Blame SOURCES/jasper-CVE-2016-8693.patch

425a81
Backport of the upstream commit:
425a81
425a81
From 44a524e367597af58d6265ae2014468b334d0309 Mon Sep 17 00:00:00 2001
425a81
From: Michael Adams <mdadams@ece.uvic.ca>
425a81
Date: Thu, 20 Oct 2016 07:34:32 -0700
425a81
Subject: [PATCH] The memory stream interface allows for a buffer size of zero.
425a81
 The case of a zero-sized buffer was not handled correctly, as it could lead
425a81
 to a double free. This problem has now been fixed (hopefully). One might ask
425a81
 whether a zero-sized buffer should be allowed at all, but this is a question
425a81
 for another day.
425a81
425a81
diff -pruN jasper-1.900.1.orig/src/libjasper/base/jas_stream.c jasper-1.900.1/src/libjasper/base/jas_stream.c
425a81
--- jasper-1.900.1.orig/src/libjasper/base/jas_stream.c	2017-03-24 13:23:23.000000000 +0100
425a81
+++ jasper-1.900.1/src/libjasper/base/jas_stream.c	2017-03-24 13:33:01.986069625 +0100
425a81
@@ -991,8 +991,8 @@ static int mem_resize(jas_stream_memobj_
425a81
 {
425a81
 	unsigned char *buf;
425a81
 
425a81
-	assert(m->buf_);
425a81
-	if (!(buf = jas_realloc(m->buf_, bufsize))) {
425a81
+	//assert(m->buf_);
425a81
+	if (!(buf = jas_realloc(m->buf_, bufsize)) && bufsize) {
425a81
 		return -1;
425a81
 	}
425a81
 	m->buf_ = buf;