pkgsrc-Changes-HG archive


[pkgsrc/trunk]: pkgsrc/print/ghostscript-gpl add patches against CVE-2014-813...



details:   https://anonhg.NetBSD.org/pkgsrc/rev/93ad08a6f301
branches:  trunk
changeset: 648110:93ad08a6f301
user:      spz <spz%pkgsrc.org@localhost>
date:      Wed Mar 11 20:58:26 2015 +0000

description:
add patches against CVE-2014-8137 CVE-2014-8138 CVE-2014-8157 and
CVE-2014-8158 originating from the Fedora project

diffstat:

 print/ghostscript-gpl/Makefile                    |   4 +-
 print/ghostscript-gpl/distinfo                    |   6 +-
 print/ghostscript-gpl/patches/patch-CVE-2014-8137 |  62 +++++++++++++++
 print/ghostscript-gpl/patches/patch-CVE-2014-8138 |  16 +++
 print/ghostscript-gpl/patches/patch-CVE-2014-8157 |  16 +++
 print/ghostscript-gpl/patches/patch-CVE-2014-8158 |  93 +++++++++++++++++++++++
 6 files changed, 194 insertions(+), 3 deletions(-)

diffs (235 lines):

diff -r 8bb80232bb4f -r 93ad08a6f301 print/ghostscript-gpl/Makefile
--- a/print/ghostscript-gpl/Makefile    Wed Mar 11 20:46:09 2015 +0000
+++ b/print/ghostscript-gpl/Makefile    Wed Mar 11 20:58:26 2015 +0000
@@ -1,8 +1,8 @@
-# $NetBSD: Makefile,v 1.15 2014/12/30 07:52:41 dholland Exp $
+# $NetBSD: Makefile,v 1.16 2015/03/11 20:58:26 spz Exp $
 
 DISTNAME=      ghostscript-${GS_VERSION}
 PKGNAME=       ${DISTNAME:S/ghostscript/ghostscript-gpl/}
-PKGREVISION=   3
+PKGREVISION=   4
 CATEGORIES=    print
 MASTER_SITES=  ${MASTER_SITE_SOURCEFORGE:=ghostscript/}
 MASTER_SITES+= http://ghostscript.com/releases/
diff -r 8bb80232bb4f -r 93ad08a6f301 print/ghostscript-gpl/distinfo
--- a/print/ghostscript-gpl/distinfo    Wed Mar 11 20:46:09 2015 +0000
+++ b/print/ghostscript-gpl/distinfo    Wed Mar 11 20:58:26 2015 +0000
@@ -1,9 +1,13 @@
-$NetBSD: distinfo,v 1.8 2015/02/24 08:21:07 markd Exp $
+$NetBSD: distinfo,v 1.9 2015/03/11 20:58:26 spz Exp $
 
 SHA1 (ghostscript-9.06.tar.bz2) = 4c1c2b4cddd16d86b21f36ad4fc15f6100162238
 RMD160 (ghostscript-9.06.tar.bz2) = 11ef74cf783ec5f7cde0ceaaf2823a1f62fb4d1d
 Size (ghostscript-9.06.tar.bz2) = 29246039 bytes
 SHA1 (patch-CVE-2012-4405) = 1dcb4cfeceb366c144e0a1337c6ccc2d8e13e4ca
+SHA1 (patch-CVE-2014-8137) = 5375f56f3d7cdfed0c9f900d291d75bbc3182b96
+SHA1 (patch-CVE-2014-8138) = be161051680e3c6c9246f31237019470a447ee49
+SHA1 (patch-CVE-2014-8157) = 18822069b9791fc3553e812878cfca483d881cd4
+SHA1 (patch-CVE-2014-8158) = 71387f152a205caaef0fcc518dbb0fbb7b78e531
 SHA1 (patch-CVE-2014-9029) = 9636c7d6909fc0dec7ad2102b59fb14d599bac6a
 SHA1 (patch-af) = 79af4d253001f879f1b5d3ef93584ae7300361de
 SHA1 (patch-ah) = 73a05ee51845ca70e1b18c50dee98d6799a46d52
diff -r 8bb80232bb4f -r 93ad08a6f301 print/ghostscript-gpl/patches/patch-CVE-2014-8137
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/print/ghostscript-gpl/patches/patch-CVE-2014-8137 Wed Mar 11 20:58:26 2015 +0000
@@ -0,0 +1,62 @@
+$NetBSD: patch-CVE-2014-8137,v 1.1 2015/03/11 20:58:26 spz Exp $
+
+patch for CVE-2014-8137 taken from
+http://pkgs.fedoraproject.org/cgit/jasper.git/tree/jasper-CVE-2014-8137.patch
+
+--- jasper/src/libjasper/base/jas_icc.c.orig   2012-08-08 08:01:36.000000000 +0000
++++ jasper/src/libjasper/base/jas_icc.c
+@@ -1024,7 +1024,6 @@ static int jas_icccurv_input(jas_iccattr
+       return 0;
+ 
+ error:
+-      jas_icccurv_destroy(attrval);
+       return -1;
+ }
+ 
+@@ -1144,7 +1143,6 @@ static int jas_icctxtdesc_input(jas_icca
+ #endif
+       return 0;
+ error:
+-      jas_icctxtdesc_destroy(attrval);
+       return -1;
+ }
+ 
+@@ -1223,8 +1221,6 @@ static int jas_icctxt_input(jas_iccattrv
+               goto error;
+       return 0;
+ error:
+-      if (txt->string)
+-              jas_free(txt->string);
+       return -1;
+ }
+ 
+@@ -1349,7 +1345,6 @@ static int jas_icclut8_input(jas_iccattr
+               goto error;
+       return 0;
+ error:
+-      jas_icclut8_destroy(attrval);
+       return -1;
+ }
+ 
+@@ -1520,7 +1515,6 @@ static int jas_icclut16_input(jas_iccatt
+               goto error;
+       return 0;
+ error:
+-      jas_icclut16_destroy(attrval);
+       return -1;
+ }
+ 
+--- jasper/src/libjasper/jp2/jp2_dec.c.orig    2012-08-08 08:01:36.000000000 +0000
++++ jasper/src/libjasper/jp2/jp2_dec.c
+@@ -325,7 +325,10 @@ jas_image_t *jp2_decode(jas_stream_t *in
+       case JP2_COLR_ICC:
+               iccprof = jas_iccprof_createfrombuf(dec->colr->data.colr.iccp,
+                 dec->colr->data.colr.iccplen);
+-              assert(iccprof);
++              if (!iccprof) {
++                      jas_eprintf("error: failed to parse ICC profile\n");
++                      goto error;
++              }
+               jas_iccprof_gethdr(iccprof, &icchdr);
+               if (jas_getdbglevel() >= 1) {
+                       jas_eprintf("ICC Profile CS %08x\n", icchdr.colorspc);
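Review bot: The five `error:` paths in jas_icc.c now return -1 without releasing anything, so the fix is complete only if the caller of these `*_input` functions destroys `attrval` exactly once on failure. That caller is not part of this patch, so this should be confirmed against the bundled jasper source. The patch header gives only the Fedora URL; a line such as `error paths no longer free attrval themselves; the caller's cleanup does, which avoids freeing it twice` would tell the next maintainer why cleanup code was deleted (this wording assumes the CVE is the double free it is usually described as). In jp2_dec.c the new `goto error` replaces an `assert`, and the `error` label lies outside the hunk, so its cleanup should be checked to cope with `iccprof` being NULL.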
diff -r 8bb80232bb4f -r 93ad08a6f301 print/ghostscript-gpl/patches/patch-CVE-2014-8138
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/print/ghostscript-gpl/patches/patch-CVE-2014-8138 Wed Mar 11 20:58:26 2015 +0000
@@ -0,0 +1,16 @@
+$NetBSD: patch-CVE-2014-8138,v 1.1 2015/03/11 20:58:26 spz Exp $
+
+--- jasper/src/libjasper/jp2/jp2_dec.c.orig    2012-08-08 08:01:36.000000000 +0000
++++ jasper/src/libjasper/jp2/jp2_dec.c
+@@ -444,6 +447,11 @@ jas_image_t *jp2_decode(jas_stream_t *in
+       /* Determine the type of each component. */
+       if (dec->cdef) {
+               for (i = 0; i < dec->numchans; ++i) {
++                      /* Is the channel number reasonable? */
++                      if (dec->cdef->data.cdef.ents[i].channo >= dec->numchans) {
++                              jas_eprintf("error: invalid channel number in CDEF box\n");
++                              goto error;
++                      }
+                       jas_image_setcmpttype(dec->image,
+                         dec->chantocmptlut[dec->cdef->data.cdef.ents[i].channo],
+                         jp2_getct(jas_image_clrspc(dec->image),
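Review bot: The added check bounds `channo`, but the loop still reads `dec->cdef->data.cdef.ents[i]` for every `i < dec->numchans`, and nothing in the hunk shows that the CDEF box carries at least `dec->numchans` entries. If the box's entry count comes from the file independently, a short CDEF box would still be read past its end. Bounding the loop by the box's own count, or rejecting a box whose count differs from `dec->numchans` before the loop, would close that. The rest of `jp2_decode` is outside the hunk, so an earlier check may already exist. This patch file is also the only one of the four without a provenance line; something like `patch for CVE-2014-8138 taken from the Fedora jasper package` under the `$NetBSD$` tag would match the others.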
diff -r 8bb80232bb4f -r 93ad08a6f301 print/ghostscript-gpl/patches/patch-CVE-2014-8157
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/print/ghostscript-gpl/patches/patch-CVE-2014-8157 Wed Mar 11 20:58:26 2015 +0000
@@ -0,0 +1,16 @@
+$NetBSD: patch-CVE-2014-8157,v 1.1 2015/03/11 20:58:26 spz Exp $
+
+patch for CVE-2014-8157 from
+http://pkgs.fedoraproject.org/cgit/jasper.git/tree/jasper-CVE-2014-8157.patch
+
+--- jasper/src/libjasper/jpc/jpc_dec.c.orig    2012-08-08 08:01:36.000000000 +0000
++++ jasper/src/libjasper/jpc/jpc_dec.c
+@@ -496,7 +496,7 @@ static int jpc_dec_process_sot(jpc_dec_t
+               dec->curtileendoff = 0;
+       }
+ 
+-      if (JAS_CAST(int, sot->tileno) > dec->numtiles) {
++      if (JAS_CAST(int, sot->tileno) >= dec->numtiles) {
+               jas_eprintf("invalid tile number in SOT marker segment\n");
+               return -1;
+       }
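Review bot: The corrected comparison carries no comment saying why equality has to be rejected, so the bound is easy to "simplify" back to `>` in a later merge. A line such as `/* valid tile numbers are 0 .. numtiles-1 */` above the `if` would make the intent explicit. That reading assumes `sot->tileno` is later used as a zero-based index into a table of `dec->numtiles` entries, which happens outside the hunk; the body of `jpc_dec_process_sot` continues past the lines shown.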
diff -r 8bb80232bb4f -r 93ad08a6f301 print/ghostscript-gpl/patches/patch-CVE-2014-8158
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/print/ghostscript-gpl/patches/patch-CVE-2014-8158 Wed Mar 11 20:58:26 2015 +0000
@@ -0,0 +1,93 @@
+$NetBSD: patch-CVE-2014-8158,v 1.1 2015/03/11 20:58:26 spz Exp $
+
+patch for CVE-2014-8158 loosely based on
+http://pkgs.fedoraproject.org/cgit/jasper.git/plain/jasper-CVE-2014-8158.patch
+
+eradicate all code-paths activated by HAVE_VLA
+
+--- jasper/src/libjasper/jpc/jpc_qmfb.c.orig   2012-08-08 08:01:36.000000000 +0000
++++ jasper/src/libjasper/jpc/jpc_qmfb.c
+@@ -158,12 +158,8 @@ static void jpc_qmfb1d_split(jpc_fix_t *
+   jpc_fix_t *hstartptr, int hstartind, int hendind)
+ {
+       int bufsize = JPC_CEILDIVPOW2(endind - startind, 2);
+-#if !defined(HAVE_VLA)
+ #define QMFB_SPLITBUFSIZE 4096
+       jpc_fix_t splitbuf[QMFB_SPLITBUFSIZE];
+-#else
+-      jpc_fix_t splitbuf[bufsize];
+-#endif
+       jpc_fix_t *buf = splitbuf;
+       int llen;
+       int hlen;
+@@ -179,7 +175,6 @@ static void jpc_qmfb1d_split(jpc_fix_t *
+       llen = lendind - lstartind;
+       hlen = hendind - hstartind;
+ 
+-#if !defined(HAVE_VLA)
+       /* Get a buffer. */
+       if (bufsize > QMFB_SPLITBUFSIZE) {
+               if (!(buf = jas_malloc(bufsize * sizeof(jpc_fix_t)))) {
+@@ -190,7 +185,6 @@ static void jpc_qmfb1d_split(jpc_fix_t *
+                       return;
+               }
+       }
+-#endif
+ 
+       if (hstartind < lstartind) {
+               /* The first sample in the input signal is to appear
+@@ -272,12 +266,10 @@ static void jpc_qmfb1d_split(jpc_fix_t *
+               }
+       }
+ 
+-#if !defined(HAVE_VLA)
+       /* If the split buffer was allocated on the heap, free this memory. */
+       if (buf != splitbuf) {
+               jas_free(buf);
+       }
+-#endif
+ }
+ 
+ static void jpc_qmfb1d_join(jpc_fix_t *startptr, int startind, int endind,
+@@ -285,12 +277,8 @@ static void jpc_qmfb1d_join(jpc_fix_t *s
+   jpc_fix_t *hstartptr, int hstartind, int hendind)
+ {
+       int bufsize = JPC_CEILDIVPOW2(endind - startind, 2);
+-#if !defined(HAVE_VLA)
+ #define       QMFB_JOINBUFSIZE        4096
+       jpc_fix_t joinbuf[QMFB_JOINBUFSIZE];
+-#else
+-      jpc_fix_t joinbuf[bufsize];
+-#endif
+       jpc_fix_t *buf = joinbuf;
+       int llen;
+       int hlen;
+@@ -302,7 +290,6 @@ static void jpc_qmfb1d_join(jpc_fix_t *s
+       register int n;
+       int state;
+ 
+-#if !defined(HAVE_VLA)
+       /* Allocate memory for the join buffer from the heap. */
+       if (bufsize > QMFB_JOINBUFSIZE) {
+               if (!(buf = jas_malloc(bufsize * sizeof(jpc_fix_t)))) {
+@@ -313,7 +300,6 @@ static void jpc_qmfb1d_join(jpc_fix_t *s
+                       return;
+               }
+       }
+-#endif
+ 
+       twostep = step << 1;
+       llen = lendind - lstartind;
+@@ -400,12 +386,10 @@ static void jpc_qmfb1d_join(jpc_fix_t *s
+               }
+       }
+ 
+-#if !defined(HAVE_VLA)
+       /* If the join buffer was allocated on the heap, free this memory. */
+       if (buf != joinbuf) {
+               jas_free(buf);
+       }
+-#endif
+ }
+ 
+ /******************************************************************************\


