1 files changed, 55 insertions, 0 deletions
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2020-35523.patch b/meta/recipes-multimedia/libtiff/files/CVE-2020-35523.patch
new file mode 100644
index 0000000000..1f30b32799
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2020-35523.patch
@@ -0,0 +1,55 @@
+From c8d613ef497058fe653c467fc84c70a62a4a71b2 Mon Sep 17 00:00:00 2001
+From: Thomas Bernard <miniupnp@free.fr>
+Date: Tue, 10 Nov 2020 01:54:30 +0100
+Subject: [PATCH] gtTileContig(): check Tile width for overflow
+fixes #211
+Upstream-Status: Backport [ https://gitlab.com/libtiff/libtiff/-/commit/c8d613ef497058fe653c467fc84c70a62a4a71b2 ]
+CVE: CVE-2020-35523
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+ libtiff/tif_getimage.c | 17 +++++++++++++----
+ 1 file changed, 13 insertions(+), 4 deletions(-)
+diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c
+index 4da785d3..96ab1460 100644
+--- a/libtiff/tif_getimage.c
+++ b/libtiff/tif_getimage.c
+@@ -29,6 +29,7 @@
+  */
+ #include "tiffiop.h"
+ #include <stdio.h>
+#include <limits.h>
+ 
+ static int gtTileContig(TIFFRGBAImage*, uint32*, uint32, uint32);
+ static int gtTileSeparate(TIFFRGBAImage*, uint32*, uint32, uint32);
+@@ -645,12 +646,20 @@ gtTileContig(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
+ 
+     flip = setorientation(img);
+     if (flip & FLIP_VERTICALLY) {
+-           y = h - 1;
+-           toskew = -(int32)(tw + w);
+        if ((tw + w) > INT_MAX) {
+            TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "%s", "unsupported tile size (too wide)");
+            return (0);
+        }
+        y = h - 1;
+        toskew = -(int32)(tw + w);
+     }
+     else {
+-           y = 0;
+-           toskew = -(int32)(tw - w);
+        if (tw > (INT_MAX + w)) {
+            TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "%s", "unsupported tile size (too wide)");
+            return (0);
+        }
+        y = 0;
+        toskew = -(int32)(tw - w);
+     }
+      
+     /*
+-- 
+GitLab

diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2020-35523.patch b/meta/recipes-multimedia/libtiff/files/CVE-2020-35523.patch new file mode 100644 index 0000000000..1f30b32799 --- /dev/null +++ b/meta/recipes-multimedia/libtiff/files/CVE-2020-35523.patch
@@ -0,0 +1,55 @@
	1	From c8d613ef497058fe653c467fc84c70a62a4a71b2 Mon Sep 17 00:00:00 2001
	2	From: Thomas Bernard <miniupnp@free.fr>
	3	Date: Tue, 10 Nov 2020 01:54:30 +0100
	4	Subject: [PATCH] gtTileContig(): check Tile width for overflow
	5
	6	fixes #211
	7
	8	Upstream-Status: Backport [ https://gitlab.com/libtiff/libtiff/-/commit/c8d613ef497058fe653c467fc84c70a62a4a71b2 ]
	9	CVE: CVE-2020-35523
	10	Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
	11	---
	12	libtiff/tif_getimage.c \| 17 +++++++++++++----
	13	1 file changed, 13 insertions(+), 4 deletions(-)
	14
	15	diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c
	16	index 4da785d3..96ab1460 100644
	17	--- a/libtiff/tif_getimage.c
	18	+++ b/libtiff/tif_getimage.c
	19	@@ -29,6 +29,7 @@
	20	*/
	21	#include "tiffiop.h"
	22	#include <stdio.h>
	23	+#include <limits.h>
	24
	25	static int gtTileContig(TIFFRGBAImage, uint32, uint32, uint32);
	26	static int gtTileSeparate(TIFFRGBAImage, uint32, uint32, uint32);
	27	@@ -645,12 +646,20 @@ gtTileContig(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
	28
	29	flip = setorientation(img);
	30	if (flip & FLIP_VERTICALLY) {
	31	- y = h - 1;
	32	- toskew = -(int32)(tw + w);
	33	+ if ((tw + w) > INT_MAX) {
	34	+ TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "%s", "unsupported tile size (too wide)");
	35	+ return (0);
	36	+ }
	37	+ y = h - 1;
	38	+ toskew = -(int32)(tw + w);
	39	}
	40	else {
	41	- y = 0;
	42	- toskew = -(int32)(tw - w);
	43	+ if (tw > (INT_MAX + w)) {
	44	+ TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "%s", "unsupported tile size (too wide)");
	45	+ return (0);
	46	+ }
	47	+ y = 0;
	48	+ toskew = -(int32)(tw - w);
	49	}
	50
	51	/*
	52	--
	53	GitLab
	54
	55