openjpeg: fix CVE-2021-29338

CVE: CVE-2021-29338 Ref: * https://github.com/uclouvain/openjpeg/issues/1338 Signed-off-by: Kai Kang <kai.kang@windriver.com> Signed-off-by: Khem Raj <raj.khem@gmail.com>
author: Kai Kang <kai.kang@windriver.com> 2022-02-15 17:34:12 +0800
committer: Khem Raj <raj.khem@gmail.com> 2022-02-16 08:26:02 -0800
commit: 33efb90737135ba568600996addf4dceac193dca (patch)
tree: 2928adb0f522c247c494c34ff84636e73dd82bbd /meta-oe/recipes-graphics/openjpeg
parent: ab6dd285b092d42e71de1d39a95e6ca4fea24662 (diff)
download: meta-openembedded-33efb90737135ba568600996addf4dceac193dca.tar.gz
2 files changed, 79 insertions, 0 deletions
diff --git a/meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2021-29338.patch b/meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2021-29338.patch
new file mode 100644
index 000000000..a7c2bb4f3
--- /dev/null
+++ b/meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2021-29338.patch
@@ -0,0 +1,78 @@
+Upstream-Status: Backport [https://github.com/uclouvain/openjpeg/pull/1395/commits/f0727df]
+CVE: CVE-2021-29338
+Signed-off-by: Kai Kang <kai.kang@windriver.com>
+From f0727df07c4d944d7d1c5002451cfbc9545d3288 Mon Sep 17 00:00:00 2001
+From: Brad Parham <brad.a.parham@intel.com>
+Date: Wed, 12 Jan 2022 12:20:28 +0100
+Subject: [PATCH] Fix integer overflow in num_images
+Includes the fix for CVE-2021-29338
+Credit to @kaniini based on #1346
+Fixes #1338
+---
+ src/bin/jp2/opj_compress.c   | 4 ++--
+ src/bin/jp2/opj_decompress.c | 5 ++---
+ src/bin/jp2/opj_dump.c       | 7 ++++---
+ 3 files changed, 8 insertions(+), 8 deletions(-)
+diff --git a/src/bin/jp2/opj_compress.c b/src/bin/jp2/opj_compress.c
+index 8c71d4536..1399d5277 100644
+--- a/src/bin/jp2/opj_compress.c
+++ b/src/bin/jp2/opj_compress.c
+@@ -1959,9 +1959,9 @@ int main(int argc, char **argv)
+         num_images = get_num_images(img_fol.imgdirpath);
+         dirptr = (dircnt_t*)malloc(sizeof(dircnt_t));
+         if (dirptr) {
+-            dirptr->filename_buf = (char*)malloc(num_images * OPJ_PATH_LEN * sizeof(
+            dirptr->filename_buf = (char*)calloc(num_images, OPJ_PATH_LEN * sizeof(
+                     char)); /* Stores at max 10 image file names*/
+-            dirptr->filename = (char**) malloc(num_images * sizeof(char*));
+            dirptr->filename = (char**) calloc(num_images, sizeof(char*));
+             if (!dirptr->filename_buf) {
+                 ret = 0;
+                 goto fin;
+diff --git a/src/bin/jp2/opj_decompress.c b/src/bin/jp2/opj_decompress.c
+index fc0012b63..e1217f891 100644
+--- a/src/bin/jp2/opj_decompress.c
+++ b/src/bin/jp2/opj_decompress.c
+@@ -1374,14 +1374,13 @@ int main(int argc, char **argv)
+             return EXIT_FAILURE;
+         }
+         /* Stores at max 10 image file names */
+-        dirptr->filename_buf = (char*)malloc(sizeof(char) *
+-                                             (size_t)num_images * OPJ_PATH_LEN);
+        dirptr->filename_buf = calloc((size_t) num_images, sizeof(char) * OPJ_PATH_LEN);
+         if (!dirptr->filename_buf) {
+             failed = 1;
+             goto fin;
+         }
+ 
+-        dirptr->filename = (char**) malloc((size_t)num_images * sizeof(char*));
+        dirptr->filename = (char**) calloc((size_t) num_images, sizeof(char*));
+ 
+         if (!dirptr->filename) {
+             failed = 1;
+diff --git a/src/bin/jp2/opj_dump.c b/src/bin/jp2/opj_dump.c
+index 6111d2ab6..d2646f10e 100644
+--- a/src/bin/jp2/opj_dump.c
+++ b/src/bin/jp2/opj_dump.c
+@@ -515,13 +515,14 @@ int main(int argc, char *argv[])
+         if (!dirptr) {
+             return EXIT_FAILURE;
+         }
+-        dirptr->filename_buf = (char*)malloc((size_t)num_images * OPJ_PATH_LEN * sizeof(
+-                char)); /* Stores at max 10 image file names*/
+        /* Stores at max 10 image file names*/
+        dirptr->filename_buf = (char*) calloc((size_t) num_images,
+                                              OPJ_PATH_LEN * sizeof(char));
+         if (!dirptr->filename_buf) {
+             free(dirptr);
+             return EXIT_FAILURE;
+         }
+-        dirptr->filename = (char**) malloc((size_t)num_images * sizeof(char*));
+        dirptr->filename = (char**) calloc((size_t) num_images, sizeof(char*));
+ 
+         if (!dirptr->filename) {
+             goto fails;
diff --git a/meta-oe/recipes-graphics/openjpeg/openjpeg_2.4.0.bb b/meta-oe/recipes-graphics/openjpeg/openjpeg_2.4.0.bb
index 0533f9262..b41bb9eb8 100644
--- a/meta-oe/recipes-graphics/openjpeg/openjpeg_2.4.0.bb
+++ b/meta-oe/recipes-graphics/openjpeg/openjpeg_2.4.0.bb
@@ -9,6 +9,7 @@ SRC_URI = " \
    git://github.com/uclouvain/openjpeg.git;branch=master;protocol=https \
    file://0002-Do-not-ask-cmake-to-export-binaries-they-don-t-make-.patch \
    file://0001-This-patch-fixed-include-dir-to-usr-include-.-Obviou.patch \
+    file://CVE-2021-29338.patch \
 "
 SRCREV = "37ac30ceff6640bbab502388c5e0fa0bff23f505"
 S = "${WORKDIR}/git"
author	Kai Kang <kai.kang@windriver.com>	2022-02-15 17:34:12 +0800
committer	Khem Raj <raj.khem@gmail.com>	2022-02-16 08:26:02 -0800
commit	33efb90737135ba568600996addf4dceac193dca (patch)
tree	2928adb0f522c247c494c34ff84636e73dd82bbd /meta-oe/recipes-graphics/openjpeg
parent	ab6dd285b092d42e71de1d39a95e6ca4fea24662 (diff)
download	meta-openembedded-33efb90737135ba568600996addf4dceac193dca.tar.gz

diff --git a/meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2021-29338.patch b/meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2021-29338.patch new file mode 100644 index 000000000..a7c2bb4f3 --- /dev/null +++ b/meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2021-29338.patch
@@ -0,0 +1,78 @@
		1	Upstream-Status: Backport [https://github.com/uclouvain/openjpeg/pull/1395/commits/f0727df]
		2	CVE: CVE-2021-29338
		3
		4	Signed-off-by: Kai Kang <kai.kang@windriver.com>
		5
		6	From f0727df07c4d944d7d1c5002451cfbc9545d3288 Mon Sep 17 00:00:00 2001
		7	From: Brad Parham <brad.a.parham@intel.com>
		8	Date: Wed, 12 Jan 2022 12:20:28 +0100
		9	Subject: [PATCH] Fix integer overflow in num_images
		10
		11	Includes the fix for CVE-2021-29338
		12	Credit to @kaniini based on #1346
		13	Fixes #1338
		14	---
		15	src/bin/jp2/opj_compress.c \| 4 ++--
		16	src/bin/jp2/opj_decompress.c \| 5 ++---
		17	src/bin/jp2/opj_dump.c \| 7 ++++---
		18	3 files changed, 8 insertions(+), 8 deletions(-)
		19
		20	diff --git a/src/bin/jp2/opj_compress.c b/src/bin/jp2/opj_compress.c
		21	index 8c71d4536..1399d5277 100644
		22	--- a/src/bin/jp2/opj_compress.c
		23	+++ b/src/bin/jp2/opj_compress.c
		24	@@ -1959,9 +1959,9 @@ int main(int argc, char **argv)
		25	num_images = get_num_images(img_fol.imgdirpath);
		26	dirptr = (dircnt_t*)malloc(sizeof(dircnt_t));
		27	if (dirptr) {
		28	- dirptr->filename_buf = (char)malloc(num_images OPJ_PATH_LEN * sizeof(
		29	+ dirptr->filename_buf = (char)calloc(num_images, OPJ_PATH_LEN sizeof(
		30	char)); /* Stores at max 10 image file names*/
		31	- dirptr->filename = (char*) malloc(num_images sizeof(char*));
		32	+ dirptr->filename = (char*) calloc(num_images, sizeof(char));
		33	if (!dirptr->filename_buf) {
		34	ret = 0;
		35	goto fin;
		36	diff --git a/src/bin/jp2/opj_decompress.c b/src/bin/jp2/opj_decompress.c
		37	index fc0012b63..e1217f891 100644
		38	--- a/src/bin/jp2/opj_decompress.c
		39	+++ b/src/bin/jp2/opj_decompress.c
		40	@@ -1374,14 +1374,13 @@ int main(int argc, char **argv)
		41	return EXIT_FAILURE;
		42	}
		43	/* Stores at max 10 image file names */
		44	- dirptr->filename_buf = (char)malloc(sizeof(char)
		45	- (size_t)num_images * OPJ_PATH_LEN);
		46	+ dirptr->filename_buf = calloc((size_t) num_images, sizeof(char) * OPJ_PATH_LEN);
		47	if (!dirptr->filename_buf) {
		48	failed = 1;
		49	goto fin;
		50	}
		51
		52	- dirptr->filename = (char*) malloc((size_t)num_images sizeof(char*));
		53	+ dirptr->filename = (char*) calloc((size_t) num_images, sizeof(char));
		54
		55	if (!dirptr->filename) {
		56	failed = 1;
		57	diff --git a/src/bin/jp2/opj_dump.c b/src/bin/jp2/opj_dump.c
		58	index 6111d2ab6..d2646f10e 100644
		59	--- a/src/bin/jp2/opj_dump.c
		60	+++ b/src/bin/jp2/opj_dump.c
		61	@@ -515,13 +515,14 @@ int main(int argc, char *argv[])
		62	if (!dirptr) {
		63	return EXIT_FAILURE;
		64	}
		65	- dirptr->filename_buf = (char)malloc((size_t)num_images OPJ_PATH_LEN * sizeof(
		66	- char)); /* Stores at max 10 image file names*/
		67	+ /* Stores at max 10 image file names*/
		68	+ dirptr->filename_buf = (char*) calloc((size_t) num_images,
		69	+ OPJ_PATH_LEN * sizeof(char));
		70	if (!dirptr->filename_buf) {
		71	free(dirptr);
		72	return EXIT_FAILURE;
		73	}
		74	- dirptr->filename = (char*) malloc((size_t)num_images sizeof(char*));
		75	+ dirptr->filename = (char*) calloc((size_t) num_images, sizeof(char));
		76
		77	if (!dirptr->filename) {
		78	goto fails;


diff --git a/meta-oe/recipes-graphics/openjpeg/openjpeg_2.4.0.bb b/meta-oe/recipes-graphics/openjpeg/openjpeg_2.4.0.bb index 0533f9262..b41bb9eb8 100644 --- a/meta-oe/recipes-graphics/openjpeg/openjpeg_2.4.0.bb +++ b/meta-oe/recipes-graphics/openjpeg/openjpeg_2.4.0.bb
@@ -9,6 +9,7 @@ SRC_URI = " \
9	git://github.com/uclouvain/openjpeg.git;branch=master;protocol=https \	9	git://github.com/uclouvain/openjpeg.git;branch=master;protocol=https \
10	file://0002-Do-not-ask-cmake-to-export-binaries-they-don-t-make-.patch \	10	file://0002-Do-not-ask-cmake-to-export-binaries-they-don-t-make-.patch \
11	file://0001-This-patch-fixed-include-dir-to-usr-include-.-Obviou.patch \	11	file://0001-This-patch-fixed-include-dir-to-usr-include-.-Obviou.patch \
		12	file://CVE-2021-29338.patch \
12	"	13	"
13	SRCREV = "37ac30ceff6640bbab502388c5e0fa0bff23f505"	14	SRCREV = "37ac30ceff6640bbab502388c5e0fa0bff23f505"
14	S = "${WORKDIR}/git"	15	S = "${WORKDIR}/git"