From a0ad33bedb339e4f9f35f9637a976320ec81f508 Mon Sep 17 00:00:00 2001
From: mancha
Date: Mon, 17 Aug 2015
Subject: CVE-2015-5203 Prevent integer conversion errors.
jasper is vulnerable to integer conversion errors that can be leveraged, via crafted input, to trigger faults such as double free's. This patch addresses that by using size_t for buffer sizes.
---
 src/libjasper/base/jas_stream.c | 10 +++++-----
 src/libjasper/include/jasper/jas_stream.h | 8 ++++----
 src/libjasper/jpc/jpc_qmfb.c | 16 ++++++++--------
 src/libjasper/mif/mif_cod.c | 4 ++--
 4 files changed, 19 insertions(+), 19 deletions(-)
--- a/src/libjasper/include/jasper/jas_stream.h
+++ b/src/libjasper/include/jasper/jas_stream.h
@@ -215,7 +215,7 @@ typedef struct {
 uchar *bufstart_;
 /* The buffer size. */
- int bufsize_;
+ size_t bufsize_;
 /* The current position in the buffer. */
 uchar *ptr_;
@@ -267,7 +267,7 @@ typedef struct {
 uchar *buf_;
 /* The allocated size of the buffer for holding file data. */
- int bufsize_;
+ size_t bufsize_;
 /* The length of the file. */
 int_fast32_t len_;
@@ -291,7 +291,7 @@ typedef struct {
 jas_stream_t *jas_stream_fopen(const char *filename, const char *mode);
 /* Open a memory buffer as a stream. */
-jas_stream_t *jas_stream_memopen(char *buf, int bufsize);
+jas_stream_t *jas_stream_memopen(char *buf, size_t bufsize);
 /* Open a file descriptor as a stream. */
 jas_stream_t *jas_stream_fdopen(int fd, const char *mode);
@@ -366,7 +366,7 @@ int jas_stream_printf(jas_stream_t *stre
 int jas_stream_puts(jas_stream_t *stream, const char *s);
 /* Read a line of input from a stream. */
-char *jas_stream_gets(jas_stream_t *stream, char *buf, int bufsize);
+char *jas_stream_gets(jas_stream_t *stream, char *buf, size_t bufsize);
 /* Look at the next character to be read from a stream without actually removing it from the stream. */
--- a/src/libjasper/base/jas_stream.c
+++ b/src/libjasper/base/jas_stream.c
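Review bot: Widening `bufsize_` to `size_t` inside `jas_stream_t`, a struct defined in the installed public header, shifts the offset of every member after it (`ptr_` is visible immediately below), so anything compiled against the old layout — including jasper's own macro-style stream accessors if they read these fields, which the hunk does not show — is silently broken, and the patch should be paired with a soname/version bump or a note that this struct is not ABI-stable. The field is also now unsigned while the counts it is compared against elsewhere presumably remain `int`, so each such comparison should be re-checked for a negative value converting to a large unsigned one rather than being rejected. The struct definition begins and ends outside the hunk.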
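Review bot: `bufsize_` becomes `size_t` here but `len_`, two lines below, stays the signed `int_fast32_t`, so any `len_ > bufsize_`-style comparison in the memory-stream code turns into a signed/unsigned comparison in which a negative `len_` — exactly what a crafted length can produce — compares greater than every possible buffer size. The mismatch is moved rather than removed; either give `len_` the same treatment (`size_t len_;`, together with whatever position field accompanies it outside the hunk, after checking no caller relies on a negative sentinel) or assert the invariant `len_ >= 0 && (size_t)len_ <= bufsize_` wherever the buffer is resized. The struct definition begins and ends outside the hunk.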
@@ -99,7 +99,7 @@ static int jas_strtoopenmode(const char
 static void jas_stream_destroy(jas_stream_t *stream);
 static jas_stream_t *jas_stream_create(void);
 static void jas_stream_initbuf(jas_stream_t *stream, int bufmode, char *buf,
- int bufsize);
+ size_t bufsize);
 static int mem_read(jas_stream_obj_t *obj, char *buf, int cnt);
 static int mem_write(jas_stream_obj_t *obj, char *buf, int cnt);
@@ -168,7 +168,7 @@ static jas_stream_t *jas_stream_create()
 return stream;
 }
-jas_stream_t *jas_stream_memopen(char *buf, int bufsize)
+jas_stream_t *jas_stream_memopen(char *buf, size_t bufsize)
 {
 jas_stream_t *stream;
 jas_stream_memobj_t *obj;
@@ -570,7 +570,7 @@ int jas_stream_puts(jas_stream_t *stream
 return 0;
 }
-char *jas_stream_gets(jas_stream_t *stream, char *buf, int bufsize)
+char *jas_stream_gets(jas_stream_t *stream, char *buf, size_t bufsize)
 {
 int c;
 char *bufptr;
@@ -694,7 +694,7 @@ long jas_stream_tell(jas_stream_t *strea
 \******************************************************************************/
 static void jas_stream_initbuf(jas_stream_t *stream, int bufmode, char *buf,
- int bufsize)
+ size_t bufsize)
 {
 /* If this function is being called, the buffer should not have been initialized yet. */
@@ -987,7 +987,7 @@ static int mem_read(jas_stream_obj_t *ob
 return cnt;
 }
-static int mem_resize(jas_stream_memobj_t *m, int bufsize)
+static int mem_resize(jas_stream_memobj_t *m, size_t bufsize)
 {
 unsigned char *buf;
--- a/src/libjasper/mif/mif_cod.c
+++ b/src/libjasper/mif/mif_cod.c
@@ -107,7 +107,7 @@ static int mif_hdr_put(mif_hdr_t *hdr, j
 static int mif_hdr_addcmpt(mif_hdr_t *hdr, int cmptno, mif_cmpt_t *cmpt);
 static mif_cmpt_t *mif_cmpt_create(void);
 static void mif_cmpt_destroy(mif_cmpt_t *cmpt);
-static char *mif_getline(jas_stream_t *jas_stream, char *buf, int bufsize);
+static char *mif_getline(jas_stream_t *jas_stream, char *buf, size_t bufsize);
 static int mif_getc(jas_stream_t *in);
 static mif_hdr_t *mif_makehdrfromimage(jas_image_t *image);
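Review bot: The signed/unsigned boundary this patch targets is still present in the two untouched prototypes at the bottom of the hunk: `mem_read` and `mem_write` keep `int cnt`, so a negative or oversized `cnt` arriving from the stream layer is now compared against and added to a `size_t` `bufsize_`, where it converts to a huge unsigned value instead of a negative one. Widening `cnt` is probably constrained by the ops-table function-pointer types (outside the hunk), so the cheaper fix is to reject it at the top of each definition, `if (cnt < 0) return -1;`, before any arithmetic involving `bufsize_`. The prototype list continues past the hunk.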
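Review bot: The definition now takes an unsigned `bufsize`, but the hunk shows only the prologue; jasper's memopen has historically treated a non-positive `bufsize` as "allocate internally and grow as needed" (please confirm against the check further down), and under `size_t` that test degrades to `bufsize == 0`, while a caller still passing `-1` as the sentinel now asks for a fixed buffer of `SIZE_MAX` bytes. Audit the call sites for negative sentinels and rewrite the check as `if (bufsize == 0) {` with a comment stating that zero means growable. The function body continues outside the hunk.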
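Review bot: `bufsize` is now unsigned but nothing visible in the hunk handles `bufsize == 0`; a zero-length buffer cannot hold the terminating NUL a gets-style routine writes, and if the loop below ever computes `bufsize - 1` that expression now wraps to `SIZE_MAX` instead of going negative. A guard before the loop, `if (bufsize == 0) return NULL;`, mirrors `fgets` and removes both cases. The read loop and the terminating write are outside the hunk.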
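Review bot: `mem_resize` now takes `size_t`, so any `assert(bufsize >= 0)`-style check in its body (not shown; please confirm) becomes a tautology that `-Wtype-limits` will flag, and no replacement bound is visible; meanwhile the value arrives from `mem_write`, which this patch leaves untouched and which still declares `int cnt` in the prototype hunk above, so if its doubling counter there is still an `int` it can overflow or be truncated before the widened parameter is ever reached. Suggest extending the patch to the growth computation in `mem_write` and replacing the tautological assert with a real upper limit tied to the maximum stream size the library is willing to buffer. The function body, including the reallocation, is outside the hunk.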
@@ -658,7 +658,7 @@ static void mif_cmpt_destroy(mif_cmpt_t
 * MIF parsing code.
 \******************************************************************************/
-static char *mif_getline(jas_stream_t *stream, char *buf, int bufsize)
+static char *mif_getline(jas_stream_t *stream, char *buf, size_t bufsize)
 {
 int c;
 char *bufptr;
--- ./src/libjasper/jpc/jpc_qmfb.c.orig
+++ ./src/libjasper/jpc/jpc_qmfb.c
@@ -305,7 +305,7 @@
 void jpc_qmfb_split_row(jpc_fix_t *a, int numcols, int parity)
 {
- int bufsize = JPC_CEILDIVPOW2(numcols, 1);
+ size_t bufsize = JPC_CEILDIVPOW2(numcols, 1);
 jpc_fix_t splitbuf[QMFB_SPLITBUFSIZE];
 jpc_fix_t *buf = splitbuf;
 register jpc_fix_t *srcptr;
@@ -365,7 +365,7 @@
 int parity)
 {
- int bufsize = JPC_CEILDIVPOW2(numrows, 1);
+ size_t bufsize = JPC_CEILDIVPOW2(numrows, 1);
 jpc_fix_t splitbuf[QMFB_SPLITBUFSIZE];
 jpc_fix_t *buf = splitbuf;
 register jpc_fix_t *srcptr;
@@ -425,7 +425,7 @@
 int parity)
 {
- int bufsize = JPC_CEILDIVPOW2(numrows, 1);
+ size_t bufsize = JPC_CEILDIVPOW2(numrows, 1);
 jpc_fix_t splitbuf[QMFB_SPLITBUFSIZE * JPC_QMFB_COLGRPSIZE];
 jpc_fix_t *buf = splitbuf;
 jpc_fix_t *srcptr;
@@ -506,7 +506,7 @@
 int stride, int parity)
 {
- int bufsize = JPC_CEILDIVPOW2(numrows, 1);
+ size_t bufsize = JPC_CEILDIVPOW2(numrows, 1);
 jpc_fix_t splitbuf[QMFB_SPLITBUFSIZE * JPC_QMFB_COLGRPSIZE];
 jpc_fix_t *buf = splitbuf;
 jpc_fix_t *srcptr;
@@ -586,7 +586,7 @@
 void jpc_qmfb_join_row(jpc_fix_t *a, int numcols, int parity)
 {
- int bufsize = JPC_CEILDIVPOW2(numcols, 1);
+ size_t bufsize = JPC_CEILDIVPOW2(numcols, 1);
 jpc_fix_t joinbuf[QMFB_JOINBUFSIZE];
 jpc_fix_t *buf = joinbuf;
 register jpc_fix_t *srcptr;
@@ -643,7 +643,7 @@
 int parity)
 {
- int bufsize = JPC_CEILDIVPOW2(numrows, 1);
+ size_t bufsize = JPC_CEILDIVPOW2(numrows, 1);
 jpc_fix_t joinbuf[QMFB_JOINBUFSIZE];
 jpc_fix_t *buf = joinbuf;
 register jpc_fix_t *srcptr;
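Review bot: Same gap as the `jas_stream_gets` change: `bufsize == 0` is not handled in the visible prologue, and once the count is unsigned a `bufsize - 1` or a `bufsize--` past zero in the loop below wraps instead of going negative while the terminating NUL is still written into an empty buffer. `if (bufsize == 0) return NULL;` before the read loop closes it. The loop and the terminating write are outside the hunk.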
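Review bot: The conversion still happens, just on the right-hand side: `numcols` is an `int` (visible in the signature) and `JPC_CEILDIVPOW2(numcols, 1)` is evaluated in `int` arithmetic, so a negative `numcols`, or one close to `INT_MAX` where the macro's rounding addend overflows, is only converted to `size_t` at the assignment and becomes a huge `bufsize` rather than being rejected. Whether that is then caught depends on the `bufsize > QMFB_SPLITBUFSIZE` allocation path below the hunk; a guard before the computation, `assert(numcols >= 0);` or an explicit early return, is what actually closes it. The same pattern repeats in all eight split/join hunks of this file, and each function body continues past its hunk.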
@@ -700,7 +700,7 @@
 int parity)
 {
- int bufsize = JPC_CEILDIVPOW2(numrows, 1);
+ size_t bufsize = JPC_CEILDIVPOW2(numrows, 1);
 jpc_fix_t joinbuf[QMFB_JOINBUFSIZE * JPC_QMFB_COLGRPSIZE];
 jpc_fix_t *buf = joinbuf;
 jpc_fix_t *srcptr;
@@ -778,7 +778,7 @@
 int stride, int parity)
 {
- int bufsize = JPC_CEILDIVPOW2(numrows, 1);
+ size_t bufsize = JPC_CEILDIVPOW2(numrows, 1);
 jpc_fix_t joinbuf[QMFB_JOINBUFSIZE * JPC_QMFB_COLGRPSIZE];
 jpc_fix_t *buf = joinbuf;
 jpc_fix_t *srcptr;