From 60da39aeca09aece3d9a2f5237cdbbc82629860f Mon Sep 17 00:00:00 2001
From: Gyorgy Sarvari <skandigraun@gmail.com>
Date: Sat, 28 Feb 2026 21:24:26 +0100
Subject: [PATCH] exiv2: patch CVE-2021-37618

Details: https://nvd.nist.gov/vuln/detail/CVE-2021-37618

Pick the patch from the PR that is referenced by the NVD advisory.

Note that the regression test was not backported, because it contains
a binary patch, that I couldn't apply with any of the patchtools
in the do_patch step. Before submission however I have applied the
patches, and ran all the tests successfully.

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
---
 .../exiv2/exiv2/CVE-2021-37618.patch          | 32 +++++++++++++++++++
 meta-oe/recipes-support/exiv2/exiv2_0.27.3.bb |  1 +
 2 files changed, 33 insertions(+)
 create mode 100644 meta-oe/recipes-support/exiv2/exiv2/CVE-2021-37618.patch

diff --git a/meta-oe/recipes-support/exiv2/exiv2/CVE-2021-37618.patch b/meta-oe/recipes-support/exiv2/exiv2/CVE-2021-37618.patch
new file mode 100644
index 0000000000..8799876232
--- /dev/null
+++ b/meta-oe/recipes-support/exiv2/exiv2/CVE-2021-37618.patch
@@ -0,0 +1,32 @@
+From 37e0d4dac7c8b1a9e01448c359bf013ead53904a Mon Sep 17 00:00:00 2001
+From: Kevin Backhouse <kevinbackhouse@github.com>
+Date: Mon, 5 Jul 2021 10:40:03 +0100
+Subject: [PATCH] Better bounds checking in Jp2Image::printStructure
+
+CVE: CVE-2021-37618
+Upstream-Status: Backport [https://github.com/Exiv2/exiv2/commit/0fcdde80997913dde284ea98f06f9305d06cb160]
+Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
+---
+ src/jp2image.cpp | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/src/jp2image.cpp b/src/jp2image.cpp
+index e14919c..2da69f1 100644
+--- a/src/jp2image.cpp
++++ b/src/jp2image.cpp
+@@ -538,6 +538,7 @@ static void boxes_check(size_t b,size_t m)
+ 
+                             if (subBox.type == kJp2BoxTypeColorHeader) {
+                                 long pad = 3;  // don't know why there are 3 padding bytes
++                                enforce(data.size_ >= pad, kerCorruptedMetadata);
+                                 if (bPrint) {
+                                     out << " | pad:";
+                                     for (int i = 0; i < 3; i++)
+@@ -547,6 +548,7 @@ static void boxes_check(size_t b,size_t m)
+                                 if (bPrint) {
+                                     out << " | iccLength:" << iccLength;
+                                 }
++                                enforce(iccLength <= data.size_ - pad, kerCorruptedMetadata);
+                                 if (bICC) {
+                                     out.write((const char*)data.pData_ + pad, iccLength);
+                                 }
diff --git a/meta-oe/recipes-support/exiv2/exiv2_0.27.3.bb b/meta-oe/recipes-support/exiv2/exiv2_0.27.3.bb
index bb69dd7ccd..213a47eed1 100644
--- a/meta-oe/recipes-support/exiv2/exiv2_0.27.3.bb
+++ b/meta-oe/recipes-support/exiv2/exiv2_0.27.3.bb
@@ -24,6 +24,7 @@ SRC_URI = "https://github.com/Exiv2/${BPN}/releases/download/v${PV}/${BP}-Source
            file://CVE-2021-34335-2.patch \
            file://CVE-2021-37615-1.patch \
            file://CVE-2021-37615-2.patch \
+           file://CVE-2021-37618.patch \
            "
 SRC_URI[sha256sum] = "a79f5613812aa21755d578a297874fb59a85101e793edc64ec2c6bd994e3e778"