From 242036c5d5e58f34287d555c3fea4cfd377f8be6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Nikola=20Forr=C3=B3?=
Date: Fri, 25 Jun 2021 18:36:33 +0200
Subject: [PATCH] Fix CVE-2021-29338 - resolves: #1951333
---
 openjpeg2-CVE-2021-29338.patch | 165 +++++++++++++++++++++++++++++++++
 openjpeg2.spec | 7 +-
 2 files changed, 171 insertions(+), 1 deletion(-)
 create mode 100644 openjpeg2-CVE-2021-29338.patch

diff --git a/openjpeg2-CVE-2021-29338.patch b/openjpeg2-CVE-2021-29338.patch
new file mode 100644
index 0000000..49bf268
--- /dev/null
+++ b/openjpeg2-CVE-2021-29338.patch
@@ -0,0 +1,165 @@
+From efbfbbb723e100cfbcea287a30958bf678e83458 Mon Sep 17 00:00:00 2001
+From: Ariadne Conill
+Date: Tue, 27 Apr 2021 09:37:40 -0600
+Subject: [PATCH] opj_{compress,decompress,dump}: fix possible buffer overflows
+ in path manipulation functions
+
+---
+ src/bin/jp2/opj_compress.c | 12 ++++++------
+ src/bin/jp2/opj_decompress.c | 13 ++++++-------
+ src/bin/jp2/opj_dump.c | 14 +++++++-------
+ 3 files changed, 19 insertions(+), 20 deletions(-)
+
+diff --git a/src/bin/jp2/opj_compress.c b/src/bin/jp2/opj_compress.c
+index 6827484..d8f894c 100644
+--- a/src/bin/jp2/opj_compress.c
++++ b/src/bin/jp2/opj_compress.c
+@@ -543,8 +543,8 @@ static char * get_file_name(char *name)
+ static char get_next_file(int imageno, dircnt_t *dirptr, img_fol_t *img_fol,
+ opj_cparameters_t *parameters)
+ {
+- char image_filename[OPJ_PATH_LEN], infilename[OPJ_PATH_LEN],
+- outfilename[OPJ_PATH_LEN], temp_ofname[OPJ_PATH_LEN];
++ char image_filename[OPJ_PATH_LEN], infilename[OPJ_PATH_LEN * 2],
++ outfilename[OPJ_PATH_LEN * 2], temp_ofname[OPJ_PATH_LEN];
+ char *temp_p, temp1[OPJ_PATH_LEN] = "";
+
+ strcpy(image_filename, dirptr->filename[imageno]);
+@@ -553,7 +553,7 @@ static char get_next_file(int imageno, dircnt_t *dirptr, img_fol_t *img_fol,
+ if (parameters->decod_format == -1) {
+ return 1;
+ }
+- sprintf(infilename, "%s/%s", img_fol->imgdirpath, image_filename);
++ snprintf(infilename, OPJ_PATH_LEN * 2, "%s/%s", img_fol->imgdirpath, image_filename);
+ if (opj_strcpy_s(parameters->infile, sizeof(parameters->infile),
+ infilename) != 0) {
+ return 1;
+@@ -566,7 +566,7 @@ static char get_next_file(int imageno, dircnt_t *dirptr, img_fol_t *img_fol,
+ sprintf(temp1, ".%s", temp_p);
+ }
+ if (img_fol->set_out_format == 1) {
+- sprintf(outfilename, "%s/%s.%s", img_fol->imgdirpath, temp_ofname,
++ snprintf(outfilename, OPJ_PATH_LEN * 2, "%s/%s.%s", img_fol->imgdirpath, temp_ofname,
+ img_fol->out_format);
+ if (opj_strcpy_s(parameters->outfile, sizeof(parameters->outfile),
+ outfilename) != 0) {
+@@ -1910,9 +1910,9 @@ int main(int argc, char **argv)
+ num_images = get_num_images(img_fol.imgdirpath);
+ dirptr = (dircnt_t*)malloc(sizeof(dircnt_t));
+ if (dirptr) {
+- dirptr->filename_buf = (char*)malloc(num_images * OPJ_PATH_LEN * sizeof(
++ dirptr->filename_buf = (char*)calloc(num_images, OPJ_PATH_LEN * sizeof(
+ char)); /* Stores at max 10 image file names*/
+- dirptr->filename = (char**) malloc(num_images * sizeof(char*));
++ dirptr->filename = (char**) calloc(num_images, sizeof(char*));
+ if (!dirptr->filename_buf) {
+ ret = 0;
+ goto fin;
+diff --git a/src/bin/jp2/opj_decompress.c b/src/bin/jp2/opj_decompress.c
+index 2634907..e54e54f 100644
+--- a/src/bin/jp2/opj_decompress.c
++++ b/src/bin/jp2/opj_decompress.c
+@@ -455,13 +455,13 @@ const char* path_separator = "/";
+ char get_next_file(int imageno, dircnt_t *dirptr, img_fol_t *img_fol,
+ opj_decompress_parameters *parameters)
+ {
+- char image_filename[OPJ_PATH_LEN], infilename[OPJ_PATH_LEN],
+- outfilename[OPJ_PATH_LEN], temp_ofname[OPJ_PATH_LEN];
++ char image_filename[OPJ_PATH_LEN], infilename[OPJ_PATH_LEN * 2],
++ outfilename[OPJ_PATH_LEN * 2], temp_ofname[OPJ_PATH_LEN];
+ char *temp_p, temp1[OPJ_PATH_LEN] = "";
+
+ strcpy(image_filename, dirptr->filename[imageno]);
+ fprintf(stderr, "File Number %d \"%s\"\n", imageno, image_filename);
+- sprintf(infilename, "%s%s%s", img_fol->imgdirpath, path_separator,
++ snprintf(infilename, OPJ_PATH_LEN * 2, "%s%s%s", img_fol->imgdirpath, path_separator,
+ image_filename);
+ parameters->decod_format = infile_format(infilename);
+ if (parameters->decod_format == -1) {
+@@ -479,7 +479,7 @@ char get_next_file(int imageno, dircnt_t *dirptr, img_fol_t *img_fol,
+ sprintf(temp1, ".%s", temp_p);
+ }
+ if (img_fol->set_out_format == 1) {
+- sprintf(outfilename, "%s/%s.%s", img_fol->imgdirpath, temp_ofname,
++ snprintf(outfilename, OPJ_PATH_LEN * 2, "%s/%s.%s", img_fol->imgdirpath, temp_ofname,
+ img_fol->out_format);
+ if
(opj_strcpy_s(parameters->outfile, sizeof(parameters->outfile),
+ outfilename) != 0) {
+@@ -1357,14 +1357,13 @@ int main(int argc, char **argv)
+ return EXIT_FAILURE;
+ }
+ /* Stores at max 10 image file names */
+- dirptr->filename_buf = (char*)malloc(sizeof(char) *
+- (size_t)num_images * OPJ_PATH_LEN);
++ dirptr->filename_buf = calloc((size_t) num_images, sizeof(char) * OPJ_PATH_LEN);
+ if (!dirptr->filename_buf) {
+ failed = 1;
+ goto fin;
+ }
+
+- dirptr->filename = (char**) malloc((size_t)num_images * sizeof(char*));
++ dirptr->filename = (char**) calloc((size_t) num_images, sizeof(char*));
+
+ if (!dirptr->filename) {
+ failed = 1;
+diff --git a/src/bin/jp2/opj_dump.c b/src/bin/jp2/opj_dump.c
+index 6e15fee..4e19c61 100644
+--- a/src/bin/jp2/opj_dump.c
++++ b/src/bin/jp2/opj_dump.c
+@@ -201,8 +201,8 @@ static int get_file_format(const char *filename)
+ static char get_next_file(int imageno, dircnt_t *dirptr, img_fol_t *img_fol,
+ opj_dparameters_t *parameters)
+ {
+- char image_filename[OPJ_PATH_LEN], infilename[OPJ_PATH_LEN],
+- outfilename[OPJ_PATH_LEN], temp_ofname[OPJ_PATH_LEN];
++ char image_filename[OPJ_PATH_LEN], infilename[OPJ_PATH_LEN * 2],
++ outfilename[OPJ_PATH_LEN * 2], temp_ofname[OPJ_PATH_LEN];
+ char *temp_p, temp1[OPJ_PATH_LEN] = "";
+
+ strcpy(image_filename, dirptr->filename[imageno]);
+@@ -211,7 +211,7 @@ static char get_next_file(int imageno, dircnt_t *dirptr, img_fol_t *img_fol,
+ if (parameters->decod_format == -1) {
+ return 1;
+ }
+- sprintf(infilename, "%s/%s", img_fol->imgdirpath, image_filename);
++ snprintf(infilename, OPJ_PATH_LEN * 2, "%s/%s", img_fol->imgdirpath, image_filename);
+ if (opj_strcpy_s(parameters->infile, sizeof(parameters->infile),
+ infilename) != 0) {
+ return 1;
+@@ -224,7 +224,7 @@ static char get_next_file(int imageno, dircnt_t *dirptr, img_fol_t *img_fol,
+ sprintf(temp1, ".%s", temp_p);
+ }
+ if (img_fol->set_out_format == 1) {
+- sprintf(outfilename, "%s/%s.%s", img_fol->imgdirpath, temp_ofname,
++
snprintf(outfilename, OPJ_PATH_LEN * 2, "%s/%s.%s", img_fol->imgdirpath, temp_ofname,
+ img_fol->out_format);
+ if (opj_strcpy_s(parameters->outfile, sizeof(parameters->outfile),
+ outfilename) != 0) {
+@@ -457,7 +457,7 @@ int main(int argc, char *argv[])
+ opj_codestream_info_v2_t* cstr_info = NULL;
+ opj_codestream_index_t* cstr_index = NULL;
+
+- OPJ_INT32 num_images, imageno;
++ int num_images, imageno;
+ img_fol_t img_fol;
+ dircnt_t *dirptr = NULL;
+
+@@ -486,13 +486,13 @@ int main(int argc, char *argv[])
+ if (!dirptr) {
+ return EXIT_FAILURE;
+ }
+- dirptr->filename_buf = (char*)malloc((size_t)num_images * OPJ_PATH_LEN * sizeof(
++ dirptr->filename_buf = (char*) calloc((size_t) num_images, OPJ_PATH_LEN * sizeof(
+ char)); /* Stores at max 10 image file names*/
+ if (!dirptr->filename_buf) {
+ free(dirptr);
+ return EXIT_FAILURE;
+ }
+- dirptr->filename = (char**) malloc((size_t)num_images * sizeof(char*));
++ dirptr->filename = (char**) calloc((size_t) num_images, sizeof(char*));
+
+ if (!dirptr->filename) {
+ goto fails;
+--
+2.31.1
+
diff --git a/openjpeg2.spec b/openjpeg2.spec
index 72ebb1d..a332aef 100644
--- a/openjpeg2.spec
+++ b/openjpeg2.spec
@@ -8,7 +8,7 @@ Name: openjpeg2 Version: 2.4.0 -Release: 3%{?dist} +Release: 4%{?dist} Summary: C-Library for JPEG 2000 # windirent.h is MIT, the rest is BSD
@@ -22,6 +22,8 @@ Source1: data.tar.xz # Rename tool names to avoid conflicts with openjpeg-1.x Patch0: openjpeg2_opj2.patch +# Fix CVE-2021-29338 +Patch1: openjpeg2-CVE-2021-29338.patch BuildRequires: cmake
@@ -324,6 +326,9 @@ chmod +x %{buildroot}%{_bindir}/opj2_jpip_viewer %changelog +* Fri Jun 25 2021 Nikola Forró - 2.4.0-4 +- Fix CVE-2021-29338 (#1951333) + * Fri Apr 16 2021 Mohan Boddu - 2.4.0-3 - Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
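Review bot: All six new `snprintf` calls in the three `get_next_file` bodies (opj_compress.c, opj_decompress.c, opj_dump.c) discard the return value, so a `imgdirpath`/filename combination longer than `OPJ_PATH_LEN * 2 - 1` bytes is silently truncated and the truncated path is then passed on to `opj_strcpy_s` and, in opj_decompress.c, to `infile_format()` before any length check runs. The overflow is closed, but a truncated path can name a different file than the directory entry being iterated, and the bound is a repeated literal rather than the array it protects; I would use `sizeof` and bail out on truncation, e.g. `int n = snprintf(infilename, sizeof(infilename), "%s/%s", img_fol->imgdirpath, image_filename);` followed by `if (n < 0 || (size_t)n >= sizeof(infilename)) { return 1; }`, and the same for `outfilename`. The surrounding `strcpy(image_filename, dirptr->filename[imageno])` and `sprintf(temp1, ".%s", temp_p)` are left unbounded; they appear to be safe only because each `filename` slot is `OPJ_PATH_LEN` bytes out of `filename_buf` and is now zeroed by `calloc`, which deserves a comment at the allocation site. Each `get_next_file` and both `main` bodies continue outside the hunk.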
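Review bot: `Patch1` is declared in the preamble, but the `%prep` section is outside this diff, so it is not visible here whether the new patch is actually applied to the source tree. With `%autosetup -p1` it is picked up automatically, whereas a `%setup`-based `%prep` would need an explicit `%patch1 -p1` and the CVE fix would otherwise silently not ship in the rebuilt 2.4.0-4 binaries. Worth confirming in `%prep` before merging.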