File jasper-CVE-2016-8654.patch of Package jasper.6993
--- jasper-1.900.14/src/libjasper/jpc/jpc_qmfb.c 2016-10-24 08:18:43.000000000 +0200
+++ jasper-1.900.14/src/libjasper/jpc/jpc_qmfb.c 2016-12-13 10:45:00.879969920 +0100
@@ -374,7 +374,7 @@
register jpc_fix_t *dstptr;
register int n;
register int m;
- int hstartcol;
+ int hstartrow;
/* Get a buffer. */
if (bufsize > QMFB_SPLITBUFSIZE) {
@@ -385,9 +385,9 @@
}
if (numrows >= 2) {
- hstartcol = (numrows + 1 - parity) >> 1;
- // ORIGINAL (WRONG): m = (parity) ? hstartcol : (numrows - hstartcol);
- m = numrows - hstartcol;
+ hstartrow = (numrows + 1 - parity) >> 1;
+ // ORIGINAL (WRONG): m = (parity) ? hstartrow : (numrows - hstartrow);
+ m = numrows - hstartrow;
/* Save the samples destined for the highpass channel. */
n = m;
@@ -408,7 +408,7 @@
srcptr += stride << 1;
}
/* Copy the saved samples into the highpass channel. */
- dstptr = &a[hstartcol * stride];
+ dstptr = &a[hstartrow * stride];
srcptr = buf;
n = m;
while (n-- > 0) {
@@ -439,20 +439,21 @@
register int n;
register int i;
int m;
- int hstartcol;
+ int hstartrow;
/* Get a buffer. */
if (bufsize > QMFB_SPLITBUFSIZE) {
- if (!(buf = jas_alloc2(bufsize, sizeof(jpc_fix_t)))) {
+ if (!(buf = jas_alloc3(bufsize, JPC_QMFB_COLGRPSIZE,
+ sizeof(jpc_fix_t)))) {
/* We have no choice but to commit suicide in this case. */
abort();
}
}
if (numrows >= 2) {
- hstartcol = (numrows + 1 - parity) >> 1;
- // ORIGINAL (WRONG): m = (parity) ? hstartcol : (numrows - hstartcol);
- m = numrows - hstartcol;
+ hstartrow = (numrows + 1 - parity) >> 1;
+ // ORIGINAL (WRONG): m = (parity) ? hstartrow : (numrows - hstartrow);
+ m = numrows - hstartrow;
/* Save the samples destined for the highpass channel. */
n = m;
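Review bot: The widened `jas_alloc3(bufsize, JPC_QMFB_COLGRPSIZE, sizeof(jpc_fix_t))` call only covers the heap path, because the guard `bufsize > QMFB_SPLITBUFSIZE` still compares row counts alone. When that test is false the function uses a fallback buffer declared outside this hunk, and that buffer must also hold `QMFB_SPLITBUFSIZE * JPC_QMFB_COLGRPSIZE` elements for the fix to be complete; this should be confirmed against the declaration. The sizing is also undocumented and sits among the `hstartcol` to `hstartrow` renames, so a comment above the allocation such as `/* bufsize rows, each JPC_QMFB_COLGRPSIZE samples wide (CVE-2016-8654) */` would make the security-relevant line easy to audit. The function body starts and ends outside the hunk.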
@@ -485,7 +486,7 @@
srcptr += stride << 1;
}
/* Copy the saved samples into the highpass channel. */
- dstptr = &a[hstartcol * stride];
+ dstptr = &a[hstartrow * stride];
srcptr = buf;
n = m;
while (n-- > 0) {
@@ -526,7 +527,7 @@
/* Get a buffer. */
if (bufsize > QMFB_SPLITBUFSIZE) {
- if (!(buf = jas_alloc2(bufsize, sizeof(jpc_fix_t)))) {
+ if (!(buf = jas_alloc3(bufsize, numcols, sizeof(jpc_fix_t)))) {
/* We have no choice but to commit suicide in this case. */
abort();
}
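Review bot: `numcols` is a runtime value passed straight into `jas_alloc3(bufsize, numcols, sizeof(jpc_fix_t))`, and nothing visible in this hunk bounds it. If it is a signed `int` (its declaration is outside the hunk), a negative value would convert to a very large `size_t`, and the allocator would presumably reject it, ending in the `abort()` below. The fallback buffer used when `bufsize <= QMFB_SPLITBUFSIZE` has the same dependency: it is only large enough if callers keep `numcols` within the width it was declared for. If the caller does guarantee that range, stating it at the top of the function would document the assumption, for example `assert(numcols > 0 && numcols <= JPC_QMFB_COLGRPSIZE);`, with the upper bound adjusted to whatever the caller actually guarantees.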
@@ -721,7 +722,8 @@
/* Allocate memory for the join buffer from the heap. */
if (bufsize > QMFB_JOINBUFSIZE) {
- if (!(buf = jas_alloc3(bufsize, JPC_QMFB_COLGRPSIZE, sizeof(jpc_fix_t)))) {
+ if (!(buf = jas_alloc3(bufsize, JPC_QMFB_COLGRPSIZE,
+ sizeof(jpc_fix_t)))) {
/* We have no choice but to commit suicide. */
abort();
}