diff options
Diffstat (limited to 'gnu/packages/patches/jasper-CVE-2016-2089.patch')
| -rw-r--r-- | gnu/packages/patches/jasper-CVE-2016-2089.patch | 90 |
1 files changed, 90 insertions, 0 deletions
diff --git a/gnu/packages/patches/jasper-CVE-2016-2089.patch b/gnu/packages/patches/jasper-CVE-2016-2089.patch new file mode 100644 index 0000000000..95d4b61111 --- /dev/null +++ b/gnu/packages/patches/jasper-CVE-2016-2089.patch @@ -0,0 +1,90 @@ +Description: CVE-2016-2089: matrix rows_ NULL pointer dereference in jas_matrix_clip() +Origin: vendor +Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1302636 +Bug-Debian: https://bugs.debian.org/812978 +Forwarded: not-needed +Author: Tomas Hoger <thoger@redhat.com> +Reviewed-by: Salvatore Bonaccorso <carnil@debian.org> +Last-Update: 2016-03-05 + +--- a/src/libjasper/base/jas_image.c ++++ b/src/libjasper/base/jas_image.c +@@ -426,6 +426,10 @@ int jas_image_readcmpt(jas_image_t *imag + return -1; + } + ++ if (!data->rows_) { ++ return -1; ++ } ++ + if (jas_matrix_numrows(data) != height || jas_matrix_numcols(data) != width) { + if (jas_matrix_resize(data, height, width)) { + return -1; +@@ -479,6 +483,10 @@ int jas_image_writecmpt(jas_image_t *ima + return -1; + } + ++ if (!data->rows_) { ++ return -1; ++ } ++ + if (jas_matrix_numrows(data) != height || jas_matrix_numcols(data) != width) { + return -1; + } +--- a/src/libjasper/base/jas_seq.c ++++ b/src/libjasper/base/jas_seq.c +@@ -262,6 +262,10 @@ void jas_matrix_divpow2(jas_matrix_t *ma + int rowstep; + jas_seqent_t *data; + ++ if (!matrix->rows_) { ++ return; ++ } ++ + rowstep = jas_matrix_rowstep(matrix); + for (i = matrix->numrows_, rowstart = matrix->rows_[0]; i > 0; --i, + rowstart += rowstep) { +@@ -282,6 +286,10 @@ void jas_matrix_clip(jas_matrix_t *matri + jas_seqent_t *data; + int rowstep; + ++ if (!matrix->rows_) { ++ return; ++ } ++ + rowstep = jas_matrix_rowstep(matrix); + for (i = matrix->numrows_, rowstart = matrix->rows_[0]; i > 0; --i, + rowstart += rowstep) { +@@ -306,6 +314,10 @@ void jas_matrix_asr(jas_matrix_t *matrix + int rowstep; + jas_seqent_t *data; + ++ if (!matrix->rows_) { ++ return; ++ } ++ + assert(n >= 0); + rowstep = jas_matrix_rowstep(matrix); + for (i = matrix->numrows_, rowstart = matrix->rows_[0]; i > 0; --i, +@@ -325,6 +337,10 @@ void jas_matrix_asl(jas_matrix_t *matrix + int rowstep; + jas_seqent_t *data; + ++ if (!matrix->rows_) { ++ return; ++ } ++ + rowstep = jas_matrix_rowstep(matrix); + for (i = matrix->numrows_, rowstart = matrix->rows_[0]; i > 0; --i, + rowstart += rowstep) { +@@ -367,6 +383,10 @@ void jas_matrix_setall(jas_matrix_t *mat + int rowstep; + jas_seqent_t *data; + ++ if (!matrix->rows_) { ++ return; ++ } ++ + rowstep = jas_matrix_rowstep(matrix); + for (i = matrix->numrows_, rowstart = matrix->rows_[0]; i > 0; --i, + rowstart += rowstep) { |