author | V3n3RiX <venerix@koprulu.sector> | 2022-05-12 16:42:50 +0300 |
---|---|---|
committer | V3n3RiX <venerix@koprulu.sector> | 2022-05-12 16:42:50 +0300 |
commit | 752d6256e5204b958b0ef7905675a940b5e9172f (patch) | |
tree | 330d16e6362a49cbed8875a777fe641a43376cd3 /media-libs/openjpeg/files | |
parent | 0c100b7dd2b30e75b799d806df4ef899fd98e1ea (diff) |
gentoo resync : 12.05.2022
Diffstat (limited to 'media-libs/openjpeg/files')
-rw-r--r-- | media-libs/openjpeg/files/openjpeg-2.4.0-r3-avoid-mult-overflow.patch | 52 | ||||
-rw-r--r-- | media-libs/openjpeg/files/openjpeg-2.4.0-r3-fix-integer-overflow.patch | 57 |
2 files changed, 109 insertions, 0 deletions
diff --git a/media-libs/openjpeg/files/openjpeg-2.4.0-r3-avoid-mult-overflow.patch b/media-libs/openjpeg/files/openjpeg-2.4.0-r3-avoid-mult-overflow.patch
new file mode 100644
index 000000000000..3733a1b94545
--- /dev/null
+++ b/media-libs/openjpeg/files/openjpeg-2.4.0-r3-avoid-mult-overflow.patch
@@ -0,0 +1,52 @@
+Upstream: https://github.com/uclouvain/openjpeg/commit/1daaa0b909aebdf71be36238d16dfbec83c494ed
+Bug: https://bugs.gentoo.org/783513
+CVE-2021-29338
+--- a/src/bin/jp2/opj_compress.c
++++ b/src/bin/jp2/opj_compress.c
+@@ -1967,7 +1967,7 @@ int main(int argc, char **argv)
+ goto fin;
+ }
+ for (i = 0; i < num_images; i++) {
+- dirptr->filename[i] = dirptr->filename_buf + i * OPJ_PATH_LEN;
++ dirptr->filename[i] = dirptr->filename_buf + (size_t)i * OPJ_PATH_LEN;
+ }
+ }
+ if (load_images(dirptr, img_fol.imgdirpath) == 1) {
+--- a/src/bin/jp2/opj_decompress.c
++++ b/src/bin/jp2/opj_decompress.c
+@@ -1367,7 +1367,6 @@ int main(int argc, char **argv)
+ if (img_fol.set_imgdir == 1) {
+ int it_image;
+ num_images = get_num_images(img_fol.imgdirpath);
+-
+ dirptr = (dircnt_t*)calloc(1, sizeof(dircnt_t));
+ if (!dirptr) {
+ destroy_parameters(¶meters);
+@@ -1387,7 +1386,8 @@ int main(int argc, char **argv)
+ goto fin;
+ }
+ for (it_image = 0; it_image < num_images; it_image++) {
+- dirptr->filename[it_image] = dirptr->filename_buf + it_image * OPJ_PATH_LEN;
++ dirptr->filename[it_image] = dirptr->filename_buf + (size_t)it_image *
++ OPJ_PATH_LEN;
+ }
+
+ if (load_images(dirptr, img_fol.imgdirpath) == 1) {
+--- a/src/bin/jp2/opj_dump.c
++++ b/src/bin/jp2/opj_dump.c
+@@ -529,13 +529,13 @@ int main(int argc, char *argv[])
+ }
+
+ for (it_image = 0; it_image < num_images; it_image++) {
+- dirptr->filename[it_image] = dirptr->filename_buf + it_image * OPJ_PATH_LEN;
++ dirptr->filename[it_image] = dirptr->filename_buf + (size_t)it_image *
++ OPJ_PATH_LEN;
+ }
+
+ if (load_images(dirptr, img_fol.imgdirpath) == 1) {
+ goto fails;
+ }
+-
+ if (num_images == 0) {
+ fprintf(stdout, "Folder is empty\n");
+ goto fails;
diff --git a/media-libs/openjpeg/files/openjpeg-2.4.0-r3-fix-integer-overflow.patch b/media-libs/openjpeg/files/openjpeg-2.4.0-r3-fix-integer-overflow.patch
new file mode 100644
index 000000000000..6ceb5be8f6d1
--- /dev/null
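Review bot: In the opj_dump.c hunk the `if (num_images == 0)` test still comes after the filename loop and `load_images()`, so an empty directory is only reported once the zero-element buffers have been allocated and walked; those allocations sit above the hunk, and a zero-sized request may return NULL and take the allocation-failure path before "Folder is empty" is printed. Moving the check up to where `num_images` is first assigned would keep the zero case away from the allocator altogether. The `(size_t)` casts are sound because each visible loop starts the index at 0 and stops below `num_images`, but nothing on the line says why the cast is there; a comment such as `/* widen before multiplying: int * OPJ_PATH_LEN can overflow (CVE-2021-29338) */` would keep it from being tidied away later. The blank-line removals in the opj_decompress.c and opj_dump.c hunks are unrelated to the fix, and every `main()` touched here begins and ends outside its hunk.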
+++ b/media-libs/openjpeg/files/openjpeg-2.4.0-r3-fix-integer-overflow.patch
@@ -0,0 +1,57 @@
+opj_compress/opj_uncompress: fix integer overflow in num_images
+CVE-2021-29338
+Bug 783513
+Upstream: https://github.com/uclouvain/openjpeg/commit/79c7d7af598b778c3cdcb455df23d50efc95eb3c
+--- a/src/bin/jp2/opj_compress.c
++++ b/src/bin/jp2/opj_compress.c
+@@ -1959,9 +1959,9 @@ int main(int argc, char **argv)
+ num_images = get_num_images(img_fol.imgdirpath);
+ dirptr = (dircnt_t*)malloc(sizeof(dircnt_t));
+ if (dirptr) {
+- dirptr->filename_buf = (char*)malloc(num_images * OPJ_PATH_LEN * sizeof(
++ dirptr->filename_buf = (char*)calloc(num_images, OPJ_PATH_LEN * sizeof(
+ char)); /* Stores at max 10 image file names*/
+- dirptr->filename = (char**) malloc(num_images * sizeof(char*));
++ dirptr->filename = (char**) calloc(num_images, sizeof(char*));
+ if (!dirptr->filename_buf) {
+ ret = 0;
+ goto fin;
+--- a/src/bin/jp2/opj_decompress.c
++++ b/src/bin/jp2/opj_decompress.c
+@@ -1374,14 +1374,13 @@ int main(int argc, char **argv)
+ return EXIT_FAILURE;
+ }
+ /* Stores at max 10 image file names */
+- dirptr->filename_buf = (char*)malloc(sizeof(char) *
+- (size_t)num_images * OPJ_PATH_LEN);
++ dirptr->filename_buf = calloc((size_t) num_images, sizeof(char) * OPJ_PATH_LEN);
+ if (!dirptr->filename_buf) {
+ failed = 1;
+ goto fin;
+ }
+
+- dirptr->filename = (char**) malloc((size_t)num_images * sizeof(char*));
++ dirptr->filename = (char**) calloc((size_t) num_images, sizeof(char*));
+
+ if (!dirptr->filename) {
+ failed = 1;
+--- a/src/bin/jp2/opj_dump.c
++++ b/src/bin/jp2/opj_dump.c
+@@ -515,13 +515,14 @@ int main(int argc, char *argv[])
+ if (!dirptr) {
+ return EXIT_FAILURE;
+ }
+- dirptr->filename_buf = (char*)malloc((size_t)num_images * OPJ_PATH_LEN * sizeof(
+- char)); /* Stores at max 10 image file names*/
++ /* Stores at max 10 image file names*/
++ dirptr->filename_buf = (char*) calloc((size_t) num_images,
++ OPJ_PATH_LEN * sizeof(char));
+ if (!dirptr->filename_buf) {
+ free(dirptr);
+ return EXIT_FAILURE;
+ }
+- dirptr->filename = (char**) malloc((size_t)num_images * sizeof(char*));
++ dirptr->filename = (char**) calloc((size_t) num_images, sizeof(char*));
+
+ if (!dirptr->filename) {
+ goto fails; |
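Review bot: The opj_compress.c hunk passes `num_images` to `calloc` without the `(size_t)` cast that the opj_decompress.c and opj_dump.c hunks add, so a negative count (the declaration is outside the hunk, so the signedness is an assumption) is converted implicitly rather than visibly. calloc's own overflow check should still turn that into a NULL return, but rejecting `num_images < 0` before allocating and writing `calloc((size_t)num_images, OPJ_PATH_LEN * sizeof(char))` would make all three tools read the same. In that same hunk only `filename_buf` is NULL-checked in the visible lines although `filename` is allocated just above it; the check for `filename`, if any, lies past the end of the hunk and is worth confirming. The carried-over comment "Stores at max 10 image file names" no longer describes a buffer sized by `num_images`; `/* one OPJ_PATH_LEN slot per image file name */` would be accurate in all three files.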