Add fixes for CVE-2008-3520 and CVE-2008-3522, patches from

https://bugs.gentoo.org/show_bug.cgi?id=222819 Bump PKGREVISION.
2016-05-16 14:03:40 +00:00 · 2016-05-16 14:03:40 +00:00 · 06d2094ae5
commit 06d2094ae5
parent 3831816ba1
27 changed files with 1094 additions and 92 deletions
--- a/graphics/jasper/Makefile
+++ b/graphics/jasper/Makefile
@ -1,7 +1,7 @@
-# $NetBSD: Makefile,v 1.42 2016/03/13 04:11:18 tnn Exp $
+# $NetBSD: Makefile,v 1.43 2016/05/16 14:03:40 he Exp $

 DISTNAME=	jasper-1.900.1
-PKGREVISION=	11
+PKGREVISION=	12
 CATEGORIES=	graphics
 MASTER_SITES=	http://www.ece.uvic.ca/~mdadams/jasper/software/
 EXTRACT_SUFX=	.zip
--- a/graphics/jasper/distinfo
+++ b/graphics/jasper/distinfo
@ -1,15 +1,32 @@
-$NetBSD: distinfo,v 1.19 2016/03/13 04:11:18 tnn Exp $
+$NetBSD: distinfo,v 1.20 2016/05/16 14:03:40 he Exp $

 SHA1 (jasper-1.900.1.zip) = 9c5735f773922e580bf98c7c7dfda9bbed4c5191
 RMD160 (jasper-1.900.1.zip) = fb2c188abf5b8c297078ac1f913101734f72db5c
 SHA512 (jasper-1.900.1.zip) = e3a3c803de848b50482f5bd693b1945197c6999285226c45b671855734d7bb2611fbe6f28cd8ba9c56a4ea59417795eba42d72516c9fec93b8fbaa21b8210cb6
 Size (jasper-1.900.1.zip) = 1415752 bytes
 SHA1 (patch-configure) = c8aa09f8432f0e3f5667ecb3ccd738c3c03f3f05
-SHA1 (patch-src_libjasper_base_jas__icc.c) = ec2faf717f8d561cda3cdc63516d843e195b102c
-SHA1 (patch-src_libjasper_base_jas__image.c) = a901a5847c4732a22c0e771c1d5763432fb5a1db
-SHA1 (patch-src_libjasper_base_jas__seq.c) = 609171c4aa905ba3e3dd74779c18c7b5ab52200c
-SHA1 (patch-src_libjasper_jp2_jp2__cod.c) = 7902e9900130f466fa60a5389409cc9495b6260c
-SHA1 (patch-src_libjasper_jp2_jp2__dec.c) = 5a795502f9241829afa1acf0a2a341155b954108
-SHA1 (patch-src_libjasper_jpc_jpc__cs.c) = 794de4dcf8f809275a5bee5cb60d95cf9608e0a7
-SHA1 (patch-src_libjasper_jpc_jpc__dec.c) = 9b0d764671ef32868a390464480c5b3ee805e258
-SHA1 (patch-src_libjasper_jpc_jpc__qmfb.c) = 8c8d6e6fbb8ce0117a9e806777a6fdde21e6d780
+SHA1 (patch-src_libjasper_base_jas__cm.c) = 51bcaa7d992616c4caf764d190d42c8c802324f8
+SHA1 (patch-src_libjasper_base_jas__icc.c) = 855e8b733a4a043d06cea60deaa497784e55838c
+SHA1 (patch-src_libjasper_base_jas__image.c) = d9119ab45d95f954604167374f5f97c1d94d508f
+SHA1 (patch-src_libjasper_base_jas__malloc.c) = 887509258c8a957932bb212b747aa5b8932e82af
+SHA1 (patch-src_libjasper_base_jas__seq.c) = bc1c38439eb61e3c50a5900e38e4a8992bc790fe
+SHA1 (patch-src_libjasper_base_jas__stream.c) = 1e6cbd1cf0a273f94144e1f12624b9a5d612dd84
+SHA1 (patch-src_libjasper_bmp_bmp__dec.c) = 162f760235fba871c48afc273276fad884250ed6
+SHA1 (patch-src_libjasper_include_jasper_jas__malloc.h) = 3d6e873f11074bc54bd6dc5665d3c80413ef89fe
+SHA1 (patch-src_libjasper_jp2_jp2__cod.c) = 656f23983f97e3b5eea49898e9f29d6b3eef5b19
+SHA1 (patch-src_libjasper_jp2_jp2__dec.c) = 9b8fbb8e947e403fed6c610a0d4a0c63640462e5
+SHA1 (patch-src_libjasper_jp2_jp2__enc.c) = f6a86101e04a2efdb0840b44a2b892de18683c59
+SHA1 (patch-src_libjasper_jpc_jpc__cs.c) = 603ee1ac6089bd190581fd0e00efabc18a41f48a
+SHA1 (patch-src_libjasper_jpc_jpc__dec.c) = 026235b7f59ecaa8ee148f0301dd96dc9a570e80
+SHA1 (patch-src_libjasper_jpc_jpc__enc.c) = 81cf4df888d1542cf52fadb202b82a05c8bdfd83
+SHA1 (patch-src_libjasper_jpc_jpc__mqdec.c) = bcf41d1da270478a731494a913bd626ba7d533f4
+SHA1 (patch-src_libjasper_jpc_jpc__mqenc.c) = b6c80212129f82268c43e5a3e39a7c7e1c12655a
+SHA1 (patch-src_libjasper_jpc_jpc__qmfb.c) = 6e7b5180047c6c8855aa22a3dd94d8deeb39b560
+SHA1 (patch-src_libjasper_jpc_jpc__t1enc.c) = 3aade36d3a171ad08f7be93c48bb51ab9fb9126f
+SHA1 (patch-src_libjasper_jpc_jpc__t2cod.c) = ce1a300066db7adfed03f55fc47d6392dd2d2221
+SHA1 (patch-src_libjasper_jpc_jpc__t2dec.c) = 06a2e58843b59bbf698a5aa15ba253fa51f18568
+SHA1 (patch-src_libjasper_jpc_jpc__t2enc.c) = 0a6119b4fc5a6305a8adb92357805af1fb55f1d9
+SHA1 (patch-src_libjasper_jpc_jpc__tagtree.c) = 9f0594c4aa576ef5d0cb85ec2c01c364efecf855
+SHA1 (patch-src_libjasper_jpc_jpc__util.c) = e7069e6106d7dd883aab18a1fa20c9dbfe1bebf1
+SHA1 (patch-src_libjasper_mif_mif__cod.c) = 7c34864c0c9f82eee89795673014feb5824fc7b5
+SHA1 (patch-src_libjasper_pnm_pnm__enc.c) = 3279f184f6191ea69d1b5ef8fb270ffcc6a69640
--- a/graphics/jasper/patches/patch-src_libjasper_base_jas__cm.c
+++ b/graphics/jasper/patches/patch-src_libjasper_base_jas__cm.c
@ -0,0 +1,51 @@
+$NetBSD: patch-src_libjasper_base_jas__cm.c,v 1.1 2016/05/16 14:03:40 he Exp $
+
+Fix CVE-2008-3520, patches from
+https://bugs.gentoo.org/show_bug.cgi?id=222819
+
+--- src/libjasper/base/jas_cm.c.orig	2007-01-19 21:43:05.000000000 +0000
+++ src/libjasper/base/jas_cm.c
+@@ -704,8 +704,7 @@ static int jas_cmpxformseq_resize(jas_cm
+ {
+ 	jas_cmpxform_t **p;
+ 	assert(n >= pxformseq->numpxforms);
+-	p = (!pxformseq->pxforms) ? jas_malloc(n * sizeof(jas_cmpxform_t *)) :
+-	  jas_realloc(pxformseq->pxforms, n * sizeof(jas_cmpxform_t *));
+	p = jas_realloc2(pxformseq->pxforms, n, sizeof(jas_cmpxform_t *));
+ 	if (!p) {
+ 		return -1;
+ 	}
+@@ -889,13 +888,13 @@ static int jas_cmshapmatlut_set(jas_cmsh
+ 	jas_cmshapmatlut_cleanup(lut);
+ 	if (curv->numents == 0) {
+ 		lut->size = 2;
+-		if (!(lut->data = jas_malloc(lut->size * sizeof(jas_cmreal_t))))
+		if (!(lut->data = jas_alloc2(lut->size, sizeof(jas_cmreal_t))))
+ 			goto error;
+ 		lut->data[0] = 0.0;
+ 		lut->data[1] = 1.0;
+ 	} else if (curv->numents == 1) {
+ 		lut->size = 256;
+-		if (!(lut->data = jas_malloc(lut->size * sizeof(jas_cmreal_t))))
+		if (!(lut->data = jas_alloc2(lut->size, sizeof(jas_cmreal_t))))
+ 			goto error;
+ 		gamma = curv->ents[0] / 256.0;
+ 		for (i = 0; i < lut->size; ++i) {
+@@ -903,7 +902,7 @@ static int jas_cmshapmatlut_set(jas_cmsh
+ 		}
+ 	} else {
+ 		lut->size = curv->numents;
+-		if (!(lut->data = jas_malloc(lut->size * sizeof(jas_cmreal_t))))
+		if (!(lut->data = jas_alloc2(lut->size, sizeof(jas_cmreal_t))))
+ 			goto error;
+ 		for (i = 0; i < lut->size; ++i) {
+ 			lut->data[i] = curv->ents[i] / 65535.0;
+@@ -953,7 +952,7 @@ static int jas_cmshapmatlut_invert(jas_c
+ 			return -1;
+ 		}
+ 	}
+-	if (!(invlut->data = jas_malloc(n * sizeof(jas_cmreal_t))))
+	if (!(invlut->data = jas_alloc2(n, sizeof(jas_cmreal_t))))
+ 		return -1;
+ 	invlut->size = n;
+ 	for (i = 0; i < invlut->size; ++i) {
--- a/graphics/jasper/patches/patch-src_libjasper_base_jas__icc.c
+++ b/graphics/jasper/patches/patch-src_libjasper_base_jas__icc.c
@ -1,11 +1,14 @@
-$NetBSD: patch-src_libjasper_base_jas__icc.c,v 1.1 2016/03/13 04:11:18 tnn Exp $
+$NetBSD: patch-src_libjasper_base_jas__icc.c,v 1.2 2016/05/16 14:03:40 he Exp $

 CVE-2016-1577 prevent double free. Via Debian.
 CVE-2016-2116 memory leak / DoS. Via Debian.

--- src/libjasper/base/jas_icc.c.orig	2016-03-13 04:09:54.821655643 +0000
-+++ src/libjasper/base/jas_icc.c
-@@ -300,6 +300,7 @@ jas_iccprof_t *jas_iccprof_load(jas_stre
+Fix CVE-2008-3520, patches from
+https://bugs.gentoo.org/show_bug.cgi?id=222819
+
+--- src/libjasper/base/jas_icc.c.old	2016-03-31 14:47:00.000000000 +0200
+++ src/libjasper/base/jas_icc.c	2016-03-31 14:48:20.000000000 +0200
+@@ -300,6 +300,7 @@
 				if (jas_iccprof_setattr(prof, tagtabent->tag, attrval))
 					goto error;
 				jas_iccattrval_destroy(attrval);
@ -13,7 +16,103 @@ CVE-2016-2116 memory leak / DoS. Via Debian.
 			} else {
 #if 0
 				jas_eprintf("warning: skipping unknown tag type\n");
-@@ -1699,6 +1700,8 @@ jas_iccprof_t *jas_iccprof_createfrombuf
+@@ -373,7 +374,7 @@
+ 	jas_icctagtab_t *tagtab;
+ 
+ 	tagtab = &prof->tagtab;
+-	if (!(tagtab->ents = jas_malloc(prof->attrtab->numattrs *
+	if (!(tagtab->ents = jas_alloc2(prof->attrtab->numattrs,
+ 	  sizeof(jas_icctagtabent_t))))
+ 		goto error;
+ 	tagtab->numents = prof->attrtab->numattrs;
+@@ -522,7 +523,7 @@
+ 	}
+ 	if (jas_iccgetuint32(in, &tagtab->numents))
+ 		goto error;
+-	if (!(tagtab->ents = jas_malloc(tagtab->numents *
+	if (!(tagtab->ents = jas_alloc2(tagtab->numents,
+ 	  sizeof(jas_icctagtabent_t))))
+ 		goto error;
+ 	tagtabent = tagtab->ents;
+@@ -743,8 +744,7 @@
+ {
+ 	jas_iccattr_t *newattrs;
+ 	assert(maxents >= tab->numattrs);
+-	newattrs = tab->attrs ? jas_realloc(tab->attrs, maxents *
+-	  sizeof(jas_iccattr_t)) : jas_malloc(maxents * sizeof(jas_iccattr_t));
+	newattrs = jas_realloc2(tab->attrs, maxents, sizeof(jas_iccattr_t));
+ 	if (!newattrs)
+ 		return -1;
+ 	tab->attrs = newattrs;
+@@ -999,7 +999,7 @@
+ 
+ 	if (jas_iccgetuint32(in, &curv->numents))
+ 		goto error;
+-	if (!(curv->ents = jas_malloc(curv->numents * sizeof(jas_iccuint16_t))))
+	if (!(curv->ents = jas_alloc2(curv->numents, sizeof(jas_iccuint16_t))))
+ 		goto error;
+ 	for (i = 0; i < curv->numents; ++i) {
+ 		if (jas_iccgetuint16(in, &curv->ents[i]))
+@@ -1100,7 +1100,7 @@
+ 	if (jas_iccgetuint32(in, &txtdesc->uclangcode) ||
+ 	  jas_iccgetuint32(in, &txtdesc->uclen))
+ 		goto error;
+-	if (!(txtdesc->ucdata = jas_malloc(txtdesc->uclen * 2)))
+	if (!(txtdesc->ucdata = jas_alloc2(txtdesc->uclen, 2)))
+ 		goto error;
+ 	if (jas_stream_read(in, txtdesc->ucdata, txtdesc->uclen * 2) !=
+ 	  JAS_CAST(int, txtdesc->uclen * 2))
+@@ -1292,17 +1292,17 @@
+ 	  jas_iccgetuint16(in, &lut8->numouttabents))
+ 		goto error;
+ 	clutsize = jas_iccpowi(lut8->clutlen, lut8->numinchans) * lut8->numoutchans;
+-	if (!(lut8->clut = jas_malloc(clutsize * sizeof(jas_iccuint8_t))) ||
+-	  !(lut8->intabsbuf = jas_malloc(lut8->numinchans *
+-	  lut8->numintabents * sizeof(jas_iccuint8_t))) ||
+-	  !(lut8->intabs = jas_malloc(lut8->numinchans *
+	if (!(lut8->clut = jas_alloc2(clutsize, sizeof(jas_iccuint8_t))) ||
+	  !(lut8->intabsbuf = jas_alloc3(lut8->numinchans,
+	  lut8->numintabents, sizeof(jas_iccuint8_t))) ||
+	  !(lut8->intabs = jas_alloc2(lut8->numinchans,
+ 	  sizeof(jas_iccuint8_t *))))
+ 		goto error;
+ 	for (i = 0; i < lut8->numinchans; ++i)
+ 		lut8->intabs[i] = &lut8->intabsbuf[i * lut8->numintabents];
+-	if (!(lut8->outtabsbuf = jas_malloc(lut8->numoutchans *
+-	  lut8->numouttabents * sizeof(jas_iccuint8_t))) ||
+-	  !(lut8->outtabs = jas_malloc(lut8->numoutchans *
+	if (!(lut8->outtabsbuf = jas_alloc3(lut8->numoutchans,
+	  lut8->numouttabents, sizeof(jas_iccuint8_t))) ||
+	  !(lut8->outtabs = jas_alloc2(lut8->numoutchans,
+ 	  sizeof(jas_iccuint8_t *))))
+ 		goto error;
+ 	for (i = 0; i < lut8->numoutchans; ++i)
+@@ -1461,17 +1461,17 @@
+ 	  jas_iccgetuint16(in, &lut16->numouttabents))
+ 		goto error;
+ 	clutsize = jas_iccpowi(lut16->clutlen, lut16->numinchans) * lut16->numoutchans;
+-	if (!(lut16->clut = jas_malloc(clutsize * sizeof(jas_iccuint16_t))) ||
+-	  !(lut16->intabsbuf = jas_malloc(lut16->numinchans *
+-	  lut16->numintabents * sizeof(jas_iccuint16_t))) ||
+-	  !(lut16->intabs = jas_malloc(lut16->numinchans *
+	if (!(lut16->clut = jas_alloc2(clutsize, sizeof(jas_iccuint16_t))) ||
+	  !(lut16->intabsbuf = jas_alloc3(lut16->numinchans,
+	  lut16->numintabents, sizeof(jas_iccuint16_t))) ||
+	  !(lut16->intabs = jas_alloc2(lut16->numinchans,
+ 	  sizeof(jas_iccuint16_t *))))
+ 		goto error;
+ 	for (i = 0; i < lut16->numinchans; ++i)
+ 		lut16->intabs[i] = &lut16->intabsbuf[i * lut16->numintabents];
+-	if (!(lut16->outtabsbuf = jas_malloc(lut16->numoutchans *
+-	  lut16->numouttabents * sizeof(jas_iccuint16_t))) ||
+-	  !(lut16->outtabs = jas_malloc(lut16->numoutchans *
+	if (!(lut16->outtabsbuf = jas_alloc3(lut16->numoutchans,
+	  lut16->numouttabents, sizeof(jas_iccuint16_t))) ||
+	  !(lut16->outtabs = jas_alloc2(lut16->numoutchans,
+ 	  sizeof(jas_iccuint16_t *))))
+ 		goto error;
+ 	for (i = 0; i < lut16->numoutchans; ++i)
+@@ -1699,6 +1699,8 @@
 	jas_stream_close(in);
 	return prof;
 error:
--- a/graphics/jasper/patches/patch-src_libjasper_base_jas__image.c
+++ b/graphics/jasper/patches/patch-src_libjasper_base_jas__image.c
@ -1,10 +1,22 @@
-$NetBSD: patch-src_libjasper_base_jas__image.c,v 1.1 2016/03/13 04:11:18 tnn Exp $
+$NetBSD: patch-src_libjasper_base_jas__image.c,v 1.2 2016/05/16 14:03:40 he Exp $

 CVE-2016-2089 denial of service. Via Debian.

--- src/libjasper/base/jas_image.c.orig	2007-01-19 21:43:05.000000000 +0000
-+++ src/libjasper/base/jas_image.c
-@@ -426,6 +426,10 @@ int jas_image_readcmpt(jas_image_t *imag
+Fix CVE-2008-3520, patches from
+https://bugs.gentoo.org/show_bug.cgi?id=222819
+
+--- src/libjasper/base/jas_image.c.old	2016-03-31 14:47:00.000000000 +0200
+++ src/libjasper/base/jas_image.c	2016-03-31 14:47:50.000000000 +0200
+@@ -142,7 +142,7 @@
+ 	image->inmem_ = true;
+ 
+ 	/* Allocate memory for the per-component information. */
+-	if (!(image->cmpts_ = jas_malloc(image->maxcmpts_ *
+	if (!(image->cmpts_ = jas_alloc2(image->maxcmpts_,
+ 	  sizeof(jas_image_cmpt_t *)))) {
+ 		jas_image_destroy(image);
+ 		return 0;
+@@ -426,6 +426,10 @@
 		return -1;
 	}
 
@ -15,7 +27,7 @@ CVE-2016-2089 denial of service. Via Debian.
 	if (jas_matrix_numrows(data) != height || jas_matrix_numcols(data) != width) {
 		if (jas_matrix_resize(data, height, width)) {
 			return -1;
-@@ -479,6 +483,10 @@ int jas_image_writecmpt(jas_image_t *ima
+@@ -479,6 +483,10 @@
 		return -1;
 	}
 
@ -26,3 +38,13 @@ CVE-2016-2089 denial of service. Via Debian.
 	if (jas_matrix_numrows(data) != height || jas_matrix_numcols(data) != width) {
 		return -1;
 	}
+@@ -774,8 +782,7 @@
+ 	jas_image_cmpt_t **newcmpts;
+ 	int cmptno;
+ 
+-	newcmpts = (!image->cmpts_) ? jas_malloc(maxcmpts * sizeof(jas_image_cmpt_t *)) :
+-	  jas_realloc(image->cmpts_, maxcmpts * sizeof(jas_image_cmpt_t *));
+	newcmpts = jas_realloc2(image->cmpts_, maxcmpts, sizeof(jas_image_cmpt_t *));
+ 	if (!newcmpts) {
+ 		return -1;
+ 	}
--- a/graphics/jasper/patches/patch-src_libjasper_base_jas__malloc.c
+++ b/graphics/jasper/patches/patch-src_libjasper_base_jas__malloc.c
@ -0,0 +1,75 @@
+$NetBSD: patch-src_libjasper_base_jas__malloc.c,v 1.1 2016/05/16 14:03:40 he Exp $
+
+Fix CVE-2008-3520, patches from
+https://bugs.gentoo.org/show_bug.cgi?id=222819
+
+--- src/libjasper/base/jas_malloc.c.orig	2007-01-19 21:43:05.000000000 +0000
+++ src/libjasper/base/jas_malloc.c
+@@ -76,6 +76,9 @@
+ 
+ /* We need the prototype for memset. */
+ #include <string.h>
+#include <limits.h>
+#include <errno.h>
+#include <stdint.h>
+ 
+ #include "jasper/jas_malloc.h"
+ 
+@@ -113,18 +116,50 @@ void jas_free(void *ptr)
+ 
+ void *jas_realloc(void *ptr, size_t size)
+ {
+-	return realloc(ptr, size);
+	return ptr ? realloc(ptr, size) : malloc(size);
+ }
+ 
+-void *jas_calloc(size_t nmemb, size_t size)
+void *jas_realloc2(void *ptr, size_t nmemb, size_t size)
+{
+	if (!ptr)
+		return jas_alloc2(nmemb, size);
+	if (nmemb && SIZE_MAX / nmemb < size) {
+		errno = ENOMEM;
+		return NULL;
+	}
+	return jas_realloc(ptr, nmemb * size);
+
+}
+
+void *jas_alloc2(size_t nmemb, size_t size)
+{
+	if (nmemb && SIZE_MAX / nmemb < size) {
+		errno = ENOMEM;
+		return NULL;
+	}
+
+	return jas_malloc(nmemb * size);
+}
+
+void *jas_alloc3(size_t a, size_t b, size_t c)
+ {
+-	void *ptr;
+ 	size_t n;
+-	n = nmemb * size;
+-	if (!(ptr = jas_malloc(n * sizeof(char)))) {
+-		return 0;
+
+	if (a && SIZE_MAX / a < b) {
+		errno = ENOMEM;
+		return NULL;
+ 	}
+-	memset(ptr, 0, n);
+
+	return jas_alloc2(a*b, c);
+}
+
+void *jas_calloc(size_t nmemb, size_t size)
+{
+	void *ptr;
+
+	ptr = jas_alloc2(nmemb, size);
+	if (ptr)
+		memset(ptr, 0, nmemb*size);
+ 	return ptr;
+ }
+ 
--- a/graphics/jasper/patches/patch-src_libjasper_base_jas__seq.c
+++ b/graphics/jasper/patches/patch-src_libjasper_base_jas__seq.c
@ -1,10 +1,40 @@
-$NetBSD: patch-src_libjasper_base_jas__seq.c,v 1.1 2016/03/13 04:11:18 tnn Exp $
+$NetBSD: patch-src_libjasper_base_jas__seq.c,v 1.2 2016/05/16 14:03:40 he Exp $

 CVE-2016-2089 denial of service. Via Debian.

--- src/libjasper/base/jas_seq.c.orig	2007-01-19 21:43:05.000000000 +0000
-+++ src/libjasper/base/jas_seq.c
-@@ -262,6 +262,10 @@ void jas_matrix_divpow2(jas_matrix_t *ma
+Fix CVE-2008-3520, patches from
+https://bugs.gentoo.org/show_bug.cgi?id=222819
+
+--- src/libjasper/base/jas_seq.c.old	2016-03-31 14:47:00.000000000 +0200
+++ src/libjasper/base/jas_seq.c	2016-03-31 14:47:50.000000000 +0200
+@@ -114,7 +114,7 @@
+ 	matrix->datasize_ = numrows * numcols;
+ 
+ 	if (matrix->maxrows_ > 0) {
+-		if (!(matrix->rows_ = jas_malloc(matrix->maxrows_ *
+		if (!(matrix->rows_ = jas_alloc2(matrix->maxrows_,
+ 		  sizeof(jas_seqent_t *)))) {
+ 			jas_matrix_destroy(matrix);
+ 			return 0;
+@@ -122,7 +122,7 @@
+ 	}
+ 
+ 	if (matrix->datasize_ > 0) {
+-		if (!(matrix->data_ = jas_malloc(matrix->datasize_ *
+		if (!(matrix->data_ = jas_alloc2(matrix->datasize_,
+ 		  sizeof(jas_seqent_t)))) {
+ 			jas_matrix_destroy(matrix);
+ 			return 0;
+@@ -220,7 +220,7 @@
+ 	mat0->numrows_ = r1 - r0 + 1;
+ 	mat0->numcols_ = c1 - c0 + 1;
+ 	mat0->maxrows_ = mat0->numrows_;
+-	mat0->rows_ = jas_malloc(mat0->maxrows_ * sizeof(jas_seqent_t *));
+	mat0->rows_ = jas_alloc2(mat0->maxrows_, sizeof(jas_seqent_t *));
+ 	for (i = 0; i < mat0->numrows_; ++i) {
+ 		mat0->rows_[i] = mat1->rows_[r0 + i] + c0;
+ 	}
+@@ -262,6 +262,10 @@
 	int rowstep;
 	jas_seqent_t *data;
 
@ -15,7 +45,7 @@ CVE-2016-2089 denial of service. Via Debian.
 	rowstep = jas_matrix_rowstep(matrix);
 	for (i = matrix->numrows_, rowstart = matrix->rows_[0]; i > 0; --i,
 	  rowstart += rowstep) {
-@@ -282,6 +286,10 @@ void jas_matrix_clip(jas_matrix_t *matri
+@@ -282,6 +286,10 @@
 	jas_seqent_t *data;
 	int rowstep;
 
@ -26,7 +56,7 @@ CVE-2016-2089 denial of service. Via Debian.
 	rowstep = jas_matrix_rowstep(matrix);
 	for (i = matrix->numrows_, rowstart = matrix->rows_[0]; i > 0; --i,
 	  rowstart += rowstep) {
-@@ -306,6 +314,10 @@ void jas_matrix_asr(jas_matrix_t *matrix
+@@ -306,6 +314,10 @@
 	int rowstep;
 	jas_seqent_t *data;
 
@ -37,7 +67,7 @@ CVE-2016-2089 denial of service. Via Debian.
 	assert(n >= 0);
 	rowstep = jas_matrix_rowstep(matrix);
 	for (i = matrix->numrows_, rowstart = matrix->rows_[0]; i > 0; --i,
-@@ -325,6 +337,10 @@ void jas_matrix_asl(jas_matrix_t *matrix
+@@ -325,6 +337,10 @@
 	int rowstep;
 	jas_seqent_t *data;
 
@ -48,7 +78,7 @@ CVE-2016-2089 denial of service. Via Debian.
 	rowstep = jas_matrix_rowstep(matrix);
 	for (i = matrix->numrows_, rowstart = matrix->rows_[0]; i > 0; --i,
 	  rowstart += rowstep) {
-@@ -367,6 +383,10 @@ void jas_matrix_setall(jas_matrix_t *mat
+@@ -367,6 +383,10 @@
 	int rowstep;
 	jas_seqent_t *data;
 
@ -59,3 +89,13 @@ CVE-2016-2089 denial of service. Via Debian.
 	rowstep = jas_matrix_rowstep(matrix);
 	for (i = matrix->numrows_, rowstart = matrix->rows_[0]; i > 0; --i,
 	  rowstart += rowstep) {
+@@ -432,7 +452,8 @@
+ 	for (i = 0; i < jas_matrix_numrows(matrix); ++i) {
+ 		for (j = 0; j < jas_matrix_numcols(matrix); ++j) {
+ 			x = jas_matrix_get(matrix, i, j);
+-			sprintf(sbuf, "%s%4ld", (strlen(buf) > 0) ? " " : "",
+			snprintf(sbuf, sizeof sbuf, 
+			    "%s%4ld", (strlen(buf) > 0) ? " " : "",
+ 			  JAS_CAST(long, x));
+ 			n = strlen(buf);
+ 			if (n + strlen(sbuf) > MAXLINELEN) {
--- a/graphics/jasper/patches/patch-src_libjasper_base_jas__stream.c
+++ b/graphics/jasper/patches/patch-src_libjasper_base_jas__stream.c
@ -0,0 +1,67 @@
+$NetBSD: patch-src_libjasper_base_jas__stream.c,v 1.1 2016/05/16 14:03:40 he Exp $
+
+Fix CVE-2008-3521 and CVE-2008-3522, patches from
+https://bugs.gentoo.org/show_bug.cgi?id=222819
+
+--- src/libjasper/base/jas_stream.c.orig	2007-01-19 21:43:05.000000000 +0000
+++ src/libjasper/base/jas_stream.c
+@@ -212,7 +212,7 @@ jas_stream_t *jas_stream_memopen(char *b
+ 	if (buf) {
+ 		obj->buf_ = (unsigned char *) buf;
+ 	} else {
+-		obj->buf_ = jas_malloc(obj->bufsize_ * sizeof(char));
+		obj->buf_ = jas_malloc(obj->bufsize_);
+ 		obj->myalloc_ = 1;
+ 	}
+ 	if (!obj->buf_) {
+@@ -361,28 +361,22 @@ jas_stream_t *jas_stream_tmpfile()
+ 	}
+ 	obj->fd = -1;
+ 	obj->flags = 0;
+-	obj->pathname[0] = '\0';
+ 	stream->obj_ = obj;
+ 
+ 	/* Choose a file name. */
+-	tmpnam(obj->pathname);
+	snprintf(obj->pathname, L_tmpnam, "%stmp.XXXXXXXXXX", P_tmpdir);
+ 
+ 	/* Open the underlying file. */
+-	if ((obj->fd = open(obj->pathname, O_CREAT | O_EXCL | O_RDWR | O_TRUNC | O_BINARY,
+-	  JAS_STREAM_PERMS)) < 0) {
+	if ((obj->fd = mkstemp(obj->pathname)) < 0) {
+ 		jas_stream_destroy(stream);
+ 		return 0;
+ 	}
+ 
+ 	/* Unlink the file so that it will disappear if the program
+ 	terminates abnormally. */
+-	/* Under UNIX, one can unlink an open file and continue to do I/O
+-	on it.  Not all operating systems support this functionality, however.
+-	For example, under Microsoft Windows the unlink operation will fail,
+-	since the file is open. */
+ 	if (unlink(obj->pathname)) {
+-		/* We will try unlinking the file again after it is closed. */
+-		obj->flags |= JAS_STREAM_FILEOBJ_DELONCLOSE;
+		jas_stream_destroy(stream);
+		return 0;
+ 	}
+ 
+ 	/* Use full buffering. */
+@@ -553,7 +547,7 @@ int jas_stream_printf(jas_stream_t *stre
+ 	int ret;
+ 
+ 	va_start(ap, fmt);
+-	ret = vsprintf(buf, fmt, ap);
+	ret = vsnprintf(buf, sizeof buf, fmt, ap);
+ 	jas_stream_puts(stream, buf);
+ 	va_end(ap);
+ 	return ret;
+@@ -992,7 +986,7 @@ static int mem_resize(jas_stream_memobj_
+ 	unsigned char *buf;
+ 
+ 	assert(m->buf_);
+-	if (!(buf = jas_realloc(m->buf_, bufsize * sizeof(unsigned char)))) {
+	if (!(buf = jas_realloc(m->buf_, bufsize))) {
+ 		return -1;
+ 	}
+ 	m->buf_ = buf;
--- a/graphics/jasper/patches/patch-src_libjasper_bmp_bmp__dec.c
+++ b/graphics/jasper/patches/patch-src_libjasper_bmp_bmp__dec.c
@ -0,0 +1,16 @@
+$NetBSD: patch-src_libjasper_bmp_bmp__dec.c,v 1.1 2016/05/16 14:03:40 he Exp $
+
+Fix CVE-2008-3520, patches from
+https://bugs.gentoo.org/show_bug.cgi?id=222819
+
+--- src/libjasper/bmp/bmp_dec.c.orig	2007-01-19 21:43:07.000000000 +0000
+++ src/libjasper/bmp/bmp_dec.c
+@@ -283,7 +283,7 @@ static bmp_info_t *bmp_getinfo(jas_strea
+ 	}
+ 
+ 	if (info->numcolors > 0) {
+-		if (!(info->palents = jas_malloc(info->numcolors *
+		if (!(info->palents = jas_alloc2(info->numcolors,
+ 		  sizeof(bmp_palent_t)))) {
+ 			bmp_info_destroy(info);
+ 			return 0;
--- a/graphics/jasper/patches/patch-src_libjasper_include_jasper_jas__malloc.h
+++ b/graphics/jasper/patches/patch-src_libjasper_include_jasper_jas__malloc.h
@ -0,0 +1,30 @@
+$NetBSD: patch-src_libjasper_include_jasper_jas__malloc.h,v 1.1 2016/05/16 14:03:40 he Exp $
+
+Fix CVE-2008-3520, patches from
+https://bugs.gentoo.org/show_bug.cgi?id=222819
+
+--- src/libjasper/include/jasper/jas_malloc.h.orig	2007-01-19 21:43:04.000000000 +0000
+++ src/libjasper/include/jasper/jas_malloc.h
+@@ -95,6 +95,9 @@ extern "C" {
+ #define	jas_free	MEMFREE
+ #define	jas_realloc	MEMREALLOC
+ #define	jas_calloc	MEMCALLOC
+#define jas_alloc2(a, b)	MEMALLOC((a)*(b))
+#define jas_alloc3(a, b, c)	MEMALLOC((a)*(b)*(c))
+#define jas_realloc2(p, a, b)	MEMREALLOC((p), (a)*(b))
+ #endif
+ 
+ /******************************************************************************\
+@@ -115,6 +118,12 @@ void *jas_realloc(void *ptr, size_t size
+ /* Allocate a block of memory and initialize the contents to zero. */
+ void *jas_calloc(size_t nmemb, size_t size);
+ 
+/* size-checked double allocation .*/
+void *jas_alloc2(size_t, size_t);
+
+void *jas_alloc3(size_t, size_t, size_t);
+
+void *jas_realloc2(void *, size_t, size_t);
+ #endif
+ 
+ #ifdef __cplusplus
--- a/graphics/jasper/patches/patch-src_libjasper_jp2_jp2__cod.c
+++ b/graphics/jasper/patches/patch-src_libjasper_jp2_jp2__cod.c
@ -1,10 +1,49 @@
-$NetBSD: patch-src_libjasper_jp2_jp2__cod.c,v 1.1 2015/01/01 14:15:27 he Exp $
+$NetBSD: patch-src_libjasper_jp2_jp2__cod.c,v 1.2 2016/05/16 14:03:40 he Exp $

 Only output debug info if debuglevel >= 1.

--- src/libjasper/jp2/jp2_cod.c.orig	2006-12-08 00:23:36.000000000 +0000
-+++ src/libjasper/jp2/jp2_cod.c
-@@ -795,11 +795,15 @@ static void jp2_cmap_dumpdata(jp2_box_t 
+Fix CVE-2008-3520, patches from
+https://bugs.gentoo.org/show_bug.cgi?id=222819
+
+--- src/libjasper/jp2/jp2_cod.c.old	2016-03-31 14:47:00.000000000 +0200
+++ src/libjasper/jp2/jp2_cod.c	2016-03-31 14:48:20.000000000 +0200
+@@ -372,7 +372,7 @@
+ 	jp2_bpcc_t *bpcc = &box->data.bpcc;
+ 	unsigned int i;
+ 	bpcc->numcmpts = box->datalen;
+-	if (!(bpcc->bpcs = jas_malloc(bpcc->numcmpts * sizeof(uint_fast8_t)))) {
+	if (!(bpcc->bpcs = jas_alloc2(bpcc->numcmpts, sizeof(uint_fast8_t)))) {
+ 		return -1;
+ 	}
+ 	for (i = 0; i < bpcc->numcmpts; ++i) {
+@@ -416,7 +416,7 @@
+ 		break;
+ 	case JP2_COLR_ICC:
+ 		colr->iccplen = box->datalen - 3;
+-		if (!(colr->iccp = jas_malloc(colr->iccplen * sizeof(uint_fast8_t)))) {
+		if (!(colr->iccp = jas_alloc2(colr->iccplen, sizeof(uint_fast8_t)))) {
+ 			return -1;
+ 		}
+ 		if (jas_stream_read(in, colr->iccp, colr->iccplen) != colr->iccplen) {
+@@ -453,7 +453,7 @@
+ 	if (jp2_getuint16(in, &cdef->numchans)) {
+ 		return -1;
+ 	}
+-	if (!(cdef->ents = jas_malloc(cdef->numchans * sizeof(jp2_cdefchan_t)))) {
+	if (!(cdef->ents = jas_alloc2(cdef->numchans, sizeof(jp2_cdefchan_t)))) {
+ 		return -1;
+ 	}
+ 	for (channo = 0; channo < cdef->numchans; ++channo) {
+@@ -766,7 +766,7 @@
+ 	unsigned int i;
+ 
+ 	cmap->numchans = (box->datalen) / 4;
+-	if (!(cmap->ents = jas_malloc(cmap->numchans * sizeof(jp2_cmapent_t)))) {
+	if (!(cmap->ents = jas_alloc2(cmap->numchans, sizeof(jp2_cmapent_t)))) {
+ 		return -1;
+ 	}
+ 	for (i = 0; i < cmap->numchans; ++i) {
+@@ -795,11 +795,15 @@
 	jp2_cmap_t *cmap = &box->data.cmap;
 	unsigned int i;
 	jp2_cmapent_t *ent;
@ -23,3 +62,16 @@ Only output debug info if debuglevel >= 1.
 	}
 }
 
+@@ -828,10 +832,10 @@
+ 		return -1;
+ 	}
+ 	lutsize = pclr->numlutents * pclr->numchans;
+-	if (!(pclr->lutdata = jas_malloc(lutsize * sizeof(int_fast32_t)))) {
+	if (!(pclr->lutdata = jas_alloc2(lutsize, sizeof(int_fast32_t)))) {
+ 		return -1;
+ 	}
+-	if (!(pclr->bpc = jas_malloc(pclr->numchans * sizeof(uint_fast8_t)))) {
+	if (!(pclr->bpc = jas_alloc2(pclr->numchans, sizeof(uint_fast8_t)))) {
+ 		return -1;
+ 	}
+ 	for (i = 0; i < pclr->numchans; ++i) {
--- a/graphics/jasper/patches/patch-src_libjasper_jp2_jp2__dec.c
+++ b/graphics/jasper/patches/patch-src_libjasper_jp2_jp2__dec.c
@ -1,12 +1,15 @@
-$NetBSD: patch-src_libjasper_jp2_jp2__dec.c,v 1.1 2015/01/01 14:15:27 he Exp $
+$NetBSD: patch-src_libjasper_jp2_jp2__dec.c,v 1.2 2016/05/16 14:03:40 he Exp $

 Only output debug info if debuglevel >= 1.
 Apply fix for oCERT-2014-012, from
 https://bugzilla.redhat.com/show_bug.cgi?id=1173162

--- src/libjasper/jp2/jp2_dec.c.orig	2004-02-09 01:34:40.000000000 +0000
-+++ src/libjasper/jp2/jp2_dec.c
-@@ -293,7 +293,9 @@ jas_image_t *jp2_decode(jas_stream_t *in
+Fix CVE-2008-3520, patches from
+https://bugs.gentoo.org/show_bug.cgi?id=222819
+
+--- src/libjasper/jp2/jp2_dec.c.old	2016-03-31 14:47:00.000000000 +0200
+++ src/libjasper/jp2/jp2_dec.c	2016-03-31 14:48:20.000000000 +0200
+@@ -293,7 +293,9 @@
 		  dec->colr->data.colr.iccplen);
 		assert(iccprof);
 		jas_iccprof_gethdr(iccprof, &icchdr);
@ -17,7 +20,25 @@ https://bugzilla.redhat.com/show_bug.cgi?id=1173162
 		jas_image_setclrspc(dec->image, fromiccpcs(icchdr.colorspc));
 		dec->image->cmprof_ = jas_cmprof_createfromiccprof(iccprof);
 		assert(dec->image->cmprof_);
-@@ -386,6 +388,13 @@ jas_image_t *jp2_decode(jas_stream_t *in
+@@ -336,7 +338,7 @@
+ 	}
+ 
+ 	/* Allocate space for the channel-number to component-number LUT. */
+-	if (!(dec->chantocmptlut = jas_malloc(dec->numchans * sizeof(uint_fast16_t)))) {
+	if (!(dec->chantocmptlut = jas_alloc2(dec->numchans, sizeof(uint_fast16_t)))) {
+ 		jas_eprintf("error: no memory\n");
+ 		goto error;
+ 	}
+@@ -354,7 +356,7 @@
+ 			if (cmapent->map == JP2_CMAP_DIRECT) {
+ 				dec->chantocmptlut[channo] = channo;
+ 			} else if (cmapent->map == JP2_CMAP_PALETTE) {
+-				lutents = jas_malloc(pclrd->numlutents * sizeof(int_fast32_t));
+				lutents = jas_alloc2(pclrd->numlutents, sizeof(int_fast32_t));
+ 				for (i = 0; i < pclrd->numlutents; ++i) {
+ 					lutents[i] = pclrd->lutdata[cmapent->pcol + i * pclrd->numchans];
+ 				}
+@@ -386,6 +388,13 @@
 	/* Determine the type of each component. */
 	if (dec->cdef) {
 		for (i = 0; i < dec->numchans; ++i) {
--- a/graphics/jasper/patches/patch-src_libjasper_jp2_jp2__enc.c
+++ b/graphics/jasper/patches/patch-src_libjasper_jp2_jp2__enc.c
@ -0,0 +1,35 @@
+$NetBSD: patch-src_libjasper_jp2_jp2__enc.c,v 1.1 2016/05/16 14:03:40 he Exp $
+
+Fix CVE-2008-3520, patches from
+https://bugs.gentoo.org/show_bug.cgi?id=222819
+
+--- src/libjasper/jp2/jp2_enc.c.orig	2007-01-19 21:43:05.000000000 +0000
+++ src/libjasper/jp2/jp2_enc.c
+@@ -191,7 +191,7 @@ int sgnd;
+ 		}
+ 		bpcc = &box->data.bpcc;
+ 		bpcc->numcmpts = jas_image_numcmpts(image);
+-		if (!(bpcc->bpcs = jas_malloc(bpcc->numcmpts *
+		if (!(bpcc->bpcs = jas_alloc2(bpcc->numcmpts,
+ 		  sizeof(uint_fast8_t)))) {
+ 			goto error;
+ 		}
+@@ -285,7 +285,7 @@ int sgnd;
+ 		}
+ 		cdef = &box->data.cdef;
+ 		cdef->numchans = jas_image_numcmpts(image);
+-		cdef->ents = jas_malloc(cdef->numchans * sizeof(jp2_cdefchan_t));
+		cdef->ents = jas_alloc2(cdef->numchans, sizeof(jp2_cdefchan_t));
+ 		for (i = 0; i < jas_image_numcmpts(image); ++i) {
+ 			cdefchanent = &cdef->ents[i];
+ 			cdefchanent->channo = i;
+@@ -343,7 +343,8 @@ int sgnd;
+ 	/* Output the JPEG-2000 code stream. */
+ 
+ 	overhead = jas_stream_getrwcount(out);
+-	sprintf(buf, "%s\n_jp2overhead=%lu\n", (optstr ? optstr : ""),
+	snprintf(buf, sizeof buf, "%s\n_jp2overhead=%lu\n", 
+	  (optstr ? optstr : ""),
+ 	  (unsigned long) overhead);
+ 
+ 	if (jpc_encode(image, out, buf)) {
--- a/graphics/jasper/patches/patch-src_libjasper_jpc_jpc__cs.c
+++ b/graphics/jasper/patches/patch-src_libjasper_jpc_jpc__cs.c
@ -1,9 +1,21 @@
-$NetBSD: patch-src_libjasper_jpc_jpc__cs.c,v 1.1 2015/01/01 14:15:27 he Exp $
+$NetBSD: patch-src_libjasper_jpc_jpc__cs.c,v 1.2 2016/05/16 14:03:40 he Exp $

 Add fixes for CVE-2011-4516 and CVE-2011-4517.

+Fix CVE-2008-3520, patches from
+https://bugs.gentoo.org/show_bug.cgi?id=222819
+
 --- src/libjasper/jpc/jpc_cs.c.orig	2007-01-19 21:43:07.000000000 +0000
 +++ src/libjasper/jpc/jpc_cs.c
+@@ -502,7 +502,7 @@ static int jpc_siz_getparms(jpc_ms_t *ms
+ 	  !siz->tileheight || !siz->numcomps) {
+ 		return -1;
+ 	}
+-	if (!(siz->comps = jas_malloc(siz->numcomps * sizeof(jpc_sizcomp_t)))) {
+	if (!(siz->comps = jas_alloc2(siz->numcomps, sizeof(jpc_sizcomp_t)))) {
+ 		return -1;
+ 	}
+ 	for (i = 0; i < siz->numcomps; ++i) {
@@ -744,6 +744,10 @@ static int jpc_cox_getcompparms(jpc_ms_t
 		return -1;
 	}
@ -15,24 +27,62 @@ Add fixes for CVE-2011-4516 and CVE-2011-4517.
 	if (prtflag) {
 		for (i = 0; i < compparms->numrlvls; ++i) {
 			if (jpc_getuint8(in, &tmp)) {
-@@ -982,7 +986,10 @@ static int jpc_qcx_getcompparms(jpc_qcxc
+@@ -982,8 +986,11 @@ static int jpc_qcx_getcompparms(jpc_qcxc
 		compparms->numstepsizes = (len - n) / 2;
 		break;
 	}
 -	if (compparms->numstepsizes > 0) {
+-		compparms->stepsizes = jas_malloc(compparms->numstepsizes *
 +	if (compparms->numstepsizes > 3 * JPC_MAXRLVLS + 1) {
 +		jpc_qcx_destroycompparms(compparms);
 +                return -1;
 +        } else if (compparms->numstepsizes > 0) {
- 		compparms->stepsizes = jas_malloc(compparms->numstepsizes *
+		compparms->stepsizes = jas_alloc2(compparms->numstepsizes,
 		  sizeof(uint_fast16_t));
 		assert(compparms->stepsizes);
+ 		for (i = 0; i < compparms->numstepsizes; ++i) {
+@@ -1091,7 +1098,7 @@ static int jpc_ppm_getparms(jpc_ms_t *ms
+ 
+ 	ppm->len = ms->len - 1;
+ 	if (ppm->len > 0) {
+-		if (!(ppm->data = jas_malloc(ppm->len * sizeof(unsigned char)))) {
+		if (!(ppm->data = jas_malloc(ppm->len))) {
+ 			goto error;
+ 		}
+ 		if (JAS_CAST(uint, jas_stream_read(in, ppm->data, ppm->len)) != ppm->len) {
+@@ -1160,7 +1167,7 @@ static int jpc_ppt_getparms(jpc_ms_t *ms
+ 	}
+ 	ppt->len = ms->len - 1;
+ 	if (ppt->len > 0) {
+-		if (!(ppt->data = jas_malloc(ppt->len * sizeof(unsigned char)))) {
+		if (!(ppt->data = jas_malloc(ppt->len))) {
+ 			goto error;
+ 		}
+ 		if (jas_stream_read(in, (char *) ppt->data, ppt->len) != JAS_CAST(int, ppt->len)) {
+@@ -1223,7 +1230,7 @@ static int jpc_poc_getparms(jpc_ms_t *ms
+ 	uint_fast8_t tmp;
+ 	poc->numpchgs = (cstate->numcomps > 256) ? (ms->len / 9) :
+ 	  (ms->len / 7);
+-	if (!(poc->pchgs = jas_malloc(poc->numpchgs * sizeof(jpc_pocpchg_t)))) {
+	if (!(poc->pchgs = jas_alloc2(poc->numpchgs, sizeof(jpc_pocpchg_t)))) {
+ 		goto error;
+ 	}
+ 	for (pchgno = 0, pchg = poc->pchgs; pchgno < poc->numpchgs; ++pchgno,
@@ -1328,7 +1335,7 @@ static int jpc_crg_getparms(jpc_ms_t *ms
 	jpc_crgcomp_t *comp;
 	uint_fast16_t compno;
 	crg->numcomps = cstate->numcomps;
 -	if (!(crg->comps = jas_malloc(cstate->numcomps * sizeof(uint_fast16_t)))) {
-+	if (!(crg->comps = jas_malloc(cstate->numcomps * sizeof(jpc_crgcomp_t)))) {
+	if (!(crg->comps = jas_alloc2(cstate->numcomps, sizeof(jpc_crgcomp_t)))) {
 		return -1;
 	}
 	for (compno = 0, comp = crg->comps; compno < cstate->numcomps;
+@@ -1467,7 +1474,7 @@ static int jpc_unk_getparms(jpc_ms_t *ms
+ 	cstate = 0;
+ 
+ 	if (ms->len > 0) {
+-		if (!(unk->data = jas_malloc(ms->len * sizeof(unsigned char)))) {
+		if (!(unk->data = jas_malloc(ms->len))) {
+ 			return -1;
+ 		}
+ 		if (jas_stream_read(in, (char *) unk->data, ms->len) != JAS_CAST(int, ms->len)) {
--- a/graphics/jasper/patches/patch-src_libjasper_jpc_jpc__dec.c
+++ b/graphics/jasper/patches/patch-src_libjasper_jpc_jpc__dec.c
@ -11,9 +11,21 @@ on malformed image input (CVE-2007-2721),
 Apply fix for CVE-2014-8157, taken from
 https://bugzilla.redhat.com/show_bug.cgi?id=1179282

--- src/libjasper/jpc/jpc_dec.c.orig	2014-12-05 12:10:45.000000000 +0000
-+++ src/libjasper/jpc/jpc_dec.c
-@@ -489,7 +489,7 @@ static int jpc_dec_process_sot(jpc_dec_t
+Fix CVE-2008-3520, patches from
+https://bugs.gentoo.org/show_bug.cgi?id=222819
+
+--- src/libjasper/jpc/jpc_dec.c.old	2016-03-31 14:47:00.000000000 +0200
+++ src/libjasper/jpc/jpc_dec.c	2016-03-31 14:48:20.000000000 +0200
+@@ -449,7 +449,7 @@
+ 
+ 	if (dec->state == JPC_MH) {
+ 
+-		compinfos = jas_malloc(dec->numcomps * sizeof(jas_image_cmptparm_t));
+		compinfos = jas_alloc2(dec->numcomps, sizeof(jas_image_cmptparm_t));
+ 		assert(compinfos);
+ 		for (cmptno = 0, cmpt = dec->cmpts, compinfo = compinfos;
+ 		  cmptno < dec->numcomps; ++cmptno, ++cmpt, ++compinfo) {
+@@ -489,7 +489,7 @@
 		dec->curtileendoff = 0;
 	}
 
@ -22,7 +34,43 @@ https://bugzilla.redhat.com/show_bug.cgi?id=1179282
 		jas_eprintf("invalid tile number in SOT marker segment\n");
 		return -1;
 	}
-@@ -1069,12 +1069,12 @@ static int jpc_dec_tiledecode(jpc_dec_t 
+@@ -692,7 +692,7 @@
+ 			tile->realmode = 1;
+ 		}
+ 		tcomp->numrlvls = ccp->numrlvls;
+-		if (!(tcomp->rlvls = jas_malloc(tcomp->numrlvls *
+		if (!(tcomp->rlvls = jas_alloc2(tcomp->numrlvls,
+ 		  sizeof(jpc_dec_rlvl_t)))) {
+ 			return -1;
+ 		}
+@@ -764,7 +764,7 @@
+ 			  rlvl->cbgheightexpn);
+ 
+ 			rlvl->numbands = (!rlvlno) ? 1 : 3;
+-			if (!(rlvl->bands = jas_malloc(rlvl->numbands *
+			if (!(rlvl->bands = jas_alloc2(rlvl->numbands,
+ 			  sizeof(jpc_dec_band_t)))) {
+ 				return -1;
+ 			}
+@@ -797,7 +797,7 @@
+ 
+ 				assert(rlvl->numprcs);
+ 
+-				if (!(band->prcs = jas_malloc(rlvl->numprcs * sizeof(jpc_dec_prc_t)))) {
+				if (!(band->prcs = jas_alloc2(rlvl->numprcs, sizeof(jpc_dec_prc_t)))) {
+ 					return -1;
+ 				}
+ 
+@@ -834,7 +834,7 @@
+ 			if (!(prc->numimsbstagtree = jpc_tagtree_create(prc->numhcblks, prc->numvcblks))) {
+ 				return -1;
+ 			}
+-			if (!(prc->cblks = jas_malloc(prc->numcblks * sizeof(jpc_dec_cblk_t)))) {
+			if (!(prc->cblks = jas_alloc2(prc->numcblks, sizeof(jpc_dec_cblk_t)))) {
+ 				return -1;
+ 			}
+ 
+@@ -1069,12 +1069,12 @@
 	/* Apply an inverse intercomponent transform if necessary. */
 	switch (tile->cp->mctid) {
 	case JPC_MCT_RCT:
@ -37,7 +85,32 @@ https://bugzilla.redhat.com/show_bug.cgi?id=1179282
 		jpc_iict(tile->tcomps[0].data, tile->tcomps[1].data,
 		  tile->tcomps[2].data);
 		break;
-@@ -1234,6 +1234,7 @@ static int jpc_dec_process_siz(jpc_dec_t
+@@ -1181,7 +1181,7 @@
+ 		return -1;
+ 	}
+ 
+-	if (!(dec->cmpts = jas_malloc(dec->numcomps * sizeof(jpc_dec_cmpt_t)))) {
+	if (!(dec->cmpts = jas_alloc2(dec->numcomps, sizeof(jpc_dec_cmpt_t)))) {
+ 		return -1;
+ 	}
+ 
+@@ -1204,7 +1204,7 @@
+ 	dec->numhtiles = JPC_CEILDIV(dec->xend - dec->tilexoff, dec->tilewidth);
+ 	dec->numvtiles = JPC_CEILDIV(dec->yend - dec->tileyoff, dec->tileheight);
+ 	dec->numtiles = dec->numhtiles * dec->numvtiles;
+-	if (!(dec->tiles = jas_malloc(dec->numtiles * sizeof(jpc_dec_tile_t)))) {
+	if (!(dec->tiles = jas_alloc2(dec->numtiles, sizeof(jpc_dec_tile_t)))) {
+ 		return -1;
+ 	}
+ 
+@@ -1228,12 +1228,13 @@
+ 		tile->pkthdrstreampos = 0;
+ 		tile->pptstab = 0;
+ 		tile->cp = 0;
+-		if (!(tile->tcomps = jas_malloc(dec->numcomps *
+		if (!(tile->tcomps = jas_alloc2(dec->numcomps,
+ 		  sizeof(jpc_dec_tcomp_t)))) {
+ 			return -1;
 		}
 		for (compno = 0, cmpt = dec->cmpts, tcomp = tile->tcomps;
 		  compno < dec->numcomps; ++compno, ++cmpt, ++tcomp) {
@ -45,7 +118,7 @@ https://bugzilla.redhat.com/show_bug.cgi?id=1179282
 			tcomp->rlvls = 0;
 			tcomp->data = 0;
 			tcomp->xstart = JPC_CEILDIV(tile->xstart, cmpt->hstep);
-@@ -1280,7 +1281,7 @@ static int jpc_dec_process_coc(jpc_dec_t
+@@ -1280,7 +1281,7 @@
 	jpc_coc_t *coc = &ms->parms.coc;
 	jpc_dec_tile_t *tile;
 
@ -54,7 +127,7 @@ https://bugzilla.redhat.com/show_bug.cgi?id=1179282
 		jas_eprintf("invalid component number in COC marker segment\n");
 		return -1;
 	}
-@@ -1306,7 +1307,7 @@ static int jpc_dec_process_rgn(jpc_dec_t
+@@ -1306,7 +1307,7 @@
 	jpc_rgn_t *rgn = &ms->parms.rgn;
 	jpc_dec_tile_t *tile;
 
@ -63,7 +136,7 @@ https://bugzilla.redhat.com/show_bug.cgi?id=1179282
 		jas_eprintf("invalid component number in RGN marker segment\n");
 		return -1;
 	}
-@@ -1355,7 +1356,7 @@ static int jpc_dec_process_qcc(jpc_dec_t
+@@ -1355,7 +1356,7 @@
 	jpc_qcc_t *qcc = &ms->parms.qcc;
 	jpc_dec_tile_t *tile;
 
@ -72,7 +145,7 @@ https://bugzilla.redhat.com/show_bug.cgi?id=1179282
 		jas_eprintf("invalid component number in QCC marker segment\n");
 		return -1;
 	}
-@@ -1466,7 +1467,9 @@ static int jpc_dec_process_unk(jpc_dec_t
+@@ -1466,7 +1467,9 @@
 	dec = 0;
 
 	jas_eprintf("warning: ignoring unknown marker segment\n");
@ -83,3 +156,42 @@ https://bugzilla.redhat.com/show_bug.cgi?id=1179282
 	return 0;
 }
 
+@@ -1489,7 +1492,7 @@
+ 	cp->numlyrs = 0;
+ 	cp->mctid = 0;
+ 	cp->csty = 0;
+-	if (!(cp->ccps = jas_malloc(cp->numcomps * sizeof(jpc_dec_ccp_t)))) {
+	if (!(cp->ccps = jas_alloc2(cp->numcomps, sizeof(jpc_dec_ccp_t)))) {
+ 		return 0;
+ 	}
+ 	if (!(cp->pchglist = jpc_pchglist_create())) {
+@@ -2048,7 +2051,7 @@
+ 	}
+ 	streamlist->numstreams = 0;
+ 	streamlist->maxstreams = 100;
+-	if (!(streamlist->streams = jas_malloc(streamlist->maxstreams *
+	if (!(streamlist->streams = jas_alloc2(streamlist->maxstreams,
+ 	  sizeof(jas_stream_t *)))) {
+ 		jas_free(streamlist);
+ 		return 0;
+@@ -2068,8 +2071,8 @@
+ 	/* Grow the array of streams if necessary. */
+ 	if (streamlist->numstreams >= streamlist->maxstreams) {
+ 		newmaxstreams = streamlist->maxstreams + 1024;
+-		if (!(newstreams = jas_realloc(streamlist->streams,
+-		  (newmaxstreams + 1024) * sizeof(jas_stream_t *)))) {
+		if (!(newstreams = jas_realloc2(streamlist->streams,
+		  (newmaxstreams + 1024), sizeof(jas_stream_t *)))) {
+ 			return -1;
+ 		}
+ 		for (i = streamlist->numstreams; i < streamlist->maxstreams; ++i) {
+@@ -2155,8 +2158,7 @@
+ {
+ 	jpc_ppxstabent_t **newents;
+ 	if (tab->maxents < maxents) {
+-		newents = (tab->ents) ? jas_realloc(tab->ents, maxents *
+-		  sizeof(jpc_ppxstabent_t *)) : jas_malloc(maxents * sizeof(jpc_ppxstabent_t *));
+		newents = jas_realloc2(tab->ents, maxents, sizeof(jpc_ppxstabent_t *));
+ 		if (!newents) {
+ 			return -1;
+ 		}
--- a/graphics/jasper/patches/patch-src_libjasper_jpc_jpc__enc.c
+++ b/graphics/jasper/patches/patch-src_libjasper_jpc_jpc__enc.c
@ -0,0 +1,107 @@
+$NetBSD: patch-src_libjasper_jpc_jpc__enc.c,v 1.1 2016/05/16 14:03:40 he Exp $
+
+Fix CVE-2008-3520, patches from
+https://bugs.gentoo.org/show_bug.cgi?id=222819
+
+--- src/libjasper/jpc/jpc_enc.c.orig	2007-01-19 21:43:07.000000000 +0000
+++ src/libjasper/jpc/jpc_enc.c
+@@ -403,7 +403,7 @@ static jpc_enc_cp_t *cp_create(char *opt
+ 		vsteplcm *= jas_image_cmptvstep(image, cmptno);
+ 	}
+ 
+-	if (!(cp->ccps = jas_malloc(cp->numcmpts * sizeof(jpc_enc_ccp_t)))) {
+	if (!(cp->ccps = jas_alloc2(cp->numcmpts, sizeof(jpc_enc_ccp_t)))) {
+ 		goto error;
+ 	}
+ 	for (cmptno = 0, ccp = cp->ccps; cmptno < JAS_CAST(int, cp->numcmpts); ++cmptno,
+@@ -656,7 +656,7 @@ static jpc_enc_cp_t *cp_create(char *opt
+ 
+ 	if (ilyrrates && numilyrrates > 0) {
+ 		tcp->numlyrs = numilyrrates + 1;
+-		if (!(tcp->ilyrrates = jas_malloc((tcp->numlyrs - 1) *
+		if (!(tcp->ilyrrates = jas_alloc2((tcp->numlyrs - 1),
+ 		  sizeof(jpc_fix_t)))) {
+ 			goto error;
+ 		}
+@@ -940,7 +940,7 @@ startoff = jas_stream_getrwcount(enc->ou
+ 	siz->tilewidth = cp->tilewidth;
+ 	siz->tileheight = cp->tileheight;
+ 	siz->numcomps = cp->numcmpts;
+-	siz->comps = jas_malloc(siz->numcomps * sizeof(jpc_sizcomp_t));
+	siz->comps = jas_alloc2(siz->numcomps, sizeof(jpc_sizcomp_t));
+ 	assert(siz->comps);
+ 	for (i = 0; i < JAS_CAST(int, cp->numcmpts); ++i) {
+ 		siz->comps[i].prec = cp->ccps[i].prec;
+@@ -958,7 +958,8 @@ startoff = jas_stream_getrwcount(enc->ou
+ 	if (!(enc->mrk = jpc_ms_create(JPC_MS_COM))) {
+ 		return -1;
+ 	}
+-	sprintf(buf, "Creator: JasPer Version %s", jas_getversion());
+	snprintf(buf, sizeof buf, "Creator: JasPer Version %s", 
+	    jas_getversion());
+ 	com = &enc->mrk->parms.com;
+ 	com->len = strlen(buf);
+ 	com->regid = JPC_COM_LATIN;
+@@ -977,7 +978,7 @@ startoff = jas_stream_getrwcount(enc->ou
+ 		return -1;
+ 	}
+ 	crg = &enc->mrk->parms.crg;
+-	crg->comps = jas_malloc(crg->numcomps * sizeof(jpc_crgcomp_t));
+	crg->comps = jas_alloc2(crg->numcomps, sizeof(jpc_crgcomp_t));
+ 	if (jpc_putms(enc->out, enc->cstate, enc->mrk)) {
+ 		jas_eprintf("cannot write CRG marker\n");
+ 		return -1;
+@@ -1955,7 +1956,7 @@ jpc_enc_tile_t *jpc_enc_tile_create(jpc_
+ 	tile->mctid = cp->tcp.mctid;
+ 
+ 	tile->numlyrs = cp->tcp.numlyrs;
+-	if (!(tile->lyrsizes = jas_malloc(tile->numlyrs *
+	if (!(tile->lyrsizes = jas_alloc2(tile->numlyrs,
+ 	  sizeof(uint_fast32_t)))) {
+ 		goto error;
+ 	}
+@@ -1964,7 +1965,7 @@ jpc_enc_tile_t *jpc_enc_tile_create(jpc_
+ 	}
+ 
+ 	/* Allocate an array for the per-tile-component information. */
+-	if (!(tile->tcmpts = jas_malloc(cp->numcmpts * sizeof(jpc_enc_tcmpt_t)))) {
+	if (!(tile->tcmpts = jas_alloc2(cp->numcmpts, sizeof(jpc_enc_tcmpt_t)))) {
+ 		goto error;
+ 	}
+ 	/* Initialize a few members critical for error recovery. */
+@@ -2110,7 +2111,7 @@ static jpc_enc_tcmpt_t *tcmpt_create(jpc
+ 	  jas_seq2d_ystart(tcmpt->data), jas_seq2d_xend(tcmpt->data),
+ 	  jas_seq2d_yend(tcmpt->data), bandinfos);
+ 
+-	if (!(tcmpt->rlvls = jas_malloc(tcmpt->numrlvls * sizeof(jpc_enc_rlvl_t)))) {
+	if (!(tcmpt->rlvls = jas_alloc2(tcmpt->numrlvls, sizeof(jpc_enc_rlvl_t)))) {
+ 		goto error;
+ 	}
+ 	for (rlvlno = 0, rlvl = tcmpt->rlvls; rlvlno < tcmpt->numrlvls;
+@@ -2213,7 +2214,7 @@ static jpc_enc_rlvl_t *rlvl_create(jpc_e
+ 	rlvl->numvprcs = JPC_FLOORDIVPOW2(brprcbry - tlprctly, rlvl->prcheightexpn);
+ 	rlvl->numprcs = rlvl->numhprcs * rlvl->numvprcs;
+ 
+-	if (!(rlvl->bands = jas_malloc(rlvl->numbands * sizeof(jpc_enc_band_t)))) {
+	if (!(rlvl->bands = jas_alloc2(rlvl->numbands, sizeof(jpc_enc_band_t)))) {
+ 		goto error;
+ 	}
+ 	for (bandno = 0, band = rlvl->bands; bandno < rlvl->numbands;
+@@ -2290,7 +2291,7 @@ if (bandinfo->xstart != bandinfo->xend &
+ 	band->synweight = bandinfo->synenergywt;
+ 
+ if (band->data) {
+-	if (!(band->prcs = jas_malloc(rlvl->numprcs * sizeof(jpc_enc_prc_t)))) {
+	if (!(band->prcs = jas_alloc2(rlvl->numprcs, sizeof(jpc_enc_prc_t)))) {
+ 		goto error;
+ 	}
+ 	for (prcno = 0, prc = band->prcs; prcno < rlvl->numprcs; ++prcno,
+@@ -2422,7 +2423,7 @@ if (!rlvlno) {
+ 			goto error;
+ 		}
+ 
+-		if (!(prc->cblks = jas_malloc(prc->numcblks * sizeof(jpc_enc_cblk_t)))) {
+		if (!(prc->cblks = jas_alloc2(prc->numcblks, sizeof(jpc_enc_cblk_t)))) {
+ 			goto error;
+ 		}
+ 		for (cblkno = 0, cblk = prc->cblks; cblkno < prc->numcblks;
--- a/graphics/jasper/patches/patch-src_libjasper_jpc_jpc__mqdec.c
+++ b/graphics/jasper/patches/patch-src_libjasper_jpc_jpc__mqdec.c
@ -0,0 +1,16 @@
+$NetBSD: patch-src_libjasper_jpc_jpc__mqdec.c,v 1.1 2016/05/16 14:03:40 he Exp $
+
+Fix CVE-2008-3520, patches from
+https://bugs.gentoo.org/show_bug.cgi?id=222819
+
+--- src/libjasper/jpc/jpc_mqdec.c.orig	2007-01-19 21:43:07.000000000 +0000
+++ src/libjasper/jpc/jpc_mqdec.c
+@@ -118,7 +118,7 @@ jpc_mqdec_t *jpc_mqdec_create(int maxctx
+ 	mqdec->in = in;
+ 	mqdec->maxctxs = maxctxs;
+ 	/* Allocate memory for the per-context state information. */
+-	if (!(mqdec->ctxs = jas_malloc(mqdec->maxctxs * sizeof(jpc_mqstate_t *)))) {
+	if (!(mqdec->ctxs = jas_alloc2(mqdec->maxctxs, sizeof(jpc_mqstate_t *)))) {
+ 		goto error;
+ 	}
+ 	/* Set the current context to the first context. */
--- a/graphics/jasper/patches/patch-src_libjasper_jpc_jpc__mqenc.c
+++ b/graphics/jasper/patches/patch-src_libjasper_jpc_jpc__mqenc.c
@ -0,0 +1,16 @@
+$NetBSD: patch-src_libjasper_jpc_jpc__mqenc.c,v 1.1 2016/05/16 14:03:40 he Exp $
+
+Fix CVE-2008-3520, patches from
+https://bugs.gentoo.org/show_bug.cgi?id=222819
+
+--- src/libjasper/jpc/jpc_mqenc.c.orig	2007-01-19 21:43:07.000000000 +0000
+++ src/libjasper/jpc/jpc_mqenc.c
+@@ -197,7 +197,7 @@ jpc_mqenc_t *jpc_mqenc_create(int maxctx
+ 	mqenc->maxctxs = maxctxs;
+ 
+ 	/* Allocate memory for the per-context state information. */
+-	if (!(mqenc->ctxs = jas_malloc(mqenc->maxctxs * sizeof(jpc_mqstate_t *)))) {
+	if (!(mqenc->ctxs = jas_alloc2(mqenc->maxctxs, sizeof(jpc_mqstate_t *)))) {
+ 		goto error;
+ 	}
+ 
--- a/graphics/jasper/patches/patch-src_libjasper_jpc_jpc__qmfb.c
+++ b/graphics/jasper/patches/patch-src_libjasper_jpc_jpc__qmfb.c
@ -1,11 +1,14 @@
-$NetBSD: patch-src_libjasper_jpc_jpc__qmfb.c,v 1.1 2015/02/08 23:04:22 snj Exp $
+$NetBSD: patch-src_libjasper_jpc_jpc__qmfb.c,v 1.2 2016/05/16 14:03:40 he Exp $

 Fix CVE-2014-8158.  Patch taken from
 https://bugzilla.redhat.com/show_bug.cgi?id=1179298

--- src/libjasper/jpc/jpc_qmfb.c.orig	2007-01-19 13:43:07.000000000 -0800
-+++ src/libjasper/jpc/jpc_qmfb.c	2015-02-08 14:49:33.000000000 -0800
-@@ -306,11 +306,7 @@ void jpc_qmfb_split_row(jpc_fix_t *a, in
+Fix CVE-2008-3520, patches from
+https://bugs.gentoo.org/show_bug.cgi?id=222819
+
+--- src/libjasper/jpc/jpc_qmfb.c.old	2016-03-31 14:47:00.000000000 +0200
+++ src/libjasper/jpc/jpc_qmfb.c	2016-03-31 14:48:03.000000000 +0200
+@@ -306,11 +306,7 @@
 {
 
 	int bufsize = JPC_CEILDIVPOW2(numcols, 1);
@ -17,15 +20,16 @@ https://bugzilla.redhat.com/show_bug.cgi?id=1179298
 	jpc_fix_t *buf = splitbuf;
 	register jpc_fix_t *srcptr;
 	register jpc_fix_t *dstptr;
-@@ -318,7 +314,6 @@ void jpc_qmfb_split_row(jpc_fix_t *a, in
+@@ -318,15 +314,13 @@
 	register int m;
 	int hstartcol;
 
 -#if !defined(HAVE_VLA)
 	/* Get a buffer. */
 	if (bufsize > QMFB_SPLITBUFSIZE) {
- 		if (!(buf = jas_malloc(bufsize * sizeof(jpc_fix_t)))) {
-@@ -326,7 +321,6 @@ void jpc_qmfb_split_row(jpc_fix_t *a, in
+-		if (!(buf = jas_malloc(bufsize * sizeof(jpc_fix_t)))) {
+		if (!(buf = jas_alloc2(bufsize, sizeof(jpc_fix_t)))) {
+ 			/* We have no choice but to commit suicide in this case. */
 			abort();
 		}
 	}
@ -33,7 +37,7 @@ https://bugzilla.redhat.com/show_bug.cgi?id=1179298
 
 	if (numcols >= 2) {
 		hstartcol = (numcols + 1 - parity) >> 1;
-@@ -360,12 +354,10 @@ void jpc_qmfb_split_row(jpc_fix_t *a, in
+@@ -360,12 +354,10 @@
 		}
 	}
 
@ -46,7 +50,7 @@ https://bugzilla.redhat.com/show_bug.cgi?id=1179298
 
 }
 
-@@ -374,11 +366,7 @@ void jpc_qmfb_split_col(jpc_fix_t *a, in
+@@ -374,11 +366,7 @@
 {
 
 	int bufsize = JPC_CEILDIVPOW2(numrows, 1);
@ -58,15 +62,16 @@ https://bugzilla.redhat.com/show_bug.cgi?id=1179298
 	jpc_fix_t *buf = splitbuf;
 	register jpc_fix_t *srcptr;
 	register jpc_fix_t *dstptr;
-@@ -386,7 +374,6 @@ void jpc_qmfb_split_col(jpc_fix_t *a, in
+@@ -386,15 +374,13 @@
 	register int m;
 	int hstartcol;
 
 -#if !defined(HAVE_VLA)
 	/* Get a buffer. */
 	if (bufsize > QMFB_SPLITBUFSIZE) {
- 		if (!(buf = jas_malloc(bufsize * sizeof(jpc_fix_t)))) {
-@@ -394,7 +381,6 @@ void jpc_qmfb_split_col(jpc_fix_t *a, in
+-		if (!(buf = jas_malloc(bufsize * sizeof(jpc_fix_t)))) {
+		if (!(buf = jas_alloc2(bufsize, sizeof(jpc_fix_t)))) {
+ 			/* We have no choice but to commit suicide in this case. */
 			abort();
 		}
 	}
@ -74,7 +79,7 @@ https://bugzilla.redhat.com/show_bug.cgi?id=1179298
 
 	if (numrows >= 2) {
 		hstartcol = (numrows + 1 - parity) >> 1;
-@@ -428,12 +414,10 @@ void jpc_qmfb_split_col(jpc_fix_t *a, in
+@@ -428,12 +414,10 @@
 		}
 	}
 
@ -87,7 +92,7 @@ https://bugzilla.redhat.com/show_bug.cgi?id=1179298
 
 }
 
-@@ -442,11 +426,7 @@ void jpc_qmfb_split_colgrp(jpc_fix_t *a,
+@@ -442,11 +426,7 @@
 {
 
 	int bufsize = JPC_CEILDIVPOW2(numrows, 1);
@ -99,15 +104,16 @@ https://bugzilla.redhat.com/show_bug.cgi?id=1179298
 	jpc_fix_t *buf = splitbuf;
 	jpc_fix_t *srcptr;
 	jpc_fix_t *dstptr;
-@@ -457,7 +437,6 @@ void jpc_qmfb_split_colgrp(jpc_fix_t *a,
+@@ -457,15 +437,13 @@
 	int m;
 	int hstartcol;
 
 -#if !defined(HAVE_VLA)
 	/* Get a buffer. */
 	if (bufsize > QMFB_SPLITBUFSIZE) {
- 		if (!(buf = jas_malloc(bufsize * sizeof(jpc_fix_t)))) {
-@@ -465,7 +444,6 @@ void jpc_qmfb_split_colgrp(jpc_fix_t *a,
+-		if (!(buf = jas_malloc(bufsize * sizeof(jpc_fix_t)))) {
+		if (!(buf = jas_alloc2(bufsize, sizeof(jpc_fix_t)))) {
+ 			/* We have no choice but to commit suicide in this case. */
 			abort();
 		}
 	}
@ -115,7 +121,7 @@ https://bugzilla.redhat.com/show_bug.cgi?id=1179298
 
 	if (numrows >= 2) {
 		hstartcol = (numrows + 1 - parity) >> 1;
-@@ -517,12 +495,10 @@ void jpc_qmfb_split_colgrp(jpc_fix_t *a,
+@@ -517,12 +495,10 @@
 		}
 	}
 
@ -128,7 +134,7 @@ https://bugzilla.redhat.com/show_bug.cgi?id=1179298
 
 }
 
-@@ -531,11 +507,7 @@ void jpc_qmfb_split_colres(jpc_fix_t *a,
+@@ -531,11 +507,7 @@
 {
 
 	int bufsize = JPC_CEILDIVPOW2(numrows, 1);
@ -140,15 +146,16 @@ https://bugzilla.redhat.com/show_bug.cgi?id=1179298
 	jpc_fix_t *buf = splitbuf;
 	jpc_fix_t *srcptr;
 	jpc_fix_t *dstptr;
-@@ -546,7 +518,6 @@ void jpc_qmfb_split_colres(jpc_fix_t *a,
+@@ -546,15 +518,13 @@
 	int m;
 	int hstartcol;
 
 -#if !defined(HAVE_VLA)
 	/* Get a buffer. */
 	if (bufsize > QMFB_SPLITBUFSIZE) {
- 		if (!(buf = jas_malloc(bufsize * sizeof(jpc_fix_t)))) {
-@@ -554,7 +525,6 @@ void jpc_qmfb_split_colres(jpc_fix_t *a,
+-		if (!(buf = jas_malloc(bufsize * sizeof(jpc_fix_t)))) {
+		if (!(buf = jas_alloc2(bufsize, sizeof(jpc_fix_t)))) {
+ 			/* We have no choice but to commit suicide in this case. */
 			abort();
 		}
 	}
@ -156,7 +163,7 @@ https://bugzilla.redhat.com/show_bug.cgi?id=1179298
 
 	if (numrows >= 2) {
 		hstartcol = (numrows + 1 - parity) >> 1;
-@@ -606,12 +576,10 @@ void jpc_qmfb_split_colres(jpc_fix_t *a,
+@@ -606,12 +576,10 @@
 		}
 	}
 
@ -169,7 +176,7 @@ https://bugzilla.redhat.com/show_bug.cgi?id=1179298
 
 }
 
-@@ -619,18 +587,13 @@ void jpc_qmfb_join_row(jpc_fix_t *a, int
+@@ -619,26 +587,20 @@
 {
 
 	int bufsize = JPC_CEILDIVPOW2(numcols, 1);
@ -187,8 +194,9 @@ https://bugzilla.redhat.com/show_bug.cgi?id=1179298
 -#if !defined(HAVE_VLA)
 	/* Allocate memory for the join buffer from the heap. */
 	if (bufsize > QMFB_JOINBUFSIZE) {
- 		if (!(buf = jas_malloc(bufsize * sizeof(jpc_fix_t)))) {
-@@ -638,7 +601,6 @@ void jpc_qmfb_join_row(jpc_fix_t *a, int
+-		if (!(buf = jas_malloc(bufsize * sizeof(jpc_fix_t)))) {
+		if (!(buf = jas_alloc2(bufsize, sizeof(jpc_fix_t)))) {
+ 			/* We have no choice but to commit suicide. */
 			abort();
 		}
 	}
@ -196,7 +204,7 @@ https://bugzilla.redhat.com/show_bug.cgi?id=1179298
 
 	hstartcol = (numcols + 1 - parity) >> 1;
 
-@@ -670,12 +632,10 @@ void jpc_qmfb_join_row(jpc_fix_t *a, int
+@@ -670,12 +632,10 @@
 		++srcptr;
 	}
 
@ -209,7 +217,7 @@ https://bugzilla.redhat.com/show_bug.cgi?id=1179298
 
 }
 
-@@ -684,18 +644,13 @@ void jpc_qmfb_join_col(jpc_fix_t *a, int
+@@ -684,26 +644,20 @@
 {
 
 	int bufsize = JPC_CEILDIVPOW2(numrows, 1);
@ -227,8 +235,9 @@ https://bugzilla.redhat.com/show_bug.cgi?id=1179298
 -#if !defined(HAVE_VLA)
 	/* Allocate memory for the join buffer from the heap. */
 	if (bufsize > QMFB_JOINBUFSIZE) {
- 		if (!(buf = jas_malloc(bufsize * sizeof(jpc_fix_t)))) {
-@@ -703,7 +658,6 @@ void jpc_qmfb_join_col(jpc_fix_t *a, int
+-		if (!(buf = jas_malloc(bufsize * sizeof(jpc_fix_t)))) {
+		if (!(buf = jas_alloc2(bufsize, sizeof(jpc_fix_t)))) {
+ 			/* We have no choice but to commit suicide. */
 			abort();
 		}
 	}
@ -236,7 +245,7 @@ https://bugzilla.redhat.com/show_bug.cgi?id=1179298
 
 	hstartcol = (numrows + 1 - parity) >> 1;
 
-@@ -735,12 +689,10 @@ void jpc_qmfb_join_col(jpc_fix_t *a, int
+@@ -735,12 +689,10 @@
 		++srcptr;
 	}
 
@ -249,7 +258,7 @@ https://bugzilla.redhat.com/show_bug.cgi?id=1179298
 
 }
 
-@@ -749,11 +701,7 @@ void jpc_qmfb_join_colgrp(jpc_fix_t *a, 
+@@ -749,11 +701,7 @@
 {
 
 	int bufsize = JPC_CEILDIVPOW2(numrows, 1);
@ -261,15 +270,16 @@ https://bugzilla.redhat.com/show_bug.cgi?id=1179298
 	jpc_fix_t *buf = joinbuf;
 	jpc_fix_t *srcptr;
 	jpc_fix_t *dstptr;
-@@ -763,7 +711,6 @@ void jpc_qmfb_join_colgrp(jpc_fix_t *a, 
+@@ -763,15 +711,13 @@
 	register int i;
 	int hstartcol;
 
 -#if !defined(HAVE_VLA)
 	/* Allocate memory for the join buffer from the heap. */
 	if (bufsize > QMFB_JOINBUFSIZE) {
- 		if (!(buf = jas_malloc(bufsize * JPC_QMFB_COLGRPSIZE * sizeof(jpc_fix_t)))) {
-@@ -771,7 +718,6 @@ void jpc_qmfb_join_colgrp(jpc_fix_t *a, 
+-		if (!(buf = jas_malloc(bufsize * JPC_QMFB_COLGRPSIZE * sizeof(jpc_fix_t)))) {
+		if (!(buf = jas_alloc2(bufsize, JPC_QMFB_COLGRPSIZE * sizeof(jpc_fix_t)))) {
+ 			/* We have no choice but to commit suicide. */
 			abort();
 		}
 	}
@ -277,7 +287,7 @@ https://bugzilla.redhat.com/show_bug.cgi?id=1179298
 
 	hstartcol = (numrows + 1 - parity) >> 1;
 
-@@ -821,12 +767,10 @@ void jpc_qmfb_join_colgrp(jpc_fix_t *a, 
+@@ -821,12 +767,10 @@
 		srcptr += JPC_QMFB_COLGRPSIZE;
 	}
 
@ -290,7 +300,7 @@ https://bugzilla.redhat.com/show_bug.cgi?id=1179298
 
 }
 
-@@ -835,11 +779,7 @@ void jpc_qmfb_join_colres(jpc_fix_t *a, 
+@@ -835,11 +779,7 @@
 {
 
 	int bufsize = JPC_CEILDIVPOW2(numrows, 1);
@ -302,15 +312,16 @@ https://bugzilla.redhat.com/show_bug.cgi?id=1179298
 	jpc_fix_t *buf = joinbuf;
 	jpc_fix_t *srcptr;
 	jpc_fix_t *dstptr;
-@@ -849,7 +789,6 @@ void jpc_qmfb_join_colres(jpc_fix_t *a, 
+@@ -849,15 +789,13 @@
 	register int i;
 	int hstartcol;
 
 -#if !defined(HAVE_VLA)
 	/* Allocate memory for the join buffer from the heap. */
 	if (bufsize > QMFB_JOINBUFSIZE) {
- 		if (!(buf = jas_malloc(bufsize * numcols * sizeof(jpc_fix_t)))) {
-@@ -857,7 +796,6 @@ void jpc_qmfb_join_colres(jpc_fix_t *a, 
+-		if (!(buf = jas_malloc(bufsize * numcols * sizeof(jpc_fix_t)))) {
+		if (!(buf = jas_alloc3(bufsize, numcols, sizeof(jpc_fix_t)))) {
+ 			/* We have no choice but to commit suicide. */
 			abort();
 		}
 	}
@ -318,7 +329,7 @@ https://bugzilla.redhat.com/show_bug.cgi?id=1179298
 
 	hstartcol = (numrows + 1 - parity) >> 1;
 
-@@ -907,12 +845,10 @@ void jpc_qmfb_join_colres(jpc_fix_t *a, 
+@@ -907,12 +845,10 @@
 		srcptr += numcols;
 	}
 
--- a/graphics/jasper/patches/patch-src_libjasper_jpc_jpc__t1enc.c
+++ b/graphics/jasper/patches/patch-src_libjasper_jpc_jpc__t1enc.c
@ -0,0 +1,16 @@
+$NetBSD: patch-src_libjasper_jpc_jpc__t1enc.c,v 1.1 2016/05/16 14:03:40 he Exp $
+
+Fix CVE-2008-3520, patches from
+https://bugs.gentoo.org/show_bug.cgi?id=222819
+
+--- src/libjasper/jpc/jpc_t1enc.c.orig	2007-01-19 21:43:07.000000000 +0000
+++ src/libjasper/jpc/jpc_t1enc.c
+@@ -219,7 +219,7 @@ int jpc_enc_enccblk(jpc_enc_t *enc, jas_
+ 
+ 	cblk->numpasses = (cblk->numbps > 0) ? (3 * cblk->numbps - 2) : 0;
+ 	if (cblk->numpasses > 0) {
+-		cblk->passes = jas_malloc(cblk->numpasses * sizeof(jpc_enc_pass_t));
+		cblk->passes = jas_alloc2(cblk->numpasses, sizeof(jpc_enc_pass_t));
+ 		assert(cblk->passes);
+ 	} else {
+ 		cblk->passes = 0;
--- a/graphics/jasper/patches/patch-src_libjasper_jpc_jpc__t2cod.c
+++ b/graphics/jasper/patches/patch-src_libjasper_jpc_jpc__t2cod.c
@ -0,0 +1,16 @@
+$NetBSD: patch-src_libjasper_jpc_jpc__t2cod.c,v 1.1 2016/05/16 14:03:40 he Exp $
+
+Fix CVE-2008-3520, patches from
+https://bugs.gentoo.org/show_bug.cgi?id=222819
+
+--- src/libjasper/jpc/jpc_t2cod.c.orig	2007-01-19 21:43:07.000000000 +0000
+++ src/libjasper/jpc/jpc_t2cod.c
+@@ -573,7 +573,7 @@ int jpc_pchglist_insert(jpc_pchglist_t *
+ 	}
+ 	if (pchglist->numpchgs >= pchglist->maxpchgs) {
+ 		newmaxpchgs = pchglist->maxpchgs + 128;
+-		if (!(newpchgs = jas_realloc(pchglist->pchgs, newmaxpchgs * sizeof(jpc_pchg_t *)))) {
+		if (!(newpchgs = jas_realloc2(pchglist->pchgs, newmaxpchgs, sizeof(jpc_pchg_t *)))) {
+ 			return -1;
+ 		}
+ 		pchglist->maxpchgs = newmaxpchgs;
--- a/graphics/jasper/patches/patch-src_libjasper_jpc_jpc__t2dec.c
+++ b/graphics/jasper/patches/patch-src_libjasper_jpc_jpc__t2dec.c
@ -0,0 +1,34 @@
+$NetBSD: patch-src_libjasper_jpc_jpc__t2dec.c,v 1.1 2016/05/16 14:03:40 he Exp $
+
+Fix CVE-2008-3520, patches from
+https://bugs.gentoo.org/show_bug.cgi?id=222819
+
+--- src/libjasper/jpc/jpc_t2dec.c.orig	2007-01-19 21:43:07.000000000 +0000
+++ src/libjasper/jpc/jpc_t2dec.c
+@@ -478,7 +478,7 @@ jpc_pi_t *jpc_dec_pi_create(jpc_dec_t *d
+ 		return 0;
+ 	}
+ 	pi->numcomps = dec->numcomps;
+-	if (!(pi->picomps = jas_malloc(pi->numcomps * sizeof(jpc_picomp_t)))) {
+	if (!(pi->picomps = jas_alloc2(pi->numcomps, sizeof(jpc_picomp_t)))) {
+ 		jpc_pi_destroy(pi);
+ 		return 0;
+ 	}
+@@ -490,7 +490,7 @@ jpc_pi_t *jpc_dec_pi_create(jpc_dec_t *d
+ 	for (compno = 0, tcomp = tile->tcomps, picomp = pi->picomps;
+ 	  compno < pi->numcomps; ++compno, ++tcomp, ++picomp) {
+ 		picomp->numrlvls = tcomp->numrlvls;
+-		if (!(picomp->pirlvls = jas_malloc(picomp->numrlvls *
+		if (!(picomp->pirlvls = jas_alloc2(picomp->numrlvls,
+ 		  sizeof(jpc_pirlvl_t)))) {
+ 			jpc_pi_destroy(pi);
+ 			return 0;
+@@ -503,7 +503,7 @@ jpc_pi_t *jpc_dec_pi_create(jpc_dec_t *d
+ 		  rlvlno < picomp->numrlvls; ++rlvlno, ++pirlvl, ++rlvl) {
+ /* XXX sizeof(long) should be sizeof different type */
+ 			pirlvl->numprcs = rlvl->numprcs;
+-			if (!(pirlvl->prclyrnos = jas_malloc(pirlvl->numprcs *
+			if (!(pirlvl->prclyrnos = jas_alloc2(pirlvl->numprcs,
+ 			  sizeof(long)))) {
+ 				jpc_pi_destroy(pi);
+ 				return 0;
--- a/graphics/jasper/patches/patch-src_libjasper_jpc_jpc__t2enc.c
+++ b/graphics/jasper/patches/patch-src_libjasper_jpc_jpc__t2enc.c
@ -0,0 +1,34 @@
+$NetBSD: patch-src_libjasper_jpc_jpc__t2enc.c,v 1.1 2016/05/16 14:03:40 he Exp $
+
+Fix CVE-2008-3520, patches from
+https://bugs.gentoo.org/show_bug.cgi?id=222819
+
+--- src/libjasper/jpc/jpc_t2enc.c.orig	2007-01-19 21:43:07.000000000 +0000
+++ src/libjasper/jpc/jpc_t2enc.c
+@@ -565,7 +565,7 @@ jpc_pi_t *jpc_enc_pi_create(jpc_enc_cp_t
+ 	}
+ 	pi->pktno = -1;
+ 	pi->numcomps = cp->numcmpts;
+-	if (!(pi->picomps = jas_malloc(pi->numcomps * sizeof(jpc_picomp_t)))) {
+	if (!(pi->picomps = jas_alloc2(pi->numcomps, sizeof(jpc_picomp_t)))) {
+ 		jpc_pi_destroy(pi);
+ 		return 0;
+ 	}
+@@ -577,7 +577,7 @@ jpc_pi_t *jpc_enc_pi_create(jpc_enc_cp_t
+ 	for (compno = 0, tcomp = tile->tcmpts, picomp = pi->picomps;
+ 	  compno < pi->numcomps; ++compno, ++tcomp, ++picomp) {
+ 		picomp->numrlvls = tcomp->numrlvls;
+-		if (!(picomp->pirlvls = jas_malloc(picomp->numrlvls *
+		if (!(picomp->pirlvls = jas_alloc2(picomp->numrlvls,
+ 		  sizeof(jpc_pirlvl_t)))) {
+ 			jpc_pi_destroy(pi);
+ 			return 0;
+@@ -591,7 +591,7 @@ jpc_pi_t *jpc_enc_pi_create(jpc_enc_cp_t
+ /* XXX sizeof(long) should be sizeof different type */
+ 			pirlvl->numprcs = rlvl->numprcs;
+ 			if (rlvl->numprcs) {
+-				if (!(pirlvl->prclyrnos = jas_malloc(pirlvl->numprcs *
+				if (!(pirlvl->prclyrnos = jas_alloc2(pirlvl->numprcs,
+ 				  sizeof(long)))) {
+ 					jpc_pi_destroy(pi);
+ 					return 0;
--- a/graphics/jasper/patches/patch-src_libjasper_jpc_jpc__tagtree.c
+++ b/graphics/jasper/patches/patch-src_libjasper_jpc_jpc__tagtree.c
@ -0,0 +1,16 @@
+$NetBSD: patch-src_libjasper_jpc_jpc__tagtree.c,v 1.1 2016/05/16 14:03:40 he Exp $
+
+Fix CVE-2008-3520, patches from
+https://bugs.gentoo.org/show_bug.cgi?id=222819
+
+--- src/libjasper/jpc/jpc_tagtree.c.orig	2007-01-19 21:43:07.000000000 +0000
+++ src/libjasper/jpc/jpc_tagtree.c
+@@ -125,7 +125,7 @@ jpc_tagtree_t *jpc_tagtree_create(int nu
+ 		++numlvls;
+ 	} while (n > 1);
+ 
+-	if (!(tree->nodes_ = jas_malloc(tree->numnodes_ * sizeof(jpc_tagtreenode_t)))) {
+	if (!(tree->nodes_ = jas_alloc2(tree->numnodes_, sizeof(jpc_tagtreenode_t)))) {
+ 		return 0;
+ 	}
+ 
--- a/graphics/jasper/patches/patch-src_libjasper_jpc_jpc__util.c
+++ b/graphics/jasper/patches/patch-src_libjasper_jpc_jpc__util.c
@ -0,0 +1,16 @@
+$NetBSD: patch-src_libjasper_jpc_jpc__util.c,v 1.1 2016/05/16 14:03:40 he Exp $
+
+Fix CVE-2008-3520, patches from
+https://bugs.gentoo.org/show_bug.cgi?id=222819
+
+--- src/libjasper/jpc/jpc_util.c.orig	2007-01-19 21:43:07.000000000 +0000
+++ src/libjasper/jpc/jpc_util.c
+@@ -109,7 +109,7 @@ int jpc_atoaf(char *s, int *numvalues, d
+ 	}
+ 
+ 	if (n) {
+-		if (!(vs = jas_malloc(n * sizeof(double)))) {
+		if (!(vs = jas_alloc2(n, sizeof(double)))) {
+ 			return -1;
+ 		}
+ 
--- a/graphics/jasper/patches/patch-src_libjasper_mif_mif__cod.c
+++ b/graphics/jasper/patches/patch-src_libjasper_mif_mif__cod.c
@ -0,0 +1,17 @@
+$NetBSD: patch-src_libjasper_mif_mif__cod.c,v 1.1 2016/05/16 14:03:40 he Exp $
+
+Fix CVE-2008-3520, patches from
+https://bugs.gentoo.org/show_bug.cgi?id=222819
+
+--- src/libjasper/mif/mif_cod.c.orig	2007-01-19 21:43:05.000000000 +0000
+++ src/libjasper/mif/mif_cod.c
+@@ -438,8 +438,7 @@ static int mif_hdr_growcmpts(mif_hdr_t *
+ 	int cmptno;
+ 	mif_cmpt_t **newcmpts;
+ 	assert(maxcmpts >= hdr->numcmpts);
+-	newcmpts = (!hdr->cmpts) ? jas_malloc(maxcmpts * sizeof(mif_cmpt_t *)) :
+-	  jas_realloc(hdr->cmpts, maxcmpts * sizeof(mif_cmpt_t *));
+	newcmpts = jas_realloc2(hdr->cmpts, maxcmpts, sizeof(mif_cmpt_t *));
+ 	if (!newcmpts) {
+ 		return -1;
+ 	}
--- a/graphics/jasper/patches/patch-src_libjasper_pnm_pnm__enc.c
+++ b/graphics/jasper/patches/patch-src_libjasper_pnm_pnm__enc.c
@ -0,0 +1,16 @@
+$NetBSD: patch-src_libjasper_pnm_pnm__enc.c,v 1.1 2016/05/16 14:03:40 he Exp $
+
+Fix CVE-2008-3520, patches from
+https://bugs.gentoo.org/show_bug.cgi?id=222819
+
+--- src/libjasper/pnm/pnm_enc.c.orig	2007-01-19 21:43:05.000000000 +0000
+++ src/libjasper/pnm/pnm_enc.c
+@@ -374,7 +374,7 @@ static int pnm_putdata(jas_stream_t *out
+ 						}
+ 					}
+ 				} else {
+-					n = sprintf(buf, "%s%ld", ((!(!x && !cmptno)) ? " " : ""),
+					n = snprintf(buf, sizeof buf, "%s%ld", ((!(!x && !cmptno)) ? " " : ""),
+ 					  (long) v);
+ 					if (linelen > 0 && linelen + n > PNM_MAXLINELEN) {
+ 						jas_stream_printf(out, "\n");