Overview

File jasper-CVE-2018-9252.patch of Package jasper

Index: jasper-1.900.14/src/libjasper/jpc/jpc_enc.c
===================================================================
--- jasper-1.900.14.orig/src/libjasper/jpc/jpc_enc.c
+++ jasper-1.900.14/src/libjasper/jpc/jpc_enc.c
@@ -173,7 +173,7 @@ static uint_fast32_t jpc_abstorelstepsiz
 	int n;
 
 	if (absdelta < 0) {
-		abort();
+		return UINT_FAST32_MAX;
 	}
 
 	p = jpc_firstone(absdelta) - JPC_FIX_FRACBITS;
@@ -181,8 +181,10 @@ static uint_fast32_t jpc_abstorelstepsiz
 	mant = ((n < 0) ? (absdelta >> (-n)) : (absdelta << n)) & 0x7ff;
 	expn = scaleexpn - p;
 	if (scaleexpn < p) {
-		abort();
+		return UINT_FAST32_MAX;
 	}
+	if (expn >= 0x1f)
+		return UINT_FAST32_MAX;
 	return JPC_QCX_EXPN(expn) | JPC_QCX_MANT(mant);
 }
 
@@ -1005,9 +1007,12 @@ startoff = jas_stream_getrwcount(enc->ou
 			} else {
 				absstepsize = jpc_inttofix(1);
 			}	
-			cp->ccps[cmptno].stepsizes[bandno] =
+			const uint_fast32_t stepsize =
 			  jpc_abstorelstepsize(absstepsize,
 			  cp->ccps[cmptno].prec + analgain);
+			if (stepsize == UINT_FAST32_MAX)
+				return -1;
+			cp->ccps[cmptno].stepsizes[bandno] = stepsize;
 		}
 		cp->ccps[cmptno].numstepsizes = numbands;
 	}
@@ -1241,9 +1246,12 @@ jas_eprintf("%d %d mag=%d actual=%d numg
 					} else {
 						band->absstepsize = jpc_inttofix(1);
 					}
-					band->stepsize = jpc_abstorelstepsize(
+					const uint_fast32_t stepsize = jpc_abstorelstepsize(
 					  band->absstepsize, cp->ccps[cmptno].prec +
 					  band->analgain);
+					if (stepsize == UINT_FAST32_MAX)
+						return -1;
+					band->stepsize = stepsize;
 					band->numbps = cp->tccp.numgbits +
 					  JPC_QCX_GETEXPN(band->stepsize) - 1;
openSUSE Build Service is sponsored by
Places