90bcecc568
* gnu/packages/patches/jasper-CVE-2007-2721.patch, gnu/packages/patches/jasper-CVE-2008-3520.patch, gnu/packages/patches/jasper-CVE-2011-4516-and-CVE-2011-4517.patch, gnu/packages/patches/jasper-CVE-2014-8137.patch, gnu/packages/patches/jasper-CVE-2014-8138.patch, gnu/packages/patches/jasper-CVE-2014-8157.patch, gnu/packages/patches/jasper-CVE-2014-8158.patch, gnu/packages/patches/jasper-CVE-2014-9029.patch, gnu/packages/patches/jasper-CVE-2016-1867.patch: New files. * gnu-system.am (dist_patch_DATA): Add them. * gnu/packages/image.scm (jasper)[source]: Add patches.
20 lines
808 B
Diff
20 lines
808 B
Diff
Fix CVE-2007-2721 (heap corruption in jpc_qcx_getcompparms()).
|
|
|
|
Copied from Fedora.
|
|
|
|
http://pkgs.fedoraproject.org/cgit/rpms/jasper.git/tree/patch-libjasper-stepsizes-overflow.diff
|
|
|
|
--- jasper-1.900.1.orig/src/libjasper/jpc/jpc_cs.c 2007-01-19 22:43:07.000000000 +0100
|
|
+++ jasper-1.900.1/src/libjasper/jpc/jpc_cs.c 2007-04-06 01:29:02.000000000 +0200
|
|
@@ -982,7 +982,10 @@ static int jpc_qcx_getcompparms(jpc_qcxc
|
|
compparms->numstepsizes = (len - n) / 2;
|
|
break;
|
|
}
|
|
- if (compparms->numstepsizes > 0) {
|
|
+ if (compparms->numstepsizes > 3 * JPC_MAXRLVLS + 1) {
|
|
+ jpc_qcx_destroycompparms(compparms);
|
|
+ return -1;
|
|
+ } else if (compparms->numstepsizes > 0) {
|
|
compparms->stepsizes = jas_malloc(compparms->numstepsizes *
|
|
sizeof(uint_fast16_t));
|
|
assert(compparms->stepsizes);
|