jasper: patch CVE-2025-8835
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-8835 Pick the patch from the details of the above link. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
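--- /dev/null
+++ b/meta-oe/recipes-graphics/jasper/jasper/0001-Fixes-400.patch
@@ -0,0 +1,173 @@
+From 8c6da904432451aec2a9e4d6169ad771dbe72820 Mon Sep 17 00:00:00 2001
+From: Michael Adams <mdadams@ece.uvic.ca>
+Date: Tue, 29 Jul 2025 20:16:35 -0700
+Subject: [PATCH] Fixes #400.
+
+Added a check for a missing color component in the jas_image_chclrspc
+function.
+
+CVE: CVE-2025-8835
+Upstream-Status: Backport [https://github.com/jasper-software/jasper/commit/bb7d62bd0a2a8e0e1fdb4d603f3305f955158c52]
+
+Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
+---
+src/libjasper/base/jas_image.c | 72 ++++++++++++++++++++++++++++-----
+1 file changed, 61 insertions(+), 11 deletions(-)
+create mode 100644 data/test/other/poc_400.pnm
+
+diff --git a/src/libjasper/base/jas_image.c b/src/libjasper/base/jas_image.c
+index 1ed0905..c8aa42b 100644
+--- a/src/libjasper/base/jas_image.c
++++ b/src/libjasper/base/jas_image.c
+@@ -118,6 +118,8 @@ static void jas_image_calcbbox2(const jas_image_t *image,
+jas_image_coord_t *bry);
+static void jas_image_fmtinfo_init(jas_image_fmtinfo_t *fmtinfo);
+static void jas_image_fmtinfo_cleanup(jas_image_fmtinfo_t *fmtinfo);
++static jas_cmcmptfmt_t* jas_cmcmptfmt_array_create(int n);
++static void jas_cmcmptfmt_array_destroy(jas_cmcmptfmt_t* cmptfmts, int n);
+
+/******************************************************************************\
+* Create and destroy operations.
+@@ -413,6 +415,36 @@ static void jas_image_cmpt_destroy(jas_image_cmpt_t *cmpt)
+jas_free(cmpt);
+}
+
++static jas_cmcmptfmt_t* jas_cmcmptfmt_array_create(int n)
++{
++ jas_cmcmptfmt_t* cmptfmts;
++ JAS_LOGDEBUGF(10, "jas_cmcmptfmt_array_create(%d)\n", n);
++ if (!(cmptfmts = jas_alloc2(n, sizeof(jas_cmcmptfmt_t)))) {
++ return 0;
++ }
++ for (int i = 0; i < n; ++i) {
++ cmptfmts[i].buf = 0;
++ }
++ JAS_LOGDEBUGF(10, "jas_cmcmptfmt_array_create(%d) returning %p\n", n,
++ JAS_CAST(void *, cmptfmts));
++ return cmptfmts;
++}
++
++static void jas_cmcmptfmt_array_destroy(jas_cmcmptfmt_t* cmptfmts, int n)
++{
++ assert(cmptfmts);
++ assert(n > 0);
++ JAS_LOGDEBUGF(10, "jas_cmcmptfmt_array_destroy(%p, %d)\n",
++ JAS_CAST(void *, cmptfmts), n);
++ for (int i = 0; i < n; ++i) {
++ if (cmptfmts[i].buf) {
++ jas_free(cmptfmts[i].buf);
++ }
++ cmptfmts[i].buf = 0;
++ }
++ jas_free(cmptfmts);
++}
++
+/******************************************************************************\
+* Load and save operations.
+\******************************************************************************/
+@@ -1588,12 +1620,15 @@ jas_image_t *jas_image_chclrspc(jas_image_t *image,
+jas_cmcmptfmt_t *incmptfmts;
+jas_cmcmptfmt_t *outcmptfmts;
+
++ assert(image);
++ assert(outprof);
++
+#if 0
+jas_eprintf("IMAGE\n");
+jas_image_dump(image, stderr);
+#endif
+
+- if (image->numcmpts_ == 0) {
++ if (!jas_image_numcmpts(image)) {
+/*
+can't work with a file with no components;
+continuing would crash because we'd attempt to
+@@ -1604,6 +1639,8 @@ jas_image_t *jas_image_chclrspc(jas_image_t *image,
+
+outimage = 0;
+xform = 0;
++ incmptfmts = 0;
++ outcmptfmts = 0;
+if (!(inimage = jas_image_copy(image))) {
+goto error;
+}
+@@ -1694,16 +1731,22 @@ jas_image_t *jas_image_chclrspc(jas_image_t *image,
+}
+
+inpixmap.numcmpts = numinclrchans;
+- if (!(incmptfmts = jas_alloc2(numinclrchans, sizeof(jas_cmcmptfmt_t)))) {
++ assert(numinclrchans != 0);
++ if (!(incmptfmts = jas_cmcmptfmt_array_create(numinclrchans))) {
+// formerly call to abort()
+goto error;
+}
+inpixmap.cmptfmts = incmptfmts;
+for (unsigned i = 0; i < numinclrchans; ++i) {
+const int j = jas_image_getcmptbytype(inimage, JAS_IMAGE_CT_COLOR(i));
++ if (j < 0) {
++ jas_logerrorf("missing color component %d\n", i);
++ goto error;
++ }
+if (!(incmptfmts[i].buf = jas_alloc2(width, sizeof(long)))) {
+goto error;
+}
++ assert(j >= 0 && j < jas_image_numcmpts(inimage));
+incmptfmts[i].prec = jas_image_cmptprec(inimage, j);
+incmptfmts[i].sgnd = jas_image_cmptsgnd(inimage, j);
+incmptfmts[i].width = width;
+@@ -1711,7 +1754,7 @@ jas_image_t *jas_image_chclrspc(jas_image_t *image,
+}
+
+outpixmap.numcmpts = numoutclrchans;
+- if (!(outcmptfmts = jas_alloc2(numoutclrchans, sizeof(jas_cmcmptfmt_t)))) {
++ if (!(outcmptfmts = jas_cmcmptfmt_array_create(numoutclrchans))) {
+// formerly call to abort()
+goto error;
+}
+@@ -1719,9 +1762,14 @@ jas_image_t *jas_image_chclrspc(jas_image_t *image,
+
+for (unsigned i = 0; i < numoutclrchans; ++i) {
+const int j = jas_image_getcmptbytype(outimage, JAS_IMAGE_CT_COLOR(i));
++ if (j < 0) {
++ jas_logerrorf("missing color component %d\n", i);
++ goto error;
++ }
+if (!(outcmptfmts[i].buf = jas_alloc2(width, sizeof(long)))) {
+goto error;
+}
++ assert(j >= 0 && j < jas_image_numcmpts(outimage));
+outcmptfmts[i].prec = jas_image_cmptprec(outimage, j);
+outcmptfmts[i].sgnd = jas_image_cmptsgnd(outimage, j);
+outcmptfmts[i].width = width;
+@@ -1746,14 +1794,8 @@ jas_image_t *jas_image_chclrspc(jas_image_t *image,
+}
+}
+
+- for (unsigned i = 0; i < numoutclrchans; ++i) {
+- jas_free(outcmptfmts[i].buf);
+- }
+- jas_free(outcmptfmts);
+- for (unsigned i = 0; i < numinclrchans; ++i) {
+- jas_free(incmptfmts[i].buf);
+- }
+- jas_free(incmptfmts);
++ jas_cmcmptfmt_array_destroy(outcmptfmts, numoutclrchans);
++ jas_cmcmptfmt_array_destroy(incmptfmts, numinclrchans);
+jas_cmxform_destroy(xform);
+jas_image_destroy(inimage);
+
+@@ -1765,6 +1807,14 @@ jas_image_t *jas_image_chclrspc(jas_image_t *image,
+#endif
+return outimage;
+error:
++ if (incmptfmts) {
++ assert(numinclrchans);
++ jas_cmcmptfmt_array_destroy(incmptfmts, numinclrchans);
++ }
++ if (outcmptfmts) {
++ assert(numoutclrchans);
++ jas_cmcmptfmt_array_destroy(outcmptfmts, numoutclrchans);
++ }
+if (xform) {
+jas_cmxform_destroy(xform);
+}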
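Review bot: The two new `jas_logerrorf("missing color component %d\n", i)` calls in the input and output channel loops pass `i`, declared `unsigned` in the `for` header, to a `%d` conversion; `%u` matches the argument. The helpers take `int n` while those loops count in `unsigned`, so the channel counts are converted at every call; the declarations of `numinclrchans` and `numoutclrchans` are outside the hunks, so their type is worth confirming. `assert(numinclrchans != 0)` guards the input-side create but the output side has no matching check, and `jas_cmcmptfmt_array_destroy` enforces its non-null and `n > 0` preconditions only through `assert`, which is compiled out under `NDEBUG`. Release builds therefore rely on the runtime `if (j < 0)` test alone to stop a missing component's negative index from reaching `jas_image_cmptprec`. A short comment on the helpers, saying that create returns an array with every `buf` set to null and that destroy frees each non-null `buf` and then the array, would record why the `error:` path is safe after a partially filled array.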
@@ -3,7 +3,9 @@ HOMEPAGE = "https://jasper-software.github.io/jasper/"
|
||||
LICENSE = "MIT"
|
||||
LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=a80440d1d8f17d041c71c7271d6e06eb"
|
||||
|
||||
SRC_URI = "https://github.com/jasper-software/${BPN}/releases/download/version-${PV}/${BP}.tar.gz"
|
||||
SRC_URI = "https://github.com/jasper-software/${BPN}/releases/download/version-${PV}/${BP}.tar.gz \
|
||||
file://0001-Fixes-400.patch \
|
||||
"
|
||||
SRC_URI[sha256sum] = "6a597613d8d84c500b5b83bf0eec06cd3707c23d19957f70354ac2394c9914e7"
|
||||
|
||||
CVE_STATUS[CVE-2015-8751] = "fixed-version: The CPE in the NVD database doesn't reflect correctly the vulnerable versions."
|
||||
|
||||