Make sure asclen is at least 1

If txtdesc->asclen is < 1, the array index of txtdesc->ascdata will be negative which causes the heap based overflow. Regards CVE-2018-19540. Regards jasper-software/jasper#182 bug#3 Fix by Markus Koschany <apo@debian.org>. From https://gist.github.com/apoleon/13598a45bf6522f6a79b77a629205823 Location adapted. See: jasper-software/jasper#198 Fix #22
jasper-maint · Jun 19, 2020 · 0fac004 · 0fac004
1 parent 84d00fb
commit 0fac004
Showing 1 changed file with 2 additions and 0 deletions.
diff --git a/src/libjasper/base/jas_icc.c b/src/libjasper/base/jas_icc.c
@@ -1099,6 +1099,8 @@ static int jas_icctxtdesc_input(jas_iccattrval_t *attrval, jas_stream_t *in,
 	txtdesc->ucdata = 0;
 	if (jas_iccgetuint32(in, &txtdesc->asclen))
 		goto error;
+	if (txtdesc->asclen < 1)
+		goto error;
 	if (!(txtdesc->ascdata = jas_malloc(txtdesc->asclen)))
 		goto error;
 	if (jas_stream_read(in, txtdesc->ascdata, txtdesc->asclen) !=