diff options
Diffstat (limited to 'meta/recipes-multimedia/libtiff/files/CVE-2022-3597_3626_3627.patch')
-rw-r--r-- | meta/recipes-multimedia/libtiff/files/CVE-2022-3597_3626_3627.patch | 123 |
1 files changed, 123 insertions, 0 deletions
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2022-3597_3626_3627.patch b/meta/recipes-multimedia/libtiff/files/CVE-2022-3597_3626_3627.patch new file mode 100644 index 0000000000..18a4b4e0ff --- /dev/null +++ b/meta/recipes-multimedia/libtiff/files/CVE-2022-3597_3626_3627.patch | |||
@@ -0,0 +1,123 @@ | |||
1 | From f7c06c395daf1b2c52ab431e00db2d9fc2ac993e Mon Sep 17 00:00:00 2001 | ||
2 | From: Su Laus <sulau@freenet.de> | ||
3 | Date: Tue, 10 May 2022 20:03:17 +0000 | ||
4 | Subject: [PATCH] tiffcrop: Fix issue #330 and some more from 320 to 349 | ||
5 | |||
6 | Upstream-Status: Backport [import from debian http://security.debian.org/debian-security/pool/updates/main/t/tiff/tiff_4.1.0+git191117-2~deb10u7.debian.tar.xz ] | ||
7 | CVE: CVE-2022-3597 CVE-2022-3626 CVE-2022-3627 | ||
8 | Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> | ||
9 | |||
10 | Origin: https://gitlab.com/libtiff/libtiff/-/commit/e319508023580e2f70e6e626f745b5b2a1707313 | ||
11 | Origin: https://gitlab.com/libtiff/libtiff/-/commit/8fe3735942ea1d90d8cef843b55b3efe8ab6feaf | ||
12 | Origin: https://gitlab.com/libtiff/libtiff/-/commit/bad48e90b410df32172006c7876da449ba62cdba | ||
13 | Origin: https://gitlab.com/libtiff/libtiff/-/commit/236b7191f04c60d09ee836ae13b50f812c841047 | ||
14 | Reviewed-by: Sylvain Beucler <beuc@debian.org> | ||
15 | Last-Update: 2023-01-17 | ||
16 | |||
17 | --- | ||
18 | tools/tiffcrop.c | 50 ++++++++++++++++++++++++++++++++++++++++-------- | ||
19 | 1 file changed, 42 insertions(+), 8 deletions(-) | ||
20 | |||
21 | diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c | ||
22 | index c923920..a0789a3 100644 | ||
23 | --- a/tools/tiffcrop.c | ||
24 | +++ b/tools/tiffcrop.c | ||
25 | @@ -103,7 +103,12 @@ | ||
26 | * selects which functions dump data, with higher numbers selecting | ||
27 | * lower level, scanline level routines. Debug reports a limited set | ||
28 | * of messages to monitor progess without enabling dump logs. | ||
29 | - */ | ||
30 | + * | ||
31 | + * Note 1: The (-X|-Y), -Z, -z and -S options are mutually exclusive. | ||
32 | + * In no case should the options be applied to a given selection successively. | ||
33 | + * Note 2: Any of the -X, -Y, -Z and -z options together with other PAGE_MODE_x options | ||
34 | + * such as -H, -V, -P, -J or -K are not supported and may cause buffer overflows. | ||
35 | + */ | ||
36 | |||
37 | static char tiffcrop_version_id[] = "2.4.1"; | ||
38 | static char tiffcrop_rev_date[] = "03-03-2010"; | ||
39 | @@ -176,12 +181,12 @@ extern int getopt(int argc, char * const argv[], const char *optstring); | ||
40 | #define ROTATECW_270 32 | ||
41 | #define ROTATE_ANY (ROTATECW_90 | ROTATECW_180 | ROTATECW_270) | ||
42 | |||
43 | -#define CROP_NONE 0 | ||
44 | -#define CROP_MARGINS 1 | ||
45 | -#define CROP_WIDTH 2 | ||
46 | -#define CROP_LENGTH 4 | ||
47 | -#define CROP_ZONES 8 | ||
48 | -#define CROP_REGIONS 16 | ||
49 | +#define CROP_NONE 0 /* "-S" -> Page_MODE_ROWSCOLS and page->rows/->cols != 0 */ | ||
50 | +#define CROP_MARGINS 1 /* "-m" */ | ||
51 | +#define CROP_WIDTH 2 /* "-X" */ | ||
52 | +#define CROP_LENGTH 4 /* "-Y" */ | ||
53 | +#define CROP_ZONES 8 /* "-Z" */ | ||
54 | +#define CROP_REGIONS 16 /* "-z" */ | ||
55 | #define CROP_ROTATE 32 | ||
56 | #define CROP_MIRROR 64 | ||
57 | #define CROP_INVERT 128 | ||
58 | @@ -323,7 +328,7 @@ struct crop_mask { | ||
59 | #define PAGE_MODE_RESOLUTION 1 | ||
60 | #define PAGE_MODE_PAPERSIZE 2 | ||
61 | #define PAGE_MODE_MARGINS 4 | ||
62 | -#define PAGE_MODE_ROWSCOLS 8 | ||
63 | +#define PAGE_MODE_ROWSCOLS 8 /* for -S option */ | ||
64 | |||
65 | #define INVERT_DATA_ONLY 10 | ||
66 | #define INVERT_DATA_AND_TAG 11 | ||
67 | @@ -754,6 +759,12 @@ static char* usage_info[] = { | ||
68 | " The four debug/dump options are independent, though it makes little sense to", | ||
69 | " specify a dump file without specifying a detail level.", | ||
70 | " ", | ||
71 | +"Note 1: The (-X|-Y), -Z, -z and -S options are mutually exclusive.", | ||
72 | +" In no case should the options be applied to a given selection successively.", | ||
73 | +" ", | ||
74 | +"Note 2: Any of the -X, -Y, -Z and -z options together with other PAGE_MODE_x options", | ||
75 | +" such as - H, -V, -P, -J or -K are not supported and may cause buffer overflows.", | ||
76 | +" ", | ||
77 | NULL | ||
78 | }; | ||
79 | |||
80 | @@ -2112,6 +2123,27 @@ void process_command_opts (int argc, char *argv[], char *mp, char *mode, uint32 | ||
81 | /*NOTREACHED*/ | ||
82 | } | ||
83 | } | ||
84 | + /*-- Check for not allowed combinations (e.g. -X, -Y and -Z, -z and -S are mutually exclusive) --*/ | ||
85 | + char XY, Z, R, S; | ||
86 | + XY = ((crop_data->crop_mode & CROP_WIDTH) || (crop_data->crop_mode & CROP_LENGTH)) ? 1 : 0; | ||
87 | + Z = (crop_data->crop_mode & CROP_ZONES) ? 1 : 0; | ||
88 | + R = (crop_data->crop_mode & CROP_REGIONS) ? 1 : 0; | ||
89 | + S = (page->mode & PAGE_MODE_ROWSCOLS) ? 1 : 0; | ||
90 | + if (XY + Z + R + S > 1) { | ||
91 | + TIFFError("tiffcrop input error", "The crop options(-X|-Y), -Z, -z and -S are mutually exclusive.->exit"); | ||
92 | + exit(EXIT_FAILURE); | ||
93 | + } | ||
94 | + | ||
95 | + /* Check for not allowed combination: | ||
96 | + * Any of the -X, -Y, -Z and -z options together with other PAGE_MODE_x options | ||
97 | + * such as -H, -V, -P, -J or -K are not supported and may cause buffer overflows. | ||
98 | +. */ | ||
99 | + if ((XY + Z + R > 0) && page->mode != PAGE_MODE_NONE) { | ||
100 | + TIFFError("tiffcrop input error", | ||
101 | + "Any of the crop options -X, -Y, -Z and -z together with other PAGE_MODE_x options such as - H, -V, -P, -J or -K is not supported and may cause buffer overflows..->exit"); | ||
102 | + exit(EXIT_FAILURE); | ||
103 | + } | ||
104 | + | ||
105 | } /* end process_command_opts */ | ||
106 | |||
107 | /* Start a new output file if one has not been previously opened or | ||
108 | @@ -2384,6 +2416,7 @@ main(int argc, char* argv[]) | ||
109 | exit (-1); | ||
110 | } | ||
111 | |||
112 | + /* Crop input image and copy zones and regions from input image into seg_buffs or crop_buff. */ | ||
113 | if (crop.selections > 0) | ||
114 | { | ||
115 | if (processCropSelections(&image, &crop, &read_buff, seg_buffs)) | ||
116 | @@ -2400,6 +2433,7 @@ main(int argc, char* argv[]) | ||
117 | exit (-1); | ||
118 | } | ||
119 | } | ||
120 | + /* Format and write selected image parts to output file(s). */ | ||
121 | if (page.mode == PAGE_MODE_NONE) | ||
122 | { /* Whole image or sections not based on output page size */ | ||
123 | if (crop.selections > 0) | ||