summaryrefslogtreecommitdiffstats
path: root/meta/recipes-multimedia
diff options
context:
space:
mode:
authorChee Yang Lee <chee.yang.lee@intel.com>2023-03-01 13:26:10 +0800
committerRichard Purdie <richard.purdie@linuxfoundation.org>2023-03-14 14:59:10 +0000
commitc35692c6ebd704e7f4c13b34ac66eda35e8e251e (patch)
treebb310b55a3a4bb340fdc25da6a35fd33bfcdb297 /meta/recipes-multimedia
parent9fa2eba749289f49c7118d5c485257f820b705f3 (diff)
downloadpoky-c35692c6ebd704e7f4c13b34ac66eda35e8e251e.tar.gz
tiff: fix multiple CVEs
import patches from debian http://security.debian.org/debian-security/pool/updates/main/t/tiff/tiff_4.1.0+git191117-2~deb10u7.debian.tar.xz fix multiple CVEs: CVE-2022-3570 CVE-2022-3597 CVE-2022-3598 CVE-2022-3599 CVE-2022-3626 CVE-2022-3627 CVE-2022-3970 CVE-2022-48281 CVE-2023-0795 CVE-2023-0796 CVE-2023-0797 CVE-2023-0798 CVE-2023-0799 CVE-2023-0800 CVE-2023-0801 CVE-2023-0802 CVE-2023-0803 CVE-2023-0804 (From OE-Core rev: a6859c967e6e0079dd197fc36844b862938f4eed) Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-multimedia')
-rw-r--r--meta/recipes-multimedia/libtiff/files/CVE-2022-3570_3598.patch659
-rw-r--r--meta/recipes-multimedia/libtiff/files/CVE-2022-3597_3626_3627.patch123
-rw-r--r--meta/recipes-multimedia/libtiff/files/CVE-2022-3599.patch277
-rw-r--r--meta/recipes-multimedia/libtiff/files/CVE-2022-3970.patch45
-rw-r--r--meta/recipes-multimedia/libtiff/files/CVE-2022-48281.patch26
-rw-r--r--meta/recipes-multimedia/libtiff/files/CVE-2023-0795_0796_0797_0798_0799.patch157
-rw-r--r--meta/recipes-multimedia/libtiff/files/CVE-2023-0800_0801_0802_0803_0804.patch135
-rw-r--r--meta/recipes-multimedia/libtiff/tiff_4.1.0.bb7
8 files changed, 1429 insertions, 0 deletions
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2022-3570_3598.patch b/meta/recipes-multimedia/libtiff/files/CVE-2022-3570_3598.patch
new file mode 100644
index 0000000000..760e20dd2b
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2022-3570_3598.patch
@@ -0,0 +1,659 @@
1From 226e336cdceec933da2e9f72b6578c7a1bea450b Mon Sep 17 00:00:00 2001
2From: Su Laus <sulau@freenet.de>
3Date: Thu, 13 Oct 2022 14:33:27 +0000
4Subject: [PATCH] tiffcrop subroutines require a larger buffer (fixes #271,
5
6Upstream-Status: Backport [import from debian http://security.debian.org/debian-security/pool/updates/main/t/tiff/tiff_4.1.0+git191117-2~deb10u7.debian.tar.xz ]
7CVE: CVE-2022-3570 CVE-2022-3598
8Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
9
10Origin: https://gitlab.com/libtiff/libtiff/-/commit/cfbb883bf6ea7bedcb04177cc4e52d304522fdff
11Origin: https://gitlab.com/libtiff/libtiff/-/commit/24d3b2425af24432e0e4e2fd58b33f3b04c4bfa4
12Reviewed-by: Sylvain Beucler <beuc@debian.org>
13Last-Update: 2023-01-17
14
15 #381, #386, #388, #389, #435)
16
17---
18 tools/tiffcrop.c | 209 ++++++++++++++++++++++++++---------------------
19 1 file changed, 117 insertions(+), 92 deletions(-)
20
21diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
22index c7877aa..c923920 100644
23--- a/tools/tiffcrop.c
24+++ b/tools/tiffcrop.c
25@@ -126,6 +126,7 @@ static char tiffcrop_rev_date[] = "03-03-2010";
26
27 #ifdef HAVE_STDINT_H
28 # include <stdint.h>
29+# include <inttypes.h>
30 #endif
31
32 #ifndef HAVE_GETOPT
33@@ -212,6 +213,10 @@ extern int getopt(int argc, char * const argv[], const char *optstring);
34
35 #define TIFF_DIR_MAX 65534
36
37+/* Some conversion subroutines require image buffers, which are at least 3 bytes
38+ * larger than the necessary size for the image itself. */
39+#define NUM_BUFF_OVERSIZE_BYTES 3
40+
41 /* Offsets into buffer for margins and fixed width and length segments */
42 struct offset {
43 uint32 tmargin;
44@@ -233,7 +238,7 @@ struct offset {
45 */
46
47 struct buffinfo {
48- uint32 size; /* size of this buffer */
49+ size_t size; /* size of this buffer */
50 unsigned char *buffer; /* address of the allocated buffer */
51 };
52
53@@ -771,8 +776,8 @@ static int readContigTilesIntoBuffer (TIFF* in, uint8* buf,
54 uint32 dst_rowsize, shift_width;
55 uint32 bytes_per_sample, bytes_per_pixel;
56 uint32 trailing_bits, prev_trailing_bits;
57- uint32 tile_rowsize = TIFFTileRowSize(in);
58- uint32 src_offset, dst_offset;
59+ tmsize_t tile_rowsize = TIFFTileRowSize(in);
60+ tmsize_t src_offset, dst_offset;
61 uint32 row_offset, col_offset;
62 uint8 *bufp = (uint8*) buf;
63 unsigned char *src = NULL;
64@@ -822,7 +827,7 @@ static int readContigTilesIntoBuffer (TIFF* in, uint8* buf,
65 TIFFError("readContigTilesIntoBuffer", "Integer overflow when calculating buffer size.");
66 exit(-1);
67 }
68- tilebuf = _TIFFmalloc(tile_buffsize + 3);
69+ tilebuf = _TIFFmalloc(tile_buffsize + NUM_BUFF_OVERSIZE_BYTES);
70 if (tilebuf == 0)
71 return 0;
72 tilebuf[tile_buffsize] = 0;
73@@ -986,7 +991,7 @@ static int readSeparateTilesIntoBuffer (TIFF* in, uint8 *obuf,
74 for (sample = 0; (sample < spp) && (sample < MAX_SAMPLES); sample++)
75 {
76 srcbuffs[sample] = NULL;
77- tbuff = (unsigned char *)_TIFFmalloc(tilesize + 8);
78+ tbuff = (unsigned char *)_TIFFmalloc(tilesize + NUM_BUFF_OVERSIZE_BYTES);
79 if (!tbuff)
80 {
81 TIFFError ("readSeparateTilesIntoBuffer",
82@@ -1181,7 +1186,8 @@ writeBufferToSeparateStrips (TIFF* out, uint8* buf,
83 }
84 rowstripsize = rowsperstrip * bytes_per_sample * (width + 1);
85
86- obuf = _TIFFmalloc (rowstripsize);
87+ /* Add 3 padding bytes for extractContigSamples32bits */
88+ obuf = _TIFFmalloc (rowstripsize + NUM_BUFF_OVERSIZE_BYTES);
89 if (obuf == NULL)
90 return 1;
91
92@@ -1194,7 +1200,7 @@ writeBufferToSeparateStrips (TIFF* out, uint8* buf,
93 stripsize = TIFFVStripSize(out, nrows);
94 src = buf + (row * rowsize);
95 total_bytes += stripsize;
96- memset (obuf, '\0', rowstripsize);
97+ memset (obuf, '\0',rowstripsize + NUM_BUFF_OVERSIZE_BYTES);
98 if (extractContigSamplesToBuffer(obuf, src, nrows, width, s, spp, bps, dump))
99 {
100 _TIFFfree(obuf);
101@@ -1202,10 +1208,15 @@ writeBufferToSeparateStrips (TIFF* out, uint8* buf,
102 }
103 if ((dump->outfile != NULL) && (dump->level == 1))
104 {
105- dump_info(dump->outfile, dump->format,"",
106+ if ((uint64_t)scanlinesize > 0x0ffffffffULL) {
107+ dump_info(dump->infile, dump->format, "loadImage",
108+ "Attention: scanlinesize %"PRIu64" is larger than UINT32_MAX.\nFollowing dump might be wrong.",
109+ (uint64_t)scanlinesize);
110+ }
111+ dump_info(dump->outfile, dump->format,"",
112 "Sample %2d, Strip: %2d, bytes: %4d, Row %4d, bytes: %4d, Input offset: %6d",
113- s + 1, strip + 1, stripsize, row + 1, scanlinesize, src - buf);
114- dump_buffer(dump->outfile, dump->format, nrows, scanlinesize, row, obuf);
115+ s + 1, strip + 1, stripsize, row + 1, (uint32)scanlinesize, src - buf);
116+ dump_buffer(dump->outfile, dump->format, nrows, (uint32)scanlinesize, row, obuf);
117 }
118
119 if (TIFFWriteEncodedStrip(out, strip++, obuf, stripsize) < 0)
120@@ -1232,7 +1243,7 @@ static int writeBufferToContigTiles (TIFF* out, uint8* buf, uint32 imagelength,
121 uint32 tl, tw;
122 uint32 row, col, nrow, ncol;
123 uint32 src_rowsize, col_offset;
124- uint32 tile_rowsize = TIFFTileRowSize(out);
125+ tmsize_t tile_rowsize = TIFFTileRowSize(out);
126 uint8* bufp = (uint8*) buf;
127 tsize_t tile_buffsize = 0;
128 tsize_t tilesize = TIFFTileSize(out);
129@@ -1275,9 +1286,11 @@ static int writeBufferToContigTiles (TIFF* out, uint8* buf, uint32 imagelength,
130 }
131 src_rowsize = ((imagewidth * spp * bps) + 7U) / 8;
132
133- tilebuf = _TIFFmalloc(tile_buffsize);
134+ /* Add 3 padding bytes for extractContigSamples32bits */
135+ tilebuf = _TIFFmalloc(tile_buffsize + NUM_BUFF_OVERSIZE_BYTES);
136 if (tilebuf == 0)
137 return 1;
138+ memset(tilebuf, 0, tile_buffsize + NUM_BUFF_OVERSIZE_BYTES);
139 for (row = 0; row < imagelength; row += tl)
140 {
141 nrow = (row + tl > imagelength) ? imagelength - row : tl;
142@@ -1323,7 +1336,8 @@ static int writeBufferToSeparateTiles (TIFF* out, uint8* buf, uint32 imagelength
143 uint32 imagewidth, tsample_t spp,
144 struct dump_opts * dump)
145 {
146- tdata_t obuf = _TIFFmalloc(TIFFTileSize(out));
147+ /* Add 3 padding bytes for extractContigSamples32bits */
148+ tdata_t obuf = _TIFFmalloc(TIFFTileSize(out) + NUM_BUFF_OVERSIZE_BYTES);
149 uint32 tl, tw;
150 uint32 row, col, nrow, ncol;
151 uint32 src_rowsize, col_offset;
152@@ -1333,6 +1347,7 @@ static int writeBufferToSeparateTiles (TIFF* out, uint8* buf, uint32 imagelength
153
154 if (obuf == NULL)
155 return 1;
156+ memset(obuf, 0, TIFFTileSize(out) + NUM_BUFF_OVERSIZE_BYTES);
157
158 TIFFGetField(out, TIFFTAG_TILELENGTH, &tl);
159 TIFFGetField(out, TIFFTAG_TILEWIDTH, &tw);
160@@ -1754,14 +1769,14 @@ void process_command_opts (int argc, char *argv[], char *mp, char *mode, uint32
161
162 *opt_offset = '\0';
163 /* convert option to lowercase */
164- end = strlen (opt_ptr);
165+ end = (unsigned int)strlen (opt_ptr);
166 for (i = 0; i < end; i++)
167 *(opt_ptr + i) = tolower((int) *(opt_ptr + i));
168 /* Look for dump format specification */
169 if (strncmp(opt_ptr, "for", 3) == 0)
170 {
171 /* convert value to lowercase */
172- end = strlen (opt_offset + 1);
173+ end = (unsigned int)strlen (opt_offset + 1);
174 for (i = 1; i <= end; i++)
175 *(opt_offset + i) = tolower((int) *(opt_offset + i));
176 /* check dump format value */
177@@ -2213,6 +2228,8 @@ main(int argc, char* argv[])
178 size_t length;
179 char temp_filename[PATH_MAX + 16]; /* Extra space keeps the compiler from complaining */
180
181+ assert(NUM_BUFF_OVERSIZE_BYTES >= 3);
182+
183 little_endian = *((unsigned char *)&little_endian) & '1';
184
185 initImageData(&image);
186@@ -3114,13 +3131,13 @@ extractContigSamples32bits (uint8 *in, uint8 *out, uint32 cols,
187 /* If we have a full buffer's worth, write it out */
188 if (ready_bits >= 32)
189 {
190- bytebuff1 = (buff2 >> 56);
191+ bytebuff1 = (uint8)(buff2 >> 56);
192 *dst++ = bytebuff1;
193- bytebuff2 = (buff2 >> 48);
194+ bytebuff2 = (uint8)(buff2 >> 48);
195 *dst++ = bytebuff2;
196- bytebuff3 = (buff2 >> 40);
197+ bytebuff3 = (uint8)(buff2 >> 40);
198 *dst++ = bytebuff3;
199- bytebuff4 = (buff2 >> 32);
200+ bytebuff4 = (uint8)(buff2 >> 32);
201 *dst++ = bytebuff4;
202 ready_bits -= 32;
203
204@@ -3495,13 +3512,13 @@ extractContigSamplesShifted32bits (uint8 *in, uint8 *out, uint32 cols,
205 }
206 else /* If we have a full buffer's worth, write it out */
207 {
208- bytebuff1 = (buff2 >> 56);
209+ bytebuff1 = (uint8)(buff2 >> 56);
210 *dst++ = bytebuff1;
211- bytebuff2 = (buff2 >> 48);
212+ bytebuff2 = (uint8)(buff2 >> 48);
213 *dst++ = bytebuff2;
214- bytebuff3 = (buff2 >> 40);
215+ bytebuff3 = (uint8)(buff2 >> 40);
216 *dst++ = bytebuff3;
217- bytebuff4 = (buff2 >> 32);
218+ bytebuff4 = (uint8)(buff2 >> 32);
219 *dst++ = bytebuff4;
220 ready_bits -= 32;
221
222@@ -3678,10 +3695,10 @@ extractContigSamplesToTileBuffer(uint8 *out, uint8 *in, uint32 rows, uint32 cols
223 static int readContigStripsIntoBuffer (TIFF* in, uint8* buf)
224 {
225 uint8* bufp = buf;
226- int32 bytes_read = 0;
227+ tmsize_t bytes_read = 0;
228 uint32 strip, nstrips = TIFFNumberOfStrips(in);
229- uint32 stripsize = TIFFStripSize(in);
230- uint32 rows = 0;
231+ tmsize_t stripsize = TIFFStripSize(in);
232+ tmsize_t rows = 0;
233 uint32 rps = TIFFGetFieldDefaulted(in, TIFFTAG_ROWSPERSTRIP, &rps);
234 tsize_t scanline_size = TIFFScanlineSize(in);
235
236@@ -3694,13 +3711,12 @@ static int readContigStripsIntoBuffer (TIFF* in, uint8* buf)
237 bytes_read = TIFFReadEncodedStrip (in, strip, bufp, -1);
238 rows = bytes_read / scanline_size;
239 if ((strip < (nstrips - 1)) && (bytes_read != (int32)stripsize))
240- TIFFError("", "Strip %d: read %lu bytes, strip size %lu",
241- (int)strip + 1, (unsigned long) bytes_read,
242- (unsigned long)stripsize);
243+ TIFFError("", "Strip %"PRIu32": read %"PRId64" bytes, strip size %"PRIu64,
244+ strip + 1, bytes_read, stripsize);
245
246 if (bytes_read < 0 && !ignore) {
247- TIFFError("", "Error reading strip %lu after %lu rows",
248- (unsigned long) strip, (unsigned long)rows);
249+ TIFFError("", "Error reading strip %"PRIu32" after %"PRIu64" rows",
250+ strip, rows);
251 return 0;
252 }
253 bufp += stripsize;
254@@ -4164,13 +4180,13 @@ combineSeparateSamples32bits (uint8 *in[], uint8 *out, uint32 cols,
255 /* If we have a full buffer's worth, write it out */
256 if (ready_bits >= 32)
257 {
258- bytebuff1 = (buff2 >> 56);
259+ bytebuff1 = (uint8)(buff2 >> 56);
260 *dst++ = bytebuff1;
261- bytebuff2 = (buff2 >> 48);
262+ bytebuff2 = (uint8)(buff2 >> 48);
263 *dst++ = bytebuff2;
264- bytebuff3 = (buff2 >> 40);
265+ bytebuff3 = (uint8)(buff2 >> 40);
266 *dst++ = bytebuff3;
267- bytebuff4 = (buff2 >> 32);
268+ bytebuff4 = (uint8)(buff2 >> 32);
269 *dst++ = bytebuff4;
270 ready_bits -= 32;
271
272@@ -4213,10 +4229,10 @@ combineSeparateSamples32bits (uint8 *in[], uint8 *out, uint32 cols,
273 "Row %3d, Col %3d, Src byte offset %3d bit offset %2d Dst offset %3d",
274 row + 1, col + 1, src_byte, src_bit, dst - out);
275
276- dump_long (dumpfile, format, "Match bits ", matchbits);
277+ dump_wide (dumpfile, format, "Match bits ", matchbits);
278 dump_data (dumpfile, format, "Src bits ", src, 4);
279- dump_long (dumpfile, format, "Buff1 bits ", buff1);
280- dump_long (dumpfile, format, "Buff2 bits ", buff2);
281+ dump_wide (dumpfile, format, "Buff1 bits ", buff1);
282+ dump_wide (dumpfile, format, "Buff2 bits ", buff2);
283 dump_byte (dumpfile, format, "Write bits1", bytebuff1);
284 dump_byte (dumpfile, format, "Write bits2", bytebuff2);
285 dump_info (dumpfile, format, "", "Ready bits: %2d", ready_bits);
286@@ -4689,13 +4705,13 @@ combineSeparateTileSamples32bits (uint8 *in[], uint8 *out, uint32 cols,
287 /* If we have a full buffer's worth, write it out */
288 if (ready_bits >= 32)
289 {
290- bytebuff1 = (buff2 >> 56);
291+ bytebuff1 = (uint8)(buff2 >> 56);
292 *dst++ = bytebuff1;
293- bytebuff2 = (buff2 >> 48);
294+ bytebuff2 = (uint8)(buff2 >> 48);
295 *dst++ = bytebuff2;
296- bytebuff3 = (buff2 >> 40);
297+ bytebuff3 = (uint8)(buff2 >> 40);
298 *dst++ = bytebuff3;
299- bytebuff4 = (buff2 >> 32);
300+ bytebuff4 = (uint8)(buff2 >> 32);
301 *dst++ = bytebuff4;
302 ready_bits -= 32;
303
304@@ -4738,10 +4754,10 @@ combineSeparateTileSamples32bits (uint8 *in[], uint8 *out, uint32 cols,
305 "Row %3d, Col %3d, Src byte offset %3d bit offset %2d Dst offset %3d",
306 row + 1, col + 1, src_byte, src_bit, dst - out);
307
308- dump_long (dumpfile, format, "Match bits ", matchbits);
309+ dump_wide (dumpfile, format, "Match bits ", matchbits);
310 dump_data (dumpfile, format, "Src bits ", src, 4);
311- dump_long (dumpfile, format, "Buff1 bits ", buff1);
312- dump_long (dumpfile, format, "Buff2 bits ", buff2);
313+ dump_wide (dumpfile, format, "Buff1 bits ", buff1);
314+ dump_wide (dumpfile, format, "Buff2 bits ", buff2);
315 dump_byte (dumpfile, format, "Write bits1", bytebuff1);
316 dump_byte (dumpfile, format, "Write bits2", bytebuff2);
317 dump_info (dumpfile, format, "", "Ready bits: %2d", ready_bits);
318@@ -4764,7 +4780,7 @@ static int readSeparateStripsIntoBuffer (TIFF *in, uint8 *obuf, uint32 length,
319 {
320 int i, bytes_per_sample, bytes_per_pixel, shift_width, result = 1;
321 uint32 j;
322- int32 bytes_read = 0;
323+ tmsize_t bytes_read = 0;
324 uint16 bps = 0, planar;
325 uint32 nstrips;
326 uint32 strips_per_sample;
327@@ -4830,7 +4846,7 @@ static int readSeparateStripsIntoBuffer (TIFF *in, uint8 *obuf, uint32 length,
328 for (s = 0; (s < spp) && (s < MAX_SAMPLES); s++)
329 {
330 srcbuffs[s] = NULL;
331- buff = _TIFFmalloc(stripsize + 3);
332+ buff = _TIFFmalloc(stripsize + NUM_BUFF_OVERSIZE_BYTES);
333 if (!buff)
334 {
335 TIFFError ("readSeparateStripsIntoBuffer",
336@@ -4853,7 +4869,7 @@ static int readSeparateStripsIntoBuffer (TIFF *in, uint8 *obuf, uint32 length,
337 buff = srcbuffs[s];
338 strip = (s * strips_per_sample) + j;
339 bytes_read = TIFFReadEncodedStrip (in, strip, buff, stripsize);
340- rows_this_strip = bytes_read / src_rowsize;
341+ rows_this_strip = (uint32)(bytes_read / src_rowsize);
342 if (bytes_read < 0 && !ignore)
343 {
344 TIFFError(TIFFFileName(in),
345@@ -5860,13 +5876,14 @@ loadImage(TIFF* in, struct image_data *image, struct dump_opts *dump, unsigned c
346 uint16 input_compression = 0, input_photometric = 0;
347 uint16 subsampling_horiz, subsampling_vert;
348 uint32 width = 0, length = 0;
349- uint32 stsize = 0, tlsize = 0, buffsize = 0, scanlinesize = 0;
350+ tmsize_t stsize = 0, tlsize = 0, buffsize = 0;
351+ tmsize_t scanlinesize = 0;
352 uint32 tw = 0, tl = 0; /* Tile width and length */
353- uint32 tile_rowsize = 0;
354+ tmsize_t tile_rowsize = 0;
355 unsigned char *read_buff = NULL;
356 unsigned char *new_buff = NULL;
357 int readunit = 0;
358- static uint32 prev_readsize = 0;
359+ static tmsize_t prev_readsize = 0;
360
361 TIFFGetFieldDefaulted(in, TIFFTAG_BITSPERSAMPLE, &bps);
362 TIFFGetFieldDefaulted(in, TIFFTAG_SAMPLESPERPIXEL, &spp);
363@@ -6168,7 +6185,7 @@ loadImage(TIFF* in, struct image_data *image, struct dump_opts *dump, unsigned c
364 TIFFError("loadImage", "Unable to allocate/reallocate read buffer");
365 return (-1);
366 }
367- read_buff = (unsigned char *)_TIFFmalloc(buffsize+3);
368+ read_buff = (unsigned char *)_TIFFmalloc(buffsize + NUM_BUFF_OVERSIZE_BYTES);
369 }
370 else
371 {
372@@ -6179,11 +6196,11 @@ loadImage(TIFF* in, struct image_data *image, struct dump_opts *dump, unsigned c
373 TIFFError("loadImage", "Unable to allocate/reallocate read buffer");
374 return (-1);
375 }
376- new_buff = _TIFFrealloc(read_buff, buffsize+3);
377+ new_buff = _TIFFrealloc(read_buff, buffsize + NUM_BUFF_OVERSIZE_BYTES);
378 if (!new_buff)
379 {
380 free (read_buff);
381- read_buff = (unsigned char *)_TIFFmalloc(buffsize+3);
382+ read_buff = (unsigned char *)_TIFFmalloc(buffsize + NUM_BUFF_OVERSIZE_BYTES);
383 }
384 else
385 read_buff = new_buff;
386@@ -6256,8 +6273,13 @@ loadImage(TIFF* in, struct image_data *image, struct dump_opts *dump, unsigned c
387 dump_info (dump->infile, dump->format, "",
388 "Bits per sample %d, Samples per pixel %d", bps, spp);
389
390+ if ((uint64_t)scanlinesize > 0x0ffffffffULL) {
391+ dump_info(dump->infile, dump->format, "loadImage",
392+ "Attention: scanlinesize %"PRIu64" is larger than UINT32_MAX.\nFollowing dump might be wrong.",
393+ (uint64_t)scanlinesize);
394+ }
395 for (i = 0; i < length; i++)
396- dump_buffer(dump->infile, dump->format, 1, scanlinesize,
397+ dump_buffer(dump->infile, dump->format, 1, (uint32)scanlinesize,
398 i, read_buff + (i * scanlinesize));
399 }
400 return (0);
401@@ -7277,13 +7299,13 @@ writeSingleSection(TIFF *in, TIFF *out, struct image_data *image,
402 if (TIFFGetField(in, TIFFTAG_NUMBEROFINKS, &ninks)) {
403 TIFFSetField(out, TIFFTAG_NUMBEROFINKS, ninks);
404 if (TIFFGetField(in, TIFFTAG_INKNAMES, &inknames)) {
405- int inknameslen = strlen(inknames) + 1;
406+ int inknameslen = (int)strlen(inknames) + 1;
407 const char* cp = inknames;
408 while (ninks > 1) {
409 cp = strchr(cp, '\0');
410 if (cp) {
411 cp++;
412- inknameslen += (strlen(cp) + 1);
413+ inknameslen += ((int)strlen(cp) + 1);
414 }
415 ninks--;
416 }
417@@ -7346,23 +7368,23 @@ createImageSection(uint32 sectsize, unsigned char **sect_buff_ptr)
418
419 if (!sect_buff)
420 {
421- sect_buff = (unsigned char *)_TIFFmalloc(sectsize);
422+ sect_buff = (unsigned char *)_TIFFmalloc(sectsize + NUM_BUFF_OVERSIZE_BYTES);
423 if (!sect_buff)
424 {
425 TIFFError("createImageSection", "Unable to allocate/reallocate section buffer");
426 return (-1);
427 }
428- _TIFFmemset(sect_buff, 0, sectsize);
429+ _TIFFmemset(sect_buff, 0, sectsize + NUM_BUFF_OVERSIZE_BYTES);
430 }
431 else
432 {
433 if (prev_sectsize < sectsize)
434 {
435- new_buff = _TIFFrealloc(sect_buff, sectsize);
436+ new_buff = _TIFFrealloc(sect_buff, sectsize + NUM_BUFF_OVERSIZE_BYTES);
437 if (!new_buff)
438 {
439 free (sect_buff);
440- sect_buff = (unsigned char *)_TIFFmalloc(sectsize);
441+ sect_buff = (unsigned char *)_TIFFmalloc(sectsize + NUM_BUFF_OVERSIZE_BYTES);
442 }
443 else
444 sect_buff = new_buff;
445@@ -7372,7 +7394,7 @@ createImageSection(uint32 sectsize, unsigned char **sect_buff_ptr)
446 TIFFError("createImageSection", "Unable to allocate/reallocate section buffer");
447 return (-1);
448 }
449- _TIFFmemset(sect_buff, 0, sectsize);
450+ _TIFFmemset(sect_buff, 0, sectsize + NUM_BUFF_OVERSIZE_BYTES);
451 }
452 }
453
454@@ -7403,17 +7425,17 @@ processCropSelections(struct image_data *image, struct crop_mask *crop,
455 cropsize = crop->bufftotal;
456 crop_buff = seg_buffs[0].buffer;
457 if (!crop_buff)
458- crop_buff = (unsigned char *)_TIFFmalloc(cropsize);
459+ crop_buff = (unsigned char *)_TIFFmalloc(cropsize + NUM_BUFF_OVERSIZE_BYTES);
460 else
461 {
462 prev_cropsize = seg_buffs[0].size;
463 if (prev_cropsize < cropsize)
464 {
465- next_buff = _TIFFrealloc(crop_buff, cropsize);
466+ next_buff = _TIFFrealloc(crop_buff, cropsize + NUM_BUFF_OVERSIZE_BYTES);
467 if (! next_buff)
468 {
469 _TIFFfree (crop_buff);
470- crop_buff = (unsigned char *)_TIFFmalloc(cropsize);
471+ crop_buff = (unsigned char *)_TIFFmalloc(cropsize + NUM_BUFF_OVERSIZE_BYTES);
472 }
473 else
474 crop_buff = next_buff;
475@@ -7426,7 +7448,7 @@ processCropSelections(struct image_data *image, struct crop_mask *crop,
476 return (-1);
477 }
478
479- _TIFFmemset(crop_buff, 0, cropsize);
480+ _TIFFmemset(crop_buff, 0, cropsize + NUM_BUFF_OVERSIZE_BYTES);
481 seg_buffs[0].buffer = crop_buff;
482 seg_buffs[0].size = cropsize;
483
484@@ -7505,17 +7527,17 @@ processCropSelections(struct image_data *image, struct crop_mask *crop,
485 cropsize = crop->bufftotal;
486 crop_buff = seg_buffs[i].buffer;
487 if (!crop_buff)
488- crop_buff = (unsigned char *)_TIFFmalloc(cropsize);
489+ crop_buff = (unsigned char *)_TIFFmalloc(cropsize + NUM_BUFF_OVERSIZE_BYTES);
490 else
491 {
492 prev_cropsize = seg_buffs[0].size;
493 if (prev_cropsize < cropsize)
494 {
495- next_buff = _TIFFrealloc(crop_buff, cropsize);
496+ next_buff = _TIFFrealloc(crop_buff, cropsize + NUM_BUFF_OVERSIZE_BYTES);
497 if (! next_buff)
498 {
499 _TIFFfree (crop_buff);
500- crop_buff = (unsigned char *)_TIFFmalloc(cropsize);
501+ crop_buff = (unsigned char *)_TIFFmalloc(cropsize + NUM_BUFF_OVERSIZE_BYTES);
502 }
503 else
504 crop_buff = next_buff;
505@@ -7528,7 +7550,7 @@ processCropSelections(struct image_data *image, struct crop_mask *crop,
506 return (-1);
507 }
508
509- _TIFFmemset(crop_buff, 0, cropsize);
510+ _TIFFmemset(crop_buff, 0, cropsize + NUM_BUFF_OVERSIZE_BYTES);
511 seg_buffs[i].buffer = crop_buff;
512 seg_buffs[i].size = cropsize;
513
514@@ -7641,24 +7663,24 @@ createCroppedImage(struct image_data *image, struct crop_mask *crop,
515 crop_buff = *crop_buff_ptr;
516 if (!crop_buff)
517 {
518- crop_buff = (unsigned char *)_TIFFmalloc(cropsize);
519+ crop_buff = (unsigned char *)_TIFFmalloc(cropsize + NUM_BUFF_OVERSIZE_BYTES);
520 if (!crop_buff)
521 {
522 TIFFError("createCroppedImage", "Unable to allocate/reallocate crop buffer");
523 return (-1);
524 }
525- _TIFFmemset(crop_buff, 0, cropsize);
526+ _TIFFmemset(crop_buff, 0, cropsize + NUM_BUFF_OVERSIZE_BYTES);
527 prev_cropsize = cropsize;
528 }
529 else
530 {
531 if (prev_cropsize < cropsize)
532 {
533- new_buff = _TIFFrealloc(crop_buff, cropsize);
534+ new_buff = _TIFFrealloc(crop_buff, cropsize + NUM_BUFF_OVERSIZE_BYTES);
535 if (!new_buff)
536 {
537 free (crop_buff);
538- crop_buff = (unsigned char *)_TIFFmalloc(cropsize);
539+ crop_buff = (unsigned char *)_TIFFmalloc(cropsize + NUM_BUFF_OVERSIZE_BYTES);
540 }
541 else
542 crop_buff = new_buff;
543@@ -7667,7 +7689,7 @@ createCroppedImage(struct image_data *image, struct crop_mask *crop,
544 TIFFError("createCroppedImage", "Unable to allocate/reallocate crop buffer");
545 return (-1);
546 }
547- _TIFFmemset(crop_buff, 0, cropsize);
548+ _TIFFmemset(crop_buff, 0, cropsize + NUM_BUFF_OVERSIZE_BYTES);
549 }
550 }
551
552@@ -7965,13 +7987,13 @@ writeCroppedImage(TIFF *in, TIFF *out, struct image_data *image,
553 if (TIFFGetField(in, TIFFTAG_NUMBEROFINKS, &ninks)) {
554 TIFFSetField(out, TIFFTAG_NUMBEROFINKS, ninks);
555 if (TIFFGetField(in, TIFFTAG_INKNAMES, &inknames)) {
556- int inknameslen = strlen(inknames) + 1;
557+ int inknameslen = (int)strlen(inknames) + 1;
558 const char* cp = inknames;
559 while (ninks > 1) {
560 cp = strchr(cp, '\0');
561 if (cp) {
562 cp++;
563- inknameslen += (strlen(cp) + 1);
564+ inknameslen += ((int)strlen(cp) + 1);
565 }
566 ninks--;
567 }
568@@ -8356,13 +8378,13 @@ rotateContigSamples32bits(uint16 rotation, uint16 spp, uint16 bps, uint32 width,
569 }
570 else /* If we have a full buffer's worth, write it out */
571 {
572- bytebuff1 = (buff2 >> 56);
573+ bytebuff1 = (uint8)(buff2 >> 56);
574 *dst++ = bytebuff1;
575- bytebuff2 = (buff2 >> 48);
576+ bytebuff2 = (uint8)(buff2 >> 48);
577 *dst++ = bytebuff2;
578- bytebuff3 = (buff2 >> 40);
579+ bytebuff3 = (uint8)(buff2 >> 40);
580 *dst++ = bytebuff3;
581- bytebuff4 = (buff2 >> 32);
582+ bytebuff4 = (uint8)(buff2 >> 32);
583 *dst++ = bytebuff4;
584 ready_bits -= 32;
585
586@@ -8431,12 +8453,13 @@ rotateImage(uint16 rotation, struct image_data *image, uint32 *img_width,
587 return (-1);
588 }
589
590- if (!(rbuff = (unsigned char *)_TIFFmalloc(buffsize)))
591+ /* Add 3 padding bytes for extractContigSamplesShifted32bits */
592+ if (!(rbuff = (unsigned char *)_TIFFmalloc(buffsize + NUM_BUFF_OVERSIZE_BYTES)))
593 {
594- TIFFError("rotateImage", "Unable to allocate rotation buffer of %1u bytes", buffsize);
595+ TIFFError("rotateImage", "Unable to allocate rotation buffer of %1u bytes", buffsize + NUM_BUFF_OVERSIZE_BYTES);
596 return (-1);
597 }
598- _TIFFmemset(rbuff, '\0', buffsize);
599+ _TIFFmemset(rbuff, '\0', buffsize + NUM_BUFF_OVERSIZE_BYTES);
600
601 ibuff = *ibuff_ptr;
602 switch (rotation)
603@@ -8964,13 +8987,13 @@ reverseSamples32bits (uint16 spp, uint16 bps, uint32 width,
604 }
605 else /* If we have a full buffer's worth, write it out */
606 {
607- bytebuff1 = (buff2 >> 56);
608+ bytebuff1 = (uint8)(buff2 >> 56);
609 *dst++ = bytebuff1;
610- bytebuff2 = (buff2 >> 48);
611+ bytebuff2 = (uint8)(buff2 >> 48);
612 *dst++ = bytebuff2;
613- bytebuff3 = (buff2 >> 40);
614+ bytebuff3 = (uint8)(buff2 >> 40);
615 *dst++ = bytebuff3;
616- bytebuff4 = (buff2 >> 32);
617+ bytebuff4 = (uint8)(buff2 >> 32);
618 *dst++ = bytebuff4;
619 ready_bits -= 32;
620
621@@ -9061,12 +9084,13 @@ mirrorImage(uint16 spp, uint16 bps, uint16 mirror, uint32 width, uint32 length,
622 {
623 case MIRROR_BOTH:
624 case MIRROR_VERT:
625- line_buff = (unsigned char *)_TIFFmalloc(rowsize);
626+ line_buff = (unsigned char *)_TIFFmalloc(rowsize + NUM_BUFF_OVERSIZE_BYTES);
627 if (line_buff == NULL)
628 {
629- TIFFError ("mirrorImage", "Unable to allocate mirror line buffer of %1u bytes", rowsize);
630+ TIFFError ("mirrorImage", "Unable to allocate mirror line buffer of %1u bytes", rowsize + NUM_BUFF_OVERSIZE_BYTES);
631 return (-1);
632 }
633+ _TIFFmemset(line_buff, '\0', rowsize + NUM_BUFF_OVERSIZE_BYTES);
634
635 dst = ibuff + (rowsize * (length - 1));
636 for (row = 0; row < length / 2; row++)
637@@ -9098,11 +9122,12 @@ mirrorImage(uint16 spp, uint16 bps, uint16 mirror, uint32 width, uint32 length,
638 }
639 else
640 { /* non 8 bit per sample data */
641- if (!(line_buff = (unsigned char *)_TIFFmalloc(rowsize + 1)))
642+ if (!(line_buff = (unsigned char *)_TIFFmalloc(rowsize + NUM_BUFF_OVERSIZE_BYTES)))
643 {
644 TIFFError("mirrorImage", "Unable to allocate mirror line buffer");
645 return (-1);
646 }
647+ _TIFFmemset(line_buff, '\0', rowsize + NUM_BUFF_OVERSIZE_BYTES);
648 bytes_per_sample = (bps + 7) / 8;
649 bytes_per_pixel = ((bps * spp) + 7) / 8;
650 if (bytes_per_pixel < (bytes_per_sample + 1))
651@@ -9114,7 +9139,7 @@ mirrorImage(uint16 spp, uint16 bps, uint16 mirror, uint32 width, uint32 length,
652 {
653 row_offset = row * rowsize;
654 src = ibuff + row_offset;
655- _TIFFmemset (line_buff, '\0', rowsize);
656+ _TIFFmemset (line_buff, '\0', rowsize + NUM_BUFF_OVERSIZE_BYTES);
657 switch (shift_width)
658 {
659 case 1: if (reverseSamples16bits(spp, bps, width, src, line_buff))
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2022-3597_3626_3627.patch b/meta/recipes-multimedia/libtiff/files/CVE-2022-3597_3626_3627.patch
new file mode 100644
index 0000000000..18a4b4e0ff
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2022-3597_3626_3627.patch
@@ -0,0 +1,123 @@
1From f7c06c395daf1b2c52ab431e00db2d9fc2ac993e Mon Sep 17 00:00:00 2001
2From: Su Laus <sulau@freenet.de>
3Date: Tue, 10 May 2022 20:03:17 +0000
4Subject: [PATCH] tiffcrop: Fix issue #330 and some more from 320 to 349
5
6Upstream-Status: Backport [import from debian http://security.debian.org/debian-security/pool/updates/main/t/tiff/tiff_4.1.0+git191117-2~deb10u7.debian.tar.xz ]
7CVE: CVE-2022-3597 CVE-2022-3626 CVE-2022-3627
8Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
9
10Origin: https://gitlab.com/libtiff/libtiff/-/commit/e319508023580e2f70e6e626f745b5b2a1707313
11Origin: https://gitlab.com/libtiff/libtiff/-/commit/8fe3735942ea1d90d8cef843b55b3efe8ab6feaf
12Origin: https://gitlab.com/libtiff/libtiff/-/commit/bad48e90b410df32172006c7876da449ba62cdba
13Origin: https://gitlab.com/libtiff/libtiff/-/commit/236b7191f04c60d09ee836ae13b50f812c841047
14Reviewed-by: Sylvain Beucler <beuc@debian.org>
15Last-Update: 2023-01-17
16
17---
18 tools/tiffcrop.c | 50 ++++++++++++++++++++++++++++++++++++++++--------
19 1 file changed, 42 insertions(+), 8 deletions(-)
20
21diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
22index c923920..a0789a3 100644
23--- a/tools/tiffcrop.c
24+++ b/tools/tiffcrop.c
25@@ -103,7 +103,12 @@
26 * selects which functions dump data, with higher numbers selecting
27 * lower level, scanline level routines. Debug reports a limited set
28 * of messages to monitor progess without enabling dump logs.
29- */
30+ *
31+ * Note 1: The (-X|-Y), -Z, -z and -S options are mutually exclusive.
32+ * In no case should the options be applied to a given selection successively.
33+ * Note 2: Any of the -X, -Y, -Z and -z options together with other PAGE_MODE_x options
34+ * such as -H, -V, -P, -J or -K are not supported and may cause buffer overflows.
35+ */
36
37 static char tiffcrop_version_id[] = "2.4.1";
38 static char tiffcrop_rev_date[] = "03-03-2010";
39@@ -176,12 +181,12 @@ extern int getopt(int argc, char * const argv[], const char *optstring);
40 #define ROTATECW_270 32
41 #define ROTATE_ANY (ROTATECW_90 | ROTATECW_180 | ROTATECW_270)
42
43-#define CROP_NONE 0
44-#define CROP_MARGINS 1
45-#define CROP_WIDTH 2
46-#define CROP_LENGTH 4
47-#define CROP_ZONES 8
48-#define CROP_REGIONS 16
49+#define CROP_NONE 0 /* "-S" -> Page_MODE_ROWSCOLS and page->rows/->cols != 0 */
50+#define CROP_MARGINS 1 /* "-m" */
51+#define CROP_WIDTH 2 /* "-X" */
52+#define CROP_LENGTH 4 /* "-Y" */
53+#define CROP_ZONES 8 /* "-Z" */
54+#define CROP_REGIONS 16 /* "-z" */
55 #define CROP_ROTATE 32
56 #define CROP_MIRROR 64
57 #define CROP_INVERT 128
58@@ -323,7 +328,7 @@ struct crop_mask {
59 #define PAGE_MODE_RESOLUTION 1
60 #define PAGE_MODE_PAPERSIZE 2
61 #define PAGE_MODE_MARGINS 4
62-#define PAGE_MODE_ROWSCOLS 8
63+#define PAGE_MODE_ROWSCOLS 8 /* for -S option */
64
65 #define INVERT_DATA_ONLY 10
66 #define INVERT_DATA_AND_TAG 11
67@@ -754,6 +759,12 @@ static char* usage_info[] = {
68 " The four debug/dump options are independent, though it makes little sense to",
69 " specify a dump file without specifying a detail level.",
70 " ",
71+"Note 1: The (-X|-Y), -Z, -z and -S options are mutually exclusive.",
72+" In no case should the options be applied to a given selection successively.",
73+" ",
74+"Note 2: Any of the -X, -Y, -Z and -z options together with other PAGE_MODE_x options",
75+" such as - H, -V, -P, -J or -K are not supported and may cause buffer overflows.",
76+" ",
77 NULL
78 };
79
80@@ -2112,6 +2123,27 @@ void process_command_opts (int argc, char *argv[], char *mp, char *mode, uint32
81 /*NOTREACHED*/
82 }
83 }
84+ /*-- Check for not allowed combinations (e.g. -X, -Y and -Z, -z and -S are mutually exclusive) --*/
85+ char XY, Z, R, S;
86+ XY = ((crop_data->crop_mode & CROP_WIDTH) || (crop_data->crop_mode & CROP_LENGTH)) ? 1 : 0;
87+ Z = (crop_data->crop_mode & CROP_ZONES) ? 1 : 0;
88+ R = (crop_data->crop_mode & CROP_REGIONS) ? 1 : 0;
89+ S = (page->mode & PAGE_MODE_ROWSCOLS) ? 1 : 0;
90+ if (XY + Z + R + S > 1) {
91+ TIFFError("tiffcrop input error", "The crop options(-X|-Y), -Z, -z and -S are mutually exclusive.->exit");
92+ exit(EXIT_FAILURE);
93+ }
94+
95+ /* Check for not allowed combination:
96+ * Any of the -X, -Y, -Z and -z options together with other PAGE_MODE_x options
97+ * such as -H, -V, -P, -J or -K are not supported and may cause buffer overflows.
98+. */
99+ if ((XY + Z + R > 0) && page->mode != PAGE_MODE_NONE) {
100+ TIFFError("tiffcrop input error",
101+ "Any of the crop options -X, -Y, -Z and -z together with other PAGE_MODE_x options such as - H, -V, -P, -J or -K is not supported and may cause buffer overflows..->exit");
102+ exit(EXIT_FAILURE);
103+ }
104+
105 } /* end process_command_opts */
106
107 /* Start a new output file if one has not been previously opened or
108@@ -2384,6 +2416,7 @@ main(int argc, char* argv[])
109 exit (-1);
110 }
111
112+ /* Crop input image and copy zones and regions from input image into seg_buffs or crop_buff. */
113 if (crop.selections > 0)
114 {
115 if (processCropSelections(&image, &crop, &read_buff, seg_buffs))
116@@ -2400,6 +2433,7 @@ main(int argc, char* argv[])
117 exit (-1);
118 }
119 }
120+ /* Format and write selected image parts to output file(s). */
121 if (page.mode == PAGE_MODE_NONE)
122 { /* Whole image or sections not based on output page size */
123 if (crop.selections > 0)
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2022-3599.patch b/meta/recipes-multimedia/libtiff/files/CVE-2022-3599.patch
new file mode 100644
index 0000000000..9689a99638
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2022-3599.patch
@@ -0,0 +1,277 @@
1From 01bca7e6f608da7696949fca6acda78b9935ba19 Mon Sep 17 00:00:00 2001
2From: Su_Laus <sulau@freenet.de>
3Date: Tue, 30 Aug 2022 16:56:48 +0200
4Subject: [PATCH] Revised handling of TIFFTAG_INKNAMES and related
5
6Upstream-Status: Backport [import from debian http://security.debian.org/debian-security/pool/updates/main/t/tiff/tiff_4.1.0+git191117-2~deb10u7.debian.tar.xz ]
7CVE: CVE-2022-3599
8Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
9
10Origin: https://gitlab.com/libtiff/libtiff/-/commit/e813112545942107551433d61afd16ac094ff246
11Reviewed-by: Sylvain Beucler <beuc@debian.org>
12Last-Update: 2023-01-17
13
14 TIFFTAG_NUMBEROFINKS value
15
16In order to solve the buffer overflow issues related to TIFFTAG_INKNAMES and related TIFFTAG_NUMBEROFINKS value, a revised handling of those tags within LibTiff is proposed:
17
18Behaviour for writing:
19 `NumberOfInks` MUST fit to the number of inks in the `InkNames` string.
20 `NumberOfInks` is automatically set when `InkNames` is set.
21 If `NumberOfInks` is different to the number of inks within `InkNames` string, that will be corrected and a warning is issued.
22 If `NumberOfInks` is not equal to samplesperpixel only a warning will be issued.
23
24Behaviour for reading:
25 When reading `InkNames` from a TIFF file, the `NumberOfInks` will be set automatically to the number of inks in `InkNames` string.
26 If `NumberOfInks` is different to the number of inks within `InkNames` string, that will be corrected and a warning is issued.
27 If `NumberOfInks` is not equal to samplesperpixel only a warning will be issued.
28
29This allows the safe use of the NumberOfInks value to read out the InkNames without buffer overflow
30
31This MR will close the following issues: #149, #150, #152, #168 (to be checked), #250, #269, #398 and #456.
32
33It also fixes the old bug at http://bugzilla.maptools.org/show_bug.cgi?id=2599, for which the limitation of `NumberOfInks = SPP` was introduced, which is in my opinion not necessary and does not solve the general issue.
34
35---
36 libtiff/tif_dir.c | 120 ++++++++++++++++++++++++-----------------
37 libtiff/tif_dir.h | 2 +
38 libtiff/tif_dirinfo.c | 2 +-
39 libtiff/tif_dirwrite.c | 5 ++
40 libtiff/tif_print.c | 4 ++
41 5 files changed, 83 insertions(+), 50 deletions(-)
42
43diff --git a/libtiff/tif_dir.c b/libtiff/tif_dir.c
44index 39aeeb4..9d8267a 100644
45--- a/libtiff/tif_dir.c
46+++ b/libtiff/tif_dir.c
47@@ -29,6 +29,7 @@
48 * (and also some miscellaneous stuff)
49 */
50 #include "tiffiop.h"
51+# include <inttypes.h>
52
53 /*
54 * These are used in the backwards compatibility code...
55@@ -137,32 +138,30 @@ setExtraSamples(TIFF* tif, va_list ap, uint32* v)
56 }
57
58 /*
59- * Confirm we have "samplesperpixel" ink names separated by \0. Returns
60+ * Count ink names separated by \0. Returns
61 * zero if the ink names are not as expected.
62 */
63-static uint32
64-checkInkNamesString(TIFF* tif, uint32 slen, const char* s)
65+static uint16
66+countInkNamesString(TIFF *tif, uint32 slen, const char *s)
67 {
68- TIFFDirectory* td = &tif->tif_dir;
69- uint16 i = td->td_samplesperpixel;
70+ uint16 i = 0;
71+ const char *ep = s + slen;
72+ const char *cp = s;
73
74 if (slen > 0) {
75- const char* ep = s+slen;
76- const char* cp = s;
77- for (; i > 0; i--) {
78+ do {
79 for (; cp < ep && *cp != '\0'; cp++) {}
80 if (cp >= ep)
81 goto bad;
82 cp++; /* skip \0 */
83- }
84- return ((uint32)(cp-s));
85+ i++;
86+ } while (cp < ep);
87+ return (i);
88 }
89 bad:
90 TIFFErrorExt(tif->tif_clientdata, "TIFFSetField",
91- "%s: Invalid InkNames value; expecting %d names, found %d",
92- tif->tif_name,
93- td->td_samplesperpixel,
94- td->td_samplesperpixel-i);
95+ "%s: Invalid InkNames value; no NUL at given buffer end location %"PRIu32", after %"PRIu16" ink",
96+ tif->tif_name, slen, i);
97 return (0);
98 }
99
100@@ -476,13 +475,61 @@ _TIFFVSetField(TIFF* tif, uint32 tag, va_list ap)
101 _TIFFsetFloatArray(&td->td_refblackwhite, va_arg(ap, float*), 6);
102 break;
103 case TIFFTAG_INKNAMES:
104- v = (uint16) va_arg(ap, uint16_vap);
105- s = va_arg(ap, char*);
106- v = checkInkNamesString(tif, v, s);
107- status = v > 0;
108- if( v > 0 ) {
109- _TIFFsetNString(&td->td_inknames, s, v);
110- td->td_inknameslen = v;
111+ {
112+ v = (uint16) va_arg(ap, uint16_vap);
113+ s = va_arg(ap, char*);
114+ uint16 ninksinstring;
115+ ninksinstring = countInkNamesString(tif, v, s);
116+ status = ninksinstring > 0;
117+ if(ninksinstring > 0 ) {
118+ _TIFFsetNString(&td->td_inknames, s, v);
119+ td->td_inknameslen = v;
120+ /* Set NumberOfInks to the value ninksinstring */
121+ if (TIFFFieldSet(tif, FIELD_NUMBEROFINKS))
122+ {
123+ if (td->td_numberofinks != ninksinstring) {
124+ TIFFErrorExt(tif->tif_clientdata, module,
125+ "Warning %s; Tag %s:\n Value %"PRIu16" of NumberOfInks is different from the number of inks %"PRIu16".\n -> NumberOfInks value adapted to %"PRIu16"",
126+ tif->tif_name, fip->field_name, td->td_numberofinks, ninksinstring, ninksinstring);
127+ td->td_numberofinks = ninksinstring;
128+ }
129+ } else {
130+ td->td_numberofinks = ninksinstring;
131+ TIFFSetFieldBit(tif, FIELD_NUMBEROFINKS);
132+ }
133+ if (TIFFFieldSet(tif, FIELD_SAMPLESPERPIXEL))
134+ {
135+ if (td->td_numberofinks != td->td_samplesperpixel) {
136+ TIFFErrorExt(tif->tif_clientdata, module,
137+ "Warning %s; Tag %s:\n Value %"PRIu16" of NumberOfInks is different from the SamplesPerPixel value %"PRIu16"",
138+ tif->tif_name, fip->field_name, td->td_numberofinks, td->td_samplesperpixel);
139+ }
140+ }
141+ }
142+ }
143+ break;
144+ case TIFFTAG_NUMBEROFINKS:
145+ v = (uint16)va_arg(ap, uint16_vap);
146+ /* If InkNames already set also NumberOfInks is set accordingly and should be equal */
147+ if (TIFFFieldSet(tif, FIELD_INKNAMES))
148+ {
149+ if (v != td->td_numberofinks) {
150+ TIFFErrorExt(tif->tif_clientdata, module,
151+ "Error %s; Tag %s:\n It is not possible to set the value %"PRIu32" for NumberOfInks\n which is different from the number of inks in the InkNames tag (%"PRIu16")",
152+ tif->tif_name, fip->field_name, v, td->td_numberofinks);
153+ /* Do not set / overwrite number of inks already set by InkNames case accordingly. */
154+ status = 0;
155+ }
156+ } else {
157+ td->td_numberofinks = (uint16)v;
158+ if (TIFFFieldSet(tif, FIELD_SAMPLESPERPIXEL))
159+ {
160+ if (td->td_numberofinks != td->td_samplesperpixel) {
161+ TIFFErrorExt(tif->tif_clientdata, module,
162+ "Warning %s; Tag %s:\n Value %"PRIu32" of NumberOfInks is different from the SamplesPerPixel value %"PRIu16"",
163+ tif->tif_name, fip->field_name, v, td->td_samplesperpixel);
164+ }
165+ }
166 }
167 break;
168 case TIFFTAG_PERSAMPLE:
169@@ -887,34 +934,6 @@ _TIFFVGetField(TIFF* tif, uint32 tag, va_list ap)
170 if (fip->field_bit == FIELD_CUSTOM) {
171 standard_tag = 0;
172 }
173-
174- if( standard_tag == TIFFTAG_NUMBEROFINKS )
175- {
176- int i;
177- for (i = 0; i < td->td_customValueCount; i++) {
178- uint16 val;
179- TIFFTagValue *tv = td->td_customValues + i;
180- if (tv->info->field_tag != standard_tag)
181- continue;
182- if( tv->value == NULL )
183- return 0;
184- val = *(uint16 *)tv->value;
185- /* Truncate to SamplesPerPixel, since the */
186- /* setting code for INKNAMES assume that there are SamplesPerPixel */
187- /* inknames. */
188- /* Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2599 */
189- if( val > td->td_samplesperpixel )
190- {
191- TIFFWarningExt(tif->tif_clientdata,"_TIFFVGetField",
192- "Truncating NumberOfInks from %u to %u",
193- val, td->td_samplesperpixel);
194- val = td->td_samplesperpixel;
195- }
196- *va_arg(ap, uint16*) = val;
197- return 1;
198- }
199- return 0;
200- }
201
202 switch (standard_tag) {
203 case TIFFTAG_SUBFILETYPE:
204@@ -1092,6 +1111,9 @@ _TIFFVGetField(TIFF* tif, uint32 tag, va_list ap)
205 case TIFFTAG_INKNAMES:
206 *va_arg(ap, char**) = td->td_inknames;
207 break;
208+ case TIFFTAG_NUMBEROFINKS:
209+ *va_arg(ap, uint16 *) = td->td_numberofinks;
210+ break;
211 default:
212 {
213 int i;
214diff --git a/libtiff/tif_dir.h b/libtiff/tif_dir.h
215index e7f0667..7cad679 100644
216--- a/libtiff/tif_dir.h
217+++ b/libtiff/tif_dir.h
218@@ -117,6 +117,7 @@ typedef struct {
219 /* CMYK parameters */
220 int td_inknameslen;
221 char* td_inknames;
222+ uint16 td_numberofinks; /* number of inks in InkNames string */
223
224 int td_customValueCount;
225 TIFFTagValue *td_customValues;
226@@ -174,6 +175,7 @@ typedef struct {
227 #define FIELD_TRANSFERFUNCTION 44
228 #define FIELD_INKNAMES 46
229 #define FIELD_SUBIFD 49
230+#define FIELD_NUMBEROFINKS 50
231 /* FIELD_CUSTOM (see tiffio.h) 65 */
232 /* end of support for well-known tags; codec-private tags follow */
233 #define FIELD_CODEC 66 /* base of codec-private tags */
234diff --git a/libtiff/tif_dirinfo.c b/libtiff/tif_dirinfo.c
235index fbfaaf0..bf7de70 100644
236--- a/libtiff/tif_dirinfo.c
237+++ b/libtiff/tif_dirinfo.c
238@@ -104,7 +104,7 @@ tiffFields[] = {
239 { TIFFTAG_SUBIFD, -1, -1, TIFF_IFD8, 0, TIFF_SETGET_C16_IFD8, TIFF_SETGET_UNDEFINED, FIELD_SUBIFD, 1, 1, "SubIFD", (TIFFFieldArray*) &tiffFieldArray },
240 { TIFFTAG_INKSET, 1, 1, TIFF_SHORT, 0, TIFF_SETGET_UINT16, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 0, 0, "InkSet", NULL },
241 { TIFFTAG_INKNAMES, -1, -1, TIFF_ASCII, 0, TIFF_SETGET_C16_ASCII, TIFF_SETGET_UNDEFINED, FIELD_INKNAMES, 1, 1, "InkNames", NULL },
242- { TIFFTAG_NUMBEROFINKS, 1, 1, TIFF_SHORT, 0, TIFF_SETGET_UINT16, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 1, 0, "NumberOfInks", NULL },
243+ { TIFFTAG_NUMBEROFINKS, 1, 1, TIFF_SHORT, 0, TIFF_SETGET_UINT16, TIFF_SETGET_UNDEFINED, FIELD_NUMBEROFINKS, 1, 0, "NumberOfInks", NULL },
244 { TIFFTAG_DOTRANGE, 2, 2, TIFF_SHORT, 0, TIFF_SETGET_UINT16_PAIR, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 0, 0, "DotRange", NULL },
245 { TIFFTAG_TARGETPRINTER, -1, -1, TIFF_ASCII, 0, TIFF_SETGET_ASCII, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 1, 0, "TargetPrinter", NULL },
246 { TIFFTAG_EXTRASAMPLES, -1, -1, TIFF_SHORT, 0, TIFF_SETGET_C16_UINT16, TIFF_SETGET_UNDEFINED, FIELD_EXTRASAMPLES, 0, 1, "ExtraSamples", NULL },
247diff --git a/libtiff/tif_dirwrite.c b/libtiff/tif_dirwrite.c
248index 9e4d306..a2dbc3b 100644
249--- a/libtiff/tif_dirwrite.c
250+++ b/libtiff/tif_dirwrite.c
251@@ -677,6 +677,11 @@ TIFFWriteDirectorySec(TIFF* tif, int isimage, int imagedone, uint64* pdiroff)
252 if (!TIFFWriteDirectoryTagAscii(tif,&ndir,dir,TIFFTAG_INKNAMES,tif->tif_dir.td_inknameslen,tif->tif_dir.td_inknames))
253 goto bad;
254 }
255+ if (TIFFFieldSet(tif, FIELD_NUMBEROFINKS))
256+ {
257+ if (!TIFFWriteDirectoryTagShort(tif, &ndir, dir, TIFFTAG_NUMBEROFINKS, tif->tif_dir.td_numberofinks))
258+ goto bad;
259+ }
260 if (TIFFFieldSet(tif,FIELD_SUBIFD))
261 {
262 if (!TIFFWriteDirectoryTagSubifd(tif,&ndir,dir))
263diff --git a/libtiff/tif_print.c b/libtiff/tif_print.c
264index a073794..a9f05a7 100644
265--- a/libtiff/tif_print.c
266+++ b/libtiff/tif_print.c
267@@ -402,6 +402,10 @@ TIFFPrintDirectory(TIFF* tif, FILE* fd, long flags)
268 }
269 fputs("\n", fd);
270 }
271+ if (TIFFFieldSet(tif, FIELD_NUMBEROFINKS)) {
272+ fprintf(fd, " NumberOfInks: %d\n",
273+ td->td_numberofinks);
274+ }
275 if (TIFFFieldSet(tif,FIELD_THRESHHOLDING)) {
276 fprintf(fd, " Thresholding: ");
277 switch (td->td_threshholding) {
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2022-3970.patch b/meta/recipes-multimedia/libtiff/files/CVE-2022-3970.patch
new file mode 100644
index 0000000000..ea70827cbe
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2022-3970.patch
@@ -0,0 +1,45 @@
1From 7e87352217d1f0c77eee7033ac59e3aab08532bb Mon Sep 17 00:00:00 2001
2From: Even Rouault <even.rouault@spatialys.com>
3Date: Tue, 8 Nov 2022 15:16:58 +0100
4Subject: [PATCH] TIFFReadRGBATileExt(): fix (unsigned) integer overflow on
5
6Upstream-Status: Backport [import from debian http://security.debian.org/debian-security/pool/updates/main/t/tiff/tiff_4.1.0+git191117-2~deb10u7.debian.tar.xz ]
7CVE: CVE-2022-3970
8Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
9
10Origin: https://gitlab.com/libtiff/libtiff/-/commit/227500897dfb07fb7d27f7aa570050e62617e3be
11Reviewed-by: Sylvain Beucler <beuc@debian.org>
12Last-Update: 2023-01-17
13
14 strips/tiles > 2 GB
15
16Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=53137
17
18---
19 libtiff/tif_getimage.c | 8 ++++----
20 1 file changed, 4 insertions(+), 4 deletions(-)
21
22diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c
23index 96ab146..0b90dcc 100644
24--- a/libtiff/tif_getimage.c
25+++ b/libtiff/tif_getimage.c
26@@ -3042,15 +3042,15 @@ TIFFReadRGBATileExt(TIFF* tif, uint32 col, uint32 row, uint32 * raster, int stop
27 return( ok );
28
29 for( i_row = 0; i_row < read_ysize; i_row++ ) {
30- memmove( raster + (tile_ysize - i_row - 1) * tile_xsize,
31- raster + (read_ysize - i_row - 1) * read_xsize,
32+ memmove( raster + (size_t)(tile_ysize - i_row - 1) * tile_xsize,
33+ raster + (size_t)(read_ysize - i_row - 1) * read_xsize,
34 read_xsize * sizeof(uint32) );
35- _TIFFmemset( raster + (tile_ysize - i_row - 1) * tile_xsize+read_xsize,
36+ _TIFFmemset( raster + (size_t)(tile_ysize - i_row - 1) * tile_xsize+read_xsize,
37 0, sizeof(uint32) * (tile_xsize - read_xsize) );
38 }
39
40 for( i_row = read_ysize; i_row < tile_ysize; i_row++ ) {
41- _TIFFmemset( raster + (tile_ysize - i_row - 1) * tile_xsize,
42+ _TIFFmemset( raster + (size_t)(tile_ysize - i_row - 1) * tile_xsize,
43 0, sizeof(uint32) * tile_xsize );
44 }
45
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2022-48281.patch b/meta/recipes-multimedia/libtiff/files/CVE-2022-48281.patch
new file mode 100644
index 0000000000..5747202bd9
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2022-48281.patch
@@ -0,0 +1,26 @@
1From 424c82b5b33256e7f03faace51dc8010f3ded9ff Mon Sep 17 00:00:00 2001
2From: Su Laus <sulau@freenet.de>
3Date: Sat, 21 Jan 2023 15:58:10 +0000
4Subject: [PATCH] tiffcrop: Correct simple copy paste error. Fix #488.
5
6Upstream-Status: Backport [import from debian http://security.debian.org/debian-security/pool/updates/main/t/tiff/tiff_4.1.0+git191117-2~deb10u7.debian.tar.xz]
7CVE: CVE-2022-48281
8Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
9
10---
11 tools/tiffcrop.c | 2 +-
12 1 file changed, 1 insertion(+), 1 deletion(-)
13
14diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
15index a0789a3..8aed9cd 100644
16--- a/tools/tiffcrop.c
17+++ b/tools/tiffcrop.c
18@@ -7564,7 +7564,7 @@ processCropSelections(struct image_data *image, struct crop_mask *crop,
19 crop_buff = (unsigned char *)_TIFFmalloc(cropsize + NUM_BUFF_OVERSIZE_BYTES);
20 else
21 {
22- prev_cropsize = seg_buffs[0].size;
23+ prev_cropsize = seg_buffs[i].size;
24 if (prev_cropsize < cropsize)
25 {
26 next_buff = _TIFFrealloc(crop_buff, cropsize + NUM_BUFF_OVERSIZE_BYTES);
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2023-0795_0796_0797_0798_0799.patch b/meta/recipes-multimedia/libtiff/files/CVE-2023-0795_0796_0797_0798_0799.patch
new file mode 100644
index 0000000000..253018525a
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2023-0795_0796_0797_0798_0799.patch
@@ -0,0 +1,157 @@
1From 7808740e100ba30ffb791044f3b14dec3e85ed6f Mon Sep 17 00:00:00 2001
2From: Markus Koschany <apo@debian.org>
3Date: Tue, 21 Feb 2023 14:26:43 +0100
4Subject: [PATCH] CVE-2023-0795
5
6This is also the fix for CVE-2023-0796, CVE-2023-0797, CVE-2023-0798,
7CVE-2023-0799.
8
9Bug-Debian: https://bugs.debian.org/1031632
10Origin: https://gitlab.com/libtiff/libtiff/-/commit/afaabc3e50d4e5d80a94143f7e3c997e7e410f68
11
12Upstream-Status: Backport [import from debian http://security.debian.org/debian-security/pool/updates/main/t/tiff/tiff_4.1.0+git191117-2~deb10u7.debian.tar.xz ]
13CVE: CVE-2023-0795 CVE-2023-0796 CVE-2023-0797 CVE-2023-0798 CVE-2023-0799
14Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
15---
16 tools/tiffcrop.c | 51 ++++++++++++++++++++++++++++--------------------
17 1 file changed, 30 insertions(+), 21 deletions(-)
18
19diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
20index 8aed9cd..f21a7d7 100644
21--- a/tools/tiffcrop.c
22+++ b/tools/tiffcrop.c
23@@ -277,7 +277,6 @@ struct region {
24 uint32 width; /* width in pixels */
25 uint32 length; /* length in pixels */
26 uint32 buffsize; /* size of buffer needed to hold the cropped region */
27- unsigned char *buffptr; /* address of start of the region */
28 };
29
30 /* Cropping parameters from command line and image data
31@@ -532,7 +531,7 @@ static int rotateContigSamples24bits(uint16, uint16, uint16, uint32,
32 static int rotateContigSamples32bits(uint16, uint16, uint16, uint32,
33 uint32, uint32, uint8 *, uint8 *);
34 static int rotateImage(uint16, struct image_data *, uint32 *, uint32 *,
35- unsigned char **);
36+ unsigned char **, int);
37 static int mirrorImage(uint16, uint16, uint16, uint32, uint32,
38 unsigned char *);
39 static int invertImage(uint16, uint16, uint16, uint32, uint32,
40@@ -5112,7 +5111,6 @@ initCropMasks (struct crop_mask *cps)
41 cps->regionlist[i].width = 0;
42 cps->regionlist[i].length = 0;
43 cps->regionlist[i].buffsize = 0;
44- cps->regionlist[i].buffptr = NULL;
45 cps->zonelist[i].position = 0;
46 cps->zonelist[i].total = 0;
47 }
48@@ -6358,8 +6356,13 @@ static int correct_orientation(struct image_data *image, unsigned char **work_b
49 image->adjustments & ROTATE_ANY);
50 return (-1);
51 }
52-
53- if (rotateImage(rotation, image, &image->width, &image->length, work_buff_ptr))
54+
55+ /* Dummy variable in order not to switch two times the
56+ * image->width,->length within rotateImage(),
57+ * but switch xres, yres there. */
58+ uint32_t width = image->width;
59+ uint32_t length = image->length;
60+ if (rotateImage(rotation, image, &width, &length, work_buff_ptr, TRUE))
61 {
62 TIFFError ("correct_orientation", "Unable to rotate image");
63 return (-1);
64@@ -6427,7 +6430,6 @@ extractCompositeRegions(struct image_data *image, struct crop_mask *crop,
65 /* These should not be needed for composite images */
66 crop->regionlist[i].width = crop_width;
67 crop->regionlist[i].length = crop_length;
68- crop->regionlist[i].buffptr = crop_buff;
69
70 src_rowsize = ((img_width * bps * spp) + 7) / 8;
71 dst_rowsize = (((crop_width * bps * count) + 7) / 8);
72@@ -6664,7 +6666,6 @@ extractSeparateRegion(struct image_data *image, struct crop_mask *crop,
73
74 crop->regionlist[region].width = crop_width;
75 crop->regionlist[region].length = crop_length;
76- crop->regionlist[region].buffptr = crop_buff;
77
78 src = read_buff;
79 dst = crop_buff;
80@@ -7542,7 +7543,7 @@ processCropSelections(struct image_data *image, struct crop_mask *crop,
81 if (crop->crop_mode & CROP_ROTATE) /* rotate should be last as it can reallocate the buffer */
82 {
83 if (rotateImage(crop->rotation, image, &crop->combined_width,
84- &crop->combined_length, &crop_buff))
85+ &crop->combined_length, &crop_buff, FALSE))
86 {
87 TIFFError("processCropSelections",
88 "Failed to rotate composite regions by %d degrees", crop->rotation);
89@@ -7648,7 +7649,7 @@ processCropSelections(struct image_data *image, struct crop_mask *crop,
90 if (crop->crop_mode & CROP_ROTATE) /* rotate should be last as it can reallocate the buffer */
91 {
92 if (rotateImage(crop->rotation, image, &crop->regionlist[i].width,
93- &crop->regionlist[i].length, &crop_buff))
94+ &crop->regionlist[i].length, &crop_buff, FALSE))
95 {
96 TIFFError("processCropSelections",
97 "Failed to rotate crop region by %d degrees", crop->rotation);
98@@ -7780,7 +7781,7 @@ createCroppedImage(struct image_data *image, struct crop_mask *crop,
99 if (crop->crop_mode & CROP_ROTATE) /* rotate should be last as it can reallocate the buffer */
100 {
101 if (rotateImage(crop->rotation, image, &crop->combined_width,
102- &crop->combined_length, crop_buff_ptr))
103+ &crop->combined_length, crop_buff_ptr, TRUE))
104 {
105 TIFFError("createCroppedImage",
106 "Failed to rotate image or cropped selection by %d degrees", crop->rotation);
107@@ -8443,7 +8444,7 @@ rotateContigSamples32bits(uint16 rotation, uint16 spp, uint16 bps, uint32 width,
108 /* Rotate an image by a multiple of 90 degrees clockwise */
109 static int
110 rotateImage(uint16 rotation, struct image_data *image, uint32 *img_width,
111- uint32 *img_length, unsigned char **ibuff_ptr)
112+ uint32 *img_length, unsigned char **ibuff_ptr, int rot_image_params)
113 {
114 int shift_width;
115 uint32 bytes_per_pixel, bytes_per_sample;
116@@ -8634,11 +8635,15 @@ rotateImage(uint16 rotation, struct image_data *image, uint32 *img_width,
117
118 *img_width = length;
119 *img_length = width;
120- image->width = length;
121- image->length = width;
122- res_temp = image->xres;
123- image->xres = image->yres;
124- image->yres = res_temp;
125+ /* Only toggle image parameters if whole input image is rotated. */
126+ if (rot_image_params)
127+ {
128+ image->width = length;
129+ image->length = width;
130+ res_temp = image->xres;
131+ image->xres = image->yres;
132+ image->yres = res_temp;
133+ }
134 break;
135
136 case 270: if ((bps % 8) == 0) /* byte aligned data */
137@@ -8711,11 +8716,15 @@ rotateImage(uint16 rotation, struct image_data *image, uint32 *img_width,
138
139 *img_width = length;
140 *img_length = width;
141- image->width = length;
142- image->length = width;
143- res_temp = image->xres;
144- image->xres = image->yres;
145- image->yres = res_temp;
146+ /* Only toggle image parameters if whole input image is rotated. */
147+ if (rot_image_params)
148+ {
149+ image->width = length;
150+ image->length = width;
151+ res_temp = image->xres;
152+ image->xres = image->yres;
153+ image->yres = res_temp;
154+ }
155 break;
156 default:
157 break;
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2023-0800_0801_0802_0803_0804.patch b/meta/recipes-multimedia/libtiff/files/CVE-2023-0800_0801_0802_0803_0804.patch
new file mode 100644
index 0000000000..bf1a439b4d
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2023-0800_0801_0802_0803_0804.patch
@@ -0,0 +1,135 @@
1From e18be834497e0ebf68d443abb9e18187f36cd3bf Mon Sep 17 00:00:00 2001
2From: Markus Koschany <apo@debian.org>
3Date: Tue, 21 Feb 2023 14:39:52 +0100
4Subject: [PATCH] CVE-2023-0800
5
6This is also the fix for CVE-2023-0801, CVE-2023-0802, CVE-2023-0803,
7CVE-2023-0804.
8
9Bug-Debian: https://bugs.debian.org/1031632
10Origin: https://gitlab.com/libtiff/libtiff/-/commit/33aee1275d9d1384791d2206776eb8152d397f00
11
12Upstream-Status: Backport [import from debian http://security.debian.org/debian-security/pool/updates/main/t/tiff/tiff_4.1.0+git191117-2~deb10u7.debian.tar.xz ]
13CVE: CVE-2023-0800 CVE-2023-0801 CVE-2023-0802 CVE-2023-0803 CVE-2023-0804
14Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
15---
16 tools/tiffcrop.c | 73 +++++++++++++++++++++++++++++++++++++++++++++---
17 1 file changed, 69 insertions(+), 4 deletions(-)
18
19diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
20index f21a7d7..742615a 100644
21--- a/tools/tiffcrop.c
22+++ b/tools/tiffcrop.c
23@@ -5250,18 +5250,40 @@ computeInputPixelOffsets(struct crop_mask *crop, struct image_data *image,
24
25 crop->regionlist[i].buffsize = buffsize;
26 crop->bufftotal += buffsize;
27+
28+ /* For composite images with more than one region, the
29+ * combined_length or combined_width always needs to be equal,
30+ * respectively.
31+ * Otherwise, even the first section/region copy
32+ * action might cause buffer overrun. */
33 if (crop->img_mode == COMPOSITE_IMAGES)
34 {
35 switch (crop->edge_ref)
36 {
37 case EDGE_LEFT:
38 case EDGE_RIGHT:
39+ if (i > 0 && zlength != crop->combined_length)
40+ {
41+ TIFFError(
42+ "computeInputPixelOffsets",
43+ "Only equal length regions can be combined for "
44+ "-E left or right");
45+ return (-1);
46+ }
47 crop->combined_length = zlength;
48 crop->combined_width += zwidth;
49 break;
50 case EDGE_BOTTOM:
51 case EDGE_TOP: /* width from left, length from top */
52 default:
53+ if (i > 0 && zwidth != crop->combined_width)
54+ {
55+ TIFFError("computeInputPixelOffsets",
56+ "Only equal width regions can be "
57+ "combined for -E "
58+ "top or bottom");
59+ return (-1);
60+ }
61 crop->combined_width = zwidth;
62 crop->combined_length += zlength;
63 break;
64@@ -6416,6 +6438,47 @@ extractCompositeRegions(struct image_data *image, struct crop_mask *crop,
65 crop->combined_width = 0;
66 crop->combined_length = 0;
67
68+ /* If there is more than one region, check beforehand whether all the width
69+ * and length values of the regions are the same, respectively. */
70+ switch (crop->edge_ref)
71+ {
72+ default:
73+ case EDGE_TOP:
74+ case EDGE_BOTTOM:
75+ for (i = 1; i < crop->selections; i++)
76+ {
77+ uint32_t crop_width0 =
78+ crop->regionlist[i - 1].x2 - crop->regionlist[i - 1].x1 + 1;
79+ uint32_t crop_width1 =
80+ crop->regionlist[i].x2 - crop->regionlist[i].x1 + 1;
81+ if (crop_width0 != crop_width1)
82+ {
83+ TIFFError("extractCompositeRegions",
84+ "Only equal width regions can be combined for -E "
85+ "top or bottom");
86+ return (1);
87+ }
88+ }
89+ break;
90+ case EDGE_LEFT:
91+ case EDGE_RIGHT:
92+ for (i = 1; i < crop->selections; i++)
93+ {
94+ uint32_t crop_length0 =
95+ crop->regionlist[i - 1].y2 - crop->regionlist[i - 1].y1 + 1;
96+ uint32_t crop_length1 =
97+ crop->regionlist[i].y2 - crop->regionlist[i].y1 + 1;
98+ if (crop_length0 != crop_length1)
99+ {
100+ TIFFError("extractCompositeRegions",
101+ "Only equal length regions can be combined for "
102+ "-E left or right");
103+ return (1);
104+ }
105+ }
106+ }
107+
108+
109 for (i = 0; i < crop->selections; i++)
110 {
111 /* rows, columns, width, length are expressed in pixels */
112@@ -6439,8 +6502,9 @@ extractCompositeRegions(struct image_data *image, struct crop_mask *crop,
113 default:
114 case EDGE_TOP:
115 case EDGE_BOTTOM:
116- if ((i > 0) && (crop_width != crop->regionlist[i - 1].width))
117- {
118+ if ((crop->selections > i + 1) &&
119+ (crop_width != crop->regionlist[i + 1].width))
120+ {
121 TIFFError ("extractCompositeRegions",
122 "Only equal width regions can be combined for -E top or bottom");
123 return (1);
124@@ -6520,8 +6584,9 @@ extractCompositeRegions(struct image_data *image, struct crop_mask *crop,
125 break;
126 case EDGE_LEFT: /* splice the pieces of each row together, side by side */
127 case EDGE_RIGHT:
128- if ((i > 0) && (crop_length != crop->regionlist[i - 1].length))
129- {
130+ if ((crop->selections > i + 1) &&
131+ (crop_length != crop->regionlist[i + 1].length))
132+ {
133 TIFFError ("extractCompositeRegions",
134 "Only equal length regions can be combined for -E left or right");
135 return (1);
diff --git a/meta/recipes-multimedia/libtiff/tiff_4.1.0.bb b/meta/recipes-multimedia/libtiff/tiff_4.1.0.bb
index 74ececb113..4b48d81e2b 100644
--- a/meta/recipes-multimedia/libtiff/tiff_4.1.0.bb
+++ b/meta/recipes-multimedia/libtiff/tiff_4.1.0.bb
@@ -29,6 +29,13 @@ SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
29 file://CVE-2022-2867-CVE-2022-2868-CVE-2022-2869.patch \ 29 file://CVE-2022-2867-CVE-2022-2868-CVE-2022-2869.patch \
30 file://CVE-2022-1354.patch \ 30 file://CVE-2022-1354.patch \
31 file://CVE-2022-1355.patch \ 31 file://CVE-2022-1355.patch \
32 file://CVE-2022-3570_3598.patch \
33 file://CVE-2022-3597_3626_3627.patch \
34 file://CVE-2022-3599.patch \
35 file://CVE-2022-3970.patch \
36 file://CVE-2022-48281.patch \
37 file://CVE-2023-0795_0796_0797_0798_0799.patch \
38 file://CVE-2023-0800_0801_0802_0803_0804.patch \
32 " 39 "
33SRC_URI[md5sum] = "2165e7aba557463acc0664e71a3ed424" 40SRC_URI[md5sum] = "2165e7aba557463acc0664e71a3ed424"
34SRC_URI[sha256sum] = "5d29f32517dadb6dbcd1255ea5bbc93a2b54b94fbf83653b4d65c7d6775b8634" 41SRC_URI[sha256sum] = "5d29f32517dadb6dbcd1255ea5bbc93a2b54b94fbf83653b4d65c7d6775b8634"
generated by cgit v1.2.3-54-g00ecf (git 2.39.0) at 2024-05-25 05:16:56 +0000