pkgsrc-Changes-HG archive


[pkgsrc/trunk]: pkgsrc/graphics/jasper Add upstream patch for CVE-2016-8654.



details:   https://anonhg.NetBSD.org/pkgsrc/rev/f7d34944abd4
branches:  trunk
changeset: 356033:f7d34944abd4
user:      dholland <dholland%pkgsrc.org@localhost>
date:      Sat Dec 17 23:02:51 2016 +0000

description:
Add upstream patch for CVE-2016-8654.

diffstat:

 graphics/jasper/Makefile                    |    3 +-
 graphics/jasper/distinfo                    |    3 +-
 graphics/jasper/patches/patch-CVE-2016-8654 |  117 ++++++++++++++++++++++++++++
 3 files changed, 121 insertions(+), 2 deletions(-)

diffs (148 lines):

diff -r 05fcab3c1565 -r f7d34944abd4 graphics/jasper/Makefile
--- a/graphics/jasper/Makefile  Sat Dec 17 20:45:42 2016 +0000
+++ b/graphics/jasper/Makefile  Sat Dec 17 23:02:51 2016 +0000
@@ -1,6 +1,7 @@
-# $NetBSD: Makefile,v 1.44 2016/12/16 09:44:44 he Exp $
+# $NetBSD: Makefile,v 1.45 2016/12/17 23:02:51 dholland Exp $
 
 DISTNAME=      jasper-1.900.29
+PKGREVISION=   1
 CATEGORIES=    graphics
 MASTER_SITES=  http://www.ece.uvic.ca/~mdadams/jasper/software/
 
diff -r 05fcab3c1565 -r f7d34944abd4 graphics/jasper/distinfo
--- a/graphics/jasper/distinfo  Sat Dec 17 20:45:42 2016 +0000
+++ b/graphics/jasper/distinfo  Sat Dec 17 23:02:51 2016 +0000
@@ -1,9 +1,10 @@
-$NetBSD: distinfo,v 1.22 2016/12/16 13:05:58 he Exp $
+$NetBSD: distinfo,v 1.23 2016/12/17 23:02:51 dholland Exp $
 
 SHA1 (jasper-1.900.29.tar.gz) = 6d50e5ea9e822ad5f88f4451819acab2e3b47f8e
 RMD160 (jasper-1.900.29.tar.gz) = 4ae47353f3dc086b3a11eff86ec7fb57d598c6fb
 SHA512 (jasper-1.900.29.tar.gz) = fdf557889660b9068e3712ff809fe7d4ab0855e1afff9a39eb19763599b4e747472743e4c49a42f7d38beadc6a0aa7a7b402422422853e8bb6d683def81b1544
 Size (jasper-1.900.29.tar.gz) = 1746319 bytes
+SHA1 (patch-CVE-2016-8654) = 9b430a5f872fbd2d33486d7280eeec04b552ec6f
 SHA1 (patch-configure) = 14039911be04b88559e40f20a01bb46fd0db4488
 SHA1 (patch-src_libjasper_base_jas__seq.c) = a0208cd0271388ae0fdc2e359da3223a35a7ae14
 SHA1 (patch-src_libjasper_base_jas__stream.c) = 2e9ad538ab2c0191063fef06202949b435b0085e
diff -r 05fcab3c1565 -r f7d34944abd4 graphics/jasper/patches/patch-CVE-2016-8654
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/graphics/jasper/patches/patch-CVE-2016-8654       Sat Dec 17 23:02:51 2016 +0000
@@ -0,0 +1,117 @@
+From 4a59cfaf9ab3d48fca4a15c0d2674bf7138e3d1a Mon Sep 17 00:00:00 2001
+From: Michael Adams <mdadams%ece.uvic.ca@localhost>
+Date: Sat, 26 Nov 2016 20:23:23 -0800
+Subject: [PATCH] Fixed a buffer overrun problem in the QMFB code in the JPC
+ codec that was caused by a buffer being allocated with a size that was too
+ small in some cases. Added a new regression test case.
+
+---
+ data/test/bad/PoC1.jpc       | Bin 0 -> 233 bytes
+ src/libjasper/jpc/jpc_qmfb.c |  28 +++++++++++++++-------------
+ 2 files changed, 15 insertions(+), 13 deletions(-)
+ create mode 100644 data/test/bad/PoC1.jpc
+
+# diff --git a/data/test/bad/PoC1.jpc b/data/test/bad/PoC1.jpc
+# new file mode 100644
+# index 0000000000000000000000000000000000000000..95239547c40ebd947169f8d87ec399759d1acd3f
+# GIT binary patch
+# literal 233
+# zcmezG|38pHlYx<efuVtcK><X=Km(8g!Vtj7&dB&bh=G@t0i>9PMS)TLe+&alg2Vq5
+# z23-b5=c3falKdho1;;R5FC%XSjbu#)BLf2i9Ux(-;Fy!1uMn15oSC2Ze*yy+*u*jh
+# z#{ZKa{p#MIIpO~#?i1JcuDH+a{XxR{o@qS)=2<S+_kGs5vcd1wR*^ZWYAZ`pBG>(V
+# z>o4CL(REnycXM0m>2?DJ+q$m14-a1!FY%njRQ9-BmDw#gXoZ8CkKEbRXJ=<JubTMl
+# Q@K-MmpN6@L&;H*808TDYDF6Tf
+#
+# literal 0
+# HcmV?d00001
+
+diff --git src/libjasper/jpc/jpc_qmfb.c src/libjasper/jpc/jpc_qmfb.c
+index 45be24e..f26070f 100644
+--- src/libjasper/jpc/jpc_qmfb.c
++++ src/libjasper/jpc/jpc_qmfb.c
+@@ -374,7 +374,7 @@ void jpc_qmfb_split_col(jpc_fix_t *a, int numrows, int stride,
+       register jpc_fix_t *dstptr;
+       register int n;
+       register int m;
+-      int hstartcol;
++      int hstartrow;
+ 
+       /* Get a buffer. */
+       if (bufsize > QMFB_SPLITBUFSIZE) {
+@@ -385,9 +385,9 @@ void jpc_qmfb_split_col(jpc_fix_t *a, int numrows, int stride,
+       }
+ 
+       if (numrows >= 2) {
+-              hstartcol = (numrows + 1 - parity) >> 1;
+-              // ORIGINAL (WRONG): m = (parity) ? hstartcol : (numrows - hstartcol);
+-              m = numrows - hstartcol;
++              hstartrow = (numrows + 1 - parity) >> 1;
++              // ORIGINAL (WRONG): m = (parity) ? hstartrow : (numrows - hstartrow);
++              m = numrows - hstartrow;
+ 
+               /* Save the samples destined for the highpass channel. */
+               n = m;
+@@ -408,7 +408,7 @@ void jpc_qmfb_split_col(jpc_fix_t *a, int numrows, int stride,
+                       srcptr += stride << 1;
+               }
+               /* Copy the saved samples into the highpass channel. */
+-              dstptr = &a[hstartcol * stride];
++              dstptr = &a[hstartrow * stride];
+               srcptr = buf;
+               n = m;
+               while (n-- > 0) {
+@@ -439,20 +439,21 @@ void jpc_qmfb_split_colgrp(jpc_fix_t *a, int numrows, int stride,
+       register int n;
+       register int i;
+       int m;
+-      int hstartcol;
++      int hstartrow;
+ 
+       /* Get a buffer. */
+       if (bufsize > QMFB_SPLITBUFSIZE) {
+-              if (!(buf = jas_alloc2(bufsize, sizeof(jpc_fix_t)))) {
++              if (!(buf = jas_alloc3(bufsize, JPC_QMFB_COLGRPSIZE,
++                sizeof(jpc_fix_t)))) {
+                       /* We have no choice but to commit suicide in this case. */
+                       abort();
+               }
+       }
+ 
+       if (numrows >= 2) {
+-              hstartcol = (numrows + 1 - parity) >> 1;
+-              // ORIGINAL (WRONG): m = (parity) ? hstartcol : (numrows - hstartcol);
+-              m = numrows - hstartcol;
++              hstartrow = (numrows + 1 - parity) >> 1;
++              // ORIGINAL (WRONG): m = (parity) ? hstartrow : (numrows - hstartrow);
++              m = numrows - hstartrow;
+ 
+               /* Save the samples destined for the highpass channel. */
+               n = m;
+@@ -485,7 +486,7 @@ void jpc_qmfb_split_colgrp(jpc_fix_t *a, int numrows, int stride,
+                       srcptr += stride << 1;
+               }
+               /* Copy the saved samples into the highpass channel. */
+-              dstptr = &a[hstartcol * stride];
++              dstptr = &a[hstartrow * stride];
+               srcptr = buf;
+               n = m;
+               while (n-- > 0) {
+@@ -526,7 +527,7 @@ void jpc_qmfb_split_colres(jpc_fix_t *a, int numrows, int numcols,
+ 
+       /* Get a buffer. */
+       if (bufsize > QMFB_SPLITBUFSIZE) {
+-              if (!(buf = jas_alloc2(bufsize, sizeof(jpc_fix_t)))) {
++              if (!(buf = jas_alloc3(bufsize, numcols, sizeof(jpc_fix_t)))) {
+                       /* We have no choice but to commit suicide in this case. */
+                       abort();
+               }
+@@ -721,7 +722,8 @@ void jpc_qmfb_join_colgrp(jpc_fix_t *a, int numrows, int stride,
+ 
+       /* Allocate memory for the join buffer from the heap. */
+       if (bufsize > QMFB_JOINBUFSIZE) {
+-              if (!(buf = jas_alloc3(bufsize, JPC_QMFB_COLGRPSIZE, sizeof(jpc_fix_t)))) {
++              if (!(buf = jas_alloc3(bufsize, JPC_QMFB_COLGRPSIZE,
++                sizeof(jpc_fix_t)))) {
+                       /* We have no choice but to commit suicide. */
+                       abort();
+               }
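Review bot: The size fix in jpc_qmfb_split_colgrp and jpc_qmfb_split_colres only touches the heap branch guarded by `bufsize > QMFB_SPLITBUFSIZE`. At or below that threshold the code presumably uses a fixed-size fallback buffer whose declaration is outside these hunks, so confirm that it is also sized for `QMFB_SPLITBUFSIZE * JPC_QMFB_COLGRPSIZE` samples and that this covers every `numcols` value passed to jpc_qmfb_split_colres. A comment beside each allocation, such as `/* buf holds bufsize rows of JPC_QMFB_COLGRPSIZE samples; the fixed-size fallback must be sized to match */`, would keep the two paths from drifting apart again. The PoC1.jpc regression input is commented out in this pkgsrc copy of the patch, so the package build does not exercise the fix. All of the touched functions start and end outside the hunks shown.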


