File jasper-CVE-2016-9399.patch of Package jasper

Index: jasper-1.900.14/src/libjasper/jpc/jpc_dec.c
===================================================================
--- jasper-1.900.14.orig/src/libjasper/jpc/jpc_dec.c
+++ jasper-1.900.14/src/libjasper/jpc/jpc_dec.c
@@ -1633,7 +1633,7 @@ static int jpc_dec_cp_isvalid(jpc_dec_cp
 	return 1;
 }
 
-static void calcstepsizes(uint_fast16_t refstepsize, int numrlvls,
+static int calcstepsizes(uint_fast16_t refstepsize, int numrlvls,
   uint_fast16_t *stepsizes)
 {
 	int bandno;
@@ -1645,9 +1645,12 @@ static void calcstepsizes(uint_fast16_t
 	numbands = 3 * numrlvls - 2;
 	for (bandno = 0; bandno < numbands; ++bandno) {
 //jas_eprintf("DEBUG %d %d %d %d %d\n", bandno, expn, numrlvls, bandno, ((numrlvls - 1) - (numrlvls - 1 - ((bandno > 0) ? ((bandno + 2) / 3) : (0)))));
-		stepsizes[bandno] = JPC_QCX_MANT(mant) | JPC_QCX_EXPN(expn +
-		  (numrlvls - 1) - (numrlvls - 1 - ((bandno > 0) ? ((bandno + 2) / 3) : (0))));
+		uint_fast16_t e = expn + (bandno + 2) / 3;
+		if (e >= 0x20)
+			return -1;
+		stepsizes[bandno] = JPC_QCX_MANT(mant) | JPC_QCX_EXPN(e);
 	}
+	return 0;
 }
 
 static int jpc_dec_cp_prepare(jpc_dec_cp_t *cp)
@@ -1664,7 +1667,9 @@ static int jpc_dec_cp_prepare(jpc_dec_cp
 			}
 		}
 		if (ccp->qsty == JPC_QCX_SIQNT) {
-			calcstepsizes(ccp->stepsizes[0], ccp->numrlvls, ccp->stepsizes);
+			if (calcstepsizes(ccp->stepsizes[0], ccp->numrlvls, ccp->stepsizes)) {
+				return -1;
+			}
 		}
 	}
 	return 0;
Places

File jasper-CVE-2016-9399.patch of Package jasper

Places
