
From a632c6b54bd4ffc3bebab420e00b7e7688aa3846 Mon Sep 17 00:00:00 2001
From: Michael Adams <mdadams@ece.uvic.ca>
Date: Fri, 30 Dec 2016 07:27:48 -0800
Subject: [PATCH] Fixed a problem in the JP2 encoder that caused a null pointer
 dereference when no ICC profile data is available (e.g., in the case of an
 unknown color space). Reference:    
 https://github.com/mdadams/jasper/issues/109
---
 src/libjasper/jp2/jp2_enc.c | 46 +++++++++++++++++++++++++++++++++------------
 1 file changed, 34 insertions(+), 12 deletions(-)
diff --git a/src/libjasper/jp2/jp2_enc.c b/src/libjasper/jp2/jp2_enc.c
94b862
index bca3ca6..b979216 100644
94b862
--- a/src/libjasper/jp2/jp2_enc.c
94b862
+++ b/src/libjasper/jp2/jp2_enc.c
94b862
@@ -112,6 +112,8 @@ int jp2_encode(jas_image_t *image, jas_stream_t *out, const char *optstr)
94b862
 
94b862
 	box = 0;
94b862
 	tmpstream = 0;
94b862
+	iccstream = 0;
94b862
+	iccprof = 0;
94b862
 
94b862
 	allcmptssame = 1;
94b862
 	sgnd = jas_image_cmptsgnd(image, 0);
94b862
@@ -225,22 +227,36 @@ int jp2_encode(jas_image_t *image, jas_stream_t *out, const char *optstr)
94b862
 		colr->method = JP2_COLR_ICC;
94b862
 		colr->pri = JP2_COLR_PRI;
94b862
 		colr->approx = 0;
94b862
-		iccprof = jas_iccprof_createfromcmprof(jas_image_cmprof(image));
94b862
-		assert(iccprof);
94b862
-		iccstream = jas_stream_memopen(0, 0);
94b862
-		assert(iccstream);
94b862
-		if (jas_iccprof_save(iccprof, iccstream))
94b862
-			abort();
94b862
-		if ((pos = jas_stream_tell(iccstream)) < 0)
94b862
-			abort();
94b862
+		/* Ensure that cmprof_ is not null. */
94b862
+		if (!jas_image_cmprof(image)) {
94b862
+			goto error;
94b862
+		}
94b862
+		if (!(iccprof = jas_iccprof_createfromcmprof(
94b862
+		  jas_image_cmprof(image)))) {
94b862
+			goto error;
94b862
+		}
94b862
+		if (!(iccstream = jas_stream_memopen(0, 0))) {
94b862
+			goto error;
94b862
+		}
94b862
+		if (jas_iccprof_save(iccprof, iccstream)) {
94b862
+			goto error;
94b862
+		}
94b862
+		if ((pos = jas_stream_tell(iccstream)) < 0) {
94b862
+			goto error;
94b862
+		}
94b862
 		colr->iccplen = pos;
94b862
-		colr->iccp = jas_malloc(pos);
94b862
-		assert(colr->iccp);
94b862
+		if (!(colr->iccp = jas_malloc(pos))) {
94b862
+			goto error;
94b862
+		}
94b862
 		jas_stream_rewind(iccstream);
94b862
-		if (jas_stream_read(iccstream, colr->iccp, colr->iccplen) != colr->iccplen)
94b862
-			abort();
94b862
+		if (jas_stream_read(iccstream, colr->iccp, colr->iccplen) !=
94b862
+		  colr->iccplen) {
94b862
+			goto error;
94b862
+		}
94b862
 		jas_stream_close(iccstream);
94b862
+		iccstream = 0;
94b862
 		jas_iccprof_destroy(iccprof);
94b862
+		iccprof = 0;
94b862
 		break;
94b862
 	}
94b862
 	if (jp2_box_put(box, tmpstream)) {
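Review bot: `jas_image_cmprof(image)` is evaluated twice in the new ICC branch, once in the added null check and again as the argument to `jas_iccprof_createfromcmprof`, so the value that is checked is not literally the value that is used; caching it in a local keeps check and use on the same pointer: `jas_cmprof_t *cmprof = jas_image_cmprof(image); if (!cmprof) { goto error; } if (!(iccprof = jas_iccprof_createfromcmprof(cmprof))) { goto error; }`. Replacing the earlier `assert()`/`abort()` calls with `goto error` means an image whose colour space cannot be turned into an ICC profile (the unknown-colour-space case named in the subject) now makes the encode fail instead of dereferencing a null profile or aborting the process, which is the right outcome for untrusted input; note that `assert()` gave no protection at all in NDEBUG builds. `jp2_encode` starts before this hunk and continues after it.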
94b862
@@ -354,6 +370,12 @@ int jp2_encode(jas_image_t *image, jas_stream_t *out, const char *optstr)
94b862
 
94b862
 error:
94b862
 
94b862
+	if (iccprof) {
94b862
+		jas_iccprof_destroy(iccprof);
94b862
+	}
94b862
+	if (iccstream) {
94b862
+		jas_stream_close(iccstream);
94b862
+	}
94b862
 	if (box) {
94b862
 		jp2_box_destroy(box);
94b862
 	}
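Review bot: On the read-length-mismatch path in the previous hunk, `colr->iccp` has already been allocated with `jas_malloc` before the `goto error`, and nothing added under the `error:` label releases it; whether it is freed depends on `jp2_box_destroy` releasing the colr box's iccp buffer, which this patch does not show — confirm, or free and null `colr->iccp` before that goto. The added cleanup is otherwise sound: it relies on `iccprof` and `iccstream` being initialised to 0 at the top of the function (first hunk) and re-zeroed right after the success-path close/destroy, so reaching `error:` from either path cannot double-free them. The cleanup under `error:` continues past the end of this hunk.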