openjpeg: Backport fix CVE-2023-39327

Upstream commit: https://github.com/uclouvain/openjpeg/commit/c58bc128b4f770e7c89bc8ba3d0273b9a3904aad Reference: https://github.com/uclouvain/openjpeg/pull/1547 Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
author: Vijay Anusuri <vanusuri@mvista.com> 2025-01-28 18:24:12 +0530
committer: Armin Kuster <akuster808@gmail.com> 2025-02-09 07:55:02 -0800
commit: 2a486ee7cdd88887a671c442db7c632f851a4c97 (patch)
tree: de154bdcef9b7134db6420bbcc107bea38e5bcb6 /meta-oe
parent: de8681b4a2a101b99dd2c48d89a7de2ccd9a961f (diff)
download: meta-openembedded-2a486ee7cdd88887a671c442db7c632f851a4c97.tar.gz
2 files changed, 83 insertions, 0 deletions
diff --git a/meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2023-39327.patch b/meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2023-39327.patch
new file mode 100644
index 0000000000..2d485c050d
--- /dev/null
+++ b/meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2023-39327.patch
@@ -0,0 +1,82 @@
+From c58bc128b4f770e7c89bc8ba3d0273b9a3904aad Mon Sep 17 00:00:00 2001
+From: mayeut <mayeut@users.noreply.github.com>
+Date: Sat, 17 Aug 2024 15:59:56 +0200
+Subject: [PATCH] fix: when EPH markers are specified, they are required.
+reference from Rec. ITU-T T.800 (06/2019):
+- Table A.13 – Coding style parameter values for the Scod parameter
+- Section A.8.1 Start of packet (SOP)
+- Section A.8.2 End of packet header (EPH)
+Upstream-Status: Backport [https://github.com/uclouvain/openjpeg/commit/c58bc128b4f770e7c89bc8ba3d0273b9a3904aad]
+CVE: CVE-2023-39327
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ src/lib/openjp2/t2.c                    | 19 +++++++++++++------
+ tests/nonregression/test_suite.ctest.in |  3 +++
+ 2 files changed, 16 insertions(+), 6 deletions(-)
+diff --git a/src/lib/openjp2/t2.c b/src/lib/openjp2/t2.c
+index 1481e16f..b7ffd5fb 100644
+--- a/src/lib/openjp2/t2.c
+++ b/src/lib/openjp2/t2.c
+@@ -1110,6 +1110,7 @@ static OPJ_BOOL opj_t2_read_packet_header(opj_t2_t* p_t2,
+     /* SOP markers */
+ 
+     if (p_tcp->csty & J2K_CP_CSTY_SOP) {
+        /* SOP markers are allowed (i.e. optional), just warn */
+         if (p_max_length < 6) {
+             opj_event_msg(p_manager, EVT_WARNING,
+                           "Not enough space for expected SOP marker\n");
+@@ -1162,12 +1163,15 @@ static OPJ_BOOL opj_t2_read_packet_header(opj_t2_t* p_t2,
+ 
+         /* EPH markers */
+         if (p_tcp->csty & J2K_CP_CSTY_EPH) {
+            /* EPH markers are required */
+             if ((*l_modified_length_ptr - (OPJ_UINT32)(l_header_data -
+                     *l_header_data_start)) < 2U) {
+-                opj_event_msg(p_manager, EVT_WARNING,
+-                              "Not enough space for expected EPH marker\n");
+                opj_event_msg(p_manager, EVT_ERROR,
+                              "Not enough space for required EPH marker\n");
+                return OPJ_FALSE;
+             } else if ((*l_header_data) != 0xff || (*(l_header_data + 1) != 0x92)) {
+-                opj_event_msg(p_manager, EVT_WARNING, "Expected EPH marker\n");
+                opj_event_msg(p_manager, EVT_ERROR, "Expected EPH marker\n");
+                return OPJ_FALSE;
+             } else {
+                 l_header_data += 2;
+             }
+@@ -1301,12 +1305,15 @@ static OPJ_BOOL opj_t2_read_packet_header(opj_t2_t* p_t2,
+ 
+     /* EPH markers */
+     if (p_tcp->csty & J2K_CP_CSTY_EPH) {
+        /* EPH markers are required */
+         if ((*l_modified_length_ptr - (OPJ_UINT32)(l_header_data -
+                 *l_header_data_start)) < 2U) {
+-            opj_event_msg(p_manager, EVT_WARNING,
+-                          "Not enough space for expected EPH marker\n");
+            opj_event_msg(p_manager, EVT_ERROR,
+                          "Not enough space for required EPH marker\n");
+            return OPJ_FALSE;
+         } else if ((*l_header_data) != 0xff || (*(l_header_data + 1) != 0x92)) {
+-            opj_event_msg(p_manager, EVT_WARNING, "Expected EPH marker\n");
+            opj_event_msg(p_manager, EVT_ERROR, "Expected EPH marker\n");
+            return OPJ_FALSE;
+         } else {
+             l_header_data += 2;
+         }
+diff --git a/tests/nonregression/test_suite.ctest.in b/tests/nonregression/test_suite.ctest.in
+index 72155329..78a7a783 100644
+--- a/tests/nonregression/test_suite.ctest.in
+++ b/tests/nonregression/test_suite.ctest.in
+@@ -647,3 +647,6 @@ opj_decompress -i @INPUT_NR_PATH@/tnsot_zero.jp2 -o @TEMP_PATH@/tnsot_zero.png
+ !opj_decompress -i @INPUT_NR_PATH@/oss-fuzz2785.jp2 -o @TEMP_PATH@/oss-fuzz2785.png
+ 
+ opj_decompress -i @INPUT_NR_PATH@/tnsot_zero_missing_eoc.jp2 -o @TEMP_PATH@/tnsot_zero_missing_eoc.png
+
+# missing EPH Marker
+!opj_decompress -i @INPUT_NR_PATH@/issue1472-bigloop.j2k -o @TEMP_PATH@/issue1472-bigloop.raw
+-- 
+2.25.1
diff --git a/meta-oe/recipes-graphics/openjpeg/openjpeg_2.4.0.bb b/meta-oe/recipes-graphics/openjpeg/openjpeg_2.4.0.bb
index 871b324dff..feecb957ba 100644
--- a/meta-oe/recipes-graphics/openjpeg/openjpeg_2.4.0.bb
+++ b/meta-oe/recipes-graphics/openjpeg/openjpeg_2.4.0.bb
@@ -14,6 +14,7 @@ SRC_URI = " \
    file://CVE-2021-3575.patch \
    file://0001-sycc422_to_rgb-fix-out-of-bounds-read-accesses-when-.patch \
    file://0001-opj_j2k_add_tlmarker-validate-that-current-tile-part.patch \
+    file://CVE-2023-39327.patch \
 "
 SRCREV = "37ac30ceff6640bbab502388c5e0fa0bff23f505"
 S = "${WORKDIR}/git"
author	Vijay Anusuri <vanusuri@mvista.com>	2025-01-28 18:24:12 +0530
committer	Armin Kuster <akuster808@gmail.com>	2025-02-09 07:55:02 -0800
commit	2a486ee7cdd88887a671c442db7c632f851a4c97 (patch)
tree	de154bdcef9b7134db6420bbcc107bea38e5bcb6 /meta-oe
parent	de8681b4a2a101b99dd2c48d89a7de2ccd9a961f (diff)
download	meta-openembedded-2a486ee7cdd88887a671c442db7c632f851a4c97.tar.gz

diff --git a/meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2023-39327.patch b/meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2023-39327.patch new file mode 100644 index 0000000000..2d485c050d --- /dev/null +++ b/meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2023-39327.patch
@@ -0,0 +1,82 @@
		1	From c58bc128b4f770e7c89bc8ba3d0273b9a3904aad Mon Sep 17 00:00:00 2001
		2	From: mayeut <mayeut@users.noreply.github.com>
		3	Date: Sat, 17 Aug 2024 15:59:56 +0200
		4	Subject: [PATCH] fix: when EPH markers are specified, they are required.
		5
		6	reference from Rec. ITU-T T.800 (06/2019):
		7	- Table A.13 – Coding style parameter values for the Scod parameter
		8	- Section A.8.1 Start of packet (SOP)
		9	- Section A.8.2 End of packet header (EPH)
		10
		11	Upstream-Status: Backport [https://github.com/uclouvain/openjpeg/commit/c58bc128b4f770e7c89bc8ba3d0273b9a3904aad]
		12	CVE: CVE-2023-39327
		13	Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
		14	---
		15	src/lib/openjp2/t2.c \| 19 +++++++++++++------
		16	tests/nonregression/test_suite.ctest.in \| 3 +++
		17	2 files changed, 16 insertions(+), 6 deletions(-)
		18
		19	diff --git a/src/lib/openjp2/t2.c b/src/lib/openjp2/t2.c
		20	index 1481e16f..b7ffd5fb 100644
		21	--- a/src/lib/openjp2/t2.c
		22	+++ b/src/lib/openjp2/t2.c
		23	@@ -1110,6 +1110,7 @@ static OPJ_BOOL opj_t2_read_packet_header(opj_t2_t* p_t2,
		24	/* SOP markers */
		25
		26	if (p_tcp->csty & J2K_CP_CSTY_SOP) {
		27	+ /* SOP markers are allowed (i.e. optional), just warn */
		28	if (p_max_length < 6) {
		29	opj_event_msg(p_manager, EVT_WARNING,
		30	"Not enough space for expected SOP marker\n");
		31	@@ -1162,12 +1163,15 @@ static OPJ_BOOL opj_t2_read_packet_header(opj_t2_t* p_t2,
		32
		33	/* EPH markers */
		34	if (p_tcp->csty & J2K_CP_CSTY_EPH) {
		35	+ /* EPH markers are required */
		36	if ((*l_modified_length_ptr - (OPJ_UINT32)(l_header_data -
		37	*l_header_data_start)) < 2U) {
		38	- opj_event_msg(p_manager, EVT_WARNING,
		39	- "Not enough space for expected EPH marker\n");
		40	+ opj_event_msg(p_manager, EVT_ERROR,
		41	+ "Not enough space for required EPH marker\n");
		42	+ return OPJ_FALSE;
		43	} else if ((l_header_data) != 0xff \|\| ((l_header_data + 1) != 0x92)) {
		44	- opj_event_msg(p_manager, EVT_WARNING, "Expected EPH marker\n");
		45	+ opj_event_msg(p_manager, EVT_ERROR, "Expected EPH marker\n");
		46	+ return OPJ_FALSE;
		47	} else {
		48	l_header_data += 2;
		49	}
		50	@@ -1301,12 +1305,15 @@ static OPJ_BOOL opj_t2_read_packet_header(opj_t2_t* p_t2,
		51
		52	/* EPH markers */
		53	if (p_tcp->csty & J2K_CP_CSTY_EPH) {
		54	+ /* EPH markers are required */
		55	if ((*l_modified_length_ptr - (OPJ_UINT32)(l_header_data -
		56	*l_header_data_start)) < 2U) {
		57	- opj_event_msg(p_manager, EVT_WARNING,
		58	- "Not enough space for expected EPH marker\n");
		59	+ opj_event_msg(p_manager, EVT_ERROR,
		60	+ "Not enough space for required EPH marker\n");
		61	+ return OPJ_FALSE;
		62	} else if ((l_header_data) != 0xff \|\| ((l_header_data + 1) != 0x92)) {
		63	- opj_event_msg(p_manager, EVT_WARNING, "Expected EPH marker\n");
		64	+ opj_event_msg(p_manager, EVT_ERROR, "Expected EPH marker\n");
		65	+ return OPJ_FALSE;
		66	} else {
		67	l_header_data += 2;
		68	}
		69	diff --git a/tests/nonregression/test_suite.ctest.in b/tests/nonregression/test_suite.ctest.in
		70	index 72155329..78a7a783 100644
		71	--- a/tests/nonregression/test_suite.ctest.in
		72	+++ b/tests/nonregression/test_suite.ctest.in
		73	@@ -647,3 +647,6 @@ opj_decompress -i @INPUT_NR_PATH@/tnsot_zero.jp2 -o @TEMP_PATH@/tnsot_zero.png
		74	!opj_decompress -i @INPUT_NR_PATH@/oss-fuzz2785.jp2 -o @TEMP_PATH@/oss-fuzz2785.png
		75
		76	opj_decompress -i @INPUT_NR_PATH@/tnsot_zero_missing_eoc.jp2 -o @TEMP_PATH@/tnsot_zero_missing_eoc.png
		77	+
		78	+# missing EPH Marker
		79	+!opj_decompress -i @INPUT_NR_PATH@/issue1472-bigloop.j2k -o @TEMP_PATH@/issue1472-bigloop.raw
		80	--
		81	2.25.1
		82


diff --git a/meta-oe/recipes-graphics/openjpeg/openjpeg_2.4.0.bb b/meta-oe/recipes-graphics/openjpeg/openjpeg_2.4.0.bb index 871b324dff..feecb957ba 100644 --- a/meta-oe/recipes-graphics/openjpeg/openjpeg_2.4.0.bb +++ b/meta-oe/recipes-graphics/openjpeg/openjpeg_2.4.0.bb
@@ -14,6 +14,7 @@ SRC_URI = " \
14	file://CVE-2021-3575.patch \	14	file://CVE-2021-3575.patch \
15	file://0001-sycc422_to_rgb-fix-out-of-bounds-read-accesses-when-.patch \	15	file://0001-sycc422_to_rgb-fix-out-of-bounds-read-accesses-when-.patch \
16	file://0001-opj_j2k_add_tlmarker-validate-that-current-tile-part.patch \	16	file://0001-opj_j2k_add_tlmarker-validate-that-current-tile-part.patch \
		17	file://CVE-2023-39327.patch \
17	"	18	"
18	SRCREV = "37ac30ceff6640bbab502388c5e0fa0bff23f505"	19	SRCREV = "37ac30ceff6640bbab502388c5e0fa0bff23f505"
19	S = "${WORKDIR}/git"	20	S = "${WORKDIR}/git"