search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
trinity: not available on musl
[buildroot-gz.git] / package / jasper / 0006-fix-CVE-2014-8158.patch
blob8413d2ef936360b31b077ed7d760e7548d8ed9ef
1 Fix CVE-2014-8158 - unrestricted stack memory use in jpc_qmfb.c
2 From https://bugzilla.redhat.com/show_bug.cgi?id=1179298
3
4 Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
5
6 diff -up jasper-1.900.1/src/libjasper/jpc/jpc_qmfb.c.CVE-2014-8158 jasper-1.900.1/src/libjasper/jpc/jpc_qmfb.c
7 --- jasper-1.900.1/src/libjasper/jpc/jpc_qmfb.c.CVE-2014-8158 2015-01-19 17:25:28.730195502 +0100
8 +++ jasper-1.900.1/src/libjasper/jpc/jpc_qmfb.c 2015-01-19 17:27:20.214663127 +0100
9 @@ -306,11 +306,7 @@ void jpc_qmfb_split_row(jpc_fix_t *a, in
10 {
11
12 int bufsize = JPC_CEILDIVPOW2(numcols, 1);
13 -#if !defined(HAVE_VLA)
14 jpc_fix_t splitbuf[QMFB_SPLITBUFSIZE];
15 -#else
16 - jpc_fix_t splitbuf[bufsize];
17 -#endif
18 jpc_fix_t *buf = splitbuf;
19 register jpc_fix_t *srcptr;
20 register jpc_fix_t *dstptr;
21 @@ -318,7 +314,6 @@ void jpc_qmfb_split_row(jpc_fix_t *a, in
22 register int m;
23 int hstartcol;
24
25 -#if !defined(HAVE_VLA)
26 /* Get a buffer. */
27 if (bufsize > QMFB_SPLITBUFSIZE) {
28 if (!(buf = jas_alloc2(bufsize, sizeof(jpc_fix_t)))) {
29 @@ -326,7 +321,6 @@ void jpc_qmfb_split_row(jpc_fix_t *a, in
30 abort();
31 }
32 }
33 -#endif
34
35 if (numcols >= 2) {
36 hstartcol = (numcols + 1 - parity) >> 1;
37 @@ -360,12 +354,10 @@ void jpc_qmfb_split_row(jpc_fix_t *a, in
38 }
39 }
40
41 -#if !defined(HAVE_VLA)
42 /* If the split buffer was allocated on the heap, free this memory. */
43 if (buf != splitbuf) {
44 jas_free(buf);
45 }
46 -#endif
47
48 }
49
50 @@ -374,11 +366,7 @@ void jpc_qmfb_split_col(jpc_fix_t *a, in
51 {
52
53 int bufsize = JPC_CEILDIVPOW2(numrows, 1);
54 -#if !defined(HAVE_VLA)
55 jpc_fix_t splitbuf[QMFB_SPLITBUFSIZE];
56 -#else
57 - jpc_fix_t splitbuf[bufsize];
58 -#endif
59 jpc_fix_t *buf = splitbuf;
60 register jpc_fix_t *srcptr;
61 register jpc_fix_t *dstptr;
62 @@ -386,7 +374,6 @@ void jpc_qmfb_split_col(jpc_fix_t *a, in
63 register int m;
64 int hstartcol;
65
66 -#if !defined(HAVE_VLA)
67 /* Get a buffer. */
68 if (bufsize > QMFB_SPLITBUFSIZE) {
69 if (!(buf = jas_alloc2(bufsize, sizeof(jpc_fix_t)))) {
70 @@ -394,7 +381,6 @@ void jpc_qmfb_split_col(jpc_fix_t *a, in
71 abort();
72 }
73 }
74 -#endif
75
76 if (numrows >= 2) {
77 hstartcol = (numrows + 1 - parity) >> 1;
78 @@ -428,12 +414,10 @@ void jpc_qmfb_split_col(jpc_fix_t *a, in
79 }
80 }
81
82 -#if !defined(HAVE_VLA)
83 /* If the split buffer was allocated on the heap, free this memory. */
84 if (buf != splitbuf) {
85 jas_free(buf);
86 }
87 -#endif
88
89 }
90
91 @@ -442,11 +426,7 @@ void jpc_qmfb_split_colgrp(jpc_fix_t *a,
92 {
93
94 int bufsize = JPC_CEILDIVPOW2(numrows, 1);
95 -#if !defined(HAVE_VLA)
96 jpc_fix_t splitbuf[QMFB_SPLITBUFSIZE * JPC_QMFB_COLGRPSIZE];
97 -#else
98 - jpc_fix_t splitbuf[bufsize * JPC_QMFB_COLGRPSIZE];
99 -#endif
100 jpc_fix_t *buf = splitbuf;
101 jpc_fix_t *srcptr;
102 jpc_fix_t *dstptr;
103 @@ -457,7 +437,6 @@ void jpc_qmfb_split_colgrp(jpc_fix_t *a,
104 int m;
105 int hstartcol;
106
107 -#if !defined(HAVE_VLA)
108 /* Get a buffer. */
109 if (bufsize > QMFB_SPLITBUFSIZE) {
110 if (!(buf = jas_alloc2(bufsize, sizeof(jpc_fix_t)))) {
111 @@ -465,7 +444,6 @@ void jpc_qmfb_split_colgrp(jpc_fix_t *a,
112 abort();
113 }
114 }
115 -#endif
116
117 if (numrows >= 2) {
118 hstartcol = (numrows + 1 - parity) >> 1;
119 @@ -517,12 +495,10 @@ void jpc_qmfb_split_colgrp(jpc_fix_t *a,
120 }
121 }
122
123 -#if !defined(HAVE_VLA)
124 /* If the split buffer was allocated on the heap, free this memory. */
125 if (buf != splitbuf) {
126 jas_free(buf);
127 }
128 -#endif
129
130 }
131
132 @@ -531,11 +507,7 @@ void jpc_qmfb_split_colres(jpc_fix_t *a,
133 {
134
135 int bufsize = JPC_CEILDIVPOW2(numrows, 1);
136 -#if !defined(HAVE_VLA)
137 jpc_fix_t splitbuf[QMFB_SPLITBUFSIZE * JPC_QMFB_COLGRPSIZE];
138 -#else
139 - jpc_fix_t splitbuf[bufsize * numcols];
140 -#endif
141 jpc_fix_t *buf = splitbuf;
142 jpc_fix_t *srcptr;
143 jpc_fix_t *dstptr;
144 @@ -546,7 +518,6 @@ void jpc_qmfb_split_colres(jpc_fix_t *a,
145 int m;
146 int hstartcol;
147
148 -#if !defined(HAVE_VLA)
149 /* Get a buffer. */
150 if (bufsize > QMFB_SPLITBUFSIZE) {
151 if (!(buf = jas_alloc2(bufsize, sizeof(jpc_fix_t)))) {
152 @@ -554,7 +525,6 @@ void jpc_qmfb_split_colres(jpc_fix_t *a,
153 abort();
154 }
155 }
156 -#endif
157
158 if (numrows >= 2) {
159 hstartcol = (numrows + 1 - parity) >> 1;
160 @@ -606,12 +576,10 @@ void jpc_qmfb_split_colres(jpc_fix_t *a,
161 }
162 }
163
164 -#if !defined(HAVE_VLA)
165 /* If the split buffer was allocated on the heap, free this memory. */
166 if (buf != splitbuf) {
167 jas_free(buf);
168 }
169 -#endif
170
171 }
172
173 @@ -619,18 +587,13 @@ void jpc_qmfb_join_row(jpc_fix_t *a, int
174 {
175
176 int bufsize = JPC_CEILDIVPOW2(numcols, 1);
177 -#if !defined(HAVE_VLA)
178 jpc_fix_t joinbuf[QMFB_JOINBUFSIZE];
179 -#else
180 - jpc_fix_t joinbuf[bufsize];
181 -#endif
182 jpc_fix_t *buf = joinbuf;
183 register jpc_fix_t *srcptr;
184 register jpc_fix_t *dstptr;
185 register int n;
186 int hstartcol;
187
188 -#if !defined(HAVE_VLA)
189 /* Allocate memory for the join buffer from the heap. */
190 if (bufsize > QMFB_JOINBUFSIZE) {
191 if (!(buf = jas_alloc2(bufsize, sizeof(jpc_fix_t)))) {
192 @@ -638,7 +601,6 @@ void jpc_qmfb_join_row(jpc_fix_t *a, int
193 abort();
194 }
195 }
196 -#endif
197
198 hstartcol = (numcols + 1 - parity) >> 1;
199
200 @@ -670,12 +632,10 @@ void jpc_qmfb_join_row(jpc_fix_t *a, int
201 ++srcptr;
202 }
203
204 -#if !defined(HAVE_VLA)
205 /* If the join buffer was allocated on the heap, free this memory. */
206 if (buf != joinbuf) {
207 jas_free(buf);
208 }
209 -#endif
210
211 }
212
213 @@ -684,18 +644,13 @@ void jpc_qmfb_join_col(jpc_fix_t *a, int
214 {
215
216 int bufsize = JPC_CEILDIVPOW2(numrows, 1);
217 -#if !defined(HAVE_VLA)
218 jpc_fix_t joinbuf[QMFB_JOINBUFSIZE];
219 -#else
220 - jpc_fix_t joinbuf[bufsize];
221 -#endif
222 jpc_fix_t *buf = joinbuf;
223 register jpc_fix_t *srcptr;
224 register jpc_fix_t *dstptr;
225 register int n;
226 int hstartcol;
227
228 -#if !defined(HAVE_VLA)
229 /* Allocate memory for the join buffer from the heap. */
230 if (bufsize > QMFB_JOINBUFSIZE) {
231 if (!(buf = jas_alloc2(bufsize, sizeof(jpc_fix_t)))) {
232 @@ -703,7 +658,6 @@ void jpc_qmfb_join_col(jpc_fix_t *a, int
233 abort();
234 }
235 }
236 -#endif
237
238 hstartcol = (numrows + 1 - parity) >> 1;
239
240 @@ -735,12 +689,10 @@ void jpc_qmfb_join_col(jpc_fix_t *a, int
241 ++srcptr;
242 }
243
244 -#if !defined(HAVE_VLA)
245 /* If the join buffer was allocated on the heap, free this memory. */
246 if (buf != joinbuf) {
247 jas_free(buf);
248 }
249 -#endif
250
251 }
252
253 @@ -749,11 +701,7 @@ void jpc_qmfb_join_colgrp(jpc_fix_t *a,
254 {
255
256 int bufsize = JPC_CEILDIVPOW2(numrows, 1);
257 -#if !defined(HAVE_VLA)
258 jpc_fix_t joinbuf[QMFB_JOINBUFSIZE * JPC_QMFB_COLGRPSIZE];
259 -#else
260 - jpc_fix_t joinbuf[bufsize * JPC_QMFB_COLGRPSIZE];
261 -#endif
262 jpc_fix_t *buf = joinbuf;
263 jpc_fix_t *srcptr;
264 jpc_fix_t *dstptr;
265 @@ -763,7 +711,6 @@ void jpc_qmfb_join_colgrp(jpc_fix_t *a,
266 register int i;
267 int hstartcol;
268
269 -#if !defined(HAVE_VLA)
270 /* Allocate memory for the join buffer from the heap. */
271 if (bufsize > QMFB_JOINBUFSIZE) {
272 if (!(buf = jas_alloc2(bufsize, JPC_QMFB_COLGRPSIZE * sizeof(jpc_fix_t)))) {
273 @@ -771,7 +718,6 @@ void jpc_qmfb_join_colgrp(jpc_fix_t *a,
274 abort();
275 }
276 }
277 -#endif
278
279 hstartcol = (numrows + 1 - parity) >> 1;
280
281 @@ -821,12 +767,10 @@ void jpc_qmfb_join_colgrp(jpc_fix_t *a,
282 srcptr += JPC_QMFB_COLGRPSIZE;
283 }
284
285 -#if !defined(HAVE_VLA)
286 /* If the join buffer was allocated on the heap, free this memory. */
287 if (buf != joinbuf) {
288 jas_free(buf);
289 }
290 -#endif
291
292 }
293
294 @@ -835,11 +779,7 @@ void jpc_qmfb_join_colres(jpc_fix_t *a,
295 {
296
297 int bufsize = JPC_CEILDIVPOW2(numrows, 1);
298 -#if !defined(HAVE_VLA)
299 jpc_fix_t joinbuf[QMFB_JOINBUFSIZE * JPC_QMFB_COLGRPSIZE];
300 -#else
301 - jpc_fix_t joinbuf[bufsize * numcols];
302 -#endif
303 jpc_fix_t *buf = joinbuf;
304 jpc_fix_t *srcptr;
305 jpc_fix_t *dstptr;
306 @@ -849,7 +789,6 @@ void jpc_qmfb_join_colres(jpc_fix_t *a,
307 register int i;
308 int hstartcol;
309
310 -#if !defined(HAVE_VLA)
311 /* Allocate memory for the join buffer from the heap. */
312 if (bufsize > QMFB_JOINBUFSIZE) {
313 if (!(buf = jas_alloc3(bufsize, numcols, sizeof(jpc_fix_t)))) {
314 @@ -857,7 +796,6 @@ void jpc_qmfb_join_colres(jpc_fix_t *a,
315 abort();
316 }
317 }
318 -#endif
319
320 hstartcol = (numrows + 1 - parity) >> 1;
321
322 @@ -907,12 +845,10 @@ void jpc_qmfb_join_colres(jpc_fix_t *a,
323 srcptr += numcols;
324 }
325
326 -#if !defined(HAVE_VLA)
327 /* If the join buffer was allocated on the heap, free this memory. */
328 if (buf != joinbuf) {
329 jas_free(buf);
330 }
331 -#endif
332
333 }
334
My buildroot patches