Backport of the upstream commit: From 2e82fa00466ae525339754bb3ab0a0474a31d4bd Mon Sep 17 00:00:00 2001 From: Michael Adams Date: Wed, 19 Oct 2016 17:57:40 -0700 Subject: [PATCH] Fixed an integral type promotion problem by adding a JAS_CAST. Modified the jpc_tsfb_synthesize function so that it will be a noop for an empty sequence (in order to avoid dereferencing a null pointer).
diff -pruN jasper-1.900.1.orig/src/libjasper/include/jasper/jas_math.h jasper-1.900.1/src/libjasper/include/jasper/jas_math.h
--- jasper-1.900.1.orig/src/libjasper/include/jasper/jas_math.h 2017-03-31 14:08:18.000000000 +0200
+++ jasper-1.900.1/src/libjasper/include/jasper/jas_math.h 2017-03-31 14:09:06.000000000 +0200
@@ -115,6 +115,24 @@ extern "C" {
 ((1 << (n)) - 1)
 /******************************************************************************\
+*
+\******************************************************************************/
+
+__attribute__((no_sanitize("undefined")))
+inline static jas_int_asr(int x, int n)
+{
+ assert(n >= 0);
+ return x >> n;
+}
+
+__attribute__((no_sanitize("undefined")))
+inline static jas_int_asl(int x, int n)
+{
+ assert(n >= 0);
+ return x << n;
+}
+
+/******************************************************************************\
 * Safe integer arithmetic (i.e., with overflow checking).
 \******************************************************************************/
diff -pruN jasper-1.900.1.orig/src/libjasper/include/jasper/jas_seq.h jasper-1.900.1/src/libjasper/include/jasper/jas_seq.h
--- jasper-1.900.1.orig/src/libjasper/include/jasper/jas_seq.h 2007-01-19 22:43:04.000000000 +0100
+++ jasper-1.900.1/src/libjasper/include/jasper/jas_seq.h 2017-03-31 14:09:06.000000000 +0200
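Review bot: In the jas_math.h hunk, `jas_int_asr` and `jas_int_asl` are declared without a return type (`inline static jas_int_asr(int x, int n)`), which relies on implicit int and is rejected by C99-and-later compilers and by C++ (the hunk header suggests the code sits inside `extern "C" {`); spell them `static inline int jas_int_asr(int x, int n)` and `static inline int jas_int_asl(int x, int n)`. The `assert(n >= 0)` checks only the lower bound and disappears under NDEBUG, so a shift count at or above the width of int, or a left shift of a negative `x`, is still undefined behaviour, and `no_sanitize("undefined")` only keeps UBSan from reporting it. Because the operands can presumably derive from a decoded image, a runtime range check on `n` would be safer than suppressing the sanitizer, and the empty banner comment above the helpers should say why the suppression is needed. Whether this header includes `<assert.h>` is not visible in the hunk.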
@@ -154,6 +154,9 @@ typedef jas_matrix_t jas_seq_t; #define jas_matrix_numcols(matrix) \ ((matrix)->numcols_) +#define jas_matrix_size(matrix) \ + (jas_matrix_width(matrix) * jas_matrix_height(matrix)) + /* Get a matrix element. */ #define jas_matrix_get(matrix, i, j) \ ((matrix)->rows_[i][j]) @@ -269,6 +272,8 @@ jas_matrix_t *jas_seq2d_create(int xstar ((s)->xstart_ = (x), (s)->ystart_ = (y), \ (s)->xend_ = (s)->xstart_ + (s)->numcols_, \ (s)->yend_ = (s)->ystart_ + (s)->numrows_) +#define jas_seq2d_size(s) \ + (jas_seq2d_width(s) * jas_seq2d_height(s)) void jas_seq2d_bindsub(jas_matrix_t *s, jas_matrix_t *s1, int xstart, int ystart, int xend, int yend); diff -pruN jasper-1.900.1.orig/src/libjasper/jpc/jpc_dec.c jasper-1.900.1/src/libjasper/jpc/jpc_dec.c --- jasper-1.900.1.orig/src/libjasper/jpc/jpc_dec.c 2017-03-31 14:08:18.000000000 +0200 +++ jasper-1.900.1/src/libjasper/jpc/jpc_dec.c 2017-03-31 14:09:06.000000000 +0200 @@ -1805,6 +1805,13 @@ static void jpc_undo_roi(jas_matrix_t *x bool warn; uint_fast32_t mask; + if (roishift < 0) { + /* We could instead return an error here. */ + /* I do not think it matters much. */ + jas_eprintf("warning: forcing negative ROI shift to zero " + "(bitstream is probably corrupt)\n"); + roishift = 0; + } if (roishift == 0 && bgshift == 0) { return; } @@ -1823,7 +1830,7 @@ static void jpc_undo_roi(jas_matrix_t *x } else { /* We are dealing with non-ROI (i.e., background) data. */ mag <<= bgshift; - mask = (1 << numbps) - 1; + mask = (JAS_CAST(uint_fast32_t, 1) << numbps) - 1; /* Perform a basic sanity check on the sample value. */ /* Some implementations write garbage in the unused most-significant bit planes introduced by ROI shifting. diff -pruN jasper-1.900.1.orig/src/libjasper/jpc/jpc_tsfb.c jasper-1.900.1/src/libjasper/jpc/jpc_tsfb.c --- jasper-1.900.1.orig/src/libjasper/jpc/jpc_tsfb.c 2007-01-19 22:43:07.000000000 +0100 +++ jasper-1.900.1/src/libjasper/jpc/jpc_tsfb.c 2017-03-31 14:09:06.000000000 +0200 
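Review bot: `jas_matrix_size` in the @@ -154 hunk of jas_seq.h expands to `jas_matrix_width(matrix)` and `jas_matrix_height(matrix)`, while the accessor visible in the surrounding context is named `jas_matrix_numcols`, so please confirm that width/height macros for matrices exist in this 1.900.1 tree. If they do not, the first use of the macro will fail to compile, and `(jas_matrix_numrows(matrix) * jas_matrix_numcols(matrix))` would be the safe spelling. This macro and `jas_seq2d_size` in the @@ -269 hunk both multiply two int dimensions, so the product can overflow for large sizes; a comment such as `/* Number of elements; the int product may overflow for very large dimensions. */` above each would document that limit.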
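Review bot: The new guard at the top of `jpc_undo_roi` (jpc_dec.c, @@ -1805) covers only a negative `roishift`; `bgshift` is still used unchecked in `mag <<= bgshift`, and `numbps` in `(JAS_CAST(uint_fast32_t, 1) << numbps)` in the @@ -1823 hunk. A negative count, or one at or above the operand width, therefore remains undefined behaviour on a corrupt codestream even with the cast to `uint_fast32_t`. Consider validating all shift counts in one place next to the new check, with an upper bound that matches the sample type, which is not visible in these hunks. The function body starts before the first hunk and continues past the second.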
@@ -148,7 +148,8 @@ int jpc_tsfb_analyze2(jpc_tsfb_t *tsfb, int jpc_tsfb_synthesize(jpc_tsfb_t *tsfb, jas_seq2d_t *a) { - return (tsfb->numlvls > 0) ? jpc_tsfb_synthesize2(tsfb, + return (tsfb->numlvls > 0 && jas_seq2d_size(a)) ? + jpc_tsfb_synthesize2(tsfb, jas_seq2d_getref(a, jas_seq2d_xstart(a), jas_seq2d_ystart(a)), jas_seq2d_xstart(a), jas_seq2d_ystart(a), jas_seq2d_width(a), jas_seq2d_height(a), jas_seq2d_rowstep(a), tsfb->numlvls - 1) : 0;
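Review bot: The emptiness test added to `jpc_tsfb_synthesize` uses the int product `jas_seq2d_size(a)` as a truth value, so for large dimensions (which presumably come from the decoded image) the multiplication can overflow and the result no longer says whether the sequence is empty. Testing the dimensions directly avoids the multiplication: `return (tsfb->numlvls > 0 && jas_seq2d_width(a) > 0 && jas_seq2d_height(a) > 0) ?`. A short comment such as `/* An empty sequence has no data to reference, so synthesis is a no-op. */` would record why the check is there. The closing brace of the function lies outside the hunk.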