~ubuntu-branches/ubuntu/maverick/ghostscript/maverick-security

Viewing changes to debian/patches/CVE-2011-451x.dpatch

Committer: Package Import Robot
Author(s): Marc Deslauriers
Date: 2011-12-20 14:09:50 UTC
Revision ID: package-import@ubuntu.com-20111220140950-6ua8uizk7kqzyguj

Tags: 8.71.dfsg.2-0ubuntu7.1

* SECURITY UPDATE: integer overflows via integer multiplication for
  memory allocation
  - debian/patches/CVE-2008-352x.dpatch: introduce new size-checked
    allocation functions and use them in:
    * jasper/src/libjasper/base/{jas_cm.c,jas_icc.c,jas_image.c,
      jas_malloc.c,jas_seq.c}
    * jasper/src/libjasper/bmp/bmp_dec.c
    * jasper/src/libjasper/include/jasper/jas_malloc.h
    * jasper/src/libjasper/jp2/{jp2_cod.c,jp2_dec.c,jp2_enc.c}
    * jasper/src/libjasper/jpc/{jpc_cs.c,jpc_dec.c,jpc_enc.c,jpc_mqdec.c,
      jpc_mqenc.c,jpc_qmfb.c,jpc_t1enc.c,jpc_t2cod.c,jpc_t2dec.c,
      jpc_t2enc.c,jpc_tagtree.c,jpc_util.c}
    * jasper/src/libjasper/mif/mif_cod.c
  - CVE-2008-3520
* SECURITY UPDATE: buffer overflow via vsprintf in jas_stream_printf()
  - debian/patches/CVE-2008-352x.dpatch: use vsnprintf() in
    jasper/src/libjasper/base/jas_stream.c
  - CVE-2008-3522
* SECURITY UPDATE: denial of service and possible code execution via
  heap-based buffer overflows.
  - debian/patches/CVE-2011-451x.dpatch: validate compparms->numrlvls
    and allocate proper size in jasper/src/libjasper/jpc/jpc_cs.c.
  - CVE-2011-4516
  - CVE-2011-4517

files added:
debian/patches/CVE-2008-352x.dpatch

debian/patches/CVE-2011-451x.dpatch

files modified:
debian/changelog

debian/control

debian/patches/00list

Show diffs side-by-side

added added

removed removed

debian/patches/CVE-2011-451x.dpatch

#! /bin/sh /usr/share/dpatch/dpatch-run

# Description: fix denial of service and possible code execution via

# heap-based buffer overflows.

# Origin: Patch thanks to Red Hat

@DPATCH@

diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' ghostscript-8.71.dfsg.2~/jasper/src/libjasper/jpc/jpc_cs.c ghostscript-8.71.dfsg.2/jasper/src/libjasper/jpc/jpc_cs.c

--- ghostscript-8.71.dfsg.2~/jasper/src/libjasper/jpc/jpc_cs.c 2011-12-20 15:23:10.354269070 -0500

+++ ghostscript-8.71.dfsg.2/jasper/src/libjasper/jpc/jpc_cs.c 2011-12-20 15:23:38.334269946 -0500

@@ -750,6 +750,10 @@

return -1;

}

compparms->numrlvls = compparms->numdlvls + 1;

+ if (compparms->numrlvls > JPC_MAXRLVLS) {

+ jpc_cox_destroycompparms(compparms);

+ return -1;

+ }

if (prtflag) {

for (i = 0; i < compparms->numrlvls; ++i) {

if (jpc_getuint8(in, &tmp)) {

@@ -1340,7 +1344,7 @@

jpc_crgcomp_t *comp;

uint_fast16_t compno;

crg->numcomps = cstate->numcomps;

- if (!(crg->comps = jas_alloc2(cstate->numcomps, sizeof(uint_fast16_t)))) {

+ if (!(crg->comps = jas_alloc2(cstate->numcomps, sizeof(jpc_crgcomp_t)))) {

return -1;

}

for (compno = 0, comp = crg->comps; compno < cstate->numcomps;

Older »