From 3d021f52384f5d1dd94f8b73283e50cf180d783f Mon Sep 17 00:00:00 2001
From: lzq11122
Date: Fri, 19 Sep 2025 16:43:03 +0800
Subject: [PATCH 1/2] test
Signed-off-by: lzq11122
---
 0002-CVE-2025-8835.patch | 176 +++++++++++++++++++++++++++++++++++++++
 jasper.spec | 6 +-
 2 files changed, 181 insertions(+), 1 deletion(-)
 create mode 100644 0002-CVE-2025-8835.patch
diff --git a/0002-CVE-2025-8835.patch b/0002-CVE-2025-8835.patch
new file mode 100644
index 0000000..705b1f6
--- /dev/null
+++ b/0002-CVE-2025-8835.patch
@@ -0,0 +1,176 @@
+From 4bb4a8f16869bad93c71ad13eceff5e249f2dc77 Mon Sep 17 00:00:00 2001
+From: rpm-build
+Date: Fri, 19 Sep 2025 16:31:40 +0800
+Subject: [PATCH 1/1] Fix CVE-2025-8835
+
+---
+ data/test/other/poc_400.pnm | Bin
+ src/libjasper/base/jas_image.c | 74 ++++++++++++++++++++++++++++-----
+ 2 files changed, 63 insertions(+), 11 deletions(-)
+ create mode 100644 data/test/other/poc_400.pnm
+
+diff --git a/data/test/other/poc_400.pnm b/data/test/other/poc_400.pnm
+new file mode 100644
+index 0000000000000000000000000000000000000000..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391
+diff --git a/src/libjasper/base/jas_image.c b/src/libjasper/base/jas_image.c
+index 1ed0905..f54d9a7 100644
+--- a/src/libjasper/base/jas_image.c
++++ b/src/libjasper/base/jas_image.c
+@@ -118,6 +118,8 @@ static void jas_image_calcbbox2(const jas_image_t *image,
+ jas_image_coord_t *bry);
+ static void jas_image_fmtinfo_init(jas_image_fmtinfo_t *fmtinfo);
+ static void jas_image_fmtinfo_cleanup(jas_image_fmtinfo_t *fmtinfo);
++static jas_cmcmptfmt_t* jas_cmcmptfmt_array_create(int n);
++static void jas_cmcmptfmt_array_destroy(jas_cmcmptfmt_t* cmptfmts, int n);
+
+ /******************************************************************************\
+ * Create and destroy operations.
+@@ -413,6 +415,37 @@ static void jas_image_cmpt_destroy(jas_image_cmpt_t *cmpt)
+ jas_free(cmpt);
+ }
+
++static jas_cmcmptfmt_t* jas_cmcmptfmt_array_create(int n)
++{
++ jas_cmcmptfmt_t* cmptfmts;
++ JAS_LOGDEBUGF(10, "jas_cmcmptfmt_array_create(%d)\n", n);
++ if (!(cmptfmts = jas_alloc2(n, sizeof(jas_cmcmptfmt_t)))) {
++ return 0;
++ }
++ for (int i = 0; i < n; ++i) {
++ cmptfmts[i].buf = 0;
++ }
++ JAS_LOGDEBUGF(10, "jas_cmcmptfmt_array_create(%d) returning %p\n", n,
++ JAS_CAST(void *, cmptfmts));
++ return cmptfmts;
++}
++
++static void jas_cmcmptfmt_array_destroy(jas_cmcmptfmt_t* cmptfmts, int n)
++{
++ assert(cmptfmts);
++ assert(n > 0);
++ JAS_LOGDEBUGF(10, "jas_cmcmptfmt_array_destroy(%p, %d)\n",
++ JAS_CAST(void *, cmptfmts), n);
++ for (int i = 0; i < n; ++i) {
++ if (cmptfmts[i].buf) {
++ jas_free(cmptfmts[i].buf);
++ }
++ cmptfmts[i].buf = 0;
++ }
++ jas_free(cmptfmts);
++}
++
++
+ /******************************************************************************\
+ * Load and save operations.
+ \******************************************************************************/
+@@ -1588,12 +1621,15 @@ jas_image_t *jas_image_chclrspc(jas_image_t *image,
+ jas_cmcmptfmt_t *incmptfmts;
+ jas_cmcmptfmt_t *outcmptfmts;
+
++ assert(image);
++ assert(outprof);
++
+ #if 0
+ jas_eprintf("IMAGE\n");
+ jas_image_dump(image, stderr);
+ #endif
+
+- if (image->numcmpts_ == 0) {
++ if (!jas_image_numcmpts(image)) {
+ /*
+ can't work with a file with no components;
+ continuing would crash because we'd attempt to
+@@ -1604,6 +1640,8 @@ jas_image_t *jas_image_chclrspc(jas_image_t *image,
+
+ outimage = 0;
+ xform = 0;
++ incmptfmts = 0;
++ outcmptfmts = 0;
+ if (!(inimage = jas_image_copy(image))) {
+ goto error;
+ }
+@@ -1694,16 +1732,22 @@ jas_image_t *jas_image_chclrspc(jas_image_t *image,
+ }
+
+ inpixmap.numcmpts = numinclrchans;
+- if (!(incmptfmts = jas_alloc2(numinclrchans, sizeof(jas_cmcmptfmt_t)))) {
++ assert(numinclrchans != 0);
++ if (!(incmptfmts = jas_cmcmptfmt_array_create(numinclrchans))) {
+ // formerly call to abort()
+ goto error;
+ }
+ inpixmap.cmptfmts = incmptfmts;
+ for (unsigned i = 0; i < numinclrchans; ++i) {
+ const int j = jas_image_getcmptbytype(inimage, JAS_IMAGE_CT_COLOR(i));
++ if (j < 0) {
++ jas_logerrorf("missing color component %d\n", i);
++ goto error;
++ }
+ if (!(incmptfmts[i].buf = jas_alloc2(width, sizeof(long)))) {
+ goto error;
+ }
++ assert(j >= 0 && j < jas_image_numcmpts(inimage));
+ incmptfmts[i].prec = jas_image_cmptprec(inimage, j);
+ incmptfmts[i].sgnd = jas_image_cmptsgnd(inimage, j);
+ incmptfmts[i].width = width;
+@@ -1711,7 +1755,7 @@ jas_image_t *jas_image_chclrspc(jas_image_t *image,
+ }
+
+ outpixmap.numcmpts = numoutclrchans;
+- if (!(outcmptfmts = jas_alloc2(numoutclrchans, sizeof(jas_cmcmptfmt_t)))) {
++ if (!(outcmptfmts = jas_cmcmptfmt_array_create(numoutclrchans))) {
+ // formerly call to abort()
+ goto error;
+ }
+@@ -1719,9 +1763,14 @@ jas_image_t *jas_image_chclrspc(jas_image_t *image,
+
+ for (unsigned i = 0; i < numoutclrchans; ++i) {
+ const int j = jas_image_getcmptbytype(outimage, JAS_IMAGE_CT_COLOR(i));
++ if (j < 0) {
++ jas_logerrorf("missing color component %d\n", i);
++ goto error;
++ }
+ if (!(outcmptfmts[i].buf = jas_alloc2(width, sizeof(long)))) {
+ goto error;
+ }
++ assert(j >= 0 && j < jas_image_numcmpts(outimage));
+ outcmptfmts[i].prec = jas_image_cmptprec(outimage, j);
+ outcmptfmts[i].sgnd = jas_image_cmptsgnd(outimage, j);
+ outcmptfmts[i].width = width;
+@@ -1745,15 +1794,10 @@ jas_image_t *jas_image_chclrspc(jas_image_t *image,
+ }
+ }
+ }
++
+
+- for (unsigned i = 0; i < numoutclrchans; ++i) {
+- jas_free(outcmptfmts[i].buf);
+- }
+- jas_free(outcmptfmts);
+- for (unsigned i = 0; i < numinclrchans; ++i) {
+- jas_free(incmptfmts[i].buf);
+- }
+- jas_free(incmptfmts);
++ jas_cmcmptfmt_array_destroy(outcmptfmts, numoutclrchans);
++ jas_cmcmptfmt_array_destroy(incmptfmts, numinclrchans);
+ jas_cmxform_destroy(xform);
+ jas_image_destroy(inimage);
+
+@@ -1765,6 +1809,14 @@ jas_image_t *jas_image_chclrspc(jas_image_t *image,
+ #endif
+ return outimage;
+ error:
++ if (incmptfmts) {
++ assert(numinclrchans);
++ jas_cmcmptfmt_array_destroy(incmptfmts, numinclrchans);
++ }
++ if (outcmptfmts) {
++ assert(numoutclrchans);
++ jas_cmcmptfmt_array_destroy(outcmptfmts, numoutclrchans);
++ }
+ if (xform) {
+ jas_cmxform_destroy(xform);
+ }
+--
+2.43.5
+
diff --git a/jasper.spec b/jasper.spec
index 111ff68..0a8e0a3 100644
--- a/jasper.spec
+++ b/jasper.spec
@@ -1,4 +1,4 @@
-%define anolis_release 1
+%define anolis_release 2
 Summary: Implementation of the JPEG-2000 standard, Part 1
 Name: jasper
@@ -12,6 +12,7 @@ Source0: https://github.com/jasper-software/%{name}/archive/refs/tags/version-%{
 # skip hard-coded prefix/lib rpath
 Patch1: jasper-4.1.0-rpath.patch
 Patch2: 0001-CVE-2023-51257.patch
+Patch3: 0002-CVE-2025-8835.patch
 # autoreconf
 BuildRequires: cmake
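Review bot: In the jas_image.c changes carried by this patch file, the only new check that is evaluated at run time is `if (j < 0)` in the two colour-channel loops of jas_image_chclrspc; the non-null, `numinclrchans != 0` and index-range conditions are `assert`s, which do nothing when the library is built with NDEBUG. jas_cmcmptfmt_array_create likewise accepts any `int n` while jas_cmcmptfmt_array_destroy asserts `n > 0`, so adding `if (n <= 0) { return 0; }` at the top of the create helper would route a zero or negative count to the existing `goto error` path instead of relying on an assertion. Both `jas_logerrorf("missing color component %d\n", i);` calls also pass the `unsigned` loop index to `%d`; `%u` matches the type. The declarations of numinclrchans and numoutclrchans, and the rest of jas_image_chclrspc, lie outside the hunks, so the zero-count case is inferred rather than shown.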
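Review bot: The section of the nested patch that creates `data/test/other/poc_400.pnm` carries no content: its index line ends in `e69de29bb2d1d6434b8b29ae775ad8c2e48c5391`, which is git's hash for the empty blob, and no binary delta follows it. Applying `0002-CVE-2025-8835.patch` therefore yields at most an empty file, so the package gains no regression input for CVE-2025-8835. Either drop that section from the patch or ship the test image as a separate source and reference it from a `%check` step, if the spec has one; the rest of `jasper.spec` is not visible in these hunks.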
@@ -105,6 +106,9 @@ Requires: %{name}-libs = %{version}-%{release}
 %{_mandir}/man1/jiv.1*
 %changelog
+* Fri Sep 19 2025 lzq11122 - 4.1.0.2
+- Fix CVE-2025-8835
+
 * Fri Feb 28 2025 Xiaoping Liu - 4.1.0-1
 - update to 4.1.0 from 4.0.0
 - Remove the patch because it does not affect the current version
--
Gitee
From e00239338d5ec0416afa91919548124d684c827b Mon Sep 17 00:00:00 2001
From: lzq11122
Date: Fri, 19 Sep 2025 17:30:05 +0800
Subject: [PATCH 2/2] test
Signed-off-by: lzq11122
---
 jasper.spec | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/jasper.spec b/jasper.spec
index 0a8e0a3..8e8c806 100644
--- a/jasper.spec
+++ b/jasper.spec
@@ -106,7 +106,7 @@ Requires: %{name}-libs = %{version}-%{release}
 %{_mandir}/man1/jiv.1*
 %changelog
-* Fri Sep 19 2025 lzq11122 - 4.1.0.2
+* Fri Sep 19 2025 lzq11122 - 4.1.0-2
 - Fix CVE-2025-8835
 * Fri Feb 28 2025 Xiaoping Liu - 4.1.0-1
--
Gitee