1 files changed, 191 insertions, 0 deletions
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2023-6277-1.patch b/meta/recipes-multimedia/libtiff/files/CVE-2023-6277-1.patch
new file mode 100644
index 0000000000..e955b3f2e4
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2023-6277-1.patch
@@ -0,0 +1,191 @@
+[Ubuntu note: Backport of the following patch from upstream, with a few changes
+to match the current version of the file in the present Ubuntu release:
+ . included inttypes.h header to support PRIu32 and PRIu64;
+ . using TIFFWarningExt instead of TIFFWarningExtR (the latter did not exist yet);
+ . using uint64 instead of uint64_t to preserve the current code usage;
+ . calling _TIFFfree(data) instead of _TIFFfreeExt(tif, data) (the latter did not exist yet);
+ . calls to the check size, that is the idea of the patch, were added before
+   _TIFFCheckMalloc and may note match the original patch methods;
+-- Rodrigo Figueiredo Zaiden]
+Backport of:
+From 5320c9d89c054fa805d037d84c57da874470b01a Mon Sep 17 00:00:00 2001
+From: Su Laus <sulau@freenet.de>
+Date: Tue, 31 Oct 2023 15:43:29 +0000
+Subject: [PATCH] Prevent some out-of-memory attacks
+Some small fuzzer files fake large amounts of data and provoke out-of-memory situations. For non-compressed data content / tags, out-of-memory can be prevented by comparing with the file size.
+At image reading, data size of some tags / data structures (StripByteCounts, StripOffsets, StripArray, TIFF directory) is compared with file size to prevent provoked out-of-memory attacks.
+See issue https://gitlab.com/libtiff/libtiff/-/issues/614#note_1602683857
+Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/tiff/tree/debian/patches/CVE-2023-6277-1.patch?h=ubuntu/focal-security
+Upstream commit  https://gitlab.com/libtiff/libtiff/-/commit/5320c9d89c054fa805d037d84c57da874470b01a]
+CVE: CVE-2023-6277
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ libtiff/tif_dirread.c | 92 ++++++++++++++++++++++++++++++++++++++++++-
+ 1 file changed, 90 insertions(+), 2 deletions(-)
+--- tiff-4.1.0+git191117.orig/libtiff/tif_dirread.c
+++ tiff-4.1.0+git191117/libtiff/tif_dirread.c
+@@ -37,6 +37,7 @@
+ #include "tiffiop.h"
+ #include <float.h>
+ #include <stdlib.h>
+#include <inttypes.h>
+ 
+ #define FAILED_FII    ((uint32) -1)
+ 
+@@ -863,6 +864,21 @@ static enum TIFFReadDirEntryErr TIFFRead
+        datasize=(*count)*typesize;
+        assert((tmsize_t)datasize>0);
+ 
+       /* Before allocating a huge amount of memory for corrupted files, check if
+        * size of requested memory is not greater than file size.
+        */
+       uint64 filesize = TIFFGetFileSize(tif);
+       if (datasize > filesize)
+       {
+               TIFFWarningExt(tif->tif_clientdata, "ReadDirEntryArray",
+                                               "Requested memory size for tag %d (0x%x) %" PRIu32
+                                               " is greather than filesize %" PRIu64
+                                               ". Memory not allocated, tag not read",
+                                               direntry->tdir_tag, direntry->tdir_tag, datasize,
+                                               filesize);
+               return (TIFFReadDirEntryErrAlloc);
+       }
+
+        if( isMapped(tif) && datasize > (uint32)tif->tif_size )
+                return TIFFReadDirEntryErrIo;
+ 
+@@ -4534,6 +4550,20 @@ EstimateStripByteCounts(TIFF* tif, TIFFD
+         if( !_TIFFFillStrilesInternal( tif, 0 ) )
+             return -1;
+ 
+       /* Before allocating a huge amount of memory for corrupted files, check if
+        * size of requested memory is not greater than file size. */
+       uint64 filesize = TIFFGetFileSize(tif);
+       uint64 allocsize = (uint64)td->td_nstrips * sizeof(uint64);
+       if (allocsize > filesize)
+       {
+               TIFFWarningExt(tif->tif_clientdata, module,
+                                               "Requested memory size for StripByteCounts of %" PRIu64
+                                               " is greather than filesize %" PRIu64
+                                               ". Memory not allocated",
+                                               allocsize, filesize);
+               return -1;
+       }
+
+        if (td->td_stripbytecount_p)
+                _TIFFfree(td->td_stripbytecount_p);
+        td->td_stripbytecount_p = (uint64*)
+@@ -4544,9 +4574,7 @@ EstimateStripByteCounts(TIFF* tif, TIFFD
+ 
+        if (td->td_compression != COMPRESSION_NONE) {
+                uint64 space;
+-               uint64 filesize;
+                uint16 n;
+-               filesize = TIFFGetFileSize(tif);
+                if (!(tif->tif_flags&TIFF_BIGTIFF))
+                        space=sizeof(TIFFHeaderClassic)+2+dircount*12+4;
+                else
+@@ -4854,6 +4882,20 @@ TIFFFetchDirectory(TIFF* tif, uint64 dir
+                        dircount16 = (uint16)dircount64;
+                        dirsize = 20;
+                }
+               /* Before allocating a huge amount of memory for corrupted files, check
+                * if size of requested memory is not greater than file size. */
+               uint64 filesize = TIFFGetFileSize(tif);
+               uint64 allocsize = (uint64)dircount16 * dirsize;
+               if (allocsize > filesize)
+               {
+                       TIFFWarningExt(
+                               tif->tif_clientdata, module,
+                               "Requested memory size for TIFF directory of %" PRIu64
+                               " is greather than filesize %" PRIu64
+                               ". Memory not allocated, TIFF directory not read",
+                               allocsize, filesize);
+                       return 0;
+               }
+                origdir = _TIFFCheckMalloc(tif, dircount16,
+                    dirsize, "to read TIFF directory");
+                if (origdir == NULL)
+@@ -4957,6 +4999,20 @@ TIFFFetchDirectory(TIFF* tif, uint64 dir
+                                     "Sanity check on directory count failed, zero tag directories not supported");
+                        return 0;
+                }
+               /* Before allocating a huge amount of memory for corrupted files, check
+                * if size of requested memory is not greater than file size. */
+               uint64 filesize = TIFFGetFileSize(tif);
+               uint64 allocsize = (uint64)dircount16 * dirsize;
+               if (allocsize > filesize)
+               {
+                       TIFFWarningExt(
+                               tif->tif_clientdata, module,
+                               "Requested memory size for TIFF directory of %" PRIu64
+                               " is greather than filesize %" PRIu64
+                               ". Memory not allocated, TIFF directory not read",
+                               allocsize, filesize);
+                       return 0;
+               }
+                origdir = _TIFFCheckMalloc(tif, dircount16,
+                                                dirsize,
+                                                "to read TIFF directory");
+@@ -5000,6 +5056,8 @@ TIFFFetchDirectory(TIFF* tif, uint64 dir
+                        }
+                }
+        }
+       /* No check against filesize needed here because "dir" should have same size
+        * than "origdir" checked above. */
+        dir = (TIFFDirEntry*)_TIFFCheckMalloc(tif, dircount16,
+                                                sizeof(TIFFDirEntry),
+                                                "to read TIFF directory");
+@@ -5769,7 +5827,20 @@ TIFFFetchStripThing(TIFF* tif, TIFFDirEn
+                        _TIFFfree(data);
+                        return(0);
+                }
+-
+               /* Before allocating a huge amount of memory for corrupted files, check
+                * if size of requested memory is not greater than file size. */
+               uint64 filesize = TIFFGetFileSize(tif);
+               uint64 allocsize = (uint64)nstrips * sizeof(uint64);
+               if (allocsize > filesize)
+               {
+                       TIFFWarningExt(tif->tif_clientdata, module,
+                                                       "Requested memory size for StripArray of %" PRIu64
+                                                       " is greather than filesize %" PRIu64
+                                                       ". Memory not allocated",
+                                                       allocsize, filesize);
+                       _TIFFfree(data);
+                       return (0);
+               }
+                resizeddata=(uint64*)_TIFFCheckMalloc(tif,nstrips,sizeof(uint64),"for strip array");
+                if (resizeddata==0) {
+                        _TIFFfree(data);
+@@ -5865,6 +5936,23 @@ static void allocChoppedUpStripArrays(TI
+     }
+     bytecount = last_offset + last_bytecount - offset;
+ 
+       /* Before allocating a huge amount of memory for corrupted files, check if
+        * size of StripByteCount and StripOffset tags is not greater than
+        * file size.
+        */
+       uint64 allocsize = (uint64)nstrips * sizeof(uint64) * 2;
+       uint64 filesize = TIFFGetFileSize(tif);
+       if (allocsize > filesize)
+       {
+               TIFFWarningExt(tif->tif_clientdata, "allocChoppedUpStripArrays",
+                                               "Requested memory size for StripByteCount and "
+                                               "StripOffsets %" PRIu64
+                                               " is greather than filesize %" PRIu64
+                                               ". Memory not allocated",
+                                               allocsize, filesize);
+               return;
+       }
+
+     newcounts = (uint64*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64),
+                             "for chopped \"StripByteCounts\" array");
+     newoffsets = (uint64*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64),

diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2023-6277-1.patch b/meta/recipes-multimedia/libtiff/files/CVE-2023-6277-1.patch new file mode 100644 index 0000000000..e955b3f2e4 --- /dev/null +++ b/meta/recipes-multimedia/libtiff/files/CVE-2023-6277-1.patch
@@ -0,0 +1,191 @@
	1	[Ubuntu note: Backport of the following patch from upstream, with a few changes
	2	to match the current version of the file in the present Ubuntu release:
	3	. included inttypes.h header to support PRIu32 and PRIu64;
	4	. using TIFFWarningExt instead of TIFFWarningExtR (the latter did not exist yet);
	5	. using uint64 instead of uint64_t to preserve the current code usage;
	6	. calling _TIFFfree(data) instead of _TIFFfreeExt(tif, data) (the latter did not exist yet);
	7	. calls to the check size, that is the idea of the patch, were added before
	8	_TIFFCheckMalloc and may note match the original patch methods;
	9	-- Rodrigo Figueiredo Zaiden]
	10
	11	Backport of:
	12
	13	From 5320c9d89c054fa805d037d84c57da874470b01a Mon Sep 17 00:00:00 2001
	14	From: Su Laus <sulau@freenet.de>
	15	Date: Tue, 31 Oct 2023 15:43:29 +0000
	16	Subject: [PATCH] Prevent some out-of-memory attacks
	17
	18	Some small fuzzer files fake large amounts of data and provoke out-of-memory situations. For non-compressed data content / tags, out-of-memory can be prevented by comparing with the file size.
	19
	20	At image reading, data size of some tags / data structures (StripByteCounts, StripOffsets, StripArray, TIFF directory) is compared with file size to prevent provoked out-of-memory attacks.
	21
	22	See issue https://gitlab.com/libtiff/libtiff/-/issues/614#note_1602683857
	23
	24	Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/tiff/tree/debian/patches/CVE-2023-6277-1.patch?h=ubuntu/focal-security
	25	Upstream commit https://gitlab.com/libtiff/libtiff/-/commit/5320c9d89c054fa805d037d84c57da874470b01a]
	26	CVE: CVE-2023-6277
	27	Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
	28	---
	29	libtiff/tif_dirread.c \| 92 ++++++++++++++++++++++++++++++++++++++++++-
	30	1 file changed, 90 insertions(+), 2 deletions(-)
	31
	32	--- tiff-4.1.0+git191117.orig/libtiff/tif_dirread.c
	33	+++ tiff-4.1.0+git191117/libtiff/tif_dirread.c
	34	@@ -37,6 +37,7 @@
	35	#include "tiffiop.h"
	36	#include <float.h>
	37	#include <stdlib.h>
	38	+#include <inttypes.h>
	39
	40	#define FAILED_FII ((uint32) -1)
	41
	42	@@ -863,6 +864,21 @@ static enum TIFFReadDirEntryErr TIFFRead
	43	datasize=(count)typesize;
	44	assert((tmsize_t)datasize>0);
	45
	46	+ /* Before allocating a huge amount of memory for corrupted files, check if
	47	+ * size of requested memory is not greater than file size.
	48	+ */
	49	+ uint64 filesize = TIFFGetFileSize(tif);
	50	+ if (datasize > filesize)
	51	+ {
	52	+ TIFFWarningExt(tif->tif_clientdata, "ReadDirEntryArray",
	53	+ "Requested memory size for tag %d (0x%x) %" PRIu32
	54	+ " is greather than filesize %" PRIu64
	55	+ ". Memory not allocated, tag not read",
	56	+ direntry->tdir_tag, direntry->tdir_tag, datasize,
	57	+ filesize);
	58	+ return (TIFFReadDirEntryErrAlloc);
	59	+ }
	60	+
	61	if( isMapped(tif) && datasize > (uint32)tif->tif_size )
	62	return TIFFReadDirEntryErrIo;
	63
	64	@@ -4534,6 +4550,20 @@ EstimateStripByteCounts(TIFF* tif, TIFFD
	65	if( !_TIFFFillStrilesInternal( tif, 0 ) )
	66	return -1;
	67
	68	+ /* Before allocating a huge amount of memory for corrupted files, check if
	69	+ * size of requested memory is not greater than file size. */
	70	+ uint64 filesize = TIFFGetFileSize(tif);
	71	+ uint64 allocsize = (uint64)td->td_nstrips * sizeof(uint64);
	72	+ if (allocsize > filesize)
	73	+ {
	74	+ TIFFWarningExt(tif->tif_clientdata, module,
	75	+ "Requested memory size for StripByteCounts of %" PRIu64
	76	+ " is greather than filesize %" PRIu64
	77	+ ". Memory not allocated",
	78	+ allocsize, filesize);
	79	+ return -1;
	80	+ }
	81	+
	82	if (td->td_stripbytecount_p)
	83	_TIFFfree(td->td_stripbytecount_p);
	84	td->td_stripbytecount_p = (uint64*)
	85	@@ -4544,9 +4574,7 @@ EstimateStripByteCounts(TIFF* tif, TIFFD
	86
	87	if (td->td_compression != COMPRESSION_NONE) {
	88	uint64 space;
	89	- uint64 filesize;
	90	uint16 n;
	91	- filesize = TIFFGetFileSize(tif);
	92	if (!(tif->tif_flags&TIFF_BIGTIFF))
	93	space=sizeof(TIFFHeaderClassic)+2+dircount*12+4;
	94	else
	95	@@ -4854,6 +4882,20 @@ TIFFFetchDirectory(TIFF* tif, uint64 dir
	96	dircount16 = (uint16)dircount64;
	97	dirsize = 20;
	98	}
	99	+ /* Before allocating a huge amount of memory for corrupted files, check
	100	+ * if size of requested memory is not greater than file size. */
	101	+ uint64 filesize = TIFFGetFileSize(tif);
	102	+ uint64 allocsize = (uint64)dircount16 * dirsize;
	103	+ if (allocsize > filesize)
	104	+ {
	105	+ TIFFWarningExt(
	106	+ tif->tif_clientdata, module,
	107	+ "Requested memory size for TIFF directory of %" PRIu64
	108	+ " is greather than filesize %" PRIu64
	109	+ ". Memory not allocated, TIFF directory not read",
	110	+ allocsize, filesize);
	111	+ return 0;
	112	+ }
	113	origdir = _TIFFCheckMalloc(tif, dircount16,
	114	dirsize, "to read TIFF directory");
	115	if (origdir == NULL)
	116	@@ -4957,6 +4999,20 @@ TIFFFetchDirectory(TIFF* tif, uint64 dir
	117	"Sanity check on directory count failed, zero tag directories not supported");
	118	return 0;
	119	}
	120	+ /* Before allocating a huge amount of memory for corrupted files, check
	121	+ * if size of requested memory is not greater than file size. */
	122	+ uint64 filesize = TIFFGetFileSize(tif);
	123	+ uint64 allocsize = (uint64)dircount16 * dirsize;
	124	+ if (allocsize > filesize)
	125	+ {
	126	+ TIFFWarningExt(
	127	+ tif->tif_clientdata, module,
	128	+ "Requested memory size for TIFF directory of %" PRIu64
	129	+ " is greather than filesize %" PRIu64
	130	+ ". Memory not allocated, TIFF directory not read",
	131	+ allocsize, filesize);
	132	+ return 0;
	133	+ }
	134	origdir = _TIFFCheckMalloc(tif, dircount16,
	135	dirsize,
	136	"to read TIFF directory");
	137	@@ -5000,6 +5056,8 @@ TIFFFetchDirectory(TIFF* tif, uint64 dir
	138	}
	139	}
	140	}
	141	+ /* No check against filesize needed here because "dir" should have same size
	142	+ * than "origdir" checked above. */
	143	dir = (TIFFDirEntry*)_TIFFCheckMalloc(tif, dircount16,
	144	sizeof(TIFFDirEntry),
	145	"to read TIFF directory");
	146	@@ -5769,7 +5827,20 @@ TIFFFetchStripThing(TIFF* tif, TIFFDirEn
	147	_TIFFfree(data);
	148	return(0);
	149	}
	150	-
	151	+ /* Before allocating a huge amount of memory for corrupted files, check
	152	+ * if size of requested memory is not greater than file size. */
	153	+ uint64 filesize = TIFFGetFileSize(tif);
	154	+ uint64 allocsize = (uint64)nstrips * sizeof(uint64);
	155	+ if (allocsize > filesize)
	156	+ {
	157	+ TIFFWarningExt(tif->tif_clientdata, module,
	158	+ "Requested memory size for StripArray of %" PRIu64
	159	+ " is greather than filesize %" PRIu64
	160	+ ". Memory not allocated",
	161	+ allocsize, filesize);
	162	+ _TIFFfree(data);
	163	+ return (0);
	164	+ }
	165	resizeddata=(uint64*)_TIFFCheckMalloc(tif,nstrips,sizeof(uint64),"for strip array");
	166	if (resizeddata==0) {
	167	_TIFFfree(data);
	168	@@ -5865,6 +5936,23 @@ static void allocChoppedUpStripArrays(TI
	169	}
	170	bytecount = last_offset + last_bytecount - offset;
	171
	172	+ /* Before allocating a huge amount of memory for corrupted files, check if
	173	+ * size of StripByteCount and StripOffset tags is not greater than
	174	+ * file size.
	175	+ */
	176	+ uint64 allocsize = (uint64)nstrips * sizeof(uint64) * 2;
	177	+ uint64 filesize = TIFFGetFileSize(tif);
	178	+ if (allocsize > filesize)
	179	+ {
	180	+ TIFFWarningExt(tif->tif_clientdata, "allocChoppedUpStripArrays",
	181	+ "Requested memory size for StripByteCount and "
	182	+ "StripOffsets %" PRIu64
	183	+ " is greather than filesize %" PRIu64
	184	+ ". Memory not allocated",
	185	+ allocsize, filesize);
	186	+ return;
	187	+ }
	188	+
	189	newcounts = (uint64*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64),
	190	"for chopped \"StripByteCounts\" array");
	191	newoffsets = (uint64*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64),