!18 [sync] PR-17: fix CVE-2024-31744

From: @openeuler-sync-bot Reviewed-by: @dillon_chen Signed-off-by: @dillon_chen
fix CVE-2024-31744
2024-04-28 05:39:57 +00:00 · 2024-04-28 12:04:43 +08:00 · 2024-03-27 07:46:43 +00:00 · 2024-03-27 15:23:29 +08:00 · 2024-03-25 11:22:04 +00:00 · 2024-03-25 16:42:33 +08:00
19 changed files with 172 additions and 485 deletions
--- a/CVE-2018-18873.patch
+++ b/CVE-2018-18873.patch
@ -1,30 +0,0 @@
-From 12db8078ba17a8ffc5cc2429fb506988f0f11b44 Mon Sep 17 00:00:00 2001
-From: Max Kellermann <max.kellermann@gmail.com>
-Date: Sun, 28 Jun 2020 13:25:12 +0200
-Subject: [PATCH] ras_enc: check components for RGB, fixes NULL pointer
- dereference
-
-Fixes CVE-2018-18873
-
-Closes https://github.com/jasper-maint/jasper/issues/15
-Closes https://github.com/mdadams/jasper/issues/184
---
- src/libjasper/ras/ras_enc.c | 5 +++++
- 1 file changed, 5 insertions(+)
-
-diff --git a/src/libjasper/ras/ras_enc.c b/src/libjasper/ras/ras_enc.c
-index 85ff9a3..dc4f151 100644
--- a/src/libjasper/ras/ras_enc.c
-+++ b/src/libjasper/ras/ras_enc.c
-@@ -232,6 +232,11 @@ static int ras_putdatastd(jas_stream_t *out, ras_hdr_t *hdr, jas_image_t *image,
- 
- 	assert(numcmpts <= 3);
- 
-+	if (RAS_ISRGB(hdr) && numcmpts < 3) {
-+		/* need 3 components for RGB */
-+		return -1;
-+	}
-+
- 	for (i = 0; i < 3; ++i) {
- 		data[i] = 0;
- 	}
--- a/CVE-2018-19139.patch
+++ b/CVE-2018-19139.patch
@ -1,28 +0,0 @@
-From 708871879b86443c28bcb5505d3fd04e8384f8aa Mon Sep 17 00:00:00 2001
-From: Max Kellermann <max.kellermann@gmail.com>
-Date: Wed, 24 Jun 2020 21:09:02 +0200
-Subject: [PATCH] jpc_cs: register jpc_unk_destroyparms() in all unknown
- segments
-
-Fixes CVE-2018-19139 (memory leak)
-
-Closes https://github.com/jasper-maint/jasper/issues/14
---
- src/libjasper/jpc/jpc_cs.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/src/libjasper/jpc/jpc_cs.c b/src/libjasper/jpc/jpc_cs.c
-index 8a2e0ab..6c61d44 100644
--- a/src/libjasper/jpc/jpc_cs.c
-+++ b/src/libjasper/jpc/jpc_cs.c
-@@ -190,8 +190,8 @@ static const jpc_mstabent_t jpc_mstab[] = {
- 	  jpc_qcc_putparms, jpc_qcc_dumpparms}},
- 	{JPC_MS_POC, "POC", {jpc_poc_destroyparms, jpc_poc_getparms,
- 	  jpc_poc_putparms, jpc_poc_dumpparms}},
-	{JPC_MS_TLM, "TLM", {0, jpc_unk_getparms, jpc_unk_putparms, 0}},
-	{JPC_MS_PLM, "PLM", {0, jpc_unk_getparms, jpc_unk_putparms, 0}},
-+	{JPC_MS_TLM, "TLM", {jpc_unk_destroyparms, jpc_unk_getparms, jpc_unk_putparms, 0}},
-+	{JPC_MS_PLM, "PLM", {jpc_unk_destroyparms, jpc_unk_getparms, jpc_unk_putparms, 0}},
- 	{JPC_MS_PPM, "PPM", {jpc_ppm_destroyparms, jpc_ppm_getparms,
- 	  jpc_ppm_putparms, jpc_ppm_dumpparms}},
- 	{JPC_MS_PPT, "PPT", {jpc_ppt_destroyparms, jpc_ppt_getparms,
--- a/CVE-2018-19539.patch
+++ b/CVE-2018-19539.patch
@ -1,14 +0,0 @@
-diff --git a/jasper-2.0.14/src/libjasper/base/jas_image.c b/jasper-2.0.14-edit/src/libjasper/base/jas_image.c
-index e71b86a..6aafc3a 100644
--- a/src/libjasper/base/jas_image.c
-+++ b/src/libjasper/base/jas_image.c
-@@ -553,6 +553,9 @@ int jas_image_writecmpt(jas_image_t *image, int cmptno, jas_image_coord_t x,
- 	  image, cmptno, JAS_CAST(long, x), JAS_CAST(long, y),
- 	  JAS_CAST(long, width), JAS_CAST(long, height), data));
- 
-+        if(data == NULL)
-+		return -1;
-+
- 	if (cmptno < 0 || cmptno >= image->numcmpts_) {
- 		return -1;
- 	}
--- a/CVE-2018-19540.patch
+++ b/CVE-2018-19540.patch
@ -1,13 +0,0 @@
-diff --git a/jasper-2.0.14/src/libjasper/base/jas_icc.c b/jasper-2.0.14-edit/src/libjasper/base/jas_icc.c
-index 4607930..762c0e8 100644
--- a/src/libjasper/base/jas_icc.c
-+++ b/src/libjasper/base/jas_icc.c
-@@ -1104,6 +1104,8 @@ static int jas_icctxtdesc_input(jas_iccattrval_t *attrval, jas_stream_t *in,
- 	if (jas_stream_read(in, txtdesc->ascdata, txtdesc->asclen) !=
- 	  JAS_CAST(int, txtdesc->asclen))
- 		goto error;
-+	if (txtdesc->asclen < 1)
-+		goto error;
- 	txtdesc->ascdata[txtdesc->asclen - 1] = '\0';
- 	if (jas_iccgetuint32(in, &txtdesc->uclangcode) ||
- 	  jas_iccgetuint32(in, &txtdesc->uclen))
--- a/CVE-2018-19541.patch
+++ b/CVE-2018-19541.patch
@ -1,14 +0,0 @@
-diff --git a/jasper-2.0.14/src/libjasper/base/jas_image.c b/jasper-2.0.14-edit/src/libjasper/base/jas_image.c
-index 6aafc3a..31ddb4b 100644
--- a/src/libjasper/base/jas_image.c
-+++ b/src/libjasper/base/jas_image.c
-@@ -978,6 +978,9 @@ int jas_image_depalettize(jas_image_t *image, int cmptno, int numlutents,
- 	cmptparms.prec = JAS_IMAGE_CDT_GETPREC(dtype);
- 	cmptparms.sgnd = JAS_IMAGE_CDT_GETSGND(dtype);
- 
-+	if (numlutents < 1) {
-+		return -1;
-+	}
- 	if (jas_image_addcmpt(image, newcmptno, &cmptparms)) {
- 		return -1;
- 	}
--- a/CVE-2018-20570.patch
+++ b/CVE-2018-20570.patch
@ -1,47 +0,0 @@
-From 03db7c81f6a8a92d896249bc673877749987fd7a Mon Sep 17 00:00:00 2001
-From: Max Kellermann <max.kellermann@gmail.com>
-Date: Wed, 24 Jun 2020 21:26:10 +0200
-Subject: [PATCH] jp2_enc: check number of components before dereferencing them
-
-Fixes CVE-2018-20570
-
-Closes https://github.com/jasper-maint/jasper/issues/11
-Closes https://github.com/mdadams/jasper/issues/191
---
- src/libjasper/jp2/jp2_enc.c | 9 ++++++---
- 1 file changed, 6 insertions(+), 3 deletions(-)
-
-diff --git a/src/libjasper/jp2/jp2_enc.c b/src/libjasper/jp2/jp2_enc.c
-index fd39a84..1b44c18 100644
--- a/src/libjasper/jp2/jp2_enc.c
-+++ b/src/libjasper/jp2/jp2_enc.c
-@@ -293,7 +293,8 @@ int jp2_encode(jas_image_t *image, jas_stream_t *out, const char *optstr)
- 	needcdef = 1;
- 	switch (jas_clrspc_fam(jas_image_clrspc(image))) {
- 	case JAS_CLRSPC_FAM_RGB:
-		if (jas_image_cmpttype(image, 0) ==
-+		if (jas_image_numcmpts(image) >= 3 &&
-+		  jas_image_cmpttype(image, 0) ==
- 		  JAS_IMAGE_CT_COLOR(JAS_CLRSPC_CHANIND_RGB_R) &&
- 		  jas_image_cmpttype(image, 1) ==
- 		  JAS_IMAGE_CT_COLOR(JAS_CLRSPC_CHANIND_RGB_G) &&
-@@ -302,7 +303,8 @@ int jp2_encode(jas_image_t *image, jas_stream_t *out, const char *optstr)
- 			needcdef = 0;
- 		break;
- 	case JAS_CLRSPC_FAM_YCBCR:
-		if (jas_image_cmpttype(image, 0) ==
-+		if (jas_image_numcmpts(image) >= 3 &&
-+		  jas_image_cmpttype(image, 0) ==
- 		  JAS_IMAGE_CT_COLOR(JAS_CLRSPC_CHANIND_YCBCR_Y) &&
- 		  jas_image_cmpttype(image, 1) ==
- 		  JAS_IMAGE_CT_COLOR(JAS_CLRSPC_CHANIND_YCBCR_CB) &&
-@@ -311,7 +313,8 @@ int jp2_encode(jas_image_t *image, jas_stream_t *out, const char *optstr)
- 			needcdef = 0;
- 		break;
- 	case JAS_CLRSPC_FAM_GRAY:
-		if (jas_image_cmpttype(image, 0) ==
-+		if (jas_image_numcmpts(image) >= 1 &&
-+		  jas_image_cmpttype(image, 0) ==
- 		  JAS_IMAGE_CT_COLOR(JAS_IMAGE_CT_GRAY_Y))
- 			needcdef = 0;
- 		break;
--- a/CVE-2018-20622.patch
+++ b/CVE-2018-20622.patch
@ -1,86 +0,0 @@
-From aa8516b28344aa1263ee538bb7366c4679a0e1a5 Mon Sep 17 00:00:00 2001
-From: Max Kellermann <max.kellermann@gmail.com>
-Date: Wed, 24 Jun 2020 21:41:24 +0200
-Subject: [PATCH] jpc_t2dec: fix various memory leaks in jpc_dec_decodepkt()
-
-Fixes CVE-2018-20622
-
-Closes https://github.com/jasper-maint/jasper/issues/12
-Closes https://github.com/mdadams/jasper/issues/193
---
- src/libjasper/jpc/jpc_t2dec.c | 9 +++++++++
- 1 file changed, 9 insertions(+)
-
-diff --git a/src/libjasper/jpc/jpc_t2dec.c b/src/libjasper/jpc/jpc_t2dec.c
-index 81d1f61..e88ccb6 100644
--- a/src/libjasper/jpc/jpc_t2dec.c
-+++ b/src/libjasper/jpc/jpc_t2dec.c
-@@ -225,6 +225,7 @@ hdroffstart = jas_stream_getrwcount(pkthdrstream);
- 	}
- 
- 	if ((present = jpc_bitstream_getbit(inb)) < 0) {
-+		jpc_bitstream_close(inb);
- 		return 1;
- 	}
- 	JAS_DBGLOG(10, ("\n", present));
-@@ -252,10 +253,12 @@ hdroffstart = jas_stream_getrwcount(pkthdrstream);
- 				if (!cblk->numpasses) {
- 					leaf = jpc_tagtree_getleaf(prc->incltagtree, usedcblkcnt - 1);
- 					if ((included = jpc_tagtree_decode(prc->incltagtree, leaf, lyrno + 1, inb)) < 0) {
-+						jpc_bitstream_close(inb);
- 						return -1;
- 					}
- 				} else {
- 					if ((included = jpc_bitstream_getbit(inb)) < 0) {
-+						jpc_bitstream_close(inb);
- 						return -1;
- 					}
- 				}
-@@ -269,6 +272,7 @@ hdroffstart = jas_stream_getrwcount(pkthdrstream);
- 					leaf = jpc_tagtree_getleaf(prc->numimsbstagtree, usedcblkcnt - 1);
- 					for (;;) {
- 						if ((ret = jpc_tagtree_decode(prc->numimsbstagtree, leaf, i, inb)) < 0) {
-+							jpc_bitstream_close(inb);
- 							return -1;
- 						}
- 						if (ret) {
-@@ -280,6 +284,7 @@ hdroffstart = jas_stream_getrwcount(pkthdrstream);
- 					cblk->firstpassno = cblk->numimsbs * 3;
- 				}
- 				if ((numnewpasses = jpc_getnumnewpasses(inb)) < 0) {
-+					jpc_bitstream_close(inb);
- 					return -1;
- 				}
- 				JAS_DBGLOG(10, ("numnewpasses=%d ", numnewpasses));
-@@ -288,6 +293,7 @@ hdroffstart = jas_stream_getrwcount(pkthdrstream);
- 				mycounter = 0;
- 				if (numnewpasses > 0) {
- 					if ((m = jpc_getcommacode(inb)) < 0) {
-+						jpc_bitstream_close(inb);
- 						return -1;
- 					}
- 					cblk->numlenbits += m;
-@@ -298,6 +304,7 @@ hdroffstart = jas_stream_getrwcount(pkthdrstream);
- 						maxpasses = JPC_SEGPASSCNT(passno, cblk->firstpassno, 10000, (ccp->cblkctx & JPC_COX_LAZY) != 0, (ccp->cblkctx & JPC_COX_TERMALL) != 0);
- 						if (!discard && !seg) {
- 							if (!(seg = jpc_seg_alloc())) {
-+								jpc_bitstream_close(inb);
- 								return -1;
- 							}
- 							jpc_seglist_insert(&cblk->segs, cblk->segs.tail, seg);
-@@ -312,6 +319,7 @@ hdroffstart = jas_stream_getrwcount(pkthdrstream);
- 						mycounter += n;
- 						numnewpasses -= n;
- 						if ((len = jpc_bitstream_getbits(inb, cblk->numlenbits + jpc_floorlog2(n))) < 0) {
-+							jpc_bitstream_close(inb);
- 							return -1;
- 						}
- 						JAS_DBGLOG(10, ("len=%d ", len));
-@@ -333,6 +341,7 @@ hdroffstart = jas_stream_getrwcount(pkthdrstream);
- 	} else {
- 		if (jpc_bitstream_inalign(inb, 0x7f, 0)) {
- 			jas_eprintf("alignment failed\n");
-+			jpc_bitstream_close(inb);
- 			return -1;
- 		}
- 	}
--- a/CVE-2018-9055.patch
+++ b/CVE-2018-9055.patch
@ -1,63 +0,0 @@
-From d4358fb62a01bd542146a1d25b8f6fd2a0b210fe Mon Sep 17 00:00:00 2001
-From: Michael Vetter <jubalh@iodoru.org>
-Date: Mon, 25 Mar 2019 12:20:26 +0100
-Subject: [PATCH] Fix integer width in jpc_math
-
-Fix denial of service via a reachable assertion in the function jpc_firstone in libjasper/jpc/jpc_math.c.
-
-Assigned CVE-2018-9055.
-Fixes https://github.com/mdadams/jasper/issues/172.
-
-Fix by Fridrich Strba <FStrba@suse.com>.
---
- src/libjasper/jpc/jpc_math.c | 4 ++--
- src/libjasper/jpc/jpc_math.h | 5 +++--
- 2 files changed, 5 insertions(+), 4 deletions(-)
-
-diff --git a/src/libjasper/jpc/jpc_math.c b/src/libjasper/jpc/jpc_math.c
-index 2b70844..1b18880 100644
--- a/src/libjasper/jpc/jpc_math.c
-+++ b/src/libjasper/jpc/jpc_math.c
-@@ -86,7 +86,7 @@
- 
- /* Calculate the integer quantity floor(log2(x)), where x is a positive
-   integer. */
-int jpc_floorlog2(int x)
-+int jpc_floorlog2(int_fast32_t x)
- {
- 	int y;
- 
-@@ -105,7 +105,7 @@ int jpc_floorlog2(int x)
-   integer. */
- /* This function is the basically the same as ceillog2(x), except that the
-   allowable range for x is slightly different. */
-int jpc_firstone(int x)
-+int jpc_firstone(int_fast32_t x)
- {
- 	int n;
- 
-diff --git a/src/libjasper/jpc/jpc_math.h b/src/libjasper/jpc/jpc_math.h
-index e8e0978..bd80d51 100644
--- a/src/libjasper/jpc/jpc_math.h
-+++ b/src/libjasper/jpc/jpc_math.h
-@@ -67,6 +67,7 @@
- \******************************************************************************/
- 
- #include	<assert.h>
-+#include	<stdint.h>
- 
- /******************************************************************************\
- * Macros
-@@ -90,10 +91,10 @@
- 
- /* Calculate the bit position of the first leading one in a nonnegative
-   integer. */
-int jpc_firstone(int x);
-+int jpc_firstone(int_fast32_t x);
- 
- /* Calculate the integer quantity floor(log2(x)), where x is a positive
-   integer. */
-int jpc_floorlog2(int x);
-+int jpc_floorlog2(int_fast32_t x);
- 
- #endif
--- a/CVE-2018-9154.patch
+++ b/CVE-2018-9154.patch
@ -1,40 +0,0 @@
-From fcbabdaaba217124c92dc29472596146756b968e Mon Sep 17 00:00:00 2001
-From: Michael Vetter <jubalh@iodoru.org>
-Date: Tue, 17 Mar 2020 13:32:11 +0100
-Subject: [PATCH] Use return in jpc_dec_process_sot() instead of abort
-
-We don't need to and should not abort here.
-
-Fix CVE-2018-9154.
-Fix https://github.com/mdadams/jasper/issues/215
-Fix https://github.com/mdadams/jasper/issues/166
-Fix https://github.com/mdadams/jasper/issues/175
-
-See: https://github.com/mdadams/jasper/pull/216
-Fix https://github.com/jasper-maint/jasper/issues/8
---
- src/libjasper/jpc/jpc_dec.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/src/libjasper/jpc/jpc_dec.c b/src/libjasper/jpc/jpc_dec.c
-index 6d40786..817009e 100644
--- a/src/libjasper/jpc/jpc_dec.c
-+++ b/src/libjasper/jpc/jpc_dec.c
-@@ -485,7 +485,7 @@ static int jpc_dec_process_sot(jpc_dec_t *dec, jpc_ms_t *ms)
- 
- 		if (!(compinfos = jas_alloc2(dec->numcomps,
- 		  sizeof(jas_image_cmptparm_t)))) {
-			abort();
-+			return -1;
- 		}
- 		for (cmptno = 0, cmpt = dec->cmpts, compinfo = compinfos;
- 		  cmptno < dec->numcomps; ++cmptno, ++cmpt, ++compinfo) {
-@@ -512,7 +512,7 @@ static int jpc_dec_process_sot(jpc_dec_t *dec, jpc_ms_t *ms)
- 			/* Convert the PPM marker segment data into a collection of streams
- 			  (one stream per tile-part). */
- 			if (!(dec->pkthdrstreams = jpc_ppmstabtostreams(dec->ppmstab))) {
-				abort();
-+				return -1;
- 			}
- 			jpc_ppxstab_destroy(dec->ppmstab);
- 			dec->ppmstab = 0;
--- a/CVE-2018-9252.patch
+++ b/CVE-2018-9252.patch
@ -1,76 +0,0 @@
-From 6cd1e1d8aff56d0d86d4e7d1e7e3e4dd1c64b55d Mon Sep 17 00:00:00 2001
-From: Max Kellermann <max.kellermann@gmail.com>
-Date: Wed, 24 Jun 2020 19:01:35 +0200
-Subject: [PATCH] jpc_enc: jpc_abstorelstepsize() returns error instead of
- aborting
-
-Fixes CVE-2018-9252
-
-Closes https://github.com/jasper-maint/jasper/issues/16
---
- src/libjasper/jpc/jpc_enc.c | 19 +++++++++++++++----
- 1 file changed, 15 insertions(+), 4 deletions(-)
-
-diff --git a/src/libjasper/jpc/jpc_enc.c b/src/libjasper/jpc/jpc_enc.c
-index a779645..b11a450 100644
--- a/src/libjasper/jpc/jpc_enc.c
-+++ b/src/libjasper/jpc/jpc_enc.c
-@@ -165,6 +165,9 @@ static jpc_enc_cp_t *cp_create(const char *optstr, jas_image_t *image);
- void jpc_enc_cp_destroy(jpc_enc_cp_t *cp);
- static uint_fast32_t jpc_abstorelstepsize(jpc_fix_t absdelta, int scaleexpn);
- 
-+/**
-+ * @return UINT_FAST32_MAX on error
-+ */
- static uint_fast32_t jpc_abstorelstepsize(jpc_fix_t absdelta, int scaleexpn)
- {
- 	int p;
-@@ -173,7 +176,7 @@ static uint_fast32_t jpc_abstorelstepsize(jpc_fix_t absdelta, int scaleexpn)
- 	int n;
- 
- 	if (absdelta < 0) {
-		abort();
-+		return UINT_FAST32_MAX;
- 	}
- 
- 	p = jpc_firstone(absdelta) - JPC_FIX_FRACBITS;
-@@ -179,8 +182,10 @@ static uint_fast32_t jpc_abstorelstepsize(jpc_fix_t absdelta, int scaleexpn)
- 	mant = ((n < 0) ? (absdelta >> (-n)) : (absdelta << n)) & 0x7ff;
- 	expn = scaleexpn - p;
- 	if (scaleexpn < p) {
-		abort();
-+		return UINT_FAST32_MAX;
- 	}
-+	if (expn >= 0x1f)
-+		return UINT_FAST32_MAX;
- 	return JPC_QCX_EXPN(expn) | JPC_QCX_MANT(mant);
- }
- 
-@@ -991,9 +996,12 @@ startoff = jas_stream_getrwcount(enc->out);
- 			} else {
- 				absstepsize = jpc_inttofix(1);
- 			}	
-			cp->ccps[cmptno].stepsizes[bandno] =
-+			const uint_fast32_t stepsize =
- 			  jpc_abstorelstepsize(absstepsize,
- 			  cp->ccps[cmptno].prec + analgain);
-+			if (stepsize == UINT_FAST32_MAX)
-+				return -1;
-+			cp->ccps[cmptno].stepsizes[bandno] = stepsize;
- 		}
- 		cp->ccps[cmptno].numstepsizes = numbands;
- 	}
-@@ -1234,9 +1242,12 @@ jas_eprintf("%d %d mag=%d actual=%d numgbits=%d\n", cp->ccps[cmptno].prec, band-
- 					} else {
- 						band->absstepsize = jpc_inttofix(1);
- 					}
-					band->stepsize = jpc_abstorelstepsize(
-+					const uint_fast32_t stepsize = jpc_abstorelstepsize(
- 					  band->absstepsize, cp->ccps[cmptno].prec +
- 					  band->analgain);
-+					if (stepsize == UINT_FAST32_MAX)
-+						return -1;
-+					band->stepsize = stepsize;
- 					band->numbps = cp->tccp.numgbits +
- 					  JPC_QCX_GETEXPN(band->stepsize) - 1;
- 
--- a/CVE-2021-27845.patch
+++ b/CVE-2021-27845.patch
@ -1,26 +0,0 @@
-From fd564ee3377d9fc2484c657e4f464a3fb9764d31 Mon Sep 17 00:00:00 2001
-From: Max Kellermann <max.kellermann@gmail.com>
-Date: Mon, 29 Jun 2020 13:47:09 +0200
-Subject: [PATCH] jpc_enc: validate raw_size, prevent division by zero in
- cp_create()
-
-Closes https://github.com/mdadams/jasper/issues/194 (part 1)
---
- src/libjasper/jpc/jpc_enc.c | 4 ++++
- 1 file changed, 4 insertions(+)
-
-diff --git a/src/libjasper/jpc/jpc_enc.c b/src/libjasper/jpc/jpc_enc.c
-index d60a4471..3b6b1e81 100644
--- a/src/libjasper/jpc/jpc_enc.c
-+++ b/src/libjasper/jpc/jpc_enc.c
-@@ -428,6 +428,10 @@ static jpc_enc_cp_t *cp_create(const char *optstr, jas_image_t *image)
- 	}
- 
- 	cp->rawsize = jas_image_rawsize(image);
-+	if (cp->rawsize == 0) {
-+		/* prevent division by zero in cp_create() */
-+		goto error;
-+	}
- 	cp->totalsize = UINT_FAST32_MAX;
- 
- 	tcp = &cp->tcp;
--- a/backport_CVE-2023-51257.patch
+++ b/backport_CVE-2023-51257.patch
@ -0,0 +1,90 @@
+From aeef5293c978158255ad4f127089644745602f2a Mon Sep 17 00:00:00 2001
+From: Michael Adams <mdadams@ece.uvic.ca>
+Date: Thu, 14 Dec 2023 19:04:19 -0800
+Subject: [PATCH] Fixes #367.
+
+Fixed an integer-overflow bug in the ICC profile parsing code.
+Added another invalid image to the test set.
+---
+ data/test/bad/367-PoC.jp2    | Bin 0 -> 2916 bytes
+ src/libjasper/base/jas_icc.c |  10 ++++++++++
+ 2 files changed, 10 insertions(+)
+ create mode 100644 data/test/bad/367-PoC.jp2
+
+diff --git a/data/test/bad/367-PoC.jp2 b/data/test/bad/367-PoC.jp2
+new file mode 100644
+index 0000000000000000000000000000000000000000..96e73789bd0e8983367d447b5084ed739479b0bf
+GIT binary patch
+literal 2916
+zcma)84OCO-8Gdi>O~NqTsa3Gp;YF=QB`k>!NLx|<3?RcS{HVxALvr&Ymn7c&Ac`)<
+zt<`NF@u$aQtF2m@o8qRe?pTXetOwoJ8cVg4BZGCV73x;1uCB^l_I?Q@(8JkwZ|?n`
+z?|q-|eV_0BzI$%~K(R{CadELP#sa`3i>JZ0%BA5DL%5BJ!`6n~c)QIkVmm%`F>*PD
+zK>nu5DToq8Ape!o<q{+uK%K)Q8gx0_@)ebwybC1oIE;ft7-uxOUD<klF<}!fX-6OT
+zKLQdJK2(nFAI<(oZ=9KToBTk<pxtS9o9Y0lH2_k<<PtpqvQN<-Q}1yhmOp`bl86Ek
+zs|dD+aUQ`nVZ1!VDKq3EhiGL@HlrDFBjVJW5q9ecOf;aM9FugsgBR^4j?_XgIxTjA
+z4}1O}_Xy^HgLQ&;IA0R-6z<y6CD^8rx!c47!w}wQGUk^eo{9ELE>8}z&qDk+Z*6%t
+z;yD14i578jd6+MGcCD>!8RB@fo9&*$vLX9gM@`96#5h)Rpw_vB#37tZCU-8@5~d^W
+zvGIjujZqH`W<D<;aVp{@o3~&nK3(MYl@fa>&RSb;31W;xi>r)9dc=u{H;GOI$%UHf
+z1H7OkxiCK6;qvH*G|+txp@ihZ`7$i;4$To`(tRFVSwVO#lkO4AhQ>0L7W?ADA%3Gv
+z2<=7G#vByA2BHn)Ggpjaz78?QVeayda#A<M(kW(R9;s~_;w-43jKG5vYVd9X2Rs4}
+z44{J?Y+WFt#{zZ`(88maM~j_`gIctW&C`cC;W1H$H8i@9jK(ZubHW+=hd53qfl)E@
+z@Op+RW)?7+j21X%A+w0dV)D?cWuA#B(2vl`fff2uX*kYm@M317qXKf86TK;sF<g^a
+zZ8rtBeu-+LvvfxN7$-7g)a)Et0dQjlhG(Z7S*MGQZBrs1?izEd>O;lFMp*j4>MQ+J
+z+9$n+_bzF7biDM2v>VSZ$i@{ALW=58l|8f)?g&pgY7Xtl^nelXA0y9+T8EX6T2YIm
+zIWg)XmEd12xnBZJsZp!yPpZGGuBrB`4ytaC$`Oq?s!H?@`XqgZev3X$zXu$Bj&7&V
+z(jD|~>9->>$6otzl*rnL=1Xj3wqzBC^Np-E4+5LRPGx7XdF(XyNwzq`;@AXM%@(jv
+zp=WAj-Gr!r)LiVa0&6u~)v<GtC%_KnsKgHS$Q7}wq{0qpz^EgilOd%{5~F4czp-mG
+z$zC2-A<LKL$+Cfy&5>zkYFQD%!%v><DfDUao*z*kesUs=Q8VC2u&^qTILgqjBYTyM
+z_MvV8b@Lv64SqWSa-FUQ(QdVQIE_k`!DZv8jOPj+rnFSfC<t80<>o}*&5J(XoCf4O
+zNX7x&GlafxRD2+6^L!s*!58?>x)QZjdI4J9015M>wiJ9PPJRvGRJzG4`oi&mqTUB^
+zTjps(eM*so@1~w$@E*Re<l6xrZ3_km4+MjcUdQ;|0OthcO*ff&3ozjk_==VwqVST0
+z5RE7nwR6}`#Mbl#2mdCQgz(6p0#k5l@COji82&Rr9N}YhpOI5k<QFu60!b7lWiWTJ
+z3T8~NPx5_^XPXnBHpgGB#dw<aG@kj(I`K3H&G2oYmKbY|X0Othk)}aI6&kQtY;52~
+zWue33e3}!S)@seVJYMh^m3b-d)n22>o0YsMI>p)F4V#NoY8pJed-nQNZWzWY)mlxO
+zDwX3h(=_~Cl_oaW4CGG`NXmf<?l>nI4}O2(szTBo>&N5bImL#3`t^TVBw=>N@ZtU<
+z*C6;AW;H7f1g<76<Qg7s1lGKFOQ&!CxI?|Inxoe7?sqCJ`$(Lm4g0<vZ1=O%i>oKr
+z?@*K+erWhe72EXZ+X11sx#dA@piTd+0mXy5qd(fc`YY<ro5trCUHy)^J~91l*RQ7q
+z)2p7mkhMhp`A<)_X>ILOUi!o3(<Kx4ADmErq$H<qfiFL6jo;tfyl3#jt)7|5&BtT9
+zU!8p-|MyA0%M+Bop4tr{ZCrlvP~Xv*f7}Q(zx=|?8!3AznQ`io4?1>Nyu9!YzeJb0
+ztv%3ocYUAwev)51zPe>lQ?E%e{Jb)`^JlSzrlQ>~eepd(oA%x3f2iA(v$$~k^=y;#
+z`g5BeewJvJS|1)$)Mb1;-?#Qyf6<1j$=YXcUb(P0P`c?cW5U@cm1<|)+tUU!=T`cP
+zSN6Bu+H&`eU%a$&<C&*_vSEiWeNFE=NqupPP;~oW9dVD?*6R5E8Kp-ub??5qdwYD!
+z*1BaKD~@-zmd#jMw)K_oWo=eJXiK?1XQ#Ta?XxfbnX5kk<ALT*T^3ayKajlYu`DeX
+zy6yb>o5$}@h79*!m8~J6VDq704t(|cnZyU{3ckKsk^Ih0?sEF9qaPH!b^edCEnlZz
+zZmc?cg6*Pn3tA@}JG}q>Tc<bQfyKR7FU411IKHhu=DAsW<$T8{bFa4z6eT-LUn$J<
+z9e$xq&89wHaqn8DBGG!|Jzev_Yx8!^-yBRhnVa8qsziQg=gQ7qC-(gAlZ5`?1iStN
+DxIx@F
+
+literal 0
+HcmV?d00001
+
+diff --git a/src/libjasper/base/jas_icc.c b/src/libjasper/base/jas_icc.c
+index f3ffcef..eb25929 100644
+--- a/src/libjasper/base/jas_icc.c
+++ b/src/libjasper/base/jas_icc.c
+@@ -1324,12 +1324,22 @@ static int jas_icctxt_input(jas_iccattrval_t *attrval, jas_stream_t *in,
+ {
+ 	jas_icctxt_t *txt = &attrval->data.txt;
+ 	txt->string = 0;
+	/* The string must at least contain a single null character. */
+	if (cnt < 1) {
+		goto error;
+	}
+ 	if (!(txt->string = jas_malloc(cnt))) {
+ 		goto error;
+ 	}
+ 	if (jas_stream_read(in, txt->string, cnt) != cnt) {
+ 		goto error;
+ 	}
+	/* Ensure that the string is null terminated. */
+	if (txt->string[cnt - 1] != '\0') {
+		goto error;
+	}
+	/* The following line is redundant, unless we do not enforce that
+	  the last character must be null. */
+ 	txt->string[cnt - 1] = '\0';
+ 	if (strlen(txt->string) + 1 != cnt) {
+ 		goto error;
+-- 
+2.40.1
+
--- a/backport_CVE-2024-31744.patch
+++ b/backport_CVE-2024-31744.patch
@ -0,0 +1,43 @@
+From 6d084c53a77762f41bb5310713a5f1872fef55f5 Mon Sep 17 00:00:00 2001
+From: Michael Adams <mdadams@ece.uvic.ca>
+Date: Sun, 28 Apr 2024 10:43:08 +0800
+Subject: [PATCH] Fixes #381.
+Added a missing check to the jpc_dec_process_sod function of the JPC codec.
+Added another image to the test set.
+---
+ data/test/bad/318.jpc       | Bin 0 -> 320 bytes
+ src/libjasper/jpc/jpc_dec.c |   4 +++-
+ 2 files changed, 3 insertions(+), 1 deletion(-)
+ create mode 100644 data/test/bad/318.jpc
+
+diff --git a/data/test/bad/318.jpc b/data/test/bad/318.jpc
+new file mode 100644
+index 0000000000000000000000000000000000000000..8446ccb36b5a6ab04b1d7621ff2f9ae9980cd047
+GIT binary patch
+literal 320
+zcmezG|38pHp8*88fLIdDf)F4+2txoPJ0leRPhj8yiLw6w_lAM-e+&b!gM)`h00jL{
+zXHbRe08yxBFeA(e0-M3ez|6veX+{dr3`Xao)Wnk16osTpg*X41fXW!aR`GdwxI?Xq
+z11d`bD=P#m^Djt!=M|9Ru27a*RGgWgr(mRKqG#}b0@N33K#L~dhdB<YIL|A<6{@%g
+ySuqm>1LGZ#;^SAiPO>wqbm$)~zU%$&Nbbcrw#w=D+^b5y{E|Ib&pabRX%_&AicE?C
+
+literal 0
+HcmV?d00001
+
+diff --git a/src/libjasper/jpc/jpc_dec.c b/src/libjasper/jpc/jpc_dec.c
+index e76aa40..125a29b 100644
+--- a/src/libjasper/jpc/jpc_dec.c
+++ b/src/libjasper/jpc/jpc_dec.c
+@@ -611,7 +611,9 @@ static int jpc_dec_process_sod(jpc_dec_t *dec, jpc_ms_t *ms)
+ 	if (dec->pkthdrstreams) {
+ 		/* Get the stream containing the packet header data for this
+ 		  tile-part. */
+-		if (!(tile->pkthdrstream = jpc_streamlist_remove(dec->pkthdrstreams, 0))) {
+		if (jpc_streamlist_numstreams(dec->pkthdrstreams) != 0 &&
+		  !(tile->pkthdrstream = jpc_streamlist_remove(dec->pkthdrstreams,
+		  0))) {
+ 			return -1;
+ 		}
+ 	}
+-- 
+2.23.0
+
--- a/jasper-2.0.14-CVE-2016-9396.patch
+++ b/jasper-2.0.14-CVE-2016-9396.patch
@ -1,13 +0,0 @@
-diff -urNp old/src/libjasper/jpc/jpc_cs.c new/src/libjasper/jpc/jpc_cs.c
--- old/src/libjasper/jpc/jpc_cs.c	2018-05-30 09:01:54.160406645 +0200
-+++ new/src/libjasper/jpc/jpc_cs.c	2018-05-30 09:05:24.527094308 +0200
-@@ -795,6 +795,9 @@ static int jpc_cox_getcompparms(jpc_ms_t
- 	if (compparms->numdlvls > 32) {
- 		goto error;
- 	}
-+	if (compparms->qmfbid != JPC_COX_INS &&
-+	    compparms->qmfbid != JPC_COX_RFT)
-+		goto error;
- 	compparms->numrlvls = compparms->numdlvls + 1;
- 	if (compparms->numrlvls > JPC_MAXRLVLS) {
- 		goto error;
--- a/jasper-2.0.14-rpath.patch
+++ b/jasper-2.0.14-rpath.patch
@ -1,12 +0,0 @@
-diff -up jasper-2.0.14/CMakeLists.txt.rpath jasper-2.0.14/CMakeLists.txt
--- jasper-2.0.14/CMakeLists.txt.rpath	2017-09-14 18:20:10.000000000 -0500
-+++ jasper-2.0.14/CMakeLists.txt	2018-07-19 09:48:53.035815377 -0500
-@@ -347,7 +347,7 @@ if (JAS_ENABLE_SHARED)
- 	# (but later on when installing)
- 	set(CMAKE_BUILD_WITH_INSTALL_RPATH FALSE) 
- 
-	set(CMAKE_INSTALL_RPATH "${CMAKE_INSTALL_PREFIX}/lib")
-+	#set(CMAKE_INSTALL_RPATH "${CMAKE_INSTALL_PREFIX}/lib")
- 
- 	# add the automatically determined parts of the RPATH
- 	# which point to directories outside the build tree to the install RPATH
--- a/jasper-2.0.14.tar.gz
+++ b/jasper-2.0.14.tar.gz
--- a/jasper-4.1.0-rpath.patch
+++ b/jasper-4.1.0-rpath.patch
@ -0,0 +1,12 @@
+diff -urNp a/CMakeLists.txt b/CMakeLists.txt
+--- a/CMakeLists.txt	2023-11-08 10:45:01.610146140 +0100
+++ b/CMakeLists.txt	2023-11-08 10:46:18.131824994 +0100
+@@ -804,7 +804,7 @@ if(JAS_ENABLE_SHARED)
+ 	# (but later on when installing)
+ 	set(CMAKE_BUILD_WITH_INSTALL_RPATH FALSE)
+ 
+-	set(CMAKE_INSTALL_RPATH "${CMAKE_INSTALL_PREFIX}/lib")
+	#set(CMAKE_INSTALL_RPATH "${CMAKE_INSTALL_PREFIX}/lib")
+ 
+ 	# add the automatically determined parts of the RPATH
+ 	# which point to directories outside the build tree to the install RPATH
--- a/jasper.spec
+++ b/jasper.spec
@ -1,27 +1,17 @@
 Name:                jasper
-Version:             2.0.14
-Release:             10
+Version:             4.1.0
+Release:             4
 Summary:             Reference implementation of the codec specified in the JPEG-2000 standard, Part 1
-License:             JasPer
+License:             JasPer-2.0
 URL:                 http://www.ece.uvic.ca/~frodo/jasper/
-Source0:             http://www.ece.uvic.ca/~frodo/jasper/software/jasper-%{version}.tar.gz
+Source0:             https://github.com/jasper-software/%{name}/archive/refs/tags/version-%{version}.tar.gz

-Patch0001:           jasper-2.0.14-CVE-2016-9396.patch
-Patch0002:           jasper-2.0.14-rpath.patch
-Patch0003:           CVE-2018-9055.patch
-Patch0004:           CVE-2018-9154.patch
-Patch0005:           CVE-2018-9252.patch
-Patch0006:           CVE-2018-18873.patch
-Patch0007:           CVE-2018-19139.patch
-Patch0008:           CVE-2018-19539.patch
-Patch0009:           CVE-2018-19540.patch
-Patch0010:           CVE-2018-19541.patch
-Patch0011:           CVE-2018-20570.patch
-Patch0012:           CVE-2018-20622.patch
-Patch0013:           CVE-2021-27845.patch
+Patch0001:           jasper-4.1.0-rpath.patch
+Patch0002:           backport_CVE-2023-51257.patch
+Patch0003:           backport_CVE-2024-31744.patch

 BuildRequires:       cmake freeglut-devel libGLU-devel libjpeg-devel libXmu-devel libXi-devel
-BuildRequires:       pkgconfig doxygen mesa-libGL-devel
+BuildRequires:       pkgconfig doxygen mesa-libGL-devel git

 Provides:            jasper-libs = %{version}-%{release}
 Obsoletes:           jasper-libs < %{version}-%{release}
@ -53,7 +43,7 @@ Summary:             Help documents for jasper
 Help documents for jasper.

 %prep
-%autosetup -n %{name}-%{version} -p1 -S git
+%autosetup -n  %{name}-version-%{version} -p1 -S git

 %build
 install -d builder
@ -76,28 +66,42 @@ make test -C builder
 /sbin/ldconfig

 %files
-%doc COPYRIGHT LICENSE
+%doc COPYRIGHT.txt LICENSE.txt
 %{_bindir}/imgcmp
 %{_bindir}/imginfo
 %{_bindir}/jasper
 %{_docdir}/JasPer/*
-%{_libdir}/libjasper.so.4*
+%{_libdir}/libjasper.so.7*

 %files devel
 %doc doc/*
 %{_includedir}/jasper/
 %{_libdir}/pkgconfig/jasper.pc
 %{_libdir}/libjasper.so
-%exclude %{_docdir}/README

 %files utils
 %{_bindir}/jiv

 %files help
 %{_mandir}/man1/*
-%doc README
+%doc README.md

 %changelog
+* Sun Apr 28 2024 cenhuilin <cenhuilin@kylinos.cn> - 4.1.0-4
+- fix CVE-2024-31744
+
+* Wed Mar 27 2024 panchenbo <panchenbo@kylinsec.com.cn> - 4.1.0-3
+- fix rpmbuild build error : add BuildRequires: git
+
+* Mon Mar 25 2024 licihua <licihua@huawei.com> - 4.1.0-2
+- Fix CVE-2023-51257
+
+* Wed Feb 7 2024 Dongxing Wang <dongxing.wang_a@thundersoft.com> - 4.1.0-1
+- Upgrade to version 4.1.0
+
+* Mon Feb 5 2024 Dongxing Wang <dongxing.wang_a@thundersoft.com> - 2.0.14-11
+- Fix obs compile failure
+
 * Wed Sep 8 2021 liwu <liwu13@huawei.com> - 2.0.14-10
 - fix CVE-2021-27845

--- a/version-4.1.0.tar.gz
+++ b/version-4.1.0.tar.gz
Author	SHA1	Message	Date
openeuler-ci-bot	b9e4608aa9	!18 [sync] PR-17: fix CVE-2024-31744 From: @openeuler-sync-bot Reviewed-by: @dillon_chen Signed-off-by: @dillon_chen	2024-04-28 05:39:57 +00:00
cenhuilin	93286572ff	fix CVE-2024-31744 (cherry picked from commit 3503859d50c1fd22b72b549c6984b586d8cfa753)	2024-04-28 12:04:43 +08:00
openeuler-ci-bot	a338365797	!15 fix rpmbuild build error : add BuildRequires: git From: @panchenbo Reviewed-by: @desert-sailor Signed-off-by: @desert-sailor	2024-03-27 07:46:43 +00:00
panchenbo	021fe72dcc	fix rpmbuild build error : add BuildRequires: git	2024-03-27 15:23:29 +08:00
openeuler-ci-bot	92d3be3f30	!13 fix CVE-2023-51257 From: @licihua Reviewed-by: @overweight Signed-off-by: @overweight	2024-03-25 11:22:04 +00:00
licihua	b9e62da295	fix CVE-2023-51257	2024-03-25 16:42:33 +08:00
openeuler-ci-bot	129790d06b	!11 Upgrade package with versio 4.1.0 From: @desert-sailor Reviewed-by: @dillon_chen Signed-off-by: @dillon_chen	2024-02-08 02:54:09 +00:00
desert-sailor	c472949009	Init package with versio 4.1.0	2024-02-07 17:25:29 +08:00
openeuler-ci-bot	d650143d1d	!10 Fix obs compile failure From: @desert-sailor Reviewed-by: @dillon_chen Signed-off-by: @dillon_chen	2024-02-07 06:29:15 +00:00
desert-sailor	5147093907	Fix obs compile failure	2024-02-06 17:04:13 +08:00