opencv: Fix for CVE-2023-2617

A vulnerability classified as problematic was found in OpenCV wechat_qrcode Module up to 4.7.0. Affected by this vulnerability is the function DecodedBitStreamParser::decodeByteSegment of the file qrcode/decoder/decoded_bit_stream_parser.cpp. The manipulation leads to null pointer dereference. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-228547. Signed-off-by: Soumya <soumya.sambu@windriver.com> Signed-off-by: Khem Raj <raj.khem@gmail.com>
author: Soumya <soumya.sambu@windriver.com> 2023-06-15 16:03:28 +0000
committer: Khem Raj <raj.khem@gmail.com> 2023-06-15 15:04:51 -0700
commit: f0cd4aca2018d31659fa8a19c0bc88d9d9baec8a (patch)
tree: 3eb3ceb19da4abed8491633478cc8e1d181a2782
parent: a1dfcaeb5988aa4691481d05841017bc881fa026 (diff)
download: meta-openembedded-f0cd4aca2018d31659fa8a19c0bc88d9d9baec8a.tar.gz
2 files changed, 89 insertions, 0 deletions
diff --git a/meta-oe/recipes-support/opencv/opencv/CVE-2023-2617.patch b/meta-oe/recipes-support/opencv/opencv/CVE-2023-2617.patch
new file mode 100644
index 000000000..92c096e29
--- /dev/null
+++ b/meta-oe/recipes-support/opencv/opencv/CVE-2023-2617.patch
@@ -0,0 +1,88 @@
+commit ccc277247ac1a7aef0a90353edcdec35fbc5903c
+Author: Nano <nanoapezlk@gmail.com>
+Date:   Wed Apr 26 15:09:52 2023 +0800
+    fix(wechat_qrcode): Init nBytes after the count value is determined (#3480)
+    * fix(wechat_qrcode): Initialize nBytes after the count value is determined
+    * fix(wechat_qrcode): Incorrect count data repair
+    * chore: format expr
+    * fix(wechat_qrcode): Avoid null pointer exception
+    * fix(wechat_qrcode): return when bytes_ is empty
+    * test(wechat_qrcode): add test case
+    ---------
+    Co-authored-by: GZTime <Time.GZ@outlook.com>
+CVE: CVE-2023-2617
+Upstream-Status: Backport [https://github.com/opencv/opencv_contrib/commit/ccc277247ac1a7aef0a90353edcdec35fbc5903c]
+Signed-off-by: Soumya <soumya.sambu@windriver.com>
+---
+diff --git a/modules/wechat_qrcode/src/zxing/qrcode/decoder/decoded_bit_stream_parser.cpp b/modules/wechat_qrcode/src/zxing/qrcode/decoder/decoded_bit_stream_parser.cpp
+index 05de793c..b3a0a69c 100644
+--- a/modules/wechat_qrcode/src/zxing/qrcode/decoder/decoded_bit_stream_parser.cpp
+++ b/modules/wechat_qrcode/src/zxing/qrcode/decoder/decoded_bit_stream_parser.cpp
+@@ -65,7 +65,8 @@ void DecodedBitStreamParser::append(std::string& result, string const& in,
+ void DecodedBitStreamParser::append(std::string& result, const char* bufIn, size_t nIn,
+                                     ErrorHandler& err_handler) {
+-    if (err_handler.ErrCode()) return;
+    // avoid null pointer exception
+    if (err_handler.ErrCode() || bufIn == nullptr) return;
+ #ifndef NO_ICONV_INSIDE
+     if (nIn == 0) {
+         return;
+@@ -190,16 +191,20 @@ void DecodedBitStreamParser::decodeByteSegment(Ref<BitSource> bits_, string& res
+                                                CharacterSetECI* currentCharacterSetECI,
+                                                ArrayRef<ArrayRef<char> >& byteSegments,
+                                                ErrorHandler& err_handler) {
+-    int nBytes = count;
+     BitSource& bits(*bits_);
+     // Don't crash trying to read more bits than we have available.
+     int available = bits.available();
+     // try to repair count data if count data is invalid
+     if (count * 8 > available) {
+-        count = (available + 7 / 8);
+        count = (available + 7) / 8;
+     }
+    size_t nBytes = count;
+
+    ArrayRef<char> bytes_(nBytes);
+    // issue https://github.com/opencv/opencv_contrib/issues/3478
+    if (bytes_->empty())
+        return;
+-    ArrayRef<char> bytes_(count);
+     char* readBytes = &(*bytes_)[0];
+     for (int i = 0; i < count; i++) {
+         //    readBytes[i] = (char) bits.readBits(8);
+diff --git a/modules/wechat_qrcode/test/test_qrcode.cpp b/modules/wechat_qrcode/test/test_qrcode.cpp
+index d59932b8..ec2559b0 100644
+--- a/modules/wechat_qrcode/test/test_qrcode.cpp
+++ b/modules/wechat_qrcode/test/test_qrcode.cpp
+@@ -455,5 +455,16 @@ TEST_P(Objdetect_QRCode_Easy_Multi, regression) {
+ std::string qrcode_model_path[] = {"", "dnn/wechat_2021-01"};
+ INSTANTIATE_TEST_CASE_P(/**/, Objdetect_QRCode_Easy_Multi, testing::ValuesIn(qrcode_model_path));
+TEST(Objdetect_QRCode_bug, issue_3478) {
+    auto detector = wechat_qrcode::WeChatQRCode();
+    std::string image_path = findDataFile("qrcode/issue_3478.png");
+    Mat src = imread(image_path, IMREAD_GRAYSCALE);
+    ASSERT_FALSE(src.empty()) << "Can't read image: " << image_path;
+    std::vector<std::string> outs = detector.detectAndDecode(src);
+    ASSERT_EQ(1, (int) outs.size());
+    ASSERT_EQ(16, (int) outs[0].size());
+    ASSERT_EQ("KFCVW50         ", outs[0]);
+}
+
+ }  // namespace
+ }  // namespace opencv_test
diff --git a/meta-oe/recipes-support/opencv/opencv_4.7.0.bb b/meta-oe/recipes-support/opencv/opencv_4.7.0.bb
index 361b00430..d02fd34ae 100644
--- a/meta-oe/recipes-support/opencv/opencv_4.7.0.bb
+++ b/meta-oe/recipes-support/opencv/opencv_4.7.0.bb
@@ -31,6 +31,7 @@ SRC_URI = "git://github.com/opencv/opencv.git;name=opencv;branch=master;protocol
           file://download.patch \
           file://0001-Make-ts-module-external.patch \
           file://0008-Do-not-embed-build-directory-in-binaries.patch \
+           file://CVE-2023-2617.patch;patchdir=contrib \
           "
 SRC_URI:append:riscv64 = " file://0001-Use-Os-to-compile-tinyxml2.cpp.patch;patchdir=contrib"
author	Soumya <soumya.sambu@windriver.com>	2023-06-15 16:03:28 +0000
committer	Khem Raj <raj.khem@gmail.com>	2023-06-15 15:04:51 -0700
commit	f0cd4aca2018d31659fa8a19c0bc88d9d9baec8a (patch)
tree	3eb3ceb19da4abed8491633478cc8e1d181a2782
parent	a1dfcaeb5988aa4691481d05841017bc881fa026 (diff)
download	meta-openembedded-f0cd4aca2018d31659fa8a19c0bc88d9d9baec8a.tar.gz

diff --git a/meta-oe/recipes-support/opencv/opencv/CVE-2023-2617.patch b/meta-oe/recipes-support/opencv/opencv/CVE-2023-2617.patch new file mode 100644 index 000000000..92c096e29 --- /dev/null +++ b/meta-oe/recipes-support/opencv/opencv/CVE-2023-2617.patch
@@ -0,0 +1,88 @@
		1	commit ccc277247ac1a7aef0a90353edcdec35fbc5903c
		2	Author: Nano <nanoapezlk@gmail.com>
		3	Date: Wed Apr 26 15:09:52 2023 +0800
		4
		5	fix(wechat_qrcode): Init nBytes after the count value is determined (#3480)
		6
		7	* fix(wechat_qrcode): Initialize nBytes after the count value is determined
		8
		9	* fix(wechat_qrcode): Incorrect count data repair
		10
		11	* chore: format expr
		12
		13	* fix(wechat_qrcode): Avoid null pointer exception
		14
		15	* fix(wechat_qrcode): return when bytes_ is empty
		16
		17	* test(wechat_qrcode): add test case
		18
		19	---------
		20
		21	Co-authored-by: GZTime <Time.GZ@outlook.com>
		22
		23	CVE: CVE-2023-2617
		24
		25	Upstream-Status: Backport [https://github.com/opencv/opencv_contrib/commit/ccc277247ac1a7aef0a90353edcdec35fbc5903c]
		26
		27	Signed-off-by: Soumya <soumya.sambu@windriver.com>
		28	---
		29
		30	diff --git a/modules/wechat_qrcode/src/zxing/qrcode/decoder/decoded_bit_stream_parser.cpp b/modules/wechat_qrcode/src/zxing/qrcode/decoder/decoded_bit_stream_parser.cpp
		31	index 05de793c..b3a0a69c 100644
		32	--- a/modules/wechat_qrcode/src/zxing/qrcode/decoder/decoded_bit_stream_parser.cpp
		33	+++ b/modules/wechat_qrcode/src/zxing/qrcode/decoder/decoded_bit_stream_parser.cpp
		34	@@ -65,7 +65,8 @@ void DecodedBitStreamParser::append(std::string& result, string const& in,
		35
		36	void DecodedBitStreamParser::append(std::string& result, const char* bufIn, size_t nIn,
		37	ErrorHandler& err_handler) {
		38	- if (err_handler.ErrCode()) return;
		39	+ // avoid null pointer exception
		40	+ if (err_handler.ErrCode() \|\| bufIn == nullptr) return;
		41	#ifndef NO_ICONV_INSIDE
		42	if (nIn == 0) {
		43	return;
		44	@@ -190,16 +191,20 @@ void DecodedBitStreamParser::decodeByteSegment(Ref<BitSource> bits_, string& res
		45	CharacterSetECI* currentCharacterSetECI,
		46	ArrayRef<ArrayRef<char> >& byteSegments,
		47	ErrorHandler& err_handler) {
		48	- int nBytes = count;
		49	BitSource& bits(*bits_);
		50	// Don't crash trying to read more bits than we have available.
		51	int available = bits.available();
		52	// try to repair count data if count data is invalid
		53	if (count * 8 > available) {
		54	- count = (available + 7 / 8);
		55	+ count = (available + 7) / 8;
		56	}
		57	+ size_t nBytes = count;
		58	+
		59	+ ArrayRef<char> bytes_(nBytes);
		60	+ // issue https://github.com/opencv/opencv_contrib/issues/3478
		61	+ if (bytes_->empty())
		62	+ return;
		63
		64	- ArrayRef<char> bytes_(count);
		65	char* readBytes = &(*bytes_)[0];
		66	for (int i = 0; i < count; i++) {
		67	// readBytes[i] = (char) bits.readBits(8);
		68	diff --git a/modules/wechat_qrcode/test/test_qrcode.cpp b/modules/wechat_qrcode/test/test_qrcode.cpp
		69	index d59932b8..ec2559b0 100644
		70	--- a/modules/wechat_qrcode/test/test_qrcode.cpp
		71	+++ b/modules/wechat_qrcode/test/test_qrcode.cpp
		72	@@ -455,5 +455,16 @@ TEST_P(Objdetect_QRCode_Easy_Multi, regression) {
		73	std::string qrcode_model_path[] = {"", "dnn/wechat_2021-01"};
		74	INSTANTIATE_TEST_CASE_P(/**/, Objdetect_QRCode_Easy_Multi, testing::ValuesIn(qrcode_model_path));
		75
		76	+TEST(Objdetect_QRCode_bug, issue_3478) {
		77	+ auto detector = wechat_qrcode::WeChatQRCode();
		78	+ std::string image_path = findDataFile("qrcode/issue_3478.png");
		79	+ Mat src = imread(image_path, IMREAD_GRAYSCALE);
		80	+ ASSERT_FALSE(src.empty()) << "Can't read image: " << image_path;
		81	+ std::vector<std::string> outs = detector.detectAndDecode(src);
		82	+ ASSERT_EQ(1, (int) outs.size());
		83	+ ASSERT_EQ(16, (int) outs[0].size());
		84	+ ASSERT_EQ("KFCVW50 ", outs[0]);
		85	+}
		86	+
		87	} // namespace
		88	} // namespace opencv_test


diff --git a/meta-oe/recipes-support/opencv/opencv_4.7.0.bb b/meta-oe/recipes-support/opencv/opencv_4.7.0.bb index 361b00430..d02fd34ae 100644 --- a/meta-oe/recipes-support/opencv/opencv_4.7.0.bb +++ b/meta-oe/recipes-support/opencv/opencv_4.7.0.bb
@@ -31,6 +31,7 @@ SRC_URI = "git://github.com/opencv/opencv.git;name=opencv;branch=master;protocol
31	file://download.patch \	31	file://download.patch \
32	file://0001-Make-ts-module-external.patch \	32	file://0001-Make-ts-module-external.patch \
33	file://0008-Do-not-embed-build-directory-in-binaries.patch \	33	file://0008-Do-not-embed-build-directory-in-binaries.patch \
		34	file://CVE-2023-2617.patch;patchdir=contrib \
34	"	35	"
35	SRC_URI:append:riscv64 = " file://0001-Use-Os-to-compile-tinyxml2.cpp.patch;patchdir=contrib"	36	SRC_URI:append:riscv64 = " file://0001-Use-Os-to-compile-tinyxml2.cpp.patch;patchdir=contrib"
36		37