SUSE:SLE-12-SP1:Update
jasper.22852
jasper-CVE-2016-9583.patch
File jasper-CVE-2016-9583.patch of Package jasper.22852
--- jasper-1.900.14/src/libjasper/include/jasper/jas_types.h 2017-03-22 10:14:30.098037013 +0100 +++ jasper-1.900.14/src/libjasper/include/jasper/jas_types.h 2017-03-22 10:15:11.619685037 +0100 @@ -128,6 +128,10 @@ #define JAS_CAST(t, e) \ ((t) (e)) +/* The number of bits in the integeral type uint_fast32_t. */ +/* NOTE: This could underestimate the size on some exotic architectures. */ +#define JAS_UINTFAST32_NUMBITS (8 * sizeof(uint_fast32_t)) + #ifdef __cplusplus extern "C" { #endif --- jasper-1.900.14/src/libjasper/jpc/jpc_t2cod.c 2017-03-22 10:14:30.102037013 +0100 +++ jasper-1.900.14/src/libjasper/jpc/jpc_t2cod.c 2017-03-22 10:15:11.619685037 +0100 @@ -200,7 +200,8 @@ JAS_CAST(int, pchg->lyrnoend); ++pi->lyrno) { for (pi->compno = pchg->compnostart, pi->picomp = &pi->picomps[pi->compno]; pi->compno < pi->numcomps && - pi->compno < JAS_CAST(int, pchg->compnoend); ++pi->compno, ++pi->picomp) { + pi->compno < JAS_CAST(int, pchg->compnoend); ++pi->compno, + ++pi->picomp) { if (pi->rlvlno >= pi->picomp->numrlvls) { continue; } @@ -249,10 +250,17 @@ ++compno, ++picomp) { for (rlvlno = 0, pirlvl = picomp->pirlvls; rlvlno < picomp->numrlvls; ++rlvlno, ++pirlvl) { - xstep = picomp->hsamp * (1 << (pirlvl->prcwidthexpn + - picomp->numrlvls - rlvlno - 1)); - ystep = picomp->vsamp * (1 << (pirlvl->prcheightexpn + - picomp->numrlvls - rlvlno - 1)); + // Check for the potential for overflow problems. + if (pirlvl->prcwidthexpn + pi->picomp->numrlvls > + JAS_UINTFAST32_NUMBITS - 2 || + pirlvl->prcheightexpn + pi->picomp->numrlvls > + JAS_UINTFAST32_NUMBITS - 2) { + return -1; + } + xstep = picomp->hsamp * (JAS_CAST(uint_fast32_t, 1) << + (pirlvl->prcwidthexpn + picomp->numrlvls - rlvlno - 1)); + ystep = picomp->vsamp * (JAS_CAST(uint_fast32_t, 1) << + (pirlvl->prcheightexpn + picomp->numrlvls - rlvlno - 1)); pi->xstep = (!pi->xstep) ? xstep : JAS_MIN(pi->xstep, xstep); pi->ystep = (!pi->ystep) ? ystep : JAS_MIN(pi->ystep, ystep); } 
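Review bot: `JAS_UINTFAST32_NUMBITS` in the jas_types.h hunk hard-codes 8 bits per byte and evaluates to a `size_t`, and the comment documents neither. `CHAR_BIT * sizeof(uint_fast32_t)` would remove the first assumption, provided `<limits.h>` is available to this header, which the hunk does not show. Because the value is unsigned, every guard of the form `expn + numrlvls > JAS_UINTFAST32_NUMBITS - 2` is an unsigned comparison; if the exponent fields are signed, a negative sum is rejected as a very large value, which is the safe direction but should be stated. Suggested comment: `/* Bit width of uint_fast32_t; has type size_t, so comparisons against it are unsigned. */` (this also fixes the "integeral" typo).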
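Review bot: The overflow guard added in the -249 hunk of jpc_t2cod.c reads `pi->picomp->numrlvls`, but the enclosing loops iterate with the locals `picomp` and `pirlvl`, and the shifts right below use `picomp->numrlvls`. The equivalent guard in the -341 hunk uses `picomp->numrlvls`, so this looks like a copy slip. What `pi->picomp` points to while this initialisation runs is not visible (the function starts outside the hunk), so the guard may test a different component or dereference a pointer that is not yet set. Change the two conditions to `pirlvl->prcwidthexpn + picomp->numrlvls > JAS_UINTFAST32_NUMBITS - 2` and `pirlvl->prcheightexpn + picomp->numrlvls > JAS_UINTFAST32_NUMBITS - 2`.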
@@ -282,21 +290,24 @@ rpy = r + pi->pirlvl->prcheightexpn; trx0 = JPC_CEILDIV(pi->xstart, pi->picomp->hsamp << r); try0 = JPC_CEILDIV(pi->ystart, pi->picomp->vsamp << r); - if (((pi->x == pi->xstart && ((trx0 << r) % (1 << rpx))) - || !(pi->x % (1 << rpx))) && - ((pi->y == pi->ystart && ((try0 << r) % (1 << rpy))) - || !(pi->y % (1 << rpy)))) { - prchind = JPC_FLOORDIVPOW2(JPC_CEILDIV(pi->x, pi->picomp->hsamp - << r), pi->pirlvl->prcwidthexpn) - JPC_FLOORDIVPOW2(trx0, - pi->pirlvl->prcwidthexpn); - prcvind = JPC_FLOORDIVPOW2(JPC_CEILDIV(pi->y, pi->picomp->vsamp - << r), pi->pirlvl->prcheightexpn) - JPC_FLOORDIVPOW2(try0, - pi->pirlvl->prcheightexpn); + if (((pi->x == pi->xstart && + ((trx0 << r) % (JAS_CAST(uint_fast32_t, 1) << rpx))) + || !(pi->x % (JAS_CAST(uint_fast32_t, 1) << rpx))) && + ((pi->y == pi->ystart && + ((try0 << r) % (JAS_CAST(uint_fast32_t, 1) << rpy))) + || !(pi->y % (JAS_CAST(uint_fast32_t, 1) << rpy)))) { + prchind = JPC_FLOORDIVPOW2(JPC_CEILDIV(pi->x, + pi->picomp->hsamp << r), pi->pirlvl->prcwidthexpn) - + JPC_FLOORDIVPOW2(trx0, pi->pirlvl->prcwidthexpn); + prcvind = JPC_FLOORDIVPOW2(JPC_CEILDIV(pi->y, + pi->picomp->vsamp << r), pi->pirlvl->prcheightexpn) - + JPC_FLOORDIVPOW2(try0, pi->pirlvl->prcheightexpn); pi->prcno = prcvind * pi->pirlvl->numhprcs + prchind; assert(pi->prcno < pi->pirlvl->numprcs); for (pi->lyrno = 0; pi->lyrno < - pi->numlyrs && pi->lyrno < JAS_CAST(int, pchg->lyrnoend); ++pi->lyrno) { + pi->numlyrs && pi->lyrno < JAS_CAST(int, + pchg->lyrnoend); ++pi->lyrno) { prclyrno = &pi->pirlvl->prclyrnos[pi->prcno]; if (pi->lyrno >= *prclyrno) { ++(*prclyrno); 
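Review bot: The only bound on `pi->prcno` before it indexes `pi->pirlvl->prclyrnos[pi->prcno]` is `assert(pi->prcno < pi->pirlvl->numprcs);`. An assert is compiled out under `NDEBUG` and otherwise aborts the process, so a malformed codestream gets either an unchecked index or a crash. Since `prchind` and `prcvind` derive from the same stream-controlled exponents this patch guards elsewhere, a runtime check such as `if (pi->prcno >= pi->pirlvl->numprcs) { return -1; }` would be consistent with the `return -1` error path the other hunks add, assuming this function shares that convention (its signature is outside the hunk). The same assert-then-index sequence appears in the -377 and -461 hunks.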
@@ -341,16 +352,19 @@ ++compno, ++picomp) { for (rlvlno = 0, pirlvl = picomp->pirlvls; rlvlno < picomp->numrlvls; ++rlvlno, ++pirlvl) { - xstep = picomp->hsamp * (1 << - (pirlvl->prcwidthexpn + picomp->numrlvls - - rlvlno - 1)); - ystep = picomp->vsamp * (1 << - (pirlvl->prcheightexpn + picomp->numrlvls - - rlvlno - 1)); - pi->xstep = (!pi->xstep) ? xstep : - JAS_MIN(pi->xstep, xstep); - pi->ystep = (!pi->ystep) ? ystep : - JAS_MIN(pi->ystep, ystep); + // Check for the potential for overflow problems. + if (pirlvl->prcwidthexpn + picomp->numrlvls > + JAS_UINTFAST32_NUMBITS - 2 || + pirlvl->prcheightexpn + picomp->numrlvls > + JAS_UINTFAST32_NUMBITS - 2) { + return -1; + } + xstep = picomp->hsamp * (JAS_CAST(uint_fast32_t, 1) << + (pirlvl->prcwidthexpn + picomp->numrlvls - rlvlno - 1)); + ystep = picomp->vsamp * (JAS_CAST(uint_fast32_t, 1) << + (pirlvl->prcheightexpn + picomp->numrlvls - rlvlno - 1)); + pi->xstep = (!pi->xstep) ? xstep : JAS_MIN(pi->xstep, xstep); + pi->ystep = (!pi->ystep) ? ystep : JAS_MIN(pi->ystep, ystep); } } pi->prgvolfirst = 0; 
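Review bot: The new guard bounds only the shift count, so the multiplication that follows can still wrap. At the largest exponent the guard admits (`JAS_UINTFAST32_NUMBITS - 3`), any `picomp->hsamp` or `picomp->vsamp` of 8 or more overflows `uint_fast32_t`, and the product can become 0. That value is stored in `pi->xstep`/`pi->ystep`; how those are consumed and the declared type of `xstep`/`ystep` are both outside the hunk. Consider rejecting the case before multiplying, e.g. `if (picomp->hsamp > (UINT_FAST32_MAX >> expn)) { return -1; }` with `expn` being the computed shift, and likewise for `vsamp`. The -249 and -428 hunks compute the steps the same way.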
@@ -377,20 +391,23 @@ try0 = JPC_CEILDIV(pi->ystart, pi->picomp->vsamp << r); rpx = r + pi->pirlvl->prcwidthexpn; rpy = r + pi->pirlvl->prcheightexpn; - if (((pi->x == pi->xstart && ((trx0 << r) % (1 << rpx))) || + if (((pi->x == pi->xstart && + ((trx0 << r) % (JAS_CAST(uint_fast32_t, 1) << rpx))) || !(pi->x % (pi->picomp->hsamp << rpx))) && - ((pi->y == pi->ystart && ((try0 << r) % (1 << rpy))) || + ((pi->y == pi->ystart && + ((try0 << r) % (JAS_CAST(uint_fast32_t, 1) << rpy))) || !(pi->y % (pi->picomp->vsamp << rpy)))) { - prchind = JPC_FLOORDIVPOW2(JPC_CEILDIV(pi->x, pi->picomp->hsamp - << r), pi->pirlvl->prcwidthexpn) - JPC_FLOORDIVPOW2(trx0, - pi->pirlvl->prcwidthexpn); - prcvind = JPC_FLOORDIVPOW2(JPC_CEILDIV(pi->y, pi->picomp->vsamp - << r), pi->pirlvl->prcheightexpn) - JPC_FLOORDIVPOW2(try0, - pi->pirlvl->prcheightexpn); + prchind = JPC_FLOORDIVPOW2(JPC_CEILDIV(pi->x, + pi->picomp->hsamp << r), pi->pirlvl->prcwidthexpn) - + JPC_FLOORDIVPOW2(trx0, pi->pirlvl->prcwidthexpn); + prcvind = JPC_FLOORDIVPOW2(JPC_CEILDIV(pi->y, + pi->picomp->vsamp << r), pi->pirlvl->prcheightexpn) - + JPC_FLOORDIVPOW2(try0, pi->pirlvl->prcheightexpn); pi->prcno = prcvind * pi->pirlvl->numhprcs + prchind; assert(pi->prcno < pi->pirlvl->numprcs); for (pi->lyrno = 0; pi->lyrno < pi->numlyrs && - pi->lyrno < JAS_CAST(int, pchg->lyrnoend); ++pi->lyrno) { + pi->lyrno < JAS_CAST(int, pchg->lyrnoend); + ++pi->lyrno) { prclyrno = &pi->pirlvl->prclyrnos[pi->prcno]; if (pi->lyrno >= *prclyrno) { ++(*prclyrno); 
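Review bot: `!(pi->x % (pi->picomp->hsamp << rpx))` and `!(pi->y % (pi->picomp->vsamp << rpy))` still shift in the type of `hsamp`/`vsamp`, while the neighbouring `1 << rpx` and `1 << rpy` were widened to `uint_fast32_t`. If those fields are narrower than `uint_fast32_t` (their declarations are not in the hunk), a shift count that the new guards accept can reach or exceed their width, which is undefined behaviour, and a result of 0 would make the `%` a division by zero. Widen them the same way: `JAS_CAST(uint_fast32_t, pi->picomp->hsamp) << rpx` and `JAS_CAST(uint_fast32_t, pi->picomp->vsamp) << rpy`. The -461 hunk has the identical expressions.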
@@ -428,10 +445,17 @@ pi->prgvolfirst = 0; } - for (pi->compno = pchg->compnostart, pi->picomp = - &pi->picomps[pi->compno]; pi->compno < JAS_CAST(int, pchg->compnoend) && pi->compno < pi->numcomps; ++pi->compno, - ++pi->picomp) { + for (pi->compno = pchg->compnostart, pi->picomp = &pi->picomps[pi->compno]; + pi->compno < JAS_CAST(int, pchg->compnoend) && pi->compno < pi->numcomps; + ++pi->compno, ++pi->picomp) { pirlvl = pi->picomp->pirlvls; + // Check for the potential for overflow problems. + if (pirlvl->prcwidthexpn + pi->picomp->numrlvls > + JAS_UINTFAST32_NUMBITS - 2 || + pirlvl->prcheightexpn + pi->picomp->numrlvls > + JAS_UINTFAST32_NUMBITS - 2) { + return -1; + } pi->xstep = pi->picomp->hsamp * (JAS_CAST(uint_fast32_t, 1) << (pirlvl->prcwidthexpn + pi->picomp->numrlvls - 1)); pi->ystep = pi->picomp->vsamp * (JAS_CAST(uint_fast32_t, 1) << 
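Review bot: The guard added here checks only the first resolution level of each component (`pirlvl = pi->picomp->pirlvls;`, with no loop over levels), unlike the -249 and -341 hunks, which check every `pirlvl`. The -461 hunk later computes `rpx = r + pi->pirlvl->prcwidthexpn` and shifts by it for whichever level `pi->pirlvl` selects. If that code belongs to the same function and levels can carry different precinct exponents, those shifts are not covered by this guard. Either run the guard over all `numrlvls` levels as the other two initialisation loops do, or record the reasoning with a comment such as `/* Only level 0 is checked: xstep/ystep are derived from it alone. */`. The hunk ends mid-statement, so the rest of the initialisation is not visible.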
@@ -461,23 +485,23 @@ try0 = JPC_CEILDIV(pi->ystart, pi->picomp->vsamp << r); rpx = r + pi->pirlvl->prcwidthexpn; rpy = r + pi->pirlvl->prcheightexpn; - if (((pi->x == pi->xstart && ((trx0 << r) % (1 << rpx))) || + if (((pi->x == pi->xstart && + ((trx0 << r) % (JAS_CAST(uint_fast32_t, 1) << rpx))) || !(pi->x % (pi->picomp->hsamp << rpx))) && - ((pi->y == pi->ystart && ((try0 << r) % (1 << rpy))) || + ((pi->y == pi->ystart && + ((try0 << r) % (JAS_CAST(uint_fast32_t, 1) << rpy))) || !(pi->y % (pi->picomp->vsamp << rpy)))) { - prchind = JPC_FLOORDIVPOW2(JPC_CEILDIV(pi->x, pi->picomp->hsamp - << r), pi->pirlvl->prcwidthexpn) - JPC_FLOORDIVPOW2(trx0, - pi->pirlvl->prcwidthexpn); - prcvind = JPC_FLOORDIVPOW2(JPC_CEILDIV(pi->y, pi->picomp->vsamp - << r), pi->pirlvl->prcheightexpn) - JPC_FLOORDIVPOW2(try0, - pi->pirlvl->prcheightexpn); - pi->prcno = prcvind * - pi->pirlvl->numhprcs + - prchind; - assert(pi->prcno < - pi->pirlvl->numprcs); - for (pi->lyrno = 0; pi->lyrno < - pi->numlyrs && pi->lyrno < JAS_CAST(int, pchg->lyrnoend); ++pi->lyrno) { + prchind = JPC_FLOORDIVPOW2(JPC_CEILDIV(pi->x, + pi->picomp->hsamp << r), pi->pirlvl->prcwidthexpn) - + JPC_FLOORDIVPOW2(trx0, pi->pirlvl->prcwidthexpn); + prcvind = JPC_FLOORDIVPOW2(JPC_CEILDIV(pi->y, + pi->picomp->vsamp << r), pi->pirlvl->prcheightexpn) - + JPC_FLOORDIVPOW2(try0, pi->pirlvl->prcheightexpn); + pi->prcno = prcvind * pi->pirlvl->numhprcs + prchind; + assert(pi->prcno < pi->pirlvl->numprcs); + for (pi->lyrno = 0; pi->lyrno < pi->numlyrs && + pi->lyrno < JAS_CAST(int, pchg->lyrnoend); + ++pi->lyrno) { prclyrno = &pi->pirlvl->prclyrnos[pi->prcno]; if (pi->lyrno >= *prclyrno) { ++(*prclyrno); --- jasper-1.900.14/src/libjasper/jpc/jpc_t2dec.c 2017-03-22 10:14:30.102037013 +0100 +++ jasper-1.900.14/src/libjasper/jpc/jpc_t2dec.c 2017-03-22 10:15:11.619685037 +0100 
@@ -454,8 +454,8 @@ jas_stream_getrwcount(in), jpc_pi_prg(pi), jpc_pi_cmptno(pi), jpc_pi_rlvlno(pi), jpc_pi_prcno(pi), jpc_pi_lyrno(pi)); } - if (jpc_dec_decodepkt(dec, pkthdrstream, in, jpc_pi_cmptno(pi), jpc_pi_rlvlno(pi), - jpc_pi_prcno(pi), jpc_pi_lyrno(pi))) { + if (jpc_dec_decodepkt(dec, pkthdrstream, in, jpc_pi_cmptno(pi), + jpc_pi_rlvlno(pi), jpc_pi_prcno(pi), jpc_pi_lyrno(pi))) { return -1; } ++dec->numpkts;