new file mode 100644
@@ -0,0 +1,130 @@
+From 2bed72075bd17518907a6a57e3411669188e49bd Mon Sep 17 00:00:00 2001
+From: Even Rouault <even.rouault@spatialys.com>
+Date: Mon, 25 Nov 2024 23:11:24 +0100
+Subject: [PATCH] sycc422_to_rgb(): fix out-of-bounds read accesses when 2 *
+ width_component_1_or_2 + 1 == with_component_0
+
+Fixes #1563
+
+Also adjusts sycc420_to_rgb() for potential similar issue (amending
+commit 7bd884f8750892de4f50bf4642fcfbe7011c6bdf)
+
+CVE: CVE-2024-56826
+Upstream-Status: Backport [https://github.com/uclouvain/openjpeg/commit/98592ee6d6904f1b48e8207238779b89a63befa2]
+
+Signed-off-by: Zhang Peng <peng.zhang1.cn@windriver.com>
+---
+ src/bin/common/color.c | 42 ++++++++++++++++++++++++++++++++----------
+ 1 file changed, 32 insertions(+), 10 deletions(-)
+
+diff --git a/src/bin/common/color.c b/src/bin/common/color.c
+index ae5d648d..e4924a15 100644
+--- a/src/bin/common/color.c
++++ b/src/bin/common/color.c
+@@ -158,7 +158,7 @@ static void sycc422_to_rgb(opj_image_t *img)
+ {
+ int *d0, *d1, *d2, *r, *g, *b;
+ const int *y, *cb, *cr;
+- size_t maxw, maxh, max, offx, loopmaxw;
++ size_t maxw, maxh, max, offx, loopmaxw, comp12w;
+ int offset, upb;
+ size_t i;
+
+@@ -167,6 +167,7 @@ static void sycc422_to_rgb(opj_image_t *img)
+ upb = (1 << upb) - 1;
+
+ maxw = (size_t)img->comps[0].w;
++ comp12w = (size_t)img->comps[1].w;
+ maxh = (size_t)img->comps[0].h;
+ max = maxw * maxh;
+
+@@ -212,13 +213,19 @@ static void sycc422_to_rgb(opj_image_t *img)
+ ++cr;
+ }
+ if (j < loopmaxw) {
+- sycc_to_rgb(offset, upb, *y, *cb, *cr, r, g, b);
++ if (j / 2 == comp12w) {
++ sycc_to_rgb(offset, upb, *y, 0, 0, r, g, b);
++ } else {
++ sycc_to_rgb(offset, upb, *y, *cb, *cr, r, g, b);
++ }
+ ++y;
+ ++r;
+ ++g;
+ ++b;
+- ++cb;
+- ++cr;
++ if (j / 2 < comp12w) {
++ ++cb;
++ ++cr;
++ }
+ }
+ }
+
+@@ -246,7 +253,7 @@ static void sycc420_to_rgb(opj_image_t *img)
+ {
+ int *d0, *d1, *d2, *r, *g, *b, *nr, *ng, *nb;
+ const int *y, *cb, *cr, *ny;
+- size_t maxw, maxh, max, offx, loopmaxw, offy, loopmaxh;
++ size_t maxw, maxh, max, offx, loopmaxw, offy, loopmaxh, comp12w;
+ int offset, upb;
+ size_t i;
+
+@@ -255,6 +262,7 @@ static void sycc420_to_rgb(opj_image_t *img)
+ upb = (1 << upb) - 1;
+
+ maxw = (size_t)img->comps[0].w;
++ comp12w = (size_t)img->comps[1].w;
+ maxh = (size_t)img->comps[0].h;
+ max = maxw * maxh;
+
+@@ -336,19 +344,29 @@ static void sycc420_to_rgb(opj_image_t *img)
+ ++cr;
+ }
+ if (j < loopmaxw) {
+- sycc_to_rgb(offset, upb, *y, *cb, *cr, r, g, b);
++ if (j / 2 == comp12w) {
++ sycc_to_rgb(offset, upb, *y, 0, 0, r, g, b);
++ } else {
++ sycc_to_rgb(offset, upb, *y, *cb, *cr, r, g, b);
++ }
+ ++y;
+ ++r;
+ ++g;
+ ++b;
+
+- sycc_to_rgb(offset, upb, *ny, *cb, *cr, nr, ng, nb);
++ if (j / 2 == comp12w) {
++ sycc_to_rgb(offset, upb, *ny, 0, 0, nr, ng, nb);
++ } else {
++ sycc_to_rgb(offset, upb, *ny, *cb, *cr, nr, ng, nb);
++ }
+ ++ny;
+ ++nr;
+ ++ng;
+ ++nb;
+- ++cb;
+- ++cr;
++ if (j / 2 < comp12w) {
++ ++cb;
++ ++cr;
++ }
+ }
+ y += maxw;
+ r += maxw;
+@@ -384,7 +402,11 @@ static void sycc420_to_rgb(opj_image_t *img)
+ ++cr;
+ }
+ if (j < loopmaxw) {
+- sycc_to_rgb(offset, upb, *y, *cb, *cr, r, g, b);
++ if (j / 2 == comp12w) {
++ sycc_to_rgb(offset, upb, *y, 0, 0, r, g, b);
++ } else {
++ sycc_to_rgb(offset, upb, *y, *cb, *cr, r, g, b);
++ }
+ }
+ }
+
+--
+2.39.4
+
@@ -12,6 +12,7 @@ SRC_URI = " \
file://CVE-2021-29338.patch \
file://CVE-2022-1122.patch \
file://CVE-2021-3575.patch \
+ file://0001-sycc422_to_rgb-fix-out-of-bounds-read-accesses-when-.patch \
"
SRCREV = "37ac30ceff6640bbab502388c5e0fa0bff23f505"
S = "${WORKDIR}/git"