openjpeg: Backport fix CVE-2021-3575

Upstream-Status: Backport from https://github.com/uclouvain/openjpeg/commit/7bd884f8750892de4f50bf4642fcfbe7011c6bdf Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
author: Vivek Kumbhar <vkumbhar@mvista.com> 2024-03-15 10:50:07 +0530
committer: Armin Kuster <akuster808@gmail.com> 2024-03-25 07:11:05 -0400
commit: 9a22be4267b39bcdbcea4d7496a6867a40153c93 (patch)
tree: 7a656f78805fa07fa458db0667189cb17025424c /meta-oe
parent: 1a3b9da20a4744afaae4a74d0f16c47d888fa235 (diff)
download: meta-openembedded-9a22be4267b39bcdbcea4d7496a6867a40153c93.tar.gz
2 files changed, 46 insertions, 0 deletions
diff --git a/meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2021-3575.patch b/meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2021-3575.patch
new file mode 100644
index 0000000000..0322f55cc7
--- /dev/null
+++ b/meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2021-3575.patch
@@ -0,0 +1,45 @@
+From 7bd884f8750892de4f50bf4642fcfbe7011c6bdf Mon Sep 17 00:00:00 2001
+From: Even Rouault <even.rouault@spatialys.com>
+Date: Sun, 18 Feb 2024 17:02:25 +0100
+Subject: [PATCH] opj_decompress: fix off-by-one read heap-buffer-overflow in
+ sycc420_to_rgb() when x0 and y0 are odd (CVE-2021-3575, fixes #1347)
+Upstream-Status: Backport [https://github.com/uclouvain/openjpeg/commit/7bd884f8750892de4f50bf4642fcfbe7011c6bdf]
+CVE: CVE-2021-3575
+Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com>
+---
+ src/bin/common/color.c | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+diff --git a/src/bin/common/color.c b/src/bin/common/color.c
+index 27f15f13..ae5d648d 100644
+--- a/src/bin/common/color.c
+++ b/src/bin/common/color.c
+@@ -358,7 +358,15 @@ static void sycc420_to_rgb(opj_image_t *img)
+     if (i < loopmaxh) {
+         size_t j;
+-        for (j = 0U; j < (maxw & ~(size_t)1U); j += 2U) {
+        if (offx > 0U) {
+            sycc_to_rgb(offset, upb, *y, 0, 0, r, g, b);
+            ++y;
+            ++r;
+            ++g;
+            ++b;
+        }
+
+        for (j = 0U; j < (loopmaxw & ~(size_t)1U); j += 2U) {
+             sycc_to_rgb(offset, upb, *y, *cb, *cr, r, g, b);
+             ++y;
+@@ -375,7 +383,7 @@ static void sycc420_to_rgb(opj_image_t *img)
+             ++cb;
+             ++cr;
+         }
+-        if (j < maxw) {
+        if (j < loopmaxw) {
+             sycc_to_rgb(offset, upb, *y, *cb, *cr, r, g, b);
+         }
+     }
+--
+2.39.3
diff --git a/meta-oe/recipes-graphics/openjpeg/openjpeg_2.4.0.bb b/meta-oe/recipes-graphics/openjpeg/openjpeg_2.4.0.bb
index 1c090fdea5..a619c07aa4 100644
--- a/meta-oe/recipes-graphics/openjpeg/openjpeg_2.4.0.bb
+++ b/meta-oe/recipes-graphics/openjpeg/openjpeg_2.4.0.bb
@@ -11,6 +11,7 @@ SRC_URI = " \
    file://0001-This-patch-fixed-include-dir-to-usr-include-.-Obviou.patch \
    file://CVE-2021-29338.patch \
    file://CVE-2022-1122.patch \
+    file://CVE-2021-3575.patch \
 "
 SRCREV = "37ac30ceff6640bbab502388c5e0fa0bff23f505"
 S = "${WORKDIR}/git"
author	Vivek Kumbhar <vkumbhar@mvista.com>	2024-03-15 10:50:07 +0530
committer	Armin Kuster <akuster808@gmail.com>	2024-03-25 07:11:05 -0400
commit	9a22be4267b39bcdbcea4d7496a6867a40153c93 (patch)
tree	7a656f78805fa07fa458db0667189cb17025424c /meta-oe
parent	1a3b9da20a4744afaae4a74d0f16c47d888fa235 (diff)
download	meta-openembedded-9a22be4267b39bcdbcea4d7496a6867a40153c93.tar.gz

diff --git a/meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2021-3575.patch b/meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2021-3575.patch new file mode 100644 index 0000000000..0322f55cc7 --- /dev/null +++ b/meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2021-3575.patch
@@ -0,0 +1,45 @@
		1	From 7bd884f8750892de4f50bf4642fcfbe7011c6bdf Mon Sep 17 00:00:00 2001
		2	From: Even Rouault <even.rouault@spatialys.com>
		3	Date: Sun, 18 Feb 2024 17:02:25 +0100
		4	Subject: [PATCH] opj_decompress: fix off-by-one read heap-buffer-overflow in
		5	sycc420_to_rgb() when x0 and y0 are odd (CVE-2021-3575, fixes #1347)
		6
		7	Upstream-Status: Backport [https://github.com/uclouvain/openjpeg/commit/7bd884f8750892de4f50bf4642fcfbe7011c6bdf]
		8	CVE: CVE-2021-3575
		9	Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com>
		10	---
		11	src/bin/common/color.c \| 12 ++++++++++--
		12	1 file changed, 10 insertions(+), 2 deletions(-)
		13
		14	diff --git a/src/bin/common/color.c b/src/bin/common/color.c
		15	index 27f15f13..ae5d648d 100644
		16	--- a/src/bin/common/color.c
		17	+++ b/src/bin/common/color.c
		18	@@ -358,7 +358,15 @@ static void sycc420_to_rgb(opj_image_t *img)
		19	if (i < loopmaxh) {
		20	size_t j;
		21
		22	- for (j = 0U; j < (maxw & ~(size_t)1U); j += 2U) {
		23	+ if (offx > 0U) {
		24	+ sycc_to_rgb(offset, upb, *y, 0, 0, r, g, b);
		25	+ ++y;
		26	+ ++r;
		27	+ ++g;
		28	+ ++b;
		29	+ }
		30	+
		31	+ for (j = 0U; j < (loopmaxw & ~(size_t)1U); j += 2U) {
		32	sycc_to_rgb(offset, upb, y, cb, *cr, r, g, b);
		33
		34	++y;
		35	@@ -375,7 +383,7 @@ static void sycc420_to_rgb(opj_image_t *img)
		36	++cb;
		37	++cr;
		38	}
		39	- if (j < maxw) {
		40	+ if (j < loopmaxw) {
		41	sycc_to_rgb(offset, upb, y, cb, *cr, r, g, b);
		42	}
		43	}
		44	--
		45	2.39.3


diff --git a/meta-oe/recipes-graphics/openjpeg/openjpeg_2.4.0.bb b/meta-oe/recipes-graphics/openjpeg/openjpeg_2.4.0.bb index 1c090fdea5..a619c07aa4 100644 --- a/meta-oe/recipes-graphics/openjpeg/openjpeg_2.4.0.bb +++ b/meta-oe/recipes-graphics/openjpeg/openjpeg_2.4.0.bb
@@ -11,6 +11,7 @@ SRC_URI = " \
11	file://0001-This-patch-fixed-include-dir-to-usr-include-.-Obviou.patch \	11	file://0001-This-patch-fixed-include-dir-to-usr-include-.-Obviou.patch \
12	file://CVE-2021-29338.patch \	12	file://CVE-2021-29338.patch \
13	file://CVE-2022-1122.patch \	13	file://CVE-2022-1122.patch \
		14	file://CVE-2021-3575.patch \
14	"	15	"
15	SRCREV = "37ac30ceff6640bbab502388c5e0fa0bff23f505"	16	SRCREV = "37ac30ceff6640bbab502388c5e0fa0bff23f505"
16	S = "${WORKDIR}/git"	17	S = "${WORKDIR}/git"