1 files changed, 75 insertions, 0 deletions
diff --git a/meta/recipes-graphics/jpeg/files/CVE-2023-2804-2.patch b/meta/recipes-graphics/jpeg/files/CVE-2023-2804-2.patch
new file mode 100644
index 0000000000..bcba0b513d
--- /dev/null
+++ b/meta/recipes-graphics/jpeg/files/CVE-2023-2804-2.patch
@@ -0,0 +1,75 @@
+From 0deab87e24ab3106d5332205f829d1846fa65001 Mon Sep 17 00:00:00 2001
+From: DRC <information@libjpeg-turbo.org>
+Date: Thu, 6 Apr 2023 18:33:41 -0500
+Subject: [PATCH] jpeg_crop_scanline: Fix calc w/sclg + 2x4,4x2 samp
+When computing the downsampled width for a particular component,
+jpeg_crop_scanline() needs to take into account the fact that the
+libjpeg code uses a combination of IDCT scaling and upsampling to
+implement 4x2 and 2x4 upsampling with certain decompression scaling
+factors.  Failing to account for that led to incomplete upsampling of
+4x2- or 2x4-subsampled components, which caused the color converter to
+read from uninitialized memory.  With 12-bit data precision, this caused
+a buffer overrun or underrun and subsequent segfault if the
+uninitialized memory contained a value that was outside of the valid
+sample range (because the color converter uses the value as an array
+index.)
+Fixes #669
+CVE: CVE-2023-2804
+Upstream-Status: Backport [https://github.com/libjpeg-turbo/libjpeg-turbo/commit/0deab87e24ab3106d5332205f829d1846fa65001]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ ChangeLog.md |  8 ++++++++
+ jdapistd.c   | 10 ++++++----
+ 2 files changed, 14 insertions(+), 4 deletions(-)
+diff --git a/ChangeLog.md b/ChangeLog.md
+index de0c4d0dd..159bd1610 100644
+--- a/ChangeLog.md
+++ b/ChangeLog.md
+@@ -4,6 +4,14 @@ overruns when attempting to decompress various specially-crafted malformed
+ (`-DWITH_12BIT=1`) with both color quantization and RGB565 color conversion
+ enabled.
+ 
+10. Fixed an issue whereby `jpeg_crop_scanline()` sometimes miscalculated the
+downsampled width for components with 4x2 or 2x4 subsampling factors if
+decompression scaling was enabled.  This caused the components to be upsampled
+incompletely, which caused the color converter to read from uninitialized
+memory.  With 12-bit data precision, this caused a buffer overrun or underrun
+and subsequent segfault if the sample value read from unitialized memory was
+outside of the valid sample range.
+
+ 2.0.4
+ =====
+ 
+diff --git a/jdapistd.c b/jdapistd.c
+index 628626254..eb577928c 100644
+--- a/jdapistd.c
+++ b/jdapistd.c
+@@ -4,7 +4,7 @@
+  * This file was part of the Independent JPEG Group's software:
+  * Copyright (C) 1994-1996, Thomas G. Lane.
+  * libjpeg-turbo Modifications:
+- * Copyright (C) 2010, 2015-2018, 2020, D. R. Commander.
+ * Copyright (C) 2010, 2015-2018, 2020, 2023, D. R. Commander.
+  * Copyright (C) 2015, Google, Inc.
+  * For conditions of distribution and use, see the accompanying README.ijg
+  * file.
+@@ -225,9 +225,11 @@ jpeg_crop_scanline(j_decompress_ptr cinfo, JDIMENSION *xoffset,
+     /* Set downsampled_width to the new output width. */
+     orig_downsampled_width = compptr->downsampled_width;
+     compptr->downsampled_width =
+-      (JDIMENSION)jdiv_round_up((long)(cinfo->output_width *
+-                                       compptr->h_samp_factor),
+-                                (long)cinfo->max_h_samp_factor);
+      (JDIMENSION)jdiv_round_up((long)cinfo->output_width *
+                                (long)(compptr->h_samp_factor *
+                                       compptr->_DCT_scaled_size),
+                                (long)(cinfo->max_h_samp_factor *
+                                       cinfo->_min_DCT_scaled_size));
+     if (compptr->downsampled_width < 2 && orig_downsampled_width >= 2)
+       reinit_upsampler = TRUE;
+

diff --git a/meta/recipes-graphics/jpeg/files/CVE-2023-2804-2.patch b/meta/recipes-graphics/jpeg/files/CVE-2023-2804-2.patch new file mode 100644 index 0000000000..bcba0b513d --- /dev/null +++ b/meta/recipes-graphics/jpeg/files/CVE-2023-2804-2.patch
@@ -0,0 +1,75 @@
	1	From 0deab87e24ab3106d5332205f829d1846fa65001 Mon Sep 17 00:00:00 2001
	2	From: DRC <information@libjpeg-turbo.org>
	3	Date: Thu, 6 Apr 2023 18:33:41 -0500
	4	Subject: [PATCH] jpeg_crop_scanline: Fix calc w/sclg + 2x4,4x2 samp
	5
	6	When computing the downsampled width for a particular component,
	7	jpeg_crop_scanline() needs to take into account the fact that the
	8	libjpeg code uses a combination of IDCT scaling and upsampling to
	9	implement 4x2 and 2x4 upsampling with certain decompression scaling
	10	factors. Failing to account for that led to incomplete upsampling of
	11	4x2- or 2x4-subsampled components, which caused the color converter to
	12	read from uninitialized memory. With 12-bit data precision, this caused
	13	a buffer overrun or underrun and subsequent segfault if the
	14	uninitialized memory contained a value that was outside of the valid
	15	sample range (because the color converter uses the value as an array
	16	index.)
	17
	18	Fixes #669
	19
	20	CVE: CVE-2023-2804
	21	Upstream-Status: Backport [https://github.com/libjpeg-turbo/libjpeg-turbo/commit/0deab87e24ab3106d5332205f829d1846fa65001]
	22
	23	Signed-off-by: Peter Marko <peter.marko@siemens.com>
	24	---
	25	ChangeLog.md \| 8 ++++++++
	26	jdapistd.c \| 10 ++++++----
	27	2 files changed, 14 insertions(+), 4 deletions(-)
	28
	29	diff --git a/ChangeLog.md b/ChangeLog.md
	30	index de0c4d0dd..159bd1610 100644
	31	--- a/ChangeLog.md
	32	+++ b/ChangeLog.md
	33	@@ -4,6 +4,14 @@ overruns when attempting to decompress various specially-crafted malformed
	34	(`-DWITH_12BIT=1`) with both color quantization and RGB565 color conversion
	35	enabled.
	36
	37	+10. Fixed an issue whereby `jpeg_crop_scanline()` sometimes miscalculated the
	38	+downsampled width for components with 4x2 or 2x4 subsampling factors if
	39	+decompression scaling was enabled. This caused the components to be upsampled
	40	+incompletely, which caused the color converter to read from uninitialized
	41	+memory. With 12-bit data precision, this caused a buffer overrun or underrun
	42	+and subsequent segfault if the sample value read from unitialized memory was
	43	+outside of the valid sample range.
	44	+
	45	2.0.4
	46	=====
	47
	48	diff --git a/jdapistd.c b/jdapistd.c
	49	index 628626254..eb577928c 100644
	50	--- a/jdapistd.c
	51	+++ b/jdapistd.c
	52	@@ -4,7 +4,7 @@
	53	* This file was part of the Independent JPEG Group's software:
	54	* Copyright (C) 1994-1996, Thomas G. Lane.
	55	* libjpeg-turbo Modifications:
	56	- * Copyright (C) 2010, 2015-2018, 2020, D. R. Commander.
	57	+ * Copyright (C) 2010, 2015-2018, 2020, 2023, D. R. Commander.
	58	* Copyright (C) 2015, Google, Inc.
	59	* For conditions of distribution and use, see the accompanying README.ijg
	60	* file.
	61	@@ -225,9 +225,11 @@ jpeg_crop_scanline(j_decompress_ptr cinfo, JDIMENSION *xoffset,
	62	/* Set downsampled_width to the new output width. */
	63	orig_downsampled_width = compptr->downsampled_width;
	64	compptr->downsampled_width =
	65	- (JDIMENSION)jdiv_round_up((long)(cinfo->output_width *
	66	- compptr->h_samp_factor),
	67	- (long)cinfo->max_h_samp_factor);
	68	+ (JDIMENSION)jdiv_round_up((long)cinfo->output_width *
	69	+ (long)(compptr->h_samp_factor *
	70	+ compptr->_DCT_scaled_size),
	71	+ (long)(cinfo->max_h_samp_factor *
	72	+ cinfo->_min_DCT_scaled_size));
	73	if (compptr->downsampled_width < 2 && orig_downsampled_width >= 2)
	74	reinit_upsampler = TRUE;
	75