author | Hitendra Prajapati <hprajapati@mvista.com> | 2023-08-01 11:42:22 +0530 |
---|---|---|
committer | Steve Sakoman <steve@sakoman.com> | 2023-08-16 03:55:12 -1000 |
commit | b5f81a875de8a146c4f698d9bd06ac1a152a01f7 (patch) | |
tree | 6e3f02b157fee9904ec24a2e65b1a96158617aa6 /meta/recipes-multimedia/libtiff | |
parent | 2ff427ee403263834ef7f59027f197e44fb7ed1d (diff) | |
download | poky-b5f81a875de8a146c4f698d9bd06ac1a152a01f7.tar.gz |
tiff: fix multiple CVEs
Backport fixes for:
* CVE-2023-25433 - Upstream-Status: Backport from https://gitlab.com/libtiff/libtiff/-/commit/9c22495e5eeeae9e00a1596720c969656bb8d678 && https://gitlab.com/libtiff/libtiff/-/commit/688012dca2c39033aa2dc7bcea9796787cfd1b44
* CVE-2023-25434 & CVE-2023-25435 - Upstream-Status: Backport from https://gitlab.com/libtiff/libtiff/-/commit/69818e2f2d246e6631ac2a2da692c3706b849c38
* CVE-2023-26965 & CVE-2023-26966 - Upstream-Status: Backport [import from debian http://security.debian.org/debian-security/pool/updates/main/t/tiff/tiff_4.1.0+git191117-2~deb10u8.debian.tar.xz]
(From OE-Core rev: 3d322227477f9e82fc22de6e896174d04513d72b)
Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Diffstat (limited to 'meta/recipes-multimedia/libtiff')
5 files changed, 396 insertions, 0 deletions
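--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2023-25433.patch
@@ -0,0 +1,173 @@
+From 9c22495e5eeeae9e00a1596720c969656bb8d678 Mon Sep 17 00:00:00 2001
+From: Su_Laus <sulau@freenet.de>
+Date: Fri, 3 Feb 2023 15:31:31 +0100
+Subject: [PATCH] tiffcrop correctly update buffersize after rotateImage()
+fix#520 rotateImage() set up a new buffer and calculates its size
+individually. Therefore, seg_buffs[] size needs to be updated accordingly.
+Before this fix, the seg_buffs buffer size was calculated with a different
+formula than within rotateImage().
+
+Closes #520.
+
+Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/9c22495e5eeeae9e00a1596720c969656bb8d678 && https://gitlab.com/libtiff/libtiff/-/commit/688012dca2c39033aa2dc7bcea9796787cfd1b44]
+CVE: CVE-2023-25433
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+tools/tiffcrop.c | 69 +++++++++++++++++++++++++++++++++++++++---------
+1 file changed, 56 insertions(+), 13 deletions(-)
+
+diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
+index 742615a..aab0ec6 100644
+--- a/tools/tiffcrop.c
++++ b/tools/tiffcrop.c
+@@ -531,7 +531,7 @@ static int rotateContigSamples24bits(uint16, uint16, uint16, uint32,
+static int rotateContigSamples32bits(uint16, uint16, uint16, uint32,
+uint32, uint32, uint8 *, uint8 *);
+static int rotateImage(uint16, struct image_data *, uint32 *, uint32 *,
+- unsigned char **, int);
++ unsigned char **, size_t *);
+static int mirrorImage(uint16, uint16, uint16, uint32, uint32,
+unsigned char *);
+static int invertImage(uint16, uint16, uint16, uint32, uint32,
+@@ -6384,7 +6384,7 @@ static int correct_orientation(struct image_data *image, unsigned char **work_b
+* but switch xres, yres there. */
+uint32_t width = image->width;
+uint32_t length = image->length;
+- if (rotateImage(rotation, image, &width, &length, work_buff_ptr, TRUE))
++ if (rotateImage(rotation, image, &width, &length, work_buff_ptr, NULL))
+{
+TIFFError ("correct_orientation", "Unable to rotate image");
+return (-1);
+@@ -7607,8 +7607,12 @@ processCropSelections(struct image_data *image, struct crop_mask *crop,
+
+if (crop->crop_mode & CROP_ROTATE) /* rotate should be last as it can reallocate the buffer */
+{
++ /* rotateImage() set up a new buffer and calculates its size
++ * individually. Therefore, seg_buffs size needs to be updated
++ * accordingly. */
++ size_t rot_buf_size = 0;
+if (rotateImage(crop->rotation, image, &crop->combined_width,
+- &crop->combined_length, &crop_buff, FALSE))
++ &crop->combined_length, &crop_buff, &rot_buf_size))
+{
+TIFFError("processCropSelections",
+"Failed to rotate composite regions by %d degrees", crop->rotation);
+@@ -7713,8 +7717,13 @@ processCropSelections(struct image_data *image, struct crop_mask *crop,
+
+if (crop->crop_mode & CROP_ROTATE) /* rotate should be last as it can reallocate the buffer */
+{
+- if (rotateImage(crop->rotation, image, &crop->regionlist[i].width,
+- &crop->regionlist[i].length, &crop_buff, FALSE))
++ /* Furthermore, rotateImage() set up a new buffer and calculates
++ * its size individually. Therefore, seg_buffs size needs to be
++ * updated accordingly. */
++ size_t rot_buf_size = 0;
++ if (rotateImage(
++ crop->rotation, image, &crop->regionlist[i].width,
++ &crop->regionlist[i].length, &crop_buff, &rot_buf_size))
+{
+TIFFError("processCropSelections",
+"Failed to rotate crop region by %d degrees", crop->rotation);
+@@ -7725,8 +7734,7 @@ processCropSelections(struct image_data *image, struct crop_mask *crop,
+crop->combined_width = total_width;
+crop->combined_length = total_length;
+seg_buffs[i].buffer = crop_buff;
+- seg_buffs[i].size = (((crop->regionlist[i].width * image->bps + 7 ) / 8)
+- * image->spp) * crop->regionlist[i].length;
++ seg_buffs[i].size = rot_buf_size;
+}
+}
+}
+@@ -7735,7 +7743,6 @@ processCropSelections(struct image_data *image, struct crop_mask *crop,
+
+/* Copy the crop section of the data from the current image into a buffer
+* and adjust the IFD values to reflect the new size. If no cropping is
+- * required, use the origial read buffer as the crop buffer.
+*
+* There is quite a bit of redundancy between this routine and the more
+* specialized processCropSelections, but this provides
+@@ -7846,7 +7853,7 @@ createCroppedImage(struct image_data *image, struct crop_mask *crop,
+if (crop->crop_mode & CROP_ROTATE) /* rotate should be last as it can reallocate the buffer */
+{
+if (rotateImage(crop->rotation, image, &crop->combined_width,
+- &crop->combined_length, crop_buff_ptr, TRUE))
++ &crop->combined_length, crop_buff_ptr, NULL))
+{
+TIFFError("createCroppedImage",
+"Failed to rotate image or cropped selection by %d degrees", crop->rotation);
+@@ -8515,7 +8522,8 @@ rotateImage(uint16 rotation, struct image_data *image, uint32 *img_width,
+uint32 bytes_per_pixel, bytes_per_sample;
+uint32 row, rowsize, src_offset, dst_offset;
+uint32 i, col, width, length;
+- uint32 colsize, buffsize, col_offset, pix_offset;
++ uint32 colsize, col_offset, pix_offset;
++ tmsize_t buffsize;
+unsigned char *ibuff;
+unsigned char *src;
+unsigned char *dst;
+@@ -8528,12 +8536,41 @@ rotateImage(uint16 rotation, struct image_data *image, uint32 *img_width,
+spp = image->spp;
+bps = image->bps;
+
++ if ((spp != 0 && bps != 0 &&
++ width > (uint32_t)((UINT32_MAX - 7) / spp / bps)) ||
++ (spp != 0 && bps != 0 &&
++ length > (uint32_t)((UINT32_MAX - 7) / spp / bps)))
++ {
++ TIFFError("rotateImage", "Integer overflow detected.");
++ return (-1);
++ }
++
+rowsize = ((bps * spp * width) + 7) / 8;
+colsize = ((bps * spp * length) + 7) / 8;
+if ((colsize * width) > (rowsize * length))
+- buffsize = (colsize + 1) * width;
++{
++ if (((tmsize_t)colsize + 1) != 0 &&
++ (tmsize_t)width > ((TIFF_TMSIZE_T_MAX - NUM_BUFF_OVERSIZE_BYTES) /
++ ((tmsize_t)colsize + 1)))
++ {
++ TIFFError("rotateImage",
++ "Integer overflow when calculating buffer size.");
++ return (-1);
++ }
++ buffsize = ((tmsize_t)colsize + 1) * width;
++ }
+else
+- buffsize = (rowsize + 1) * length;
++ {
++ if (((tmsize_t)rowsize + 1) != 0 &&
++ (tmsize_t)length > ((TIFF_TMSIZE_T_MAX - NUM_BUFF_OVERSIZE_BYTES) /
++ ((tmsize_t)rowsize + 1)))
++ {
++ TIFFError("rotateImage",
++ "Integer overflow when calculating buffer size.");
++ return (-1);
++ }
++ buffsize = (rowsize + 1) * length;
++ }
+
+bytes_per_sample = (bps + 7) / 8;
+bytes_per_pixel = ((bps * spp) + 7) / 8;
+@@ -8556,11 +8593,17 @@ rotateImage(uint16 rotation, struct image_data *image, uint32 *img_width,
+/* Add 3 padding bytes for extractContigSamplesShifted32bits */
+if (!(rbuff = (unsigned char *)_TIFFmalloc(buffsize + NUM_BUFF_OVERSIZE_BYTES)))
+{
+- TIFFError("rotateImage", "Unable to allocate rotation buffer of %1u bytes", buffsize + NUM_BUFF_OVERSIZE_BYTES);
++ TIFFError("rotateImage",
++ "Unable to allocate rotation buffer of %" TIFF_SSIZE_FORMAT
++ " bytes ",
++ buffsize + NUM_BUFF_OVERSIZE_BYTES);
+return (-1);
+}
+_TIFFmemset(rbuff, '\0', buffsize + NUM_BUFF_OVERSIZE_BYTES);
+
++ if (rot_buf_size != NULL)
++ *rot_buf_size = buffsize;
++
+ibuff = *ibuff_ptr;
+switch (rotation)
+{
+--
+2.25.1
+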
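Review bot: In the rotateImage() sizing hunk of the embedded patch, the else branch still computes `buffsize = (rowsize + 1) * length;` in 32-bit arithmetic, because `rowsize` and `length` are both `uint32`. The product can wrap before it is widened to `tmsize_t`, so the `TIFF_TMSIZE_T_MAX` check directly above it does not protect the value that is passed to `_TIFFmalloc` and stored in `*rot_buf_size`. The if branch casts before multiplying and the else branch should match it: `buffsize = ((tmsize_t)rowsize + 1) * length;`. The selecting comparison `(colsize * width) > (rowsize * length)` is also evaluated in `uint32` and may choose the smaller candidate after a wrap. If the line is kept identical to upstream for backport fidelity, that deserves a remark in the patch header and a report upstream.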
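--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2023-25434-CVE-2023-25435.patch
@@ -0,0 +1,94 @@
+From 69818e2f2d246e6631ac2a2da692c3706b849c38 Mon Sep 17 00:00:00 2001
+From: Su_Laus <sulau@freenet.de>
+Date: Sun, 29 Jan 2023 11:09:26 +0100
+Subject: [PATCH] tiffcrop: Amend rotateImage() not to toggle the input (main)
+image width and length parameters when only cropped image sections are
+rotated. Remove buffptr from region structure because never used.
+
+Closes #492 #493 #494 #495 #499 #518 #519
+
+Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/69818e2f2d246e6631ac2a2da692c3706b849c38]
+CVE: CVE-2023-25434 & CVE-2023-25435
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+tools/tiffcrop.c | 29 +++++++++++++++++------------
+1 file changed, 17 insertions(+), 12 deletions(-)
+
+diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
+index aab0ec6..ce84414 100644
+--- a/tools/tiffcrop.c
++++ b/tools/tiffcrop.c
+@@ -531,7 +531,7 @@ static int rotateContigSamples24bits(uint16, uint16, uint16, uint32,
+static int rotateContigSamples32bits(uint16, uint16, uint16, uint32,
+uint32, uint32, uint8 *, uint8 *);
+static int rotateImage(uint16, struct image_data *, uint32 *, uint32 *,
+- unsigned char **, size_t *);
++ unsigned char **, size_t *, int);
+static int mirrorImage(uint16, uint16, uint16, uint32, uint32,
+unsigned char *);
+static int invertImage(uint16, uint16, uint16, uint32, uint32,
+@@ -6382,10 +6382,11 @@ static int correct_orientation(struct image_data *image, unsigned char **work_b
+/* Dummy variable in order not to switch two times the
+* image->width,->length within rotateImage(),
+* but switch xres, yres there. */
+- uint32_t width = image->width;
+- uint32_t length = image->length;
+- if (rotateImage(rotation, image, &width, &length, work_buff_ptr, NULL))
+- {
++ uint32_t width = image->width;
++ uint32_t length = image->length;
++ if (rotateImage(rotation, image, &width, &length, work_buff_ptr, NULL,
++ TRUE))
++ {
+TIFFError ("correct_orientation", "Unable to rotate image");
+return (-1);
+}
+@@ -7612,7 +7613,8 @@ processCropSelections(struct image_data *image, struct crop_mask *crop,
+* accordingly. */
+size_t rot_buf_size = 0;
+if (rotateImage(crop->rotation, image, &crop->combined_width,
+- &crop->combined_length, &crop_buff, &rot_buf_size))
++ &crop->combined_length, &crop_buff, &rot_buf_size,
++ FALSE))
+{
+TIFFError("processCropSelections",
+"Failed to rotate composite regions by %d degrees", crop->rotation);
+@@ -7721,9 +7723,10 @@ processCropSelections(struct image_data *image, struct crop_mask *crop,
+* its size individually. Therefore, seg_buffs size needs to be
+* updated accordingly. */
+size_t rot_buf_size = 0;
+- if (rotateImage(
+- crop->rotation, image, &crop->regionlist[i].width,
+- &crop->regionlist[i].length, &crop_buff, &rot_buf_size))
++ if (rotateImage(crop->rotation, image,
++ &crop->regionlist[i].width,
++ &crop->regionlist[i].length, &crop_buff,
++ &rot_buf_size, FALSE))
+{
+TIFFError("processCropSelections",
+"Failed to rotate crop region by %d degrees", crop->rotation);
+@@ -7853,7 +7856,7 @@ createCroppedImage(struct image_data *image, struct crop_mask *crop,
+if (crop->crop_mode & CROP_ROTATE) /* rotate should be last as it can reallocate the buffer */
+{
+if (rotateImage(crop->rotation, image, &crop->combined_width,
+- &crop->combined_length, crop_buff_ptr, NULL))
++ &crop->combined_length, crop_buff_ptr, NULL, TRUE))
+{
+TIFFError("createCroppedImage",
+"Failed to rotate image or cropped selection by %d degrees", crop->rotation);
+@@ -8515,8 +8518,10 @@ rotateContigSamples32bits(uint16 rotation, uint16 spp, uint16 bps, uint32 width,
+
+/* Rotate an image by a multiple of 90 degrees clockwise */
+static int
+-rotateImage(uint16 rotation, struct image_data *image, uint32 *img_width,
+- uint32 *img_length, unsigned char **ibuff_ptr, int rot_image_params)
++rotateImage(uint16 rotation, struct image_data *image,
++ uint32 *img_width, uint32 *img_length,
++ unsigned char **ibuff_ptr, size_t *rot_buf_size,
++ int rot_image_params)
+{
+int shift_width;
+uint32 bytes_per_pixel, bytes_per_sample;
+--
+2.25.1
+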
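Review bot: The rotateImage() definition only gains its `size_t *rot_buf_size` parameter in the last hunk of this patch, yet CVE-2023-25433.patch, which is listed before it in SRC_URI, already changes the prototype to end in `size_t *` and writes `*rot_buf_size` in the function body. The earlier patch therefore presumably leaves tools/tiffcrop.c unable to compile on its own, and the two files only work when applied together in this order. A header line in both patches would record that, for example `Comment: CVE-2023-25433.patch needs this patch for the rotateImage() signature`. The subject also speaks of not toggling width/length and of removing buffptr from the region structure, while the visible hunks only pass `rot_image_params` through the callers, so the header should state that the upstream commit was adapted for this version.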
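--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2023-26965.patch
@@ -0,0 +1,90 @@
+From ec8ef90c1f573c9eb1f17d6a056aa0015f184acf Mon Sep 17 00:00:00 2001
+From: Su_Laus <sulau@freenet.de>
+Date: Tue, 14 Feb 2023 20:43:43 +0100
+Subject: [PATCH] tiffcrop: Do not reuse input buffer for subsequent images.
+Fix issue 527
+
+Reuse of read_buff within loadImage() from previous image is quite unsafe, because other functions (like rotateImage() etc.) reallocate that buffer with different size without updating the local prev_readsize value.
+
+Closes #527
+
+Upstream-Status: Backport [import from debian http://security.debian.org/debian-security/pool/updates/main/t/tiff/tiff_4.1.0+git191117-2~deb10u8.debian.tar.xz]
+CVE: CVE-2023-26965
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+tools/tiffcrop.c | 40 ++++++++++------------------------------
+1 file changed, 10 insertions(+), 30 deletions(-)
+
+diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
+index ce84414..a533089 100644
+--- a/tools/tiffcrop.c
++++ b/tools/tiffcrop.c
+@@ -5935,9 +5935,7 @@ loadImage(TIFF* in, struct image_data *image, struct dump_opts *dump, unsigned c
+uint32 tw = 0, tl = 0; /* Tile width and length */
+tmsize_t tile_rowsize = 0;
+unsigned char *read_buff = NULL;
+- unsigned char *new_buff = NULL;
+int readunit = 0;
+- static tmsize_t prev_readsize = 0;
+
+TIFFGetFieldDefaulted(in, TIFFTAG_BITSPERSAMPLE, &bps);
+TIFFGetFieldDefaulted(in, TIFFTAG_SAMPLESPERPIXEL, &spp);
+@@ -6232,37 +6230,20 @@ loadImage(TIFF* in, struct image_data *image, struct dump_opts *dump, unsigned c
+read_buff = *read_ptr;
+/* +3 : add a few guard bytes since reverseSamples16bits() can read a bit */
+/* outside buffer */
+- if (!read_buff)
++ if (read_buff)
+{
+- if( buffsize > 0xFFFFFFFFU - 3 )
+- {
+- TIFFError("loadImage", "Unable to allocate/reallocate read buffer");
+- return (-1);
+- }
+- read_buff = (unsigned char *)_TIFFmalloc(buffsize + NUM_BUFF_OVERSIZE_BYTES);
++ _TIFFfree(read_buff);
+}
+- else
+- {
+- if (prev_readsize < buffsize)
+- {
+- if( buffsize > 0xFFFFFFFFU - 3 )
+- {
+- TIFFError("loadImage", "Unable to allocate/reallocate read buffer");
+- return (-1);
+- }
+- new_buff = _TIFFrealloc(read_buff, buffsize + NUM_BUFF_OVERSIZE_BYTES);
+- if (!new_buff)
+- {
+- free (read_buff);
+- read_buff = (unsigned char *)_TIFFmalloc(buffsize + NUM_BUFF_OVERSIZE_BYTES);
+- }
+- else
+- read_buff = new_buff;
+- }
+- }
++ if (buffsize > 0xFFFFFFFFU - 3)
++ {
++ TIFFError("loadImage", "Required read buffer size too large");
++ return (-1);
++ }
++ read_buff =
++ (unsigned char *)_TIFFmalloc(buffsize + NUM_BUFF_OVERSIZE_BYTES);
+if (!read_buff)
+{
+- TIFFError("loadImage", "Unable to allocate/reallocate read buffer");
++ TIFFError("loadImage", "Unable to allocate read buffer");
+return (-1);
+}
+
+@@ -6270,7 +6251,6 @@ loadImage(TIFF* in, struct image_data *image, struct dump_opts *dump, unsigned c
+read_buff[buffsize+1] = 0;
+read_buff[buffsize+2] = 0;
+
+- prev_readsize = buffsize;
+*read_ptr = read_buff;
+
+/* N.B. The read functions used copy separate plane data into a buffer as interleaved
+--
+2.25.1
+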
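Review bot: In the reworked allocation block of loadImage(), the previous buffer is released with `_TIFFfree(read_buff)` before the size check and the new `_TIFFmalloc`, and both failure paths `return (-1)` without updating `*read_ptr`, which still holds the freed address. A caller that frees or reuses `*read_ptr` after a failed load would touch freed memory; the callers are outside this hunk, so whether any of them does is unverified here. Clearing the caller's pointer at the point of release removes the dangling value on every exit path: `_TIFFfree(read_buff); *read_ptr = NULL;`.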
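--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2023-26966.patch
@@ -0,0 +1,35 @@
+From b0e1c25dd1d065200c8d8f59ad0afe014861a1b9 Mon Sep 17 00:00:00 2001
+From: Su_Laus <sulau@freenet.de>
+Date: Thu, 16 Feb 2023 12:03:16 +0100
+Subject: [PATCH] tif_luv: Check and correct for NaN data in uv_encode().
+
+Closes #530
+
+Upstream-Status: Backport [import from debian http://security.debian.org/debian-security/pool/updates/main/t/tiff/tiff_4.1.0+git191117-2~deb10u8.debian.tar.xz]
+CVE: CVE-2023-26966
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+libtiff/tif_luv.c | 7 +++++++
+1 file changed, 7 insertions(+)
+
+diff --git a/libtiff/tif_luv.c b/libtiff/tif_luv.c
+index 6fe4858..8b2c5f1 100644
+--- a/libtiff/tif_luv.c
++++ b/libtiff/tif_luv.c
+@@ -923,6 +923,13 @@ uv_encode(double u, double v, int em) /* encode (u',v') coordinates */
+{
+register int vi, ui;
+
++ /* check for NaN */
++ if (u != u || v != v)
++ {
++ u = U_NEU;
++ v = V_NEU;
++ }
++
+if (v < UV_VSTART)
+return oog_encode(u, v);
+vi = itrunc((v - UV_VSTART)*(1./UV_SQSIZ), em);
+--
+2.25.1
+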
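Review bot: The guard added at the top of uv_encode() replaces only NaN inputs; a positive infinite `v` is not less than `UV_VSTART`, so it still reaches `vi = itrunc(...)`, and converting a non-finite double to `int` is undefined in C. Whether any caller can produce an infinity is not visible from this hunk and itrunc() is defined elsewhere, so this is a hardening suggestion: `if (!isfinite(u) || !isfinite(v))` would cover both cases, assuming <math.h> is already included in tif_luv.c. The `u != u` self-comparison is also folded away by compilers under `-ffinite-math-only`, which the comment could record: `/* NaN fails every range test below; fall back to U_NEU/V_NEU */`.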
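--- a/meta/recipes-multimedia/libtiff/tiff_4.1.0.bb
+++ b/meta/recipes-multimedia/libtiff/tiff_4.1.0.bb
@@ -36,6 +36,10 @@ SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
 file://CVE-2022-48281.patch \
 file://CVE-2023-0795_0796_0797_0798_0799.patch \
 file://CVE-2023-0800_0801_0802_0803_0804.patch \
+file://CVE-2023-25433.patch \
+file://CVE-2023-25434-CVE-2023-25435.patch \
+file://CVE-2023-26965.patch \
+file://CVE-2023-26966.patch \
 "
 SRC_URI[md5sum] = "2165e7aba557463acc0664e71a3ed424"
 SRC_URI[sha256sum] = "5d29f32517dadb6dbcd1255ea5bbc93a2b54b94fbf83653b4d65c7d6775b8634"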