File jasper-CVE-2016-9395.patch of Package jasper.4397

--- jasper-1.900.14/src/libjasper/jpc/jpc_cs.c	2016-10-26 08:57:31.000000000 +0200
+++ jasper-1.900.14/src/libjasper/jpc/jpc_cs.c	2016-12-13 10:49:36.673944174 +0100
@@ -489,6 +489,8 @@
 	unsigned int i;
 	uint_fast8_t tmp;
 
+	siz->comps = 0;
+
 	/* Eliminate compiler warning about unused variables. */
 	cstate = 0;
 
@@ -502,44 +504,67 @@
 	  jpc_getuint32(in, &siz->tilexoff) ||
 	  jpc_getuint32(in, &siz->tileyoff) ||
 	  jpc_getuint16(in, &siz->numcomps)) {
-		return -1;
+		goto error;
 	}
-	if (!siz->width || !siz->height || !siz->tilewidth ||
-	  !siz->tileheight || !siz->numcomps || siz->numcomps > 16384) {
-		return -1;
-	}
-	if (siz->tilexoff >= siz->width || siz->tileyoff >= siz->height) {
-		jas_eprintf("all tiles are outside the image area\n");
-		return -1;
+	if (!siz->width || !siz->height) {
+		jas_eprintf("reference grid cannot have zero area\n");
+		goto error;
+	}
+	if (!siz->tilewidth || !siz->tileheight) {
+		jas_eprintf("tile cannot have zero area\n");
+		goto error;
+	}
+	if (!siz->numcomps || siz->numcomps > 16384) {
+		jas_eprintf("number of components not in permissible range\n");
+		goto error;
+	}
+	if (siz->xoff >= siz->width) {
+		jas_eprintf("XOsiz not in permissible range\n");
+		goto error;
+	}
+	if (siz->yoff >= siz->height) {
+		jas_eprintf("YOsiz not in permissible range\n");
+		goto error;
+	}
+	if (siz->tilexoff > siz->xoff || siz->tilexoff + siz->tilewidth <= siz->xoff) {
+		jas_eprintf("XTOsiz not in permissible range\n");
+		goto error;
+	}
+	if (siz->tileyoff > siz->yoff || siz->tileyoff + siz->tileheight <= siz->yoff) {
+		jas_eprintf("YTOsiz not in permissible range\n");
+		goto error;
 	}
+
 	if (!(siz->comps = jas_alloc2(siz->numcomps, sizeof(jpc_sizcomp_t)))) {
-		return -1;
+		goto error;
 	}
 	for (i = 0; i < siz->numcomps; ++i) {
 		if (jpc_getuint8(in, &tmp) ||
 		  jpc_getuint8(in, &siz->comps[i].hsamp) ||
 		  jpc_getuint8(in, &siz->comps[i].vsamp)) {
-			jas_free(siz->comps);
-			return -1;
+			goto error;
 		}
 		if (siz->comps[i].hsamp == 0 || siz->comps[i].hsamp > 255) {
 			jas_eprintf("invalid XRsiz value %d\n", siz->comps[i].hsamp);
-			jas_free(siz->comps);
-			return -1;
+			goto error;
 		}
 		if (siz->comps[i].vsamp == 0 || siz->comps[i].vsamp > 255) {
 			jas_eprintf("invalid YRsiz value %d\n", siz->comps[i].vsamp);
-			jas_free(siz->comps);
-			return -1;
+			goto error;
 		}
 		siz->comps[i].sgnd = (tmp >> 7) & 1;
 		siz->comps[i].prec = (tmp & 0x7f) + 1;
 	}
 	if (jas_stream_eof(in)) {
-		jas_free(siz->comps);
-		return -1;
+		goto error;
 	}
 	return 0;
+
+error:
+	if (siz->comps) {
+		jas_free(siz->comps);
+	}
+	return -1;
 }
 
 static int jpc_siz_putparms(jpc_ms_t *ms, jpc_cstate_t *cstate, jas_stream_t *out)
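Review bot: The new `error:` label frees `siz->comps` but leaves the pointer set, so after a failed parse the structure still refers to freed memory; adding `siz->comps = 0;` right after `jas_free(siz->comps);` would keep any later destroy or dump of the marker segment from touching it. Whether a caller does that on failure is not visible in this hunk, so treat it as hardening rather than a confirmed double free. Separately, the XTOsiz and YTOsiz checks add two values read from the stream, and if those fields are only 32 bits wide on some platform the sum can wrap and reject a valid stream. Writing the second operand as `siz->tilewidth <= siz->xoff - siz->tilexoff` (and likewise for the y axis) avoids the wrap, since the first operand has already ruled out `tilexoff > xoff`. The function's opening lines lie outside the hunk.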