!119 fix CVE-2024-56826

From: @zppzhangpan Reviewed-by: @weidongkl Signed-off-by: @weidongkl
2025-01-07 06:04:24 +00:00 · 2025-01-07 06:04:24 +00:00 · 331e9a8d58
commit 331e9a8d58
parent 8224414333 0aa8067bb8
2 changed files with 127 additions and 1 deletions
--- a/backport-CVE-2024-56826.patch
+++ b/backport-CVE-2024-56826.patch
@ -0,0 +1,122 @@
+From 98592ee6d6904f1b48e8207238779b89a63befa2 Mon Sep 17 00:00:00 2001
+From: Even Rouault <even.rouault@spatialys.com>
+Date: Mon, 25 Nov 2024 23:11:24 +0100
+Subject: [PATCH] sycc422_to_rgb(): fix out-of-bounds read accesses when 2 *
+ width_component_1_or_2 + 1 == with_component_0
+
+Fixes #1563
+
+Also adjusts sycc420_to_rgb() for potential similar issue (amending
+commit 7bd884f8750892de4f50bf4642fcfbe7011c6bdf)
+---
+ src/bin/common/color.c | 42 ++++++++++++++++++++++++++++++++----------
+ 1 file changed, 32 insertions(+), 10 deletions(-)
+
+diff --git a/src/bin/common/color.c b/src/bin/common/color.c
+index ae5d648da..e4924a152 100644
+--- a/src/bin/common/color.c
+++ b/src/bin/common/color.c
+@@ -158,7 +158,7 @@ static void sycc422_to_rgb(opj_image_t *img)
+ {
+     int *d0, *d1, *d2, *r, *g, *b;
+     const int *y, *cb, *cr;
+-    size_t maxw, maxh, max, offx, loopmaxw;
+    size_t maxw, maxh, max, offx, loopmaxw, comp12w;
+     int offset, upb;
+     size_t i;
+ 
+@@ -167,6 +167,7 @@ static void sycc422_to_rgb(opj_image_t *img)
+     upb = (1 << upb) - 1;
+ 
+     maxw = (size_t)img->comps[0].w;
+    comp12w = (size_t)img->comps[1].w;
+     maxh = (size_t)img->comps[0].h;
+     max = maxw * maxh;
+ 
+@@ -212,13 +213,19 @@ static void sycc422_to_rgb(opj_image_t *img)
+             ++cr;
+         }
+         if (j < loopmaxw) {
+-            sycc_to_rgb(offset, upb, *y, *cb, *cr, r, g, b);
+            if (j / 2 == comp12w) {
+                sycc_to_rgb(offset, upb, *y, 0, 0, r, g, b);
+            } else {
+                sycc_to_rgb(offset, upb, *y, *cb, *cr, r, g, b);
+            }
+             ++y;
+             ++r;
+             ++g;
+             ++b;
+-            ++cb;
+-            ++cr;
+            if (j / 2 < comp12w) {
+                ++cb;
+                ++cr;
+            }
+         }
+     }
+ 
+@@ -246,7 +253,7 @@ static void sycc420_to_rgb(opj_image_t *img)
+ {
+     int *d0, *d1, *d2, *r, *g, *b, *nr, *ng, *nb;
+     const int *y, *cb, *cr, *ny;
+-    size_t maxw, maxh, max, offx, loopmaxw, offy, loopmaxh;
+    size_t maxw, maxh, max, offx, loopmaxw, offy, loopmaxh, comp12w;
+     int offset, upb;
+     size_t i;
+ 
+@@ -255,6 +262,7 @@ static void sycc420_to_rgb(opj_image_t *img)
+     upb = (1 << upb) - 1;
+ 
+     maxw = (size_t)img->comps[0].w;
+    comp12w = (size_t)img->comps[1].w;
+     maxh = (size_t)img->comps[0].h;
+     max = maxw * maxh;
+ 
+@@ -336,19 +344,29 @@ static void sycc420_to_rgb(opj_image_t *img)
+             ++cr;
+         }
+         if (j < loopmaxw) {
+-            sycc_to_rgb(offset, upb, *y, *cb, *cr, r, g, b);
+            if (j / 2 == comp12w) {
+                sycc_to_rgb(offset, upb, *y, 0, 0, r, g, b);
+            } else {
+                sycc_to_rgb(offset, upb, *y, *cb, *cr, r, g, b);
+            }
+             ++y;
+             ++r;
+             ++g;
+             ++b;
+ 
+-            sycc_to_rgb(offset, upb, *ny, *cb, *cr, nr, ng, nb);
+            if (j / 2 == comp12w) {
+                sycc_to_rgb(offset, upb, *ny, 0, 0, nr, ng, nb);
+            } else {
+                sycc_to_rgb(offset, upb, *ny, *cb, *cr, nr, ng, nb);
+            }
+             ++ny;
+             ++nr;
+             ++ng;
+             ++nb;
+-            ++cb;
+-            ++cr;
+            if (j / 2 < comp12w) {
+                ++cb;
+                ++cr;
+            }
+         }
+         y += maxw;
+         r += maxw;
+@@ -384,7 +402,11 @@ static void sycc420_to_rgb(opj_image_t *img)
+             ++cr;
+         }
+         if (j < loopmaxw) {
+-            sycc_to_rgb(offset, upb, *y, *cb, *cr, r, g, b);
+            if (j / 2 == comp12w) {
+                sycc_to_rgb(offset, upb, *y, 0, 0, r, g, b);
+            } else {
+                sycc_to_rgb(offset, upb, *y, *cb, *cr, r, g, b);
+            }
+         }
+     }
+ 
--- a/openjpeg2.spec
+++ b/openjpeg2.spec
@ -2,7 +2,7 @@

 Name:           openjpeg2
 Version:        2.5.0
-Release:        5
+Release:        6
 Summary:        C-Library for JPEG 2000
 License:        BSD and MIT
 URL:            https://github.com/uclouvain/openjpeg
@ -11,6 +11,7 @@ Source0:        https://github.com/uclouvain/openjpeg/archive/v%{version}/openjp
 Patch0:         openjpeg2_opj2.patch
 Patch1:         backport-CVE-2023-39328.patch
 Patch2:         backport-CVE-2021-3575.patch
+Patch3:         backport-CVE-2024-56826.patch

 BuildRequires:  cmake gcc-c++ make zlib-devel libpng-devel libtiff-devel lcms2-devel doxygen java-devel
 BuildRequires:  jbigkit-devel libjpeg-turbo-devel
@ -101,6 +102,9 @@ mv %{buildroot}%{_mandir}/man1/opj_dump.1 %{buildroot}%{_mandir}/man1/opj2_dump.
 %{_bindir}/opj2_dump

 %changelog
+* Tue Jan 7 2025 zhangpan <zhangpan103@h-partners.com> - 2.5.0-6
+- fix CVE-2024-56826
+
 * Tue Oct 29 2024 zhangpan <zhangpan103@h-partners.com> - 2.5.0-5
 - fix CVE-2021-3575