File jasper-CVE-2018-9252.patch of Package jasper
Index: jasper-1.900.14/src/libjasper/jpc/jpc_enc.c
===================================================================
--- jasper-1.900.14.orig/src/libjasper/jpc/jpc_enc.c
+++ jasper-1.900.14/src/libjasper/jpc/jpc_enc.c
@@ -173,7 +173,7 @@ static uint_fast32_t jpc_abstorelstepsiz
int n;
if (absdelta < 0) {
- abort();
+ return UINT_FAST32_MAX;
}
p = jpc_firstone(absdelta) - JPC_FIX_FRACBITS;
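Review bot: The `return UINT_FAST32_MAX;` that replaces `abort()` makes UINT_FAST32_MAX an in-band error value of jpc_abstorelstepsize, and nothing in the visible code documents that contract. Because the return type is `uint_fast32_t`, a caller that stores the result without comparing it to the sentinel would silently carry an all-ones step size into the quantizer fields. The two call sites later in this patch do check; any others are outside what is shown. I would add a header comment on the function such as `/* Returns the packed exponent/mantissa step size, or UINT_FAST32_MAX if absdelta or the resulting exponent is out of range. */`. The function's signature and the rest of its body lie outside this hunk.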
@@ -181,8 +181,10 @@ static uint_fast32_t jpc_abstorelstepsiz
mant = ((n < 0) ? (absdelta >> (-n)) : (absdelta << n)) & 0x7ff;
expn = scaleexpn - p;
if (scaleexpn < p) {
- abort();
+ return UINT_FAST32_MAX;
}
+ if (expn >= 0x1f)
+ return UINT_FAST32_MAX;
return JPC_QCX_EXPN(expn) | JPC_QCX_MANT(mant);
}
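Review bot: The added `if (expn >= 0x1f)` uses a bare constant and does not say why the value 0x1f itself is rejected. Presumably the bound comes from the width of the exponent field that JPC_QCX_EXPN packs, so a one-line comment or a named constant would make the limit auditable against that macro. The check is also unbraced, while the two neighbouring `if` blocks in this function use braces; `if (expn >= 0x1f) {` with a closing brace would match them. Separately, `expn = scaleexpn - p;` is still evaluated before the `scaleexpn < p` test. If expn is unsigned (its declaration is not visible here) the subtraction only wraps, but moving the test above the assignment would make the ordering safe at a glance.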
@@ -1005,9 +1007,12 @@ startoff = jas_stream_getrwcount(enc->ou
} else {
absstepsize = jpc_inttofix(1);
}
- cp->ccps[cmptno].stepsizes[bandno] =
+ const uint_fast32_t stepsize =
jpc_abstorelstepsize(absstepsize,
cp->ccps[cmptno].prec + analgain);
+ if (stepsize == UINT_FAST32_MAX)
+ return -1;
+ cp->ccps[cmptno].stepsizes[bandno] = stepsize;
}
cp->ccps[cmptno].numstepsizes = numbands;
}
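Review bot: The new `return -1;` after `if (stepsize == UINT_FAST32_MAX)` fails without a diagnostic, so an input that used to hit `abort()` now makes encoding fail with no sign that the quantizer step size was the cause. The same applies to the identical check added before `band->stepsize = stepsize;` in the last hunk. The file already calls jas_eprintf, so a braced form such as `if (stepsize == UINT_FAST32_MAX) { jas_eprintf("invalid quantizer step size\n"); return -1; }` at both sites would help triage. The enclosing function begins and ends outside the hunk, so it is worth confirming that its callers treat -1 as failure and release whatever was set up before this early return.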
@@ -1241,9 +1246,12 @@ jas_eprintf("%d %d mag=%d actual=%d numg
} else {
band->absstepsize = jpc_inttofix(1);
}
- band->stepsize = jpc_abstorelstepsize(
+ const uint_fast32_t stepsize = jpc_abstorelstepsize(
band->absstepsize, cp->ccps[cmptno].prec +
band->analgain);
+ if (stepsize == UINT_FAST32_MAX)
+ return -1;
+ band->stepsize = stepsize;
band->numbps = cp->tccp.numgbits +
JPC_QCX_GETEXPN(band->stepsize) - 1;