1 files changed, 178 insertions, 0 deletions
diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2023-6277-1.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2023-6277-1.patch
new file mode 100644
index 0000000000..453df897ac
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2023-6277-1.patch
@@ -0,0 +1,178 @@
+CVE: CVE-2023-6277
+Upstream-Status: Backport [upstream : https://gitlab.com/libtiff/libtiff/-/commit/5320c9d89c054fa805d037d84c57da874470b01a 
+ubuntu : http://archive.ubuntu.com/ubuntu/pool/main/t/tiff/tiff_4.3.0-6ubuntu0.8.debian.tar.xz ]
+Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
+[Ubuntu note: Backport of the following patch from upstream, with a few changes
+to match the current version of the file in the present Ubuntu release:
+ . using TIFFWarningExt instead of TIFFWarningExtR (the latter did not exist yet);
+ . calling _TIFFfree(data) instead of _TIFFfreeExt(tif, data) (the latter did not exist yet);
+-- Rodrigo Figueiredo Zaiden]
+Backport of:
+From 5320c9d89c054fa805d037d84c57da874470b01a Mon Sep 17 00:00:00 2001
+From: Su Laus <sulau@freenet.de>
+Date: Tue, 31 Oct 2023 15:43:29 +0000
+Subject: [PATCH] Prevent some out-of-memory attacks
+Some small fuzzer files fake large amounts of data and provoke out-of-memory situations. For non-compressed data content / tags, out-of-memory can be prevented by comparing with the file size.
+At image reading, data size of some tags / data structures (StripByteCounts, StripOffsets, StripArray, TIFF directory) is compared with file size to prevent provoked out-of-memory attacks.
+See issue https://gitlab.com/libtiff/libtiff/-/issues/614#note_1602683857
+---
+ libtiff/tif_dirread.c | 92 ++++++++++++++++++++++++++++++++++++++++++-
+ 1 file changed, 90 insertions(+), 2 deletions(-)
+--- tiff-4.3.0.orig/libtiff/tif_dirread.c
+++ tiff-4.3.0/libtiff/tif_dirread.c
+@@ -866,6 +866,21 @@ static enum TIFFReadDirEntryErr TIFFRead
+        datasize=(*count)*typesize;
+        assert((tmsize_t)datasize>0);
+ 
+       /* Before allocating a huge amount of memory for corrupted files, check if
+        * size of requested memory is not greater than file size.
+        */
+       uint64_t filesize = TIFFGetFileSize(tif);
+       if (datasize > filesize)
+       {
+               TIFFWarningExt(tif->tif_clientdata, "ReadDirEntryArray",
+                                               "Requested memory size for tag %d (0x%x) %" PRIu32
+                                               " is greather than filesize %" PRIu64
+                                               ". Memory not allocated, tag not read",
+                                               direntry->tdir_tag, direntry->tdir_tag, datasize,
+                                               filesize);
+               return (TIFFReadDirEntryErrAlloc);
+       }
+
+        if( isMapped(tif) && datasize > (uint64_t)tif->tif_size )
+                return TIFFReadDirEntryErrIo;
+ 
+@@ -4593,6 +4608,20 @@ EstimateStripByteCounts(TIFF* tif, TIFFD
+         if( !_TIFFFillStrilesInternal( tif, 0 ) )
+             return -1;
+ 
+       /* Before allocating a huge amount of memory for corrupted files, check if
+        * size of requested memory is not greater than file size. */
+       uint64_t filesize = TIFFGetFileSize(tif);
+       uint64_t allocsize = (uint64_t)td->td_nstrips * sizeof(uint64_t);
+       if (allocsize > filesize)
+       {
+               TIFFWarningExt(tif->tif_clientdata, module,
+                                               "Requested memory size for StripByteCounts of %" PRIu64
+                                               " is greather than filesize %" PRIu64
+                                               ". Memory not allocated",
+                                               allocsize, filesize);
+               return -1;
+       }
+
+        if (td->td_stripbytecount_p)
+                _TIFFfree(td->td_stripbytecount_p);
+        td->td_stripbytecount_p = (uint64_t*)
+@@ -4603,9 +4632,7 @@ EstimateStripByteCounts(TIFF* tif, TIFFD
+ 
+        if (td->td_compression != COMPRESSION_NONE) {
+                uint64_t space;
+-               uint64_t filesize;
+                uint16_t n;
+-               filesize = TIFFGetFileSize(tif);
+                if (!(tif->tif_flags&TIFF_BIGTIFF))
+                        space=sizeof(TIFFHeaderClassic)+2+dircount*12+4;
+                else
+@@ -4913,6 +4940,20 @@ TIFFFetchDirectory(TIFF* tif, uint64_t d
+                        dircount16 = (uint16_t)dircount64;
+                        dirsize = 20;
+                }
+               /* Before allocating a huge amount of memory for corrupted files, check
+                * if size of requested memory is not greater than file size. */
+               uint64_t filesize = TIFFGetFileSize(tif);
+               uint64_t allocsize = (uint64_t)dircount16 * dirsize;
+               if (allocsize > filesize)
+               {
+                       TIFFWarningExt(
+                               tif->tif_clientdata, module,
+                               "Requested memory size for TIFF directory of %" PRIu64
+                               " is greather than filesize %" PRIu64
+                               ". Memory not allocated, TIFF directory not read",
+                               allocsize, filesize);
+                       return 0;
+               }
+                origdir = _TIFFCheckMalloc(tif, dircount16,
+                    dirsize, "to read TIFF directory");
+                if (origdir == NULL)
+@@ -5016,6 +5057,20 @@ TIFFFetchDirectory(TIFF* tif, uint64_t d
+                                     "Sanity check on directory count failed, zero tag directories not supported");
+                        return 0;
+                }
+               /* Before allocating a huge amount of memory for corrupted files, check
+                * if size of requested memory is not greater than file size. */
+               uint64_t filesize = TIFFGetFileSize(tif);
+               uint64_t allocsize = (uint64_t)dircount16 * dirsize;
+               if (allocsize > filesize)
+               {
+                       TIFFWarningExt(
+                               tif->tif_clientdata, module,
+                               "Requested memory size for TIFF directory of %" PRIu64
+                               " is greather than filesize %" PRIu64
+                               ". Memory not allocated, TIFF directory not read",
+                               allocsize, filesize);
+                       return 0;
+               }
+                origdir = _TIFFCheckMalloc(tif, dircount16,
+                                                dirsize,
+                                                "to read TIFF directory");
+@@ -5059,6 +5114,8 @@ TIFFFetchDirectory(TIFF* tif, uint64_t d
+                        }
+                }
+        }
+       /* No check against filesize needed here because "dir" should have same size
+        * than "origdir" checked above. */
+        dir = (TIFFDirEntry*)_TIFFCheckMalloc(tif, dircount16,
+                                                sizeof(TIFFDirEntry),
+                                                "to read TIFF directory");
+@@ -5853,6 +5910,20 @@ TIFFFetchStripThing(TIFF* tif, TIFFDirEn
+                        return(0);
+                }
+ 
+               /* Before allocating a huge amount of memory for corrupted files, check
+                * if size of requested memory is not greater than file size. */
+               uint64_t filesize = TIFFGetFileSize(tif);
+               uint64_t allocsize = (uint64_t)nstrips * sizeof(uint64_t);
+               if (allocsize > filesize)
+               {
+                       TIFFWarningExt(tif->tif_clientdata, module,
+                                                       "Requested memory size for StripArray of %" PRIu64
+                                                       " is greather than filesize %" PRIu64
+                                                       ". Memory not allocated",
+                                                       allocsize, filesize);
+                       _TIFFfree(data);
+                       return (0);
+               }
+                resizeddata=(uint64_t*)_TIFFCheckMalloc(tif, nstrips, sizeof(uint64_t), "for strip array");
+                if (resizeddata==0) {
+                        _TIFFfree(data);
+@@ -5948,6 +6019,23 @@ static void allocChoppedUpStripArrays(TI
+     }
+     bytecount = last_offset + last_bytecount - offset;
+ 
+       /* Before allocating a huge amount of memory for corrupted files, check if
+        * size of StripByteCount and StripOffset tags is not greater than
+        * file size.
+        */
+       uint64_t allocsize = (uint64_t)nstrips * sizeof(uint64_t) * 2;
+       uint64_t filesize = TIFFGetFileSize(tif);
+       if (allocsize > filesize)
+       {
+               TIFFWarningExt(tif->tif_clientdata, "allocChoppedUpStripArrays",
+                                               "Requested memory size for StripByteCount and "
+                                               "StripOffsets %" PRIu64
+                                               " is greather than filesize %" PRIu64
+                                               ". Memory not allocated",
+                                               allocsize, filesize);
+               return;
+       }
+
+     newcounts = (uint64_t*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64_t),
+                                              "for chopped \"StripByteCounts\" array");
+     newoffsets = (uint64_t*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64_t),

diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2023-6277-1.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2023-6277-1.patch new file mode 100644 index 0000000000..453df897ac --- /dev/null +++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2023-6277-1.patch
@@ -0,0 +1,178 @@
	1	CVE: CVE-2023-6277
	2	Upstream-Status: Backport [upstream : https://gitlab.com/libtiff/libtiff/-/commit/5320c9d89c054fa805d037d84c57da874470b01a
	3	ubuntu : http://archive.ubuntu.com/ubuntu/pool/main/t/tiff/tiff_4.3.0-6ubuntu0.8.debian.tar.xz ]
	4	Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
	5
	6	[Ubuntu note: Backport of the following patch from upstream, with a few changes
	7	to match the current version of the file in the present Ubuntu release:
	8	. using TIFFWarningExt instead of TIFFWarningExtR (the latter did not exist yet);
	9	. calling _TIFFfree(data) instead of _TIFFfreeExt(tif, data) (the latter did not exist yet);
	10	-- Rodrigo Figueiredo Zaiden]
	11
	12	Backport of:
	13
	14	From 5320c9d89c054fa805d037d84c57da874470b01a Mon Sep 17 00:00:00 2001
	15	From: Su Laus <sulau@freenet.de>
	16	Date: Tue, 31 Oct 2023 15:43:29 +0000
	17	Subject: [PATCH] Prevent some out-of-memory attacks
	18
	19	Some small fuzzer files fake large amounts of data and provoke out-of-memory situations. For non-compressed data content / tags, out-of-memory can be prevented by comparing with the file size.
	20
	21	At image reading, data size of some tags / data structures (StripByteCounts, StripOffsets, StripArray, TIFF directory) is compared with file size to prevent provoked out-of-memory attacks.
	22
	23	See issue https://gitlab.com/libtiff/libtiff/-/issues/614#note_1602683857
	24	---
	25	libtiff/tif_dirread.c \| 92 ++++++++++++++++++++++++++++++++++++++++++-
	26	1 file changed, 90 insertions(+), 2 deletions(-)
	27
	28	--- tiff-4.3.0.orig/libtiff/tif_dirread.c
	29	+++ tiff-4.3.0/libtiff/tif_dirread.c
	30	@@ -866,6 +866,21 @@ static enum TIFFReadDirEntryErr TIFFRead
	31	datasize=(count)typesize;
	32	assert((tmsize_t)datasize>0);
	33
	34	+ /* Before allocating a huge amount of memory for corrupted files, check if
	35	+ * size of requested memory is not greater than file size.
	36	+ */
	37	+ uint64_t filesize = TIFFGetFileSize(tif);
	38	+ if (datasize > filesize)
	39	+ {
	40	+ TIFFWarningExt(tif->tif_clientdata, "ReadDirEntryArray",
	41	+ "Requested memory size for tag %d (0x%x) %" PRIu32
	42	+ " is greather than filesize %" PRIu64
	43	+ ". Memory not allocated, tag not read",
	44	+ direntry->tdir_tag, direntry->tdir_tag, datasize,
	45	+ filesize);
	46	+ return (TIFFReadDirEntryErrAlloc);
	47	+ }
	48	+
	49	if( isMapped(tif) && datasize > (uint64_t)tif->tif_size )
	50	return TIFFReadDirEntryErrIo;
	51
	52	@@ -4593,6 +4608,20 @@ EstimateStripByteCounts(TIFF* tif, TIFFD
	53	if( !_TIFFFillStrilesInternal( tif, 0 ) )
	54	return -1;
	55
	56	+ /* Before allocating a huge amount of memory for corrupted files, check if
	57	+ * size of requested memory is not greater than file size. */
	58	+ uint64_t filesize = TIFFGetFileSize(tif);
	59	+ uint64_t allocsize = (uint64_t)td->td_nstrips * sizeof(uint64_t);
	60	+ if (allocsize > filesize)
	61	+ {
	62	+ TIFFWarningExt(tif->tif_clientdata, module,
	63	+ "Requested memory size for StripByteCounts of %" PRIu64
	64	+ " is greather than filesize %" PRIu64
	65	+ ". Memory not allocated",
	66	+ allocsize, filesize);
	67	+ return -1;
	68	+ }
	69	+
	70	if (td->td_stripbytecount_p)
	71	_TIFFfree(td->td_stripbytecount_p);
	72	td->td_stripbytecount_p = (uint64_t*)
	73	@@ -4603,9 +4632,7 @@ EstimateStripByteCounts(TIFF* tif, TIFFD
	74
	75	if (td->td_compression != COMPRESSION_NONE) {
	76	uint64_t space;
	77	- uint64_t filesize;
	78	uint16_t n;
	79	- filesize = TIFFGetFileSize(tif);
	80	if (!(tif->tif_flags&TIFF_BIGTIFF))
	81	space=sizeof(TIFFHeaderClassic)+2+dircount*12+4;
	82	else
	83	@@ -4913,6 +4940,20 @@ TIFFFetchDirectory(TIFF* tif, uint64_t d
	84	dircount16 = (uint16_t)dircount64;
	85	dirsize = 20;
	86	}
	87	+ /* Before allocating a huge amount of memory for corrupted files, check
	88	+ * if size of requested memory is not greater than file size. */
	89	+ uint64_t filesize = TIFFGetFileSize(tif);
	90	+ uint64_t allocsize = (uint64_t)dircount16 * dirsize;
	91	+ if (allocsize > filesize)
	92	+ {
	93	+ TIFFWarningExt(
	94	+ tif->tif_clientdata, module,
	95	+ "Requested memory size for TIFF directory of %" PRIu64
	96	+ " is greather than filesize %" PRIu64
	97	+ ". Memory not allocated, TIFF directory not read",
	98	+ allocsize, filesize);
	99	+ return 0;
	100	+ }
	101	origdir = _TIFFCheckMalloc(tif, dircount16,
	102	dirsize, "to read TIFF directory");
	103	if (origdir == NULL)
	104	@@ -5016,6 +5057,20 @@ TIFFFetchDirectory(TIFF* tif, uint64_t d
	105	"Sanity check on directory count failed, zero tag directories not supported");
	106	return 0;
	107	}
	108	+ /* Before allocating a huge amount of memory for corrupted files, check
	109	+ * if size of requested memory is not greater than file size. */
	110	+ uint64_t filesize = TIFFGetFileSize(tif);
	111	+ uint64_t allocsize = (uint64_t)dircount16 * dirsize;
	112	+ if (allocsize > filesize)
	113	+ {
	114	+ TIFFWarningExt(
	115	+ tif->tif_clientdata, module,
	116	+ "Requested memory size for TIFF directory of %" PRIu64
	117	+ " is greather than filesize %" PRIu64
	118	+ ". Memory not allocated, TIFF directory not read",
	119	+ allocsize, filesize);
	120	+ return 0;
	121	+ }
	122	origdir = _TIFFCheckMalloc(tif, dircount16,
	123	dirsize,
	124	"to read TIFF directory");
	125	@@ -5059,6 +5114,8 @@ TIFFFetchDirectory(TIFF* tif, uint64_t d
	126	}
	127	}
	128	}
	129	+ /* No check against filesize needed here because "dir" should have same size
	130	+ * than "origdir" checked above. */
	131	dir = (TIFFDirEntry*)_TIFFCheckMalloc(tif, dircount16,
	132	sizeof(TIFFDirEntry),
	133	"to read TIFF directory");
	134	@@ -5853,6 +5910,20 @@ TIFFFetchStripThing(TIFF* tif, TIFFDirEn
	135	return(0);
	136	}
	137
	138	+ /* Before allocating a huge amount of memory for corrupted files, check
	139	+ * if size of requested memory is not greater than file size. */
	140	+ uint64_t filesize = TIFFGetFileSize(tif);
	141	+ uint64_t allocsize = (uint64_t)nstrips * sizeof(uint64_t);
	142	+ if (allocsize > filesize)
	143	+ {
	144	+ TIFFWarningExt(tif->tif_clientdata, module,
	145	+ "Requested memory size for StripArray of %" PRIu64
	146	+ " is greather than filesize %" PRIu64
	147	+ ". Memory not allocated",
	148	+ allocsize, filesize);
	149	+ _TIFFfree(data);
	150	+ return (0);
	151	+ }
	152	resizeddata=(uint64_t*)_TIFFCheckMalloc(tif, nstrips, sizeof(uint64_t), "for strip array");
	153	if (resizeddata==0) {
	154	_TIFFfree(data);
	155	@@ -5948,6 +6019,23 @@ static void allocChoppedUpStripArrays(TI
	156	}
	157	bytecount = last_offset + last_bytecount - offset;
	158
	159	+ /* Before allocating a huge amount of memory for corrupted files, check if
	160	+ * size of StripByteCount and StripOffset tags is not greater than
	161	+ * file size.
	162	+ */
	163	+ uint64_t allocsize = (uint64_t)nstrips * sizeof(uint64_t) * 2;
	164	+ uint64_t filesize = TIFFGetFileSize(tif);
	165	+ if (allocsize > filesize)
	166	+ {
	167	+ TIFFWarningExt(tif->tif_clientdata, "allocChoppedUpStripArrays",
	168	+ "Requested memory size for StripByteCount and "
	169	+ "StripOffsets %" PRIu64
	170	+ " is greather than filesize %" PRIu64
	171	+ ". Memory not allocated",
	172	+ allocsize, filesize);
	173	+ return;
	174	+ }
	175	+
	176	newcounts = (uint64_t*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64_t),
	177	"for chopped \"StripByteCounts\" array");
	178	newoffsets = (uint64_t*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64_t),