Fixed CVEs:
- CVE-2016-9387
- CVE-2016-9388
- CVE-2016-9389
- CVE-2016-9390
- CVE-2016-9391
- CVE-2016-9392
- CVE-2016-9393
- CVE-2016-9394
- CVE-2016-9395
- CVE-2016-9396
- CVE-2016-9397
- CVE-2016-9398
- CVE-2016-9399
- CVE-2016-9557
- CVE-2016-9560
Changes to jasper.mk:
- Switched site method to GitHub. 1.900.31 is not released as a tarball
in the official website.
- Autoreconf necessary since there isn't any configure script. We need
to generate it.
Signed-off-by: Vicente Olivert Riera <Vincent.Riera@imgtec.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes:
CVE-2016-8693: Double free vulnerability in mem_close
CVE-2016-8692: Divide by zero in jpc_dec_process_siz
CVE-2016-8691: Divide by zero in jpc_dec_process_siz
CVE-2016-8690: Null pointer dereference in bmp_getdata triggered by crafted
BMP image
CVE-2016-2089: matrix rows_ NULL pointer dereference in jas_matrix_clip()
CVE-2016-8886: memory allocation failure in jas_malloc
CVE-2016-8887: Null pointer dereference in jp2_colr_destroy
CVE-2016-8884, CVE-2016-8885: Null pointer dereference in bmp_getdata
(incomplete fix for CVE-2016-8690)
CVE-2016-8880: Heap buffer overflow in jpc_dec_cp_setfromcox()
CVE-2016-8881: Heap buffer overflow in jpc_getuint16()
CVE-2016-8882: Null pointer access in jpc_pi_destroy
CVE-2016-8883: Assert in jpc_dec_tiledecode()
Drop upstream patches.
Change SITE to the official download location, since the current one does not
have the updated version. Unfortunately, the official site only offers tar.gz.
Fix license. It is "based on the MIT license", but not exactly the same
(http://www.ece.uvic.ca/~frodo/jasper/; under "Legal Issues").
Drop autoreconf; the autotools version has been updated since commit
324ccec90d (jasper: autoreconf to fix rpath issue) that introduced it.
Cc: Maxime Hadjinlian <maxime.hadjinlian@gmail.com>
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>