Diffstat (limited to 'meta/recipes-multimedia/libtiff/files/CVE-2023-26965.patch')
-rw-r--r-- | meta/recipes-multimedia/libtiff/files/CVE-2023-26965.patch | 90 |
1 files changed, 90 insertions, 0 deletions
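--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2023-26965.patch
@@ -0,0 +1,90 @@
+From ec8ef90c1f573c9eb1f17d6a056aa0015f184acf Mon Sep 17 00:00:00 2001
+From: Su_Laus <sulau@freenet.de>
+Date: Tue, 14 Feb 2023 20:43:43 +0100
+Subject: [PATCH] tiffcrop: Do not reuse input buffer for subsequent images.
+Fix issue 527
+
+Reuse of read_buff within loadImage() from previous image is quite unsafe, because other functions (like rotateImage() etc.) reallocate that buffer with different size without updating the local prev_readsize value.
+
+Closes #527
+
+Upstream-Status: Backport [import from debian http://security.debian.org/debian-security/pool/updates/main/t/tiff/tiff_4.1.0+git191117-2~deb10u8.debian.tar.xz]
+CVE: CVE-2023-26965
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+tools/tiffcrop.c | 40 ++++++++++------------------------------
+1 file changed, 10 insertions(+), 30 deletions(-)
+
+diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
+index ce84414..a533089 100644
+--- a/tools/tiffcrop.c
++++ b/tools/tiffcrop.c
+@@ -5935,9 +5935,7 @@ loadImage(TIFF* in, struct image_data *image, struct dump_opts *dump, unsigned c
+uint32 tw = 0, tl = 0; /* Tile width and length */
+tmsize_t tile_rowsize = 0;
+unsigned char *read_buff = NULL;
+- unsigned char *new_buff = NULL;
+int readunit = 0;
+- static tmsize_t prev_readsize = 0;
+
+TIFFGetFieldDefaulted(in, TIFFTAG_BITSPERSAMPLE, &bps);
+TIFFGetFieldDefaulted(in, TIFFTAG_SAMPLESPERPIXEL, &spp);
+@@ -6232,37 +6230,20 @@ loadImage(TIFF* in, struct image_data *image, struct dump_opts *dump, unsigned c
+read_buff = *read_ptr;
+/* +3 : add a few guard bytes since reverseSamples16bits() can read a bit */
+/* outside buffer */
+- if (!read_buff)
++ if (read_buff)
+{
+- if( buffsize > 0xFFFFFFFFU - 3 )
+- {
+- TIFFError("loadImage", "Unable to allocate/reallocate read buffer");
+- return (-1);
+- }
+- read_buff = (unsigned char *)_TIFFmalloc(buffsize + NUM_BUFF_OVERSIZE_BYTES);
++ _TIFFfree(read_buff);
+}
+- else
+- {
+- if (prev_readsize < buffsize)
+- {
+- if( buffsize > 0xFFFFFFFFU - 3 )
+- {
+- TIFFError("loadImage", "Unable to allocate/reallocate read buffer");
+- return (-1);
+- }
+- new_buff = _TIFFrealloc(read_buff, buffsize + NUM_BUFF_OVERSIZE_BYTES);
+- if (!new_buff)
+- {
+- free (read_buff);
+- read_buff = (unsigned char *)_TIFFmalloc(buffsize + NUM_BUFF_OVERSIZE_BYTES);
+- }
+- else
+- read_buff = new_buff;
+- }
+- }
++ if (buffsize > 0xFFFFFFFFU - 3)
++ {
++ TIFFError("loadImage", "Required read buffer size too large");
++ return (-1);
++ }
++ read_buff =
++ (unsigned char *)_TIFFmalloc(buffsize + NUM_BUFF_OVERSIZE_BYTES);
+if (!read_buff)
+{
+- TIFFError("loadImage", "Unable to allocate/reallocate read buffer");
++ TIFFError("loadImage", "Unable to allocate read buffer");
+return (-1);
+}
+
+@@ -6270,7 +6251,6 @@ loadImage(TIFF* in, struct image_data *image, struct dump_opts *dump, unsigned c
+read_buff[buffsize+1] = 0;
+read_buff[buffsize+2] = 0;
+
+- prev_readsize = buffsize;
+*read_ptr = read_buff;
+
+/* N.B. The read functions used copy separate plane data into a buffer as interleaved
+--
+2.25.1
+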
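Review bot: In the second tiffcrop.c hunk of the backported patch, `_TIFFfree(read_buff)` now runs before the size check and the `_TIFFmalloc()` call, so both `return (-1)` paths leave `*read_ptr` pointing at freed memory. Whether any caller frees or reads that pointer after a failed load is not visible here, because loadImage() starts and ends outside the hunks. Clearing it would keep the failure path safe against a later double free or use-after-free: add `*read_ptr = NULL;` directly after `_TIFFfree(read_buff);`. The guard also hard-codes `0xFFFFFFFFU - 3` while the allocation adds `NUM_BUFF_OVERSIZE_BYTES`; if that macro is ever not 3 the two disagree, so the guard would be clearer written against the macro. Because this is a backport, any such change is best checked against upstream first and carried as a separate follow-up patch.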