Gitiles
Code Review Sign In
gerrit.openbmc.org / openbmc / openbmc / f7a3395e850d59f92b1f42550ec244f567df39eb / . / meta-openembedded / meta-oe / recipes-graphics / openjpeg / openjpeg / CVE-2021-29338.patch
blob: a7c2bb4f38804e80800b4fa6ce1a8e0166606d25 [file] [log] [blame]
Upstream-Status: Backport [https://github.com/uclouvain/openjpeg/pull/1395/commits/f0727df]
CVE: CVE-2021-29338
Signed-off-by: Kai Kang <kai.kang@windriver.com>
From f0727df07c4d944d7d1c5002451cfbc9545d3288 Mon Sep 17 00:00:00 2001
From: Brad Parham <brad.a.parham@intel.com>
Date: Wed, 12 Jan 2022 12:20:28 +0100
Subject: [PATCH] Fix integer overflow in num_images
Includes the fix for CVE-2021-29338
Credit to @kaniini based on #1346
Fixes #1338
---
src/bin/jp2/opj_compress.c | 4 ++--
src/bin/jp2/opj_decompress.c | 5 ++---
src/bin/jp2/opj_dump.c | 7 ++++---
3 files changed, 8 insertions(+), 8 deletions(-)
diff --git a/src/bin/jp2/opj_compress.c b/src/bin/jp2/opj_compress.c
index 8c71d4536..1399d5277 100644
--- a/src/bin/jp2/opj_compress.c
+++ b/src/bin/jp2/opj_compress.c
@@ -1959,9 +1959,9 @@ int main(int argc, char **argv)
num_images = get_num_images(img_fol.imgdirpath);
dirptr = (dircnt_t*)malloc(sizeof(dircnt_t));
if (dirptr) {
- dirptr->filename_buf = (char*)malloc(num_images * OPJ_PATH_LEN * sizeof(
+ dirptr->filename_buf = (char*)calloc(num_images, OPJ_PATH_LEN * sizeof(
char)); /* Stores at max 10 image file names*/
- dirptr->filename = (char**) malloc(num_images * sizeof(char*));
+ dirptr->filename = (char**) calloc(num_images, sizeof(char*));
if (!dirptr->filename_buf) {
ret = 0;
goto fin;
diff --git a/src/bin/jp2/opj_decompress.c b/src/bin/jp2/opj_decompress.c
index fc0012b63..e1217f891 100644
--- a/src/bin/jp2/opj_decompress.c
+++ b/src/bin/jp2/opj_decompress.c
@@ -1374,14 +1374,13 @@ int main(int argc, char **argv)
return EXIT_FAILURE;
}
/* Stores at max 10 image file names */
- dirptr->filename_buf = (char*)malloc(sizeof(char) *
- (size_t)num_images * OPJ_PATH_LEN);
+ dirptr->filename_buf = calloc((size_t) num_images, sizeof(char) * OPJ_PATH_LEN);
if (!dirptr->filename_buf) {
failed = 1;
goto fin;
}
- dirptr->filename = (char**) malloc((size_t)num_images * sizeof(char*));
+ dirptr->filename = (char**) calloc((size_t) num_images, sizeof(char*));
if (!dirptr->filename) {
failed = 1;
diff --git a/src/bin/jp2/opj_dump.c b/src/bin/jp2/opj_dump.c
index 6111d2ab6..d2646f10e 100644
--- a/src/bin/jp2/opj_dump.c
+++ b/src/bin/jp2/opj_dump.c
@@ -515,13 +515,14 @@ int main(int argc, char *argv[])
if (!dirptr) {
return EXIT_FAILURE;
}
- dirptr->filename_buf = (char*)malloc((size_t)num_images * OPJ_PATH_LEN * sizeof(
- char)); /* Stores at max 10 image file names*/
+ /* Stores at max 10 image file names*/
+ dirptr->filename_buf = (char*) calloc((size_t) num_images,
+ OPJ_PATH_LEN * sizeof(char));
if (!dirptr->filename_buf) {
free(dirptr);
return EXIT_FAILURE;
}
- dirptr->filename = (char**) malloc((size_t)num_images * sizeof(char*));
+ dirptr->filename = (char**) calloc((size_t) num_images, sizeof(char*));
if (!dirptr->filename) {
goto fails;