1Upstream-Status: Backport [https://github.com/uclouvain/openjpeg/pull/1395/commits/f0727df] 2CVE: CVE-2021-29338 3 4Signed-off-by: Kai Kang <kai.kang@windriver.com> 5 6From f0727df07c4d944d7d1c5002451cfbc9545d3288 Mon Sep 17 00:00:00 2001 7From: Brad Parham <brad.a.parham@intel.com> 8Date: Wed, 12 Jan 2022 12:20:28 +0100 9Subject: [PATCH] Fix integer overflow in num_images 10 11Includes the fix for CVE-2021-29338 12Credit to @kaniini based on #1346 13Fixes #1338 14--- 15 src/bin/jp2/opj_compress.c | 4 ++-- 16 src/bin/jp2/opj_decompress.c | 5 ++--- 17 src/bin/jp2/opj_dump.c | 7 ++++--- 18 3 files changed, 8 insertions(+), 8 deletions(-) 19 20diff --git a/src/bin/jp2/opj_compress.c b/src/bin/jp2/opj_compress.c 21index 8c71d4536..1399d5277 100644 22--- a/src/bin/jp2/opj_compress.c 23+++ b/src/bin/jp2/opj_compress.c 24@@ -1959,9 +1959,9 @@ int main(int argc, char **argv) 25 num_images = get_num_images(img_fol.imgdirpath); 26 dirptr = (dircnt_t*)malloc(sizeof(dircnt_t)); 27 if (dirptr) { 28- dirptr->filename_buf = (char*)malloc(num_images * OPJ_PATH_LEN * sizeof( 29+ dirptr->filename_buf = (char*)calloc(num_images, OPJ_PATH_LEN * sizeof( 30 char)); /* Stores at max 10 image file names*/ 31- dirptr->filename = (char**) malloc(num_images * sizeof(char*)); 32+ dirptr->filename = (char**) calloc(num_images, sizeof(char*)); 33 if (!dirptr->filename_buf) { 34 ret = 0; 35 goto fin; 36diff --git a/src/bin/jp2/opj_decompress.c b/src/bin/jp2/opj_decompress.c 37index fc0012b63..e1217f891 100644 38--- a/src/bin/jp2/opj_decompress.c 39+++ b/src/bin/jp2/opj_decompress.c 40@@ -1374,14 +1374,13 @@ int main(int argc, char **argv) 41 return EXIT_FAILURE; 42 } 43 /* Stores at max 10 image file names */ 44- dirptr->filename_buf = (char*)malloc(sizeof(char) * 45- (size_t)num_images * OPJ_PATH_LEN); 46+ dirptr->filename_buf = calloc((size_t) num_images, sizeof(char) * OPJ_PATH_LEN); 47 if (!dirptr->filename_buf) { 48 failed = 1; 49 goto fin; 50 } 51 52- dirptr->filename = (char**) malloc((size_t)num_images * sizeof(char*)); 53+ dirptr->filename = (char**) calloc((size_t) num_images, sizeof(char*)); 54 55 if (!dirptr->filename) { 56 failed = 1; 57diff --git a/src/bin/jp2/opj_dump.c b/src/bin/jp2/opj_dump.c 58index 6111d2ab6..d2646f10e 100644 59--- a/src/bin/jp2/opj_dump.c 60+++ b/src/bin/jp2/opj_dump.c 61@@ -515,13 +515,14 @@ int main(int argc, char *argv[]) 62 if (!dirptr) { 63 return EXIT_FAILURE; 64 } 65- dirptr->filename_buf = (char*)malloc((size_t)num_images * OPJ_PATH_LEN * sizeof( 66- char)); /* Stores at max 10 image file names*/ 67+ /* Stores at max 10 image file names*/ 68+ dirptr->filename_buf = (char*) calloc((size_t) num_images, 69+ OPJ_PATH_LEN * sizeof(char)); 70 if (!dirptr->filename_buf) { 71 free(dirptr); 72 return EXIT_FAILURE; 73 } 74- dirptr->filename = (char**) malloc((size_t)num_images * sizeof(char*)); 75+ dirptr->filename = (char**) calloc((size_t) num_images, sizeof(char*)); 76 77 if (!dirptr->filename) { 78 goto fails; 79