1 files changed, 159 insertions, 0 deletions
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2022-2867-CVE-2022-2868-CVE-2022-2869.patch b/meta/recipes-multimedia/libtiff/files/CVE-2022-2867-CVE-2022-2868-CVE-2022-2869.patch
new file mode 100644
index 0000000000..131ff94119
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2022-2867-CVE-2022-2868-CVE-2022-2869.patch
@@ -0,0 +1,159 @@
+From 07d79fcac2ead271b60e32aeb80f7b4f3be9ac8c Mon Sep 17 00:00:00 2001
+From: Su Laus <sulau@freenet.de>
+Date: Wed, 9 Feb 2022 21:31:29 +0000
+Subject: [PATCH] tiffcrop.c: Fix issue #352 heap-buffer-overflow by correcting
+ uint32_t underflow.
+CVE: CVE-2022-2867 CVE-2022-2868 CVE-2022-2869
+Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/07d79fcac2ead271b60e32aeb80f7b4f3be9ac8c]
+Signed-off-by: Virendra Thakur <virendrak@kpit.com>
+---
+Index: tiff-4.1.0/tools/tiffcrop.c
+===================================================================
+--- tiff-4.1.0.orig/tools/tiffcrop.c
+++ tiff-4.1.0/tools/tiffcrop.c
+@@ -5153,29 +5153,45 @@ computeInputPixelOffsets(struct crop_mas
+        y1 = _TIFFClampDoubleToUInt32(crop->corners[i].Y1);
+        y2 = _TIFFClampDoubleToUInt32(crop->corners[i].Y2);
+        }
+-      if (x1 < 1)
+-        crop->regionlist[i].x1 = 0;
+-      else
+-        crop->regionlist[i].x1 = (uint32) (x1 - 1);
+      /* a) Region needs to be within image sizes 0.. width-1; 0..length-1 
+       * b) Corners are expected to be submitted as top-left to bottom-right.
+       *    Therefore, check that and reorder input.
+       * (be aware x,y are already casted to (uint32_t) and avoid (0 - 1) )
+       */
+      uint32_t aux;
+      if (x1 > x2) {
+        aux = x1;
+        x1 = x2;
+        x2 = aux;
+      }
+      if (y1 > y2) {
+        aux = y1;
+        y1 = y2;
+        y2 = aux;
+      }
+      if (x1 > image->width - 1)
+        crop->regionlist[i].x1 = image->width - 1;
+      else if (x1 > 0)
+        crop->regionlist[i].x1 = (uint32_t)(x1 - 1);
+ 
+       if (x2 > image->width - 1)
+         crop->regionlist[i].x2 = image->width - 1;
+-      else
+-        crop->regionlist[i].x2 = (uint32) (x2 - 1);
+-      zwidth  = crop->regionlist[i].x2 - crop->regionlist[i].x1 + 1; 
+-
+-      if (y1 < 1)
+-        crop->regionlist[i].y1 = 0;
+-      else
+-        crop->regionlist[i].y1 = (uint32) (y1 - 1);
+      else if (x2 > 0)
+        crop->regionlist[i].x2 = (uint32_t)(x2 - 1);
+
+      zwidth = crop->regionlist[i].x2 - crop->regionlist[i].x1 + 1;
+
+      if (y1 > image->length - 1)
+        crop->regionlist[i].y1 = image->length - 1;
+      else if (y1 > 0)
+        crop->regionlist[i].y1 = (uint32_t)(y1 - 1);
+ 
+       if (y2 > image->length - 1)
+         crop->regionlist[i].y2 = image->length - 1;
+-      else
+-        crop->regionlist[i].y2 = (uint32) (y2 - 1);
+-
+-      zlength = crop->regionlist[i].y2 - crop->regionlist[i].y1 + 1; 
+      else if (y2 > 0)
+        crop->regionlist[i].y2 = (uint32_t)(y2 - 1);
+ 
+      zlength = crop->regionlist[i].y2 - crop->regionlist[i].y1 + 1;
+       if (zwidth > max_width)
+         max_width = zwidth;
+       if (zlength > max_length)
+@@ -5205,7 +5221,7 @@ computeInputPixelOffsets(struct crop_mas
+        }
+       }
+     return (0);
+-    }
+    }  /* crop_mode == CROP_REGIONS */
+   
+   /* Convert crop margins into offsets into image
+    * Margins are expressed as pixel rows and columns, not bytes
+@@ -5241,7 +5257,7 @@ computeInputPixelOffsets(struct crop_mas
+       bmargin = (uint32) 0;
+       return (-1);
+       }
+-    }
+    }  /* crop_mode == CROP_MARGINS */
+   else
+     { /* no margins requested */
+     tmargin = (uint32) 0;
+@@ -5332,24 +5348,23 @@ computeInputPixelOffsets(struct crop_mas
+   off->endx   = endx;
+   off->endy   = endy;
+ 
+-  crop_width  = endx - startx + 1;
+-  crop_length = endy - starty + 1;
+-
+-  if (crop_width <= 0)
+  if (endx + 1 <= startx)
+     {
+     TIFFError("computeInputPixelOffsets", 
+                "Invalid left/right margins and /or image crop width requested");
+     return (-1);
+     }
+  crop_width  = endx - startx + 1;
+   if (crop_width > image->width)
+     crop_width = image->width;
+ 
+-  if (crop_length <= 0)
+  if (endy + 1 <= starty)
+     {
+     TIFFError("computeInputPixelOffsets", 
+               "Invalid top/bottom margins and /or image crop length requested");
+     return (-1);
+     }
+  crop_length = endy - starty + 1;
+   if (crop_length > image->length)
+     crop_length = image->length;
+ 
+@@ -5449,10 +5464,17 @@ getCropOffsets(struct image_data *image,
+   else
+     crop->selections = crop->zones;
+ 
+-  for (i = 0; i < crop->zones; i++)
+  /* Initialize regions iterator i */
+  i = 0;
+  for (int j = 0; j < crop->zones; j++)
+     {
+-    seg = crop->zonelist[i].position;
+-    total = crop->zonelist[i].total;
+    seg = crop->zonelist[j].position;
+    total = crop->zonelist[j].total;
+
+    /* check for not allowed zone cases like 0:0; 4:3; etc. and skip that input */
+    if (seg == 0 || total == 0 || seg > total) {
+        continue;
+    }
+ 
+     switch (crop->edge_ref) 
+       {
+@@ -5581,8 +5603,11 @@ getCropOffsets(struct image_data *image,
+                     i + 1, (uint32)zwidth, (uint32)zlength,
+                    crop->regionlist[i].x1, crop->regionlist[i].x2, 
+                     crop->regionlist[i].y1, crop->regionlist[i].y2);
+  /* increment regions iterator */
+  i++;
+     }
+-
+    /* set number of generated regions out of given zones */
+    crop->selections = i;
+   return (0);
+   } /* end getCropOffsets */
+ 
+-- 
+GitLab

diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2022-2867-CVE-2022-2868-CVE-2022-2869.patch b/meta/recipes-multimedia/libtiff/files/CVE-2022-2867-CVE-2022-2868-CVE-2022-2869.patch new file mode 100644 index 0000000000..131ff94119 --- /dev/null +++ b/meta/recipes-multimedia/libtiff/files/CVE-2022-2867-CVE-2022-2868-CVE-2022-2869.patch
@@ -0,0 +1,159 @@
	1	From 07d79fcac2ead271b60e32aeb80f7b4f3be9ac8c Mon Sep 17 00:00:00 2001
	2	From: Su Laus <sulau@freenet.de>
	3	Date: Wed, 9 Feb 2022 21:31:29 +0000
	4	Subject: [PATCH] tiffcrop.c: Fix issue #352 heap-buffer-overflow by correcting
	5	uint32_t underflow.
	6
	7	CVE: CVE-2022-2867 CVE-2022-2868 CVE-2022-2869
	8	Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/07d79fcac2ead271b60e32aeb80f7b4f3be9ac8c]
	9	Signed-off-by: Virendra Thakur <virendrak@kpit.com>
	10	---
	11	Index: tiff-4.1.0/tools/tiffcrop.c
	12	===================================================================
	13	--- tiff-4.1.0.orig/tools/tiffcrop.c
	14	+++ tiff-4.1.0/tools/tiffcrop.c
	15	@@ -5153,29 +5153,45 @@ computeInputPixelOffsets(struct crop_mas
	16	y1 = _TIFFClampDoubleToUInt32(crop->corners[i].Y1);
	17	y2 = _TIFFClampDoubleToUInt32(crop->corners[i].Y2);
	18	}
	19	- if (x1 < 1)
	20	- crop->regionlist[i].x1 = 0;
	21	- else
	22	- crop->regionlist[i].x1 = (uint32) (x1 - 1);
	23	+ /* a) Region needs to be within image sizes 0.. width-1; 0..length-1
	24	+ * b) Corners are expected to be submitted as top-left to bottom-right.
	25	+ * Therefore, check that and reorder input.
	26	+ * (be aware x,y are already casted to (uint32_t) and avoid (0 - 1) )
	27	+ */
	28	+ uint32_t aux;
	29	+ if (x1 > x2) {
	30	+ aux = x1;
	31	+ x1 = x2;
	32	+ x2 = aux;
	33	+ }
	34	+ if (y1 > y2) {
	35	+ aux = y1;
	36	+ y1 = y2;
	37	+ y2 = aux;
	38	+ }
	39	+ if (x1 > image->width - 1)
	40	+ crop->regionlist[i].x1 = image->width - 1;
	41	+ else if (x1 > 0)
	42	+ crop->regionlist[i].x1 = (uint32_t)(x1 - 1);
	43
	44	if (x2 > image->width - 1)
	45	crop->regionlist[i].x2 = image->width - 1;
	46	- else
	47	- crop->regionlist[i].x2 = (uint32) (x2 - 1);
	48	- zwidth = crop->regionlist[i].x2 - crop->regionlist[i].x1 + 1;
	49	-
	50	- if (y1 < 1)
	51	- crop->regionlist[i].y1 = 0;
	52	- else
	53	- crop->regionlist[i].y1 = (uint32) (y1 - 1);
	54	+ else if (x2 > 0)
	55	+ crop->regionlist[i].x2 = (uint32_t)(x2 - 1);
	56	+
	57	+ zwidth = crop->regionlist[i].x2 - crop->regionlist[i].x1 + 1;
	58	+
	59	+ if (y1 > image->length - 1)
	60	+ crop->regionlist[i].y1 = image->length - 1;
	61	+ else if (y1 > 0)
	62	+ crop->regionlist[i].y1 = (uint32_t)(y1 - 1);
	63
	64	if (y2 > image->length - 1)
	65	crop->regionlist[i].y2 = image->length - 1;
	66	- else
	67	- crop->regionlist[i].y2 = (uint32) (y2 - 1);
	68	-
	69	- zlength = crop->regionlist[i].y2 - crop->regionlist[i].y1 + 1;
	70	+ else if (y2 > 0)
	71	+ crop->regionlist[i].y2 = (uint32_t)(y2 - 1);
	72
	73	+ zlength = crop->regionlist[i].y2 - crop->regionlist[i].y1 + 1;
	74	if (zwidth > max_width)
	75	max_width = zwidth;
	76	if (zlength > max_length)
	77	@@ -5205,7 +5221,7 @@ computeInputPixelOffsets(struct crop_mas
	78	}
	79	}
	80	return (0);
	81	- }
	82	+ } /* crop_mode == CROP_REGIONS */
	83
	84	/* Convert crop margins into offsets into image
	85	* Margins are expressed as pixel rows and columns, not bytes
	86	@@ -5241,7 +5257,7 @@ computeInputPixelOffsets(struct crop_mas
	87	bmargin = (uint32) 0;
	88	return (-1);
	89	}
	90	- }
	91	+ } /* crop_mode == CROP_MARGINS */
	92	else
	93	{ /* no margins requested */
	94	tmargin = (uint32) 0;
	95	@@ -5332,24 +5348,23 @@ computeInputPixelOffsets(struct crop_mas
	96	off->endx = endx;
	97	off->endy = endy;
	98
	99	- crop_width = endx - startx + 1;
	100	- crop_length = endy - starty + 1;
	101	-
	102	- if (crop_width <= 0)
	103	+ if (endx + 1 <= startx)
	104	{
	105	TIFFError("computeInputPixelOffsets",
	106	"Invalid left/right margins and /or image crop width requested");
	107	return (-1);
	108	}
	109	+ crop_width = endx - startx + 1;
	110	if (crop_width > image->width)
	111	crop_width = image->width;
	112
	113	- if (crop_length <= 0)
	114	+ if (endy + 1 <= starty)
	115	{
	116	TIFFError("computeInputPixelOffsets",
	117	"Invalid top/bottom margins and /or image crop length requested");
	118	return (-1);
	119	}
	120	+ crop_length = endy - starty + 1;
	121	if (crop_length > image->length)
	122	crop_length = image->length;
	123
	124	@@ -5449,10 +5464,17 @@ getCropOffsets(struct image_data *image,
	125	else
	126	crop->selections = crop->zones;
	127
	128	- for (i = 0; i < crop->zones; i++)
	129	+ /* Initialize regions iterator i */
	130	+ i = 0;
	131	+ for (int j = 0; j < crop->zones; j++)
	132	{
	133	- seg = crop->zonelist[i].position;
	134	- total = crop->zonelist[i].total;
	135	+ seg = crop->zonelist[j].position;
	136	+ total = crop->zonelist[j].total;
	137	+
	138	+ /* check for not allowed zone cases like 0:0; 4:3; etc. and skip that input */
	139	+ if (seg == 0 \|\| total == 0 \|\| seg > total) {
	140	+ continue;
	141	+ }
	142
	143	switch (crop->edge_ref)
	144	{
	145	@@ -5581,8 +5603,11 @@ getCropOffsets(struct image_data *image,
	146	i + 1, (uint32)zwidth, (uint32)zlength,
	147	crop->regionlist[i].x1, crop->regionlist[i].x2,
	148	crop->regionlist[i].y1, crop->regionlist[i].y2);
	149	+ /* increment regions iterator */
	150	+ i++;
	151	}
	152	-
	153	+ /* set number of generated regions out of given zones */
	154	+ crop->selections = i;
	155	return (0);
	156	} /* end getCropOffsets */
	157
	158	--
	159	GitLab