Blame SOURCES/jasper-CVE-2016-9392-CVE-2016-9393-CVE-2016-9394.patch

94b862
Backport of the upstream commit:
94b862
94b862
From f7038068550fba0e41e1d0c355787f1dcd5bf330 Mon Sep 17 00:00:00 2001
94b862
From: Michael Adams <mdadams@ece.uvic.ca>
94b862
Date: Thu, 27 Oct 2016 20:11:57 -0700
94b862
Subject: [PATCH] Added some missing sanity checks on the data in a SIZ marker
94b862
 segment.
94b862
94b862
diff -pruN jasper-1.900.1.orig/src/libjasper/jpc/jpc_cs.c jasper-1.900.1/src/libjasper/jpc/jpc_cs.c
94b862
--- jasper-1.900.1.orig/src/libjasper/jpc/jpc_cs.c	2017-03-29 22:30:41.000000000 +0200
94b862
+++ jasper-1.900.1/src/libjasper/jpc/jpc_cs.c	2017-03-29 22:48:20.267725023 +0200
94b862
@@ -483,6 +483,8 @@ static int jpc_siz_getparms(jpc_ms_t *ms
94b862
 	unsigned int i;
94b862
 	uint_fast8_t tmp;
94b862
 
94b862
+	siz->comps = 0;
94b862
+
94b862
 	/* Eliminate compiler warning about unused variables. */
94b862
 	cstate = 0;
94b862
 
94b862
@@ -496,44 +498,67 @@ static int jpc_siz_getparms(jpc_ms_t *ms
94b862
 	  jpc_getuint32(in, &siz->tilexoff) ||
94b862
 	  jpc_getuint32(in, &siz->tileyoff) ||
94b862
 	  jpc_getuint16(in, &siz->numcomps)) {
94b862
-		return -1;
94b862
+		goto error;
94b862
 	}
94b862
-	if (!siz->width || !siz->height || !siz->tilewidth ||
94b862
-	  !siz->tileheight || !siz->numcomps) {
94b862
-		return -1;
94b862
-	}
94b862
-	if (siz->tilexoff >= siz->width || siz->tileyoff >= siz->height) {
94b862
-		jas_eprintf("all tiles are outside the image area\n");
94b862
-		return -1;
94b862
+	if (!siz->width || !siz->height) {
94b862
+		jas_eprintf("reference grid cannot have zero area\n");
94b862
+		goto error;
94b862
+ 	}
94b862
+	if (!siz->tilewidth || !siz->tileheight) {
94b862
+		jas_eprintf("tile cannot have zero area\n");
94b862
+		goto error;
94b862
+	}
94b862
+	if (!siz->numcomps || siz->numcomps > 16384) {
94b862
+		jas_eprintf("number of components not in permissible range\n");
94b862
+		goto error;
94b862
+ 	}
94b862
+	if (siz->xoff >= siz->width) {
94b862
+		jas_eprintf("XOsiz not in permissible range\n");
94b862
+		goto error;
94b862
+	}
94b862
+	if (siz->yoff >= siz->height) {
94b862
+		jas_eprintf("YOsiz not in permissible range\n");
94b862
+		goto error;
94b862
+	}
94b862
+	if (siz->tilexoff > siz->xoff || siz->tilexoff + siz->tilewidth <= siz->xoff) {
94b862
+		jas_eprintf("XTOsiz not in permissible range\n");
94b862
+		goto error;
94b862
+	}
94b862
+	if (siz->tileyoff > siz->yoff || siz->tileyoff + siz->tileheight <= siz->yoff) {
94b862
+		jas_eprintf("YTOsiz not in permissible range\n");
94b862
+		goto error;
94b862
 	}
94b862
+
94b862
 	if (!(siz->comps = jas_alloc2(siz->numcomps, sizeof(jpc_sizcomp_t)))) {
94b862
-		return -1;
94b862
+		goto error;
94b862
 	}
94b862
 	for (i = 0; i < siz->numcomps; ++i) {
94b862
 		if (jpc_getuint8(in, &tmp) ||
94b862
 		  jpc_getuint8(in, &siz->comps[i].hsamp) ||
94b862
 		  jpc_getuint8(in, &siz->comps[i].vsamp)) {
94b862
-			jas_free(siz->comps);
94b862
-			return -1;
94b862
+			goto error;
94b862
 		}
94b862
 		if (siz->comps[i].hsamp == 0 || siz->comps[i].hsamp > 255) {
94b862
 			jas_eprintf("invalid XRsiz value %d\n", siz->comps[i].hsamp);
94b862
-			jas_free(siz->comps);
94b862
-			return -1;
94b862
+			goto error;
94b862
 		}
94b862
 		if (siz->comps[i].vsamp == 0 || siz->comps[i].vsamp > 255) {
94b862
 			jas_eprintf("invalid YRsiz value %d\n", siz->comps[i].vsamp);
94b862
-			jas_free(siz->comps);
94b862
-			return -1;
94b862
+			goto error;
94b862
 		}
94b862
 		siz->comps[i].sgnd = (tmp >> 7) & 1;
94b862
 		siz->comps[i].prec = (tmp & 0x7f) + 1;
94b862
 	}
94b862
 	if (jas_stream_eof(in)) {
94b862
-		jas_free(siz->comps);
94b862
-		return -1;
94b862
+		goto error;
94b862
 	}
94b862
 	return 0;
94b862
+
94b862
+error:
94b862
+	if (siz->comps) {
94b862
+		jas_free(siz->comps);
94b862
+	}
94b862
+	return -1;
94b862
 }
94b862
 
94b862
 static int jpc_siz_putparms(jpc_ms_t *ms, jpc_cstate_t *cstate, jas_stream_t *out)