summaryrefslogtreecommitdiffstats
path: root/meta
diff options
context:
space:
mode:
authorVijay Anusuri <vanusuri@mvista.com>2024-03-22 18:34:35 +0530
committerSteve Sakoman <steve@sakoman.com>2024-04-05 06:34:42 -0700
commite555aefeef5e87927560aa941bb937511425f7a6 (patch)
treef0c2cd8de187737acd21705e794434b0deac3373 /meta
parent1c2fbec01fafc81c6cb2e62f8b18625d81a8066a (diff)
downloadpoky-e555aefeef5e87927560aa941bb937511425f7a6.tar.gz
libtiff: backport Debian patch for CVE-2023-6277 & CVE-2023-52356
import patches from ubuntu to fix CVE-2023-6277 CVE-2023-52356 Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/tiff/tree/debian/patches/?h=ubuntu%2Ffocal-security Upstream commit https://gitlab.com/libtiff/libtiff/-/commit/5320c9d89c054fa805d037d84c57da874470b01a & https://gitlab.com/libtiff/libtiff/-/commit/0b025324711213a75e38b52f7e7ba60235f108aa & https://gitlab.com/libtiff/libtiff/-/commit/de7bfd7d4377c266f81849579f696fa1ad5ba6c3 & https://gitlab.com/libtiff/libtiff/-/commit/dbb825a8312f30e63a06c272010967d51af5c35a & https://gitlab.com/libtiff/libtiff/-/commit/51558511bdbbcffdce534db21dbaf5d54b31638a] (From OE-Core rev: 15abae1f6a9861e28ce35b015cb3ddc434f9fca4) Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
Diffstat (limited to 'meta')
-rw-r--r--meta/recipes-multimedia/libtiff/files/CVE-2023-52356.patch53
-rw-r--r--meta/recipes-multimedia/libtiff/files/CVE-2023-6277-1.patch191
-rw-r--r--meta/recipes-multimedia/libtiff/files/CVE-2023-6277-2.patch152
-rw-r--r--meta/recipes-multimedia/libtiff/files/CVE-2023-6277-3.patch46
-rw-r--r--meta/recipes-multimedia/libtiff/files/CVE-2023-6277-4.patch94
-rw-r--r--meta/recipes-multimedia/libtiff/tiff_4.1.0.bb5
6 files changed, 541 insertions, 0 deletions
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2023-52356.patch b/meta/recipes-multimedia/libtiff/files/CVE-2023-52356.patch
new file mode 100644
index 0000000000..1b651e6529
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2023-52356.patch
@@ -0,0 +1,53 @@
1[Ubuntu note: Backport of the following patch from upstream, with a few changes
2to match the current version of the file in the present Ubuntu release:
3 . using TIFFErrorExt instead of TIFFErrorExtR (the latter did not exist yet);
4-- Rodrigo Figueiredo Zaiden]
5
6Backport of:
7
8From 51558511bdbbcffdce534db21dbaf5d54b31638a Mon Sep 17 00:00:00 2001
9From: Even Rouault <even.rouault@spatialys.com>
10Date: Tue, 31 Oct 2023 15:58:41 +0100
11Subject: [PATCH] TIFFReadRGBAStrip/TIFFReadRGBATile: add more validation of
12 col/row (fixes #622)
13
14Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/tiff/tree/debian/patches/CVE-2023-52356.patch?h=ubuntu/focal-security
15Upstream commit https://gitlab.com/libtiff/libtiff/-/commit/51558511bdbbcffdce534db21dbaf5d54b31638a]
16CVE: CVE-2023-52356
17Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
18---
19 libtiff/tif_getimage.c | 15 +++++++++++++++
20 1 file changed, 15 insertions(+)
21
22
23--- tiff-4.1.0+git191117.orig/libtiff/tif_getimage.c
24+++ tiff-4.1.0+git191117/libtiff/tif_getimage.c
25@@ -2926,6 +2926,13 @@ TIFFReadRGBAStripExt(TIFF* tif, uint32 r
26 }
27
28 if (TIFFRGBAImageOK(tif, emsg) && TIFFRGBAImageBegin(&img, tif, stop_on_error, emsg)) {
29+ if (row >= img.height)
30+ {
31+ TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif),
32+ "Invalid row passed to TIFFReadRGBAStrip().");
33+ TIFFRGBAImageEnd(&img);
34+ return (0);
35+ }
36
37 img.row_offset = row;
38 img.col_offset = 0;
39@@ -3002,6 +3009,14 @@ TIFFReadRGBATileExt(TIFF* tif, uint32 co
40 return( 0 );
41 }
42
43+ if (col >= img.width || row >= img.height)
44+ {
45+ TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif),
46+ "Invalid row/col passed to TIFFReadRGBATile().");
47+ TIFFRGBAImageEnd(&img);
48+ return (0);
49+ }
50+
51 /*
52 * The TIFFRGBAImageGet() function doesn't allow us to get off the
53 * edge of the image, even to fill an otherwise valid tile. So we
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2023-6277-1.patch b/meta/recipes-multimedia/libtiff/files/CVE-2023-6277-1.patch
new file mode 100644
index 0000000000..e955b3f2e4
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2023-6277-1.patch
@@ -0,0 +1,191 @@
1[Ubuntu note: Backport of the following patch from upstream, with a few changes
2to match the current version of the file in the present Ubuntu release:
3 . included inttypes.h header to support PRIu32 and PRIu64;
4 . using TIFFWarningExt instead of TIFFWarningExtR (the latter did not exist yet);
5 . using uint64 instead of uint64_t to preserve the current code usage;
6 . calling _TIFFfree(data) instead of _TIFFfreeExt(tif, data) (the latter did not exist yet);
7 . calls to the check size, that is the idea of the patch, were added before
8 _TIFFCheckMalloc and may note match the original patch methods;
9-- Rodrigo Figueiredo Zaiden]
10
11Backport of:
12
13From 5320c9d89c054fa805d037d84c57da874470b01a Mon Sep 17 00:00:00 2001
14From: Su Laus <sulau@freenet.de>
15Date: Tue, 31 Oct 2023 15:43:29 +0000
16Subject: [PATCH] Prevent some out-of-memory attacks
17
18Some small fuzzer files fake large amounts of data and provoke out-of-memory situations. For non-compressed data content / tags, out-of-memory can be prevented by comparing with the file size.
19
20At image reading, data size of some tags / data structures (StripByteCounts, StripOffsets, StripArray, TIFF directory) is compared with file size to prevent provoked out-of-memory attacks.
21
22See issue https://gitlab.com/libtiff/libtiff/-/issues/614#note_1602683857
23
24Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/tiff/tree/debian/patches/CVE-2023-6277-1.patch?h=ubuntu/focal-security
25Upstream commit https://gitlab.com/libtiff/libtiff/-/commit/5320c9d89c054fa805d037d84c57da874470b01a]
26CVE: CVE-2023-6277
27Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
28---
29 libtiff/tif_dirread.c | 92 ++++++++++++++++++++++++++++++++++++++++++-
30 1 file changed, 90 insertions(+), 2 deletions(-)
31
32--- tiff-4.1.0+git191117.orig/libtiff/tif_dirread.c
33+++ tiff-4.1.0+git191117/libtiff/tif_dirread.c
34@@ -37,6 +37,7 @@
35 #include "tiffiop.h"
36 #include <float.h>
37 #include <stdlib.h>
38+#include <inttypes.h>
39
40 #define FAILED_FII ((uint32) -1)
41
42@@ -863,6 +864,21 @@ static enum TIFFReadDirEntryErr TIFFRead
43 datasize=(*count)*typesize;
44 assert((tmsize_t)datasize>0);
45
46+ /* Before allocating a huge amount of memory for corrupted files, check if
47+ * size of requested memory is not greater than file size.
48+ */
49+ uint64 filesize = TIFFGetFileSize(tif);
50+ if (datasize > filesize)
51+ {
52+ TIFFWarningExt(tif->tif_clientdata, "ReadDirEntryArray",
53+ "Requested memory size for tag %d (0x%x) %" PRIu32
54+ " is greather than filesize %" PRIu64
55+ ". Memory not allocated, tag not read",
56+ direntry->tdir_tag, direntry->tdir_tag, datasize,
57+ filesize);
58+ return (TIFFReadDirEntryErrAlloc);
59+ }
60+
61 if( isMapped(tif) && datasize > (uint32)tif->tif_size )
62 return TIFFReadDirEntryErrIo;
63
64@@ -4534,6 +4550,20 @@ EstimateStripByteCounts(TIFF* tif, TIFFD
65 if( !_TIFFFillStrilesInternal( tif, 0 ) )
66 return -1;
67
68+ /* Before allocating a huge amount of memory for corrupted files, check if
69+ * size of requested memory is not greater than file size. */
70+ uint64 filesize = TIFFGetFileSize(tif);
71+ uint64 allocsize = (uint64)td->td_nstrips * sizeof(uint64);
72+ if (allocsize > filesize)
73+ {
74+ TIFFWarningExt(tif->tif_clientdata, module,
75+ "Requested memory size for StripByteCounts of %" PRIu64
76+ " is greather than filesize %" PRIu64
77+ ". Memory not allocated",
78+ allocsize, filesize);
79+ return -1;
80+ }
81+
82 if (td->td_stripbytecount_p)
83 _TIFFfree(td->td_stripbytecount_p);
84 td->td_stripbytecount_p = (uint64*)
85@@ -4544,9 +4574,7 @@ EstimateStripByteCounts(TIFF* tif, TIFFD
86
87 if (td->td_compression != COMPRESSION_NONE) {
88 uint64 space;
89- uint64 filesize;
90 uint16 n;
91- filesize = TIFFGetFileSize(tif);
92 if (!(tif->tif_flags&TIFF_BIGTIFF))
93 space=sizeof(TIFFHeaderClassic)+2+dircount*12+4;
94 else
95@@ -4854,6 +4882,20 @@ TIFFFetchDirectory(TIFF* tif, uint64 dir
96 dircount16 = (uint16)dircount64;
97 dirsize = 20;
98 }
99+ /* Before allocating a huge amount of memory for corrupted files, check
100+ * if size of requested memory is not greater than file size. */
101+ uint64 filesize = TIFFGetFileSize(tif);
102+ uint64 allocsize = (uint64)dircount16 * dirsize;
103+ if (allocsize > filesize)
104+ {
105+ TIFFWarningExt(
106+ tif->tif_clientdata, module,
107+ "Requested memory size for TIFF directory of %" PRIu64
108+ " is greather than filesize %" PRIu64
109+ ". Memory not allocated, TIFF directory not read",
110+ allocsize, filesize);
111+ return 0;
112+ }
113 origdir = _TIFFCheckMalloc(tif, dircount16,
114 dirsize, "to read TIFF directory");
115 if (origdir == NULL)
116@@ -4957,6 +4999,20 @@ TIFFFetchDirectory(TIFF* tif, uint64 dir
117 "Sanity check on directory count failed, zero tag directories not supported");
118 return 0;
119 }
120+ /* Before allocating a huge amount of memory for corrupted files, check
121+ * if size of requested memory is not greater than file size. */
122+ uint64 filesize = TIFFGetFileSize(tif);
123+ uint64 allocsize = (uint64)dircount16 * dirsize;
124+ if (allocsize > filesize)
125+ {
126+ TIFFWarningExt(
127+ tif->tif_clientdata, module,
128+ "Requested memory size for TIFF directory of %" PRIu64
129+ " is greather than filesize %" PRIu64
130+ ". Memory not allocated, TIFF directory not read",
131+ allocsize, filesize);
132+ return 0;
133+ }
134 origdir = _TIFFCheckMalloc(tif, dircount16,
135 dirsize,
136 "to read TIFF directory");
137@@ -5000,6 +5056,8 @@ TIFFFetchDirectory(TIFF* tif, uint64 dir
138 }
139 }
140 }
141+ /* No check against filesize needed here because "dir" should have same size
142+ * than "origdir" checked above. */
143 dir = (TIFFDirEntry*)_TIFFCheckMalloc(tif, dircount16,
144 sizeof(TIFFDirEntry),
145 "to read TIFF directory");
146@@ -5769,7 +5827,20 @@ TIFFFetchStripThing(TIFF* tif, TIFFDirEn
147 _TIFFfree(data);
148 return(0);
149 }
150-
151+ /* Before allocating a huge amount of memory for corrupted files, check
152+ * if size of requested memory is not greater than file size. */
153+ uint64 filesize = TIFFGetFileSize(tif);
154+ uint64 allocsize = (uint64)nstrips * sizeof(uint64);
155+ if (allocsize > filesize)
156+ {
157+ TIFFWarningExt(tif->tif_clientdata, module,
158+ "Requested memory size for StripArray of %" PRIu64
159+ " is greather than filesize %" PRIu64
160+ ". Memory not allocated",
161+ allocsize, filesize);
162+ _TIFFfree(data);
163+ return (0);
164+ }
165 resizeddata=(uint64*)_TIFFCheckMalloc(tif,nstrips,sizeof(uint64),"for strip array");
166 if (resizeddata==0) {
167 _TIFFfree(data);
168@@ -5865,6 +5936,23 @@ static void allocChoppedUpStripArrays(TI
169 }
170 bytecount = last_offset + last_bytecount - offset;
171
172+ /* Before allocating a huge amount of memory for corrupted files, check if
173+ * size of StripByteCount and StripOffset tags is not greater than
174+ * file size.
175+ */
176+ uint64 allocsize = (uint64)nstrips * sizeof(uint64) * 2;
177+ uint64 filesize = TIFFGetFileSize(tif);
178+ if (allocsize > filesize)
179+ {
180+ TIFFWarningExt(tif->tif_clientdata, "allocChoppedUpStripArrays",
181+ "Requested memory size for StripByteCount and "
182+ "StripOffsets %" PRIu64
183+ " is greather than filesize %" PRIu64
184+ ". Memory not allocated",
185+ allocsize, filesize);
186+ return;
187+ }
188+
189 newcounts = (uint64*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64),
190 "for chopped \"StripByteCounts\" array");
191 newoffsets = (uint64*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64),
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2023-6277-2.patch b/meta/recipes-multimedia/libtiff/files/CVE-2023-6277-2.patch
new file mode 100644
index 0000000000..644b3fdb3f
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2023-6277-2.patch
@@ -0,0 +1,152 @@
1[Ubuntu note: Backport of the following patch from upstream, with a few changes
2to match the current version of the file in the present Ubuntu release:
3 . using TIFFWarningExt instead of TIFFWarningExtR (the latter did not exist yet);
4 . using uint64 instead of uint64_t to preserve the current code usage;
5-- Rodrigo Figueiredo Zaiden]
6
7Backport of:
8
9From 0b025324711213a75e38b52f7e7ba60235f108aa Mon Sep 17 00:00:00 2001
10From: Even Rouault <even.rouault@spatialys.com>
11Date: Tue, 31 Oct 2023 19:47:22 +0100
12Subject: [PATCH] tif_dirread.c: only issue TIFFGetFileSize() for large enough
13 RAM requests
14
15Ammends 5320c9d89c054fa805d037d84c57da874470b01a
16
17This fixes a performance regression caught by the GDAL regression test
18suite.
19
20Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/tiff/tree/debian/patches/CVE-2023-6277-2.patch?h=ubuntu/focal-security
21Upstream commit https://gitlab.com/libtiff/libtiff/-/commit/0b025324711213a75e38b52f7e7ba60235f108aa]
22CVE: CVE-2023-6277
23Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
24---
25 libtiff/tif_dirread.c | 83 +++++++++++++++++++++++++------------------
26 1 file changed, 48 insertions(+), 35 deletions(-)
27
28--- tiff-4.1.0+git191117.orig/libtiff/tif_dirread.c
29+++ tiff-4.1.0+git191117/libtiff/tif_dirread.c
30@@ -864,19 +864,22 @@ static enum TIFFReadDirEntryErr TIFFRead
31 datasize=(*count)*typesize;
32 assert((tmsize_t)datasize>0);
33
34- /* Before allocating a huge amount of memory for corrupted files, check if
35- * size of requested memory is not greater than file size.
36- */
37- uint64 filesize = TIFFGetFileSize(tif);
38- if (datasize > filesize)
39+ if (datasize > 100 * 1024 * 1024)
40 {
41- TIFFWarningExt(tif->tif_clientdata, "ReadDirEntryArray",
42- "Requested memory size for tag %d (0x%x) %" PRIu32
43- " is greather than filesize %" PRIu64
44- ". Memory not allocated, tag not read",
45- direntry->tdir_tag, direntry->tdir_tag, datasize,
46- filesize);
47- return (TIFFReadDirEntryErrAlloc);
48+ /* Before allocating a huge amount of memory for corrupted files, check
49+ * if size of requested memory is not greater than file size.
50+ */
51+ const uint64 filesize = TIFFGetFileSize(tif);
52+ if (datasize > filesize)
53+ {
54+ TIFFWarningExt(tif->tif_clientdata, "ReadDirEntryArray",
55+ "Requested memory size for tag %d (0x%x) %" PRIu32
56+ " is greater than filesize %" PRIu64
57+ ". Memory not allocated, tag not read",
58+ direntry->tdir_tag, direntry->tdir_tag, datasize,
59+ filesize);
60+ return (TIFFReadDirEntryErrAlloc);
61+ }
62 }
63
64 if( isMapped(tif) && datasize > (uint32)tif->tif_size )
65@@ -4550,18 +4553,22 @@ EstimateStripByteCounts(TIFF* tif, TIFFD
66 if( !_TIFFFillStrilesInternal( tif, 0 ) )
67 return -1;
68
69- /* Before allocating a huge amount of memory for corrupted files, check if
70- * size of requested memory is not greater than file size. */
71- uint64 filesize = TIFFGetFileSize(tif);
72- uint64 allocsize = (uint64)td->td_nstrips * sizeof(uint64);
73- if (allocsize > filesize)
74+ const uint64 allocsize = (uint64)td->td_nstrips * sizeof(uint64);
75+ uint64 filesize = 0;
76+ if (allocsize > 100 * 1024 * 1024)
77 {
78- TIFFWarningExt(tif->tif_clientdata, module,
79- "Requested memory size for StripByteCounts of %" PRIu64
80- " is greather than filesize %" PRIu64
81- ". Memory not allocated",
82- allocsize, filesize);
83- return -1;
84+ /* Before allocating a huge amount of memory for corrupted files, check
85+ * if size of requested memory is not greater than file size. */
86+ filesize = TIFFGetFileSize(tif);
87+ if (allocsize > filesize)
88+ {
89+ TIFFWarningExt(
90+ tif->tif_clientdata, module,
91+ "Requested memory size for StripByteCounts of %" PRIu64
92+ " is greater than filesize %" PRIu64 ". Memory not allocated",
93+ allocsize, filesize);
94+ return -1;
95+ }
96 }
97
98 if (td->td_stripbytecount_p)
99@@ -4608,11 +4615,13 @@ EstimateStripByteCounts(TIFF* tif, TIFFD
100 return -1;
101 space+=datasize;
102 }
103+ if (filesize == 0)
104+ filesize = TIFFGetFileSize(tif);
105 if( filesize < space )
106- /* we should perhaps return in error ? */
107- space = filesize;
108- else
109- space = filesize - space;
110+ /* we should perhaps return in error ? */
111+ space = filesize;
112+ else
113+ space = filesize - space;
114 if (td->td_planarconfig == PLANARCONFIG_SEPARATE)
115 space /= td->td_samplesperpixel;
116 for (strip = 0; strip < td->td_nstrips; strip++)
117@@ -4882,19 +4891,23 @@ TIFFFetchDirectory(TIFF* tif, uint64 dir
118 dircount16 = (uint16)dircount64;
119 dirsize = 20;
120 }
121- /* Before allocating a huge amount of memory for corrupted files, check
122- * if size of requested memory is not greater than file size. */
123- uint64 filesize = TIFFGetFileSize(tif);
124- uint64 allocsize = (uint64)dircount16 * dirsize;
125- if (allocsize > filesize)
126+ const uint64 allocsize = (uint64)dircount16 * dirsize;
127+ if (allocsize > 100 * 1024 * 1024)
128 {
129- TIFFWarningExt(
130- tif->tif_clientdata, module,
131- "Requested memory size for TIFF directory of %" PRIu64
132- " is greather than filesize %" PRIu64
133- ". Memory not allocated, TIFF directory not read",
134- allocsize, filesize);
135- return 0;
136+ /* Before allocating a huge amount of memory for corrupted files,
137+ * check if size of requested memory is not greater than file size.
138+ */
139+ const uint64 filesize = TIFFGetFileSize(tif);
140+ if (allocsize > filesize)
141+ {
142+ TIFFWarningExt(
143+ tif->tif_clientdata, module,
144+ "Requested memory size for TIFF directory of %" PRIu64
145+ " is greater than filesize %" PRIu64
146+ ". Memory not allocated, TIFF directory not read",
147+ allocsize, filesize);
148+ return 0;
149+ }
150 }
151 origdir = _TIFFCheckMalloc(tif, dircount16,
152 dirsize, "to read TIFF directory");
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2023-6277-3.patch b/meta/recipes-multimedia/libtiff/files/CVE-2023-6277-3.patch
new file mode 100644
index 0000000000..ed7d7e7b96
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2023-6277-3.patch
@@ -0,0 +1,46 @@
1Backport of:
2
3From de7bfd7d4377c266f81849579f696fa1ad5ba6c3 Mon Sep 17 00:00:00 2001
4From: Even Rouault <even.rouault@spatialys.com>
5Date: Tue, 31 Oct 2023 20:13:45 +0100
6Subject: [PATCH] TIFFFetchDirectory(): remove useless allocsize vs filesize
7 check
8
9CoverityScan rightly points that the max value for dircount16 * dirsize
10is 4096 * 20. That's small enough not to do any check
11
12Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/tiff/tree/debian/patches/CVE-2023-6277-3.patch?h=ubuntu/focal-security
13Upstream commit https://gitlab.com/libtiff/libtiff/-/commit/de7bfd7d4377c266f81849579f696fa1ad5ba6c3]
14CVE: CVE-2023-6277
15Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
16---
17 libtiff/tif_dirread.c | 18 ------------------
18 1 file changed, 18 deletions(-)
19
20--- tiff-4.1.0+git191117.orig/libtiff/tif_dirread.c
21+++ tiff-4.1.0+git191117/libtiff/tif_dirread.c
22@@ -4891,24 +4891,6 @@ TIFFFetchDirectory(TIFF* tif, uint64 dir
23 dircount16 = (uint16)dircount64;
24 dirsize = 20;
25 }
26- const uint64 allocsize = (uint64)dircount16 * dirsize;
27- if (allocsize > 100 * 1024 * 1024)
28- {
29- /* Before allocating a huge amount of memory for corrupted files,
30- * check if size of requested memory is not greater than file size.
31- */
32- const uint64 filesize = TIFFGetFileSize(tif);
33- if (allocsize > filesize)
34- {
35- TIFFWarningExt(
36- tif->tif_clientdata, module,
37- "Requested memory size for TIFF directory of %" PRIu64
38- " is greater than filesize %" PRIu64
39- ". Memory not allocated, TIFF directory not read",
40- allocsize, filesize);
41- return 0;
42- }
43- }
44 origdir = _TIFFCheckMalloc(tif, dircount16,
45 dirsize, "to read TIFF directory");
46 if (origdir == NULL)
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2023-6277-4.patch b/meta/recipes-multimedia/libtiff/files/CVE-2023-6277-4.patch
new file mode 100644
index 0000000000..1a43fd3230
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2023-6277-4.patch
@@ -0,0 +1,94 @@
1[Ubuntu note: Backport of the following patch from upstream, with a few changes
2to match the current version of the file in the present Ubuntu release:
3 . using TIFFWarningExt instead of TIFFWarningExtR (the latter did not exist yet);
4 . using uint64 instead of uint64_t to preserve the current code usage;
5 . calling _TIFFfree(data) instead of _TIFFfreeExt(tif, data) (the latter did not exist yet);
6-- Rodrigo Figueiredo Zaiden]
7
8Backport of:
9
10From dbb825a8312f30e63a06c272010967d51af5c35a Mon Sep 17 00:00:00 2001
11From: Even Rouault <even.rouault@spatialys.com>
12Date: Tue, 31 Oct 2023 21:30:58 +0100
13Subject: [PATCH] tif_dirread.c: only issue TIFFGetFileSize() for large enough
14 RAM requests
15
16Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/tiff/tree/debian/patches/CVE-2023-6277-4.patch?h=ubuntu/focal-security
17Upstream commit https://gitlab.com/libtiff/libtiff/-/commit/dbb825a8312f30e63a06c272010967d51af5c35a]
18CVE: CVE-2023-6277
19Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
20---
21 libtiff/tif_dirread.c | 54 +++++++++++++++++++++++++------------------
22 1 file changed, 31 insertions(+), 23 deletions(-)
23
24--- tiff-4.1.0+git191117.orig/libtiff/tif_dirread.c
25+++ tiff-4.1.0+git191117/libtiff/tif_dirread.c
26@@ -5822,19 +5822,24 @@ TIFFFetchStripThing(TIFF* tif, TIFFDirEn
27 _TIFFfree(data);
28 return(0);
29 }
30- /* Before allocating a huge amount of memory for corrupted files, check
31- * if size of requested memory is not greater than file size. */
32- uint64 filesize = TIFFGetFileSize(tif);
33- uint64 allocsize = (uint64)nstrips * sizeof(uint64);
34- if (allocsize > filesize)
35+ const uint64 allocsize = (uint64)nstrips * sizeof(uint64);
36+ if (allocsize > 100 * 1024 * 1024)
37 {
38- TIFFWarningExt(tif->tif_clientdata, module,
39- "Requested memory size for StripArray of %" PRIu64
40- " is greather than filesize %" PRIu64
41- ". Memory not allocated",
42- allocsize, filesize);
43- _TIFFfree(data);
44- return (0);
45+ /* Before allocating a huge amount of memory for corrupted files,
46+ * check if size of requested memory is not greater than file size.
47+ */
48+ const uint64 filesize = TIFFGetFileSize(tif);
49+ if (allocsize > filesize)
50+ {
51+ TIFFWarningExt(
52+ tif->tif_clientdata, module,
53+ "Requested memory size for StripArray of %" PRIu64
54+ " is greater than filesize %" PRIu64
55+ ". Memory not allocated",
56+ allocsize, filesize);
57+ _TIFFfree(data);
58+ return (0);
59+ }
60 }
61 resizeddata=(uint64*)_TIFFCheckMalloc(tif,nstrips,sizeof(uint64),"for strip array");
62 if (resizeddata==0) {
63@@ -5935,17 +5940,20 @@ static void allocChoppedUpStripArrays(TI
64 * size of StripByteCount and StripOffset tags is not greater than
65 * file size.
66 */
67- uint64 allocsize = (uint64)nstrips * sizeof(uint64) * 2;
68- uint64 filesize = TIFFGetFileSize(tif);
69- if (allocsize > filesize)
70- {
71- TIFFWarningExt(tif->tif_clientdata, "allocChoppedUpStripArrays",
72- "Requested memory size for StripByteCount and "
73- "StripOffsets %" PRIu64
74- " is greather than filesize %" PRIu64
75- ". Memory not allocated",
76- allocsize, filesize);
77- return;
78+ const uint64 allocsize = (uint64)nstrips * sizeof(uint64) * 2;
79+ if (allocsize > 100 * 1024 * 1024)
80+ {
81+ const uint64 filesize = TIFFGetFileSize(tif);
82+ if (allocsize > filesize)
83+ {
84+ TIFFWarningExt(tif->tif_clientdata, "allocChoppedUpStripArrays",
85+ "Requested memory size for StripByteCount and "
86+ "StripOffsets %" PRIu64
87+ " is greater than filesize %" PRIu64
88+ ". Memory not allocated",
89+ allocsize, filesize);
90+ return;
91+ }
92 }
93
94 newcounts = (uint64*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64),
diff --git a/meta/recipes-multimedia/libtiff/tiff_4.1.0.bb b/meta/recipes-multimedia/libtiff/tiff_4.1.0.bb
index c739f3a7fa..7efaba3a38 100644
--- a/meta/recipes-multimedia/libtiff/tiff_4.1.0.bb
+++ b/meta/recipes-multimedia/libtiff/tiff_4.1.0.bb
@@ -49,6 +49,11 @@ SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
49 file://CVE-2023-41175.patch \ 49 file://CVE-2023-41175.patch \
50 file://CVE-2022-40090.patch \ 50 file://CVE-2022-40090.patch \
51 file://CVE-2023-6228.patch \ 51 file://CVE-2023-6228.patch \
52 file://CVE-2023-6277-1.patch \
53 file://CVE-2023-6277-2.patch \
54 file://CVE-2023-6277-3.patch \
55 file://CVE-2023-6277-4.patch \
56 file://CVE-2023-52356.patch \
52 " 57 "
53SRC_URI[md5sum] = "2165e7aba557463acc0664e71a3ed424" 58SRC_URI[md5sum] = "2165e7aba557463acc0664e71a3ed424"
54SRC_URI[sha256sum] = "5d29f32517dadb6dbcd1255ea5bbc93a2b54b94fbf83653b4d65c7d6775b8634" 59SRC_URI[sha256sum] = "5d29f32517dadb6dbcd1255ea5bbc93a2b54b94fbf83653b4d65c7d6775b8634"
generated by cgit v1.2.3-54-g00ecf (git 2.39.0) at 2024-05-02 19:16:07 +0000