1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
|
$NetBSD: patch-src_libjasper_base_jas__seq.c,v 1.2 2016/05/16 14:03:40 he Exp $
CVE-2016-2089 denial of service. Via Debian.
Fix CVE-2008-3520, patches from
https://bugs.gentoo.org/show_bug.cgi?id=222819
--- src/libjasper/base/jas_seq.c.old 2016-03-31 14:47:00.000000000 +0200
+++ src/libjasper/base/jas_seq.c 2016-03-31 14:47:50.000000000 +0200
@@ -114,7 +114,7 @@
matrix->datasize_ = numrows * numcols;
if (matrix->maxrows_ > 0) {
- if (!(matrix->rows_ = jas_malloc(matrix->maxrows_ *
+ if (!(matrix->rows_ = jas_alloc2(matrix->maxrows_,
sizeof(jas_seqent_t *)))) {
jas_matrix_destroy(matrix);
return 0;
@@ -122,7 +122,7 @@
}
if (matrix->datasize_ > 0) {
- if (!(matrix->data_ = jas_malloc(matrix->datasize_ *
+ if (!(matrix->data_ = jas_alloc2(matrix->datasize_,
sizeof(jas_seqent_t)))) {
jas_matrix_destroy(matrix);
return 0;
@@ -220,7 +220,7 @@
mat0->numrows_ = r1 - r0 + 1;
mat0->numcols_ = c1 - c0 + 1;
mat0->maxrows_ = mat0->numrows_;
- mat0->rows_ = jas_malloc(mat0->maxrows_ * sizeof(jas_seqent_t *));
+ mat0->rows_ = jas_alloc2(mat0->maxrows_, sizeof(jas_seqent_t *));
for (i = 0; i < mat0->numrows_; ++i) {
mat0->rows_[i] = mat1->rows_[r0 + i] + c0;
}
@@ -262,6 +262,10 @@
int rowstep;
jas_seqent_t *data;
+ if (!matrix->rows_) {
+ return;
+ }
+
rowstep = jas_matrix_rowstep(matrix);
for (i = matrix->numrows_, rowstart = matrix->rows_[0]; i > 0; --i,
rowstart += rowstep) {
@@ -282,6 +286,10 @@
jas_seqent_t *data;
int rowstep;
+ if (!matrix->rows_) {
+ return;
+ }
+
rowstep = jas_matrix_rowstep(matrix);
for (i = matrix->numrows_, rowstart = matrix->rows_[0]; i > 0; --i,
rowstart += rowstep) {
@@ -306,6 +314,10 @@
int rowstep;
jas_seqent_t *data;
+ if (!matrix->rows_) {
+ return;
+ }
+
assert(n >= 0);
rowstep = jas_matrix_rowstep(matrix);
for (i = matrix->numrows_, rowstart = matrix->rows_[0]; i > 0; --i,
@@ -325,6 +337,10 @@
int rowstep;
jas_seqent_t *data;
+ if (!matrix->rows_) {
+ return;
+ }
+
rowstep = jas_matrix_rowstep(matrix);
for (i = matrix->numrows_, rowstart = matrix->rows_[0]; i > 0; --i,
rowstart += rowstep) {
@@ -367,6 +383,10 @@
int rowstep;
jas_seqent_t *data;
+ if (!matrix->rows_) {
+ return;
+ }
+
rowstep = jas_matrix_rowstep(matrix);
for (i = matrix->numrows_, rowstart = matrix->rows_[0]; i > 0; --i,
rowstart += rowstep) {
@@ -432,7 +452,8 @@
for (i = 0; i < jas_matrix_numrows(matrix); ++i) {
for (j = 0; j < jas_matrix_numcols(matrix); ++j) {
x = jas_matrix_get(matrix, i, j);
- sprintf(sbuf, "%s%4ld", (strlen(buf) > 0) ? " " : "",
+ snprintf(sbuf, sizeof sbuf,
+ "%s%4ld", (strlen(buf) > 0) ? " " : "",
JAS_CAST(long, x));
n = strlen(buf);
if (n + strlen(sbuf) > MAXLINELEN) {
|
