new file mode 100644
@@ -0,0 +1,88 @@
+commit ccc277247ac1a7aef0a90353edcdec35fbc5903c
+Author: Nano <nanoapezlk@gmail.com>
+Date: Wed Apr 26 15:09:52 2023 +0800
+
+ fix(wechat_qrcode): Init nBytes after the count value is determined (#3480)
+
+ * fix(wechat_qrcode): Initialize nBytes after the count value is determined
+
+ * fix(wechat_qrcode): Incorrect count data repair
+
+ * chore: format expr
+
+ * fix(wechat_qrcode): Avoid null pointer exception
+
+ * fix(wechat_qrcode): return when bytes_ is empty
+
+ * test(wechat_qrcode): add test case
+
+ ---------
+
+ Co-authored-by: GZTime <Time.GZ@outlook.com>
+
+CVE: CVE-2023-2617
+
+Upstream-Status: Backport [https://github.com/opencv/opencv_contrib/commit/ccc277247ac1a7aef0a90353edcdec35fbc5903c]
+
+Signed-off-by: Soumya <soumya.sambu@windriver.com>
+---
+
+diff --git a/modules/wechat_qrcode/src/zxing/qrcode/decoder/decoded_bit_stream_parser.cpp b/modules/wechat_qrcode/src/zxing/qrcode/decoder/decoded_bit_stream_parser.cpp
+index 05de793c..b3a0a69c 100644
+--- a/modules/wechat_qrcode/src/zxing/qrcode/decoder/decoded_bit_stream_parser.cpp
++++ b/modules/wechat_qrcode/src/zxing/qrcode/decoder/decoded_bit_stream_parser.cpp
+@@ -65,7 +65,8 @@ void DecodedBitStreamParser::append(std::string& result, string const& in,
+
+ void DecodedBitStreamParser::append(std::string& result, const char* bufIn, size_t nIn,
+ ErrorHandler& err_handler) {
+- if (err_handler.ErrCode()) return;
++ // avoid null pointer exception
++ if (err_handler.ErrCode() || bufIn == nullptr) return;
+ #ifndef NO_ICONV_INSIDE
+ if (nIn == 0) {
+ return;
+@@ -190,16 +191,20 @@ void DecodedBitStreamParser::decodeByteSegment(Ref<BitSource> bits_, string& res
+ CharacterSetECI* currentCharacterSetECI,
+ ArrayRef<ArrayRef<char> >& byteSegments,
+ ErrorHandler& err_handler) {
+- int nBytes = count;
+ BitSource& bits(*bits_);
+ // Don't crash trying to read more bits than we have available.
+ int available = bits.available();
+ // try to repair count data if count data is invalid
+ if (count * 8 > available) {
+- count = (available + 7 / 8);
++ count = (available + 7) / 8;
+ }
++ size_t nBytes = count;
++
++ ArrayRef<char> bytes_(nBytes);
++ // issue https://github.com/opencv/opencv_contrib/issues/3478
++ if (bytes_->empty())
++ return;
+
+- ArrayRef<char> bytes_(count);
+ char* readBytes = &(*bytes_)[0];
+ for (int i = 0; i < count; i++) {
+ // readBytes[i] = (char) bits.readBits(8);
+diff --git a/modules/wechat_qrcode/test/test_qrcode.cpp b/modules/wechat_qrcode/test/test_qrcode.cpp
+index d59932b8..ec2559b0 100644
+--- a/modules/wechat_qrcode/test/test_qrcode.cpp
++++ b/modules/wechat_qrcode/test/test_qrcode.cpp
+@@ -289,5 +289,16 @@ TEST_P(Objdetect_QRCode_Multi, regression) {
+ INSTANTIATE_TEST_CASE_P(/**/, Objdetect_QRCode_Curved, testing::ValuesIn(qrcode_images_curved));
+ // INSTANTIATE_TEST_CASE_P(/**/, Objdetect_QRCode_Multi, testing::ValuesIn(qrcode_images_multiple));
+
++TEST(Objdetect_QRCode_bug, issue_3478) {
++ auto detector = wechat_qrcode::WeChatQRCode();
++ std::string image_path = findDataFile("qrcode/issue_3478.png");
++ Mat src = imread(image_path, IMREAD_GRAYSCALE);
++ ASSERT_FALSE(src.empty()) << "Can't read image: " << image_path;
++ std::vector<std::string> outs = detector.detectAndDecode(src);
++ ASSERT_EQ(1, (int) outs.size());
++ ASSERT_EQ(16, (int) outs[0].size());
++ ASSERT_EQ("KFCVW50 ", outs[0]);
++}
++
+ } // namespace
+ } // namespace opencv_test
@@ -52,6 +52,7 @@ SRC_URI = "git://github.com/opencv/opencv.git;name=opencv;branch=master;protocol
file://download.patch \
file://0001-Make-ts-module-external.patch \
file://0001-core-vsx-update-vec_absd-workaround-condition.patch \
+ file://CVE-2023-2617.patch;patchdir=../contrib \
"
SRC_URI:append:riscv64 = " file://0001-Use-Os-to-compile-tinyxml2.cpp.patch;patchdir=../contrib"
A vulnerability classified as problematic was found in OpenCV wechat_qrcode Module up to 4.7.0. Affected by this vulnerability is the function DecodedBitStreamParser::decodeByteSegment of the file qrcode/decoder/decoded_bit_stream_parser.cpp. The manipulation leads to null pointer dereference. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-228547. Signed-off-by: Soumya <soumya.sambu@windriver.com> --- .../opencv/opencv/CVE-2023-2617.patch | 88 +++++++++++++++++++ .../recipes-support/opencv/opencv_4.5.5.bb | 1 + 2 files changed, 89 insertions(+) create mode 100644 meta-oe/recipes-support/opencv/opencv/CVE-2023-2617.patch