diff options
Diffstat (limited to 'meta/recipes-multimedia/libtiff/files/CVE-2020-35521_and_CVE-2020-35522.patch')
-rw-r--r-- | meta/recipes-multimedia/libtiff/files/CVE-2020-35521_and_CVE-2020-35522.patch | 119 |
1 files changed, 119 insertions, 0 deletions
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2020-35521_and_CVE-2020-35522.patch b/meta/recipes-multimedia/libtiff/files/CVE-2020-35521_and_CVE-2020-35522.patch new file mode 100644 index 0000000000..129721ff3e --- /dev/null +++ b/meta/recipes-multimedia/libtiff/files/CVE-2020-35521_and_CVE-2020-35522.patch | |||
@@ -0,0 +1,119 @@ | |||
1 | From 98a254f5b92cea22f5436555ff7fceb12afee84d Mon Sep 17 00:00:00 2001 | ||
2 | From: Thomas Bernard <miniupnp@free.fr> | ||
3 | Date: Sun, 15 Nov 2020 17:02:51 +0100 | ||
4 | Subject: [PATCH 1/2] enforce (configurable) memory limit in tiff2rgba | ||
5 | |||
6 | fixes #207 | ||
7 | fixes #209 | ||
8 | |||
9 | Signed-off-by: akash hadke <akash.hadke@kpit.com> | ||
10 | --- | ||
11 | tools/tiff2rgba.c | 25 +++++++++++++++++++++++-- | ||
12 | 1 file changed, 23 insertions(+), 2 deletions(-) | ||
13 | --- | ||
14 | CVE: CVE-2020-35521 | ||
15 | CVE: CVE-2020-35522 | ||
16 | Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/b5a935d96b21cda0f434230cdf8ca958cd8b4eef.patch] | ||
17 | --- | ||
18 | diff --git a/tools/tiff2rgba.c b/tools/tiff2rgba.c | ||
19 | index fbc383aa..764395f6 100644 | ||
20 | --- a/tools/tiff2rgba.c | ||
21 | +++ b/tools/tiff2rgba.c | ||
22 | @@ -60,6 +60,10 @@ uint32 rowsperstrip = (uint32) -1; | ||
23 | int process_by_block = 0; /* default is whole image at once */ | ||
24 | int no_alpha = 0; | ||
25 | int bigtiff_output = 0; | ||
26 | +#define DEFAULT_MAX_MALLOC (256 * 1024 * 1024) | ||
27 | +/* malloc size limit (in bytes) | ||
28 | + * disabled when set to 0 */ | ||
29 | +static tmsize_t maxMalloc = DEFAULT_MAX_MALLOC; | ||
30 | |||
31 | |||
32 | static int tiffcvt(TIFF* in, TIFF* out); | ||
33 | @@ -75,8 +79,11 @@ main(int argc, char* argv[]) | ||
34 | extern char *optarg; | ||
35 | #endif | ||
36 | |||
37 | - while ((c = getopt(argc, argv, "c:r:t:bn8h")) != -1) | ||
38 | + while ((c = getopt(argc, argv, "c:r:t:bn8hM:")) != -1) | ||
39 | switch (c) { | ||
40 | + case 'M': | ||
41 | + maxMalloc = (tmsize_t)strtoul(optarg, NULL, 0) << 20; | ||
42 | + break; | ||
43 | case 'b': | ||
44 | process_by_block = 1; | ||
45 | break; | ||
46 | @@ -405,6 +412,12 @@ cvt_whole_image( TIFF *in, TIFF *out ) | ||
47 | (unsigned long)width, (unsigned long)height); | ||
48 | return 0; | ||
49 | } | ||
50 | + if (maxMalloc != 0 && (tmsize_t)pixel_count * (tmsize_t)sizeof(uint32) > maxMalloc) { | ||
51 | + TIFFError(TIFFFileName(in), | ||
52 | + "Raster size " TIFF_UINT64_FORMAT " over memory limit (" TIFF_UINT64_FORMAT "), try -b option.", | ||
53 | + (uint64)pixel_count * sizeof(uint32), (uint64)maxMalloc); | ||
54 | + return 0; | ||
55 | + } | ||
56 | |||
57 | rowsperstrip = TIFFDefaultStripSize(out, rowsperstrip); | ||
58 | TIFFSetField(out, TIFFTAG_ROWSPERSTRIP, rowsperstrip); | ||
59 | @@ -530,6 +543,13 @@ tiffcvt(TIFF* in, TIFF* out) | ||
60 | TIFFSetField(out, TIFFTAG_SOFTWARE, TIFFGetVersion()); | ||
61 | CopyField(TIFFTAG_DOCUMENTNAME, stringv); | ||
62 | |||
63 | + if (maxMalloc != 0 && TIFFStripSize(in) > maxMalloc) | ||
64 | + { | ||
65 | + TIFFError(TIFFFileName(in), | ||
66 | + "Strip Size " TIFF_UINT64_FORMAT " over memory limit (" TIFF_UINT64_FORMAT ")", | ||
67 | + (uint64)TIFFStripSize(in), (uint64)maxMalloc); | ||
68 | + return 0; | ||
69 | + } | ||
70 | if( process_by_block && TIFFIsTiled( in ) ) | ||
71 | return( cvt_by_tile( in, out ) ); | ||
72 | else if( process_by_block ) | ||
73 | @@ -539,7 +559,7 @@ tiffcvt(TIFF* in, TIFF* out) | ||
74 | } | ||
75 | |||
76 | static const char* stuff[] = { | ||
77 | - "usage: tiff2rgba [-c comp] [-r rows] [-b] [-n] [-8] input... output", | ||
78 | + "usage: tiff2rgba [-c comp] [-r rows] [-b] [-n] [-8] [-M size] input... output", | ||
79 | "where comp is one of the following compression algorithms:", | ||
80 | " jpeg\t\tJPEG encoding", | ||
81 | " zip\t\tZip/Deflate encoding", | ||
82 | @@ -551,6 +571,7 @@ static const char* stuff[] = { | ||
83 | " -b (progress by block rather than as a whole image)", | ||
84 | " -n don't emit alpha component.", | ||
85 | " -8 write BigTIFF file instead of ClassicTIFF", | ||
86 | + " -M set the memory allocation limit in MiB. 0 to disable limit", | ||
87 | NULL | ||
88 | }; | ||
89 | |||
90 | -- | ||
91 | GitLab | ||
92 | |||
93 | |||
94 | From e9e504193ef1f87e9cb5e986586b0cbe3254e421 Mon Sep 17 00:00:00 2001 | ||
95 | From: Thomas Bernard <miniupnp@free.fr> | ||
96 | Date: Sun, 15 Nov 2020 17:08:42 +0100 | ||
97 | Subject: [PATCH 2/2] tiff2rgba.1: -M option | ||
98 | |||
99 | --- | ||
100 | man/tiff2rgba.1 | 4 ++++ | ||
101 | 1 file changed, 4 insertions(+) | ||
102 | |||
103 | diff --git a/man/tiff2rgba.1 b/man/tiff2rgba.1 | ||
104 | index d9c9baae..fe9ebb2c 100644 | ||
105 | --- a/man/tiff2rgba.1 | ||
106 | +++ b/man/tiff2rgba.1 | ||
107 | @@ -87,6 +87,10 @@ Drop the alpha component from the output file, producing a pure RGB file. | ||
108 | Currently this does not work if the | ||
109 | .B \-b | ||
110 | flag is also in effect. | ||
111 | +.TP | ||
112 | +.BI \-M " size" | ||
113 | +Set maximum memory allocation size (in MiB). The default is 256MiB. | ||
114 | +Set to 0 to disable the limit. | ||
115 | .SH "SEE ALSO" | ||
116 | .BR tiff2bw (1), | ||
117 | .BR TIFFReadRGBAImage (3t), | ||
118 | -- | ||
119 | GitLab | ||