/patch-jpc_qmfb.c | 74 ++++++++++++++++++++++++++++++++++ 1 file changed, 74 insertions(+) create mode 100644 graphics/jasper/files/patch-jpc_qmfb.c (limited to 'graphics/jasper/files/patch-jpc_qmfb.c') diff --git a/graphics/jasper/files/patch-jpc_qmfb.c b/graphics/jasper/files/patch-jpc_qmfb.c new file mode 100644 index 000000000000..07e975922967 --- /dev/null +++ b/graphics/jasper/files/patch-jpc_qmfb.c @@ -0,0 +1,74 @@ +--- src/libjasper/jpc/jpc_qmfb.c.orig 2007-01-19 22:43:07.000000000 +0100 ++++ src/libjasper/jpc/jpc_qmfb.c 2013-04-17 22:32:23.000000000 +0200 +@@ -321,7 +321,7 @@ + #if !defined(HAVE_VLA) + /* Get a buffer. */ + if (bufsize > QMFB_SPLITBUFSIZE) { +- if (!(buf = jas_malloc(bufsize * sizeof(jpc_fix_t)))) { ++ if (!(buf = jas_malloc2(bufsize, sizeof(jpc_fix_t)))) { + /* We have no choice but to commit suicide in this case. */ + abort(); + } +@@ -389,7 +389,7 @@ + #if !defined(HAVE_VLA) + /* Get a buffer. */ + if (bufsize > QMFB_SPLITBUFSIZE) { +- if (!(buf = jas_malloc(bufsize * sizeof(jpc_fix_t)))) { ++ if (!(buf = jas_malloc2(bufsize, sizeof(jpc_fix_t)))) { + /* We have no choice but to commit suicide in this case. */ + abort(); + } +@@ -460,7 +460,7 @@ + #if !defined(HAVE_VLA) + /* Get a buffer. */ + if (bufsize > QMFB_SPLITBUFSIZE) { +- if (!(buf = jas_malloc(bufsize * sizeof(jpc_fix_t)))) { ++ if (!(buf = jas_malloc2(bufsize, sizeof(jpc_fix_t)))) { + /* We have no choice but to commit suicide in this case. */ + abort(); + } +@@ -549,7 +549,7 @@ + #if !defined(HAVE_VLA) + /* Get a buffer. */ + if (bufsize > QMFB_SPLITBUFSIZE) { +- if (!(buf = jas_malloc(bufsize * sizeof(jpc_fix_t)))) { ++ if (!(buf = jas_malloc2(bufsize, sizeof(jpc_fix_t)))) { + /* We have no choice but to commit suicide in this case. */ + abort(); + } +@@ -633,7 +633,7 @@ + #if !defined(HAVE_VLA) + /* Allocate memory for the join buffer from the heap. */ + if (bufsize > QMFB_JOINBUFSIZE) { +- if (!(buf = jas_malloc(bufsize * sizeof(jpc_fix_t)))) { ++ if (!(buf = jas_malloc2(bufsize, sizeof(jpc_fix_t)))) { + /* We have no choice but to commit suicide. */ + abort(); + } +@@ -698,7 +698,7 @@ + #if !defined(HAVE_VLA) + /* Allocate memory for the join buffer from the heap. */ + if (bufsize > QMFB_JOINBUFSIZE) { +- if (!(buf = jas_malloc(bufsize * sizeof(jpc_fix_t)))) { ++ if (!(buf = jas_malloc2(bufsize, sizeof(jpc_fix_t)))) { + /* We have no choice but to commit suicide. */ + abort(); + } +@@ -766,7 +766,7 @@ + #if !defined(HAVE_VLA) + /* Allocate memory for the join buffer from the heap. */ + if (bufsize > QMFB_JOINBUFSIZE) { +- if (!(buf = jas_malloc(bufsize * JPC_QMFB_COLGRPSIZE * sizeof(jpc_fix_t)))) { ++ if (!(buf = jas_malloc2(bufsize, JPC_QMFB_COLGRPSIZE * sizeof(jpc_fix_t)))) { + /* We have no choice but to commit suicide. */ + abort(); + } +@@ -852,7 +852,7 @@ + #if !defined(HAVE_VLA) + /* Allocate memory for the join buffer from the heap. */ + if (bufsize > QMFB_JOINBUFSIZE) { +- if (!(buf = jas_malloc(bufsize * numcols * sizeof(jpc_fix_t)))) { ++ if (!(buf = jas_malloc2(bufsize, numcols, sizeof(jpc_fix_t)))) { + /* We have no choice but to commit suicide. */ + abort(); + } -- cgit v1.2.3