Slackware just notified of these: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8137 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8138 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8157 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8158 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9029
Summary: CVE-2014-8137: double-free CVE-2014-8138: heap-based buffer overflow CVE-2014-8157: off-by-one CVE-2014-8158: multiple stack-based buffer overflows CVE-2014-9029: multiple off-by-one Patches from Slackware are available off their ftp site: ftp://ftp.slackware.com/pub/slackware/slackware64-14.1/patches/source/jasper/patches/ jasper-CVE-2014-8137.patch.gz 1 KB 09/03/15 18:54:00 jasper-CVE-2014-8138.patch.gz 1 KB 09/03/15 18:55:00 jasper-CVE-2014-8157.patch.gz 1 KB 09/03/15 18:55:00 jasper-CVE-2014-8158.patch.gz 2 KB 09/03/15 18:56:00 jasper-CVE-2014-9029.patch.gz 1 KB 09/03/15 18:57:00 Attached is my attempt to merge above Slackware patches, into our jasper port. Someone more familiar with jasper should double check that I didn't screw anything up. I have a question though, 'pkg_info jasper' claims gimp as a dependent, however, 'ldd gimp' doesn't show jasper in the list. What am I missing? Cheers, --patrick
Index: Makefile =================================================================== RCS file: /cvs/obsd/ports/graphics/jasper/Makefile,v retrieving revision 1.17 diff -u -p -u -p -r1.17 Makefile --- Makefile 20 Apr 2013 15:25:35 -0000 1.17 +++ Makefile 30 Oct 2015 05:37:32 -0000 @@ -1,9 +1,9 @@ -# $OpenBSD: Makefile,v 1.16 2013/03/21 08:45:18 ajacoutot Exp $ +# $OpenBSD: Makefile,v 1.17 2013/04/20 15:25:35 naddy Exp $ COMMENT = reference implementation of JPEG-2000 DISTNAME = jasper-1.900.1 -REVISION = 2 +REVISION = 3 SHARED_LIBS = jasper 2.1 CATEGORIES = graphics Index: patches/patch-src_libjasper_base_jas_icc_c =================================================================== RCS file: /cvs/obsd/ports/graphics/jasper/patches/patch-src_libjasper_base_jas_icc_c,v retrieving revision 1.1 diff -u -p -u -p -r1.1 patch-src_libjasper_base_jas_icc_c --- patches/patch-src_libjasper_base_jas_icc_c 17 May 2008 09:32:16 -0000 1.1 +++ patches/patch-src_libjasper_base_jas_icc_c 30 Oct 2015 05:37:32 -0000 @@ -1,6 +1,10 @@ $OpenBSD$ ---- src/libjasper/base/jas_icc.c.orig Fri Jan 19 22:43:05 2007 -+++ src/libjasper/base/jas_icc.c Fri May 16 21:38:46 2008 + +Security fix from Slackware: + CVE-2014-8137: double-free + +--- src/libjasper/base/jas_icc.c.orig Fri Jan 19 13:43:05 2007 ++++ src/libjasper/base/jas_icc.c Thu Oct 29 22:03:25 2015 @@ -373,7 +373,7 @@ int jas_iccprof_save(jas_iccprof_t *prof, jas_stream_t jas_icctagtab_t *tagtab; @@ -38,7 +42,15 @@ $OpenBSD$ goto error; for (i = 0; i < curv->numents; ++i) { if (jas_iccgetuint16(in, &curv->ents[i])) -@@ -1100,7 +1099,7 @@ static int jas_icctxtdesc_input(jas_iccattrval_t *attr +@@ -1011,7 +1010,6 @@ static int jas_icccurv_input(jas_iccattrval_t *attrval + return 0; + + error: +- jas_icccurv_destroy(attrval); + return -1; + } + +@@ -1100,7 +1098,7 @@ static int jas_icctxtdesc_input(jas_iccattrval_t *attr if (jas_iccgetuint32(in, &txtdesc->uclangcode) || jas_iccgetuint32(in, &txtdesc->uclen)) goto error; @@ -47,7 +59,24 @@ $OpenBSD$ goto error; if (jas_stream_read(in, txtdesc->ucdata, txtdesc->uclen * 2) != JAS_CAST(int, txtdesc->uclen * 2)) -@@ -1292,17 +1291,17 @@ static int jas_icclut8_input(jas_iccattrval_t *attrval +@@ -1129,7 +1127,6 @@ static int jas_icctxtdesc_input(jas_iccattrval_t *attr + #endif + return 0; + error: +- jas_icctxtdesc_destroy(attrval); + return -1; + } + +@@ -1208,8 +1205,6 @@ static int jas_icctxt_input(jas_iccattrval_t *attrval, + goto error; + return 0; + error: +- if (txt->string) +- jas_free(txt->string); + return -1; + } + +@@ -1292,17 +1287,17 @@ static int jas_icclut8_input(jas_iccattrval_t *attrval jas_iccgetuint16(in, &lut8->numouttabents)) goto error; clutsize = jas_iccpowi(lut8->clutlen, lut8->numinchans) * lut8->numoutchans; @@ -72,7 +101,15 @@ $OpenBSD$ sizeof(jas_iccuint8_t *)))) goto error; for (i = 0; i < lut8->numoutchans; ++i) -@@ -1461,17 +1460,17 @@ static int jas_icclut16_input(jas_iccattrval_t *attrva +@@ -1330,7 +1325,6 @@ static int jas_icclut8_input(jas_iccattrval_t *attrval + goto error; + return 0; + error: +- jas_icclut8_destroy(attrval); + return -1; + } + +@@ -1461,17 +1455,17 @@ static int jas_icclut16_input(jas_iccattrval_t *attrva jas_iccgetuint16(in, &lut16->numouttabents)) goto error; clutsize = jas_iccpowi(lut16->clutlen, lut16->numinchans) * lut16->numoutchans; @@ -95,3 +132,11 @@ $OpenBSD$ sizeof(jas_iccuint16_t *)))) goto error; for (i = 0; i < lut16->numoutchans; ++i) +@@ -1499,7 +1493,6 @@ static int jas_icclut16_input(jas_iccattrval_t *attrva + goto error; + return 0; + error: +- jas_icclut16_destroy(attrval); + return -1; + } + Index: patches/patch-src_libjasper_jp2_jp2_dec_c =================================================================== RCS file: /cvs/obsd/ports/graphics/jasper/patches/patch-src_libjasper_jp2_jp2_dec_c,v retrieving revision 1.2 diff -u -p -u -p -r1.2 patch-src_libjasper_jp2_jp2_dec_c --- patches/patch-src_libjasper_jp2_jp2_dec_c 17 May 2008 09:32:16 -0000 1.2 +++ patches/patch-src_libjasper_jp2_jp2_dec_c 30 Oct 2015 05:37:32 -0000 @@ -1,9 +1,20 @@ $OpenBSD: patch-src_libjasper_jp2_jp2_dec_c,v 1.1.1.1 2004/05/14 05:33:57 brad Exp $ ---- src/libjasper/jp2/jp2_dec.c.orig Fri Jan 19 22:43:05 2007 -+++ src/libjasper/jp2/jp2_dec.c Fri May 16 21:27:34 2008 -@@ -293,7 +293,9 @@ jas_image_t *jp2_decode(jas_stream_t *in, char *optstr + +Security fixes from Slackware: + CVE-2014-8137: double-free + CVE-2014-8138: heap-based buffer overflow + +--- src/libjasper/jp2/jp2_dec.c.orig Fri Jan 19 13:43:05 2007 ++++ src/libjasper/jp2/jp2_dec.c Thu Oct 29 22:04:41 2015 +@@ -291,9 +291,14 @@ jas_image_t *jp2_decode(jas_stream_t *in, char *optstr + case JP2_COLR_ICC: + iccprof = jas_iccprof_createfrombuf(dec->colr->data.colr.iccp, dec->colr->data.colr.iccplen); - assert(iccprof); +- assert(iccprof); ++ if (!iccprof) { ++ jas_eprintf("error: failed to parse ICC profile\n"); ++ goto error; ++ } jas_iccprof_gethdr(iccprof, &icchdr); - jas_eprintf("ICC Profile CS %08x\n", icchdr.colorspc); + if (jas_getdbglevel() >= 1) { @@ -12,7 +23,7 @@ $OpenBSD: patch-src_libjasper_jp2_jp2_de jas_image_setclrspc(dec->image, fromiccpcs(icchdr.colorspc)); dec->image->cmprof_ = jas_cmprof_createfromiccprof(iccprof); assert(dec->image->cmprof_); -@@ -336,7 +338,7 @@ jas_image_t *jp2_decode(jas_stream_t *in, char *optstr +@@ -336,7 +341,7 @@ jas_image_t *jp2_decode(jas_stream_t *in, char *optstr } /* Allocate space for the channel-number to component-number LUT. */ @@ -21,7 +32,7 @@ $OpenBSD: patch-src_libjasper_jp2_jp2_de jas_eprintf("error: no memory\n"); goto error; } -@@ -354,7 +356,7 @@ jas_image_t *jp2_decode(jas_stream_t *in, char *optstr +@@ -354,7 +359,7 @@ jas_image_t *jp2_decode(jas_stream_t *in, char *optstr if (cmapent->map == JP2_CMAP_DIRECT) { dec->chantocmptlut[channo] = channo; } else if (cmapent->map == JP2_CMAP_PALETTE) { @@ -30,3 +41,15 @@ $OpenBSD: patch-src_libjasper_jp2_jp2_de for (i = 0; i < pclrd->numlutents; ++i) { lutents[i] = pclrd->lutdata[cmapent->pcol + i * pclrd->numchans]; } +@@ -386,6 +391,11 @@ jas_image_t *jp2_decode(jas_stream_t *in, char *optstr + /* Determine the type of each component. */ + if (dec->cdef) { + for (i = 0; i < dec->numchans; ++i) { ++ /* Is the channel number reasonable? */ ++ if (dec->cdef->data.cdef.ents[i].channo >= dec->numchans) { ++ jas_eprintf("error: invalid channel number in CDEF box\n"); ++ goto error; ++ } + jas_image_setcmpttype(dec->image, + dec->chantocmptlut[dec->cdef->data.cdef.ents[i].channo], + jp2_getct(jas_image_clrspc(dec->image), Index: patches/patch-src_libjasper_jpc_jpc_dec_c =================================================================== RCS file: /cvs/obsd/ports/graphics/jasper/patches/patch-src_libjasper_jpc_jpc_dec_c,v retrieving revision 1.3 diff -u -p -u -p -r1.3 patch-src_libjasper_jpc_jpc_dec_c --- patches/patch-src_libjasper_jpc_jpc_dec_c 17 May 2008 09:32:16 -0000 1.3 +++ patches/patch-src_libjasper_jpc_jpc_dec_c 30 Oct 2015 05:37:32 -0000 @@ -1,6 +1,11 @@ $OpenBSD: patch-src_libjasper_jpc_jpc_dec_c,v 1.2 2007/03/29 13:43:53 jasper Exp $ ---- src/libjasper/jpc/jpc_dec.c.orig Fri Jan 19 22:43:07 2007 -+++ src/libjasper/jpc/jpc_dec.c Fri May 16 21:35:28 2008 + +Security fixes from Slackware: + CVE-2014-8157: off-by-one + CVE-2014-9029: multiple off-by-one + +--- src/libjasper/jpc/jpc_dec.c.orig Fri Jan 19 13:43:07 2007 ++++ src/libjasper/jpc/jpc_dec.c Thu Oct 29 22:08:08 2015 @@ -449,7 +449,7 @@ static int jpc_dec_process_sot(jpc_dec_t *dec, jpc_ms_ if (dec->state == JPC_MH) { @@ -10,6 +15,15 @@ $OpenBSD: patch-src_libjasper_jpc_jpc_de assert(compinfos); for (cmptno = 0, cmpt = dec->cmpts, compinfo = compinfos; cmptno < dec->numcomps; ++cmptno, ++cmpt, ++compinfo) { +@@ -489,7 +489,7 @@ static int jpc_dec_process_sot(jpc_dec_t *dec, jpc_ms_ + dec->curtileendoff = 0; + } + +- if (JAS_CAST(int, sot->tileno) > dec->numtiles) { ++ if (JAS_CAST(int, sot->tileno) >= dec->numtiles) { + jas_eprintf("invalid tile number in SOT marker segment\n"); + return -1; + } @@ -692,7 +692,7 @@ static int jpc_dec_tileinit(jpc_dec_t *dec, jpc_dec_ti tile->realmode = 1; } @@ -73,6 +87,33 @@ $OpenBSD: patch-src_libjasper_jpc_jpc_de sizeof(jpc_dec_tcomp_t)))) { return -1; } +@@ -1280,7 +1280,7 @@ static int jpc_dec_process_coc(jpc_dec_t *dec, jpc_ms_ + jpc_coc_t *coc = &ms->parms.coc; + jpc_dec_tile_t *tile; + +- if (JAS_CAST(int, coc->compno) > dec->numcomps) { ++ if (JAS_CAST(int, coc->compno) >= dec->numcomps) { + jas_eprintf("invalid component number in COC marker segment\n"); + return -1; + } +@@ -1306,7 +1306,7 @@ static int jpc_dec_process_rgn(jpc_dec_t *dec, jpc_ms_ + jpc_rgn_t *rgn = &ms->parms.rgn; + jpc_dec_tile_t *tile; + +- if (JAS_CAST(int, rgn->compno) > dec->numcomps) { ++ if (JAS_CAST(int, rgn->compno) >= dec->numcomps) { + jas_eprintf("invalid component number in RGN marker segment\n"); + return -1; + } +@@ -1355,7 +1355,7 @@ static int jpc_dec_process_qcc(jpc_dec_t *dec, jpc_ms_ + jpc_qcc_t *qcc = &ms->parms.qcc; + jpc_dec_tile_t *tile; + +- if (JAS_CAST(int, qcc->compno) > dec->numcomps) { ++ if (JAS_CAST(int, qcc->compno) >= dec->numcomps) { + jas_eprintf("invalid component number in QCC marker segment\n"); + return -1; + } @@ -1466,7 +1466,9 @@ static int jpc_dec_process_unk(jpc_dec_t *dec, jpc_ms_ dec = 0; Index: patches/patch-src_libjasper_jpc_jpc_qmfb_c =================================================================== RCS file: /cvs/obsd/ports/graphics/jasper/patches/patch-src_libjasper_jpc_jpc_qmfb_c,v retrieving revision 1.1 diff -u -p -u -p -r1.1 patch-src_libjasper_jpc_jpc_qmfb_c --- patches/patch-src_libjasper_jpc_jpc_qmfb_c 17 May 2008 09:32:16 -0000 1.1 +++ patches/patch-src_libjasper_jpc_jpc_qmfb_c 30 Oct 2015 05:37:32 -0000 @@ -1,8 +1,27 @@ $OpenBSD$ ---- src/libjasper/jpc/jpc_qmfb.c.orig Fri Jan 19 22:43:07 2007 -+++ src/libjasper/jpc/jpc_qmfb.c Fri May 16 22:46:25 2008 -@@ -321,7 +321,7 @@ void jpc_qmfb_split_row(jpc_fix_t *a, int numcols, int - #if !defined(HAVE_VLA) + +Security fix from Slackware: + CVE-2014-8158: multiple stack-based buffer overflows + +--- src/libjasper/jpc/jpc_qmfb.c.orig Fri Jan 19 13:43:07 2007 ++++ src/libjasper/jpc/jpc_qmfb.c Thu Oct 29 22:06:54 2015 +@@ -306,11 +306,7 @@ void jpc_qmfb_split_row(jpc_fix_t *a, int numcols, int + { + + int bufsize = JPC_CEILDIVPOW2(numcols, 1); +-#if !defined(HAVE_VLA) + jpc_fix_t splitbuf[QMFB_SPLITBUFSIZE]; +-#else +- jpc_fix_t splitbuf[bufsize]; +-#endif + jpc_fix_t *buf = splitbuf; + register jpc_fix_t *srcptr; + register jpc_fix_t *dstptr; +@@ -318,15 +314,13 @@ void jpc_qmfb_split_row(jpc_fix_t *a, int numcols, int + register int m; + int hstartcol; + +-#if !defined(HAVE_VLA) /* Get a buffer. */ if (bufsize > QMFB_SPLITBUFSIZE) { - if (!(buf = jas_malloc(bufsize * sizeof(jpc_fix_t)))) { @@ -10,8 +29,41 @@ $OpenBSD$ /* We have no choice but to commit suicide in this case. */ abort(); } -@@ -389,7 +389,7 @@ void jpc_qmfb_split_col(jpc_fix_t *a, int numrows, int - #if !defined(HAVE_VLA) + } +-#endif + + if (numcols >= 2) { + hstartcol = (numcols + 1 - parity) >> 1; +@@ -360,12 +354,10 @@ void jpc_qmfb_split_row(jpc_fix_t *a, int numcols, int + } + } + +-#if !defined(HAVE_VLA) + /* If the split buffer was allocated on the heap, free this memory. */ + if (buf != splitbuf) { + jas_free(buf); + } +-#endif + + } + +@@ -374,11 +366,7 @@ void jpc_qmfb_split_col(jpc_fix_t *a, int numrows, int + { + + int bufsize = JPC_CEILDIVPOW2(numrows, 1); +-#if !defined(HAVE_VLA) + jpc_fix_t splitbuf[QMFB_SPLITBUFSIZE]; +-#else +- jpc_fix_t splitbuf[bufsize]; +-#endif + jpc_fix_t *buf = splitbuf; + register jpc_fix_t *srcptr; + register jpc_fix_t *dstptr; +@@ -386,15 +374,13 @@ void jpc_qmfb_split_col(jpc_fix_t *a, int numrows, int + register int m; + int hstartcol; + +-#if !defined(HAVE_VLA) /* Get a buffer. */ if (bufsize > QMFB_SPLITBUFSIZE) { - if (!(buf = jas_malloc(bufsize * sizeof(jpc_fix_t)))) { @@ -19,8 +71,41 @@ $OpenBSD$ /* We have no choice but to commit suicide in this case. */ abort(); } -@@ -460,7 +460,7 @@ void jpc_qmfb_split_colgrp(jpc_fix_t *a, int numrows, - #if !defined(HAVE_VLA) + } +-#endif + + if (numrows >= 2) { + hstartcol = (numrows + 1 - parity) >> 1; +@@ -428,12 +414,10 @@ void jpc_qmfb_split_col(jpc_fix_t *a, int numrows, int + } + } + +-#if !defined(HAVE_VLA) + /* If the split buffer was allocated on the heap, free this memory. */ + if (buf != splitbuf) { + jas_free(buf); + } +-#endif + + } + +@@ -442,11 +426,7 @@ void jpc_qmfb_split_colgrp(jpc_fix_t *a, int numrows, + { + + int bufsize = JPC_CEILDIVPOW2(numrows, 1); +-#if !defined(HAVE_VLA) + jpc_fix_t splitbuf[QMFB_SPLITBUFSIZE * JPC_QMFB_COLGRPSIZE]; +-#else +- jpc_fix_t splitbuf[bufsize * JPC_QMFB_COLGRPSIZE]; +-#endif + jpc_fix_t *buf = splitbuf; + jpc_fix_t *srcptr; + jpc_fix_t *dstptr; +@@ -457,15 +437,13 @@ void jpc_qmfb_split_colgrp(jpc_fix_t *a, int numrows, + int m; + int hstartcol; + +-#if !defined(HAVE_VLA) /* Get a buffer. */ if (bufsize > QMFB_SPLITBUFSIZE) { - if (!(buf = jas_malloc(bufsize * sizeof(jpc_fix_t)))) { @@ -28,8 +113,41 @@ $OpenBSD$ /* We have no choice but to commit suicide in this case. */ abort(); } -@@ -549,7 +549,7 @@ void jpc_qmfb_split_colres(jpc_fix_t *a, int numrows, - #if !defined(HAVE_VLA) + } +-#endif + + if (numrows >= 2) { + hstartcol = (numrows + 1 - parity) >> 1; +@@ -517,12 +495,10 @@ void jpc_qmfb_split_colgrp(jpc_fix_t *a, int numrows, + } + } + +-#if !defined(HAVE_VLA) + /* If the split buffer was allocated on the heap, free this memory. */ + if (buf != splitbuf) { + jas_free(buf); + } +-#endif + + } + +@@ -531,11 +507,7 @@ void jpc_qmfb_split_colres(jpc_fix_t *a, int numrows, + { + + int bufsize = JPC_CEILDIVPOW2(numrows, 1); +-#if !defined(HAVE_VLA) + jpc_fix_t splitbuf[QMFB_SPLITBUFSIZE * JPC_QMFB_COLGRPSIZE]; +-#else +- jpc_fix_t splitbuf[bufsize * numcols]; +-#endif + jpc_fix_t *buf = splitbuf; + jpc_fix_t *srcptr; + jpc_fix_t *dstptr; +@@ -546,15 +518,13 @@ void jpc_qmfb_split_colres(jpc_fix_t *a, int numrows, + int m; + int hstartcol; + +-#if !defined(HAVE_VLA) /* Get a buffer. */ if (bufsize > QMFB_SPLITBUFSIZE) { - if (!(buf = jas_malloc(bufsize * sizeof(jpc_fix_t)))) { @@ -37,8 +155,40 @@ $OpenBSD$ /* We have no choice but to commit suicide in this case. */ abort(); } -@@ -633,7 +633,7 @@ void jpc_qmfb_join_row(jpc_fix_t *a, int numcols, int - #if !defined(HAVE_VLA) + } +-#endif + + if (numrows >= 2) { + hstartcol = (numrows + 1 - parity) >> 1; +@@ -606,12 +576,10 @@ void jpc_qmfb_split_colres(jpc_fix_t *a, int numrows, + } + } + +-#if !defined(HAVE_VLA) + /* If the split buffer was allocated on the heap, free this memory. */ + if (buf != splitbuf) { + jas_free(buf); + } +-#endif + + } + +@@ -619,26 +587,20 @@ void jpc_qmfb_join_row(jpc_fix_t *a, int numcols, int + { + + int bufsize = JPC_CEILDIVPOW2(numcols, 1); +-#if !defined(HAVE_VLA) + jpc_fix_t joinbuf[QMFB_JOINBUFSIZE]; +-#else +- jpc_fix_t joinbuf[bufsize]; +-#endif + jpc_fix_t *buf = joinbuf; + register jpc_fix_t *srcptr; + register jpc_fix_t *dstptr; + register int n; + int hstartcol; + +-#if !defined(HAVE_VLA) /* Allocate memory for the join buffer from the heap. */ if (bufsize > QMFB_JOINBUFSIZE) { - if (!(buf = jas_malloc(bufsize * sizeof(jpc_fix_t)))) { @@ -46,8 +196,40 @@ $OpenBSD$ /* We have no choice but to commit suicide. */ abort(); } -@@ -698,7 +698,7 @@ void jpc_qmfb_join_col(jpc_fix_t *a, int numrows, int - #if !defined(HAVE_VLA) + } +-#endif + + hstartcol = (numcols + 1 - parity) >> 1; + +@@ -670,12 +632,10 @@ void jpc_qmfb_join_row(jpc_fix_t *a, int numcols, int + ++srcptr; + } + +-#if !defined(HAVE_VLA) + /* If the join buffer was allocated on the heap, free this memory. */ + if (buf != joinbuf) { + jas_free(buf); + } +-#endif + + } + +@@ -684,26 +644,20 @@ void jpc_qmfb_join_col(jpc_fix_t *a, int numrows, int + { + + int bufsize = JPC_CEILDIVPOW2(numrows, 1); +-#if !defined(HAVE_VLA) + jpc_fix_t joinbuf[QMFB_JOINBUFSIZE]; +-#else +- jpc_fix_t joinbuf[bufsize]; +-#endif + jpc_fix_t *buf = joinbuf; + register jpc_fix_t *srcptr; + register jpc_fix_t *dstptr; + register int n; + int hstartcol; + +-#if !defined(HAVE_VLA) /* Allocate memory for the join buffer from the heap. */ if (bufsize > QMFB_JOINBUFSIZE) { - if (!(buf = jas_malloc(bufsize * sizeof(jpc_fix_t)))) { @@ -55,8 +237,41 @@ $OpenBSD$ /* We have no choice but to commit suicide. */ abort(); } -@@ -766,7 +766,7 @@ void jpc_qmfb_join_colgrp(jpc_fix_t *a, int numrows, i - #if !defined(HAVE_VLA) + } +-#endif + + hstartcol = (numrows + 1 - parity) >> 1; + +@@ -735,12 +689,10 @@ void jpc_qmfb_join_col(jpc_fix_t *a, int numrows, int + ++srcptr; + } + +-#if !defined(HAVE_VLA) + /* If the join buffer was allocated on the heap, free this memory. */ + if (buf != joinbuf) { + jas_free(buf); + } +-#endif + + } + +@@ -749,11 +701,7 @@ void jpc_qmfb_join_colgrp(jpc_fix_t *a, int numrows, i + { + + int bufsize = JPC_CEILDIVPOW2(numrows, 1); +-#if !defined(HAVE_VLA) + jpc_fix_t joinbuf[QMFB_JOINBUFSIZE * JPC_QMFB_COLGRPSIZE]; +-#else +- jpc_fix_t joinbuf[bufsize * JPC_QMFB_COLGRPSIZE]; +-#endif + jpc_fix_t *buf = joinbuf; + jpc_fix_t *srcptr; + jpc_fix_t *dstptr; +@@ -763,15 +711,13 @@ void jpc_qmfb_join_colgrp(jpc_fix_t *a, int numrows, i + register int i; + int hstartcol; + +-#if !defined(HAVE_VLA) /* Allocate memory for the join buffer from the heap. */ if (bufsize > QMFB_JOINBUFSIZE) { - if (!(buf = jas_malloc(bufsize * JPC_QMFB_COLGRPSIZE * sizeof(jpc_fix_t)))) { @@ -64,8 +279,41 @@ $OpenBSD$ /* We have no choice but to commit suicide. */ abort(); } -@@ -852,7 +852,7 @@ void jpc_qmfb_join_colres(jpc_fix_t *a, int numrows, i - #if !defined(HAVE_VLA) + } +-#endif + + hstartcol = (numrows + 1 - parity) >> 1; + +@@ -821,12 +767,10 @@ void jpc_qmfb_join_colgrp(jpc_fix_t *a, int numrows, i + srcptr += JPC_QMFB_COLGRPSIZE; + } + +-#if !defined(HAVE_VLA) + /* If the join buffer was allocated on the heap, free this memory. */ + if (buf != joinbuf) { + jas_free(buf); + } +-#endif + + } + +@@ -835,11 +779,7 @@ void jpc_qmfb_join_colres(jpc_fix_t *a, int numrows, i + { + + int bufsize = JPC_CEILDIVPOW2(numrows, 1); +-#if !defined(HAVE_VLA) + jpc_fix_t joinbuf[QMFB_JOINBUFSIZE * JPC_QMFB_COLGRPSIZE]; +-#else +- jpc_fix_t joinbuf[bufsize * numcols]; +-#endif + jpc_fix_t *buf = joinbuf; + jpc_fix_t *srcptr; + jpc_fix_t *dstptr; +@@ -849,15 +789,13 @@ void jpc_qmfb_join_colres(jpc_fix_t *a, int numrows, i + register int i; + int hstartcol; + +-#if !defined(HAVE_VLA) /* Allocate memory for the join buffer from the heap. */ if (bufsize > QMFB_JOINBUFSIZE) { - if (!(buf = jas_malloc(bufsize * numcols * sizeof(jpc_fix_t)))) { @@ -73,3 +321,21 @@ $OpenBSD$ /* We have no choice but to commit suicide. */ abort(); } + } +-#endif + + hstartcol = (numrows + 1 - parity) >> 1; + +@@ -907,12 +845,10 @@ void jpc_qmfb_join_colres(jpc_fix_t *a, int numrows, i + srcptr += numcols; + } + +-#if !defined(HAVE_VLA) + /* If the join buffer was allocated on the heap, free this memory. */ + if (buf != joinbuf) { + jas_free(buf); + } +-#endif + + } +