1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
|
$NetBSD: patch-src_libjasper_base_jas__image.c,v 1.2 2016/05/16 14:03:40 he Exp $
CVE-2016-2089 denial of service. Via Debian.
Fix CVE-2008-3520, patches from
https://bugs.gentoo.org/show_bug.cgi?id=222819
--- src/libjasper/base/jas_image.c.old 2016-03-31 14:47:00.000000000 +0200
+++ src/libjasper/base/jas_image.c 2016-03-31 14:47:50.000000000 +0200
@@ -142,7 +142,7 @@
image->inmem_ = true;
/* Allocate memory for the per-component information. */
- if (!(image->cmpts_ = jas_malloc(image->maxcmpts_ *
+ if (!(image->cmpts_ = jas_alloc2(image->maxcmpts_,
sizeof(jas_image_cmpt_t *)))) {
jas_image_destroy(image);
return 0;
@@ -426,6 +426,10 @@
return -1;
}
+ if (!data->rows_) {
+ return -1;
+ }
+
if (jas_matrix_numrows(data) != height || jas_matrix_numcols(data) != width) {
if (jas_matrix_resize(data, height, width)) {
return -1;
@@ -479,6 +483,10 @@
return -1;
}
+ if (!data->rows_) {
+ return -1;
+ }
+
if (jas_matrix_numrows(data) != height || jas_matrix_numcols(data) != width) {
return -1;
}
@@ -774,8 +782,7 @@
jas_image_cmpt_t **newcmpts;
int cmptno;
- newcmpts = (!image->cmpts_) ? jas_malloc(maxcmpts * sizeof(jas_image_cmpt_t *)) :
- jas_realloc(image->cmpts_, maxcmpts * sizeof(jas_image_cmpt_t *));
+ newcmpts = jas_realloc2(image->cmpts_, maxcmpts, sizeof(jas_image_cmpt_t *));
if (!newcmpts) {
return -1;
}
|