$OpenBSD: patch-src_libjasper_base_jas_icc_c,v 1.3 2016/03/09 15:16:05 jasper Exp $

Security fix for CVE-2016-1577: Prevent double-free in jas_iccattrval_destroy()
from https://launchpad.net/bugs/1547865

Security fix for CVE-2016-2116: Prevent jas_stream_t memory leak in jas_iccprof_createfrombuf()

Security fix for CVE-2014-8137: double-free
from slackware

--- src/libjasper/base/jas_icc.c.orig	Fri Jan 19 22:43:05 2007
+++ src/libjasper/base/jas_icc.c	Wed Mar  9 16:11:14 2016
@@ -300,6 +300,7 @@ jas_iccprof_t *jas_iccprof_load(jas_stream_t *in)
 				if (jas_iccprof_setattr(prof, tagtabent->tag, attrval))
 					goto error;
 				jas_iccattrval_destroy(attrval);
+				attrval = 0;
 			} else {
 #if 0
 				jas_eprintf("warning: skipping unknown tag type\n");
@@ -373,7 +374,7 @@ int jas_iccprof_save(jas_iccprof_t *prof, jas_stream_t
 	jas_icctagtab_t *tagtab;
 
 	tagtab = &prof->tagtab;
-	if (!(tagtab->ents = jas_malloc(prof->attrtab->numattrs *
+	if (!(tagtab->ents = jas_alloc2(prof->attrtab->numattrs,
 	  sizeof(jas_icctagtabent_t))))
 		goto error;
 	tagtab->numents = prof->attrtab->numattrs;
@@ -522,7 +523,7 @@ static int jas_iccprof_gettagtab(jas_stream_t *in, jas
 	}
 	if (jas_iccgetuint32(in, &tagtab->numents))
 		goto error;
-	if (!(tagtab->ents = jas_malloc(tagtab->numents *
+	if (!(tagtab->ents = jas_alloc2(tagtab->numents,
 	  sizeof(jas_icctagtabent_t))))
 		goto error;
 	tagtabent = tagtab->ents;
@@ -743,8 +744,7 @@ static int jas_iccattrtab_resize(jas_iccattrtab_t *tab
 {
 	jas_iccattr_t *newattrs;
 	assert(maxents >= tab->numattrs);
-	newattrs = tab->attrs ? jas_realloc(tab->attrs, maxents *
-	  sizeof(jas_iccattr_t)) : jas_malloc(maxents * sizeof(jas_iccattr_t));
+	newattrs = jas_realloc2(tab->attrs, maxents, sizeof(jas_iccattr_t));
 	if (!newattrs)
 		return -1;
 	tab->attrs = newattrs;
@@ -999,7 +999,7 @@ static int jas_icccurv_input(jas_iccattrval_t *attrval
 
 	if (jas_iccgetuint32(in, &curv->numents))
 		goto error;
-	if (!(curv->ents = jas_malloc(curv->numents * sizeof(jas_iccuint16_t))))
+	if (!(curv->ents = jas_alloc2(curv->numents, sizeof(jas_iccuint16_t))))
 		goto error;
 	for (i = 0; i < curv->numents; ++i) {
 		if (jas_iccgetuint16(in, &curv->ents[i]))
@@ -1011,7 +1011,6 @@ static int jas_icccurv_input(jas_iccattrval_t *attrval
 	return 0;
 
 error:
-	jas_icccurv_destroy(attrval);
 	return -1;
 }
 
@@ -1100,7 +1099,7 @@ static int jas_icctxtdesc_input(jas_iccattrval_t *attr
 	if (jas_iccgetuint32(in, &txtdesc->uclangcode) ||
 	  jas_iccgetuint32(in, &txtdesc->uclen))
 		goto error;
-	if (!(txtdesc->ucdata = jas_malloc(txtdesc->uclen * 2)))
+	if (!(txtdesc->ucdata = jas_alloc2(txtdesc->uclen, 2)))
 		goto error;
 	if (jas_stream_read(in, txtdesc->ucdata, txtdesc->uclen * 2) !=
 	  JAS_CAST(int, txtdesc->uclen * 2))
@@ -1129,7 +1128,6 @@ static int jas_icctxtdesc_input(jas_iccattrval_t *attr
 #endif
 	return 0;
 error:
-	jas_icctxtdesc_destroy(attrval);
 	return -1;
 }
 
@@ -1208,8 +1206,6 @@ static int jas_icctxt_input(jas_iccattrval_t *attrval,
 		goto error;
 	return 0;
 error:
-	if (txt->string)
-		jas_free(txt->string);
 	return -1;
 }
 
@@ -1292,17 +1288,17 @@ static int jas_icclut8_input(jas_iccattrval_t *attrval
 	  jas_iccgetuint16(in, &lut8->numouttabents))
 		goto error;
 	clutsize = jas_iccpowi(lut8->clutlen, lut8->numinchans) * lut8->numoutchans;
-	if (!(lut8->clut = jas_malloc(clutsize * sizeof(jas_iccuint8_t))) ||
-	  !(lut8->intabsbuf = jas_malloc(lut8->numinchans *
-	  lut8->numintabents * sizeof(jas_iccuint8_t))) ||
-	  !(lut8->intabs = jas_malloc(lut8->numinchans *
+	if (!(lut8->clut = jas_alloc2(clutsize, sizeof(jas_iccuint8_t))) ||
+	  !(lut8->intabsbuf = jas_alloc3(lut8->numinchans,
+	  lut8->numintabents, sizeof(jas_iccuint8_t))) ||
+	  !(lut8->intabs = jas_alloc2(lut8->numinchans,
 	  sizeof(jas_iccuint8_t *))))
 		goto error;
 	for (i = 0; i < lut8->numinchans; ++i)
 		lut8->intabs[i] = &lut8->intabsbuf[i * lut8->numintabents];
-	if (!(lut8->outtabsbuf = jas_malloc(lut8->numoutchans *
-	  lut8->numouttabents * sizeof(jas_iccuint8_t))) ||
-	  !(lut8->outtabs = jas_malloc(lut8->numoutchans *
+	if (!(lut8->outtabsbuf = jas_alloc3(lut8->numoutchans,
+	  lut8->numouttabents, sizeof(jas_iccuint8_t))) ||
+	  !(lut8->outtabs = jas_alloc2(lut8->numoutchans,
 	  sizeof(jas_iccuint8_t *))))
 		goto error;
 	for (i = 0; i < lut8->numoutchans; ++i)
@@ -1330,7 +1326,6 @@ static int jas_icclut8_input(jas_iccattrval_t *attrval
 		goto error;
 	return 0;
 error:
-	jas_icclut8_destroy(attrval);
 	return -1;
 }
 
@@ -1461,17 +1456,17 @@ static int jas_icclut16_input(jas_iccattrval_t *attrva
 	  jas_iccgetuint16(in, &lut16->numouttabents))
 		goto error;
 	clutsize = jas_iccpowi(lut16->clutlen, lut16->numinchans) * lut16->numoutchans;
-	if (!(lut16->clut = jas_malloc(clutsize * sizeof(jas_iccuint16_t))) ||
+	if (!(lut16->clut = jas_alloc2(clutsize, sizeof(jas_iccuint16_t))) ||
 	  !(lut16->intabsbuf = jas_malloc(lut16->numinchans *
 	  lut16->numintabents * sizeof(jas_iccuint16_t))) ||
-	  !(lut16->intabs = jas_malloc(lut16->numinchans *
+	  !(lut16->intabs = jas_alloc2(lut16->numinchans,
 	  sizeof(jas_iccuint16_t *))))
 		goto error;
 	for (i = 0; i < lut16->numinchans; ++i)
 		lut16->intabs[i] = &lut16->intabsbuf[i * lut16->numintabents];
-	if (!(lut16->outtabsbuf = jas_malloc(lut16->numoutchans *
-	  lut16->numouttabents * sizeof(jas_iccuint16_t))) ||
-	  !(lut16->outtabs = jas_malloc(lut16->numoutchans *
+	if (!(lut16->outtabsbuf = jas_alloc3(lut16->numoutchans,
+	  lut16->numouttabents, sizeof(jas_iccuint16_t))) ||
+	  !(lut16->outtabs = jas_alloc2(lut16->numoutchans,
 	  sizeof(jas_iccuint16_t *))))
 		goto error;
 	for (i = 0; i < lut16->numoutchans; ++i)
@@ -1499,7 +1494,6 @@ static int jas_icclut16_input(jas_iccattrval_t *attrva
 		goto error;
 	return 0;
 error:
-	jas_icclut16_destroy(attrval);
 	return -1;
 }
 
@@ -1699,6 +1693,9 @@ jas_iccprof_t *jas_iccprof_createfrombuf(uchar *buf, i
 	jas_stream_close(in);
 	return prof;
 error:
+	if (in)
+		jas_stream_close(in);
+
 	return 0;
 }
 
