This was now merged to dunfell branch and it doesn't apply cleanly:
WARNING: opencv-4.1.0-r0 do_patch: Fuzz detected:
Applying patch CVE-2019-14491.patch
patching file modules/objdetect/src/cascadedetect.cpp
Hunk #1 succeeded at 46 with fuzz 1 (offset -1 lines).
Hunk #2 succeeded at 540 (offset -1 lines).
Hunk #3 succeeded at 552 (offset -1 lines).
Hunk #4 succeeded at 613 (offset -1 lines).
Hunk #5 succeeded at 774 (offset -1 lines).
Hunk #6 succeeded at 825 (offset -1 lines).
Hunk #7 succeeded at 1470 (offset -36 lines).
patching file modules/objdetect/src/cascadedetect.hpp
The context lines in the patches can be updated with devtool:
devtool modify opencv
devtool finish --force-patch-refresh opencv <layer_path>
Don't forget to review changes done by devtool!
WARNING: opencv-4.1.0-r0 do_patch: QA Issue: Patch log indicates that
patches do not apply cleanly. [patch-fuzz]
Can you please update the patches to apply cleanly?
On Tue, Mar 9, 2021 at 5:40 PM Neetika.Singh <[email protected]> wrote:
> From: Neetika Singh <[email protected]>
>
> Added patches to fix below CVE's:
>
> 1. CVE-2019-14491, CVE-2019-14492
> Link:
> https://github.com/opencv/opencv/commit/ac425f67e4c1d0da9afb9203f0918d8d57c067ed
>
> 2. CVE-2019-14493
> Link:
> https://github.com/opencv/opencv/commit/5691d998ead1d9b0542bcfced36c2dceb3a59023
>
> 3. CVE-2019-15939
> Link:
> https://github.com/opencv/opencv/commit/5a497077f109d543ab86dfdf8add1c76c0e47d29
>
> 4. CVE-2019-19624
> Link:
> https://github.com/opencv/opencv/commit/d1615ba11a93062b1429fce9f0f638d1572d3418
>
> Signed-off-by: Neetika.Singh <[email protected]>
> ---
> .../opencv/opencv/CVE-2019-14491.patch | 148 +++++++++++++
> .../opencv/opencv/CVE-2019-14493.patch | 237
> +++++++++++++++++++++
> .../opencv/opencv/CVE-2019-15939.patch | 73 +++++++
> .../opencv/opencv/CVE-2019-19624.patch | 157 ++++++++++++++
> meta-oe/recipes-support/opencv/opencv_4.1.0.bb | 4 +
> 5 files changed, 619 insertions(+)
> create mode 100644
> meta-oe/recipes-support/opencv/opencv/CVE-2019-14491.patch
> create mode 100644
> meta-oe/recipes-support/opencv/opencv/CVE-2019-14493.patch
> create mode 100644
> meta-oe/recipes-support/opencv/opencv/CVE-2019-15939.patch
> create mode 100644
> meta-oe/recipes-support/opencv/opencv/CVE-2019-19624.patch
>
> diff --git a/meta-oe/recipes-support/opencv/opencv/CVE-2019-14491.patch
> b/meta-oe/recipes-support/opencv/opencv/CVE-2019-14491.patch
> new file mode 100644
> index 0000000..b82bea5
> --- /dev/null
> +++ b/meta-oe/recipes-support/opencv/opencv/CVE-2019-14491.patch
> @@ -0,0 +1,148 @@
> +From 321c74ccd6077bdea1d47450ca4fe955cb5b6330 Mon Sep 17 00:00:00 2001
> +From: Alexander Alekhin <[email protected]>
> +Date: Thu, 25 Jul 2019 17:15:59 +0300
> +Subject: [PATCH] objdetect: validate feature rectangle on reading
> +
> +CVE: CVE-2019-14491
> +CVE: CVE-2019-14492
> +Upstream-Status: Backport [
> https://github.com/opencv/opencv/commit/ac425f67e4c1d0da9afb9203f0918d8d57c067ed.patch
> ]
> +Comment: No changes in any hunk
> +
> +Signed-off-by: Neetika Singh <[email protected]>
> +---
> + modules/objdetect/src/cascadedetect.cpp | 43 +++++++++++++++++++++----
> + modules/objdetect/src/cascadedetect.hpp | 6 ++--
> + 2 files changed, 40 insertions(+), 9 deletions(-)
> +
> +diff --git a/modules/objdetect/src/cascadedetect.cpp
> b/modules/objdetect/src/cascadedetect.cpp
> +index 4b2078306fe..bd62cd21a1b 100644
> +--- a/modules/objdetect/src/cascadedetect.cpp
> ++++ b/modules/objdetect/src/cascadedetect.cpp
> +@@ -47,6 +47,10 @@
> + #include "opencv2/objdetect/objdetect_c.h"
> + #include "opencl_kernels_objdetect.hpp"
> +
> ++#if defined(_MSC_VER)
> ++# pragma warning(disable:4458) // declaration of 'origWinSize' hides
> class member
> ++#endif
> ++
> + namespace cv
> + {
> +
> +@@ -537,7 +541,7 @@ bool FeatureEvaluator::setImage( InputArray _image,
> const std::vector<float>& _s
> +
> + //---------------------------------------------- HaarEvaluator
> ---------------------------------------
> +
> +-bool HaarEvaluator::Feature :: read( const FileNode& node )
> ++bool HaarEvaluator::Feature::read(const FileNode& node, const Size&
> origWinSize)
> + {
> + FileNode rnode = node[CC_RECTS];
> + FileNodeIterator it = rnode.begin(), it_end = rnode.end();
> +@@ -549,11 +553,23 @@ bool HaarEvaluator::Feature :: read( const
> FileNode& node )
> + rect[ri].weight = 0.f;
> + }
> +
> ++ const int W = origWinSize.width;
> ++ const int H = origWinSize.height;
> ++
> + for(ri = 0; it != it_end; ++it, ri++)
> + {
> + FileNodeIterator it2 = (*it).begin();
> +- it2 >> rect[ri].r.x >> rect[ri].r.y >>
> +- rect[ri].r.width >> rect[ri].r.height >> rect[ri].weight;
> ++ Feature::RectWeigth& rw = rect[ri];
> ++ it2 >> rw.r.x >> rw.r.y >> rw.r.width >> rw.r.height >>
> rw.weight;
> ++ // input validation
> ++ {
> ++ CV_CheckGE(rw.r.x, 0, "Invalid HAAR feature");
> ++ CV_CheckGE(rw.r.y, 0, "Invalid HAAR feature");
> ++ CV_CheckLT(rw.r.x, W, "Invalid HAAR feature"); // necessary
> for overflow checks
> ++ CV_CheckLT(rw.r.y, H, "Invalid HAAR feature"); // necessary
> for overflow checks
> ++ CV_CheckLE(rw.r.x + rw.r.width, W, "Invalid HAAR feature");
> ++ CV_CheckLE(rw.r.y + rw.r.height, H, "Invalid HAAR feature");
> ++ }
> + }
> +
> + tilted = (int)node[CC_TILTED] != 0;
> +@@ -598,7 +614,7 @@ bool HaarEvaluator::read(const FileNode& node, Size
> _origWinSize)
> +
> + for(i = 0; i < n; i++, ++it)
> + {
> +- if(!ff[i].read(*it))
> ++ if(!ff[i].read(*it, _origWinSize))
> + return false;
> + if( ff[i].tilted )
> + hasTiltedFeatures = true;
> +@@ -759,11 +775,24 @@ int HaarEvaluator::getSquaresOffset() const
> + }
> +
> + //---------------------------------------------- LBPEvaluator
> -------------------------------------
> +-bool LBPEvaluator::Feature :: read(const FileNode& node )
> ++bool LBPEvaluator::Feature::read(const FileNode& node, const Size&
> origWinSize)
> + {
> + FileNode rnode = node[CC_RECT];
> + FileNodeIterator it = rnode.begin();
> + it >> rect.x >> rect.y >> rect.width >> rect.height;
> ++
> ++ const int W = origWinSize.width;
> ++ const int H = origWinSize.height;
> ++ // input validation
> ++ {
> ++ CV_CheckGE(rect.x, 0, "Invalid LBP feature");
> ++ CV_CheckGE(rect.y, 0, "Invalid LBP feature");
> ++ CV_CheckLT(rect.x, W, "Invalid LBP feature");
> ++ CV_CheckLT(rect.y, H, "Invalid LBP feature");
> ++ CV_CheckLE(rect.x + rect.width, W, "Invalid LBP feature");
> ++ CV_CheckLE(rect.y + rect.height, H, "Invalid LBP feature");
> ++ }
> ++
> + return true;
> + }
> +
> +@@ -797,7 +826,7 @@ bool LBPEvaluator::read( const FileNode& node, Size
> _origWinSize )
> + std::vector<Feature>& ff = *features;
> + for(int i = 0; it != it_end; ++it, i++)
> + {
> +- if(!ff[i].read(*it))
> ++ if(!ff[i].read(*it, _origWinSize))
> + return false;
> + }
> + nchannels = 1;
> +@@ -1477,6 +1506,8 @@ bool CascadeClassifierImpl::Data::read(const
> FileNode &root)
> + origWinSize.width = (int)root[CC_WIDTH];
> + origWinSize.height = (int)root[CC_HEIGHT];
> + CV_Assert( origWinSize.height > 0 && origWinSize.width > 0 );
> ++ CV_CheckLE(origWinSize.width, 1000000, "Invalid window size (too
> large)");
> ++ CV_CheckLE(origWinSize.height, 1000000, "Invalid window size (too
> large)");
> +
> + // load feature params
> + FileNode fn = root[CC_FEATURE_PARAMS];
> +diff --git a/modules/objdetect/src/cascadedetect.hpp
> b/modules/objdetect/src/cascadedetect.hpp
> +index f9910530b94..d9a288fcdda 100644
> +--- a/modules/objdetect/src/cascadedetect.hpp
> ++++ b/modules/objdetect/src/cascadedetect.hpp
> +@@ -317,12 +317,12 @@ class HaarEvaluator CV_FINAL : public
> FeatureEvaluator
> + struct Feature
> + {
> + Feature();
> +- bool read( const FileNode& node );
> ++ bool read(const FileNode& node, const Size& origWinSize);
> +
> + bool tilted;
> +
> + enum { RECT_NUM = 3 };
> +- struct
> ++ struct RectWeigth
> + {
> + Rect r;
> + float weight;
> +@@ -412,7 +412,7 @@ class LBPEvaluator CV_FINAL : public FeatureEvaluator
> + Feature( int x, int y, int _block_w, int _block_h ) :
> + rect(x, y, _block_w, _block_h) {}
> +
> +- bool read(const FileNode& node );
> ++ bool read(const FileNode& node, const Size& origWinSize);
> +
> + Rect rect; // weight and height for block
> + };
> +
> diff --git a/meta-oe/recipes-support/opencv/opencv/CVE-2019-14493.patch
> b/meta-oe/recipes-support/opencv/opencv/CVE-2019-14493.patch
> new file mode 100644
> index 0000000..88d6a7f
> --- /dev/null
> +++ b/meta-oe/recipes-support/opencv/opencv/CVE-2019-14493.patch
> @@ -0,0 +1,237 @@
> +From 5691d998ead1d9b0542bcfced36c2dceb3a59023 Mon Sep 17 00:00:00 2001
> +From: Alexander Alekhin <[email protected]>
> +Date: Thu, 25 Jul 2019 15:14:22 +0300
> +Subject: [PATCH] core(persistence): added null ptr checks
> +
> +CVE: CVE-2019-14493
> +Upstream-Status: Backport [
> https://github.com/opencv/opencv/commit/5691d998ead1d9b0542bcfced36c2dceb3a59023.patch
> ]
> +Comment: No changes in any hunk
> +
> +Signed-off-by: Neetika Singh <[email protected]>
> +---
> + modules/core/src/persistence_json.cpp | 12 ++++++++++++
> + modules/core/src/persistence_xml.cpp | 21 +++++++++++++++++++++
> + modules/core/src/persistence_yml.cpp | 21 +++++++++++++++++++++
> + 3 files changed, 54 insertions(+)
> +
> +diff --git a/modules/core/src/persistence_json.cpp
> b/modules/core/src/persistence_json.cpp
> +index ae678e1b8b1..89914e6534f 100644
> +--- a/modules/core/src/persistence_json.cpp
> ++++ b/modules/core/src/persistence_json.cpp
> +@@ -296,6 +296,8 @@ class JSONParser : public FileStorageParser
> +
> + while ( is_eof == false && is_completed == false )
> + {
> ++ if (!ptr)
> ++ CV_PARSE_ERROR_CPP("Invalid input");
> + switch ( *ptr )
> + {
> + /* comment */
> +@@ -381,6 +383,7 @@ class JSONParser : public FileStorageParser
> + if ( is_eof || !is_completed )
> + {
> + ptr = fs->bufferStart();
> ++ CV_Assert(ptr);
> + *ptr = '\0';
> + fs->setEof();
> + if( !is_completed )
> +@@ -392,6 +395,9 @@ class JSONParser : public FileStorageParser
> +
> + char* parseKey( char* ptr, FileNode& collection, FileNode&
> value_placeholder )
> + {
> ++ if (!ptr)
> ++ CV_PARSE_ERROR_CPP("Invalid input");
> ++
> + if( *ptr != '"' )
> + CV_PARSE_ERROR_CPP( "Key must start with \'\"\'" );
> +
> +@@ -430,6 +436,9 @@ class JSONParser : public FileStorageParser
> +
> + char* parseValue( char* ptr, FileNode& node )
> + {
> ++ if (!ptr)
> ++ CV_PARSE_ERROR_CPP("Invalid value input");
> ++
> + ptr = skipSpaces( ptr );
> + if( !ptr || !*ptr )
> + CV_PARSE_ERROR_CPP( "Unexpected End-Of-File" );
> +@@ -817,6 +826,9 @@ class JSONParser : public FileStorageParser
> +
> + bool parse( char* ptr )
> + {
> ++ if (!ptr)
> ++ CV_PARSE_ERROR_CPP("Invalid input");
> ++
> + ptr = skipSpaces( ptr );
> + if ( !ptr || !*ptr )
> + return false;
> +diff --git a/modules/core/src/persistence_xml.cpp
> b/modules/core/src/persistence_xml.cpp
> +index fb30d90896e..89876dd3da8 100644
> +--- a/modules/core/src/persistence_xml.cpp
> ++++ b/modules/core/src/persistence_xml.cpp
> +@@ -360,6 +360,9 @@ class XMLParser : public FileStorageParser
> +
> + char* skipSpaces( char* ptr, int mode )
> + {
> ++ if (!ptr)
> ++ CV_PARSE_ERROR_CPP("Invalid input");
> ++
> + int level = 0;
> +
> + for(;;)
> +@@ -441,6 +444,9 @@ class XMLParser : public FileStorageParser
> +
> + char* parseValue( char* ptr, FileNode& node )
> + {
> ++ if (!ptr)
> ++ CV_PARSE_ERROR_CPP("Invalid input");
> ++
> + FileNode new_elem;
> + bool have_space = true;
> + int value_type = node.type();
> +@@ -456,6 +462,8 @@ class XMLParser : public FileStorageParser
> + (c == '<' && ptr[1] == '!' && ptr[2] == '-') )
> + {
> + ptr = skipSpaces( ptr, 0 );
> ++ if (!ptr)
> ++ CV_PARSE_ERROR_CPP("Invalid input");
> + have_space = true;
> + c = *ptr;
> + }
> +@@ -502,6 +510,8 @@ class XMLParser : public FileStorageParser
> + {
> + ptr = fs->parseBase64( ptr, 0, new_elem);
> + ptr = skipSpaces( ptr, 0 );
> ++ if (!ptr)
> ++ CV_PARSE_ERROR_CPP("Invalid input");
> + }
> +
> + ptr = parseTag( ptr, key2, type_name, tag_type );
> +@@ -645,6 +655,9 @@ class XMLParser : public FileStorageParser
> + char* parseTag( char* ptr, std::string& tag_name,
> + std::string& type_name, int& tag_type )
> + {
> ++ if (!ptr)
> ++ CV_PARSE_ERROR_CPP("Invalid tag input");
> ++
> + if( *ptr == '\0' )
> + CV_PARSE_ERROR_CPP( "Unexpected end of the stream" );
> +
> +@@ -702,6 +715,8 @@ class XMLParser : public FileStorageParser
> + if( *ptr != '=' )
> + {
> + ptr = skipSpaces( ptr, CV_XML_INSIDE_TAG );
> ++ if (!ptr)
> ++ CV_PARSE_ERROR_CPP("Invalid attribute");
> + if( *ptr != '=' )
> + CV_PARSE_ERROR_CPP( "Attribute name should be
> followed by \'=\'" );
> + }
> +@@ -740,6 +755,8 @@ class XMLParser : public FileStorageParser
> + if( c != '>' )
> + {
> + ptr = skipSpaces( ptr, CV_XML_INSIDE_TAG );
> ++ if (!ptr)
> ++ CV_PARSE_ERROR_CPP("Invalid input");
> + c = *ptr;
> + }
> +
> +@@ -781,6 +798,8 @@ class XMLParser : public FileStorageParser
> +
> + // CV_XML_INSIDE_TAG is used to prohibit leading comments
> + ptr = skipSpaces( ptr, CV_XML_INSIDE_TAG );
> ++ if (!ptr)
> ++ CV_PARSE_ERROR_CPP("Invalid input");
> +
> + if( memcmp( ptr, "<?xml", 5 ) != 0 ) // FIXIT ptr[1..] - out of
> bounds read without check
> + CV_PARSE_ERROR_CPP( "Valid XML should start with \'<?xml
> ...?>\'" );
> +@@ -791,6 +810,8 @@ class XMLParser : public FileStorageParser
> + while( ptr && *ptr != '\0' )
> + {
> + ptr = skipSpaces( ptr, 0 );
> ++ if (!ptr)
> ++ CV_PARSE_ERROR_CPP("Invalid input");
> +
> + if( *ptr != '\0' )
> + {
> +diff --git a/modules/core/src/persistence_yml.cpp
> b/modules/core/src/persistence_yml.cpp
> +index 4129ca1dc57..7742e827701 100644
> +--- a/modules/core/src/persistence_yml.cpp
> ++++ b/modules/core/src/persistence_yml.cpp
> +@@ -330,6 +330,9 @@ class YAMLParser : public FileStorageParser
> +
> + char* skipSpaces( char* ptr, int min_indent, int max_comment_indent )
> + {
> ++ if (!ptr)
> ++ CV_PARSE_ERROR_CPP("Invalid input");
> ++
> + for(;;)
> + {
> + while( *ptr == ' ' )
> +@@ -374,6 +377,9 @@ class YAMLParser : public FileStorageParser
> +
> + bool getBase64Row(char* ptr, int indent, char* &beg, char* &end)
> + {
> ++ if (!ptr)
> ++ CV_PARSE_ERROR_CPP("Invalid input");
> ++
> + beg = end = ptr = skipSpaces(ptr, 0, INT_MAX);
> + if (!ptr || !*ptr)
> + return false; // end of file
> +@@ -394,6 +400,9 @@ class YAMLParser : public FileStorageParser
> +
> + char* parseKey( char* ptr, FileNode& map_node, FileNode&
> value_placeholder )
> + {
> ++ if (!ptr)
> ++ CV_PARSE_ERROR_CPP("Invalid input");
> ++
> + char c;
> + char *endptr = ptr - 1, *saveptr;
> +
> +@@ -422,6 +431,9 @@ class YAMLParser : public FileStorageParser
> +
> + char* parseValue( char* ptr, FileNode& node, int min_indent, bool
> is_parent_flow )
> + {
> ++ if (!ptr)
> ++ CV_PARSE_ERROR_CPP("Invalid input");
> ++
> + char* endptr = 0;
> + char c = ptr[0], d = ptr[1];
> + int value_type = FileNode::NONE;
> +@@ -508,6 +520,8 @@ class YAMLParser : public FileStorageParser
> +
> + *endptr = d;
> + ptr = skipSpaces( endptr, min_indent, INT_MAX );
> ++ if (!ptr)
> ++ CV_PARSE_ERROR_CPP("Invalid input");
> +
> + c = *ptr;
> +
> +@@ -634,6 +648,8 @@ class YAMLParser : public FileStorageParser
> + FileNode elem;
> +
> + ptr = skipSpaces( ptr, new_min_indent, INT_MAX );
> ++ if (!ptr)
> ++ CV_PARSE_ERROR_CPP("Invalid input");
> + if( *ptr == '}' || *ptr == ']' )
> + {
> + if( *ptr != d )
> +@@ -647,6 +663,8 @@ class YAMLParser : public FileStorageParser
> + if( *ptr != ',' )
> + CV_PARSE_ERROR_CPP( "Missing , between the
> elements" );
> + ptr = skipSpaces( ptr + 1, new_min_indent, INT_MAX );
> ++ if (!ptr)
> ++ CV_PARSE_ERROR_CPP("Invalid input");
> + }
> +
> + if( struct_type == FileNode::MAP )
> +@@ -746,6 +764,9 @@ class YAMLParser : public FileStorageParser
> +
> + bool parse( char* ptr )
> + {
> ++ if (!ptr)
> ++ CV_PARSE_ERROR_CPP("Invalid input");
> ++
> + bool first = true;
> + bool ok = true;
> + FileNode root_collection(fs->getFS(), 0, 0);
> +
> diff --git a/meta-oe/recipes-support/opencv/opencv/CVE-2019-15939.patch
> b/meta-oe/recipes-support/opencv/opencv/CVE-2019-15939.patch
> new file mode 100644
> index 0000000..35d62cf
> --- /dev/null
> +++ b/meta-oe/recipes-support/opencv/opencv/CVE-2019-15939.patch
> @@ -0,0 +1,73 @@
> +From 5a497077f109d543ab86dfdf8add1c76c0e47d29 Mon Sep 17 00:00:00 2001
> +From: Alexander Alekhin <[email protected]>
> +Date: Fri, 23 Aug 2019 16:14:53 +0300
> +Subject: [PATCH] objdetect: add input check in HOG detector
> +
> +CVE: CVE-2019-15939
> +Upstream-Status: Backport [
> https://github.com/opencv/opencv/commit/5a497077f109d543ab86dfdf8add1c76c0e47d29.patch
> ]
> +Comment: No changes in any hunk
> +
> +Signed-off-by: Neetika Singh <[email protected]>
> +---
> + modules/objdetect/src/hog.cpp | 19 ++++++++++++-------
> + 1 file changed, 12 insertions(+), 7 deletions(-)
> +
> +diff --git a/modules/objdetect/src/hog.cpp b/modules/objdetect/src/hog.cpp
> +index 9524851eebb..378bab30876 100644
> +--- a/modules/objdetect/src/hog.cpp
> ++++ b/modules/objdetect/src/hog.cpp
> +@@ -68,6 +68,7 @@ enum {DESCR_FORMAT_COL_BY_COL, DESCR_FORMAT_ROW_BY_ROW};
> +
> + static int numPartsWithin(int size, int part_size, int stride)
> + {
> ++ CV_Assert(stride != 0);
> + return (size - part_size + stride) / stride;
> + }
> +
> +@@ -80,13 +81,17 @@ static Size numPartsWithin(cv::Size size, cv::Size
> part_size,
> +
> + static size_t getBlockHistogramSize(Size block_size, Size cell_size, int
> nbins)
> + {
> ++ CV_Assert(!cell_size.empty());
> + Size cells_per_block = Size(block_size.width / cell_size.width,
> +- block_size.height / cell_size.height);
> ++ block_size.height / cell_size.height);
> + return (size_t)(nbins * cells_per_block.area());
> + }
> +
> + size_t HOGDescriptor::getDescriptorSize() const
> + {
> ++ CV_Assert(!cellSize.empty());
> ++ CV_Assert(!blockStride.empty());
> ++
> + CV_Assert(blockSize.width % cellSize.width == 0 &&
> + blockSize.height % cellSize.height == 0);
> + CV_Assert((winSize.width - blockSize.width) % blockStride.width == 0
> &&
> +@@ -144,20 +149,20 @@ bool HOGDescriptor::read(FileNode& obj)
> + if( !obj.isMap() )
> + return false;
> + FileNodeIterator it = obj["winSize"].begin();
> +- it >> winSize.width >> winSize.height;
> ++ it >> winSize.width >> winSize.height; CV_Assert(!winSize.empty());
> + it = obj["blockSize"].begin();
> +- it >> blockSize.width >> blockSize.height;
> ++ it >> blockSize.width >> blockSize.height;
> CV_Assert(!blockSize.empty());
> + it = obj["blockStride"].begin();
> +- it >> blockStride.width >> blockStride.height;
> ++ it >> blockStride.width >> blockStride.height;
> CV_Assert(!blockStride.empty());
> + it = obj["cellSize"].begin();
> +- it >> cellSize.width >> cellSize.height;
> +- obj["nbins"] >> nbins;
> ++ it >> cellSize.width >> cellSize.height;
> CV_Assert(!cellSize.empty());
> ++ obj["nbins"] >> nbins; CV_Assert(nbins > 0);
> + obj["derivAperture"] >> derivAperture;
> + obj["winSigma"] >> winSigma;
> + obj["histogramNormType"] >> histogramNormType;
> + obj["L2HysThreshold"] >> L2HysThreshold;
> + obj["gammaCorrection"] >> gammaCorrection;
> +- obj["nlevels"] >> nlevels;
> ++ obj["nlevels"] >> nlevels; CV_Assert(nlevels > 0);
> + if (obj["signedGradient"].empty())
> + signedGradient = false;
> + else
> +
> diff --git a/meta-oe/recipes-support/opencv/opencv/CVE-2019-19624.patch
> b/meta-oe/recipes-support/opencv/opencv/CVE-2019-19624.patch
> new file mode 100644
> index 0000000..923ca2a
> --- /dev/null
> +++ b/meta-oe/recipes-support/opencv/opencv/CVE-2019-19624.patch
> @@ -0,0 +1,157 @@
> +From d1615ba11a93062b1429fce9f0f638d1572d3418 Mon Sep 17 00:00:00 2001
> +From: Thang Tran <[email protected]>
> +Date: Mon, 27 May 2019 08:18:26 +0200
> +Subject: [PATCH] video:fixed DISOpticalFlow segfault from small img
> +
> +CVE: CVE-2019-19624
> +Upstream-Status: Backport [
> https://github.com/opencv/opencv/commit/d1615ba11a93062b1429fce9f0f638d1572d3418.patch
> ]
> +Comment: No changes in any hunk
> +
> +Signed-off-by: Neetika Singh <[email protected]>
> +---
> + modules/video/src/dis_flow.cpp | 67 ++++++++++++++++++++++++-
> + modules/video/test/test_OF_accuracy.cpp | 28 +++++++++++
> + 2 files changed, 93 insertions(+), 2 deletions(-)
> +
> +diff --git a/modules/video/src/dis_flow.cpp
> b/modules/video/src/dis_flow.cpp
> +index a453d8b2b51..806d6f1ddaf 100644
> +--- a/modules/video/src/dis_flow.cpp
> ++++ b/modules/video/src/dis_flow.cpp
> +@@ -140,6 +140,8 @@ class DISOpticalFlowImpl CV_FINAL : public
> DISOpticalFlow
> + void prepareBuffers(Mat &I0, Mat &I1, Mat &flow, bool use_flow);
> + void precomputeStructureTensor(Mat &dst_I0xx, Mat &dst_I0yy, Mat
> &dst_I0xy, Mat &dst_I0x, Mat &dst_I0y, Mat &I0x,
> + Mat &I0y);
> ++ int autoSelectCoarsestScale(int img_width);
> ++ void autoSelectPatchSizeAndScales(int img_width);
> +
> + struct PatchInverseSearch_ParBody : public ParallelLoopBody
> + {
> +@@ -435,6 +437,44 @@ void
> DISOpticalFlowImpl::precomputeStructureTensor(Mat &dst_I0xx, Mat &dst_I0yy,
> + }
> + }
> +
> ++int DISOpticalFlowImpl::autoSelectCoarsestScale(int img_width)
> ++{
> ++ const int fratio = 5;
> ++ return std::max(0, (int)std::floor(log2((2.0f*(float)img_width) /
> ((float)fratio * (float)patch_size))));
> ++}
> ++
> ++void DISOpticalFlowImpl::autoSelectPatchSizeAndScales(int img_width)
> ++{
> ++ switch (finest_scale)
> ++ {
> ++ case 1:
> ++ patch_size = 8;
> ++ coarsest_scale = autoSelectCoarsestScale(img_width);
> ++ finest_scale = std::max(coarsest_scale-2, 0);
> ++ break;
> ++
> ++ case 3:
> ++ patch_size = 12;
> ++ coarsest_scale = autoSelectCoarsestScale(img_width);
> ++ finest_scale = std::max(coarsest_scale-4, 0);
> ++ break;
> ++
> ++ case 4:
> ++ patch_size = 12;
> ++ coarsest_scale = autoSelectCoarsestScale(img_width);
> ++ finest_scale = std::max(coarsest_scale-5, 0);
> ++ break;
> ++
> ++ // default case, fall-through.
> ++ case 2:
> ++ default:
> ++ patch_size = 8;
> ++ coarsest_scale = autoSelectCoarsestScale(img_width);
> ++ finest_scale = std::max(coarsest_scale-2, 0);
> ++ break;
> ++ }
> ++}
> ++
> +
> DISOpticalFlowImpl::PatchInverseSearch_ParBody::PatchInverseSearch_ParBody(DISOpticalFlowImpl
> &_dis, int _nstripes,
> +
> int _hs, Mat &dst_Sx, Mat &dst_Sy,
> +
> Mat &src_Ux, Mat &src_Uy, Mat &_I0, Mat &_I1,
> +@@ -1318,9 +1358,20 @@ bool DISOpticalFlowImpl::ocl_calc(InputArray I0,
> InputArray I1, InputOutputArray
> + else
> + flow.create(I1Mat.size(), CV_32FC2);
> + UMat &u_flowMat = flow.getUMatRef();
> +- coarsest_scale = min((int)(log(max(I0Mat.cols, I0Mat.rows) / (4.0 *
> patch_size)) / log(2.0) + 0.5), /* Original code serach for maximal
> movement of width/4 */
> ++ coarsest_scale = min((int)(log(max(I0Mat.cols, I0Mat.rows) / (4.0 *
> patch_size)) / log(2.0) + 0.5), /* Original code search for maximal
> movement of width/4 */
> + (int)(log(min(I0Mat.cols, I0Mat.rows) /
> patch_size) / log(2.0))); /* Deepest pyramid level greater or
> equal than patch*/
> +
> ++ if (coarsest_scale<0)
> ++ CV_Error(cv::Error::StsBadSize, "The input image must have
> either width or height >= 12");
> ++
> ++ if (coarsest_scale<finest_scale)
> ++ {
> ++ // choose the finest level based on coarsest level.
> ++ // Refs:
> https://github.com/tikroeger/OF_DIS/blob/2c9f2a674f3128d3a41c10e41cc9f3a35bb1b523/run_dense.cpp#L239
> ++ int original_img_width = I0.size().width;
> ++ autoSelectPatchSizeAndScales(original_img_width);
> ++ }
> ++
> + ocl_prepareBuffers(I0Mat, I1Mat, u_flowMat, use_input_flow);
> + u_Ux[coarsest_scale].setTo(0.0f);
> + u_Uy[coarsest_scale].setTo(0.0f);
> +@@ -1385,8 +1436,20 @@ void DISOpticalFlowImpl::calc(InputArray I0,
> InputArray I1, InputOutputArray flo
> + else
> + flow.create(I1Mat.size(), CV_32FC2);
> + Mat flowMat = flow.getMat();
> +- coarsest_scale = min((int)(log(max(I0Mat.cols, I0Mat.rows) / (4.0 *
> patch_size)) / log(2.0) + 0.5), /* Original code serach for maximal
> movement of width/4 */
> ++ coarsest_scale = min((int)(log(max(I0Mat.cols, I0Mat.rows) / (4.0 *
> patch_size)) / log(2.0) + 0.5), /* Original code search for maximal
> movement of width/4 */
> + (int)(log(min(I0Mat.cols, I0Mat.rows) /
> patch_size) / log(2.0))); /* Deepest pyramid level greater or
> equal than patch*/
> ++
> ++ if (coarsest_scale<0)
> ++ CV_Error(cv::Error::StsBadSize, "The input image must have
> either width or height >= 12");
> ++
> ++ if (coarsest_scale<finest_scale)
> ++ {
> ++ // choose the finest level based on coarsest level.
> ++ // Refs:
> https://github.com/tikroeger/OF_DIS/blob/2c9f2a674f3128d3a41c10e41cc9f3a35bb1b523/run_dense.cpp#L239
> ++ int original_img_width = I0.size().width;
> ++ autoSelectPatchSizeAndScales(original_img_width);
> ++ }
> ++
> + int num_stripes = getNumThreads();
> +
> + prepareBuffers(I0Mat, I1Mat, flowMat, use_input_flow);
> +diff --git a/modules/video/test/test_OF_accuracy.cpp
> b/modules/video/test/test_OF_accuracy.cpp
> +index affbab65866..b99ffce2a8b 100644
> +--- a/modules/video/test/test_OF_accuracy.cpp
> ++++ b/modules/video/test/test_OF_accuracy.cpp
> +@@ -121,6 +121,34 @@ TEST(DenseOpticalFlow_DIS, ReferenceAccuracy)
> + }
> + }
> +
> ++TEST(DenseOpticalFlow_DIS, InvalidImgSize_CoarsestLevelLessThanZero)
> ++{
> ++ cv::Ptr<cv::DISOpticalFlow> of = cv::DISOpticalFlow::create();
> ++ const int mat_size = 10;
> ++
> ++ cv::Mat x(mat_size, mat_size, CV_8UC1, 42);
> ++ cv::Mat y(mat_size, mat_size, CV_8UC1, 42);
> ++ cv::Mat flow;
> ++
> ++ ASSERT_THROW(of->calc(x, y, flow), cv::Exception);
> ++}
> ++
> ++// make sure that autoSelectPatchSizeAndScales() works properly.
> ++TEST(DenseOpticalFlow_DIS,
> InvalidImgSize_CoarsestLevelLessThanFinestLevel)
> ++{
> ++ cv::Ptr<cv::DISOpticalFlow> of = cv::DISOpticalFlow::create();
> ++ const int mat_size = 80;
> ++
> ++ cv::Mat x(mat_size, mat_size, CV_8UC1, 42);
> ++ cv::Mat y(mat_size, mat_size, CV_8UC1, 42);
> ++ cv::Mat flow;
> ++
> ++ of->calc(x, y, flow);
> ++
> ++ ASSERT_EQ(flow.rows, mat_size);
> ++ ASSERT_EQ(flow.cols, mat_size);
> ++}
> ++
> + TEST(DenseOpticalFlow_VariationalRefinement, ReferenceAccuracy)
> + {
> + Mat frame1, frame2, GT;
> +
> diff --git a/meta-oe/recipes-support/opencv/opencv_4.1.0.bb
> b/meta-oe/recipes-support/opencv/opencv_4.1.0.bb
> index d781da6..de708fd 100644
> --- a/meta-oe/recipes-support/opencv/opencv_4.1.0.bb
> +++ b/meta-oe/recipes-support/opencv/opencv_4.1.0.bb
> @@ -50,6 +50,10 @@ SRC_URI = "git://
> github.com/opencv/opencv.git;name=opencv \
> file://0001-Dont-use-isystem.patch \
>
> file://0001-carotene-Replace-ipcp-unit-growth-with-ipa-cp-unit-g.patch \
> file://download.patch \
> + file://CVE-2019-14491.patch \
> + file://CVE-2019-14493.patch \
> + file://CVE-2019-15939.patch \
> + file://CVE-2019-19624.patch \
> "
> PV = "4.1.0"
>
> --
> 2.7.4
>
> This message contains information that may be privileged or confidential
> and is the property of the KPIT Technologies Ltd. It is intended only for
> the person to whom it is addressed. If you are not the intended recipient,
> you are not authorized to read, print, retain copy, disseminate,
> distribute, or use this message or any part thereof. If you receive this
> message in error, please notify the sender immediately and delete all
> copies of this message. KPIT Technologies Ltd. does not accept any
> liability for virus infected mails.
>
>
>
>
-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#90232):
https://lists.openembedded.org/g/openembedded-devel/message/90232
Mute This Topic: https://lists.openembedded.org/mt/81205453/21656
Group Owner: [email protected]
Unsubscribe: https://lists.openembedded.org/g/openembedded-devel/unsub
[[email protected]]
-=-=-=-=-=-=-=-=-=-=-=-
