From 3dd700edafadf4f8b51289de10306be92f7c8dca Mon Sep 17 00:00:00 2001
From: Josef Ridky
Date: Fri, 25 Aug 2017 13:05:09 +0200
Subject: [PATCH] Resolves: #1472888 - fix CVE-2017-1000050

---
 jasper-2.0.12-CVE-2017-1000050.patch | 15 +++++++++++++++
 jasper.spec | 9 +++++++--
 2 files changed, 22 insertions(+), 2 deletions(-)
 create mode 100644 jasper-2.0.12-CVE-2017-1000050.patch

diff --git a/jasper-2.0.12-CVE-2017-1000050.patch b/jasper-2.0.12-CVE-2017-1000050.patch
new file mode 100644
index 0000000..eee1506
--- /dev/null
+++ b/jasper-2.0.12-CVE-2017-1000050.patch
@@ -0,0 +1,15 @@
+diff -urNp old/src/libjasper/jp2/jp2_enc.c new/src/libjasper/jp2/jp2_enc.c
+--- old/src/libjasper/jp2/jp2_enc.c 2017-08-25 12:49:46.242889564 +0200
++++ new/src/libjasper/jp2/jp2_enc.c 2017-08-25 12:56:41.041654317 +0200
+@@ -115,6 +115,11 @@ int jp2_encode(jas_image_t *image, jas_s
+ iccstream = 0;
+ iccprof = 0;
+ 
++ if (jas_image_numcmpts(image) < 1) {
++ jas_eprintf("image must have at least one component\n");
++ goto error;
++ }
++
+ allcmptssame = 1;
+ sgnd = jas_image_cmptsgnd(image, 0);
+ prec = jas_image_cmptprec(image, 0);
diff --git a/jasper.spec b/jasper.spec
index 1614073..f6c4209 100644
--- a/jasper.spec
+++ b/jasper.spec
@@ -7,7 +7,7 @@ Summary: Implementation of the JPEG-2000 standard, Part 1
 Name: jasper
 Group: System Environment/Libraries
 Version: 2.0.12
-Release: 3%{?dist}
+Release: 4%{?dist}
 
 %if "%{version}" > "1.900.1"
 %define ext .tar.gz
@@ -23,6 +23,7 @@ Source0: http://www.ece.uvic.ca/~frodo/jasper/software/jasper-%{version}%{ext}
 # during the memory allocations
 # https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2008-3520
 Patch1: jasper-1.900.1-CVE-2008-3520.patch
+Patch2: jasper-2.0.12-CVE-2017-1000050.patch
 
 # architecture related patches
 Patch100: jasper-2.0.2-test-ppc64-disable.patch
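Review bot: The guard added to jp2_encode() in the embedded jp2_enc.c patch has no comment linking it to the reads it protects: the context lines right after it call `jas_image_cmptsgnd(image, 0)` and `jas_image_cmptprec(image, 0)`, which index component 0 regardless of the component count. I would put `/* Component 0 is read below; reject images with no components (CVE-2017-1000050). */` above the `if`, so the check is not moved below those calls or dropped when the patch is rebased. The `goto error` target and the rest of jp2_encode() are outside the hunk; `iccstream` and `iccprof` are zeroed just above the guard, but it is worth confirming that everything else the `error` path releases is also initialised by this point.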
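Review bot: `Patch2` is declared without a comment of its own, directly under the description and Bugzilla link that belong to `Patch1`, so the CVE-2008-3520 text now reads as if it covered both patches. Add a line above it such as `# CVE-2017-1000050: NULL pointer exception in jp2_encode() (#1472888)`, separated from the Patch1 block. If the fix was taken from an upstream change, naming that source in the same comment would let a later rebase tell whether the patch can be dropped.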
@@ -73,6 +74,7 @@ Requires: %{name}-libs%{?_isa} = %{version}-%{release}
 %prep
 %setup -q -n %{name}-%{version}
 %patch1 -p1 -b .CVE-2008-3520
+%patch2 -p1 -b .CVE-2017-1000050
 
 # Need to disable one test to be able to build it on ppc64 arch
 # At ppc64 this test just stuck (nothing happend - no exception or error)
@@ -150,6 +152,9 @@ popd
 
 
 %changelog
+* Fri Aug 25 2017 Josef Ridky - 2.0.12-4
+- CVE-2017-1000050 jasper: NULL pointer exception in jp2_encode() (#1472888)
+
 * Wed Aug 02 2017 Fedora Release Engineering - 2.0.12-3
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
 
@@ -162,7 +167,7 @@ popd
 * Fri Feb 10 2017 Fedora Release Engineering - 2.0.10-2
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
 
-* Thu Jan 17 2017 Josef Ridky - 2.0.10-1
+* Tue Jan 17 2017 Josef Ridky - 2.0.10-1
 - New upstream release 2.0.10 (#1403401)
 
 * Thu Dec 1 2016 Josef Ridky - 2.0.2-1