[oe] [meta-oe][kirkstone][PATCH 3/4] jasper: patch CVE-2025-8836

Sun, 23 Nov 2025 09:43:19 -0800 

Details: https://nvd.nist.gov/vuln/detail/CVE-2025-8836

Pick the patch that is referenced by the nvd report.

Signed-off-by: Gyorgy Sarvari <[email protected]>
---
 .../jasper/jasper/CVE-2025-8836.patch         | 78 +++++++++++++++++++
 .../recipes-graphics/jasper/jasper_2.0.33.bb  |  1 +
 2 files changed, 79 insertions(+)
 create mode 100644 meta-oe/recipes-graphics/jasper/jasper/CVE-2025-8836.patch

diff --git a/meta-oe/recipes-graphics/jasper/jasper/CVE-2025-8836.patch 
b/meta-oe/recipes-graphics/jasper/jasper/CVE-2025-8836.patch
new file mode 100644
index 0000000000..247d1064ca
--- /dev/null
+++ b/meta-oe/recipes-graphics/jasper/jasper/CVE-2025-8836.patch
@@ -0,0 +1,78 @@
+From 0e045908b1fec6748688cbc13bd3dc3703ddb17e Mon Sep 17 00:00:00 2001
+From: Michael Adams <[email protected]>
+Date: Sat, 2 Aug 2025 18:00:39 -0700
+Subject: [PATCH] Fixes #401.
+
+JPEG-2000 (JPC) Encoder:
+- Added some missing range checking on several coding parameters
+  (e.g., precint width/height and codeblock width/height).
+
+CVE: CVE-2025-8836
+Upstream-Status: Backport 
[https://github.com/jasper-software/jasper/commit/79185d32d7a444abae441935b20ae4676b3513d4]
+Signed-off-by: Gyorgy Sarvari <[email protected]>
+---
+ src/libjasper/jpc/jpc_enc.c   | 30 ++++++++++++++++++++++++------
+ src/libjasper/jpc/jpc_t2dec.c |  3 ++-
+ 2 files changed, 26 insertions(+), 7 deletions(-)
+
+diff --git a/src/libjasper/jpc/jpc_enc.c b/src/libjasper/jpc/jpc_enc.c
+index 93013f9..c957e3f 100644
+--- a/src/libjasper/jpc/jpc_enc.c
++++ b/src/libjasper/jpc/jpc_enc.c
+@@ -474,18 +474,36 @@ static jpc_enc_cp_t *cp_create(const char *optstr, 
jas_image_t *image)
+                       cp->tileheight = atoi(jas_tvparser_getval(tvp));
+                       break;
+               case OPT_PRCWIDTH:
+-                      prcwidthexpn = 
jpc_floorlog2(atoi(jas_tvparser_getval(tvp)));
++                      i = atoi(jas_tvparser_getval(tvp));
++                      if (i <= 0) {
++                              jas_eprintf("invalid precinct width (%d)\n", i);
++                              goto error;
++                      }
++                      prcwidthexpn = jpc_floorlog2(i);
+                       break;
+               case OPT_PRCHEIGHT:
+-                      prcheightexpn = 
jpc_floorlog2(atoi(jas_tvparser_getval(tvp)));
++                      i = atoi(jas_tvparser_getval(tvp));
++                      if (i <= 0) {
++                              jas_eprintf("invalid precinct height (%d)\n", 
i);
++                              goto error;
++                      }
++                      prcheightexpn = jpc_floorlog2(i);
+                       break;
+               case OPT_CBLKWIDTH:
+-                      tccp->cblkwidthexpn =
+-                        jpc_floorlog2(atoi(jas_tvparser_getval(tvp)));
++                      i = atoi(jas_tvparser_getval(tvp));
++                      if (i <= 0) {
++                              jas_eprintf("invalid code block width (%d)\n", 
i);
++                              goto error;
++                      }
++                      tccp->cblkwidthexpn = jpc_floorlog2(i);
+                       break;
+               case OPT_CBLKHEIGHT:
+-                      tccp->cblkheightexpn =
+-                        jpc_floorlog2(atoi(jas_tvparser_getval(tvp)));
++                      i = atoi(jas_tvparser_getval(tvp));
++                      if (i <= 0) {
++                              jas_eprintf("invalid code block height (%d)\n", 
i);
++                              goto error;
++                      }
++                      tccp->cblkheightexpn = jpc_floorlog2(i);
+                       break;
+               case OPT_MODE:
+                       if ((tagid = 
jas_taginfo_nonull(jas_taginfos_lookup(modetab,
+diff --git a/src/libjasper/jpc/jpc_t2dec.c b/src/libjasper/jpc/jpc_t2dec.c
+index e52b549..6e1f1f7 100644
+--- a/src/libjasper/jpc/jpc_t2dec.c
++++ b/src/libjasper/jpc/jpc_t2dec.c
+@@ -337,7 +337,8 @@ static int jpc_dec_decodepkt(jpc_dec_t *dec, jas_stream_t 
*pkthdrstream, jas_str
+                                               const unsigned n = 
JAS_MIN((unsigned)numnewpasses, maxpasses);
+                                               mycounter += n;
+                                               numnewpasses -= n;
+-                                              if ((len = 
jpc_bitstream_getbits(inb, cblk->numlenbits + jpc_floorlog2(n))) < 0) {
++                                              if ((len = 
jpc_bitstream_getbits(inb,
++                                                cblk->numlenbits + 
jpc_floorlog2(n))) < 0) {
+                                                       
jpc_bitstream_close(inb);
+                                                       return -1;
+                                               }
diff --git a/meta-oe/recipes-graphics/jasper/jasper_2.0.33.bb 
b/meta-oe/recipes-graphics/jasper/jasper_2.0.33.bb
index c314da539f..d78250306b 100644
--- a/meta-oe/recipes-graphics/jasper/jasper_2.0.33.bb
+++ b/meta-oe/recipes-graphics/jasper/jasper_2.0.33.bb
@@ -6,6 +6,7 @@ LIC_FILES_CHKSUM = 
"file://LICENSE;md5=a80440d1d8f17d041c71c7271d6e06eb"
 SRC_URI = 
"git://github.com/jasper-software/jasper.git;protocol=https;branch=master \
            file://CVE-2023-51257.patch \
            file://CVE-2025-8835.patch \
+           file://CVE-2025-8836.patch \
            "
 SRCREV = "fe00207dc10db1d7cc6f2757961c5c6bdfd10973"
 

-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#122000): 
https://lists.openembedded.org/g/openembedded-devel/message/122000
Mute This Topic: https://lists.openembedded.org/mt/116439500/21656
Group Owner: [email protected]
Unsubscribe: https://lists.openembedded.org/g/openembedded-devel/unsub 
[[email protected]]
-=-=-=-=-=-=-=-=-=-=-=-

Reply via email to