1 files changed, 42 insertions, 0 deletions
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2020-35524-1.patch b/meta/recipes-multimedia/libtiff/files/CVE-2020-35524-1.patch
new file mode 100644
index 0000000000..5232eacb50
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2020-35524-1.patch
@@ -0,0 +1,42 @@
+From c6a12721b46f1a72974f91177890301730d7b330 Mon Sep 17 00:00:00 2001
+From: Thomas Bernard <miniupnp@free.fr>
+Date: Tue, 10 Nov 2020 01:01:59 +0100
+Subject: [PATCH] tiff2pdf.c: properly calculate datasize when saving to JPEG
+ YCbCr
+fixes #220
+Upstream-Status: Backport
+https://gitlab.com/libtiff/libtiff/-/commit/c6a12721b46f1a72974f91177890301730d7b330
+https://gitlab.com/libtiff/libtiff/-/merge_requests/159/commits
+CVE: CVE-2021-35524
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+ tools/tiff2pdf.c | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+diff --git a/tools/tiff2pdf.c b/tools/tiff2pdf.c
+index 719811ea..dc69d2f9 100644
+--- a/tools/tiff2pdf.c
+++ b/tools/tiff2pdf.c
+@@ -2087,9 +2087,14 @@ void t2p_read_tiff_size(T2P* t2p, TIFF* input){
+ #endif
+                (void) 0;
+        }
+-       k = checkMultiply64(TIFFScanlineSize(input), t2p->tiff_length, t2p);
+-       if(t2p->tiff_planar==PLANARCONFIG_SEPARATE){
+-               k = checkMultiply64(k, t2p->tiff_samplesperpixel, t2p);
+       if(t2p->pdf_compression == T2P_COMPRESS_JPEG
+          && t2p->tiff_photometric == PHOTOMETRIC_YCBCR) {
+               k = checkMultiply64(TIFFNumberOfStrips(input), TIFFStripSize(input), t2p);
+       } else {
+               k = checkMultiply64(TIFFScanlineSize(input), t2p->tiff_length, t2p);
+               if(t2p->tiff_planar==PLANARCONFIG_SEPARATE){
+                       k = checkMultiply64(k, t2p->tiff_samplesperpixel, t2p);
+               }
+        }
+        if (k == 0) {
+                /* Assume we had overflow inside TIFFScanlineSize */
+-- 
+GitLab

diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2020-35524-1.patch b/meta/recipes-multimedia/libtiff/files/CVE-2020-35524-1.patch new file mode 100644 index 0000000000..5232eacb50 --- /dev/null +++ b/meta/recipes-multimedia/libtiff/files/CVE-2020-35524-1.patch
@@ -0,0 +1,42 @@
	1	From c6a12721b46f1a72974f91177890301730d7b330 Mon Sep 17 00:00:00 2001
	2	From: Thomas Bernard <miniupnp@free.fr>
	3	Date: Tue, 10 Nov 2020 01:01:59 +0100
	4	Subject: [PATCH] tiff2pdf.c: properly calculate datasize when saving to JPEG
	5	YCbCr
	6
	7	fixes #220
	8	Upstream-Status: Backport
	9	https://gitlab.com/libtiff/libtiff/-/commit/c6a12721b46f1a72974f91177890301730d7b330
	10	https://gitlab.com/libtiff/libtiff/-/merge_requests/159/commits
	11	CVE: CVE-2021-35524
	12	Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
	13
	14	---
	15	tools/tiff2pdf.c \| 11 ++++++++---
	16	1 file changed, 8 insertions(+), 3 deletions(-)
	17
	18	diff --git a/tools/tiff2pdf.c b/tools/tiff2pdf.c
	19	index 719811ea..dc69d2f9 100644
	20	--- a/tools/tiff2pdf.c
	21	+++ b/tools/tiff2pdf.c
	22	@@ -2087,9 +2087,14 @@ void t2p_read_tiff_size(T2P* t2p, TIFF* input){
	23	#endif
	24	(void) 0;
	25	}
	26	- k = checkMultiply64(TIFFScanlineSize(input), t2p->tiff_length, t2p);
	27	- if(t2p->tiff_planar==PLANARCONFIG_SEPARATE){
	28	- k = checkMultiply64(k, t2p->tiff_samplesperpixel, t2p);
	29	+ if(t2p->pdf_compression == T2P_COMPRESS_JPEG
	30	+ && t2p->tiff_photometric == PHOTOMETRIC_YCBCR) {
	31	+ k = checkMultiply64(TIFFNumberOfStrips(input), TIFFStripSize(input), t2p);
	32	+ } else {
	33	+ k = checkMultiply64(TIFFScanlineSize(input), t2p->tiff_length, t2p);
	34	+ if(t2p->tiff_planar==PLANARCONFIG_SEPARATE){
	35	+ k = checkMultiply64(k, t2p->tiff_samplesperpixel, t2p);
	36	+ }
	37	}
	38	if (k == 0) {
	39	/* Assume we had overflow inside TIFFScanlineSize */
	40	--
	41	GitLab
	42