diff options
author | Kai Kang <kai.kang@windriver.com> | 2022-02-15 17:34:12 +0800 |
---|---|---|
committer | Khem Raj <raj.khem@gmail.com> | 2022-02-16 08:26:02 -0800 |
commit | 33efb90737135ba568600996addf4dceac193dca (patch) | |
tree | 2928adb0f522c247c494c34ff84636e73dd82bbd /meta-oe | |
parent | ab6dd285b092d42e71de1d39a95e6ca4fea24662 (diff) | |
download | meta-openembedded-contrib-33efb90737135ba568600996addf4dceac193dca.tar.gz |
openjpeg: fix CVE-2021-29338
CVE: CVE-2021-29338
Ref:
* https://github.com/uclouvain/openjpeg/issues/1338
Signed-off-by: Kai Kang <kai.kang@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Diffstat (limited to 'meta-oe')
-rw-r--r-- | meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2021-29338.patch | 78 | ||||
-rw-r--r-- | meta-oe/recipes-graphics/openjpeg/openjpeg_2.4.0.bb | 1 |
2 files changed, 79 insertions, 0 deletions
diff --git a/meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2021-29338.patch b/meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2021-29338.patch new file mode 100644 index 0000000000..a7c2bb4f38 --- /dev/null +++ b/meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2021-29338.patch @@ -0,0 +1,78 @@ +Upstream-Status: Backport [https://github.com/uclouvain/openjpeg/pull/1395/commits/f0727df] +CVE: CVE-2021-29338 + +Signed-off-by: Kai Kang <kai.kang@windriver.com> + +From f0727df07c4d944d7d1c5002451cfbc9545d3288 Mon Sep 17 00:00:00 2001 +From: Brad Parham <brad.a.parham@intel.com> +Date: Wed, 12 Jan 2022 12:20:28 +0100 +Subject: [PATCH] Fix integer overflow in num_images + +Includes the fix for CVE-2021-29338 +Credit to @kaniini based on #1346 +Fixes #1338 +--- + src/bin/jp2/opj_compress.c | 4 ++-- + src/bin/jp2/opj_decompress.c | 5 ++--- + src/bin/jp2/opj_dump.c | 7 ++++--- + 3 files changed, 8 insertions(+), 8 deletions(-) + +diff --git a/src/bin/jp2/opj_compress.c b/src/bin/jp2/opj_compress.c +index 8c71d4536..1399d5277 100644 +--- a/src/bin/jp2/opj_compress.c ++++ b/src/bin/jp2/opj_compress.c +@@ -1959,9 +1959,9 @@ int main(int argc, char **argv) + num_images = get_num_images(img_fol.imgdirpath); + dirptr = (dircnt_t*)malloc(sizeof(dircnt_t)); + if (dirptr) { +- dirptr->filename_buf = (char*)malloc(num_images * OPJ_PATH_LEN * sizeof( ++ dirptr->filename_buf = (char*)calloc(num_images, OPJ_PATH_LEN * sizeof( + char)); /* Stores at max 10 image file names*/ +- dirptr->filename = (char**) malloc(num_images * sizeof(char*)); ++ dirptr->filename = (char**) calloc(num_images, sizeof(char*)); + if (!dirptr->filename_buf) { + ret = 0; + goto fin; +diff --git a/src/bin/jp2/opj_decompress.c b/src/bin/jp2/opj_decompress.c +index fc0012b63..e1217f891 100644 +--- a/src/bin/jp2/opj_decompress.c ++++ b/src/bin/jp2/opj_decompress.c +@@ -1374,14 +1374,13 @@ int main(int argc, char **argv) + return EXIT_FAILURE; + } + /* Stores at max 10 image file names */ +- dirptr->filename_buf = (char*)malloc(sizeof(char) * +- (size_t)num_images * OPJ_PATH_LEN); ++ dirptr->filename_buf = calloc((size_t) num_images, sizeof(char) * OPJ_PATH_LEN); + if (!dirptr->filename_buf) { + failed = 1; + goto fin; + } + +- dirptr->filename = (char**) malloc((size_t)num_images * sizeof(char*)); ++ dirptr->filename = (char**) calloc((size_t) num_images, sizeof(char*)); + + if (!dirptr->filename) { + failed = 1; +diff --git a/src/bin/jp2/opj_dump.c b/src/bin/jp2/opj_dump.c +index 6111d2ab6..d2646f10e 100644 +--- a/src/bin/jp2/opj_dump.c ++++ b/src/bin/jp2/opj_dump.c +@@ -515,13 +515,14 @@ int main(int argc, char *argv[]) + if (!dirptr) { + return EXIT_FAILURE; + } +- dirptr->filename_buf = (char*)malloc((size_t)num_images * OPJ_PATH_LEN * sizeof( +- char)); /* Stores at max 10 image file names*/ ++ /* Stores at max 10 image file names*/ ++ dirptr->filename_buf = (char*) calloc((size_t) num_images, ++ OPJ_PATH_LEN * sizeof(char)); + if (!dirptr->filename_buf) { + free(dirptr); + return EXIT_FAILURE; + } +- dirptr->filename = (char**) malloc((size_t)num_images * sizeof(char*)); ++ dirptr->filename = (char**) calloc((size_t) num_images, sizeof(char*)); + + if (!dirptr->filename) { + goto fails; diff --git a/meta-oe/recipes-graphics/openjpeg/openjpeg_2.4.0.bb b/meta-oe/recipes-graphics/openjpeg/openjpeg_2.4.0.bb index 0533f9262a..b41bb9eb8a 100644 --- a/meta-oe/recipes-graphics/openjpeg/openjpeg_2.4.0.bb +++ b/meta-oe/recipes-graphics/openjpeg/openjpeg_2.4.0.bb @@ -9,6 +9,7 @@ SRC_URI = " \ git://github.com/uclouvain/openjpeg.git;branch=master;protocol=https \ file://0002-Do-not-ask-cmake-to-export-binaries-they-don-t-make-.patch \ file://0001-This-patch-fixed-include-dir-to-usr-include-.-Obviou.patch \ + file://CVE-2021-29338.patch \ " SRCREV = "37ac30ceff6640bbab502388c5e0fa0bff23f505" S = "${WORKDIR}/git" |