1 files changed, 91 insertions, 0 deletions
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2023-1916.patch b/meta/recipes-multimedia/libtiff/files/CVE-2023-1916.patch
new file mode 100644
index 0000000000..9915b77645
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2023-1916.patch
@@ -0,0 +1,91 @@
+From 848434a81c443f59ec90d41218eba6e48a450a11 Mon Sep 17 00:00:00 2001
+From: zhailiangliang <zhailiangliang@loongson.cn>
+Date: Thu, 16 Mar 2023 16:16:54 +0800
+Subject: [PATCH] Fix heap-buffer-overflow in function extractImageSection
+CVE: CVE-2023-1916
+Upstream-Status: Submitted [https://gitlab.com/libtiff/libtiff/-/commit/848434a81c443f59ec90d41218eba6e48a450a11 https://gitlab.com/libtiff/libtiff/-/merge_requests/535]
+Signed-off-by: Marek Vasut <marex@denx.de>
+---
+ archive/tools/tiffcrop.c | 62 +++++++++++++++++++++++++++++-----------
+ 1 file changed, 45 insertions(+), 17 deletions(-)
+--- tiff-4.1.0+git191117.orig/tools/tiffcrop.c
+++ tiff-4.1.0+git191117/tools/tiffcrop.c
+@@ -5549,6 +5549,15 @@ getCropOffsets(struct image_data *image,
+              crop->combined_width += (uint32)zwidth;
+            else
+              crop->combined_width = (uint32)zwidth;
+
+           /* When the degrees clockwise rotation is 90 or 270, check the boundary */
+           if (((crop->rotation == 90) || (crop->rotation == 270))
+               && ((crop->combined_length > image->width) || (crop->combined_width > image->length)))
+           {
+               TIFFError("getCropOffsets", "The crop size exceeds the image boundary size");
+               return -1;
+           }
+
+            break;
+       case EDGE_BOTTOM: /* width from left, zones from bottom to top */
+            zwidth = offsets.crop_width;
+@@ -5579,6 +5588,15 @@ getCropOffsets(struct image_data *image,
+            else
+              crop->combined_length = (uint32)zlength;
+            crop->combined_width = (uint32)zwidth;
+
+           /* When the degrees clockwise rotation is 90 or 270, check the boundary */
+           if (((crop->rotation == 90) || (crop->rotation == 270))
+               && ((crop->combined_length > image->width) || (crop->combined_width > image->length)))
+           {
+               TIFFError("getCropOffsets", "The crop size exceeds the image boundary size");
+               return -1;
+           }
+
+            break;
+       case EDGE_RIGHT: /* zones from right to left, length from top */
+            zlength = offsets.crop_length;
+@@ -5606,6 +5624,15 @@ getCropOffsets(struct image_data *image,
+              crop->combined_width += (uint32)zwidth;
+            else
+              crop->combined_width = (uint32)zwidth;
+
+           /* When the degrees clockwise rotation is 90 or 270, check the boundary */
+           if (((crop->rotation == 90) || (crop->rotation == 270))
+               && ((crop->combined_length > image->width) || (crop->combined_width > image->length)))
+           {
+               TIFFError("getCropOffsets", "The crop size exceeds the image boundary size");
+               return -1;
+           }
+
+            break;
+       case EDGE_TOP: /* width from left, zones from top to bottom */
+       default:
+@@ -5632,6 +5659,15 @@ getCropOffsets(struct image_data *image,
+            else
+              crop->combined_length = (uint32)zlength;
+            crop->combined_width = (uint32)zwidth;
+
+           /* When the degrees clockwise rotation is 90 or 270, check the boundary */
+           if (((crop->rotation == 90) || (crop->rotation == 270))
+               && ((crop->combined_length > image->width) || (crop->combined_width > image->length)))
+           {
+               TIFFError("getCropOffsets", "The crop size exceeds the image boundary size");
+               return -1;
+           }
+
+            break;
+       } /* end switch statement */
+ 
+@@ -6827,9 +6863,9 @@ extractImageSection(struct image_data *i
+      * regardless of the way the data are organized in the input file.
+      * Furthermore, bytes and bits are arranged in buffer according to COMPRESSION=1 and FILLORDER=1 
+      */
+-    img_rowsize = (((img_width * spp * bps) + 7) / 8);    /* row size in full bytes of source image */
+-    full_bytes = (sect_width * spp * bps) / 8;            /* number of COMPLETE bytes per row in section */
+-    trailing_bits = (sect_width * spp * bps) % 8;         /* trailing bits within the last byte of destination buffer */
+    img_rowsize = (((img_width * spp * bps) + 7) / 8);  /* row size in full bytes of source image */
+    full_bytes = (sect_width * spp * bps) / 8;          /* number of COMPLETE bytes per row in section */
+    trailing_bits = (sect_width * spp * bps) % 8;       /* trailing bits within the last byte of destination buffer */
+ 
+ #ifdef DEVELMODE
+     TIFFError ("", "First row: %d, last row: %d, First col: %d, last col: %d\n",

diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2023-1916.patch b/meta/recipes-multimedia/libtiff/files/CVE-2023-1916.patch new file mode 100644 index 0000000000..9915b77645 --- /dev/null +++ b/meta/recipes-multimedia/libtiff/files/CVE-2023-1916.patch
@@ -0,0 +1,91 @@
	1	From 848434a81c443f59ec90d41218eba6e48a450a11 Mon Sep 17 00:00:00 2001
	2	From: zhailiangliang <zhailiangliang@loongson.cn>
	3	Date: Thu, 16 Mar 2023 16:16:54 +0800
	4	Subject: [PATCH] Fix heap-buffer-overflow in function extractImageSection
	5
	6	CVE: CVE-2023-1916
	7	Upstream-Status: Submitted [https://gitlab.com/libtiff/libtiff/-/commit/848434a81c443f59ec90d41218eba6e48a450a11 https://gitlab.com/libtiff/libtiff/-/merge_requests/535]
	8	Signed-off-by: Marek Vasut <marex@denx.de>
	9	---
	10	archive/tools/tiffcrop.c \| 62 +++++++++++++++++++++++++++++-----------
	11	1 file changed, 45 insertions(+), 17 deletions(-)
	12
	13	--- tiff-4.1.0+git191117.orig/tools/tiffcrop.c
	14	+++ tiff-4.1.0+git191117/tools/tiffcrop.c
	15	@@ -5549,6 +5549,15 @@ getCropOffsets(struct image_data *image,
	16	crop->combined_width += (uint32)zwidth;
	17	else
	18	crop->combined_width = (uint32)zwidth;
	19	+
	20	+ /* When the degrees clockwise rotation is 90 or 270, check the boundary */
	21	+ if (((crop->rotation == 90) \|\| (crop->rotation == 270))
	22	+ && ((crop->combined_length > image->width) \|\| (crop->combined_width > image->length)))
	23	+ {
	24	+ TIFFError("getCropOffsets", "The crop size exceeds the image boundary size");
	25	+ return -1;
	26	+ }
	27	+
	28	break;
	29	case EDGE_BOTTOM: /* width from left, zones from bottom to top */
	30	zwidth = offsets.crop_width;
	31	@@ -5579,6 +5588,15 @@ getCropOffsets(struct image_data *image,
	32	else
	33	crop->combined_length = (uint32)zlength;
	34	crop->combined_width = (uint32)zwidth;
	35	+
	36	+ /* When the degrees clockwise rotation is 90 or 270, check the boundary */
	37	+ if (((crop->rotation == 90) \|\| (crop->rotation == 270))
	38	+ && ((crop->combined_length > image->width) \|\| (crop->combined_width > image->length)))
	39	+ {
	40	+ TIFFError("getCropOffsets", "The crop size exceeds the image boundary size");
	41	+ return -1;
	42	+ }
	43	+
	44	break;
	45	case EDGE_RIGHT: /* zones from right to left, length from top */
	46	zlength = offsets.crop_length;
	47	@@ -5606,6 +5624,15 @@ getCropOffsets(struct image_data *image,
	48	crop->combined_width += (uint32)zwidth;
	49	else
	50	crop->combined_width = (uint32)zwidth;
	51	+
	52	+ /* When the degrees clockwise rotation is 90 or 270, check the boundary */
	53	+ if (((crop->rotation == 90) \|\| (crop->rotation == 270))
	54	+ && ((crop->combined_length > image->width) \|\| (crop->combined_width > image->length)))
	55	+ {
	56	+ TIFFError("getCropOffsets", "The crop size exceeds the image boundary size");
	57	+ return -1;
	58	+ }
	59	+
	60	break;
	61	case EDGE_TOP: /* width from left, zones from top to bottom */
	62	default:
	63	@@ -5632,6 +5659,15 @@ getCropOffsets(struct image_data *image,
	64	else
	65	crop->combined_length = (uint32)zlength;
	66	crop->combined_width = (uint32)zwidth;
	67	+
	68	+ /* When the degrees clockwise rotation is 90 or 270, check the boundary */
	69	+ if (((crop->rotation == 90) \|\| (crop->rotation == 270))
	70	+ && ((crop->combined_length > image->width) \|\| (crop->combined_width > image->length)))
	71	+ {
	72	+ TIFFError("getCropOffsets", "The crop size exceeds the image boundary size");
	73	+ return -1;
	74	+ }
	75	+
	76	break;
	77	} /* end switch statement */
	78
	79	@@ -6827,9 +6863,9 @@ extractImageSection(struct image_data *i
	80	* regardless of the way the data are organized in the input file.
	81	* Furthermore, bytes and bits are arranged in buffer according to COMPRESSION=1 and FILLORDER=1
	82	*/
	83	- img_rowsize = (((img_width * spp * bps) + 7) / 8); /* row size in full bytes of source image */
	84	- full_bytes = (sect_width * spp * bps) / 8; /* number of COMPLETE bytes per row in section */
	85	- trailing_bits = (sect_width * spp * bps) % 8; /* trailing bits within the last byte of destination buffer */
	86	+ img_rowsize = (((img_width * spp * bps) + 7) / 8); /* row size in full bytes of source image */
	87	+ full_bytes = (sect_width * spp * bps) / 8; /* number of COMPLETE bytes per row in section */
	88	+ trailing_bits = (sect_width * spp * bps) % 8; /* trailing bits within the last byte of destination buffer */
	89
	90	#ifdef DEVELMODE
	91	TIFFError ("", "First row: %d, last row: %d, First col: %d, last col: %d\n",