summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorLee Chee Yang <chee.yang.lee@intel.com>2024-04-01 10:24:21 +0800
committerSteve Sakoman <steve@sakoman.com>2024-04-05 07:23:59 -0700
commit1921c279467ae185aecfe0e8b91da50b8a38d248 (patch)
treea9c2afee524fdbc324a54e1c9de82b8830d28fe1
parentebebf9d948b21983271c1c92e419a97b7d52e5bf (diff)
downloadpoky-1921c279467ae185aecfe0e8b91da50b8a38d248.tar.gz
tiff: fix CVE-2023-52356 CVE-2023-6277
import patch from ubuntu to fix CVE-2023-52356 CVE-2023-6277 import from http://archive.ubuntu.com/ubuntu/pool/main/t/tiff/tiff_4.3.0-6ubuntu0.8.debian.tar.xz (From OE-Core rev: 4728df36bb3888df4d3cc0db1fd66138e865c511) Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
Diffstat
-rw-r--r--meta/recipes-multimedia/libtiff/tiff/CVE-2023-52356.patch54
-rw-r--r--meta/recipes-multimedia/libtiff/tiff/CVE-2023-6277-1.patch178
-rw-r--r--meta/recipes-multimedia/libtiff/tiff/CVE-2023-6277-2.patch151
-rw-r--r--meta/recipes-multimedia/libtiff/tiff/CVE-2023-6277-3.patch46
-rw-r--r--meta/recipes-multimedia/libtiff/tiff/CVE-2023-6277-4.patch93
-rw-r--r--meta/recipes-multimedia/libtiff/tiff_4.3.0.bb5
6 files changed, 527 insertions, 0 deletions
diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2023-52356.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2023-52356.patch
new file mode 100644
index 0000000000..4eb7d79c8f
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2023-52356.patch
@@ -0,0 +1,54 @@
1CVE: CVE-2023-52356
2Upstream-Status: Backport [upstream : https://gitlab.com/libtiff/libtiff/-/commit/51558511bdbbcffdce534db21dbaf5d54b31638a
3ubuntu : http://archive.ubuntu.com/ubuntu/pool/main/t/tiff/tiff_4.3.0-6ubuntu0.8.debian.tar.xz ]
4Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
5
6[Ubuntu note: Backport of the following patch from upstream, with a few changes
7to match the current version of the file in the present Ubuntu release:
8 . using TIFFErrorExt instead of TIFFErrorExtR (the latter did not exist yet);
9-- Rodrigo Figueiredo Zaiden]
10
11Backport of:
12
13From 51558511bdbbcffdce534db21dbaf5d54b31638a Mon Sep 17 00:00:00 2001
14From: Even Rouault <even.rouault@spatialys.com>
15Date: Tue, 31 Oct 2023 15:58:41 +0100
16Subject: [PATCH] TIFFReadRGBAStrip/TIFFReadRGBATile: add more validation of
17 col/row (fixes #622)
18
19---
20 libtiff/tif_getimage.c | 15 +++++++++++++++
21 1 file changed, 15 insertions(+)
22
23
24--- tiff-4.3.0.orig/libtiff/tif_getimage.c
25+++ tiff-4.3.0/libtiff/tif_getimage.c
26@@ -2942,6 +2942,13 @@ TIFFReadRGBAStripExt(TIFF* tif, uint32_t
27 }
28
29 if (TIFFRGBAImageOK(tif, emsg) && TIFFRGBAImageBegin(&img, tif, stop_on_error, emsg)) {
30+ if (row >= img.height)
31+ {
32+ TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif),
33+ "Invalid row passed to TIFFReadRGBAStrip().");
34+ TIFFRGBAImageEnd(&img);
35+ return (0);
36+ }
37
38 img.row_offset = row;
39 img.col_offset = 0;
40@@ -3018,6 +3025,14 @@ TIFFReadRGBATileExt(TIFF* tif, uint32_t
41 return( 0 );
42 }
43
44+ if (col >= img.width || row >= img.height)
45+ {
46+ TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif),
47+ "Invalid row/col passed to TIFFReadRGBATile().");
48+ TIFFRGBAImageEnd(&img);
49+ return (0);
50+ }
51+
52 /*
53 * The TIFFRGBAImageGet() function doesn't allow us to get off the
54 * edge of the image, even to fill an otherwise valid tile. So we
diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2023-6277-1.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2023-6277-1.patch
new file mode 100644
index 0000000000..453df897ac
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2023-6277-1.patch
@@ -0,0 +1,178 @@
1CVE: CVE-2023-6277
2Upstream-Status: Backport [upstream : https://gitlab.com/libtiff/libtiff/-/commit/5320c9d89c054fa805d037d84c57da874470b01a
3ubuntu : http://archive.ubuntu.com/ubuntu/pool/main/t/tiff/tiff_4.3.0-6ubuntu0.8.debian.tar.xz ]
4Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
5
6[Ubuntu note: Backport of the following patch from upstream, with a few changes
7to match the current version of the file in the present Ubuntu release:
8 . using TIFFWarningExt instead of TIFFWarningExtR (the latter did not exist yet);
9 . calling _TIFFfree(data) instead of _TIFFfreeExt(tif, data) (the latter did not exist yet);
10-- Rodrigo Figueiredo Zaiden]
11
12Backport of:
13
14From 5320c9d89c054fa805d037d84c57da874470b01a Mon Sep 17 00:00:00 2001
15From: Su Laus <sulau@freenet.de>
16Date: Tue, 31 Oct 2023 15:43:29 +0000
17Subject: [PATCH] Prevent some out-of-memory attacks
18
19Some small fuzzer files fake large amounts of data and provoke out-of-memory situations. For non-compressed data content / tags, out-of-memory can be prevented by comparing with the file size.
20
21At image reading, data size of some tags / data structures (StripByteCounts, StripOffsets, StripArray, TIFF directory) is compared with file size to prevent provoked out-of-memory attacks.
22
23See issue https://gitlab.com/libtiff/libtiff/-/issues/614#note_1602683857
24---
25 libtiff/tif_dirread.c | 92 ++++++++++++++++++++++++++++++++++++++++++-
26 1 file changed, 90 insertions(+), 2 deletions(-)
27
28--- tiff-4.3.0.orig/libtiff/tif_dirread.c
29+++ tiff-4.3.0/libtiff/tif_dirread.c
30@@ -866,6 +866,21 @@ static enum TIFFReadDirEntryErr TIFFRead
31 datasize=(*count)*typesize;
32 assert((tmsize_t)datasize>0);
33
34+ /* Before allocating a huge amount of memory for corrupted files, check if
35+ * size of requested memory is not greater than file size.
36+ */
37+ uint64_t filesize = TIFFGetFileSize(tif);
38+ if (datasize > filesize)
39+ {
40+ TIFFWarningExt(tif->tif_clientdata, "ReadDirEntryArray",
41+ "Requested memory size for tag %d (0x%x) %" PRIu32
42+ " is greather than filesize %" PRIu64
43+ ". Memory not allocated, tag not read",
44+ direntry->tdir_tag, direntry->tdir_tag, datasize,
45+ filesize);
46+ return (TIFFReadDirEntryErrAlloc);
47+ }
48+
49 if( isMapped(tif) && datasize > (uint64_t)tif->tif_size )
50 return TIFFReadDirEntryErrIo;
51
52@@ -4593,6 +4608,20 @@ EstimateStripByteCounts(TIFF* tif, TIFFD
53 if( !_TIFFFillStrilesInternal( tif, 0 ) )
54 return -1;
55
56+ /* Before allocating a huge amount of memory for corrupted files, check if
57+ * size of requested memory is not greater than file size. */
58+ uint64_t filesize = TIFFGetFileSize(tif);
59+ uint64_t allocsize = (uint64_t)td->td_nstrips * sizeof(uint64_t);
60+ if (allocsize > filesize)
61+ {
62+ TIFFWarningExt(tif->tif_clientdata, module,
63+ "Requested memory size for StripByteCounts of %" PRIu64
64+ " is greather than filesize %" PRIu64
65+ ". Memory not allocated",
66+ allocsize, filesize);
67+ return -1;
68+ }
69+
70 if (td->td_stripbytecount_p)
71 _TIFFfree(td->td_stripbytecount_p);
72 td->td_stripbytecount_p = (uint64_t*)
73@@ -4603,9 +4632,7 @@ EstimateStripByteCounts(TIFF* tif, TIFFD
74
75 if (td->td_compression != COMPRESSION_NONE) {
76 uint64_t space;
77- uint64_t filesize;
78 uint16_t n;
79- filesize = TIFFGetFileSize(tif);
80 if (!(tif->tif_flags&TIFF_BIGTIFF))
81 space=sizeof(TIFFHeaderClassic)+2+dircount*12+4;
82 else
83@@ -4913,6 +4940,20 @@ TIFFFetchDirectory(TIFF* tif, uint64_t d
84 dircount16 = (uint16_t)dircount64;
85 dirsize = 20;
86 }
87+ /* Before allocating a huge amount of memory for corrupted files, check
88+ * if size of requested memory is not greater than file size. */
89+ uint64_t filesize = TIFFGetFileSize(tif);
90+ uint64_t allocsize = (uint64_t)dircount16 * dirsize;
91+ if (allocsize > filesize)
92+ {
93+ TIFFWarningExt(
94+ tif->tif_clientdata, module,
95+ "Requested memory size for TIFF directory of %" PRIu64
96+ " is greather than filesize %" PRIu64
97+ ". Memory not allocated, TIFF directory not read",
98+ allocsize, filesize);
99+ return 0;
100+ }
101 origdir = _TIFFCheckMalloc(tif, dircount16,
102 dirsize, "to read TIFF directory");
103 if (origdir == NULL)
104@@ -5016,6 +5057,20 @@ TIFFFetchDirectory(TIFF* tif, uint64_t d
105 "Sanity check on directory count failed, zero tag directories not supported");
106 return 0;
107 }
108+ /* Before allocating a huge amount of memory for corrupted files, check
109+ * if size of requested memory is not greater than file size. */
110+ uint64_t filesize = TIFFGetFileSize(tif);
111+ uint64_t allocsize = (uint64_t)dircount16 * dirsize;
112+ if (allocsize > filesize)
113+ {
114+ TIFFWarningExt(
115+ tif->tif_clientdata, module,
116+ "Requested memory size for TIFF directory of %" PRIu64
117+ " is greather than filesize %" PRIu64
118+ ". Memory not allocated, TIFF directory not read",
119+ allocsize, filesize);
120+ return 0;
121+ }
122 origdir = _TIFFCheckMalloc(tif, dircount16,
123 dirsize,
124 "to read TIFF directory");
125@@ -5059,6 +5114,8 @@ TIFFFetchDirectory(TIFF* tif, uint64_t d
126 }
127 }
128 }
129+ /* No check against filesize needed here because "dir" should have same size
130+ * than "origdir" checked above. */
131 dir = (TIFFDirEntry*)_TIFFCheckMalloc(tif, dircount16,
132 sizeof(TIFFDirEntry),
133 "to read TIFF directory");
134@@ -5853,6 +5910,20 @@ TIFFFetchStripThing(TIFF* tif, TIFFDirEn
135 return(0);
136 }
137
138+ /* Before allocating a huge amount of memory for corrupted files, check
139+ * if size of requested memory is not greater than file size. */
140+ uint64_t filesize = TIFFGetFileSize(tif);
141+ uint64_t allocsize = (uint64_t)nstrips * sizeof(uint64_t);
142+ if (allocsize > filesize)
143+ {
144+ TIFFWarningExt(tif->tif_clientdata, module,
145+ "Requested memory size for StripArray of %" PRIu64
146+ " is greather than filesize %" PRIu64
147+ ". Memory not allocated",
148+ allocsize, filesize);
149+ _TIFFfree(data);
150+ return (0);
151+ }
152 resizeddata=(uint64_t*)_TIFFCheckMalloc(tif, nstrips, sizeof(uint64_t), "for strip array");
153 if (resizeddata==0) {
154 _TIFFfree(data);
155@@ -5948,6 +6019,23 @@ static void allocChoppedUpStripArrays(TI
156 }
157 bytecount = last_offset + last_bytecount - offset;
158
159+ /* Before allocating a huge amount of memory for corrupted files, check if
160+ * size of StripByteCount and StripOffset tags is not greater than
161+ * file size.
162+ */
163+ uint64_t allocsize = (uint64_t)nstrips * sizeof(uint64_t) * 2;
164+ uint64_t filesize = TIFFGetFileSize(tif);
165+ if (allocsize > filesize)
166+ {
167+ TIFFWarningExt(tif->tif_clientdata, "allocChoppedUpStripArrays",
168+ "Requested memory size for StripByteCount and "
169+ "StripOffsets %" PRIu64
170+ " is greather than filesize %" PRIu64
171+ ". Memory not allocated",
172+ allocsize, filesize);
173+ return;
174+ }
175+
176 newcounts = (uint64_t*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64_t),
177 "for chopped \"StripByteCounts\" array");
178 newoffsets = (uint64_t*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64_t),
diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2023-6277-2.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2023-6277-2.patch
new file mode 100644
index 0000000000..ad39c1c4dd
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2023-6277-2.patch
@@ -0,0 +1,151 @@
1CVE: CVE-2023-6277
2Upstream-Status: Backport [upstream : https://gitlab.com/libtiff/libtiff/-/commit/0b025324711213a75e38b52f7e7ba60235f108aa
3ubuntu : http://archive.ubuntu.com/ubuntu/pool/main/t/tiff/tiff_4.3.0-6ubuntu0.8.debian.tar.xz ]
4Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
5
6[Ubuntu note: Backport of the following patch from upstream, with a few changes
7to match the current version of the file in the present Ubuntu release:
8 . using TIFFWarningExt instead of TIFFWarningExtR (the latter did not exist yet);
9-- Rodrigo Figueiredo Zaiden]
10
11Backport of:
12
13From 0b025324711213a75e38b52f7e7ba60235f108aa Mon Sep 17 00:00:00 2001
14From: Even Rouault <even.rouault@spatialys.com>
15Date: Tue, 31 Oct 2023 19:47:22 +0100
16Subject: [PATCH] tif_dirread.c: only issue TIFFGetFileSize() for large enough
17 RAM requests
18
19Ammends 5320c9d89c054fa805d037d84c57da874470b01a
20
21This fixes a performance regression caught by the GDAL regression test
22suite.
23---
24 libtiff/tif_dirread.c | 83 +++++++++++++++++++++++++------------------
25 1 file changed, 48 insertions(+), 35 deletions(-)
26
27--- tiff-4.3.0.orig/libtiff/tif_dirread.c
28+++ tiff-4.3.0/libtiff/tif_dirread.c
29@@ -866,19 +866,22 @@ static enum TIFFReadDirEntryErr TIFFRead
30 datasize=(*count)*typesize;
31 assert((tmsize_t)datasize>0);
32
33- /* Before allocating a huge amount of memory for corrupted files, check if
34- * size of requested memory is not greater than file size.
35- */
36- uint64_t filesize = TIFFGetFileSize(tif);
37- if (datasize > filesize)
38+ if (datasize > 100 * 1024 * 1024)
39 {
40- TIFFWarningExt(tif->tif_clientdata, "ReadDirEntryArray",
41- "Requested memory size for tag %d (0x%x) %" PRIu32
42- " is greather than filesize %" PRIu64
43- ". Memory not allocated, tag not read",
44- direntry->tdir_tag, direntry->tdir_tag, datasize,
45- filesize);
46- return (TIFFReadDirEntryErrAlloc);
47+ /* Before allocating a huge amount of memory for corrupted files, check
48+ * if size of requested memory is not greater than file size.
49+ */
50+ const uint64_t filesize = TIFFGetFileSize(tif);
51+ if (datasize > filesize)
52+ {
53+ TIFFWarningExt(tif->tif_clientdata, "ReadDirEntryArray",
54+ "Requested memory size for tag %d (0x%x) %" PRIu32
55+ " is greater than filesize %" PRIu64
56+ ". Memory not allocated, tag not read",
57+ direntry->tdir_tag, direntry->tdir_tag, datasize,
58+ filesize);
59+ return (TIFFReadDirEntryErrAlloc);
60+ }
61 }
62
63 if( isMapped(tif) && datasize > (uint64_t)tif->tif_size )
64@@ -4608,18 +4611,22 @@ EstimateStripByteCounts(TIFF* tif, TIFFD
65 if( !_TIFFFillStrilesInternal( tif, 0 ) )
66 return -1;
67
68- /* Before allocating a huge amount of memory for corrupted files, check if
69- * size of requested memory is not greater than file size. */
70- uint64_t filesize = TIFFGetFileSize(tif);
71- uint64_t allocsize = (uint64_t)td->td_nstrips * sizeof(uint64_t);
72- if (allocsize > filesize)
73+ const uint64_t allocsize = (uint64_t)td->td_nstrips * sizeof(uint64_t);
74+ uint64_t filesize = 0;
75+ if (allocsize > 100 * 1024 * 1024)
76 {
77- TIFFWarningExt(tif->tif_clientdata, module,
78- "Requested memory size for StripByteCounts of %" PRIu64
79- " is greather than filesize %" PRIu64
80- ". Memory not allocated",
81- allocsize, filesize);
82- return -1;
83+ /* Before allocating a huge amount of memory for corrupted files, check
84+ * if size of requested memory is not greater than file size. */
85+ filesize = TIFFGetFileSize(tif);
86+ if (allocsize > filesize)
87+ {
88+ TIFFWarningExt(
89+ tif->tif_clientdata, module,
90+ "Requested memory size for StripByteCounts of %" PRIu64
91+ " is greater than filesize %" PRIu64 ". Memory not allocated",
92+ allocsize, filesize);
93+ return -1;
94+ }
95 }
96
97 if (td->td_stripbytecount_p)
98@@ -4666,11 +4673,13 @@ EstimateStripByteCounts(TIFF* tif, TIFFD
99 return -1;
100 space+=datasize;
101 }
102+ if (filesize == 0)
103+ filesize = TIFFGetFileSize(tif);
104 if( filesize < space )
105- /* we should perhaps return in error ? */
106- space = filesize;
107- else
108- space = filesize - space;
109+ /* we should perhaps return in error ? */
110+ space = filesize;
111+ else
112+ space = filesize - space;
113 if (td->td_planarconfig == PLANARCONFIG_SEPARATE)
114 space /= td->td_samplesperpixel;
115 for (strip = 0; strip < td->td_nstrips; strip++)
116@@ -4940,19 +4949,23 @@ TIFFFetchDirectory(TIFF* tif, uint64_t d
117 dircount16 = (uint16_t)dircount64;
118 dirsize = 20;
119 }
120- /* Before allocating a huge amount of memory for corrupted files, check
121- * if size of requested memory is not greater than file size. */
122- uint64_t filesize = TIFFGetFileSize(tif);
123- uint64_t allocsize = (uint64_t)dircount16 * dirsize;
124- if (allocsize > filesize)
125+ const uint64_t allocsize = (uint64_t)dircount16 * dirsize;
126+ if (allocsize > 100 * 1024 * 1024)
127 {
128- TIFFWarningExt(
129- tif->tif_clientdata, module,
130- "Requested memory size for TIFF directory of %" PRIu64
131- " is greather than filesize %" PRIu64
132- ". Memory not allocated, TIFF directory not read",
133- allocsize, filesize);
134- return 0;
135+ /* Before allocating a huge amount of memory for corrupted files,
136+ * check if size of requested memory is not greater than file size.
137+ */
138+ const uint64_t filesize = TIFFGetFileSize(tif);
139+ if (allocsize > filesize)
140+ {
141+ TIFFWarningExt(
142+ tif->tif_clientdata, module,
143+ "Requested memory size for TIFF directory of %" PRIu64
144+ " is greater than filesize %" PRIu64
145+ ". Memory not allocated, TIFF directory not read",
146+ allocsize, filesize);
147+ return 0;
148+ }
149 }
150 origdir = _TIFFCheckMalloc(tif, dircount16,
151 dirsize, "to read TIFF directory");
diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2023-6277-3.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2023-6277-3.patch
new file mode 100644
index 0000000000..71eba2f34e
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2023-6277-3.patch
@@ -0,0 +1,46 @@
1CVE: CVE-2023-6277
2Upstream-Status: Backport [upstream : https://gitlab.com/libtiff/libtiff/-/commit/de7bfd7d4377c266f81849579f696fa1ad5ba6c3
3ubuntu : http://archive.ubuntu.com/ubuntu/pool/main/t/tiff/tiff_4.3.0-6ubuntu0.8.debian.tar.xz ]
4Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
5
6Backport of:
7
8From de7bfd7d4377c266f81849579f696fa1ad5ba6c3 Mon Sep 17 00:00:00 2001
9From: Even Rouault <even.rouault@spatialys.com>
10Date: Tue, 31 Oct 2023 20:13:45 +0100
11Subject: [PATCH] TIFFFetchDirectory(): remove useless allocsize vs filesize
12 check
13
14CoverityScan rightly points that the max value for dircount16 * dirsize
15is 4096 * 20. That's small enough not to do any check
16---
17 libtiff/tif_dirread.c | 18 ------------------
18 1 file changed, 18 deletions(-)
19
20--- tiff-4.3.0.orig/libtiff/tif_dirread.c
21+++ tiff-4.3.0/libtiff/tif_dirread.c
22@@ -4949,24 +4949,6 @@ TIFFFetchDirectory(TIFF* tif, uint64_t d
23 dircount16 = (uint16_t)dircount64;
24 dirsize = 20;
25 }
26- const uint64_t allocsize = (uint64_t)dircount16 * dirsize;
27- if (allocsize > 100 * 1024 * 1024)
28- {
29- /* Before allocating a huge amount of memory for corrupted files,
30- * check if size of requested memory is not greater than file size.
31- */
32- const uint64_t filesize = TIFFGetFileSize(tif);
33- if (allocsize > filesize)
34- {
35- TIFFWarningExt(
36- tif->tif_clientdata, module,
37- "Requested memory size for TIFF directory of %" PRIu64
38- " is greater than filesize %" PRIu64
39- ". Memory not allocated, TIFF directory not read",
40- allocsize, filesize);
41- return 0;
42- }
43- }
44 origdir = _TIFFCheckMalloc(tif, dircount16,
45 dirsize, "to read TIFF directory");
46 if (origdir == NULL)
diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2023-6277-4.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2023-6277-4.patch
new file mode 100644
index 0000000000..61f48726e4
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2023-6277-4.patch
@@ -0,0 +1,93 @@
1CVE: CVE-2023-6277
2Upstream-Status: Backport [upstream : https://gitlab.com/libtiff/libtiff/-/commit/dbb825a8312f30e63a06c272010967d51af5c35a
3ubuntu : http://archive.ubuntu.com/ubuntu/pool/main/t/tiff/tiff_4.3.0-6ubuntu0.8.debian.tar.xz ]
4Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
5
6[Ubuntu note: Backport of the following patch from upstream, with a few changes
7to match the current version of the file in the present Ubuntu release:
8 . using TIFFWarningExt instead of TIFFWarningExtR (the latter did not exist yet);
9 . calling _TIFFfree(data) instead of _TIFFfreeExt(tif, data) (the latter did not exist yet);
10-- Rodrigo Figueiredo Zaiden]
11
12Backport of:
13
14From dbb825a8312f30e63a06c272010967d51af5c35a Mon Sep 17 00:00:00 2001
15From: Even Rouault <even.rouault@spatialys.com>
16Date: Tue, 31 Oct 2023 21:30:58 +0100
17Subject: [PATCH] tif_dirread.c: only issue TIFFGetFileSize() for large enough
18 RAM requests
19
20---
21 libtiff/tif_dirread.c | 54 +++++++++++++++++++++++++------------------
22 1 file changed, 31 insertions(+), 23 deletions(-)
23
24--- tiff-4.3.0.orig/libtiff/tif_dirread.c
25+++ tiff-4.3.0/libtiff/tif_dirread.c
26@@ -5905,19 +5905,24 @@ TIFFFetchStripThing(TIFF* tif, TIFFDirEn
27 return(0);
28 }
29
30- /* Before allocating a huge amount of memory for corrupted files, check
31- * if size of requested memory is not greater than file size. */
32- uint64_t filesize = TIFFGetFileSize(tif);
33- uint64_t allocsize = (uint64_t)nstrips * sizeof(uint64_t);
34- if (allocsize > filesize)
35+ const uint64_t allocsize = (uint64_t)nstrips * sizeof(uint64_t);
36+ if (allocsize > 100 * 1024 * 1024)
37 {
38- TIFFWarningExt(tif->tif_clientdata, module,
39- "Requested memory size for StripArray of %" PRIu64
40- " is greather than filesize %" PRIu64
41- ". Memory not allocated",
42- allocsize, filesize);
43- _TIFFfree(data);
44- return (0);
45+ /* Before allocating a huge amount of memory for corrupted files,
46+ * check if size of requested memory is not greater than file size.
47+ */
48+ const uint64_t filesize = TIFFGetFileSize(tif);
49+ if (allocsize > filesize)
50+ {
51+ TIFFWarningExt(
52+ tif->tif_clientdata, module,
53+ "Requested memory size for StripArray of %" PRIu64
54+ " is greater than filesize %" PRIu64
55+ ". Memory not allocated",
56+ allocsize, filesize);
57+ _TIFFfree(data);
58+ return (0);
59+ }
60 }
61 resizeddata=(uint64_t*)_TIFFCheckMalloc(tif, nstrips, sizeof(uint64_t), "for strip array");
62 if (resizeddata==0) {
63@@ -6018,17 +6023,20 @@ static void allocChoppedUpStripArrays(TI
64 * size of StripByteCount and StripOffset tags is not greater than
65 * file size.
66 */
67- uint64_t allocsize = (uint64_t)nstrips * sizeof(uint64_t) * 2;
68- uint64_t filesize = TIFFGetFileSize(tif);
69- if (allocsize > filesize)
70+ const uint64_t allocsize = (uint64_t)nstrips * sizeof(uint64_t) * 2;
71+ if (allocsize > 100 * 1024 * 1024)
72 {
73- TIFFWarningExt(tif->tif_clientdata, "allocChoppedUpStripArrays",
74- "Requested memory size for StripByteCount and "
75- "StripOffsets %" PRIu64
76- " is greather than filesize %" PRIu64
77- ". Memory not allocated",
78- allocsize, filesize);
79- return;
80+ const uint64_t filesize = TIFFGetFileSize(tif);
81+ if (allocsize > filesize)
82+ {
83+ TIFFWarningExt(tif->tif_clientdata, "allocChoppedUpStripArrays",
84+ "Requested memory size for StripByteCount and "
85+ "StripOffsets %" PRIu64
86+ " is greater than filesize %" PRIu64
87+ ". Memory not allocated",
88+ allocsize, filesize);
89+ return;
90+ }
91 }
92
93 newcounts = (uint64_t*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64_t),
diff --git a/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb b/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb
index d284100ab2..b4af179e76 100644
--- a/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb
+++ b/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb
@@ -48,6 +48,11 @@ SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
48 file://CVE-2023-40745.patch \ 48 file://CVE-2023-40745.patch \
49 file://CVE-2023-41175.patch \ 49 file://CVE-2023-41175.patch \
50 file://CVE-2023-6228.patch \ 50 file://CVE-2023-6228.patch \
51 file://CVE-2023-52356.patch \
52 file://CVE-2023-6277-1.patch \
53 file://CVE-2023-6277-2.patch \
54 file://CVE-2023-6277-3.patch \
55 file://CVE-2023-6277-4.patch \
51 " 56 "
52 57
53SRC_URI[sha256sum] = "0e46e5acb087ce7d1ac53cf4f56a09b221537fc86dfc5daaad1c2e89e1b37ac8" 58SRC_URI[sha256sum] = "0e46e5acb087ce7d1ac53cf4f56a09b221537fc86dfc5daaad1c2e89e1b37ac8"
generated by cgit v1.2.3-54-g00ecf (git 2.39.0) at 2024-05-08 21:32:28 +0000