meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2021-29338.patch


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78

Upstream-Status: Backport [https://github.com/uclouvain/openjpeg/pull/1395/commits/f0727df]
CVE: CVE-2021-29338

Signed-off-by: Kai Kang <kai.kang@windriver.com>

From f0727df07c4d944d7d1c5002451cfbc9545d3288 Mon Sep 17 00:00:00 2001
From: Brad Parham <brad.a.parham@intel.com>
Date: Wed, 12 Jan 2022 12:20:28 +0100
Subject: [PATCH] Fix integer overflow in num_images

Includes the fix for CVE-2021-29338
Credit to @kaniini based on #1346
Fixes #1338
---
 src/bin/jp2/opj_compress.c   | 4 ++--
 src/bin/jp2/opj_decompress.c | 5 ++---
 src/bin/jp2/opj_dump.c       | 7 ++++---
 3 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/src/bin/jp2/opj_compress.c b/src/bin/jp2/opj_compress.c
index 8c71d4536..1399d5277 100644
--- a/src/bin/jp2/opj_compress.c
+++ b/src/bin/jp2/opj_compress.c
@@ -1959,9 +1959,9 @@ int main(int argc, char **argv)
         num_images = get_num_images(img_fol.imgdirpath);
         dirptr = (dircnt_t*)malloc(sizeof(dircnt_t));
         if (dirptr) {
-            dirptr->filename_buf = (char*)malloc(num_images * OPJ_PATH_LEN * sizeof(
+            dirptr->filename_buf = (char*)calloc(num_images, OPJ_PATH_LEN * sizeof(
                     char)); /* Stores at max 10 image file names*/
-            dirptr->filename = (char**) malloc(num_images * sizeof(char*));
+            dirptr->filename = (char**) calloc(num_images, sizeof(char*));
             if (!dirptr->filename_buf) {
                 ret = 0;
                 goto fin;
diff --git a/src/bin/jp2/opj_decompress.c b/src/bin/jp2/opj_decompress.c
index fc0012b63..e1217f891 100644
--- a/src/bin/jp2/opj_decompress.c
+++ b/src/bin/jp2/opj_decompress.c
@@ -1374,14 +1374,13 @@ int main(int argc, char **argv)
             return EXIT_FAILURE;
         }
         /* Stores at max 10 image file names */
-        dirptr->filename_buf = (char*)malloc(sizeof(char) *
-                                             (size_t)num_images * OPJ_PATH_LEN);
+        dirptr->filename_buf = calloc((size_t) num_images, sizeof(char) * OPJ_PATH_LEN);
         if (!dirptr->filename_buf) {
             failed = 1;
             goto fin;
         }
 
-        dirptr->filename = (char**) malloc((size_t)num_images * sizeof(char*));
+        dirptr->filename = (char**) calloc((size_t) num_images, sizeof(char*));
 
         if (!dirptr->filename) {
             failed = 1;
diff --git a/src/bin/jp2/opj_dump.c b/src/bin/jp2/opj_dump.c
index 6111d2ab6..d2646f10e 100644
--- a/src/bin/jp2/opj_dump.c
+++ b/src/bin/jp2/opj_dump.c
@@ -515,13 +515,14 @@ int main(int argc, char *argv[])
         if (!dirptr) {
             return EXIT_FAILURE;
         }
-        dirptr->filename_buf = (char*)malloc((size_t)num_images * OPJ_PATH_LEN * sizeof(
-                char)); /* Stores at max 10 image file names*/
+        /* Stores at max 10 image file names*/
+        dirptr->filename_buf = (char*) calloc((size_t) num_images,
+                                              OPJ_PATH_LEN * sizeof(char));
         if (!dirptr->filename_buf) {
             free(dirptr);
             return EXIT_FAILURE;
         }
-        dirptr->filename = (char**) malloc((size_t)num_images * sizeof(char*));
+        dirptr->filename = (char**) calloc((size_t) num_images, sizeof(char*));
 
         if (!dirptr->filename) {
             goto fails;