2 files changed, 79 insertions, 0 deletions
diff --git a/meta-oe/recipes-support/opencv/opencv/CVE-2019-5063_and_2019-5064.patch b/meta-oe/recipes-support/opencv/opencv/CVE-2019-5063_and_2019-5064.patch
new file mode 100644
index 0000000000..b4d5e6dc44
--- /dev/null
+++ b/meta-oe/recipes-support/opencv/opencv/CVE-2019-5063_and_2019-5064.patch
@@ -0,0 +1,78 @@
+From f42d5399aac80d371b17d689851406669c9b9111 Mon Sep 17 00:00:00 2001
+From: Alexander Alekhin <alexander.alekhin@intel.com>
+Date: Thu, 7 Nov 2019 14:01:51 +0300
+Subject: [PATCH] core(persistence): add more checks for implementation
+ limitations
+Signed-off-by: akash hadke <akash.hadke@kpit.com>
+---
+ modules/core/src/persistence_json.cpp | 8 ++++++++
+ modules/core/src/persistence_xml.cpp  | 6 ++++--
+ 2 files changed, 12 insertions(+), 2 deletions(-)
+---
+CVE: CVE-2019-5063
+CVE: CVE-2019-5064
+Upstream-Status: Backport [https://github.com/opencv/opencv/commit/f42d5399aac80d371b17d689851406669c9b9111.patch]
+---
+diff --git a/modules/core/src/persistence_json.cpp b/modules/core/src/persistence_json.cpp
+index 89914e6534f..2efdf17d3f5 100644
+--- a/modules/core/src/persistence_json.cpp
+++ b/modules/core/src/persistence_json.cpp
+@@ -578,10 +578,14 @@ class JSONParser : public FileStorageParser
+                             sz = (int)(ptr - beg);
+                             if( sz > 0 )
+                             {
+                                if (i + sz >= CV_FS_MAX_LEN)
+                                    CV_PARSE_ERROR_CPP("string is too long");
+                                 memcpy(buf + i, beg, sz);
+                                 i += sz;
+                             }
+                             ptr++;
+                            if (i + 1 >= CV_FS_MAX_LEN)
+                                CV_PARSE_ERROR_CPP("string is too long");
+                             switch ( *ptr )
+                             {
+                             case '\\':
+@@ -605,6 +609,8 @@ class JSONParser : public FileStorageParser
+                             sz = (int)(ptr - beg);
+                             if( sz > 0 )
+                             {
+                                if (i + sz >= CV_FS_MAX_LEN)
+                                    CV_PARSE_ERROR_CPP("string is too long");
+                                 memcpy(buf + i, beg, sz);
+                                 i += sz;
+                             }
+@@ -620,6 +626,8 @@ class JSONParser : public FileStorageParser
+                             sz = (int)(ptr - beg);
+                             if( sz > 0 )
+                             {
+                                if (i + sz >= CV_FS_MAX_LEN)
+                                    CV_PARSE_ERROR_CPP("string is too long");
+                                 memcpy(buf + i, beg, sz);
+                                 i += sz;
+                             }
+diff --git a/modules/core/src/persistence_xml.cpp b/modules/core/src/persistence_xml.cpp
+index 89876dd3da8..52b53744254 100644
+--- a/modules/core/src/persistence_xml.cpp
+++ b/modules/core/src/persistence_xml.cpp
+@@ -627,6 +627,8 @@ class XMLParser : public FileStorageParser
+                                         c = '\"';
+                                     else
+                                     {
+                                        if (len + 2 + i >= CV_FS_MAX_LEN)
+                                            CV_PARSE_ERROR_CPP("string is too long");
+                                         memcpy( strbuf + i, ptr-1, len + 2 );
+                                         i += len + 2;
+                                     }
+@@ -635,9 +637,9 @@ class XMLParser : public FileStorageParser
+                                 CV_PERSISTENCE_CHECK_END_OF_BUFFER_BUG_CPP();
+                             }
+                         }
+                        if (i + 1 >= CV_FS_MAX_LEN)
+                            CV_PARSE_ERROR_CPP("Too long string literal");
+                         strbuf[i++] = c;
+-                        if( i >= CV_FS_MAX_LEN )
+-                            CV_PARSE_ERROR_CPP( "Too long string literal" );
+                     }
+                     elem->setValue(FileNode::STRING, strbuf, i);
+                 }
diff --git a/meta-oe/recipes-support/opencv/opencv_4.1.0.bb b/meta-oe/recipes-support/opencv/opencv_4.1.0.bb
index de708fd06d..19d5d0c891 100644
--- a/meta-oe/recipes-support/opencv/opencv_4.1.0.bb
+++ b/meta-oe/recipes-support/opencv/opencv_4.1.0.bb
@@ -54,6 +54,7 @@ SRC_URI = "git://github.com/opencv/opencv.git;name=opencv \
           file://CVE-2019-14493.patch \
           file://CVE-2019-15939.patch \
           file://CVE-2019-19624.patch \
+           file://CVE-2019-5063_and_2019-5064.patch \
           "
 PV = "4.1.0"

diff --git a/meta-oe/recipes-support/opencv/opencv/CVE-2019-5063_and_2019-5064.patch b/meta-oe/recipes-support/opencv/opencv/CVE-2019-5063_and_2019-5064.patch new file mode 100644 index 0000000000..b4d5e6dc44 --- /dev/null +++ b/meta-oe/recipes-support/opencv/opencv/CVE-2019-5063_and_2019-5064.patch
@@ -0,0 +1,78 @@
		1	From f42d5399aac80d371b17d689851406669c9b9111 Mon Sep 17 00:00:00 2001
		2	From: Alexander Alekhin <alexander.alekhin@intel.com>
		3	Date: Thu, 7 Nov 2019 14:01:51 +0300
		4	Subject: [PATCH] core(persistence): add more checks for implementation
		5	limitations
		6
		7	Signed-off-by: akash hadke <akash.hadke@kpit.com>
		8	---
		9	modules/core/src/persistence_json.cpp \| 8 ++++++++
		10	modules/core/src/persistence_xml.cpp \| 6 ++++--
		11	2 files changed, 12 insertions(+), 2 deletions(-)
		12	---
		13	CVE: CVE-2019-5063
		14	CVE: CVE-2019-5064
		15	Upstream-Status: Backport [https://github.com/opencv/opencv/commit/f42d5399aac80d371b17d689851406669c9b9111.patch]
		16	---
		17	diff --git a/modules/core/src/persistence_json.cpp b/modules/core/src/persistence_json.cpp
		18	index 89914e6534f..2efdf17d3f5 100644
		19	--- a/modules/core/src/persistence_json.cpp
		20	+++ b/modules/core/src/persistence_json.cpp
		21	@@ -578,10 +578,14 @@ class JSONParser : public FileStorageParser
		22	sz = (int)(ptr - beg);
		23	if( sz > 0 )
		24	{
		25	+ if (i + sz >= CV_FS_MAX_LEN)
		26	+ CV_PARSE_ERROR_CPP("string is too long");
		27	memcpy(buf + i, beg, sz);
		28	i += sz;
		29	}
		30	ptr++;
		31	+ if (i + 1 >= CV_FS_MAX_LEN)
		32	+ CV_PARSE_ERROR_CPP("string is too long");
		33	switch ( *ptr )
		34	{
		35	case '\\':
		36	@@ -605,6 +609,8 @@ class JSONParser : public FileStorageParser
		37	sz = (int)(ptr - beg);
		38	if( sz > 0 )
		39	{
		40	+ if (i + sz >= CV_FS_MAX_LEN)
		41	+ CV_PARSE_ERROR_CPP("string is too long");
		42	memcpy(buf + i, beg, sz);
		43	i += sz;
		44	}
		45	@@ -620,6 +626,8 @@ class JSONParser : public FileStorageParser
		46	sz = (int)(ptr - beg);
		47	if( sz > 0 )
		48	{
		49	+ if (i + sz >= CV_FS_MAX_LEN)
		50	+ CV_PARSE_ERROR_CPP("string is too long");
		51	memcpy(buf + i, beg, sz);
		52	i += sz;
		53	}
		54	diff --git a/modules/core/src/persistence_xml.cpp b/modules/core/src/persistence_xml.cpp
		55	index 89876dd3da8..52b53744254 100644
		56	--- a/modules/core/src/persistence_xml.cpp
		57	+++ b/modules/core/src/persistence_xml.cpp
		58	@@ -627,6 +627,8 @@ class XMLParser : public FileStorageParser
		59	c = '\"';
		60	else
		61	{
		62	+ if (len + 2 + i >= CV_FS_MAX_LEN)
		63	+ CV_PARSE_ERROR_CPP("string is too long");
		64	memcpy( strbuf + i, ptr-1, len + 2 );
		65	i += len + 2;
		66	}
		67	@@ -635,9 +637,9 @@ class XMLParser : public FileStorageParser
		68	CV_PERSISTENCE_CHECK_END_OF_BUFFER_BUG_CPP();
		69	}
		70	}
		71	+ if (i + 1 >= CV_FS_MAX_LEN)
		72	+ CV_PARSE_ERROR_CPP("Too long string literal");
		73	strbuf[i++] = c;
		74	- if( i >= CV_FS_MAX_LEN )
		75	- CV_PARSE_ERROR_CPP( "Too long string literal" );
		76	}
		77	elem->setValue(FileNode::STRING, strbuf, i);
		78	}


diff --git a/meta-oe/recipes-support/opencv/opencv_4.1.0.bb b/meta-oe/recipes-support/opencv/opencv_4.1.0.bb index de708fd06d..19d5d0c891 100644 --- a/meta-oe/recipes-support/opencv/opencv_4.1.0.bb +++ b/meta-oe/recipes-support/opencv/opencv_4.1.0.bb
@@ -54,6 +54,7 @@ SRC_URI = "git://github.com/opencv/opencv.git;name=opencv \
54	file://CVE-2019-14493.patch \	54	file://CVE-2019-14493.patch \
55	file://CVE-2019-15939.patch \	55	file://CVE-2019-15939.patch \
56	file://CVE-2019-19624.patch \	56	file://CVE-2019-19624.patch \
		57	file://CVE-2019-5063_and_2019-5064.patch \
57	"	58	"
58	PV = "4.1.0"	59	PV = "4.1.0"
59		60