diff options
author | Ross Burton <ross.burton@arm.com> | 2023-07-03 13:19:25 +0100 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2023-07-10 11:36:34 +0100 |
commit | 238b4ff55e1a1c267dda5277f12b2bcb1fb2f5ea (patch) | |
tree | 3d23c49b90c6bbd691aa4db86ee637ab330595a4 /meta/recipes-multimedia/libtiff/files/CVE-2023-26965.patch | |
parent | 7379a88457283bd597820a35a33088f688950c73 (diff) | |
download | poky-238b4ff55e1a1c267dda5277f12b2bcb1fb2f5ea.tar.gz |
tiff: upgrade to 4.5.1
Also remove old CVE_CHECK_IGNOREs which are no longer needed due to CPE
updates.
(From OE-Core rev: 2200fde7011c4206382150c2602b2eb17423d45e)
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-multimedia/libtiff/files/CVE-2023-26965.patch')
-rw-r--r-- | meta/recipes-multimedia/libtiff/files/CVE-2023-26965.patch | 99 |
1 files changed, 0 insertions, 99 deletions
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2023-26965.patch b/meta/recipes-multimedia/libtiff/files/CVE-2023-26965.patch deleted file mode 100644 index 5fdc1ed013..0000000000 --- a/meta/recipes-multimedia/libtiff/files/CVE-2023-26965.patch +++ /dev/null | |||
@@ -1,99 +0,0 @@ | |||
1 | From ec8ef90c1f573c9eb1f17d6a056aa0015f184acf Mon Sep 17 00:00:00 2001 | ||
2 | From: Su_Laus <sulau@freenet.de> | ||
3 | Date: Tue, 14 Feb 2023 20:43:43 +0100 | ||
4 | Subject: [PATCH] tiffcrop: Do not reuse input buffer for subsequent images. | ||
5 | Fix issue 527 | ||
6 | |||
7 | Reuse of read_buff within loadImage() from previous image is quite unsafe, because other functions (like rotateImage() etc.) reallocate that buffer with different size without updating the local prev_readsize value. | ||
8 | |||
9 | Closes #527 | ||
10 | |||
11 | CVE: CVE-2023-26965 | ||
12 | Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/ec8ef90c1f573c9eb1f17d6a056aa0015f184acf] | ||
13 | Signed-off-by: Natasha Bailey <nat.bailey@windriver.com> | ||
14 | --- | ||
15 | tools/tiffcrop.c | 47 +++++++++++++---------------------------------- | ||
16 | 1 file changed, 13 insertions(+), 34 deletions(-) | ||
17 | |||
18 | diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c | ||
19 | index d7ad5ca8..d3e11ba2 100644 | ||
20 | --- a/tools/tiffcrop.c | ||
21 | +++ b/tools/tiffcrop.c | ||
22 | @@ -6771,9 +6771,7 @@ static int loadImage(TIFF *in, struct image_data *image, struct dump_opts *dump, | ||
23 | uint32_t tw = 0, tl = 0; /* Tile width and length */ | ||
24 | tmsize_t tile_rowsize = 0; | ||
25 | unsigned char *read_buff = NULL; | ||
26 | - unsigned char *new_buff = NULL; | ||
27 | int readunit = 0; | ||
28 | - static tmsize_t prev_readsize = 0; | ||
29 | |||
30 | TIFFGetFieldDefaulted(in, TIFFTAG_BITSPERSAMPLE, &bps); | ||
31 | TIFFGetFieldDefaulted(in, TIFFTAG_SAMPLESPERPIXEL, &spp); | ||
32 | @@ -7097,43 +7095,25 @@ static int loadImage(TIFF *in, struct image_data *image, struct dump_opts *dump, | ||
33 | } | ||
34 | |||
35 | read_buff = *read_ptr; | ||
36 | - /* +3 : add a few guard bytes since reverseSamples16bits() can read a bit */ | ||
37 | - /* outside buffer */ | ||
38 | - if (!read_buff) | ||
39 | + /* +3 : add a few guard bytes since reverseSamples16bits() can read a bit | ||
40 | + * outside buffer */ | ||
41 | + /* Reuse of read_buff from previous image is quite unsafe, because other | ||
42 | + * functions (like rotateImage() etc.) reallocate that buffer with different | ||
43 | + * size without updating the local prev_readsize value. */ | ||
44 | + if (read_buff) | ||
45 | { | ||
46 | - if (buffsize > 0xFFFFFFFFU - 3) | ||
47 | - { | ||
48 | - TIFFError("loadImage", "Unable to allocate/reallocate read buffer"); | ||
49 | - return (-1); | ||
50 | - } | ||
51 | - read_buff = | ||
52 | - (unsigned char *)limitMalloc(buffsize + NUM_BUFF_OVERSIZE_BYTES); | ||
53 | + _TIFFfree(read_buff); | ||
54 | } | ||
55 | - else | ||
56 | + if (buffsize > 0xFFFFFFFFU - 3) | ||
57 | { | ||
58 | - if (prev_readsize < buffsize) | ||
59 | - { | ||
60 | - if (buffsize > 0xFFFFFFFFU - 3) | ||
61 | - { | ||
62 | - TIFFError("loadImage", | ||
63 | - "Unable to allocate/reallocate read buffer"); | ||
64 | - return (-1); | ||
65 | - } | ||
66 | - new_buff = | ||
67 | - _TIFFrealloc(read_buff, buffsize + NUM_BUFF_OVERSIZE_BYTES); | ||
68 | - if (!new_buff) | ||
69 | - { | ||
70 | - free(read_buff); | ||
71 | - read_buff = (unsigned char *)limitMalloc( | ||
72 | - buffsize + NUM_BUFF_OVERSIZE_BYTES); | ||
73 | - } | ||
74 | - else | ||
75 | - read_buff = new_buff; | ||
76 | - } | ||
77 | + TIFFError("loadImage", "Required read buffer size too large"); | ||
78 | + return (-1); | ||
79 | } | ||
80 | + read_buff = | ||
81 | + (unsigned char *)limitMalloc(buffsize + NUM_BUFF_OVERSIZE_BYTES); | ||
82 | if (!read_buff) | ||
83 | { | ||
84 | - TIFFError("loadImage", "Unable to allocate/reallocate read buffer"); | ||
85 | + TIFFError("loadImage", "Unable to allocate read buffer"); | ||
86 | return (-1); | ||
87 | } | ||
88 | |||
89 | @@ -7141,7 +7121,6 @@ static int loadImage(TIFF *in, struct image_data *image, struct dump_opts *dump, | ||
90 | read_buff[buffsize + 1] = 0; | ||
91 | read_buff[buffsize + 2] = 0; | ||
92 | |||
93 | - prev_readsize = buffsize; | ||
94 | *read_ptr = read_buff; | ||
95 | |||
96 | /* N.B. The read functions used copy separate plane data into a buffer as | ||
97 | -- | ||
98 | 2.39.0 | ||
99 | |||