exiv2: patch CVE-2025-55304

Details: https://nvd.nist.gov/vuln/detail/CVE-2025-55304 Backport patch mentioned in the details of the vulnerability. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
author: Gyorgy Sarvari <skandigraun@gmail.com> 2025-10-08 16:47:57 +0200
committer: Gyorgy Sarvari <skandigraun@gmail.com> 2025-10-13 09:21:31 +0200
commit: f47fdfd73090c996f4edf9c7921bc07bbdffd908 (patch)
tree: 0cad753d4935ca4cbc5369a843776d9a3953e22d
parent: 40036aa47ad24659d20643195525310fc5fce123 (diff)
download: meta-openembedded-f47fdfd73090c996f4edf9c7921bc07bbdffd908.tar.gz
2 files changed, 97 insertions, 0 deletions
diff --git a/meta-oe/recipes-support/exiv2/exiv2/0001-Add-new-method-appendIccProfile-to-fix-quadratic-per.patch b/meta-oe/recipes-support/exiv2/exiv2/0001-Add-new-method-appendIccProfile-to-fix-quadratic-per.patch
new file mode 100644
index 0000000000..a0399c539b
--- /dev/null
+++ b/meta-oe/recipes-support/exiv2/exiv2/0001-Add-new-method-appendIccProfile-to-fix-quadratic-per.patch
@@ -0,0 +1,96 @@
+From 14a862213873b3f81941721a5972853fd269ca63 Mon Sep 17 00:00:00 2001
+From: Kevin Backhouse <kevinbackhouse@github.com>
+Date: Fri, 15 Aug 2025 12:08:49 +0100
+Subject: [PATCH] Add new method appendIccProfile to fix quadratic performance
+ issue.
+Upstream-Status: Backport [https://github.com/Exiv2/exiv2/pull/3345/commits/e5bf22e0cebeabeb2ffd40678344467a271be12d]
+CVE: CVE-2025-55304
+Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
+---
+ include/exiv2/image.hpp | 10 ++++++++++
+ src/image.cpp           | 29 +++++++++++++++++++++--------
+ src/jpgimage.cpp        |  7 +------
+ 3 files changed, 32 insertions(+), 14 deletions(-)
+diff --git a/include/exiv2/image.hpp b/include/exiv2/image.hpp
+index 629a8a4fd..072016013 100644
+--- a/include/exiv2/image.hpp
+++ b/include/exiv2/image.hpp
+@@ -191,6 +191,16 @@ class EXIV2API Image {
+     @param bTestValid - tests that iccProfile contains credible data
+    */
+   virtual void setIccProfile(DataBuf&& iccProfile, bool bTestValid = true);
+  /*!
+    @brief Append more bytes to the iccProfile.
+    @param iccProfile DataBuf containing profile (binary)
+    @param bTestValid - tests that iccProfile contains credible data
+   */
+  virtual void appendIccProfile(const uint8_t* bytes, size_t size, bool bTestValid);
+  /*!
+    @brief Throw an exception if the size at the beginning of the iccProfile isn't correct.
+   */
+  virtual void checkIccProfile();
+   /*!
+     @brief Erase iccProfile. the profile is not removed from
+         the actual image until the writeMetadata() method is called.
+diff --git a/src/image.cpp b/src/image.cpp
+index f06660cf7..eb6b3eb0a 100644
+--- a/src/image.cpp
+++ b/src/image.cpp
+@@ -625,16 +625,29 @@ void Image::setComment(const std::string& comment) {
+ }
+ 
+ void Image::setIccProfile(Exiv2::DataBuf&& iccProfile, bool bTestValid) {
+  iccProfile_ = std::move(iccProfile);
+   if (bTestValid) {
+-    if (iccProfile.size() < sizeof(long)) {
+-      throw Error(ErrorCode::kerInvalidIccProfile);
+-    }
+-    const size_t size = iccProfile.read_uint32(0, bigEndian);
+-    if (size != iccProfile.size()) {
+-      throw Error(ErrorCode::kerInvalidIccProfile);
+-    }
+    checkIccProfile();
+  }
+}
+
+void Image::appendIccProfile(const uint8_t* bytes, size_t size, bool bTestValid) {
+  const size_t start = iccProfile_.size();
+  iccProfile_.resize(Safe::add(start, size));
+  memcpy(iccProfile_.data(start), bytes, size);
+  if (bTestValid) {
+    checkIccProfile();
+  }
+}
+
+void Image::checkIccProfile() {
+  if (iccProfile_.size() < sizeof(long)) {
+    throw Error(ErrorCode::kerInvalidIccProfile);
+  }
+  const size_t size = iccProfile_.read_uint32(0, bigEndian);
+  if (size != iccProfile_.size()) {
+    throw Error(ErrorCode::kerInvalidIccProfile);
+   }
+-  iccProfile_ = std::move(iccProfile);
+ }
+ 
+ void Image::clearIccProfile() {
+diff --git a/src/jpgimage.cpp b/src/jpgimage.cpp
+index 34187dc63..2c29135ae 100644
+--- a/src/jpgimage.cpp
+++ b/src/jpgimage.cpp
+@@ -268,12 +268,7 @@ void JpegBase::readMetadata() {
+         icc_size = s;
+       }
+ 
+-      DataBuf profile(Safe::add(iccProfile_.size(), icc_size));
+-      if (!iccProfile_.empty()) {
+-        std::copy(iccProfile_.begin(), iccProfile_.end(), profile.begin());
+-      }
+-      std::copy_n(buf.c_data(2 + 14), icc_size, profile.data() + iccProfile_.size());
+-      setIccProfile(std::move(profile), chunk == chunks);
+      appendIccProfile(buf.c_data(2 + 14), icc_size, chunk == chunks);
+     } else if (pixelHeight_ == 0 && inRange2(marker, sof0_, sof3_, sof5_, sof15_)) {
+       // We hit a SOFn (start-of-frame) marker
+       if (size < 8) {
diff --git a/meta-oe/recipes-support/exiv2/exiv2_0.28.3.bb b/meta-oe/recipes-support/exiv2/exiv2_0.28.3.bb
index 947d13208d..db32398b4f 100644
--- a/meta-oe/recipes-support/exiv2/exiv2_0.28.3.bb
+++ b/meta-oe/recipes-support/exiv2/exiv2_0.28.3.bb
@@ -7,6 +7,7 @@ DEPENDS = "zlib expat brotli libinih"
 SRC_URI = "git://github.com/Exiv2/exiv2.git;protocol=https;branch=0.28.x \
           file://0001-Revert-fix-copy-constructors.patch \
           file://0001-CVE-2025-54080-fix.patch \
+           file://0001-Add-new-method-appendIccProfile-to-fix-quadratic-per.patch \
           "
 SRCREV = "a6a79ef064f131ffd03c110acce2d3edb84ffa2e"
 S = "${WORKDIR}/git"
author	Gyorgy Sarvari <skandigraun@gmail.com>	2025-10-08 16:47:57 +0200
committer	Gyorgy Sarvari <skandigraun@gmail.com>	2025-10-13 09:21:31 +0200
commit	f47fdfd73090c996f4edf9c7921bc07bbdffd908 (patch)
tree	0cad753d4935ca4cbc5369a843776d9a3953e22d
parent	40036aa47ad24659d20643195525310fc5fce123 (diff)
download	meta-openembedded-f47fdfd73090c996f4edf9c7921bc07bbdffd908.tar.gz

diff --git a/meta-oe/recipes-support/exiv2/exiv2/0001-Add-new-method-appendIccProfile-to-fix-quadratic-per.patch b/meta-oe/recipes-support/exiv2/exiv2/0001-Add-new-method-appendIccProfile-to-fix-quadratic-per.patch new file mode 100644 index 0000000000..a0399c539b --- /dev/null +++ b/meta-oe/recipes-support/exiv2/exiv2/0001-Add-new-method-appendIccProfile-to-fix-quadratic-per.patch
@@ -0,0 +1,96 @@
		1	From 14a862213873b3f81941721a5972853fd269ca63 Mon Sep 17 00:00:00 2001
		2	From: Kevin Backhouse <kevinbackhouse@github.com>
		3	Date: Fri, 15 Aug 2025 12:08:49 +0100
		4	Subject: [PATCH] Add new method appendIccProfile to fix quadratic performance
		5	issue.
		6
		7	Upstream-Status: Backport [https://github.com/Exiv2/exiv2/pull/3345/commits/e5bf22e0cebeabeb2ffd40678344467a271be12d]
		8	CVE: CVE-2025-55304
		9	Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
		10	---
		11	include/exiv2/image.hpp \| 10 ++++++++++
		12	src/image.cpp \| 29 +++++++++++++++++++++--------
		13	src/jpgimage.cpp \| 7 +------
		14	3 files changed, 32 insertions(+), 14 deletions(-)
		15
		16	diff --git a/include/exiv2/image.hpp b/include/exiv2/image.hpp
		17	index 629a8a4fd..072016013 100644
		18	--- a/include/exiv2/image.hpp
		19	+++ b/include/exiv2/image.hpp
		20	@@ -191,6 +191,16 @@ class EXIV2API Image {
		21	@param bTestValid - tests that iccProfile contains credible data
		22	*/
		23	virtual void setIccProfile(DataBuf&& iccProfile, bool bTestValid = true);
		24	+ /*!
		25	+ @brief Append more bytes to the iccProfile.
		26	+ @param iccProfile DataBuf containing profile (binary)
		27	+ @param bTestValid - tests that iccProfile contains credible data
		28	+ */
		29	+ virtual void appendIccProfile(const uint8_t* bytes, size_t size, bool bTestValid);
		30	+ /*!
		31	+ @brief Throw an exception if the size at the beginning of the iccProfile isn't correct.
		32	+ */
		33	+ virtual void checkIccProfile();
		34	/*!
		35	@brief Erase iccProfile. the profile is not removed from
		36	the actual image until the writeMetadata() method is called.
		37	diff --git a/src/image.cpp b/src/image.cpp
		38	index f06660cf7..eb6b3eb0a 100644
		39	--- a/src/image.cpp
		40	+++ b/src/image.cpp
		41	@@ -625,16 +625,29 @@ void Image::setComment(const std::string& comment) {
		42	}
		43
		44	void Image::setIccProfile(Exiv2::DataBuf&& iccProfile, bool bTestValid) {
		45	+ iccProfile_ = std::move(iccProfile);
		46	if (bTestValid) {
		47	- if (iccProfile.size() < sizeof(long)) {
		48	- throw Error(ErrorCode::kerInvalidIccProfile);
		49	- }
		50	- const size_t size = iccProfile.read_uint32(0, bigEndian);
		51	- if (size != iccProfile.size()) {
		52	- throw Error(ErrorCode::kerInvalidIccProfile);
		53	- }
		54	+ checkIccProfile();
		55	+ }
		56	+}
		57	+
		58	+void Image::appendIccProfile(const uint8_t* bytes, size_t size, bool bTestValid) {
		59	+ const size_t start = iccProfile_.size();
		60	+ iccProfile_.resize(Safe::add(start, size));
		61	+ memcpy(iccProfile_.data(start), bytes, size);
		62	+ if (bTestValid) {
		63	+ checkIccProfile();
		64	+ }
		65	+}
		66	+
		67	+void Image::checkIccProfile() {
		68	+ if (iccProfile_.size() < sizeof(long)) {
		69	+ throw Error(ErrorCode::kerInvalidIccProfile);
		70	+ }
		71	+ const size_t size = iccProfile_.read_uint32(0, bigEndian);
		72	+ if (size != iccProfile_.size()) {
		73	+ throw Error(ErrorCode::kerInvalidIccProfile);
		74	}
		75	- iccProfile_ = std::move(iccProfile);
		76	}
		77
		78	void Image::clearIccProfile() {
		79	diff --git a/src/jpgimage.cpp b/src/jpgimage.cpp
		80	index 34187dc63..2c29135ae 100644
		81	--- a/src/jpgimage.cpp
		82	+++ b/src/jpgimage.cpp
		83	@@ -268,12 +268,7 @@ void JpegBase::readMetadata() {
		84	icc_size = s;
		85	}
		86
		87	- DataBuf profile(Safe::add(iccProfile_.size(), icc_size));
		88	- if (!iccProfile_.empty()) {
		89	- std::copy(iccProfile_.begin(), iccProfile_.end(), profile.begin());
		90	- }
		91	- std::copy_n(buf.c_data(2 + 14), icc_size, profile.data() + iccProfile_.size());
		92	- setIccProfile(std::move(profile), chunk == chunks);
		93	+ appendIccProfile(buf.c_data(2 + 14), icc_size, chunk == chunks);
		94	} else if (pixelHeight_ == 0 && inRange2(marker, sof0_, sof3_, sof5_, sof15_)) {
		95	// We hit a SOFn (start-of-frame) marker
		96	if (size < 8) {


diff --git a/meta-oe/recipes-support/exiv2/exiv2_0.28.3.bb b/meta-oe/recipes-support/exiv2/exiv2_0.28.3.bb index 947d13208d..db32398b4f 100644 --- a/meta-oe/recipes-support/exiv2/exiv2_0.28.3.bb +++ b/meta-oe/recipes-support/exiv2/exiv2_0.28.3.bb
@@ -7,6 +7,7 @@ DEPENDS = "zlib expat brotli libinih"
7	SRC_URI = "git://github.com/Exiv2/exiv2.git;protocol=https;branch=0.28.x \	7	SRC_URI = "git://github.com/Exiv2/exiv2.git;protocol=https;branch=0.28.x \
8	file://0001-Revert-fix-copy-constructors.patch \	8	file://0001-Revert-fix-copy-constructors.patch \
9	file://0001-CVE-2025-54080-fix.patch \	9	file://0001-CVE-2025-54080-fix.patch \
		10	file://0001-Add-new-method-appendIccProfile-to-fix-quadratic-per.patch \
10	"	11	"
11	SRCREV = "a6a79ef064f131ffd03c110acce2d3edb84ffa2e"	12	SRCREV = "a6a79ef064f131ffd03c110acce2d3edb84ffa2e"
12	S = "${WORKDIR}/git"	13	S = "${WORKDIR}/git"