summaryrefslogtreecommitdiffstats
path: root/meta-oe
diff options
context:
space:
mode:
authorZhang Peng <peng.zhang1.cn@windriver.com>2025-01-14 18:09:09 +0800
committerArmin Kuster <akuster808@gmail.com>2025-01-22 19:25:56 -0500
commit3749051d29bf546b0772583f4148a8000015febf (patch)
treee4600d6e49c9b3e2886ba57c2bd0dfce4958478f /meta-oe
parent954acdcf1b7306654dc4aba36a2c423d64ee5a80 (diff)
downloadmeta-openembedded-3749051d29bf546b0772583f4148a8000015febf.tar.gz
openjpeg: fix CVE-2024-56826
CVE-2024-56826: A flaw was found in the OpenJPEG project. A heap buffer overflow condition may be triggered when certain options are specified while using the opj_decompress utility. This can lead to an application crash or other undefined behavior. Reference: [https://nvd.nist.gov/vuln/detail/CVE-2024-56826] [https://github.com/uclouvain/openjpeg/issues/1563] Upstream patches: [https://github.com/uclouvain/openjpeg/commit/98592ee6d6904f1b48e8207238779b89a63befa2] Signed-off-by: Zhang Peng <peng.zhang1.cn@windriver.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
Diffstat (limited to 'meta-oe')
-rw-r--r--meta-oe/recipes-graphics/openjpeg/openjpeg/0001-sycc422_to_rgb-fix-out-of-bounds-read-accesses-when-.patch130
-rw-r--r--meta-oe/recipes-graphics/openjpeg/openjpeg_2.4.0.bb1
2 files changed, 131 insertions, 0 deletions
diff --git a/meta-oe/recipes-graphics/openjpeg/openjpeg/0001-sycc422_to_rgb-fix-out-of-bounds-read-accesses-when-.patch b/meta-oe/recipes-graphics/openjpeg/openjpeg/0001-sycc422_to_rgb-fix-out-of-bounds-read-accesses-when-.patch
new file mode 100644
index 0000000000..1943cf4ccf
--- /dev/null
+++ b/meta-oe/recipes-graphics/openjpeg/openjpeg/0001-sycc422_to_rgb-fix-out-of-bounds-read-accesses-when-.patch
@@ -0,0 +1,130 @@
1From 2bed72075bd17518907a6a57e3411669188e49bd Mon Sep 17 00:00:00 2001
2From: Even Rouault <even.rouault@spatialys.com>
3Date: Mon, 25 Nov 2024 23:11:24 +0100
4Subject: [PATCH] sycc422_to_rgb(): fix out-of-bounds read accesses when 2 *
5 width_component_1_or_2 + 1 == with_component_0
6
7Fixes #1563
8
9Also adjusts sycc420_to_rgb() for potential similar issue (amending
10commit 7bd884f8750892de4f50bf4642fcfbe7011c6bdf)
11
12CVE: CVE-2024-56826
13Upstream-Status: Backport [https://github.com/uclouvain/openjpeg/commit/98592ee6d6904f1b48e8207238779b89a63befa2]
14
15Signed-off-by: Zhang Peng <peng.zhang1.cn@windriver.com>
16---
17 src/bin/common/color.c | 42 ++++++++++++++++++++++++++++++++----------
18 1 file changed, 32 insertions(+), 10 deletions(-)
19
20diff --git a/src/bin/common/color.c b/src/bin/common/color.c
21index ae5d648d..e4924a15 100644
22--- a/src/bin/common/color.c
23+++ b/src/bin/common/color.c
24@@ -158,7 +158,7 @@ static void sycc422_to_rgb(opj_image_t *img)
25 {
26 int *d0, *d1, *d2, *r, *g, *b;
27 const int *y, *cb, *cr;
28- size_t maxw, maxh, max, offx, loopmaxw;
29+ size_t maxw, maxh, max, offx, loopmaxw, comp12w;
30 int offset, upb;
31 size_t i;
32
33@@ -167,6 +167,7 @@ static void sycc422_to_rgb(opj_image_t *img)
34 upb = (1 << upb) - 1;
35
36 maxw = (size_t)img->comps[0].w;
37+ comp12w = (size_t)img->comps[1].w;
38 maxh = (size_t)img->comps[0].h;
39 max = maxw * maxh;
40
41@@ -212,13 +213,19 @@ static void sycc422_to_rgb(opj_image_t *img)
42 ++cr;
43 }
44 if (j < loopmaxw) {
45- sycc_to_rgb(offset, upb, *y, *cb, *cr, r, g, b);
46+ if (j / 2 == comp12w) {
47+ sycc_to_rgb(offset, upb, *y, 0, 0, r, g, b);
48+ } else {
49+ sycc_to_rgb(offset, upb, *y, *cb, *cr, r, g, b);
50+ }
51 ++y;
52 ++r;
53 ++g;
54 ++b;
55- ++cb;
56- ++cr;
57+ if (j / 2 < comp12w) {
58+ ++cb;
59+ ++cr;
60+ }
61 }
62 }
63
64@@ -246,7 +253,7 @@ static void sycc420_to_rgb(opj_image_t *img)
65 {
66 int *d0, *d1, *d2, *r, *g, *b, *nr, *ng, *nb;
67 const int *y, *cb, *cr, *ny;
68- size_t maxw, maxh, max, offx, loopmaxw, offy, loopmaxh;
69+ size_t maxw, maxh, max, offx, loopmaxw, offy, loopmaxh, comp12w;
70 int offset, upb;
71 size_t i;
72
73@@ -255,6 +262,7 @@ static void sycc420_to_rgb(opj_image_t *img)
74 upb = (1 << upb) - 1;
75
76 maxw = (size_t)img->comps[0].w;
77+ comp12w = (size_t)img->comps[1].w;
78 maxh = (size_t)img->comps[0].h;
79 max = maxw * maxh;
80
81@@ -336,19 +344,29 @@ static void sycc420_to_rgb(opj_image_t *img)
82 ++cr;
83 }
84 if (j < loopmaxw) {
85- sycc_to_rgb(offset, upb, *y, *cb, *cr, r, g, b);
86+ if (j / 2 == comp12w) {
87+ sycc_to_rgb(offset, upb, *y, 0, 0, r, g, b);
88+ } else {
89+ sycc_to_rgb(offset, upb, *y, *cb, *cr, r, g, b);
90+ }
91 ++y;
92 ++r;
93 ++g;
94 ++b;
95
96- sycc_to_rgb(offset, upb, *ny, *cb, *cr, nr, ng, nb);
97+ if (j / 2 == comp12w) {
98+ sycc_to_rgb(offset, upb, *ny, 0, 0, nr, ng, nb);
99+ } else {
100+ sycc_to_rgb(offset, upb, *ny, *cb, *cr, nr, ng, nb);
101+ }
102 ++ny;
103 ++nr;
104 ++ng;
105 ++nb;
106- ++cb;
107- ++cr;
108+ if (j / 2 < comp12w) {
109+ ++cb;
110+ ++cr;
111+ }
112 }
113 y += maxw;
114 r += maxw;
115@@ -384,7 +402,11 @@ static void sycc420_to_rgb(opj_image_t *img)
116 ++cr;
117 }
118 if (j < loopmaxw) {
119- sycc_to_rgb(offset, upb, *y, *cb, *cr, r, g, b);
120+ if (j / 2 == comp12w) {
121+ sycc_to_rgb(offset, upb, *y, 0, 0, r, g, b);
122+ } else {
123+ sycc_to_rgb(offset, upb, *y, *cb, *cr, r, g, b);
124+ }
125 }
126 }
127
128--
1292.39.4
130
diff --git a/meta-oe/recipes-graphics/openjpeg/openjpeg_2.4.0.bb b/meta-oe/recipes-graphics/openjpeg/openjpeg_2.4.0.bb
index a619c07aa4..9c0fe0e30f 100644
--- a/meta-oe/recipes-graphics/openjpeg/openjpeg_2.4.0.bb
+++ b/meta-oe/recipes-graphics/openjpeg/openjpeg_2.4.0.bb
@@ -12,6 +12,7 @@ SRC_URI = " \
12 file://CVE-2021-29338.patch \ 12 file://CVE-2021-29338.patch \
13 file://CVE-2022-1122.patch \ 13 file://CVE-2022-1122.patch \
14 file://CVE-2021-3575.patch \ 14 file://CVE-2021-3575.patch \
15 file://0001-sycc422_to_rgb-fix-out-of-bounds-read-accesses-when-.patch \
15" 16"
16SRCREV = "37ac30ceff6640bbab502388c5e0fa0bff23f505" 17SRCREV = "37ac30ceff6640bbab502388c5e0fa0bff23f505"
17S = "${WORKDIR}/git" 18S = "${WORKDIR}/git"