head 1.3; access; symbols pkgsrc-2016Q4:1.2.0.2 pkgsrc-2016Q4-base:1.2; locks; strict; comment @# @; 1.3 date 2017.02.21.18.24.20; author adam; state dead; branches; next 1.2; commitid VSUIC85lQBP0FQGz; 1.2 date 2016.12.17.23.10.25; author dholland; state Exp; branches; next 1.1; commitid 6wsDIZ4byQNDmoyz; 1.1 date 2016.12.17.23.02.51; author dholland; state Exp; branches; next ; commitid hrkfe8j30Mo9koyz; desc @@ 1.3 log @Changes 2.0.10: Fixed a problem in the JP2 encoder that caused a null pointer dereference when no ICC profile data is available (e.g., in the case of an unknown color space). @ text @$NetBSD: patch-CVE-2016-8654,v 1.2 2016/12/17 23:10:25 dholland Exp $ From 4a59cfaf9ab3d48fca4a15c0d2674bf7138e3d1a Mon Sep 17 00:00:00 2001 From: Michael Adams Date: Sat, 26 Nov 2016 20:23:23 -0800 Subject: [PATCH] Fixed a buffer overrun problem in the QMFB code in the JPC codec that was caused by a buffer being allocated with a size that was too small in some cases. Added a new regression test case. --- data/test/bad/PoC1.jpc | Bin 0 -> 233 bytes src/libjasper/jpc/jpc_qmfb.c | 28 +++++++++++++++------------- 2 files changed, 15 insertions(+), 13 deletions(-) create mode 100644 data/test/bad/PoC1.jpc # 
diff --git a/data/test/bad/PoC1.jpc b/data/test/bad/PoC1.jpc # new file mode 100644 # index 0000000000000000000000000000000000000000..95239547c40ebd947169f8d87ec399759d1acd3f # GIT binary patch # literal 233 # zcmezG|38pHlYx9PMS)TLe+&alg2Vq5 # z23-b5=c3falKdho1;;R5FC%XSjbu#)BLf2i9Ux(-;Fy!1uMn15oSC2Ze*yy+*u*jh # z#{ZKa{p#MIIpO~#?i1JcuDH+a{XxR{o@@qS)=2(V # z>o4CL(REnycXM0m>2?DJ+q$m14-a1!FY%njRQ9-BmDw#gXoZ8CkKEbRXJ= QMFB_SPLITBUFSIZE) { @@@@ -385,9 +385,9 @@@@ void jpc_qmfb_split_col(jpc_fix_t *a, int numrows, int stride, } if (numrows >= 2) { - hstartcol = (numrows + 1 - parity) >> 1; - // ORIGINAL (WRONG): m = (parity) ? hstartcol : (numrows - hstartcol); - m = numrows - hstartcol; + hstartrow = (numrows + 1 - parity) >> 1; + // ORIGINAL (WRONG): m = (parity) ? hstartrow : (numrows - hstartrow); + m = numrows - hstartrow; /* Save the samples destined for the highpass channel. */ n = m; @@@@ -408,7 +408,7 @@@@ void jpc_qmfb_split_col(jpc_fix_t *a, int numrows, int stride, srcptr += stride << 1; } /* Copy the saved samples into the highpass channel. */ - dstptr = &a[hstartcol * stride]; + dstptr = &a[hstartrow * stride]; srcptr = buf; n = m; while (n-- > 0) { @@@@ -439,20 +439,21 @@@@ void jpc_qmfb_split_colgrp(jpc_fix_t *a, int numrows, int stride, register int n; register int i; int m; - int hstartcol; + int hstartrow; /* Get a buffer. */ if (bufsize > QMFB_SPLITBUFSIZE) { - if (!(buf = jas_alloc2(bufsize, sizeof(jpc_fix_t)))) { + if (!(buf = jas_alloc3(bufsize, JPC_QMFB_COLGRPSIZE, + sizeof(jpc_fix_t)))) { /* We have no choice but to commit suicide in this case. */ abort(); } } if (numrows >= 2) { - hstartcol = (numrows + 1 - parity) >> 1; - // ORIGINAL (WRONG): m = (parity) ? hstartcol : (numrows - hstartcol); - m = numrows - hstartcol; + hstartrow = (numrows + 1 - parity) >> 1; + // ORIGINAL (WRONG): m = (parity) ? hstartrow : (numrows - hstartrow); + m = numrows - hstartrow; /* Save the samples destined for the highpass channel. 
*/ n = m; @@@@ -485,7 +486,7 @@@@ void jpc_qmfb_split_colgrp(jpc_fix_t *a, int numrows, int stride, srcptr += stride << 1; } /* Copy the saved samples into the highpass channel. */ - dstptr = &a[hstartcol * stride]; + dstptr = &a[hstartrow * stride]; srcptr = buf; n = m; while (n-- > 0) { @@@@ -526,7 +527,7 @@@@ void jpc_qmfb_split_colres(jpc_fix_t *a, int numrows, int numcols, /* Get a buffer. */ if (bufsize > QMFB_SPLITBUFSIZE) { - if (!(buf = jas_alloc2(bufsize, sizeof(jpc_fix_t)))) { + if (!(buf = jas_alloc3(bufsize, numcols, sizeof(jpc_fix_t)))) { /* We have no choice but to commit suicide in this case. */ abort(); } @@@@ -721,7 +722,8 @@@@ void jpc_qmfb_join_colgrp(jpc_fix_t *a, int numrows, int stride, /* Allocate memory for the join buffer from the heap. */ if (bufsize > QMFB_JOINBUFSIZE) { - if (!(buf = jas_alloc3(bufsize, JPC_QMFB_COLGRPSIZE, sizeof(jpc_fix_t)))) { + if (!(buf = jas_alloc3(bufsize, JPC_QMFB_COLGRPSIZE, + sizeof(jpc_fix_t)))) { /* We have no choice but to commit suicide. */ abort(); } @ 1.2 log @Insert rcsid header in patch file, which I dropped in almost verbatim from upstream. @ text @d1 1 a1 1 $NetBSD$ @ 1.1 log @Add upstream patch for CVE-2016-8654. @ text @d1 2 @
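Review bot: The heap path in jpc_qmfb_split_colgrp (hunk -439) and jpc_qmfb_split_colres (hunk -526) now allocates bufsize * JPC_QMFB_COLGRPSIZE and bufsize * numcols elements respectively, but the condition that chooses the non-heap path is still `if (bufsize > QMFB_SPLITBUFSIZE)` with no column factor, and the buffer `buf` points at in that case is declared outside both hunks, so the overrun is only fully closed if that fallback buffer holds at least QMFB_SPLITBUFSIZE * JPC_QMFB_COLGRPSIZE samples and every caller of split_colres passes numcols no larger than JPC_QMFB_COLGRPSIZE — neither can be confirmed from the patch. A one-line comment at each allocation site would make the invariant reviewable without reading the callers, e.g. `/* fallback buffer must hold QMFB_SPLITBUFSIZE * JPC_QMFB_COLGRPSIZE samples; numcols assumed <= JPC_QMFB_COLGRPSIZE */`. The abort() on allocation failure is pre-existing behavior and means a crafted image that drives bufsize large still terminates the process rather than returning an error, which is worth noting for anyone embedding the decoder. The jpc_qmfb_join_colgrp hunk (-721) only re-wraps an existing jas_alloc3 call and the -485 hunk is a rename, so neither needs a change. Both split functions begin before their hunks.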