opj_compress/opj_uncompress: fix integer overflow in num_images CVE-2021-29338 Bug 783513 Upstream: https://github.com/uclouvain/openjpeg/commit/79c7d7af598b778c3cdcb455df23d50efc95eb3c --- a/src/bin/jp2/opj_compress.c +++ b/src/bin/jp2/opj_compress.c @@ -1959,9 +1959,9 @@ int main(int argc, char **argv) num_images = get_num_images(img_fol.imgdirpath); dirptr = (dircnt_t*)malloc(sizeof(dircnt_t)); if (dirptr) { - dirptr->filename_buf = (char*)malloc(num_images * OPJ_PATH_LEN * sizeof( + dirptr->filename_buf = (char*)calloc(num_images, OPJ_PATH_LEN * sizeof( char)); /* Stores at max 10 image file names*/ - dirptr->filename = (char**) malloc(num_images * sizeof(char*)); + dirptr->filename = (char**) calloc(num_images, sizeof(char*)); if (!dirptr->filename_buf) { ret = 0; goto fin; --- a/src/bin/jp2/opj_decompress.c +++ b/src/bin/jp2/opj_decompress.c @@ -1374,14 +1374,13 @@ int main(int argc, char **argv) return EXIT_FAILURE; } /* Stores at max 10 image file names */ - dirptr->filename_buf = (char*)malloc(sizeof(char) * - (size_t)num_images * OPJ_PATH_LEN); + dirptr->filename_buf = calloc((size_t) num_images, sizeof(char) * OPJ_PATH_LEN); if (!dirptr->filename_buf) { failed = 1; goto fin; } - dirptr->filename = (char**) malloc((size_t)num_images * sizeof(char*)); + dirptr->filename = (char**) calloc((size_t) num_images, sizeof(char*)); if (!dirptr->filename) { failed = 1; --- a/src/bin/jp2/opj_dump.c +++ b/src/bin/jp2/opj_dump.c @@ -515,13 +515,14 @@ int main(int argc, char *argv[]) if (!dirptr) { return EXIT_FAILURE; } - dirptr->filename_buf = (char*)malloc((size_t)num_images * OPJ_PATH_LEN * sizeof( - char)); /* Stores at max 10 image file names*/ + /* Stores at max 10 image file names*/ + dirptr->filename_buf = (char*) calloc((size_t) num_images, + OPJ_PATH_LEN * sizeof(char)); if (!dirptr->filename_buf) { free(dirptr); return EXIT_FAILURE; } - dirptr->filename = (char**) malloc((size_t)num_images * sizeof(char*)); + dirptr->filename = (char**) calloc((size_t) num_images, sizeof(char*)); if (!dirptr->filename) { goto fails;