$OpenBSD: patch-src_libjasper_base_jas_image_c,v 1.2 2016/02/04 10:08:07 jasper Exp $

Security fix for CVE-2016-2089, patch (rows_ NULL check) from RH:
https://bugzilla.redhat.com/show_bug.cgi?id=1302636

--- src/libjasper/base/jas_image.c.orig	Thu Feb  4 10:57:40 2016
+++ src/libjasper/base/jas_image.c	Thu Feb  4 10:57:15 2016
@@ -142,7 +142,7 @@ jas_image_t *jas_image_create(int numcmpts, jas_image_
 	image->inmem_ = true;
 
 	/* Allocate memory for the per-component information. */
-	if (!(image->cmpts_ = jas_malloc(image->maxcmpts_ *
+	if (!(image->cmpts_ = jas_alloc2(image->maxcmpts_,
 	  sizeof(jas_image_cmpt_t *)))) {
 		jas_image_destroy(image);
 		return 0;
@@ -426,6 +426,10 @@ int jas_image_readcmpt(jas_image_t *image, int cmptno,
 		return -1;
 	}
 
+	if (!data->rows_) {
+		return -1;
+	}
+
 	if (jas_matrix_numrows(data) != height || jas_matrix_numcols(data) != width) {
 		if (jas_matrix_resize(data, height, width)) {
 			return -1;
@@ -479,6 +483,10 @@ int jas_image_writecmpt(jas_image_t *image, int cmptno
 		return -1;
 	}
 
+	if (!data->rows_) {
+		return -1;
+	}
+
 	if (jas_matrix_numrows(data) != height || jas_matrix_numcols(data) != width) {
 		return -1;
 	}
@@ -774,8 +782,7 @@ static int jas_image_growcmpts(jas_image_t *image, int
 	jas_image_cmpt_t **newcmpts;
 	int cmptno;
 
-	newcmpts = (!image->cmpts_) ? jas_malloc(maxcmpts * sizeof(jas_image_cmpt_t *)) :
-	  jas_realloc(image->cmpts_, maxcmpts * sizeof(jas_image_cmpt_t *));
+	newcmpts = jas_realloc2(image->cmpts_, maxcmpts, sizeof(jas_image_cmpt_t *));
 	if (!newcmpts) {
 		return -1;
 	}
