diff options
Diffstat (limited to 'meta/recipes-multimedia/libtiff/files/CVE-2020-35523.patch')
-rw-r--r-- | meta/recipes-multimedia/libtiff/files/CVE-2020-35523.patch | 55 |
1 files changed, 55 insertions, 0 deletions
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2020-35523.patch b/meta/recipes-multimedia/libtiff/files/CVE-2020-35523.patch new file mode 100644 index 0000000000..1f30b32799 --- /dev/null +++ b/meta/recipes-multimedia/libtiff/files/CVE-2020-35523.patch | |||
@@ -0,0 +1,55 @@ | |||
1 | From c8d613ef497058fe653c467fc84c70a62a4a71b2 Mon Sep 17 00:00:00 2001 | ||
2 | From: Thomas Bernard <miniupnp@free.fr> | ||
3 | Date: Tue, 10 Nov 2020 01:54:30 +0100 | ||
4 | Subject: [PATCH] gtTileContig(): check Tile width for overflow | ||
5 | |||
6 | fixes #211 | ||
7 | |||
8 | Upstream-Status: Backport [ https://gitlab.com/libtiff/libtiff/-/commit/c8d613ef497058fe653c467fc84c70a62a4a71b2 ] | ||
9 | CVE: CVE-2020-35523 | ||
10 | Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> | ||
11 | --- | ||
12 | libtiff/tif_getimage.c | 17 +++++++++++++---- | ||
13 | 1 file changed, 13 insertions(+), 4 deletions(-) | ||
14 | |||
15 | diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c | ||
16 | index 4da785d3..96ab1460 100644 | ||
17 | --- a/libtiff/tif_getimage.c | ||
18 | +++ b/libtiff/tif_getimage.c | ||
19 | @@ -29,6 +29,7 @@ | ||
20 | */ | ||
21 | #include "tiffiop.h" | ||
22 | #include <stdio.h> | ||
23 | +#include <limits.h> | ||
24 | |||
25 | static int gtTileContig(TIFFRGBAImage*, uint32*, uint32, uint32); | ||
26 | static int gtTileSeparate(TIFFRGBAImage*, uint32*, uint32, uint32); | ||
27 | @@ -645,12 +646,20 @@ gtTileContig(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h) | ||
28 | |||
29 | flip = setorientation(img); | ||
30 | if (flip & FLIP_VERTICALLY) { | ||
31 | - y = h - 1; | ||
32 | - toskew = -(int32)(tw + w); | ||
33 | + if ((tw + w) > INT_MAX) { | ||
34 | + TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "%s", "unsupported tile size (too wide)"); | ||
35 | + return (0); | ||
36 | + } | ||
37 | + y = h - 1; | ||
38 | + toskew = -(int32)(tw + w); | ||
39 | } | ||
40 | else { | ||
41 | - y = 0; | ||
42 | - toskew = -(int32)(tw - w); | ||
43 | + if (tw > (INT_MAX + w)) { | ||
44 | + TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "%s", "unsupported tile size (too wide)"); | ||
45 | + return (0); | ||
46 | + } | ||
47 | + y = 0; | ||
48 | + toskew = -(int32)(tw - w); | ||
49 | } | ||
50 | |||
51 | /* | ||
52 | -- | ||
53 | GitLab | ||
54 | |||
55 | |||