author | Lee Chee Yang <chee.yang.lee@intel.com> | 2024-04-01 10:24:21 +0800 |
---|---|---|
committer | Steve Sakoman <steve@sakoman.com> | 2024-04-05 07:23:59 -0700 |
commit | 1921c279467ae185aecfe0e8b91da50b8a38d248 (patch) | |
tree | a9c2afee524fdbc324a54e1c9de82b8830d28fe1 /meta/recipes-multimedia/libtiff/tiff/CVE-2023-6277-1.patch | |
parent | ebebf9d948b21983271c1c92e419a97b7d52e5bf (diff) | |
download | poky-1921c279467ae185aecfe0e8b91da50b8a38d248.tar.gz |
tiff: fix CVE-2023-52356 CVE-2023-6277
import patch from ubuntu to fix CVE-2023-52356 CVE-2023-6277
import from
http://archive.ubuntu.com/ubuntu/pool/main/t/tiff/tiff_4.3.0-6ubuntu0.8.debian.tar.xz
(From OE-Core rev: 4728df36bb3888df4d3cc0db1fd66138e865c511)
Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Diffstat (limited to 'meta/recipes-multimedia/libtiff/tiff/CVE-2023-6277-1.patch')
-rw-r--r-- | meta/recipes-multimedia/libtiff/tiff/CVE-2023-6277-1.patch | 178 |
1 files changed, 178 insertions, 0 deletions
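diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2023-6277-1.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2023-6277-1.patch
new file mode 100644
index 0000000000..453df897ac
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2023-6277-1.patch
@@ -0,0 +1,178 @@
+CVE: CVE-2023-6277
+Upstream-Status: Backport [upstream : https://gitlab.com/libtiff/libtiff/-/commit/5320c9d89c054fa805d037d84c57da874470b01a
+ubuntu : http://archive.ubuntu.com/ubuntu/pool/main/t/tiff/tiff_4.3.0-6ubuntu0.8.debian.tar.xz ]
+Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
+
+[Ubuntu note: Backport of the following patch from upstream, with a few changes
+to match the current version of the file in the present Ubuntu release:
+. using TIFFWarningExt instead of TIFFWarningExtR (the latter did not exist yet);
+. calling _TIFFfree(data) instead of _TIFFfreeExt(tif, data) (the latter did not exist yet);
+-- Rodrigo Figueiredo Zaiden]
+
+Backport of:
+
+From 5320c9d89c054fa805d037d84c57da874470b01a Mon Sep 17 00:00:00 2001
+From: Su Laus <sulau@freenet.de>
+Date: Tue, 31 Oct 2023 15:43:29 +0000
+Subject: [PATCH] Prevent some out-of-memory attacks
+
+Some small fuzzer files fake large amounts of data and provoke out-of-memory situations. For non-compressed data content / tags, out-of-memory can be prevented by comparing with the file size.
+
+At image reading, data size of some tags / data structures (StripByteCounts, StripOffsets, StripArray, TIFF directory) is compared with file size to prevent provoked out-of-memory attacks.
+
+See issue https://gitlab.com/libtiff/libtiff/-/issues/614#note_1602683857
+---
+libtiff/tif_dirread.c | 92 ++++++++++++++++++++++++++++++++++++++++++-
+1 file changed, 90 insertions(+), 2 deletions(-)
+
+--- tiff-4.3.0.orig/libtiff/tif_dirread.c
++++ tiff-4.3.0/libtiff/tif_dirread.c
+@@ -866,6 +866,21 @@ static enum TIFFReadDirEntryErr TIFFRead
+datasize=(*count)*typesize;
+assert((tmsize_t)datasize>0);
+
++ /* Before allocating a huge amount of memory for corrupted files, check if
++ * size of requested memory is not greater than file size.
++ */
++ uint64_t filesize = TIFFGetFileSize(tif);
++ if (datasize > filesize)
++ {
++ TIFFWarningExt(tif->tif_clientdata, "ReadDirEntryArray",
++ "Requested memory size for tag %d (0x%x) %" PRIu32
++ " is greather than filesize %" PRIu64
++ ". Memory not allocated, tag not read",
++ direntry->tdir_tag, direntry->tdir_tag, datasize,
++ filesize);
++ return (TIFFReadDirEntryErrAlloc);
++ }
++
+if( isMapped(tif) && datasize > (uint64_t)tif->tif_size )
+return TIFFReadDirEntryErrIo;
+
+@@ -4593,6 +4608,20 @@ EstimateStripByteCounts(TIFF* tif, TIFFD
+if( !_TIFFFillStrilesInternal( tif, 0 ) )
+return -1;
+
++ /* Before allocating a huge amount of memory for corrupted files, check if
++ * size of requested memory is not greater than file size. */
++ uint64_t filesize = TIFFGetFileSize(tif);
++ uint64_t allocsize = (uint64_t)td->td_nstrips * sizeof(uint64_t);
++ if (allocsize > filesize)
++ {
++ TIFFWarningExt(tif->tif_clientdata, module,
++ "Requested memory size for StripByteCounts of %" PRIu64
++ " is greather than filesize %" PRIu64
++ ". Memory not allocated",
++ allocsize, filesize);
++ return -1;
++ }
++
+if (td->td_stripbytecount_p)
+_TIFFfree(td->td_stripbytecount_p);
+td->td_stripbytecount_p = (uint64_t*)
+@@ -4603,9 +4632,7 @@ EstimateStripByteCounts(TIFF* tif, TIFFD
+
+if (td->td_compression != COMPRESSION_NONE) {
+uint64_t space;
+- uint64_t filesize;
+uint16_t n;
+- filesize = TIFFGetFileSize(tif);
+if (!(tif->tif_flags&TIFF_BIGTIFF))
+space=sizeof(TIFFHeaderClassic)+2+dircount*12+4;
+else
+@@ -4913,6 +4940,20 @@ TIFFFetchDirectory(TIFF* tif, uint64_t d
+dircount16 = (uint16_t)dircount64;
+dirsize = 20;
+}
++ /* Before allocating a huge amount of memory for corrupted files, check
++ * if size of requested memory is not greater than file size. */
++ uint64_t filesize = TIFFGetFileSize(tif);
++ uint64_t allocsize = (uint64_t)dircount16 * dirsize;
++ if (allocsize > filesize)
++ {
++ TIFFWarningExt(
++ tif->tif_clientdata, module,
++ "Requested memory size for TIFF directory of %" PRIu64
++ " is greather than filesize %" PRIu64
++ ". Memory not allocated, TIFF directory not read",
++ allocsize, filesize);
++ return 0;
++ }
+origdir = _TIFFCheckMalloc(tif, dircount16,
+dirsize, "to read TIFF directory");
+if (origdir == NULL)
+@@ -5016,6 +5057,20 @@ TIFFFetchDirectory(TIFF* tif, uint64_t d
+"Sanity check on directory count failed, zero tag directories not supported");
+return 0;
+}
++ /* Before allocating a huge amount of memory for corrupted files, check
++ * if size of requested memory is not greater than file size. */
++ uint64_t filesize = TIFFGetFileSize(tif);
++ uint64_t allocsize = (uint64_t)dircount16 * dirsize;
++ if (allocsize > filesize)
++ {
++ TIFFWarningExt(
++ tif->tif_clientdata, module,
++ "Requested memory size for TIFF directory of %" PRIu64
++ " is greather than filesize %" PRIu64
++ ". Memory not allocated, TIFF directory not read",
++ allocsize, filesize);
++ return 0;
++ }
+origdir = _TIFFCheckMalloc(tif, dircount16,
+dirsize,
+"to read TIFF directory");
+@@ -5059,6 +5114,8 @@ TIFFFetchDirectory(TIFF* tif, uint64_t d
+}
+}
+}
++ /* No check against filesize needed here because "dir" should have same size
++ * than "origdir" checked above. */
+dir = (TIFFDirEntry*)_TIFFCheckMalloc(tif, dircount16,
+sizeof(TIFFDirEntry),
+"to read TIFF directory");
+@@ -5853,6 +5910,20 @@ TIFFFetchStripThing(TIFF* tif, TIFFDirEn
+return(0);
+}
+
++ /* Before allocating a huge amount of memory for corrupted files, check
++ * if size of requested memory is not greater than file size. */
++ uint64_t filesize = TIFFGetFileSize(tif);
++ uint64_t allocsize = (uint64_t)nstrips * sizeof(uint64_t);
++ if (allocsize > filesize)
++ {
++ TIFFWarningExt(tif->tif_clientdata, module,
++ "Requested memory size for StripArray of %" PRIu64
++ " is greather than filesize %" PRIu64
++ ". Memory not allocated",
++ allocsize, filesize);
++ _TIFFfree(data);
++ return (0);
++ }
+resizeddata=(uint64_t*)_TIFFCheckMalloc(tif, nstrips, sizeof(uint64_t), "for strip array");
+if (resizeddata==0) {
+_TIFFfree(data);
+@@ -5948,6 +6019,23 @@ static void allocChoppedUpStripArrays(TI
+}
+bytecount = last_offset + last_bytecount - offset;
+
++ /* Before allocating a huge amount of memory for corrupted files, check if
++ * size of StripByteCount and StripOffset tags is not greater than
++ * file size.
++ */
++ uint64_t allocsize = (uint64_t)nstrips * sizeof(uint64_t) * 2;
++ uint64_t filesize = TIFFGetFileSize(tif);
++ if (allocsize > filesize)
++ {
++ TIFFWarningExt(tif->tif_clientdata, "allocChoppedUpStripArrays",
++ "Requested memory size for StripByteCount and "
++ "StripOffsets %" PRIu64
++ " is greather than filesize %" PRIu64
++ ". Memory not allocated",
++ allocsize, filesize);
++ return;
++ }
++
+newcounts = (uint64_t*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64_t),
+"for chopped \"StripByteCounts\" array");
+newoffsets = (uint64_t*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64_t),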
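Review bot: Every guard this patch adds to tif_dirread.c, starting with `if (datasize > filesize)` in the ReadDirEntryArray hunk, calls `TIFFGetFileSize(tif)` unconditionally and treats the result as authoritative, so the fix is only as reliable as the client's size callback. TIFFGetFileSize is not shown here, so this is inferred, but an I/O client that reports 0 or an unknown size would have every array tag refused with `TIFFReadDirEntryErrAlloc`, and a slow size query would run once per tag; the same pattern repeats in the EstimateStripByteCounts, both TIFFFetchDirectory, TIFFFetchStripThing and allocChoppedUpStripArrays hunks. Consider consulting the file size only for requests above a project-chosen threshold, e.g. `if (datasize > ALLOC_CHECK_THRESHOLD /* placeholder */ && datasize > TIFFGetFileSize(tif))`, and check whether later patches in this `-1` series already do so. All the touched functions begin and end outside the visible hunks.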