tiff: fix CVE-2020-35523 CVE-2020-35524

(From OE-Core rev: 84239e11227bc0b0e2e6d3b2faa7a9ee63025dd1) Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Lee Chee Yang <chee.yang.lee@intel.com> 2021-05-11 18:59:10 +0800
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2021-05-20 12:36:41 +0100
commit: 5471428610888c7ce997730f3d260476496340ca (patch)
tree: 6a11c7af993e45f7c465b17191225f9966b96a0d
parent: 60e33c1c4afc83e29bdb25d92875d2e0bb5c70fd (diff)
download: poky-5471428610888c7ce997730f3d260476496340ca.tar.gz
4 files changed, 136 insertions, 0 deletions
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2020-35523.patch b/meta/recipes-multimedia/libtiff/files/CVE-2020-35523.patch
new file mode 100644
index 0000000000..1f30b32799
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2020-35523.patch
@@ -0,0 +1,55 @@
+From c8d613ef497058fe653c467fc84c70a62a4a71b2 Mon Sep 17 00:00:00 2001
+From: Thomas Bernard <miniupnp@free.fr>
+Date: Tue, 10 Nov 2020 01:54:30 +0100
+Subject: [PATCH] gtTileContig(): check Tile width for overflow
+fixes #211
+Upstream-Status: Backport [ https://gitlab.com/libtiff/libtiff/-/commit/c8d613ef497058fe653c467fc84c70a62a4a71b2 ]
+CVE: CVE-2020-35523
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+ libtiff/tif_getimage.c | 17 +++++++++++++----
+ 1 file changed, 13 insertions(+), 4 deletions(-)
+diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c
+index 4da785d3..96ab1460 100644
+--- a/libtiff/tif_getimage.c
+++ b/libtiff/tif_getimage.c
+@@ -29,6 +29,7 @@
+  */
+ #include "tiffiop.h"
+ #include <stdio.h>
+#include <limits.h>
+ 
+ static int gtTileContig(TIFFRGBAImage*, uint32*, uint32, uint32);
+ static int gtTileSeparate(TIFFRGBAImage*, uint32*, uint32, uint32);
+@@ -645,12 +646,20 @@ gtTileContig(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
+ 
+     flip = setorientation(img);
+     if (flip & FLIP_VERTICALLY) {
+-           y = h - 1;
+-           toskew = -(int32)(tw + w);
+        if ((tw + w) > INT_MAX) {
+            TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "%s", "unsupported tile size (too wide)");
+            return (0);
+        }
+        y = h - 1;
+        toskew = -(int32)(tw + w);
+     }
+     else {
+-           y = 0;
+-           toskew = -(int32)(tw - w);
+        if (tw > (INT_MAX + w)) {
+            TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "%s", "unsupported tile size (too wide)");
+            return (0);
+        }
+        y = 0;
+        toskew = -(int32)(tw - w);
+     }
+      
+     /*
+-- 
+GitLab
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2020-35524-1.patch b/meta/recipes-multimedia/libtiff/files/CVE-2020-35524-1.patch
new file mode 100644
index 0000000000..5232eacb50
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2020-35524-1.patch
@@ -0,0 +1,42 @@
+From c6a12721b46f1a72974f91177890301730d7b330 Mon Sep 17 00:00:00 2001
+From: Thomas Bernard <miniupnp@free.fr>
+Date: Tue, 10 Nov 2020 01:01:59 +0100
+Subject: [PATCH] tiff2pdf.c: properly calculate datasize when saving to JPEG
+ YCbCr
+fixes #220
+Upstream-Status: Backport
+https://gitlab.com/libtiff/libtiff/-/commit/c6a12721b46f1a72974f91177890301730d7b330
+https://gitlab.com/libtiff/libtiff/-/merge_requests/159/commits
+CVE: CVE-2021-35524
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+ tools/tiff2pdf.c | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+diff --git a/tools/tiff2pdf.c b/tools/tiff2pdf.c
+index 719811ea..dc69d2f9 100644
+--- a/tools/tiff2pdf.c
+++ b/tools/tiff2pdf.c
+@@ -2087,9 +2087,14 @@ void t2p_read_tiff_size(T2P* t2p, TIFF* input){
+ #endif
+                (void) 0;
+        }
+-       k = checkMultiply64(TIFFScanlineSize(input), t2p->tiff_length, t2p);
+-       if(t2p->tiff_planar==PLANARCONFIG_SEPARATE){
+-               k = checkMultiply64(k, t2p->tiff_samplesperpixel, t2p);
+       if(t2p->pdf_compression == T2P_COMPRESS_JPEG
+          && t2p->tiff_photometric == PHOTOMETRIC_YCBCR) {
+               k = checkMultiply64(TIFFNumberOfStrips(input), TIFFStripSize(input), t2p);
+       } else {
+               k = checkMultiply64(TIFFScanlineSize(input), t2p->tiff_length, t2p);
+               if(t2p->tiff_planar==PLANARCONFIG_SEPARATE){
+                       k = checkMultiply64(k, t2p->tiff_samplesperpixel, t2p);
+               }
+        }
+        if (k == 0) {
+                /* Assume we had overflow inside TIFFScanlineSize */
+-- 
+GitLab
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2020-35524-2.patch b/meta/recipes-multimedia/libtiff/files/CVE-2020-35524-2.patch
new file mode 100644
index 0000000000..406d467766
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2020-35524-2.patch
@@ -0,0 +1,36 @@
+From d74f56e3b7ea55c8a18a03bc247cd5fd0ca288b2 Mon Sep 17 00:00:00 2001
+From: Thomas Bernard <miniupnp@free.fr>
+Date: Tue, 10 Nov 2020 02:05:05 +0100
+Subject: [PATCH] Fix for building without JPEG support
+Upstream-Status: Backport
+https://gitlab.com/libtiff/libtiff/-/commit/d74f56e3b7ea55c8a18a03bc247cd5fd0ca288b2
+https://gitlab.com/libtiff/libtiff/-/merge_requests/159/commits
+CVE: CVE-2021-35524
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+ tools/tiff2pdf.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+diff --git a/tools/tiff2pdf.c b/tools/tiff2pdf.c
+index dc69d2f9..d0b0ede7 100644
+--- a/tools/tiff2pdf.c
+++ b/tools/tiff2pdf.c
+@@ -2087,10 +2087,13 @@ void t2p_read_tiff_size(T2P* t2p, TIFF* input){
+ #endif
+                (void) 0;
+        }
+#ifdef JPEG_SUPPORT
+        if(t2p->pdf_compression == T2P_COMPRESS_JPEG
+           && t2p->tiff_photometric == PHOTOMETRIC_YCBCR) {
+                k = checkMultiply64(TIFFNumberOfStrips(input), TIFFStripSize(input), t2p);
+-       } else {
+       } else
+#endif
+       {
+                k = checkMultiply64(TIFFScanlineSize(input), t2p->tiff_length, t2p);
+                if(t2p->tiff_planar==PLANARCONFIG_SEPARATE){
+                        k = checkMultiply64(k, t2p->tiff_samplesperpixel, t2p);
+-- 
+GitLab
diff --git a/meta/recipes-multimedia/libtiff/tiff_4.1.0.bb b/meta/recipes-multimedia/libtiff/tiff_4.1.0.bb
index 5a1cb13c53..97ad575f64 100644
--- a/meta/recipes-multimedia/libtiff/tiff_4.1.0.bb
+++ b/meta/recipes-multimedia/libtiff/tiff_4.1.0.bb
@@ -9,6 +9,9 @@ LIC_FILES_CHKSUM = "file://COPYRIGHT;md5=34da3db46fab7501992f9615d7e158cf"
 CVE_PRODUCT = "libtiff"
 SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
+           file://CVE-2020-35523.patch  \
+           file://CVE-2020-35524-1.patch \
+           file://CVE-2020-35524-2.patch \
          "
 SRC_URI[md5sum] = "2165e7aba557463acc0664e71a3ed424"
 SRC_URI[sha256sum] = "5d29f32517dadb6dbcd1255ea5bbc93a2b54b94fbf83653b4d65c7d6775b8634"
author	Lee Chee Yang <chee.yang.lee@intel.com>	2021-05-11 18:59:10 +0800
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2021-05-20 12:36:41 +0100
commit	5471428610888c7ce997730f3d260476496340ca (patch)
tree	6a11c7af993e45f7c465b17191225f9966b96a0d
parent	60e33c1c4afc83e29bdb25d92875d2e0bb5c70fd (diff)
download	poky-5471428610888c7ce997730f3d260476496340ca.tar.gz

diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2020-35523.patch b/meta/recipes-multimedia/libtiff/files/CVE-2020-35523.patch new file mode 100644 index 0000000000..1f30b32799 --- /dev/null +++ b/meta/recipes-multimedia/libtiff/files/CVE-2020-35523.patch
@@ -0,0 +1,55 @@
		1	From c8d613ef497058fe653c467fc84c70a62a4a71b2 Mon Sep 17 00:00:00 2001
		2	From: Thomas Bernard <miniupnp@free.fr>
		3	Date: Tue, 10 Nov 2020 01:54:30 +0100
		4	Subject: [PATCH] gtTileContig(): check Tile width for overflow
		5
		6	fixes #211
		7
		8	Upstream-Status: Backport [ https://gitlab.com/libtiff/libtiff/-/commit/c8d613ef497058fe653c467fc84c70a62a4a71b2 ]
		9	CVE: CVE-2020-35523
		10	Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
		11	---
		12	libtiff/tif_getimage.c \| 17 +++++++++++++----
		13	1 file changed, 13 insertions(+), 4 deletions(-)
		14
		15	diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c
		16	index 4da785d3..96ab1460 100644
		17	--- a/libtiff/tif_getimage.c
		18	+++ b/libtiff/tif_getimage.c
		19	@@ -29,6 +29,7 @@
		20	*/
		21	#include "tiffiop.h"
		22	#include <stdio.h>
		23	+#include <limits.h>
		24
		25	static int gtTileContig(TIFFRGBAImage, uint32, uint32, uint32);
		26	static int gtTileSeparate(TIFFRGBAImage, uint32, uint32, uint32);
		27	@@ -645,12 +646,20 @@ gtTileContig(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
		28
		29	flip = setorientation(img);
		30	if (flip & FLIP_VERTICALLY) {
		31	- y = h - 1;
		32	- toskew = -(int32)(tw + w);
		33	+ if ((tw + w) > INT_MAX) {
		34	+ TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "%s", "unsupported tile size (too wide)");
		35	+ return (0);
		36	+ }
		37	+ y = h - 1;
		38	+ toskew = -(int32)(tw + w);
		39	}
		40	else {
		41	- y = 0;
		42	- toskew = -(int32)(tw - w);
		43	+ if (tw > (INT_MAX + w)) {
		44	+ TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "%s", "unsupported tile size (too wide)");
		45	+ return (0);
		46	+ }
		47	+ y = 0;
		48	+ toskew = -(int32)(tw - w);
		49	}
		50
		51	/*
		52	--
		53	GitLab
		54
		55


diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2020-35524-1.patch b/meta/recipes-multimedia/libtiff/files/CVE-2020-35524-1.patch new file mode 100644 index 0000000000..5232eacb50 --- /dev/null +++ b/meta/recipes-multimedia/libtiff/files/CVE-2020-35524-1.patch
@@ -0,0 +1,42 @@
		1	From c6a12721b46f1a72974f91177890301730d7b330 Mon Sep 17 00:00:00 2001
		2	From: Thomas Bernard <miniupnp@free.fr>
		3	Date: Tue, 10 Nov 2020 01:01:59 +0100
		4	Subject: [PATCH] tiff2pdf.c: properly calculate datasize when saving to JPEG
		5	YCbCr
		6
		7	fixes #220
		8	Upstream-Status: Backport
		9	https://gitlab.com/libtiff/libtiff/-/commit/c6a12721b46f1a72974f91177890301730d7b330
		10	https://gitlab.com/libtiff/libtiff/-/merge_requests/159/commits
		11	CVE: CVE-2021-35524
		12	Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
		13
		14	---
		15	tools/tiff2pdf.c \| 11 ++++++++---
		16	1 file changed, 8 insertions(+), 3 deletions(-)
		17
		18	diff --git a/tools/tiff2pdf.c b/tools/tiff2pdf.c
		19	index 719811ea..dc69d2f9 100644
		20	--- a/tools/tiff2pdf.c
		21	+++ b/tools/tiff2pdf.c
		22	@@ -2087,9 +2087,14 @@ void t2p_read_tiff_size(T2P* t2p, TIFF* input){
		23	#endif
		24	(void) 0;
		25	}
		26	- k = checkMultiply64(TIFFScanlineSize(input), t2p->tiff_length, t2p);
		27	- if(t2p->tiff_planar==PLANARCONFIG_SEPARATE){
		28	- k = checkMultiply64(k, t2p->tiff_samplesperpixel, t2p);
		29	+ if(t2p->pdf_compression == T2P_COMPRESS_JPEG
		30	+ && t2p->tiff_photometric == PHOTOMETRIC_YCBCR) {
		31	+ k = checkMultiply64(TIFFNumberOfStrips(input), TIFFStripSize(input), t2p);
		32	+ } else {
		33	+ k = checkMultiply64(TIFFScanlineSize(input), t2p->tiff_length, t2p);
		34	+ if(t2p->tiff_planar==PLANARCONFIG_SEPARATE){
		35	+ k = checkMultiply64(k, t2p->tiff_samplesperpixel, t2p);
		36	+ }
		37	}
		38	if (k == 0) {
		39	/* Assume we had overflow inside TIFFScanlineSize */
		40	--
		41	GitLab
		42


diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2020-35524-2.patch b/meta/recipes-multimedia/libtiff/files/CVE-2020-35524-2.patch new file mode 100644 index 0000000000..406d467766 --- /dev/null +++ b/meta/recipes-multimedia/libtiff/files/CVE-2020-35524-2.patch
@@ -0,0 +1,36 @@
		1	From d74f56e3b7ea55c8a18a03bc247cd5fd0ca288b2 Mon Sep 17 00:00:00 2001
		2	From: Thomas Bernard <miniupnp@free.fr>
		3	Date: Tue, 10 Nov 2020 02:05:05 +0100
		4	Subject: [PATCH] Fix for building without JPEG support
		5
		6	Upstream-Status: Backport
		7	https://gitlab.com/libtiff/libtiff/-/commit/d74f56e3b7ea55c8a18a03bc247cd5fd0ca288b2
		8	https://gitlab.com/libtiff/libtiff/-/merge_requests/159/commits
		9	CVE: CVE-2021-35524
		10	Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
		11	---
		12	tools/tiff2pdf.c \| 5 ++++-
		13	1 file changed, 4 insertions(+), 1 deletion(-)
		14
		15	diff --git a/tools/tiff2pdf.c b/tools/tiff2pdf.c
		16	index dc69d2f9..d0b0ede7 100644
		17	--- a/tools/tiff2pdf.c
		18	+++ b/tools/tiff2pdf.c
		19	@@ -2087,10 +2087,13 @@ void t2p_read_tiff_size(T2P* t2p, TIFF* input){
		20	#endif
		21	(void) 0;
		22	}
		23	+#ifdef JPEG_SUPPORT
		24	if(t2p->pdf_compression == T2P_COMPRESS_JPEG
		25	&& t2p->tiff_photometric == PHOTOMETRIC_YCBCR) {
		26	k = checkMultiply64(TIFFNumberOfStrips(input), TIFFStripSize(input), t2p);
		27	- } else {
		28	+ } else
		29	+#endif
		30	+ {
		31	k = checkMultiply64(TIFFScanlineSize(input), t2p->tiff_length, t2p);
		32	if(t2p->tiff_planar==PLANARCONFIG_SEPARATE){
		33	k = checkMultiply64(k, t2p->tiff_samplesperpixel, t2p);
		34	--
		35	GitLab
		36


diff --git a/meta/recipes-multimedia/libtiff/tiff_4.1.0.bb b/meta/recipes-multimedia/libtiff/tiff_4.1.0.bb index 5a1cb13c53..97ad575f64 100644 --- a/meta/recipes-multimedia/libtiff/tiff_4.1.0.bb +++ b/meta/recipes-multimedia/libtiff/tiff_4.1.0.bb
@@ -9,6 +9,9 @@ LIC_FILES_CHKSUM = "file://COPYRIGHT;md5=34da3db46fab7501992f9615d7e158cf"
9	CVE_PRODUCT = "libtiff"	9	CVE_PRODUCT = "libtiff"
10		10
11	SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \	11	SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
		12	file://CVE-2020-35523.patch \
		13	file://CVE-2020-35524-1.patch \
		14	file://CVE-2020-35524-2.patch \
12	"	15	"
13	SRC_URI[md5sum] = "2165e7aba557463acc0664e71a3ed424"	16	SRC_URI[md5sum] = "2165e7aba557463acc0664e71a3ed424"
14	SRC_URI[sha256sum] = "5d29f32517dadb6dbcd1255ea5bbc93a2b54b94fbf83653b4d65c7d6775b8634"	17	SRC_URI[sha256sum] = "5d29f32517dadb6dbcd1255ea5bbc93a2b54b94fbf83653b4d65c7d6775b8634"