openjpeg: Backport fix CVE-2023-39327

Upstream commit: c58bc128b4 Reference: https://github.com/uclouvain/openjpeg/pull/1547 Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
2026-04-02 02:49:12 +00:00 · 2025-01-28 18:24:12 +05:30 · 2025-01-28 18:24:12 +05:30 · 2a486ee7cd
commit 2a486ee7cd
parent de8681b4a2
2 changed files with 83 additions and 0 deletions
--- a/meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2023-39327.patch
+++ b/meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2023-39327.patch
@ -0,0 +1,82 @@
+From c58bc128b4f770e7c89bc8ba3d0273b9a3904aad Mon Sep 17 00:00:00 2001
+From: mayeut <mayeut@users.noreply.github.com>
+Date: Sat, 17 Aug 2024 15:59:56 +0200
+Subject: [PATCH] fix: when EPH markers are specified, they are required.
+
+reference from Rec. ITU-T T.800 (06/2019):
+- Table A.13 – Coding style parameter values for the Scod parameter
+- Section A.8.1 Start of packet (SOP)
+- Section A.8.2 End of packet header (EPH)
+
+Upstream-Status: Backport [https://github.com/uclouvain/openjpeg/commit/c58bc128b4f770e7c89bc8ba3d0273b9a3904aad]
+CVE: CVE-2023-39327
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ src/lib/openjp2/t2.c                    | 19 +++++++++++++------
+ tests/nonregression/test_suite.ctest.in |  3 +++
+ 2 files changed, 16 insertions(+), 6 deletions(-)
+
+diff --git a/src/lib/openjp2/t2.c b/src/lib/openjp2/t2.c
+index 1481e16f..b7ffd5fb 100644
+--- a/src/lib/openjp2/t2.c
+++ b/src/lib/openjp2/t2.c
+@@ -1110,6 +1110,7 @@ static OPJ_BOOL opj_t2_read_packet_header(opj_t2_t* p_t2,
+     /* SOP markers */
+ 
+     if (p_tcp->csty & J2K_CP_CSTY_SOP) {
+        /* SOP markers are allowed (i.e. optional), just warn */
+         if (p_max_length < 6) {
+             opj_event_msg(p_manager, EVT_WARNING,
+                           "Not enough space for expected SOP marker\n");
+@@ -1162,12 +1163,15 @@ static OPJ_BOOL opj_t2_read_packet_header(opj_t2_t* p_t2,
+ 
+         /* EPH markers */
+         if (p_tcp->csty & J2K_CP_CSTY_EPH) {
+            /* EPH markers are required */
+             if ((*l_modified_length_ptr - (OPJ_UINT32)(l_header_data -
+                     *l_header_data_start)) < 2U) {
+-                opj_event_msg(p_manager, EVT_WARNING,
+-                              "Not enough space for expected EPH marker\n");
+                opj_event_msg(p_manager, EVT_ERROR,
+                              "Not enough space for required EPH marker\n");
+                return OPJ_FALSE;
+             } else if ((*l_header_data) != 0xff || (*(l_header_data + 1) != 0x92)) {
+-                opj_event_msg(p_manager, EVT_WARNING, "Expected EPH marker\n");
+                opj_event_msg(p_manager, EVT_ERROR, "Expected EPH marker\n");
+                return OPJ_FALSE;
+             } else {
+                 l_header_data += 2;
+             }
+@@ -1301,12 +1305,15 @@ static OPJ_BOOL opj_t2_read_packet_header(opj_t2_t* p_t2,
+ 
+     /* EPH markers */
+     if (p_tcp->csty & J2K_CP_CSTY_EPH) {
+        /* EPH markers are required */
+         if ((*l_modified_length_ptr - (OPJ_UINT32)(l_header_data -
+                 *l_header_data_start)) < 2U) {
+-            opj_event_msg(p_manager, EVT_WARNING,
+-                          "Not enough space for expected EPH marker\n");
+            opj_event_msg(p_manager, EVT_ERROR,
+                          "Not enough space for required EPH marker\n");
+            return OPJ_FALSE;
+         } else if ((*l_header_data) != 0xff || (*(l_header_data + 1) != 0x92)) {
+-            opj_event_msg(p_manager, EVT_WARNING, "Expected EPH marker\n");
+            opj_event_msg(p_manager, EVT_ERROR, "Expected EPH marker\n");
+            return OPJ_FALSE;
+         } else {
+             l_header_data += 2;
+         }
+diff --git a/tests/nonregression/test_suite.ctest.in b/tests/nonregression/test_suite.ctest.in
+index 72155329..78a7a783 100644
+--- a/tests/nonregression/test_suite.ctest.in
+++ b/tests/nonregression/test_suite.ctest.in
+@@ -647,3 +647,6 @@ opj_decompress -i @INPUT_NR_PATH@/tnsot_zero.jp2 -o @TEMP_PATH@/tnsot_zero.png
+ !opj_decompress -i @INPUT_NR_PATH@/oss-fuzz2785.jp2 -o @TEMP_PATH@/oss-fuzz2785.png
+ 
+ opj_decompress -i @INPUT_NR_PATH@/tnsot_zero_missing_eoc.jp2 -o @TEMP_PATH@/tnsot_zero_missing_eoc.png
+
+# missing EPH Marker
+!opj_decompress -i @INPUT_NR_PATH@/issue1472-bigloop.j2k -o @TEMP_PATH@/issue1472-bigloop.raw
+-- 
+2.25.1
+
--- a/meta-oe/recipes-graphics/openjpeg/openjpeg_2.4.0.bb
+++ b/meta-oe/recipes-graphics/openjpeg/openjpeg_2.4.0.bb
@ -14,6 +14,7 @@ SRC_URI = " \
    file://CVE-2021-3575.patch \
    file://0001-sycc422_to_rgb-fix-out-of-bounds-read-accesses-when-.patch \
    file://0001-opj_j2k_add_tlmarker-validate-that-current-tile-part.patch \
+    file://CVE-2023-39327.patch \
 "
 SRCREV = "37ac30ceff6640bbab502388c5e0fa0bff23f505"
 S = "${WORKDIR}/git"