86 lines
2.7 KiB
C
86 lines
2.7 KiB
C
$NetBSD$
|
|
|
|
Apply fixes from
|
|
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=469786
|
|
and
|
|
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-9029
|
|
|
|
Also add a patch from Debian (bug #413041) to fix some heap corruption
|
|
on malformed image input (CVE-2007-2721),
|
|
|
|
Apply fix for CVE-2014-8157, taken from
|
|
https://bugzilla.redhat.com/show_bug.cgi?id=1179282
|
|
|
|
--- src/libjasper/jpc/jpc_dec.c.orig 2014-12-05 12:10:45.000000000 +0000
|
|
+++ src/libjasper/jpc/jpc_dec.c
|
|
@@ -489,7 +489,7 @@ static int jpc_dec_process_sot(jpc_dec_t
|
|
dec->curtileendoff = 0;
|
|
}
|
|
|
|
- if (JAS_CAST(int, sot->tileno) > dec->numtiles) {
|
|
+ if (JAS_CAST(int, sot->tileno) >= dec->numtiles) {
|
|
jas_eprintf("invalid tile number in SOT marker segment\n");
|
|
return -1;
|
|
}
|
|
@@ -1069,12 +1069,12 @@ static int jpc_dec_tiledecode(jpc_dec_t
|
|
/* Apply an inverse intercomponent transform if necessary. */
|
|
switch (tile->cp->mctid) {
|
|
case JPC_MCT_RCT:
|
|
- assert(dec->numcomps == 3);
|
|
+ assert(dec->numcomps >= 3);
|
|
jpc_irct(tile->tcomps[0].data, tile->tcomps[1].data,
|
|
tile->tcomps[2].data);
|
|
break;
|
|
case JPC_MCT_ICT:
|
|
- assert(dec->numcomps == 3);
|
|
+ assert(dec->numcomps >= 3);
|
|
jpc_iict(tile->tcomps[0].data, tile->tcomps[1].data,
|
|
tile->tcomps[2].data);
|
|
break;
|
|
@@ -1234,6 +1234,7 @@ static int jpc_dec_process_siz(jpc_dec_t
|
|
}
|
|
for (compno = 0, cmpt = dec->cmpts, tcomp = tile->tcomps;
|
|
compno < dec->numcomps; ++compno, ++cmpt, ++tcomp) {
|
|
+ tcomp->numrlvls = 0;
|
|
tcomp->rlvls = 0;
|
|
tcomp->data = 0;
|
|
tcomp->xstart = JPC_CEILDIV(tile->xstart, cmpt->hstep);
|
|
@@ -1280,7 +1281,7 @@ static int jpc_dec_process_coc(jpc_dec_t
|
|
jpc_coc_t *coc = &ms->parms.coc;
|
|
jpc_dec_tile_t *tile;
|
|
|
|
- if (JAS_CAST(int, coc->compno) > dec->numcomps) {
|
|
+ if (JAS_CAST(int, coc->compno) >= dec->numcomps) {
|
|
jas_eprintf("invalid component number in COC marker segment\n");
|
|
return -1;
|
|
}
|
|
@@ -1306,7 +1307,7 @@ static int jpc_dec_process_rgn(jpc_dec_t
|
|
jpc_rgn_t *rgn = &ms->parms.rgn;
|
|
jpc_dec_tile_t *tile;
|
|
|
|
- if (JAS_CAST(int, rgn->compno) > dec->numcomps) {
|
|
+ if (JAS_CAST(int, rgn->compno) >= dec->numcomps) {
|
|
jas_eprintf("invalid component number in RGN marker segment\n");
|
|
return -1;
|
|
}
|
|
@@ -1355,7 +1356,7 @@ static int jpc_dec_process_qcc(jpc_dec_t
|
|
jpc_qcc_t *qcc = &ms->parms.qcc;
|
|
jpc_dec_tile_t *tile;
|
|
|
|
- if (JAS_CAST(int, qcc->compno) > dec->numcomps) {
|
|
+ if (JAS_CAST(int, qcc->compno) >= dec->numcomps) {
|
|
jas_eprintf("invalid component number in QCC marker segment\n");
|
|
return -1;
|
|
}
|
|
@@ -1466,7 +1467,9 @@ static int jpc_dec_process_unk(jpc_dec_t
|
|
dec = 0;
|
|
|
|
jas_eprintf("warning: ignoring unknown marker segment\n");
|
|
- jpc_ms_dump(ms, stderr);
|
|
+ if (jas_getdbglevel() >= 1) {
|
|
+ jpc_ms_dump(ms, stderr);
|
|
+ }
|
|
return 0;
|
|
}
|
|
|