rpms / jasper

Clone
Source Code
GIT

Blame SOURCES/jasper-CVE-2016-8693.patch

c4 c5 c5-plus c6 c6-plus c7 c7-aarch64 c7-alt c7-beta c7-ppc64le c8 c8-beta c8s c9 c9-beta
  1.   425a81bb10b1acbaaa1c8a4ea0e1911a92b6f5b1
  2.   SOURCES
  3.   jasper-CVE-2016-8693.patch
Blob History Raw
425a81 
Backport of the upstream commit:
425a81
425a81 
From 44a524e367597af58d6265ae2014468b334d0309 Mon Sep 17 00:00:00 2001
425a81 
From: Michael Adams <mdadams@ece.uvic.ca>
425a81 
Date: Thu, 20 Oct 2016 07:34:32 -0700
425a81 
Subject: [PATCH] The memory stream interface allows for a buffer size of zero.
425a81 
 The case of a zero-sized buffer was not handled correctly, as it could lead
425a81 
 to a double free. This problem has now been fixed (hopefully). One might ask
425a81 
 whether a zero-sized buffer should be allowed at all, but this is a question
425a81 
 for another day.
425a81
425a81 
diff -pruN jasper-1.900.1.orig/src/libjasper/base/jas_stream.c jasper-1.900.1/src/libjasper/base/jas_stream.c
425a81 
--- jasper-1.900.1.orig/src/libjasper/base/jas_stream.c	2017-03-24 13:23:23.000000000 +0100
425a81 
+++ jasper-1.900.1/src/libjasper/base/jas_stream.c	2017-03-24 13:33:01.986069625 +0100
425a81 
@@ -991,8 +991,8 @@ static int mem_resize(jas_stream_memobj_
425a81 
 {
425a81 
 	unsigned char *buf;
425a81
425a81 
-	assert(m->buf_);
425a81 
-	if (!(buf = jas_realloc(m->buf_, bufsize))) {
425a81 
+	//assert(m->buf_);
425a81 
+	if (!(buf = jas_realloc(m->buf_, bufsize)) && bufsize) {
425a81 
 		return -1;
425a81 
 	}
425a81 
 	m->buf_ = buf;

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation