File openjpeg2-CVE-2024-56826.patch of Package openjpeg2.36921
From 98592ee6d6904f1b48e8207238779b89a63befa2 Mon Sep 17 00:00:00 2001
From: Even Rouault <even.rouault@spatialys.com>
Date: Mon, 25 Nov 2024 23:11:24 +0100
Subject: [PATCH] sycc422_to_rgb(): fix out-of-bounds read accesses when 2 *
width_component_1_or_2 + 1 == with_component_0
Fixes #1563
Also adjusts sycc420_to_rgb() for potential similar issue (amending
commit 7bd884f8750892de4f50bf4642fcfbe7011c6bdf)
---
src/bin/common/color.c | 42 ++++++++++++++++++++++++++++++++----------
1 file changed, 32 insertions(+), 10 deletions(-)
Index: openjpeg-2.1.0/src/bin/common/color.c
===================================================================
--- openjpeg-2.1.0.orig/src/bin/common/color.c
+++ openjpeg-2.1.0/src/bin/common/color.c
@@ -124,7 +124,7 @@ static void sycc422_to_rgb(opj_image_t *
{
int *d0, *d1, *d2, *r, *g, *b;
const int *y, *cb, *cr;
- size_t maxw, maxh, max, offx, loopmaxw;
+ size_t maxw, maxh, max, offx, loopmaxw, comp12w;
int offset, upb;
size_t i, j;
@@ -132,6 +132,7 @@ static void sycc422_to_rgb(opj_image_t *
offset = 1<<(i - 1); upb = (1<<i)-1;
maxw = (size_t)img->comps[0].w; maxh = (size_t)img->comps[0].h;
+ comp12w = (size_t)img->comps[1].w;
max = maxw * maxh;
y = img->comps[0].data;
@@ -165,8 +166,16 @@ static void sycc422_to_rgb(opj_image_t *
}
if (j < loopmaxw) {
- sycc_to_rgb(offset, upb, *y, *cb, *cr, r, g, b);
- ++y; ++r; ++g; ++b; ++cb; ++cr;
+ if (j / 2 == comp12w) {
+ sycc_to_rgb(offset, upb, *y, 0, 0, r, g, b);
+ } else {
+ sycc_to_rgb(offset, upb, *y, *cb, *cr, r, g, b);
+ }
+ ++y; ++r; ++g; ++b;
+ if (j / 2 < comp12w) {
+ ++cb;
+ ++cr;
+ }
}
}
free(img->comps[0].data); img->comps[0].data = d0;
@@ -186,7 +195,7 @@ static void sycc420_to_rgb(opj_image_t *
{
int *d0, *d1, *d2, *r, *g, *b, *nr, *ng, *nb;
const int *y, *cb, *cr, *ny;
- size_t maxw, maxh, max, offx, loopmaxw, offy, loopmaxh;
+ size_t maxw, maxh, max, offx, loopmaxw, offy, loopmaxh, comp12w;
int offset, upb;
size_t i, j;
@@ -194,6 +203,7 @@ static void sycc420_to_rgb(opj_image_t *
offset = 1<<(upb - 1); upb = (1<<upb)-1;
maxw = (size_t)img->comps[0].w; maxh = (size_t)img->comps[0].h;
+ comp12w = (size_t)img->comps[1].w;
max = maxw * maxh;
y = img->comps[0].data;
@@ -251,11 +261,23 @@ static void sycc420_to_rgb(opj_image_t *
}
if (j < loopmaxw) {
- sycc_to_rgb(offset, upb, *y, *cb, *cr, r, g, b);
+ if (j / 2 == comp12w) {
+ sycc_to_rgb(offset, upb, *y, 0, 0, r, g, b);
+ } else {
+ sycc_to_rgb(offset, upb, *y, *cb, *cr, r, g, b);
+ }
++y; ++r; ++g; ++b;
- sycc_to_rgb(offset, upb, *ny, *cb, *cr, nr, ng, nb);
- ++ny; ++nr; ++ng; ++nb; ++cb; ++cr;
+ if (j / 2 == comp12w) {
+ sycc_to_rgb(offset, upb, *ny, 0, 0, nr, ng, nb);
+ } else {
+ sycc_to_rgb(offset, upb, *ny, *cb, *cr, nr, ng, nb);
+ }
+ ++ny; ++nr; ++ng; ++nb;
+ if (j / 2 < comp12w) {
+ ++cb;
+ ++cr;
+ }
}
y += maxw; r += maxw; g += maxw; b += maxw;
@@ -270,7 +292,11 @@ static void sycc420_to_rgb(opj_image_t *
++y; ++r; ++g; ++b; ++cb; ++cr;
}
if (j < maxw) {
+ if (j / 2 == comp12w) {
+ sycc_to_rgb(offset, upb, *y, 0, 0, r, g, b);
+ } else {
sycc_to_rgb(offset, upb, *y, *cb, *cr, r, g, b);
+ }
}
}
Index: openjpeg-2.1.0/src/lib/openjp2/j2k.c
===================================================================
--- openjpeg-2.1.0.orig/src/lib/openjp2/j2k.c
+++ openjpeg-2.1.0/src/lib/openjp2/j2k.c
@@ -6611,7 +6611,8 @@ static OPJ_BOOL opj_j2k_add_tlmarker(OPJ
if (type == J2K_MS_SOT) {
OPJ_UINT32 l_current_tile_part = cstr_index->tile_index[tileno].current_tpsno;
- if (cstr_index->tile_index[tileno].tp_index)
+ if (cstr_index->tile_index[tileno].tp_index &&
+ l_current_tile_part < cstr_index->tile_index[tileno].nb_tps)
cstr_index->tile_index[tileno].tp_index[l_current_tile_part].start_pos = pos;
}
