From 291fc3e7fc87ab62397b1e87c49bd79f87436235 Mon Sep 17 00:00:00 2001
From: Zhang Peng
Date: Tue, 14 Jan 2025 18:09:10 +0800
Subject: openjpeg: fix CVE-2024-56827

CVE-2024-56827: A flaw was found in the OpenJPEG project. A heap buffer overflow condition may be triggered when certain options are specified while using the opj_decompress utility. This can lead to an application crash or other undefined behavior.
Reference: [https://nvd.nist.gov/vuln/detail/CVE-2024-56827] [https://github.com/uclouvain/openjpeg/issues/1564]
Upstream patches: [https://github.com/uclouvain/openjpeg/commit/e492644fbded4c820ca55b5e50e598d346e850e8]
Signed-off-by: Zhang Peng
Signed-off-by: Armin Kuster
---
 ..._tlmarker-validate-that-current-tile-part.patch | 33 ++++++++++++++++++++++
 .../recipes-graphics/openjpeg/openjpeg_2.4.0.bb | 1 +
 2 files changed, 34 insertions(+)
 create mode 100644 meta-oe/recipes-graphics/openjpeg/openjpeg/0001-opj_j2k_add_tlmarker-validate-that-current-tile-part.patch

diff --git a/meta-oe/recipes-graphics/openjpeg/openjpeg/0001-opj_j2k_add_tlmarker-validate-that-current-tile-part.patch b/meta-oe/recipes-graphics/openjpeg/openjpeg/0001-opj_j2k_add_tlmarker-validate-that-current-tile-part.patch
new file mode 100644
index 0000000000..f959a65d94
--- /dev/null
+++ b/meta-oe/recipes-graphics/openjpeg/openjpeg/0001-opj_j2k_add_tlmarker-validate-that-current-tile-part.patch
@@ -0,0 +1,33 @@
+From b343d72eb4c4b776b4925b441d18abf6a20b42a7 Mon Sep 17 00:00:00 2001
+From: Even Rouault
+Date: Mon, 25 Nov 2024 22:02:54 +0100
+Subject: [PATCH] opj_j2k_add_tlmarker(): validate that current tile-part
+ number if smaller that total number of tile-parts
+
+Fixes #1564
+
+CVE: CVE-2024-56827
+Upstream-Status: Backport [https://github.com/uclouvain/openjpeg/commit/e492644fbded4c820ca55b5e50e598d346e850e8]
+
+Signed-off-by: Zhang Peng
+---
+ src/lib/openjp2/j2k.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/src/lib/openjp2/j2k.c b/src/lib/openjp2/j2k.c
+index 8e343ab2..08f771a5 100644
+--- a/src/lib/openjp2/j2k.c
++++ b/src/lib/openjp2/j2k.c
+@@ -8227,7 +8227,8 @@ static OPJ_BOOL opj_j2k_add_tlmarker(OPJ_UINT32 tileno,
+ if (type == J2K_MS_SOT) {
+ OPJ_UINT32 l_current_tile_part = cstr_index->tile_index[tileno].current_tpsno;
+
+- if (cstr_index->tile_index[tileno].tp_index) {
++ if (cstr_index->tile_index[tileno].tp_index &&
++ l_current_tile_part < cstr_index->tile_index[tileno].nb_tps) {
+ cstr_index->tile_index[tileno].tp_index[l_current_tile_part].start_pos = pos;
+ }
+
+--
+2.39.4
+
diff --git a/meta-oe/recipes-graphics/openjpeg/openjpeg_2.4.0.bb b/meta-oe/recipes-graphics/openjpeg/openjpeg_2.4.0.bb
index 9c0fe0e30f..871b324dff 100644
--- a/meta-oe/recipes-graphics/openjpeg/openjpeg_2.4.0.bb
+++ b/meta-oe/recipes-graphics/openjpeg/openjpeg_2.4.0.bb
@@ -13,6 +13,7 @@ SRC_URI = " \
 file://CVE-2022-1122.patch \
 file://CVE-2021-3575.patch \
 file://0001-sycc422_to_rgb-fix-out-of-bounds-read-accesses-when-.patch \
+ file://0001-opj_j2k_add_tlmarker-validate-that-current-tile-part.patch \
 "
 SRCREV = "37ac30ceff6640bbab502388c5e0fa0bff23f505"
 S = "${WORKDIR}/git"
--
cgit v1.2.3-54-g00ecf
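Review bot: The new bound in `opj_j2k_add_tlmarker()` is only sound if `tp_index` was allocated with at least `nb_tps` entries, and neither that allocation nor any range check on `tileno` (used to index `tile_index[]` on the same lines) is visible in the backported hunk. Both should be confirmed against the 2.4.0 sources pinned by `SRCREV`, not assumed from the upstream tree the fix was written for. An out-of-range tile-part number is now skipped silently, which stops the out-of-bounds write to `start_pos` but leaves no trace that a presumably malformed codestream was seen. I would record the assumption next to the condition, e.g. `/* ignore a tile-part number >= nb_tps; relies on tp_index holding at least nb_tps entries */`, accepting the small divergence from the upstream commit. The function body begins and ends outside the hunk.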