tiff: fix multiple CVEs

Backport fixes for: * CVE-2023-25433 - Upstream-Status: Backport from https://gitlab.com/libtiff/libtiff/-/commit/9c22495e5eeeae9e00a1596720c969656bb8d678 && https://gitlab.com/libtiff/libtiff/-/commit/688012dca2c39033aa2dc7bcea9796787cfd1b44 * CVE-2023-25434 & CVE-2023-25435 - Upstream-Status: Backport from https://gitlab.com/libtiff/libtiff/-/commit/69818e2f2d246e6631ac2a2da692c3706b849c38 * CVE-2023-26965 & CVE-2023-26966 - Upstream-Status: Backport from import from debian http://security.debian.org/debian-security/pool/updates/main/t/tiff/tiff_4.1.0+git191117-2~deb10u8.debian.tar.xz] (From OE-Core rev: 3d322227477f9e82fc22de6e896174d04513d72b) Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
author: Hitendra Prajapati <hprajapati@mvista.com> 2023-08-01 11:42:22 +0530
committer: Steve Sakoman <steve@sakoman.com> 2023-08-16 03:55:12 -1000
commit: b5f81a875de8a146c4f698d9bd06ac1a152a01f7 (patch)
tree: 6e3f02b157fee9904ec24a2e65b1a96158617aa6 /meta/recipes-multimedia/libtiff/files/CVE-2023-25434-CVE-2023-25435.patch
parent: 2ff427ee403263834ef7f59027f197e44fb7ed1d (diff)
download: poky-b5f81a875de8a146c4f698d9bd06ac1a152a01f7.tar.gz
1 files changed, 94 insertions, 0 deletions
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2023-25434-CVE-2023-25435.patch b/meta/recipes-multimedia/libtiff/files/CVE-2023-25434-CVE-2023-25435.patch
new file mode 100644
index 0000000000..6a6596f092
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2023-25434-CVE-2023-25435.patch
@@ -0,0 +1,94 @@
+From 69818e2f2d246e6631ac2a2da692c3706b849c38 Mon Sep 17 00:00:00 2001
+From: Su_Laus <sulau@freenet.de>
+Date: Sun, 29 Jan 2023 11:09:26 +0100
+Subject: [PATCH] tiffcrop: Amend rotateImage() not to toggle the input (main)
+ image width and length parameters when only cropped image sections are
+ rotated. Remove buffptr from region structure because never used.
+Closes #492 #493 #494 #495 #499 #518 #519
+Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/69818e2f2d246e6631ac2a2da692c3706b849c38]
+CVE: CVE-2023-25434 & CVE-2023-25435
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ tools/tiffcrop.c | 29 +++++++++++++++++------------
+ 1 file changed, 17 insertions(+), 12 deletions(-)
+diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
+index aab0ec6..ce84414 100644
+--- a/tools/tiffcrop.c
+++ b/tools/tiffcrop.c
+@@ -531,7 +531,7 @@ static int rotateContigSamples24bits(uint16, uint16, uint16, uint32,
+ static int rotateContigSamples32bits(uint16, uint16, uint16, uint32, 
+                                      uint32,   uint32, uint8 *, uint8 *);
+ static int rotateImage(uint16, struct image_data *, uint32 *, uint32 *,
+-                      unsigned char **, size_t *);
+                      unsigned char **, size_t *, int);
+ static int mirrorImage(uint16, uint16, uint16, uint32, uint32,
+                       unsigned char *);
+ static int invertImage(uint16, uint16, uint16, uint32, uint32,
+@@ -6382,10 +6382,11 @@ static int  correct_orientation(struct image_data *image, unsigned char **work_b
+       /* Dummy variable in order not to switch two times the
+        * image->width,->length within rotateImage(),
+        * but switch xres, yres there. */
+-      uint32_t width = image->width;
+-      uint32_t length = image->length;
+-      if (rotateImage(rotation, image, &width, &length, work_buff_ptr, NULL))
+-      {
+        uint32_t width = image->width;
+        uint32_t length = image->length;
+        if (rotateImage(rotation, image, &width, &length, work_buff_ptr, NULL,
+                        TRUE))
+        {
+       TIFFError ("correct_orientation", "Unable to rotate image");
+       return (-1);
+       }
+@@ -7612,7 +7613,8 @@ processCropSelections(struct image_data *image, struct crop_mask *crop,
+        * accordingly. */
+       size_t rot_buf_size = 0;
+       if (rotateImage(crop->rotation, image, &crop->combined_width, 
+-                      &crop->combined_length, &crop_buff, &rot_buf_size))
+                      &crop->combined_length, &crop_buff, &rot_buf_size,
+                            FALSE))
+         {
+         TIFFError("processCropSelections", 
+                   "Failed to rotate composite regions by %d degrees", crop->rotation);
+@@ -7721,9 +7723,10 @@ processCropSelections(struct image_data *image, struct crop_mask *crop,
+            * its size individually. Therefore, seg_buffs size  needs to be
+            * updated accordingly. */
+            size_t rot_buf_size = 0;
+-           if (rotateImage(
+-                crop->rotation, image, &crop->regionlist[i].width,
+-                &crop->regionlist[i].length, &crop_buff, &rot_buf_size))
+           if (rotateImage(crop->rotation, image,
+                                &crop->regionlist[i].width,
+                                &crop->regionlist[i].length, &crop_buff,
+                                &rot_buf_size, FALSE))
+           {
+           TIFFError("processCropSelections", 
+                     "Failed to rotate crop region by %d degrees", crop->rotation);
+@@ -7853,7 +7856,7 @@ createCroppedImage(struct image_data *image, struct crop_mask *crop,
+   if (crop->crop_mode & CROP_ROTATE) /* rotate should be last as it can reallocate the buffer */
+     {
+     if (rotateImage(crop->rotation, image, &crop->combined_width, 
+-                    &crop->combined_length, crop_buff_ptr, NULL))
+                    &crop->combined_length, crop_buff_ptr, NULL, TRUE))
+       {
+       TIFFError("createCroppedImage", 
+                 "Failed to rotate image or cropped selection by %d degrees", crop->rotation);
+@@ -8515,8 +8518,10 @@ rotateContigSamples32bits(uint16 rotation, uint16 spp, uint16 bps, uint32 width,
+ 
+ /* Rotate an image by a multiple of 90 degrees clockwise */
+ static int
+-rotateImage(uint16 rotation, struct image_data *image, uint32 *img_width, 
+-            uint32 *img_length, unsigned char **ibuff_ptr, int rot_image_params)
+rotateImage(uint16 rotation, struct image_data *image,
+            uint32 *img_width, uint32 *img_length,
+            unsigned char **ibuff_ptr, size_t *rot_buf_size,
+            int rot_image_params)
+   {
+   int      shift_width;
+   uint32   bytes_per_pixel, bytes_per_sample;
+-- 
+2.25.1
author	Hitendra Prajapati <hprajapati@mvista.com>	2023-08-01 11:42:22 +0530
committer	Steve Sakoman <steve@sakoman.com>	2023-08-16 03:55:12 -1000
commit	b5f81a875de8a146c4f698d9bd06ac1a152a01f7 (patch)
tree	6e3f02b157fee9904ec24a2e65b1a96158617aa6 /meta/recipes-multimedia/libtiff/files/CVE-2023-25434-CVE-2023-25435.patch
parent	2ff427ee403263834ef7f59027f197e44fb7ed1d (diff)
download	poky-b5f81a875de8a146c4f698d9bd06ac1a152a01f7.tar.gz

diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2023-25434-CVE-2023-25435.patch b/meta/recipes-multimedia/libtiff/files/CVE-2023-25434-CVE-2023-25435.patch new file mode 100644 index 0000000000..6a6596f092 --- /dev/null +++ b/meta/recipes-multimedia/libtiff/files/CVE-2023-25434-CVE-2023-25435.patch
@@ -0,0 +1,94 @@
	1	From 69818e2f2d246e6631ac2a2da692c3706b849c38 Mon Sep 17 00:00:00 2001
	2	From: Su_Laus <sulau@freenet.de>
	3	Date: Sun, 29 Jan 2023 11:09:26 +0100
	4	Subject: [PATCH] tiffcrop: Amend rotateImage() not to toggle the input (main)
	5	image width and length parameters when only cropped image sections are
	6	rotated. Remove buffptr from region structure because never used.
	7
	8	Closes #492 #493 #494 #495 #499 #518 #519
	9
	10	Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/69818e2f2d246e6631ac2a2da692c3706b849c38]
	11	CVE: CVE-2023-25434 & CVE-2023-25435
	12	Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
	13	---
	14	tools/tiffcrop.c \| 29 +++++++++++++++++------------
	15	1 file changed, 17 insertions(+), 12 deletions(-)
	16
	17	diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
	18	index aab0ec6..ce84414 100644
	19	--- a/tools/tiffcrop.c
	20	+++ b/tools/tiffcrop.c
	21	@@ -531,7 +531,7 @@ static int rotateContigSamples24bits(uint16, uint16, uint16, uint32,
	22	static int rotateContigSamples32bits(uint16, uint16, uint16, uint32,
	23	uint32, uint32, uint8 , uint8 );
	24	static int rotateImage(uint16, struct image_data , uint32 , uint32 *,
	25	- unsigned char *, size_t );
	26	+ unsigned char *, size_t , int);
	27	static int mirrorImage(uint16, uint16, uint16, uint32, uint32,
	28	unsigned char *);
	29	static int invertImage(uint16, uint16, uint16, uint32, uint32,
	30	@@ -6382,10 +6382,11 @@ static int correct_orientation(struct image_data image, unsigned char *work_b
	31	/* Dummy variable in order not to switch two times the
	32	* image->width,->length within rotateImage(),
	33	* but switch xres, yres there. */
	34	- uint32_t width = image->width;
	35	- uint32_t length = image->length;
	36	- if (rotateImage(rotation, image, &width, &length, work_buff_ptr, NULL))
	37	- {
	38	+ uint32_t width = image->width;
	39	+ uint32_t length = image->length;
	40	+ if (rotateImage(rotation, image, &width, &length, work_buff_ptr, NULL,
	41	+ TRUE))
	42	+ {
	43	TIFFError ("correct_orientation", "Unable to rotate image");
	44	return (-1);
	45	}
	46	@@ -7612,7 +7613,8 @@ processCropSelections(struct image_data image, struct crop_mask crop,
	47	* accordingly. */
	48	size_t rot_buf_size = 0;
	49	if (rotateImage(crop->rotation, image, &crop->combined_width,
	50	- &crop->combined_length, &crop_buff, &rot_buf_size))
	51	+ &crop->combined_length, &crop_buff, &rot_buf_size,
	52	+ FALSE))
	53	{
	54	TIFFError("processCropSelections",
	55	"Failed to rotate composite regions by %d degrees", crop->rotation);
	56	@@ -7721,9 +7723,10 @@ processCropSelections(struct image_data image, struct crop_mask crop,
	57	* its size individually. Therefore, seg_buffs size needs to be
	58	* updated accordingly. */
	59	size_t rot_buf_size = 0;
	60	- if (rotateImage(
	61	- crop->rotation, image, &crop->regionlist[i].width,
	62	- &crop->regionlist[i].length, &crop_buff, &rot_buf_size))
	63	+ if (rotateImage(crop->rotation, image,
	64	+ &crop->regionlist[i].width,
	65	+ &crop->regionlist[i].length, &crop_buff,
	66	+ &rot_buf_size, FALSE))
	67	{
	68	TIFFError("processCropSelections",
	69	"Failed to rotate crop region by %d degrees", crop->rotation);
	70	@@ -7853,7 +7856,7 @@ createCroppedImage(struct image_data image, struct crop_mask crop,
	71	if (crop->crop_mode & CROP_ROTATE) /* rotate should be last as it can reallocate the buffer */
	72	{
	73	if (rotateImage(crop->rotation, image, &crop->combined_width,
	74	- &crop->combined_length, crop_buff_ptr, NULL))
	75	+ &crop->combined_length, crop_buff_ptr, NULL, TRUE))
	76	{
	77	TIFFError("createCroppedImage",
	78	"Failed to rotate image or cropped selection by %d degrees", crop->rotation);
	79	@@ -8515,8 +8518,10 @@ rotateContigSamples32bits(uint16 rotation, uint16 spp, uint16 bps, uint32 width,
	80
	81	/* Rotate an image by a multiple of 90 degrees clockwise */
	82	static int
	83	-rotateImage(uint16 rotation, struct image_data image, uint32 img_width,
	84	- uint32 img_length, unsigned char *ibuff_ptr, int rot_image_params)
	85	+rotateImage(uint16 rotation, struct image_data *image,
	86	+ uint32 img_width, uint32 img_length,
	87	+ unsigned char *ibuff_ptr, size_t rot_buf_size,
	88	+ int rot_image_params)
	89	{
	90	int shift_width;
	91	uint32 bytes_per_pixel, bytes_per_sample;
	92	--
	93	2.25.1
	94