tiff: Add patches to fix multiple CVEs

Add patches to fix below CVE issues CVE-2022-0865 CVE-2022-0907 CVE-2022-0908 CVE-2022-0909 CVE-2022-0924 (From OE-Core rev: 7c71434832caf6a15f8fb884d028a8c1bf4090a9) Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com> Signed-off-by: Ranjitsinh Rathod <ranjitsinhrathod1991@gmail.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com> 2022-05-16 19:09:56 +0530
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2022-05-20 10:08:00 +0100
commit: 37bbb105c93213cb8bf78c054b4e682378c9f50c (patch)
tree: 2f2dc6b208435f707e45767174d4af2d30c46d5d /meta/recipes-multimedia
parent: fec7f76cfcf94947b8437fde0703da3d645ed2dc (diff)
download: poky-37bbb105c93213cb8bf78c054b4e682378c9f50c.tar.gz
6 files changed, 267 insertions, 0 deletions
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2022-0865.patch b/meta/recipes-multimedia/libtiff/files/CVE-2022-0865.patch
new file mode 100644
index 0000000000..e2d136f587
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2022-0865.patch
@@ -0,0 +1,39 @@
+From a1c933dabd0e1c54a412f3f84ae0aa58115c6067 Mon Sep 17 00:00:00 2001
+From: Even Rouault <even.rouault@spatialys.com>
+Date: Thu, 24 Feb 2022 22:26:02 +0100
+Subject: [PATCH] tif_jbig.c: fix crash when reading a file with multiple IFD
+ in memory-mapped mode and when bit reversal is needed (fixes #385)
+CVE: CVE-2022-0865
+Upstream-Status: Backport [https://sources.debian.org/src/tiff/4.1.0+git191117-2%7Edeb10u4/debian/patches/CVE-2022-0865.patch/]
+Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
+Comment: No change in any hunk
+---
+ libtiff/tif_jbig.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+diff --git a/libtiff/tif_jbig.c b/libtiff/tif_jbig.c
+index 74086338..8bfa4cef 100644
+--- a/libtiff/tif_jbig.c
+++ b/libtiff/tif_jbig.c
+@@ -208,6 +208,16 @@ int TIFFInitJBIG(TIFF* tif, int scheme)
+         */
+        tif->tif_flags |= TIFF_NOBITREV;
+        tif->tif_flags &= ~TIFF_MAPPED;
+       /* We may have read from a previous IFD and thus set TIFF_BUFFERMMAP and
+        * cleared TIFF_MYBUFFER. It is necessary to restore them to their initial
+        * value to be consistent with the state of a non-memory mapped file.
+        */
+       if (tif->tif_flags&TIFF_BUFFERMMAP) {
+               tif->tif_rawdata = NULL;
+               tif->tif_rawdatasize = 0;
+               tif->tif_flags &= ~TIFF_BUFFERMMAP;
+               tif->tif_flags |= TIFF_MYBUFFER;
+       }
+ 
+        /* Setup the function pointers for encode, decode, and cleanup. */
+        tif->tif_setupdecode = JBIGSetupDecode;
+-- 
+GitLab
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2022-0907.patch b/meta/recipes-multimedia/libtiff/files/CVE-2022-0907.patch
new file mode 100644
index 0000000000..da3ead5481
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2022-0907.patch
@@ -0,0 +1,94 @@
+From 40b00cfb32256d377608b4d4cd30fac338d0a0bc Mon Sep 17 00:00:00 2001
+From: Augustus <wangdw.augustus@qq.com>
+Date: Mon, 7 Mar 2022 18:21:49 +0800
+Subject: [PATCH] add checks for return value of limitMalloc (#392)
+CVE: CVE-2022-0907
+Upstream-Status: Backport [https://sources.debian.org/src/tiff/4.1.0+git191117-2%7Edeb10u4/debian/patches/CVE-2022-0907.patch/]
+Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
+Comment: No change in any hunk
+---
+ tools/tiffcrop.c | 33 +++++++++++++++++++++------------
+ 1 file changed, 21 insertions(+), 12 deletions(-)
+diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
+index f2e5474a..9b8acc7e 100644
+--- a/tools/tiffcrop.c
+++ b/tools/tiffcrop.c
+@@ -7337,7 +7337,11 @@ createImageSection(uint32_t sectsize, unsigned char **sect_buff_ptr)
+   if (!sect_buff)
+     {
+     sect_buff = (unsigned char *)_TIFFmalloc(sectsize);
+-    *sect_buff_ptr = sect_buff;
+    if (!sect_buff)
+    {
+        TIFFError("createImageSection", "Unable to allocate/reallocate section buffer");
+        return (-1);
+    }
+     _TIFFmemset(sect_buff, 0, sectsize);
+     }
+   else
+@@ -7353,15 +7357,15 @@ createImageSection(uint32_t sectsize, unsigned char **sect_buff_ptr)
+       else
+         sect_buff = new_buff;
+ 
+      if (!sect_buff)
+      {
+          TIFFError("createImageSection", "Unable to allocate/reallocate section buffer");
+          return (-1);
+      }
+       _TIFFmemset(sect_buff, 0, sectsize);
+       }
+     }
+ 
+-  if (!sect_buff)
+-    {
+-    TIFFError("createImageSection", "Unable to allocate/reallocate section buffer");
+-    return (-1);
+-    }
+   prev_sectsize = sectsize;
+   *sect_buff_ptr = sect_buff;
+ 
+@@ -7628,7 +7632,11 @@ createCroppedImage(struct image_data *image, struct crop_mask *crop,
+   if (!crop_buff)
+     {
+     crop_buff = (unsigned char *)_TIFFmalloc(cropsize);
+-    *crop_buff_ptr = crop_buff;
+    if (!crop_buff)
+    {
+        TIFFError("createCroppedImage", "Unable to allocate/reallocate crop buffer");
+        return (-1);
+    }
+     _TIFFmemset(crop_buff, 0, cropsize);
+     prev_cropsize = cropsize;
+     }
+@@ -7644,15 +7652,15 @@ createCroppedImage(struct image_data *image, struct crop_mask *crop,
+         }
+       else
+         crop_buff = new_buff;
+      if (!crop_buff)
+      {
+          TIFFError("createCroppedImage", "Unable to allocate/reallocate crop buffer");
+          return (-1);
+      }
+       _TIFFmemset(crop_buff, 0, cropsize);
+       }
+     }
+ 
+-  if (!crop_buff)
+-    {
+-    TIFFError("createCroppedImage", "Unable to allocate/reallocate crop buffer");
+-    return (-1);
+-    }
+   *crop_buff_ptr = crop_buff;
+ 
+   if (crop->crop_mode & CROP_INVERT)
+@@ -9211,3 +9219,4 @@ invertImage(uint16_t photometric, uint16_t spp, uint16_t bps, uint32_t width, ui
+  * fill-column: 78
+  * End:
+  */
+
+-- 
+GitLab
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2022-0908.patch b/meta/recipes-multimedia/libtiff/files/CVE-2022-0908.patch
new file mode 100644
index 0000000000..e65af6c600
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2022-0908.patch
@@ -0,0 +1,34 @@
+From a95b799f65064e4ba2e2dfc206808f86faf93e85 Mon Sep 17 00:00:00 2001
+From: Even Rouault <even.rouault@spatialys.com>
+Date: Thu, 17 Feb 2022 15:28:43 +0100
+Subject: [PATCH] TIFFFetchNormalTag(): avoid calling memcpy() with a null
+ source pointer and size of zero (fixes #383)
+CVE: CVE-2022-0908
+Upstream-Status: Backport [https://sources.debian.org/src/tiff/4.1.0+git191117-2%7Edeb10u4/debian/patches/CVE-2022-0908.patch/]
+Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
+Comment: No change in any hunk
+---
+ libtiff/tif_dirread.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c
+index 50ebf8ac..2ec44a4f 100644
+--- a/libtiff/tif_dirread.c
+++ b/libtiff/tif_dirread.c
+@@ -5021,7 +5021,10 @@ TIFFFetchNormalTag(TIFF* tif, TIFFDirEntry* dp, int recover)
+                                                                _TIFFfree(data);
+                                                        return(0);
+                                                }
+-                                               _TIFFmemcpy(o,data,(uint32)dp->tdir_count);
+                                               if (dp->tdir_count > 0 )
+                                               {
+                                                       _TIFFmemcpy(o,data,(uint32)dp->tdir_count);
+                                               }
+                                                o[(uint32)dp->tdir_count]=0;
+                                                if (data!=0)
+                                                        _TIFFfree(data);
+-- 
+GitLab
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2022-0909.patch b/meta/recipes-multimedia/libtiff/files/CVE-2022-0909.patch
new file mode 100644
index 0000000000..d487f1bd95
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2022-0909.patch
@@ -0,0 +1,37 @@
+From 32ea0722ee68f503b7a3f9b2d557acb293fc8cde Mon Sep 17 00:00:00 2001
+From: 4ugustus <wangdw.augustus@qq.com>
+Date: Tue, 8 Mar 2022 16:22:04 +0000
+Subject: [PATCH] fix the FPE in tiffcrop (#393)
+CVE: CVE-2022-0909
+Upstream-Status: Backport [https://sources.debian.org/src/tiff/4.1.0+git191117-2%7Edeb10u4/debian/patches/CVE-2022-0909.patch/]
+Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
+Comment: No change in any hunk
+---
+ libtiff/tif_dir.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+diff --git a/libtiff/tif_dir.c b/libtiff/tif_dir.c
+index 57055ca9..59b346ca 100644
+--- a/libtiff/tif_dir.c
+++ b/libtiff/tif_dir.c
+@@ -334,13 +334,13 @@ _TIFFVSetField(TIFF* tif, uint32_t tag, va_list ap)
+                break;
+        case TIFFTAG_XRESOLUTION:
+         dblval = va_arg(ap, double);
+-        if( dblval < 0 )
+        if( dblval != dblval || dblval < 0 )
+             goto badvaluedouble;
+                td->td_xresolution = _TIFFClampDoubleToFloat( dblval );
+                break;
+        case TIFFTAG_YRESOLUTION:
+         dblval = va_arg(ap, double);
+-        if( dblval < 0 )
+        if( dblval != dblval || dblval < 0 )
+             goto badvaluedouble;
+                td->td_yresolution = _TIFFClampDoubleToFloat( dblval );
+                break;
+-- 
+GitLab
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2022-0924.patch b/meta/recipes-multimedia/libtiff/files/CVE-2022-0924.patch
new file mode 100644
index 0000000000..ddb035c972
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2022-0924.patch
@@ -0,0 +1,58 @@
+From 88d79a45a31c74cba98c697892fed5f7db8b963a Mon Sep 17 00:00:00 2001
+From: 4ugustus <wangdw.augustus@qq.com>
+Date: Thu, 10 Mar 2022 08:48:00 +0000
+Subject: [PATCH] fix heap buffer overflow in tiffcp (#278)
+CVE: CVE-2022-0924
+Upstream-Status: Backport [https://sources.debian.org/src/tiff/4.1.0+git191117-2%7Edeb10u4/debian/patches/CVE-2022-0924.patch/]
+Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
+Comment: No change in any hunk
+---
+ tools/tiffcp.c | 17 ++++++++++++++++-
+ 1 file changed, 16 insertions(+), 1 deletion(-)
+diff --git a/tools/tiffcp.c b/tools/tiffcp.c
+index 224583e0..aa32b118 100644
+--- a/tools/tiffcp.c
+++ b/tools/tiffcp.c
+@@ -1524,12 +1524,27 @@ DECLAREwriteFunc(writeBufferToSeparateSt
+        tdata_t obuf;
+        tstrip_t strip = 0;
+        tsample_t s;
+       uint16 bps = 0, bytes_per_sample;
+ 
+        obuf = _TIFFmalloc(stripsize);
+        if (obuf == NULL)
+                return (0);
+        _TIFFmemset(obuf, 0, stripsize);
+        (void) TIFFGetFieldDefaulted(out, TIFFTAG_ROWSPERSTRIP, &rowsperstrip);
+       (void) TIFFGetField(out, TIFFTAG_BITSPERSAMPLE, &bps);
+       if( bps == 0 )
+        {
+            TIFFError(TIFFFileName(out), "Error, cannot read BitsPerSample");
+            _TIFFfree(obuf);
+            return 0;
+        }
+        if( (bps % 8) != 0 )
+        {
+            TIFFError(TIFFFileName(out), "Error, cannot handle BitsPerSample that is not a multiple of 8");
+            _TIFFfree(obuf);
+            return 0;
+        }
+       bytes_per_sample = bps/8;
+        for (s = 0; s < spp; s++) {
+                uint32 row;
+                for (row = 0; row < imagelength; row += rowsperstrip) {
+@@ -1539,7 +1539,7 @@ DECLAREwriteFunc(writeBufferToSeparateSt
+ 
+                        cpContigBufToSeparateBuf(
+                            obuf, (uint8*) buf + row*rowsize + s,
+-                           nrows, imagewidth, 0, 0, spp, 1);
+                           nrows, imagewidth, 0, 0, spp, bytes_per_sample);
+                        if (TIFFWriteEncodedStrip(out, strip++, obuf, stripsize) < 0) {
+                                TIFFError(TIFFFileName(out),
+                                    "Error, can't write strip %u",
+-- 
+GitLab
diff --git a/meta/recipes-multimedia/libtiff/tiff_4.1.0.bb b/meta/recipes-multimedia/libtiff/tiff_4.1.0.bb
index e3ffb12f9e..75bc20de78 100644
--- a/meta/recipes-multimedia/libtiff/tiff_4.1.0.bb
+++ b/meta/recipes-multimedia/libtiff/tiff_4.1.0.bb
@@ -18,7 +18,12 @@ SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
           file://0001-tiffset-fix-global-buffer-overflow-for-ASCII-tags-wh.patch \
           file://561599c99f987dc32ae110370cfdd7df7975586b.patch \
           file://eecb0712f4c3a5b449f70c57988260a667ddbdef.patch \
+           file://CVE-2022-0865.patch \
+           file://CVE-2022-0908.patch \
+           file://CVE-2022-0907.patch \
+           file://CVE-2022-0909.patch \
           file://CVE-2022-0891.patch \
+           file://CVE-2022-0924.patch \
          "
 SRC_URI[md5sum] = "2165e7aba557463acc0664e71a3ed424"
 SRC_URI[sha256sum] = "5d29f32517dadb6dbcd1255ea5bbc93a2b54b94fbf83653b4d65c7d6775b8634"
author	Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>	2022-05-16 19:09:56 +0530
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2022-05-20 10:08:00 +0100
commit	37bbb105c93213cb8bf78c054b4e682378c9f50c (patch)
tree	2f2dc6b208435f707e45767174d4af2d30c46d5d /meta/recipes-multimedia
parent	fec7f76cfcf94947b8437fde0703da3d645ed2dc (diff)
download	poky-37bbb105c93213cb8bf78c054b4e682378c9f50c.tar.gz

diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2022-0865.patch b/meta/recipes-multimedia/libtiff/files/CVE-2022-0865.patch new file mode 100644 index 0000000000..e2d136f587 --- /dev/null +++ b/meta/recipes-multimedia/libtiff/files/CVE-2022-0865.patch
@@ -0,0 +1,39 @@
		1	From a1c933dabd0e1c54a412f3f84ae0aa58115c6067 Mon Sep 17 00:00:00 2001
		2	From: Even Rouault <even.rouault@spatialys.com>
		3	Date: Thu, 24 Feb 2022 22:26:02 +0100
		4	Subject: [PATCH] tif_jbig.c: fix crash when reading a file with multiple IFD
		5	in memory-mapped mode and when bit reversal is needed (fixes #385)
		6
		7	CVE: CVE-2022-0865
		8	Upstream-Status: Backport [https://sources.debian.org/src/tiff/4.1.0+git191117-2%7Edeb10u4/debian/patches/CVE-2022-0865.patch/]
		9	Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
		10	Comment: No change in any hunk
		11
		12	---
		13	libtiff/tif_jbig.c \| 10 ++++++++++
		14	1 file changed, 10 insertions(+)
		15
		16	diff --git a/libtiff/tif_jbig.c b/libtiff/tif_jbig.c
		17	index 74086338..8bfa4cef 100644
		18	--- a/libtiff/tif_jbig.c
		19	+++ b/libtiff/tif_jbig.c
		20	@@ -208,6 +208,16 @@ int TIFFInitJBIG(TIFF* tif, int scheme)
		21	*/
		22	tif->tif_flags \|= TIFF_NOBITREV;
		23	tif->tif_flags &= ~TIFF_MAPPED;
		24	+ /* We may have read from a previous IFD and thus set TIFF_BUFFERMMAP and
		25	+ * cleared TIFF_MYBUFFER. It is necessary to restore them to their initial
		26	+ * value to be consistent with the state of a non-memory mapped file.
		27	+ */
		28	+ if (tif->tif_flags&TIFF_BUFFERMMAP) {
		29	+ tif->tif_rawdata = NULL;
		30	+ tif->tif_rawdatasize = 0;
		31	+ tif->tif_flags &= ~TIFF_BUFFERMMAP;
		32	+ tif->tif_flags \|= TIFF_MYBUFFER;
		33	+ }
		34
		35	/* Setup the function pointers for encode, decode, and cleanup. */
		36	tif->tif_setupdecode = JBIGSetupDecode;
		37	--
		38	GitLab
		39


diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2022-0907.patch b/meta/recipes-multimedia/libtiff/files/CVE-2022-0907.patch new file mode 100644 index 0000000000..da3ead5481 --- /dev/null +++ b/meta/recipes-multimedia/libtiff/files/CVE-2022-0907.patch
@@ -0,0 +1,94 @@
		1	From 40b00cfb32256d377608b4d4cd30fac338d0a0bc Mon Sep 17 00:00:00 2001
		2	From: Augustus <wangdw.augustus@qq.com>
		3	Date: Mon, 7 Mar 2022 18:21:49 +0800
		4	Subject: [PATCH] add checks for return value of limitMalloc (#392)
		5
		6	CVE: CVE-2022-0907
		7	Upstream-Status: Backport [https://sources.debian.org/src/tiff/4.1.0+git191117-2%7Edeb10u4/debian/patches/CVE-2022-0907.patch/]
		8	Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
		9	Comment: No change in any hunk
		10
		11	---
		12	tools/tiffcrop.c \| 33 +++++++++++++++++++++------------
		13	1 file changed, 21 insertions(+), 12 deletions(-)
		14
		15	diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
		16	index f2e5474a..9b8acc7e 100644
		17	--- a/tools/tiffcrop.c
		18	+++ b/tools/tiffcrop.c
		19	@@ -7337,7 +7337,11 @@ createImageSection(uint32_t sectsize, unsigned char **sect_buff_ptr)
		20	if (!sect_buff)
		21	{
		22	sect_buff = (unsigned char *)_TIFFmalloc(sectsize);
		23	- *sect_buff_ptr = sect_buff;
		24	+ if (!sect_buff)
		25	+ {
		26	+ TIFFError("createImageSection", "Unable to allocate/reallocate section buffer");
		27	+ return (-1);
		28	+ }
		29	_TIFFmemset(sect_buff, 0, sectsize);
		30	}
		31	else
		32	@@ -7353,15 +7357,15 @@ createImageSection(uint32_t sectsize, unsigned char **sect_buff_ptr)
		33	else
		34	sect_buff = new_buff;
		35
		36	+ if (!sect_buff)
		37	+ {
		38	+ TIFFError("createImageSection", "Unable to allocate/reallocate section buffer");
		39	+ return (-1);
		40	+ }
		41	_TIFFmemset(sect_buff, 0, sectsize);
		42	}
		43	}
		44
		45	- if (!sect_buff)
		46	- {
		47	- TIFFError("createImageSection", "Unable to allocate/reallocate section buffer");
		48	- return (-1);
		49	- }
		50	prev_sectsize = sectsize;
		51	*sect_buff_ptr = sect_buff;
		52
		53	@@ -7628,7 +7632,11 @@ createCroppedImage(struct image_data image, struct crop_mask crop,
		54	if (!crop_buff)
		55	{
		56	crop_buff = (unsigned char *)_TIFFmalloc(cropsize);
		57	- *crop_buff_ptr = crop_buff;
		58	+ if (!crop_buff)
		59	+ {
		60	+ TIFFError("createCroppedImage", "Unable to allocate/reallocate crop buffer");
		61	+ return (-1);
		62	+ }
		63	_TIFFmemset(crop_buff, 0, cropsize);
		64	prev_cropsize = cropsize;
		65	}
		66	@@ -7644,15 +7652,15 @@ createCroppedImage(struct image_data image, struct crop_mask crop,
		67	}
		68	else
		69	crop_buff = new_buff;
		70	+ if (!crop_buff)
		71	+ {
		72	+ TIFFError("createCroppedImage", "Unable to allocate/reallocate crop buffer");
		73	+ return (-1);
		74	+ }
		75	_TIFFmemset(crop_buff, 0, cropsize);
		76	}
		77	}
		78
		79	- if (!crop_buff)
		80	- {
		81	- TIFFError("createCroppedImage", "Unable to allocate/reallocate crop buffer");
		82	- return (-1);
		83	- }
		84	*crop_buff_ptr = crop_buff;
		85
		86	if (crop->crop_mode & CROP_INVERT)
		87	@@ -9211,3 +9219,4 @@ invertImage(uint16_t photometric, uint16_t spp, uint16_t bps, uint32_t width, ui
		88	* fill-column: 78
		89	* End:
		90	*/
		91	+
		92	--
		93	GitLab
		94


diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2022-0908.patch b/meta/recipes-multimedia/libtiff/files/CVE-2022-0908.patch new file mode 100644 index 0000000000..e65af6c600 --- /dev/null +++ b/meta/recipes-multimedia/libtiff/files/CVE-2022-0908.patch
@@ -0,0 +1,34 @@
		1	From a95b799f65064e4ba2e2dfc206808f86faf93e85 Mon Sep 17 00:00:00 2001
		2	From: Even Rouault <even.rouault@spatialys.com>
		3	Date: Thu, 17 Feb 2022 15:28:43 +0100
		4	Subject: [PATCH] TIFFFetchNormalTag(): avoid calling memcpy() with a null
		5	source pointer and size of zero (fixes #383)
		6
		7	CVE: CVE-2022-0908
		8	Upstream-Status: Backport [https://sources.debian.org/src/tiff/4.1.0+git191117-2%7Edeb10u4/debian/patches/CVE-2022-0908.patch/]
		9	Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
		10	Comment: No change in any hunk
		11
		12	---
		13	libtiff/tif_dirread.c \| 5 ++++-
		14	1 file changed, 4 insertions(+), 1 deletion(-)
		15
		16	diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c
		17	index 50ebf8ac..2ec44a4f 100644
		18	--- a/libtiff/tif_dirread.c
		19	+++ b/libtiff/tif_dirread.c
		20	@@ -5021,7 +5021,10 @@ TIFFFetchNormalTag(TIFF* tif, TIFFDirEntry* dp, int recover)
		21	_TIFFfree(data);
		22	return(0);
		23	}
		24	- _TIFFmemcpy(o,data,(uint32)dp->tdir_count);
		25	+ if (dp->tdir_count > 0 )
		26	+ {
		27	+ _TIFFmemcpy(o,data,(uint32)dp->tdir_count);
		28	+ }
		29	o[(uint32)dp->tdir_count]=0;
		30	if (data!=0)
		31	_TIFFfree(data);
		32	--
		33	GitLab
		34


diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2022-0909.patch b/meta/recipes-multimedia/libtiff/files/CVE-2022-0909.patch new file mode 100644 index 0000000000..d487f1bd95 --- /dev/null +++ b/meta/recipes-multimedia/libtiff/files/CVE-2022-0909.patch
@@ -0,0 +1,37 @@
		1	From 32ea0722ee68f503b7a3f9b2d557acb293fc8cde Mon Sep 17 00:00:00 2001
		2	From: 4ugustus <wangdw.augustus@qq.com>
		3	Date: Tue, 8 Mar 2022 16:22:04 +0000
		4	Subject: [PATCH] fix the FPE in tiffcrop (#393)
		5
		6	CVE: CVE-2022-0909
		7	Upstream-Status: Backport [https://sources.debian.org/src/tiff/4.1.0+git191117-2%7Edeb10u4/debian/patches/CVE-2022-0909.patch/]
		8	Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
		9	Comment: No change in any hunk
		10
		11	---
		12	libtiff/tif_dir.c \| 4 ++--
		13	1 file changed, 2 insertions(+), 2 deletions(-)
		14
		15	diff --git a/libtiff/tif_dir.c b/libtiff/tif_dir.c
		16	index 57055ca9..59b346ca 100644
		17	--- a/libtiff/tif_dir.c
		18	+++ b/libtiff/tif_dir.c
		19	@@ -334,13 +334,13 @@ _TIFFVSetField(TIFF* tif, uint32_t tag, va_list ap)
		20	break;
		21	case TIFFTAG_XRESOLUTION:
		22	dblval = va_arg(ap, double);
		23	- if( dblval < 0 )
		24	+ if( dblval != dblval \|\| dblval < 0 )
		25	goto badvaluedouble;
		26	td->td_xresolution = _TIFFClampDoubleToFloat( dblval );
		27	break;
		28	case TIFFTAG_YRESOLUTION:
		29	dblval = va_arg(ap, double);
		30	- if( dblval < 0 )
		31	+ if( dblval != dblval \|\| dblval < 0 )
		32	goto badvaluedouble;
		33	td->td_yresolution = _TIFFClampDoubleToFloat( dblval );
		34	break;
		35	--
		36	GitLab
		37


diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2022-0924.patch b/meta/recipes-multimedia/libtiff/files/CVE-2022-0924.patch new file mode 100644 index 0000000000..ddb035c972 --- /dev/null +++ b/meta/recipes-multimedia/libtiff/files/CVE-2022-0924.patch
@@ -0,0 +1,58 @@
		1	From 88d79a45a31c74cba98c697892fed5f7db8b963a Mon Sep 17 00:00:00 2001
		2	From: 4ugustus <wangdw.augustus@qq.com>
		3	Date: Thu, 10 Mar 2022 08:48:00 +0000
		4	Subject: [PATCH] fix heap buffer overflow in tiffcp (#278)
		5
		6	CVE: CVE-2022-0924
		7	Upstream-Status: Backport [https://sources.debian.org/src/tiff/4.1.0+git191117-2%7Edeb10u4/debian/patches/CVE-2022-0924.patch/]
		8	Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
		9	Comment: No change in any hunk
		10
		11	---
		12	tools/tiffcp.c \| 17 ++++++++++++++++-
		13	1 file changed, 16 insertions(+), 1 deletion(-)
		14
		15	diff --git a/tools/tiffcp.c b/tools/tiffcp.c
		16	index 224583e0..aa32b118 100644
		17	--- a/tools/tiffcp.c
		18	+++ b/tools/tiffcp.c
		19	@@ -1524,12 +1524,27 @@ DECLAREwriteFunc(writeBufferToSeparateSt
		20	tdata_t obuf;
		21	tstrip_t strip = 0;
		22	tsample_t s;
		23	+ uint16 bps = 0, bytes_per_sample;
		24
		25	obuf = _TIFFmalloc(stripsize);
		26	if (obuf == NULL)
		27	return (0);
		28	_TIFFmemset(obuf, 0, stripsize);
		29	(void) TIFFGetFieldDefaulted(out, TIFFTAG_ROWSPERSTRIP, &rowsperstrip);
		30	+ (void) TIFFGetField(out, TIFFTAG_BITSPERSAMPLE, &bps);
		31	+ if( bps == 0 )
		32	+ {
		33	+ TIFFError(TIFFFileName(out), "Error, cannot read BitsPerSample");
		34	+ _TIFFfree(obuf);
		35	+ return 0;
		36	+ }
		37	+ if( (bps % 8) != 0 )
		38	+ {
		39	+ TIFFError(TIFFFileName(out), "Error, cannot handle BitsPerSample that is not a multiple of 8");
		40	+ _TIFFfree(obuf);
		41	+ return 0;
		42	+ }
		43	+ bytes_per_sample = bps/8;
		44	for (s = 0; s < spp; s++) {
		45	uint32 row;
		46	for (row = 0; row < imagelength; row += rowsperstrip) {
		47	@@ -1539,7 +1539,7 @@ DECLAREwriteFunc(writeBufferToSeparateSt
		48
		49	cpContigBufToSeparateBuf(
		50	obuf, (uint8) buf + rowrowsize + s,
		51	- nrows, imagewidth, 0, 0, spp, 1);
		52	+ nrows, imagewidth, 0, 0, spp, bytes_per_sample);
		53	if (TIFFWriteEncodedStrip(out, strip++, obuf, stripsize) < 0) {
		54	TIFFError(TIFFFileName(out),
		55	"Error, can't write strip %u",
		56	--
		57	GitLab
		58


diff --git a/meta/recipes-multimedia/libtiff/tiff_4.1.0.bb b/meta/recipes-multimedia/libtiff/tiff_4.1.0.bb index e3ffb12f9e..75bc20de78 100644 --- a/meta/recipes-multimedia/libtiff/tiff_4.1.0.bb +++ b/meta/recipes-multimedia/libtiff/tiff_4.1.0.bb
@@ -18,7 +18,12 @@ SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
18	file://0001-tiffset-fix-global-buffer-overflow-for-ASCII-tags-wh.patch \	18	file://0001-tiffset-fix-global-buffer-overflow-for-ASCII-tags-wh.patch \
19	file://561599c99f987dc32ae110370cfdd7df7975586b.patch \	19	file://561599c99f987dc32ae110370cfdd7df7975586b.patch \
20	file://eecb0712f4c3a5b449f70c57988260a667ddbdef.patch \	20	file://eecb0712f4c3a5b449f70c57988260a667ddbdef.patch \
		21	file://CVE-2022-0865.patch \
		22	file://CVE-2022-0908.patch \
		23	file://CVE-2022-0907.patch \
		24	file://CVE-2022-0909.patch \
21	file://CVE-2022-0891.patch \	25	file://CVE-2022-0891.patch \
		26	file://CVE-2022-0924.patch \
22	"	27	"
23	SRC_URI[md5sum] = "2165e7aba557463acc0664e71a3ed424"	28	SRC_URI[md5sum] = "2165e7aba557463acc0664e71a3ed424"
24	SRC_URI[sha256sum] = "5d29f32517dadb6dbcd1255ea5bbc93a2b54b94fbf83653b4d65c7d6775b8634"	29	SRC_URI[sha256sum] = "5d29f32517dadb6dbcd1255ea5bbc93a2b54b94fbf83653b4d65c7d6775b8634"