1 files changed, 62 insertions, 0 deletions
diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2022-1355.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2022-1355.patch
new file mode 100644
index 0000000000..e59f5aad55
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2022-1355.patch
@@ -0,0 +1,62 @@
+From fb1db384959698edd6caeea84e28253d272a0f96 Mon Sep 17 00:00:00 2001
+From: Su_Laus <sulau@freenet.de>
+Date: Sat, 2 Apr 2022 22:33:31 +0200
+Subject: [PATCH] tiffcp: avoid buffer overflow in "mode" string (fixes #400)
+CVE: CVE-2022-1355
+Upstream-Status: Backport
+[https://gitlab.com/libtiff/libtiff/-/commit/c1ae29f9ebacd29b7c3e0c7db671af7db3584bc2]
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ tools/tiffcp.c | 25 ++++++++++++++++++++-----
+ 1 file changed, 20 insertions(+), 5 deletions(-)
+diff --git a/tools/tiffcp.c b/tools/tiffcp.c
+index fd129bb7..8d944ff6 100644
+--- a/tools/tiffcp.c
+++ b/tools/tiffcp.c
+@@ -274,19 +274,34 @@ main(int argc, char* argv[])
+                        deftilewidth = atoi(optarg);
+                        break;
+                case 'B':
+-                       *mp++ = 'b'; *mp = '\0';
+                       if (strlen(mode) < (sizeof(mode) - 1))
+                       {
+                               *mp++ = 'b'; *mp = '\0';
+                       }
+                        break;
+                case 'L':
+-                       *mp++ = 'l'; *mp = '\0';
+                       if (strlen(mode) < (sizeof(mode) - 1))
+                       {
+                               *mp++ = 'l'; *mp = '\0';
+                       }
+                        break;
+                case 'M':
+-                       *mp++ = 'm'; *mp = '\0';
+                       if (strlen(mode) < (sizeof(mode) - 1))
+                       {
+                               *mp++ = 'm'; *mp = '\0';
+                       }
+                        break;
+                case 'C':
+-                       *mp++ = 'c'; *mp = '\0';
+                       if (strlen(mode) < (sizeof(mode) - 1))
+                       {
+                               *mp++ = 'c'; *mp = '\0';
+                       }
+                        break;
+                case '8':
+-                       *mp++ = '8'; *mp = '\0';
+                       if (strlen(mode) < (sizeof(mode)-1))
+                       {
+                               *mp++ = '8'; *mp = '\0';
+                       }
+                        break;
+                case 'x':
+                        pageInSeq = 1;
+-- 
+2.25.1

diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2022-1355.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2022-1355.patch new file mode 100644 index 0000000000..e59f5aad55 --- /dev/null +++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2022-1355.patch
@@ -0,0 +1,62 @@
	1	From fb1db384959698edd6caeea84e28253d272a0f96 Mon Sep 17 00:00:00 2001
	2	From: Su_Laus <sulau@freenet.de>
	3	Date: Sat, 2 Apr 2022 22:33:31 +0200
	4	Subject: [PATCH] tiffcp: avoid buffer overflow in "mode" string (fixes #400)
	5
	6	CVE: CVE-2022-1355
	7
	8	Upstream-Status: Backport
	9	[https://gitlab.com/libtiff/libtiff/-/commit/c1ae29f9ebacd29b7c3e0c7db671af7db3584bc2]
	10
	11	Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
	12	---
	13	tools/tiffcp.c \| 25 ++++++++++++++++++++-----
	14	1 file changed, 20 insertions(+), 5 deletions(-)
	15
	16	diff --git a/tools/tiffcp.c b/tools/tiffcp.c
	17	index fd129bb7..8d944ff6 100644
	18	--- a/tools/tiffcp.c
	19	+++ b/tools/tiffcp.c
	20	@@ -274,19 +274,34 @@ main(int argc, char* argv[])
	21	deftilewidth = atoi(optarg);
	22	break;
	23	case 'B':
	24	- mp++ = 'b'; mp = '\0';
	25	+ if (strlen(mode) < (sizeof(mode) - 1))
	26	+ {
	27	+ mp++ = 'b'; mp = '\0';
	28	+ }
	29	break;
	30	case 'L':
	31	- mp++ = 'l'; mp = '\0';
	32	+ if (strlen(mode) < (sizeof(mode) - 1))
	33	+ {
	34	+ mp++ = 'l'; mp = '\0';
	35	+ }
	36	break;
	37	case 'M':
	38	- mp++ = 'm'; mp = '\0';
	39	+ if (strlen(mode) < (sizeof(mode) - 1))
	40	+ {
	41	+ mp++ = 'm'; mp = '\0';
	42	+ }
	43	break;
	44	case 'C':
	45	- mp++ = 'c'; mp = '\0';
	46	+ if (strlen(mode) < (sizeof(mode) - 1))
	47	+ {
	48	+ mp++ = 'c'; mp = '\0';
	49	+ }
	50	break;
	51	case '8':
	52	- mp++ = '8'; mp = '\0';
	53	+ if (strlen(mode) < (sizeof(mode)-1))
	54	+ {
	55	+ mp++ = '8'; mp = '\0';
	56	+ }
	57	break;
	58	case 'x':
	59	pageInSeq = 1;
	60	--
	61	2.25.1
	62