1 files changed, 157 insertions, 0 deletions
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2023-0795_0796_0797_0798_0799.patch b/meta/recipes-multimedia/libtiff/files/CVE-2023-0795_0796_0797_0798_0799.patch
new file mode 100644
index 0000000000..253018525a
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2023-0795_0796_0797_0798_0799.patch
@@ -0,0 +1,157 @@
+From 7808740e100ba30ffb791044f3b14dec3e85ed6f Mon Sep 17 00:00:00 2001
+From: Markus Koschany <apo@debian.org>
+Date: Tue, 21 Feb 2023 14:26:43 +0100
+Subject: [PATCH] CVE-2023-0795
+This is also the fix for CVE-2023-0796, CVE-2023-0797, CVE-2023-0798,
+CVE-2023-0799.
+Bug-Debian: https://bugs.debian.org/1031632
+Origin: https://gitlab.com/libtiff/libtiff/-/commit/afaabc3e50d4e5d80a94143f7e3c997e7e410f68
+Upstream-Status: Backport [import from debian http://security.debian.org/debian-security/pool/updates/main/t/tiff/tiff_4.1.0+git191117-2~deb10u7.debian.tar.xz ]
+CVE: CVE-2023-0795 CVE-2023-0796 CVE-2023-0797 CVE-2023-0798 CVE-2023-0799
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+ tools/tiffcrop.c | 51 ++++++++++++++++++++++++++++--------------------
+ 1 file changed, 30 insertions(+), 21 deletions(-)
+diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
+index 8aed9cd..f21a7d7 100644
+--- a/tools/tiffcrop.c
+++ b/tools/tiffcrop.c
+@@ -277,7 +277,6 @@ struct  region {
+   uint32 width;     /* width in pixels */
+   uint32 length;    /* length in pixels */
+   uint32 buffsize;  /* size of buffer needed to hold the cropped region */
+-  unsigned char *buffptr; /* address of start of the region */
+ };
+ 
+ /* Cropping parameters from command line and image data 
+@@ -532,7 +531,7 @@ static int rotateContigSamples24bits(uint16, uint16, uint16, uint32,
+ static int rotateContigSamples32bits(uint16, uint16, uint16, uint32, 
+                                      uint32,   uint32, uint8 *, uint8 *);
+ static int rotateImage(uint16, struct image_data *, uint32 *, uint32 *,
+-                      unsigned char **);
+                      unsigned char **, int);
+ static int mirrorImage(uint16, uint16, uint16, uint32, uint32,
+                       unsigned char *);
+ static int invertImage(uint16, uint16, uint16, uint32, uint32,
+@@ -5112,7 +5111,6 @@ initCropMasks (struct crop_mask *cps)
+      cps->regionlist[i].width = 0;
+      cps->regionlist[i].length = 0;
+      cps->regionlist[i].buffsize = 0;
+-     cps->regionlist[i].buffptr = NULL;
+      cps->zonelist[i].position = 0;
+      cps->zonelist[i].total = 0;
+      }
+@@ -6358,8 +6356,13 @@ static int  correct_orientation(struct image_data *image, unsigned char **work_b
+                   image->adjustments & ROTATE_ANY);
+       return (-1);
+       }
+- 
+-    if (rotateImage(rotation, image, &image->width, &image->length, work_buff_ptr))
+
+      /* Dummy variable in order not to switch two times the
+       * image->width,->length within rotateImage(),
+       * but switch xres, yres there. */
+      uint32_t width = image->width;
+      uint32_t length = image->length;
+      if (rotateImage(rotation, image, &width, &length, work_buff_ptr, TRUE))
+       {
+       TIFFError ("correct_orientation", "Unable to rotate image");
+       return (-1);
+@@ -6427,7 +6430,6 @@ extractCompositeRegions(struct image_data *image,  struct crop_mask *crop,
+     /* These should not be needed for composite images */
+     crop->regionlist[i].width = crop_width;
+     crop->regionlist[i].length = crop_length;
+-    crop->regionlist[i].buffptr = crop_buff;
+ 
+     src_rowsize = ((img_width * bps * spp) + 7) / 8;
+     dst_rowsize = (((crop_width * bps * count) + 7) / 8);
+@@ -6664,7 +6666,6 @@ extractSeparateRegion(struct image_data *image,  struct crop_mask *crop,
+ 
+   crop->regionlist[region].width = crop_width;
+   crop->regionlist[region].length = crop_length;
+-  crop->regionlist[region].buffptr = crop_buff;
+ 
+   src = read_buff;
+   dst = crop_buff;
+@@ -7542,7 +7543,7 @@ processCropSelections(struct image_data *image, struct crop_mask *crop,
+     if (crop->crop_mode & CROP_ROTATE) /* rotate should be last as it can reallocate the buffer */
+       {
+       if (rotateImage(crop->rotation, image, &crop->combined_width, 
+-                      &crop->combined_length, &crop_buff))
+                      &crop->combined_length, &crop_buff, FALSE))
+         {
+         TIFFError("processCropSelections", 
+                   "Failed to rotate composite regions by %d degrees", crop->rotation);
+@@ -7648,7 +7649,7 @@ processCropSelections(struct image_data *image, struct crop_mask *crop,
+       if (crop->crop_mode & CROP_ROTATE) /* rotate should be last as it can reallocate the buffer */
+         {
+        if (rotateImage(crop->rotation, image, &crop->regionlist[i].width, 
+-                       &crop->regionlist[i].length, &crop_buff))
+                       &crop->regionlist[i].length, &crop_buff, FALSE))
+           {
+           TIFFError("processCropSelections", 
+                     "Failed to rotate crop region by %d degrees", crop->rotation);
+@@ -7780,7 +7781,7 @@ createCroppedImage(struct image_data *image, struct crop_mask *crop,
+   if (crop->crop_mode & CROP_ROTATE) /* rotate should be last as it can reallocate the buffer */
+     {
+     if (rotateImage(crop->rotation, image, &crop->combined_width, 
+-                    &crop->combined_length, crop_buff_ptr))
+                    &crop->combined_length, crop_buff_ptr, TRUE))
+       {
+       TIFFError("createCroppedImage", 
+                 "Failed to rotate image or cropped selection by %d degrees", crop->rotation);
+@@ -8443,7 +8444,7 @@ rotateContigSamples32bits(uint16 rotation, uint16 spp, uint16 bps, uint32 width,
+ /* Rotate an image by a multiple of 90 degrees clockwise */
+ static int
+ rotateImage(uint16 rotation, struct image_data *image, uint32 *img_width, 
+-            uint32 *img_length, unsigned char **ibuff_ptr)
+            uint32 *img_length, unsigned char **ibuff_ptr, int rot_image_params)
+   {
+   int      shift_width;
+   uint32   bytes_per_pixel, bytes_per_sample;
+@@ -8634,11 +8635,15 @@ rotateImage(uint16 rotation, struct image_data *image, uint32 *img_width,
+ 
+               *img_width = length;
+               *img_length = width;
+-              image->width = length;
+-              image->length = width;
+-              res_temp = image->xres;
+-              image->xres = image->yres;
+-              image->yres = res_temp;
+            /* Only toggle image parameters if whole input image is rotated. */
+            if (rot_image_params)
+            {
+                image->width = length;
+                image->length = width;
+                res_temp = image->xres;
+                image->xres = image->yres;
+                image->yres = res_temp;
+            }
+              break;
+ 
+     case 270: if ((bps % 8) == 0) /* byte aligned data */
+@@ -8711,11 +8716,15 @@ rotateImage(uint16 rotation, struct image_data *image, uint32 *img_width,
+ 
+               *img_width = length;
+               *img_length = width;
+-              image->width = length;
+-              image->length = width;
+-              res_temp = image->xres;
+-              image->xres = image->yres;
+-              image->yres = res_temp;
+            /* Only toggle image parameters if whole input image is rotated. */
+            if (rot_image_params)
+            {
+                image->width = length;
+                image->length = width;
+                res_temp = image->xres;
+                image->xres = image->yres;
+                image->yres = res_temp;
+            }
+               break;
+     default:
+               break;

diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2023-0795_0796_0797_0798_0799.patch b/meta/recipes-multimedia/libtiff/files/CVE-2023-0795_0796_0797_0798_0799.patch new file mode 100644 index 0000000000..253018525a --- /dev/null +++ b/meta/recipes-multimedia/libtiff/files/CVE-2023-0795_0796_0797_0798_0799.patch
@@ -0,0 +1,157 @@
	1	From 7808740e100ba30ffb791044f3b14dec3e85ed6f Mon Sep 17 00:00:00 2001
	2	From: Markus Koschany <apo@debian.org>
	3	Date: Tue, 21 Feb 2023 14:26:43 +0100
	4	Subject: [PATCH] CVE-2023-0795
	5
	6	This is also the fix for CVE-2023-0796, CVE-2023-0797, CVE-2023-0798,
	7	CVE-2023-0799.
	8
	9	Bug-Debian: https://bugs.debian.org/1031632
	10	Origin: https://gitlab.com/libtiff/libtiff/-/commit/afaabc3e50d4e5d80a94143f7e3c997e7e410f68
	11
	12	Upstream-Status: Backport [import from debian http://security.debian.org/debian-security/pool/updates/main/t/tiff/tiff_4.1.0+git191117-2~deb10u7.debian.tar.xz ]
	13	CVE: CVE-2023-0795 CVE-2023-0796 CVE-2023-0797 CVE-2023-0798 CVE-2023-0799
	14	Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
	15	---
	16	tools/tiffcrop.c \| 51 ++++++++++++++++++++++++++++--------------------
	17	1 file changed, 30 insertions(+), 21 deletions(-)
	18
	19	diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
	20	index 8aed9cd..f21a7d7 100644
	21	--- a/tools/tiffcrop.c
	22	+++ b/tools/tiffcrop.c
	23	@@ -277,7 +277,6 @@ struct region {
	24	uint32 width; /* width in pixels */
	25	uint32 length; /* length in pixels */
	26	uint32 buffsize; /* size of buffer needed to hold the cropped region */
	27	- unsigned char buffptr; / address of start of the region */
	28	};
	29
	30	/* Cropping parameters from command line and image data
	31	@@ -532,7 +531,7 @@ static int rotateContigSamples24bits(uint16, uint16, uint16, uint32,
	32	static int rotateContigSamples32bits(uint16, uint16, uint16, uint32,
	33	uint32, uint32, uint8 , uint8 );
	34	static int rotateImage(uint16, struct image_data , uint32 , uint32 *,
	35	- unsigned char **);
	36	+ unsigned char **, int);
	37	static int mirrorImage(uint16, uint16, uint16, uint32, uint32,
	38	unsigned char *);
	39	static int invertImage(uint16, uint16, uint16, uint32, uint32,
	40	@@ -5112,7 +5111,6 @@ initCropMasks (struct crop_mask *cps)
	41	cps->regionlist[i].width = 0;
	42	cps->regionlist[i].length = 0;
	43	cps->regionlist[i].buffsize = 0;
	44	- cps->regionlist[i].buffptr = NULL;
	45	cps->zonelist[i].position = 0;
	46	cps->zonelist[i].total = 0;
	47	}
	48	@@ -6358,8 +6356,13 @@ static int correct_orientation(struct image_data image, unsigned char *work_b
	49	image->adjustments & ROTATE_ANY);
	50	return (-1);
	51	}
	52	-
	53	- if (rotateImage(rotation, image, &image->width, &image->length, work_buff_ptr))
	54	+
	55	+ /* Dummy variable in order not to switch two times the
	56	+ * image->width,->length within rotateImage(),
	57	+ * but switch xres, yres there. */
	58	+ uint32_t width = image->width;
	59	+ uint32_t length = image->length;
	60	+ if (rotateImage(rotation, image, &width, &length, work_buff_ptr, TRUE))
	61	{
	62	TIFFError ("correct_orientation", "Unable to rotate image");
	63	return (-1);
	64	@@ -6427,7 +6430,6 @@ extractCompositeRegions(struct image_data image, struct crop_mask crop,
	65	/* These should not be needed for composite images */
	66	crop->regionlist[i].width = crop_width;
	67	crop->regionlist[i].length = crop_length;
	68	- crop->regionlist[i].buffptr = crop_buff;
	69
	70	src_rowsize = ((img_width * bps * spp) + 7) / 8;
	71	dst_rowsize = (((crop_width * bps * count) + 7) / 8);
	72	@@ -6664,7 +6666,6 @@ extractSeparateRegion(struct image_data image, struct crop_mask crop,
	73
	74	crop->regionlist[region].width = crop_width;
	75	crop->regionlist[region].length = crop_length;
	76	- crop->regionlist[region].buffptr = crop_buff;
	77
	78	src = read_buff;
	79	dst = crop_buff;
	80	@@ -7542,7 +7543,7 @@ processCropSelections(struct image_data image, struct crop_mask crop,
	81	if (crop->crop_mode & CROP_ROTATE) /* rotate should be last as it can reallocate the buffer */
	82	{
	83	if (rotateImage(crop->rotation, image, &crop->combined_width,
	84	- &crop->combined_length, &crop_buff))
	85	+ &crop->combined_length, &crop_buff, FALSE))
	86	{
	87	TIFFError("processCropSelections",
	88	"Failed to rotate composite regions by %d degrees", crop->rotation);
	89	@@ -7648,7 +7649,7 @@ processCropSelections(struct image_data image, struct crop_mask crop,
	90	if (crop->crop_mode & CROP_ROTATE) /* rotate should be last as it can reallocate the buffer */
	91	{
	92	if (rotateImage(crop->rotation, image, &crop->regionlist[i].width,
	93	- &crop->regionlist[i].length, &crop_buff))
	94	+ &crop->regionlist[i].length, &crop_buff, FALSE))
	95	{
	96	TIFFError("processCropSelections",
	97	"Failed to rotate crop region by %d degrees", crop->rotation);
	98	@@ -7780,7 +7781,7 @@ createCroppedImage(struct image_data image, struct crop_mask crop,
	99	if (crop->crop_mode & CROP_ROTATE) /* rotate should be last as it can reallocate the buffer */
	100	{
	101	if (rotateImage(crop->rotation, image, &crop->combined_width,
	102	- &crop->combined_length, crop_buff_ptr))
	103	+ &crop->combined_length, crop_buff_ptr, TRUE))
	104	{
	105	TIFFError("createCroppedImage",
	106	"Failed to rotate image or cropped selection by %d degrees", crop->rotation);
	107	@@ -8443,7 +8444,7 @@ rotateContigSamples32bits(uint16 rotation, uint16 spp, uint16 bps, uint32 width,
	108	/* Rotate an image by a multiple of 90 degrees clockwise */
	109	static int
	110	rotateImage(uint16 rotation, struct image_data image, uint32 img_width,
	111	- uint32 img_length, unsigned char *ibuff_ptr)
	112	+ uint32 img_length, unsigned char *ibuff_ptr, int rot_image_params)
	113	{
	114	int shift_width;
	115	uint32 bytes_per_pixel, bytes_per_sample;
	116	@@ -8634,11 +8635,15 @@ rotateImage(uint16 rotation, struct image_data image, uint32 img_width,
	117
	118	*img_width = length;
	119	*img_length = width;
	120	- image->width = length;
	121	- image->length = width;
	122	- res_temp = image->xres;
	123	- image->xres = image->yres;
	124	- image->yres = res_temp;
	125	+ /* Only toggle image parameters if whole input image is rotated. */
	126	+ if (rot_image_params)
	127	+ {
	128	+ image->width = length;
	129	+ image->length = width;
	130	+ res_temp = image->xres;
	131	+ image->xres = image->yres;
	132	+ image->yres = res_temp;
	133	+ }
	134	break;
	135
	136	case 270: if ((bps % 8) == 0) /* byte aligned data */
	137	@@ -8711,11 +8716,15 @@ rotateImage(uint16 rotation, struct image_data image, uint32 img_width,
	138
	139	*img_width = length;
	140	*img_length = width;
	141	- image->width = length;
	142	- image->length = width;
	143	- res_temp = image->xres;
	144	- image->xres = image->yres;
	145	- image->yres = res_temp;
	146	+ /* Only toggle image parameters if whole input image is rotated. */
	147	+ if (rot_image_params)
	148	+ {
	149	+ image->width = length;
	150	+ image->length = width;
	151	+ res_temp = image->xres;
	152	+ image->xres = image->yres;
	153	+ image->yres = res_temp;
	154	+ }
	155	break;
	156	default:
	157	break;