Created
January 3, 2019 10:35
-
-
Save apoleon/3e9d4e86c51d16c7e551a1cc538528b9 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| From: Markus Koschany <apo@debian.org> | |
| Date: Tue, 1 Jan 2019 17:20:00 +0100 | |
| Subject: CVE-2018-19541 | |
| The index v of lutents[v] will be negative if numlutents is smaller than 1. | |
| This causes the heap-based buffer overflow because the lutents[] starts at 0. | |
| Bug-Upstream: https://github.com/mdadams/jasper/issues/182 | |
| --- | |
| src/libjasper/base/jas_image.c | 3 +++ | |
| 1 file changed, 3 insertions(+) | |
| diff --git a/src/libjasper/base/jas_image.c b/src/libjasper/base/jas_image.c | |
| index e71b86a..00f37cd 100644 | |
| --- a/src/libjasper/base/jas_image.c | |
| +++ b/src/libjasper/base/jas_image.c | |
| @@ -975,6 +975,9 @@ int jas_image_depalettize(jas_image_t *image, int cmptno, int numlutents, | |
| cmptparms.prec = JAS_IMAGE_CDT_GETPREC(dtype); | |
| cmptparms.sgnd = JAS_IMAGE_CDT_GETSGND(dtype); | |
| + if (numlutents < 1) { | |
| + return -1; | |
| + } | |
| if (jas_image_addcmpt(image, newcmptno, &cmptparms)) { | |
| return -1; | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment