1 files changed, 45 insertions, 0 deletions
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2022-3970.patch b/meta/recipes-multimedia/libtiff/files/CVE-2022-3970.patch
new file mode 100644
index 0000000000..ea70827cbe
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2022-3970.patch
@@ -0,0 +1,45 @@
+From 7e87352217d1f0c77eee7033ac59e3aab08532bb Mon Sep 17 00:00:00 2001
+From: Even Rouault <even.rouault@spatialys.com>
+Date: Tue, 8 Nov 2022 15:16:58 +0100
+Subject: [PATCH] TIFFReadRGBATileExt(): fix (unsigned) integer overflow on
+Upstream-Status: Backport [import from debian http://security.debian.org/debian-security/pool/updates/main/t/tiff/tiff_4.1.0+git191117-2~deb10u7.debian.tar.xz ]
+CVE: CVE-2022-3970
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+Origin: https://gitlab.com/libtiff/libtiff/-/commit/227500897dfb07fb7d27f7aa570050e62617e3be
+Reviewed-by: Sylvain Beucler <beuc@debian.org>
+Last-Update: 2023-01-17
+ strips/tiles > 2 GB
+Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=53137
+---
+ libtiff/tif_getimage.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c
+index 96ab146..0b90dcc 100644
+--- a/libtiff/tif_getimage.c
+++ b/libtiff/tif_getimage.c
+@@ -3042,15 +3042,15 @@ TIFFReadRGBATileExt(TIFF* tif, uint32 col, uint32 row, uint32 * raster, int stop
+         return( ok );
+ 
+     for( i_row = 0; i_row < read_ysize; i_row++ ) {
+-        memmove( raster + (tile_ysize - i_row - 1) * tile_xsize,
+-                 raster + (read_ysize - i_row - 1) * read_xsize,
+        memmove( raster + (size_t)(tile_ysize - i_row - 1) * tile_xsize,
+                 raster + (size_t)(read_ysize - i_row - 1) * read_xsize,
+                  read_xsize * sizeof(uint32) );
+-        _TIFFmemset( raster + (tile_ysize - i_row - 1) * tile_xsize+read_xsize,
+        _TIFFmemset( raster + (size_t)(tile_ysize - i_row - 1) * tile_xsize+read_xsize,
+                      0, sizeof(uint32) * (tile_xsize - read_xsize) );
+     }
+ 
+     for( i_row = read_ysize; i_row < tile_ysize; i_row++ ) {
+-        _TIFFmemset( raster + (tile_ysize - i_row - 1) * tile_xsize,
+        _TIFFmemset( raster + (size_t)(tile_ysize - i_row - 1) * tile_xsize,
+                      0, sizeof(uint32) * tile_xsize );
+     }
+

diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2022-3970.patch b/meta/recipes-multimedia/libtiff/files/CVE-2022-3970.patch new file mode 100644 index 0000000000..ea70827cbe --- /dev/null +++ b/meta/recipes-multimedia/libtiff/files/CVE-2022-3970.patch
@@ -0,0 +1,45 @@
	1	From 7e87352217d1f0c77eee7033ac59e3aab08532bb Mon Sep 17 00:00:00 2001
	2	From: Even Rouault <even.rouault@spatialys.com>
	3	Date: Tue, 8 Nov 2022 15:16:58 +0100
	4	Subject: [PATCH] TIFFReadRGBATileExt(): fix (unsigned) integer overflow on
	5
	6	Upstream-Status: Backport [import from debian http://security.debian.org/debian-security/pool/updates/main/t/tiff/tiff_4.1.0+git191117-2~deb10u7.debian.tar.xz ]
	7	CVE: CVE-2022-3970
	8	Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
	9
	10	Origin: https://gitlab.com/libtiff/libtiff/-/commit/227500897dfb07fb7d27f7aa570050e62617e3be
	11	Reviewed-by: Sylvain Beucler <beuc@debian.org>
	12	Last-Update: 2023-01-17
	13
	14	strips/tiles > 2 GB
	15
	16	Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=53137
	17
	18	---
	19	libtiff/tif_getimage.c \| 8 ++++----
	20	1 file changed, 4 insertions(+), 4 deletions(-)
	21
	22	diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c
	23	index 96ab146..0b90dcc 100644
	24	--- a/libtiff/tif_getimage.c
	25	+++ b/libtiff/tif_getimage.c
	26	@@ -3042,15 +3042,15 @@ TIFFReadRGBATileExt(TIFF* tif, uint32 col, uint32 row, uint32 * raster, int stop
	27	return( ok );
	28
	29	for( i_row = 0; i_row < read_ysize; i_row++ ) {
	30	- memmove( raster + (tile_ysize - i_row - 1) * tile_xsize,
	31	- raster + (read_ysize - i_row - 1) * read_xsize,
	32	+ memmove( raster + (size_t)(tile_ysize - i_row - 1) * tile_xsize,
	33	+ raster + (size_t)(read_ysize - i_row - 1) * read_xsize,
	34	read_xsize * sizeof(uint32) );
	35	- _TIFFmemset( raster + (tile_ysize - i_row - 1) * tile_xsize+read_xsize,
	36	+ _TIFFmemset( raster + (size_t)(tile_ysize - i_row - 1) * tile_xsize+read_xsize,
	37	0, sizeof(uint32) * (tile_xsize - read_xsize) );
	38	}
	39
	40	for( i_row = read_ysize; i_row < tile_ysize; i_row++ ) {
	41	- _TIFFmemset( raster + (tile_ysize - i_row - 1) * tile_xsize,
	42	+ _TIFFmemset( raster + (size_t)(tile_ysize - i_row - 1) * tile_xsize,
	43	0, sizeof(uint32) * tile_xsize );
	44	}
	45