opencv: Fix for CVE-2023-2617

A vulnerability classified as problematic was found in OpenCV wechat_qrcode Module up to 4.7.0. Affected by this vulnerability is the function DecodedBitStreamParser::decodeByteSegment of the file qrcode/decoder/decoded_bit_stream_parser.cpp. The manipulation leads to null pointer dereference. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-228547. Signed-off-by: Soumya <soumya.sambu@windriver.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
2026-01-01 13:58:06 +00:00 · 2023-06-15 16:04:45 +00:00 · 2023-06-15 16:04:45 +00:00 · 9eaadb6a67
commit 9eaadb6a67
parent 54ec73da43
2 changed files with 89 additions and 0 deletions
--- a/meta-oe/recipes-support/opencv/opencv/CVE-2023-2617.patch
+++ b/meta-oe/recipes-support/opencv/opencv/CVE-2023-2617.patch
@ -0,0 +1,88 @@
+commit ccc277247ac1a7aef0a90353edcdec35fbc5903c
+Author: Nano <nanoapezlk@gmail.com>
+Date:   Wed Apr 26 15:09:52 2023 +0800
+
+    fix(wechat_qrcode): Init nBytes after the count value is determined (#3480)
+
+    * fix(wechat_qrcode): Initialize nBytes after the count value is determined
+
+    * fix(wechat_qrcode): Incorrect count data repair
+
+    * chore: format expr
+
+    * fix(wechat_qrcode): Avoid null pointer exception
+
+    * fix(wechat_qrcode): return when bytes_ is empty
+
+    * test(wechat_qrcode): add test case
+
+    ---------
+
+    Co-authored-by: GZTime <Time.GZ@outlook.com>
+
+CVE: CVE-2023-2617
+
+Upstream-Status: Backport [https://github.com/opencv/opencv_contrib/commit/ccc277247ac1a7aef0a90353edcdec35fbc5903c]
+
+Signed-off-by: Soumya <soumya.sambu@windriver.com>
+---
+
+diff --git a/modules/wechat_qrcode/src/zxing/qrcode/decoder/decoded_bit_stream_parser.cpp b/modules/wechat_qrcode/src/zxing/qrcode/decoder/decoded_bit_stream_parser.cpp
+index 05de793c..b3a0a69c 100644
+--- a/modules/wechat_qrcode/src/zxing/qrcode/decoder/decoded_bit_stream_parser.cpp
+++ b/modules/wechat_qrcode/src/zxing/qrcode/decoder/decoded_bit_stream_parser.cpp
+@@ -65,7 +65,8 @@ void DecodedBitStreamParser::append(std::string& result, string const& in,
+
+ void DecodedBitStreamParser::append(std::string& result, const char* bufIn, size_t nIn,
+                                     ErrorHandler& err_handler) {
+-    if (err_handler.ErrCode()) return;
+    // avoid null pointer exception
+    if (err_handler.ErrCode() || bufIn == nullptr) return;
+ #ifndef NO_ICONV_INSIDE
+     if (nIn == 0) {
+         return;
+@@ -190,16 +191,20 @@ void DecodedBitStreamParser::decodeByteSegment(Ref<BitSource> bits_, string& res
+                                                CharacterSetECI* currentCharacterSetECI,
+                                                ArrayRef<ArrayRef<char> >& byteSegments,
+                                                ErrorHandler& err_handler) {
+-    int nBytes = count;
+     BitSource& bits(*bits_);
+     // Don't crash trying to read more bits than we have available.
+     int available = bits.available();
+     // try to repair count data if count data is invalid
+     if (count * 8 > available) {
+-        count = (available + 7 / 8);
+        count = (available + 7) / 8;
+     }
+    size_t nBytes = count;
+
+    ArrayRef<char> bytes_(nBytes);
+    // issue https://github.com/opencv/opencv_contrib/issues/3478
+    if (bytes_->empty())
+        return;
+
+-    ArrayRef<char> bytes_(count);
+     char* readBytes = &(*bytes_)[0];
+     for (int i = 0; i < count; i++) {
+         //    readBytes[i] = (char) bits.readBits(8);
+diff --git a/modules/wechat_qrcode/test/test_qrcode.cpp b/modules/wechat_qrcode/test/test_qrcode.cpp
+index d59932b8..ec2559b0 100644
+--- a/modules/wechat_qrcode/test/test_qrcode.cpp
+++ b/modules/wechat_qrcode/test/test_qrcode.cpp
+@@ -455,5 +455,16 @@ TEST_P(Objdetect_QRCode_Easy_Multi, regression) {
+ std::string qrcode_model_path[] = {"", "dnn/wechat_2021-01"};
+ INSTANTIATE_TEST_CASE_P(/**/, Objdetect_QRCode_Easy_Multi, testing::ValuesIn(qrcode_model_path));
+
+TEST(Objdetect_QRCode_bug, issue_3478) {
+    auto detector = wechat_qrcode::WeChatQRCode();
+    std::string image_path = findDataFile("qrcode/issue_3478.png");
+    Mat src = imread(image_path, IMREAD_GRAYSCALE);
+    ASSERT_FALSE(src.empty()) << "Can't read image: " << image_path;
+    std::vector<std::string> outs = detector.detectAndDecode(src);
+    ASSERT_EQ(1, (int) outs.size());
+    ASSERT_EQ(16, (int) outs[0].size());
+    ASSERT_EQ("KFCVW50         ", outs[0]);
+}
+
+ }  // namespace
+ }  // namespace opencv_test
--- a/meta-oe/recipes-support/opencv/opencv_4.7.0.bb
+++ b/meta-oe/recipes-support/opencv/opencv_4.7.0.bb
@ -31,6 +31,7 @@ SRC_URI = "git://github.com/opencv/opencv.git;name=opencv;branch=master;protocol
           file://download.patch \
           file://0001-Make-ts-module-external.patch \
           file://0008-Do-not-embed-build-directory-in-binaries.patch \
+           file://CVE-2023-2617.patch;patchdir=contrib \
           "
 SRC_URI:append:riscv64 = " file://0001-Use-Os-to-compile-tinyxml2.cpp.patch;patchdir=contrib"