opj_compress/opj_uncompress: fix integer overflow in num_images (#1395)

Includes the fix for CVE-2021-29338
Credit to @kaniini based on #1346
Fixes #1338
This commit is contained in:
Brad Parham 2022-01-12 13:46:10 +01:00 committed by GitHub
parent fe2fa70716
commit 79c7d7af59
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 8 additions and 8 deletions

View File

@ -1959,9 +1959,9 @@ int main(int argc, char **argv)
num_images = get_num_images(img_fol.imgdirpath);
dirptr = (dircnt_t*)malloc(sizeof(dircnt_t));
if (dirptr) {
dirptr->filename_buf = (char*)malloc(num_images * OPJ_PATH_LEN * sizeof(
dirptr->filename_buf = (char*)calloc(num_images, OPJ_PATH_LEN * sizeof(
char)); /* Stores at max 10 image file names*/
dirptr->filename = (char**) malloc(num_images * sizeof(char*));
dirptr->filename = (char**) calloc(num_images, sizeof(char*));
if (!dirptr->filename_buf) {
ret = 0;
goto fin;

View File

@ -1374,14 +1374,13 @@ int main(int argc, char **argv)
return EXIT_FAILURE;
}
/* Stores at max 10 image file names */
dirptr->filename_buf = (char*)malloc(sizeof(char) *
(size_t)num_images * OPJ_PATH_LEN);
dirptr->filename_buf = calloc((size_t) num_images, sizeof(char) * OPJ_PATH_LEN);
if (!dirptr->filename_buf) {
failed = 1;
goto fin;
}
dirptr->filename = (char**) malloc((size_t)num_images * sizeof(char*));
dirptr->filename = (char**) calloc((size_t) num_images, sizeof(char*));
if (!dirptr->filename) {
failed = 1;

View File

@ -515,13 +515,14 @@ int main(int argc, char *argv[])
if (!dirptr) {
return EXIT_FAILURE;
}
dirptr->filename_buf = (char*)malloc((size_t)num_images * OPJ_PATH_LEN * sizeof(
char)); /* Stores at max 10 image file names*/
/* Stores at max 10 image file names*/
dirptr->filename_buf = (char*) calloc((size_t) num_images,
OPJ_PATH_LEN * sizeof(char));
if (!dirptr->filename_buf) {
free(dirptr);
return EXIT_FAILURE;
}
dirptr->filename = (char**) malloc((size_t)num_images * sizeof(char*));
dirptr->filename = (char**) calloc((size_t) num_images, sizeof(char*));
if (!dirptr->filename) {
goto fails;