tiff: backport CVE fixes:

Backport fixes for the following CVEs: - CVE-2022-0865 - CVE-2022-0891 - CVE-2022-0907 - CVE-2022-0908 - CVE-2022-0909 - CVE-2022-0924 (From OE-Core rev: 2fe35de73cfa8de444d7ffb24246e8f87c36ee8d) Signed-off-by: Ross Burton <ross.burton@arm.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Ross Burton <ross@burtonini.com> 2022-03-21 13:22:25 +0000
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2022-03-23 12:13:50 +0000
commit: a2b1bfd957e7df8ddf167f46bb1e9d573f4761e5 (patch)
tree: 1159b36e14ae83cd67f2b55f4f30d5d688a304f1 /meta/recipes-multimedia
parent: 73aa8621c5987befdec66a9ff09e1e2cb4f6adcd (diff)
download: poky-a2b1bfd957e7df8ddf167f46bb1e9d573f4761e5.tar.gz
7 files changed, 483 insertions, 1 deletions
diff --git a/meta/recipes-multimedia/libtiff/tiff/0001-tif_jbig.c-fix-crash-when-reading-a-file-with-multip.patch b/meta/recipes-multimedia/libtiff/tiff/0001-tif_jbig.c-fix-crash-when-reading-a-file-with-multip.patch
new file mode 100644
index 0000000000..f1a4ab4251
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/tiff/0001-tif_jbig.c-fix-crash-when-reading-a-file-with-multip.patch
@@ -0,0 +1,38 @@
+CVE: CVE-2022-0865
+Upstream-Status: Backport
+Signed-off-by: Ross Burton <ross.burton@arm.com>
+From 88da11ae3c4db527cb870fb1017456cc8fbac2e7 Mon Sep 17 00:00:00 2001
+From: Even Rouault <even.rouault@spatialys.com>
+Date: Thu, 24 Feb 2022 22:26:02 +0100
+Subject: [PATCH 1/6] tif_jbig.c: fix crash when reading a file with multiple
+ IFD in memory-mapped mode and when bit reversal is needed (fixes #385)
+---
+ libtiff/tif_jbig.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+diff --git a/libtiff/tif_jbig.c b/libtiff/tif_jbig.c
+index 74086338..8bfa4cef 100644
+--- a/libtiff/tif_jbig.c
+++ b/libtiff/tif_jbig.c
+@@ -209,6 +209,16 @@ int TIFFInitJBIG(TIFF* tif, int scheme)
+         */
+        tif->tif_flags |= TIFF_NOBITREV;
+        tif->tif_flags &= ~TIFF_MAPPED;
+       /* We may have read from a previous IFD and thus set TIFF_BUFFERMMAP and
+        * cleared TIFF_MYBUFFER. It is necessary to restore them to their initial
+        * value to be consistent with the state of a non-memory mapped file.
+        */
+       if (tif->tif_flags&TIFF_BUFFERMMAP) {
+               tif->tif_rawdata = NULL;
+               tif->tif_rawdatasize = 0;
+               tif->tif_flags &= ~TIFF_BUFFERMMAP;
+               tif->tif_flags |= TIFF_MYBUFFER;
+       }
+ 
+        /* Setup the function pointers for encode, decode, and cleanup. */
+        tif->tif_setupdecode = JBIGSetupDecode;
+-- 
+2.25.1
diff --git a/meta/recipes-multimedia/libtiff/tiff/0002-tiffcrop-fix-issue-380-and-382-heap-buffer-overflow-.patch b/meta/recipes-multimedia/libtiff/tiff/0002-tiffcrop-fix-issue-380-and-382-heap-buffer-overflow-.patch
new file mode 100644
index 0000000000..d31e9650d1
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/tiff/0002-tiffcrop-fix-issue-380-and-382-heap-buffer-overflow-.patch
@@ -0,0 +1,218 @@
+CVE: CVE-2022-0891
+Upstream-Status: Backport
+Signed-off-by: Ross Burton <ross.burton@arm.com>
+From e46b49e60fddb2e924302fb1751f79eb9cfb2253 Mon Sep 17 00:00:00 2001
+From: Su Laus <sulau@freenet.de>
+Date: Tue, 8 Mar 2022 17:02:44 +0000
+Subject: [PATCH 2/6] tiffcrop: fix issue #380 and #382 heap buffer overflow in
+ extractImageSection
+---
+ tools/tiffcrop.c | 92 +++++++++++++++++++-----------------------------
+ 1 file changed, 36 insertions(+), 56 deletions(-)
+diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
+index b85c2ce7..302a7e91 100644
+--- a/tools/tiffcrop.c
+++ b/tools/tiffcrop.c
+@@ -105,8 +105,8 @@
+  *                of messages to monitor progress without enabling dump logs.
+  */
+ 
+-static   char tiffcrop_version_id[] = "2.4";
+-static   char tiffcrop_rev_date[] = "12-13-2010";
+static   char tiffcrop_version_id[] = "2.4.1";
+static   char tiffcrop_rev_date[] = "03-03-2010";
+ 
+ #include "tif_config.h"
+ #include "libport.h"
+@@ -6710,10 +6710,10 @@ extractImageSection(struct image_data *image, struct pageseg *section,
+ #ifdef DEVELMODE
+   uint32_t    img_length;
+ #endif
+-  uint32_t    j, shift1, shift2, trailing_bits;
+  uint32_t    j, shift1, trailing_bits;
+   uint32_t    row, first_row, last_row, first_col, last_col;
+   uint32_t    src_offset, dst_offset, row_offset, col_offset;
+-  uint32_t    offset1, offset2, full_bytes;
+  uint32_t    offset1, full_bytes;
+   uint32_t    sect_width;
+ #ifdef DEVELMODE
+   uint32_t    sect_length;
+@@ -6723,7 +6723,6 @@ extractImageSection(struct image_data *image, struct pageseg *section,
+ #ifdef DEVELMODE
+   int      k;
+   unsigned char bitset;
+-  static char *bitarray = NULL;
+ #endif
+ 
+   img_width = image->width;
+@@ -6741,17 +6740,12 @@ extractImageSection(struct image_data *image, struct pageseg *section,
+   dst_offset = 0;
+ 
+ #ifdef DEVELMODE
+-  if (bitarray == NULL)
+-    {
+-    if ((bitarray = (char *)malloc(img_width)) == NULL)
+-      {
+-      TIFFError ("", "DEBUG: Unable to allocate debugging bitarray");
+-      return (-1);
+-      }
+-    }
+  char bitarray[39];
+ #endif
+ 
+-  /* rows, columns, width, length are expressed in pixels */
+  /* rows, columns, width, length are expressed in pixels
+   * first_row, last_row, .. are index into image array starting at 0 to width-1,
+   * last_col shall be also extracted.  */
+   first_row = section->y1;
+   last_row  = section->y2;
+   first_col = section->x1;
+@@ -6761,9 +6755,14 @@ extractImageSection(struct image_data *image, struct pageseg *section,
+ #ifdef DEVELMODE
+   sect_length = last_row - first_row + 1;
+ #endif
+-  img_rowsize = ((img_width * bps + 7) / 8) * spp;
+-  full_bytes = (sect_width * spp * bps) / 8;   /* number of COMPLETE bytes per row in section */
+-  trailing_bits = (sect_width * bps) % 8;
+    /* The read function loadImage() used copy separate plane data into a buffer as interleaved
+     * samples rather than separate planes so the same logic works to extract regions
+     * regardless of the way the data are organized in the input file.
+     * Furthermore, bytes and bits are arranged in buffer according to COMPRESSION=1 and FILLORDER=1 
+     */
+    img_rowsize = (((img_width * spp * bps) + 7) / 8);    /* row size in full bytes of source image */
+    full_bytes = (sect_width * spp * bps) / 8;            /* number of COMPLETE bytes per row in section */
+    trailing_bits = (sect_width * spp * bps) % 8;         /* trailing bits within the last byte of destination buffer */
+ 
+ #ifdef DEVELMODE
+     TIFFError ("", "First row: %"PRIu32", last row: %"PRIu32", First col: %"PRIu32", last col: %"PRIu32"\n",
+@@ -6776,10 +6775,9 @@ extractImageSection(struct image_data *image, struct pageseg *section,
+ 
+   if ((bps % 8) == 0)
+     {
+-    col_offset = first_col * spp * bps / 8;
+    col_offset = (first_col * spp * bps) / 8;
+     for (row = first_row; row <= last_row; row++)
+       {
+-      /* row_offset = row * img_width * spp * bps / 8; */
+       row_offset = row * img_rowsize;
+       src_offset = row_offset + col_offset;
+ 
+@@ -6792,14 +6790,12 @@ extractImageSection(struct image_data *image, struct pageseg *section,
+     }
+   else
+     { /* bps != 8 */
+-    shift1  = spp * ((first_col * bps) % 8);
+-    shift2  = spp * ((last_col * bps) % 8);
+    shift1 = ((first_col * spp * bps) % 8);           /* shift1 = bits to skip in the first byte of source buffer*/
+     for (row = first_row; row <= last_row; row++)
+       {
+       /* pull out the first byte */
+       row_offset = row * img_rowsize;
+-      offset1 = row_offset + (first_col * bps / 8);
+-      offset2 = row_offset + (last_col * bps / 8);
+      offset1 = row_offset + ((first_col * spp * bps) / 8);   /* offset1 = offset into source of byte with first bits to be extracted */
+ 
+ #ifdef DEVELMODE
+       for (j = 0, k = 7; j < 8; j++, k--)
+@@ -6811,12 +6807,12 @@ extractImageSection(struct image_data *image, struct pageseg *section,
+       sprintf(&bitarray[9], " ");
+       for (j = 10, k = 7; j < 18; j++, k--)
+         {
+-        bitset = *(src_buff + offset2) & (((unsigned char)1 << k)) ? 1 : 0;
+        bitset = *(src_buff + offset1 + full_bytes) & (((unsigned char)1 << k)) ? 1 : 0;
+         sprintf(&bitarray[j], (bitset) ? "1" : "0");
+         }
+       bitarray[18] = '\0';
+-      TIFFError ("", "Row: %3d Offset1: %"PRIu32",  Shift1: %"PRIu32",    Offset2: %"PRIu32",  Shift2:  %"PRIu32"\n", 
+-                 row, offset1, shift1, offset2, shift2); 
+      TIFFError ("", "Row: %3d Offset1: %"PRIu32",  Shift1: %"PRIu32",    Offset2: %"PRIu32",  Trailing_bits:  %"PRIu32"\n", 
+                 row, offset1, shift1, offset1+full_bytes, trailing_bits); 
+ #endif
+ 
+       bytebuff1 = bytebuff2 = 0;
+@@ -6840,11 +6836,12 @@ extractImageSection(struct image_data *image, struct pageseg *section,
+ 
+         if (trailing_bits != 0)
+           {
+-         bytebuff2 = src_buff[offset2] & ((unsigned char)255 << (7 - shift2));
+      /* Only copy higher bits of samples and mask lower bits of not wanted column samples to zero */
+         bytebuff2 = src_buff[offset1 + full_bytes] & ((unsigned char)255 << (8 - trailing_bits));
+           sect_buff[dst_offset] = bytebuff2;
+ #ifdef DEVELMODE
+          TIFFError ("", "        Trailing bits src offset:  %8"PRIu32", Dst offset: %8"PRIu32"\n",
+-                              offset2, dst_offset); 
+          offset1 + full_bytes, dst_offset);
+           for (j = 30, k = 7; j < 38; j++, k--)
+             {
+             bitset = *(sect_buff + dst_offset) & (((unsigned char)1 << k)) ? 1 : 0;
+@@ -6863,8 +6860,10 @@ extractImageSection(struct image_data *image, struct pageseg *section,
+ #endif
+         for (j = 0; j <= full_bytes; j++) 
+           {
+-         bytebuff1 = src_buff[offset1 + j] & ((unsigned char)255 >> shift1);
+-         bytebuff2 = src_buff[offset1 + j + 1] & ((unsigned char)255 << (7 - shift1));
+          /* Skip the first shift1 bits and shift the source up by shift1 bits before save to destination.*/
+          /* Attention: src_buff size needs to be some bytes larger than image size, because could read behind image here. */
+          bytebuff1 = src_buff[offset1 + j] & ((unsigned char)255 >> shift1);
+          bytebuff2 = src_buff[offset1 + j + 1] & ((unsigned char)255 << (8 - shift1));
+           sect_buff[dst_offset + j] = (bytebuff1 << shift1) | (bytebuff2 >> (8 - shift1));
+           }
+ #ifdef DEVELMODE
+@@ -6880,36 +6879,17 @@ extractImageSection(struct image_data *image, struct pageseg *section,
+ #endif
+         dst_offset += full_bytes;
+ 
+        /* Copy the trailing_bits for the last byte in the destination buffer. 
+           Could come from one ore two bytes of the source buffer. */
+         if (trailing_bits != 0)
+           {
+ #ifdef DEVELMODE
+-           TIFFError ("", "        Trailing bits   src offset: %8"PRIu32", Dst offset: %8"PRIu32"\n", offset1 + full_bytes, dst_offset);
+-#endif
+-         if (shift2 > shift1)
+-            {
+-           bytebuff1 = src_buff[offset1 + full_bytes] & ((unsigned char)255 << (7 - shift2));
+-            bytebuff2 = bytebuff1 & ((unsigned char)255 << shift1);
+-            sect_buff[dst_offset] = bytebuff2;
+-#ifdef DEVELMODE
+-           TIFFError ("", "        Shift2 > Shift1\n"); 
+          TIFFError("", "        Trailing bits %4"PRIu32"   src offset: %8"PRIu32", Dst offset: %8"PRIu32"\n", trailing_bits, offset1 + full_bytes, dst_offset);
+ #endif
+          /* More than necessary bits are already copied into last destination buffer, 
+           * only masking of last byte in destination buffer is necessary.*/ 
+          sect_buff[dst_offset] &= ((uint8_t)0xFF << (8 - trailing_bits));
+             }
+-          else
+-            {
+-           if (shift2 < shift1)
+-              {
+-              bytebuff2 = ((unsigned char)255 << (shift1 - shift2 - 1));
+-             sect_buff[dst_offset] &= bytebuff2;
+-#ifdef DEVELMODE
+-             TIFFError ("", "        Shift2 < Shift1\n"); 
+-#endif
+-              }
+-#ifdef DEVELMODE
+-            else
+-             TIFFError ("", "        Shift2 == Shift1\n"); 
+-#endif
+-            }
+-         }
+ #ifdef DEVELMODE
+          sprintf(&bitarray[28], " ");
+          sprintf(&bitarray[29], " ");
+@@ -7062,7 +7042,7 @@ writeImageSections(TIFF *in, TIFF *out, struct image_data *image,
+     width  = sections[i].x2 - sections[i].x1 + 1;
+     length = sections[i].y2 - sections[i].y1 + 1;
+     sectsize = (uint32_t)
+-           ceil((width * image->bps + 7) / (double)8) * image->spp * length;
+           ceil((width * image->bps * image->spp + 7) / (double)8) * length;
+     /* allocate a buffer if we don't have one already */
+     if (createImageSection(sectsize, sect_buff_ptr))
+       {
+-- 
+2.25.1
diff --git a/meta/recipes-multimedia/libtiff/tiff/0003-add-checks-for-return-value-of-limitMalloc-392.patch b/meta/recipes-multimedia/libtiff/tiff/0003-add-checks-for-return-value-of-limitMalloc-392.patch
new file mode 100644
index 0000000000..a0b856b9e1
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/tiff/0003-add-checks-for-return-value-of-limitMalloc-392.patch
@@ -0,0 +1,93 @@
+CVE: CVE-2022-0907
+Upstream-Status: Backport
+Signed-off-by: Ross Burton <ross.burton@arm.com>
+From a139191cc86f4dc44c74a0f22928e0fb38ed2485 Mon Sep 17 00:00:00 2001
+From: Augustus <wangdw.augustus@qq.com>
+Date: Mon, 7 Mar 2022 18:21:49 +0800
+Subject: [PATCH 3/6] add checks for return value of limitMalloc (#392)
+---
+ tools/tiffcrop.c | 33 +++++++++++++++++++++------------
+ 1 file changed, 21 insertions(+), 12 deletions(-)
+diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
+index 302a7e91..e407bf51 100644
+--- a/tools/tiffcrop.c
+++ b/tools/tiffcrop.c
+@@ -7357,7 +7357,11 @@ createImageSection(uint32_t sectsize, unsigned char **sect_buff_ptr)
+   if (!sect_buff)
+     {
+     sect_buff = (unsigned char *)limitMalloc(sectsize);
+-    *sect_buff_ptr = sect_buff;
+    if (!sect_buff)
+    {
+        TIFFError("createImageSection", "Unable to allocate/reallocate section buffer");
+        return (-1);
+    }
+     _TIFFmemset(sect_buff, 0, sectsize);
+     }
+   else
+@@ -7373,15 +7377,15 @@ createImageSection(uint32_t sectsize, unsigned char **sect_buff_ptr)
+       else
+         sect_buff = new_buff;
+ 
+      if (!sect_buff)
+      {
+          TIFFError("createImageSection", "Unable to allocate/reallocate section buffer");
+          return (-1);
+      }
+       _TIFFmemset(sect_buff, 0, sectsize);
+       }
+     }
+ 
+-  if (!sect_buff)
+-    {
+-    TIFFError("createImageSection", "Unable to allocate/reallocate section buffer");
+-    return (-1);
+-    }
+   prev_sectsize = sectsize;
+   *sect_buff_ptr = sect_buff;
+ 
+@@ -7648,7 +7652,11 @@ createCroppedImage(struct image_data *image, struct crop_mask *crop,
+   if (!crop_buff)
+     {
+     crop_buff = (unsigned char *)limitMalloc(cropsize);
+-    *crop_buff_ptr = crop_buff;
+    if (!crop_buff)
+    {
+        TIFFError("createCroppedImage", "Unable to allocate/reallocate crop buffer");
+        return (-1);
+    }
+     _TIFFmemset(crop_buff, 0, cropsize);
+     prev_cropsize = cropsize;
+     }
+@@ -7664,15 +7672,15 @@ createCroppedImage(struct image_data *image, struct crop_mask *crop,
+         }
+       else
+         crop_buff = new_buff;
+      if (!crop_buff)
+      {
+          TIFFError("createCroppedImage", "Unable to allocate/reallocate crop buffer");
+          return (-1);
+      }
+       _TIFFmemset(crop_buff, 0, cropsize);
+       }
+     }
+ 
+-  if (!crop_buff)
+-    {
+-    TIFFError("createCroppedImage", "Unable to allocate/reallocate crop buffer");
+-    return (-1);
+-    }
+   *crop_buff_ptr = crop_buff;
+ 
+   if (crop->crop_mode & CROP_INVERT)
+@@ -9231,3 +9239,4 @@ invertImage(uint16_t photometric, uint16_t spp, uint16_t bps, uint32_t width, ui
+  * fill-column: 78
+  * End:
+  */
+
+-- 
+2.25.1
diff --git a/meta/recipes-multimedia/libtiff/tiff/0004-TIFFFetchNormalTag-avoid-calling-memcpy-with-a-null-.patch b/meta/recipes-multimedia/libtiff/tiff/0004-TIFFFetchNormalTag-avoid-calling-memcpy-with-a-null-.patch
new file mode 100644
index 0000000000..719dabaecc
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/tiff/0004-TIFFFetchNormalTag-avoid-calling-memcpy-with-a-null-.patch
@@ -0,0 +1,33 @@
+CVE: CVE-2022-0908
+Upstream-Status: Backport
+Signed-off-by: Ross Burton <ross.burton@arm.com>
+From ef5a0bf271823df168642444d051528a68205cb0 Mon Sep 17 00:00:00 2001
+From: Even Rouault <even.rouault@spatialys.com>
+Date: Thu, 17 Feb 2022 15:28:43 +0100
+Subject: [PATCH 4/6] TIFFFetchNormalTag(): avoid calling memcpy() with a null
+ source pointer and size of zero (fixes #383)
+---
+ libtiff/tif_dirread.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c
+index d84147a0..4e8ce729 100644
+--- a/libtiff/tif_dirread.c
+++ b/libtiff/tif_dirread.c
+@@ -5079,7 +5079,10 @@ TIFFFetchNormalTag(TIFF* tif, TIFFDirEntry* dp, int recover)
+                                                                _TIFFfree(data);
+                                                        return(0);
+                                                }
+-                                               _TIFFmemcpy(o,data,(uint32_t)dp->tdir_count);
+                                               if (dp->tdir_count > 0 )
+                                               {
+                                                       _TIFFmemcpy(o,data,(uint32_t)dp->tdir_count);
+                                               }
+                                                o[(uint32_t)dp->tdir_count]=0;
+                                                if (data!=0)
+                                                        _TIFFfree(data);
+-- 
+2.25.1
diff --git a/meta/recipes-multimedia/libtiff/tiff/0005-fix-the-FPE-in-tiffcrop-393.patch b/meta/recipes-multimedia/libtiff/tiff/0005-fix-the-FPE-in-tiffcrop-393.patch
new file mode 100644
index 0000000000..64dbe9ef92
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/tiff/0005-fix-the-FPE-in-tiffcrop-393.patch
@@ -0,0 +1,36 @@
+CVE: CVE-2022-0909
+Upstream-Status: Backport
+Signed-off-by: Ross Burton <ross.burton@arm.com>
+From 4768355a074d562177e0a8b551c561d1af7eb74a Mon Sep 17 00:00:00 2001
+From: 4ugustus <wangdw.augustus@qq.com>
+Date: Tue, 8 Mar 2022 16:22:04 +0000
+Subject: [PATCH 5/6] fix the FPE in tiffcrop (#393)
+---
+ libtiff/tif_dir.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+diff --git a/libtiff/tif_dir.c b/libtiff/tif_dir.c
+index a6c254fc..77da6ea4 100644
+--- a/libtiff/tif_dir.c
+++ b/libtiff/tif_dir.c
+@@ -335,13 +335,13 @@ _TIFFVSetField(TIFF* tif, uint32_t tag, va_list ap)
+                break;
+        case TIFFTAG_XRESOLUTION:
+         dblval = va_arg(ap, double);
+-        if( dblval < 0 )
+        if( dblval != dblval || dblval < 0 )
+             goto badvaluedouble;
+                td->td_xresolution = _TIFFClampDoubleToFloat( dblval );
+                break;
+        case TIFFTAG_YRESOLUTION:
+         dblval = va_arg(ap, double);
+-        if( dblval < 0 )
+        if( dblval != dblval || dblval < 0 )
+             goto badvaluedouble;
+                td->td_yresolution = _TIFFClampDoubleToFloat( dblval );
+                break;
+-- 
+2.25.1
diff --git a/meta/recipes-multimedia/libtiff/tiff/0006-fix-heap-buffer-overflow-in-tiffcp-278.patch b/meta/recipes-multimedia/libtiff/tiff/0006-fix-heap-buffer-overflow-in-tiffcp-278.patch
new file mode 100644
index 0000000000..afd5e59960
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/tiff/0006-fix-heap-buffer-overflow-in-tiffcp-278.patch
@@ -0,0 +1,57 @@
+CVE: CVE-2022-0924
+Upstream-Status: Backport
+Signed-off-by: Ross Burton <ross.burton@arm.com>
+From 1074b9691322b1e3671cd8ea0b6b3509d08978fb Mon Sep 17 00:00:00 2001
+From: 4ugustus <wangdw.augustus@qq.com>
+Date: Thu, 10 Mar 2022 08:48:00 +0000
+Subject: [PATCH 6/6] fix heap buffer overflow in tiffcp (#278)
+---
+ tools/tiffcp.c | 17 ++++++++++++++++-
+ 1 file changed, 16 insertions(+), 1 deletion(-)
+diff --git a/tools/tiffcp.c b/tools/tiffcp.c
+index 1f889516..552d8fad 100644
+--- a/tools/tiffcp.c
+++ b/tools/tiffcp.c
+@@ -1661,12 +1661,27 @@ DECLAREwriteFunc(writeBufferToSeparateStrips)
+        tdata_t obuf;
+        tstrip_t strip = 0;
+        tsample_t s;
+       uint16_t bps = 0, bytes_per_sample;
+ 
+        obuf = limitMalloc(stripsize);
+        if (obuf == NULL)
+                return (0);
+        _TIFFmemset(obuf, 0, stripsize);
+        (void) TIFFGetFieldDefaulted(out, TIFFTAG_ROWSPERSTRIP, &rowsperstrip);
+       (void) TIFFGetField(out, TIFFTAG_BITSPERSAMPLE, &bps);
+       if( bps == 0 )
+        {
+            TIFFError(TIFFFileName(out), "Error, cannot read BitsPerSample");
+            _TIFFfree(obuf);
+            return 0;
+        }
+        if( (bps % 8) != 0 )
+        {
+            TIFFError(TIFFFileName(out), "Error, cannot handle BitsPerSample that is not a multiple of 8");
+            _TIFFfree(obuf);
+            return 0;
+        }
+       bytes_per_sample = bps/8;
+        for (s = 0; s < spp; s++) {
+                uint32_t row;
+                for (row = 0; row < imagelength; row += rowsperstrip) {
+@@ -1676,7 +1691,7 @@ DECLAREwriteFunc(writeBufferToSeparateStrips)
+ 
+                        cpContigBufToSeparateBuf(
+                            obuf, (uint8_t*) buf + row * rowsize + s,
+-                           nrows, imagewidth, 0, 0, spp, 1);
+                           nrows, imagewidth, 0, 0, spp, bytes_per_sample);
+                        if (TIFFWriteEncodedStrip(out, strip++, obuf, stripsize) < 0) {
+                                TIFFError(TIFFFileName(out),
+                                    "Error, can't write strip %"PRIu32,
+-- 
+2.25.1
diff --git a/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb b/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb
index 6b933a409b..9c9108a6af 100644
--- a/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb
+++ b/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb
@@ -11,7 +11,14 @@ CVE_PRODUCT = "libtiff"
 SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
           file://0001-tiffset-fix-global-buffer-overflow-for-ASCII-tags-wh.patch \
           file://561599c99f987dc32ae110370cfdd7df7975586b.patch \
-           file://eecb0712f4c3a5b449f70c57988260a667ddbdef.patch"
+           file://eecb0712f4c3a5b449f70c57988260a667ddbdef.patch \
+           file://0001-tif_jbig.c-fix-crash-when-reading-a-file-with-multip.patch \
+           file://0002-tiffcrop-fix-issue-380-and-382-heap-buffer-overflow-.patch \
+           file://0003-add-checks-for-return-value-of-limitMalloc-392.patch \
+           file://0004-TIFFFetchNormalTag-avoid-calling-memcpy-with-a-null-.patch \
+           file://0005-fix-the-FPE-in-tiffcrop-393.patch \
+           file://0006-fix-heap-buffer-overflow-in-tiffcp-278.patch \
+           "
 SRC_URI[sha256sum] = "0e46e5acb087ce7d1ac53cf4f56a09b221537fc86dfc5daaad1c2e89e1b37ac8"
author	Ross Burton <ross@burtonini.com>	2022-03-21 13:22:25 +0000
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2022-03-23 12:13:50 +0000
commit	a2b1bfd957e7df8ddf167f46bb1e9d573f4761e5 (patch)
tree	1159b36e14ae83cd67f2b55f4f30d5d688a304f1 /meta/recipes-multimedia
parent	73aa8621c5987befdec66a9ff09e1e2cb4f6adcd (diff)
download	poky-a2b1bfd957e7df8ddf167f46bb1e9d573f4761e5.tar.gz

diff --git a/meta/recipes-multimedia/libtiff/tiff/0001-tif_jbig.c-fix-crash-when-reading-a-file-with-multip.patch b/meta/recipes-multimedia/libtiff/tiff/0001-tif_jbig.c-fix-crash-when-reading-a-file-with-multip.patch new file mode 100644 index 0000000000..f1a4ab4251 --- /dev/null +++ b/meta/recipes-multimedia/libtiff/tiff/0001-tif_jbig.c-fix-crash-when-reading-a-file-with-multip.patch
@@ -0,0 +1,38 @@
		1	CVE: CVE-2022-0865
		2	Upstream-Status: Backport
		3	Signed-off-by: Ross Burton <ross.burton@arm.com>
		4
		5	From 88da11ae3c4db527cb870fb1017456cc8fbac2e7 Mon Sep 17 00:00:00 2001
		6	From: Even Rouault <even.rouault@spatialys.com>
		7	Date: Thu, 24 Feb 2022 22:26:02 +0100
		8	Subject: [PATCH 1/6] tif_jbig.c: fix crash when reading a file with multiple
		9	IFD in memory-mapped mode and when bit reversal is needed (fixes #385)
		10
		11	---
		12	libtiff/tif_jbig.c \| 10 ++++++++++
		13	1 file changed, 10 insertions(+)
		14
		15	diff --git a/libtiff/tif_jbig.c b/libtiff/tif_jbig.c
		16	index 74086338..8bfa4cef 100644
		17	--- a/libtiff/tif_jbig.c
		18	+++ b/libtiff/tif_jbig.c
		19	@@ -209,6 +209,16 @@ int TIFFInitJBIG(TIFF* tif, int scheme)
		20	*/
		21	tif->tif_flags \|= TIFF_NOBITREV;
		22	tif->tif_flags &= ~TIFF_MAPPED;
		23	+ /* We may have read from a previous IFD and thus set TIFF_BUFFERMMAP and
		24	+ * cleared TIFF_MYBUFFER. It is necessary to restore them to their initial
		25	+ * value to be consistent with the state of a non-memory mapped file.
		26	+ */
		27	+ if (tif->tif_flags&TIFF_BUFFERMMAP) {
		28	+ tif->tif_rawdata = NULL;
		29	+ tif->tif_rawdatasize = 0;
		30	+ tif->tif_flags &= ~TIFF_BUFFERMMAP;
		31	+ tif->tif_flags \|= TIFF_MYBUFFER;
		32	+ }
		33
		34	/* Setup the function pointers for encode, decode, and cleanup. */
		35	tif->tif_setupdecode = JBIGSetupDecode;
		36	--
		37	2.25.1
		38


diff --git a/meta/recipes-multimedia/libtiff/tiff/0002-tiffcrop-fix-issue-380-and-382-heap-buffer-overflow-.patch b/meta/recipes-multimedia/libtiff/tiff/0002-tiffcrop-fix-issue-380-and-382-heap-buffer-overflow-.patch new file mode 100644 index 0000000000..d31e9650d1 --- /dev/null +++ b/meta/recipes-multimedia/libtiff/tiff/0002-tiffcrop-fix-issue-380-and-382-heap-buffer-overflow-.patch
@@ -0,0 +1,218 @@
		1	CVE: CVE-2022-0891
		2	Upstream-Status: Backport
		3	Signed-off-by: Ross Burton <ross.burton@arm.com>
		4
		5	From e46b49e60fddb2e924302fb1751f79eb9cfb2253 Mon Sep 17 00:00:00 2001
		6	From: Su Laus <sulau@freenet.de>
		7	Date: Tue, 8 Mar 2022 17:02:44 +0000
		8	Subject: [PATCH 2/6] tiffcrop: fix issue #380 and #382 heap buffer overflow in
		9	extractImageSection
		10
		11	---
		12	tools/tiffcrop.c \| 92 +++++++++++++++++++-----------------------------
		13	1 file changed, 36 insertions(+), 56 deletions(-)
		14
		15	diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
		16	index b85c2ce7..302a7e91 100644
		17	--- a/tools/tiffcrop.c
		18	+++ b/tools/tiffcrop.c
		19	@@ -105,8 +105,8 @@
		20	* of messages to monitor progress without enabling dump logs.
		21	*/
		22
		23	-static char tiffcrop_version_id[] = "2.4";
		24	-static char tiffcrop_rev_date[] = "12-13-2010";
		25	+static char tiffcrop_version_id[] = "2.4.1";
		26	+static char tiffcrop_rev_date[] = "03-03-2010";
		27
		28	#include "tif_config.h"
		29	#include "libport.h"
		30	@@ -6710,10 +6710,10 @@ extractImageSection(struct image_data image, struct pageseg section,
		31	#ifdef DEVELMODE
		32	uint32_t img_length;
		33	#endif
		34	- uint32_t j, shift1, shift2, trailing_bits;
		35	+ uint32_t j, shift1, trailing_bits;
		36	uint32_t row, first_row, last_row, first_col, last_col;
		37	uint32_t src_offset, dst_offset, row_offset, col_offset;
		38	- uint32_t offset1, offset2, full_bytes;
		39	+ uint32_t offset1, full_bytes;
		40	uint32_t sect_width;
		41	#ifdef DEVELMODE
		42	uint32_t sect_length;
		43	@@ -6723,7 +6723,6 @@ extractImageSection(struct image_data image, struct pageseg section,
		44	#ifdef DEVELMODE
		45	int k;
		46	unsigned char bitset;
		47	- static char *bitarray = NULL;
		48	#endif
		49
		50	img_width = image->width;
		51	@@ -6741,17 +6740,12 @@ extractImageSection(struct image_data image, struct pageseg section,
		52	dst_offset = 0;
		53
		54	#ifdef DEVELMODE
		55	- if (bitarray == NULL)
		56	- {
		57	- if ((bitarray = (char *)malloc(img_width)) == NULL)
		58	- {
		59	- TIFFError ("", "DEBUG: Unable to allocate debugging bitarray");
		60	- return (-1);
		61	- }
		62	- }
		63	+ char bitarray[39];
		64	#endif
		65
		66	- /* rows, columns, width, length are expressed in pixels */
		67	+ /* rows, columns, width, length are expressed in pixels
		68	+ * first_row, last_row, .. are index into image array starting at 0 to width-1,
		69	+ * last_col shall be also extracted. */
		70	first_row = section->y1;
		71	last_row = section->y2;
		72	first_col = section->x1;
		73	@@ -6761,9 +6755,14 @@ extractImageSection(struct image_data image, struct pageseg section,
		74	#ifdef DEVELMODE
		75	sect_length = last_row - first_row + 1;
		76	#endif
		77	- img_rowsize = ((img_width * bps + 7) / 8) * spp;
		78	- full_bytes = (sect_width * spp * bps) / 8; /* number of COMPLETE bytes per row in section */
		79	- trailing_bits = (sect_width * bps) % 8;
		80	+ /* The read function loadImage() used copy separate plane data into a buffer as interleaved
		81	+ * samples rather than separate planes so the same logic works to extract regions
		82	+ * regardless of the way the data are organized in the input file.
		83	+ * Furthermore, bytes and bits are arranged in buffer according to COMPRESSION=1 and FILLORDER=1
		84	+ */
		85	+ img_rowsize = (((img_width * spp * bps) + 7) / 8); /* row size in full bytes of source image */
		86	+ full_bytes = (sect_width * spp * bps) / 8; /* number of COMPLETE bytes per row in section */
		87	+ trailing_bits = (sect_width * spp * bps) % 8; /* trailing bits within the last byte of destination buffer */
		88
		89	#ifdef DEVELMODE
		90	TIFFError ("", "First row: %"PRIu32", last row: %"PRIu32", First col: %"PRIu32", last col: %"PRIu32"\n",
		91	@@ -6776,10 +6775,9 @@ extractImageSection(struct image_data image, struct pageseg section,
		92
		93	if ((bps % 8) == 0)
		94	{
		95	- col_offset = first_col * spp * bps / 8;
		96	+ col_offset = (first_col * spp * bps) / 8;
		97	for (row = first_row; row <= last_row; row++)
		98	{
		99	- /* row_offset = row * img_width * spp * bps / 8; */
		100	row_offset = row * img_rowsize;
		101	src_offset = row_offset + col_offset;
		102
		103	@@ -6792,14 +6790,12 @@ extractImageSection(struct image_data image, struct pageseg section,
		104	}
		105	else
		106	{ /* bps != 8 */
		107	- shift1 = spp * ((first_col * bps) % 8);
		108	- shift2 = spp * ((last_col * bps) % 8);
		109	+ shift1 = ((first_col * spp * bps) % 8); /* shift1 = bits to skip in the first byte of source buffer*/
		110	for (row = first_row; row <= last_row; row++)
		111	{
		112	/* pull out the first byte */
		113	row_offset = row * img_rowsize;
		114	- offset1 = row_offset + (first_col * bps / 8);
		115	- offset2 = row_offset + (last_col * bps / 8);
		116	+ offset1 = row_offset + ((first_col * spp * bps) / 8); /* offset1 = offset into source of byte with first bits to be extracted */
		117
		118	#ifdef DEVELMODE
		119	for (j = 0, k = 7; j < 8; j++, k--)
		120	@@ -6811,12 +6807,12 @@ extractImageSection(struct image_data image, struct pageseg section,
		121	sprintf(&bitarray[9], " ");
		122	for (j = 10, k = 7; j < 18; j++, k--)
		123	{
		124	- bitset = *(src_buff + offset2) & (((unsigned char)1 << k)) ? 1 : 0;
		125	+ bitset = *(src_buff + offset1 + full_bytes) & (((unsigned char)1 << k)) ? 1 : 0;
		126	sprintf(&bitarray[j], (bitset) ? "1" : "0");
		127	}
		128	bitarray[18] = '\0';
		129	- TIFFError ("", "Row: %3d Offset1: %"PRIu32", Shift1: %"PRIu32", Offset2: %"PRIu32", Shift2: %"PRIu32"\n",
		130	- row, offset1, shift1, offset2, shift2);
		131	+ TIFFError ("", "Row: %3d Offset1: %"PRIu32", Shift1: %"PRIu32", Offset2: %"PRIu32", Trailing_bits: %"PRIu32"\n",
		132	+ row, offset1, shift1, offset1+full_bytes, trailing_bits);
		133	#endif
		134
		135	bytebuff1 = bytebuff2 = 0;
		136	@@ -6840,11 +6836,12 @@ extractImageSection(struct image_data image, struct pageseg section,
		137
		138	if (trailing_bits != 0)
		139	{
		140	- bytebuff2 = src_buff[offset2] & ((unsigned char)255 << (7 - shift2));
		141	+ /* Only copy higher bits of samples and mask lower bits of not wanted column samples to zero */
		142	+ bytebuff2 = src_buff[offset1 + full_bytes] & ((unsigned char)255 << (8 - trailing_bits));
		143	sect_buff[dst_offset] = bytebuff2;
		144	#ifdef DEVELMODE
		145	TIFFError ("", " Trailing bits src offset: %8"PRIu32", Dst offset: %8"PRIu32"\n",
		146	- offset2, dst_offset);
		147	+ offset1 + full_bytes, dst_offset);
		148	for (j = 30, k = 7; j < 38; j++, k--)
		149	{
		150	bitset = *(sect_buff + dst_offset) & (((unsigned char)1 << k)) ? 1 : 0;
		151	@@ -6863,8 +6860,10 @@ extractImageSection(struct image_data image, struct pageseg section,
		152	#endif
		153	for (j = 0; j <= full_bytes; j++)
		154	{
		155	- bytebuff1 = src_buff[offset1 + j] & ((unsigned char)255 >> shift1);
		156	- bytebuff2 = src_buff[offset1 + j + 1] & ((unsigned char)255 << (7 - shift1));
		157	+ /* Skip the first shift1 bits and shift the source up by shift1 bits before save to destination.*/
		158	+ /* Attention: src_buff size needs to be some bytes larger than image size, because could read behind image here. */
		159	+ bytebuff1 = src_buff[offset1 + j] & ((unsigned char)255 >> shift1);
		160	+ bytebuff2 = src_buff[offset1 + j + 1] & ((unsigned char)255 << (8 - shift1));
		161	sect_buff[dst_offset + j] = (bytebuff1 << shift1) \| (bytebuff2 >> (8 - shift1));
		162	}
		163	#ifdef DEVELMODE
		164	@@ -6880,36 +6879,17 @@ extractImageSection(struct image_data image, struct pageseg section,
		165	#endif
		166	dst_offset += full_bytes;
		167
		168	+ /* Copy the trailing_bits for the last byte in the destination buffer.
		169	+ Could come from one ore two bytes of the source buffer. */
		170	if (trailing_bits != 0)
		171	{
		172	#ifdef DEVELMODE
		173	- TIFFError ("", " Trailing bits src offset: %8"PRIu32", Dst offset: %8"PRIu32"\n", offset1 + full_bytes, dst_offset);
		174	-#endif
		175	- if (shift2 > shift1)
		176	- {
		177	- bytebuff1 = src_buff[offset1 + full_bytes] & ((unsigned char)255 << (7 - shift2));
		178	- bytebuff2 = bytebuff1 & ((unsigned char)255 << shift1);
		179	- sect_buff[dst_offset] = bytebuff2;
		180	-#ifdef DEVELMODE
		181	- TIFFError ("", " Shift2 > Shift1\n");
		182	+ TIFFError("", " Trailing bits %4"PRIu32" src offset: %8"PRIu32", Dst offset: %8"PRIu32"\n", trailing_bits, offset1 + full_bytes, dst_offset);
		183	#endif
		184	+ /* More than necessary bits are already copied into last destination buffer,
		185	+ * only masking of last byte in destination buffer is necessary.*/
		186	+ sect_buff[dst_offset] &= ((uint8_t)0xFF << (8 - trailing_bits));
		187	}
		188	- else
		189	- {
		190	- if (shift2 < shift1)
		191	- {
		192	- bytebuff2 = ((unsigned char)255 << (shift1 - shift2 - 1));
		193	- sect_buff[dst_offset] &= bytebuff2;
		194	-#ifdef DEVELMODE
		195	- TIFFError ("", " Shift2 < Shift1\n");
		196	-#endif
		197	- }
		198	-#ifdef DEVELMODE
		199	- else
		200	- TIFFError ("", " Shift2 == Shift1\n");
		201	-#endif
		202	- }
		203	- }
		204	#ifdef DEVELMODE
		205	sprintf(&bitarray[28], " ");
		206	sprintf(&bitarray[29], " ");
		207	@@ -7062,7 +7042,7 @@ writeImageSections(TIFF in, TIFF out, struct image_data *image,
		208	width = sections[i].x2 - sections[i].x1 + 1;
		209	length = sections[i].y2 - sections[i].y1 + 1;
		210	sectsize = (uint32_t)
		211	- ceil((width * image->bps + 7) / (double)8) * image->spp * length;
		212	+ ceil((width * image->bps * image->spp + 7) / (double)8) * length;
		213	/* allocate a buffer if we don't have one already */
		214	if (createImageSection(sectsize, sect_buff_ptr))
		215	{
		216	--
		217	2.25.1
		218


diff --git a/meta/recipes-multimedia/libtiff/tiff/0003-add-checks-for-return-value-of-limitMalloc-392.patch b/meta/recipes-multimedia/libtiff/tiff/0003-add-checks-for-return-value-of-limitMalloc-392.patch new file mode 100644 index 0000000000..a0b856b9e1 --- /dev/null +++ b/meta/recipes-multimedia/libtiff/tiff/0003-add-checks-for-return-value-of-limitMalloc-392.patch
@@ -0,0 +1,93 @@
		1	CVE: CVE-2022-0907
		2	Upstream-Status: Backport
		3	Signed-off-by: Ross Burton <ross.burton@arm.com>
		4
		5	From a139191cc86f4dc44c74a0f22928e0fb38ed2485 Mon Sep 17 00:00:00 2001
		6	From: Augustus <wangdw.augustus@qq.com>
		7	Date: Mon, 7 Mar 2022 18:21:49 +0800
		8	Subject: [PATCH 3/6] add checks for return value of limitMalloc (#392)
		9
		10	---
		11	tools/tiffcrop.c \| 33 +++++++++++++++++++++------------
		12	1 file changed, 21 insertions(+), 12 deletions(-)
		13
		14	diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
		15	index 302a7e91..e407bf51 100644
		16	--- a/tools/tiffcrop.c
		17	+++ b/tools/tiffcrop.c
		18	@@ -7357,7 +7357,11 @@ createImageSection(uint32_t sectsize, unsigned char **sect_buff_ptr)
		19	if (!sect_buff)
		20	{
		21	sect_buff = (unsigned char *)limitMalloc(sectsize);
		22	- *sect_buff_ptr = sect_buff;
		23	+ if (!sect_buff)
		24	+ {
		25	+ TIFFError("createImageSection", "Unable to allocate/reallocate section buffer");
		26	+ return (-1);
		27	+ }
		28	_TIFFmemset(sect_buff, 0, sectsize);
		29	}
		30	else
		31	@@ -7373,15 +7377,15 @@ createImageSection(uint32_t sectsize, unsigned char **sect_buff_ptr)
		32	else
		33	sect_buff = new_buff;
		34
		35	+ if (!sect_buff)
		36	+ {
		37	+ TIFFError("createImageSection", "Unable to allocate/reallocate section buffer");
		38	+ return (-1);
		39	+ }
		40	_TIFFmemset(sect_buff, 0, sectsize);
		41	}
		42	}
		43
		44	- if (!sect_buff)
		45	- {
		46	- TIFFError("createImageSection", "Unable to allocate/reallocate section buffer");
		47	- return (-1);
		48	- }
		49	prev_sectsize = sectsize;
		50	*sect_buff_ptr = sect_buff;
		51
		52	@@ -7648,7 +7652,11 @@ createCroppedImage(struct image_data image, struct crop_mask crop,
		53	if (!crop_buff)
		54	{
		55	crop_buff = (unsigned char *)limitMalloc(cropsize);
		56	- *crop_buff_ptr = crop_buff;
		57	+ if (!crop_buff)
		58	+ {
		59	+ TIFFError("createCroppedImage", "Unable to allocate/reallocate crop buffer");
		60	+ return (-1);
		61	+ }
		62	_TIFFmemset(crop_buff, 0, cropsize);
		63	prev_cropsize = cropsize;
		64	}
		65	@@ -7664,15 +7672,15 @@ createCroppedImage(struct image_data image, struct crop_mask crop,
		66	}
		67	else
		68	crop_buff = new_buff;
		69	+ if (!crop_buff)
		70	+ {
		71	+ TIFFError("createCroppedImage", "Unable to allocate/reallocate crop buffer");
		72	+ return (-1);
		73	+ }
		74	_TIFFmemset(crop_buff, 0, cropsize);
		75	}
		76	}
		77
		78	- if (!crop_buff)
		79	- {
		80	- TIFFError("createCroppedImage", "Unable to allocate/reallocate crop buffer");
		81	- return (-1);
		82	- }
		83	*crop_buff_ptr = crop_buff;
		84
		85	if (crop->crop_mode & CROP_INVERT)
		86	@@ -9231,3 +9239,4 @@ invertImage(uint16_t photometric, uint16_t spp, uint16_t bps, uint32_t width, ui
		87	* fill-column: 78
		88	* End:
		89	*/
		90	+
		91	--
		92	2.25.1
		93


diff --git a/meta/recipes-multimedia/libtiff/tiff/0004-TIFFFetchNormalTag-avoid-calling-memcpy-with-a-null-.patch b/meta/recipes-multimedia/libtiff/tiff/0004-TIFFFetchNormalTag-avoid-calling-memcpy-with-a-null-.patch new file mode 100644 index 0000000000..719dabaecc --- /dev/null +++ b/meta/recipes-multimedia/libtiff/tiff/0004-TIFFFetchNormalTag-avoid-calling-memcpy-with-a-null-.patch
@@ -0,0 +1,33 @@
		1	CVE: CVE-2022-0908
		2	Upstream-Status: Backport
		3	Signed-off-by: Ross Burton <ross.burton@arm.com>
		4
		5	From ef5a0bf271823df168642444d051528a68205cb0 Mon Sep 17 00:00:00 2001
		6	From: Even Rouault <even.rouault@spatialys.com>
		7	Date: Thu, 17 Feb 2022 15:28:43 +0100
		8	Subject: [PATCH 4/6] TIFFFetchNormalTag(): avoid calling memcpy() with a null
		9	source pointer and size of zero (fixes #383)
		10
		11	---
		12	libtiff/tif_dirread.c \| 5 ++++-
		13	1 file changed, 4 insertions(+), 1 deletion(-)
		14
		15	diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c
		16	index d84147a0..4e8ce729 100644
		17	--- a/libtiff/tif_dirread.c
		18	+++ b/libtiff/tif_dirread.c
		19	@@ -5079,7 +5079,10 @@ TIFFFetchNormalTag(TIFF* tif, TIFFDirEntry* dp, int recover)
		20	_TIFFfree(data);
		21	return(0);
		22	}
		23	- _TIFFmemcpy(o,data,(uint32_t)dp->tdir_count);
		24	+ if (dp->tdir_count > 0 )
		25	+ {
		26	+ _TIFFmemcpy(o,data,(uint32_t)dp->tdir_count);
		27	+ }
		28	o[(uint32_t)dp->tdir_count]=0;
		29	if (data!=0)
		30	_TIFFfree(data);
		31	--
		32	2.25.1
		33


diff --git a/meta/recipes-multimedia/libtiff/tiff/0005-fix-the-FPE-in-tiffcrop-393.patch b/meta/recipes-multimedia/libtiff/tiff/0005-fix-the-FPE-in-tiffcrop-393.patch new file mode 100644 index 0000000000..64dbe9ef92 --- /dev/null +++ b/meta/recipes-multimedia/libtiff/tiff/0005-fix-the-FPE-in-tiffcrop-393.patch
@@ -0,0 +1,36 @@
		1	CVE: CVE-2022-0909
		2	Upstream-Status: Backport
		3	Signed-off-by: Ross Burton <ross.burton@arm.com>
		4
		5	From 4768355a074d562177e0a8b551c561d1af7eb74a Mon Sep 17 00:00:00 2001
		6	From: 4ugustus <wangdw.augustus@qq.com>
		7	Date: Tue, 8 Mar 2022 16:22:04 +0000
		8	Subject: [PATCH 5/6] fix the FPE in tiffcrop (#393)
		9
		10	---
		11	libtiff/tif_dir.c \| 4 ++--
		12	1 file changed, 2 insertions(+), 2 deletions(-)
		13
		14	diff --git a/libtiff/tif_dir.c b/libtiff/tif_dir.c
		15	index a6c254fc..77da6ea4 100644
		16	--- a/libtiff/tif_dir.c
		17	+++ b/libtiff/tif_dir.c
		18	@@ -335,13 +335,13 @@ _TIFFVSetField(TIFF* tif, uint32_t tag, va_list ap)
		19	break;
		20	case TIFFTAG_XRESOLUTION:
		21	dblval = va_arg(ap, double);
		22	- if( dblval < 0 )
		23	+ if( dblval != dblval \|\| dblval < 0 )
		24	goto badvaluedouble;
		25	td->td_xresolution = _TIFFClampDoubleToFloat( dblval );
		26	break;
		27	case TIFFTAG_YRESOLUTION:
		28	dblval = va_arg(ap, double);
		29	- if( dblval < 0 )
		30	+ if( dblval != dblval \|\| dblval < 0 )
		31	goto badvaluedouble;
		32	td->td_yresolution = _TIFFClampDoubleToFloat( dblval );
		33	break;
		34	--
		35	2.25.1
		36


diff --git a/meta/recipes-multimedia/libtiff/tiff/0006-fix-heap-buffer-overflow-in-tiffcp-278.patch b/meta/recipes-multimedia/libtiff/tiff/0006-fix-heap-buffer-overflow-in-tiffcp-278.patch new file mode 100644 index 0000000000..afd5e59960 --- /dev/null +++ b/meta/recipes-multimedia/libtiff/tiff/0006-fix-heap-buffer-overflow-in-tiffcp-278.patch
@@ -0,0 +1,57 @@
		1	CVE: CVE-2022-0924
		2	Upstream-Status: Backport
		3	Signed-off-by: Ross Burton <ross.burton@arm.com>
		4
		5	From 1074b9691322b1e3671cd8ea0b6b3509d08978fb Mon Sep 17 00:00:00 2001
		6	From: 4ugustus <wangdw.augustus@qq.com>
		7	Date: Thu, 10 Mar 2022 08:48:00 +0000
		8	Subject: [PATCH 6/6] fix heap buffer overflow in tiffcp (#278)
		9
		10	---
		11	tools/tiffcp.c \| 17 ++++++++++++++++-
		12	1 file changed, 16 insertions(+), 1 deletion(-)
		13
		14	diff --git a/tools/tiffcp.c b/tools/tiffcp.c
		15	index 1f889516..552d8fad 100644
		16	--- a/tools/tiffcp.c
		17	+++ b/tools/tiffcp.c
		18	@@ -1661,12 +1661,27 @@ DECLAREwriteFunc(writeBufferToSeparateStrips)
		19	tdata_t obuf;
		20	tstrip_t strip = 0;
		21	tsample_t s;
		22	+ uint16_t bps = 0, bytes_per_sample;
		23
		24	obuf = limitMalloc(stripsize);
		25	if (obuf == NULL)
		26	return (0);
		27	_TIFFmemset(obuf, 0, stripsize);
		28	(void) TIFFGetFieldDefaulted(out, TIFFTAG_ROWSPERSTRIP, &rowsperstrip);
		29	+ (void) TIFFGetField(out, TIFFTAG_BITSPERSAMPLE, &bps);
		30	+ if( bps == 0 )
		31	+ {
		32	+ TIFFError(TIFFFileName(out), "Error, cannot read BitsPerSample");
		33	+ _TIFFfree(obuf);
		34	+ return 0;
		35	+ }
		36	+ if( (bps % 8) != 0 )
		37	+ {
		38	+ TIFFError(TIFFFileName(out), "Error, cannot handle BitsPerSample that is not a multiple of 8");
		39	+ _TIFFfree(obuf);
		40	+ return 0;
		41	+ }
		42	+ bytes_per_sample = bps/8;
		43	for (s = 0; s < spp; s++) {
		44	uint32_t row;
		45	for (row = 0; row < imagelength; row += rowsperstrip) {
		46	@@ -1676,7 +1691,7 @@ DECLAREwriteFunc(writeBufferToSeparateStrips)
		47
		48	cpContigBufToSeparateBuf(
		49	obuf, (uint8_t) buf + row rowsize + s,
		50	- nrows, imagewidth, 0, 0, spp, 1);
		51	+ nrows, imagewidth, 0, 0, spp, bytes_per_sample);
		52	if (TIFFWriteEncodedStrip(out, strip++, obuf, stripsize) < 0) {
		53	TIFFError(TIFFFileName(out),
		54	"Error, can't write strip %"PRIu32,
		55	--
		56	2.25.1
		57


diff --git a/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb b/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb index 6b933a409b..9c9108a6af 100644 --- a/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb +++ b/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb
@@ -11,7 +11,14 @@ CVE_PRODUCT = "libtiff"
11	SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \	11	SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
12	file://0001-tiffset-fix-global-buffer-overflow-for-ASCII-tags-wh.patch \	12	file://0001-tiffset-fix-global-buffer-overflow-for-ASCII-tags-wh.patch \
13	file://561599c99f987dc32ae110370cfdd7df7975586b.patch \	13	file://561599c99f987dc32ae110370cfdd7df7975586b.patch \
14	file://eecb0712f4c3a5b449f70c57988260a667ddbdef.patch"	14	file://eecb0712f4c3a5b449f70c57988260a667ddbdef.patch \
		15	file://0001-tif_jbig.c-fix-crash-when-reading-a-file-with-multip.patch \
		16	file://0002-tiffcrop-fix-issue-380-and-382-heap-buffer-overflow-.patch \
		17	file://0003-add-checks-for-return-value-of-limitMalloc-392.patch \
		18	file://0004-TIFFFetchNormalTag-avoid-calling-memcpy-with-a-null-.patch \
		19	file://0005-fix-the-FPE-in-tiffcrop-393.patch \
		20	file://0006-fix-heap-buffer-overflow-in-tiffcp-278.patch \
		21	"
15		22
16	SRC_URI[sha256sum] = "0e46e5acb087ce7d1ac53cf4f56a09b221537fc86dfc5daaad1c2e89e1b37ac8"	23	SRC_URI[sha256sum] = "0e46e5acb087ce7d1ac53cf4f56a09b221537fc86dfc5daaad1c2e89e1b37ac8"
17		24