1 files changed, 94 insertions, 0 deletions
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2023-6277-4.patch b/meta/recipes-multimedia/libtiff/files/CVE-2023-6277-4.patch
new file mode 100644
index 0000000000..1a43fd3230
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2023-6277-4.patch
@@ -0,0 +1,94 @@
+[Ubuntu note: Backport of the following patch from upstream, with a few changes
+to match the current version of the file in the present Ubuntu release:
+ . using TIFFWarningExt instead of TIFFWarningExtR (the latter did not exist yet);
+ . using uint64 instead of uint64_t to preserve the current code usage;
+ . calling _TIFFfree(data) instead of _TIFFfreeExt(tif, data) (the latter did not exist yet);
+-- Rodrigo Figueiredo Zaiden]
+Backport of:
+From dbb825a8312f30e63a06c272010967d51af5c35a Mon Sep 17 00:00:00 2001
+From: Even Rouault <even.rouault@spatialys.com>
+Date: Tue, 31 Oct 2023 21:30:58 +0100
+Subject: [PATCH] tif_dirread.c: only issue TIFFGetFileSize() for large enough
+ RAM requests
+Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/tiff/tree/debian/patches/CVE-2023-6277-4.patch?h=ubuntu/focal-security
+Upstream commit  https://gitlab.com/libtiff/libtiff/-/commit/dbb825a8312f30e63a06c272010967d51af5c35a]
+CVE: CVE-2023-6277
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ libtiff/tif_dirread.c | 54 +++++++++++++++++++++++++------------------
+ 1 file changed, 31 insertions(+), 23 deletions(-)
+--- tiff-4.1.0+git191117.orig/libtiff/tif_dirread.c
+++ tiff-4.1.0+git191117/libtiff/tif_dirread.c
+@@ -5822,19 +5822,24 @@ TIFFFetchStripThing(TIFF* tif, TIFFDirEn
+                        _TIFFfree(data);
+                        return(0);
+                }
+-               /* Before allocating a huge amount of memory for corrupted files, check
+-                * if size of requested memory is not greater than file size. */
+-               uint64 filesize = TIFFGetFileSize(tif);
+-               uint64 allocsize = (uint64)nstrips * sizeof(uint64);
+-               if (allocsize > filesize)
+               const uint64 allocsize = (uint64)nstrips * sizeof(uint64);
+               if (allocsize > 100 * 1024 * 1024)
+                {
+-                       TIFFWarningExt(tif->tif_clientdata, module,
+-                                                       "Requested memory size for StripArray of %" PRIu64
+-                                                       " is greather than filesize %" PRIu64
+-                                                       ". Memory not allocated",
+-                                                       allocsize, filesize);
+-                       _TIFFfree(data);
+-                       return (0);
+                       /* Before allocating a huge amount of memory for corrupted files,
+                               * check if size of requested memory is not greater than file size.
+                               */
+                       const uint64 filesize = TIFFGetFileSize(tif);
+                       if (allocsize > filesize)
+                       {
+                               TIFFWarningExt(
+                                       tif->tif_clientdata, module,
+                                       "Requested memory size for StripArray of %" PRIu64
+                                       " is greater than filesize %" PRIu64
+                                       ". Memory not allocated",
+                                       allocsize, filesize);
+                               _TIFFfree(data);
+                               return (0);
+                       }
+                }
+                resizeddata=(uint64*)_TIFFCheckMalloc(tif,nstrips,sizeof(uint64),"for strip array");
+                if (resizeddata==0) {
+@@ -5935,17 +5940,20 @@ static void allocChoppedUpStripArrays(TI
+         * size of StripByteCount and StripOffset tags is not greater than
+         * file size.
+         */
+-       uint64 allocsize = (uint64)nstrips * sizeof(uint64) * 2;
+-       uint64 filesize = TIFFGetFileSize(tif);
+-       if (allocsize > filesize)
+-       {
+-               TIFFWarningExt(tif->tif_clientdata, "allocChoppedUpStripArrays",
+-                                               "Requested memory size for StripByteCount and "
+-                                               "StripOffsets %" PRIu64
+-                                               " is greather than filesize %" PRIu64
+-                                               ". Memory not allocated",
+-                                               allocsize, filesize);
+-               return;
+    const uint64 allocsize = (uint64)nstrips * sizeof(uint64) * 2;
+    if (allocsize > 100 * 1024 * 1024)
+    {
+        const uint64 filesize = TIFFGetFileSize(tif);
+        if (allocsize > filesize)
+        {
+            TIFFWarningExt(tif->tif_clientdata, "allocChoppedUpStripArrays",
+                            "Requested memory size for StripByteCount and "
+                            "StripOffsets %" PRIu64
+                            " is greater than filesize %" PRIu64
+                            ". Memory not allocated",
+                            allocsize, filesize);
+            return;
+        }
+        }
+ 
+     newcounts = (uint64*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64),

diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2023-6277-4.patch b/meta/recipes-multimedia/libtiff/files/CVE-2023-6277-4.patch new file mode 100644 index 0000000000..1a43fd3230 --- /dev/null +++ b/meta/recipes-multimedia/libtiff/files/CVE-2023-6277-4.patch
@@ -0,0 +1,94 @@
	1	[Ubuntu note: Backport of the following patch from upstream, with a few changes
	2	to match the current version of the file in the present Ubuntu release:
	3	. using TIFFWarningExt instead of TIFFWarningExtR (the latter did not exist yet);
	4	. using uint64 instead of uint64_t to preserve the current code usage;
	5	. calling _TIFFfree(data) instead of _TIFFfreeExt(tif, data) (the latter did not exist yet);
	6	-- Rodrigo Figueiredo Zaiden]
	7
	8	Backport of:
	9
	10	From dbb825a8312f30e63a06c272010967d51af5c35a Mon Sep 17 00:00:00 2001
	11	From: Even Rouault <even.rouault@spatialys.com>
	12	Date: Tue, 31 Oct 2023 21:30:58 +0100
	13	Subject: [PATCH] tif_dirread.c: only issue TIFFGetFileSize() for large enough
	14	RAM requests
	15
	16	Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/tiff/tree/debian/patches/CVE-2023-6277-4.patch?h=ubuntu/focal-security
	17	Upstream commit https://gitlab.com/libtiff/libtiff/-/commit/dbb825a8312f30e63a06c272010967d51af5c35a]
	18	CVE: CVE-2023-6277
	19	Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
	20	---
	21	libtiff/tif_dirread.c \| 54 +++++++++++++++++++++++++------------------
	22	1 file changed, 31 insertions(+), 23 deletions(-)
	23
	24	--- tiff-4.1.0+git191117.orig/libtiff/tif_dirread.c
	25	+++ tiff-4.1.0+git191117/libtiff/tif_dirread.c
	26	@@ -5822,19 +5822,24 @@ TIFFFetchStripThing(TIFF* tif, TIFFDirEn
	27	_TIFFfree(data);
	28	return(0);
	29	}
	30	- /* Before allocating a huge amount of memory for corrupted files, check
	31	- * if size of requested memory is not greater than file size. */
	32	- uint64 filesize = TIFFGetFileSize(tif);
	33	- uint64 allocsize = (uint64)nstrips * sizeof(uint64);
	34	- if (allocsize > filesize)
	35	+ const uint64 allocsize = (uint64)nstrips * sizeof(uint64);
	36	+ if (allocsize > 100 * 1024 * 1024)
	37	{
	38	- TIFFWarningExt(tif->tif_clientdata, module,
	39	- "Requested memory size for StripArray of %" PRIu64
	40	- " is greather than filesize %" PRIu64
	41	- ". Memory not allocated",
	42	- allocsize, filesize);
	43	- _TIFFfree(data);
	44	- return (0);
	45	+ /* Before allocating a huge amount of memory for corrupted files,
	46	+ * check if size of requested memory is not greater than file size.
	47	+ */
	48	+ const uint64 filesize = TIFFGetFileSize(tif);
	49	+ if (allocsize > filesize)
	50	+ {
	51	+ TIFFWarningExt(
	52	+ tif->tif_clientdata, module,
	53	+ "Requested memory size for StripArray of %" PRIu64
	54	+ " is greater than filesize %" PRIu64
	55	+ ". Memory not allocated",
	56	+ allocsize, filesize);
	57	+ _TIFFfree(data);
	58	+ return (0);
	59	+ }
	60	}
	61	resizeddata=(uint64*)_TIFFCheckMalloc(tif,nstrips,sizeof(uint64),"for strip array");
	62	if (resizeddata==0) {
	63	@@ -5935,17 +5940,20 @@ static void allocChoppedUpStripArrays(TI
	64	* size of StripByteCount and StripOffset tags is not greater than
	65	* file size.
	66	*/
	67	- uint64 allocsize = (uint64)nstrips * sizeof(uint64) * 2;
	68	- uint64 filesize = TIFFGetFileSize(tif);
	69	- if (allocsize > filesize)
	70	- {
	71	- TIFFWarningExt(tif->tif_clientdata, "allocChoppedUpStripArrays",
	72	- "Requested memory size for StripByteCount and "
	73	- "StripOffsets %" PRIu64
	74	- " is greather than filesize %" PRIu64
	75	- ". Memory not allocated",
	76	- allocsize, filesize);
	77	- return;
	78	+ const uint64 allocsize = (uint64)nstrips * sizeof(uint64) * 2;
	79	+ if (allocsize > 100 * 1024 * 1024)
	80	+ {
	81	+ const uint64 filesize = TIFFGetFileSize(tif);
	82	+ if (allocsize > filesize)
	83	+ {
	84	+ TIFFWarningExt(tif->tif_clientdata, "allocChoppedUpStripArrays",
	85	+ "Requested memory size for StripByteCount and "
	86	+ "StripOffsets %" PRIu64
	87	+ " is greater than filesize %" PRIu64
	88	+ ". Memory not allocated",
	89	+ allocsize, filesize);
	90	+ return;
	91	+ }
	92	}
	93
	94	newcounts = (uint64*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64),