$NetBSD: patch-CVE-2016-8654,v 1.2 2016/12/17 23:10:25 dholland Exp $
From 4a59cfaf9ab3d48fca4a15c0d2674bf7138e3d1a Mon Sep 17 00:00:00 2001
From: Michael Adams <mdadams@ece.uvic.ca>
Date: Sat, 26 Nov 2016 20:23:23 -0800
Subject: [PATCH] Fixed a buffer overrun problem in the QMFB code in the JPC
codec that was caused by a buffer being allocated with a size that was too
small in some cases. Added a new regression test case.
---
data/test/bad/PoC1.jpc | Bin 0 -> 233 bytes
src/libjasper/jpc/jpc_qmfb.c | 28 +++++++++++++++-------------
2 files changed, 15 insertions(+), 13 deletions(-)
create mode 100644 data/test/bad/PoC1.jpc
# diff --git a/data/test/bad/PoC1.jpc b/data/test/bad/PoC1.jpc
# new file mode 100644
# index 0000000000000000000000000000000000000000..95239547c40ebd947169f8d87ec399759d1acd3f
# GIT binary patch
# literal 233
# zcmezG|38pHlYx<efuVtcK><X=Km(8g!Vtj7&dB&bh=G@t0i>9PMS)TLe+&alg2Vq5
# z23-b5=c3falKdho1;;R5FC%XSjbu#)BLf2i9Ux(-;Fy!1uMn15oSC2Ze*yy+*u*jh
# z#{ZKa{p#MIIpO~#?i1JcuDH+a{XxR{o@qS)=2<S+_kGs5vcd1wR*^ZWYAZ`pBG>(V
# z>o4CL(REnycXM0m>2?DJ+q$m14-a1!FY%njRQ9-BmDw#gXoZ8CkKEbRXJ=<JubTMl
# Q@K-MmpN6@L&;H*808TDYDF6Tf
#
# literal 0
# HcmV?d00001
diff --git src/libjasper/jpc/jpc_qmfb.c src/libjasper/jpc/jpc_qmfb.c
index 45be24e..f26070f 100644
--- src/libjasper/jpc/jpc_qmfb.c
+++ src/libjasper/jpc/jpc_qmfb.c
@@ -374,7 +374,7 @@ void jpc_qmfb_split_col(jpc_fix_t *a, int numrows, int stride,
register jpc_fix_t *dstptr;
register int n;
register int m;
- int hstartcol;
+ int hstartrow;
/* Get a buffer. */
if (bufsize > QMFB_SPLITBUFSIZE) {
@@ -385,9 +385,9 @@ void jpc_qmfb_split_col(jpc_fix_t *a, int numrows, int stride,
}
if (numrows >= 2) {
- hstartcol = (numrows + 1 - parity) >> 1;
- // ORIGINAL (WRONG): m = (parity) ? hstartcol : (numrows - hstartcol);
- m = numrows - hstartcol;
+ hstartrow = (numrows + 1 - parity) >> 1;
+ // ORIGINAL (WRONG): m = (parity) ? hstartrow : (numrows - hstartrow);
+ m = numrows - hstartrow;
/* Save the samples destined for the highpass channel. */
n = m;
@@ -408,7 +408,7 @@ void jpc_qmfb_split_col(jpc_fix_t *a, int numrows, int stride,
srcptr += stride << 1;
}
/* Copy the saved samples into the highpass channel. */
- dstptr = &a[hstartcol * stride];
+ dstptr = &a[hstartrow * stride];
srcptr = buf;
n = m;
while (n-- > 0) {
@@ -439,20 +439,21 @@ void jpc_qmfb_split_colgrp(jpc_fix_t *a, int numrows, int stride,
register int n;
register int i;
int m;
- int hstartcol;
+ int hstartrow;
/* Get a buffer. */
if (bufsize > QMFB_SPLITBUFSIZE) {
- if (!(buf = jas_alloc2(bufsize, sizeof(jpc_fix_t)))) {
+ if (!(buf = jas_alloc3(bufsize, JPC_QMFB_COLGRPSIZE,
+ sizeof(jpc_fix_t)))) {
/* We have no choice but to commit suicide in this case. */
abort();
}
}
if (numrows >= 2) {
- hstartcol = (numrows + 1 - parity) >> 1;
- // ORIGINAL (WRONG): m = (parity) ? hstartcol : (numrows - hstartcol);
- m = numrows - hstartcol;
+ hstartrow = (numrows + 1 - parity) >> 1;
+ // ORIGINAL (WRONG): m = (parity) ? hstartrow : (numrows - hstartrow);
+ m = numrows - hstartrow;
/* Save the samples destined for the highpass channel. */
n = m;
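Review bot: The heap path now requests bufsize * JPC_QMFB_COLGRPSIZE elements, but the guard `if (bufsize > QMFB_SPLITBUFSIZE)` still decides on bufsize alone, so the stack buffer taken on the other branch has to hold QMFB_SPLITBUFSIZE * JPC_QMFB_COLGRPSIZE elements for the small case to be free of the same overrun; that declaration lies outside this hunk, and the same applies to the jpc_qmfb_split_colres hunk where the factor is numcols, so confirm both stack buffers carry the column factor. A short comment on the allocation would make the sizing rule visible to the next reader, e.g. `/* Highpass scratch for one column group: bufsize rows x JPC_QMFB_COLGRPSIZE columns. */`. The `// ORIGINAL (WRONG): ...` line preserved by the rename here and in the jpc_qmfb_split_col hunk is commented-out code; deleting it would be cleaner than carrying it forward. jpc_qmfb_split_colgrp's body continues outside the hunk.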
@@ -485,7 +486,7 @@ void jpc_qmfb_split_colgrp(jpc_fix_t *a, int numrows, int stride,
srcptr += stride << 1;
}
/* Copy the saved samples into the highpass channel. */
- dstptr = &a[hstartcol * stride];
+ dstptr = &a[hstartrow * stride];
srcptr = buf;
n = m;
while (n-- > 0) {
@@ -526,7 +527,7 @@ void jpc_qmfb_split_colres(jpc_fix_t *a, int numrows, int numcols,
/* Get a buffer. */
if (bufsize > QMFB_SPLITBUFSIZE) {
- if (!(buf = jas_alloc2(bufsize, sizeof(jpc_fix_t)))) {
+ if (!(buf = jas_alloc3(bufsize, numcols, sizeof(jpc_fix_t)))) {
/* We have no choice but to commit suicide in this case. */
abort();
}
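Review bot: numcols is an int parameter and the allocation now multiplies by it, so if jas_alloc3 presumably takes size_t operands a non-positive numcols would either wrap to a huge request or yield a zero-length buffer that the copy loops later write into; unless every caller guarantees numcols > 0, a guard such as `assert(numcols > 0 && numcols <= JPC_QMFB_COLGRPSIZE);` ahead of the allocation would pin that contract. The callers and the rest of jpc_qmfb_split_colres are outside the hunk, so treat this as a check to confirm rather than a known defect.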
@@ -721,7 +722,8 @@ void jpc_qmfb_join_colgrp(jpc_fix_t *a, int numrows, int stride,
/* Allocate memory for the join buffer from the heap. */
if (bufsize > QMFB_JOINBUFSIZE) {
- if (!(buf = jas_alloc3(bufsize, JPC_QMFB_COLGRPSIZE, sizeof(jpc_fix_t)))) {
+ if (!(buf = jas_alloc3(bufsize, JPC_QMFB_COLGRPSIZE,
+ sizeof(jpc_fix_t)))) {
/* We have no choice but to commit suicide. */
abort();
}