From aa8516b28344aa1263ee538bb7366c4679a0e1a5 Mon Sep 17 00:00:00 2001
|
|
From: Max Kellermann <max.kellermann@gmail.com>
|
|
Date: Wed, 24 Jun 2020 21:41:24 +0200
|
|
Subject: [PATCH] jpc_t2dec: fix various memory leaks in jpc_dec_decodepkt()
|
|
|
|
Fixes CVE-2018-20622
|
|
|
|
Closes https://github.com/jasper-maint/jasper/issues/12
|
|
Closes https://github.com/mdadams/jasper/issues/193
|
|
---
|
|
src/libjasper/jpc/jpc_t2dec.c | 9 +++++++++
|
|
1 file changed, 9 insertions(+)
|
|
|
|
diff --git a/src/libjasper/jpc/jpc_t2dec.c b/src/libjasper/jpc/jpc_t2dec.c
|
|
index 81d1f61..e88ccb6 100644
|
|
--- a/src/libjasper/jpc/jpc_t2dec.c
|
|
+++ b/src/libjasper/jpc/jpc_t2dec.c
|
|
@@ -225,6 +225,7 @@ hdroffstart = jas_stream_getrwcount(pkthdrstream);
|
|
}
|
|
|
|
if ((present = jpc_bitstream_getbit(inb)) < 0) {
|
|
+ jpc_bitstream_close(inb);
|
|
return 1;
|
|
}
|
|
JAS_DBGLOG(10, ("\n", present));
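Review bot: The failure path for `jpc_bitstream_getbit(inb)` on the `present` bit returns `1`, while every other error return touched by this patch returns `-1`. If any caller tests the result with `< 0`, a truncated packet header would be reported as success on this path; the callers are not visible here, so this needs confirming. Unless the positive value is deliberate, `return -1;` after the added `jpc_bitstream_close(inb);` would keep the error contract uniform. The enclosing function begins and ends outside the hunk.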
|
|
@@ -252,10 +253,12 @@ hdroffstart = jas_stream_getrwcount(pkthdrstream);
|
|
if (!cblk->numpasses) {
|
|
leaf = jpc_tagtree_getleaf(prc->incltagtree, usedcblkcnt - 1);
|
|
if ((included = jpc_tagtree_decode(prc->incltagtree, leaf, lyrno + 1, inb)) < 0) {
|
|
+ jpc_bitstream_close(inb);
|
|
return -1;
|
|
}
|
|
} else {
|
|
if ((included = jpc_bitstream_getbit(inb)) < 0) {
|
|
+ jpc_bitstream_close(inb);
|
|
return -1;
|
|
}
|
|
}
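Review bot: The added `jpc_bitstream_close(inb);` is repeated by hand before each early return, twice here and again in the hunks at new lines 272, 284, 293, 304, 319 and 341. The next error path added to this function could therefore reintroduce the kind of leak this commit fixes for CVE-2018-20622. A single exit label would keep the release in one place: replace each close-and-return pair with `goto error;` and end the function with `error: jpc_bitstream_close(inb); return -1;`. That only holds if `inb` is still open at every jump site, which cannot be checked from these hunks because the function body extends beyond them.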
|
|
@@ -269,6 +272,7 @@ hdroffstart = jas_stream_getrwcount(pkthdrstream);
|
|
leaf = jpc_tagtree_getleaf(prc->numimsbstagtree, usedcblkcnt - 1);
|
|
for (;;) {
|
|
if ((ret = jpc_tagtree_decode(prc->numimsbstagtree, leaf, i, inb)) < 0) {
|
|
+ jpc_bitstream_close(inb);
|
|
return -1;
|
|
}
|
|
if (ret) {
|
|
@@ -280,6 +284,7 @@ hdroffstart = jas_stream_getrwcount(pkthdrstream);
|
|
cblk->firstpassno = cblk->numimsbs * 3;
|
|
}
|
|
if ((numnewpasses = jpc_getnumnewpasses(inb)) < 0) {
|
|
+ jpc_bitstream_close(inb);
|
|
return -1;
|
|
}
|
|
JAS_DBGLOG(10, ("numnewpasses=%d ", numnewpasses));
|
|
@@ -288,6 +293,7 @@ hdroffstart = jas_stream_getrwcount(pkthdrstream);
|
|
mycounter = 0;
|
|
if (numnewpasses > 0) {
|
|
if ((m = jpc_getcommacode(inb)) < 0) {
|
|
+ jpc_bitstream_close(inb);
|
|
return -1;
|
|
}
|
|
cblk->numlenbits += m;
|
|
@@ -298,6 +304,7 @@ hdroffstart = jas_stream_getrwcount(pkthdrstream);
|
|
maxpasses = JPC_SEGPASSCNT(passno, cblk->firstpassno, 10000, (ccp->cblkctx & JPC_COX_LAZY) != 0, (ccp->cblkctx & JPC_COX_TERMALL) != 0);
|
|
if (!discard && !seg) {
|
|
if (!(seg = jpc_seg_alloc())) {
|
|
+ jpc_bitstream_close(inb);
|
|
return -1;
|
|
}
|
|
jpc_seglist_insert(&cblk->segs, cblk->segs.tail, seg);
|
|
@@ -312,6 +319,7 @@ hdroffstart = jas_stream_getrwcount(pkthdrstream);
|
|
mycounter += n;
|
|
numnewpasses -= n;
|
|
if ((len = jpc_bitstream_getbits(inb, cblk->numlenbits + jpc_floorlog2(n))) < 0) {
|
|
+ jpc_bitstream_close(inb);
|
|
return -1;
|
|
}
|
|
JAS_DBGLOG(10, ("len=%d ", len));
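Review bot: The width passed to `jpc_bitstream_getbits()` is `cblk->numlenbits + jpc_floorlog2(n)`, and `numlenbits` is increased by `m` read from the codestream in the hunk at new line 293, with no upper bound visible in this patch. Whether `jpc_bitstream_getbits()` rejects an oversized width or only asserts on it is not shown here and should be confirmed. If it does not reject it, a guard before the call is needed, such as `if (cblk->numlenbits + jpc_floorlog2(n) > MAX_WIDTH) { jpc_bitstream_close(inb); return -1; }`, where `MAX_WIDTH` is a placeholder for the largest width that function accepts. The surrounding loop starts and ends outside the hunk.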
|
|
@@ -333,6 +341,7 @@ hdroffstart = jas_stream_getrwcount(pkthdrstream);
|
|
} else {
|
|
if (jpc_bitstream_inalign(inb, 0x7f, 0)) {
|
|
jas_eprintf("alignment failed\n");
|
|
+ jpc_bitstream_close(inb);
|
|
return -1;
|
|
}
|
|
}
|