Diffstat (limited to 'meta/recipes-multimedia/libtiff/files/CVE-2023-6277-4.patch')
-rw-r--r-- | meta/recipes-multimedia/libtiff/files/CVE-2023-6277-4.patch | 94 |
1 files changed, 94 insertions, 0 deletions
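diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2023-6277-4.patch b/meta/recipes-multimedia/libtiff/files/CVE-2023-6277-4.patch
new file mode 100644
index 0000000000..1a43fd3230
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2023-6277-4.patch
@@ -0,0 +1,94 @@
+[Ubuntu note: Backport of the following patch from upstream, with a few changes
+to match the current version of the file in the present Ubuntu release:
+. using TIFFWarningExt instead of TIFFWarningExtR (the latter did not exist yet);
+. using uint64 instead of uint64_t to preserve the current code usage;
+. calling _TIFFfree(data) instead of _TIFFfreeExt(tif, data) (the latter did not exist yet);
+-- Rodrigo Figueiredo Zaiden]
+
+Backport of:
+
+From dbb825a8312f30e63a06c272010967d51af5c35a Mon Sep 17 00:00:00 2001
+From: Even Rouault <even.rouault@spatialys.com>
+Date: Tue, 31 Oct 2023 21:30:58 +0100
+Subject: [PATCH] tif_dirread.c: only issue TIFFGetFileSize() for large enough
+RAM requests
+
+Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/tiff/tree/debian/patches/CVE-2023-6277-4.patch?h=ubuntu/focal-security
+Upstream commit https://gitlab.com/libtiff/libtiff/-/commit/dbb825a8312f30e63a06c272010967d51af5c35a]
+CVE: CVE-2023-6277
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+libtiff/tif_dirread.c | 54 +++++++++++++++++++++++++------------------
+1 file changed, 31 insertions(+), 23 deletions(-)
+
+--- tiff-4.1.0+git191117.orig/libtiff/tif_dirread.c
++++ tiff-4.1.0+git191117/libtiff/tif_dirread.c
+@@ -5822,19 +5822,24 @@ TIFFFetchStripThing(TIFF* tif, TIFFDirEn
+_TIFFfree(data);
+return(0);
+}
+- /* Before allocating a huge amount of memory for corrupted files, check
+- * if size of requested memory is not greater than file size. */
+- uint64 filesize = TIFFGetFileSize(tif);
+- uint64 allocsize = (uint64)nstrips * sizeof(uint64);
+- if (allocsize > filesize)
++ const uint64 allocsize = (uint64)nstrips * sizeof(uint64);
++ if (allocsize > 100 * 1024 * 1024)
+{
+- TIFFWarningExt(tif->tif_clientdata, module,
+- "Requested memory size for StripArray of %" PRIu64
+- " is greather than filesize %" PRIu64
+- ". Memory not allocated",
+- allocsize, filesize);
+- _TIFFfree(data);
+- return (0);
++ /* Before allocating a huge amount of memory for corrupted files,
++ * check if size of requested memory is not greater than file size.
++ */
++ const uint64 filesize = TIFFGetFileSize(tif);
++ if (allocsize > filesize)
++ {
++ TIFFWarningExt(
++ tif->tif_clientdata, module,
++ "Requested memory size for StripArray of %" PRIu64
++ " is greater than filesize %" PRIu64
++ ". Memory not allocated",
++ allocsize, filesize);
++ _TIFFfree(data);
++ return (0);
++ }
+}
+resizeddata=(uint64*)_TIFFCheckMalloc(tif,nstrips,sizeof(uint64),"for strip array");
+if (resizeddata==0) {
+@@ -5935,17 +5940,20 @@ static void allocChoppedUpStripArrays(TI
+* size of StripByteCount and StripOffset tags is not greater than
+* file size.
+*/
+- uint64 allocsize = (uint64)nstrips * sizeof(uint64) * 2;
+- uint64 filesize = TIFFGetFileSize(tif);
+- if (allocsize > filesize)
+- {
+- TIFFWarningExt(tif->tif_clientdata, "allocChoppedUpStripArrays",
+- "Requested memory size for StripByteCount and "
+- "StripOffsets %" PRIu64
+- " is greather than filesize %" PRIu64
+- ". Memory not allocated",
+- allocsize, filesize);
+- return;
++ const uint64 allocsize = (uint64)nstrips * sizeof(uint64) * 2;
++ if (allocsize > 100 * 1024 * 1024)
++ {
++ const uint64 filesize = TIFFGetFileSize(tif);
++ if (allocsize > filesize)
++ {
++ TIFFWarningExt(tif->tif_clientdata, "allocChoppedUpStripArrays",
++ "Requested memory size for StripByteCount and "
++ "StripOffsets %" PRIu64
++ " is greater than filesize %" PRIu64
++ ". Memory not allocated",
++ allocsize, filesize);
++ return;
++ }
+}
+
+newcounts = (uint64*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64),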
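Review bot: The `100 * 1024 * 1024` cutoff is a bare literal repeated in both inner hunks (TIFFFetchStripThing at patch line 36, allocChoppedUpStripArrays at patch line 79), with no comment saying what it trades away. With this backport a strip-array request at or below 100 MiB is no longer compared with the file size, so a small corrupted file can still reach `_TIFFCheckMalloc` with an allocation of that size. Going by the subject line this looks like the intended cost of not calling `TIFFGetFileSize()` on every request, but it matters on memory-constrained targets and should be recorded. I would add beside each test a comment such as `/* Requests <= 100 MiB skip the file-size check to avoid TIFFGetFileSize(); only larger ones are validated. */`, and reword the retained comment above the test in allocChoppedUpStripArrays, which still reads as if the check were unconditional. Both functions begin and end outside the hunks shown.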