CVE-2021-29338

Integer Overflow en OpenJPEG versión v2.4.0 permite a atacantes remotos bloquear la aplicación, causando una denegación de servicio (DoS). Esto ocurre cuando el atacante usa la opción de línea de comando "-ImgDir" en un directorio que contiene 1048576 archivos

There is a flaw in the opj2_compress program in openjpeg2. An attacker who is able to submit a large number of image files to be processed in a directory by opj2_compress, could trigger a heap out-of-bounds write due to an integer overflow, which is caused by the large number of image files. The greatest threat posed by this flaw is to confidentiality, integrity, and availability.

An update that fixes 13 vulnerabilities is now available. This update for openjpeg2 fixes the following issues. Fixed integer overflow vulnerability in theopj_t1_encode_cblks function. Fixed integer overflow caused by an out-of-bounds leftshift in the opj_j2k_setup_encoder function. Fixed excessive iteration in the opj_t1_encode_cblks function of openjp2/t1.c. Fixed division-by-zero vulnerabilities in the functions pi_next_pcrl, pi_next_cprl,and pi_next_rpcl in lib/openjp3d/pi.c. Fixed missing checks for header_info.height and header_info.width in the function pnmtoimage in bin/jpwl/convert.c. Fixed heap-based buffer overflow function t2_encode_packet in lib/openmj2/t2.c. Fixed division-by-zero in the functions pi_next_pcrl, pi_next_cprl, and pi_next_rpcl in openmj2/pi.ci. Fixed heap-based buffer overflow in opj_t1_clbl_decode_processor. Fixed heap-based buffer overflow in opj_t1_clbl_decode_processor in openjp2/t1.c. Fixed use-after-free if t a mix of valid and invalid files in a directory operated on by the decompressor. Fixed heap buffer over-write in opj_tcd_dc_level_shift_encode. Fixed integer overflow that allows remote attackers to crash the application. Fixed segmentation fault in opj2_decompress due to uninitialized pointer.