|
 |
425a81 |
Backport of the upstream patch:
|
|
|
425a81 |
|
|
|
425a81 |
From 03fe49ab96bf65fea784cdc256507ea88267fc7c Mon Sep 17 00:00:00 2001
|
|
|
425a81 |
From: Michael Adams <mdadams@ece.uvic.ca>
|
|
|
425a81 |
Date: Thu, 2 Mar 2017 08:07:04 -0800
|
|
|
425a81 |
Subject: [PATCH] Fixed some potential double-free problems in the JPC codec.
|
|
|
425a81 |
|
|
|
425a81 |
diff -pruN jasper-1.900.1.orig/src/libjasper/jpc/jpc_enc.c jasper-1.900.1/src/libjasper/jpc/jpc_enc.c
|
|
|
425a81 |
--- jasper-1.900.1.orig/src/libjasper/jpc/jpc_enc.c 2017-03-30 22:53:59.000000000 +0200
|
|
|
425a81 |
+++ jasper-1.900.1/src/libjasper/jpc/jpc_enc.c 2017-03-31 13:40:12.000000000 +0200
|
|
|
425a81 |
@@ -1140,8 +1140,9 @@ int numgbits;
|
|
|
425a81 |
tilex = tileno % cp->numhtiles;
|
|
|
425a81 |
tiley = tileno / cp->numhtiles;
|
|
|
425a81 |
|
|
|
425a81 |
- if (!(enc->curtile = jpc_enc_tile_create(enc->cp, enc->image, tileno))) {
|
|
|
425a81 |
- abort();
|
|
|
425a81 |
+ if (!(enc->curtile = jpc_enc_tile_create(enc->cp, enc->image,
|
|
|
425a81 |
+ tileno))) {
|
|
|
425a81 |
+ return -1;
|
|
|
425a81 |
}
|
|
|
425a81 |
|
|
|
425a81 |
tile = enc->curtile;
|
|
|
425a81 |
@@ -2016,6 +2017,8 @@ error:
|
|
|
425a81 |
return 0;
|
|
|
425a81 |
}
|
|
|
425a81 |
|
|
|
425a81 |
+/* Note: I don't think that it is necessary to marked destroyed subobjects
|
|
|
425a81 |
+as such in this function. */
|
|
|
425a81 |
void jpc_enc_tile_destroy(jpc_enc_tile_t *tile)
|
|
|
425a81 |
{
|
|
|
425a81 |
jpc_enc_tcmpt_t *tcmpt;
|
|
|
425a81 |
@@ -2027,16 +2030,21 @@ void jpc_enc_tile_destroy(jpc_enc_tile_t
|
|
|
425a81 |
tcmpt_destroy(tcmpt);
|
|
|
425a81 |
}
|
|
|
425a81 |
jas_free(tile->tcmpts);
|
|
|
425a81 |
+ /* tile->tcmpts = NULL; */
|
|
|
425a81 |
}
|
|
|
425a81 |
if (tile->lyrsizes) {
|
|
|
425a81 |
jas_free(tile->lyrsizes);
|
|
|
425a81 |
+ /* tile->lyrsizes = NULL; */
|
|
|
425a81 |
}
|
|
|
425a81 |
if (tile->pi) {
|
|
|
425a81 |
jpc_pi_destroy(tile->pi);
|
|
|
425a81 |
+ /* tile->pi = NULL; */
|
|
|
425a81 |
}
|
|
|
425a81 |
jas_free(tile);
|
|
|
425a81 |
+ /* tile = NULL; */
|
|
|
425a81 |
}
|
|
|
425a81 |
|
|
|
425a81 |
+/* Note: This constructor creates the object in place. */
|
|
|
425a81 |
static jpc_enc_tcmpt_t *tcmpt_create(jpc_enc_tcmpt_t *tcmpt, jpc_enc_cp_t *cp,
|
|
|
425a81 |
jas_image_t *image, jpc_enc_tile_t *tile)
|
|
|
425a81 |
{
|
|
|
425a81 |
@@ -2132,6 +2140,10 @@ error:
|
|
|
425a81 |
|
|
|
425a81 |
}
|
|
|
425a81 |
|
|
|
425a81 |
+/* Note: Since jpc_enc_tcmpt_t objects are created in-place, they might
|
|
|
425a81 |
+potentially be destroyed multiple times at different levels in the call
|
|
|
425a81 |
+chain. So, destroyed subobjects must be marked as destroyed to prevent
|
|
|
425a81 |
+problems such as double frees. */
|
|
|
425a81 |
static void tcmpt_destroy(jpc_enc_tcmpt_t *tcmpt)
|
|
|
425a81 |
{
|
|
|
425a81 |
jpc_enc_rlvl_t *rlvl;
|
|
|
425a81 |
@@ -2143,16 +2155,20 @@ static void tcmpt_destroy(jpc_enc_tcmpt_
|
|
|
425a81 |
rlvl_destroy(rlvl);
|
|
|
425a81 |
}
|
|
|
425a81 |
jas_free(tcmpt->rlvls);
|
|
|
425a81 |
+ tcmpt->rlvls = NULL;
|
|
|
425a81 |
}
|
|
|
425a81 |
|
|
|
425a81 |
if (tcmpt->data) {
|
|
|
425a81 |
jas_seq2d_destroy(tcmpt->data);
|
|
|
425a81 |
+ tcmpt->data = NULL;
|
|
|
425a81 |
}
|
|
|
425a81 |
if (tcmpt->tsfb) {
|
|
|
425a81 |
jpc_tsfb_destroy(tcmpt->tsfb);
|
|
|
425a81 |
+ tcmpt->tsfb = NULL;
|
|
|
425a81 |
}
|
|
|
425a81 |
}
|
|
|
425a81 |
|
|
|
425a81 |
+/* Note: This constructor creates the object in place. */
|
|
|
425a81 |
static jpc_enc_rlvl_t *rlvl_create(jpc_enc_rlvl_t *rlvl, jpc_enc_cp_t *cp,
|
|
|
425a81 |
jpc_enc_tcmpt_t *tcmpt, jpc_tsfb_band_t *bandinfos)
|
|
|
425a81 |
{
|
|
|
425a81 |
@@ -2234,6 +2250,10 @@ error:
|
|
|
425a81 |
return 0;
|
|
|
425a81 |
}
|
|
|
425a81 |
|
|
|
425a81 |
+/* Note: Since jpc_enc_rlvl_t objects are created in-place, they might
|
|
|
425a81 |
+potentially be destroyed multiple times at different levels in the call
|
|
|
425a81 |
+chain. So, destroyed subobjects must be marked as destroyed to prevent
|
|
|
425a81 |
+problems such as double frees. */
|
|
|
425a81 |
static void rlvl_destroy(jpc_enc_rlvl_t *rlvl)
|
|
|
425a81 |
{
|
|
|
425a81 |
jpc_enc_band_t *band;
|
|
|
425a81 |
@@ -2245,9 +2265,11 @@ static void rlvl_destroy(jpc_enc_rlvl_t
|
|
|
425a81 |
band_destroy(band);
|
|
|
425a81 |
}
|
|
|
425a81 |
jas_free(rlvl->bands);
|
|
|
425a81 |
+ rlvl->bands = NULL;
|
|
|
425a81 |
}
|
|
|
425a81 |
}
|
|
|
425a81 |
|
|
|
425a81 |
+/* Note: This constructor creates the object in place. */
|
|
|
425a81 |
static jpc_enc_band_t *band_create(jpc_enc_band_t *band, jpc_enc_cp_t *cp,
|
|
|
425a81 |
jpc_enc_rlvl_t *rlvl, jpc_tsfb_band_t *bandinfos)
|
|
|
425a81 |
{
|
|
|
425a81 |
@@ -2315,6 +2337,10 @@ error:
|
|
|
425a81 |
return 0;
|
|
|
425a81 |
}
|
|
|
425a81 |
|
|
|
425a81 |
+/* Note: Since jpc_enc_band_t objects are created in-place, they might
|
|
|
425a81 |
+potentially be destroyed multiple times at different levels in the call
|
|
|
425a81 |
+chain. So, destroyed subobjects must be marked as destroyed to prevent
|
|
|
425a81 |
+problems such as double frees. */
|
|
|
425a81 |
static void band_destroy(jpc_enc_band_t *band)
|
|
|
425a81 |
{
|
|
|
425a81 |
jpc_enc_prc_t *prc;
|
|
|
425a81 |
@@ -2328,12 +2354,15 @@ static void band_destroy(jpc_enc_band_t
|
|
|
425a81 |
prc_destroy(prc);
|
|
|
425a81 |
}
|
|
|
425a81 |
jas_free(band->prcs);
|
|
|
425a81 |
+ band->prcs = NULL;
|
|
|
425a81 |
}
|
|
|
425a81 |
if (band->data) {
|
|
|
425a81 |
jas_seq2d_destroy(band->data);
|
|
|
425a81 |
+ band->data = NULL;
|
|
|
425a81 |
}
|
|
|
425a81 |
}
|
|
|
425a81 |
|
|
|
425a81 |
+/* Note: This constructor creates the object in place. */
|
|
|
425a81 |
static jpc_enc_prc_t *prc_create(jpc_enc_prc_t *prc, jpc_enc_cp_t *cp, jpc_enc_band_t *band)
|
|
|
425a81 |
{
|
|
|
425a81 |
uint_fast32_t prcno;
|
|
|
425a81 |
@@ -2459,6 +2488,10 @@ error:
|
|
|
425a81 |
return 0;
|
|
|
425a81 |
}
|
|
|
425a81 |
|
|
|
425a81 |
+/* Note: Since jpc_enc_prc_t objects are created in-place, they might
|
|
|
425a81 |
+potentially be destroyed multiple times at different levels in the call
|
|
|
425a81 |
+chain. So, destroyed subobjects must be marked as destroyed to prevent
|
|
|
425a81 |
+problems such as double frees. */
|
|
|
425a81 |
static void prc_destroy(jpc_enc_prc_t *prc)
|
|
|
425a81 |
{
|
|
|
425a81 |
jpc_enc_cblk_t *cblk;
|
|
|
425a81 |
@@ -2470,22 +2503,29 @@ static void prc_destroy(jpc_enc_prc_t *p
|
|
|
425a81 |
cblk_destroy(cblk);
|
|
|
425a81 |
}
|
|
|
425a81 |
jas_free(prc->cblks);
|
|
|
425a81 |
+ prc->cblks = NULL;
|
|
|
425a81 |
}
|
|
|
425a81 |
if (prc->incltree) {
|
|
|
425a81 |
jpc_tagtree_destroy(prc->incltree);
|
|
|
425a81 |
+ prc->incltree = NULL;
|
|
|
425a81 |
}
|
|
|
425a81 |
if (prc->nlibtree) {
|
|
|
425a81 |
jpc_tagtree_destroy(prc->nlibtree);
|
|
|
425a81 |
+ prc->nlibtree = NULL;
|
|
|
425a81 |
}
|
|
|
425a81 |
if (prc->savincltree) {
|
|
|
425a81 |
jpc_tagtree_destroy(prc->savincltree);
|
|
|
425a81 |
+ prc->savincltree = NULL;
|
|
|
425a81 |
}
|
|
|
425a81 |
if (prc->savnlibtree) {
|
|
|
425a81 |
jpc_tagtree_destroy(prc->savnlibtree);
|
|
|
425a81 |
+ prc->savnlibtree = NULL;
|
|
|
425a81 |
}
|
|
|
425a81 |
}
|
|
|
425a81 |
|
|
|
425a81 |
-static jpc_enc_cblk_t *cblk_create(jpc_enc_cblk_t *cblk, jpc_enc_cp_t *cp, jpc_enc_prc_t *prc)
|
|
|
425a81 |
+/* Note: This constructor creates the object in place. */
|
|
|
425a81 |
+static jpc_enc_cblk_t *cblk_create(jpc_enc_cblk_t *cblk, jpc_enc_cp_t *cp,
|
|
|
425a81 |
+ jpc_enc_prc_t *prc)
|
|
|
425a81 |
{
|
|
|
425a81 |
jpc_enc_band_t *band;
|
|
|
425a81 |
uint_fast32_t cblktlx;
|
|
|
425a81 |
@@ -2543,6 +2583,10 @@ error:
|
|
|
425a81 |
return 0;
|
|
|
425a81 |
}
|
|
|
425a81 |
|
|
|
425a81 |
+/* Note: Since jpc_enc_cblk_t objects are created in-place, they might
|
|
|
425a81 |
+potentially be destroyed multiple times at different levels in the call
|
|
|
425a81 |
+chain. So, destroyed subobjects must be marked as destroyed to prevent
|
|
|
425a81 |
+problems such as double frees. */
|
|
|
425a81 |
static void cblk_destroy(jpc_enc_cblk_t *cblk)
|
|
|
425a81 |
{
|
|
|
425a81 |
uint_fast16_t passno;
|
|
|
425a81 |
@@ -2553,18 +2597,23 @@ static void cblk_destroy(jpc_enc_cblk_t
|
|
|
425a81 |
pass_destroy(pass);
|
|
|
425a81 |
}
|
|
|
425a81 |
jas_free(cblk->passes);
|
|
|
425a81 |
+ cblk->passes = NULL;
|
|
|
425a81 |
}
|
|
|
425a81 |
if (cblk->stream) {
|
|
|
425a81 |
jas_stream_close(cblk->stream);
|
|
|
425a81 |
+ cblk->stream = NULL;
|
|
|
425a81 |
}
|
|
|
425a81 |
if (cblk->mqenc) {
|
|
|
425a81 |
jpc_mqenc_destroy(cblk->mqenc);
|
|
|
425a81 |
+ cblk->mqenc = NULL;
|
|
|
425a81 |
}
|
|
|
425a81 |
if (cblk->data) {
|
|
|
425a81 |
jas_seq2d_destroy(cblk->data);
|
|
|
425a81 |
+ cblk->data = NULL;
|
|
|
425a81 |
}
|
|
|
425a81 |
if (cblk->flags) {
|
|
|
425a81 |
jas_seq2d_destroy(cblk->flags);
|
|
|
425a81 |
+ cblk->flags = NULL;
|
|
|
425a81 |
}
|
|
|
425a81 |
}
|
|
|
425a81 |
|