3 files changed, 66 insertions, 1 deletions
diff --git a/meta-oe/recipes-support/lcms/lcms/CVE-2026-41254_1.patch b/meta-oe/recipes-support/lcms/lcms/CVE-2026-41254_1.patch
new file mode 100644
index 0000000000..2ed8e9f587
--- /dev/null
+++ b/meta-oe/recipes-support/lcms/lcms/CVE-2026-41254_1.patch
@@ -0,0 +1,28 @@
+From c83cfcd249d06950a307cee8d1e22b7f6a78a8a7 Mon Sep 17 00:00:00 2001
+From: Marti Maria <marti.maria@littlecms.com>
+Date: Thu, 19 Feb 2026 09:07:20 +0100
+Subject: [PATCH] Fix integer overflow in CubeSize()
+Thanks to @zerojackyi for reporting
+CVE: CVE-2026-41254
+Upstream-Status: Backport [https://github.com/mm2/Little-CMS/commit/da6110b1d14abc394633a388209abd5ebedd7ab0]
+Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
+---
+ src/cmslut.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+diff --git a/src/cmslut.c b/src/cmslut.c
+index 1089148..b245209 100644
+--- a/src/cmslut.c
+++ b/src/cmslut.c
+@@ -460,7 +460,8 @@ void EvaluateCLUTfloatIn16(const cmsFloat32Number In[], cmsFloat32Number Out[],
+ static
+ cmsUInt32Number CubeSize(const cmsUInt32Number Dims[], cmsUInt32Number b)
+ {
+-    cmsUInt32Number rv, dim;
+    cmsUInt32Number dim;
+    cmsUInt64Number rv;
+ 
+     _cmsAssert(Dims != NULL);
+ 
diff --git a/meta-oe/recipes-support/lcms/lcms/CVE-2026-41254_2.patch b/meta-oe/recipes-support/lcms/lcms/CVE-2026-41254_2.patch
new file mode 100644
index 0000000000..be8c759a6f
--- /dev/null
+++ b/meta-oe/recipes-support/lcms/lcms/CVE-2026-41254_2.patch
@@ -0,0 +1,34 @@
+From f5994aea02d5620f3182cafdcf116ffe9d6c9fd2 Mon Sep 17 00:00:00 2001
+From: Marti Maria <marti.maria@littlecms.com>
+Date: Thu, 12 Mar 2026 22:57:35 +0100
+Subject: [PATCH] check for overflow
+Thanks to Guanni Qu for detecting & reporting the issue
+CVE: CVE-2026-41254
+Upstream-Status: Backport [https://github.com/mm2/Little-CMS/commit/e0641b1828d0a1af5ecb1b11fe22f24fceefd4bc]
+Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
+---
+ src/cmslut.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+diff --git a/src/cmslut.c b/src/cmslut.c
+index b245209..c1dbb32 100644
+--- a/src/cmslut.c
+++ b/src/cmslut.c
+@@ -468,12 +468,12 @@ cmsUInt32Number CubeSize(const cmsUInt32Number Dims[], cmsUInt32Number b)
+     for (rv = 1; b > 0; b--) {
+ 
+         dim = Dims[b-1];
+-        if (dim <= 1) return 0;  // Error
+-
+-        rv *= dim;
+        if (dim <= 1) return 0;  
+ 
+         // Check for overflow
+         if (rv > UINT_MAX / dim) return 0;
+
+        rv *= dim;
+     }
+ 
+     // Again, prevent overflow
diff --git a/meta-oe/recipes-support/lcms/lcms_2.18.bb b/meta-oe/recipes-support/lcms/lcms_2.18.bb
index 79e4a6f694..1ff3b3908f 100644
--- a/meta-oe/recipes-support/lcms/lcms_2.18.bb
+++ b/meta-oe/recipes-support/lcms/lcms_2.18.bb
@@ -3,7 +3,10 @@ SECTION = "libs"
 LICENSE = "MIT"
 LIC_FILES_CHKSUM = "file://LICENSE;md5=e9ce323c4b71c943a785db90142b228a"
-SRC_URI = "${SOURCEFORGE_MIRROR}/lcms/lcms2-${PV}.tar.gz"
+SRC_URI = "${SOURCEFORGE_MIRROR}/lcms/lcms2-${PV}.tar.gz \
+           file://CVE-2026-41254_1.patch \
+           file://CVE-2026-41254_2.patch \
+           "
 SRC_URI[sha256sum] = "ee67be3566f459362c1ee094fde2c159d33fa0390aa4ed5f5af676f9e5004347"
 DEPENDS = "tiff"

diff --git a/meta-oe/recipes-support/lcms/lcms/CVE-2026-41254_1.patch b/meta-oe/recipes-support/lcms/lcms/CVE-2026-41254_1.patch new file mode 100644 index 0000000000..2ed8e9f587 --- /dev/null +++ b/meta-oe/recipes-support/lcms/lcms/CVE-2026-41254_1.patch
@@ -0,0 +1,28 @@
		1	From c83cfcd249d06950a307cee8d1e22b7f6a78a8a7 Mon Sep 17 00:00:00 2001
		2	From: Marti Maria <marti.maria@littlecms.com>
		3	Date: Thu, 19 Feb 2026 09:07:20 +0100
		4	Subject: [PATCH] Fix integer overflow in CubeSize()
		5
		6	Thanks to @zerojackyi for reporting
		7
		8	CVE: CVE-2026-41254
		9	Upstream-Status: Backport [https://github.com/mm2/Little-CMS/commit/da6110b1d14abc394633a388209abd5ebedd7ab0]
		10	Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
		11	---
		12	src/cmslut.c \| 3 ++-
		13	1 file changed, 2 insertions(+), 1 deletion(-)
		14
		15	diff --git a/src/cmslut.c b/src/cmslut.c
		16	index 1089148..b245209 100644
		17	--- a/src/cmslut.c
		18	+++ b/src/cmslut.c
		19	@@ -460,7 +460,8 @@ void EvaluateCLUTfloatIn16(const cmsFloat32Number In[], cmsFloat32Number Out[],
		20	static
		21	cmsUInt32Number CubeSize(const cmsUInt32Number Dims[], cmsUInt32Number b)
		22	{
		23	- cmsUInt32Number rv, dim;
		24	+ cmsUInt32Number dim;
		25	+ cmsUInt64Number rv;
		26
		27	_cmsAssert(Dims != NULL);
		28


diff --git a/meta-oe/recipes-support/lcms/lcms/CVE-2026-41254_2.patch b/meta-oe/recipes-support/lcms/lcms/CVE-2026-41254_2.patch new file mode 100644 index 0000000000..be8c759a6f --- /dev/null +++ b/meta-oe/recipes-support/lcms/lcms/CVE-2026-41254_2.patch
@@ -0,0 +1,34 @@
		1	From f5994aea02d5620f3182cafdcf116ffe9d6c9fd2 Mon Sep 17 00:00:00 2001
		2	From: Marti Maria <marti.maria@littlecms.com>
		3	Date: Thu, 12 Mar 2026 22:57:35 +0100
		4	Subject: [PATCH] check for overflow
		5
		6	Thanks to Guanni Qu for detecting & reporting the issue
		7
		8	CVE: CVE-2026-41254
		9	Upstream-Status: Backport [https://github.com/mm2/Little-CMS/commit/e0641b1828d0a1af5ecb1b11fe22f24fceefd4bc]
		10	Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
		11	---
		12	src/cmslut.c \| 6 +++---
		13	1 file changed, 3 insertions(+), 3 deletions(-)
		14
		15	diff --git a/src/cmslut.c b/src/cmslut.c
		16	index b245209..c1dbb32 100644
		17	--- a/src/cmslut.c
		18	+++ b/src/cmslut.c
		19	@@ -468,12 +468,12 @@ cmsUInt32Number CubeSize(const cmsUInt32Number Dims[], cmsUInt32Number b)
		20	for (rv = 1; b > 0; b--) {
		21
		22	dim = Dims[b-1];
		23	- if (dim <= 1) return 0; // Error
		24	-
		25	- rv *= dim;
		26	+ if (dim <= 1) return 0;
		27
		28	// Check for overflow
		29	if (rv > UINT_MAX / dim) return 0;
		30	+
		31	+ rv *= dim;
		32	}
		33
		34	// Again, prevent overflow


diff --git a/meta-oe/recipes-support/lcms/lcms_2.18.bb b/meta-oe/recipes-support/lcms/lcms_2.18.bb index 79e4a6f694..1ff3b3908f 100644 --- a/meta-oe/recipes-support/lcms/lcms_2.18.bb +++ b/meta-oe/recipes-support/lcms/lcms_2.18.bb
@@ -3,7 +3,10 @@ SECTION = "libs"
3	LICENSE = "MIT"	3	LICENSE = "MIT"
4	LIC_FILES_CHKSUM = "file://LICENSE;md5=e9ce323c4b71c943a785db90142b228a"	4	LIC_FILES_CHKSUM = "file://LICENSE;md5=e9ce323c4b71c943a785db90142b228a"
5		5
6	SRC_URI = "${SOURCEFORGE_MIRROR}/lcms/lcms2-${PV}.tar.gz"	6	SRC_URI = "${SOURCEFORGE_MIRROR}/lcms/lcms2-${PV}.tar.gz \
		7	file://CVE-2026-41254_1.patch \
		8	file://CVE-2026-41254_2.patch \
		9	"
7	SRC_URI[sha256sum] = "ee67be3566f459362c1ee094fde2c159d33fa0390aa4ed5f5af676f9e5004347"	10	SRC_URI[sha256sum] = "ee67be3566f459362c1ee094fde2c159d33fa0390aa4ed5f5af676f9e5004347"
8		11
9	DEPENDS = "tiff"	12	DEPENDS = "tiff"