diff options
Diffstat (limited to 'meta/recipes-multimedia/libtiff/files/CVE-2022-0924.patch')
-rw-r--r-- | meta/recipes-multimedia/libtiff/files/CVE-2022-0924.patch | 58 |
1 files changed, 58 insertions, 0 deletions
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2022-0924.patch b/meta/recipes-multimedia/libtiff/files/CVE-2022-0924.patch new file mode 100644 index 0000000000..ddb035c972 --- /dev/null +++ b/meta/recipes-multimedia/libtiff/files/CVE-2022-0924.patch | |||
@@ -0,0 +1,58 @@ | |||
1 | From 88d79a45a31c74cba98c697892fed5f7db8b963a Mon Sep 17 00:00:00 2001 | ||
2 | From: 4ugustus <wangdw.augustus@qq.com> | ||
3 | Date: Thu, 10 Mar 2022 08:48:00 +0000 | ||
4 | Subject: [PATCH] fix heap buffer overflow in tiffcp (#278) | ||
5 | |||
6 | CVE: CVE-2022-0924 | ||
7 | Upstream-Status: Backport [https://sources.debian.org/src/tiff/4.1.0+git191117-2%7Edeb10u4/debian/patches/CVE-2022-0924.patch/] | ||
8 | Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com> | ||
9 | Comment: No change in any hunk | ||
10 | |||
11 | --- | ||
12 | tools/tiffcp.c | 17 ++++++++++++++++- | ||
13 | 1 file changed, 16 insertions(+), 1 deletion(-) | ||
14 | |||
15 | diff --git a/tools/tiffcp.c b/tools/tiffcp.c | ||
16 | index 224583e0..aa32b118 100644 | ||
17 | --- a/tools/tiffcp.c | ||
18 | +++ b/tools/tiffcp.c | ||
19 | @@ -1524,12 +1524,27 @@ DECLAREwriteFunc(writeBufferToSeparateSt | ||
20 | tdata_t obuf; | ||
21 | tstrip_t strip = 0; | ||
22 | tsample_t s; | ||
23 | + uint16 bps = 0, bytes_per_sample; | ||
24 | |||
25 | obuf = _TIFFmalloc(stripsize); | ||
26 | if (obuf == NULL) | ||
27 | return (0); | ||
28 | _TIFFmemset(obuf, 0, stripsize); | ||
29 | (void) TIFFGetFieldDefaulted(out, TIFFTAG_ROWSPERSTRIP, &rowsperstrip); | ||
30 | + (void) TIFFGetField(out, TIFFTAG_BITSPERSAMPLE, &bps); | ||
31 | + if( bps == 0 ) | ||
32 | + { | ||
33 | + TIFFError(TIFFFileName(out), "Error, cannot read BitsPerSample"); | ||
34 | + _TIFFfree(obuf); | ||
35 | + return 0; | ||
36 | + } | ||
37 | + if( (bps % 8) != 0 ) | ||
38 | + { | ||
39 | + TIFFError(TIFFFileName(out), "Error, cannot handle BitsPerSample that is not a multiple of 8"); | ||
40 | + _TIFFfree(obuf); | ||
41 | + return 0; | ||
42 | + } | ||
43 | + bytes_per_sample = bps/8; | ||
44 | for (s = 0; s < spp; s++) { | ||
45 | uint32 row; | ||
46 | for (row = 0; row < imagelength; row += rowsperstrip) { | ||
47 | @@ -1539,7 +1539,7 @@ DECLAREwriteFunc(writeBufferToSeparateSt | ||
48 | |||
49 | cpContigBufToSeparateBuf( | ||
50 | obuf, (uint8*) buf + row*rowsize + s, | ||
51 | - nrows, imagewidth, 0, 0, spp, 1); | ||
52 | + nrows, imagewidth, 0, 0, spp, bytes_per_sample); | ||
53 | if (TIFFWriteEncodedStrip(out, strip++, obuf, stripsize) < 0) { | ||
54 | TIFFError(TIFFFileName(out), | ||
55 | "Error, can't write strip %u", | ||
56 | -- | ||
57 | GitLab | ||
58 | |||