!119 fix CVE-2024-56826

From: @zppzhangpan Reviewed-by: @weidongkl Signed-off-by: @weidongkl
2025-01-07 06:04:24 +00:00 · 2025-01-07 06:04:24 +00:00 · 331e9a8d58
commit 331e9a8d58
parent 8224414333 0aa8067bb8
2 changed files with 127 additions and 1 deletions
--- a/backport-CVE-2024-56826.patch
+++ b/backport-CVE-2024-56826.patch
@ -0,0 +1,122 @@
 From 98592ee6d6904f1b48e8207238779b89a63befa2 Mon Sep 17 00:00:00 2001
 From: Even Rouault <even.rouault@spatialys.com>
 Date: Mon, 25 Nov 2024 23:11:24 +0100
 Subject: [PATCH] sycc422_to_rgb(): fix out-of-bounds read accesses when 2 *
 width_component_1_or_2 + 1 == with_component_0
 Fixes #1563
 Also adjusts sycc420_to_rgb() for potential similar issue (amending
 commit 7bd884f8750892de4f50bf4642fcfbe7011c6bdf)
 ---
 src/bin/common/color.c | 42 ++++++++++++++++++++++++++++++++----------
 1 file changed, 32 insertions(+), 10 deletions(-)
 diff --git a/src/bin/common/color.c b/src/bin/common/color.c
 index ae5d648da..e4924a152 100644
 --- a/src/bin/common/color.c
 +++ b/src/bin/common/color.c
@@ -158,7 +158,7 @@ static void sycc422_to_rgb(opj_image_t *img)
 {
     int *d0, *d1, *d2, *r, *g, *b;
     const int *y, *cb, *cr;
 -    size_t maxw, maxh, max, offx, loopmaxw;
 +    size_t maxw, maxh, max, offx, loopmaxw, comp12w;
     int offset, upb;
     size_t i;
@@ -167,6 +167,7 @@ static void sycc422_to_rgb(opj_image_t *img)
     upb = (1 << upb) - 1;
     maxw = (size_t)img->comps[0].w;
 +    comp12w = (size_t)img->comps[1].w;
     maxh = (size_t)img->comps[0].h;
     max = maxw * maxh;
@@ -212,13 +213,19 @@ static void sycc422_to_rgb(opj_image_t *img)
             ++cr;
         }
         if (j < loopmaxw) {
 -            sycc_to_rgb(offset, upb, *y, *cb, *cr, r, g, b);
 +            if (j / 2 == comp12w) {
 +                sycc_to_rgb(offset, upb, *y, 0, 0, r, g, b);
 +            } else {
 +                sycc_to_rgb(offset, upb, *y, *cb, *cr, r, g, b);
 +            }
             ++y;
             ++r;
             ++g;
             ++b;
 -            ++cb;
 -            ++cr;
 +            if (j / 2 < comp12w) {
 +                ++cb;
 +                ++cr;
 +            }
         }
     }
@@ -246,7 +253,7 @@ static void sycc420_to_rgb(opj_image_t *img)
 {
     int *d0, *d1, *d2, *r, *g, *b, *nr, *ng, *nb;
     const int *y, *cb, *cr, *ny;
 -    size_t maxw, maxh, max, offx, loopmaxw, offy, loopmaxh;
 +    size_t maxw, maxh, max, offx, loopmaxw, offy, loopmaxh, comp12w;
     int offset, upb;
     size_t i;
@@ -255,6 +262,7 @@ static void sycc420_to_rgb(opj_image_t *img)
     upb = (1 << upb) - 1;
     maxw = (size_t)img->comps[0].w;
 +    comp12w = (size_t)img->comps[1].w;
     maxh = (size_t)img->comps[0].h;
     max = maxw * maxh;
@@ -336,19 +344,29 @@ static void sycc420_to_rgb(opj_image_t *img)
             ++cr;
         }
         if (j < loopmaxw) {
 -            sycc_to_rgb(offset, upb, *y, *cb, *cr, r, g, b);
 +            if (j / 2 == comp12w) {
 +                sycc_to_rgb(offset, upb, *y, 0, 0, r, g, b);
 +            } else {
 +                sycc_to_rgb(offset, upb, *y, *cb, *cr, r, g, b);
 +            }
             ++y;
             ++r;
             ++g;
             ++b;
 -            sycc_to_rgb(offset, upb, *ny, *cb, *cr, nr, ng, nb);
 +            if (j / 2 == comp12w) {
 +                sycc_to_rgb(offset, upb, *ny, 0, 0, nr, ng, nb);
 +            } else {
 +                sycc_to_rgb(offset, upb, *ny, *cb, *cr, nr, ng, nb);
 +            }
             ++ny;
             ++nr;
             ++ng;
             ++nb;
 -            ++cb;
 -            ++cr;
 +            if (j / 2 < comp12w) {
 +                ++cb;
 +                ++cr;
 +            }
         }
         y += maxw;
         r += maxw;
@@ -384,7 +402,11 @@ static void sycc420_to_rgb(opj_image_t *img)
             ++cr;
         }
         if (j < loopmaxw) {
 -            sycc_to_rgb(offset, upb, *y, *cb, *cr, r, g, b);
 +            if (j / 2 == comp12w) {
 +                sycc_to_rgb(offset, upb, *y, 0, 0, r, g, b);
 +            } else {
 +                sycc_to_rgb(offset, upb, *y, *cb, *cr, r, g, b);
 +            }
         }
     }
--- a/openjpeg2.spec
+++ b/openjpeg2.spec
@ -2,7 +2,7 @@
 Name:           openjpeg2
 Version:        2.5.0
-Release:        5
+Release:        6
 Summary:        C-Library for JPEG 2000
 License:        BSD and MIT
 URL:            https://github.com/uclouvain/openjpeg
@ -11,6 +11,7 @@ Source0:        https://github.com/uclouvain/openjpeg/archive/v%{version}/openjp
 Patch0:         openjpeg2_opj2.patch
 Patch1:         backport-CVE-2023-39328.patch
 Patch2:         backport-CVE-2021-3575.patch
 Patch3:         backport-CVE-2024-56826.patch
 BuildRequires:  cmake gcc-c++ make zlib-devel libpng-devel libtiff-devel lcms2-devel doxygen java-devel
 BuildRequires:  jbigkit-devel libjpeg-turbo-devel
@ -101,6 +102,9 @@ mv %{buildroot}%{_mandir}/man1/opj_dump.1 %{buildroot}%{_mandir}/man1/opj2_dump.
 %{_bindir}/opj2_dump
 %changelog
 * Tue Jan 7 2025 zhangpan <zhangpan103@h-partners.com> - 2.5.0-6
 - fix CVE-2024-56826
 * Tue Oct 29 2024 zhangpan <zhangpan103@h-partners.com> - 2.5.0-5
 - fix CVE-2021-3575