2 files changed, 33 insertions, 0 deletions
diff --git a/meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2025-50952.patch b/meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2025-50952.patch
new file mode 100644
index 0000000000..6d16b37980
--- /dev/null
+++ b/meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2025-50952.patch
@@ -0,0 +1,32 @@
+From d903fbb4ab9ccf9b96c8bc7398fafc0007505a37 Mon Sep 17 00:00:00 2001
+From: Even Rouault <even.rouault@spatialys.com>
+Date: Sun, 18 Feb 2024 17:17:00 +0100
+Subject: [PATCH] opj_dwt_decode_tile(): avoid potential
+ UndefinedBehaviorSanitizer 'applying zero offset to null pointer' (fixes
+ #1505)
+Upstream-Status: Backport [https://github.com/uclouvain/openjpeg/commit/d903fbb4ab9ccf9b96c8bc7398fafc0007505a37]
+CVE: CVE-2025-50952
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ src/lib/openjp2/dwt.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+diff --git a/src/lib/openjp2/dwt.c b/src/lib/openjp2/dwt.c
+index 4164ba09..f42c47b6 100644
+--- a/src/lib/openjp2/dwt.c
+++ b/src/lib/openjp2/dwt.c
+@@ -2080,7 +2080,9 @@ static OPJ_BOOL opj_dwt_decode_tile(opj_thread_pool_t* tp,
+     OPJ_SIZE_T h_mem_size;
+     int num_threads;
+ 
+-    if (numres == 1U) {
+    /* Not entirely sure for the return code of w == 0 which is triggered per */
+    /* https://github.com/uclouvain/openjpeg/issues/1505 */
+    if (numres == 1U || w == 0) {
+         return OPJ_TRUE;
+     }
+     num_threads = opj_thread_pool_get_thread_count(tp);
+-- 
+2.25.1
diff --git a/meta-oe/recipes-graphics/openjpeg/openjpeg_2.4.0.bb b/meta-oe/recipes-graphics/openjpeg/openjpeg_2.4.0.bb
index feecb957ba..fbfbab7aaf 100644
--- a/meta-oe/recipes-graphics/openjpeg/openjpeg_2.4.0.bb
+++ b/meta-oe/recipes-graphics/openjpeg/openjpeg_2.4.0.bb
@@ -15,6 +15,7 @@ SRC_URI = " \
    file://0001-sycc422_to_rgb-fix-out-of-bounds-read-accesses-when-.patch \
    file://0001-opj_j2k_add_tlmarker-validate-that-current-tile-part.patch \
    file://CVE-2023-39327.patch \
+    file://CVE-2025-50952.patch \
 "
 SRCREV = "37ac30ceff6640bbab502388c5e0fa0bff23f505"
 S = "${WORKDIR}/git"

diff --git a/meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2025-50952.patch b/meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2025-50952.patch new file mode 100644 index 0000000000..6d16b37980 --- /dev/null +++ b/meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2025-50952.patch
@@ -0,0 +1,32 @@
		1	From d903fbb4ab9ccf9b96c8bc7398fafc0007505a37 Mon Sep 17 00:00:00 2001
		2	From: Even Rouault <even.rouault@spatialys.com>
		3	Date: Sun, 18 Feb 2024 17:17:00 +0100
		4	Subject: [PATCH] opj_dwt_decode_tile(): avoid potential
		5	UndefinedBehaviorSanitizer 'applying zero offset to null pointer' (fixes
		6	#1505)
		7
		8	Upstream-Status: Backport [https://github.com/uclouvain/openjpeg/commit/d903fbb4ab9ccf9b96c8bc7398fafc0007505a37]
		9	CVE: CVE-2025-50952
		10	Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
		11	---
		12	src/lib/openjp2/dwt.c \| 4 +++-
		13	1 file changed, 3 insertions(+), 1 deletion(-)
		14
		15	diff --git a/src/lib/openjp2/dwt.c b/src/lib/openjp2/dwt.c
		16	index 4164ba09..f42c47b6 100644
		17	--- a/src/lib/openjp2/dwt.c
		18	+++ b/src/lib/openjp2/dwt.c
		19	@@ -2080,7 +2080,9 @@ static OPJ_BOOL opj_dwt_decode_tile(opj_thread_pool_t* tp,
		20	OPJ_SIZE_T h_mem_size;
		21	int num_threads;
		22
		23	- if (numres == 1U) {
		24	+ /* Not entirely sure for the return code of w == 0 which is triggered per */
		25	+ /* https://github.com/uclouvain/openjpeg/issues/1505 */
		26	+ if (numres == 1U \|\| w == 0) {
		27	return OPJ_TRUE;
		28	}
		29	num_threads = opj_thread_pool_get_thread_count(tp);
		30	--
		31	2.25.1
		32


diff --git a/meta-oe/recipes-graphics/openjpeg/openjpeg_2.4.0.bb b/meta-oe/recipes-graphics/openjpeg/openjpeg_2.4.0.bb index feecb957ba..fbfbab7aaf 100644 --- a/meta-oe/recipes-graphics/openjpeg/openjpeg_2.4.0.bb +++ b/meta-oe/recipes-graphics/openjpeg/openjpeg_2.4.0.bb
@@ -15,6 +15,7 @@ SRC_URI = " \
15	file://0001-sycc422_to_rgb-fix-out-of-bounds-read-accesses-when-.patch \	15	file://0001-sycc422_to_rgb-fix-out-of-bounds-read-accesses-when-.patch \
16	file://0001-opj_j2k_add_tlmarker-validate-that-current-tile-part.patch \	16	file://0001-opj_j2k_add_tlmarker-validate-that-current-tile-part.patch \
17	file://CVE-2023-39327.patch \	17	file://CVE-2023-39327.patch \
		18	file://CVE-2025-50952.patch \
18	"	19	"
19	SRCREV = "37ac30ceff6640bbab502388c5e0fa0bff23f505"	20	SRCREV = "37ac30ceff6640bbab502388c5e0fa0bff23f505"
20	S = "${WORKDIR}/git"	21	S = "${WORKDIR}/git"