summaryrefslogtreecommitdiffstats
path: root/meta/recipes-multimedia/libtiff
diff options
context:
space:
mode:
authorAlexander Kanavin <alex.kanavin@gmail.com>2023-01-04 12:04:40 +0100
committerRichard Purdie <richard.purdie@linuxfoundation.org>2023-01-06 12:08:33 +0000
commiteba274f60f4af04c3b850c23e0af59138993c540 (patch)
tree0b51ad90c0e29c206c674f4ebaa747aab1a26457 /meta/recipes-multimedia/libtiff
parent1622172cc650f519af5310228531b1767a5ff2ca (diff)
downloadpoky-eba274f60f4af04c3b850c23e0af59138993c540.tar.gz
tiff: update 4.4.0 -> 4.5.0
Drop all CVE backports. License-Update: formatting (From OE-Core rev: 9a255a3b114686b04bf54560c7485552ec3b438c) Signed-off-by: Alexander Kanavin <alex@linutronix.de> Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-multimedia/libtiff')
-rw-r--r--meta/recipes-multimedia/libtiff/files/0001-Revised-handling-of-TIFFTAG_INKNAMES-and-related-TIF.patch266
-rw-r--r--meta/recipes-multimedia/libtiff/files/0001-fix-the-FPE-in-tiffcrop-415-427-and-428.patch184
-rw-r--r--meta/recipes-multimedia/libtiff/files/0001-tiffcrop-S-option-Make-decision-simpler.patch36
-rw-r--r--meta/recipes-multimedia/libtiff/files/0001-tiffcrop-disable-incompatibility-of-Z-X-Y-z-options-.patch59
-rw-r--r--meta/recipes-multimedia/libtiff/files/0001-tiffcrop-subroutines-require-a-larger-buffer-fixes-2.patch653
-rw-r--r--meta/recipes-multimedia/libtiff/files/CVE-2022-2953.patch86
-rw-r--r--meta/recipes-multimedia/libtiff/files/CVE-2022-34526.patch32
-rw-r--r--meta/recipes-multimedia/libtiff/files/CVE-2022-3970.patch39
-rw-r--r--meta/recipes-multimedia/libtiff/tiff_4.5.0.bb (renamed from meta/recipes-multimedia/libtiff/tiff_4.4.0.bb)17
9 files changed, 4 insertions, 1368 deletions
diff --git a/meta/recipes-multimedia/libtiff/files/0001-Revised-handling-of-TIFFTAG_INKNAMES-and-related-TIF.patch b/meta/recipes-multimedia/libtiff/files/0001-Revised-handling-of-TIFFTAG_INKNAMES-and-related-TIF.patch
deleted file mode 100644
index ce72c86120..0000000000
--- a/meta/recipes-multimedia/libtiff/files/0001-Revised-handling-of-TIFFTAG_INKNAMES-and-related-TIF.patch
+++ /dev/null
@@ -1,266 +0,0 @@
1CVE: CVE-2022-3599
2Upstream-Status: Backport
3Signed-off-by: Ross Burton <ross.burton@arm.com>
4
5From f00484b9519df933723deb38fff943dc291a793d Mon Sep 17 00:00:00 2001
6From: Su_Laus <sulau@freenet.de>
7Date: Tue, 30 Aug 2022 16:56:48 +0200
8Subject: [PATCH] Revised handling of TIFFTAG_INKNAMES and related
9 TIFFTAG_NUMBEROFINKS value
10
11In order to solve the buffer overflow issues related to TIFFTAG_INKNAMES and related TIFFTAG_NUMBEROFINKS value, a revised handling of those tags within LibTiff is proposed:
12
13Behaviour for writing:
14 `NumberOfInks` MUST fit to the number of inks in the `InkNames` string.
15 `NumberOfInks` is automatically set when `InkNames` is set.
16 If `NumberOfInks` is different to the number of inks within `InkNames` string, that will be corrected and a warning is issued.
17 If `NumberOfInks` is not equal to samplesperpixel only a warning will be issued.
18
19Behaviour for reading:
20 When reading `InkNames` from a TIFF file, the `NumberOfInks` will be set automatically to the number of inks in `InkNames` string.
21 If `NumberOfInks` is different to the number of inks within `InkNames` string, that will be corrected and a warning is issued.
22 If `NumberOfInks` is not equal to samplesperpixel only a warning will be issued.
23
24This allows the safe use of the NumberOfInks value to read out the InkNames without buffer overflow
25
26This MR will close the following issues: #149, #150, #152, #168 (to be checked), #250, #269, #398 and #456.
27
28It also fixes the old bug at http://bugzilla.maptools.org/show_bug.cgi?id=2599, for which the limitation of `NumberOfInks = SPP` was introduced, which is in my opinion not necessary and does not solve the general issue.
29---
30 libtiff/tif_dir.c | 119 ++++++++++++++++++++++++-----------------
31 libtiff/tif_dir.h | 2 +
32 libtiff/tif_dirinfo.c | 2 +-
33 libtiff/tif_dirwrite.c | 5 ++
34 libtiff/tif_print.c | 4 ++
35 5 files changed, 82 insertions(+), 50 deletions(-)
36
37diff --git a/libtiff/tif_dir.c b/libtiff/tif_dir.c
38index 793e8a79..816f7756 100644
39--- a/libtiff/tif_dir.c
40+++ b/libtiff/tif_dir.c
41@@ -136,32 +136,30 @@ setExtraSamples(TIFF* tif, va_list ap, uint32_t* v)
42 }
43
44 /*
45- * Confirm we have "samplesperpixel" ink names separated by \0. Returns
46+ * Count ink names separated by \0. Returns
47 * zero if the ink names are not as expected.
48 */
49-static uint32_t
50-checkInkNamesString(TIFF* tif, uint32_t slen, const char* s)
51+static uint16_t
52+countInkNamesString(TIFF *tif, uint32_t slen, const char *s)
53 {
54- TIFFDirectory* td = &tif->tif_dir;
55- uint16_t i = td->td_samplesperpixel;
56+ uint16_t i = 0;
57+ const char *ep = s + slen;
58+ const char *cp = s;
59
60 if (slen > 0) {
61- const char* ep = s+slen;
62- const char* cp = s;
63- for (; i > 0; i--) {
64+ do {
65 for (; cp < ep && *cp != '\0'; cp++) {}
66 if (cp >= ep)
67 goto bad;
68 cp++; /* skip \0 */
69- }
70- return ((uint32_t)(cp - s));
71+ i++;
72+ } while (cp < ep);
73+ return (i);
74 }
75 bad:
76 TIFFErrorExt(tif->tif_clientdata, "TIFFSetField",
77- "%s: Invalid InkNames value; expecting %"PRIu16" names, found %"PRIu16,
78- tif->tif_name,
79- td->td_samplesperpixel,
80- (uint16_t)(td->td_samplesperpixel-i));
81+ "%s: Invalid InkNames value; no NUL at given buffer end location %"PRIu32", after %"PRIu16" ink",
82+ tif->tif_name, slen, i);
83 return (0);
84 }
85
86@@ -478,13 +476,61 @@ _TIFFVSetField(TIFF* tif, uint32_t tag, va_list ap)
87 _TIFFsetFloatArray(&td->td_refblackwhite, va_arg(ap, float*), 6);
88 break;
89 case TIFFTAG_INKNAMES:
90- v = (uint16_t) va_arg(ap, uint16_vap);
91- s = va_arg(ap, char*);
92- v = checkInkNamesString(tif, v, s);
93- status = v > 0;
94- if( v > 0 ) {
95- _TIFFsetNString(&td->td_inknames, s, v);
96- td->td_inknameslen = v;
97+ {
98+ v = (uint16_t) va_arg(ap, uint16_vap);
99+ s = va_arg(ap, char*);
100+ uint16_t ninksinstring;
101+ ninksinstring = countInkNamesString(tif, v, s);
102+ status = ninksinstring > 0;
103+ if(ninksinstring > 0 ) {
104+ _TIFFsetNString(&td->td_inknames, s, v);
105+ td->td_inknameslen = v;
106+ /* Set NumberOfInks to the value ninksinstring */
107+ if (TIFFFieldSet(tif, FIELD_NUMBEROFINKS))
108+ {
109+ if (td->td_numberofinks != ninksinstring) {
110+ TIFFErrorExt(tif->tif_clientdata, module,
111+ "Warning %s; Tag %s:\n Value %"PRIu16" of NumberOfInks is different from the number of inks %"PRIu16".\n -> NumberOfInks value adapted to %"PRIu16"",
112+ tif->tif_name, fip->field_name, td->td_numberofinks, ninksinstring, ninksinstring);
113+ td->td_numberofinks = ninksinstring;
114+ }
115+ } else {
116+ td->td_numberofinks = ninksinstring;
117+ TIFFSetFieldBit(tif, FIELD_NUMBEROFINKS);
118+ }
119+ if (TIFFFieldSet(tif, FIELD_SAMPLESPERPIXEL))
120+ {
121+ if (td->td_numberofinks != td->td_samplesperpixel) {
122+ TIFFErrorExt(tif->tif_clientdata, module,
123+ "Warning %s; Tag %s:\n Value %"PRIu16" of NumberOfInks is different from the SamplesPerPixel value %"PRIu16"",
124+ tif->tif_name, fip->field_name, td->td_numberofinks, td->td_samplesperpixel);
125+ }
126+ }
127+ }
128+ }
129+ break;
130+ case TIFFTAG_NUMBEROFINKS:
131+ v = (uint16_t)va_arg(ap, uint16_vap);
132+ /* If InkNames already set also NumberOfInks is set accordingly and should be equal */
133+ if (TIFFFieldSet(tif, FIELD_INKNAMES))
134+ {
135+ if (v != td->td_numberofinks) {
136+ TIFFErrorExt(tif->tif_clientdata, module,
137+ "Error %s; Tag %s:\n It is not possible to set the value %"PRIu32" for NumberOfInks\n which is different from the number of inks in the InkNames tag (%"PRIu16")",
138+ tif->tif_name, fip->field_name, v, td->td_numberofinks);
139+ /* Do not set / overwrite number of inks already set by InkNames case accordingly. */
140+ status = 0;
141+ }
142+ } else {
143+ td->td_numberofinks = (uint16_t)v;
144+ if (TIFFFieldSet(tif, FIELD_SAMPLESPERPIXEL))
145+ {
146+ if (td->td_numberofinks != td->td_samplesperpixel) {
147+ TIFFErrorExt(tif->tif_clientdata, module,
148+ "Warning %s; Tag %s:\n Value %"PRIu32" of NumberOfInks is different from the SamplesPerPixel value %"PRIu16"",
149+ tif->tif_name, fip->field_name, v, td->td_samplesperpixel);
150+ }
151+ }
152 }
153 break;
154 case TIFFTAG_PERSAMPLE:
155@@ -986,34 +1032,6 @@ _TIFFVGetField(TIFF* tif, uint32_t tag, va_list ap)
156 if (fip->field_bit == FIELD_CUSTOM) {
157 standard_tag = 0;
158 }
159-
160- if( standard_tag == TIFFTAG_NUMBEROFINKS )
161- {
162- int i;
163- for (i = 0; i < td->td_customValueCount; i++) {
164- uint16_t val;
165- TIFFTagValue *tv = td->td_customValues + i;
166- if (tv->info->field_tag != standard_tag)
167- continue;
168- if( tv->value == NULL )
169- return 0;
170- val = *(uint16_t *)tv->value;
171- /* Truncate to SamplesPerPixel, since the */
172- /* setting code for INKNAMES assume that there are SamplesPerPixel */
173- /* inknames. */
174- /* Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2599 */
175- if( val > td->td_samplesperpixel )
176- {
177- TIFFWarningExt(tif->tif_clientdata,"_TIFFVGetField",
178- "Truncating NumberOfInks from %u to %"PRIu16,
179- val, td->td_samplesperpixel);
180- val = td->td_samplesperpixel;
181- }
182- *va_arg(ap, uint16_t*) = val;
183- return 1;
184- }
185- return 0;
186- }
187
188 switch (standard_tag) {
189 case TIFFTAG_SUBFILETYPE:
190@@ -1195,6 +1213,9 @@ _TIFFVGetField(TIFF* tif, uint32_t tag, va_list ap)
191 case TIFFTAG_INKNAMES:
192 *va_arg(ap, const char**) = td->td_inknames;
193 break;
194+ case TIFFTAG_NUMBEROFINKS:
195+ *va_arg(ap, uint16_t *) = td->td_numberofinks;
196+ break;
197 default:
198 {
199 int i;
200diff --git a/libtiff/tif_dir.h b/libtiff/tif_dir.h
201index 09065648..0c251c9e 100644
202--- a/libtiff/tif_dir.h
203+++ b/libtiff/tif_dir.h
204@@ -117,6 +117,7 @@ typedef struct {
205 /* CMYK parameters */
206 int td_inknameslen;
207 char* td_inknames;
208+ uint16_t td_numberofinks; /* number of inks in InkNames string */
209
210 int td_customValueCount;
211 TIFFTagValue *td_customValues;
212@@ -174,6 +175,7 @@ typedef struct {
213 #define FIELD_TRANSFERFUNCTION 44
214 #define FIELD_INKNAMES 46
215 #define FIELD_SUBIFD 49
216+#define FIELD_NUMBEROFINKS 50
217 /* FIELD_CUSTOM (see tiffio.h) 65 */
218 /* end of support for well-known tags; codec-private tags follow */
219 #define FIELD_CODEC 66 /* base of codec-private tags */
220diff --git a/libtiff/tif_dirinfo.c b/libtiff/tif_dirinfo.c
221index 3371cb5c..3b4bcd33 100644
222--- a/libtiff/tif_dirinfo.c
223+++ b/libtiff/tif_dirinfo.c
224@@ -114,7 +114,7 @@ tiffFields[] = {
225 { TIFFTAG_SUBIFD, -1, -1, TIFF_IFD8, 0, TIFF_SETGET_C16_IFD8, TIFF_SETGET_UNDEFINED, FIELD_SUBIFD, 1, 1, "SubIFD", (TIFFFieldArray*) &tiffFieldArray },
226 { TIFFTAG_INKSET, 1, 1, TIFF_SHORT, 0, TIFF_SETGET_UINT16, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 0, 0, "InkSet", NULL },
227 { TIFFTAG_INKNAMES, -1, -1, TIFF_ASCII, 0, TIFF_SETGET_C16_ASCII, TIFF_SETGET_UNDEFINED, FIELD_INKNAMES, 1, 1, "InkNames", NULL },
228- { TIFFTAG_NUMBEROFINKS, 1, 1, TIFF_SHORT, 0, TIFF_SETGET_UINT16, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 1, 0, "NumberOfInks", NULL },
229+ { TIFFTAG_NUMBEROFINKS, 1, 1, TIFF_SHORT, 0, TIFF_SETGET_UINT16, TIFF_SETGET_UNDEFINED, FIELD_NUMBEROFINKS, 1, 0, "NumberOfInks", NULL },
230 { TIFFTAG_DOTRANGE, 2, 2, TIFF_SHORT, 0, TIFF_SETGET_UINT16_PAIR, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 0, 0, "DotRange", NULL },
231 { TIFFTAG_TARGETPRINTER, -1, -1, TIFF_ASCII, 0, TIFF_SETGET_ASCII, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 1, 0, "TargetPrinter", NULL },
232 { TIFFTAG_EXTRASAMPLES, -1, -1, TIFF_SHORT, 0, TIFF_SETGET_C16_UINT16, TIFF_SETGET_UNDEFINED, FIELD_EXTRASAMPLES, 0, 1, "ExtraSamples", NULL },
233diff --git a/libtiff/tif_dirwrite.c b/libtiff/tif_dirwrite.c
234index 6c86fdca..062e4610 100644
235--- a/libtiff/tif_dirwrite.c
236+++ b/libtiff/tif_dirwrite.c
237@@ -626,6 +626,11 @@ TIFFWriteDirectorySec(TIFF* tif, int isimage, int imagedone, uint64_t* pdiroff)
238 if (!TIFFWriteDirectoryTagAscii(tif,&ndir,dir,TIFFTAG_INKNAMES,tif->tif_dir.td_inknameslen,tif->tif_dir.td_inknames))
239 goto bad;
240 }
241+ if (TIFFFieldSet(tif, FIELD_NUMBEROFINKS))
242+ {
243+ if (!TIFFWriteDirectoryTagShort(tif, &ndir, dir, TIFFTAG_NUMBEROFINKS, tif->tif_dir.td_numberofinks))
244+ goto bad;
245+ }
246 if (TIFFFieldSet(tif,FIELD_SUBIFD))
247 {
248 if (!TIFFWriteDirectoryTagSubifd(tif,&ndir,dir))
249diff --git a/libtiff/tif_print.c b/libtiff/tif_print.c
250index 16ce5780..a91b9e7b 100644
251--- a/libtiff/tif_print.c
252+++ b/libtiff/tif_print.c
253@@ -397,6 +397,10 @@ TIFFPrintDirectory(TIFF* tif, FILE* fd, long flags)
254 }
255 fputs("\n", fd);
256 }
257+ if (TIFFFieldSet(tif, FIELD_NUMBEROFINKS)) {
258+ fprintf(fd, " NumberOfInks: %d\n",
259+ td->td_numberofinks);
260+ }
261 if (TIFFFieldSet(tif,FIELD_THRESHHOLDING)) {
262 fprintf(fd, " Thresholding: ");
263 switch (td->td_threshholding) {
264--
2652.34.1
266
diff --git a/meta/recipes-multimedia/libtiff/files/0001-fix-the-FPE-in-tiffcrop-415-427-and-428.patch b/meta/recipes-multimedia/libtiff/files/0001-fix-the-FPE-in-tiffcrop-415-427-and-428.patch
deleted file mode 100644
index c7c5f616ed..0000000000
--- a/meta/recipes-multimedia/libtiff/files/0001-fix-the-FPE-in-tiffcrop-415-427-and-428.patch
+++ /dev/null
@@ -1,184 +0,0 @@
1CVE: CVE-2022-2056 CVE-2022-2057 CVE-2022-2058
2Upstream-Status: Backport
3Signed-off-by: Ross Burton <ross.burton@arm.com>
4
5From 22a205da86ca2d038d0066e1d70752d117258fb4 Mon Sep 17 00:00:00 2001
6From: 4ugustus <wangdw.augustus@qq.com>
7Date: Sat, 11 Jun 2022 09:31:43 +0000
8Subject: [PATCH] fix the FPE in tiffcrop (#415, #427, and #428)
9
10---
11 libtiff/tif_aux.c | 9 +++++++
12 libtiff/tiffiop.h | 1 +
13 tools/tiffcrop.c | 62 ++++++++++++++++++++++++++---------------------
14 3 files changed, 44 insertions(+), 28 deletions(-)
15
16diff --git a/libtiff/tif_aux.c b/libtiff/tif_aux.c
17index 140f26c7..5b88c8d0 100644
18--- a/libtiff/tif_aux.c
19+++ b/libtiff/tif_aux.c
20@@ -402,6 +402,15 @@ float _TIFFClampDoubleToFloat( double val )
21 return (float)val;
22 }
23
24+uint32_t _TIFFClampDoubleToUInt32(double val)
25+{
26+ if( val < 0 )
27+ return 0;
28+ if( val > 0xFFFFFFFFU || val != val )
29+ return 0xFFFFFFFFU;
30+ return (uint32_t)val;
31+}
32+
33 int _TIFFSeekOK(TIFF* tif, toff_t off)
34 {
35 /* Huge offsets, especially -1 / UINT64_MAX, can cause issues */
36diff --git a/libtiff/tiffiop.h b/libtiff/tiffiop.h
37index e3af461d..4e8bdac2 100644
38--- a/libtiff/tiffiop.h
39+++ b/libtiff/tiffiop.h
40@@ -365,6 +365,7 @@ extern double _TIFFUInt64ToDouble(uint64_t);
41 extern float _TIFFUInt64ToFloat(uint64_t);
42
43 extern float _TIFFClampDoubleToFloat(double);
44+extern uint32_t _TIFFClampDoubleToUInt32(double);
45
46 extern tmsize_t
47 _TIFFReadEncodedStripAndAllocBuffer(TIFF* tif, uint32_t strip,
48diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
49index 1f827b2b..90286a5e 100644
50--- a/tools/tiffcrop.c
51+++ b/tools/tiffcrop.c
52@@ -5268,17 +5268,17 @@ computeInputPixelOffsets(struct crop_mask *crop, struct image_data *image,
53 {
54 if ((crop->res_unit == RESUNIT_INCH) || (crop->res_unit == RESUNIT_CENTIMETER))
55 {
56- x1 = (uint32_t) (crop->corners[i].X1 * scale * xres);
57- x2 = (uint32_t) (crop->corners[i].X2 * scale * xres);
58- y1 = (uint32_t) (crop->corners[i].Y1 * scale * yres);
59- y2 = (uint32_t) (crop->corners[i].Y2 * scale * yres);
60+ x1 = _TIFFClampDoubleToUInt32(crop->corners[i].X1 * scale * xres);
61+ x2 = _TIFFClampDoubleToUInt32(crop->corners[i].X2 * scale * xres);
62+ y1 = _TIFFClampDoubleToUInt32(crop->corners[i].Y1 * scale * yres);
63+ y2 = _TIFFClampDoubleToUInt32(crop->corners[i].Y2 * scale * yres);
64 }
65 else
66 {
67- x1 = (uint32_t) (crop->corners[i].X1);
68- x2 = (uint32_t) (crop->corners[i].X2);
69- y1 = (uint32_t) (crop->corners[i].Y1);
70- y2 = (uint32_t) (crop->corners[i].Y2);
71+ x1 = _TIFFClampDoubleToUInt32(crop->corners[i].X1);
72+ x2 = _TIFFClampDoubleToUInt32(crop->corners[i].X2);
73+ y1 = _TIFFClampDoubleToUInt32(crop->corners[i].Y1);
74+ y2 = _TIFFClampDoubleToUInt32(crop->corners[i].Y2);
75 }
76 /* a) Region needs to be within image sizes 0.. width-1; 0..length-1
77 * b) Corners are expected to be submitted as top-left to bottom-right.
78@@ -5357,17 +5357,17 @@ computeInputPixelOffsets(struct crop_mask *crop, struct image_data *image,
79 {
80 if (crop->res_unit != RESUNIT_INCH && crop->res_unit != RESUNIT_CENTIMETER)
81 { /* User has specified pixels as reference unit */
82- tmargin = (uint32_t)(crop->margins[0]);
83- lmargin = (uint32_t)(crop->margins[1]);
84- bmargin = (uint32_t)(crop->margins[2]);
85- rmargin = (uint32_t)(crop->margins[3]);
86+ tmargin = _TIFFClampDoubleToUInt32(crop->margins[0]);
87+ lmargin = _TIFFClampDoubleToUInt32(crop->margins[1]);
88+ bmargin = _TIFFClampDoubleToUInt32(crop->margins[2]);
89+ rmargin = _TIFFClampDoubleToUInt32(crop->margins[3]);
90 }
91 else
92 { /* inches or centimeters specified */
93- tmargin = (uint32_t)(crop->margins[0] * scale * yres);
94- lmargin = (uint32_t)(crop->margins[1] * scale * xres);
95- bmargin = (uint32_t)(crop->margins[2] * scale * yres);
96- rmargin = (uint32_t)(crop->margins[3] * scale * xres);
97+ tmargin = _TIFFClampDoubleToUInt32(crop->margins[0] * scale * yres);
98+ lmargin = _TIFFClampDoubleToUInt32(crop->margins[1] * scale * xres);
99+ bmargin = _TIFFClampDoubleToUInt32(crop->margins[2] * scale * yres);
100+ rmargin = _TIFFClampDoubleToUInt32(crop->margins[3] * scale * xres);
101 }
102
103 if ((lmargin + rmargin) > image->width)
104@@ -5397,24 +5397,24 @@ computeInputPixelOffsets(struct crop_mask *crop, struct image_data *image,
105 if (crop->res_unit != RESUNIT_INCH && crop->res_unit != RESUNIT_CENTIMETER)
106 {
107 if (crop->crop_mode & CROP_WIDTH)
108- width = (uint32_t)crop->width;
109+ width = _TIFFClampDoubleToUInt32(crop->width);
110 else
111 width = image->width - lmargin - rmargin;
112
113 if (crop->crop_mode & CROP_LENGTH)
114- length = (uint32_t)crop->length;
115+ length = _TIFFClampDoubleToUInt32(crop->length);
116 else
117 length = image->length - tmargin - bmargin;
118 }
119 else
120 {
121 if (crop->crop_mode & CROP_WIDTH)
122- width = (uint32_t)(crop->width * scale * image->xres);
123+ width = _TIFFClampDoubleToUInt32(crop->width * scale * image->xres);
124 else
125 width = image->width - lmargin - rmargin;
126
127 if (crop->crop_mode & CROP_LENGTH)
128- length = (uint32_t)(crop->length * scale * image->yres);
129+ length = _TIFFClampDoubleToUInt32(crop->length * scale * image->yres);
130 else
131 length = image->length - tmargin - bmargin;
132 }
133@@ -5868,13 +5868,13 @@ computeOutputPixelOffsets (struct crop_mask *crop, struct image_data *image,
134 {
135 if (page->res_unit == RESUNIT_INCH || page->res_unit == RESUNIT_CENTIMETER)
136 { /* inches or centimeters specified */
137- hmargin = (uint32_t)(page->hmargin * scale * page->hres * ((image->bps + 7) / 8));
138- vmargin = (uint32_t)(page->vmargin * scale * page->vres * ((image->bps + 7) / 8));
139+ hmargin = _TIFFClampDoubleToUInt32(page->hmargin * scale * page->hres * ((image->bps + 7) / 8));
140+ vmargin = _TIFFClampDoubleToUInt32(page->vmargin * scale * page->vres * ((image->bps + 7) / 8));
141 }
142 else
143 { /* Otherwise user has specified pixels as reference unit */
144- hmargin = (uint32_t)(page->hmargin * scale * ((image->bps + 7) / 8));
145- vmargin = (uint32_t)(page->vmargin * scale * ((image->bps + 7) / 8));
146+ hmargin = _TIFFClampDoubleToUInt32(page->hmargin * scale * ((image->bps + 7) / 8));
147+ vmargin = _TIFFClampDoubleToUInt32(page->vmargin * scale * ((image->bps + 7) / 8));
148 }
149
150 if ((hmargin * 2.0) > (pwidth * page->hres))
151@@ -5912,13 +5912,13 @@ computeOutputPixelOffsets (struct crop_mask *crop, struct image_data *image,
152 {
153 if (page->mode & PAGE_MODE_PAPERSIZE )
154 {
155- owidth = (uint32_t)((pwidth * page->hres) - (hmargin * 2));
156- olength = (uint32_t)((plength * page->vres) - (vmargin * 2));
157+ owidth = _TIFFClampDoubleToUInt32((pwidth * page->hres) - (hmargin * 2));
158+ olength = _TIFFClampDoubleToUInt32((plength * page->vres) - (vmargin * 2));
159 }
160 else
161 {
162- owidth = (uint32_t)(iwidth - (hmargin * 2 * page->hres));
163- olength = (uint32_t)(ilength - (vmargin * 2 * page->vres));
164+ owidth = _TIFFClampDoubleToUInt32(iwidth - (hmargin * 2 * page->hres));
165+ olength = _TIFFClampDoubleToUInt32(ilength - (vmargin * 2 * page->vres));
166 }
167 }
168
169@@ -5927,6 +5927,12 @@ computeOutputPixelOffsets (struct crop_mask *crop, struct image_data *image,
170 if (olength > ilength)
171 olength = ilength;
172
173+ if (owidth == 0 || olength == 0)
174+ {
175+ TIFFError("computeOutputPixelOffsets", "Integer overflow when calculating the number of pages");
176+ exit(EXIT_FAILURE);
177+ }
178+
179 /* Compute the number of pages required for Portrait or Landscape */
180 switch (page->orient)
181 {
182--
1832.34.1
184
diff --git a/meta/recipes-multimedia/libtiff/files/0001-tiffcrop-S-option-Make-decision-simpler.patch b/meta/recipes-multimedia/libtiff/files/0001-tiffcrop-S-option-Make-decision-simpler.patch
deleted file mode 100644
index 02642ecfbc..0000000000
--- a/meta/recipes-multimedia/libtiff/files/0001-tiffcrop-S-option-Make-decision-simpler.patch
+++ /dev/null
@@ -1,36 +0,0 @@
1Upstream-Status: Backport
2Signed-off-by: Ross Burton <ross.burton@arm.com>
3
4From bad48e90b410df32172006c7876da449ba62cdba Mon Sep 17 00:00:00 2001
5From: Su_Laus <sulau@freenet.de>
6Date: Sat, 20 Aug 2022 23:35:26 +0200
7Subject: [PATCH] tiffcrop -S option: Make decision simpler.
8
9---
10 tools/tiffcrop.c | 10 +++++-----
11 1 file changed, 5 insertions(+), 5 deletions(-)
12
13diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
14index c3b758ec..8fd856dc 100644
15--- a/tools/tiffcrop.c
16+++ b/tools/tiffcrop.c
17@@ -2133,11 +2133,11 @@ void process_command_opts (int argc, char *argv[], char *mp, char *mode, uint32
18 }
19 /*-- Check for not allowed combinations (e.g. -X, -Y and -Z, -z and -S are mutually exclusive) --*/
20 char XY, Z, R, S;
21- XY = ((crop_data->crop_mode & CROP_WIDTH) || (crop_data->crop_mode & CROP_LENGTH));
22- Z = (crop_data->crop_mode & CROP_ZONES);
23- R = (crop_data->crop_mode & CROP_REGIONS);
24- S = (page->mode & PAGE_MODE_ROWSCOLS);
25- if ((XY && Z) || (XY && R) || (XY && S) || (Z && R) || (Z && S) || (R && S)) {
26+ XY = ((crop_data->crop_mode & CROP_WIDTH) || (crop_data->crop_mode & CROP_LENGTH)) ? 1 : 0;
27+ Z = (crop_data->crop_mode & CROP_ZONES) ? 1 : 0;
28+ R = (crop_data->crop_mode & CROP_REGIONS) ? 1 : 0;
29+ S = (page->mode & PAGE_MODE_ROWSCOLS) ? 1 : 0;
30+ if (XY + Z + R + S > 1) {
31 TIFFError("tiffcrop input error", "The crop options(-X|-Y), -Z, -z and -S are mutually exclusive.->Exit");
32 exit(EXIT_FAILURE);
33 }
34--
352.34.1
36
diff --git a/meta/recipes-multimedia/libtiff/files/0001-tiffcrop-disable-incompatibility-of-Z-X-Y-z-options-.patch b/meta/recipes-multimedia/libtiff/files/0001-tiffcrop-disable-incompatibility-of-Z-X-Y-z-options-.patch
deleted file mode 100644
index 3e33f4adea..0000000000
--- a/meta/recipes-multimedia/libtiff/files/0001-tiffcrop-disable-incompatibility-of-Z-X-Y-z-options-.patch
+++ /dev/null
@@ -1,59 +0,0 @@
1CVE: CVE-2022-3597 CVE-2022-3626 CVE-2022-3627
2Upstream-Status: Backport
3Signed-off-by: Ross Burton <ross.burton@arm.com>
4
5From 4746f16253b784287bc8a5003990c1c3b9a03a62 Mon Sep 17 00:00:00 2001
6From: Su_Laus <sulau@freenet.de>
7Date: Thu, 25 Aug 2022 16:11:41 +0200
8Subject: [PATCH] tiffcrop: disable incompatibility of -Z, -X, -Y, -z options
9 with any PAGE_MODE_x option (fixes #411 and #413)
10MIME-Version: 1.0
11Content-Type: text/plain; charset=UTF-8
12Content-Transfer-Encoding: 8bit
13
14tiffcrop does not support –Z, -z, -X and –Y options together with any other PAGE_MODE_x options like -H, -V, -P, -J, -K or –S.
15
16Code analysis:
17
18With the options –Z, -z, the crop.selections are set to a value > 0. Within main(), this triggers the call of processCropSelections(), which copies the sections from the read_buff into seg_buffs[].
19In the following code in main(), the only supported step, where that seg_buffs are further handled are within an if-clause with if (page.mode == PAGE_MODE_NONE) .
20
21Execution of the else-clause often leads to buffer-overflows.
22
23Therefore, the above option combination is not supported and will be disabled to prevent those buffer-overflows.
24
25The MR solves issues #411 and #413.
26---
27 doc/tools/tiffcrop.rst | 8 ++++++++
28 tools/tiffcrop.c | 32 +++++++++++++++++++++++++-------
29 2 files changed, 33 insertions(+), 7 deletions(-)
30
31diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
32index 8fd856dc..41a2ea36 100644
33--- a/tools/tiffcrop.c
34+++ b/tools/tiffcrop.c
35@@ -2138,9 +2143,20 @@ void process_command_opts (int argc, char *argv[], char *mp, char *mode, uint32
36 R = (crop_data->crop_mode & CROP_REGIONS) ? 1 : 0;
37 S = (page->mode & PAGE_MODE_ROWSCOLS) ? 1 : 0;
38 if (XY + Z + R + S > 1) {
39- TIFFError("tiffcrop input error", "The crop options(-X|-Y), -Z, -z and -S are mutually exclusive.->Exit");
40+ TIFFError("tiffcrop input error", "The crop options(-X|-Y), -Z, -z and -S are mutually exclusive.->exit");
41 exit(EXIT_FAILURE);
42 }
43+
44+ /* Check for not allowed combination:
45+ * Any of the -X, -Y, -Z and -z options together with other PAGE_MODE_x options
46+ * such as -H, -V, -P, -J or -K are not supported and may cause buffer overflows.
47+. */
48+ if ((XY + Z + R > 0) && page->mode != PAGE_MODE_NONE) {
49+ TIFFError("tiffcrop input error",
50+ "Any of the crop options -X, -Y, -Z and -z together with other PAGE_MODE_x options such as - H, -V, -P, -J or -K is not supported and may cause buffer overflows..->exit");
51+ exit(EXIT_FAILURE);
52+ }
53+
54 } /* end process_command_opts */
55
56 /* Start a new output file if one has not been previously opened or
57--
582.34.1
59
diff --git a/meta/recipes-multimedia/libtiff/files/0001-tiffcrop-subroutines-require-a-larger-buffer-fixes-2.patch b/meta/recipes-multimedia/libtiff/files/0001-tiffcrop-subroutines-require-a-larger-buffer-fixes-2.patch
deleted file mode 100644
index e44b9bc57c..0000000000
--- a/meta/recipes-multimedia/libtiff/files/0001-tiffcrop-subroutines-require-a-larger-buffer-fixes-2.patch
+++ /dev/null
@@ -1,653 +0,0 @@
1CVE: CVE-2022-3570 CVE-2022-3598
2Upstream-Status: Backport
3Signed-off-by: Ross Burton <ross.burton@arm.com>
4
5From afd7086090dafd3949afd172822cbcec4ed17d56 Mon Sep 17 00:00:00 2001
6From: Su Laus <sulau@freenet.de>
7Date: Thu, 13 Oct 2022 14:33:27 +0000
8Subject: [PATCH] tiffcrop subroutines require a larger buffer (fixes #271,
9 #381, #386, #388, #389, #435)
10
11---
12 tools/tiffcrop.c | 209 ++++++++++++++++++++++++++---------------------
13 1 file changed, 118 insertions(+), 91 deletions(-)
14
15diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
16index 41a2ea36..deab5feb 100644
17--- a/tools/tiffcrop.c
18+++ b/tools/tiffcrop.c
19@@ -212,6 +212,10 @@ static char tiffcrop_rev_date[] = "26-08-2022";
20
21 #define TIFF_DIR_MAX 65534
22
23+/* Some conversion subroutines require image buffers, which are at least 3 bytes
24+ * larger than the necessary size for the image itself. */
25+#define NUM_BUFF_OVERSIZE_BYTES 3
26+
27 /* Offsets into buffer for margins and fixed width and length segments */
28 struct offset {
29 uint32_t tmargin;
30@@ -233,7 +237,7 @@ struct offset {
31 */
32
33 struct buffinfo {
34- uint32_t size; /* size of this buffer */
35+ size_t size; /* size of this buffer */
36 unsigned char *buffer; /* address of the allocated buffer */
37 };
38
39@@ -810,8 +814,8 @@ static int readContigTilesIntoBuffer (TIFF* in, uint8_t* buf,
40 uint32_t dst_rowsize, shift_width;
41 uint32_t bytes_per_sample, bytes_per_pixel;
42 uint32_t trailing_bits, prev_trailing_bits;
43- uint32_t tile_rowsize = TIFFTileRowSize(in);
44- uint32_t src_offset, dst_offset;
45+ tmsize_t tile_rowsize = TIFFTileRowSize(in);
46+ tmsize_t src_offset, dst_offset;
47 uint32_t row_offset, col_offset;
48 uint8_t *bufp = (uint8_t*) buf;
49 unsigned char *src = NULL;
50@@ -861,7 +865,7 @@ static int readContigTilesIntoBuffer (TIFF* in, uint8_t* buf,
51 TIFFError("readContigTilesIntoBuffer", "Integer overflow when calculating buffer size.");
52 exit(EXIT_FAILURE);
53 }
54- tilebuf = limitMalloc(tile_buffsize + 3);
55+ tilebuf = limitMalloc(tile_buffsize + NUM_BUFF_OVERSIZE_BYTES);
56 if (tilebuf == 0)
57 return 0;
58 tilebuf[tile_buffsize] = 0;
59@@ -1024,7 +1028,7 @@ static int readSeparateTilesIntoBuffer (TIFF* in, uint8_t *obuf,
60 for (sample = 0; (sample < spp) && (sample < MAX_SAMPLES); sample++)
61 {
62 srcbuffs[sample] = NULL;
63- tbuff = (unsigned char *)limitMalloc(tilesize + 8);
64+ tbuff = (unsigned char *)limitMalloc(tilesize + NUM_BUFF_OVERSIZE_BYTES);
65 if (!tbuff)
66 {
67 TIFFError ("readSeparateTilesIntoBuffer",
68@@ -1217,7 +1221,8 @@ writeBufferToSeparateStrips (TIFF* out, uint8_t* buf,
69 }
70 rowstripsize = rowsperstrip * bytes_per_sample * (width + 1);
71
72- obuf = limitMalloc (rowstripsize);
73+ /* Add 3 padding bytes for extractContigSamples32bits */
74+ obuf = limitMalloc (rowstripsize + NUM_BUFF_OVERSIZE_BYTES);
75 if (obuf == NULL)
76 return 1;
77
78@@ -1229,7 +1234,7 @@ writeBufferToSeparateStrips (TIFF* out, uint8_t* buf,
79
80 stripsize = TIFFVStripSize(out, nrows);
81 src = buf + (row * rowsize);
82- memset (obuf, '\0', rowstripsize);
83+ memset (obuf, '\0',rowstripsize + NUM_BUFF_OVERSIZE_BYTES);
84 if (extractContigSamplesToBuffer(obuf, src, nrows, width, s, spp, bps, dump))
85 {
86 _TIFFfree(obuf);
87@@ -1237,10 +1242,15 @@ writeBufferToSeparateStrips (TIFF* out, uint8_t* buf,
88 }
89 if ((dump->outfile != NULL) && (dump->level == 1))
90 {
91- dump_info(dump->outfile, dump->format,"",
92+ if (scanlinesize > 0x0ffffffffULL) {
93+ dump_info(dump->infile, dump->format, "loadImage",
94+ "Attention: scanlinesize %"PRIu64" is larger than UINT32_MAX.\nFollowing dump might be wrong.",
95+ scanlinesize);
96+ }
97+ dump_info(dump->outfile, dump->format,"",
98 "Sample %2d, Strip: %2d, bytes: %4d, Row %4d, bytes: %4d, Input offset: %6d",
99- s + 1, strip + 1, stripsize, row + 1, scanlinesize, src - buf);
100- dump_buffer(dump->outfile, dump->format, nrows, scanlinesize, row, obuf);
101+ s + 1, strip + 1, stripsize, row + 1, (uint32_t)scanlinesize, src - buf);
102+ dump_buffer(dump->outfile, dump->format, nrows, (uint32_t)scanlinesize, row, obuf);
103 }
104
105 if (TIFFWriteEncodedStrip(out, strip++, obuf, stripsize) < 0)
106@@ -1267,7 +1277,7 @@ static int writeBufferToContigTiles (TIFF* out, uint8_t* buf, uint32_t imageleng
107 uint32_t tl, tw;
108 uint32_t row, col, nrow, ncol;
109 uint32_t src_rowsize, col_offset;
110- uint32_t tile_rowsize = TIFFTileRowSize(out);
111+ tmsize_t tile_rowsize = TIFFTileRowSize(out);
112 uint8_t* bufp = (uint8_t*) buf;
113 tsize_t tile_buffsize = 0;
114 tsize_t tilesize = TIFFTileSize(out);
115@@ -1310,9 +1320,11 @@ static int writeBufferToContigTiles (TIFF* out, uint8_t* buf, uint32_t imageleng
116 }
117 src_rowsize = ((imagewidth * spp * bps) + 7U) / 8;
118
119- tilebuf = limitMalloc(tile_buffsize);
120+ /* Add 3 padding bytes for extractContigSamples32bits */
121+ tilebuf = limitMalloc(tile_buffsize + NUM_BUFF_OVERSIZE_BYTES);
122 if (tilebuf == 0)
123 return 1;
124+ memset(tilebuf, 0, tile_buffsize + NUM_BUFF_OVERSIZE_BYTES);
125 for (row = 0; row < imagelength; row += tl)
126 {
127 nrow = (row + tl > imagelength) ? imagelength - row : tl;
128@@ -1358,7 +1370,8 @@ static int writeBufferToSeparateTiles (TIFF* out, uint8_t* buf, uint32_t imagele
129 uint32_t imagewidth, tsample_t spp,
130 struct dump_opts * dump)
131 {
132- tdata_t obuf = limitMalloc(TIFFTileSize(out));
133+ /* Add 3 padding bytes for extractContigSamples32bits */
134+ tdata_t obuf = limitMalloc(TIFFTileSize(out) + NUM_BUFF_OVERSIZE_BYTES);
135 uint32_t tl, tw;
136 uint32_t row, col, nrow, ncol;
137 uint32_t src_rowsize, col_offset;
138@@ -1368,6 +1381,7 @@ static int writeBufferToSeparateTiles (TIFF* out, uint8_t* buf, uint32_t imagele
139
140 if (obuf == NULL)
141 return 1;
142+ memset(obuf, 0, TIFFTileSize(out) + NUM_BUFF_OVERSIZE_BYTES);
143
144 if( !TIFFGetField(out, TIFFTAG_TILELENGTH, &tl) ||
145 !TIFFGetField(out, TIFFTAG_TILEWIDTH, &tw) ||
146@@ -1793,14 +1807,14 @@ void process_command_opts (int argc, char *argv[], char *mp, char *mode, uint32
147
148 *opt_offset = '\0';
149 /* convert option to lowercase */
150- end = strlen (opt_ptr);
151+ end = (unsigned int)strlen (opt_ptr);
152 for (i = 0; i < end; i++)
153 *(opt_ptr + i) = tolower((int) *(opt_ptr + i));
154 /* Look for dump format specification */
155 if (strncmp(opt_ptr, "for", 3) == 0)
156 {
157 /* convert value to lowercase */
158- end = strlen (opt_offset + 1);
159+ end = (unsigned int)strlen (opt_offset + 1);
160 for (i = 1; i <= end; i++)
161 *(opt_offset + i) = tolower((int) *(opt_offset + i));
162 /* check dump format value */
163@@ -2273,6 +2287,8 @@ main(int argc, char* argv[])
164 size_t length;
165 char temp_filename[PATH_MAX + 16]; /* Extra space keeps the compiler from complaining */
166
167+ assert(NUM_BUFF_OVERSIZE_BYTES >= 3);
168+
169 little_endian = *((unsigned char *)&little_endian) & '1';
170
171 initImageData(&image);
172@@ -3227,13 +3243,13 @@ extractContigSamples32bits (uint8_t *in, uint8_t *out, uint32_t cols,
173 /* If we have a full buffer's worth, write it out */
174 if (ready_bits >= 32)
175 {
176- bytebuff1 = (buff2 >> 56);
177+ bytebuff1 = (uint8_t)(buff2 >> 56);
178 *dst++ = bytebuff1;
179- bytebuff2 = (buff2 >> 48);
180+ bytebuff2 = (uint8_t)(buff2 >> 48);
181 *dst++ = bytebuff2;
182- bytebuff3 = (buff2 >> 40);
183+ bytebuff3 = (uint8_t)(buff2 >> 40);
184 *dst++ = bytebuff3;
185- bytebuff4 = (buff2 >> 32);
186+ bytebuff4 = (uint8_t)(buff2 >> 32);
187 *dst++ = bytebuff4;
188 ready_bits -= 32;
189
190@@ -3642,13 +3658,13 @@ extractContigSamplesShifted32bits (uint8_t *in, uint8_t *out, uint32_t cols,
191 }
192 else /* If we have a full buffer's worth, write it out */
193 {
194- bytebuff1 = (buff2 >> 56);
195+ bytebuff1 = (uint8_t)(buff2 >> 56);
196 *dst++ = bytebuff1;
197- bytebuff2 = (buff2 >> 48);
198+ bytebuff2 = (uint8_t)(buff2 >> 48);
199 *dst++ = bytebuff2;
200- bytebuff3 = (buff2 >> 40);
201+ bytebuff3 = (uint8_t)(buff2 >> 40);
202 *dst++ = bytebuff3;
203- bytebuff4 = (buff2 >> 32);
204+ bytebuff4 = (uint8_t)(buff2 >> 32);
205 *dst++ = bytebuff4;
206 ready_bits -= 32;
207
208@@ -3825,10 +3841,10 @@ extractContigSamplesToTileBuffer(uint8_t *out, uint8_t *in, uint32_t rows, uint3
209 static int readContigStripsIntoBuffer (TIFF* in, uint8_t* buf)
210 {
211 uint8_t* bufp = buf;
212- int32_t bytes_read = 0;
213+ tmsize_t bytes_read = 0;
214 uint32_t strip, nstrips = TIFFNumberOfStrips(in);
215- uint32_t stripsize = TIFFStripSize(in);
216- uint32_t rows = 0;
217+ tmsize_t stripsize = TIFFStripSize(in);
218+ tmsize_t rows = 0;
219 uint32_t rps = TIFFGetFieldDefaulted(in, TIFFTAG_ROWSPERSTRIP, &rps);
220 tsize_t scanline_size = TIFFScanlineSize(in);
221
222@@ -3841,11 +3857,11 @@ static int readContigStripsIntoBuffer (TIFF* in, uint8_t* buf)
223 bytes_read = TIFFReadEncodedStrip (in, strip, bufp, -1);
224 rows = bytes_read / scanline_size;
225 if ((strip < (nstrips - 1)) && (bytes_read != (int32_t)stripsize))
226- TIFFError("", "Strip %"PRIu32": read %"PRId32" bytes, strip size %"PRIu32,
227+ TIFFError("", "Strip %"PRIu32": read %"PRId64" bytes, strip size %"PRIu64,
228 strip + 1, bytes_read, stripsize);
229
230 if (bytes_read < 0 && !ignore) {
231- TIFFError("", "Error reading strip %"PRIu32" after %"PRIu32" rows",
232+ TIFFError("", "Error reading strip %"PRIu32" after %"PRIu64" rows",
233 strip, rows);
234 return 0;
235 }
236@@ -4310,13 +4326,13 @@ combineSeparateSamples32bits (uint8_t *in[], uint8_t *out, uint32_t cols,
237 /* If we have a full buffer's worth, write it out */
238 if (ready_bits >= 32)
239 {
240- bytebuff1 = (buff2 >> 56);
241+ bytebuff1 = (uint8_t)(buff2 >> 56);
242 *dst++ = bytebuff1;
243- bytebuff2 = (buff2 >> 48);
244+ bytebuff2 = (uint8_t)(buff2 >> 48);
245 *dst++ = bytebuff2;
246- bytebuff3 = (buff2 >> 40);
247+ bytebuff3 = (uint8_t)(buff2 >> 40);
248 *dst++ = bytebuff3;
249- bytebuff4 = (buff2 >> 32);
250+ bytebuff4 = (uint8_t)(buff2 >> 32);
251 *dst++ = bytebuff4;
252 ready_bits -= 32;
253
254@@ -4359,10 +4375,10 @@ combineSeparateSamples32bits (uint8_t *in[], uint8_t *out, uint32_t cols,
255 "Row %3d, Col %3d, Src byte offset %3d bit offset %2d Dst offset %3d",
256 row + 1, col + 1, src_byte, src_bit, dst - out);
257
258- dump_long (dumpfile, format, "Match bits ", matchbits);
259+ dump_wide (dumpfile, format, "Match bits ", matchbits);
260 dump_data (dumpfile, format, "Src bits ", src, 4);
261- dump_long (dumpfile, format, "Buff1 bits ", buff1);
262- dump_long (dumpfile, format, "Buff2 bits ", buff2);
263+ dump_wide (dumpfile, format, "Buff1 bits ", buff1);
264+ dump_wide (dumpfile, format, "Buff2 bits ", buff2);
265 dump_byte (dumpfile, format, "Write bits1", bytebuff1);
266 dump_byte (dumpfile, format, "Write bits2", bytebuff2);
267 dump_info (dumpfile, format, "", "Ready bits: %2d", ready_bits);
268@@ -4835,13 +4851,13 @@ combineSeparateTileSamples32bits (uint8_t *in[], uint8_t *out, uint32_t cols,
269 /* If we have a full buffer's worth, write it out */
270 if (ready_bits >= 32)
271 {
272- bytebuff1 = (buff2 >> 56);
273+ bytebuff1 = (uint8_t)(buff2 >> 56);
274 *dst++ = bytebuff1;
275- bytebuff2 = (buff2 >> 48);
276+ bytebuff2 = (uint8_t)(buff2 >> 48);
277 *dst++ = bytebuff2;
278- bytebuff3 = (buff2 >> 40);
279+ bytebuff3 = (uint8_t)(buff2 >> 40);
280 *dst++ = bytebuff3;
281- bytebuff4 = (buff2 >> 32);
282+ bytebuff4 = (uint8_t)(buff2 >> 32);
283 *dst++ = bytebuff4;
284 ready_bits -= 32;
285
286@@ -4884,10 +4900,10 @@ combineSeparateTileSamples32bits (uint8_t *in[], uint8_t *out, uint32_t cols,
287 "Row %3d, Col %3d, Src byte offset %3d bit offset %2d Dst offset %3d",
288 row + 1, col + 1, src_byte, src_bit, dst - out);
289
290- dump_long (dumpfile, format, "Match bits ", matchbits);
291+ dump_wide (dumpfile, format, "Match bits ", matchbits);
292 dump_data (dumpfile, format, "Src bits ", src, 4);
293- dump_long (dumpfile, format, "Buff1 bits ", buff1);
294- dump_long (dumpfile, format, "Buff2 bits ", buff2);
295+ dump_wide (dumpfile, format, "Buff1 bits ", buff1);
296+ dump_wide (dumpfile, format, "Buff2 bits ", buff2);
297 dump_byte (dumpfile, format, "Write bits1", bytebuff1);
298 dump_byte (dumpfile, format, "Write bits2", bytebuff2);
299 dump_info (dumpfile, format, "", "Ready bits: %2d", ready_bits);
300@@ -4910,7 +4926,7 @@ static int readSeparateStripsIntoBuffer (TIFF *in, uint8_t *obuf, uint32_t lengt
301 {
302 int i, bytes_per_sample, bytes_per_pixel, shift_width, result = 1;
303 uint32_t j;
304- int32_t bytes_read = 0;
305+ tmsize_t bytes_read = 0;
306 uint16_t bps = 0, planar;
307 uint32_t nstrips;
308 uint32_t strips_per_sample;
309@@ -4976,7 +4992,7 @@ static int readSeparateStripsIntoBuffer (TIFF *in, uint8_t *obuf, uint32_t lengt
310 for (s = 0; (s < spp) && (s < MAX_SAMPLES); s++)
311 {
312 srcbuffs[s] = NULL;
313- buff = limitMalloc(stripsize + 3);
314+ buff = limitMalloc(stripsize + NUM_BUFF_OVERSIZE_BYTES);
315 if (!buff)
316 {
317 TIFFError ("readSeparateStripsIntoBuffer",
318@@ -4999,7 +5015,7 @@ static int readSeparateStripsIntoBuffer (TIFF *in, uint8_t *obuf, uint32_t lengt
319 buff = srcbuffs[s];
320 strip = (s * strips_per_sample) + j;
321 bytes_read = TIFFReadEncodedStrip (in, strip, buff, stripsize);
322- rows_this_strip = bytes_read / src_rowsize;
323+ rows_this_strip = (uint32_t)(bytes_read / src_rowsize);
324 if (bytes_read < 0 && !ignore)
325 {
326 TIFFError(TIFFFileName(in),
327@@ -6062,13 +6078,14 @@ loadImage(TIFF* in, struct image_data *image, struct dump_opts *dump, unsigned c
328 uint16_t input_compression = 0, input_photometric = 0;
329 uint16_t subsampling_horiz, subsampling_vert;
330 uint32_t width = 0, length = 0;
331- uint32_t stsize = 0, tlsize = 0, buffsize = 0, scanlinesize = 0;
332+ tmsize_t stsize = 0, tlsize = 0, buffsize = 0;
333+ tmsize_t scanlinesize = 0;
334 uint32_t tw = 0, tl = 0; /* Tile width and length */
335- uint32_t tile_rowsize = 0;
336+ tmsize_t tile_rowsize = 0;
337 unsigned char *read_buff = NULL;
338 unsigned char *new_buff = NULL;
339 int readunit = 0;
340- static uint32_t prev_readsize = 0;
341+ static tmsize_t prev_readsize = 0;
342
343 TIFFGetFieldDefaulted(in, TIFFTAG_BITSPERSAMPLE, &bps);
344 TIFFGetFieldDefaulted(in, TIFFTAG_SAMPLESPERPIXEL, &spp);
345@@ -6325,6 +6342,8 @@ loadImage(TIFF* in, struct image_data *image, struct dump_opts *dump, unsigned c
346 /* The buffsize_check and the possible adaptation of buffsize
347 * has to account also for padding of each line to a byte boundary.
348 * This is assumed by mirrorImage() and rotateImage().
349+ * Furthermore, functions like extractContigSamplesShifted32bits()
350+ * need a buffer, which is at least 3 bytes larger than the actual image.
351 * Otherwise buffer-overflow might occur there.
352 */
353 buffsize_check = length * (uint32_t)(((width * spp * bps) + 7) / 8);
354@@ -6376,7 +6395,7 @@ loadImage(TIFF* in, struct image_data *image, struct dump_opts *dump, unsigned c
355 TIFFError("loadImage", "Unable to allocate/reallocate read buffer");
356 return (-1);
357 }
358- read_buff = (unsigned char *)limitMalloc(buffsize+3);
359+ read_buff = (unsigned char *)limitMalloc(buffsize + NUM_BUFF_OVERSIZE_BYTES);
360 }
361 else
362 {
363@@ -6387,11 +6406,11 @@ loadImage(TIFF* in, struct image_data *image, struct dump_opts *dump, unsigned c
364 TIFFError("loadImage", "Unable to allocate/reallocate read buffer");
365 return (-1);
366 }
367- new_buff = _TIFFrealloc(read_buff, buffsize+3);
368+ new_buff = _TIFFrealloc(read_buff, buffsize + NUM_BUFF_OVERSIZE_BYTES);
369 if (!new_buff)
370 {
371 free (read_buff);
372- read_buff = (unsigned char *)limitMalloc(buffsize+3);
373+ read_buff = (unsigned char *)limitMalloc(buffsize + NUM_BUFF_OVERSIZE_BYTES);
374 }
375 else
376 read_buff = new_buff;
377@@ -6464,8 +6483,13 @@ loadImage(TIFF* in, struct image_data *image, struct dump_opts *dump, unsigned c
378 dump_info (dump->infile, dump->format, "",
379 "Bits per sample %"PRIu16", Samples per pixel %"PRIu16, bps, spp);
380
381+ if (scanlinesize > 0x0ffffffffULL) {
382+ dump_info(dump->infile, dump->format, "loadImage",
383+ "Attention: scanlinesize %"PRIu64" is larger than UINT32_MAX.\nFollowing dump might be wrong.",
384+ scanlinesize);
385+ }
386 for (i = 0; i < length; i++)
387- dump_buffer(dump->infile, dump->format, 1, scanlinesize,
388+ dump_buffer(dump->infile, dump->format, 1, (uint32_t)scanlinesize,
389 i, read_buff + (i * scanlinesize));
390 }
391 return (0);
392@@ -7485,13 +7509,13 @@ writeSingleSection(TIFF *in, TIFF *out, struct image_data *image,
393 if (TIFFGetField(in, TIFFTAG_NUMBEROFINKS, &ninks)) {
394 TIFFSetField(out, TIFFTAG_NUMBEROFINKS, ninks);
395 if (TIFFGetField(in, TIFFTAG_INKNAMES, &inknames)) {
396- int inknameslen = strlen(inknames) + 1;
397+ int inknameslen = (int)strlen(inknames) + 1;
398 const char* cp = inknames;
399 while (ninks > 1) {
400 cp = strchr(cp, '\0');
401 if (cp) {
402 cp++;
403- inknameslen += (strlen(cp) + 1);
404+ inknameslen += ((int)strlen(cp) + 1);
405 }
406 ninks--;
407 }
408@@ -7554,23 +7578,23 @@ createImageSection(uint32_t sectsize, unsigned char **sect_buff_ptr)
409
410 if (!sect_buff)
411 {
412- sect_buff = (unsigned char *)limitMalloc(sectsize);
413+ sect_buff = (unsigned char *)limitMalloc(sectsize + NUM_BUFF_OVERSIZE_BYTES);
414 if (!sect_buff)
415 {
416 TIFFError("createImageSection", "Unable to allocate/reallocate section buffer");
417 return (-1);
418 }
419- _TIFFmemset(sect_buff, 0, sectsize);
420+ _TIFFmemset(sect_buff, 0, sectsize + NUM_BUFF_OVERSIZE_BYTES);
421 }
422 else
423 {
424 if (prev_sectsize < sectsize)
425 {
426- new_buff = _TIFFrealloc(sect_buff, sectsize);
427+ new_buff = _TIFFrealloc(sect_buff, sectsize + NUM_BUFF_OVERSIZE_BYTES);
428 if (!new_buff)
429 {
430 _TIFFfree (sect_buff);
431- sect_buff = (unsigned char *)limitMalloc(sectsize);
432+ sect_buff = (unsigned char *)limitMalloc(sectsize + NUM_BUFF_OVERSIZE_BYTES);
433 }
434 else
435 sect_buff = new_buff;
436@@ -7580,7 +7604,7 @@ createImageSection(uint32_t sectsize, unsigned char **sect_buff_ptr)
437 TIFFError("createImageSection", "Unable to allocate/reallocate section buffer");
438 return (-1);
439 }
440- _TIFFmemset(sect_buff, 0, sectsize);
441+ _TIFFmemset(sect_buff, 0, sectsize + NUM_BUFF_OVERSIZE_BYTES);
442 }
443 }
444
445@@ -7611,17 +7635,17 @@ processCropSelections(struct image_data *image, struct crop_mask *crop,
446 cropsize = crop->bufftotal;
447 crop_buff = seg_buffs[0].buffer;
448 if (!crop_buff)
449- crop_buff = (unsigned char *)limitMalloc(cropsize);
450+ crop_buff = (unsigned char *)limitMalloc(cropsize + NUM_BUFF_OVERSIZE_BYTES);
451 else
452 {
453 prev_cropsize = seg_buffs[0].size;
454 if (prev_cropsize < cropsize)
455 {
456- next_buff = _TIFFrealloc(crop_buff, cropsize);
457+ next_buff = _TIFFrealloc(crop_buff, cropsize + NUM_BUFF_OVERSIZE_BYTES);
458 if (! next_buff)
459 {
460 _TIFFfree (crop_buff);
461- crop_buff = (unsigned char *)limitMalloc(cropsize);
462+ crop_buff = (unsigned char *)limitMalloc(cropsize + NUM_BUFF_OVERSIZE_BYTES);
463 }
464 else
465 crop_buff = next_buff;
466@@ -7634,7 +7658,7 @@ processCropSelections(struct image_data *image, struct crop_mask *crop,
467 return (-1);
468 }
469
470- _TIFFmemset(crop_buff, 0, cropsize);
471+ _TIFFmemset(crop_buff, 0, cropsize + NUM_BUFF_OVERSIZE_BYTES);
472 seg_buffs[0].buffer = crop_buff;
473 seg_buffs[0].size = cropsize;
474
475@@ -7714,17 +7738,17 @@ processCropSelections(struct image_data *image, struct crop_mask *crop,
476 cropsize = crop->bufftotal;
477 crop_buff = seg_buffs[i].buffer;
478 if (!crop_buff)
479- crop_buff = (unsigned char *)limitMalloc(cropsize);
480+ crop_buff = (unsigned char *)limitMalloc(cropsize + NUM_BUFF_OVERSIZE_BYTES);
481 else
482 {
483 prev_cropsize = seg_buffs[0].size;
484 if (prev_cropsize < cropsize)
485 {
486- next_buff = _TIFFrealloc(crop_buff, cropsize);
487+ next_buff = _TIFFrealloc(crop_buff, cropsize + NUM_BUFF_OVERSIZE_BYTES);
488 if (! next_buff)
489 {
490 _TIFFfree (crop_buff);
491- crop_buff = (unsigned char *)limitMalloc(cropsize);
492+ crop_buff = (unsigned char *)limitMalloc(cropsize + NUM_BUFF_OVERSIZE_BYTES);
493 }
494 else
495 crop_buff = next_buff;
496@@ -7737,7 +7761,7 @@ processCropSelections(struct image_data *image, struct crop_mask *crop,
497 return (-1);
498 }
499
500- _TIFFmemset(crop_buff, 0, cropsize);
501+ _TIFFmemset(crop_buff, 0, cropsize + NUM_BUFF_OVERSIZE_BYTES);
502 seg_buffs[i].buffer = crop_buff;
503 seg_buffs[i].size = cropsize;
504
505@@ -7853,24 +7877,24 @@ createCroppedImage(struct image_data *image, struct crop_mask *crop,
506 crop_buff = *crop_buff_ptr;
507 if (!crop_buff)
508 {
509- crop_buff = (unsigned char *)limitMalloc(cropsize);
510+ crop_buff = (unsigned char *)limitMalloc(cropsize + NUM_BUFF_OVERSIZE_BYTES);
511 if (!crop_buff)
512 {
513 TIFFError("createCroppedImage", "Unable to allocate/reallocate crop buffer");
514 return (-1);
515 }
516- _TIFFmemset(crop_buff, 0, cropsize);
517+ _TIFFmemset(crop_buff, 0, cropsize + NUM_BUFF_OVERSIZE_BYTES);
518 prev_cropsize = cropsize;
519 }
520 else
521 {
522 if (prev_cropsize < cropsize)
523 {
524- new_buff = _TIFFrealloc(crop_buff, cropsize);
525+ new_buff = _TIFFrealloc(crop_buff, cropsize + NUM_BUFF_OVERSIZE_BYTES);
526 if (!new_buff)
527 {
528 free (crop_buff);
529- crop_buff = (unsigned char *)limitMalloc(cropsize);
530+ crop_buff = (unsigned char *)limitMalloc(cropsize + NUM_BUFF_OVERSIZE_BYTES);
531 }
532 else
533 crop_buff = new_buff;
534@@ -7879,7 +7903,7 @@ createCroppedImage(struct image_data *image, struct crop_mask *crop,
535 TIFFError("createCroppedImage", "Unable to allocate/reallocate crop buffer");
536 return (-1);
537 }
538- _TIFFmemset(crop_buff, 0, cropsize);
539+ _TIFFmemset(crop_buff, 0, cropsize + NUM_BUFF_OVERSIZE_BYTES);
540 }
541 }
542
543@@ -8177,13 +8201,13 @@ writeCroppedImage(TIFF *in, TIFF *out, struct image_data *image,
544 if (TIFFGetField(in, TIFFTAG_NUMBEROFINKS, &ninks)) {
545 TIFFSetField(out, TIFFTAG_NUMBEROFINKS, ninks);
546 if (TIFFGetField(in, TIFFTAG_INKNAMES, &inknames)) {
547- int inknameslen = strlen(inknames) + 1;
548+ int inknameslen = (int)strlen(inknames) + 1;
549 const char* cp = inknames;
550 while (ninks > 1) {
551 cp = strchr(cp, '\0');
552 if (cp) {
553 cp++;
554- inknameslen += (strlen(cp) + 1);
555+ inknameslen += ((int)strlen(cp) + 1);
556 }
557 ninks--;
558 }
559@@ -8568,13 +8592,13 @@ rotateContigSamples32bits(uint16_t rotation, uint16_t spp, uint16_t bps, uint32_
560 }
561 else /* If we have a full buffer's worth, write it out */
562 {
563- bytebuff1 = (buff2 >> 56);
564+ bytebuff1 = (uint8_t)(buff2 >> 56);
565 *dst++ = bytebuff1;
566- bytebuff2 = (buff2 >> 48);
567+ bytebuff2 = (uint8_t)(buff2 >> 48);
568 *dst++ = bytebuff2;
569- bytebuff3 = (buff2 >> 40);
570+ bytebuff3 = (uint8_t)(buff2 >> 40);
571 *dst++ = bytebuff3;
572- bytebuff4 = (buff2 >> 32);
573+ bytebuff4 = (uint8_t)(buff2 >> 32);
574 *dst++ = bytebuff4;
575 ready_bits -= 32;
576
577@@ -8643,12 +8667,13 @@ rotateImage(uint16_t rotation, struct image_data *image, uint32_t *img_width,
578 return (-1);
579 }
580
581- if (!(rbuff = (unsigned char *)limitMalloc(buffsize)))
582+ /* Add 3 padding bytes for extractContigSamplesShifted32bits */
583+ if (!(rbuff = (unsigned char *)limitMalloc(buffsize + NUM_BUFF_OVERSIZE_BYTES)))
584 {
585- TIFFError("rotateImage", "Unable to allocate rotation buffer of %1u bytes", buffsize);
586+ TIFFError("rotateImage", "Unable to allocate rotation buffer of %1u bytes", buffsize + NUM_BUFF_OVERSIZE_BYTES);
587 return (-1);
588 }
589- _TIFFmemset(rbuff, '\0', buffsize);
590+ _TIFFmemset(rbuff, '\0', buffsize + NUM_BUFF_OVERSIZE_BYTES);
591
592 ibuff = *ibuff_ptr;
593 switch (rotation)
594@@ -9176,13 +9201,13 @@ reverseSamples32bits (uint16_t spp, uint16_t bps, uint32_t width,
595 }
596 else /* If we have a full buffer's worth, write it out */
597 {
598- bytebuff1 = (buff2 >> 56);
599+ bytebuff1 = (uint8_t)(buff2 >> 56);
600 *dst++ = bytebuff1;
601- bytebuff2 = (buff2 >> 48);
602+ bytebuff2 = (uint8_t)(buff2 >> 48);
603 *dst++ = bytebuff2;
604- bytebuff3 = (buff2 >> 40);
605+ bytebuff3 = (uint8_t)(buff2 >> 40);
606 *dst++ = bytebuff3;
607- bytebuff4 = (buff2 >> 32);
608+ bytebuff4 = (uint8_t)(buff2 >> 32);
609 *dst++ = bytebuff4;
610 ready_bits -= 32;
611
612@@ -9273,12 +9298,13 @@ mirrorImage(uint16_t spp, uint16_t bps, uint16_t mirror, uint32_t width, uint32_
613 {
614 case MIRROR_BOTH:
615 case MIRROR_VERT:
616- line_buff = (unsigned char *)limitMalloc(rowsize);
617+ line_buff = (unsigned char *)limitMalloc(rowsize + NUM_BUFF_OVERSIZE_BYTES);
618 if (line_buff == NULL)
619 {
620- TIFFError ("mirrorImage", "Unable to allocate mirror line buffer of %1u bytes", rowsize);
621+ TIFFError ("mirrorImage", "Unable to allocate mirror line buffer of %1u bytes", rowsize + NUM_BUFF_OVERSIZE_BYTES);
622 return (-1);
623 }
624+ _TIFFmemset(line_buff, '\0', rowsize + NUM_BUFF_OVERSIZE_BYTES);
625
626 dst = ibuff + (rowsize * (length - 1));
627 for (row = 0; row < length / 2; row++)
628@@ -9310,11 +9336,12 @@ mirrorImage(uint16_t spp, uint16_t bps, uint16_t mirror, uint32_t width, uint32_
629 }
630 else
631 { /* non 8 bit per sample data */
632- if (!(line_buff = (unsigned char *)limitMalloc(rowsize + 1)))
633+ if (!(line_buff = (unsigned char *)limitMalloc(rowsize + NUM_BUFF_OVERSIZE_BYTES)))
634 {
635 TIFFError("mirrorImage", "Unable to allocate mirror line buffer");
636 return (-1);
637 }
638+ _TIFFmemset(line_buff, '\0', rowsize + NUM_BUFF_OVERSIZE_BYTES);
639 bytes_per_sample = (bps + 7) / 8;
640 bytes_per_pixel = ((bps * spp) + 7) / 8;
641 if (bytes_per_pixel < (bytes_per_sample + 1))
642@@ -9326,7 +9353,7 @@ mirrorImage(uint16_t spp, uint16_t bps, uint16_t mirror, uint32_t width, uint32_
643 {
644 row_offset = row * rowsize;
645 src = ibuff + row_offset;
646- _TIFFmemset (line_buff, '\0', rowsize);
647+ _TIFFmemset (line_buff, '\0', rowsize + NUM_BUFF_OVERSIZE_BYTES);
648 switch (shift_width)
649 {
650 case 1: if (reverseSamples16bits(spp, bps, width, src, line_buff))
651--
6522.34.1
653
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2022-2953.patch b/meta/recipes-multimedia/libtiff/files/CVE-2022-2953.patch
deleted file mode 100644
index e673945fa3..0000000000
--- a/meta/recipes-multimedia/libtiff/files/CVE-2022-2953.patch
+++ /dev/null
@@ -1,86 +0,0 @@
1CVE: CVE-2022-2953
2Upstream-Status: Backport
3Signed-off-by: Ross Burton <ross.burton@arm.com>
4
5From 8fe3735942ea1d90d8cef843b55b3efe8ab6feaf Mon Sep 17 00:00:00 2001
6From: Su_Laus <sulau@freenet.de>
7Date: Mon, 15 Aug 2022 22:11:03 +0200
8Subject: [PATCH] =?UTF-8?q?According=20to=20Richard=20Nolde=20https://gitl?=
9 =?UTF-8?q?ab.com/libtiff/libtiff/-/issues/401#note=5F877637400=20the=20ti?=
10 =?UTF-8?q?ffcrop=20option=20=E2=80=9E-S=E2=80=9C=20is=20also=20mutually?=
11 =?UTF-8?q?=20exclusive=20to=20the=20other=20crop=20options=20(-X|-Y),=20-?=
12 =?UTF-8?q?Z=20and=20-z.?=
13MIME-Version: 1.0
14Content-Type: text/plain; charset=UTF-8
15Content-Transfer-Encoding: 8bit
16
17This is now checked and ends tiffcrop if those arguments are not mutually exclusive.
18
19This MR will fix the following tiffcrop issues: #349, #414, #422, #423, #424
20---
21 tools/tiffcrop.c | 31 ++++++++++++++++---------------
22 1 file changed, 16 insertions(+), 15 deletions(-)
23
24diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
25index 90286a5e..c3b758ec 100644
26--- a/tools/tiffcrop.c
27+++ b/tools/tiffcrop.c
28@@ -173,12 +173,12 @@ static char tiffcrop_rev_date[] = "02-09-2022";
29 #define ROTATECW_270 32
30 #define ROTATE_ANY (ROTATECW_90 | ROTATECW_180 | ROTATECW_270)
31
32-#define CROP_NONE 0
33-#define CROP_MARGINS 1
34-#define CROP_WIDTH 2
35-#define CROP_LENGTH 4
36-#define CROP_ZONES 8
37-#define CROP_REGIONS 16
38+#define CROP_NONE 0 /* "-S" -> Page_MODE_ROWSCOLS and page->rows/->cols != 0 */
39+#define CROP_MARGINS 1 /* "-m" */
40+#define CROP_WIDTH 2 /* "-X" */
41+#define CROP_LENGTH 4 /* "-Y" */
42+#define CROP_ZONES 8 /* "-Z" */
43+#define CROP_REGIONS 16 /* "-z" */
44 #define CROP_ROTATE 32
45 #define CROP_MIRROR 64
46 #define CROP_INVERT 128
47@@ -316,7 +316,7 @@ struct crop_mask {
48 #define PAGE_MODE_RESOLUTION 1
49 #define PAGE_MODE_PAPERSIZE 2
50 #define PAGE_MODE_MARGINS 4
51-#define PAGE_MODE_ROWSCOLS 8
52+#define PAGE_MODE_ROWSCOLS 8 /* for -S option */
53
54 #define INVERT_DATA_ONLY 10
55 #define INVERT_DATA_AND_TAG 11
56@@ -781,7 +781,7 @@ static const char usage_info[] =
57 " The four debug/dump options are independent, though it makes little sense to\n"
58 " specify a dump file without specifying a detail level.\n"
59 "\n"
60-"Note: The (-X|-Y), -Z and -z options are mutually exclusive.\n"
61+"Note: The (-X|-Y), -Z, -z and -S options are mutually exclusive.\n"
62 " In no case should the options be applied to a given selection successively.\n"
63 "\n"
64 ;
65@@ -2131,13 +2131,14 @@ void process_command_opts (int argc, char *argv[], char *mp, char *mode, uint32
66 /*NOTREACHED*/
67 }
68 }
69- /*-- Check for not allowed combinations (e.g. -X, -Y and -Z and -z are mutually exclusive) --*/
70- char XY, Z, R;
71+ /*-- Check for not allowed combinations (e.g. -X, -Y and -Z, -z and -S are mutually exclusive) --*/
72+ char XY, Z, R, S;
73 XY = ((crop_data->crop_mode & CROP_WIDTH) || (crop_data->crop_mode & CROP_LENGTH));
74 Z = (crop_data->crop_mode & CROP_ZONES);
75 R = (crop_data->crop_mode & CROP_REGIONS);
76- if ((XY && Z) || (XY && R) || (Z && R)) {
77- TIFFError("tiffcrop input error", "The crop options(-X|-Y), -Z and -z are mutually exclusive.->Exit");
78+ S = (page->mode & PAGE_MODE_ROWSCOLS);
79+ if ((XY && Z) || (XY && R) || (XY && S) || (Z && R) || (Z && S) || (R && S)) {
80+ TIFFError("tiffcrop input error", "The crop options(-X|-Y), -Z, -z and -S are mutually exclusive.->Exit");
81 exit(EXIT_FAILURE);
82 }
83 } /* end process_command_opts */
84--
852.34.1
86
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2022-34526.patch b/meta/recipes-multimedia/libtiff/files/CVE-2022-34526.patch
deleted file mode 100644
index 54c3345746..0000000000
--- a/meta/recipes-multimedia/libtiff/files/CVE-2022-34526.patch
+++ /dev/null
@@ -1,32 +0,0 @@
1From 275735d0354e39c0ac1dc3c0db2120d6f31d1990 Mon Sep 17 00:00:00 2001
2From: Even Rouault <even.rouault@spatialys.com>
3Date: Mon, 27 Jun 2022 16:09:43 +0200
4Subject: [PATCH] _TIFFCheckFieldIsValidForCodec(): return FALSE when passed a
5 codec-specific tag and the codec is not configured (fixes #433)
6
7This avoids crashes when querying such tags
8
9CVE: CVE-2022-34526
10Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/275735d0354e39c0ac1dc3c0db2120d6f31d1990]
11Signed-off-by: Khem Raj <raj.khem@gmail.com>
12---
13 libtiff/tif_dirinfo.c | 3 +++
14 1 file changed, 3 insertions(+)
15
16diff --git a/libtiff/tif_dirinfo.c b/libtiff/tif_dirinfo.c
17index c30f569b..3371cb5c 100644
18--- a/libtiff/tif_dirinfo.c
19+++ b/libtiff/tif_dirinfo.c
20@@ -1191,6 +1191,9 @@ _TIFFCheckFieldIsValidForCodec(TIFF *tif, ttag_t tag)
21 default:
22 return 1;
23 }
24+ if( !TIFFIsCODECConfigured(tif->tif_dir.td_compression) ) {
25+ return 0;
26+ }
27 /* Check if codec specific tags are allowed for the current
28 * compression scheme (codec) */
29 switch (tif->tif_dir.td_compression) {
30--
31GitLab
32
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2022-3970.patch b/meta/recipes-multimedia/libtiff/files/CVE-2022-3970.patch
deleted file mode 100644
index b3352ba8ab..0000000000
--- a/meta/recipes-multimedia/libtiff/files/CVE-2022-3970.patch
+++ /dev/null
@@ -1,39 +0,0 @@
1From 227500897dfb07fb7d27f7aa570050e62617e3be Mon Sep 17 00:00:00 2001
2From: Even Rouault <even.rouault@spatialys.com>
3Date: Tue, 8 Nov 2022 15:16:58 +0100
4Subject: [PATCH] TIFFReadRGBATileExt(): fix (unsigned) integer overflow on
5 strips/tiles > 2 GB
6
7Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=53137
8Upstream-Status: Accepted
9---
10 libtiff/tif_getimage.c | 8 ++++----
11 1 file changed, 4 insertions(+), 4 deletions(-)
12
13diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c
14index a4d0c1d6..60b94d8e 100644
15--- a/libtiff/tif_getimage.c
16+++ b/libtiff/tif_getimage.c
17@@ -3016,15 +3016,15 @@ TIFFReadRGBATileExt(TIFF* tif, uint32_t col, uint32_t row, uint32_t * raster, in
18 return( ok );
19
20 for( i_row = 0; i_row < read_ysize; i_row++ ) {
21- memmove( raster + (tile_ysize - i_row - 1) * tile_xsize,
22- raster + (read_ysize - i_row - 1) * read_xsize,
23+ memmove( raster + (size_t)(tile_ysize - i_row - 1) * tile_xsize,
24+ raster + (size_t)(read_ysize - i_row - 1) * read_xsize,
25 read_xsize * sizeof(uint32_t) );
26- _TIFFmemset( raster + (tile_ysize - i_row - 1) * tile_xsize+read_xsize,
27+ _TIFFmemset( raster + (size_t)(tile_ysize - i_row - 1) * tile_xsize+read_xsize,
28 0, sizeof(uint32_t) * (tile_xsize - read_xsize) );
29 }
30
31 for( i_row = read_ysize; i_row < tile_ysize; i_row++ ) {
32- _TIFFmemset( raster + (tile_ysize - i_row - 1) * tile_xsize,
33+ _TIFFmemset( raster + (size_t)(tile_ysize - i_row - 1) * tile_xsize,
34 0, sizeof(uint32_t) * tile_xsize );
35 }
36
37--
382.33.0
39
diff --git a/meta/recipes-multimedia/libtiff/tiff_4.4.0.bb b/meta/recipes-multimedia/libtiff/tiff_4.5.0.bb
index 970aab5433..2ed70f7500 100644
--- a/meta/recipes-multimedia/libtiff/tiff_4.4.0.bb
+++ b/meta/recipes-multimedia/libtiff/tiff_4.5.0.bb
@@ -4,22 +4,13 @@ DESCRIPTION = "Library provides support for the Tag Image File Format \
4provide means to easily access and create TIFF image files." 4provide means to easily access and create TIFF image files."
5HOMEPAGE = "http://www.libtiff.org/" 5HOMEPAGE = "http://www.libtiff.org/"
6LICENSE = "BSD-2-Clause" 6LICENSE = "BSD-2-Clause"
7LIC_FILES_CHKSUM = "file://COPYRIGHT;md5=34da3db46fab7501992f9615d7e158cf" 7LIC_FILES_CHKSUM = "file://LICENSE.md;md5=a3e32d664d6db1386b4689c8121531c3"
8 8
9CVE_PRODUCT = "libtiff" 9CVE_PRODUCT = "libtiff"
10 10
11SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \ 11SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz"
12 file://0001-fix-the-FPE-in-tiffcrop-415-427-and-428.patch \ 12
13 file://CVE-2022-34526.patch \ 13SRC_URI[sha256sum] = "c7a1d9296649233979fa3eacffef3fa024d73d05d589cb622727b5b08c423464"
14 file://CVE-2022-2953.patch \
15 file://CVE-2022-3970.patch \
16 file://0001-Revised-handling-of-TIFFTAG_INKNAMES-and-related-TIF.patch \
17 file://0001-tiffcrop-S-option-Make-decision-simpler.patch \
18 file://0001-tiffcrop-disable-incompatibility-of-Z-X-Y-z-options-.patch \
19 file://0001-tiffcrop-subroutines-require-a-larger-buffer-fixes-2.patch \
20 "
21
22SRC_URI[sha256sum] = "917223b37538959aca3b790d2d73aa6e626b688e02dcda272aec24c2f498abed"
23 14
24# exclude betas 15# exclude betas
25UPSTREAM_CHECK_REGEX = "tiff-(?P<pver>\d+(\.\d+)+).tar" 16UPSTREAM_CHECK_REGEX = "tiff-(?P<pver>\d+(\.\d+)+).tar"
generated by cgit v1.2.3-54-g00ecf (git 2.39.0) at 2024-05-10 13:33:57 +0000