kumquat-buildroot/package/jasper/0003-test-asclen-CVE-2018-19540.patch

From e38454aa1a15b78c028a778fc8bfba3587e25c25 Mon Sep 17 00:00:00 2001
From: Michael Vetter <jubalh@iodoru.org>
Date: Fri, 15 Mar 2019 11:01:02 +0100
Subject: [PATCH] Make sure asclen is at least 1

If txtdesc->asclen is < 1, the array index of txtdesc->ascdata will be negative which causes the heap based overflow.

Regards CVE-2018-19540.
Regards https://github.com/mdadams/jasper/issues/182 bug#3
Fix by Markus Koschany <apo@debian.org>.
From https://gist.github.com/apoleon/13598a45bf6522f6a79b77a629205823
Signed-off-by: Michael Vetter <jubalh@iodoru.org>
---
 src/libjasper/base/jas_icc.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/src/libjasper/base/jas_icc.c b/src/libjasper/base/jas_icc.c
index 4607930..762c0e8 100644
--- a/src/libjasper/base/jas_icc.c
+++ b/src/libjasper/base/jas_icc.c
@@ -1104,6 +1104,8 @@ static int jas_icctxtdesc_input(jas_iccattrval_t *attrval, jas_stream_t *in,
 	if (jas_stream_read(in, txtdesc->ascdata, txtdesc->asclen) !=
 	  JAS_CAST(int, txtdesc->asclen))
 		goto error;
+	if (txtdesc->asclen < 1)
+		goto error;
 	txtdesc->ascdata[txtdesc->asclen - 1] = '\0';
 	if (jas_iccgetuint32(in, &txtdesc->uclangcode) ||
 	  jas_iccgetuint32(in, &txtdesc->uclen))