diff options
author | Alexander Kanavin <alex.kanavin@gmail.com> | 2022-06-06 14:01:16 +0200 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2022-06-07 21:21:54 +0100 |
commit | 570991487424397bf8374e77320820ce89493b3a (patch) | |
tree | 6370c28e8541f2dec687f9d8be24be98924f9d34 /meta/recipes-multimedia/libtiff | |
parent | 6196e496847e67d38462b9b40bba13b021caaf19 (diff) | |
download | poky-570991487424397bf8374e77320820ce89493b3a.tar.gz |
tiff: update 4.3.0 -> 4.4.0
Drop all CVE backports.
(From OE-Core rev: ec3897659a046e7e3f652cabd04e98bb56f1b261)
Signed-off-by: Alexander Kanavin <alex@linutronix.de>
Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-multimedia/libtiff')
10 files changed, 3 insertions, 594 deletions
diff --git a/meta/recipes-multimedia/libtiff/tiff/0001-tif_jbig.c-fix-crash-when-reading-a-file-with-multip.patch b/meta/recipes-multimedia/libtiff/tiff/0001-tif_jbig.c-fix-crash-when-reading-a-file-with-multip.patch deleted file mode 100644 index f1a4ab4251..0000000000 --- a/meta/recipes-multimedia/libtiff/tiff/0001-tif_jbig.c-fix-crash-when-reading-a-file-with-multip.patch +++ /dev/null | |||
@@ -1,38 +0,0 @@ | |||
1 | CVE: CVE-2022-0865 | ||
2 | Upstream-Status: Backport | ||
3 | Signed-off-by: Ross Burton <ross.burton@arm.com> | ||
4 | |||
5 | From 88da11ae3c4db527cb870fb1017456cc8fbac2e7 Mon Sep 17 00:00:00 2001 | ||
6 | From: Even Rouault <even.rouault@spatialys.com> | ||
7 | Date: Thu, 24 Feb 2022 22:26:02 +0100 | ||
8 | Subject: [PATCH 1/6] tif_jbig.c: fix crash when reading a file with multiple | ||
9 | IFD in memory-mapped mode and when bit reversal is needed (fixes #385) | ||
10 | |||
11 | --- | ||
12 | libtiff/tif_jbig.c | 10 ++++++++++ | ||
13 | 1 file changed, 10 insertions(+) | ||
14 | |||
15 | diff --git a/libtiff/tif_jbig.c b/libtiff/tif_jbig.c | ||
16 | index 74086338..8bfa4cef 100644 | ||
17 | --- a/libtiff/tif_jbig.c | ||
18 | +++ b/libtiff/tif_jbig.c | ||
19 | @@ -209,6 +209,16 @@ int TIFFInitJBIG(TIFF* tif, int scheme) | ||
20 | */ | ||
21 | tif->tif_flags |= TIFF_NOBITREV; | ||
22 | tif->tif_flags &= ~TIFF_MAPPED; | ||
23 | + /* We may have read from a previous IFD and thus set TIFF_BUFFERMMAP and | ||
24 | + * cleared TIFF_MYBUFFER. It is necessary to restore them to their initial | ||
25 | + * value to be consistent with the state of a non-memory mapped file. | ||
26 | + */ | ||
27 | + if (tif->tif_flags&TIFF_BUFFERMMAP) { | ||
28 | + tif->tif_rawdata = NULL; | ||
29 | + tif->tif_rawdatasize = 0; | ||
30 | + tif->tif_flags &= ~TIFF_BUFFERMMAP; | ||
31 | + tif->tif_flags |= TIFF_MYBUFFER; | ||
32 | + } | ||
33 | |||
34 | /* Setup the function pointers for encode, decode, and cleanup. */ | ||
35 | tif->tif_setupdecode = JBIGSetupDecode; | ||
36 | -- | ||
37 | 2.25.1 | ||
38 | |||
diff --git a/meta/recipes-multimedia/libtiff/tiff/0001-tiffset-fix-global-buffer-overflow-for-ASCII-tags-wh.patch b/meta/recipes-multimedia/libtiff/tiff/0001-tiffset-fix-global-buffer-overflow-for-ASCII-tags-wh.patch deleted file mode 100644 index 72776f09ba..0000000000 --- a/meta/recipes-multimedia/libtiff/tiff/0001-tiffset-fix-global-buffer-overflow-for-ASCII-tags-wh.patch +++ /dev/null | |||
@@ -1,43 +0,0 @@ | |||
1 | CVE: CVE-2022-22844 | ||
2 | Upstream-Status: Backport | ||
3 | Signed-off-by: Ross Burton <ross.burton@arm.com> | ||
4 | |||
5 | From b12a0326e6064b6e0b051d1184a219877472f69b Mon Sep 17 00:00:00 2001 | ||
6 | From: 4ugustus <wangdw.augustus@qq.com> | ||
7 | Date: Tue, 25 Jan 2022 16:25:28 +0000 | ||
8 | Subject: [PATCH] tiffset: fix global-buffer-overflow for ASCII tags where | ||
9 | count is required (fixes #355) | ||
10 | |||
11 | --- | ||
12 | tools/tiffset.c | 16 +++++++++++++--- | ||
13 | 1 file changed, 13 insertions(+), 3 deletions(-) | ||
14 | |||
15 | diff --git a/tools/tiffset.c b/tools/tiffset.c | ||
16 | index 8c9e23c5..e7a88c09 100644 | ||
17 | --- a/tools/tiffset.c | ||
18 | +++ b/tools/tiffset.c | ||
19 | @@ -146,9 +146,19 @@ main(int argc, char* argv[]) | ||
20 | |||
21 | arg_index++; | ||
22 | if (TIFFFieldDataType(fip) == TIFF_ASCII) { | ||
23 | - if (TIFFSetField(tiff, TIFFFieldTag(fip), argv[arg_index]) != 1) | ||
24 | - fprintf( stderr, "Failed to set %s=%s\n", | ||
25 | - TIFFFieldName(fip), argv[arg_index] ); | ||
26 | + if(TIFFFieldPassCount( fip )) { | ||
27 | + size_t len; | ||
28 | + len = strlen(argv[arg_index]) + 1; | ||
29 | + if (len > UINT16_MAX || TIFFSetField(tiff, TIFFFieldTag(fip), | ||
30 | + (uint16_t)len, argv[arg_index]) != 1) | ||
31 | + fprintf( stderr, "Failed to set %s=%s\n", | ||
32 | + TIFFFieldName(fip), argv[arg_index] ); | ||
33 | + } else { | ||
34 | + if (TIFFSetField(tiff, TIFFFieldTag(fip), | ||
35 | + argv[arg_index]) != 1) | ||
36 | + fprintf( stderr, "Failed to set %s=%s\n", | ||
37 | + TIFFFieldName(fip), argv[arg_index] ); | ||
38 | + } | ||
39 | } else if (TIFFFieldWriteCount(fip) > 0 | ||
40 | || TIFFFieldWriteCount(fip) == TIFF_VARIABLE) { | ||
41 | int ret = 1; | ||
42 | -- | ||
43 | 2.25.1 | ||
diff --git a/meta/recipes-multimedia/libtiff/tiff/0002-tiffcrop-fix-issue-380-and-382-heap-buffer-overflow-.patch b/meta/recipes-multimedia/libtiff/tiff/0002-tiffcrop-fix-issue-380-and-382-heap-buffer-overflow-.patch deleted file mode 100644 index 812ffb232d..0000000000 --- a/meta/recipes-multimedia/libtiff/tiff/0002-tiffcrop-fix-issue-380-and-382-heap-buffer-overflow-.patch +++ /dev/null | |||
@@ -1,219 +0,0 @@ | |||
1 | CVE: CVE-2022-0891 | ||
2 | CVE: CVE-2022-1056 | ||
3 | Upstream-Status: Backport | ||
4 | Signed-off-by: Ross Burton <ross.burton@arm.com> | ||
5 | |||
6 | From e46b49e60fddb2e924302fb1751f79eb9cfb2253 Mon Sep 17 00:00:00 2001 | ||
7 | From: Su Laus <sulau@freenet.de> | ||
8 | Date: Tue, 8 Mar 2022 17:02:44 +0000 | ||
9 | Subject: [PATCH 2/6] tiffcrop: fix issue #380 and #382 heap buffer overflow in | ||
10 | extractImageSection | ||
11 | |||
12 | --- | ||
13 | tools/tiffcrop.c | 92 +++++++++++++++++++----------------------------- | ||
14 | 1 file changed, 36 insertions(+), 56 deletions(-) | ||
15 | |||
16 | diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c | ||
17 | index b85c2ce7..302a7e91 100644 | ||
18 | --- a/tools/tiffcrop.c | ||
19 | +++ b/tools/tiffcrop.c | ||
20 | @@ -105,8 +105,8 @@ | ||
21 | * of messages to monitor progress without enabling dump logs. | ||
22 | */ | ||
23 | |||
24 | -static char tiffcrop_version_id[] = "2.4"; | ||
25 | -static char tiffcrop_rev_date[] = "12-13-2010"; | ||
26 | +static char tiffcrop_version_id[] = "2.4.1"; | ||
27 | +static char tiffcrop_rev_date[] = "03-03-2010"; | ||
28 | |||
29 | #include "tif_config.h" | ||
30 | #include "libport.h" | ||
31 | @@ -6710,10 +6710,10 @@ extractImageSection(struct image_data *image, struct pageseg *section, | ||
32 | #ifdef DEVELMODE | ||
33 | uint32_t img_length; | ||
34 | #endif | ||
35 | - uint32_t j, shift1, shift2, trailing_bits; | ||
36 | + uint32_t j, shift1, trailing_bits; | ||
37 | uint32_t row, first_row, last_row, first_col, last_col; | ||
38 | uint32_t src_offset, dst_offset, row_offset, col_offset; | ||
39 | - uint32_t offset1, offset2, full_bytes; | ||
40 | + uint32_t offset1, full_bytes; | ||
41 | uint32_t sect_width; | ||
42 | #ifdef DEVELMODE | ||
43 | uint32_t sect_length; | ||
44 | @@ -6723,7 +6723,6 @@ extractImageSection(struct image_data *image, struct pageseg *section, | ||
45 | #ifdef DEVELMODE | ||
46 | int k; | ||
47 | unsigned char bitset; | ||
48 | - static char *bitarray = NULL; | ||
49 | #endif | ||
50 | |||
51 | img_width = image->width; | ||
52 | @@ -6741,17 +6740,12 @@ extractImageSection(struct image_data *image, struct pageseg *section, | ||
53 | dst_offset = 0; | ||
54 | |||
55 | #ifdef DEVELMODE | ||
56 | - if (bitarray == NULL) | ||
57 | - { | ||
58 | - if ((bitarray = (char *)malloc(img_width)) == NULL) | ||
59 | - { | ||
60 | - TIFFError ("", "DEBUG: Unable to allocate debugging bitarray"); | ||
61 | - return (-1); | ||
62 | - } | ||
63 | - } | ||
64 | + char bitarray[39]; | ||
65 | #endif | ||
66 | |||
67 | - /* rows, columns, width, length are expressed in pixels */ | ||
68 | + /* rows, columns, width, length are expressed in pixels | ||
69 | + * first_row, last_row, .. are index into image array starting at 0 to width-1, | ||
70 | + * last_col shall be also extracted. */ | ||
71 | first_row = section->y1; | ||
72 | last_row = section->y2; | ||
73 | first_col = section->x1; | ||
74 | @@ -6761,9 +6755,14 @@ extractImageSection(struct image_data *image, struct pageseg *section, | ||
75 | #ifdef DEVELMODE | ||
76 | sect_length = last_row - first_row + 1; | ||
77 | #endif | ||
78 | - img_rowsize = ((img_width * bps + 7) / 8) * spp; | ||
79 | - full_bytes = (sect_width * spp * bps) / 8; /* number of COMPLETE bytes per row in section */ | ||
80 | - trailing_bits = (sect_width * bps) % 8; | ||
81 | + /* The read function loadImage() used copy separate plane data into a buffer as interleaved | ||
82 | + * samples rather than separate planes so the same logic works to extract regions | ||
83 | + * regardless of the way the data are organized in the input file. | ||
84 | + * Furthermore, bytes and bits are arranged in buffer according to COMPRESSION=1 and FILLORDER=1 | ||
85 | + */ | ||
86 | + img_rowsize = (((img_width * spp * bps) + 7) / 8); /* row size in full bytes of source image */ | ||
87 | + full_bytes = (sect_width * spp * bps) / 8; /* number of COMPLETE bytes per row in section */ | ||
88 | + trailing_bits = (sect_width * spp * bps) % 8; /* trailing bits within the last byte of destination buffer */ | ||
89 | |||
90 | #ifdef DEVELMODE | ||
91 | TIFFError ("", "First row: %"PRIu32", last row: %"PRIu32", First col: %"PRIu32", last col: %"PRIu32"\n", | ||
92 | @@ -6776,10 +6775,9 @@ extractImageSection(struct image_data *image, struct pageseg *section, | ||
93 | |||
94 | if ((bps % 8) == 0) | ||
95 | { | ||
96 | - col_offset = first_col * spp * bps / 8; | ||
97 | + col_offset = (first_col * spp * bps) / 8; | ||
98 | for (row = first_row; row <= last_row; row++) | ||
99 | { | ||
100 | - /* row_offset = row * img_width * spp * bps / 8; */ | ||
101 | row_offset = row * img_rowsize; | ||
102 | src_offset = row_offset + col_offset; | ||
103 | |||
104 | @@ -6792,14 +6790,12 @@ extractImageSection(struct image_data *image, struct pageseg *section, | ||
105 | } | ||
106 | else | ||
107 | { /* bps != 8 */ | ||
108 | - shift1 = spp * ((first_col * bps) % 8); | ||
109 | - shift2 = spp * ((last_col * bps) % 8); | ||
110 | + shift1 = ((first_col * spp * bps) % 8); /* shift1 = bits to skip in the first byte of source buffer*/ | ||
111 | for (row = first_row; row <= last_row; row++) | ||
112 | { | ||
113 | /* pull out the first byte */ | ||
114 | row_offset = row * img_rowsize; | ||
115 | - offset1 = row_offset + (first_col * bps / 8); | ||
116 | - offset2 = row_offset + (last_col * bps / 8); | ||
117 | + offset1 = row_offset + ((first_col * spp * bps) / 8); /* offset1 = offset into source of byte with first bits to be extracted */ | ||
118 | |||
119 | #ifdef DEVELMODE | ||
120 | for (j = 0, k = 7; j < 8; j++, k--) | ||
121 | @@ -6811,12 +6807,12 @@ extractImageSection(struct image_data *image, struct pageseg *section, | ||
122 | sprintf(&bitarray[9], " "); | ||
123 | for (j = 10, k = 7; j < 18; j++, k--) | ||
124 | { | ||
125 | - bitset = *(src_buff + offset2) & (((unsigned char)1 << k)) ? 1 : 0; | ||
126 | + bitset = *(src_buff + offset1 + full_bytes) & (((unsigned char)1 << k)) ? 1 : 0; | ||
127 | sprintf(&bitarray[j], (bitset) ? "1" : "0"); | ||
128 | } | ||
129 | bitarray[18] = '\0'; | ||
130 | - TIFFError ("", "Row: %3d Offset1: %"PRIu32", Shift1: %"PRIu32", Offset2: %"PRIu32", Shift2: %"PRIu32"\n", | ||
131 | - row, offset1, shift1, offset2, shift2); | ||
132 | + TIFFError ("", "Row: %3d Offset1: %"PRIu32", Shift1: %"PRIu32", Offset2: %"PRIu32", Trailing_bits: %"PRIu32"\n", | ||
133 | + row, offset1, shift1, offset1+full_bytes, trailing_bits); | ||
134 | #endif | ||
135 | |||
136 | bytebuff1 = bytebuff2 = 0; | ||
137 | @@ -6840,11 +6836,12 @@ extractImageSection(struct image_data *image, struct pageseg *section, | ||
138 | |||
139 | if (trailing_bits != 0) | ||
140 | { | ||
141 | - bytebuff2 = src_buff[offset2] & ((unsigned char)255 << (7 - shift2)); | ||
142 | + /* Only copy higher bits of samples and mask lower bits of not wanted column samples to zero */ | ||
143 | + bytebuff2 = src_buff[offset1 + full_bytes] & ((unsigned char)255 << (8 - trailing_bits)); | ||
144 | sect_buff[dst_offset] = bytebuff2; | ||
145 | #ifdef DEVELMODE | ||
146 | TIFFError ("", " Trailing bits src offset: %8"PRIu32", Dst offset: %8"PRIu32"\n", | ||
147 | - offset2, dst_offset); | ||
148 | + offset1 + full_bytes, dst_offset); | ||
149 | for (j = 30, k = 7; j < 38; j++, k--) | ||
150 | { | ||
151 | bitset = *(sect_buff + dst_offset) & (((unsigned char)1 << k)) ? 1 : 0; | ||
152 | @@ -6863,8 +6860,10 @@ extractImageSection(struct image_data *image, struct pageseg *section, | ||
153 | #endif | ||
154 | for (j = 0; j <= full_bytes; j++) | ||
155 | { | ||
156 | - bytebuff1 = src_buff[offset1 + j] & ((unsigned char)255 >> shift1); | ||
157 | - bytebuff2 = src_buff[offset1 + j + 1] & ((unsigned char)255 << (7 - shift1)); | ||
158 | + /* Skip the first shift1 bits and shift the source up by shift1 bits before save to destination.*/ | ||
159 | + /* Attention: src_buff size needs to be some bytes larger than image size, because could read behind image here. */ | ||
160 | + bytebuff1 = src_buff[offset1 + j] & ((unsigned char)255 >> shift1); | ||
161 | + bytebuff2 = src_buff[offset1 + j + 1] & ((unsigned char)255 << (8 - shift1)); | ||
162 | sect_buff[dst_offset + j] = (bytebuff1 << shift1) | (bytebuff2 >> (8 - shift1)); | ||
163 | } | ||
164 | #ifdef DEVELMODE | ||
165 | @@ -6880,36 +6879,17 @@ extractImageSection(struct image_data *image, struct pageseg *section, | ||
166 | #endif | ||
167 | dst_offset += full_bytes; | ||
168 | |||
169 | + /* Copy the trailing_bits for the last byte in the destination buffer. | ||
170 | + Could come from one ore two bytes of the source buffer. */ | ||
171 | if (trailing_bits != 0) | ||
172 | { | ||
173 | #ifdef DEVELMODE | ||
174 | - TIFFError ("", " Trailing bits src offset: %8"PRIu32", Dst offset: %8"PRIu32"\n", offset1 + full_bytes, dst_offset); | ||
175 | -#endif | ||
176 | - if (shift2 > shift1) | ||
177 | - { | ||
178 | - bytebuff1 = src_buff[offset1 + full_bytes] & ((unsigned char)255 << (7 - shift2)); | ||
179 | - bytebuff2 = bytebuff1 & ((unsigned char)255 << shift1); | ||
180 | - sect_buff[dst_offset] = bytebuff2; | ||
181 | -#ifdef DEVELMODE | ||
182 | - TIFFError ("", " Shift2 > Shift1\n"); | ||
183 | + TIFFError("", " Trailing bits %4"PRIu32" src offset: %8"PRIu32", Dst offset: %8"PRIu32"\n", trailing_bits, offset1 + full_bytes, dst_offset); | ||
184 | #endif | ||
185 | + /* More than necessary bits are already copied into last destination buffer, | ||
186 | + * only masking of last byte in destination buffer is necessary.*/ | ||
187 | + sect_buff[dst_offset] &= ((uint8_t)0xFF << (8 - trailing_bits)); | ||
188 | } | ||
189 | - else | ||
190 | - { | ||
191 | - if (shift2 < shift1) | ||
192 | - { | ||
193 | - bytebuff2 = ((unsigned char)255 << (shift1 - shift2 - 1)); | ||
194 | - sect_buff[dst_offset] &= bytebuff2; | ||
195 | -#ifdef DEVELMODE | ||
196 | - TIFFError ("", " Shift2 < Shift1\n"); | ||
197 | -#endif | ||
198 | - } | ||
199 | -#ifdef DEVELMODE | ||
200 | - else | ||
201 | - TIFFError ("", " Shift2 == Shift1\n"); | ||
202 | -#endif | ||
203 | - } | ||
204 | - } | ||
205 | #ifdef DEVELMODE | ||
206 | sprintf(&bitarray[28], " "); | ||
207 | sprintf(&bitarray[29], " "); | ||
208 | @@ -7062,7 +7042,7 @@ writeImageSections(TIFF *in, TIFF *out, struct image_data *image, | ||
209 | width = sections[i].x2 - sections[i].x1 + 1; | ||
210 | length = sections[i].y2 - sections[i].y1 + 1; | ||
211 | sectsize = (uint32_t) | ||
212 | - ceil((width * image->bps + 7) / (double)8) * image->spp * length; | ||
213 | + ceil((width * image->bps * image->spp + 7) / (double)8) * length; | ||
214 | /* allocate a buffer if we don't have one already */ | ||
215 | if (createImageSection(sectsize, sect_buff_ptr)) | ||
216 | { | ||
217 | -- | ||
218 | 2.25.1 | ||
219 | |||
diff --git a/meta/recipes-multimedia/libtiff/tiff/0003-add-checks-for-return-value-of-limitMalloc-392.patch b/meta/recipes-multimedia/libtiff/tiff/0003-add-checks-for-return-value-of-limitMalloc-392.patch deleted file mode 100644 index a0b856b9e1..0000000000 --- a/meta/recipes-multimedia/libtiff/tiff/0003-add-checks-for-return-value-of-limitMalloc-392.patch +++ /dev/null | |||
@@ -1,93 +0,0 @@ | |||
1 | CVE: CVE-2022-0907 | ||
2 | Upstream-Status: Backport | ||
3 | Signed-off-by: Ross Burton <ross.burton@arm.com> | ||
4 | |||
5 | From a139191cc86f4dc44c74a0f22928e0fb38ed2485 Mon Sep 17 00:00:00 2001 | ||
6 | From: Augustus <wangdw.augustus@qq.com> | ||
7 | Date: Mon, 7 Mar 2022 18:21:49 +0800 | ||
8 | Subject: [PATCH 3/6] add checks for return value of limitMalloc (#392) | ||
9 | |||
10 | --- | ||
11 | tools/tiffcrop.c | 33 +++++++++++++++++++++------------ | ||
12 | 1 file changed, 21 insertions(+), 12 deletions(-) | ||
13 | |||
14 | diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c | ||
15 | index 302a7e91..e407bf51 100644 | ||
16 | --- a/tools/tiffcrop.c | ||
17 | +++ b/tools/tiffcrop.c | ||
18 | @@ -7357,7 +7357,11 @@ createImageSection(uint32_t sectsize, unsigned char **sect_buff_ptr) | ||
19 | if (!sect_buff) | ||
20 | { | ||
21 | sect_buff = (unsigned char *)limitMalloc(sectsize); | ||
22 | - *sect_buff_ptr = sect_buff; | ||
23 | + if (!sect_buff) | ||
24 | + { | ||
25 | + TIFFError("createImageSection", "Unable to allocate/reallocate section buffer"); | ||
26 | + return (-1); | ||
27 | + } | ||
28 | _TIFFmemset(sect_buff, 0, sectsize); | ||
29 | } | ||
30 | else | ||
31 | @@ -7373,15 +7377,15 @@ createImageSection(uint32_t sectsize, unsigned char **sect_buff_ptr) | ||
32 | else | ||
33 | sect_buff = new_buff; | ||
34 | |||
35 | + if (!sect_buff) | ||
36 | + { | ||
37 | + TIFFError("createImageSection", "Unable to allocate/reallocate section buffer"); | ||
38 | + return (-1); | ||
39 | + } | ||
40 | _TIFFmemset(sect_buff, 0, sectsize); | ||
41 | } | ||
42 | } | ||
43 | |||
44 | - if (!sect_buff) | ||
45 | - { | ||
46 | - TIFFError("createImageSection", "Unable to allocate/reallocate section buffer"); | ||
47 | - return (-1); | ||
48 | - } | ||
49 | prev_sectsize = sectsize; | ||
50 | *sect_buff_ptr = sect_buff; | ||
51 | |||
52 | @@ -7648,7 +7652,11 @@ createCroppedImage(struct image_data *image, struct crop_mask *crop, | ||
53 | if (!crop_buff) | ||
54 | { | ||
55 | crop_buff = (unsigned char *)limitMalloc(cropsize); | ||
56 | - *crop_buff_ptr = crop_buff; | ||
57 | + if (!crop_buff) | ||
58 | + { | ||
59 | + TIFFError("createCroppedImage", "Unable to allocate/reallocate crop buffer"); | ||
60 | + return (-1); | ||
61 | + } | ||
62 | _TIFFmemset(crop_buff, 0, cropsize); | ||
63 | prev_cropsize = cropsize; | ||
64 | } | ||
65 | @@ -7664,15 +7672,15 @@ createCroppedImage(struct image_data *image, struct crop_mask *crop, | ||
66 | } | ||
67 | else | ||
68 | crop_buff = new_buff; | ||
69 | + if (!crop_buff) | ||
70 | + { | ||
71 | + TIFFError("createCroppedImage", "Unable to allocate/reallocate crop buffer"); | ||
72 | + return (-1); | ||
73 | + } | ||
74 | _TIFFmemset(crop_buff, 0, cropsize); | ||
75 | } | ||
76 | } | ||
77 | |||
78 | - if (!crop_buff) | ||
79 | - { | ||
80 | - TIFFError("createCroppedImage", "Unable to allocate/reallocate crop buffer"); | ||
81 | - return (-1); | ||
82 | - } | ||
83 | *crop_buff_ptr = crop_buff; | ||
84 | |||
85 | if (crop->crop_mode & CROP_INVERT) | ||
86 | @@ -9231,3 +9239,4 @@ invertImage(uint16_t photometric, uint16_t spp, uint16_t bps, uint32_t width, ui | ||
87 | * fill-column: 78 | ||
88 | * End: | ||
89 | */ | ||
90 | + | ||
91 | -- | ||
92 | 2.25.1 | ||
93 | |||
diff --git a/meta/recipes-multimedia/libtiff/tiff/0004-TIFFFetchNormalTag-avoid-calling-memcpy-with-a-null-.patch b/meta/recipes-multimedia/libtiff/tiff/0004-TIFFFetchNormalTag-avoid-calling-memcpy-with-a-null-.patch deleted file mode 100644 index 719dabaecc..0000000000 --- a/meta/recipes-multimedia/libtiff/tiff/0004-TIFFFetchNormalTag-avoid-calling-memcpy-with-a-null-.patch +++ /dev/null | |||
@@ -1,33 +0,0 @@ | |||
1 | CVE: CVE-2022-0908 | ||
2 | Upstream-Status: Backport | ||
3 | Signed-off-by: Ross Burton <ross.burton@arm.com> | ||
4 | |||
5 | From ef5a0bf271823df168642444d051528a68205cb0 Mon Sep 17 00:00:00 2001 | ||
6 | From: Even Rouault <even.rouault@spatialys.com> | ||
7 | Date: Thu, 17 Feb 2022 15:28:43 +0100 | ||
8 | Subject: [PATCH 4/6] TIFFFetchNormalTag(): avoid calling memcpy() with a null | ||
9 | source pointer and size of zero (fixes #383) | ||
10 | |||
11 | --- | ||
12 | libtiff/tif_dirread.c | 5 ++++- | ||
13 | 1 file changed, 4 insertions(+), 1 deletion(-) | ||
14 | |||
15 | diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c | ||
16 | index d84147a0..4e8ce729 100644 | ||
17 | --- a/libtiff/tif_dirread.c | ||
18 | +++ b/libtiff/tif_dirread.c | ||
19 | @@ -5079,7 +5079,10 @@ TIFFFetchNormalTag(TIFF* tif, TIFFDirEntry* dp, int recover) | ||
20 | _TIFFfree(data); | ||
21 | return(0); | ||
22 | } | ||
23 | - _TIFFmemcpy(o,data,(uint32_t)dp->tdir_count); | ||
24 | + if (dp->tdir_count > 0 ) | ||
25 | + { | ||
26 | + _TIFFmemcpy(o,data,(uint32_t)dp->tdir_count); | ||
27 | + } | ||
28 | o[(uint32_t)dp->tdir_count]=0; | ||
29 | if (data!=0) | ||
30 | _TIFFfree(data); | ||
31 | -- | ||
32 | 2.25.1 | ||
33 | |||
diff --git a/meta/recipes-multimedia/libtiff/tiff/0005-fix-the-FPE-in-tiffcrop-393.patch b/meta/recipes-multimedia/libtiff/tiff/0005-fix-the-FPE-in-tiffcrop-393.patch deleted file mode 100644 index 64dbe9ef92..0000000000 --- a/meta/recipes-multimedia/libtiff/tiff/0005-fix-the-FPE-in-tiffcrop-393.patch +++ /dev/null | |||
@@ -1,36 +0,0 @@ | |||
1 | CVE: CVE-2022-0909 | ||
2 | Upstream-Status: Backport | ||
3 | Signed-off-by: Ross Burton <ross.burton@arm.com> | ||
4 | |||
5 | From 4768355a074d562177e0a8b551c561d1af7eb74a Mon Sep 17 00:00:00 2001 | ||
6 | From: 4ugustus <wangdw.augustus@qq.com> | ||
7 | Date: Tue, 8 Mar 2022 16:22:04 +0000 | ||
8 | Subject: [PATCH 5/6] fix the FPE in tiffcrop (#393) | ||
9 | |||
10 | --- | ||
11 | libtiff/tif_dir.c | 4 ++-- | ||
12 | 1 file changed, 2 insertions(+), 2 deletions(-) | ||
13 | |||
14 | diff --git a/libtiff/tif_dir.c b/libtiff/tif_dir.c | ||
15 | index a6c254fc..77da6ea4 100644 | ||
16 | --- a/libtiff/tif_dir.c | ||
17 | +++ b/libtiff/tif_dir.c | ||
18 | @@ -335,13 +335,13 @@ _TIFFVSetField(TIFF* tif, uint32_t tag, va_list ap) | ||
19 | break; | ||
20 | case TIFFTAG_XRESOLUTION: | ||
21 | dblval = va_arg(ap, double); | ||
22 | - if( dblval < 0 ) | ||
23 | + if( dblval != dblval || dblval < 0 ) | ||
24 | goto badvaluedouble; | ||
25 | td->td_xresolution = _TIFFClampDoubleToFloat( dblval ); | ||
26 | break; | ||
27 | case TIFFTAG_YRESOLUTION: | ||
28 | dblval = va_arg(ap, double); | ||
29 | - if( dblval < 0 ) | ||
30 | + if( dblval != dblval || dblval < 0 ) | ||
31 | goto badvaluedouble; | ||
32 | td->td_yresolution = _TIFFClampDoubleToFloat( dblval ); | ||
33 | break; | ||
34 | -- | ||
35 | 2.25.1 | ||
36 | |||
diff --git a/meta/recipes-multimedia/libtiff/tiff/0006-fix-heap-buffer-overflow-in-tiffcp-278.patch b/meta/recipes-multimedia/libtiff/tiff/0006-fix-heap-buffer-overflow-in-tiffcp-278.patch deleted file mode 100644 index afd5e59960..0000000000 --- a/meta/recipes-multimedia/libtiff/tiff/0006-fix-heap-buffer-overflow-in-tiffcp-278.patch +++ /dev/null | |||
@@ -1,57 +0,0 @@ | |||
1 | CVE: CVE-2022-0924 | ||
2 | Upstream-Status: Backport | ||
3 | Signed-off-by: Ross Burton <ross.burton@arm.com> | ||
4 | |||
5 | From 1074b9691322b1e3671cd8ea0b6b3509d08978fb Mon Sep 17 00:00:00 2001 | ||
6 | From: 4ugustus <wangdw.augustus@qq.com> | ||
7 | Date: Thu, 10 Mar 2022 08:48:00 +0000 | ||
8 | Subject: [PATCH 6/6] fix heap buffer overflow in tiffcp (#278) | ||
9 | |||
10 | --- | ||
11 | tools/tiffcp.c | 17 ++++++++++++++++- | ||
12 | 1 file changed, 16 insertions(+), 1 deletion(-) | ||
13 | |||
14 | diff --git a/tools/tiffcp.c b/tools/tiffcp.c | ||
15 | index 1f889516..552d8fad 100644 | ||
16 | --- a/tools/tiffcp.c | ||
17 | +++ b/tools/tiffcp.c | ||
18 | @@ -1661,12 +1661,27 @@ DECLAREwriteFunc(writeBufferToSeparateStrips) | ||
19 | tdata_t obuf; | ||
20 | tstrip_t strip = 0; | ||
21 | tsample_t s; | ||
22 | + uint16_t bps = 0, bytes_per_sample; | ||
23 | |||
24 | obuf = limitMalloc(stripsize); | ||
25 | if (obuf == NULL) | ||
26 | return (0); | ||
27 | _TIFFmemset(obuf, 0, stripsize); | ||
28 | (void) TIFFGetFieldDefaulted(out, TIFFTAG_ROWSPERSTRIP, &rowsperstrip); | ||
29 | + (void) TIFFGetField(out, TIFFTAG_BITSPERSAMPLE, &bps); | ||
30 | + if( bps == 0 ) | ||
31 | + { | ||
32 | + TIFFError(TIFFFileName(out), "Error, cannot read BitsPerSample"); | ||
33 | + _TIFFfree(obuf); | ||
34 | + return 0; | ||
35 | + } | ||
36 | + if( (bps % 8) != 0 ) | ||
37 | + { | ||
38 | + TIFFError(TIFFFileName(out), "Error, cannot handle BitsPerSample that is not a multiple of 8"); | ||
39 | + _TIFFfree(obuf); | ||
40 | + return 0; | ||
41 | + } | ||
42 | + bytes_per_sample = bps/8; | ||
43 | for (s = 0; s < spp; s++) { | ||
44 | uint32_t row; | ||
45 | for (row = 0; row < imagelength; row += rowsperstrip) { | ||
46 | @@ -1676,7 +1691,7 @@ DECLAREwriteFunc(writeBufferToSeparateStrips) | ||
47 | |||
48 | cpContigBufToSeparateBuf( | ||
49 | obuf, (uint8_t*) buf + row * rowsize + s, | ||
50 | - nrows, imagewidth, 0, 0, spp, 1); | ||
51 | + nrows, imagewidth, 0, 0, spp, bytes_per_sample); | ||
52 | if (TIFFWriteEncodedStrip(out, strip++, obuf, stripsize) < 0) { | ||
53 | TIFFError(TIFFFileName(out), | ||
54 | "Error, can't write strip %"PRIu32, | ||
55 | -- | ||
56 | 2.25.1 | ||
57 | |||
diff --git a/meta/recipes-multimedia/libtiff/tiff/561599c99f987dc32ae110370cfdd7df7975586b.patch b/meta/recipes-multimedia/libtiff/tiff/561599c99f987dc32ae110370cfdd7df7975586b.patch deleted file mode 100644 index 0b41dde606..0000000000 --- a/meta/recipes-multimedia/libtiff/tiff/561599c99f987dc32ae110370cfdd7df7975586b.patch +++ /dev/null | |||
@@ -1,30 +0,0 @@ | |||
1 | From 561599c99f987dc32ae110370cfdd7df7975586b Mon Sep 17 00:00:00 2001 | ||
2 | From: Even Rouault <even.rouault@spatialys.com> | ||
3 | Date: Sat, 5 Feb 2022 20:36:41 +0100 | ||
4 | Subject: [PATCH] TIFFReadDirectory(): avoid calling memcpy() with a null | ||
5 | source pointer and size of zero (fixes #362) | ||
6 | |||
7 | Upstream-Status: Backport | ||
8 | CVE: CVE-2022-0562 | ||
9 | |||
10 | --- | ||
11 | libtiff/tif_dirread.c | 3 ++- | ||
12 | 1 file changed, 2 insertions(+), 1 deletion(-) | ||
13 | |||
14 | diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c | ||
15 | index 2bbc4585..23194ced 100644 | ||
16 | --- a/libtiff/tif_dirread.c | ||
17 | +++ b/libtiff/tif_dirread.c | ||
18 | @@ -4177,7 +4177,8 @@ TIFFReadDirectory(TIFF* tif) | ||
19 | goto bad; | ||
20 | } | ||
21 | |||
22 | - memcpy(new_sampleinfo, tif->tif_dir.td_sampleinfo, old_extrasamples * sizeof(uint16_t)); | ||
23 | + if (old_extrasamples > 0) | ||
24 | + memcpy(new_sampleinfo, tif->tif_dir.td_sampleinfo, old_extrasamples * sizeof(uint16_t)); | ||
25 | _TIFFsetShortArray(&tif->tif_dir.td_sampleinfo, new_sampleinfo, tif->tif_dir.td_extrasamples); | ||
26 | _TIFFfree(new_sampleinfo); | ||
27 | } | ||
28 | -- | ||
29 | GitLab | ||
30 | |||
diff --git a/meta/recipes-multimedia/libtiff/tiff/eecb0712f4c3a5b449f70c57988260a667ddbdef.patch b/meta/recipes-multimedia/libtiff/tiff/eecb0712f4c3a5b449f70c57988260a667ddbdef.patch deleted file mode 100644 index 74f9649fdf..0000000000 --- a/meta/recipes-multimedia/libtiff/tiff/eecb0712f4c3a5b449f70c57988260a667ddbdef.patch +++ /dev/null | |||
@@ -1,32 +0,0 @@ | |||
1 | From eecb0712f4c3a5b449f70c57988260a667ddbdef Mon Sep 17 00:00:00 2001 | ||
2 | From: Even Rouault <even.rouault@spatialys.com> | ||
3 | Date: Sun, 6 Feb 2022 13:08:38 +0100 | ||
4 | Subject: [PATCH] TIFFFetchStripThing(): avoid calling memcpy() with a null | ||
5 | source pointer and size of zero (fixes #362) | ||
6 | |||
7 | Upstream-Status: Backport | ||
8 | CVE: CVE-2022-0561 | ||
9 | |||
10 | --- | ||
11 | libtiff/tif_dirread.c | 5 +++-- | ||
12 | 1 file changed, 3 insertions(+), 2 deletions(-) | ||
13 | |||
14 | diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c | ||
15 | index 23194ced..50ebf8ac 100644 | ||
16 | --- a/libtiff/tif_dirread.c | ||
17 | +++ b/libtiff/tif_dirread.c | ||
18 | @@ -5777,8 +5777,9 @@ TIFFFetchStripThing(TIFF* tif, TIFFDirEntry* dir, uint32_t nstrips, uint64_t** l | ||
19 | _TIFFfree(data); | ||
20 | return(0); | ||
21 | } | ||
22 | - _TIFFmemcpy(resizeddata,data, (uint32_t)dir->tdir_count * sizeof(uint64_t)); | ||
23 | - _TIFFmemset(resizeddata+(uint32_t)dir->tdir_count, 0, (nstrips - (uint32_t)dir->tdir_count) * sizeof(uint64_t)); | ||
24 | + if( dir->tdir_count ) | ||
25 | + _TIFFmemcpy(resizeddata,data, (uint32_t)dir->tdir_count * sizeof(uint64_t)); | ||
26 | + _TIFFmemset(resizeddata+(uint32_t)dir->tdir_count, 0, (nstrips - (uint32_t)dir->tdir_count) * sizeof(uint64_t)); | ||
27 | _TIFFfree(data); | ||
28 | data=resizeddata; | ||
29 | } | ||
30 | -- | ||
31 | GitLab | ||
32 | |||
diff --git a/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb b/meta/recipes-multimedia/libtiff/tiff_4.4.0.bb index 7a5e4816a6..c82965ffa1 100644 --- a/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb +++ b/meta/recipes-multimedia/libtiff/tiff_4.4.0.bb | |||
@@ -8,19 +8,9 @@ LIC_FILES_CHKSUM = "file://COPYRIGHT;md5=34da3db46fab7501992f9615d7e158cf" | |||
8 | 8 | ||
9 | CVE_PRODUCT = "libtiff" | 9 | CVE_PRODUCT = "libtiff" |
10 | 10 | ||
11 | SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \ | 11 | SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz" |
12 | file://0001-tiffset-fix-global-buffer-overflow-for-ASCII-tags-wh.patch \ | 12 | |
13 | file://561599c99f987dc32ae110370cfdd7df7975586b.patch \ | 13 | SRC_URI[sha256sum] = "917223b37538959aca3b790d2d73aa6e626b688e02dcda272aec24c2f498abed" |
14 | file://eecb0712f4c3a5b449f70c57988260a667ddbdef.patch \ | ||
15 | file://0001-tif_jbig.c-fix-crash-when-reading-a-file-with-multip.patch \ | ||
16 | file://0002-tiffcrop-fix-issue-380-and-382-heap-buffer-overflow-.patch \ | ||
17 | file://0003-add-checks-for-return-value-of-limitMalloc-392.patch \ | ||
18 | file://0004-TIFFFetchNormalTag-avoid-calling-memcpy-with-a-null-.patch \ | ||
19 | file://0005-fix-the-FPE-in-tiffcrop-393.patch \ | ||
20 | file://0006-fix-heap-buffer-overflow-in-tiffcp-278.patch \ | ||
21 | " | ||
22 | |||
23 | SRC_URI[sha256sum] = "0e46e5acb087ce7d1ac53cf4f56a09b221537fc86dfc5daaad1c2e89e1b37ac8" | ||
24 | 14 | ||
25 | # exclude betas | 15 | # exclude betas |
26 | UPSTREAM_CHECK_REGEX = "tiff-(?P<pver>\d+(\.\d+)+).tar" | 16 | UPSTREAM_CHECK_REGEX = "tiff-(?P<pver>\d+(\.\d+)+).tar" |