From 10b6475cf2efa26f9caf98a3a6e4ebd54875a75e Mon Sep 17 00:00:00 2001
From: Vijay Anusuri <vanusuri@mvista.com>
Date: Tue, 2 Sep 2025 10:24:17 +0530
Subject: openjpeg: Fix CVE-2025-50952

Upstream commit:
https://github.com/uclouvain/openjpeg/commit/d903fbb4ab9ccf9b96c8bc7398fafc0007505a37

Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
---
 .../openjpeg/openjpeg/CVE-2025-50952.patch         | 32 ++++++++++++++++++++++
 .../recipes-graphics/openjpeg/openjpeg_2.4.0.bb    |  1 +
 2 files changed, 33 insertions(+)
 create mode 100644 meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2025-50952.patch

diff --git a/meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2025-50952.patch b/meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2025-50952.patch
new file mode 100644
index 0000000000..6d16b37980
--- /dev/null
+++ b/meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2025-50952.patch
@@ -0,0 +1,32 @@
+From d903fbb4ab9ccf9b96c8bc7398fafc0007505a37 Mon Sep 17 00:00:00 2001
+From: Even Rouault <even.rouault@spatialys.com>
+Date: Sun, 18 Feb 2024 17:17:00 +0100
+Subject: [PATCH] opj_dwt_decode_tile(): avoid potential
+ UndefinedBehaviorSanitizer 'applying zero offset to null pointer' (fixes
+ #1505)
+
+Upstream-Status: Backport [https://github.com/uclouvain/openjpeg/commit/d903fbb4ab9ccf9b96c8bc7398fafc0007505a37]
+CVE: CVE-2025-50952
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ src/lib/openjp2/dwt.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/src/lib/openjp2/dwt.c b/src/lib/openjp2/dwt.c
+index 4164ba09..f42c47b6 100644
+--- a/src/lib/openjp2/dwt.c
++++ b/src/lib/openjp2/dwt.c
+@@ -2080,7 +2080,9 @@ static OPJ_BOOL opj_dwt_decode_tile(opj_thread_pool_t* tp,
+     OPJ_SIZE_T h_mem_size;
+     int num_threads;
+ 
+-    if (numres == 1U) {
++    /* Not entirely sure for the return code of w == 0 which is triggered per */
++    /* https://github.com/uclouvain/openjpeg/issues/1505 */
++    if (numres == 1U || w == 0) {
+         return OPJ_TRUE;
+     }
+     num_threads = opj_thread_pool_get_thread_count(tp);
+-- 
+2.25.1
+
diff --git a/meta-oe/recipes-graphics/openjpeg/openjpeg_2.4.0.bb b/meta-oe/recipes-graphics/openjpeg/openjpeg_2.4.0.bb
index feecb957ba..fbfbab7aaf 100644
--- a/meta-oe/recipes-graphics/openjpeg/openjpeg_2.4.0.bb
+++ b/meta-oe/recipes-graphics/openjpeg/openjpeg_2.4.0.bb
@@ -15,6 +15,7 @@ SRC_URI = " \
     file://0001-sycc422_to_rgb-fix-out-of-bounds-read-accesses-when-.patch \
     file://0001-opj_j2k_add_tlmarker-validate-that-current-tile-part.patch \
     file://CVE-2023-39327.patch \
+    file://CVE-2025-50952.patch \
 "
 SRCREV = "37ac30ceff6640bbab502388c5e0fa0bff23f505"
 S = "${WORKDIR}/git"
-- 
cgit v1.2.3-54-g00ecf