~ubuntu-branches/ubuntu/lucid/ghostscript/lucid-updates


Viewing changes to debian/patches/CVE-2014-8137.dpatch

  • Committer: Package Import Robot
  • Author(s): Marc Deslauriers
  • Date: 2015-01-22 13:09:28 UTC
  • Revision ID: package-import@ubuntu.com-20150122130928-xatzfph16hrp2bof
Tags: 8.71.dfsg.1-0ubuntu5.7
* SECURITY UPDATE: denial of service via crafted ICC color profile
  - debian/patches/CVE-2014-8137.dpatch: prevent double-free in
    jasper/src/libjasper/base/jas_icc.c, remove assert in
    jasper/src/libjasper/jp2/jp2_dec.c.
  - CVE-2014-8137
* SECURITY UPDATE: denial of service or code execution via invalid
  channel number
  - debian/patches/CVE-2014-8138.dpatch: validate channel number in
    jasper/src/libjasper/jp2/jp2_dec.c.
  - CVE-2014-8138
* SECURITY UPDATE: denial of service or code execution via off-by-one
  - debian/patches/CVE-2014-8157.dpatch: fix off-by-one in
    jasper/src/libjasper/jpc/jpc_dec.c.
  - CVE-2014-8157
* SECURITY UPDATE: denial of service or code execution via memory
  corruption
  - debian/patches/CVE-2014-8158.dpatch: remove HAVE_VLA to use more
    sensible buffer sizes in jasper/src/libjasper/jpc/jpc_qmfb.c.
  - CVE-2014-8158

 
1
#! /bin/sh /usr/share/dpatch/dpatch-run
 
2
# Description: CVE-2014-8137: double-free in in jas_iccattrval_destroy()
 
3
# Origin: vendor, https://bugzilla.redhat.com/attachment.cgi?id=967283,
 
4
#  https://bugzilla.redhat.com/attachment.cgi?id=967284
 
5
# Bug-Debian: https://bugs.debian.org/773463
 
6
# Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1173157
 
7
# Forwarded: no
 
8
# Author: Tomas Hoger <thoger@redhat.com>
 
9
# Last-Update: 2014-12-20
 
10
 
 
11
@DPATCH@
 
12
diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' ghostscript-8.71.dfsg.1~/jasper/src/libjasper/base/jas_icc.c ghostscript-8.71.dfsg.1/jasper/src/libjasper/base/jas_icc.c
 
13
--- ghostscript-8.71.dfsg.1~/jasper/src/libjasper/base/jas_icc.c        2015-01-22 13:03:49.000000000 -0500
 
14
+++ ghostscript-8.71.dfsg.1/jasper/src/libjasper/base/jas_icc.c 2015-01-22 13:04:20.025580220 -0500
 
15
@@ -1023,7 +1023,6 @@
 
16
        return 0;
 
17
 
 
18
 error:
 
19
-       jas_icccurv_destroy(attrval);
 
20
        return -1;
 
21
 }
 
22
 
 
23
@@ -1143,7 +1142,6 @@
 
24
 #endif
 
25
        return 0;
 
26
 error:
 
27
-       jas_icctxtdesc_destroy(attrval);
 
28
        return -1;
 
29
 }
 
30
 
 
31
@@ -1222,8 +1220,6 @@
 
32
                goto error;
 
33
        return 0;
 
34
 error:
 
35
-       if (txt->string)
 
36
-               jas_free(txt->string);
 
37
        return -1;
 
38
 }
 
39
 
 
40
@@ -1348,7 +1344,6 @@
 
41
                goto error;
 
42
        return 0;
 
43
 error:
 
44
-       jas_icclut8_destroy(attrval);
 
45
        return -1;
 
46
 }
 
47
 
 
48
@@ -1519,7 +1514,6 @@
 
49
                goto error;
 
50
        return 0;
 
51
 error:
 
52
-       jas_icclut16_destroy(attrval);
 
53
        return -1;
 
54
 }
 
55
 
 
56
diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' ghostscript-8.71.dfsg.1~/jasper/src/libjasper/jp2/jp2_dec.c ghostscript-8.71.dfsg.1/jasper/src/libjasper/jp2/jp2_dec.c
 
57
--- ghostscript-8.71.dfsg.1~/jasper/src/libjasper/jp2/jp2_dec.c 2015-01-22 13:03:49.000000000 -0500
 
58
+++ ghostscript-8.71.dfsg.1/jasper/src/libjasper/jp2/jp2_dec.c  2015-01-22 13:04:20.025580220 -0500
 
59
@@ -325,7 +325,10 @@
 
60
        case JP2_COLR_ICC:
 
61
                iccprof = jas_iccprof_createfrombuf(dec->colr->data.colr.iccp,
 
62
                  dec->colr->data.colr.iccplen);
 
63
-               assert(iccprof);
 
64
+               if (!iccprof) {
 
65
+                       jas_eprintf("error: failed to parse ICC profile\n");
 
66
+                       goto error;
 
67
+               }
 
68
                jas_iccprof_gethdr(iccprof, &icchdr);
 
69
                if (jas_getdbglevel() >= 1) {
 
70
                        jas_eprintf("ICC Profile CS %08x\n", icchdr.colorspc);
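Review bot: The new `if (!iccprof)` check in the `JP2_COLR_ICC` case of jp2_dec.c carries no comment saying why a runtime check replaced `assert(iccprof)`, which makes it easy for a later cleanup to turn it back into an assert. I would put a comment above it such as `/* ICC profile bytes come from the input file: a parse failure is an ordinary error, and an assert would abort or, under NDEBUG, fall through to a NULL dereference in jas_iccprof_gethdr() */`. The `error` label and the rest of the enclosing function are outside the hunk, so it cannot be confirmed from here that this path releases everything allocated before the ICC branch; that is worth checking against the full function. The result of `jas_iccprof_gethdr(iccprof, &icchdr)` on the following context line is still not checked, which matters only if that call can fail. The jas_icc.c hunks are pure deletions of destroy calls from the `error:` paths, and they are correct only if the caller of each input routine still destroys the attribute value on failure, which is not visible in this patch.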