summaryrefslogtreecommitdiffstats
path: root/meta/recipes-multimedia
diff options
context:
space:
mode:
Diffstat (limited to 'meta/recipes-multimedia')
-rw-r--r--meta/recipes-multimedia/libtiff/tiff/0001-tiffcrop-Fix-issue-330-and-some-more-from-320-to-349.patch609
-rw-r--r--meta/recipes-multimedia/libtiff/tiff/CVE-2022-2953.patch87
-rw-r--r--meta/recipes-multimedia/libtiff/tiff_4.3.0.bb2
3 files changed, 698 insertions, 0 deletions
diff --git a/meta/recipes-multimedia/libtiff/tiff/0001-tiffcrop-Fix-issue-330-and-some-more-from-320-to-349.patch b/meta/recipes-multimedia/libtiff/tiff/0001-tiffcrop-Fix-issue-330-and-some-more-from-320-to-349.patch
new file mode 100644
index 0000000000..07acf5eb90
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/tiff/0001-tiffcrop-Fix-issue-330-and-some-more-from-320-to-349.patch
@@ -0,0 +1,609 @@
1From e319508023580e2f70e6e626f745b5b2a1707313 Mon Sep 17 00:00:00 2001
2From: Su Laus <sulau@freenet.de>
3Date: Tue, 10 May 2022 20:03:17 +0000
4Subject: [PATCH] tiffcrop: Fix issue #330 and some more from 320 to 349
5Upstream-Status: Backport
6Signed-off-by: Zheng Qiu <zheng.qiu@windriver.com>
7---
8 tools/tiffcrop.c | 282 +++++++++++++++++++++++++++++++++++------------
9 1 file changed, 210 insertions(+), 72 deletions(-)
10
11diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
12index 77cf6ed1..791ec5e7 100644
13--- a/tools/tiffcrop.c
14+++ b/tools/tiffcrop.c
15@@ -63,20 +63,24 @@
16 * units when sectioning image into columns x rows
17 * using the -S cols:rows option.
18 * -X # Horizontal dimension of region to extract expressed in current
19- * units
20+ * units, relative to the specified origin reference 'edge' left (default for X) or right.
21 * -Y # Vertical dimension of region to extract expressed in current
22- * units
23+ * units, relative to the specified origin reference 'edge' top (default for Y) or bottom.
24 * -O orient Orientation for output image, portrait, landscape, auto
25 * -P page Page size for output image segments, eg letter, legal, tabloid,
26 * etc.
27 * -S cols:rows Divide the image into equal sized segments using cols across
28 * and rows down
29- * -E t|l|r|b Edge to use as origin
30+ * -E t|l|r|b Edge to use as origin (i.e. 'side' of the image not 'corner')
31+ * top = width from left, zones from top to bottom (default)
32+ * bottom = width from left, zones from bottom to top
33+ * left = zones from left to right, length from top
34+ * right = zones from right to left, length from top
35 * -m #,#,#,# Margins from edges for selection: top, left, bottom, right
36 * (commas separated)
37 * -Z #:#,#:# Zones of the image designated as zone X of Y,
38 * eg 1:3 would be first of three equal portions measured
39- * from reference edge
40+ * from reference edge (i.e. 'side' not corner)
41 * -N odd|even|#,#-#,#|last
42 * Select sequences and/or ranges of images within file
43 * to process. The words odd or even may be used to specify
44@@ -103,10 +107,13 @@
45 * selects which functions dump data, with higher numbers selecting
46 * lower level, scanline level routines. Debug reports a limited set
47 * of messages to monitor progress without enabling dump logs.
48+ *
49+ * Note: The (-X|-Y), -Z and -z options are mutually exclusive.
50+ * In no case should the options be applied to a given selection successively.
51 */
52
53-static char tiffcrop_version_id[] = "2.4.1";
54-static char tiffcrop_rev_date[] = "03-03-2010";
55+static char tiffcrop_version_id[] = "2.5";
56+static char tiffcrop_rev_date[] = "02-09-2022";
57
58 #include "tif_config.h"
59 #include "libport.h"
60@@ -774,6 +781,9 @@ static const char usage_info[] =
61 " The four debug/dump options are independent, though it makes little sense to\n"
62 " specify a dump file without specifying a detail level.\n"
63 "\n"
64+"Note: The (-X|-Y), -Z and -z options are mutually exclusive.\n"
65+" In no case should the options be applied to a given selection successively.\n"
66+"\n"
67 ;
68
69 /* This function could be modified to pass starting sample offset
70@@ -2121,6 +2131,15 @@ void process_command_opts (int argc, char *argv[], char *mp, char *mode, uint32
71 /*NOTREACHED*/
72 }
73 }
74+ /*-- Check for not allowed combinations (e.g. -X, -Y and -Z and -z are mutually exclusive) --*/
75+ char XY, Z, R;
76+ XY = ((crop_data->crop_mode & CROP_WIDTH) || (crop_data->crop_mode & CROP_LENGTH));
77+ Z = (crop_data->crop_mode & CROP_ZONES);
78+ R = (crop_data->crop_mode & CROP_REGIONS);
79+ if ((XY && Z) || (XY && R) || (Z && R)) {
80+ TIFFError("tiffcrop input error", "The crop options(-X|-Y), -Z and -z are mutually exclusive.->Exit");
81+ exit(EXIT_FAILURE);
82+ }
83 } /* end process_command_opts */
84
85 /* Start a new output file if one has not been previously opened or
86@@ -2746,7 +2765,7 @@ extractContigSamplesBytes (uint8_t *in, uint8_t *out, uint32_t cols,
87 tsample_t count, uint32_t start, uint32_t end)
88 {
89 int i, bytes_per_sample, sindex;
90- uint32_t col, dst_rowsize, bit_offset;
91+ uint32_t col, dst_rowsize, bit_offset, numcols;
92 uint32_t src_byte /*, src_bit */;
93 uint8_t *src = in;
94 uint8_t *dst = out;
95@@ -2757,6 +2776,10 @@ extractContigSamplesBytes (uint8_t *in, uint8_t *out, uint32_t cols,
96 return (1);
97 }
98
99+ /* Number of extracted columns shall be kept as (end-start + 1). Otherwise buffer-overflow might occur.
100+ * 'start' and 'col' count from 0 to (cols-1) but 'end' is to be set one after the index of the last column to be copied!
101+ */
102+ numcols = abs(end - start);
103 if ((start > end) || (start > cols))
104 {
105 TIFFError ("extractContigSamplesBytes",
106@@ -2769,6 +2792,9 @@ extractContigSamplesBytes (uint8_t *in, uint8_t *out, uint32_t cols,
107 "Invalid end column value %"PRIu32" ignored", end);
108 end = cols;
109 }
110+ if (abs(end - start) > numcols) {
111+ end = start + numcols;
112+ }
113
114 dst_rowsize = (bps * (end - start) * count) / 8;
115
116@@ -2812,7 +2838,7 @@ extractContigSamples8bits (uint8_t *in, uint8_t *out, uint32_t cols,
117 tsample_t count, uint32_t start, uint32_t end)
118 {
119 int ready_bits = 0, sindex = 0;
120- uint32_t col, src_byte, src_bit, bit_offset;
121+ uint32_t col, src_byte, src_bit, bit_offset, numcols;
122 uint8_t maskbits = 0, matchbits = 0;
123 uint8_t buff1 = 0, buff2 = 0;
124 uint8_t *src = in;
125@@ -2824,6 +2850,10 @@ extractContigSamples8bits (uint8_t *in, uint8_t *out, uint32_t cols,
126 return (1);
127 }
128
129+ /* Number of extracted columns shall be kept as (end-start + 1). Otherwise buffer-overflow might occur.
130+ * 'start' and 'col' count from 0 to (cols-1) but 'end' is to be set one after the index of the last column to be copied!
131+ */
132+ numcols = abs(end - start);
133 if ((start > end) || (start > cols))
134 {
135 TIFFError ("extractContigSamples8bits",
136@@ -2836,7 +2866,10 @@ extractContigSamples8bits (uint8_t *in, uint8_t *out, uint32_t cols,
137 "Invalid end column value %"PRIu32" ignored", end);
138 end = cols;
139 }
140-
141+ if (abs(end - start) > numcols) {
142+ end = start + numcols;
143+ }
144+
145 ready_bits = 0;
146 maskbits = (uint8_t)-1 >> (8 - bps);
147 buff1 = buff2 = 0;
148@@ -2889,7 +2922,7 @@ extractContigSamples16bits (uint8_t *in, uint8_t *out, uint32_t cols,
149 tsample_t count, uint32_t start, uint32_t end)
150 {
151 int ready_bits = 0, sindex = 0;
152- uint32_t col, src_byte, src_bit, bit_offset;
153+ uint32_t col, src_byte, src_bit, bit_offset, numcols;
154 uint16_t maskbits = 0, matchbits = 0;
155 uint16_t buff1 = 0, buff2 = 0;
156 uint8_t bytebuff = 0;
157@@ -2902,6 +2935,10 @@ extractContigSamples16bits (uint8_t *in, uint8_t *out, uint32_t cols,
158 return (1);
159 }
160
161+ /* Number of extracted columns shall be kept as (end-start + 1). Otherwise buffer-overflow might occur.
162+ * 'start' and 'col' count from 0 to (cols-1) but 'end' is to be set one after the index of the last column to be copied!
163+ */
164+ numcols = abs(end - start);
165 if ((start > end) || (start > cols))
166 {
167 TIFFError ("extractContigSamples16bits",
168@@ -2914,6 +2951,9 @@ extractContigSamples16bits (uint8_t *in, uint8_t *out, uint32_t cols,
169 "Invalid end column value %"PRIu32" ignored", end);
170 end = cols;
171 }
172+ if (abs(end - start) > numcols) {
173+ end = start + numcols;
174+ }
175
176 ready_bits = 0;
177 maskbits = (uint16_t)-1 >> (16 - bps);
178@@ -2978,7 +3018,7 @@ extractContigSamples24bits (uint8_t *in, uint8_t *out, uint32_t cols,
179 tsample_t count, uint32_t start, uint32_t end)
180 {
181 int ready_bits = 0, sindex = 0;
182- uint32_t col, src_byte, src_bit, bit_offset;
183+ uint32_t col, src_byte, src_bit, bit_offset, numcols;
184 uint32_t maskbits = 0, matchbits = 0;
185 uint32_t buff1 = 0, buff2 = 0;
186 uint8_t bytebuff1 = 0, bytebuff2 = 0;
187@@ -2991,6 +3031,10 @@ extractContigSamples24bits (uint8_t *in, uint8_t *out, uint32_t cols,
188 return (1);
189 }
190
191+ /* Number of extracted columns shall be kept as (end-start + 1). Otherwise buffer-overflow might occur.
192+ * 'start' and 'col' count from 0 to (cols-1) but 'end' is to be set one after the index of the last column to be copied!
193+ */
194+ numcols = abs(end - start);
195 if ((start > end) || (start > cols))
196 {
197 TIFFError ("extractContigSamples24bits",
198@@ -3003,6 +3047,9 @@ extractContigSamples24bits (uint8_t *in, uint8_t *out, uint32_t cols,
199 "Invalid end column value %"PRIu32" ignored", end);
200 end = cols;
201 }
202+ if (abs(end - start) > numcols) {
203+ end = start + numcols;
204+ }
205
206 ready_bits = 0;
207 maskbits = (uint32_t)-1 >> (32 - bps);
208@@ -3087,7 +3134,7 @@ extractContigSamples32bits (uint8_t *in, uint8_t *out, uint32_t cols,
209 tsample_t count, uint32_t start, uint32_t end)
210 {
211 int ready_bits = 0, sindex = 0 /*, shift_width = 0 */;
212- uint32_t col, src_byte, src_bit, bit_offset;
213+ uint32_t col, src_byte, src_bit, bit_offset, numcols;
214 uint32_t longbuff1 = 0, longbuff2 = 0;
215 uint64_t maskbits = 0, matchbits = 0;
216 uint64_t buff1 = 0, buff2 = 0, buff3 = 0;
217@@ -3102,6 +3149,10 @@ extractContigSamples32bits (uint8_t *in, uint8_t *out, uint32_t cols,
218 }
219
220
221+ /* Number of extracted columns shall be kept as (end-start + 1). Otherwise buffer-overflow might occur.
222+ * 'start' and 'col' count from 0 to (cols-1) but 'end' is to be set one after the index of the last column to be copied!
223+ */
224+ numcols = abs(end - start);
225 if ((start > end) || (start > cols))
226 {
227 TIFFError ("extractContigSamples32bits",
228@@ -3114,6 +3165,9 @@ extractContigSamples32bits (uint8_t *in, uint8_t *out, uint32_t cols,
229 "Invalid end column value %"PRIu32" ignored", end);
230 end = cols;
231 }
232+ if (abs(end - start) > numcols) {
233+ end = start + numcols;
234+ }
235
236 /* shift_width = ((bps + 7) / 8) + 1; */
237 ready_bits = 0;
238@@ -3193,7 +3247,7 @@ extractContigSamplesShifted8bits (uint8_t *in, uint8_t *out, uint32_t cols,
239 int shift)
240 {
241 int ready_bits = 0, sindex = 0;
242- uint32_t col, src_byte, src_bit, bit_offset;
243+ uint32_t col, src_byte, src_bit, bit_offset, numcols;
244 uint8_t maskbits = 0, matchbits = 0;
245 uint8_t buff1 = 0, buff2 = 0;
246 uint8_t *src = in;
247@@ -3205,6 +3259,10 @@ extractContigSamplesShifted8bits (uint8_t *in, uint8_t *out, uint32_t cols,
248 return (1);
249 }
250
251+ /* Number of extracted columns shall be kept as (end-start + 1). Otherwise buffer-overflow might occur.
252+ * 'start' and 'col' count from 0 to (cols-1) but 'end' is to be set one after the index of the last column to be copied!
253+ */
254+ numcols = abs(end - start);
255 if ((start > end) || (start > cols))
256 {
257 TIFFError ("extractContigSamplesShifted8bits",
258@@ -3217,6 +3275,9 @@ extractContigSamplesShifted8bits (uint8_t *in, uint8_t *out, uint32_t cols,
259 "Invalid end column value %"PRIu32" ignored", end);
260 end = cols;
261 }
262+ if (abs(end - start) > numcols) {
263+ end = start + numcols;
264+ }
265
266 ready_bits = shift;
267 maskbits = (uint8_t)-1 >> (8 - bps);
268@@ -3273,7 +3334,7 @@ extractContigSamplesShifted16bits (uint8_t *in, uint8_t *out, uint32_t cols,
269 int shift)
270 {
271 int ready_bits = 0, sindex = 0;
272- uint32_t col, src_byte, src_bit, bit_offset;
273+ uint32_t col, src_byte, src_bit, bit_offset, numcols;
274 uint16_t maskbits = 0, matchbits = 0;
275 uint16_t buff1 = 0, buff2 = 0;
276 uint8_t bytebuff = 0;
277@@ -3286,6 +3347,10 @@ extractContigSamplesShifted16bits (uint8_t *in, uint8_t *out, uint32_t cols,
278 return (1);
279 }
280
281+ /* Number of extracted columns shall be kept as (end-start + 1). Otherwise buffer-overflow might occur.
282+ * 'start' and 'col' count from 0 to (cols-1) but 'end' is to be set one after the index of the last column to be copied!
283+ */
284+ numcols = abs(end - start);
285 if ((start > end) || (start > cols))
286 {
287 TIFFError ("extractContigSamplesShifted16bits",
288@@ -3298,6 +3363,9 @@ extractContigSamplesShifted16bits (uint8_t *in, uint8_t *out, uint32_t cols,
289 "Invalid end column value %"PRIu32" ignored", end);
290 end = cols;
291 }
292+ if (abs(end - start) > numcols) {
293+ end = start + numcols;
294+ }
295
296 ready_bits = shift;
297 maskbits = (uint16_t)-1 >> (16 - bps);
298@@ -3363,7 +3431,7 @@ extractContigSamplesShifted24bits (uint8_t *in, uint8_t *out, uint32_t cols,
299 int shift)
300 {
301 int ready_bits = 0, sindex = 0;
302- uint32_t col, src_byte, src_bit, bit_offset;
303+ uint32_t col, src_byte, src_bit, bit_offset, numcols;
304 uint32_t maskbits = 0, matchbits = 0;
305 uint32_t buff1 = 0, buff2 = 0;
306 uint8_t bytebuff1 = 0, bytebuff2 = 0;
307@@ -3376,6 +3444,16 @@ extractContigSamplesShifted24bits (uint8_t *in, uint8_t *out, uint32_t cols,
308 return (1);
309 }
310
311+ /* Number of extracted columns shall be kept as (end-start + 1). Otherwise buffer-overflow might occur.
312+ * 'start' and 'col' count from 0 to (cols-1) but 'end' is to be set one after the index of the last column to be copied!
313+ */
314+ /*--- Remark, which is true for all those functions extractCongigSamplesXXX() --
315+ * The mitigation of the start/end test does not allways make sense, because the function is often called with e.g.:
316+ * start = 31; end = 32; cols = 32 to extract the last column in a 32x32 sample image.
317+ * If then, a worng parameter (e.g. cols = 10) is provided, the mitigated settings would be start=0; end=1.
318+ * Therefore, an error message and no copy action might be the better reaction to wrong parameter configurations.
319+ */
320+ numcols = abs(end - start);
321 if ((start > end) || (start > cols))
322 {
323 TIFFError ("extractContigSamplesShifted24bits",
324@@ -3388,6 +3466,9 @@ extractContigSamplesShifted24bits (uint8_t *in, uint8_t *out, uint32_t cols,
325 "Invalid end column value %"PRIu32" ignored", end);
326 end = cols;
327 }
328+ if (abs(end - start) > numcols) {
329+ end = start + numcols;
330+ }
331
332 ready_bits = shift;
333 maskbits = (uint32_t)-1 >> (32 - bps);
334@@ -3449,7 +3530,7 @@ extractContigSamplesShifted24bits (uint8_t *in, uint8_t *out, uint32_t cols,
335 buff2 = (buff2 << 8);
336 bytebuff2 = bytebuff1;
337 ready_bits -= 8;
338- }
339+ }
340
341 return (0);
342 } /* end extractContigSamplesShifted24bits */
343@@ -3461,7 +3542,7 @@ extractContigSamplesShifted32bits (uint8_t *in, uint8_t *out, uint32_t cols,
344 int shift)
345 {
346 int ready_bits = 0, sindex = 0 /*, shift_width = 0 */;
347- uint32_t col, src_byte, src_bit, bit_offset;
348+ uint32_t col, src_byte, src_bit, bit_offset, numcols;
349 uint32_t longbuff1 = 0, longbuff2 = 0;
350 uint64_t maskbits = 0, matchbits = 0;
351 uint64_t buff1 = 0, buff2 = 0, buff3 = 0;
352@@ -3476,6 +3557,10 @@ extractContigSamplesShifted32bits (uint8_t *in, uint8_t *out, uint32_t cols,
353 }
354
355
356+ /* Number of extracted columns shall be kept as (end-start + 1). Otherwise buffer-overflow might occur.
357+ * 'start' and 'col' count from 0 to (cols-1) but 'end' is to be set one after the index of the last column to be copied!
358+ */
359+ numcols = abs(end - start);
360 if ((start > end) || (start > cols))
361 {
362 TIFFError ("extractContigSamplesShifted32bits",
363@@ -3488,6 +3573,9 @@ extractContigSamplesShifted32bits (uint8_t *in, uint8_t *out, uint32_t cols,
364 "Invalid end column value %"PRIu32" ignored", end);
365 end = cols;
366 }
367+ if (abs(end - start) > numcols) {
368+ end = start + numcols;
369+ }
370
371 /* shift_width = ((bps + 7) / 8) + 1; */
372 ready_bits = shift;
373@@ -5429,7 +5517,7 @@ getCropOffsets(struct image_data *image, struct crop_mask *crop, struct dump_opt
374 {
375 struct offset offsets;
376 int i;
377- int32_t test;
378+ uint32_t uaux;
379 uint32_t seg, total, need_buff = 0;
380 uint32_t buffsize;
381 uint32_t zwidth, zlength;
382@@ -5510,8 +5598,13 @@ getCropOffsets(struct image_data *image, struct crop_mask *crop, struct dump_opt
383 seg = crop->zonelist[j].position;
384 total = crop->zonelist[j].total;
385
386- /* check for not allowed zone cases like 0:0; 4:3; etc. and skip that input */
387+ /* check for not allowed zone cases like 0:0; 4:3; or negative ones etc. and skip that input */
388+ if (crop->zonelist[j].position < 0 || crop->zonelist[j].total < 0) {
389+ TIFFError("getCropOffsets", "Negative crop zone values %d:%d are not allowed, thus skipped.", crop->zonelist[j].position, crop->zonelist[j].total);
390+ continue;
391+ }
392 if (seg == 0 || total == 0 || seg > total) {
393+ TIFFError("getCropOffsets", "Crop zone %d:%d is out of specification, thus skipped.", seg, total);
394 continue;
395 }
396
397@@ -5524,17 +5617,23 @@ getCropOffsets(struct image_data *image, struct crop_mask *crop, struct dump_opt
398
399 crop->regionlist[i].x1 = offsets.startx +
400 (uint32_t)(offsets.crop_width * 1.0 * (seg - 1) / total);
401- test = (int32_t)offsets.startx +
402- (int32_t)(offsets.crop_width * 1.0 * seg / total);
403- if (test < 1 )
404- crop->regionlist[i].x2 = 0;
405- else
406- {
407- if (test > (int32_t)(image->width - 1))
408+ /* FAULT: IMHO in the old code here, the calculation of x2 was based on wrong assumtions. The whole image was assumed and 'endy' and 'starty' are not respected anymore!*/
409+ /* NEW PROPOSED Code: Assumption: offsets are within image with top left corner as origin (0,0) and 'start' <= 'end'. */
410+ if (crop->regionlist[i].x1 > offsets.endx) {
411+ crop->regionlist[i].x1 = offsets.endx;
412+ } else if (crop->regionlist[i].x1 >= image->width) {
413+ crop->regionlist[i].x1 = image->width - 1;
414+ }
415+
416+ crop->regionlist[i].x2 = offsets.startx + (uint32_t)(offsets.crop_width * 1.0 * seg / total);
417+ if (crop->regionlist[i].x2 > 0) crop->regionlist[i].x2 = crop->regionlist[i].x2 - 1;
418+ if (crop->regionlist[i].x2 < crop->regionlist[i].x1) {
419+ crop->regionlist[i].x2 = crop->regionlist[i].x1;
420+ } else if (crop->regionlist[i].x2 > offsets.endx) {
421+ crop->regionlist[i].x2 = offsets.endx;
422+ } else if (crop->regionlist[i].x2 >= image->width) {
423 crop->regionlist[i].x2 = image->width - 1;
424- else
425- crop->regionlist[i].x2 = test - 1;
426- }
427+ }
428 zwidth = crop->regionlist[i].x2 - crop->regionlist[i].x1 + 1;
429
430 /* This is passed to extractCropZone or extractCompositeZones */
431@@ -5549,22 +5648,27 @@ getCropOffsets(struct image_data *image, struct crop_mask *crop, struct dump_opt
432 crop->regionlist[i].x1 = offsets.startx;
433 crop->regionlist[i].x2 = offsets.endx;
434
435- test = offsets.endy - (uint32_t)(offsets.crop_length * 1.0 * seg / total);
436- if (test < 1 )
437- crop->regionlist[i].y1 = 0;
438- else
439- crop->regionlist[i].y1 = test + 1;
440+ /* FAULT: IMHO in the old code here, the calculation of y1/y2 was based on wrong assumtions. The whole image was assumed and 'endy' and 'starty' are not respected anymore!*/
441+ /* NEW PROPOSED Code: Assumption: offsets are within image with top left corner as origin (0,0) and 'start' <= 'end'. */
442+ uaux = (uint32_t)(offsets.crop_length * 1.0 * seg / total);
443+ if (uaux <= offsets.endy + 1) {
444+ crop->regionlist[i].y1 = offsets.endy - uaux + 1;
445+ } else {
446+ crop->regionlist[i].y1 = 0;
447+ }
448+ if (crop->regionlist[i].y1 < offsets.starty) {
449+ crop->regionlist[i].y1 = offsets.starty;
450+ }
451
452- test = offsets.endy - (offsets.crop_length * 1.0 * (seg - 1) / total);
453- if (test < 1 )
454- crop->regionlist[i].y2 = 0;
455- else
456- {
457- if (test > (int32_t)(image->length - 1))
458- crop->regionlist[i].y2 = image->length - 1;
459- else
460- crop->regionlist[i].y2 = test;
461- }
462+ uaux = (uint32_t)(offsets.crop_length * 1.0 * (seg - 1) / total);
463+ if (uaux <= offsets.endy) {
464+ crop->regionlist[i].y2 = offsets.endy - uaux;
465+ } else {
466+ crop->regionlist[i].y2 = 0;
467+ }
468+ if (crop->regionlist[i].y2 < offsets.starty) {
469+ crop->regionlist[i].y2 = offsets.starty;
470+ }
471 zlength = crop->regionlist[i].y2 - crop->regionlist[i].y1 + 1;
472
473 /* This is passed to extractCropZone or extractCompositeZones */
474@@ -5575,32 +5679,42 @@ getCropOffsets(struct image_data *image, struct crop_mask *crop, struct dump_opt
475 crop->combined_width = (uint32_t)zwidth;
476 break;
477 case EDGE_RIGHT: /* zones from right to left, length from top */
478- zlength = offsets.crop_length;
479- crop->regionlist[i].y1 = offsets.starty;
480- crop->regionlist[i].y2 = offsets.endy;
481-
482- crop->regionlist[i].x1 = offsets.startx +
483- (uint32_t)(offsets.crop_width * (total - seg) * 1.0 / total);
484- test = offsets.startx +
485- (offsets.crop_width * (total - seg + 1) * 1.0 / total);
486- if (test < 1 )
487- crop->regionlist[i].x2 = 0;
488- else
489- {
490- if (test > (int32_t)(image->width - 1))
491- crop->regionlist[i].x2 = image->width - 1;
492- else
493- crop->regionlist[i].x2 = test - 1;
494- }
495- zwidth = crop->regionlist[i].x2 - crop->regionlist[i].x1 + 1;
496+ zlength = offsets.crop_length;
497+ crop->regionlist[i].y1 = offsets.starty;
498+ crop->regionlist[i].y2 = offsets.endy;
499+
500+ crop->regionlist[i].x1 = offsets.startx +
501+ (uint32_t)(offsets.crop_width * (total - seg) * 1.0 / total);
502+ /* FAULT: IMHO from here on, the calculation of y2 are based on wrong assumtions. The whole image is assumed and 'endy' and 'starty' are not respected anymore!*/
503+ /* NEW PROPOSED Code: Assumption: offsets are within image with top left corner as origin (0,0) and 'start' <= 'end'. */
504+ uaux = (uint32_t)(offsets.crop_width * 1.0 * seg / total);
505+ if (uaux <= offsets.endx + 1) {
506+ crop->regionlist[i].x1 = offsets.endx - uaux + 1;
507+ } else {
508+ crop->regionlist[i].x1 = 0;
509+ }
510+ if (crop->regionlist[i].x1 < offsets.startx) {
511+ crop->regionlist[i].x1 = offsets.startx;
512+ }
513
514- /* This is passed to extractCropZone or extractCompositeZones */
515- crop->combined_length = (uint32_t)zlength;
516- if (crop->exp_mode == COMPOSITE_IMAGES)
517- crop->combined_width += (uint32_t)zwidth;
518- else
519- crop->combined_width = (uint32_t)zwidth;
520- break;
521+ uaux = (uint32_t)(offsets.crop_width * 1.0 * (seg - 1) / total);
522+ if (uaux <= offsets.endx) {
523+ crop->regionlist[i].x2 = offsets.endx - uaux;
524+ } else {
525+ crop->regionlist[i].x2 = 0;
526+ }
527+ if (crop->regionlist[i].x2 < offsets.startx) {
528+ crop->regionlist[i].x2 = offsets.startx;
529+ }
530+ zwidth = crop->regionlist[i].x2 - crop->regionlist[i].x1 + 1;
531+
532+ /* This is passed to extractCropZone or extractCompositeZones */
533+ crop->combined_length = (uint32_t)zlength;
534+ if (crop->exp_mode == COMPOSITE_IMAGES)
535+ crop->combined_width += (uint32_t)zwidth;
536+ else
537+ crop->combined_width = (uint32_t)zwidth;
538+ break;
539 case EDGE_TOP: /* width from left, zones from top to bottom */
540 default:
541 zwidth = offsets.crop_width;
542@@ -5608,6 +5722,14 @@ getCropOffsets(struct image_data *image, struct crop_mask *crop, struct dump_opt
543 crop->regionlist[i].x2 = offsets.endx;
544
545 crop->regionlist[i].y1 = offsets.starty + (uint32_t)(offsets.crop_length * 1.0 * (seg - 1) / total);
546+ if (crop->regionlist[i].y1 > offsets.endy) {
547+ crop->regionlist[i].y1 = offsets.endy;
548+ } else if (crop->regionlist[i].y1 >= image->length) {
549+ crop->regionlist[i].y1 = image->length - 1;
550+ }
551+
552+ /* FAULT: IMHO from here on, the calculation of y2 are based on wrong assumtions. The whole image is assumed and 'endy' and 'starty' are not respected anymore!*/
553+ /* OLD Code:
554 test = offsets.starty + (uint32_t)(offsets.crop_length * 1.0 * seg / total);
555 if (test < 1 )
556 crop->regionlist[i].y2 = 0;
557@@ -5618,6 +5740,18 @@ getCropOffsets(struct image_data *image, struct crop_mask *crop, struct dump_opt
558 else
559 crop->regionlist[i].y2 = test - 1;
560 }
561+ */
562+ /* NEW PROPOSED Code: Assumption: offsets are within image with top left corner as origin (0,0) and 'start' <= 'end'. */
563+ crop->regionlist[i].y2 = offsets.starty + (uint32_t)(offsets.crop_length * 1.0 * seg / total);
564+ if (crop->regionlist[i].y2 > 0)crop->regionlist[i].y2 = crop->regionlist[i].y2 - 1;
565+ if (crop->regionlist[i].y2 < crop->regionlist[i].y1) {
566+ crop->regionlist[i].y2 = crop->regionlist[i].y1;
567+ } else if (crop->regionlist[i].y2 > offsets.endy) {
568+ crop->regionlist[i].y2 = offsets.endy;
569+ } else if (crop->regionlist[i].y2 >= image->length) {
570+ crop->regionlist[i].y2 = image->length - 1;
571+ }
572+
573 zlength = crop->regionlist[i].y2 - crop->regionlist[i].y1 + 1;
574
575 /* This is passed to extractCropZone or extractCompositeZones */
576@@ -7551,7 +7685,8 @@ processCropSelections(struct image_data *image, struct crop_mask *crop,
577 total_width = total_length = 0;
578 for (i = 0; i < crop->selections; i++)
579 {
580- cropsize = crop->bufftotal;
581+
582+ cropsize = crop->bufftotal;
583 crop_buff = seg_buffs[i].buffer;
584 if (!crop_buff)
585 crop_buff = (unsigned char *)limitMalloc(cropsize);
586@@ -7640,6 +7775,9 @@ processCropSelections(struct image_data *image, struct crop_mask *crop,
587
588 if (crop->crop_mode & CROP_ROTATE) /* rotate should be last as it can reallocate the buffer */
589 {
590+ /* rotateImage() changes image->width, ->length, ->xres and ->yres, what it schouldn't do here, when more than one section is processed.
591+ * ToDo: Therefore rotateImage() and its usage has to be reworked (e.g. like mirrorImage()) !!
592+ */
593 if (rotateImage(crop->rotation, image, &crop->regionlist[i].width,
594 &crop->regionlist[i].length, &crop_buff))
595 {
596@@ -7655,8 +7793,8 @@ processCropSelections(struct image_data *image, struct crop_mask *crop,
597 seg_buffs[i].size = (((crop->regionlist[i].width * image->bps + 7 ) / 8)
598 * image->spp) * crop->regionlist[i].length;
599 }
600- }
601- }
602+ } /* for crop->selections loop */
603+ } /* Separated Images (else case) */
604 return (0);
605 } /* end processCropSelections */
606
607--
6082.33.0
609
diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2022-2953.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2022-2953.patch
new file mode 100644
index 0000000000..3a3a915688
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2022-2953.patch
@@ -0,0 +1,87 @@
1CVE: CVE-2022-2953
2Upstream-Status: Backport
3Signed-off-by: Ross Burton <ross.burton@arm.com>
4Signed-off-by: Zheng Qiu <zheng.qiu@windriver.com>
5
6From 8fe3735942ea1d90d8cef843b55b3efe8ab6feaf Mon Sep 17 00:00:00 2001
7From: Su_Laus <sulau@freenet.de>
8Date: Mon, 15 Aug 2022 22:11:03 +0200
9Subject: [PATCH] =?UTF-8?q?According=20to=20Richard=20Nolde=20https://gitl?=
10 =?UTF-8?q?ab.com/libtiff/libtiff/-/issues/401#note=5F877637400=20the=20ti?=
11 =?UTF-8?q?ffcrop=20option=20=E2=80=9E-S=E2=80=9C=20is=20also=20mutually?=
12 =?UTF-8?q?=20exclusive=20to=20the=20other=20crop=20options=20(-X|-Y),=20-?=
13 =?UTF-8?q?Z=20and=20-z.?=
14MIME-Version: 1.0
15Content-Type: text/plain; charset=UTF-8
16Content-Transfer-Encoding: 8bit
17
18This is now checked and ends tiffcrop if those arguments are not mutually exclusive.
19
20This MR will fix the following tiffcrop issues: #349, #414, #422, #423, #424
21---
22 tools/tiffcrop.c | 31 ++++++++++++++++---------------
23 1 file changed, 16 insertions(+), 15 deletions(-)
24
25diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
26index 90286a5e..c3b758ec 100644
27--- a/tools/tiffcrop.c
28+++ b/tools/tiffcrop.c
29@@ -173,12 +173,12 @@ static char tiffcrop_rev_date[] = "02-09-2022";
30 #define ROTATECW_270 32
31 #define ROTATE_ANY (ROTATECW_90 | ROTATECW_180 | ROTATECW_270)
32
33-#define CROP_NONE 0
34-#define CROP_MARGINS 1
35-#define CROP_WIDTH 2
36-#define CROP_LENGTH 4
37-#define CROP_ZONES 8
38-#define CROP_REGIONS 16
39+#define CROP_NONE 0 /* "-S" -> Page_MODE_ROWSCOLS and page->rows/->cols != 0 */
40+#define CROP_MARGINS 1 /* "-m" */
41+#define CROP_WIDTH 2 /* "-X" */
42+#define CROP_LENGTH 4 /* "-Y" */
43+#define CROP_ZONES 8 /* "-Z" */
44+#define CROP_REGIONS 16 /* "-z" */
45 #define CROP_ROTATE 32
46 #define CROP_MIRROR 64
47 #define CROP_INVERT 128
48@@ -316,7 +316,7 @@ struct crop_mask {
49 #define PAGE_MODE_RESOLUTION 1
50 #define PAGE_MODE_PAPERSIZE 2
51 #define PAGE_MODE_MARGINS 4
52-#define PAGE_MODE_ROWSCOLS 8
53+#define PAGE_MODE_ROWSCOLS 8 /* for -S option */
54
55 #define INVERT_DATA_ONLY 10
56 #define INVERT_DATA_AND_TAG 11
57@@ -781,7 +781,7 @@ static const char usage_info[] =
58 " The four debug/dump options are independent, though it makes little sense to\n"
59 " specify a dump file without specifying a detail level.\n"
60 "\n"
61-"Note: The (-X|-Y), -Z and -z options are mutually exclusive.\n"
62+"Note: The (-X|-Y), -Z, -z and -S options are mutually exclusive.\n"
63 " In no case should the options be applied to a given selection successively.\n"
64 "\n"
65 ;
66@@ -2131,13 +2131,14 @@ void process_command_opts (int argc, char *argv[], char *mp, char *mode, uint32
67 /*NOTREACHED*/
68 }
69 }
70- /*-- Check for not allowed combinations (e.g. -X, -Y and -Z and -z are mutually exclusive) --*/
71- char XY, Z, R;
72+ /*-- Check for not allowed combinations (e.g. -X, -Y and -Z, -z and -S are mutually exclusive) --*/
73+ char XY, Z, R, S;
74 XY = ((crop_data->crop_mode & CROP_WIDTH) || (crop_data->crop_mode & CROP_LENGTH));
75 Z = (crop_data->crop_mode & CROP_ZONES);
76 R = (crop_data->crop_mode & CROP_REGIONS);
77- if ((XY && Z) || (XY && R) || (Z && R)) {
78- TIFFError("tiffcrop input error", "The crop options(-X|-Y), -Z and -z are mutually exclusive.->Exit");
79+ S = (page->mode & PAGE_MODE_ROWSCOLS);
80+ if ((XY && Z) || (XY && R) || (XY && S) || (Z && R) || (Z && S) || (R && S)) {
81+ TIFFError("tiffcrop input error", "The crop options(-X|-Y), -Z, -z and -S are mutually exclusive.->Exit");
82 exit(EXIT_FAILURE);
83 }
84 } /* end process_command_opts */
85--
862.34.1
87
diff --git a/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb b/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb
index f84057c46b..29a2c38d8e 100644
--- a/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb
+++ b/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb
@@ -25,6 +25,8 @@ SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
25 file://CVE-2022-2869.patch \ 25 file://CVE-2022-2869.patch \
26 file://CVE-2022-2867.patch \ 26 file://CVE-2022-2867.patch \
27 file://b258ed69a485a9cfb299d9f060eb2a46c54e5903.patch \ 27 file://b258ed69a485a9cfb299d9f060eb2a46c54e5903.patch \
28 file://0001-tiffcrop-Fix-issue-330-and-some-more-from-320-to-349.patch \
29 file://CVE-2022-2953.patch \
28 " 30 "
29 31
30SRC_URI[sha256sum] = "0e46e5acb087ce7d1ac53cf4f56a09b221537fc86dfc5daaad1c2e89e1b37ac8" 32SRC_URI[sha256sum] = "0e46e5acb087ce7d1ac53cf4f56a09b221537fc86dfc5daaad1c2e89e1b37ac8"
generated by cgit v1.2.3-54-g00ecf (git 2.39.0) at 2024-06-28 16:55:29 +0000