diff options
author | Ross Burton <ross.burton@arm.com> | 2022-11-28 20:01:52 +0100 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2022-12-07 15:02:45 +0000 |
commit | 0f37d51b2c11b35a7679818c05e039d55e7cd315 (patch) | |
tree | 3f258b250cc9e4dfbe506c73c953926619202ceb | |
parent | 809591e49c51a3a362707c88d25ff0ae87cbaa00 (diff) | |
download | poky-0f37d51b2c11b35a7679818c05e039d55e7cd315.tar.gz |
tiff: fix a number of CVEs
Backport fixes from upstream for the following CVEs:
- CVE-2022-3599
- CVE-2022-3597
- CVE-2022-3626
- CVE-2022-3627
- CVE-2022-3570
- CVE-2022-3598
(From OE-Core rev: ad0780059a105b74313eb6a357360f5ad32333a4)
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
5 files changed, 1005 insertions, 1 deletions
diff --git a/meta/recipes-multimedia/libtiff/tiff/0001-Revised-handling-of-TIFFTAG_INKNAMES-and-related-TIF.patch b/meta/recipes-multimedia/libtiff/tiff/0001-Revised-handling-of-TIFFTAG_INKNAMES-and-related-TIF.patch new file mode 100644 index 0000000000..37859c9192 --- /dev/null +++ b/meta/recipes-multimedia/libtiff/tiff/0001-Revised-handling-of-TIFFTAG_INKNAMES-and-related-TIF.patch | |||
@@ -0,0 +1,266 @@ | |||
1 | From f00484b9519df933723deb38fff943dc291a793d Mon Sep 17 00:00:00 2001 | ||
2 | From: Su_Laus <sulau@freenet.de> | ||
3 | Date: Tue, 30 Aug 2022 16:56:48 +0200 | ||
4 | Subject: [PATCH] Revised handling of TIFFTAG_INKNAMES and related | ||
5 | TIFFTAG_NUMBEROFINKS value | ||
6 | |||
7 | In order to solve the buffer overflow issues related to TIFFTAG_INKNAMES and related TIFFTAG_NUMBEROFINKS value, a revised handling of those tags within LibTiff is proposed: | ||
8 | |||
9 | Behaviour for writing: | ||
10 | `NumberOfInks` MUST fit to the number of inks in the `InkNames` string. | ||
11 | `NumberOfInks` is automatically set when `InkNames` is set. | ||
12 | If `NumberOfInks` is different to the number of inks within `InkNames` string, that will be corrected and a warning is issued. | ||
13 | If `NumberOfInks` is not equal to samplesperpixel only a warning will be issued. | ||
14 | |||
15 | Behaviour for reading: | ||
16 | When reading `InkNames` from a TIFF file, the `NumberOfInks` will be set automatically to the number of inks in `InkNames` string. | ||
17 | If `NumberOfInks` is different to the number of inks within `InkNames` string, that will be corrected and a warning is issued. | ||
18 | If `NumberOfInks` is not equal to samplesperpixel only a warning will be issued. | ||
19 | |||
20 | This allows the safe use of the NumberOfInks value to read out the InkNames without buffer overflow | ||
21 | |||
22 | This MR will close the following issues: #149, #150, #152, #168 (to be checked), #250, #269, #398 and #456. | ||
23 | |||
24 | It also fixes the old bug at http://bugzilla.maptools.org/show_bug.cgi?id=2599, for which the limitation of `NumberOfInks = SPP` was introduced, which is in my opinion not necessary and does not solve the general issue. | ||
25 | |||
26 | CVE: CVE-2022-3599 | ||
27 | Upstream-Status: Backport | ||
28 | Signed-off-by: Ross Burton <ross.burton@arm.com> | ||
29 | --- | ||
30 | libtiff/tif_dir.c | 119 ++++++++++++++++++++++++----------------- | ||
31 | libtiff/tif_dir.h | 2 + | ||
32 | libtiff/tif_dirinfo.c | 2 +- | ||
33 | libtiff/tif_dirwrite.c | 5 ++ | ||
34 | libtiff/tif_print.c | 4 ++ | ||
35 | 5 files changed, 82 insertions(+), 50 deletions(-) | ||
36 | |||
37 | diff --git a/libtiff/tif_dir.c b/libtiff/tif_dir.c | ||
38 | index 793e8a79..816f7756 100644 | ||
39 | --- a/libtiff/tif_dir.c | ||
40 | +++ b/libtiff/tif_dir.c | ||
41 | @@ -136,32 +136,30 @@ setExtraSamples(TIFF* tif, va_list ap, uint32_t* v) | ||
42 | } | ||
43 | |||
44 | /* | ||
45 | - * Confirm we have "samplesperpixel" ink names separated by \0. Returns | ||
46 | + * Count ink names separated by \0. Returns | ||
47 | * zero if the ink names are not as expected. | ||
48 | */ | ||
49 | -static uint32_t | ||
50 | -checkInkNamesString(TIFF* tif, uint32_t slen, const char* s) | ||
51 | +static uint16_t | ||
52 | +countInkNamesString(TIFF *tif, uint32_t slen, const char *s) | ||
53 | { | ||
54 | - TIFFDirectory* td = &tif->tif_dir; | ||
55 | - uint16_t i = td->td_samplesperpixel; | ||
56 | + uint16_t i = 0; | ||
57 | + const char *ep = s + slen; | ||
58 | + const char *cp = s; | ||
59 | |||
60 | if (slen > 0) { | ||
61 | - const char* ep = s+slen; | ||
62 | - const char* cp = s; | ||
63 | - for (; i > 0; i--) { | ||
64 | + do { | ||
65 | for (; cp < ep && *cp != '\0'; cp++) {} | ||
66 | if (cp >= ep) | ||
67 | goto bad; | ||
68 | cp++; /* skip \0 */ | ||
69 | - } | ||
70 | - return ((uint32_t)(cp - s)); | ||
71 | + i++; | ||
72 | + } while (cp < ep); | ||
73 | + return (i); | ||
74 | } | ||
75 | bad: | ||
76 | TIFFErrorExt(tif->tif_clientdata, "TIFFSetField", | ||
77 | - "%s: Invalid InkNames value; expecting %"PRIu16" names, found %"PRIu16, | ||
78 | - tif->tif_name, | ||
79 | - td->td_samplesperpixel, | ||
80 | - (uint16_t)(td->td_samplesperpixel-i)); | ||
81 | + "%s: Invalid InkNames value; no NUL at given buffer end location %"PRIu32", after %"PRIu16" ink", | ||
82 | + tif->tif_name, slen, i); | ||
83 | return (0); | ||
84 | } | ||
85 | |||
86 | @@ -478,13 +476,61 @@ _TIFFVSetField(TIFF* tif, uint32_t tag, va_list ap) | ||
87 | _TIFFsetFloatArray(&td->td_refblackwhite, va_arg(ap, float*), 6); | ||
88 | break; | ||
89 | case TIFFTAG_INKNAMES: | ||
90 | - v = (uint16_t) va_arg(ap, uint16_vap); | ||
91 | - s = va_arg(ap, char*); | ||
92 | - v = checkInkNamesString(tif, v, s); | ||
93 | - status = v > 0; | ||
94 | - if( v > 0 ) { | ||
95 | - _TIFFsetNString(&td->td_inknames, s, v); | ||
96 | - td->td_inknameslen = v; | ||
97 | + { | ||
98 | + v = (uint16_t) va_arg(ap, uint16_vap); | ||
99 | + s = va_arg(ap, char*); | ||
100 | + uint16_t ninksinstring; | ||
101 | + ninksinstring = countInkNamesString(tif, v, s); | ||
102 | + status = ninksinstring > 0; | ||
103 | + if(ninksinstring > 0 ) { | ||
104 | + _TIFFsetNString(&td->td_inknames, s, v); | ||
105 | + td->td_inknameslen = v; | ||
106 | + /* Set NumberOfInks to the value ninksinstring */ | ||
107 | + if (TIFFFieldSet(tif, FIELD_NUMBEROFINKS)) | ||
108 | + { | ||
109 | + if (td->td_numberofinks != ninksinstring) { | ||
110 | + TIFFErrorExt(tif->tif_clientdata, module, | ||
111 | + "Warning %s; Tag %s:\n Value %"PRIu16" of NumberOfInks is different from the number of inks %"PRIu16".\n -> NumberOfInks value adapted to %"PRIu16"", | ||
112 | + tif->tif_name, fip->field_name, td->td_numberofinks, ninksinstring, ninksinstring); | ||
113 | + td->td_numberofinks = ninksinstring; | ||
114 | + } | ||
115 | + } else { | ||
116 | + td->td_numberofinks = ninksinstring; | ||
117 | + TIFFSetFieldBit(tif, FIELD_NUMBEROFINKS); | ||
118 | + } | ||
119 | + if (TIFFFieldSet(tif, FIELD_SAMPLESPERPIXEL)) | ||
120 | + { | ||
121 | + if (td->td_numberofinks != td->td_samplesperpixel) { | ||
122 | + TIFFErrorExt(tif->tif_clientdata, module, | ||
123 | + "Warning %s; Tag %s:\n Value %"PRIu16" of NumberOfInks is different from the SamplesPerPixel value %"PRIu16"", | ||
124 | + tif->tif_name, fip->field_name, td->td_numberofinks, td->td_samplesperpixel); | ||
125 | + } | ||
126 | + } | ||
127 | + } | ||
128 | + } | ||
129 | + break; | ||
130 | + case TIFFTAG_NUMBEROFINKS: | ||
131 | + v = (uint16_t)va_arg(ap, uint16_vap); | ||
132 | + /* If InkNames already set also NumberOfInks is set accordingly and should be equal */ | ||
133 | + if (TIFFFieldSet(tif, FIELD_INKNAMES)) | ||
134 | + { | ||
135 | + if (v != td->td_numberofinks) { | ||
136 | + TIFFErrorExt(tif->tif_clientdata, module, | ||
137 | + "Error %s; Tag %s:\n It is not possible to set the value %"PRIu32" for NumberOfInks\n which is different from the number of inks in the InkNames tag (%"PRIu16")", | ||
138 | + tif->tif_name, fip->field_name, v, td->td_numberofinks); | ||
139 | + /* Do not set / overwrite number of inks already set by InkNames case accordingly. */ | ||
140 | + status = 0; | ||
141 | + } | ||
142 | + } else { | ||
143 | + td->td_numberofinks = (uint16_t)v; | ||
144 | + if (TIFFFieldSet(tif, FIELD_SAMPLESPERPIXEL)) | ||
145 | + { | ||
146 | + if (td->td_numberofinks != td->td_samplesperpixel) { | ||
147 | + TIFFErrorExt(tif->tif_clientdata, module, | ||
148 | + "Warning %s; Tag %s:\n Value %"PRIu32" of NumberOfInks is different from the SamplesPerPixel value %"PRIu16"", | ||
149 | + tif->tif_name, fip->field_name, v, td->td_samplesperpixel); | ||
150 | + } | ||
151 | + } | ||
152 | } | ||
153 | break; | ||
154 | case TIFFTAG_PERSAMPLE: | ||
155 | @@ -986,34 +1032,6 @@ _TIFFVGetField(TIFF* tif, uint32_t tag, va_list ap) | ||
156 | if (fip->field_bit == FIELD_CUSTOM) { | ||
157 | standard_tag = 0; | ||
158 | } | ||
159 | - | ||
160 | - if( standard_tag == TIFFTAG_NUMBEROFINKS ) | ||
161 | - { | ||
162 | - int i; | ||
163 | - for (i = 0; i < td->td_customValueCount; i++) { | ||
164 | - uint16_t val; | ||
165 | - TIFFTagValue *tv = td->td_customValues + i; | ||
166 | - if (tv->info->field_tag != standard_tag) | ||
167 | - continue; | ||
168 | - if( tv->value == NULL ) | ||
169 | - return 0; | ||
170 | - val = *(uint16_t *)tv->value; | ||
171 | - /* Truncate to SamplesPerPixel, since the */ | ||
172 | - /* setting code for INKNAMES assume that there are SamplesPerPixel */ | ||
173 | - /* inknames. */ | ||
174 | - /* Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2599 */ | ||
175 | - if( val > td->td_samplesperpixel ) | ||
176 | - { | ||
177 | - TIFFWarningExt(tif->tif_clientdata,"_TIFFVGetField", | ||
178 | - "Truncating NumberOfInks from %u to %"PRIu16, | ||
179 | - val, td->td_samplesperpixel); | ||
180 | - val = td->td_samplesperpixel; | ||
181 | - } | ||
182 | - *va_arg(ap, uint16_t*) = val; | ||
183 | - return 1; | ||
184 | - } | ||
185 | - return 0; | ||
186 | - } | ||
187 | |||
188 | switch (standard_tag) { | ||
189 | case TIFFTAG_SUBFILETYPE: | ||
190 | @@ -1195,6 +1213,9 @@ _TIFFVGetField(TIFF* tif, uint32_t tag, va_list ap) | ||
191 | case TIFFTAG_INKNAMES: | ||
192 | *va_arg(ap, const char**) = td->td_inknames; | ||
193 | break; | ||
194 | + case TIFFTAG_NUMBEROFINKS: | ||
195 | + *va_arg(ap, uint16_t *) = td->td_numberofinks; | ||
196 | + break; | ||
197 | default: | ||
198 | { | ||
199 | int i; | ||
200 | diff --git a/libtiff/tif_dir.h b/libtiff/tif_dir.h | ||
201 | index 09065648..0c251c9e 100644 | ||
202 | --- a/libtiff/tif_dir.h | ||
203 | +++ b/libtiff/tif_dir.h | ||
204 | @@ -117,6 +117,7 @@ typedef struct { | ||
205 | /* CMYK parameters */ | ||
206 | int td_inknameslen; | ||
207 | char* td_inknames; | ||
208 | + uint16_t td_numberofinks; /* number of inks in InkNames string */ | ||
209 | |||
210 | int td_customValueCount; | ||
211 | TIFFTagValue *td_customValues; | ||
212 | @@ -174,6 +175,7 @@ typedef struct { | ||
213 | #define FIELD_TRANSFERFUNCTION 44 | ||
214 | #define FIELD_INKNAMES 46 | ||
215 | #define FIELD_SUBIFD 49 | ||
216 | +#define FIELD_NUMBEROFINKS 50 | ||
217 | /* FIELD_CUSTOM (see tiffio.h) 65 */ | ||
218 | /* end of support for well-known tags; codec-private tags follow */ | ||
219 | #define FIELD_CODEC 66 /* base of codec-private tags */ | ||
220 | diff --git a/libtiff/tif_dirinfo.c b/libtiff/tif_dirinfo.c | ||
221 | index 3371cb5c..3b4bcd33 100644 | ||
222 | --- a/libtiff/tif_dirinfo.c | ||
223 | +++ b/libtiff/tif_dirinfo.c | ||
224 | @@ -114,7 +114,7 @@ tiffFields[] = { | ||
225 | { TIFFTAG_SUBIFD, -1, -1, TIFF_IFD8, 0, TIFF_SETGET_C16_IFD8, TIFF_SETGET_UNDEFINED, FIELD_SUBIFD, 1, 1, "SubIFD", (TIFFFieldArray*) &tiffFieldArray }, | ||
226 | { TIFFTAG_INKSET, 1, 1, TIFF_SHORT, 0, TIFF_SETGET_UINT16, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 0, 0, "InkSet", NULL }, | ||
227 | { TIFFTAG_INKNAMES, -1, -1, TIFF_ASCII, 0, TIFF_SETGET_C16_ASCII, TIFF_SETGET_UNDEFINED, FIELD_INKNAMES, 1, 1, "InkNames", NULL }, | ||
228 | - { TIFFTAG_NUMBEROFINKS, 1, 1, TIFF_SHORT, 0, TIFF_SETGET_UINT16, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 1, 0, "NumberOfInks", NULL }, | ||
229 | + { TIFFTAG_NUMBEROFINKS, 1, 1, TIFF_SHORT, 0, TIFF_SETGET_UINT16, TIFF_SETGET_UNDEFINED, FIELD_NUMBEROFINKS, 1, 0, "NumberOfInks", NULL }, | ||
230 | { TIFFTAG_DOTRANGE, 2, 2, TIFF_SHORT, 0, TIFF_SETGET_UINT16_PAIR, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 0, 0, "DotRange", NULL }, | ||
231 | { TIFFTAG_TARGETPRINTER, -1, -1, TIFF_ASCII, 0, TIFF_SETGET_ASCII, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 1, 0, "TargetPrinter", NULL }, | ||
232 | { TIFFTAG_EXTRASAMPLES, -1, -1, TIFF_SHORT, 0, TIFF_SETGET_C16_UINT16, TIFF_SETGET_UNDEFINED, FIELD_EXTRASAMPLES, 0, 1, "ExtraSamples", NULL }, | ||
233 | diff --git a/libtiff/tif_dirwrite.c b/libtiff/tif_dirwrite.c | ||
234 | index 6c86fdca..062e4610 100644 | ||
235 | --- a/libtiff/tif_dirwrite.c | ||
236 | +++ b/libtiff/tif_dirwrite.c | ||
237 | @@ -626,6 +626,11 @@ TIFFWriteDirectorySec(TIFF* tif, int isimage, int imagedone, uint64_t* pdiroff) | ||
238 | if (!TIFFWriteDirectoryTagAscii(tif,&ndir,dir,TIFFTAG_INKNAMES,tif->tif_dir.td_inknameslen,tif->tif_dir.td_inknames)) | ||
239 | goto bad; | ||
240 | } | ||
241 | + if (TIFFFieldSet(tif, FIELD_NUMBEROFINKS)) | ||
242 | + { | ||
243 | + if (!TIFFWriteDirectoryTagShort(tif, &ndir, dir, TIFFTAG_NUMBEROFINKS, tif->tif_dir.td_numberofinks)) | ||
244 | + goto bad; | ||
245 | + } | ||
246 | if (TIFFFieldSet(tif,FIELD_SUBIFD)) | ||
247 | { | ||
248 | if (!TIFFWriteDirectoryTagSubifd(tif,&ndir,dir)) | ||
249 | diff --git a/libtiff/tif_print.c b/libtiff/tif_print.c | ||
250 | index 16ce5780..a91b9e7b 100644 | ||
251 | --- a/libtiff/tif_print.c | ||
252 | +++ b/libtiff/tif_print.c | ||
253 | @@ -397,6 +397,10 @@ TIFFPrintDirectory(TIFF* tif, FILE* fd, long flags) | ||
254 | } | ||
255 | fputs("\n", fd); | ||
256 | } | ||
257 | + if (TIFFFieldSet(tif, FIELD_NUMBEROFINKS)) { | ||
258 | + fprintf(fd, " NumberOfInks: %d\n", | ||
259 | + td->td_numberofinks); | ||
260 | + } | ||
261 | if (TIFFFieldSet(tif,FIELD_THRESHHOLDING)) { | ||
262 | fprintf(fd, " Thresholding: "); | ||
263 | switch (td->td_threshholding) { | ||
264 | -- | ||
265 | 2.34.1 | ||
266 | |||
diff --git a/meta/recipes-multimedia/libtiff/tiff/0001-tiffcrop-S-option-Make-decision-simpler.patch b/meta/recipes-multimedia/libtiff/tiff/0001-tiffcrop-S-option-Make-decision-simpler.patch new file mode 100644 index 0000000000..79b4ff3f6e --- /dev/null +++ b/meta/recipes-multimedia/libtiff/tiff/0001-tiffcrop-S-option-Make-decision-simpler.patch | |||
@@ -0,0 +1,36 @@ | |||
1 | From bad48e90b410df32172006c7876da449ba62cdba Mon Sep 17 00:00:00 2001 | ||
2 | From: Su_Laus <sulau@freenet.de> | ||
3 | Date: Sat, 20 Aug 2022 23:35:26 +0200 | ||
4 | Subject: [PATCH] tiffcrop -S option: Make decision simpler. | ||
5 | |||
6 | Upstream-Status: Backport | ||
7 | Signed-off-by: Ross Burton <ross.burton@arm.com> | ||
8 | |||
9 | --- | ||
10 | tools/tiffcrop.c | 10 +++++----- | ||
11 | 1 file changed, 5 insertions(+), 5 deletions(-) | ||
12 | |||
13 | diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c | ||
14 | index c3b758ec..8fd856dc 100644 | ||
15 | --- a/tools/tiffcrop.c | ||
16 | +++ b/tools/tiffcrop.c | ||
17 | @@ -2133,11 +2133,11 @@ void process_command_opts (int argc, char *argv[], char *mp, char *mode, uint32 | ||
18 | } | ||
19 | /*-- Check for not allowed combinations (e.g. -X, -Y and -Z, -z and -S are mutually exclusive) --*/ | ||
20 | char XY, Z, R, S; | ||
21 | - XY = ((crop_data->crop_mode & CROP_WIDTH) || (crop_data->crop_mode & CROP_LENGTH)); | ||
22 | - Z = (crop_data->crop_mode & CROP_ZONES); | ||
23 | - R = (crop_data->crop_mode & CROP_REGIONS); | ||
24 | - S = (page->mode & PAGE_MODE_ROWSCOLS); | ||
25 | - if ((XY && Z) || (XY && R) || (XY && S) || (Z && R) || (Z && S) || (R && S)) { | ||
26 | + XY = ((crop_data->crop_mode & CROP_WIDTH) || (crop_data->crop_mode & CROP_LENGTH)) ? 1 : 0; | ||
27 | + Z = (crop_data->crop_mode & CROP_ZONES) ? 1 : 0; | ||
28 | + R = (crop_data->crop_mode & CROP_REGIONS) ? 1 : 0; | ||
29 | + S = (page->mode & PAGE_MODE_ROWSCOLS) ? 1 : 0; | ||
30 | + if (XY + Z + R + S > 1) { | ||
31 | TIFFError("tiffcrop input error", "The crop options(-X|-Y), -Z, -z and -S are mutually exclusive.->Exit"); | ||
32 | exit(EXIT_FAILURE); | ||
33 | } | ||
34 | -- | ||
35 | 2.34.1 | ||
36 | |||
diff --git a/meta/recipes-multimedia/libtiff/tiff/0001-tiffcrop-disable-incompatibility-of-Z-X-Y-z-options-.patch b/meta/recipes-multimedia/libtiff/tiff/0001-tiffcrop-disable-incompatibility-of-Z-X-Y-z-options-.patch new file mode 100644 index 0000000000..6a62787648 --- /dev/null +++ b/meta/recipes-multimedia/libtiff/tiff/0001-tiffcrop-disable-incompatibility-of-Z-X-Y-z-options-.patch | |||
@@ -0,0 +1,59 @@ | |||
1 | From 4746f16253b784287bc8a5003990c1c3b9a03a62 Mon Sep 17 00:00:00 2001 | ||
2 | From: Su_Laus <sulau@freenet.de> | ||
3 | Date: Thu, 25 Aug 2022 16:11:41 +0200 | ||
4 | Subject: [PATCH] tiffcrop: disable incompatibility of -Z, -X, -Y, -z options | ||
5 | with any PAGE_MODE_x option (fixes #411 and #413) | ||
6 | MIME-Version: 1.0 | ||
7 | Content-Type: text/plain; charset=UTF-8 | ||
8 | Content-Transfer-Encoding: 8bit | ||
9 | |||
10 | tiffcrop does not support –Z, -z, -X and –Y options together with any other PAGE_MODE_x options like -H, -V, -P, -J, -K or –S. | ||
11 | |||
12 | Code analysis: | ||
13 | |||
14 | With the options –Z, -z, the crop.selections are set to a value > 0. Within main(), this triggers the call of processCropSelections(), which copies the sections from the read_buff into seg_buffs[]. | ||
15 | In the following code in main(), the only supported step, where that seg_buffs are further handled are within an if-clause with if (page.mode == PAGE_MODE_NONE) . | ||
16 | |||
17 | Execution of the else-clause often leads to buffer-overflows. | ||
18 | |||
19 | Therefore, the above option combination is not supported and will be disabled to prevent those buffer-overflows. | ||
20 | |||
21 | The MR solves issues #411 and #413. | ||
22 | |||
23 | CVE: CVE-2022-3597 CVE-2022-3626 CVE-2022-3627 | ||
24 | Upstream-Status: Backport | ||
25 | Signed-off-by: Ross Burton <ross.burton@arm.com> | ||
26 | --- | ||
27 | doc/tools/tiffcrop.rst | 8 ++++++++ | ||
28 | tools/tiffcrop.c | 32 +++++++++++++++++++++++++------- | ||
29 | 2 files changed, 33 insertions(+), 7 deletions(-) | ||
30 | |||
31 | diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c | ||
32 | index 8fd856dc..41a2ea36 100644 | ||
33 | --- a/tools/tiffcrop.c | ||
34 | +++ b/tools/tiffcrop.c | ||
35 | @@ -2138,9 +2143,20 @@ void process_command_opts (int argc, char *argv[], char *mp, char *mode, uint32 | ||
36 | R = (crop_data->crop_mode & CROP_REGIONS) ? 1 : 0; | ||
37 | S = (page->mode & PAGE_MODE_ROWSCOLS) ? 1 : 0; | ||
38 | if (XY + Z + R + S > 1) { | ||
39 | - TIFFError("tiffcrop input error", "The crop options(-X|-Y), -Z, -z and -S are mutually exclusive.->Exit"); | ||
40 | + TIFFError("tiffcrop input error", "The crop options(-X|-Y), -Z, -z and -S are mutually exclusive.->exit"); | ||
41 | exit(EXIT_FAILURE); | ||
42 | } | ||
43 | + | ||
44 | + /* Check for not allowed combination: | ||
45 | + * Any of the -X, -Y, -Z and -z options together with other PAGE_MODE_x options | ||
46 | + * such as -H, -V, -P, -J or -K are not supported and may cause buffer overflows. | ||
47 | +. */ | ||
48 | + if ((XY + Z + R > 0) && page->mode != PAGE_MODE_NONE) { | ||
49 | + TIFFError("tiffcrop input error", | ||
50 | + "Any of the crop options -X, -Y, -Z and -z together with other PAGE_MODE_x options such as - H, -V, -P, -J or -K is not supported and may cause buffer overflows..->exit"); | ||
51 | + exit(EXIT_FAILURE); | ||
52 | + } | ||
53 | + | ||
54 | } /* end process_command_opts */ | ||
55 | |||
56 | /* Start a new output file if one has not been previously opened or | ||
57 | -- | ||
58 | 2.34.1 | ||
59 | |||
diff --git a/meta/recipes-multimedia/libtiff/tiff/0001-tiffcrop-subroutines-require-a-larger-buffer-fixes-2.patch b/meta/recipes-multimedia/libtiff/tiff/0001-tiffcrop-subroutines-require-a-larger-buffer-fixes-2.patch new file mode 100644 index 0000000000..e10e37ccc9 --- /dev/null +++ b/meta/recipes-multimedia/libtiff/tiff/0001-tiffcrop-subroutines-require-a-larger-buffer-fixes-2.patch | |||
@@ -0,0 +1,640 @@ | |||
1 | From 1e000b3484808f1ee7a68bd276220d1cd82dec73 Mon Sep 17 00:00:00 2001 | ||
2 | From: Su Laus <sulau@freenet.de> | ||
3 | Date: Thu, 13 Oct 2022 14:33:27 +0000 | ||
4 | Subject: [PATCH] tiffcrop subroutines require a larger buffer (fixes #271, | ||
5 | #381, #386, #388, #389, #435) | ||
6 | |||
7 | CVE: CVE-2022-3570 CVE-2022-3598 | ||
8 | Upstream-Status: Backport | ||
9 | Signed-off-by: Ross Burton <ross.burton@arm.com> | ||
10 | --- | ||
11 | tools/tiffcrop.c | 203 ++++++++++++++++++++++++++--------------------- | ||
12 | 1 file changed, 114 insertions(+), 89 deletions(-) | ||
13 | |||
14 | diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c | ||
15 | index f96c7d60..adf0f849 100644 | ||
16 | --- a/tools/tiffcrop.c | ||
17 | +++ b/tools/tiffcrop.c | ||
18 | @@ -210,6 +210,10 @@ static char tiffcrop_rev_date[] = "02-09-2022"; | ||
19 | |||
20 | #define TIFF_DIR_MAX 65534 | ||
21 | |||
22 | +/* Some conversion subroutines require image buffers, which are at least 3 bytes | ||
23 | + * larger than the necessary size for the image itself. */ | ||
24 | +#define NUM_BUFF_OVERSIZE_BYTES 3 | ||
25 | + | ||
26 | /* Offsets into buffer for margins and fixed width and length segments */ | ||
27 | struct offset { | ||
28 | uint32_t tmargin; | ||
29 | @@ -231,7 +235,7 @@ struct offset { | ||
30 | */ | ||
31 | |||
32 | struct buffinfo { | ||
33 | - uint32_t size; /* size of this buffer */ | ||
34 | + size_t size; /* size of this buffer */ | ||
35 | unsigned char *buffer; /* address of the allocated buffer */ | ||
36 | }; | ||
37 | |||
38 | @@ -805,8 +809,8 @@ static int readContigTilesIntoBuffer (TIFF* in, uint8_t* buf, | ||
39 | uint32_t dst_rowsize, shift_width; | ||
40 | uint32_t bytes_per_sample, bytes_per_pixel; | ||
41 | uint32_t trailing_bits, prev_trailing_bits; | ||
42 | - uint32_t tile_rowsize = TIFFTileRowSize(in); | ||
43 | - uint32_t src_offset, dst_offset; | ||
44 | + tmsize_t tile_rowsize = TIFFTileRowSize(in); | ||
45 | + tmsize_t src_offset, dst_offset; | ||
46 | uint32_t row_offset, col_offset; | ||
47 | uint8_t *bufp = (uint8_t*) buf; | ||
48 | unsigned char *src = NULL; | ||
49 | @@ -856,7 +860,7 @@ static int readContigTilesIntoBuffer (TIFF* in, uint8_t* buf, | ||
50 | TIFFError("readContigTilesIntoBuffer", "Integer overflow when calculating buffer size."); | ||
51 | exit(EXIT_FAILURE); | ||
52 | } | ||
53 | - tilebuf = limitMalloc(tile_buffsize + 3); | ||
54 | + tilebuf = limitMalloc(tile_buffsize + NUM_BUFF_OVERSIZE_BYTES); | ||
55 | if (tilebuf == 0) | ||
56 | return 0; | ||
57 | tilebuf[tile_buffsize] = 0; | ||
58 | @@ -1019,7 +1023,7 @@ static int readSeparateTilesIntoBuffer (TIFF* in, uint8_t *obuf, | ||
59 | for (sample = 0; (sample < spp) && (sample < MAX_SAMPLES); sample++) | ||
60 | { | ||
61 | srcbuffs[sample] = NULL; | ||
62 | - tbuff = (unsigned char *)limitMalloc(tilesize + 8); | ||
63 | + tbuff = (unsigned char *)limitMalloc(tilesize + NUM_BUFF_OVERSIZE_BYTES); | ||
64 | if (!tbuff) | ||
65 | { | ||
66 | TIFFError ("readSeparateTilesIntoBuffer", | ||
67 | @@ -1213,7 +1217,8 @@ writeBufferToSeparateStrips (TIFF* out, uint8_t* buf, | ||
68 | } | ||
69 | rowstripsize = rowsperstrip * bytes_per_sample * (width + 1); | ||
70 | |||
71 | - obuf = limitMalloc (rowstripsize); | ||
72 | + /* Add 3 padding bytes for extractContigSamples32bits */ | ||
73 | + obuf = limitMalloc (rowstripsize + NUM_BUFF_OVERSIZE_BYTES); | ||
74 | if (obuf == NULL) | ||
75 | return 1; | ||
76 | |||
77 | @@ -1226,7 +1231,7 @@ writeBufferToSeparateStrips (TIFF* out, uint8_t* buf, | ||
78 | stripsize = TIFFVStripSize(out, nrows); | ||
79 | src = buf + (row * rowsize); | ||
80 | total_bytes += stripsize; | ||
81 | - memset (obuf, '\0', rowstripsize); | ||
82 | + memset (obuf, '\0',rowstripsize + NUM_BUFF_OVERSIZE_BYTES); | ||
83 | if (extractContigSamplesToBuffer(obuf, src, nrows, width, s, spp, bps, dump)) | ||
84 | { | ||
85 | _TIFFfree(obuf); | ||
86 | @@ -1234,10 +1239,15 @@ writeBufferToSeparateStrips (TIFF* out, uint8_t* buf, | ||
87 | } | ||
88 | if ((dump->outfile != NULL) && (dump->level == 1)) | ||
89 | { | ||
90 | - dump_info(dump->outfile, dump->format,"", | ||
91 | + if (scanlinesize > 0x0ffffffffULL) { | ||
92 | + dump_info(dump->infile, dump->format, "loadImage", | ||
93 | + "Attention: scanlinesize %"PRIu64" is larger than UINT32_MAX.\nFollowing dump might be wrong.", | ||
94 | + scanlinesize); | ||
95 | + } | ||
96 | + dump_info(dump->outfile, dump->format,"", | ||
97 | "Sample %2d, Strip: %2d, bytes: %4d, Row %4d, bytes: %4d, Input offset: %6d", | ||
98 | - s + 1, strip + 1, stripsize, row + 1, scanlinesize, src - buf); | ||
99 | - dump_buffer(dump->outfile, dump->format, nrows, scanlinesize, row, obuf); | ||
100 | + s + 1, strip + 1, stripsize, row + 1, (uint32_t)scanlinesize, src - buf); | ||
101 | + dump_buffer(dump->outfile, dump->format, nrows, (uint32_t)scanlinesize, row, obuf); | ||
102 | } | ||
103 | |||
104 | if (TIFFWriteEncodedStrip(out, strip++, obuf, stripsize) < 0) | ||
105 | @@ -1264,7 +1274,7 @@ static int writeBufferToContigTiles (TIFF* out, uint8_t* buf, uint32_t imageleng | ||
106 | uint32_t tl, tw; | ||
107 | uint32_t row, col, nrow, ncol; | ||
108 | uint32_t src_rowsize, col_offset; | ||
109 | - uint32_t tile_rowsize = TIFFTileRowSize(out); | ||
110 | + tmsize_t tile_rowsize = TIFFTileRowSize(out); | ||
111 | uint8_t* bufp = (uint8_t*) buf; | ||
112 | tsize_t tile_buffsize = 0; | ||
113 | tsize_t tilesize = TIFFTileSize(out); | ||
114 | @@ -1307,9 +1317,11 @@ static int writeBufferToContigTiles (TIFF* out, uint8_t* buf, uint32_t imageleng | ||
115 | } | ||
116 | src_rowsize = ((imagewidth * spp * bps) + 7U) / 8; | ||
117 | |||
118 | - tilebuf = limitMalloc(tile_buffsize); | ||
119 | + /* Add 3 padding bytes for extractContigSamples32bits */ | ||
120 | + tilebuf = limitMalloc(tile_buffsize + NUM_BUFF_OVERSIZE_BYTES); | ||
121 | if (tilebuf == 0) | ||
122 | return 1; | ||
123 | + memset(tilebuf, 0, tile_buffsize + NUM_BUFF_OVERSIZE_BYTES); | ||
124 | for (row = 0; row < imagelength; row += tl) | ||
125 | { | ||
126 | nrow = (row + tl > imagelength) ? imagelength - row : tl; | ||
127 | @@ -1355,7 +1367,8 @@ static int writeBufferToSeparateTiles (TIFF* out, uint8_t* buf, uint32_t imagele | ||
128 | uint32_t imagewidth, tsample_t spp, | ||
129 | struct dump_opts * dump) | ||
130 | { | ||
131 | - tdata_t obuf = limitMalloc(TIFFTileSize(out)); | ||
132 | + /* Add 3 padding bytes for extractContigSamples32bits */ | ||
133 | + tdata_t obuf = limitMalloc(TIFFTileSize(out) + NUM_BUFF_OVERSIZE_BYTES); | ||
134 | uint32_t tl, tw; | ||
135 | uint32_t row, col, nrow, ncol; | ||
136 | uint32_t src_rowsize, col_offset; | ||
137 | @@ -1365,6 +1378,7 @@ static int writeBufferToSeparateTiles (TIFF* out, uint8_t* buf, uint32_t imagele | ||
138 | |||
139 | if (obuf == NULL) | ||
140 | return 1; | ||
141 | + memset(obuf, 0, TIFFTileSize(out) + NUM_BUFF_OVERSIZE_BYTES); | ||
142 | |||
143 | if( !TIFFGetField(out, TIFFTAG_TILELENGTH, &tl) || | ||
144 | !TIFFGetField(out, TIFFTAG_TILEWIDTH, &tw) || | ||
145 | @@ -1790,14 +1804,14 @@ void process_command_opts (int argc, char *argv[], char *mp, char *mode, uint32 | ||
146 | |||
147 | *opt_offset = '\0'; | ||
148 | /* convert option to lowercase */ | ||
149 | - end = strlen (opt_ptr); | ||
150 | + end = (unsigned int)strlen (opt_ptr); | ||
151 | for (i = 0; i < end; i++) | ||
152 | *(opt_ptr + i) = tolower((int) *(opt_ptr + i)); | ||
153 | /* Look for dump format specification */ | ||
154 | if (strncmp(opt_ptr, "for", 3) == 0) | ||
155 | { | ||
156 | /* convert value to lowercase */ | ||
157 | - end = strlen (opt_offset + 1); | ||
158 | + end = (unsigned int)strlen (opt_offset + 1); | ||
159 | for (i = 1; i <= end; i++) | ||
160 | *(opt_offset + i) = tolower((int) *(opt_offset + i)); | ||
161 | /* check dump format value */ | ||
162 | @@ -2270,6 +2284,8 @@ main(int argc, char* argv[]) | ||
163 | size_t length; | ||
164 | char temp_filename[PATH_MAX + 16]; /* Extra space keeps the compiler from complaining */ | ||
165 | |||
166 | + assert(NUM_BUFF_OVERSIZE_BYTES >= 3); | ||
167 | + | ||
168 | little_endian = *((unsigned char *)&little_endian) & '1'; | ||
169 | |||
170 | initImageData(&image); | ||
171 | @@ -3222,13 +3238,13 @@ extractContigSamples32bits (uint8_t *in, uint8_t *out, uint32_t cols, | ||
172 | /* If we have a full buffer's worth, write it out */ | ||
173 | if (ready_bits >= 32) | ||
174 | { | ||
175 | - bytebuff1 = (buff2 >> 56); | ||
176 | + bytebuff1 = (uint8_t)(buff2 >> 56); | ||
177 | *dst++ = bytebuff1; | ||
178 | - bytebuff2 = (buff2 >> 48); | ||
179 | + bytebuff2 = (uint8_t)(buff2 >> 48); | ||
180 | *dst++ = bytebuff2; | ||
181 | - bytebuff3 = (buff2 >> 40); | ||
182 | + bytebuff3 = (uint8_t)(buff2 >> 40); | ||
183 | *dst++ = bytebuff3; | ||
184 | - bytebuff4 = (buff2 >> 32); | ||
185 | + bytebuff4 = (uint8_t)(buff2 >> 32); | ||
186 | *dst++ = bytebuff4; | ||
187 | ready_bits -= 32; | ||
188 | |||
189 | @@ -3637,13 +3653,13 @@ extractContigSamplesShifted32bits (uint8_t *in, uint8_t *out, uint32_t cols, | ||
190 | } | ||
191 | else /* If we have a full buffer's worth, write it out */ | ||
192 | { | ||
193 | - bytebuff1 = (buff2 >> 56); | ||
194 | + bytebuff1 = (uint8_t)(buff2 >> 56); | ||
195 | *dst++ = bytebuff1; | ||
196 | - bytebuff2 = (buff2 >> 48); | ||
197 | + bytebuff2 = (uint8_t)(buff2 >> 48); | ||
198 | *dst++ = bytebuff2; | ||
199 | - bytebuff3 = (buff2 >> 40); | ||
200 | + bytebuff3 = (uint8_t)(buff2 >> 40); | ||
201 | *dst++ = bytebuff3; | ||
202 | - bytebuff4 = (buff2 >> 32); | ||
203 | + bytebuff4 = (uint8_t)(buff2 >> 32); | ||
204 | *dst++ = bytebuff4; | ||
205 | ready_bits -= 32; | ||
206 | |||
207 | @@ -3820,10 +3836,10 @@ extractContigSamplesToTileBuffer(uint8_t *out, uint8_t *in, uint32_t rows, uint3 | ||
208 | static int readContigStripsIntoBuffer (TIFF* in, uint8_t* buf) | ||
209 | { | ||
210 | uint8_t* bufp = buf; | ||
211 | - int32_t bytes_read = 0; | ||
212 | + tmsize_t bytes_read = 0; | ||
213 | uint32_t strip, nstrips = TIFFNumberOfStrips(in); | ||
214 | - uint32_t stripsize = TIFFStripSize(in); | ||
215 | - uint32_t rows = 0; | ||
216 | + tmsize_t stripsize = TIFFStripSize(in); | ||
217 | + tmsize_t rows = 0; | ||
218 | uint32_t rps = TIFFGetFieldDefaulted(in, TIFFTAG_ROWSPERSTRIP, &rps); | ||
219 | tsize_t scanline_size = TIFFScanlineSize(in); | ||
220 | |||
221 | @@ -3836,11 +3852,11 @@ static int readContigStripsIntoBuffer (TIFF* in, uint8_t* buf) | ||
222 | bytes_read = TIFFReadEncodedStrip (in, strip, bufp, -1); | ||
223 | rows = bytes_read / scanline_size; | ||
224 | if ((strip < (nstrips - 1)) && (bytes_read != (int32_t)stripsize)) | ||
225 | - TIFFError("", "Strip %"PRIu32": read %"PRId32" bytes, strip size %"PRIu32, | ||
226 | + TIFFError("", "Strip %"PRIu32": read %"PRId64" bytes, strip size %"PRIu64, | ||
227 | strip + 1, bytes_read, stripsize); | ||
228 | |||
229 | if (bytes_read < 0 && !ignore) { | ||
230 | - TIFFError("", "Error reading strip %"PRIu32" after %"PRIu32" rows", | ||
231 | + TIFFError("", "Error reading strip %"PRIu32" after %"PRIu64" rows", | ||
232 | strip, rows); | ||
233 | return 0; | ||
234 | } | ||
235 | @@ -4305,13 +4321,13 @@ combineSeparateSamples32bits (uint8_t *in[], uint8_t *out, uint32_t cols, | ||
236 | /* If we have a full buffer's worth, write it out */ | ||
237 | if (ready_bits >= 32) | ||
238 | { | ||
239 | - bytebuff1 = (buff2 >> 56); | ||
240 | + bytebuff1 = (uint8_t)(buff2 >> 56); | ||
241 | *dst++ = bytebuff1; | ||
242 | - bytebuff2 = (buff2 >> 48); | ||
243 | + bytebuff2 = (uint8_t)(buff2 >> 48); | ||
244 | *dst++ = bytebuff2; | ||
245 | - bytebuff3 = (buff2 >> 40); | ||
246 | + bytebuff3 = (uint8_t)(buff2 >> 40); | ||
247 | *dst++ = bytebuff3; | ||
248 | - bytebuff4 = (buff2 >> 32); | ||
249 | + bytebuff4 = (uint8_t)(buff2 >> 32); | ||
250 | *dst++ = bytebuff4; | ||
251 | ready_bits -= 32; | ||
252 | |||
253 | @@ -4354,10 +4370,10 @@ combineSeparateSamples32bits (uint8_t *in[], uint8_t *out, uint32_t cols, | ||
254 | "Row %3d, Col %3d, Src byte offset %3d bit offset %2d Dst offset %3d", | ||
255 | row + 1, col + 1, src_byte, src_bit, dst - out); | ||
256 | |||
257 | - dump_long (dumpfile, format, "Match bits ", matchbits); | ||
258 | + dump_wide (dumpfile, format, "Match bits ", matchbits); | ||
259 | dump_data (dumpfile, format, "Src bits ", src, 4); | ||
260 | - dump_long (dumpfile, format, "Buff1 bits ", buff1); | ||
261 | - dump_long (dumpfile, format, "Buff2 bits ", buff2); | ||
262 | + dump_wide (dumpfile, format, "Buff1 bits ", buff1); | ||
263 | + dump_wide (dumpfile, format, "Buff2 bits ", buff2); | ||
264 | dump_byte (dumpfile, format, "Write bits1", bytebuff1); | ||
265 | dump_byte (dumpfile, format, "Write bits2", bytebuff2); | ||
266 | dump_info (dumpfile, format, "", "Ready bits: %2d", ready_bits); | ||
267 | @@ -4830,13 +4846,13 @@ combineSeparateTileSamples32bits (uint8_t *in[], uint8_t *out, uint32_t cols, | ||
268 | /* If we have a full buffer's worth, write it out */ | ||
269 | if (ready_bits >= 32) | ||
270 | { | ||
271 | - bytebuff1 = (buff2 >> 56); | ||
272 | + bytebuff1 = (uint8_t)(buff2 >> 56); | ||
273 | *dst++ = bytebuff1; | ||
274 | - bytebuff2 = (buff2 >> 48); | ||
275 | + bytebuff2 = (uint8_t)(buff2 >> 48); | ||
276 | *dst++ = bytebuff2; | ||
277 | - bytebuff3 = (buff2 >> 40); | ||
278 | + bytebuff3 = (uint8_t)(buff2 >> 40); | ||
279 | *dst++ = bytebuff3; | ||
280 | - bytebuff4 = (buff2 >> 32); | ||
281 | + bytebuff4 = (uint8_t)(buff2 >> 32); | ||
282 | *dst++ = bytebuff4; | ||
283 | ready_bits -= 32; | ||
284 | |||
285 | @@ -4879,10 +4895,10 @@ combineSeparateTileSamples32bits (uint8_t *in[], uint8_t *out, uint32_t cols, | ||
286 | "Row %3d, Col %3d, Src byte offset %3d bit offset %2d Dst offset %3d", | ||
287 | row + 1, col + 1, src_byte, src_bit, dst - out); | ||
288 | |||
289 | - dump_long (dumpfile, format, "Match bits ", matchbits); | ||
290 | + dump_wide (dumpfile, format, "Match bits ", matchbits); | ||
291 | dump_data (dumpfile, format, "Src bits ", src, 4); | ||
292 | - dump_long (dumpfile, format, "Buff1 bits ", buff1); | ||
293 | - dump_long (dumpfile, format, "Buff2 bits ", buff2); | ||
294 | + dump_wide (dumpfile, format, "Buff1 bits ", buff1); | ||
295 | + dump_wide (dumpfile, format, "Buff2 bits ", buff2); | ||
296 | dump_byte (dumpfile, format, "Write bits1", bytebuff1); | ||
297 | dump_byte (dumpfile, format, "Write bits2", bytebuff2); | ||
298 | dump_info (dumpfile, format, "", "Ready bits: %2d", ready_bits); | ||
299 | @@ -4905,7 +4921,7 @@ static int readSeparateStripsIntoBuffer (TIFF *in, uint8_t *obuf, uint32_t lengt | ||
300 | { | ||
301 | int i, bytes_per_sample, bytes_per_pixel, shift_width, result = 1; | ||
302 | uint32_t j; | ||
303 | - int32_t bytes_read = 0; | ||
304 | + tmsize_t bytes_read = 0; | ||
305 | uint16_t bps = 0, planar; | ||
306 | uint32_t nstrips; | ||
307 | uint32_t strips_per_sample; | ||
308 | @@ -4971,7 +4987,7 @@ static int readSeparateStripsIntoBuffer (TIFF *in, uint8_t *obuf, uint32_t lengt | ||
309 | for (s = 0; (s < spp) && (s < MAX_SAMPLES); s++) | ||
310 | { | ||
311 | srcbuffs[s] = NULL; | ||
312 | - buff = limitMalloc(stripsize + 3); | ||
313 | + buff = limitMalloc(stripsize + NUM_BUFF_OVERSIZE_BYTES); | ||
314 | if (!buff) | ||
315 | { | ||
316 | TIFFError ("readSeparateStripsIntoBuffer", | ||
317 | @@ -4994,7 +5010,7 @@ static int readSeparateStripsIntoBuffer (TIFF *in, uint8_t *obuf, uint32_t lengt | ||
318 | buff = srcbuffs[s]; | ||
319 | strip = (s * strips_per_sample) + j; | ||
320 | bytes_read = TIFFReadEncodedStrip (in, strip, buff, stripsize); | ||
321 | - rows_this_strip = bytes_read / src_rowsize; | ||
322 | + rows_this_strip = (uint32_t)(bytes_read / src_rowsize); | ||
323 | if (bytes_read < 0 && !ignore) | ||
324 | { | ||
325 | TIFFError(TIFFFileName(in), | ||
326 | @@ -6047,13 +6063,14 @@ loadImage(TIFF* in, struct image_data *image, struct dump_opts *dump, unsigned c | ||
327 | uint16_t input_compression = 0, input_photometric = 0; | ||
328 | uint16_t subsampling_horiz, subsampling_vert; | ||
329 | uint32_t width = 0, length = 0; | ||
330 | - uint32_t stsize = 0, tlsize = 0, buffsize = 0, scanlinesize = 0; | ||
331 | + tmsize_t stsize = 0, tlsize = 0, buffsize = 0; | ||
332 | + tmsize_t scanlinesize = 0; | ||
333 | uint32_t tw = 0, tl = 0; /* Tile width and length */ | ||
334 | - uint32_t tile_rowsize = 0; | ||
335 | + tmsize_t tile_rowsize = 0; | ||
336 | unsigned char *read_buff = NULL; | ||
337 | unsigned char *new_buff = NULL; | ||
338 | int readunit = 0; | ||
339 | - static uint32_t prev_readsize = 0; | ||
340 | + static tmsize_t prev_readsize = 0; | ||
341 | |||
342 | TIFFGetFieldDefaulted(in, TIFFTAG_BITSPERSAMPLE, &bps); | ||
343 | TIFFGetFieldDefaulted(in, TIFFTAG_SAMPLESPERPIXEL, &spp); | ||
344 | @@ -6355,7 +6372,7 @@ loadImage(TIFF* in, struct image_data *image, struct dump_opts *dump, unsigned c | ||
345 | TIFFError("loadImage", "Unable to allocate/reallocate read buffer"); | ||
346 | return (-1); | ||
347 | } | ||
348 | - read_buff = (unsigned char *)limitMalloc(buffsize+3); | ||
349 | + read_buff = (unsigned char *)limitMalloc(buffsize + NUM_BUFF_OVERSIZE_BYTES); | ||
350 | } | ||
351 | else | ||
352 | { | ||
353 | @@ -6366,11 +6383,11 @@ loadImage(TIFF* in, struct image_data *image, struct dump_opts *dump, unsigned c | ||
354 | TIFFError("loadImage", "Unable to allocate/reallocate read buffer"); | ||
355 | return (-1); | ||
356 | } | ||
357 | - new_buff = _TIFFrealloc(read_buff, buffsize+3); | ||
358 | + new_buff = _TIFFrealloc(read_buff, buffsize + NUM_BUFF_OVERSIZE_BYTES); | ||
359 | if (!new_buff) | ||
360 | { | ||
361 | free (read_buff); | ||
362 | - read_buff = (unsigned char *)limitMalloc(buffsize+3); | ||
363 | + read_buff = (unsigned char *)limitMalloc(buffsize + NUM_BUFF_OVERSIZE_BYTES); | ||
364 | } | ||
365 | else | ||
366 | read_buff = new_buff; | ||
367 | @@ -6443,8 +6460,13 @@ loadImage(TIFF* in, struct image_data *image, struct dump_opts *dump, unsigned c | ||
368 | dump_info (dump->infile, dump->format, "", | ||
369 | "Bits per sample %"PRIu16", Samples per pixel %"PRIu16, bps, spp); | ||
370 | |||
371 | + if (scanlinesize > 0x0ffffffffULL) { | ||
372 | + dump_info(dump->infile, dump->format, "loadImage", | ||
373 | + "Attention: scanlinesize %"PRIu64" is larger than UINT32_MAX.\nFollowing dump might be wrong.", | ||
374 | + scanlinesize); | ||
375 | + } | ||
376 | for (i = 0; i < length; i++) | ||
377 | - dump_buffer(dump->infile, dump->format, 1, scanlinesize, | ||
378 | + dump_buffer(dump->infile, dump->format, 1, (uint32_t)scanlinesize, | ||
379 | i, read_buff + (i * scanlinesize)); | ||
380 | } | ||
381 | return (0); | ||
382 | @@ -7464,13 +7486,13 @@ writeSingleSection(TIFF *in, TIFF *out, struct image_data *image, | ||
383 | if (TIFFGetField(in, TIFFTAG_NUMBEROFINKS, &ninks)) { | ||
384 | TIFFSetField(out, TIFFTAG_NUMBEROFINKS, ninks); | ||
385 | if (TIFFGetField(in, TIFFTAG_INKNAMES, &inknames)) { | ||
386 | - int inknameslen = strlen(inknames) + 1; | ||
387 | + int inknameslen = (int)strlen(inknames) + 1; | ||
388 | const char* cp = inknames; | ||
389 | while (ninks > 1) { | ||
390 | cp = strchr(cp, '\0'); | ||
391 | if (cp) { | ||
392 | cp++; | ||
393 | - inknameslen += (strlen(cp) + 1); | ||
394 | + inknameslen += ((int)strlen(cp) + 1); | ||
395 | } | ||
396 | ninks--; | ||
397 | } | ||
398 | @@ -7533,23 +7555,23 @@ createImageSection(uint32_t sectsize, unsigned char **sect_buff_ptr) | ||
399 | |||
400 | if (!sect_buff) | ||
401 | { | ||
402 | - sect_buff = (unsigned char *)limitMalloc(sectsize); | ||
403 | + sect_buff = (unsigned char *)limitMalloc(sectsize + NUM_BUFF_OVERSIZE_BYTES); | ||
404 | if (!sect_buff) | ||
405 | { | ||
406 | TIFFError("createImageSection", "Unable to allocate/reallocate section buffer"); | ||
407 | return (-1); | ||
408 | } | ||
409 | - _TIFFmemset(sect_buff, 0, sectsize); | ||
410 | + _TIFFmemset(sect_buff, 0, sectsize + NUM_BUFF_OVERSIZE_BYTES); | ||
411 | } | ||
412 | else | ||
413 | { | ||
414 | if (prev_sectsize < sectsize) | ||
415 | { | ||
416 | - new_buff = _TIFFrealloc(sect_buff, sectsize); | ||
417 | + new_buff = _TIFFrealloc(sect_buff, sectsize + NUM_BUFF_OVERSIZE_BYTES); | ||
418 | if (!new_buff) | ||
419 | { | ||
420 | _TIFFfree (sect_buff); | ||
421 | - sect_buff = (unsigned char *)limitMalloc(sectsize); | ||
422 | + sect_buff = (unsigned char *)limitMalloc(sectsize + NUM_BUFF_OVERSIZE_BYTES); | ||
423 | } | ||
424 | else | ||
425 | sect_buff = new_buff; | ||
426 | @@ -7559,7 +7581,7 @@ createImageSection(uint32_t sectsize, unsigned char **sect_buff_ptr) | ||
427 | TIFFError("createImageSection", "Unable to allocate/reallocate section buffer"); | ||
428 | return (-1); | ||
429 | } | ||
430 | - _TIFFmemset(sect_buff, 0, sectsize); | ||
431 | + _TIFFmemset(sect_buff, 0, sectsize + NUM_BUFF_OVERSIZE_BYTES); | ||
432 | } | ||
433 | } | ||
434 | |||
435 | @@ -7590,17 +7612,17 @@ processCropSelections(struct image_data *image, struct crop_mask *crop, | ||
436 | cropsize = crop->bufftotal; | ||
437 | crop_buff = seg_buffs[0].buffer; | ||
438 | if (!crop_buff) | ||
439 | - crop_buff = (unsigned char *)limitMalloc(cropsize); | ||
440 | + crop_buff = (unsigned char *)limitMalloc(cropsize + NUM_BUFF_OVERSIZE_BYTES); | ||
441 | else | ||
442 | { | ||
443 | prev_cropsize = seg_buffs[0].size; | ||
444 | if (prev_cropsize < cropsize) | ||
445 | { | ||
446 | - next_buff = _TIFFrealloc(crop_buff, cropsize); | ||
447 | + next_buff = _TIFFrealloc(crop_buff, cropsize + NUM_BUFF_OVERSIZE_BYTES); | ||
448 | if (! next_buff) | ||
449 | { | ||
450 | _TIFFfree (crop_buff); | ||
451 | - crop_buff = (unsigned char *)limitMalloc(cropsize); | ||
452 | + crop_buff = (unsigned char *)limitMalloc(cropsize + NUM_BUFF_OVERSIZE_BYTES); | ||
453 | } | ||
454 | else | ||
455 | crop_buff = next_buff; | ||
456 | @@ -7613,7 +7635,7 @@ processCropSelections(struct image_data *image, struct crop_mask *crop, | ||
457 | return (-1); | ||
458 | } | ||
459 | |||
460 | - _TIFFmemset(crop_buff, 0, cropsize); | ||
461 | + _TIFFmemset(crop_buff, 0, cropsize + NUM_BUFF_OVERSIZE_BYTES); | ||
462 | seg_buffs[0].buffer = crop_buff; | ||
463 | seg_buffs[0].size = cropsize; | ||
464 | |||
465 | @@ -7693,17 +7715,17 @@ processCropSelections(struct image_data *image, struct crop_mask *crop, | ||
466 | cropsize = crop->bufftotal; | ||
467 | crop_buff = seg_buffs[i].buffer; | ||
468 | if (!crop_buff) | ||
469 | - crop_buff = (unsigned char *)limitMalloc(cropsize); | ||
470 | + crop_buff = (unsigned char *)limitMalloc(cropsize + NUM_BUFF_OVERSIZE_BYTES); | ||
471 | else | ||
472 | { | ||
473 | prev_cropsize = seg_buffs[0].size; | ||
474 | if (prev_cropsize < cropsize) | ||
475 | { | ||
476 | - next_buff = _TIFFrealloc(crop_buff, cropsize); | ||
477 | + next_buff = _TIFFrealloc(crop_buff, cropsize + NUM_BUFF_OVERSIZE_BYTES); | ||
478 | if (! next_buff) | ||
479 | { | ||
480 | _TIFFfree (crop_buff); | ||
481 | - crop_buff = (unsigned char *)limitMalloc(cropsize); | ||
482 | + crop_buff = (unsigned char *)limitMalloc(cropsize + NUM_BUFF_OVERSIZE_BYTES); | ||
483 | } | ||
484 | else | ||
485 | crop_buff = next_buff; | ||
486 | @@ -7716,7 +7738,7 @@ processCropSelections(struct image_data *image, struct crop_mask *crop, | ||
487 | return (-1); | ||
488 | } | ||
489 | |||
490 | - _TIFFmemset(crop_buff, 0, cropsize); | ||
491 | + _TIFFmemset(crop_buff, 0, cropsize + NUM_BUFF_OVERSIZE_BYTES); | ||
492 | seg_buffs[i].buffer = crop_buff; | ||
493 | seg_buffs[i].size = cropsize; | ||
494 | |||
495 | @@ -7832,24 +7854,24 @@ createCroppedImage(struct image_data *image, struct crop_mask *crop, | ||
496 | crop_buff = *crop_buff_ptr; | ||
497 | if (!crop_buff) | ||
498 | { | ||
499 | - crop_buff = (unsigned char *)limitMalloc(cropsize); | ||
500 | + crop_buff = (unsigned char *)limitMalloc(cropsize + NUM_BUFF_OVERSIZE_BYTES); | ||
501 | if (!crop_buff) | ||
502 | { | ||
503 | TIFFError("createCroppedImage", "Unable to allocate/reallocate crop buffer"); | ||
504 | return (-1); | ||
505 | } | ||
506 | - _TIFFmemset(crop_buff, 0, cropsize); | ||
507 | + _TIFFmemset(crop_buff, 0, cropsize + NUM_BUFF_OVERSIZE_BYTES); | ||
508 | prev_cropsize = cropsize; | ||
509 | } | ||
510 | else | ||
511 | { | ||
512 | if (prev_cropsize < cropsize) | ||
513 | { | ||
514 | - new_buff = _TIFFrealloc(crop_buff, cropsize); | ||
515 | + new_buff = _TIFFrealloc(crop_buff, cropsize + NUM_BUFF_OVERSIZE_BYTES); | ||
516 | if (!new_buff) | ||
517 | { | ||
518 | free (crop_buff); | ||
519 | - crop_buff = (unsigned char *)limitMalloc(cropsize); | ||
520 | + crop_buff = (unsigned char *)limitMalloc(cropsize + NUM_BUFF_OVERSIZE_BYTES); | ||
521 | } | ||
522 | else | ||
523 | crop_buff = new_buff; | ||
524 | @@ -7858,7 +7880,7 @@ createCroppedImage(struct image_data *image, struct crop_mask *crop, | ||
525 | TIFFError("createCroppedImage", "Unable to allocate/reallocate crop buffer"); | ||
526 | return (-1); | ||
527 | } | ||
528 | - _TIFFmemset(crop_buff, 0, cropsize); | ||
529 | + _TIFFmemset(crop_buff, 0, cropsize + NUM_BUFF_OVERSIZE_BYTES); | ||
530 | } | ||
531 | } | ||
532 | |||
533 | @@ -8156,13 +8178,13 @@ writeCroppedImage(TIFF *in, TIFF *out, struct image_data *image, | ||
534 | if (TIFFGetField(in, TIFFTAG_NUMBEROFINKS, &ninks)) { | ||
535 | TIFFSetField(out, TIFFTAG_NUMBEROFINKS, ninks); | ||
536 | if (TIFFGetField(in, TIFFTAG_INKNAMES, &inknames)) { | ||
537 | - int inknameslen = strlen(inknames) + 1; | ||
538 | + int inknameslen = (int)strlen(inknames) + 1; | ||
539 | const char* cp = inknames; | ||
540 | while (ninks > 1) { | ||
541 | cp = strchr(cp, '\0'); | ||
542 | if (cp) { | ||
543 | cp++; | ||
544 | - inknameslen += (strlen(cp) + 1); | ||
545 | + inknameslen += ((int)strlen(cp) + 1); | ||
546 | } | ||
547 | ninks--; | ||
548 | } | ||
549 | @@ -8547,13 +8569,13 @@ rotateContigSamples32bits(uint16_t rotation, uint16_t spp, uint16_t bps, uint32_ | ||
550 | } | ||
551 | else /* If we have a full buffer's worth, write it out */ | ||
552 | { | ||
553 | - bytebuff1 = (buff2 >> 56); | ||
554 | + bytebuff1 = (uint8_t)(buff2 >> 56); | ||
555 | *dst++ = bytebuff1; | ||
556 | - bytebuff2 = (buff2 >> 48); | ||
557 | + bytebuff2 = (uint8_t)(buff2 >> 48); | ||
558 | *dst++ = bytebuff2; | ||
559 | - bytebuff3 = (buff2 >> 40); | ||
560 | + bytebuff3 = (uint8_t)(buff2 >> 40); | ||
561 | *dst++ = bytebuff3; | ||
562 | - bytebuff4 = (buff2 >> 32); | ||
563 | + bytebuff4 = (uint8_t)(buff2 >> 32); | ||
564 | *dst++ = bytebuff4; | ||
565 | ready_bits -= 32; | ||
566 | |||
567 | @@ -8622,12 +8644,13 @@ rotateImage(uint16_t rotation, struct image_data *image, uint32_t *img_width, | ||
568 | return (-1); | ||
569 | } | ||
570 | |||
571 | - if (!(rbuff = (unsigned char *)limitMalloc(buffsize))) | ||
572 | + /* Add 3 padding bytes for extractContigSamplesShifted32bits */ | ||
573 | + if (!(rbuff = (unsigned char *)limitMalloc(buffsize + NUM_BUFF_OVERSIZE_BYTES))) | ||
574 | { | ||
575 | - TIFFError("rotateImage", "Unable to allocate rotation buffer of %1u bytes", buffsize); | ||
576 | + TIFFError("rotateImage", "Unable to allocate rotation buffer of %1u bytes", buffsize + NUM_BUFF_OVERSIZE_BYTES); | ||
577 | return (-1); | ||
578 | } | ||
579 | - _TIFFmemset(rbuff, '\0', buffsize); | ||
580 | + _TIFFmemset(rbuff, '\0', buffsize + NUM_BUFF_OVERSIZE_BYTES); | ||
581 | |||
582 | ibuff = *ibuff_ptr; | ||
583 | switch (rotation) | ||
584 | @@ -9155,13 +9178,13 @@ reverseSamples32bits (uint16_t spp, uint16_t bps, uint32_t width, | ||
585 | } | ||
586 | else /* If we have a full buffer's worth, write it out */ | ||
587 | { | ||
588 | - bytebuff1 = (buff2 >> 56); | ||
589 | + bytebuff1 = (uint8_t)(buff2 >> 56); | ||
590 | *dst++ = bytebuff1; | ||
591 | - bytebuff2 = (buff2 >> 48); | ||
592 | + bytebuff2 = (uint8_t)(buff2 >> 48); | ||
593 | *dst++ = bytebuff2; | ||
594 | - bytebuff3 = (buff2 >> 40); | ||
595 | + bytebuff3 = (uint8_t)(buff2 >> 40); | ||
596 | *dst++ = bytebuff3; | ||
597 | - bytebuff4 = (buff2 >> 32); | ||
598 | + bytebuff4 = (uint8_t)(buff2 >> 32); | ||
599 | *dst++ = bytebuff4; | ||
600 | ready_bits -= 32; | ||
601 | |||
602 | @@ -9252,12 +9275,13 @@ mirrorImage(uint16_t spp, uint16_t bps, uint16_t mirror, uint32_t width, uint32_ | ||
603 | { | ||
604 | case MIRROR_BOTH: | ||
605 | case MIRROR_VERT: | ||
606 | - line_buff = (unsigned char *)limitMalloc(rowsize); | ||
607 | + line_buff = (unsigned char *)limitMalloc(rowsize + NUM_BUFF_OVERSIZE_BYTES); | ||
608 | if (line_buff == NULL) | ||
609 | { | ||
610 | - TIFFError ("mirrorImage", "Unable to allocate mirror line buffer of %1u bytes", rowsize); | ||
611 | + TIFFError ("mirrorImage", "Unable to allocate mirror line buffer of %1u bytes", rowsize + NUM_BUFF_OVERSIZE_BYTES); | ||
612 | return (-1); | ||
613 | } | ||
614 | + _TIFFmemset(line_buff, '\0', rowsize + NUM_BUFF_OVERSIZE_BYTES); | ||
615 | |||
616 | dst = ibuff + (rowsize * (length - 1)); | ||
617 | for (row = 0; row < length / 2; row++) | ||
618 | @@ -9289,11 +9313,12 @@ mirrorImage(uint16_t spp, uint16_t bps, uint16_t mirror, uint32_t width, uint32_ | ||
619 | } | ||
620 | else | ||
621 | { /* non 8 bit per sample data */ | ||
622 | - if (!(line_buff = (unsigned char *)limitMalloc(rowsize + 1))) | ||
623 | + if (!(line_buff = (unsigned char *)limitMalloc(rowsize + NUM_BUFF_OVERSIZE_BYTES))) | ||
624 | { | ||
625 | TIFFError("mirrorImage", "Unable to allocate mirror line buffer"); | ||
626 | return (-1); | ||
627 | } | ||
628 | + _TIFFmemset(line_buff, '\0', rowsize + NUM_BUFF_OVERSIZE_BYTES); | ||
629 | bytes_per_sample = (bps + 7) / 8; | ||
630 | bytes_per_pixel = ((bps * spp) + 7) / 8; | ||
631 | if (bytes_per_pixel < (bytes_per_sample + 1)) | ||
632 | @@ -9305,7 +9330,7 @@ mirrorImage(uint16_t spp, uint16_t bps, uint16_t mirror, uint32_t width, uint32_ | ||
633 | { | ||
634 | row_offset = row * rowsize; | ||
635 | src = ibuff + row_offset; | ||
636 | - _TIFFmemset (line_buff, '\0', rowsize); | ||
637 | + _TIFFmemset (line_buff, '\0', rowsize + NUM_BUFF_OVERSIZE_BYTES); | ||
638 | switch (shift_width) | ||
639 | { | ||
640 | case 1: if (reverseSamples16bits(spp, bps, width, src, line_buff)) | ||
diff --git a/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb b/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb index 29a2c38d8e..af9bdcfbde 100644 --- a/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb +++ b/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb | |||
@@ -27,6 +27,10 @@ SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \ | |||
27 | file://b258ed69a485a9cfb299d9f060eb2a46c54e5903.patch \ | 27 | file://b258ed69a485a9cfb299d9f060eb2a46c54e5903.patch \ |
28 | file://0001-tiffcrop-Fix-issue-330-and-some-more-from-320-to-349.patch \ | 28 | file://0001-tiffcrop-Fix-issue-330-and-some-more-from-320-to-349.patch \ |
29 | file://CVE-2022-2953.patch \ | 29 | file://CVE-2022-2953.patch \ |
30 | file://0001-Revised-handling-of-TIFFTAG_INKNAMES-and-related-TIF.patch \ | ||
31 | file://0001-tiffcrop-S-option-Make-decision-simpler.patch \ | ||
32 | file://0001-tiffcrop-disable-incompatibility-of-Z-X-Y-z-options-.patch \ | ||
33 | file://0001-tiffcrop-subroutines-require-a-larger-buffer-fixes-2.patch \ | ||
30 | " | 34 | " |
31 | 35 | ||
32 | SRC_URI[sha256sum] = "0e46e5acb087ce7d1ac53cf4f56a09b221537fc86dfc5daaad1c2e89e1b37ac8" | 36 | SRC_URI[sha256sum] = "0e46e5acb087ce7d1ac53cf4f56a09b221537fc86dfc5daaad1c2e89e1b37ac8" |
@@ -40,7 +44,6 @@ CVE_CHECK_IGNORE += "CVE-2015-7313" | |||
40 | # These issues only affect libtiff post-4.3.0 but before 4.4.0, | 44 | # These issues only affect libtiff post-4.3.0 but before 4.4.0, |
41 | # caused by 3079627e and fixed by b4e79bfa. | 45 | # caused by 3079627e and fixed by b4e79bfa. |
42 | CVE_CHECK_IGNORE += "CVE-2022-1622 CVE-2022-1623" | 46 | CVE_CHECK_IGNORE += "CVE-2022-1622 CVE-2022-1623" |
43 | |||
44 | # Issue is in jbig which we don't enable | 47 | # Issue is in jbig which we don't enable |
45 | CVE_CHECK_IGNORE += "CVE-2022-1210" | 48 | CVE_CHECK_IGNORE += "CVE-2022-1210" |
46 | 49 | ||