From: Gustavo Zacarias Date: Wed, 17 Aug 2016 01:05:54 +0000 (-0300) Subject: jasper: add security patches X-Git-Url: https://git.libre-soc.org/?a=commitdiff_plain;h=61e069e164a3727b7c3a6e5ee88b3340bed0a57f;p=buildroot.git jasper: add security patches Fixes: CVE-2016-2116 - Memory leak in jas_iccprof_createfrombuf causing memory consumption. CVE-2016-1577 - Double free vulnerability in jas_iccattrval_destroy. CVE-2016-1867 - out-of-bounds read in the jpc_pi_nextcprl() function. CVE-2015-5221 - Use-after-free and double-free flaws in Jasper JPEG-2000 library. CVE-2015-5203 - double free in jasper_image_stop_load() Signed-off-by: Gustavo Zacarias Signed-off-by: Peter Korsgaard
---
diff --git a/package/jasper/0008-fix-CVE-2016-2116.patch b/package/jasper/0008-fix-CVE-2016-2116.patch
new file mode 100644
index 0000000000..1ceb3952c7
--- /dev/null
+++ b/package/jasper/0008-fix-CVE-2016-2116.patch
@@ -0,0 +1,18 @@
+Description: Prevent jas_stream_t memory leak in jas_iccprof_createfrombuf()
+Author: Tyler Hicks
+
+From: http://seclists.org/oss-sec/2016/q1/att-507/CVE-2016-2116.patch
+
+Signed-off-by: Gustavo Zacarias
+
+--- jasper-1.900.1-debian1.orig/src/libjasper/base/jas_icc.c
++++ jasper-1.900.1-debian1/src/libjasper/base/jas_icc.c
+@@ -1693,6 +1693,8 @@ jas_iccprof_t *jas_iccprof_createfrombuf
+ jas_stream_close(in);
+ return prof;
+ error:
++ if (in)
++ jas_stream_close(in);
+ return 0;
+ }
+
diff --git a/package/jasper/0009-fix-CVE-2016-1577.patch b/package/jasper/0009-fix-CVE-2016-1577.patch
new file mode 100644
index 0000000000..cfe8b45e30
--- /dev/null
+++ b/package/jasper/0009-fix-CVE-2016-1577.patch
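Review bot: The new `if (in)` guard at the `error:` label is only sound if `in` has been assigned (or initialised to null) before the first `goto error`; the declaration of `in` and the earlier failure paths of jas_iccprof_createfrombuf are outside the hunk, so I cannot confirm that from the visible context, and an indeterminate `in` would turn the guard into a read of garbage followed by a close of a garbage pointer. A declaration-site initialiser, `jas_stream_t *in = 0;`, makes the guard hold no matter which failure path reaches the label and is the usual shape for goto-cleanup in C. The inner function body begins before the shown context.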
@@ -0,0 +1,18 @@
+Description: CVE-2016-1577: Prevent double-free in jas_iccattrval_destroy()
+Author: Tyler Hicks
+Bug-Ubuntu: https://launchpad.net/bugs/1547865
+
+From: http://seclists.org/oss-sec/2016/q1/att-507/CVE-2016-1577.patch
+
+Signed-off-by: Gustavo Zacarias
+
+--- jasper-1.900.1-debian1.orig/src/libjasper/base/jas_icc.c
++++ jasper-1.900.1-debian1/src/libjasper/base/jas_icc.c
+@@ -300,6 +300,7 @@ jas_iccprof_t *jas_iccprof_load(jas_stre
+ if (jas_iccprof_setattr(prof, tagtabent->tag, attrval))
+ goto error;
+ jas_iccattrval_destroy(attrval);
++ attrval = 0;
+ } else {
+ #if 0
+ jas_eprintf("warning: skipping unknown tag type\n");
diff --git a/package/jasper/0010-fix-CVE-2016-1867.patch b/package/jasper/0010-fix-CVE-2016-1867.patch
new file mode 100644
index 0000000000..33f34c356a
--- /dev/null
+++ b/package/jasper/0010-fix-CVE-2016-1867.patch
@@ -0,0 +1,16 @@
+From: http://pkgs.fedoraproject.org/cgit/rpms/jasper.git/plain/jasper-CVE-2016-1867.patch
+
+Signed-off-by: Gustavo Zacarias
+
+diff -urNp jasper-1.900.1.orig/src/libjasper/jpc/jpc_t2cod.c jasper-1.900.1.new/src/libjasper/jpc/jpc_t2cod.c
+--- jasper-1.900.1.orig/src/libjasper/jpc/jpc_t2cod.c 2016-08-11 14:34:31.795661973 +0200
++++ jasper-1.900.1.new/src/libjasper/jpc/jpc_t2cod.c 2016-08-12 07:02:40.044860209 +0200
+@@ -429,7 +429,7 @@ static int jpc_pi_nextcprl(register jpc_
+ }
+
+ for (pi->compno = pchg->compnostart, pi->picomp =
+- &pi->picomps[pi->compno]; pi->compno < JAS_CAST(int, pchg->compnoend); ++pi->compno,
++ &pi->picomps[pi->compno]; pi->compno < JAS_CAST(int, pchg->compnoend) && pi->compno < pi->numcomps; ++pi->compno,
+ ++pi->picomp) {
+ pirlvl = pi->picomp->pirlvls;
+ pi->xstep = pi->picomp->hsamp * (1 << (pirlvl->prcwidthexpn +
diff --git a/package/jasper/0011-fix-CVE-2015-5221.patch b/package/jasper/0011-fix-CVE-2015-5221.patch
new file mode 100644
index 0000000000..7dcbdddd7b
--- /dev/null
+++ b/package/jasper/0011-fix-CVE-2015-5221.patch
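Review bot: The new `attrval = 0;` after `jas_iccattrval_destroy(attrval)` carries no comment, and its purpose, preventing the cleanup at the end of jas_iccprof_load (outside the hunk) from freeing the same value a second time on a later `goto error`, is invisible to a reader who only sees this loop body. I would annotate it: `attrval = 0; /* destroyed; clear so the error path cannot free it again */`. The `goto error` two lines above still leaves `attrval` live for the error label to free, which is correct only if `jas_iccprof_setattr` does not take ownership on failure; that is not shown here and is worth confirming against the callee.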
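Review bot: The added `&& pi->compno < pi->numcomps` in jpc_pi_nextcprl clamps the loop silently, so a progression-order change whose `compnoend` exceeds the component count is quietly truncated instead of being rejected as a malformed codestream; validating `compnoend` (and `compnostart`) against `numcomps` where the POC entry is parsed, and failing the decode there, would make the bound an invariant rather than a per-iteration guard. The loop initialiser still forms `&pi->picomps[pi->compno]` from an unchecked `compnostart`; it is never dereferenced when the new guard fails, but the pointer itself is out of bounds if `compnostart` exceeds `numcomps`, which is worth a comment or a check. The type of `pi->numcomps` is not visible; if it is not `int` the comparison with `pi->compno` mixes signedness. The enclosing function starts and ends outside the hunk.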
@@ -0,0 +1,23 @@
+From: http://pkgs.fedoraproject.org/cgit/rpms/jasper.git/plain/jasper-CVE-2015-5221.patch
+
+Signed-off-by: Gustavo Zacarias
+
+diff -urNp jasper-1.900.1.orig/src/libjasper/mif/mif_cod.c jasper-1.900.1.new/src/libjasper/mif/mif_cod.c
+--- jasper-1.900.1.orig/src/libjasper/mif/mif_cod.c 2016-08-11 13:46:26.166415464 +0200
++++ jasper-1.900.1.new/src/libjasper/mif/mif_cod.c 2016-08-11 14:17:20.507144931 +0200
+@@ -569,13 +569,13 @@ static int mif_process_cmpt(mif_hdr_t *h
+ break;
+ }
+ }
+- jas_tvparser_destroy(tvp);
+ if (!cmpt->sampperx || !cmpt->samppery) {
+ goto error;
+ }
+ if (mif_hdr_addcmpt(hdr, hdr->numcmpts, cmpt)) {
+ goto error;
+ }
++ jas_tvparser_destroy(tvp);
+ return 0;
+
+ error:
+
diff --git a/package/jasper/0012-fix-CVE-2015-5203.patch b/package/jasper/0012-fix-CVE-2015-5203.patch
new file mode 100644
index 0000000000..50f0613cd8
--- /dev/null
+++ b/package/jasper/0012-fix-CVE-2015-5203.patch
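Review bot: Moving `jas_tvparser_destroy(tvp)` below the two `goto error` checks in mif_process_cmpt removes the double free only because the `error:` label, whose body is outside the hunk, is now the sole owner of `tvp` on those paths; the parser is kept alive across `mif_hdr_addcmpt` for no reason, and any future early exit placed after the new destroy call would reintroduce the bug. Destroying at the original point and clearing the pointer, `jas_tvparser_destroy(tvp); tvp = 0;`, keeps the cleanup label correct on every path provided it guards with `if (tvp)` (implied by the original double free, but not visible here) and records the ownership hand-off where it happens. If the label does not null-check `tvp`, the moved call is the only safe form and deserves a one-line comment saying why it sits after the checks.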
@@ -0,0 +1,187 @@
+From: http://pkgs.fedoraproject.org/cgit/rpms/jasper.git/plain/jasper-CVE-2015-5203.patch
+
+Signed-off-by: Gustavo Zacarias
+
+diff -urNp jasper-1.900.1.orig/src/libjasper/base/jas_stream.c jasper-1.900.1.new/src/libjasper/base/jas_stream.c
+--- jasper-1.900.1.orig/src/libjasper/base/jas_stream.c 2016-08-11 13:35:09.160895769 +0200
++++ jasper-1.900.1.new/src/libjasper/base/jas_stream.c 2016-08-11 13:39:33.800843489 +0200
+@@ -99,7 +99,7 @@ static int jas_strtoopenmode(const char
+ static void jas_stream_destroy(jas_stream_t *stream);
+ static jas_stream_t *jas_stream_create(void);
+ static void jas_stream_initbuf(jas_stream_t *stream, int bufmode, char *buf,
+- int bufsize);
++ size_t bufsize);
+
+ static int mem_read(jas_stream_obj_t *obj, char *buf, int cnt);
+ static int mem_write(jas_stream_obj_t *obj, char *buf, int cnt);
+@@ -168,7 +168,7 @@ static jas_stream_t *jas_stream_create()
+ return stream;
+ }
+
+-jas_stream_t *jas_stream_memopen(char *buf, int bufsize)
++jas_stream_t *jas_stream_memopen(char *buf, size_t bufsize)
+ {
+ jas_stream_t *stream;
+ jas_stream_memobj_t *obj;
+@@ -570,7 +570,7 @@ int jas_stream_puts(jas_stream_t *stream
+ return 0;
+ }
+
+-char *jas_stream_gets(jas_stream_t *stream, char *buf, int bufsize)
++char *jas_stream_gets(jas_stream_t *stream, char *buf, size_t bufsize)
+ {
+ int c;
+ char *bufptr;
+@@ -694,7 +694,7 @@ long jas_stream_tell(jas_stream_t *strea
+ \******************************************************************************/
+
+ static void jas_stream_initbuf(jas_stream_t *stream, int bufmode, char *buf,
+- int bufsize)
++ size_t bufsize)
+ {
+ /* If this function is being called, the buffer should not have been
+ initialized yet. */
+@@ -987,7 +987,7 @@ static int mem_read(jas_stream_obj_t *ob
+ return cnt;
+ }
+
+-static int mem_resize(jas_stream_memobj_t *m, int bufsize)
++static int mem_resize(jas_stream_memobj_t *m, size_t bufsize)
+ {
+ unsigned char *buf;
+
+diff -urNp jasper-1.900.1.orig/src/libjasper/include/jasper/jas_stream.h jasper-1.900.1.new/src/libjasper/include/jasper/jas_stream.h
+--- jasper-1.900.1.orig/src/libjasper/include/jasper/jas_stream.h 2007-01-19 22:43:04.000000000 +0100
++++ jasper-1.900.1.new/src/libjasper/include/jasper/jas_stream.h 2016-08-11 13:41:27.841153595 +0200
+@@ -215,7 +215,7 @@ typedef struct {
+ uchar *bufstart_;
+
+ /* The buffer size. */
+- int bufsize_;
++ size_t bufsize_;
+
+ /* The current position in the buffer. */
+ uchar *ptr_;
+@@ -267,7 +267,7 @@ typedef struct {
+ uchar *buf_;
+
+ /* The allocated size of the buffer for holding file data. */
+- int bufsize_;
++ size_t bufsize_;
+
+ /* The length of the file. */
+ int_fast32_t len_;
+@@ -291,7 +291,7 @@ typedef struct {
+ jas_stream_t *jas_stream_fopen(const char *filename, const char *mode);
+
+ /* Open a memory buffer as a stream. */
+-jas_stream_t *jas_stream_memopen(char *buf, int bufsize);
++jas_stream_t *jas_stream_memopen(char *buf, size_t bufsize);
+
+ /* Open a file descriptor as a stream. */
+ jas_stream_t *jas_stream_fdopen(int fd, const char *mode);
+@@ -366,7 +366,7 @@ int jas_stream_printf(jas_stream_t *stre
+ int jas_stream_puts(jas_stream_t *stream, const char *s);
+
+ /* Read a line of input from a stream. */
+-char *jas_stream_gets(jas_stream_t *stream, char *buf, int bufsize);
++char *jas_stream_gets(jas_stream_t *stream, char *buf, size_t bufsize);
+
+ /* Look at the next character to be read from a stream without actually
+ removing it from the stream. */
+diff -urNp jasper-1.900.1.orig/src/libjasper/jpc/jpc_qmfb.c jasper-1.900.1.new/src/libjasper/jpc/jpc_qmfb.c
+--- jasper-1.900.1.orig/src/libjasper/jpc/jpc_qmfb.c 2016-08-11 13:35:09.170895681 +0200
++++ jasper-1.900.1.new/src/libjasper/jpc/jpc_qmfb.c 2016-08-11 13:45:20.847809678 +0200
+@@ -305,7 +305,7 @@ jpc_qmfb2d_t jpc_ns_qmfb2d = {
+ void jpc_qmfb_split_row(jpc_fix_t *a, int numcols, int parity)
+ {
+
+- int bufsize = JPC_CEILDIVPOW2(numcols, 1);
++ size_t bufsize = JPC_CEILDIVPOW2(numcols, 1);
+ jpc_fix_t splitbuf[QMFB_SPLITBUFSIZE];
+ jpc_fix_t *buf = splitbuf;
+ register jpc_fix_t *srcptr;
+@@ -365,7 +365,7 @@ void jpc_qmfb_split_col(jpc_fix_t *a, in
+ int parity)
+ {
+
+- int bufsize = JPC_CEILDIVPOW2(numrows, 1);
++ size_t bufsize = JPC_CEILDIVPOW2(numrows, 1);
+ jpc_fix_t splitbuf[QMFB_SPLITBUFSIZE];
+ jpc_fix_t *buf = splitbuf;
+ register jpc_fix_t *srcptr;
+@@ -425,7 +425,7 @@ void jpc_qmfb_split_colgrp(jpc_fix_t *a,
+ int parity)
+ {
+
+- int bufsize = JPC_CEILDIVPOW2(numrows, 1);
++ size_t bufsize = JPC_CEILDIVPOW2(numrows, 1);
+ jpc_fix_t splitbuf[QMFB_SPLITBUFSIZE * JPC_QMFB_COLGRPSIZE];
+ jpc_fix_t *buf = splitbuf;
+ jpc_fix_t *srcptr;
+@@ -506,7 +506,7 @@ void jpc_qmfb_split_colres(jpc_fix_t *a,
+ int stride, int parity)
+ {
+
+- int bufsize = JPC_CEILDIVPOW2(numrows, 1);
++ size_t bufsize = JPC_CEILDIVPOW2(numrows, 1);
+ jpc_fix_t splitbuf[QMFB_SPLITBUFSIZE * JPC_QMFB_COLGRPSIZE];
+ jpc_fix_t *buf = splitbuf;
+ jpc_fix_t *srcptr;
+@@ -586,7 +586,7 @@ void jpc_qmfb_split_colres(jpc_fix_t *a,
+ void jpc_qmfb_join_row(jpc_fix_t *a, int numcols, int parity)
+ {
+
+- int bufsize = JPC_CEILDIVPOW2(numcols, 1);
++ size_t bufsize = JPC_CEILDIVPOW2(numcols, 1);
+ jpc_fix_t joinbuf[QMFB_JOINBUFSIZE];
+ jpc_fix_t *buf = joinbuf;
+ register jpc_fix_t *srcptr;
+@@ -643,7 +643,7 @@ void jpc_qmfb_join_col(jpc_fix_t *a, int
+ int parity)
+ {
+
+- int bufsize = JPC_CEILDIVPOW2(numrows, 1);
++ size_t bufsize = JPC_CEILDIVPOW2(numrows, 1);
+ jpc_fix_t joinbuf[QMFB_JOINBUFSIZE];
+ jpc_fix_t *buf = joinbuf;
+ register jpc_fix_t *srcptr;
+@@ -700,7 +700,7 @@ void jpc_qmfb_join_colgrp(jpc_fix_t *a,
+ int parity)
+ {
+
+- int bufsize = JPC_CEILDIVPOW2(numrows, 1);
++ size_t bufsize = JPC_CEILDIVPOW2(numrows, 1);
+ jpc_fix_t joinbuf[QMFB_JOINBUFSIZE * JPC_QMFB_COLGRPSIZE];
+ jpc_fix_t *buf = joinbuf;
+ jpc_fix_t *srcptr;
+@@ -778,7 +778,7 @@ void jpc_qmfb_join_colres(jpc_fix_t *a,
+ int stride, int parity)
+ {
+
+- int bufsize = JPC_CEILDIVPOW2(numrows, 1);
++ size_t bufsize = JPC_CEILDIVPOW2(numrows, 1);
+ jpc_fix_t joinbuf[QMFB_JOINBUFSIZE * JPC_QMFB_COLGRPSIZE];
+ jpc_fix_t *buf = joinbuf;
+ jpc_fix_t *srcptr;
+diff -urNp jasper-1.900.1.orig/src/libjasper/mif/mif_cod.c jasper-1.900.1.new/src/libjasper/mif/mif_cod.c
+--- jasper-1.900.1.orig/src/libjasper/mif/mif_cod.c 2016-08-11 13:35:09.179895601 +0200
++++ jasper-1.900.1.new/src/libjasper/mif/mif_cod.c 2016-08-11 13:46:26.166415464 +0200
+@@ -107,7 +107,7 @@ static int mif_hdr_put(mif_hdr_t *hdr, j
+ static int mif_hdr_addcmpt(mif_hdr_t *hdr, int cmptno, mif_cmpt_t *cmpt);
+ static mif_cmpt_t *mif_cmpt_create(void);
+ static void mif_cmpt_destroy(mif_cmpt_t *cmpt);
+-static char *mif_getline(jas_stream_t *jas_stream, char *buf, int bufsize);
++static char *mif_getline(jas_stream_t *jas_stream, char *buf, size_t bufsize);
+ static int mif_getc(jas_stream_t *in);
+ static mif_hdr_t *mif_makehdrfromimage(jas_image_t *image);
+
+@@ -657,7 +657,7 @@ static void mif_cmpt_destroy(mif_cmpt_t
+ * MIF parsing code.
+ \******************************************************************************/
+
+-static char *mif_getline(jas_stream_t *stream, char *buf, int bufsize)
++static char *mif_getline(jas_stream_t *stream, char *buf, size_t bufsize)
+ {
+ int c;
+ char *bufptr;