From 7ab73c4addad7cf5358b988943871ea85192f692 Mon Sep 17 00:00:00 2001
From: Mark H Weaver <mhw@netris.org>
Date: Wed, 7 Oct 2015 22:17:12 -0400
Subject: [PATCH] gnu: openjpeg-2.x: Add fix for CVE-2015-6581.

* gnu/packages/patches/openjpeg-CVE-2015-6581.patch: New file.
* gnu-system.am (dist_patch_DATA): Add it.
* gnu/packages/image.scm (openjpeg, openjpeg-2.0)[source]: Add patch.
---
 gnu-system.am                                 |  1 +
 gnu/packages/image.scm                        |  6 ++-
 .../patches/openjpeg-CVE-2015-6581.patch      | 47 +++++++++++++++++++
 3 files changed, 52 insertions(+), 2 deletions(-)
 create mode 100644 gnu/packages/patches/openjpeg-CVE-2015-6581.patch

diff --git a/gnu-system.am b/gnu-system.am
index 577c6e8c07..35d2da4701 100644
--- a/gnu-system.am
+++ b/gnu-system.am
@@ -572,6 +572,7 @@ dist_patch_DATA =						\
   gnu/packages/patches/nvi-dbpagesize-binpower.patch		\
   gnu/packages/patches/nvi-db4.patch				\
   gnu/packages/patches/openexr-missing-samples.patch		\
+  gnu/packages/patches/openjpeg-CVE-2015-6581.patch		\
   gnu/packages/patches/openjpeg-use-after-free-fix.patch	\
   gnu/packages/patches/openssl-runpath.patch			\
   gnu/packages/patches/openssl-c-rehash.patch			\
diff --git a/gnu/packages/image.scm b/gnu/packages/image.scm
index 26f1be9a2f..23ad59ce9a 100644
--- a/gnu/packages/image.scm
+++ b/gnu/packages/image.scm
@@ -272,7 +272,8 @@ work.")
                         version ".tar.gz"))
         (sha256
          (base32 "00zzm303zvv4ijzancrsb1cqbph3pgz0nky92k9qx3fq9y0vnchj"))
-        (patches (list (search-patch "openjpeg-use-after-free-fix.patch")))))
+        (patches (map search-patch '("openjpeg-use-after-free-fix.patch"
+                                     "openjpeg-CVE-2015-6581.patch")))))
     (build-system cmake-build-system)
     (arguments
       ;; Trying to run `$ make check' results in a no rule fault.
@@ -308,7 +309,8 @@ error-resilience, a Java-viewer for j2k-images, ...")
                        version ".tar.gz"))
        (sha256
         (base32 "1c2xc3nl2mg511b63rk7hrckmy14681p1m44mzw3n1fyqnjm0b0z"))
-       (patches (list (search-patch "openjpeg-use-after-free-fix.patch")))))))
+       (patches (map search-patch '("openjpeg-use-after-free-fix.patch"
+                                    "openjpeg-CVE-2015-6581.patch")))))))
 
 (define-public openjpeg-1
   (package (inherit openjpeg)
diff --git a/gnu/packages/patches/openjpeg-CVE-2015-6581.patch b/gnu/packages/patches/openjpeg-CVE-2015-6581.patch
new file mode 100644
index 0000000000..7ce03501f4
--- /dev/null
+++ b/gnu/packages/patches/openjpeg-CVE-2015-6581.patch
@@ -0,0 +1,47 @@
+From 0fa5a17c98c4b8f9ee2286f4f0a50cf52a5fccb0 Mon Sep 17 00:00:00 2001
+From: Matthieu Darbois <mayeut@users.noreply.github.com>
+Date: Tue, 19 May 2015 21:57:27 +0000
+Subject: [PATCH] [trunk] Correct potential double free on malloc failure in
+ opj_j2k_copy_default_tcp_and_create_tcp (fixes issue 492)
+
+---
+ src/lib/openjp2/j2k.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/src/lib/openjp2/j2k.c b/src/lib/openjp2/j2k.c
+index 8c62a39..cbdd368 100644
+--- a/src/lib/openjp2/j2k.c
++++ b/src/lib/openjp2/j2k.c
+@@ -7365,6 +7365,12 @@ static OPJ_BOOL opj_j2k_copy_default_tcp_and_create_tcd (       opj_j2k_t * p_j2
+                 l_tcp->cod = 0;
+                 l_tcp->ppt = 0;
+                 l_tcp->ppt_data = 00;
++                /* Remove memory not owned by this tile in case of early error return. */
++                l_tcp->m_mct_decoding_matrix = 00;
++                l_tcp->m_nb_max_mct_records = 0;
++                l_tcp->m_mct_records = 00;
++                l_tcp->m_nb_max_mcc_records = 0;
++                l_tcp->m_mcc_records = 00;
+                 /* Reconnect the tile-compo coding parameters pointer to the current tile coding parameters*/
+                 l_tcp->tccps = l_current_tccp;
+ 
+@@ -7402,6 +7408,8 @@ static OPJ_BOOL opj_j2k_copy_default_tcp_and_create_tcd (       opj_j2k_t * p_j2
+ 
+                         ++l_src_mct_rec;
+                         ++l_dest_mct_rec;
++                        /* Update with each pass to free exactly what has been allocated on early return. */
++                        l_tcp->m_nb_max_mct_records += 1;
+                 }
+ 
+                 /* Get the mcc_record of the dflt_tile_cp and copy them into the current tile cp*/
+@@ -7411,6 +7419,7 @@ static OPJ_BOOL opj_j2k_copy_default_tcp_and_create_tcd (       opj_j2k_t * p_j2
+                         return OPJ_FALSE;
+                 }
+                 memcpy(l_tcp->m_mcc_records,l_default_tcp->m_mcc_records,l_mcc_records_size);
++                l_tcp->m_nb_max_mcc_records = l_default_tcp->m_nb_max_mcc_records;
+ 
+                 /* Copy the mcc record data from dflt_tile_cp to the current tile*/
+                 l_src_mcc_rec = l_default_tcp->m_mcc_records;
+-- 
+2.5.0
+