walkero
/
openjpeg
1
0
Fork 0
Code Issues Pull Requests Projects Releases 1 Wiki Activity

opj_compress/opj_uncompress: fix integer overflow in num_images (#1395) 

Includes the fix for CVE-2021-29338
Credit to @kaniini based on #1346
Fixes #1338
This commit is contained in:
Brad Parham 2022-01-12 13:46:10 +01:00 committed by GitHub
parent fe2fa70716
commit 79c7d7af59
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 8 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
src/bin/jp2/opj_compress.c
View File

@ -1959,9 +1959,9 @@ int main(int argc, char **argv)
num_images = get_num_images(img_fol.imgdirpath); num_images = get_num_images(img_fol.imgdirpath);
dirptr = (dircnt_t*)malloc(sizeof(dircnt_t)); dirptr = (dircnt_t*)malloc(sizeof(dircnt_t));
if (dirptr) { if (dirptr) {
dirptr->filename_buf = (char*)malloc(num_images * OPJ_PATH_LEN * sizeof( dirptr->filename_buf = (char*)calloc(num_images, OPJ_PATH_LEN * sizeof(
char)); /* Stores at max 10 image file names*/ char)); /* Stores at max 10 image file names*/
dirptr->filename = (char**) malloc(num_images * sizeof(char*)); dirptr->filename = (char**) calloc(num_images, sizeof(char*));
if (!dirptr->filename_buf) { if (!dirptr->filename_buf) {
ret = 0; ret = 0;
goto fin; goto fin;

5
src/bin/jp2/opj_decompress.c
View File

@ -1374,14 +1374,13 @@ int main(int argc, char **argv)
return EXIT_FAILURE; return EXIT_FAILURE;
} }
/* Stores at max 10 image file names */ /* Stores at max 10 image file names */
dirptr->filename_buf = (char*)malloc(sizeof(char) * dirptr->filename_buf = calloc((size_t) num_images, sizeof(char) * OPJ_PATH_LEN);
(size_t)num_images * OPJ_PATH_LEN);
if (!dirptr->filename_buf) { if (!dirptr->filename_buf) {
failed = 1; failed = 1;
goto fin; goto fin;
} }
dirptr->filename = (char**) malloc((size_t)num_images * sizeof(char*)); dirptr->filename = (char**) calloc((size_t) num_images, sizeof(char*));
if (!dirptr->filename) { if (!dirptr->filename) {
failed = 1; failed = 1;

7
src/bin/jp2/opj_dump.c
View File

@ -515,13 +515,14 @@ int main(int argc, char *argv[])
if (!dirptr) { if (!dirptr) {
return EXIT_FAILURE; return EXIT_FAILURE;
} }
dirptr->filename_buf = (char*)malloc((size_t)num_images * OPJ_PATH_LEN * sizeof( /* Stores at max 10 image file names*/
char)); /* Stores at max 10 image file names*/ dirptr->filename_buf = (char*) calloc((size_t) num_images,
OPJ_PATH_LEN * sizeof(char));
if (!dirptr->filename_buf) { if (!dirptr->filename_buf) {
free(dirptr); free(dirptr);
return EXIT_FAILURE; return EXIT_FAILURE;
} }
dirptr->filename = (char**) malloc((size_t)num_images * sizeof(char*)); dirptr->filename = (char**) calloc((size_t) num_images, sizeof(char*));
if (!dirptr->filename) { if (!dirptr->filename) {
goto fails; goto fails;