From a632c6b54bd4ffc3bebab420e00b7e7688aa3846 Mon Sep 17 00:00:00 2001
From: Michael Adams <mdadams@ece.uvic.ca>
Date: Fri, 30 Dec 2016 07:27:48 -0800
Subject: [PATCH] Fixed a problem in the JP2 encoder that caused a null pointer
 dereference when no ICC profile data is available (e.g., in the case of an
 unknown color space). Reference:    
 https://github.com/mdadams/jasper/issues/109

---
 src/libjasper/jp2/jp2_enc.c | 46 +++++++++++++++++++++++++++++++++------------
 1 file changed, 34 insertions(+), 12 deletions(-)

diff --git a/src/libjasper/jp2/jp2_enc.c b/src/libjasper/jp2/jp2_enc.c
index bca3ca6..b979216 100644
--- a/src/libjasper/jp2/jp2_enc.c
+++ b/src/libjasper/jp2/jp2_enc.c
@@ -112,6 +112,8 @@ int jp2_encode(jas_image_t *image, jas_stream_t *out, const char *optstr)
 
 	box = 0;
 	tmpstream = 0;
+	iccstream = 0;
+	iccprof = 0;
 
 	allcmptssame = 1;
 	sgnd = jas_image_cmptsgnd(image, 0);
@@ -225,22 +227,36 @@ int jp2_encode(jas_image_t *image, jas_stream_t *out, const char *optstr)
 		colr->method = JP2_COLR_ICC;
 		colr->pri = JP2_COLR_PRI;
 		colr->approx = 0;
-		iccprof = jas_iccprof_createfromcmprof(jas_image_cmprof(image));
-		assert(iccprof);
-		iccstream = jas_stream_memopen(0, 0);
-		assert(iccstream);
-		if (jas_iccprof_save(iccprof, iccstream))
-			abort();
-		if ((pos = jas_stream_tell(iccstream)) < 0)
-			abort();
+		/* Ensure that cmprof_ is not null. */
+		if (!jas_image_cmprof(image)) {
+			goto error;
+		}
+		if (!(iccprof = jas_iccprof_createfromcmprof(
+		  jas_image_cmprof(image)))) {
+			goto error;
+		}
+		if (!(iccstream = jas_stream_memopen(0, 0))) {
+			goto error;
+		}
+		if (jas_iccprof_save(iccprof, iccstream)) {
+			goto error;
+		}
+		if ((pos = jas_stream_tell(iccstream)) < 0) {
+			goto error;
+		}
 		colr->iccplen = pos;
-		colr->iccp = jas_malloc(pos);
-		assert(colr->iccp);
+		if (!(colr->iccp = jas_malloc(pos))) {
+			goto error;
+		}
 		jas_stream_rewind(iccstream);
-		if (jas_stream_read(iccstream, colr->iccp, colr->iccplen) != colr->iccplen)
-			abort();
+		if (jas_stream_read(iccstream, colr->iccp, colr->iccplen) !=
+		  colr->iccplen) {
+			goto error;
+		}
 		jas_stream_close(iccstream);
+		iccstream = 0;
 		jas_iccprof_destroy(iccprof);
+		iccprof = 0;
 		break;
 	}
 	if (jp2_box_put(box, tmpstream)) {
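Review bot: `pos` is only checked for being negative before it becomes both `colr->iccplen` and the `jas_malloc` size, so an oversized or empty profile is not rejected in this block. The declarations sit outside the hunk (the body of `jp2_encode` starts and ends elsewhere), but if `pos` is a `long`, `iccplen` an unsigned field and `jas_stream_read` takes an `int` count, a large value could be truncated or change sign between the allocation and the read, and the `!=` comparison would mix signed and unsigned operands. I would bound it once up front, e.g. `if ((pos = jas_stream_tell(iccstream)) <= 0 || pos > INT_MAX) { goto error; }` (with `<limits.h>` in scope), which also avoids a zero-byte `jas_malloc` whose null return would look like out-of-memory. As a smaller point, `jas_image_cmprof(image)` is evaluated twice; keeping the result in a local would make the null check and the call to `jas_iccprof_createfromcmprof` visibly use the same pointer.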
@@ -354,6 +370,12 @@ int jp2_encode(jas_image_t *image, jas_stream_t *out, const char *optstr)
 
 error:
 
+	if (iccprof) {
+		jas_iccprof_destroy(iccprof);
+	}
+	if (iccstream) {
+		jas_stream_close(iccstream);
+	}
 	if (box) {
 		jp2_box_destroy(box);
 	}