1 files changed, 58 insertions, 0 deletions
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2022-0924.patch b/meta/recipes-multimedia/libtiff/files/CVE-2022-0924.patch
new file mode 100644
index 0000000000..ddb035c972
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2022-0924.patch
@@ -0,0 +1,58 @@
+From 88d79a45a31c74cba98c697892fed5f7db8b963a Mon Sep 17 00:00:00 2001
+From: 4ugustus <wangdw.augustus@qq.com>
+Date: Thu, 10 Mar 2022 08:48:00 +0000
+Subject: [PATCH] fix heap buffer overflow in tiffcp (#278)
+CVE: CVE-2022-0924
+Upstream-Status: Backport [https://sources.debian.org/src/tiff/4.1.0+git191117-2%7Edeb10u4/debian/patches/CVE-2022-0924.patch/]
+Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
+Comment: No change in any hunk
+---
+ tools/tiffcp.c | 17 ++++++++++++++++-
+ 1 file changed, 16 insertions(+), 1 deletion(-)
+diff --git a/tools/tiffcp.c b/tools/tiffcp.c
+index 224583e0..aa32b118 100644
+--- a/tools/tiffcp.c
+++ b/tools/tiffcp.c
+@@ -1524,12 +1524,27 @@ DECLAREwriteFunc(writeBufferToSeparateSt
+        tdata_t obuf;
+        tstrip_t strip = 0;
+        tsample_t s;
+       uint16 bps = 0, bytes_per_sample;
+ 
+        obuf = _TIFFmalloc(stripsize);
+        if (obuf == NULL)
+                return (0);
+        _TIFFmemset(obuf, 0, stripsize);
+        (void) TIFFGetFieldDefaulted(out, TIFFTAG_ROWSPERSTRIP, &rowsperstrip);
+       (void) TIFFGetField(out, TIFFTAG_BITSPERSAMPLE, &bps);
+       if( bps == 0 )
+        {
+            TIFFError(TIFFFileName(out), "Error, cannot read BitsPerSample");
+            _TIFFfree(obuf);
+            return 0;
+        }
+        if( (bps % 8) != 0 )
+        {
+            TIFFError(TIFFFileName(out), "Error, cannot handle BitsPerSample that is not a multiple of 8");
+            _TIFFfree(obuf);
+            return 0;
+        }
+       bytes_per_sample = bps/8;
+        for (s = 0; s < spp; s++) {
+                uint32 row;
+                for (row = 0; row < imagelength; row += rowsperstrip) {
+@@ -1539,7 +1539,7 @@ DECLAREwriteFunc(writeBufferToSeparateSt
+ 
+                        cpContigBufToSeparateBuf(
+                            obuf, (uint8*) buf + row*rowsize + s,
+-                           nrows, imagewidth, 0, 0, spp, 1);
+                           nrows, imagewidth, 0, 0, spp, bytes_per_sample);
+                        if (TIFFWriteEncodedStrip(out, strip++, obuf, stripsize) < 0) {
+                                TIFFError(TIFFFileName(out),
+                                    "Error, can't write strip %u",
+-- 
+GitLab

diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2022-0924.patch b/meta/recipes-multimedia/libtiff/files/CVE-2022-0924.patch new file mode 100644 index 0000000000..ddb035c972 --- /dev/null +++ b/meta/recipes-multimedia/libtiff/files/CVE-2022-0924.patch
@@ -0,0 +1,58 @@
	1	From 88d79a45a31c74cba98c697892fed5f7db8b963a Mon Sep 17 00:00:00 2001
	2	From: 4ugustus <wangdw.augustus@qq.com>
	3	Date: Thu, 10 Mar 2022 08:48:00 +0000
	4	Subject: [PATCH] fix heap buffer overflow in tiffcp (#278)
	5
	6	CVE: CVE-2022-0924
	7	Upstream-Status: Backport [https://sources.debian.org/src/tiff/4.1.0+git191117-2%7Edeb10u4/debian/patches/CVE-2022-0924.patch/]
	8	Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
	9	Comment: No change in any hunk
	10
	11	---
	12	tools/tiffcp.c \| 17 ++++++++++++++++-
	13	1 file changed, 16 insertions(+), 1 deletion(-)
	14
	15	diff --git a/tools/tiffcp.c b/tools/tiffcp.c
	16	index 224583e0..aa32b118 100644
	17	--- a/tools/tiffcp.c
	18	+++ b/tools/tiffcp.c
	19	@@ -1524,12 +1524,27 @@ DECLAREwriteFunc(writeBufferToSeparateSt
	20	tdata_t obuf;
	21	tstrip_t strip = 0;
	22	tsample_t s;
	23	+ uint16 bps = 0, bytes_per_sample;
	24
	25	obuf = _TIFFmalloc(stripsize);
	26	if (obuf == NULL)
	27	return (0);
	28	_TIFFmemset(obuf, 0, stripsize);
	29	(void) TIFFGetFieldDefaulted(out, TIFFTAG_ROWSPERSTRIP, &rowsperstrip);
	30	+ (void) TIFFGetField(out, TIFFTAG_BITSPERSAMPLE, &bps);
	31	+ if( bps == 0 )
	32	+ {
	33	+ TIFFError(TIFFFileName(out), "Error, cannot read BitsPerSample");
	34	+ _TIFFfree(obuf);
	35	+ return 0;
	36	+ }
	37	+ if( (bps % 8) != 0 )
	38	+ {
	39	+ TIFFError(TIFFFileName(out), "Error, cannot handle BitsPerSample that is not a multiple of 8");
	40	+ _TIFFfree(obuf);
	41	+ return 0;
	42	+ }
	43	+ bytes_per_sample = bps/8;
	44	for (s = 0; s < spp; s++) {
	45	uint32 row;
	46	for (row = 0; row < imagelength; row += rowsperstrip) {
	47	@@ -1539,7 +1539,7 @@ DECLAREwriteFunc(writeBufferToSeparateSt
	48
	49	cpContigBufToSeparateBuf(
	50	obuf, (uint8) buf + rowrowsize + s,
	51	- nrows, imagewidth, 0, 0, spp, 1);
	52	+ nrows, imagewidth, 0, 0, spp, bytes_per_sample);
	53	if (TIFFWriteEncodedStrip(out, strip++, obuf, stripsize) < 0) {
	54	TIFFError(TIFFFileName(out),
	55	"Error, can't write strip %u",
	56	--
	57	GitLab
	58