1 files changed, 119 insertions, 0 deletions
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2020-35521_and_CVE-2020-35522.patch b/meta/recipes-multimedia/libtiff/files/CVE-2020-35521_and_CVE-2020-35522.patch
new file mode 100644
index 0000000000..129721ff3e
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2020-35521_and_CVE-2020-35522.patch
@@ -0,0 +1,119 @@
+From 98a254f5b92cea22f5436555ff7fceb12afee84d Mon Sep 17 00:00:00 2001
+From: Thomas Bernard <miniupnp@free.fr>
+Date: Sun, 15 Nov 2020 17:02:51 +0100
+Subject: [PATCH 1/2] enforce (configurable) memory limit in tiff2rgba
+fixes #207
+fixes #209
+Signed-off-by: akash hadke <akash.hadke@kpit.com>
+---
+ tools/tiff2rgba.c | 25 +++++++++++++++++++++++--
+ 1 file changed, 23 insertions(+), 2 deletions(-)
+---
+CVE: CVE-2020-35521
+CVE: CVE-2020-35522
+Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/b5a935d96b21cda0f434230cdf8ca958cd8b4eef.patch]
+---
+diff --git a/tools/tiff2rgba.c b/tools/tiff2rgba.c
+index fbc383aa..764395f6 100644
+--- a/tools/tiff2rgba.c
+++ b/tools/tiff2rgba.c
+@@ -60,6 +60,10 @@ uint32 rowsperstrip = (uint32) -1;
+ int process_by_block = 0; /* default is whole image at once */
+ int no_alpha = 0;
+ int bigtiff_output = 0;
+#define DEFAULT_MAX_MALLOC (256 * 1024 * 1024)
+/* malloc size limit (in bytes)
+ * disabled when set to 0 */
+static tmsize_t maxMalloc = DEFAULT_MAX_MALLOC;
+ 
+ 
+ static int tiffcvt(TIFF* in, TIFF* out);
+@@ -75,8 +79,11 @@ main(int argc, char* argv[])
+        extern char *optarg;
+ #endif
+ 
+-       while ((c = getopt(argc, argv, "c:r:t:bn8h")) != -1)
+       while ((c = getopt(argc, argv, "c:r:t:bn8hM:")) != -1)
+                switch (c) {
+                       case 'M':
+                               maxMalloc = (tmsize_t)strtoul(optarg, NULL, 0) << 20;
+                               break;
+                        case 'b':
+                                process_by_block = 1;
+                                break;
+@@ -405,6 +412,12 @@ cvt_whole_image( TIFF *in, TIFF *out )
+                  (unsigned long)width, (unsigned long)height);
+         return 0;
+     }
+    if (maxMalloc != 0 && (tmsize_t)pixel_count * (tmsize_t)sizeof(uint32) > maxMalloc) {
+       TIFFError(TIFFFileName(in),
+                 "Raster size " TIFF_UINT64_FORMAT " over memory limit (" TIFF_UINT64_FORMAT "), try -b option.",
+                 (uint64)pixel_count * sizeof(uint32), (uint64)maxMalloc);
+        return 0;
+    }
+ 
+     rowsperstrip = TIFFDefaultStripSize(out, rowsperstrip);
+     TIFFSetField(out, TIFFTAG_ROWSPERSTRIP, rowsperstrip);
+@@ -530,6 +543,13 @@ tiffcvt(TIFF* in, TIFF* out)
+        TIFFSetField(out, TIFFTAG_SOFTWARE, TIFFGetVersion());
+        CopyField(TIFFTAG_DOCUMENTNAME, stringv);
+ 
+       if (maxMalloc != 0 && TIFFStripSize(in) > maxMalloc)
+       {
+               TIFFError(TIFFFileName(in),
+                         "Strip Size " TIFF_UINT64_FORMAT " over memory limit (" TIFF_UINT64_FORMAT ")",
+                         (uint64)TIFFStripSize(in), (uint64)maxMalloc);
+               return 0;
+       }
+         if( process_by_block && TIFFIsTiled( in ) )
+             return( cvt_by_tile( in, out ) );
+         else if( process_by_block )
+@@ -539,7 +559,7 @@ tiffcvt(TIFF* in, TIFF* out)
+ }
+ 
+ static const char* stuff[] = {
+-    "usage: tiff2rgba [-c comp] [-r rows] [-b] [-n] [-8] input... output",
+    "usage: tiff2rgba [-c comp] [-r rows] [-b] [-n] [-8] [-M size] input... output",
+     "where comp is one of the following compression algorithms:",
+     " jpeg\t\tJPEG encoding",
+     " zip\t\tZip/Deflate encoding",
+@@ -551,6 +571,7 @@ static const char* stuff[] = {
+     " -b (progress by block rather than as a whole image)",
+     " -n don't emit alpha component.",
+     " -8 write BigTIFF file instead of ClassicTIFF",
+    " -M set the memory allocation limit in MiB. 0 to disable limit",
+     NULL
+ };
+ 
+-- 
+GitLab
+From e9e504193ef1f87e9cb5e986586b0cbe3254e421 Mon Sep 17 00:00:00 2001
+From: Thomas Bernard <miniupnp@free.fr>
+Date: Sun, 15 Nov 2020 17:08:42 +0100
+Subject: [PATCH 2/2] tiff2rgba.1: -M option
+---
+ man/tiff2rgba.1 | 4 ++++
+ 1 file changed, 4 insertions(+)
+diff --git a/man/tiff2rgba.1 b/man/tiff2rgba.1
+index d9c9baae..fe9ebb2c 100644
+--- a/man/tiff2rgba.1
+++ b/man/tiff2rgba.1
+@@ -87,6 +87,10 @@ Drop the alpha component from the output file, producing a pure RGB file.
+ Currently this does not work if the
+ .B \-b
+ flag is also in effect.
+.TP
+.BI \-M " size"
+Set maximum memory allocation size (in MiB). The default is 256MiB.
+Set to 0 to disable the limit.
+ .SH "SEE ALSO"
+ .BR tiff2bw (1),
+ .BR TIFFReadRGBAImage (3t),
+-- 
+GitLab

diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2020-35521_and_CVE-2020-35522.patch b/meta/recipes-multimedia/libtiff/files/CVE-2020-35521_and_CVE-2020-35522.patch new file mode 100644 index 0000000000..129721ff3e --- /dev/null +++ b/meta/recipes-multimedia/libtiff/files/CVE-2020-35521_and_CVE-2020-35522.patch
@@ -0,0 +1,119 @@
	1	From 98a254f5b92cea22f5436555ff7fceb12afee84d Mon Sep 17 00:00:00 2001
	2	From: Thomas Bernard <miniupnp@free.fr>
	3	Date: Sun, 15 Nov 2020 17:02:51 +0100
	4	Subject: [PATCH 1/2] enforce (configurable) memory limit in tiff2rgba
	5
	6	fixes #207
	7	fixes #209
	8
	9	Signed-off-by: akash hadke <akash.hadke@kpit.com>
	10	---
	11	tools/tiff2rgba.c \| 25 +++++++++++++++++++++++--
	12	1 file changed, 23 insertions(+), 2 deletions(-)
	13	---
	14	CVE: CVE-2020-35521
	15	CVE: CVE-2020-35522
	16	Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/b5a935d96b21cda0f434230cdf8ca958cd8b4eef.patch]
	17	---
	18	diff --git a/tools/tiff2rgba.c b/tools/tiff2rgba.c
	19	index fbc383aa..764395f6 100644
	20	--- a/tools/tiff2rgba.c
	21	+++ b/tools/tiff2rgba.c
	22	@@ -60,6 +60,10 @@ uint32 rowsperstrip = (uint32) -1;
	23	int process_by_block = 0; /* default is whole image at once */
	24	int no_alpha = 0;
	25	int bigtiff_output = 0;
	26	+#define DEFAULT_MAX_MALLOC (256 * 1024 * 1024)
	27	+/* malloc size limit (in bytes)
	28	+ * disabled when set to 0 */
	29	+static tmsize_t maxMalloc = DEFAULT_MAX_MALLOC;
	30
	31
	32	static int tiffcvt(TIFF* in, TIFF* out);
	33	@@ -75,8 +79,11 @@ main(int argc, char* argv[])
	34	extern char *optarg;
	35	#endif
	36
	37	- while ((c = getopt(argc, argv, "c:r:t:bn8h")) != -1)
	38	+ while ((c = getopt(argc, argv, "c:r:t:bn8hM:")) != -1)
	39	switch (c) {
	40	+ case 'M':
	41	+ maxMalloc = (tmsize_t)strtoul(optarg, NULL, 0) << 20;
	42	+ break;
	43	case 'b':
	44	process_by_block = 1;
	45	break;
	46	@@ -405,6 +412,12 @@ cvt_whole_image( TIFF in, TIFF out )
	47	(unsigned long)width, (unsigned long)height);
	48	return 0;
	49	}
	50	+ if (maxMalloc != 0 && (tmsize_t)pixel_count * (tmsize_t)sizeof(uint32) > maxMalloc) {
	51	+ TIFFError(TIFFFileName(in),
	52	+ "Raster size " TIFF_UINT64_FORMAT " over memory limit (" TIFF_UINT64_FORMAT "), try -b option.",
	53	+ (uint64)pixel_count * sizeof(uint32), (uint64)maxMalloc);
	54	+ return 0;
	55	+ }
	56
	57	rowsperstrip = TIFFDefaultStripSize(out, rowsperstrip);
	58	TIFFSetField(out, TIFFTAG_ROWSPERSTRIP, rowsperstrip);
	59	@@ -530,6 +543,13 @@ tiffcvt(TIFF* in, TIFF* out)
	60	TIFFSetField(out, TIFFTAG_SOFTWARE, TIFFGetVersion());
	61	CopyField(TIFFTAG_DOCUMENTNAME, stringv);
	62
	63	+ if (maxMalloc != 0 && TIFFStripSize(in) > maxMalloc)
	64	+ {
	65	+ TIFFError(TIFFFileName(in),
	66	+ "Strip Size " TIFF_UINT64_FORMAT " over memory limit (" TIFF_UINT64_FORMAT ")",
	67	+ (uint64)TIFFStripSize(in), (uint64)maxMalloc);
	68	+ return 0;
	69	+ }
	70	if( process_by_block && TIFFIsTiled( in ) )
	71	return( cvt_by_tile( in, out ) );
	72	else if( process_by_block )
	73	@@ -539,7 +559,7 @@ tiffcvt(TIFF* in, TIFF* out)
	74	}
	75
	76	static const char* stuff[] = {
	77	- "usage: tiff2rgba [-c comp] [-r rows] [-b] [-n] [-8] input... output",
	78	+ "usage: tiff2rgba [-c comp] [-r rows] [-b] [-n] [-8] [-M size] input... output",
	79	"where comp is one of the following compression algorithms:",
	80	" jpeg\t\tJPEG encoding",
	81	" zip\t\tZip/Deflate encoding",
	82	@@ -551,6 +571,7 @@ static const char* stuff[] = {
	83	" -b (progress by block rather than as a whole image)",
	84	" -n don't emit alpha component.",
	85	" -8 write BigTIFF file instead of ClassicTIFF",
	86	+ " -M set the memory allocation limit in MiB. 0 to disable limit",
	87	NULL
	88	};
	89
	90	--
	91	GitLab
	92
	93
	94	From e9e504193ef1f87e9cb5e986586b0cbe3254e421 Mon Sep 17 00:00:00 2001
	95	From: Thomas Bernard <miniupnp@free.fr>
	96	Date: Sun, 15 Nov 2020 17:08:42 +0100
	97	Subject: [PATCH 2/2] tiff2rgba.1: -M option
	98
	99	---
	100	man/tiff2rgba.1 \| 4 ++++
	101	1 file changed, 4 insertions(+)
	102
	103	diff --git a/man/tiff2rgba.1 b/man/tiff2rgba.1
	104	index d9c9baae..fe9ebb2c 100644
	105	--- a/man/tiff2rgba.1
	106	+++ b/man/tiff2rgba.1
	107	@@ -87,6 +87,10 @@ Drop the alpha component from the output file, producing a pure RGB file.
	108	Currently this does not work if the
	109	.B \-b
	110	flag is also in effect.
	111	+.TP
	112	+.BI \-M " size"
	113	+Set maximum memory allocation size (in MiB). The default is 256MiB.
	114	+Set to 0 to disable the limit.
	115	.SH "SEE ALSO"
	116	.BR tiff2bw (1),
	117	.BR TIFFReadRGBAImage (3t),
	118	--
	119	GitLab