File jasper-CVE-2016-9398-upstream.patch of Package jasper.23813
Index: jasper-2.0.14/src/libjasper/jpc/jpc_t2dec.c
===================================================================
--- jasper-2.0.14.orig/src/libjasper/jpc/jpc_t2dec.c
+++ jasper-2.0.14/src/libjasper/jpc/jpc_t2dec.c
@@ -292,6 +292,20 @@ hdroffstart = jas_stream_getrwcount(pkth
savenumnewpasses = numnewpasses;
mycounter = 0;
if (numnewpasses > 0) {
+ if (cblk->firstpassno > 10000) {
+ /* workaround for
+ CVE-2016-9398: this
+ large value would
+ make
+ JPC_SEGPASSCNT()
+ return a negative
+ value, causing an
+ assertion failure
+ in
+ jpc_floorlog2() */
+ jpc_bitstream_close(inb);
+ return -1;
+ }
if ((m = jpc_getcommacode(inb)) < 0) {
jpc_bitstream_close(inb);
return -1;
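Review bot: The new guard at the top of this hunk hard-codes `10000`, the same literal that is passed as the third argument to `JPC_SEGPASSCNT()` at the `maxpasses =` line of the next hunk and repeated in that hunk's `passno >= 10000` check; if any one of the three sites is later changed the guards silently stop matching the value that actually drives `numpasses - passno`. Define it once, e.g. `#define JPC_T2DEC_PASSNO_LIMIT 10000 /* proposed name */` near the top of this file, and use it at all three sites. The boundary also differs between the two guards: this one uses `>` while the loop guard uses `>=`, so `firstpassno == 10000` passes here and is only rejected inside the loop; since `passno` starts at `firstpassno + numpasses`, this pre-loop check appears to be subsumed by the in-loop one unless something between them depends on `firstpassno` — worth confirming and either dropping it or aligning both on `>=`. The enclosing function starts and ends outside the hunk.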
@@ -300,11 +314,19 @@ hdroffstart = jas_stream_getrwcount(pkth
JAS_DBGLOG(10, ("increment=%d ", m));
while (numnewpasses > 0) {
passno = cblk->firstpassno + cblk->numpasses + mycounter;
+ if (passno >= 10000) {
+ /* with this value,
+ JPC_SEGPASSCNT()
+ would return 0,
+ which is an illegal
+ value and would
+ later crash in
+ jpc_floorlog2() */
+ jpc_bitstream_close(inb);
+ return -1;
+ }
/* XXX - the maxpasses is not set precisely but this doesn't matter... */
maxpasses = JPC_SEGPASSCNT(passno, cblk->firstpassno, 10000, (ccp->cblkctx & JPC_COX_LAZY) != 0, (ccp->cblkctx & JPC_COX_TERMALL) != 0);
- // Avoid maxpasses to be negative
- if (maxpasses < 0)
- maxpasses = -maxpasses;
if (!discard && !seg) {
if (!(seg = jpc_seg_alloc())) {
jpc_bitstream_close(inb);
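Review bot: The comment on the new `passno >= 10000` check is wrapped at roughly twenty columns over seven lines, unlike the single-line `/* XXX - ... */` comment directly below it and the rest of this file; reflow it to one or two lines, e.g. `/* CVE-2016-9398: passno >= 10000 would make JPC_SEGPASSCNT() return 0, an illegal value that later trips the assertion in jpc_floorlog2() */`. With the rejection in place, `numpasses - passno` is at least 1 on every path that reaches `JPC_SEGPASSCNT()`, which is what makes removing the old `maxpasses = -maxpasses` workaround safe; a one-line note saying so next to the call would keep a future reader from reinstating it. The early `return -1` runs from inside the `while` loop, where `seg` may already hold a segment allocated in a previous iteration — if that segment is not yet linked into `cblk->segs` at this point (the loop body continues outside the hunk), the return would leak it; confirm against the rest of the loop.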