tiff: Security fixes CVE-2022-1354 and CVE-2022-1355

References: https://nvd.nist.gov/vuln/detail/CVE-2022-1354 https://security-tracker.debian.org/tracker/CVE-2022-1354 https://nvd.nist.gov/vuln/detail/CVE-2022-1355 https://security-tracker.debian.org/tracker/CVE-2022-1355 Patches from: CVE-2022-1354: https://gitlab.com/libtiff/libtiff/-/commit/87f580f39011109b3bb5f6eca13fac543a542798 CVE-2022-1355: https://gitlab.com/libtiff/libtiff/-/commit/c1ae29f9ebacd29b7c3e0c7db671af7db3584bc2 (From OE-Core rev: 6c373c041f1dd45458866408d1ca16d47cacbd86) (From OE-Core rev: 8414d39f3f89cc1176bd55c9455ad942db8ea4b1) Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Yi Zhao <yi.zhao@windriver.com> 2022-09-13 08:32:05 +0800
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2022-09-16 17:53:28 +0100
commit: 5e7c237200c6319e17191cc93df4d0e19f5a73be (patch)
tree: f1dea47a2851d51cd7122004fd1714c5a48e8e68 /meta/recipes-multimedia
parent: a98b309fe23cfdcf3f8be7afc4fde6734b973f43 (diff)
download: poky-5e7c237200c6319e17191cc93df4d0e19f5a73be.tar.gz
3 files changed, 276 insertions, 0 deletions
diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2022-1354.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2022-1354.patch
new file mode 100644
index 0000000000..71b85cac10
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2022-1354.patch
@@ -0,0 +1,212 @@
+From 87881e093691a35c60b91cafed058ba2dd5d9807 Mon Sep 17 00:00:00 2001
+From: Even Rouault <even.rouault@spatialys.com>
+Date: Sun, 5 Dec 2021 14:37:46 +0100
+Subject: [PATCH] TIFFReadDirectory: fix OJPEG hack (fixes #319)
+to avoid having the size of the strip arrays inconsistent with the
+number of strips returned by TIFFNumberOfStrips(), which may cause
+out-ouf-bounds array read afterwards.
+One of the OJPEG hack that alters SamplesPerPixel may influence the
+number of strips. Hence compute tif_dir.td_nstrips only afterwards.
+CVE: CVE-2022-1354
+Upstream-Status: Backport
+[https://gitlab.com/libtiff/libtiff/-/commit/87f580f39011109b3bb5f6eca13fac543a542798]
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ libtiff/tif_dirread.c | 162 ++++++++++++++++++++++--------------------
+ 1 file changed, 83 insertions(+), 79 deletions(-)
+diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c
+index 8f434ef5..14c031d1 100644
+--- a/libtiff/tif_dirread.c
+++ b/libtiff/tif_dirread.c
+@@ -3794,50 +3794,7 @@ TIFFReadDirectory(TIFF* tif)
+                MissingRequired(tif,"ImageLength");
+                goto bad;
+        }
+-       /*
+-        * Setup appropriate structures (by strip or by tile)
+-        */
+-       if (!TIFFFieldSet(tif, FIELD_TILEDIMENSIONS)) {
+-               tif->tif_dir.td_nstrips = TIFFNumberOfStrips(tif);  
+-               tif->tif_dir.td_tilewidth = tif->tif_dir.td_imagewidth;
+-               tif->tif_dir.td_tilelength = tif->tif_dir.td_rowsperstrip;
+-               tif->tif_dir.td_tiledepth = tif->tif_dir.td_imagedepth;
+-               tif->tif_flags &= ~TIFF_ISTILED;
+-       } else {
+-               tif->tif_dir.td_nstrips = TIFFNumberOfTiles(tif);
+-               tif->tif_flags |= TIFF_ISTILED;
+-       }
+-       if (!tif->tif_dir.td_nstrips) {
+-               TIFFErrorExt(tif->tif_clientdata, module,
+-                   "Cannot handle zero number of %s",
+-                   isTiled(tif) ? "tiles" : "strips");
+-               goto bad;
+-       }
+-       tif->tif_dir.td_stripsperimage = tif->tif_dir.td_nstrips;
+-       if (tif->tif_dir.td_planarconfig == PLANARCONFIG_SEPARATE)
+-               tif->tif_dir.td_stripsperimage /= tif->tif_dir.td_samplesperpixel;
+-       if (!TIFFFieldSet(tif, FIELD_STRIPOFFSETS)) {
+-#ifdef OJPEG_SUPPORT
+-               if ((tif->tif_dir.td_compression==COMPRESSION_OJPEG) &&
+-                   (isTiled(tif)==0) &&
+-                   (tif->tif_dir.td_nstrips==1)) {
+-                       /*
+-                        * XXX: OJPEG hack.
+-                        * If a) compression is OJPEG, b) it's not a tiled TIFF,
+-                        * and c) the number of strips is 1,
+-                        * then we tolerate the absence of stripoffsets tag,
+-                        * because, presumably, all required data is in the
+-                        * JpegInterchangeFormat stream.
+-                        */
+-                       TIFFSetFieldBit(tif, FIELD_STRIPOFFSETS);
+-               } else
+-#endif
+-        {
+-                       MissingRequired(tif,
+-                               isTiled(tif) ? "TileOffsets" : "StripOffsets");
+-                       goto bad;
+-               }
+-       }
+
+        /*
+         * Second pass: extract other information.
+         */
+@@ -4042,41 +3999,6 @@ TIFFReadDirectory(TIFF* tif)
+                        } /* -- if (!dp->tdir_ignore) */
+                } /* -- for-loop -- */
+ 
+-        if( tif->tif_mode == O_RDWR &&
+-            tif->tif_dir.td_stripoffset_entry.tdir_tag != 0 &&
+-            tif->tif_dir.td_stripoffset_entry.tdir_count == 0 &&
+-            tif->tif_dir.td_stripoffset_entry.tdir_type == 0 &&
+-            tif->tif_dir.td_stripoffset_entry.tdir_offset.toff_long8 == 0 &&
+-            tif->tif_dir.td_stripbytecount_entry.tdir_tag != 0 &&
+-            tif->tif_dir.td_stripbytecount_entry.tdir_count == 0 &&
+-            tif->tif_dir.td_stripbytecount_entry.tdir_type == 0 &&
+-            tif->tif_dir.td_stripbytecount_entry.tdir_offset.toff_long8 == 0 )
+-        {
+-            /* Directory typically created with TIFFDeferStrileArrayWriting() */
+-            TIFFSetupStrips(tif);
+-        }
+-        else if( !(tif->tif_flags&TIFF_DEFERSTRILELOAD) )
+-        {
+-            if( tif->tif_dir.td_stripoffset_entry.tdir_tag != 0 )
+-            {
+-                if (!TIFFFetchStripThing(tif,&(tif->tif_dir.td_stripoffset_entry),
+-                                         tif->tif_dir.td_nstrips,
+-                                         &tif->tif_dir.td_stripoffset_p))
+-                {
+-                    goto bad;
+-                }
+-            }
+-            if( tif->tif_dir.td_stripbytecount_entry.tdir_tag != 0 )
+-            {
+-                if (!TIFFFetchStripThing(tif,&(tif->tif_dir.td_stripbytecount_entry),
+-                                         tif->tif_dir.td_nstrips,
+-                                         &tif->tif_dir.td_stripbytecount_p))
+-                {
+-                    goto bad;
+-                }
+-            }
+-        }
+-
+        /*
+         * OJPEG hack:
+         * - If a) compression is OJPEG, and b) photometric tag is missing,
+@@ -4147,6 +4069,88 @@ TIFFReadDirectory(TIFF* tif)
+                }
+        }
+ 
+       /*
+        * Setup appropriate structures (by strip or by tile)
+        * We do that only after the above OJPEG hack which alters SamplesPerPixel
+        * and thus influences the number of strips in the separate planarconfig.
+        */
+       if (!TIFFFieldSet(tif, FIELD_TILEDIMENSIONS)) {
+               tif->tif_dir.td_nstrips = TIFFNumberOfStrips(tif);  
+               tif->tif_dir.td_tilewidth = tif->tif_dir.td_imagewidth;
+               tif->tif_dir.td_tilelength = tif->tif_dir.td_rowsperstrip;
+               tif->tif_dir.td_tiledepth = tif->tif_dir.td_imagedepth;
+               tif->tif_flags &= ~TIFF_ISTILED;
+       } else {
+               tif->tif_dir.td_nstrips = TIFFNumberOfTiles(tif);
+               tif->tif_flags |= TIFF_ISTILED;
+       }
+       if (!tif->tif_dir.td_nstrips) {
+               TIFFErrorExt(tif->tif_clientdata, module,
+                   "Cannot handle zero number of %s",
+                   isTiled(tif) ? "tiles" : "strips");
+               goto bad;
+       }
+       tif->tif_dir.td_stripsperimage = tif->tif_dir.td_nstrips;
+       if (tif->tif_dir.td_planarconfig == PLANARCONFIG_SEPARATE)
+               tif->tif_dir.td_stripsperimage /= tif->tif_dir.td_samplesperpixel;
+       if (!TIFFFieldSet(tif, FIELD_STRIPOFFSETS)) {
+#ifdef OJPEG_SUPPORT
+               if ((tif->tif_dir.td_compression==COMPRESSION_OJPEG) &&
+                   (isTiled(tif)==0) &&
+                   (tif->tif_dir.td_nstrips==1)) {
+                       /*
+                        * XXX: OJPEG hack.
+                        * If a) compression is OJPEG, b) it's not a tiled TIFF,
+                        * and c) the number of strips is 1,
+                        * then we tolerate the absence of stripoffsets tag,
+                        * because, presumably, all required data is in the
+                        * JpegInterchangeFormat stream.
+                        */
+                       TIFFSetFieldBit(tif, FIELD_STRIPOFFSETS);
+               } else
+#endif
+        {
+                       MissingRequired(tif,
+                               isTiled(tif) ? "TileOffsets" : "StripOffsets");
+                       goto bad;
+               }
+       }
+
+        if( tif->tif_mode == O_RDWR &&
+            tif->tif_dir.td_stripoffset_entry.tdir_tag != 0 &&
+            tif->tif_dir.td_stripoffset_entry.tdir_count == 0 &&
+            tif->tif_dir.td_stripoffset_entry.tdir_type == 0 &&
+            tif->tif_dir.td_stripoffset_entry.tdir_offset.toff_long8 == 0 &&
+            tif->tif_dir.td_stripbytecount_entry.tdir_tag != 0 &&
+            tif->tif_dir.td_stripbytecount_entry.tdir_count == 0 &&
+            tif->tif_dir.td_stripbytecount_entry.tdir_type == 0 &&
+            tif->tif_dir.td_stripbytecount_entry.tdir_offset.toff_long8 == 0 )
+        {
+            /* Directory typically created with TIFFDeferStrileArrayWriting() */
+            TIFFSetupStrips(tif);
+        }
+        else if( !(tif->tif_flags&TIFF_DEFERSTRILELOAD) )
+        {
+            if( tif->tif_dir.td_stripoffset_entry.tdir_tag != 0 )
+            {
+                if (!TIFFFetchStripThing(tif,&(tif->tif_dir.td_stripoffset_entry),
+                                         tif->tif_dir.td_nstrips,
+                                         &tif->tif_dir.td_stripoffset_p))
+                {
+                    goto bad;
+                }
+            }
+            if( tif->tif_dir.td_stripbytecount_entry.tdir_tag != 0 )
+            {
+                if (!TIFFFetchStripThing(tif,&(tif->tif_dir.td_stripbytecount_entry),
+                                         tif->tif_dir.td_nstrips,
+                                         &tif->tif_dir.td_stripbytecount_p))
+                {
+                    goto bad;
+                }
+            }
+        }
+
+        /*
+         * Make sure all non-color channels are extrasamples.
+         * If it's not the case, define them as such.
+-- 
+2.25.1
diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2022-1355.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2022-1355.patch
new file mode 100644
index 0000000000..e59f5aad55
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2022-1355.patch
@@ -0,0 +1,62 @@
+From fb1db384959698edd6caeea84e28253d272a0f96 Mon Sep 17 00:00:00 2001
+From: Su_Laus <sulau@freenet.de>
+Date: Sat, 2 Apr 2022 22:33:31 +0200
+Subject: [PATCH] tiffcp: avoid buffer overflow in "mode" string (fixes #400)
+CVE: CVE-2022-1355
+Upstream-Status: Backport
+[https://gitlab.com/libtiff/libtiff/-/commit/c1ae29f9ebacd29b7c3e0c7db671af7db3584bc2]
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ tools/tiffcp.c | 25 ++++++++++++++++++++-----
+ 1 file changed, 20 insertions(+), 5 deletions(-)
+diff --git a/tools/tiffcp.c b/tools/tiffcp.c
+index fd129bb7..8d944ff6 100644
+--- a/tools/tiffcp.c
+++ b/tools/tiffcp.c
+@@ -274,19 +274,34 @@ main(int argc, char* argv[])
+                        deftilewidth = atoi(optarg);
+                        break;
+                case 'B':
+-                       *mp++ = 'b'; *mp = '\0';
+                       if (strlen(mode) < (sizeof(mode) - 1))
+                       {
+                               *mp++ = 'b'; *mp = '\0';
+                       }
+                        break;
+                case 'L':
+-                       *mp++ = 'l'; *mp = '\0';
+                       if (strlen(mode) < (sizeof(mode) - 1))
+                       {
+                               *mp++ = 'l'; *mp = '\0';
+                       }
+                        break;
+                case 'M':
+-                       *mp++ = 'm'; *mp = '\0';
+                       if (strlen(mode) < (sizeof(mode) - 1))
+                       {
+                               *mp++ = 'm'; *mp = '\0';
+                       }
+                        break;
+                case 'C':
+-                       *mp++ = 'c'; *mp = '\0';
+                       if (strlen(mode) < (sizeof(mode) - 1))
+                       {
+                               *mp++ = 'c'; *mp = '\0';
+                       }
+                        break;
+                case '8':
+-                       *mp++ = '8'; *mp = '\0';
+                       if (strlen(mode) < (sizeof(mode)-1))
+                       {
+                               *mp++ = '8'; *mp = '\0';
+                       }
+                        break;
+                case 'x':
+                        pageInSeq = 1;
+-- 
+2.25.1
diff --git a/meta/recipes-multimedia/libtiff/tiff_4.1.0.bb b/meta/recipes-multimedia/libtiff/tiff_4.1.0.bb
index 93a35230d6..74ececb113 100644
--- a/meta/recipes-multimedia/libtiff/tiff_4.1.0.bb
+++ b/meta/recipes-multimedia/libtiff/tiff_4.1.0.bb
@@ -27,6 +27,8 @@ SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
           file://CVE-2022-2056-CVE-2022-2057-CVE-2022-2058.patch \
           file://CVE-2022-34526.patch \
           file://CVE-2022-2867-CVE-2022-2868-CVE-2022-2869.patch \
+           file://CVE-2022-1354.patch \
+           file://CVE-2022-1355.patch \
          "
 SRC_URI[md5sum] = "2165e7aba557463acc0664e71a3ed424"
 SRC_URI[sha256sum] = "5d29f32517dadb6dbcd1255ea5bbc93a2b54b94fbf83653b4d65c7d6775b8634"
author	Yi Zhao <yi.zhao@windriver.com>	2022-09-13 08:32:05 +0800
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2022-09-16 17:53:28 +0100
commit	5e7c237200c6319e17191cc93df4d0e19f5a73be (patch)
tree	f1dea47a2851d51cd7122004fd1714c5a48e8e68 /meta/recipes-multimedia
parent	a98b309fe23cfdcf3f8be7afc4fde6734b973f43 (diff)
download	poky-5e7c237200c6319e17191cc93df4d0e19f5a73be.tar.gz

diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2022-1354.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2022-1354.patch new file mode 100644 index 0000000000..71b85cac10 --- /dev/null +++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2022-1354.patch
@@ -0,0 +1,212 @@
		1	From 87881e093691a35c60b91cafed058ba2dd5d9807 Mon Sep 17 00:00:00 2001
		2	From: Even Rouault <even.rouault@spatialys.com>
		3	Date: Sun, 5 Dec 2021 14:37:46 +0100
		4	Subject: [PATCH] TIFFReadDirectory: fix OJPEG hack (fixes #319)
		5
		6	to avoid having the size of the strip arrays inconsistent with the
		7	number of strips returned by TIFFNumberOfStrips(), which may cause
		8	out-ouf-bounds array read afterwards.
		9
		10	One of the OJPEG hack that alters SamplesPerPixel may influence the
		11	number of strips. Hence compute tif_dir.td_nstrips only afterwards.
		12
		13	CVE: CVE-2022-1354
		14
		15	Upstream-Status: Backport
		16	[https://gitlab.com/libtiff/libtiff/-/commit/87f580f39011109b3bb5f6eca13fac543a542798]
		17
		18	Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
		19	---
		20	libtiff/tif_dirread.c \| 162 ++++++++++++++++++++++--------------------
		21	1 file changed, 83 insertions(+), 79 deletions(-)
		22
		23	diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c
		24	index 8f434ef5..14c031d1 100644
		25	--- a/libtiff/tif_dirread.c
		26	+++ b/libtiff/tif_dirread.c
		27	@@ -3794,50 +3794,7 @@ TIFFReadDirectory(TIFF* tif)
		28	MissingRequired(tif,"ImageLength");
		29	goto bad;
		30	}
		31	- /*
		32	- * Setup appropriate structures (by strip or by tile)
		33	- */
		34	- if (!TIFFFieldSet(tif, FIELD_TILEDIMENSIONS)) {
		35	- tif->tif_dir.td_nstrips = TIFFNumberOfStrips(tif);
		36	- tif->tif_dir.td_tilewidth = tif->tif_dir.td_imagewidth;
		37	- tif->tif_dir.td_tilelength = tif->tif_dir.td_rowsperstrip;
		38	- tif->tif_dir.td_tiledepth = tif->tif_dir.td_imagedepth;
		39	- tif->tif_flags &= ~TIFF_ISTILED;
		40	- } else {
		41	- tif->tif_dir.td_nstrips = TIFFNumberOfTiles(tif);
		42	- tif->tif_flags \|= TIFF_ISTILED;
		43	- }
		44	- if (!tif->tif_dir.td_nstrips) {
		45	- TIFFErrorExt(tif->tif_clientdata, module,
		46	- "Cannot handle zero number of %s",
		47	- isTiled(tif) ? "tiles" : "strips");
		48	- goto bad;
		49	- }
		50	- tif->tif_dir.td_stripsperimage = tif->tif_dir.td_nstrips;
		51	- if (tif->tif_dir.td_planarconfig == PLANARCONFIG_SEPARATE)
		52	- tif->tif_dir.td_stripsperimage /= tif->tif_dir.td_samplesperpixel;
		53	- if (!TIFFFieldSet(tif, FIELD_STRIPOFFSETS)) {
		54	-#ifdef OJPEG_SUPPORT
		55	- if ((tif->tif_dir.td_compression==COMPRESSION_OJPEG) &&
		56	- (isTiled(tif)==0) &&
		57	- (tif->tif_dir.td_nstrips==1)) {
		58	- /*
		59	- * XXX: OJPEG hack.
		60	- * If a) compression is OJPEG, b) it's not a tiled TIFF,
		61	- * and c) the number of strips is 1,
		62	- * then we tolerate the absence of stripoffsets tag,
		63	- * because, presumably, all required data is in the
		64	- * JpegInterchangeFormat stream.
		65	- */
		66	- TIFFSetFieldBit(tif, FIELD_STRIPOFFSETS);
		67	- } else
		68	-#endif
		69	- {
		70	- MissingRequired(tif,
		71	- isTiled(tif) ? "TileOffsets" : "StripOffsets");
		72	- goto bad;
		73	- }
		74	- }
		75	+
		76	/*
		77	* Second pass: extract other information.
		78	*/
		79	@@ -4042,41 +3999,6 @@ TIFFReadDirectory(TIFF* tif)
		80	} /* -- if (!dp->tdir_ignore) */
		81	} /* -- for-loop -- */
		82
		83	- if( tif->tif_mode == O_RDWR &&
		84	- tif->tif_dir.td_stripoffset_entry.tdir_tag != 0 &&
		85	- tif->tif_dir.td_stripoffset_entry.tdir_count == 0 &&
		86	- tif->tif_dir.td_stripoffset_entry.tdir_type == 0 &&
		87	- tif->tif_dir.td_stripoffset_entry.tdir_offset.toff_long8 == 0 &&
		88	- tif->tif_dir.td_stripbytecount_entry.tdir_tag != 0 &&
		89	- tif->tif_dir.td_stripbytecount_entry.tdir_count == 0 &&
		90	- tif->tif_dir.td_stripbytecount_entry.tdir_type == 0 &&
		91	- tif->tif_dir.td_stripbytecount_entry.tdir_offset.toff_long8 == 0 )
		92	- {
		93	- /* Directory typically created with TIFFDeferStrileArrayWriting() */
		94	- TIFFSetupStrips(tif);
		95	- }
		96	- else if( !(tif->tif_flags&TIFF_DEFERSTRILELOAD) )
		97	- {
		98	- if( tif->tif_dir.td_stripoffset_entry.tdir_tag != 0 )
		99	- {
		100	- if (!TIFFFetchStripThing(tif,&(tif->tif_dir.td_stripoffset_entry),
		101	- tif->tif_dir.td_nstrips,
		102	- &tif->tif_dir.td_stripoffset_p))
		103	- {
		104	- goto bad;
		105	- }
		106	- }
		107	- if( tif->tif_dir.td_stripbytecount_entry.tdir_tag != 0 )
		108	- {
		109	- if (!TIFFFetchStripThing(tif,&(tif->tif_dir.td_stripbytecount_entry),
		110	- tif->tif_dir.td_nstrips,
		111	- &tif->tif_dir.td_stripbytecount_p))
		112	- {
		113	- goto bad;
		114	- }
		115	- }
		116	- }
		117	-
		118	/*
		119	* OJPEG hack:
		120	* - If a) compression is OJPEG, and b) photometric tag is missing,
		121	@@ -4147,6 +4069,88 @@ TIFFReadDirectory(TIFF* tif)
		122	}
		123	}
		124
		125	+ /*
		126	+ * Setup appropriate structures (by strip or by tile)
		127	+ * We do that only after the above OJPEG hack which alters SamplesPerPixel
		128	+ * and thus influences the number of strips in the separate planarconfig.
		129	+ */
		130	+ if (!TIFFFieldSet(tif, FIELD_TILEDIMENSIONS)) {
		131	+ tif->tif_dir.td_nstrips = TIFFNumberOfStrips(tif);
		132	+ tif->tif_dir.td_tilewidth = tif->tif_dir.td_imagewidth;
		133	+ tif->tif_dir.td_tilelength = tif->tif_dir.td_rowsperstrip;
		134	+ tif->tif_dir.td_tiledepth = tif->tif_dir.td_imagedepth;
		135	+ tif->tif_flags &= ~TIFF_ISTILED;
		136	+ } else {
		137	+ tif->tif_dir.td_nstrips = TIFFNumberOfTiles(tif);
		138	+ tif->tif_flags \|= TIFF_ISTILED;
		139	+ }
		140	+ if (!tif->tif_dir.td_nstrips) {
		141	+ TIFFErrorExt(tif->tif_clientdata, module,
		142	+ "Cannot handle zero number of %s",
		143	+ isTiled(tif) ? "tiles" : "strips");
		144	+ goto bad;
		145	+ }
		146	+ tif->tif_dir.td_stripsperimage = tif->tif_dir.td_nstrips;
		147	+ if (tif->tif_dir.td_planarconfig == PLANARCONFIG_SEPARATE)
		148	+ tif->tif_dir.td_stripsperimage /= tif->tif_dir.td_samplesperpixel;
		149	+ if (!TIFFFieldSet(tif, FIELD_STRIPOFFSETS)) {
		150	+#ifdef OJPEG_SUPPORT
		151	+ if ((tif->tif_dir.td_compression==COMPRESSION_OJPEG) &&
		152	+ (isTiled(tif)==0) &&
		153	+ (tif->tif_dir.td_nstrips==1)) {
		154	+ /*
		155	+ * XXX: OJPEG hack.
		156	+ * If a) compression is OJPEG, b) it's not a tiled TIFF,
		157	+ * and c) the number of strips is 1,
		158	+ * then we tolerate the absence of stripoffsets tag,
		159	+ * because, presumably, all required data is in the
		160	+ * JpegInterchangeFormat stream.
		161	+ */
		162	+ TIFFSetFieldBit(tif, FIELD_STRIPOFFSETS);
		163	+ } else
		164	+#endif
		165	+ {
		166	+ MissingRequired(tif,
		167	+ isTiled(tif) ? "TileOffsets" : "StripOffsets");
		168	+ goto bad;
		169	+ }
		170	+ }
		171	+
		172	+ if( tif->tif_mode == O_RDWR &&
		173	+ tif->tif_dir.td_stripoffset_entry.tdir_tag != 0 &&
		174	+ tif->tif_dir.td_stripoffset_entry.tdir_count == 0 &&
		175	+ tif->tif_dir.td_stripoffset_entry.tdir_type == 0 &&
		176	+ tif->tif_dir.td_stripoffset_entry.tdir_offset.toff_long8 == 0 &&
		177	+ tif->tif_dir.td_stripbytecount_entry.tdir_tag != 0 &&
		178	+ tif->tif_dir.td_stripbytecount_entry.tdir_count == 0 &&
		179	+ tif->tif_dir.td_stripbytecount_entry.tdir_type == 0 &&
		180	+ tif->tif_dir.td_stripbytecount_entry.tdir_offset.toff_long8 == 0 )
		181	+ {
		182	+ /* Directory typically created with TIFFDeferStrileArrayWriting() */
		183	+ TIFFSetupStrips(tif);
		184	+ }
		185	+ else if( !(tif->tif_flags&TIFF_DEFERSTRILELOAD) )
		186	+ {
		187	+ if( tif->tif_dir.td_stripoffset_entry.tdir_tag != 0 )
		188	+ {
		189	+ if (!TIFFFetchStripThing(tif,&(tif->tif_dir.td_stripoffset_entry),
		190	+ tif->tif_dir.td_nstrips,
		191	+ &tif->tif_dir.td_stripoffset_p))
		192	+ {
		193	+ goto bad;
		194	+ }
		195	+ }
		196	+ if( tif->tif_dir.td_stripbytecount_entry.tdir_tag != 0 )
		197	+ {
		198	+ if (!TIFFFetchStripThing(tif,&(tif->tif_dir.td_stripbytecount_entry),
		199	+ tif->tif_dir.td_nstrips,
		200	+ &tif->tif_dir.td_stripbytecount_p))
		201	+ {
		202	+ goto bad;
		203	+ }
		204	+ }
		205	+ }
		206	+
		207	/*
		208	* Make sure all non-color channels are extrasamples.
		209	* If it's not the case, define them as such.
		210	--
		211	2.25.1
		212


diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2022-1355.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2022-1355.patch new file mode 100644 index 0000000000..e59f5aad55 --- /dev/null +++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2022-1355.patch
@@ -0,0 +1,62 @@
		1	From fb1db384959698edd6caeea84e28253d272a0f96 Mon Sep 17 00:00:00 2001
		2	From: Su_Laus <sulau@freenet.de>
		3	Date: Sat, 2 Apr 2022 22:33:31 +0200
		4	Subject: [PATCH] tiffcp: avoid buffer overflow in "mode" string (fixes #400)
		5
		6	CVE: CVE-2022-1355
		7
		8	Upstream-Status: Backport
		9	[https://gitlab.com/libtiff/libtiff/-/commit/c1ae29f9ebacd29b7c3e0c7db671af7db3584bc2]
		10
		11	Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
		12	---
		13	tools/tiffcp.c \| 25 ++++++++++++++++++++-----
		14	1 file changed, 20 insertions(+), 5 deletions(-)
		15
		16	diff --git a/tools/tiffcp.c b/tools/tiffcp.c
		17	index fd129bb7..8d944ff6 100644
		18	--- a/tools/tiffcp.c
		19	+++ b/tools/tiffcp.c
		20	@@ -274,19 +274,34 @@ main(int argc, char* argv[])
		21	deftilewidth = atoi(optarg);
		22	break;
		23	case 'B':
		24	- mp++ = 'b'; mp = '\0';
		25	+ if (strlen(mode) < (sizeof(mode) - 1))
		26	+ {
		27	+ mp++ = 'b'; mp = '\0';
		28	+ }
		29	break;
		30	case 'L':
		31	- mp++ = 'l'; mp = '\0';
		32	+ if (strlen(mode) < (sizeof(mode) - 1))
		33	+ {
		34	+ mp++ = 'l'; mp = '\0';
		35	+ }
		36	break;
		37	case 'M':
		38	- mp++ = 'm'; mp = '\0';
		39	+ if (strlen(mode) < (sizeof(mode) - 1))
		40	+ {
		41	+ mp++ = 'm'; mp = '\0';
		42	+ }
		43	break;
		44	case 'C':
		45	- mp++ = 'c'; mp = '\0';
		46	+ if (strlen(mode) < (sizeof(mode) - 1))
		47	+ {
		48	+ mp++ = 'c'; mp = '\0';
		49	+ }
		50	break;
		51	case '8':
		52	- mp++ = '8'; mp = '\0';
		53	+ if (strlen(mode) < (sizeof(mode)-1))
		54	+ {
		55	+ mp++ = '8'; mp = '\0';
		56	+ }
		57	break;
		58	case 'x':
		59	pageInSeq = 1;
		60	--
		61	2.25.1
		62


diff --git a/meta/recipes-multimedia/libtiff/tiff_4.1.0.bb b/meta/recipes-multimedia/libtiff/tiff_4.1.0.bb index 93a35230d6..74ececb113 100644 --- a/meta/recipes-multimedia/libtiff/tiff_4.1.0.bb +++ b/meta/recipes-multimedia/libtiff/tiff_4.1.0.bb
@@ -27,6 +27,8 @@ SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
27	file://CVE-2022-2056-CVE-2022-2057-CVE-2022-2058.patch \	27	file://CVE-2022-2056-CVE-2022-2057-CVE-2022-2058.patch \
28	file://CVE-2022-34526.patch \	28	file://CVE-2022-34526.patch \
29	file://CVE-2022-2867-CVE-2022-2868-CVE-2022-2869.patch \	29	file://CVE-2022-2867-CVE-2022-2868-CVE-2022-2869.patch \
		30	file://CVE-2022-1354.patch \
		31	file://CVE-2022-1355.patch \
30	"	32	"
31	SRC_URI[md5sum] = "2165e7aba557463acc0664e71a3ed424"	33	SRC_URI[md5sum] = "2165e7aba557463acc0664e71a3ed424"
32	SRC_URI[sha256sum] = "5d29f32517dadb6dbcd1255ea5bbc93a2b54b94fbf83653b4d65c7d6775b8634"	34	SRC_URI[sha256sum] = "5d29f32517dadb6dbcd1255ea5bbc93a2b54b94fbf83653b4d65c7d6775b8634"