File jasper-CVE-2016-9398-upstream.patch of Package jasper.18194

Index: jasper-1.900.14/src/libjasper/jpc/jpc_t2dec.c
===================================================================
--- jasper-1.900.14.orig/src/libjasper/jpc/jpc_t2dec.c
+++ jasper-1.900.14/src/libjasper/jpc/jpc_t2dec.c
@@ -292,6 +292,20 @@ hdroffstart = jas_stream_getrwcount(pkth
 				savenumnewpasses = numnewpasses;
 				mycounter = 0;
 				if (numnewpasses > 0) {
+					if (cblk->firstpassno > 10000) {
+						/* workaround for
+						   CVE-2016-9398: this
+						   large value would
+						   make
+						   JPC_SEGPASSCNT()
+						   return a negative
+						   value, causing an
+						   assertion failure
+						   in
+						   jpc_floorlog2() */
+						jpc_bitstream_close(inb);
+						return -1;
+					}
 					if ((m = jpc_getcommacode(inb)) < 0) {
 						jpc_bitstream_close(inb);
 						return -1;
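Review bot: The pass-count bound 10000 is now written three times with nothing tying them together — the new `if (cblk->firstpassno > 10000)` guard here, the `if (passno >= 10000)` guard in the second hunk, and the limit argument already passed to JPC_SEGPASSCNT() at the end of that hunk — so a later change to one of them would silently desynchronise the others. A file-scope `enum { JPC_DEC_MAXPASSES = 10000 };` (name is a suggestion) used in all three places would make the intent explicit and keep the guards and the macro argument in step. The two guards also use different comparisons (`>` here, `>=` in the second hunk); this looks intentional, since a firstpassno of exactly 10000 is caught by the second guard once passno is computed, but a one-line comment saying so would spare the next reader the same reasoning. The one-word-per-line comments in both hunks would read better reflowed, e.g. `/* CVE-2016-9398: a firstpassno this large makes JPC_SEGPASSCNT() negative and trips the assertion in jpc_floorlog2(); reject the stream. */`. The enclosing function begins and ends outside both hunks.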
@@ -300,11 +314,19 @@ hdroffstart = jas_stream_getrwcount(pkth
 					JAS_DBGLOG(10, ("increment=%d ", m));
 					while (numnewpasses > 0) {
 						passno = cblk->firstpassno + cblk->numpasses + mycounter;
+						if (passno >= 10000) {
+							/* with this value,
+							   JPC_SEGPASSCNT()
+							   would return 0,
+							   which is an illegal
+							   value and would
+							   later crash in
+							   jpc_floorlog2() */
+							jpc_bitstream_close(inb);
+							return -1;
+						}
 	/* XXX - the maxpasses is not set precisely but this doesn't matter... */
 						maxpasses = JPC_SEGPASSCNT(passno, cblk->firstpassno, 10000, (ccp->cblkctx & JPC_COX_LAZY) != 0, (ccp->cblkctx & JPC_COX_TERMALL) != 0);
-						// Avoid maxpasses to be negative
-						if (maxpasses < 0)
-							maxpasses = -maxpasses;
 						if (!discard && !seg) {
 							if (!(seg = jpc_seg_alloc())) {
 								jpc_bitstream_close(inb);