new file mode 100644
@@ -0,0 +1,78 @@
+From 0e045908b1fec6748688cbc13bd3dc3703ddb17e Mon Sep 17 00:00:00 2001
+From: Michael Adams <mdadams@ece.uvic.ca>
+Date: Sat, 2 Aug 2025 18:00:39 -0700
+Subject: [PATCH] Fixes #401.
+
+JPEG-2000 (JPC) Encoder:
+- Added some missing range checking on several coding parameters
+ (e.g., precint width/height and codeblock width/height).
+
+CVE: CVE-2025-8836
+Upstream-Status: Backport [https://github.com/jasper-software/jasper/commit/79185d32d7a444abae441935b20ae4676b3513d4]
+Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
+---
+ src/libjasper/jpc/jpc_enc.c | 30 ++++++++++++++++++++++++------
+ src/libjasper/jpc/jpc_t2dec.c | 3 ++-
+ 2 files changed, 26 insertions(+), 7 deletions(-)
+
+diff --git a/src/libjasper/jpc/jpc_enc.c b/src/libjasper/jpc/jpc_enc.c
+index 93013f9..c957e3f 100644
+--- a/src/libjasper/jpc/jpc_enc.c
++++ b/src/libjasper/jpc/jpc_enc.c
+@@ -474,18 +474,36 @@ static jpc_enc_cp_t *cp_create(const char *optstr, jas_image_t *image)
+ cp->tileheight = atoi(jas_tvparser_getval(tvp));
+ break;
+ case OPT_PRCWIDTH:
+- prcwidthexpn = jpc_floorlog2(atoi(jas_tvparser_getval(tvp)));
++ i = atoi(jas_tvparser_getval(tvp));
++ if (i <= 0) {
++ jas_eprintf("invalid precinct width (%d)\n", i);
++ goto error;
++ }
++ prcwidthexpn = jpc_floorlog2(i);
+ break;
+ case OPT_PRCHEIGHT:
+- prcheightexpn = jpc_floorlog2(atoi(jas_tvparser_getval(tvp)));
++ i = atoi(jas_tvparser_getval(tvp));
++ if (i <= 0) {
++ jas_eprintf("invalid precinct height (%d)\n", i);
++ goto error;
++ }
++ prcheightexpn = jpc_floorlog2(i);
+ break;
+ case OPT_CBLKWIDTH:
+- tccp->cblkwidthexpn =
+- jpc_floorlog2(atoi(jas_tvparser_getval(tvp)));
++ i = atoi(jas_tvparser_getval(tvp));
++ if (i <= 0) {
++ jas_eprintf("invalid code block width (%d)\n", i);
++ goto error;
++ }
++ tccp->cblkwidthexpn = jpc_floorlog2(i);
+ break;
+ case OPT_CBLKHEIGHT:
+- tccp->cblkheightexpn =
+- jpc_floorlog2(atoi(jas_tvparser_getval(tvp)));
++ i = atoi(jas_tvparser_getval(tvp));
++ if (i <= 0) {
++ jas_eprintf("invalid code block height (%d)\n", i);
++ goto error;
++ }
++ tccp->cblkheightexpn = jpc_floorlog2(i);
+ break;
+ case OPT_MODE:
+ if ((tagid = jas_taginfo_nonull(jas_taginfos_lookup(modetab,
+diff --git a/src/libjasper/jpc/jpc_t2dec.c b/src/libjasper/jpc/jpc_t2dec.c
+index e52b549..6e1f1f7 100644
+--- a/src/libjasper/jpc/jpc_t2dec.c
++++ b/src/libjasper/jpc/jpc_t2dec.c
+@@ -337,7 +337,8 @@ static int jpc_dec_decodepkt(jpc_dec_t *dec, jas_stream_t *pkthdrstream, jas_str
+ const unsigned n = JAS_MIN((unsigned)numnewpasses, maxpasses);
+ mycounter += n;
+ numnewpasses -= n;
+- if ((len = jpc_bitstream_getbits(inb, cblk->numlenbits + jpc_floorlog2(n))) < 0) {
++ if ((len = jpc_bitstream_getbits(inb,
++ cblk->numlenbits + jpc_floorlog2(n))) < 0) {
+ jpc_bitstream_close(inb);
+ return -1;
+ }
@@ -6,6 +6,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=a80440d1d8f17d041c71c7271d6e06eb"
SRC_URI = "git://github.com/jasper-software/jasper.git;protocol=https;branch=master \
file://CVE-2023-51257.patch \
file://CVE-2025-8835.patch \
+ file://CVE-2025-8836.patch \
"
SRCREV = "fe00207dc10db1d7cc6f2757961c5c6bdfd10973"
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-8836 Pick the patch that is referenced by the nvd report. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> --- .../jasper/jasper/CVE-2025-8836.patch | 78 +++++++++++++++++++ .../recipes-graphics/jasper/jasper_2.0.33.bb | 1 + 2 files changed, 79 insertions(+) create mode 100644 meta-oe/recipes-graphics/jasper/jasper/CVE-2025-8836.patch