tiff: Backport fixes for CVE-2023-6277

(From OE-Core rev: d115e17ad7775cf5bbfd402e98e61f362ac96efa) Signed-off-by: Khem Raj <raj.khem@gmail.com> Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Khem Raj <raj.khem@gmail.com> 2023-12-05 09:53:49 -0800
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2023-12-06 22:55:50 +0000
commit: 2b32e0fd6e6d892552636b452ef1e7a8d3fb587f (patch)
tree: fe18ea169e4944b5c838d56f248987d9fa3b3c48 /meta/recipes-multimedia/libtiff
parent: 959b1f7de437db9156da11fb799a3c2f4e9082dc (diff)
download: poky-2b32e0fd6e6d892552636b452ef1e7a8d3fb587f.tar.gz
4 files changed, 228 insertions, 0 deletions
diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2023-6277-Apply-1-suggestion-s-to-1-file-s.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2023-6277-Apply-1-suggestion-s-to-1-file-s.patch
new file mode 100644
index 0000000000..5d15dff1d9
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2023-6277-Apply-1-suggestion-s-to-1-file-s.patch
@@ -0,0 +1,27 @@
+From e1640519208121f916da1772a5efb6ca28971b86 Mon Sep 17 00:00:00 2001
+From: Even Rouault <even.rouault@spatialys.com>
+Date: Tue, 31 Oct 2023 15:04:37 +0000
+Subject: [PATCH 3/3] Apply 1 suggestion(s) to 1 file(s)
+CVE: CVE-2023-6277
+Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/merge_requests/545]
+Signed-off-by: Khem Raj <raj.khem@gmail.com>
+---
+ libtiff/tif_dirread.c | 1 -
+ 1 file changed, 1 deletion(-)
+diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c
+index fe8d6f8..58a4276 100644
+--- a/libtiff/tif_dirread.c
+++ b/libtiff/tif_dirread.c
+@@ -5306,7 +5306,6 @@ static int EstimateStripByteCounts(TIFF *tif, TIFFDirEntry *dir,
+     {
+         uint64_t space;
+         uint16_t n;
+-        filesize = TIFFGetFileSize(tif);
+         if (!(tif->tif_flags & TIFF_BIGTIFF))
+             space = sizeof(TIFFHeaderClassic) + 2 + dircount * 12 + 4;
+         else
+-- 
+2.43.0
diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2023-6277-At-image-reading-compare-data-size-of-some-tags-data-2.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2023-6277-At-image-reading-compare-data-size-of-some-tags-data-2.patch
new file mode 100644
index 0000000000..9fc8182fef
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2023-6277-At-image-reading-compare-data-size-of-some-tags-data-2.patch
@@ -0,0 +1,36 @@
+From f500facf7723f1cae725dd288b2daad15e45131c Mon Sep 17 00:00:00 2001
+From: Su_Laus <sulau@freenet.de>
+Date: Mon, 30 Oct 2023 21:21:57 +0100
+Subject: [PATCH 2/3] At image reading, compare data size of some tags / data
+ structures (StripByteCounts, StripOffsets, StripArray, TIFF directory) with
+ file size to prevent provoked out-of-memory attacks.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+See issue #614.
+Correct declaration of ‘filesize’ shadows a previous local.
+CVE: CVE-2023-6277
+Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/merge_requests/545]
+Signed-off-by: Khem Raj <raj.khem@gmail.com>
+---
+ libtiff/tif_dirread.c | 1 -
+ 1 file changed, 1 deletion(-)
+diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c
+index c52d41f..fe8d6f8 100644
+--- a/libtiff/tif_dirread.c
+++ b/libtiff/tif_dirread.c
+@@ -5305,7 +5305,6 @@ static int EstimateStripByteCounts(TIFF *tif, TIFFDirEntry *dir,
+     if (td->td_compression != COMPRESSION_NONE)
+     {
+         uint64_t space;
+-        uint64_t filesize;
+         uint16_t n;
+         filesize = TIFFGetFileSize(tif);
+         if (!(tif->tif_flags & TIFF_BIGTIFF))
+-- 
+2.43.0
diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2023-6277-At-image-reading-compare-data-size-of-some-tags-data.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2023-6277-At-image-reading-compare-data-size-of-some-tags-data.patch
new file mode 100644
index 0000000000..d5854a9059
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2023-6277-At-image-reading-compare-data-size-of-some-tags-data.patch
@@ -0,0 +1,162 @@
+From b33baa5d9c6aac8ce49b5180dd48e39697ab7a11 Mon Sep 17 00:00:00 2001
+From: Su_Laus <sulau@freenet.de>
+Date: Fri, 27 Oct 2023 22:11:10 +0200
+Subject: [PATCH 1/3] At image reading, compare data size of some tags / data
+ structures (StripByteCounts, StripOffsets, StripArray, TIFF directory) with
+ file size to prevent provoked out-of-memory attacks.
+See issue #614.
+CVE: CVE-2023-6277
+Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/merge_requests/545]
+Signed-off-by: Khem Raj <raj.khem@gmail.com>
+---
+ libtiff/tif_dirread.c | 90 +++++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 90 insertions(+)
+diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c
+index 2c49dc6..c52d41f 100644
+--- a/libtiff/tif_dirread.c
+++ b/libtiff/tif_dirread.c
+@@ -1308,6 +1308,21 @@ TIFFReadDirEntryArrayWithLimit(TIFF *tif, TIFFDirEntry *direntry,
+     datasize = (*count) * typesize;
+     assert((tmsize_t)datasize > 0);
+ 
+    /* Before allocating a huge amount of memory for corrupted files, check if
+     * size of requested memory is not greater than file size.
+     */
+    uint64_t filesize = TIFFGetFileSize(tif);
+    if (datasize > filesize)
+    {
+        TIFFWarningExtR(tif, "ReadDirEntryArray",
+                        "Requested memory size for tag %d (0x%x) %" PRIu32
+                        " is greather than filesize %" PRIu64
+                        ". Memory not allocated, tag not read",
+                        direntry->tdir_tag, direntry->tdir_tag, datasize,
+                        filesize);
+        return (TIFFReadDirEntryErrAlloc);
+    }
+
+     if (isMapped(tif) && datasize > (uint64_t)tif->tif_size)
+         return TIFFReadDirEntryErrIo;
+ 
+@@ -5266,6 +5281,20 @@ static int EstimateStripByteCounts(TIFF *tif, TIFFDirEntry *dir,
+     if (!_TIFFFillStrilesInternal(tif, 0))
+         return -1;
+ 
+    /* Before allocating a huge amount of memory for corrupted files, check if
+     * size of requested memory is not greater than file size. */
+    uint64_t filesize = TIFFGetFileSize(tif);
+    uint64_t allocsize = (uint64_t)td->td_nstrips * sizeof(uint64_t);
+    if (allocsize > filesize)
+    {
+        TIFFWarningExtR(tif, module,
+                        "Requested memory size for StripByteCounts of %" PRIu64
+                        " is greather than filesize %" PRIu64
+                        ". Memory not allocated",
+                        allocsize, filesize);
+        return -1;
+    }
+
+     if (td->td_stripbytecount_p)
+         _TIFFfreeExt(tif, td->td_stripbytecount_p);
+     td->td_stripbytecount_p = (uint64_t *)_TIFFCheckMalloc(
+@@ -5807,6 +5836,20 @@ static uint16_t TIFFFetchDirectory(TIFF *tif, uint64_t diroff,
+             dircount16 = (uint16_t)dircount64;
+             dirsize = 20;
+         }
+        /* Before allocating a huge amount of memory for corrupted files, check
+         * if size of requested memory is not greater than file size. */
+        uint64_t filesize = TIFFGetFileSize(tif);
+        uint64_t allocsize = (uint64_t)dircount16 * dirsize;
+        if (allocsize > filesize)
+        {
+            TIFFWarningExtR(
+                tif, module,
+                "Requested memory size for TIFF directory of %" PRIu64
+                " is greather than filesize %" PRIu64
+                ". Memory not allocated, TIFF directory not read",
+                allocsize, filesize);
+            return 0;
+        }
+         origdir = _TIFFCheckMalloc(tif, dircount16, dirsize,
+                                    "to read TIFF directory");
+         if (origdir == NULL)
+@@ -5921,6 +5964,20 @@ static uint16_t TIFFFetchDirectory(TIFF *tif, uint64_t diroff,
+                           "directories not supported");
+             return 0;
+         }
+        /* Before allocating a huge amount of memory for corrupted files, check
+         * if size of requested memory is not greater than file size. */
+        uint64_t filesize = TIFFGetFileSize(tif);
+        uint64_t allocsize = (uint64_t)dircount16 * dirsize;
+        if (allocsize > filesize)
+        {
+            TIFFWarningExtR(
+                tif, module,
+                "Requested memory size for TIFF directory of %" PRIu64
+                " is greather than filesize %" PRIu64
+                ". Memory not allocated, TIFF directory not read",
+                allocsize, filesize);
+            return 0;
+        }
+         origdir = _TIFFCheckMalloc(tif, dircount16, dirsize,
+                                    "to read TIFF directory");
+         if (origdir == NULL)
+@@ -5968,6 +6025,8 @@ static uint16_t TIFFFetchDirectory(TIFF *tif, uint64_t diroff,
+             }
+         }
+     }
+    /* No check against filesize needed here because "dir" should have same size
+     * than "origdir" checked above. */
+     dir = (TIFFDirEntry *)_TIFFCheckMalloc(
+         tif, dircount16, sizeof(TIFFDirEntry), "to read TIFF directory");
+     if (dir == 0)
+@@ -7164,6 +7223,20 @@ static int TIFFFetchStripThing(TIFF *tif, TIFFDirEntry *dir, uint32_t nstrips,
+             return (0);
+         }
+ 
+        /* Before allocating a huge amount of memory for corrupted files, check
+         * if size of requested memory is not greater than file size. */
+        uint64_t filesize = TIFFGetFileSize(tif);
+        uint64_t allocsize = (uint64_t)nstrips * sizeof(uint64_t);
+        if (allocsize > filesize)
+        {
+            TIFFWarningExtR(tif, module,
+                            "Requested memory size for StripArray of %" PRIu64
+                            " is greather than filesize %" PRIu64
+                            ". Memory not allocated",
+                            allocsize, filesize);
+            _TIFFfreeExt(tif, data);
+            return (0);
+        }
+         resizeddata = (uint64_t *)_TIFFCheckMalloc(
+             tif, nstrips, sizeof(uint64_t), "for strip array");
+         if (resizeddata == 0)
+@@ -7263,6 +7336,23 @@ static void allocChoppedUpStripArrays(TIFF *tif, uint32_t nstrips,
+     }
+     bytecount = last_offset + last_bytecount - offset;
+ 
+    /* Before allocating a huge amount of memory for corrupted files, check if
+     * size of StripByteCount and StripOffset tags is not greater than
+     * file size.
+     */
+    uint64_t allocsize = (uint64_t)nstrips * sizeof(uint64_t) * 2;
+    uint64_t filesize = TIFFGetFileSize(tif);
+    if (allocsize > filesize)
+    {
+        TIFFWarningExtR(tif, "allocChoppedUpStripArrays",
+                        "Requested memory size for StripByteCount and "
+                        "StripOffsets %" PRIu64
+                        " is greather than filesize %" PRIu64
+                        ". Memory not allocated",
+                        allocsize, filesize);
+        return;
+    }
+
+     newcounts =
+         (uint64_t *)_TIFFCheckMalloc(tif, nstrips, sizeof(uint64_t),
+                                      "for chopped \"StripByteCounts\" array");
+-- 
+2.43.0
diff --git a/meta/recipes-multimedia/libtiff/tiff_4.6.0.bb b/meta/recipes-multimedia/libtiff/tiff_4.6.0.bb
index 49984f1125..4c472f8ef6 100644
--- a/meta/recipes-multimedia/libtiff/tiff_4.6.0.bb
+++ b/meta/recipes-multimedia/libtiff/tiff_4.6.0.bb
@@ -9,6 +9,9 @@ LIC_FILES_CHKSUM = "file://LICENSE.md;md5=a3e32d664d6db1386b4689c8121531c3"
 CVE_PRODUCT = "libtiff"
 SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
+           file://CVE-2023-6277-At-image-reading-compare-data-size-of-some-tags-data.patch \
+           file://CVE-2023-6277-At-image-reading-compare-data-size-of-some-tags-data-2.patch \
+           file://CVE-2023-6277-Apply-1-suggestion-s-to-1-file-s.patch \
           "
 SRC_URI[sha256sum] = "88b3979e6d5c7e32b50d7ec72fb15af724f6ab2cbf7e10880c360a77e4b5d99a"
author	Khem Raj <raj.khem@gmail.com>	2023-12-05 09:53:49 -0800
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2023-12-06 22:55:50 +0000
commit	2b32e0fd6e6d892552636b452ef1e7a8d3fb587f (patch)
tree	fe18ea169e4944b5c838d56f248987d9fa3b3c48 /meta/recipes-multimedia/libtiff
parent	959b1f7de437db9156da11fb799a3c2f4e9082dc (diff)
download	poky-2b32e0fd6e6d892552636b452ef1e7a8d3fb587f.tar.gz

diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2023-6277-Apply-1-suggestion-s-to-1-file-s.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2023-6277-Apply-1-suggestion-s-to-1-file-s.patch new file mode 100644 index 0000000000..5d15dff1d9 --- /dev/null +++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2023-6277-Apply-1-suggestion-s-to-1-file-s.patch
@@ -0,0 +1,27 @@
		1	From e1640519208121f916da1772a5efb6ca28971b86 Mon Sep 17 00:00:00 2001
		2	From: Even Rouault <even.rouault@spatialys.com>
		3	Date: Tue, 31 Oct 2023 15:04:37 +0000
		4	Subject: [PATCH 3/3] Apply 1 suggestion(s) to 1 file(s)
		5
		6	CVE: CVE-2023-6277
		7	Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/merge_requests/545]
		8	Signed-off-by: Khem Raj <raj.khem@gmail.com>
		9	---
		10	libtiff/tif_dirread.c \| 1 -
		11	1 file changed, 1 deletion(-)
		12
		13	diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c
		14	index fe8d6f8..58a4276 100644
		15	--- a/libtiff/tif_dirread.c
		16	+++ b/libtiff/tif_dirread.c
		17	@@ -5306,7 +5306,6 @@ static int EstimateStripByteCounts(TIFF tif, TIFFDirEntry dir,
		18	{
		19	uint64_t space;
		20	uint16_t n;
		21	- filesize = TIFFGetFileSize(tif);
		22	if (!(tif->tif_flags & TIFF_BIGTIFF))
		23	space = sizeof(TIFFHeaderClassic) + 2 + dircount * 12 + 4;
		24	else
		25	--
		26	2.43.0
		27


diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2023-6277-At-image-reading-compare-data-size-of-some-tags-data-2.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2023-6277-At-image-reading-compare-data-size-of-some-tags-data-2.patch new file mode 100644 index 0000000000..9fc8182fef --- /dev/null +++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2023-6277-At-image-reading-compare-data-size-of-some-tags-data-2.patch
@@ -0,0 +1,36 @@
		1	From f500facf7723f1cae725dd288b2daad15e45131c Mon Sep 17 00:00:00 2001
		2	From: Su_Laus <sulau@freenet.de>
		3	Date: Mon, 30 Oct 2023 21:21:57 +0100
		4	Subject: [PATCH 2/3] At image reading, compare data size of some tags / data
		5	structures (StripByteCounts, StripOffsets, StripArray, TIFF directory) with
		6	file size to prevent provoked out-of-memory attacks.
		7	MIME-Version: 1.0
		8	Content-Type: text/plain; charset=UTF-8
		9	Content-Transfer-Encoding: 8bit
		10
		11	See issue #614.
		12
		13	Correct declaration of ‘filesize’ shadows a previous local.
		14
		15	CVE: CVE-2023-6277
		16	Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/merge_requests/545]
		17	Signed-off-by: Khem Raj <raj.khem@gmail.com>
		18	---
		19	libtiff/tif_dirread.c \| 1 -
		20	1 file changed, 1 deletion(-)
		21
		22	diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c
		23	index c52d41f..fe8d6f8 100644
		24	--- a/libtiff/tif_dirread.c
		25	+++ b/libtiff/tif_dirread.c
		26	@@ -5305,7 +5305,6 @@ static int EstimateStripByteCounts(TIFF tif, TIFFDirEntry dir,
		27	if (td->td_compression != COMPRESSION_NONE)
		28	{
		29	uint64_t space;
		30	- uint64_t filesize;
		31	uint16_t n;
		32	filesize = TIFFGetFileSize(tif);
		33	if (!(tif->tif_flags & TIFF_BIGTIFF))
		34	--
		35	2.43.0
		36


diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2023-6277-At-image-reading-compare-data-size-of-some-tags-data.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2023-6277-At-image-reading-compare-data-size-of-some-tags-data.patch new file mode 100644 index 0000000000..d5854a9059 --- /dev/null +++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2023-6277-At-image-reading-compare-data-size-of-some-tags-data.patch
@@ -0,0 +1,162 @@
		1	From b33baa5d9c6aac8ce49b5180dd48e39697ab7a11 Mon Sep 17 00:00:00 2001
		2	From: Su_Laus <sulau@freenet.de>
		3	Date: Fri, 27 Oct 2023 22:11:10 +0200
		4	Subject: [PATCH 1/3] At image reading, compare data size of some tags / data
		5	structures (StripByteCounts, StripOffsets, StripArray, TIFF directory) with
		6	file size to prevent provoked out-of-memory attacks.
		7
		8	See issue #614.
		9
		10	CVE: CVE-2023-6277
		11	Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/merge_requests/545]
		12	Signed-off-by: Khem Raj <raj.khem@gmail.com>
		13	---
		14	libtiff/tif_dirread.c \| 90 +++++++++++++++++++++++++++++++++++++++++++
		15	1 file changed, 90 insertions(+)
		16
		17	diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c
		18	index 2c49dc6..c52d41f 100644
		19	--- a/libtiff/tif_dirread.c
		20	+++ b/libtiff/tif_dirread.c
		21	@@ -1308,6 +1308,21 @@ TIFFReadDirEntryArrayWithLimit(TIFF tif, TIFFDirEntry direntry,
		22	datasize = (count) typesize;
		23	assert((tmsize_t)datasize > 0);
		24
		25	+ /* Before allocating a huge amount of memory for corrupted files, check if
		26	+ * size of requested memory is not greater than file size.
		27	+ */
		28	+ uint64_t filesize = TIFFGetFileSize(tif);
		29	+ if (datasize > filesize)
		30	+ {
		31	+ TIFFWarningExtR(tif, "ReadDirEntryArray",
		32	+ "Requested memory size for tag %d (0x%x) %" PRIu32
		33	+ " is greather than filesize %" PRIu64
		34	+ ". Memory not allocated, tag not read",
		35	+ direntry->tdir_tag, direntry->tdir_tag, datasize,
		36	+ filesize);
		37	+ return (TIFFReadDirEntryErrAlloc);
		38	+ }
		39	+
		40	if (isMapped(tif) && datasize > (uint64_t)tif->tif_size)
		41	return TIFFReadDirEntryErrIo;
		42
		43	@@ -5266,6 +5281,20 @@ static int EstimateStripByteCounts(TIFF tif, TIFFDirEntry dir,
		44	if (!_TIFFFillStrilesInternal(tif, 0))
		45	return -1;
		46
		47	+ /* Before allocating a huge amount of memory for corrupted files, check if
		48	+ * size of requested memory is not greater than file size. */
		49	+ uint64_t filesize = TIFFGetFileSize(tif);
		50	+ uint64_t allocsize = (uint64_t)td->td_nstrips * sizeof(uint64_t);
		51	+ if (allocsize > filesize)
		52	+ {
		53	+ TIFFWarningExtR(tif, module,
		54	+ "Requested memory size for StripByteCounts of %" PRIu64
		55	+ " is greather than filesize %" PRIu64
		56	+ ". Memory not allocated",
		57	+ allocsize, filesize);
		58	+ return -1;
		59	+ }
		60	+
		61	if (td->td_stripbytecount_p)
		62	_TIFFfreeExt(tif, td->td_stripbytecount_p);
		63	td->td_stripbytecount_p = (uint64_t *)_TIFFCheckMalloc(
		64	@@ -5807,6 +5836,20 @@ static uint16_t TIFFFetchDirectory(TIFF *tif, uint64_t diroff,
		65	dircount16 = (uint16_t)dircount64;
		66	dirsize = 20;
		67	}
		68	+ /* Before allocating a huge amount of memory for corrupted files, check
		69	+ * if size of requested memory is not greater than file size. */
		70	+ uint64_t filesize = TIFFGetFileSize(tif);
		71	+ uint64_t allocsize = (uint64_t)dircount16 * dirsize;
		72	+ if (allocsize > filesize)
		73	+ {
		74	+ TIFFWarningExtR(
		75	+ tif, module,
		76	+ "Requested memory size for TIFF directory of %" PRIu64
		77	+ " is greather than filesize %" PRIu64
		78	+ ". Memory not allocated, TIFF directory not read",
		79	+ allocsize, filesize);
		80	+ return 0;
		81	+ }
		82	origdir = _TIFFCheckMalloc(tif, dircount16, dirsize,
		83	"to read TIFF directory");
		84	if (origdir == NULL)
		85	@@ -5921,6 +5964,20 @@ static uint16_t TIFFFetchDirectory(TIFF *tif, uint64_t diroff,
		86	"directories not supported");
		87	return 0;
		88	}
		89	+ /* Before allocating a huge amount of memory for corrupted files, check
		90	+ * if size of requested memory is not greater than file size. */
		91	+ uint64_t filesize = TIFFGetFileSize(tif);
		92	+ uint64_t allocsize = (uint64_t)dircount16 * dirsize;
		93	+ if (allocsize > filesize)
		94	+ {
		95	+ TIFFWarningExtR(
		96	+ tif, module,
		97	+ "Requested memory size for TIFF directory of %" PRIu64
		98	+ " is greather than filesize %" PRIu64
		99	+ ". Memory not allocated, TIFF directory not read",
		100	+ allocsize, filesize);
		101	+ return 0;
		102	+ }
		103	origdir = _TIFFCheckMalloc(tif, dircount16, dirsize,
		104	"to read TIFF directory");
		105	if (origdir == NULL)
		106	@@ -5968,6 +6025,8 @@ static uint16_t TIFFFetchDirectory(TIFF *tif, uint64_t diroff,
		107	}
		108	}
		109	}
		110	+ /* No check against filesize needed here because "dir" should have same size
		111	+ * than "origdir" checked above. */
		112	dir = (TIFFDirEntry *)_TIFFCheckMalloc(
		113	tif, dircount16, sizeof(TIFFDirEntry), "to read TIFF directory");
		114	if (dir == 0)
		115	@@ -7164,6 +7223,20 @@ static int TIFFFetchStripThing(TIFF tif, TIFFDirEntry dir, uint32_t nstrips,
		116	return (0);
		117	}
		118
		119	+ /* Before allocating a huge amount of memory for corrupted files, check
		120	+ * if size of requested memory is not greater than file size. */
		121	+ uint64_t filesize = TIFFGetFileSize(tif);
		122	+ uint64_t allocsize = (uint64_t)nstrips * sizeof(uint64_t);
		123	+ if (allocsize > filesize)
		124	+ {
		125	+ TIFFWarningExtR(tif, module,
		126	+ "Requested memory size for StripArray of %" PRIu64
		127	+ " is greather than filesize %" PRIu64
		128	+ ". Memory not allocated",
		129	+ allocsize, filesize);
		130	+ _TIFFfreeExt(tif, data);
		131	+ return (0);
		132	+ }
		133	resizeddata = (uint64_t *)_TIFFCheckMalloc(
		134	tif, nstrips, sizeof(uint64_t), "for strip array");
		135	if (resizeddata == 0)
		136	@@ -7263,6 +7336,23 @@ static void allocChoppedUpStripArrays(TIFF *tif, uint32_t nstrips,
		137	}
		138	bytecount = last_offset + last_bytecount - offset;
		139
		140	+ /* Before allocating a huge amount of memory for corrupted files, check if
		141	+ * size of StripByteCount and StripOffset tags is not greater than
		142	+ * file size.
		143	+ */
		144	+ uint64_t allocsize = (uint64_t)nstrips * sizeof(uint64_t) * 2;
		145	+ uint64_t filesize = TIFFGetFileSize(tif);
		146	+ if (allocsize > filesize)
		147	+ {
		148	+ TIFFWarningExtR(tif, "allocChoppedUpStripArrays",
		149	+ "Requested memory size for StripByteCount and "
		150	+ "StripOffsets %" PRIu64
		151	+ " is greather than filesize %" PRIu64
		152	+ ". Memory not allocated",
		153	+ allocsize, filesize);
		154	+ return;
		155	+ }
		156	+
		157	newcounts =
		158	(uint64_t *)_TIFFCheckMalloc(tif, nstrips, sizeof(uint64_t),
		159	"for chopped \"StripByteCounts\" array");
		160	--
		161	2.43.0
		162


diff --git a/meta/recipes-multimedia/libtiff/tiff_4.6.0.bb b/meta/recipes-multimedia/libtiff/tiff_4.6.0.bb index 49984f1125..4c472f8ef6 100644 --- a/meta/recipes-multimedia/libtiff/tiff_4.6.0.bb +++ b/meta/recipes-multimedia/libtiff/tiff_4.6.0.bb
@@ -9,6 +9,9 @@ LIC_FILES_CHKSUM = "file://LICENSE.md;md5=a3e32d664d6db1386b4689c8121531c3"
9	CVE_PRODUCT = "libtiff"	9	CVE_PRODUCT = "libtiff"
10		10
11	SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \	11	SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
		12	file://CVE-2023-6277-At-image-reading-compare-data-size-of-some-tags-data.patch \
		13	file://CVE-2023-6277-At-image-reading-compare-data-size-of-some-tags-data-2.patch \
		14	file://CVE-2023-6277-Apply-1-suggestion-s-to-1-file-s.patch \
12	"	15	"
13		16
14	SRC_URI[sha256sum] = "88b3979e6d5c7e32b50d7ec72fb15af724f6ab2cbf7e10880c360a77e4b5d99a"	17	SRC_URI[sha256sum] = "88b3979e6d5c7e32b50d7ec72fb15af724f6ab2cbf7e10880c360a77e4b5d99a"