gnu/packages/patches/jasper-CVE-2011-4516-and-CVE-2011-4517.patch

   1 Fix CVE-2011-4516 and CVE-2011-4517 (heap buffer overflow flaws lead to
   2 arbitrary code execution).
   3
   4 Copied from Fedora.
   5
   6 http://pkgs.fedoraproject.org/cgit/rpms/jasper.git/tree/jasper-1.900.1-CVE-2011-4516-CVE-2011-4517-CERT-VU-887409.patch
   7 https://bugzilla.redhat.com/show_bug.cgi?id=747726
   8
   9 diff -up jasper-1.900.1/src/libjasper/jpc/jpc_cs.c.CERT-VU-887409 jasper-1.900.1/src/libjasper/jpc/jpc_cs.c
  10 --- jasper-1.900.1/src/libjasper/jpc/jpc_cs.c.CERT-VU-887409    2011-10-25 17:25:39.000000000 +0200
  11 +++ jasper-1.900.1/src/libjasper/jpc/jpc_cs.c   2011-10-25 17:29:14.379371908 +0200
  12 @@ -744,6 +744,10 @@ static int jpc_cox_getcompparms(jpc_ms_t
  13                 return -1;
  14         }
  15         compparms->numrlvls = compparms->numdlvls + 1;
  16 +       if (compparms->numrlvls > JPC_MAXRLVLS) {
  17 +               jpc_cox_destroycompparms(compparms);
  18 +               return -1;
  19 +       }
  20         if (prtflag) {
  21                 for (i = 0; i < compparms->numrlvls; ++i) {
  22                         if (jpc_getuint8(in, &tmp)) {
  23 @@ -1331,7 +1335,7 @@ static int jpc_crg_getparms(jpc_ms_t *ms
  24         jpc_crgcomp_t *comp;
  25         uint_fast16_t compno;
  26         crg->numcomps = cstate->numcomps;
  27 -       if (!(crg->comps = jas_alloc2(cstate->numcomps, sizeof(uint_fast16_t)))) {
  28 +       if (!(crg->comps = jas_alloc2(cstate->numcomps, sizeof(jpc_crgcomp_t)))) {
  29                 return -1;
  30         }
  31         for (compno = 0, comp = crg->comps; compno < cstate->numcomps;