jasper: CVE-2008-352[0-2] multiple integer overflows in jas_alloc calls

Related Vulnerabilities: CVE-2008-3522   CVE-2008-3521   CVE-2008-3520  

Debian Bug report logs - #501021

Package: jasper; Maintainer for jasper is Roland Stigge <stigge@antcom.de>;

Reported by: Nico Golde <nion@debian.org>

Date: Fri, 3 Oct 2008 12:24:01 UTC

Severity: grave

Tags: patch, security

Fixed in version jasper/1.900.1-5.1

Done: Pierre Habouzit <madcoder@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, Roland Stigge <stigge@antcom.de>:
Bug#501021; Package jasper. (Fri, 03 Oct 2008 12:24:03 GMT)


Acknowledgement sent to Nico Golde <nion@debian.org>:
New Bug report received and forwarded. Copy sent to Roland Stigge <stigge@antcom.de>. (Fri, 03 Oct 2008 12:24:03 GMT)


Message #5 received at submit@bugs.debian.org:

From: Nico Golde <nion@debian.org>
To: submit@bugs.debian.org
Subject: jasper: CVE-2008-352[0-2] multiple integer overflows in jas_alloc calls
Date: Fri, 3 Oct 2008 14:23:19 +0200
Package: jasper
Severity: grave
Tags: security patch

Hi,
the following CVE (Common Vulnerabilities & Exposures) ids were
published for jasper.

CVE-2008-3522[0]:
| Buffer overflow in the jas_stream_printf function in
| libjasper/base/jas_stream.c in JasPer 1.900.1 might allow
| context-dependent attackers to have an unknown impact via vectors
| related to the mif_hdr_put function and use of vsprintf.

CVE-2008-3521[1]:
| The jas_stream_tmpfile function in libjasper/base/jas_stream.c in
| JasPer 1.900.1 allows local users to overwrite arbitrary files via a
| symlink attack on a tmp.XXXXXXXXXX temporary file.

CVE-2008-3520[2]:
| Multiple integer overflows in JasPer 1.900.1 might allow
| context-dependent attackers to have an unknown impact via a crafted
| image file, related to integer multiplication for memory allocation.

CVE-2008-3521 is not really important as the file is opened 
with O_EXCL but a patch for all these three issues is 
attached.

If you fix the vulnerabilities please also make sure to include the
CVE ids in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3522
    http://security-tracker.debian.net/tracker/CVE-2008-3522
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3521
    http://security-tracker.debian.net/tracker/CVE-2008-3521
[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3520
    http://security-tracker.debian.net/tracker/CVE-2008-3520

-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[jasper.patch (text/x-diff, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Roland Stigge <stigge@antcom.de>:
Bug#501021; Package jasper. (Sun, 12 Oct 2008 19:45:03 GMT)


Acknowledgement sent to Pierre Habouzit <madcoder@debian.org>:
Extra info received and forwarded to list. Copy sent to Roland Stigge <stigge@antcom.de>. (Sun, 12 Oct 2008 19:45:03 GMT)


Message #10 received at 501021@bugs.debian.org:

From: Pierre Habouzit <madcoder@debian.org>
To: 501021@bugs.debian.org
Subject: jasper: diff for NMU version 1.900.1-5.1
Date: Sun, 12 Oct 2008 21:43:07 +0200
tags 501021 + patch
thanks

Dear maintainer,

I've prepared an NMU for jasper (versioned as 1.900.1-5.1) and uploaded it
to DELAYED/02.

Regards.

diff -u jasper-1.900.1/debian/changelog jasper-1.900.1/debian/changelog
--- jasper-1.900.1/debian/changelog
+++ jasper-1.900.1/debian/changelog
@@ -1,3 +1,13 @@
+jasper (1.900.1-5.1) unstable; urgency=low
+
+  * Non-maintainer upload.
+  * add patches/02_security.dpatch to fix various CVEs (Closes: #501021):
+     + CVE-2008-3522[0]: Buffer overflow.
+     + CVE-2008-3521[1]: unsecure temporary files handling.
+     + CVE-2008-3520[2]: Multiple integer overflows.
+
+ -- Pierre Habouzit <madcoder@debian.org>  Sun, 12 Oct 2008 21:40:59 +0200
+
 jasper (1.900.1-5) unstable; urgency=low
 
   * Added GeoJP2 patch by Sven Geggus <sven.geggus@iitb.fraunhofer.de>
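Review bot: urgency=low on the new 1.900.1-5.1 entry does not match a fix for a bug filed at severity grave that covers three CVEs; consider urgency=high (or at least medium) so the upload migrates promptly. The [0], [1], [2] markers after each CVE id were footnote references in the bug mail and point at nothing in the changelog, so they can be dropped, and "unsecure" reads better as "insecure".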
diff -u jasper-1.900.1/debian/patches/00list jasper-1.900.1/debian/patches/00list
--- jasper-1.900.1/debian/patches/00list
+++ jasper-1.900.1/debian/patches/00list
@@ -1,0 +2 @@
+02_security.dpatch
only in patch4:
unchanged:
--- jasper-1.900.1.orig/debian/patches/02_security.dpatch
+++ jasper-1.900.1/debian/patches/02_security.dpatch
@@ -0,0 +1,983 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+##
+## All lines beginning with `## DP:' are a description of the patch.
+
+@DPATCH@
+
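Review bot: the dpatch header announces "## DP:" description lines but contains none, so the patch list carries no summary of what 02_security.dpatch changes. Add a few "## DP:" lines naming CVE-2008-3520, CVE-2008-3521 and CVE-2008-3522 and the files each fix touches.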
+diff -Nurad jasper-1.900.1.orig/src/libjasper/base/jas_cm.c jasper-1.900.1.new/src/libjasper/base/jas_cm.c
+--- jasper-1.900.1.orig/src/libjasper/base/jas_cm.c	2007-01-19 22:43:05.000000000 +0100
++++ jasper-1.900.1.new/src/libjasper/base/jas_cm.c	2008-10-03 14:17:55.000000000 +0200
+@@ -704,8 +704,7 @@
+ {
+ 	jas_cmpxform_t **p;
+ 	assert(n >= pxformseq->numpxforms);
+-	p = (!pxformseq->pxforms) ? jas_malloc(n * sizeof(jas_cmpxform_t *)) :
+-	  jas_realloc(pxformseq->pxforms, n * sizeof(jas_cmpxform_t *));
++	p = jas_realloc2(pxformseq->pxforms, n, sizeof(jas_cmpxform_t *));
+ 	if (!p) {
+ 		return -1;
+ 	}
+@@ -889,13 +888,13 @@
+ 	jas_cmshapmatlut_cleanup(lut);
+ 	if (curv->numents == 0) {
+ 		lut->size = 2;
+-		if (!(lut->data = jas_malloc(lut->size * sizeof(jas_cmreal_t))))
++		if (!(lut->data = jas_alloc2(lut->size, sizeof(jas_cmreal_t))))
+ 			goto error;
+ 		lut->data[0] = 0.0;
+ 		lut->data[1] = 1.0;
+ 	} else if (curv->numents == 1) {
+ 		lut->size = 256;
+-		if (!(lut->data = jas_malloc(lut->size * sizeof(jas_cmreal_t))))
++		if (!(lut->data = jas_alloc2(lut->size, sizeof(jas_cmreal_t))))
+ 			goto error;
+ 		gamma = curv->ents[0] / 256.0;
+ 		for (i = 0; i < lut->size; ++i) {
+@@ -903,7 +902,7 @@
+ 		}
+ 	} else {
+ 		lut->size = curv->numents;
+-		if (!(lut->data = jas_malloc(lut->size * sizeof(jas_cmreal_t))))
++		if (!(lut->data = jas_alloc2(lut->size, sizeof(jas_cmreal_t))))
+ 			goto error;
+ 		for (i = 0; i < lut->size; ++i) {
+ 			lut->data[i] = curv->ents[i] / 65535.0;
+@@ -953,7 +952,7 @@
+ 			return -1;
+ 		}
+ 	}
+-	if (!(invlut->data = jas_malloc(n * sizeof(jas_cmreal_t))))
++	if (!(invlut->data = jas_alloc2(n, sizeof(jas_cmreal_t))))
+ 		return -1;
+ 	invlut->size = n;
+ 	for (i = 0; i < invlut->size; ++i) {
+diff -Nurad jasper-1.900.1.orig/src/libjasper/base/jas_icc.c jasper-1.900.1.new/src/libjasper/base/jas_icc.c
+--- jasper-1.900.1.orig/src/libjasper/base/jas_icc.c	2007-01-19 22:43:05.000000000 +0100
++++ jasper-1.900.1.new/src/libjasper/base/jas_icc.c	2008-10-03 14:17:55.000000000 +0200
+@@ -373,7 +373,7 @@
+ 	jas_icctagtab_t *tagtab;
+ 
+ 	tagtab = &prof->tagtab;
+-	if (!(tagtab->ents = jas_malloc(prof->attrtab->numattrs *
++	if (!(tagtab->ents = jas_alloc2(prof->attrtab->numattrs,
+ 	  sizeof(jas_icctagtabent_t))))
+ 		goto error;
+ 	tagtab->numents = prof->attrtab->numattrs;
+@@ -522,7 +522,7 @@
+ 	}
+ 	if (jas_iccgetuint32(in, &tagtab->numents))
+ 		goto error;
+-	if (!(tagtab->ents = jas_malloc(tagtab->numents *
++	if (!(tagtab->ents = jas_alloc2(tagtab->numents,
+ 	  sizeof(jas_icctagtabent_t))))
+ 		goto error;
+ 	tagtabent = tagtab->ents;
+@@ -743,8 +743,7 @@
+ {
+ 	jas_iccattr_t *newattrs;
+ 	assert(maxents >= tab->numattrs);
+-	newattrs = tab->attrs ? jas_realloc(tab->attrs, maxents *
+-	  sizeof(jas_iccattr_t)) : jas_malloc(maxents * sizeof(jas_iccattr_t));
++	newattrs = jas_realloc2(tab->attrs, maxents, sizeof(jas_iccattr_t));
+ 	if (!newattrs)
+ 		return -1;
+ 	tab->attrs = newattrs;
+@@ -999,7 +998,7 @@
+ 
+ 	if (jas_iccgetuint32(in, &curv->numents))
+ 		goto error;
+-	if (!(curv->ents = jas_malloc(curv->numents * sizeof(jas_iccuint16_t))))
++	if (!(curv->ents = jas_alloc2(curv->numents, sizeof(jas_iccuint16_t))))
+ 		goto error;
+ 	for (i = 0; i < curv->numents; ++i) {
+ 		if (jas_iccgetuint16(in, &curv->ents[i]))
+@@ -1100,7 +1099,7 @@
+ 	if (jas_iccgetuint32(in, &txtdesc->uclangcode) ||
+ 	  jas_iccgetuint32(in, &txtdesc->uclen))
+ 		goto error;
+-	if (!(txtdesc->ucdata = jas_malloc(txtdesc->uclen * 2)))
++	if (!(txtdesc->ucdata = jas_alloc2(txtdesc->uclen, 2)))
+ 		goto error;
+ 	if (jas_stream_read(in, txtdesc->ucdata, txtdesc->uclen * 2) !=
+ 	  JAS_CAST(int, txtdesc->uclen * 2))
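Review bot: the context lines right after the changed allocation still compute txtdesc->uclen * 2 twice, once as the read length and once inside JAS_CAST(int, ...), with no overflow check. jas_alloc2(txtdesc->uclen, 2) only guards the product as a size_t; uclen is read straight from the file by jas_iccgetuint32, so the product can exceed what an int holds and the comparison with the cast value no longer means what it says. Reject uclen above a sane limit before allocating, and compute the byte count once and reuse it.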
+@@ -1292,17 +1291,17 @@
+ 	  jas_iccgetuint16(in, &lut8->numouttabents))
+ 		goto error;
+ 	clutsize = jas_iccpowi(lut8->clutlen, lut8->numinchans) * lut8->numoutchans;
+-	if (!(lut8->clut = jas_malloc(clutsize * sizeof(jas_iccuint8_t))) ||
+-	  !(lut8->intabsbuf = jas_malloc(lut8->numinchans *
+-	  lut8->numintabents * sizeof(jas_iccuint8_t))) ||
+-	  !(lut8->intabs = jas_malloc(lut8->numinchans *
++	if (!(lut8->clut = jas_alloc2(clutsize, sizeof(jas_iccuint8_t))) ||
++	  !(lut8->intabsbuf = jas_alloc3(lut8->numinchans,
++	  lut8->numintabents, sizeof(jas_iccuint8_t))) ||
++	  !(lut8->intabs = jas_alloc2(lut8->numinchans,
+ 	  sizeof(jas_iccuint8_t *))))
+ 		goto error;
+ 	for (i = 0; i < lut8->numinchans; ++i)
+ 		lut8->intabs[i] = &lut8->intabsbuf[i * lut8->numintabents];
+-	if (!(lut8->outtabsbuf = jas_malloc(lut8->numoutchans *
+-	  lut8->numouttabents * sizeof(jas_iccuint8_t))) ||
+-	  !(lut8->outtabs = jas_malloc(lut8->numoutchans *
++	if (!(lut8->outtabsbuf = jas_alloc3(lut8->numoutchans,
++	  lut8->numouttabents, sizeof(jas_iccuint8_t))) ||
++	  !(lut8->outtabs = jas_alloc2(lut8->numoutchans,
+ 	  sizeof(jas_iccuint8_t *))))
+ 		goto error;
+ 	for (i = 0; i < lut8->numoutchans; ++i)
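Review bot: clutsize is still computed as jas_iccpowi(lut8->clutlen, lut8->numinchans) * lut8->numoutchans in the unchanged line above the first allocation, so the value handed to jas_alloc2(clutsize, ...) may already have wrapped and the new check cannot see it. Validate the power and the multiplication by numoutchans before allocating, and fail when the intermediate result does not fit. The lut16 hunk that follows has the same pattern.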
+@@ -1461,17 +1460,17 @@
+ 	  jas_iccgetuint16(in, &lut16->numouttabents))
+ 		goto error;
+ 	clutsize = jas_iccpowi(lut16->clutlen, lut16->numinchans) * lut16->numoutchans;
+-	if (!(lut16->clut = jas_malloc(clutsize * sizeof(jas_iccuint16_t))) ||
+-	  !(lut16->intabsbuf = jas_malloc(lut16->numinchans *
+-	  lut16->numintabents * sizeof(jas_iccuint16_t))) ||
+-	  !(lut16->intabs = jas_malloc(lut16->numinchans *
++	if (!(lut16->clut = jas_alloc2(clutsize, sizeof(jas_iccuint16_t))) ||
++	  !(lut16->intabsbuf = jas_alloc3(lut16->numinchans,
++	  lut16->numintabents, sizeof(jas_iccuint16_t))) ||
++	  !(lut16->intabs = jas_alloc2(lut16->numinchans,
+ 	  sizeof(jas_iccuint16_t *))))
+ 		goto error;
+ 	for (i = 0; i < lut16->numinchans; ++i)
+ 		lut16->intabs[i] = &lut16->intabsbuf[i * lut16->numintabents];
+-	if (!(lut16->outtabsbuf = jas_malloc(lut16->numoutchans *
+-	  lut16->numouttabents * sizeof(jas_iccuint16_t))) ||
+-	  !(lut16->outtabs = jas_malloc(lut16->numoutchans *
++	if (!(lut16->outtabsbuf = jas_alloc3(lut16->numoutchans,
++	  lut16->numouttabents, sizeof(jas_iccuint16_t))) ||
++	  !(lut16->outtabs = jas_alloc2(lut16->numoutchans,
+ 	  sizeof(jas_iccuint16_t *))))
+ 		goto error;
+ 	for (i = 0; i < lut16->numoutchans; ++i)
+diff -Nurad jasper-1.900.1.orig/src/libjasper/base/jas_image.c jasper-1.900.1.new/src/libjasper/base/jas_image.c
+--- jasper-1.900.1.orig/src/libjasper/base/jas_image.c	2007-01-19 22:43:05.000000000 +0100
++++ jasper-1.900.1.new/src/libjasper/base/jas_image.c	2008-10-03 14:17:55.000000000 +0200
+@@ -142,7 +142,7 @@
+ 	image->inmem_ = true;
+ 
+ 	/* Allocate memory for the per-component information. */
+-	if (!(image->cmpts_ = jas_malloc(image->maxcmpts_ *
++	if (!(image->cmpts_ = jas_alloc2(image->maxcmpts_,
+ 	  sizeof(jas_image_cmpt_t *)))) {
+ 		jas_image_destroy(image);
+ 		return 0;
+@@ -774,8 +774,7 @@
+ 	jas_image_cmpt_t **newcmpts;
+ 	int cmptno;
+ 
+-	newcmpts = (!image->cmpts_) ? jas_malloc(maxcmpts * sizeof(jas_image_cmpt_t *)) :
+-	  jas_realloc(image->cmpts_, maxcmpts * sizeof(jas_image_cmpt_t *));
++	newcmpts = jas_realloc2(image->cmpts_, maxcmpts, sizeof(jas_image_cmpt_t *));
+ 	if (!newcmpts) {
+ 		return -1;
+ 	}
+diff -Nurad jasper-1.900.1.orig/src/libjasper/base/jas_malloc.c jasper-1.900.1.new/src/libjasper/base/jas_malloc.c
+--- jasper-1.900.1.orig/src/libjasper/base/jas_malloc.c	2007-01-19 22:43:05.000000000 +0100
++++ jasper-1.900.1.new/src/libjasper/base/jas_malloc.c	2008-10-03 14:17:55.000000000 +0200
+@@ -76,6 +76,9 @@
+ 
+ /* We need the prototype for memset. */
+ #include <string.h>
++#include <limits.h>
++#include <errno.h>
++#include <stdint.h>
+ 
+ #include "jasper/jas_malloc.h"
+ 
+@@ -113,18 +116,50 @@
+ 
+ void *jas_realloc(void *ptr, size_t size)
+ {
+-	return realloc(ptr, size);
++	return ptr ? realloc(ptr, size) : malloc(size);
+ }
+ 
+-void *jas_calloc(size_t nmemb, size_t size)
++void *jas_realloc2(void *ptr, size_t nmemb, size_t size)
++{
++	if (!ptr)
++		return jas_alloc2(nmemb, size);
++	if (nmemb && SIZE_MAX / nmemb < size) {
++		errno = ENOMEM;
++		return NULL;
++	}
++	return jas_realloc(ptr, nmemb * size);
++
++}
++
++void *jas_alloc2(size_t nmemb, size_t size)
++{
++	if (nmemb && SIZE_MAX / nmemb < size) {
++		errno = ENOMEM;
++		return NULL;
++	}
++
++	return jas_malloc(nmemb * size);
++}
++
++void *jas_alloc3(size_t a, size_t b, size_t c)
+ {
+-	void *ptr;
+ 	size_t n;
+-	n = nmemb * size;
+-	if (!(ptr = jas_malloc(n * sizeof(char)))) {
+-		return 0;
++
++	if (a && SIZE_MAX / a < b) {
++		errno = ENOMEM;
++		return NULL;
+ 	}
+-	memset(ptr, 0, n);
++
++	return jas_alloc2(a*b, c);
++}
++
++void *jas_calloc(size_t nmemb, size_t size)
++{
++	void *ptr;
++
++	ptr = jas_alloc2(nmemb, size);
++	if (ptr)
++		memset(ptr, 0, nmemb*size);
+ 	return ptr;
+ }
+ 
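Review bot: in jas_alloc3 the declaration "size_t n;" is kept from the old jas_calloc body but nothing uses it any more, which produces an unused-variable warning; drop it. The test "nmemb && SIZE_MAX / nmemb < size" is now written out three times (jas_realloc2, jas_alloc2, jas_alloc3); one static helper that returns the checked product would keep the three entry points from drifting apart. jas_realloc2 also has a stray blank line before its closing brace.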
+diff -Nurad jasper-1.900.1.orig/src/libjasper/base/jas_seq.c jasper-1.900.1.new/src/libjasper/base/jas_seq.c
+--- jasper-1.900.1.orig/src/libjasper/base/jas_seq.c	2007-01-19 22:43:05.000000000 +0100
++++ jasper-1.900.1.new/src/libjasper/base/jas_seq.c	2008-10-03 14:17:55.000000000 +0200
+@@ -114,7 +114,7 @@
+ 	matrix->datasize_ = numrows * numcols;
+ 
+ 	if (matrix->maxrows_ > 0) {
+-		if (!(matrix->rows_ = jas_malloc(matrix->maxrows_ *
++		if (!(matrix->rows_ = jas_alloc2(matrix->maxrows_,
+ 		  sizeof(jas_seqent_t *)))) {
+ 			jas_matrix_destroy(matrix);
+ 			return 0;
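Review bot: matrix->datasize_ = numrows * numcols in the first context line is still an unchecked multiplication, and its result is what the next hunk passes to jas_alloc2, so a wrapped datasize_ yields a small buffer that passes the new check. Test numrows * numcols for overflow before storing it, or allocate the data with jas_alloc3(numrows, numcols, sizeof(jas_seqent_t)).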
+@@ -122,7 +122,7 @@
+ 	}
+ 
+ 	if (matrix->datasize_ > 0) {
+-		if (!(matrix->data_ = jas_malloc(matrix->datasize_ *
++		if (!(matrix->data_ = jas_alloc2(matrix->datasize_,
+ 		  sizeof(jas_seqent_t)))) {
+ 			jas_matrix_destroy(matrix);
+ 			return 0;
+@@ -220,7 +220,7 @@
+ 	mat0->numrows_ = r1 - r0 + 1;
+ 	mat0->numcols_ = c1 - c0 + 1;
+ 	mat0->maxrows_ = mat0->numrows_;
+-	mat0->rows_ = jas_malloc(mat0->maxrows_ * sizeof(jas_seqent_t *));
++	mat0->rows_ = jas_alloc2(mat0->maxrows_, sizeof(jas_seqent_t *));
+ 	for (i = 0; i < mat0->numrows_; ++i) {
+ 		mat0->rows_[i] = mat1->rows_[r0 + i] + c0;
+ 	}
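Review bot: mat0->rows_ is assigned from jas_alloc2 and then written in the for loop without a NULL test. jas_alloc2 now returns NULL on overflow as well as on out-of-memory, so this path dereferences NULL when the allocation fails; test the result and report the error before the loop.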
+diff -Nurad jasper-1.900.1.orig/src/libjasper/base/jas_stream.c jasper-1.900.1.new/src/libjasper/base/jas_stream.c
+--- jasper-1.900.1.orig/src/libjasper/base/jas_stream.c	2007-01-19 22:43:05.000000000 +0100
++++ jasper-1.900.1.new/src/libjasper/base/jas_stream.c	2008-10-03 14:19:55.000000000 +0200
+@@ -212,7 +212,7 @@
+ 	if (buf) {
+ 		obj->buf_ = (unsigned char *) buf;
+ 	} else {
+-		obj->buf_ = jas_malloc(obj->bufsize_ * sizeof(char));
++		obj->buf_ = jas_malloc(obj->bufsize_);
+ 		obj->myalloc_ = 1;
+ 	}
+ 	if (!obj->buf_) {
+@@ -361,28 +361,22 @@
+ 	}
+ 	obj->fd = -1;
+ 	obj->flags = 0;
+-	obj->pathname[0] = '\0';
+ 	stream->obj_ = obj;
+ 
+ 	/* Choose a file name. */
+-	tmpnam(obj->pathname);
++	snprintf(obj->pathname, L_tmpnam, "%stmp.XXXXXXXXXX", P_tmpdir);
+ 
+ 	/* Open the underlying file. */
+-	if ((obj->fd = open(obj->pathname, O_CREAT | O_EXCL | O_RDWR | O_TRUNC | O_BINARY,
+-	  JAS_STREAM_PERMS)) < 0) {
++	if ((obj->fd = mkstemp(obj->pathname)) < 0) {
+ 		jas_stream_destroy(stream);
+ 		return 0;
+ 	}
+ 
+ 	/* Unlink the file so that it will disappear if the program
+ 	terminates abnormally. */
+-	/* Under UNIX, one can unlink an open file and continue to do I/O
+-	on it.  Not all operating systems support this functionality, however.
+-	For example, under Microsoft Windows the unlink operation will fail,
+-	since the file is open. */
+ 	if (unlink(obj->pathname)) {
+-		/* We will try unlinking the file again after it is closed. */
+-		obj->flags |= JAS_STREAM_FILEOBJ_DELONCLOSE;
++		jas_stream_destroy(stream);
++		return 0;
+ 	}
+ 
+ 	/* Use full buffering. */
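Review bot: the template built by snprintf(obj->pathname, L_tmpnam, "%stmp.XXXXXXXXXX", P_tmpdir) has no "/" between the directory and the file name; where P_tmpdir is defined as "/tmp" (as in glibc) it expands to /tmptmp.XXXXXXXXXX, a file in the root directory. Use "%s/tmp.XXXXXXXXXX" and compare the snprintf return value against L_tmpnam, since a truncated template no longer ends in XXXXXX and mkstemp will reject it. The hunk also turns a failed unlink into a hard error and removes the JAS_STREAM_FILEOBJ_DELONCLOSE fallback that the deleted comment described for Microsoft Windows; the patch description should say whether that is intended.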
+@@ -553,7 +547,7 @@
+ 	int ret;
+ 
+ 	va_start(ap, fmt);
+-	ret = vsprintf(buf, fmt, ap);
++	ret = vsnprintf(buf, sizeof buf, fmt, ap);
+ 	jas_stream_puts(stream, buf);
+ 	va_end(ap);
+ 	return ret;
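Review bot: ret = vsnprintf(buf, sizeof buf, fmt, ap) stops the overflow, but on truncation ret is the length the full output would have had, and the function still passes the cut-off buf to jas_stream_puts and returns ret. Treat ret < 0 or ret >= sizeof buf as an error so that callers such as mif_hdr_put (named in CVE-2008-3522) do not write silently truncated output while being told a larger count was written.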
+@@ -992,7 +986,7 @@
+ 	unsigned char *buf;
+ 
+ 	assert(m->buf_);
+-	if (!(buf = jas_realloc(m->buf_, bufsize * sizeof(unsigned char)))) {
++	if (!(buf = jas_realloc(m->buf_, bufsize))) {
+ 		return -1;
+ 	}
+ 	m->buf_ = buf;
+diff -Nurad jasper-1.900.1.orig/src/libjasper/bmp/bmp_dec.c jasper-1.900.1.new/src/libjasper/bmp/bmp_dec.c
+--- jasper-1.900.1.orig/src/libjasper/bmp/bmp_dec.c	2007-01-19 22:43:07.000000000 +0100
++++ jasper-1.900.1.new/src/libjasper/bmp/bmp_dec.c	2008-10-03 14:17:55.000000000 +0200
+@@ -283,7 +283,7 @@
+ 	}
+ 
+ 	if (info->numcolors > 0) {
+-		if (!(info->palents = jas_malloc(info->numcolors *
++		if (!(info->palents = jas_alloc2(info->numcolors,
+ 		  sizeof(bmp_palent_t)))) {
+ 			bmp_info_destroy(info);
+ 			return 0;
+diff -Nurad jasper-1.900.1.orig/src/libjasper/include/jasper/jas_malloc.h jasper-1.900.1.new/src/libjasper/include/jasper/jas_malloc.h
+--- jasper-1.900.1.orig/src/libjasper/include/jasper/jas_malloc.h	2007-01-19 22:43:04.000000000 +0100
++++ jasper-1.900.1.new/src/libjasper/include/jasper/jas_malloc.h	2008-10-03 14:17:55.000000000 +0200
+@@ -95,6 +95,9 @@
+ #define	jas_free	MEMFREE
+ #define	jas_realloc	MEMREALLOC
+ #define	jas_calloc	MEMCALLOC
++#define jas_alloc2(a, b)	MEMALLOC((a)*(b))
++#define jas_alloc3(a, b, c)	MEMALLOC((a)*(b)*(c))
++#define jas_realloc2(p, a, b)	MEMREALLOC((p), (a)*(b))
+ #endif
+ 
+ /******************************************************************************\
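Review bot: the macro forms of jas_alloc2, jas_alloc3 and jas_realloc2 added in this preprocessor branch expand to MEMALLOC((a)*(b)), MEMALLOC((a)*(b)*(c)) and MEMREALLOC((p), (a)*(b)), that is, the plain multiplication with no overflow test. A build that takes this branch gets none of the protection added in jas_malloc.c; define the macros in terms of checked helpers, or keep the function versions for both configurations.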
+@@ -115,6 +118,12 @@
+ /* Allocate a block of memory and initialize the contents to zero. */
+ void *jas_calloc(size_t nmemb, size_t size);
+ 
++/* size-checked double allocation .*/
++void *jas_alloc2(size_t, size_t);
++
++void *jas_alloc3(size_t, size_t, size_t);
++
++void *jas_realloc2(void *, size_t, size_t);
+ #endif
+ 
+ #ifdef __cplusplus
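Review bot: only jas_alloc2 has a comment, and "size-checked double allocation .*/" has a misplaced full stop; jas_alloc3 and jas_realloc2 are undocumented. State for all three that the arguments are multiplied with an overflow check and that NULL is returned with errno set to ENOMEM when the product does not fit in size_t, and name the parameters in the prototypes.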
+diff -Nurad jasper-1.900.1.orig/src/libjasper/jp2/jp2_cod.c jasper-1.900.1.new/src/libjasper/jp2/jp2_cod.c
+--- jasper-1.900.1.orig/src/libjasper/jp2/jp2_cod.c	2007-01-19 22:43:05.000000000 +0100
++++ jasper-1.900.1.new/src/libjasper/jp2/jp2_cod.c	2008-10-03 14:17:55.000000000 +0200
+@@ -372,7 +372,7 @@
+ 	jp2_bpcc_t *bpcc = &box->data.bpcc;
+ 	unsigned int i;
+ 	bpcc->numcmpts = box->datalen;
+-	if (!(bpcc->bpcs = jas_malloc(bpcc->numcmpts * sizeof(uint_fast8_t)))) {
++	if (!(bpcc->bpcs = jas_alloc2(bpcc->numcmpts, sizeof(uint_fast8_t)))) {
+ 		return -1;
+ 	}
+ 	for (i = 0; i < bpcc->numcmpts; ++i) {
+@@ -416,7 +416,7 @@
+ 		break;
+ 	case JP2_COLR_ICC:
+ 		colr->iccplen = box->datalen - 3;
+-		if (!(colr->iccp = jas_malloc(colr->iccplen * sizeof(uint_fast8_t)))) {
++		if (!(colr->iccp = jas_alloc2(colr->iccplen, sizeof(uint_fast8_t)))) {
+ 			return -1;
+ 		}
+ 		if (jas_stream_read(in, colr->iccp, colr->iccplen) != colr->iccplen) {
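Review bot: colr->iccplen = box->datalen - 3 in the context line above the changed allocation is not validated; a box with datalen below 3 gives a wrapped or negative length, and jas_alloc2(colr->iccplen, sizeof(uint_fast8_t)) checks only the multiplication, not the operand. Reject datalen < 3 before the subtraction.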
+@@ -453,7 +453,7 @@
+ 	if (jp2_getuint16(in, &cdef->numchans)) {
+ 		return -1;
+ 	}
+-	if (!(cdef->ents = jas_malloc(cdef->numchans * sizeof(jp2_cdefchan_t)))) {
++	if (!(cdef->ents = jas_alloc2(cdef->numchans, sizeof(jp2_cdefchan_t)))) {
+ 		return -1;
+ 	}
+ 	for (channo = 0; channo < cdef->numchans; ++channo) {
+@@ -766,7 +766,7 @@
+ 	unsigned int i;
+ 
+ 	cmap->numchans = (box->datalen) / 4;
+-	if (!(cmap->ents = jas_malloc(cmap->numchans * sizeof(jp2_cmapent_t)))) {
++	if (!(cmap->ents = jas_alloc2(cmap->numchans, sizeof(jp2_cmapent_t)))) {
+ 		return -1;
+ 	}
+ 	for (i = 0; i < cmap->numchans; ++i) {
+@@ -828,10 +828,10 @@
+ 		return -1;
+ 	}
+ 	lutsize = pclr->numlutents * pclr->numchans;
+-	if (!(pclr->lutdata = jas_malloc(lutsize * sizeof(int_fast32_t)))) {
++	if (!(pclr->lutdata = jas_alloc2(lutsize, sizeof(int_fast32_t)))) {
+ 		return -1;
+ 	}
+-	if (!(pclr->bpc = jas_malloc(pclr->numchans * sizeof(uint_fast8_t)))) {
++	if (!(pclr->bpc = jas_alloc2(pclr->numchans, sizeof(uint_fast8_t)))) {
+ 		return -1;
+ 	}
+ 	for (i = 0; i < pclr->numchans; ++i) {
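Review bot: lutsize = pclr->numlutents * pclr->numchans is still multiplied unchecked in the first context line, so jas_alloc2(lutsize, sizeof(int_fast32_t)) can be handed a count that has already wrapped. jas_alloc3(pclr->numlutents, pclr->numchans, sizeof(int_fast32_t)) would cover both multiplications in one call.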
+diff -Nurad jasper-1.900.1.orig/src/libjasper/jp2/jp2_dec.c jasper-1.900.1.new/src/libjasper/jp2/jp2_dec.c
+--- jasper-1.900.1.orig/src/libjasper/jp2/jp2_dec.c	2007-01-19 22:43:05.000000000 +0100
++++ jasper-1.900.1.new/src/libjasper/jp2/jp2_dec.c	2008-10-03 14:17:55.000000000 +0200
+@@ -336,7 +336,7 @@
+ 	}
+ 
+ 	/* Allocate space for the channel-number to component-number LUT. */
+-	if (!(dec->chantocmptlut = jas_malloc(dec->numchans * sizeof(uint_fast16_t)))) {
++	if (!(dec->chantocmptlut = jas_alloc2(dec->numchans, sizeof(uint_fast16_t)))) {
+ 		jas_eprintf("error: no memory\n");
+ 		goto error;
+ 	}
+@@ -354,7 +354,7 @@
+ 			if (cmapent->map == JP2_CMAP_DIRECT) {
+ 				dec->chantocmptlut[channo] = channo;
+ 			} else if (cmapent->map == JP2_CMAP_PALETTE) {
+-				lutents = jas_malloc(pclrd->numlutents * sizeof(int_fast32_t));
++				lutents = jas_alloc2(pclrd->numlutents, sizeof(int_fast32_t));
+ 				for (i = 0; i < pclrd->numlutents; ++i) {
+ 					lutents[i] = pclrd->lutdata[cmapent->pcol + i * pclrd->numchans];
+ 				}
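Review bot: lutents = jas_alloc2(pclrd->numlutents, sizeof(int_fast32_t)) is written by the for loop on the next line with no NULL test, so a rejected or failed allocation becomes a NULL write. Add the same "if (!...) goto error" handling that the previous hunk uses for dec->chantocmptlut.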
+diff -Nurad jasper-1.900.1.orig/src/libjasper/jp2/jp2_enc.c jasper-1.900.1.new/src/libjasper/jp2/jp2_enc.c
+--- jasper-1.900.1.orig/src/libjasper/jp2/jp2_enc.c	2007-01-19 22:43:05.000000000 +0100
++++ jasper-1.900.1.new/src/libjasper/jp2/jp2_enc.c	2008-10-03 14:17:55.000000000 +0200
+@@ -191,7 +191,7 @@
+ 		}
+ 		bpcc = &box->data.bpcc;
+ 		bpcc->numcmpts = jas_image_numcmpts(image);
+-		if (!(bpcc->bpcs = jas_malloc(bpcc->numcmpts *
++		if (!(bpcc->bpcs = jas_alloc2(bpcc->numcmpts,
+ 		  sizeof(uint_fast8_t)))) {
+ 			goto error;
+ 		}
+@@ -285,7 +285,7 @@
+ 		}
+ 		cdef = &box->data.cdef;
+ 		cdef->numchans = jas_image_numcmpts(image);
+-		cdef->ents = jas_malloc(cdef->numchans * sizeof(jp2_cdefchan_t));
++		cdef->ents = jas_alloc2(cdef->numchans, sizeof(jp2_cdefchan_t));
+ 		for (i = 0; i < jas_image_numcmpts(image); ++i) {
+ 			cdefchanent = &cdef->ents[i];
+ 			cdefchanent->channo = i;
+diff -Nurad jasper-1.900.1.orig/src/libjasper/jpc/jpc_cs.c jasper-1.900.1.new/src/libjasper/jpc/jpc_cs.c
+--- jasper-1.900.1.orig/src/libjasper/jpc/jpc_cs.c	2007-01-19 22:43:07.000000000 +0100
++++ jasper-1.900.1.new/src/libjasper/jpc/jpc_cs.c	2008-10-03 14:17:55.000000000 +0200
+@@ -502,7 +502,7 @@
+ 	  !siz->tileheight || !siz->numcomps) {
+ 		return -1;
+ 	}
+-	if (!(siz->comps = jas_malloc(siz->numcomps * sizeof(jpc_sizcomp_t)))) {
++	if (!(siz->comps = jas_alloc2(siz->numcomps, sizeof(jpc_sizcomp_t)))) {
+ 		return -1;
+ 	}
+ 	for (i = 0; i < siz->numcomps; ++i) {
+@@ -982,8 +982,11 @@
+ 		compparms->numstepsizes = (len - n) / 2;
+ 		break;
+ 	}
+-	if (compparms->numstepsizes > 0) {
+-		compparms->stepsizes = jas_malloc(compparms->numstepsizes *
++	if (compparms->numstepsizes > 3 * JPC_MAXRLVLS + 1) {
++		jpc_qcx_destroycompparms(compparms);
++                return -1;
++        } else if (compparms->numstepsizes > 0) {
++		compparms->stepsizes = jas_alloc2(compparms->numstepsizes,
+ 		  sizeof(uint_fast16_t));
+ 		assert(compparms->stepsizes);
+ 		for (i = 0; i < compparms->numstepsizes; ++i) {
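Review bot: the allocation in the else-if branch is still guarded only by assert(compparms->stepsizes), which disappears under NDEBUG; return -1 on NULL the way the new bound check does. The added "return -1;" and "} else if" lines are indented with spaces while the surrounding lines use tabs. A short comment explaining why 3 * JPC_MAXRLVLS + 1 is the limit would help the next reader.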
+@@ -1091,7 +1094,7 @@
+ 
+ 	ppm->len = ms->len - 1;
+ 	if (ppm->len > 0) {
+-		if (!(ppm->data = jas_malloc(ppm->len * sizeof(unsigned char)))) {
++		if (!(ppm->data = jas_malloc(ppm->len))) {
+ 			goto error;
+ 		}
+ 		if (JAS_CAST(uint, jas_stream_read(in, ppm->data, ppm->len)) != ppm->len) {
+@@ -1160,7 +1163,7 @@
+ 	}
+ 	ppt->len = ms->len - 1;
+ 	if (ppt->len > 0) {
+-		if (!(ppt->data = jas_malloc(ppt->len * sizeof(unsigned char)))) {
++		if (!(ppt->data = jas_malloc(ppt->len))) {
+ 			goto error;
+ 		}
+ 		if (jas_stream_read(in, (char *) ppt->data, ppt->len) != JAS_CAST(int, ppt->len)) {
+@@ -1223,7 +1226,7 @@
+ 	uint_fast8_t tmp;
+ 	poc->numpchgs = (cstate->numcomps > 256) ? (ms->len / 9) :
+ 	  (ms->len / 7);
+-	if (!(poc->pchgs = jas_malloc(poc->numpchgs * sizeof(jpc_pocpchg_t)))) {
++	if (!(poc->pchgs = jas_alloc2(poc->numpchgs, sizeof(jpc_pocpchg_t)))) {
+ 		goto error;
+ 	}
+ 	for (pchgno = 0, pchg = poc->pchgs; pchgno < poc->numpchgs; ++pchgno,
+@@ -1328,7 +1331,7 @@
+ 	jpc_crgcomp_t *comp;
+ 	uint_fast16_t compno;
+ 	crg->numcomps = cstate->numcomps;
+-	if (!(crg->comps = jas_malloc(cstate->numcomps * sizeof(uint_fast16_t)))) {
++	if (!(crg->comps = jas_alloc2(cstate->numcomps, sizeof(uint_fast16_t)))) {
+ 		return -1;
+ 	}
+ 	for (compno = 0, comp = crg->comps; compno < cstate->numcomps;
+@@ -1467,7 +1470,7 @@
+ 	cstate = 0;
+ 
+ 	if (ms->len > 0) {
+-		if (!(unk->data = jas_malloc(ms->len * sizeof(unsigned char)))) {
++		if (!(unk->data = jas_malloc(ms->len))) {
+ 			return -1;
+ 		}
+ 		if (jas_stream_read(in, (char *) unk->data, ms->len) != JAS_CAST(int, ms->len)) {
+diff -Nurad jasper-1.900.1.orig/src/libjasper/jpc/jpc_dec.c jasper-1.900.1.new/src/libjasper/jpc/jpc_dec.c
+--- jasper-1.900.1.orig/src/libjasper/jpc/jpc_dec.c	2007-01-19 22:43:07.000000000 +0100
++++ jasper-1.900.1.new/src/libjasper/jpc/jpc_dec.c	2008-10-03 14:17:55.000000000 +0200
+@@ -449,7 +449,7 @@
+ 
+ 	if (dec->state == JPC_MH) {
+ 
+-		compinfos = jas_malloc(dec->numcomps * sizeof(jas_image_cmptparm_t));
++		compinfos = jas_alloc2(dec->numcomps, sizeof(jas_image_cmptparm_t));
+ 		assert(compinfos);
+ 		for (cmptno = 0, cmpt = dec->cmpts, compinfo = compinfos;
+ 		  cmptno < dec->numcomps; ++cmptno, ++cmpt, ++compinfo) {
+@@ -692,7 +692,7 @@
+ 			tile->realmode = 1;
+ 		}
+ 		tcomp->numrlvls = ccp->numrlvls;
+-		if (!(tcomp->rlvls = jas_malloc(tcomp->numrlvls *
++		if (!(tcomp->rlvls = jas_alloc2(tcomp->numrlvls,
+ 		  sizeof(jpc_dec_rlvl_t)))) {
+ 			return -1;
+ 		}
+@@ -764,7 +764,7 @@
+ 			  rlvl->cbgheightexpn);
+ 
+ 			rlvl->numbands = (!rlvlno) ? 1 : 3;
+-			if (!(rlvl->bands = jas_malloc(rlvl->numbands *
++			if (!(rlvl->bands = jas_alloc2(rlvl->numbands,
+ 			  sizeof(jpc_dec_band_t)))) {
+ 				return -1;
+ 			}
+@@ -797,7 +797,7 @@
+ 
+ 				assert(rlvl->numprcs);
+ 
+-				if (!(band->prcs = jas_malloc(rlvl->numprcs * sizeof(jpc_dec_prc_t)))) {
++				if (!(band->prcs = jas_alloc2(rlvl->numprcs, sizeof(jpc_dec_prc_t)))) {
+ 					return -1;
+ 				}
+ 
+@@ -834,7 +834,7 @@
+ 			if (!(prc->numimsbstagtree = jpc_tagtree_create(prc->numhcblks, prc->numvcblks))) {
+ 				return -1;
+ 			}
+-			if (!(prc->cblks = jas_malloc(prc->numcblks * sizeof(jpc_dec_cblk_t)))) {
++			if (!(prc->cblks = jas_alloc2(prc->numcblks, sizeof(jpc_dec_cblk_t)))) {
+ 				return -1;
+ 			}
+ 
+@@ -1069,12 +1069,12 @@
+ 	/* Apply an inverse intercomponent transform if necessary. */
+ 	switch (tile->cp->mctid) {
+ 	case JPC_MCT_RCT:
+-		assert(dec->numcomps == 3);
++		assert(dec->numcomps == 3 || dec->numcomps == 4);
+ 		jpc_irct(tile->tcomps[0].data, tile->tcomps[1].data,
+ 		  tile->tcomps[2].data);
+ 		break;
+ 	case JPC_MCT_ICT:
+-		assert(dec->numcomps == 3);
++		assert(dec->numcomps == 3 || dec->numcomps == 4);
+ 		jpc_iict(tile->tcomps[0].data, tile->tcomps[1].data,
+ 		  tile->tcomps[2].data);
+ 		break;
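Review bot: relaxing both asserts to dec->numcomps == 3 || dec->numcomps == 4 is a behaviour change that none of the three CVE items in the changelog entry mentions; list it there or split it into its own patch. An assert is also the wrong tool for a value taken from the decoded file: with NDEBUG a tile with fewer than three components reaches jpc_irct/jpc_iict with tcomps[2] outside the array sized by numcomps, and without NDEBUG a crafted file aborts the process. Return an error instead.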
+@@ -1181,7 +1181,7 @@
+ 		return -1;
+ 	}
+ 
+-	if (!(dec->cmpts = jas_malloc(dec->numcomps * sizeof(jpc_dec_cmpt_t)))) {
++	if (!(dec->cmpts = jas_alloc2(dec->numcomps, sizeof(jpc_dec_cmpt_t)))) {
+ 		return -1;
+ 	}
+ 
+@@ -1204,7 +1204,7 @@
+ 	dec->numhtiles = JPC_CEILDIV(dec->xend - dec->tilexoff, dec->tilewidth);
+ 	dec->numvtiles = JPC_CEILDIV(dec->yend - dec->tileyoff, dec->tileheight);
+ 	dec->numtiles = dec->numhtiles * dec->numvtiles;
+-	if (!(dec->tiles = jas_malloc(dec->numtiles * sizeof(jpc_dec_tile_t)))) {
++	if (!(dec->tiles = jas_alloc2(dec->numtiles, sizeof(jpc_dec_tile_t)))) {
+ 		return -1;
+ 	}
+ 
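Review bot: dec->numtiles = dec->numhtiles * dec->numvtiles in the context line is unchecked, so the count given to jas_alloc2(dec->numtiles, sizeof(jpc_dec_tile_t)) may already have wrapped. Check the product, or call jas_alloc3(dec->numhtiles, dec->numvtiles, sizeof(jpc_dec_tile_t)) and set numtiles only after it succeeds.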
+@@ -1228,7 +1228,7 @@
+ 		tile->pkthdrstreampos = 0;
+ 		tile->pptstab = 0;
+ 		tile->cp = 0;
+-		if (!(tile->tcomps = jas_malloc(dec->numcomps *
++		if (!(tile->tcomps = jas_alloc2(dec->numcomps,
+ 		  sizeof(jpc_dec_tcomp_t)))) {
+ 			return -1;
+ 		}
+@@ -1489,7 +1489,7 @@
+ 	cp->numlyrs = 0;
+ 	cp->mctid = 0;
+ 	cp->csty = 0;
+-	if (!(cp->ccps = jas_malloc(cp->numcomps * sizeof(jpc_dec_ccp_t)))) {
++	if (!(cp->ccps = jas_alloc2(cp->numcomps, sizeof(jpc_dec_ccp_t)))) {
+ 		return 0;
+ 	}
+ 	if (!(cp->pchglist = jpc_pchglist_create())) {
+@@ -2048,7 +2048,7 @@
+ 	}
+ 	streamlist->numstreams = 0;
+ 	streamlist->maxstreams = 100;
+-	if (!(streamlist->streams = jas_malloc(streamlist->maxstreams *
++	if (!(streamlist->streams = jas_alloc2(streamlist->maxstreams,
+ 	  sizeof(jas_stream_t *)))) {
+ 		jas_free(streamlist);
+ 		return 0;
+@@ -2068,8 +2068,8 @@
+ 	/* Grow the array of streams if necessary. */
+ 	if (streamlist->numstreams >= streamlist->maxstreams) {
+ 		newmaxstreams = streamlist->maxstreams + 1024;
+-		if (!(newstreams = jas_realloc(streamlist->streams,
+-		  (newmaxstreams + 1024) * sizeof(jas_stream_t *)))) {
++		if (!(newstreams = jas_realloc2(streamlist->streams,
++		  (newmaxstreams + 1024), sizeof(jas_stream_t *)))) {
+ 			return -1;
+ 		}
+ 		for (i = streamlist->numstreams; i < streamlist->maxstreams; ++i) {
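Review bot: newmaxstreams is already streamlist->maxstreams + 1024, yet the count passed to jas_realloc2 is (newmaxstreams + 1024), so the buffer is sized 1024 entries beyond the bookkeeping value; the patch carries this over unchanged. Pass newmaxstreams if the extra headroom is not intended. Neither addition is checked, and jas_realloc2 validates only the multiplication.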
+@@ -2155,8 +2155,7 @@
+ {
+ 	jpc_ppxstabent_t **newents;
+ 	if (tab->maxents < maxents) {
+-		newents = (tab->ents) ? jas_realloc(tab->ents, maxents *
+-		  sizeof(jpc_ppxstabent_t *)) : jas_malloc(maxents * sizeof(jpc_ppxstabent_t *));
++		newents = jas_realloc2(tab->ents, maxents, sizeof(jpc_ppxstabent_t *));
+ 		if (!newents) {
+ 			return -1;
+ 		}
+diff -Nurad jasper-1.900.1.orig/src/libjasper/jpc/jpc_enc.c jasper-1.900.1.new/src/libjasper/jpc/jpc_enc.c
+--- jasper-1.900.1.orig/src/libjasper/jpc/jpc_enc.c	2007-01-19 22:43:07.000000000 +0100
++++ jasper-1.900.1.new/src/libjasper/jpc/jpc_enc.c	2008-10-03 14:17:55.000000000 +0200
+@@ -403,7 +403,7 @@
+ 		vsteplcm *= jas_image_cmptvstep(image, cmptno);
+ 	}
+ 
+-	if (!(cp->ccps = jas_malloc(cp->numcmpts * sizeof(jpc_enc_ccp_t)))) {
++	if (!(cp->ccps = jas_alloc2(cp->numcmpts, sizeof(jpc_enc_ccp_t)))) {
+ 		goto error;
+ 	}
+ 	for (cmptno = 0, ccp = cp->ccps; cmptno < JAS_CAST(int, cp->numcmpts); ++cmptno,
+@@ -656,7 +656,7 @@
+ 
+ 	if (ilyrrates && numilyrrates > 0) {
+ 		tcp->numlyrs = numilyrrates + 1;
+-		if (!(tcp->ilyrrates = jas_malloc((tcp->numlyrs - 1) *
++		if (!(tcp->ilyrrates = jas_alloc2((tcp->numlyrs - 1),
+ 		  sizeof(jpc_fix_t)))) {
+ 			goto error;
+ 		}
+@@ -940,7 +940,7 @@
+ 	siz->tilewidth = cp->tilewidth;
+ 	siz->tileheight = cp->tileheight;
+ 	siz->numcomps = cp->numcmpts;
+-	siz->comps = jas_malloc(siz->numcomps * sizeof(jpc_sizcomp_t));
++	siz->comps = jas_alloc2(siz->numcomps, sizeof(jpc_sizcomp_t));
+ 	assert(siz->comps);
+ 	for (i = 0; i < JAS_CAST(int, cp->numcmpts); ++i) {
+ 		siz->comps[i].prec = cp->ccps[i].prec;
+@@ -977,7 +977,7 @@
+ 		return -1;
+ 	}
+ 	crg = &enc->mrk->parms.crg;
+-	crg->comps = jas_malloc(crg->numcomps * sizeof(jpc_crgcomp_t));
++	crg->comps = jas_alloc2(crg->numcomps, sizeof(jpc_crgcomp_t));
+ 	if (jpc_putms(enc->out, enc->cstate, enc->mrk)) {
+ 		jas_eprintf("cannot write CRG marker\n");
+ 		return -1;
+@@ -1955,7 +1955,7 @@
+ 	tile->mctid = cp->tcp.mctid;
+ 
+ 	tile->numlyrs = cp->tcp.numlyrs;
+-	if (!(tile->lyrsizes = jas_malloc(tile->numlyrs *
++	if (!(tile->lyrsizes = jas_alloc2(tile->numlyrs,
+ 	  sizeof(uint_fast32_t)))) {
+ 		goto error;
+ 	}
+@@ -1964,7 +1964,7 @@
+ 	}
+ 
+ 	/* Allocate an array for the per-tile-component information. */
+-	if (!(tile->tcmpts = jas_malloc(cp->numcmpts * sizeof(jpc_enc_tcmpt_t)))) {
++	if (!(tile->tcmpts = jas_alloc2(cp->numcmpts, sizeof(jpc_enc_tcmpt_t)))) {
+ 		goto error;
+ 	}
+ 	/* Initialize a few members critical for error recovery. */
+@@ -2110,7 +2110,7 @@
+ 	  jas_seq2d_ystart(tcmpt->data), jas_seq2d_xend(tcmpt->data),
+ 	  jas_seq2d_yend(tcmpt->data), bandinfos);
+ 
+-	if (!(tcmpt->rlvls = jas_malloc(tcmpt->numrlvls * sizeof(jpc_enc_rlvl_t)))) {
++	if (!(tcmpt->rlvls = jas_alloc2(tcmpt->numrlvls, sizeof(jpc_enc_rlvl_t)))) {
+ 		goto error;
+ 	}
+ 	for (rlvlno = 0, rlvl = tcmpt->rlvls; rlvlno < tcmpt->numrlvls;
+@@ -2213,7 +2213,7 @@
+ 	rlvl->numvprcs = JPC_FLOORDIVPOW2(brprcbry - tlprctly, rlvl->prcheightexpn);
+ 	rlvl->numprcs = rlvl->numhprcs * rlvl->numvprcs;
+ 
+-	if (!(rlvl->bands = jas_malloc(rlvl->numbands * sizeof(jpc_enc_band_t)))) {
++	if (!(rlvl->bands = jas_alloc2(rlvl->numbands, sizeof(jpc_enc_band_t)))) {
+ 		goto error;
+ 	}
+ 	for (bandno = 0, band = rlvl->bands; bandno < rlvl->numbands;
+@@ -2290,7 +2290,7 @@
+ 	band->synweight = bandinfo->synenergywt;
+ 
+ if (band->data) {
+-	if (!(band->prcs = jas_malloc(rlvl->numprcs * sizeof(jpc_enc_prc_t)))) {
++	if (!(band->prcs = jas_alloc2(rlvl->numprcs, sizeof(jpc_enc_prc_t)))) {
+ 		goto error;
+ 	}
+ 	for (prcno = 0, prc = band->prcs; prcno < rlvl->numprcs; ++prcno,
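Review bot: the count passed to jas_alloc2 here, rlvl->numprcs, is the product rlvl->numhprcs * rlvl->numvprcs shown in the context lines of the @@ -2213 hunk above, and that multiplication is not checked. jas_alloc2 only guards the final multiply by sizeof(jpc_enc_prc_t), so if the earlier product can wrap, the buffer is still undersized for the loop over rlvl->numprcs. Validate the product where it is computed.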
+@@ -2422,7 +2422,7 @@
+ 			goto error;
+ 		}
+ 
+-		if (!(prc->cblks = jas_malloc(prc->numcblks * sizeof(jpc_enc_cblk_t)))) {
++		if (!(prc->cblks = jas_alloc2(prc->numcblks, sizeof(jpc_enc_cblk_t)))) {
+ 			goto error;
+ 		}
+ 		for (cblkno = 0, cblk = prc->cblks; cblkno < prc->numcblks;
+diff -Nurad jasper-1.900.1.orig/src/libjasper/jpc/jpc_mqdec.c jasper-1.900.1.new/src/libjasper/jpc/jpc_mqdec.c
+--- jasper-1.900.1.orig/src/libjasper/jpc/jpc_mqdec.c	2007-01-19 22:43:07.000000000 +0100
++++ jasper-1.900.1.new/src/libjasper/jpc/jpc_mqdec.c	2008-10-03 14:17:55.000000000 +0200
+@@ -118,7 +118,7 @@
+ 	mqdec->in = in;
+ 	mqdec->maxctxs = maxctxs;
+ 	/* Allocate memory for the per-context state information. */
+-	if (!(mqdec->ctxs = jas_malloc(mqdec->maxctxs * sizeof(jpc_mqstate_t *)))) {
++	if (!(mqdec->ctxs = jas_alloc2(mqdec->maxctxs, sizeof(jpc_mqstate_t *)))) {
+ 		goto error;
+ 	}
+ 	/* Set the current context to the first context. */
+diff -Nurad jasper-1.900.1.orig/src/libjasper/jpc/jpc_mqenc.c jasper-1.900.1.new/src/libjasper/jpc/jpc_mqenc.c
+--- jasper-1.900.1.orig/src/libjasper/jpc/jpc_mqenc.c	2007-01-19 22:43:07.000000000 +0100
++++ jasper-1.900.1.new/src/libjasper/jpc/jpc_mqenc.c	2008-10-03 14:17:55.000000000 +0200
+@@ -197,7 +197,7 @@
+ 	mqenc->maxctxs = maxctxs;
+ 
+ 	/* Allocate memory for the per-context state information. */
+-	if (!(mqenc->ctxs = jas_malloc(mqenc->maxctxs * sizeof(jpc_mqstate_t *)))) {
++	if (!(mqenc->ctxs = jas_alloc2(mqenc->maxctxs, sizeof(jpc_mqstate_t *)))) {
+ 		goto error;
+ 	}
+ 
+diff -Nurad jasper-1.900.1.orig/src/libjasper/jpc/jpc_qmfb.c jasper-1.900.1.new/src/libjasper/jpc/jpc_qmfb.c
+--- jasper-1.900.1.orig/src/libjasper/jpc/jpc_qmfb.c	2007-01-19 22:43:07.000000000 +0100
++++ jasper-1.900.1.new/src/libjasper/jpc/jpc_qmfb.c	2008-10-03 14:17:55.000000000 +0200
+@@ -321,7 +321,7 @@
+ #if !defined(HAVE_VLA)
+ 	/* Get a buffer. */
+ 	if (bufsize > QMFB_SPLITBUFSIZE) {
+-		if (!(buf = jas_malloc(bufsize * sizeof(jpc_fix_t)))) {
++		if (!(buf = jas_alloc2(bufsize, sizeof(jpc_fix_t)))) {
+ 			/* We have no choice but to commit suicide in this case. */
+ 			abort();
+ 		}
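Review bot: a NULL from jas_alloc2 goes straight to abort() here, so a bufsize that trips the new overflow check terminates the whole process instead of failing the operation. That is better than an undersized buffer, but if these helpers can report failure to their caller, prefer an error return over abort(). The same applies to the seven hunks that follow in this file.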
+@@ -389,7 +389,7 @@
+ #if !defined(HAVE_VLA)
+ 	/* Get a buffer. */
+ 	if (bufsize > QMFB_SPLITBUFSIZE) {
+-		if (!(buf = jas_malloc(bufsize * sizeof(jpc_fix_t)))) {
++		if (!(buf = jas_alloc2(bufsize, sizeof(jpc_fix_t)))) {
+ 			/* We have no choice but to commit suicide in this case. */
+ 			abort();
+ 		}
+@@ -460,7 +460,7 @@
+ #if !defined(HAVE_VLA)
+ 	/* Get a buffer. */
+ 	if (bufsize > QMFB_SPLITBUFSIZE) {
+-		if (!(buf = jas_malloc(bufsize * sizeof(jpc_fix_t)))) {
++		if (!(buf = jas_alloc2(bufsize, sizeof(jpc_fix_t)))) {
+ 			/* We have no choice but to commit suicide in this case. */
+ 			abort();
+ 		}
+@@ -549,7 +549,7 @@
+ #if !defined(HAVE_VLA)
+ 	/* Get a buffer. */
+ 	if (bufsize > QMFB_SPLITBUFSIZE) {
+-		if (!(buf = jas_malloc(bufsize * sizeof(jpc_fix_t)))) {
++		if (!(buf = jas_alloc2(bufsize, sizeof(jpc_fix_t)))) {
+ 			/* We have no choice but to commit suicide in this case. */
+ 			abort();
+ 		}
+@@ -633,7 +633,7 @@
+ #if !defined(HAVE_VLA)
+ 	/* Allocate memory for the join buffer from the heap. */
+ 	if (bufsize > QMFB_JOINBUFSIZE) {
+-		if (!(buf = jas_malloc(bufsize * sizeof(jpc_fix_t)))) {
++		if (!(buf = jas_alloc2(bufsize, sizeof(jpc_fix_t)))) {
+ 			/* We have no choice but to commit suicide. */
+ 			abort();
+ 		}
+@@ -698,7 +698,7 @@
+ #if !defined(HAVE_VLA)
+ 	/* Allocate memory for the join buffer from the heap. */
+ 	if (bufsize > QMFB_JOINBUFSIZE) {
+-		if (!(buf = jas_malloc(bufsize * sizeof(jpc_fix_t)))) {
++		if (!(buf = jas_alloc2(bufsize, sizeof(jpc_fix_t)))) {
+ 			/* We have no choice but to commit suicide. */
+ 			abort();
+ 		}
+@@ -766,7 +766,7 @@
+ #if !defined(HAVE_VLA)
+ 	/* Allocate memory for the join buffer from the heap. */
+ 	if (bufsize > QMFB_JOINBUFSIZE) {
+-		if (!(buf = jas_malloc(bufsize * JPC_QMFB_COLGRPSIZE * sizeof(jpc_fix_t)))) {
++		if (!(buf = jas_alloc2(bufsize, JPC_QMFB_COLGRPSIZE * sizeof(jpc_fix_t)))) {
+ 			/* We have no choice but to commit suicide. */
+ 			abort();
+ 		}
+@@ -852,7 +852,7 @@
+ #if !defined(HAVE_VLA)
+ 	/* Allocate memory for the join buffer from the heap. */
+ 	if (bufsize > QMFB_JOINBUFSIZE) {
+-		if (!(buf = jas_malloc(bufsize * numcols * sizeof(jpc_fix_t)))) {
++		if (!(buf = jas_alloc3(bufsize, numcols, sizeof(jpc_fix_t)))) {
+ 			/* We have no choice but to commit suicide. */
+ 			abort();
+ 		}
+diff -Nurad jasper-1.900.1.orig/src/libjasper/jpc/jpc_t1enc.c jasper-1.900.1.new/src/libjasper/jpc/jpc_t1enc.c
+--- jasper-1.900.1.orig/src/libjasper/jpc/jpc_t1enc.c	2007-01-19 22:43:07.000000000 +0100
++++ jasper-1.900.1.new/src/libjasper/jpc/jpc_t1enc.c	2008-10-03 14:17:55.000000000 +0200
+@@ -219,7 +219,7 @@
+ 
+ 	cblk->numpasses = (cblk->numbps > 0) ? (3 * cblk->numbps - 2) : 0;
+ 	if (cblk->numpasses > 0) {
+-		cblk->passes = jas_malloc(cblk->numpasses * sizeof(jpc_enc_pass_t));
++		cblk->passes = jas_alloc2(cblk->numpasses, sizeof(jpc_enc_pass_t));
+ 		assert(cblk->passes);
+ 	} else {
+ 		cblk->passes = 0;
+diff -Nurad jasper-1.900.1.orig/src/libjasper/jpc/jpc_t2cod.c jasper-1.900.1.new/src/libjasper/jpc/jpc_t2cod.c
+--- jasper-1.900.1.orig/src/libjasper/jpc/jpc_t2cod.c	2007-01-19 22:43:07.000000000 +0100
++++ jasper-1.900.1.new/src/libjasper/jpc/jpc_t2cod.c	2008-10-03 14:17:55.000000000 +0200
+@@ -573,7 +573,7 @@
+ 	}
+ 	if (pchglist->numpchgs >= pchglist->maxpchgs) {
+ 		newmaxpchgs = pchglist->maxpchgs + 128;
+-		if (!(newpchgs = jas_realloc(pchglist->pchgs, newmaxpchgs * sizeof(jpc_pchg_t *)))) {
++		if (!(newpchgs = jas_realloc2(pchglist->pchgs, newmaxpchgs, sizeof(jpc_pchg_t *)))) {
+ 			return -1;
+ 		}
+ 		pchglist->maxpchgs = newmaxpchgs;
+diff -Nurad jasper-1.900.1.orig/src/libjasper/jpc/jpc_t2dec.c jasper-1.900.1.new/src/libjasper/jpc/jpc_t2dec.c
+--- jasper-1.900.1.orig/src/libjasper/jpc/jpc_t2dec.c	2007-01-19 22:43:07.000000000 +0100
++++ jasper-1.900.1.new/src/libjasper/jpc/jpc_t2dec.c	2008-10-03 14:17:55.000000000 +0200
+@@ -478,7 +478,7 @@
+ 		return 0;
+ 	}
+ 	pi->numcomps = dec->numcomps;
+-	if (!(pi->picomps = jas_malloc(pi->numcomps * sizeof(jpc_picomp_t)))) {
++	if (!(pi->picomps = jas_alloc2(pi->numcomps, sizeof(jpc_picomp_t)))) {
+ 		jpc_pi_destroy(pi);
+ 		return 0;
+ 	}
+@@ -490,7 +490,7 @@
+ 	for (compno = 0, tcomp = tile->tcomps, picomp = pi->picomps;
+ 	  compno < pi->numcomps; ++compno, ++tcomp, ++picomp) {
+ 		picomp->numrlvls = tcomp->numrlvls;
+-		if (!(picomp->pirlvls = jas_malloc(picomp->numrlvls *
++		if (!(picomp->pirlvls = jas_alloc2(picomp->numrlvls,
+ 		  sizeof(jpc_pirlvl_t)))) {
+ 			jpc_pi_destroy(pi);
+ 			return 0;
+@@ -503,7 +503,7 @@
+ 		  rlvlno < picomp->numrlvls; ++rlvlno, ++pirlvl, ++rlvl) {
+ /* XXX sizeof(long) should be sizeof different type */
+ 			pirlvl->numprcs = rlvl->numprcs;
+-			if (!(pirlvl->prclyrnos = jas_malloc(pirlvl->numprcs *
++			if (!(pirlvl->prclyrnos = jas_alloc2(pirlvl->numprcs,
+ 			  sizeof(long)))) {
+ 				jpc_pi_destroy(pi);
+ 				return 0;
+diff -Nurad jasper-1.900.1.orig/src/libjasper/jpc/jpc_t2enc.c jasper-1.900.1.new/src/libjasper/jpc/jpc_t2enc.c
+--- jasper-1.900.1.orig/src/libjasper/jpc/jpc_t2enc.c	2007-01-19 22:43:07.000000000 +0100
++++ jasper-1.900.1.new/src/libjasper/jpc/jpc_t2enc.c	2008-10-03 14:17:55.000000000 +0200
+@@ -565,7 +565,7 @@
+ 	}
+ 	pi->pktno = -1;
+ 	pi->numcomps = cp->numcmpts;
+-	if (!(pi->picomps = jas_malloc(pi->numcomps * sizeof(jpc_picomp_t)))) {
++	if (!(pi->picomps = jas_alloc2(pi->numcomps, sizeof(jpc_picomp_t)))) {
+ 		jpc_pi_destroy(pi);
+ 		return 0;
+ 	}
+@@ -577,7 +577,7 @@
+ 	for (compno = 0, tcomp = tile->tcmpts, picomp = pi->picomps;
+ 	  compno < pi->numcomps; ++compno, ++tcomp, ++picomp) {
+ 		picomp->numrlvls = tcomp->numrlvls;
+-		if (!(picomp->pirlvls = jas_malloc(picomp->numrlvls *
++		if (!(picomp->pirlvls = jas_alloc2(picomp->numrlvls,
+ 		  sizeof(jpc_pirlvl_t)))) {
+ 			jpc_pi_destroy(pi);
+ 			return 0;
+@@ -591,7 +591,7 @@
+ /* XXX sizeof(long) should be sizeof different type */
+ 			pirlvl->numprcs = rlvl->numprcs;
+ 			if (rlvl->numprcs) {
+-				if (!(pirlvl->prclyrnos = jas_malloc(pirlvl->numprcs *
++				if (!(pirlvl->prclyrnos = jas_alloc2(pirlvl->numprcs,
+ 				  sizeof(long)))) {
+ 					jpc_pi_destroy(pi);
+ 					return 0;
+diff -Nurad jasper-1.900.1.orig/src/libjasper/jpc/jpc_tagtree.c jasper-1.900.1.new/src/libjasper/jpc/jpc_tagtree.c
+--- jasper-1.900.1.orig/src/libjasper/jpc/jpc_tagtree.c	2007-01-19 22:43:07.000000000 +0100
++++ jasper-1.900.1.new/src/libjasper/jpc/jpc_tagtree.c	2008-10-03 14:17:55.000000000 +0200
+@@ -125,7 +125,7 @@
+ 		++numlvls;
+ 	} while (n > 1);
+ 
+-	if (!(tree->nodes_ = jas_malloc(tree->numnodes_ * sizeof(jpc_tagtreenode_t)))) {
++	if (!(tree->nodes_ = jas_alloc2(tree->numnodes_, sizeof(jpc_tagtreenode_t)))) {
+ 		return 0;
+ 	}
+ 
+diff -Nurad jasper-1.900.1.orig/src/libjasper/jpc/jpc_util.c jasper-1.900.1.new/src/libjasper/jpc/jpc_util.c
+--- jasper-1.900.1.orig/src/libjasper/jpc/jpc_util.c	2007-01-19 22:43:07.000000000 +0100
++++ jasper-1.900.1.new/src/libjasper/jpc/jpc_util.c	2008-10-03 14:17:55.000000000 +0200
+@@ -109,7 +109,7 @@
+ 	}
+ 
+ 	if (n) {
+-		if (!(vs = jas_malloc(n * sizeof(double)))) {
++		if (!(vs = jas_alloc2(n, sizeof(double)))) {
+ 			return -1;
+ 		}
+ 
+diff -Nurad jasper-1.900.1.orig/src/libjasper/mif/mif_cod.c jasper-1.900.1.new/src/libjasper/mif/mif_cod.c
+--- jasper-1.900.1.orig/src/libjasper/mif/mif_cod.c	2007-01-19 22:43:05.000000000 +0100
++++ jasper-1.900.1.new/src/libjasper/mif/mif_cod.c	2008-10-03 14:17:55.000000000 +0200
+@@ -438,8 +438,7 @@
+ 	int cmptno;
+ 	mif_cmpt_t **newcmpts;
+ 	assert(maxcmpts >= hdr->numcmpts);
+-	newcmpts = (!hdr->cmpts) ? jas_malloc(maxcmpts * sizeof(mif_cmpt_t *)) :
+-	  jas_realloc(hdr->cmpts, maxcmpts * sizeof(mif_cmpt_t *));
++	newcmpts = jas_realloc2(hdr->cmpts, maxcmpts, sizeof(mif_cmpt_t *));
+ 	if (!newcmpts) {
+ 		return -1;
+ 	}




Tags added: patch Request was from Pierre Habouzit <madcoder@debian.org> to control@bugs.debian.org. (Sun, 12 Oct 2008 19:45:04 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Roland Stigge <stigge@antcom.de>:
Bug#501021; Package jasper. (Sun, 12 Oct 2008 20:03:07 GMT)


Acknowledgement sent to Pierre Habouzit <madcoder@debian.org>:
Extra info received and forwarded to list. Copy sent to Roland Stigge <stigge@antcom.de>. (Sun, 12 Oct 2008 20:03:07 GMT)


Message #17 received at 501021@bugs.debian.org:

From: Pierre Habouzit <madcoder@debian.org>
To: 501021@bugs.debian.org
Subject: jasper: diff for NMU version 1.900.1-5.1
Date: Sun, 12 Oct 2008 21:57:59 +0200
tags 501021 + patch
thanks

Dear maintainer,

I've prepared an NMU for jasper (versioned as 1.900.1-5.1) and uploaded it
to DELAYED/02.

PS: for some reason the previous nmudiff was broken, here is the proper one.

Regards.
reverted:
--- jasper-1.900.1/src/libjasper/jpc/jpc_cs.c
+++ jasper-1.900.1.orig/src/libjasper/jpc/jpc_cs.c
@@ -982,10 +982,7 @@
 		compparms->numstepsizes = (len - n) / 2;
 		break;
 	}
+	if (compparms->numstepsizes > 0) {
-	if (compparms->numstepsizes > 3 * JPC_MAXRLVLS + 1) {
-		jpc_qcx_destroycompparms(compparms);
-                return -1;
-        } else if (compparms->numstepsizes > 0) {
 		compparms->stepsizes = jas_malloc(compparms->numstepsizes *
 		  sizeof(uint_fast16_t));
 		assert(compparms->stepsizes);
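Review bot: as this hunk reads, the upper bound on compparms->numstepsizes (the > 3 * JPC_MAXRLVLS + 1 test with its jpc_qcx_destroycompparms/return -1 path) is removed, while the allocation below it is still jas_malloc(compparms->numstepsizes * sizeof(uint_fast16_t)) checked only by assert. If dropping the bound is intended, the changelog should say why; either way the allocation should get a runtime NULL check instead of an assertion.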
reverted:
--- jasper-1.900.1/src/libjasper/jpc/jpc_dec.c
+++ jasper-1.900.1.orig/src/libjasper/jpc/jpc_dec.c
@@ -1069,12 +1069,12 @@
 	/* Apply an inverse intercomponent transform if necessary. */
 	switch (tile->cp->mctid) {
 	case JPC_MCT_RCT:
+		assert(dec->numcomps == 3);
-		assert(dec->numcomps == 3 || dec->numcomps == 4);
 		jpc_irct(tile->tcomps[0].data, tile->tcomps[1].data,
 		  tile->tcomps[2].data);
 		break;
 	case JPC_MCT_ICT:
+		assert(dec->numcomps == 3);
-		assert(dec->numcomps == 3 || dec->numcomps == 4);
 		jpc_iict(tile->tcomps[0].data, tile->tcomps[1].data,
 		  tile->tcomps[2].data);
 		break;
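Review bot: both cases validate dec->numcomps with assert, which is a no-op under NDEBUG, while jpc_irct and jpc_iict are handed tile->tcomps[0] through tile->tcomps[2] unconditionally. With the accepted set changed from 3 or 4 to exactly 3, a 4-component stream now aborts in assert-enabled builds, and a stream with fewer than 3 components is not rejected at all in NDEBUG builds. A runtime check that returns an error would cover both.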
diff -u jasper-1.900.1/debian/changelog jasper-1.900.1/debian/changelog
--- jasper-1.900.1/debian/changelog
+++ jasper-1.900.1/debian/changelog
@@ -1,3 +1,13 @@
+jasper (1.900.1-5.1) unstable; urgency=low
+
+  * Non-maintainer upload.
+  * add patches/02_security.dpatch to fix various CVEs (Closes: #501021):
+     + CVE-2008-3522[0]: Buffer overflow.
+     + CVE-2008-3521[1]: unsecure temporary files handling.
+     + CVE-2008-3520[2]: Multiple integer overflows.
+
+ -- Pierre Habouzit <madcoder@debian.org>  Sun, 12 Oct 2008 21:40:59 +0200
+
 jasper (1.900.1-5) unstable; urgency=low
 
   * Added GeoJP2 patch by Sven Geggus <sven.geggus@iitb.fraunhofer.de>
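Review bot: urgency=low on the new 1.900.1-5.1 entry does not match an upload whose only change is three CVE fixes closing #501021; a higher urgency would let the fix migrate sooner. In the same entry, "unsecure" should read "insecure", and the [0]/[1]/[2] markers point at footnotes that the changelog does not contain.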
diff -u jasper-1.900.1/debian/patches/00list jasper-1.900.1/debian/patches/00list
--- jasper-1.900.1/debian/patches/00list
+++ jasper-1.900.1/debian/patches/00list
@@ -1,0 +2 @@
+02_security.dpatch
only in patch4:
unchanged:
--- jasper-1.900.1.orig/debian/patches/02_security.dpatch
+++ jasper-1.900.1/debian/patches/02_security.dpatch
@@ -0,0 +1,978 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+##
+## All lines beginning with `## DP:' are a description of the patch.
+
+@DPATCH@
+
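Review bot: the dpatch header announces that lines beginning with ## DP: describe the patch but contains none, so 02_security.dpatch ships with no description. Add ## DP: lines naming the three CVEs and what each part of the patch changes.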
+diff --git a/src/libjasper/base/jas_cm.c b/src/libjasper/base/jas_cm.c
+index 77514dd..e63a6d2 100644
+--- a/src/libjasper/base/jas_cm.c
++++ b/src/libjasper/base/jas_cm.c
+@@ -704,8 +704,7 @@ static int jas_cmpxformseq_resize(jas_cmpxformseq_t *pxformseq, int n)
+ {
+ 	jas_cmpxform_t **p;
+ 	assert(n >= pxformseq->numpxforms);
+-	p = (!pxformseq->pxforms) ? jas_malloc(n * sizeof(jas_cmpxform_t *)) :
+-	  jas_realloc(pxformseq->pxforms, n * sizeof(jas_cmpxform_t *));
++	p = jas_realloc2(pxformseq->pxforms, n, sizeof(jas_cmpxform_t *));
+ 	if (!p) {
+ 		return -1;
+ 	}
+@@ -889,13 +888,13 @@ static int jas_cmshapmatlut_set(jas_cmshapmatlut_t *lut, jas_icccurv_t *curv)
+ 	jas_cmshapmatlut_cleanup(lut);
+ 	if (curv->numents == 0) {
+ 		lut->size = 2;
+-		if (!(lut->data = jas_malloc(lut->size * sizeof(jas_cmreal_t))))
++		if (!(lut->data = jas_alloc2(lut->size, sizeof(jas_cmreal_t))))
+ 			goto error;
+ 		lut->data[0] = 0.0;
+ 		lut->data[1] = 1.0;
+ 	} else if (curv->numents == 1) {
+ 		lut->size = 256;
+-		if (!(lut->data = jas_malloc(lut->size * sizeof(jas_cmreal_t))))
++		if (!(lut->data = jas_alloc2(lut->size, sizeof(jas_cmreal_t))))
+ 			goto error;
+ 		gamma = curv->ents[0] / 256.0;
+ 		for (i = 0; i < lut->size; ++i) {
+@@ -903,7 +902,7 @@ static int jas_cmshapmatlut_set(jas_cmshapmatlut_t *lut, jas_icccurv_t *curv)
+ 		}
+ 	} else {
+ 		lut->size = curv->numents;
+-		if (!(lut->data = jas_malloc(lut->size * sizeof(jas_cmreal_t))))
++		if (!(lut->data = jas_alloc2(lut->size, sizeof(jas_cmreal_t))))
+ 			goto error;
+ 		for (i = 0; i < lut->size; ++i) {
+ 			lut->data[i] = curv->ents[i] / 65535.0;
+@@ -953,7 +952,7 @@ static int jas_cmshapmatlut_invert(jas_cmshapmatlut_t *invlut,
+ 			return -1;
+ 		}
+ 	}
+-	if (!(invlut->data = jas_malloc(n * sizeof(jas_cmreal_t))))
++	if (!(invlut->data = jas_alloc2(n, sizeof(jas_cmreal_t))))
+ 		return -1;
+ 	invlut->size = n;
+ 	for (i = 0; i < invlut->size; ++i) {
+diff --git a/src/libjasper/base/jas_icc.c b/src/libjasper/base/jas_icc.c
+index e5a0a2e..6fb2721 100644
+--- a/src/libjasper/base/jas_icc.c
++++ b/src/libjasper/base/jas_icc.c
+@@ -373,7 +373,7 @@ int jas_iccprof_save(jas_iccprof_t *prof, jas_stream_t *out)
+ 	jas_icctagtab_t *tagtab;
+ 
+ 	tagtab = &prof->tagtab;
+-	if (!(tagtab->ents = jas_malloc(prof->attrtab->numattrs *
++	if (!(tagtab->ents = jas_alloc2(prof->attrtab->numattrs,
+ 	  sizeof(jas_icctagtabent_t))))
+ 		goto error;
+ 	tagtab->numents = prof->attrtab->numattrs;
+@@ -522,7 +522,7 @@ static int jas_iccprof_gettagtab(jas_stream_t *in, jas_icctagtab_t *tagtab)
+ 	}
+ 	if (jas_iccgetuint32(in, &tagtab->numents))
+ 		goto error;
+-	if (!(tagtab->ents = jas_malloc(tagtab->numents *
++	if (!(tagtab->ents = jas_alloc2(tagtab->numents,
+ 	  sizeof(jas_icctagtabent_t))))
+ 		goto error;
+ 	tagtabent = tagtab->ents;
+@@ -743,8 +743,7 @@ static int jas_iccattrtab_resize(jas_iccattrtab_t *tab, int maxents)
+ {
+ 	jas_iccattr_t *newattrs;
+ 	assert(maxents >= tab->numattrs);
+-	newattrs = tab->attrs ? jas_realloc(tab->attrs, maxents *
+-	  sizeof(jas_iccattr_t)) : jas_malloc(maxents * sizeof(jas_iccattr_t));
++	newattrs = jas_realloc2(tab->attrs, maxents, sizeof(jas_iccattr_t));
+ 	if (!newattrs)
+ 		return -1;
+ 	tab->attrs = newattrs;
+@@ -999,7 +998,7 @@ static int jas_icccurv_input(jas_iccattrval_t *attrval, jas_stream_t *in,
+ 
+ 	if (jas_iccgetuint32(in, &curv->numents))
+ 		goto error;
+-	if (!(curv->ents = jas_malloc(curv->numents * sizeof(jas_iccuint16_t))))
++	if (!(curv->ents = jas_alloc2(curv->numents, sizeof(jas_iccuint16_t))))
+ 		goto error;
+ 	for (i = 0; i < curv->numents; ++i) {
+ 		if (jas_iccgetuint16(in, &curv->ents[i]))
+@@ -1100,7 +1099,7 @@ static int jas_icctxtdesc_input(jas_iccattrval_t *attrval, jas_stream_t *in,
+ 	if (jas_iccgetuint32(in, &txtdesc->uclangcode) ||
+ 	  jas_iccgetuint32(in, &txtdesc->uclen))
+ 		goto error;
+-	if (!(txtdesc->ucdata = jas_malloc(txtdesc->uclen * 2)))
++	if (!(txtdesc->ucdata = jas_alloc2(txtdesc->uclen, 2)))
+ 		goto error;
+ 	if (jas_stream_read(in, txtdesc->ucdata, txtdesc->uclen * 2) !=
+ 	  JAS_CAST(int, txtdesc->uclen * 2))
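Review bot: the allocation is now jas_alloc2(txtdesc->uclen, 2), but the read just below still computes txtdesc->uclen * 2 unchecked and compares against JAS_CAST(int, txtdesc->uclen * 2). For a large uclen read from the stream, that product and the cast to int can disagree with the size actually allocated. Compute the byte count once, after validating it, and use it for both the allocation and the read.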
+@@ -1292,17 +1291,17 @@ static int jas_icclut8_input(jas_iccattrval_t *attrval, jas_stream_t *in,
+ 	  jas_iccgetuint16(in, &lut8->numouttabents))
+ 		goto error;
+ 	clutsize = jas_iccpowi(lut8->clutlen, lut8->numinchans) * lut8->numoutchans;
+-	if (!(lut8->clut = jas_malloc(clutsize * sizeof(jas_iccuint8_t))) ||
+-	  !(lut8->intabsbuf = jas_malloc(lut8->numinchans *
+-	  lut8->numintabents * sizeof(jas_iccuint8_t))) ||
+-	  !(lut8->intabs = jas_malloc(lut8->numinchans *
++	if (!(lut8->clut = jas_alloc2(clutsize, sizeof(jas_iccuint8_t))) ||
++	  !(lut8->intabsbuf = jas_alloc3(lut8->numinchans,
++	  lut8->numintabents, sizeof(jas_iccuint8_t))) ||
++	  !(lut8->intabs = jas_alloc2(lut8->numinchans,
+ 	  sizeof(jas_iccuint8_t *))))
+ 		goto error;
+ 	for (i = 0; i < lut8->numinchans; ++i)
+ 		lut8->intabs[i] = &lut8->intabsbuf[i * lut8->numintabents];
+-	if (!(lut8->outtabsbuf = jas_malloc(lut8->numoutchans *
+-	  lut8->numouttabents * sizeof(jas_iccuint8_t))) ||
+-	  !(lut8->outtabs = jas_malloc(lut8->numoutchans *
++	if (!(lut8->outtabsbuf = jas_alloc3(lut8->numoutchans,
++	  lut8->numouttabents, sizeof(jas_iccuint8_t))) ||
++	  !(lut8->outtabs = jas_alloc2(lut8->numoutchans,
+ 	  sizeof(jas_iccuint8_t *))))
+ 		goto error;
+ 	for (i = 0; i < lut8->numoutchans; ++i)
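Review bot: clutsize is computed as jas_iccpowi(lut8->clutlen, lut8->numinchans) * lut8->numoutchans before it reaches jas_alloc2, and neither the power nor the multiply is checked, so jas_alloc2(clutsize, sizeof(jas_iccuint8_t)) can be handed an already wrapped value. Bound or check clutsize before allocating. The jas_icclut16_input hunk that follows has the same clutsize computation.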
+@@ -1461,17 +1460,17 @@ static int jas_icclut16_input(jas_iccattrval_t *attrval, jas_stream_t *in,
+ 	  jas_iccgetuint16(in, &lut16->numouttabents))
+ 		goto error;
+ 	clutsize = jas_iccpowi(lut16->clutlen, lut16->numinchans) * lut16->numoutchans;
+-	if (!(lut16->clut = jas_malloc(clutsize * sizeof(jas_iccuint16_t))) ||
+-	  !(lut16->intabsbuf = jas_malloc(lut16->numinchans *
+-	  lut16->numintabents * sizeof(jas_iccuint16_t))) ||
+-	  !(lut16->intabs = jas_malloc(lut16->numinchans *
++	if (!(lut16->clut = jas_alloc2(clutsize, sizeof(jas_iccuint16_t))) ||
++	  !(lut16->intabsbuf = jas_alloc3(lut16->numinchans,
++	  lut16->numintabents, sizeof(jas_iccuint16_t))) ||
++	  !(lut16->intabs = jas_alloc2(lut16->numinchans,
+ 	  sizeof(jas_iccuint16_t *))))
+ 		goto error;
+ 	for (i = 0; i < lut16->numinchans; ++i)
+ 		lut16->intabs[i] = &lut16->intabsbuf[i * lut16->numintabents];
+-	if (!(lut16->outtabsbuf = jas_malloc(lut16->numoutchans *
+-	  lut16->numouttabents * sizeof(jas_iccuint16_t))) ||
+-	  !(lut16->outtabs = jas_malloc(lut16->numoutchans *
++	if (!(lut16->outtabsbuf = jas_alloc3(lut16->numoutchans,
++	  lut16->numouttabents, sizeof(jas_iccuint16_t))) ||
++	  !(lut16->outtabs = jas_alloc2(lut16->numoutchans,
+ 	  sizeof(jas_iccuint16_t *))))
+ 		goto error;
+ 	for (i = 0; i < lut16->numoutchans; ++i)
+diff --git a/src/libjasper/base/jas_image.c b/src/libjasper/base/jas_image.c
+index 876debb..c09974b 100644
+--- a/src/libjasper/base/jas_image.c
++++ b/src/libjasper/base/jas_image.c
+@@ -142,7 +142,7 @@ jas_image_t *jas_image_create(int numcmpts, jas_image_cmptparm_t *cmptparms,
+ 	image->inmem_ = true;
+ 
+ 	/* Allocate memory for the per-component information. */
+-	if (!(image->cmpts_ = jas_malloc(image->maxcmpts_ *
++	if (!(image->cmpts_ = jas_alloc2(image->maxcmpts_,
+ 	  sizeof(jas_image_cmpt_t *)))) {
+ 		jas_image_destroy(image);
+ 		return 0;
+@@ -774,8 +774,7 @@ static int jas_image_growcmpts(jas_image_t *image, int maxcmpts)
+ 	jas_image_cmpt_t **newcmpts;
+ 	int cmptno;
+ 
+-	newcmpts = (!image->cmpts_) ? jas_malloc(maxcmpts * sizeof(jas_image_cmpt_t *)) :
+-	  jas_realloc(image->cmpts_, maxcmpts * sizeof(jas_image_cmpt_t *));
++	newcmpts = jas_realloc2(image->cmpts_, maxcmpts, sizeof(jas_image_cmpt_t *));
+ 	if (!newcmpts) {
+ 		return -1;
+ 	}
+diff --git a/src/libjasper/base/jas_malloc.c b/src/libjasper/base/jas_malloc.c
+index 13f7bc8..90658e8 100644
+--- a/src/libjasper/base/jas_malloc.c
++++ b/src/libjasper/base/jas_malloc.c
+@@ -76,6 +76,9 @@
+ 
+ /* We need the prototype for memset. */
+ #include <string.h>
++#include <limits.h>
++#include <errno.h>
++#include <stdint.h>
+ 
+ #include "jasper/jas_malloc.h"
+ 
+@@ -113,18 +116,50 @@ void jas_free(void *ptr)
+ 
+ void *jas_realloc(void *ptr, size_t size)
+ {
+-	return realloc(ptr, size);
++	return ptr ? realloc(ptr, size) : malloc(size);
+ }
+ 
+-void *jas_calloc(size_t nmemb, size_t size)
++void *jas_realloc2(void *ptr, size_t nmemb, size_t size)
++{
++	if (!ptr)
++		return jas_alloc2(nmemb, size);
++	if (nmemb && SIZE_MAX / nmemb < size) {
++		errno = ENOMEM;
++		return NULL;
++	}
++	return jas_realloc(ptr, nmemb * size);
++
++}
++
++void *jas_alloc2(size_t nmemb, size_t size)
++{
++	if (nmemb && SIZE_MAX / nmemb < size) {
++		errno = ENOMEM;
++		return NULL;
++	}
++
++	return jas_malloc(nmemb * size);
++}
++
++void *jas_alloc3(size_t a, size_t b, size_t c)
+ {
+-	void *ptr;
+ 	size_t n;
+-	n = nmemb * size;
+-	if (!(ptr = jas_malloc(n * sizeof(char)))) {
+-		return 0;
++
++	if (a && SIZE_MAX / a < b) {
++		errno = ENOMEM;
++		return NULL;
+ 	}
+-	memset(ptr, 0, n);
++
++	return jas_alloc2(a*b, c);
++}
++
++void *jas_calloc(size_t nmemb, size_t size)
++{
++	void *ptr;
++
++	ptr = jas_alloc2(nmemb, size);
++	if (ptr)
++		memset(ptr, 0, nmemb*size);
+ 	return ptr;
+ }
+ 
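Review bot: the overflow test nmemb && SIZE_MAX / nmemb < size is written out three times (jas_realloc2, jas_alloc2, jas_alloc3); one static helper would keep the three in step. The change to jas_realloc, ptr ? realloc(ptr, size) : malloc(size), is redundant on an ISO C library, where realloc(NULL, size) already behaves as malloc(size); if it is there for a non-conforming platform, a comment should say so. There is also a stray blank line before the closing brace of jas_realloc2.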
+diff --git a/src/libjasper/base/jas_seq.c b/src/libjasper/base/jas_seq.c
+index 16e1778..672b60f 100644
+--- a/src/libjasper/base/jas_seq.c
++++ b/src/libjasper/base/jas_seq.c
+@@ -114,7 +114,7 @@ jas_matrix_t *jas_matrix_create(int numrows, int numcols)
+ 	matrix->datasize_ = numrows * numcols;
+ 
+ 	if (matrix->maxrows_ > 0) {
+-		if (!(matrix->rows_ = jas_malloc(matrix->maxrows_ *
++		if (!(matrix->rows_ = jas_alloc2(matrix->maxrows_,
+ 		  sizeof(jas_seqent_t *)))) {
+ 			jas_matrix_destroy(matrix);
+ 			return 0;
+@@ -122,7 +122,7 @@ jas_matrix_t *jas_matrix_create(int numrows, int numcols)
+ 	}
+ 
+ 	if (matrix->datasize_ > 0) {
+-		if (!(matrix->data_ = jas_malloc(matrix->datasize_ *
++		if (!(matrix->data_ = jas_alloc2(matrix->datasize_,
+ 		  sizeof(jas_seqent_t)))) {
+ 			jas_matrix_destroy(matrix);
+ 			return 0;
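Review bot: matrix->datasize_ is computed as numrows * numcols in the context of the previous hunk, in int arithmetic and without a check, so jas_alloc2(matrix->datasize_, sizeof(jas_seqent_t)) only protects the multiply by the element size. Check the numrows * numcols product before storing it, or pass the two dimensions separately to a checked allocator once they are known to be non-negative.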
+@@ -220,7 +220,7 @@ void jas_matrix_bindsub(jas_matrix_t *mat0, jas_matrix_t *mat1, int r0, int c0,
+ 	mat0->numrows_ = r1 - r0 + 1;
+ 	mat0->numcols_ = c1 - c0 + 1;
+ 	mat0->maxrows_ = mat0->numrows_;
+-	mat0->rows_ = jas_malloc(mat0->maxrows_ * sizeof(jas_seqent_t *));
++	mat0->rows_ = jas_alloc2(mat0->maxrows_, sizeof(jas_seqent_t *));
+ 	for (i = 0; i < mat0->numrows_; ++i) {
+ 		mat0->rows_[i] = mat1->rows_[r0 + i] + c0;
+ 	}
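Review bot: mat0->rows_ is assigned from jas_alloc2 and dereferenced in the loop immediately after, with no NULL test. jas_matrix_bindsub is declared void, so handling the failure means either changing the signature to return a status or leaving mat0 in a well-defined empty state; as written, an allocation failure is a NULL write.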
+diff --git a/src/libjasper/base/jas_stream.c b/src/libjasper/base/jas_stream.c
+index 9a88556..61fcc64 100644
+--- a/src/libjasper/base/jas_stream.c
++++ b/src/libjasper/base/jas_stream.c
+@@ -212,7 +212,7 @@ jas_stream_t *jas_stream_memopen(char *buf, int bufsize)
+ 	if (buf) {
+ 		obj->buf_ = (unsigned char *) buf;
+ 	} else {
+-		obj->buf_ = jas_malloc(obj->bufsize_ * sizeof(char));
++		obj->buf_ = jas_malloc(obj->bufsize_);
+ 		obj->myalloc_ = 1;
+ 	}
+ 	if (!obj->buf_) {
+@@ -361,28 +361,22 @@ jas_stream_t *jas_stream_tmpfile()
+ 	}
+ 	obj->fd = -1;
+ 	obj->flags = 0;
+-	obj->pathname[0] = '\0';
+ 	stream->obj_ = obj;
+ 
+ 	/* Choose a file name. */
+-	tmpnam(obj->pathname);
++	snprintf(obj->pathname, L_tmpnam, "%stmp.XXXXXXXXXX", P_tmpdir);
+ 
+ 	/* Open the underlying file. */
+-	if ((obj->fd = open(obj->pathname, O_CREAT | O_EXCL | O_RDWR | O_TRUNC | O_BINARY,
+-	  JAS_STREAM_PERMS)) < 0) {
++	if ((obj->fd = mkstemp(obj->pathname)) < 0) {
+ 		jas_stream_destroy(stream);
+ 		return 0;
+ 	}
+ 
+ 	/* Unlink the file so that it will disappear if the program
+ 	terminates abnormally. */
+-	/* Under UNIX, one can unlink an open file and continue to do I/O
+-	on it.  Not all operating systems support this functionality, however.
+-	For example, under Microsoft Windows the unlink operation will fail,
+-	since the file is open. */
+ 	if (unlink(obj->pathname)) {
+-		/* We will try unlinking the file again after it is closed. */
+-		obj->flags |= JAS_STREAM_FILEOBJ_DELONCLOSE;
++		jas_stream_destroy(stream);
++		return 0;
+ 	}
+ 
+ 	/* Use full buffering. */
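Review bot: the template is built with "%stmp.XXXXXXXXXX" and P_tmpdir, with no path separator between them. glibc defines P_tmpdir as "/tmp", so this yields /tmptmp.XXXXXXXXXX in the root directory rather than a file under /tmp; use "%s/tmp.XXXXXXXXXX". The snprintf return value should also be checked against L_tmpnam so that a truncated template is rejected before mkstemp is called.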
+@@ -553,7 +547,7 @@ int jas_stream_printf(jas_stream_t *stream, const char *fmt, ...)
+ 	int ret;
+ 
+ 	va_start(ap, fmt);
+-	ret = vsprintf(buf, fmt, ap);
++	ret = vsnprintf(buf, sizeof buf, fmt, ap);
+ 	jas_stream_puts(stream, buf);
+ 	va_end(ap);
+ 	return ret;
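Review bot: vsnprintf returns the length the formatted string would have had, so after this change ret can be greater than or equal to sizeof buf while jas_stream_puts writes only the truncated contents, and the caller is told more bytes were written than actually were. Check ret < 0 and ret >= sizeof buf and report an error in those cases instead of emitting a silently truncated string.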
+@@ -992,7 +986,7 @@ static int mem_resize(jas_stream_memobj_t *m, int bufsize)
+ 	unsigned char *buf;
+ 
+ 	assert(m->buf_);
+-	if (!(buf = jas_realloc(m->buf_, bufsize * sizeof(unsigned char)))) {
++	if (!(buf = jas_realloc(m->buf_, bufsize))) {
+ 		return -1;
+ 	}
+ 	m->buf_ = buf;
+diff --git a/src/libjasper/bmp/bmp_dec.c b/src/libjasper/bmp/bmp_dec.c
+index 4cb0df3..7a6dcb1 100644
+--- a/src/libjasper/bmp/bmp_dec.c
++++ b/src/libjasper/bmp/bmp_dec.c
+@@ -283,7 +283,7 @@ static bmp_info_t *bmp_getinfo(jas_stream_t *in)
+ 	}
+ 
+ 	if (info->numcolors > 0) {
+-		if (!(info->palents = jas_malloc(info->numcolors *
++		if (!(info->palents = jas_alloc2(info->numcolors,
+ 		  sizeof(bmp_palent_t)))) {
+ 			bmp_info_destroy(info);
+ 			return 0;
+diff --git a/src/libjasper/include/jasper/jas_malloc.h b/src/libjasper/include/jasper/jas_malloc.h
+index f2a8f8b..258e4c7 100644
+--- a/src/libjasper/include/jasper/jas_malloc.h
++++ b/src/libjasper/include/jasper/jas_malloc.h
+@@ -95,6 +95,9 @@ extern "C" {
+ #define	jas_free	MEMFREE
+ #define	jas_realloc	MEMREALLOC
+ #define	jas_calloc	MEMCALLOC
++#define jas_alloc2(a, b)	MEMALLOC((a)*(b))
++#define jas_alloc3(a, b, c)	MEMALLOC((a)*(b)*(c))
++#define jas_realloc2(p, a, b)	MEMREALLOC((p), (a)*(b))
+ #endif
+ 
+ /******************************************************************************\
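Review bot: in this preprocessor branch the three new names are plain macros, jas_alloc2(a, b) as MEMALLOC((a)*(b)), jas_alloc3 as MEMALLOC((a)*(b)*(c)) and jas_realloc2 as MEMREALLOC((p), (a)*(b)), so the multiplications are unchecked and any build that takes this branch keeps the integer overflows the patch is meant to fix. Either route these through the checked functions from jas_malloc.c or add the same SIZE_MAX test here.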
+@@ -115,6 +118,12 @@ void *jas_realloc(void *ptr, size_t size);
+ /* Allocate a block of memory and initialize the contents to zero. */
+ void *jas_calloc(size_t nmemb, size_t size);
+ 
++/* size-checked double allocation .*/
++void *jas_alloc2(size_t, size_t);
++
++void *jas_alloc3(size_t, size_t, size_t);
++
++void *jas_realloc2(void *, size_t, size_t);
+ #endif
+ 
+ #ifdef __cplusplus
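Review bot: only jas_alloc2 gets a comment ("size-checked double allocation .*/", with a misplaced period), and jas_alloc3 and jas_realloc2 are declared with unnamed parameters and no description. Document all three in the style of the neighbouring prototypes, including that they return NULL when the product of their size arguments would overflow.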
+diff --git a/src/libjasper/jp2/jp2_cod.c b/src/libjasper/jp2/jp2_cod.c
+index d0bf058..8edf453 100644
+--- a/src/libjasper/jp2/jp2_cod.c
++++ b/src/libjasper/jp2/jp2_cod.c
+@@ -380,7 +380,7 @@ static int jp2_bpcc_getdata(jp2_box_t *box, jas_stream_t *in)
+ 	jp2_bpcc_t *bpcc = &box->data.bpcc;
+ 	unsigned int i;
+ 	bpcc->numcmpts = box->datalen;
+-	if (!(bpcc->bpcs = jas_malloc(bpcc->numcmpts * sizeof(uint_fast8_t)))) {
++	if (!(bpcc->bpcs = jas_alloc2(bpcc->numcmpts, sizeof(uint_fast8_t)))) {
+ 		return -1;
+ 	}
+ 	for (i = 0; i < bpcc->numcmpts; ++i) {
+@@ -424,7 +424,7 @@ static int jp2_colr_getdata(jp2_box_t *box, jas_stream_t *in)
+ 		break;
+ 	case JP2_COLR_ICC:
+ 		colr->iccplen = box->datalen - 3;
+-		if (!(colr->iccp = jas_malloc(colr->iccplen * sizeof(uint_fast8_t)))) {
++		if (!(colr->iccp = jas_alloc2(colr->iccplen, sizeof(uint_fast8_t)))) {
+ 			return -1;
+ 		}
+ 		if (jas_stream_read(in, colr->iccp, colr->iccplen) != colr->iccplen) {
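Review bot: colr->iccplen is set to box->datalen - 3 with no test that datalen is at least 3, so for an unsigned length a short box wraps to a very large value before the allocation. With an element size of sizeof(uint_fast8_t), typically 1, the jas_alloc2 overflow check cannot reject it. Validate box->datalen before the subtraction and return -1 for a short box.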
+@@ -461,7 +461,7 @@ static int jp2_cdef_getdata(jp2_box_t *box, jas_stream_t *in)
+ 	if (jp2_getuint16(in, &cdef->numchans)) {
+ 		return -1;
+ 	}
+-	if (!(cdef->ents = jas_malloc(cdef->numchans * sizeof(jp2_cdefchan_t)))) {
++	if (!(cdef->ents = jas_alloc2(cdef->numchans, sizeof(jp2_cdefchan_t)))) {
+ 		return -1;
+ 	}
+ 	for (channo = 0; channo < cdef->numchans; ++channo) {
+@@ -774,7 +774,7 @@ static int jp2_cmap_getdata(jp2_box_t *box, jas_stream_t *in)
+ 	unsigned int i;
+ 
+ 	cmap->numchans = (box->datalen) / 4;
+-	if (!(cmap->ents = jas_malloc(cmap->numchans * sizeof(jp2_cmapent_t)))) {
++	if (!(cmap->ents = jas_alloc2(cmap->numchans, sizeof(jp2_cmapent_t)))) {
+ 		return -1;
+ 	}
+ 	for (i = 0; i < cmap->numchans; ++i) {
+@@ -836,10 +836,10 @@ static int jp2_pclr_getdata(jp2_box_t *box, jas_stream_t *in)
+ 		return -1;
+ 	}
+ 	lutsize = pclr->numlutents * pclr->numchans;
+-	if (!(pclr->lutdata = jas_malloc(lutsize * sizeof(int_fast32_t)))) {
++	if (!(pclr->lutdata = jas_alloc2(lutsize, sizeof(int_fast32_t)))) {
+ 		return -1;
+ 	}
+-	if (!(pclr->bpc = jas_malloc(pclr->numchans * sizeof(uint_fast8_t)))) {
++	if (!(pclr->bpc = jas_alloc2(pclr->numchans, sizeof(uint_fast8_t)))) {
+ 		return -1;
+ 	}
+ 	for (i = 0; i < pclr->numchans; ++i) {
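Review bot: lutsize is computed as pclr->numlutents * pclr->numchans in the context line above the change, unchecked, so jas_alloc2(lutsize, sizeof(int_fast32_t)) can receive a wrapped count. Pass the factors separately, jas_alloc3(pclr->numlutents, pclr->numchans, sizeof(int_fast32_t)), so that both multiplications are covered.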
+diff --git a/src/libjasper/jp2/jp2_dec.c b/src/libjasper/jp2/jp2_dec.c
+index 65772de..5f7be7e 100644
+--- a/src/libjasper/jp2/jp2_dec.c
++++ b/src/libjasper/jp2/jp2_dec.c
+@@ -336,7 +336,7 @@ jas_image_t *jp2_decode(jas_stream_t *in, char *optstr)
+ 	}
+ 
+ 	/* Allocate space for the channel-number to component-number LUT. */
+-	if (!(dec->chantocmptlut = jas_malloc(dec->numchans * sizeof(uint_fast16_t)))) {
++	if (!(dec->chantocmptlut = jas_alloc2(dec->numchans, sizeof(uint_fast16_t)))) {
+ 		jas_eprintf("error: no memory\n");
+ 		goto error;
+ 	}
+@@ -354,7 +354,7 @@ jas_image_t *jp2_decode(jas_stream_t *in, char *optstr)
+ 			if (cmapent->map == JP2_CMAP_DIRECT) {
+ 				dec->chantocmptlut[channo] = channo;
+ 			} else if (cmapent->map == JP2_CMAP_PALETTE) {
+-				lutents = jas_malloc(pclrd->numlutents * sizeof(int_fast32_t));
++				lutents = jas_alloc2(pclrd->numlutents, sizeof(int_fast32_t));
+ 				for (i = 0; i < pclrd->numlutents; ++i) {
+ 					lutents[i] = pclrd->lutdata[cmapent->pcol + i * pclrd->numchans];
+ 				}
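Review bot: lutents is taken from jas_alloc2 and written in the for loop on the next line with no NULL test. jp2_decode already has an error label, used by the chantocmptlut allocation in the previous hunk, so add if (!lutents) goto error; before the loop.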
+diff --git a/src/libjasper/jp2/jp2_enc.c b/src/libjasper/jp2/jp2_enc.c
+index d41392f..b837612 100644
+--- a/src/libjasper/jp2/jp2_enc.c
++++ b/src/libjasper/jp2/jp2_enc.c
+@@ -194,7 +194,7 @@ int sgnd;
+ 		}
+ 		bpcc = &box->data.bpcc;
+ 		bpcc->numcmpts = jas_image_numcmpts(image);
+-		if (!(bpcc->bpcs = jas_malloc(bpcc->numcmpts *
++		if (!(bpcc->bpcs = jas_alloc2(bpcc->numcmpts,
+ 		  sizeof(uint_fast8_t)))) {
+ 			goto error;
+ 		}
+@@ -288,7 +288,7 @@ int sgnd;
+ 		}
+ 		cdef = &box->data.cdef;
+ 		cdef->numchans = jas_image_numcmpts(image);
+-		cdef->ents = jas_malloc(cdef->numchans * sizeof(jp2_cdefchan_t));
++		cdef->ents = jas_alloc2(cdef->numchans, sizeof(jp2_cdefchan_t));
+ 		for (i = 0; i < jas_image_numcmpts(image); ++i) {
+ 			cdefchanent = &cdef->ents[i];
+ 			cdefchanent->channo = i;
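Review bot: cdef->ents is dereferenced in the loop that follows (`cdefchanent = &cdef->ents[i]`) with no check of the jas_alloc2 return value, while the bpcc->bpcs allocation in the previous hunk does `goto error` on failure. The same check belongs here while the line is being touched.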
+diff --git a/src/libjasper/jpc/jpc_cs.c b/src/libjasper/jpc/jpc_cs.c
+index f076571..d1fe721 100644
+--- a/src/libjasper/jpc/jpc_cs.c
++++ b/src/libjasper/jpc/jpc_cs.c
+@@ -502,7 +502,7 @@ static int jpc_siz_getparms(jpc_ms_t *ms, jpc_cstate_t *cstate,
+ 	  !siz->tileheight || !siz->numcomps) {
+ 		return -1;
+ 	}
+-	if (!(siz->comps = jas_malloc(siz->numcomps * sizeof(jpc_sizcomp_t)))) {
++	if (!(siz->comps = jas_alloc2(siz->numcomps, sizeof(jpc_sizcomp_t)))) {
+ 		return -1;
+ 	}
+ 	for (i = 0; i < siz->numcomps; ++i) {
+@@ -1091,7 +1091,7 @@ static int jpc_ppm_getparms(jpc_ms_t *ms, jpc_cstate_t *cstate, jas_stream_t *in
+ 
+ 	ppm->len = ms->len - 1;
+ 	if (ppm->len > 0) {
+-		if (!(ppm->data = jas_malloc(ppm->len * sizeof(unsigned char)))) {
++		if (!(ppm->data = jas_malloc(ppm->len))) {
+ 			goto error;
+ 		}
+ 		if (JAS_CAST(uint, jas_stream_read(in, ppm->data, ppm->len)) != ppm->len) {
+@@ -1160,7 +1160,7 @@ static int jpc_ppt_getparms(jpc_ms_t *ms, jpc_cstate_t *cstate, jas_stream_t *in
+ 	}
+ 	ppt->len = ms->len - 1;
+ 	if (ppt->len > 0) {
+-		if (!(ppt->data = jas_malloc(ppt->len * sizeof(unsigned char)))) {
++		if (!(ppt->data = jas_malloc(ppt->len))) {
+ 			goto error;
+ 		}
+ 		if (jas_stream_read(in, (char *) ppt->data, ppt->len) != JAS_CAST(int, ppt->len)) {
+@@ -1223,7 +1223,7 @@ static int jpc_poc_getparms(jpc_ms_t *ms, jpc_cstate_t *cstate, jas_stream_t *in
+ 	uint_fast8_t tmp;
+ 	poc->numpchgs = (cstate->numcomps > 256) ? (ms->len / 9) :
+ 	  (ms->len / 7);
+-	if (!(poc->pchgs = jas_malloc(poc->numpchgs * sizeof(jpc_pocpchg_t)))) {
++	if (!(poc->pchgs = jas_alloc2(poc->numpchgs, sizeof(jpc_pocpchg_t)))) {
+ 		goto error;
+ 	}
+ 	for (pchgno = 0, pchg = poc->pchgs; pchgno < poc->numpchgs; ++pchgno,
+@@ -1328,7 +1328,7 @@ static int jpc_crg_getparms(jpc_ms_t *ms, jpc_cstate_t *cstate, jas_stream_t *in
+ 	jpc_crgcomp_t *comp;
+ 	uint_fast16_t compno;
+ 	crg->numcomps = cstate->numcomps;
+-	if (!(crg->comps = jas_malloc(cstate->numcomps * sizeof(uint_fast16_t)))) {
++	if (!(crg->comps = jas_alloc2(cstate->numcomps, sizeof(uint_fast16_t)))) {
+ 		return -1;
+ 	}
+ 	for (compno = 0, comp = crg->comps; compno < cstate->numcomps;
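Review bot: in jpc_crg_getparms the element size passed to jas_alloc2 is still sizeof(uint_fast16_t), but crg->comps is walked through a `jpc_crgcomp_t *comp`, and the jpc_enc.c hunk of this patch allocates the same array with sizeof(jpc_crgcomp_t). Unless the two types have the same size, the buffer is too small for cstate->numcomps entries; use sizeof(jpc_crgcomp_t) here as well.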
+@@ -1467,7 +1467,7 @@ static int jpc_unk_getparms(jpc_ms_t *ms, jpc_cstate_t *cstate, jas_stream_t *in
+ 	cstate = 0;
+ 
+ 	if (ms->len > 0) {
+-		if (!(unk->data = jas_malloc(ms->len * sizeof(unsigned char)))) {
++		if (!(unk->data = jas_malloc(ms->len))) {
+ 			return -1;
+ 		}
+ 		if (jas_stream_read(in, (char *) unk->data, ms->len) != JAS_CAST(int, ms->len)) {
+diff --git a/src/libjasper/jpc/jpc_dec.c b/src/libjasper/jpc/jpc_dec.c
+index fa72a0e..b1ea056 100644
+--- a/src/libjasper/jpc/jpc_dec.c
++++ b/src/libjasper/jpc/jpc_dec.c
+@@ -449,7 +449,7 @@ static int jpc_dec_process_sot(jpc_dec_t *dec, jpc_ms_t *ms)
+ 
+ 	if (dec->state == JPC_MH) {
+ 
+-		compinfos = jas_malloc(dec->numcomps * sizeof(jas_image_cmptparm_t));
++		compinfos = jas_alloc2(dec->numcomps, sizeof(jas_image_cmptparm_t));
+ 		assert(compinfos);
+ 		for (cmptno = 0, cmpt = dec->cmpts, compinfo = compinfos;
+ 		  cmptno < dec->numcomps; ++cmptno, ++cmpt, ++compinfo) {
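Review bot: the only failure handling for compinfos in jpc_dec_process_sot is `assert(compinfos)`, which disappears in an NDEBUG build and aborts the process otherwise. This should return -1 on a NULL result, like the other decoder allocations touched in this file.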
+@@ -692,7 +692,7 @@ static int jpc_dec_tileinit(jpc_dec_t *dec, jpc_dec_tile_t *tile)
+ 			tile->realmode = 1;
+ 		}
+ 		tcomp->numrlvls = ccp->numrlvls;
+-		if (!(tcomp->rlvls = jas_malloc(tcomp->numrlvls *
++		if (!(tcomp->rlvls = jas_alloc2(tcomp->numrlvls,
+ 		  sizeof(jpc_dec_rlvl_t)))) {
+ 			return -1;
+ 		}
+@@ -764,7 +764,7 @@ rlvl->bands = 0;
+ 			  rlvl->cbgheightexpn);
+ 
+ 			rlvl->numbands = (!rlvlno) ? 1 : 3;
+-			if (!(rlvl->bands = jas_malloc(rlvl->numbands *
++			if (!(rlvl->bands = jas_alloc2(rlvl->numbands,
+ 			  sizeof(jpc_dec_band_t)))) {
+ 				return -1;
+ 			}
+@@ -797,7 +797,7 @@ rlvl->bands = 0;
+ 
+ 				assert(rlvl->numprcs);
+ 
+-				if (!(band->prcs = jas_malloc(rlvl->numprcs * sizeof(jpc_dec_prc_t)))) {
++				if (!(band->prcs = jas_alloc2(rlvl->numprcs, sizeof(jpc_dec_prc_t)))) {
+ 					return -1;
+ 				}
+ 
+@@ -834,7 +834,7 @@ rlvl->bands = 0;
+ 			if (!(prc->numimsbstagtree = jpc_tagtree_create(prc->numhcblks, prc->numvcblks))) {
+ 				return -1;
+ 			}
+-			if (!(prc->cblks = jas_malloc(prc->numcblks * sizeof(jpc_dec_cblk_t)))) {
++			if (!(prc->cblks = jas_alloc2(prc->numcblks, sizeof(jpc_dec_cblk_t)))) {
+ 				return -1;
+ 			}
+ 
+@@ -1181,7 +1181,7 @@ static int jpc_dec_process_siz(jpc_dec_t *dec, jpc_ms_t *ms)
+ 		return -1;
+ 	}
+ 
+-	if (!(dec->cmpts = jas_malloc(dec->numcomps * sizeof(jpc_dec_cmpt_t)))) {
++	if (!(dec->cmpts = jas_alloc2(dec->numcomps, sizeof(jpc_dec_cmpt_t)))) {
+ 		return -1;
+ 	}
+ 
+@@ -1204,7 +1204,7 @@ static int jpc_dec_process_siz(jpc_dec_t *dec, jpc_ms_t *ms)
+ 	dec->numhtiles = JPC_CEILDIV(dec->xend - dec->tilexoff, dec->tilewidth);
+ 	dec->numvtiles = JPC_CEILDIV(dec->yend - dec->tileyoff, dec->tileheight);
+ 	dec->numtiles = dec->numhtiles * dec->numvtiles;
+-	if (!(dec->tiles = jas_malloc(dec->numtiles * sizeof(jpc_dec_tile_t)))) {
++	if (!(dec->tiles = jas_alloc2(dec->numtiles, sizeof(jpc_dec_tile_t)))) {
+ 		return -1;
+ 	}
+ 
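Review bot: `dec->numtiles = dec->numhtiles * dec->numvtiles` in jpc_dec_process_siz is evaluated before the allocation, so jas_alloc2 only sees the already-multiplied count and cannot detect a wrap in the tile count itself. Either check that product explicitly or allocate with jas_alloc3(dec->numhtiles, dec->numvtiles, sizeof(jpc_dec_tile_t)) so that an oversized tile grid fails at this point.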
+@@ -1228,7 +1228,7 @@ static int jpc_dec_process_siz(jpc_dec_t *dec, jpc_ms_t *ms)
+ 		tile->pkthdrstreampos = 0;
+ 		tile->pptstab = 0;
+ 		tile->cp = 0;
+-		if (!(tile->tcomps = jas_malloc(dec->numcomps *
++		if (!(tile->tcomps = jas_alloc2(dec->numcomps,
+ 		  sizeof(jpc_dec_tcomp_t)))) {
+ 			return -1;
+ 		}
+@@ -1489,7 +1489,7 @@ static jpc_dec_cp_t *jpc_dec_cp_create(uint_fast16_t numcomps)
+ 	cp->numlyrs = 0;
+ 	cp->mctid = 0;
+ 	cp->csty = 0;
+-	if (!(cp->ccps = jas_malloc(cp->numcomps * sizeof(jpc_dec_ccp_t)))) {
++	if (!(cp->ccps = jas_alloc2(cp->numcomps, sizeof(jpc_dec_ccp_t)))) {
+ 		return 0;
+ 	}
+ 	if (!(cp->pchglist = jpc_pchglist_create())) {
+@@ -2048,7 +2048,7 @@ jpc_streamlist_t *jpc_streamlist_create()
+ 	}
+ 	streamlist->numstreams = 0;
+ 	streamlist->maxstreams = 100;
+-	if (!(streamlist->streams = jas_malloc(streamlist->maxstreams *
++	if (!(streamlist->streams = jas_alloc2(streamlist->maxstreams,
+ 	  sizeof(jas_stream_t *)))) {
+ 		jas_free(streamlist);
+ 		return 0;
+@@ -2068,8 +2068,8 @@ int jpc_streamlist_insert(jpc_streamlist_t *streamlist, int streamno,
+ 	/* Grow the array of streams if necessary. */
+ 	if (streamlist->numstreams >= streamlist->maxstreams) {
+ 		newmaxstreams = streamlist->maxstreams + 1024;
+-		if (!(newstreams = jas_realloc(streamlist->streams,
+-		  (newmaxstreams + 1024) * sizeof(jas_stream_t *)))) {
++		if (!(newstreams = jas_realloc2(streamlist->streams,
++		  (newmaxstreams + 1024), sizeof(jas_stream_t *)))) {
+ 			return -1;
+ 		}
+ 		for (i = streamlist->numstreams; i < streamlist->maxstreams; ++i) {
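Review bot: jpc_streamlist_insert sets `newmaxstreams = streamlist->maxstreams + 1024` and then requests `(newmaxstreams + 1024)` elements, so the 1024 is added twice and the requested count no longer matches newmaxstreams. The patch carries this over unchanged; passing newmaxstreams as the count would keep the allocation and the bookkeeping in step. The addition itself is also still unchecked.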
+@@ -2155,8 +2155,7 @@ int jpc_ppxstab_grow(jpc_ppxstab_t *tab, int maxents)
+ {
+ 	jpc_ppxstabent_t **newents;
+ 	if (tab->maxents < maxents) {
+-		newents = (tab->ents) ? jas_realloc(tab->ents, maxents *
+-		  sizeof(jpc_ppxstabent_t *)) : jas_malloc(maxents * sizeof(jpc_ppxstabent_t *));
++		newents = jas_realloc2(tab->ents, maxents, sizeof(jpc_ppxstabent_t *));
+ 		if (!newents) {
+ 			return -1;
+ 		}
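Review bot: dropping the `(tab->ents) ? jas_realloc(...) : jas_malloc(...)` split in jpc_ppxstab_grow means jas_realloc2 is now called with a NULL pointer on first growth, and the same simplification is made in mif_hdr_growcmpts. That is correct only if jas_realloc2 is guaranteed to behave like a fresh allocation for NULL; a comment on the helper saying so would make the dependency explicit. maxents is also a signed int here, so a negative value should be rejected before it is converted to a size.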
+diff --git a/src/libjasper/jpc/jpc_enc.c b/src/libjasper/jpc/jpc_enc.c
+index bbe1ef2..6299ead 100644
+--- a/src/libjasper/jpc/jpc_enc.c
++++ b/src/libjasper/jpc/jpc_enc.c
+@@ -403,7 +403,7 @@ static jpc_enc_cp_t *cp_create(char *optstr, jas_image_t *image)
+ 		vsteplcm *= jas_image_cmptvstep(image, cmptno);
+ 	}
+ 
+-	if (!(cp->ccps = jas_malloc(cp->numcmpts * sizeof(jpc_enc_ccp_t)))) {
++	if (!(cp->ccps = jas_alloc2(cp->numcmpts, sizeof(jpc_enc_ccp_t)))) {
+ 		goto error;
+ 	}
+ 	for (cmptno = 0, ccp = cp->ccps; cmptno < JAS_CAST(int, cp->numcmpts); ++cmptno,
+@@ -656,7 +656,7 @@ static jpc_enc_cp_t *cp_create(char *optstr, jas_image_t *image)
+ 
+ 	if (ilyrrates && numilyrrates > 0) {
+ 		tcp->numlyrs = numilyrrates + 1;
+-		if (!(tcp->ilyrrates = jas_malloc((tcp->numlyrs - 1) *
++		if (!(tcp->ilyrrates = jas_alloc2((tcp->numlyrs - 1),
+ 		  sizeof(jpc_fix_t)))) {
+ 			goto error;
+ 		}
+@@ -940,7 +940,7 @@ startoff = jas_stream_getrwcount(enc->out);
+ 	siz->tilewidth = cp->tilewidth;
+ 	siz->tileheight = cp->tileheight;
+ 	siz->numcomps = cp->numcmpts;
+-	siz->comps = jas_malloc(siz->numcomps * sizeof(jpc_sizcomp_t));
++	siz->comps = jas_alloc2(siz->numcomps, sizeof(jpc_sizcomp_t));
+ 	assert(siz->comps);
+ 	for (i = 0; i < JAS_CAST(int, cp->numcmpts); ++i) {
+ 		siz->comps[i].prec = cp->ccps[i].prec;
+@@ -977,7 +977,7 @@ startoff = jas_stream_getrwcount(enc->out);
+ 		return -1;
+ 	}
+ 	crg = &enc->mrk->parms.crg;
+-	crg->comps = jas_malloc(crg->numcomps * sizeof(jpc_crgcomp_t));
++	crg->comps = jas_alloc2(crg->numcomps, sizeof(jpc_crgcomp_t));
+ 	if (jpc_putms(enc->out, enc->cstate, enc->mrk)) {
+ 		jas_eprintf("cannot write CRG marker\n");
+ 		return -1;
+@@ -1955,7 +1955,7 @@ jpc_enc_tile_t *jpc_enc_tile_create(jpc_enc_cp_t *cp, jas_image_t *image, int ti
+ 	tile->mctid = cp->tcp.mctid;
+ 
+ 	tile->numlyrs = cp->tcp.numlyrs;
+-	if (!(tile->lyrsizes = jas_malloc(tile->numlyrs *
++	if (!(tile->lyrsizes = jas_alloc2(tile->numlyrs,
+ 	  sizeof(uint_fast32_t)))) {
+ 		goto error;
+ 	}
+@@ -1964,7 +1964,7 @@ jpc_enc_tile_t *jpc_enc_tile_create(jpc_enc_cp_t *cp, jas_image_t *image, int ti
+ 	}
+ 
+ 	/* Allocate an array for the per-tile-component information. */
+-	if (!(tile->tcmpts = jas_malloc(cp->numcmpts * sizeof(jpc_enc_tcmpt_t)))) {
++	if (!(tile->tcmpts = jas_alloc2(cp->numcmpts, sizeof(jpc_enc_tcmpt_t)))) {
+ 		goto error;
+ 	}
+ 	/* Initialize a few members critical for error recovery. */
+@@ -2110,7 +2110,7 @@ static jpc_enc_tcmpt_t *tcmpt_create(jpc_enc_tcmpt_t *tcmpt, jpc_enc_cp_t *cp,
+ 	  jas_seq2d_ystart(tcmpt->data), jas_seq2d_xend(tcmpt->data),
+ 	  jas_seq2d_yend(tcmpt->data), bandinfos);
+ 
+-	if (!(tcmpt->rlvls = jas_malloc(tcmpt->numrlvls * sizeof(jpc_enc_rlvl_t)))) {
++	if (!(tcmpt->rlvls = jas_alloc2(tcmpt->numrlvls, sizeof(jpc_enc_rlvl_t)))) {
+ 		goto error;
+ 	}
+ 	for (rlvlno = 0, rlvl = tcmpt->rlvls; rlvlno < tcmpt->numrlvls;
+@@ -2213,7 +2213,7 @@ static jpc_enc_rlvl_t *rlvl_create(jpc_enc_rlvl_t *rlvl, jpc_enc_cp_t *cp,
+ 	rlvl->numvprcs = JPC_FLOORDIVPOW2(brprcbry - tlprctly, rlvl->prcheightexpn);
+ 	rlvl->numprcs = rlvl->numhprcs * rlvl->numvprcs;
+ 
+-	if (!(rlvl->bands = jas_malloc(rlvl->numbands * sizeof(jpc_enc_band_t)))) {
++	if (!(rlvl->bands = jas_alloc2(rlvl->numbands, sizeof(jpc_enc_band_t)))) {
+ 		goto error;
+ 	}
+ 	for (bandno = 0, band = rlvl->bands; bandno < rlvl->numbands;
+@@ -2290,7 +2290,7 @@ if (bandinfo->xstart != bandinfo->xend && bandinfo->ystart != bandinfo->yend) {
+ 	band->synweight = bandinfo->synenergywt;
+ 
+ if (band->data) {
+-	if (!(band->prcs = jas_malloc(rlvl->numprcs * sizeof(jpc_enc_prc_t)))) {
++	if (!(band->prcs = jas_alloc2(rlvl->numprcs, sizeof(jpc_enc_prc_t)))) {
+ 		goto error;
+ 	}
+ 	for (prcno = 0, prc = band->prcs; prcno < rlvl->numprcs; ++prcno,
+@@ -2422,7 +2422,7 @@ if (!rlvlno) {
+ 			goto error;
+ 		}
+ 
+-		if (!(prc->cblks = jas_malloc(prc->numcblks * sizeof(jpc_enc_cblk_t)))) {
++		if (!(prc->cblks = jas_alloc2(prc->numcblks, sizeof(jpc_enc_cblk_t)))) {
+ 			goto error;
+ 		}
+ 		for (cblkno = 0, cblk = prc->cblks; cblkno < prc->numcblks;
+diff --git a/src/libjasper/jpc/jpc_mqdec.c b/src/libjasper/jpc/jpc_mqdec.c
+index 4cc2f46..66a8581 100644
+--- a/src/libjasper/jpc/jpc_mqdec.c
++++ b/src/libjasper/jpc/jpc_mqdec.c
+@@ -118,7 +118,7 @@ jpc_mqdec_t *jpc_mqdec_create(int maxctxs, jas_stream_t *in)
+ 	mqdec->in = in;
+ 	mqdec->maxctxs = maxctxs;
+ 	/* Allocate memory for the per-context state information. */
+-	if (!(mqdec->ctxs = jas_malloc(mqdec->maxctxs * sizeof(jpc_mqstate_t *)))) {
++	if (!(mqdec->ctxs = jas_alloc2(mqdec->maxctxs, sizeof(jpc_mqstate_t *)))) {
+ 		goto error;
+ 	}
+ 	/* Set the current context to the first context. */
+diff --git a/src/libjasper/jpc/jpc_mqenc.c b/src/libjasper/jpc/jpc_mqenc.c
+index 758b361..399581e 100644
+--- a/src/libjasper/jpc/jpc_mqenc.c
++++ b/src/libjasper/jpc/jpc_mqenc.c
+@@ -197,7 +197,7 @@ jpc_mqenc_t *jpc_mqenc_create(int maxctxs, jas_stream_t *out)
+ 	mqenc->maxctxs = maxctxs;
+ 
+ 	/* Allocate memory for the per-context state information. */
+-	if (!(mqenc->ctxs = jas_malloc(mqenc->maxctxs * sizeof(jpc_mqstate_t *)))) {
++	if (!(mqenc->ctxs = jas_alloc2(mqenc->maxctxs, sizeof(jpc_mqstate_t *)))) {
+ 		goto error;
+ 	}
+ 
+diff --git a/src/libjasper/jpc/jpc_qmfb.c b/src/libjasper/jpc/jpc_qmfb.c
+index 00d406d..cf3320b 100644
+--- a/src/libjasper/jpc/jpc_qmfb.c
++++ b/src/libjasper/jpc/jpc_qmfb.c
+@@ -321,7 +321,7 @@ void jpc_qmfb_split_row(jpc_fix_t *a, int numcols, int parity)
+ #if !defined(HAVE_VLA)
+ 	/* Get a buffer. */
+ 	if (bufsize > QMFB_SPLITBUFSIZE) {
+-		if (!(buf = jas_malloc(bufsize * sizeof(jpc_fix_t)))) {
++		if (!(buf = jas_alloc2(bufsize, sizeof(jpc_fix_t)))) {
+ 			/* We have no choice but to commit suicide in this case. */
+ 			abort();
+ 		}
+@@ -389,7 +389,7 @@ void jpc_qmfb_split_col(jpc_fix_t *a, int numrows, int stride,
+ #if !defined(HAVE_VLA)
+ 	/* Get a buffer. */
+ 	if (bufsize > QMFB_SPLITBUFSIZE) {
+-		if (!(buf = jas_malloc(bufsize * sizeof(jpc_fix_t)))) {
++		if (!(buf = jas_alloc2(bufsize, sizeof(jpc_fix_t)))) {
+ 			/* We have no choice but to commit suicide in this case. */
+ 			abort();
+ 		}
+@@ -460,7 +460,7 @@ void jpc_qmfb_split_colgrp(jpc_fix_t *a, int numrows, int stride,
+ #if !defined(HAVE_VLA)
+ 	/* Get a buffer. */
+ 	if (bufsize > QMFB_SPLITBUFSIZE) {
+-		if (!(buf = jas_malloc(bufsize * sizeof(jpc_fix_t)))) {
++		if (!(buf = jas_alloc2(bufsize, sizeof(jpc_fix_t)))) {
+ 			/* We have no choice but to commit suicide in this case. */
+ 			abort();
+ 		}
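Review bot: jpc_qmfb_split_colgrp requests bufsize elements, whereas jpc_qmfb_join_colgrp further down in this file requests bufsize * JPC_QMFB_COLGRPSIZE elements for what looks like the matching column-group buffer. Please confirm the split side is not undersized; if it is, the call should read `jas_alloc2(bufsize, JPC_QMFB_COLGRPSIZE * sizeof(jpc_fix_t))` as in the join hunk.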
+@@ -549,7 +549,7 @@ void jpc_qmfb_split_colres(jpc_fix_t *a, int numrows, int numcols,
+ #if !defined(HAVE_VLA)
+ 	/* Get a buffer. */
+ 	if (bufsize > QMFB_SPLITBUFSIZE) {
+-		if (!(buf = jas_malloc(bufsize * sizeof(jpc_fix_t)))) {
++		if (!(buf = jas_alloc2(bufsize, sizeof(jpc_fix_t)))) {
+ 			/* We have no choice but to commit suicide in this case. */
+ 			abort();
+ 		}
+@@ -633,7 +633,7 @@ void jpc_qmfb_join_row(jpc_fix_t *a, int numcols, int parity)
+ #if !defined(HAVE_VLA)
+ 	/* Allocate memory for the join buffer from the heap. */
+ 	if (bufsize > QMFB_JOINBUFSIZE) {
+-		if (!(buf = jas_malloc(bufsize * sizeof(jpc_fix_t)))) {
++		if (!(buf = jas_alloc2(bufsize, sizeof(jpc_fix_t)))) {
+ 			/* We have no choice but to commit suicide. */
+ 			abort();
+ 		}
+@@ -698,7 +698,7 @@ void jpc_qmfb_join_col(jpc_fix_t *a, int numrows, int stride,
+ #if !defined(HAVE_VLA)
+ 	/* Allocate memory for the join buffer from the heap. */
+ 	if (bufsize > QMFB_JOINBUFSIZE) {
+-		if (!(buf = jas_malloc(bufsize * sizeof(jpc_fix_t)))) {
++		if (!(buf = jas_alloc2(bufsize, sizeof(jpc_fix_t)))) {
+ 			/* We have no choice but to commit suicide. */
+ 			abort();
+ 		}
+@@ -766,7 +766,7 @@ void jpc_qmfb_join_colgrp(jpc_fix_t *a, int numrows, int stride,
+ #if !defined(HAVE_VLA)
+ 	/* Allocate memory for the join buffer from the heap. */
+ 	if (bufsize > QMFB_JOINBUFSIZE) {
+-		if (!(buf = jas_malloc(bufsize * JPC_QMFB_COLGRPSIZE * sizeof(jpc_fix_t)))) {
++		if (!(buf = jas_alloc2(bufsize, JPC_QMFB_COLGRPSIZE * sizeof(jpc_fix_t)))) {
+ 			/* We have no choice but to commit suicide. */
+ 			abort();
+ 		}
+@@ -852,7 +852,7 @@ void jpc_qmfb_join_colres(jpc_fix_t *a, int numrows, int numcols,
+ #if !defined(HAVE_VLA)
+ 	/* Allocate memory for the join buffer from the heap. */
+ 	if (bufsize > QMFB_JOINBUFSIZE) {
+-		if (!(buf = jas_malloc(bufsize * numcols * sizeof(jpc_fix_t)))) {
++		if (!(buf = jas_alloc3(bufsize, numcols, sizeof(jpc_fix_t)))) {
+ 			/* We have no choice but to commit suicide. */
+ 			abort();
+ 		}
+diff --git a/src/libjasper/jpc/jpc_t1enc.c b/src/libjasper/jpc/jpc_t1enc.c
+index 3a5acea..c8bfd21 100644
+--- a/src/libjasper/jpc/jpc_t1enc.c
++++ b/src/libjasper/jpc/jpc_t1enc.c
+@@ -219,7 +219,7 @@ int jpc_enc_enccblk(jpc_enc_t *enc, jas_stream_t *out, jpc_enc_tcmpt_t *tcmpt, j
+ 
+ 	cblk->numpasses = (cblk->numbps > 0) ? (3 * cblk->numbps - 2) : 0;
+ 	if (cblk->numpasses > 0) {
+-		cblk->passes = jas_malloc(cblk->numpasses * sizeof(jpc_enc_pass_t));
++		cblk->passes = jas_alloc2(cblk->numpasses, sizeof(jpc_enc_pass_t));
+ 		assert(cblk->passes);
+ 	} else {
+ 		cblk->passes = 0;
+diff --git a/src/libjasper/jpc/jpc_t2cod.c b/src/libjasper/jpc/jpc_t2cod.c
+index e734900..f3d030a 100644
+--- a/src/libjasper/jpc/jpc_t2cod.c
++++ b/src/libjasper/jpc/jpc_t2cod.c
+@@ -573,7 +573,7 @@ int jpc_pchglist_insert(jpc_pchglist_t *pchglist, int pchgno, jpc_pchg_t *pchg)
+ 	}
+ 	if (pchglist->numpchgs >= pchglist->maxpchgs) {
+ 		newmaxpchgs = pchglist->maxpchgs + 128;
+-		if (!(newpchgs = jas_realloc(pchglist->pchgs, newmaxpchgs * sizeof(jpc_pchg_t *)))) {
++		if (!(newpchgs = jas_realloc2(pchglist->pchgs, newmaxpchgs, sizeof(jpc_pchg_t *)))) {
+ 			return -1;
+ 		}
+ 		pchglist->maxpchgs = newmaxpchgs;
+diff --git a/src/libjasper/jpc/jpc_t2dec.c b/src/libjasper/jpc/jpc_t2dec.c
+index 6d2cb72..8300f9b 100644
+--- a/src/libjasper/jpc/jpc_t2dec.c
++++ b/src/libjasper/jpc/jpc_t2dec.c
+@@ -478,7 +478,7 @@ jpc_pi_t *jpc_dec_pi_create(jpc_dec_t *dec, jpc_dec_tile_t *tile)
+ 		return 0;
+ 	}
+ 	pi->numcomps = dec->numcomps;
+-	if (!(pi->picomps = jas_malloc(pi->numcomps * sizeof(jpc_picomp_t)))) {
++	if (!(pi->picomps = jas_alloc2(pi->numcomps, sizeof(jpc_picomp_t)))) {
+ 		jpc_pi_destroy(pi);
+ 		return 0;
+ 	}
+@@ -490,7 +490,7 @@ jpc_pi_t *jpc_dec_pi_create(jpc_dec_t *dec, jpc_dec_tile_t *tile)
+ 	for (compno = 0, tcomp = tile->tcomps, picomp = pi->picomps;
+ 	  compno < pi->numcomps; ++compno, ++tcomp, ++picomp) {
+ 		picomp->numrlvls = tcomp->numrlvls;
+-		if (!(picomp->pirlvls = jas_malloc(picomp->numrlvls *
++		if (!(picomp->pirlvls = jas_alloc2(picomp->numrlvls,
+ 		  sizeof(jpc_pirlvl_t)))) {
+ 			jpc_pi_destroy(pi);
+ 			return 0;
+@@ -503,7 +503,7 @@ jpc_pi_t *jpc_dec_pi_create(jpc_dec_t *dec, jpc_dec_tile_t *tile)
+ 		  rlvlno < picomp->numrlvls; ++rlvlno, ++pirlvl, ++rlvl) {
+ /* XXX sizeof(long) should be sizeof different type */
+ 			pirlvl->numprcs = rlvl->numprcs;
+-			if (!(pirlvl->prclyrnos = jas_malloc(pirlvl->numprcs *
++			if (!(pirlvl->prclyrnos = jas_alloc2(pirlvl->numprcs,
+ 			  sizeof(long)))) {
+ 				jpc_pi_destroy(pi);
+ 				return 0;
+diff --git a/src/libjasper/jpc/jpc_t2enc.c b/src/libjasper/jpc/jpc_t2enc.c
+index 9358a1c..d96066f 100644
+--- a/src/libjasper/jpc/jpc_t2enc.c
++++ b/src/libjasper/jpc/jpc_t2enc.c
+@@ -565,7 +565,7 @@ jpc_pi_t *jpc_enc_pi_create(jpc_enc_cp_t *cp, jpc_enc_tile_t *tile)
+ 	}
+ 	pi->pktno = -1;
+ 	pi->numcomps = cp->numcmpts;
+-	if (!(pi->picomps = jas_malloc(pi->numcomps * sizeof(jpc_picomp_t)))) {
++	if (!(pi->picomps = jas_alloc2(pi->numcomps, sizeof(jpc_picomp_t)))) {
+ 		jpc_pi_destroy(pi);
+ 		return 0;
+ 	}
+@@ -577,7 +577,7 @@ jpc_pi_t *jpc_enc_pi_create(jpc_enc_cp_t *cp, jpc_enc_tile_t *tile)
+ 	for (compno = 0, tcomp = tile->tcmpts, picomp = pi->picomps;
+ 	  compno < pi->numcomps; ++compno, ++tcomp, ++picomp) {
+ 		picomp->numrlvls = tcomp->numrlvls;
+-		if (!(picomp->pirlvls = jas_malloc(picomp->numrlvls *
++		if (!(picomp->pirlvls = jas_alloc2(picomp->numrlvls,
+ 		  sizeof(jpc_pirlvl_t)))) {
+ 			jpc_pi_destroy(pi);
+ 			return 0;
+@@ -591,7 +591,7 @@ jpc_pi_t *jpc_enc_pi_create(jpc_enc_cp_t *cp, jpc_enc_tile_t *tile)
+ /* XXX sizeof(long) should be sizeof different type */
+ 			pirlvl->numprcs = rlvl->numprcs;
+ 			if (rlvl->numprcs) {
+-				if (!(pirlvl->prclyrnos = jas_malloc(pirlvl->numprcs *
++				if (!(pirlvl->prclyrnos = jas_alloc2(pirlvl->numprcs,
+ 				  sizeof(long)))) {
+ 					jpc_pi_destroy(pi);
+ 					return 0;
+diff --git a/src/libjasper/jpc/jpc_tagtree.c b/src/libjasper/jpc/jpc_tagtree.c
+index 06422d3..8dce000 100644
+--- a/src/libjasper/jpc/jpc_tagtree.c
++++ b/src/libjasper/jpc/jpc_tagtree.c
+@@ -125,7 +125,7 @@ jpc_tagtree_t *jpc_tagtree_create(int numleafsh, int numleafsv)
+ 		++numlvls;
+ 	} while (n > 1);
+ 
+-	if (!(tree->nodes_ = jas_malloc(tree->numnodes_ * sizeof(jpc_tagtreenode_t)))) {
++	if (!(tree->nodes_ = jas_alloc2(tree->numnodes_, sizeof(jpc_tagtreenode_t)))) {
+ 		return 0;
+ 	}
+ 
+diff --git a/src/libjasper/jpc/jpc_util.c b/src/libjasper/jpc/jpc_util.c
+index f53e248..6da1b66 100644
+--- a/src/libjasper/jpc/jpc_util.c
++++ b/src/libjasper/jpc/jpc_util.c
+@@ -109,7 +109,7 @@ int jpc_atoaf(char *s, int *numvalues, double **values)
+ 	}
+ 
+ 	if (n) {
+-		if (!(vs = jas_malloc(n * sizeof(double)))) {
++		if (!(vs = jas_alloc2(n, sizeof(double)))) {
+ 			return -1;
+ 		}
+ 
+diff --git a/src/libjasper/mif/mif_cod.c b/src/libjasper/mif/mif_cod.c
+index 17506a1..a1b29dc 100644
+--- a/src/libjasper/mif/mif_cod.c
++++ b/src/libjasper/mif/mif_cod.c
+@@ -438,8 +438,7 @@ static int mif_hdr_growcmpts(mif_hdr_t *hdr, int maxcmpts)
+ 	int cmptno;
+ 	mif_cmpt_t **newcmpts;
+ 	assert(maxcmpts >= hdr->numcmpts);
+-	newcmpts = (!hdr->cmpts) ? jas_malloc(maxcmpts * sizeof(mif_cmpt_t *)) :
+-	  jas_realloc(hdr->cmpts, maxcmpts * sizeof(mif_cmpt_t *));
++	newcmpts = jas_realloc2(hdr->cmpts, maxcmpts, sizeof(mif_cmpt_t *));
+ 	if (!newcmpts) {
+ 		return -1;
+ 	}




Tags added: patch Request was from Pierre Habouzit <madcoder@debian.org> to control@bugs.debian.org. (Sun, 12 Oct 2008 20:03:09 GMT).


Reply sent to Pierre Habouzit <madcoder@debian.org>:
You have taken responsibility. (Tue, 14 Oct 2008 22:03:17 GMT).


Notification sent to Nico Golde <nion@debian.org>:
Bug acknowledged by developer. (Tue, 14 Oct 2008 22:03:18 GMT).


Message #24 received at 501021-close@bugs.debian.org:

From: Pierre Habouzit <madcoder@debian.org>
To: 501021-close@bugs.debian.org
Subject: Bug#501021: fixed in jasper 1.900.1-5.1
Date: Tue, 14 Oct 2008 21:32:27 +0000
Source: jasper
Source-Version: 1.900.1-5.1

We believe that the bug you reported is fixed in the latest version of
jasper, which is due to be installed in the Debian FTP archive:

jasper_1.900.1-5.1.diff.gz
  to pool/main/j/jasper/jasper_1.900.1-5.1.diff.gz
jasper_1.900.1-5.1.dsc
  to pool/main/j/jasper/jasper_1.900.1-5.1.dsc
libjasper-dev_1.900.1-5.1_amd64.deb
  to pool/main/j/jasper/libjasper-dev_1.900.1-5.1_amd64.deb
libjasper-runtime_1.900.1-5.1_amd64.deb
  to pool/main/j/jasper/libjasper-runtime_1.900.1-5.1_amd64.deb
libjasper1_1.900.1-5.1_amd64.deb
  to pool/main/j/jasper/libjasper1_1.900.1-5.1_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 501021@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Pierre Habouzit <madcoder@debian.org> (supplier of updated jasper package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)



Format: 1.8
Date: Sun, 12 Oct 2008 21:40:59 +0200
Source: jasper
Binary: libjasper1 libjasper-dev libjasper-runtime
Architecture: source amd64
Version: 1.900.1-5.1
Distribution: unstable
Urgency: low
Maintainer: Roland Stigge <stigge@antcom.de>
Changed-By: Pierre Habouzit <madcoder@debian.org>
Description: 
 libjasper-dev - Development files for the JasPer JPEG-2000 library
 libjasper-runtime - Programs for manipulating JPEG-2000 files
 libjasper1 - The JasPer JPEG-2000 runtime library
Closes: 501021
Changes: 
 jasper (1.900.1-5.1) unstable; urgency=low
 .
   * Non-maintainer upload.
   * add patches/02_security.dpatch to fix various CVEs (Closes: #501021):
      + CVE-2008-3522[0]: Buffer overflow.
      + CVE-2008-3521[1]: unsecure temporary files handling.
      + CVE-2008-3520[2]: Multiple integer overflows.





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 16 Mar 2009 08:08:56 GMT).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 12:56:39 2019; Machine Name: buxtehude
