From: Michael Vetter Date: Mon, 2 Dec 2019 11:59:33 +0000 (+0100) Subject: package/jasper: Apply fix for CVE-2018-19542 X-Git-Url: https://git.libre-soc.org/?a=commitdiff_plain;h=61703b82cdcbd32dd27e8a8f2de31dfa45e6a2b1;p=buildroot.git package/jasper: Apply fix for CVE-2018-19542 Add 0002-check-null-in-jp2_decode.patch: Patch was proposed upstream[1] but upstream is very inactive. Linux distributions use the same fix to patch their packages. 1: https://github.com/mdadams/jasper/pull/200 Signed-off-by: Michael Vetter Signed-off-by: Peter Korsgaard --- diff --git a/package/jasper/0002-check-null-in-jp2_decode-CVE-2018-19542.patch b/package/jasper/0002-check-null-in-jp2_decode-CVE-2018-19542.patch new file mode 100644 index 0000000000..515a6162cd --- /dev/null +++ b/package/jasper/0002-check-null-in-jp2_decode-CVE-2018-19542.patch @@ -0,0 +1,24 @@ +From fc62d1b7164ded2405fd6a0604548b34a5a77462 Mon Sep 17 00:00:00 2001 +From: Timothy Lyanguzov +Date: Mon, 18 Mar 2019 16:46:24 +1300 +Subject: [PATCH] Fix CVE-2018-19542: Check for NULL pointer in jp2_decode + +Signed-off-by: Michael Vetter +--- + src/libjasper/jp2/jp2_dec.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/src/libjasper/jp2/jp2_dec.c b/src/libjasper/jp2/jp2_dec.c +index 03b0eaf..a535c19 100644 +--- a/src/libjasper/jp2/jp2_dec.c ++++ b/src/libjasper/jp2/jp2_dec.c +@@ -388,6 +388,9 @@ jas_image_t *jp2_decode(jas_stream_t *in, const char *optstr) + jas_image_setcmpttype(dec->image, newcmptno, jp2_getct(jas_image_clrspc(dec->image), 0, channo + 1)); + } + #endif ++ } else { ++ jas_eprintf("error: invalid MTYP in CMAP box\n"); ++ goto error; + } + } + }