51 lines
1.4 KiB
C
51 lines
1.4 KiB
C
$NetBSD: patch-src_libjasper_base_jas__image.c,v 1.2 2016/05/16 14:03:40 he Exp $
|
|
|
|
CVE-2016-2089 denial of service. Via Debian.
|
|
|
|
Fix CVE-2008-3520, patches from
|
|
https://bugs.gentoo.org/show_bug.cgi?id=222819
|
|
|
|
--- src/libjasper/base/jas_image.c.old 2016-03-31 14:47:00.000000000 +0200
|
|
+++ src/libjasper/base/jas_image.c 2016-03-31 14:47:50.000000000 +0200
|
|
@@ -142,7 +142,7 @@
|
|
image->inmem_ = true;
|
|
|
|
/* Allocate memory for the per-component information. */
|
|
- if (!(image->cmpts_ = jas_malloc(image->maxcmpts_ *
|
|
+ if (!(image->cmpts_ = jas_alloc2(image->maxcmpts_,
|
|
sizeof(jas_image_cmpt_t *)))) {
|
|
jas_image_destroy(image);
|
|
return 0;
|
|
@@ -426,6 +426,10 @@
|
|
return -1;
|
|
}
|
|
|
|
+ if (!data->rows_) {
|
|
+ return -1;
|
|
+ }
|
|
+
|
|
if (jas_matrix_numrows(data) != height || jas_matrix_numcols(data) != width) {
|
|
if (jas_matrix_resize(data, height, width)) {
|
|
return -1;
|
|
@@ -479,6 +483,10 @@
|
|
return -1;
|
|
}
|
|
|
|
+ if (!data->rows_) {
|
|
+ return -1;
|
|
+ }
|
|
+
|
|
if (jas_matrix_numrows(data) != height || jas_matrix_numcols(data) != width) {
|
|
return -1;
|
|
}
|
|
@@ -774,8 +782,7 @@
|
|
jas_image_cmpt_t **newcmpts;
|
|
int cmptno;
|
|
|
|
- newcmpts = (!image->cmpts_) ? jas_malloc(maxcmpts * sizeof(jas_image_cmpt_t *)) :
|
|
- jas_realloc(image->cmpts_, maxcmpts * sizeof(jas_image_cmpt_t *));
|
|
+ newcmpts = jas_realloc2(image->cmpts_, maxcmpts, sizeof(jas_image_cmpt_t *));
|
|
if (!newcmpts) {
|
|
return -1;
|
|
}
|