jasper: patch CVE-2025-8836

Details: https://nvd.nist.gov/vuln/detail/CVE-2025-8836 Pick the patch that is referenced by the nvd report. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
author: Gyorgy Sarvari <skandigraun@gmail.com> 2025-11-23 18:43:08 +0100
committer: Gyorgy Sarvari <skandigraun@gmail.com> 2025-11-30 15:13:57 +0100
commit: 42058c812064a7189baa8861bb181454a85c668f (patch)
tree: b86fe0701a9ab1020efe5d6d919bb34f6c66b69d
parent: 95ecb0c5635fc6a596f78a459752abd76fecfc56 (diff)
download: meta-openembedded-42058c812064a7189baa8861bb181454a85c668f.tar.gz
2 files changed, 79 insertions, 0 deletions
diff --git a/meta-oe/recipes-graphics/jasper/jasper/CVE-2025-8836.patch b/meta-oe/recipes-graphics/jasper/jasper/CVE-2025-8836.patch
new file mode 100644
index 0000000000..247d1064ca
--- /dev/null
+++ b/meta-oe/recipes-graphics/jasper/jasper/CVE-2025-8836.patch
@@ -0,0 +1,78 @@
+From 0e045908b1fec6748688cbc13bd3dc3703ddb17e Mon Sep 17 00:00:00 2001
+From: Michael Adams <mdadams@ece.uvic.ca>
+Date: Sat, 2 Aug 2025 18:00:39 -0700
+Subject: [PATCH] Fixes #401.
+JPEG-2000 (JPC) Encoder:
+- Added some missing range checking on several coding parameters
+  (e.g., precint width/height and codeblock width/height).
+CVE: CVE-2025-8836
+Upstream-Status: Backport [https://github.com/jasper-software/jasper/commit/79185d32d7a444abae441935b20ae4676b3513d4]
+Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
+---
+ src/libjasper/jpc/jpc_enc.c   | 30 ++++++++++++++++++++++++------
+ src/libjasper/jpc/jpc_t2dec.c |  3 ++-
+ 2 files changed, 26 insertions(+), 7 deletions(-)
+diff --git a/src/libjasper/jpc/jpc_enc.c b/src/libjasper/jpc/jpc_enc.c
+index 93013f9..c957e3f 100644
+--- a/src/libjasper/jpc/jpc_enc.c
+++ b/src/libjasper/jpc/jpc_enc.c
+@@ -474,18 +474,36 @@ static jpc_enc_cp_t *cp_create(const char *optstr, jas_image_t *image)
+                        cp->tileheight = atoi(jas_tvparser_getval(tvp));
+                        break;
+                case OPT_PRCWIDTH:
+-                       prcwidthexpn = jpc_floorlog2(atoi(jas_tvparser_getval(tvp)));
+                       i = atoi(jas_tvparser_getval(tvp));
+                       if (i <= 0) {
+                               jas_eprintf("invalid precinct width (%d)\n", i);
+                               goto error;
+                       }
+                       prcwidthexpn = jpc_floorlog2(i);
+                        break;
+                case OPT_PRCHEIGHT:
+-                       prcheightexpn = jpc_floorlog2(atoi(jas_tvparser_getval(tvp)));
+                       i = atoi(jas_tvparser_getval(tvp));
+                       if (i <= 0) {
+                               jas_eprintf("invalid precinct height (%d)\n", i);
+                               goto error;
+                       }
+                       prcheightexpn = jpc_floorlog2(i);
+                        break;
+                case OPT_CBLKWIDTH:
+-                       tccp->cblkwidthexpn =
+-                         jpc_floorlog2(atoi(jas_tvparser_getval(tvp)));
+                       i = atoi(jas_tvparser_getval(tvp));
+                       if (i <= 0) {
+                               jas_eprintf("invalid code block width (%d)\n", i);
+                               goto error;
+                       }
+                       tccp->cblkwidthexpn = jpc_floorlog2(i);
+                        break;
+                case OPT_CBLKHEIGHT:
+-                       tccp->cblkheightexpn =
+-                         jpc_floorlog2(atoi(jas_tvparser_getval(tvp)));
+                       i = atoi(jas_tvparser_getval(tvp));
+                       if (i <= 0) {
+                               jas_eprintf("invalid code block height (%d)\n", i);
+                               goto error;
+                       }
+                       tccp->cblkheightexpn = jpc_floorlog2(i);
+                        break;
+                case OPT_MODE:
+                        if ((tagid = jas_taginfo_nonull(jas_taginfos_lookup(modetab,
+diff --git a/src/libjasper/jpc/jpc_t2dec.c b/src/libjasper/jpc/jpc_t2dec.c
+index e52b549..6e1f1f7 100644
+--- a/src/libjasper/jpc/jpc_t2dec.c
+++ b/src/libjasper/jpc/jpc_t2dec.c
+@@ -337,7 +337,8 @@ static int jpc_dec_decodepkt(jpc_dec_t *dec, jas_stream_t *pkthdrstream, jas_str
+                                                const unsigned n = JAS_MIN((unsigned)numnewpasses, maxpasses);
+                                                mycounter += n;
+                                                numnewpasses -= n;
+-                                               if ((len = jpc_bitstream_getbits(inb, cblk->numlenbits + jpc_floorlog2(n))) < 0) {
+                                               if ((len = jpc_bitstream_getbits(inb,
+                                                 cblk->numlenbits + jpc_floorlog2(n))) < 0) {
+                                                        jpc_bitstream_close(inb);
+                                                        return -1;
+                                                }
diff --git a/meta-oe/recipes-graphics/jasper/jasper_2.0.33.bb b/meta-oe/recipes-graphics/jasper/jasper_2.0.33.bb
index c314da539f..d78250306b 100644
--- a/meta-oe/recipes-graphics/jasper/jasper_2.0.33.bb
+++ b/meta-oe/recipes-graphics/jasper/jasper_2.0.33.bb
@@ -6,6 +6,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=a80440d1d8f17d041c71c7271d6e06eb"
 SRC_URI = "git://github.com/jasper-software/jasper.git;protocol=https;branch=master \
           file://CVE-2023-51257.patch \
           file://CVE-2025-8835.patch \
+           file://CVE-2025-8836.patch \
           "
 SRCREV = "fe00207dc10db1d7cc6f2757961c5c6bdfd10973"
author	Gyorgy Sarvari <skandigraun@gmail.com>	2025-11-23 18:43:08 +0100
committer	Gyorgy Sarvari <skandigraun@gmail.com>	2025-11-30 15:13:57 +0100
commit	42058c812064a7189baa8861bb181454a85c668f (patch)
tree	b86fe0701a9ab1020efe5d6d919bb34f6c66b69d
parent	95ecb0c5635fc6a596f78a459752abd76fecfc56 (diff)
download	meta-openembedded-42058c812064a7189baa8861bb181454a85c668f.tar.gz

diff --git a/meta-oe/recipes-graphics/jasper/jasper/CVE-2025-8836.patch b/meta-oe/recipes-graphics/jasper/jasper/CVE-2025-8836.patch new file mode 100644 index 0000000000..247d1064ca --- /dev/null +++ b/meta-oe/recipes-graphics/jasper/jasper/CVE-2025-8836.patch
@@ -0,0 +1,78 @@
		1	From 0e045908b1fec6748688cbc13bd3dc3703ddb17e Mon Sep 17 00:00:00 2001
		2	From: Michael Adams <mdadams@ece.uvic.ca>
		3	Date: Sat, 2 Aug 2025 18:00:39 -0700
		4	Subject: [PATCH] Fixes #401.
		5
		6	JPEG-2000 (JPC) Encoder:
		7	- Added some missing range checking on several coding parameters
		8	(e.g., precint width/height and codeblock width/height).
		9
		10	CVE: CVE-2025-8836
		11	Upstream-Status: Backport [https://github.com/jasper-software/jasper/commit/79185d32d7a444abae441935b20ae4676b3513d4]
		12	Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
		13	---
		14	src/libjasper/jpc/jpc_enc.c \| 30 ++++++++++++++++++++++++------
		15	src/libjasper/jpc/jpc_t2dec.c \| 3 ++-
		16	2 files changed, 26 insertions(+), 7 deletions(-)
		17
		18	diff --git a/src/libjasper/jpc/jpc_enc.c b/src/libjasper/jpc/jpc_enc.c
		19	index 93013f9..c957e3f 100644
		20	--- a/src/libjasper/jpc/jpc_enc.c
		21	+++ b/src/libjasper/jpc/jpc_enc.c
		22	@@ -474,18 +474,36 @@ static jpc_enc_cp_t cp_create(const char optstr, jas_image_t *image)
		23	cp->tileheight = atoi(jas_tvparser_getval(tvp));
		24	break;
		25	case OPT_PRCWIDTH:
		26	- prcwidthexpn = jpc_floorlog2(atoi(jas_tvparser_getval(tvp)));
		27	+ i = atoi(jas_tvparser_getval(tvp));
		28	+ if (i <= 0) {
		29	+ jas_eprintf("invalid precinct width (%d)\n", i);
		30	+ goto error;
		31	+ }
		32	+ prcwidthexpn = jpc_floorlog2(i);
		33	break;
		34	case OPT_PRCHEIGHT:
		35	- prcheightexpn = jpc_floorlog2(atoi(jas_tvparser_getval(tvp)));
		36	+ i = atoi(jas_tvparser_getval(tvp));
		37	+ if (i <= 0) {
		38	+ jas_eprintf("invalid precinct height (%d)\n", i);
		39	+ goto error;
		40	+ }
		41	+ prcheightexpn = jpc_floorlog2(i);
		42	break;
		43	case OPT_CBLKWIDTH:
		44	- tccp->cblkwidthexpn =
		45	- jpc_floorlog2(atoi(jas_tvparser_getval(tvp)));
		46	+ i = atoi(jas_tvparser_getval(tvp));
		47	+ if (i <= 0) {
		48	+ jas_eprintf("invalid code block width (%d)\n", i);
		49	+ goto error;
		50	+ }
		51	+ tccp->cblkwidthexpn = jpc_floorlog2(i);
		52	break;
		53	case OPT_CBLKHEIGHT:
		54	- tccp->cblkheightexpn =
		55	- jpc_floorlog2(atoi(jas_tvparser_getval(tvp)));
		56	+ i = atoi(jas_tvparser_getval(tvp));
		57	+ if (i <= 0) {
		58	+ jas_eprintf("invalid code block height (%d)\n", i);
		59	+ goto error;
		60	+ }
		61	+ tccp->cblkheightexpn = jpc_floorlog2(i);
		62	break;
		63	case OPT_MODE:
		64	if ((tagid = jas_taginfo_nonull(jas_taginfos_lookup(modetab,
		65	diff --git a/src/libjasper/jpc/jpc_t2dec.c b/src/libjasper/jpc/jpc_t2dec.c
		66	index e52b549..6e1f1f7 100644
		67	--- a/src/libjasper/jpc/jpc_t2dec.c
		68	+++ b/src/libjasper/jpc/jpc_t2dec.c
		69	@@ -337,7 +337,8 @@ static int jpc_dec_decodepkt(jpc_dec_t dec, jas_stream_t pkthdrstream, jas_str
		70	const unsigned n = JAS_MIN((unsigned)numnewpasses, maxpasses);
		71	mycounter += n;
		72	numnewpasses -= n;
		73	- if ((len = jpc_bitstream_getbits(inb, cblk->numlenbits + jpc_floorlog2(n))) < 0) {
		74	+ if ((len = jpc_bitstream_getbits(inb,
		75	+ cblk->numlenbits + jpc_floorlog2(n))) < 0) {
		76	jpc_bitstream_close(inb);
		77	return -1;
		78	}


diff --git a/meta-oe/recipes-graphics/jasper/jasper_2.0.33.bb b/meta-oe/recipes-graphics/jasper/jasper_2.0.33.bb index c314da539f..d78250306b 100644 --- a/meta-oe/recipes-graphics/jasper/jasper_2.0.33.bb +++ b/meta-oe/recipes-graphics/jasper/jasper_2.0.33.bb
@@ -6,6 +6,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=a80440d1d8f17d041c71c7271d6e06eb"
6	SRC_URI = "git://github.com/jasper-software/jasper.git;protocol=https;branch=master \	6	SRC_URI = "git://github.com/jasper-software/jasper.git;protocol=https;branch=master \
7	file://CVE-2023-51257.patch \	7	file://CVE-2023-51257.patch \
8	file://CVE-2025-8835.patch \	8	file://CVE-2025-8835.patch \
		9	file://CVE-2025-8836.patch \
9	"	10	"
10	SRCREV = "fe00207dc10db1d7cc6f2757961c5c6bdfd10973"	11	SRCREV = "fe00207dc10db1d7cc6f2757961c5c6bdfd10973"
11		12