From a8701aa7b39d993819c67b1ac5a352b7755fa81b Mon Sep 17 00:00:00 2001
From: wubijie
Date: Mon, 11 Aug 2025 20:38:21 +0800
Subject: [PATCH] fix CVE-2025-8835

---
 backport-CVE-2025-8835.patch | 180 +++++++++++++++++++++++++++++++++++
 jasper.spec | 8 +-
 poc_400.pnm | Bin 0 -> 16 bytes
 3 files changed, 187 insertions(+), 1 deletion(-)
 create mode 100644 backport-CVE-2025-8835.patch
 create mode 100644 poc_400.pnm

diff --git a/backport-CVE-2025-8835.patch b/backport-CVE-2025-8835.patch
new file mode 100644
index 0000000..6d6a561
--- /dev/null
+++ b/backport-CVE-2025-8835.patch
@@ -0,0 +1,180 @@
+From bb7d62bd0a2a8e0e1fdb4d603f3305f955158c52 Mon Sep 17 00:00:00 2001
+From: Michael Adams
+Date: Tue, 29 Jul 2025 20:16:35 -0700
+Subject: [PATCH] Fixes #400.
+
+Added a check for a missing color component in the jas_image_chclrspc
+function.
+---
+ data/test/other/poc_400.pnm | Bin 0 -> 16 bytes
+ src/libjasper/base/jas_image.c | 72 ++++++++++++++++++++++++++++-----
+ 2 files changed, 61 insertions(+), 11 deletions(-)
+ create mode 100644 data/test/other/poc_400.pnm
+
+diff --git a/data/test/other/poc_400.pnm b/data/test/other/poc_400.pnm
+new file mode 100644
+index 0000000000000000000000000000000000000000..a8c11b785ad09db328d932085edbb6d204f76b56
+GIT binary patch
+literal 16
+UcmWGAGvqSj24QY)HU 0);
++ JAS_LOGDEBUGF(10, "jas_cmcmptfmt_array_destroy(%p, %d)\n",
++ JAS_CAST(void *, cmptfmts), n);
++ for (int i = 0; i < n; ++i) {
++ if (cmptfmts[i].buf) {
++ jas_free(cmptfmts[i].buf);
++ }
++ cmptfmts[i].buf = 0;
++ }
++ jas_free(cmptfmts);
++}
++
+ /******************************************************************************\
+ * Load and save operations.
+ \******************************************************************************/
+@@ -1588,12 +1620,15 @@ jas_image_t *jas_image_chclrspc(jas_image_t *image,
+ jas_cmcmptfmt_t *incmptfmts;
+ jas_cmcmptfmt_t *outcmptfmts;
+
++ assert(image);
++ assert(outprof);
++
+ #if 0
+ jas_eprintf("IMAGE\n");
+ jas_image_dump(image, stderr);
+ #endif
+
+- if (image->numcmpts_ == 0) {
++ if (!jas_image_numcmpts(image)) {
+ /*
+ can't work with a file with no components;
+ continuing would crash because we'd attempt to
+@@ -1604,6 +1639,8 @@ jas_image_t *jas_image_chclrspc(jas_image_t *image,
+
+ outimage = 0;
+ xform = 0;
++ incmptfmts = 0;
++ outcmptfmts = 0;
+ if (!(inimage = jas_image_copy(image))) {
+ goto error;
+ }
+@@ -1694,16 +1731,22 @@ jas_image_t *jas_image_chclrspc(jas_image_t *image,
+ }
+
+ inpixmap.numcmpts = numinclrchans;
+- if (!(incmptfmts = jas_alloc2(numinclrchans, sizeof(jas_cmcmptfmt_t)))) {
++ assert(numinclrchans != 0);
++ if (!(incmptfmts = jas_cmcmptfmt_array_create(numinclrchans))) {
+ // formerly call to abort()
+ goto error;
+ }
+ inpixmap.cmptfmts = incmptfmts;
+ for (unsigned i = 0; i < numinclrchans; ++i) {
+ const int j = jas_image_getcmptbytype(inimage, JAS_IMAGE_CT_COLOR(i));
++ if (j < 0) {
++ jas_logerrorf("missing color component %d\n", i);
++ goto error;
++ }
+ if (!(incmptfmts[i].buf = jas_alloc2(width, sizeof(long)))) {
+ goto error;
+ }
++ assert(j >= 0 && j < jas_image_numcmpts(inimage));
+ incmptfmts[i].prec = jas_image_cmptprec(inimage, j);
+ incmptfmts[i].sgnd = jas_image_cmptsgnd(inimage, j);
+ incmptfmts[i].width = width;
+@@ -1711,7 +1754,7 @@ jas_image_t *jas_image_chclrspc(jas_image_t *image,
+ }
+
+ outpixmap.numcmpts = numoutclrchans;
+- if (!(outcmptfmts = jas_alloc2(numoutclrchans, sizeof(jas_cmcmptfmt_t)))) {
++ if (!(outcmptfmts = jas_cmcmptfmt_array_create(numoutclrchans))) {
+ // formerly call to abort()
+ goto error;
+ }
+@@ -1719,9 +1762,14 @@ jas_image_t *jas_image_chclrspc(jas_image_t *image,
+
+ for (unsigned i = 0; i < numoutclrchans; ++i) {
+ const int j = jas_image_getcmptbytype(outimage, JAS_IMAGE_CT_COLOR(i));
++ if (j < 0) {
++ jas_logerrorf("missing color component %d\n", i);
++ goto error;
++ }
+ if (!(outcmptfmts[i].buf = jas_alloc2(width, sizeof(long)))) {
+ goto error;
+ }
++ assert(j >= 0 && j < jas_image_numcmpts(outimage));
+ outcmptfmts[i].prec = jas_image_cmptprec(outimage, j);
+ outcmptfmts[i].sgnd = jas_image_cmptsgnd(outimage, j);
+ outcmptfmts[i].width = width;
+@@ -1746,14 +1794,8 @@ jas_image_t *jas_image_chclrspc(jas_image_t *image,
+ }
+ }
+
+- for (unsigned i = 0; i < numoutclrchans; ++i) {
+- jas_free(outcmptfmts[i].buf);
+- }
+- jas_free(outcmptfmts);
+- for (unsigned i = 0; i < numinclrchans; ++i) {
+- jas_free(incmptfmts[i].buf);
+- }
+- jas_free(incmptfmts);
++ jas_cmcmptfmt_array_destroy(outcmptfmts, numoutclrchans);
++ jas_cmcmptfmt_array_destroy(incmptfmts, numinclrchans);
+ jas_cmxform_destroy(xform);
+ jas_image_destroy(inimage);
+
+@@ -1765,6 +1807,14 @@ jas_image_t *jas_image_chclrspc(jas_image_t *image,
+ #endif
+ return outimage;
+ error:
++ if (incmptfmts) {
++ assert(numinclrchans);
++ jas_cmcmptfmt_array_destroy(incmptfmts, numinclrchans);
++ }
++ if (outcmptfmts) {
++ assert(numoutclrchans);
++ jas_cmcmptfmt_array_destroy(outcmptfmts, numoutclrchans);
++ }
+ if (xform) {
+ jas_cmxform_destroy(xform);
+ }
+
diff --git a/jasper.spec b/jasper.spec
index 9411750..697c7b8 100644
--- a/jasper.spec
+++ b/jasper.spec
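Review bot: The new error path hands a partially filled array to `jas_cmcmptfmt_array_destroy`, which frees every non-null `cmptfmts[i].buf`, so a `goto error` from the added `j < 0` check or from a failed `jas_alloc2` inside either loop is only safe if `jas_cmcmptfmt_array_create` zero-initialises each `buf`; that helper is not visible here (its text is lost where the binary section of the backport was mangled), so confirm it uses a zeroing allocator or memsets the array, otherwise the cleanup frees indeterminate pointers on exactly the path this patch introduces. The two `jas_logerrorf("missing color component %d\n", i)` calls pass an `unsigned` loop index to `%d`; use `%u` (or cast) so the format and argument types match. `assert(numinclrchans != 0)` and the asserts in the `error:` block vanish under NDEBUG, so if a zero channel count can reach this point from an input profile the create helper has to reject it itself rather than rely on the assert. The body of jas_image_chclrspc starts and ends outside these inner hunks.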
@@ -1,10 +1,12 @@ Name: jasper Version: 4.2.5 -Release: 1 +Release: 2 Summary: Reference implementation of the codec specified in the JPEG-2000 standard, Part 1 License: JasPer-2.0 URL: https://www.ece.uvic.ca/~frodo/jasper/ Source0: https://github.com/jasper-software/jasper/releases/download/version-%{version}/%{name}-%{version}.tar.gz +Source1: poc_400.pnm +Patch0: backport-CVE-2025-8835.patch BuildRequires: cmake freeglut-devel libGLU-devel libjpeg-devel libXmu-devel libXi-devel BuildRequires: pkgconfig doxygen mesa-libGL-devel @@ -36,6 +38,7 @@ Nonessential utilities of jasper, including jiv and tmrdemo. %prep %autosetup -n %{name}-%{version} -p1 +mv Source1 %_builddir/data/test/other/poc_400.pnm %build %cmake \ @@ -77,6 +80,9 @@ export LD_LIBRARY_PATH="`pwd`/%{__cmake_builddir}/src/libjasper/" %doc README.md %changelog +* Mon Aug 11 2025 wubijie - 4.2.5-2 +- fix CVE-2025-8835 + * Sun Apr 06 2025 Funda Wang - 4.2.5-1 - update to 4.2.5 diff --git a/poc_400.pnm b/poc_400.pnm new file mode 100644 index 0000000000000000000000000000000000000000..a8c11b785ad09db328d932085edbb6d204f76b56 GIT binary patch literal 16 UcmWGAGvqSj24QY)HU
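Review bot: The added `%prep` line `mv Source1 %_builddir/data/test/other/poc_400.pnm` cannot work: `Source1` is a bare word rather than the macro `%{SOURCE1}`, so `mv` fails on a missing file and aborts the build, and the destination `%_builddir/data/test/other/` is outside the unpacked tree (after `%autosetup` the working directory is `%{_builddir}/%{name}-%{version}`), so even with the macro fixed the file would land beside the source tree instead of in `data/test/other`. `mv` would also remove the file from `SOURCES`, breaking a second build from the same tree; copy it instead: `install -p -m 0644 %{SOURCE1} data/test/other/poc_400.pnm`. The backport still carries the `GIT binary patch` section for that same file, which GNU patch cannot apply and, depending on version, either warns about or rejects; either strip that section from `backport-CVE-2025-8835.patch` or confirm from the build log that `%autosetup -p1` tolerates it.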