all messages for Guix-related lists mirrored at yhetil.org
 help / color / mirror / code / Atom feed
* [v2 0/1] Jasper security fixes
@ 2016-02-04  8:12 Leo Famulari
  2016-02-04  8:12 ` [v2 1/1] gnu: jasper: Add fixes for several security flaws Leo Famulari
  2016-02-04 10:45 ` [v2 0/1] Jasper security fixes Andreas Enge
  0 siblings, 2 replies; 5+ messages in thread
From: Leo Famulari @ 2016-02-04  8:12 UTC (permalink / raw)
  To: guix-devel

This is the same code as before with minor changes:

1. I realized that the jasper-stepsizes-overflow.patch was btter named
jasper-CVE-2007-2721.patch and renamed it.

2. A whitespace fix.

3. I added my name in the copyright stanza.

If there are no comments I'll push today, or someone else may push.

Leo Famulari (1):
  gnu: jasper: Add fixes for several security flaws.

 gnu-system.am                                      |   9 +
 gnu/packages/image.scm                             |  14 +-
 gnu/packages/patches/jasper-CVE-2007-2721.patch    |  20 +
 gnu/packages/patches/jasper-CVE-2008-3520.patch    | 931 +++++++++++++++++++++
 .../jasper-CVE-2011-4516-and-CVE-2011-4517.patch   |  31 +
 gnu/packages/patches/jasper-CVE-2014-8137.patch    |  64 ++
 gnu/packages/patches/jasper-CVE-2014-8138.patch    |  21 +
 gnu/packages/patches/jasper-CVE-2014-8157.patch    |  19 +
 gnu/packages/patches/jasper-CVE-2014-8158.patch    | 336 ++++++++
 gnu/packages/patches/jasper-CVE-2014-9029.patch    |  36 +
 gnu/packages/patches/jasper-CVE-2016-1867.patch    |  18 +
 11 files changed, 1498 insertions(+), 1 deletion(-)
 create mode 100644 gnu/packages/patches/jasper-CVE-2007-2721.patch
 create mode 100644 gnu/packages/patches/jasper-CVE-2008-3520.patch
 create mode 100644 gnu/packages/patches/jasper-CVE-2011-4516-and-CVE-2011-4517.patch
 create mode 100644 gnu/packages/patches/jasper-CVE-2014-8137.patch
 create mode 100644 gnu/packages/patches/jasper-CVE-2014-8138.patch
 create mode 100644 gnu/packages/patches/jasper-CVE-2014-8157.patch
 create mode 100644 gnu/packages/patches/jasper-CVE-2014-8158.patch
 create mode 100644 gnu/packages/patches/jasper-CVE-2014-9029.patch
 create mode 100644 gnu/packages/patches/jasper-CVE-2016-1867.patch

-- 
2.6.3

^ permalink raw reply	[flat|nested] 5+ messages in thread

* [v2 1/1] gnu: jasper: Add fixes for several security flaws.
  2016-02-04  8:12 [v2 0/1] Jasper security fixes Leo Famulari
@ 2016-02-04  8:12 ` Leo Famulari
  2016-02-04 10:45 ` [v2 0/1] Jasper security fixes Andreas Enge
  1 sibling, 0 replies; 5+ messages in thread
From: Leo Famulari @ 2016-02-04  8:12 UTC (permalink / raw)
  To: guix-devel

* gnu/packages/patches/jasper-CVE-2007-2721.patch,
gnu/packages/patches/jasper-CVE-2008-3520.patch,
gnu/packages/patches/jasper-CVE-2011-4516-and-CVE-2011-4517.patch,
gnu/packages/patches/jasper-CVE-2014-8137.patch,
gnu/packages/patches/jasper-CVE-2014-8138.patch,
gnu/packages/patches/jasper-CVE-2014-8157.patch,
gnu/packages/patches/jasper-CVE-2014-8158.patch,
gnu/packages/patches/jasper-CVE-2014-9029.patch,
gnu/packages/patches/jasper-CVE-2016-1867.patch: New files.
* gnu-system.am (dist_patch_DATA): Add them.
* gnu/packages/image.scm (jasper)[source]: Add patches.
---
 gnu-system.am                                      |   9 +
 gnu/packages/image.scm                             |  14 +-
 gnu/packages/patches/jasper-CVE-2007-2721.patch    |  20 +
 gnu/packages/patches/jasper-CVE-2008-3520.patch    | 931 +++++++++++++++++++++
 .../jasper-CVE-2011-4516-and-CVE-2011-4517.patch   |  31 +
 gnu/packages/patches/jasper-CVE-2014-8137.patch    |  64 ++
 gnu/packages/patches/jasper-CVE-2014-8138.patch    |  21 +
 gnu/packages/patches/jasper-CVE-2014-8157.patch    |  19 +
 gnu/packages/patches/jasper-CVE-2014-8158.patch    | 336 ++++++++
 gnu/packages/patches/jasper-CVE-2014-9029.patch    |  36 +
 gnu/packages/patches/jasper-CVE-2016-1867.patch    |  18 +
 11 files changed, 1498 insertions(+), 1 deletion(-)
 create mode 100644 gnu/packages/patches/jasper-CVE-2007-2721.patch
 create mode 100644 gnu/packages/patches/jasper-CVE-2008-3520.patch
 create mode 100644 gnu/packages/patches/jasper-CVE-2011-4516-and-CVE-2011-4517.patch
 create mode 100644 gnu/packages/patches/jasper-CVE-2014-8137.patch
 create mode 100644 gnu/packages/patches/jasper-CVE-2014-8138.patch
 create mode 100644 gnu/packages/patches/jasper-CVE-2014-8157.patch
 create mode 100644 gnu/packages/patches/jasper-CVE-2014-8158.patch
 create mode 100644 gnu/packages/patches/jasper-CVE-2014-9029.patch
 create mode 100644 gnu/packages/patches/jasper-CVE-2016-1867.patch

diff --git a/gnu-system.am b/gnu-system.am
index 87ce88a..04bd519 100644
--- a/gnu-system.am
+++ b/gnu-system.am
@@ -545,7 +545,16 @@ dist_patch_DATA =						\
   gnu/packages/patches/icu4c-CVE-2015-4760.patch		\
   gnu/packages/patches/imagemagick-test-segv.patch		\
   gnu/packages/patches/irrlicht-mesa-10.patch			\
+  gnu/packages/patches/jasper-CVE-2007-2721.patch		\
+  gnu/packages/patches/jasper-CVE-2008-3520.patch		\
   gnu/packages/patches/jasper-CVE-2008-3522.patch		\
+  gnu/packages/patches/jasper-CVE-2011-4516-and-CVE-2011-4517.patch \
+  gnu/packages/patches/jasper-CVE-2014-8137.patch		\
+  gnu/packages/patches/jasper-CVE-2014-8138.patch		\
+  gnu/packages/patches/jasper-CVE-2014-8157.patch		\
+  gnu/packages/patches/jasper-CVE-2014-8158.patch		\
+  gnu/packages/patches/jasper-CVE-2014-9029.patch		\
+  gnu/packages/patches/jasper-CVE-2016-1867.patch		\
   gnu/packages/patches/jbig2dec-ignore-testtest.patch		\
   gnu/packages/patches/kmod-module-directory.patch		\
   gnu/packages/patches/ldc-disable-tests.patch			\
diff --git a/gnu/packages/image.scm b/gnu/packages/image.scm
index bf120f0..f287054 100644
--- a/gnu/packages/image.scm
+++ b/gnu/packages/image.scm
@@ -6,6 +6,7 @@
 ;;; Copyright © 2015 Taylan Ulrich Bayırlı/Kammer <taylanbayirli@gmail.com>
 ;;; Copyright © 2015 Amirouche Boubekki <amirouche@hypermove.net>
 ;;; Copyright © 2014 John Darrington <jmd@gnu.org>
+;;; Copyright © 2016 Leo Famulari <leo@famulari.name>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -719,7 +720,18 @@ convert, manipulate, filter and display a wide variety of image formats.")
               (sha256
                (base32
                 "154l7zk7yh3v8l2l6zm5s2alvd2fzkp6c9i18iajfbna5af5m43b"))
-              (patches (list (search-patch "jasper-CVE-2008-3522.patch")))))
+              (patches
+                (list
+                  (search-patch "jasper-CVE-2007-2721.patch")
+                  (search-patch "jasper-CVE-2008-3520.patch")
+                  (search-patch "jasper-CVE-2008-3522.patch")
+                  (search-patch "jasper-CVE-2011-4516-and-CVE-2011-4517.patch")
+                  (search-patch "jasper-CVE-2014-8137.patch")
+                  (search-patch "jasper-CVE-2014-8138.patch")
+                  (search-patch "jasper-CVE-2014-8157.patch")
+                  (search-patch "jasper-CVE-2014-8158.patch")
+                  (search-patch "jasper-CVE-2014-9029.patch")
+                  (search-patch "jasper-CVE-2016-1867.patch")))))
     (build-system gnu-build-system)
     (native-inputs
      `(("unzip" ,unzip)))
diff --git a/gnu/packages/patches/jasper-CVE-2007-2721.patch b/gnu/packages/patches/jasper-CVE-2007-2721.patch
new file mode 100644
index 0000000..9838247
--- /dev/null
+++ b/gnu/packages/patches/jasper-CVE-2007-2721.patch
@@ -0,0 +1,20 @@
+Fix CVE-2007-2721 (heap corruption in jpc_qcx_getcompparms()).
+
+Copied from Fedora.
+
+http://pkgs.fedoraproject.org/cgit/rpms/jasper.git/tree/patch-libjasper-stepsizes-overflow.diff
+
+--- jasper-1.900.1.orig/src/libjasper/jpc/jpc_cs.c	2007-01-19 22:43:07.000000000 +0100
++++ jasper-1.900.1/src/libjasper/jpc/jpc_cs.c	2007-04-06 01:29:02.000000000 +0200
+@@ -982,7 +982,10 @@ static int jpc_qcx_getcompparms(jpc_qcxc
+ 		compparms->numstepsizes = (len - n) / 2;
+ 		break;
+ 	}
+-	if (compparms->numstepsizes > 0) {
++	if (compparms->numstepsizes > 3 * JPC_MAXRLVLS + 1) {
++		jpc_qcx_destroycompparms(compparms);
++                return -1;
++        } else if (compparms->numstepsizes > 0) {
+ 		compparms->stepsizes = jas_malloc(compparms->numstepsizes *
+ 		  sizeof(uint_fast16_t));
+ 		assert(compparms->stepsizes);
diff --git a/gnu/packages/patches/jasper-CVE-2008-3520.patch b/gnu/packages/patches/jasper-CVE-2008-3520.patch
new file mode 100644
index 0000000..6c87726
--- /dev/null
+++ b/gnu/packages/patches/jasper-CVE-2008-3520.patch
@@ -0,0 +1,931 @@
+Fix CVE-2008-3520 (multiple integer overflows in jas_alloc calls).
+
+Copied from Fedora.
+
+http://pkgs.fedoraproject.org/cgit/rpms/jasper.git/tree/jasper-1.900.1-CVE-2008-3520.patch
+https://bugzilla.redhat.com/show_bug.cgi?id=461476
+
+diff -pruN jasper-1.900.1.orig/src/libjasper/base/jas_cm.c jasper-1.900.1/src/libjasper/base/jas_cm.c
+--- jasper-1.900.1.orig/src/libjasper/base/jas_cm.c	2007-01-19 22:43:05.000000000 +0100
++++ jasper-1.900.1/src/libjasper/base/jas_cm.c	2009-10-22 10:27:45.000000000 +0200
+@@ -704,8 +704,7 @@ static int jas_cmpxformseq_resize(jas_cm
+ {
+ 	jas_cmpxform_t **p;
+ 	assert(n >= pxformseq->numpxforms);
+-	p = (!pxformseq->pxforms) ? jas_malloc(n * sizeof(jas_cmpxform_t *)) :
+-	  jas_realloc(pxformseq->pxforms, n * sizeof(jas_cmpxform_t *));
++	p = jas_realloc2(pxformseq->pxforms, n, sizeof(jas_cmpxform_t *));
+ 	if (!p) {
+ 		return -1;
+ 	}
+@@ -889,13 +888,13 @@ static int jas_cmshapmatlut_set(jas_cmsh
+ 	jas_cmshapmatlut_cleanup(lut);
+ 	if (curv->numents == 0) {
+ 		lut->size = 2;
+-		if (!(lut->data = jas_malloc(lut->size * sizeof(jas_cmreal_t))))
++		if (!(lut->data = jas_alloc2(lut->size, sizeof(jas_cmreal_t))))
+ 			goto error;
+ 		lut->data[0] = 0.0;
+ 		lut->data[1] = 1.0;
+ 	} else if (curv->numents == 1) {
+ 		lut->size = 256;
+-		if (!(lut->data = jas_malloc(lut->size * sizeof(jas_cmreal_t))))
++		if (!(lut->data = jas_alloc2(lut->size, sizeof(jas_cmreal_t))))
+ 			goto error;
+ 		gamma = curv->ents[0] / 256.0;
+ 		for (i = 0; i < lut->size; ++i) {
+@@ -903,7 +902,7 @@ static int jas_cmshapmatlut_set(jas_cmsh
+ 		}
+ 	} else {
+ 		lut->size = curv->numents;
+-		if (!(lut->data = jas_malloc(lut->size * sizeof(jas_cmreal_t))))
++		if (!(lut->data = jas_alloc2(lut->size, sizeof(jas_cmreal_t))))
+ 			goto error;
+ 		for (i = 0; i < lut->size; ++i) {
+ 			lut->data[i] = curv->ents[i] / 65535.0;
+@@ -953,7 +952,7 @@ static int jas_cmshapmatlut_invert(jas_c
+ 			return -1;
+ 		}
+ 	}
+-	if (!(invlut->data = jas_malloc(n * sizeof(jas_cmreal_t))))
++	if (!(invlut->data = jas_alloc2(n, sizeof(jas_cmreal_t))))
+ 		return -1;
+ 	invlut->size = n;
+ 	for (i = 0; i < invlut->size; ++i) {
+diff -pruN jasper-1.900.1.orig/src/libjasper/base/jas_icc.c jasper-1.900.1/src/libjasper/base/jas_icc.c
+--- jasper-1.900.1.orig/src/libjasper/base/jas_icc.c	2007-01-19 22:43:05.000000000 +0100
++++ jasper-1.900.1/src/libjasper/base/jas_icc.c	2009-10-22 10:27:45.000000000 +0200
+@@ -373,7 +373,7 @@ int jas_iccprof_save(jas_iccprof_t *prof
+ 	jas_icctagtab_t *tagtab;
+ 
+ 	tagtab = &prof->tagtab;
+-	if (!(tagtab->ents = jas_malloc(prof->attrtab->numattrs *
++	if (!(tagtab->ents = jas_alloc2(prof->attrtab->numattrs,
+ 	  sizeof(jas_icctagtabent_t))))
+ 		goto error;
+ 	tagtab->numents = prof->attrtab->numattrs;
+@@ -522,7 +522,7 @@ static int jas_iccprof_gettagtab(jas_str
+ 	}
+ 	if (jas_iccgetuint32(in, &tagtab->numents))
+ 		goto error;
+-	if (!(tagtab->ents = jas_malloc(tagtab->numents *
++	if (!(tagtab->ents = jas_alloc2(tagtab->numents,
+ 	  sizeof(jas_icctagtabent_t))))
+ 		goto error;
+ 	tagtabent = tagtab->ents;
+@@ -743,8 +743,7 @@ static int jas_iccattrtab_resize(jas_icc
+ {
+ 	jas_iccattr_t *newattrs;
+ 	assert(maxents >= tab->numattrs);
+-	newattrs = tab->attrs ? jas_realloc(tab->attrs, maxents *
+-	  sizeof(jas_iccattr_t)) : jas_malloc(maxents * sizeof(jas_iccattr_t));
++	newattrs = jas_realloc2(tab->attrs, maxents, sizeof(jas_iccattr_t));
+ 	if (!newattrs)
+ 		return -1;
+ 	tab->attrs = newattrs;
+@@ -999,7 +998,7 @@ static int jas_icccurv_input(jas_iccattr
+ 
+ 	if (jas_iccgetuint32(in, &curv->numents))
+ 		goto error;
+-	if (!(curv->ents = jas_malloc(curv->numents * sizeof(jas_iccuint16_t))))
++	if (!(curv->ents = jas_alloc2(curv->numents, sizeof(jas_iccuint16_t))))
+ 		goto error;
+ 	for (i = 0; i < curv->numents; ++i) {
+ 		if (jas_iccgetuint16(in, &curv->ents[i]))
+@@ -1100,7 +1099,7 @@ static int jas_icctxtdesc_input(jas_icca
+ 	if (jas_iccgetuint32(in, &txtdesc->uclangcode) ||
+ 	  jas_iccgetuint32(in, &txtdesc->uclen))
+ 		goto error;
+-	if (!(txtdesc->ucdata = jas_malloc(txtdesc->uclen * 2)))
++	if (!(txtdesc->ucdata = jas_alloc2(txtdesc->uclen, 2)))
+ 		goto error;
+ 	if (jas_stream_read(in, txtdesc->ucdata, txtdesc->uclen * 2) !=
+ 	  JAS_CAST(int, txtdesc->uclen * 2))
+@@ -1292,17 +1291,17 @@ static int jas_icclut8_input(jas_iccattr
+ 	  jas_iccgetuint16(in, &lut8->numouttabents))
+ 		goto error;
+ 	clutsize = jas_iccpowi(lut8->clutlen, lut8->numinchans) * lut8->numoutchans;
+-	if (!(lut8->clut = jas_malloc(clutsize * sizeof(jas_iccuint8_t))) ||
+-	  !(lut8->intabsbuf = jas_malloc(lut8->numinchans *
+-	  lut8->numintabents * sizeof(jas_iccuint8_t))) ||
+-	  !(lut8->intabs = jas_malloc(lut8->numinchans *
++	if (!(lut8->clut = jas_alloc2(clutsize, sizeof(jas_iccuint8_t))) ||
++	  !(lut8->intabsbuf = jas_alloc3(lut8->numinchans,
++	  lut8->numintabents, sizeof(jas_iccuint8_t))) ||
++	  !(lut8->intabs = jas_alloc2(lut8->numinchans,
+ 	  sizeof(jas_iccuint8_t *))))
+ 		goto error;
+ 	for (i = 0; i < lut8->numinchans; ++i)
+ 		lut8->intabs[i] = &lut8->intabsbuf[i * lut8->numintabents];
+-	if (!(lut8->outtabsbuf = jas_malloc(lut8->numoutchans *
+-	  lut8->numouttabents * sizeof(jas_iccuint8_t))) ||
+-	  !(lut8->outtabs = jas_malloc(lut8->numoutchans *
++	if (!(lut8->outtabsbuf = jas_alloc3(lut8->numoutchans,
++	  lut8->numouttabents, sizeof(jas_iccuint8_t))) ||
++	  !(lut8->outtabs = jas_alloc2(lut8->numoutchans,
+ 	  sizeof(jas_iccuint8_t *))))
+ 		goto error;
+ 	for (i = 0; i < lut8->numoutchans; ++i)
+@@ -1461,17 +1460,17 @@ static int jas_icclut16_input(jas_iccatt
+ 	  jas_iccgetuint16(in, &lut16->numouttabents))
+ 		goto error;
+ 	clutsize = jas_iccpowi(lut16->clutlen, lut16->numinchans) * lut16->numoutchans;
+-	if (!(lut16->clut = jas_malloc(clutsize * sizeof(jas_iccuint16_t))) ||
+-	  !(lut16->intabsbuf = jas_malloc(lut16->numinchans *
+-	  lut16->numintabents * sizeof(jas_iccuint16_t))) ||
+-	  !(lut16->intabs = jas_malloc(lut16->numinchans *
++	if (!(lut16->clut = jas_alloc2(clutsize, sizeof(jas_iccuint16_t))) ||
++	  !(lut16->intabsbuf = jas_alloc3(lut16->numinchans,
++	  lut16->numintabents, sizeof(jas_iccuint16_t))) ||
++	  !(lut16->intabs = jas_alloc2(lut16->numinchans,
+ 	  sizeof(jas_iccuint16_t *))))
+ 		goto error;
+ 	for (i = 0; i < lut16->numinchans; ++i)
+ 		lut16->intabs[i] = &lut16->intabsbuf[i * lut16->numintabents];
+-	if (!(lut16->outtabsbuf = jas_malloc(lut16->numoutchans *
+-	  lut16->numouttabents * sizeof(jas_iccuint16_t))) ||
+-	  !(lut16->outtabs = jas_malloc(lut16->numoutchans *
++	if (!(lut16->outtabsbuf = jas_alloc3(lut16->numoutchans,
++	  lut16->numouttabents, sizeof(jas_iccuint16_t))) ||
++	  !(lut16->outtabs = jas_alloc2(lut16->numoutchans,
+ 	  sizeof(jas_iccuint16_t *))))
+ 		goto error;
+ 	for (i = 0; i < lut16->numoutchans; ++i)
+diff -pruN jasper-1.900.1.orig/src/libjasper/base/jas_image.c jasper-1.900.1/src/libjasper/base/jas_image.c
+--- jasper-1.900.1.orig/src/libjasper/base/jas_image.c	2007-01-19 22:43:05.000000000 +0100
++++ jasper-1.900.1/src/libjasper/base/jas_image.c	2009-10-22 10:27:45.000000000 +0200
+@@ -142,7 +142,7 @@ jas_image_t *jas_image_create(int numcmp
+ 	image->inmem_ = true;
+ 
+ 	/* Allocate memory for the per-component information. */
+-	if (!(image->cmpts_ = jas_malloc(image->maxcmpts_ *
++	if (!(image->cmpts_ = jas_alloc2(image->maxcmpts_,
+ 	  sizeof(jas_image_cmpt_t *)))) {
+ 		jas_image_destroy(image);
+ 		return 0;
+@@ -774,8 +774,7 @@ static int jas_image_growcmpts(jas_image
+ 	jas_image_cmpt_t **newcmpts;
+ 	int cmptno;
+ 
+-	newcmpts = (!image->cmpts_) ? jas_malloc(maxcmpts * sizeof(jas_image_cmpt_t *)) :
+-	  jas_realloc(image->cmpts_, maxcmpts * sizeof(jas_image_cmpt_t *));
++	newcmpts = jas_realloc2(image->cmpts_, maxcmpts, sizeof(jas_image_cmpt_t *));
+ 	if (!newcmpts) {
+ 		return -1;
+ 	}
+diff -pruN jasper-1.900.1.orig/src/libjasper/base/jas_malloc.c jasper-1.900.1/src/libjasper/base/jas_malloc.c
+--- jasper-1.900.1.orig/src/libjasper/base/jas_malloc.c	2007-01-19 22:43:05.000000000 +0100
++++ jasper-1.900.1/src/libjasper/base/jas_malloc.c	2009-10-22 10:27:45.000000000 +0200
+@@ -76,6 +76,9 @@
+ 
+ /* We need the prototype for memset. */
+ #include <string.h>
++#include <limits.h>
++#include <errno.h>
++#include <stdint.h>
+ 
+ #include "jasper/jas_malloc.h"
+ 
+@@ -113,18 +116,50 @@ void jas_free(void *ptr)
+ 
+ void *jas_realloc(void *ptr, size_t size)
+ {
+-	return realloc(ptr, size);
++	return ptr ? realloc(ptr, size) : malloc(size);
+ }
+ 
+-void *jas_calloc(size_t nmemb, size_t size)
++void *jas_realloc2(void *ptr, size_t nmemb, size_t size)
++{
++	if (!ptr)
++		return jas_alloc2(nmemb, size);
++	if (nmemb && SIZE_MAX / nmemb < size) {
++		errno = ENOMEM;
++		return NULL;
++	}
++	return jas_realloc(ptr, nmemb * size);
++
++}
++
++void *jas_alloc2(size_t nmemb, size_t size)
++{
++	if (nmemb && SIZE_MAX / nmemb < size) {
++		errno = ENOMEM;
++		return NULL;
++	}
++
++	return jas_malloc(nmemb * size);
++}
++
++void *jas_alloc3(size_t a, size_t b, size_t c)
+ {
+-	void *ptr;
+ 	size_t n;
+-	n = nmemb * size;
+-	if (!(ptr = jas_malloc(n * sizeof(char)))) {
+-		return 0;
++
++	if (a && SIZE_MAX / a < b) {
++		errno = ENOMEM;
++		return NULL;
+ 	}
+-	memset(ptr, 0, n);
++
++	return jas_alloc2(a*b, c);
++}
++
++void *jas_calloc(size_t nmemb, size_t size)
++{
++	void *ptr;
++
++	ptr = jas_alloc2(nmemb, size);
++	if (ptr)
++		memset(ptr, 0, nmemb*size);
+ 	return ptr;
+ }
+ 
+diff -pruN jasper-1.900.1.orig/src/libjasper/base/jas_seq.c jasper-1.900.1/src/libjasper/base/jas_seq.c
+--- jasper-1.900.1.orig/src/libjasper/base/jas_seq.c	2007-01-19 22:43:05.000000000 +0100
++++ jasper-1.900.1/src/libjasper/base/jas_seq.c	2009-10-22 10:27:45.000000000 +0200
+@@ -114,7 +114,7 @@ jas_matrix_t *jas_matrix_create(int numr
+ 	matrix->datasize_ = numrows * numcols;
+ 
+ 	if (matrix->maxrows_ > 0) {
+-		if (!(matrix->rows_ = jas_malloc(matrix->maxrows_ *
++		if (!(matrix->rows_ = jas_alloc2(matrix->maxrows_,
+ 		  sizeof(jas_seqent_t *)))) {
+ 			jas_matrix_destroy(matrix);
+ 			return 0;
+@@ -122,7 +122,7 @@ jas_matrix_t *jas_matrix_create(int numr
+ 	}
+ 
+ 	if (matrix->datasize_ > 0) {
+-		if (!(matrix->data_ = jas_malloc(matrix->datasize_ *
++		if (!(matrix->data_ = jas_alloc2(matrix->datasize_,
+ 		  sizeof(jas_seqent_t)))) {
+ 			jas_matrix_destroy(matrix);
+ 			return 0;
+@@ -220,7 +220,7 @@ void jas_matrix_bindsub(jas_matrix_t *ma
+ 	mat0->numrows_ = r1 - r0 + 1;
+ 	mat0->numcols_ = c1 - c0 + 1;
+ 	mat0->maxrows_ = mat0->numrows_;
+-	mat0->rows_ = jas_malloc(mat0->maxrows_ * sizeof(jas_seqent_t *));
++	mat0->rows_ = jas_alloc2(mat0->maxrows_, sizeof(jas_seqent_t *));
+ 	for (i = 0; i < mat0->numrows_; ++i) {
+ 		mat0->rows_[i] = mat1->rows_[r0 + i] + c0;
+ 	}
+diff -pruN jasper-1.900.1.orig/src/libjasper/base/jas_stream.c jasper-1.900.1/src/libjasper/base/jas_stream.c
+--- jasper-1.900.1.orig/src/libjasper/base/jas_stream.c	2007-01-19 22:43:05.000000000 +0100
++++ jasper-1.900.1/src/libjasper/base/jas_stream.c	2009-10-22 10:27:45.000000000 +0200
+@@ -212,7 +212,7 @@ jas_stream_t *jas_stream_memopen(char *b
+ 	if (buf) {
+ 		obj->buf_ = (unsigned char *) buf;
+ 	} else {
+-		obj->buf_ = jas_malloc(obj->bufsize_ * sizeof(char));
++		obj->buf_ = jas_malloc(obj->bufsize_);
+ 		obj->myalloc_ = 1;
+ 	}
+ 	if (!obj->buf_) {
+@@ -992,7 +992,7 @@ static int mem_resize(jas_stream_memobj_
+ 	unsigned char *buf;
+ 
+ 	assert(m->buf_);
+-	if (!(buf = jas_realloc(m->buf_, bufsize * sizeof(unsigned char)))) {
++	if (!(buf = jas_realloc(m->buf_, bufsize))) {
+ 		return -1;
+ 	}
+ 	m->buf_ = buf;
+diff -pruN jasper-1.900.1.orig/src/libjasper/bmp/bmp_dec.c jasper-1.900.1/src/libjasper/bmp/bmp_dec.c
+--- jasper-1.900.1.orig/src/libjasper/bmp/bmp_dec.c	2007-01-19 22:43:07.000000000 +0100
++++ jasper-1.900.1/src/libjasper/bmp/bmp_dec.c	2009-10-22 10:27:45.000000000 +0200
+@@ -283,7 +283,7 @@ static bmp_info_t *bmp_getinfo(jas_strea
+ 	}
+ 
+ 	if (info->numcolors > 0) {
+-		if (!(info->palents = jas_malloc(info->numcolors *
++		if (!(info->palents = jas_alloc2(info->numcolors,
+ 		  sizeof(bmp_palent_t)))) {
+ 			bmp_info_destroy(info);
+ 			return 0;
+diff -pruN jasper-1.900.1.orig/src/libjasper/include/jasper/jas_malloc.h jasper-1.900.1/src/libjasper/include/jasper/jas_malloc.h
+--- jasper-1.900.1.orig/src/libjasper/include/jasper/jas_malloc.h	2007-01-19 22:43:04.000000000 +0100
++++ jasper-1.900.1/src/libjasper/include/jasper/jas_malloc.h	2009-10-22 10:27:45.000000000 +0200
+@@ -95,6 +95,9 @@ extern "C" {
+ #define	jas_free	MEMFREE
+ #define	jas_realloc	MEMREALLOC
+ #define	jas_calloc	MEMCALLOC
++#define jas_alloc2(a, b)	MEMALLOC((a)*(b))
++#define jas_alloc3(a, b, c)	MEMALLOC((a)*(b)*(c))
++#define jas_realloc2(p, a, b)	MEMREALLOC((p), (a)*(b))
+ #endif
+ 
+ /******************************************************************************\
+@@ -115,6 +118,12 @@ void *jas_realloc(void *ptr, size_t size
+ /* Allocate a block of memory and initialize the contents to zero. */
+ void *jas_calloc(size_t nmemb, size_t size);
+ 
++/* size-checked double allocation .*/
++void *jas_alloc2(size_t, size_t);
++
++void *jas_alloc3(size_t, size_t, size_t);
++
++void *jas_realloc2(void *, size_t, size_t);
+ #endif
+ 
+ #ifdef __cplusplus
+diff -pruN jasper-1.900.1.orig/src/libjasper/jp2/jp2_cod.c jasper-1.900.1/src/libjasper/jp2/jp2_cod.c
+--- jasper-1.900.1.orig/src/libjasper/jp2/jp2_cod.c	2007-01-19 22:43:05.000000000 +0100
++++ jasper-1.900.1/src/libjasper/jp2/jp2_cod.c	2009-10-22 10:30:24.000000000 +0200
+@@ -247,7 +247,7 @@ jp2_box_t *jp2_box_get(jas_stream_t *in)
+ 	box = 0;
+ 	tmpstream = 0;
+ 
+-	if (!(box = jas_malloc(sizeof(jp2_box_t)))) {
++	if (!(box = jas_calloc(1, sizeof(jp2_box_t)))) {
+ 		goto error;
+ 	}
+ 	box->ops = &jp2_boxinfo_unk.ops;
+@@ -372,7 +372,7 @@ static int jp2_bpcc_getdata(jp2_box_t *b
+ 	jp2_bpcc_t *bpcc = &box->data.bpcc;
+ 	unsigned int i;
+ 	bpcc->numcmpts = box->datalen;
+-	if (!(bpcc->bpcs = jas_malloc(bpcc->numcmpts * sizeof(uint_fast8_t)))) {
++	if (!(bpcc->bpcs = jas_alloc2(bpcc->numcmpts, sizeof(uint_fast8_t)))) {
+ 		return -1;
+ 	}
+ 	for (i = 0; i < bpcc->numcmpts; ++i) {
+@@ -416,7 +416,7 @@ static int jp2_colr_getdata(jp2_box_t *b
+ 		break;
+ 	case JP2_COLR_ICC:
+ 		colr->iccplen = box->datalen - 3;
+-		if (!(colr->iccp = jas_malloc(colr->iccplen * sizeof(uint_fast8_t)))) {
++		if (!(colr->iccp = jas_alloc2(colr->iccplen, sizeof(uint_fast8_t)))) {
+ 			return -1;
+ 		}
+ 		if (jas_stream_read(in, colr->iccp, colr->iccplen) != colr->iccplen) {
+@@ -453,7 +453,7 @@ static int jp2_cdef_getdata(jp2_box_t *b
+ 	if (jp2_getuint16(in, &cdef->numchans)) {
+ 		return -1;
+ 	}
+-	if (!(cdef->ents = jas_malloc(cdef->numchans * sizeof(jp2_cdefchan_t)))) {
++	if (!(cdef->ents = jas_alloc2(cdef->numchans, sizeof(jp2_cdefchan_t)))) {
+ 		return -1;
+ 	}
+ 	for (channo = 0; channo < cdef->numchans; ++channo) {
+@@ -766,7 +766,7 @@ static int jp2_cmap_getdata(jp2_box_t *b
+ 	unsigned int i;
+ 
+ 	cmap->numchans = (box->datalen) / 4;
+-	if (!(cmap->ents = jas_malloc(cmap->numchans * sizeof(jp2_cmapent_t)))) {
++	if (!(cmap->ents = jas_alloc2(cmap->numchans, sizeof(jp2_cmapent_t)))) {
+ 		return -1;
+ 	}
+ 	for (i = 0; i < cmap->numchans; ++i) {
+@@ -828,10 +828,10 @@ static int jp2_pclr_getdata(jp2_box_t *b
+ 		return -1;
+ 	}
+ 	lutsize = pclr->numlutents * pclr->numchans;
+-	if (!(pclr->lutdata = jas_malloc(lutsize * sizeof(int_fast32_t)))) {
++	if (!(pclr->lutdata = jas_alloc2(lutsize, sizeof(int_fast32_t)))) {
+ 		return -1;
+ 	}
+-	if (!(pclr->bpc = jas_malloc(pclr->numchans * sizeof(uint_fast8_t)))) {
++	if (!(pclr->bpc = jas_alloc2(pclr->numchans, sizeof(uint_fast8_t)))) {
+ 		return -1;
+ 	}
+ 	for (i = 0; i < pclr->numchans; ++i) {
+diff -pruN jasper-1.900.1.orig/src/libjasper/jp2/jp2_dec.c jasper-1.900.1/src/libjasper/jp2/jp2_dec.c
+--- jasper-1.900.1.orig/src/libjasper/jp2/jp2_dec.c	2007-01-19 22:43:05.000000000 +0100
++++ jasper-1.900.1/src/libjasper/jp2/jp2_dec.c	2009-10-22 10:27:45.000000000 +0200
+@@ -336,7 +336,7 @@ jas_image_t *jp2_decode(jas_stream_t *in
+ 	}
+ 
+ 	/* Allocate space for the channel-number to component-number LUT. */
+-	if (!(dec->chantocmptlut = jas_malloc(dec->numchans * sizeof(uint_fast16_t)))) {
++	if (!(dec->chantocmptlut = jas_alloc2(dec->numchans, sizeof(uint_fast16_t)))) {
+ 		jas_eprintf("error: no memory\n");
+ 		goto error;
+ 	}
+@@ -354,7 +354,7 @@ jas_image_t *jp2_decode(jas_stream_t *in
+ 			if (cmapent->map == JP2_CMAP_DIRECT) {
+ 				dec->chantocmptlut[channo] = channo;
+ 			} else if (cmapent->map == JP2_CMAP_PALETTE) {
+-				lutents = jas_malloc(pclrd->numlutents * sizeof(int_fast32_t));
++				lutents = jas_alloc2(pclrd->numlutents, sizeof(int_fast32_t));
+ 				for (i = 0; i < pclrd->numlutents; ++i) {
+ 					lutents[i] = pclrd->lutdata[cmapent->pcol + i * pclrd->numchans];
+ 				}
+diff -pruN jasper-1.900.1.orig/src/libjasper/jp2/jp2_enc.c jasper-1.900.1/src/libjasper/jp2/jp2_enc.c
+--- jasper-1.900.1.orig/src/libjasper/jp2/jp2_enc.c	2007-01-19 22:43:05.000000000 +0100
++++ jasper-1.900.1/src/libjasper/jp2/jp2_enc.c	2009-10-22 10:27:45.000000000 +0200
+@@ -191,7 +191,7 @@ int sgnd;
+ 		}
+ 		bpcc = &box->data.bpcc;
+ 		bpcc->numcmpts = jas_image_numcmpts(image);
+-		if (!(bpcc->bpcs = jas_malloc(bpcc->numcmpts *
++		if (!(bpcc->bpcs = jas_alloc2(bpcc->numcmpts,
+ 		  sizeof(uint_fast8_t)))) {
+ 			goto error;
+ 		}
+@@ -285,7 +285,7 @@ int sgnd;
+ 		}
+ 		cdef = &box->data.cdef;
+ 		cdef->numchans = jas_image_numcmpts(image);
+-		cdef->ents = jas_malloc(cdef->numchans * sizeof(jp2_cdefchan_t));
++		cdef->ents = jas_alloc2(cdef->numchans, sizeof(jp2_cdefchan_t));
+ 		for (i = 0; i < jas_image_numcmpts(image); ++i) {
+ 			cdefchanent = &cdef->ents[i];
+ 			cdefchanent->channo = i;
+diff -pruN jasper-1.900.1.orig/src/libjasper/jpc/jpc_cs.c jasper-1.900.1/src/libjasper/jpc/jpc_cs.c
+--- jasper-1.900.1.orig/src/libjasper/jpc/jpc_cs.c	2009-10-22 09:58:16.000000000 +0200
++++ jasper-1.900.1/src/libjasper/jpc/jpc_cs.c	2009-10-22 10:27:45.000000000 +0200
+@@ -502,7 +502,7 @@ static int jpc_siz_getparms(jpc_ms_t *ms
+ 	  !siz->tileheight || !siz->numcomps) {
+ 		return -1;
+ 	}
+-	if (!(siz->comps = jas_malloc(siz->numcomps * sizeof(jpc_sizcomp_t)))) {
++	if (!(siz->comps = jas_alloc2(siz->numcomps, sizeof(jpc_sizcomp_t)))) {
+ 		return -1;
+ 	}
+ 	for (i = 0; i < siz->numcomps; ++i) {
+@@ -986,7 +986,7 @@ static int jpc_qcx_getcompparms(jpc_qcxc
+ 		jpc_qcx_destroycompparms(compparms);
+                 return -1;
+         } else if (compparms->numstepsizes > 0) {
+-		compparms->stepsizes = jas_malloc(compparms->numstepsizes *
++		compparms->stepsizes = jas_alloc2(compparms->numstepsizes,
+ 		  sizeof(uint_fast16_t));
+ 		assert(compparms->stepsizes);
+ 		for (i = 0; i < compparms->numstepsizes; ++i) {
+@@ -1094,7 +1094,7 @@ static int jpc_ppm_getparms(jpc_ms_t *ms
+ 
+ 	ppm->len = ms->len - 1;
+ 	if (ppm->len > 0) {
+-		if (!(ppm->data = jas_malloc(ppm->len * sizeof(unsigned char)))) {
++		if (!(ppm->data = jas_malloc(ppm->len))) {
+ 			goto error;
+ 		}
+ 		if (JAS_CAST(uint, jas_stream_read(in, ppm->data, ppm->len)) != ppm->len) {
+@@ -1163,7 +1163,7 @@ static int jpc_ppt_getparms(jpc_ms_t *ms
+ 	}
+ 	ppt->len = ms->len - 1;
+ 	if (ppt->len > 0) {
+-		if (!(ppt->data = jas_malloc(ppt->len * sizeof(unsigned char)))) {
++		if (!(ppt->data = jas_malloc(ppt->len))) {
+ 			goto error;
+ 		}
+ 		if (jas_stream_read(in, (char *) ppt->data, ppt->len) != JAS_CAST(int, ppt->len)) {
+@@ -1226,7 +1226,7 @@ static int jpc_poc_getparms(jpc_ms_t *ms
+ 	uint_fast8_t tmp;
+ 	poc->numpchgs = (cstate->numcomps > 256) ? (ms->len / 9) :
+ 	  (ms->len / 7);
+-	if (!(poc->pchgs = jas_malloc(poc->numpchgs * sizeof(jpc_pocpchg_t)))) {
++	if (!(poc->pchgs = jas_alloc2(poc->numpchgs, sizeof(jpc_pocpchg_t)))) {
+ 		goto error;
+ 	}
+ 	for (pchgno = 0, pchg = poc->pchgs; pchgno < poc->numpchgs; ++pchgno,
+@@ -1331,7 +1331,7 @@ static int jpc_crg_getparms(jpc_ms_t *ms
+ 	jpc_crgcomp_t *comp;
+ 	uint_fast16_t compno;
+ 	crg->numcomps = cstate->numcomps;
+-	if (!(crg->comps = jas_malloc(cstate->numcomps * sizeof(uint_fast16_t)))) {
++	if (!(crg->comps = jas_alloc2(cstate->numcomps, sizeof(uint_fast16_t)))) {
+ 		return -1;
+ 	}
+ 	for (compno = 0, comp = crg->comps; compno < cstate->numcomps;
+@@ -1470,7 +1470,7 @@ static int jpc_unk_getparms(jpc_ms_t *ms
+ 	cstate = 0;
+ 
+ 	if (ms->len > 0) {
+-		if (!(unk->data = jas_malloc(ms->len * sizeof(unsigned char)))) {
++		if (!(unk->data = jas_malloc(ms->len))) {
+ 			return -1;
+ 		}
+ 		if (jas_stream_read(in, (char *) unk->data, ms->len) != JAS_CAST(int, ms->len)) {
+diff -pruN jasper-1.900.1.orig/src/libjasper/jpc/jpc_dec.c jasper-1.900.1/src/libjasper/jpc/jpc_dec.c
+--- jasper-1.900.1.orig/src/libjasper/jpc/jpc_dec.c	2009-10-22 09:58:16.000000000 +0200
++++ jasper-1.900.1/src/libjasper/jpc/jpc_dec.c	2009-10-22 10:30:50.000000000 +0200
+@@ -449,7 +449,7 @@ static int jpc_dec_process_sot(jpc_dec_t
+ 
+ 	if (dec->state == JPC_MH) {
+ 
+-		compinfos = jas_malloc(dec->numcomps * sizeof(jas_image_cmptparm_t));
++		compinfos = jas_alloc2(dec->numcomps, sizeof(jas_image_cmptparm_t));
+ 		assert(compinfos);
+ 		for (cmptno = 0, cmpt = dec->cmpts, compinfo = compinfos;
+ 		  cmptno < dec->numcomps; ++cmptno, ++cmpt, ++compinfo) {
+@@ -692,7 +692,7 @@ static int jpc_dec_tileinit(jpc_dec_t *d
+ 			tile->realmode = 1;
+ 		}
+ 		tcomp->numrlvls = ccp->numrlvls;
+-		if (!(tcomp->rlvls = jas_malloc(tcomp->numrlvls *
++		if (!(tcomp->rlvls = jas_alloc2(tcomp->numrlvls,
+ 		  sizeof(jpc_dec_rlvl_t)))) {
+ 			return -1;
+ 		}
+@@ -764,7 +764,7 @@ rlvl->bands = 0;
+ 			  rlvl->cbgheightexpn);
+ 
+ 			rlvl->numbands = (!rlvlno) ? 1 : 3;
+-			if (!(rlvl->bands = jas_malloc(rlvl->numbands *
++			if (!(rlvl->bands = jas_alloc2(rlvl->numbands,
+ 			  sizeof(jpc_dec_band_t)))) {
+ 				return -1;
+ 			}
+@@ -797,7 +797,7 @@ rlvl->bands = 0;
+ 
+ 				assert(rlvl->numprcs);
+ 
+-				if (!(band->prcs = jas_malloc(rlvl->numprcs * sizeof(jpc_dec_prc_t)))) {
++				if (!(band->prcs = jas_alloc2(rlvl->numprcs, sizeof(jpc_dec_prc_t)))) {
+ 					return -1;
+ 				}
+ 
+@@ -834,7 +834,7 @@ rlvl->bands = 0;
+ 			if (!(prc->numimsbstagtree = jpc_tagtree_create(prc->numhcblks, prc->numvcblks))) {
+ 				return -1;
+ 			}
+-			if (!(prc->cblks = jas_malloc(prc->numcblks * sizeof(jpc_dec_cblk_t)))) {
++			if (!(prc->cblks = jas_alloc2(prc->numcblks, sizeof(jpc_dec_cblk_t)))) {
+ 				return -1;
+ 			}
+ 
+@@ -1181,7 +1181,7 @@ static int jpc_dec_process_siz(jpc_dec_t
+ 		return -1;
+ 	}
+ 
+-	if (!(dec->cmpts = jas_malloc(dec->numcomps * sizeof(jpc_dec_cmpt_t)))) {
++	if (!(dec->cmpts = jas_alloc2(dec->numcomps, sizeof(jpc_dec_cmpt_t)))) {
+ 		return -1;
+ 	}
+ 
+@@ -1204,7 +1204,7 @@ static int jpc_dec_process_siz(jpc_dec_t
+ 	dec->numhtiles = JPC_CEILDIV(dec->xend - dec->tilexoff, dec->tilewidth);
+ 	dec->numvtiles = JPC_CEILDIV(dec->yend - dec->tileyoff, dec->tileheight);
+ 	dec->numtiles = dec->numhtiles * dec->numvtiles;
+-	if (!(dec->tiles = jas_malloc(dec->numtiles * sizeof(jpc_dec_tile_t)))) {
++	if (!(dec->tiles = jas_calloc(dec->numtiles, sizeof(jpc_dec_tile_t)))) {
+ 		return -1;
+ 	}
+ 
+@@ -1228,7 +1228,7 @@ static int jpc_dec_process_siz(jpc_dec_t
+ 		tile->pkthdrstreampos = 0;
+ 		tile->pptstab = 0;
+ 		tile->cp = 0;
+-		if (!(tile->tcomps = jas_malloc(dec->numcomps *
++		if (!(tile->tcomps = jas_calloc(dec->numcomps,
+ 		  sizeof(jpc_dec_tcomp_t)))) {
+ 			return -1;
+ 		}
+@@ -1489,7 +1489,7 @@ static jpc_dec_cp_t *jpc_dec_cp_create(u
+ 	cp->numlyrs = 0;
+ 	cp->mctid = 0;
+ 	cp->csty = 0;
+-	if (!(cp->ccps = jas_malloc(cp->numcomps * sizeof(jpc_dec_ccp_t)))) {
++	if (!(cp->ccps = jas_alloc2(cp->numcomps, sizeof(jpc_dec_ccp_t)))) {
+ 		return 0;
+ 	}
+ 	if (!(cp->pchglist = jpc_pchglist_create())) {
+@@ -2048,7 +2048,7 @@ jpc_streamlist_t *jpc_streamlist_create(
+ 	}
+ 	streamlist->numstreams = 0;
+ 	streamlist->maxstreams = 100;
+-	if (!(streamlist->streams = jas_malloc(streamlist->maxstreams *
++	if (!(streamlist->streams = jas_alloc2(streamlist->maxstreams,
+ 	  sizeof(jas_stream_t *)))) {
+ 		jas_free(streamlist);
+ 		return 0;
+@@ -2068,8 +2068,8 @@ int jpc_streamlist_insert(jpc_streamlist
+ 	/* Grow the array of streams if necessary. */
+ 	if (streamlist->numstreams >= streamlist->maxstreams) {
+ 		newmaxstreams = streamlist->maxstreams + 1024;
+-		if (!(newstreams = jas_realloc(streamlist->streams,
+-		  (newmaxstreams + 1024) * sizeof(jas_stream_t *)))) {
++		if (!(newstreams = jas_realloc2(streamlist->streams,
++		  (newmaxstreams + 1024), sizeof(jas_stream_t *)))) {
+ 			return -1;
+ 		}
+ 		for (i = streamlist->numstreams; i < streamlist->maxstreams; ++i) {
+@@ -2155,8 +2155,7 @@ int jpc_ppxstab_grow(jpc_ppxstab_t *tab,
+ {
+ 	jpc_ppxstabent_t **newents;
+ 	if (tab->maxents < maxents) {
+-		newents = (tab->ents) ? jas_realloc(tab->ents, maxents *
+-		  sizeof(jpc_ppxstabent_t *)) : jas_malloc(maxents * sizeof(jpc_ppxstabent_t *));
++		newents = jas_realloc2(tab->ents, maxents, sizeof(jpc_ppxstabent_t *));
+ 		if (!newents) {
+ 			return -1;
+ 		}
+diff -pruN jasper-1.900.1.orig/src/libjasper/jpc/jpc_enc.c jasper-1.900.1/src/libjasper/jpc/jpc_enc.c
+--- jasper-1.900.1.orig/src/libjasper/jpc/jpc_enc.c	2007-01-19 22:43:07.000000000 +0100
++++ jasper-1.900.1/src/libjasper/jpc/jpc_enc.c	2009-10-22 10:27:45.000000000 +0200
+@@ -403,7 +403,7 @@ static jpc_enc_cp_t *cp_create(char *opt
+ 		vsteplcm *= jas_image_cmptvstep(image, cmptno);
+ 	}
+ 
+-	if (!(cp->ccps = jas_malloc(cp->numcmpts * sizeof(jpc_enc_ccp_t)))) {
++	if (!(cp->ccps = jas_alloc2(cp->numcmpts, sizeof(jpc_enc_ccp_t)))) {
+ 		goto error;
+ 	}
+ 	for (cmptno = 0, ccp = cp->ccps; cmptno < JAS_CAST(int, cp->numcmpts); ++cmptno,
+@@ -656,7 +656,7 @@ static jpc_enc_cp_t *cp_create(char *opt
+ 
+ 	if (ilyrrates && numilyrrates > 0) {
+ 		tcp->numlyrs = numilyrrates + 1;
+-		if (!(tcp->ilyrrates = jas_malloc((tcp->numlyrs - 1) *
++		if (!(tcp->ilyrrates = jas_alloc2((tcp->numlyrs - 1),
+ 		  sizeof(jpc_fix_t)))) {
+ 			goto error;
+ 		}
+@@ -940,7 +940,7 @@ startoff = jas_stream_getrwcount(enc->ou
+ 	siz->tilewidth = cp->tilewidth;
+ 	siz->tileheight = cp->tileheight;
+ 	siz->numcomps = cp->numcmpts;
+-	siz->comps = jas_malloc(siz->numcomps * sizeof(jpc_sizcomp_t));
++	siz->comps = jas_alloc2(siz->numcomps, sizeof(jpc_sizcomp_t));
+ 	assert(siz->comps);
+ 	for (i = 0; i < JAS_CAST(int, cp->numcmpts); ++i) {
+ 		siz->comps[i].prec = cp->ccps[i].prec;
+@@ -977,7 +977,7 @@ startoff = jas_stream_getrwcount(enc->ou
+ 		return -1;
+ 	}
+ 	crg = &enc->mrk->parms.crg;
+-	crg->comps = jas_malloc(crg->numcomps * sizeof(jpc_crgcomp_t));
++	crg->comps = jas_alloc2(crg->numcomps, sizeof(jpc_crgcomp_t));
+ 	if (jpc_putms(enc->out, enc->cstate, enc->mrk)) {
+ 		jas_eprintf("cannot write CRG marker\n");
+ 		return -1;
+@@ -1955,7 +1955,7 @@ jpc_enc_tile_t *jpc_enc_tile_create(jpc_
+ 	tile->mctid = cp->tcp.mctid;
+ 
+ 	tile->numlyrs = cp->tcp.numlyrs;
+-	if (!(tile->lyrsizes = jas_malloc(tile->numlyrs *
++	if (!(tile->lyrsizes = jas_alloc2(tile->numlyrs,
+ 	  sizeof(uint_fast32_t)))) {
+ 		goto error;
+ 	}
+@@ -1964,7 +1964,7 @@ jpc_enc_tile_t *jpc_enc_tile_create(jpc_
+ 	}
+ 
+ 	/* Allocate an array for the per-tile-component information. */
+-	if (!(tile->tcmpts = jas_malloc(cp->numcmpts * sizeof(jpc_enc_tcmpt_t)))) {
++	if (!(tile->tcmpts = jas_alloc2(cp->numcmpts, sizeof(jpc_enc_tcmpt_t)))) {
+ 		goto error;
+ 	}
+ 	/* Initialize a few members critical for error recovery. */
+@@ -2110,7 +2110,7 @@ static jpc_enc_tcmpt_t *tcmpt_create(jpc
+ 	  jas_seq2d_ystart(tcmpt->data), jas_seq2d_xend(tcmpt->data),
+ 	  jas_seq2d_yend(tcmpt->data), bandinfos);
+ 
+-	if (!(tcmpt->rlvls = jas_malloc(tcmpt->numrlvls * sizeof(jpc_enc_rlvl_t)))) {
++	if (!(tcmpt->rlvls = jas_alloc2(tcmpt->numrlvls, sizeof(jpc_enc_rlvl_t)))) {
+ 		goto error;
+ 	}
+ 	for (rlvlno = 0, rlvl = tcmpt->rlvls; rlvlno < tcmpt->numrlvls;
+@@ -2213,7 +2213,7 @@ static jpc_enc_rlvl_t *rlvl_create(jpc_e
+ 	rlvl->numvprcs = JPC_FLOORDIVPOW2(brprcbry - tlprctly, rlvl->prcheightexpn);
+ 	rlvl->numprcs = rlvl->numhprcs * rlvl->numvprcs;
+ 
+-	if (!(rlvl->bands = jas_malloc(rlvl->numbands * sizeof(jpc_enc_band_t)))) {
++	if (!(rlvl->bands = jas_alloc2(rlvl->numbands, sizeof(jpc_enc_band_t)))) {
+ 		goto error;
+ 	}
+ 	for (bandno = 0, band = rlvl->bands; bandno < rlvl->numbands;
+@@ -2290,7 +2290,7 @@ if (bandinfo->xstart != bandinfo->xend &
+ 	band->synweight = bandinfo->synenergywt;
+ 
+ if (band->data) {
+-	if (!(band->prcs = jas_malloc(rlvl->numprcs * sizeof(jpc_enc_prc_t)))) {
++	if (!(band->prcs = jas_alloc2(rlvl->numprcs, sizeof(jpc_enc_prc_t)))) {
+ 		goto error;
+ 	}
+ 	for (prcno = 0, prc = band->prcs; prcno < rlvl->numprcs; ++prcno,
+@@ -2422,7 +2422,7 @@ if (!rlvlno) {
+ 			goto error;
+ 		}
+ 
+-		if (!(prc->cblks = jas_malloc(prc->numcblks * sizeof(jpc_enc_cblk_t)))) {
++		if (!(prc->cblks = jas_alloc2(prc->numcblks, sizeof(jpc_enc_cblk_t)))) {
+ 			goto error;
+ 		}
+ 		for (cblkno = 0, cblk = prc->cblks; cblkno < prc->numcblks;
+diff -pruN jasper-1.900.1.orig/src/libjasper/jpc/jpc_mqdec.c jasper-1.900.1/src/libjasper/jpc/jpc_mqdec.c
+--- jasper-1.900.1.orig/src/libjasper/jpc/jpc_mqdec.c	2007-01-19 22:43:07.000000000 +0100
++++ jasper-1.900.1/src/libjasper/jpc/jpc_mqdec.c	2009-10-22 10:27:45.000000000 +0200
+@@ -118,7 +118,7 @@ jpc_mqdec_t *jpc_mqdec_create(int maxctx
+ 	mqdec->in = in;
+ 	mqdec->maxctxs = maxctxs;
+ 	/* Allocate memory for the per-context state information. */
+-	if (!(mqdec->ctxs = jas_malloc(mqdec->maxctxs * sizeof(jpc_mqstate_t *)))) {
++	if (!(mqdec->ctxs = jas_alloc2(mqdec->maxctxs, sizeof(jpc_mqstate_t *)))) {
+ 		goto error;
+ 	}
+ 	/* Set the current context to the first context. */
+diff -pruN jasper-1.900.1.orig/src/libjasper/jpc/jpc_mqenc.c jasper-1.900.1/src/libjasper/jpc/jpc_mqenc.c
+--- jasper-1.900.1.orig/src/libjasper/jpc/jpc_mqenc.c	2007-01-19 22:43:07.000000000 +0100
++++ jasper-1.900.1/src/libjasper/jpc/jpc_mqenc.c	2009-10-22 10:27:45.000000000 +0200
+@@ -197,7 +197,7 @@ jpc_mqenc_t *jpc_mqenc_create(int maxctx
+ 	mqenc->maxctxs = maxctxs;
+ 
+ 	/* Allocate memory for the per-context state information. */
+-	if (!(mqenc->ctxs = jas_malloc(mqenc->maxctxs * sizeof(jpc_mqstate_t *)))) {
++	if (!(mqenc->ctxs = jas_alloc2(mqenc->maxctxs, sizeof(jpc_mqstate_t *)))) {
+ 		goto error;
+ 	}
+ 
+diff -pruN jasper-1.900.1.orig/src/libjasper/jpc/jpc_qmfb.c jasper-1.900.1/src/libjasper/jpc/jpc_qmfb.c
+--- jasper-1.900.1.orig/src/libjasper/jpc/jpc_qmfb.c	2007-01-19 22:43:07.000000000 +0100
++++ jasper-1.900.1/src/libjasper/jpc/jpc_qmfb.c	2009-10-22 10:27:45.000000000 +0200
+@@ -321,7 +321,7 @@ void jpc_qmfb_split_row(jpc_fix_t *a, in
+ #if !defined(HAVE_VLA)
+ 	/* Get a buffer. */
+ 	if (bufsize > QMFB_SPLITBUFSIZE) {
+-		if (!(buf = jas_malloc(bufsize * sizeof(jpc_fix_t)))) {
++		if (!(buf = jas_alloc2(bufsize, sizeof(jpc_fix_t)))) {
+ 			/* We have no choice but to commit suicide in this case. */
+ 			abort();
+ 		}
+@@ -389,7 +389,7 @@ void jpc_qmfb_split_col(jpc_fix_t *a, in
+ #if !defined(HAVE_VLA)
+ 	/* Get a buffer. */
+ 	if (bufsize > QMFB_SPLITBUFSIZE) {
+-		if (!(buf = jas_malloc(bufsize * sizeof(jpc_fix_t)))) {
++		if (!(buf = jas_alloc2(bufsize, sizeof(jpc_fix_t)))) {
+ 			/* We have no choice but to commit suicide in this case. */
+ 			abort();
+ 		}
+@@ -460,7 +460,7 @@ void jpc_qmfb_split_colgrp(jpc_fix_t *a,
+ #if !defined(HAVE_VLA)
+ 	/* Get a buffer. */
+ 	if (bufsize > QMFB_SPLITBUFSIZE) {
+-		if (!(buf = jas_malloc(bufsize * sizeof(jpc_fix_t)))) {
++		if (!(buf = jas_alloc2(bufsize, sizeof(jpc_fix_t)))) {
+ 			/* We have no choice but to commit suicide in this case. */
+ 			abort();
+ 		}
+@@ -549,7 +549,7 @@ void jpc_qmfb_split_colres(jpc_fix_t *a,
+ #if !defined(HAVE_VLA)
+ 	/* Get a buffer. */
+ 	if (bufsize > QMFB_SPLITBUFSIZE) {
+-		if (!(buf = jas_malloc(bufsize * sizeof(jpc_fix_t)))) {
++		if (!(buf = jas_alloc2(bufsize, sizeof(jpc_fix_t)))) {
+ 			/* We have no choice but to commit suicide in this case. */
+ 			abort();
+ 		}
+@@ -633,7 +633,7 @@ void jpc_qmfb_join_row(jpc_fix_t *a, int
+ #if !defined(HAVE_VLA)
+ 	/* Allocate memory for the join buffer from the heap. */
+ 	if (bufsize > QMFB_JOINBUFSIZE) {
+-		if (!(buf = jas_malloc(bufsize * sizeof(jpc_fix_t)))) {
++		if (!(buf = jas_alloc2(bufsize, sizeof(jpc_fix_t)))) {
+ 			/* We have no choice but to commit suicide. */
+ 			abort();
+ 		}
+@@ -698,7 +698,7 @@ void jpc_qmfb_join_col(jpc_fix_t *a, int
+ #if !defined(HAVE_VLA)
+ 	/* Allocate memory for the join buffer from the heap. */
+ 	if (bufsize > QMFB_JOINBUFSIZE) {
+-		if (!(buf = jas_malloc(bufsize * sizeof(jpc_fix_t)))) {
++		if (!(buf = jas_alloc2(bufsize, sizeof(jpc_fix_t)))) {
+ 			/* We have no choice but to commit suicide. */
+ 			abort();
+ 		}
+@@ -766,7 +766,7 @@ void jpc_qmfb_join_colgrp(jpc_fix_t *a, 
+ #if !defined(HAVE_VLA)
+ 	/* Allocate memory for the join buffer from the heap. */
+ 	if (bufsize > QMFB_JOINBUFSIZE) {
+-		if (!(buf = jas_malloc(bufsize * JPC_QMFB_COLGRPSIZE * sizeof(jpc_fix_t)))) {
++		if (!(buf = jas_alloc2(bufsize, JPC_QMFB_COLGRPSIZE * sizeof(jpc_fix_t)))) {
+ 			/* We have no choice but to commit suicide. */
+ 			abort();
+ 		}
+@@ -852,7 +852,7 @@ void jpc_qmfb_join_colres(jpc_fix_t *a, 
+ #if !defined(HAVE_VLA)
+ 	/* Allocate memory for the join buffer from the heap. */
+ 	if (bufsize > QMFB_JOINBUFSIZE) {
+-		if (!(buf = jas_malloc(bufsize * numcols * sizeof(jpc_fix_t)))) {
++		if (!(buf = jas_alloc3(bufsize, numcols, sizeof(jpc_fix_t)))) {
+ 			/* We have no choice but to commit suicide. */
+ 			abort();
+ 		}
+diff -pruN jasper-1.900.1.orig/src/libjasper/jpc/jpc_t1enc.c jasper-1.900.1/src/libjasper/jpc/jpc_t1enc.c
+--- jasper-1.900.1.orig/src/libjasper/jpc/jpc_t1enc.c	2007-01-19 22:43:07.000000000 +0100
++++ jasper-1.900.1/src/libjasper/jpc/jpc_t1enc.c	2009-10-22 10:27:45.000000000 +0200
+@@ -219,7 +219,7 @@ int jpc_enc_enccblk(jpc_enc_t *enc, jas_
+ 
+ 	cblk->numpasses = (cblk->numbps > 0) ? (3 * cblk->numbps - 2) : 0;
+ 	if (cblk->numpasses > 0) {
+-		cblk->passes = jas_malloc(cblk->numpasses * sizeof(jpc_enc_pass_t));
++		cblk->passes = jas_alloc2(cblk->numpasses, sizeof(jpc_enc_pass_t));
+ 		assert(cblk->passes);
+ 	} else {
+ 		cblk->passes = 0;
+diff -pruN jasper-1.900.1.orig/src/libjasper/jpc/jpc_t2cod.c jasper-1.900.1/src/libjasper/jpc/jpc_t2cod.c
+--- jasper-1.900.1.orig/src/libjasper/jpc/jpc_t2cod.c	2007-01-19 22:43:07.000000000 +0100
++++ jasper-1.900.1/src/libjasper/jpc/jpc_t2cod.c	2009-10-22 10:27:45.000000000 +0200
+@@ -573,7 +573,7 @@ int jpc_pchglist_insert(jpc_pchglist_t *
+ 	}
+ 	if (pchglist->numpchgs >= pchglist->maxpchgs) {
+ 		newmaxpchgs = pchglist->maxpchgs + 128;
+-		if (!(newpchgs = jas_realloc(pchglist->pchgs, newmaxpchgs * sizeof(jpc_pchg_t *)))) {
++		if (!(newpchgs = jas_realloc2(pchglist->pchgs, newmaxpchgs, sizeof(jpc_pchg_t *)))) {
+ 			return -1;
+ 		}
+ 		pchglist->maxpchgs = newmaxpchgs;
+diff -pruN jasper-1.900.1.orig/src/libjasper/jpc/jpc_t2dec.c jasper-1.900.1/src/libjasper/jpc/jpc_t2dec.c
+--- jasper-1.900.1.orig/src/libjasper/jpc/jpc_t2dec.c	2007-01-19 22:43:07.000000000 +0100
++++ jasper-1.900.1/src/libjasper/jpc/jpc_t2dec.c	2009-10-22 10:27:45.000000000 +0200
+@@ -478,7 +478,7 @@ jpc_pi_t *jpc_dec_pi_create(jpc_dec_t *d
+ 		return 0;
+ 	}
+ 	pi->numcomps = dec->numcomps;
+-	if (!(pi->picomps = jas_malloc(pi->numcomps * sizeof(jpc_picomp_t)))) {
++	if (!(pi->picomps = jas_alloc2(pi->numcomps, sizeof(jpc_picomp_t)))) {
+ 		jpc_pi_destroy(pi);
+ 		return 0;
+ 	}
+@@ -490,7 +490,7 @@ jpc_pi_t *jpc_dec_pi_create(jpc_dec_t *d
+ 	for (compno = 0, tcomp = tile->tcomps, picomp = pi->picomps;
+ 	  compno < pi->numcomps; ++compno, ++tcomp, ++picomp) {
+ 		picomp->numrlvls = tcomp->numrlvls;
+-		if (!(picomp->pirlvls = jas_malloc(picomp->numrlvls *
++		if (!(picomp->pirlvls = jas_alloc2(picomp->numrlvls,
+ 		  sizeof(jpc_pirlvl_t)))) {
+ 			jpc_pi_destroy(pi);
+ 			return 0;
+@@ -503,7 +503,7 @@ jpc_pi_t *jpc_dec_pi_create(jpc_dec_t *d
+ 		  rlvlno < picomp->numrlvls; ++rlvlno, ++pirlvl, ++rlvl) {
+ /* XXX sizeof(long) should be sizeof different type */
+ 			pirlvl->numprcs = rlvl->numprcs;
+-			if (!(pirlvl->prclyrnos = jas_malloc(pirlvl->numprcs *
++			if (!(pirlvl->prclyrnos = jas_alloc2(pirlvl->numprcs,
+ 			  sizeof(long)))) {
+ 				jpc_pi_destroy(pi);
+ 				return 0;
+diff -pruN jasper-1.900.1.orig/src/libjasper/jpc/jpc_t2enc.c jasper-1.900.1/src/libjasper/jpc/jpc_t2enc.c
+--- jasper-1.900.1.orig/src/libjasper/jpc/jpc_t2enc.c	2007-01-19 22:43:07.000000000 +0100
++++ jasper-1.900.1/src/libjasper/jpc/jpc_t2enc.c	2009-10-22 10:27:45.000000000 +0200
+@@ -565,7 +565,7 @@ jpc_pi_t *jpc_enc_pi_create(jpc_enc_cp_t
+ 	}
+ 	pi->pktno = -1;
+ 	pi->numcomps = cp->numcmpts;
+-	if (!(pi->picomps = jas_malloc(pi->numcomps * sizeof(jpc_picomp_t)))) {
++	if (!(pi->picomps = jas_alloc2(pi->numcomps, sizeof(jpc_picomp_t)))) {
+ 		jpc_pi_destroy(pi);
+ 		return 0;
+ 	}
+@@ -577,7 +577,7 @@ jpc_pi_t *jpc_enc_pi_create(jpc_enc_cp_t
+ 	for (compno = 0, tcomp = tile->tcmpts, picomp = pi->picomps;
+ 	  compno < pi->numcomps; ++compno, ++tcomp, ++picomp) {
+ 		picomp->numrlvls = tcomp->numrlvls;
+-		if (!(picomp->pirlvls = jas_malloc(picomp->numrlvls *
++		if (!(picomp->pirlvls = jas_alloc2(picomp->numrlvls,
+ 		  sizeof(jpc_pirlvl_t)))) {
+ 			jpc_pi_destroy(pi);
+ 			return 0;
+@@ -591,7 +591,7 @@ jpc_pi_t *jpc_enc_pi_create(jpc_enc_cp_t
+ /* XXX sizeof(long) should be sizeof different type */
+ 			pirlvl->numprcs = rlvl->numprcs;
+ 			if (rlvl->numprcs) {
+-				if (!(pirlvl->prclyrnos = jas_malloc(pirlvl->numprcs *
++				if (!(pirlvl->prclyrnos = jas_alloc2(pirlvl->numprcs,
+ 				  sizeof(long)))) {
+ 					jpc_pi_destroy(pi);
+ 					return 0;
+diff -pruN jasper-1.900.1.orig/src/libjasper/jpc/jpc_tagtree.c jasper-1.900.1/src/libjasper/jpc/jpc_tagtree.c
+--- jasper-1.900.1.orig/src/libjasper/jpc/jpc_tagtree.c	2007-01-19 22:43:07.000000000 +0100
++++ jasper-1.900.1/src/libjasper/jpc/jpc_tagtree.c	2009-10-22 10:27:45.000000000 +0200
+@@ -125,7 +125,7 @@ jpc_tagtree_t *jpc_tagtree_create(int nu
+ 		++numlvls;
+ 	} while (n > 1);
+ 
+-	if (!(tree->nodes_ = jas_malloc(tree->numnodes_ * sizeof(jpc_tagtreenode_t)))) {
++	if (!(tree->nodes_ = jas_alloc2(tree->numnodes_, sizeof(jpc_tagtreenode_t)))) {
+ 		return 0;
+ 	}
+ 
+diff -pruN jasper-1.900.1.orig/src/libjasper/jpc/jpc_util.c jasper-1.900.1/src/libjasper/jpc/jpc_util.c
+--- jasper-1.900.1.orig/src/libjasper/jpc/jpc_util.c	2007-01-19 22:43:07.000000000 +0100
++++ jasper-1.900.1/src/libjasper/jpc/jpc_util.c	2009-10-22 10:27:45.000000000 +0200
+@@ -109,7 +109,7 @@ int jpc_atoaf(char *s, int *numvalues, d
+ 	}
+ 
+ 	if (n) {
+-		if (!(vs = jas_malloc(n * sizeof(double)))) {
++		if (!(vs = jas_alloc2(n, sizeof(double)))) {
+ 			return -1;
+ 		}
+ 
+diff -pruN jasper-1.900.1.orig/src/libjasper/mif/mif_cod.c jasper-1.900.1/src/libjasper/mif/mif_cod.c
+--- jasper-1.900.1.orig/src/libjasper/mif/mif_cod.c	2007-01-19 22:43:05.000000000 +0100
++++ jasper-1.900.1/src/libjasper/mif/mif_cod.c	2009-10-22 10:27:45.000000000 +0200
+@@ -438,8 +438,7 @@ static int mif_hdr_growcmpts(mif_hdr_t *
+ 	int cmptno;
+ 	mif_cmpt_t **newcmpts;
+ 	assert(maxcmpts >= hdr->numcmpts);
+-	newcmpts = (!hdr->cmpts) ? jas_malloc(maxcmpts * sizeof(mif_cmpt_t *)) :
+-	  jas_realloc(hdr->cmpts, maxcmpts * sizeof(mif_cmpt_t *));
++	newcmpts = jas_realloc2(hdr->cmpts, maxcmpts, sizeof(mif_cmpt_t *));
+ 	if (!newcmpts) {
+ 		return -1;
+ 	}
diff --git a/gnu/packages/patches/jasper-CVE-2011-4516-and-CVE-2011-4517.patch b/gnu/packages/patches/jasper-CVE-2011-4516-and-CVE-2011-4517.patch
new file mode 100644
index 0000000..4b5917f
--- /dev/null
+++ b/gnu/packages/patches/jasper-CVE-2011-4516-and-CVE-2011-4517.patch
@@ -0,0 +1,31 @@
+Fix CVE-2011-4516 and CVE-2011-4517 (heap buffer overflow flaws lead to
+arbitrary code execution).
+
+Copied from Fedora.
+
+http://pkgs.fedoraproject.org/cgit/rpms/jasper.git/tree/jasper-1.900.1-CVE-2011-4516-CVE-2011-4517-CERT-VU-887409.patch
+https://bugzilla.redhat.com/show_bug.cgi?id=747726
+
+diff -up jasper-1.900.1/src/libjasper/jpc/jpc_cs.c.CERT-VU-887409 jasper-1.900.1/src/libjasper/jpc/jpc_cs.c
+--- jasper-1.900.1/src/libjasper/jpc/jpc_cs.c.CERT-VU-887409	2011-10-25 17:25:39.000000000 +0200
++++ jasper-1.900.1/src/libjasper/jpc/jpc_cs.c	2011-10-25 17:29:14.379371908 +0200
+@@ -744,6 +744,10 @@ static int jpc_cox_getcompparms(jpc_ms_t
+ 		return -1;
+ 	}
+ 	compparms->numrlvls = compparms->numdlvls + 1;
++	if (compparms->numrlvls > JPC_MAXRLVLS) {
++		jpc_cox_destroycompparms(compparms);
++		return -1;
++	}
+ 	if (prtflag) {
+ 		for (i = 0; i < compparms->numrlvls; ++i) {
+ 			if (jpc_getuint8(in, &tmp)) {
+@@ -1331,7 +1335,7 @@ static int jpc_crg_getparms(jpc_ms_t *ms
+ 	jpc_crgcomp_t *comp;
+ 	uint_fast16_t compno;
+ 	crg->numcomps = cstate->numcomps;
+-	if (!(crg->comps = jas_alloc2(cstate->numcomps, sizeof(uint_fast16_t)))) {
++	if (!(crg->comps = jas_alloc2(cstate->numcomps, sizeof(jpc_crgcomp_t)))) {
+ 		return -1;
+ 	}
+ 	for (compno = 0, comp = crg->comps; compno < cstate->numcomps;
diff --git a/gnu/packages/patches/jasper-CVE-2014-8137.patch b/gnu/packages/patches/jasper-CVE-2014-8137.patch
new file mode 100644
index 0000000..c411589
--- /dev/null
+++ b/gnu/packages/patches/jasper-CVE-2014-8137.patch
@@ -0,0 +1,64 @@
+Fix CVE-2014-8137 (double-free in jas_iccattrval_destroy()).
+
+Copied from Fedora.
+
+http://pkgs.fedoraproject.org/cgit/rpms/jasper.git/tree/jasper-CVE-2014-8137.patch
+https://bugzilla.redhat.com/show_bug.cgi?id=1173157
+
+--- jasper-1.900.1.orig/src/libjasper/base/jas_icc.c	2014-12-11 14:06:44.000000000 +0100
++++ jasper-1.900.1/src/libjasper/base/jas_icc.c	2014-12-11 15:16:37.971272386 +0100
+@@ -1009,7 +1009,6 @@ static int jas_icccurv_input(jas_iccattr
+ 	return 0;
+ 
+ error:
+-	jas_icccurv_destroy(attrval);
+ 	return -1;
+ }
+ 
+@@ -1127,7 +1126,6 @@ static int jas_icctxtdesc_input(jas_icca
+ #endif
+ 	return 0;
+ error:
+-	jas_icctxtdesc_destroy(attrval);
+ 	return -1;
+ }
+ 
+@@ -1206,8 +1204,6 @@ static int jas_icctxt_input(jas_iccattrv
+ 		goto error;
+ 	return 0;
+ error:
+-	if (txt->string)
+-		jas_free(txt->string);
+ 	return -1;
+ }
+ 
+@@ -1328,7 +1324,6 @@ static int jas_icclut8_input(jas_iccattr
+ 		goto error;
+ 	return 0;
+ error:
+-	jas_icclut8_destroy(attrval);
+ 	return -1;
+ }
+ 
+@@ -1497,7 +1492,6 @@ static int jas_icclut16_input(jas_iccatt
+ 		goto error;
+ 	return 0;
+ error:
+-	jas_icclut16_destroy(attrval);
+ 	return -1;
+ }
+ 
+--- jasper-1.900.1.orig/src/libjasper/jp2/jp2_dec.c	2014-12-11 14:30:54.193209780 +0100
++++ jasper-1.900.1/src/libjasper/jp2/jp2_dec.c	2014-12-11 14:36:46.313217814 +0100
+@@ -291,7 +291,10 @@ jas_image_t *jp2_decode(jas_stream_t *in
+ 	case JP2_COLR_ICC:
+ 		iccprof = jas_iccprof_createfrombuf(dec->colr->data.colr.iccp,
+ 		  dec->colr->data.colr.iccplen);
+-		assert(iccprof);
++		if (!iccprof) {
++			jas_eprintf("error: failed to parse ICC profile\n");
++			goto error;
++		}
+ 		jas_iccprof_gethdr(iccprof, &icchdr);
+ 		jas_eprintf("ICC Profile CS %08x\n", icchdr.colorspc);
+ 		jas_image_setclrspc(dec->image, fromiccpcs(icchdr.colorspc));
diff --git a/gnu/packages/patches/jasper-CVE-2014-8138.patch b/gnu/packages/patches/jasper-CVE-2014-8138.patch
new file mode 100644
index 0000000..0d9dc63
--- /dev/null
+++ b/gnu/packages/patches/jasper-CVE-2014-8138.patch
@@ -0,0 +1,21 @@
+Fix CVE-2014-8138 (heap overflow in jp2_decode()).
+
+Copied from Fedora.
+
+http://pkgs.fedoraproject.org/cgit/rpms/jasper.git/tree/jasper-CVE-2014-8138.patch
+https://bugzilla.redhat.com/show_bug.cgi?id=1173162
+
+--- jasper-1.900.1.orig/src/libjasper/jp2/jp2_dec.c	2014-12-11 14:06:44.000000000 +0100
++++ jasper-1.900.1/src/libjasper/jp2/jp2_dec.c	2014-12-11 14:06:26.000000000 +0100
+@@ -386,6 +386,11 @@ jas_image_t *jp2_decode(jas_stream_t *in
+ 	/* Determine the type of each component. */
+ 	if (dec->cdef) {
+ 		for (i = 0; i < dec->numchans; ++i) {
++			/* Is the channel number reasonable? */
++			if (dec->cdef->data.cdef.ents[i].channo >= dec->numchans) {
++				jas_eprintf("error: invalid channel number in CDEF box\n");
++				goto error;
++			}
+ 			jas_image_setcmpttype(dec->image,
+ 			  dec->chantocmptlut[dec->cdef->data.cdef.ents[i].channo],
+ 			  jp2_getct(jas_image_clrspc(dec->image),
diff --git a/gnu/packages/patches/jasper-CVE-2014-8157.patch b/gnu/packages/patches/jasper-CVE-2014-8157.patch
new file mode 100644
index 0000000..62f4a6b
--- /dev/null
+++ b/gnu/packages/patches/jasper-CVE-2014-8157.patch
@@ -0,0 +1,19 @@
+Fix CVE-2014-8157 (dec->numtiles off-by-one check in jpc_dec_process_sot()).
+
+Copied from Fedora.
+
+http://pkgs.fedoraproject.org/cgit/rpms/jasper.git/tree/jasper-CVE-2014-8157.patch
+https://bugzilla.redhat.com/show_bug.cgi?id=1179282
+
+diff -up jasper-1.900.1/src/libjasper/jpc/jpc_dec.c.CVE-2014-8157 jasper-1.900.1/src/libjasper/jpc/jpc_dec.c
+--- jasper-1.900.1/src/libjasper/jpc/jpc_dec.c.CVE-2014-8157	2015-01-19 16:59:36.000000000 +0100
++++ jasper-1.900.1/src/libjasper/jpc/jpc_dec.c	2015-01-19 17:07:41.609863268 +0100
+@@ -489,7 +489,7 @@ static int jpc_dec_process_sot(jpc_dec_t
+ 		dec->curtileendoff = 0;
+ 	}
+ 
+-	if (JAS_CAST(int, sot->tileno) > dec->numtiles) {
++	if (JAS_CAST(int, sot->tileno) >= dec->numtiles) {
+ 		jas_eprintf("invalid tile number in SOT marker segment\n");
+ 		return -1;
+ 	}
diff --git a/gnu/packages/patches/jasper-CVE-2014-8158.patch b/gnu/packages/patches/jasper-CVE-2014-8158.patch
new file mode 100644
index 0000000..cc54d8f
--- /dev/null
+++ b/gnu/packages/patches/jasper-CVE-2014-8158.patch
@@ -0,0 +1,336 @@
+Fix CVE-2014-8158 (unrestricted stack memory use in jpc_qmfb.c).
+
+Copied from Fedora.
+
+http://pkgs.fedoraproject.org/cgit/rpms/jasper.git/tree/jasper-CVE-2014-8158.patch
+https://bugzilla.redhat.com/show_bug.cgi?id=1179298
+
+diff -up jasper-1.900.1/src/libjasper/jpc/jpc_qmfb.c.CVE-2014-8158 jasper-1.900.1/src/libjasper/jpc/jpc_qmfb.c
+--- jasper-1.900.1/src/libjasper/jpc/jpc_qmfb.c.CVE-2014-8158	2015-01-19 17:25:28.730195502 +0100
++++ jasper-1.900.1/src/libjasper/jpc/jpc_qmfb.c	2015-01-19 17:27:20.214663127 +0100
+@@ -306,11 +306,7 @@ void jpc_qmfb_split_row(jpc_fix_t *a, in
+ {
+ 
+ 	int bufsize = JPC_CEILDIVPOW2(numcols, 1);
+-#if !defined(HAVE_VLA)
+ 	jpc_fix_t splitbuf[QMFB_SPLITBUFSIZE];
+-#else
+-	jpc_fix_t splitbuf[bufsize];
+-#endif
+ 	jpc_fix_t *buf = splitbuf;
+ 	register jpc_fix_t *srcptr;
+ 	register jpc_fix_t *dstptr;
+@@ -318,7 +314,6 @@ void jpc_qmfb_split_row(jpc_fix_t *a, in
+ 	register int m;
+ 	int hstartcol;
+ 
+-#if !defined(HAVE_VLA)
+ 	/* Get a buffer. */
+ 	if (bufsize > QMFB_SPLITBUFSIZE) {
+ 		if (!(buf = jas_alloc2(bufsize, sizeof(jpc_fix_t)))) {
+@@ -326,7 +321,6 @@ void jpc_qmfb_split_row(jpc_fix_t *a, in
+ 			abort();
+ 		}
+ 	}
+-#endif
+ 
+ 	if (numcols >= 2) {
+ 		hstartcol = (numcols + 1 - parity) >> 1;
+@@ -360,12 +354,10 @@ void jpc_qmfb_split_row(jpc_fix_t *a, in
+ 		}
+ 	}
+ 
+-#if !defined(HAVE_VLA)
+ 	/* If the split buffer was allocated on the heap, free this memory. */
+ 	if (buf != splitbuf) {
+ 		jas_free(buf);
+ 	}
+-#endif
+ 
+ }
+ 
+@@ -374,11 +366,7 @@ void jpc_qmfb_split_col(jpc_fix_t *a, in
+ {
+ 
+ 	int bufsize = JPC_CEILDIVPOW2(numrows, 1);
+-#if !defined(HAVE_VLA)
+ 	jpc_fix_t splitbuf[QMFB_SPLITBUFSIZE];
+-#else
+-	jpc_fix_t splitbuf[bufsize];
+-#endif
+ 	jpc_fix_t *buf = splitbuf;
+ 	register jpc_fix_t *srcptr;
+ 	register jpc_fix_t *dstptr;
+@@ -386,7 +374,6 @@ void jpc_qmfb_split_col(jpc_fix_t *a, in
+ 	register int m;
+ 	int hstartcol;
+ 
+-#if !defined(HAVE_VLA)
+ 	/* Get a buffer. */
+ 	if (bufsize > QMFB_SPLITBUFSIZE) {
+ 		if (!(buf = jas_alloc2(bufsize, sizeof(jpc_fix_t)))) {
+@@ -394,7 +381,6 @@ void jpc_qmfb_split_col(jpc_fix_t *a, in
+ 			abort();
+ 		}
+ 	}
+-#endif
+ 
+ 	if (numrows >= 2) {
+ 		hstartcol = (numrows + 1 - parity) >> 1;
+@@ -428,12 +414,10 @@ void jpc_qmfb_split_col(jpc_fix_t *a, in
+ 		}
+ 	}
+ 
+-#if !defined(HAVE_VLA)
+ 	/* If the split buffer was allocated on the heap, free this memory. */
+ 	if (buf != splitbuf) {
+ 		jas_free(buf);
+ 	}
+-#endif
+ 
+ }
+ 
+@@ -442,11 +426,7 @@ void jpc_qmfb_split_colgrp(jpc_fix_t *a,
+ {
+ 
+ 	int bufsize = JPC_CEILDIVPOW2(numrows, 1);
+-#if !defined(HAVE_VLA)
+ 	jpc_fix_t splitbuf[QMFB_SPLITBUFSIZE * JPC_QMFB_COLGRPSIZE];
+-#else
+-	jpc_fix_t splitbuf[bufsize * JPC_QMFB_COLGRPSIZE];
+-#endif
+ 	jpc_fix_t *buf = splitbuf;
+ 	jpc_fix_t *srcptr;
+ 	jpc_fix_t *dstptr;
+@@ -457,7 +437,6 @@ void jpc_qmfb_split_colgrp(jpc_fix_t *a,
+ 	int m;
+ 	int hstartcol;
+ 
+-#if !defined(HAVE_VLA)
+ 	/* Get a buffer. */
+ 	if (bufsize > QMFB_SPLITBUFSIZE) {
+ 		if (!(buf = jas_alloc2(bufsize, sizeof(jpc_fix_t)))) {
+@@ -465,7 +444,6 @@ void jpc_qmfb_split_colgrp(jpc_fix_t *a,
+ 			abort();
+ 		}
+ 	}
+-#endif
+ 
+ 	if (numrows >= 2) {
+ 		hstartcol = (numrows + 1 - parity) >> 1;
+@@ -517,12 +495,10 @@ void jpc_qmfb_split_colgrp(jpc_fix_t *a,
+ 		}
+ 	}
+ 
+-#if !defined(HAVE_VLA)
+ 	/* If the split buffer was allocated on the heap, free this memory. */
+ 	if (buf != splitbuf) {
+ 		jas_free(buf);
+ 	}
+-#endif
+ 
+ }
+ 
+@@ -531,11 +507,7 @@ void jpc_qmfb_split_colres(jpc_fix_t *a,
+ {
+ 
+ 	int bufsize = JPC_CEILDIVPOW2(numrows, 1);
+-#if !defined(HAVE_VLA)
+ 	jpc_fix_t splitbuf[QMFB_SPLITBUFSIZE * JPC_QMFB_COLGRPSIZE];
+-#else
+-	jpc_fix_t splitbuf[bufsize * numcols];
+-#endif
+ 	jpc_fix_t *buf = splitbuf;
+ 	jpc_fix_t *srcptr;
+ 	jpc_fix_t *dstptr;
+@@ -546,7 +518,6 @@ void jpc_qmfb_split_colres(jpc_fix_t *a,
+ 	int m;
+ 	int hstartcol;
+ 
+-#if !defined(HAVE_VLA)
+ 	/* Get a buffer. */
+ 	if (bufsize > QMFB_SPLITBUFSIZE) {
+ 		if (!(buf = jas_alloc2(bufsize, sizeof(jpc_fix_t)))) {
+@@ -554,7 +525,6 @@ void jpc_qmfb_split_colres(jpc_fix_t *a,
+ 			abort();
+ 		}
+ 	}
+-#endif
+ 
+ 	if (numrows >= 2) {
+ 		hstartcol = (numrows + 1 - parity) >> 1;
+@@ -606,12 +576,10 @@ void jpc_qmfb_split_colres(jpc_fix_t *a,
+ 		}
+ 	}
+ 
+-#if !defined(HAVE_VLA)
+ 	/* If the split buffer was allocated on the heap, free this memory. */
+ 	if (buf != splitbuf) {
+ 		jas_free(buf);
+ 	}
+-#endif
+ 
+ }
+ 
+@@ -619,18 +587,13 @@ void jpc_qmfb_join_row(jpc_fix_t *a, int
+ {
+ 
+ 	int bufsize = JPC_CEILDIVPOW2(numcols, 1);
+-#if !defined(HAVE_VLA)
+ 	jpc_fix_t joinbuf[QMFB_JOINBUFSIZE];
+-#else
+-	jpc_fix_t joinbuf[bufsize];
+-#endif
+ 	jpc_fix_t *buf = joinbuf;
+ 	register jpc_fix_t *srcptr;
+ 	register jpc_fix_t *dstptr;
+ 	register int n;
+ 	int hstartcol;
+ 
+-#if !defined(HAVE_VLA)
+ 	/* Allocate memory for the join buffer from the heap. */
+ 	if (bufsize > QMFB_JOINBUFSIZE) {
+ 		if (!(buf = jas_alloc2(bufsize, sizeof(jpc_fix_t)))) {
+@@ -638,7 +601,6 @@ void jpc_qmfb_join_row(jpc_fix_t *a, int
+ 			abort();
+ 		}
+ 	}
+-#endif
+ 
+ 	hstartcol = (numcols + 1 - parity) >> 1;
+ 
+@@ -670,12 +632,10 @@ void jpc_qmfb_join_row(jpc_fix_t *a, int
+ 		++srcptr;
+ 	}
+ 
+-#if !defined(HAVE_VLA)
+ 	/* If the join buffer was allocated on the heap, free this memory. */
+ 	if (buf != joinbuf) {
+ 		jas_free(buf);
+ 	}
+-#endif
+ 
+ }
+ 
+@@ -684,18 +644,13 @@ void jpc_qmfb_join_col(jpc_fix_t *a, int
+ {
+ 
+ 	int bufsize = JPC_CEILDIVPOW2(numrows, 1);
+-#if !defined(HAVE_VLA)
+ 	jpc_fix_t joinbuf[QMFB_JOINBUFSIZE];
+-#else
+-	jpc_fix_t joinbuf[bufsize];
+-#endif
+ 	jpc_fix_t *buf = joinbuf;
+ 	register jpc_fix_t *srcptr;
+ 	register jpc_fix_t *dstptr;
+ 	register int n;
+ 	int hstartcol;
+ 
+-#if !defined(HAVE_VLA)
+ 	/* Allocate memory for the join buffer from the heap. */
+ 	if (bufsize > QMFB_JOINBUFSIZE) {
+ 		if (!(buf = jas_alloc2(bufsize, sizeof(jpc_fix_t)))) {
+@@ -703,7 +658,6 @@ void jpc_qmfb_join_col(jpc_fix_t *a, int
+ 			abort();
+ 		}
+ 	}
+-#endif
+ 
+ 	hstartcol = (numrows + 1 - parity) >> 1;
+ 
+@@ -735,12 +689,10 @@ void jpc_qmfb_join_col(jpc_fix_t *a, int
+ 		++srcptr;
+ 	}
+ 
+-#if !defined(HAVE_VLA)
+ 	/* If the join buffer was allocated on the heap, free this memory. */
+ 	if (buf != joinbuf) {
+ 		jas_free(buf);
+ 	}
+-#endif
+ 
+ }
+ 
+@@ -749,11 +701,7 @@ void jpc_qmfb_join_colgrp(jpc_fix_t *a,
+ {
+ 
+ 	int bufsize = JPC_CEILDIVPOW2(numrows, 1);
+-#if !defined(HAVE_VLA)
+ 	jpc_fix_t joinbuf[QMFB_JOINBUFSIZE * JPC_QMFB_COLGRPSIZE];
+-#else
+-	jpc_fix_t joinbuf[bufsize * JPC_QMFB_COLGRPSIZE];
+-#endif
+ 	jpc_fix_t *buf = joinbuf;
+ 	jpc_fix_t *srcptr;
+ 	jpc_fix_t *dstptr;
+@@ -763,7 +711,6 @@ void jpc_qmfb_join_colgrp(jpc_fix_t *a,
+ 	register int i;
+ 	int hstartcol;
+ 
+-#if !defined(HAVE_VLA)
+ 	/* Allocate memory for the join buffer from the heap. */
+ 	if (bufsize > QMFB_JOINBUFSIZE) {
+ 		if (!(buf = jas_alloc2(bufsize, JPC_QMFB_COLGRPSIZE * sizeof(jpc_fix_t)))) {
+@@ -771,7 +718,6 @@ void jpc_qmfb_join_colgrp(jpc_fix_t *a,
+ 			abort();
+ 		}
+ 	}
+-#endif
+ 
+ 	hstartcol = (numrows + 1 - parity) >> 1;
+ 
+@@ -821,12 +767,10 @@ void jpc_qmfb_join_colgrp(jpc_fix_t *a,
+ 		srcptr += JPC_QMFB_COLGRPSIZE;
+ 	}
+ 
+-#if !defined(HAVE_VLA)
+ 	/* If the join buffer was allocated on the heap, free this memory. */
+ 	if (buf != joinbuf) {
+ 		jas_free(buf);
+ 	}
+-#endif
+ 
+ }
+ 
+@@ -835,11 +779,7 @@ void jpc_qmfb_join_colres(jpc_fix_t *a,
+ {
+ 
+ 	int bufsize = JPC_CEILDIVPOW2(numrows, 1);
+-#if !defined(HAVE_VLA)
+ 	jpc_fix_t joinbuf[QMFB_JOINBUFSIZE * JPC_QMFB_COLGRPSIZE];
+-#else
+-	jpc_fix_t joinbuf[bufsize * numcols];
+-#endif
+ 	jpc_fix_t *buf = joinbuf;
+ 	jpc_fix_t *srcptr;
+ 	jpc_fix_t *dstptr;
+@@ -849,7 +789,6 @@ void jpc_qmfb_join_colres(jpc_fix_t *a,
+ 	register int i;
+ 	int hstartcol;
+ 
+-#if !defined(HAVE_VLA)
+ 	/* Allocate memory for the join buffer from the heap. */
+ 	if (bufsize > QMFB_JOINBUFSIZE) {
+ 		if (!(buf = jas_alloc3(bufsize, numcols, sizeof(jpc_fix_t)))) {
+@@ -857,7 +796,6 @@ void jpc_qmfb_join_colres(jpc_fix_t *a,
+ 			abort();
+ 		}
+ 	}
+-#endif
+ 
+ 	hstartcol = (numrows + 1 - parity) >> 1;
+ 
+@@ -907,12 +845,10 @@ void jpc_qmfb_join_colres(jpc_fix_t *a,
+ 		srcptr += numcols;
+ 	}
+ 
+-#if !defined(HAVE_VLA)
+ 	/* If the join buffer was allocated on the heap, free this memory. */
+ 	if (buf != joinbuf) {
+ 		jas_free(buf);
+ 	}
+-#endif
+ 
+ }
+ 
diff --git a/gnu/packages/patches/jasper-CVE-2014-9029.patch b/gnu/packages/patches/jasper-CVE-2014-9029.patch
new file mode 100644
index 0000000..72b4cc2
--- /dev/null
+++ b/gnu/packages/patches/jasper-CVE-2014-9029.patch
@@ -0,0 +1,36 @@
+Fix CVE-2014-9029 (Heap overflows in libjasper).
+
+Copied from Fedora.
+
+http://pkgs.fedoraproject.org/cgit/rpms/jasper.git/tree/jasper-CVE-2014-9029.patch
+https://bugzilla.redhat.com/show_bug.cgi?id=1167537
+
+--- jasper-1.900.1.orig/src/libjasper/jpc/jpc_dec.c	2014-11-27 12:45:44.000000000 +0100
++++ jasper-1.900.1/src/libjasper/jpc/jpc_dec.c	2014-11-27 12:44:58.000000000 +0100
+@@ -1281,7 +1281,7 @@ static int jpc_dec_process_coc(jpc_dec_t
+ 	jpc_coc_t *coc = &ms->parms.coc;
+ 	jpc_dec_tile_t *tile;
+ 
+-	if (JAS_CAST(int, coc->compno) > dec->numcomps) {
++	if (JAS_CAST(int, coc->compno) >= dec->numcomps) {
+ 		jas_eprintf("invalid component number in COC marker segment\n");
+ 		return -1;
+ 	}
+@@ -1307,7 +1307,7 @@ static int jpc_dec_process_rgn(jpc_dec_t
+ 	jpc_rgn_t *rgn = &ms->parms.rgn;
+ 	jpc_dec_tile_t *tile;
+ 
+-	if (JAS_CAST(int, rgn->compno) > dec->numcomps) {
++	if (JAS_CAST(int, rgn->compno) >= dec->numcomps) {
+ 		jas_eprintf("invalid component number in RGN marker segment\n");
+ 		return -1;
+ 	}
+@@ -1356,7 +1356,7 @@ static int jpc_dec_process_qcc(jpc_dec_t
+ 	jpc_qcc_t *qcc = &ms->parms.qcc;
+ 	jpc_dec_tile_t *tile;
+ 
+-	if (JAS_CAST(int, qcc->compno) > dec->numcomps) {
++	if (JAS_CAST(int, qcc->compno) >= dec->numcomps) {
+ 		jas_eprintf("invalid component number in QCC marker segment\n");
+ 		return -1;
+ 	}
diff --git a/gnu/packages/patches/jasper-CVE-2016-1867.patch b/gnu/packages/patches/jasper-CVE-2016-1867.patch
new file mode 100644
index 0000000..2d2ca6f
--- /dev/null
+++ b/gnu/packages/patches/jasper-CVE-2016-1867.patch
@@ -0,0 +1,18 @@
+Fix CVE-2016-1867 (Out-of-bounds read in jpc_pi_nextcprl()).
+
+Copied from SUSE.
+
+https://bugzilla.suse.com/show_bug.cgi?id=961886
+https://bugzilla.redhat.com/show_bug.cgi?id=1298135
+
+--- jasper-1.900.1/src/libjasper/jpc/jpc_t2cod.c	2007-01-19 22:43:07.000000000 +0100
++++ jasper-1.900.1/src/libjasper/jpc/jpc_t2cod.c	2016-01-14 14:22:24.569056412 +0100
+@@ -429,7 +429,7 @@
+ 	}
+ 
+ 	for (pi->compno = pchg->compnostart, pi->picomp =
+-	  &pi->picomps[pi->compno]; pi->compno < JAS_CAST(int, pchg->compnoend); ++pi->compno,
++	  &pi->picomps[pi->compno]; pi->compno < JAS_CAST(int, pchg->compnoend) && pi->compno < pi->numcomps; ++pi->compno,
+ 	  ++pi->picomp) {
+ 		pirlvl = pi->picomp->pirlvls;
+ 		pi->xstep = pi->picomp->hsamp * (1 << (pirlvl->prcwidthexpn +
-- 
2.6.3

^ permalink raw reply related	[flat|nested] 5+ messages in thread

* Re: [v2 0/1] Jasper security fixes
  2016-02-04  8:12 [v2 0/1] Jasper security fixes Leo Famulari
  2016-02-04  8:12 ` [v2 1/1] gnu: jasper: Add fixes for several security flaws Leo Famulari
@ 2016-02-04 10:45 ` Andreas Enge
  2016-02-04 20:16   ` Leo Famulari
  1 sibling, 1 reply; 5+ messages in thread
From: Andreas Enge @ 2016-02-04 10:45 UTC (permalink / raw)
  To: Leo Famulari; +Cc: guix-devel

It is a bit frightening that such a package with lots of CVE fixes apparently
is dead upstream (since the patches from 2008 have not been incorporated into
a new release). On the other hand, someone must have written the patches;
is there no new upstream who has taken over? If not, is the software still
useful and unique enough to keep it around?

Apart from these more fundamental questions, it looks good to push.

Andreas

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [v2 0/1] Jasper security fixes
  2016-02-04 10:45 ` [v2 0/1] Jasper security fixes Andreas Enge
@ 2016-02-04 20:16   ` Leo Famulari
  2016-02-04 21:20     ` Ludovic Courtès
  0 siblings, 1 reply; 5+ messages in thread
From: Leo Famulari @ 2016-02-04 20:16 UTC (permalink / raw)
  To: Andreas Enge; +Cc: guix-devel

On Thu, Feb 04, 2016 at 11:45:38AM +0100, Andreas Enge wrote:
> It is a bit frightening that such a package with lots of CVE fixes apparently
> is dead upstream (since the patches from 2008 have not been incorporated into
> a new release). On the other hand, someone must have written the patches;
> is there no new upstream who has taken over? If not, is the software still
> useful and unique enough to keep it around?

I agree. The upstream developers claims to be responsive [0] but its
hard to reconcile that with 9 years of unpatched CVEs. Especially when
many of these patches address potential untrusted remote code execution.

It seems that sometimes a distro adopts anothers distro's patch, or
sometimes writes their own. Every distro is maintaining their own patch
quilt. Not good!

I haven't found a new upstream for jasper.

Thankfully, only Kodi depends on jasper in our tree. I searched my store
for other software that might have bundled it and found nothing, but I
don't have many programs that would handle JPEGs installed. Perhaps it's
possible to use some other JPEG implementation in Kodi and drop jasper.

Sadly, there are many packages in our tree, with active upstreams, that
are probably just as vulnerable.

> 
> Apart from these more fundamental questions, it looks good to push.

Done.

[0]
http://www.ece.uvic.ca/~frodo/jasper/#faq

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [v2 0/1] Jasper security fixes
  2016-02-04 20:16   ` Leo Famulari
@ 2016-02-04 21:20     ` Ludovic Courtès
  0 siblings, 0 replies; 5+ messages in thread
From: Ludovic Courtès @ 2016-02-04 21:20 UTC (permalink / raw)
  To: Leo Famulari; +Cc: guix-devel

Thanks for taking care of it, Leo.

Ludo’.

^ permalink raw reply	[flat|nested] 5+ messages in thread

end of thread, other threads:[~2016-02-04 21:20 UTC | newest]

Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2016-02-04  8:12 [v2 0/1] Jasper security fixes Leo Famulari
2016-02-04  8:12 ` [v2 1/1] gnu: jasper: Add fixes for several security flaws Leo Famulari
2016-02-04 10:45 ` [v2 0/1] Jasper security fixes Andreas Enge
2016-02-04 20:16   ` Leo Famulari
2016-02-04 21:20     ` Ludovic Courtès

Code repositories for project(s) associated with this external index

	https://git.savannah.gnu.org/cgit/guix.git

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.