[arch-commits] Commit in jasper/repos (18 files)

Antonio Rojas arojas at archlinux.org
Thu Oct 6 20:50:52 UTC 2016


    Date: Thursday, October 6, 2016 @ 20:50:52
  Author: arojas
Revision: 277857

archrelease: copy trunk to testing-i686, testing-x86_64

Added:
  jasper/repos/testing-i686/
  jasper/repos/testing-i686/PKGBUILD
    (from rev 277856, jasper/trunk/PKGBUILD)
  jasper/repos/testing-i686/jasper-1.900.1-CVE-2008-3520.patch
    (from rev 277856, jasper/trunk/jasper-1.900.1-CVE-2008-3520.patch)
  jasper/repos/testing-i686/jasper-1.900.1-CVE-2011-4516-and-CVE-2011-4517.patch
    (from rev 277856, jasper/trunk/jasper-1.900.1-CVE-2011-4516-and-CVE-2011-4517.patch)
  jasper/repos/testing-i686/jasper-1.900.1-CVE-2014-8137.patch
    (from rev 277856, jasper/trunk/jasper-1.900.1-CVE-2014-8137.patch)
  jasper/repos/testing-i686/jasper-1.900.1-CVE-2016-2089.patch
    (from rev 277856, jasper/trunk/jasper-1.900.1-CVE-2016-2089.patch)
  jasper/repos/testing-i686/jasper-1.900.1-fix-filename-buffer-overflow.patch
    (from rev 277856, jasper/trunk/jasper-1.900.1-fix-filename-buffer-overflow.patch)
  jasper/repos/testing-i686/jasper-avoid-assert-abort.diff
    (from rev 277856, jasper/trunk/jasper-avoid-assert-abort.diff)
  jasper/repos/testing-i686/patch-libjasper-stepsizes-overflow.diff
    (from rev 277856, jasper/trunk/patch-libjasper-stepsizes-overflow.diff)
  jasper/repos/testing-x86_64/
  jasper/repos/testing-x86_64/PKGBUILD
    (from rev 277856, jasper/trunk/PKGBUILD)
  jasper/repos/testing-x86_64/jasper-1.900.1-CVE-2008-3520.patch
    (from rev 277856, jasper/trunk/jasper-1.900.1-CVE-2008-3520.patch)
  jasper/repos/testing-x86_64/jasper-1.900.1-CVE-2011-4516-and-CVE-2011-4517.patch
    (from rev 277856, jasper/trunk/jasper-1.900.1-CVE-2011-4516-and-CVE-2011-4517.patch)
  jasper/repos/testing-x86_64/jasper-1.900.1-CVE-2014-8137.patch
    (from rev 277856, jasper/trunk/jasper-1.900.1-CVE-2014-8137.patch)
  jasper/repos/testing-x86_64/jasper-1.900.1-CVE-2016-2089.patch
    (from rev 277856, jasper/trunk/jasper-1.900.1-CVE-2016-2089.patch)
  jasper/repos/testing-x86_64/jasper-1.900.1-fix-filename-buffer-overflow.patch
    (from rev 277856, jasper/trunk/jasper-1.900.1-fix-filename-buffer-overflow.patch)
  jasper/repos/testing-x86_64/jasper-avoid-assert-abort.diff
    (from rev 277856, jasper/trunk/jasper-avoid-assert-abort.diff)
  jasper/repos/testing-x86_64/patch-libjasper-stepsizes-overflow.diff
    (from rev 277856, jasper/trunk/patch-libjasper-stepsizes-overflow.diff)

---------------------------------------------------------------------+
 testing-i686/PKGBUILD                                               |   50 
 testing-i686/jasper-1.900.1-CVE-2008-3520.patch                     |  928 ++++++++++
 testing-i686/jasper-1.900.1-CVE-2011-4516-and-CVE-2011-4517.patch   |   30 
 testing-i686/jasper-1.900.1-CVE-2014-8137.patch                     |   43 
 testing-i686/jasper-1.900.1-CVE-2016-2089.patch                     |   90 
 testing-i686/jasper-1.900.1-fix-filename-buffer-overflow.patch      |   37 
 testing-i686/jasper-avoid-assert-abort.diff                         |   14 
 testing-i686/patch-libjasper-stepsizes-overflow.diff                |   14 
 testing-x86_64/PKGBUILD                                             |   50 
 testing-x86_64/jasper-1.900.1-CVE-2008-3520.patch                   |  928 ++++++++++
 testing-x86_64/jasper-1.900.1-CVE-2011-4516-and-CVE-2011-4517.patch |   30 
 testing-x86_64/jasper-1.900.1-CVE-2014-8137.patch                   |   43 
 testing-x86_64/jasper-1.900.1-CVE-2016-2089.patch                   |   90 
 testing-x86_64/jasper-1.900.1-fix-filename-buffer-overflow.patch    |   37 
 testing-x86_64/jasper-avoid-assert-abort.diff                       |   14 
 testing-x86_64/patch-libjasper-stepsizes-overflow.diff              |   14 
 16 files changed, 2412 insertions(+)

Copied: jasper/repos/testing-i686/PKGBUILD (from rev 277856, jasper/trunk/PKGBUILD)
===================================================================
--- testing-i686/PKGBUILD	                        (rev 0)
+++ testing-i686/PKGBUILD	2016-10-06 20:50:52 UTC (rev 277857)
@@ -0,0 +1,50 @@
+# $Id$
+# Maintainer: Eric Bélanger <eric at archlinux.org>
+
+pkgname=jasper
+pkgver=1.900.2
+pkgrel=1
+pkgdesc="A software-based implementation of the codec specified in the emerging JPEG-2000 Part-1 standard"
+arch=('i686' 'x86_64')
+url="http://www.ece.uvic.ca/~mdadams/jasper/"
+license=('custom:JasPer2.0')
+depends=('libjpeg')
+makedepends=('freeglut' 'libxmu' 'glu')
+optdepends=('freeglut: for jiv support' 'glu: for jiv support')
+source=(http://www.ece.uvic.ca/~mdadams/${pkgname}/software/${pkgname}-${pkgver}.tar.gz
+        patch-libjasper-stepsizes-overflow.diff jasper-1.900.1-CVE-2008-3520.patch
+        jasper-1.900.1-CVE-2014-8137.patch jasper-avoid-assert-abort.diff
+        jasper-1.900.1-CVE-2011-4516-and-CVE-2011-4517.patch
+        jasper-1.900.1-fix-filename-buffer-overflow.patch
+        jasper-1.900.1-CVE-2016-2089.patch)
+sha1sums=('3b6bfa9876a88fbeb6fe5ad29437643c28fa4475'
+          'f298566fef08c8a589d072582112cd51c72c3983'
+          '2483dba925670bf29f531d85d73c4e5ada513b01'
+          '437519aaaeff6076d11cdbea82125dbcac6f729b'
+          '98548b610a7319e569ee0425a32dc1d31a8771d2'
+          '3bfb37a4c732caa824563bad2603fcf5f2acf7f7'
+          '577dfce40da75818c4d32eb1c4532b1370950bee'
+          '06f89116508b1498e97a41ae07e15a4f049e671d')
+
+prepare() {
+  cd ${pkgname}-${pkgver}
+  patch -p1 -i "${srcdir}/patch-libjasper-stepsizes-overflow.diff"
+  patch -p1 -i "${srcdir}/jasper-1.900.1-CVE-2008-3520.patch"
+  patch -p1 -i "${srcdir}/jasper-1.900.1-CVE-2014-8137.patch"
+  patch -p1 -i "${srcdir}/jasper-avoid-assert-abort.diff"
+  patch -p1 -i "${srcdir}/jasper-1.900.1-CVE-2011-4516-and-CVE-2011-4517.patch"
+  patch -p1 -i "${srcdir}/jasper-1.900.1-fix-filename-buffer-overflow.patch"
+  patch -p1 -i "${srcdir}/jasper-1.900.1-CVE-2016-2089.patch"
+}
+
+build() {
+  cd ${pkgname}-${pkgver}
+  ./configure --prefix=/usr --mandir=/usr/share/man --enable-shared
+  make
+}
+
+package() {
+  cd ${pkgname}-${pkgver}
+  make DESTDIR="${pkgdir}" install
+  install -Dm644 LICENSE "${pkgdir}/usr/share/licenses/${pkgname}/LICENSE"
+}
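Review bot: The upstream tarball in `source=` is fetched over plain `http://` and every source is pinned only by `sha1sums`, so the integrity of the download rests on a SHA-1 digest; makepkg also accepts a `sha256sums=(...)` array, which would be the stronger pin for the tarball and the seven local patch files. Separately, `pkgver=1.900.2` is built with patches named and generated against `jasper-1.900.1`, and `prepare()` applies them with `patch -p1 -i ...`, which by default accepts offsets and fuzz. For security fixes it is worth confirming each one still applies exactly and is still needed against 1.900.2, for example by adding `-F0` to those `patch` calls so that a hunk that no longer matches fails the build instead of landing nearby. The diffstat lists an identical testing-x86_64/PKGBUILD that is not visible in this part of the page; the same points would apply there.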

Copied: jasper/repos/testing-i686/jasper-1.900.1-CVE-2008-3520.patch (from rev 277856, jasper/trunk/jasper-1.900.1-CVE-2008-3520.patch)
===================================================================
--- testing-i686/jasper-1.900.1-CVE-2008-3520.patch	                        (rev 0)
+++ testing-i686/jasper-1.900.1-CVE-2008-3520.patch	2016-10-06 20:50:52 UTC (rev 277857)
@@ -0,0 +1,928 @@
+https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2008-3520
+
+OpenBSD jas_malloc hardening patches
+
+diff -pruN jasper-1.900.1.orig/src/libjasper/base/jas_cm.c jasper-1.900.1/src/libjasper/base/jas_cm.c
+--- jasper-1.900.1.orig/src/libjasper/base/jas_cm.c	2007-01-19 22:43:05.000000000 +0100
++++ jasper-1.900.1/src/libjasper/base/jas_cm.c	2009-10-22 10:27:45.000000000 +0200
+@@ -704,8 +704,7 @@ static int jas_cmpxformseq_resize(jas_cm
+ {
+ 	jas_cmpxform_t **p;
+ 	assert(n >= pxformseq->numpxforms);
+-	p = (!pxformseq->pxforms) ? jas_malloc(n * sizeof(jas_cmpxform_t *)) :
+-	  jas_realloc(pxformseq->pxforms, n * sizeof(jas_cmpxform_t *));
++	p = jas_realloc2(pxformseq->pxforms, n, sizeof(jas_cmpxform_t *));
+ 	if (!p) {
+ 		return -1;
+ 	}
+@@ -889,13 +888,13 @@ static int jas_cmshapmatlut_set(jas_cmsh
+ 	jas_cmshapmatlut_cleanup(lut);
+ 	if (curv->numents == 0) {
+ 		lut->size = 2;
+-		if (!(lut->data = jas_malloc(lut->size * sizeof(jas_cmreal_t))))
++		if (!(lut->data = jas_alloc2(lut->size, sizeof(jas_cmreal_t))))
+ 			goto error;
+ 		lut->data[0] = 0.0;
+ 		lut->data[1] = 1.0;
+ 	} else if (curv->numents == 1) {
+ 		lut->size = 256;
+-		if (!(lut->data = jas_malloc(lut->size * sizeof(jas_cmreal_t))))
++		if (!(lut->data = jas_alloc2(lut->size, sizeof(jas_cmreal_t))))
+ 			goto error;
+ 		gamma = curv->ents[0] / 256.0;
+ 		for (i = 0; i < lut->size; ++i) {
+@@ -903,7 +902,7 @@ static int jas_cmshapmatlut_set(jas_cmsh
+ 		}
+ 	} else {
+ 		lut->size = curv->numents;
+-		if (!(lut->data = jas_malloc(lut->size * sizeof(jas_cmreal_t))))
++		if (!(lut->data = jas_alloc2(lut->size, sizeof(jas_cmreal_t))))
+ 			goto error;
+ 		for (i = 0; i < lut->size; ++i) {
+ 			lut->data[i] = curv->ents[i] / 65535.0;
+@@ -953,7 +952,7 @@ static int jas_cmshapmatlut_invert(jas_c
+ 			return -1;
+ 		}
+ 	}
+-	if (!(invlut->data = jas_malloc(n * sizeof(jas_cmreal_t))))
++	if (!(invlut->data = jas_alloc2(n, sizeof(jas_cmreal_t))))
+ 		return -1;
+ 	invlut->size = n;
+ 	for (i = 0; i < invlut->size; ++i) {
+diff -pruN jasper-1.900.1.orig/src/libjasper/base/jas_icc.c jasper-1.900.1/src/libjasper/base/jas_icc.c
+--- jasper-1.900.1.orig/src/libjasper/base/jas_icc.c	2007-01-19 22:43:05.000000000 +0100
++++ jasper-1.900.1/src/libjasper/base/jas_icc.c	2009-10-22 10:27:45.000000000 +0200
+@@ -373,7 +373,7 @@ int jas_iccprof_save(jas_iccprof_t *prof
+ 	jas_icctagtab_t *tagtab;
+ 
+ 	tagtab = &prof->tagtab;
+-	if (!(tagtab->ents = jas_malloc(prof->attrtab->numattrs *
++	if (!(tagtab->ents = jas_alloc2(prof->attrtab->numattrs,
+ 	  sizeof(jas_icctagtabent_t))))
+ 		goto error;
+ 	tagtab->numents = prof->attrtab->numattrs;
+@@ -522,7 +522,7 @@ static int jas_iccprof_gettagtab(jas_str
+ 	}
+ 	if (jas_iccgetuint32(in, &tagtab->numents))
+ 		goto error;
+-	if (!(tagtab->ents = jas_malloc(tagtab->numents *
++	if (!(tagtab->ents = jas_alloc2(tagtab->numents,
+ 	  sizeof(jas_icctagtabent_t))))
+ 		goto error;
+ 	tagtabent = tagtab->ents;
+@@ -743,8 +743,7 @@ static int jas_iccattrtab_resize(jas_icc
+ {
+ 	jas_iccattr_t *newattrs;
+ 	assert(maxents >= tab->numattrs);
+-	newattrs = tab->attrs ? jas_realloc(tab->attrs, maxents *
+-	  sizeof(jas_iccattr_t)) : jas_malloc(maxents * sizeof(jas_iccattr_t));
++	newattrs = jas_realloc2(tab->attrs, maxents, sizeof(jas_iccattr_t));
+ 	if (!newattrs)
+ 		return -1;
+ 	tab->attrs = newattrs;
+@@ -999,7 +998,7 @@ static int jas_icccurv_input(jas_iccattr
+ 
+ 	if (jas_iccgetuint32(in, &curv->numents))
+ 		goto error;
+-	if (!(curv->ents = jas_malloc(curv->numents * sizeof(jas_iccuint16_t))))
++	if (!(curv->ents = jas_alloc2(curv->numents, sizeof(jas_iccuint16_t))))
+ 		goto error;
+ 	for (i = 0; i < curv->numents; ++i) {
+ 		if (jas_iccgetuint16(in, &curv->ents[i]))
+@@ -1100,7 +1099,7 @@ static int jas_icctxtdesc_input(jas_icca
+ 	if (jas_iccgetuint32(in, &txtdesc->uclangcode) ||
+ 	  jas_iccgetuint32(in, &txtdesc->uclen))
+ 		goto error;
+-	if (!(txtdesc->ucdata = jas_malloc(txtdesc->uclen * 2)))
++	if (!(txtdesc->ucdata = jas_alloc2(txtdesc->uclen, 2)))
+ 		goto error;
+ 	if (jas_stream_read(in, txtdesc->ucdata, txtdesc->uclen * 2) !=
+ 	  JAS_CAST(int, txtdesc->uclen * 2))
+@@ -1292,17 +1291,17 @@ static int jas_icclut8_input(jas_iccattr
+ 	  jas_iccgetuint16(in, &lut8->numouttabents))
+ 		goto error;
+ 	clutsize = jas_iccpowi(lut8->clutlen, lut8->numinchans) * lut8->numoutchans;
+-	if (!(lut8->clut = jas_malloc(clutsize * sizeof(jas_iccuint8_t))) ||
+-	  !(lut8->intabsbuf = jas_malloc(lut8->numinchans *
+-	  lut8->numintabents * sizeof(jas_iccuint8_t))) ||
+-	  !(lut8->intabs = jas_malloc(lut8->numinchans *
++	if (!(lut8->clut = jas_alloc2(clutsize, sizeof(jas_iccuint8_t))) ||
++	  !(lut8->intabsbuf = jas_alloc3(lut8->numinchans,
++	  lut8->numintabents, sizeof(jas_iccuint8_t))) ||
++	  !(lut8->intabs = jas_alloc2(lut8->numinchans,
+ 	  sizeof(jas_iccuint8_t *))))
+ 		goto error;
+ 	for (i = 0; i < lut8->numinchans; ++i)
+ 		lut8->intabs[i] = &lut8->intabsbuf[i * lut8->numintabents];
+-	if (!(lut8->outtabsbuf = jas_malloc(lut8->numoutchans *
+-	  lut8->numouttabents * sizeof(jas_iccuint8_t))) ||
+-	  !(lut8->outtabs = jas_malloc(lut8->numoutchans *
++	if (!(lut8->outtabsbuf = jas_alloc3(lut8->numoutchans,
++	  lut8->numouttabents, sizeof(jas_iccuint8_t))) ||
++	  !(lut8->outtabs = jas_alloc2(lut8->numoutchans,
+ 	  sizeof(jas_iccuint8_t *))))
+ 		goto error;
+ 	for (i = 0; i < lut8->numoutchans; ++i)
+@@ -1461,17 +1460,17 @@ static int jas_icclut16_input(jas_iccatt
+ 	  jas_iccgetuint16(in, &lut16->numouttabents))
+ 		goto error;
+ 	clutsize = jas_iccpowi(lut16->clutlen, lut16->numinchans) * lut16->numoutchans;
+-	if (!(lut16->clut = jas_malloc(clutsize * sizeof(jas_iccuint16_t))) ||
+-	  !(lut16->intabsbuf = jas_malloc(lut16->numinchans *
+-	  lut16->numintabents * sizeof(jas_iccuint16_t))) ||
+-	  !(lut16->intabs = jas_malloc(lut16->numinchans *
++	if (!(lut16->clut = jas_alloc2(clutsize, sizeof(jas_iccuint16_t))) ||
++	  !(lut16->intabsbuf = jas_alloc3(lut16->numinchans,
++	  lut16->numintabents, sizeof(jas_iccuint16_t))) ||
++	  !(lut16->intabs = jas_alloc2(lut16->numinchans,
+ 	  sizeof(jas_iccuint16_t *))))
+ 		goto error;
+ 	for (i = 0; i < lut16->numinchans; ++i)
+ 		lut16->intabs[i] = &lut16->intabsbuf[i * lut16->numintabents];
+-	if (!(lut16->outtabsbuf = jas_malloc(lut16->numoutchans *
+-	  lut16->numouttabents * sizeof(jas_iccuint16_t))) ||
+-	  !(lut16->outtabs = jas_malloc(lut16->numoutchans *
++	if (!(lut16->outtabsbuf = jas_alloc3(lut16->numoutchans,
++	  lut16->numouttabents, sizeof(jas_iccuint16_t))) ||
++	  !(lut16->outtabs = jas_alloc2(lut16->numoutchans,
+ 	  sizeof(jas_iccuint16_t *))))
+ 		goto error;
+ 	for (i = 0; i < lut16->numoutchans; ++i)
+diff -pruN jasper-1.900.1.orig/src/libjasper/base/jas_image.c jasper-1.900.1/src/libjasper/base/jas_image.c
+--- jasper-1.900.1.orig/src/libjasper/base/jas_image.c	2007-01-19 22:43:05.000000000 +0100
++++ jasper-1.900.1/src/libjasper/base/jas_image.c	2009-10-22 10:27:45.000000000 +0200
+@@ -142,7 +142,7 @@ jas_image_t *jas_image_create(int numcmp
+ 	image->inmem_ = true;
+ 
+ 	/* Allocate memory for the per-component information. */
+-	if (!(image->cmpts_ = jas_malloc(image->maxcmpts_ *
++	if (!(image->cmpts_ = jas_alloc2(image->maxcmpts_,
+ 	  sizeof(jas_image_cmpt_t *)))) {
+ 		jas_image_destroy(image);
+ 		return 0;
+@@ -774,8 +774,7 @@ static int jas_image_growcmpts(jas_image
+ 	jas_image_cmpt_t **newcmpts;
+ 	int cmptno;
+ 
+-	newcmpts = (!image->cmpts_) ? jas_malloc(maxcmpts * sizeof(jas_image_cmpt_t *)) :
+-	  jas_realloc(image->cmpts_, maxcmpts * sizeof(jas_image_cmpt_t *));
++	newcmpts = jas_realloc2(image->cmpts_, maxcmpts, sizeof(jas_image_cmpt_t *));
+ 	if (!newcmpts) {
+ 		return -1;
+ 	}
+diff -pruN jasper-1.900.1.orig/src/libjasper/base/jas_malloc.c jasper-1.900.1/src/libjasper/base/jas_malloc.c
+--- jasper-1.900.1.orig/src/libjasper/base/jas_malloc.c	2007-01-19 22:43:05.000000000 +0100
++++ jasper-1.900.1/src/libjasper/base/jas_malloc.c	2009-10-22 10:27:45.000000000 +0200
+@@ -76,6 +76,9 @@
+ 
+ /* We need the prototype for memset. */
+ #include <string.h>
++#include <limits.h>
++#include <errno.h>
++#include <stdint.h>
+ 
+ #include "jasper/jas_malloc.h"
+ 
+@@ -113,18 +116,50 @@ void jas_free(void *ptr)
+ 
+ void *jas_realloc(void *ptr, size_t size)
+ {
+-	return realloc(ptr, size);
++	return ptr ? realloc(ptr, size) : malloc(size);
+ }
+ 
+-void *jas_calloc(size_t nmemb, size_t size)
++void *jas_realloc2(void *ptr, size_t nmemb, size_t size)
++{
++	if (!ptr)
++		return jas_alloc2(nmemb, size);
++	if (nmemb && SIZE_MAX / nmemb < size) {
++		errno = ENOMEM;
++		return NULL;
++	}
++	return jas_realloc(ptr, nmemb * size);
++
++}
++
++void *jas_alloc2(size_t nmemb, size_t size)
++{
++	if (nmemb && SIZE_MAX / nmemb < size) {
++		errno = ENOMEM;
++		return NULL;
++	}
++
++	return jas_malloc(nmemb * size);
++}
++
++void *jas_alloc3(size_t a, size_t b, size_t c)
+ {
+-	void *ptr;
+ 	size_t n;
+-	n = nmemb * size;
+-	if (!(ptr = jas_malloc(n * sizeof(char)))) {
+-		return 0;
++
++	if (a && SIZE_MAX / a < b) {
++		errno = ENOMEM;
++		return NULL;
+ 	}
+-	memset(ptr, 0, n);
++
++	return jas_alloc2(a*b, c);
++}
++
++void *jas_calloc(size_t nmemb, size_t size)
++{
++	void *ptr;
++
++	ptr = jas_alloc2(nmemb, size);
++	if (ptr)
++		memset(ptr, 0, nmemb*size);
+ 	return ptr;
+ }
+ 
+diff -pruN jasper-1.900.1.orig/src/libjasper/base/jas_seq.c jasper-1.900.1/src/libjasper/base/jas_seq.c
+--- jasper-1.900.1.orig/src/libjasper/base/jas_seq.c	2007-01-19 22:43:05.000000000 +0100
++++ jasper-1.900.1/src/libjasper/base/jas_seq.c	2009-10-22 10:27:45.000000000 +0200
+@@ -114,7 +114,7 @@ jas_matrix_t *jas_matrix_create(int numr
+ 	matrix->datasize_ = numrows * numcols;
+ 
+ 	if (matrix->maxrows_ > 0) {
+-		if (!(matrix->rows_ = jas_malloc(matrix->maxrows_ *
++		if (!(matrix->rows_ = jas_alloc2(matrix->maxrows_,
+ 		  sizeof(jas_seqent_t *)))) {
+ 			jas_matrix_destroy(matrix);
+ 			return 0;
+@@ -122,7 +122,7 @@ jas_matrix_t *jas_matrix_create(int numr
+ 	}
+ 
+ 	if (matrix->datasize_ > 0) {
+-		if (!(matrix->data_ = jas_malloc(matrix->datasize_ *
++		if (!(matrix->data_ = jas_alloc2(matrix->datasize_,
+ 		  sizeof(jas_seqent_t)))) {
+ 			jas_matrix_destroy(matrix);
+ 			return 0;
+@@ -220,7 +220,7 @@ void jas_matrix_bindsub(jas_matrix_t *ma
+ 	mat0->numrows_ = r1 - r0 + 1;
+ 	mat0->numcols_ = c1 - c0 + 1;
+ 	mat0->maxrows_ = mat0->numrows_;
+-	mat0->rows_ = jas_malloc(mat0->maxrows_ * sizeof(jas_seqent_t *));
++	mat0->rows_ = jas_alloc2(mat0->maxrows_, sizeof(jas_seqent_t *));
+ 	for (i = 0; i < mat0->numrows_; ++i) {
+ 		mat0->rows_[i] = mat1->rows_[r0 + i] + c0;
+ 	}
+diff -pruN jasper-1.900.1.orig/src/libjasper/base/jas_stream.c jasper-1.900.1/src/libjasper/base/jas_stream.c
+--- jasper-1.900.1.orig/src/libjasper/base/jas_stream.c	2007-01-19 22:43:05.000000000 +0100
++++ jasper-1.900.1/src/libjasper/base/jas_stream.c	2009-10-22 10:27:45.000000000 +0200
+@@ -212,7 +212,7 @@ jas_stream_t *jas_stream_memopen(char *b
+ 	if (buf) {
+ 		obj->buf_ = (unsigned char *) buf;
+ 	} else {
+-		obj->buf_ = jas_malloc(obj->bufsize_ * sizeof(char));
++		obj->buf_ = jas_malloc(obj->bufsize_);
+ 		obj->myalloc_ = 1;
+ 	}
+ 	if (!obj->buf_) {
+@@ -992,7 +992,7 @@ static int mem_resize(jas_stream_memobj_
+ 	unsigned char *buf;
+ 
+ 	assert(m->buf_);
+-	if (!(buf = jas_realloc(m->buf_, bufsize * sizeof(unsigned char)))) {
++	if (!(buf = jas_realloc(m->buf_, bufsize))) {
+ 		return -1;
+ 	}
+ 	m->buf_ = buf;
+diff -pruN jasper-1.900.1.orig/src/libjasper/bmp/bmp_dec.c jasper-1.900.1/src/libjasper/bmp/bmp_dec.c
+--- jasper-1.900.1.orig/src/libjasper/bmp/bmp_dec.c	2007-01-19 22:43:07.000000000 +0100
++++ jasper-1.900.1/src/libjasper/bmp/bmp_dec.c	2009-10-22 10:27:45.000000000 +0200
+@@ -283,7 +283,7 @@ static bmp_info_t *bmp_getinfo(jas_strea
+ 	}
+ 
+ 	if (info->numcolors > 0) {
+-		if (!(info->palents = jas_malloc(info->numcolors *
++		if (!(info->palents = jas_alloc2(info->numcolors,
+ 		  sizeof(bmp_palent_t)))) {
+ 			bmp_info_destroy(info);
+ 			return 0;
+diff -pruN jasper-1.900.1.orig/src/libjasper/include/jasper/jas_malloc.h jasper-1.900.1/src/libjasper/include/jasper/jas_malloc.h
+--- jasper-1.900.1.orig/src/libjasper/include/jasper/jas_malloc.h	2007-01-19 22:43:04.000000000 +0100
++++ jasper-1.900.1/src/libjasper/include/jasper/jas_malloc.h	2009-10-22 10:27:45.000000000 +0200
+@@ -95,6 +95,9 @@ extern "C" {
+ #define	jas_free	MEMFREE
+ #define	jas_realloc	MEMREALLOC
+ #define	jas_calloc	MEMCALLOC
++#define jas_alloc2(a, b)	MEMALLOC((a)*(b))
++#define jas_alloc3(a, b, c)	MEMALLOC((a)*(b)*(c))
++#define jas_realloc2(p, a, b)	MEMREALLOC((p), (a)*(b))
+ #endif
+ 
+ /******************************************************************************\
+@@ -115,6 +118,12 @@ void *jas_realloc(void *ptr, size_t size
+ /* Allocate a block of memory and initialize the contents to zero. */
+ void *jas_calloc(size_t nmemb, size_t size);
+ 
++/* size-checked double allocation .*/
++void *jas_alloc2(size_t, size_t);
++
++void *jas_alloc3(size_t, size_t, size_t);
++
++void *jas_realloc2(void *, size_t, size_t);
+ #endif
+ 
+ #ifdef __cplusplus
+diff -pruN jasper-1.900.1.orig/src/libjasper/jp2/jp2_cod.c jasper-1.900.1/src/libjasper/jp2/jp2_cod.c
+--- jasper-1.900.1.orig/src/libjasper/jp2/jp2_cod.c	2007-01-19 22:43:05.000000000 +0100
++++ jasper-1.900.1/src/libjasper/jp2/jp2_cod.c	2009-10-22 10:30:24.000000000 +0200
+@@ -247,7 +247,7 @@ jp2_box_t *jp2_box_get(jas_stream_t *in)
+ 	box = 0;
+ 	tmpstream = 0;
+ 
+-	if (!(box = jas_malloc(sizeof(jp2_box_t)))) {
++	if (!(box = jas_calloc(1, sizeof(jp2_box_t)))) {
+ 		goto error;
+ 	}
+ 	box->ops = &jp2_boxinfo_unk.ops;
+@@ -372,7 +372,7 @@ static int jp2_bpcc_getdata(jp2_box_t *b
+ 	jp2_bpcc_t *bpcc = &box->data.bpcc;
+ 	unsigned int i;
+ 	bpcc->numcmpts = box->datalen;
+-	if (!(bpcc->bpcs = jas_malloc(bpcc->numcmpts * sizeof(uint_fast8_t)))) {
++	if (!(bpcc->bpcs = jas_alloc2(bpcc->numcmpts, sizeof(uint_fast8_t)))) {
+ 		return -1;
+ 	}
+ 	for (i = 0; i < bpcc->numcmpts; ++i) {
+@@ -416,7 +416,7 @@ static int jp2_colr_getdata(jp2_box_t *b
+ 		break;
+ 	case JP2_COLR_ICC:
+ 		colr->iccplen = box->datalen - 3;
+-		if (!(colr->iccp = jas_malloc(colr->iccplen * sizeof(uint_fast8_t)))) {
++		if (!(colr->iccp = jas_alloc2(colr->iccplen, sizeof(uint_fast8_t)))) {
+ 			return -1;
+ 		}
+ 		if (jas_stream_read(in, colr->iccp, colr->iccplen) != colr->iccplen) {
+@@ -453,7 +453,7 @@ static int jp2_cdef_getdata(jp2_box_t *b
+ 	if (jp2_getuint16(in, &cdef->numchans)) {
+ 		return -1;
+ 	}
+-	if (!(cdef->ents = jas_malloc(cdef->numchans * sizeof(jp2_cdefchan_t)))) {
++	if (!(cdef->ents = jas_alloc2(cdef->numchans, sizeof(jp2_cdefchan_t)))) {
+ 		return -1;
+ 	}
+ 	for (channo = 0; channo < cdef->numchans; ++channo) {
+@@ -766,7 +766,7 @@ static int jp2_cmap_getdata(jp2_box_t *b
+ 	unsigned int i;
+ 
+ 	cmap->numchans = (box->datalen) / 4;
+-	if (!(cmap->ents = jas_malloc(cmap->numchans * sizeof(jp2_cmapent_t)))) {
++	if (!(cmap->ents = jas_alloc2(cmap->numchans, sizeof(jp2_cmapent_t)))) {
+ 		return -1;
+ 	}
+ 	for (i = 0; i < cmap->numchans; ++i) {
+@@ -828,10 +828,10 @@ static int jp2_pclr_getdata(jp2_box_t *b
+ 		return -1;
+ 	}
+ 	lutsize = pclr->numlutents * pclr->numchans;
+-	if (!(pclr->lutdata = jas_malloc(lutsize * sizeof(int_fast32_t)))) {
++	if (!(pclr->lutdata = jas_alloc2(lutsize, sizeof(int_fast32_t)))) {
+ 		return -1;
+ 	}
+-	if (!(pclr->bpc = jas_malloc(pclr->numchans * sizeof(uint_fast8_t)))) {
++	if (!(pclr->bpc = jas_alloc2(pclr->numchans, sizeof(uint_fast8_t)))) {
+ 		return -1;
+ 	}
+ 	for (i = 0; i < pclr->numchans; ++i) {
+diff -pruN jasper-1.900.1.orig/src/libjasper/jp2/jp2_dec.c jasper-1.900.1/src/libjasper/jp2/jp2_dec.c
+--- jasper-1.900.1.orig/src/libjasper/jp2/jp2_dec.c	2007-01-19 22:43:05.000000000 +0100
++++ jasper-1.900.1/src/libjasper/jp2/jp2_dec.c	2009-10-22 10:27:45.000000000 +0200
+@@ -336,7 +336,7 @@ jas_image_t *jp2_decode(jas_stream_t *in
+ 	}
+ 
+ 	/* Allocate space for the channel-number to component-number LUT. */
+-	if (!(dec->chantocmptlut = jas_malloc(dec->numchans * sizeof(uint_fast16_t)))) {
++	if (!(dec->chantocmptlut = jas_alloc2(dec->numchans, sizeof(uint_fast16_t)))) {
+ 		jas_eprintf("error: no memory\n");
+ 		goto error;
+ 	}
+@@ -354,7 +354,7 @@ jas_image_t *jp2_decode(jas_stream_t *in
+ 			if (cmapent->map == JP2_CMAP_DIRECT) {
+ 				dec->chantocmptlut[channo] = channo;
+ 			} else if (cmapent->map == JP2_CMAP_PALETTE) {
+-				lutents = jas_malloc(pclrd->numlutents * sizeof(int_fast32_t));
++				lutents = jas_alloc2(pclrd->numlutents, sizeof(int_fast32_t));
+ 				for (i = 0; i < pclrd->numlutents; ++i) {
+ 					lutents[i] = pclrd->lutdata[cmapent->pcol + i * pclrd->numchans];
+ 				}
+diff -pruN jasper-1.900.1.orig/src/libjasper/jp2/jp2_enc.c jasper-1.900.1/src/libjasper/jp2/jp2_enc.c
+--- jasper-1.900.1.orig/src/libjasper/jp2/jp2_enc.c	2007-01-19 22:43:05.000000000 +0100
++++ jasper-1.900.1/src/libjasper/jp2/jp2_enc.c	2009-10-22 10:27:45.000000000 +0200
+@@ -191,7 +191,7 @@ int sgnd;
+ 		}
+ 		bpcc = &box->data.bpcc;
+ 		bpcc->numcmpts = jas_image_numcmpts(image);
+-		if (!(bpcc->bpcs = jas_malloc(bpcc->numcmpts *
++		if (!(bpcc->bpcs = jas_alloc2(bpcc->numcmpts,
+ 		  sizeof(uint_fast8_t)))) {
+ 			goto error;
+ 		}
+@@ -285,7 +285,7 @@ int sgnd;
+ 		}
+ 		cdef = &box->data.cdef;
+ 		cdef->numchans = jas_image_numcmpts(image);
+-		cdef->ents = jas_malloc(cdef->numchans * sizeof(jp2_cdefchan_t));
++		cdef->ents = jas_alloc2(cdef->numchans, sizeof(jp2_cdefchan_t));
+ 		for (i = 0; i < jas_image_numcmpts(image); ++i) {
+ 			cdefchanent = &cdef->ents[i];
+ 			cdefchanent->channo = i;
+diff -pruN jasper-1.900.1.orig/src/libjasper/jpc/jpc_cs.c jasper-1.900.1/src/libjasper/jpc/jpc_cs.c
+--- jasper-1.900.1.orig/src/libjasper/jpc/jpc_cs.c	2009-10-22 09:58:16.000000000 +0200
++++ jasper-1.900.1/src/libjasper/jpc/jpc_cs.c	2009-10-22 10:27:45.000000000 +0200
+@@ -502,7 +502,7 @@ static int jpc_siz_getparms(jpc_ms_t *ms
+ 	  !siz->tileheight || !siz->numcomps) {
+ 		return -1;
+ 	}
+-	if (!(siz->comps = jas_malloc(siz->numcomps * sizeof(jpc_sizcomp_t)))) {
++	if (!(siz->comps = jas_alloc2(siz->numcomps, sizeof(jpc_sizcomp_t)))) {
+ 		return -1;
+ 	}
+ 	for (i = 0; i < siz->numcomps; ++i) {
+@@ -986,7 +986,7 @@ static int jpc_qcx_getcompparms(jpc_qcxc
+ 		jpc_qcx_destroycompparms(compparms);
+                 return -1;
+         } else if (compparms->numstepsizes > 0) {
+-		compparms->stepsizes = jas_malloc(compparms->numstepsizes *
++		compparms->stepsizes = jas_alloc2(compparms->numstepsizes,
+ 		  sizeof(uint_fast16_t));
+ 		assert(compparms->stepsizes);
+ 		for (i = 0; i < compparms->numstepsizes; ++i) {
+@@ -1094,7 +1094,7 @@ static int jpc_ppm_getparms(jpc_ms_t *ms
+ 
+ 	ppm->len = ms->len - 1;
+ 	if (ppm->len > 0) {
+-		if (!(ppm->data = jas_malloc(ppm->len * sizeof(unsigned char)))) {
++		if (!(ppm->data = jas_malloc(ppm->len))) {
+ 			goto error;
+ 		}
+ 		if (JAS_CAST(uint, jas_stream_read(in, ppm->data, ppm->len)) != ppm->len) {
+@@ -1163,7 +1163,7 @@ static int jpc_ppt_getparms(jpc_ms_t *ms
+ 	}
+ 	ppt->len = ms->len - 1;
+ 	if (ppt->len > 0) {
+-		if (!(ppt->data = jas_malloc(ppt->len * sizeof(unsigned char)))) {
++		if (!(ppt->data = jas_malloc(ppt->len))) {
+ 			goto error;
+ 		}
+ 		if (jas_stream_read(in, (char *) ppt->data, ppt->len) != JAS_CAST(int, ppt->len)) {
+@@ -1226,7 +1226,7 @@ static int jpc_poc_getparms(jpc_ms_t *ms
+ 	uint_fast8_t tmp;
+ 	poc->numpchgs = (cstate->numcomps > 256) ? (ms->len / 9) :
+ 	  (ms->len / 7);
+-	if (!(poc->pchgs = jas_malloc(poc->numpchgs * sizeof(jpc_pocpchg_t)))) {
++	if (!(poc->pchgs = jas_alloc2(poc->numpchgs, sizeof(jpc_pocpchg_t)))) {
+ 		goto error;
+ 	}
+ 	for (pchgno = 0, pchg = poc->pchgs; pchgno < poc->numpchgs; ++pchgno,
+@@ -1331,7 +1331,7 @@ static int jpc_crg_getparms(jpc_ms_t *ms
+ 	jpc_crgcomp_t *comp;
+ 	uint_fast16_t compno;
+ 	crg->numcomps = cstate->numcomps;
+-	if (!(crg->comps = jas_malloc(cstate->numcomps * sizeof(uint_fast16_t)))) {
++	if (!(crg->comps = jas_alloc2(cstate->numcomps, sizeof(uint_fast16_t)))) {
+ 		return -1;
+ 	}
+ 	for (compno = 0, comp = crg->comps; compno < cstate->numcomps;
+@@ -1470,7 +1470,7 @@ static int jpc_unk_getparms(jpc_ms_t *ms
+ 	cstate = 0;
+ 
+ 	if (ms->len > 0) {
+-		if (!(unk->data = jas_malloc(ms->len * sizeof(unsigned char)))) {
++		if (!(unk->data = jas_malloc(ms->len))) {
+ 			return -1;
+ 		}
+ 		if (jas_stream_read(in, (char *) unk->data, ms->len) != JAS_CAST(int, ms->len)) {
+diff -pruN jasper-1.900.1.orig/src/libjasper/jpc/jpc_dec.c jasper-1.900.1/src/libjasper/jpc/jpc_dec.c
+--- jasper-1.900.1.orig/src/libjasper/jpc/jpc_dec.c	2009-10-22 09:58:16.000000000 +0200
++++ jasper-1.900.1/src/libjasper/jpc/jpc_dec.c	2009-10-22 10:30:50.000000000 +0200
+@@ -449,7 +449,7 @@ static int jpc_dec_process_sot(jpc_dec_t
+ 
+ 	if (dec->state == JPC_MH) {
+ 
+-		compinfos = jas_malloc(dec->numcomps * sizeof(jas_image_cmptparm_t));
++		compinfos = jas_alloc2(dec->numcomps, sizeof(jas_image_cmptparm_t));
+ 		assert(compinfos);
+ 		for (cmptno = 0, cmpt = dec->cmpts, compinfo = compinfos;
+ 		  cmptno < dec->numcomps; ++cmptno, ++cmpt, ++compinfo) {
+@@ -692,7 +692,7 @@ static int jpc_dec_tileinit(jpc_dec_t *d
+ 			tile->realmode = 1;
+ 		}
+ 		tcomp->numrlvls = ccp->numrlvls;
+-		if (!(tcomp->rlvls = jas_malloc(tcomp->numrlvls *
++		if (!(tcomp->rlvls = jas_alloc2(tcomp->numrlvls,
+ 		  sizeof(jpc_dec_rlvl_t)))) {
+ 			return -1;
+ 		}
+@@ -764,7 +764,7 @@ rlvl->bands = 0;
+ 			  rlvl->cbgheightexpn);
+ 
+ 			rlvl->numbands = (!rlvlno) ? 1 : 3;
+-			if (!(rlvl->bands = jas_malloc(rlvl->numbands *
++			if (!(rlvl->bands = jas_alloc2(rlvl->numbands,
+ 			  sizeof(jpc_dec_band_t)))) {
+ 				return -1;
+ 			}
+@@ -797,7 +797,7 @@ rlvl->bands = 0;
+ 
+ 				assert(rlvl->numprcs);
+ 
+-				if (!(band->prcs = jas_malloc(rlvl->numprcs * sizeof(jpc_dec_prc_t)))) {
++				if (!(band->prcs = jas_alloc2(rlvl->numprcs, sizeof(jpc_dec_prc_t)))) {
+ 					return -1;
+ 				}
+ 
+@@ -834,7 +834,7 @@ rlvl->bands = 0;
+ 			if (!(prc->numimsbstagtree = jpc_tagtree_create(prc->numhcblks, prc->numvcblks))) {
+ 				return -1;
+ 			}
+-			if (!(prc->cblks = jas_malloc(prc->numcblks * sizeof(jpc_dec_cblk_t)))) {
++			if (!(prc->cblks = jas_alloc2(prc->numcblks, sizeof(jpc_dec_cblk_t)))) {
+ 				return -1;
+ 			}
+ 
+@@ -1181,7 +1181,7 @@ static int jpc_dec_process_siz(jpc_dec_t
+ 		return -1;
+ 	}
+ 
+-	if (!(dec->cmpts = jas_malloc(dec->numcomps * sizeof(jpc_dec_cmpt_t)))) {
++	if (!(dec->cmpts = jas_alloc2(dec->numcomps, sizeof(jpc_dec_cmpt_t)))) {
+ 		return -1;
+ 	}
+ 
+@@ -1204,7 +1204,7 @@ static int jpc_dec_process_siz(jpc_dec_t
+ 	dec->numhtiles = JPC_CEILDIV(dec->xend - dec->tilexoff, dec->tilewidth);
+ 	dec->numvtiles = JPC_CEILDIV(dec->yend - dec->tileyoff, dec->tileheight);
+ 	dec->numtiles = dec->numhtiles * dec->numvtiles;
+-	if (!(dec->tiles = jas_malloc(dec->numtiles * sizeof(jpc_dec_tile_t)))) {
++	if (!(dec->tiles = jas_calloc(dec->numtiles, sizeof(jpc_dec_tile_t)))) {
+ 		return -1;
+ 	}
+ 
+@@ -1228,7 +1228,7 @@ static int jpc_dec_process_siz(jpc_dec_t
+ 		tile->pkthdrstreampos = 0;
+ 		tile->pptstab = 0;
+ 		tile->cp = 0;
+-		if (!(tile->tcomps = jas_malloc(dec->numcomps *
++		if (!(tile->tcomps = jas_calloc(dec->numcomps,
+ 		  sizeof(jpc_dec_tcomp_t)))) {
+ 			return -1;
+ 		}
+@@ -1489,7 +1489,7 @@ static jpc_dec_cp_t *jpc_dec_cp_create(u
+ 	cp->numlyrs = 0;
+ 	cp->mctid = 0;
+ 	cp->csty = 0;
+-	if (!(cp->ccps = jas_malloc(cp->numcomps * sizeof(jpc_dec_ccp_t)))) {
++	if (!(cp->ccps = jas_alloc2(cp->numcomps, sizeof(jpc_dec_ccp_t)))) {
+ 		return 0;
+ 	}
+ 	if (!(cp->pchglist = jpc_pchglist_create())) {
+@@ -2048,7 +2048,7 @@ jpc_streamlist_t *jpc_streamlist_create(
+ 	}
+ 	streamlist->numstreams = 0;
+ 	streamlist->maxstreams = 100;
+-	if (!(streamlist->streams = jas_malloc(streamlist->maxstreams *
++	if (!(streamlist->streams = jas_alloc2(streamlist->maxstreams,
+ 	  sizeof(jas_stream_t *)))) {
+ 		jas_free(streamlist);
+ 		return 0;
+@@ -2068,8 +2068,8 @@ int jpc_streamlist_insert(jpc_streamlist
+ 	/* Grow the array of streams if necessary. */
+ 	if (streamlist->numstreams >= streamlist->maxstreams) {
+ 		newmaxstreams = streamlist->maxstreams + 1024;
+-		if (!(newstreams = jas_realloc(streamlist->streams,
+-		  (newmaxstreams + 1024) * sizeof(jas_stream_t *)))) {
++		if (!(newstreams = jas_realloc2(streamlist->streams,
++		  (newmaxstreams + 1024), sizeof(jas_stream_t *)))) {
+ 			return -1;
+ 		}
+ 		for (i = streamlist->numstreams; i < streamlist->maxstreams; ++i) {
+@@ -2155,8 +2155,7 @@ int jpc_ppxstab_grow(jpc_ppxstab_t *tab,
+ {
+ 	jpc_ppxstabent_t **newents;
+ 	if (tab->maxents < maxents) {
+-		newents = (tab->ents) ? jas_realloc(tab->ents, maxents *
+-		  sizeof(jpc_ppxstabent_t *)) : jas_malloc(maxents * sizeof(jpc_ppxstabent_t *));
++		newents = jas_realloc2(tab->ents, maxents, sizeof(jpc_ppxstabent_t *));
+ 		if (!newents) {
+ 			return -1;
+ 		}
+diff -pruN jasper-1.900.1.orig/src/libjasper/jpc/jpc_enc.c jasper-1.900.1/src/libjasper/jpc/jpc_enc.c
+--- jasper-1.900.1.orig/src/libjasper/jpc/jpc_enc.c	2007-01-19 22:43:07.000000000 +0100
++++ jasper-1.900.1/src/libjasper/jpc/jpc_enc.c	2009-10-22 10:27:45.000000000 +0200
+@@ -403,7 +403,7 @@ static jpc_enc_cp_t *cp_create(char *opt
+ 		vsteplcm *= jas_image_cmptvstep(image, cmptno);
+ 	}
+ 
+-	if (!(cp->ccps = jas_malloc(cp->numcmpts * sizeof(jpc_enc_ccp_t)))) {
++	if (!(cp->ccps = jas_alloc2(cp->numcmpts, sizeof(jpc_enc_ccp_t)))) {
+ 		goto error;
+ 	}
+ 	for (cmptno = 0, ccp = cp->ccps; cmptno < JAS_CAST(int, cp->numcmpts); ++cmptno,
+@@ -656,7 +656,7 @@ static jpc_enc_cp_t *cp_create(char *opt
+ 
+ 	if (ilyrrates && numilyrrates > 0) {
+ 		tcp->numlyrs = numilyrrates + 1;
+-		if (!(tcp->ilyrrates = jas_malloc((tcp->numlyrs - 1) *
++		if (!(tcp->ilyrrates = jas_alloc2((tcp->numlyrs - 1),
+ 		  sizeof(jpc_fix_t)))) {
+ 			goto error;
+ 		}
+@@ -940,7 +940,7 @@ startoff = jas_stream_getrwcount(enc->ou
+ 	siz->tilewidth = cp->tilewidth;
+ 	siz->tileheight = cp->tileheight;
+ 	siz->numcomps = cp->numcmpts;
+-	siz->comps = jas_malloc(siz->numcomps * sizeof(jpc_sizcomp_t));
++	siz->comps = jas_alloc2(siz->numcomps, sizeof(jpc_sizcomp_t));
+ 	assert(siz->comps);
+ 	for (i = 0; i < JAS_CAST(int, cp->numcmpts); ++i) {
+ 		siz->comps[i].prec = cp->ccps[i].prec;
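Review bot: `assert(siz->comps)` remains the only check on the jas_alloc2 result, and assert is compiled out under NDEBUG, so a NULL return would be dereferenced by the loop that follows. The hardening makes this more relevant, on the assumption that jas_alloc2 returns NULL when the size product would overflow. An explicit check such as `if (!siz->comps) { return -1; }` would match the `return -1` error style visible in the next hunk. That next hunk assigns `crg->comps` from jas_alloc2 with no check at all before jpc_putms is called, and the jpc_t1enc.c hunk in jpc_enc_enccblk relies on `assert(cblk->passes)` in the same way. The enclosing functions start and end outside these hunks.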
+@@ -977,7 +977,7 @@ startoff = jas_stream_getrwcount(enc->ou
+ 		return -1;
+ 	}
+ 	crg = &enc->mrk->parms.crg;
+-	crg->comps = jas_malloc(crg->numcomps * sizeof(jpc_crgcomp_t));
++	crg->comps = jas_alloc2(crg->numcomps, sizeof(jpc_crgcomp_t));
+ 	if (jpc_putms(enc->out, enc->cstate, enc->mrk)) {
+ 		jas_eprintf("cannot write CRG marker\n");
+ 		return -1;
+@@ -1955,7 +1955,7 @@ jpc_enc_tile_t *jpc_enc_tile_create(jpc_
+ 	tile->mctid = cp->tcp.mctid;
+ 
+ 	tile->numlyrs = cp->tcp.numlyrs;
+-	if (!(tile->lyrsizes = jas_malloc(tile->numlyrs *
++	if (!(tile->lyrsizes = jas_alloc2(tile->numlyrs,
+ 	  sizeof(uint_fast32_t)))) {
+ 		goto error;
+ 	}
+@@ -1964,7 +1964,7 @@ jpc_enc_tile_t *jpc_enc_tile_create(jpc_
+ 	}
+ 
+ 	/* Allocate an array for the per-tile-component information. */
+-	if (!(tile->tcmpts = jas_malloc(cp->numcmpts * sizeof(jpc_enc_tcmpt_t)))) {
++	if (!(tile->tcmpts = jas_alloc2(cp->numcmpts, sizeof(jpc_enc_tcmpt_t)))) {
+ 		goto error;
+ 	}
+ 	/* Initialize a few members critical for error recovery. */
+@@ -2110,7 +2110,7 @@ static jpc_enc_tcmpt_t *tcmpt_create(jpc
+ 	  jas_seq2d_ystart(tcmpt->data), jas_seq2d_xend(tcmpt->data),
+ 	  jas_seq2d_yend(tcmpt->data), bandinfos);
+ 
+-	if (!(tcmpt->rlvls = jas_malloc(tcmpt->numrlvls * sizeof(jpc_enc_rlvl_t)))) {
++	if (!(tcmpt->rlvls = jas_alloc2(tcmpt->numrlvls, sizeof(jpc_enc_rlvl_t)))) {
+ 		goto error;
+ 	}
+ 	for (rlvlno = 0, rlvl = tcmpt->rlvls; rlvlno < tcmpt->numrlvls;
+@@ -2213,7 +2213,7 @@ static jpc_enc_rlvl_t *rlvl_create(jpc_e
+ 	rlvl->numvprcs = JPC_FLOORDIVPOW2(brprcbry - tlprctly, rlvl->prcheightexpn);
+ 	rlvl->numprcs = rlvl->numhprcs * rlvl->numvprcs;
+ 
+-	if (!(rlvl->bands = jas_malloc(rlvl->numbands * sizeof(jpc_enc_band_t)))) {
++	if (!(rlvl->bands = jas_alloc2(rlvl->numbands, sizeof(jpc_enc_band_t)))) {
+ 		goto error;
+ 	}
+ 	for (bandno = 0, band = rlvl->bands; bandno < rlvl->numbands;
+@@ -2290,7 +2290,7 @@ if (bandinfo->xstart != bandinfo->xend &
+ 	band->synweight = bandinfo->synenergywt;
+ 
+ if (band->data) {
+-	if (!(band->prcs = jas_malloc(rlvl->numprcs * sizeof(jpc_enc_prc_t)))) {
++	if (!(band->prcs = jas_alloc2(rlvl->numprcs, sizeof(jpc_enc_prc_t)))) {
+ 		goto error;
+ 	}
+ 	for (prcno = 0, prc = band->prcs; prcno < rlvl->numprcs; ++prcno,
+@@ -2422,7 +2422,7 @@ if (!rlvlno) {
+ 			goto error;
+ 		}
+ 
+-		if (!(prc->cblks = jas_malloc(prc->numcblks * sizeof(jpc_enc_cblk_t)))) {
++		if (!(prc->cblks = jas_alloc2(prc->numcblks, sizeof(jpc_enc_cblk_t)))) {
+ 			goto error;
+ 		}
+ 		for (cblkno = 0, cblk = prc->cblks; cblkno < prc->numcblks;
+diff -pruN jasper-1.900.1.orig/src/libjasper/jpc/jpc_mqdec.c jasper-1.900.1/src/libjasper/jpc/jpc_mqdec.c
+--- jasper-1.900.1.orig/src/libjasper/jpc/jpc_mqdec.c	2007-01-19 22:43:07.000000000 +0100
++++ jasper-1.900.1/src/libjasper/jpc/jpc_mqdec.c	2009-10-22 10:27:45.000000000 +0200
+@@ -118,7 +118,7 @@ jpc_mqdec_t *jpc_mqdec_create(int maxctx
+ 	mqdec->in = in;
+ 	mqdec->maxctxs = maxctxs;
+ 	/* Allocate memory for the per-context state information. */
+-	if (!(mqdec->ctxs = jas_malloc(mqdec->maxctxs * sizeof(jpc_mqstate_t *)))) {
++	if (!(mqdec->ctxs = jas_alloc2(mqdec->maxctxs, sizeof(jpc_mqstate_t *)))) {
+ 		goto error;
+ 	}
+ 	/* Set the current context to the first context. */
+diff -pruN jasper-1.900.1.orig/src/libjasper/jpc/jpc_mqenc.c jasper-1.900.1/src/libjasper/jpc/jpc_mqenc.c
+--- jasper-1.900.1.orig/src/libjasper/jpc/jpc_mqenc.c	2007-01-19 22:43:07.000000000 +0100
++++ jasper-1.900.1/src/libjasper/jpc/jpc_mqenc.c	2009-10-22 10:27:45.000000000 +0200
+@@ -197,7 +197,7 @@ jpc_mqenc_t *jpc_mqenc_create(int maxctx
+ 	mqenc->maxctxs = maxctxs;
+ 
+ 	/* Allocate memory for the per-context state information. */
+-	if (!(mqenc->ctxs = jas_malloc(mqenc->maxctxs * sizeof(jpc_mqstate_t *)))) {
++	if (!(mqenc->ctxs = jas_alloc2(mqenc->maxctxs, sizeof(jpc_mqstate_t *)))) {
+ 		goto error;
+ 	}
+ 
+diff -pruN jasper-1.900.1.orig/src/libjasper/jpc/jpc_qmfb.c jasper-1.900.1/src/libjasper/jpc/jpc_qmfb.c
+--- jasper-1.900.1.orig/src/libjasper/jpc/jpc_qmfb.c	2007-01-19 22:43:07.000000000 +0100
++++ jasper-1.900.1/src/libjasper/jpc/jpc_qmfb.c	2009-10-22 10:27:45.000000000 +0200
+@@ -321,7 +321,7 @@ void jpc_qmfb_split_row(jpc_fix_t *a, in
+ #if !defined(HAVE_VLA)
+ 	/* Get a buffer. */
+ 	if (bufsize > QMFB_SPLITBUFSIZE) {
+-		if (!(buf = jas_malloc(bufsize * sizeof(jpc_fix_t)))) {
++		if (!(buf = jas_alloc2(bufsize, sizeof(jpc_fix_t)))) {
+ 			/* We have no choice but to commit suicide in this case. */
+ 			abort();
+ 		}
+@@ -389,7 +389,7 @@ void jpc_qmfb_split_col(jpc_fix_t *a, in
+ #if !defined(HAVE_VLA)
+ 	/* Get a buffer. */
+ 	if (bufsize > QMFB_SPLITBUFSIZE) {
+-		if (!(buf = jas_malloc(bufsize * sizeof(jpc_fix_t)))) {
++		if (!(buf = jas_alloc2(bufsize, sizeof(jpc_fix_t)))) {
+ 			/* We have no choice but to commit suicide in this case. */
+ 			abort();
+ 		}
+@@ -460,7 +460,7 @@ void jpc_qmfb_split_colgrp(jpc_fix_t *a,
+ #if !defined(HAVE_VLA)
+ 	/* Get a buffer. */
+ 	if (bufsize > QMFB_SPLITBUFSIZE) {
+-		if (!(buf = jas_malloc(bufsize * sizeof(jpc_fix_t)))) {
++		if (!(buf = jas_alloc2(bufsize, sizeof(jpc_fix_t)))) {
+ 			/* We have no choice but to commit suicide in this case. */
+ 			abort();
+ 		}
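Review bot: The heap buffer in jpc_qmfb_split_colgrp is sized as `bufsize` elements only, and the jpc_qmfb_split_colres hunk below does the same. Their join counterparts further down allocate `bufsize * JPC_QMFB_COLGRPSIZE` and `bufsize * numcols` elements. If the split routines store one entry per column per row, as the join routines' sizing suggests, the heap path is undersized and the hardening has carried that over unchanged. The matching calls would be `jas_alloc3(bufsize, JPC_QMFB_COLGRPSIZE, sizeof(jpc_fix_t))` here and `jas_alloc3(bufsize, numcols, sizeof(jpc_fix_t))` in split_colres, assuming it takes the same `numcols` parameter as join_colres. The code that indexes `buf` is outside these hunks, so this should be checked against the full functions.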
+@@ -549,7 +549,7 @@ void jpc_qmfb_split_colres(jpc_fix_t *a,
+ #if !defined(HAVE_VLA)
+ 	/* Get a buffer. */
+ 	if (bufsize > QMFB_SPLITBUFSIZE) {
+-		if (!(buf = jas_malloc(bufsize * sizeof(jpc_fix_t)))) {
++		if (!(buf = jas_alloc2(bufsize, sizeof(jpc_fix_t)))) {
+ 			/* We have no choice but to commit suicide in this case. */
+ 			abort();
+ 		}
+@@ -633,7 +633,7 @@ void jpc_qmfb_join_row(jpc_fix_t *a, int
+ #if !defined(HAVE_VLA)
+ 	/* Allocate memory for the join buffer from the heap. */
+ 	if (bufsize > QMFB_JOINBUFSIZE) {
+-		if (!(buf = jas_malloc(bufsize * sizeof(jpc_fix_t)))) {
++		if (!(buf = jas_alloc2(bufsize, sizeof(jpc_fix_t)))) {
+ 			/* We have no choice but to commit suicide. */
+ 			abort();
+ 		}
+@@ -698,7 +698,7 @@ void jpc_qmfb_join_col(jpc_fix_t *a, int
+ #if !defined(HAVE_VLA)
+ 	/* Allocate memory for the join buffer from the heap. */
+ 	if (bufsize > QMFB_JOINBUFSIZE) {
+-		if (!(buf = jas_malloc(bufsize * sizeof(jpc_fix_t)))) {
++		if (!(buf = jas_alloc2(bufsize, sizeof(jpc_fix_t)))) {
+ 			/* We have no choice but to commit suicide. */
+ 			abort();
+ 		}
+@@ -766,7 +766,7 @@ void jpc_qmfb_join_colgrp(jpc_fix_t *a, 
+ #if !defined(HAVE_VLA)
+ 	/* Allocate memory for the join buffer from the heap. */
+ 	if (bufsize > QMFB_JOINBUFSIZE) {
+-		if (!(buf = jas_malloc(bufsize * JPC_QMFB_COLGRPSIZE * sizeof(jpc_fix_t)))) {
++		if (!(buf = jas_alloc2(bufsize, JPC_QMFB_COLGRPSIZE * sizeof(jpc_fix_t)))) {
+ 			/* We have no choice but to commit suicide. */
+ 			abort();
+ 		}
+@@ -852,7 +852,7 @@ void jpc_qmfb_join_colres(jpc_fix_t *a, 
+ #if !defined(HAVE_VLA)
+ 	/* Allocate memory for the join buffer from the heap. */
+ 	if (bufsize > QMFB_JOINBUFSIZE) {
+-		if (!(buf = jas_malloc(bufsize * numcols * sizeof(jpc_fix_t)))) {
++		if (!(buf = jas_alloc3(bufsize, numcols, sizeof(jpc_fix_t)))) {
+ 			/* We have no choice but to commit suicide. */
+ 			abort();
+ 		}
+diff -pruN jasper-1.900.1.orig/src/libjasper/jpc/jpc_t1enc.c jasper-1.900.1/src/libjasper/jpc/jpc_t1enc.c
+--- jasper-1.900.1.orig/src/libjasper/jpc/jpc_t1enc.c	2007-01-19 22:43:07.000000000 +0100
++++ jasper-1.900.1/src/libjasper/jpc/jpc_t1enc.c	2009-10-22 10:27:45.000000000 +0200
+@@ -219,7 +219,7 @@ int jpc_enc_enccblk(jpc_enc_t *enc, jas_
+ 
+ 	cblk->numpasses = (cblk->numbps > 0) ? (3 * cblk->numbps - 2) : 0;
+ 	if (cblk->numpasses > 0) {
+-		cblk->passes = jas_malloc(cblk->numpasses * sizeof(jpc_enc_pass_t));
++		cblk->passes = jas_alloc2(cblk->numpasses, sizeof(jpc_enc_pass_t));
+ 		assert(cblk->passes);
+ 	} else {
+ 		cblk->passes = 0;
+diff -pruN jasper-1.900.1.orig/src/libjasper/jpc/jpc_t2cod.c jasper-1.900.1/src/libjasper/jpc/jpc_t2cod.c
+--- jasper-1.900.1.orig/src/libjasper/jpc/jpc_t2cod.c	2007-01-19 22:43:07.000000000 +0100
++++ jasper-1.900.1/src/libjasper/jpc/jpc_t2cod.c	2009-10-22 10:27:45.000000000 +0200
+@@ -573,7 +573,7 @@ int jpc_pchglist_insert(jpc_pchglist_t *
+ 	}
+ 	if (pchglist->numpchgs >= pchglist->maxpchgs) {
+ 		newmaxpchgs = pchglist->maxpchgs + 128;
+-		if (!(newpchgs = jas_realloc(pchglist->pchgs, newmaxpchgs * sizeof(jpc_pchg_t *)))) {
++		if (!(newpchgs = jas_realloc2(pchglist->pchgs, newmaxpchgs, sizeof(jpc_pchg_t *)))) {
+ 			return -1;
+ 		}
+ 		pchglist->maxpchgs = newmaxpchgs;
+diff -pruN jasper-1.900.1.orig/src/libjasper/jpc/jpc_t2dec.c jasper-1.900.1/src/libjasper/jpc/jpc_t2dec.c
+--- jasper-1.900.1.orig/src/libjasper/jpc/jpc_t2dec.c	2007-01-19 22:43:07.000000000 +0100
++++ jasper-1.900.1/src/libjasper/jpc/jpc_t2dec.c	2009-10-22 10:27:45.000000000 +0200
+@@ -478,7 +478,7 @@ jpc_pi_t *jpc_dec_pi_create(jpc_dec_t *d
+ 		return 0;
+ 	}
+ 	pi->numcomps = dec->numcomps;
+-	if (!(pi->picomps = jas_malloc(pi->numcomps * sizeof(jpc_picomp_t)))) {
++	if (!(pi->picomps = jas_alloc2(pi->numcomps, sizeof(jpc_picomp_t)))) {
+ 		jpc_pi_destroy(pi);
+ 		return 0;
+ 	}
+@@ -490,7 +490,7 @@ jpc_pi_t *jpc_dec_pi_create(jpc_dec_t *d
+ 	for (compno = 0, tcomp = tile->tcomps, picomp = pi->picomps;
+ 	  compno < pi->numcomps; ++compno, ++tcomp, ++picomp) {
+ 		picomp->numrlvls = tcomp->numrlvls;
+-		if (!(picomp->pirlvls = jas_malloc(picomp->numrlvls *
++		if (!(picomp->pirlvls = jas_alloc2(picomp->numrlvls,
+ 		  sizeof(jpc_pirlvl_t)))) {
+ 			jpc_pi_destroy(pi);
+ 			return 0;
+@@ -503,7 +503,7 @@ jpc_pi_t *jpc_dec_pi_create(jpc_dec_t *d
+ 		  rlvlno < picomp->numrlvls; ++rlvlno, ++pirlvl, ++rlvl) {
+ /* XXX sizeof(long) should be sizeof different type */
+ 			pirlvl->numprcs = rlvl->numprcs;
+-			if (!(pirlvl->prclyrnos = jas_malloc(pirlvl->numprcs *
++			if (!(pirlvl->prclyrnos = jas_alloc2(pirlvl->numprcs,
+ 			  sizeof(long)))) {
+ 				jpc_pi_destroy(pi);
+ 				return 0;
+diff -pruN jasper-1.900.1.orig/src/libjasper/jpc/jpc_t2enc.c jasper-1.900.1/src/libjasper/jpc/jpc_t2enc.c
+--- jasper-1.900.1.orig/src/libjasper/jpc/jpc_t2enc.c	2007-01-19 22:43:07.000000000 +0100
++++ jasper-1.900.1/src/libjasper/jpc/jpc_t2enc.c	2009-10-22 10:27:45.000000000 +0200
+@@ -565,7 +565,7 @@ jpc_pi_t *jpc_enc_pi_create(jpc_enc_cp_t
+ 	}
+ 	pi->pktno = -1;
+ 	pi->numcomps = cp->numcmpts;
+-	if (!(pi->picomps = jas_malloc(pi->numcomps * sizeof(jpc_picomp_t)))) {
++	if (!(pi->picomps = jas_alloc2(pi->numcomps, sizeof(jpc_picomp_t)))) {
+ 		jpc_pi_destroy(pi);
+ 		return 0;
+ 	}
+@@ -577,7 +577,7 @@ jpc_pi_t *jpc_enc_pi_create(jpc_enc_cp_t
+ 	for (compno = 0, tcomp = tile->tcmpts, picomp = pi->picomps;
+ 	  compno < pi->numcomps; ++compno, ++tcomp, ++picomp) {
+ 		picomp->numrlvls = tcomp->numrlvls;
+-		if (!(picomp->pirlvls = jas_malloc(picomp->numrlvls *
++		if (!(picomp->pirlvls = jas_alloc2(picomp->numrlvls,
+ 		  sizeof(jpc_pirlvl_t)))) {
+ 			jpc_pi_destroy(pi);
+ 			return 0;
+@@ -591,7 +591,7 @@ jpc_pi_t *jpc_enc_pi_create(jpc_enc_cp_t
+ /* XXX sizeof(long) should be sizeof different type */
+ 			pirlvl->numprcs = rlvl->numprcs;
+ 			if (rlvl->numprcs) {
+-				if (!(pirlvl->prclyrnos = jas_malloc(pirlvl->numprcs *
++				if (!(pirlvl->prclyrnos = jas_alloc2(pirlvl->numprcs,
+ 				  sizeof(long)))) {
+ 					jpc_pi_destroy(pi);
+ 					return 0;
+diff -pruN jasper-1.900.1.orig/src/libjasper/jpc/jpc_tagtree.c jasper-1.900.1/src/libjasper/jpc/jpc_tagtree.c
+--- jasper-1.900.1.orig/src/libjasper/jpc/jpc_tagtree.c	2007-01-19 22:43:07.000000000 +0100
++++ jasper-1.900.1/src/libjasper/jpc/jpc_tagtree.c	2009-10-22 10:27:45.000000000 +0200
+@@ -125,7 +125,7 @@ jpc_tagtree_t *jpc_tagtree_create(int nu
+ 		++numlvls;
+ 	} while (n > 1);
+ 
+-	if (!(tree->nodes_ = jas_malloc(tree->numnodes_ * sizeof(jpc_tagtreenode_t)))) {
++	if (!(tree->nodes_ = jas_alloc2(tree->numnodes_, sizeof(jpc_tagtreenode_t)))) {
+ 		return 0;
+ 	}
+ 
+diff -pruN jasper-1.900.1.orig/src/libjasper/jpc/jpc_util.c jasper-1.900.1/src/libjasper/jpc/jpc_util.c
+--- jasper-1.900.1.orig/src/libjasper/jpc/jpc_util.c	2007-01-19 22:43:07.000000000 +0100
++++ jasper-1.900.1/src/libjasper/jpc/jpc_util.c	2009-10-22 10:27:45.000000000 +0200
+@@ -109,7 +109,7 @@ int jpc_atoaf(char *s, int *numvalues, d
+ 	}
+ 
+ 	if (n) {
+-		if (!(vs = jas_malloc(n * sizeof(double)))) {
++		if (!(vs = jas_alloc2(n, sizeof(double)))) {
+ 			return -1;
+ 		}
+ 
+diff -pruN jasper-1.900.1.orig/src/libjasper/mif/mif_cod.c jasper-1.900.1/src/libjasper/mif/mif_cod.c
+--- jasper-1.900.1.orig/src/libjasper/mif/mif_cod.c	2007-01-19 22:43:05.000000000 +0100
++++ jasper-1.900.1/src/libjasper/mif/mif_cod.c	2009-10-22 10:27:45.000000000 +0200
+@@ -438,8 +438,7 @@ static int mif_hdr_growcmpts(mif_hdr_t *
+ 	int cmptno;
+ 	mif_cmpt_t **newcmpts;
+ 	assert(maxcmpts >= hdr->numcmpts);
+-	newcmpts = (!hdr->cmpts) ? jas_malloc(maxcmpts * sizeof(mif_cmpt_t *)) :
+-	  jas_realloc(hdr->cmpts, maxcmpts * sizeof(mif_cmpt_t *));
++	newcmpts = jas_realloc2(hdr->cmpts, maxcmpts, sizeof(mif_cmpt_t *));
+ 	if (!newcmpts) {
+ 		return -1;
+ 	}

Copied: jasper/repos/testing-i686/jasper-1.900.1-CVE-2011-4516-and-CVE-2011-4517.patch (from rev 277856, jasper/trunk/jasper-1.900.1-CVE-2011-4516-and-CVE-2011-4517.patch)
===================================================================
--- testing-i686/jasper-1.900.1-CVE-2011-4516-and-CVE-2011-4517.patch	                        (rev 0)
+++ testing-i686/jasper-1.900.1-CVE-2011-4516-and-CVE-2011-4517.patch	2016-10-06 20:50:52 UTC (rev 277857)
@@ -0,0 +1,30 @@
+Description: Fix for CVE-2011-4516 and CVE-2011-4517
+ This patch fixes a possible denial of service and code execution via
+ heap-based buffer overflows.
+Author: Michael Gilbert <michael.s.gilbert at gmail.com>
+Origin: Patch thanks to Red Hat
+
+Index: jasper-1.900.1/src/libjasper/jpc/jpc_cs.c
+===================================================================
+--- jasper-1.900.1.orig/src/libjasper/jpc/jpc_cs.c	2011-12-19 09:35:34.186909298 -0500
++++ jasper-1.900.1/src/libjasper/jpc/jpc_cs.c	2011-12-19 09:35:51.198909832 -0500
+@@ -744,6 +744,10 @@
+ 		return -1;
+ 	}
+ 	compparms->numrlvls = compparms->numdlvls + 1;
++	if (compparms->numrlvls > JPC_MAXRLVLS) {
++		jpc_cox_destroycompparms(compparms);
++		return -1;
++	}
+ 	if (prtflag) {
+ 		for (i = 0; i < compparms->numrlvls; ++i) {
+ 			if (jpc_getuint8(in, &tmp)) {
+@@ -1331,7 +1335,7 @@
+ 	jpc_crgcomp_t *comp;
+ 	uint_fast16_t compno;
+ 	crg->numcomps = cstate->numcomps;
+-	if (!(crg->comps = jas_alloc2(cstate->numcomps, sizeof(uint_fast16_t)))) {
++	if (!(crg->comps = jas_alloc2(cstate->numcomps, sizeof(jpc_crgcomp_t)))) {
+ 		return -1;
+ 	}
+ 	for (compno = 0, comp = crg->comps; compno < cstate->numcomps;
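Review bot: The element size in the corrected jas_alloc2 call is still spelled as a type name, which is how the previous `sizeof(uint_fast16_t)` came to disagree with the `jpc_crgcomp_t *` it was assigned to. Tying the size to the pointer, `jas_alloc2(cstate->numcomps, sizeof(*crg->comps))`, makes that class of mismatch impossible if the element type changes again. The first hunk's `JPC_MAXRLVLS` bound would also benefit from a one-line comment naming the fixed-size array it protects, for example `/* rlvls[] holds at most JPC_MAXRLVLS entries */`, once that is confirmed against the struct definition, which is not shown here. Neither hunk header names its function.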

Copied: jasper/repos/testing-i686/jasper-1.900.1-CVE-2014-8137.patch (from rev 277856, jasper/trunk/jasper-1.900.1-CVE-2014-8137.patch)
===================================================================
--- testing-i686/jasper-1.900.1-CVE-2014-8137.patch	                        (rev 0)
+++ testing-i686/jasper-1.900.1-CVE-2014-8137.patch	2016-10-06 20:50:52 UTC (rev 277857)
@@ -0,0 +1,43 @@
+--- jasper-1.900.1.orig/src/libjasper/base/jas_icc.c	2014-12-11 14:06:44.000000000 +0100
++++ jasper-1.900.1/src/libjasper/base/jas_icc.c	2014-12-11 15:16:37.971272386 +0100
+@@ -1009,7 +1009,6 @@ static int jas_icccurv_input(jas_iccattr
+ 	return 0;
+ 
+ error:
+-	jas_icccurv_destroy(attrval);
+ 	return -1;
+ }
+ 
+@@ -1127,7 +1126,6 @@ static int jas_icctxtdesc_input(jas_icca
+ #endif
+ 	return 0;
+ error:
+-	jas_icctxtdesc_destroy(attrval);
+ 	return -1;
+ }
+ 
+@@ -1206,8 +1204,6 @@ static int jas_icctxt_input(jas_iccattrv
+ 		goto error;
+ 	return 0;
+ error:
+-	if (txt->string)
+-		jas_free(txt->string);
+ 	return -1;
+ }
+ 
+@@ -1328,7 +1324,6 @@ static int jas_icclut8_input(jas_iccattr
+ 		goto error;
+ 	return 0;
+ error:
+-	jas_icclut8_destroy(attrval);
+ 	return -1;
+ }
+ 
+@@ -1497,7 +1492,6 @@ static int jas_icclut16_input(jas_iccatt
+ 		goto error;
+ 	return 0;
+ error:
+-	jas_icclut16_destroy(attrval);
+ 	return -1;
+ }
+ 

Copied: jasper/repos/testing-i686/jasper-1.900.1-CVE-2016-2089.patch (from rev 277856, jasper/trunk/jasper-1.900.1-CVE-2016-2089.patch)
===================================================================
--- testing-i686/jasper-1.900.1-CVE-2016-2089.patch	                        (rev 0)
+++ testing-i686/jasper-1.900.1-CVE-2016-2089.patch	2016-10-06 20:50:52 UTC (rev 277857)
@@ -0,0 +1,90 @@
+Description: CVE-2016-2089: matrix rows_ NULL pointer dereference in jas_matrix_clip()
+Origin: vendor
+Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1302636
+Bug-Debian: https://bugs.debian.org/812978
+Forwarded: not-needed
+Author: Tomas Hoger <thoger at redhat.com>
+Reviewed-by: Salvatore Bonaccorso <carnil at debian.org>
+Last-Update: 2016-03-05
+
+--- a/src/libjasper/base/jas_image.c
++++ b/src/libjasper/base/jas_image.c
+@@ -426,6 +426,10 @@ int jas_image_readcmpt(jas_image_t *imag
+ 		return -1;
+ 	}
+ 
++	if (!data->rows_) {
++		return -1;
++	}
++
+ 	if (jas_matrix_numrows(data) != height || jas_matrix_numcols(data) != width) {
+ 		if (jas_matrix_resize(data, height, width)) {
+ 			return -1;
+@@ -479,6 +483,10 @@ int jas_image_writecmpt(jas_image_t *ima
+ 		return -1;
+ 	}
+ 
++	if (!data->rows_) {
++		return -1;
++	}
++
+ 	if (jas_matrix_numrows(data) != height || jas_matrix_numcols(data) != width) {
+ 		return -1;
+ 	}
+--- a/src/libjasper/base/jas_seq.c
++++ b/src/libjasper/base/jas_seq.c
+@@ -262,6 +262,10 @@ void jas_matrix_divpow2(jas_matrix_t *ma
+ 	int rowstep;
+ 	jas_seqent_t *data;
+ 
++	if (!matrix->rows_) {
++		return;
++	}
++
+ 	rowstep = jas_matrix_rowstep(matrix);
+ 	for (i = matrix->numrows_, rowstart = matrix->rows_[0]; i > 0; --i,
+ 	  rowstart += rowstep) {
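Review bot: The `if (!matrix->rows_) return;` guard is added without a comment here and is repeated verbatim in jas_matrix_clip, jas_matrix_asr, jas_matrix_asl and jas_matrix_setall. A reader cannot tell which matrix state leaves `rows_` NULL or why doing nothing is the right answer. A short comment on each guard would record the reason, for example `/* No row table (presumably an empty matrix): nothing to process. */`, with the wording confirmed against jas_matrix_create. Because these functions return void, the early return is invisible to callers, and that is worth stating in each function's header comment. A single static helper, for example a hypothetical `jas_matrix_hasrows()`, would keep the five guards from drifting apart.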
+@@ -282,6 +286,10 @@ void jas_matrix_clip(jas_matrix_t *matri
+ 	jas_seqent_t *data;
+ 	int rowstep;
+ 
++	if (!matrix->rows_) {
++		return;
++	}
++
+ 	rowstep = jas_matrix_rowstep(matrix);
+ 	for (i = matrix->numrows_, rowstart = matrix->rows_[0]; i > 0; --i,
+ 	  rowstart += rowstep) {
+@@ -306,6 +314,10 @@ void jas_matrix_asr(jas_matrix_t *matrix
+ 	int rowstep;
+ 	jas_seqent_t *data;
+ 
++	if (!matrix->rows_) {
++		return;
++	}
++
+ 	assert(n >= 0);
+ 	rowstep = jas_matrix_rowstep(matrix);
+ 	for (i = matrix->numrows_, rowstart = matrix->rows_[0]; i > 0; --i,
+@@ -325,6 +337,10 @@ void jas_matrix_asl(jas_matrix_t *matrix
+ 	int rowstep;
+ 	jas_seqent_t *data;
+ 
++	if (!matrix->rows_) {
++		return;
++	}
++
+ 	rowstep = jas_matrix_rowstep(matrix);
+ 	for (i = matrix->numrows_, rowstart = matrix->rows_[0]; i > 0; --i,
+ 	  rowstart += rowstep) {
+@@ -367,6 +383,10 @@ void jas_matrix_setall(jas_matrix_t *mat
+ 	int rowstep;
+ 	jas_seqent_t *data;
+ 
++	if (!matrix->rows_) {
++		return;
++	}
++
+ 	rowstep = jas_matrix_rowstep(matrix);
+ 	for (i = matrix->numrows_, rowstart = matrix->rows_[0]; i > 0; --i,
+ 	  rowstart += rowstep) {

Copied: jasper/repos/testing-i686/jasper-1.900.1-fix-filename-buffer-overflow.patch (from rev 277856, jasper/trunk/jasper-1.900.1-fix-filename-buffer-overflow.patch)
===================================================================
--- testing-i686/jasper-1.900.1-fix-filename-buffer-overflow.patch	                        (rev 0)
+++ testing-i686/jasper-1.900.1-fix-filename-buffer-overflow.patch	2016-10-06 20:50:52 UTC (rev 277857)
@@ -0,0 +1,37 @@
+Description: Filename buffer overflow fix
+ This patch fixes a security hole by a bad buffer size handling.
+Author: Roland Stigge <stigge at antcom.de>
+Bug-Debian: http://bugs.debian.org/645118
+
+--- a/src/libjasper/include/jasper/jas_stream.h
++++ b/src/libjasper/include/jasper/jas_stream.h
+@@ -77,6 +77,7 @@
+ #include <jasper/jas_config.h>
+ 
+ #include <stdio.h>
++#include <limits.h>
+ #if defined(HAVE_FCNTL_H)
+ #include <fcntl.h>
+ #endif
+@@ -99,6 +100,12 @@ extern "C" {
+ #define O_BINARY	0
+ #endif
+ 
++#ifdef PATH_MAX
++#define JAS_PATH_MAX PATH_MAX
++#else
++#define JAS_PATH_MAX 4096
++#endif
++
+ /*
+  * Stream open flags.
+  */
+@@ -251,7 +258,7 @@ typedef struct {
+ typedef struct {
+ 	int fd;
+ 	int flags;
+-	char pathname[L_tmpnam + 1];
++	char pathname[JAS_PATH_MAX + 1];
+ } jas_stream_fileobj_t;
+ 
+ #define	JAS_STREAM_FILEOBJ_DELONCLOSE	0x01
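Review bot: Enlarging `pathname` to `JAS_PATH_MAX + 1` only removes the overflow if every write into the field is bounded by the new size, and no such write site is part of this patch. Any copy into `pathname` in the stream implementation should use `sizeof` of the field as its limit and should check for truncation rather than rely on the buffer being large enough. The 4096 fallback is a bare number and deserves a comment saying it is used when the platform does not define `PATH_MAX`. If jas_stream.h is an installed header, the change in the size of `jas_stream_fileobj_t` is also visible to code compiled against the old layout.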

Copied: jasper/repos/testing-i686/jasper-avoid-assert-abort.diff (from rev 277856, jasper/trunk/jasper-avoid-assert-abort.diff)
===================================================================
--- testing-i686/jasper-avoid-assert-abort.diff	                        (rev 0)
+++ testing-i686/jasper-avoid-assert-abort.diff	2016-10-06 20:50:52 UTC (rev 277857)
@@ -0,0 +1,14 @@
+--- jasper-1.900.1.orig/src/libjasper/jp2/jp2_dec.c	2014-12-11 14:30:54.193209780 +0100
++++ jasper-1.900.1/src/libjasper/jp2/jp2_dec.c	2014-12-11 14:36:46.313217814 +0100
+@@ -291,7 +291,10 @@ jas_image_t *jp2_decode(jas_stream_t *in
+ 	case JP2_COLR_ICC:
+ 		iccprof = jas_iccprof_createfrombuf(dec->colr->data.colr.iccp,
+ 		  dec->colr->data.colr.iccplen);
+-		assert(iccprof);
++		if (!iccprof) {
++			jas_eprintf("error: failed to parse ICC profile\n");
++			goto error;
++		}
+ 		jas_iccprof_gethdr(iccprof, &icchdr);
+ 		jas_eprintf("ICC Profile CS %08x\n", icchdr.colorspc);
+ 		jas_image_setclrspc(dec->image, fromiccpcs(icchdr.colorspc));

Copied: jasper/repos/testing-i686/patch-libjasper-stepsizes-overflow.diff (from rev 277856, jasper/trunk/patch-libjasper-stepsizes-overflow.diff)
===================================================================
--- testing-i686/patch-libjasper-stepsizes-overflow.diff	                        (rev 0)
+++ testing-i686/patch-libjasper-stepsizes-overflow.diff	2016-10-06 20:50:52 UTC (rev 277857)
@@ -0,0 +1,14 @@
+--- jasper-1.900.1.orig/src/libjasper/jpc/jpc_cs.c	2007-01-19 22:43:07.000000000 +0100
++++ jasper-1.900.1/src/libjasper/jpc/jpc_cs.c	2007-04-06 01:29:02.000000000 +0200
+@@ -982,7 +982,10 @@ static int jpc_qcx_getcompparms(jpc_qcxc
+ 		compparms->numstepsizes = (len - n) / 2;
+ 		break;
+ 	}
+-	if (compparms->numstepsizes > 0) {
++	if (compparms->numstepsizes > 3 * JPC_MAXRLVLS + 1) {
++		jpc_qcx_destroycompparms(compparms);
++                return -1;
++        } else if (compparms->numstepsizes > 0) {
+ 		compparms->stepsizes = jas_malloc(compparms->numstepsizes *
+ 		  sizeof(uint_fast16_t));
+ 		assert(compparms->stepsizes);
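Review bot: The new bound `3 * JPC_MAXRLVLS + 1` is an unexplained expression, and the added `return -1;` and `} else if` lines are indented with spaces where the surrounding code uses tabs. A comment such as `/* at most 3 subbands per resolution level plus one */` would document the limit once it is confirmed against the codestream header, and a named constant would be better if one already exists. On the allocation path that follows, `assert(compparms->stepsizes)` is the only failure check, and it is compiled out under NDEBUG. An explicit `if (!compparms->stepsizes)` branch that destroys `compparms` and returns -1 would mirror the new error branch. jpc_qcx_getcompparms continues outside the hunk, and a later patch in the series may touch the same allocation.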

Copied: jasper/repos/testing-x86_64/PKGBUILD (from rev 277856, jasper/trunk/PKGBUILD)
===================================================================
--- testing-x86_64/PKGBUILD	                        (rev 0)
+++ testing-x86_64/PKGBUILD	2016-10-06 20:50:52 UTC (rev 277857)
@@ -0,0 +1,50 @@
+# $Id$
+# Maintainer: Eric Bélanger <eric at archlinux.org>
+
+pkgname=jasper
+pkgver=1.900.2
+pkgrel=1
+pkgdesc="A software-based implementation of the codec specified in the emerging JPEG-2000 Part-1 standard"
+arch=('i686' 'x86_64')
+url="http://www.ece.uvic.ca/~mdadams/jasper/"
+license=('custom:JasPer2.0')
+depends=('libjpeg')
+makedepends=('freeglut' 'libxmu' 'glu')
+optdepends=('freeglut: for jiv support' 'glu: for jiv support')
+source=(http://www.ece.uvic.ca/~mdadams/${pkgname}/software/${pkgname}-${pkgver}.tar.gz
+        patch-libjasper-stepsizes-overflow.diff jasper-1.900.1-CVE-2008-3520.patch
+        jasper-1.900.1-CVE-2014-8137.patch jasper-avoid-assert-abort.diff
+        jasper-1.900.1-CVE-2011-4516-and-CVE-2011-4517.patch
+        jasper-1.900.1-fix-filename-buffer-overflow.patch
+        jasper-1.900.1-CVE-2016-2089.patch)
+sha1sums=('3b6bfa9876a88fbeb6fe5ad29437643c28fa4475'
+          'f298566fef08c8a589d072582112cd51c72c3983'
+          '2483dba925670bf29f531d85d73c4e5ada513b01'
+          '437519aaaeff6076d11cdbea82125dbcac6f729b'
+          '98548b610a7319e569ee0425a32dc1d31a8771d2'
+          '3bfb37a4c732caa824563bad2603fcf5f2acf7f7'
+          '577dfce40da75818c4d32eb1c4532b1370950bee'
+          '06f89116508b1498e97a41ae07e15a4f049e671d')
+
+prepare() {
+  cd ${pkgname}-${pkgver}
+  patch -p1 -i "${srcdir}/patch-libjasper-stepsizes-overflow.diff"
+  patch -p1 -i "${srcdir}/jasper-1.900.1-CVE-2008-3520.patch"
+  patch -p1 -i "${srcdir}/jasper-1.900.1-CVE-2014-8137.patch"
+  patch -p1 -i "${srcdir}/jasper-avoid-assert-abort.diff"
+  patch -p1 -i "${srcdir}/jasper-1.900.1-CVE-2011-4516-and-CVE-2011-4517.patch"
+  patch -p1 -i "${srcdir}/jasper-1.900.1-fix-filename-buffer-overflow.patch"
+  patch -p1 -i "${srcdir}/jasper-1.900.1-CVE-2016-2089.patch"
+}
+
+build() {
+  cd ${pkgname}-${pkgver}
+  ./configure --prefix=/usr --mandir=/usr/share/man --enable-shared
+  make
+}
+
+package() {
+  cd ${pkgname}-${pkgver}
+  make DESTDIR="${pkgdir}" install
+  install -Dm644 LICENSE "${pkgdir}/usr/share/licenses/${pkgname}/LICENSE"
+}
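Review bot: The `source` array fetches the release tarball over plain `http://`, and the only integrity check is `sha1sums`, which is a weak basis for trusting a download that gets security patches applied on top. Switching to `sha256sums` (regenerated with `updpkgsums`) strengthens the check, and the URL should use `https://` if the upstream host serves it. `pkgver` is 1.900.2 while every patch is named for 1.900.1, so it is worth confirming that each `patch -p1` in `prepare()` applies cleanly without fuzz and is not already included upstream.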

Copied: jasper/repos/testing-x86_64/jasper-1.900.1-CVE-2008-3520.patch (from rev 277856, jasper/trunk/jasper-1.900.1-CVE-2008-3520.patch)
===================================================================
--- testing-x86_64/jasper-1.900.1-CVE-2008-3520.patch	                        (rev 0)
+++ testing-x86_64/jasper-1.900.1-CVE-2008-3520.patch	2016-10-06 20:50:52 UTC (rev 277857)
@@ -0,0 +1,928 @@
+https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2008-3520
+
+OpenBSD jas_malloc hardening patches
+
+diff -pruN jasper-1.900.1.orig/src/libjasper/base/jas_cm.c jasper-1.900.1/src/libjasper/base/jas_cm.c
+--- jasper-1.900.1.orig/src/libjasper/base/jas_cm.c	2007-01-19 22:43:05.000000000 +0100
++++ jasper-1.900.1/src/libjasper/base/jas_cm.c	2009-10-22 10:27:45.000000000 +0200
+@@ -704,8 +704,7 @@ static int jas_cmpxformseq_resize(jas_cm
+ {
+ 	jas_cmpxform_t **p;
+ 	assert(n >= pxformseq->numpxforms);
+-	p = (!pxformseq->pxforms) ? jas_malloc(n * sizeof(jas_cmpxform_t *)) :
+-	  jas_realloc(pxformseq->pxforms, n * sizeof(jas_cmpxform_t *));
++	p = jas_realloc2(pxformseq->pxforms, n, sizeof(jas_cmpxform_t *));
+ 	if (!p) {
+ 		return -1;
+ 	}
+@@ -889,13 +888,13 @@ static int jas_cmshapmatlut_set(jas_cmsh
+ 	jas_cmshapmatlut_cleanup(lut);
+ 	if (curv->numents == 0) {
+ 		lut->size = 2;
+-		if (!(lut->data = jas_malloc(lut->size * sizeof(jas_cmreal_t))))
++		if (!(lut->data = jas_alloc2(lut->size, sizeof(jas_cmreal_t))))
+ 			goto error;
+ 		lut->data[0] = 0.0;
+ 		lut->data[1] = 1.0;
+ 	} else if (curv->numents == 1) {
+ 		lut->size = 256;
+-		if (!(lut->data = jas_malloc(lut->size * sizeof(jas_cmreal_t))))
++		if (!(lut->data = jas_alloc2(lut->size, sizeof(jas_cmreal_t))))
+ 			goto error;
+ 		gamma = curv->ents[0] / 256.0;
+ 		for (i = 0; i < lut->size; ++i) {
+@@ -903,7 +902,7 @@ static int jas_cmshapmatlut_set(jas_cmsh
+ 		}
+ 	} else {
+ 		lut->size = curv->numents;
+-		if (!(lut->data = jas_malloc(lut->size * sizeof(jas_cmreal_t))))
++		if (!(lut->data = jas_alloc2(lut->size, sizeof(jas_cmreal_t))))
+ 			goto error;
+ 		for (i = 0; i < lut->size; ++i) {
+ 			lut->data[i] = curv->ents[i] / 65535.0;
+@@ -953,7 +952,7 @@ static int jas_cmshapmatlut_invert(jas_c
+ 			return -1;
+ 		}
+ 	}
+-	if (!(invlut->data = jas_malloc(n * sizeof(jas_cmreal_t))))
++	if (!(invlut->data = jas_alloc2(n, sizeof(jas_cmreal_t))))
+ 		return -1;
+ 	invlut->size = n;
+ 	for (i = 0; i < invlut->size; ++i) {
+diff -pruN jasper-1.900.1.orig/src/libjasper/base/jas_icc.c jasper-1.900.1/src/libjasper/base/jas_icc.c
+--- jasper-1.900.1.orig/src/libjasper/base/jas_icc.c	2007-01-19 22:43:05.000000000 +0100
++++ jasper-1.900.1/src/libjasper/base/jas_icc.c	2009-10-22 10:27:45.000000000 +0200
+@@ -373,7 +373,7 @@ int jas_iccprof_save(jas_iccprof_t *prof
+ 	jas_icctagtab_t *tagtab;
+ 
+ 	tagtab = &prof->tagtab;
+-	if (!(tagtab->ents = jas_malloc(prof->attrtab->numattrs *
++	if (!(tagtab->ents = jas_alloc2(prof->attrtab->numattrs,
+ 	  sizeof(jas_icctagtabent_t))))
+ 		goto error;
+ 	tagtab->numents = prof->attrtab->numattrs;
+@@ -522,7 +522,7 @@ static int jas_iccprof_gettagtab(jas_str
+ 	}
+ 	if (jas_iccgetuint32(in, &tagtab->numents))
+ 		goto error;
+-	if (!(tagtab->ents = jas_malloc(tagtab->numents *
++	if (!(tagtab->ents = jas_alloc2(tagtab->numents,
+ 	  sizeof(jas_icctagtabent_t))))
+ 		goto error;
+ 	tagtabent = tagtab->ents;
+@@ -743,8 +743,7 @@ static int jas_iccattrtab_resize(jas_icc
+ {
+ 	jas_iccattr_t *newattrs;
+ 	assert(maxents >= tab->numattrs);
+-	newattrs = tab->attrs ? jas_realloc(tab->attrs, maxents *
+-	  sizeof(jas_iccattr_t)) : jas_malloc(maxents * sizeof(jas_iccattr_t));
++	newattrs = jas_realloc2(tab->attrs, maxents, sizeof(jas_iccattr_t));
+ 	if (!newattrs)
+ 		return -1;
+ 	tab->attrs = newattrs;
+@@ -999,7 +998,7 @@ static int jas_icccurv_input(jas_iccattr
+ 
+ 	if (jas_iccgetuint32(in, &curv->numents))
+ 		goto error;
+-	if (!(curv->ents = jas_malloc(curv->numents * sizeof(jas_iccuint16_t))))
++	if (!(curv->ents = jas_alloc2(curv->numents, sizeof(jas_iccuint16_t))))
+ 		goto error;
+ 	for (i = 0; i < curv->numents; ++i) {
+ 		if (jas_iccgetuint16(in, &curv->ents[i]))
+@@ -1100,7 +1099,7 @@ static int jas_icctxtdesc_input(jas_icca
+ 	if (jas_iccgetuint32(in, &txtdesc->uclangcode) ||
+ 	  jas_iccgetuint32(in, &txtdesc->uclen))
+ 		goto error;
+-	if (!(txtdesc->ucdata = jas_malloc(txtdesc->uclen * 2)))
++	if (!(txtdesc->ucdata = jas_alloc2(txtdesc->uclen, 2)))
+ 		goto error;
+ 	if (jas_stream_read(in, txtdesc->ucdata, txtdesc->uclen * 2) !=
+ 	  JAS_CAST(int, txtdesc->uclen * 2))
+@@ -1292,17 +1291,17 @@ static int jas_icclut8_input(jas_iccattr
+ 	  jas_iccgetuint16(in, &lut8->numouttabents))
+ 		goto error;
+ 	clutsize = jas_iccpowi(lut8->clutlen, lut8->numinchans) * lut8->numoutchans;
+-	if (!(lut8->clut = jas_malloc(clutsize * sizeof(jas_iccuint8_t))) ||
+-	  !(lut8->intabsbuf = jas_malloc(lut8->numinchans *
+-	  lut8->numintabents * sizeof(jas_iccuint8_t))) ||
+-	  !(lut8->intabs = jas_malloc(lut8->numinchans *
++	if (!(lut8->clut = jas_alloc2(clutsize, sizeof(jas_iccuint8_t))) ||
++	  !(lut8->intabsbuf = jas_alloc3(lut8->numinchans,
++	  lut8->numintabents, sizeof(jas_iccuint8_t))) ||
++	  !(lut8->intabs = jas_alloc2(lut8->numinchans,
+ 	  sizeof(jas_iccuint8_t *))))
+ 		goto error;
+ 	for (i = 0; i < lut8->numinchans; ++i)
+ 		lut8->intabs[i] = &lut8->intabsbuf[i * lut8->numintabents];
+-	if (!(lut8->outtabsbuf = jas_malloc(lut8->numoutchans *
+-	  lut8->numouttabents * sizeof(jas_iccuint8_t))) ||
+-	  !(lut8->outtabs = jas_malloc(lut8->numoutchans *
++	if (!(lut8->outtabsbuf = jas_alloc3(lut8->numoutchans,
++	  lut8->numouttabents, sizeof(jas_iccuint8_t))) ||
++	  !(lut8->outtabs = jas_alloc2(lut8->numoutchans,
+ 	  sizeof(jas_iccuint8_t *))))
+ 		goto error;
+ 	for (i = 0; i < lut8->numoutchans; ++i)
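Review bot: `clutsize` is still produced by an unchecked multiply, `jas_iccpowi(lut8->clutlen, lut8->numinchans) * lut8->numoutchans`, before it reaches `jas_alloc2`, so the new overflow check covers only the final `* sizeof(...)` step and a wrapped count would be allocated as if it were valid. The same pattern is visible in the jas_icclut16_input hunk, in `lutsize = pclr->numlutents * pclr->numchans` (jp2_pclr_getdata), in `matrix->datasize_ = numrows * numcols` (jas_matrix_create) and in `dec->numtiles = dec->numhtiles * dec->numvtiles` (jpc_dec_process_siz). Where the factors are read from the input stream, as they are here, each product should be range-checked before use, or the factors passed separately to `jas_alloc3` so that the helper does the check. Whether `jas_iccpowi` itself guards against overflow cannot be seen on this page, and these function bodies continue outside the hunks.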
+@@ -1461,17 +1460,17 @@ static int jas_icclut16_input(jas_iccatt
+ 	  jas_iccgetuint16(in, &lut16->numouttabents))
+ 		goto error;
+ 	clutsize = jas_iccpowi(lut16->clutlen, lut16->numinchans) * lut16->numoutchans;
+-	if (!(lut16->clut = jas_malloc(clutsize * sizeof(jas_iccuint16_t))) ||
+-	  !(lut16->intabsbuf = jas_malloc(lut16->numinchans *
+-	  lut16->numintabents * sizeof(jas_iccuint16_t))) ||
+-	  !(lut16->intabs = jas_malloc(lut16->numinchans *
++	if (!(lut16->clut = jas_alloc2(clutsize, sizeof(jas_iccuint16_t))) ||
++	  !(lut16->intabsbuf = jas_alloc3(lut16->numinchans,
++	  lut16->numintabents, sizeof(jas_iccuint16_t))) ||
++	  !(lut16->intabs = jas_alloc2(lut16->numinchans,
+ 	  sizeof(jas_iccuint16_t *))))
+ 		goto error;
+ 	for (i = 0; i < lut16->numinchans; ++i)
+ 		lut16->intabs[i] = &lut16->intabsbuf[i * lut16->numintabents];
+-	if (!(lut16->outtabsbuf = jas_malloc(lut16->numoutchans *
+-	  lut16->numouttabents * sizeof(jas_iccuint16_t))) ||
+-	  !(lut16->outtabs = jas_malloc(lut16->numoutchans *
++	if (!(lut16->outtabsbuf = jas_alloc3(lut16->numoutchans,
++	  lut16->numouttabents, sizeof(jas_iccuint16_t))) ||
++	  !(lut16->outtabs = jas_alloc2(lut16->numoutchans,
+ 	  sizeof(jas_iccuint16_t *))))
+ 		goto error;
+ 	for (i = 0; i < lut16->numoutchans; ++i)
+diff -pruN jasper-1.900.1.orig/src/libjasper/base/jas_image.c jasper-1.900.1/src/libjasper/base/jas_image.c
+--- jasper-1.900.1.orig/src/libjasper/base/jas_image.c	2007-01-19 22:43:05.000000000 +0100
++++ jasper-1.900.1/src/libjasper/base/jas_image.c	2009-10-22 10:27:45.000000000 +0200
+@@ -142,7 +142,7 @@ jas_image_t *jas_image_create(int numcmp
+ 	image->inmem_ = true;
+ 
+ 	/* Allocate memory for the per-component information. */
+-	if (!(image->cmpts_ = jas_malloc(image->maxcmpts_ *
++	if (!(image->cmpts_ = jas_alloc2(image->maxcmpts_,
+ 	  sizeof(jas_image_cmpt_t *)))) {
+ 		jas_image_destroy(image);
+ 		return 0;
+@@ -774,8 +774,7 @@ static int jas_image_growcmpts(jas_image
+ 	jas_image_cmpt_t **newcmpts;
+ 	int cmptno;
+ 
+-	newcmpts = (!image->cmpts_) ? jas_malloc(maxcmpts * sizeof(jas_image_cmpt_t *)) :
+-	  jas_realloc(image->cmpts_, maxcmpts * sizeof(jas_image_cmpt_t *));
++	newcmpts = jas_realloc2(image->cmpts_, maxcmpts, sizeof(jas_image_cmpt_t *));
+ 	if (!newcmpts) {
+ 		return -1;
+ 	}
+diff -pruN jasper-1.900.1.orig/src/libjasper/base/jas_malloc.c jasper-1.900.1/src/libjasper/base/jas_malloc.c
+--- jasper-1.900.1.orig/src/libjasper/base/jas_malloc.c	2007-01-19 22:43:05.000000000 +0100
++++ jasper-1.900.1/src/libjasper/base/jas_malloc.c	2009-10-22 10:27:45.000000000 +0200
+@@ -76,6 +76,9 @@
+ 
+ /* We need the prototype for memset. */
+ #include <string.h>
++#include <limits.h>
++#include <errno.h>
++#include <stdint.h>
+ 
+ #include "jasper/jas_malloc.h"
+ 
+@@ -113,18 +116,50 @@ void jas_free(void *ptr)
+ 
+ void *jas_realloc(void *ptr, size_t size)
+ {
+-	return realloc(ptr, size);
++	return ptr ? realloc(ptr, size) : malloc(size);
+ }
+ 
+-void *jas_calloc(size_t nmemb, size_t size)
++void *jas_realloc2(void *ptr, size_t nmemb, size_t size)
++{
++	if (!ptr)
++		return jas_alloc2(nmemb, size);
++	if (nmemb && SIZE_MAX / nmemb < size) {
++		errno = ENOMEM;
++		return NULL;
++	}
++	return jas_realloc(ptr, nmemb * size);
++
++}
++
++void *jas_alloc2(size_t nmemb, size_t size)
++{
++	if (nmemb && SIZE_MAX / nmemb < size) {
++		errno = ENOMEM;
++		return NULL;
++	}
++
++	return jas_malloc(nmemb * size);
++}
++
++void *jas_alloc3(size_t a, size_t b, size_t c)
+ {
+-	void *ptr;
+ 	size_t n;
+-	n = nmemb * size;
+-	if (!(ptr = jas_malloc(n * sizeof(char)))) {
+-		return 0;
++
++	if (a && SIZE_MAX / a < b) {
++		errno = ENOMEM;
++		return NULL;
+ 	}
+-	memset(ptr, 0, n);
++
++	return jas_alloc2(a*b, c);
++}
++
++void *jas_calloc(size_t nmemb, size_t size)
++{
++	void *ptr;
++
++	ptr = jas_alloc2(nmemb, size);
++	if (ptr)
++		memset(ptr, 0, nmemb*size);
+ 	return ptr;
+ }
+ 
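Review bot: The three new helpers carry no comments, so their contract has to be read out of the code: `jas_alloc2`, `jas_alloc3` and `jas_realloc2` return NULL with `errno` set to `ENOMEM` when the size product would exceed `SIZE_MAX`, and otherwise defer to `jas_malloc` or `jas_realloc`. I would add a one-line comment above each, for example `/* Allocate nmemb * size bytes; returns NULL and sets errno to ENOMEM if the product overflows size_t. */`, and note on `jas_realloc2` that a NULL `ptr` behaves like `jas_alloc2`. The header hunk's only comment, `/* size-checked double allocation .*/`, sits above `jas_alloc2` alone and should be reworded to cover all three prototypes.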
+diff -pruN jasper-1.900.1.orig/src/libjasper/base/jas_seq.c jasper-1.900.1/src/libjasper/base/jas_seq.c
+--- jasper-1.900.1.orig/src/libjasper/base/jas_seq.c	2007-01-19 22:43:05.000000000 +0100
++++ jasper-1.900.1/src/libjasper/base/jas_seq.c	2009-10-22 10:27:45.000000000 +0200
+@@ -114,7 +114,7 @@ jas_matrix_t *jas_matrix_create(int numr
+ 	matrix->datasize_ = numrows * numcols;
+ 
+ 	if (matrix->maxrows_ > 0) {
+-		if (!(matrix->rows_ = jas_malloc(matrix->maxrows_ *
++		if (!(matrix->rows_ = jas_alloc2(matrix->maxrows_,
+ 		  sizeof(jas_seqent_t *)))) {
+ 			jas_matrix_destroy(matrix);
+ 			return 0;
+@@ -122,7 +122,7 @@ jas_matrix_t *jas_matrix_create(int numr
+ 	}
+ 
+ 	if (matrix->datasize_ > 0) {
+-		if (!(matrix->data_ = jas_malloc(matrix->datasize_ *
++		if (!(matrix->data_ = jas_alloc2(matrix->datasize_,
+ 		  sizeof(jas_seqent_t)))) {
+ 			jas_matrix_destroy(matrix);
+ 			return 0;
+@@ -220,7 +220,7 @@ void jas_matrix_bindsub(jas_matrix_t *ma
+ 	mat0->numrows_ = r1 - r0 + 1;
+ 	mat0->numcols_ = c1 - c0 + 1;
+ 	mat0->maxrows_ = mat0->numrows_;
+-	mat0->rows_ = jas_malloc(mat0->maxrows_ * sizeof(jas_seqent_t *));
++	mat0->rows_ = jas_alloc2(mat0->maxrows_, sizeof(jas_seqent_t *));
+ 	for (i = 0; i < mat0->numrows_; ++i) {
+ 		mat0->rows_[i] = mat1->rows_[r0 + i] + c0;
+ 	}
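Review bot: The result of `jas_alloc2` is written through without a NULL check in the loop that follows, `mat0->rows_[i] = ...`, and the helper now also returns NULL when the size computation overflows, not only when memory runs out. The same unchecked use appears at `lutents = jas_alloc2(...)` in jp2_decode, `cdef->ents = jas_alloc2(...)` in jp2_enc.c and `crg->comps = jas_alloc2(...)` in jpc_enc.c, while jpc_qcx_getcompparms, jpc_dec_process_sot and the `siz->comps` allocation in jpc_enc.c rely on `assert()`, which is compiled out in NDEBUG builds. Where the function already has an error path the fix is one line, such as `if (!lutents) goto error;`. jas_matrix_bindsub returns void in the visible signature, so it needs some way to report the failure to its caller. All of these functions continue outside their hunks.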
+diff -pruN jasper-1.900.1.orig/src/libjasper/base/jas_stream.c jasper-1.900.1/src/libjasper/base/jas_stream.c
+--- jasper-1.900.1.orig/src/libjasper/base/jas_stream.c	2007-01-19 22:43:05.000000000 +0100
++++ jasper-1.900.1/src/libjasper/base/jas_stream.c	2009-10-22 10:27:45.000000000 +0200
+@@ -212,7 +212,7 @@ jas_stream_t *jas_stream_memopen(char *b
+ 	if (buf) {
+ 		obj->buf_ = (unsigned char *) buf;
+ 	} else {
+-		obj->buf_ = jas_malloc(obj->bufsize_ * sizeof(char));
++		obj->buf_ = jas_malloc(obj->bufsize_);
+ 		obj->myalloc_ = 1;
+ 	}
+ 	if (!obj->buf_) {
+@@ -992,7 +992,7 @@ static int mem_resize(jas_stream_memobj_
+ 	unsigned char *buf;
+ 
+ 	assert(m->buf_);
+-	if (!(buf = jas_realloc(m->buf_, bufsize * sizeof(unsigned char)))) {
++	if (!(buf = jas_realloc(m->buf_, bufsize))) {
+ 		return -1;
+ 	}
+ 	m->buf_ = buf;
+diff -pruN jasper-1.900.1.orig/src/libjasper/bmp/bmp_dec.c jasper-1.900.1/src/libjasper/bmp/bmp_dec.c
+--- jasper-1.900.1.orig/src/libjasper/bmp/bmp_dec.c	2007-01-19 22:43:07.000000000 +0100
++++ jasper-1.900.1/src/libjasper/bmp/bmp_dec.c	2009-10-22 10:27:45.000000000 +0200
+@@ -283,7 +283,7 @@ static bmp_info_t *bmp_getinfo(jas_strea
+ 	}
+ 
+ 	if (info->numcolors > 0) {
+-		if (!(info->palents = jas_malloc(info->numcolors *
++		if (!(info->palents = jas_alloc2(info->numcolors,
+ 		  sizeof(bmp_palent_t)))) {
+ 			bmp_info_destroy(info);
+ 			return 0;
+diff -pruN jasper-1.900.1.orig/src/libjasper/include/jasper/jas_malloc.h jasper-1.900.1/src/libjasper/include/jasper/jas_malloc.h
+--- jasper-1.900.1.orig/src/libjasper/include/jasper/jas_malloc.h	2007-01-19 22:43:04.000000000 +0100
++++ jasper-1.900.1/src/libjasper/include/jasper/jas_malloc.h	2009-10-22 10:27:45.000000000 +0200
+@@ -95,6 +95,9 @@ extern "C" {
+ #define	jas_free	MEMFREE
+ #define	jas_realloc	MEMREALLOC
+ #define	jas_calloc	MEMCALLOC
++#define jas_alloc2(a, b)	MEMALLOC((a)*(b))
++#define jas_alloc3(a, b, c)	MEMALLOC((a)*(b)*(c))
++#define jas_realloc2(p, a, b)	MEMREALLOC((p), (a)*(b))
+ #endif
+ 
+ /******************************************************************************\
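Review bot: The macro forms added in this preprocessor branch, `jas_alloc2(a, b)` as `MEMALLOC((a)*(b))` and likewise `jas_alloc3` and `jas_realloc2`, multiply without any overflow check, so a build that takes this branch gets none of the hardening the function versions in jas_malloc.c provide. The condition guarding the branch is outside the hunk, so it is not clear from here how often it is enabled. I would drop the three macros and keep the checked functions in every configuration, having them call the `MEM*` primitives after the check, or at the very least add a comment here stating that the macro variants are unchecked.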
+@@ -115,6 +118,12 @@ void *jas_realloc(void *ptr, size_t size
+ /* Allocate a block of memory and initialize the contents to zero. */
+ void *jas_calloc(size_t nmemb, size_t size);
+ 
++/* size-checked double allocation .*/
++void *jas_alloc2(size_t, size_t);
++
++void *jas_alloc3(size_t, size_t, size_t);
++
++void *jas_realloc2(void *, size_t, size_t);
+ #endif
+ 
+ #ifdef __cplusplus
+diff -pruN jasper-1.900.1.orig/src/libjasper/jp2/jp2_cod.c jasper-1.900.1/src/libjasper/jp2/jp2_cod.c
+--- jasper-1.900.1.orig/src/libjasper/jp2/jp2_cod.c	2007-01-19 22:43:05.000000000 +0100
++++ jasper-1.900.1/src/libjasper/jp2/jp2_cod.c	2009-10-22 10:30:24.000000000 +0200
+@@ -247,7 +247,7 @@ jp2_box_t *jp2_box_get(jas_stream_t *in)
+ 	box = 0;
+ 	tmpstream = 0;
+ 
+-	if (!(box = jas_malloc(sizeof(jp2_box_t)))) {
++	if (!(box = jas_calloc(1, sizeof(jp2_box_t)))) {
+ 		goto error;
+ 	}
+ 	box->ops = &jp2_boxinfo_unk.ops;
+@@ -372,7 +372,7 @@ static int jp2_bpcc_getdata(jp2_box_t *b
+ 	jp2_bpcc_t *bpcc = &box->data.bpcc;
+ 	unsigned int i;
+ 	bpcc->numcmpts = box->datalen;
+-	if (!(bpcc->bpcs = jas_malloc(bpcc->numcmpts * sizeof(uint_fast8_t)))) {
++	if (!(bpcc->bpcs = jas_alloc2(bpcc->numcmpts, sizeof(uint_fast8_t)))) {
+ 		return -1;
+ 	}
+ 	for (i = 0; i < bpcc->numcmpts; ++i) {
+@@ -416,7 +416,7 @@ static int jp2_colr_getdata(jp2_box_t *b
+ 		break;
+ 	case JP2_COLR_ICC:
+ 		colr->iccplen = box->datalen - 3;
+-		if (!(colr->iccp = jas_malloc(colr->iccplen * sizeof(uint_fast8_t)))) {
++		if (!(colr->iccp = jas_alloc2(colr->iccplen, sizeof(uint_fast8_t)))) {
+ 			return -1;
+ 		}
+ 		if (jas_stream_read(in, colr->iccp, colr->iccplen) != colr->iccplen) {
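Review bot: `colr->iccplen = box->datalen - 3` is computed just before the allocation with no visible check that `datalen` is at least 3. If the fields are unsigned, a short box makes the length wrap to a very large value, and `jas_alloc2(colr->iccplen, sizeof(uint_fast8_t))` does not catch that because the product itself need not overflow; the request then depends on the allocator refusing it. Any earlier validation would be outside the hunk, so this should be confirmed against the rest of jp2_colr_getdata. A guard such as `if (box->datalen < 3) return -1;` ahead of the subtraction would close it.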
+@@ -453,7 +453,7 @@ static int jp2_cdef_getdata(jp2_box_t *b
+ 	if (jp2_getuint16(in, &cdef->numchans)) {
+ 		return -1;
+ 	}
+-	if (!(cdef->ents = jas_malloc(cdef->numchans * sizeof(jp2_cdefchan_t)))) {
++	if (!(cdef->ents = jas_alloc2(cdef->numchans, sizeof(jp2_cdefchan_t)))) {
+ 		return -1;
+ 	}
+ 	for (channo = 0; channo < cdef->numchans; ++channo) {
+@@ -766,7 +766,7 @@ static int jp2_cmap_getdata(jp2_box_t *b
+ 	unsigned int i;
+ 
+ 	cmap->numchans = (box->datalen) / 4;
+-	if (!(cmap->ents = jas_malloc(cmap->numchans * sizeof(jp2_cmapent_t)))) {
++	if (!(cmap->ents = jas_alloc2(cmap->numchans, sizeof(jp2_cmapent_t)))) {
+ 		return -1;
+ 	}
+ 	for (i = 0; i < cmap->numchans; ++i) {
+@@ -828,10 +828,10 @@ static int jp2_pclr_getdata(jp2_box_t *b
+ 		return -1;
+ 	}
+ 	lutsize = pclr->numlutents * pclr->numchans;
+-	if (!(pclr->lutdata = jas_malloc(lutsize * sizeof(int_fast32_t)))) {
++	if (!(pclr->lutdata = jas_alloc2(lutsize, sizeof(int_fast32_t)))) {
+ 		return -1;
+ 	}
+-	if (!(pclr->bpc = jas_malloc(pclr->numchans * sizeof(uint_fast8_t)))) {
++	if (!(pclr->bpc = jas_alloc2(pclr->numchans, sizeof(uint_fast8_t)))) {
+ 		return -1;
+ 	}
+ 	for (i = 0; i < pclr->numchans; ++i) {
+diff -pruN jasper-1.900.1.orig/src/libjasper/jp2/jp2_dec.c jasper-1.900.1/src/libjasper/jp2/jp2_dec.c
+--- jasper-1.900.1.orig/src/libjasper/jp2/jp2_dec.c	2007-01-19 22:43:05.000000000 +0100
++++ jasper-1.900.1/src/libjasper/jp2/jp2_dec.c	2009-10-22 10:27:45.000000000 +0200
+@@ -336,7 +336,7 @@ jas_image_t *jp2_decode(jas_stream_t *in
+ 	}
+ 
+ 	/* Allocate space for the channel-number to component-number LUT. */
+-	if (!(dec->chantocmptlut = jas_malloc(dec->numchans * sizeof(uint_fast16_t)))) {
++	if (!(dec->chantocmptlut = jas_alloc2(dec->numchans, sizeof(uint_fast16_t)))) {
+ 		jas_eprintf("error: no memory\n");
+ 		goto error;
+ 	}
+@@ -354,7 +354,7 @@ jas_image_t *jp2_decode(jas_stream_t *in
+ 			if (cmapent->map == JP2_CMAP_DIRECT) {
+ 				dec->chantocmptlut[channo] = channo;
+ 			} else if (cmapent->map == JP2_CMAP_PALETTE) {
+-				lutents = jas_malloc(pclrd->numlutents * sizeof(int_fast32_t));
++				lutents = jas_alloc2(pclrd->numlutents, sizeof(int_fast32_t));
+ 				for (i = 0; i < pclrd->numlutents; ++i) {
+ 					lutents[i] = pclrd->lutdata[cmapent->pcol + i * pclrd->numchans];
+ 				}
+diff -pruN jasper-1.900.1.orig/src/libjasper/jp2/jp2_enc.c jasper-1.900.1/src/libjasper/jp2/jp2_enc.c
+--- jasper-1.900.1.orig/src/libjasper/jp2/jp2_enc.c	2007-01-19 22:43:05.000000000 +0100
++++ jasper-1.900.1/src/libjasper/jp2/jp2_enc.c	2009-10-22 10:27:45.000000000 +0200
+@@ -191,7 +191,7 @@ int sgnd;
+ 		}
+ 		bpcc = &box->data.bpcc;
+ 		bpcc->numcmpts = jas_image_numcmpts(image);
+-		if (!(bpcc->bpcs = jas_malloc(bpcc->numcmpts *
++		if (!(bpcc->bpcs = jas_alloc2(bpcc->numcmpts,
+ 		  sizeof(uint_fast8_t)))) {
+ 			goto error;
+ 		}
+@@ -285,7 +285,7 @@ int sgnd;
+ 		}
+ 		cdef = &box->data.cdef;
+ 		cdef->numchans = jas_image_numcmpts(image);
+-		cdef->ents = jas_malloc(cdef->numchans * sizeof(jp2_cdefchan_t));
++		cdef->ents = jas_alloc2(cdef->numchans, sizeof(jp2_cdefchan_t));
+ 		for (i = 0; i < jas_image_numcmpts(image); ++i) {
+ 			cdefchanent = &cdef->ents[i];
+ 			cdefchanent->channo = i;
+diff -pruN jasper-1.900.1.orig/src/libjasper/jpc/jpc_cs.c jasper-1.900.1/src/libjasper/jpc/jpc_cs.c
+--- jasper-1.900.1.orig/src/libjasper/jpc/jpc_cs.c	2009-10-22 09:58:16.000000000 +0200
++++ jasper-1.900.1/src/libjasper/jpc/jpc_cs.c	2009-10-22 10:27:45.000000000 +0200
+@@ -502,7 +502,7 @@ static int jpc_siz_getparms(jpc_ms_t *ms
+ 	  !siz->tileheight || !siz->numcomps) {
+ 		return -1;
+ 	}
+-	if (!(siz->comps = jas_malloc(siz->numcomps * sizeof(jpc_sizcomp_t)))) {
++	if (!(siz->comps = jas_alloc2(siz->numcomps, sizeof(jpc_sizcomp_t)))) {
+ 		return -1;
+ 	}
+ 	for (i = 0; i < siz->numcomps; ++i) {
+@@ -986,7 +986,7 @@ static int jpc_qcx_getcompparms(jpc_qcxc
+ 		jpc_qcx_destroycompparms(compparms);
+                 return -1;
+         } else if (compparms->numstepsizes > 0) {
+-		compparms->stepsizes = jas_malloc(compparms->numstepsizes *
++		compparms->stepsizes = jas_alloc2(compparms->numstepsizes,
+ 		  sizeof(uint_fast16_t));
+ 		assert(compparms->stepsizes);
+ 		for (i = 0; i < compparms->numstepsizes; ++i) {
+@@ -1094,7 +1094,7 @@ static int jpc_ppm_getparms(jpc_ms_t *ms
+ 
+ 	ppm->len = ms->len - 1;
+ 	if (ppm->len > 0) {
+-		if (!(ppm->data = jas_malloc(ppm->len * sizeof(unsigned char)))) {
++		if (!(ppm->data = jas_malloc(ppm->len))) {
+ 			goto error;
+ 		}
+ 		if (JAS_CAST(uint, jas_stream_read(in, ppm->data, ppm->len)) != ppm->len) {
+@@ -1163,7 +1163,7 @@ static int jpc_ppt_getparms(jpc_ms_t *ms
+ 	}
+ 	ppt->len = ms->len - 1;
+ 	if (ppt->len > 0) {
+-		if (!(ppt->data = jas_malloc(ppt->len * sizeof(unsigned char)))) {
++		if (!(ppt->data = jas_malloc(ppt->len))) {
+ 			goto error;
+ 		}
+ 		if (jas_stream_read(in, (char *) ppt->data, ppt->len) != JAS_CAST(int, ppt->len)) {
+@@ -1226,7 +1226,7 @@ static int jpc_poc_getparms(jpc_ms_t *ms
+ 	uint_fast8_t tmp;
+ 	poc->numpchgs = (cstate->numcomps > 256) ? (ms->len / 9) :
+ 	  (ms->len / 7);
+-	if (!(poc->pchgs = jas_malloc(poc->numpchgs * sizeof(jpc_pocpchg_t)))) {
++	if (!(poc->pchgs = jas_alloc2(poc->numpchgs, sizeof(jpc_pocpchg_t)))) {
+ 		goto error;
+ 	}
+ 	for (pchgno = 0, pchg = poc->pchgs; pchgno < poc->numpchgs; ++pchgno,
+@@ -1331,7 +1331,7 @@ static int jpc_crg_getparms(jpc_ms_t *ms
+ 	jpc_crgcomp_t *comp;
+ 	uint_fast16_t compno;
+ 	crg->numcomps = cstate->numcomps;
+-	if (!(crg->comps = jas_malloc(cstate->numcomps * sizeof(uint_fast16_t)))) {
++	if (!(crg->comps = jas_alloc2(cstate->numcomps, sizeof(uint_fast16_t)))) {
+ 		return -1;
+ 	}
+ 	for (compno = 0, comp = crg->comps; compno < cstate->numcomps;
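Review bot: The element size passed to `jas_alloc2` is `sizeof(uint_fast16_t)`, but `crg->comps` is walked as `jpc_crgcomp_t *comp` in the loop below, and the encoder side of this same patch allocates the array with `sizeof(jpc_crgcomp_t)`. If `jpc_crgcomp_t` is larger than one `uint_fast16_t` (its definition is not on the page), the decoder's buffer is too small for `numcomps` entries and the loop writes past its end. The patch carries the old size expression over unchanged; I would change the line to `if (!(crg->comps = jas_alloc2(cstate->numcomps, sizeof(jpc_crgcomp_t)))) {`.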
+@@ -1470,7 +1470,7 @@ static int jpc_unk_getparms(jpc_ms_t *ms
+ 	cstate = 0;
+ 
+ 	if (ms->len > 0) {
+-		if (!(unk->data = jas_malloc(ms->len * sizeof(unsigned char)))) {
++		if (!(unk->data = jas_malloc(ms->len))) {
+ 			return -1;
+ 		}
+ 		if (jas_stream_read(in, (char *) unk->data, ms->len) != JAS_CAST(int, ms->len)) {
+diff -pruN jasper-1.900.1.orig/src/libjasper/jpc/jpc_dec.c jasper-1.900.1/src/libjasper/jpc/jpc_dec.c
+--- jasper-1.900.1.orig/src/libjasper/jpc/jpc_dec.c	2009-10-22 09:58:16.000000000 +0200
++++ jasper-1.900.1/src/libjasper/jpc/jpc_dec.c	2009-10-22 10:30:50.000000000 +0200
+@@ -449,7 +449,7 @@ static int jpc_dec_process_sot(jpc_dec_t
+ 
+ 	if (dec->state == JPC_MH) {
+ 
+-		compinfos = jas_malloc(dec->numcomps * sizeof(jas_image_cmptparm_t));
++		compinfos = jas_alloc2(dec->numcomps, sizeof(jas_image_cmptparm_t));
+ 		assert(compinfos);
+ 		for (cmptno = 0, cmpt = dec->cmpts, compinfo = compinfos;
+ 		  cmptno < dec->numcomps; ++cmptno, ++cmpt, ++compinfo) {
+@@ -692,7 +692,7 @@ static int jpc_dec_tileinit(jpc_dec_t *d
+ 			tile->realmode = 1;
+ 		}
+ 		tcomp->numrlvls = ccp->numrlvls;
+-		if (!(tcomp->rlvls = jas_malloc(tcomp->numrlvls *
++		if (!(tcomp->rlvls = jas_alloc2(tcomp->numrlvls,
+ 		  sizeof(jpc_dec_rlvl_t)))) {
+ 			return -1;
+ 		}
+@@ -764,7 +764,7 @@ rlvl->bands = 0;
+ 			  rlvl->cbgheightexpn);
+ 
+ 			rlvl->numbands = (!rlvlno) ? 1 : 3;
+-			if (!(rlvl->bands = jas_malloc(rlvl->numbands *
++			if (!(rlvl->bands = jas_alloc2(rlvl->numbands,
+ 			  sizeof(jpc_dec_band_t)))) {
+ 				return -1;
+ 			}
+@@ -797,7 +797,7 @@ rlvl->bands = 0;
+ 
+ 				assert(rlvl->numprcs);
+ 
+-				if (!(band->prcs = jas_malloc(rlvl->numprcs * sizeof(jpc_dec_prc_t)))) {
++				if (!(band->prcs = jas_alloc2(rlvl->numprcs, sizeof(jpc_dec_prc_t)))) {
+ 					return -1;
+ 				}
+ 
+@@ -834,7 +834,7 @@ rlvl->bands = 0;
+ 			if (!(prc->numimsbstagtree = jpc_tagtree_create(prc->numhcblks, prc->numvcblks))) {
+ 				return -1;
+ 			}
+-			if (!(prc->cblks = jas_malloc(prc->numcblks * sizeof(jpc_dec_cblk_t)))) {
++			if (!(prc->cblks = jas_alloc2(prc->numcblks, sizeof(jpc_dec_cblk_t)))) {
+ 				return -1;
+ 			}
+ 
+@@ -1181,7 +1181,7 @@ static int jpc_dec_process_siz(jpc_dec_t
+ 		return -1;
+ 	}
+ 
+-	if (!(dec->cmpts = jas_malloc(dec->numcomps * sizeof(jpc_dec_cmpt_t)))) {
++	if (!(dec->cmpts = jas_alloc2(dec->numcomps, sizeof(jpc_dec_cmpt_t)))) {
+ 		return -1;
+ 	}
+ 
+@@ -1204,7 +1204,7 @@ static int jpc_dec_process_siz(jpc_dec_t
+ 	dec->numhtiles = JPC_CEILDIV(dec->xend - dec->tilexoff, dec->tilewidth);
+ 	dec->numvtiles = JPC_CEILDIV(dec->yend - dec->tileyoff, dec->tileheight);
+ 	dec->numtiles = dec->numhtiles * dec->numvtiles;
+-	if (!(dec->tiles = jas_malloc(dec->numtiles * sizeof(jpc_dec_tile_t)))) {
++	if (!(dec->tiles = jas_calloc(dec->numtiles, sizeof(jpc_dec_tile_t)))) {
+ 		return -1;
+ 	}
+ 
+@@ -1228,7 +1228,7 @@ static int jpc_dec_process_siz(jpc_dec_t
+ 		tile->pkthdrstreampos = 0;
+ 		tile->pptstab = 0;
+ 		tile->cp = 0;
+-		if (!(tile->tcomps = jas_malloc(dec->numcomps *
++		if (!(tile->tcomps = jas_calloc(dec->numcomps,
+ 		  sizeof(jpc_dec_tcomp_t)))) {
+ 			return -1;
+ 		}
+@@ -1489,7 +1489,7 @@ static jpc_dec_cp_t *jpc_dec_cp_create(u
+ 	cp->numlyrs = 0;
+ 	cp->mctid = 0;
+ 	cp->csty = 0;
+-	if (!(cp->ccps = jas_malloc(cp->numcomps * sizeof(jpc_dec_ccp_t)))) {
++	if (!(cp->ccps = jas_alloc2(cp->numcomps, sizeof(jpc_dec_ccp_t)))) {
+ 		return 0;
+ 	}
+ 	if (!(cp->pchglist = jpc_pchglist_create())) {
+@@ -2048,7 +2048,7 @@ jpc_streamlist_t *jpc_streamlist_create(
+ 	}
+ 	streamlist->numstreams = 0;
+ 	streamlist->maxstreams = 100;
+-	if (!(streamlist->streams = jas_malloc(streamlist->maxstreams *
++	if (!(streamlist->streams = jas_alloc2(streamlist->maxstreams,
+ 	  sizeof(jas_stream_t *)))) {
+ 		jas_free(streamlist);
+ 		return 0;
+@@ -2068,8 +2068,8 @@ int jpc_streamlist_insert(jpc_streamlist
+ 	/* Grow the array of streams if necessary. */
+ 	if (streamlist->numstreams >= streamlist->maxstreams) {
+ 		newmaxstreams = streamlist->maxstreams + 1024;
+-		if (!(newstreams = jas_realloc(streamlist->streams,
+-		  (newmaxstreams + 1024) * sizeof(jas_stream_t *)))) {
++		if (!(newstreams = jas_realloc2(streamlist->streams,
++		  (newmaxstreams + 1024), sizeof(jas_stream_t *)))) {
+ 			return -1;
+ 		}
+ 		for (i = streamlist->numstreams; i < streamlist->maxstreams; ++i) {
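Review bot: The reallocation asks for `newmaxstreams + 1024` slots although `newmaxstreams` is already `streamlist->maxstreams + 1024`, so the array grows by 2048 entries while the value presumably recorded as the new capacity grows by 1024. Both additions also happen in the original integer type before `jas_realloc2` sees the count. The over-allocation is harmless by itself, but it was carried over from the old code and makes the size logic harder to audit. Passing the count once, `jas_realloc2(streamlist->streams, newmaxstreams, sizeof(jas_stream_t *))`, keeps the allocation and the capacity in step; the assignment to `maxstreams` is outside the hunk.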
+@@ -2155,8 +2155,7 @@ int jpc_ppxstab_grow(jpc_ppxstab_t *tab,
+ {
+ 	jpc_ppxstabent_t **newents;
+ 	if (tab->maxents < maxents) {
+-		newents = (tab->ents) ? jas_realloc(tab->ents, maxents *
+-		  sizeof(jpc_ppxstabent_t *)) : jas_malloc(maxents * sizeof(jpc_ppxstabent_t *));
++		newents = jas_realloc2(tab->ents, maxents, sizeof(jpc_ppxstabent_t *));
+ 		if (!newents) {
+ 			return -1;
+ 		}
+diff -pruN jasper-1.900.1.orig/src/libjasper/jpc/jpc_enc.c jasper-1.900.1/src/libjasper/jpc/jpc_enc.c
+--- jasper-1.900.1.orig/src/libjasper/jpc/jpc_enc.c	2007-01-19 22:43:07.000000000 +0100
++++ jasper-1.900.1/src/libjasper/jpc/jpc_enc.c	2009-10-22 10:27:45.000000000 +0200
+@@ -403,7 +403,7 @@ static jpc_enc_cp_t *cp_create(char *opt
+ 		vsteplcm *= jas_image_cmptvstep(image, cmptno);
+ 	}
+ 
+-	if (!(cp->ccps = jas_malloc(cp->numcmpts * sizeof(jpc_enc_ccp_t)))) {
++	if (!(cp->ccps = jas_alloc2(cp->numcmpts, sizeof(jpc_enc_ccp_t)))) {
+ 		goto error;
+ 	}
+ 	for (cmptno = 0, ccp = cp->ccps; cmptno < JAS_CAST(int, cp->numcmpts); ++cmptno,
+@@ -656,7 +656,7 @@ static jpc_enc_cp_t *cp_create(char *opt
+ 
+ 	if (ilyrrates && numilyrrates > 0) {
+ 		tcp->numlyrs = numilyrrates + 1;
+-		if (!(tcp->ilyrrates = jas_malloc((tcp->numlyrs - 1) *
++		if (!(tcp->ilyrrates = jas_alloc2((tcp->numlyrs - 1),
+ 		  sizeof(jpc_fix_t)))) {
+ 			goto error;
+ 		}
+@@ -940,7 +940,7 @@ startoff = jas_stream_getrwcount(enc->ou
+ 	siz->tilewidth = cp->tilewidth;
+ 	siz->tileheight = cp->tileheight;
+ 	siz->numcomps = cp->numcmpts;
+-	siz->comps = jas_malloc(siz->numcomps * sizeof(jpc_sizcomp_t));
++	siz->comps = jas_alloc2(siz->numcomps, sizeof(jpc_sizcomp_t));
+ 	assert(siz->comps);
+ 	for (i = 0; i < JAS_CAST(int, cp->numcmpts); ++i) {
+ 		siz->comps[i].prec = cp->ccps[i].prec;
+@@ -977,7 +977,7 @@ startoff = jas_stream_getrwcount(enc->ou
+ 		return -1;
+ 	}
+ 	crg = &enc->mrk->parms.crg;
+-	crg->comps = jas_malloc(crg->numcomps * sizeof(jpc_crgcomp_t));
++	crg->comps = jas_alloc2(crg->numcomps, sizeof(jpc_crgcomp_t));
+ 	if (jpc_putms(enc->out, enc->cstate, enc->mrk)) {
+ 		jas_eprintf("cannot write CRG marker\n");
+ 		return -1;
+@@ -1955,7 +1955,7 @@ jpc_enc_tile_t *jpc_enc_tile_create(jpc_
+ 	tile->mctid = cp->tcp.mctid;
+ 
+ 	tile->numlyrs = cp->tcp.numlyrs;
+-	if (!(tile->lyrsizes = jas_malloc(tile->numlyrs *
++	if (!(tile->lyrsizes = jas_alloc2(tile->numlyrs,
+ 	  sizeof(uint_fast32_t)))) {
+ 		goto error;
+ 	}
+@@ -1964,7 +1964,7 @@ jpc_enc_tile_t *jpc_enc_tile_create(jpc_
+ 	}
+ 
+ 	/* Allocate an array for the per-tile-component information. */
+-	if (!(tile->tcmpts = jas_malloc(cp->numcmpts * sizeof(jpc_enc_tcmpt_t)))) {
++	if (!(tile->tcmpts = jas_alloc2(cp->numcmpts, sizeof(jpc_enc_tcmpt_t)))) {
+ 		goto error;
+ 	}
+ 	/* Initialize a few members critical for error recovery. */
+@@ -2110,7 +2110,7 @@ static jpc_enc_tcmpt_t *tcmpt_create(jpc
+ 	  jas_seq2d_ystart(tcmpt->data), jas_seq2d_xend(tcmpt->data),
+ 	  jas_seq2d_yend(tcmpt->data), bandinfos);
+ 
+-	if (!(tcmpt->rlvls = jas_malloc(tcmpt->numrlvls * sizeof(jpc_enc_rlvl_t)))) {
++	if (!(tcmpt->rlvls = jas_alloc2(tcmpt->numrlvls, sizeof(jpc_enc_rlvl_t)))) {
+ 		goto error;
+ 	}
+ 	for (rlvlno = 0, rlvl = tcmpt->rlvls; rlvlno < tcmpt->numrlvls;
+@@ -2213,7 +2213,7 @@ static jpc_enc_rlvl_t *rlvl_create(jpc_e
+ 	rlvl->numvprcs = JPC_FLOORDIVPOW2(brprcbry - tlprctly, rlvl->prcheightexpn);
+ 	rlvl->numprcs = rlvl->numhprcs * rlvl->numvprcs;
+ 
+-	if (!(rlvl->bands = jas_malloc(rlvl->numbands * sizeof(jpc_enc_band_t)))) {
++	if (!(rlvl->bands = jas_alloc2(rlvl->numbands, sizeof(jpc_enc_band_t)))) {
+ 		goto error;
+ 	}
+ 	for (bandno = 0, band = rlvl->bands; bandno < rlvl->numbands;
+@@ -2290,7 +2290,7 @@ if (bandinfo->xstart != bandinfo->xend &
+ 	band->synweight = bandinfo->synenergywt;
+ 
+ if (band->data) {
+-	if (!(band->prcs = jas_malloc(rlvl->numprcs * sizeof(jpc_enc_prc_t)))) {
++	if (!(band->prcs = jas_alloc2(rlvl->numprcs, sizeof(jpc_enc_prc_t)))) {
+ 		goto error;
+ 	}
+ 	for (prcno = 0, prc = band->prcs; prcno < rlvl->numprcs; ++prcno,
+@@ -2422,7 +2422,7 @@ if (!rlvlno) {
+ 			goto error;
+ 		}
+ 
+-		if (!(prc->cblks = jas_malloc(prc->numcblks * sizeof(jpc_enc_cblk_t)))) {
++		if (!(prc->cblks = jas_alloc2(prc->numcblks, sizeof(jpc_enc_cblk_t)))) {
+ 			goto error;
+ 		}
+ 		for (cblkno = 0, cblk = prc->cblks; cblkno < prc->numcblks;
+diff -pruN jasper-1.900.1.orig/src/libjasper/jpc/jpc_mqdec.c jasper-1.900.1/src/libjasper/jpc/jpc_mqdec.c
+--- jasper-1.900.1.orig/src/libjasper/jpc/jpc_mqdec.c	2007-01-19 22:43:07.000000000 +0100
++++ jasper-1.900.1/src/libjasper/jpc/jpc_mqdec.c	2009-10-22 10:27:45.000000000 +0200
+@@ -118,7 +118,7 @@ jpc_mqdec_t *jpc_mqdec_create(int maxctx
+ 	mqdec->in = in;
+ 	mqdec->maxctxs = maxctxs;
+ 	/* Allocate memory for the per-context state information. */
+-	if (!(mqdec->ctxs = jas_malloc(mqdec->maxctxs * sizeof(jpc_mqstate_t *)))) {
++	if (!(mqdec->ctxs = jas_alloc2(mqdec->maxctxs, sizeof(jpc_mqstate_t *)))) {
+ 		goto error;
+ 	}
+ 	/* Set the current context to the first context. */
+diff -pruN jasper-1.900.1.orig/src/libjasper/jpc/jpc_mqenc.c jasper-1.900.1/src/libjasper/jpc/jpc_mqenc.c
+--- jasper-1.900.1.orig/src/libjasper/jpc/jpc_mqenc.c	2007-01-19 22:43:07.000000000 +0100
++++ jasper-1.900.1/src/libjasper/jpc/jpc_mqenc.c	2009-10-22 10:27:45.000000000 +0200
+@@ -197,7 +197,7 @@ jpc_mqenc_t *jpc_mqenc_create(int maxctx
+ 	mqenc->maxctxs = maxctxs;
+ 
+ 	/* Allocate memory for the per-context state information. */
+-	if (!(mqenc->ctxs = jas_malloc(mqenc->maxctxs * sizeof(jpc_mqstate_t *)))) {
++	if (!(mqenc->ctxs = jas_alloc2(mqenc->maxctxs, sizeof(jpc_mqstate_t *)))) {
+ 		goto error;
+ 	}
+ 
+diff -pruN jasper-1.900.1.orig/src/libjasper/jpc/jpc_qmfb.c jasper-1.900.1/src/libjasper/jpc/jpc_qmfb.c
+--- jasper-1.900.1.orig/src/libjasper/jpc/jpc_qmfb.c	2007-01-19 22:43:07.000000000 +0100
++++ jasper-1.900.1/src/libjasper/jpc/jpc_qmfb.c	2009-10-22 10:27:45.000000000 +0200
+@@ -321,7 +321,7 @@ void jpc_qmfb_split_row(jpc_fix_t *a, in
+ #if !defined(HAVE_VLA)
+ 	/* Get a buffer. */
+ 	if (bufsize > QMFB_SPLITBUFSIZE) {
+-		if (!(buf = jas_malloc(bufsize * sizeof(jpc_fix_t)))) {
++		if (!(buf = jas_alloc2(bufsize, sizeof(jpc_fix_t)))) {
+ 			/* We have no choice but to commit suicide in this case. */
+ 			abort();
+ 		}
+@@ -389,7 +389,7 @@ void jpc_qmfb_split_col(jpc_fix_t *a, in
+ #if !defined(HAVE_VLA)
+ 	/* Get a buffer. */
+ 	if (bufsize > QMFB_SPLITBUFSIZE) {
+-		if (!(buf = jas_malloc(bufsize * sizeof(jpc_fix_t)))) {
++		if (!(buf = jas_alloc2(bufsize, sizeof(jpc_fix_t)))) {
+ 			/* We have no choice but to commit suicide in this case. */
+ 			abort();
+ 		}
+@@ -460,7 +460,7 @@ void jpc_qmfb_split_colgrp(jpc_fix_t *a,
+ #if !defined(HAVE_VLA)
+ 	/* Get a buffer. */
+ 	if (bufsize > QMFB_SPLITBUFSIZE) {
+-		if (!(buf = jas_malloc(bufsize * sizeof(jpc_fix_t)))) {
++		if (!(buf = jas_alloc2(bufsize, sizeof(jpc_fix_t)))) {
+ 			/* We have no choice but to commit suicide in this case. */
+ 			abort();
+ 		}
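Review bot: The heap buffer in jpc_qmfb_split_colgrp is sized as `bufsize` elements, whereas jpc_qmfb_join_colgrp later in this patch allocates `bufsize` times `JPC_QMFB_COLGRPSIZE * sizeof(jpc_fix_t)`, and jpc_qmfb_split_colres likewise omits the `numcols` factor that jpc_qmfb_join_colres passes to `jas_alloc3`. The patch converts the calls one-for-one, so if the split routines handle a whole column group or `numcols` columns per row, as the join routines appear to, their buffers are too small once the heap path is taken. How the buffer is indexed is outside the hunks, so this needs confirming against the function bodies. If it holds, the split calls should read `jas_alloc2(bufsize, JPC_QMFB_COLGRPSIZE * sizeof(jpc_fix_t))` and `jas_alloc3(bufsize, numcols, sizeof(jpc_fix_t))`.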
+@@ -549,7 +549,7 @@ void jpc_qmfb_split_colres(jpc_fix_t *a,
+ #if !defined(HAVE_VLA)
+ 	/* Get a buffer. */
+ 	if (bufsize > QMFB_SPLITBUFSIZE) {
+-		if (!(buf = jas_malloc(bufsize * sizeof(jpc_fix_t)))) {
++		if (!(buf = jas_alloc2(bufsize, sizeof(jpc_fix_t)))) {
+ 			/* We have no choice but to commit suicide in this case. */
+ 			abort();
+ 		}
+@@ -633,7 +633,7 @@ void jpc_qmfb_join_row(jpc_fix_t *a, int
+ #if !defined(HAVE_VLA)
+ 	/* Allocate memory for the join buffer from the heap. */
+ 	if (bufsize > QMFB_JOINBUFSIZE) {
+-		if (!(buf = jas_malloc(bufsize * sizeof(jpc_fix_t)))) {
++		if (!(buf = jas_alloc2(bufsize, sizeof(jpc_fix_t)))) {
+ 			/* We have no choice but to commit suicide. */
+ 			abort();
+ 		}
+@@ -698,7 +698,7 @@ void jpc_qmfb_join_col(jpc_fix_t *a, int
+ #if !defined(HAVE_VLA)
+ 	/* Allocate memory for the join buffer from the heap. */
+ 	if (bufsize > QMFB_JOINBUFSIZE) {
+-		if (!(buf = jas_malloc(bufsize * sizeof(jpc_fix_t)))) {
++		if (!(buf = jas_alloc2(bufsize, sizeof(jpc_fix_t)))) {
+ 			/* We have no choice but to commit suicide. */
+ 			abort();
+ 		}
+@@ -766,7 +766,7 @@ void jpc_qmfb_join_colgrp(jpc_fix_t *a, 
+ #if !defined(HAVE_VLA)
+ 	/* Allocate memory for the join buffer from the heap. */
+ 	if (bufsize > QMFB_JOINBUFSIZE) {
+-		if (!(buf = jas_malloc(bufsize * JPC_QMFB_COLGRPSIZE * sizeof(jpc_fix_t)))) {
++		if (!(buf = jas_alloc2(bufsize, JPC_QMFB_COLGRPSIZE * sizeof(jpc_fix_t)))) {
+ 			/* We have no choice but to commit suicide. */
+ 			abort();
+ 		}
+@@ -852,7 +852,7 @@ void jpc_qmfb_join_colres(jpc_fix_t *a, 
+ #if !defined(HAVE_VLA)
+ 	/* Allocate memory for the join buffer from the heap. */
+ 	if (bufsize > QMFB_JOINBUFSIZE) {
+-		if (!(buf = jas_malloc(bufsize * numcols * sizeof(jpc_fix_t)))) {
++		if (!(buf = jas_alloc3(bufsize, numcols, sizeof(jpc_fix_t)))) {
+ 			/* We have no choice but to commit suicide. */
+ 			abort();
+ 		}
+diff -pruN jasper-1.900.1.orig/src/libjasper/jpc/jpc_t1enc.c jasper-1.900.1/src/libjasper/jpc/jpc_t1enc.c
+--- jasper-1.900.1.orig/src/libjasper/jpc/jpc_t1enc.c	2007-01-19 22:43:07.000000000 +0100
++++ jasper-1.900.1/src/libjasper/jpc/jpc_t1enc.c	2009-10-22 10:27:45.000000000 +0200
+@@ -219,7 +219,7 @@ int jpc_enc_enccblk(jpc_enc_t *enc, jas_
+ 
+ 	cblk->numpasses = (cblk->numbps > 0) ? (3 * cblk->numbps - 2) : 0;
+ 	if (cblk->numpasses > 0) {
+-		cblk->passes = jas_malloc(cblk->numpasses * sizeof(jpc_enc_pass_t));
++		cblk->passes = jas_alloc2(cblk->numpasses, sizeof(jpc_enc_pass_t));
+ 		assert(cblk->passes);
+ 	} else {
+ 		cblk->passes = 0;
+diff -pruN jasper-1.900.1.orig/src/libjasper/jpc/jpc_t2cod.c jasper-1.900.1/src/libjasper/jpc/jpc_t2cod.c
+--- jasper-1.900.1.orig/src/libjasper/jpc/jpc_t2cod.c	2007-01-19 22:43:07.000000000 +0100
++++ jasper-1.900.1/src/libjasper/jpc/jpc_t2cod.c	2009-10-22 10:27:45.000000000 +0200
+@@ -573,7 +573,7 @@ int jpc_pchglist_insert(jpc_pchglist_t *
+ 	}
+ 	if (pchglist->numpchgs >= pchglist->maxpchgs) {
+ 		newmaxpchgs = pchglist->maxpchgs + 128;
+-		if (!(newpchgs = jas_realloc(pchglist->pchgs, newmaxpchgs * sizeof(jpc_pchg_t *)))) {
++		if (!(newpchgs = jas_realloc2(pchglist->pchgs, newmaxpchgs, sizeof(jpc_pchg_t *)))) {
+ 			return -1;
+ 		}
+ 		pchglist->maxpchgs = newmaxpchgs;
+diff -pruN jasper-1.900.1.orig/src/libjasper/jpc/jpc_t2dec.c jasper-1.900.1/src/libjasper/jpc/jpc_t2dec.c
+--- jasper-1.900.1.orig/src/libjasper/jpc/jpc_t2dec.c	2007-01-19 22:43:07.000000000 +0100
++++ jasper-1.900.1/src/libjasper/jpc/jpc_t2dec.c	2009-10-22 10:27:45.000000000 +0200
+@@ -478,7 +478,7 @@ jpc_pi_t *jpc_dec_pi_create(jpc_dec_t *d
+ 		return 0;
+ 	}
+ 	pi->numcomps = dec->numcomps;
+-	if (!(pi->picomps = jas_malloc(pi->numcomps * sizeof(jpc_picomp_t)))) {
++	if (!(pi->picomps = jas_alloc2(pi->numcomps, sizeof(jpc_picomp_t)))) {
+ 		jpc_pi_destroy(pi);
+ 		return 0;
+ 	}
+@@ -490,7 +490,7 @@ jpc_pi_t *jpc_dec_pi_create(jpc_dec_t *d
+ 	for (compno = 0, tcomp = tile->tcomps, picomp = pi->picomps;
+ 	  compno < pi->numcomps; ++compno, ++tcomp, ++picomp) {
+ 		picomp->numrlvls = tcomp->numrlvls;
+-		if (!(picomp->pirlvls = jas_malloc(picomp->numrlvls *
++		if (!(picomp->pirlvls = jas_alloc2(picomp->numrlvls,
+ 		  sizeof(jpc_pirlvl_t)))) {
+ 			jpc_pi_destroy(pi);
+ 			return 0;
+@@ -503,7 +503,7 @@ jpc_pi_t *jpc_dec_pi_create(jpc_dec_t *d
+ 		  rlvlno < picomp->numrlvls; ++rlvlno, ++pirlvl, ++rlvl) {
+ /* XXX sizeof(long) should be sizeof different type */
+ 			pirlvl->numprcs = rlvl->numprcs;
+-			if (!(pirlvl->prclyrnos = jas_malloc(pirlvl->numprcs *
++			if (!(pirlvl->prclyrnos = jas_alloc2(pirlvl->numprcs,
+ 			  sizeof(long)))) {
+ 				jpc_pi_destroy(pi);
+ 				return 0;
+diff -pruN jasper-1.900.1.orig/src/libjasper/jpc/jpc_t2enc.c jasper-1.900.1/src/libjasper/jpc/jpc_t2enc.c
+--- jasper-1.900.1.orig/src/libjasper/jpc/jpc_t2enc.c	2007-01-19 22:43:07.000000000 +0100
++++ jasper-1.900.1/src/libjasper/jpc/jpc_t2enc.c	2009-10-22 10:27:45.000000000 +0200
+@@ -565,7 +565,7 @@ jpc_pi_t *jpc_enc_pi_create(jpc_enc_cp_t
+ 	}
+ 	pi->pktno = -1;
+ 	pi->numcomps = cp->numcmpts;
+-	if (!(pi->picomps = jas_malloc(pi->numcomps * sizeof(jpc_picomp_t)))) {
++	if (!(pi->picomps = jas_alloc2(pi->numcomps, sizeof(jpc_picomp_t)))) {
+ 		jpc_pi_destroy(pi);
+ 		return 0;
+ 	}
+@@ -577,7 +577,7 @@ jpc_pi_t *jpc_enc_pi_create(jpc_enc_cp_t
+ 	for (compno = 0, tcomp = tile->tcmpts, picomp = pi->picomps;
+ 	  compno < pi->numcomps; ++compno, ++tcomp, ++picomp) {
+ 		picomp->numrlvls = tcomp->numrlvls;
+-		if (!(picomp->pirlvls = jas_malloc(picomp->numrlvls *
++		if (!(picomp->pirlvls = jas_alloc2(picomp->numrlvls,
+ 		  sizeof(jpc_pirlvl_t)))) {
+ 			jpc_pi_destroy(pi);
+ 			return 0;
+@@ -591,7 +591,7 @@ jpc_pi_t *jpc_enc_pi_create(jpc_enc_cp_t
+ /* XXX sizeof(long) should be sizeof different type */
+ 			pirlvl->numprcs = rlvl->numprcs;
+ 			if (rlvl->numprcs) {
+-				if (!(pirlvl->prclyrnos = jas_malloc(pirlvl->numprcs *
++				if (!(pirlvl->prclyrnos = jas_alloc2(pirlvl->numprcs,
+ 				  sizeof(long)))) {
+ 					jpc_pi_destroy(pi);
+ 					return 0;
+diff -pruN jasper-1.900.1.orig/src/libjasper/jpc/jpc_tagtree.c jasper-1.900.1/src/libjasper/jpc/jpc_tagtree.c
+--- jasper-1.900.1.orig/src/libjasper/jpc/jpc_tagtree.c	2007-01-19 22:43:07.000000000 +0100
++++ jasper-1.900.1/src/libjasper/jpc/jpc_tagtree.c	2009-10-22 10:27:45.000000000 +0200
+@@ -125,7 +125,7 @@ jpc_tagtree_t *jpc_tagtree_create(int nu
+ 		++numlvls;
+ 	} while (n > 1);
+ 
+-	if (!(tree->nodes_ = jas_malloc(tree->numnodes_ * sizeof(jpc_tagtreenode_t)))) {
++	if (!(tree->nodes_ = jas_alloc2(tree->numnodes_, sizeof(jpc_tagtreenode_t)))) {
+ 		return 0;
+ 	}
+ 
+diff -pruN jasper-1.900.1.orig/src/libjasper/jpc/jpc_util.c jasper-1.900.1/src/libjasper/jpc/jpc_util.c
+--- jasper-1.900.1.orig/src/libjasper/jpc/jpc_util.c	2007-01-19 22:43:07.000000000 +0100
++++ jasper-1.900.1/src/libjasper/jpc/jpc_util.c	2009-10-22 10:27:45.000000000 +0200
+@@ -109,7 +109,7 @@ int jpc_atoaf(char *s, int *numvalues, d
+ 	}
+ 
+ 	if (n) {
+-		if (!(vs = jas_malloc(n * sizeof(double)))) {
++		if (!(vs = jas_alloc2(n, sizeof(double)))) {
+ 			return -1;
+ 		}
+ 
+diff -pruN jasper-1.900.1.orig/src/libjasper/mif/mif_cod.c jasper-1.900.1/src/libjasper/mif/mif_cod.c
+--- jasper-1.900.1.orig/src/libjasper/mif/mif_cod.c	2007-01-19 22:43:05.000000000 +0100
++++ jasper-1.900.1/src/libjasper/mif/mif_cod.c	2009-10-22 10:27:45.000000000 +0200
+@@ -438,8 +438,7 @@ static int mif_hdr_growcmpts(mif_hdr_t *
+ 	int cmptno;
+ 	mif_cmpt_t **newcmpts;
+ 	assert(maxcmpts >= hdr->numcmpts);
+-	newcmpts = (!hdr->cmpts) ? jas_malloc(maxcmpts * sizeof(mif_cmpt_t *)) :
+-	  jas_realloc(hdr->cmpts, maxcmpts * sizeof(mif_cmpt_t *));
++	newcmpts = jas_realloc2(hdr->cmpts, maxcmpts, sizeof(mif_cmpt_t *));
+ 	if (!newcmpts) {
+ 		return -1;
+ 	}

Copied: jasper/repos/testing-x86_64/jasper-1.900.1-CVE-2011-4516-and-CVE-2011-4517.patch (from rev 277856, jasper/trunk/jasper-1.900.1-CVE-2011-4516-and-CVE-2011-4517.patch)
===================================================================
--- testing-x86_64/jasper-1.900.1-CVE-2011-4516-and-CVE-2011-4517.patch	                        (rev 0)
+++ testing-x86_64/jasper-1.900.1-CVE-2011-4516-and-CVE-2011-4517.patch	2016-10-06 20:50:52 UTC (rev 277857)
@@ -0,0 +1,30 @@
+Description: Fix for CVE-2011-4516 and CVE-2011-4517
+ This patch fixes a possible denial of service and code execution via
+ heap-based buffer overflows.
+Author: Michael Gilbert <michael.s.gilbert at gmail.com>
+Origin: Patch thanks to Red Hat
+
+Index: jasper-1.900.1/src/libjasper/jpc/jpc_cs.c
+===================================================================
+--- jasper-1.900.1.orig/src/libjasper/jpc/jpc_cs.c	2011-12-19 09:35:34.186909298 -0500
++++ jasper-1.900.1/src/libjasper/jpc/jpc_cs.c	2011-12-19 09:35:51.198909832 -0500
+@@ -744,6 +744,10 @@
+ 		return -1;
+ 	}
+ 	compparms->numrlvls = compparms->numdlvls + 1;
++	if (compparms->numrlvls > JPC_MAXRLVLS) {
++		jpc_cox_destroycompparms(compparms);
++		return -1;
++	}
+ 	if (prtflag) {
+ 		for (i = 0; i < compparms->numrlvls; ++i) {
+ 			if (jpc_getuint8(in, &tmp)) {
+@@ -1331,7 +1335,7 @@
+ 	jpc_crgcomp_t *comp;
+ 	uint_fast16_t compno;
+ 	crg->numcomps = cstate->numcomps;
+-	if (!(crg->comps = jas_alloc2(cstate->numcomps, sizeof(uint_fast16_t)))) {
++	if (!(crg->comps = jas_alloc2(cstate->numcomps, sizeof(jpc_crgcomp_t)))) {
+ 		return -1;
+ 	}
+ 	for (compno = 0, comp = crg->comps; compno < cstate->numcomps;
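Review bot: The corrected allocation in the second jpc_cs.c hunk still spells the element type by hand, which is how the `sizeof(uint_fast16_t)` mismatch arose in the first place; `jas_alloc2(cstate->numcomps, sizeof *crg->comps)` ties the size to the pointer and cannot drift from it. The removed line already calls `jas_alloc2`, so this patch presumably applies only on top of jasper-1.900.1-CVE-2008-3520.patch. The PKGBUILD is not shown here, so its patch order should be checked to keep this one after that. Both enclosing functions start and end outside the hunks.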

Copied: jasper/repos/testing-x86_64/jasper-1.900.1-CVE-2014-8137.patch (from rev 277856, jasper/trunk/jasper-1.900.1-CVE-2014-8137.patch)
===================================================================
--- testing-x86_64/jasper-1.900.1-CVE-2014-8137.patch	                        (rev 0)
+++ testing-x86_64/jasper-1.900.1-CVE-2014-8137.patch	2016-10-06 20:50:52 UTC (rev 277857)
@@ -0,0 +1,43 @@
+--- jasper-1.900.1.orig/src/libjasper/base/jas_icc.c	2014-12-11 14:06:44.000000000 +0100
++++ jasper-1.900.1/src/libjasper/base/jas_icc.c	2014-12-11 15:16:37.971272386 +0100
+@@ -1009,7 +1009,6 @@ static int jas_icccurv_input(jas_iccattr
+ 	return 0;
+ 
+ error:
+-	jas_icccurv_destroy(attrval);
+ 	return -1;
+ }
+ 
+@@ -1127,7 +1126,6 @@ static int jas_icctxtdesc_input(jas_icca
+ #endif
+ 	return 0;
+ error:
+-	jas_icctxtdesc_destroy(attrval);
+ 	return -1;
+ }
+ 
+@@ -1206,8 +1204,6 @@ static int jas_icctxt_input(jas_iccattrv
+ 		goto error;
+ 	return 0;
+ error:
+-	if (txt->string)
+-		jas_free(txt->string);
+ 	return -1;
+ }
+ 
+@@ -1328,7 +1324,6 @@ static int jas_icclut8_input(jas_iccattr
+ 		goto error;
+ 	return 0;
+ error:
+-	jas_icclut8_destroy(attrval);
+ 	return -1;
+ }
+ 
+@@ -1497,7 +1492,6 @@ static int jas_icclut16_input(jas_iccatt
+ 		goto error;
+ 	return 0;
+ error:
+-	jas_icclut16_destroy(attrval);
+ 	return -1;
+ }
+ 
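Review bot: After this change the `error:` paths of jas_icccurv_input, jas_icctxtdesc_input, jas_icctxt_input, jas_icclut8_input and jas_icclut16_input return -1 without releasing anything, and nothing in the code says who frees the partly filled attribute value. Presumably the caller destroys `attrval` on failure (it is outside the patch), which is what would have made the removed calls a second free. A comment at each label, such as `/* attrval is destroyed by the caller on failure; do not free it here. */`, would stop the cleanup being reintroduced later. The patch file also has no Description/Origin header, unlike the CVE-2011-4516 and CVE-2016-2089 patches; jasper-avoid-assert-abort.diff and patch-libjasper-stepsizes-overflow.diff lack one too, which makes their provenance harder to audit.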

Copied: jasper/repos/testing-x86_64/jasper-1.900.1-CVE-2016-2089.patch (from rev 277856, jasper/trunk/jasper-1.900.1-CVE-2016-2089.patch)
===================================================================
--- testing-x86_64/jasper-1.900.1-CVE-2016-2089.patch	                        (rev 0)
+++ testing-x86_64/jasper-1.900.1-CVE-2016-2089.patch	2016-10-06 20:50:52 UTC (rev 277857)
@@ -0,0 +1,90 @@
+Description: CVE-2016-2089: matrix rows_ NULL pointer dereference in jas_matrix_clip()
+Origin: vendor
+Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1302636
+Bug-Debian: https://bugs.debian.org/812978
+Forwarded: not-needed
+Author: Tomas Hoger <thoger at redhat.com>
+Reviewed-by: Salvatore Bonaccorso <carnil at debian.org>
+Last-Update: 2016-03-05
+
+--- a/src/libjasper/base/jas_image.c
++++ b/src/libjasper/base/jas_image.c
+@@ -426,6 +426,10 @@ int jas_image_readcmpt(jas_image_t *imag
+ 		return -1;
+ 	}
+ 
++	if (!data->rows_) {
++		return -1;
++	}
++
+ 	if (jas_matrix_numrows(data) != height || jas_matrix_numcols(data) != width) {
+ 		if (jas_matrix_resize(data, height, width)) {
+ 			return -1;
+@@ -479,6 +483,10 @@ int jas_image_writecmpt(jas_image_t *ima
+ 		return -1;
+ 	}
+ 
++	if (!data->rows_) {
++		return -1;
++	}
++
+ 	if (jas_matrix_numrows(data) != height || jas_matrix_numcols(data) != width) {
+ 		return -1;
+ 	}
+--- a/src/libjasper/base/jas_seq.c
++++ b/src/libjasper/base/jas_seq.c
+@@ -262,6 +262,10 @@ void jas_matrix_divpow2(jas_matrix_t *ma
+ 	int rowstep;
+ 	jas_seqent_t *data;
+ 
++	if (!matrix->rows_) {
++		return;
++	}
++
+ 	rowstep = jas_matrix_rowstep(matrix);
+ 	for (i = matrix->numrows_, rowstart = matrix->rows_[0]; i > 0; --i,
+ 	  rowstart += rowstep) {
+@@ -282,6 +286,10 @@ void jas_matrix_clip(jas_matrix_t *matri
+ 	jas_seqent_t *data;
+ 	int rowstep;
+ 
++	if (!matrix->rows_) {
++		return;
++	}
++
+ 	rowstep = jas_matrix_rowstep(matrix);
+ 	for (i = matrix->numrows_, rowstart = matrix->rows_[0]; i > 0; --i,
+ 	  rowstart += rowstep) {
+@@ -306,6 +314,10 @@ void jas_matrix_asr(jas_matrix_t *matrix
+ 	int rowstep;
+ 	jas_seqent_t *data;
+ 
++	if (!matrix->rows_) {
++		return;
++	}
++
+ 	assert(n >= 0);
+ 	rowstep = jas_matrix_rowstep(matrix);
+ 	for (i = matrix->numrows_, rowstart = matrix->rows_[0]; i > 0; --i,
+@@ -325,6 +337,10 @@ void jas_matrix_asl(jas_matrix_t *matrix
+ 	int rowstep;
+ 	jas_seqent_t *data;
+ 
++	if (!matrix->rows_) {
++		return;
++	}
++
+ 	rowstep = jas_matrix_rowstep(matrix);
+ 	for (i = matrix->numrows_, rowstart = matrix->rows_[0]; i > 0; --i,
+ 	  rowstart += rowstep) {
+@@ -367,6 +383,10 @@ void jas_matrix_setall(jas_matrix_t *mat
+ 	int rowstep;
+ 	jas_seqent_t *data;
+ 
++	if (!matrix->rows_) {
++		return;
++	}
++
+ 	rowstep = jas_matrix_rowstep(matrix);
+ 	for (i = matrix->numrows_, rowstart = matrix->rows_[0]; i > 0; --i,
+ 	  rowstart += rowstep) {
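Review bot: The same `if (!matrix->rows_)` guard is pasted into five jas_seq.c functions with no comment. Each loop header reads `matrix->rows_[0]` in its initialiser before the row count is tested, which is why a matrix without a row table has to be rejected first. A one-line comment above each guard, such as `/* No row table (empty matrix): rows_[0] below must not be evaluated. */`, or a small shared predicate, would keep that reasoning next to the code. The void helpers return silently, so a caller cannot tell the operation was skipped, whereas jas_image_readcmpt and jas_image_writecmpt report -1. All seven functions continue outside their hunks.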

Copied: jasper/repos/testing-x86_64/jasper-1.900.1-fix-filename-buffer-overflow.patch (from rev 277856, jasper/trunk/jasper-1.900.1-fix-filename-buffer-overflow.patch)
===================================================================
--- testing-x86_64/jasper-1.900.1-fix-filename-buffer-overflow.patch	                        (rev 0)
+++ testing-x86_64/jasper-1.900.1-fix-filename-buffer-overflow.patch	2016-10-06 20:50:52 UTC (rev 277857)
@@ -0,0 +1,37 @@
+Description: Filename buffer overflow fix
+ This patch fixes a security hole by a bad buffer size handling.
+Author: Roland Stigge <stigge at antcom.de>
+Bug-Debian: http://bugs.debian.org/645118
+
+--- a/src/libjasper/include/jasper/jas_stream.h
++++ b/src/libjasper/include/jasper/jas_stream.h
+@@ -77,6 +77,7 @@
+ #include <jasper/jas_config.h>
+ 
+ #include <stdio.h>
++#include <limits.h>
+ #if defined(HAVE_FCNTL_H)
+ #include <fcntl.h>
+ #endif
+@@ -99,6 +100,12 @@ extern "C" {
+ #define O_BINARY	0
+ #endif
+ 
++#ifdef PATH_MAX
++#define JAS_PATH_MAX PATH_MAX
++#else
++#define JAS_PATH_MAX 4096
++#endif
++
+ /*
+  * Stream open flags.
+  */
+@@ -251,7 +258,7 @@ typedef struct {
+ typedef struct {
+ 	int fd;
+ 	int flags;
+-	char pathname[L_tmpnam + 1];
++	char pathname[JAS_PATH_MAX + 1];
+ } jas_stream_fileobj_t;
+ 
+ #define	JAS_STREAM_FILEOBJ_DELONCLOSE	0x01
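Review bot: Enlarging `pathname` to `JAS_PATH_MAX + 1` closes the overflow only if every writer into that field bounds its copy by the array size, and this patch touches no such writer. The code that fills `jas_stream_fileobj_t.pathname` is outside these hunks, so it should be checked for a bounded form such as `snprintf(obj->pathname, sizeof obj->pathname, "%s", name)`, where `obj` and `name` are placeholder names. The 4096 fallback is a convention rather than a guarantee, and a path can exceed `PATH_MAX` itself. A comment on the define, such as `/* Size bound for stream path buffers; writers must still limit their copies to it. */`, would record that.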

Copied: jasper/repos/testing-x86_64/jasper-avoid-assert-abort.diff (from rev 277856, jasper/trunk/jasper-avoid-assert-abort.diff)
===================================================================
--- testing-x86_64/jasper-avoid-assert-abort.diff	                        (rev 0)
+++ testing-x86_64/jasper-avoid-assert-abort.diff	2016-10-06 20:50:52 UTC (rev 277857)
@@ -0,0 +1,14 @@
+--- jasper-1.900.1.orig/src/libjasper/jp2/jp2_dec.c	2014-12-11 14:30:54.193209780 +0100
++++ jasper-1.900.1/src/libjasper/jp2/jp2_dec.c	2014-12-11 14:36:46.313217814 +0100
+@@ -291,7 +291,10 @@ jas_image_t *jp2_decode(jas_stream_t *in
+ 	case JP2_COLR_ICC:
+ 		iccprof = jas_iccprof_createfrombuf(dec->colr->data.colr.iccp,
+ 		  dec->colr->data.colr.iccplen);
+-		assert(iccprof);
++		if (!iccprof) {
++			jas_eprintf("error: failed to parse ICC profile\n");
++			goto error;
++		}
+ 		jas_iccprof_gethdr(iccprof, &icchdr);
+ 		jas_eprintf("ICC Profile CS %08x\n", icchdr.colorspc);
+ 		jas_image_setclrspc(dec->image, fromiccpcs(icchdr.colorspc));

Copied: jasper/repos/testing-x86_64/patch-libjasper-stepsizes-overflow.diff (from rev 277856, jasper/trunk/patch-libjasper-stepsizes-overflow.diff)
===================================================================
--- testing-x86_64/patch-libjasper-stepsizes-overflow.diff	                        (rev 0)
+++ testing-x86_64/patch-libjasper-stepsizes-overflow.diff	2016-10-06 20:50:52 UTC (rev 277857)
@@ -0,0 +1,14 @@
+--- jasper-1.900.1.orig/src/libjasper/jpc/jpc_cs.c	2007-01-19 22:43:07.000000000 +0100
++++ jasper-1.900.1/src/libjasper/jpc/jpc_cs.c	2007-04-06 01:29:02.000000000 +0200
+@@ -982,7 +982,10 @@ static int jpc_qcx_getcompparms(jpc_qcxc
+ 		compparms->numstepsizes = (len - n) / 2;
+ 		break;
+ 	}
+-	if (compparms->numstepsizes > 0) {
++	if (compparms->numstepsizes > 3 * JPC_MAXRLVLS + 1) {
++		jpc_qcx_destroycompparms(compparms);
++                return -1;
++        } else if (compparms->numstepsizes > 0) {
+ 		compparms->stepsizes = jas_malloc(compparms->numstepsizes *
+ 		  sizeof(uint_fast16_t));
+ 		assert(compparms->stepsizes);
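Review bot: The context line `assert(compparms->stepsizes);` is still the only handling of a failed allocation after the new bound check, so a build with NDEBUG would go on to use a null `stepsizes`. The sibling jasper-avoid-assert-abort.diff replaces exactly this kind of assert with an error return, and the same could be done here with `if (!compparms->stepsizes) return -1;`. The new branch also calls `jpc_qcx_destroycompparms(compparms)` before any visible assignment to `compparms->stepsizes`. If that field is not initialised earlier in jpc_qcx_getcompparms (the function starts outside the hunk), the destroy call would act on an indeterminate pointer, so that is worth confirming. The added `return -1;` and `} else if` lines are indented with spaces where the surrounding code uses tabs.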


