Resolves: #1302636 - CVE-2016-2089 matrix rows_ NULL pointer dereference in jas_matrix_clip()

jasper-CVE-2016-2089-matrix-rows-NULL-check.diff

@@ -0,0 +1,83 @@
+diff -pru jasper-1.900.1.orig/src/libjasper/base/jas_image.c jasper-1.900.1/src/libjasper/base/jas_image.c
+--- jasper-1.900.1.orig/src/libjasper/base/jas_image.c	2016-02-01 14:53:56.000000000 +0100
++++ jasper-1.900.1/src/libjasper/base/jas_image.c	2016-02-01 21:49:58.746006339 +0100
+@@ -433,6 +433,10 @@ int jas_image_readcmpt(jas_image_t *imag
+ 		return -1;
+ 	}
+ 
++	if (!data->rows_) {
++		return -1;
++	}
++
+ 	if (jas_matrix_numrows(data) != height || jas_matrix_numcols(data) != width) {
+ 		if (jas_matrix_resize(data, height, width)) {
+ 			return -1;
+@@ -486,6 +490,10 @@ int jas_image_writecmpt(jas_image_t *ima
+ 		return -1;
+ 	}
+ 
++	if (!data->rows_) {
++		return -1;
++	}
++
+ 	if (jas_matrix_numrows(data) != height || jas_matrix_numcols(data) != width) {
+ 		return -1;
+ 	}
+diff -pru jasper-1.900.1.orig/src/libjasper/base/jas_seq.c jasper-1.900.1/src/libjasper/base/jas_seq.c
+--- jasper-1.900.1.orig/src/libjasper/base/jas_seq.c	2016-02-01 14:53:56.000000000 +0100
++++ jasper-1.900.1/src/libjasper/base/jas_seq.c	2016-02-01 21:53:45.149193159 +0100
+@@ -266,6 +266,10 @@ void jas_matrix_divpow2(jas_matrix_t *ma
+ 	int rowstep;
+ 	jas_seqent_t *data;
+ 
++	if (!matrix->rows_) {
++		return;
++	}
++
+ 	rowstep = jas_matrix_rowstep(matrix);
+ 	for (i = matrix->numrows_, rowstart = matrix->rows_[0]; i > 0; --i,
+ 	  rowstart += rowstep) {
+@@ -286,6 +290,10 @@ void jas_matrix_clip(jas_matrix_t *matri
+ 	jas_seqent_t *data;
+ 	int rowstep;
+ 
++	if (!matrix->rows_) {
++		return;
++	}
++
+ 	rowstep = jas_matrix_rowstep(matrix);
+ 	for (i = matrix->numrows_, rowstart = matrix->rows_[0]; i > 0; --i,
+ 	  rowstart += rowstep) {
+@@ -310,6 +318,10 @@ void jas_matrix_asr(jas_matrix_t *matrix
+ 	int rowstep;
+ 	jas_seqent_t *data;
+ 
++	if (!matrix->rows_) {
++		return;
++	}
++
+ 	assert(n >= 0);
+ 	rowstep = jas_matrix_rowstep(matrix);
+ 	for (i = matrix->numrows_, rowstart = matrix->rows_[0]; i > 0; --i,
+@@ -329,6 +341,10 @@ void jas_matrix_asl(jas_matrix_t *matrix
+ 	int rowstep;
+ 	jas_seqent_t *data;
+ 
++	if (!matrix->rows_) {
++		return;
++	}
++
+ 	rowstep = jas_matrix_rowstep(matrix);
+ 	for (i = matrix->numrows_, rowstart = matrix->rows_[0]; i > 0; --i,
+ 	  rowstart += rowstep) {
+@@ -371,6 +387,10 @@ void jas_matrix_setall(jas_matrix_t *mat
+ 	int rowstep;
+ 	jas_seqent_t *data;
+ 
++	if (!matrix->rows_) {
++		return;
++	}
++
+ 	rowstep = jas_matrix_rowstep(matrix);
+ 	for (i = matrix->numrows_, rowstart = matrix->rows_[0]; i > 0; --i,
+ 	  rowstart += rowstep) {

jasper.spec

@@ -7,7 +7,7 @@ Summary: Implementation of the JPEG-2000 standard, Part 1
 Name:    jasper
 Group:   System Environment/Libraries
 Version: 1.900.2
-Release: 1%{?dist}
+Release: 2%{?dist}
 
 %if "%{version}" >= "1.900.2"
 %define ext .tar.gz
@@ -28,6 +28,7 @@ Patch1: patch-libjasper-stepsizes-overflow.diff
 Patch2: jasper-1.900.1-CVE-2008-3520.patch
 Patch3: jasper-1.900.1-CVE-2011-4516-CVE-2011-4517-CERT-VU-887409.patch
 Patch4: jasper-CVE-2014-8137.patch
+Patch5: jasper-CVE-2016-2089-matrix-rows-NULL-check.diff
 
 # Issues found by static analysis of code
 Patch110: jasper-1.900.1-Coverity-NULL_RETURNS.patch
@@ -82,6 +83,7 @@ Requires: %{name}-libs%{?_isa} = %{version}-%{release}
 %patch2 -p1 -b .CVE-2008-3520
 %patch3 -p1 -b .CVE-2011-4516-4517
 %patch4 -p1 -b .CVE-2014-8137-variant2
+%patch5 -p1 -b .CVE-2016-2089
 
 %patch110 -p1 -b .NULL_RETURNS
 %patch111 -p1 -b .RESOURCE_LEAK
@@ -155,6 +157,9 @@ make check
 
 
 %changelog
+* Tue Oct 11 2016 Josef Ridky <jridky@redhat.com> - 1.900.2-2
+- CVE-2016-2089 - matrix rows_ NULL pointer dereference in jas_matrix_clip() (#1302636)
+
 * Mon Oct 10 2016 Josef Ridky <jridky@redhat.com> - 1.900.2-1
 - New upstream release 1.900.2 (#1382188)