Closed theta682 closed 4 years ago
Please also state in the commit message which commit contains the not correctly backported fix.
@jubalh I updated the fix with a reference to jasper-maint/jasper#25 commit
@jubalh is this fix going to be merged? The decoder still has a problem.
@theta682
> The fix was not backported from jasper-maint properly.

Why not backported properly? It seems the fix that you show here was not proposed somewhere else yet, right? So there was no problem when backporting; the fix was just incomplete.
So it is more like https://github.com/jasper-software/jasper/commit/27d5a884598e909b6e88ee8bf0c5db300a418adb is only fixing the encoder. And this PR fixes the decoder. Correct?
I don't remember exactly where it was reported. Initially the problem was fixed in the decoder and you @jubalh agreed with the fix, but in jasper-maint this CVE was fixed in the encoder only. So, it was not fixing the initial problem in the decoder.
The fix was not backported from jasper-maint properly. The commit 27d5a884598e909b6e88ee8bf0c5db300a418adb (see jasper-maint/jasper#25)
The `numlutents` field is only validated in the encoder, but `jas_image_depalettize` is used only in the decoder. The decoder should validate incoming data, otherwise a specifically crafted file can crash the application. If `numlutents` is exactly 0, `v` can be too big, as unsigned `-1`, on line 1044.
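The following C sketch is an added example, not JasPer's code or the patch from this PR. It shows why a table size of 0 turns the upper clamp into an unsigned -1, and where a decoder-side check belongs. The names `clamp_index`, `depalettize_checked` and `run_sample` are hypothetical, and the table and samples are constructed.

```c
#include <stddef.h>
#include <stdint.h>

/* Clamp a decoded sample to a valid index into a table of numlutents
 * entries. With numlutents == 0 the upper clamp computes 0 - 1 in unsigned
 * arithmetic and yields SIZE_MAX, so the caller must never pass 0. */
size_t clamp_index(long sample, size_t numlutents)
{
    if (sample < 0)
        return 0;
    if ((size_t)sample >= numlutents)
        return numlutents - 1;
    return (size_t)sample;
}

/* Decoder-side lookup: validate the table size read from the file before
 * any index is derived from it. Returns 0 on success, -1 on rejection. */
int depalettize_checked(const int32_t *lut, size_t numlutents,
                        const long *samples, size_t n, int32_t *out)
{
    if (lut == NULL || numlutents == 0)
        return -1;
    for (size_t i = 0; i < n; i++)
        out[i] = lut[clamp_index(samples[i], numlutents)];
    return 0;
}

/* Constructed sample: 3-entry table, samples below, inside and above range.
 * Returns the looked-up value for samples[which], or -1 if rejected. */
long run_sample(size_t numlutents, size_t which)
{
    static const int32_t lut[3] = { 10, 20, 30 };
    static const long samples[3] = { -4, 1, 99 };
    int32_t out[3] = { 0, 0, 0 };

    if (depalettize_checked(lut, numlutents, samples, 3, out) != 0)
        return -1;
    return out[which];
}
```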