security fixes for CVE-2016-1577 CVE-2016-2116

2016-03-09 15:16:05 +00:00 · 2016-03-09 15:16:05 +00:00 · 76f4704b00
commit 76f4704b00
parent 31d184b04d
2 changed files with 42 additions and 19 deletions
--- a/graphics/jasper/Makefile
+++ b/graphics/jasper/Makefile
@ -1,9 +1,9 @@
-# $OpenBSD: Makefile,v 1.19 2016/02/04 10:08:07 jasper Exp $
+# $OpenBSD: Makefile,v 1.20 2016/03/09 15:16:05 jasper Exp $

 COMMENT =	reference implementation of JPEG-2000

 DISTNAME =	jasper-1.900.1
-REVISION =	4
+REVISION =	5
 SHARED_LIBS =	jasper		2.1

 CATEGORIES =	graphics
--- a/graphics/jasper/patches/patch-src_libjasper_base_jas_icc_c
+++ b/graphics/jasper/patches/patch-src_libjasper_base_jas_icc_c
@ -1,11 +1,24 @@
-$OpenBSD: patch-src_libjasper_base_jas_icc_c,v 1.2 2015/11/06 22:28:29 sthen Exp $
+$OpenBSD: patch-src_libjasper_base_jas_icc_c,v 1.3 2016/03/09 15:16:05 jasper Exp $

-Security fix from Slackware:
-	CVE-2014-8137: double-free
+Security fix for CVE-2016-1577: Prevent double-free in jas_iccattrval_destroy()
+from https://launchpad.net/bugs/1547865

--- src/libjasper/base/jas_icc.c.orig	Fri Jan 19 13:43:05 2007
-+++ src/libjasper/base/jas_icc.c	Thu Oct 29 22:03:25 2015
-@@ -373,7 +373,7 @@ int jas_iccprof_save(jas_iccprof_t *prof, jas_stream_t
+Security fix for CVE-2016-2116: Prevent jas_stream_t memory leak in jas_iccprof_createfrombuf()
+
+Security fix for CVE-2014-8137: double-free
+from slackware
+
+--- src/libjasper/base/jas_icc.c.orig	Fri Jan 19 22:43:05 2007
+++ src/libjasper/base/jas_icc.c	Wed Mar  9 16:11:14 2016
+@@ -300,6 +300,7 @@ jas_iccprof_t *jas_iccprof_load(jas_stream_t *in)
+ 				if (jas_iccprof_setattr(prof, tagtabent->tag, attrval))
+ 					goto error;
+ 				jas_iccattrval_destroy(attrval);
+				attrval = 0;
+ 			} else {
+ #if 0
+ 				jas_eprintf("warning: skipping unknown tag type\n");
+@@ -373,7 +374,7 @@ int jas_iccprof_save(jas_iccprof_t *prof, jas_stream_t
 	jas_icctagtab_t *tagtab;
 
 	tagtab = &prof->tagtab;
@ -14,7 +27,7 @@ Security fix from Slackware:
 	  sizeof(jas_icctagtabent_t))))
 		goto error;
 	tagtab->numents = prof->attrtab->numattrs;
-@@ -522,7 +522,7 @@ static int jas_iccprof_gettagtab(jas_stream_t *in, jas
+@@ -522,7 +523,7 @@ static int jas_iccprof_gettagtab(jas_stream_t *in, jas
 	}
 	if (jas_iccgetuint32(in, &tagtab->numents))
 		goto error;
@ -23,7 +36,7 @@ Security fix from Slackware:
 	  sizeof(jas_icctagtabent_t))))
 		goto error;
 	tagtabent = tagtab->ents;
-@@ -743,8 +743,7 @@ static int jas_iccattrtab_resize(jas_iccattrtab_t *tab
+@@ -743,8 +744,7 @@ static int jas_iccattrtab_resize(jas_iccattrtab_t *tab
 {
 	jas_iccattr_t *newattrs;
 	assert(maxents >= tab->numattrs);
@ -33,7 +46,7 @@ Security fix from Slackware:
 	if (!newattrs)
 		return -1;
 	tab->attrs = newattrs;
-@@ -999,7 +998,7 @@ static int jas_icccurv_input(jas_iccattrval_t *attrval
+@@ -999,7 +999,7 @@ static int jas_icccurv_input(jas_iccattrval_t *attrval
 
 	if (jas_iccgetuint32(in, &curv->numents))
 		goto error;
@ -42,7 +55,7 @@ Security fix from Slackware:
 		goto error;
 	for (i = 0; i < curv->numents; ++i) {
 		if (jas_iccgetuint16(in, &curv->ents[i]))
-@@ -1011,7 +1010,6 @@ static int jas_icccurv_input(jas_iccattrval_t *attrval
+@@ -1011,7 +1011,6 @@ static int jas_icccurv_input(jas_iccattrval_t *attrval
 	return 0;
 
 error:
@ -50,7 +63,7 @@ Security fix from Slackware:
 	return -1;
 }
 
-@@ -1100,7 +1098,7 @@ static int jas_icctxtdesc_input(jas_iccattrval_t *attr
+@@ -1100,7 +1099,7 @@ static int jas_icctxtdesc_input(jas_iccattrval_t *attr
 	if (jas_iccgetuint32(in, &txtdesc->uclangcode) ||
 	  jas_iccgetuint32(in, &txtdesc->uclen))
 		goto error;
@ -59,7 +72,7 @@ Security fix from Slackware:
 		goto error;
 	if (jas_stream_read(in, txtdesc->ucdata, txtdesc->uclen * 2) !=
 	  JAS_CAST(int, txtdesc->uclen * 2))
-@@ -1129,7 +1127,6 @@ static int jas_icctxtdesc_input(jas_iccattrval_t *attr
+@@ -1129,7 +1128,6 @@ static int jas_icctxtdesc_input(jas_iccattrval_t *attr
 #endif
 	return 0;
 error:
@ -67,7 +80,7 @@ Security fix from Slackware:
 	return -1;
 }
 
-@@ -1208,8 +1205,6 @@ static int jas_icctxt_input(jas_iccattrval_t *attrval,
+@@ -1208,8 +1206,6 @@ static int jas_icctxt_input(jas_iccattrval_t *attrval,
 		goto error;
 	return 0;
 error:
@ -76,7 +89,7 @@ Security fix from Slackware:
 	return -1;
 }
 
-@@ -1292,17 +1287,17 @@ static int jas_icclut8_input(jas_iccattrval_t *attrval
+@@ -1292,17 +1288,17 @@ static int jas_icclut8_input(jas_iccattrval_t *attrval
 	  jas_iccgetuint16(in, &lut8->numouttabents))
 		goto error;
 	clutsize = jas_iccpowi(lut8->clutlen, lut8->numinchans) * lut8->numoutchans;
@ -101,7 +114,7 @@ Security fix from Slackware:
 	  sizeof(jas_iccuint8_t *))))
 		goto error;
 	for (i = 0; i < lut8->numoutchans; ++i)
-@@ -1330,7 +1325,6 @@ static int jas_icclut8_input(jas_iccattrval_t *attrval
+@@ -1330,7 +1326,6 @@ static int jas_icclut8_input(jas_iccattrval_t *attrval
 		goto error;
 	return 0;
 error:
@ -109,7 +122,7 @@ Security fix from Slackware:
 	return -1;
 }
 
-@@ -1461,17 +1455,17 @@ static int jas_icclut16_input(jas_iccattrval_t *attrva
+@@ -1461,17 +1456,17 @@ static int jas_icclut16_input(jas_iccattrval_t *attrva
 	  jas_iccgetuint16(in, &lut16->numouttabents))
 		goto error;
 	clutsize = jas_iccpowi(lut16->clutlen, lut16->numinchans) * lut16->numoutchans;
@ -132,7 +145,7 @@ Security fix from Slackware:
 	  sizeof(jas_iccuint16_t *))))
 		goto error;
 	for (i = 0; i < lut16->numoutchans; ++i)
-@@ -1499,7 +1493,6 @@ static int jas_icclut16_input(jas_iccattrval_t *attrva
+@@ -1499,7 +1494,6 @@ static int jas_icclut16_input(jas_iccattrval_t *attrva
 		goto error;
 	return 0;
 error:
@ -140,3 +153,13 @@ Security fix from Slackware:
 	return -1;
 }
 
+@@ -1699,6 +1693,9 @@ jas_iccprof_t *jas_iccprof_createfrombuf(uchar *buf, i
+ 	jas_stream_close(in);
+ 	return prof;
+ error:
+	if (in)
+		jas_stream_close(in);
+
+ 	return 0;
+ }
+