openjpeg: fix CVE-2024-56826

CVE-2024-56826:
A flaw was found in the OpenJPEG project. A heap buffer overflow
condition may be triggered when certain options are specified while
using the opj_decompress utility. This can lead to an application crash
or other undefined behavior.

Reference:
[https://nvd.nist.gov/vuln/detail/CVE-2024-56826]
[https://github.com/uclouvain/openjpeg/issues/1563]

Upstream patches:
[https://github.com/uclouvain/openjpeg/commit/98592ee6d6904f1b48e8207238779b89a63befa2]

Signed-off-by: Zhang Peng <peng.zhang1.cn@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>

meta-oe/recipes-graphics/openjpeg/openjpeg/0001-sycc422_to_rgb-fix-out-of-bounds-read-accesses-when-.patch

@@ -0,0 +1,130 @@
+From 2bed72075bd17518907a6a57e3411669188e49bd Mon Sep 17 00:00:00 2001
+From: Even Rouault <even.rouault@spatialys.com>
+Date: Mon, 25 Nov 2024 23:11:24 +0100
+Subject: [PATCH] sycc422_to_rgb(): fix out-of-bounds read accesses when 2 *
+ width_component_1_or_2 + 1 == with_component_0
+
+Fixes #1563
+
+Also adjusts sycc420_to_rgb() for potential similar issue (amending
+commit 7bd884f8750892de4f50bf4642fcfbe7011c6bdf)
+
+CVE: CVE-2024-56826
+Upstream-Status: Backport [https://github.com/uclouvain/openjpeg/commit/98592ee6d6904f1b48e8207238779b89a63befa2]
+
+Signed-off-by: Zhang Peng <peng.zhang1.cn@windriver.com>
+---
+ src/bin/common/color.c | 42 ++++++++++++++++++++++++++++++++----------
+ 1 file changed, 32 insertions(+), 10 deletions(-)
+
+diff --git a/src/bin/common/color.c b/src/bin/common/color.c
+index ae5d648d..e4924a15 100644
+--- a/src/bin/common/color.c
++++ b/src/bin/common/color.c
+@@ -158,7 +158,7 @@ static void sycc422_to_rgb(opj_image_t *img)
+ {
+     int *d0, *d1, *d2, *r, *g, *b;
+     const int *y, *cb, *cr;
+-    size_t maxw, maxh, max, offx, loopmaxw;
++    size_t maxw, maxh, max, offx, loopmaxw, comp12w;
+     int offset, upb;
+     size_t i;
+ 
+@@ -167,6 +167,7 @@ static void sycc422_to_rgb(opj_image_t *img)
+     upb = (1 << upb) - 1;
+ 
+     maxw = (size_t)img->comps[0].w;
++    comp12w = (size_t)img->comps[1].w;
+     maxh = (size_t)img->comps[0].h;
+     max = maxw * maxh;
+ 
+@@ -212,13 +213,19 @@ static void sycc422_to_rgb(opj_image_t *img)
+             ++cr;
+         }
+         if (j < loopmaxw) {
+-            sycc_to_rgb(offset, upb, *y, *cb, *cr, r, g, b);
++            if (j / 2 == comp12w) {
++                sycc_to_rgb(offset, upb, *y, 0, 0, r, g, b);
++            } else {
++                sycc_to_rgb(offset, upb, *y, *cb, *cr, r, g, b);
++            }
+             ++y;
+             ++r;
+             ++g;
+             ++b;
+-            ++cb;
+-            ++cr;
++            if (j / 2 < comp12w) {
++                ++cb;
++                ++cr;
++            }
+         }
+     }
+ 
+@@ -246,7 +253,7 @@ static void sycc420_to_rgb(opj_image_t *img)
+ {
+     int *d0, *d1, *d2, *r, *g, *b, *nr, *ng, *nb;
+     const int *y, *cb, *cr, *ny;
+-    size_t maxw, maxh, max, offx, loopmaxw, offy, loopmaxh;
++    size_t maxw, maxh, max, offx, loopmaxw, offy, loopmaxh, comp12w;
+     int offset, upb;
+     size_t i;
+ 
+@@ -255,6 +262,7 @@ static void sycc420_to_rgb(opj_image_t *img)
+     upb = (1 << upb) - 1;
+ 
+     maxw = (size_t)img->comps[0].w;
++    comp12w = (size_t)img->comps[1].w;
+     maxh = (size_t)img->comps[0].h;
+     max = maxw * maxh;
+ 
+@@ -336,19 +344,29 @@ static void sycc420_to_rgb(opj_image_t *img)
+             ++cr;
+         }
+         if (j < loopmaxw) {
+-            sycc_to_rgb(offset, upb, *y, *cb, *cr, r, g, b);
++            if (j / 2 == comp12w) {
++                sycc_to_rgb(offset, upb, *y, 0, 0, r, g, b);
++            } else {
++                sycc_to_rgb(offset, upb, *y, *cb, *cr, r, g, b);
++            }
+             ++y;
+             ++r;
+             ++g;
+             ++b;
+ 
+-            sycc_to_rgb(offset, upb, *ny, *cb, *cr, nr, ng, nb);
++            if (j / 2 == comp12w) {
++                sycc_to_rgb(offset, upb, *ny, 0, 0, nr, ng, nb);
++            } else {
++                sycc_to_rgb(offset, upb, *ny, *cb, *cr, nr, ng, nb);
++            }
+             ++ny;
+             ++nr;
+             ++ng;
+             ++nb;
+-            ++cb;
+-            ++cr;
++            if (j / 2 < comp12w) {
++                ++cb;
++                ++cr;
++            }
+         }
+         y += maxw;
+         r += maxw;
+@@ -384,7 +402,11 @@ static void sycc420_to_rgb(opj_image_t *img)
+             ++cr;
+         }
+         if (j < loopmaxw) {
+-            sycc_to_rgb(offset, upb, *y, *cb, *cr, r, g, b);
++            if (j / 2 == comp12w) {
++                sycc_to_rgb(offset, upb, *y, 0, 0, r, g, b);
++            } else {
++                sycc_to_rgb(offset, upb, *y, *cb, *cr, r, g, b);
++            }
+         }
+     }
+ 
+-- 
+2.39.4
+

meta-oe/recipes-graphics/openjpeg/openjpeg_2.4.0.bb

@@ -12,6 +12,7 @@ SRC_URI = " \
     file://CVE-2021-29338.patch \
     file://CVE-2022-1122.patch \
     file://CVE-2021-3575.patch \
+    file://0001-sycc422_to_rgb-fix-out-of-bounds-read-accesses-when-.patch \
 "
 SRCREV = "37ac30ceff6640bbab502388c5e0fa0bff23f505"
 S = "${WORKDIR}/git"