File jasper-CVE-2017-5503-CVE-2017-5504-CVE-2017-5505.patch of Package jasper.40243
Index: jasper-1.900.14/src/libjasper/base/jas_seq.c
===================================================================
--- jasper-1.900.14.orig/src/libjasper/base/jas_seq.c
+++ jasper-1.900.14/src/libjasper/base/jas_seq.c
@@ -211,11 +211,17 @@ jas_matrix_t *jas_matrix_copy(jas_matrix
* Bind operations.
\******************************************************************************/
-void jas_seq2d_bindsub(jas_matrix_t *s, jas_matrix_t *s1, int xstart, int ystart,
+int jas_seq2d_bindsub(jas_matrix_t *s, jas_matrix_t *s1, int xstart, int ystart,
int xend, int yend)
{
+ if (xstart < s1->xstart_ || ystart < s1->ystart_ ||
+ xend > s1->xend_ || yend > s1->yend_)
+ return -1;
+
jas_matrix_bindsub(s, s1, ystart - s1->ystart_, xstart - s1->xstart_,
- yend - s1->ystart_ - 1, xend - s1->xstart_ - 1);
+ yend - s1->ystart_ - 1, xend - s1->xstart_ - 1);
+
+ return 0;
}
void jas_matrix_bindsub(jas_matrix_t *mat0, jas_matrix_t *mat1, int r0, int c0,
Index: jasper-1.900.14/src/libjasper/jpc/jpc_dec.c
===================================================================
--- jasper-1.900.14.orig/src/libjasper/jpc/jpc_dec.c
+++ jasper-1.900.14/src/libjasper/jpc/jpc_dec.c
@@ -798,8 +798,10 @@ static int jpc_dec_tileinit(jpc_dec_t *d
if (!(band->data = jas_seq2d_create(0, 0, 0, 0))) {
return -1;
}
- jas_seq2d_bindsub(band->data, tcomp->data, bnd->locxstart,
- bnd->locystart, bnd->locxend, bnd->locyend);
+ if (jas_seq2d_bindsub(band->data, tcomp->data, bnd->locxstart,
+ bnd->locystart, bnd->locxend, bnd->locyend)) {
+ return -1;
+ }
jas_seq2d_setshift(band->data, bnd->xstart, bnd->ystart);
assert(rlvl->numprcs);
@@ -879,8 +881,9 @@ static int jpc_dec_tileinit(jpc_dec_t *d
0))) {
return -1;
}
- jas_seq2d_bindsub(cblk->data, band->data,
- tmpxstart, tmpystart, tmpxend, tmpyend);
+ if (jas_seq2d_bindsub(cblk->data, band->data, tmpxstart, tmpystart, tmpxend, tmpyend)) {
+ return -1;
+ }
++cblk;
--cblkcnt;
}
Index: jasper-1.900.14/src/libjasper/jpc/jpc_enc.c
===================================================================
--- jasper-1.900.14.orig/src/libjasper/jpc/jpc_enc.c
+++ jasper-1.900.14/src/libjasper/jpc/jpc_enc.c
@@ -2283,8 +2283,10 @@ if (bandinfo->xstart != bandinfo->xend &
if (!(band->data = jas_seq2d_create(0, 0, 0, 0))) {
goto error;
}
- jas_seq2d_bindsub(band->data, tcmpt->data, bandinfo->locxstart,
- bandinfo->locystart, bandinfo->locxend, bandinfo->locyend);
+ if (jas_seq2d_bindsub(band->data, tcmpt->data, bandinfo->locxstart,
+ bandinfo->locystart, bandinfo->locxend, bandinfo->locyend)) {
+ goto error;
+ }
jas_seq2d_setshift(band->data, bandinfo->xstart, bandinfo->ystart);
}
band->orient = bandinfo->orient;
@@ -2549,7 +2551,9 @@ static jpc_enc_cblk_t *cblk_create(jpc_e
if (!(cblk->data = jas_seq2d_create(0, 0, 0, 0))) {
goto error;
}
- jas_seq2d_bindsub(cblk->data, band->data, cblktlx, cblktly, cblkbrx, cblkbry);
+ if (jas_seq2d_bindsub(cblk->data, band->data, cblktlx, cblktly, cblkbrx, cblkbry)) {
+ goto error;
+ }
return cblk;
Index: jasper-1.900.14/src/libjasper/include/jasper/jas_seq.h
===================================================================
--- jasper-1.900.14.orig/src/libjasper/include/jasper/jas_seq.h
+++ jasper-1.900.14/src/libjasper/include/jasper/jas_seq.h
@@ -280,7 +280,7 @@ jas_matrix_t *jas_seq2d_create(int xstar
#define jas_seq2d_size(s) \
(jas_seq2d_width(s) * jas_seq2d_height(s))
-void jas_seq2d_bindsub(jas_matrix_t *s, jas_matrix_t *s1, int xstart,
+int jas_seq2d_bindsub(jas_matrix_t *s, jas_matrix_t *s1, int xstart,
int ystart, int xend, int yend);
/******************************************************************************\
