jasper-software / jasper

Official Repository for the JasPer Image Coding Toolkit
http://www.ece.uvic.ca/~mdadams/jasper

Fix for CVE-2018-19541 #244

Closed theta682 closed 4 years ago

theta682 commented 4 years ago

The fix was not backported from jasper-maint properly. In the commit 27d5a884598e909b6e88ee8bf0c5db300a418adb (see jasper-maint/jasper#25) the numlutents field is only validated in the encoder, but jas_image_depalettize is used only in the decoder. The decoder should validate incoming data, otherwise a specifically crafted file can crash the application. If numlutents is exactly 0, v can be too big, as unsigned -1, on line 1044.
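As an added example (not JasPer's code and not the patch in this PR), a simplified palette expansion that models the check the report asks the decoder to perform; the function names and the MAX_LUTENTS bound are assumptions:

```c
/* Added example, not JasPer's code: a simplified palette expansion in the
 * style of jas_image_depalettize, modelling why the decoder must validate
 * numlutents itself before deriving an index bound from it. */
#include <stddef.h>
#include <stdint.h>

#define MAX_LUTENTS 1024u /* assumed sane upper bound, not JasPer's */

/* Unvalidated bound, as the report describes: with numlutents == 0 the
 * unsigned subtraction yields UINT_MAX, so a later "v > maxidx" clamp
 * never fires and any sample value indexes past the end of the LUT. */
static unsigned unchecked_maxidx(unsigned numlutents)
{
    return numlutents - 1;
}

/* Hardened variant: reject an empty or oversized palette before the
 * bound is derived, then clamp each sample into [0, numlutents-1].
 * Returns 0 on success, -1 when the palette header is unusable. */
static int depalettize_checked(const int32_t *lut, unsigned numlutents,
                               const unsigned *samples, size_t n,
                               int32_t *out)
{
    if (numlutents == 0 || numlutents > MAX_LUTENTS)
        return -1;
    unsigned maxidx = numlutents - 1; /* cannot wrap: numlutents >= 1 */
    for (size_t i = 0; i < n; i++) {
        unsigned v = samples[i];
        if (v > maxidx)
            v = maxidx; /* out-of-range palette index, clamp it */
        out[i] = lut[v];
    }
    return 0;
}

/* Runs both paths on constructed data. Returns the sum of the expanded
 * samples on success, or -1 if the empty palette was not rejected. */
static int32_t demo(void)
{
    static const int32_t lut[4] = {10, 20, 30, 40};  /* constructed LUT */
    static const unsigned samples[3] = {0, 3, 9};    /* 9 is out of range */
    int32_t out[3];
    if (depalettize_checked(lut, 0, samples, 3, out) != -1)
        return -1; /* an empty palette must be refused by the decoder */
    if (depalettize_checked(lut, 4, samples, 3, out) != 0)
        return -1;
    return out[0] + out[1] + out[2]; /* 10 + 40 + 40 = 90 */
}
```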

jubalh commented 4 years ago

Please also state in the commit message which commit contains the not correctly backported fix.

theta682 commented 4 years ago

@jubalh I updated the fix with a reference to jasper-maint/jasper#25 commit

theta682 commented 4 years ago

@jubalh is this fix going to be merged? The decoder still has a problem.

jubalh commented 4 years ago

@theta682

The fix was not backported from jasper-maint properly.

Why not backported properly? It seems the fix that you show here was not proposed somewhere else yet, right? So there was no problem when backporting, the fix was just incomplete.

So it is more like https://github.com/jasper-software/jasper/commit/27d5a884598e909b6e88ee8bf0c5db300a418adb is only fixing the encoder. And this PR fixes the decoder. Correct?

theta682 commented 4 years ago

> @theta682
>
> The fix was not backported from jasper-maint properly.
>
> Why not backported properly? It seems the fix that you show here was not proposed somewhere else yet, right? So there was no problem when backporting, the fix was just incomplete.
>
> So it is more like 27d5a88 is only fixing the encoder. And this PR fixes the decoder. Correct?

I don't remember exactly where it was reported. Initially the problem was fixed in the decoder and you @jubalh agreed with the fix, but in jasper-maint this CVE was fixed in the encoder only. So, it was not fixing the initial problem in the decoder.