diff options
| author | Zhang Peng <peng.zhang1.cn@windriver.com> | 2025-01-14 18:09:09 +0800 |
|---|---|---|
| committer | Armin Kuster <akuster808@gmail.com> | 2025-01-22 19:25:56 -0500 |
| commit | 3749051d29bf546b0772583f4148a8000015febf (patch) | |
| tree | e4600d6e49c9b3e2886ba57c2bd0dfce4958478f /meta-oe | |
| parent | 954acdcf1b7306654dc4aba36a2c423d64ee5a80 (diff) | |
| download | meta-openembedded-3749051d29bf546b0772583f4148a8000015febf.tar.gz | |
openjpeg: fix CVE-2024-56826
CVE-2024-56826:
A flaw was found in the OpenJPEG project. A heap buffer overflow
condition may be triggered when certain options are specified while
using the opj_decompress utility. This can lead to an application crash
or other undefined behavior.
Reference:
[https://nvd.nist.gov/vuln/detail/CVE-2024-56826]
[https://github.com/uclouvain/openjpeg/issues/1563]
Upstream patches:
[https://github.com/uclouvain/openjpeg/commit/98592ee6d6904f1b48e8207238779b89a63befa2]
Signed-off-by: Zhang Peng <peng.zhang1.cn@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Diffstat (limited to 'meta-oe')
| -rw-r--r-- | meta-oe/recipes-graphics/openjpeg/openjpeg/0001-sycc422_to_rgb-fix-out-of-bounds-read-accesses-when-.patch | 130 | ||||
| -rw-r--r-- | meta-oe/recipes-graphics/openjpeg/openjpeg_2.4.0.bb | 1 |
2 files changed, 131 insertions, 0 deletions
diff --git a/meta-oe/recipes-graphics/openjpeg/openjpeg/0001-sycc422_to_rgb-fix-out-of-bounds-read-accesses-when-.patch b/meta-oe/recipes-graphics/openjpeg/openjpeg/0001-sycc422_to_rgb-fix-out-of-bounds-read-accesses-when-.patch new file mode 100644 index 0000000000..1943cf4ccf --- /dev/null +++ b/meta-oe/recipes-graphics/openjpeg/openjpeg/0001-sycc422_to_rgb-fix-out-of-bounds-read-accesses-when-.patch | |||
| @@ -0,0 +1,130 @@ | |||
| 1 | From 2bed72075bd17518907a6a57e3411669188e49bd Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Even Rouault <even.rouault@spatialys.com> | ||
| 3 | Date: Mon, 25 Nov 2024 23:11:24 +0100 | ||
| 4 | Subject: [PATCH] sycc422_to_rgb(): fix out-of-bounds read accesses when 2 * | ||
| 5 | width_component_1_or_2 + 1 == with_component_0 | ||
| 6 | |||
| 7 | Fixes #1563 | ||
| 8 | |||
| 9 | Also adjusts sycc420_to_rgb() for potential similar issue (amending | ||
| 10 | commit 7bd884f8750892de4f50bf4642fcfbe7011c6bdf) | ||
| 11 | |||
| 12 | CVE: CVE-2024-56826 | ||
| 13 | Upstream-Status: Backport [https://github.com/uclouvain/openjpeg/commit/98592ee6d6904f1b48e8207238779b89a63befa2] | ||
| 14 | |||
| 15 | Signed-off-by: Zhang Peng <peng.zhang1.cn@windriver.com> | ||
| 16 | --- | ||
| 17 | src/bin/common/color.c | 42 ++++++++++++++++++++++++++++++++---------- | ||
| 18 | 1 file changed, 32 insertions(+), 10 deletions(-) | ||
| 19 | |||
| 20 | diff --git a/src/bin/common/color.c b/src/bin/common/color.c | ||
| 21 | index ae5d648d..e4924a15 100644 | ||
| 22 | --- a/src/bin/common/color.c | ||
| 23 | +++ b/src/bin/common/color.c | ||
| 24 | @@ -158,7 +158,7 @@ static void sycc422_to_rgb(opj_image_t *img) | ||
| 25 | { | ||
| 26 | int *d0, *d1, *d2, *r, *g, *b; | ||
| 27 | const int *y, *cb, *cr; | ||
| 28 | - size_t maxw, maxh, max, offx, loopmaxw; | ||
| 29 | + size_t maxw, maxh, max, offx, loopmaxw, comp12w; | ||
| 30 | int offset, upb; | ||
| 31 | size_t i; | ||
| 32 | |||
| 33 | @@ -167,6 +167,7 @@ static void sycc422_to_rgb(opj_image_t *img) | ||
| 34 | upb = (1 << upb) - 1; | ||
| 35 | |||
| 36 | maxw = (size_t)img->comps[0].w; | ||
| 37 | + comp12w = (size_t)img->comps[1].w; | ||
| 38 | maxh = (size_t)img->comps[0].h; | ||
| 39 | max = maxw * maxh; | ||
| 40 | |||
| 41 | @@ -212,13 +213,19 @@ static void sycc422_to_rgb(opj_image_t *img) | ||
| 42 | ++cr; | ||
| 43 | } | ||
| 44 | if (j < loopmaxw) { | ||
| 45 | - sycc_to_rgb(offset, upb, *y, *cb, *cr, r, g, b); | ||
| 46 | + if (j / 2 == comp12w) { | ||
| 47 | + sycc_to_rgb(offset, upb, *y, 0, 0, r, g, b); | ||
| 48 | + } else { | ||
| 49 | + sycc_to_rgb(offset, upb, *y, *cb, *cr, r, g, b); | ||
| 50 | + } | ||
| 51 | ++y; | ||
| 52 | ++r; | ||
| 53 | ++g; | ||
| 54 | ++b; | ||
| 55 | - ++cb; | ||
| 56 | - ++cr; | ||
| 57 | + if (j / 2 < comp12w) { | ||
| 58 | + ++cb; | ||
| 59 | + ++cr; | ||
| 60 | + } | ||
| 61 | } | ||
| 62 | } | ||
| 63 | |||
| 64 | @@ -246,7 +253,7 @@ static void sycc420_to_rgb(opj_image_t *img) | ||
| 65 | { | ||
| 66 | int *d0, *d1, *d2, *r, *g, *b, *nr, *ng, *nb; | ||
| 67 | const int *y, *cb, *cr, *ny; | ||
| 68 | - size_t maxw, maxh, max, offx, loopmaxw, offy, loopmaxh; | ||
| 69 | + size_t maxw, maxh, max, offx, loopmaxw, offy, loopmaxh, comp12w; | ||
| 70 | int offset, upb; | ||
| 71 | size_t i; | ||
| 72 | |||
| 73 | @@ -255,6 +262,7 @@ static void sycc420_to_rgb(opj_image_t *img) | ||
| 74 | upb = (1 << upb) - 1; | ||
| 75 | |||
| 76 | maxw = (size_t)img->comps[0].w; | ||
| 77 | + comp12w = (size_t)img->comps[1].w; | ||
| 78 | maxh = (size_t)img->comps[0].h; | ||
| 79 | max = maxw * maxh; | ||
| 80 | |||
| 81 | @@ -336,19 +344,29 @@ static void sycc420_to_rgb(opj_image_t *img) | ||
| 82 | ++cr; | ||
| 83 | } | ||
| 84 | if (j < loopmaxw) { | ||
| 85 | - sycc_to_rgb(offset, upb, *y, *cb, *cr, r, g, b); | ||
| 86 | + if (j / 2 == comp12w) { | ||
| 87 | + sycc_to_rgb(offset, upb, *y, 0, 0, r, g, b); | ||
| 88 | + } else { | ||
| 89 | + sycc_to_rgb(offset, upb, *y, *cb, *cr, r, g, b); | ||
| 90 | + } | ||
| 91 | ++y; | ||
| 92 | ++r; | ||
| 93 | ++g; | ||
| 94 | ++b; | ||
| 95 | |||
| 96 | - sycc_to_rgb(offset, upb, *ny, *cb, *cr, nr, ng, nb); | ||
| 97 | + if (j / 2 == comp12w) { | ||
| 98 | + sycc_to_rgb(offset, upb, *ny, 0, 0, nr, ng, nb); | ||
| 99 | + } else { | ||
| 100 | + sycc_to_rgb(offset, upb, *ny, *cb, *cr, nr, ng, nb); | ||
| 101 | + } | ||
| 102 | ++ny; | ||
| 103 | ++nr; | ||
| 104 | ++ng; | ||
| 105 | ++nb; | ||
| 106 | - ++cb; | ||
| 107 | - ++cr; | ||
| 108 | + if (j / 2 < comp12w) { | ||
| 109 | + ++cb; | ||
| 110 | + ++cr; | ||
| 111 | + } | ||
| 112 | } | ||
| 113 | y += maxw; | ||
| 114 | r += maxw; | ||
| 115 | @@ -384,7 +402,11 @@ static void sycc420_to_rgb(opj_image_t *img) | ||
| 116 | ++cr; | ||
| 117 | } | ||
| 118 | if (j < loopmaxw) { | ||
| 119 | - sycc_to_rgb(offset, upb, *y, *cb, *cr, r, g, b); | ||
| 120 | + if (j / 2 == comp12w) { | ||
| 121 | + sycc_to_rgb(offset, upb, *y, 0, 0, r, g, b); | ||
| 122 | + } else { | ||
| 123 | + sycc_to_rgb(offset, upb, *y, *cb, *cr, r, g, b); | ||
| 124 | + } | ||
| 125 | } | ||
| 126 | } | ||
| 127 | |||
| 128 | -- | ||
| 129 | 2.39.4 | ||
| 130 | |||
diff --git a/meta-oe/recipes-graphics/openjpeg/openjpeg_2.4.0.bb b/meta-oe/recipes-graphics/openjpeg/openjpeg_2.4.0.bb index a619c07aa4..9c0fe0e30f 100644 --- a/meta-oe/recipes-graphics/openjpeg/openjpeg_2.4.0.bb +++ b/meta-oe/recipes-graphics/openjpeg/openjpeg_2.4.0.bb | |||
| @@ -12,6 +12,7 @@ SRC_URI = " \ | |||
| 12 | file://CVE-2021-29338.patch \ | 12 | file://CVE-2021-29338.patch \ |
| 13 | file://CVE-2022-1122.patch \ | 13 | file://CVE-2022-1122.patch \ |
| 14 | file://CVE-2021-3575.patch \ | 14 | file://CVE-2021-3575.patch \ |
| 15 | file://0001-sycc422_to_rgb-fix-out-of-bounds-read-accesses-when-.patch \ | ||
| 15 | " | 16 | " |
| 16 | SRCREV = "37ac30ceff6640bbab502388c5e0fa0bff23f505" | 17 | SRCREV = "37ac30ceff6640bbab502388c5e0fa0bff23f505" |
| 17 | S = "${WORKDIR}/git" | 18 | S = "${WORKDIR}/git" |
