From 10196085ab9dbd9ce688a093a7c500c1b9919264 Mon Sep 17 00:00:00 2001 From: Gyorgy Sarvari Date: Thu, 9 Oct 2025 20:09:51 +0200 Subject: [PATCH] jasper: patch CVE-2025-8836 Details: https://nvd.nist.gov/vuln/detail/CVE-2025-8836 Pick the patch mentioned in the details of the above link. Signed-off-by: Gyorgy Sarvari Signed-off-by: Anuj Mittal --- .../jasper/jasper/0001-Fixes-401.patch | 78 +++++++++++++++++++ .../recipes-graphics/jasper/jasper_4.1.1.bb | 1 + 2 files changed, 79 insertions(+) create mode 100644 meta-oe/recipes-graphics/jasper/jasper/0001-Fixes-401.patch diff --git a/meta-oe/recipes-graphics/jasper/jasper/0001-Fixes-401.patch b/meta-oe/recipes-graphics/jasper/jasper/0001-Fixes-401.patch new file mode 100644 index 0000000000..d7e40c8493 --- /dev/null +++ b/meta-oe/recipes-graphics/jasper/jasper/0001-Fixes-401.patch @@ -0,0 +1,78 @@ +From 823034b2b47be037278e612177180783b04fb687 Mon Sep 17 00:00:00 2001 +From: Michael Adams +Date: Sat, 2 Aug 2025 18:00:39 -0700 +Subject: [PATCH] Fixes #401. + +JPEG-2000 (JPC) Encoder: +- Added some missing range checking on several coding parameters + (e.g., precint width/height and codeblock width/height). + +CVE: CVE-2025-8836 +Upstream-Status: Backport [https://github.com/jasper-software/jasper/commit/79185d32d7a444abae441935b20ae4676b3513d4] +Signed-off-by: Gyorgy Sarvari +--- + src/libjasper/jpc/jpc_enc.c | 30 ++++++++++++++++++++++++------ + src/libjasper/jpc/jpc_t2dec.c | 3 ++- + 2 files changed, 26 insertions(+), 7 deletions(-) + +diff --git a/src/libjasper/jpc/jpc_enc.c b/src/libjasper/jpc/jpc_enc.c +index 64f8aa5..4fb23d4 100644 +--- a/src/libjasper/jpc/jpc_enc.c ++++ b/src/libjasper/jpc/jpc_enc.c +@@ -484,18 +484,36 @@ static jpc_enc_cp_t *cp_create(const char *optstr, jas_image_t *image) + cp->tileheight = atoi(jas_tvparser_getval(tvp)); + break; + case OPT_PRCWIDTH: +- prcwidthexpn = jpc_floorlog2(atoi(jas_tvparser_getval(tvp))); ++ i = atoi(jas_tvparser_getval(tvp)); ++ if (i <= 0) { ++ jas_logerrorf("invalid precinct width (%d)\n", i); ++ goto error; ++ } ++ prcwidthexpn = jpc_floorlog2(i); + break; + case OPT_PRCHEIGHT: +- prcheightexpn = jpc_floorlog2(atoi(jas_tvparser_getval(tvp))); ++ i = atoi(jas_tvparser_getval(tvp)); ++ if (i <= 0) { ++ jas_logerrorf("invalid precinct height (%d)\n", i); ++ goto error; ++ } ++ prcheightexpn = jpc_floorlog2(i); + break; + case OPT_CBLKWIDTH: +- tccp->cblkwidthexpn = +- jpc_floorlog2(atoi(jas_tvparser_getval(tvp))); ++ i = atoi(jas_tvparser_getval(tvp)); ++ if (i <= 0) { ++ jas_logerrorf("invalid code block width (%d)\n", i); ++ goto error; ++ } ++ tccp->cblkwidthexpn = jpc_floorlog2(i); + break; + case OPT_CBLKHEIGHT: +- tccp->cblkheightexpn = +- jpc_floorlog2(atoi(jas_tvparser_getval(tvp))); ++ i = atoi(jas_tvparser_getval(tvp)); ++ if (i <= 0) { ++ jas_logerrorf("invalid code block height (%d)\n", i); ++ goto error; ++ } ++ tccp->cblkheightexpn = jpc_floorlog2(i); + break; + case OPT_MODE: + if ((tagid = jas_taginfo_nonull(jas_taginfos_lookup(modetab, +diff --git a/src/libjasper/jpc/jpc_t2dec.c b/src/libjasper/jpc/jpc_t2dec.c +index de77623..1eff88a 100644 +--- a/src/libjasper/jpc/jpc_t2dec.c ++++ b/src/libjasper/jpc/jpc_t2dec.c +@@ -348,7 +348,8 @@ static int jpc_dec_decodepkt(jpc_dec_t *dec, jas_stream_t *pkthdrstream, jas_str + const unsigned n = JAS_MIN((unsigned)numnewpasses, maxpasses); + mycounter += n; + numnewpasses -= n; +- if ((len = jpc_bitstream_getbits(inb, cblk->numlenbits + jpc_floorlog2(n))) < 0) { ++ if ((len = jpc_bitstream_getbits(inb, ++ cblk->numlenbits + jpc_floorlog2(n))) < 0) { + jpc_bitstream_close(inb); + jas_logerrorf("cannot get bits\n"); + return -1; diff --git a/meta-oe/recipes-graphics/jasper/jasper_4.1.1.bb b/meta-oe/recipes-graphics/jasper/jasper_4.1.1.bb index 82867c0a1e..e3fbb87708 100644 --- a/meta-oe/recipes-graphics/jasper/jasper_4.1.1.bb +++ b/meta-oe/recipes-graphics/jasper/jasper_4.1.1.bb @@ -5,6 +5,7 @@ LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=a80440d1d8f17d041c71c7271d6e06eb" SRC_URI = "git://github.com/jasper-software/jasper.git;protocol=https;branch=master \ file://0001-Fixes-400.patch \ + file://0001-Fixes-401.patch \ " SRCREV = "917f7708b755d8434f70618108c1a76f1b6a0a82"