tiff: Add backports for two CVEs from upstream

Based on commit from master (From OE-Core rev: a5bb7cc568d5da3633f3854295b0ebe46a2dd863) Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit 6ae14b4ff7a655b48c6d99ac565d12bf8825414f) Signed-off-by: Sana Kazi <Sana.Kazi@kpit.com> Signed-off-by: Sana Kazi <sanakazisk19@gmail.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: sana kazi <sanakazisk19@gmail.com> 2022-03-09 17:29:32 +0530
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2022-03-11 23:44:42 +0000
commit: ce4a1354ccfd7cfd226befd31c2dd2238b077250 (patch)
tree: 4335a03b14ea1a085c7229e3ecbcc240033ebfe1
parent: f3baa35d4281ba0d56ade67463f5ca06550cd57b (diff)
download: poky-ce4a1354ccfd7cfd226befd31c2dd2238b077250.tar.gz
3 files changed, 60 insertions, 0 deletions
diff --git a/meta/recipes-multimedia/libtiff/tiff/561599c99f987dc32ae110370cfdd7df7975586b.patch b/meta/recipes-multimedia/libtiff/tiff/561599c99f987dc32ae110370cfdd7df7975586b.patch
new file mode 100644
index 0000000000..01ed5dcd24
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/tiff/561599c99f987dc32ae110370cfdd7df7975586b.patch
@@ -0,0 +1,28 @@
+From 561599c99f987dc32ae110370cfdd7df7975586b Mon Sep 17 00:00:00 2001
+From: Even Rouault <even.rouault@spatialys.com>
+Date: Sat, 5 Feb 2022 20:36:41 +0100
+Subject: [PATCH] TIFFReadDirectory(): avoid calling memcpy() with a null
+ source pointer and size of zero (fixes #362)
+Upstream-Status: Backport
+CVE: CVE-2022-0562
+Signed-off-by: Sana Kazi <Sana.Kazi@kpit.com>
+Comment: Refreshed patch
+---
+ libtiff/tif_dirread.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c
+index 2bbc4585..23194ced 100644
+--- a/libtiff/tif_dirread.c
+++ b/libtiff/tif_dirread.c
+@@ -4126,7 +4126,8 @@
+                     goto bad;
+                 }
+ 
+-                memcpy(new_sampleinfo, tif->tif_dir.td_sampleinfo, old_extrasamples * sizeof(uint16));
+                if (old_extrasamples > 0)
+                    memcpy(new_sampleinfo, tif->tif_dir.td_sampleinfo, old_extrasamples * sizeof(uint16));
+                 _TIFFsetShortArray(&tif->tif_dir.td_sampleinfo, new_sampleinfo, tif->tif_dir.td_extrasamples);
+                 _TIFFfree(new_sampleinfo);
+         }
diff --git a/meta/recipes-multimedia/libtiff/tiff/eecb0712f4c3a5b449f70c57988260a667ddbdef.patch b/meta/recipes-multimedia/libtiff/tiff/eecb0712f4c3a5b449f70c57988260a667ddbdef.patch
new file mode 100644
index 0000000000..fc5d0ab5f4
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/tiff/eecb0712f4c3a5b449f70c57988260a667ddbdef.patch
@@ -0,0 +1,30 @@
+From eecb0712f4c3a5b449f70c57988260a667ddbdef Mon Sep 17 00:00:00 2001
+From: Even Rouault <even.rouault@spatialys.com>
+Date: Sun, 6 Feb 2022 13:08:38 +0100
+Subject: [PATCH] TIFFFetchStripThing(): avoid calling memcpy() with a null
+ source pointer and size of zero (fixes #362)
+Upstream-Status: Backport
+CVE: CVE-2022-0561
+Signed-off-by: Sana Kazi <Sana.Kazi@kpit.com>
+Comment: Refreshed patch
+---
+ libtiff/tif_dirread.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c
+index 23194ced..50ebf8ac 100644
+--- a/libtiff/tif_dirread.c
+++ b/libtiff/tif_dirread.c
+@@ -5683,8 +5682,9 @@
+                        _TIFFfree(data);
+                        return(0);
+                }
+-                _TIFFmemcpy(resizeddata,data,(uint32)dir->tdir_count*sizeof(uint64));
+-                _TIFFmemset(resizeddata+(uint32)dir->tdir_count,0,(nstrips-(uint32)dir->tdir_count)*sizeof(uint64));
+               if( dir->tdir_count )
+                       _TIFFmemcpy(resizeddata,data, (uint32)dir->tdir_count * sizeof(uint64));
+               _TIFFmemset(resizeddata+(uint32)dir->tdir_count, 0, (nstrips - (uint32)dir->tdir_count) * sizeof(uint64));
+                _TIFFfree(data);
+                data=resizeddata;
+        }
diff --git a/meta/recipes-multimedia/libtiff/tiff_4.1.0.bb b/meta/recipes-multimedia/libtiff/tiff_4.1.0.bb
index 0948bb4e2f..9db247ecc7 100644
--- a/meta/recipes-multimedia/libtiff/tiff_4.1.0.bb
+++ b/meta/recipes-multimedia/libtiff/tiff_4.1.0.bb
@@ -16,6 +16,8 @@ SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
           file://002_support_patch_for_CVE-2020-35521_and_CVE-2020-35522.patch \
           file://CVE-2020-35521_and_CVE-2020-35522.patch \
           file://0001-tiffset-fix-global-buffer-overflow-for-ASCII-tags-wh.patch \
+           file://561599c99f987dc32ae110370cfdd7df7975586b.patch \
+           file://eecb0712f4c3a5b449f70c57988260a667ddbdef.patch \
          "
 SRC_URI[md5sum] = "2165e7aba557463acc0664e71a3ed424"
 SRC_URI[sha256sum] = "5d29f32517dadb6dbcd1255ea5bbc93a2b54b94fbf83653b4d65c7d6775b8634"
author	sana kazi <sanakazisk19@gmail.com>	2022-03-09 17:29:32 +0530
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2022-03-11 23:44:42 +0000
commit	ce4a1354ccfd7cfd226befd31c2dd2238b077250 (patch)
tree	4335a03b14ea1a085c7229e3ecbcc240033ebfe1
parent	f3baa35d4281ba0d56ade67463f5ca06550cd57b (diff)
download	poky-ce4a1354ccfd7cfd226befd31c2dd2238b077250.tar.gz

diff --git a/meta/recipes-multimedia/libtiff/tiff/561599c99f987dc32ae110370cfdd7df7975586b.patch b/meta/recipes-multimedia/libtiff/tiff/561599c99f987dc32ae110370cfdd7df7975586b.patch new file mode 100644 index 0000000000..01ed5dcd24 --- /dev/null +++ b/meta/recipes-multimedia/libtiff/tiff/561599c99f987dc32ae110370cfdd7df7975586b.patch
@@ -0,0 +1,28 @@
		1	From 561599c99f987dc32ae110370cfdd7df7975586b Mon Sep 17 00:00:00 2001
		2	From: Even Rouault <even.rouault@spatialys.com>
		3	Date: Sat, 5 Feb 2022 20:36:41 +0100
		4	Subject: [PATCH] TIFFReadDirectory(): avoid calling memcpy() with a null
		5	source pointer and size of zero (fixes #362)
		6
		7	Upstream-Status: Backport
		8	CVE: CVE-2022-0562
		9	Signed-off-by: Sana Kazi <Sana.Kazi@kpit.com>
		10	Comment: Refreshed patch
		11	---
		12	libtiff/tif_dirread.c \| 3 ++-
		13	1 file changed, 2 insertions(+), 1 deletion(-)
		14
		15	diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c
		16	index 2bbc4585..23194ced 100644
		17	--- a/libtiff/tif_dirread.c
		18	+++ b/libtiff/tif_dirread.c
		19	@@ -4126,7 +4126,8 @@
		20	goto bad;
		21	}
		22
		23	- memcpy(new_sampleinfo, tif->tif_dir.td_sampleinfo, old_extrasamples * sizeof(uint16));
		24	+ if (old_extrasamples > 0)
		25	+ memcpy(new_sampleinfo, tif->tif_dir.td_sampleinfo, old_extrasamples * sizeof(uint16));
		26	_TIFFsetShortArray(&tif->tif_dir.td_sampleinfo, new_sampleinfo, tif->tif_dir.td_extrasamples);
		27	_TIFFfree(new_sampleinfo);
		28	}


diff --git a/meta/recipes-multimedia/libtiff/tiff/eecb0712f4c3a5b449f70c57988260a667ddbdef.patch b/meta/recipes-multimedia/libtiff/tiff/eecb0712f4c3a5b449f70c57988260a667ddbdef.patch new file mode 100644 index 0000000000..fc5d0ab5f4 --- /dev/null +++ b/meta/recipes-multimedia/libtiff/tiff/eecb0712f4c3a5b449f70c57988260a667ddbdef.patch
@@ -0,0 +1,30 @@
		1	From eecb0712f4c3a5b449f70c57988260a667ddbdef Mon Sep 17 00:00:00 2001
		2	From: Even Rouault <even.rouault@spatialys.com>
		3	Date: Sun, 6 Feb 2022 13:08:38 +0100
		4	Subject: [PATCH] TIFFFetchStripThing(): avoid calling memcpy() with a null
		5	source pointer and size of zero (fixes #362)
		6
		7	Upstream-Status: Backport
		8	CVE: CVE-2022-0561
		9	Signed-off-by: Sana Kazi <Sana.Kazi@kpit.com>
		10	Comment: Refreshed patch
		11	---
		12	libtiff/tif_dirread.c \| 5 +++--
		13	1 file changed, 3 insertions(+), 2 deletions(-)
		14
		15	diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c
		16	index 23194ced..50ebf8ac 100644
		17	--- a/libtiff/tif_dirread.c
		18	+++ b/libtiff/tif_dirread.c
		19	@@ -5683,8 +5682,9 @@
		20	_TIFFfree(data);
		21	return(0);
		22	}
		23	- _TIFFmemcpy(resizeddata,data,(uint32)dir->tdir_count*sizeof(uint64));
		24	- _TIFFmemset(resizeddata+(uint32)dir->tdir_count,0,(nstrips-(uint32)dir->tdir_count)*sizeof(uint64));
		25	+ if( dir->tdir_count )
		26	+ _TIFFmemcpy(resizeddata,data, (uint32)dir->tdir_count * sizeof(uint64));
		27	+ _TIFFmemset(resizeddata+(uint32)dir->tdir_count, 0, (nstrips - (uint32)dir->tdir_count) * sizeof(uint64));
		28	_TIFFfree(data);
		29	data=resizeddata;
		30	}


diff --git a/meta/recipes-multimedia/libtiff/tiff_4.1.0.bb b/meta/recipes-multimedia/libtiff/tiff_4.1.0.bb index 0948bb4e2f..9db247ecc7 100644 --- a/meta/recipes-multimedia/libtiff/tiff_4.1.0.bb +++ b/meta/recipes-multimedia/libtiff/tiff_4.1.0.bb
@@ -16,6 +16,8 @@ SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
16	file://002_support_patch_for_CVE-2020-35521_and_CVE-2020-35522.patch \	16	file://002_support_patch_for_CVE-2020-35521_and_CVE-2020-35522.patch \
17	file://CVE-2020-35521_and_CVE-2020-35522.patch \	17	file://CVE-2020-35521_and_CVE-2020-35522.patch \
18	file://0001-tiffset-fix-global-buffer-overflow-for-ASCII-tags-wh.patch \	18	file://0001-tiffset-fix-global-buffer-overflow-for-ASCII-tags-wh.patch \
		19	file://561599c99f987dc32ae110370cfdd7df7975586b.patch \
		20	file://eecb0712f4c3a5b449f70c57988260a667ddbdef.patch \
19	"	21	"
20	SRC_URI[md5sum] = "2165e7aba557463acc0664e71a3ed424"	22	SRC_URI[md5sum] = "2165e7aba557463acc0664e71a3ed424"
21	SRC_URI[sha256sum] = "5d29f32517dadb6dbcd1255ea5bbc93a2b54b94fbf83653b4d65c7d6775b8634"	23	SRC_URI[sha256sum] = "5d29f32517dadb6dbcd1255ea5bbc93a2b54b94fbf83653b4d65c7d6775b8634"