Resolves: #1298138 - CVE-2016-1867 - out-of-bounds read in the jpc_pi_nextcprl() function

jasper-CVE-2016-1867.patch

@@ -0,0 +1,12 @@
+diff -urNp jasper-1.900.1.orig/src/libjasper/jpc/jpc_t2cod.c jasper-1.900.1.new/src/libjasper/jpc/jpc_t2cod.c
+--- jasper-1.900.1.orig/src/libjasper/jpc/jpc_t2cod.c	2016-08-11 14:34:31.795661973 +0200
++++ jasper-1.900.1.new/src/libjasper/jpc/jpc_t2cod.c	2016-08-12 07:02:40.044860209 +0200
+@@ -429,7 +429,7 @@ static int jpc_pi_nextcprl(register jpc_
+ 	}
+ 
+ 	for (pi->compno = pchg->compnostart, pi->picomp =
+-	  &pi->picomps[pi->compno]; pi->compno < JAS_CAST(int, pchg->compnoend); ++pi->compno,
++	  &pi->picomps[pi->compno]; pi->compno < JAS_CAST(int, pchg->compnoend) && pi->compno < pi->numcomps; ++pi->compno,
+ 	  ++pi->picomp) {
+ 		pirlvl = pi->picomp->pirlvls;
+ 		pi->xstep = pi->picomp->hsamp * (1 << (pirlvl->prcwidthexpn +

jasper.spec

@@ -39,6 +39,7 @@ Patch12: jasper-CVE-2014-8157.patch
 Patch13: jasper-CVE-2014-8158.patch
 Patch14: jasper-CVE-2015-5203.patch
 Patch15: jasper-CVE-2015-5221.patch
+Patch16: jasper-CVE-2016-1867.patch
 
 # Issues found by static analysis of code
 Patch110: jasper-1.900.1-Coverity-BAD_SIZEOF.patch
@@ -108,6 +109,7 @@ Requires: %{name}-libs%{?_isa} = %{version}-%{release}
 %patch13 -p1 -b .CVE-2014-8158
 %patch14 -p1 -b .CVE-2015-5203
 %patch15 -p1 -b .CVE-2015-5221
+%patch16 -p1 -b .CVE-2016-1867
 
 %patch110 -p1 -b .BAD_SIZEOF
 %patch111 -p1 -b .CHECKED_RETURN
@@ -185,9 +187,10 @@ make check
 
 
 %changelog
-* Thu Aug 11 2016 Josef Ridky <jridky@redhat.com> - 1.900.1-33
+* Fri Aug 12 2016 Josef Ridky <jridky@redhat.com> - 1.900.1-33
 - CVE-2015-5203 - double free in jasper_image_stop_load() (#1254244)
 - CVE-2015-5221 - Use-after-free and double-free flaws (#1255714)
+- CVE-2016-1867 - out-of-bounds read in the jpc_pi_nextcprl() function (#1298138)
 
 * Thu Feb 04 2016 Fedora Release Engineering <releng@fedoraproject.org> - 1.900.1-32
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild