[arch-commits] Commit in jasper/trunk (PKGBUILD jasper-1.900.1-CVE-2015-5203.patch)

Eric Bélanger eric at archlinux.org
Sat Aug 22 00:15:49 UTC 2015 

    Date: Saturday, August 22, 2015 @ 02:15:49
  Author: eric
Revision: 244482

upgpkg: jasper 1.900.1-14

Add security fix for CVE-2015-5203

Added:
  jasper/trunk/jasper-1.900.1-CVE-2015-5203.patch
Modified:
  jasper/trunk/PKGBUILD

------------------------------------+
 PKGBUILD                           |    9 +
 jasper-1.900.1-CVE-2015-5203.patch |  197 +++++++++++++++++++++++++++++++++++
 2 files changed, 203 insertions(+), 3 deletions(-)

Modified: PKGBUILD
===================================================================
--- PKGBUILD	2015-08-21 23:21:58 UTC (rev 244481)
+++ PKGBUILD	2015-08-22 00:15:49 UTC (rev 244482)
@@ -3,7 +3,7 @@
 
 pkgname=jasper
 pkgver=1.900.1
-pkgrel=13
+pkgrel=14
 pkgdesc="A software-based implementation of the codec specified in the emerging JPEG-2000 Part-1 standard"
 arch=('i686' 'x86_64')
 url="http://www.ece.uvic.ca/~mdadams/jasper/"
@@ -19,7 +19,8 @@
 	jasper-1.900.1-CVE-2011-4516-and-CVE-2011-4517.patch
         jasper-1.900.1-fix-filename-buffer-overflow.patch
 	jasper-1.900.1-CVE-2014-8157.patch
-	jasper-1.900.1-CVE-2014-8158.patch)
+	jasper-1.900.1-CVE-2014-8158.patch
+        jasper-1.900.1-CVE-2015-5203.patch)
 sha1sums=('9c5735f773922e580bf98c7c7dfda9bbed4c5191'
           'f298566fef08c8a589d072582112cd51c72c3983'
           '2483dba925670bf29f531d85d73c4e5ada513b01'
@@ -32,7 +33,8 @@
           '3bfb37a4c732caa824563bad2603fcf5f2acf7f7'
           '577dfce40da75818c4d32eb1c4532b1370950bee'
           'aaf96946073d2ece35f3695e8cc7956b5cad9a1d'
-          'e69b339de43d1dc2fbb98368cee3d20f76d35941')
+          'e69b339de43d1dc2fbb98368cee3d20f76d35941'
+          'b28a15079e6c5dd4cde8d63c21763c8abb9d187c')
 
 prepare() {
   cd ${pkgname}-${pkgver}
@@ -48,6 +50,7 @@
   patch -p1 -i "${srcdir}/jasper-1.900.1-fix-filename-buffer-overflow.patch"
   patch -p1 -i "${srcdir}/jasper-1.900.1-CVE-2014-8157.patch"
   patch -p1 -i "${srcdir}/jasper-1.900.1-CVE-2014-8158.patch"
+  patch -p1 -i "${srcdir}/jasper-1.900.1-CVE-2015-5203.patch"
 }
 
 build() {

Added: jasper-1.900.1-CVE-2015-5203.patch
===================================================================
--- jasper-1.900.1-CVE-2015-5203.patch	                        (rev 0)
+++ jasper-1.900.1-CVE-2015-5203.patch	2015-08-22 00:15:49 UTC (rev 244482)
@@ -0,0 +1,197 @@
+From a0ad33bedb339e4f9f35f9637a976320ec81f508 Mon Sep 17 00:00:00 2001
+From: mancha <mancha1 AT zoho DOT com>
+Date: Mon, 17 Aug 2015
+Subject: CVE-2015-5203
+
+Prevent integer conversion errors.
+
+jasper is vulnerable to integer conversion errors that can be leveraged,
+via crafted input, to trigger faults such as double free's. This patch
+addresses that by using size_t for buffer sizes.
+
+---
+ src/libjasper/base/jas_stream.c           |   10 +++++-----
+ src/libjasper/include/jasper/jas_stream.h |    8 ++++----
+ src/libjasper/jpc/jpc_qmfb.c              |   16 ++++++++--------
+ src/libjasper/mif/mif_cod.c               |    4 ++--
+ 4 files changed, 19 insertions(+), 19 deletions(-)
+
+--- a/src/libjasper/include/jasper/jas_stream.h
++++ b/src/libjasper/include/jasper/jas_stream.h
+@@ -215,7 +215,7 @@ typedef struct {
+ 	uchar *bufstart_;
+ 
+ 	/* The buffer size. */
+-	int bufsize_;
++	size_t bufsize_;
+ 
+ 	/* The current position in the buffer. */
+ 	uchar *ptr_;
+@@ -267,7 +267,7 @@ typedef struct {
+ 	uchar *buf_;
+ 
+ 	/* The allocated size of the buffer for holding file data. */
+-	int bufsize_;
++	size_t bufsize_;
+ 
+ 	/* The length of the file. */
+ 	int_fast32_t len_;
+@@ -291,7 +291,7 @@ typedef struct {
+ jas_stream_t *jas_stream_fopen(const char *filename, const char *mode);
+ 
+ /* Open a memory buffer as a stream. */
+-jas_stream_t *jas_stream_memopen(char *buf, int bufsize);
++jas_stream_t *jas_stream_memopen(char *buf, size_t bufsize);
+ 
+ /* Open a file descriptor as a stream. */
+ jas_stream_t *jas_stream_fdopen(int fd, const char *mode);
+@@ -366,7 +366,7 @@ int jas_stream_printf(jas_stream_t *stre
+ int jas_stream_puts(jas_stream_t *stream, const char *s);
+ 
+ /* Read a line of input from a stream. */
+-char *jas_stream_gets(jas_stream_t *stream, char *buf, int bufsize);
++char *jas_stream_gets(jas_stream_t *stream, char *buf, size_t bufsize);
+ 
+ /* Look at the next character to be read from a stream without actually
+   removing it from the stream. */
+--- a/src/libjasper/base/jas_stream.c
++++ b/src/libjasper/base/jas_stream.c
+@@ -99,7 +99,7 @@ static int jas_strtoopenmode(const char
+ static void jas_stream_destroy(jas_stream_t *stream);
+ static jas_stream_t *jas_stream_create(void);
+ static void jas_stream_initbuf(jas_stream_t *stream, int bufmode, char *buf,
+-  int bufsize);
++  size_t bufsize);
+ 
+ static int mem_read(jas_stream_obj_t *obj, char *buf, int cnt);
+ static int mem_write(jas_stream_obj_t *obj, char *buf, int cnt);
+@@ -168,7 +168,7 @@ static jas_stream_t *jas_stream_create()
+ 	return stream;
+ }
+ 
+-jas_stream_t *jas_stream_memopen(char *buf, int bufsize)
++jas_stream_t *jas_stream_memopen(char *buf, size_t bufsize)
+ {
+ 	jas_stream_t *stream;
+ 	jas_stream_memobj_t *obj;
+@@ -570,7 +570,7 @@ int jas_stream_puts(jas_stream_t *stream
+ 	return 0;
+ }
+ 
+-char *jas_stream_gets(jas_stream_t *stream, char *buf, int bufsize)
++char *jas_stream_gets(jas_stream_t *stream, char *buf, size_t bufsize)
+ {
+ 	int c;
+ 	char *bufptr;
+@@ -694,7 +694,7 @@ long jas_stream_tell(jas_stream_t *strea
+ \******************************************************************************/
+ 
+ static void jas_stream_initbuf(jas_stream_t *stream, int bufmode, char *buf,
+-  int bufsize)
++  size_t bufsize)
+ {
+ 	/* If this function is being called, the buffer should not have been
+ 	  initialized yet. */
+@@ -987,7 +987,7 @@ static int mem_read(jas_stream_obj_t *ob
+ 	return cnt;
+ }
+ 
+-static int mem_resize(jas_stream_memobj_t *m, int bufsize)
++static int mem_resize(jas_stream_memobj_t *m, size_t bufsize)
+ {
+ 	unsigned char *buf;
+ 
+--- a/src/libjasper/jpc/jpc_qmfb.c
++++ b/src/libjasper/jpc/jpc_qmfb.c
+@@ -305,7 +305,7 @@ jpc_qmfb2d_t jpc_ns_qmfb2d = {
+ void jpc_qmfb_split_row(jpc_fix_t *a, int numcols, int parity)
+ {
+ 
+-	int bufsize = JPC_CEILDIVPOW2(numcols, 1);
++	size_t bufsize = JPC_CEILDIVPOW2(numcols, 1);
+	jpc_fix_t splitbuf[QMFB_SPLITBUFSIZE];
+	jpc_fix_t *buf = splitbuf;
+	register jpc_fix_t *srcptr;#if !defined(HAVE_VLA)
+@@ -373,7 +373,7 @@ void jpc_qmfb_split_col(jpc_fix_t *a, in
+   int parity)
+ {
+ 
+-	int bufsize = JPC_CEILDIVPOW2(numrows, 1);
++	size_t bufsize = JPC_CEILDIVPOW2(numrows, 1);
+ 	jpc_fix_t splitbuf[QMFB_SPLITBUFSIZE];
+ 	jpc_fix_t *buf = splitbuf;
+ 	register jpc_fix_t *srcptr;
+@@ -441,7 +441,7 @@ void jpc_qmfb_split_colgrp(jpc_fix_t *a,
+   int parity)
+ {
+ 
+-	int bufsize = JPC_CEILDIVPOW2(numrows, 1);
++	size_t bufsize = JPC_CEILDIVPOW2(numrows, 1);
+ 	jpc_fix_t splitbuf[QMFB_SPLITBUFSIZE * JPC_QMFB_COLGRPSIZE];
+ 	jpc_fix_t *buf = splitbuf;
+ 	jpc_fix_t *srcptr;
+@@ -530,7 +530,7 @@ void jpc_qmfb_split_colres(jpc_fix_t *a,
+   int stride, int parity)
+ {
+ 
+-	int bufsize = JPC_CEILDIVPOW2(numrows, 1);
++	size_t bufsize = JPC_CEILDIVPOW2(numrows, 1);
+ 	jpc_fix_t splitbuf[QMFB_SPLITBUFSIZE * JPC_QMFB_COLGRPSIZE];
+ 	jpc_fix_t *buf = splitbuf;
+ 	jpc_fix_t *srcptr;
+@@ -618,7 +618,7 @@ void jpc_qmfb_split_colres(jpc_fix_t *a,
+ void jpc_qmfb_join_row(jpc_fix_t *a, int numcols, int parity)
+ {
+ 
+-	int bufsize = JPC_CEILDIVPOW2(numcols, 1);
++	size_t bufsize = JPC_CEILDIVPOW2(numcols, 1);
+ 	jpc_fix_t joinbuf[QMFB_JOINBUFSIZE];
+ 	jpc_fix_t *buf = joinbuf;
+ 	register jpc_fix_t *srcptr;
+@@ -683,7 +683,7 @@ void jpc_qmfb_join_col(jpc_fix_t *a, int
+   int parity)
+ {
+ 
+-	int bufsize = JPC_CEILDIVPOW2(numrows, 1);
++	size_t bufsize = JPC_CEILDIVPOW2(numrows, 1);
+ 	jpc_fix_t joinbuf[QMFB_JOINBUFSIZE];
+ 	jpc_fix_t *buf = joinbuf;
+ 	register jpc_fix_t *srcptr;
+@@ -748,7 +748,7 @@ void jpc_qmfb_join_colgrp(jpc_fix_t *a,
+   int parity)
+ {
+ 
+-	int bufsize = JPC_CEILDIVPOW2(numrows, 1);
++	size_t bufsize = JPC_CEILDIVPOW2(numrows, 1);
+ 	jpc_fix_t joinbuf[QMFB_JOINBUFSIZE * JPC_QMFB_COLGRPSIZE];
+ 	jpc_fix_t *buf = joinbuf;
+ 	jpc_fix_t *srcptr;
+@@ -834,7 +834,7 @@ void jpc_qmfb_join_colres(jpc_fix_t *a,
+   int stride, int parity)
+ {
+ 
+-	int bufsize = JPC_CEILDIVPOW2(numrows, 1);
++	size_t bufsize = JPC_CEILDIVPOW2(numrows, 1);
+ 	jpc_fix_t joinbuf[QMFB_JOINBUFSIZE * JPC_QMFB_COLGRPSIZE];
+ 	jpc_fix_t *buf = joinbuf;
+ 	jpc_fix_t *srcptr;
+--- a/src/libjasper/mif/mif_cod.c
++++ b/src/libjasper/mif/mif_cod.c
+@@ -107,7 +107,7 @@ static int mif_hdr_put(mif_hdr_t *hdr, j
+ static int mif_hdr_addcmpt(mif_hdr_t *hdr, int cmptno, mif_cmpt_t *cmpt);
+ static mif_cmpt_t *mif_cmpt_create(void);
+ static void mif_cmpt_destroy(mif_cmpt_t *cmpt);
+-static char *mif_getline(jas_stream_t *jas_stream, char *buf, int bufsize);
++static char *mif_getline(jas_stream_t *jas_stream, char *buf, size_t bufsize);
+ static int mif_getc(jas_stream_t *in);
+ static mif_hdr_t *mif_makehdrfromimage(jas_image_t *image);
+ 
+@@ -658,7 +658,7 @@ static void mif_cmpt_destroy(mif_cmpt_t
+ * MIF parsing code.
+ \******************************************************************************/
+ 
+-static char *mif_getline(jas_stream_t *stream, char *buf, int bufsize)
++static char *mif_getline(jas_stream_t *stream, char *buf, size_t bufsize)
+ {
+ 	int c;
+ 	char *bufptr;

More information about the arch-commits mailing list