diff options
-rw-r--r-- | meta/recipes-multimedia/libtiff/files/CVE-2023-41175.patch | 67 | ||||
-rw-r--r-- | meta/recipes-multimedia/libtiff/tiff_4.1.0.bb | 1 |
2 files changed, 68 insertions, 0 deletions
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2023-41175.patch b/meta/recipes-multimedia/libtiff/files/CVE-2023-41175.patch new file mode 100644 index 0000000000..3f44a42012 --- /dev/null +++ b/meta/recipes-multimedia/libtiff/files/CVE-2023-41175.patch | |||
@@ -0,0 +1,67 @@ | |||
1 | From 4cc97e3dfa6559f4d17af0d0687bcae07ca4b73d Mon Sep 17 00:00:00 2001 | ||
2 | From: Arie Haenel <arie.haenel@jct.ac.il> | ||
3 | Date: Wed, 19 Jul 2023 19:40:01 +0000 | ||
4 | Subject: raw2tiff: fix integer overflow and bypass of the check (fixes #592) | ||
5 | |||
6 | Upstream-Status: Backport [import from debian security.debian.org/debian-security/pool/updates/main/t/tiff/tiff_4.1.0+git191117-2~deb10u8.debian.tar.xz | ||
7 | Upstream commit https://gitlab.com/libtiff/libtiff/-/commit/6e2dac5f904496d127c92ddc4e56eccfca25c2ee] | ||
8 | CVE: CVE-2023-41175 | ||
9 | Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> | ||
10 | --- | ||
11 | tools/raw2tiff.c | 26 ++++++++++++++++++++++++++ | ||
12 | 1 file changed, 26 insertions(+) | ||
13 | |||
14 | diff --git a/tools/raw2tiff.c b/tools/raw2tiff.c | ||
15 | index ab36ff4e..a905da52 100644 | ||
16 | --- a/tools/raw2tiff.c | ||
17 | +++ b/tools/raw2tiff.c | ||
18 | @@ -35,6 +35,7 @@ | ||
19 | #include <sys/types.h> | ||
20 | #include <math.h> | ||
21 | #include <ctype.h> | ||
22 | +#include <limits.h> | ||
23 | |||
24 | #ifdef HAVE_UNISTD_H | ||
25 | # include <unistd.h> | ||
26 | @@ -101,6 +102,7 @@ main(int argc, char* argv[]) | ||
27 | int fd; | ||
28 | char *outfilename = NULL; | ||
29 | TIFF *out; | ||
30 | + uint32 temp_limit_check = 0; | ||
31 | |||
32 | uint32 row, col, band; | ||
33 | int c; | ||
34 | @@ -212,6 +214,30 @@ main(int argc, char* argv[]) | ||
35 | if (guessSize(fd, dtype, hdr_size, nbands, swab, &width, &length) < 0) | ||
36 | return 1; | ||
37 | |||
38 | + if ((width == 0) || (length == 0) ){ | ||
39 | + fprintf(stderr, "Too large nbands value specified.\n"); | ||
40 | + return (EXIT_FAILURE); | ||
41 | + } | ||
42 | + | ||
43 | + temp_limit_check = nbands * depth; | ||
44 | + | ||
45 | + if ( !temp_limit_check || length > ( UINT_MAX / temp_limit_check ) ) { | ||
46 | + fprintf(stderr, "Too large length size specified.\n"); | ||
47 | + return (EXIT_FAILURE); | ||
48 | + } | ||
49 | + temp_limit_check = temp_limit_check * length; | ||
50 | + | ||
51 | + if ( !temp_limit_check || width > ( UINT_MAX / temp_limit_check ) ) { | ||
52 | + fprintf(stderr, "Too large width size specified.\n"); | ||
53 | + return (EXIT_FAILURE); | ||
54 | + } | ||
55 | + temp_limit_check = temp_limit_check * width; | ||
56 | + | ||
57 | + if ( !temp_limit_check || hdr_size > ( UINT_MAX - temp_limit_check ) ) { | ||
58 | + fprintf(stderr, "Too large header size specified.\n"); | ||
59 | + return (EXIT_FAILURE); | ||
60 | + } | ||
61 | + | ||
62 | if (outfilename == NULL) | ||
63 | outfilename = argv[optind+1]; | ||
64 | out = TIFFOpen(outfilename, "w"); | ||
65 | -- | ||
66 | 2.30.2 | ||
67 | |||
diff --git a/meta/recipes-multimedia/libtiff/tiff_4.1.0.bb b/meta/recipes-multimedia/libtiff/tiff_4.1.0.bb index 31e7db19aa..2697a28463 100644 --- a/meta/recipes-multimedia/libtiff/tiff_4.1.0.bb +++ b/meta/recipes-multimedia/libtiff/tiff_4.1.0.bb | |||
@@ -46,6 +46,7 @@ SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \ | |||
46 | file://CVE-2023-3576.patch \ | 46 | file://CVE-2023-3576.patch \ |
47 | file://CVE-2023-3618.patch \ | 47 | file://CVE-2023-3618.patch \ |
48 | file://CVE-2023-40745.patch \ | 48 | file://CVE-2023-40745.patch \ |
49 | file://CVE-2023-41175.patch \ | ||
49 | " | 50 | " |
50 | SRC_URI[md5sum] = "2165e7aba557463acc0664e71a3ed424" | 51 | SRC_URI[md5sum] = "2165e7aba557463acc0664e71a3ed424" |
51 | SRC_URI[sha256sum] = "5d29f32517dadb6dbcd1255ea5bbc93a2b54b94fbf83653b4d65c7d6775b8634" | 52 | SRC_URI[sha256sum] = "5d29f32517dadb6dbcd1255ea5bbc93a2b54b94fbf83653b4d65c7d6775b8634" |