File jasper-CVE-2016-9583.patch of Package jasper.18194

--- jasper-1.900.14/src/libjasper/include/jasper/jas_types.h	2017-03-22 10:14:30.098037013 +0100
+++ jasper-1.900.14/src/libjasper/include/jasper/jas_types.h	2017-03-22 10:15:11.619685037 +0100
@@ -128,6 +128,10 @@
 #define	JAS_CAST(t, e) \
 	((t) (e))
 
+/* The number of bits in the integeral type uint_fast32_t. */
+/* NOTE: This could underestimate the size on some exotic architectures. */
+#define JAS_UINTFAST32_NUMBITS (8 * sizeof(uint_fast32_t))
+
 #ifdef __cplusplus
 extern "C" {
 #endif
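Review bot: `JAS_UINTFAST32_NUMBITS` hard-codes 8 bits per byte and evaluates to a `size_t`, and the comment states neither fact even though the guards in jpc_t2cod.c depend on both. Writing it as `(CHAR_BIT * sizeof(uint_fast32_t))` would remove the assumption the NOTE line apologises for, provided `<limits.h>` is reachable from this header (not visible here). Because the macro is unsigned, every `... > JAS_UINTFAST32_NUMBITS - 2` comparison is done in an unsigned type, so a negative exponent sum would be converted rather than compared as signed. That probably still rejects the value, but it is worth one line in the comment. The comment also misspells "integral" as "integeral".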
--- jasper-1.900.14/src/libjasper/jpc/jpc_t2cod.c	2017-03-22 10:14:30.102037013 +0100
+++ jasper-1.900.14/src/libjasper/jpc/jpc_t2cod.c	2017-03-22 10:15:11.619685037 +0100
@@ -200,7 +200,8 @@
 		  JAS_CAST(int, pchg->lyrnoend); ++pi->lyrno) {
 			for (pi->compno = pchg->compnostart, pi->picomp =
 			  &pi->picomps[pi->compno]; pi->compno < pi->numcomps &&
-			  pi->compno < JAS_CAST(int, pchg->compnoend); ++pi->compno, ++pi->picomp) {
+			  pi->compno < JAS_CAST(int, pchg->compnoend); ++pi->compno,
+			  ++pi->picomp) {
 				if (pi->rlvlno >= pi->picomp->numrlvls) {
 					continue;
 				}
@@ -249,10 +250,17 @@
 		  ++compno, ++picomp) {
 			for (rlvlno = 0, pirlvl = picomp->pirlvls; rlvlno <
 			  picomp->numrlvls; ++rlvlno, ++pirlvl) {
-				xstep = picomp->hsamp * (1 << (pirlvl->prcwidthexpn +
-				  picomp->numrlvls - rlvlno - 1));
-				ystep = picomp->vsamp * (1 << (pirlvl->prcheightexpn +
-				  picomp->numrlvls - rlvlno - 1));
+				// Check for the potential for overflow problems.
+				if (pirlvl->prcwidthexpn + pi->picomp->numrlvls >
+				  JAS_UINTFAST32_NUMBITS - 2 ||
+				  pirlvl->prcheightexpn + pi->picomp->numrlvls >
+				  JAS_UINTFAST32_NUMBITS - 2) {
+					return -1;
+				}
+				xstep = picomp->hsamp * (JAS_CAST(uint_fast32_t, 1) <<
+				  (pirlvl->prcwidthexpn + picomp->numrlvls - rlvlno - 1));
+				ystep = picomp->vsamp * (JAS_CAST(uint_fast32_t, 1) <<
+				  (pirlvl->prcheightexpn + picomp->numrlvls - rlvlno - 1));
 				pi->xstep = (!pi->xstep) ? xstep : JAS_MIN(pi->xstep, xstep);
 				pi->ystep = (!pi->ystep) ? ystep : JAS_MIN(pi->ystep, ystep);
 			}
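Review bot: The new guard reads `pi->picomp->numrlvls`, but this loop walks the local `picomp`, and the shifts directly below use `picomp->numrlvls`. The check therefore validates whichever component `pi->picomp` happens to point at, not the one whose exponent is about to be used as a shift count. `pi->picomp` may not even be assigned yet at this point (its initialisation is outside the hunk). The equivalent guard in the hunk at -341 uses `picomp->numrlvls`; the two conditions here should read `pirlvl->prcwidthexpn + picomp->numrlvls >` and `pirlvl->prcheightexpn + picomp->numrlvls >`. The enclosing function starts and ends outside the hunk.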
@@ -282,21 +290,24 @@
 					rpy = r + pi->pirlvl->prcheightexpn;
 					trx0 = JPC_CEILDIV(pi->xstart, pi->picomp->hsamp << r);
 					try0 = JPC_CEILDIV(pi->ystart, pi->picomp->vsamp << r);
-					if (((pi->x == pi->xstart && ((trx0 << r) % (1 << rpx)))
-					  || !(pi->x % (1 << rpx))) &&
-					  ((pi->y == pi->ystart && ((try0 << r) % (1 << rpy)))
-					  || !(pi->y % (1 << rpy)))) {
-						prchind = JPC_FLOORDIVPOW2(JPC_CEILDIV(pi->x, pi->picomp->hsamp
-						  << r), pi->pirlvl->prcwidthexpn) - JPC_FLOORDIVPOW2(trx0,
-						  pi->pirlvl->prcwidthexpn);
-						prcvind = JPC_FLOORDIVPOW2(JPC_CEILDIV(pi->y, pi->picomp->vsamp
-						  << r), pi->pirlvl->prcheightexpn) - JPC_FLOORDIVPOW2(try0,
-						  pi->pirlvl->prcheightexpn);
+					if (((pi->x == pi->xstart &&
+					  ((trx0 << r) % (JAS_CAST(uint_fast32_t, 1) << rpx)))
+					  || !(pi->x % (JAS_CAST(uint_fast32_t, 1) << rpx))) &&
+					  ((pi->y == pi->ystart &&
+					  ((try0 << r) % (JAS_CAST(uint_fast32_t, 1) << rpy)))
+					  || !(pi->y % (JAS_CAST(uint_fast32_t, 1) << rpy)))) {
+						prchind = JPC_FLOORDIVPOW2(JPC_CEILDIV(pi->x,
+						  pi->picomp->hsamp << r), pi->pirlvl->prcwidthexpn) -
+						  JPC_FLOORDIVPOW2(trx0, pi->pirlvl->prcwidthexpn);
+						prcvind = JPC_FLOORDIVPOW2(JPC_CEILDIV(pi->y,
+						  pi->picomp->vsamp << r), pi->pirlvl->prcheightexpn) -
+						  JPC_FLOORDIVPOW2(try0, pi->pirlvl->prcheightexpn);
 						pi->prcno = prcvind * pi->pirlvl->numhprcs + prchind;
 
 						assert(pi->prcno < pi->pirlvl->numprcs);
 						for (pi->lyrno = 0; pi->lyrno <
-						  pi->numlyrs && pi->lyrno < JAS_CAST(int, pchg->lyrnoend); ++pi->lyrno) {
+						  pi->numlyrs && pi->lyrno < JAS_CAST(int,
+						  pchg->lyrnoend); ++pi->lyrno) {
 							prclyrno = &pi->pirlvl->prclyrnos[pi->prcno];
 							if (pi->lyrno >= *prclyrno) {
 								++(*prclyrno);
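Review bot: `assert(pi->prcno < pi->pirlvl->numprcs)` is still the only bound on the index used in `pi->pirlvl->prclyrnos[pi->prcno]` a few lines later. In a build with `NDEBUG` the check disappears and a precinct index computed from codestream-derived fields is used unchecked. With asserts enabled, a malformed file aborts the process instead of failing the decode. The guards added elsewhere in this patch already fail with `return -1`, so the same path appears to fit here: `if (pi->prcno >= pi->pirlvl->numprcs) { return -1; }`. The hunks at -377 and -461 have the same assert before the same indexing; the loop body continues outside this hunk.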
@@ -341,16 +352,19 @@
 		  ++compno, ++picomp) {
 			for (rlvlno = 0, pirlvl = picomp->pirlvls; rlvlno <
 			  picomp->numrlvls; ++rlvlno, ++pirlvl) {
-				xstep = picomp->hsamp * (1 <<
-				  (pirlvl->prcwidthexpn + picomp->numrlvls -
-				  rlvlno - 1));
-				ystep = picomp->vsamp * (1 <<
-				  (pirlvl->prcheightexpn + picomp->numrlvls -
-				  rlvlno - 1));
-				pi->xstep = (!pi->xstep) ? xstep :
-				  JAS_MIN(pi->xstep, xstep);
-				pi->ystep = (!pi->ystep) ? ystep :
-				  JAS_MIN(pi->ystep, ystep);
+				// Check for the potential for overflow problems.
+				if (pirlvl->prcwidthexpn + picomp->numrlvls >
+				  JAS_UINTFAST32_NUMBITS - 2 ||
+				  pirlvl->prcheightexpn + picomp->numrlvls >
+				  JAS_UINTFAST32_NUMBITS - 2) {
+					return -1;
+				}
+				xstep = picomp->hsamp * (JAS_CAST(uint_fast32_t, 1) <<
+				  (pirlvl->prcwidthexpn + picomp->numrlvls - rlvlno - 1));
+				ystep = picomp->vsamp * (JAS_CAST(uint_fast32_t, 1) <<
+				  (pirlvl->prcheightexpn + picomp->numrlvls - rlvlno - 1));
+				pi->xstep = (!pi->xstep) ? xstep : JAS_MIN(pi->xstep, xstep);
+				pi->ystep = (!pi->ystep) ? ystep : JAS_MIN(pi->ystep, ystep);
 			}
 		}
 		pi->prgvolfirst = 0;
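Review bot: The guard bounds only the shift count, so the product `picomp->hsamp * (JAS_CAST(uint_fast32_t, 1) << ...)` can still wrap. With the exponent allowed to reach `JAS_UINTFAST32_NUMBITS - 3`, an `hsamp` or `vsamp` of 8 or more is enough to wrap the multiplication. A wrapped result of 0 would then pass through `JAS_MIN` into `pi->xstep` or `pi->ystep`, and how a zero step is consumed is not visible here. Checking the factor against the remaining headroom before multiplying would close this, e.g. `if (picomp->hsamp > (UINT_FAST32_MAX >> expn)) { return -1; }` with `expn` being the shift count. The declared width of `xstep`/`ystep` is also outside the hunk and should be at least that of `uint_fast32_t`. The hunks at -249 and -428 compute the steps the same way.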
@@ -377,20 +391,23 @@
 					try0 = JPC_CEILDIV(pi->ystart, pi->picomp->vsamp << r);
 					rpx = r + pi->pirlvl->prcwidthexpn;
 					rpy = r + pi->pirlvl->prcheightexpn;
-					if (((pi->x == pi->xstart && ((trx0 << r) % (1 << rpx))) ||
+					if (((pi->x == pi->xstart &&
+					  ((trx0 << r) % (JAS_CAST(uint_fast32_t, 1) << rpx))) ||
 					  !(pi->x % (pi->picomp->hsamp << rpx))) &&
-					  ((pi->y == pi->ystart && ((try0 << r) % (1 << rpy))) ||
+					  ((pi->y == pi->ystart &&
+					  ((try0 << r) % (JAS_CAST(uint_fast32_t, 1) << rpy))) ||
 					  !(pi->y % (pi->picomp->vsamp << rpy)))) {
-						prchind = JPC_FLOORDIVPOW2(JPC_CEILDIV(pi->x, pi->picomp->hsamp
-						  << r), pi->pirlvl->prcwidthexpn) - JPC_FLOORDIVPOW2(trx0,
-						  pi->pirlvl->prcwidthexpn);
-						prcvind = JPC_FLOORDIVPOW2(JPC_CEILDIV(pi->y, pi->picomp->vsamp
-						  << r), pi->pirlvl->prcheightexpn) - JPC_FLOORDIVPOW2(try0,
-						  pi->pirlvl->prcheightexpn);
+						prchind = JPC_FLOORDIVPOW2(JPC_CEILDIV(pi->x,
+						  pi->picomp->hsamp << r), pi->pirlvl->prcwidthexpn) -
+						  JPC_FLOORDIVPOW2(trx0, pi->pirlvl->prcwidthexpn);
+						prcvind = JPC_FLOORDIVPOW2(JPC_CEILDIV(pi->y,
+						  pi->picomp->vsamp << r), pi->pirlvl->prcheightexpn) -
+						  JPC_FLOORDIVPOW2(try0, pi->pirlvl->prcheightexpn);
 						pi->prcno = prcvind * pi->pirlvl->numhprcs + prchind;
 						assert(pi->prcno < pi->pirlvl->numprcs);
 						for (pi->lyrno = 0; pi->lyrno < pi->numlyrs &&
-						  pi->lyrno < JAS_CAST(int, pchg->lyrnoend); ++pi->lyrno) {
+						  pi->lyrno < JAS_CAST(int, pchg->lyrnoend);
+						  ++pi->lyrno) {
 							prclyrno = &pi->pirlvl->prclyrnos[pi->prcno];
 							if (pi->lyrno >= *prclyrno) {
 								++(*prclyrno);
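Review bot: The unchanged operands `pi->picomp->hsamp << rpx` and `pi->picomp->vsamp << rpy` in this condition are still shifted in the type of `hsamp`/`vsamp`, while the patch widens only the `1 << rpx` terms next to them. If those fields are narrower than `uint_fast32_t` (their declarations are not visible), a shift count accepted by the new guard can exceed their width, which is undefined behaviour. If the shifted value wraps to 0, `pi->x % (...)` divides by zero. Widening them the same way would keep the condition consistent: `!(pi->x % (JAS_CAST(uint_fast32_t, pi->picomp->hsamp) << rpx))`, and likewise for `vsamp`. The hunk at -461 contains the same two lines, and `pi->picomp->hsamp << r` inside the `JPC_CEILDIV` calls follows the same pattern.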
@@ -428,10 +445,17 @@
 		pi->prgvolfirst = 0;
 	}
 
-	for (pi->compno = pchg->compnostart, pi->picomp =
-	  &pi->picomps[pi->compno]; pi->compno < JAS_CAST(int, pchg->compnoend) && pi->compno < pi->numcomps; ++pi->compno,
-	  ++pi->picomp) {
+	for (pi->compno = pchg->compnostart, pi->picomp = &pi->picomps[pi->compno];
+	  pi->compno < JAS_CAST(int, pchg->compnoend) && pi->compno < pi->numcomps;
+	  ++pi->compno, ++pi->picomp) {
 		pirlvl = pi->picomp->pirlvls;
+		// Check for the potential for overflow problems.
+		if (pirlvl->prcwidthexpn + pi->picomp->numrlvls >
+		  JAS_UINTFAST32_NUMBITS - 2 ||
+		  pirlvl->prcheightexpn + pi->picomp->numrlvls >
+		  JAS_UINTFAST32_NUMBITS - 2) {
+			return -1;
+		}
 		pi->xstep = pi->picomp->hsamp * (JAS_CAST(uint_fast32_t, 1) <<
 		  (pirlvl->prcwidthexpn + pi->picomp->numrlvls - 1));
 		pi->ystep = pi->picomp->vsamp * (JAS_CAST(uint_fast32_t, 1) <<
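Review bot: The margin in `JAS_UINTFAST32_NUMBITS - 2` is not explained, and the same guard now appears three times (here and in the hunks at -249 and -341) under the comment "Check for the potential for overflow problems". A comment that ties the bound to the shift would let a reader verify it, for example `/* Largest shift below is expn + numrlvls - 1; the guard keeps it <= NUMBITS - 3. */`. If the extra headroom is meant to cover the multiplication by `hsamp`/`vsamp`, the comment should say so. Moving the test into one `static` helper that takes the two exponents and `numrlvls` would also stop the copies from drifting apart. These are `//` comments, whereas the header hunk of this same patch uses `/* */`.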
@@ -461,23 +485,23 @@
 					try0 = JPC_CEILDIV(pi->ystart, pi->picomp->vsamp << r);
 					rpx = r + pi->pirlvl->prcwidthexpn;
 					rpy = r + pi->pirlvl->prcheightexpn;
-					if (((pi->x == pi->xstart && ((trx0 << r) % (1 << rpx))) ||
+					if (((pi->x == pi->xstart &&
+					  ((trx0 << r) % (JAS_CAST(uint_fast32_t, 1) << rpx))) ||
 					  !(pi->x % (pi->picomp->hsamp << rpx))) &&
-					  ((pi->y == pi->ystart && ((try0 << r) % (1 << rpy))) ||
+					  ((pi->y == pi->ystart &&
+					  ((try0 << r) % (JAS_CAST(uint_fast32_t, 1) << rpy))) ||
 					  !(pi->y % (pi->picomp->vsamp << rpy)))) {
-						prchind = JPC_FLOORDIVPOW2(JPC_CEILDIV(pi->x, pi->picomp->hsamp
-						  << r), pi->pirlvl->prcwidthexpn) - JPC_FLOORDIVPOW2(trx0,
-						  pi->pirlvl->prcwidthexpn);
-						prcvind = JPC_FLOORDIVPOW2(JPC_CEILDIV(pi->y, pi->picomp->vsamp
-						  << r), pi->pirlvl->prcheightexpn) - JPC_FLOORDIVPOW2(try0,
-						  pi->pirlvl->prcheightexpn);
-						pi->prcno = prcvind *
-						  pi->pirlvl->numhprcs +
-						  prchind;
-						assert(pi->prcno <
-						  pi->pirlvl->numprcs);
-						for (pi->lyrno = 0; pi->lyrno <
-						  pi->numlyrs && pi->lyrno < JAS_CAST(int, pchg->lyrnoend); ++pi->lyrno) {
+						prchind = JPC_FLOORDIVPOW2(JPC_CEILDIV(pi->x,
+						  pi->picomp->hsamp << r), pi->pirlvl->prcwidthexpn) -
+						  JPC_FLOORDIVPOW2(trx0, pi->pirlvl->prcwidthexpn);
+						prcvind = JPC_FLOORDIVPOW2(JPC_CEILDIV(pi->y,
+						  pi->picomp->vsamp << r), pi->pirlvl->prcheightexpn) -
+						  JPC_FLOORDIVPOW2(try0, pi->pirlvl->prcheightexpn);
+						pi->prcno = prcvind * pi->pirlvl->numhprcs + prchind;
+						assert(pi->prcno < pi->pirlvl->numprcs);
+						for (pi->lyrno = 0; pi->lyrno < pi->numlyrs &&
+						  pi->lyrno < JAS_CAST(int, pchg->lyrnoend);
+						  ++pi->lyrno) {
 							prclyrno = &pi->pirlvl->prclyrnos[pi->prcno];
 							if (pi->lyrno >= *prclyrno) {
 								++(*prclyrno);
--- jasper-1.900.14/src/libjasper/jpc/jpc_t2dec.c	2017-03-22 10:14:30.102037013 +0100
+++ jasper-1.900.14/src/libjasper/jpc/jpc_t2dec.c	2017-03-22 10:15:11.619685037 +0100
@@ -454,8 +454,8 @@
 			  jas_stream_getrwcount(in), jpc_pi_prg(pi), jpc_pi_cmptno(pi),
 			  jpc_pi_rlvlno(pi), jpc_pi_prcno(pi), jpc_pi_lyrno(pi));
 		}
-		if (jpc_dec_decodepkt(dec, pkthdrstream, in, jpc_pi_cmptno(pi), jpc_pi_rlvlno(pi),
-		  jpc_pi_prcno(pi), jpc_pi_lyrno(pi))) {
+		if (jpc_dec_decodepkt(dec, pkthdrstream, in, jpc_pi_cmptno(pi),
+		  jpc_pi_rlvlno(pi), jpc_pi_prcno(pi), jpc_pi_lyrno(pi))) {
 			return -1;
 		}
 ++dec->numpkts;