1 files changed, 212 insertions, 0 deletions
diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2022-1354.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2022-1354.patch
new file mode 100644
index 0000000000..71b85cac10
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2022-1354.patch
@@ -0,0 +1,212 @@
+From 87881e093691a35c60b91cafed058ba2dd5d9807 Mon Sep 17 00:00:00 2001
+From: Even Rouault <even.rouault@spatialys.com>
+Date: Sun, 5 Dec 2021 14:37:46 +0100
+Subject: [PATCH] TIFFReadDirectory: fix OJPEG hack (fixes #319)
+to avoid having the size of the strip arrays inconsistent with the
+number of strips returned by TIFFNumberOfStrips(), which may cause
+out-ouf-bounds array read afterwards.
+One of the OJPEG hack that alters SamplesPerPixel may influence the
+number of strips. Hence compute tif_dir.td_nstrips only afterwards.
+CVE: CVE-2022-1354
+Upstream-Status: Backport
+[https://gitlab.com/libtiff/libtiff/-/commit/87f580f39011109b3bb5f6eca13fac543a542798]
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ libtiff/tif_dirread.c | 162 ++++++++++++++++++++++--------------------
+ 1 file changed, 83 insertions(+), 79 deletions(-)
+diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c
+index 8f434ef5..14c031d1 100644
+--- a/libtiff/tif_dirread.c
+++ b/libtiff/tif_dirread.c
+@@ -3794,50 +3794,7 @@ TIFFReadDirectory(TIFF* tif)
+                MissingRequired(tif,"ImageLength");
+                goto bad;
+        }
+-       /*
+-        * Setup appropriate structures (by strip or by tile)
+-        */
+-       if (!TIFFFieldSet(tif, FIELD_TILEDIMENSIONS)) {
+-               tif->tif_dir.td_nstrips = TIFFNumberOfStrips(tif);  
+-               tif->tif_dir.td_tilewidth = tif->tif_dir.td_imagewidth;
+-               tif->tif_dir.td_tilelength = tif->tif_dir.td_rowsperstrip;
+-               tif->tif_dir.td_tiledepth = tif->tif_dir.td_imagedepth;
+-               tif->tif_flags &= ~TIFF_ISTILED;
+-       } else {
+-               tif->tif_dir.td_nstrips = TIFFNumberOfTiles(tif);
+-               tif->tif_flags |= TIFF_ISTILED;
+-       }
+-       if (!tif->tif_dir.td_nstrips) {
+-               TIFFErrorExt(tif->tif_clientdata, module,
+-                   "Cannot handle zero number of %s",
+-                   isTiled(tif) ? "tiles" : "strips");
+-               goto bad;
+-       }
+-       tif->tif_dir.td_stripsperimage = tif->tif_dir.td_nstrips;
+-       if (tif->tif_dir.td_planarconfig == PLANARCONFIG_SEPARATE)
+-               tif->tif_dir.td_stripsperimage /= tif->tif_dir.td_samplesperpixel;
+-       if (!TIFFFieldSet(tif, FIELD_STRIPOFFSETS)) {
+-#ifdef OJPEG_SUPPORT
+-               if ((tif->tif_dir.td_compression==COMPRESSION_OJPEG) &&
+-                   (isTiled(tif)==0) &&
+-                   (tif->tif_dir.td_nstrips==1)) {
+-                       /*
+-                        * XXX: OJPEG hack.
+-                        * If a) compression is OJPEG, b) it's not a tiled TIFF,
+-                        * and c) the number of strips is 1,
+-                        * then we tolerate the absence of stripoffsets tag,
+-                        * because, presumably, all required data is in the
+-                        * JpegInterchangeFormat stream.
+-                        */
+-                       TIFFSetFieldBit(tif, FIELD_STRIPOFFSETS);
+-               } else
+-#endif
+-        {
+-                       MissingRequired(tif,
+-                               isTiled(tif) ? "TileOffsets" : "StripOffsets");
+-                       goto bad;
+-               }
+-       }
+
+        /*
+         * Second pass: extract other information.
+         */
+@@ -4042,41 +3999,6 @@ TIFFReadDirectory(TIFF* tif)
+                        } /* -- if (!dp->tdir_ignore) */
+                } /* -- for-loop -- */
+ 
+-        if( tif->tif_mode == O_RDWR &&
+-            tif->tif_dir.td_stripoffset_entry.tdir_tag != 0 &&
+-            tif->tif_dir.td_stripoffset_entry.tdir_count == 0 &&
+-            tif->tif_dir.td_stripoffset_entry.tdir_type == 0 &&
+-            tif->tif_dir.td_stripoffset_entry.tdir_offset.toff_long8 == 0 &&
+-            tif->tif_dir.td_stripbytecount_entry.tdir_tag != 0 &&
+-            tif->tif_dir.td_stripbytecount_entry.tdir_count == 0 &&
+-            tif->tif_dir.td_stripbytecount_entry.tdir_type == 0 &&
+-            tif->tif_dir.td_stripbytecount_entry.tdir_offset.toff_long8 == 0 )
+-        {
+-            /* Directory typically created with TIFFDeferStrileArrayWriting() */
+-            TIFFSetupStrips(tif);
+-        }
+-        else if( !(tif->tif_flags&TIFF_DEFERSTRILELOAD) )
+-        {
+-            if( tif->tif_dir.td_stripoffset_entry.tdir_tag != 0 )
+-            {
+-                if (!TIFFFetchStripThing(tif,&(tif->tif_dir.td_stripoffset_entry),
+-                                         tif->tif_dir.td_nstrips,
+-                                         &tif->tif_dir.td_stripoffset_p))
+-                {
+-                    goto bad;
+-                }
+-            }
+-            if( tif->tif_dir.td_stripbytecount_entry.tdir_tag != 0 )
+-            {
+-                if (!TIFFFetchStripThing(tif,&(tif->tif_dir.td_stripbytecount_entry),
+-                                         tif->tif_dir.td_nstrips,
+-                                         &tif->tif_dir.td_stripbytecount_p))
+-                {
+-                    goto bad;
+-                }
+-            }
+-        }
+-
+        /*
+         * OJPEG hack:
+         * - If a) compression is OJPEG, and b) photometric tag is missing,
+@@ -4147,6 +4069,88 @@ TIFFReadDirectory(TIFF* tif)
+                }
+        }
+ 
+       /*
+        * Setup appropriate structures (by strip or by tile)
+        * We do that only after the above OJPEG hack which alters SamplesPerPixel
+        * and thus influences the number of strips in the separate planarconfig.
+        */
+       if (!TIFFFieldSet(tif, FIELD_TILEDIMENSIONS)) {
+               tif->tif_dir.td_nstrips = TIFFNumberOfStrips(tif);  
+               tif->tif_dir.td_tilewidth = tif->tif_dir.td_imagewidth;
+               tif->tif_dir.td_tilelength = tif->tif_dir.td_rowsperstrip;
+               tif->tif_dir.td_tiledepth = tif->tif_dir.td_imagedepth;
+               tif->tif_flags &= ~TIFF_ISTILED;
+       } else {
+               tif->tif_dir.td_nstrips = TIFFNumberOfTiles(tif);
+               tif->tif_flags |= TIFF_ISTILED;
+       }
+       if (!tif->tif_dir.td_nstrips) {
+               TIFFErrorExt(tif->tif_clientdata, module,
+                   "Cannot handle zero number of %s",
+                   isTiled(tif) ? "tiles" : "strips");
+               goto bad;
+       }
+       tif->tif_dir.td_stripsperimage = tif->tif_dir.td_nstrips;
+       if (tif->tif_dir.td_planarconfig == PLANARCONFIG_SEPARATE)
+               tif->tif_dir.td_stripsperimage /= tif->tif_dir.td_samplesperpixel;
+       if (!TIFFFieldSet(tif, FIELD_STRIPOFFSETS)) {
+#ifdef OJPEG_SUPPORT
+               if ((tif->tif_dir.td_compression==COMPRESSION_OJPEG) &&
+                   (isTiled(tif)==0) &&
+                   (tif->tif_dir.td_nstrips==1)) {
+                       /*
+                        * XXX: OJPEG hack.
+                        * If a) compression is OJPEG, b) it's not a tiled TIFF,
+                        * and c) the number of strips is 1,
+                        * then we tolerate the absence of stripoffsets tag,
+                        * because, presumably, all required data is in the
+                        * JpegInterchangeFormat stream.
+                        */
+                       TIFFSetFieldBit(tif, FIELD_STRIPOFFSETS);
+               } else
+#endif
+        {
+                       MissingRequired(tif,
+                               isTiled(tif) ? "TileOffsets" : "StripOffsets");
+                       goto bad;
+               }
+       }
+
+        if( tif->tif_mode == O_RDWR &&
+            tif->tif_dir.td_stripoffset_entry.tdir_tag != 0 &&
+            tif->tif_dir.td_stripoffset_entry.tdir_count == 0 &&
+            tif->tif_dir.td_stripoffset_entry.tdir_type == 0 &&
+            tif->tif_dir.td_stripoffset_entry.tdir_offset.toff_long8 == 0 &&
+            tif->tif_dir.td_stripbytecount_entry.tdir_tag != 0 &&
+            tif->tif_dir.td_stripbytecount_entry.tdir_count == 0 &&
+            tif->tif_dir.td_stripbytecount_entry.tdir_type == 0 &&
+            tif->tif_dir.td_stripbytecount_entry.tdir_offset.toff_long8 == 0 )
+        {
+            /* Directory typically created with TIFFDeferStrileArrayWriting() */
+            TIFFSetupStrips(tif);
+        }
+        else if( !(tif->tif_flags&TIFF_DEFERSTRILELOAD) )
+        {
+            if( tif->tif_dir.td_stripoffset_entry.tdir_tag != 0 )
+            {
+                if (!TIFFFetchStripThing(tif,&(tif->tif_dir.td_stripoffset_entry),
+                                         tif->tif_dir.td_nstrips,
+                                         &tif->tif_dir.td_stripoffset_p))
+                {
+                    goto bad;
+                }
+            }
+            if( tif->tif_dir.td_stripbytecount_entry.tdir_tag != 0 )
+            {
+                if (!TIFFFetchStripThing(tif,&(tif->tif_dir.td_stripbytecount_entry),
+                                         tif->tif_dir.td_nstrips,
+                                         &tif->tif_dir.td_stripbytecount_p))
+                {
+                    goto bad;
+                }
+            }
+        }
+
+        /*
+         * Make sure all non-color channels are extrasamples.
+         * If it's not the case, define them as such.
+-- 
+2.25.1

diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2022-1354.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2022-1354.patch new file mode 100644 index 0000000000..71b85cac10 --- /dev/null +++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2022-1354.patch
@@ -0,0 +1,212 @@
	1	From 87881e093691a35c60b91cafed058ba2dd5d9807 Mon Sep 17 00:00:00 2001
	2	From: Even Rouault <even.rouault@spatialys.com>
	3	Date: Sun, 5 Dec 2021 14:37:46 +0100
	4	Subject: [PATCH] TIFFReadDirectory: fix OJPEG hack (fixes #319)
	5
	6	to avoid having the size of the strip arrays inconsistent with the
	7	number of strips returned by TIFFNumberOfStrips(), which may cause
	8	out-ouf-bounds array read afterwards.
	9
	10	One of the OJPEG hack that alters SamplesPerPixel may influence the
	11	number of strips. Hence compute tif_dir.td_nstrips only afterwards.
	12
	13	CVE: CVE-2022-1354
	14
	15	Upstream-Status: Backport
	16	[https://gitlab.com/libtiff/libtiff/-/commit/87f580f39011109b3bb5f6eca13fac543a542798]
	17
	18	Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
	19	---
	20	libtiff/tif_dirread.c \| 162 ++++++++++++++++++++++--------------------
	21	1 file changed, 83 insertions(+), 79 deletions(-)
	22
	23	diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c
	24	index 8f434ef5..14c031d1 100644
	25	--- a/libtiff/tif_dirread.c
	26	+++ b/libtiff/tif_dirread.c
	27	@@ -3794,50 +3794,7 @@ TIFFReadDirectory(TIFF* tif)
	28	MissingRequired(tif,"ImageLength");
	29	goto bad;
	30	}
	31	- /*
	32	- * Setup appropriate structures (by strip or by tile)
	33	- */
	34	- if (!TIFFFieldSet(tif, FIELD_TILEDIMENSIONS)) {
	35	- tif->tif_dir.td_nstrips = TIFFNumberOfStrips(tif);
	36	- tif->tif_dir.td_tilewidth = tif->tif_dir.td_imagewidth;
	37	- tif->tif_dir.td_tilelength = tif->tif_dir.td_rowsperstrip;
	38	- tif->tif_dir.td_tiledepth = tif->tif_dir.td_imagedepth;
	39	- tif->tif_flags &= ~TIFF_ISTILED;
	40	- } else {
	41	- tif->tif_dir.td_nstrips = TIFFNumberOfTiles(tif);
	42	- tif->tif_flags \|= TIFF_ISTILED;
	43	- }
	44	- if (!tif->tif_dir.td_nstrips) {
	45	- TIFFErrorExt(tif->tif_clientdata, module,
	46	- "Cannot handle zero number of %s",
	47	- isTiled(tif) ? "tiles" : "strips");
	48	- goto bad;
	49	- }
	50	- tif->tif_dir.td_stripsperimage = tif->tif_dir.td_nstrips;
	51	- if (tif->tif_dir.td_planarconfig == PLANARCONFIG_SEPARATE)
	52	- tif->tif_dir.td_stripsperimage /= tif->tif_dir.td_samplesperpixel;
	53	- if (!TIFFFieldSet(tif, FIELD_STRIPOFFSETS)) {
	54	-#ifdef OJPEG_SUPPORT
	55	- if ((tif->tif_dir.td_compression==COMPRESSION_OJPEG) &&
	56	- (isTiled(tif)==0) &&
	57	- (tif->tif_dir.td_nstrips==1)) {
	58	- /*
	59	- * XXX: OJPEG hack.
	60	- * If a) compression is OJPEG, b) it's not a tiled TIFF,
	61	- * and c) the number of strips is 1,
	62	- * then we tolerate the absence of stripoffsets tag,
	63	- * because, presumably, all required data is in the
	64	- * JpegInterchangeFormat stream.
	65	- */
	66	- TIFFSetFieldBit(tif, FIELD_STRIPOFFSETS);
	67	- } else
	68	-#endif
	69	- {
	70	- MissingRequired(tif,
	71	- isTiled(tif) ? "TileOffsets" : "StripOffsets");
	72	- goto bad;
	73	- }
	74	- }
	75	+
	76	/*
	77	* Second pass: extract other information.
	78	*/
	79	@@ -4042,41 +3999,6 @@ TIFFReadDirectory(TIFF* tif)
	80	} /* -- if (!dp->tdir_ignore) */
	81	} /* -- for-loop -- */
	82
	83	- if( tif->tif_mode == O_RDWR &&
	84	- tif->tif_dir.td_stripoffset_entry.tdir_tag != 0 &&
	85	- tif->tif_dir.td_stripoffset_entry.tdir_count == 0 &&
	86	- tif->tif_dir.td_stripoffset_entry.tdir_type == 0 &&
	87	- tif->tif_dir.td_stripoffset_entry.tdir_offset.toff_long8 == 0 &&
	88	- tif->tif_dir.td_stripbytecount_entry.tdir_tag != 0 &&
	89	- tif->tif_dir.td_stripbytecount_entry.tdir_count == 0 &&
	90	- tif->tif_dir.td_stripbytecount_entry.tdir_type == 0 &&
	91	- tif->tif_dir.td_stripbytecount_entry.tdir_offset.toff_long8 == 0 )
	92	- {
	93	- /* Directory typically created with TIFFDeferStrileArrayWriting() */
	94	- TIFFSetupStrips(tif);
	95	- }
	96	- else if( !(tif->tif_flags&TIFF_DEFERSTRILELOAD) )
	97	- {
	98	- if( tif->tif_dir.td_stripoffset_entry.tdir_tag != 0 )
	99	- {
	100	- if (!TIFFFetchStripThing(tif,&(tif->tif_dir.td_stripoffset_entry),
	101	- tif->tif_dir.td_nstrips,
	102	- &tif->tif_dir.td_stripoffset_p))
	103	- {
	104	- goto bad;
	105	- }
	106	- }
	107	- if( tif->tif_dir.td_stripbytecount_entry.tdir_tag != 0 )
	108	- {
	109	- if (!TIFFFetchStripThing(tif,&(tif->tif_dir.td_stripbytecount_entry),
	110	- tif->tif_dir.td_nstrips,
	111	- &tif->tif_dir.td_stripbytecount_p))
	112	- {
	113	- goto bad;
	114	- }
	115	- }
	116	- }
	117	-
	118	/*
	119	* OJPEG hack:
	120	* - If a) compression is OJPEG, and b) photometric tag is missing,
	121	@@ -4147,6 +4069,88 @@ TIFFReadDirectory(TIFF* tif)
	122	}
	123	}
	124
	125	+ /*
	126	+ * Setup appropriate structures (by strip or by tile)
	127	+ * We do that only after the above OJPEG hack which alters SamplesPerPixel
	128	+ * and thus influences the number of strips in the separate planarconfig.
	129	+ */
	130	+ if (!TIFFFieldSet(tif, FIELD_TILEDIMENSIONS)) {
	131	+ tif->tif_dir.td_nstrips = TIFFNumberOfStrips(tif);
	132	+ tif->tif_dir.td_tilewidth = tif->tif_dir.td_imagewidth;
	133	+ tif->tif_dir.td_tilelength = tif->tif_dir.td_rowsperstrip;
	134	+ tif->tif_dir.td_tiledepth = tif->tif_dir.td_imagedepth;
	135	+ tif->tif_flags &= ~TIFF_ISTILED;
	136	+ } else {
	137	+ tif->tif_dir.td_nstrips = TIFFNumberOfTiles(tif);
	138	+ tif->tif_flags \|= TIFF_ISTILED;
	139	+ }
	140	+ if (!tif->tif_dir.td_nstrips) {
	141	+ TIFFErrorExt(tif->tif_clientdata, module,
	142	+ "Cannot handle zero number of %s",
	143	+ isTiled(tif) ? "tiles" : "strips");
	144	+ goto bad;
	145	+ }
	146	+ tif->tif_dir.td_stripsperimage = tif->tif_dir.td_nstrips;
	147	+ if (tif->tif_dir.td_planarconfig == PLANARCONFIG_SEPARATE)
	148	+ tif->tif_dir.td_stripsperimage /= tif->tif_dir.td_samplesperpixel;
	149	+ if (!TIFFFieldSet(tif, FIELD_STRIPOFFSETS)) {
	150	+#ifdef OJPEG_SUPPORT
	151	+ if ((tif->tif_dir.td_compression==COMPRESSION_OJPEG) &&
	152	+ (isTiled(tif)==0) &&
	153	+ (tif->tif_dir.td_nstrips==1)) {
	154	+ /*
	155	+ * XXX: OJPEG hack.
	156	+ * If a) compression is OJPEG, b) it's not a tiled TIFF,
	157	+ * and c) the number of strips is 1,
	158	+ * then we tolerate the absence of stripoffsets tag,
	159	+ * because, presumably, all required data is in the
	160	+ * JpegInterchangeFormat stream.
	161	+ */
	162	+ TIFFSetFieldBit(tif, FIELD_STRIPOFFSETS);
	163	+ } else
	164	+#endif
	165	+ {
	166	+ MissingRequired(tif,
	167	+ isTiled(tif) ? "TileOffsets" : "StripOffsets");
	168	+ goto bad;
	169	+ }
	170	+ }
	171	+
	172	+ if( tif->tif_mode == O_RDWR &&
	173	+ tif->tif_dir.td_stripoffset_entry.tdir_tag != 0 &&
	174	+ tif->tif_dir.td_stripoffset_entry.tdir_count == 0 &&
	175	+ tif->tif_dir.td_stripoffset_entry.tdir_type == 0 &&
	176	+ tif->tif_dir.td_stripoffset_entry.tdir_offset.toff_long8 == 0 &&
	177	+ tif->tif_dir.td_stripbytecount_entry.tdir_tag != 0 &&
	178	+ tif->tif_dir.td_stripbytecount_entry.tdir_count == 0 &&
	179	+ tif->tif_dir.td_stripbytecount_entry.tdir_type == 0 &&
	180	+ tif->tif_dir.td_stripbytecount_entry.tdir_offset.toff_long8 == 0 )
	181	+ {
	182	+ /* Directory typically created with TIFFDeferStrileArrayWriting() */
	183	+ TIFFSetupStrips(tif);
	184	+ }
	185	+ else if( !(tif->tif_flags&TIFF_DEFERSTRILELOAD) )
	186	+ {
	187	+ if( tif->tif_dir.td_stripoffset_entry.tdir_tag != 0 )
	188	+ {
	189	+ if (!TIFFFetchStripThing(tif,&(tif->tif_dir.td_stripoffset_entry),
	190	+ tif->tif_dir.td_nstrips,
	191	+ &tif->tif_dir.td_stripoffset_p))
	192	+ {
	193	+ goto bad;
	194	+ }
	195	+ }
	196	+ if( tif->tif_dir.td_stripbytecount_entry.tdir_tag != 0 )
	197	+ {
	198	+ if (!TIFFFetchStripThing(tif,&(tif->tif_dir.td_stripbytecount_entry),
	199	+ tif->tif_dir.td_nstrips,
	200	+ &tif->tif_dir.td_stripbytecount_p))
	201	+ {
	202	+ goto bad;
	203	+ }
	204	+ }
	205	+ }
	206	+
	207	/*
	208	* Make sure all non-color channels are extrasamples.
	209	* If it's not the case, define them as such.
	210	--
	211	2.25.1
	212