author | Thomas Bracht Laumann Jespersen <t@laumann.xyz> | 2022-04-21 14:07:59 +0200 |
---|---|---|
committer | Joonas Niilola <juippis@gentoo.org> | 2022-04-24 10:24:04 +0300 |
commit | 3c5508bd5ecf31191a9f63b6f8db66d1c9880b03 (patch) | |
tree | ea77882cf04e26f307966ab2a52cce6b5bd89094 /media-libs/openjpeg/files | |
parent | www-apps/radicale: bump to 3.1.7 (diff) | |
media-libs/openjpeg: backport upstream fix for CVE-2021-29338
The fix is split across two commits upstream, considered merging them
but decided against it.
Bug: https://bugs.gentoo.org/783513
Fixes: CVE-2021-29338
Signed-off-by: Thomas Bracht Laumann Jespersen <t@laumann.xyz>
Closes: https://github.com/gentoo/gentoo/pull/25142
Signed-off-by: Joonas Niilola <juippis@gentoo.org>
Diffstat (limited to 'media-libs/openjpeg/files')
-rw-r--r-- | media-libs/openjpeg/files/openjpeg-2.4.0-r3-avoid-mult-overflow.patch | 52 | ||||
-rw-r--r-- | media-libs/openjpeg/files/openjpeg-2.4.0-r3-fix-integer-overflow.patch | 57 |
2 files changed, 109 insertions, 0 deletions
diff --git a/media-libs/openjpeg/files/openjpeg-2.4.0-r3-avoid-mult-overflow.patch b/media-libs/openjpeg/files/openjpeg-2.4.0-r3-avoid-mult-overflow.patch
new file mode 100644
index 000000000000..3733a1b94545
--- /dev/null
+++ b/media-libs/openjpeg/files/openjpeg-2.4.0-r3-avoid-mult-overflow.patch
@@ -0,0 +1,52 @@
+Upstream: https://github.com/uclouvain/openjpeg/commit/1daaa0b909aebdf71be36238d16dfbec83c494ed
+Bug: https://bugs.gentoo.org/783513
+CVE-2021-29338
+--- a/src/bin/jp2/opj_compress.c
++++ b/src/bin/jp2/opj_compress.c
+@@ -1967,7 +1967,7 @@ int main(int argc, char **argv)
+ goto fin;
+ }
+ for (i = 0; i < num_images; i++) {
+- dirptr->filename[i] = dirptr->filename_buf + i * OPJ_PATH_LEN;
++ dirptr->filename[i] = dirptr->filename_buf + (size_t)i * OPJ_PATH_LEN;
+ }
+ }
+ if (load_images(dirptr, img_fol.imgdirpath) == 1) {
+--- a/src/bin/jp2/opj_decompress.c
++++ b/src/bin/jp2/opj_decompress.c
+@@ -1367,7 +1367,6 @@ int main(int argc, char **argv)
+ if (img_fol.set_imgdir == 1) {
+ int it_image;
+ num_images = get_num_images(img_fol.imgdirpath);
+-
+ dirptr = (dircnt_t*)calloc(1, sizeof(dircnt_t));
+ if (!dirptr) {
+ destroy_parameters(¶meters);
+@@ -1387,7 +1386,8 @@ int main(int argc, char **argv)
+ goto fin;
+ }
+ for (it_image = 0; it_image < num_images; it_image++) {
+- dirptr->filename[it_image] = dirptr->filename_buf + it_image * OPJ_PATH_LEN;
++ dirptr->filename[it_image] = dirptr->filename_buf + (size_t)it_image *
++ OPJ_PATH_LEN;
+ }
+
+ if (load_images(dirptr, img_fol.imgdirpath) == 1) {
+--- a/src/bin/jp2/opj_dump.c
++++ b/src/bin/jp2/opj_dump.c
+@@ -529,13 +529,13 @@ int main(int argc, char *argv[])
+ }
+
+ for (it_image = 0; it_image < num_images; it_image++) {
+- dirptr->filename[it_image] = dirptr->filename_buf + it_image * OPJ_PATH_LEN;
++ dirptr->filename[it_image] = dirptr->filename_buf + (size_t)it_image *
++ OPJ_PATH_LEN;
+ }
+
+ if (load_images(dirptr, img_fol.imgdirpath) == 1) {
+ goto fails;
+ }
+-
+ if (num_images == 0) {
+ fprintf(stdout, "Folder is empty\n");
+ goto fails;
diff --git a/media-libs/openjpeg/files/openjpeg-2.4.0-r3-fix-integer-overflow.patch b/media-libs/openjpeg/files/openjpeg-2.4.0-r3-fix-integer-overflow.patch
new file mode 100644
index 000000000000..6ceb5be8f6d1
--- /dev/null
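Review bot: The patch header carries only the upstream link, the bug and the CVE id, so nothing in the file says what it changes or that it is only one half of the CVE-2021-29338 fix. I would add a subject line such as `opj_compress/opj_decompress/opj_dump: compute filename_buf offsets in size_t` and a sentence saying it has to be applied together with openjpeg-2.4.0-r3-fix-integer-overflow.patch. The `(size_t)` cast in the three `dirptr->filename[...] = dirptr->filename_buf + ... * OPJ_PATH_LEN` lines only keeps the offsets correct; it relies on the buffer size itself having been computed without overflow, which is what the other patch changes. The `+-` blank-line removals in opj_decompress.c and opj_dump.c are whitespace-only changes inherited from upstream, and the enclosing main() bodies start and end outside these hunks.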
+++ b/media-libs/openjpeg/files/openjpeg-2.4.0-r3-fix-integer-overflow.patch 
@@ -0,0 +1,57 @@
+opj_compress/opj_uncompress: fix integer overflow in num_images
+CVE-2021-29338
+Bug 783513
+Upstream: https://github.com/uclouvain/openjpeg/commit/79c7d7af598b778c3cdcb455df23d50efc95eb3c
+--- a/src/bin/jp2/opj_compress.c
++++ b/src/bin/jp2/opj_compress.c
+@@ -1959,9 +1959,9 @@ int main(int argc, char **argv)
+ num_images = get_num_images(img_fol.imgdirpath);
+ dirptr = (dircnt_t*)malloc(sizeof(dircnt_t));
+ if (dirptr) {
+- dirptr->filename_buf = (char*)malloc(num_images * OPJ_PATH_LEN * sizeof(
++ dirptr->filename_buf = (char*)calloc(num_images, OPJ_PATH_LEN * sizeof(
+ char)); /* Stores at max 10 image file names*/
+- dirptr->filename = (char**) malloc(num_images * sizeof(char*));
++ dirptr->filename = (char**) calloc(num_images, sizeof(char*));
+ if (!dirptr->filename_buf) {
+ ret = 0;
+ goto fin;
+--- a/src/bin/jp2/opj_decompress.c
++++ b/src/bin/jp2/opj_decompress.c
+@@ -1374,14 +1374,13 @@ int main(int argc, char **argv)
+ return EXIT_FAILURE;
+ }
+ /* Stores at max 10 image file names */
+- dirptr->filename_buf = (char*)malloc(sizeof(char) *
+- (size_t)num_images * OPJ_PATH_LEN);
++ dirptr->filename_buf = calloc((size_t) num_images, sizeof(char) * OPJ_PATH_LEN);
+ if (!dirptr->filename_buf) {
+ failed = 1;
+ goto fin;
+ }
+
+- dirptr->filename = (char**) malloc((size_t)num_images * sizeof(char*));
++ dirptr->filename = (char**) calloc((size_t) num_images, sizeof(char*));
+
+ if (!dirptr->filename) {
+ failed = 1;
+--- a/src/bin/jp2/opj_dump.c
++++ b/src/bin/jp2/opj_dump.c
+@@ -515,13 +515,14 @@ int main(int argc, char *argv[])
+ if (!dirptr) {
+ return EXIT_FAILURE;
+ }
+- dirptr->filename_buf = (char*)malloc((size_t)num_images * OPJ_PATH_LEN * sizeof(
+- char)); /* Stores at max 10 image file names*/
++ /* Stores at max 10 image file names*/
++ dirptr->filename_buf = (char*) calloc((size_t) num_images,
++ OPJ_PATH_LEN * sizeof(char));
+ if (!dirptr->filename_buf) {
+ free(dirptr);
+ return EXIT_FAILURE;
+ }
+- dirptr->filename = (char**) malloc((size_t)num_images * sizeof(char*));
++ dirptr->filename = (char**) calloc((size_t) num_images, sizeof(char*));
+
+ if (!dirptr->filename) {
+ goto fails;
|
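Review bot: With an empty input directory the new `calloc((size_t) num_images, ...)` calls in opj_dump.c are made with a count of zero, and the C standard allows calloc to return NULL for that. The `if (num_images == 0)` "Folder is empty" check, visible in the opj_dump.c hunk of the avoid-mult-overflow patch, runs only after both allocations and load_images(), so on such a libc the tool would leave through the allocation-failure path without that message. Testing `num_images == 0` directly after `get_num_images(...)` in all three tools would avoid the zero-count requests; whether the `fin`/`fails` cleanup can safely be reached that early lies outside these hunks and needs checking. The retained comment `/* Stores at max 10 image file names*/` no longer describes a buffer sized by num_images and could read `/* one OPJ_PATH_LEN slot per image file name */`.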