diff options
Diffstat (limited to 'meta/recipes-multimedia/libtiff/files/CVE-2023-52356.patch')
-rw-r--r-- | meta/recipes-multimedia/libtiff/files/CVE-2023-52356.patch | 53 |
1 files changed, 53 insertions, 0 deletions
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2023-52356.patch b/meta/recipes-multimedia/libtiff/files/CVE-2023-52356.patch new file mode 100644 index 0000000000..1b651e6529 --- /dev/null +++ b/meta/recipes-multimedia/libtiff/files/CVE-2023-52356.patch | |||
@@ -0,0 +1,53 @@ | |||
1 | [Ubuntu note: Backport of the following patch from upstream, with a few changes | ||
2 | to match the current version of the file in the present Ubuntu release: | ||
3 | . using TIFFErrorExt instead of TIFFErrorExtR (the latter did not exist yet); | ||
4 | -- Rodrigo Figueiredo Zaiden] | ||
5 | |||
6 | Backport of: | ||
7 | |||
8 | From 51558511bdbbcffdce534db21dbaf5d54b31638a Mon Sep 17 00:00:00 2001 | ||
9 | From: Even Rouault <even.rouault@spatialys.com> | ||
10 | Date: Tue, 31 Oct 2023 15:58:41 +0100 | ||
11 | Subject: [PATCH] TIFFReadRGBAStrip/TIFFReadRGBATile: add more validation of | ||
12 | col/row (fixes #622) | ||
13 | |||
14 | Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/tiff/tree/debian/patches/CVE-2023-52356.patch?h=ubuntu/focal-security | ||
15 | Upstream commit https://gitlab.com/libtiff/libtiff/-/commit/51558511bdbbcffdce534db21dbaf5d54b31638a] | ||
16 | CVE: CVE-2023-52356 | ||
17 | Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> | ||
18 | --- | ||
19 | libtiff/tif_getimage.c | 15 +++++++++++++++ | ||
20 | 1 file changed, 15 insertions(+) | ||
21 | |||
22 | |||
23 | --- tiff-4.1.0+git191117.orig/libtiff/tif_getimage.c | ||
24 | +++ tiff-4.1.0+git191117/libtiff/tif_getimage.c | ||
25 | @@ -2926,6 +2926,13 @@ TIFFReadRGBAStripExt(TIFF* tif, uint32 r | ||
26 | } | ||
27 | |||
28 | if (TIFFRGBAImageOK(tif, emsg) && TIFFRGBAImageBegin(&img, tif, stop_on_error, emsg)) { | ||
29 | + if (row >= img.height) | ||
30 | + { | ||
31 | + TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), | ||
32 | + "Invalid row passed to TIFFReadRGBAStrip()."); | ||
33 | + TIFFRGBAImageEnd(&img); | ||
34 | + return (0); | ||
35 | + } | ||
36 | |||
37 | img.row_offset = row; | ||
38 | img.col_offset = 0; | ||
39 | @@ -3002,6 +3009,14 @@ TIFFReadRGBATileExt(TIFF* tif, uint32 co | ||
40 | return( 0 ); | ||
41 | } | ||
42 | |||
43 | + if (col >= img.width || row >= img.height) | ||
44 | + { | ||
45 | + TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), | ||
46 | + "Invalid row/col passed to TIFFReadRGBATile()."); | ||
47 | + TIFFRGBAImageEnd(&img); | ||
48 | + return (0); | ||
49 | + } | ||
50 | + | ||
51 | /* | ||
52 | * The TIFFRGBAImageGet() function doesn't allow us to get off the | ||
53 | * edge of the image, even to fill an otherwise valid tile. So we | ||