parent
df0ae8d43e
commit
242036c5d5
165
openjpeg2-CVE-2021-29338.patch
Normal file
165
openjpeg2-CVE-2021-29338.patch
Normal file
@ -0,0 +1,165 @@
|
|||||||
|
From efbfbbb723e100cfbcea287a30958bf678e83458 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Ariadne Conill <ariadne@dereferenced.org>
|
||||||
|
Date: Tue, 27 Apr 2021 09:37:40 -0600
|
||||||
|
Subject: [PATCH] opj_{compress,decompress,dump}: fix possible buffer overflows
|
||||||
|
in path manipulation functions
|
||||||
|
|
||||||
|
---
|
||||||
|
src/bin/jp2/opj_compress.c | 12 ++++++------
|
||||||
|
src/bin/jp2/opj_decompress.c | 13 ++++++-------
|
||||||
|
src/bin/jp2/opj_dump.c | 14 +++++++-------
|
||||||
|
3 files changed, 19 insertions(+), 20 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/src/bin/jp2/opj_compress.c b/src/bin/jp2/opj_compress.c
|
||||||
|
index 6827484..d8f894c 100644
|
||||||
|
--- a/src/bin/jp2/opj_compress.c
|
||||||
|
+++ b/src/bin/jp2/opj_compress.c
|
||||||
|
@@ -543,8 +543,8 @@ static char * get_file_name(char *name)
|
||||||
|
static char get_next_file(int imageno, dircnt_t *dirptr, img_fol_t *img_fol,
|
||||||
|
opj_cparameters_t *parameters)
|
||||||
|
{
|
||||||
|
- char image_filename[OPJ_PATH_LEN], infilename[OPJ_PATH_LEN],
|
||||||
|
- outfilename[OPJ_PATH_LEN], temp_ofname[OPJ_PATH_LEN];
|
||||||
|
+ char image_filename[OPJ_PATH_LEN], infilename[OPJ_PATH_LEN * 2],
|
||||||
|
+ outfilename[OPJ_PATH_LEN * 2], temp_ofname[OPJ_PATH_LEN];
|
||||||
|
char *temp_p, temp1[OPJ_PATH_LEN] = "";
|
||||||
|
|
||||||
|
strcpy(image_filename, dirptr->filename[imageno]);
|
||||||
|
@@ -553,7 +553,7 @@ static char get_next_file(int imageno, dircnt_t *dirptr, img_fol_t *img_fol,
|
||||||
|
if (parameters->decod_format == -1) {
|
||||||
|
return 1;
|
||||||
|
}
|
||||||
|
- sprintf(infilename, "%s/%s", img_fol->imgdirpath, image_filename);
|
||||||
|
+ snprintf(infilename, OPJ_PATH_LEN * 2, "%s/%s", img_fol->imgdirpath, image_filename);
|
||||||
|
if (opj_strcpy_s(parameters->infile, sizeof(parameters->infile),
|
||||||
|
infilename) != 0) {
|
||||||
|
return 1;
|
||||||
|
@@ -566,7 +566,7 @@ static char get_next_file(int imageno, dircnt_t *dirptr, img_fol_t *img_fol,
|
||||||
|
sprintf(temp1, ".%s", temp_p);
|
||||||
|
}
|
||||||
|
if (img_fol->set_out_format == 1) {
|
||||||
|
- sprintf(outfilename, "%s/%s.%s", img_fol->imgdirpath, temp_ofname,
|
||||||
|
+ snprintf(outfilename, OPJ_PATH_LEN * 2, "%s/%s.%s", img_fol->imgdirpath, temp_ofname,
|
||||||
|
img_fol->out_format);
|
||||||
|
if (opj_strcpy_s(parameters->outfile, sizeof(parameters->outfile),
|
||||||
|
outfilename) != 0) {
|
||||||
|
@@ -1910,9 +1910,9 @@ int main(int argc, char **argv)
|
||||||
|
num_images = get_num_images(img_fol.imgdirpath);
|
||||||
|
dirptr = (dircnt_t*)malloc(sizeof(dircnt_t));
|
||||||
|
if (dirptr) {
|
||||||
|
- dirptr->filename_buf = (char*)malloc(num_images * OPJ_PATH_LEN * sizeof(
|
||||||
|
+ dirptr->filename_buf = (char*)calloc(num_images, OPJ_PATH_LEN * sizeof(
|
||||||
|
char)); /* Stores at max 10 image file names*/
|
||||||
|
- dirptr->filename = (char**) malloc(num_images * sizeof(char*));
|
||||||
|
+ dirptr->filename = (char**) calloc(num_images, sizeof(char*));
|
||||||
|
if (!dirptr->filename_buf) {
|
||||||
|
ret = 0;
|
||||||
|
goto fin;
|
||||||
|
diff --git a/src/bin/jp2/opj_decompress.c b/src/bin/jp2/opj_decompress.c
|
||||||
|
index 2634907..e54e54f 100644
|
||||||
|
--- a/src/bin/jp2/opj_decompress.c
|
||||||
|
+++ b/src/bin/jp2/opj_decompress.c
|
||||||
|
@@ -455,13 +455,13 @@ const char* path_separator = "/";
|
||||||
|
char get_next_file(int imageno, dircnt_t *dirptr, img_fol_t *img_fol,
|
||||||
|
opj_decompress_parameters *parameters)
|
||||||
|
{
|
||||||
|
- char image_filename[OPJ_PATH_LEN], infilename[OPJ_PATH_LEN],
|
||||||
|
- outfilename[OPJ_PATH_LEN], temp_ofname[OPJ_PATH_LEN];
|
||||||
|
+ char image_filename[OPJ_PATH_LEN], infilename[OPJ_PATH_LEN * 2],
|
||||||
|
+ outfilename[OPJ_PATH_LEN * 2], temp_ofname[OPJ_PATH_LEN];
|
||||||
|
char *temp_p, temp1[OPJ_PATH_LEN] = "";
|
||||||
|
|
||||||
|
strcpy(image_filename, dirptr->filename[imageno]);
|
||||||
|
fprintf(stderr, "File Number %d \"%s\"\n", imageno, image_filename);
|
||||||
|
- sprintf(infilename, "%s%s%s", img_fol->imgdirpath, path_separator,
|
||||||
|
+ snprintf(infilename, OPJ_PATH_LEN * 2, "%s%s%s", img_fol->imgdirpath, path_separator,
|
||||||
|
image_filename);
|
||||||
|
parameters->decod_format = infile_format(infilename);
|
||||||
|
if (parameters->decod_format == -1) {
|
||||||
|
@@ -479,7 +479,7 @@ char get_next_file(int imageno, dircnt_t *dirptr, img_fol_t *img_fol,
|
||||||
|
sprintf(temp1, ".%s", temp_p);
|
||||||
|
}
|
||||||
|
if (img_fol->set_out_format == 1) {
|
||||||
|
- sprintf(outfilename, "%s/%s.%s", img_fol->imgdirpath, temp_ofname,
|
||||||
|
+ snprintf(outfilename, OPJ_PATH_LEN * 2, "%s/%s.%s", img_fol->imgdirpath, temp_ofname,
|
||||||
|
img_fol->out_format);
|
||||||
|
if (opj_strcpy_s(parameters->outfile, sizeof(parameters->outfile),
|
||||||
|
outfilename) != 0) {
|
||||||
|
@@ -1357,14 +1357,13 @@ int main(int argc, char **argv)
|
||||||
|
return EXIT_FAILURE;
|
||||||
|
}
|
||||||
|
/* Stores at max 10 image file names */
|
||||||
|
- dirptr->filename_buf = (char*)malloc(sizeof(char) *
|
||||||
|
- (size_t)num_images * OPJ_PATH_LEN);
|
||||||
|
+ dirptr->filename_buf = calloc((size_t) num_images, sizeof(char) * OPJ_PATH_LEN);
|
||||||
|
if (!dirptr->filename_buf) {
|
||||||
|
failed = 1;
|
||||||
|
goto fin;
|
||||||
|
}
|
||||||
|
|
||||||
|
- dirptr->filename = (char**) malloc((size_t)num_images * sizeof(char*));
|
||||||
|
+ dirptr->filename = (char**) calloc((size_t) num_images, sizeof(char*));
|
||||||
|
|
||||||
|
if (!dirptr->filename) {
|
||||||
|
failed = 1;
|
||||||
|
diff --git a/src/bin/jp2/opj_dump.c b/src/bin/jp2/opj_dump.c
|
||||||
|
index 6e15fee..4e19c61 100644
|
||||||
|
--- a/src/bin/jp2/opj_dump.c
|
||||||
|
+++ b/src/bin/jp2/opj_dump.c
|
||||||
|
@@ -201,8 +201,8 @@ static int get_file_format(const char *filename)
|
||||||
|
static char get_next_file(int imageno, dircnt_t *dirptr, img_fol_t *img_fol,
|
||||||
|
opj_dparameters_t *parameters)
|
||||||
|
{
|
||||||
|
- char image_filename[OPJ_PATH_LEN], infilename[OPJ_PATH_LEN],
|
||||||
|
- outfilename[OPJ_PATH_LEN], temp_ofname[OPJ_PATH_LEN];
|
||||||
|
+ char image_filename[OPJ_PATH_LEN], infilename[OPJ_PATH_LEN * 2],
|
||||||
|
+ outfilename[OPJ_PATH_LEN * 2], temp_ofname[OPJ_PATH_LEN];
|
||||||
|
char *temp_p, temp1[OPJ_PATH_LEN] = "";
|
||||||
|
|
||||||
|
strcpy(image_filename, dirptr->filename[imageno]);
|
||||||
|
@@ -211,7 +211,7 @@ static char get_next_file(int imageno, dircnt_t *dirptr, img_fol_t *img_fol,
|
||||||
|
if (parameters->decod_format == -1) {
|
||||||
|
return 1;
|
||||||
|
}
|
||||||
|
- sprintf(infilename, "%s/%s", img_fol->imgdirpath, image_filename);
|
||||||
|
+ snprintf(infilename, OPJ_PATH_LEN * 2, "%s/%s", img_fol->imgdirpath, image_filename);
|
||||||
|
if (opj_strcpy_s(parameters->infile, sizeof(parameters->infile),
|
||||||
|
infilename) != 0) {
|
||||||
|
return 1;
|
||||||
|
@@ -224,7 +224,7 @@ static char get_next_file(int imageno, dircnt_t *dirptr, img_fol_t *img_fol,
|
||||||
|
sprintf(temp1, ".%s", temp_p);
|
||||||
|
}
|
||||||
|
if (img_fol->set_out_format == 1) {
|
||||||
|
- sprintf(outfilename, "%s/%s.%s", img_fol->imgdirpath, temp_ofname,
|
||||||
|
+ snprintf(outfilename, OPJ_PATH_LEN * 2, "%s/%s.%s", img_fol->imgdirpath, temp_ofname,
|
||||||
|
img_fol->out_format);
|
||||||
|
if (opj_strcpy_s(parameters->outfile, sizeof(parameters->outfile),
|
||||||
|
outfilename) != 0) {
|
||||||
|
@@ -457,7 +457,7 @@ int main(int argc, char *argv[])
|
||||||
|
opj_codestream_info_v2_t* cstr_info = NULL;
|
||||||
|
opj_codestream_index_t* cstr_index = NULL;
|
||||||
|
|
||||||
|
- OPJ_INT32 num_images, imageno;
|
||||||
|
+ int num_images, imageno;
|
||||||
|
img_fol_t img_fol;
|
||||||
|
dircnt_t *dirptr = NULL;
|
||||||
|
|
||||||
|
@@ -486,13 +486,13 @@ int main(int argc, char *argv[])
|
||||||
|
if (!dirptr) {
|
||||||
|
return EXIT_FAILURE;
|
||||||
|
}
|
||||||
|
- dirptr->filename_buf = (char*)malloc((size_t)num_images * OPJ_PATH_LEN * sizeof(
|
||||||
|
+ dirptr->filename_buf = (char*) calloc((size_t) num_images, OPJ_PATH_LEN * sizeof(
|
||||||
|
char)); /* Stores at max 10 image file names*/
|
||||||
|
if (!dirptr->filename_buf) {
|
||||||
|
free(dirptr);
|
||||||
|
return EXIT_FAILURE;
|
||||||
|
}
|
||||||
|
- dirptr->filename = (char**) malloc((size_t)num_images * sizeof(char*));
|
||||||
|
+ dirptr->filename = (char**) calloc((size_t) num_images, sizeof(char*));
|
||||||
|
|
||||||
|
if (!dirptr->filename) {
|
||||||
|
goto fails;
|
||||||
|
--
|
||||||
|
2.31.1
|
||||||
|
|
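Review bot: The new `snprintf` calls in `get_next_file` (opj_compress.c, opj_decompress.c and opj_dump.c) discard the return value, so an over-long directory/file combination is truncated without any error at the call site; in opj_decompress.c the possibly truncated `infilename` is passed straight to `infile_format()`. Checking the result and using the array size rather than repeating `OPJ_PATH_LEN * 2` would make the bound self-maintaining, e.g. with an `int n` declared: `n = snprintf(infilename, sizeof(infilename), "%s/%s", img_fol->imgdirpath, image_filename);` followed by `if (n < 0 || (size_t)n >= sizeof(infilename)) return 1;`, and the same for `outfilename`. The context lines also keep the unbounded `strcpy(image_filename, dirptr->filename[imageno])` and `sprintf(temp1, ".%s", temp_p)`; whether their inputs are already limited to `OPJ_PATH_LEN` is decided where the directory entries are loaded, which is outside these hunks and worth confirming. The bodies of `get_next_file` and `main` start and end outside the hunks shown.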
@ -8,7 +8,7 @@
|
|||||||
|
|
||||||
Name: openjpeg2
|
Name: openjpeg2
|
||||||
Version: 2.4.0
|
Version: 2.4.0
|
||||||
Release: 3%{?dist}
|
Release: 4%{?dist}
|
||||||
Summary: C-Library for JPEG 2000
|
Summary: C-Library for JPEG 2000
|
||||||
|
|
||||||
# windirent.h is MIT, the rest is BSD
|
# windirent.h is MIT, the rest is BSD
|
||||||
@ -22,6 +22,8 @@ Source1: data.tar.xz
|
|||||||
|
|
||||||
# Rename tool names to avoid conflicts with openjpeg-1.x
|
# Rename tool names to avoid conflicts with openjpeg-1.x
|
||||||
Patch0: openjpeg2_opj2.patch
|
Patch0: openjpeg2_opj2.patch
|
||||||
|
# Fix CVE-2021-29338
|
||||||
|
Patch1: openjpeg2-CVE-2021-29338.patch
|
||||||
|
|
||||||
|
|
||||||
BuildRequires: cmake
|
BuildRequires: cmake
|
||||||
@ -324,6 +326,9 @@ chmod +x %{buildroot}%{_bindir}/opj2_jpip_viewer
|
|||||||
|
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Fri Jun 25 2021 Nikola Forró <nforro@redhat.com> - 2.4.0-4
|
||||||
|
- Fix CVE-2021-29338 (#1951333)
|
||||||
|
|
||||||
* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 2.4.0-3
|
* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 2.4.0-3
|
||||||
- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
|
- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
|
||||||
|
|
||||||
|