tiff: Security fix for CVE-2023-40745

Upstream-Status: Backport from https://gitlab.com/libtiff/libtiff/-/commit/4fc16f649fa2875d5c388cf2edc295510a247ee5 (From OE-Core rev: d282b85cf69ecfbce12224428c713cd0dc639ced) Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
author: Hitendra Prajapati <hprajapati@mvista.com> 2023-11-07 11:12:20 +0530
committer: Steve Sakoman <steve@sakoman.com> 2023-11-17 06:00:32 -1000
commit: cd9a699320dab88f7de8711a00ee66d98605748b (patch)
tree: 346eded20cdf1f7da539b7f9f2ce41161f13fa82 /meta/recipes-multimedia
parent: 5e9e6627ac74295b311786d4acec1520b46b3105 (diff)
download: poky-cd9a699320dab88f7de8711a00ee66d98605748b.tar.gz
2 files changed, 35 insertions, 0 deletions
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2023-40745.patch b/meta/recipes-multimedia/libtiff/files/CVE-2023-40745.patch
new file mode 100644
index 0000000000..6eb286039f
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2023-40745.patch
@@ -0,0 +1,34 @@
+From 4fc16f649fa2875d5c388cf2edc295510a247ee5 Mon Sep 17 00:00:00 2001
+From: Arie Haenel <arie.haenel@jct.ac.il>
+Date: Wed, 19 Jul 2023 19:34:25 +0000
+Subject: [PATCH] tiffcp: fix memory corruption (overflow) on hostile images
+ (fixes #591)
+Upstream-Status: Backport from [https://gitlab.com/libtiff/libtiff/-/commit/4fc16f649fa2875d5c388cf2edc295510a247ee5]
+CVE: CVE-2023-40745
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ tools/tiffcp.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+diff --git a/tools/tiffcp.c b/tools/tiffcp.c
+index 83b3910..007bd05 100644
+--- a/tools/tiffcp.c
+++ b/tools/tiffcp.c
+@@ -1437,6 +1437,13 @@ DECLAREreadFunc(readSeparateTilesIntoBuffer)
+                TIFFError(TIFFFileName(in), "Error, cannot handle that much samples per tile row (Tile Width * Samples/Pixel)");
+                return 0;
+        }
+
+       if ( (imagew - tilew * spp) > INT_MAX ){
+        TIFFError(TIFFFileName(in),
+                  "Error, image raster scan line size is too large");
+        return 0;
+       }
+
+        iskew = imagew - tilew*spp;
+        tilebuf = _TIFFmalloc(tilesize);
+        if (tilebuf == 0)
+-- 
+2.25.1
diff --git a/meta/recipes-multimedia/libtiff/tiff_4.1.0.bb b/meta/recipes-multimedia/libtiff/tiff_4.1.0.bb
index d27381b4cd..31e7db19aa 100644
--- a/meta/recipes-multimedia/libtiff/tiff_4.1.0.bb
+++ b/meta/recipes-multimedia/libtiff/tiff_4.1.0.bb
@@ -45,6 +45,7 @@ SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
           file://CVE-2023-3316.patch \
           file://CVE-2023-3576.patch \
           file://CVE-2023-3618.patch \
+           file://CVE-2023-40745.patch \
          "
 SRC_URI[md5sum] = "2165e7aba557463acc0664e71a3ed424"
 SRC_URI[sha256sum] = "5d29f32517dadb6dbcd1255ea5bbc93a2b54b94fbf83653b4d65c7d6775b8634"
author	Hitendra Prajapati <hprajapati@mvista.com>	2023-11-07 11:12:20 +0530
committer	Steve Sakoman <steve@sakoman.com>	2023-11-17 06:00:32 -1000
commit	cd9a699320dab88f7de8711a00ee66d98605748b (patch)
tree	346eded20cdf1f7da539b7f9f2ce41161f13fa82 /meta/recipes-multimedia
parent	5e9e6627ac74295b311786d4acec1520b46b3105 (diff)
download	poky-cd9a699320dab88f7de8711a00ee66d98605748b.tar.gz

diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2023-40745.patch b/meta/recipes-multimedia/libtiff/files/CVE-2023-40745.patch new file mode 100644 index 0000000000..6eb286039f --- /dev/null +++ b/meta/recipes-multimedia/libtiff/files/CVE-2023-40745.patch
@@ -0,0 +1,34 @@
		1	From 4fc16f649fa2875d5c388cf2edc295510a247ee5 Mon Sep 17 00:00:00 2001
		2	From: Arie Haenel <arie.haenel@jct.ac.il>
		3	Date: Wed, 19 Jul 2023 19:34:25 +0000
		4	Subject: [PATCH] tiffcp: fix memory corruption (overflow) on hostile images
		5	(fixes #591)
		6
		7	Upstream-Status: Backport from [https://gitlab.com/libtiff/libtiff/-/commit/4fc16f649fa2875d5c388cf2edc295510a247ee5]
		8	CVE: CVE-2023-40745
		9	Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
		10	---
		11	tools/tiffcp.c \| 7 +++++++
		12	1 file changed, 7 insertions(+)
		13
		14	diff --git a/tools/tiffcp.c b/tools/tiffcp.c
		15	index 83b3910..007bd05 100644
		16	--- a/tools/tiffcp.c
		17	+++ b/tools/tiffcp.c
		18	@@ -1437,6 +1437,13 @@ DECLAREreadFunc(readSeparateTilesIntoBuffer)
		19	TIFFError(TIFFFileName(in), "Error, cannot handle that much samples per tile row (Tile Width * Samples/Pixel)");
		20	return 0;
		21	}
		22	+
		23	+ if ( (imagew - tilew * spp) > INT_MAX ){
		24	+ TIFFError(TIFFFileName(in),
		25	+ "Error, image raster scan line size is too large");
		26	+ return 0;
		27	+ }
		28	+
		29	iskew = imagew - tilew*spp;
		30	tilebuf = _TIFFmalloc(tilesize);
		31	if (tilebuf == 0)
		32	--
		33	2.25.1
		34


diff --git a/meta/recipes-multimedia/libtiff/tiff_4.1.0.bb b/meta/recipes-multimedia/libtiff/tiff_4.1.0.bb index d27381b4cd..31e7db19aa 100644 --- a/meta/recipes-multimedia/libtiff/tiff_4.1.0.bb +++ b/meta/recipes-multimedia/libtiff/tiff_4.1.0.bb
@@ -45,6 +45,7 @@ SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
45	file://CVE-2023-3316.patch \	45	file://CVE-2023-3316.patch \
46	file://CVE-2023-3576.patch \	46	file://CVE-2023-3576.patch \
47	file://CVE-2023-3618.patch \	47	file://CVE-2023-3618.patch \
		48	file://CVE-2023-40745.patch \
48	"	49	"
49	SRC_URI[md5sum] = "2165e7aba557463acc0664e71a3ed424"	50	SRC_URI[md5sum] = "2165e7aba557463acc0664e71a3ed424"
50	SRC_URI[sha256sum] = "5d29f32517dadb6dbcd1255ea5bbc93a2b54b94fbf83653b4d65c7d6775b8634"	51	SRC_URI[sha256sum] = "5d29f32517dadb6dbcd1255ea5bbc93a2b54b94fbf83653b4d65c7d6775b8634"