diff --git a/component/jasper/CVE-2011-4516-and-CVE-2011-4517.patch b/component/jasper/CVE-2011-4516-and-CVE-2011-4517.patch deleted file mode 100644 index 774a06274e304e78658f5de69022787435c9dfc2..0000000000000000000000000000000000000000 --- a/component/jasper/CVE-2011-4516-and-CVE-2011-4517.patch +++ /dev/null @@ -1,31 +0,0 @@ -Description: Fix for CVE-2011-4516 and CVE-2011-4517 - This patch fixes a possible denial of service and code execution via - heap-based buffer overflows. -Author: Michael Gilbert <michael.s.gilbert@gmail.com> -Origin: Patch thanks to Red Hat -Bug-Debian: http://bugs.debian.org/652649 - -Index: jasper-1.900.1/src/libjasper/jpc/jpc_cs.c -=================================================================== ---- jasper-1.900.1.orig/src/libjasper/jpc/jpc_cs.c 2011-12-19 09:35:34.186909298 -0500 -+++ jasper-1.900.1/src/libjasper/jpc/jpc_cs.c 2011-12-19 09:35:51.198909832 -0500 -@@ -744,6 +744,10 @@ - return -1; - } - compparms->numrlvls = compparms->numdlvls + 1; -+ if (compparms->numrlvls > JPC_MAXRLVLS) { -+ jpc_cox_destroycompparms(compparms); -+ return -1; -+ } - if (prtflag) { - for (i = 0; i < compparms->numrlvls; ++i) { - if (jpc_getuint8(in, &tmp)) { -@@ -1331,7 +1335,7 @@ - jpc_crgcomp_t *comp; - uint_fast16_t compno; - crg->numcomps = cstate->numcomps; -- if (!(crg->comps = jas_alloc2(cstate->numcomps, sizeof(uint_fast16_t)))) { -+ if (!(crg->comps = jas_alloc2(cstate->numcomps, sizeof(jpc_crgcomp_t)))) { - return -1; - } - for (compno = 0, comp = crg->comps; compno < cstate->numcomps; diff --git a/component/jasper/CVE-2014-8137.patch b/component/jasper/CVE-2014-8137.patch deleted file mode 100644 index 4822a4ee100e4a3e98e40c3328017d03f1c8b250..0000000000000000000000000000000000000000 --- a/component/jasper/CVE-2014-8137.patch +++ /dev/null 
@@ -1,66 +0,0 @@ -Description: CVE-2014-8137: double-free in in jas_iccattrval_destroy() -Origin: vendor, https://bugzilla.redhat.com/attachment.cgi?id=967283, - https://bugzilla.redhat.com/attachment.cgi?id=967284 -Bug-Debian: https://bugs.debian.org/773463 -Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1173157 -Forwarded: no -Author: Tomas Hoger <thoger@redhat.com> -Last-Update: 2014-12-20 - ---- a/src/libjasper/base/jas_icc.c -+++ b/src/libjasper/base/jas_icc.c -@@ -1010,7 +1010,6 @@ static int jas_icccurv_input(jas_iccattr - return 0; - - error: -- jas_icccurv_destroy(attrval); - return -1; - } - -@@ -1128,7 +1127,6 @@ static int jas_icctxtdesc_input(jas_icca - #endif - return 0; - error: -- jas_icctxtdesc_destroy(attrval); - return -1; - } - -@@ -1207,8 +1205,6 @@ static int jas_icctxt_input(jas_iccattrv - goto error; - return 0; - error: -- if (txt->string) -- jas_free(txt->string); - return -1; - } - -@@ -1329,7 +1325,6 @@ static int jas_icclut8_input(jas_iccattr - goto error; - return 0; - error: -- jas_icclut8_destroy(attrval); - return -1; - } - -@@ -1498,7 +1493,6 @@ static int jas_icclut16_input(jas_iccatt - goto error; - return 0; - error: -- jas_icclut16_destroy(attrval); - return -1; - } - ---- a/src/libjasper/jp2/jp2_dec.c -+++ b/src/libjasper/jp2/jp2_dec.c -@@ -291,7 +291,10 @@ jas_image_t *jp2_decode(jas_stream_t *in - case JP2_COLR_ICC: - iccprof = jas_iccprof_createfrombuf(dec->colr->data.colr.iccp, - dec->colr->data.colr.iccplen); -- assert(iccprof); -+ if (!iccprof) { -+ jas_eprintf("error: failed to parse ICC profile\n"); -+ goto error; -+ } - jas_iccprof_gethdr(iccprof, &icchdr); - jas_eprintf("ICC Profile CS %08x\n", icchdr.colorspc); - jas_image_setclrspc(dec->image, fromiccpcs(icchdr.colorspc)); diff --git a/component/jasper/CVE-2014-8138.patch b/component/jasper/CVE-2014-8138.patch deleted file mode 100644 index 8223c4567a5b8ef10759f962967d500b01d68cd0..0000000000000000000000000000000000000000 
--- a/component/jasper/CVE-2014-8138.patch +++ /dev/null @@ -1,22 +0,0 @@ -Description: CVE-2014-8138: heap overflow in jp2_decode() -Origin: vendor, https://bugzilla.redhat.com/attachment.cgi?id=967280 -Bug-Debian: https://bugs.debian.org/773463 -Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1173162 -Forwarded: no -Author: Tomas Hoger <thoger@redhat.com> -Last-Update: 2014-12-20 - ---- a/src/libjasper/jp2/jp2_dec.c -+++ b/src/libjasper/jp2/jp2_dec.c -@@ -389,6 +389,11 @@ jas_image_t *jp2_decode(jas_stream_t *in - /* Determine the type of each component. */ - if (dec->cdef) { - for (i = 0; i < dec->numchans; ++i) { -+ /* Is the channel number reasonable? */ -+ if (dec->cdef->data.cdef.ents[i].channo >= dec->numchans) { -+ jas_eprintf("error: invalid channel number in CDEF box\n"); -+ goto error; -+ } - jas_image_setcmpttype(dec->image, - dec->chantocmptlut[dec->cdef->data.cdef.ents[i].channo], - jp2_getct(jas_image_clrspc(dec->image), diff --git a/component/jasper/CVE-2014-8157.patch b/component/jasper/CVE-2014-8157.patch deleted file mode 100644 index a083e6ce64a31aa4d8cf1b4e41ed46f89a5bf2a7..0000000000000000000000000000000000000000 --- a/component/jasper/CVE-2014-8157.patch +++ /dev/null @@ -1,19 +0,0 @@ -Description: CVE-2014-8157: dec->numtiles off-by-one check in jpc_dec_process_sot() -Origin: vendor, http://pkgs.fedoraproject.org/cgit/jasper.git/tree/jasper-CVE-2014-8157.patch -Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1179282 -Bug-Debian: https://bugs.debian.org/775970 -Forwarded: not-needed -Author: Salvatore Bonaccorso <carnil@debian.org> -Last-Update: 2015-01-22 - ---- a/src/libjasper/jpc/jpc_dec.c -+++ b/src/libjasper/jpc/jpc_dec.c -@@ -489,7 +489,7 @@ static int jpc_dec_process_sot(jpc_dec_t - dec->curtileendoff = 0; - } - -- if (JAS_CAST(int, sot->tileno) > dec->numtiles) { -+ if (JAS_CAST(int, sot->tileno) >= dec->numtiles) { - jas_eprintf("invalid tile number in SOT marker segment\n"); - return -1; - } 
diff --git a/component/jasper/CVE-2014-8158.patch b/component/jasper/CVE-2014-8158.patch deleted file mode 100644 index af0f340bf1a97b9af8d88253e94d07cfca07f410..0000000000000000000000000000000000000000 --- a/component/jasper/CVE-2014-8158.patch +++ /dev/null 
@@ -1,336 +0,0 @@ -Description: CVE-2014-8158: unrestricted stack memory use in jpc_qmfb.c -Origin: vendor, http://pkgs.fedoraproject.org/cgit/jasper.git/tree/jasper-CVE-2014-8158.patch -Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1179298 -Bug-Debian: https://bugs.debian.org/775970 -Forwarded: not-needed -Author: Salvatore Bonaccorso <carnil@debian.org> -Last-Update: 2015-01-22 - ---- a/src/libjasper/jpc/jpc_qmfb.c -+++ b/src/libjasper/jpc/jpc_qmfb.c -@@ -306,11 +306,7 @@ void jpc_qmfb_split_row(jpc_fix_t *a, in - { - - int bufsize = JPC_CEILDIVPOW2(numcols, 1); --#if !defined(HAVE_VLA) - jpc_fix_t splitbuf[QMFB_SPLITBUFSIZE]; --#else -- jpc_fix_t splitbuf[bufsize]; --#endif - jpc_fix_t *buf = splitbuf; - register jpc_fix_t *srcptr; - register jpc_fix_t *dstptr; -@@ -318,7 +314,6 @@ void jpc_qmfb_split_row(jpc_fix_t *a, in - register int m; - int hstartcol; - --#if !defined(HAVE_VLA) - /* Get a buffer. */ - if (bufsize > QMFB_SPLITBUFSIZE) { - if (!(buf = jas_alloc2(bufsize, sizeof(jpc_fix_t)))) { -@@ -326,7 +321,6 @@ void jpc_qmfb_split_row(jpc_fix_t *a, in - abort(); - } - } --#endif - - if (numcols >= 2) { - hstartcol = (numcols + 1 - parity) >> 1; -@@ -360,12 +354,10 @@ void jpc_qmfb_split_row(jpc_fix_t *a, in - } - } - --#if !defined(HAVE_VLA) - /* If the split buffer was allocated on the heap, free this memory. */ - if (buf != splitbuf) { - jas_free(buf); - } --#endif - - } - -@@ -374,11 +366,7 @@ void jpc_qmfb_split_col(jpc_fix_t *a, in - { - - int bufsize = JPC_CEILDIVPOW2(numrows, 1); --#if !defined(HAVE_VLA) - jpc_fix_t splitbuf[QMFB_SPLITBUFSIZE]; --#else -- jpc_fix_t splitbuf[bufsize]; --#endif - jpc_fix_t *buf = splitbuf; - register jpc_fix_t *srcptr; - register jpc_fix_t *dstptr; -@@ -386,7 +374,6 @@ void jpc_qmfb_split_col(jpc_fix_t *a, in - register int m; - int hstartcol; - --#if !defined(HAVE_VLA) - /* Get a buffer. 
*/ - if (bufsize > QMFB_SPLITBUFSIZE) { - if (!(buf = jas_alloc2(bufsize, sizeof(jpc_fix_t)))) { -@@ -394,7 +381,6 @@ void jpc_qmfb_split_col(jpc_fix_t *a, in - abort(); - } - } --#endif - - if (numrows >= 2) { - hstartcol = (numrows + 1 - parity) >> 1; -@@ -428,12 +414,10 @@ void jpc_qmfb_split_col(jpc_fix_t *a, in - } - } - --#if !defined(HAVE_VLA) - /* If the split buffer was allocated on the heap, free this memory. */ - if (buf != splitbuf) { - jas_free(buf); - } --#endif - - } - -@@ -442,11 +426,7 @@ void jpc_qmfb_split_colgrp(jpc_fix_t *a, - { - - int bufsize = JPC_CEILDIVPOW2(numrows, 1); --#if !defined(HAVE_VLA) - jpc_fix_t splitbuf[QMFB_SPLITBUFSIZE * JPC_QMFB_COLGRPSIZE]; --#else -- jpc_fix_t splitbuf[bufsize * JPC_QMFB_COLGRPSIZE]; --#endif - jpc_fix_t *buf = splitbuf; - jpc_fix_t *srcptr; - jpc_fix_t *dstptr; -@@ -457,7 +437,6 @@ void jpc_qmfb_split_colgrp(jpc_fix_t *a, - int m; - int hstartcol; - --#if !defined(HAVE_VLA) - /* Get a buffer. */ - if (bufsize > QMFB_SPLITBUFSIZE) { - if (!(buf = jas_alloc2(bufsize, sizeof(jpc_fix_t)))) { -@@ -465,7 +444,6 @@ void jpc_qmfb_split_colgrp(jpc_fix_t *a, - abort(); - } - } --#endif - - if (numrows >= 2) { - hstartcol = (numrows + 1 - parity) >> 1; -@@ -517,12 +495,10 @@ void jpc_qmfb_split_colgrp(jpc_fix_t *a, - } - } - --#if !defined(HAVE_VLA) - /* If the split buffer was allocated on the heap, free this memory. */ - if (buf != splitbuf) { - jas_free(buf); - } --#endif - - } - -@@ -531,11 +507,7 @@ void jpc_qmfb_split_colres(jpc_fix_t *a, - { - - int bufsize = JPC_CEILDIVPOW2(numrows, 1); --#if !defined(HAVE_VLA) - jpc_fix_t splitbuf[QMFB_SPLITBUFSIZE * JPC_QMFB_COLGRPSIZE]; --#else -- jpc_fix_t splitbuf[bufsize * numcols]; --#endif - jpc_fix_t *buf = splitbuf; - jpc_fix_t *srcptr; - jpc_fix_t *dstptr; -@@ -546,7 +518,6 @@ void jpc_qmfb_split_colres(jpc_fix_t *a, - int m; - int hstartcol; - --#if !defined(HAVE_VLA) - /* Get a buffer. 
*/ - if (bufsize > QMFB_SPLITBUFSIZE) { - if (!(buf = jas_alloc2(bufsize, sizeof(jpc_fix_t)))) { -@@ -554,7 +525,6 @@ void jpc_qmfb_split_colres(jpc_fix_t *a, - abort(); - } - } --#endif - - if (numrows >= 2) { - hstartcol = (numrows + 1 - parity) >> 1; -@@ -606,12 +576,10 @@ void jpc_qmfb_split_colres(jpc_fix_t *a, - } - } - --#if !defined(HAVE_VLA) - /* If the split buffer was allocated on the heap, free this memory. */ - if (buf != splitbuf) { - jas_free(buf); - } --#endif - - } - -@@ -619,18 +587,13 @@ void jpc_qmfb_join_row(jpc_fix_t *a, int - { - - int bufsize = JPC_CEILDIVPOW2(numcols, 1); --#if !defined(HAVE_VLA) - jpc_fix_t joinbuf[QMFB_JOINBUFSIZE]; --#else -- jpc_fix_t joinbuf[bufsize]; --#endif - jpc_fix_t *buf = joinbuf; - register jpc_fix_t *srcptr; - register jpc_fix_t *dstptr; - register int n; - int hstartcol; - --#if !defined(HAVE_VLA) - /* Allocate memory for the join buffer from the heap. */ - if (bufsize > QMFB_JOINBUFSIZE) { - if (!(buf = jas_alloc2(bufsize, sizeof(jpc_fix_t)))) { -@@ -638,7 +601,6 @@ void jpc_qmfb_join_row(jpc_fix_t *a, int - abort(); - } - } --#endif - - hstartcol = (numcols + 1 - parity) >> 1; - -@@ -670,12 +632,10 @@ void jpc_qmfb_join_row(jpc_fix_t *a, int - ++srcptr; - } - --#if !defined(HAVE_VLA) - /* If the join buffer was allocated on the heap, free this memory. */ - if (buf != joinbuf) { - jas_free(buf); - } --#endif - - } - -@@ -684,18 +644,13 @@ void jpc_qmfb_join_col(jpc_fix_t *a, int - { - - int bufsize = JPC_CEILDIVPOW2(numrows, 1); --#if !defined(HAVE_VLA) - jpc_fix_t joinbuf[QMFB_JOINBUFSIZE]; --#else -- jpc_fix_t joinbuf[bufsize]; --#endif - jpc_fix_t *buf = joinbuf; - register jpc_fix_t *srcptr; - register jpc_fix_t *dstptr; - register int n; - int hstartcol; - --#if !defined(HAVE_VLA) - /* Allocate memory for the join buffer from the heap. 
*/ - if (bufsize > QMFB_JOINBUFSIZE) { - if (!(buf = jas_alloc2(bufsize, sizeof(jpc_fix_t)))) { -@@ -703,7 +658,6 @@ void jpc_qmfb_join_col(jpc_fix_t *a, int - abort(); - } - } --#endif - - hstartcol = (numrows + 1 - parity) >> 1; - -@@ -735,12 +689,10 @@ void jpc_qmfb_join_col(jpc_fix_t *a, int - ++srcptr; - } - --#if !defined(HAVE_VLA) - /* If the join buffer was allocated on the heap, free this memory. */ - if (buf != joinbuf) { - jas_free(buf); - } --#endif - - } - -@@ -749,11 +701,7 @@ void jpc_qmfb_join_colgrp(jpc_fix_t *a, - { - - int bufsize = JPC_CEILDIVPOW2(numrows, 1); --#if !defined(HAVE_VLA) - jpc_fix_t joinbuf[QMFB_JOINBUFSIZE * JPC_QMFB_COLGRPSIZE]; --#else -- jpc_fix_t joinbuf[bufsize * JPC_QMFB_COLGRPSIZE]; --#endif - jpc_fix_t *buf = joinbuf; - jpc_fix_t *srcptr; - jpc_fix_t *dstptr; -@@ -763,7 +711,6 @@ void jpc_qmfb_join_colgrp(jpc_fix_t *a, - register int i; - int hstartcol; - --#if !defined(HAVE_VLA) - /* Allocate memory for the join buffer from the heap. */ - if (bufsize > QMFB_JOINBUFSIZE) { - if (!(buf = jas_alloc2(bufsize, JPC_QMFB_COLGRPSIZE * sizeof(jpc_fix_t)))) { -@@ -771,7 +718,6 @@ void jpc_qmfb_join_colgrp(jpc_fix_t *a, - abort(); - } - } --#endif - - hstartcol = (numrows + 1 - parity) >> 1; - -@@ -821,12 +767,10 @@ void jpc_qmfb_join_colgrp(jpc_fix_t *a, - srcptr += JPC_QMFB_COLGRPSIZE; - } - --#if !defined(HAVE_VLA) - /* If the join buffer was allocated on the heap, free this memory. 
*/ - if (buf != joinbuf) { - jas_free(buf); - } --#endif - - } - -@@ -835,11 +779,7 @@ void jpc_qmfb_join_colres(jpc_fix_t *a, - { - - int bufsize = JPC_CEILDIVPOW2(numrows, 1); --#if !defined(HAVE_VLA) - jpc_fix_t joinbuf[QMFB_JOINBUFSIZE * JPC_QMFB_COLGRPSIZE]; --#else -- jpc_fix_t joinbuf[bufsize * numcols]; --#endif - jpc_fix_t *buf = joinbuf; - jpc_fix_t *srcptr; - jpc_fix_t *dstptr; -@@ -849,7 +789,6 @@ void jpc_qmfb_join_colres(jpc_fix_t *a, - register int i; - int hstartcol; - --#if !defined(HAVE_VLA) - /* Allocate memory for the join buffer from the heap. */ - if (bufsize > QMFB_JOINBUFSIZE) { - if (!(buf = jas_alloc3(bufsize, numcols, sizeof(jpc_fix_t)))) { -@@ -857,7 +796,6 @@ void jpc_qmfb_join_colres(jpc_fix_t *a, - abort(); - } - } --#endif - - hstartcol = (numrows + 1 - parity) >> 1; - -@@ -907,12 +845,10 @@ void jpc_qmfb_join_colres(jpc_fix_t *a, - srcptr += numcols; - } - --#if !defined(HAVE_VLA) - /* If the join buffer was allocated on the heap, free this memory. */ - if (buf != joinbuf) { - jas_free(buf); - } --#endif - - } - diff --git a/component/jasper/CVE-2014-9029.patch b/component/jasper/CVE-2014-9029.patch deleted file mode 100644 index 80adb0d0bc3e8ee7db589c4178541e67e1fec57c..0000000000000000000000000000000000000000 --- a/component/jasper/CVE-2014-9029.patch +++ /dev/null 
@@ -1,36 +0,0 @@ -Description: CVE-2014-9029: Heap overflows in libjasper -Origin: vendor -Forwarded: no -Author: Tomas Hoger <thoger@redhat.com> -Reviewed-by: Salvatore Bonaccorso <carnil@debian.org> -Last-Update: 2014-11-28 - ---- a/src/libjasper/jpc/jpc_dec.c -+++ b/src/libjasper/jpc/jpc_dec.c -@@ -1280,7 +1280,7 @@ static int jpc_dec_process_coc(jpc_dec_t - jpc_coc_t *coc = &ms->parms.coc; - jpc_dec_tile_t *tile; - -- if (JAS_CAST(int, coc->compno) > dec->numcomps) { -+ if (JAS_CAST(int, coc->compno) >= dec->numcomps) { - jas_eprintf("invalid component number in COC marker segment\n"); - return -1; - } -@@ -1306,7 +1306,7 @@ static int jpc_dec_process_rgn(jpc_dec_t - jpc_rgn_t *rgn = &ms->parms.rgn; - jpc_dec_tile_t *tile; - -- if (JAS_CAST(int, rgn->compno) > dec->numcomps) { -+ if (JAS_CAST(int, rgn->compno) >= dec->numcomps) { - jas_eprintf("invalid component number in RGN marker segment\n"); - return -1; - } -@@ -1355,7 +1355,7 @@ static int jpc_dec_process_qcc(jpc_dec_t - jpc_qcc_t *qcc = &ms->parms.qcc; - jpc_dec_tile_t *tile; - -- if (JAS_CAST(int, qcc->compno) > dec->numcomps) { -+ if (JAS_CAST(int, qcc->compno) >= dec->numcomps) { - jas_eprintf("invalid component number in QCC marker segment\n"); - return -1; - } diff --git a/component/jasper/CVE-2016-1577.patch b/component/jasper/CVE-2016-1577.patch deleted file mode 100644 index 75bbd526afb866c499ca56de11f1abd0d4467289..0000000000000000000000000000000000000000 --- a/component/jasper/CVE-2016-1577.patch +++ /dev/null 
@@ -1,19 +0,0 @@ -Description: CVE-2016-1577: Prevent double-free in jas_iccattrval_destroy() -Origin: vendor, http://www.openwall.com/lists/oss-security/2016/03/03/12 -Bug-Ubuntu: https://launchpad.net/bugs/1547865 -Bug-Debian: https://bugs.debian.org/816625 -Forwarded: not-needed -Author: Tyler Hicks <tyhicks@canonical.com> -Reviewed-by: Salvatore Bonaccorso <carnil@debian.org> -Last-Update: 2016-03-05 - ---- a/src/libjasper/base/jas_icc.c -+++ b/src/libjasper/base/jas_icc.c -@@ -300,6 +300,7 @@ jas_iccprof_t *jas_iccprof_load(jas_stre - if (jas_iccprof_setattr(prof, tagtabent->tag, attrval)) - goto error; - jas_iccattrval_destroy(attrval); -+ attrval = 0; - } else { - #if 0 - jas_eprintf("warning: skipping unknown tag type\n"); diff --git a/component/jasper/CVE-2016-1867_CVE-2016-8654_CVE-2016-8691_CVE-2016-8692_CVE-2016-8693_CVE-2016-8882_CVE-2016-9560.patch b/component/jasper/CVE-2016-1867_CVE-2016-8654_CVE-2016-8691_CVE-2016-8692_CVE-2016-8693_CVE-2016-8882_CVE-2016-9560.patch deleted file mode 100644 index dd177643bb825dade47e246161dccb700a5658df..0000000000000000000000000000000000000000 --- a/component/jasper/CVE-2016-1867_CVE-2016-8654_CVE-2016-8691_CVE-2016-8692_CVE-2016-8693_CVE-2016-8882_CVE-2016-9560.patch +++ /dev/null 
@@ -1,194 +0,0 @@ -diff -Naur jasper-1.900.1-debian1.orig/src/libjasper/base/jas_stream.c jasper-1.900.1-debian1/src/libjasper/base/jas_stream.c ---- jasper-1.900.1-debian1.orig/src/libjasper/base/jas_stream.c 2017-02-07 22:46:28.000000000 +0100 -+++ jasper-1.900.1-debian1/src/libjasper/base/jas_stream.c 2017-02-07 22:46:07.040456152 +0100 -@@ -985,8 +985,9 @@ - { - unsigned char *buf; - -- assert(m->buf_); -- if (!(buf = jas_realloc(m->buf_, bufsize))) { -+ //assert(m->buf_); -+ assert(bufsize >= 0); -+ if (!(buf = jas_realloc(m->buf_, bufsize)) && bufsize) { - return -1; - } - m->buf_ = buf; -diff -Naur jasper-1.900.1-debian1.orig/src/libjasper/jpc/jpc_cs.c jasper-1.900.1-debian1/src/libjasper/jpc/jpc_cs.c ---- jasper-1.900.1-debian1.orig/src/libjasper/jpc/jpc_cs.c 2017-02-07 22:46:28.000000000 +0100 -+++ jasper-1.900.1-debian1/src/libjasper/jpc/jpc_cs.c 2017-02-07 22:46:02.168382641 +0100 -@@ -512,6 +512,16 @@ - jas_free(siz->comps); - return -1; - } -+ if (siz->comps[i].hsamp == 0 || siz->comps[i].hsamp > 255) { -+ jas_eprintf("invalid XRsiz value %d\n", siz->comps[i].hsamp); -+ jas_free(siz->comps); -+ return -1; -+ } -+ if (siz->comps[i].vsamp == 0 || siz->comps[i].vsamp > 255) { -+ jas_eprintf("invalid YRsiz value %d\n", siz->comps[i].vsamp); -+ jas_free(siz->comps); -+ return -1; -+ } - siz->comps[i].sgnd = (tmp >> 7) & 1; - siz->comps[i].prec = (tmp & 0x7f) + 1; - } -diff -Naur jasper-1.900.1-debian1.orig/src/libjasper/jpc/jpc_dec.c jasper-1.900.1-debian1/src/libjasper/jpc/jpc_dec.c ---- jasper-1.900.1-debian1.orig/src/libjasper/jpc/jpc_dec.c 2017-02-07 22:46:28.000000000 +0100 -+++ jasper-1.900.1-debian1/src/libjasper/jpc/jpc_dec.c 2017-02-07 22:46:13.736555435 +0100 -@@ -674,7 +674,7 @@ - uint_fast32_t tmpxend; - uint_fast32_t tmpyend; - jpc_dec_cp_t *cp; -- jpc_tsfb_band_t bnds[64]; -+ jpc_tsfb_band_t bnds[JPC_MAXBANDS]; - jpc_pchg_t *pchg; - int pchgno; - jpc_dec_cmpt_t *cmpt; -@@ -989,23 +989,23 @@ - } - if (tile->cp) { - jpc_dec_cp_destroy(tile->cp); 
-- tile->cp = 0; -+ //tile->cp = 0; - } - if (tile->tcomps) { - jas_free(tile->tcomps); -- tile->tcomps = 0; -+ //tile->tcomps = 0; - } - if (tile->pi) { - jpc_pi_destroy(tile->pi); -- tile->pi = 0; -+ //tile->pi = 0; - } - if (tile->pkthdrstream) { - jas_stream_close(tile->pkthdrstream); -- tile->pkthdrstream = 0; -+ //tile->pkthdrstream = 0; - } - if (tile->pptstab) { - jpc_ppxstab_destroy(tile->pptstab); -- tile->pptstab = 0; -+ //tile->pptstab = 0; - } - - tile->state = JPC_TILE_DONE; -@@ -1148,7 +1148,11 @@ - return -1; - } - } -- jpc_dec_tilefini(dec, tile); -+ /* If the tile has not yet been finalized, finalize it. */ -+ // OLD CODE: jpc_dec_tilefini(dec, tile); -+ if (tile->state != JPC_TILE_DONE) { -+ jpc_dec_tilefini(dec, tile); -+ } - } - - /* We are done processing the code stream. */ -@@ -1204,6 +1208,8 @@ - dec->numhtiles = JPC_CEILDIV(dec->xend - dec->tilexoff, dec->tilewidth); - dec->numvtiles = JPC_CEILDIV(dec->yend - dec->tileyoff, dec->tileheight); - dec->numtiles = dec->numhtiles * dec->numvtiles; -+ JAS_DBGLOG(10, ("numtiles = %d; numhtiles = %d; numvtiles = %d;\n", -+ dec->numtiles, dec->numhtiles, dec->numvtiles)); - if (!(dec->tiles = jas_alloc2(dec->numtiles, sizeof(jpc_dec_tile_t)))) { - return -1; - } -@@ -1228,6 +1234,7 @@ - tile->pkthdrstreampos = 0; - tile->pptstab = 0; - tile->cp = 0; -+ tile->pi = 0; - if (!(tile->tcomps = jas_alloc2(dec->numcomps, - sizeof(jpc_dec_tcomp_t)))) { - return -1; -diff -Naur jasper-1.900.1-debian1.orig/src/libjasper/jpc/jpc_qmfb.c jasper-1.900.1-debian1/src/libjasper/jpc/jpc_qmfb.c ---- jasper-1.900.1-debian1.orig/src/libjasper/jpc/jpc_qmfb.c 2017-02-07 22:46:28.000000000 +0100 -+++ jasper-1.900.1-debian1/src/libjasper/jpc/jpc_qmfb.c 2017-02-07 22:45:59.328339293 +0100 -@@ -372,7 +372,7 @@ - register jpc_fix_t *dstptr; - register int n; - register int m; -- int hstartcol; -+ int hstartrow; - - /* Get a buffer. 
*/ - if (bufsize > QMFB_SPLITBUFSIZE) { -@@ -383,8 +383,9 @@ - } - - if (numrows >= 2) { -- hstartcol = (numrows + 1 - parity) >> 1; -- m = (parity) ? hstartcol : (numrows - hstartcol); -+ hstartrow = (numrows + 1 - parity) >> 1; -+ m = (parity) ? hstartrow : (numrows - hstartrow); -+ - /* Save the samples destined for the highpass channel. */ - n = m; - dstptr = buf; -@@ -404,7 +405,7 @@ - srcptr += stride << 1; - } - /* Copy the saved samples into the highpass channel. */ -- dstptr = &a[hstartcol * stride]; -+ dstptr = &a[hstartrow * stride]; - srcptr = buf; - n = m; - while (n-- > 0) { -@@ -435,19 +436,20 @@ - register int n; - register int i; - int m; -- int hstartcol; -+ int hstartrow; - - /* Get a buffer. */ - if (bufsize > QMFB_SPLITBUFSIZE) { -- if (!(buf = jas_alloc2(bufsize, sizeof(jpc_fix_t)))) { -+ if (!(buf = jas_alloc3(bufsize, JPC_QMFB_COLGRPSIZE, sizeof(jpc_fix_t)))) { - /* We have no choice but to commit suicide in this case. */ - abort(); - } - } - - if (numrows >= 2) { -- hstartcol = (numrows + 1 - parity) >> 1; -- m = (parity) ? hstartcol : (numrows - hstartcol); -+ hstartrow = (numrows + 1 - parity) >> 1; -+ m = (parity) ? hstartrow : (numrows - hstartrow); -+ - /* Save the samples destined for the highpass channel. */ - n = m; - dstptr = buf; -@@ -479,7 +481,7 @@ - srcptr += stride << 1; - } - /* Copy the saved samples into the highpass channel. */ -- dstptr = &a[hstartcol * stride]; -+ dstptr = &a[hstartrow * stride]; - srcptr = buf; - n = m; - while (n-- > 0) { -@@ -520,7 +522,7 @@ - - /* Get a buffer. */ - if (bufsize > QMFB_SPLITBUFSIZE) { -- if (!(buf = jas_alloc2(bufsize, sizeof(jpc_fix_t)))) { -+ if (!(buf = jas_alloc3(bufsize, numcols, sizeof(jpc_fix_t)))) { - /* We have no choice but to commit suicide in this case. 
*/ - abort(); - } -diff -Naur jasper-1.900.1-debian1.orig/src/libjasper/jpc/jpc_t2cod.c jasper-1.900.1-debian1/src/libjasper/jpc/jpc_t2cod.c ---- jasper-1.900.1-debian1.orig/src/libjasper/jpc/jpc_t2cod.c 2017-02-07 22:46:28.000000000 +0100 -+++ jasper-1.900.1-debian1/src/libjasper/jpc/jpc_t2cod.c 2017-02-07 22:45:54.464331040 +0100 -@@ -429,7 +429,7 @@ - } - - for (pi->compno = pchg->compnostart, pi->picomp = -- &pi->picomps[pi->compno]; pi->compno < JAS_CAST(int, pchg->compnoend); ++pi->compno, -+ &pi->picomps[pi->compno]; pi->compno < JAS_CAST(int, pchg->compnoend) && pi->compno < pi->numcomps; ++pi->compno, - ++pi->picomp) { - pirlvl = pi->picomp->pirlvls; - pi->xstep = pi->picomp->hsamp * (1 << (pirlvl->prcwidthexpn + diff --git a/component/jasper/CVE-2016-2089.patch b/component/jasper/CVE-2016-2089.patch deleted file mode 100644 index 95d4b6111144aaf77d1935f5abcd10ce153c3007..0000000000000000000000000000000000000000 --- a/component/jasper/CVE-2016-2089.patch +++ /dev/null 
@@ -1,90 +0,0 @@ -Description: CVE-2016-2089: matrix rows_ NULL pointer dereference in jas_matrix_clip() -Origin: vendor -Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1302636 -Bug-Debian: https://bugs.debian.org/812978 -Forwarded: not-needed -Author: Tomas Hoger <thoger@redhat.com> -Reviewed-by: Salvatore Bonaccorso <carnil@debian.org> -Last-Update: 2016-03-05 - ---- a/src/libjasper/base/jas_image.c -+++ b/src/libjasper/base/jas_image.c -@@ -426,6 +426,10 @@ int jas_image_readcmpt(jas_image_t *imag - return -1; - } - -+ if (!data->rows_) { -+ return -1; -+ } -+ - if (jas_matrix_numrows(data) != height || jas_matrix_numcols(data) != width) { - if (jas_matrix_resize(data, height, width)) { - return -1; -@@ -479,6 +483,10 @@ int jas_image_writecmpt(jas_image_t *ima - return -1; - } - -+ if (!data->rows_) { -+ return -1; -+ } -+ - if (jas_matrix_numrows(data) != height || jas_matrix_numcols(data) != width) { - return -1; - } ---- a/src/libjasper/base/jas_seq.c -+++ b/src/libjasper/base/jas_seq.c -@@ -262,6 +262,10 @@ void jas_matrix_divpow2(jas_matrix_t *ma - int rowstep; - jas_seqent_t *data; - -+ if (!matrix->rows_) { -+ return; -+ } -+ - rowstep = jas_matrix_rowstep(matrix); - for (i = matrix->numrows_, rowstart = matrix->rows_[0]; i > 0; --i, - rowstart += rowstep) { -@@ -282,6 +286,10 @@ void jas_matrix_clip(jas_matrix_t *matri - jas_seqent_t *data; - int rowstep; - -+ if (!matrix->rows_) { -+ return; -+ } -+ - rowstep = jas_matrix_rowstep(matrix); - for (i = matrix->numrows_, rowstart = matrix->rows_[0]; i > 0; --i, - rowstart += rowstep) { -@@ -306,6 +314,10 @@ void jas_matrix_asr(jas_matrix_t *matrix - int rowstep; - jas_seqent_t *data; - -+ if (!matrix->rows_) { -+ return; -+ } -+ - assert(n >= 0); - rowstep = jas_matrix_rowstep(matrix); - for (i = matrix->numrows_, rowstart = matrix->rows_[0]; i > 0; --i, -@@ -325,6 +337,10 @@ void jas_matrix_asl(jas_matrix_t *matrix - int rowstep; - jas_seqent_t *data; - -+ if (!matrix->rows_) { -+ return; -+ } -+ 
- rowstep = jas_matrix_rowstep(matrix); - for (i = matrix->numrows_, rowstart = matrix->rows_[0]; i > 0; --i, - rowstart += rowstep) { -@@ -367,6 +383,10 @@ void jas_matrix_setall(jas_matrix_t *mat - int rowstep; - jas_seqent_t *data; - -+ if (!matrix->rows_) { -+ return; -+ } -+ - rowstep = jas_matrix_rowstep(matrix); - for (i = matrix->numrows_, rowstart = matrix->rows_[0]; i > 0; --i, - rowstart += rowstep) { diff --git a/component/jasper/CVE-2016-2116.patch b/component/jasper/CVE-2016-2116.patch deleted file mode 100644 index cdb616fb6a926dc28ca546360fa04b9bbfec19cd..0000000000000000000000000000000000000000 --- a/component/jasper/CVE-2016-2116.patch +++ /dev/null @@ -1,19 +0,0 @@ -Description: CVE-2016-2116: Prevent jas_stream_t memory leak in jas_iccprof_createfrombuf() -Origin: vendor, http://www.openwall.com/lists/oss-security/2016/03/03/12 -Bug-Debian: https://bugs.debian.org/816626 -Forwarded: not-needed -Author: Tyler Hicks <tyhicks@canoonical.com> -Reviewed-by: Salvatore Bonaccorso <carnil@debian.org> -Last-Update: 2016-03-05 - ---- a/src/libjasper/base/jas_icc.c -+++ b/src/libjasper/base/jas_icc.c -@@ -1693,6 +1693,8 @@ jas_iccprof_t *jas_iccprof_createfrombuf - jas_stream_close(in); - return prof; - error: -+ if (in) -+ jas_stream_close(in); - return 0; - } - diff --git a/component/jasper/buildout.cfg b/component/jasper/buildout.cfg index 48e82f482fe4d1873a93357f82586d0de2894612..1b1df580244f7442356cffbe9696bad946bf0b54 100644 --- a/component/jasper/buildout.cfg +++ b/component/jasper/buildout.cfg 
@@ -11,18 +11,7 @@ url = http://www.ece.uvic.ca/~mdadams/jasper/software/jasper-1.900.1.zip
 md5sum = a342b2b4495b3e1394e161eb5d85d754
 patch-options = -p1
 patches =
- ${:_profile_base_location_}/misc-fixes.patch#1202be8418907dfe58f819f7b47da24f
- ${:_profile_base_location_}/fix-filename-buffer-overflow.patch#38403f9c82a18547beca16c9c6f4ce7a
- ${:_profile_base_location_}/CVE-2011-4516-and-CVE-2011-4517.patch#a9676718ed016f66a3c76acf764c9e72
- ${:_profile_base_location_}/CVE-2014-9029.patch#d69195cf17878f024cc0b580045ec314
- ${:_profile_base_location_}/CVE-2014-8137.patch#bc5103b9a33315538106bf6652383a10
- ${:_profile_base_location_}/CVE-2014-8138.patch#bfb9604fe84b6e686fea29bd760cf34d
- ${:_profile_base_location_}/CVE-2014-8157.patch#2fb5f62ba8a9f8afffc95a07d1194783
- ${:_profile_base_location_}/CVE-2014-8158.patch#9036077a1fab5de8819f210ea7b57a38
- ${:_profile_base_location_}/CVE-2016-1577.patch#bc970cf3e8535559454781ec54db2d15
- ${:_profile_base_location_}/CVE-2016-2089.patch#9b73eda015b04a6da493de89ce9b5685
- ${:_profile_base_location_}/CVE-2016-2116.patch#387df217963281827e006ab4f14f869a
- ${:_profile_base_location_}/CVE-2016-1867_CVE-2016-8654_CVE-2016-8691_CVE-2016-8692_CVE-2016-8693_CVE-2016-8882_CVE-2016-9560.patch#0bcc58c823aa19ac4beef469d65dbb56
+ ${:_profile_base_location_}/jasper_1.900.1-debian1-2.4+deb8u3.patch#1cf61d1ebc87d355523d3484169671f7
 configure-options =
 --disable-static
 --enable-shared
diff --git a/component/jasper/fix-filename-buffer-overflow.patch b/component/jasper/fix-filename-buffer-overflow.patch
deleted file mode 100644
index eba6cbe49a8b9236e31dcf183897eaa80ac24c48..0000000000000000000000000000000000000000
--- a/component/jasper/fix-filename-buffer-overflow.patch
+++ /dev/null
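Review bot: The new `patches =` entry collapses twelve individually named fixes into one Debian patch, but nothing in buildout.cfg records which of the previously tracked CVEs that patch covers, so the coverage of this change cannot be checked without reading the 1300-odd lines it appends. From the visible head of the renamed patch only the filename buffer overflow fix, CVE-2011-4516/4517 and CVE-2014-9029 can be confirmed; the rest of the file lies outside this diff. I would add above the entry: `# Debian's consolidated jasper patch set (deb8u3); supersedes the former per-CVE patches for CVE-2011-4516/4517, CVE-2014-8137/8138/8157/8158/9029, CVE-2016-1577/1867/2089/2116/8654/8691/8692/8693/8882/9560 -- verify this list against the patch headers when updating`. The `#1cf61d1…` fragment is an MD5 digest, which pins the download against accidental change but is a weak integrity check; prefer a stronger digest if the recipe supports one.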
@@ -1,37 +0,0 @@ -Description: Filename buffer overflow fix - This patch fixes a security hole by a bad buffer size handling. -Author: Roland Stigge <stigge@antcom.de> -Bug-Debian: http://bugs.debian.org/645118 - ---- a/src/libjasper/include/jasper/jas_stream.h -+++ b/src/libjasper/include/jasper/jas_stream.h -@@ -77,6 +77,7 @@ - #include <jasper/jas_config.h> - - #include <stdio.h> -+#include <limits.h> - #if defined(HAVE_FCNTL_H) - #include <fcntl.h> - #endif -@@ -99,6 +100,12 @@ extern "C" { - #define O_BINARY 0 - #endif - -+#ifdef PATH_MAX -+#define JAS_PATH_MAX PATH_MAX -+#else -+#define JAS_PATH_MAX 4096 -+#endif -+ - /* - * Stream open flags. - */ -@@ -251,7 +258,7 @@ typedef struct { - typedef struct { - int fd; - int flags; -- char pathname[L_tmpnam + 1]; -+ char pathname[JAS_PATH_MAX + 1]; - } jas_stream_fileobj_t; - - #define JAS_STREAM_FILEOBJ_DELONCLOSE 0x01 diff --git a/component/jasper/misc-fixes.patch b/component/jasper/jasper_1.900.1-debian1-2.4+deb8u3.patch similarity index 71% rename from component/jasper/misc-fixes.patch rename to component/jasper/jasper_1.900.1-debian1-2.4+deb8u3.patch index 1d27f81befa23031ec66b761a5af7d5f202da52f..08865995bf4a56b1ec6690c2baba0a55a46638e0 100644 --- a/component/jasper/misc-fixes.patch +++ b/component/jasper/jasper_1.900.1-debian1-2.4+deb8u3.patch 
@@ -3090,3 +3090,1323 @@ Author: Roland Stigge <stigge@antcom.de> If the version you run ($0) is already up to date, please send the following data and any information you think might be +Description: Filename buffer overflow fix + This patch fixes a security hole by a bad buffer size handling. +Author: Roland Stigge <stigge@antcom.de> +Bug-Debian: http://bugs.debian.org/645118 + +--- a/src/libjasper/include/jasper/jas_stream.h ++++ b/src/libjasper/include/jasper/jas_stream.h +@@ -77,6 +77,7 @@ + #include <jasper/jas_config.h> + + #include <stdio.h> ++#include <limits.h> + #if defined(HAVE_FCNTL_H) + #include <fcntl.h> + #endif +@@ -99,6 +100,12 @@ extern "C" { + #define O_BINARY 0 + #endif + ++#ifdef PATH_MAX ++#define JAS_PATH_MAX PATH_MAX ++#else ++#define JAS_PATH_MAX 4096 ++#endif ++ + /* + * Stream open flags. + */ +@@ -251,7 +258,7 @@ typedef struct { + typedef struct { + int fd; + int flags; +- char pathname[L_tmpnam + 1]; ++ char pathname[JAS_PATH_MAX + 1]; + } jas_stream_fileobj_t; + + #define JAS_STREAM_FILEOBJ_DELONCLOSE 0x01 +Description: Fix for CVE-2011-4516 and CVE-2011-4517 + This patch fixes a possible denial of service and code execution via + heap-based buffer overflows. 
+Author: Michael Gilbert <michael.s.gilbert@gmail.com> +Origin: Patch thanks to Red Hat +Bug-Debian: http://bugs.debian.org/652649 + +Index: jasper-1.900.1/src/libjasper/jpc/jpc_cs.c +=================================================================== +--- jasper-1.900.1.orig/src/libjasper/jpc/jpc_cs.c 2011-12-19 09:35:34.186909298 -0500 ++++ jasper-1.900.1/src/libjasper/jpc/jpc_cs.c 2011-12-19 09:35:51.198909832 -0500 +@@ -744,6 +744,10 @@ + return -1; + } + compparms->numrlvls = compparms->numdlvls + 1; ++ if (compparms->numrlvls > JPC_MAXRLVLS) { ++ jpc_cox_destroycompparms(compparms); ++ return -1; ++ } + if (prtflag) { + for (i = 0; i < compparms->numrlvls; ++i) { + if (jpc_getuint8(in, &tmp)) { +@@ -1331,7 +1335,7 @@ + jpc_crgcomp_t *comp; + uint_fast16_t compno; + crg->numcomps = cstate->numcomps; +- if (!(crg->comps = jas_alloc2(cstate->numcomps, sizeof(uint_fast16_t)))) { ++ if (!(crg->comps = jas_alloc2(cstate->numcomps, sizeof(jpc_crgcomp_t)))) { + return -1; + } + for (compno = 0, comp = crg->comps; compno < cstate->numcomps; +Description: CVE-2014-9029: Heap overflows in libjasper +Origin: vendor, https://bugzilla.redhat.com/attachment.cgi?id=961994&action=diff +Bug-Debian: https://bugs.debian.org/772036 +Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1167537 +Forwarded: no +Author: Tomas Hoger <thoger@redhat.com> +Reviewed-by: Salvatore Bonaccorso <carnil@debian.org> +Last-Update: 2014-11-28 + +--- a/src/libjasper/jpc/jpc_dec.c ++++ b/src/libjasper/jpc/jpc_dec.c +@@ -1280,7 +1280,7 @@ static int jpc_dec_process_coc(jpc_dec_t + jpc_coc_t *coc = &ms->parms.coc; + jpc_dec_tile_t *tile; + +- if (JAS_CAST(int, coc->compno) > dec->numcomps) { ++ if (JAS_CAST(int, coc->compno) >= dec->numcomps) { + jas_eprintf("invalid component number in COC marker segment\n"); + return -1; + } +@@ -1306,7 +1306,7 @@ static int jpc_dec_process_rgn(jpc_dec_t + jpc_rgn_t *rgn = &ms->parms.rgn; + jpc_dec_tile_t *tile; + +- if (JAS_CAST(int, rgn->compno) > 
dec->numcomps) { ++ if (JAS_CAST(int, rgn->compno) >= dec->numcomps) { + jas_eprintf("invalid component number in RGN marker segment\n"); + return -1; + } +@@ -1355,7 +1355,7 @@ static int jpc_dec_process_qcc(jpc_dec_t + jpc_qcc_t *qcc = &ms->parms.qcc; + jpc_dec_tile_t *tile; + +- if (JAS_CAST(int, qcc->compno) > dec->numcomps) { ++ if (JAS_CAST(int, qcc->compno) >= dec->numcomps) { + jas_eprintf("invalid component number in QCC marker segment\n"); + return -1; + } +Description: CVE-2014-8137: double-free in in jas_iccattrval_destroy() +Origin: vendor, https://bugzilla.redhat.com/attachment.cgi?id=967283, + https://bugzilla.redhat.com/attachment.cgi?id=967284 +Bug-Debian: https://bugs.debian.org/773463 +Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1173157 +Forwarded: no +Author: Tomas Hoger <thoger@redhat.com> +Last-Update: 2014-12-20 + +--- a/src/libjasper/base/jas_icc.c ++++ b/src/libjasper/base/jas_icc.c +@@ -1010,7 +1010,6 @@ static int jas_icccurv_input(jas_iccattr + return 0; + + error: +- jas_icccurv_destroy(attrval); + return -1; + } + +@@ -1128,7 +1127,6 @@ static int jas_icctxtdesc_input(jas_icca + #endif + return 0; + error: +- jas_icctxtdesc_destroy(attrval); + return -1; + } + +@@ -1207,8 +1205,6 @@ static int jas_icctxt_input(jas_iccattrv + goto error; + return 0; + error: +- if (txt->string) +- jas_free(txt->string); + return -1; + } + +@@ -1329,7 +1325,6 @@ static int jas_icclut8_input(jas_iccattr + goto error; + return 0; + error: +- jas_icclut8_destroy(attrval); + return -1; + } + +@@ -1498,7 +1493,6 @@ static int jas_icclut16_input(jas_iccatt + goto error; + return 0; + error: +- jas_icclut16_destroy(attrval); + return -1; + } + +--- a/src/libjasper/jp2/jp2_dec.c ++++ b/src/libjasper/jp2/jp2_dec.c +@@ -291,7 +291,10 @@ jas_image_t *jp2_decode(jas_stream_t *in + case JP2_COLR_ICC: + iccprof = jas_iccprof_createfrombuf(dec->colr->data.colr.iccp, + dec->colr->data.colr.iccplen); +- assert(iccprof); ++ if (!iccprof) { ++ 
jas_eprintf("error: failed to parse ICC profile\n"); ++ goto error; ++ } + jas_iccprof_gethdr(iccprof, &icchdr); + jas_eprintf("ICC Profile CS %08x\n", icchdr.colorspc); + jas_image_setclrspc(dec->image, fromiccpcs(icchdr.colorspc)); +Description: CVE-2014-8138: heap overflow in jp2_decode() +Origin: vendor, https://bugzilla.redhat.com/attachment.cgi?id=967280 +Bug-Debian: https://bugs.debian.org/773463 +Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1173162 +Forwarded: no +Author: Tomas Hoger <thoger@redhat.com> +Last-Update: 2014-12-20 + +--- a/src/libjasper/jp2/jp2_dec.c ++++ b/src/libjasper/jp2/jp2_dec.c +@@ -389,6 +389,11 @@ jas_image_t *jp2_decode(jas_stream_t *in + /* Determine the type of each component. */ + if (dec->cdef) { + for (i = 0; i < dec->numchans; ++i) { ++ /* Is the channel number reasonable? */ ++ if (dec->cdef->data.cdef.ents[i].channo >= dec->numchans) { ++ jas_eprintf("error: invalid channel number in CDEF box\n"); ++ goto error; ++ } + jas_image_setcmpttype(dec->image, + dec->chantocmptlut[dec->cdef->data.cdef.ents[i].channo], + jp2_getct(jas_image_clrspc(dec->image), +Description: CVE-2014-8157: dec->numtiles off-by-one check in jpc_dec_process_sot() +Origin: vendor, http://pkgs.fedoraproject.org/cgit/jasper.git/tree/jasper-CVE-2014-8157.patch +Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1179282 +Bug-Debian: https://bugs.debian.org/775970 +Forwarded: not-needed +Author: Salvatore Bonaccorso <carnil@debian.org> +Last-Update: 2015-01-22 + +--- a/src/libjasper/jpc/jpc_dec.c ++++ b/src/libjasper/jpc/jpc_dec.c +@@ -489,7 +489,7 @@ static int jpc_dec_process_sot(jpc_dec_t + dec->curtileendoff = 0; + } + +- if (JAS_CAST(int, sot->tileno) > dec->numtiles) { ++ if (JAS_CAST(int, sot->tileno) >= dec->numtiles) { + jas_eprintf("invalid tile number in SOT marker segment\n"); + return -1; + } +Description: CVE-2014-8158: unrestricted stack memory use in jpc_qmfb.c +Origin: vendor, 
http://pkgs.fedoraproject.org/cgit/jasper.git/tree/jasper-CVE-2014-8158.patch +Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1179298 +Bug-Debian: https://bugs.debian.org/775970 +Forwarded: not-needed +Author: Salvatore Bonaccorso <carnil@debian.org> +Last-Update: 2015-01-22 + +--- a/src/libjasper/jpc/jpc_qmfb.c ++++ b/src/libjasper/jpc/jpc_qmfb.c +@@ -306,11 +306,7 @@ void jpc_qmfb_split_row(jpc_fix_t *a, in + { + + int bufsize = JPC_CEILDIVPOW2(numcols, 1); +-#if !defined(HAVE_VLA) + jpc_fix_t splitbuf[QMFB_SPLITBUFSIZE]; +-#else +- jpc_fix_t splitbuf[bufsize]; +-#endif + jpc_fix_t *buf = splitbuf; + register jpc_fix_t *srcptr; + register jpc_fix_t *dstptr; +@@ -318,7 +314,6 @@ void jpc_qmfb_split_row(jpc_fix_t *a, in + register int m; + int hstartcol; + +-#if !defined(HAVE_VLA) + /* Get a buffer. */ + if (bufsize > QMFB_SPLITBUFSIZE) { + if (!(buf = jas_alloc2(bufsize, sizeof(jpc_fix_t)))) { +@@ -326,7 +321,6 @@ void jpc_qmfb_split_row(jpc_fix_t *a, in + abort(); + } + } +-#endif + + if (numcols >= 2) { + hstartcol = (numcols + 1 - parity) >> 1; +@@ -360,12 +354,10 @@ void jpc_qmfb_split_row(jpc_fix_t *a, in + } + } + +-#if !defined(HAVE_VLA) + /* If the split buffer was allocated on the heap, free this memory. */ + if (buf != splitbuf) { + jas_free(buf); + } +-#endif + + } + +@@ -374,11 +366,7 @@ void jpc_qmfb_split_col(jpc_fix_t *a, in + { + + int bufsize = JPC_CEILDIVPOW2(numrows, 1); +-#if !defined(HAVE_VLA) + jpc_fix_t splitbuf[QMFB_SPLITBUFSIZE]; +-#else +- jpc_fix_t splitbuf[bufsize]; +-#endif + jpc_fix_t *buf = splitbuf; + register jpc_fix_t *srcptr; + register jpc_fix_t *dstptr; +@@ -386,7 +374,6 @@ void jpc_qmfb_split_col(jpc_fix_t *a, in + register int m; + int hstartcol; + +-#if !defined(HAVE_VLA) + /* Get a buffer. 
*/ + if (bufsize > QMFB_SPLITBUFSIZE) { + if (!(buf = jas_alloc2(bufsize, sizeof(jpc_fix_t)))) { +@@ -394,7 +381,6 @@ void jpc_qmfb_split_col(jpc_fix_t *a, in + abort(); + } + } +-#endif + + if (numrows >= 2) { + hstartcol = (numrows + 1 - parity) >> 1; +@@ -428,12 +414,10 @@ void jpc_qmfb_split_col(jpc_fix_t *a, in + } + } + +-#if !defined(HAVE_VLA) + /* If the split buffer was allocated on the heap, free this memory. */ + if (buf != splitbuf) { + jas_free(buf); + } +-#endif + + } + +@@ -442,11 +426,7 @@ void jpc_qmfb_split_colgrp(jpc_fix_t *a, + { + + int bufsize = JPC_CEILDIVPOW2(numrows, 1); +-#if !defined(HAVE_VLA) + jpc_fix_t splitbuf[QMFB_SPLITBUFSIZE * JPC_QMFB_COLGRPSIZE]; +-#else +- jpc_fix_t splitbuf[bufsize * JPC_QMFB_COLGRPSIZE]; +-#endif + jpc_fix_t *buf = splitbuf; + jpc_fix_t *srcptr; + jpc_fix_t *dstptr; +@@ -457,7 +437,6 @@ void jpc_qmfb_split_colgrp(jpc_fix_t *a, + int m; + int hstartcol; + +-#if !defined(HAVE_VLA) + /* Get a buffer. */ + if (bufsize > QMFB_SPLITBUFSIZE) { + if (!(buf = jas_alloc2(bufsize, sizeof(jpc_fix_t)))) { +@@ -465,7 +444,6 @@ void jpc_qmfb_split_colgrp(jpc_fix_t *a, + abort(); + } + } +-#endif + + if (numrows >= 2) { + hstartcol = (numrows + 1 - parity) >> 1; +@@ -517,12 +495,10 @@ void jpc_qmfb_split_colgrp(jpc_fix_t *a, + } + } + +-#if !defined(HAVE_VLA) + /* If the split buffer was allocated on the heap, free this memory. */ + if (buf != splitbuf) { + jas_free(buf); + } +-#endif + + } + +@@ -531,11 +507,7 @@ void jpc_qmfb_split_colres(jpc_fix_t *a, + { + + int bufsize = JPC_CEILDIVPOW2(numrows, 1); +-#if !defined(HAVE_VLA) + jpc_fix_t splitbuf[QMFB_SPLITBUFSIZE * JPC_QMFB_COLGRPSIZE]; +-#else +- jpc_fix_t splitbuf[bufsize * numcols]; +-#endif + jpc_fix_t *buf = splitbuf; + jpc_fix_t *srcptr; + jpc_fix_t *dstptr; +@@ -546,7 +518,6 @@ void jpc_qmfb_split_colres(jpc_fix_t *a, + int m; + int hstartcol; + +-#if !defined(HAVE_VLA) + /* Get a buffer. 
*/ + if (bufsize > QMFB_SPLITBUFSIZE) { + if (!(buf = jas_alloc2(bufsize, sizeof(jpc_fix_t)))) { +@@ -554,7 +525,6 @@ void jpc_qmfb_split_colres(jpc_fix_t *a, + abort(); + } + } +-#endif + + if (numrows >= 2) { + hstartcol = (numrows + 1 - parity) >> 1; +@@ -606,12 +576,10 @@ void jpc_qmfb_split_colres(jpc_fix_t *a, + } + } + +-#if !defined(HAVE_VLA) + /* If the split buffer was allocated on the heap, free this memory. */ + if (buf != splitbuf) { + jas_free(buf); + } +-#endif + + } + +@@ -619,18 +587,13 @@ void jpc_qmfb_join_row(jpc_fix_t *a, int + { + + int bufsize = JPC_CEILDIVPOW2(numcols, 1); +-#if !defined(HAVE_VLA) + jpc_fix_t joinbuf[QMFB_JOINBUFSIZE]; +-#else +- jpc_fix_t joinbuf[bufsize]; +-#endif + jpc_fix_t *buf = joinbuf; + register jpc_fix_t *srcptr; + register jpc_fix_t *dstptr; + register int n; + int hstartcol; + +-#if !defined(HAVE_VLA) + /* Allocate memory for the join buffer from the heap. */ + if (bufsize > QMFB_JOINBUFSIZE) { + if (!(buf = jas_alloc2(bufsize, sizeof(jpc_fix_t)))) { +@@ -638,7 +601,6 @@ void jpc_qmfb_join_row(jpc_fix_t *a, int + abort(); + } + } +-#endif + + hstartcol = (numcols + 1 - parity) >> 1; + +@@ -670,12 +632,10 @@ void jpc_qmfb_join_row(jpc_fix_t *a, int + ++srcptr; + } + +-#if !defined(HAVE_VLA) + /* If the join buffer was allocated on the heap, free this memory. */ + if (buf != joinbuf) { + jas_free(buf); + } +-#endif + + } + +@@ -684,18 +644,13 @@ void jpc_qmfb_join_col(jpc_fix_t *a, int + { + + int bufsize = JPC_CEILDIVPOW2(numrows, 1); +-#if !defined(HAVE_VLA) + jpc_fix_t joinbuf[QMFB_JOINBUFSIZE]; +-#else +- jpc_fix_t joinbuf[bufsize]; +-#endif + jpc_fix_t *buf = joinbuf; + register jpc_fix_t *srcptr; + register jpc_fix_t *dstptr; + register int n; + int hstartcol; + +-#if !defined(HAVE_VLA) + /* Allocate memory for the join buffer from the heap. 
*/ + if (bufsize > QMFB_JOINBUFSIZE) { + if (!(buf = jas_alloc2(bufsize, sizeof(jpc_fix_t)))) { +@@ -703,7 +658,6 @@ void jpc_qmfb_join_col(jpc_fix_t *a, int + abort(); + } + } +-#endif + + hstartcol = (numrows + 1 - parity) >> 1; + +@@ -735,12 +689,10 @@ void jpc_qmfb_join_col(jpc_fix_t *a, int + ++srcptr; + } + +-#if !defined(HAVE_VLA) + /* If the join buffer was allocated on the heap, free this memory. */ + if (buf != joinbuf) { + jas_free(buf); + } +-#endif + + } + +@@ -749,11 +701,7 @@ void jpc_qmfb_join_colgrp(jpc_fix_t *a, + { + + int bufsize = JPC_CEILDIVPOW2(numrows, 1); +-#if !defined(HAVE_VLA) + jpc_fix_t joinbuf[QMFB_JOINBUFSIZE * JPC_QMFB_COLGRPSIZE]; +-#else +- jpc_fix_t joinbuf[bufsize * JPC_QMFB_COLGRPSIZE]; +-#endif + jpc_fix_t *buf = joinbuf; + jpc_fix_t *srcptr; + jpc_fix_t *dstptr; +@@ -763,7 +711,6 @@ void jpc_qmfb_join_colgrp(jpc_fix_t *a, + register int i; + int hstartcol; + +-#if !defined(HAVE_VLA) + /* Allocate memory for the join buffer from the heap. */ + if (bufsize > QMFB_JOINBUFSIZE) { + if (!(buf = jas_alloc2(bufsize, JPC_QMFB_COLGRPSIZE * sizeof(jpc_fix_t)))) { +@@ -771,7 +718,6 @@ void jpc_qmfb_join_colgrp(jpc_fix_t *a, + abort(); + } + } +-#endif + + hstartcol = (numrows + 1 - parity) >> 1; + +@@ -821,12 +767,10 @@ void jpc_qmfb_join_colgrp(jpc_fix_t *a, + srcptr += JPC_QMFB_COLGRPSIZE; + } + +-#if !defined(HAVE_VLA) + /* If the join buffer was allocated on the heap, free this memory. 
*/ + if (buf != joinbuf) { + jas_free(buf); + } +-#endif + + } + +@@ -835,11 +779,7 @@ void jpc_qmfb_join_colres(jpc_fix_t *a, + { + + int bufsize = JPC_CEILDIVPOW2(numrows, 1); +-#if !defined(HAVE_VLA) + jpc_fix_t joinbuf[QMFB_JOINBUFSIZE * JPC_QMFB_COLGRPSIZE]; +-#else +- jpc_fix_t joinbuf[bufsize * numcols]; +-#endif + jpc_fix_t *buf = joinbuf; + jpc_fix_t *srcptr; + jpc_fix_t *dstptr; +@@ -849,7 +789,6 @@ void jpc_qmfb_join_colres(jpc_fix_t *a, + register int i; + int hstartcol; + +-#if !defined(HAVE_VLA) + /* Allocate memory for the join buffer from the heap. */ + if (bufsize > QMFB_JOINBUFSIZE) { + if (!(buf = jas_alloc3(bufsize, numcols, sizeof(jpc_fix_t)))) { +@@ -857,7 +796,6 @@ void jpc_qmfb_join_colres(jpc_fix_t *a, + abort(); + } + } +-#endif + + hstartcol = (numrows + 1 - parity) >> 1; + +@@ -907,12 +845,10 @@ void jpc_qmfb_join_colres(jpc_fix_t *a, + srcptr += numcols; + } + +-#if !defined(HAVE_VLA) + /* If the join buffer was allocated on the heap, free this memory. */ + if (buf != joinbuf) { + jas_free(buf); + } +-#endif + + } + +Description: CVE-2016-1577: Prevent double-free in jas_iccattrval_destroy() +Origin: vendor, http://www.openwall.com/lists/oss-security/2016/03/03/12 +Bug-Ubuntu: https://launchpad.net/bugs/1547865 +Bug-Debian: https://bugs.debian.org/816625 +Forwarded: not-needed +Author: Tyler Hicks <tyhicks@canonical.com> +Reviewed-by: Salvatore Bonaccorso <carnil@debian.org> +Last-Update: 2016-03-05 + +--- a/src/libjasper/base/jas_icc.c ++++ b/src/libjasper/base/jas_icc.c +@@ -300,6 +300,7 @@ jas_iccprof_t *jas_iccprof_load(jas_stre + if (jas_iccprof_setattr(prof, tagtabent->tag, attrval)) + goto error; + jas_iccattrval_destroy(attrval); ++ attrval = 0; + } else { + #if 0 + jas_eprintf("warning: skipping unknown tag type\n"); +Description: CVE-2016-2089: matrix rows_ NULL pointer dereference in jas_matrix_clip() +Origin: vendor +Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1302636 +Bug-Debian: https://bugs.debian.org/812978 
+Forwarded: not-needed +Author: Tomas Hoger <thoger@redhat.com> +Reviewed-by: Salvatore Bonaccorso <carnil@debian.org> +Last-Update: 2016-03-05 + +--- a/src/libjasper/base/jas_image.c ++++ b/src/libjasper/base/jas_image.c +@@ -426,6 +426,10 @@ int jas_image_readcmpt(jas_image_t *imag + return -1; + } + ++ if (!data->rows_) { ++ return -1; ++ } ++ + if (jas_matrix_numrows(data) != height || jas_matrix_numcols(data) != width) { + if (jas_matrix_resize(data, height, width)) { + return -1; +@@ -479,6 +483,10 @@ int jas_image_writecmpt(jas_image_t *ima + return -1; + } + ++ if (!data->rows_) { ++ return -1; ++ } ++ + if (jas_matrix_numrows(data) != height || jas_matrix_numcols(data) != width) { + return -1; + } +--- a/src/libjasper/base/jas_seq.c ++++ b/src/libjasper/base/jas_seq.c +@@ -262,6 +262,10 @@ void jas_matrix_divpow2(jas_matrix_t *ma + int rowstep; + jas_seqent_t *data; + ++ if (!matrix->rows_) { ++ return; ++ } ++ + rowstep = jas_matrix_rowstep(matrix); + for (i = matrix->numrows_, rowstart = matrix->rows_[0]; i > 0; --i, + rowstart += rowstep) { +@@ -282,6 +286,10 @@ void jas_matrix_clip(jas_matrix_t *matri + jas_seqent_t *data; + int rowstep; + ++ if (!matrix->rows_) { ++ return; ++ } ++ + rowstep = jas_matrix_rowstep(matrix); + for (i = matrix->numrows_, rowstart = matrix->rows_[0]; i > 0; --i, + rowstart += rowstep) { +@@ -306,6 +314,10 @@ void jas_matrix_asr(jas_matrix_t *matrix + int rowstep; + jas_seqent_t *data; + ++ if (!matrix->rows_) { ++ return; ++ } ++ + assert(n >= 0); + rowstep = jas_matrix_rowstep(matrix); + for (i = matrix->numrows_, rowstart = matrix->rows_[0]; i > 0; --i, +@@ -325,6 +337,10 @@ void jas_matrix_asl(jas_matrix_t *matrix + int rowstep; + jas_seqent_t *data; + ++ if (!matrix->rows_) { ++ return; ++ } ++ + rowstep = jas_matrix_rowstep(matrix); + for (i = matrix->numrows_, rowstart = matrix->rows_[0]; i > 0; --i, + rowstart += rowstep) { +@@ -367,6 +383,10 @@ void jas_matrix_setall(jas_matrix_t *mat + int rowstep; + jas_seqent_t 
*data; + ++ if (!matrix->rows_) { ++ return; ++ } ++ + rowstep = jas_matrix_rowstep(matrix); + for (i = matrix->numrows_, rowstart = matrix->rows_[0]; i > 0; --i, + rowstart += rowstep) { +Description: CVE-2016-2116: Prevent jas_stream_t memory leak in jas_iccprof_createfrombuf() +Origin: vendor, http://www.openwall.com/lists/oss-security/2016/03/03/12 +Bug-Debian: https://bugs.debian.org/816626 +Forwarded: not-needed +Author: Tyler Hicks <tyhicks@canoonical.com> +Reviewed-by: Salvatore Bonaccorso <carnil@debian.org> +Last-Update: 2016-03-05 + +--- a/src/libjasper/base/jas_icc.c ++++ b/src/libjasper/base/jas_icc.c +@@ -1693,6 +1693,8 @@ jas_iccprof_t *jas_iccprof_createfrombuf + jas_stream_close(in); + return prof; + error: ++ if (in) ++ jas_stream_close(in); + return 0; + } + +diff -Naur jasper-1.900.1-debian1.orig/src/libjasper/base/jas_stream.c jasper-1.900.1-debian1/src/libjasper/base/jas_stream.c +--- jasper-1.900.1-debian1.orig/src/libjasper/base/jas_stream.c 2017-02-07 22:46:28.000000000 +0100 ++++ jasper-1.900.1-debian1/src/libjasper/base/jas_stream.c 2017-02-07 22:46:07.040456152 +0100 +@@ -985,8 +985,9 @@ + { + unsigned char *buf; + +- assert(m->buf_); +- if (!(buf = jas_realloc(m->buf_, bufsize))) { ++ //assert(m->buf_); ++ assert(bufsize >= 0); ++ if (!(buf = jas_realloc(m->buf_, bufsize)) && bufsize) { + return -1; + } + m->buf_ = buf; +diff -Naur jasper-1.900.1-debian1.orig/src/libjasper/jpc/jpc_cs.c jasper-1.900.1-debian1/src/libjasper/jpc/jpc_cs.c +--- jasper-1.900.1-debian1.orig/src/libjasper/jpc/jpc_cs.c 2017-02-07 22:46:28.000000000 +0100 ++++ jasper-1.900.1-debian1/src/libjasper/jpc/jpc_cs.c 2017-02-07 22:46:02.168382641 +0100 +@@ -512,6 +512,16 @@ + jas_free(siz->comps); + return -1; + } ++ if (siz->comps[i].hsamp == 0 || siz->comps[i].hsamp > 255) { ++ jas_eprintf("invalid XRsiz value %d\n", siz->comps[i].hsamp); ++ jas_free(siz->comps); ++ return -1; ++ } ++ if (siz->comps[i].vsamp == 0 || siz->comps[i].vsamp > 255) { ++ jas_eprintf("invalid 
YRsiz value %d\n", siz->comps[i].vsamp); ++ jas_free(siz->comps); ++ return -1; ++ } + siz->comps[i].sgnd = (tmp >> 7) & 1; + siz->comps[i].prec = (tmp & 0x7f) + 1; + } +diff -Naur jasper-1.900.1-debian1.orig/src/libjasper/jpc/jpc_dec.c jasper-1.900.1-debian1/src/libjasper/jpc/jpc_dec.c +--- jasper-1.900.1-debian1.orig/src/libjasper/jpc/jpc_dec.c 2017-02-07 22:46:28.000000000 +0100 ++++ jasper-1.900.1-debian1/src/libjasper/jpc/jpc_dec.c 2017-02-07 22:46:13.736555435 +0100 +@@ -674,7 +674,7 @@ + uint_fast32_t tmpxend; + uint_fast32_t tmpyend; + jpc_dec_cp_t *cp; +- jpc_tsfb_band_t bnds[64]; ++ jpc_tsfb_band_t bnds[JPC_MAXBANDS]; + jpc_pchg_t *pchg; + int pchgno; + jpc_dec_cmpt_t *cmpt; +@@ -989,23 +989,23 @@ + } + if (tile->cp) { + jpc_dec_cp_destroy(tile->cp); +- tile->cp = 0; ++ //tile->cp = 0; + } + if (tile->tcomps) { + jas_free(tile->tcomps); +- tile->tcomps = 0; ++ //tile->tcomps = 0; + } + if (tile->pi) { + jpc_pi_destroy(tile->pi); +- tile->pi = 0; ++ //tile->pi = 0; + } + if (tile->pkthdrstream) { + jas_stream_close(tile->pkthdrstream); +- tile->pkthdrstream = 0; ++ //tile->pkthdrstream = 0; + } + if (tile->pptstab) { + jpc_ppxstab_destroy(tile->pptstab); +- tile->pptstab = 0; ++ //tile->pptstab = 0; + } + + tile->state = JPC_TILE_DONE; +@@ -1148,7 +1148,11 @@ + return -1; + } + } +- jpc_dec_tilefini(dec, tile); ++ /* If the tile has not yet been finalized, finalize it. */ ++ // OLD CODE: jpc_dec_tilefini(dec, tile); ++ if (tile->state != JPC_TILE_DONE) { ++ jpc_dec_tilefini(dec, tile); ++ } + } + + /* We are done processing the code stream. 
*/ +@@ -1204,6 +1208,8 @@ + dec->numhtiles = JPC_CEILDIV(dec->xend - dec->tilexoff, dec->tilewidth); + dec->numvtiles = JPC_CEILDIV(dec->yend - dec->tileyoff, dec->tileheight); + dec->numtiles = dec->numhtiles * dec->numvtiles; ++ JAS_DBGLOG(10, ("numtiles = %d; numhtiles = %d; numvtiles = %d;\n", ++ dec->numtiles, dec->numhtiles, dec->numvtiles)); + if (!(dec->tiles = jas_alloc2(dec->numtiles, sizeof(jpc_dec_tile_t)))) { + return -1; + } +@@ -1228,6 +1234,7 @@ + tile->pkthdrstreampos = 0; + tile->pptstab = 0; + tile->cp = 0; ++ tile->pi = 0; + if (!(tile->tcomps = jas_alloc2(dec->numcomps, + sizeof(jpc_dec_tcomp_t)))) { + return -1; +diff -Naur jasper-1.900.1-debian1.orig/src/libjasper/jpc/jpc_qmfb.c jasper-1.900.1-debian1/src/libjasper/jpc/jpc_qmfb.c +--- jasper-1.900.1-debian1.orig/src/libjasper/jpc/jpc_qmfb.c 2017-02-07 22:46:28.000000000 +0100 ++++ jasper-1.900.1-debian1/src/libjasper/jpc/jpc_qmfb.c 2017-02-07 22:45:59.328339293 +0100 +@@ -372,7 +372,7 @@ + register jpc_fix_t *dstptr; + register int n; + register int m; +- int hstartcol; ++ int hstartrow; + + /* Get a buffer. */ + if (bufsize > QMFB_SPLITBUFSIZE) { +@@ -383,8 +383,9 @@ + } + + if (numrows >= 2) { +- hstartcol = (numrows + 1 - parity) >> 1; +- m = (parity) ? hstartcol : (numrows - hstartcol); ++ hstartrow = (numrows + 1 - parity) >> 1; ++ m = (parity) ? hstartrow : (numrows - hstartrow); ++ + /* Save the samples destined for the highpass channel. */ + n = m; + dstptr = buf; +@@ -404,7 +405,7 @@ + srcptr += stride << 1; + } + /* Copy the saved samples into the highpass channel. */ +- dstptr = &a[hstartcol * stride]; ++ dstptr = &a[hstartrow * stride]; + srcptr = buf; + n = m; + while (n-- > 0) { +@@ -435,19 +436,20 @@ + register int n; + register int i; + int m; +- int hstartcol; ++ int hstartrow; + + /* Get a buffer. 
*/ + if (bufsize > QMFB_SPLITBUFSIZE) { +- if (!(buf = jas_alloc2(bufsize, sizeof(jpc_fix_t)))) { ++ if (!(buf = jas_alloc3(bufsize, JPC_QMFB_COLGRPSIZE, sizeof(jpc_fix_t)))) { + /* We have no choice but to commit suicide in this case. */ + abort(); + } + } + + if (numrows >= 2) { +- hstartcol = (numrows + 1 - parity) >> 1; +- m = (parity) ? hstartcol : (numrows - hstartcol); ++ hstartrow = (numrows + 1 - parity) >> 1; ++ m = (parity) ? hstartrow : (numrows - hstartrow); ++ + /* Save the samples destined for the highpass channel. */ + n = m; + dstptr = buf; +@@ -479,7 +481,7 @@ + srcptr += stride << 1; + } + /* Copy the saved samples into the highpass channel. */ +- dstptr = &a[hstartcol * stride]; ++ dstptr = &a[hstartrow * stride]; + srcptr = buf; + n = m; + while (n-- > 0) { +@@ -520,7 +522,7 @@ + + /* Get a buffer. */ + if (bufsize > QMFB_SPLITBUFSIZE) { +- if (!(buf = jas_alloc2(bufsize, sizeof(jpc_fix_t)))) { ++ if (!(buf = jas_alloc3(bufsize, numcols, sizeof(jpc_fix_t)))) { + /* We have no choice but to commit suicide in this case. 
*/ + abort(); + } +diff -Naur jasper-1.900.1-debian1.orig/src/libjasper/jpc/jpc_t2cod.c jasper-1.900.1-debian1/src/libjasper/jpc/jpc_t2cod.c +--- jasper-1.900.1-debian1.orig/src/libjasper/jpc/jpc_t2cod.c 2017-02-07 22:46:28.000000000 +0100 ++++ jasper-1.900.1-debian1/src/libjasper/jpc/jpc_t2cod.c 2017-02-07 22:45:54.464331040 +0100 +@@ -429,7 +429,7 @@ + } + + for (pi->compno = pchg->compnostart, pi->picomp = +- &pi->picomps[pi->compno]; pi->compno < JAS_CAST(int, pchg->compnoend); ++pi->compno, ++ &pi->picomps[pi->compno]; pi->compno < JAS_CAST(int, pchg->compnoend) && pi->compno < pi->numcomps; ++pi->compno, + ++pi->picomp) { + pirlvl = pi->picomp->pirlvls; + pi->xstep = pi->picomp->hsamp * (1 << (pirlvl->prcwidthexpn + +From 03fe49ab96bf65fea784cdc256507ea88267fc7c Mon Sep 17 00:00:00 2001 +From: Michael Adams <mdadams@ece.uvic.ca> +Date: Thu, 2 Mar 2017 08:07:04 -0800 +Subject: [PATCH] Fixed some potential double-free problems in the JPC codec. + +--- + src/libjasper/jpc/jpc_enc.c | 75 +++++++++++++++++++++++++++++++++++++-------- + 1 file changed, 62 insertions(+), 13 deletions(-) + +diff --git a/src/libjasper/jpc/jpc_enc.c b/src/libjasper/jpc/jpc_enc.c +index 03646d6..b8b47f1 100644 +--- a/src/libjasper/jpc/jpc_enc.c ++++ b/src/libjasper/jpc/jpc_enc.c +@@ -1140,8 +1140,9 @@ static int jpc_enc_encodemainbody(jpc_enc_t *enc) + tilex = tileno % cp->numhtiles; + tiley = tileno / cp->numhtiles; + +- if (!(enc->curtile = jpc_enc_tile_create(enc->cp, enc->image, tileno))) { +- abort(); ++ if (!(enc->curtile = jpc_enc_tile_create(enc->cp, enc->image, ++ tileno))) { ++ return -1; + } + + tile = enc->curtile; +@@ -2036,6 +2037,8 @@ jpc_enc_tile_t *jpc_enc_tile_create(jpc_enc_cp_t *cp, jas_image_t *image, int ti + return 0; + } + ++/* Note: I don't think that it is necessary to marked destroyed subobjects ++as such in this function. 
*/ + void jpc_enc_tile_destroy(jpc_enc_tile_t *tile) + { + jpc_enc_tcmpt_t *tcmpt; +@@ -2047,16 +2050,21 @@ void jpc_enc_tile_destroy(jpc_enc_tile_t *tile) + tcmpt_destroy(tcmpt); + } + jas_free(tile->tcmpts); ++ /* tile->tcmpts = NULL; */ + } + if (tile->lyrsizes) { + jas_free(tile->lyrsizes); ++ /* tile->lyrsizes = NULL; */ + } + if (tile->pi) { + jpc_pi_destroy(tile->pi); ++ /* tile->pi = NULL; */ + } + jas_free(tile); ++ /* tile = NULL; */ + } + ++/* Note: This constructor creates the object in place. */ + static jpc_enc_tcmpt_t *tcmpt_create(jpc_enc_tcmpt_t *tcmpt, jpc_enc_cp_t *cp, + jas_image_t *image, jpc_enc_tile_t *tile) + { +@@ -2152,6 +2160,10 @@ static jpc_enc_tcmpt_t *tcmpt_create(jpc_enc_tcmpt_t *tcmpt, jpc_enc_cp_t *cp, + + } + ++/* Note: Since jpc_enc_tcmpt_t objects are created in-place, they might ++potentially be destroyed multiple times at different levels in the call ++chain. So, destroyed subobjects must be marked as destroyed to prevent ++problems such as double frees. */ + static void tcmpt_destroy(jpc_enc_tcmpt_t *tcmpt) + { + jpc_enc_rlvl_t *rlvl; +@@ -2163,16 +2175,20 @@ static void tcmpt_destroy(jpc_enc_tcmpt_t *tcmpt) + rlvl_destroy(rlvl); + } + jas_free(tcmpt->rlvls); ++ tcmpt->rlvls = NULL; + } + + if (tcmpt->data) { + jas_seq2d_destroy(tcmpt->data); ++ tcmpt->data = NULL; + } + if (tcmpt->tsfb) { + jpc_tsfb_destroy(tcmpt->tsfb); ++ tcmpt->tsfb = NULL; + } + } + ++/* Note: This constructor creates the object in place. */ + static jpc_enc_rlvl_t *rlvl_create(jpc_enc_rlvl_t *rlvl, jpc_enc_cp_t *cp, + jpc_enc_tcmpt_t *tcmpt, jpc_tsfb_band_t *bandinfos) + { +@@ -2254,6 +2270,10 @@ static jpc_enc_rlvl_t *rlvl_create(jpc_enc_rlvl_t *rlvl, jpc_enc_cp_t *cp, + return 0; + } + ++/* Note: Since jpc_enc_rlvl_t objects are created in-place, they might ++potentially be destroyed multiple times at different levels in the call ++chain. So, destroyed subobjects must be marked as destroyed to prevent ++problems such as double frees. 
*/ + static void rlvl_destroy(jpc_enc_rlvl_t *rlvl) + { + jpc_enc_band_t *band; +@@ -2265,9 +2285,11 @@ static void rlvl_destroy(jpc_enc_rlvl_t *rlvl) + band_destroy(band); + } + jas_free(rlvl->bands); ++ rlvl->bands = NULL; + } + } + ++/* Note: This constructor creates the object in place. */ + static jpc_enc_band_t *band_create(jpc_enc_band_t *band, jpc_enc_cp_t *cp, + jpc_enc_rlvl_t *rlvl, jpc_tsfb_band_t *bandinfos) + { +@@ -2335,6 +2357,10 @@ if (band->data) { + return 0; + } + ++/* Note: Since jpc_enc_band_t objects are created in-place, they might ++potentially be destroyed multiple times at different levels in the call ++chain. So, destroyed subobjects must be marked as destroyed to prevent ++problems such as double frees. */ + static void band_destroy(jpc_enc_band_t *band) + { + jpc_enc_prc_t *prc; +@@ -2348,12 +2374,15 @@ static void band_destroy(jpc_enc_band_t *band) + prc_destroy(prc); + } + jas_free(band->prcs); ++ band->prcs = NULL; + } + if (band->data) { + jas_seq2d_destroy(band->data); ++ band->data = NULL; + } + } + ++/* Note: This constructor creates the object in place. 
*/ + static jpc_enc_prc_t *prc_create(jpc_enc_prc_t *prc, jpc_enc_cp_t *cp, jpc_enc_band_t *band) + { + uint_fast32_t prcno; +@@ -2383,21 +2412,21 @@ static jpc_enc_prc_t *prc_create(jpc_enc_prc_t *prc, jpc_enc_cp_t *cp, jpc_enc_b + + rlvl = band->rlvl; + tcmpt = rlvl->tcmpt; +-rlvlno = rlvl - tcmpt->rlvls; ++ rlvlno = rlvl - tcmpt->rlvls; + prcno = prc - band->prcs; + prcxind = prcno % rlvl->numhprcs; + prcyind = prcno / rlvl->numhprcs; + prc->band = band; + +-tlprctlx = JPC_FLOORTOMULTPOW2(rlvl->tlx, rlvl->prcwidthexpn); +-tlprctly = JPC_FLOORTOMULTPOW2(rlvl->tly, rlvl->prcheightexpn); +-if (!rlvlno) { +- tlcbgtlx = tlprctlx; +- tlcbgtly = tlprctly; +-} else { +- tlcbgtlx = JPC_CEILDIVPOW2(tlprctlx, 1); +- tlcbgtly = JPC_CEILDIVPOW2(tlprctly, 1); +-} ++ tlprctlx = JPC_FLOORTOMULTPOW2(rlvl->tlx, rlvl->prcwidthexpn); ++ tlprctly = JPC_FLOORTOMULTPOW2(rlvl->tly, rlvl->prcheightexpn); ++ if (!rlvlno) { ++ tlcbgtlx = tlprctlx; ++ tlcbgtly = tlprctly; ++ } else { ++ tlcbgtlx = JPC_CEILDIVPOW2(tlprctlx, 1); ++ tlcbgtly = JPC_CEILDIVPOW2(tlprctly, 1); ++ } + + /* Compute the coordinates of the top-left and bottom-right + corners of the precinct. */ +@@ -2479,6 +2508,10 @@ if (!rlvlno) { + return 0; + } + ++/* Note: Since jpc_enc_prc_t objects are created in-place, they might ++potentially be destroyed multiple times at different levels in the call ++chain. So, destroyed subobjects must be marked as destroyed to prevent ++problems such as double frees. 
*/ + static void prc_destroy(jpc_enc_prc_t *prc) + { + jpc_enc_cblk_t *cblk; +@@ -2490,22 +2523,29 @@ static void prc_destroy(jpc_enc_prc_t *prc) + cblk_destroy(cblk); + } + jas_free(prc->cblks); ++ prc->cblks = NULL; + } + if (prc->incltree) { + jpc_tagtree_destroy(prc->incltree); ++ prc->incltree = NULL; + } + if (prc->nlibtree) { + jpc_tagtree_destroy(prc->nlibtree); ++ prc->nlibtree = NULL; + } + if (prc->savincltree) { + jpc_tagtree_destroy(prc->savincltree); ++ prc->savincltree = NULL; + } + if (prc->savnlibtree) { + jpc_tagtree_destroy(prc->savnlibtree); ++ prc->savnlibtree = NULL; + } + } + +-static jpc_enc_cblk_t *cblk_create(jpc_enc_cblk_t *cblk, jpc_enc_cp_t *cp, jpc_enc_prc_t *prc) ++/* Note: This constructor creates the object in place. */ ++static jpc_enc_cblk_t *cblk_create(jpc_enc_cblk_t *cblk, jpc_enc_cp_t *cp, ++ jpc_enc_prc_t *prc) + { + jpc_enc_band_t *band; + uint_fast32_t cblktlx; +@@ -2563,6 +2603,10 @@ static jpc_enc_cblk_t *cblk_create(jpc_enc_cblk_t *cblk, jpc_enc_cp_t *cp, jpc_e + return 0; + } + ++/* Note: Since jpc_enc_cblk_t objects are created in-place, they might ++potentially be destroyed multiple times at different levels in the call ++chain. So, destroyed subobjects must be marked as destroyed to prevent ++problems such as double frees. 
*/ + static void cblk_destroy(jpc_enc_cblk_t *cblk) + { + uint_fast16_t passno; +@@ -2573,18 +2617,23 @@ static void cblk_destroy(jpc_enc_cblk_t *cblk) + pass_destroy(pass); + } + jas_free(cblk->passes); ++ cblk->passes = NULL; + } + if (cblk->stream) { + jas_stream_close(cblk->stream); ++ cblk->stream = NULL; + } + if (cblk->mqenc) { + jpc_mqenc_destroy(cblk->mqenc); ++ cblk->mqenc = NULL; + } + if (cblk->data) { + jas_seq2d_destroy(cblk->data); ++ cblk->data = NULL; + } + if (cblk->flags) { + jas_seq2d_destroy(cblk->flags); ++ cblk->flags = NULL; + } + } + +Backport of 988f8365f7d8ad8073b6786e433d34c553ecf568 +From: Michael Adams <mdadams@ece.uvic.ca> + +Also backport jas_safe_size_mul() + +diff -aur jasper-1.900.1-debian1.orig/src/libjasper/base/jas_seq.c jasper-1.900.1-debian1/src/libjasper/base/jas_seq.c +--- jasper-1.900.1-debian1.orig/src/libjasper/base/jas_seq.c 2017-03-15 16:30:46.000000000 +0100 ++++ jasper-1.900.1-debian1/src/libjasper/base/jas_seq.c 2017-03-15 16:36:57.410704785 +0100 +@@ -101,9 +101,16 @@ + { + jas_matrix_t *matrix; + int i; ++ size_t size; + ++ matrix = 0; ++ ++ if (numrows < 0 || numcols < 0) { ++ goto error; ++ } ++ + if (!(matrix = jas_malloc(sizeof(jas_matrix_t)))) { +- return 0; ++ goto error; + } + matrix->flags_ = 0; + matrix->numrows_ = numrows; +@@ -111,21 +118,25 @@ + matrix->rows_ = 0; + matrix->maxrows_ = numrows; + matrix->data_ = 0; +- matrix->datasize_ = numrows * numcols; ++ matrix->datasize_ = 0; ++ ++ // matrix->datasize_ = numrows * numcols; ++ if (!jas_safe_size_mul(numrows, numcols, &size)) { ++ goto error; ++ } ++ matrix->datasize_ = size; + + if (matrix->maxrows_ > 0) { + if (!(matrix->rows_ = jas_alloc2(matrix->maxrows_, + sizeof(jas_seqent_t *)))) { +- jas_matrix_destroy(matrix); +- return 0; ++ goto error; + } + } + + if (matrix->datasize_ > 0) { + if (!(matrix->data_ = jas_alloc2(matrix->datasize_, + sizeof(jas_seqent_t)))) { +- jas_matrix_destroy(matrix); +- return 0; ++ goto error; + } + } + +@@ -143,6 
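Review bot: The new `cblk->passes = NULL;`, `cblk->stream = NULL;` and sibling assignments make a second cblk_destroy on the same still-allocated object a no-op, but they do not cover the scenario the comment added above this function alludes to, where a jpc_enc_cblk_t is destroyed after prc_destroy has already run: prc_destroy frees the `prc->cblks` array the code blocks live in, so a later cblk_destroy through a stale pointer is a use-after-free regardless of these fields. I would narrow that comment, e.g. `/* Nulling the sub-object pointers makes a repeated cblk_destroy on a live object harmless; it does not protect a cblk whose containing prc->cblks array has already been freed. */`. The enclosing `if` guard and pass loop header are above the hunk.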
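Review bot: `matrix->datasize_ = size;` stores a size_t into a field whose type is not visible in this hunk; if datasize_ is an `int` like numrows and numcols, a product that passes jas_safe_size_mul (anything up to INT_MAX*INT_MAX with a 64-bit size_t) is silently truncated here and `jas_alloc2(matrix->datasize_, sizeof(jas_seqent_t))` then allocates fewer elements than the rows are later pointed into. Unless datasize_ has been widened to size_t, bound the product as well: `if (!jas_safe_size_mul(numrows, numcols, &size) || size > INT_MAX) { goto error; }` (with `<limits.h>` included). The dead line `// matrix->datasize_ = numrows * numcols;` should be deleted rather than left commented out, and it also introduces a `//` comment where the surrounding code uses `/* */`. jas_matrix_create begins and ends outside this hunk.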
+154,12 @@ + matrix->yend_ = matrix->numrows_; + + return matrix; ++ ++error: ++ if (matrix) { ++ jas_matrix_destroy(matrix); ++ } ++ return 0; + } + + void jas_matrix_destroy(jas_matrix_t *matrix) +--- jasper-1.900.1.orig/src/libjasper/include/jasper/jas_math.h 2016-11-30 15:16:36.376026487 +0100 ++++ jasper-1.900.1/src/libjasper/include/jasper/jas_math.h 2016-11-30 15:17:11.011071690 +0100 +@@ -79,6 +79,7 @@ + #include <assert.h> + #include <stdio.h> + #include <string.h> ++#include <stdint.h> + + #ifdef __cplusplus + extern "C" { +@@ -110,6 +111,19 @@ + #define JAS_ONES(n) \ + ((1 << (n)) - 1) + ++inline static int jas_safe_size_mul(size_t x, size_t y, size_t *result) ++{ ++ /* Check if overflow would occur */ ++ if (x && y > SIZE_MAX / x) { ++ /* Overflow would occur. */ ++ return 0; ++ } ++ if (result) { ++ *result = x * y; ++ } ++ return 1; ++} ++ + #ifdef __cplusplus + } + #endif +From 1f0dfe5a42911b6880a1445f13f6d615ddb55387 Mon Sep 17 00:00:00 2001 +From: Michael Adams <mdadams@ece.uvic.ca> +Date: Fri, 4 Nov 2016 07:20:23 -0700 +Subject: [PATCH] Fixed an integer overflow problem in the JPC codec that later + resulted in the use of uninitialized data. 
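Review bot: jas_safe_size_mul carries no comment stating the contract that callers in other translation units will depend on: it returns 1 and stores `x * y` through `result` when the product fits in size_t, returns 0 and leaves `*result` untouched on overflow, and accepts a NULL `result` as a pure check. I would put that above the definition, e.g. `/* Returns 1 and stores x*y in *result if it fits in size_t; returns 0 and leaves *result unchanged on overflow. result may be NULL. */`. As a point of style, `inline static` is conventionally written `static inline`; and since this lands in a public header, builds that compile the library as C89 will reject `inline` unless it is defined away elsewhere, which is not visible here.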
+ +--- + src/libjasper/jpc/jpc_t2cod.c | 20 ++++++++++---------- + src/libjasper/jpc/jpc_t2cod.h | 20 ++++++++++---------- + 2 files changed, 20 insertions(+), 20 deletions(-) + +diff --git a/src/libjasper/jpc/jpc_t2cod.c b/src/libjasper/jpc/jpc_t2cod.c +index 08315dd..174442a 100644 +--- a/src/libjasper/jpc/jpc_t2cod.c ++++ b/src/libjasper/jpc/jpc_t2cod.c +@@ -432,18 +432,18 @@ static int jpc_pi_nextcprl(register jpc_pi_t *pi) + &pi->picomps[pi->compno]; pi->compno < JAS_CAST(int, pchg->compnoend) && pi->compno < pi->numcomps; ++pi->compno, + ++pi->picomp) { + pirlvl = pi->picomp->pirlvls; +- pi->xstep = pi->picomp->hsamp * (1 << (pirlvl->prcwidthexpn + +- pi->picomp->numrlvls - 1)); +- pi->ystep = pi->picomp->vsamp * (1 << (pirlvl->prcheightexpn + +- pi->picomp->numrlvls - 1)); ++ pi->xstep = pi->picomp->hsamp * (JAS_CAST(uint_fast32_t, 1) << ++ (pirlvl->prcwidthexpn + pi->picomp->numrlvls - 1)); ++ pi->ystep = pi->picomp->vsamp * (JAS_CAST(uint_fast32_t, 1) << ++ (pirlvl->prcheightexpn + pi->picomp->numrlvls - 1)); + for (rlvlno = 1, pirlvl = &pi->picomp->pirlvls[1]; + rlvlno < pi->picomp->numrlvls; ++rlvlno, ++pirlvl) { +- pi->xstep = JAS_MIN(pi->xstep, pi->picomp->hsamp * (1 << +- (pirlvl->prcwidthexpn + pi->picomp->numrlvls - +- rlvlno - 1))); +- pi->ystep = JAS_MIN(pi->ystep, pi->picomp->vsamp * (1 << +- (pirlvl->prcheightexpn + pi->picomp->numrlvls - +- rlvlno - 1))); ++ pi->xstep = JAS_MIN(pi->xstep, pi->picomp->hsamp * ++ (JAS_CAST(uint_fast32_t, 1) << (pirlvl->prcwidthexpn + ++ pi->picomp->numrlvls - rlvlno - 1))); ++ pi->ystep = JAS_MIN(pi->ystep, pi->picomp->vsamp * ++ (JAS_CAST(uint_fast32_t, 1) << (pirlvl->prcheightexpn + ++ pi->picomp->numrlvls - rlvlno - 1))); + } + for (pi->y = pi->ystart; pi->y < pi->yend; + pi->y += pi->ystep - (pi->y % pi->ystep)) { +diff --git a/src/libjasper/jpc/jpc_t2cod.h b/src/libjasper/jpc/jpc_t2cod.h +index 0a176c9..690e031 100644 +--- a/src/libjasper/jpc/jpc_t2cod.h ++++ b/src/libjasper/jpc/jpc_t2cod.h +@@ -129,10 
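Review bot: Casting the shifted constant to uint_fast32_t removes the signed-overflow UB for a shift count of 31, but the count `pirlvl->prcwidthexpn + pi->picomp->numrlvls - 1` is still unchecked: where uint_fast32_t is 32 bits a count of 32 or more remains undefined behaviour, and where it is 64 bits (e.g. glibc x86_64) the same count yields a different, platform-dependent step. Unless the precinct-size exponent and resolution-level count are already bounded so that their sum stays below 32 (that validation is not visible in this hunk), such a value should be rejected here rather than fed into xstep/ystep. The loop step `pi->y += pi->ystep - (pi->y % pi->ystep)` also divides by ystep, which is `vsamp * (1 << k)` and is zero if vsamp is zero or the shift wrapped to zero, so a non-zero check on both steps before the loops would close that path too. jpc_pi_nextcprl starts and ends outside the hunk.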
+129,10 @@ typedef struct { + jpc_pirlvl_t *pirlvls; + + /* The horizontal sampling period. */ +- int hsamp; ++ uint_fast32_t hsamp; + + /* The vertical sampling period. */ +- int vsamp; ++ uint_fast32_t vsamp; + + } jpc_picomp_t; + +@@ -171,32 +171,32 @@ typedef struct { + int lyrno; + + /* The x-coordinate of the current position. */ +- int x; ++ uint_fast32_t x; + + /* The y-coordinate of the current position. */ +- int y; ++ uint_fast32_t y; + + /* The horizontal step size. */ +- int xstep; ++ uint_fast32_t xstep; + + /* The vertical step size. */ +- int ystep; ++ uint_fast32_t ystep; + + /* The x-coordinate of the top-left corner of the tile on the reference + grid. */ +- int xstart; ++ uint_fast32_t xstart; + + /* The y-coordinate of the top-left corner of the tile on the reference + grid. */ +- int ystart; ++ uint_fast32_t ystart; + + /* The x-coordinate of the bottom-right corner of the tile on the + reference grid (plus one). */ +- int xend; ++ uint_fast32_t xend; + + /* The y-coordinate of the bottom-right corner of the tile on the + reference grid (plus one). */ +- int yend; ++ uint_fast32_t yend; + + /* The current progression change. */ + jpc_pchg_t *pchg;
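Review bot: Every consumer of `x`, `y`, `xstep`, `ystep`, `xstart`, `ystart`, `xend` and `yend` outside this diff is affected by the switch from int to uint_fast32_t, not only the `1 << k` computation in jpc_t2cod.c: differences such as `xend - xstart` can no longer go negative, comparisons against fields that stay `int` (`lyrno` in this hunk, `compno` in the .c hunk) now promote to unsigned, and any `%d` format of these fields is now mismatched. The hunk touches only the declarations, so those uses should be audited; at minimum the comments should record the assumption the new types encode, e.g. `/* The x-coordinate of the top-left corner of the tile on the reference grid. Non-negative; expected to be <= xend. */`. The `hsamp`/`vsamp` change in the previous hunk also makes `xstep = hsamp * (1 << k)` an unsigned product that wraps silently if hsamp is large (its range is not visible here), so the overflow fix is complete only if hsamp and the shift count are validated on input.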