
From a632c6b54bd4ffc3bebab420e00b7e7688aa3846 Mon Sep 17 00:00:00 2001
From: Michael Adams <mdadams@ece.uvic.ca>
Date: Fri, 30 Dec 2016 07:27:48 -0800
Subject: [PATCH] Fixed a problem in the JP2 encoder that caused a null pointer
 dereference when no ICC profile data is available (e.g., in the case of an
 unknown color space). Reference:    
 https://github.com/mdadams/jasper/issues/109
---
 src/libjasper/jp2/jp2_enc.c | 46 +++++++++++++++++++++++++++++++++------------
 1 file changed, 34 insertions(+), 12 deletions(-)
diff --git a/src/libjasper/jp2/jp2_enc.c b/src/libjasper/jp2/jp2_enc.c
index bca3ca6..b979216 100644
--- a/src/libjasper/jp2/jp2_enc.c
+++ b/src/libjasper/jp2/jp2_enc.c
@@ -112,6 +112,8 @@ int jp2_encode(jas_image_t *image, jas_stream_t *out, const char *optstr)
 
 	box = 0;
 	tmpstream = 0;
+	iccstream = 0;
+	iccprof = 0;
 
 	allcmptssame = 1;
 	sgnd = jas_image_cmptsgnd(image, 0);
@@ -225,22 +227,36 @@ int jp2_encode(jas_image_t *image, jas_stream_t *out, const char *optstr)
 		colr->method = JP2_COLR_ICC;
 		colr->pri = JP2_COLR_PRI;
 		colr->approx = 0;
-		iccprof = jas_iccprof_createfromcmprof(jas_image_cmprof(image));
-		assert(iccprof);
-		iccstream = jas_stream_memopen(0, 0);
-		assert(iccstream);
-		if (jas_iccprof_save(iccprof, iccstream))
-			abort();
-		if ((pos = jas_stream_tell(iccstream)) < 0)
-			abort();
+		/* Ensure that cmprof_ is not null. */
+		if (!jas_image_cmprof(image)) {
+			goto error;
+		}
+		if (!(iccprof = jas_iccprof_createfromcmprof(
+		  jas_image_cmprof(image)))) {
+			goto error;
+		}
+		if (!(iccstream = jas_stream_memopen(0, 0))) {
+			goto error;
+		}
+		if (jas_iccprof_save(iccprof, iccstream)) {
+			goto error;
+		}
+		if ((pos = jas_stream_tell(iccstream)) < 0) {
+			goto error;
+		}
 		colr->iccplen = pos;
-		colr->iccp = jas_malloc(pos);
-		assert(colr->iccp);
+		if (!(colr->iccp = jas_malloc(pos))) {
+			goto error;
+		}
 		jas_stream_rewind(iccstream);
-		if (jas_stream_read(iccstream, colr->iccp, colr->iccplen) != colr->iccplen)
-			abort();
+		if (jas_stream_read(iccstream, colr->iccp, colr->iccplen) !=
+		  colr->iccplen) {
+			goto error;
+		}
 		jas_stream_close(iccstream);
+		iccstream = 0;
 		jas_iccprof_destroy(iccprof);
+		iccprof = 0;
 		break;
 	}
 	if (jp2_box_put(box, tmpstream)) {
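Review bot: The length check before `jas_malloc(pos)` rejects only a negative stream offset, so an empty serialized profile (pos == 0) reaches `jas_malloc(0)` and, if that returns non-null, the encoder emits a colr box whose ICC payload has `iccplen == 0`; `if ((pos = jas_stream_tell(iccstream)) <= 0) {` would treat that as the error it presumably is. `colr->iccplen = pos;` also converts from jas_stream_tell's return type to whatever iccplen is declared as with no range check, and that value is then used as both the read length and the box length; the declarations are not in this hunk, so confirm the two types agree in width and signedness. The two resets `iccstream = 0;` and `iccprof = 0;` after the close/destroy calls are what keep the error label from freeing twice, which deserves a comment such as `/* Released; null them so the error path does not free again. */`. jp2_encode starts and ends outside this hunk.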
@@ -354,6 +370,12 @@ int jp2_encode(jas_image_t *image, jas_stream_t *out, const char *optstr)
 
 error:
 
+	if (iccprof) {
+		jas_iccprof_destroy(iccprof);
+	}
+	if (iccstream) {
+		jas_stream_close(iccstream);
+	}
 	if (box) {
 		jp2_box_destroy(box);
 	}
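Review bot: The cleanup frees iccprof and iccstream but not `colr->iccp`, which the second hunk allocates before the `jas_stream_read` length check can still fail; unless `jp2_box_destroy(box)` releases the colr box's iccp buffer, that failure path leaks it. The box destroy callbacks are not visible here, so rather than change code I would pin the assumption in place with `/* colr->iccp, if allocated, is released by jp2_box_destroy() below. */` above the `if (box)` check, and verify it against jp2_colr_destroy. The error label's remaining cleanup continues past the end of this hunk.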