diff --git a/openjpeg2-CVE-2021-29338.patch b/openjpeg2-CVE-2021-29338.patch new file mode 100644 index 0000000..49bf268 --- /dev/null +++ b/openjpeg2-CVE-2021-29338.patch @@ -0,0 +1,165 @@ +From efbfbbb723e100cfbcea287a30958bf678e83458 Mon Sep 17 00:00:00 2001 +From: Ariadne Conill +Date: Tue, 27 Apr 2021 09:37:40 -0600 +Subject: [PATCH] opj_{compress,decompress,dump}: fix possible buffer overflows + in path manipulation functions + +--- + src/bin/jp2/opj_compress.c | 12 ++++++------ + src/bin/jp2/opj_decompress.c | 13 ++++++------- + src/bin/jp2/opj_dump.c | 14 +++++++------- + 3 files changed, 19 insertions(+), 20 deletions(-) + +diff --git a/src/bin/jp2/opj_compress.c b/src/bin/jp2/opj_compress.c +index 6827484..d8f894c 100644 +--- a/src/bin/jp2/opj_compress.c ++++ b/src/bin/jp2/opj_compress.c +@@ -543,8 +543,8 @@ static char * get_file_name(char *name) + static char get_next_file(int imageno, dircnt_t *dirptr, img_fol_t *img_fol, + opj_cparameters_t *parameters) + { +- char image_filename[OPJ_PATH_LEN], infilename[OPJ_PATH_LEN], +- outfilename[OPJ_PATH_LEN], temp_ofname[OPJ_PATH_LEN]; ++ char image_filename[OPJ_PATH_LEN], infilename[OPJ_PATH_LEN * 2], ++ outfilename[OPJ_PATH_LEN * 2], temp_ofname[OPJ_PATH_LEN]; + char *temp_p, temp1[OPJ_PATH_LEN] = ""; + + strcpy(image_filename, dirptr->filename[imageno]); +@@ -553,7 +553,7 @@ static char get_next_file(int imageno, dircnt_t *dirptr, img_fol_t *img_fol, + if (parameters->decod_format == -1) { + return 1; + } +- sprintf(infilename, "%s/%s", img_fol->imgdirpath, image_filename); ++ snprintf(infilename, OPJ_PATH_LEN * 2, "%s/%s", img_fol->imgdirpath, image_filename); + if (opj_strcpy_s(parameters->infile, sizeof(parameters->infile), + infilename) != 0) { + return 1; +@@ -566,7 +566,7 @@ static char get_next_file(int imageno, dircnt_t *dirptr, img_fol_t *img_fol, + sprintf(temp1, ".%s", temp_p); + } + if (img_fol->set_out_format == 1) { +- sprintf(outfilename, "%s/%s.%s", img_fol->imgdirpath, temp_ofname, ++ snprintf(outfilename, OPJ_PATH_LEN * 2, "%s/%s.%s", img_fol->imgdirpath, temp_ofname, + img_fol->out_format); + if (opj_strcpy_s(parameters->outfile, sizeof(parameters->outfile), + outfilename) != 0) { +@@ -1910,9 +1910,9 @@ int main(int argc, char **argv) + num_images = get_num_images(img_fol.imgdirpath); + dirptr = (dircnt_t*)malloc(sizeof(dircnt_t)); + if (dirptr) { +- dirptr->filename_buf = (char*)malloc(num_images * OPJ_PATH_LEN * sizeof( ++ dirptr->filename_buf = (char*)calloc(num_images, OPJ_PATH_LEN * sizeof( + char)); /* Stores at max 10 image file names*/ +- dirptr->filename = (char**) malloc(num_images * sizeof(char*)); ++ dirptr->filename = (char**) calloc(num_images, sizeof(char*)); + if (!dirptr->filename_buf) { + ret = 0; + goto fin; +diff --git a/src/bin/jp2/opj_decompress.c b/src/bin/jp2/opj_decompress.c +index 2634907..e54e54f 100644 +--- a/src/bin/jp2/opj_decompress.c ++++ b/src/bin/jp2/opj_decompress.c +@@ -455,13 +455,13 @@ const char* path_separator = "/"; + char get_next_file(int imageno, dircnt_t *dirptr, img_fol_t *img_fol, + opj_decompress_parameters *parameters) + { +- char image_filename[OPJ_PATH_LEN], infilename[OPJ_PATH_LEN], +- outfilename[OPJ_PATH_LEN], temp_ofname[OPJ_PATH_LEN]; ++ char image_filename[OPJ_PATH_LEN], infilename[OPJ_PATH_LEN * 2], ++ outfilename[OPJ_PATH_LEN * 2], temp_ofname[OPJ_PATH_LEN]; + char *temp_p, temp1[OPJ_PATH_LEN] = ""; + + strcpy(image_filename, dirptr->filename[imageno]); + fprintf(stderr, "File Number %d \"%s\"\n", imageno, image_filename); +- sprintf(infilename, "%s%s%s", img_fol->imgdirpath, path_separator, ++ snprintf(infilename, OPJ_PATH_LEN * 2, "%s%s%s", img_fol->imgdirpath, path_separator, + image_filename); + parameters->decod_format = infile_format(infilename); + if (parameters->decod_format == -1) { +@@ -479,7 +479,7 @@ char get_next_file(int imageno, dircnt_t *dirptr, img_fol_t *img_fol, + sprintf(temp1, ".%s", temp_p); + } + if (img_fol->set_out_format == 1) { +- sprintf(outfilename, "%s/%s.%s", img_fol->imgdirpath, temp_ofname, ++ snprintf(outfilename, OPJ_PATH_LEN * 2, "%s/%s.%s", img_fol->imgdirpath, temp_ofname, + img_fol->out_format); + if (opj_strcpy_s(parameters->outfile, sizeof(parameters->outfile), + outfilename) != 0) { +@@ -1357,14 +1357,13 @@ int main(int argc, char **argv) + return EXIT_FAILURE; + } + /* Stores at max 10 image file names */ +- dirptr->filename_buf = (char*)malloc(sizeof(char) * +- (size_t)num_images * OPJ_PATH_LEN); ++ dirptr->filename_buf = calloc((size_t) num_images, sizeof(char) * OPJ_PATH_LEN); + if (!dirptr->filename_buf) { + failed = 1; + goto fin; + } + +- dirptr->filename = (char**) malloc((size_t)num_images * sizeof(char*)); ++ dirptr->filename = (char**) calloc((size_t) num_images, sizeof(char*)); + + if (!dirptr->filename) { + failed = 1; +diff --git a/src/bin/jp2/opj_dump.c b/src/bin/jp2/opj_dump.c +index 6e15fee..4e19c61 100644 +--- a/src/bin/jp2/opj_dump.c ++++ b/src/bin/jp2/opj_dump.c +@@ -201,8 +201,8 @@ static int get_file_format(const char *filename) + static char get_next_file(int imageno, dircnt_t *dirptr, img_fol_t *img_fol, + opj_dparameters_t *parameters) + { +- char image_filename[OPJ_PATH_LEN], infilename[OPJ_PATH_LEN], +- outfilename[OPJ_PATH_LEN], temp_ofname[OPJ_PATH_LEN]; ++ char image_filename[OPJ_PATH_LEN], infilename[OPJ_PATH_LEN * 2], ++ outfilename[OPJ_PATH_LEN * 2], temp_ofname[OPJ_PATH_LEN]; + char *temp_p, temp1[OPJ_PATH_LEN] = ""; + + strcpy(image_filename, dirptr->filename[imageno]); +@@ -211,7 +211,7 @@ static char get_next_file(int imageno, dircnt_t *dirptr, img_fol_t *img_fol, + if (parameters->decod_format == -1) { + return 1; + } +- sprintf(infilename, "%s/%s", img_fol->imgdirpath, image_filename); ++ snprintf(infilename, OPJ_PATH_LEN * 2, "%s/%s", img_fol->imgdirpath, image_filename); + if (opj_strcpy_s(parameters->infile, sizeof(parameters->infile), + infilename) != 0) { + return 1; +@@ -224,7 +224,7 @@ static char get_next_file(int imageno, dircnt_t *dirptr, img_fol_t *img_fol, + sprintf(temp1, ".%s", temp_p); + } + if (img_fol->set_out_format == 1) { +- sprintf(outfilename, "%s/%s.%s", img_fol->imgdirpath, temp_ofname, ++ snprintf(outfilename, OPJ_PATH_LEN * 2, "%s/%s.%s", img_fol->imgdirpath, temp_ofname, + img_fol->out_format); + if (opj_strcpy_s(parameters->outfile, sizeof(parameters->outfile), + outfilename) != 0) { +@@ -457,7 +457,7 @@ int main(int argc, char *argv[]) + opj_codestream_info_v2_t* cstr_info = NULL; + opj_codestream_index_t* cstr_index = NULL; + +- OPJ_INT32 num_images, imageno; ++ int num_images, imageno; + img_fol_t img_fol; + dircnt_t *dirptr = NULL; + +@@ -486,13 +486,13 @@ int main(int argc, char *argv[]) + if (!dirptr) { + return EXIT_FAILURE; + } +- dirptr->filename_buf = (char*)malloc((size_t)num_images * OPJ_PATH_LEN * sizeof( ++ dirptr->filename_buf = (char*) calloc((size_t) num_images, OPJ_PATH_LEN * sizeof( + char)); /* Stores at max 10 image file names*/ + if (!dirptr->filename_buf) { + free(dirptr); + return EXIT_FAILURE; + } +- dirptr->filename = (char**) malloc((size_t)num_images * sizeof(char*)); ++ dirptr->filename = (char**) calloc((size_t) num_images, sizeof(char*)); + + if (!dirptr->filename) { + goto fails; +-- +2.31.1 + diff --git a/openjpeg2.spec b/openjpeg2.spec index 72ebb1d..a332aef 100644 --- a/openjpeg2.spec +++ b/openjpeg2.spec @@ -8,7 +8,7 @@ Name: openjpeg2 Version: 2.4.0 -Release: 3%{?dist} +Release: 4%{?dist} Summary: C-Library for JPEG 2000 # windirent.h is MIT, the rest is BSD @@ -22,6 +22,8 @@ Source1: data.tar.xz # Rename tool names to avoid conflicts with openjpeg-1.x Patch0: openjpeg2_opj2.patch +# Fix CVE-2021-29338 +Patch1: openjpeg2-CVE-2021-29338.patch BuildRequires: cmake @@ -324,6 +326,9 @@ chmod +x %{buildroot}%{_bindir}/opj2_jpip_viewer %changelog +* Fri Jun 25 2021 Nikola Forró - 2.4.0-4 +- Fix CVE-2021-29338 (#1951333) + * Fri Apr 16 2021 Mohan Boddu - 2.4.0-3 - Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937