1 files changed, 152 insertions, 0 deletions
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2023-6277-2.patch b/meta/recipes-multimedia/libtiff/files/CVE-2023-6277-2.patch
new file mode 100644
index 0000000000..644b3fdb3f
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2023-6277-2.patch
@@ -0,0 +1,152 @@
+[Ubuntu note: Backport of the following patch from upstream, with a few changes
+to match the current version of the file in the present Ubuntu release:
+ . using TIFFWarningExt instead of TIFFWarningExtR (the latter did not exist yet);
+ . using uint64 instead of uint64_t to preserve the current code usage;
+-- Rodrigo Figueiredo Zaiden]
+Backport of:
+From 0b025324711213a75e38b52f7e7ba60235f108aa Mon Sep 17 00:00:00 2001
+From: Even Rouault <even.rouault@spatialys.com>
+Date: Tue, 31 Oct 2023 19:47:22 +0100
+Subject: [PATCH] tif_dirread.c: only issue TIFFGetFileSize() for large enough
+ RAM requests
+Ammends 5320c9d89c054fa805d037d84c57da874470b01a
+This fixes a performance regression caught by the GDAL regression test
+suite.
+Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/tiff/tree/debian/patches/CVE-2023-6277-2.patch?h=ubuntu/focal-security
+Upstream commit  https://gitlab.com/libtiff/libtiff/-/commit/0b025324711213a75e38b52f7e7ba60235f108aa]
+CVE: CVE-2023-6277
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ libtiff/tif_dirread.c | 83 +++++++++++++++++++++++++------------------
+ 1 file changed, 48 insertions(+), 35 deletions(-)
+--- tiff-4.1.0+git191117.orig/libtiff/tif_dirread.c
+++ tiff-4.1.0+git191117/libtiff/tif_dirread.c
+@@ -864,19 +864,22 @@ static enum TIFFReadDirEntryErr TIFFRead
+        datasize=(*count)*typesize;
+        assert((tmsize_t)datasize>0);
+ 
+-       /* Before allocating a huge amount of memory for corrupted files, check if
+-        * size of requested memory is not greater than file size.
+-        */
+-       uint64 filesize = TIFFGetFileSize(tif);
+-       if (datasize > filesize)
+       if (datasize > 100 * 1024 * 1024)
+        {
+-               TIFFWarningExt(tif->tif_clientdata, "ReadDirEntryArray",
+-                                               "Requested memory size for tag %d (0x%x) %" PRIu32
+-                                               " is greather than filesize %" PRIu64
+-                                               ". Memory not allocated, tag not read",
+-                                               direntry->tdir_tag, direntry->tdir_tag, datasize,
+-                                               filesize);
+-               return (TIFFReadDirEntryErrAlloc);
+               /* Before allocating a huge amount of memory for corrupted files, check
+                * if size of requested memory is not greater than file size.
+                */
+               const uint64 filesize = TIFFGetFileSize(tif);
+               if (datasize > filesize)
+               {
+                       TIFFWarningExt(tif->tif_clientdata, "ReadDirEntryArray",
+                                                       "Requested memory size for tag %d (0x%x) %" PRIu32
+                                                       " is greater than filesize %" PRIu64
+                                                       ". Memory not allocated, tag not read",
+                                                       direntry->tdir_tag, direntry->tdir_tag, datasize,
+                                                       filesize);
+                       return (TIFFReadDirEntryErrAlloc);
+               }
+        }
+ 
+        if( isMapped(tif) && datasize > (uint32)tif->tif_size )
+@@ -4550,18 +4553,22 @@ EstimateStripByteCounts(TIFF* tif, TIFFD
+         if( !_TIFFFillStrilesInternal( tif, 0 ) )
+             return -1;
+ 
+-       /* Before allocating a huge amount of memory for corrupted files, check if
+-        * size of requested memory is not greater than file size. */
+-       uint64 filesize = TIFFGetFileSize(tif);
+-       uint64 allocsize = (uint64)td->td_nstrips * sizeof(uint64);
+-       if (allocsize > filesize)
+       const uint64 allocsize = (uint64)td->td_nstrips * sizeof(uint64);
+       uint64 filesize = 0;
+       if (allocsize > 100 * 1024 * 1024)
+        {
+-               TIFFWarningExt(tif->tif_clientdata, module,
+-                                               "Requested memory size for StripByteCounts of %" PRIu64
+-                                               " is greather than filesize %" PRIu64
+-                                               ". Memory not allocated",
+-                                               allocsize, filesize);
+-               return -1;
+               /* Before allocating a huge amount of memory for corrupted files, check
+                * if size of requested memory is not greater than file size. */
+               filesize = TIFFGetFileSize(tif);
+               if (allocsize > filesize)
+               {
+                       TIFFWarningExt(
+                               tif->tif_clientdata, module,
+                               "Requested memory size for StripByteCounts of %" PRIu64
+                               " is greater than filesize %" PRIu64 ". Memory not allocated",
+                               allocsize, filesize);
+                       return -1;
+               }
+        }
+ 
+        if (td->td_stripbytecount_p)
+@@ -4608,11 +4615,13 @@ EstimateStripByteCounts(TIFF* tif, TIFFD
+                             return -1;
+                        space+=datasize;
+                }
+               if (filesize == 0)
+                       filesize = TIFFGetFileSize(tif);
+                if( filesize < space )
+-                    /* we should perhaps return in error ? */
+-                    space = filesize;
+-                else
+-                    space = filesize - space;
+                       /* we should perhaps return in error ? */
+                       space = filesize;
+               else
+                       space = filesize - space;
+                if (td->td_planarconfig == PLANARCONFIG_SEPARATE)
+                        space /= td->td_samplesperpixel;
+                for (strip = 0; strip < td->td_nstrips; strip++)
+@@ -4882,19 +4891,23 @@ TIFFFetchDirectory(TIFF* tif, uint64 dir
+                        dircount16 = (uint16)dircount64;
+                        dirsize = 20;
+                }
+-               /* Before allocating a huge amount of memory for corrupted files, check
+-                * if size of requested memory is not greater than file size. */
+-               uint64 filesize = TIFFGetFileSize(tif);
+-               uint64 allocsize = (uint64)dircount16 * dirsize;
+-               if (allocsize > filesize)
+               const uint64 allocsize = (uint64)dircount16 * dirsize;
+               if (allocsize > 100 * 1024 * 1024)
+                {
+-                       TIFFWarningExt(
+-                               tif->tif_clientdata, module,
+-                               "Requested memory size for TIFF directory of %" PRIu64
+-                               " is greather than filesize %" PRIu64
+-                               ". Memory not allocated, TIFF directory not read",
+-                               allocsize, filesize);
+-                       return 0;
+                       /* Before allocating a huge amount of memory for corrupted files,
+                        * check if size of requested memory is not greater than file size.
+                        */
+                       const uint64 filesize = TIFFGetFileSize(tif);
+                       if (allocsize > filesize)
+                       {
+                               TIFFWarningExt(
+                                       tif->tif_clientdata, module,
+                                       "Requested memory size for TIFF directory of %" PRIu64
+                                       " is greater than filesize %" PRIu64
+                                       ". Memory not allocated, TIFF directory not read",
+                                       allocsize, filesize);
+                               return 0;
+                       }
+                }
+                origdir = _TIFFCheckMalloc(tif, dircount16,
+                    dirsize, "to read TIFF directory");

diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2023-6277-2.patch b/meta/recipes-multimedia/libtiff/files/CVE-2023-6277-2.patch new file mode 100644 index 0000000000..644b3fdb3f --- /dev/null +++ b/meta/recipes-multimedia/libtiff/files/CVE-2023-6277-2.patch
@@ -0,0 +1,152 @@
	1	[Ubuntu note: Backport of the following patch from upstream, with a few changes
	2	to match the current version of the file in the present Ubuntu release:
	3	. using TIFFWarningExt instead of TIFFWarningExtR (the latter did not exist yet);
	4	. using uint64 instead of uint64_t to preserve the current code usage;
	5	-- Rodrigo Figueiredo Zaiden]
	6
	7	Backport of:
	8
	9	From 0b025324711213a75e38b52f7e7ba60235f108aa Mon Sep 17 00:00:00 2001
	10	From: Even Rouault <even.rouault@spatialys.com>
	11	Date: Tue, 31 Oct 2023 19:47:22 +0100
	12	Subject: [PATCH] tif_dirread.c: only issue TIFFGetFileSize() for large enough
	13	RAM requests
	14
	15	Ammends 5320c9d89c054fa805d037d84c57da874470b01a
	16
	17	This fixes a performance regression caught by the GDAL regression test
	18	suite.
	19
	20	Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/tiff/tree/debian/patches/CVE-2023-6277-2.patch?h=ubuntu/focal-security
	21	Upstream commit https://gitlab.com/libtiff/libtiff/-/commit/0b025324711213a75e38b52f7e7ba60235f108aa]
	22	CVE: CVE-2023-6277
	23	Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
	24	---
	25	libtiff/tif_dirread.c \| 83 +++++++++++++++++++++++++------------------
	26	1 file changed, 48 insertions(+), 35 deletions(-)
	27
	28	--- tiff-4.1.0+git191117.orig/libtiff/tif_dirread.c
	29	+++ tiff-4.1.0+git191117/libtiff/tif_dirread.c
	30	@@ -864,19 +864,22 @@ static enum TIFFReadDirEntryErr TIFFRead
	31	datasize=(count)typesize;
	32	assert((tmsize_t)datasize>0);
	33
	34	- /* Before allocating a huge amount of memory for corrupted files, check if
	35	- * size of requested memory is not greater than file size.
	36	- */
	37	- uint64 filesize = TIFFGetFileSize(tif);
	38	- if (datasize > filesize)
	39	+ if (datasize > 100 * 1024 * 1024)
	40	{
	41	- TIFFWarningExt(tif->tif_clientdata, "ReadDirEntryArray",
	42	- "Requested memory size for tag %d (0x%x) %" PRIu32
	43	- " is greather than filesize %" PRIu64
	44	- ". Memory not allocated, tag not read",
	45	- direntry->tdir_tag, direntry->tdir_tag, datasize,
	46	- filesize);
	47	- return (TIFFReadDirEntryErrAlloc);
	48	+ /* Before allocating a huge amount of memory for corrupted files, check
	49	+ * if size of requested memory is not greater than file size.
	50	+ */
	51	+ const uint64 filesize = TIFFGetFileSize(tif);
	52	+ if (datasize > filesize)
	53	+ {
	54	+ TIFFWarningExt(tif->tif_clientdata, "ReadDirEntryArray",
	55	+ "Requested memory size for tag %d (0x%x) %" PRIu32
	56	+ " is greater than filesize %" PRIu64
	57	+ ". Memory not allocated, tag not read",
	58	+ direntry->tdir_tag, direntry->tdir_tag, datasize,
	59	+ filesize);
	60	+ return (TIFFReadDirEntryErrAlloc);
	61	+ }
	62	}
	63
	64	if( isMapped(tif) && datasize > (uint32)tif->tif_size )
	65	@@ -4550,18 +4553,22 @@ EstimateStripByteCounts(TIFF* tif, TIFFD
	66	if( !_TIFFFillStrilesInternal( tif, 0 ) )
	67	return -1;
	68
	69	- /* Before allocating a huge amount of memory for corrupted files, check if
	70	- * size of requested memory is not greater than file size. */
	71	- uint64 filesize = TIFFGetFileSize(tif);
	72	- uint64 allocsize = (uint64)td->td_nstrips * sizeof(uint64);
	73	- if (allocsize > filesize)
	74	+ const uint64 allocsize = (uint64)td->td_nstrips * sizeof(uint64);
	75	+ uint64 filesize = 0;
	76	+ if (allocsize > 100 * 1024 * 1024)
	77	{
	78	- TIFFWarningExt(tif->tif_clientdata, module,
	79	- "Requested memory size for StripByteCounts of %" PRIu64
	80	- " is greather than filesize %" PRIu64
	81	- ". Memory not allocated",
	82	- allocsize, filesize);
	83	- return -1;
	84	+ /* Before allocating a huge amount of memory for corrupted files, check
	85	+ * if size of requested memory is not greater than file size. */
	86	+ filesize = TIFFGetFileSize(tif);
	87	+ if (allocsize > filesize)
	88	+ {
	89	+ TIFFWarningExt(
	90	+ tif->tif_clientdata, module,
	91	+ "Requested memory size for StripByteCounts of %" PRIu64
	92	+ " is greater than filesize %" PRIu64 ". Memory not allocated",
	93	+ allocsize, filesize);
	94	+ return -1;
	95	+ }
	96	}
	97
	98	if (td->td_stripbytecount_p)
	99	@@ -4608,11 +4615,13 @@ EstimateStripByteCounts(TIFF* tif, TIFFD
	100	return -1;
	101	space+=datasize;
	102	}
	103	+ if (filesize == 0)
	104	+ filesize = TIFFGetFileSize(tif);
	105	if( filesize < space )
	106	- /* we should perhaps return in error ? */
	107	- space = filesize;
	108	- else
	109	- space = filesize - space;
	110	+ /* we should perhaps return in error ? */
	111	+ space = filesize;
	112	+ else
	113	+ space = filesize - space;
	114	if (td->td_planarconfig == PLANARCONFIG_SEPARATE)
	115	space /= td->td_samplesperpixel;
	116	for (strip = 0; strip < td->td_nstrips; strip++)
	117	@@ -4882,19 +4891,23 @@ TIFFFetchDirectory(TIFF* tif, uint64 dir
	118	dircount16 = (uint16)dircount64;
	119	dirsize = 20;
	120	}
	121	- /* Before allocating a huge amount of memory for corrupted files, check
	122	- * if size of requested memory is not greater than file size. */
	123	- uint64 filesize = TIFFGetFileSize(tif);
	124	- uint64 allocsize = (uint64)dircount16 * dirsize;
	125	- if (allocsize > filesize)
	126	+ const uint64 allocsize = (uint64)dircount16 * dirsize;
	127	+ if (allocsize > 100 * 1024 * 1024)
	128	{
	129	- TIFFWarningExt(
	130	- tif->tif_clientdata, module,
	131	- "Requested memory size for TIFF directory of %" PRIu64
	132	- " is greather than filesize %" PRIu64
	133	- ". Memory not allocated, TIFF directory not read",
	134	- allocsize, filesize);
	135	- return 0;
	136	+ /* Before allocating a huge amount of memory for corrupted files,
	137	+ * check if size of requested memory is not greater than file size.
	138	+ */
	139	+ const uint64 filesize = TIFFGetFileSize(tif);
	140	+ if (allocsize > filesize)
	141	+ {
	142	+ TIFFWarningExt(
	143	+ tif->tif_clientdata, module,
	144	+ "Requested memory size for TIFF directory of %" PRIu64
	145	+ " is greater than filesize %" PRIu64
	146	+ ". Memory not allocated, TIFF directory not read",
	147	+ allocsize, filesize);
	148	+ return 0;
	149	+ }
	150	}
	151	origdir = _TIFFCheckMalloc(tif, dircount16,
	152	dirsize, "to read TIFF directory");