
Backport of the upstream commit:
From 988f8365f7d8ad8073b6786e433d34c553ecf568 Mon Sep 17 00:00:00 2001
From: Michael Adams <mdadams@ece.uvic.ca>
Date: Sat, 22 Oct 2016 14:36:49 -0700
Subject: [PATCH] Fixed an integer overflow problem.
Further enhanced by an explicit check to ensure that size not only fits into
size_t, but that it also does not exceed INT_FAST32_MAX (the type of
matrix->datasize_).  This is a similar approach to the one upstream used in
a712a2041085e7cd5f2b153e1532ac2a2954ffaa.
diff -pruN jasper-1.900.1.orig/src/libjasper/base/jas_seq.c jasper-1.900.1/src/libjasper/base/jas_seq.c
--- jasper-1.900.1.orig/src/libjasper/base/jas_seq.c	2017-03-31 15:02:01.000000000 +0200
+++ jasper-1.900.1/src/libjasper/base/jas_seq.c	2017-03-31 15:41:17.527623038 +0200
@@ -101,13 +101,16 @@ jas_matrix_t *jas_matrix_create(int numr
 {
 	jas_matrix_t *matrix;
 	int i;
+	size_t size;
+
+	matrix = 0;
 
 	if (numrows < 0 || numcols < 0) {
-		return 0;
+		goto error;
 	}
 
 	if (!(matrix = jas_malloc(sizeof(jas_matrix_t)))) {
-		return 0;
+		goto error;
 	}
 	matrix->flags_ = 0;
 	matrix->numrows_ = numrows;
@@ -115,21 +118,25 @@ jas_matrix_t *jas_matrix_create(int numr
 	matrix->rows_ = 0;
 	matrix->maxrows_ = numrows;
 	matrix->data_ = 0;
-	matrix->datasize_ = numrows * numcols;
+	matrix->datasize_ = 0;
+
+	// matrix->datasize_ = numrows * numcols;
+	if (!jas_safe_size_mul(numrows, numcols, &size) || size > INT_FAST32_MAX) {
+		goto error;
+	}
+	matrix->datasize_ = size;
 
 	if (matrix->maxrows_ > 0) {
 		if (!(matrix->rows_ = jas_alloc2(matrix->maxrows_,
 		  sizeof(jas_seqent_t *)))) {
-			jas_matrix_destroy(matrix);
-			return 0;
+			goto error;
 		}
 	}
 
 	if (matrix->datasize_ > 0) {
 		if (!(matrix->data_ = jas_alloc2(matrix->datasize_,
 		  sizeof(jas_seqent_t)))) {
-			jas_matrix_destroy(matrix);
-			return 0;
+			goto error;
 		}
 	}
 
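Review bot: The commented-out line `// matrix->datasize_ = numrows * numcols;` left above the new overflow check is dead code and should be dropped; the `jas_safe_size_mul` call states the intent on its own. It also introduces a `//` line comment into a file whose visible context uses none, so if jas_seq.c is still built in strict C89 mode this will not compile — if a comment is wanted, write it as `/* datasize_ = numrows * numcols, rejected on overflow */`. The bound `size > INT_FAST32_MAX` matches the commit message's stated type of `datasize_`, but it presumes `INT_FAST32_MAX` is already in scope in this file (via `<stdint.h>` or a jasper wrapper), which nothing in the hunk shows; worth confirming before merging. jas_matrix_create's body begins in the previous hunk and ends in the next.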
@@ -147,6 +154,12 @@ jas_matrix_t *jas_matrix_create(int numr
 	matrix->yend_ = matrix->numrows_;
 
 	return matrix;
+
+error:
+	if (matrix) {
+		jas_matrix_destroy(matrix);
+	}
+	return 0;
 }
 
 void jas_matrix_destroy(jas_matrix_t *matrix)