1 Description: CVE-2014-8137: double-free in jas_iccattrval_destroy()
2 Origin: vendor, https://bugzilla.redhat.com/attachment.cgi?id=967283,
3  https://bugzilla.redhat.com/attachment.cgi?id=967284
4 Bug-Debian: https://bugs.debian.org/773463
5 Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1173157
6 Forwarded: no
7 Author: Tomas Hoger <thoger@redhat.com>
8 Last-Update: 2014-12-20
9
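--- a/src/libjasper/base/jas_icc.c
+++ b/src/libjasper/base/jas_icc.c
@@ -1010,7 +1010,6 @@ static int jas_icccurv_input(jas_iccattr
        return 0;
 
 error:
-       jas_icccurv_destroy(attrval);
        return -1;
 }
 
@@ -1128,7 +1127,6 @@ static int jas_icctxtdesc_input(jas_icca
 #endif
        return 0;
 error:
-       jas_icctxtdesc_destroy(attrval);
        return -1;
 }
 
@@ -1207,8 +1205,6 @@ static int jas_icctxt_input(jas_iccattrv
                goto error;
        return 0;
 error:
-       if (txt->string)
-               jas_free(txt->string);
        return -1;
 }
 
@@ -1329,7 +1325,6 @@ static int jas_icclut8_input(jas_iccattr
                goto error;
        return 0;
 error:
-       jas_icclut8_destroy(attrval);
        return -1;
 }
 
@@ -1498,7 +1493,6 @@ static int jas_icclut16_input(jas_iccatt
                goto error;
        return 0;
 error:
-       jas_icclut16_destroy(attrval);
        return -1;
 }
 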
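Review bot: With the destroy calls gone, every `error:` path in jas_icccurv_input, jas_icctxtdesc_input, jas_icctxt_input, jas_icclut8_input and jas_icclut16_input returns -1 with attrval only partly filled in, so the fix is sound only if the caller's single jas_iccattrval_destroy() tolerates fields that were never allocated. The hunks do not show whether each input function zeroes its pointers before the first `goto error`; the function bodies start outside the hunks, so that needs to be confirmed there. I would also record the ownership rule at each label, for example `/* attrval is released by the caller; freeing here would double-free */`, so that a later cleanup pass does not put the calls back.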
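--- a/src/libjasper/jp2/jp2_dec.c
+++ b/src/libjasper/jp2/jp2_dec.c
@@ -291,7 +291,10 @@ jas_image_t *jp2_decode(jas_stream_t *in
        case JP2_COLR_ICC:
                iccprof = jas_iccprof_createfrombuf(dec->colr->data.colr.iccp,
                  dec->colr->data.colr.iccplen);
-               assert(iccprof);
+               if (!iccprof) {
+                       jas_eprintf("error: failed to parse ICC profile\n");
+                       goto error;
+               }
                jas_iccprof_gethdr(iccprof, &icchdr);
                jas_eprintf("ICC Profile CS %08x\n", icchdr.colorspc);
                jas_image_setclrspc(dec->image, fromiccpcs(icchdr.colorspc));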
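Review bot: The new `if (!iccprof)` branch in the `JP2_COLR_ICC` case carries no comment explaining that the ICC buffer comes from the decoded file, which is why a parse failure here is an input error rather than a broken invariant; I would add `/* ICC data is file-controlled: parse failure is an input error */` above it. The `error` label lies outside the hunk, so it should be confirmed that its cleanup is safe when reached from this point in jp2_decode. Any other assert() on file-derived values in the part of the function not shown would have the same weakness, since assert() compiles away under NDEBUG.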