blob: 98382478941be7380d0f8a8e239a86ff0c4d91da (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
|
Fix CVE-2007-2721 (heap corruption in jpc_qcx_getcompparms()).
Copied from Fedora.
http://pkgs.fedoraproject.org/cgit/rpms/jasper.git/tree/patch-libjasper-stepsizes-overflow.diff
--- jasper-1.900.1.orig/src/libjasper/jpc/jpc_cs.c 2007-01-19 22:43:07.000000000 +0100
+++ jasper-1.900.1/src/libjasper/jpc/jpc_cs.c 2007-04-06 01:29:02.000000000 +0200
@@ -982,7 +982,10 @@ static int jpc_qcx_getcompparms(jpc_qcxc
compparms->numstepsizes = (len - n) / 2;
break;
}
- if (compparms->numstepsizes > 0) {
+ if (compparms->numstepsizes > 3 * JPC_MAXRLVLS + 1) {
+ jpc_qcx_destroycompparms(compparms);
+ return -1;
+ } else if (compparms->numstepsizes > 0) {
compparms->stepsizes = jas_malloc(compparms->numstepsizes *
sizeof(uint_fast16_t));
assert(compparms->stepsizes);
|