File jasper-CVE-2017-5503-CVE-2017-5504-CVE-2017-5505.patch of Package jasper.16208
Index: jasper-2.0.14/src/libjasper/base/jas_seq.c
===================================================================
--- jasper-2.0.14.orig/src/libjasper/base/jas_seq.c
+++ jasper-2.0.14/src/libjasper/base/jas_seq.c
@@ -211,11 +211,15 @@ jas_matrix_t *jas_matrix_copy(jas_matrix
* Bind operations.
\******************************************************************************/
-void jas_seq2d_bindsub(jas_matrix_t *s, jas_matrix_t *s1, jas_matind_t xstart,
+int jas_seq2d_bindsub(jas_matrix_t *s, jas_matrix_t *s1, jas_matind_t xstart,
jas_matind_t ystart, jas_matind_t xend, jas_matind_t yend)
{
+ if (xstart < s1->xstart_ || ystart < s1->ystart_ ||
+ xend > s1->xend_ || yend > s1->yend_)
+ return -1;
jas_matrix_bindsub(s, s1, ystart - s1->ystart_, xstart - s1->xstart_,
- yend - s1->ystart_ - 1, xend - s1->xstart_ - 1);
+ yend - s1->ystart_ - 1, xend - s1->xstart_ - 1);
+ return 0;
}
void jas_matrix_bindsub(jas_matrix_t *mat0, jas_matrix_t *mat1,
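Review bot: The new guard in jas_seq2d_bindsub checks that the requested rectangle stays inside s1 but not that it is well ordered, so a call with `xend < xstart` or `yend < ystart` that still lies within s1's extent passes and hands jas_matrix_bindsub an end index below its start index. How jas_matrix_bindsub treats that is not visible here, since only its first line is in the hunk, so it is safer to reject it at this boundary too: `if (xstart > xend || ystart > yend) return -1;`. Equality is left allowed because the `- 1` adjustments suggest the end coordinates are exclusive, which would make an equal pair an empty region; that assumption is worth confirming against the callers.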
Index: jasper-2.0.14/src/libjasper/include/jasper/jas_seq.h
===================================================================
--- jasper-2.0.14.orig/src/libjasper/include/jasper/jas_seq.h
+++ jasper-2.0.14/src/libjasper/include/jasper/jas_seq.h
@@ -285,7 +285,7 @@ JAS_DLLEXPORT jas_matrix_t *jas_seq2d_cr
#define jas_seq2d_size(s) \
(jas_seq2d_width(s) * jas_seq2d_height(s))
-JAS_DLLEXPORT void jas_seq2d_bindsub(jas_matrix_t *s, jas_matrix_t *s1, jas_matind_t xstart,
+JAS_DLLEXPORT int jas_seq2d_bindsub(jas_matrix_t *s, jas_matrix_t *s1, jas_matind_t xstart,
jas_matind_t ystart, jas_matind_t xend, jas_matind_t yend);
/******************************************************************************\
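Review bot: The exported prototype of jas_seq2d_bindsub changes from void to int with no comment saying what the result means, and this header is where callers will look. I would add above the declaration `/* Returns 0 on success, or -1 without modifying s when the requested region is not contained in s1. */`, which matches the early return added in jas_seq.c. Because the symbol is JAS_DLLEXPORT, code outside this patch written against the void signature will keep compiling and silently discard the new result, so the change probably deserves a changelog entry as well.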
Index: jasper-2.0.14/src/libjasper/jpc/jpc_dec.c
===================================================================
--- jasper-2.0.14.orig/src/libjasper/jpc/jpc_dec.c
+++ jasper-2.0.14/src/libjasper/jpc/jpc_dec.c
@@ -831,8 +831,10 @@ static int jpc_dec_tileinit(jpc_dec_t *d
if (!(band->data = jas_seq2d_create(0, 0, 0, 0))) {
return -1;
}
- jas_seq2d_bindsub(band->data, tcomp->data, bnd->locxstart,
- bnd->locystart, bnd->locxend, bnd->locyend);
+ if (jas_seq2d_bindsub(band->data, tcomp->data, bnd->locxstart,
+ bnd->locystart, bnd->locxend, bnd->locyend)) {
+ return -1;
+ }
jas_seq2d_setshift(band->data, bnd->xstart, bnd->ystart);
assert(rlvl->numprcs);
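Review bot: The new failure branch after jas_seq2d_bindsub returns -1 with no diagnostic, so a codestream rejected for inconsistent band geometry is indistinguishable from the allocation failure handled just above it; the same applies to the code-block binding in the next hunk of this file. A one-line message before the return, for example `jas_eprintf("band region lies outside tile component\n");`, would make such rejections visible when triaging malformed input. jpc_dec_tileinit starts and ends outside this hunk, so whether a caller already reports the failure cannot be seen here.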
@@ -912,8 +914,10 @@ static int jpc_dec_tileinit(jpc_dec_t *d
0))) {
return -1;
}
- jas_seq2d_bindsub(cblk->data, band->data,
- tmpxstart, tmpystart, tmpxend, tmpyend);
+ if (jas_seq2d_bindsub(cblk->data, band->data,
+ tmpxstart, tmpystart, tmpxend, tmpyend)) {
+ return -1;
+ }
++cblk;
--cblkcnt;
}
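Review bot: This early `return -1` leaves the loop with the current cblk->data allocated but unbound and, apparently, the remaining code blocks not yet set up. Unlike the allocation-failure return above it, this path is presumably reachable from the contents of the decoded file rather than only from memory exhaustion. The teardown for jpc_dec_tileinit is outside the hunk, so it should be confirmed that tile cleanup tolerates a partly initialised code-block array and frees the sequences created so far. A comment at the return such as `/* Tile is only partially initialised here; tile cleanup must cope with that. */` would record the dependency.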
Index: jasper-2.0.14/src/libjasper/jpc/jpc_enc.c
===================================================================
--- jasper-2.0.14.orig/src/libjasper/jpc/jpc_enc.c
+++ jasper-2.0.14/src/libjasper/jpc/jpc_enc.c
@@ -2332,8 +2332,10 @@ if (bandinfo->xstart != bandinfo->xend &
if (!(band->data = jas_seq2d_create(0, 0, 0, 0))) {
goto error;
}
- jas_seq2d_bindsub(band->data, tcmpt->data, bandinfo->locxstart,
- bandinfo->locystart, bandinfo->locxend, bandinfo->locyend);
+ if (jas_seq2d_bindsub(band->data, tcmpt->data, bandinfo->locxstart,
+ bandinfo->locystart, bandinfo->locxend, bandinfo->locyend)) {
+ goto error;
+ }
jas_seq2d_setshift(band->data, bandinfo->xstart, bandinfo->ystart);
}
band->orient = bandinfo->orient;
@@ -2609,7 +2611,9 @@ static jpc_enc_cblk_t *cblk_create(jpc_e
if (!(cblk->data = jas_seq2d_create(0, 0, 0, 0))) {
goto error;
}
- jas_seq2d_bindsub(cblk->data, band->data, cblktlx, cblktly, cblkbrx, cblkbry);
+ if (jas_seq2d_bindsub(cblk->data, band->data, cblktlx, cblktly, cblkbrx, cblkbry)) {
+ goto error;
+ }
return cblk;