From: Zhang Peng <[email protected]> CVE-2024-56826: A flaw was found in the OpenJPEG project. A heap buffer overflow condition may be triggered when certain options are specified while using the opj_decompress utility. This can lead to an application crash or other undefined behavior.
Reference: [https://nvd.nist.gov/vuln/detail/CVE-2024-56826] [https://github.com/uclouvain/openjpeg/issues/1563] Upstream patches: [https://github.com/uclouvain/openjpeg/commit/98592ee6d6904f1b48e8207238779b89a63befa2] Signed-off-by: Zhang Peng <[email protected]> --- ...ix-out-of-bounds-read-accesses-when-.patch | 130 ++++++++++++++++++ .../openjpeg/openjpeg_2.4.0.bb | 1 + 2 files changed, 131 insertions(+) create mode 100644 meta-oe/recipes-graphics/openjpeg/openjpeg/0001-sycc422_to_rgb-fix-out-of-bounds-read-accesses-when-.patch diff --git a/meta-oe/recipes-graphics/openjpeg/openjpeg/0001-sycc422_to_rgb-fix-out-of-bounds-read-accesses-when-.patch b/meta-oe/recipes-graphics/openjpeg/openjpeg/0001-sycc422_to_rgb-fix-out-of-bounds-read-accesses-when-.patch new file mode 100644 index 000000000..1943cf4cc --- /dev/null +++ b/meta-oe/recipes-graphics/openjpeg/openjpeg/0001-sycc422_to_rgb-fix-out-of-bounds-read-accesses-when-.patch @@ -0,0 +1,130 @@ +From 2bed72075bd17518907a6a57e3411669188e49bd Mon Sep 17 00:00:00 2001 +From: Even Rouault <[email protected]> +Date: Mon, 25 Nov 2024 23:11:24 +0100 +Subject: [PATCH] sycc422_to_rgb(): fix out-of-bounds read accesses when 2 * + width_component_1_or_2 + 1 == with_component_0 + +Fixes #1563 + +Also adjusts sycc420_to_rgb() for potential similar issue (amending +commit 7bd884f8750892de4f50bf4642fcfbe7011c6bdf) + +CVE: CVE-2024-56826 +Upstream-Status: Backport [https://github.com/uclouvain/openjpeg/commit/98592ee6d6904f1b48e8207238779b89a63befa2] + +Signed-off-by: Zhang Peng <[email protected]> +--- + src/bin/common/color.c | 42 ++++++++++++++++++++++++++++++++---------- + 1 file changed, 32 insertions(+), 10 deletions(-) + +diff --git a/src/bin/common/color.c b/src/bin/common/color.c +index ae5d648d..e4924a15 100644 +--- a/src/bin/common/color.c ++++ b/src/bin/common/color.c +@@ -158,7 +158,7 @@ static void sycc422_to_rgb(opj_image_t *img) + { + int *d0, *d1, *d2, *r, *g, *b; + const int *y, *cb, *cr; +- size_t maxw, maxh, max, offx, loopmaxw; ++ size_t maxw, maxh, max, offx, loopmaxw, comp12w; + int offset, upb; + size_t i; + +@@ -167,6 +167,7 @@ static void sycc422_to_rgb(opj_image_t *img) + upb = (1 << upb) - 1; + + maxw = (size_t)img->comps[0].w; ++ comp12w = (size_t)img->comps[1].w; + maxh = (size_t)img->comps[0].h; + max = maxw * maxh; + +@@ -212,13 +213,19 @@ static void sycc422_to_rgb(opj_image_t *img) + ++cr; + } + if (j < loopmaxw) { +- sycc_to_rgb(offset, upb, *y, *cb, *cr, r, g, b); ++ if (j / 2 == comp12w) { ++ sycc_to_rgb(offset, upb, *y, 0, 0, r, g, b); ++ } else { ++ sycc_to_rgb(offset, upb, *y, *cb, *cr, r, g, b); ++ } + ++y; + ++r; + ++g; + ++b; +- ++cb; +- ++cr; ++ if (j / 2 < comp12w) { ++ ++cb; ++ ++cr; ++ } + } + } + +@@ -246,7 +253,7 @@ static void sycc420_to_rgb(opj_image_t *img) + { + int *d0, *d1, *d2, *r, *g, *b, *nr, *ng, *nb; + const int *y, *cb, *cr, *ny; +- size_t maxw, maxh, max, offx, loopmaxw, offy, loopmaxh; ++ size_t maxw, maxh, max, offx, loopmaxw, offy, loopmaxh, comp12w; + int offset, upb; + size_t i; + +@@ -255,6 +262,7 @@ static void sycc420_to_rgb(opj_image_t *img) + upb = (1 << upb) - 1; + + maxw = (size_t)img->comps[0].w; ++ comp12w = (size_t)img->comps[1].w; + maxh = (size_t)img->comps[0].h; + max = maxw * maxh; + +@@ -336,19 +344,29 @@ static void sycc420_to_rgb(opj_image_t *img) + ++cr; + } + if (j < loopmaxw) { +- sycc_to_rgb(offset, upb, *y, *cb, *cr, r, g, b); ++ if (j / 2 == comp12w) { ++ sycc_to_rgb(offset, upb, *y, 0, 0, r, g, b); ++ } else { ++ sycc_to_rgb(offset, upb, *y, *cb, *cr, r, g, b); ++ } + ++y; + ++r; + ++g; + ++b; + +- sycc_to_rgb(offset, upb, *ny, *cb, *cr, nr, ng, nb); ++ if (j / 2 == comp12w) { ++ sycc_to_rgb(offset, upb, *ny, 0, 0, nr, ng, nb); ++ } else { ++ sycc_to_rgb(offset, upb, *ny, *cb, *cr, nr, ng, nb); ++ } + ++ny; + ++nr; + ++ng; + ++nb; +- ++cb; +- ++cr; ++ if (j / 2 < comp12w) { ++ ++cb; ++ ++cr; ++ } + } + y += maxw; + r += maxw; +@@ -384,7 +402,11 @@ static void sycc420_to_rgb(opj_image_t *img) + ++cr; + } + if (j < loopmaxw) { +- sycc_to_rgb(offset, upb, *y, *cb, *cr, r, g, b); ++ if (j / 2 == comp12w) { ++ sycc_to_rgb(offset, upb, *y, 0, 0, r, g, b); ++ } else { ++ sycc_to_rgb(offset, upb, *y, *cb, *cr, r, g, b); ++ } + } + } + +-- +2.39.4 + diff --git a/meta-oe/recipes-graphics/openjpeg/openjpeg_2.4.0.bb b/meta-oe/recipes-graphics/openjpeg/openjpeg_2.4.0.bb index a619c07aa..9c0fe0e30 100644 --- a/meta-oe/recipes-graphics/openjpeg/openjpeg_2.4.0.bb +++ b/meta-oe/recipes-graphics/openjpeg/openjpeg_2.4.0.bb @@ -12,6 +12,7 @@ SRC_URI = " \ file://CVE-2021-29338.patch \ file://CVE-2022-1122.patch \ file://CVE-2021-3575.patch \ + file://0001-sycc422_to_rgb-fix-out-of-bounds-read-accesses-when-.patch \ " SRCREV = "37ac30ceff6640bbab502388c5e0fa0bff23f505" S = "${WORKDIR}/git" -- 2.34.1
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#114878): https://lists.openembedded.org/g/openembedded-devel/message/114878 Mute This Topic: https://lists.openembedded.org/mt/110604937/21656 Group Owner: [email protected] Unsubscribe: https://lists.openembedded.org/g/openembedded-devel/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
