$OpenBSD: patch-src_libjasper_jpc_jpc_dec_c,v 1.4 2015/11/06 22:28:29 sthen Exp $

Security fixes from Slackware:
	CVE-2014-8157: off-by-one
	CVE-2014-9029: multiple off-by-one

--- src/libjasper/jpc/jpc_dec.c.orig	Fri Jan 19 13:43:07 2007
+++ src/libjasper/jpc/jpc_dec.c	Thu Oct 29 22:08:08 2015
@@ -449,7 +449,7 @@ static int jpc_dec_process_sot(jpc_dec_t *dec, jpc_ms_
 
 	if (dec->state == JPC_MH) {
 
-		compinfos = jas_malloc(dec->numcomps * sizeof(jas_image_cmptparm_t));
+		compinfos = jas_alloc2(dec->numcomps, sizeof(jas_image_cmptparm_t));
 		assert(compinfos);
 		for (cmptno = 0, cmpt = dec->cmpts, compinfo = compinfos;
 		  cmptno < dec->numcomps; ++cmptno, ++cmpt, ++compinfo) {
@@ -489,7 +489,7 @@ static int jpc_dec_process_sot(jpc_dec_t *dec, jpc_ms_
 		dec->curtileendoff = 0;
 	}
 
-	if (JAS_CAST(int, sot->tileno) > dec->numtiles) {
+	if (JAS_CAST(int, sot->tileno) >= dec->numtiles) {
 		jas_eprintf("invalid tile number in SOT marker segment\n");
 		return -1;
 	}
@@ -692,7 +692,7 @@ static int jpc_dec_tileinit(jpc_dec_t *dec, jpc_dec_ti
 			tile->realmode = 1;
 		}
 		tcomp->numrlvls = ccp->numrlvls;
-		if (!(tcomp->rlvls = jas_malloc(tcomp->numrlvls *
+		if (!(tcomp->rlvls = jas_alloc2(tcomp->numrlvls,
 		  sizeof(jpc_dec_rlvl_t)))) {
 			return -1;
 		}
@@ -764,7 +764,7 @@ rlvl->bands = 0;
 			  rlvl->cbgheightexpn);
 
 			rlvl->numbands = (!rlvlno) ? 1 : 3;
-			if (!(rlvl->bands = jas_malloc(rlvl->numbands *
+			if (!(rlvl->bands = jas_alloc2(rlvl->numbands,
 			  sizeof(jpc_dec_band_t)))) {
 				return -1;
 			}
@@ -797,7 +797,7 @@ rlvl->bands = 0;
 
 				assert(rlvl->numprcs);
 
-				if (!(band->prcs = jas_malloc(rlvl->numprcs * sizeof(jpc_dec_prc_t)))) {
+				if (!(band->prcs = jas_alloc2(rlvl->numprcs, sizeof(jpc_dec_prc_t)))) {
 					return -1;
 				}
 
@@ -834,7 +834,7 @@ rlvl->bands = 0;
 			if (!(prc->numimsbstagtree = jpc_tagtree_create(prc->numhcblks, prc->numvcblks))) {
 				return -1;
 			}
-			if (!(prc->cblks = jas_malloc(prc->numcblks * sizeof(jpc_dec_cblk_t)))) {
+			if (!(prc->cblks = jas_alloc2(prc->numcblks, sizeof(jpc_dec_cblk_t)))) {
 				return -1;
 			}
 
@@ -1181,7 +1181,7 @@ static int jpc_dec_process_siz(jpc_dec_t *dec, jpc_ms_
 		return -1;
 	}
 
-	if (!(dec->cmpts = jas_malloc(dec->numcomps * sizeof(jpc_dec_cmpt_t)))) {
+	if (!(dec->cmpts = jas_alloc2(dec->numcomps, sizeof(jpc_dec_cmpt_t)))) {
 		return -1;
 	}
 
@@ -1204,7 +1204,7 @@ static int jpc_dec_process_siz(jpc_dec_t *dec, jpc_ms_
 	dec->numhtiles = JPC_CEILDIV(dec->xend - dec->tilexoff, dec->tilewidth);
 	dec->numvtiles = JPC_CEILDIV(dec->yend - dec->tileyoff, dec->tileheight);
 	dec->numtiles = dec->numhtiles * dec->numvtiles;
-	if (!(dec->tiles = jas_malloc(dec->numtiles * sizeof(jpc_dec_tile_t)))) {
+	if (!(dec->tiles = jas_alloc2(dec->numtiles, sizeof(jpc_dec_tile_t)))) {
 		return -1;
 	}
 
@@ -1228,7 +1228,7 @@ static int jpc_dec_process_siz(jpc_dec_t *dec, jpc_ms_
 		tile->pkthdrstreampos = 0;
 		tile->pptstab = 0;
 		tile->cp = 0;
-		if (!(tile->tcomps = jas_malloc(dec->numcomps *
+		if (!(tile->tcomps = jas_alloc2(dec->numcomps,
 		  sizeof(jpc_dec_tcomp_t)))) {
 			return -1;
 		}
@@ -1280,7 +1280,7 @@ static int jpc_dec_process_coc(jpc_dec_t *dec, jpc_ms_
 	jpc_coc_t *coc = &ms->parms.coc;
 	jpc_dec_tile_t *tile;
 
-	if (JAS_CAST(int, coc->compno) > dec->numcomps) {
+	if (JAS_CAST(int, coc->compno) >= dec->numcomps) {
 		jas_eprintf("invalid component number in COC marker segment\n");
 		return -1;
 	}
@@ -1306,7 +1306,7 @@ static int jpc_dec_process_rgn(jpc_dec_t *dec, jpc_ms_
 	jpc_rgn_t *rgn = &ms->parms.rgn;
 	jpc_dec_tile_t *tile;
 
-	if (JAS_CAST(int, rgn->compno) > dec->numcomps) {
+	if (JAS_CAST(int, rgn->compno) >= dec->numcomps) {
 		jas_eprintf("invalid component number in RGN marker segment\n");
 		return -1;
 	}
@@ -1355,7 +1355,7 @@ static int jpc_dec_process_qcc(jpc_dec_t *dec, jpc_ms_
 	jpc_qcc_t *qcc = &ms->parms.qcc;
 	jpc_dec_tile_t *tile;
 
-	if (JAS_CAST(int, qcc->compno) > dec->numcomps) {
+	if (JAS_CAST(int, qcc->compno) >= dec->numcomps) {
 		jas_eprintf("invalid component number in QCC marker segment\n");
 		return -1;
 	}
@@ -1466,7 +1466,9 @@ static int jpc_dec_process_unk(jpc_dec_t *dec, jpc_ms_
 	dec = 0;
 
 	jas_eprintf("warning: ignoring unknown marker segment\n");
-	jpc_ms_dump(ms, stderr);
+	if (jas_getdbglevel() >= 1) {
+		jpc_ms_dump(ms, stderr);
+	}
 	return 0;
 }
 
@@ -1489,7 +1491,7 @@ static jpc_dec_cp_t *jpc_dec_cp_create(uint_fast16_t n
 	cp->numlyrs = 0;
 	cp->mctid = 0;
 	cp->csty = 0;
-	if (!(cp->ccps = jas_malloc(cp->numcomps * sizeof(jpc_dec_ccp_t)))) {
+	if (!(cp->ccps = jas_alloc2(cp->numcomps, sizeof(jpc_dec_ccp_t)))) {
 		return 0;
 	}
 	if (!(cp->pchglist = jpc_pchglist_create())) {
@@ -2048,7 +2050,7 @@ jpc_streamlist_t *jpc_streamlist_create()
 	}
 	streamlist->numstreams = 0;
 	streamlist->maxstreams = 100;
-	if (!(streamlist->streams = jas_malloc(streamlist->maxstreams *
+	if (!(streamlist->streams = jas_alloc2(streamlist->maxstreams,
 	  sizeof(jas_stream_t *)))) {
 		jas_free(streamlist);
 		return 0;
@@ -2068,8 +2070,8 @@ int jpc_streamlist_insert(jpc_streamlist_t *streamlist
 	/* Grow the array of streams if necessary. */
 	if (streamlist->numstreams >= streamlist->maxstreams) {
 		newmaxstreams = streamlist->maxstreams + 1024;
-		if (!(newstreams = jas_realloc(streamlist->streams,
-		  (newmaxstreams + 1024) * sizeof(jas_stream_t *)))) {
+		if (!(newstreams = jas_realloc2(streamlist->streams,
+		  (newmaxstreams + 1024), sizeof(jas_stream_t *)))) {
 			return -1;
 		}
 		for (i = streamlist->numstreams; i < streamlist->maxstreams; ++i) {
@@ -2155,8 +2157,7 @@ int jpc_ppxstab_grow(jpc_ppxstab_t *tab, int maxents)
 {
 	jpc_ppxstabent_t **newents;
 	if (tab->maxents < maxents) {
-		newents = (tab->ents) ? jas_realloc(tab->ents, maxents *
-		  sizeof(jpc_ppxstabent_t *)) : jas_malloc(maxents * sizeof(jpc_ppxstabent_t *));
+		newents = jas_realloc2(tab->ents, maxents, sizeof(jpc_ppxstabent_t *));
 		if (!newents) {
 			return -1;
 		}
