summaryrefslogtreecommitdiffstats
path: root/meta/recipes-multimedia/libtiff/files/CVE-2023-26965.patch
diff options
context:
space:
mode:
Diffstat (limited to 'meta/recipes-multimedia/libtiff/files/CVE-2023-26965.patch')
-rw-r--r--meta/recipes-multimedia/libtiff/files/CVE-2023-26965.patch99
1 files changed, 0 insertions, 99 deletions
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2023-26965.patch b/meta/recipes-multimedia/libtiff/files/CVE-2023-26965.patch
deleted file mode 100644
index 5fdc1ed013..0000000000
--- a/meta/recipes-multimedia/libtiff/files/CVE-2023-26965.patch
+++ /dev/null
@@ -1,99 +0,0 @@
1From ec8ef90c1f573c9eb1f17d6a056aa0015f184acf Mon Sep 17 00:00:00 2001
2From: Su_Laus <sulau@freenet.de>
3Date: Tue, 14 Feb 2023 20:43:43 +0100
4Subject: [PATCH] tiffcrop: Do not reuse input buffer for subsequent images.
5 Fix issue 527
6
7Reuse of read_buff within loadImage() from previous image is quite unsafe, because other functions (like rotateImage() etc.) reallocate that buffer with different size without updating the local prev_readsize value.
8
9Closes #527
10
11CVE: CVE-2023-26965
12Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/ec8ef90c1f573c9eb1f17d6a056aa0015f184acf]
13Signed-off-by: Natasha Bailey <nat.bailey@windriver.com>
14---
15 tools/tiffcrop.c | 47 +++++++++++++----------------------------------
16 1 file changed, 13 insertions(+), 34 deletions(-)
17
18diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
19index d7ad5ca8..d3e11ba2 100644
20--- a/tools/tiffcrop.c
21+++ b/tools/tiffcrop.c
22@@ -6771,9 +6771,7 @@ static int loadImage(TIFF *in, struct image_data *image, struct dump_opts *dump,
23 uint32_t tw = 0, tl = 0; /* Tile width and length */
24 tmsize_t tile_rowsize = 0;
25 unsigned char *read_buff = NULL;
26- unsigned char *new_buff = NULL;
27 int readunit = 0;
28- static tmsize_t prev_readsize = 0;
29
30 TIFFGetFieldDefaulted(in, TIFFTAG_BITSPERSAMPLE, &bps);
31 TIFFGetFieldDefaulted(in, TIFFTAG_SAMPLESPERPIXEL, &spp);
32@@ -7097,43 +7095,25 @@ static int loadImage(TIFF *in, struct image_data *image, struct dump_opts *dump,
33 }
34
35 read_buff = *read_ptr;
36- /* +3 : add a few guard bytes since reverseSamples16bits() can read a bit */
37- /* outside buffer */
38- if (!read_buff)
39+ /* +3 : add a few guard bytes since reverseSamples16bits() can read a bit
40+ * outside buffer */
41+ /* Reuse of read_buff from previous image is quite unsafe, because other
42+ * functions (like rotateImage() etc.) reallocate that buffer with different
43+ * size without updating the local prev_readsize value. */
44+ if (read_buff)
45 {
46- if (buffsize > 0xFFFFFFFFU - 3)
47- {
48- TIFFError("loadImage", "Unable to allocate/reallocate read buffer");
49- return (-1);
50- }
51- read_buff =
52- (unsigned char *)limitMalloc(buffsize + NUM_BUFF_OVERSIZE_BYTES);
53+ _TIFFfree(read_buff);
54 }
55- else
56+ if (buffsize > 0xFFFFFFFFU - 3)
57 {
58- if (prev_readsize < buffsize)
59- {
60- if (buffsize > 0xFFFFFFFFU - 3)
61- {
62- TIFFError("loadImage",
63- "Unable to allocate/reallocate read buffer");
64- return (-1);
65- }
66- new_buff =
67- _TIFFrealloc(read_buff, buffsize + NUM_BUFF_OVERSIZE_BYTES);
68- if (!new_buff)
69- {
70- free(read_buff);
71- read_buff = (unsigned char *)limitMalloc(
72- buffsize + NUM_BUFF_OVERSIZE_BYTES);
73- }
74- else
75- read_buff = new_buff;
76- }
77+ TIFFError("loadImage", "Required read buffer size too large");
78+ return (-1);
79 }
80+ read_buff =
81+ (unsigned char *)limitMalloc(buffsize + NUM_BUFF_OVERSIZE_BYTES);
82 if (!read_buff)
83 {
84- TIFFError("loadImage", "Unable to allocate/reallocate read buffer");
85+ TIFFError("loadImage", "Unable to allocate read buffer");
86 return (-1);
87 }
88
89@@ -7141,7 +7121,6 @@ static int loadImage(TIFF *in, struct image_data *image, struct dump_opts *dump,
90 read_buff[buffsize + 1] = 0;
91 read_buff[buffsize + 2] = 0;
92
93- prev_readsize = buffsize;
94 *read_ptr = read_buff;
95
96 /* N.B. The read functions used copy separate plane data into a buffer as
97--
982.39.0
99