1 files changed, 90 insertions, 0 deletions
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2023-26965.patch b/meta/recipes-multimedia/libtiff/files/CVE-2023-26965.patch
new file mode 100644
index 0000000000..b7a7e93764
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2023-26965.patch
@@ -0,0 +1,90 @@
+From ec8ef90c1f573c9eb1f17d6a056aa0015f184acf Mon Sep 17 00:00:00 2001
+From: Su_Laus <sulau@freenet.de>
+Date: Tue, 14 Feb 2023 20:43:43 +0100
+Subject: [PATCH] tiffcrop: Do not reuse input buffer for subsequent images.
+ Fix issue 527
+Reuse of read_buff within loadImage() from previous image is quite unsafe, because other functions (like rotateImage() etc.) reallocate that buffer with different size without updating the local prev_readsize value.
+Closes #527
+Upstream-Status: Backport [import from debian http://security.debian.org/debian-security/pool/updates/main/t/tiff/tiff_4.1.0+git191117-2~deb10u8.debian.tar.xz]
+CVE: CVE-2023-26965
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ tools/tiffcrop.c | 40 ++++++++++------------------------------
+ 1 file changed, 10 insertions(+), 30 deletions(-)
+diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
+index ce84414..a533089 100644
+--- a/tools/tiffcrop.c
+++ b/tools/tiffcrop.c
+@@ -5935,9 +5935,7 @@ loadImage(TIFF* in, struct image_data *image, struct dump_opts *dump, unsigned c
+   uint32   tw = 0, tl = 0;       /* Tile width and length */
+   tmsize_t   tile_rowsize = 0;
+   unsigned char *read_buff = NULL;
+-  unsigned char *new_buff  = NULL;
+   int      readunit = 0;
+-  static   tmsize_t  prev_readsize = 0;
+ 
+   TIFFGetFieldDefaulted(in, TIFFTAG_BITSPERSAMPLE, &bps);
+   TIFFGetFieldDefaulted(in, TIFFTAG_SAMPLESPERPIXEL, &spp);
+@@ -6232,37 +6230,20 @@ loadImage(TIFF* in, struct image_data *image, struct dump_opts *dump, unsigned c
+   read_buff = *read_ptr;
+   /* +3 : add a few guard bytes since reverseSamples16bits() can read a bit */
+   /* outside buffer */
+-  if (!read_buff)
+  if (read_buff)
+   {
+-    if( buffsize > 0xFFFFFFFFU - 3 )
+-    {
+-        TIFFError("loadImage", "Unable to allocate/reallocate read buffer");
+-        return (-1);
+-    }
+-    read_buff = (unsigned char *)_TIFFmalloc(buffsize + NUM_BUFF_OVERSIZE_BYTES);
+    _TIFFfree(read_buff);
+   }
+-  else
+-    {
+-    if (prev_readsize < buffsize)
+-    {
+-      if( buffsize > 0xFFFFFFFFU - 3 )
+-      {
+-          TIFFError("loadImage", "Unable to allocate/reallocate read buffer");
+-          return (-1);
+-      }
+-      new_buff = _TIFFrealloc(read_buff, buffsize + NUM_BUFF_OVERSIZE_BYTES);
+-      if (!new_buff)
+-        {
+-       free (read_buff);
+-        read_buff = (unsigned char *)_TIFFmalloc(buffsize + NUM_BUFF_OVERSIZE_BYTES);
+-        }
+-      else
+-        read_buff = new_buff;
+-      }
+-    }
+  if (buffsize > 0xFFFFFFFFU - 3)
+  {
+    TIFFError("loadImage", "Required read buffer size too large");
+    return (-1);
+  }
+  read_buff =
+    (unsigned char *)_TIFFmalloc(buffsize + NUM_BUFF_OVERSIZE_BYTES);
+   if (!read_buff)
+     {
+-    TIFFError("loadImage", "Unable to allocate/reallocate read buffer");
+    TIFFError("loadImage", "Unable to allocate read buffer");
+     return (-1);
+     }
+ 
+@@ -6270,7 +6251,6 @@ loadImage(TIFF* in, struct image_data *image, struct dump_opts *dump, unsigned c
+   read_buff[buffsize+1] = 0;
+   read_buff[buffsize+2] = 0;
+ 
+-  prev_readsize = buffsize;
+   *read_ptr = read_buff;
+ 
+   /* N.B. The read functions used copy separate plane data into a buffer as interleaved
+-- 
+2.25.1

diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2023-26965.patch b/meta/recipes-multimedia/libtiff/files/CVE-2023-26965.patch new file mode 100644 index 0000000000..b7a7e93764 --- /dev/null +++ b/meta/recipes-multimedia/libtiff/files/CVE-2023-26965.patch
@@ -0,0 +1,90 @@
	1	From ec8ef90c1f573c9eb1f17d6a056aa0015f184acf Mon Sep 17 00:00:00 2001
	2	From: Su_Laus <sulau@freenet.de>
	3	Date: Tue, 14 Feb 2023 20:43:43 +0100
	4	Subject: [PATCH] tiffcrop: Do not reuse input buffer for subsequent images.
	5	Fix issue 527
	6
	7	Reuse of read_buff within loadImage() from previous image is quite unsafe, because other functions (like rotateImage() etc.) reallocate that buffer with different size without updating the local prev_readsize value.
	8
	9	Closes #527
	10
	11	Upstream-Status: Backport [import from debian http://security.debian.org/debian-security/pool/updates/main/t/tiff/tiff_4.1.0+git191117-2~deb10u8.debian.tar.xz]
	12	CVE: CVE-2023-26965
	13	Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
	14	---
	15	tools/tiffcrop.c \| 40 ++++++++++------------------------------
	16	1 file changed, 10 insertions(+), 30 deletions(-)
	17
	18	diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
	19	index ce84414..a533089 100644
	20	--- a/tools/tiffcrop.c
	21	+++ b/tools/tiffcrop.c
	22	@@ -5935,9 +5935,7 @@ loadImage(TIFF* in, struct image_data image, struct dump_opts dump, unsigned c
	23	uint32 tw = 0, tl = 0; /* Tile width and length */
	24	tmsize_t tile_rowsize = 0;
	25	unsigned char *read_buff = NULL;
	26	- unsigned char *new_buff = NULL;
	27	int readunit = 0;
	28	- static tmsize_t prev_readsize = 0;
	29
	30	TIFFGetFieldDefaulted(in, TIFFTAG_BITSPERSAMPLE, &bps);
	31	TIFFGetFieldDefaulted(in, TIFFTAG_SAMPLESPERPIXEL, &spp);
	32	@@ -6232,37 +6230,20 @@ loadImage(TIFF* in, struct image_data image, struct dump_opts dump, unsigned c
	33	read_buff = *read_ptr;
	34	/* +3 : add a few guard bytes since reverseSamples16bits() can read a bit */
	35	/* outside buffer */
	36	- if (!read_buff)
	37	+ if (read_buff)
	38	{
	39	- if( buffsize > 0xFFFFFFFFU - 3 )
	40	- {
	41	- TIFFError("loadImage", "Unable to allocate/reallocate read buffer");
	42	- return (-1);
	43	- }
	44	- read_buff = (unsigned char *)_TIFFmalloc(buffsize + NUM_BUFF_OVERSIZE_BYTES);
	45	+ _TIFFfree(read_buff);
	46	}
	47	- else
	48	- {
	49	- if (prev_readsize < buffsize)
	50	- {
	51	- if( buffsize > 0xFFFFFFFFU - 3 )
	52	- {
	53	- TIFFError("loadImage", "Unable to allocate/reallocate read buffer");
	54	- return (-1);
	55	- }
	56	- new_buff = _TIFFrealloc(read_buff, buffsize + NUM_BUFF_OVERSIZE_BYTES);
	57	- if (!new_buff)
	58	- {
	59	- free (read_buff);
	60	- read_buff = (unsigned char *)_TIFFmalloc(buffsize + NUM_BUFF_OVERSIZE_BYTES);
	61	- }
	62	- else
	63	- read_buff = new_buff;
	64	- }
	65	- }
	66	+ if (buffsize > 0xFFFFFFFFU - 3)
	67	+ {
	68	+ TIFFError("loadImage", "Required read buffer size too large");
	69	+ return (-1);
	70	+ }
	71	+ read_buff =
	72	+ (unsigned char *)_TIFFmalloc(buffsize + NUM_BUFF_OVERSIZE_BYTES);
	73	if (!read_buff)
	74	{
	75	- TIFFError("loadImage", "Unable to allocate/reallocate read buffer");
	76	+ TIFFError("loadImage", "Unable to allocate read buffer");
	77	return (-1);
	78	}
	79
	80	@@ -6270,7 +6251,6 @@ loadImage(TIFF* in, struct image_data image, struct dump_opts dump, unsigned c
	81	read_buff[buffsize+1] = 0;
	82	read_buff[buffsize+2] = 0;
	83
	84	- prev_readsize = buffsize;
	85	*read_ptr = read_buff;
	86
	87	/* N.B. The read functions used copy separate plane data into a buffer as interleaved
	88	--
	89	2.25.1
	90