1 files changed, 53 insertions, 0 deletions
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2023-52356.patch b/meta/recipes-multimedia/libtiff/files/CVE-2023-52356.patch
new file mode 100644
index 0000000000..1b651e6529
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2023-52356.patch
@@ -0,0 +1,53 @@
+[Ubuntu note: Backport of the following patch from upstream, with a few changes
+to match the current version of the file in the present Ubuntu release:
+ . using TIFFErrorExt instead of TIFFErrorExtR (the latter did not exist yet);
+-- Rodrigo Figueiredo Zaiden]
+Backport of:
+From 51558511bdbbcffdce534db21dbaf5d54b31638a Mon Sep 17 00:00:00 2001
+From: Even Rouault <even.rouault@spatialys.com>
+Date: Tue, 31 Oct 2023 15:58:41 +0100
+Subject: [PATCH] TIFFReadRGBAStrip/TIFFReadRGBATile: add more validation of
+ col/row (fixes #622)
+Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/tiff/tree/debian/patches/CVE-2023-52356.patch?h=ubuntu/focal-security
+Upstream commit  https://gitlab.com/libtiff/libtiff/-/commit/51558511bdbbcffdce534db21dbaf5d54b31638a]
+CVE: CVE-2023-52356
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ libtiff/tif_getimage.c | 15 +++++++++++++++
+ 1 file changed, 15 insertions(+)
+--- tiff-4.1.0+git191117.orig/libtiff/tif_getimage.c
+++ tiff-4.1.0+git191117/libtiff/tif_getimage.c
+@@ -2926,6 +2926,13 @@ TIFFReadRGBAStripExt(TIFF* tif, uint32 r
+     }
+ 
+     if (TIFFRGBAImageOK(tif, emsg) && TIFFRGBAImageBegin(&img, tif, stop_on_error, emsg)) {
+        if (row >= img.height)
+        {
+            TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif),
+                          "Invalid row passed to TIFFReadRGBAStrip().");
+            TIFFRGBAImageEnd(&img);
+            return (0);
+        }
+ 
+         img.row_offset = row;
+         img.col_offset = 0;
+@@ -3002,6 +3009,14 @@ TIFFReadRGBATileExt(TIFF* tif, uint32 co
+            return( 0 );
+     }
+ 
+    if (col >= img.width || row >= img.height)
+    {
+        TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif),
+                      "Invalid row/col passed to TIFFReadRGBATile().");
+        TIFFRGBAImageEnd(&img);
+        return (0);
+    }
+
+     /*
+      * The TIFFRGBAImageGet() function doesn't allow us to get off the
+      * edge of the image, even to fill an otherwise valid tile.  So we

diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2023-52356.patch b/meta/recipes-multimedia/libtiff/files/CVE-2023-52356.patch new file mode 100644 index 0000000000..1b651e6529 --- /dev/null +++ b/meta/recipes-multimedia/libtiff/files/CVE-2023-52356.patch
@@ -0,0 +1,53 @@
	1	[Ubuntu note: Backport of the following patch from upstream, with a few changes
	2	to match the current version of the file in the present Ubuntu release:
	3	. using TIFFErrorExt instead of TIFFErrorExtR (the latter did not exist yet);
	4	-- Rodrigo Figueiredo Zaiden]
	5
	6	Backport of:
	7
	8	From 51558511bdbbcffdce534db21dbaf5d54b31638a Mon Sep 17 00:00:00 2001
	9	From: Even Rouault <even.rouault@spatialys.com>
	10	Date: Tue, 31 Oct 2023 15:58:41 +0100
	11	Subject: [PATCH] TIFFReadRGBAStrip/TIFFReadRGBATile: add more validation of
	12	col/row (fixes #622)
	13
	14	Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/tiff/tree/debian/patches/CVE-2023-52356.patch?h=ubuntu/focal-security
	15	Upstream commit https://gitlab.com/libtiff/libtiff/-/commit/51558511bdbbcffdce534db21dbaf5d54b31638a]
	16	CVE: CVE-2023-52356
	17	Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
	18	---
	19	libtiff/tif_getimage.c \| 15 +++++++++++++++
	20	1 file changed, 15 insertions(+)
	21
	22
	23	--- tiff-4.1.0+git191117.orig/libtiff/tif_getimage.c
	24	+++ tiff-4.1.0+git191117/libtiff/tif_getimage.c
	25	@@ -2926,6 +2926,13 @@ TIFFReadRGBAStripExt(TIFF* tif, uint32 r
	26	}
	27
	28	if (TIFFRGBAImageOK(tif, emsg) && TIFFRGBAImageBegin(&img, tif, stop_on_error, emsg)) {
	29	+ if (row >= img.height)
	30	+ {
	31	+ TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif),
	32	+ "Invalid row passed to TIFFReadRGBAStrip().");
	33	+ TIFFRGBAImageEnd(&img);
	34	+ return (0);
	35	+ }
	36
	37	img.row_offset = row;
	38	img.col_offset = 0;
	39	@@ -3002,6 +3009,14 @@ TIFFReadRGBATileExt(TIFF* tif, uint32 co
	40	return( 0 );
	41	}
	42
	43	+ if (col >= img.width \|\| row >= img.height)
	44	+ {
	45	+ TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif),
	46	+ "Invalid row/col passed to TIFFReadRGBATile().");
	47	+ TIFFRGBAImageEnd(&img);
	48	+ return (0);
	49	+ }
	50	+
	51	/*
	52	* The TIFFRGBAImageGet() function doesn't allow us to get off the
	53	* edge of the image, even to fill an otherwise valid tile. So we