
Backport of the upstream commit:
From 44a524e367597af58d6265ae2014468b334d0309 Mon Sep 17 00:00:00 2001
From: Michael Adams <mdadams@ece.uvic.ca>
Date: Thu, 20 Oct 2016 07:34:32 -0700
Subject: [PATCH] The memory stream interface allows for a buffer size of zero.
 The case of a zero-sized buffer was not handled correctly, as it could lead
 to a double free. This problem has now been fixed (hopefully). One might ask
 whether a zero-sized buffer should be allowed at all, but this is a question
 for another day.
diff -pruN jasper-1.900.1.orig/src/libjasper/base/jas_stream.c jasper-1.900.1/src/libjasper/base/jas_stream.c
--- jasper-1.900.1.orig/src/libjasper/base/jas_stream.c	2017-03-24 13:23:23.000000000 +0100
+++ jasper-1.900.1/src/libjasper/base/jas_stream.c	2017-03-24 13:33:01.986069625 +0100
@@ -991,8 +991,8 @@ static int mem_resize(jas_stream_memobj_
 {
 	unsigned char *buf;
 
-	assert(m->buf_);
-	if (!(buf = jas_realloc(m->buf_, bufsize))) {
+	//assert(m->buf_);
+	if (!(buf = jas_realloc(m->buf_, bufsize)) && bufsize) {
 		return -1;
 	}
 	m->buf_ = buf;
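Review bot: The added `&& bufsize` clause on the jas_realloc check makes the zero-size path depend on implementation-defined realloc(p, 0) behavior: a C library may free p and return NULL (then `m->buf_ = buf` correctly stores NULL), return a unique zero-size block, or fail and return NULL with p still allocated, in which case the old buffer is leaked and the double free is traded for a leak. A more portable fix special-cases zero before the realloc, e.g. `if (!bufsize) { jas_free(m->buf_); m->buf_ = NULL; }` followed by whatever size bookkeeping the function does below the hunk (presumably an assignment to the object's size field, which is outside this view and must still run for the zero case), so that the result no longer hinges on how jas_realloc wraps realloc. The `//assert(m->buf_);` line should be deleted rather than left as commented-out code; the relaxed precondition is better recorded as a comment such as `/* m->buf_ may be NULL here: jas_realloc(NULL, n) behaves like an allocation. */`. mem_resize's signature and the remainder of its body lie outside the hunk.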