diff options
Diffstat (limited to 'meta/recipes-multimedia/libtiff/files/CVE-2023-6277-1.patch')
-rw-r--r-- | meta/recipes-multimedia/libtiff/files/CVE-2023-6277-1.patch | 191 |
1 files changed, 191 insertions, 0 deletions
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2023-6277-1.patch b/meta/recipes-multimedia/libtiff/files/CVE-2023-6277-1.patch new file mode 100644 index 0000000000..e955b3f2e4 --- /dev/null +++ b/meta/recipes-multimedia/libtiff/files/CVE-2023-6277-1.patch | |||
@@ -0,0 +1,191 @@ | |||
1 | [Ubuntu note: Backport of the following patch from upstream, with a few changes | ||
2 | to match the current version of the file in the present Ubuntu release: | ||
3 | . included inttypes.h header to support PRIu32 and PRIu64; | ||
4 | . using TIFFWarningExt instead of TIFFWarningExtR (the latter did not exist yet); | ||
5 | . using uint64 instead of uint64_t to preserve the current code usage; | ||
6 | . calling _TIFFfree(data) instead of _TIFFfreeExt(tif, data) (the latter did not exist yet); | ||
7 | . calls to the check size, that is the idea of the patch, were added before | ||
8 | _TIFFCheckMalloc and may note match the original patch methods; | ||
9 | -- Rodrigo Figueiredo Zaiden] | ||
10 | |||
11 | Backport of: | ||
12 | |||
13 | From 5320c9d89c054fa805d037d84c57da874470b01a Mon Sep 17 00:00:00 2001 | ||
14 | From: Su Laus <sulau@freenet.de> | ||
15 | Date: Tue, 31 Oct 2023 15:43:29 +0000 | ||
16 | Subject: [PATCH] Prevent some out-of-memory attacks | ||
17 | |||
18 | Some small fuzzer files fake large amounts of data and provoke out-of-memory situations. For non-compressed data content / tags, out-of-memory can be prevented by comparing with the file size. | ||
19 | |||
20 | At image reading, data size of some tags / data structures (StripByteCounts, StripOffsets, StripArray, TIFF directory) is compared with file size to prevent provoked out-of-memory attacks. | ||
21 | |||
22 | See issue https://gitlab.com/libtiff/libtiff/-/issues/614#note_1602683857 | ||
23 | |||
24 | Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/tiff/tree/debian/patches/CVE-2023-6277-1.patch?h=ubuntu/focal-security | ||
25 | Upstream commit https://gitlab.com/libtiff/libtiff/-/commit/5320c9d89c054fa805d037d84c57da874470b01a] | ||
26 | CVE: CVE-2023-6277 | ||
27 | Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> | ||
28 | --- | ||
29 | libtiff/tif_dirread.c | 92 ++++++++++++++++++++++++++++++++++++++++++- | ||
30 | 1 file changed, 90 insertions(+), 2 deletions(-) | ||
31 | |||
32 | --- tiff-4.1.0+git191117.orig/libtiff/tif_dirread.c | ||
33 | +++ tiff-4.1.0+git191117/libtiff/tif_dirread.c | ||
34 | @@ -37,6 +37,7 @@ | ||
35 | #include "tiffiop.h" | ||
36 | #include <float.h> | ||
37 | #include <stdlib.h> | ||
38 | +#include <inttypes.h> | ||
39 | |||
40 | #define FAILED_FII ((uint32) -1) | ||
41 | |||
42 | @@ -863,6 +864,21 @@ static enum TIFFReadDirEntryErr TIFFRead | ||
43 | datasize=(*count)*typesize; | ||
44 | assert((tmsize_t)datasize>0); | ||
45 | |||
46 | + /* Before allocating a huge amount of memory for corrupted files, check if | ||
47 | + * size of requested memory is not greater than file size. | ||
48 | + */ | ||
49 | + uint64 filesize = TIFFGetFileSize(tif); | ||
50 | + if (datasize > filesize) | ||
51 | + { | ||
52 | + TIFFWarningExt(tif->tif_clientdata, "ReadDirEntryArray", | ||
53 | + "Requested memory size for tag %d (0x%x) %" PRIu32 | ||
54 | + " is greather than filesize %" PRIu64 | ||
55 | + ". Memory not allocated, tag not read", | ||
56 | + direntry->tdir_tag, direntry->tdir_tag, datasize, | ||
57 | + filesize); | ||
58 | + return (TIFFReadDirEntryErrAlloc); | ||
59 | + } | ||
60 | + | ||
61 | if( isMapped(tif) && datasize > (uint32)tif->tif_size ) | ||
62 | return TIFFReadDirEntryErrIo; | ||
63 | |||
64 | @@ -4534,6 +4550,20 @@ EstimateStripByteCounts(TIFF* tif, TIFFD | ||
65 | if( !_TIFFFillStrilesInternal( tif, 0 ) ) | ||
66 | return -1; | ||
67 | |||
68 | + /* Before allocating a huge amount of memory for corrupted files, check if | ||
69 | + * size of requested memory is not greater than file size. */ | ||
70 | + uint64 filesize = TIFFGetFileSize(tif); | ||
71 | + uint64 allocsize = (uint64)td->td_nstrips * sizeof(uint64); | ||
72 | + if (allocsize > filesize) | ||
73 | + { | ||
74 | + TIFFWarningExt(tif->tif_clientdata, module, | ||
75 | + "Requested memory size for StripByteCounts of %" PRIu64 | ||
76 | + " is greather than filesize %" PRIu64 | ||
77 | + ". Memory not allocated", | ||
78 | + allocsize, filesize); | ||
79 | + return -1; | ||
80 | + } | ||
81 | + | ||
82 | if (td->td_stripbytecount_p) | ||
83 | _TIFFfree(td->td_stripbytecount_p); | ||
84 | td->td_stripbytecount_p = (uint64*) | ||
85 | @@ -4544,9 +4574,7 @@ EstimateStripByteCounts(TIFF* tif, TIFFD | ||
86 | |||
87 | if (td->td_compression != COMPRESSION_NONE) { | ||
88 | uint64 space; | ||
89 | - uint64 filesize; | ||
90 | uint16 n; | ||
91 | - filesize = TIFFGetFileSize(tif); | ||
92 | if (!(tif->tif_flags&TIFF_BIGTIFF)) | ||
93 | space=sizeof(TIFFHeaderClassic)+2+dircount*12+4; | ||
94 | else | ||
95 | @@ -4854,6 +4882,20 @@ TIFFFetchDirectory(TIFF* tif, uint64 dir | ||
96 | dircount16 = (uint16)dircount64; | ||
97 | dirsize = 20; | ||
98 | } | ||
99 | + /* Before allocating a huge amount of memory for corrupted files, check | ||
100 | + * if size of requested memory is not greater than file size. */ | ||
101 | + uint64 filesize = TIFFGetFileSize(tif); | ||
102 | + uint64 allocsize = (uint64)dircount16 * dirsize; | ||
103 | + if (allocsize > filesize) | ||
104 | + { | ||
105 | + TIFFWarningExt( | ||
106 | + tif->tif_clientdata, module, | ||
107 | + "Requested memory size for TIFF directory of %" PRIu64 | ||
108 | + " is greather than filesize %" PRIu64 | ||
109 | + ". Memory not allocated, TIFF directory not read", | ||
110 | + allocsize, filesize); | ||
111 | + return 0; | ||
112 | + } | ||
113 | origdir = _TIFFCheckMalloc(tif, dircount16, | ||
114 | dirsize, "to read TIFF directory"); | ||
115 | if (origdir == NULL) | ||
116 | @@ -4957,6 +4999,20 @@ TIFFFetchDirectory(TIFF* tif, uint64 dir | ||
117 | "Sanity check on directory count failed, zero tag directories not supported"); | ||
118 | return 0; | ||
119 | } | ||
120 | + /* Before allocating a huge amount of memory for corrupted files, check | ||
121 | + * if size of requested memory is not greater than file size. */ | ||
122 | + uint64 filesize = TIFFGetFileSize(tif); | ||
123 | + uint64 allocsize = (uint64)dircount16 * dirsize; | ||
124 | + if (allocsize > filesize) | ||
125 | + { | ||
126 | + TIFFWarningExt( | ||
127 | + tif->tif_clientdata, module, | ||
128 | + "Requested memory size for TIFF directory of %" PRIu64 | ||
129 | + " is greather than filesize %" PRIu64 | ||
130 | + ". Memory not allocated, TIFF directory not read", | ||
131 | + allocsize, filesize); | ||
132 | + return 0; | ||
133 | + } | ||
134 | origdir = _TIFFCheckMalloc(tif, dircount16, | ||
135 | dirsize, | ||
136 | "to read TIFF directory"); | ||
137 | @@ -5000,6 +5056,8 @@ TIFFFetchDirectory(TIFF* tif, uint64 dir | ||
138 | } | ||
139 | } | ||
140 | } | ||
141 | + /* No check against filesize needed here because "dir" should have same size | ||
142 | + * than "origdir" checked above. */ | ||
143 | dir = (TIFFDirEntry*)_TIFFCheckMalloc(tif, dircount16, | ||
144 | sizeof(TIFFDirEntry), | ||
145 | "to read TIFF directory"); | ||
146 | @@ -5769,7 +5827,20 @@ TIFFFetchStripThing(TIFF* tif, TIFFDirEn | ||
147 | _TIFFfree(data); | ||
148 | return(0); | ||
149 | } | ||
150 | - | ||
151 | + /* Before allocating a huge amount of memory for corrupted files, check | ||
152 | + * if size of requested memory is not greater than file size. */ | ||
153 | + uint64 filesize = TIFFGetFileSize(tif); | ||
154 | + uint64 allocsize = (uint64)nstrips * sizeof(uint64); | ||
155 | + if (allocsize > filesize) | ||
156 | + { | ||
157 | + TIFFWarningExt(tif->tif_clientdata, module, | ||
158 | + "Requested memory size for StripArray of %" PRIu64 | ||
159 | + " is greather than filesize %" PRIu64 | ||
160 | + ". Memory not allocated", | ||
161 | + allocsize, filesize); | ||
162 | + _TIFFfree(data); | ||
163 | + return (0); | ||
164 | + } | ||
165 | resizeddata=(uint64*)_TIFFCheckMalloc(tif,nstrips,sizeof(uint64),"for strip array"); | ||
166 | if (resizeddata==0) { | ||
167 | _TIFFfree(data); | ||
168 | @@ -5865,6 +5936,23 @@ static void allocChoppedUpStripArrays(TI | ||
169 | } | ||
170 | bytecount = last_offset + last_bytecount - offset; | ||
171 | |||
172 | + /* Before allocating a huge amount of memory for corrupted files, check if | ||
173 | + * size of StripByteCount and StripOffset tags is not greater than | ||
174 | + * file size. | ||
175 | + */ | ||
176 | + uint64 allocsize = (uint64)nstrips * sizeof(uint64) * 2; | ||
177 | + uint64 filesize = TIFFGetFileSize(tif); | ||
178 | + if (allocsize > filesize) | ||
179 | + { | ||
180 | + TIFFWarningExt(tif->tif_clientdata, "allocChoppedUpStripArrays", | ||
181 | + "Requested memory size for StripByteCount and " | ||
182 | + "StripOffsets %" PRIu64 | ||
183 | + " is greather than filesize %" PRIu64 | ||
184 | + ". Memory not allocated", | ||
185 | + allocsize, filesize); | ||
186 | + return; | ||
187 | + } | ||
188 | + | ||
189 | newcounts = (uint64*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64), | ||
190 | "for chopped \"StripByteCounts\" array"); | ||
191 | newoffsets = (uint64*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64), | ||