1 files changed, 0 insertions, 103 deletions
diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2019-17546.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2019-17546.patch
deleted file mode 100644
index 04c5410930..0000000000
--- a/meta/recipes-multimedia/libtiff/tiff/CVE-2019-17546.patch
+++ /dev/null
@@ -1,103 +0,0 @@
-libtiff: fix CVE-2019-17546
-Added after 4.0.10 release.
-CVE: CVE-2019-17546
-Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff]
-Signed-off-by: Joe Slater <joe.slater@windriver.com>
-commit 4bb584a35f87af42d6cf09d15e9ce8909a839145
-Author: Even Rouault <even.rouault@spatialys.com>
-Date:   Thu Aug 15 15:05:28 2019 +0200
-    RGBA interface: fix integer overflow potentially causing write heap buffer overflow, especially on 32 bit builds. Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=16443. Credit to OSS Fuzz
-diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c
-index c88b5fa..4da785d 100644
--- a/libtiff/tif_getimage.c
-+++ b/libtiff/tif_getimage.c
-@@ -949,16 +949,23 @@ gtStripContig(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
-        fromskew = (w < imagewidth ? imagewidth - w : 0);
-        for (row = 0; row < h; row += nrow)
-        {
-+               uint32 temp;
-                rowstoread = rowsperstrip - (row + img->row_offset) % rowsperstrip;
-                nrow = (row + rowstoread > h ? h - row : rowstoread);
-                nrowsub = nrow;
-                if ((nrowsub%subsamplingver)!=0)
-                        nrowsub+=subsamplingver-nrowsub%subsamplingver;
-+               temp = (row + img->row_offset)%rowsperstrip + nrowsub;
-+               if( scanline > 0 && temp > (size_t)(TIFF_TMSIZE_T_MAX / scanline) )
-+               {
-+                       TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "Integer overflow in gtStripContig");
-+                       return 0;
-+               }
-                if (_TIFFReadEncodedStripAndAllocBuffer(tif,
-                    TIFFComputeStrip(tif,row+img->row_offset, 0),
-                    (void**)(&buf),
-                     maxstripsize,
-                   ((row + img->row_offset)%rowsperstrip + nrowsub) * scanline)==(tmsize_t)(-1)
-+                   temp * scanline)==(tmsize_t)(-1)
-                    && (buf == NULL || img->stoponerr))
-                {
-                        ret = 0;
-@@ -1051,15 +1058,22 @@ gtStripSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
-        fromskew = (w < imagewidth ? imagewidth - w : 0);
-        for (row = 0; row < h; row += nrow)
-        {
-+                uint32 temp;
-                rowstoread = rowsperstrip - (row + img->row_offset) % rowsperstrip;
-                nrow = (row + rowstoread > h ? h - row : rowstoread);
-                offset_row = row + img->row_offset;
-+                temp = (row + img->row_offset)%rowsperstrip + nrow;
-+                if( scanline > 0 && temp > (size_t)(TIFF_TMSIZE_T_MAX / scanline) )
-+                {
-+                        TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "Integer overflow in gtStripSeparate");
-+                        return 0;
-+                }
-                 if( buf == NULL )
-                 {
-                     if (_TIFFReadEncodedStripAndAllocBuffer(
-                             tif, TIFFComputeStrip(tif, offset_row, 0),
-                             (void**) &buf, bufsize,
-                            ((row + img->row_offset)%rowsperstrip + nrow) * scanline)==(tmsize_t)(-1)
-+                            temp * scanline)==(tmsize_t)(-1)
-                         && (buf == NULL || img->stoponerr))
-                     {
-                             ret = 0;
-@@ -1079,7 +1093,7 @@ gtStripSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
-                     }
-                 }
-                else if (TIFFReadEncodedStrip(tif, TIFFComputeStrip(tif, offset_row, 0),
-                   p0, ((row + img->row_offset)%rowsperstrip + nrow) * scanline)==(tmsize_t)(-1)
-+                   p0, temp * scanline)==(tmsize_t)(-1)
-                    && img->stoponerr)
-                {
-                        ret = 0;
-@@ -1087,7 +1101,7 @@ gtStripSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
-                }
-                if (colorchannels > 1 
-                     && TIFFReadEncodedStrip(tif, TIFFComputeStrip(tif, offset_row, 1),
-                                            p1, ((row + img->row_offset)%rowsperstrip + nrow) * scanline) == (tmsize_t)(-1)
-+                                            p1, temp * scanline) == (tmsize_t)(-1)
-                    && img->stoponerr)
-                {
-                        ret = 0;
-@@ -1095,7 +1109,7 @@ gtStripSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
-                }
-                if (colorchannels > 1 
-                     && TIFFReadEncodedStrip(tif, TIFFComputeStrip(tif, offset_row, 2),
-                                            p2, ((row + img->row_offset)%rowsperstrip + nrow) * scanline) == (tmsize_t)(-1)
-+                                            p2, temp * scanline) == (tmsize_t)(-1)
-                    && img->stoponerr)
-                {
-                        ret = 0;
-@@ -1104,7 +1118,7 @@ gtStripSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
-                if (alpha)
-                {
-                        if (TIFFReadEncodedStrip(tif, TIFFComputeStrip(tif, offset_row, colorchannels),
-                           pa, ((row + img->row_offset)%rowsperstrip + nrow) * scanline)==(tmsize_t)(-1)
-+                           pa, temp * scanline)==(tmsize_t)(-1)
-                            && img->stoponerr)
-                        {
-                                ret = 0;

diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2019-17546.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2019-17546.patch deleted file mode 100644 index 04c5410930..0000000000 --- a/meta/recipes-multimedia/libtiff/tiff/CVE-2019-17546.patch +++ /dev/null
@@ -1,103 +0,0 @@
1	libtiff: fix CVE-2019-17546
2
3	Added after 4.0.10 release.
4
5	CVE: CVE-2019-17546
6	Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff]
7	Signed-off-by: Joe Slater <joe.slater@windriver.com>
8
9	commit 4bb584a35f87af42d6cf09d15e9ce8909a839145
10	Author: Even Rouault <even.rouault@spatialys.com>
11	Date: Thu Aug 15 15:05:28 2019 +0200
12
13	RGBA interface: fix integer overflow potentially causing write heap buffer overflow, especially on 32 bit builds. Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=16443. Credit to OSS Fuzz
14
15	diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c
16	index c88b5fa..4da785d 100644
17	--- a/libtiff/tif_getimage.c
18	+++ b/libtiff/tif_getimage.c
19	@@ -949,16 +949,23 @@ gtStripContig(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
20	fromskew = (w < imagewidth ? imagewidth - w : 0);
21	for (row = 0; row < h; row += nrow)
22	{
23	+ uint32 temp;
24	rowstoread = rowsperstrip - (row + img->row_offset) % rowsperstrip;
25	nrow = (row + rowstoread > h ? h - row : rowstoread);
26	nrowsub = nrow;
27	if ((nrowsub%subsamplingver)!=0)
28	nrowsub+=subsamplingver-nrowsub%subsamplingver;
29	+ temp = (row + img->row_offset)%rowsperstrip + nrowsub;
30	+ if( scanline > 0 && temp > (size_t)(TIFF_TMSIZE_T_MAX / scanline) )
31	+ {
32	+ TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "Integer overflow in gtStripContig");
33	+ return 0;
34	+ }
35	if (_TIFFReadEncodedStripAndAllocBuffer(tif,
36	TIFFComputeStrip(tif,row+img->row_offset, 0),
37	(void**)(&buf),
38	maxstripsize,
39	- ((row + img->row_offset)%rowsperstrip + nrowsub) * scanline)==(tmsize_t)(-1)
40	+ temp * scanline)==(tmsize_t)(-1)
41	&& (buf == NULL \|\| img->stoponerr))
42	{
43	ret = 0;
44	@@ -1051,15 +1058,22 @@ gtStripSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
45	fromskew = (w < imagewidth ? imagewidth - w : 0);
46	for (row = 0; row < h; row += nrow)
47	{
48	+ uint32 temp;
49	rowstoread = rowsperstrip - (row + img->row_offset) % rowsperstrip;
50	nrow = (row + rowstoread > h ? h - row : rowstoread);
51	offset_row = row + img->row_offset;
52	+ temp = (row + img->row_offset)%rowsperstrip + nrow;
53	+ if( scanline > 0 && temp > (size_t)(TIFF_TMSIZE_T_MAX / scanline) )
54	+ {
55	+ TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "Integer overflow in gtStripSeparate");
56	+ return 0;
57	+ }
58	if( buf == NULL )
59	{
60	if (_TIFFReadEncodedStripAndAllocBuffer(
61	tif, TIFFComputeStrip(tif, offset_row, 0),
62	(void**) &buf, bufsize,
63	- ((row + img->row_offset)%rowsperstrip + nrow) * scanline)==(tmsize_t)(-1)
64	+ temp * scanline)==(tmsize_t)(-1)
65	&& (buf == NULL \|\| img->stoponerr))
66	{
67	ret = 0;
68	@@ -1079,7 +1093,7 @@ gtStripSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
69	}
70	}
71	else if (TIFFReadEncodedStrip(tif, TIFFComputeStrip(tif, offset_row, 0),
72	- p0, ((row + img->row_offset)%rowsperstrip + nrow) * scanline)==(tmsize_t)(-1)
73	+ p0, temp * scanline)==(tmsize_t)(-1)
74	&& img->stoponerr)
75	{
76	ret = 0;
77	@@ -1087,7 +1101,7 @@ gtStripSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
78	}
79	if (colorchannels > 1
80	&& TIFFReadEncodedStrip(tif, TIFFComputeStrip(tif, offset_row, 1),
81	- p1, ((row + img->row_offset)%rowsperstrip + nrow) * scanline) == (tmsize_t)(-1)
82	+ p1, temp * scanline) == (tmsize_t)(-1)
83	&& img->stoponerr)
84	{
85	ret = 0;
86	@@ -1095,7 +1109,7 @@ gtStripSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
87	}
88	if (colorchannels > 1
89	&& TIFFReadEncodedStrip(tif, TIFFComputeStrip(tif, offset_row, 2),
90	- p2, ((row + img->row_offset)%rowsperstrip + nrow) * scanline) == (tmsize_t)(-1)
91	+ p2, temp * scanline) == (tmsize_t)(-1)
92	&& img->stoponerr)
93	{
94	ret = 0;
95	@@ -1104,7 +1118,7 @@ gtStripSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
96	if (alpha)
97	{
98	if (TIFFReadEncodedStrip(tif, TIFFComputeStrip(tif, offset_row, colorchannels),
99	- pa, ((row + img->row_offset)%rowsperstrip + nrow) * scanline)==(tmsize_t)(-1)
100	+ pa, temp * scanline)==(tmsize_t)(-1)
101	&& img->stoponerr)
102	{
103	ret = 0;