From d5372ddd3f812c2d14527f2be00d45a2cc430b29 Mon Sep 17 00:00:00 2001
From: Josef Ridky
Date: Tue, 11 Oct 2016 08:43:25 +0200
Subject: [PATCH] Resolves: #1302636 - CVE-2016-2089 matrix rows_ NULL pointer dereference in jas_matrix_clip()
---
 ...-CVE-2016-2089-matrix-rows-NULL-check.diff | 83 +++++++++++++++++++
 jasper.spec | 7 +-
 2 files changed, 89 insertions(+), 1 deletion(-)
 create mode 100644 jasper-CVE-2016-2089-matrix-rows-NULL-check.diff
diff --git a/jasper-CVE-2016-2089-matrix-rows-NULL-check.diff b/jasper-CVE-2016-2089-matrix-rows-NULL-check.diff
new file mode 100644
index 0000000..f978958
--- /dev/null
+++ b/jasper-CVE-2016-2089-matrix-rows-NULL-check.diff
@@ -0,0 +1,83 @@
+diff -pru jasper-1.900.1.orig/src/libjasper/base/jas_image.c jasper-1.900.1/src/libjasper/base/jas_image.c
+--- jasper-1.900.1.orig/src/libjasper/base/jas_image.c 2016-02-01 14:53:56.000000000 +0100
++++ jasper-1.900.1/src/libjasper/base/jas_image.c 2016-02-01 21:49:58.746006339 +0100
+@@ -433,6 +433,10 @@ int jas_image_readcmpt(jas_image_t *imag
+ return -1;
+ }
+ 
++ if (!data->rows_) {
++ return -1;
++ }
++ 
+ if (jas_matrix_numrows(data) != height || jas_matrix_numcols(data) != width) {
+ if (jas_matrix_resize(data, height, width)) {
+ return -1;
+@@ -486,6 +490,10 @@ int jas_image_writecmpt(jas_image_t *ima
+ return -1;
+ }
+ 
++ if (!data->rows_) {
++ return -1;
++ }
++ 
+ if (jas_matrix_numrows(data) != height || jas_matrix_numcols(data) != width) {
+ return -1;
+ }
+diff -pru jasper-1.900.1.orig/src/libjasper/base/jas_seq.c jasper-1.900.1/src/libjasper/base/jas_seq.c
+--- jasper-1.900.1.orig/src/libjasper/base/jas_seq.c 2016-02-01 14:53:56.000000000 +0100
++++ jasper-1.900.1/src/libjasper/base/jas_seq.c 2016-02-01 21:53:45.149193159 +0100
+@@ -266,6 +266,10 @@ void jas_matrix_divpow2(jas_matrix_t *ma
+ int rowstep;
+ jas_seqent_t *data;
+ 
++ if (!matrix->rows_) {
++ return;
++ }
++ 
+ rowstep = jas_matrix_rowstep(matrix);
+ for (i = matrix->numrows_, rowstart = matrix->rows_[0]; i > 0; --i,
+ rowstart += rowstep) {
+@@ -286,6 +290,10 @@ void jas_matrix_clip(jas_matrix_t *matri
+ jas_seqent_t *data;
+ int rowstep;
+ 
++ if (!matrix->rows_) {
++ return;
++ }
++ 
+ rowstep = jas_matrix_rowstep(matrix);
+ for (i = matrix->numrows_, rowstart = matrix->rows_[0]; i > 0; --i,
+ rowstart += rowstep) {
+@@ -310,6 +318,10 @@ void jas_matrix_asr(jas_matrix_t *matrix
+ int rowstep;
+ jas_seqent_t *data;
+ 
++ if (!matrix->rows_) {
++ return;
++ }
++ 
+ assert(n >= 0);
+ rowstep = jas_matrix_rowstep(matrix);
+ for (i = matrix->numrows_, rowstart = matrix->rows_[0]; i > 0; --i,
+@@ -329,6 +341,10 @@ void jas_matrix_asl(jas_matrix_t *matrix
+ int rowstep;
+ jas_seqent_t *data;
+ 
++ if (!matrix->rows_) {
++ return;
++ }
++ 
+ rowstep = jas_matrix_rowstep(matrix);
+ for (i = matrix->numrows_, rowstart = matrix->rows_[0]; i > 0; --i,
+ rowstart += rowstep) {
+@@ -371,6 +387,10 @@ void jas_matrix_setall(jas_matrix_t *mat
+ int rowstep;
+ jas_seqent_t *data;
+ 
++ if (!matrix->rows_) {
++ return;
++ }
++ 
+ rowstep = jas_matrix_rowstep(matrix);
+ for (i = matrix->numrows_, rowstart = matrix->rows_[0]; i > 0; --i,
+ rowstart += rowstep) {
diff --git a/jasper.spec b/jasper.spec
index 39f5e38..93e0311 100644
--- a/jasper.spec
+++ b/jasper.spec
@@ -7,7 +7,7 @@ Summary: Implementation of the JPEG-2000 standard, Part 1
 Name: jasper
 Group: System Environment/Libraries
 Version: 1.900.2
-Release: 1%{?dist}
+Release: 2%{?dist}
 
 %if "%{version}" >= "1.900.2"
 %define ext .tar.gz
@@ -28,6 +28,7 @@ Patch1: patch-libjasper-stepsizes-overflow.diff
 Patch2: jasper-1.900.1-CVE-2008-3520.patch
 Patch3: jasper-1.900.1-CVE-2011-4516-CVE-2011-4517-CERT-VU-887409.patch
 Patch4: jasper-CVE-2014-8137.patch
+Patch5: jasper-CVE-2016-2089-matrix-rows-NULL-check.diff
 
 # Issues found by static analysis of code
 Patch110: jasper-1.900.1-Coverity-NULL_RETURNS.patch
@@ -82,6 +83,7 @@ Requires: %{name}-libs%{?_isa} = %{version}-%{release}
 %patch2 -p1 -b .CVE-2008-3520
 %patch3 -p1 -b .CVE-2011-4516-4517
 %patch4 -p1 -b .CVE-2014-8137-variant2
+%patch5 -p1 -b .CVE-2016-2089
 %patch110 -p1 -b .NULL_RETURNS
 %patch111 -p1 -b .RESOURCE_LEAK
 
@@ -155,6 +157,9 @@ make check
 %changelog
+* Tue Oct 11 2016 Josef Ridky - 1.900.2-2
+- CVE-2016-2089 - matrix rows_ NULL pointer dereference in jas_matrix_clip() (#1302636)
+
 * Mon Oct 10 2016 Josef Ridky - 1.900.2-1
 - New upstream release 1.900.2 (#1382188)
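Review bot: The guard added before each row loop in jas_seq.c (the divpow2, clip, asr, asl and setall hunks) tests rows_ alone, while the loop initializer it protects, `rowstart = matrix->rows_[0]`, executes before the `i > 0` condition is ever evaluated; the NULL check therefore covers a matrix whose row table was never allocated, but a matrix with numrows_ == 0 and a non-NULL rows_, if one can exist, would still index an empty row table. Guarding on the count as well, `if (!matrix->rows_ || matrix->numrows_ <= 0) { return; }`, closes both shapes with the same early return. The check also deserves a one-line comment recording why it exists, since the rationale lives only in the commit subject: `/* rows_ may be NULL for a matrix without rows; the loop below reads rows_[0] unconditionally. */`. The readcmpt/writecmpt guards in jas_image.c return -1 ahead of the dimension check, so in readcmpt an unallocated matrix now yields an error instead of reaching jas_matrix_resize; whether that is the intended behaviour for callers is not visible here. Every enclosing function starts and ends outside its hunk.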