Details: https://nvd.nist.gov/vuln/detail/CVE-2025-8835
Pick the patch that is referenced by the nvd report. Signed-off-by: Gyorgy Sarvari <[email protected]> --- .../jasper/jasper/CVE-2025-8835.patch | 170 ++++++++++++++++++ .../recipes-graphics/jasper/jasper_2.0.33.bb | 1 + 2 files changed, 171 insertions(+) create mode 100644 meta-oe/recipes-graphics/jasper/jasper/CVE-2025-8835.patch diff --git a/meta-oe/recipes-graphics/jasper/jasper/CVE-2025-8835.patch b/meta-oe/recipes-graphics/jasper/jasper/CVE-2025-8835.patch new file mode 100644 index 0000000000..d781d24361 --- /dev/null +++ b/meta-oe/recipes-graphics/jasper/jasper/CVE-2025-8835.patch @@ -0,0 +1,170 @@ +From 8c72f24556b2418f5689713eb706014423473a73 Mon Sep 17 00:00:00 2001 +From: Michael Adams <[email protected]> +Date: Tue, 29 Jul 2025 20:16:35 -0700 +Subject: [PATCH] Fixes #400. + +Added a check for a missing color component in the jas_image_chclrspc +function. + +CVE: CVE-2025-8835 +Upstream-Status: Backport [https://github.com/jasper-software/jasper/commit/bb7d62bd0a2a8e0e1fdb4d603f3305f955158c52] + +Signed-off-by: Gyorgy Sarvari <[email protected]> +--- + src/libjasper/base/jas_image.c | 73 ++++++++++++++++++++++++++++------ + 1 file changed, 61 insertions(+), 12 deletions(-) + +diff --git a/src/libjasper/base/jas_image.c b/src/libjasper/base/jas_image.c +index 68a94e1..bfbf9e5 100644 +--- a/src/libjasper/base/jas_image.c ++++ b/src/libjasper/base/jas_image.c +@@ -112,7 +112,8 @@ static long convert(long val, bool oldsgnd, unsigned oldprec, bool newsgnd, + unsigned newprec); + static void jas_image_calcbbox2(const jas_image_t *image, jas_image_coord_t *tlx, + jas_image_coord_t *tly, jas_image_coord_t *brx, jas_image_coord_t *bry); +- ++static jas_cmcmptfmt_t* jas_cmcmptfmt_array_create(int n); ++static void jas_cmcmptfmt_array_destroy(jas_cmcmptfmt_t* cmptfmts, int n); + /******************************************************************************\ + * Global data. + \******************************************************************************/ +@@ -409,6 +410,36 @@ static void jas_image_cmpt_destroy(jas_image_cmpt_t *cmpt) + jas_free(cmpt); + } + ++static jas_cmcmptfmt_t* jas_cmcmptfmt_array_create(int n) ++{ ++ jas_cmcmptfmt_t* cmptfmts; ++ JAS_DBGLOG(10, ("jas_cmcmptfmt_array_create(%d)\n", n)); ++ if (!(cmptfmts = jas_alloc2(n, sizeof(jas_cmcmptfmt_t)))) { ++ return 0; ++ } ++ for (int i = 0; i < n; ++i) { ++ cmptfmts[i].buf = 0; ++ } ++ JAS_DBGLOG(10, ("jas_cmcmptfmt_array_create(%d) returning %p\n", n, ++ JAS_CAST(void *, cmptfmts))); ++ return cmptfmts; ++} ++ ++static void jas_cmcmptfmt_array_destroy(jas_cmcmptfmt_t* cmptfmts, int n) ++{ ++ assert(cmptfmts); ++ assert(n > 0); ++ JAS_DBGLOG(10, ("jas_cmcmptfmt_array_destroy(%p, %d)\n", ++ JAS_CAST(void *, cmptfmts), n)); ++ for (int i = 0; i < n; ++i) { ++ if (cmptfmts[i].buf) { ++ jas_free(cmptfmts[i].buf); ++ } ++ cmptfmts[i].buf = 0; ++ } ++ jas_free(cmptfmts); ++} ++ + /******************************************************************************\ + * Load and save operations. + \******************************************************************************/ +@@ -1470,12 +1501,15 @@ jas_image_t *jas_image_chclrspc(jas_image_t *image, const jas_cmprof_t *outprof, + jas_cmcmptfmt_t *incmptfmts; + jas_cmcmptfmt_t *outcmptfmts; + ++ assert(image); ++ assert(outprof); ++ + #if 0 + jas_eprintf("IMAGE\n"); + jas_image_dump(image, stderr); + #endif + +- if (image->numcmpts_ == 0) ++ if (!jas_image_numcmpts(image)) + /* can't work with a file with no components; + continuing would crash because we'd attempt to + obtain information about the first component */ +@@ -1483,6 +1517,8 @@ jas_image_dump(image, stderr); + + outimage = 0; + xform = 0; ++ incmptfmts = 0; ++ outcmptfmts = 0; + if (!(inimage = jas_image_copy(image))) + goto error; + image = 0; +@@ -1565,15 +1601,21 @@ jas_image_dump(image, stderr); + } + + inpixmap.numcmpts = numinclrchans; +- if (!(incmptfmts = jas_alloc2(numinclrchans, sizeof(jas_cmcmptfmt_t)))) { ++ assert(numinclrchans != 0); ++ if (!(incmptfmts = jas_cmcmptfmt_array_create(numinclrchans))) { + abort(); + } + inpixmap.cmptfmts = incmptfmts; + for (unsigned i = 0; i < numinclrchans; ++i) { + const int j = jas_image_getcmptbytype(inimage, JAS_IMAGE_CT_COLOR(i)); ++ if (j < 0) { ++ jas_eprintf("missing color component %d\n", i); ++ goto error; ++ } + if (!(incmptfmts[i].buf = jas_alloc2(width, sizeof(long)))) { + goto error; + } ++ assert(j >= 0 && j < jas_image_numcmpts(inimage)); + incmptfmts[i].prec = jas_image_cmptprec(inimage, j); + incmptfmts[i].sgnd = jas_image_cmptsgnd(inimage, j); + incmptfmts[i].width = width; +@@ -1581,15 +1623,20 @@ jas_image_dump(image, stderr); + } + + outpixmap.numcmpts = numoutclrchans; +- if (!(outcmptfmts = jas_alloc2(numoutclrchans, sizeof(jas_cmcmptfmt_t)))) { ++ if (!(outcmptfmts = jas_cmcmptfmt_array_create(numoutclrchans))) { + abort(); + } + outpixmap.cmptfmts = outcmptfmts; + + for (unsigned i = 0; i < numoutclrchans; ++i) { + const int j = jas_image_getcmptbytype(outimage, JAS_IMAGE_CT_COLOR(i)); ++ if (j < 0) { ++ jas_eprintf("missing color component %d\n", i); ++ goto error; ++ } + if (!(outcmptfmts[i].buf = jas_alloc2(width, sizeof(long)))) + goto error; ++ assert(j >= 0 && j < jas_image_numcmpts(outimage)); + outcmptfmts[i].prec = jas_image_cmptprec(outimage, j); + outcmptfmts[i].sgnd = jas_image_cmptsgnd(outimage, j); + outcmptfmts[i].width = width; +@@ -1612,14 +1659,8 @@ jas_image_dump(image, stderr); + } + } + +- for (unsigned i = 0; i < numoutclrchans; ++i) { +- jas_free(outcmptfmts[i].buf); +- } +- jas_free(outcmptfmts); +- for (unsigned i = 0; i < numinclrchans; ++i) { +- jas_free(incmptfmts[i].buf); +- } +- jas_free(incmptfmts); ++ jas_cmcmptfmt_array_destroy(outcmptfmts, numoutclrchans); ++ jas_cmcmptfmt_array_destroy(incmptfmts, numinclrchans); + jas_cmxform_destroy(xform); + jas_image_destroy(inimage); + +@@ -1631,6 +1672,14 @@ jas_image_dump(outimage, stderr); + #endif + return outimage; + error: ++ if (incmptfmts) { ++ assert(numinclrchans); ++ jas_cmcmptfmt_array_destroy(incmptfmts, numinclrchans); ++ } ++ if (outcmptfmts) { ++ assert(numoutclrchans); ++ jas_cmcmptfmt_array_destroy(outcmptfmts, numoutclrchans); ++ } + if (xform) + jas_cmxform_destroy(xform); + if (inimage) diff --git a/meta-oe/recipes-graphics/jasper/jasper_2.0.33.bb b/meta-oe/recipes-graphics/jasper/jasper_2.0.33.bb index 522adba93d..c314da539f 100644 --- a/meta-oe/recipes-graphics/jasper/jasper_2.0.33.bb +++ b/meta-oe/recipes-graphics/jasper/jasper_2.0.33.bb @@ -5,6 +5,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=a80440d1d8f17d041c71c7271d6e06eb" SRC_URI = "git://github.com/jasper-software/jasper.git;protocol=https;branch=master \ file://CVE-2023-51257.patch \ + file://CVE-2025-8835.patch \ " SRCREV = "fe00207dc10db1d7cc6f2757961c5c6bdfd10973"
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#121999): https://lists.openembedded.org/g/openembedded-devel/message/121999 Mute This Topic: https://lists.openembedded.org/mt/116439498/21656 Group Owner: [email protected] Unsubscribe: https://lists.openembedded.org/g/openembedded-devel/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
