Hello community, here is the log from the commit of package jasper for openSUSE:Factory checked in at 2017-03-31 15:01:19 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/jasper (Old) and /work/SRC/openSUSE:Factory/.jasper.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "jasper" Fri Mar 31 15:01:19 2017 rev:38 rq:483773 version:1.900.14 Changes: -------- --- /work/SRC/openSUSE:Factory/jasper/jasper.changes 2017-03-18 20:49:35.542022975 +0100 +++ /work/SRC/openSUSE:Factory/.jasper.new/jasper.changes 2017-03-31 15:01:20.369498459 +0200 @@ -1,0 +2,20 @@ +Thu Mar 30 09:51:07 UTC 2017 - fstrba@suse.com + +- Modified patch: + * jasper-CVE-2016-9583.patch + + integrate upstream change + 99a50593254d1b53002719bbecfc946c84b23d27, which fixed a null + pointer dereferencing crash. + +------------------------------------------------------------------- +Wed Mar 22 09:30:41 UTC 2017 - fstrba@suse.com + +- Added patches: + * jasper-CVE-2016-9583.patch + - Out of bounds heap read in jpc_pi_nextpcrl() (bsc#1015400, + CVE-2016-9583) + * jasper-CVE-2017-6850.patch + - NULL pointer dereference in jp2_cdef_destroy (jp2_cod.c) + (bsc#1021868, CVE-2017-6850) + +------------------------------------------------------------------- New: ---- jasper-CVE-2016-9583.patch jasper-CVE-2017-6850.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ jasper.spec ++++++ --- /var/tmp/diff_new_pack.CTR5x2/_old 2017-03-31 15:01:21.397353158 +0200 +++ /var/tmp/diff_new_pack.CTR5x2/_new 2017-03-31 15:01:21.397353158 +0200 @@ -34,6 +34,8 @@ Patch6: jasper-CVE-2016-10251.patch Patch7: jasper-CVE-2017-5498.patch Patch8: jasper-CVE-2016-9600.patch +Patch9: jasper-CVE-2016-9583.patch +Patch10: jasper-CVE-2017-6850.patch BuildRequires: autoconf BuildRequires: automake BuildRequires: gcc-c++ @@ -91,6 +93,8 @@ %patch6 -p1 %patch7 -p1 %patch8 -p1 +%patch9 -p1 +%patch10 -p1 %build libtoolize --force --copy --install ++++++ jasper-CVE-2016-9583.patch ++++++ --- jasper-1.900.14/src/libjasper/include/jasper/jas_types.h 2017-03-22 10:14:30.098037013 +0100 +++ jasper-1.900.14/src/libjasper/include/jasper/jas_types.h 2017-03-22 10:15:11.619685037 +0100 @@ -128,6 +128,10 @@ #define JAS_CAST(t, e) \ ((t) (e)) +/* The number of bits in the integeral type uint_fast32_t. */ +/* NOTE: This could underestimate the size on some exotic architectures. */ +#define JAS_UINTFAST32_NUMBITS (8 * sizeof(uint_fast32_t)) + #ifdef __cplusplus extern "C" { #endif --- jasper-1.900.14/src/libjasper/jpc/jpc_t2cod.c 2017-03-22 10:14:30.102037013 +0100 +++ jasper-1.900.14/src/libjasper/jpc/jpc_t2cod.c 2017-03-22 10:15:11.619685037 +0100 @@ -200,7 +200,8 @@ JAS_CAST(int, pchg->lyrnoend); ++pi->lyrno) { for (pi->compno = pchg->compnostart, pi->picomp = &pi->picomps[pi->compno]; pi->compno < pi->numcomps && - pi->compno < JAS_CAST(int, pchg->compnoend); ++pi->compno, ++pi->picomp) { + pi->compno < JAS_CAST(int, pchg->compnoend); ++pi->compno, + ++pi->picomp) { if (pi->rlvlno >= pi->picomp->numrlvls) { continue; } @@ -249,10 +250,17 @@ ++compno, ++picomp) { for (rlvlno = 0, pirlvl = picomp->pirlvls; rlvlno < picomp->numrlvls; ++rlvlno, ++pirlvl) { - xstep = picomp->hsamp * (1 << (pirlvl->prcwidthexpn + - picomp->numrlvls - rlvlno - 1)); - ystep = picomp->vsamp * (1 << (pirlvl->prcheightexpn + - picomp->numrlvls - rlvlno - 1)); + // Check for the potential for overflow problems. + if (pirlvl->prcwidthexpn + pi->picomp->numrlvls > + JAS_UINTFAST32_NUMBITS - 2 || + pirlvl->prcheightexpn + pi->picomp->numrlvls > + JAS_UINTFAST32_NUMBITS - 2) { + return -1; + } + xstep = picomp->hsamp * (JAS_CAST(uint_fast32_t, 1) << + (pirlvl->prcwidthexpn + picomp->numrlvls - rlvlno - 1)); + ystep = picomp->vsamp * (JAS_CAST(uint_fast32_t, 1) << + (pirlvl->prcheightexpn + picomp->numrlvls - rlvlno - 1)); pi->xstep = (!pi->xstep) ? xstep : JAS_MIN(pi->xstep, xstep); pi->ystep = (!pi->ystep) ? ystep : JAS_MIN(pi->ystep, ystep); } @@ -282,21 +290,24 @@ rpy = r + pi->pirlvl->prcheightexpn; trx0 = JPC_CEILDIV(pi->xstart, pi->picomp->hsamp << r); try0 = JPC_CEILDIV(pi->ystart, pi->picomp->vsamp << r); - if (((pi->x == pi->xstart && ((trx0 << r) % (1 << rpx))) - || !(pi->x % (1 << rpx))) && - ((pi->y == pi->ystart && ((try0 << r) % (1 << rpy))) - || !(pi->y % (1 << rpy)))) { - prchind = JPC_FLOORDIVPOW2(JPC_CEILDIV(pi->x, pi->picomp->hsamp - << r), pi->pirlvl->prcwidthexpn) - JPC_FLOORDIVPOW2(trx0, - pi->pirlvl->prcwidthexpn); - prcvind = JPC_FLOORDIVPOW2(JPC_CEILDIV(pi->y, pi->picomp->vsamp - << r), pi->pirlvl->prcheightexpn) - JPC_FLOORDIVPOW2(try0, - pi->pirlvl->prcheightexpn); + if (((pi->x == pi->xstart && + ((trx0 << r) % (JAS_CAST(uint_fast32_t, 1) << rpx))) + || !(pi->x % (JAS_CAST(uint_fast32_t, 1) << rpx))) && + ((pi->y == pi->ystart && + ((try0 << r) % (JAS_CAST(uint_fast32_t, 1) << rpy))) + || !(pi->y % (JAS_CAST(uint_fast32_t, 1) << rpy)))) { + prchind = JPC_FLOORDIVPOW2(JPC_CEILDIV(pi->x, + pi->picomp->hsamp << r), pi->pirlvl->prcwidthexpn) - + JPC_FLOORDIVPOW2(trx0, pi->pirlvl->prcwidthexpn); + prcvind = JPC_FLOORDIVPOW2(JPC_CEILDIV(pi->y, + pi->picomp->vsamp << r), pi->pirlvl->prcheightexpn) - + JPC_FLOORDIVPOW2(try0, pi->pirlvl->prcheightexpn); pi->prcno = prcvind * pi->pirlvl->numhprcs + prchind; assert(pi->prcno < pi->pirlvl->numprcs); for (pi->lyrno = 0; pi->lyrno < - pi->numlyrs && pi->lyrno < JAS_CAST(int, pchg->lyrnoend); ++pi->lyrno) { + pi->numlyrs && pi->lyrno < JAS_CAST(int, + pchg->lyrnoend); ++pi->lyrno) { prclyrno = &pi->pirlvl->prclyrnos[pi->prcno]; if (pi->lyrno >= *prclyrno) { ++(*prclyrno); @@ -341,16 +352,19 @@ ++compno, ++picomp) { for (rlvlno = 0, pirlvl = picomp->pirlvls; rlvlno < picomp->numrlvls; ++rlvlno, ++pirlvl) { - xstep = picomp->hsamp * (1 << - (pirlvl->prcwidthexpn + picomp->numrlvls - - rlvlno - 1)); - ystep = picomp->vsamp * (1 << - (pirlvl->prcheightexpn + picomp->numrlvls - - rlvlno - 1)); - pi->xstep = (!pi->xstep) ? xstep : - JAS_MIN(pi->xstep, xstep); - pi->ystep = (!pi->ystep) ? ystep : - JAS_MIN(pi->ystep, ystep); + // Check for the potential for overflow problems. + if (pirlvl->prcwidthexpn + picomp->numrlvls > + JAS_UINTFAST32_NUMBITS - 2 || + pirlvl->prcheightexpn + picomp->numrlvls > + JAS_UINTFAST32_NUMBITS - 2) { + return -1; + } + xstep = picomp->hsamp * (JAS_CAST(uint_fast32_t, 1) << + (pirlvl->prcwidthexpn + picomp->numrlvls - rlvlno - 1)); + ystep = picomp->vsamp * (JAS_CAST(uint_fast32_t, 1) << + (pirlvl->prcheightexpn + picomp->numrlvls - rlvlno - 1)); + pi->xstep = (!pi->xstep) ? xstep : JAS_MIN(pi->xstep, xstep); + pi->ystep = (!pi->ystep) ? ystep : JAS_MIN(pi->ystep, ystep); } } pi->prgvolfirst = 0; @@ -377,20 +391,23 @@ try0 = JPC_CEILDIV(pi->ystart, pi->picomp->vsamp << r); rpx = r + pi->pirlvl->prcwidthexpn; rpy = r + pi->pirlvl->prcheightexpn; - if (((pi->x == pi->xstart && ((trx0 << r) % (1 << rpx))) || + if (((pi->x == pi->xstart && + ((trx0 << r) % (JAS_CAST(uint_fast32_t, 1) << rpx))) || !(pi->x % (pi->picomp->hsamp << rpx))) && - ((pi->y == pi->ystart && ((try0 << r) % (1 << rpy))) || + ((pi->y == pi->ystart && + ((try0 << r) % (JAS_CAST(uint_fast32_t, 1) << rpy))) || !(pi->y % (pi->picomp->vsamp << rpy)))) { - prchind = JPC_FLOORDIVPOW2(JPC_CEILDIV(pi->x, pi->picomp->hsamp - << r), pi->pirlvl->prcwidthexpn) - JPC_FLOORDIVPOW2(trx0, - pi->pirlvl->prcwidthexpn); - prcvind = JPC_FLOORDIVPOW2(JPC_CEILDIV(pi->y, pi->picomp->vsamp - << r), pi->pirlvl->prcheightexpn) - JPC_FLOORDIVPOW2(try0, - pi->pirlvl->prcheightexpn); + prchind = JPC_FLOORDIVPOW2(JPC_CEILDIV(pi->x, + pi->picomp->hsamp << r), pi->pirlvl->prcwidthexpn) - + JPC_FLOORDIVPOW2(trx0, pi->pirlvl->prcwidthexpn); + prcvind = JPC_FLOORDIVPOW2(JPC_CEILDIV(pi->y, + pi->picomp->vsamp << r), pi->pirlvl->prcheightexpn) - + JPC_FLOORDIVPOW2(try0, pi->pirlvl->prcheightexpn); pi->prcno = prcvind * pi->pirlvl->numhprcs + prchind; assert(pi->prcno < pi->pirlvl->numprcs); for (pi->lyrno = 0; pi->lyrno < pi->numlyrs && - pi->lyrno < JAS_CAST(int, pchg->lyrnoend); ++pi->lyrno) { + pi->lyrno < JAS_CAST(int, pchg->lyrnoend); + ++pi->lyrno) { prclyrno = &pi->pirlvl->prclyrnos[pi->prcno]; if (pi->lyrno >= *prclyrno) { ++(*prclyrno); @@ -428,10 +445,17 @@ pi->prgvolfirst = 0; } - for (pi->compno = pchg->compnostart, pi->picomp = - &pi->picomps[pi->compno]; pi->compno < JAS_CAST(int, pchg->compnoend) && pi->compno < pi->numcomps; ++pi->compno, - ++pi->picomp) { + for (pi->compno = pchg->compnostart, pi->picomp = &pi->picomps[pi->compno]; + pi->compno < JAS_CAST(int, pchg->compnoend) && pi->compno < pi->numcomps; + ++pi->compno, ++pi->picomp) { pirlvl = pi->picomp->pirlvls; + // Check for the potential for overflow problems. + if (pirlvl->prcwidthexpn + pi->picomp->numrlvls > + JAS_UINTFAST32_NUMBITS - 2 || + pirlvl->prcheightexpn + pi->picomp->numrlvls > + JAS_UINTFAST32_NUMBITS - 2) { + return -1; + } pi->xstep = pi->picomp->hsamp * (JAS_CAST(uint_fast32_t, 1) << (pirlvl->prcwidthexpn + pi->picomp->numrlvls - 1)); pi->ystep = pi->picomp->vsamp * (JAS_CAST(uint_fast32_t, 1) << @@ -461,23 +485,23 @@ try0 = JPC_CEILDIV(pi->ystart, pi->picomp->vsamp << r); rpx = r + pi->pirlvl->prcwidthexpn; rpy = r + pi->pirlvl->prcheightexpn; - if (((pi->x == pi->xstart && ((trx0 << r) % (1 << rpx))) || + if (((pi->x == pi->xstart && + ((trx0 << r) % (JAS_CAST(uint_fast32_t, 1) << rpx))) || !(pi->x % (pi->picomp->hsamp << rpx))) && - ((pi->y == pi->ystart && ((try0 << r) % (1 << rpy))) || + ((pi->y == pi->ystart && + ((try0 << r) % (JAS_CAST(uint_fast32_t, 1) << rpy))) || !(pi->y % (pi->picomp->vsamp << rpy)))) { - prchind = JPC_FLOORDIVPOW2(JPC_CEILDIV(pi->x, pi->picomp->hsamp - << r), pi->pirlvl->prcwidthexpn) - JPC_FLOORDIVPOW2(trx0, - pi->pirlvl->prcwidthexpn); - prcvind = JPC_FLOORDIVPOW2(JPC_CEILDIV(pi->y, pi->picomp->vsamp - << r), pi->pirlvl->prcheightexpn) - JPC_FLOORDIVPOW2(try0, - pi->pirlvl->prcheightexpn); - pi->prcno = prcvind * - pi->pirlvl->numhprcs + - prchind; - assert(pi->prcno < - pi->pirlvl->numprcs); - for (pi->lyrno = 0; pi->lyrno < - pi->numlyrs && pi->lyrno < JAS_CAST(int, pchg->lyrnoend); ++pi->lyrno) { + prchind = JPC_FLOORDIVPOW2(JPC_CEILDIV(pi->x, + pi->picomp->hsamp << r), pi->pirlvl->prcwidthexpn) - + JPC_FLOORDIVPOW2(trx0, pi->pirlvl->prcwidthexpn); + prcvind = JPC_FLOORDIVPOW2(JPC_CEILDIV(pi->y, + pi->picomp->vsamp << r), pi->pirlvl->prcheightexpn) - + JPC_FLOORDIVPOW2(try0, pi->pirlvl->prcheightexpn); + pi->prcno = prcvind * pi->pirlvl->numhprcs + prchind; + assert(pi->prcno < pi->pirlvl->numprcs); + for (pi->lyrno = 0; pi->lyrno < pi->numlyrs && + pi->lyrno < JAS_CAST(int, pchg->lyrnoend); + ++pi->lyrno) { prclyrno = &pi->pirlvl->prclyrnos[pi->prcno]; if (pi->lyrno >= *prclyrno) { ++(*prclyrno); --- jasper-1.900.14/src/libjasper/jpc/jpc_t2dec.c 2017-03-22 10:14:30.102037013 +0100 +++ jasper-1.900.14/src/libjasper/jpc/jpc_t2dec.c 2017-03-22 10:15:11.619685037 +0100 @@ -454,8 +454,8 @@ jas_stream_getrwcount(in), jpc_pi_prg(pi), jpc_pi_cmptno(pi), jpc_pi_rlvlno(pi), jpc_pi_prcno(pi), jpc_pi_lyrno(pi)); } - if (jpc_dec_decodepkt(dec, pkthdrstream, in, jpc_pi_cmptno(pi), jpc_pi_rlvlno(pi), - jpc_pi_prcno(pi), jpc_pi_lyrno(pi))) { + if (jpc_dec_decodepkt(dec, pkthdrstream, in, jpc_pi_cmptno(pi), + jpc_pi_rlvlno(pi), jpc_pi_prcno(pi), jpc_pi_lyrno(pi))) { return -1; } ++dec->numpkts; ++++++ jasper-CVE-2017-6850.patch ++++++ --- jasper-1.900.14/src/libjasper/base/jas_stream.c 2017-03-22 10:18:22.195685757 +0100 +++ jasper-1.900.14/src/libjasper/base/jas_stream.c 2017-03-22 10:20:15.366313051 +0100 @@ -507,6 +507,7 @@ return 0; } +/* FIXME integral type */ int jas_stream_read(jas_stream_t *stream, void *buf, int cnt) { int n; @@ -527,6 +528,7 @@ return n; } +/* FIXME integral type */ int jas_stream_write(jas_stream_t *stream, const void *buf, int cnt) { int n; @@ -573,6 +575,7 @@ return 0; } +/* FIXME integral type */ char *jas_stream_gets(jas_stream_t *stream, char *buf, int bufsize) { int c; @@ -594,6 +597,7 @@ return buf; } +/* FIXME integral type */ int jas_stream_gobble(jas_stream_t *stream, int n) { int m; @@ -606,6 +610,7 @@ return n; } +/* FIXME integral type */ int jas_stream_pad(jas_stream_t *stream, int n, int c) { int m; @@ -696,6 +701,7 @@ * Buffer initialization code. \******************************************************************************/ +/* FIXME integral type */ static void jas_stream_initbuf(jas_stream_t *stream, int bufmode, char *buf, int bufsize) { @@ -871,6 +877,7 @@ return openmode; } +/* FIXME integral type */ int jas_stream_copy(jas_stream_t *out, jas_stream_t *in, int n) { int all; @@ -896,6 +903,7 @@ return 0; } +/* FIXME integral type */ long jas_stream_setrwcount(jas_stream_t *stream, long rwcnt) { int old; @@ -905,6 +913,7 @@ return old; } +/* FIXME integral type */ int jas_stream_display(jas_stream_t *stream, FILE *fp, int n) { unsigned char buf[16]; @@ -979,6 +988,7 @@ * Memory stream object. \******************************************************************************/ +/* FIXME integral type */ static int mem_read(jas_stream_obj_t *obj, char *buf, int cnt) { int n; @@ -1007,6 +1017,7 @@ return 0; } +/* FIXME integral type */ static int mem_write(jas_stream_obj_t *obj, char *buf, int cnt) { int n; @@ -1054,6 +1065,7 @@ return ret; } +/* FIXME integral type */ static long mem_seek(jas_stream_obj_t *obj, long offset, int origin) { jas_stream_memobj_t *m = (jas_stream_memobj_t *)obj; @@ -1096,18 +1108,21 @@ * File stream object. \******************************************************************************/ +/* FIXME integral type */ static int file_read(jas_stream_obj_t *obj, char *buf, int cnt) { jas_stream_fileobj_t *fileobj = JAS_CAST(jas_stream_fileobj_t *, obj); return read(fileobj->fd, buf, cnt); } +/* FIXME integral type */ static int file_write(jas_stream_obj_t *obj, char *buf, int cnt) { jas_stream_fileobj_t *fileobj = JAS_CAST(jas_stream_fileobj_t *, obj); return write(fileobj->fd, buf, cnt); } +/* FIXME integral type */ static long file_seek(jas_stream_obj_t *obj, long offset, int origin) { jas_stream_fileobj_t *fileobj = JAS_CAST(jas_stream_fileobj_t *, obj); @@ -1130,6 +1145,7 @@ * Stdio file stream object. \******************************************************************************/ +/* FIXME integral type */ static int sfile_read(jas_stream_obj_t *obj, char *buf, int cnt) { FILE *fp; @@ -1144,6 +1160,7 @@ return result; } +/* FIXME integral type */ static int sfile_write(jas_stream_obj_t *obj, char *buf, int cnt) { FILE *fp; @@ -1153,6 +1170,7 @@ return (n != JAS_CAST(size_t, cnt)) ? (-1) : cnt; } +/* FIXME integral type */ static long sfile_seek(jas_stream_obj_t *obj, long offset, int origin) { FILE *fp; --- jasper-1.900.14/src/libjasper/jp2/jp2_cod.c 2017-03-22 10:18:22.191685757 +0100 +++ jasper-1.900.14/src/libjasper/jp2/jp2_cod.c 2017-03-22 10:20:15.366313051 +0100 @@ -183,15 +183,28 @@ * Box constructor. \******************************************************************************/ -jp2_box_t *jp2_box_create(int type) +jp2_box_t *jp2_box_create0() { jp2_box_t *box; - jp2_boxinfo_t *boxinfo; - if (!(box = jas_malloc(sizeof(jp2_box_t)))) { return 0; } memset(box, 0, sizeof(jp2_box_t)); + box->type = 0; + box->len = 0; + // Mark the box data as never having been constructed + // so that we will not errantly attempt to destroy it later. + box->ops = &jp2_boxinfo_unk.ops; + return box; +} + +jp2_box_t *jp2_box_create(int type) +{ + jp2_box_t *box; + jp2_boxinfo_t *boxinfo; + if (!(box = jp2_box_create0())) { + return 0; + } box->type = type; box->len = 0; if (!(boxinfo = jp2_boxinfolookup(type))) { @@ -248,14 +261,9 @@ box = 0; tmpstream = 0; - if (!(box = jas_malloc(sizeof(jp2_box_t)))) { + if (!(box = jp2_box_create0())) { goto error; } - - // Mark the box data as never having been constructed - // so that we will not errantly attempt to destroy it later. - box->ops = &jp2_boxinfo_unk.ops; - if (jp2_getuint32(in, &len) || jp2_getuint32(in, &box->type)) { goto error; } @@ -263,10 +271,12 @@ box->info = boxinfo; box->len = len; JAS_DBGLOG(10, ( - "preliminary processing of JP2 box: type=%c%s%c (0x%08x); length=%d\n", + "preliminary processing of JP2 box: " + "type=%c%s%c (0x%08x); length=%"PRIuFAST32"\n", '"', boxinfo->name, '"', box->type, box->len )); if (box->len == 1) { + JAS_DBGLOG(10, ("big length\n")); if (jp2_getuint64(in, &extlen)) { goto error; } @@ -382,6 +392,7 @@ { jp2_bpcc_t *bpcc = &box->data.bpcc; unsigned int i; + bpcc->bpcs = 0; bpcc->numcmpts = box->datalen; if (!(bpcc->bpcs = jas_alloc2(bpcc->numcmpts, sizeof(uint_fast8_t)))) { return -1; @@ -462,6 +473,7 @@ jp2_cdef_t *cdef = &box->data.cdef; jp2_cdefchan_t *chan; unsigned int channo; + cdef->ents = 0; if (jp2_getuint16(in, &cdef->numchans)) { return -1; } @@ -518,7 +530,9 @@ } if (dataflag) { - if (jas_stream_copy(out, tmpstream, box->len - JP2_BOX_HDRLEN(false))) { + if (jas_stream_copy(out, tmpstream, box->len - + JP2_BOX_HDRLEN(false))) { + jas_eprintf("cannot copy box data\n"); goto error; } jas_stream_close(tmpstream); @@ -777,6 +791,7 @@ jp2_cmap_t *cmap = &box->data.cmap; jp2_cmapent_t *ent; unsigned int i; + cmap->ents = 0; cmap->numchans = (box->datalen) / 4; if (!(cmap->ents = jas_alloc2(cmap->numchans, sizeof(jp2_cmapent_t)))) { @@ -835,6 +850,7 @@ int_fast32_t x; pclr->lutdata = 0; + pclr->bpc = 0; if (jp2_getuint16(in, &pclr->numlutents) || jp2_getuint8(in, &pclr->numchans)) {