From 646f70aa4cc875c672214ac08a3964d0b7e59930 Mon Sep 17 00:00:00 2001
From: zhangpan
Date: Tue, 7 Jan 2025 01:47:00 +0000
Subject: [PATCH] fix CVE-2024-56826
(cherry picked from commit d7aa1eb0179e91ee39122bace62d610758f8b489)
---
 backport-CVE-2024-56826.patch | 122 ++++++++++++++++++++++++++++++++++
 openjpeg2.spec | 6 +-
 2 files changed, 127 insertions(+), 1 deletion(-)
 create mode 100644 backport-CVE-2024-56826.patch
diff --git a/backport-CVE-2024-56826.patch b/backport-CVE-2024-56826.patch
new file mode 100644
index 0000000..1d9d3ab
--- /dev/null
+++ b/backport-CVE-2024-56826.patch
@@ -0,0 +1,122 @@
+From 98592ee6d6904f1b48e8207238779b89a63befa2 Mon Sep 17 00:00:00 2001
+From: Even Rouault
+Date: Mon, 25 Nov 2024 23:11:24 +0100
+Subject: [PATCH] sycc422_to_rgb(): fix out-of-bounds read accesses when 2 *
+ width_component_1_or_2 + 1 == with_component_0
+
+Fixes #1563
+
+Also adjusts sycc420_to_rgb() for potential similar issue (amending
+commit 7bd884f8750892de4f50bf4642fcfbe7011c6bdf)
+---
+ src/bin/common/color.c | 42 ++++++++++++++++++++++++++++++++----------
+ 1 file changed, 32 insertions(+), 10 deletions(-)
+
+diff --git a/src/bin/common/color.c b/src/bin/common/color.c
+index ae5d648da..e4924a152 100644
+--- a/src/bin/common/color.c
++++ b/src/bin/common/color.c
+@@ -158,7 +158,7 @@ static void sycc422_to_rgb(opj_image_t *img)
+ {
+ int *d0, *d1, *d2, *r, *g, *b;
+ const int *y, *cb, *cr;
+- size_t maxw, maxh, max, offx, loopmaxw;
++ size_t maxw, maxh, max, offx, loopmaxw, comp12w;
+ int offset, upb;
+ size_t i;
+
+@@ -167,6 +167,7 @@ static void sycc422_to_rgb(opj_image_t *img)
+ upb = (1 << upb) - 1;
+
+ maxw = (size_t)img->comps[0].w;
++ comp12w = (size_t)img->comps[1].w;
+ maxh = (size_t)img->comps[0].h;
+ max = maxw * maxh;
+
+@@ -212,13 +213,19 @@ static void sycc422_to_rgb(opj_image_t *img)
+ ++cr;
+ }
+ if (j < loopmaxw) {
+- sycc_to_rgb(offset, upb, *y, *cb, *cr, r, g, b);
++ if (j / 2 == comp12w) {
++ sycc_to_rgb(offset, upb, *y, 0, 0, r, g, b);
++ } else {
++ sycc_to_rgb(offset, upb, *y, *cb, *cr, r, g, b);
++ }
+ ++y;
+ ++r;
+ ++g;
+ ++b;
+- ++cb;
+- ++cr;
++ if (j / 2 < comp12w) {
++ ++cb;
++ ++cr;
++ }
+ }
+ }
+
+@@ -246,7 +253,7 @@ static void sycc420_to_rgb(opj_image_t *img)
+ {
+ int *d0, *d1, *d2, *r, *g, *b, *nr, *ng, *nb;
+ const int *y, *cb, *cr, *ny;
+- size_t maxw, maxh, max, offx, loopmaxw, offy, loopmaxh;
++ size_t maxw, maxh, max, offx, loopmaxw, offy, loopmaxh, comp12w;
+ int offset, upb;
+ size_t i;
+
+@@ -255,6 +262,7 @@ static void sycc420_to_rgb(opj_image_t *img)
+ upb = (1 << upb) - 1;
+
+ maxw = (size_t)img->comps[0].w;
++ comp12w = (size_t)img->comps[1].w;
+ maxh = (size_t)img->comps[0].h;
+ max = maxw * maxh;
+
+@@ -336,19 +344,29 @@ static void sycc420_to_rgb(opj_image_t *img)
+ ++cr;
+ }
+ if (j < loopmaxw) {
+- sycc_to_rgb(offset, upb, *y, *cb, *cr, r, g, b);
++ if (j / 2 == comp12w) {
++ sycc_to_rgb(offset, upb, *y, 0, 0, r, g, b);
++ } else {
++ sycc_to_rgb(offset, upb, *y, *cb, *cr, r, g, b);
++ }
+ ++y;
+ ++r;
+ ++g;
+ ++b;
+
+- sycc_to_rgb(offset, upb, *ny, *cb, *cr, nr, ng, nb);
++ if (j / 2 == comp12w) {
++ sycc_to_rgb(offset, upb, *ny, 0, 0, nr, ng, nb);
++ } else {
++ sycc_to_rgb(offset, upb, *ny, *cb, *cr, nr, ng, nb);
++ }
+ ++ny;
+ ++nr;
+ ++ng;
+ ++nb;
+- ++cb;
+- ++cr;
++ if (j / 2 < comp12w) {
++ ++cb;
++ ++cr;
++ }
+ }
+ y += maxw;
+ r += maxw;
+@@ -384,7 +402,11 @@ static void sycc420_to_rgb(opj_image_t *img)
+ ++cr;
+ }
+ if (j < loopmaxw) {
+- sycc_to_rgb(offset, upb, *y, *cb, *cr, r, g, b);
++ if (j / 2 == comp12w) {
++ sycc_to_rgb(offset, upb, *y, 0, 0, r, g, b);
++ } else {
++ sycc_to_rgb(offset, upb, *y, *cb, *cr, r, g, b);
++ }
+ }
+ }
+
diff --git a/openjpeg2.spec b/openjpeg2.spec
index 5bae5fe..a1595f7 100644
--- a/openjpeg2.spec
+++ b/openjpeg2.spec
@@ -1,6 +1,6 @@
 Name: openjpeg2
 Version: 2.5.0
-Release: 4
+Release: 5
 Summary: C-Library for JPEG 2000
 License: BSD and MIT
 URL: https://github.com/uclouvain/openjpeg
@@ -9,6 +9,7 @@ Source0: https://github.com/uclouvain/openjpeg/archive/v%{version}/openjp
 Patch0: openjpeg2_opj2.patch
 Patch1: backport-CVE-2023-39328.patch
 Patch2: backport-CVE-2021-3575.patch
+Patch3: backport-CVE-2024-56826.patch
 BuildRequires: cmake gcc-c++ make zlib-devel libpng-devel libtiff-devel lcms2-devel doxygen java-devel
 BuildRequires: jbigkit-devel libjpeg-turbo-devel
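Review bot: In the backported `src/bin/common/color.c` hunks, `comp12w` is read only from `img->comps[1].w`, yet the same guard also decides whether `*cr` is dereferenced, and `cr` presumably walks component 2; the fix is sound only if both chroma components have the same width, which nothing visible here establishes. The skip test is an exact match, `if (j / 2 == comp12w)`, while the pointer advance uses `j / 2 < comp12w`, so an index past the chroma width still falls into the dereferencing `else` branch; `if (j / 2 >= comp12w)` at each of the four `==` guards in `sycc422_to_rgb()` and `sycc420_to_rgb()` would make the two conditions complementary. Only the trailing odd column is guarded, so the paired-column loops above it (outside the hunks) still depend on a dimension check elsewhere, and a comment such as `/* chroma row holds comp12w samples; the last odd luma column may have none */` at the first guard would record that assumption. Both function bodies start and end outside the hunks.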
@@ -99,6 +100,9 @@ mv %{buildroot}%{_mandir}/man1/opj_dump.1 %{buildroot}%{_mandir}/man1/opj2_dump.
 %{_bindir}/opj2_dump
 %changelog
+* Tue Jan 7 2025 zhangpan - 2.5.0-5
+- fix CVE-2024-56826
+
 * Tue Oct 29 2024 zhangpan - 2.5.0-4
 - fix CVE-2021-3575
--
Gitee