File jasper-CVE-2016-9399.patch of Package jasper.25971
Index: jasper-1.900.14/src/libjasper/jpc/jpc_dec.c
===================================================================
--- jasper-1.900.14.orig/src/libjasper/jpc/jpc_dec.c
+++ jasper-1.900.14/src/libjasper/jpc/jpc_dec.c
@@ -1633,7 +1633,7 @@ static int jpc_dec_cp_isvalid(jpc_dec_cp
return 1;
}
-static void calcstepsizes(uint_fast16_t refstepsize, int numrlvls,
+static int calcstepsizes(uint_fast16_t refstepsize, int numrlvls,
uint_fast16_t *stepsizes)
{
int bandno;
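Review bot: The new `int` return of calcstepsizes has no documented contract at the signature, so a reader has to find the `return -1` inside the loop to learn the convention. A short comment above the function would fix that, e.g. `/* Returns 0 on success, -1 if a derived exponent cannot be encoded in a step size. */`. The function body continues outside this hunk.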
@@ -1645,9 +1645,12 @@ static void calcstepsizes(uint_fast16_t
numbands = 3 * numrlvls - 2;
for (bandno = 0; bandno < numbands; ++bandno) {
//jas_eprintf("DEBUG %d %d %d %d %d\n", bandno, expn, numrlvls, bandno, ((numrlvls - 1) - (numrlvls - 1 - ((bandno > 0) ? ((bandno + 2) / 3) : (0)))));
- stepsizes[bandno] = JPC_QCX_MANT(mant) | JPC_QCX_EXPN(expn +
- (numrlvls - 1) - (numrlvls - 1 - ((bandno > 0) ? ((bandno + 2) / 3) : (0))));
+ uint_fast16_t e = expn + (bandno + 2) / 3;
+ if (e >= 0x20)
+ return -1;
+ stepsizes[bandno] = JPC_QCX_MANT(mant) | JPC_QCX_EXPN(e);
}
+ return 0;
}
static int jpc_dec_cp_prepare(jpc_dec_cp_t *cp)
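Review bot: The bound in `if (e >= 0x20)` is a bare magic number. It presumably mirrors the width of the exponent field that JPC_QCX_EXPN packs (confirm against the macro's definition), and a comment such as `/* exponent must fit the QCX exponent field; larger values come from a malformed codestream */` would tie the check to its reason. The commented-out `jas_eprintf("DEBUG ...")` line kept as context still spells out the old exponent expression and no longer matches the code, so it should be dropped or updated. On the error path the entries before `bandno` have already been overwritten, which is harmless only if the caller abandons these coding parameters; the next hunk appears to do that. The declarations of `expn` and `mant` fall between the hunks and are not visible here.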
@@ -1664,7 +1667,9 @@ static int jpc_dec_cp_prepare(jpc_dec_cp
}
}
if (ccp->qsty == JPC_QCX_SIQNT) {
- calcstepsizes(ccp->stepsizes[0], ccp->numrlvls, ccp->stepsizes);
+ if (calcstepsizes(ccp->stepsizes[0], ccp->numrlvls, ccp->stepsizes)) {
+ return -1;
+ }
}
}
return 0;
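Review bot: The new failure path in jpc_dec_cp_prepare returns -1 with no diagnostic, so a codestream rejected for an out-of-range step-size exponent looks the same as any other decode failure. A line such as `jas_eprintf("invalid quantization step size exponent\n");` before `return -1;` would help when triaging malformed or hostile inputs. The condition is written as a truthiness test; `if (calcstepsizes(...) != 0)` states the error convention more plainly. The callers of jpc_dec_cp_prepare are outside this hunk, so it is worth confirming that each one checks the result and stops decoding.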