!18 [sync] PR-17: fix CVE-2024-31744

From: @openeuler-sync-bot Reviewed-by: @dillon_chen Signed-off-by: @dillon_chen
fix CVE-2024-31744
2024-04-28 05:39:57 +00:00 · 2024-04-28 12:04:43 +08:00 · 2024-03-27 07:46:43 +00:00 · 2024-03-27 15:23:29 +08:00 · 2024-03-25 11:22:04 +00:00 · 2024-03-25 16:42:33 +08:00
19 changed files with 172 additions and 485 deletions
--- a/CVE-2018-18873.patch
+++ b/CVE-2018-18873.patch
@ -1,30 +0,0 @@
 From 12db8078ba17a8ffc5cc2429fb506988f0f11b44 Mon Sep 17 00:00:00 2001
 From: Max Kellermann <max.kellermann@gmail.com>
 Date: Sun, 28 Jun 2020 13:25:12 +0200
 Subject: [PATCH] ras_enc: check components for RGB, fixes NULL pointer
 dereference
 Fixes CVE-2018-18873
 Closes https://github.com/jasper-maint/jasper/issues/15
 Closes https://github.com/mdadams/jasper/issues/184
 ---
 src/libjasper/ras/ras_enc.c | 5 +++++
 1 file changed, 5 insertions(+)
 diff --git a/src/libjasper/ras/ras_enc.c b/src/libjasper/ras/ras_enc.c
 index 85ff9a3..dc4f151 100644
 --- a/src/libjasper/ras/ras_enc.c
 +++ b/src/libjasper/ras/ras_enc.c
@@ -232,6 +232,11 @@ static int ras_putdatastd(jas_stream_t *out, ras_hdr_t *hdr, jas_image_t *image,
 	assert(numcmpts <= 3);
 +	if (RAS_ISRGB(hdr) && numcmpts < 3) {
 +		/* need 3 components for RGB */
 +		return -1;
 +	}
 +
 	for (i = 0; i < 3; ++i) {
 		data[i] = 0;
 	}
--- a/CVE-2018-19139.patch
+++ b/CVE-2018-19139.patch
@ -1,28 +0,0 @@
 From 708871879b86443c28bcb5505d3fd04e8384f8aa Mon Sep 17 00:00:00 2001
 From: Max Kellermann <max.kellermann@gmail.com>
 Date: Wed, 24 Jun 2020 21:09:02 +0200
 Subject: [PATCH] jpc_cs: register jpc_unk_destroyparms() in all unknown
 segments
 Fixes CVE-2018-19139 (memory leak)
 Closes https://github.com/jasper-maint/jasper/issues/14
 ---
 src/libjasper/jpc/jpc_cs.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
 diff --git a/src/libjasper/jpc/jpc_cs.c b/src/libjasper/jpc/jpc_cs.c
 index 8a2e0ab..6c61d44 100644
 --- a/src/libjasper/jpc/jpc_cs.c
 +++ b/src/libjasper/jpc/jpc_cs.c
@@ -190,8 +190,8 @@ static const jpc_mstabent_t jpc_mstab[] = {
 	  jpc_qcc_putparms, jpc_qcc_dumpparms}},
 	{JPC_MS_POC, "POC", {jpc_poc_destroyparms, jpc_poc_getparms,
 	  jpc_poc_putparms, jpc_poc_dumpparms}},
 -	{JPC_MS_TLM, "TLM", {0, jpc_unk_getparms, jpc_unk_putparms, 0}},
 -	{JPC_MS_PLM, "PLM", {0, jpc_unk_getparms, jpc_unk_putparms, 0}},
 +	{JPC_MS_TLM, "TLM", {jpc_unk_destroyparms, jpc_unk_getparms, jpc_unk_putparms, 0}},
 +	{JPC_MS_PLM, "PLM", {jpc_unk_destroyparms, jpc_unk_getparms, jpc_unk_putparms, 0}},
 	{JPC_MS_PPM, "PPM", {jpc_ppm_destroyparms, jpc_ppm_getparms,
 	  jpc_ppm_putparms, jpc_ppm_dumpparms}},
 	{JPC_MS_PPT, "PPT", {jpc_ppt_destroyparms, jpc_ppt_getparms,
--- a/CVE-2018-19539.patch
+++ b/CVE-2018-19539.patch
@ -1,14 +0,0 @@
 diff --git a/jasper-2.0.14/src/libjasper/base/jas_image.c b/jasper-2.0.14-edit/src/libjasper/base/jas_image.c
 index e71b86a..6aafc3a 100644
 --- a/src/libjasper/base/jas_image.c
 +++ b/src/libjasper/base/jas_image.c
@@ -553,6 +553,9 @@ int jas_image_writecmpt(jas_image_t *image, int cmptno, jas_image_coord_t x,
 	  image, cmptno, JAS_CAST(long, x), JAS_CAST(long, y),
 	  JAS_CAST(long, width), JAS_CAST(long, height), data));
 +        if(data == NULL)
 +		return -1;
 +
 	if (cmptno < 0 || cmptno >= image->numcmpts_) {
 		return -1;
 	}
--- a/CVE-2018-19540.patch
+++ b/CVE-2018-19540.patch
@ -1,13 +0,0 @@
 diff --git a/jasper-2.0.14/src/libjasper/base/jas_icc.c b/jasper-2.0.14-edit/src/libjasper/base/jas_icc.c
 index 4607930..762c0e8 100644
 --- a/src/libjasper/base/jas_icc.c
 +++ b/src/libjasper/base/jas_icc.c
@@ -1104,6 +1104,8 @@ static int jas_icctxtdesc_input(jas_iccattrval_t *attrval, jas_stream_t *in,
 	if (jas_stream_read(in, txtdesc->ascdata, txtdesc->asclen) !=
 	  JAS_CAST(int, txtdesc->asclen))
 		goto error;
 +	if (txtdesc->asclen < 1)
 +		goto error;
 	txtdesc->ascdata[txtdesc->asclen - 1] = '\0';
 	if (jas_iccgetuint32(in, &txtdesc->uclangcode) ||
 	  jas_iccgetuint32(in, &txtdesc->uclen))
--- a/CVE-2018-19541.patch
+++ b/CVE-2018-19541.patch
@ -1,14 +0,0 @@
 diff --git a/jasper-2.0.14/src/libjasper/base/jas_image.c b/jasper-2.0.14-edit/src/libjasper/base/jas_image.c
 index 6aafc3a..31ddb4b 100644
 --- a/src/libjasper/base/jas_image.c
 +++ b/src/libjasper/base/jas_image.c
@@ -978,6 +978,9 @@ int jas_image_depalettize(jas_image_t *image, int cmptno, int numlutents,
 	cmptparms.prec = JAS_IMAGE_CDT_GETPREC(dtype);
 	cmptparms.sgnd = JAS_IMAGE_CDT_GETSGND(dtype);
 +	if (numlutents < 1) {
 +		return -1;
 +	}
 	if (jas_image_addcmpt(image, newcmptno, &cmptparms)) {
 		return -1;
 	}
--- a/CVE-2018-20570.patch
+++ b/CVE-2018-20570.patch
@ -1,47 +0,0 @@
 From 03db7c81f6a8a92d896249bc673877749987fd7a Mon Sep 17 00:00:00 2001
 From: Max Kellermann <max.kellermann@gmail.com>
 Date: Wed, 24 Jun 2020 21:26:10 +0200
 Subject: [PATCH] jp2_enc: check number of components before dereferencing them
 Fixes CVE-2018-20570
 Closes https://github.com/jasper-maint/jasper/issues/11
 Closes https://github.com/mdadams/jasper/issues/191
 ---
 src/libjasper/jp2/jp2_enc.c | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)
 diff --git a/src/libjasper/jp2/jp2_enc.c b/src/libjasper/jp2/jp2_enc.c
 index fd39a84..1b44c18 100644
 --- a/src/libjasper/jp2/jp2_enc.c
 +++ b/src/libjasper/jp2/jp2_enc.c
@@ -293,7 +293,8 @@ int jp2_encode(jas_image_t *image, jas_stream_t *out, const char *optstr)
 	needcdef = 1;
 	switch (jas_clrspc_fam(jas_image_clrspc(image))) {
 	case JAS_CLRSPC_FAM_RGB:
 -		if (jas_image_cmpttype(image, 0) ==
 +		if (jas_image_numcmpts(image) >= 3 &&
 +		  jas_image_cmpttype(image, 0) ==
 		  JAS_IMAGE_CT_COLOR(JAS_CLRSPC_CHANIND_RGB_R) &&
 		  jas_image_cmpttype(image, 1) ==
 		  JAS_IMAGE_CT_COLOR(JAS_CLRSPC_CHANIND_RGB_G) &&
@@ -302,7 +303,8 @@ int jp2_encode(jas_image_t *image, jas_stream_t *out, const char *optstr)
 			needcdef = 0;
 		break;
 	case JAS_CLRSPC_FAM_YCBCR:
 -		if (jas_image_cmpttype(image, 0) ==
 +		if (jas_image_numcmpts(image) >= 3 &&
 +		  jas_image_cmpttype(image, 0) ==
 		  JAS_IMAGE_CT_COLOR(JAS_CLRSPC_CHANIND_YCBCR_Y) &&
 		  jas_image_cmpttype(image, 1) ==
 		  JAS_IMAGE_CT_COLOR(JAS_CLRSPC_CHANIND_YCBCR_CB) &&
@@ -311,7 +313,8 @@ int jp2_encode(jas_image_t *image, jas_stream_t *out, const char *optstr)
 			needcdef = 0;
 		break;
 	case JAS_CLRSPC_FAM_GRAY:
 -		if (jas_image_cmpttype(image, 0) ==
 +		if (jas_image_numcmpts(image) >= 1 &&
 +		  jas_image_cmpttype(image, 0) ==
 		  JAS_IMAGE_CT_COLOR(JAS_IMAGE_CT_GRAY_Y))
 			needcdef = 0;
 		break;
--- a/CVE-2018-20622.patch
+++ b/CVE-2018-20622.patch
@ -1,86 +0,0 @@
 From aa8516b28344aa1263ee538bb7366c4679a0e1a5 Mon Sep 17 00:00:00 2001
 From: Max Kellermann <max.kellermann@gmail.com>
 Date: Wed, 24 Jun 2020 21:41:24 +0200
 Subject: [PATCH] jpc_t2dec: fix various memory leaks in jpc_dec_decodepkt()
 Fixes CVE-2018-20622
 Closes https://github.com/jasper-maint/jasper/issues/12
 Closes https://github.com/mdadams/jasper/issues/193
 ---
 src/libjasper/jpc/jpc_t2dec.c | 9 +++++++++
 1 file changed, 9 insertions(+)
 diff --git a/src/libjasper/jpc/jpc_t2dec.c b/src/libjasper/jpc/jpc_t2dec.c
 index 81d1f61..e88ccb6 100644
 --- a/src/libjasper/jpc/jpc_t2dec.c
 +++ b/src/libjasper/jpc/jpc_t2dec.c
@@ -225,6 +225,7 @@ hdroffstart = jas_stream_getrwcount(pkthdrstream);
 	}
 	if ((present = jpc_bitstream_getbit(inb)) < 0) {
 +		jpc_bitstream_close(inb);
 		return 1;
 	}
 	JAS_DBGLOG(10, ("\n", present));
@@ -252,10 +253,12 @@ hdroffstart = jas_stream_getrwcount(pkthdrstream);
 				if (!cblk->numpasses) {
 					leaf = jpc_tagtree_getleaf(prc->incltagtree, usedcblkcnt - 1);
 					if ((included = jpc_tagtree_decode(prc->incltagtree, leaf, lyrno + 1, inb)) < 0) {
 +						jpc_bitstream_close(inb);
 						return -1;
 					}
 				} else {
 					if ((included = jpc_bitstream_getbit(inb)) < 0) {
 +						jpc_bitstream_close(inb);
 						return -1;
 					}
 				}
@@ -269,6 +272,7 @@ hdroffstart = jas_stream_getrwcount(pkthdrstream);
 					leaf = jpc_tagtree_getleaf(prc->numimsbstagtree, usedcblkcnt - 1);
 					for (;;) {
 						if ((ret = jpc_tagtree_decode(prc->numimsbstagtree, leaf, i, inb)) < 0) {
 +							jpc_bitstream_close(inb);
 							return -1;
 						}
 						if (ret) {
@@ -280,6 +284,7 @@ hdroffstart = jas_stream_getrwcount(pkthdrstream);
 					cblk->firstpassno = cblk->numimsbs * 3;
 				}
 				if ((numnewpasses = jpc_getnumnewpasses(inb)) < 0) {
 +					jpc_bitstream_close(inb);
 					return -1;
 				}
 				JAS_DBGLOG(10, ("numnewpasses=%d ", numnewpasses));
@@ -288,6 +293,7 @@ hdroffstart = jas_stream_getrwcount(pkthdrstream);
 				mycounter = 0;
 				if (numnewpasses > 0) {
 					if ((m = jpc_getcommacode(inb)) < 0) {
 +						jpc_bitstream_close(inb);
 						return -1;
 					}
 					cblk->numlenbits += m;
@@ -298,6 +304,7 @@ hdroffstart = jas_stream_getrwcount(pkthdrstream);
 						maxpasses = JPC_SEGPASSCNT(passno, cblk->firstpassno, 10000, (ccp->cblkctx & JPC_COX_LAZY) != 0, (ccp->cblkctx & JPC_COX_TERMALL) != 0);
 						if (!discard && !seg) {
 							if (!(seg = jpc_seg_alloc())) {
 +								jpc_bitstream_close(inb);
 								return -1;
 							}
 							jpc_seglist_insert(&cblk->segs, cblk->segs.tail, seg);
@@ -312,6 +319,7 @@ hdroffstart = jas_stream_getrwcount(pkthdrstream);
 						mycounter += n;
 						numnewpasses -= n;
 						if ((len = jpc_bitstream_getbits(inb, cblk->numlenbits + jpc_floorlog2(n))) < 0) {
 +							jpc_bitstream_close(inb);
 							return -1;
 						}
 						JAS_DBGLOG(10, ("len=%d ", len));
@@ -333,6 +341,7 @@ hdroffstart = jas_stream_getrwcount(pkthdrstream);
 	} else {
 		if (jpc_bitstream_inalign(inb, 0x7f, 0)) {
 			jas_eprintf("alignment failed\n");
 +			jpc_bitstream_close(inb);
 			return -1;
 		}
 	}
--- a/CVE-2018-9055.patch
+++ b/CVE-2018-9055.patch
@ -1,63 +0,0 @@
 From d4358fb62a01bd542146a1d25b8f6fd2a0b210fe Mon Sep 17 00:00:00 2001
 From: Michael Vetter <jubalh@iodoru.org>
 Date: Mon, 25 Mar 2019 12:20:26 +0100
 Subject: [PATCH] Fix integer width in jpc_math
 Fix denial of service via a reachable assertion in the function jpc_firstone in libjasper/jpc/jpc_math.c.
 Assigned CVE-2018-9055.
 Fixes https://github.com/mdadams/jasper/issues/172.
 Fix by Fridrich Strba <FStrba@suse.com>.
 ---
 src/libjasper/jpc/jpc_math.c | 4 ++--
 src/libjasper/jpc/jpc_math.h | 5 +++--
 2 files changed, 5 insertions(+), 4 deletions(-)
 diff --git a/src/libjasper/jpc/jpc_math.c b/src/libjasper/jpc/jpc_math.c
 index 2b70844..1b18880 100644
 --- a/src/libjasper/jpc/jpc_math.c
 +++ b/src/libjasper/jpc/jpc_math.c
@@ -86,7 +86,7 @@
 /* Calculate the integer quantity floor(log2(x)), where x is a positive
   integer. */
 -int jpc_floorlog2(int x)
 +int jpc_floorlog2(int_fast32_t x)
 {
 	int y;
@@ -105,7 +105,7 @@ int jpc_floorlog2(int x)
   integer. */
 /* This function is the basically the same as ceillog2(x), except that the
   allowable range for x is slightly different. */
 -int jpc_firstone(int x)
 +int jpc_firstone(int_fast32_t x)
 {
 	int n;
 diff --git a/src/libjasper/jpc/jpc_math.h b/src/libjasper/jpc/jpc_math.h
 index e8e0978..bd80d51 100644
 --- a/src/libjasper/jpc/jpc_math.h
 +++ b/src/libjasper/jpc/jpc_math.h
@@ -67,6 +67,7 @@
 \******************************************************************************/
 #include	<assert.h>
 +#include	<stdint.h>
 /******************************************************************************\
 * Macros
@@ -90,10 +91,10 @@
 /* Calculate the bit position of the first leading one in a nonnegative
   integer. */
 -int jpc_firstone(int x);
 +int jpc_firstone(int_fast32_t x);
 /* Calculate the integer quantity floor(log2(x)), where x is a positive
   integer. */
 -int jpc_floorlog2(int x);
 +int jpc_floorlog2(int_fast32_t x);
 #endif
--- a/CVE-2018-9154.patch
+++ b/CVE-2018-9154.patch
@ -1,40 +0,0 @@
 From fcbabdaaba217124c92dc29472596146756b968e Mon Sep 17 00:00:00 2001
 From: Michael Vetter <jubalh@iodoru.org>
 Date: Tue, 17 Mar 2020 13:32:11 +0100
 Subject: [PATCH] Use return in jpc_dec_process_sot() instead of abort
 We don't need to and should not abort here.
 Fix CVE-2018-9154.
 Fix https://github.com/mdadams/jasper/issues/215
 Fix https://github.com/mdadams/jasper/issues/166
 Fix https://github.com/mdadams/jasper/issues/175
 See: https://github.com/mdadams/jasper/pull/216
 Fix https://github.com/jasper-maint/jasper/issues/8
 ---
 src/libjasper/jpc/jpc_dec.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
 diff --git a/src/libjasper/jpc/jpc_dec.c b/src/libjasper/jpc/jpc_dec.c
 index 6d40786..817009e 100644
 --- a/src/libjasper/jpc/jpc_dec.c
 +++ b/src/libjasper/jpc/jpc_dec.c
@@ -485,7 +485,7 @@ static int jpc_dec_process_sot(jpc_dec_t *dec, jpc_ms_t *ms)
 		if (!(compinfos = jas_alloc2(dec->numcomps,
 		  sizeof(jas_image_cmptparm_t)))) {
 -			abort();
 +			return -1;
 		}
 		for (cmptno = 0, cmpt = dec->cmpts, compinfo = compinfos;
 		  cmptno < dec->numcomps; ++cmptno, ++cmpt, ++compinfo) {
@@ -512,7 +512,7 @@ static int jpc_dec_process_sot(jpc_dec_t *dec, jpc_ms_t *ms)
 			/* Convert the PPM marker segment data into a collection of streams
 			  (one stream per tile-part). */
 			if (!(dec->pkthdrstreams = jpc_ppmstabtostreams(dec->ppmstab))) {
 -				abort();
 +				return -1;
 			}
 			jpc_ppxstab_destroy(dec->ppmstab);
 			dec->ppmstab = 0;
--- a/CVE-2018-9252.patch
+++ b/CVE-2018-9252.patch
@ -1,76 +0,0 @@
 From 6cd1e1d8aff56d0d86d4e7d1e7e3e4dd1c64b55d Mon Sep 17 00:00:00 2001
 From: Max Kellermann <max.kellermann@gmail.com>
 Date: Wed, 24 Jun 2020 19:01:35 +0200
 Subject: [PATCH] jpc_enc: jpc_abstorelstepsize() returns error instead of
 aborting
 Fixes CVE-2018-9252
 Closes https://github.com/jasper-maint/jasper/issues/16
 ---
 src/libjasper/jpc/jpc_enc.c | 19 +++++++++++++++----
 1 file changed, 15 insertions(+), 4 deletions(-)
 diff --git a/src/libjasper/jpc/jpc_enc.c b/src/libjasper/jpc/jpc_enc.c
 index a779645..b11a450 100644
 --- a/src/libjasper/jpc/jpc_enc.c
 +++ b/src/libjasper/jpc/jpc_enc.c
@@ -165,6 +165,9 @@ static jpc_enc_cp_t *cp_create(const char *optstr, jas_image_t *image);
 void jpc_enc_cp_destroy(jpc_enc_cp_t *cp);
 static uint_fast32_t jpc_abstorelstepsize(jpc_fix_t absdelta, int scaleexpn);
 +/**
 + * @return UINT_FAST32_MAX on error
 + */
 static uint_fast32_t jpc_abstorelstepsize(jpc_fix_t absdelta, int scaleexpn)
 {
 	int p;
@@ -173,7 +176,7 @@ static uint_fast32_t jpc_abstorelstepsize(jpc_fix_t absdelta, int scaleexpn)
 	int n;
 	if (absdelta < 0) {
 -		abort();
 +		return UINT_FAST32_MAX;
 	}
 	p = jpc_firstone(absdelta) - JPC_FIX_FRACBITS;
@@ -179,8 +182,10 @@ static uint_fast32_t jpc_abstorelstepsize(jpc_fix_t absdelta, int scaleexpn)
 	mant = ((n < 0) ? (absdelta >> (-n)) : (absdelta << n)) & 0x7ff;
 	expn = scaleexpn - p;
 	if (scaleexpn < p) {
 -		abort();
 +		return UINT_FAST32_MAX;
 	}
 +	if (expn >= 0x1f)
 +		return UINT_FAST32_MAX;
 	return JPC_QCX_EXPN(expn) | JPC_QCX_MANT(mant);
 }
@@ -991,9 +996,12 @@ startoff = jas_stream_getrwcount(enc->out);
 			} else {
 				absstepsize = jpc_inttofix(1);
 			}	
 -			cp->ccps[cmptno].stepsizes[bandno] =
 +			const uint_fast32_t stepsize =
 			  jpc_abstorelstepsize(absstepsize,
 			  cp->ccps[cmptno].prec + analgain);
 +			if (stepsize == UINT_FAST32_MAX)
 +				return -1;
 +			cp->ccps[cmptno].stepsizes[bandno] = stepsize;
 		}
 		cp->ccps[cmptno].numstepsizes = numbands;
 	}
@@ -1234,9 +1242,12 @@ jas_eprintf("%d %d mag=%d actual=%d numgbits=%d\n", cp->ccps[cmptno].prec, band-
 					} else {
 						band->absstepsize = jpc_inttofix(1);
 					}
 -					band->stepsize = jpc_abstorelstepsize(
 +					const uint_fast32_t stepsize = jpc_abstorelstepsize(
 					  band->absstepsize, cp->ccps[cmptno].prec +
 					  band->analgain);
 +					if (stepsize == UINT_FAST32_MAX)
 +						return -1;
 +					band->stepsize = stepsize;
 					band->numbps = cp->tccp.numgbits +
 					  JPC_QCX_GETEXPN(band->stepsize) - 1;
--- a/CVE-2021-27845.patch
+++ b/CVE-2021-27845.patch
@ -1,26 +0,0 @@
 From fd564ee3377d9fc2484c657e4f464a3fb9764d31 Mon Sep 17 00:00:00 2001
 From: Max Kellermann <max.kellermann@gmail.com>
 Date: Mon, 29 Jun 2020 13:47:09 +0200
 Subject: [PATCH] jpc_enc: validate raw_size, prevent division by zero in
 cp_create()
 Closes https://github.com/mdadams/jasper/issues/194 (part 1)
 ---
 src/libjasper/jpc/jpc_enc.c | 4 ++++
 1 file changed, 4 insertions(+)
 diff --git a/src/libjasper/jpc/jpc_enc.c b/src/libjasper/jpc/jpc_enc.c
 index d60a4471..3b6b1e81 100644
 --- a/src/libjasper/jpc/jpc_enc.c
 +++ b/src/libjasper/jpc/jpc_enc.c
@@ -428,6 +428,10 @@ static jpc_enc_cp_t *cp_create(const char *optstr, jas_image_t *image)
 	}
 	cp->rawsize = jas_image_rawsize(image);
 +	if (cp->rawsize == 0) {
 +		/* prevent division by zero in cp_create() */
 +		goto error;
 +	}
 	cp->totalsize = UINT_FAST32_MAX;
 	tcp = &cp->tcp;
--- a/backport_CVE-2023-51257.patch
+++ b/backport_CVE-2023-51257.patch
@ -0,0 +1,90 @@
 From aeef5293c978158255ad4f127089644745602f2a Mon Sep 17 00:00:00 2001
 From: Michael Adams <mdadams@ece.uvic.ca>
 Date: Thu, 14 Dec 2023 19:04:19 -0800
 Subject: [PATCH] Fixes #367.
 Fixed an integer-overflow bug in the ICC profile parsing code.
 Added another invalid image to the test set.
 ---
 data/test/bad/367-PoC.jp2    | Bin 0 -> 2916 bytes
 src/libjasper/base/jas_icc.c |  10 ++++++++++
 2 files changed, 10 insertions(+)
 create mode 100644 data/test/bad/367-PoC.jp2
 diff --git a/data/test/bad/367-PoC.jp2 b/data/test/bad/367-PoC.jp2
 new file mode 100644
 index 0000000000000000000000000000000000000000..96e73789bd0e8983367d447b5084ed739479b0bf
 GIT binary patch
 literal 2916
 zcma)84OCO-8Gdi>O~NqTsa3Gp;YF=QB`k>!NLx|<3?RcS{HVxALvr&Ymn7c&Ac`)<
 zt<`NF@u$aQtF2m@o8qRe?pTXetOwoJ8cVg4BZGCV73x;1uCB^l_I?Q@(8JkwZ|?n`
 z?|q-|eV_0BzI$%~K(R{CadELP#sa`3i>JZ0%BA5DL%5BJ!`6n~c)QIkVmm%`F>*PD
 zK>nu5DToq8Ape!o<q{+uK%K)Q8gx0_@)ebwybC1oIE;ft7-uxOUD<klF<}!fX-6OT
 zKLQdJK2(nFAI<(oZ=9KToBTk<pxtS9o9Y0lH2_k<<PtpqvQN<-Q}1yhmOp`bl86Ek
 zs|dD+aUQ`nVZ1!VDKq3EhiGL@HlrDFBjVJW5q9ecOf;aM9FugsgBR^4j?_XgIxTjA
 z4}1O}_Xy^HgLQ&;IA0R-6z<y6CD^8rx!c47!w}wQGUk^eo{9ELE>8}z&qDk+Z*6%t
 z;yD14i578jd6+MGcCD>!8RB@fo9&*$vLX9gM@`96#5h)Rpw_vB#37tZCU-8@5~d^W
 zvGIjujZqH`W<D<;aVp{@o3~&nK3(MYl@fa>&RSb;31W;xi>r)9dc=u{H;GOI$%UHf
 z1H7OkxiCK6;qvH*G|+txp@ihZ`7$i;4$To`(tRFVSwVO#lkO4AhQ>0L7W?ADA%3Gv
 z2<=7G#vByA2BHn)Ggpjaz78?QVeayda#A<M(kW(R9;s~_;w-43jKG5vYVd9X2Rs4}
 z44{J?Y+WFt#{zZ`(88maM~j_`gIctW&C`cC;W1H$H8i@9jK(ZubHW+=hd53qfl)E@
 z@Op+RW)?7+j21X%A+w0dV)D?cWuA#B(2vl`fff2uX*kYm@M317qXKf86TK;sF<g^a
 zZ8rtBeu-+LvvfxN7$-7g)a)Et0dQjlhG(Z7S*MGQZBrs1?izEd>O;lFMp*j4>MQ+J
 z+9$n+_bzF7biDM2v>VSZ$i@{ALW=58l|8f)?g&pgY7Xtl^nelXA0y9+T8EX6T2YIm
 zIWg)XmEd12xnBZJsZp!yPpZGGuBrB`4ytaC$`Oq?s!H?@`XqgZev3X$zXu$Bj&7&V
 z(jD|~>9->>$6otzl*rnL=1Xj3wqzBC^Np-E4+5LRPGx7XdF(XyNwzq`;@AXM%@(jv
 zp=WAj-Gr!r)LiVa0&6u~)v<GtC%_KnsKgHS$Q7}wq{0qpz^EgilOd%{5~F4czp-mG
 z$zC2-A<LKL$+Cfy&5>zkYFQD%!%v><DfDUao*z*kesUs=Q8VC2u&^qTILgqjBYTyM
 z_MvV8b@Lv64SqWSa-FUQ(QdVQIE_k`!DZv8jOPj+rnFSfC<t80<>o}*&5J(XoCf4O
 zNX7x&GlafxRD2+6^L!s*!58?>x)QZjdI4J9015M>wiJ9PPJRvGRJzG4`oi&mqTUB^
 zTjps(eM*so@1~w$@E*Re<l6xrZ3_km4+MjcUdQ;|0OthcO*ff&3ozjk_==VwqVST0
 z5RE7nwR6}`#Mbl#2mdCQgz(6p0#k5l@COji82&Rr9N}YhpOI5k<QFu60!b7lWiWTJ
 z3T8~NPx5_^XPXnBHpgGB#dw<aG@kj(I`K3H&G2oYmKbY|X0Othk)}aI6&kQtY;52~
 zWue33e3}!S)@seVJYMh^m3b-d)n22>o0YsMI>p)F4V#NoY8pJed-nQNZWzWY)mlxO
 zDwX3h(=_~Cl_oaW4CGG`NXmf<?l>nI4}O2(szTBo>&N5bImL#3`t^TVBw=>N@ZtU<
 z*C6;AW;H7f1g<76<Qg7s1lGKFOQ&!CxI?|Inxoe7?sqCJ`$(Lm4g0<vZ1=O%i>oKr
 z?@*K+erWhe72EXZ+X11sx#dA@piTd+0mXy5qd(fc`YY<ro5trCUHy)^J~91l*RQ7q
 z)2p7mkhMhp`A<)_X>ILOUi!o3(<Kx4ADmErq$H<qfiFL6jo;tfyl3#jt)7|5&BtT9
 zU!8p-|MyA0%M+Bop4tr{ZCrlvP~Xv*f7}Q(zx=|?8!3AznQ`io4?1>Nyu9!YzeJb0
 ztv%3ocYUAwev)51zPe>lQ?E%e{Jb)`^JlSzrlQ>~eepd(oA%x3f2iA(v$$~k^=y;#
 z`g5BeewJvJS|1)$)Mb1;-?#Qyf6<1j$=YXcUb(P0P`c?cW5U@cm1<|)+tUU!=T`cP
 zSN6Bu+H&`eU%a$&<C&*_vSEiWeNFE=NqupPP;~oW9dVD?*6R5E8Kp-ub??5qdwYD!
 z*1BaKD~@-zmd#jMw)K_oWo=eJXiK?1XQ#Ta?XxfbnX5kk<ALT*T^3ayKajlYu`DeX
 zy6yb>o5$}@h79*!m8~J6VDq704t(|cnZyU{3ckKsk^Ih0?sEF9qaPH!b^edCEnlZz
 zZmc?cg6*Pn3tA@}JG}q>Tc<bQfyKR7FU411IKHhu=DAsW<$T8{bFa4z6eT-LUn$J<
 z9e$xq&89wHaqn8DBGG!|Jzev_Yx8!^-yBRhnVa8qsziQg=gQ7qC-(gAlZ5`?1iStN
 DxIx@F
 literal 0
 HcmV?d00001
 diff --git a/src/libjasper/base/jas_icc.c b/src/libjasper/base/jas_icc.c
 index f3ffcef..eb25929 100644
 --- a/src/libjasper/base/jas_icc.c
 +++ b/src/libjasper/base/jas_icc.c
@@ -1324,12 +1324,22 @@ static int jas_icctxt_input(jas_iccattrval_t *attrval, jas_stream_t *in,
 {
 	jas_icctxt_t *txt = &attrval->data.txt;
 	txt->string = 0;
 +	/* The string must at least contain a single null character. */
 +	if (cnt < 1) {
 +		goto error;
 +	}
 	if (!(txt->string = jas_malloc(cnt))) {
 		goto error;
 	}
 	if (jas_stream_read(in, txt->string, cnt) != cnt) {
 		goto error;
 	}
 +	/* Ensure that the string is null terminated. */
 +	if (txt->string[cnt - 1] != '\0') {
 +		goto error;
 +	}
 +	/* The following line is redundant, unless we do not enforce that
 +	  the last character must be null. */
 	txt->string[cnt - 1] = '\0';
 	if (strlen(txt->string) + 1 != cnt) {
 		goto error;
 -- 
 2.40.1
--- a/backport_CVE-2024-31744.patch
+++ b/backport_CVE-2024-31744.patch
@ -0,0 +1,43 @@
 From 6d084c53a77762f41bb5310713a5f1872fef55f5 Mon Sep 17 00:00:00 2001
 From: Michael Adams <mdadams@ece.uvic.ca>
 Date: Sun, 28 Apr 2024 10:43:08 +0800
 Subject: [PATCH] Fixes #381.
 Added a missing check to the jpc_dec_process_sod function of the JPC codec.
 Added another image to the test set.
 ---
 data/test/bad/318.jpc       | Bin 0 -> 320 bytes
 src/libjasper/jpc/jpc_dec.c |   4 +++-
 2 files changed, 3 insertions(+), 1 deletion(-)
 create mode 100644 data/test/bad/318.jpc
 diff --git a/data/test/bad/318.jpc b/data/test/bad/318.jpc
 new file mode 100644
 index 0000000000000000000000000000000000000000..8446ccb36b5a6ab04b1d7621ff2f9ae9980cd047
 GIT binary patch
 literal 320
 zcmezG|38pHp8*88fLIdDf)F4+2txoPJ0leRPhj8yiLw6w_lAM-e+&b!gM)`h00jL{
 zXHbRe08yxBFeA(e0-M3ez|6veX+{dr3`Xao)Wnk16osTpg*X41fXW!aR`GdwxI?Xq
 z11d`bD=P#m^Djt!=M|9Ru27a*RGgWgr(mRKqG#}b0@N33K#L~dhdB<YIL|A<6{@%g
 ySuqm>1LGZ#;^SAiPO>wqbm$)~zU%$&Nbbcrw#w=D+^b5y{E|Ib&pabRX%_&AicE?C
 literal 0
 HcmV?d00001
 diff --git a/src/libjasper/jpc/jpc_dec.c b/src/libjasper/jpc/jpc_dec.c
 index e76aa40..125a29b 100644
 --- a/src/libjasper/jpc/jpc_dec.c
 +++ b/src/libjasper/jpc/jpc_dec.c
@@ -611,7 +611,9 @@ static int jpc_dec_process_sod(jpc_dec_t *dec, jpc_ms_t *ms)
 	if (dec->pkthdrstreams) {
 		/* Get the stream containing the packet header data for this
 		  tile-part. */
 -		if (!(tile->pkthdrstream = jpc_streamlist_remove(dec->pkthdrstreams, 0))) {
 +		if (jpc_streamlist_numstreams(dec->pkthdrstreams) != 0 &&
 +		  !(tile->pkthdrstream = jpc_streamlist_remove(dec->pkthdrstreams,
 +		  0))) {
 			return -1;
 		}
 	}
 -- 
 2.23.0
--- a/jasper-2.0.14-CVE-2016-9396.patch
+++ b/jasper-2.0.14-CVE-2016-9396.patch
@ -1,13 +0,0 @@
 diff -urNp old/src/libjasper/jpc/jpc_cs.c new/src/libjasper/jpc/jpc_cs.c
 --- old/src/libjasper/jpc/jpc_cs.c	2018-05-30 09:01:54.160406645 +0200
 +++ new/src/libjasper/jpc/jpc_cs.c	2018-05-30 09:05:24.527094308 +0200
@@ -795,6 +795,9 @@ static int jpc_cox_getcompparms(jpc_ms_t
 	if (compparms->numdlvls > 32) {
 		goto error;
 	}
 +	if (compparms->qmfbid != JPC_COX_INS &&
 +	    compparms->qmfbid != JPC_COX_RFT)
 +		goto error;
 	compparms->numrlvls = compparms->numdlvls + 1;
 	if (compparms->numrlvls > JPC_MAXRLVLS) {
 		goto error;
--- a/jasper-2.0.14-rpath.patch
+++ b/jasper-2.0.14-rpath.patch
@ -1,12 +0,0 @@
 diff -up jasper-2.0.14/CMakeLists.txt.rpath jasper-2.0.14/CMakeLists.txt
 --- jasper-2.0.14/CMakeLists.txt.rpath	2017-09-14 18:20:10.000000000 -0500
 +++ jasper-2.0.14/CMakeLists.txt	2018-07-19 09:48:53.035815377 -0500
@@ -347,7 +347,7 @@ if (JAS_ENABLE_SHARED)
 	# (but later on when installing)
 	set(CMAKE_BUILD_WITH_INSTALL_RPATH FALSE) 
 -	set(CMAKE_INSTALL_RPATH "${CMAKE_INSTALL_PREFIX}/lib")
 +	#set(CMAKE_INSTALL_RPATH "${CMAKE_INSTALL_PREFIX}/lib")
 	# add the automatically determined parts of the RPATH
 	# which point to directories outside the build tree to the install RPATH
--- a/jasper-2.0.14.tar.gz
+++ b/jasper-2.0.14.tar.gz
--- a/jasper-4.1.0-rpath.patch
+++ b/jasper-4.1.0-rpath.patch
@ -0,0 +1,12 @@
 diff -urNp a/CMakeLists.txt b/CMakeLists.txt
 --- a/CMakeLists.txt	2023-11-08 10:45:01.610146140 +0100
 +++ b/CMakeLists.txt	2023-11-08 10:46:18.131824994 +0100
@@ -804,7 +804,7 @@ if(JAS_ENABLE_SHARED)
 	# (but later on when installing)
 	set(CMAKE_BUILD_WITH_INSTALL_RPATH FALSE)
 -	set(CMAKE_INSTALL_RPATH "${CMAKE_INSTALL_PREFIX}/lib")
 +	#set(CMAKE_INSTALL_RPATH "${CMAKE_INSTALL_PREFIX}/lib")
 	# add the automatically determined parts of the RPATH
 	# which point to directories outside the build tree to the install RPATH
--- a/jasper.spec
+++ b/jasper.spec
@ -1,27 +1,17 @@
 Name:                jasper
-Version:             2.0.14
+Version:             4.1.0
-Release:             10
+Release:             4
 Summary:             Reference implementation of the codec specified in the JPEG-2000 standard, Part 1
-License:             JasPer
+License:             JasPer-2.0
 URL:                 http://www.ece.uvic.ca/~frodo/jasper/
-Source0:             http://www.ece.uvic.ca/~frodo/jasper/software/jasper-%{version}.tar.gz
+Source0:             https://github.com/jasper-software/%{name}/archive/refs/tags/version-%{version}.tar.gz
-Patch0001:           jasper-2.0.14-CVE-2016-9396.patch
+Patch0001:           jasper-4.1.0-rpath.patch
-Patch0002:           jasper-2.0.14-rpath.patch
+Patch0002:           backport_CVE-2023-51257.patch
-Patch0003:           CVE-2018-9055.patch
+Patch0003:           backport_CVE-2024-31744.patch
 Patch0004:           CVE-2018-9154.patch
 Patch0005:           CVE-2018-9252.patch
 Patch0006:           CVE-2018-18873.patch
 Patch0007:           CVE-2018-19139.patch
 Patch0008:           CVE-2018-19539.patch
 Patch0009:           CVE-2018-19540.patch
 Patch0010:           CVE-2018-19541.patch
 Patch0011:           CVE-2018-20570.patch
 Patch0012:           CVE-2018-20622.patch
 Patch0013:           CVE-2021-27845.patch
 BuildRequires:       cmake freeglut-devel libGLU-devel libjpeg-devel libXmu-devel libXi-devel
-BuildRequires:       pkgconfig doxygen mesa-libGL-devel
+BuildRequires:       pkgconfig doxygen mesa-libGL-devel git
 Provides:            jasper-libs = %{version}-%{release}
 Obsoletes:           jasper-libs < %{version}-%{release}
@ -53,7 +43,7 @@ Summary:             Help documents for jasper
 Help documents for jasper.
 %prep
-%autosetup -n %{name}-%{version} -p1 -S git
+%autosetup -n  %{name}-version-%{version} -p1 -S git
 %build
 install -d builder
@ -76,28 +66,42 @@ make test -C builder
 /sbin/ldconfig
 %files
-%doc COPYRIGHT LICENSE
+%doc COPYRIGHT.txt LICENSE.txt
 %{_bindir}/imgcmp
 %{_bindir}/imginfo
 %{_bindir}/jasper
 %{_docdir}/JasPer/*
-%{_libdir}/libjasper.so.4*
+%{_libdir}/libjasper.so.7*
 %files devel
 %doc doc/*
 %{_includedir}/jasper/
 %{_libdir}/pkgconfig/jasper.pc
 %{_libdir}/libjasper.so
 %exclude %{_docdir}/README
 %files utils
 %{_bindir}/jiv
 %files help
 %{_mandir}/man1/*
-%doc README
+%doc README.md
 %changelog
 * Sun Apr 28 2024 cenhuilin <cenhuilin@kylinos.cn> - 4.1.0-4
 - fix CVE-2024-31744
 * Wed Mar 27 2024 panchenbo <panchenbo@kylinsec.com.cn> - 4.1.0-3
 - fix rpmbuild build error : add BuildRequires: git
 * Mon Mar 25 2024 licihua <licihua@huawei.com> - 4.1.0-2
 - Fix CVE-2023-51257
 * Wed Feb 7 2024 Dongxing Wang <dongxing.wang_a@thundersoft.com> - 4.1.0-1
 - Upgrade to version 4.1.0
 * Mon Feb 5 2024 Dongxing Wang <dongxing.wang_a@thundersoft.com> - 2.0.14-11
 - Fix obs compile failure
 * Wed Sep 8 2021 liwu <liwu13@huawei.com> - 2.0.14-10
 - fix CVE-2021-27845
--- a/version-4.1.0.tar.gz
+++ b/version-4.1.0.tar.gz
Author	SHA1	Message	Date
openeuler-ci-bot	b9e4608aa9	!18 [sync] PR-17: fix CVE-2024-31744 From: @openeuler-sync-bot Reviewed-by: @dillon_chen Signed-off-by: @dillon_chen	2024-04-28 05:39:57 +00:00
cenhuilin	93286572ff	fix CVE-2024-31744 (cherry picked from commit 3503859d50c1fd22b72b549c6984b586d8cfa753)	2024-04-28 12:04:43 +08:00
openeuler-ci-bot	a338365797	!15 fix rpmbuild build error : add BuildRequires: git From: @panchenbo Reviewed-by: @desert-sailor Signed-off-by: @desert-sailor	2024-03-27 07:46:43 +00:00
panchenbo	021fe72dcc	fix rpmbuild build error : add BuildRequires: git	2024-03-27 15:23:29 +08:00
openeuler-ci-bot	92d3be3f30	!13 fix CVE-2023-51257 From: @licihua Reviewed-by: @overweight Signed-off-by: @overweight	2024-03-25 11:22:04 +00:00
licihua	b9e62da295	fix CVE-2023-51257	2024-03-25 16:42:33 +08:00
openeuler-ci-bot	129790d06b	!11 Upgrade package with versio 4.1.0 From: @desert-sailor Reviewed-by: @dillon_chen Signed-off-by: @dillon_chen	2024-02-08 02:54:09 +00:00
desert-sailor	c472949009	Init package with versio 4.1.0	2024-02-07 17:25:29 +08:00
openeuler-ci-bot	d650143d1d	!10 Fix obs compile failure From: @desert-sailor Reviewed-by: @dillon_chen Signed-off-by: @dillon_chen	2024-02-07 06:29:15 +00:00
desert-sailor	5147093907	Fix obs compile failure	2024-02-06 17:04:13 +08:00