From 610ac484af0630cdbb8154659505331600215ce7 Mon Sep 17 00:00:00 2001
From: Michal Hlavinka
Date: Thu, 23 Jan 2025 18:20:47 +0100
Subject: [PATCH] fix two heap buffer overflows CVE-2024-56826 and CVE-2024-52827 (RHEL-72518,RHEL-72520)
Resolves: RHEL-72520
---
 openjpeg2-2.5.2-cve-2024-56826.patch | 108 +++++++++++++++++++++++++++
 openjpeg2-2.5.2-cve-2024-56827.patch | 14 ++++
 openjpeg2.spec | 7 +-
 3 files changed, 128 insertions(+), 1 deletion(-)
 create mode 100644 openjpeg2-2.5.2-cve-2024-56826.patch
 create mode 100644 openjpeg2-2.5.2-cve-2024-56827.patch
diff --git a/openjpeg2-2.5.2-cve-2024-56826.patch b/openjpeg2-2.5.2-cve-2024-56826.patch
new file mode 100644
index 0000000..32807be
--- /dev/null
+++ b/openjpeg2-2.5.2-cve-2024-56826.patch
@@ -0,0 +1,108 @@
+diff --git a/src/bin/common/color.c b/src/bin/common/color.c
+index ae5d648da..e4924a152 100644
+--- a/src/bin/common/color.c
++++ b/src/bin/common/color.c
+@@ -158,7 +158,7 @@ static void sycc422_to_rgb(opj_image_t *img)
+ {
+ int *d0, *d1, *d2, *r, *g, *b;
+ const int *y, *cb, *cr;
+- size_t maxw, maxh, max, offx, loopmaxw;
++ size_t maxw, maxh, max, offx, loopmaxw, comp12w;
+ int offset, upb;
+ size_t i;
+
+@@ -167,6 +167,7 @@ static void sycc422_to_rgb(opj_image_t *img)
+ upb = (1 << upb) - 1;
+
+ maxw = (size_t)img->comps[0].w;
++ comp12w = (size_t)img->comps[1].w;
+ maxh = (size_t)img->comps[0].h;
+ max = maxw * maxh;
+
+@@ -212,13 +213,19 @@ static void sycc422_to_rgb(opj_image_t *img)
+ ++cr;
+ }
+ if (j < loopmaxw) {
+- sycc_to_rgb(offset, upb, *y, *cb, *cr, r, g, b);
++ if (j / 2 == comp12w) {
++ sycc_to_rgb(offset, upb, *y, 0, 0, r, g, b);
++ } else {
++ sycc_to_rgb(offset, upb, *y, *cb, *cr, r, g, b);
++ }
+ ++y;
+ ++r;
+ ++g;
+ ++b;
+- ++cb;
+- ++cr;
++ if (j / 2 < comp12w) {
++ ++cb;
++ ++cr;
++ }
+ }
+ }
+
+@@ -246,7 +253,7 @@ static void sycc420_to_rgb(opj_image_t *img)
+ {
+ int *d0, *d1, *d2, *r, *g, *b, *nr, *ng, *nb;
+ const int *y, *cb, *cr, *ny;
+- size_t maxw, maxh, max, offx, loopmaxw, offy, loopmaxh;
++ size_t maxw, maxh, max, offx, loopmaxw, offy, loopmaxh, comp12w;
+ int offset, upb;
+ size_t i;
+
+@@ -255,6 +262,7 @@ static void sycc420_to_rgb(opj_image_t *img)
+ upb = (1 << upb) - 1;
+
+ maxw = (size_t)img->comps[0].w;
++ comp12w = (size_t)img->comps[1].w;
+ maxh = (size_t)img->comps[0].h;
+ max = maxw * maxh;
+
+@@ -336,19 +344,29 @@ static void sycc420_to_rgb(opj_image_t *img)
+ ++cr;
+ }
+ if (j < loopmaxw) {
+- sycc_to_rgb(offset, upb, *y, *cb, *cr, r, g, b);
++ if (j / 2 == comp12w) {
++ sycc_to_rgb(offset, upb, *y, 0, 0, r, g, b);
++ } else {
++ sycc_to_rgb(offset, upb, *y, *cb, *cr, r, g, b);
++ }
+ ++y;
+ ++r;
+ ++g;
+ ++b;
+
+- sycc_to_rgb(offset, upb, *ny, *cb, *cr, nr, ng, nb);
++ if (j / 2 == comp12w) {
++ 
sycc_to_rgb(offset, upb, *ny, 0, 0, nr, ng, nb);
++ } else {
++ sycc_to_rgb(offset, upb, *ny, *cb, *cr, nr, ng, nb);
++ }
+ ++ny;
+ ++nr;
+ ++ng;
+ ++nb;
+- ++cb;
+- ++cr;
++ if (j / 2 < comp12w) {
++ ++cb;
++ ++cr;
++ }
+ }
+ y += maxw;
+ r += maxw;
+@@ -384,7 +402,11 @@ static void sycc420_to_rgb(opj_image_t *img)
+ ++cr;
+ }
+ if (j < loopmaxw) {
+- sycc_to_rgb(offset, upb, *y, *cb, *cr, r, g, b);
++ if (j / 2 == comp12w) {
++ sycc_to_rgb(offset, upb, *y, 0, 0, r, g, b);
++ } else {
++ sycc_to_rgb(offset, upb, *y, *cb, *cr, r, g, b);
++ }
+ }
+ }
+
diff --git a/openjpeg2-2.5.2-cve-2024-56827.patch b/openjpeg2-2.5.2-cve-2024-56827.patch
new file mode 100644
index 0000000..adc0127
--- /dev/null
+++ b/openjpeg2-2.5.2-cve-2024-56827.patch
@@ -0,0 +1,14 @@
+diff --git a/src/lib/openjp2/j2k.c b/src/lib/openjp2/j2k.c
+index 7dc389fa2..b5903a59c 100644
+--- a/src/lib/openjp2/j2k.c
++++ b/src/lib/openjp2/j2k.c
+@@ -8456,7 +8456,8 @@ static OPJ_BOOL opj_j2k_add_tlmarker(OPJ_UINT32 tileno,
+ if (type == J2K_MS_SOT) {
+ OPJ_UINT32 l_current_tile_part = cstr_index->tile_index[tileno].current_tpsno;
+
+- if (cstr_index->tile_index[tileno].tp_index) {
++ if (cstr_index->tile_index[tileno].tp_index &&
++ l_current_tile_part < cstr_index->tile_index[tileno].nb_tps) {
+ cstr_index->tile_index[tileno].tp_index[l_current_tile_part].start_pos = pos;
+ }
+
diff --git a/openjpeg2.spec b/openjpeg2.spec
index b9e01d8..865f8a2 100644
--- a/openjpeg2.spec
+++ b/openjpeg2.spec
@@ -14,7 +14,7 @@ Name: openjpeg2
 Version: 2.5.2
-Release: 3%{?dist}
+Release: 4%{?dist}
 Summary: C-Library for JPEG 2000
 # windirent.h is MIT, the rest is BSD
@@ -28,6 +28,8 @@ Source1: data.tar.xz
 # Rename tool names to avoid conflicts with openjpeg-1.x
 Patch0: openjpeg2_opj2.patch
+Patch1: openjpeg2-2.5.2-cve-2024-56826.patch
+Patch2: openjpeg2-2.5.2-cve-2024-56827.patch
 BuildRequires: cmake
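Review bot: The guards added in sycc422_to_rgb and sycc420_to_rgb bound only the column index (`j / 2` against the new `comp12w`); no corresponding bound on `comps[1].h` is introduced even though `offy`/`loopmaxh` show sycc420_to_rgb also walks rows in pairs, so whether the final odd row handled at `@@ -384` can still read one row past the chroma planes depends on the caller's dimension checks, which are not in this hunk and are worth confirming. Substituting `0` for the missing chroma samples is presumably not a neutral value if `sycc_to_rgb` subtracts `offset` from them (its body is outside the hunk); `offset` would give a grey pixel, which is cosmetic for malformed input but deserves a comment, e.g. `/* chroma plane is one sample narrower than Y: use neutral chroma instead of reading past comps[1]/comps[2] */` at the first substituted call. The same if/else pair is repeated at `@@ -212`, `@@ -336` (twice) and `@@ -384`; a small static helper taking the bound would avoid restating it. Both functions begin and end outside the hunk.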
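Review bot: The added condition silently skips recording `start_pos` when `l_current_tile_part >= nb_tps`, so a codestream carrying more tile-parts than `nb_tps` now leaves `tp_index` incomplete with no diagnostic, although `opj_j2k_add_tlmarker` returns `OPJ_BOOL` and could report it; if the surplus tile-part is rejected as malformed elsewhere that is fine, otherwise a warning at this point would make the truncated index visible (the function's body continues outside the hunk). A short comment would help the next reader, e.g. `/* current_tpsno can exceed the nb_tps entries tp_index was sized for; never index past the end */`. Also, the new file is named `openjpeg2-2.5.2-cve-2024-56827.patch` while the commit subject and the changelog entry refer to CVE-2024-52827, and the `Resolves:` trailer lists only RHEL-72520 while the subject names both RHEL-72518 and RHEL-72520 — one identifier in each pair is presumably a typo and should be reconciled before this lands.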
@@ -441,6 +443,9 @@ rm -rf %{buildroot}%{mingw64_datadir}/doc
 %changelog
+* Thu Jan 23 2025 Michal Hlavinka - 2.5.2-4
+- fix two heap buffer overflows CVE-2024-56826 and CVE-2024-52827 (RHEL-72518,RHEL-72520)
+
 * Tue Oct 29 2024 Troy Dawson - 2.5.2-3
 - Bump release for October 2024 mass rebuild:
 Resolves: RHEL-64018