diff options
Diffstat (limited to 'meta/recipes-multimedia/libtiff/files/CVE-2023-1916.patch')
-rw-r--r-- | meta/recipes-multimedia/libtiff/files/CVE-2023-1916.patch | 91 |
1 files changed, 91 insertions, 0 deletions
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2023-1916.patch b/meta/recipes-multimedia/libtiff/files/CVE-2023-1916.patch new file mode 100644 index 0000000000..9915b77645 --- /dev/null +++ b/meta/recipes-multimedia/libtiff/files/CVE-2023-1916.patch | |||
@@ -0,0 +1,91 @@ | |||
1 | From 848434a81c443f59ec90d41218eba6e48a450a11 Mon Sep 17 00:00:00 2001 | ||
2 | From: zhailiangliang <zhailiangliang@loongson.cn> | ||
3 | Date: Thu, 16 Mar 2023 16:16:54 +0800 | ||
4 | Subject: [PATCH] Fix heap-buffer-overflow in function extractImageSection | ||
5 | |||
6 | CVE: CVE-2023-1916 | ||
7 | Upstream-Status: Submitted [https://gitlab.com/libtiff/libtiff/-/commit/848434a81c443f59ec90d41218eba6e48a450a11 https://gitlab.com/libtiff/libtiff/-/merge_requests/535] | ||
8 | Signed-off-by: Marek Vasut <marex@denx.de> | ||
9 | --- | ||
10 | archive/tools/tiffcrop.c | 62 +++++++++++++++++++++++++++++----------- | ||
11 | 1 file changed, 45 insertions(+), 17 deletions(-) | ||
12 | |||
13 | --- tiff-4.1.0+git191117.orig/tools/tiffcrop.c | ||
14 | +++ tiff-4.1.0+git191117/tools/tiffcrop.c | ||
15 | @@ -5549,6 +5549,15 @@ getCropOffsets(struct image_data *image, | ||
16 | crop->combined_width += (uint32)zwidth; | ||
17 | else | ||
18 | crop->combined_width = (uint32)zwidth; | ||
19 | + | ||
20 | + /* When the degrees clockwise rotation is 90 or 270, check the boundary */ | ||
21 | + if (((crop->rotation == 90) || (crop->rotation == 270)) | ||
22 | + && ((crop->combined_length > image->width) || (crop->combined_width > image->length))) | ||
23 | + { | ||
24 | + TIFFError("getCropOffsets", "The crop size exceeds the image boundary size"); | ||
25 | + return -1; | ||
26 | + } | ||
27 | + | ||
28 | break; | ||
29 | case EDGE_BOTTOM: /* width from left, zones from bottom to top */ | ||
30 | zwidth = offsets.crop_width; | ||
31 | @@ -5579,6 +5588,15 @@ getCropOffsets(struct image_data *image, | ||
32 | else | ||
33 | crop->combined_length = (uint32)zlength; | ||
34 | crop->combined_width = (uint32)zwidth; | ||
35 | + | ||
36 | + /* When the degrees clockwise rotation is 90 or 270, check the boundary */ | ||
37 | + if (((crop->rotation == 90) || (crop->rotation == 270)) | ||
38 | + && ((crop->combined_length > image->width) || (crop->combined_width > image->length))) | ||
39 | + { | ||
40 | + TIFFError("getCropOffsets", "The crop size exceeds the image boundary size"); | ||
41 | + return -1; | ||
42 | + } | ||
43 | + | ||
44 | break; | ||
45 | case EDGE_RIGHT: /* zones from right to left, length from top */ | ||
46 | zlength = offsets.crop_length; | ||
47 | @@ -5606,6 +5624,15 @@ getCropOffsets(struct image_data *image, | ||
48 | crop->combined_width += (uint32)zwidth; | ||
49 | else | ||
50 | crop->combined_width = (uint32)zwidth; | ||
51 | + | ||
52 | + /* When the degrees clockwise rotation is 90 or 270, check the boundary */ | ||
53 | + if (((crop->rotation == 90) || (crop->rotation == 270)) | ||
54 | + && ((crop->combined_length > image->width) || (crop->combined_width > image->length))) | ||
55 | + { | ||
56 | + TIFFError("getCropOffsets", "The crop size exceeds the image boundary size"); | ||
57 | + return -1; | ||
58 | + } | ||
59 | + | ||
60 | break; | ||
61 | case EDGE_TOP: /* width from left, zones from top to bottom */ | ||
62 | default: | ||
63 | @@ -5632,6 +5659,15 @@ getCropOffsets(struct image_data *image, | ||
64 | else | ||
65 | crop->combined_length = (uint32)zlength; | ||
66 | crop->combined_width = (uint32)zwidth; | ||
67 | + | ||
68 | + /* When the degrees clockwise rotation is 90 or 270, check the boundary */ | ||
69 | + if (((crop->rotation == 90) || (crop->rotation == 270)) | ||
70 | + && ((crop->combined_length > image->width) || (crop->combined_width > image->length))) | ||
71 | + { | ||
72 | + TIFFError("getCropOffsets", "The crop size exceeds the image boundary size"); | ||
73 | + return -1; | ||
74 | + } | ||
75 | + | ||
76 | break; | ||
77 | } /* end switch statement */ | ||
78 | |||
79 | @@ -6827,9 +6863,9 @@ extractImageSection(struct image_data *i | ||
80 | * regardless of the way the data are organized in the input file. | ||
81 | * Furthermore, bytes and bits are arranged in buffer according to COMPRESSION=1 and FILLORDER=1 | ||
82 | */ | ||
83 | - img_rowsize = (((img_width * spp * bps) + 7) / 8); /* row size in full bytes of source image */ | ||
84 | - full_bytes = (sect_width * spp * bps) / 8; /* number of COMPLETE bytes per row in section */ | ||
85 | - trailing_bits = (sect_width * spp * bps) % 8; /* trailing bits within the last byte of destination buffer */ | ||
86 | + img_rowsize = (((img_width * spp * bps) + 7) / 8); /* row size in full bytes of source image */ | ||
87 | + full_bytes = (sect_width * spp * bps) / 8; /* number of COMPLETE bytes per row in section */ | ||
88 | + trailing_bits = (sect_width * spp * bps) % 8; /* trailing bits within the last byte of destination buffer */ | ||
89 | |||
90 | #ifdef DEVELMODE | ||
91 | TIFFError ("", "First row: %d, last row: %d, First col: %d, last col: %d\n", | ||