diff options
Diffstat (limited to 'meta/recipes-multimedia/libtiff/files/CVE-2023-6277-2.patch')
-rw-r--r-- | meta/recipes-multimedia/libtiff/files/CVE-2023-6277-2.patch | 152 |
1 files changed, 152 insertions, 0 deletions
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2023-6277-2.patch b/meta/recipes-multimedia/libtiff/files/CVE-2023-6277-2.patch new file mode 100644 index 0000000000..644b3fdb3f --- /dev/null +++ b/meta/recipes-multimedia/libtiff/files/CVE-2023-6277-2.patch | |||
@@ -0,0 +1,152 @@ | |||
1 | [Ubuntu note: Backport of the following patch from upstream, with a few changes | ||
2 | to match the current version of the file in the present Ubuntu release: | ||
3 | . using TIFFWarningExt instead of TIFFWarningExtR (the latter did not exist yet); | ||
4 | . using uint64 instead of uint64_t to preserve the current code usage; | ||
5 | -- Rodrigo Figueiredo Zaiden] | ||
6 | |||
7 | Backport of: | ||
8 | |||
9 | From 0b025324711213a75e38b52f7e7ba60235f108aa Mon Sep 17 00:00:00 2001 | ||
10 | From: Even Rouault <even.rouault@spatialys.com> | ||
11 | Date: Tue, 31 Oct 2023 19:47:22 +0100 | ||
12 | Subject: [PATCH] tif_dirread.c: only issue TIFFGetFileSize() for large enough | ||
13 | RAM requests | ||
14 | |||
15 | Ammends 5320c9d89c054fa805d037d84c57da874470b01a | ||
16 | |||
17 | This fixes a performance regression caught by the GDAL regression test | ||
18 | suite. | ||
19 | |||
20 | Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/tiff/tree/debian/patches/CVE-2023-6277-2.patch?h=ubuntu/focal-security | ||
21 | Upstream commit https://gitlab.com/libtiff/libtiff/-/commit/0b025324711213a75e38b52f7e7ba60235f108aa] | ||
22 | CVE: CVE-2023-6277 | ||
23 | Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> | ||
24 | --- | ||
25 | libtiff/tif_dirread.c | 83 +++++++++++++++++++++++++------------------ | ||
26 | 1 file changed, 48 insertions(+), 35 deletions(-) | ||
27 | |||
28 | --- tiff-4.1.0+git191117.orig/libtiff/tif_dirread.c | ||
29 | +++ tiff-4.1.0+git191117/libtiff/tif_dirread.c | ||
30 | @@ -864,19 +864,22 @@ static enum TIFFReadDirEntryErr TIFFRead | ||
31 | datasize=(*count)*typesize; | ||
32 | assert((tmsize_t)datasize>0); | ||
33 | |||
34 | - /* Before allocating a huge amount of memory for corrupted files, check if | ||
35 | - * size of requested memory is not greater than file size. | ||
36 | - */ | ||
37 | - uint64 filesize = TIFFGetFileSize(tif); | ||
38 | - if (datasize > filesize) | ||
39 | + if (datasize > 100 * 1024 * 1024) | ||
40 | { | ||
41 | - TIFFWarningExt(tif->tif_clientdata, "ReadDirEntryArray", | ||
42 | - "Requested memory size for tag %d (0x%x) %" PRIu32 | ||
43 | - " is greather than filesize %" PRIu64 | ||
44 | - ". Memory not allocated, tag not read", | ||
45 | - direntry->tdir_tag, direntry->tdir_tag, datasize, | ||
46 | - filesize); | ||
47 | - return (TIFFReadDirEntryErrAlloc); | ||
48 | + /* Before allocating a huge amount of memory for corrupted files, check | ||
49 | + * if size of requested memory is not greater than file size. | ||
50 | + */ | ||
51 | + const uint64 filesize = TIFFGetFileSize(tif); | ||
52 | + if (datasize > filesize) | ||
53 | + { | ||
54 | + TIFFWarningExt(tif->tif_clientdata, "ReadDirEntryArray", | ||
55 | + "Requested memory size for tag %d (0x%x) %" PRIu32 | ||
56 | + " is greater than filesize %" PRIu64 | ||
57 | + ". Memory not allocated, tag not read", | ||
58 | + direntry->tdir_tag, direntry->tdir_tag, datasize, | ||
59 | + filesize); | ||
60 | + return (TIFFReadDirEntryErrAlloc); | ||
61 | + } | ||
62 | } | ||
63 | |||
64 | if( isMapped(tif) && datasize > (uint32)tif->tif_size ) | ||
65 | @@ -4550,18 +4553,22 @@ EstimateStripByteCounts(TIFF* tif, TIFFD | ||
66 | if( !_TIFFFillStrilesInternal( tif, 0 ) ) | ||
67 | return -1; | ||
68 | |||
69 | - /* Before allocating a huge amount of memory for corrupted files, check if | ||
70 | - * size of requested memory is not greater than file size. */ | ||
71 | - uint64 filesize = TIFFGetFileSize(tif); | ||
72 | - uint64 allocsize = (uint64)td->td_nstrips * sizeof(uint64); | ||
73 | - if (allocsize > filesize) | ||
74 | + const uint64 allocsize = (uint64)td->td_nstrips * sizeof(uint64); | ||
75 | + uint64 filesize = 0; | ||
76 | + if (allocsize > 100 * 1024 * 1024) | ||
77 | { | ||
78 | - TIFFWarningExt(tif->tif_clientdata, module, | ||
79 | - "Requested memory size for StripByteCounts of %" PRIu64 | ||
80 | - " is greather than filesize %" PRIu64 | ||
81 | - ". Memory not allocated", | ||
82 | - allocsize, filesize); | ||
83 | - return -1; | ||
84 | + /* Before allocating a huge amount of memory for corrupted files, check | ||
85 | + * if size of requested memory is not greater than file size. */ | ||
86 | + filesize = TIFFGetFileSize(tif); | ||
87 | + if (allocsize > filesize) | ||
88 | + { | ||
89 | + TIFFWarningExt( | ||
90 | + tif->tif_clientdata, module, | ||
91 | + "Requested memory size for StripByteCounts of %" PRIu64 | ||
92 | + " is greater than filesize %" PRIu64 ". Memory not allocated", | ||
93 | + allocsize, filesize); | ||
94 | + return -1; | ||
95 | + } | ||
96 | } | ||
97 | |||
98 | if (td->td_stripbytecount_p) | ||
99 | @@ -4608,11 +4615,13 @@ EstimateStripByteCounts(TIFF* tif, TIFFD | ||
100 | return -1; | ||
101 | space+=datasize; | ||
102 | } | ||
103 | + if (filesize == 0) | ||
104 | + filesize = TIFFGetFileSize(tif); | ||
105 | if( filesize < space ) | ||
106 | - /* we should perhaps return in error ? */ | ||
107 | - space = filesize; | ||
108 | - else | ||
109 | - space = filesize - space; | ||
110 | + /* we should perhaps return in error ? */ | ||
111 | + space = filesize; | ||
112 | + else | ||
113 | + space = filesize - space; | ||
114 | if (td->td_planarconfig == PLANARCONFIG_SEPARATE) | ||
115 | space /= td->td_samplesperpixel; | ||
116 | for (strip = 0; strip < td->td_nstrips; strip++) | ||
117 | @@ -4882,19 +4891,23 @@ TIFFFetchDirectory(TIFF* tif, uint64 dir | ||
118 | dircount16 = (uint16)dircount64; | ||
119 | dirsize = 20; | ||
120 | } | ||
121 | - /* Before allocating a huge amount of memory for corrupted files, check | ||
122 | - * if size of requested memory is not greater than file size. */ | ||
123 | - uint64 filesize = TIFFGetFileSize(tif); | ||
124 | - uint64 allocsize = (uint64)dircount16 * dirsize; | ||
125 | - if (allocsize > filesize) | ||
126 | + const uint64 allocsize = (uint64)dircount16 * dirsize; | ||
127 | + if (allocsize > 100 * 1024 * 1024) | ||
128 | { | ||
129 | - TIFFWarningExt( | ||
130 | - tif->tif_clientdata, module, | ||
131 | - "Requested memory size for TIFF directory of %" PRIu64 | ||
132 | - " is greather than filesize %" PRIu64 | ||
133 | - ". Memory not allocated, TIFF directory not read", | ||
134 | - allocsize, filesize); | ||
135 | - return 0; | ||
136 | + /* Before allocating a huge amount of memory for corrupted files, | ||
137 | + * check if size of requested memory is not greater than file size. | ||
138 | + */ | ||
139 | + const uint64 filesize = TIFFGetFileSize(tif); | ||
140 | + if (allocsize > filesize) | ||
141 | + { | ||
142 | + TIFFWarningExt( | ||
143 | + tif->tif_clientdata, module, | ||
144 | + "Requested memory size for TIFF directory of %" PRIu64 | ||
145 | + " is greater than filesize %" PRIu64 | ||
146 | + ". Memory not allocated, TIFF directory not read", | ||
147 | + allocsize, filesize); | ||
148 | + return 0; | ||
149 | + } | ||
150 | } | ||
151 | origdir = _TIFFCheckMalloc(tif, dircount16, | ||
152 | dirsize, "to read TIFF directory"); | ||