add two CVE patches for jasper.

2617452b · Kazuhiko Shiozaki · 26ab9ede · 2617452b · 2617452b · 2617452b
Commit 2617452b authored Jan 22, 2015 by Kazuhiko Shiozaki
3 changed files
--- a/component/jasper/CVE-2014-8137.patch
+++ b/component/jasper/CVE-2014-8137.patch
+Description: CVE-2014-8137: double-free in in jas_iccattrval_destroy()
+Origin: vendor, https://bugzilla.redhat.com/attachment.cgi?id=967283,
+ https://bugzilla.redhat.com/attachment.cgi?id=967284
+Bug-Debian: https://bugs.debian.org/773463
+Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1173157
+Forwarded: no
+Author: Tomas Hoger <thoger@redhat.com>
+Last-Update: 2014-12-20
+
+--- a/src/libjasper/base/jas_icc.c
+++ b/src/libjasper/base/jas_icc.c
+@@ -1010,7 +1010,6 @@ static int jas_icccurv_input(jas_iccattr
+ 	return 0;
+ 
+ error:
+-	jas_icccurv_destroy(attrval);
+ 	return -1;
+ }
+ 
+@@ -1128,7 +1127,6 @@ static int jas_icctxtdesc_input(jas_icca
+ #endif
+ 	return 0;
+ error:
+-	jas_icctxtdesc_destroy(attrval);
+ 	return -1;
+ }
+ 
+@@ -1207,8 +1205,6 @@ static int jas_icctxt_input(jas_iccattrv
+ 		goto error;
+ 	return 0;
+ error:
+-	if (txt->string)
+-		jas_free(txt->string);
+ 	return -1;
+ }
+ 
+@@ -1329,7 +1325,6 @@ static int jas_icclut8_input(jas_iccattr
+ 		goto error;
+ 	return 0;
+ error:
+-	jas_icclut8_destroy(attrval);
+ 	return -1;
+ }
+ 
+@@ -1498,7 +1493,6 @@ static int jas_icclut16_input(jas_iccatt
+ 		goto error;
+ 	return 0;
+ error:
+-	jas_icclut16_destroy(attrval);
+ 	return -1;
+ }
+ 
+--- a/src/libjasper/jp2/jp2_dec.c
+++ b/src/libjasper/jp2/jp2_dec.c
+@@ -291,7 +291,10 @@ jas_image_t *jp2_decode(jas_stream_t *in
+ 	case JP2_COLR_ICC:
+ 		iccprof = jas_iccprof_createfrombuf(dec->colr->data.colr.iccp,
+ 		  dec->colr->data.colr.iccplen);
+-		assert(iccprof);
+		if (!iccprof) {
+			jas_eprintf("error: failed to parse ICC profile\n");
+			goto error;
+		}
+ 		jas_iccprof_gethdr(iccprof, &icchdr);
+ 		jas_eprintf("ICC Profile CS %08x\n", icchdr.colorspc);
+ 		jas_image_setclrspc(dec->image, fromiccpcs(icchdr.colorspc));
--- a/component/jasper/CVE-2014-8138.patch
+++ b/component/jasper/CVE-2014-8138.patch
+Description: CVE-2014-8138: heap overflow in jp2_decode()
+Origin: vendor, https://bugzilla.redhat.com/attachment.cgi?id=967280
+Bug-Debian: https://bugs.debian.org/773463
+Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1173162
+Forwarded: no
+Author: Tomas Hoger <thoger@redhat.com>
+Last-Update: 2014-12-20
+
+--- a/src/libjasper/jp2/jp2_dec.c
+++ b/src/libjasper/jp2/jp2_dec.c
+@@ -389,6 +389,11 @@ jas_image_t *jp2_decode(jas_stream_t *in
+ 	/* Determine the type of each component. */
+ 	if (dec->cdef) {
+ 		for (i = 0; i < dec->numchans; ++i) {
+			/* Is the channel number reasonable? */
+			if (dec->cdef->data.cdef.ents[i].channo >= dec->numchans) {
+				jas_eprintf("error: invalid channel number in CDEF box\n");
+				goto error;
+			}
+ 			jas_image_setcmpttype(dec->image,
+ 			  dec->chantocmptlut[dec->cdef->data.cdef.ents[i].channo],
+ 			  jp2_getct(jas_image_clrspc(dec->image),
--- a/component/jasper/buildout.cfg
+++ b/component/jasper/buildout.cfg
@@ -14,6 +14,8 @@ patches =
  ${:_profile_base_location_}/fix-filename-buffer-overflow.patch#38403f9c82a18547beca16c9c6f4ce7a
  ${:_profile_base_location_}/CVE-2011-4516-and-CVE-2011-4517.patch#a9676718ed016f66a3c76acf764c9e72
  ${:_profile_base_location_}/CVE-2014-9029.patch#d69195cf17878f024cc0b580045ec314
+  ${:_profile_base_location_}/CVE-2014-8137.patch#bc5103b9a33315538106bf6652383a10
+  ${:_profile_base_location_}/CVE-2014-8138.patch#bfb9604fe84b6e686fea29bd760cf34d
 # jasper configure script is not executable by default
 configure-command =
  /bin/sh ./configure --prefix=${buildout:parts-directory}/${:_buildout_section_name_} --disable-static --enable-shared --disable-opengl