jasper: Patch for CVE-2014-8137 via RedHat.

4 files changed, 66 insertions, 2 deletions

diff --git a/pkgs/development/libraries/jasper/default.nix b/pkgs/development/libraries/jasper/default.nix
index fa332cc66d3c..38c53edb439b 100644
--- a/pkgs/development/libraries/jasper/default.nix
+++ b/pkgs/development/libraries/jasper/default.nix
@@ -8,7 +8,10 @@ stdenv.mkDerivation rec {
     sha256 = "154l7zk7yh3v8l2l6zm5s2alvd2fzkp6c9i18iajfbna5af5m43b";
   };
 
-  patches = [ ./jasper-CVE-2014-9029.diff ];
+  patches = [
+    ./jasper-CVE-2014-8137-variant2.diff ./jasper-CVE-2014-8137-noabort.diff
+    ./jasper-CVE-2014-9029.diff
+  ];
 
   nativeBuildInputs = [unzip];
   propagatedBuildInputs = [ libjpeg ];
diff --git a/pkgs/development/libraries/jasper/jasper-CVE-2014-8137-noabort.diff b/pkgs/development/libraries/jasper/jasper-CVE-2014-8137-noabort.diff
new file mode 100644
index 000000000000..47b57d5c8098
--- /dev/null
+++ b/pkgs/development/libraries/jasper/jasper-CVE-2014-8137-noabort.diff
@@ -0,0 +1,16 @@
+From RedHat: https://bugzilla.redhat.com/attachment.cgi?id=967284&action=diff
+
+--- jasper-1.900.1.orig/src/libjasper/jp2/jp2_dec.c	2014-12-11 14:30:54.193209780 +0100
++++ jasper-1.900.1/src/libjasper/jp2/jp2_dec.c	2014-12-11 14:36:46.313217814 +0100
+@@ -291,7 +291,10 @@ jas_image_t *jp2_decode(jas_stream_t *in
+ 	case JP2_COLR_ICC:
+ 		iccprof = jas_iccprof_createfrombuf(dec->colr->data.colr.iccp,
+ 		  dec->colr->data.colr.iccplen);
+-		assert(iccprof);
++		if (!iccprof) {
++			jas_eprintf("error: failed to parse ICC profile\n");
++			goto error;
++		}
+ 		jas_iccprof_gethdr(iccprof, &icchdr);
+ 		jas_eprintf("ICC Profile CS %08x\n", icchdr.colorspc);
+ 		jas_image_setclrspc(dec->image, fromiccpcs(icchdr.colorspc));
diff --git a/pkgs/development/libraries/jasper/jasper-CVE-2014-8137-variant2.diff b/pkgs/development/libraries/jasper/jasper-CVE-2014-8137-variant2.diff
new file mode 100644
index 000000000000..243300dd70ee
--- /dev/null
+++ b/pkgs/development/libraries/jasper/jasper-CVE-2014-8137-variant2.diff
@@ -0,0 +1,45 @@
+From RedHat: https://bugzilla.redhat.com/attachment.cgi?id=967283&action=diff
+
+--- jasper-1.900.1.orig/src/libjasper/base/jas_icc.c	2014-12-11 14:06:44.000000000 +0100
++++ jasper-1.900.1/src/libjasper/base/jas_icc.c	2014-12-11 15:16:37.971272386 +0100
+@@ -1009,7 +1009,6 @@ static int jas_icccurv_input(jas_iccattr
+ 	return 0;
+ 
+ error:
+-	jas_icccurv_destroy(attrval);
+ 	return -1;
+ }
+ 
+@@ -1127,7 +1126,6 @@ static int jas_icctxtdesc_input(jas_icca
+ #endif
+ 	return 0;
+ error:
+-	jas_icctxtdesc_destroy(attrval);
+ 	return -1;
+ }
+ 
+@@ -1206,8 +1204,6 @@ static int jas_icctxt_input(jas_iccattrv
+ 		goto error;
+ 	return 0;
+ error:
+-	if (txt->string)
+-		jas_free(txt->string);
+ 	return -1;
+ }
+ 
+@@ -1328,7 +1324,6 @@ static int jas_icclut8_input(jas_iccattr
+ 		goto error;
+ 	return 0;
+ error:
+-	jas_icclut8_destroy(attrval);
+ 	return -1;
+ }
+ 
+@@ -1497,7 +1492,6 @@ static int jas_icclut16_input(jas_iccatt
+ 		goto error;
+ 	return 0;
+ error:
+-	jas_icclut16_destroy(attrval);
+ 	return -1;
+ }
+ 
diff --git a/pkgs/development/libraries/jasper/jasper-CVE-2014-9029.diff b/pkgs/development/libraries/jasper/jasper-CVE-2014-9029.diff
index aa01324dba72..01db7f03cdf8 100644
--- a/pkgs/development/libraries/jasper/jasper-CVE-2014-9029.diff
+++ b/pkgs/development/libraries/jasper/jasper-CVE-2014-9029.diff
@@ -1,4 +1,4 @@
-(From RedHat: https://bugzilla.redhat.com/attachment.cgi?id=961994&action=diff)
+From RedHat: https://bugzilla.redhat.com/attachment.cgi?id=961994&action=diff
 
 --- jasper-1.900.1.orig/src/libjasper/jpc/jpc_dec.c	2014-11-27 12:45:44.000000000 +0100
 +++ jasper-1.900.1/src/libjasper/jpc/jpc_dec.c	2014-11-27 12:44:58.000000000 +0100