apoleon/CVE-2018-19540.patch

## CVE-2018-19540.patch
From: Markus Koschany <apo@debian.org>
Date: Tue, 1 Jan 2019 18:41:34 +0100
Subject: CVE-2018-19540

If the asclen value is smaller than 1 the array index will be negative
which causes the heap-based overflow.

Bug-Upstream: https://github.com/mdadams/jasper/issues/182
---
 src/libjasper/base/jas_icc.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/src/libjasper/base/jas_icc.c b/src/libjasper/base/jas_icc.c
index 4607930..762c0e8 100644
--- a/src/libjasper/base/jas_icc.c
+++ b/src/libjasper/base/jas_icc.c
@@ -1104,6 +1104,8 @@ static int jas_icctxtdesc_input(jas_iccattrval_t *attrval, jas_stream_t *in,
 	if (jas_stream_read(in, txtdesc->ascdata, txtdesc->asclen) !=
 	  JAS_CAST(int, txtdesc->asclen))
 		goto error;
+	if (txtdesc->asclen < 1)
+		goto error;
 	txtdesc->ascdata[txtdesc->asclen - 1] = '\0';
 	if (jas_iccgetuint32(in, &txtdesc->uclangcode) ||
 	  jas_iccgetuint32(in, &txtdesc->uclen))
	From: Markus Koschany <apo@debian.org>
	Date: Tue, 1 Jan 2019 18:41:34 +0100
	Subject: CVE-2018-19540

	If the asclen value is smaller than 1 the array index will be negative
	which causes the heap-based overflow.

	Bug-Upstream: https://github.com/mdadams/jasper/issues/182
	---
	src/libjasper/base/jas_icc.c \| 2 ++
	1 file changed, 2 insertions(+)

	diff --git a/src/libjasper/base/jas_icc.c b/src/libjasper/base/jas_icc.c
	index 4607930..762c0e8 100644
	--- a/src/libjasper/base/jas_icc.c
	+++ b/src/libjasper/base/jas_icc.c
	@@ -1104,6 +1104,8 @@ static int jas_icctxtdesc_input(jas_iccattrval_t attrval, jas_stream_t in,
	if (jas_stream_read(in, txtdesc->ascdata, txtdesc->asclen) !=
	JAS_CAST(int, txtdesc->asclen))
	goto error;
	+ if (txtdesc->asclen < 1)
	+ goto error;
	txtdesc->ascdata[txtdesc->asclen - 1] = '\0';
	if (jas_iccgetuint32(in, &txtdesc->uclangcode) \|\|
	jas_iccgetuint32(in, &txtdesc->uclen))