From 74d775f0cd005441a6390ee8e1544e47cce1541f Mon Sep 17 00:00:00 2001
From: naddy <naddy@openbsd.org>
Date: Sat, 20 Apr 2013 15:25:35 +0000
Subject: [PATCH] Security: Fixes for heap overflows CVE-2011-4516,
 CVE-2011-4517.  From FreeBSD/Debian.

While here, trim DESCR, routine cleanups.
---
 graphics/jasper/Makefile                      |  6 ++--
 .../patches/patch-src_libjasper_jpc_jpc_cs_c  | 36 +++++++++++++------
 graphics/jasper/pkg/DESCR                     |  9 ++---
 graphics/jasper/pkg/PFRAG.shared              |  2 --
 graphics/jasper/pkg/PLIST                     | 12 +++----
 5 files changed, 37 insertions(+), 28 deletions(-)
 delete mode 100644 graphics/jasper/pkg/PFRAG.shared

diff --git a/graphics/jasper/Makefile b/graphics/jasper/Makefile
index 0e699b68149..210c52adab9 100644
--- a/graphics/jasper/Makefile
+++ b/graphics/jasper/Makefile
@@ -1,13 +1,13 @@
-# $OpenBSD: Makefile,v 1.16 2013/03/21 08:45:18 ajacoutot Exp $
+# $OpenBSD: Makefile,v 1.17 2013/04/20 15:25:35 naddy Exp $
 
 COMMENT =	reference implementation of JPEG-2000
 
 DISTNAME =	jasper-1.900.1
-REVISION =	1
+REVISION =	2
 SHARED_LIBS =	jasper		2.1
 
 CATEGORIES =	graphics
-MASTER_SITES =	${HOMEPAGE}software/
+MASTER_SITES =	http://www.ece.uvic.ca/~mdadams/jasper/software/
 EXTRACT_SUFX =	.zip
 
 HOMEPAGE =	http://www.ece.uvic.ca/~mdadams/jasper/
diff --git a/graphics/jasper/patches/patch-src_libjasper_jpc_jpc_cs_c b/graphics/jasper/patches/patch-src_libjasper_jpc_jpc_cs_c
index 7e4866586c8..f864a28ca1a 100644
--- a/graphics/jasper/patches/patch-src_libjasper_jpc_jpc_cs_c
+++ b/graphics/jasper/patches/patch-src_libjasper_jpc_jpc_cs_c
@@ -1,6 +1,6 @@
-$OpenBSD: patch-src_libjasper_jpc_jpc_cs_c,v 1.3 2008/05/17 09:32:16 espie Exp $
---- src/libjasper/jpc/jpc_cs.c.orig	Fri May 16 21:00:25 2008
-+++ src/libjasper/jpc/jpc_cs.c	Fri May 16 21:05:18 2008
+$OpenBSD: patch-src_libjasper_jpc_jpc_cs_c,v 1.4 2013/04/20 15:25:35 naddy Exp $
+--- src/libjasper/jpc/jpc_cs.c.orig	Fri Jan 19 22:43:07 2007
++++ src/libjasper/jpc/jpc_cs.c	Fri Apr 19 18:32:09 2013
 @@ -502,7 +502,7 @@ static int jpc_siz_getparms(jpc_ms_t *ms, jpc_cstate_t
  	  !siz->tileheight || !siz->numcomps) {
  		return -1;
@@ -10,16 +10,32 @@ $OpenBSD: patch-src_libjasper_jpc_jpc_cs_c,v 1.3 2008/05/17 09:32:16 espie Exp $
  		return -1;
  	}
  	for (i = 0; i < siz->numcomps; ++i) {
-@@ -983,7 +983,7 @@ static int jpc_qcx_getcompparms(jpc_qcxcp_t *compparms
+@@ -744,6 +744,10 @@ static int jpc_cox_getcompparms(jpc_ms_t *ms, jpc_csta
+ 		return -1;
+ 	}
+ 	compparms->numrlvls = compparms->numdlvls + 1;
++	if (compparms->numrlvls > JPC_MAXRLVLS) {
++		jpc_cox_destroycompparms(compparms);
++		return -1;
++	}
+ 	if (prtflag) {
+ 		for (i = 0; i < compparms->numrlvls; ++i) {
+ 			if (jpc_getuint8(in, &tmp)) {
+@@ -982,8 +986,12 @@ static int jpc_qcx_getcompparms(jpc_qcxcp_t *compparms
+ 		compparms->numstepsizes = (len - n) / 2;
  		break;
  	}
++	if (compparms->numstepsizes > 3 * JPC_MAXRLVLS + 1) {
++		jpc_qcx_destroycompparms(compparms);
++		return -1;
++	}
  	if (compparms->numstepsizes > 0) {
 -		compparms->stepsizes = jas_malloc(compparms->numstepsizes *
 +		compparms->stepsizes = jas_alloc2(compparms->numstepsizes,
  		  sizeof(uint_fast16_t));
  		assert(compparms->stepsizes);
  		for (i = 0; i < compparms->numstepsizes; ++i) {
-@@ -1091,7 +1091,7 @@ static int jpc_ppm_getparms(jpc_ms_t *ms, jpc_cstate_t
+@@ -1091,7 +1099,7 @@ static int jpc_ppm_getparms(jpc_ms_t *ms, jpc_cstate_t
  
  	ppm->len = ms->len - 1;
  	if (ppm->len > 0) {
@@ -28,7 +44,7 @@ $OpenBSD: patch-src_libjasper_jpc_jpc_cs_c,v 1.3 2008/05/17 09:32:16 espie Exp $
  			goto error;
  		}
  		if (JAS_CAST(uint, jas_stream_read(in, ppm->data, ppm->len)) != ppm->len) {
-@@ -1160,7 +1160,7 @@ static int jpc_ppt_getparms(jpc_ms_t *ms, jpc_cstate_t
+@@ -1160,7 +1168,7 @@ static int jpc_ppt_getparms(jpc_ms_t *ms, jpc_cstate_t
  	}
  	ppt->len = ms->len - 1;
  	if (ppt->len > 0) {
@@ -37,7 +53,7 @@ $OpenBSD: patch-src_libjasper_jpc_jpc_cs_c,v 1.3 2008/05/17 09:32:16 espie Exp $
  			goto error;
  		}
  		if (jas_stream_read(in, (char *) ppt->data, ppt->len) != JAS_CAST(int, ppt->len)) {
-@@ -1223,7 +1223,7 @@ static int jpc_poc_getparms(jpc_ms_t *ms, jpc_cstate_t
+@@ -1223,7 +1231,7 @@ static int jpc_poc_getparms(jpc_ms_t *ms, jpc_cstate_t
  	uint_fast8_t tmp;
  	poc->numpchgs = (cstate->numcomps > 256) ? (ms->len / 9) :
  	  (ms->len / 7);
@@ -46,16 +62,16 @@ $OpenBSD: patch-src_libjasper_jpc_jpc_cs_c,v 1.3 2008/05/17 09:32:16 espie Exp $
  		goto error;
  	}
  	for (pchgno = 0, pchg = poc->pchgs; pchgno < poc->numpchgs; ++pchgno,
-@@ -1328,7 +1328,7 @@ static int jpc_crg_getparms(jpc_ms_t *ms, jpc_cstate_t
+@@ -1328,7 +1336,7 @@ static int jpc_crg_getparms(jpc_ms_t *ms, jpc_cstate_t
  	jpc_crgcomp_t *comp;
  	uint_fast16_t compno;
  	crg->numcomps = cstate->numcomps;
 -	if (!(crg->comps = jas_malloc(cstate->numcomps * sizeof(uint_fast16_t)))) {
-+	if (!(crg->comps = jas_alloc2(cstate->numcomps, sizeof(uint_fast16_t)))) {
++	if (!(crg->comps = jas_alloc2(cstate->numcomps, sizeof(jpc_crgcomp_t)))) {
  		return -1;
  	}
  	for (compno = 0, comp = crg->comps; compno < cstate->numcomps;
-@@ -1467,7 +1467,7 @@ static int jpc_unk_getparms(jpc_ms_t *ms, jpc_cstate_t
+@@ -1467,7 +1475,7 @@ static int jpc_unk_getparms(jpc_ms_t *ms, jpc_cstate_t
  	cstate = 0;
  
  	if (ms->len > 0) {
diff --git a/graphics/jasper/pkg/DESCR b/graphics/jasper/pkg/DESCR
index 0d0427436f0..927823ef0d1 100644
--- a/graphics/jasper/pkg/DESCR
+++ b/graphics/jasper/pkg/DESCR
@@ -1,7 +1,2 @@
-The JasPer Project is a collaborative effort between Image Power,
-Inc.  and the University of British Columbia. The objective of this
-project is to develop a software-based reference implementation of
-the codec specified in the JPEG-2000 Part-1 standard (i.e., ISO/IEC
-15444-1). This software has also been submitted to the ISO for
-inclusion in the JPEG-2000 Part-5 standard (as an official reference
-implementation).
+JasPer provides a reference implementation of the codec specified
+in the JPEG-2000 Part-1 standard (i.e., ISO/IEC 15444-1).
diff --git a/graphics/jasper/pkg/PFRAG.shared b/graphics/jasper/pkg/PFRAG.shared
deleted file mode 100644
index dfe8ad4b9cd..00000000000
--- a/graphics/jasper/pkg/PFRAG.shared
+++ /dev/null
@@ -1,2 +0,0 @@
-@comment $OpenBSD: PFRAG.shared,v 1.5 2007/03/29 13:43:53 jasper Exp $
-@lib lib/libjasper.so.${LIBjasper_VERSION}
diff --git a/graphics/jasper/pkg/PLIST b/graphics/jasper/pkg/PLIST
index f14c3b28300..65ec8ec416d 100644
--- a/graphics/jasper/pkg/PLIST
+++ b/graphics/jasper/pkg/PLIST
@@ -1,8 +1,8 @@
-@comment $OpenBSD: PLIST,v 1.3 2007/03/29 13:43:53 jasper Exp $
-bin/imgcmp
-bin/imginfo
-bin/jasper
-bin/tmrdemo
+@comment $OpenBSD: PLIST,v 1.4 2013/04/20 15:25:35 naddy Exp $
+@bin bin/imgcmp
+@bin bin/imginfo
+@bin bin/jasper
+@bin bin/tmrdemo
 include/jasper/
 include/jasper/jas_cm.h
 include/jasper/jas_config.h
@@ -25,7 +25,7 @@ include/jasper/jas_version.h
 include/jasper/jasper.h
 lib/libjasper.a
 lib/libjasper.la
-%%SHARED%%
+@lib lib/libjasper.so.${LIBjasper_VERSION}
 @man man/man1/imgcmp.1
 @man man/man1/imginfo.1
 @man man/man1/jasper.1