summaryrefslogtreecommitdiffstats
path: root/meta/recipes-multimedia
diff options
context:
space:
mode:
authorRoss Burton <ross@burtonini.com>2022-03-21 13:22:25 +0000
committerRichard Purdie <richard.purdie@linuxfoundation.org>2022-03-23 12:13:50 +0000
commita2b1bfd957e7df8ddf167f46bb1e9d573f4761e5 (patch)
tree1159b36e14ae83cd67f2b55f4f30d5d688a304f1 /meta/recipes-multimedia
parent73aa8621c5987befdec66a9ff09e1e2cb4f6adcd (diff)
downloadpoky-a2b1bfd957e7df8ddf167f46bb1e9d573f4761e5.tar.gz
tiff: backport CVE fixes:
Backport fixes for the following CVEs: - CVE-2022-0865 - CVE-2022-0891 - CVE-2022-0907 - CVE-2022-0908 - CVE-2022-0909 - CVE-2022-0924 (From OE-Core rev: 2fe35de73cfa8de444d7ffb24246e8f87c36ee8d) Signed-off-by: Ross Burton <ross.burton@arm.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-multimedia')
-rw-r--r--meta/recipes-multimedia/libtiff/tiff/0001-tif_jbig.c-fix-crash-when-reading-a-file-with-multip.patch38
-rw-r--r--meta/recipes-multimedia/libtiff/tiff/0002-tiffcrop-fix-issue-380-and-382-heap-buffer-overflow-.patch218
-rw-r--r--meta/recipes-multimedia/libtiff/tiff/0003-add-checks-for-return-value-of-limitMalloc-392.patch93
-rw-r--r--meta/recipes-multimedia/libtiff/tiff/0004-TIFFFetchNormalTag-avoid-calling-memcpy-with-a-null-.patch33
-rw-r--r--meta/recipes-multimedia/libtiff/tiff/0005-fix-the-FPE-in-tiffcrop-393.patch36
-rw-r--r--meta/recipes-multimedia/libtiff/tiff/0006-fix-heap-buffer-overflow-in-tiffcp-278.patch57
-rw-r--r--meta/recipes-multimedia/libtiff/tiff_4.3.0.bb9
7 files changed, 483 insertions, 1 deletions
diff --git a/meta/recipes-multimedia/libtiff/tiff/0001-tif_jbig.c-fix-crash-when-reading-a-file-with-multip.patch b/meta/recipes-multimedia/libtiff/tiff/0001-tif_jbig.c-fix-crash-when-reading-a-file-with-multip.patch
new file mode 100644
index 0000000000..f1a4ab4251
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/tiff/0001-tif_jbig.c-fix-crash-when-reading-a-file-with-multip.patch
@@ -0,0 +1,38 @@
1CVE: CVE-2022-0865
2Upstream-Status: Backport
3Signed-off-by: Ross Burton <ross.burton@arm.com>
4
5From 88da11ae3c4db527cb870fb1017456cc8fbac2e7 Mon Sep 17 00:00:00 2001
6From: Even Rouault <even.rouault@spatialys.com>
7Date: Thu, 24 Feb 2022 22:26:02 +0100
8Subject: [PATCH 1/6] tif_jbig.c: fix crash when reading a file with multiple
9 IFD in memory-mapped mode and when bit reversal is needed (fixes #385)
10
11---
12 libtiff/tif_jbig.c | 10 ++++++++++
13 1 file changed, 10 insertions(+)
14
15diff --git a/libtiff/tif_jbig.c b/libtiff/tif_jbig.c
16index 74086338..8bfa4cef 100644
17--- a/libtiff/tif_jbig.c
18+++ b/libtiff/tif_jbig.c
19@@ -209,6 +209,16 @@ int TIFFInitJBIG(TIFF* tif, int scheme)
20 */
21 tif->tif_flags |= TIFF_NOBITREV;
22 tif->tif_flags &= ~TIFF_MAPPED;
23+ /* We may have read from a previous IFD and thus set TIFF_BUFFERMMAP and
24+ * cleared TIFF_MYBUFFER. It is necessary to restore them to their initial
25+ * value to be consistent with the state of a non-memory mapped file.
26+ */
27+ if (tif->tif_flags&TIFF_BUFFERMMAP) {
28+ tif->tif_rawdata = NULL;
29+ tif->tif_rawdatasize = 0;
30+ tif->tif_flags &= ~TIFF_BUFFERMMAP;
31+ tif->tif_flags |= TIFF_MYBUFFER;
32+ }
33
34 /* Setup the function pointers for encode, decode, and cleanup. */
35 tif->tif_setupdecode = JBIGSetupDecode;
36--
372.25.1
38
diff --git a/meta/recipes-multimedia/libtiff/tiff/0002-tiffcrop-fix-issue-380-and-382-heap-buffer-overflow-.patch b/meta/recipes-multimedia/libtiff/tiff/0002-tiffcrop-fix-issue-380-and-382-heap-buffer-overflow-.patch
new file mode 100644
index 0000000000..d31e9650d1
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/tiff/0002-tiffcrop-fix-issue-380-and-382-heap-buffer-overflow-.patch
@@ -0,0 +1,218 @@
1CVE: CVE-2022-0891
2Upstream-Status: Backport
3Signed-off-by: Ross Burton <ross.burton@arm.com>
4
5From e46b49e60fddb2e924302fb1751f79eb9cfb2253 Mon Sep 17 00:00:00 2001
6From: Su Laus <sulau@freenet.de>
7Date: Tue, 8 Mar 2022 17:02:44 +0000
8Subject: [PATCH 2/6] tiffcrop: fix issue #380 and #382 heap buffer overflow in
9 extractImageSection
10
11---
12 tools/tiffcrop.c | 92 +++++++++++++++++++-----------------------------
13 1 file changed, 36 insertions(+), 56 deletions(-)
14
15diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
16index b85c2ce7..302a7e91 100644
17--- a/tools/tiffcrop.c
18+++ b/tools/tiffcrop.c
19@@ -105,8 +105,8 @@
20 * of messages to monitor progress without enabling dump logs.
21 */
22
23-static char tiffcrop_version_id[] = "2.4";
24-static char tiffcrop_rev_date[] = "12-13-2010";
25+static char tiffcrop_version_id[] = "2.4.1";
26+static char tiffcrop_rev_date[] = "03-03-2010";
27
28 #include "tif_config.h"
29 #include "libport.h"
30@@ -6710,10 +6710,10 @@ extractImageSection(struct image_data *image, struct pageseg *section,
31 #ifdef DEVELMODE
32 uint32_t img_length;
33 #endif
34- uint32_t j, shift1, shift2, trailing_bits;
35+ uint32_t j, shift1, trailing_bits;
36 uint32_t row, first_row, last_row, first_col, last_col;
37 uint32_t src_offset, dst_offset, row_offset, col_offset;
38- uint32_t offset1, offset2, full_bytes;
39+ uint32_t offset1, full_bytes;
40 uint32_t sect_width;
41 #ifdef DEVELMODE
42 uint32_t sect_length;
43@@ -6723,7 +6723,6 @@ extractImageSection(struct image_data *image, struct pageseg *section,
44 #ifdef DEVELMODE
45 int k;
46 unsigned char bitset;
47- static char *bitarray = NULL;
48 #endif
49
50 img_width = image->width;
51@@ -6741,17 +6740,12 @@ extractImageSection(struct image_data *image, struct pageseg *section,
52 dst_offset = 0;
53
54 #ifdef DEVELMODE
55- if (bitarray == NULL)
56- {
57- if ((bitarray = (char *)malloc(img_width)) == NULL)
58- {
59- TIFFError ("", "DEBUG: Unable to allocate debugging bitarray");
60- return (-1);
61- }
62- }
63+ char bitarray[39];
64 #endif
65
66- /* rows, columns, width, length are expressed in pixels */
67+ /* rows, columns, width, length are expressed in pixels
68+ * first_row, last_row, .. are index into image array starting at 0 to width-1,
69+ * last_col shall be also extracted. */
70 first_row = section->y1;
71 last_row = section->y2;
72 first_col = section->x1;
73@@ -6761,9 +6755,14 @@ extractImageSection(struct image_data *image, struct pageseg *section,
74 #ifdef DEVELMODE
75 sect_length = last_row - first_row + 1;
76 #endif
77- img_rowsize = ((img_width * bps + 7) / 8) * spp;
78- full_bytes = (sect_width * spp * bps) / 8; /* number of COMPLETE bytes per row in section */
79- trailing_bits = (sect_width * bps) % 8;
80+ /* The read function loadImage() used copy separate plane data into a buffer as interleaved
81+ * samples rather than separate planes so the same logic works to extract regions
82+ * regardless of the way the data are organized in the input file.
83+ * Furthermore, bytes and bits are arranged in buffer according to COMPRESSION=1 and FILLORDER=1
84+ */
85+ img_rowsize = (((img_width * spp * bps) + 7) / 8); /* row size in full bytes of source image */
86+ full_bytes = (sect_width * spp * bps) / 8; /* number of COMPLETE bytes per row in section */
87+ trailing_bits = (sect_width * spp * bps) % 8; /* trailing bits within the last byte of destination buffer */
88
89 #ifdef DEVELMODE
90 TIFFError ("", "First row: %"PRIu32", last row: %"PRIu32", First col: %"PRIu32", last col: %"PRIu32"\n",
91@@ -6776,10 +6775,9 @@ extractImageSection(struct image_data *image, struct pageseg *section,
92
93 if ((bps % 8) == 0)
94 {
95- col_offset = first_col * spp * bps / 8;
96+ col_offset = (first_col * spp * bps) / 8;
97 for (row = first_row; row <= last_row; row++)
98 {
99- /* row_offset = row * img_width * spp * bps / 8; */
100 row_offset = row * img_rowsize;
101 src_offset = row_offset + col_offset;
102
103@@ -6792,14 +6790,12 @@ extractImageSection(struct image_data *image, struct pageseg *section,
104 }
105 else
106 { /* bps != 8 */
107- shift1 = spp * ((first_col * bps) % 8);
108- shift2 = spp * ((last_col * bps) % 8);
109+ shift1 = ((first_col * spp * bps) % 8); /* shift1 = bits to skip in the first byte of source buffer*/
110 for (row = first_row; row <= last_row; row++)
111 {
112 /* pull out the first byte */
113 row_offset = row * img_rowsize;
114- offset1 = row_offset + (first_col * bps / 8);
115- offset2 = row_offset + (last_col * bps / 8);
116+ offset1 = row_offset + ((first_col * spp * bps) / 8); /* offset1 = offset into source of byte with first bits to be extracted */
117
118 #ifdef DEVELMODE
119 for (j = 0, k = 7; j < 8; j++, k--)
120@@ -6811,12 +6807,12 @@ extractImageSection(struct image_data *image, struct pageseg *section,
121 sprintf(&bitarray[9], " ");
122 for (j = 10, k = 7; j < 18; j++, k--)
123 {
124- bitset = *(src_buff + offset2) & (((unsigned char)1 << k)) ? 1 : 0;
125+ bitset = *(src_buff + offset1 + full_bytes) & (((unsigned char)1 << k)) ? 1 : 0;
126 sprintf(&bitarray[j], (bitset) ? "1" : "0");
127 }
128 bitarray[18] = '\0';
129- TIFFError ("", "Row: %3d Offset1: %"PRIu32", Shift1: %"PRIu32", Offset2: %"PRIu32", Shift2: %"PRIu32"\n",
130- row, offset1, shift1, offset2, shift2);
131+ TIFFError ("", "Row: %3d Offset1: %"PRIu32", Shift1: %"PRIu32", Offset2: %"PRIu32", Trailing_bits: %"PRIu32"\n",
132+ row, offset1, shift1, offset1+full_bytes, trailing_bits);
133 #endif
134
135 bytebuff1 = bytebuff2 = 0;
136@@ -6840,11 +6836,12 @@ extractImageSection(struct image_data *image, struct pageseg *section,
137
138 if (trailing_bits != 0)
139 {
140- bytebuff2 = src_buff[offset2] & ((unsigned char)255 << (7 - shift2));
141+ /* Only copy higher bits of samples and mask lower bits of not wanted column samples to zero */
142+ bytebuff2 = src_buff[offset1 + full_bytes] & ((unsigned char)255 << (8 - trailing_bits));
143 sect_buff[dst_offset] = bytebuff2;
144 #ifdef DEVELMODE
145 TIFFError ("", " Trailing bits src offset: %8"PRIu32", Dst offset: %8"PRIu32"\n",
146- offset2, dst_offset);
147+ offset1 + full_bytes, dst_offset);
148 for (j = 30, k = 7; j < 38; j++, k--)
149 {
150 bitset = *(sect_buff + dst_offset) & (((unsigned char)1 << k)) ? 1 : 0;
151@@ -6863,8 +6860,10 @@ extractImageSection(struct image_data *image, struct pageseg *section,
152 #endif
153 for (j = 0; j <= full_bytes; j++)
154 {
155- bytebuff1 = src_buff[offset1 + j] & ((unsigned char)255 >> shift1);
156- bytebuff2 = src_buff[offset1 + j + 1] & ((unsigned char)255 << (7 - shift1));
157+ /* Skip the first shift1 bits and shift the source up by shift1 bits before save to destination.*/
158+ /* Attention: src_buff size needs to be some bytes larger than image size, because could read behind image here. */
159+ bytebuff1 = src_buff[offset1 + j] & ((unsigned char)255 >> shift1);
160+ bytebuff2 = src_buff[offset1 + j + 1] & ((unsigned char)255 << (8 - shift1));
161 sect_buff[dst_offset + j] = (bytebuff1 << shift1) | (bytebuff2 >> (8 - shift1));
162 }
163 #ifdef DEVELMODE
164@@ -6880,36 +6879,17 @@ extractImageSection(struct image_data *image, struct pageseg *section,
165 #endif
166 dst_offset += full_bytes;
167
168+ /* Copy the trailing_bits for the last byte in the destination buffer.
169+ Could come from one ore two bytes of the source buffer. */
170 if (trailing_bits != 0)
171 {
172 #ifdef DEVELMODE
173- TIFFError ("", " Trailing bits src offset: %8"PRIu32", Dst offset: %8"PRIu32"\n", offset1 + full_bytes, dst_offset);
174-#endif
175- if (shift2 > shift1)
176- {
177- bytebuff1 = src_buff[offset1 + full_bytes] & ((unsigned char)255 << (7 - shift2));
178- bytebuff2 = bytebuff1 & ((unsigned char)255 << shift1);
179- sect_buff[dst_offset] = bytebuff2;
180-#ifdef DEVELMODE
181- TIFFError ("", " Shift2 > Shift1\n");
182+ TIFFError("", " Trailing bits %4"PRIu32" src offset: %8"PRIu32", Dst offset: %8"PRIu32"\n", trailing_bits, offset1 + full_bytes, dst_offset);
183 #endif
184+ /* More than necessary bits are already copied into last destination buffer,
185+ * only masking of last byte in destination buffer is necessary.*/
186+ sect_buff[dst_offset] &= ((uint8_t)0xFF << (8 - trailing_bits));
187 }
188- else
189- {
190- if (shift2 < shift1)
191- {
192- bytebuff2 = ((unsigned char)255 << (shift1 - shift2 - 1));
193- sect_buff[dst_offset] &= bytebuff2;
194-#ifdef DEVELMODE
195- TIFFError ("", " Shift2 < Shift1\n");
196-#endif
197- }
198-#ifdef DEVELMODE
199- else
200- TIFFError ("", " Shift2 == Shift1\n");
201-#endif
202- }
203- }
204 #ifdef DEVELMODE
205 sprintf(&bitarray[28], " ");
206 sprintf(&bitarray[29], " ");
207@@ -7062,7 +7042,7 @@ writeImageSections(TIFF *in, TIFF *out, struct image_data *image,
208 width = sections[i].x2 - sections[i].x1 + 1;
209 length = sections[i].y2 - sections[i].y1 + 1;
210 sectsize = (uint32_t)
211- ceil((width * image->bps + 7) / (double)8) * image->spp * length;
212+ ceil((width * image->bps * image->spp + 7) / (double)8) * length;
213 /* allocate a buffer if we don't have one already */
214 if (createImageSection(sectsize, sect_buff_ptr))
215 {
216--
2172.25.1
218
diff --git a/meta/recipes-multimedia/libtiff/tiff/0003-add-checks-for-return-value-of-limitMalloc-392.patch b/meta/recipes-multimedia/libtiff/tiff/0003-add-checks-for-return-value-of-limitMalloc-392.patch
new file mode 100644
index 0000000000..a0b856b9e1
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/tiff/0003-add-checks-for-return-value-of-limitMalloc-392.patch
@@ -0,0 +1,93 @@
1CVE: CVE-2022-0907
2Upstream-Status: Backport
3Signed-off-by: Ross Burton <ross.burton@arm.com>
4
5From a139191cc86f4dc44c74a0f22928e0fb38ed2485 Mon Sep 17 00:00:00 2001
6From: Augustus <wangdw.augustus@qq.com>
7Date: Mon, 7 Mar 2022 18:21:49 +0800
8Subject: [PATCH 3/6] add checks for return value of limitMalloc (#392)
9
10---
11 tools/tiffcrop.c | 33 +++++++++++++++++++++------------
12 1 file changed, 21 insertions(+), 12 deletions(-)
13
14diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
15index 302a7e91..e407bf51 100644
16--- a/tools/tiffcrop.c
17+++ b/tools/tiffcrop.c
18@@ -7357,7 +7357,11 @@ createImageSection(uint32_t sectsize, unsigned char **sect_buff_ptr)
19 if (!sect_buff)
20 {
21 sect_buff = (unsigned char *)limitMalloc(sectsize);
22- *sect_buff_ptr = sect_buff;
23+ if (!sect_buff)
24+ {
25+ TIFFError("createImageSection", "Unable to allocate/reallocate section buffer");
26+ return (-1);
27+ }
28 _TIFFmemset(sect_buff, 0, sectsize);
29 }
30 else
31@@ -7373,15 +7377,15 @@ createImageSection(uint32_t sectsize, unsigned char **sect_buff_ptr)
32 else
33 sect_buff = new_buff;
34
35+ if (!sect_buff)
36+ {
37+ TIFFError("createImageSection", "Unable to allocate/reallocate section buffer");
38+ return (-1);
39+ }
40 _TIFFmemset(sect_buff, 0, sectsize);
41 }
42 }
43
44- if (!sect_buff)
45- {
46- TIFFError("createImageSection", "Unable to allocate/reallocate section buffer");
47- return (-1);
48- }
49 prev_sectsize = sectsize;
50 *sect_buff_ptr = sect_buff;
51
52@@ -7648,7 +7652,11 @@ createCroppedImage(struct image_data *image, struct crop_mask *crop,
53 if (!crop_buff)
54 {
55 crop_buff = (unsigned char *)limitMalloc(cropsize);
56- *crop_buff_ptr = crop_buff;
57+ if (!crop_buff)
58+ {
59+ TIFFError("createCroppedImage", "Unable to allocate/reallocate crop buffer");
60+ return (-1);
61+ }
62 _TIFFmemset(crop_buff, 0, cropsize);
63 prev_cropsize = cropsize;
64 }
65@@ -7664,15 +7672,15 @@ createCroppedImage(struct image_data *image, struct crop_mask *crop,
66 }
67 else
68 crop_buff = new_buff;
69+ if (!crop_buff)
70+ {
71+ TIFFError("createCroppedImage", "Unable to allocate/reallocate crop buffer");
72+ return (-1);
73+ }
74 _TIFFmemset(crop_buff, 0, cropsize);
75 }
76 }
77
78- if (!crop_buff)
79- {
80- TIFFError("createCroppedImage", "Unable to allocate/reallocate crop buffer");
81- return (-1);
82- }
83 *crop_buff_ptr = crop_buff;
84
85 if (crop->crop_mode & CROP_INVERT)
86@@ -9231,3 +9239,4 @@ invertImage(uint16_t photometric, uint16_t spp, uint16_t bps, uint32_t width, ui
87 * fill-column: 78
88 * End:
89 */
90+
91--
922.25.1
93
diff --git a/meta/recipes-multimedia/libtiff/tiff/0004-TIFFFetchNormalTag-avoid-calling-memcpy-with-a-null-.patch b/meta/recipes-multimedia/libtiff/tiff/0004-TIFFFetchNormalTag-avoid-calling-memcpy-with-a-null-.patch
new file mode 100644
index 0000000000..719dabaecc
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/tiff/0004-TIFFFetchNormalTag-avoid-calling-memcpy-with-a-null-.patch
@@ -0,0 +1,33 @@
1CVE: CVE-2022-0908
2Upstream-Status: Backport
3Signed-off-by: Ross Burton <ross.burton@arm.com>
4
5From ef5a0bf271823df168642444d051528a68205cb0 Mon Sep 17 00:00:00 2001
6From: Even Rouault <even.rouault@spatialys.com>
7Date: Thu, 17 Feb 2022 15:28:43 +0100
8Subject: [PATCH 4/6] TIFFFetchNormalTag(): avoid calling memcpy() with a null
9 source pointer and size of zero (fixes #383)
10
11---
12 libtiff/tif_dirread.c | 5 ++++-
13 1 file changed, 4 insertions(+), 1 deletion(-)
14
15diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c
16index d84147a0..4e8ce729 100644
17--- a/libtiff/tif_dirread.c
18+++ b/libtiff/tif_dirread.c
19@@ -5079,7 +5079,10 @@ TIFFFetchNormalTag(TIFF* tif, TIFFDirEntry* dp, int recover)
20 _TIFFfree(data);
21 return(0);
22 }
23- _TIFFmemcpy(o,data,(uint32_t)dp->tdir_count);
24+ if (dp->tdir_count > 0 )
25+ {
26+ _TIFFmemcpy(o,data,(uint32_t)dp->tdir_count);
27+ }
28 o[(uint32_t)dp->tdir_count]=0;
29 if (data!=0)
30 _TIFFfree(data);
31--
322.25.1
33
diff --git a/meta/recipes-multimedia/libtiff/tiff/0005-fix-the-FPE-in-tiffcrop-393.patch b/meta/recipes-multimedia/libtiff/tiff/0005-fix-the-FPE-in-tiffcrop-393.patch
new file mode 100644
index 0000000000..64dbe9ef92
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/tiff/0005-fix-the-FPE-in-tiffcrop-393.patch
@@ -0,0 +1,36 @@
1CVE: CVE-2022-0909
2Upstream-Status: Backport
3Signed-off-by: Ross Burton <ross.burton@arm.com>
4
5From 4768355a074d562177e0a8b551c561d1af7eb74a Mon Sep 17 00:00:00 2001
6From: 4ugustus <wangdw.augustus@qq.com>
7Date: Tue, 8 Mar 2022 16:22:04 +0000
8Subject: [PATCH 5/6] fix the FPE in tiffcrop (#393)
9
10---
11 libtiff/tif_dir.c | 4 ++--
12 1 file changed, 2 insertions(+), 2 deletions(-)
13
14diff --git a/libtiff/tif_dir.c b/libtiff/tif_dir.c
15index a6c254fc..77da6ea4 100644
16--- a/libtiff/tif_dir.c
17+++ b/libtiff/tif_dir.c
18@@ -335,13 +335,13 @@ _TIFFVSetField(TIFF* tif, uint32_t tag, va_list ap)
19 break;
20 case TIFFTAG_XRESOLUTION:
21 dblval = va_arg(ap, double);
22- if( dblval < 0 )
23+ if( dblval != dblval || dblval < 0 )
24 goto badvaluedouble;
25 td->td_xresolution = _TIFFClampDoubleToFloat( dblval );
26 break;
27 case TIFFTAG_YRESOLUTION:
28 dblval = va_arg(ap, double);
29- if( dblval < 0 )
30+ if( dblval != dblval || dblval < 0 )
31 goto badvaluedouble;
32 td->td_yresolution = _TIFFClampDoubleToFloat( dblval );
33 break;
34--
352.25.1
36
diff --git a/meta/recipes-multimedia/libtiff/tiff/0006-fix-heap-buffer-overflow-in-tiffcp-278.patch b/meta/recipes-multimedia/libtiff/tiff/0006-fix-heap-buffer-overflow-in-tiffcp-278.patch
new file mode 100644
index 0000000000..afd5e59960
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/tiff/0006-fix-heap-buffer-overflow-in-tiffcp-278.patch
@@ -0,0 +1,57 @@
1CVE: CVE-2022-0924
2Upstream-Status: Backport
3Signed-off-by: Ross Burton <ross.burton@arm.com>
4
5From 1074b9691322b1e3671cd8ea0b6b3509d08978fb Mon Sep 17 00:00:00 2001
6From: 4ugustus <wangdw.augustus@qq.com>
7Date: Thu, 10 Mar 2022 08:48:00 +0000
8Subject: [PATCH 6/6] fix heap buffer overflow in tiffcp (#278)
9
10---
11 tools/tiffcp.c | 17 ++++++++++++++++-
12 1 file changed, 16 insertions(+), 1 deletion(-)
13
14diff --git a/tools/tiffcp.c b/tools/tiffcp.c
15index 1f889516..552d8fad 100644
16--- a/tools/tiffcp.c
17+++ b/tools/tiffcp.c
18@@ -1661,12 +1661,27 @@ DECLAREwriteFunc(writeBufferToSeparateStrips)
19 tdata_t obuf;
20 tstrip_t strip = 0;
21 tsample_t s;
22+ uint16_t bps = 0, bytes_per_sample;
23
24 obuf = limitMalloc(stripsize);
25 if (obuf == NULL)
26 return (0);
27 _TIFFmemset(obuf, 0, stripsize);
28 (void) TIFFGetFieldDefaulted(out, TIFFTAG_ROWSPERSTRIP, &rowsperstrip);
29+ (void) TIFFGetField(out, TIFFTAG_BITSPERSAMPLE, &bps);
30+ if( bps == 0 )
31+ {
32+ TIFFError(TIFFFileName(out), "Error, cannot read BitsPerSample");
33+ _TIFFfree(obuf);
34+ return 0;
35+ }
36+ if( (bps % 8) != 0 )
37+ {
38+ TIFFError(TIFFFileName(out), "Error, cannot handle BitsPerSample that is not a multiple of 8");
39+ _TIFFfree(obuf);
40+ return 0;
41+ }
42+ bytes_per_sample = bps/8;
43 for (s = 0; s < spp; s++) {
44 uint32_t row;
45 for (row = 0; row < imagelength; row += rowsperstrip) {
46@@ -1676,7 +1691,7 @@ DECLAREwriteFunc(writeBufferToSeparateStrips)
47
48 cpContigBufToSeparateBuf(
49 obuf, (uint8_t*) buf + row * rowsize + s,
50- nrows, imagewidth, 0, 0, spp, 1);
51+ nrows, imagewidth, 0, 0, spp, bytes_per_sample);
52 if (TIFFWriteEncodedStrip(out, strip++, obuf, stripsize) < 0) {
53 TIFFError(TIFFFileName(out),
54 "Error, can't write strip %"PRIu32,
55--
562.25.1
57
diff --git a/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb b/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb
index 6b933a409b..9c9108a6af 100644
--- a/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb
+++ b/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb
@@ -11,7 +11,14 @@ CVE_PRODUCT = "libtiff"
11SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \ 11SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
12 file://0001-tiffset-fix-global-buffer-overflow-for-ASCII-tags-wh.patch \ 12 file://0001-tiffset-fix-global-buffer-overflow-for-ASCII-tags-wh.patch \
13 file://561599c99f987dc32ae110370cfdd7df7975586b.patch \ 13 file://561599c99f987dc32ae110370cfdd7df7975586b.patch \
14 file://eecb0712f4c3a5b449f70c57988260a667ddbdef.patch" 14 file://eecb0712f4c3a5b449f70c57988260a667ddbdef.patch \
15 file://0001-tif_jbig.c-fix-crash-when-reading-a-file-with-multip.patch \
16 file://0002-tiffcrop-fix-issue-380-and-382-heap-buffer-overflow-.patch \
17 file://0003-add-checks-for-return-value-of-limitMalloc-392.patch \
18 file://0004-TIFFFetchNormalTag-avoid-calling-memcpy-with-a-null-.patch \
19 file://0005-fix-the-FPE-in-tiffcrop-393.patch \
20 file://0006-fix-heap-buffer-overflow-in-tiffcp-278.patch \
21 "
15 22
16SRC_URI[sha256sum] = "0e46e5acb087ce7d1ac53cf4f56a09b221537fc86dfc5daaad1c2e89e1b37ac8" 23SRC_URI[sha256sum] = "0e46e5acb087ce7d1ac53cf4f56a09b221537fc86dfc5daaad1c2e89e1b37ac8"
17 24