2 files changed, 171 insertions, 0 deletions

diff --git a/meta-oe/recipes-graphics/jasper/jasper/CVE-2025-8835.patch b/meta-oe/recipes-graphics/jasper/jasper/CVE-2025-8835.patch
new file mode 100644
index 0000000000..d781d24361
--- /dev/null
+++ b/meta-oe/recipes-graphics/jasper/jasper/CVE-2025-8835.patch
@@ -0,0 +1,170 @@
+From 8c72f24556b2418f5689713eb706014423473a73 Mon Sep 17 00:00:00 2001
+From: Michael Adams <mdadams@ece.uvic.ca>
+Date: Tue, 29 Jul 2025 20:16:35 -0700
+Subject: [PATCH] Fixes #400.
+
+Added a check for a missing color component in the jas_image_chclrspc
+function.
+
+CVE: CVE-2025-8835
+Upstream-Status: Backport [https://github.com/jasper-software/jasper/commit/bb7d62bd0a2a8e0e1fdb4d603f3305f955158c52]
+
+Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
+---
+ src/libjasper/base/jas_image.c | 73 ++++++++++++++++++++++++++++------
+ 1 file changed, 61 insertions(+), 12 deletions(-)
+
+diff --git a/src/libjasper/base/jas_image.c b/src/libjasper/base/jas_image.c
+index 68a94e1..bfbf9e5 100644
+--- a/src/libjasper/base/jas_image.c
++++ b/src/libjasper/base/jas_image.c
+@@ -112,7 +112,8 @@ static long convert(long val, bool oldsgnd, unsigned oldprec, bool newsgnd,
+   unsigned newprec);
+ static void jas_image_calcbbox2(const jas_image_t *image, jas_image_coord_t *tlx,
+   jas_image_coord_t *tly, jas_image_coord_t *brx, jas_image_coord_t *bry);
+-
++static jas_cmcmptfmt_t* jas_cmcmptfmt_array_create(int n);
++static void jas_cmcmptfmt_array_destroy(jas_cmcmptfmt_t* cmptfmts, int n);
+ /******************************************************************************\
+ * Global data.
+ \******************************************************************************/
+@@ -409,6 +410,36 @@ static void jas_image_cmpt_destroy(jas_image_cmpt_t *cmpt)
+        jas_free(cmpt);
+ }
+ 
++static jas_cmcmptfmt_t* jas_cmcmptfmt_array_create(int n)
++{
++       jas_cmcmptfmt_t* cmptfmts;
++       JAS_DBGLOG(10, ("jas_cmcmptfmt_array_create(%d)\n", n));
++       if (!(cmptfmts = jas_alloc2(n, sizeof(jas_cmcmptfmt_t)))) {
++               return 0;
++       }
++       for (int i = 0; i < n; ++i) {
++               cmptfmts[i].buf = 0;
++       }
++       JAS_DBGLOG(10, ("jas_cmcmptfmt_array_create(%d) returning %p\n", n,
++         JAS_CAST(void *, cmptfmts)));
++       return cmptfmts;
++}
++
++static void jas_cmcmptfmt_array_destroy(jas_cmcmptfmt_t* cmptfmts, int n)
++{
++       assert(cmptfmts);
++       assert(n > 0);
++       JAS_DBGLOG(10, ("jas_cmcmptfmt_array_destroy(%p, %d)\n",
++         JAS_CAST(void *, cmptfmts), n));
++       for (int i = 0; i < n; ++i) {
++               if (cmptfmts[i].buf) {
++                       jas_free(cmptfmts[i].buf);
++               }
++               cmptfmts[i].buf = 0;
++       }
++       jas_free(cmptfmts);
++}
++
+ /******************************************************************************\
+ * Load and save operations.
+ \******************************************************************************/
+@@ -1470,12 +1501,15 @@ jas_image_t *jas_image_chclrspc(jas_image_t *image, const jas_cmprof_t *outprof,
+        jas_cmcmptfmt_t *incmptfmts;
+        jas_cmcmptfmt_t *outcmptfmts;
+ 
++       assert(image);
++       assert(outprof);
++
+ #if 0
+ jas_eprintf("IMAGE\n");
+ jas_image_dump(image, stderr);
+ #endif
+ 
+-       if (image->numcmpts_ == 0)
++       if (!jas_image_numcmpts(image))
+                /* can't work with a file with no components;
+                   continuing would crash because we'd attempt to
+                   obtain information about the first component */
+@@ -1483,6 +1517,8 @@ jas_image_dump(image, stderr);
+ 
+        outimage = 0;
+        xform = 0;
++       incmptfmts = 0;
++       outcmptfmts = 0;
+        if (!(inimage = jas_image_copy(image)))
+                goto error;
+        image = 0;
+@@ -1565,15 +1601,21 @@ jas_image_dump(image, stderr);
+        }
+ 
+        inpixmap.numcmpts = numinclrchans;
+-       if (!(incmptfmts = jas_alloc2(numinclrchans, sizeof(jas_cmcmptfmt_t)))) {
++       assert(numinclrchans != 0);
++       if (!(incmptfmts = jas_cmcmptfmt_array_create(numinclrchans))) {
+                abort();
+        }
+        inpixmap.cmptfmts = incmptfmts;
+        for (unsigned i = 0; i < numinclrchans; ++i) {
+                const int j = jas_image_getcmptbytype(inimage, JAS_IMAGE_CT_COLOR(i));
++               if (j < 0) {
++                       jas_eprintf("missing color component %d\n", i);
++                       goto error;
++               }
+                if (!(incmptfmts[i].buf = jas_alloc2(width, sizeof(long)))) {
+                        goto error;
+                }
++               assert(j >= 0 && j < jas_image_numcmpts(inimage));
+                incmptfmts[i].prec = jas_image_cmptprec(inimage, j);
+                incmptfmts[i].sgnd = jas_image_cmptsgnd(inimage, j);
+                incmptfmts[i].width = width;
+@@ -1581,15 +1623,20 @@ jas_image_dump(image, stderr);
+        }
+ 
+        outpixmap.numcmpts = numoutclrchans;
+-       if (!(outcmptfmts = jas_alloc2(numoutclrchans, sizeof(jas_cmcmptfmt_t)))) {
++       if (!(outcmptfmts = jas_cmcmptfmt_array_create(numoutclrchans))) {
+                abort();
+        }
+        outpixmap.cmptfmts = outcmptfmts;
+ 
+        for (unsigned i = 0; i < numoutclrchans; ++i) {
+                const int j = jas_image_getcmptbytype(outimage, JAS_IMAGE_CT_COLOR(i));
++               if (j < 0) {
++                       jas_eprintf("missing color component %d\n", i);
++                       goto error;
++               }
+                if (!(outcmptfmts[i].buf = jas_alloc2(width, sizeof(long))))
+                        goto error;
++               assert(j >= 0 && j < jas_image_numcmpts(outimage));
+                outcmptfmts[i].prec = jas_image_cmptprec(outimage, j);
+                outcmptfmts[i].sgnd = jas_image_cmptsgnd(outimage, j);
+                outcmptfmts[i].width = width;
+@@ -1612,14 +1659,8 @@ jas_image_dump(image, stderr);
+                }
+        }
+ 
+-       for (unsigned i = 0; i < numoutclrchans; ++i) {
+-               jas_free(outcmptfmts[i].buf);
+-       }
+-       jas_free(outcmptfmts);
+-       for (unsigned i = 0; i < numinclrchans; ++i) {
+-               jas_free(incmptfmts[i].buf);
+-       }
+-       jas_free(incmptfmts);
++       jas_cmcmptfmt_array_destroy(outcmptfmts, numoutclrchans);
++       jas_cmcmptfmt_array_destroy(incmptfmts, numinclrchans);
+        jas_cmxform_destroy(xform);
+        jas_image_destroy(inimage);
+ 
+@@ -1631,6 +1672,14 @@ jas_image_dump(outimage, stderr);
+ #endif
+        return outimage;
+ error:
++       if (incmptfmts) {
++               assert(numinclrchans);
++               jas_cmcmptfmt_array_destroy(incmptfmts, numinclrchans);
++       }
++       if (outcmptfmts) {
++               assert(numoutclrchans);
++               jas_cmcmptfmt_array_destroy(outcmptfmts, numoutclrchans);
++       }
+        if (xform)
+                jas_cmxform_destroy(xform);
+        if (inimage)
diff --git a/meta-oe/recipes-graphics/jasper/jasper_2.0.33.bb b/meta-oe/recipes-graphics/jasper/jasper_2.0.33.bb
index 522adba93d..c314da539f 100644
--- a/meta-oe/recipes-graphics/jasper/jasper_2.0.33.bb
+++ b/meta-oe/recipes-graphics/jasper/jasper_2.0.33.bb
@@ -5,6 +5,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=a80440d1d8f17d041c71c7271d6e06eb"
 
 SRC_URI = "git://github.com/jasper-software/jasper.git;protocol=https;branch=master \
            file://CVE-2023-51257.patch \
+           file://CVE-2025-8835.patch \
            "
 SRCREV = "fe00207dc10db1d7cc6f2757961c5c6bdfd10973"