Commit | Line | Data |
---|---|---|
90bcecc5 LF |
1 | Fix CVE-2011-4516 and CVE-2011-4517 (heap buffer overflow flaws lead to |
2 | arbitrary code execution). | |
3 | ||
4 | Copied from Fedora. | |
5 | ||
6 | http://pkgs.fedoraproject.org/cgit/rpms/jasper.git/tree/jasper-1.900.1-CVE-2011-4516-CVE-2011-4517-CERT-VU-887409.patch | |
7 | https://bugzilla.redhat.com/show_bug.cgi?id=747726 | |
8 | ||
9 | diff -up jasper-1.900.1/src/libjasper/jpc/jpc_cs.c.CERT-VU-887409 jasper-1.900.1/src/libjasper/jpc/jpc_cs.c | |
10 | --- jasper-1.900.1/src/libjasper/jpc/jpc_cs.c.CERT-VU-887409 2011-10-25 17:25:39.000000000 +0200 | |
11 | +++ jasper-1.900.1/src/libjasper/jpc/jpc_cs.c 2011-10-25 17:29:14.379371908 +0200 | |
12 | @@ -744,6 +744,10 @@ static int jpc_cox_getcompparms(jpc_ms_t | |
13 | return -1; | |
14 | } | |
15 | compparms->numrlvls = compparms->numdlvls + 1; | |
16 | + if (compparms->numrlvls > JPC_MAXRLVLS) { | |
17 | + jpc_cox_destroycompparms(compparms); | |
18 | + return -1; | |
19 | + } | |
20 | if (prtflag) { | |
21 | for (i = 0; i < compparms->numrlvls; ++i) { | |
22 | if (jpc_getuint8(in, &tmp)) { | |
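Review bot: The added bound `if (compparms->numrlvls > JPC_MAXRLVLS)` tests the derived count rather than the value read from the stream, so it relies on `compparms->numdlvls + 1` not wrapping. The field declarations are outside this hunk, but if `numrlvls` is an 8-bit type, the largest `numdlvls` would wrap to 0 and pass the check, leaving the two fields inconsistent for later users. Rejecting the input before the addition covers the same range without depending on the field width: `if (compparms->numdlvls >= JPC_MAXRLVLS) { jpc_cox_destroycompparms(compparms); return -1; }`. A short comment such as `/* reject before the prtflag loop indexes per-level storage sized by JPC_MAXRLVLS */` would record why the check must stay ahead of the loop; that storage is presumably a fixed-size array, which is not shown here. jpc_cox_getcompparms begins and ends outside the hunk.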
23 | @@ -1331,7 +1335,7 @@ static int jpc_crg_getparms(jpc_ms_t *ms | |
24 | jpc_crgcomp_t *comp; | |
25 | uint_fast16_t compno; | |
26 | crg->numcomps = cstate->numcomps; | |
27 | - if (!(crg->comps = jas_alloc2(cstate->numcomps, sizeof(uint_fast16_t)))) { | |
28 | + if (!(crg->comps = jas_alloc2(cstate->numcomps, sizeof(jpc_crgcomp_t)))) { | |
29 | return -1; | |
30 | } | |
31 | for (compno = 0, comp = crg->comps; compno < cstate->numcomps; |
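Review bot: The corrected `jas_alloc2` call still spells the element size as a type name, which is the pattern that allowed the earlier `sizeof(uint_fast16_t)` mismatch. Writing it as `jas_alloc2(cstate->numcomps, sizeof(*crg->comps))` ties the size to the pointer being assigned, so the allocation cannot drift from the element type again. The loop that follows walks `cstate->numcomps` entries starting at `crg->comps`, so it is also worth confirming that `jas_alloc2` fails cleanly when the count-times-size product overflows; its definition is not visible on this page. jpc_crg_getparms continues past the end of the hunk.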