Description: CVE-2016-2089: matrix rows_ NULL pointer dereference in jas_matrix_clip() Origin: vendor Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1302636 Bug-Debian: https://bugs.debian.org/812978 Forwarded: not-needed Author: Tomas Hoger Reviewed-by: Salvatore Bonaccorso Last-Update: 2016-03-05
--- a/src/libjasper/base/jas_image.c
+++ b/src/libjasper/base/jas_image.c
@@ -426,6 +426,10 @@ int jas_image_readcmpt(jas_image_t *imag
 return -1;
 }
 
+ if (!data->rows_) {
+ return -1;
+ }
+
 if (jas_matrix_numrows(data) != height || jas_matrix_numcols(data) != width) {
 if (jas_matrix_resize(data, height, width)) {
 return -1;
@@ -479,6 +483,10 @@ int jas_image_writecmpt(jas_image_t *ima
 return -1;
 }
 
+ if (!data->rows_) {
+ return -1;
+ }
+
 if (jas_matrix_numrows(data) != height || jas_matrix_numcols(data) != width) {
 return -1;
 }
--- a/src/libjasper/base/jas_seq.c
+++ b/src/libjasper/base/jas_seq.c
@@ -262,6 +262,10 @@ void jas_matrix_divpow2(jas_matrix_t *ma
 int rowstep;
 jas_seqent_t *data;
 
+ if (!matrix->rows_) {
+ return;
+ }
+
 rowstep = jas_matrix_rowstep(matrix);
 for (i = matrix->numrows_, rowstart = matrix->rows_[0]; i > 0; --i,
 rowstart += rowstep) {
@@ -282,6 +286,10 @@ void jas_matrix_clip(jas_matrix_t *matri
 jas_seqent_t *data;
 int rowstep;
 
+ if (!matrix->rows_) {
+ return;
+ }
+
 rowstep = jas_matrix_rowstep(matrix);
 for (i = matrix->numrows_, rowstart = matrix->rows_[0]; i > 0; --i,
 rowstart += rowstep) {
@@ -306,6 +314,10 @@ void jas_matrix_asr(jas_matrix_t *matrix
 int rowstep;
 jas_seqent_t *data;
 
+ if (!matrix->rows_) {
+ return;
+ }
+
 assert(n >= 0);
 rowstep = jas_matrix_rowstep(matrix);
 for (i = matrix->numrows_, rowstart = matrix->rows_[0]; i > 0; --i,
@@ -325,6 +337,10 @@ void jas_matrix_asl(jas_matrix_t *matrix
 int rowstep;
 jas_seqent_t *data;
 
+ if (!matrix->rows_) {
+ return;
+ }
+
 rowstep = jas_matrix_rowstep(matrix);
 for (i = matrix->numrows_, rowstart = matrix->rows_[0]; i > 0; --i,
 rowstart += rowstep) {
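Review bot: The new `if (!data->rows_)` guard in jas_image_readcmpt() (and the identical one in jas_image_writecmpt()) carries no comment saying when a caller-supplied matrix can have a NULL row table, so a reader cannot tell whether the -1 signals a caller bug or simply an empty matrix. In readcmpt the guard also runs before the jas_matrix_resize() path, so a matrix that resize might have made usable is now rejected up front; whether that case exists depends on resize code outside this hunk. I would add a comment such as `/* empty matrix: rows_ is NULL, nothing can be copied (CVE-2016-2089) */` and, since the surrounding code already goes through jas_matrix_numrows()/jas_matrix_numcols(), consider testing the dimensions rather than reaching into the `rows_` member directly. Both function bodies start and end outside the hunks.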
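Review bot: In jas_matrix_divpow2() the guard tests only the pointer, while the loop initializer right below still evaluates `matrix->rows_[0]` before the `i > 0` test, so safety rests on the assumption that a non-NULL `rows_` always has at least one valid entry. Keying the early return on the dimension as well, `if (!matrix->rows_ || matrix->numrows_ <= 0) { return; }`, makes that independent of how the matrix was allocated; the same applies to the identical hunks in jas_matrix_clip(), jas_matrix_asr(), jas_matrix_asl() and jas_matrix_setall(). Since the four-line guard is repeated five times, a single static helper or macro with a comment naming the empty-matrix case would keep the copies from drifting apart. The function bodies continue outside the hunks.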
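Review bot: In jas_matrix_asr() the early return is placed ahead of `assert(n >= 0);`, so a call with a negative `n` on an empty matrix no longer trips the precondition check in debug builds. Putting the guard after the assert keeps the argument contract checked on every call: `assert(n >= 0);` first, then `if (!matrix->rows_) { return; }`. The rest of the function is outside the hunk.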
@@ -367,6 +383,10 @@ void jas_matrix_setall(jas_matrix_t *mat
 int rowstep;
 jas_seqent_t *data;
 
+ if (!matrix->rows_) {
+ return;
+ }
+
 rowstep = jas_matrix_rowstep(matrix);
 for (i = matrix->numrows_, rowstart = matrix->rows_[0]; i > 0; --i,
 rowstart += rowstep) {