pyrox.dev
/
nixpkgs
jasper: CVE-2014-8157, CVE-2014-8158, fixes #6114
Domen Kožar
11 years ago
eaeef037
d50bfd75
+346
-2
3 changed files
pkgs
development
libraries
jasper
default.nix
jasper-CVE-2014-8157.diff
jasper-CVE-2014-8158.diff
+5
-2
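--- a/pkgs/development/libraries/jasper/default.nix
+++ b/pkgs/development/libraries/jasper/default.nix
@@ -1,4 +1,4 @@
-{stdenv, fetchurl, unzip, xlibs, libjpeg}:
+{ stdenv, fetchurl, unzip, xlibs, libjpeg }:
 
 stdenv.mkDerivation rec {
 name = "jasper-1.900.1";
@@ -9,8 +9,11 @@
 };
 
 patches = [
-./jasper-CVE-2014-8137-variant2.diff ./jasper-CVE-2014-8137-noabort.diff
+./jasper-CVE-2014-8137-variant2.diff
+./jasper-CVE-2014-8137-noabort.diff
 ./jasper-CVE-2014-8138.diff
+./jasper-CVE-2014-8157.diff
+./jasper-CVE-2014-8158.diff
 ./jasper-CVE-2014-9029.diff
 ];
 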
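Review bot: Nothing in the `patches` list records where `./jasper-CVE-2014-8157.diff` and `./jasper-CVE-2014-8158.diff` were taken from, so a later reader cannot compare them with the upstream or distribution fix they are meant to carry. The same gap exists inside both new patch files, which begin directly at their `diff -up` line with no description header. A comment above the two entries would close it, for example `# CVE-2014-8157, CVE-2014-8158: taken from <origin URL>`, with the real source filled in.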
+12
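--- a/pkgs/development/libraries/jasper/jasper-CVE-2014-8157.diff
+++ b/pkgs/development/libraries/jasper/jasper-CVE-2014-8157.diff
@@ -0,0 +1,12 @@
+diff -up jasper-1.900.1/src/libjasper/jpc/jpc_dec.c.CVE-2014-8157 jasper-1.900.1/src/libjasper/jpc/jpc_dec.c
+--- jasper-1.900.1/src/libjasper/jpc/jpc_dec.c.CVE-2014-8157 2015-01-19 16:59:36.000000000 +0100
++++ jasper-1.900.1/src/libjasper/jpc/jpc_dec.c 2015-01-19 17:07:41.609863268 +0100
+@@ -489,7 +489,7 @@ static int jpc_dec_process_sot(jpc_dec_t
+dec->curtileendoff = 0;
+}
+
+- if (JAS_CAST(int, sot->tileno) > dec->numtiles) {
++ if (JAS_CAST(int, sot->tileno) >= dec->numtiles) {
+jas_eprintf("invalid tile number in SOT marker segment\n");
+return -1;
+}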
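Review bot: The guard bounds `sot->tileno` only from above, and only after `JAS_CAST(int, ...)`, so it is complete only if the field's type cannot produce a negative int; that declaration is not in this hunk. If it can, the check should read `if (JAS_CAST(int, sot->tileno) < 0 || JAS_CAST(int, sot->tileno) >= dec->numtiles) {`. The rest of jpc_dec_process_sot, including whatever the tile number goes on to index, lies outside the hunk.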
+329
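--- a/pkgs/development/libraries/jasper/jasper-CVE-2014-8158.diff
+++ b/pkgs/development/libraries/jasper/jasper-CVE-2014-8158.diff
@@ -0,0 +1,329 @@
+diff -up jasper-1.900.1/src/libjasper/jpc/jpc_qmfb.c.CVE-2014-8158 jasper-1.900.1/src/libjasper/jpc/jpc_qmfb.c
+--- jasper-1.900.1/src/libjasper/jpc/jpc_qmfb.c.CVE-2014-8158 2015-01-19 17:25:28.730195502 +0100
++++ jasper-1.900.1/src/libjasper/jpc/jpc_qmfb.c 2015-01-19 17:27:20.214663127 +0100
+@@ -306,11 +306,7 @@ void jpc_qmfb_split_row(jpc_fix_t *a, in
+{
+
+int bufsize = JPC_CEILDIVPOW2(numcols, 1);
+-#if !defined(HAVE_VLA)
+jpc_fix_t splitbuf[QMFB_SPLITBUFSIZE];
+-#else
+- jpc_fix_t splitbuf[bufsize];
+-#endif
+jpc_fix_t *buf = splitbuf;
+register jpc_fix_t *srcptr;
+register jpc_fix_t *dstptr;
+@@ -318,7 +314,6 @@ void jpc_qmfb_split_row(jpc_fix_t *a, in
+register int m;
+int hstartcol;
+
+-#if !defined(HAVE_VLA)
+/* Get a buffer. */
+if (bufsize > QMFB_SPLITBUFSIZE) {
+if (!(buf = jas_alloc2(bufsize, sizeof(jpc_fix_t)))) {
+@@ -326,7 +321,6 @@ void jpc_qmfb_split_row(jpc_fix_t *a, in
+abort();
+}
+}
+-#endif
+
+if (numcols >= 2) {
+hstartcol = (numcols + 1 - parity) >> 1;
+@@ -360,12 +354,10 @@ void jpc_qmfb_split_row(jpc_fix_t *a, in
+}
+}
+
+-#if !defined(HAVE_VLA)
+/* If the split buffer was allocated on the heap, free this memory. */
+if (buf != splitbuf) {
+jas_free(buf);
+}
+-#endif
+
+}
+
+@@ -374,11 +366,7 @@ void jpc_qmfb_split_col(jpc_fix_t *a, in
+{
+
+int bufsize = JPC_CEILDIVPOW2(numrows, 1);
+-#if !defined(HAVE_VLA)
+jpc_fix_t splitbuf[QMFB_SPLITBUFSIZE];
+-#else
+- jpc_fix_t splitbuf[bufsize];
+-#endif
+jpc_fix_t *buf = splitbuf;
+register jpc_fix_t *srcptr;
+register jpc_fix_t *dstptr;
+@@ -386,7 +374,6 @@ void jpc_qmfb_split_col(jpc_fix_t *a, in
+register int m;
+int hstartcol;
+
+-#if !defined(HAVE_VLA)
+/* Get a buffer. */
+if (bufsize > QMFB_SPLITBUFSIZE) {
+if (!(buf = jas_alloc2(bufsize, sizeof(jpc_fix_t)))) {
+@@ -394,7 +381,6 @@ void jpc_qmfb_split_col(jpc_fix_t *a, in
+abort();
+}
+}
+-#endif
+
+if (numrows >= 2) {
+hstartcol = (numrows + 1 - parity) >> 1;
+@@ -428,12 +414,10 @@ void jpc_qmfb_split_col(jpc_fix_t *a, in
+}
+}
+
+-#if !defined(HAVE_VLA)
+/* If the split buffer was allocated on the heap, free this memory. */
+if (buf != splitbuf) {
+jas_free(buf);
+}
+-#endif
+
+}
+
+@@ -442,11 +426,7 @@ void jpc_qmfb_split_colgrp(jpc_fix_t *a,
+{
+
+int bufsize = JPC_CEILDIVPOW2(numrows, 1);
+-#if !defined(HAVE_VLA)
+jpc_fix_t splitbuf[QMFB_SPLITBUFSIZE * JPC_QMFB_COLGRPSIZE];
+-#else
+- jpc_fix_t splitbuf[bufsize * JPC_QMFB_COLGRPSIZE];
+-#endif
+jpc_fix_t *buf = splitbuf;
+jpc_fix_t *srcptr;
+jpc_fix_t *dstptr;
+@@ -457,7 +437,6 @@ void jpc_qmfb_split_colgrp(jpc_fix_t *a,
+int m;
+int hstartcol;
+
+-#if !defined(HAVE_VLA)
+/* Get a buffer. */
+if (bufsize > QMFB_SPLITBUFSIZE) {
+if (!(buf = jas_alloc2(bufsize, sizeof(jpc_fix_t)))) {
+@@ -465,7 +444,6 @@ void jpc_qmfb_split_colgrp(jpc_fix_t *a,
+abort();
+}
+}
+-#endif
+
+if (numrows >= 2) {
+hstartcol = (numrows + 1 - parity) >> 1;
+@@ -517,12 +495,10 @@ void jpc_qmfb_split_colgrp(jpc_fix_t *a,
+}
+}
+
+-#if !defined(HAVE_VLA)
+/* If the split buffer was allocated on the heap, free this memory. */
+if (buf != splitbuf) {
+jas_free(buf);
+}
+-#endif
+
+}
+
+@@ -531,11 +507,7 @@ void jpc_qmfb_split_colres(jpc_fix_t *a,
+{
+
+int bufsize = JPC_CEILDIVPOW2(numrows, 1);
+-#if !defined(HAVE_VLA)
+jpc_fix_t splitbuf[QMFB_SPLITBUFSIZE * JPC_QMFB_COLGRPSIZE];
+-#else
+- jpc_fix_t splitbuf[bufsize * numcols];
+-#endif
+jpc_fix_t *buf = splitbuf;
+jpc_fix_t *srcptr;
+jpc_fix_t *dstptr;
+@@ -546,7 +518,6 @@ void jpc_qmfb_split_colres(jpc_fix_t *a,
+int m;
+int hstartcol;
+
+-#if !defined(HAVE_VLA)
+/* Get a buffer. */
+if (bufsize > QMFB_SPLITBUFSIZE) {
+if (!(buf = jas_alloc2(bufsize, sizeof(jpc_fix_t)))) {
+@@ -554,7 +525,6 @@ void jpc_qmfb_split_colres(jpc_fix_t *a,
+abort();
+}
+}
+-#endif
+
+if (numrows >= 2) {
+hstartcol = (numrows + 1 - parity) >> 1;
+@@ -606,12 +576,10 @@ void jpc_qmfb_split_colres(jpc_fix_t *a,
+}
+}
+
+-#if !defined(HAVE_VLA)
+/* If the split buffer was allocated on the heap, free this memory. */
+if (buf != splitbuf) {
+jas_free(buf);
+}
+-#endif
+
+}
+
+@@ -619,18 +587,13 @@ void jpc_qmfb_join_row(jpc_fix_t *a, int
+{
+
+int bufsize = JPC_CEILDIVPOW2(numcols, 1);
+-#if !defined(HAVE_VLA)
+jpc_fix_t joinbuf[QMFB_JOINBUFSIZE];
+-#else
+- jpc_fix_t joinbuf[bufsize];
+-#endif
+jpc_fix_t *buf = joinbuf;
+register jpc_fix_t *srcptr;
+register jpc_fix_t *dstptr;
+register int n;
+int hstartcol;
+
+-#if !defined(HAVE_VLA)
+/* Allocate memory for the join buffer from the heap. */
+if (bufsize > QMFB_JOINBUFSIZE) {
+if (!(buf = jas_alloc2(bufsize, sizeof(jpc_fix_t)))) {
+@@ -638,7 +601,6 @@ void jpc_qmfb_join_row(jpc_fix_t *a, int
+abort();
+}
+}
+-#endif
+
+hstartcol = (numcols + 1 - parity) >> 1;
+
+@@ -670,12 +632,10 @@ void jpc_qmfb_join_row(jpc_fix_t *a, int
+++srcptr;
+}
+
+-#if !defined(HAVE_VLA)
+/* If the join buffer was allocated on the heap, free this memory. */
+if (buf != joinbuf) {
+jas_free(buf);
+}
+-#endif
+
+}
+
+@@ -684,18 +644,13 @@ void jpc_qmfb_join_col(jpc_fix_t *a, int
+{
+
+int bufsize = JPC_CEILDIVPOW2(numrows, 1);
+-#if !defined(HAVE_VLA)
+jpc_fix_t joinbuf[QMFB_JOINBUFSIZE];
+-#else
+- jpc_fix_t joinbuf[bufsize];
+-#endif
+jpc_fix_t *buf = joinbuf;
+register jpc_fix_t *srcptr;
+register jpc_fix_t *dstptr;
+register int n;
+int hstartcol;
+
+-#if !defined(HAVE_VLA)
+/* Allocate memory for the join buffer from the heap. */
+if (bufsize > QMFB_JOINBUFSIZE) {
+if (!(buf = jas_alloc2(bufsize, sizeof(jpc_fix_t)))) {
+@@ -703,7 +658,6 @@ void jpc_qmfb_join_col(jpc_fix_t *a, int
+abort();
+}
+}
+-#endif
+
+hstartcol = (numrows + 1 - parity) >> 1;
+
+@@ -735,12 +689,10 @@ void jpc_qmfb_join_col(jpc_fix_t *a, int
+++srcptr;
+}
+
+-#if !defined(HAVE_VLA)
+/* If the join buffer was allocated on the heap, free this memory. */
+if (buf != joinbuf) {
+jas_free(buf);
+}
+-#endif
+
+}
+
+@@ -749,11 +701,7 @@ void jpc_qmfb_join_colgrp(jpc_fix_t *a,
+{
+
+int bufsize = JPC_CEILDIVPOW2(numrows, 1);
+-#if !defined(HAVE_VLA)
+jpc_fix_t joinbuf[QMFB_JOINBUFSIZE * JPC_QMFB_COLGRPSIZE];
+-#else
+- jpc_fix_t joinbuf[bufsize * JPC_QMFB_COLGRPSIZE];
+-#endif
+jpc_fix_t *buf = joinbuf;
+jpc_fix_t *srcptr;
+jpc_fix_t *dstptr;
+@@ -763,7 +711,6 @@ void jpc_qmfb_join_colgrp(jpc_fix_t *a,
+register int i;
+int hstartcol;
+
+-#if !defined(HAVE_VLA)
+/* Allocate memory for the join buffer from the heap. */
+if (bufsize > QMFB_JOINBUFSIZE) {
+if (!(buf = jas_alloc2(bufsize, JPC_QMFB_COLGRPSIZE * sizeof(jpc_fix_t)))) {
+@@ -771,7 +718,6 @@ void jpc_qmfb_join_colgrp(jpc_fix_t *a,
+abort();
+}
+}
+-#endif
+
+hstartcol = (numrows + 1 - parity) >> 1;
+
+@@ -821,12 +767,10 @@ void jpc_qmfb_join_colgrp(jpc_fix_t *a,
+srcptr += JPC_QMFB_COLGRPSIZE;
+}
+
+-#if !defined(HAVE_VLA)
+/* If the join buffer was allocated on the heap, free this memory. */
+if (buf != joinbuf) {
+jas_free(buf);
+}
+-#endif
+
+}
+
+@@ -835,11 +779,7 @@ void jpc_qmfb_join_colres(jpc_fix_t *a,
+{
+
+int bufsize = JPC_CEILDIVPOW2(numrows, 1);
+-#if !defined(HAVE_VLA)
+jpc_fix_t joinbuf[QMFB_JOINBUFSIZE * JPC_QMFB_COLGRPSIZE];
+-#else
+- jpc_fix_t joinbuf[bufsize * numcols];
+-#endif
+jpc_fix_t *buf = joinbuf;
+jpc_fix_t *srcptr;
+jpc_fix_t *dstptr;
+@@ -849,7 +789,6 @@ void jpc_qmfb_join_colres(jpc_fix_t *a,
+register int i;
+int hstartcol;
+
+-#if !defined(HAVE_VLA)
+/* Allocate memory for the join buffer from the heap. */
+if (bufsize > QMFB_JOINBUFSIZE) {
+if (!(buf = jas_alloc3(bufsize, numcols, sizeof(jpc_fix_t)))) {
+@@ -857,7 +796,6 @@ void jpc_qmfb_join_colres(jpc_fix_t *a,
+abort();
+}
+}
+-#endif
+
+hstartcol = (numrows + 1 - parity) >> 1;
+
+@@ -907,12 +845,10 @@ void jpc_qmfb_join_colres(jpc_fix_t *a,
+srcptr += numcols;
+}
+
+-#if !defined(HAVE_VLA)
+/* If the join buffer was allocated on the heap, free this memory. */
+if (buf != joinbuf) {
+jas_free(buf);
+}
+-#endif
+
+}
+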
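Review bot: The heap fallback in `jpc_qmfb_split_colgrp` and `jpc_qmfb_split_colres` looks undersized: it requests `jas_alloc2(bufsize, sizeof(jpc_fix_t))`, one element per row, while the stack array it stands in for is `QMFB_SPLITBUFSIZE * JPC_QMFB_COLGRPSIZE` and the VLAs this patch removes were `bufsize * JPC_QMFB_COLGRPSIZE` and `bufsize * numcols`. The join counterparts in the same patch already allocate per column (`jas_alloc2(bufsize, JPC_QMFB_COLGRPSIZE * sizeof(jpc_fix_t))` and `jas_alloc3(bufsize, numcols, sizeof(jpc_fix_t))`), so the split functions should probably use `jas_alloc3(bufsize, JPC_QMFB_COLGRPSIZE, sizeof(jpc_fix_t))` and `jas_alloc3(bufsize, numcols, sizeof(jpc_fix_t))`; the loops that fill `buf` are outside the shown hunks, so this needs checking against the full function bodies. With the `HAVE_VLA` branches gone, every build reaches that allocation once `bufsize > QMFB_SPLITBUFSIZE`, a value derived from `numrows`, which presumably follows the decoded image's dimensions. Separately, both `*_colres` functions keep a stack array sized by `JPC_QMFB_COLGRPSIZE` and test only `bufsize`, so they rely on callers passing `numcols <= JPC_QMFB_COLGRPSIZE`.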