1 files changed, 97 insertions, 0 deletions
diff --git a/meta/recipes-graphics/jpeg/files/CVE-2023-2804-1.patch b/meta/recipes-graphics/jpeg/files/CVE-2023-2804-1.patch
new file mode 100644
index 0000000000..6668f6e41d
--- /dev/null
+++ b/meta/recipes-graphics/jpeg/files/CVE-2023-2804-1.patch
@@ -0,0 +1,97 @@
+From 9679473547874c472569d54fecce32b463999a9d Mon Sep 17 00:00:00 2001
+From: DRC <information@libjpeg-turbo.org>
+Date: Tue, 4 Apr 2023 19:06:20 -0500
+Subject: [PATCH] Decomp: Don't enable 2-pass color quant w/ RGB565
+The 2-pass color quantization algorithm assumes 3-sample pixels.  RGB565
+is the only 3-component colorspace that doesn't have 3-sample pixels, so
+we need to treat it as a special case when determining whether to enable
+2-pass color quantization.  Otherwise, attempting to initialize 2-pass
+color quantization with an RGB565 output buffer could cause
+prescan_quantize() to read from uninitialized memory and subsequently
+underflow/overflow the histogram array.
+djpeg is supposed to fail gracefully if both -rgb565 and -colors are
+specified, because none of its destination managers (image writers)
+support color quantization with RGB565.  However, prescan_quantize() was
+called before that could occur.  It is possible but very unlikely that
+these issues could have been reproduced in applications other than
+djpeg.  The issues involve the use of two features (12-bit precision and
+RGB565) that are incompatible, and they also involve the use of two
+rarely-used legacy features (RGB565 and color quantization) that don't
+make much sense when combined.
+Fixes #668
+Fixes #671
+Fixes #680
+CVE: CVE-2023-2804
+Upstream-Status: Backport [https://github.com/libjpeg-turbo/libjpeg-turbo/commit/9679473547874c472569d54fecce32b463999a9d]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ ChangeLog.md | 6 ++++++
+ jdmaster.c   | 5 +++--
+ jquant2.c    | 5 +++--
+ 3 files changed, 12 insertions(+), 4 deletions(-)
+diff --git a/ChangeLog.md b/ChangeLog.md
+index e605abe73..de0c4d0dd 100644
+--- a/ChangeLog.md
+++ b/ChangeLog.md
+@@ -1,3 +1,9 @@ quality values.
+9. Fixed an oversight in 1.4 beta1[8] that caused various segfaults and buffer
+overruns when attempting to decompress various specially-crafted malformed
+12-bit-per-component JPEG images using a 12-bit-per-component build of djpeg
+(`-DWITH_12BIT=1`) with both color quantization and RGB565 color conversion
+enabled.
+
+ 2.0.4
+ =====
+ 
+diff --git a/jdmaster.c b/jdmaster.c
+index b20906438..8d8ef9956 100644
+--- a/jdmaster.c
+++ b/jdmaster.c
+@@ -5,7 +5,7 @@
+  * Copyright (C) 1991-1997, Thomas G. Lane.
+  * Modified 2002-2009 by Guido Vollbeding.
+  * libjpeg-turbo Modifications:
+- * Copyright (C) 2009-2011, 2016, D. R. Commander.
+ * Copyright (C) 2009-2011, 2016, 2023, D. R. Commander.
+  * Copyright (C) 2013, Linaro Limited.
+  * Copyright (C) 2015, Google, Inc.
+  * For conditions of distribution and use, see the accompanying README.ijg
+@@ -492,7 +492,8 @@ master_selection(j_decompress_ptr cinfo)
+     if (cinfo->raw_data_out)
+       ERREXIT(cinfo, JERR_NOTIMPL);
+     /* 2-pass quantizer only works in 3-component color space. */
+-    if (cinfo->out_color_components != 3) {
+    if (cinfo->out_color_components != 3 ||
+        cinfo->out_color_space == JCS_RGB565) {
+       cinfo->enable_1pass_quant = TRUE;
+       cinfo->enable_external_quant = FALSE;
+       cinfo->enable_2pass_quant = FALSE;
+diff --git a/jquant2.c b/jquant2.c
+index 6570613bb..c760380fb 100644
+--- a/jquant2.c
+++ b/jquant2.c
+@@ -4,7 +4,7 @@
+  * This file was part of the Independent JPEG Group's software:
+  * Copyright (C) 1991-1996, Thomas G. Lane.
+  * libjpeg-turbo Modifications:
+- * Copyright (C) 2009, 2014-2015, D. R. Commander.
+ * Copyright (C) 2009, 2014-2015, 2020, 2023, D. R. Commander.
+  * For conditions of distribution and use, see the accompanying README.ijg
+  * file.
+  *
+@@ -1230,7 +1230,8 @@ jinit_2pass_quantizer(j_decompress_ptr cinfo)
+   cquantize->error_limiter = NULL;
+ 
+   /* Make sure jdmaster didn't give me a case I can't handle */
+-  if (cinfo->out_color_components != 3)
+  if (cinfo->out_color_components != 3 ||
+      cinfo->out_color_space == JCS_RGB565)
+     ERREXIT(cinfo, JERR_NOTIMPL);
+ 
+   /* Allocate the histogram/inverse colormap storage */

diff --git a/meta/recipes-graphics/jpeg/files/CVE-2023-2804-1.patch b/meta/recipes-graphics/jpeg/files/CVE-2023-2804-1.patch new file mode 100644 index 0000000000..6668f6e41d --- /dev/null +++ b/meta/recipes-graphics/jpeg/files/CVE-2023-2804-1.patch
@@ -0,0 +1,97 @@
	1	From 9679473547874c472569d54fecce32b463999a9d Mon Sep 17 00:00:00 2001
	2	From: DRC <information@libjpeg-turbo.org>
	3	Date: Tue, 4 Apr 2023 19:06:20 -0500
	4	Subject: [PATCH] Decomp: Don't enable 2-pass color quant w/ RGB565
	5
	6	The 2-pass color quantization algorithm assumes 3-sample pixels. RGB565
	7	is the only 3-component colorspace that doesn't have 3-sample pixels, so
	8	we need to treat it as a special case when determining whether to enable
	9	2-pass color quantization. Otherwise, attempting to initialize 2-pass
	10	color quantization with an RGB565 output buffer could cause
	11	prescan_quantize() to read from uninitialized memory and subsequently
	12	underflow/overflow the histogram array.
	13
	14	djpeg is supposed to fail gracefully if both -rgb565 and -colors are
	15	specified, because none of its destination managers (image writers)
	16	support color quantization with RGB565. However, prescan_quantize() was
	17	called before that could occur. It is possible but very unlikely that
	18	these issues could have been reproduced in applications other than
	19	djpeg. The issues involve the use of two features (12-bit precision and
	20	RGB565) that are incompatible, and they also involve the use of two
	21	rarely-used legacy features (RGB565 and color quantization) that don't
	22	make much sense when combined.
	23
	24	Fixes #668
	25	Fixes #671
	26	Fixes #680
	27
	28	CVE: CVE-2023-2804
	29	Upstream-Status: Backport [https://github.com/libjpeg-turbo/libjpeg-turbo/commit/9679473547874c472569d54fecce32b463999a9d]
	30
	31	Signed-off-by: Peter Marko <peter.marko@siemens.com>
	32	---
	33	ChangeLog.md \| 6 ++++++
	34	jdmaster.c \| 5 +++--
	35	jquant2.c \| 5 +++--
	36	3 files changed, 12 insertions(+), 4 deletions(-)
	37
	38	diff --git a/ChangeLog.md b/ChangeLog.md
	39	index e605abe73..de0c4d0dd 100644
	40	--- a/ChangeLog.md
	41	+++ b/ChangeLog.md
	42	@@ -1,3 +1,9 @@ quality values.
	43	+9. Fixed an oversight in 1.4 beta1[8] that caused various segfaults and buffer
	44	+overruns when attempting to decompress various specially-crafted malformed
	45	+12-bit-per-component JPEG images using a 12-bit-per-component build of djpeg
	46	+(`-DWITH_12BIT=1`) with both color quantization and RGB565 color conversion
	47	+enabled.
	48	+
	49	2.0.4
	50	=====
	51
	52	diff --git a/jdmaster.c b/jdmaster.c
	53	index b20906438..8d8ef9956 100644
	54	--- a/jdmaster.c
	55	+++ b/jdmaster.c
	56	@@ -5,7 +5,7 @@
	57	* Copyright (C) 1991-1997, Thomas G. Lane.
	58	* Modified 2002-2009 by Guido Vollbeding.
	59	* libjpeg-turbo Modifications:
	60	- * Copyright (C) 2009-2011, 2016, D. R. Commander.
	61	+ * Copyright (C) 2009-2011, 2016, 2023, D. R. Commander.
	62	* Copyright (C) 2013, Linaro Limited.
	63	* Copyright (C) 2015, Google, Inc.
	64	* For conditions of distribution and use, see the accompanying README.ijg
	65	@@ -492,7 +492,8 @@ master_selection(j_decompress_ptr cinfo)
	66	if (cinfo->raw_data_out)
	67	ERREXIT(cinfo, JERR_NOTIMPL);
	68	/* 2-pass quantizer only works in 3-component color space. */
	69	- if (cinfo->out_color_components != 3) {
	70	+ if (cinfo->out_color_components != 3 \|\|
	71	+ cinfo->out_color_space == JCS_RGB565) {
	72	cinfo->enable_1pass_quant = TRUE;
	73	cinfo->enable_external_quant = FALSE;
	74	cinfo->enable_2pass_quant = FALSE;
	75	diff --git a/jquant2.c b/jquant2.c
	76	index 6570613bb..c760380fb 100644
	77	--- a/jquant2.c
	78	+++ b/jquant2.c
	79	@@ -4,7 +4,7 @@
	80	* This file was part of the Independent JPEG Group's software:
	81	* Copyright (C) 1991-1996, Thomas G. Lane.
	82	* libjpeg-turbo Modifications:
	83	- * Copyright (C) 2009, 2014-2015, D. R. Commander.
	84	+ * Copyright (C) 2009, 2014-2015, 2020, 2023, D. R. Commander.
	85	* For conditions of distribution and use, see the accompanying README.ijg
	86	* file.
	87	*
	88	@@ -1230,7 +1230,8 @@ jinit_2pass_quantizer(j_decompress_ptr cinfo)
	89	cquantize->error_limiter = NULL;
	90
	91	/* Make sure jdmaster didn't give me a case I can't handle */
	92	- if (cinfo->out_color_components != 3)
	93	+ if (cinfo->out_color_components != 3 \|\|
	94	+ cinfo->out_color_space == JCS_RGB565)
	95	ERREXIT(cinfo, JERR_NOTIMPL);
	96
	97	/* Allocate the histogram/inverse colormap storage */