fix two heap buffer overflows CVE-2024-56826 and CVE-2024-52827 (RHEL-72518,RHEL-72520)

Resolves: RHEL-72520
2025-01-23 18:20:47 +01:00 · 2025-01-23 18:20:47 +01:00 · 610ac484af
commit 610ac484af
parent d120e5f2cd
3 changed files with 128 additions and 1 deletions
--- a/openjpeg2-2.5.2-cve-2024-56826.patch
+++ b/openjpeg2-2.5.2-cve-2024-56826.patch
@ -0,0 +1,108 @@
+diff --git a/src/bin/common/color.c b/src/bin/common/color.c
+index ae5d648da..e4924a152 100644
+--- a/src/bin/common/color.c
+++ b/src/bin/common/color.c
+@@ -158,7 +158,7 @@ static void sycc422_to_rgb(opj_image_t *img)
+ {
+     int *d0, *d1, *d2, *r, *g, *b;
+     const int *y, *cb, *cr;
+-    size_t maxw, maxh, max, offx, loopmaxw;
+    size_t maxw, maxh, max, offx, loopmaxw, comp12w;
+     int offset, upb;
+     size_t i;
+ 
+@@ -167,6 +167,7 @@ static void sycc422_to_rgb(opj_image_t *img)
+     upb = (1 << upb) - 1;
+ 
+     maxw = (size_t)img->comps[0].w;
+    comp12w = (size_t)img->comps[1].w;
+     maxh = (size_t)img->comps[0].h;
+     max = maxw * maxh;
+ 
+@@ -212,13 +213,19 @@ static void sycc422_to_rgb(opj_image_t *img)
+             ++cr;
+         }
+         if (j < loopmaxw) {
+-            sycc_to_rgb(offset, upb, *y, *cb, *cr, r, g, b);
+            if (j / 2 == comp12w) {
+                sycc_to_rgb(offset, upb, *y, 0, 0, r, g, b);
+            } else {
+                sycc_to_rgb(offset, upb, *y, *cb, *cr, r, g, b);
+            }
+             ++y;
+             ++r;
+             ++g;
+             ++b;
+-            ++cb;
+-            ++cr;
+            if (j / 2 < comp12w) {
+                ++cb;
+                ++cr;
+            }
+         }
+     }
+ 
+@@ -246,7 +253,7 @@ static void sycc420_to_rgb(opj_image_t *img)
+ {
+     int *d0, *d1, *d2, *r, *g, *b, *nr, *ng, *nb;
+     const int *y, *cb, *cr, *ny;
+-    size_t maxw, maxh, max, offx, loopmaxw, offy, loopmaxh;
+    size_t maxw, maxh, max, offx, loopmaxw, offy, loopmaxh, comp12w;
+     int offset, upb;
+     size_t i;
+ 
+@@ -255,6 +262,7 @@ static void sycc420_to_rgb(opj_image_t *img)
+     upb = (1 << upb) - 1;
+ 
+     maxw = (size_t)img->comps[0].w;
+    comp12w = (size_t)img->comps[1].w;
+     maxh = (size_t)img->comps[0].h;
+     max = maxw * maxh;
+ 
+@@ -336,19 +344,29 @@ static void sycc420_to_rgb(opj_image_t *img)
+             ++cr;
+         }
+         if (j < loopmaxw) {
+-            sycc_to_rgb(offset, upb, *y, *cb, *cr, r, g, b);
+            if (j / 2 == comp12w) {
+                sycc_to_rgb(offset, upb, *y, 0, 0, r, g, b);
+            } else {
+                sycc_to_rgb(offset, upb, *y, *cb, *cr, r, g, b);
+            }
+             ++y;
+             ++r;
+             ++g;
+             ++b;
+ 
+-            sycc_to_rgb(offset, upb, *ny, *cb, *cr, nr, ng, nb);
+            if (j / 2 == comp12w) {
+                sycc_to_rgb(offset, upb, *ny, 0, 0, nr, ng, nb);
+            } else {
+                sycc_to_rgb(offset, upb, *ny, *cb, *cr, nr, ng, nb);
+            }
+             ++ny;
+             ++nr;
+             ++ng;
+             ++nb;
+-            ++cb;
+-            ++cr;
+            if (j / 2 < comp12w) {
+                ++cb;
+                ++cr;
+            }
+         }
+         y += maxw;
+         r += maxw;
+@@ -384,7 +402,11 @@ static void sycc420_to_rgb(opj_image_t *img)
+             ++cr;
+         }
+         if (j < loopmaxw) {
+-            sycc_to_rgb(offset, upb, *y, *cb, *cr, r, g, b);
+            if (j / 2 == comp12w) {
+                sycc_to_rgb(offset, upb, *y, 0, 0, r, g, b);
+            } else {
+                sycc_to_rgb(offset, upb, *y, *cb, *cr, r, g, b);
+            }
+         }
+     }
+ 
--- a/openjpeg2-2.5.2-cve-2024-56827.patch
+++ b/openjpeg2-2.5.2-cve-2024-56827.patch
@ -0,0 +1,14 @@
+diff --git a/src/lib/openjp2/j2k.c b/src/lib/openjp2/j2k.c
+index 7dc389fa2..b5903a59c 100644
+--- a/src/lib/openjp2/j2k.c
+++ b/src/lib/openjp2/j2k.c
+@@ -8456,7 +8456,8 @@ static OPJ_BOOL opj_j2k_add_tlmarker(OPJ_UINT32 tileno,
+     if (type == J2K_MS_SOT) {
+         OPJ_UINT32 l_current_tile_part = cstr_index->tile_index[tileno].current_tpsno;
+ 
+-        if (cstr_index->tile_index[tileno].tp_index) {
+        if (cstr_index->tile_index[tileno].tp_index &&
+                l_current_tile_part < cstr_index->tile_index[tileno].nb_tps) {
+             cstr_index->tile_index[tileno].tp_index[l_current_tile_part].start_pos = pos;
+         }
+ 
--- a/openjpeg2.spec
+++ b/openjpeg2.spec
@ -14,7 +14,7 @@

 Name:           openjpeg2
 Version:        2.5.2
-Release:        3%{?dist}
+Release:        4%{?dist}
 Summary:        C-Library for JPEG 2000

 # windirent.h is MIT, the rest is BSD
@ -28,6 +28,8 @@ Source1:        data.tar.xz

 # Rename tool names to avoid conflicts with openjpeg-1.x
 Patch0:         openjpeg2_opj2.patch
+Patch1:         openjpeg2-2.5.2-cve-2024-56826.patch
+Patch2:         openjpeg2-2.5.2-cve-2024-56827.patch


 BuildRequires:  cmake
@ -441,6 +443,9 @@ rm -rf %{buildroot}%{mingw64_datadir}/doc


 %changelog
+* Thu Jan 23 2025 Michal Hlavinka <mhlavink@redhat.com> - 2.5.2-4
+- fix two heap buffer overflows CVE-2024-56826 and CVE-2024-52827 (RHEL-72518,RHEL-72520)
+
 * Tue Oct 29 2024 Troy Dawson <tdawson@redhat.com> - 2.5.2-3
 - Bump release for October 2024 mass rebuild:
  Resolves: RHEL-64018