1 files changed, 135 insertions, 0 deletions
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2023-0800_0801_0802_0803_0804.patch b/meta/recipes-multimedia/libtiff/files/CVE-2023-0800_0801_0802_0803_0804.patch
new file mode 100644
index 0000000000..bf1a439b4d
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2023-0800_0801_0802_0803_0804.patch
@@ -0,0 +1,135 @@
+From e18be834497e0ebf68d443abb9e18187f36cd3bf Mon Sep 17 00:00:00 2001
+From: Markus Koschany <apo@debian.org>
+Date: Tue, 21 Feb 2023 14:39:52 +0100
+Subject: [PATCH] CVE-2023-0800
+This is also the fix for CVE-2023-0801, CVE-2023-0802, CVE-2023-0803,
+CVE-2023-0804.
+Bug-Debian: https://bugs.debian.org/1031632
+Origin: https://gitlab.com/libtiff/libtiff/-/commit/33aee1275d9d1384791d2206776eb8152d397f00
+Upstream-Status: Backport [import from debian http://security.debian.org/debian-security/pool/updates/main/t/tiff/tiff_4.1.0+git191117-2~deb10u7.debian.tar.xz ]
+CVE: CVE-2023-0800 CVE-2023-0801 CVE-2023-0802 CVE-2023-0803 CVE-2023-0804 
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+ tools/tiffcrop.c | 73 +++++++++++++++++++++++++++++++++++++++++++++---
+ 1 file changed, 69 insertions(+), 4 deletions(-)
+diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
+index f21a7d7..742615a 100644
+--- a/tools/tiffcrop.c
+++ b/tools/tiffcrop.c
+@@ -5250,18 +5250,40 @@ computeInputPixelOffsets(struct crop_mask *crop, struct image_data *image,
+ 
+       crop->regionlist[i].buffsize = buffsize;
+       crop->bufftotal += buffsize;
+
+      /* For composite images with more than one region, the
+       * combined_length or combined_width always needs to be equal,
+       * respectively.
+       * Otherwise, even the first section/region copy
+       * action might cause buffer overrun. */
+       if (crop->img_mode == COMPOSITE_IMAGES)
+         {
+         switch (crop->edge_ref)
+           {
+           case EDGE_LEFT:
+           case EDGE_RIGHT:
+               if (i > 0 && zlength != crop->combined_length)
+               {
+                   TIFFError(
+                       "computeInputPixelOffsets",
+                       "Only equal length regions can be combined for "
+                       "-E left or right");
+                   return (-1);
+               }
+                crop->combined_length = zlength;
+                crop->combined_width += zwidth;
+                break;
+           case EDGE_BOTTOM:
+           case EDGE_TOP:  /* width from left, length from top */
+           default:
+               if (i > 0 && zwidth != crop->combined_width)
+                {
+                    TIFFError("computeInputPixelOffsets",
+                              "Only equal width regions can be "
+                              "combined for -E "
+                              "top or bottom");
+                    return (-1);
+                }
+                crop->combined_width = zwidth;
+                crop->combined_length += zlength;
+               break;
+@@ -6416,6 +6438,47 @@ extractCompositeRegions(struct image_data *image,  struct crop_mask *crop,
+   crop->combined_width = 0;
+   crop->combined_length = 0;
+ 
+    /* If there is more than one region, check beforehand whether all the width
+     * and length values of the regions are the same, respectively. */
+    switch (crop->edge_ref)
+    {
+        default:
+        case EDGE_TOP:
+        case EDGE_BOTTOM:
+            for (i = 1; i < crop->selections; i++)
+            {
+                uint32_t crop_width0 =
+                    crop->regionlist[i - 1].x2 - crop->regionlist[i - 1].x1 + 1;
+                uint32_t crop_width1 =
+                    crop->regionlist[i].x2 - crop->regionlist[i].x1 + 1;
+                if (crop_width0 != crop_width1)
+                {
+                    TIFFError("extractCompositeRegions",
+                              "Only equal width regions can be combined for -E "
+                              "top or bottom");
+                    return (1);
+                }
+            }
+            break;
+        case EDGE_LEFT:
+        case EDGE_RIGHT:
+            for (i = 1; i < crop->selections; i++)
+            {
+                uint32_t crop_length0 =
+                    crop->regionlist[i - 1].y2 - crop->regionlist[i - 1].y1 + 1;
+                uint32_t crop_length1 =
+                    crop->regionlist[i].y2 - crop->regionlist[i].y1 + 1;
+                if (crop_length0 != crop_length1)
+                {
+                    TIFFError("extractCompositeRegions",
+                              "Only equal length regions can be combined for "
+                              "-E left or right");
+                    return (1);
+                }
+            }
+   }
+
+
+   for (i = 0; i < crop->selections; i++)
+     {
+     /* rows, columns, width, length are expressed in pixels */
+@@ -6439,8 +6502,9 @@ extractCompositeRegions(struct image_data *image,  struct crop_mask *crop,
+       default:
+       case EDGE_TOP:
+       case EDGE_BOTTOM:
+-          if ((i > 0) && (crop_width != crop->regionlist[i - 1].width))
+-             {
+         if ((crop->selections > i + 1) &&
+                    (crop_width != crop->regionlist[i + 1].width))
+         {
+             TIFFError ("extractCompositeRegions", 
+                           "Only equal width regions can be combined for -E top or bottom");
+             return (1);
+@@ -6520,8 +6584,9 @@ extractCompositeRegions(struct image_data *image,  struct crop_mask *crop,
+           break;
+       case EDGE_LEFT:  /* splice the pieces of each row together, side by side */
+       case EDGE_RIGHT:
+-          if ((i > 0) && (crop_length != crop->regionlist[i - 1].length))
+-             {
+         if ((crop->selections > i + 1) &&
+                    (crop_length != crop->regionlist[i + 1].length))
+         {
+             TIFFError ("extractCompositeRegions", 
+                           "Only equal length regions can be combined for -E left or right");
+             return (1);

diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2023-0800_0801_0802_0803_0804.patch b/meta/recipes-multimedia/libtiff/files/CVE-2023-0800_0801_0802_0803_0804.patch new file mode 100644 index 0000000000..bf1a439b4d --- /dev/null +++ b/meta/recipes-multimedia/libtiff/files/CVE-2023-0800_0801_0802_0803_0804.patch
@@ -0,0 +1,135 @@
	1	From e18be834497e0ebf68d443abb9e18187f36cd3bf Mon Sep 17 00:00:00 2001
	2	From: Markus Koschany <apo@debian.org>
	3	Date: Tue, 21 Feb 2023 14:39:52 +0100
	4	Subject: [PATCH] CVE-2023-0800
	5
	6	This is also the fix for CVE-2023-0801, CVE-2023-0802, CVE-2023-0803,
	7	CVE-2023-0804.
	8
	9	Bug-Debian: https://bugs.debian.org/1031632
	10	Origin: https://gitlab.com/libtiff/libtiff/-/commit/33aee1275d9d1384791d2206776eb8152d397f00
	11
	12	Upstream-Status: Backport [import from debian http://security.debian.org/debian-security/pool/updates/main/t/tiff/tiff_4.1.0+git191117-2~deb10u7.debian.tar.xz ]
	13	CVE: CVE-2023-0800 CVE-2023-0801 CVE-2023-0802 CVE-2023-0803 CVE-2023-0804
	14	Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
	15	---
	16	tools/tiffcrop.c \| 73 +++++++++++++++++++++++++++++++++++++++++++++---
	17	1 file changed, 69 insertions(+), 4 deletions(-)
	18
	19	diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
	20	index f21a7d7..742615a 100644
	21	--- a/tools/tiffcrop.c
	22	+++ b/tools/tiffcrop.c
	23	@@ -5250,18 +5250,40 @@ computeInputPixelOffsets(struct crop_mask crop, struct image_data image,
	24
	25	crop->regionlist[i].buffsize = buffsize;
	26	crop->bufftotal += buffsize;
	27	+
	28	+ /* For composite images with more than one region, the
	29	+ * combined_length or combined_width always needs to be equal,
	30	+ * respectively.
	31	+ * Otherwise, even the first section/region copy
	32	+ * action might cause buffer overrun. */
	33	if (crop->img_mode == COMPOSITE_IMAGES)
	34	{
	35	switch (crop->edge_ref)
	36	{
	37	case EDGE_LEFT:
	38	case EDGE_RIGHT:
	39	+ if (i > 0 && zlength != crop->combined_length)
	40	+ {
	41	+ TIFFError(
	42	+ "computeInputPixelOffsets",
	43	+ "Only equal length regions can be combined for "
	44	+ "-E left or right");
	45	+ return (-1);
	46	+ }
	47	crop->combined_length = zlength;
	48	crop->combined_width += zwidth;
	49	break;
	50	case EDGE_BOTTOM:
	51	case EDGE_TOP: /* width from left, length from top */
	52	default:
	53	+ if (i > 0 && zwidth != crop->combined_width)
	54	+ {
	55	+ TIFFError("computeInputPixelOffsets",
	56	+ "Only equal width regions can be "
	57	+ "combined for -E "
	58	+ "top or bottom");
	59	+ return (-1);
	60	+ }
	61	crop->combined_width = zwidth;
	62	crop->combined_length += zlength;
	63	break;
	64	@@ -6416,6 +6438,47 @@ extractCompositeRegions(struct image_data image, struct crop_mask crop,
	65	crop->combined_width = 0;
	66	crop->combined_length = 0;
	67
	68	+ /* If there is more than one region, check beforehand whether all the width
	69	+ * and length values of the regions are the same, respectively. */
	70	+ switch (crop->edge_ref)
	71	+ {
	72	+ default:
	73	+ case EDGE_TOP:
	74	+ case EDGE_BOTTOM:
	75	+ for (i = 1; i < crop->selections; i++)
	76	+ {
	77	+ uint32_t crop_width0 =
	78	+ crop->regionlist[i - 1].x2 - crop->regionlist[i - 1].x1 + 1;
	79	+ uint32_t crop_width1 =
	80	+ crop->regionlist[i].x2 - crop->regionlist[i].x1 + 1;
	81	+ if (crop_width0 != crop_width1)
	82	+ {
	83	+ TIFFError("extractCompositeRegions",
	84	+ "Only equal width regions can be combined for -E "
	85	+ "top or bottom");
	86	+ return (1);
	87	+ }
	88	+ }
	89	+ break;
	90	+ case EDGE_LEFT:
	91	+ case EDGE_RIGHT:
	92	+ for (i = 1; i < crop->selections; i++)
	93	+ {
	94	+ uint32_t crop_length0 =
	95	+ crop->regionlist[i - 1].y2 - crop->regionlist[i - 1].y1 + 1;
	96	+ uint32_t crop_length1 =
	97	+ crop->regionlist[i].y2 - crop->regionlist[i].y1 + 1;
	98	+ if (crop_length0 != crop_length1)
	99	+ {
	100	+ TIFFError("extractCompositeRegions",
	101	+ "Only equal length regions can be combined for "
	102	+ "-E left or right");
	103	+ return (1);
	104	+ }
	105	+ }
	106	+ }
	107	+
	108	+
	109	for (i = 0; i < crop->selections; i++)
	110	{
	111	/* rows, columns, width, length are expressed in pixels */
	112	@@ -6439,8 +6502,9 @@ extractCompositeRegions(struct image_data image, struct crop_mask crop,
	113	default:
	114	case EDGE_TOP:
	115	case EDGE_BOTTOM:
	116	- if ((i > 0) && (crop_width != crop->regionlist[i - 1].width))
	117	- {
	118	+ if ((crop->selections > i + 1) &&
	119	+ (crop_width != crop->regionlist[i + 1].width))
	120	+ {
	121	TIFFError ("extractCompositeRegions",
	122	"Only equal width regions can be combined for -E top or bottom");
	123	return (1);
	124	@@ -6520,8 +6584,9 @@ extractCompositeRegions(struct image_data image, struct crop_mask crop,
	125	break;
	126	case EDGE_LEFT: /* splice the pieces of each row together, side by side */
	127	case EDGE_RIGHT:
	128	- if ((i > 0) && (crop_length != crop->regionlist[i - 1].length))
	129	- {
	130	+ if ((crop->selections > i + 1) &&
	131	+ (crop_length != crop->regionlist[i + 1].length))
	132	+ {
	133	TIFFError ("extractCompositeRegions",
	134	"Only equal length regions can be combined for -E left or right");
	135	return (1);