diff options
author | Hitendra Prajapati <hprajapati@mvista.com> | 2023-08-01 11:42:22 +0530 |
---|---|---|
committer | Steve Sakoman <steve@sakoman.com> | 2023-08-16 03:55:12 -1000 |
commit | b5f81a875de8a146c4f698d9bd06ac1a152a01f7 (patch) | |
tree | 6e3f02b157fee9904ec24a2e65b1a96158617aa6 /meta/recipes-multimedia/libtiff/files/CVE-2023-25434-CVE-2023-25435.patch | |
parent | 2ff427ee403263834ef7f59027f197e44fb7ed1d (diff) | |
download | poky-b5f81a875de8a146c4f698d9bd06ac1a152a01f7.tar.gz |
tiff: fix multiple CVEs
Backport fixes for:
* CVE-2023-25433 - Upstream-Status: Backport from https://gitlab.com/libtiff/libtiff/-/commit/9c22495e5eeeae9e00a1596720c969656bb8d678 && https://gitlab.com/libtiff/libtiff/-/commit/688012dca2c39033aa2dc7bcea9796787cfd1b44
* CVE-2023-25434 & CVE-2023-25435 - Upstream-Status: Backport from https://gitlab.com/libtiff/libtiff/-/commit/69818e2f2d246e6631ac2a2da692c3706b849c38
* CVE-2023-26965 & CVE-2023-26966 - Upstream-Status: Backport from import from debian http://security.debian.org/debian-security/pool/updates/main/t/tiff/tiff_4.1.0+git191117-2~deb10u8.debian.tar.xz]
(From OE-Core rev: 3d322227477f9e82fc22de6e896174d04513d72b)
Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Diffstat (limited to 'meta/recipes-multimedia/libtiff/files/CVE-2023-25434-CVE-2023-25435.patch')
-rw-r--r-- | meta/recipes-multimedia/libtiff/files/CVE-2023-25434-CVE-2023-25435.patch | 94 |
1 files changed, 94 insertions, 0 deletions
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2023-25434-CVE-2023-25435.patch b/meta/recipes-multimedia/libtiff/files/CVE-2023-25434-CVE-2023-25435.patch new file mode 100644 index 0000000000..6a6596f092 --- /dev/null +++ b/meta/recipes-multimedia/libtiff/files/CVE-2023-25434-CVE-2023-25435.patch | |||
@@ -0,0 +1,94 @@ | |||
1 | From 69818e2f2d246e6631ac2a2da692c3706b849c38 Mon Sep 17 00:00:00 2001 | ||
2 | From: Su_Laus <sulau@freenet.de> | ||
3 | Date: Sun, 29 Jan 2023 11:09:26 +0100 | ||
4 | Subject: [PATCH] tiffcrop: Amend rotateImage() not to toggle the input (main) | ||
5 | image width and length parameters when only cropped image sections are | ||
6 | rotated. Remove buffptr from region structure because never used. | ||
7 | |||
8 | Closes #492 #493 #494 #495 #499 #518 #519 | ||
9 | |||
10 | Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/69818e2f2d246e6631ac2a2da692c3706b849c38] | ||
11 | CVE: CVE-2023-25434 & CVE-2023-25435 | ||
12 | Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> | ||
13 | --- | ||
14 | tools/tiffcrop.c | 29 +++++++++++++++++------------ | ||
15 | 1 file changed, 17 insertions(+), 12 deletions(-) | ||
16 | |||
17 | diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c | ||
18 | index aab0ec6..ce84414 100644 | ||
19 | --- a/tools/tiffcrop.c | ||
20 | +++ b/tools/tiffcrop.c | ||
21 | @@ -531,7 +531,7 @@ static int rotateContigSamples24bits(uint16, uint16, uint16, uint32, | ||
22 | static int rotateContigSamples32bits(uint16, uint16, uint16, uint32, | ||
23 | uint32, uint32, uint8 *, uint8 *); | ||
24 | static int rotateImage(uint16, struct image_data *, uint32 *, uint32 *, | ||
25 | - unsigned char **, size_t *); | ||
26 | + unsigned char **, size_t *, int); | ||
27 | static int mirrorImage(uint16, uint16, uint16, uint32, uint32, | ||
28 | unsigned char *); | ||
29 | static int invertImage(uint16, uint16, uint16, uint32, uint32, | ||
30 | @@ -6382,10 +6382,11 @@ static int correct_orientation(struct image_data *image, unsigned char **work_b | ||
31 | /* Dummy variable in order not to switch two times the | ||
32 | * image->width,->length within rotateImage(), | ||
33 | * but switch xres, yres there. */ | ||
34 | - uint32_t width = image->width; | ||
35 | - uint32_t length = image->length; | ||
36 | - if (rotateImage(rotation, image, &width, &length, work_buff_ptr, NULL)) | ||
37 | - { | ||
38 | + uint32_t width = image->width; | ||
39 | + uint32_t length = image->length; | ||
40 | + if (rotateImage(rotation, image, &width, &length, work_buff_ptr, NULL, | ||
41 | + TRUE)) | ||
42 | + { | ||
43 | TIFFError ("correct_orientation", "Unable to rotate image"); | ||
44 | return (-1); | ||
45 | } | ||
46 | @@ -7612,7 +7613,8 @@ processCropSelections(struct image_data *image, struct crop_mask *crop, | ||
47 | * accordingly. */ | ||
48 | size_t rot_buf_size = 0; | ||
49 | if (rotateImage(crop->rotation, image, &crop->combined_width, | ||
50 | - &crop->combined_length, &crop_buff, &rot_buf_size)) | ||
51 | + &crop->combined_length, &crop_buff, &rot_buf_size, | ||
52 | + FALSE)) | ||
53 | { | ||
54 | TIFFError("processCropSelections", | ||
55 | "Failed to rotate composite regions by %d degrees", crop->rotation); | ||
56 | @@ -7721,9 +7723,10 @@ processCropSelections(struct image_data *image, struct crop_mask *crop, | ||
57 | * its size individually. Therefore, seg_buffs size needs to be | ||
58 | * updated accordingly. */ | ||
59 | size_t rot_buf_size = 0; | ||
60 | - if (rotateImage( | ||
61 | - crop->rotation, image, &crop->regionlist[i].width, | ||
62 | - &crop->regionlist[i].length, &crop_buff, &rot_buf_size)) | ||
63 | + if (rotateImage(crop->rotation, image, | ||
64 | + &crop->regionlist[i].width, | ||
65 | + &crop->regionlist[i].length, &crop_buff, | ||
66 | + &rot_buf_size, FALSE)) | ||
67 | { | ||
68 | TIFFError("processCropSelections", | ||
69 | "Failed to rotate crop region by %d degrees", crop->rotation); | ||
70 | @@ -7853,7 +7856,7 @@ createCroppedImage(struct image_data *image, struct crop_mask *crop, | ||
71 | if (crop->crop_mode & CROP_ROTATE) /* rotate should be last as it can reallocate the buffer */ | ||
72 | { | ||
73 | if (rotateImage(crop->rotation, image, &crop->combined_width, | ||
74 | - &crop->combined_length, crop_buff_ptr, NULL)) | ||
75 | + &crop->combined_length, crop_buff_ptr, NULL, TRUE)) | ||
76 | { | ||
77 | TIFFError("createCroppedImage", | ||
78 | "Failed to rotate image or cropped selection by %d degrees", crop->rotation); | ||
79 | @@ -8515,8 +8518,10 @@ rotateContigSamples32bits(uint16 rotation, uint16 spp, uint16 bps, uint32 width, | ||
80 | |||
81 | /* Rotate an image by a multiple of 90 degrees clockwise */ | ||
82 | static int | ||
83 | -rotateImage(uint16 rotation, struct image_data *image, uint32 *img_width, | ||
84 | - uint32 *img_length, unsigned char **ibuff_ptr, int rot_image_params) | ||
85 | +rotateImage(uint16 rotation, struct image_data *image, | ||
86 | + uint32 *img_width, uint32 *img_length, | ||
87 | + unsigned char **ibuff_ptr, size_t *rot_buf_size, | ||
88 | + int rot_image_params) | ||
89 | { | ||
90 | int shift_width; | ||
91 | uint32 bytes_per_pixel, bytes_per_sample; | ||
92 | -- | ||
93 | 2.25.1 | ||
94 | |||