1 files changed, 46 insertions, 0 deletions
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2023-6277-3.patch b/meta/recipes-multimedia/libtiff/files/CVE-2023-6277-3.patch
new file mode 100644
index 0000000000..ed7d7e7b96
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2023-6277-3.patch
@@ -0,0 +1,46 @@
+Backport of:
+From de7bfd7d4377c266f81849579f696fa1ad5ba6c3 Mon Sep 17 00:00:00 2001
+From: Even Rouault <even.rouault@spatialys.com>
+Date: Tue, 31 Oct 2023 20:13:45 +0100
+Subject: [PATCH] TIFFFetchDirectory(): remove useless allocsize vs filesize
+ check
+CoverityScan rightly points that the max value for dircount16 * dirsize
+is 4096 * 20. That's small enough not to do any check
+Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/tiff/tree/debian/patches/CVE-2023-6277-3.patch?h=ubuntu/focal-security
+Upstream commit  https://gitlab.com/libtiff/libtiff/-/commit/de7bfd7d4377c266f81849579f696fa1ad5ba6c3]
+CVE: CVE-2023-6277
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ libtiff/tif_dirread.c | 18 ------------------
+ 1 file changed, 18 deletions(-)
+--- tiff-4.1.0+git191117.orig/libtiff/tif_dirread.c
+++ tiff-4.1.0+git191117/libtiff/tif_dirread.c
+@@ -4891,24 +4891,6 @@ TIFFFetchDirectory(TIFF* tif, uint64 dir
+                        dircount16 = (uint16)dircount64;
+                        dirsize = 20;
+                }
+-               const uint64 allocsize = (uint64)dircount16 * dirsize;
+-               if (allocsize > 100 * 1024 * 1024)
+-               {
+-                       /* Before allocating a huge amount of memory for corrupted files,
+-                        * check if size of requested memory is not greater than file size.
+-                        */
+-                       const uint64 filesize = TIFFGetFileSize(tif);
+-                       if (allocsize > filesize)
+-                       {
+-                               TIFFWarningExt(
+-                                       tif->tif_clientdata, module,
+-                                       "Requested memory size for TIFF directory of %" PRIu64
+-                                       " is greater than filesize %" PRIu64
+-                                       ". Memory not allocated, TIFF directory not read",
+-                                       allocsize, filesize);
+-                               return 0;
+-                       }
+-               }
+                origdir = _TIFFCheckMalloc(tif, dircount16,
+                    dirsize, "to read TIFF directory");
+                if (origdir == NULL)

diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2023-6277-3.patch b/meta/recipes-multimedia/libtiff/files/CVE-2023-6277-3.patch new file mode 100644 index 0000000000..ed7d7e7b96 --- /dev/null +++ b/meta/recipes-multimedia/libtiff/files/CVE-2023-6277-3.patch
@@ -0,0 +1,46 @@
	1	Backport of:
	2
	3	From de7bfd7d4377c266f81849579f696fa1ad5ba6c3 Mon Sep 17 00:00:00 2001
	4	From: Even Rouault <even.rouault@spatialys.com>
	5	Date: Tue, 31 Oct 2023 20:13:45 +0100
	6	Subject: [PATCH] TIFFFetchDirectory(): remove useless allocsize vs filesize
	7	check
	8
	9	CoverityScan rightly points that the max value for dircount16 * dirsize
	10	is 4096 * 20. That's small enough not to do any check
	11
	12	Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/tiff/tree/debian/patches/CVE-2023-6277-3.patch?h=ubuntu/focal-security
	13	Upstream commit https://gitlab.com/libtiff/libtiff/-/commit/de7bfd7d4377c266f81849579f696fa1ad5ba6c3]
	14	CVE: CVE-2023-6277
	15	Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
	16	---
	17	libtiff/tif_dirread.c \| 18 ------------------
	18	1 file changed, 18 deletions(-)
	19
	20	--- tiff-4.1.0+git191117.orig/libtiff/tif_dirread.c
	21	+++ tiff-4.1.0+git191117/libtiff/tif_dirread.c
	22	@@ -4891,24 +4891,6 @@ TIFFFetchDirectory(TIFF* tif, uint64 dir
	23	dircount16 = (uint16)dircount64;
	24	dirsize = 20;
	25	}
	26	- const uint64 allocsize = (uint64)dircount16 * dirsize;
	27	- if (allocsize > 100 * 1024 * 1024)
	28	- {
	29	- /* Before allocating a huge amount of memory for corrupted files,
	30	- * check if size of requested memory is not greater than file size.
	31	- */
	32	- const uint64 filesize = TIFFGetFileSize(tif);
	33	- if (allocsize > filesize)
	34	- {
	35	- TIFFWarningExt(
	36	- tif->tif_clientdata, module,
	37	- "Requested memory size for TIFF directory of %" PRIu64
	38	- " is greater than filesize %" PRIu64
	39	- ". Memory not allocated, TIFF directory not read",
	40	- allocsize, filesize);
	41	- return 0;
	42	- }
	43	- }
	44	origdir = _TIFFCheckMalloc(tif, dircount16,
	45	dirsize, "to read TIFF directory");
	46	if (origdir == NULL)