From b851789ab0f7ae545da7292b04c8cd2aad12bff4 Mon Sep 17 00:00:00 2001
From: Thomas Gerbet
Date: Tue, 14 Jan 2025 12:32:40 +0100
Subject: [PATCH] openjpeg: apply patches for CVE-2024-56826

Preferred to apply patches instead of bumping to 2.5.3 until the upgrade can be dealt with, see https://github.com/NixOS/nixpkgs/pull/370072 for the last attempt.
---
 pkgs/by-name/op/openjpeg/package.nix | 17 ++++++++++++++++-
 1 file changed, 16 insertions(+), 1 deletion(-)

diff --git a/pkgs/by-name/op/openjpeg/package.nix b/pkgs/by-name/op/openjpeg/package.nix
index 15296d33b85d5..d0ccfe04924ec 100644
--- a/pkgs/by-name/op/openjpeg/package.nix
+++ b/pkgs/by-name/op/openjpeg/package.nix
@@ -1,4 +1,4 @@
-{ lib, stdenv, fetchFromGitHub, cmake, pkg-config
+{ lib, stdenv, fetchFromGitHub, fetchpatch, cmake, pkg-config
 , libpng, libtiff, zlib, lcms2
 , jpipLibSupport ? false # JPIP library & executables
 , jpipServerSupport ? false, curl, fcgi # JPIP Server
@@ -38,6 +38,21 @@ stdenv.mkDerivation rec {
 hash = "sha256-mQ9B3MJY2/bg0yY/7jUJrAXM6ozAHT5fmwES5Q1SGxw=";
 };

+ patches = [
+ (fetchpatch {
+ # https://github.com/uclouvain/openjpeg/issues/1564
+ name = "CVE-2024-56826_ISSUE1564.patch";
+ url = "https://github.com/uclouvain/openjpeg/commit/e492644fbded4c820ca55b5e50e598d346e850e8.patch";
+ hash = "sha256-v+odu4/MXRA+RKOlPO+m/Xk66BMH6mOcEN4ScHn3VAo=";
+ })
+ (fetchpatch {
+ # https://github.com/uclouvain/openjpeg/issues/1563
+ name = "CVE-2024-56826_ISSUE1563.patch";
+ url = "https://github.com/uclouvain/openjpeg/commit/98592ee6d6904f1b48e8207238779b89a63befa2.patch";
+ hash = "sha256-1ScnEZAPuvclyRME5kbeo7dBMG31Njs5CaYC4sGyx08=";
+ })
+ ];
+
 outputs = [ "out" "dev" ];

 cmakeFlags = [
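Review bot: The two `url` lines in the second hunk fetch GitHub commit `.patch` endpoints without `?full_index=1`; GitHub abbreviates object ids in the generated `index` lines and the abbreviation length can change as the repository grows, so the pinned sha256 values may later stop matching even though the security fix itself is unchanged (unless fetchpatch's normalization already strips those lines, which I cannot confirm from here). The usual nixpkgs convention is to end such URLs in `.patch?full_index=1"` and re-record the hash; the new hashes can only come from a fresh fetch, so they would be `<recomputed sha256>` placeholders until then. It is also worth confirming that upstream issues 1564 and 1563 are both covered by CVE-2024-56826, since the commit message names one CVE while the comments cite two distinct issues; if only one maps, the other patch's `name` should not carry that CVE id. The `stdenv.mkDerivation rec {` attribute set these lines belong to begins and ends outside the hunk.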