Alexander Pyhalov
2017-05-19 6946dd4868cb992da302092caa97757a33258c08
jasper: import security fixes from Ubuntu
4 files added
1 files modified
645 ■■■■■ changed files
components/multimedia/jasper/Makefile 2 ●●●
components/multimedia/jasper/patches/11-CVE-2016-1867_CVE-2016-8654_CVE-2016-8691_CVE-2016-8692_CVE-2016-8693_CVE-2016-8882_CVE-2016-9560.patch 194 ●●●●●
components/multimedia/jasper/patches/12-CVE-2016-9591.patch 247 ●●●●●
components/multimedia/jasper/patches/13-CVE-2016-10249.patch 100 ●●●●●
components/multimedia/jasper/patches/14-CVE-2016-10251.patch 102 ●●●●●
components/multimedia/jasper/Makefile
@@ -17,7 +17,7 @@
COMPONENT_NAME= jasper
COMPONENT_VERSION= 1.900.1
COMPONENT_REVISION= 2
COMPONENT_REVISION= 3
COMPONENT_SUMMARY= A free software-based reference implementation of the JPEG-2000 Part-1 CODEC
COMPONENT_SRC= $(COMPONENT_NAME)-$(COMPONENT_VERSION)
COMPONENT_ARCHIVE= $(COMPONENT_SRC).zip
components/multimedia/jasper/patches/11-CVE-2016-1867_CVE-2016-8654_CVE-2016-8691_CVE-2016-8692_CVE-2016-8693_CVE-2016-8882_CVE-2016-9560.patch
New file
@@ -0,0 +1,194 @@
diff -Naur jasper-1.900.1-debian1.orig/src/libjasper/base/jas_stream.c jasper-1.900.1-debian1/src/libjasper/base/jas_stream.c
--- jasper-1.900.1-debian1.orig/src/libjasper/base/jas_stream.c    2017-02-07 22:46:28.000000000 +0100
+++ jasper-1.900.1-debian1/src/libjasper/base/jas_stream.c    2017-02-07 22:46:07.040456152 +0100
@@ -985,8 +985,9 @@
 {
     unsigned char *buf;
-    assert(m->buf_);
-    if (!(buf = jas_realloc(m->buf_, bufsize))) {
+    //assert(m->buf_);
+    assert(bufsize >= 0);
+    if (!(buf = jas_realloc(m->buf_, bufsize)) && bufsize) {
         return -1;
     }
     m->buf_ = buf;
diff -Naur jasper-1.900.1-debian1.orig/src/libjasper/jpc/jpc_cs.c jasper-1.900.1-debian1/src/libjasper/jpc/jpc_cs.c
--- jasper-1.900.1-debian1.orig/src/libjasper/jpc/jpc_cs.c    2017-02-07 22:46:28.000000000 +0100
+++ jasper-1.900.1-debian1/src/libjasper/jpc/jpc_cs.c    2017-02-07 22:46:02.168382641 +0100
@@ -512,6 +512,16 @@
             jas_free(siz->comps);
             return -1;
         }
+        if (siz->comps[i].hsamp == 0 || siz->comps[i].hsamp > 255) {
+            jas_eprintf("invalid XRsiz value %d\n", siz->comps[i].hsamp);
+            jas_free(siz->comps);
+            return -1;
+        }
+        if (siz->comps[i].vsamp == 0 || siz->comps[i].vsamp > 255) {
+            jas_eprintf("invalid YRsiz value %d\n", siz->comps[i].vsamp);
+            jas_free(siz->comps);
+            return -1;
+        }
         siz->comps[i].sgnd = (tmp >> 7) & 1;
         siz->comps[i].prec = (tmp & 0x7f) + 1;
     }
diff -Naur jasper-1.900.1-debian1.orig/src/libjasper/jpc/jpc_dec.c jasper-1.900.1-debian1/src/libjasper/jpc/jpc_dec.c
--- jasper-1.900.1-debian1.orig/src/libjasper/jpc/jpc_dec.c    2017-02-07 22:46:28.000000000 +0100
+++ jasper-1.900.1-debian1/src/libjasper/jpc/jpc_dec.c    2017-02-07 22:46:13.736555435 +0100
@@ -674,7 +674,7 @@
     uint_fast32_t tmpxend;
     uint_fast32_t tmpyend;
     jpc_dec_cp_t *cp;
-    jpc_tsfb_band_t bnds[64];
+    jpc_tsfb_band_t bnds[JPC_MAXBANDS];
     jpc_pchg_t *pchg;
     int pchgno;
     jpc_dec_cmpt_t *cmpt;
@@ -989,23 +989,23 @@
 }
     if (tile->cp) {
         jpc_dec_cp_destroy(tile->cp);
-        tile->cp = 0;
+        //tile->cp = 0;
     }
     if (tile->tcomps) {
         jas_free(tile->tcomps);
-        tile->tcomps = 0;
+        //tile->tcomps = 0;
     }
     if (tile->pi) {
         jpc_pi_destroy(tile->pi);
-        tile->pi = 0;
+        //tile->pi = 0;
     }
     if (tile->pkthdrstream) {
         jas_stream_close(tile->pkthdrstream);
-        tile->pkthdrstream = 0;
+        //tile->pkthdrstream = 0;
     }
     if (tile->pptstab) {
         jpc_ppxstab_destroy(tile->pptstab);
-        tile->pptstab = 0;
+        //tile->pptstab = 0;
     }
     tile->state = JPC_TILE_DONE;
@@ -1148,7 +1148,11 @@
                 return -1;
             }
         }
-        jpc_dec_tilefini(dec, tile);
+        /* If the tile has not yet been finalized, finalize it. */
+        // OLD CODE: jpc_dec_tilefini(dec, tile);
+        if (tile->state != JPC_TILE_DONE) {
+            jpc_dec_tilefini(dec, tile);
+        }
     }
     /* We are done processing the code stream. */
@@ -1204,6 +1208,8 @@
     dec->numhtiles = JPC_CEILDIV(dec->xend - dec->tilexoff, dec->tilewidth);
     dec->numvtiles = JPC_CEILDIV(dec->yend - dec->tileyoff, dec->tileheight);
     dec->numtiles = dec->numhtiles * dec->numvtiles;
+    JAS_DBGLOG(10, ("numtiles = %d; numhtiles = %d; numvtiles = %d;\n",
+      dec->numtiles, dec->numhtiles, dec->numvtiles));
     if (!(dec->tiles = jas_alloc2(dec->numtiles, sizeof(jpc_dec_tile_t)))) {
         return -1;
     }
@@ -1228,6 +1234,7 @@
         tile->pkthdrstreampos = 0;
         tile->pptstab = 0;
         tile->cp = 0;
+        tile->pi = 0;
         if (!(tile->tcomps = jas_alloc2(dec->numcomps,
           sizeof(jpc_dec_tcomp_t)))) {
             return -1;
diff -Naur jasper-1.900.1-debian1.orig/src/libjasper/jpc/jpc_qmfb.c jasper-1.900.1-debian1/src/libjasper/jpc/jpc_qmfb.c
--- jasper-1.900.1-debian1.orig/src/libjasper/jpc/jpc_qmfb.c    2017-02-07 22:46:28.000000000 +0100
+++ jasper-1.900.1-debian1/src/libjasper/jpc/jpc_qmfb.c    2017-02-07 22:45:59.328339293 +0100
@@ -372,7 +372,7 @@
     register jpc_fix_t *dstptr;
     register int n;
     register int m;
-    int hstartcol;
+    int hstartrow;
     /* Get a buffer. */
     if (bufsize > QMFB_SPLITBUFSIZE) {
@@ -383,8 +383,9 @@
     }
     if (numrows >= 2) {
-        hstartcol = (numrows + 1 - parity) >> 1;
-        m = (parity) ? hstartcol : (numrows - hstartcol);
+        hstartrow = (numrows + 1 - parity) >> 1;
+        m = (parity) ? hstartrow : (numrows - hstartrow);
+
         /* Save the samples destined for the highpass channel. */
         n = m;
         dstptr = buf;
@@ -404,7 +405,7 @@
             srcptr += stride << 1;
         }
         /* Copy the saved samples into the highpass channel. */
-        dstptr = &a[hstartcol * stride];
+        dstptr = &a[hstartrow * stride];
         srcptr = buf;
         n = m;
         while (n-- > 0) {
@@ -435,19 +436,20 @@
     register int n;
     register int i;
     int m;
-    int hstartcol;
+    int hstartrow;
     /* Get a buffer. */
     if (bufsize > QMFB_SPLITBUFSIZE) {
-        if (!(buf = jas_alloc2(bufsize, sizeof(jpc_fix_t)))) {
+                if (!(buf = jas_alloc3(bufsize, JPC_QMFB_COLGRPSIZE, sizeof(jpc_fix_t)))) {
             /* We have no choice but to commit suicide in this case. */
             abort();
         }
     }
     if (numrows >= 2) {
-        hstartcol = (numrows + 1 - parity) >> 1;
-        m = (parity) ? hstartcol : (numrows - hstartcol);
+        hstartrow = (numrows + 1 - parity) >> 1;
+        m = (parity) ? hstartrow : (numrows - hstartrow);
+
         /* Save the samples destined for the highpass channel. */
         n = m;
         dstptr = buf;
@@ -479,7 +481,7 @@
             srcptr += stride << 1;
         }
         /* Copy the saved samples into the highpass channel. */
-        dstptr = &a[hstartcol * stride];
+        dstptr = &a[hstartrow * stride];
         srcptr = buf;
         n = m;
         while (n-- > 0) {
@@ -520,7 +522,7 @@
     /* Get a buffer. */
     if (bufsize > QMFB_SPLITBUFSIZE) {
-        if (!(buf = jas_alloc2(bufsize, sizeof(jpc_fix_t)))) {
+        if (!(buf = jas_alloc3(bufsize, numcols, sizeof(jpc_fix_t)))) {
             /* We have no choice but to commit suicide in this case. */
             abort();
         }
diff -Naur jasper-1.900.1-debian1.orig/src/libjasper/jpc/jpc_t2cod.c jasper-1.900.1-debian1/src/libjasper/jpc/jpc_t2cod.c
--- jasper-1.900.1-debian1.orig/src/libjasper/jpc/jpc_t2cod.c    2017-02-07 22:46:28.000000000 +0100
+++ jasper-1.900.1-debian1/src/libjasper/jpc/jpc_t2cod.c    2017-02-07 22:45:54.464331040 +0100
@@ -429,7 +429,7 @@
     }
     for (pi->compno = pchg->compnostart, pi->picomp =
-      &pi->picomps[pi->compno]; pi->compno < JAS_CAST(int, pchg->compnoend); ++pi->compno,
+      &pi->picomps[pi->compno]; pi->compno < JAS_CAST(int, pchg->compnoend) && pi->compno < pi->numcomps; ++pi->compno,
       ++pi->picomp) {
         pirlvl = pi->picomp->pirlvls;
         pi->xstep = pi->picomp->hsamp * (1 << (pirlvl->prcwidthexpn +
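Review bot: In the jpc_dec.c hunk at `@@ -989,23 +989,23 @@` the pointer resets after each release are commented out (`//tile->cp = 0;`, `//tile->tcomps = 0;`, `//tile->pi = 0;` and the two stream/table members), so a finalized tile keeps dangling pointers. The only thing that stops a second release is the new `if (tile->state != JPC_TILE_DONE)` guard in the `@@ -1148,7 +1148,11 @@` hunk; any other caller of jpc_dec_tilefini, or any later read of these members, is outside the visible lines and would not be covered by it. I would keep both defences: leave the state check and restore the assignments, e.g. `tile->cp = 0;` directly after `jpc_dec_cp_destroy(tile->cp);`, and likewise for the other four members. The commented-out lines and the `// OLD CODE:` remark should be deleted rather than shipped as dead code. The enclosing function starts outside the hunk.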
components/multimedia/jasper/patches/12-CVE-2016-9591.patch
New file
@@ -0,0 +1,247 @@
From 03fe49ab96bf65fea784cdc256507ea88267fc7c Mon Sep 17 00:00:00 2001
From: Michael Adams <mdadams@ece.uvic.ca>
Date: Thu, 2 Mar 2017 08:07:04 -0800
Subject: [PATCH] Fixed some potential double-free problems in the JPC codec.
---
 src/libjasper/jpc/jpc_enc.c | 75 +++++++++++++++++++++++++++++++++++++--------
 1 file changed, 62 insertions(+), 13 deletions(-)
diff --git a/src/libjasper/jpc/jpc_enc.c b/src/libjasper/jpc/jpc_enc.c
index 03646d6..b8b47f1 100644
--- a/src/libjasper/jpc/jpc_enc.c
+++ b/src/libjasper/jpc/jpc_enc.c
@@ -1140,8 +1140,9 @@ static int jpc_enc_encodemainbody(jpc_enc_t *enc)
         tilex = tileno % cp->numhtiles;
         tiley = tileno / cp->numhtiles;
-        if (!(enc->curtile = jpc_enc_tile_create(enc->cp, enc->image, tileno))) {
-            abort();
+        if (!(enc->curtile = jpc_enc_tile_create(enc->cp, enc->image,
+          tileno))) {
+            return -1;
         }
         tile = enc->curtile;
@@ -2036,6 +2037,8 @@ jpc_enc_tile_t *jpc_enc_tile_create(jpc_enc_cp_t *cp, jas_image_t *image, int ti
     return 0;
 }
+/* Note: I don't think that it is necessary to marked destroyed subobjects
+as such in this function. */
 void jpc_enc_tile_destroy(jpc_enc_tile_t *tile)
 {
     jpc_enc_tcmpt_t *tcmpt;
@@ -2047,16 +2050,21 @@ void jpc_enc_tile_destroy(jpc_enc_tile_t *tile)
             tcmpt_destroy(tcmpt);
         }
         jas_free(tile->tcmpts);
+        /* tile->tcmpts = NULL; */
     }
     if (tile->lyrsizes) {
         jas_free(tile->lyrsizes);
+        /* tile->lyrsizes = NULL; */
     }
     if (tile->pi) {
         jpc_pi_destroy(tile->pi);
+        /* tile->pi = NULL; */
     }
     jas_free(tile);
+    /* tile = NULL; */
 }
+/* Note: This constructor creates the object in place. */
 static jpc_enc_tcmpt_t *tcmpt_create(jpc_enc_tcmpt_t *tcmpt, jpc_enc_cp_t *cp,
   jas_image_t *image, jpc_enc_tile_t *tile)
 {
@@ -2152,6 +2160,10 @@ static jpc_enc_tcmpt_t *tcmpt_create(jpc_enc_tcmpt_t *tcmpt, jpc_enc_cp_t *cp,
 }
+/* Note: Since jpc_enc_tcmpt_t objects are created in-place, they might
+potentially be destroyed multiple times at different levels in the call
+chain.  So, destroyed subobjects must be marked as destroyed to prevent
+problems such as double frees. */
 static void tcmpt_destroy(jpc_enc_tcmpt_t *tcmpt)
 {
     jpc_enc_rlvl_t *rlvl;
@@ -2163,16 +2175,20 @@ static void tcmpt_destroy(jpc_enc_tcmpt_t *tcmpt)
             rlvl_destroy(rlvl);
         }
         jas_free(tcmpt->rlvls);
+        tcmpt->rlvls = NULL;
     }
     if (tcmpt->data) {
         jas_seq2d_destroy(tcmpt->data);
+        tcmpt->data = NULL;
     }
     if (tcmpt->tsfb) {
         jpc_tsfb_destroy(tcmpt->tsfb);
+        tcmpt->tsfb = NULL;
     }
 }
+/* Note: This constructor creates the object in place. */
 static jpc_enc_rlvl_t *rlvl_create(jpc_enc_rlvl_t *rlvl, jpc_enc_cp_t *cp,
   jpc_enc_tcmpt_t *tcmpt, jpc_tsfb_band_t *bandinfos)
 {
@@ -2254,6 +2270,10 @@ static jpc_enc_rlvl_t *rlvl_create(jpc_enc_rlvl_t *rlvl, jpc_enc_cp_t *cp,
     return 0;
 }
+/* Note: Since jpc_enc_rlvl_t objects are created in-place, they might
+potentially be destroyed multiple times at different levels in the call
+chain.  So, destroyed subobjects must be marked as destroyed to prevent
+problems such as double frees. */
 static void rlvl_destroy(jpc_enc_rlvl_t *rlvl)
 {
     jpc_enc_band_t *band;
@@ -2265,9 +2285,11 @@ static void rlvl_destroy(jpc_enc_rlvl_t *rlvl)
             band_destroy(band);
         }
         jas_free(rlvl->bands);
+        rlvl->bands = NULL;
     }
 }
+/* Note: This constructor creates the object in place. */
 static jpc_enc_band_t *band_create(jpc_enc_band_t *band, jpc_enc_cp_t *cp,
   jpc_enc_rlvl_t *rlvl, jpc_tsfb_band_t *bandinfos)
 {
@@ -2335,6 +2357,10 @@ if (band->data) {
     return 0;
 }
+/* Note: Since jpc_enc_band_t objects are created in-place, they might
+potentially be destroyed multiple times at different levels in the call
+chain.  So, destroyed subobjects must be marked as destroyed to prevent
+problems such as double frees. */
 static void band_destroy(jpc_enc_band_t *band)
 {
     jpc_enc_prc_t *prc;
@@ -2348,12 +2374,15 @@ static void band_destroy(jpc_enc_band_t *band)
             prc_destroy(prc);
         }
         jas_free(band->prcs);
+        band->prcs = NULL;
     }
     if (band->data) {
         jas_seq2d_destroy(band->data);
+        band->data = NULL;
     }
 }
+/* Note: This constructor creates the object in place. */
 static jpc_enc_prc_t *prc_create(jpc_enc_prc_t *prc, jpc_enc_cp_t *cp, jpc_enc_band_t *band)
 {
     uint_fast32_t prcno;
@@ -2383,21 +2412,21 @@ static jpc_enc_prc_t *prc_create(jpc_enc_prc_t *prc, jpc_enc_cp_t *cp, jpc_enc_b
     rlvl = band->rlvl;
     tcmpt = rlvl->tcmpt;
-rlvlno = rlvl - tcmpt->rlvls;
+    rlvlno = rlvl - tcmpt->rlvls;
     prcno = prc - band->prcs;
     prcxind = prcno % rlvl->numhprcs;
     prcyind = prcno / rlvl->numhprcs;
     prc->band = band;
-tlprctlx = JPC_FLOORTOMULTPOW2(rlvl->tlx, rlvl->prcwidthexpn);
-tlprctly = JPC_FLOORTOMULTPOW2(rlvl->tly, rlvl->prcheightexpn);
-if (!rlvlno) {
-    tlcbgtlx = tlprctlx;
-    tlcbgtly = tlprctly;
-} else {
-    tlcbgtlx = JPC_CEILDIVPOW2(tlprctlx, 1);
-    tlcbgtly = JPC_CEILDIVPOW2(tlprctly, 1);
-}
+    tlprctlx = JPC_FLOORTOMULTPOW2(rlvl->tlx, rlvl->prcwidthexpn);
+    tlprctly = JPC_FLOORTOMULTPOW2(rlvl->tly, rlvl->prcheightexpn);
+    if (!rlvlno) {
+        tlcbgtlx = tlprctlx;
+        tlcbgtly = tlprctly;
+    } else {
+        tlcbgtlx = JPC_CEILDIVPOW2(tlprctlx, 1);
+        tlcbgtly = JPC_CEILDIVPOW2(tlprctly, 1);
+    }
     /* Compute the coordinates of the top-left and bottom-right
       corners of the precinct. */
@@ -2479,6 +2508,10 @@ if (!rlvlno) {
     return 0;
 }
+/* Note: Since jpc_enc_prc_t objects are created in-place, they might
+potentially be destroyed multiple times at different levels in the call
+chain.  So, destroyed subobjects must be marked as destroyed to prevent
+problems such as double frees. */
 static void prc_destroy(jpc_enc_prc_t *prc)
 {
     jpc_enc_cblk_t *cblk;
@@ -2490,22 +2523,29 @@ static void prc_destroy(jpc_enc_prc_t *prc)
             cblk_destroy(cblk);
         }
         jas_free(prc->cblks);
+        prc->cblks = NULL;
     }
     if (prc->incltree) {
         jpc_tagtree_destroy(prc->incltree);
+        prc->incltree = NULL;
     }
     if (prc->nlibtree) {
         jpc_tagtree_destroy(prc->nlibtree);
+        prc->nlibtree = NULL;
     }
     if (prc->savincltree) {
         jpc_tagtree_destroy(prc->savincltree);
+        prc->savincltree = NULL;
     }
     if (prc->savnlibtree) {
         jpc_tagtree_destroy(prc->savnlibtree);
+        prc->savnlibtree = NULL;
     }
 }
-static jpc_enc_cblk_t *cblk_create(jpc_enc_cblk_t *cblk, jpc_enc_cp_t *cp, jpc_enc_prc_t *prc)
+/* Note: This constructor creates the object in place. */
+static jpc_enc_cblk_t *cblk_create(jpc_enc_cblk_t *cblk, jpc_enc_cp_t *cp,
+  jpc_enc_prc_t *prc)
 {
     jpc_enc_band_t *band;
     uint_fast32_t cblktlx;
@@ -2563,6 +2603,10 @@ static jpc_enc_cblk_t *cblk_create(jpc_enc_cblk_t *cblk, jpc_enc_cp_t *cp, jpc_e
     return 0;
 }
+/* Note: Since jpc_enc_cblk_t objects are created in-place, they might
+potentially be destroyed multiple times at different levels in the call
+chain.  So, destroyed subobjects must be marked as destroyed to prevent
+problems such as double frees. */
 static void cblk_destroy(jpc_enc_cblk_t *cblk)
 {
     uint_fast16_t passno;
@@ -2573,18 +2617,23 @@ static void cblk_destroy(jpc_enc_cblk_t *cblk)
             pass_destroy(pass);
         }
         jas_free(cblk->passes);
+        cblk->passes = NULL;
     }
     if (cblk->stream) {
         jas_stream_close(cblk->stream);
+        cblk->stream = NULL;
     }
     if (cblk->mqenc) {
         jpc_mqenc_destroy(cblk->mqenc);
+        cblk->mqenc = NULL;
     }
     if (cblk->data) {
         jas_seq2d_destroy(cblk->data);
+        cblk->data = NULL;
     }
     if (cblk->flags) {
         jas_seq2d_destroy(cblk->flags);
+        cblk->flags = NULL;
     }
 }
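Review bot: The note added above jpc_enc_tile_destroy ("I don't think that it is necessary to marked destroyed subobjects as such") holds only while no caller keeps the tile pointer, because the function ends with `jas_free(tile);` and the commented-out `/* tile = NULL; */` could not clear the caller's copy in any case. `enc->curtile` in jpc_enc_encodemainbody is such a copy, and whether it is reset after the tile is destroyed is not visible in this patch. I would replace the note with a contract the caller can act on, `/* Frees the tile itself; the caller must clear its own pointer (e.g. enc->curtile) afterwards. */`, and delete the four commented-out assignments. If the original note is kept, "to marked" should read "to mark".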
components/multimedia/jasper/patches/13-CVE-2016-10249.patch
New file
@@ -0,0 +1,100 @@
Backport of  988f8365f7d8ad8073b6786e433d34c553ecf568
From: Michael Adams <mdadams@ece.uvic.ca>
Also backport jas_safe_size_mul()
diff -aur jasper-1.900.1-debian1.orig/src/libjasper/base/jas_seq.c jasper-1.900.1-debian1/src/libjasper/base/jas_seq.c
--- jasper-1.900.1-debian1.orig/src/libjasper/base/jas_seq.c    2017-03-15 16:30:46.000000000 +0100
+++ jasper-1.900.1-debian1/src/libjasper/base/jas_seq.c    2017-03-15 16:36:57.410704785 +0100
@@ -101,9 +101,16 @@
 {
     jas_matrix_t *matrix;
     int i;
+    size_t size;
+    matrix = 0;
+
+      if (numrows < 0 || numcols < 0) {
+        goto error;
+     }
+
     if (!(matrix = jas_malloc(sizeof(jas_matrix_t)))) {
-        return 0;
+        goto error;
     }
     matrix->flags_ = 0;
     matrix->numrows_ = numrows;
@@ -111,21 +118,25 @@
     matrix->rows_ = 0;
     matrix->maxrows_ = numrows;
     matrix->data_ = 0;
-    matrix->datasize_ = numrows * numcols;
+    matrix->datasize_ = 0;
+
+    // matrix->datasize_ = numrows * numcols;
+    if (!jas_safe_size_mul(numrows, numcols, &size)) {
+        goto error;
+    }
+    matrix->datasize_ = size;
     if (matrix->maxrows_ > 0) {
         if (!(matrix->rows_ = jas_alloc2(matrix->maxrows_,
           sizeof(jas_seqent_t *)))) {
-            jas_matrix_destroy(matrix);
-            return 0;
+            goto error;
         }
     }
     if (matrix->datasize_ > 0) {
         if (!(matrix->data_ = jas_alloc2(matrix->datasize_,
           sizeof(jas_seqent_t)))) {
-            jas_matrix_destroy(matrix);
-            return 0;
+            goto error;
         }
     }
@@ -143,6 +154,12 @@
     matrix->yend_ = matrix->numrows_;
     return matrix;
+
+error:
+    if (matrix) {
+        jas_matrix_destroy(matrix);
+    }
+    return 0;
 }
 void jas_matrix_destroy(jas_matrix_t *matrix)
--- jasper-1.900.1.orig/src/libjasper/include/jasper/jas_math.h    2016-11-30 15:16:36.376026487 +0100
+++ jasper-1.900.1/src/libjasper/include/jasper/jas_math.h    2016-11-30 15:17:11.011071690 +0100
@@ -79,6 +79,7 @@
 #include    <assert.h>
 #include    <stdio.h>
 #include    <string.h>
+#include <stdint.h>
 #ifdef __cplusplus
 extern "C" {
@@ -110,6 +111,19 @@
 #define    JAS_ONES(n) \
   ((1 << (n)) - 1)
+inline static int jas_safe_size_mul(size_t x, size_t y, size_t *result)
+{
+        /* Check if overflow would occur */
+        if (x && y > SIZE_MAX / x) {
+                /* Overflow would occur. */
+                return 0;
+        }
+        if (result) {
+                *result = x * y;
+        }
+        return 1;
+}
+
 #ifdef __cplusplus
 }
 #endif
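Review bot: `matrix->datasize_ = size;` in jas_matrix_create stores a size_t product into a field that the removed line `matrix->datasize_ = numrows * numcols;` suggests is an int, so a product that fits in size_t but not in int is still truncated. Where size_t is 64 bits and int is 32 bits, two non-negative int arguments can never make jas_safe_size_mul report overflow, so the new check does not bound the value there. The declaration of datasize_ is outside the hunk and needs confirming; if it is an int, extend the test to `if (!jas_safe_size_mul(numrows, numcols, &size) || size > INT_MAX) {` (with `<limits.h>` available). The later uses of datasize_ and the row-pointer setup lie between the hunks and were not reviewed.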
components/multimedia/jasper/patches/14-CVE-2016-10251.patch
New file
@@ -0,0 +1,102 @@
From 1f0dfe5a42911b6880a1445f13f6d615ddb55387 Mon Sep 17 00:00:00 2001
From: Michael Adams <mdadams@ece.uvic.ca>
Date: Fri, 4 Nov 2016 07:20:23 -0700
Subject: [PATCH] Fixed an integer overflow problem in the JPC codec that later
 resulted in the use of uninitialized data.
---
 src/libjasper/jpc/jpc_t2cod.c | 20 ++++++++++----------
 src/libjasper/jpc/jpc_t2cod.h | 20 ++++++++++----------
 2 files changed, 20 insertions(+), 20 deletions(-)
diff --git a/src/libjasper/jpc/jpc_t2cod.c b/src/libjasper/jpc/jpc_t2cod.c
index 08315dd..174442a 100644
--- a/src/libjasper/jpc/jpc_t2cod.c
+++ b/src/libjasper/jpc/jpc_t2cod.c
@@ -432,18 +432,18 @@ static int jpc_pi_nextcprl(register jpc_pi_t *pi)
       &pi->picomps[pi->compno]; pi->compno < JAS_CAST(int, pchg->compnoend) && pi->compno < pi->numcomps; ++pi->compno,
       ++pi->picomp) {
         pirlvl = pi->picomp->pirlvls;
-        pi->xstep = pi->picomp->hsamp * (1 << (pirlvl->prcwidthexpn +
-          pi->picomp->numrlvls - 1));
-        pi->ystep = pi->picomp->vsamp * (1 << (pirlvl->prcheightexpn +
-          pi->picomp->numrlvls - 1));
+        pi->xstep = pi->picomp->hsamp * (JAS_CAST(uint_fast32_t, 1) <<
+          (pirlvl->prcwidthexpn + pi->picomp->numrlvls - 1));
+        pi->ystep = pi->picomp->vsamp * (JAS_CAST(uint_fast32_t, 1) <<
+          (pirlvl->prcheightexpn + pi->picomp->numrlvls - 1));
         for (rlvlno = 1, pirlvl = &pi->picomp->pirlvls[1];
           rlvlno < pi->picomp->numrlvls; ++rlvlno, ++pirlvl) {
-            pi->xstep = JAS_MIN(pi->xstep, pi->picomp->hsamp * (1 <<
-              (pirlvl->prcwidthexpn + pi->picomp->numrlvls -
-              rlvlno - 1)));
-            pi->ystep = JAS_MIN(pi->ystep, pi->picomp->vsamp * (1 <<
-              (pirlvl->prcheightexpn + pi->picomp->numrlvls -
-              rlvlno - 1)));
+            pi->xstep = JAS_MIN(pi->xstep, pi->picomp->hsamp *
+              (JAS_CAST(uint_fast32_t, 1) << (pirlvl->prcwidthexpn +
+              pi->picomp->numrlvls - rlvlno - 1)));
+            pi->ystep = JAS_MIN(pi->ystep, pi->picomp->vsamp *
+              (JAS_CAST(uint_fast32_t, 1) << (pirlvl->prcheightexpn +
+              pi->picomp->numrlvls - rlvlno - 1)));
         }
         for (pi->y = pi->ystart; pi->y < pi->yend;
           pi->y += pi->ystep - (pi->y % pi->ystep)) {
diff --git a/src/libjasper/jpc/jpc_t2cod.h b/src/libjasper/jpc/jpc_t2cod.h
index 0a176c9..690e031 100644
--- a/src/libjasper/jpc/jpc_t2cod.h
+++ b/src/libjasper/jpc/jpc_t2cod.h
@@ -129,10 +129,10 @@ typedef struct {
     jpc_pirlvl_t *pirlvls;
     /* The horizontal sampling period. */
-    int hsamp;
+    uint_fast32_t hsamp;
     /* The vertical sampling period. */
-    int vsamp;
+    uint_fast32_t vsamp;
 } jpc_picomp_t;
@@ -171,32 +171,32 @@ typedef struct {
     int lyrno;
     /* The x-coordinate of the current position. */
-    int x;
+    uint_fast32_t x;
     /* The y-coordinate of the current position. */
-    int y;
+    uint_fast32_t y;
     /* The horizontal step size. */
-    int xstep;
+    uint_fast32_t xstep;
     /* The vertical step size. */
-    int ystep;
+    uint_fast32_t ystep;
     /* The x-coordinate of the top-left corner of the tile on the reference
       grid. */
-    int xstart;
+    uint_fast32_t xstart;
     /* The y-coordinate of the top-left corner of the tile on the reference
       grid. */
-    int ystart;
+    uint_fast32_t ystart;
     /* The x-coordinate of the bottom-right corner of the tile on the
       reference grid (plus one). */
-    int xend;
+    uint_fast32_t xend;
     /* The y-coordinate of the bottom-right corner of the tile on the
       reference grid (plus one). */
-    int yend;
+    uint_fast32_t yend;
     /* The current progression change. */
     jpc_pchg_t *pchg;
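Review bot: The shift count in jpc_pi_nextcprl is still unchecked: `JAS_CAST(uint_fast32_t, 1) << (pirlvl->prcwidthexpn + pi->picomp->numrlvls - 1)` is undefined once the sum reaches the width of uint_fast32_t, and the unsigned multiplication by hsamp/vsamp can wrap to 0. A zero step then reaches `pi->y % pi->ystep` in the loop header that follows, which is a division by zero. I would validate the exponent before shifting and reject a zero step, e.g. `if (!pi->xstep || !pi->ystep) return -1;` after the inner loop, using whatever error value this function's callers expect (its return convention is outside the hunk). Only jpc_pi_nextcprl is changed here; if the other progression-order iterators in jpc_t2cod.c compute xstep/ystep the same way, they need the same treatment.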