File jasper-CVE-2025-8835.patch of Package jasper.40244
https://github.com/jasper-software/jasper/commit/bb7d62bd0a2a8e0e1fdb4d603f3305f955158c52
With some adaptations:
* goto error instead of abort (done in previous commit)
* unsigned (done in previous commit)
* JAS_DBGLOG instead of JAS_LOGDEBUGF (79d28727141f608eef79649918c4657bb80068c4)
* jas_eprintf instead of jas_logerrorf
Index: jasper-2.0.14/src/libjasper/base/jas_image.c
===================================================================
--- jasper-2.0.14.orig/src/libjasper/base/jas_image.c
+++ jasper-2.0.14/src/libjasper/base/jas_image.c
@@ -115,6 +115,8 @@ static long convert(long val, int oldsgn
int newprec);
static void jas_image_calcbbox2(jas_image_t *image, jas_image_coord_t *tlx,
jas_image_coord_t *tly, jas_image_coord_t *brx, jas_image_coord_t *bry);
+static jas_cmcmptfmt_t* jas_cmcmptfmt_array_create(int n);
+static void jas_cmcmptfmt_array_destroy(jas_cmcmptfmt_t* cmptfmts, int n);
/******************************************************************************\
* Global data.
@@ -415,6 +417,36 @@ static void jas_image_cmpt_destroy(jas_i
jas_free(cmpt);
}
+static jas_cmcmptfmt_t* jas_cmcmptfmt_array_create(int n)
+{
+ jas_cmcmptfmt_t* cmptfmts;
+ JAS_DBGLOG(10, ("jas_cmcmptfmt_array_create(%d)\n", n));
+ if (!(cmptfmts = jas_alloc2(n, sizeof(jas_cmcmptfmt_t)))) {
+ return 0;
+ }
+ for (int i = 0; i < n; ++i) {
+ cmptfmts[i].buf = 0;
+ }
+ JAS_DBGLOG(10, ("jas_cmcmptfmt_array_create(%d) returning %p\n", n,
+ JAS_CAST(void *, cmptfmts)));
+ return cmptfmts;
+}
+
+static void jas_cmcmptfmt_array_destroy(jas_cmcmptfmt_t* cmptfmts, int n)
+{
+ assert(cmptfmts);
+ assert(n > 0);
+ JAS_DBGLOG(10, ("jas_cmcmptfmt_array_destroy(%p, %d)\n",
+ JAS_CAST(void *, cmptfmts), n));
+ for (int i = 0; i < n; ++i) {
+ if (cmptfmts[i].buf) {
+ jas_free(cmptfmts[i].buf);
+ }
+ cmptfmts[i].buf = 0;
+ }
+ jas_free(cmptfmts);
+}
+
/******************************************************************************\
* Load and save operations.
\******************************************************************************/
@@ -1442,19 +1474,25 @@ jas_image_t *jas_image_chclrspc(jas_imag
jas_cmcmptfmt_t *incmptfmts;
jas_cmcmptfmt_t *outcmptfmts;
+ assert(image);
+ assert(outprof);
+
#if 0
jas_eprintf("IMAGE\n");
jas_image_dump(image, stderr);
#endif
- if (image->numcmpts_ == 0)
- /* can't work with a file with no components;
- * continuing would crash because we'd attempt to
- * obtain information about the first component */
- return NULL;
+ if (!jas_image_numcmpts(image)) {
+ /* can't work with a file with no components;
+ * continuing would crash because we'd attempt to
+ * obtain information about the first component */
+ return NULL;
+ }
outimage = 0;
xform = 0;
+ incmptfmts = 0;
+ outcmptfmts = 0;
if (!(inimage = jas_image_copy(image)))
goto error;
image = 0;
@@ -1540,16 +1578,21 @@ jas_image_dump(image, stderr);
}
inpixmap.numcmpts = numinclrchans;
- if (!(incmptfmts = jas_alloc2(numinclrchans, sizeof(jas_cmcmptfmt_t)))) {
- abort();
+ assert(numinclrchans != 0);
+ if (!(incmptfmts = jas_cmcmptfmt_array_create(numinclrchans))) {
+ goto error;
}
inpixmap.cmptfmts = incmptfmts;
- for (i = 0; i < numinclrchans; ++i) {
- j = jas_image_getcmptbytype(inimage, JAS_IMAGE_CT_COLOR(i));
- assert(j >= 0);
+ for (unsigned i = 0; i < numinclrchans; ++i) {
+ const int j = jas_image_getcmptbytype(inimage, JAS_IMAGE_CT_COLOR(i));
+ if (j < 0) {
+ jas_eprintf("missing color component %d\n", i);
+ goto error;
+ }
if (!(incmptfmts[i].buf = jas_alloc2(width, sizeof(long)))) {
goto error;
}
+ assert(j >= 0 && j < jas_image_numcmpts(inimage));
incmptfmts[i].prec = jas_image_cmptprec(inimage, j);
incmptfmts[i].sgnd = jas_image_cmptsgnd(inimage, j);
incmptfmts[i].width = width;
@@ -1557,8 +1600,8 @@ jas_image_dump(image, stderr);
}
outpixmap.numcmpts = numoutclrchans;
- if (!(outcmptfmts = jas_alloc2(numoutclrchans, sizeof(jas_cmcmptfmt_t)))) {
- abort();
+ if (!(outcmptfmts = jas_cmcmptfmt_array_create(numoutclrchans))) {
+ goto error;
}
outpixmap.cmptfmts = outcmptfmts;
