From 7a21e6e9e3095197267d11c0844e94d648d5f379 Mon Sep 17 00:00:00 2001 From: Baruch Siach Date: Thu, 10 Nov 2016 19:54:39 +0200 Subject: [PATCH] jasper: security bump to version 1.900.22 Fixes: CVE-2016-8693: Double free vulnerability in mem_close CVE-2016-8692: Divide by zero in jpc_dec_process_siz CVE-2016-8691: Divide by zero in jpc_dec_process_siz CVE-2016-8690: Null pointer dereference in bmp_getdata triggered by crafted BMP image CVE-2016-2089: matrix rows_ NULL pointer dereference in jas_matrix_clip() CVE-2016-8886: memory allocation failure in jas_malloc CVE-2016-8887: Null pointer dereference in jp2_colr_destroy CVE-2016-8884, CVE-2016-8885: Null pointer dereference in bmp_getdata (incomplete fix for CVE-2016-8690) CVE-2016-8880: Heap buffer overflow in jpc_dec_cp_setfromcox() CVE-2016-8881: Heap buffer overflow in jpc_getuint16() CVE-2016-8882: Null pointer access in jpc_pi_destroy CVE-2016-8883: Assert in jpc_dec_tiledecode() Drop upstream patches. Change SITE to the official download location, since the current one does not have the updated version. Unfortunately, the official site only offers tar.gz. Fix license. It is "based on the MIT license", but not exactly the same (http://www.ece.uvic.ca/~frodo/jasper/; under "Legal Issues"). Drop autoreconf; the autotools version has been updated since commit 324ccec90d (jasper: autoreconf to fix rpath issue) that introduced it. Cc: Maxime Hadjinlian Signed-off-by: Baruch Siach 
Signed-off-by: Thomas Petazzoni --- package/jasper/0001-fix-CVE-2014-9029.patch | 36 -- package/jasper/0002-fix-CVE-2014-8138.patch | 18 - package/jasper/0003-fix-CVE-2014-8137-1.patch | 47 --- package/jasper/0004-fix-CVE-2014-8137-2.patch | 18 - package/jasper/0005-fix-CVE-2014-8157.patch | 17 - package/jasper/0006-fix-CVE-2014-8158.patch | 334 ------------------ package/jasper/0007-preserve-cflags.patch | 27 -- package/jasper/0008-fix-CVE-2016-2116.patch | 18 - package/jasper/0009-fix-CVE-2016-1577.patch | 18 - package/jasper/0010-fix-CVE-2016-1867.patch | 16 - package/jasper/0011-fix-CVE-2015-5221.patch | 23 -- package/jasper/0012-fix-CVE-2015-5203.patch | 187 ---------- package/jasper/jasper.hash | 2 +- package/jasper/jasper.mk | 9 +- 14 files changed, 4 insertions(+), 766 deletions(-) delete mode 100644 package/jasper/0001-fix-CVE-2014-9029.patch delete mode 100644 package/jasper/0002-fix-CVE-2014-8138.patch delete mode 100644 package/jasper/0003-fix-CVE-2014-8137-1.patch delete mode 100644 package/jasper/0004-fix-CVE-2014-8137-2.patch delete mode 100644 package/jasper/0005-fix-CVE-2014-8157.patch delete mode 100644 package/jasper/0006-fix-CVE-2014-8158.patch delete mode 100644 package/jasper/0007-preserve-cflags.patch delete mode 100644 package/jasper/0008-fix-CVE-2016-2116.patch delete mode 100644 package/jasper/0009-fix-CVE-2016-1577.patch delete mode 100644 package/jasper/0010-fix-CVE-2016-1867.patch delete mode 100644 package/jasper/0011-fix-CVE-2015-5221.patch delete mode 100644 package/jasper/0012-fix-CVE-2015-5203.patch diff --git a/package/jasper/0001-fix-CVE-2014-9029.patch b/package/jasper/0001-fix-CVE-2014-9029.patch deleted file mode 100644 index c2e95a8d14..0000000000 --- a/package/jasper/0001-fix-CVE-2014-9029.patch +++ /dev/null 
@@ -1,36 +0,0 @@ -Fix CVE-2014-9029 - -Patch taken from https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-9029 - -Signed-off-by: Baruch Siach ---- - ---- jasper-1.900.1.orig/src/libjasper/jpc/jpc_dec.c 2014-11-27 12:45:44.000000000 +0100 -+++ jasper-1.900.1.orig/src/libjasper/jpc/jpc_dec.c 2014-11-27 12:44:58.000000000 +0100 -@@ -1281,7 +1281,7 @@ static int jpc_dec_process_coc(jpc_dec_t - jpc_coc_t *coc = &ms->parms.coc; - jpc_dec_tile_t *tile; - -- if (JAS_CAST(int, coc->compno) > dec->numcomps) { -+ if (JAS_CAST(int, coc->compno) >= dec->numcomps) { - jas_eprintf("invalid component number in COC marker segment\n"); - return -1; - } -@@ -1307,7 +1307,7 @@ static int jpc_dec_process_rgn(jpc_dec_t - jpc_rgn_t *rgn = &ms->parms.rgn; - jpc_dec_tile_t *tile; - -- if (JAS_CAST(int, rgn->compno) > dec->numcomps) { -+ if (JAS_CAST(int, rgn->compno) >= dec->numcomps) { - jas_eprintf("invalid component number in RGN marker segment\n"); - return -1; - } -@@ -1356,7 +1356,7 @@ static int jpc_dec_process_qcc(jpc_dec_t - jpc_qcc_t *qcc = &ms->parms.qcc; - jpc_dec_tile_t *tile; - -- if (JAS_CAST(int, qcc->compno) > dec->numcomps) { -+ if (JAS_CAST(int, qcc->compno) >= dec->numcomps) { - jas_eprintf("invalid component number in QCC marker segment\n"); - return -1; - } diff --git a/package/jasper/0002-fix-CVE-2014-8138.patch b/package/jasper/0002-fix-CVE-2014-8138.patch deleted file mode 100644 index e107123ce8..0000000000 --- a/package/jasper/0002-fix-CVE-2014-8138.patch +++ /dev/null 
@@ -1,18 +0,0 @@ -See https://bugzilla.redhat.com/show_bug.cgi?id=1173162 - -Signed-off-by: Gustavo Zacarias - ---- jasper-1.900.1.orig/src/libjasper/jp2/jp2_dec.c 2014-12-11 14:06:44.000000000 +0100 -+++ jasper-1.900.1/src/libjasper/jp2/jp2_dec.c 2014-12-11 14:06:26.000000000 +0100 -@@ -386,6 +386,11 @@ jas_image_t *jp2_decode(jas_stream_t *in - /* Determine the type of each component. */ - if (dec->cdef) { - for (i = 0; i < dec->numchans; ++i) { -+ /* Is the channel number reasonable? */ -+ if (dec->cdef->data.cdef.ents[i].channo >= dec->numchans) { -+ jas_eprintf("error: invalid channel number in CDEF box\n"); -+ goto error; -+ } - jas_image_setcmpttype(dec->image, - dec->chantocmptlut[dec->cdef->data.cdef.ents[i].channo], - jp2_getct(jas_image_clrspc(dec->image), diff --git a/package/jasper/0003-fix-CVE-2014-8137-1.patch b/package/jasper/0003-fix-CVE-2014-8137-1.patch deleted file mode 100644 index 0253c62839..0000000000 --- a/package/jasper/0003-fix-CVE-2014-8137-1.patch +++ /dev/null 
@@ -1,47 +0,0 @@ -See https://bugzilla.redhat.com/show_bug.cgi?id=1173157 - -Signed-off-by: Gustavo Zacarias - ---- jasper-1.900.1.orig/src/libjasper/base/jas_icc.c 2014-12-11 14:06:44.000000000 +0100 -+++ jasper-1.900.1/src/libjasper/base/jas_icc.c 2014-12-11 15:16:37.971272386 +0100 -@@ -1009,7 +1009,6 @@ static int jas_icccurv_input(jas_iccattr - return 0; - - error: -- jas_icccurv_destroy(attrval); - return -1; - } - -@@ -1127,7 +1126,6 @@ static int jas_icctxtdesc_input(jas_icca - #endif - return 0; - error: -- jas_icctxtdesc_destroy(attrval); - return -1; - } - -@@ -1206,8 +1204,6 @@ static int jas_icctxt_input(jas_iccattrv - goto error; - return 0; - error: -- if (txt->string) -- jas_free(txt->string); - return -1; - } - -@@ -1328,7 +1324,6 @@ static int jas_icclut8_input(jas_iccattr - goto error; - return 0; - error: -- jas_icclut8_destroy(attrval); - return -1; - } - -@@ -1497,7 +1492,6 @@ static int jas_icclut16_input(jas_iccatt - goto error; - return 0; - error: -- jas_icclut16_destroy(attrval); - return -1; - } - diff --git a/package/jasper/0004-fix-CVE-2014-8137-2.patch b/package/jasper/0004-fix-CVE-2014-8137-2.patch deleted file mode 100644 index e052709d55..0000000000 --- a/package/jasper/0004-fix-CVE-2014-8137-2.patch +++ /dev/null 
@@ -1,18 +0,0 @@ -See https://bugzilla.redhat.com/show_bug.cgi?id=1173157 - -Signed-off-by: Gustavo Zacarias - ---- jasper-1.900.1.orig/src/libjasper/jp2/jp2_dec.c 2014-12-11 14:30:54.193209780 +0100 -+++ jasper-1.900.1/src/libjasper/jp2/jp2_dec.c 2014-12-11 14:36:46.313217814 +0100 -@@ -291,7 +291,10 @@ jas_image_t *jp2_decode(jas_stream_t *in - case JP2_COLR_ICC: - iccprof = jas_iccprof_createfrombuf(dec->colr->data.colr.iccp, - dec->colr->data.colr.iccplen); -- assert(iccprof); -+ if (!iccprof) { -+ jas_eprintf("error: failed to parse ICC profile\n"); -+ goto error; -+ } - jas_iccprof_gethdr(iccprof, &icchdr); - jas_eprintf("ICC Profile CS %08x\n", icchdr.colorspc); - jas_image_setclrspc(dec->image, fromiccpcs(icchdr.colorspc)); diff --git a/package/jasper/0005-fix-CVE-2014-8157.patch b/package/jasper/0005-fix-CVE-2014-8157.patch deleted file mode 100644 index ab81674f93..0000000000 --- a/package/jasper/0005-fix-CVE-2014-8157.patch +++ /dev/null @@ -1,17 +0,0 @@ -Fix CVE-2014-8157 - dec->numtiles off-by-one check in jpc_dec_process_sot() -From https://bugzilla.redhat.com/show_bug.cgi?id=1179282 - -Signed-off-by: Gustavo Zacarias - -diff -up jasper-1.900.1/src/libjasper/jpc/jpc_dec.c.CVE-2014-8157 jasper-1.900.1/src/libjasper/jpc/jpc_dec.c ---- jasper-1.900.1/src/libjasper/jpc/jpc_dec.c.CVE-2014-8157 2015-01-19 16:59:36.000000000 +0100 -+++ jasper-1.900.1/src/libjasper/jpc/jpc_dec.c 2015-01-19 17:07:41.609863268 +0100 -@@ -489,7 +489,7 @@ static int jpc_dec_process_sot(jpc_dec_t - dec->curtileendoff = 0; - } - -- if (JAS_CAST(int, sot->tileno) > dec->numtiles) { -+ if (JAS_CAST(int, sot->tileno) >= dec->numtiles) { - jas_eprintf("invalid tile number in SOT marker segment\n"); - return -1; - } diff --git a/package/jasper/0006-fix-CVE-2014-8158.patch b/package/jasper/0006-fix-CVE-2014-8158.patch deleted file mode 100644 index 8413d2ef93..0000000000 --- a/package/jasper/0006-fix-CVE-2014-8158.patch +++ /dev/null 
@@ -1,334 +0,0 @@ -Fix CVE-2014-8158 - unrestricted stack memory use in jpc_qmfb.c -From https://bugzilla.redhat.com/show_bug.cgi?id=1179298 - -Signed-off-by: Gustavo Zacarias - -diff -up jasper-1.900.1/src/libjasper/jpc/jpc_qmfb.c.CVE-2014-8158 jasper-1.900.1/src/libjasper/jpc/jpc_qmfb.c ---- jasper-1.900.1/src/libjasper/jpc/jpc_qmfb.c.CVE-2014-8158 2015-01-19 17:25:28.730195502 +0100 -+++ jasper-1.900.1/src/libjasper/jpc/jpc_qmfb.c 2015-01-19 17:27:20.214663127 +0100 -@@ -306,11 +306,7 @@ void jpc_qmfb_split_row(jpc_fix_t *a, in - { - - int bufsize = JPC_CEILDIVPOW2(numcols, 1); --#if !defined(HAVE_VLA) - jpc_fix_t splitbuf[QMFB_SPLITBUFSIZE]; --#else -- jpc_fix_t splitbuf[bufsize]; --#endif - jpc_fix_t *buf = splitbuf; - register jpc_fix_t *srcptr; - register jpc_fix_t *dstptr; -@@ -318,7 +314,6 @@ void jpc_qmfb_split_row(jpc_fix_t *a, in - register int m; - int hstartcol; - --#if !defined(HAVE_VLA) - /* Get a buffer. */ - if (bufsize > QMFB_SPLITBUFSIZE) { - if (!(buf = jas_alloc2(bufsize, sizeof(jpc_fix_t)))) { -@@ -326,7 +321,6 @@ void jpc_qmfb_split_row(jpc_fix_t *a, in - abort(); - } - } --#endif - - if (numcols >= 2) { - hstartcol = (numcols + 1 - parity) >> 1; -@@ -360,12 +354,10 @@ void jpc_qmfb_split_row(jpc_fix_t *a, in - } - } - --#if !defined(HAVE_VLA) - /* If the split buffer was allocated on the heap, free this memory. */ - if (buf != splitbuf) { - jas_free(buf); - } --#endif - - } - -@@ -374,11 +366,7 @@ void jpc_qmfb_split_col(jpc_fix_t *a, in - { - - int bufsize = JPC_CEILDIVPOW2(numrows, 1); --#if !defined(HAVE_VLA) - jpc_fix_t splitbuf[QMFB_SPLITBUFSIZE]; --#else -- jpc_fix_t splitbuf[bufsize]; --#endif - jpc_fix_t *buf = splitbuf; - register jpc_fix_t *srcptr; - register jpc_fix_t *dstptr; -@@ -386,7 +374,6 @@ void jpc_qmfb_split_col(jpc_fix_t *a, in - register int m; - int hstartcol; - --#if !defined(HAVE_VLA) - /* Get a buffer. 
*/ - if (bufsize > QMFB_SPLITBUFSIZE) { - if (!(buf = jas_alloc2(bufsize, sizeof(jpc_fix_t)))) { -@@ -394,7 +381,6 @@ void jpc_qmfb_split_col(jpc_fix_t *a, in - abort(); - } - } --#endif - - if (numrows >= 2) { - hstartcol = (numrows + 1 - parity) >> 1; -@@ -428,12 +414,10 @@ void jpc_qmfb_split_col(jpc_fix_t *a, in - } - } - --#if !defined(HAVE_VLA) - /* If the split buffer was allocated on the heap, free this memory. */ - if (buf != splitbuf) { - jas_free(buf); - } --#endif - - } - -@@ -442,11 +426,7 @@ void jpc_qmfb_split_colgrp(jpc_fix_t *a, - { - - int bufsize = JPC_CEILDIVPOW2(numrows, 1); --#if !defined(HAVE_VLA) - jpc_fix_t splitbuf[QMFB_SPLITBUFSIZE * JPC_QMFB_COLGRPSIZE]; --#else -- jpc_fix_t splitbuf[bufsize * JPC_QMFB_COLGRPSIZE]; --#endif - jpc_fix_t *buf = splitbuf; - jpc_fix_t *srcptr; - jpc_fix_t *dstptr; -@@ -457,7 +437,6 @@ void jpc_qmfb_split_colgrp(jpc_fix_t *a, - int m; - int hstartcol; - --#if !defined(HAVE_VLA) - /* Get a buffer. */ - if (bufsize > QMFB_SPLITBUFSIZE) { - if (!(buf = jas_alloc2(bufsize, sizeof(jpc_fix_t)))) { -@@ -465,7 +444,6 @@ void jpc_qmfb_split_colgrp(jpc_fix_t *a, - abort(); - } - } --#endif - - if (numrows >= 2) { - hstartcol = (numrows + 1 - parity) >> 1; -@@ -517,12 +495,10 @@ void jpc_qmfb_split_colgrp(jpc_fix_t *a, - } - } - --#if !defined(HAVE_VLA) - /* If the split buffer was allocated on the heap, free this memory. */ - if (buf != splitbuf) { - jas_free(buf); - } --#endif - - } - -@@ -531,11 +507,7 @@ void jpc_qmfb_split_colres(jpc_fix_t *a, - { - - int bufsize = JPC_CEILDIVPOW2(numrows, 1); --#if !defined(HAVE_VLA) - jpc_fix_t splitbuf[QMFB_SPLITBUFSIZE * JPC_QMFB_COLGRPSIZE]; --#else -- jpc_fix_t splitbuf[bufsize * numcols]; --#endif - jpc_fix_t *buf = splitbuf; - jpc_fix_t *srcptr; - jpc_fix_t *dstptr; -@@ -546,7 +518,6 @@ void jpc_qmfb_split_colres(jpc_fix_t *a, - int m; - int hstartcol; - --#if !defined(HAVE_VLA) - /* Get a buffer. 
*/ - if (bufsize > QMFB_SPLITBUFSIZE) { - if (!(buf = jas_alloc2(bufsize, sizeof(jpc_fix_t)))) { -@@ -554,7 +525,6 @@ void jpc_qmfb_split_colres(jpc_fix_t *a, - abort(); - } - } --#endif - - if (numrows >= 2) { - hstartcol = (numrows + 1 - parity) >> 1; -@@ -606,12 +576,10 @@ void jpc_qmfb_split_colres(jpc_fix_t *a, - } - } - --#if !defined(HAVE_VLA) - /* If the split buffer was allocated on the heap, free this memory. */ - if (buf != splitbuf) { - jas_free(buf); - } --#endif - - } - -@@ -619,18 +587,13 @@ void jpc_qmfb_join_row(jpc_fix_t *a, int - { - - int bufsize = JPC_CEILDIVPOW2(numcols, 1); --#if !defined(HAVE_VLA) - jpc_fix_t joinbuf[QMFB_JOINBUFSIZE]; --#else -- jpc_fix_t joinbuf[bufsize]; --#endif - jpc_fix_t *buf = joinbuf; - register jpc_fix_t *srcptr; - register jpc_fix_t *dstptr; - register int n; - int hstartcol; - --#if !defined(HAVE_VLA) - /* Allocate memory for the join buffer from the heap. */ - if (bufsize > QMFB_JOINBUFSIZE) { - if (!(buf = jas_alloc2(bufsize, sizeof(jpc_fix_t)))) { -@@ -638,7 +601,6 @@ void jpc_qmfb_join_row(jpc_fix_t *a, int - abort(); - } - } --#endif - - hstartcol = (numcols + 1 - parity) >> 1; - -@@ -670,12 +632,10 @@ void jpc_qmfb_join_row(jpc_fix_t *a, int - ++srcptr; - } - --#if !defined(HAVE_VLA) - /* If the join buffer was allocated on the heap, free this memory. */ - if (buf != joinbuf) { - jas_free(buf); - } --#endif - - } - -@@ -684,18 +644,13 @@ void jpc_qmfb_join_col(jpc_fix_t *a, int - { - - int bufsize = JPC_CEILDIVPOW2(numrows, 1); --#if !defined(HAVE_VLA) - jpc_fix_t joinbuf[QMFB_JOINBUFSIZE]; --#else -- jpc_fix_t joinbuf[bufsize]; --#endif - jpc_fix_t *buf = joinbuf; - register jpc_fix_t *srcptr; - register jpc_fix_t *dstptr; - register int n; - int hstartcol; - --#if !defined(HAVE_VLA) - /* Allocate memory for the join buffer from the heap. 
*/ - if (bufsize > QMFB_JOINBUFSIZE) { - if (!(buf = jas_alloc2(bufsize, sizeof(jpc_fix_t)))) { -@@ -703,7 +658,6 @@ void jpc_qmfb_join_col(jpc_fix_t *a, int - abort(); - } - } --#endif - - hstartcol = (numrows + 1 - parity) >> 1; - -@@ -735,12 +689,10 @@ void jpc_qmfb_join_col(jpc_fix_t *a, int - ++srcptr; - } - --#if !defined(HAVE_VLA) - /* If the join buffer was allocated on the heap, free this memory. */ - if (buf != joinbuf) { - jas_free(buf); - } --#endif - - } - -@@ -749,11 +701,7 @@ void jpc_qmfb_join_colgrp(jpc_fix_t *a, - { - - int bufsize = JPC_CEILDIVPOW2(numrows, 1); --#if !defined(HAVE_VLA) - jpc_fix_t joinbuf[QMFB_JOINBUFSIZE * JPC_QMFB_COLGRPSIZE]; --#else -- jpc_fix_t joinbuf[bufsize * JPC_QMFB_COLGRPSIZE]; --#endif - jpc_fix_t *buf = joinbuf; - jpc_fix_t *srcptr; - jpc_fix_t *dstptr; -@@ -763,7 +711,6 @@ void jpc_qmfb_join_colgrp(jpc_fix_t *a, - register int i; - int hstartcol; - --#if !defined(HAVE_VLA) - /* Allocate memory for the join buffer from the heap. */ - if (bufsize > QMFB_JOINBUFSIZE) { - if (!(buf = jas_alloc2(bufsize, JPC_QMFB_COLGRPSIZE * sizeof(jpc_fix_t)))) { -@@ -771,7 +718,6 @@ void jpc_qmfb_join_colgrp(jpc_fix_t *a, - abort(); - } - } --#endif - - hstartcol = (numrows + 1 - parity) >> 1; - -@@ -821,12 +767,10 @@ void jpc_qmfb_join_colgrp(jpc_fix_t *a, - srcptr += JPC_QMFB_COLGRPSIZE; - } - --#if !defined(HAVE_VLA) - /* If the join buffer was allocated on the heap, free this memory. 
*/ - if (buf != joinbuf) { - jas_free(buf); - } --#endif - - } - -@@ -835,11 +779,7 @@ void jpc_qmfb_join_colres(jpc_fix_t *a, - { - - int bufsize = JPC_CEILDIVPOW2(numrows, 1); --#if !defined(HAVE_VLA) - jpc_fix_t joinbuf[QMFB_JOINBUFSIZE * JPC_QMFB_COLGRPSIZE]; --#else -- jpc_fix_t joinbuf[bufsize * numcols]; --#endif - jpc_fix_t *buf = joinbuf; - jpc_fix_t *srcptr; - jpc_fix_t *dstptr; -@@ -849,7 +789,6 @@ void jpc_qmfb_join_colres(jpc_fix_t *a, - register int i; - int hstartcol; - --#if !defined(HAVE_VLA) - /* Allocate memory for the join buffer from the heap. */ - if (bufsize > QMFB_JOINBUFSIZE) { - if (!(buf = jas_alloc3(bufsize, numcols, sizeof(jpc_fix_t)))) { -@@ -857,7 +796,6 @@ void jpc_qmfb_join_colres(jpc_fix_t *a, - abort(); - } - } --#endif - - hstartcol = (numrows + 1 - parity) >> 1; - -@@ -907,12 +845,10 @@ void jpc_qmfb_join_colres(jpc_fix_t *a, - srcptr += numcols; - } - --#if !defined(HAVE_VLA) - /* If the join buffer was allocated on the heap, free this memory. */ - if (buf != joinbuf) { - jas_free(buf); - } --#endif - - } - diff --git a/package/jasper/0007-preserve-cflags.patch b/package/jasper/0007-preserve-cflags.patch deleted file mode 100644 index 7e4c4a26f0..0000000000 --- a/package/jasper/0007-preserve-cflags.patch +++ /dev/null @@ -1,27 +0,0 @@ -From: Max Filippov -Subject: Don't overwrite CFLAGS when configured with --enable-debug - -This drops architecture-specific ABI flags, which may be important. - -Signded-off-by: Max Filippov - ---- jasper-1.900.1/configure.ac.orig 2015-05-18 22:27:53.057512760 +0300 -+++ jasper-1.900.1/configure.ac 2015-05-18 22:28:36.090415422 +0300 -@@ -327,7 +327,7 @@ - AC_DEFINE(DEBUG) - AC_DEFINE(DEBUG_OVERFLOW) - if test "$GCC" = yes; then -- CFLAGS="-g -O0" -+ CFLAGS="$CFLAGS -g -O0" - fi - ;; - no) -@@ -357,7 +357,7 @@ - case "${enableval}" in - yes) - if test "$GCC" = yes; then -- CFLAGS="-g -O0" -+ CFLAGS="$CFLAGS -g -O0" - fi - ;; - no) 
diff --git a/package/jasper/0008-fix-CVE-2016-2116.patch b/package/jasper/0008-fix-CVE-2016-2116.patch deleted file mode 100644 index 1ceb3952c7..0000000000 --- a/package/jasper/0008-fix-CVE-2016-2116.patch +++ /dev/null @@ -1,18 +0,0 @@ -Description: Prevent jas_stream_t memory leak in jas_iccprof_createfrombuf() -Author: Tyler Hicks - -From: http://seclists.org/oss-sec/2016/q1/att-507/CVE-2016-2116.patch - -Signed-off-by: Gustavo Zacarias - ---- jasper-1.900.1-debian1.orig/src/libjasper/base/jas_icc.c -+++ jasper-1.900.1-debian1/src/libjasper/base/jas_icc.c -@@ -1693,6 +1693,8 @@ jas_iccprof_t *jas_iccprof_createfrombuf - jas_stream_close(in); - return prof; - error: -+ if (in) -+ jas_stream_close(in); - return 0; - } - diff --git a/package/jasper/0009-fix-CVE-2016-1577.patch b/package/jasper/0009-fix-CVE-2016-1577.patch deleted file mode 100644 index cfe8b45e30..0000000000 --- a/package/jasper/0009-fix-CVE-2016-1577.patch +++ /dev/null @@ -1,18 +0,0 @@ -Description: CVE-2016-1577: Prevent double-free in jas_iccattrval_destroy() -Author: Tyler Hicks -Bug-Ubuntu: https://launchpad.net/bugs/1547865 - -From: http://seclists.org/oss-sec/2016/q1/att-507/CVE-2016-1577.patch - -Signed-off-by: Gustavo Zacarias - ---- jasper-1.900.1-debian1.orig/src/libjasper/base/jas_icc.c -+++ jasper-1.900.1-debian1/src/libjasper/base/jas_icc.c -@@ -300,6 +300,7 @@ jas_iccprof_t *jas_iccprof_load(jas_stre - if (jas_iccprof_setattr(prof, tagtabent->tag, attrval)) - goto error; - jas_iccattrval_destroy(attrval); -+ attrval = 0; - } else { - #if 0 - jas_eprintf("warning: skipping unknown tag type\n"); diff --git a/package/jasper/0010-fix-CVE-2016-1867.patch b/package/jasper/0010-fix-CVE-2016-1867.patch deleted file mode 100644 index 33f34c356a..0000000000 --- a/package/jasper/0010-fix-CVE-2016-1867.patch +++ /dev/null 
@@ -1,16 +0,0 @@ -From: http://pkgs.fedoraproject.org/cgit/rpms/jasper.git/plain/jasper-CVE-2016-1867.patch - -Signed-off-by: Gustavo Zacarias - -diff -urNp jasper-1.900.1.orig/src/libjasper/jpc/jpc_t2cod.c jasper-1.900.1.new/src/libjasper/jpc/jpc_t2cod.c ---- jasper-1.900.1.orig/src/libjasper/jpc/jpc_t2cod.c 2016-08-11 14:34:31.795661973 +0200 -+++ jasper-1.900.1.new/src/libjasper/jpc/jpc_t2cod.c 2016-08-12 07:02:40.044860209 +0200 -@@ -429,7 +429,7 @@ static int jpc_pi_nextcprl(register jpc_ - } - - for (pi->compno = pchg->compnostart, pi->picomp = -- &pi->picomps[pi->compno]; pi->compno < JAS_CAST(int, pchg->compnoend); ++pi->compno, -+ &pi->picomps[pi->compno]; pi->compno < JAS_CAST(int, pchg->compnoend) && pi->compno < pi->numcomps; ++pi->compno, - ++pi->picomp) { - pirlvl = pi->picomp->pirlvls; - pi->xstep = pi->picomp->hsamp * (1 << (pirlvl->prcwidthexpn + diff --git a/package/jasper/0011-fix-CVE-2015-5221.patch b/package/jasper/0011-fix-CVE-2015-5221.patch deleted file mode 100644 index 7dcbdddd7b..0000000000 --- a/package/jasper/0011-fix-CVE-2015-5221.patch +++ /dev/null @@ -1,23 +0,0 @@ -From: http://pkgs.fedoraproject.org/cgit/rpms/jasper.git/plain/jasper-CVE-2015-5221.patch - -Signed-off-by: Gustavo Zacarias - -diff -urNp jasper-1.900.1.orig/src/libjasper/mif/mif_cod.c jasper-1.900.1.new/src/libjasper/mif/mif_cod.c ---- jasper-1.900.1.orig/src/libjasper/mif/mif_cod.c 2016-08-11 13:46:26.166415464 +0200 -+++ jasper-1.900.1.new/src/libjasper/mif/mif_cod.c 2016-08-11 14:17:20.507144931 +0200 -@@ -569,13 +569,13 @@ static int mif_process_cmpt(mif_hdr_t *h - break; - } - } -- jas_tvparser_destroy(tvp); - if (!cmpt->sampperx || !cmpt->samppery) { - goto error; - } - if (mif_hdr_addcmpt(hdr, hdr->numcmpts, cmpt)) { - goto error; - } -+ jas_tvparser_destroy(tvp); - return 0; - - error: - diff --git a/package/jasper/0012-fix-CVE-2015-5203.patch b/package/jasper/0012-fix-CVE-2015-5203.patch deleted file mode 100644 index 50f0613cd8..0000000000 
--- a/package/jasper/0012-fix-CVE-2015-5203.patch +++ /dev/null 
@@ -1,187 +0,0 @@ -From: http://pkgs.fedoraproject.org/cgit/rpms/jasper.git/plain/jasper-CVE-2015-5203.patch - -Signed-off-by: Gustavo Zacarias - -diff -urNp jasper-1.900.1.orig/src/libjasper/base/jas_stream.c jasper-1.900.1.new/src/libjasper/base/jas_stream.c ---- jasper-1.900.1.orig/src/libjasper/base/jas_stream.c 2016-08-11 13:35:09.160895769 +0200 -+++ jasper-1.900.1.new/src/libjasper/base/jas_stream.c 2016-08-11 13:39:33.800843489 +0200 -@@ -99,7 +99,7 @@ static int jas_strtoopenmode(const char - static void jas_stream_destroy(jas_stream_t *stream); - static jas_stream_t *jas_stream_create(void); - static void jas_stream_initbuf(jas_stream_t *stream, int bufmode, char *buf, -- int bufsize); -+ size_t bufsize); - - static int mem_read(jas_stream_obj_t *obj, char *buf, int cnt); - static int mem_write(jas_stream_obj_t *obj, char *buf, int cnt); -@@ -168,7 +168,7 @@ static jas_stream_t *jas_stream_create() - return stream; - } - --jas_stream_t *jas_stream_memopen(char *buf, int bufsize) -+jas_stream_t *jas_stream_memopen(char *buf, size_t bufsize) - { - jas_stream_t *stream; - jas_stream_memobj_t *obj; -@@ -570,7 +570,7 @@ int jas_stream_puts(jas_stream_t *stream - return 0; - } - --char *jas_stream_gets(jas_stream_t *stream, char *buf, int bufsize) -+char *jas_stream_gets(jas_stream_t *stream, char *buf, size_t bufsize) - { - int c; - char *bufptr; -@@ -694,7 +694,7 @@ long jas_stream_tell(jas_stream_t *strea - \******************************************************************************/ - - static void jas_stream_initbuf(jas_stream_t *stream, int bufmode, char *buf, -- int bufsize) -+ size_t bufsize) - { - /* If this function is being called, the buffer should not have been - initialized yet. 
*/ -@@ -987,7 +987,7 @@ static int mem_read(jas_stream_obj_t *ob - return cnt; - } - --static int mem_resize(jas_stream_memobj_t *m, int bufsize) -+static int mem_resize(jas_stream_memobj_t *m, size_t bufsize) - { - unsigned char *buf; - -diff -urNp jasper-1.900.1.orig/src/libjasper/include/jasper/jas_stream.h jasper-1.900.1.new/src/libjasper/include/jasper/jas_stream.h ---- jasper-1.900.1.orig/src/libjasper/include/jasper/jas_stream.h 2007-01-19 22:43:04.000000000 +0100 -+++ jasper-1.900.1.new/src/libjasper/include/jasper/jas_stream.h 2016-08-11 13:41:27.841153595 +0200 -@@ -215,7 +215,7 @@ typedef struct { - uchar *bufstart_; - - /* The buffer size. */ -- int bufsize_; -+ size_t bufsize_; - - /* The current position in the buffer. */ - uchar *ptr_; -@@ -267,7 +267,7 @@ typedef struct { - uchar *buf_; - - /* The allocated size of the buffer for holding file data. */ -- int bufsize_; -+ size_t bufsize_; - - /* The length of the file. */ - int_fast32_t len_; -@@ -291,7 +291,7 @@ typedef struct { - jas_stream_t *jas_stream_fopen(const char *filename, const char *mode); - - /* Open a memory buffer as a stream. */ --jas_stream_t *jas_stream_memopen(char *buf, int bufsize); -+jas_stream_t *jas_stream_memopen(char *buf, size_t bufsize); - - /* Open a file descriptor as a stream. */ - jas_stream_t *jas_stream_fdopen(int fd, const char *mode); -@@ -366,7 +366,7 @@ int jas_stream_printf(jas_stream_t *stre - int jas_stream_puts(jas_stream_t *stream, const char *s); - - /* Read a line of input from a stream. */ --char *jas_stream_gets(jas_stream_t *stream, char *buf, int bufsize); -+char *jas_stream_gets(jas_stream_t *stream, char *buf, size_t bufsize); - - /* Look at the next character to be read from a stream without actually - removing it from the stream. 
*/ -diff -urNp jasper-1.900.1.orig/src/libjasper/jpc/jpc_qmfb.c jasper-1.900.1.new/src/libjasper/jpc/jpc_qmfb.c ---- jasper-1.900.1.orig/src/libjasper/jpc/jpc_qmfb.c 2016-08-11 13:35:09.170895681 +0200 -+++ jasper-1.900.1.new/src/libjasper/jpc/jpc_qmfb.c 2016-08-11 13:45:20.847809678 +0200 -@@ -305,7 +305,7 @@ jpc_qmfb2d_t jpc_ns_qmfb2d = { - void jpc_qmfb_split_row(jpc_fix_t *a, int numcols, int parity) - { - -- int bufsize = JPC_CEILDIVPOW2(numcols, 1); -+ size_t bufsize = JPC_CEILDIVPOW2(numcols, 1); - jpc_fix_t splitbuf[QMFB_SPLITBUFSIZE]; - jpc_fix_t *buf = splitbuf; - register jpc_fix_t *srcptr; -@@ -365,7 +365,7 @@ void jpc_qmfb_split_col(jpc_fix_t *a, in - int parity) - { - -- int bufsize = JPC_CEILDIVPOW2(numrows, 1); -+ size_t bufsize = JPC_CEILDIVPOW2(numrows, 1); - jpc_fix_t splitbuf[QMFB_SPLITBUFSIZE]; - jpc_fix_t *buf = splitbuf; - register jpc_fix_t *srcptr; -@@ -425,7 +425,7 @@ void jpc_qmfb_split_colgrp(jpc_fix_t *a, - int parity) - { - -- int bufsize = JPC_CEILDIVPOW2(numrows, 1); -+ size_t bufsize = JPC_CEILDIVPOW2(numrows, 1); - jpc_fix_t splitbuf[QMFB_SPLITBUFSIZE * JPC_QMFB_COLGRPSIZE]; - jpc_fix_t *buf = splitbuf; - jpc_fix_t *srcptr; -@@ -506,7 +506,7 @@ void jpc_qmfb_split_colres(jpc_fix_t *a, - int stride, int parity) - { - -- int bufsize = JPC_CEILDIVPOW2(numrows, 1); -+ size_t bufsize = JPC_CEILDIVPOW2(numrows, 1); - jpc_fix_t splitbuf[QMFB_SPLITBUFSIZE * JPC_QMFB_COLGRPSIZE]; - jpc_fix_t *buf = splitbuf; - jpc_fix_t *srcptr; -@@ -586,7 +586,7 @@ void jpc_qmfb_split_colres(jpc_fix_t *a, - void jpc_qmfb_join_row(jpc_fix_t *a, int numcols, int parity) - { - -- int bufsize = JPC_CEILDIVPOW2(numcols, 1); -+ size_t bufsize = JPC_CEILDIVPOW2(numcols, 1); - jpc_fix_t joinbuf[QMFB_JOINBUFSIZE]; - jpc_fix_t *buf = joinbuf; - register jpc_fix_t *srcptr; -@@ -643,7 +643,7 @@ void jpc_qmfb_join_col(jpc_fix_t *a, int - int parity) - { - -- int bufsize = JPC_CEILDIVPOW2(numrows, 1); -+ size_t bufsize = JPC_CEILDIVPOW2(numrows, 1); - jpc_fix_t 
joinbuf[QMFB_JOINBUFSIZE]; - jpc_fix_t *buf = joinbuf; - register jpc_fix_t *srcptr; -@@ -700,7 +700,7 @@ void jpc_qmfb_join_colgrp(jpc_fix_t *a, - int parity) - { - -- int bufsize = JPC_CEILDIVPOW2(numrows, 1); -+ size_t bufsize = JPC_CEILDIVPOW2(numrows, 1); - jpc_fix_t joinbuf[QMFB_JOINBUFSIZE * JPC_QMFB_COLGRPSIZE]; - jpc_fix_t *buf = joinbuf; - jpc_fix_t *srcptr; -@@ -778,7 +778,7 @@ void jpc_qmfb_join_colres(jpc_fix_t *a, - int stride, int parity) - { - -- int bufsize = JPC_CEILDIVPOW2(numrows, 1); -+ size_t bufsize = JPC_CEILDIVPOW2(numrows, 1); - jpc_fix_t joinbuf[QMFB_JOINBUFSIZE * JPC_QMFB_COLGRPSIZE]; - jpc_fix_t *buf = joinbuf; - jpc_fix_t *srcptr; -diff -urNp jasper-1.900.1.orig/src/libjasper/mif/mif_cod.c jasper-1.900.1.new/src/libjasper/mif/mif_cod.c ---- jasper-1.900.1.orig/src/libjasper/mif/mif_cod.c 2016-08-11 13:35:09.179895601 +0200 -+++ jasper-1.900.1.new/src/libjasper/mif/mif_cod.c 2016-08-11 13:46:26.166415464 +0200 -@@ -107,7 +107,7 @@ static int mif_hdr_put(mif_hdr_t *hdr, j - static int mif_hdr_addcmpt(mif_hdr_t *hdr, int cmptno, mif_cmpt_t *cmpt); - static mif_cmpt_t *mif_cmpt_create(void); - static void mif_cmpt_destroy(mif_cmpt_t *cmpt); --static char *mif_getline(jas_stream_t *jas_stream, char *buf, int bufsize); -+static char *mif_getline(jas_stream_t *jas_stream, char *buf, size_t bufsize); - static int mif_getc(jas_stream_t *in); - static mif_hdr_t *mif_makehdrfromimage(jas_image_t *image); - -@@ -657,7 +657,7 @@ static void mif_cmpt_destroy(mif_cmpt_t - * MIF parsing code. - \******************************************************************************/ - --static char *mif_getline(jas_stream_t *stream, char *buf, int bufsize) -+static char *mif_getline(jas_stream_t *stream, char *buf, size_t bufsize) - { - int c; - char *bufptr; diff --git a/package/jasper/jasper.hash b/package/jasper/jasper.hash index 4d9ed7432a..fdadbb283d 100644 --- a/package/jasper/jasper.hash +++ b/package/jasper/jasper.hash 
@@ -1,2 +1,2 @@
 # Locally calculated
-sha256 6e9a959bf4f8cb02f77f42d1b9880b8e85d021ac51f43d8787b5438fd2b7a1c5 jasper-1.900.1.tar.bz2
+sha256 6c942ae79108cd6a359e5bc34ea03565bd33ac20f6814cb09c4f92298b6b1cb8 jasper-1.900.22.tar.gz
diff --git a/package/jasper/jasper.mk b/package/jasper/jasper.mk
index db86ae88e1..4616fed188 100644
--- a/package/jasper/jasper.mk
+++ b/package/jasper/jasper.mk
@@ -4,15 +4,12 @@
 #
 ################################################################################
-JASPER_VERSION = 1.900.1
-JASPER_SITE = http://sources.openelec.tv/devel
-JASPER_SOURCE = jasper-$(JASPER_VERSION).tar.bz2
+JASPER_VERSION = 1.900.22
+JASPER_SITE = http://www.ece.uvic.ca/~frodo/jasper/software
 JASPER_INSTALL_STAGING = YES
 JASPER_DEPENDENCIES = jpeg
-JASPER_LICENSE = MIT
+JASPER_LICENSE = JasPer License Version 2.0
 JASPER_LICENSE_FILES = LICENSE
-# needed to fix rpath issue (http://autobuild.buildroot.net/results/307/307cac65287420252a5bb64715d9a1edd90e72fa/)
-JASPER_AUTORECONF = YES
 # Xtensa gcc is unable to generate correct code with -O0 enabled by
 # --enable-debug. Allow package build but disable debug.
-- 
2.30.2
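Review bot: The new `JASPER_SITE` in the jasper.mk hunk is a plain `http://` URL, and the matching `sha256` entry in jasper.hash is marked "Locally calculated", so the hash pins whatever tarball the packager fetched and nothing on the page shows that fetch was authenticated against an upstream-published checksum or signature. If the host serves the same path over TLS, prefer `JASPER_SITE = https://www.ece.uvic.ca/~frodo/jasper/software`, and record in the jasper.hash comment how the tarball was validated before the hash was taken. Separately, the commit removes `0007-preserve-cflags.patch` together with the CVE patches under "Drop upstream patches"; that patch is a build fix rather than a CVE fix, and the diff does not show whether the 1.900.22 configure script still overwrites `CFLAGS` under `--enable-debug`, so that is worth confirming. The jasper.mk file continues past the end of this hunk.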