From 2a486ee7cdd88887a671c442db7c632f851a4c97 Mon Sep 17 00:00:00 2001
From: Vijay Anusuri
Date: Tue, 28 Jan 2025 18:24:12 +0530
Subject: openjpeg: Backport fix CVE-2023-39327
Upstream commit: https://github.com/uclouvain/openjpeg/commit/c58bc128b4f770e7c89bc8ba3d0273b9a3904aad
Reference: https://github.com/uclouvain/openjpeg/pull/1547
Signed-off-by: Vijay Anusuri
Signed-off-by: Armin Kuster
---
 .../openjpeg/openjpeg/CVE-2023-39327.patch | 82 ++++++++++++++++++++++
 .../recipes-graphics/openjpeg/openjpeg_2.4.0.bb | 1 +
 2 files changed, 83 insertions(+)
 create mode 100644 meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2023-39327.patch
diff --git a/meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2023-39327.patch b/meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2023-39327.patch
new file mode 100644
index 0000000000..2d485c050d
--- /dev/null
+++ b/meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2023-39327.patch
@@ -0,0 +1,82 @@
+From c58bc128b4f770e7c89bc8ba3d0273b9a3904aad Mon Sep 17 00:00:00 2001
+From: mayeut
+Date: Sat, 17 Aug 2024 15:59:56 +0200
+Subject: [PATCH] fix: when EPH markers are specified, they are required.
+
+reference from Rec. ITU-T T.800 (06/2019):
+- Table A.13 – Coding style parameter values for the Scod parameter
+- Section A.8.1 Start of packet (SOP)
+- Section A.8.2 End of packet header (EPH)
+
+Upstream-Status: Backport [https://github.com/uclouvain/openjpeg/commit/c58bc128b4f770e7c89bc8ba3d0273b9a3904aad]
+CVE: CVE-2023-39327
+Signed-off-by: Vijay Anusuri
+---
+ src/lib/openjp2/t2.c | 19 +++++++++++++------
+ tests/nonregression/test_suite.ctest.in | 3 +++
+ 2 files changed, 16 insertions(+), 6 deletions(-)
+
+diff --git a/src/lib/openjp2/t2.c b/src/lib/openjp2/t2.c
+index 1481e16f..b7ffd5fb 100644
+--- a/src/lib/openjp2/t2.c
++++ b/src/lib/openjp2/t2.c
+@@ -1110,6 +1110,7 @@ static OPJ_BOOL opj_t2_read_packet_header(opj_t2_t* p_t2,
+ /* SOP markers */
+
+ if (p_tcp->csty & J2K_CP_CSTY_SOP) {
++ /* SOP markers are allowed (i.e. optional), just warn */
+ if (p_max_length < 6) {
+ opj_event_msg(p_manager, EVT_WARNING,
+ "Not enough space for expected SOP marker\n");
+@@ -1162,12 +1163,15 @@ static OPJ_BOOL opj_t2_read_packet_header(opj_t2_t* p_t2,
+
+ /* EPH markers */
+ if (p_tcp->csty & J2K_CP_CSTY_EPH) {
++ /* EPH markers are required */
+ if ((*l_modified_length_ptr - (OPJ_UINT32)(l_header_data -
+ *l_header_data_start)) < 2U) {
+- opj_event_msg(p_manager, EVT_WARNING,
+- "Not enough space for expected EPH marker\n");
++ opj_event_msg(p_manager, EVT_ERROR,
++ "Not enough space for required EPH marker\n");
++ return OPJ_FALSE;
+ } else if ((*l_header_data) != 0xff || (*(l_header_data + 1) != 0x92)) {
+- opj_event_msg(p_manager, EVT_WARNING, "Expected EPH marker\n");
++ opj_event_msg(p_manager, EVT_ERROR, "Expected EPH marker\n");
++ return OPJ_FALSE;
+ } else {
+ l_header_data += 2;
+ }
+@@ -1301,12 +1305,15 @@ static OPJ_BOOL opj_t2_read_packet_header(opj_t2_t* p_t2,
+
+ /* EPH markers */
+ if (p_tcp->csty & J2K_CP_CSTY_EPH) {
++ /* EPH markers are required */
+ if ((*l_modified_length_ptr - (OPJ_UINT32)(l_header_data -
+ *l_header_data_start)) < 2U) {
+- opj_event_msg(p_manager, EVT_WARNING,
+- "Not enough space for expected EPH marker\n");
++ opj_event_msg(p_manager, EVT_ERROR,
++ "Not enough space for required EPH marker\n");
++ return OPJ_FALSE;
+ } else if ((*l_header_data) != 0xff || (*(l_header_data + 1) != 0x92)) {
+- opj_event_msg(p_manager, EVT_WARNING, "Expected EPH marker\n");
++ opj_event_msg(p_manager, EVT_ERROR, "Expected EPH marker\n");
++ return OPJ_FALSE;
+ } else {
+ l_header_data += 2;
+ }
+diff --git a/tests/nonregression/test_suite.ctest.in b/tests/nonregression/test_suite.ctest.in
+index 72155329..78a7a783 100644
+--- a/tests/nonregression/test_suite.ctest.in
++++ b/tests/nonregression/test_suite.ctest.in
+@@ -647,3 +647,6 @@ opj_decompress -i @INPUT_NR_PATH@/tnsot_zero.jp2 -o @TEMP_PATH@/tnsot_zero.png
+ !opj_decompress -i @INPUT_NR_PATH@/oss-fuzz2785.jp2 -o @TEMP_PATH@/oss-fuzz2785.png
+
+ opj_decompress -i @INPUT_NR_PATH@/tnsot_zero_missing_eoc.jp2 -o @TEMP_PATH@/tnsot_zero_missing_eoc.png
++
++# missing EPH Marker
++!opj_decompress -i @INPUT_NR_PATH@/issue1472-bigloop.j2k -o @TEMP_PATH@/issue1472-bigloop.raw
+--
+2.25.1
+
diff --git a/meta-oe/recipes-graphics/openjpeg/openjpeg_2.4.0.bb b/meta-oe/recipes-graphics/openjpeg/openjpeg_2.4.0.bb
index 871b324dff..feecb957ba 100644
--- a/meta-oe/recipes-graphics/openjpeg/openjpeg_2.4.0.bb
+++ b/meta-oe/recipes-graphics/openjpeg/openjpeg_2.4.0.bb
@@ -14,6 +14,7 @@ SRC_URI = " \
 file://CVE-2021-3575.patch \
 file://0001-sycc422_to_rgb-fix-out-of-bounds-read-accesses-when-.patch \
 file://0001-opj_j2k_add_tlmarker-validate-that-current-tile-part.patch \
+ file://CVE-2023-39327.patch \
 "
 SRCREV = "37ac30ceff6640bbab502388c5e0fa0bff23f505"
 S = "${WORKDIR}/git"
--
cgit v1.2.3-54-g00ecf
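Review bot: The backported t2.c change makes a missing or truncated EPH marker fatal (`EVT_ERROR` plus `return OPJ_FALSE`) in both EPH blocks of opj_t2_read_packet_header, so a codestream that sets J2K_CP_CSTY_EPH but omits the marker, which the 2.4.0 decoder previously accepted with a warning, will now be rejected. The commit message should record that behaviour change, for example `Note: streams that advertise EPH markers but omit them now fail to decode instead of producing a warning.` The regression case appended to test_suite.ctest.in depends on `issue1472-bigloop.j2k`, which this patch does not add, so unless the test data is fetched elsewhere (not visible here) the fix is not exercised by this layer. The inner hunk offsets and `index 1481e16f..b7ffd5fb` look carried over from the upstream commit, so it is worth confirming that the patch applies to SRCREV 37ac30ceff6640bbab502388c5e0fa0bff23f505 without fuzz. opj_t2_read_packet_header begins and ends outside the inner hunks.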