From 754e02c668a1130e3808cdaa4dbd5c7954e99890 Mon Sep 17 00:00:00 2001
From: Gyorgy Sarvari <skandigraun@gmail.com>
Date: Mon, 20 Apr 2026 08:27:41 +0200
Subject: [PATCH] libgphoto2: patch CVE-2026-40333

Details: https://nvd.nist.gov/vuln/detail/CVE-2026-40333

Backport the patch referenced by the NVD advisory.

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
---
 .../gphoto2/libgphoto2/CVE-2026-40333.patch   | 150 ++++++++++++++++++
 .../gphoto2/libgphoto2_2.5.33.bb              |   5 +-
 2 files changed, 153 insertions(+), 2 deletions(-)
 create mode 100644 meta-oe/recipes-graphics/gphoto2/libgphoto2/CVE-2026-40333.patch

diff --git a/meta-oe/recipes-graphics/gphoto2/libgphoto2/CVE-2026-40333.patch b/meta-oe/recipes-graphics/gphoto2/libgphoto2/CVE-2026-40333.patch
new file mode 100644
index 0000000000..77c307e88d
--- /dev/null
+++ b/meta-oe/recipes-graphics/gphoto2/libgphoto2/CVE-2026-40333.patch
@@ -0,0 +1,150 @@
+From 8fefd2da7b9e2c7c448086cd251b108c0ebf1262 Mon Sep 17 00:00:00 2001
+From: Marcus Meissner <marcus@jet.franken.de>
+Date: Wed, 8 Apr 2026 15:18:42 +0200
+Subject: [PATCH] Fixed EOS ImageFormat/CustomFuncEx Parsers Lack Length
+ Parameter
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+ptp_unpack_EOS_ImageFormat() and ptp_unpack_EOS_CustomFuncEx() accept
+const unsigned char** data but no length/size parameter. They perform
+unbounded reads via dtoh32o calls (up to 36 bytes for ImageFormat,
+up to 1024 bytes for CustomFuncEx). Callers in ptp_unpack_EOS_events()
+have xsize available but never pass it.
+
+ CVE-2026-40333
+
+Reported-By: Sebastián Alba <sebasjosue84@gmail.com>
+
+CVE: CVE-2026-40333
+Upstream-Status: Backport [https://github.com/gphoto/libgphoto2/commit/1817ecead20c2aafa7549dac9619fe38f47b2f53]
+Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
+---
+ camlibs/ptp2/ptp-pack.c | 53 ++++++++++++++++++++++++++++++++++-------
+ 1 file changed, 44 insertions(+), 9 deletions(-)
+
+diff --git a/camlibs/ptp2/ptp-pack.c b/camlibs/ptp2/ptp-pack.c
+index 09421b7..09dcc24 100644
+--- a/camlibs/ptp2/ptp-pack.c
++++ b/camlibs/ptp2/ptp-pack.c
+@@ -1448,7 +1448,7 @@ ptp_unpack_Canon_EOS_FE (PTPParams *params, const unsigned char* data, unsigned
+ 
+ 
+ static inline uint16_t
+-ptp_unpack_EOS_ImageFormat (PTPParams* params, const unsigned char** data )
++ptp_unpack_EOS_ImageFormat (PTPParams* params, const unsigned char** data, unsigned int *size )
+ {
+ 	/*
+ 	  EOS ImageFormat entries look are a sequence of u32 values:
+@@ -1492,30 +1492,57 @@ ptp_unpack_EOS_ImageFormat (PTPParams* params, const unsigned char** data )
+ 
+ 	const uint8_t* d = *data;
+ 	uint32_t offset = 0;
+-	uint32_t n = dtoh32o (d, offset);
++	uint32_t n;
+ 	uint32_t l, t1, s1, c1, t2 = 0, s2 = 0, c2 = 0;
+ 
++	if (*size < sizeof(uint32_t)) {
++		ptp_debug (params, "parsing EOS ImageFormat property failed 1 (size %d)", *size);
++		return 0;
++	}
++	n = dtoh32o (d, offset);
++	*size -= sizeof(uint32_t);
++
+ 	if (n != 1 && n !=2) {
+ 		ptp_debug (params, "parsing EOS ImageFormat property failed (n != 1 && n != 2: %d)", n);
+ 		return 0;
+ 	}
+-
++	if (*size < sizeof(uint32_t)) {
++		ptp_debug (params, "parsing EOS ImageFormat property failed 2 (size %d)", *size);
++		return 0;
++	}
+ 	l = dtoh32o (d, offset);
++	*size -= sizeof(uint32_t);
++
+ 	if (l != 0x10) {
+ 		ptp_debug (params, "parsing EOS ImageFormat property failed (l != 0x10: 0x%x)", l);
+ 		return 0;
+ 	}
+ 
++	if (*size < 3*sizeof(uint32_t)) {
++		ptp_debug (params, "parsing EOS ImageFormat property failed 3 (size %d)", *size);
++		return 0;
++	}
+ 	t1 = dtoh32o (d, offset);
+ 	s1 = dtoh32o (d, offset);
+ 	c1 = dtoh32o (d, offset);
++	*size -= 3*sizeof(uint32_t);
+ 
+ 	if (n == 2) {
++		if (*size < sizeof(uint32_t)) {
++			ptp_debug (params, "parsing EOS ImageFormat property failed 4 (size %d)", *size);
++			return 0;
++		}
+ 		l = dtoh32o (d, offset);
++		*size -= sizeof(uint32_t);
++
+ 		if (l != 0x10) {
+ 			ptp_debug (params, "parsing EOS ImageFormat property failed (l != 0x10: 0x%x)", l);
+ 			return 0;
+ 		}
++		if (*size < 3*sizeof(uint32_t)) {
++			ptp_debug (params, "parsing EOS ImageFormat property failed 5 (size %d)", *size);
++			return 0;
++		}
+ 		t2 = dtoh32o (d, offset);
+ 		s2 = dtoh32o (d, offset);
+ 		c2 = dtoh32o (d, offset);
+@@ -1668,12 +1695,20 @@ ptp_unpack_EOS_FocusInfoEx (PTPParams* params, const unsigned char** data, uint3
+ 
+ 
+ static inline char*
+-ptp_unpack_EOS_CustomFuncEx (PTPParams* params, const unsigned char** data )
++ptp_unpack_EOS_CustomFuncEx (PTPParams* params, const unsigned char** data, unsigned int *size )
+ {
+-	uint32_t s = dtoh32a( *data );
+-	uint32_t n = s/4, i;
++	uint32_t s, n, i;
+ 	char	*str, *p;
+ 
++	if (*size < sizeof(uint32_t))
++		return strdup("bad length");
++
++	s = dtoh32a( *data );
++	n = s/4;
++
++	if (*size < 4+s)
++		return strdup("bad length");
++
+ 	if (s > 1024) {
+ 		ptp_debug (params, "customfuncex data is larger than 1k / %d... unexpected?", s);
+ 		return strdup("bad length");
+@@ -1962,7 +1997,7 @@ ptp_unpack_EOS_events (PTPParams *params, const unsigned char* data, unsigned in
+ 			case PTP_DPC_CANON_EOS_ImageFormatExtHD:
+ 				/* special handling of ImageFormat properties */
+ 				for (j=0;j<dpd_count;j++) {
+-					dpd->FORM.Enum.SupportedValue[j].u16 = ptp_unpack_EOS_ImageFormat( params, &xdata );
++					dpd->FORM.Enum.SupportedValue[j].u16 = ptp_unpack_EOS_ImageFormat( params, &xdata, &xsize );
+ 					ptp_debug (params, INDENT "prop %x option[%2d] == 0x%04x", dpc, j, dpd->FORM.Enum.SupportedValue[j].u16);
+ 				}
+ 				break;
+@@ -2267,7 +2302,7 @@ ptp_unpack_EOS_events (PTPParams *params, const unsigned char* data, unsigned in
+ 			case PTP_DPC_CANON_EOS_ImageFormatSD:
+ 			case PTP_DPC_CANON_EOS_ImageFormatExtHD:
+ 				dpd->DataType = PTP_DTC_UINT16;
+-				dpd->DefaultValue.u16 = ptp_unpack_EOS_ImageFormat( params, &xdata );
++				dpd->DefaultValue.u16 = ptp_unpack_EOS_ImageFormat( params, &xdata, &xsize );
+ 				dpd->CurrentValue.u16 = dpd->DefaultValue.u16;
+ 				ptp_debug (params, INDENT "prop %x value == 0x%04x (u16)", dpc, dpd->CurrentValue.u16);
+ 				break;
+@@ -2275,7 +2310,7 @@ ptp_unpack_EOS_events (PTPParams *params, const unsigned char* data, unsigned in
+ 				dpd->DataType = PTP_DTC_STR;
+ 				free (dpd->DefaultValue.str);
+ 				free (dpd->CurrentValue.str);
+-				dpd->DefaultValue.str = ptp_unpack_EOS_CustomFuncEx( params, &xdata );
++				dpd->DefaultValue.str = ptp_unpack_EOS_CustomFuncEx( params, &xdata, &xsize );
+ 				dpd->CurrentValue.str = strdup( (char*)dpd->DefaultValue.str );
+ 				ptp_debug (params, INDENT "prop %x value == %s", dpc, dpd->CurrentValue.str);
+ 				break;
diff --git a/meta-oe/recipes-graphics/gphoto2/libgphoto2_2.5.33.bb b/meta-oe/recipes-graphics/gphoto2/libgphoto2_2.5.33.bb
index 3644bd9bf4..ac7892151f 100644
--- a/meta-oe/recipes-graphics/gphoto2/libgphoto2_2.5.33.bb
+++ b/meta-oe/recipes-graphics/gphoto2/libgphoto2_2.5.33.bb
@@ -12,8 +12,9 @@ DEPENDS = "libtool jpeg virtual/libusb0 libexif zlib libxml2"
 SRC_URI = "${SOURCEFORGE_MIRROR}/gphoto/${BP}.tar.xz;name=libgphoto2 \
            file://40-libgphoto2.rules \
            file://0001-configure-Filter-out-buildpaths-from-CC.patch \
-		   file://0001-libgphoto2-fix-const-correctness-for-c23-builds.patch \
-"
+           file://0001-libgphoto2-fix-const-correctness-for-c23-builds.patch \
+           file://CVE-2026-40333.patch \
+           "
 SRC_URI[libgphoto2.sha256sum] = "28825f767a85544cb58f6e15028f8e53a5bb37a62148b3f1708b524781c3bef2"
 
 UPSTREAM_CHECK_URI = "https://sourceforge.net/projects/gphoto/files/libgphoto/"