3 files changed, 70 insertions, 1 deletions
diff --git a/meta-oe/recipes-support/lcms/lcms/CVE-2026-41254_1.patch b/meta-oe/recipes-support/lcms/lcms/CVE-2026-41254_1.patch
new file mode 100644
index 0000000000..7bf46706e5
--- /dev/null
+++ b/meta-oe/recipes-support/lcms/lcms/CVE-2026-41254_1.patch
@@ -0,0 +1,30 @@
+From 524f3df7511b49543a65a7de2a08640777c1b29c Mon Sep 17 00:00:00 2001
+From: Marti Maria <marti.maria@littlecms.com>
+Date: Thu, 19 Feb 2026 09:07:20 +0100
+Subject: [PATCH] Fix integer overflow in CubeSize()
+Thanks to @zerojackyi for reporting
+(cherry picked from commit da6110b1d14abc394633a388209abd5ebedd7ab0)
+CVE: CVE-2026-41254
+Upstream-Status: Backport [https://github.com/mm2/Little-CMS/commit/da6110b1d14abc394633a388209abd5ebedd7ab0]
+Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
+---
+ src/cmslut.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+diff --git a/src/cmslut.c b/src/cmslut.c
+index 1ea61a8..3488d0c 100644
+--- a/src/cmslut.c
+++ b/src/cmslut.c
+@@ -460,7 +460,8 @@ void EvaluateCLUTfloatIn16(const cmsFloat32Number In[], cmsFloat32Number Out[],
+ static
+ cmsUInt32Number CubeSize(const cmsUInt32Number Dims[], cmsUInt32Number b)
+ {
+-    cmsUInt32Number rv, dim;
+    cmsUInt32Number dim;
+    cmsUInt64Number rv;
+ 
+     _cmsAssert(Dims != NULL);
+ 
diff --git a/meta-oe/recipes-support/lcms/lcms/CVE-2026-41254_2.patch b/meta-oe/recipes-support/lcms/lcms/CVE-2026-41254_2.patch
new file mode 100644
index 0000000000..0602258ef5
--- /dev/null
+++ b/meta-oe/recipes-support/lcms/lcms/CVE-2026-41254_2.patch
@@ -0,0 +1,36 @@
+From 73ffd45705d368c159bb819ab0b1a033638c3ffe Mon Sep 17 00:00:00 2001
+From: Marti Maria <marti.maria@littlecms.com>
+Date: Thu, 12 Mar 2026 22:57:35 +0100
+Subject: [PATCH] check for overflow
+Thanks to Guanni Qu for detecting & reporting the issue
+(cherry picked from commit e0641b1828d0a1af5ecb1b11fe22f24fceefd4bc)
+CVE: CVE-2026-41254
+Upstream-Status: Backport [https://github.com/mm2/Little-CMS/commit/e0641b1828d0a1af5ecb1b11fe22f24fceefd4bc]
+Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
+---
+ src/cmslut.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+diff --git a/src/cmslut.c b/src/cmslut.c
+index 3488d0c..f2d0ec4 100644
+--- a/src/cmslut.c
+++ b/src/cmslut.c
+@@ -468,12 +468,12 @@ cmsUInt32Number CubeSize(const cmsUInt32Number Dims[], cmsUInt32Number b)
+     for (rv = 1; b > 0; b--) {
+ 
+         dim = Dims[b-1];
+-        if (dim <= 1) return 0;  // Error
+-
+-        rv *= dim;
+        if (dim <= 1) return 0;  
+ 
+         // Check for overflow
+         if (rv > UINT_MAX / dim) return 0;
+
+        rv *= dim;
+     }
+ 
+     // Again, prevent overflow
diff --git a/meta-oe/recipes-support/lcms/lcms_2.16.bb b/meta-oe/recipes-support/lcms/lcms_2.16.bb
index 9422c7330b..c67653757f 100644
--- a/meta-oe/recipes-support/lcms/lcms_2.16.bb
+++ b/meta-oe/recipes-support/lcms/lcms_2.16.bb
@@ -3,7 +3,10 @@ SECTION = "libs"
 LICENSE = "MIT"
 LIC_FILES_CHKSUM = "file://LICENSE;md5=e9ce323c4b71c943a785db90142b228a"
-SRC_URI = "${SOURCEFORGE_MIRROR}/lcms/lcms2-${PV}.tar.gz"
+SRC_URI = "${SOURCEFORGE_MIRROR}/lcms/lcms2-${PV}.tar.gz \
+        file://CVE-2026-41254_1.patch \
+        file://CVE-2026-41254_2.patch \
+"
 SRC_URI[sha256sum] = "d873d34ad8b9b4cea010631f1a6228d2087475e4dc5e763eb81acc23d9d45a51"
 DEPENDS = "tiff"

diff --git a/meta-oe/recipes-support/lcms/lcms/CVE-2026-41254_1.patch b/meta-oe/recipes-support/lcms/lcms/CVE-2026-41254_1.patch new file mode 100644 index 0000000000..7bf46706e5 --- /dev/null +++ b/meta-oe/recipes-support/lcms/lcms/CVE-2026-41254_1.patch
@@ -0,0 +1,30 @@
		1	From 524f3df7511b49543a65a7de2a08640777c1b29c Mon Sep 17 00:00:00 2001
		2	From: Marti Maria <marti.maria@littlecms.com>
		3	Date: Thu, 19 Feb 2026 09:07:20 +0100
		4	Subject: [PATCH] Fix integer overflow in CubeSize()
		5
		6	Thanks to @zerojackyi for reporting
		7
		8	(cherry picked from commit da6110b1d14abc394633a388209abd5ebedd7ab0)
		9
		10	CVE: CVE-2026-41254
		11	Upstream-Status: Backport [https://github.com/mm2/Little-CMS/commit/da6110b1d14abc394633a388209abd5ebedd7ab0]
		12	Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
		13	---
		14	src/cmslut.c \| 3 ++-
		15	1 file changed, 2 insertions(+), 1 deletion(-)
		16
		17	diff --git a/src/cmslut.c b/src/cmslut.c
		18	index 1ea61a8..3488d0c 100644
		19	--- a/src/cmslut.c
		20	+++ b/src/cmslut.c
		21	@@ -460,7 +460,8 @@ void EvaluateCLUTfloatIn16(const cmsFloat32Number In[], cmsFloat32Number Out[],
		22	static
		23	cmsUInt32Number CubeSize(const cmsUInt32Number Dims[], cmsUInt32Number b)
		24	{
		25	- cmsUInt32Number rv, dim;
		26	+ cmsUInt32Number dim;
		27	+ cmsUInt64Number rv;
		28
		29	_cmsAssert(Dims != NULL);
		30


diff --git a/meta-oe/recipes-support/lcms/lcms/CVE-2026-41254_2.patch b/meta-oe/recipes-support/lcms/lcms/CVE-2026-41254_2.patch new file mode 100644 index 0000000000..0602258ef5 --- /dev/null +++ b/meta-oe/recipes-support/lcms/lcms/CVE-2026-41254_2.patch
@@ -0,0 +1,36 @@
		1	From 73ffd45705d368c159bb819ab0b1a033638c3ffe Mon Sep 17 00:00:00 2001
		2	From: Marti Maria <marti.maria@littlecms.com>
		3	Date: Thu, 12 Mar 2026 22:57:35 +0100
		4	Subject: [PATCH] check for overflow
		5
		6	Thanks to Guanni Qu for detecting & reporting the issue
		7
		8	(cherry picked from commit e0641b1828d0a1af5ecb1b11fe22f24fceefd4bc)
		9
		10	CVE: CVE-2026-41254
		11	Upstream-Status: Backport [https://github.com/mm2/Little-CMS/commit/e0641b1828d0a1af5ecb1b11fe22f24fceefd4bc]
		12	Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
		13	---
		14	src/cmslut.c \| 6 +++---
		15	1 file changed, 3 insertions(+), 3 deletions(-)
		16
		17	diff --git a/src/cmslut.c b/src/cmslut.c
		18	index 3488d0c..f2d0ec4 100644
		19	--- a/src/cmslut.c
		20	+++ b/src/cmslut.c
		21	@@ -468,12 +468,12 @@ cmsUInt32Number CubeSize(const cmsUInt32Number Dims[], cmsUInt32Number b)
		22	for (rv = 1; b > 0; b--) {
		23
		24	dim = Dims[b-1];
		25	- if (dim <= 1) return 0; // Error
		26	-
		27	- rv *= dim;
		28	+ if (dim <= 1) return 0;
		29
		30	// Check for overflow
		31	if (rv > UINT_MAX / dim) return 0;
		32	+
		33	+ rv *= dim;
		34	}
		35
		36	// Again, prevent overflow


diff --git a/meta-oe/recipes-support/lcms/lcms_2.16.bb b/meta-oe/recipes-support/lcms/lcms_2.16.bb index 9422c7330b..c67653757f 100644 --- a/meta-oe/recipes-support/lcms/lcms_2.16.bb +++ b/meta-oe/recipes-support/lcms/lcms_2.16.bb
@@ -3,7 +3,10 @@ SECTION = "libs"
3	LICENSE = "MIT"	3	LICENSE = "MIT"
4	LIC_FILES_CHKSUM = "file://LICENSE;md5=e9ce323c4b71c943a785db90142b228a"	4	LIC_FILES_CHKSUM = "file://LICENSE;md5=e9ce323c4b71c943a785db90142b228a"
5		5
6	SRC_URI = "${SOURCEFORGE_MIRROR}/lcms/lcms2-${PV}.tar.gz"	6	SRC_URI = "${SOURCEFORGE_MIRROR}/lcms/lcms2-${PV}.tar.gz \
		7	file://CVE-2026-41254_1.patch \
		8	file://CVE-2026-41254_2.patch \
		9	"
7	SRC_URI[sha256sum] = "d873d34ad8b9b4cea010631f1a6228d2087475e4dc5e763eb81acc23d9d45a51"	10	SRC_URI[sha256sum] = "d873d34ad8b9b4cea010631f1a6228d2087475e4dc5e763eb81acc23d9d45a51"
8		11
9	DEPENDS = "tiff"	12	DEPENDS = "tiff"