Blame SOURCES/openjpeg2-CVE-2021-29338.patch

From efbfbbb723e100cfbcea287a30958bf678e83458 Mon Sep 17 00:00:00 2001
From: Ariadne Conill <ariadne@dereferenced.org>
Date: Tue, 27 Apr 2021 09:37:40 -0600
Subject: [PATCH] opj_{compress,decompress,dump}: fix possible buffer overflows
 in path manipulation functions
---
 src/bin/jp2/opj_compress.c   | 12 ++++++------
 src/bin/jp2/opj_decompress.c | 13 ++++++-------
 src/bin/jp2/opj_dump.c       | 14 +++++++-------
 3 files changed, 19 insertions(+), 20 deletions(-)
diff --git a/src/bin/jp2/opj_compress.c b/src/bin/jp2/opj_compress.c
fcc2a4
index 6827484..d8f894c 100644
fcc2a4
--- a/src/bin/jp2/opj_compress.c
fcc2a4
+++ b/src/bin/jp2/opj_compress.c
fcc2a4
@@ -543,8 +543,8 @@ static char * get_file_name(char *name)
fcc2a4
 static char get_next_file(int imageno, dircnt_t *dirptr, img_fol_t *img_fol,
fcc2a4
                           opj_cparameters_t *parameters)
fcc2a4
 {
fcc2a4
-    char image_filename[OPJ_PATH_LEN], infilename[OPJ_PATH_LEN],
fcc2a4
-         outfilename[OPJ_PATH_LEN], temp_ofname[OPJ_PATH_LEN];
fcc2a4
+    char image_filename[OPJ_PATH_LEN], infilename[OPJ_PATH_LEN * 2],
fcc2a4
+         outfilename[OPJ_PATH_LEN * 2], temp_ofname[OPJ_PATH_LEN];
fcc2a4
     char *temp_p, temp1[OPJ_PATH_LEN] = "";
fcc2a4
 
fcc2a4
     strcpy(image_filename, dirptr->filename[imageno]);
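Review bot: The context line `strcpy(image_filename, dirptr->filename[imageno]);` still copies into an `OPJ_PATH_LEN` buffer with no bound; the commit widens only `infilename` and `outfilename` and leaves this copy as it was. Whether every entry of `dirptr->filename` is shorter than `OPJ_PATH_LEN` depends on the code that populates the array, which is outside this hunk. A bounded copy that fails closed would match how the function already treats `parameters->infile`, e.g. `if (opj_strcpy_s(image_filename, sizeof(image_filename), dirptr->filename[imageno]) != 0) { return 1; }`. The same line appears in get_next_file in opj_decompress.c and opj_dump.c, and the function body continues past this hunk.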
fcc2a4
@@ -553,7 +553,7 @@ static char get_next_file(int imageno, dircnt_t *dirptr, img_fol_t *img_fol,
fcc2a4
     if (parameters->decod_format == -1) {
fcc2a4
         return 1;
fcc2a4
     }
fcc2a4
-    sprintf(infilename, "%s/%s", img_fol->imgdirpath, image_filename);
fcc2a4
+    snprintf(infilename, OPJ_PATH_LEN * 2, "%s/%s", img_fol->imgdirpath, image_filename);
fcc2a4
     if (opj_strcpy_s(parameters->infile, sizeof(parameters->infile),
fcc2a4
                      infilename) != 0) {
fcc2a4
         return 1;
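Review bot: The new `snprintf` call discards its return value and repeats the literal `OPJ_PATH_LEN * 2` instead of using `sizeof(infilename)`, so truncation is silent and the bound can drift if the declaration changes. The `opj_strcpy_s` check that follows appears to reject an over-long result, but that relies on `sizeof(parameters->infile)` being smaller than the local buffer, which this hunk does not show. Making the check explicit is cheap: `n = snprintf(infilename, sizeof(infilename), "%s/%s", img_fol->imgdirpath, image_filename);` followed by `if (n < 0 || (size_t)n >= sizeof(infilename)) { return 1; }`. The same applies to the `outfilename` call later in this function and to both calls in opj_decompress.c and opj_dump.c.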
fcc2a4
@@ -566,7 +566,7 @@ static char get_next_file(int imageno, dircnt_t *dirptr, img_fol_t *img_fol,
fcc2a4
         sprintf(temp1, ".%s", temp_p);
fcc2a4
     }
fcc2a4
     if (img_fol->set_out_format == 1) {
fcc2a4
-        sprintf(outfilename, "%s/%s.%s", img_fol->imgdirpath, temp_ofname,
fcc2a4
+        snprintf(outfilename, OPJ_PATH_LEN * 2, "%s/%s.%s", img_fol->imgdirpath, temp_ofname,
fcc2a4
                 img_fol->out_format);
fcc2a4
         if (opj_strcpy_s(parameters->outfile, sizeof(parameters->outfile),
fcc2a4
                          outfilename) != 0) {
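Review bot: `sprintf(temp1, ".%s", temp_p);` on the first context line of this hunk is still unbounded, although the commit converts the `sprintf` two lines below it. `temp1` is declared as `temp1[OPJ_PATH_LEN]` at the top of the function, and where `temp_p` points is not visible here, so the write should carry its own limit: `snprintf(temp1, sizeof(temp1), ".%s", temp_p);`. The identical line is left unchanged in get_next_file in opj_decompress.c and opj_dump.c. The enclosing `if` and the function itself start and end outside this hunk.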
fcc2a4
@@ -1910,9 +1910,9 @@ int main(int argc, char **argv)
fcc2a4
         num_images = get_num_images(img_fol.imgdirpath);
fcc2a4
         dirptr = (dircnt_t*)malloc(sizeof(dircnt_t));
fcc2a4
         if (dirptr) {
fcc2a4
-            dirptr->filename_buf = (char*)malloc(num_images * OPJ_PATH_LEN * sizeof(
fcc2a4
+            dirptr->filename_buf = (char*)calloc(num_images, OPJ_PATH_LEN * sizeof(
fcc2a4
                     char)); /* Stores at max 10 image file names*/
fcc2a4
-            dirptr->filename = (char**) malloc(num_images * sizeof(char*));
fcc2a4
+            dirptr->filename = (char**) calloc(num_images, sizeof(char*));
fcc2a4
             if (!dirptr->filename_buf) {
fcc2a4
                 ret = 0;
fcc2a4
                 goto fin;
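Review bot: Both arrays are sized from `num_images`, a count taken by `get_num_images()` before they are filled, and nothing in this hunk shows the filling code being limited to `num_images` entries or to `OPJ_PATH_LEN` bytes per name. `calloc` removes the multiplication overflow, but if the directory is read again afterwards and holds more entries than were counted, the writes would still run past these buffers, so the loader (outside this hunk) should take the count as an explicit limit. Unlike opj_decompress.c and opj_dump.c, this file passes `num_images` without the `(size_t)` cast, leaving an implicit signed-to-unsigned conversion if it is an `int`. The comment `/* Stores at max 10 image file names*/` no longer describes the allocation and could read `/* num_images slots of OPJ_PATH_LEN bytes each */`.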
fcc2a4
diff --git a/src/bin/jp2/opj_decompress.c b/src/bin/jp2/opj_decompress.c
fcc2a4
index 2634907..e54e54f 100644
fcc2a4
--- a/src/bin/jp2/opj_decompress.c
fcc2a4
+++ b/src/bin/jp2/opj_decompress.c
fcc2a4
@@ -455,13 +455,13 @@ const char* path_separator = "/";
fcc2a4
 char get_next_file(int imageno, dircnt_t *dirptr, img_fol_t *img_fol,
fcc2a4
                    opj_decompress_parameters *parameters)
fcc2a4
 {
fcc2a4
-    char image_filename[OPJ_PATH_LEN], infilename[OPJ_PATH_LEN],
fcc2a4
-         outfilename[OPJ_PATH_LEN], temp_ofname[OPJ_PATH_LEN];
fcc2a4
+    char image_filename[OPJ_PATH_LEN], infilename[OPJ_PATH_LEN * 2],
fcc2a4
+         outfilename[OPJ_PATH_LEN * 2], temp_ofname[OPJ_PATH_LEN];
fcc2a4
     char *temp_p, temp1[OPJ_PATH_LEN] = "";
fcc2a4
 
fcc2a4
     strcpy(image_filename, dirptr->filename[imageno]);
fcc2a4
     fprintf(stderr, "File Number %d \"%s\"\n", imageno, image_filename);
fcc2a4
-    sprintf(infilename, "%s%s%s", img_fol->imgdirpath, path_separator,
fcc2a4
+    snprintf(infilename, OPJ_PATH_LEN * 2, "%s%s%s", img_fol->imgdirpath, path_separator,
fcc2a4
             image_filename);
fcc2a4
     parameters->decod_format = infile_format(infilename);
fcc2a4
     if (parameters->decod_format == -1) {
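Review bot: In this file the result of the new `snprintf` is handed to `infile_format(infilename)` before any length check, so a truncated path would be used to determine the input format. `infile_format` is not shown here and presumably inspects the named file; if so, a truncated name could refer to a different file than the one listed in `dirptr->filename`. Checking the return value before the call closes that gap: `n = snprintf(infilename, sizeof(infilename), "%s%s%s", img_fol->imgdirpath, path_separator, image_filename);` followed by `if (n < 0 || (size_t)n >= sizeof(infilename)) { return 1; }`. The function body continues past this hunk.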
fcc2a4
@@ -479,7 +479,7 @@ char get_next_file(int imageno, dircnt_t *dirptr, img_fol_t *img_fol,
fcc2a4
         sprintf(temp1, ".%s", temp_p);
fcc2a4
     }
fcc2a4
     if (img_fol->set_out_format == 1) {
fcc2a4
-        sprintf(outfilename, "%s/%s.%s", img_fol->imgdirpath, temp_ofname,
fcc2a4
+        snprintf(outfilename, OPJ_PATH_LEN * 2, "%s/%s.%s", img_fol->imgdirpath, temp_ofname,
fcc2a4
                 img_fol->out_format);
fcc2a4
         if (opj_strcpy_s(parameters->outfile, sizeof(parameters->outfile),
fcc2a4
                          outfilename) != 0) {
fcc2a4
@@ -1357,14 +1357,13 @@ int main(int argc, char **argv)
fcc2a4
             return EXIT_FAILURE;
fcc2a4
         }
fcc2a4
         /* Stores at max 10 image file names */
fcc2a4
-        dirptr->filename_buf = (char*)malloc(sizeof(char) *
fcc2a4
-                                             (size_t)num_images * OPJ_PATH_LEN);
fcc2a4
+        dirptr->filename_buf = calloc((size_t) num_images, sizeof(char) * OPJ_PATH_LEN);
fcc2a4
         if (!dirptr->filename_buf) {
fcc2a4
             failed = 1;
fcc2a4
             goto fin;
fcc2a4
         }
fcc2a4
 
fcc2a4
-        dirptr->filename = (char**) malloc((size_t)num_images * sizeof(char*));
fcc2a4
+        dirptr->filename = (char**) calloc((size_t) num_images, sizeof(char*));
fcc2a4
 
fcc2a4
         if (!dirptr->filename) {
fcc2a4
             failed = 1;
fcc2a4
diff --git a/src/bin/jp2/opj_dump.c b/src/bin/jp2/opj_dump.c
fcc2a4
index 6e15fee..4e19c61 100644
fcc2a4
--- a/src/bin/jp2/opj_dump.c
fcc2a4
+++ b/src/bin/jp2/opj_dump.c
fcc2a4
@@ -201,8 +201,8 @@ static int get_file_format(const char *filename)
fcc2a4
 static char get_next_file(int imageno, dircnt_t *dirptr, img_fol_t *img_fol,
fcc2a4
                           opj_dparameters_t *parameters)
fcc2a4
 {
fcc2a4
-    char image_filename[OPJ_PATH_LEN], infilename[OPJ_PATH_LEN],
fcc2a4
-         outfilename[OPJ_PATH_LEN], temp_ofname[OPJ_PATH_LEN];
fcc2a4
+    char image_filename[OPJ_PATH_LEN], infilename[OPJ_PATH_LEN * 2],
fcc2a4
+         outfilename[OPJ_PATH_LEN * 2], temp_ofname[OPJ_PATH_LEN];
fcc2a4
     char *temp_p, temp1[OPJ_PATH_LEN] = "";
fcc2a4
 
fcc2a4
     strcpy(image_filename, dirptr->filename[imageno]);
fcc2a4
@@ -211,7 +211,7 @@ static char get_next_file(int imageno, dircnt_t *dirptr, img_fol_t *img_fol,
fcc2a4
     if (parameters->decod_format == -1) {
fcc2a4
         return 1;
fcc2a4
     }
fcc2a4
-    sprintf(infilename, "%s/%s", img_fol->imgdirpath, image_filename);
fcc2a4
+    snprintf(infilename, OPJ_PATH_LEN * 2, "%s/%s", img_fol->imgdirpath, image_filename);
fcc2a4
     if (opj_strcpy_s(parameters->infile, sizeof(parameters->infile),
fcc2a4
                      infilename) != 0) {
fcc2a4
         return 1;
fcc2a4
@@ -224,7 +224,7 @@ static char get_next_file(int imageno, dircnt_t *dirptr, img_fol_t *img_fol,
fcc2a4
         sprintf(temp1, ".%s", temp_p);
fcc2a4
     }
fcc2a4
     if (img_fol->set_out_format == 1) {
fcc2a4
-        sprintf(outfilename, "%s/%s.%s", img_fol->imgdirpath, temp_ofname,
fcc2a4
+        snprintf(outfilename, OPJ_PATH_LEN * 2, "%s/%s.%s", img_fol->imgdirpath, temp_ofname,
fcc2a4
                 img_fol->out_format);
fcc2a4
         if (opj_strcpy_s(parameters->outfile, sizeof(parameters->outfile),
fcc2a4
                          outfilename) != 0) {
fcc2a4
@@ -457,7 +457,7 @@ int main(int argc, char *argv[])
fcc2a4
     opj_codestream_info_v2_t* cstr_info = NULL;
fcc2a4
     opj_codestream_index_t* cstr_index = NULL;
fcc2a4
 
fcc2a4
-    OPJ_INT32 num_images, imageno;
fcc2a4
+    int num_images, imageno;
fcc2a4
     img_fol_t img_fol;
fcc2a4
     dircnt_t *dirptr = NULL;
fcc2a4
 
fcc2a4
@@ -486,13 +486,13 @@ int main(int argc, char *argv[])
fcc2a4
         if (!dirptr) {
fcc2a4
             return EXIT_FAILURE;
fcc2a4
         }
fcc2a4
-        dirptr->filename_buf = (char*)malloc((size_t)num_images * OPJ_PATH_LEN * sizeof(
fcc2a4
+        dirptr->filename_buf = (char*) calloc((size_t) num_images, OPJ_PATH_LEN * sizeof(
fcc2a4
                 char)); /* Stores at max 10 image file names*/
fcc2a4
         if (!dirptr->filename_buf) {
fcc2a4
             free(dirptr);
fcc2a4
             return EXIT_FAILURE;
fcc2a4
         }
fcc2a4
-        dirptr->filename = (char**) malloc((size_t)num_images * sizeof(char*));
fcc2a4
+        dirptr->filename = (char**) calloc((size_t) num_images, sizeof(char*));
fcc2a4
 
fcc2a4
         if (!dirptr->filename) {
fcc2a4
             goto fails;
fcc2a4
-- 
2.31.1