openjpeg: fix CVE-2024-56827

Source: meta-openembedded MR: 171655, 170728 Type: Security Fix Disposition: Merged from meta-openembedded ChangeID: 291fc3e Description: CVE-2024-56827: A flaw was found in the OpenJPEG project. A heap buffer overflow condition may be triggered when certain options are specified while using the opj_decompress utility. This can lead to an application crash or other undefined behavior. Reference: [https://nvd.nist.gov/vuln/detail/CVE-2024-56827] [uclouvain/openjpeg#1564] Upstream patches: [uclouvain/openjpeg@e492644] Signed-off-by: Zhang Peng <[email protected]> Signed-off-by: Armin Kuster <[email protected]> Signed-off-by: Jeremy A. Puhlman <[email protected]>
MontaVista-OpenSourceTechnology · Jan 27, 2025 · 49271c2 · 49271c2
1 parent 003f42b
commit 49271c2
Show file tree

Hide file tree

Showing 2 changed files with 34 additions and 0 deletions.
diff --git a/...raphics/openjpeg/openjpeg/0001-opj_j2k_add_tlmarker-validate-that-current-tile-part.patch b/...raphics/openjpeg/openjpeg/0001-opj_j2k_add_tlmarker-validate-that-current-tile-part.patch
@@ -0,0 +1,33 @@
+From b343d72eb4c4b776b4925b441d18abf6a20b42a7 Mon Sep 17 00:00:00 2001
+From: Even Rouault <[email protected]>
+Date: Mon, 25 Nov 2024 22:02:54 +0100
+Subject: [PATCH] opj_j2k_add_tlmarker(): validate that current tile-part
+ number if smaller that total number of tile-parts
+
+Fixes #1564
+
+CVE: CVE-2024-56827
+Upstream-Status: Backport [https://github.com/uclouvain/openjpeg/commit/e492644fbded4c820ca55b5e50e598d346e850e8]
+
+Signed-off-by: Zhang Peng <[email protected]>
+---
+ src/lib/openjp2/j2k.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/src/lib/openjp2/j2k.c b/src/lib/openjp2/j2k.c
+index 8e343ab2..08f771a5 100644
+--- a/src/lib/openjp2/j2k.c
++++ b/src/lib/openjp2/j2k.c
+@@ -8227,7 +8227,8 @@ static OPJ_BOOL opj_j2k_add_tlmarker(OPJ_UINT32 tileno,
+     if (type == J2K_MS_SOT) {
+         OPJ_UINT32 l_current_tile_part = cstr_index->tile_index[tileno].current_tpsno;
+
+-        if (cstr_index->tile_index[tileno].tp_index) {
++        if (cstr_index->tile_index[tileno].tp_index &&
++                l_current_tile_part < cstr_index->tile_index[tileno].nb_tps) {
+             cstr_index->tile_index[tileno].tp_index[l_current_tile_part].start_pos = pos;
+         }
+
+-- 
+2.39.4
+
diff --git a/meta-oe/recipes-graphics/openjpeg/openjpeg_2.4.0.bb b/meta-oe/recipes-graphics/openjpeg/openjpeg_2.4.0.bb
@@ -13,6 +13,7 @@ SRC_URI = " \
     file://CVE-2022-1122.patch \
     file://CVE-2021-3575.patch \
     file://0001-sycc422_to_rgb-fix-out-of-bounds-read-accesses-when-.patch \
+    file://0001-opj_j2k_add_tlmarker-validate-that-current-tile-part.patch \
 "
 SRCREV = "37ac30ceff6640bbab502388c5e0fa0bff23f505"
 S = "${WORKDIR}/git"