tiff: fix multiple CVEs

Backport fixes for: * CVE-2023-25433 - Upstream-Status: Backport from https://gitlab.com/libtiff/libtiff/-/commit/9c22495e5eeeae9e00a1596720c969656bb8d678 && https://gitlab.com/libtiff/libtiff/-/commit/688012dca2c39033aa2dc7bcea9796787cfd1b44 * CVE-2023-25434 & CVE-2023-25435 - Upstream-Status: Backport from https://gitlab.com/libtiff/libtiff/-/commit/69818e2f2d246e6631ac2a2da692c3706b849c38 * CVE-2023-26965 & CVE-2023-26966 - Upstream-Status: Backport from import from debian http://security.debian.org/debian-security/pool/updates/main/t/tiff/tiff_4.1.0+git191117-2~deb10u8.debian.tar.xz] (From OE-Core rev: 3d322227477f9e82fc22de6e896174d04513d72b) Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
author: Hitendra Prajapati <hprajapati@mvista.com> 2023-08-01 11:42:22 +0530
committer: Steve Sakoman <steve@sakoman.com> 2023-08-16 03:55:12 -1000
commit: b5f81a875de8a146c4f698d9bd06ac1a152a01f7 (patch)
tree: 6e3f02b157fee9904ec24a2e65b1a96158617aa6 /meta/recipes-multimedia
parent: 2ff427ee403263834ef7f59027f197e44fb7ed1d (diff)
download: poky-b5f81a875de8a146c4f698d9bd06ac1a152a01f7.tar.gz
5 files changed, 396 insertions, 0 deletions
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2023-25433.patch b/meta/recipes-multimedia/libtiff/files/CVE-2023-25433.patch
new file mode 100644
index 0000000000..7d6d40f25a
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2023-25433.patch
@@ -0,0 +1,173 @@
+From 9c22495e5eeeae9e00a1596720c969656bb8d678 Mon Sep 17 00:00:00 2001
+From: Su_Laus <sulau@freenet.de>
+Date: Fri, 3 Feb 2023 15:31:31 +0100
+Subject: [PATCH] tiffcrop correctly update buffersize after rotateImage()
+ fix#520 rotateImage() set up a new buffer and calculates its size
+ individually. Therefore, seg_buffs[] size needs to be updated accordingly.
+ Before this fix, the seg_buffs buffer size was calculated with a different
+ formula than within rotateImage().
+Closes #520.
+Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/9c22495e5eeeae9e00a1596720c969656bb8d678 && https://gitlab.com/libtiff/libtiff/-/commit/688012dca2c39033aa2dc7bcea9796787cfd1b44]
+CVE: CVE-2023-25433
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ tools/tiffcrop.c | 69 +++++++++++++++++++++++++++++++++++++++---------
+ 1 file changed, 56 insertions(+), 13 deletions(-)
+diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
+index 742615a..aab0ec6 100644
+--- a/tools/tiffcrop.c
+++ b/tools/tiffcrop.c
+@@ -531,7 +531,7 @@ static int rotateContigSamples24bits(uint16, uint16, uint16, uint32,
+ static int rotateContigSamples32bits(uint16, uint16, uint16, uint32, 
+                                      uint32,   uint32, uint8 *, uint8 *);
+ static int rotateImage(uint16, struct image_data *, uint32 *, uint32 *,
+-                      unsigned char **, int);
+                      unsigned char **, size_t *);
+ static int mirrorImage(uint16, uint16, uint16, uint32, uint32,
+                       unsigned char *);
+ static int invertImage(uint16, uint16, uint16, uint32, uint32,
+@@ -6384,7 +6384,7 @@ static int  correct_orientation(struct image_data *image, unsigned char **work_b
+        * but switch xres, yres there. */
+       uint32_t width = image->width;
+       uint32_t length = image->length;
+-      if (rotateImage(rotation, image, &width, &length, work_buff_ptr, TRUE))
+      if (rotateImage(rotation, image, &width, &length, work_buff_ptr, NULL))
+       {
+       TIFFError ("correct_orientation", "Unable to rotate image");
+       return (-1);
+@@ -7607,8 +7607,12 @@ processCropSelections(struct image_data *image, struct crop_mask *crop,
+ 
+     if (crop->crop_mode & CROP_ROTATE) /* rotate should be last as it can reallocate the buffer */
+       {
+      /* rotateImage() set up a new buffer and calculates its size
+       * individually. Therefore, seg_buffs size  needs to be updated
+       * accordingly. */
+      size_t rot_buf_size = 0;
+       if (rotateImage(crop->rotation, image, &crop->combined_width, 
+-                      &crop->combined_length, &crop_buff, FALSE))
+                      &crop->combined_length, &crop_buff, &rot_buf_size))
+         {
+         TIFFError("processCropSelections", 
+                   "Failed to rotate composite regions by %d degrees", crop->rotation);
+@@ -7713,8 +7717,13 @@ processCropSelections(struct image_data *image, struct crop_mask *crop,
+ 
+       if (crop->crop_mode & CROP_ROTATE) /* rotate should be last as it can reallocate the buffer */
+         {
+-       if (rotateImage(crop->rotation, image, &crop->regionlist[i].width, 
+-                       &crop->regionlist[i].length, &crop_buff, FALSE))
+         /* Furthermore, rotateImage() set up a new buffer and calculates
+           * its size individually. Therefore, seg_buffs size  needs to be
+           * updated accordingly. */
+           size_t rot_buf_size = 0;
+           if (rotateImage(
+                crop->rotation, image, &crop->regionlist[i].width,
+                &crop->regionlist[i].length, &crop_buff, &rot_buf_size))
+           {
+           TIFFError("processCropSelections", 
+                     "Failed to rotate crop region by %d degrees", crop->rotation);
+@@ -7725,8 +7734,7 @@ processCropSelections(struct image_data *image, struct crop_mask *crop,
+         crop->combined_width = total_width;
+         crop->combined_length = total_length;
+         seg_buffs[i].buffer = crop_buff;
+-        seg_buffs[i].size = (((crop->regionlist[i].width * image->bps + 7 ) / 8)
+-                               * image->spp) * crop->regionlist[i].length; 
+        seg_buffs[i].size = rot_buf_size;
+         }
+       }
+     }
+@@ -7735,7 +7743,6 @@ processCropSelections(struct image_data *image, struct crop_mask *crop,
+ 
+ /* Copy the crop section of the data from the current image into a buffer
+  * and adjust the IFD values to reflect the new size. If no cropping is
+- * required, use the origial read buffer as the crop buffer.
+  *
+  * There is quite a bit of redundancy between this routine and the more
+  * specialized processCropSelections, but this provides
+@@ -7846,7 +7853,7 @@ createCroppedImage(struct image_data *image, struct crop_mask *crop,
+   if (crop->crop_mode & CROP_ROTATE) /* rotate should be last as it can reallocate the buffer */
+     {
+     if (rotateImage(crop->rotation, image, &crop->combined_width, 
+-                    &crop->combined_length, crop_buff_ptr, TRUE))
+                    &crop->combined_length, crop_buff_ptr, NULL))
+       {
+       TIFFError("createCroppedImage", 
+                 "Failed to rotate image or cropped selection by %d degrees", crop->rotation);
+@@ -8515,7 +8522,8 @@ rotateImage(uint16 rotation, struct image_data *image, uint32 *img_width,
+   uint32   bytes_per_pixel, bytes_per_sample;
+   uint32   row, rowsize, src_offset, dst_offset;
+   uint32   i, col, width, length;
+-  uint32   colsize, buffsize, col_offset, pix_offset;
+  uint32   colsize, col_offset, pix_offset;
+  tmsize_t buffsize;
+   unsigned char *ibuff;
+   unsigned char *src;
+   unsigned char *dst;
+@@ -8528,12 +8536,41 @@ rotateImage(uint16 rotation, struct image_data *image, uint32 *img_width,
+   spp = image->spp;
+   bps = image->bps;
+ 
+  if ((spp != 0 && bps != 0 &&
+         width > (uint32_t)((UINT32_MAX - 7) / spp / bps)) ||
+        (spp != 0 && bps != 0 &&
+         length > (uint32_t)((UINT32_MAX - 7) / spp / bps)))
+    {
+        TIFFError("rotateImage", "Integer overflow detected.");
+        return (-1);
+    }
+
+   rowsize = ((bps * spp * width) + 7) / 8;
+   colsize = ((bps * spp * length) + 7) / 8;
+   if ((colsize * width) > (rowsize * length))
+-    buffsize = (colsize + 1) * width;
+{
+        if (((tmsize_t)colsize + 1) != 0 &&
+            (tmsize_t)width > ((TIFF_TMSIZE_T_MAX - NUM_BUFF_OVERSIZE_BYTES) /
+                               ((tmsize_t)colsize + 1)))
+        {
+            TIFFError("rotateImage",
+                      "Integer overflow when calculating buffer size.");
+            return (-1);
+        }
+        buffsize = ((tmsize_t)colsize + 1) * width;
+    }
+   else
+-    buffsize = (rowsize + 1) * length;
+    {
+        if (((tmsize_t)rowsize + 1) != 0 &&
+            (tmsize_t)length > ((TIFF_TMSIZE_T_MAX - NUM_BUFF_OVERSIZE_BYTES) /
+                                ((tmsize_t)rowsize + 1)))
+        {
+            TIFFError("rotateImage",
+                      "Integer overflow when calculating buffer size.");
+            return (-1);
+        }
+        buffsize = (rowsize + 1) * length;
+    }
+ 
+   bytes_per_sample = (bps + 7) / 8;
+   bytes_per_pixel  = ((bps * spp) + 7) / 8;
+@@ -8556,11 +8593,17 @@ rotateImage(uint16 rotation, struct image_data *image, uint32 *img_width,
+   /* Add 3 padding bytes for extractContigSamplesShifted32bits */
+   if (!(rbuff = (unsigned char *)_TIFFmalloc(buffsize + NUM_BUFF_OVERSIZE_BYTES)))
+     {
+-    TIFFError("rotateImage", "Unable to allocate rotation buffer of %1u bytes", buffsize + NUM_BUFF_OVERSIZE_BYTES);
+    TIFFError("rotateImage",
+              "Unable to allocate rotation buffer of %" TIFF_SSIZE_FORMAT
+              " bytes ",
+              buffsize + NUM_BUFF_OVERSIZE_BYTES);
+     return (-1);
+     }
+   _TIFFmemset(rbuff, '\0', buffsize + NUM_BUFF_OVERSIZE_BYTES);
+ 
+  if (rot_buf_size != NULL)
+       *rot_buf_size = buffsize;
+
+   ibuff = *ibuff_ptr;
+   switch (rotation)
+     {
+-- 
+2.25.1
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2023-25434-CVE-2023-25435.patch b/meta/recipes-multimedia/libtiff/files/CVE-2023-25434-CVE-2023-25435.patch
new file mode 100644
index 0000000000..6a6596f092
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2023-25434-CVE-2023-25435.patch
@@ -0,0 +1,94 @@
+From 69818e2f2d246e6631ac2a2da692c3706b849c38 Mon Sep 17 00:00:00 2001
+From: Su_Laus <sulau@freenet.de>
+Date: Sun, 29 Jan 2023 11:09:26 +0100
+Subject: [PATCH] tiffcrop: Amend rotateImage() not to toggle the input (main)
+ image width and length parameters when only cropped image sections are
+ rotated. Remove buffptr from region structure because never used.
+Closes #492 #493 #494 #495 #499 #518 #519
+Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/69818e2f2d246e6631ac2a2da692c3706b849c38]
+CVE: CVE-2023-25434 & CVE-2023-25435
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ tools/tiffcrop.c | 29 +++++++++++++++++------------
+ 1 file changed, 17 insertions(+), 12 deletions(-)
+diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
+index aab0ec6..ce84414 100644
+--- a/tools/tiffcrop.c
+++ b/tools/tiffcrop.c
+@@ -531,7 +531,7 @@ static int rotateContigSamples24bits(uint16, uint16, uint16, uint32,
+ static int rotateContigSamples32bits(uint16, uint16, uint16, uint32, 
+                                      uint32,   uint32, uint8 *, uint8 *);
+ static int rotateImage(uint16, struct image_data *, uint32 *, uint32 *,
+-                      unsigned char **, size_t *);
+                      unsigned char **, size_t *, int);
+ static int mirrorImage(uint16, uint16, uint16, uint32, uint32,
+                       unsigned char *);
+ static int invertImage(uint16, uint16, uint16, uint32, uint32,
+@@ -6382,10 +6382,11 @@ static int  correct_orientation(struct image_data *image, unsigned char **work_b
+       /* Dummy variable in order not to switch two times the
+        * image->width,->length within rotateImage(),
+        * but switch xres, yres there. */
+-      uint32_t width = image->width;
+-      uint32_t length = image->length;
+-      if (rotateImage(rotation, image, &width, &length, work_buff_ptr, NULL))
+-      {
+        uint32_t width = image->width;
+        uint32_t length = image->length;
+        if (rotateImage(rotation, image, &width, &length, work_buff_ptr, NULL,
+                        TRUE))
+        {
+       TIFFError ("correct_orientation", "Unable to rotate image");
+       return (-1);
+       }
+@@ -7612,7 +7613,8 @@ processCropSelections(struct image_data *image, struct crop_mask *crop,
+        * accordingly. */
+       size_t rot_buf_size = 0;
+       if (rotateImage(crop->rotation, image, &crop->combined_width, 
+-                      &crop->combined_length, &crop_buff, &rot_buf_size))
+                      &crop->combined_length, &crop_buff, &rot_buf_size,
+                            FALSE))
+         {
+         TIFFError("processCropSelections", 
+                   "Failed to rotate composite regions by %d degrees", crop->rotation);
+@@ -7721,9 +7723,10 @@ processCropSelections(struct image_data *image, struct crop_mask *crop,
+            * its size individually. Therefore, seg_buffs size  needs to be
+            * updated accordingly. */
+            size_t rot_buf_size = 0;
+-           if (rotateImage(
+-                crop->rotation, image, &crop->regionlist[i].width,
+-                &crop->regionlist[i].length, &crop_buff, &rot_buf_size))
+           if (rotateImage(crop->rotation, image,
+                                &crop->regionlist[i].width,
+                                &crop->regionlist[i].length, &crop_buff,
+                                &rot_buf_size, FALSE))
+           {
+           TIFFError("processCropSelections", 
+                     "Failed to rotate crop region by %d degrees", crop->rotation);
+@@ -7853,7 +7856,7 @@ createCroppedImage(struct image_data *image, struct crop_mask *crop,
+   if (crop->crop_mode & CROP_ROTATE) /* rotate should be last as it can reallocate the buffer */
+     {
+     if (rotateImage(crop->rotation, image, &crop->combined_width, 
+-                    &crop->combined_length, crop_buff_ptr, NULL))
+                    &crop->combined_length, crop_buff_ptr, NULL, TRUE))
+       {
+       TIFFError("createCroppedImage", 
+                 "Failed to rotate image or cropped selection by %d degrees", crop->rotation);
+@@ -8515,8 +8518,10 @@ rotateContigSamples32bits(uint16 rotation, uint16 spp, uint16 bps, uint32 width,
+ 
+ /* Rotate an image by a multiple of 90 degrees clockwise */
+ static int
+-rotateImage(uint16 rotation, struct image_data *image, uint32 *img_width, 
+-            uint32 *img_length, unsigned char **ibuff_ptr, int rot_image_params)
+rotateImage(uint16 rotation, struct image_data *image,
+            uint32 *img_width, uint32 *img_length,
+            unsigned char **ibuff_ptr, size_t *rot_buf_size,
+            int rot_image_params)
+   {
+   int      shift_width;
+   uint32   bytes_per_pixel, bytes_per_sample;
+-- 
+2.25.1
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2023-26965.patch b/meta/recipes-multimedia/libtiff/files/CVE-2023-26965.patch
new file mode 100644
index 0000000000..b7a7e93764
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2023-26965.patch
@@ -0,0 +1,90 @@
+From ec8ef90c1f573c9eb1f17d6a056aa0015f184acf Mon Sep 17 00:00:00 2001
+From: Su_Laus <sulau@freenet.de>
+Date: Tue, 14 Feb 2023 20:43:43 +0100
+Subject: [PATCH] tiffcrop: Do not reuse input buffer for subsequent images.
+ Fix issue 527
+Reuse of read_buff within loadImage() from previous image is quite unsafe, because other functions (like rotateImage() etc.) reallocate that buffer with different size without updating the local prev_readsize value.
+Closes #527
+Upstream-Status: Backport [import from debian http://security.debian.org/debian-security/pool/updates/main/t/tiff/tiff_4.1.0+git191117-2~deb10u8.debian.tar.xz]
+CVE: CVE-2023-26965
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ tools/tiffcrop.c | 40 ++++++++++------------------------------
+ 1 file changed, 10 insertions(+), 30 deletions(-)
+diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
+index ce84414..a533089 100644
+--- a/tools/tiffcrop.c
+++ b/tools/tiffcrop.c
+@@ -5935,9 +5935,7 @@ loadImage(TIFF* in, struct image_data *image, struct dump_opts *dump, unsigned c
+   uint32   tw = 0, tl = 0;       /* Tile width and length */
+   tmsize_t   tile_rowsize = 0;
+   unsigned char *read_buff = NULL;
+-  unsigned char *new_buff  = NULL;
+   int      readunit = 0;
+-  static   tmsize_t  prev_readsize = 0;
+ 
+   TIFFGetFieldDefaulted(in, TIFFTAG_BITSPERSAMPLE, &bps);
+   TIFFGetFieldDefaulted(in, TIFFTAG_SAMPLESPERPIXEL, &spp);
+@@ -6232,37 +6230,20 @@ loadImage(TIFF* in, struct image_data *image, struct dump_opts *dump, unsigned c
+   read_buff = *read_ptr;
+   /* +3 : add a few guard bytes since reverseSamples16bits() can read a bit */
+   /* outside buffer */
+-  if (!read_buff)
+  if (read_buff)
+   {
+-    if( buffsize > 0xFFFFFFFFU - 3 )
+-    {
+-        TIFFError("loadImage", "Unable to allocate/reallocate read buffer");
+-        return (-1);
+-    }
+-    read_buff = (unsigned char *)_TIFFmalloc(buffsize + NUM_BUFF_OVERSIZE_BYTES);
+    _TIFFfree(read_buff);
+   }
+-  else
+-    {
+-    if (prev_readsize < buffsize)
+-    {
+-      if( buffsize > 0xFFFFFFFFU - 3 )
+-      {
+-          TIFFError("loadImage", "Unable to allocate/reallocate read buffer");
+-          return (-1);
+-      }
+-      new_buff = _TIFFrealloc(read_buff, buffsize + NUM_BUFF_OVERSIZE_BYTES);
+-      if (!new_buff)
+-        {
+-       free (read_buff);
+-        read_buff = (unsigned char *)_TIFFmalloc(buffsize + NUM_BUFF_OVERSIZE_BYTES);
+-        }
+-      else
+-        read_buff = new_buff;
+-      }
+-    }
+  if (buffsize > 0xFFFFFFFFU - 3)
+  {
+    TIFFError("loadImage", "Required read buffer size too large");
+    return (-1);
+  }
+  read_buff =
+    (unsigned char *)_TIFFmalloc(buffsize + NUM_BUFF_OVERSIZE_BYTES);
+   if (!read_buff)
+     {
+-    TIFFError("loadImage", "Unable to allocate/reallocate read buffer");
+    TIFFError("loadImage", "Unable to allocate read buffer");
+     return (-1);
+     }
+ 
+@@ -6270,7 +6251,6 @@ loadImage(TIFF* in, struct image_data *image, struct dump_opts *dump, unsigned c
+   read_buff[buffsize+1] = 0;
+   read_buff[buffsize+2] = 0;
+ 
+-  prev_readsize = buffsize;
+   *read_ptr = read_buff;
+ 
+   /* N.B. The read functions used copy separate plane data into a buffer as interleaved
+-- 
+2.25.1
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2023-26966.patch b/meta/recipes-multimedia/libtiff/files/CVE-2023-26966.patch
new file mode 100644
index 0000000000..48657e6aa4
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2023-26966.patch
@@ -0,0 +1,35 @@
+From b0e1c25dd1d065200c8d8f59ad0afe014861a1b9 Mon Sep 17 00:00:00 2001
+From: Su_Laus <sulau@freenet.de>
+Date: Thu, 16 Feb 2023 12:03:16 +0100
+Subject: [PATCH] tif_luv: Check and correct for NaN data in uv_encode().
+Closes #530
+Upstream-Status: Backport [import from debian http://security.debian.org/debian-security/pool/updates/main/t/tiff/tiff_4.1.0+git191117-2~deb10u8.debian.tar.xz]
+CVE: CVE-2023-26966
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ libtiff/tif_luv.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+diff --git a/libtiff/tif_luv.c b/libtiff/tif_luv.c
+index 6fe4858..8b2c5f1 100644
+--- a/libtiff/tif_luv.c
+++ b/libtiff/tif_luv.c
+@@ -923,6 +923,13 @@ uv_encode(double u, double v, int em)      /* encode (u',v') coordinates */
+ {
+        register int    vi, ui;
+ 
+       /* check for NaN */
+       if (u != u || v != v)
+       {
+               u = U_NEU;
+               v = V_NEU;
+        }
+
+        if (v < UV_VSTART)
+                return oog_encode(u, v);
+        vi = itrunc((v - UV_VSTART)*(1./UV_SQSIZ), em);
+-- 
+2.25.1
diff --git a/meta/recipes-multimedia/libtiff/tiff_4.1.0.bb b/meta/recipes-multimedia/libtiff/tiff_4.1.0.bb
index 4b48d81e2b..fcb2ce1ae4 100644
--- a/meta/recipes-multimedia/libtiff/tiff_4.1.0.bb
+++ b/meta/recipes-multimedia/libtiff/tiff_4.1.0.bb
@@ -36,6 +36,10 @@ SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
           file://CVE-2022-48281.patch \
           file://CVE-2023-0795_0796_0797_0798_0799.patch \
           file://CVE-2023-0800_0801_0802_0803_0804.patch \
+           file://CVE-2023-25433.patch \
+           file://CVE-2023-25434-CVE-2023-25435.patch \
+           file://CVE-2023-26965.patch \
+           file://CVE-2023-26966.patch \
          "
 SRC_URI[md5sum] = "2165e7aba557463acc0664e71a3ed424"
 SRC_URI[sha256sum] = "5d29f32517dadb6dbcd1255ea5bbc93a2b54b94fbf83653b4d65c7d6775b8634"
author	Hitendra Prajapati <hprajapati@mvista.com>	2023-08-01 11:42:22 +0530
committer	Steve Sakoman <steve@sakoman.com>	2023-08-16 03:55:12 -1000
commit	b5f81a875de8a146c4f698d9bd06ac1a152a01f7 (patch)
tree	6e3f02b157fee9904ec24a2e65b1a96158617aa6 /meta/recipes-multimedia
parent	2ff427ee403263834ef7f59027f197e44fb7ed1d (diff)
download	poky-b5f81a875de8a146c4f698d9bd06ac1a152a01f7.tar.gz

diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2023-25433.patch b/meta/recipes-multimedia/libtiff/files/CVE-2023-25433.patch new file mode 100644 index 0000000000..7d6d40f25a --- /dev/null +++ b/meta/recipes-multimedia/libtiff/files/CVE-2023-25433.patch
@@ -0,0 +1,173 @@
		1	From 9c22495e5eeeae9e00a1596720c969656bb8d678 Mon Sep 17 00:00:00 2001
		2	From: Su_Laus <sulau@freenet.de>
		3	Date: Fri, 3 Feb 2023 15:31:31 +0100
		4	Subject: [PATCH] tiffcrop correctly update buffersize after rotateImage()
		5	fix#520 rotateImage() set up a new buffer and calculates its size
		6	individually. Therefore, seg_buffs[] size needs to be updated accordingly.
		7	Before this fix, the seg_buffs buffer size was calculated with a different
		8	formula than within rotateImage().
		9
		10	Closes #520.
		11
		12	Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/9c22495e5eeeae9e00a1596720c969656bb8d678 && https://gitlab.com/libtiff/libtiff/-/commit/688012dca2c39033aa2dc7bcea9796787cfd1b44]
		13	CVE: CVE-2023-25433
		14	Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
		15	---
		16	tools/tiffcrop.c \| 69 +++++++++++++++++++++++++++++++++++++++---------
		17	1 file changed, 56 insertions(+), 13 deletions(-)
		18
		19	diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
		20	index 742615a..aab0ec6 100644
		21	--- a/tools/tiffcrop.c
		22	+++ b/tools/tiffcrop.c
		23	@@ -531,7 +531,7 @@ static int rotateContigSamples24bits(uint16, uint16, uint16, uint32,
		24	static int rotateContigSamples32bits(uint16, uint16, uint16, uint32,
		25	uint32, uint32, uint8 , uint8 );
		26	static int rotateImage(uint16, struct image_data , uint32 , uint32 *,
		27	- unsigned char **, int);
		28	+ unsigned char *, size_t );
		29	static int mirrorImage(uint16, uint16, uint16, uint32, uint32,
		30	unsigned char *);
		31	static int invertImage(uint16, uint16, uint16, uint32, uint32,
		32	@@ -6384,7 +6384,7 @@ static int correct_orientation(struct image_data image, unsigned char *work_b
		33	* but switch xres, yres there. */
		34	uint32_t width = image->width;
		35	uint32_t length = image->length;
		36	- if (rotateImage(rotation, image, &width, &length, work_buff_ptr, TRUE))
		37	+ if (rotateImage(rotation, image, &width, &length, work_buff_ptr, NULL))
		38	{
		39	TIFFError ("correct_orientation", "Unable to rotate image");
		40	return (-1);
		41	@@ -7607,8 +7607,12 @@ processCropSelections(struct image_data image, struct crop_mask crop,
		42
		43	if (crop->crop_mode & CROP_ROTATE) /* rotate should be last as it can reallocate the buffer */
		44	{
		45	+ /* rotateImage() set up a new buffer and calculates its size
		46	+ * individually. Therefore, seg_buffs size needs to be updated
		47	+ * accordingly. */
		48	+ size_t rot_buf_size = 0;
		49	if (rotateImage(crop->rotation, image, &crop->combined_width,
		50	- &crop->combined_length, &crop_buff, FALSE))
		51	+ &crop->combined_length, &crop_buff, &rot_buf_size))
		52	{
		53	TIFFError("processCropSelections",
		54	"Failed to rotate composite regions by %d degrees", crop->rotation);
		55	@@ -7713,8 +7717,13 @@ processCropSelections(struct image_data image, struct crop_mask crop,
		56
		57	if (crop->crop_mode & CROP_ROTATE) /* rotate should be last as it can reallocate the buffer */
		58	{
		59	- if (rotateImage(crop->rotation, image, &crop->regionlist[i].width,
		60	- &crop->regionlist[i].length, &crop_buff, FALSE))
		61	+ /* Furthermore, rotateImage() set up a new buffer and calculates
		62	+ * its size individually. Therefore, seg_buffs size needs to be
		63	+ * updated accordingly. */
		64	+ size_t rot_buf_size = 0;
		65	+ if (rotateImage(
		66	+ crop->rotation, image, &crop->regionlist[i].width,
		67	+ &crop->regionlist[i].length, &crop_buff, &rot_buf_size))
		68	{
		69	TIFFError("processCropSelections",
		70	"Failed to rotate crop region by %d degrees", crop->rotation);
		71	@@ -7725,8 +7734,7 @@ processCropSelections(struct image_data image, struct crop_mask crop,
		72	crop->combined_width = total_width;
		73	crop->combined_length = total_length;
		74	seg_buffs[i].buffer = crop_buff;
		75	- seg_buffs[i].size = (((crop->regionlist[i].width * image->bps + 7 ) / 8)
		76	- * image->spp) * crop->regionlist[i].length;
		77	+ seg_buffs[i].size = rot_buf_size;
		78	}
		79	}
		80	}
		81	@@ -7735,7 +7743,6 @@ processCropSelections(struct image_data image, struct crop_mask crop,
		82
		83	/* Copy the crop section of the data from the current image into a buffer
		84	* and adjust the IFD values to reflect the new size. If no cropping is
		85	- * required, use the origial read buffer as the crop buffer.
		86	*
		87	* There is quite a bit of redundancy between this routine and the more
		88	* specialized processCropSelections, but this provides
		89	@@ -7846,7 +7853,7 @@ createCroppedImage(struct image_data image, struct crop_mask crop,
		90	if (crop->crop_mode & CROP_ROTATE) /* rotate should be last as it can reallocate the buffer */
		91	{
		92	if (rotateImage(crop->rotation, image, &crop->combined_width,
		93	- &crop->combined_length, crop_buff_ptr, TRUE))
		94	+ &crop->combined_length, crop_buff_ptr, NULL))
		95	{
		96	TIFFError("createCroppedImage",
		97	"Failed to rotate image or cropped selection by %d degrees", crop->rotation);
		98	@@ -8515,7 +8522,8 @@ rotateImage(uint16 rotation, struct image_data image, uint32 img_width,
		99	uint32 bytes_per_pixel, bytes_per_sample;
		100	uint32 row, rowsize, src_offset, dst_offset;
		101	uint32 i, col, width, length;
		102	- uint32 colsize, buffsize, col_offset, pix_offset;
		103	+ uint32 colsize, col_offset, pix_offset;
		104	+ tmsize_t buffsize;
		105	unsigned char *ibuff;
		106	unsigned char *src;
		107	unsigned char *dst;
		108	@@ -8528,12 +8536,41 @@ rotateImage(uint16 rotation, struct image_data image, uint32 img_width,
		109	spp = image->spp;
		110	bps = image->bps;
		111
		112	+ if ((spp != 0 && bps != 0 &&
		113	+ width > (uint32_t)((UINT32_MAX - 7) / spp / bps)) \|\|
		114	+ (spp != 0 && bps != 0 &&
		115	+ length > (uint32_t)((UINT32_MAX - 7) / spp / bps)))
		116	+ {
		117	+ TIFFError("rotateImage", "Integer overflow detected.");
		118	+ return (-1);
		119	+ }
		120	+
		121	rowsize = ((bps * spp * width) + 7) / 8;
		122	colsize = ((bps * spp * length) + 7) / 8;
		123	if ((colsize * width) > (rowsize * length))
		124	- buffsize = (colsize + 1) * width;
		125	+{
		126	+ if (((tmsize_t)colsize + 1) != 0 &&
		127	+ (tmsize_t)width > ((TIFF_TMSIZE_T_MAX - NUM_BUFF_OVERSIZE_BYTES) /
		128	+ ((tmsize_t)colsize + 1)))
		129	+ {
		130	+ TIFFError("rotateImage",
		131	+ "Integer overflow when calculating buffer size.");
		132	+ return (-1);
		133	+ }
		134	+ buffsize = ((tmsize_t)colsize + 1) * width;
		135	+ }
		136	else
		137	- buffsize = (rowsize + 1) * length;
		138	+ {
		139	+ if (((tmsize_t)rowsize + 1) != 0 &&
		140	+ (tmsize_t)length > ((TIFF_TMSIZE_T_MAX - NUM_BUFF_OVERSIZE_BYTES) /
		141	+ ((tmsize_t)rowsize + 1)))
		142	+ {
		143	+ TIFFError("rotateImage",
		144	+ "Integer overflow when calculating buffer size.");
		145	+ return (-1);
		146	+ }
		147	+ buffsize = (rowsize + 1) * length;
		148	+ }
		149
		150	bytes_per_sample = (bps + 7) / 8;
		151	bytes_per_pixel = ((bps * spp) + 7) / 8;
		152	@@ -8556,11 +8593,17 @@ rotateImage(uint16 rotation, struct image_data image, uint32 img_width,
		153	/* Add 3 padding bytes for extractContigSamplesShifted32bits */
		154	if (!(rbuff = (unsigned char *)_TIFFmalloc(buffsize + NUM_BUFF_OVERSIZE_BYTES)))
		155	{
		156	- TIFFError("rotateImage", "Unable to allocate rotation buffer of %1u bytes", buffsize + NUM_BUFF_OVERSIZE_BYTES);
		157	+ TIFFError("rotateImage",
		158	+ "Unable to allocate rotation buffer of %" TIFF_SSIZE_FORMAT
		159	+ " bytes ",
		160	+ buffsize + NUM_BUFF_OVERSIZE_BYTES);
		161	return (-1);
		162	}
		163	_TIFFmemset(rbuff, '\0', buffsize + NUM_BUFF_OVERSIZE_BYTES);
		164
		165	+ if (rot_buf_size != NULL)
		166	+ *rot_buf_size = buffsize;
		167	+
		168	ibuff = *ibuff_ptr;
		169	switch (rotation)
		170	{
		171	--
		172	2.25.1
		173


diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2023-25434-CVE-2023-25435.patch b/meta/recipes-multimedia/libtiff/files/CVE-2023-25434-CVE-2023-25435.patch new file mode 100644 index 0000000000..6a6596f092 --- /dev/null +++ b/meta/recipes-multimedia/libtiff/files/CVE-2023-25434-CVE-2023-25435.patch
@@ -0,0 +1,94 @@
		1	From 69818e2f2d246e6631ac2a2da692c3706b849c38 Mon Sep 17 00:00:00 2001
		2	From: Su_Laus <sulau@freenet.de>
		3	Date: Sun, 29 Jan 2023 11:09:26 +0100
		4	Subject: [PATCH] tiffcrop: Amend rotateImage() not to toggle the input (main)
		5	image width and length parameters when only cropped image sections are
		6	rotated. Remove buffptr from region structure because never used.
		7
		8	Closes #492 #493 #494 #495 #499 #518 #519
		9
		10	Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/69818e2f2d246e6631ac2a2da692c3706b849c38]
		11	CVE: CVE-2023-25434 & CVE-2023-25435
		12	Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
		13	---
		14	tools/tiffcrop.c \| 29 +++++++++++++++++------------
		15	1 file changed, 17 insertions(+), 12 deletions(-)
		16
		17	diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
		18	index aab0ec6..ce84414 100644
		19	--- a/tools/tiffcrop.c
		20	+++ b/tools/tiffcrop.c
		21	@@ -531,7 +531,7 @@ static int rotateContigSamples24bits(uint16, uint16, uint16, uint32,
		22	static int rotateContigSamples32bits(uint16, uint16, uint16, uint32,
		23	uint32, uint32, uint8 , uint8 );
		24	static int rotateImage(uint16, struct image_data , uint32 , uint32 *,
		25	- unsigned char *, size_t );
		26	+ unsigned char *, size_t , int);
		27	static int mirrorImage(uint16, uint16, uint16, uint32, uint32,
		28	unsigned char *);
		29	static int invertImage(uint16, uint16, uint16, uint32, uint32,
		30	@@ -6382,10 +6382,11 @@ static int correct_orientation(struct image_data image, unsigned char *work_b
		31	/* Dummy variable in order not to switch two times the
		32	* image->width,->length within rotateImage(),
		33	* but switch xres, yres there. */
		34	- uint32_t width = image->width;
		35	- uint32_t length = image->length;
		36	- if (rotateImage(rotation, image, &width, &length, work_buff_ptr, NULL))
		37	- {
		38	+ uint32_t width = image->width;
		39	+ uint32_t length = image->length;
		40	+ if (rotateImage(rotation, image, &width, &length, work_buff_ptr, NULL,
		41	+ TRUE))
		42	+ {
		43	TIFFError ("correct_orientation", "Unable to rotate image");
		44	return (-1);
		45	}
		46	@@ -7612,7 +7613,8 @@ processCropSelections(struct image_data image, struct crop_mask crop,
		47	* accordingly. */
		48	size_t rot_buf_size = 0;
		49	if (rotateImage(crop->rotation, image, &crop->combined_width,
		50	- &crop->combined_length, &crop_buff, &rot_buf_size))
		51	+ &crop->combined_length, &crop_buff, &rot_buf_size,
		52	+ FALSE))
		53	{
		54	TIFFError("processCropSelections",
		55	"Failed to rotate composite regions by %d degrees", crop->rotation);
		56	@@ -7721,9 +7723,10 @@ processCropSelections(struct image_data image, struct crop_mask crop,
		57	* its size individually. Therefore, seg_buffs size needs to be
		58	* updated accordingly. */
		59	size_t rot_buf_size = 0;
		60	- if (rotateImage(
		61	- crop->rotation, image, &crop->regionlist[i].width,
		62	- &crop->regionlist[i].length, &crop_buff, &rot_buf_size))
		63	+ if (rotateImage(crop->rotation, image,
		64	+ &crop->regionlist[i].width,
		65	+ &crop->regionlist[i].length, &crop_buff,
		66	+ &rot_buf_size, FALSE))
		67	{
		68	TIFFError("processCropSelections",
		69	"Failed to rotate crop region by %d degrees", crop->rotation);
		70	@@ -7853,7 +7856,7 @@ createCroppedImage(struct image_data image, struct crop_mask crop,
		71	if (crop->crop_mode & CROP_ROTATE) /* rotate should be last as it can reallocate the buffer */
		72	{
		73	if (rotateImage(crop->rotation, image, &crop->combined_width,
		74	- &crop->combined_length, crop_buff_ptr, NULL))
		75	+ &crop->combined_length, crop_buff_ptr, NULL, TRUE))
		76	{
		77	TIFFError("createCroppedImage",
		78	"Failed to rotate image or cropped selection by %d degrees", crop->rotation);
		79	@@ -8515,8 +8518,10 @@ rotateContigSamples32bits(uint16 rotation, uint16 spp, uint16 bps, uint32 width,
		80
		81	/* Rotate an image by a multiple of 90 degrees clockwise */
		82	static int
		83	-rotateImage(uint16 rotation, struct image_data image, uint32 img_width,
		84	- uint32 img_length, unsigned char *ibuff_ptr, int rot_image_params)
		85	+rotateImage(uint16 rotation, struct image_data *image,
		86	+ uint32 img_width, uint32 img_length,
		87	+ unsigned char *ibuff_ptr, size_t rot_buf_size,
		88	+ int rot_image_params)
		89	{
		90	int shift_width;
		91	uint32 bytes_per_pixel, bytes_per_sample;
		92	--
		93	2.25.1
		94


diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2023-26965.patch b/meta/recipes-multimedia/libtiff/files/CVE-2023-26965.patch new file mode 100644 index 0000000000..b7a7e93764 --- /dev/null +++ b/meta/recipes-multimedia/libtiff/files/CVE-2023-26965.patch
@@ -0,0 +1,90 @@
		1	From ec8ef90c1f573c9eb1f17d6a056aa0015f184acf Mon Sep 17 00:00:00 2001
		2	From: Su_Laus <sulau@freenet.de>
		3	Date: Tue, 14 Feb 2023 20:43:43 +0100
		4	Subject: [PATCH] tiffcrop: Do not reuse input buffer for subsequent images.
		5	Fix issue 527
		6
		7	Reuse of read_buff within loadImage() from previous image is quite unsafe, because other functions (like rotateImage() etc.) reallocate that buffer with different size without updating the local prev_readsize value.
		8
		9	Closes #527
		10
		11	Upstream-Status: Backport [import from debian http://security.debian.org/debian-security/pool/updates/main/t/tiff/tiff_4.1.0+git191117-2~deb10u8.debian.tar.xz]
		12	CVE: CVE-2023-26965
		13	Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
		14	---
		15	tools/tiffcrop.c \| 40 ++++++++++------------------------------
		16	1 file changed, 10 insertions(+), 30 deletions(-)
		17
		18	diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
		19	index ce84414..a533089 100644
		20	--- a/tools/tiffcrop.c
		21	+++ b/tools/tiffcrop.c
		22	@@ -5935,9 +5935,7 @@ loadImage(TIFF* in, struct image_data image, struct dump_opts dump, unsigned c
		23	uint32 tw = 0, tl = 0; /* Tile width and length */
		24	tmsize_t tile_rowsize = 0;
		25	unsigned char *read_buff = NULL;
		26	- unsigned char *new_buff = NULL;
		27	int readunit = 0;
		28	- static tmsize_t prev_readsize = 0;
		29
		30	TIFFGetFieldDefaulted(in, TIFFTAG_BITSPERSAMPLE, &bps);
		31	TIFFGetFieldDefaulted(in, TIFFTAG_SAMPLESPERPIXEL, &spp);
		32	@@ -6232,37 +6230,20 @@ loadImage(TIFF* in, struct image_data image, struct dump_opts dump, unsigned c
		33	read_buff = *read_ptr;
		34	/* +3 : add a few guard bytes since reverseSamples16bits() can read a bit */
		35	/* outside buffer */
		36	- if (!read_buff)
		37	+ if (read_buff)
		38	{
		39	- if( buffsize > 0xFFFFFFFFU - 3 )
		40	- {
		41	- TIFFError("loadImage", "Unable to allocate/reallocate read buffer");
		42	- return (-1);
		43	- }
		44	- read_buff = (unsigned char *)_TIFFmalloc(buffsize + NUM_BUFF_OVERSIZE_BYTES);
		45	+ _TIFFfree(read_buff);
		46	}
		47	- else
		48	- {
		49	- if (prev_readsize < buffsize)
		50	- {
		51	- if( buffsize > 0xFFFFFFFFU - 3 )
		52	- {
		53	- TIFFError("loadImage", "Unable to allocate/reallocate read buffer");
		54	- return (-1);
		55	- }
		56	- new_buff = _TIFFrealloc(read_buff, buffsize + NUM_BUFF_OVERSIZE_BYTES);
		57	- if (!new_buff)
		58	- {
		59	- free (read_buff);
		60	- read_buff = (unsigned char *)_TIFFmalloc(buffsize + NUM_BUFF_OVERSIZE_BYTES);
		61	- }
		62	- else
		63	- read_buff = new_buff;
		64	- }
		65	- }
		66	+ if (buffsize > 0xFFFFFFFFU - 3)
		67	+ {
		68	+ TIFFError("loadImage", "Required read buffer size too large");
		69	+ return (-1);
		70	+ }
		71	+ read_buff =
		72	+ (unsigned char *)_TIFFmalloc(buffsize + NUM_BUFF_OVERSIZE_BYTES);
		73	if (!read_buff)
		74	{
		75	- TIFFError("loadImage", "Unable to allocate/reallocate read buffer");
		76	+ TIFFError("loadImage", "Unable to allocate read buffer");
		77	return (-1);
		78	}
		79
		80	@@ -6270,7 +6251,6 @@ loadImage(TIFF* in, struct image_data image, struct dump_opts dump, unsigned c
		81	read_buff[buffsize+1] = 0;
		82	read_buff[buffsize+2] = 0;
		83
		84	- prev_readsize = buffsize;
		85	*read_ptr = read_buff;
		86
		87	/* N.B. The read functions used copy separate plane data into a buffer as interleaved
		88	--
		89	2.25.1
		90


diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2023-26966.patch b/meta/recipes-multimedia/libtiff/files/CVE-2023-26966.patch new file mode 100644 index 0000000000..48657e6aa4 --- /dev/null +++ b/meta/recipes-multimedia/libtiff/files/CVE-2023-26966.patch
@@ -0,0 +1,35 @@
		1	From b0e1c25dd1d065200c8d8f59ad0afe014861a1b9 Mon Sep 17 00:00:00 2001
		2	From: Su_Laus <sulau@freenet.de>
		3	Date: Thu, 16 Feb 2023 12:03:16 +0100
		4	Subject: [PATCH] tif_luv: Check and correct for NaN data in uv_encode().
		5
		6	Closes #530
		7
		8	Upstream-Status: Backport [import from debian http://security.debian.org/debian-security/pool/updates/main/t/tiff/tiff_4.1.0+git191117-2~deb10u8.debian.tar.xz]
		9	CVE: CVE-2023-26966
		10	Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
		11	---
		12	libtiff/tif_luv.c \| 7 +++++++
		13	1 file changed, 7 insertions(+)
		14
		15	diff --git a/libtiff/tif_luv.c b/libtiff/tif_luv.c
		16	index 6fe4858..8b2c5f1 100644
		17	--- a/libtiff/tif_luv.c
		18	+++ b/libtiff/tif_luv.c
		19	@@ -923,6 +923,13 @@ uv_encode(double u, double v, int em) /* encode (u',v') coordinates */
		20	{
		21	register int vi, ui;
		22
		23	+ /* check for NaN */
		24	+ if (u != u \|\| v != v)
		25	+ {
		26	+ u = U_NEU;
		27	+ v = V_NEU;
		28	+ }
		29	+
		30	if (v < UV_VSTART)
		31	return oog_encode(u, v);
		32	vi = itrunc((v - UV_VSTART)*(1./UV_SQSIZ), em);
		33	--
		34	2.25.1
		35


diff --git a/meta/recipes-multimedia/libtiff/tiff_4.1.0.bb b/meta/recipes-multimedia/libtiff/tiff_4.1.0.bb index 4b48d81e2b..fcb2ce1ae4 100644 --- a/meta/recipes-multimedia/libtiff/tiff_4.1.0.bb +++ b/meta/recipes-multimedia/libtiff/tiff_4.1.0.bb
@@ -36,6 +36,10 @@ SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
36	file://CVE-2022-48281.patch \	36	file://CVE-2022-48281.patch \
37	file://CVE-2023-0795_0796_0797_0798_0799.patch \	37	file://CVE-2023-0795_0796_0797_0798_0799.patch \
38	file://CVE-2023-0800_0801_0802_0803_0804.patch \	38	file://CVE-2023-0800_0801_0802_0803_0804.patch \
		39	file://CVE-2023-25433.patch \
		40	file://CVE-2023-25434-CVE-2023-25435.patch \
		41	file://CVE-2023-26965.patch \
		42	file://CVE-2023-26966.patch \
39	"	43	"
40	SRC_URI[md5sum] = "2165e7aba557463acc0664e71a3ed424"	44	SRC_URI[md5sum] = "2165e7aba557463acc0664e71a3ed424"
41	SRC_URI[sha256sum] = "5d29f32517dadb6dbcd1255ea5bbc93a2b54b94fbf83653b4d65c7d6775b8634"	45	SRC_URI[sha256sum] = "5d29f32517dadb6dbcd1255ea5bbc93a2b54b94fbf83653b4d65c7d6775b8634"