rdieter pushed to jasper (el5). "1.900.1-15 (..more)"

notifications at fedoraproject.org notifications at fedoraproject.org
Fri Apr 24 16:22:39 UTC 2015


>From aeb865e924f4d80cf4ee62a041920ce037d70712 Mon Sep 17 00:00:00 2001
From: Rex Dieter <rdieter at math.unl.edu>
Date: Fri, 24 Apr 2015 11:22:29 -0500
Subject: 1.900.1-15 CVE-2014-8157 - dec->numtiles off-by-one check in
 jpc_dec_process_sot() (#1184752,#1179282) CVE-2014-8158 - unrestricted stack
 memory use in jpc_qmfb.c (#1184752,#1179298) CVE-2014-8137 - double-free in
 jas_iccattrval_destroy() (oCERT-2014-012) (#1175763,#1173157) CVE-2014-8138 -
 heap overflow in jp2_decode() (oCERT-2014-012) (#1175763,#1173162)
 CVE-2014-9029 - incorrect component number check in COC, RGN and QCC marker
 segment decoders (#1167537,#1170654)


diff --git a/jasper-1.900.1-Coverity-BAD_SIZEOF.patch b/jasper-1.900.1-Coverity-BAD_SIZEOF.patch
new file mode 100644
index 0000000..1977400
--- /dev/null
+++ b/jasper-1.900.1-Coverity-BAD_SIZEOF.patch
@@ -0,0 +1,17 @@
+Error: BAD_SIZEOF
+jpc/jpc_enc.c:2105: bad_sizeof: Taking the size of binary expression "tcmpt->numstepsizes * sizeof (uint_fast16_t) /*8*/" is suspicious.
+                                Did you intend "sizeof(tcmpt->numstepsizes) * sizeof (uint_fast16_t) /*8*/"?
+
+diff -up jasper-1.900.1/src/libjasper/jpc/jpc_enc.c.bad_sizeof jasper-1.900.1/src/libjasper/jpc/jpc_enc.c
+--- jasper-1.900.1/src/libjasper/jpc/jpc_enc.c.bad_sizeof	2007-01-19 22:43:07.000000000 +0100
++++ jasper-1.900.1/src/libjasper/jpc/jpc_enc.c	2011-06-23 17:28:17.085690561 +0200
+@@ -2102,8 +2102,7 @@ static jpc_enc_tcmpt_t *tcmpt_create(jpc
+ 
+ 	tcmpt->numstepsizes = tcmpt->numbands;
+ 	assert(tcmpt->numstepsizes <= JPC_MAXBANDS);
+-	memset(tcmpt->stepsizes, 0, sizeof(tcmpt->numstepsizes *
+-	  sizeof(uint_fast16_t)));
++	memset(tcmpt->stepsizes, 0, tcmpt->numstepsizes * sizeof(uint_fast16_t));
+ 
+ 	/* Retrieve information about the various bands. */
+ 	jpc_tsfb_getbands(tcmpt->tsfb, jas_seq2d_xstart(tcmpt->data),
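Review bot: The corrected memset on the `memset(tcmpt->stepsizes, 0, tcmpt->numstepsizes * sizeof(uint_fast16_t));` line still hardcodes the element type instead of deriving it from the array, so the size silently drifts if `stepsizes` ever changes type; `memset(tcmpt->stepsizes, 0, tcmpt->numstepsizes * sizeof(tcmpt->stepsizes[0]));` ties the byte count to the actual element and would also have made the original mistake harder to write. The only bound on `numstepsizes` visible here is the `assert(tcmpt->numstepsizes <= JPC_MAXBANDS)` two lines above, which compiles out under NDEBUG, so the declared size of `stepsizes` should be confirmed against JPC_MAXBANDS. tcmpt_create starts and ends outside this hunk.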
diff --git a/jasper-1.900.1-Coverity-CHECKED_RETURN.patch b/jasper-1.900.1-Coverity-CHECKED_RETURN.patch
new file mode 100644
index 0000000..ea330f2
--- /dev/null
+++ b/jasper-1.900.1-Coverity-CHECKED_RETURN.patch
@@ -0,0 +1,141 @@
+Error: CHECKED_RETURN
+jpc/jpc_cs.c:924: check_return: Calling function "jpc_putuint16" without checking return value (as is done elsewhere 11 out of 13 times).
+jpc/jpc_cs.c:924: unchecked_value: No check of the return value of "jpc_putuint16(out, qcc->compno)".
+
+jpc/jpc_cs.c:1021: check_return: Calling function "jpc_putuint16" without checking return value (as is done elsewhere 11 out of 13 times).
+jpc/jpc_cs.c:1021: unchecked_value: No check of the return value of "jpc_putuint16(out, compparms->stepsizes[i])".
+
+jpc/jpc_cs.c:994: check_return: Calling function "jpc_getuint16" without checking return value (as is done elsewhere 14 out of 16 times).
+jpc/jpc_cs.c:994: unchecked_value: No check of the return value of "jpc_getuint16(in, compparms->stepsizes + i)".
+
+jpc/jpc_cs.c:905: check_return: Calling function "jpc_getuint16" without checking return value (as is done elsewhere 14 out of 16 times).
+jpc/jpc_cs.c:905: unchecked_value: No check of the return value of "jpc_getuint16(in, &qcc->compno)".
+
+jpc/jpc_cs.c:969: check_return: Calling function "jpc_getuint8" without checking return value (as is done elsewhere 17 out of 20 times).
+jpc/jpc_cs.c:969: unchecked_value: No check of the return value of "jpc_getuint8(in, &tmp)".
+
+jpc/jpc_cs.c:991: check_return: Calling function "jpc_getuint8" without checking return value (as is done elsewhere 17 out of 20 times).
+jpc/jpc_cs.c:991: unchecked_value: No check of the return value of "jpc_getuint8(in, &tmp)".
+
+jpc/jpc_cs.c:901: check_return: Calling function "jpc_getuint8" without checking return value (as is done elsewhere 17 out of 20 times).
+jpc/jpc_cs.c:901: unchecked_value: No check of the return value of "jpc_getuint8(in, &tmp)".
+
+jpc/jpc_t2enc.c:338: check_return: Calling function "jpc_putms" without checking return value (as is done elsewhere 12 out of 13 times).
+jpc/jpc_t2enc.c:338: unchecked_value: No check of the return value of "jpc_putms(out, enc->cstate, ms)".
+
+ras/ras_enc.c:245: check_return: Calling function "jas_image_readcmpt" without checking return value (as is done elsewhere 9 out of 10 times).
+ras/ras_enc.c:245: unchecked_value: No check of the return value of "jas_image_readcmpt(image, cmpts[i], 0L, y, image->brx_ - image->tlx_, 1L, data[i])".
+
+diff -up jasper-1.900.1/src/libjasper/jpc/jpc_cs.c.checked_return jasper-1.900.1/src/libjasper/jpc/jpc_cs.c
+--- jasper-1.900.1/src/libjasper/jpc/jpc_cs.c.checked_return	2007-01-19 22:43:07.000000000 +0100
++++ jasper-1.900.1/src/libjasper/jpc/jpc_cs.c	2011-06-24 13:52:25.636551844 +0200
+@@ -898,11 +898,15 @@ static int jpc_qcc_getparms(jpc_ms_t *ms
+ 	int len;
+ 	len = ms->len;
+ 	if (cstate->numcomps <= 256) {
+-		jpc_getuint8(in, &tmp);
++		if (jpc_getuint8(in, &tmp)) {
++			return -1;
++		}
+ 		qcc->compno = tmp;
+ 		--len;
+ 	} else {
+-		jpc_getuint16(in, &qcc->compno);
++		if (jpc_getuint16(in, &qcc->compno)) {
++			return -1;
++		}
+ 		len -= 2;
+ 	}
+ 	if (jpc_qcx_getcompparms(&qcc->compparms, cstate, in, len)) {
+@@ -919,9 +923,13 @@ static int jpc_qcc_putparms(jpc_ms_t *ms
+ {
+ 	jpc_qcc_t *qcc = &ms->parms.qcc;
+ 	if (cstate->numcomps <= 256) {
+-		jpc_putuint8(out, qcc->compno);
++		if (jpc_putuint8(out, qcc->compno)) {
++			return -1;
++		}
+ 	} else {
+-		jpc_putuint16(out, qcc->compno);
++		if (jpc_putuint16(out, qcc->compno)) {
++			return -1;
++		}
+ 	}
+ 	if (jpc_qcx_putcompparms(&qcc->compparms, cstate, out)) {
+ 		return -1;
+@@ -966,7 +974,9 @@ static int jpc_qcx_getcompparms(jpc_qcxc
+ 	cstate = 0;
+ 
+ 	n = 0;
+-	jpc_getuint8(in, &tmp);
++	if (jpc_getuint8(in, &tmp)) {
++		return -1;
++	}
+ 	++n;
+ 	compparms->qntsty = tmp & 0x1f;
+ 	compparms->numguard = (tmp >> 5) & 7;
+@@ -988,10 +998,14 @@ static int jpc_qcx_getcompparms(jpc_qcxc
+ 		assert(compparms->stepsizes);
+ 		for (i = 0; i < compparms->numstepsizes; ++i) {
+ 			if (compparms->qntsty == JPC_QCX_NOQNT) {
+-				jpc_getuint8(in, &tmp);
++				if (jpc_getuint8(in, &tmp)) {
++					return -1;
++				}
+ 				compparms->stepsizes[i] = JPC_QCX_EXPN(tmp >> 3);
+ 			} else {
+-				jpc_getuint16(in, &compparms->stepsizes[i]);
++				if (jpc_getuint16(in, &compparms->stepsizes[i])) {
++					return -1;
++				}
+ 			}
+ 		}
+ 	} else {
+@@ -1015,10 +1029,14 @@ static int jpc_qcx_putcompparms(jpc_qcxc
+ 	jpc_putuint8(out, ((compparms->numguard & 7) << 5) | compparms->qntsty);
+ 	for (i = 0; i < compparms->numstepsizes; ++i) {
+ 		if (compparms->qntsty == JPC_QCX_NOQNT) {
+-			jpc_putuint8(out, JPC_QCX_GETEXPN(
+-			  compparms->stepsizes[i]) << 3);
++			if (jpc_putuint8(out, JPC_QCX_GETEXPN(
++			  compparms->stepsizes[i]) << 3)) {
++				return -1;
++			}
+ 		} else {
+-			jpc_putuint16(out, compparms->stepsizes[i]);
++			if (jpc_putuint16(out, compparms->stepsizes[i])) {
++				return -1;
++			}
+ 		}
+ 	}
+ 	return 0;
+diff -up jasper-1.900.1/src/libjasper/jpc/jpc_t2enc.c.checked_return jasper-1.900.1/src/libjasper/jpc/jpc_t2enc.c
+--- jasper-1.900.1/src/libjasper/jpc/jpc_t2enc.c.checked_return	2007-01-19 22:43:07.000000000 +0100
++++ jasper-1.900.1/src/libjasper/jpc/jpc_t2enc.c	2011-06-24 12:29:32.069578992 +0200
+@@ -335,7 +335,9 @@ assert(jpc_firstone(datalen) < cblk->num
+ 		if (!(ms = jpc_ms_create(JPC_MS_EPH))) {
+ 			return -1;
+ 		}
+-		jpc_putms(out, enc->cstate, ms);
++		if (jpc_putms(out, enc->cstate, ms)) {
++			return -1;
++		}
+ 		jpc_ms_destroy(ms);
+ 	}
+ 
+diff -up jasper-1.900.1/src/libjasper/ras/ras_enc.c.checked_return jasper-1.900.1/src/libjasper/ras/ras_enc.c
+--- jasper-1.900.1/src/libjasper/ras/ras_enc.c.checked_return	2007-01-19 22:43:04.000000000 +0100
++++ jasper-1.900.1/src/libjasper/ras/ras_enc.c	2011-06-24 14:05:31.233482612 +0200
+@@ -242,8 +242,10 @@ static int ras_putdatastd(jas_stream_t *
+ 
+ 	for (y = 0; y < hdr->height; y++) {
+ 		for (i = 0; i < numcmpts; ++i) {
+-			jas_image_readcmpt(image, cmpts[i], 0, y, jas_image_width(image),
+-			  1, data[i]);
++			if (jas_image_readcmpt(image, cmpts[i], 0, y,
++					jas_image_width(image), 1, data[i])) {
++				return -1;
++			}
+ 		}
+ 		z = 0;
+ 		nz = 0;
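Review bot: In jpc_qcx_putcompparms the first write, `jpc_putuint8(out, ((compparms->numguard & 7) << 5) | compparms->qntsty);`, is still unchecked even though every write in the loop directly below it now returns -1 on failure, so a short output stream is only detected if it happens to occur after the first byte; wrap it the same way, `if (jpc_putuint8(out, ((compparms->numguard & 7) << 5) | compparms->qntsty)) { return -1; }`. The new early `return -1` statements inside the loop of jpc_qcx_getcompparms exit after `compparms->stepsizes` has been allocated (the `assert(compparms->stepsizes)` line), and whether the caller releases that buffer on a -1 result is not visible here, so that should be confirmed to avoid trading an unchecked read for a leak. All of the patched functions start and end outside their hunks.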
diff --git a/jasper-1.900.1-Coverity-FORWARD_NULL.patch b/jasper-1.900.1-Coverity-FORWARD_NULL.patch
new file mode 100644
index 0000000..ff526b4
--- /dev/null
+++ b/jasper-1.900.1-Coverity-FORWARD_NULL.patch
@@ -0,0 +1,44 @@
+Error: FORWARD_NULL
+jpc/jpc_dec.c:2207: var_compare_op: Comparing "streams" to null implies that "streams" might be null.
+jpc/jpc_dec.c:2270: var_deref_model: Passing null variable "streams" to function "jpc_streamlist_destroy", which dereferences it.
+jpc/jpc_dec.c:2108: deref_parm: Directly dereferencing parameter "streamlist".
+
+jpc/jpc_t1enc.c:225: assign_zero: Assigning: "cblk->passes" = 0.
+jpc/jpc_t1enc.c:228: alias_transfer: Assigning null: "pass" = "cblk->passes".
+jpc/jpc_t1enc.c:229: var_deref_op: Dereferencing null variable "pass".
+
+diff -up jasper-1.900.1/src/libjasper/jpc/jpc_dec.c.forward_null jasper-1.900.1/src/libjasper/jpc/jpc_dec.c
+--- jasper-1.900.1/src/libjasper/jpc/jpc_dec.c.forward_null	2007-01-19 22:43:07.000000000 +0100
++++ jasper-1.900.1/src/libjasper/jpc/jpc_dec.c	2011-06-24 15:01:39.200600146 +0200
+@@ -2267,7 +2267,9 @@ jpc_streamlist_t *jpc_ppmstabtostreams(j
+ 	return streams;
+ 
+ error:
+-	jpc_streamlist_destroy(streams);
++	if (streams) {
++		jpc_streamlist_destroy(streams);
++	}
+ 	return 0;
+ }
+ 
+diff -up jasper-1.900.1/src/libjasper/jpc/jpc_t1enc.c.forward_null jasper-1.900.1/src/libjasper/jpc/jpc_t1enc.c
+--- jasper-1.900.1/src/libjasper/jpc/jpc_t1enc.c.forward_null	2007-01-19 22:43:07.000000000 +0100
++++ jasper-1.900.1/src/libjasper/jpc/jpc_t1enc.c	2011-06-24 14:58:33.061248133 +0200
+@@ -224,7 +224,7 @@ int jpc_enc_enccblk(jpc_enc_t *enc, jas_
+ 	} else {
+ 		cblk->passes = 0;
+ 	}
+-	endpasses = &cblk->passes[cblk->numpasses];
++	endpasses = (cblk->passes) ? &cblk->passes[cblk->numpasses] : 0;
+ 	for (pass = cblk->passes; pass != endpasses; ++pass) {
+ 		pass->start = 0;
+ 		pass->end = 0;
+@@ -352,7 +352,7 @@ dump_passes(cblk->passes, cblk->numpasse
+ #endif
+ 
+ 	n = 0;
+-	endpasses = &cblk->passes[cblk->numpasses];
++	endpasses = (cblk->passes) ? &cblk->passes[cblk->numpasses] : 0;
+ 	for (pass = cblk->passes; pass != endpasses; ++pass) {
+ 		if (pass->start < n) {
+ 			pass->start = n;
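Review bot: The new `endpasses = (cblk->passes) ? &cblk->passes[cblk->numpasses] : 0;` in both jpc_t1enc.c hunks removes the null pointer arithmetic, but it also hides the inconsistent state where `cblk->passes` is null while `cblk->numpasses` is non-zero, which would now make the loop silently do nothing instead of failing loudly. If <assert.h> is already included in this file, an `assert(cblk->passes || cblk->numpasses == 0);` before each site documents the invariant the ternary relies on. Because the two sites are identical, a small `static` helper returning the end pointer would also keep them from diverging later. jpc_enc_enccblk starts and ends outside these hunks.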
diff --git a/jasper-1.900.1-Coverity-NULL_RETURNS.patch b/jasper-1.900.1-Coverity-NULL_RETURNS.patch
new file mode 100644
index 0000000..4c72270
--- /dev/null
+++ b/jasper-1.900.1-Coverity-NULL_RETURNS.patch
@@ -0,0 +1,61 @@
+Error: NULL_RETURNS
+base/jas_image.c:213: returned_null: Function "jas_image_create0" returns null (checked 6 out of 7 times).
+base/jas_image.c:213: var_assigned: Assigning: "newimage" = null return value from "jas_image_create0".
+base/jas_image.c:214: dereference: Dereferencing a pointer that might be null "newimage" when calling "jas_image_growcmpts".
+base/jas_image.c:777: deref_parm: Directly dereferencing parameter "image".
+
+base/jas_seq.c:223: returned_null: Function "jas_malloc" returns null (checked 110 out of 119 times).
+base/jas_seq.c:223: var_assigned: Assigning: "mat0->rows_" = null return value from "jas_malloc".
+base/jas_seq.c:225: dereference: Dereferencing a null pointer "mat0->rows_".
+
+jp2/jp2_cod.c:484: returned_null: Function "jas_stream_memopen" returns null (checked 12 out of 15 times).
+jp2/jp2_cod.c:484: var_assigned: Assigning: "tmpstream" = null return value from "jas_stream_memopen".
+jp2/jp2_cod.c:490: dereference: Dereferencing a pointer that might be null "tmpstream" when calling "jas_stream_tell".
+base/jas_stream.c:677: deref_parm: Directly dereferencing parameter "stream".
+
+
+diff -up jasper-1.900.1/src/libjasper/base/jas_image.c.NULL_RETURNS jasper-1.900.1/src/libjasper/base/jas_image.c
+--- jasper-1.900.1/src/libjasper/base/jas_image.c.NULL_RETURNS	2011-12-08 14:00:05.350020869 +0100
++++ jasper-1.900.1/src/libjasper/base/jas_image.c	2011-12-08 14:00:06.638004766 +0100
+@@ -210,7 +210,10 @@ jas_image_t *jas_image_copy(jas_image_t
+ 	jas_image_t *newimage;
+ 	int cmptno;
+ 
+-	newimage = jas_image_create0();
++	if (!(newimage = jas_image_create0())) {
++		goto error;
++	}
++
+ 	if (jas_image_growcmpts(newimage, image->numcmpts_)) {
+ 		goto error;
+ 	}
+diff -up jasper-1.900.1/src/libjasper/base/jas_seq.c.NULL_RETURNS jasper-1.900.1/src/libjasper/base/jas_seq.c
+--- jasper-1.900.1/src/libjasper/base/jas_seq.c.NULL_RETURNS	2011-12-08 14:00:05.000000000 +0100
++++ jasper-1.900.1/src/libjasper/base/jas_seq.c	2011-12-08 14:15:12.449680562 +0100
+@@ -220,7 +220,11 @@ void jas_matrix_bindsub(jas_matrix_t *ma
+ 	mat0->numrows_ = r1 - r0 + 1;
+ 	mat0->numcols_ = c1 - c0 + 1;
+ 	mat0->maxrows_ = mat0->numrows_;
+-	mat0->rows_ = jas_alloc2(mat0->maxrows_, sizeof(jas_seqent_t *));
++	if (!(mat0->rows_ = jas_alloc2(mat0->maxrows_, sizeof(jas_seqent_t *)))) {
++		jas_matrix_destroy(mat0);
++		return;
++	}
++
+ 	for (i = 0; i < mat0->numrows_; ++i) {
+ 		mat0->rows_[i] = mat1->rows_[r0 + i] + c0;
+ 	}
+diff -up jasper-1.900.1/src/libjasper/jp2/jp2_cod.c.NULL_RETURNS jasper-1.900.1/src/libjasper/jp2/jp2_cod.c
+--- jasper-1.900.1/src/libjasper/jp2/jp2_cod.c.NULL_RETURNS	2011-12-08 14:00:05.633017331 +0100
++++ jasper-1.900.1/src/libjasper/jp2/jp2_cod.c	2011-12-08 14:00:06.677004279 +0100
+@@ -481,7 +481,9 @@ int jp2_box_put(jp2_box_t *box, jas_stre
+ 	dataflag = !(box->info->flags & (JP2_BOX_SUPER | JP2_BOX_NODATA));
+ 
+ 	if (dataflag) {
+-		tmpstream = jas_stream_memopen(0, 0);
++		if (!(tmpstream = jas_stream_memopen(0, 0))) {
++			goto error;
++		}
+ 		if (box->ops->putdata) {
+ 			if ((*box->ops->putdata)(box, tmpstream)) {
+ 				goto error;
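Review bot: In jas_matrix_bindsub, which is declared `void`, the new failure path calls `jas_matrix_destroy(mat0)` on an object the caller passed in and still holds, so the caller has no way to learn that the call failed and continues with a dangling `mat0` pointer; that converts a null dereference into a use-after-free. Within the existing signature the less surprising option is to leave the object valid and empty rather than free it, for example `mat0->numrows_ = 0; mat0->maxrows_ = 0; return;` (the failed assignment has already left `rows_` null), with a comment stating that a zero-row result signals allocation failure; the proper fix is to return an error code so callers can check, which is an interface change outside this patch. In jas_image_copy the `goto error` with a null `newimage` depends on the error label tolerating a null pointer, which is not visible in the hunk and should be confirmed. All three patched functions extend beyond their hunks.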
diff --git a/jasper-1.900.1-Coverity-RESOURCE_LEAK.patch b/jasper-1.900.1-Coverity-RESOURCE_LEAK.patch
new file mode 100644
index 0000000..76f5da7
--- /dev/null
+++ b/jasper-1.900.1-Coverity-RESOURCE_LEAK.patch
@@ -0,0 +1,202 @@
+Error: RESOURCE_LEAK
+src/appl/imgcmp.c:504: var_assign: Assigning: "diffimage" =  storage returned from "jas_image_create(3, compparms, 1025)".
+src/appl/imgcmp.c:511: leaked_storage: Variable "diffimage" going out of scope leaks the storage it points to.
+src/appl/imgcmp.c:537: leaked_storage: Variable "diffimage" going out of scope leaks the storage it points to.
+
+base/jas_image.c:254: var_assign: Assigning: "newcmpt" =  storage returned from "jas_image_cmpt_create0()".
+base/jas_image.c:268: leaked_storage: Variable "newcmpt" going out of scope leaks the storage it points to.
+base/jas_image.c:271: leaked_storage: Variable "newcmpt" going out of scope leaks the storage it points to.
+base/jas_image.c:274: leaked_storage: Variable "newcmpt" going out of scope leaks the storage it points to.
+base/jas_image.c:277: leaked_storage: Variable "newcmpt" going out of scope leaks the storage it points to.
+
+base/jas_cm.c:611: var_assign: Assigning: "newpxformseq" =  storage returned from "jas_cmpxformseq_create()".
+base/jas_cm.c:617: leaked_storage: Variable "newpxformseq" going out of scope leaks the storage it points to.
+
+base/jas_cm.c:343: var_assign: Assigning: "newprof" =  storage returned from "jas_cmprof_create()".
+base/jas_cm.c:358: leaked_storage: Variable "newprof" going out of scope leaks the storage it points to.
+
+base/jas_cm.c:380: var_assign: Assigning: "xform" =  storage returned from "jas_malloc(sizeof (jas_cmxform_t) /*16*/)".
+base/jas_cm.c:461: leaked_storage: Variable "xform" going out of scope leaks the storage it points to.
+
+base/jas_image.c:1379: var_assign: Assigning: "xform" =  storage returned from "jas_cmxform_create(inprof, outprof, NULL, 0, intent, 0)".
+base/jas_image.c:1444: leaked_storage: Variable "xform" going out of scope leaks the storage it points to.
+
+base/jas_image.c:1306: var_assign: Assigning: "inimage" =  storage returned from "jas_image_copy(image)".
+base/jas_image.c:1444: leaked_storage: Variable "inimage" going out of scope leaks the storage it points to.
+
+base/jas_image.c:1345: var_assign: Assigning: "outimage" =  storage returned from "jas_image_create0()".
+base/jas_image.c:1444: leaked_storage: Variable "outimage" going out of scope leaks the storage it points to.
+
+bmp/bmp_enc.c:187: var_assign: Assigning: "info" =  storage returned from "bmp_info_create()".
+bmp/bmp_enc.c:208: leaked_storage: Variable "info" going out of scope leaks the storage it points to.
+
+jpc/jpc_tagtree.c:111: var_assign: Assigning: "tree" =  storage returned from "jpc_tagtree_alloc()".
+jpc/jpc_tagtree.c:129: leaked_storage: Variable "tree" going out of scope leaks the storage it points to.
+
+jpc/jpc_dec.c:452: var_assign: Assigning: "compinfos" =  storage returned from "jas_malloc(dec->numcomps * sizeof (jas_image_cmptparm_t) /*56*/)".
+jpc/jpc_dec.c:468: leaked_storage: Variable "compinfos" going out of scope leaks the storage it points to.
+
+jpc/jpc_dec.c:1483: var_assign: Assigning: "cp" =  storage returned from "jas_malloc(sizeof (jpc_dec_cp_t) /*48*/)".
+jpc/jpc_dec.c:1493: leaked_storage: Variable "cp" going out of scope leaks the storage it points to.
+jpc/jpc_dec.c:1497: leaked_storage: Variable "cp" going out of scope leaks the storage it points to.
+
+mif/mif_cod.c:523: var_assign: Assigning: "cmpt" =  storage returned from "mif_cmpt_create()".
+mif/mif_cod.c:568: leaked_storage: Variable "cmpt" going out of scope leaks the storage it points to.
+
+mif/mif_cod.c:568: leaked_storage: Variable "tvp" going out of scope leaks the storage it points to.
+
+
+diff -up jasper-1.900.1/src/appl/imgcmp.c.RESOURCE_LEAK jasper-1.900.1/src/appl/imgcmp.c
+--- jasper-1.900.1/src/appl/imgcmp.c.RESOURCE_LEAK	2007-01-19 22:43:08.000000000 +0100
++++ jasper-1.900.1/src/appl/imgcmp.c	2011-12-08 14:16:04.727027007 +0100
+@@ -507,6 +507,7 @@ jas_image_t *makediffimage(jas_matrix_t
+ 
+ 	for (i = 0; i < 3; ++i) {
+ 		if (!(diffdata[i] = jas_matrix_create(height, width))) {
++			jas_image_destroy(diffimage);
+ 			fprintf(stderr, "internal error\n");
+ 			return 0;
+ 		}
+@@ -534,6 +535,7 @@ jas_image_t *makediffimage(jas_matrix_t
+ 
+ 	for (i = 0; i < 3; ++i) {
+ 		if (jas_image_writecmpt(diffimage, i, 0, 0, width, height, diffdata[i])) {
++			jas_image_destroy(diffimage);
+ 			return 0;
+ 		}
+ 	}
+diff -up jasper-1.900.1/src/libjasper/base/jas_cm.c.RESOURCE_LEAK jasper-1.900.1/src/libjasper/base/jas_cm.c
+--- jasper-1.900.1/src/libjasper/base/jas_cm.c.RESOURCE_LEAK	2011-12-08 14:16:03.387043758 +0100
++++ jasper-1.900.1/src/libjasper/base/jas_cm.c	2011-12-08 14:16:04.728026994 +0100
+@@ -355,6 +355,8 @@ jas_cmprof_t *jas_cmprof_copy(jas_cmprof
+ 	}
+ 	return newprof;
+ error:
++	if (newprof)
++		jas_cmprof_destroy(newprof);
+ 	return 0;
+ }
+ 
+@@ -458,6 +460,8 @@ jas_cmxform_t *jas_cmxform_create(jas_cm
+ 	}
+ 	return xform;
+ error:
++	if (xform)
++		jas_cmxform_destroy(xform);
+ 	return 0;
+ }
+ 
+@@ -614,6 +618,8 @@ static jas_cmpxformseq_t *jas_cmpxformse
+ 		goto error;
+ 	return newpxformseq;
+ error:
++	if (newpxformseq)
++		jas_cmpxformseq_destroy(newpxformseq);
+ 	return 0;
+ }
+ 
+diff -up jasper-1.900.1/src/libjasper/base/jas_image.c.RESOURCE_LEAK jasper-1.900.1/src/libjasper/base/jas_image.c
+--- jasper-1.900.1/src/libjasper/base/jas_image.c.RESOURCE_LEAK	2011-12-08 14:16:04.635028156 +0100
++++ jasper-1.900.1/src/libjasper/base/jas_image.c	2011-12-08 14:16:04.776026394 +0100
+@@ -268,15 +268,19 @@ static jas_image_cmpt_t *jas_image_cmpt_
+ 	newcmpt->cps_ = cmpt->cps_;
+ 	newcmpt->type_ = cmpt->type_;
+ 	if (!(newcmpt->stream_ = jas_stream_memopen(0, 0))) {
++		jas_image_cmpt_destroy(newcmpt);
+ 		return 0;
+ 	}
+ 	if (jas_stream_seek(cmpt->stream_, 0, SEEK_SET)) {
++		jas_image_cmpt_destroy(newcmpt);
+ 		return 0;
+ 	}
+ 	if (jas_stream_copy(newcmpt->stream_, cmpt->stream_, -1)) {
++		jas_image_cmpt_destroy(newcmpt);
+ 		return 0;
+ 	}
+ 	if (jas_stream_seek(newcmpt->stream_, 0, SEEK_SET)) {
++		jas_image_cmpt_destroy(newcmpt);
+ 		return 0;
+ 	}
+ 	return newcmpt;
+@@ -1443,5 +1447,11 @@ jas_image_dump(outimage, stderr);
+ #endif
+ 	return outimage;
+ error:
++	if (xform)
++		jas_cmxform_destroy(xform);
++	if (inimage)
++		jas_image_destroy(inimage);
++	if (outimage)
++		jas_image_destroy(outimage);
+ 	return 0;
+ }
+diff -up jasper-1.900.1/src/libjasper/bmp/bmp_enc.c.RESOURCE_LEAK jasper-1.900.1/src/libjasper/bmp/bmp_enc.c
+--- jasper-1.900.1/src/libjasper/bmp/bmp_enc.c.RESOURCE_LEAK	2007-01-19 22:43:07.000000000 +0100
++++ jasper-1.900.1/src/libjasper/bmp/bmp_enc.c	2011-12-08 14:16:04.826025768 +0100
+@@ -205,16 +205,19 @@ int bmp_encode(jas_image_t *image, jas_s
+ 
+ 	/* Write the bitmap header. */
+ 	if (bmp_puthdr(out, &hdr)) {
++		bmp_info_destroy(info);
+ 		return -1;
+ 	}
+ 
+ 	/* Write the bitmap information. */
+ 	if (bmp_putinfo(out, info)) {
++		bmp_info_destroy(info);
+ 		return -1;
+ 	}
+ 
+ 	/* Write the bitmap data. */
+ 	if (bmp_putdata(out, info, image, enc->cmpts)) {
++		bmp_info_destroy(info);
+ 		return -1;
+ 	}
+ 
+diff -up jasper-1.900.1/src/libjasper/jpc/jpc_dec.c.RESOURCE_LEAK jasper-1.900.1/src/libjasper/jpc/jpc_dec.c
+--- jasper-1.900.1/src/libjasper/jpc/jpc_dec.c.RESOURCE_LEAK	2011-12-08 14:16:04.594028668 +0100
++++ jasper-1.900.1/src/libjasper/jpc/jpc_dec.c	2011-12-08 14:17:25.677014992 +0100
+@@ -465,6 +465,7 @@ static int jpc_dec_process_sot(jpc_dec_t
+ 
+ 		if (!(dec->image = jas_image_create(dec->numcomps, compinfos,
+ 		  JAS_CLRSPC_UNKNOWN))) {
++			jas_free(compinfos);
+ 			return -1;
+ 		}
+ 		jas_free(compinfos);
+@@ -1490,10 +1491,11 @@ static jpc_dec_cp_t *jpc_dec_cp_create(u
+ 	cp->mctid = 0;
+ 	cp->csty = 0;
+ 	if (!(cp->ccps = jas_alloc2(cp->numcomps, sizeof(jpc_dec_ccp_t)))) {
++		jpc_dec_cp_destroy(cp);
+ 		return 0;
+ 	}
+ 	if (!(cp->pchglist = jpc_pchglist_create())) {
+-		jas_free(cp->ccps);
++		jpc_dec_cp_destroy(cp);
+ 		return 0;
+ 	}
+ 	for (compno = 0, ccp = cp->ccps; compno < cp->numcomps;
+diff -up jasper-1.900.1/src/libjasper/jpc/jpc_tagtree.c.RESOURCE_LEAK jasper-1.900.1/src/libjasper/jpc/jpc_tagtree.c
+--- jasper-1.900.1/src/libjasper/jpc/jpc_tagtree.c.RESOURCE_LEAK	2011-12-08 14:16:04.000000000 +0100
++++ jasper-1.900.1/src/libjasper/jpc/jpc_tagtree.c	2011-12-08 14:17:55.905637082 +0100
+@@ -126,6 +126,7 @@ jpc_tagtree_t *jpc_tagtree_create(int nu
+ 	} while (n > 1);
+ 
+ 	if (!(tree->nodes_ = jas_alloc2(tree->numnodes_, sizeof(jpc_tagtreenode_t)))) {
++		jpc_tagtree_destroy(tree);
+ 		return 0;
+ 	}
+ 
+diff -up jasper-1.900.1/src/libjasper/mif/mif_cod.c.RESOURCE_LEAK jasper-1.900.1/src/libjasper/mif/mif_cod.c
+--- jasper-1.900.1/src/libjasper/mif/mif_cod.c.RESOURCE_LEAK	2011-12-08 14:16:04.250032970 +0100
++++ jasper-1.900.1/src/libjasper/mif/mif_cod.c	2011-12-08 14:16:04.967024005 +0100
+@@ -564,7 +564,7 @@ static int mif_process_cmpt(mif_hdr_t *h
+ 			break;
+ 		case MIF_DATA:
+ 			if (!(cmpt->data = jas_strdup(jas_tvparser_getval(tvp)))) {
+-				return -1;
++				goto error;
+ 			}
+ 			break;
+ 		}
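Review bot: In jpc_dec_cp_create the first new `jpc_dec_cp_destroy(cp);` runs while `cp->ccps` is null and before `cp->pchglist` has been assigned; the hunk shows `mctid` and `csty` being zeroed but not `pchglist`, so unless `cp` comes from a zeroing allocator or `pchglist` is cleared earlier in the function, the destroy call would free an indeterminate pointer. That should be verified, and if needed `cp->pchglist = 0;` added next to the other field initialisations before the `ccps` allocation. Separately, in makediffimage the added `jas_image_destroy(diffimage);` in the first loop still leaks `diffdata[0]` through `diffdata[i-1]` when the failure happens at i > 0; releasing the matrices created so far before returning would close that. Both functions start and end outside their hunks.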
diff --git a/jasper-1.900.1-Coverity-UNREACHABLE.patch b/jasper-1.900.1-Coverity-UNREACHABLE.patch
new file mode 100644
index 0000000..3cae294
--- /dev/null
+++ b/jasper-1.900.1-Coverity-UNREACHABLE.patch
@@ -0,0 +1,37 @@
+Error: UNREACHABLE
+jp2/jp2_cod.c:304: unreachable: This code cannot be reached: "abort();".
+
+jp2/jp2_cod.c:514: unreachable: This code cannot be reached: "abort();".
+
+jp2/jp2_enc.c:354: unreachable: This code cannot be reached: "abort();".
+
+diff -up jasper-1.900.1/src/libjasper/jp2/jp2_cod.c.unreachable jasper-1.900.1/src/libjasper/jp2/jp2_cod.c
+--- jasper-1.900.1/src/libjasper/jp2/jp2_cod.c.unreachable	2007-01-19 22:43:05.000000000 +0100
++++ jasper-1.900.1/src/libjasper/jp2/jp2_cod.c	2011-06-27 15:28:13.083137952 +0200
+@@ -301,7 +301,6 @@ jp2_box_t *jp2_box_get(jas_stream_t *in)
+ 	}
+ 
+ 	return box;
+-	abort();
+ 
+ error:
+ 	if (box) {
+@@ -511,7 +510,6 @@ int jp2_box_put(jp2_box_t *box, jas_stre
+ 	}
+ 
+ 	return 0;
+-	abort();
+ 
+ error:
+ 
+diff -up jasper-1.900.1/src/libjasper/jp2/jp2_enc.c.unreachable jasper-1.900.1/src/libjasper/jp2/jp2_enc.c
+--- jasper-1.900.1/src/libjasper/jp2/jp2_enc.c.unreachable	2007-01-19 22:43:05.000000000 +0100
++++ jasper-1.900.1/src/libjasper/jp2/jp2_enc.c	2011-06-27 15:27:58.858353979 +0200
+@@ -351,7 +351,6 @@ int sgnd;
+ 	}
+ 
+ 	return 0;
+-	abort();
+ 
+ error:
+ 
diff --git a/jasper-1.900.1-Coverity-UNUSED_VALUE.patch b/jasper-1.900.1-Coverity-UNUSED_VALUE.patch
new file mode 100644
index 0000000..e7d4cb5
--- /dev/null
+++ b/jasper-1.900.1-Coverity-UNUSED_VALUE.patch
@@ -0,0 +1,41 @@
+Error: UNUSED_VALUE
+base/jas_icc.c:328: returned_pointer: Pointer "attrvalinfo" returned by "jas_iccattrvalinfo_lookup(type)" is never used.
+
+jpc/jpc_enc.c:788: returned_pointer: Pointer "cp" returned by "strchr(s, 66)" is never used.
+
+diff -up jasper-1.900.1/src/libjasper/base/jas_icc.c.unused_value jasper-1.900.1/src/libjasper/base/jas_icc.c
+--- jasper-1.900.1/src/libjasper/base/jas_icc.c.unused_value	2007-01-19 22:43:05.000000000 +0100
++++ jasper-1.900.1/src/libjasper/base/jas_icc.c	2011-06-27 15:35:52.815263000 +0200
+@@ -266,7 +266,6 @@ jas_iccprof_t *jas_iccprof_load(jas_stre
+ 	jas_iccattrval_t *attrval;
+ 	jas_iccattrval_t *prevattrval;
+ 	jas_icctagtabent_t *tagtabent;
+-	jas_iccattrvalinfo_t *attrvalinfo;
+ 	int i;
+ 	int len;
+ 
+@@ -325,7 +324,7 @@ jas_iccprof_t *jas_iccprof_load(jas_stre
+ 			goto error;
+ 		}
+ 		curoff += 8;
+-		if (!(attrvalinfo = jas_iccattrvalinfo_lookup(type))) {
++		if (!jas_iccattrvalinfo_lookup(type)) {
+ #if 0
+ 			jas_eprintf("warning: skipping unknown tag type\n");
+ #endif
+diff -up jasper-1.900.1/src/libjasper/jpc/jpc_enc.c.unused_value jasper-1.900.1/src/libjasper/jpc/jpc_enc.c
+--- jasper-1.900.1/src/libjasper/jpc/jpc_enc.c.unused_value	2007-01-19 22:43:07.000000000 +0100
++++ jasper-1.900.1/src/libjasper/jpc/jpc_enc.c	2011-06-27 15:36:17.437900180 +0200
+@@ -781,11 +781,10 @@ void jpc_enc_cp_destroy(jpc_enc_cp_t *cp
+ 
+ int ratestrtosize(char *s, uint_fast32_t rawsize, uint_fast32_t *size)
+ {
+-	char *cp;
+ 	jpc_flt_t f;
+ 
+ 	/* Note: This function must not modify output size on failure. */
+-	if ((cp = strchr(s, 'B'))) {
++	if (strchr(s, 'B')) {
+ 		*size = atoi(s);
+ 	} else {
+ 		f = atof(s);
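Review bot: The rewritten `if (strchr(s, 'B')) {` in ratestrtosize still feeds `s` to `atoi(s)` on the next line, which cannot report a conversion failure, so the comment "This function must not modify output size on failure" cannot be honoured for malformed input such as a bare "B" suffix with no digits. Converting with `strtoul` into a temporary, checking the end pointer and `errno == ERANGE`, and only then assigning `*size` would let the function fail before touching the output; the same applies to the `atof` branch via `strtod`. The function's return contract is not fully visible here, so the error value should match whatever the callers already check. ratestrtosize ends outside the hunk.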
diff --git a/jasper-CVE-2014-8137.patch b/jasper-CVE-2014-8137.patch
new file mode 100644
index 0000000..9600cd3
--- /dev/null
+++ b/jasper-CVE-2014-8137.patch
@@ -0,0 +1,57 @@
+--- jasper-1.900.1.orig/src/libjasper/base/jas_icc.c	2014-12-11 14:06:44.000000000 +0100
++++ jasper-1.900.1/src/libjasper/base/jas_icc.c	2014-12-11 15:16:37.971272386 +0100
+@@ -1009,7 +1009,6 @@ static int jas_icccurv_input(jas_iccattr
+ 	return 0;
+ 
+ error:
+-	jas_icccurv_destroy(attrval);
+ 	return -1;
+ }
+ 
+@@ -1127,7 +1126,6 @@ static int jas_icctxtdesc_input(jas_icca
+ #endif
+ 	return 0;
+ error:
+-	jas_icctxtdesc_destroy(attrval);
+ 	return -1;
+ }
+ 
+@@ -1206,8 +1204,6 @@ static int jas_icctxt_input(jas_iccattrv
+ 		goto error;
+ 	return 0;
+ error:
+-	if (txt->string)
+-		jas_free(txt->string);
+ 	return -1;
+ }
+ 
+@@ -1328,7 +1324,6 @@ static int jas_icclut8_input(jas_iccattr
+ 		goto error;
+ 	return 0;
+ error:
+-	jas_icclut8_destroy(attrval);
+ 	return -1;
+ }
+ 
+@@ -1497,7 +1492,6 @@ static int jas_icclut16_input(jas_iccatt
+ 		goto error;
+ 	return 0;
+ error:
+-	jas_icclut16_destroy(attrval);
+ 	return -1;
+ }
+ 
+--- jasper-1.900.1.orig/src/libjasper/jp2/jp2_dec.c	2014-12-11 14:30:54.193209780 +0100
++++ jasper-1.900.1/src/libjasper/jp2/jp2_dec.c	2014-12-11 14:36:46.313217814 +0100
+@@ -291,7 +291,10 @@ jas_image_t *jp2_decode(jas_stream_t *in
+ 	case JP2_COLR_ICC:
+ 		iccprof = jas_iccprof_createfrombuf(dec->colr->data.colr.iccp,
+ 		  dec->colr->data.colr.iccplen);
+-		assert(iccprof);
++		if (!iccprof) {
++			jas_eprintf("error: failed to parse ICC profile\n");
++			goto error;
++		}
+ 		jas_iccprof_gethdr(iccprof, &icchdr);
+ 		jas_eprintf("ICC Profile CS %08x\n", icchdr.colorspc);
+ 		jas_image_setclrspc(dec->image, fromiccpcs(icchdr.colorspc));
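Review bot: The five `_input` error paths in jas_icc.c now rely on the caller to destroy a partially initialised attrval, which means each corresponding `jas_icc*_destroy` must tolerate fields that were never reached (null pointers, zero counts), and nothing in the hunk states this ownership rule, so a future maintainer could easily re-add the cleanup and reintroduce the double free. A comment at each error label, `/* attrval is owned by the caller, which destroys it on failure; freeing here double-frees (CVE-2014-8137) */`, records the contract where it matters. In jp2_decode the `jas_iccprof_gethdr(iccprof, &icchdr);` call following the new null check is still unchecked, and whether `iccprof` is released after use is outside the hunk. Both jas_icc.c functions and jp2_decode extend beyond their hunks.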
diff --git a/jasper-CVE-2014-8138.patch b/jasper-CVE-2014-8138.patch
new file mode 100644
index 0000000..5aaf8ab
--- /dev/null
+++ b/jasper-CVE-2014-8138.patch
@@ -0,0 +1,14 @@
+--- jasper-1.900.1.orig/src/libjasper/jp2/jp2_dec.c	2014-12-11 14:06:44.000000000 +0100
++++ jasper-1.900.1/src/libjasper/jp2/jp2_dec.c	2014-12-11 14:06:26.000000000 +0100
+@@ -386,6 +386,11 @@ jas_image_t *jp2_decode(jas_stream_t *in
+ 	/* Determine the type of each component. */
+ 	if (dec->cdef) {
+ 		for (i = 0; i < dec->numchans; ++i) {
++			/* Is the channel number reasonable? */
++			if (dec->cdef->data.cdef.ents[i].channo >= dec->numchans) {
++				jas_eprintf("error: invalid channel number in CDEF box\n");
++				goto error;
++			}
+ 			jas_image_setcmpttype(dec->image,
+ 			  dec->chantocmptlut[dec->cdef->data.cdef.ents[i].channo],
+ 			  jp2_getct(jas_image_clrspc(dec->image),
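Review bot: The new `if (dec->cdef->data.cdef.ents[i].channo >= dec->numchans)` guards the `chantocmptlut` index, but the loop still reads `dec->cdef->data.cdef.ents[i]` for every `i < dec->numchans`, so if the CDEF box carries its own entry count that is smaller than `dec->numchans`, the entry is read out of bounds before the new check ever runs. Bounding the loop by the box's entry count as well, or rejecting a mismatch between the two counts before the loop, would close that. The check also presumes `chantocmptlut` has exactly `numchans` entries, which is not visible here and should be confirmed. jp2_decode starts and ends outside the hunk.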
diff --git a/jasper-CVE-2014-8157.patch b/jasper-CVE-2014-8157.patch
new file mode 100644
index 0000000..ebfc1b2
--- /dev/null
+++ b/jasper-CVE-2014-8157.patch
@@ -0,0 +1,12 @@
+diff -up jasper-1.900.1/src/libjasper/jpc/jpc_dec.c.CVE-2014-8157 jasper-1.900.1/src/libjasper/jpc/jpc_dec.c
+--- jasper-1.900.1/src/libjasper/jpc/jpc_dec.c.CVE-2014-8157	2015-01-19 16:59:36.000000000 +0100
++++ jasper-1.900.1/src/libjasper/jpc/jpc_dec.c	2015-01-19 17:07:41.609863268 +0100
+@@ -489,7 +489,7 @@ static int jpc_dec_process_sot(jpc_dec_t
+ 		dec->curtileendoff = 0;
+ 	}
+ 
+-	if (JAS_CAST(int, sot->tileno) > dec->numtiles) {
++	if (JAS_CAST(int, sot->tileno) >= dec->numtiles) {
+ 		jas_eprintf("invalid tile number in SOT marker segment\n");
+ 		return -1;
+ 	}
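Review bot: The corrected `if (JAS_CAST(int, sot->tileno) >= dec->numtiles)` still admits a negative value if `sot->tileno` is an unsigned field wide enough to wrap when cast to `int`, and a negative tile number would index before the tile array just as an over-large one indexed past it. Comparing through a named temporary makes both ends explicit: `int tileno = JAS_CAST(int, sot->tileno); if (tileno < 0 || tileno >= dec->numtiles) {`. The declared type of `tileno` is not visible in this hunk, so this hinges on that check. jpc_dec_process_sot starts and ends outside the hunk.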
diff --git a/jasper-CVE-2014-8158.patch b/jasper-CVE-2014-8158.patch
new file mode 100644
index 0000000..ce9e4b4
--- /dev/null
+++ b/jasper-CVE-2014-8158.patch
@@ -0,0 +1,329 @@
+diff -up jasper-1.900.1/src/libjasper/jpc/jpc_qmfb.c.CVE-2014-8158 jasper-1.900.1/src/libjasper/jpc/jpc_qmfb.c
+--- jasper-1.900.1/src/libjasper/jpc/jpc_qmfb.c.CVE-2014-8158	2015-01-19 17:25:28.730195502 +0100
++++ jasper-1.900.1/src/libjasper/jpc/jpc_qmfb.c	2015-01-19 17:27:20.214663127 +0100
+@@ -306,11 +306,7 @@ void jpc_qmfb_split_row(jpc_fix_t *a, in
+ {
+ 
+ 	int bufsize = JPC_CEILDIVPOW2(numcols, 1);
+-#if !defined(HAVE_VLA)
+ 	jpc_fix_t splitbuf[QMFB_SPLITBUFSIZE];
+-#else
+-	jpc_fix_t splitbuf[bufsize];
+-#endif
+ 	jpc_fix_t *buf = splitbuf;
+ 	register jpc_fix_t *srcptr;
+ 	register jpc_fix_t *dstptr;
+@@ -318,7 +314,6 @@ void jpc_qmfb_split_row(jpc_fix_t *a, in
+ 	register int m;
+ 	int hstartcol;
+ 
+-#if !defined(HAVE_VLA)
+ 	/* Get a buffer. */
+ 	if (bufsize > QMFB_SPLITBUFSIZE) {
+ 		if (!(buf = jas_alloc2(bufsize, sizeof(jpc_fix_t)))) {
+@@ -326,7 +321,6 @@ void jpc_qmfb_split_row(jpc_fix_t *a, in
+ 			abort();
+ 		}
+ 	}
+-#endif
+ 
+ 	if (numcols >= 2) {
+ 		hstartcol = (numcols + 1 - parity) >> 1;
+@@ -360,12 +354,10 @@ void jpc_qmfb_split_row(jpc_fix_t *a, in
+ 		}
+ 	}
+ 
+-#if !defined(HAVE_VLA)
+ 	/* If the split buffer was allocated on the heap, free this memory. */
+ 	if (buf != splitbuf) {
+ 		jas_free(buf);
+ 	}
+-#endif
+ 
+ }
+ 
+@@ -374,11 +366,7 @@ void jpc_qmfb_split_col(jpc_fix_t *a, in
+ {
+ 
+ 	int bufsize = JPC_CEILDIVPOW2(numrows, 1);
+-#if !defined(HAVE_VLA)
+ 	jpc_fix_t splitbuf[QMFB_SPLITBUFSIZE];
+-#else
+-	jpc_fix_t splitbuf[bufsize];
+-#endif
+ 	jpc_fix_t *buf = splitbuf;
+ 	register jpc_fix_t *srcptr;
+ 	register jpc_fix_t *dstptr;
+@@ -386,7 +374,6 @@ void jpc_qmfb_split_col(jpc_fix_t *a, in
+ 	register int m;
+ 	int hstartcol;
+ 
+-#if !defined(HAVE_VLA)
+ 	/* Get a buffer. */
+ 	if (bufsize > QMFB_SPLITBUFSIZE) {
+ 		if (!(buf = jas_alloc2(bufsize, sizeof(jpc_fix_t)))) {
+@@ -394,7 +381,6 @@ void jpc_qmfb_split_col(jpc_fix_t *a, in
+ 			abort();
+ 		}
+ 	}
+-#endif
+ 
+ 	if (numrows >= 2) {
+ 		hstartcol = (numrows + 1 - parity) >> 1;
+@@ -428,12 +414,10 @@ void jpc_qmfb_split_col(jpc_fix_t *a, in
+ 		}
+ 	}
+ 
+-#if !defined(HAVE_VLA)
+ 	/* If the split buffer was allocated on the heap, free this memory. */
+ 	if (buf != splitbuf) {
+ 		jas_free(buf);
+ 	}
+-#endif
+ 
+ }
+ 
+@@ -442,11 +426,7 @@ void jpc_qmfb_split_colgrp(jpc_fix_t *a,
+ {
+ 
+ 	int bufsize = JPC_CEILDIVPOW2(numrows, 1);
+-#if !defined(HAVE_VLA)
+ 	jpc_fix_t splitbuf[QMFB_SPLITBUFSIZE * JPC_QMFB_COLGRPSIZE];
+-#else
+-	jpc_fix_t splitbuf[bufsize * JPC_QMFB_COLGRPSIZE];
+-#endif
+ 	jpc_fix_t *buf = splitbuf;
+ 	jpc_fix_t *srcptr;
+ 	jpc_fix_t *dstptr;
+@@ -457,7 +437,6 @@ void jpc_qmfb_split_colgrp(jpc_fix_t *a,
+ 	int m;
+ 	int hstartcol;
+ 
+-#if !defined(HAVE_VLA)
+ 	/* Get a buffer. */
+ 	if (bufsize > QMFB_SPLITBUFSIZE) {
+ 		if (!(buf = jas_alloc2(bufsize, sizeof(jpc_fix_t)))) {
+@@ -465,7 +444,6 @@ void jpc_qmfb_split_colgrp(jpc_fix_t *a,
+ 			abort();
+ 		}
+ 	}
+-#endif
+ 
+ 	if (numrows >= 2) {
+ 		hstartcol = (numrows + 1 - parity) >> 1;
+@@ -517,12 +495,10 @@ void jpc_qmfb_split_colgrp(jpc_fix_t *a,
+ 		}
+ 	}
+ 
+-#if !defined(HAVE_VLA)
+ 	/* If the split buffer was allocated on the heap, free this memory. */
+ 	if (buf != splitbuf) {
+ 		jas_free(buf);
+ 	}
+-#endif
+ 
+ }
+ 
+@@ -531,11 +507,7 @@ void jpc_qmfb_split_colres(jpc_fix_t *a,
+ {
+ 
+ 	int bufsize = JPC_CEILDIVPOW2(numrows, 1);
+-#if !defined(HAVE_VLA)
+ 	jpc_fix_t splitbuf[QMFB_SPLITBUFSIZE * JPC_QMFB_COLGRPSIZE];
+-#else
+-	jpc_fix_t splitbuf[bufsize * numcols];
+-#endif
+ 	jpc_fix_t *buf = splitbuf;
+ 	jpc_fix_t *srcptr;
+ 	jpc_fix_t *dstptr;
+@@ -546,7 +518,6 @@ void jpc_qmfb_split_colres(jpc_fix_t *a,
+ 	int m;
+ 	int hstartcol;
+ 
+-#if !defined(HAVE_VLA)
+ 	/* Get a buffer. */
+ 	if (bufsize > QMFB_SPLITBUFSIZE) {
+ 		if (!(buf = jas_alloc2(bufsize, sizeof(jpc_fix_t)))) {
+@@ -554,7 +525,6 @@ void jpc_qmfb_split_colres(jpc_fix_t *a,
+ 			abort();
+ 		}
+ 	}
+-#endif
+ 
+ 	if (numrows >= 2) {
+ 		hstartcol = (numrows + 1 - parity) >> 1;
+@@ -606,12 +576,10 @@ void jpc_qmfb_split_colres(jpc_fix_t *a,
+ 		}
+ 	}
+ 
+-#if !defined(HAVE_VLA)
+ 	/* If the split buffer was allocated on the heap, free this memory. */
+ 	if (buf != splitbuf) {
+ 		jas_free(buf);
+ 	}
+-#endif
+ 
+ }
+ 
+@@ -619,18 +587,13 @@ void jpc_qmfb_join_row(jpc_fix_t *a, int
+ {
+ 
+ 	int bufsize = JPC_CEILDIVPOW2(numcols, 1);
+-#if !defined(HAVE_VLA)
+ 	jpc_fix_t joinbuf[QMFB_JOINBUFSIZE];
+-#else
+-	jpc_fix_t joinbuf[bufsize];
+-#endif
+ 	jpc_fix_t *buf = joinbuf;
+ 	register jpc_fix_t *srcptr;
+ 	register jpc_fix_t *dstptr;
+ 	register int n;
+ 	int hstartcol;
+ 
+-#if !defined(HAVE_VLA)
+ 	/* Allocate memory for the join buffer from the heap. */
+ 	if (bufsize > QMFB_JOINBUFSIZE) {
+ 		if (!(buf = jas_alloc2(bufsize, sizeof(jpc_fix_t)))) {
+@@ -638,7 +601,6 @@ void jpc_qmfb_join_row(jpc_fix_t *a, int
+ 			abort();
+ 		}
+ 	}
+-#endif
+ 
+ 	hstartcol = (numcols + 1 - parity) >> 1;
+ 
+@@ -670,12 +632,10 @@ void jpc_qmfb_join_row(jpc_fix_t *a, int
+ 		++srcptr;
+ 	}
+ 
+-#if !defined(HAVE_VLA)
+ 	/* If the join buffer was allocated on the heap, free this memory. */
+ 	if (buf != joinbuf) {
+ 		jas_free(buf);
+ 	}
+-#endif
+ 
+ }
+ 
+@@ -684,18 +644,13 @@ void jpc_qmfb_join_col(jpc_fix_t *a, int
+ {
+ 
+ 	int bufsize = JPC_CEILDIVPOW2(numrows, 1);
+-#if !defined(HAVE_VLA)
+ 	jpc_fix_t joinbuf[QMFB_JOINBUFSIZE];
+-#else
+-	jpc_fix_t joinbuf[bufsize];
+-#endif
+ 	jpc_fix_t *buf = joinbuf;
+ 	register jpc_fix_t *srcptr;
+ 	register jpc_fix_t *dstptr;
+ 	register int n;
+ 	int hstartcol;
+ 
+-#if !defined(HAVE_VLA)
+ 	/* Allocate memory for the join buffer from the heap. */
+ 	if (bufsize > QMFB_JOINBUFSIZE) {
+ 		if (!(buf = jas_alloc2(bufsize, sizeof(jpc_fix_t)))) {
+@@ -703,7 +658,6 @@ void jpc_qmfb_join_col(jpc_fix_t *a, int
+ 			abort();
+ 		}
+ 	}
+-#endif
+ 
+ 	hstartcol = (numrows + 1 - parity) >> 1;
+ 
+@@ -735,12 +689,10 @@ void jpc_qmfb_join_col(jpc_fix_t *a, int
+ 		++srcptr;
+ 	}
+ 
+-#if !defined(HAVE_VLA)
+ 	/* If the join buffer was allocated on the heap, free this memory. */
+ 	if (buf != joinbuf) {
+ 		jas_free(buf);
+ 	}
+-#endif
+ 
+ }
+ 
+@@ -749,11 +701,7 @@ void jpc_qmfb_join_colgrp(jpc_fix_t *a,
+ {
+ 
+ 	int bufsize = JPC_CEILDIVPOW2(numrows, 1);
+-#if !defined(HAVE_VLA)
+ 	jpc_fix_t joinbuf[QMFB_JOINBUFSIZE * JPC_QMFB_COLGRPSIZE];
+-#else
+-	jpc_fix_t joinbuf[bufsize * JPC_QMFB_COLGRPSIZE];
+-#endif
+ 	jpc_fix_t *buf = joinbuf;
+ 	jpc_fix_t *srcptr;
+ 	jpc_fix_t *dstptr;
+@@ -763,7 +711,6 @@ void jpc_qmfb_join_colgrp(jpc_fix_t *a,
+ 	register int i;
+ 	int hstartcol;
+ 
+-#if !defined(HAVE_VLA)
+ 	/* Allocate memory for the join buffer from the heap. */
+ 	if (bufsize > QMFB_JOINBUFSIZE) {
+ 		if (!(buf = jas_alloc2(bufsize, JPC_QMFB_COLGRPSIZE * sizeof(jpc_fix_t)))) {
+@@ -771,7 +718,6 @@ void jpc_qmfb_join_colgrp(jpc_fix_t *a,
+ 			abort();
+ 		}
+ 	}
+-#endif
+ 
+ 	hstartcol = (numrows + 1 - parity) >> 1;
+ 
+@@ -821,12 +767,10 @@ void jpc_qmfb_join_colgrp(jpc_fix_t *a,
+ 		srcptr += JPC_QMFB_COLGRPSIZE;
+ 	}
+ 
+-#if !defined(HAVE_VLA)
+ 	/* If the join buffer was allocated on the heap, free this memory. */
+ 	if (buf != joinbuf) {
+ 		jas_free(buf);
+ 	}
+-#endif
+ 
+ }
+ 
+@@ -835,11 +779,7 @@ void jpc_qmfb_join_colres(jpc_fix_t *a,
+ {
+ 
+ 	int bufsize = JPC_CEILDIVPOW2(numrows, 1);
+-#if !defined(HAVE_VLA)
+ 	jpc_fix_t joinbuf[QMFB_JOINBUFSIZE * JPC_QMFB_COLGRPSIZE];
+-#else
+-	jpc_fix_t joinbuf[bufsize * numcols];
+-#endif
+ 	jpc_fix_t *buf = joinbuf;
+ 	jpc_fix_t *srcptr;
+ 	jpc_fix_t *dstptr;
+@@ -849,7 +789,6 @@ void jpc_qmfb_join_colres(jpc_fix_t *a,
+ 	register int i;
+ 	int hstartcol;
+ 
+-#if !defined(HAVE_VLA)
+ 	/* Allocate memory for the join buffer from the heap. */
+ 	if (bufsize > QMFB_JOINBUFSIZE) {
+ 		if (!(buf = jas_alloc3(bufsize, numcols, sizeof(jpc_fix_t)))) {
+@@ -857,7 +796,6 @@ void jpc_qmfb_join_colres(jpc_fix_t *a,
+ 			abort();
+ 		}
+ 	}
+-#endif
+ 
+ 	hstartcol = (numrows + 1 - parity) >> 1;
+ 
+@@ -907,12 +845,10 @@ void jpc_qmfb_join_colres(jpc_fix_t *a,
+ 		srcptr += numcols;
+ 	}
+ 
+-#if !defined(HAVE_VLA)
+ 	/* If the join buffer was allocated on the heap, free this memory. */
+ 	if (buf != joinbuf) {
+ 		jas_free(buf);
+ 	}
+-#endif
+ 
+ }
+ 
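Review bot: With the `HAVE_VLA` branches removed, the heap fallback is now the only path for large inputs, and in `jpc_qmfb_split_colgrp` and `jpc_qmfb_split_colres` that fallback allocates only `bufsize` elements (`jas_alloc2(bufsize, sizeof(jpc_fix_t))`) while the stack buffer it stands in for holds `QMFB_SPLITBUFSIZE * JPC_QMFB_COLGRPSIZE` elements and the deleted VLAs were `bufsize * JPC_QMFB_COLGRPSIZE` and `bufsize * numcols`; the join counterparts in the same hunk do scale their allocation (`jas_alloc2(bufsize, JPC_QMFB_COLGRPSIZE * sizeof(jpc_fix_t))` and `jas_alloc3(bufsize, numcols, sizeof(jpc_fix_t))`). Whether the split loops write the full group width is not visible in the hunk, but if they do, the undersized heap buffer is a heap overflow whenever `bufsize > QMFB_SPLITBUFSIZE`. Suggested: in split_colgrp `if (!(buf = jas_alloc2(bufsize, JPC_QMFB_COLGRPSIZE * sizeof(jpc_fix_t)))) {` and in split_colres `if (!(buf = jas_alloc3(bufsize, numcols, sizeof(jpc_fix_t)))) {`. Separately, split_colres and join_colres decide on the heap fallback from `bufsize` alone, so the fixed stack buffer is only adequate if `numcols <= JPC_QMFB_COLGRPSIZE` holds for every caller; an `assert(numcols <= JPC_QMFB_COLGRPSIZE)` or a comment stating that contract at the top of those two functions would make the assumption explicit. Each function's body continues outside the hunk lines shown.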
diff --git a/jasper-CVE-2014-9029.patch b/jasper-CVE-2014-9029.patch
new file mode 100644
index 0000000..98a2035
--- /dev/null
+++ b/jasper-CVE-2014-9029.patch
@@ -0,0 +1,29 @@
+--- jasper-1.900.1.orig/src/libjasper/jpc/jpc_dec.c	2014-11-27 12:45:44.000000000 +0100
++++ jasper-1.900.1/src/libjasper/jpc/jpc_dec.c	2014-11-27 12:44:58.000000000 +0100
+@@ -1281,7 +1281,7 @@ static int jpc_dec_process_coc(jpc_dec_t
+ 	jpc_coc_t *coc = &ms->parms.coc;
+ 	jpc_dec_tile_t *tile;
+ 
+-	if (JAS_CAST(int, coc->compno) > dec->numcomps) {
++	if (JAS_CAST(int, coc->compno) >= dec->numcomps) {
+ 		jas_eprintf("invalid component number in COC marker segment\n");
+ 		return -1;
+ 	}
+@@ -1307,7 +1307,7 @@ static int jpc_dec_process_rgn(jpc_dec_t
+ 	jpc_rgn_t *rgn = &ms->parms.rgn;
+ 	jpc_dec_tile_t *tile;
+ 
+-	if (JAS_CAST(int, rgn->compno) > dec->numcomps) {
++	if (JAS_CAST(int, rgn->compno) >= dec->numcomps) {
+ 		jas_eprintf("invalid component number in RGN marker segment\n");
+ 		return -1;
+ 	}
+@@ -1356,7 +1356,7 @@ static int jpc_dec_process_qcc(jpc_dec_t
+ 	jpc_qcc_t *qcc = &ms->parms.qcc;
+ 	jpc_dec_tile_t *tile;
+ 
+-	if (JAS_CAST(int, qcc->compno) > dec->numcomps) {
++	if (JAS_CAST(int, qcc->compno) >= dec->numcomps) {
+ 		jas_eprintf("invalid component number in QCC marker segment\n");
+ 		return -1;
+ 	}
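Review bot: The same bound check is now spelled out three times in jpc_dec_process_coc, jpc_dec_process_rgn and jpc_dec_process_qcc, and the fact that all three carried the identical `>` error suggests the check should exist in exactly one place; a small file-scope helper such as `static int jpc_dec_compno_ok(const jpc_dec_t *dec, int compno)` returning whether `compno < dec->numcomps`, called from each of the three sites, would keep the bound in a single definition (the helper's name and exact shape are only a suggestion). A short comment at that one site, noting that `compno` is a zero-based component index so `numcomps` itself is rejected, would document why `>=` is the correct operator. Each of the three functions continues outside its hunk.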
diff --git a/jasper.spec b/jasper.spec
index 48df958..74e07fc 100644
--- a/jasper.spec
+++ b/jasper.spec
@@ -7,7 +7,7 @@ Summary: Implementation of the JPEG-2000 standard, Part 1
 Name:    jasper
 Group:   System Environment/Libraries
 Version: 1.900.1
-Release: 14%{?dist}
+Release: 15%{?dist}
 
 License: JasPer
 URL:     http://www.ece.uvic.ca/~mdadams/jasper/
@@ -33,6 +33,21 @@ Patch6: jasper-1.900.1-CVE-2008-3522.patch
 # lead to arbitrary code execution (CERT VU#887409) (#765662)
 Patch7: jasper-1.900.1-CVE-2011-4516-CVE-2011-4517-CERT-VU-887409.patch
 
+Patch9: jasper-CVE-2014-9029.patch
+Patch10: jasper-CVE-2014-8137.patch
+Patch11: jasper-CVE-2014-8138.patch
+Patch12: jasper-CVE-2014-8157.patch
+Patch13: jasper-CVE-2014-8158.patch
+
+# Issues found by static analysis of code
+Patch110: jasper-1.900.1-Coverity-BAD_SIZEOF.patch
+Patch111: jasper-1.900.1-Coverity-CHECKED_RETURN.patch
+Patch112: jasper-1.900.1-Coverity-FORWARD_NULL.patch
+Patch113: jasper-1.900.1-Coverity-NULL_RETURNS.patch
+Patch114: jasper-1.900.1-Coverity-RESOURCE_LEAK.patch
+Patch115: jasper-1.900.1-Coverity-UNREACHABLE.patch
+Patch116: jasper-1.900.1-Coverity-UNUSED_VALUE.patch
+
 BuildRequires: automake 
 BuildRequires: libjpeg-devel
 BuildRequires: freeglut-devel 
@@ -79,6 +94,19 @@ Requires: %{name} = %{version}-%{release}
 %patch5 -p1 -b .CVE-2008-3520
 %patch6 -p1 -b .CVE-2008-3522
 %patch7 -p1 -b .CVE-2011-4516-4517
+%patch9 -p1 -b .CVE-2014-9029
+%patch10 -p1 -b .CVE-2014-8137-variant2
+%patch11 -p1 -b .CVE-2014-8138
+%patch12 -p1 -b .CVE-2014-8157
+%patch13 -p1 -b .CVE-2014-8158
+
+%patch110 -p1 -b .BAD_SIZEOF
+%patch111 -p1 -b .CHECKED_RETURN
+%patch112 -p1 -b .FORWARD_NULL
+%patch113 -p1 -b .NULL_RETURNS
+%patch114 -p1 -b .RESOURCE_LEAK
+%patch115 -p1 -b .UNREACHABLE
+%patch116 -p1 -b .UNUSED_VALUE
 
 %build
 
@@ -139,6 +167,14 @@ rm -rf $RPM_BUILD_ROOT
 
 
 %changelog
+* Fri Apr 24 2015 Rex Dieter <rdieter at fedoraproject.org> 
+- 1.900.1-15
+- CVE-2014-8157 - dec->numtiles off-by-one check in jpc_dec_process_sot() (#1184752,#1179282)
+- CVE-2014-8158 - unrestricted stack memory use in jpc_qmfb.c (#1184752,#1179298)
+- CVE-2014-8137 - double-free in jas_iccattrval_destroy() (oCERT-2014-012) (#1175763,#1173157)
+- CVE-2014-8138 - heap overflow in jp2_decode() (oCERT-2014-012) (#1175763,#1173162)
+- CVE-2014-9029 - incorrect component number check in COC, RGN and QCC marker segment decoders (#1167537,#1170654)
+
 * Fri Dec 09 2011 Jiri Popelka <jpopelka at redhat.com> - 1.900.1-14
 - CVE-2011-4516, CVE-2011-4517 jasper: heap buffer overflow flaws
   lead to arbitrary code execution (CERT VU#887409) (#765662)


	http://pkgs.fedoraproject.org/cgit/jasper.git/commit/?h=el5&id=aeb865e924f4d80cf4ee62a041920ce037d70712

