9ad3263e80
- Security fixes Multiple integer overflows Buffer overflow in the jas_stream_printf execute arbitrary code on decodes images Security: CVE-2008-3520 Security: CVE-2008-3522 Security: CVE-2011-4516 Security: CVE-2011-4517 PR: 163718 Obtained from: Fedora Feature safe: yes
29 lines
1.1 KiB
C
29 lines
1.1 KiB
C
--- src/libjasper/jpc/jpc_t2enc.c.orig 2007-01-19 22:43:07.000000000 +0100
|
|
+++ src/libjasper/jpc/jpc_t2enc.c 2013-04-17 22:32:23.000000000 +0200
|
|
@@ -565,7 +565,7 @@
|
|
}
|
|
pi->pktno = -1;
|
|
pi->numcomps = cp->numcmpts;
|
|
- if (!(pi->picomps = jas_malloc(pi->numcomps * sizeof(jpc_picomp_t)))) {
|
|
+ if (!(pi->picomps = jas_malloc2(pi->numcomps, sizeof(jpc_picomp_t)))) {
|
|
jpc_pi_destroy(pi);
|
|
return 0;
|
|
}
|
|
@@ -577,7 +577,7 @@
|
|
for (compno = 0, tcomp = tile->tcmpts, picomp = pi->picomps;
|
|
compno < pi->numcomps; ++compno, ++tcomp, ++picomp) {
|
|
picomp->numrlvls = tcomp->numrlvls;
|
|
- if (!(picomp->pirlvls = jas_malloc(picomp->numrlvls *
|
|
+ if (!(picomp->pirlvls = jas_malloc2(picomp->numrlvls,
|
|
sizeof(jpc_pirlvl_t)))) {
|
|
jpc_pi_destroy(pi);
|
|
return 0;
|
|
@@ -591,7 +591,7 @@
|
|
/* XXX sizeof(long) should be sizeof different type */
|
|
pirlvl->numprcs = rlvl->numprcs;
|
|
if (rlvl->numprcs) {
|
|
- if (!(pirlvl->prclyrnos = jas_malloc(pirlvl->numprcs *
|
|
+ if (!(pirlvl->prclyrnos = jas_malloc2(pirlvl->numprcs,
|
|
sizeof(long)))) {
|
|
jpc_pi_destroy(pi);
|
|
return 0;
|