File jasper-CVE-2016-9262.patch of Package jasper.18194

diff -urEbwB jasper-1.900.14/src/libjasper/base/jas_image.c jasper-1.900.14.new/src/libjasper/base/jas_image.c
--- jasper-1.900.14/src/libjasper/base/jas_image.c	2017-07-11 12:01:22.628016305 +0200
+++ jasper-1.900.14.new/src/libjasper/base/jas_image.c	2017-07-11 12:38:10.115887712 +0200
@@ -78,6 +78,7 @@
 #include <ctype.h>
 #include <inttypes.h>
 #include <stdbool.h>
+#include <limits.h>
 
 #include "jasper/jas_math.h"
 #include "jasper/jas_image.h"
@@ -333,8 +334,8 @@
 	// Compute the number of samples in the image component, while protecting
 	// against overflow.
 	// size = cmpt->width_ * cmpt->height_ * cmpt->cps_;
-	if (!jas_safe_size_mul(cmpt->width_, cmpt->height_, &size) ||
-	  !jas_safe_size_mul(size, cmpt->cps_, &size)) {
+	if (!jas_safe_size_mul3(cmpt->width_, cmpt->height_, cmpt->cps_, &size) ||
+		size > INT_MAX) {
 		goto error;
 	}
 	cmpt->stream_ = (inmem) ? jas_stream_memopen(0, size) :
diff -urEbwB jasper-1.900.14/src/libjasper/include/jasper/jas_math.h jasper-1.900.14.new/src/libjasper/include/jasper/jas_math.h
--- jasper-1.900.14/src/libjasper/include/jasper/jas_math.h	2017-07-11 12:01:22.616016305 +0200
+++ jasper-1.900.14.new/src/libjasper/include/jasper/jas_math.h	2017-07-11 12:42:52.798047647 +0200
@@ -181,7 +181,23 @@
 		/* Overflow would occur. */
 		return false;
 	}
+	if (result) {
 	*result = x * y;
+	}
+	return true;
+}
+
+inline static bool jas_safe_size_mul3(size_t a, size_t b, size_t c,
+  size_t *result)
+{
+	size_t tmp;
+	if (!jas_safe_size_mul(a, b, &tmp) ||
+	  !jas_safe_size_mul(tmp, c, &tmp)) {
+		return false;
+	}
+	if (result) {
+		*result = tmp;
+	}
 	return true;
 }
 
@@ -191,7 +207,9 @@
 	if (y > SIZE_MAX - x) {
 		return false;
 	}
+	if (result) {
 	*result = x + y;
+	}
 	return true;
 }
 
@@ -201,7 +219,9 @@
 	if (y > x) {
 		return false;
 	}
+	if (result) {
 	*result = x - y;
+	}
 	return true;
 }
openSUSE Build Service is sponsored by