diff options
Diffstat (limited to 'meta/recipes-multimedia/libtiff/tiff/0006-fix-heap-buffer-overflow-in-tiffcp-278.patch')
-rw-r--r-- | meta/recipes-multimedia/libtiff/tiff/0006-fix-heap-buffer-overflow-in-tiffcp-278.patch | 57 |
1 files changed, 0 insertions, 57 deletions
diff --git a/meta/recipes-multimedia/libtiff/tiff/0006-fix-heap-buffer-overflow-in-tiffcp-278.patch b/meta/recipes-multimedia/libtiff/tiff/0006-fix-heap-buffer-overflow-in-tiffcp-278.patch deleted file mode 100644 index afd5e59960..0000000000 --- a/meta/recipes-multimedia/libtiff/tiff/0006-fix-heap-buffer-overflow-in-tiffcp-278.patch +++ /dev/null | |||
@@ -1,57 +0,0 @@ | |||
1 | CVE: CVE-2022-0924 | ||
2 | Upstream-Status: Backport | ||
3 | Signed-off-by: Ross Burton <ross.burton@arm.com> | ||
4 | |||
5 | From 1074b9691322b1e3671cd8ea0b6b3509d08978fb Mon Sep 17 00:00:00 2001 | ||
6 | From: 4ugustus <wangdw.augustus@qq.com> | ||
7 | Date: Thu, 10 Mar 2022 08:48:00 +0000 | ||
8 | Subject: [PATCH 6/6] fix heap buffer overflow in tiffcp (#278) | ||
9 | |||
10 | --- | ||
11 | tools/tiffcp.c | 17 ++++++++++++++++- | ||
12 | 1 file changed, 16 insertions(+), 1 deletion(-) | ||
13 | |||
14 | diff --git a/tools/tiffcp.c b/tools/tiffcp.c | ||
15 | index 1f889516..552d8fad 100644 | ||
16 | --- a/tools/tiffcp.c | ||
17 | +++ b/tools/tiffcp.c | ||
18 | @@ -1661,12 +1661,27 @@ DECLAREwriteFunc(writeBufferToSeparateStrips) | ||
19 | tdata_t obuf; | ||
20 | tstrip_t strip = 0; | ||
21 | tsample_t s; | ||
22 | + uint16_t bps = 0, bytes_per_sample; | ||
23 | |||
24 | obuf = limitMalloc(stripsize); | ||
25 | if (obuf == NULL) | ||
26 | return (0); | ||
27 | _TIFFmemset(obuf, 0, stripsize); | ||
28 | (void) TIFFGetFieldDefaulted(out, TIFFTAG_ROWSPERSTRIP, &rowsperstrip); | ||
29 | + (void) TIFFGetField(out, TIFFTAG_BITSPERSAMPLE, &bps); | ||
30 | + if( bps == 0 ) | ||
31 | + { | ||
32 | + TIFFError(TIFFFileName(out), "Error, cannot read BitsPerSample"); | ||
33 | + _TIFFfree(obuf); | ||
34 | + return 0; | ||
35 | + } | ||
36 | + if( (bps % 8) != 0 ) | ||
37 | + { | ||
38 | + TIFFError(TIFFFileName(out), "Error, cannot handle BitsPerSample that is not a multiple of 8"); | ||
39 | + _TIFFfree(obuf); | ||
40 | + return 0; | ||
41 | + } | ||
42 | + bytes_per_sample = bps/8; | ||
43 | for (s = 0; s < spp; s++) { | ||
44 | uint32_t row; | ||
45 | for (row = 0; row < imagelength; row += rowsperstrip) { | ||
46 | @@ -1676,7 +1691,7 @@ DECLAREwriteFunc(writeBufferToSeparateStrips) | ||
47 | |||
48 | cpContigBufToSeparateBuf( | ||
49 | obuf, (uint8_t*) buf + row * rowsize + s, | ||
50 | - nrows, imagewidth, 0, 0, spp, 1); | ||
51 | + nrows, imagewidth, 0, 0, spp, bytes_per_sample); | ||
52 | if (TIFFWriteEncodedStrip(out, strip++, obuf, stripsize) < 0) { | ||
53 | TIFFError(TIFFFileName(out), | ||
54 | "Error, can't write strip %"PRIu32, | ||
55 | -- | ||
56 | 2.25.1 | ||
57 | |||