From 9ad3263e802afd53731df2dce73199621e62ecde Mon Sep 17 00:00:00 2001 From: Dirk Meyer Date: Wed, 17 Apr 2013 21:25:47 +0000 Subject: graphics/jasper - Security fixes Multiple integer overflows Buffer overflow in the jas_stream_printf execute arbitrary code on decodes images Security: CVE-2008-3520 Security: CVE-2008-3522 Security: CVE-2011-4516 Security: CVE-2011-4517 PR: 163718 Obtained from: Fedora Feature safe: yes
---
graphics/jasper/files/patch-jpc_t2dec.c | 29 +++++++++++++++++++++++++++++
1 file changed, 29 insertions(+)
create mode 100644 graphics/jasper/files/patch-jpc_t2dec.c
(limited to 'graphics/jasper/files/patch-jpc_t2dec.c')
diff --git a/graphics/jasper/files/patch-jpc_t2dec.c b/graphics/jasper/files/patch-jpc_t2dec.c
new file mode 100644
index 000000000000..6076d3afee68
--- /dev/null
+++ b/graphics/jasper/files/patch-jpc_t2dec.c
@@ -0,0 +1,29 @@
+--- src/libjasper/jpc/jpc_t2dec.c.orig 2007-01-19 22:43:07.000000000 +0100
++++ src/libjasper/jpc/jpc_t2dec.c 2013-04-17 22:32:23.000000000 +0200
+@@ -478,7 +478,7 @@
+ return 0;
+ }
+ pi->numcomps = dec->numcomps;
+- if (!(pi->picomps = jas_malloc(pi->numcomps * sizeof(jpc_picomp_t)))) {
++ if (!(pi->picomps = jas_malloc2(pi->numcomps, sizeof(jpc_picomp_t)))) {
+ jpc_pi_destroy(pi);
+ return 0;
+ }
+@@ -490,7 +490,7 @@
+ for (compno = 0, tcomp = tile->tcomps, picomp = pi->picomps;
+ compno < pi->numcomps; ++compno, ++tcomp, ++picomp) {
+ picomp->numrlvls = tcomp->numrlvls;
+- if (!(picomp->pirlvls = jas_malloc(picomp->numrlvls *
++ if (!(picomp->pirlvls = jas_malloc2(picomp->numrlvls,
+ sizeof(jpc_pirlvl_t)))) {
+ jpc_pi_destroy(pi);
+ return 0;
+@@ -503,7 +503,7 @@
+ rlvlno < picomp->numrlvls; ++rlvlno, ++pirlvl, ++rlvl) {
+ /* XXX sizeof(long) should be sizeof different type */
+ pirlvl->numprcs = rlvl->numprcs;
+- if (!(pirlvl->prclyrnos = jas_malloc(pirlvl->numprcs *
++ if (!(pirlvl->prclyrnos = jas_malloc2(pirlvl->numprcs,
+ sizeof(long)))) {
+ jpc_pi_destroy(pi);
+ return 0;
-- cgit v1.2.3
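Review bot: The third inner hunk (at line 503 of jpc_t2dec.c) still sizes each element as `sizeof(long)`, which the retained `/* XXX sizeof(long) should be sizeof different type */` comment already flags as wrong. Since the call is being rewritten anyway, `jas_malloc2(pirlvl->numprcs, sizeof *pirlvl->prclyrnos)` would tie the element size to the pointer's own type and let the XXX comment go. Separately, `jas_malloc2` is not defined anywhere in this file-limited view, so the overflow protection at all three call sites depends on a definition elsewhere in the commit that rejects a wrapping product. If `numcomps`, `numrlvls` and `numprcs` are signed, it is worth confirming that a negative count makes the allocation fail rather than being converted silently. The enclosing function starts and ends outside the inner hunks, so how the counts are validated before these calls cannot be judged from here.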