diff options
Diffstat (limited to 'meta/recipes-multimedia')
102 files changed, 7206 insertions, 12 deletions
diff --git a/meta/recipes-multimedia/alsa/alsa-lib_1.2.1.2.bb b/meta/recipes-multimedia/alsa/alsa-lib_1.2.1.2.bb index e2bc61fbe9..4867c798b9 100644 --- a/meta/recipes-multimedia/alsa/alsa-lib_1.2.1.2.bb +++ b/meta/recipes-multimedia/alsa/alsa-lib_1.2.1.2.bb | |||
@@ -1,4 +1,6 @@ | |||
1 | SUMMARY = "ALSA sound library" | 1 | SUMMARY = "ALSA sound library" |
2 | DESCRIPTION = "(Occasionally a.k.a. libasound) is a userspace library that \ | ||
3 | provides a level of abstraction over the /dev interfaces provided by the kernel modules." | ||
2 | HOMEPAGE = "http://www.alsa-project.org" | 4 | HOMEPAGE = "http://www.alsa-project.org" |
3 | BUGTRACKER = "http://alsa-project.org/main/index.php/Bug_Tracking" | 5 | BUGTRACKER = "http://alsa-project.org/main/index.php/Bug_Tracking" |
4 | SECTION = "libs/multimedia" | 6 | SECTION = "libs/multimedia" |
diff --git a/meta/recipes-multimedia/alsa/alsa-plugins_1.2.1.bb b/meta/recipes-multimedia/alsa/alsa-plugins_1.2.1.bb index 61d394b0f0..8205982fcc 100644 --- a/meta/recipes-multimedia/alsa/alsa-plugins_1.2.1.bb +++ b/meta/recipes-multimedia/alsa/alsa-plugins_1.2.1.bb | |||
@@ -1,4 +1,7 @@ | |||
1 | SUMMARY = "ALSA Plugins" | 1 | SUMMARY = "ALSA Plugins" |
2 | DESCRIPTION = "Used to create virtual devices that can be used like normal \ | ||
3 | hardware devices but cause extra processing of the sound stream to take place. \ | ||
4 | They are used while configuring ALSA in the .asoundrc file." | ||
2 | HOMEPAGE = "http://alsa-project.org" | 5 | HOMEPAGE = "http://alsa-project.org" |
3 | BUGTRACKER = "http://alsa-project.org/main/index.php/Bug_Tracking" | 6 | BUGTRACKER = "http://alsa-project.org/main/index.php/Bug_Tracking" |
4 | SECTION = "multimedia" | 7 | SECTION = "multimedia" |
@@ -33,7 +36,7 @@ PACKAGECONFIG ??= "\ | |||
33 | speexdsp \ | 36 | speexdsp \ |
34 | ${@bb.utils.filter('DISTRO_FEATURES', 'pulseaudio', d)} \ | 37 | ${@bb.utils.filter('DISTRO_FEATURES', 'pulseaudio', d)} \ |
35 | " | 38 | " |
36 | PACKAGECONFIG[aaf] = "--enable-aaf,--disable-aaf,avtp" | 39 | PACKAGECONFIG[aaf] = "--enable-aaf,--disable-aaf,libavtp" |
37 | PACKAGECONFIG[jack] = "--enable-jack,--disable-jack,jack" | 40 | PACKAGECONFIG[jack] = "--enable-jack,--disable-jack,jack" |
38 | PACKAGECONFIG[libav] = "--enable-libav,--disable-libav,libav" | 41 | PACKAGECONFIG[libav] = "--enable-libav,--disable-libav,libav" |
39 | PACKAGECONFIG[maemo-plugin] = "--enable-maemo-plugin,--disable-maemo-plugin" | 42 | PACKAGECONFIG[maemo-plugin] = "--enable-maemo-plugin,--disable-maemo-plugin" |
diff --git a/meta/recipes-multimedia/alsa/alsa-tools_1.1.7.bb b/meta/recipes-multimedia/alsa/alsa-tools_1.1.7.bb index c1f4acdb03..c979d7642e 100644 --- a/meta/recipes-multimedia/alsa/alsa-tools_1.1.7.bb +++ b/meta/recipes-multimedia/alsa/alsa-tools_1.1.7.bb | |||
@@ -1,4 +1,7 @@ | |||
1 | SUMMARY = "Advanced tools for certain ALSA sound card drivers" | 1 | SUMMARY = "Advanced tools for certain ALSA sound card drivers" |
2 | DESCRIPTION = "Package containing a number of tools ranging from envy24control \ | ||
3 | which provides complete control over all devices with an envy24 chip, to \ | ||
4 | firmware loaders for pcmcia, USB and the hdsp devices." | ||
2 | HOMEPAGE = "http://www.alsa-project.org" | 5 | HOMEPAGE = "http://www.alsa-project.org" |
3 | BUGTRACKER = "http://alsa-project.org/main/index.php/Bug_Tracking" | 6 | BUGTRACKER = "http://alsa-project.org/main/index.php/Bug_Tracking" |
4 | SECTION = "console/utils" | 7 | SECTION = "console/utils" |
diff --git a/meta/recipes-multimedia/alsa/alsa-topology-conf_1.2.1.bb b/meta/recipes-multimedia/alsa/alsa-topology-conf_1.2.1.bb index 5101cc7b7a..2ff5494c99 100644 --- a/meta/recipes-multimedia/alsa/alsa-topology-conf_1.2.1.bb +++ b/meta/recipes-multimedia/alsa/alsa-topology-conf_1.2.1.bb | |||
@@ -1,4 +1,7 @@ | |||
1 | SUMMARY = "ALSA topology configuration files" | 1 | SUMMARY = "ALSA topology configuration files" |
2 | DESCRIPTION = "Provides a method for audio drivers to load their mixers, \ | ||
3 | routing, PCMs and capabilities from user space at runtime without changing \ | ||
4 | any driver source code." | ||
2 | HOMEPAGE = "https://alsa-project.org" | 5 | HOMEPAGE = "https://alsa-project.org" |
3 | BUGTRACKER = "https://alsa-project.org/wiki/Bug_Tracking" | 6 | BUGTRACKER = "https://alsa-project.org/wiki/Bug_Tracking" |
4 | LICENSE = "BSD-3-Clause" | 7 | LICENSE = "BSD-3-Clause" |
diff --git a/meta/recipes-multimedia/alsa/alsa-ucm-conf_1.2.1.2.bb b/meta/recipes-multimedia/alsa/alsa-ucm-conf_1.2.1.2.bb index a432d5de07..ee1688b421 100644 --- a/meta/recipes-multimedia/alsa/alsa-ucm-conf_1.2.1.2.bb +++ b/meta/recipes-multimedia/alsa/alsa-ucm-conf_1.2.1.2.bb | |||
@@ -1,4 +1,7 @@ | |||
1 | SUMMARY = "ALSA Use Case Manager configuration" | 1 | SUMMARY = "ALSA Use Case Manager configuration" |
2 | DESCRIPTION = "This package contains ALSA Use Case Manager configuration \ | ||
3 | of audio input/output names and routing for specific audio hardware. \ | ||
4 | They can be used with the alsaucm tool. " | ||
2 | HOMEPAGE = "https://alsa-project.org" | 5 | HOMEPAGE = "https://alsa-project.org" |
3 | BUGTRACKER = "https://alsa-project.org/wiki/Bug_Tracking" | 6 | BUGTRACKER = "https://alsa-project.org/wiki/Bug_Tracking" |
4 | LICENSE = "BSD-3-Clause" | 7 | LICENSE = "BSD-3-Clause" |
diff --git a/meta/recipes-multimedia/alsa/alsa-utils_1.2.1.bb b/meta/recipes-multimedia/alsa/alsa-utils_1.2.1.bb index 1dc30f377b..54aa2f9544 100644 --- a/meta/recipes-multimedia/alsa/alsa-utils_1.2.1.bb +++ b/meta/recipes-multimedia/alsa/alsa-utils_1.2.1.bb | |||
@@ -1,4 +1,6 @@ | |||
1 | SUMMARY = "ALSA sound utilities" | 1 | SUMMARY = "ALSA sound utilities" |
2 | DESCRIPTION = "collection of small and often extremely powerful applications \ | ||
3 | designed to allow users to control the various parts of the ALSA system." | ||
2 | HOMEPAGE = "http://www.alsa-project.org" | 4 | HOMEPAGE = "http://www.alsa-project.org" |
3 | BUGTRACKER = "http://alsa-project.org/main/index.php/Bug_Tracking" | 5 | BUGTRACKER = "http://alsa-project.org/main/index.php/Bug_Tracking" |
4 | SECTION = "console/utils" | 6 | SECTION = "console/utils" |
diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2021-3566.patch b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2021-3566.patch new file mode 100644 index 0000000000..abfc024820 --- /dev/null +++ b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2021-3566.patch | |||
@@ -0,0 +1,61 @@ | |||
1 | From 3bce9e9b3ea35c54bacccc793d7da99ea5157532 Mon Sep 17 00:00:00 2001 | ||
2 | From: Paul B Mahol <onemda@gmail.com> | ||
3 | Date: Mon, 27 Jan 2020 21:53:08 +0100 | ||
4 | Subject: [PATCH] avformat/tty: add probe function | ||
5 | |||
6 | CVE: CVE-2021-3566 | ||
7 | Signed-off-by: Saloni Jain <salonij@kpit.com> | ||
8 | |||
9 | Upstream-Status: Backport [http://git.videolan.org/?p=ffmpeg.git;a=patch;h=3bce9e9b3ea35c54bacccc793d7da99ea5157532] | ||
10 | Comment: No changes/refreshing done. | ||
11 | --- | ||
12 | libavformat/tty.c | 21 ++++++++++++++++++++- | ||
13 | 1 file changed, 20 insertions(+), 1 deletion(-) | ||
14 | |||
15 | diff --git a/libavformat/tty.c b/libavformat/tty.c | ||
16 | index 8d48f2c45c12..60f7e9f87ee7 100644 | ||
17 | --- a/libavformat/tty.c | ||
18 | +++ b/libavformat/tty.c | ||
19 | @@ -34,6 +34,13 @@ | ||
20 | #include "internal.h" | ||
21 | #include "sauce.h" | ||
22 | |||
23 | +static int isansicode(int x) | ||
24 | +{ | ||
25 | + return x == 0x1B || x == 0x0A || x == 0x0D || (x >= 0x20 && x < 0x7f); | ||
26 | +} | ||
27 | + | ||
28 | +static const char tty_extensions[31] = "ans,art,asc,diz,ice,nfo,txt,vt"; | ||
29 | + | ||
30 | typedef struct TtyDemuxContext { | ||
31 | AVClass *class; | ||
32 | int chars_per_frame; | ||
33 | @@ -42,6 +49,17 @@ typedef struct TtyDemuxContext { | ||
34 | AVRational framerate; /**< Set by a private option. */ | ||
35 | } TtyDemuxContext; | ||
36 | |||
37 | +static int read_probe(const AVProbeData *p) | ||
38 | +{ | ||
39 | + int cnt = 0; | ||
40 | + | ||
41 | + for (int i = 0; i < p->buf_size; i++) | ||
42 | + cnt += !!isansicode(p->buf[i]); | ||
43 | + | ||
44 | + return (cnt * 100LL / p->buf_size) * (cnt > 400) * | ||
45 | + !!av_match_ext(p->filename, tty_extensions); | ||
46 | +} | ||
47 | + | ||
48 | /** | ||
49 | * Parse EFI header | ||
50 | */ | ||
51 | @@ -153,8 +171,9 @@ AVInputFormat ff_tty_demuxer = { | ||
52 | .name = "tty", | ||
53 | .long_name = NULL_IF_CONFIG_SMALL("Tele-typewriter"), | ||
54 | .priv_data_size = sizeof(TtyDemuxContext), | ||
55 | + .read_probe = read_probe, | ||
56 | .read_header = read_header, | ||
57 | .read_packet = read_packet, | ||
58 | - .extensions = "ans,art,asc,diz,ice,nfo,txt,vt", | ||
59 | + .extensions = tty_extensions, | ||
60 | .priv_class = &tty_demuxer_class, | ||
61 | }; | ||
diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2021-38291.patch b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2021-38291.patch new file mode 100644 index 0000000000..e5be985fc3 --- /dev/null +++ b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2021-38291.patch | |||
@@ -0,0 +1,53 @@ | |||
1 | From e01d306c647b5827102260b885faa223b646d2d1 Mon Sep 17 00:00:00 2001 | ||
2 | From: James Almer <jamrial@gmail.com> | ||
3 | Date: Wed, 21 Jul 2021 01:02:44 -0300 | ||
4 | Subject: [PATCH] avcodec/utils: don't return negative values in | ||
5 | av_get_audio_frame_duration() | ||
6 | |||
7 | In some extrme cases, like with adpcm_ms samples with an extremely high channel | ||
8 | count, get_audio_frame_duration() may return a negative frame duration value. | ||
9 | Don't propagate it, and instead return 0, signaling that a duration could not | ||
10 | be determined. | ||
11 | |||
12 | CVE: CVE-2021-3566 | ||
13 | Fixes ticket #9312 | ||
14 | Signed-off-by: James Almer <jamrial@gmail.com> | ||
15 | Signed-off-by: Saloni Jain <salonij@kpit.com> | ||
16 | |||
17 | Upstream-Status: Backport [http://git.videolan.org/?p=ffmpeg.git;a=patch;h=e01d306c647b5827102260b885faa223b646d2d1] | ||
18 | Comment: No changes/refreshing done. | ||
19 | --- | ||
20 | libavcodec/utils.c | 6 ++++-- | ||
21 | 1 file changed, 4 insertions(+), 2 deletions(-) | ||
22 | |||
23 | diff --git a/libavcodec/utils.c b/libavcodec/utils.c | ||
24 | index 5fad782f5a..cfc07cbcb8 100644 | ||
25 | --- a/libavcodec/utils.c | ||
26 | +++ b/libavcodec/utils.c | ||
27 | @@ -810,20 +810,22 @@ static int get_audio_frame_duration(enum AVCodecID id, int sr, int ch, int ba, | ||
28 | |||
29 | int av_get_audio_frame_duration(AVCodecContext *avctx, int frame_bytes) | ||
30 | { | ||
31 | - return get_audio_frame_duration(avctx->codec_id, avctx->sample_rate, | ||
32 | + int duration = get_audio_frame_duration(avctx->codec_id, avctx->sample_rate, | ||
33 | avctx->channels, avctx->block_align, | ||
34 | avctx->codec_tag, avctx->bits_per_coded_sample, | ||
35 | avctx->bit_rate, avctx->extradata, avctx->frame_size, | ||
36 | frame_bytes); | ||
37 | + return FFMAX(0, duration); | ||
38 | } | ||
39 | |||
40 | int av_get_audio_frame_duration2(AVCodecParameters *par, int frame_bytes) | ||
41 | { | ||
42 | - return get_audio_frame_duration(par->codec_id, par->sample_rate, | ||
43 | + int duration = get_audio_frame_duration(par->codec_id, par->sample_rate, | ||
44 | par->channels, par->block_align, | ||
45 | par->codec_tag, par->bits_per_coded_sample, | ||
46 | par->bit_rate, par->extradata, par->frame_size, | ||
47 | frame_bytes); | ||
48 | + return FFMAX(0, duration); | ||
49 | } | ||
50 | |||
51 | #if !HAVE_THREADS | ||
52 | -- | ||
53 | 2.20.1 | ||
diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2022-1475.patch b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2022-1475.patch new file mode 100644 index 0000000000..bd8a08a216 --- /dev/null +++ b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2022-1475.patch | |||
@@ -0,0 +1,36 @@ | |||
1 | From: Michael Niedermayer <michael@niedermayer.cc> | ||
2 | Date: Sun, 27 Feb 2022 14:43:04 +0100 | ||
3 | Subject: [PATCH] avcodec/g729_parser: Check channels | ||
4 | |||
5 | Fixes: signed integer overflow: 10 * 808464428 cannot be represented in type 'int' | ||
6 | Fixes: assertion failure | ||
7 | Fixes: ticket9651 | ||
8 | |||
9 | Reviewed-by: Paul B Mahol <onemda@gmail.com> | ||
10 | Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> | ||
11 | (cherry picked from commit 757da974b21833529cc41bdcc9684c29660cdfa8) | ||
12 | Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> | ||
13 | |||
14 | CVE: CVE-2022-1475 | ||
15 | Upstream-Status: Backport [https://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=e9e2ddbc6c78cc18b76093617f82c920e58a8d1f] | ||
16 | Comment: Patch is refreshed as per ffmpeg codebase | ||
17 | Signed-off-by: Virendra Thakur <virendra.thakur@kpit.com> | ||
18 | |||
19 | --- | ||
20 | libavcodec/g729_parser.c | 3 +++ | ||
21 | 1 file changed, 3 insertions(+) | ||
22 | |||
23 | Index: ffmpeg-4.2.2/libavcodec/g729_parser.c | ||
24 | =================================================================== | ||
25 | --- a/libavcodec/g729_parser.c | ||
26 | +++ b/libavcodec/g729_parser.c | ||
27 | @@ -48,6 +48,9 @@ static int g729_parse(AVCodecParserConte | ||
28 | av_assert1(avctx->codec_id == AV_CODEC_ID_G729); | ||
29 | /* FIXME: replace this heuristic block_size with more precise estimate */ | ||
30 | s->block_size = (avctx->bit_rate < 8000) ? G729D_6K4_BLOCK_SIZE : G729_8K_BLOCK_SIZE; | ||
31 | + // channels > 2 is invalid, we pass the packet on unchanged | ||
32 | + if (avctx->channels > 2) | ||
33 | + s->block_size = 0; | ||
34 | s->block_size *= avctx->channels; | ||
35 | s->duration = avctx->frame_size; | ||
36 | } | ||
diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2022-3109.patch b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2022-3109.patch new file mode 100644 index 0000000000..febf49cff2 --- /dev/null +++ b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2022-3109.patch | |||
@@ -0,0 +1,41 @@ | |||
1 | From 656cb0450aeb73b25d7d26980af342b37ac4c568 Mon Sep 17 00:00:00 2001 | ||
2 | From: Jiasheng Jiang <jiasheng@iscas.ac.cn> | ||
3 | Date: Tue, 15 Feb 2022 17:58:08 +0800 | ||
4 | Subject: [PATCH] avcodec/vp3: Add missing check for av_malloc | ||
5 | |||
6 | Since the av_malloc() may fail and return NULL pointer, | ||
7 | it is needed that the 's->edge_emu_buffer' should be checked | ||
8 | whether the new allocation is success. | ||
9 | |||
10 | Fixes: d14723861b ("VP3: fix decoding of videos with stride > 2048") | ||
11 | |||
12 | CVE: CVE-2022-3109 | ||
13 | Upstream-Status: Backport [https://github.com/FFmpeg/FFmpeg/commit/656cb0450aeb73b25d7d26980af342b37ac4c568] | ||
14 | Comments: Refreshed hunk | ||
15 | |||
16 | Reviewed-by: Peter Ross <pross@xvid.org> | ||
17 | Signed-off-by: Jiasheng Jiang <jiasheng@iscas.ac.cn> | ||
18 | Signed-off-by: Bhabu Bindu <bhabu.bindu@kpit.com> | ||
19 | --- | ||
20 | libavcodec/vp3.c | 7 ++++++- | ||
21 | 1 file changed, 6 insertions(+), 1 deletion(-) | ||
22 | |||
23 | diff --git a/libavcodec/vp3.c b/libavcodec/vp3.c | ||
24 | index e9ab54d73677..e2418eb6fa04 100644 | ||
25 | --- a/libavcodec/vp3.c | ||
26 | +++ b/libavcodec/vp3.c | ||
27 | @@ -2740,8 +2740,13 @@ | ||
28 | if (ff_thread_get_buffer(avctx, &s->current_frame, AV_GET_BUFFER_FLAG_REF) < 0) | ||
29 | goto error; | ||
30 | |||
31 | - if (!s->edge_emu_buffer) | ||
32 | + if (!s->edge_emu_buffer) { | ||
33 | s->edge_emu_buffer = av_malloc(9 * FFABS(s->current_frame.f->linesize[0])); | ||
34 | + if (!s->edge_emu_buffer) { | ||
35 | + ret = AVERROR(ENOMEM); | ||
36 | + goto error; | ||
37 | + } | ||
38 | + } | ||
39 | |||
40 | if (s->keyframe) { | ||
41 | if (!s->theora) { | ||
diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2022-3341.patch b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2022-3341.patch new file mode 100644 index 0000000000..fcbd9b3e1b --- /dev/null +++ b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2022-3341.patch | |||
@@ -0,0 +1,67 @@ | |||
1 | From 9cf652cef49d74afe3d454f27d49eb1a1394951e Mon Sep 17 00:00:00 2001 | ||
2 | From: Jiasheng Jiang <jiasheng@iscas.ac.cn> | ||
3 | Date: Wed, 23 Feb 2022 10:31:59 +0800 | ||
4 | Subject: [PATCH] avformat/nutdec: Add check for avformat_new_stream | ||
5 | |||
6 | Check for failure of avformat_new_stream() and propagate | ||
7 | the error code. | ||
8 | |||
9 | Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> | ||
10 | |||
11 | CVE: CVE-2022-3341 | ||
12 | |||
13 | Upstream-Status: Backport [https://github.com/FFmpeg/FFmpeg/commit/9cf652cef49d74afe3d454f27d49eb1a1394951e] | ||
14 | |||
15 | Comments: Refreshed Hunk | ||
16 | Signed-off-by: Narpat Mali <narpat.mali@windriver.com> | ||
17 | Signed-off-by: Bhabu Bindu <bhabu.bindu@kpit.com> | ||
18 | --- | ||
19 | libavformat/nutdec.c | 16 ++++++++++++---- | ||
20 | 1 file changed, 12 insertions(+), 4 deletions(-) | ||
21 | |||
22 | diff --git a/libavformat/nutdec.c b/libavformat/nutdec.c | ||
23 | index 0a8a700acf..f9ad2c0af1 100644 | ||
24 | --- a/libavformat/nutdec.c | ||
25 | +++ b/libavformat/nutdec.c | ||
26 | @@ -351,8 +351,12 @@ static int decode_main_header(NUTContext *nut) | ||
27 | ret = AVERROR(ENOMEM); | ||
28 | goto fail; | ||
29 | } | ||
30 | - for (i = 0; i < stream_count; i++) | ||
31 | - avformat_new_stream(s, NULL); | ||
32 | + for (i = 0; i < stream_count; i++) { | ||
33 | + if (!avformat_new_stream(s, NULL)) { | ||
34 | + ret = AVERROR(ENOMEM); | ||
35 | + goto fail; | ||
36 | + } | ||
37 | + } | ||
38 | |||
39 | return 0; | ||
40 | fail: | ||
41 | @@ -793,19 +793,23 @@ | ||
42 | NUTContext *nut = s->priv_data; | ||
43 | AVIOContext *bc = s->pb; | ||
44 | int64_t pos; | ||
45 | - int initialized_stream_count; | ||
46 | + int initialized_stream_count, ret; | ||
47 | |||
48 | nut->avf = s; | ||
49 | |||
50 | /* main header */ | ||
51 | pos = 0; | ||
52 | + ret = 0; | ||
53 | do { | ||
54 | + if (ret == AVERROR(ENOMEM)) | ||
55 | + return ret; | ||
56 | + | ||
57 | pos = find_startcode(bc, MAIN_STARTCODE, pos) + 1; | ||
58 | if (pos < 0 + 1) { | ||
59 | av_log(s, AV_LOG_ERROR, "No main startcode found.\n"); | ||
60 | goto fail; | ||
61 | } | ||
62 | - } while (decode_main_header(nut) < 0); | ||
63 | + } while ((ret = decode_main_header(nut)) < 0); | ||
64 | |||
65 | /* stream headers */ | ||
66 | pos = 0; | ||
67 | |||
diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2022-48434.patch b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2022-48434.patch new file mode 100644 index 0000000000..707073709a --- /dev/null +++ b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2022-48434.patch | |||
@@ -0,0 +1,136 @@ | |||
1 | From d4b7b3c03ee2baf0166ce49dff17ec9beff684db Mon Sep 17 00:00:00 2001 | ||
2 | From: Anton Khirnov <anton@khirnov.net> | ||
3 | Date: Fri, 2 Sep 2022 22:21:27 +0200 | ||
4 | Subject: [PATCH] lavc/pthread_frame: avoid leaving stale hwaccel state in | ||
5 | worker threads | ||
6 | |||
7 | This state is not refcounted, so make sure it always has a well-defined | ||
8 | owner. | ||
9 | |||
10 | Remove the block added in 091341f2ab5bd35ca1a2aae90503adc74f8d3523, as | ||
11 | this commit also solves that issue in a more general way. | ||
12 | |||
13 | (cherry picked from commit cc867f2c09d2b69cee8a0eccd62aff002cbbfe11) | ||
14 | Signed-off-by: Anton Khirnov <anton@khirnov.net> | ||
15 | (cherry picked from commit 35aa7e70e7ec350319e7634a30d8d8aa1e6ecdda) | ||
16 | Signed-off-by: Anton Khirnov <anton@khirnov.net> | ||
17 | (cherry picked from commit 3bc28e9d1ab33627cea3c632dd6b0c33e22e93ba) | ||
18 | Signed-off-by: Anton Khirnov <anton@khirnov.net> | ||
19 | |||
20 | CVE: CVE-2022-48434 | ||
21 | Upstream-Status: Backport [https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/d4b7b3c03ee2baf0166ce49dff17ec9beff684db] | ||
22 | Signed-off-by: Ranjitsinh Rathod ranjitsinh.rathod@kpit.com | ||
23 | Comment: Hunk#6 refreshed to backport changes and other to remove patch-fuzz warnings | ||
24 | --- | ||
25 | libavcodec/pthread_frame.c | 46 +++++++++++++++++++++++++++++--------- | ||
26 | 1 file changed, 35 insertions(+), 11 deletions(-) | ||
27 | |||
28 | diff --git a/libavcodec/pthread_frame.c b/libavcodec/pthread_frame.c | ||
29 | index 36ac0ac..bbc5ba6 100644 | ||
30 | --- a/libavcodec/pthread_frame.c | ||
31 | +++ b/libavcodec/pthread_frame.c | ||
32 | @@ -135,6 +135,12 @@ typedef struct FrameThreadContext { | ||
33 | * Set for the first N packets, where N is the number of threads. | ||
34 | * While it is set, ff_thread_en/decode_frame won't return any results. | ||
35 | */ | ||
36 | + | ||
37 | + /* hwaccel state is temporarily stored here in order to transfer its ownership | ||
38 | + * to the next decoding thread without the need for extra synchronization */ | ||
39 | + const AVHWAccel *stash_hwaccel; | ||
40 | + void *stash_hwaccel_context; | ||
41 | + void *stash_hwaccel_priv; | ||
42 | } FrameThreadContext; | ||
43 | |||
44 | #define THREAD_SAFE_CALLBACKS(avctx) \ | ||
45 | @@ -211,9 +217,17 @@ static attribute_align_arg void *frame_worker_thread(void *arg) | ||
46 | ff_thread_finish_setup(avctx); | ||
47 | |||
48 | if (p->hwaccel_serializing) { | ||
49 | + /* wipe hwaccel state to avoid stale pointers lying around; | ||
50 | + * the state was transferred to FrameThreadContext in | ||
51 | + * ff_thread_finish_setup(), so nothing is leaked */ | ||
52 | + avctx->hwaccel = NULL; | ||
53 | + avctx->hwaccel_context = NULL; | ||
54 | + avctx->internal->hwaccel_priv_data = NULL; | ||
55 | + | ||
56 | p->hwaccel_serializing = 0; | ||
57 | pthread_mutex_unlock(&p->parent->hwaccel_mutex); | ||
58 | } | ||
59 | + av_assert0(!avctx->hwaccel); | ||
60 | |||
61 | if (p->async_serializing) { | ||
62 | p->async_serializing = 0; | ||
63 | @@ -275,14 +289,10 @@ static int update_context_from_thread(AVCodecContext *dst, AVCodecContext *src, | ||
64 | dst->color_range = src->color_range; | ||
65 | dst->chroma_sample_location = src->chroma_sample_location; | ||
66 | |||
67 | - dst->hwaccel = src->hwaccel; | ||
68 | - dst->hwaccel_context = src->hwaccel_context; | ||
69 | - | ||
70 | dst->channels = src->channels; | ||
71 | dst->sample_rate = src->sample_rate; | ||
72 | dst->sample_fmt = src->sample_fmt; | ||
73 | dst->channel_layout = src->channel_layout; | ||
74 | - dst->internal->hwaccel_priv_data = src->internal->hwaccel_priv_data; | ||
75 | |||
76 | if (!!dst->hw_frames_ctx != !!src->hw_frames_ctx || | ||
77 | (dst->hw_frames_ctx && dst->hw_frames_ctx->data != src->hw_frames_ctx->data)) { | ||
78 | @@ -415,6 +425,12 @@ static int submit_packet(PerThreadContext *p, AVCodecContext *user_avctx, | ||
79 | pthread_mutex_unlock(&p->mutex); | ||
80 | return err; | ||
81 | } | ||
82 | + | ||
83 | + /* transfer hwaccel state stashed from previous thread, if any */ | ||
84 | + av_assert0(!p->avctx->hwaccel); | ||
85 | + FFSWAP(const AVHWAccel*, p->avctx->hwaccel, fctx->stash_hwaccel); | ||
86 | + FFSWAP(void*, p->avctx->hwaccel_context, fctx->stash_hwaccel_context); | ||
87 | + FFSWAP(void*, p->avctx->internal->hwaccel_priv_data, fctx->stash_hwaccel_priv); | ||
88 | } | ||
89 | |||
90 | av_packet_unref(&p->avpkt); | ||
91 | @@ -616,6 +632,14 @@ void ff_thread_finish_setup(AVCodecContext *avctx) { | ||
92 | async_lock(p->parent); | ||
93 | } | ||
94 | |||
95 | + /* save hwaccel state for passing to the next thread; | ||
96 | + * this is done here so that this worker thread can wipe its own hwaccel | ||
97 | + * state after decoding, without requiring synchronization */ | ||
98 | + av_assert0(!p->parent->stash_hwaccel); | ||
99 | + p->parent->stash_hwaccel = avctx->hwaccel; | ||
100 | + p->parent->stash_hwaccel_context = avctx->hwaccel_context; | ||
101 | + p->parent->stash_hwaccel_priv = avctx->internal->hwaccel_priv_data; | ||
102 | + | ||
103 | pthread_mutex_lock(&p->progress_mutex); | ||
104 | if(atomic_load(&p->state) == STATE_SETUP_FINISHED){ | ||
105 | av_log(avctx, AV_LOG_WARNING, "Multiple ff_thread_finish_setup() calls\n"); | ||
106 | @@ -657,13 +681,6 @@ void ff_frame_thread_free(AVCodecContext *avctx, int thread_count) | ||
107 | |||
108 | park_frame_worker_threads(fctx, thread_count); | ||
109 | |||
110 | - if (fctx->prev_thread && fctx->prev_thread != fctx->threads) | ||
111 | - if (update_context_from_thread(fctx->threads->avctx, fctx->prev_thread->avctx, 0) < 0) { | ||
112 | - av_log(avctx, AV_LOG_ERROR, "Final thread update failed\n"); | ||
113 | - fctx->prev_thread->avctx->internal->is_copy = fctx->threads->avctx->internal->is_copy; | ||
114 | - fctx->threads->avctx->internal->is_copy = 1; | ||
115 | - } | ||
116 | - | ||
117 | for (i = 0; i < thread_count; i++) { | ||
118 | PerThreadContext *p = &fctx->threads[i]; | ||
119 | |||
120 | @@ -713,6 +730,13 @@ void ff_frame_thread_free(AVCodecContext *avctx, int thread_count) | ||
121 | pthread_mutex_destroy(&fctx->async_mutex); | ||
122 | pthread_cond_destroy(&fctx->async_cond); | ||
123 | |||
124 | + /* if we have stashed hwaccel state, move it to the user-facing context, | ||
125 | + * so it will be freed in avcodec_close() */ | ||
126 | + av_assert0(!avctx->hwaccel); | ||
127 | + FFSWAP(const AVHWAccel*, avctx->hwaccel, fctx->stash_hwaccel); | ||
128 | + FFSWAP(void*, avctx->hwaccel_context, fctx->stash_hwaccel_context); | ||
129 | + FFSWAP(void*, avctx->internal->hwaccel_priv_data, fctx->stash_hwaccel_priv); | ||
130 | + | ||
131 | av_freep(&avctx->internal->thread_ctx); | ||
132 | |||
133 | if (avctx->priv_data && avctx->codec && avctx->codec->priv_class) | ||
134 | -- | ||
135 | 2.25.1 | ||
136 | |||
diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg_4.2.2.bb b/meta/recipes-multimedia/ffmpeg/ffmpeg_4.2.2.bb index 0e359848fa..f12052548f 100644 --- a/meta/recipes-multimedia/ffmpeg/ffmpeg_4.2.2.bb +++ b/meta/recipes-multimedia/ffmpeg/ffmpeg_4.2.2.bb | |||
@@ -27,7 +27,13 @@ SRC_URI = "https://www.ffmpeg.org/releases/${BP}.tar.xz \ | |||
27 | file://mips64_cpu_detection.patch \ | 27 | file://mips64_cpu_detection.patch \ |
28 | file://CVE-2020-12284.patch \ | 28 | file://CVE-2020-12284.patch \ |
29 | file://0001-libavutil-include-assembly-with-full-path-from-sourc.patch \ | 29 | file://0001-libavutil-include-assembly-with-full-path-from-sourc.patch \ |
30 | " | 30 | file://CVE-2021-3566.patch \ |
31 | file://CVE-2021-38291.patch \ | ||
32 | file://CVE-2022-1475.patch \ | ||
33 | file://CVE-2022-3109.patch \ | ||
34 | file://CVE-2022-3341.patch \ | ||
35 | file://CVE-2022-48434.patch \ | ||
36 | " | ||
31 | SRC_URI[md5sum] = "348956fc2faa57a2f79bbb84ded9fbc3" | 37 | SRC_URI[md5sum] = "348956fc2faa57a2f79bbb84ded9fbc3" |
32 | SRC_URI[sha256sum] = "cb754255ab0ee2ea5f66f8850e1bd6ad5cac1cd855d0a2f4990fb8c668b0d29c" | 38 | SRC_URI[sha256sum] = "cb754255ab0ee2ea5f66f8850e1bd6ad5cac1cd855d0a2f4990fb8c668b0d29c" |
33 | 39 | ||
diff --git a/meta/recipes-multimedia/flac/files/CVE-2020-22219.patch b/meta/recipes-multimedia/flac/files/CVE-2020-22219.patch new file mode 100644 index 0000000000..e042872dc0 --- /dev/null +++ b/meta/recipes-multimedia/flac/files/CVE-2020-22219.patch | |||
@@ -0,0 +1,197 @@ | |||
1 | From 579ff6922089cbbbd179619e40e622e279bd719f Mon Sep 17 00:00:00 2001 | ||
2 | From: Martijn van Beurden <mvanb1@gmail.com> | ||
3 | Date: Wed, 3 Aug 2022 13:52:19 +0200 | ||
4 | Subject: [PATCH] flac: Add and use _nofree variants of safe_realloc functions | ||
5 | |||
6 | Parts of the code use realloc like | ||
7 | |||
8 | x = safe_realloc(x, somesize); | ||
9 | |||
10 | when this is the case, the safe_realloc variant used must free the | ||
11 | old memory block in case it fails, otherwise it will leak. However, | ||
12 | there are also instances in the code where handling is different: | ||
13 | |||
14 | if (0 == (x = safe_realloc(y, somesize))) | ||
15 | return false | ||
16 | |||
17 | in this case, y should not be freed, as y is not set to NULL we | ||
18 | could encounter double frees. Here the safe_realloc_nofree | ||
19 | functions are used. | ||
20 | |||
21 | Upstream-Status: Backport [https://github.com/xiph/flac/commit/21fe95ee828b0b9b944f6aa0bb02d24fbb981815] | ||
22 | CVE: CVE-2020-22219 | ||
23 | |||
24 | Signed-off-by: Meenali Gupta <meenali.gupta@windriver.com> | ||
25 | --- | ||
26 | include/share/alloc.h | 41 +++++++++++++++++++++++++++++++---- | ||
27 | src/flac/encode.c | 4 ++-- | ||
28 | src/flac/foreign_metadata.c | 2 +- | ||
29 | src/libFLAC/bitwriter.c | 2 +- | ||
30 | src/libFLAC/metadata_object.c | 2 +- | ||
31 | src/plugin_common/tags.c | 2 +- | ||
32 | src/share/utf8/iconvert.c | 2 +- | ||
33 | 7 files changed, 44 insertions(+), 11 deletions(-) | ||
34 | |||
35 | diff --git a/include/share/alloc.h b/include/share/alloc.h | ||
36 | index 914de9b..55bdd1d 100644 | ||
37 | --- a/include/share/alloc.h | ||
38 | +++ b/include/share/alloc.h | ||
39 | @@ -161,17 +161,30 @@ static inline void *safe_realloc_(void *ptr, size_t size) | ||
40 | free(oldptr); | ||
41 | return newptr; | ||
42 | } | ||
43 | -static inline void *safe_realloc_add_2op_(void *ptr, size_t size1, size_t size2) | ||
44 | +static inline void *safe_realloc_nofree_add_2op_(void *ptr, size_t size1, size_t size2) | ||
45 | +{ | ||
46 | + size2 += size1; | ||
47 | + if(size2 < size1) | ||
48 | + return 0; | ||
49 | + return realloc(ptr, size2); | ||
50 | +} | ||
51 | + | ||
52 | +static inline void *safe_realloc_add_3op_(void *ptr, size_t size1, size_t size2, size_t size3) | ||
53 | { | ||
54 | size2 += size1; | ||
55 | if(size2 < size1) { | ||
56 | free(ptr); | ||
57 | return 0; | ||
58 | } | ||
59 | - return realloc(ptr, size2); | ||
60 | + size3 += size2; | ||
61 | + if(size3 < size2) { | ||
62 | + free(ptr); | ||
63 | + return 0; | ||
64 | + } | ||
65 | + return safe_realloc_(ptr, size3); | ||
66 | } | ||
67 | |||
68 | -static inline void *safe_realloc_add_3op_(void *ptr, size_t size1, size_t size2, size_t size3) | ||
69 | +static inline void *safe_realloc_nofree_add_3op_(void *ptr, size_t size1, size_t size2, size_t size3) | ||
70 | { | ||
71 | size2 += size1; | ||
72 | if(size2 < size1) | ||
73 | @@ -182,7 +195,7 @@ static inline void *safe_realloc_add_3op_(void *ptr, size_t size1, size_t size2, | ||
74 | return realloc(ptr, size3); | ||
75 | } | ||
76 | |||
77 | -static inline void *safe_realloc_add_4op_(void *ptr, size_t size1, size_t size2, size_t size3, size_t size4) | ||
78 | +static inline void *safe_realloc_nofree_add_4op_(void *ptr, size_t size1, size_t size2, size_t size3, size_t size4) | ||
79 | { | ||
80 | size2 += size1; | ||
81 | if(size2 < size1) | ||
82 | @@ -205,6 +218,15 @@ static inline void *safe_realloc_mul_2op_(void *ptr, size_t size1, size_t size2) | ||
83 | return safe_realloc_(ptr, size1*size2); | ||
84 | } | ||
85 | |||
86 | +static inline void *safe_realloc_nofree_mul_2op_(void *ptr, size_t size1, size_t size2) | ||
87 | +{ | ||
88 | + if(!size1 || !size2) | ||
89 | + return realloc(ptr, 0); /* preserve POSIX realloc(ptr, 0) semantics */ | ||
90 | + if(size1 > SIZE_MAX / size2) | ||
91 | + return 0; | ||
92 | + return realloc(ptr, size1*size2); | ||
93 | +} | ||
94 | + | ||
95 | /* size1 * (size2 + size3) */ | ||
96 | static inline void *safe_realloc_muladd2_(void *ptr, size_t size1, size_t size2, size_t size3) | ||
97 | { | ||
98 | @@ -216,4 +238,15 @@ static inline void *safe_realloc_muladd2_(void *ptr, size_t size1, size_t size2, | ||
99 | return safe_realloc_mul_2op_(ptr, size1, size2); | ||
100 | } | ||
101 | |||
102 | +/* size1 * (size2 + size3) */ | ||
103 | +static inline void *safe_realloc_nofree_muladd2_(void *ptr, size_t size1, size_t size2, size_t size3) | ||
104 | +{ | ||
105 | + if(!size1 || (!size2 && !size3)) | ||
106 | + return realloc(ptr, 0); /* preserve POSIX realloc(ptr, 0) semantics */ | ||
107 | + size2 += size3; | ||
108 | + if(size2 < size3) | ||
109 | + return 0; | ||
110 | + return safe_realloc_nofree_mul_2op_(ptr, size1, size2); | ||
111 | +} | ||
112 | + | ||
113 | #endif | ||
114 | diff --git a/src/flac/encode.c b/src/flac/encode.c | ||
115 | index a9b907f..f87250c 100644 | ||
116 | --- a/src/flac/encode.c | ||
117 | +++ b/src/flac/encode.c | ||
118 | @@ -1743,10 +1743,10 @@ static void static_metadata_clear(static_metadata_t *m) | ||
119 | static FLAC__bool static_metadata_append(static_metadata_t *m, FLAC__StreamMetadata *d, FLAC__bool needs_delete) | ||
120 | { | ||
121 | void *x; | ||
122 | - if(0 == (x = safe_realloc_muladd2_(m->metadata, sizeof(*m->metadata), /*times (*/m->num_metadata, /*+*/1/*)*/))) | ||
123 | + if(0 == (x = safe_realloc_nofree_muladd2_(m->metadata, sizeof(*m->metadata), /*times (*/m->num_metadata, /*+*/1/*)*/))) | ||
124 | return false; | ||
125 | m->metadata = (FLAC__StreamMetadata**)x; | ||
126 | - if(0 == (x = safe_realloc_muladd2_(m->needs_delete, sizeof(*m->needs_delete), /*times (*/m->num_metadata, /*+*/1/*)*/))) | ||
127 | + if(0 == (x = safe_realloc_nofree_muladd2_(m->needs_delete, sizeof(*m->needs_delete), /*times (*/m->num_metadata, /*+*/1/*)*/))) | ||
128 | return false; | ||
129 | m->needs_delete = (FLAC__bool*)x; | ||
130 | m->metadata[m->num_metadata] = d; | ||
131 | diff --git a/src/flac/foreign_metadata.c b/src/flac/foreign_metadata.c | ||
132 | index 9ad9c18..fdfb3cf 100644 | ||
133 | --- a/src/flac/foreign_metadata.c | ||
134 | +++ b/src/flac/foreign_metadata.c | ||
135 | @@ -75,7 +75,7 @@ static FLAC__bool copy_data_(FILE *fin, FILE *fout, size_t size, const char **er | ||
136 | |||
137 | static FLAC__bool append_block_(foreign_metadata_t *fm, FLAC__off_t offset, FLAC__uint32 size, const char **error) | ||
138 | { | ||
139 | - foreign_block_t *fb = safe_realloc_muladd2_(fm->blocks, sizeof(foreign_block_t), /*times (*/fm->num_blocks, /*+*/1/*)*/); | ||
140 | + foreign_block_t *fb = safe_realloc_nofree_muladd2_(fm->blocks, sizeof(foreign_block_t), /*times (*/fm->num_blocks, /*+*/1/*)*/); | ||
141 | if(fb) { | ||
142 | fb[fm->num_blocks].offset = offset; | ||
143 | fb[fm->num_blocks].size = size; | ||
144 | diff --git a/src/libFLAC/bitwriter.c b/src/libFLAC/bitwriter.c | ||
145 | index 6e86585..a510b0d 100644 | ||
146 | --- a/src/libFLAC/bitwriter.c | ||
147 | +++ b/src/libFLAC/bitwriter.c | ||
148 | @@ -124,7 +124,7 @@ FLAC__bool bitwriter_grow_(FLAC__BitWriter *bw, uint32_t bits_to_add) | ||
149 | FLAC__ASSERT(new_capacity > bw->capacity); | ||
150 | FLAC__ASSERT(new_capacity >= bw->words + ((bw->bits + bits_to_add + FLAC__BITS_PER_WORD - 1) / FLAC__BITS_PER_WORD)); | ||
151 | |||
152 | - new_buffer = safe_realloc_mul_2op_(bw->buffer, sizeof(bwword), /*times*/new_capacity); | ||
153 | + new_buffer = safe_realloc_nofree_mul_2op_(bw->buffer, sizeof(bwword), /*times*/new_capacity); | ||
154 | if(new_buffer == 0) | ||
155 | return false; | ||
156 | bw->buffer = new_buffer; | ||
157 | diff --git a/src/libFLAC/metadata_object.c b/src/libFLAC/metadata_object.c | ||
158 | index de8e513..aef65be 100644 | ||
159 | --- a/src/libFLAC/metadata_object.c | ||
160 | +++ b/src/libFLAC/metadata_object.c | ||
161 | @@ -98,7 +98,7 @@ static FLAC__bool free_copy_bytes_(FLAC__byte **to, const FLAC__byte *from, uint | ||
162 | /* realloc() failure leaves entry unchanged */ | ||
163 | static FLAC__bool ensure_null_terminated_(FLAC__byte **entry, uint32_t length) | ||
164 | { | ||
165 | - FLAC__byte *x = safe_realloc_add_2op_(*entry, length, /*+*/1); | ||
166 | + FLAC__byte *x = safe_realloc_nofree_add_2op_(*entry, length, /*+*/1); | ||
167 | if (x != NULL) { | ||
168 | x[length] = '\0'; | ||
169 | *entry = x; | ||
170 | diff --git a/src/plugin_common/tags.c b/src/plugin_common/tags.c | ||
171 | index ae440c5..dfa10d3 100644 | ||
172 | --- a/src/plugin_common/tags.c | ||
173 | +++ b/src/plugin_common/tags.c | ||
174 | @@ -317,7 +317,7 @@ FLAC__bool FLAC_plugin__tags_add_tag_utf8(FLAC__StreamMetadata *tags, const char | ||
175 | const size_t value_len = strlen(value); | ||
176 | const size_t separator_len = strlen(separator); | ||
177 | FLAC__byte *new_entry; | ||
178 | - if(0 == (new_entry = safe_realloc_add_4op_(entry->entry, entry->length, /*+*/value_len, /*+*/separator_len, /*+*/1))) | ||
179 | + if(0 == (new_entry = safe_realloc_nofree_add_4op_(entry->entry, entry->length, /*+*/value_len, /*+*/separator_len, /*+*/1))) | ||
180 | return false; | ||
181 | memcpy(new_entry+entry->length, separator, separator_len); | ||
182 | entry->length += separator_len; | ||
183 | diff --git a/src/share/utf8/iconvert.c b/src/share/utf8/iconvert.c | ||
184 | index 8ab53c1..876c06e 100644 | ||
185 | --- a/src/share/utf8/iconvert.c | ||
186 | +++ b/src/share/utf8/iconvert.c | ||
187 | @@ -149,7 +149,7 @@ int iconvert(const char *fromcode, const char *tocode, | ||
188 | iconv_close(cd1); | ||
189 | return ret; | ||
190 | } | ||
191 | - newbuf = safe_realloc_add_2op_(utfbuf, (ob - utfbuf), /*+*/1); | ||
192 | + newbuf = safe_realloc_nofree_add_2op_(utfbuf, (ob - utfbuf), /*+*/1); | ||
193 | if (!newbuf) | ||
194 | goto fail; | ||
195 | ob = (ob - utfbuf) + newbuf; | ||
196 | -- | ||
197 | 2.40.0 | ||
diff --git a/meta/recipes-multimedia/flac/files/CVE-2021-0561.patch b/meta/recipes-multimedia/flac/files/CVE-2021-0561.patch new file mode 100644 index 0000000000..e19833a5ad --- /dev/null +++ b/meta/recipes-multimedia/flac/files/CVE-2021-0561.patch | |||
@@ -0,0 +1,34 @@ | |||
1 | From e1575e4a7c5157cbf4e4a16dbd39b74f7174c7be Mon Sep 17 00:00:00 2001 | ||
2 | From: Neelkamal Semwal <neelkamal.semwal@ittiam.com> | ||
3 | Date: Fri, 18 Dec 2020 22:28:36 +0530 | ||
4 | Subject: [PATCH] libFlac: Exit at EOS in verify mode | ||
5 | |||
6 | When verify mode is enabled, once decoder flags end of stream, | ||
7 | encode processing is considered complete. | ||
8 | |||
9 | CVE-2021-0561 | ||
10 | |||
11 | Signed-off-by: Ralph Giles <giles@thaumas.net> | ||
12 | |||
13 | Upstream-Status: Backport [https://github.com/xiph/flac/commit/e1575e4a7c5157cbf4e4a16dbd39b74f7174c7be] | ||
14 | CVE: CVE-2021-0561 | ||
15 | Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> | ||
16 | --- | ||
17 | src/libFLAC/stream_encoder.c | 4 +++- | ||
18 | 1 file changed, 3 insertions(+), 1 deletion(-) | ||
19 | |||
20 | diff --git a/src/libFLAC/stream_encoder.c b/src/libFLAC/stream_encoder.c | ||
21 | index 4c91247fe8..7109802c27 100644 | ||
22 | --- a/src/libFLAC/stream_encoder.c | ||
23 | +++ b/src/libFLAC/stream_encoder.c | ||
24 | @@ -2610,7 +2610,9 @@ FLAC__bool write_bitbuffer_(FLAC__StreamEncoder *encoder, uint32_t samples, FLAC | ||
25 | encoder->private_->verify.needs_magic_hack = true; | ||
26 | } | ||
27 | else { | ||
28 | - if(!FLAC__stream_decoder_process_single(encoder->private_->verify.decoder)) { | ||
29 | + if(!FLAC__stream_decoder_process_single(encoder->private_->verify.decoder) | ||
30 | + || (!is_last_block | ||
31 | + && (FLAC__stream_encoder_get_verify_decoder_state(encoder) == FLAC__STREAM_DECODER_END_OF_STREAM))) { | ||
32 | FLAC__bitwriter_release_buffer(encoder->private_->frame); | ||
33 | FLAC__bitwriter_clear(encoder->private_->frame); | ||
34 | if(encoder->protected_->state != FLAC__STREAM_ENCODER_VERIFY_MISMATCH_IN_AUDIO_DATA) | ||
diff --git a/meta/recipes-multimedia/flac/flac_1.3.3.bb b/meta/recipes-multimedia/flac/flac_1.3.3.bb index cb6692aedf..e593727ac8 100644 --- a/meta/recipes-multimedia/flac/flac_1.3.3.bb +++ b/meta/recipes-multimedia/flac/flac_1.3.3.bb | |||
@@ -15,6 +15,8 @@ LIC_FILES_CHKSUM = "file://COPYING.FDL;md5=ad1419ecc56e060eccf8184a87c4285f \ | |||
15 | DEPENDS = "libogg" | 15 | DEPENDS = "libogg" |
16 | 16 | ||
17 | SRC_URI = "http://downloads.xiph.org/releases/flac/${BP}.tar.xz \ | 17 | SRC_URI = "http://downloads.xiph.org/releases/flac/${BP}.tar.xz \ |
18 | file://CVE-2020-22219.patch \ | ||
19 | file://CVE-2021-0561.patch \ | ||
18 | " | 20 | " |
19 | 21 | ||
20 | SRC_URI[md5sum] = "26703ed2858c1fc9ffc05136d13daa69" | 22 | SRC_URI[md5sum] = "26703ed2858c1fc9ffc05136d13daa69" |
diff --git a/meta/recipes-multimedia/gstreamer/gst-examples_1.16.0.bb b/meta/recipes-multimedia/gstreamer/gst-examples_1.16.0.bb index cc7a7e78e2..6494013e3f 100644 --- a/meta/recipes-multimedia/gstreamer/gst-examples_1.16.0.bb +++ b/meta/recipes-multimedia/gstreamer/gst-examples_1.16.0.bb | |||
@@ -1,10 +1,13 @@ | |||
1 | SUMMARY = "GStreamer examples (including gtk-play, gst-play)" | 1 | SUMMARY = "GStreamer examples (including gtk-play, gst-play)" |
2 | DESCRIPTION = "GStreamer example applications" | ||
3 | HOMEPAGE = "https://gitlab.freedesktop.org/gstreamer/gst-examples" | ||
4 | BUGTRACKER = "https://gitlab.freedesktop.org/gstreamer/gst-examples/-/issues" | ||
2 | LICENSE = "LGPL-2.0+" | 5 | LICENSE = "LGPL-2.0+" |
3 | LIC_FILES_CHKSUM = "file://playback/player/gtk/gtk-play.c;beginline=1;endline=20;md5=f8c72dae3d36823ec716a9ebcae593b9" | 6 | LIC_FILES_CHKSUM = "file://playback/player/gtk/gtk-play.c;beginline=1;endline=20;md5=f8c72dae3d36823ec716a9ebcae593b9" |
4 | 7 | ||
5 | DEPENDS = "glib-2.0 gstreamer1.0 gstreamer1.0-plugins-base gstreamer1.0-plugins-bad gtk+3 glib-2.0-native" | 8 | DEPENDS = "glib-2.0 gstreamer1.0 gstreamer1.0-plugins-base gstreamer1.0-plugins-bad gtk+3 glib-2.0-native" |
6 | 9 | ||
7 | SRC_URI = "git://gitlab.freedesktop.org/gstreamer/gst-examples.git;protocol=https \ | 10 | SRC_URI = "git://gitlab.freedesktop.org/gstreamer/gst-examples.git;protocol=https;branch=master \ |
8 | file://0001-Make-player-examples-installable.patch \ | 11 | file://0001-Make-player-examples-installable.patch \ |
9 | file://gst-player.desktop \ | 12 | file://gst-player.desktop \ |
10 | " | 13 | " |
diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-libav_1.16.3.bb b/meta/recipes-multimedia/gstreamer/gstreamer1.0-libav_1.16.3.bb index 98355a1b75..a8ad777422 100644 --- a/meta/recipes-multimedia/gstreamer/gstreamer1.0-libav_1.16.3.bb +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-libav_1.16.3.bb | |||
@@ -1,4 +1,6 @@ | |||
1 | SUMMARY = "Libav-based GStreamer 1.x plugin" | 1 | SUMMARY = "Libav-based GStreamer 1.x plugin" |
2 | DESCRIPTION = "Contains a GStreamer plugin for using the encoders, decoders, \ | ||
3 | muxers, and demuxers provided by FFmpeg." | ||
2 | HOMEPAGE = "http://gstreamer.freedesktop.org/" | 4 | HOMEPAGE = "http://gstreamer.freedesktop.org/" |
3 | SECTION = "multimedia" | 5 | SECTION = "multimedia" |
4 | 6 | ||
diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-omx_1.16.3.bb b/meta/recipes-multimedia/gstreamer/gstreamer1.0-omx_1.16.3.bb index 1aa13cf73c..46653e2392 100644 --- a/meta/recipes-multimedia/gstreamer/gstreamer1.0-omx_1.16.3.bb +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-omx_1.16.3.bb | |||
@@ -1,4 +1,5 @@ | |||
1 | SUMMARY = "OpenMAX IL plugins for GStreamer" | 1 | SUMMARY = "OpenMAX IL plugins for GStreamer" |
2 | DESCRIPTION = "Wraps available OpenMAX IL components and makes them available as standard GStreamer elements." | ||
2 | HOMEPAGE = "http://gstreamer.freedesktop.org/" | 3 | HOMEPAGE = "http://gstreamer.freedesktop.org/" |
3 | SECTION = "multimedia" | 4 | SECTION = "multimedia" |
4 | 5 | ||
diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad_1.16.3.bb b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad_1.16.3.bb index ffbaaf425a..f741db2172 100644 --- a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad_1.16.3.bb +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad_1.16.3.bb | |||
@@ -1,5 +1,9 @@ | |||
1 | require gstreamer1.0-plugins-common.inc | 1 | require gstreamer1.0-plugins-common.inc |
2 | 2 | ||
3 | DESCRIPTION = "'Bad' GStreamer plugins and helper libraries " | ||
4 | HOMEPAGE = "https://gstreamer.freedesktop.org/" | ||
5 | BUGTRACKER = "https://gitlab.freedesktop.org/gstreamer/gst-plugins-bad/-/issues" | ||
6 | |||
3 | SRC_URI = " \ | 7 | SRC_URI = " \ |
4 | https://gstreamer.freedesktop.org/src/gst-plugins-bad/gst-plugins-bad-${PV}.tar.xz \ | 8 | https://gstreamer.freedesktop.org/src/gst-plugins-bad/gst-plugins-bad-${PV}.tar.xz \ |
5 | file://0001-meson-build-gir-even-when-cross-compiling-if-introsp.patch \ | 9 | file://0001-meson-build-gir-even-when-cross-compiling-if-introsp.patch \ |
diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base/CVE-2021-3522.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base/CVE-2021-3522.patch new file mode 100644 index 0000000000..3717f0cf3a --- /dev/null +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base/CVE-2021-3522.patch | |||
@@ -0,0 +1,36 @@ | |||
1 | From 067e759136904b82bba9c6d1d781c4408dfecfe6 Mon Sep 17 00:00:00 2001 | ||
2 | From: =?UTF-8?q?Tim-Philipp=20M=C3=BCller?= <tim@centricular.com> | ||
3 | Date: Wed, 3 Mar 2021 01:08:25 +0000 | ||
4 | Subject: [PATCH] tag: id3v2: fix frame size check and potential invalid reads | ||
5 | |||
6 | Check the right variable when checking if there's | ||
7 | enough data left to read the frame size. | ||
8 | |||
9 | Closes https://gitlab.freedesktop.org/gstreamer/gst-plugins-base/-/issues/876 | ||
10 | |||
11 | Part-of: <https://gitlab.freedesktop.org/gstreamer/gst-plugins-base/-/merge_requests/1066> | ||
12 | |||
13 | Upstream-Status: Backport | ||
14 | [https://gstreamer.freedesktop.org/security/sa-2021-0001.html] | ||
15 | CVE: CVE-2021-3522 | ||
16 | Signed-off-by: Minjae Kim <flowergom@gmail.com> | ||
17 | --- | ||
18 | gst-libs/gst/tag/id3v2frames.c | 2 +- | ||
19 | 1 file changed, 1 insertion(+), 1 deletion(-) | ||
20 | |||
21 | diff --git a/gst-libs/gst/tag/id3v2frames.c b/gst-libs/gst/tag/id3v2frames.c | ||
22 | index 8e9f782..f39659b 100644 | ||
23 | --- a/gst-libs/gst/tag/id3v2frames.c | ||
24 | +++ b/gst-libs/gst/tag/id3v2frames.c | ||
25 | @@ -109,7 +109,7 @@ id3v2_parse_frame (ID3TagsWorking * work) | ||
26 | |||
27 | if (work->frame_flags & (ID3V2_FRAME_FORMAT_COMPRESSION | | ||
28 | ID3V2_FRAME_FORMAT_DATA_LENGTH_INDICATOR)) { | ||
29 | - if (work->hdr.frame_data_size <= 4) | ||
30 | + if (frame_data_size <= 4) | ||
31 | return FALSE; | ||
32 | if (ID3V2_VER_MAJOR (work->hdr.version) == 3) { | ||
33 | work->parse_size = GST_READ_UINT32_BE (frame_data); | ||
34 | -- | ||
35 | 2.17.1 | ||
36 | |||
diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base_1.16.3.bb b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base_1.16.3.bb index 9daaf7587e..bcfdef3bbd 100644 --- a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base_1.16.3.bb +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base_1.16.3.bb | |||
@@ -1,5 +1,8 @@ | |||
1 | require gstreamer1.0-plugins-common.inc | 1 | require gstreamer1.0-plugins-common.inc |
2 | 2 | ||
3 | DESCRIPTION = "'Base' GStreamer plugins and helper libraries" | ||
4 | HOMEPAGE = "https://gstreamer.freedesktop.org/" | ||
5 | BUGTRACKER = "https://gitlab.freedesktop.org/gstreamer/gst-plugins-base/-/issues" | ||
3 | LICENSE = "GPLv2+ & LGPLv2+" | 6 | LICENSE = "GPLv2+ & LGPLv2+" |
4 | LIC_FILES_CHKSUM = "file://COPYING;md5=6762ed442b3822387a51c92d928ead0d \ | 7 | LIC_FILES_CHKSUM = "file://COPYING;md5=6762ed442b3822387a51c92d928ead0d \ |
5 | file://common/coverage/coverage-report.pl;beginline=2;endline=17;md5=a4e1830fce078028c8f0974161272607" | 8 | file://common/coverage/coverage-report.pl;beginline=2;endline=17;md5=a4e1830fce078028c8f0974161272607" |
@@ -12,6 +15,7 @@ SRC_URI = " \ | |||
12 | file://0003-ssaparse-enhance-SSA-text-lines-parsing.patch \ | 15 | file://0003-ssaparse-enhance-SSA-text-lines-parsing.patch \ |
13 | file://0005-viv-fb-Make-sure-config.h-is-included.patch \ | 16 | file://0005-viv-fb-Make-sure-config.h-is-included.patch \ |
14 | file://0009-glimagesink-Downrank-to-marginal.patch \ | 17 | file://0009-glimagesink-Downrank-to-marginal.patch \ |
18 | file://CVE-2021-3522.patch \ | ||
15 | " | 19 | " |
16 | SRC_URI[md5sum] = "e3ddb1bae9fb510b49a295f212f1e6e4" | 20 | SRC_URI[md5sum] = "e3ddb1bae9fb510b49a295f212f1e6e4" |
17 | SRC_URI[sha256sum] = "9f02678b0bbbcc9eff107d3bd89d83ce92fec2154cd607c7c8bd34dc7fee491c" | 21 | SRC_URI[sha256sum] = "9f02678b0bbbcc9eff107d3bd89d83ce92fec2154cd607c7c8bd34dc7fee491c" |
diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2021-3497.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2021-3497.patch new file mode 100644 index 0000000000..81f7c59a7b --- /dev/null +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2021-3497.patch | |||
@@ -0,0 +1,207 @@ | |||
1 | From 9181191511f9c0be6a89c98b311f49d66bd46dc3 Mon Sep 17 00:00:00 2001 | ||
2 | From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com> | ||
3 | Date: Thu, 4 Mar 2021 13:05:19 +0200 | ||
4 | Subject: [PATCH] matroskademux: Fix extraction of multichannel WavPack | ||
5 | |||
6 | The old code had a couple of issues that all lead to potential memory | ||
7 | safety bugs. | ||
8 | |||
9 | - Use a constant for the Wavpack4Header size instead of using sizeof. | ||
10 | It's written out into the data and not from the struct and who knows | ||
11 | what special alignment/padding requirements some C compilers have. | ||
12 | - gst_buffer_set_size() does not realloc the buffer when setting a | ||
13 | bigger size than allocated, it only allows growing up to the maximum | ||
14 | allocated size. Instead use a GstAdapter to collect all the blocks | ||
15 | and take out everything at once in the end. | ||
16 | - Check that enough data is actually available in the input and | ||
17 | otherwise handle it an error in all cases instead of silently | ||
18 | ignoring it. | ||
19 | |||
20 | Among other things this fixes out of bounds writes because the code | ||
21 | assumed gst_buffer_set_size() can grow the buffer and simply wrote after | ||
22 | the end of the buffer. | ||
23 | |||
24 | Thanks to Natalie Silvanovich for reporting. | ||
25 | |||
26 | Fixes https://gitlab.freedesktop.org/gstreamer/gst-plugins-good/-/issues/859 | ||
27 | |||
28 | Part-of: <https://gitlab.freedesktop.org/gstreamer/gst-plugins-good/-/merge_requests/903> | ||
29 | |||
30 | Upstream-Status: Backport | ||
31 | https://gitlab.freedesktop.org/gstreamer/gst-plugins-good/-/commit/9181191511f9c0be6a89c98b311f49d66bd46dc3?merge_request_iid=903 | ||
32 | CVE: CVE-2021-3497 | ||
33 | Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> | ||
34 | |||
35 | --- | ||
36 | gst/matroska/matroska-demux.c | 99 +++++++++++++++++++---------------- | ||
37 | gst/matroska/matroska-ids.h | 2 + | ||
38 | 2 files changed, 55 insertions(+), 46 deletions(-) | ||
39 | |||
40 | diff --git a/gst/matroska/matroska-demux.c b/gst/matroska/matroska-demux.c | ||
41 | index 467815986..0e47ee7b5 100644 | ||
42 | --- a/gst/matroska/matroska-demux.c | ||
43 | +++ b/gst/matroska/matroska-demux.c | ||
44 | @@ -3851,6 +3851,12 @@ gst_matroska_demux_add_wvpk_header (GstElement * element, | ||
45 | guint32 block_samples, tmp; | ||
46 | gsize size = gst_buffer_get_size (*buf); | ||
47 | |||
48 | + if (size < 4) { | ||
49 | + GST_ERROR_OBJECT (element, "Too small wavpack buffer"); | ||
50 | + gst_buffer_unmap (*buf, &map); | ||
51 | + return GST_FLOW_ERROR; | ||
52 | + } | ||
53 | + | ||
54 | gst_buffer_extract (*buf, 0, &tmp, sizeof (guint32)); | ||
55 | block_samples = GUINT32_FROM_LE (tmp); | ||
56 | /* we need to reconstruct the header of the wavpack block */ | ||
57 | @@ -3858,10 +3864,10 @@ gst_matroska_demux_add_wvpk_header (GstElement * element, | ||
58 | /* -20 because ck_size is the size of the wavpack block -8 | ||
59 | * and lace_size is the size of the wavpack block + 12 | ||
60 | * (the three guint32 of the header that already are in the buffer) */ | ||
61 | - wvh.ck_size = size + sizeof (Wavpack4Header) - 20; | ||
62 | + wvh.ck_size = size + WAVPACK4_HEADER_SIZE - 20; | ||
63 | |||
64 | /* block_samples, flags and crc are already in the buffer */ | ||
65 | - newbuf = gst_buffer_new_allocate (NULL, sizeof (Wavpack4Header) - 12, NULL); | ||
66 | + newbuf = gst_buffer_new_allocate (NULL, WAVPACK4_HEADER_SIZE - 12, NULL); | ||
67 | |||
68 | gst_buffer_map (newbuf, &outmap, GST_MAP_WRITE); | ||
69 | data = outmap.data; | ||
70 | @@ -3886,9 +3892,11 @@ gst_matroska_demux_add_wvpk_header (GstElement * element, | ||
71 | audiocontext->wvpk_block_index += block_samples; | ||
72 | } else { | ||
73 | guint8 *outdata = NULL; | ||
74 | - guint outpos = 0; | ||
75 | - gsize buf_size, size, out_size = 0; | ||
76 | + gsize buf_size, size; | ||
77 | guint32 block_samples, flags, crc, blocksize; | ||
78 | + GstAdapter *adapter; | ||
79 | + | ||
80 | + adapter = gst_adapter_new (); | ||
81 | |||
82 | gst_buffer_map (*buf, &map, GST_MAP_READ); | ||
83 | buf_data = map.data; | ||
84 | @@ -3897,6 +3905,7 @@ gst_matroska_demux_add_wvpk_header (GstElement * element, | ||
85 | if (buf_size < 4) { | ||
86 | GST_ERROR_OBJECT (element, "Too small wavpack buffer"); | ||
87 | gst_buffer_unmap (*buf, &map); | ||
88 | + g_object_unref (adapter); | ||
89 | return GST_FLOW_ERROR; | ||
90 | } | ||
91 | |||
92 | @@ -3918,59 +3927,57 @@ gst_matroska_demux_add_wvpk_header (GstElement * element, | ||
93 | data += 4; | ||
94 | size -= 4; | ||
95 | |||
96 | - if (blocksize == 0 || size < blocksize) | ||
97 | - break; | ||
98 | - | ||
99 | - g_assert ((newbuf == NULL) == (outdata == NULL)); | ||
100 | + if (blocksize == 0 || size < blocksize) { | ||
101 | + GST_ERROR_OBJECT (element, "Too small wavpack buffer"); | ||
102 | + gst_buffer_unmap (*buf, &map); | ||
103 | + g_object_unref (adapter); | ||
104 | + return GST_FLOW_ERROR; | ||
105 | + } | ||
106 | |||
107 | - if (newbuf == NULL) { | ||
108 | - out_size = sizeof (Wavpack4Header) + blocksize; | ||
109 | - newbuf = gst_buffer_new_allocate (NULL, out_size, NULL); | ||
110 | + g_assert (newbuf == NULL); | ||
111 | |||
112 | - gst_buffer_copy_into (newbuf, *buf, | ||
113 | - GST_BUFFER_COPY_TIMESTAMPS | GST_BUFFER_COPY_FLAGS, 0, -1); | ||
114 | + newbuf = | ||
115 | + gst_buffer_new_allocate (NULL, WAVPACK4_HEADER_SIZE + blocksize, | ||
116 | + NULL); | ||
117 | + gst_buffer_map (newbuf, &outmap, GST_MAP_WRITE); | ||
118 | + outdata = outmap.data; | ||
119 | + | ||
120 | + outdata[0] = 'w'; | ||
121 | + outdata[1] = 'v'; | ||
122 | + outdata[2] = 'p'; | ||
123 | + outdata[3] = 'k'; | ||
124 | + outdata += 4; | ||
125 | + | ||
126 | + GST_WRITE_UINT32_LE (outdata, blocksize + WAVPACK4_HEADER_SIZE - 8); | ||
127 | + GST_WRITE_UINT16_LE (outdata + 4, wvh.version); | ||
128 | + GST_WRITE_UINT8 (outdata + 6, wvh.track_no); | ||
129 | + GST_WRITE_UINT8 (outdata + 7, wvh.index_no); | ||
130 | + GST_WRITE_UINT32_LE (outdata + 8, wvh.total_samples); | ||
131 | + GST_WRITE_UINT32_LE (outdata + 12, wvh.block_index); | ||
132 | + GST_WRITE_UINT32_LE (outdata + 16, block_samples); | ||
133 | + GST_WRITE_UINT32_LE (outdata + 20, flags); | ||
134 | + GST_WRITE_UINT32_LE (outdata + 24, crc); | ||
135 | + outdata += 28; | ||
136 | + | ||
137 | + memcpy (outdata, data, blocksize); | ||
138 | |||
139 | - outpos = 0; | ||
140 | - gst_buffer_map (newbuf, &outmap, GST_MAP_WRITE); | ||
141 | - outdata = outmap.data; | ||
142 | - } else { | ||
143 | - gst_buffer_unmap (newbuf, &outmap); | ||
144 | - out_size += sizeof (Wavpack4Header) + blocksize; | ||
145 | - gst_buffer_set_size (newbuf, out_size); | ||
146 | - gst_buffer_map (newbuf, &outmap, GST_MAP_WRITE); | ||
147 | - outdata = outmap.data; | ||
148 | - } | ||
149 | + gst_buffer_unmap (newbuf, &outmap); | ||
150 | + gst_adapter_push (adapter, newbuf); | ||
151 | + newbuf = NULL; | ||
152 | |||
153 | - outdata[outpos] = 'w'; | ||
154 | - outdata[outpos + 1] = 'v'; | ||
155 | - outdata[outpos + 2] = 'p'; | ||
156 | - outdata[outpos + 3] = 'k'; | ||
157 | - outpos += 4; | ||
158 | - | ||
159 | - GST_WRITE_UINT32_LE (outdata + outpos, | ||
160 | - blocksize + sizeof (Wavpack4Header) - 8); | ||
161 | - GST_WRITE_UINT16_LE (outdata + outpos + 4, wvh.version); | ||
162 | - GST_WRITE_UINT8 (outdata + outpos + 6, wvh.track_no); | ||
163 | - GST_WRITE_UINT8 (outdata + outpos + 7, wvh.index_no); | ||
164 | - GST_WRITE_UINT32_LE (outdata + outpos + 8, wvh.total_samples); | ||
165 | - GST_WRITE_UINT32_LE (outdata + outpos + 12, wvh.block_index); | ||
166 | - GST_WRITE_UINT32_LE (outdata + outpos + 16, block_samples); | ||
167 | - GST_WRITE_UINT32_LE (outdata + outpos + 20, flags); | ||
168 | - GST_WRITE_UINT32_LE (outdata + outpos + 24, crc); | ||
169 | - outpos += 28; | ||
170 | - | ||
171 | - memmove (outdata + outpos, data, blocksize); | ||
172 | - outpos += blocksize; | ||
173 | data += blocksize; | ||
174 | size -= blocksize; | ||
175 | } | ||
176 | gst_buffer_unmap (*buf, &map); | ||
177 | - gst_buffer_unref (*buf); | ||
178 | |||
179 | - if (newbuf) | ||
180 | - gst_buffer_unmap (newbuf, &outmap); | ||
181 | + newbuf = gst_adapter_take_buffer (adapter, gst_adapter_available (adapter)); | ||
182 | + g_object_unref (adapter); | ||
183 | |||
184 | + gst_buffer_copy_into (newbuf, *buf, | ||
185 | + GST_BUFFER_COPY_TIMESTAMPS | GST_BUFFER_COPY_FLAGS, 0, -1); | ||
186 | + gst_buffer_unref (*buf); | ||
187 | *buf = newbuf; | ||
188 | + | ||
189 | audiocontext->wvpk_block_index += block_samples; | ||
190 | } | ||
191 | |||
192 | diff --git a/gst/matroska/matroska-ids.h b/gst/matroska/matroska-ids.h | ||
193 | index 429213f77..8d4a685a9 100644 | ||
194 | --- a/gst/matroska/matroska-ids.h | ||
195 | +++ b/gst/matroska/matroska-ids.h | ||
196 | @@ -688,6 +688,8 @@ typedef struct _Wavpack4Header { | ||
197 | guint32 crc; /* crc for actual decoded data */ | ||
198 | } Wavpack4Header; | ||
199 | |||
200 | +#define WAVPACK4_HEADER_SIZE (32) | ||
201 | + | ||
202 | typedef enum { | ||
203 | GST_MATROSKA_TRACK_ENCODING_SCOPE_FRAME = (1<<0), | ||
204 | GST_MATROSKA_TRACK_ENCODING_SCOPE_CODEC_DATA = (1<<1), | ||
205 | -- | ||
206 | GitLab | ||
207 | |||
diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2021-3498.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2021-3498.patch new file mode 100644 index 0000000000..d3de2d5014 --- /dev/null +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2021-3498.patch | |||
@@ -0,0 +1,44 @@ | |||
1 | From 02174790726dd20a5c73ce2002189bf240ad4fe0 Mon Sep 17 00:00:00 2001 | ||
2 | From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com> | ||
3 | Date: Wed, 3 Mar 2021 11:31:52 +0200 | ||
4 | Subject: [PATCH] matroskademux: Initialize track context out parameter to NULL | ||
5 | before parsing | ||
6 | |||
7 | Various error return paths don't set it to NULL and callers are only | ||
8 | checking if the pointer is NULL. As it's allocated on the stack this | ||
9 | usually contains random stack memory, and more often than not the memory | ||
10 | of a previously parsed track. | ||
11 | |||
12 | This then causes all kinds of memory corruptions further down the line. | ||
13 | |||
14 | Thanks to Natalie Silvanovich for reporting. | ||
15 | |||
16 | Fixes https://gitlab.freedesktop.org/gstreamer/gst-plugins-good/-/issues/858 | ||
17 | |||
18 | Part-of: <https://gitlab.freedesktop.org/gstreamer/gst-plugins-good/-/merge_requests/903> | ||
19 | |||
20 | Upstream-Status: Backport [ | ||
21 | https://gitlab.freedesktop.org/gstreamer/gst-plugins-good/-/commit/02174790726dd20a5c73ce2002189bf240ad4fe0?merge_request_iid=903 ] | ||
22 | CVE: CVE-2021-3498 | ||
23 | Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> | ||
24 | |||
25 | --- | ||
26 | gst/matroska/matroska-demux.c | 2 ++ | ||
27 | 1 file changed, 2 insertions(+) | ||
28 | |||
29 | diff --git a/gst/matroska/matroska-demux.c b/gst/matroska/matroska-demux.c | ||
30 | index 4d0234743..467815986 100644 | ||
31 | --- a/gst/matroska/matroska-demux.c | ||
32 | +++ b/gst/matroska/matroska-demux.c | ||
33 | @@ -692,6 +692,8 @@ gst_matroska_demux_parse_stream (GstMatroskaDemux * demux, GstEbmlRead * ebml, | ||
34 | |||
35 | DEBUG_ELEMENT_START (demux, ebml, "TrackEntry"); | ||
36 | |||
37 | + *dest_context = NULL; | ||
38 | + | ||
39 | /* start with the master */ | ||
40 | if ((ret = gst_ebml_read_master (ebml, &id)) != GST_FLOW_OK) { | ||
41 | DEBUG_ELEMENT_STOP (demux, ebml, "TrackEntry", ret); | ||
42 | -- | ||
43 | GitLab | ||
44 | |||
diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2022-1920.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2022-1920.patch new file mode 100644 index 0000000000..ee33c5564d --- /dev/null +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2022-1920.patch | |||
@@ -0,0 +1,59 @@ | |||
1 | From cf887f1b8e228bff6e19829e6d03995d70ad739d Mon Sep 17 00:00:00 2001 | ||
2 | From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com> | ||
3 | Date: Wed, 18 May 2022 10:23:15 +0300 | ||
4 | Subject: [PATCH] matroskademux: Avoid integer-overflow resulting in heap | ||
5 | corruption in WavPack header handling code | ||
6 | |||
7 | blocksize + WAVPACK4_HEADER_SIZE might overflow gsize, which then | ||
8 | results in allocating a very small buffer. Into that buffer blocksize | ||
9 | data is memcpy'd later which then causes out of bound writes and can | ||
10 | potentially lead to anything from crashes to remote code execution. | ||
11 | |||
12 | Thanks to Adam Doupe for analyzing and reporting the issue. | ||
13 | |||
14 | CVE: CVE-2022-1920 | ||
15 | |||
16 | https://gstreamer.freedesktop.org/security/sa-2022-0004.html | ||
17 | |||
18 | Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/1226 | ||
19 | |||
20 | Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/2612> | ||
21 | |||
22 | https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/0df0dd7fe388174e4835eda4526b47f470a56370 | ||
23 | Upstream-Status: Backport | ||
24 | Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> | ||
25 | --- | ||
26 | .../gst/matroska/matroska-demux.c | 10 +++++++++- | ||
27 | 1 file changed, 9 insertions(+), 1 deletion(-) | ||
28 | |||
29 | diff --git a/gst/matroska/matroska-demux.c b/gst/matroska/matroska-demux.c | ||
30 | index 64cc6be60be..01d754c3eb9 100644 | ||
31 | --- a/gst/matroska/matroska-demux.c | ||
32 | +++ b/gst/matroska/matroska-demux.c | ||
33 | @@ -3933,7 +3933,8 @@ gst_matroska_demux_add_wvpk_header (GstElement * element, | ||
34 | } else { | ||
35 | guint8 *outdata = NULL; | ||
36 | gsize buf_size, size; | ||
37 | - guint32 block_samples, flags, crc, blocksize; | ||
38 | + guint32 block_samples, flags, crc; | ||
39 | + gsize blocksize; | ||
40 | GstAdapter *adapter; | ||
41 | |||
42 | adapter = gst_adapter_new (); | ||
43 | @@ -3974,6 +3975,13 @@ gst_matroska_demux_add_wvpk_header (GstElement * element, | ||
44 | return GST_FLOW_ERROR; | ||
45 | } | ||
46 | |||
47 | + if (blocksize > G_MAXSIZE - WAVPACK4_HEADER_SIZE) { | ||
48 | + GST_ERROR_OBJECT (element, "Too big wavpack buffer"); | ||
49 | + gst_buffer_unmap (*buf, &map); | ||
50 | + g_object_unref (adapter); | ||
51 | + return GST_FLOW_ERROR; | ||
52 | + } | ||
53 | + | ||
54 | g_assert (newbuf == NULL); | ||
55 | |||
56 | newbuf = | ||
57 | -- | ||
58 | GitLab | ||
59 | |||
diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2022-1921.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2022-1921.patch new file mode 100644 index 0000000000..99dbb2b1b0 --- /dev/null +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2022-1921.patch | |||
@@ -0,0 +1,69 @@ | |||
1 | From f503caad676971933dc0b52c4b313e5ef0d6dbb0 Mon Sep 17 00:00:00 2001 | ||
2 | From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com> | ||
3 | Date: Wed, 18 May 2022 12:00:48 +0300 | ||
4 | Subject: [PATCH] avidemux: Fix integer overflow resulting in heap corruption | ||
5 | in DIB buffer inversion code | ||
6 | |||
7 | Check that width*bpp/8 doesn't overflow a guint and also that | ||
8 | height*stride fits into the provided buffer without overflowing. | ||
9 | |||
10 | Thanks to Adam Doupe for analyzing and reporting the issue. | ||
11 | |||
12 | CVE: CVE-2022-1921 | ||
13 | |||
14 | See https://gstreamer.freedesktop.org/security/sa-2022-0001.html | ||
15 | |||
16 | Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/1224 | ||
17 | |||
18 | Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/2608> | ||
19 | |||
20 | https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/f503caad676971933dc0b52c4b313e5ef0d6dbb0 | ||
21 | Upstream-Status: Backport | ||
22 | Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> | ||
23 | --- | ||
24 | .../gst/avi/gstavidemux.c | 17 ++++++++++++++--- | ||
25 | 1 file changed, 14 insertions(+), 3 deletions(-) | ||
26 | |||
27 | diff --git a/gst/avi/gstavidemux.c b/gst/avi/gstavidemux.c | ||
28 | index eafe865494c..0d18a6495c7 100644 | ||
29 | --- a/gst/avi/gstavidemux.c | ||
30 | +++ b/gst/avi/gstavidemux.c | ||
31 | @@ -4973,8 +4973,8 @@ swap_line (guint8 * d1, guint8 * d2, guint8 * tmp, gint bytes) | ||
32 | static GstBuffer * | ||
33 | gst_avi_demux_invert (GstAviStream * stream, GstBuffer * buf) | ||
34 | { | ||
35 | - gint y, w, h; | ||
36 | - gint bpp, stride; | ||
37 | + guint y, w, h; | ||
38 | + guint bpp, stride; | ||
39 | guint8 *tmp = NULL; | ||
40 | GstMapInfo map; | ||
41 | guint32 fourcc; | ||
42 | @@ -5001,12 +5001,23 @@ gst_avi_demux_invert (GstAviStream * stream, GstBuffer * buf) | ||
43 | h = stream->strf.vids->height; | ||
44 | w = stream->strf.vids->width; | ||
45 | bpp = stream->strf.vids->bit_cnt ? stream->strf.vids->bit_cnt : 8; | ||
46 | + | ||
47 | + if ((guint64) w * ((guint64) bpp / 8) > G_MAXUINT - 4) { | ||
48 | + GST_WARNING ("Width x stride overflows"); | ||
49 | + return buf; | ||
50 | + } | ||
51 | + | ||
52 | + if (w == 0 || h == 0) { | ||
53 | + GST_WARNING ("Zero width or height"); | ||
54 | + return buf; | ||
55 | + } | ||
56 | + | ||
57 | stride = GST_ROUND_UP_4 (w * (bpp / 8)); | ||
58 | |||
59 | buf = gst_buffer_make_writable (buf); | ||
60 | |||
61 | gst_buffer_map (buf, &map, GST_MAP_READWRITE); | ||
62 | - if (map.size < (stride * h)) { | ||
63 | + if (map.size < ((guint64) stride * (guint64) h)) { | ||
64 | GST_WARNING ("Buffer is smaller than reported Width x Height x Depth"); | ||
65 | gst_buffer_unmap (buf, &map); | ||
66 | return buf; | ||
67 | -- | ||
68 | GitLab | ||
69 | |||
diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2022-1922-1923-1924-1925.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2022-1922-1923-1924-1925.patch new file mode 100644 index 0000000000..ebffbc473d --- /dev/null +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2022-1922-1923-1924-1925.patch | |||
@@ -0,0 +1,214 @@ | |||
1 | From ad6012159acf18c6b5c0f4edf037e8c9a2dbc966 Mon Sep 17 00:00:00 2001 | ||
2 | From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com> | ||
3 | Date: Wed, 18 May 2022 11:24:37 +0300 | ||
4 | Subject: [PATCH] matroskademux: Fix integer overflows in zlib/bz2/etc | ||
5 | decompression code | ||
6 | |||
7 | Various variables were of smaller types than needed and there were no | ||
8 | checks for any overflows when doing additions on the sizes. This is all | ||
9 | checked now. | ||
10 | |||
11 | In addition the size of the decompressed data is limited to 120MB now as | ||
12 | any larger sizes are likely pathological and we can avoid out of memory | ||
13 | situations in many cases like this. | ||
14 | |||
15 | Also fix a bug where the available output size on the next iteration in | ||
16 | the zlib/bz2 decompression code was provided too large and could | ||
17 | potentially lead to out of bound writes. | ||
18 | |||
19 | Thanks to Adam Doupe for analyzing and reporting the issue. | ||
20 | |||
21 | CVE: CVE-2022-1922, CVE-2022-1923, CVE-2022-1924, CVE-2022-1925 | ||
22 | |||
23 | https://gstreamer.freedesktop.org/security/sa-2022-0002.html | ||
24 | |||
25 | Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/1225 | ||
26 | |||
27 | Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/2610> | ||
28 | |||
29 | CVE: CVE-2022-1922 CVE-2022-1923 CVE-2022-1924 CVE-2022-1925 | ||
30 | https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/ad6012159acf18c6b5c0f4edf037e8c9a2dbc966 | ||
31 | Upstream-Status: Backport | ||
32 | Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> | ||
33 | --- | ||
34 | .../gst/matroska/matroska-read-common.c | 76 +++++++++++++++---- | ||
35 | 1 file changed, 61 insertions(+), 15 deletions(-) | ||
36 | |||
37 | diff --git a/gst/matroska/matroska-read-common.c b/gst/matroska/matroska-read-common.c | ||
38 | index eb317644cc5..6fadbba9567 100644 | ||
39 | --- a/gst/matroska/matroska-read-common.c | ||
40 | +++ b/gst/matroska/matroska-read-common.c | ||
41 | @@ -70,6 +70,10 @@ typedef struct | ||
42 | gboolean audio_only; | ||
43 | } TargetTypeContext; | ||
44 | |||
45 | +/* 120MB as maximum decompressed data size. Anything bigger is likely | ||
46 | + * pathological, and like this we avoid out of memory situations in many cases | ||
47 | + */ | ||
48 | +#define MAX_DECOMPRESS_SIZE (120 * 1024 * 1024) | ||
49 | |||
50 | static gboolean | ||
51 | gst_matroska_decompress_data (GstMatroskaTrackEncoding * enc, | ||
52 | @@ -77,19 +81,23 @@ gst_matroska_decompress_data (GstMatroskaTrackEncoding * enc, | ||
53 | GstMatroskaTrackCompressionAlgorithm algo) | ||
54 | { | ||
55 | guint8 *new_data = NULL; | ||
56 | - guint new_size = 0; | ||
57 | + gsize new_size = 0; | ||
58 | guint8 *data = *data_out; | ||
59 | - guint size = *size_out; | ||
60 | + const gsize size = *size_out; | ||
61 | gboolean ret = TRUE; | ||
62 | |||
63 | + if (size > G_MAXUINT32) { | ||
64 | + GST_WARNING ("too large compressed data buffer."); | ||
65 | + ret = FALSE; | ||
66 | + goto out; | ||
67 | + } | ||
68 | + | ||
69 | if (algo == GST_MATROSKA_TRACK_COMPRESSION_ALGORITHM_ZLIB) { | ||
70 | #ifdef HAVE_ZLIB | ||
71 | /* zlib encoded data */ | ||
72 | z_stream zstream; | ||
73 | - guint orig_size; | ||
74 | int result; | ||
75 | |||
76 | - orig_size = size; | ||
77 | zstream.zalloc = (alloc_func) 0; | ||
78 | zstream.zfree = (free_func) 0; | ||
79 | zstream.opaque = (voidpf) 0; | ||
80 | @@ -99,8 +107,8 @@ gst_matroska_decompress_data (GstMatroskaTrackEncoding * enc, | ||
81 | goto out; | ||
82 | } | ||
83 | zstream.next_in = (Bytef *) data; | ||
84 | - zstream.avail_in = orig_size; | ||
85 | - new_size = orig_size; | ||
86 | + zstream.avail_in = size; | ||
87 | + new_size = size; | ||
88 | new_data = g_malloc (new_size); | ||
89 | zstream.avail_out = new_size; | ||
90 | zstream.next_out = (Bytef *) new_data; | ||
91 | @@ -114,10 +122,18 @@ gst_matroska_decompress_data (GstMatroskaTrackEncoding * enc, | ||
92 | break; | ||
93 | } | ||
94 | |||
95 | + if (new_size > G_MAXSIZE - 4096 || new_size + 4096 > MAX_DECOMPRESS_SIZE) { | ||
96 | + GST_WARNING ("too big decompressed data"); | ||
97 | + result = Z_MEM_ERROR; | ||
98 | + break; | ||
99 | + } | ||
100 | + | ||
101 | new_size += 4096; | ||
102 | new_data = g_realloc (new_data, new_size); | ||
103 | zstream.next_out = (Bytef *) (new_data + zstream.total_out); | ||
104 | - zstream.avail_out += 4096; | ||
105 | + /* avail_out is an unsigned int */ | ||
106 | + g_assert (new_size - zstream.total_out <= G_MAXUINT); | ||
107 | + zstream.avail_out = new_size - zstream.total_out; | ||
108 | } while (zstream.avail_in > 0); | ||
109 | |||
110 | if (result != Z_STREAM_END) { | ||
111 | @@ -137,13 +153,11 @@ gst_matroska_decompress_data (GstMatroskaTrackEncoding * enc, | ||
112 | #ifdef HAVE_BZ2 | ||
113 | /* bzip2 encoded data */ | ||
114 | bz_stream bzstream; | ||
115 | - guint orig_size; | ||
116 | int result; | ||
117 | |||
118 | bzstream.bzalloc = NULL; | ||
119 | bzstream.bzfree = NULL; | ||
120 | bzstream.opaque = NULL; | ||
121 | - orig_size = size; | ||
122 | |||
123 | if (BZ2_bzDecompressInit (&bzstream, 0, 0) != BZ_OK) { | ||
124 | GST_WARNING ("bzip2 initialization failed."); | ||
125 | @@ -152,8 +166,8 @@ gst_matroska_decompress_data (GstMatroskaTrackEncoding * enc, | ||
126 | } | ||
127 | |||
128 | bzstream.next_in = (char *) data; | ||
129 | - bzstream.avail_in = orig_size; | ||
130 | - new_size = orig_size; | ||
131 | + bzstream.avail_in = size; | ||
132 | + new_size = size; | ||
133 | new_data = g_malloc (new_size); | ||
134 | bzstream.avail_out = new_size; | ||
135 | bzstream.next_out = (char *) new_data; | ||
136 | @@ -167,17 +181,31 @@ gst_matroska_decompress_data (GstMatroskaTrackEncoding * enc, | ||
137 | break; | ||
138 | } | ||
139 | |||
140 | + if (new_size > G_MAXSIZE - 4096 || new_size + 4096 > MAX_DECOMPRESS_SIZE) { | ||
141 | + GST_WARNING ("too big decompressed data"); | ||
142 | + result = BZ_MEM_ERROR; | ||
143 | + break; | ||
144 | + } | ||
145 | + | ||
146 | new_size += 4096; | ||
147 | new_data = g_realloc (new_data, new_size); | ||
148 | - bzstream.next_out = (char *) (new_data + bzstream.total_out_lo32); | ||
149 | - bzstream.avail_out += 4096; | ||
150 | + bzstream.next_out = | ||
151 | + (char *) (new_data + ((guint64) bzstream.total_out_hi32 << 32) + | ||
152 | + bzstream.total_out_lo32); | ||
153 | + /* avail_out is an unsigned int */ | ||
154 | + g_assert (new_size - ((guint64) bzstream.total_out_hi32 << 32) + | ||
155 | + bzstream.total_out_lo32 <= G_MAXUINT); | ||
156 | + bzstream.avail_out = | ||
157 | + new_size - ((guint64) bzstream.total_out_hi32 << 32) + | ||
158 | + bzstream.total_out_lo32; | ||
159 | } while (bzstream.avail_in > 0); | ||
160 | |||
161 | if (result != BZ_STREAM_END) { | ||
162 | ret = FALSE; | ||
163 | g_free (new_data); | ||
164 | } else { | ||
165 | - new_size = bzstream.total_out_lo32; | ||
166 | + new_size = | ||
167 | + ((guint64) bzstream.total_out_hi32 << 32) + bzstream.total_out_lo32; | ||
168 | } | ||
169 | BZ2_bzDecompressEnd (&bzstream); | ||
170 | |||
171 | @@ -189,7 +217,13 @@ gst_matroska_decompress_data (GstMatroskaTrackEncoding * enc, | ||
172 | } else if (algo == GST_MATROSKA_TRACK_COMPRESSION_ALGORITHM_LZO1X) { | ||
173 | /* lzo encoded data */ | ||
174 | int result; | ||
175 | - int orig_size, out_size; | ||
176 | + gint orig_size, out_size; | ||
177 | + | ||
178 | + if (size > G_MAXINT) { | ||
179 | + GST_WARNING ("too large compressed data buffer."); | ||
180 | + ret = FALSE; | ||
181 | + goto out; | ||
182 | + } | ||
183 | |||
184 | orig_size = size; | ||
185 | out_size = size; | ||
186 | @@ -203,6 +237,11 @@ gst_matroska_decompress_data (GstMatroskaTrackEncoding * enc, | ||
187 | result = lzo1x_decode (new_data, &out_size, data, &orig_size); | ||
188 | |||
189 | if (orig_size > 0) { | ||
190 | + if (new_size > G_MAXINT - 4096 || new_size + 4096 > MAX_DECOMPRESS_SIZE) { | ||
191 | + GST_WARNING ("too big decompressed data"); | ||
192 | + result = LZO_ERROR; | ||
193 | + break; | ||
194 | + } | ||
195 | new_size += 4096; | ||
196 | new_data = g_realloc (new_data, new_size); | ||
197 | } | ||
198 | @@ -221,6 +260,13 @@ gst_matroska_decompress_data (GstMatroskaTrackEncoding * enc, | ||
199 | } else if (algo == GST_MATROSKA_TRACK_COMPRESSION_ALGORITHM_HEADERSTRIP) { | ||
200 | /* header stripped encoded data */ | ||
201 | if (enc->comp_settings_length > 0) { | ||
202 | + if (size > G_MAXSIZE - enc->comp_settings_length | ||
203 | + || size + enc->comp_settings_length > MAX_DECOMPRESS_SIZE) { | ||
204 | + GST_WARNING ("too big decompressed data"); | ||
205 | + ret = FALSE; | ||
206 | + goto out; | ||
207 | + } | ||
208 | + | ||
209 | new_data = g_malloc (size + enc->comp_settings_length); | ||
210 | new_size = size + enc->comp_settings_length; | ||
211 | |||
212 | -- | ||
213 | GitLab | ||
214 | |||
diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2022-2122.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2022-2122.patch new file mode 100644 index 0000000000..f4d38c270e --- /dev/null +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2022-2122.patch | |||
@@ -0,0 +1,60 @@ | |||
1 | From 14d306da6da51a762c4dc701d161bb52ab66d774 Mon Sep 17 00:00:00 2001 | ||
2 | From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com> | ||
3 | Date: Mon, 30 May 2022 10:15:37 +0300 | ||
4 | Subject: [PATCH] qtdemux: Fix integer overflows in zlib decompression code | ||
5 | |||
6 | Various variables were of smaller types than needed and there were no | ||
7 | checks for any overflows when doing additions on the sizes. This is all | ||
8 | checked now. | ||
9 | |||
10 | In addition the size of the decompressed data is limited to 200MB now as | ||
11 | any larger sizes are likely pathological and we can avoid out of memory | ||
12 | situations in many cases like this. | ||
13 | |||
14 | Also fix a bug where the available output size on the next iteration in | ||
15 | the zlib decompression code was provided too large and could | ||
16 | potentially lead to out of bound writes. | ||
17 | |||
18 | Thanks to Adam Doupe for analyzing and reporting the issue. | ||
19 | |||
20 | CVE: tbd | ||
21 | |||
22 | https://gstreamer.freedesktop.org/security/sa-2022-0003.html | ||
23 | |||
24 | Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/1225 | ||
25 | |||
26 | Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/2610> | ||
27 | |||
28 | https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/14d306da6da51a762c4dc701d161bb52ab66d774 | ||
29 | CVE: CVE-2022-2122 | ||
30 | Upstream-Status: Backport | ||
31 | Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> | ||
32 | --- | ||
33 | gst/isomp4/qtdemux.c | 8 +++++++- | ||
34 | 1 file changed, 7 insertions(+), 1 deletion(-) | ||
35 | |||
36 | diff --git a/gst/isomp4/qtdemux.c b/gst/isomp4/qtdemux.c | ||
37 | index 7cc346b1e63..97ba0799a8d 100644 | ||
38 | --- a/gst/isomp4/qtdemux.c | ||
39 | +++ b/gst/isomp4/qtdemux.c | ||
40 | @@ -7905,10 +7905,16 @@ qtdemux_inflate (void *z_buffer, guint z_length, guint * length) | ||
41 | break; | ||
42 | } | ||
43 | |||
44 | + if (*length > G_MAXUINT - 4096 || *length > QTDEMUX_MAX_SAMPLE_INDEX_SIZE) { | ||
45 | + GST_WARNING ("too big decompressed data"); | ||
46 | + ret = Z_MEM_ERROR; | ||
47 | + break; | ||
48 | + } | ||
49 | + | ||
50 | *length += 4096; | ||
51 | buffer = (guint8 *) g_realloc (buffer, *length); | ||
52 | z.next_out = (Bytef *) (buffer + z.total_out); | ||
53 | - z.avail_out += 4096; | ||
54 | + z.avail_out += *length - z.total_out; | ||
55 | } while (z.avail_in > 0); | ||
56 | |||
57 | if (ret != Z_STREAM_END) { | ||
58 | -- | ||
59 | GitLab | ||
60 | |||
diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good_1.16.3.bb b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good_1.16.3.bb index 75dd029109..831a317a82 100644 --- a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good_1.16.3.bb +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good_1.16.3.bb | |||
@@ -1,9 +1,19 @@ | |||
1 | require gstreamer1.0-plugins-common.inc | 1 | require gstreamer1.0-plugins-common.inc |
2 | 2 | ||
3 | DESCRIPTION = "'Good' GStreamer plugins" | ||
4 | HOMEPAGE = "https://gstreamer.freedesktop.org/" | ||
5 | BUGTRACKER = "https://gitlab.freedesktop.org/gstreamer/gst-plugins-good/-/issues" | ||
6 | |||
3 | SRC_URI = " \ | 7 | SRC_URI = " \ |
4 | https://gstreamer.freedesktop.org/src/gst-plugins-good/gst-plugins-good-${PV}.tar.xz \ | 8 | https://gstreamer.freedesktop.org/src/gst-plugins-good/gst-plugins-good-${PV}.tar.xz \ |
5 | file://0001-qmlgl-ensure-Qt-defines-GLsync-to-fix-compile-on-som.patch \ | 9 | file://0001-qmlgl-ensure-Qt-defines-GLsync-to-fix-compile-on-som.patch \ |
6 | file://0001-qt-include-ext-qt-gstqtgl.h-instead-of-gst-gl-gstglf.patch \ | 10 | file://0001-qt-include-ext-qt-gstqtgl.h-instead-of-gst-gl-gstglf.patch \ |
11 | file://CVE-2021-3497.patch \ | ||
12 | file://CVE-2021-3498.patch \ | ||
13 | file://CVE-2022-1920.patch \ | ||
14 | file://CVE-2022-1921.patch \ | ||
15 | file://CVE-2022-1922-1923-1924-1925.patch \ | ||
16 | file://CVE-2022-2122.patch \ | ||
7 | " | 17 | " |
8 | 18 | ||
9 | SRC_URI[md5sum] = "c79b6c2f8eaadb2bb66615b694db399e" | 19 | SRC_URI[md5sum] = "c79b6c2f8eaadb2bb66615b694db399e" |
@@ -30,6 +40,8 @@ X11DEPENDS = "virtual/libx11 libsm libxrender libxfixes libxdamage" | |||
30 | X11ENABLEOPTS = "-Dximagesrc=enabled -Dximagesrc-xshm=enabled -Dximagesrc-xfixes=enabled -Dximagesrc-xdamage=enabled" | 40 | X11ENABLEOPTS = "-Dximagesrc=enabled -Dximagesrc-xshm=enabled -Dximagesrc-xfixes=enabled -Dximagesrc-xdamage=enabled" |
31 | X11DISABLEOPTS = "-Dximagesrc=disabled -Dximagesrc-xshm=disabled -Dximagesrc-xfixes=disabled -Dximagesrc-xdamage=disabled" | 41 | X11DISABLEOPTS = "-Dximagesrc=disabled -Dximagesrc-xshm=disabled -Dximagesrc-xfixes=disabled -Dximagesrc-xdamage=disabled" |
32 | 42 | ||
43 | QT5WAYLANDDEPENDS = "${@bb.utils.contains("DISTRO_FEATURES", "wayland", "qtwayland", "", d)}" | ||
44 | |||
33 | PACKAGECONFIG[bz2] = "-Dbz2=enabled,-Dbz2=disabled,bzip2" | 45 | PACKAGECONFIG[bz2] = "-Dbz2=enabled,-Dbz2=disabled,bzip2" |
34 | PACKAGECONFIG[cairo] = "-Dcairo=enabled,-Dcairo=disabled,cairo" | 46 | PACKAGECONFIG[cairo] = "-Dcairo=enabled,-Dcairo=disabled,cairo" |
35 | PACKAGECONFIG[dv1394] = "-Ddv1394=enabled,-Ddv1394=disabled,libiec61883 libavc1394 libraw1394" | 47 | PACKAGECONFIG[dv1394] = "-Ddv1394=enabled,-Ddv1394=disabled,libiec61883 libavc1394 libraw1394" |
@@ -44,7 +56,7 @@ PACKAGECONFIG[libpng] = "-Dpng=enabled,-Dpng=disabled,libpng" | |||
44 | PACKAGECONFIG[libv4l2] = "-Dv4l2-libv4l2=enabled,-Dv4l2-libv4l2=disabled,v4l-utils" | 56 | PACKAGECONFIG[libv4l2] = "-Dv4l2-libv4l2=enabled,-Dv4l2-libv4l2=disabled,v4l-utils" |
45 | PACKAGECONFIG[mpg123] = "-Dmpg123=enabled,-Dmpg123=disabled,mpg123" | 57 | PACKAGECONFIG[mpg123] = "-Dmpg123=enabled,-Dmpg123=disabled,mpg123" |
46 | PACKAGECONFIG[pulseaudio] = "-Dpulse=enabled,-Dpulse=disabled,pulseaudio" | 58 | PACKAGECONFIG[pulseaudio] = "-Dpulse=enabled,-Dpulse=disabled,pulseaudio" |
47 | PACKAGECONFIG[qt5] = "-Dqt5=enabled,-Dqt5=disabled,qtbase qtdeclarative qtbase-native" | 59 | PACKAGECONFIG[qt5] = "-Dqt5=enabled,-Dqt5=disabled,qtbase qtdeclarative qtbase-native ${QT5WAYLANDDEPENDS}" |
48 | PACKAGECONFIG[soup] = "-Dsoup=enabled,-Dsoup=disabled,libsoup-2.4" | 60 | PACKAGECONFIG[soup] = "-Dsoup=enabled,-Dsoup=disabled,libsoup-2.4" |
49 | PACKAGECONFIG[speex] = "-Dspeex=enabled,-Dspeex=disabled,speex" | 61 | PACKAGECONFIG[speex] = "-Dspeex=enabled,-Dspeex=disabled,speex" |
50 | PACKAGECONFIG[taglib] = "-Dtaglib=enabled,-Dtaglib=disabled,taglib" | 62 | PACKAGECONFIG[taglib] = "-Dtaglib=enabled,-Dtaglib=disabled,taglib" |
diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-ugly_1.16.3.bb b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-ugly_1.16.3.bb index d9ec82d887..afde9a013d 100644 --- a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-ugly_1.16.3.bb +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-ugly_1.16.3.bb | |||
@@ -1,5 +1,9 @@ | |||
1 | require gstreamer1.0-plugins-common.inc | 1 | require gstreamer1.0-plugins-common.inc |
2 | 2 | ||
3 | DESCRIPTION = "'Ugly GStreamer plugins" | ||
4 | HOMEPAGE = "https://gstreamer.freedesktop.org/" | ||
5 | BUGTRACKER = "https://gitlab.freedesktop.org/gstreamer/gst-plugins-ugly/-/issues" | ||
6 | |||
3 | LIC_FILES_CHKSUM = "file://COPYING;md5=a6f89e2100d9b6cdffcea4f398e37343 \ | 7 | LIC_FILES_CHKSUM = "file://COPYING;md5=a6f89e2100d9b6cdffcea4f398e37343 \ |
4 | file://tests/check/elements/xingmux.c;beginline=1;endline=21;md5=4c771b8af188724855cb99cadd390068" | 8 | file://tests/check/elements/xingmux.c;beginline=1;endline=21;md5=4c771b8af188724855cb99cadd390068" |
5 | 9 | ||
diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-python_1.16.3.bb b/meta/recipes-multimedia/gstreamer/gstreamer1.0-python_1.16.3.bb index 14b34a2808..9c7f0e078c 100644 --- a/meta/recipes-multimedia/gstreamer/gstreamer1.0-python_1.16.3.bb +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-python_1.16.3.bb | |||
@@ -1,4 +1,6 @@ | |||
1 | SUMMARY = "Python bindings for GStreamer 1.0" | 1 | SUMMARY = "Python bindings for GStreamer 1.0" |
2 | DESCRIPTION = "GStreamer Python binding overrides (complementing the bindings \ | ||
3 | provided by python-gi) " | ||
2 | HOMEPAGE = "http://cgit.freedesktop.org/gstreamer/gst-python/" | 4 | HOMEPAGE = "http://cgit.freedesktop.org/gstreamer/gst-python/" |
3 | SECTION = "multimedia" | 5 | SECTION = "multimedia" |
4 | 6 | ||
diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-vaapi_1.16.3.bb b/meta/recipes-multimedia/gstreamer/gstreamer1.0-vaapi_1.16.3.bb index 9d9b1b8757..af9b2c5a97 100644 --- a/meta/recipes-multimedia/gstreamer/gstreamer1.0-vaapi_1.16.3.bb +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-vaapi_1.16.3.bb | |||
@@ -1,4 +1,5 @@ | |||
1 | SUMMARY = "VA-API support to GStreamer" | 1 | SUMMARY = "VA-API support to GStreamer" |
2 | HOMEPAGE = "https://gstreamer.freedesktop.org/" | ||
2 | DESCRIPTION = "gstreamer-vaapi consists of a collection of VA-API \ | 3 | DESCRIPTION = "gstreamer-vaapi consists of a collection of VA-API \ |
3 | based plugins for GStreamer and helper libraries: `vaapidecode', \ | 4 | based plugins for GStreamer and helper libraries: `vaapidecode', \ |
4 | `vaapiconvert', and `vaapisink'." | 5 | `vaapiconvert', and `vaapisink'." |
diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0/0006-tests-seek-Don-t-use-too-strict-timeout-for-validati.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0/0006-tests-seek-Don-t-use-too-strict-timeout-for-validati.patch new file mode 100644 index 0000000000..e32f3c101f --- /dev/null +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0/0006-tests-seek-Don-t-use-too-strict-timeout-for-validati.patch | |||
@@ -0,0 +1,33 @@ | |||
1 | From 1db36347d05d88835519368442e9aa89c64091ad Mon Sep 17 00:00:00 2001 | ||
2 | From: Seungha Yang <seungha@centricular.com> | ||
3 | Date: Tue, 15 Sep 2020 00:54:58 +0900 | ||
4 | Subject: [PATCH] tests: seek: Don't use too strict timeout for validation | ||
5 | |||
6 | Expected segment-done message might not be seen within expected | ||
7 | time if system is not powerful enough. | ||
8 | |||
9 | Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/625> | ||
10 | |||
11 | Upstream-Status: Backport [https://cgit.freedesktop.org/gstreamer/gstreamer/commit?id=f44312ae5d831438fcf8041162079c65321c588c] | ||
12 | Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> | ||
13 | Signed-off-by: Jose Quaresma <quaresma.jose@gmail.com> | ||
14 | --- | ||
15 | tests/check/pipelines/seek.c | 2 +- | ||
16 | 1 file changed, 1 insertion(+), 1 deletion(-) | ||
17 | |||
18 | diff --git a/tests/check/pipelines/seek.c b/tests/check/pipelines/seek.c | ||
19 | index 28bb8846d..5f7447bc5 100644 | ||
20 | --- a/tests/check/pipelines/seek.c | ||
21 | +++ b/tests/check/pipelines/seek.c | ||
22 | @@ -521,7 +521,7 @@ GST_START_TEST (test_loopback_2) | ||
23 | |||
24 | GST_INFO ("wait for segment done message"); | ||
25 | |||
26 | - msg = gst_bus_timed_pop_filtered (bus, (GstClockTime) 2 * GST_SECOND, | ||
27 | + msg = gst_bus_timed_pop_filtered (bus, GST_CLOCK_TIME_NONE, | ||
28 | GST_MESSAGE_SEGMENT_DONE | GST_MESSAGE_ERROR); | ||
29 | fail_unless (msg, "no message within the timed window"); | ||
30 | fail_unless_equals_string (GST_MESSAGE_TYPE_NAME (msg), "segment-done"); | ||
31 | -- | ||
32 | 2.29.2 | ||
33 | |||
diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0_1.16.3.bb b/meta/recipes-multimedia/gstreamer/gstreamer1.0_1.16.3.bb index 7afe56cd7b..14793b7fdf 100644 --- a/meta/recipes-multimedia/gstreamer/gstreamer1.0_1.16.3.bb +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0_1.16.3.bb | |||
@@ -22,6 +22,7 @@ SRC_URI = " \ | |||
22 | file://0003-meson-Add-valgrind-feature.patch \ | 22 | file://0003-meson-Add-valgrind-feature.patch \ |
23 | file://0004-meson-Add-option-for-installed-tests.patch \ | 23 | file://0004-meson-Add-option-for-installed-tests.patch \ |
24 | file://0005-bufferpool-only-resize-in-reset-when-maxsize-is-larger.patch \ | 24 | file://0005-bufferpool-only-resize-in-reset-when-maxsize-is-larger.patch \ |
25 | file://0006-tests-seek-Don-t-use-too-strict-timeout-for-validati.patch \ | ||
25 | " | 26 | " |
26 | SRC_URI[md5sum] = "beecf6965a17fb17fa3b262fd36df70a" | 27 | SRC_URI[md5sum] = "beecf6965a17fb17fa3b262fd36df70a" |
27 | SRC_URI[sha256sum] = "692f037968e454e508b0f71d9674e2e26c78475021407fcf8193b1c7e59543c7" | 28 | SRC_URI[sha256sum] = "692f037968e454e508b0f71d9674e2e26c78475021407fcf8193b1c7e59543c7" |
@@ -40,7 +41,7 @@ PACKAGECONFIG[unwind] = "-Dlibunwind=enabled,-Dlibunwind=disabled,libunwind" | |||
40 | PACKAGECONFIG[dw] = "-Dlibdw=enabled,-Dlibdw=disabled,elfutils" | 41 | PACKAGECONFIG[dw] = "-Dlibdw=enabled,-Dlibdw=disabled,elfutils" |
41 | PACKAGECONFIG[bash-completion] = "-Dbash-completion=enabled,-Dbash-completion=disabled,bash-completion" | 42 | PACKAGECONFIG[bash-completion] = "-Dbash-completion=enabled,-Dbash-completion=disabled,bash-completion" |
42 | PACKAGECONFIG[tools] = "-Dtools=enabled,-Dtools=disabled" | 43 | PACKAGECONFIG[tools] = "-Dtools=enabled,-Dtools=disabled" |
43 | PACKAGECONFIG[setcap] = ",,libcap libcap-native" | 44 | PACKAGECONFIG[setcap] = "-Dptp-helper-permissions=capabilities,,libcap libcap-native" |
44 | 45 | ||
45 | # TODO: put this in a gettext.bbclass patch | 46 | # TODO: put this in a gettext.bbclass patch |
46 | def gettext_oemeson(d): | 47 | def gettext_oemeson(d): |
@@ -74,4 +75,20 @@ FILES_${PN}-dbg += "${datadir}/gdb ${datadir}/gstreamer-1.0/gdb" | |||
74 | 75 | ||
75 | CVE_PRODUCT = "gstreamer" | 76 | CVE_PRODUCT = "gstreamer" |
76 | 77 | ||
78 | # CPE entries for gst-plugins-base are listed as gstreamer issues | ||
79 | # so we need to ignore the false hits | ||
80 | CVE_CHECK_WHITELIST += "CVE-2021-3522" | ||
81 | |||
82 | # CPE entries for gst-plugins-good are listed as gstreamer issues | ||
83 | # so we need to ignore the false hits | ||
84 | CVE_CHECK_WHITELIST += "CVE-2021-3497" | ||
85 | CVE_CHECK_WHITELIST += "CVE-2021-3498" | ||
86 | CVE_CHECK_WHITELIST += "CVE-2022-1920" | ||
87 | CVE_CHECK_WHITELIST += "CVE-2022-1921" | ||
88 | CVE_CHECK_WHITELIST += "CVE-2022-1922" | ||
89 | CVE_CHECK_WHITELIST += "CVE-2022-1923" | ||
90 | CVE_CHECK_WHITELIST += "CVE-2022-1924" | ||
91 | CVE_CHECK_WHITELIST += "CVE-2022-1925" | ||
92 | CVE_CHECK_WHITELIST += "CVE-2022-2122" | ||
93 | |||
77 | require gstreamer1.0-ptest.inc | 94 | require gstreamer1.0-ptest.inc |
diff --git a/meta/recipes-multimedia/lame/lame_3.100.bb b/meta/recipes-multimedia/lame/lame_3.100.bb index 7f8996fb52..d007e0a495 100644 --- a/meta/recipes-multimedia/lame/lame_3.100.bb +++ b/meta/recipes-multimedia/lame/lame_3.100.bb | |||
@@ -1,5 +1,6 @@ | |||
1 | SUMMARY = "High quality MP3 audio encoder" | 1 | SUMMARY = "High quality MP3 audio encoder" |
2 | HOMEPAGE = "http://lame.sourceforge.net/" | 2 | DESCRIPTION = "LAME is an educational tool to be used for learning about MP3 encoding." |
3 | HOMEPAGE = "https://lame.sourceforge.io/" | ||
3 | BUGTRACKER = "http://sourceforge.net/tracker/?group_id=290&atid=100290" | 4 | BUGTRACKER = "http://sourceforge.net/tracker/?group_id=290&atid=100290" |
4 | SECTION = "console/utils" | 5 | SECTION = "console/utils" |
5 | LICENSE = "LGPLv2+" | 6 | LICENSE = "LGPLv2+" |
diff --git a/meta/recipes-multimedia/liba52/liba52_0.7.4.bb b/meta/recipes-multimedia/liba52/liba52_0.7.4.bb index 8ff8889b60..0ef5d947c3 100644 --- a/meta/recipes-multimedia/liba52/liba52_0.7.4.bb +++ b/meta/recipes-multimedia/liba52/liba52_0.7.4.bb | |||
@@ -1,4 +1,7 @@ | |||
1 | SUMMARY = "ATSC A/52 surround sound stream decoder" | 1 | SUMMARY = "ATSC A/52 surround sound stream decoder" |
2 | DESCRIPTION = "Library for decoding ATSC A/52 streams. The A/52 standard \ | ||
3 | is used in a variety of applications, including digital television \ | ||
4 | and DVD. It is also known as AC-3." | ||
2 | HOMEPAGE = "http://liba52.sourceforge.net/" | 5 | HOMEPAGE = "http://liba52.sourceforge.net/" |
3 | LICENSE = "GPLv2+" | 6 | LICENSE = "GPLv2+" |
4 | LIC_FILES_CHKSUM = "file://COPYING;md5=0636e73ff0215e8d672dc4c32c317bb3 \ | 7 | LIC_FILES_CHKSUM = "file://COPYING;md5=0636e73ff0215e8d672dc4c32c317bb3 \ |
diff --git a/meta/recipes-multimedia/libid3tag/libid3tag/cflags_filter.patch b/meta/recipes-multimedia/libid3tag/libid3tag/cflags_filter.patch new file mode 100644 index 0000000000..0d1d0dc381 --- /dev/null +++ b/meta/recipes-multimedia/libid3tag/libid3tag/cflags_filter.patch | |||
@@ -0,0 +1,21 @@ | |||
1 | configure contains CFLAGS filtering code which was removing our prefix-map | ||
2 | flags. We need those to generate reproducible binaries. Allow them through. | ||
3 | |||
4 | Upstream-Status: Pending | ||
5 | Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> | ||
6 | |||
7 | Index: libid3tag-0.15.1b/configure.ac | ||
8 | =================================================================== | ||
9 | --- libid3tag-0.15.1b.orig/configure.ac | ||
10 | +++ libid3tag-0.15.1b/configure.ac | ||
11 | @@ -99,6 +99,10 @@ do | ||
12 | -mno-cygwin) | ||
13 | shift | ||
14 | ;; | ||
15 | + -fmacro-prefix-map*|-fdebug-prefix-map*) | ||
16 | + CFLAGS="$CFLAGS $1" | ||
17 | + shift | ||
18 | + ;; | ||
19 | -m*) | ||
20 | arch="$arch $1" | ||
21 | shift | ||
diff --git a/meta/recipes-multimedia/libid3tag/libid3tag_0.15.1b.bb b/meta/recipes-multimedia/libid3tag/libid3tag_0.15.1b.bb index 0312a610c0..80581765ac 100644 --- a/meta/recipes-multimedia/libid3tag/libid3tag_0.15.1b.bb +++ b/meta/recipes-multimedia/libid3tag/libid3tag_0.15.1b.bb | |||
@@ -15,6 +15,7 @@ SRC_URI = "${SOURCEFORGE_MIRROR}/mad/libid3tag-${PV}.tar.gz \ | |||
15 | file://0001-Fix-gperf-3.1-incompatibility.patch \ | 15 | file://0001-Fix-gperf-3.1-incompatibility.patch \ |
16 | file://10_utf16.patch \ | 16 | file://10_utf16.patch \ |
17 | file://unknown-encoding.patch \ | 17 | file://unknown-encoding.patch \ |
18 | file://cflags_filter.patch \ | ||
18 | " | 19 | " |
19 | UPSTREAM_CHECK_URI = "https://sourceforge.net/projects/mad/files/libid3tag/" | 20 | UPSTREAM_CHECK_URI = "https://sourceforge.net/projects/mad/files/libid3tag/" |
20 | UPSTREAM_CHECK_REGEX = "/projects/mad/files/libid3tag/(?P<pver>.*)/$" | 21 | UPSTREAM_CHECK_REGEX = "/projects/mad/files/libid3tag/(?P<pver>.*)/$" |
diff --git a/meta/recipes-multimedia/libpng/files/run-ptest b/meta/recipes-multimedia/libpng/files/run-ptest new file mode 100644 index 0000000000..9ab5d0c1f4 --- /dev/null +++ b/meta/recipes-multimedia/libpng/files/run-ptest | |||
@@ -0,0 +1,29 @@ | |||
1 | #!/bin/sh | ||
2 | |||
3 | set -eux | ||
4 | |||
5 | ./pngfix pngtest.png &> log.txt 2>&1 | ||
6 | |||
7 | if grep -i "OK" log.txt 2>&1 ; then | ||
8 | echo "PASS: pngfix passed" | ||
9 | else | ||
10 | echo "FAIL: pngfix failed" | ||
11 | fi | ||
12 | rm -f log.txt | ||
13 | |||
14 | ./pngtest pngtest.png &> log.txt 2>&1 | ||
15 | |||
16 | if grep -i "PASS" log.txt 2>&1 ; then | ||
17 | echo "PASS: pngtest passed" | ||
18 | else | ||
19 | echo "FAIL: pngtest failed" | ||
20 | fi | ||
21 | rm -f log.txt | ||
22 | |||
23 | for i in pngstest timepng; do | ||
24 | if "./${i}" pngtest.png 2>&1; then | ||
25 | echo "PASS: $i" | ||
26 | else | ||
27 | echo "FAIL: $i" | ||
28 | fi | ||
29 | done | ||
diff --git a/meta/recipes-multimedia/libpng/libpng_1.6.37.bb b/meta/recipes-multimedia/libpng/libpng_1.6.37.bb index 8c53d11642..9387fc8e2e 100644 --- a/meta/recipes-multimedia/libpng/libpng_1.6.37.bb +++ b/meta/recipes-multimedia/libpng/libpng_1.6.37.bb | |||
@@ -1,4 +1,7 @@ | |||
1 | SUMMARY = "PNG image format decoding library" | 1 | SUMMARY = "PNG image format decoding library" |
2 | DESCRIPTION = "An open source project to develop and maintain the reference \ | ||
3 | library for use in applications that read, create, and manipulate PNG \ | ||
4 | (Portable Network Graphics) raster image files. " | ||
2 | HOMEPAGE = "http://www.libpng.org/" | 5 | HOMEPAGE = "http://www.libpng.org/" |
3 | SECTION = "libs" | 6 | SECTION = "libs" |
4 | LICENSE = "Libpng" | 7 | LICENSE = "Libpng" |
@@ -7,7 +10,10 @@ DEPENDS = "zlib" | |||
7 | 10 | ||
8 | LIBV = "16" | 11 | LIBV = "16" |
9 | 12 | ||
10 | SRC_URI = "${SOURCEFORGE_MIRROR}/${BPN}/${BPN}${LIBV}/${BP}.tar.xz" | 13 | SRC_URI = "\ |
14 | ${SOURCEFORGE_MIRROR}/${BPN}/${BPN}${LIBV}/${BP}.tar.xz \ | ||
15 | file://run-ptest \ | ||
16 | " | ||
11 | SRC_URI[md5sum] = "015e8e15db1eecde5f2eb9eb5b6e59e9" | 17 | SRC_URI[md5sum] = "015e8e15db1eecde5f2eb9eb5b6e59e9" |
12 | SRC_URI[sha256sum] = "505e70834d35383537b6491e7ae8641f1a4bed1876dbfe361201fc80868d88ca" | 18 | SRC_URI[sha256sum] = "505e70834d35383537b6491e7ae8641f1a4bed1876dbfe361201fc80868d88ca" |
13 | 19 | ||
@@ -17,7 +23,7 @@ UPSTREAM_CHECK_URI = "http://libpng.org/pub/png/libpng.html" | |||
17 | 23 | ||
18 | BINCONFIG = "${bindir}/libpng-config ${bindir}/libpng16-config" | 24 | BINCONFIG = "${bindir}/libpng-config ${bindir}/libpng16-config" |
19 | 25 | ||
20 | inherit autotools binconfig-disabled pkgconfig | 26 | inherit autotools binconfig-disabled pkgconfig ptest |
21 | 27 | ||
22 | # Work around missing symbols | 28 | # Work around missing symbols |
23 | EXTRA_OECONF_append_class-target = " ${@bb.utils.contains("TUNE_FEATURES", "neon", "--enable-arm-neon=on", "--enable-arm-neon=off" ,d)}" | 29 | EXTRA_OECONF_append_class-target = " ${@bb.utils.contains("TUNE_FEATURES", "neon", "--enable-arm-neon=on", "--enable-arm-neon=off" ,d)}" |
@@ -30,3 +36,11 @@ BBCLASSEXTEND = "native nativesdk" | |||
30 | 36 | ||
31 | # CVE-2019-17371 is actually a memory leak in gif2png 2.x | 37 | # CVE-2019-17371 is actually a memory leak in gif2png 2.x |
32 | CVE_CHECK_WHITELIST += "CVE-2019-17371" | 38 | CVE_CHECK_WHITELIST += "CVE-2019-17371" |
39 | |||
40 | do_install_ptest() { | ||
41 | install -m644 "${S}/pngtest.png" "${D}${PTEST_PATH}" | ||
42 | install -m755 "${B}/.libs/pngfix" "${D}${PTEST_PATH}" | ||
43 | install -m755 "${B}/.libs/pngtest" "${D}${PTEST_PATH}" | ||
44 | install -m755 "${B}/.libs/pngstest" "${D}${PTEST_PATH}" | ||
45 | install -m755 "${B}/.libs/timepng" "${D}${PTEST_PATH}" | ||
46 | } | ||
diff --git a/meta/recipes-multimedia/libsamplerate/libsamplerate0/shared_version_info.patch b/meta/recipes-multimedia/libsamplerate/libsamplerate0/shared_version_info.patch new file mode 100644 index 0000000000..b42d564b4b --- /dev/null +++ b/meta/recipes-multimedia/libsamplerate/libsamplerate0/shared_version_info.patch | |||
@@ -0,0 +1,13 @@ | |||
1 | Index: libsamplerate-0.1.8/configure.ac | ||
2 | =================================================================== | ||
3 | --- libsamplerate-0.1.8.orig/configure.ac | ||
4 | +++ libsamplerate-0.1.8/configure.ac | ||
5 | @@ -53,7 +53,7 @@ AC_PROG_LN_S | ||
6 | # 6. If any interfaces have been removed since the last public release, then set age | ||
7 | # to 0. | ||
8 | |||
9 | -SHARED_VERSION_INFO="1:8:1" | ||
10 | +SHARED_VERSION_INFO="1:9:1" | ||
11 | |||
12 | |||
13 | |||
diff --git a/meta/recipes-multimedia/libsamplerate/libsamplerate0_0.1.9.bb b/meta/recipes-multimedia/libsamplerate/libsamplerate0_0.1.9.bb index ae08189441..8345d6880f 100644 --- a/meta/recipes-multimedia/libsamplerate/libsamplerate0_0.1.9.bb +++ b/meta/recipes-multimedia/libsamplerate/libsamplerate0_0.1.9.bb | |||
@@ -1,4 +1,5 @@ | |||
1 | SUMMARY = "Audio Sample Rate Conversion library" | 1 | SUMMARY = "Audio Sample Rate Conversion library" |
2 | DESCRIPTION = "Also known as Secret Rabbit Code - a library for performing sample rate conversion of audio data." | ||
2 | HOMEPAGE = "http://www.mega-nerd.com/SRC/" | 3 | HOMEPAGE = "http://www.mega-nerd.com/SRC/" |
3 | SECTION = "libs" | 4 | SECTION = "libs" |
4 | LICENSE = "BSD-2-Clause" | 5 | LICENSE = "BSD-2-Clause" |
@@ -9,6 +10,7 @@ PR = "r1" | |||
9 | 10 | ||
10 | SRC_URI = "http://www.mega-nerd.com/SRC/libsamplerate-${PV}.tar.gz \ | 11 | SRC_URI = "http://www.mega-nerd.com/SRC/libsamplerate-${PV}.tar.gz \ |
11 | file://0001-configure.ac-improve-alsa-handling.patch \ | 12 | file://0001-configure.ac-improve-alsa-handling.patch \ |
13 | file://shared_version_info.patch \ | ||
12 | " | 14 | " |
13 | 15 | ||
14 | SRC_URI[md5sum] = "2b78ae9fe63b36b9fbb6267fad93f259" | 16 | SRC_URI[md5sum] = "2b78ae9fe63b36b9fbb6267fad93f259" |
diff --git a/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2021-3246_1.patch b/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2021-3246_1.patch new file mode 100644 index 0000000000..6354f856cb --- /dev/null +++ b/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2021-3246_1.patch | |||
@@ -0,0 +1,36 @@ | |||
1 | From a9815b3f228df00086e0a40bcc43162fc19896a1 Mon Sep 17 00:00:00 2001 | ||
2 | From: bobsayshilol <bobsayshilol@live.co.uk> | ||
3 | Date: Wed, 17 Feb 2021 23:21:48 +0000 | ||
4 | Subject: [PATCH 1/2] wavlike: Fix incorrect size check | ||
5 | |||
6 | The SF_CART_INFO_16K struct has an additional 4 byte field to hold | ||
7 | the size of 'tag_text' which the file header doesn't, so don't | ||
8 | include it as part of the check when looking for the max length. | ||
9 | |||
10 | https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=26026 | ||
11 | |||
12 | Upstream-Status: Backport | ||
13 | CVE: CVE-2021-3246 patch 1 | ||
14 | Signed-off-by: Armin Kuster <akuster@mvista.com> | ||
15 | |||
16 | --- | ||
17 | src/wavlike.c | 6 +++++- | ||
18 | 1 file changed, 5 insertions(+), 1 deletion(-) | ||
19 | |||
20 | Index: libsndfile-1.0.28/src/wavlike.c | ||
21 | =================================================================== | ||
22 | --- libsndfile-1.0.28.orig/src/wavlike.c | ||
23 | +++ libsndfile-1.0.28/src/wavlike.c | ||
24 | @@ -803,7 +803,11 @@ wavlike_read_cart_chunk (SF_PRIVATE *psf | ||
25 | return 0 ; | ||
26 | } ; | ||
27 | |||
28 | - if (chunksize >= sizeof (SF_CART_INFO_16K)) | ||
29 | + /* | ||
30 | + ** SF_CART_INFO_16K has an extra field 'tag_text_size' that isn't part | ||
31 | + ** of the chunk, so don't include it in the size check. | ||
32 | + */ | ||
33 | + if (chunksize >= sizeof (SF_CART_INFO_16K) - 4) | ||
34 | { psf_log_printf (psf, "cart : %u too big to be handled\n", chunksize) ; | ||
35 | psf_binheader_readf (psf, "j", chunksize) ; | ||
36 | return 0 ; | ||
diff --git a/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2021-3246_2.patch b/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2021-3246_2.patch new file mode 100644 index 0000000000..d6b03d7d4d --- /dev/null +++ b/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2021-3246_2.patch | |||
@@ -0,0 +1,44 @@ | |||
1 | From deb669ee8be55a94565f6f8a6b60890c2e7c6f32 Mon Sep 17 00:00:00 2001 | ||
2 | From: bobsayshilol <bobsayshilol@live.co.uk> | ||
3 | Date: Thu, 18 Feb 2021 21:52:09 +0000 | ||
4 | Subject: [PATCH 2/2] ms_adpcm: Fix and extend size checks | ||
5 | |||
6 | 'blockalign' is the size of a block, and each block contains 7 samples | ||
7 | per channel as part of the preamble, so check against 'samplesperblock' | ||
8 | rather than 'blockalign'. Also add an additional check that the block | ||
9 | is big enough to hold the samples it claims to hold. | ||
10 | |||
11 | https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=26803 | ||
12 | |||
13 | Upstream-Status: Backport | ||
14 | CVE: CVE-2021-3246 patch 2 | ||
15 | Signed-off-by: Armin Kuster <akuster@mvista.com> | ||
16 | |||
17 | --- | ||
18 | src/ms_adpcm.c | 10 ++++++++-- | ||
19 | 1 file changed, 8 insertions(+), 2 deletions(-) | ||
20 | |||
21 | diff --git a/src/ms_adpcm.c b/src/ms_adpcm.c | ||
22 | index 5e8f1a31..a21cb994 100644 | ||
23 | --- a/src/ms_adpcm.c | ||
24 | +++ b/src/ms_adpcm.c | ||
25 | @@ -128,8 +128,14 @@ wavlike_msadpcm_init (SF_PRIVATE *psf, int blockalign, int samplesperblock) | ||
26 | if (psf->file.mode == SFM_WRITE) | ||
27 | samplesperblock = 2 + 2 * (blockalign - 7 * psf->sf.channels) / psf->sf.channels ; | ||
28 | |||
29 | - if (blockalign < 7 * psf->sf.channels) | ||
30 | - { psf_log_printf (psf, "*** Error blockalign (%d) should be > %d.\n", blockalign, 7 * psf->sf.channels) ; | ||
31 | + /* There's 7 samples per channel in the preamble of each block */ | ||
32 | + if (samplesperblock < 7 * psf->sf.channels) | ||
33 | + { psf_log_printf (psf, "*** Error samplesperblock (%d) should be >= %d.\n", samplesperblock, 7 * psf->sf.channels) ; | ||
34 | + return SFE_INTERNAL ; | ||
35 | + } ; | ||
36 | + | ||
37 | + if (2 * blockalign < samplesperblock * psf->sf.channels) | ||
38 | + { psf_log_printf (psf, "*** Error blockalign (%d) should be >= %d.\n", blockalign, samplesperblock * psf->sf.channels / 2) ; | ||
39 | return SFE_INTERNAL ; | ||
40 | } ; | ||
41 | |||
42 | -- | ||
43 | 2.25.1 | ||
44 | |||
diff --git a/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2021-4156.patch b/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2021-4156.patch new file mode 100644 index 0000000000..f7ae82588f --- /dev/null +++ b/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2021-4156.patch | |||
@@ -0,0 +1,30 @@ | |||
1 | From ced91d7b971be6173b604154c39279ce90ad87cc Mon Sep 17 00:00:00 2001 | ||
2 | From: yuan <ssspeed00@gmail.com> | ||
3 | Date: Tue, 20 Apr 2021 16:16:32 +0800 | ||
4 | Subject: [PATCH] flac: Fix improper buffer reusing (#732) | ||
5 | |||
6 | Upstream-Status: Backport [https://github.com/libsndfile/libsndfile/commit/ced91d7b971be6173b604154c39279ce90ad87cc] | ||
7 | CVE: CVE-2021-4156 | ||
8 | Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com> | ||
9 | --- | ||
10 | src/flac.c | 4 ++++ | ||
11 | 1 file changed, 4 insertions(+) | ||
12 | |||
13 | diff --git a/src/flac.c b/src/flac.c | ||
14 | index 0be82ac..4fa5cfa 100644 | ||
15 | --- a/src/flac.c | ||
16 | +++ b/src/flac.c | ||
17 | @@ -952,7 +952,11 @@ flac_read_loop (SF_PRIVATE *psf, unsigned len) | ||
18 | /* Decode some more. */ | ||
19 | while (pflac->pos < pflac->len) | ||
20 | { if (FLAC__stream_decoder_process_single (pflac->fsd) == 0) | ||
21 | + { psf_log_printf (psf, "FLAC__stream_decoder_process_single returned false\n") ; | ||
22 | + /* Current frame is busted, so NULL the pointer. */ | ||
23 | + pflac->frame = NULL ; | ||
24 | break ; | ||
25 | + } ; | ||
26 | state = FLAC__stream_decoder_get_state (pflac->fsd) ; | ||
27 | if (state >= FLAC__STREAM_DECODER_END_OF_STREAM) | ||
28 | { psf_log_printf (psf, "FLAC__stream_decoder_get_state returned %s\n", FLAC__StreamDecoderStateString [state]) ; | ||
29 | -- | ||
30 | 2.40.1 | ||
diff --git a/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2022-33065.patch b/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2022-33065.patch new file mode 100644 index 0000000000..e22b4e9389 --- /dev/null +++ b/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2022-33065.patch | |||
@@ -0,0 +1,46 @@ | |||
1 | From 0754562e13d2e63a248a1c82f90b30bc0ffe307c Mon Sep 17 00:00:00 2001 | ||
2 | From: Alex Stewart <alex.stewart@ni.com> | ||
3 | Date: Tue, 10 Oct 2023 16:10:34 -0400 | ||
4 | Subject: [PATCH] mat4/mat5: fix int overflow in dataend calculation | ||
5 | |||
6 | The clang sanitizer warns of a possible signed integer overflow when | ||
7 | calculating the `dataend` value in `mat4_read_header()`. | ||
8 | |||
9 | ``` | ||
10 | src/mat4.c:323:41: runtime error: signed integer overflow: 205 * -100663296 cannot be represented in type 'int' | ||
11 | SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior src/mat4.c:323:41 in | ||
12 | src/mat4.c:323:48: runtime error: signed integer overflow: 838860800 * 4 cannot be represented in type 'int' | ||
13 | SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior src/mat4.c:323:48 in | ||
14 | ``` | ||
15 | |||
16 | Cast the offending `rows` and `cols` ints to `sf_count_t` (the type of | ||
17 | `dataend` before performing the calculation, to avoid the issue. | ||
18 | |||
19 | CVE: CVE-2022-33065 | ||
20 | Fixes: https://github.com/libsndfile/libsndfile/issues/789 | ||
21 | Fixes: https://github.com/libsndfile/libsndfile/issues/833 | ||
22 | |||
23 | Signed-off-by: Alex Stewart <alex.stewart@ni.com> | ||
24 | |||
25 | Upstream-Status: Backport [https://github.com/libsndfile/libsndfile/commit/0754562e13d2e63a248a1c82f90b30bc0ffe307c] | ||
26 | CVE: CVE-2022-33065 | ||
27 | Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com> | ||
28 | --- | ||
29 | src/mat4.c | 2 +- | ||
30 | 1 file changed, 1 insertion(+), 1 deletion(-) | ||
31 | |||
32 | diff --git a/src/mat4.c b/src/mat4.c | ||
33 | index 3c73680..e2f98b7 100644 | ||
34 | --- a/src/mat4.c | ||
35 | +++ b/src/mat4.c | ||
36 | @@ -320,7 +320,7 @@ mat4_read_header (SF_PRIVATE *psf) | ||
37 | psf->filelength - psf->dataoffset, psf->sf.channels * psf->sf.frames * psf->bytewidth) ; | ||
38 | } | ||
39 | else if ((psf->filelength - psf->dataoffset) > psf->sf.channels * psf->sf.frames * psf->bytewidth) | ||
40 | - psf->dataend = psf->dataoffset + rows * cols * psf->bytewidth ; | ||
41 | + psf->dataend = psf->dataoffset + (sf_count_t) rows * (sf_count_t) cols * psf->bytewidth ; | ||
42 | |||
43 | psf->datalength = psf->filelength - psf->dataoffset - psf->dataend ; | ||
44 | |||
45 | -- | ||
46 | 2.40.1 | ||
diff --git a/meta/recipes-multimedia/libsndfile/libsndfile1_1.0.28.bb b/meta/recipes-multimedia/libsndfile/libsndfile1_1.0.28.bb index b100108766..fb7d94ab75 100644 --- a/meta/recipes-multimedia/libsndfile/libsndfile1_1.0.28.bb +++ b/meta/recipes-multimedia/libsndfile/libsndfile1_1.0.28.bb | |||
@@ -1,4 +1,7 @@ | |||
1 | SUMMARY = "Audio format Conversion library" | 1 | SUMMARY = "Audio format Conversion library" |
2 | DESCRIPTION = "Library for reading and writing files containing sampled \ | ||
3 | sound (such as MS Windows WAV and the Apple/SGI AIFF format) through \ | ||
4 | one standard library interface." | ||
2 | HOMEPAGE = "http://www.mega-nerd.com/libsndfile" | 5 | HOMEPAGE = "http://www.mega-nerd.com/libsndfile" |
3 | AUTHOR = "Erik de Castro Lopo" | 6 | AUTHOR = "Erik de Castro Lopo" |
4 | DEPENDS = "flac libogg libvorbis" | 7 | DEPENDS = "flac libogg libvorbis" |
@@ -17,7 +20,11 @@ SRC_URI = "http://www.mega-nerd.com/libsndfile/files/libsndfile-${PV}.tar.gz \ | |||
17 | file://CVE-2017-12562.patch \ | 20 | file://CVE-2017-12562.patch \ |
18 | file://CVE-2018-19758.patch \ | 21 | file://CVE-2018-19758.patch \ |
19 | file://CVE-2019-3832.patch \ | 22 | file://CVE-2019-3832.patch \ |
20 | " | 23 | file://CVE-2021-3246_1.patch \ |
24 | file://CVE-2021-3246_2.patch \ | ||
25 | file://CVE-2022-33065.patch \ | ||
26 | file://CVE-2021-4156.patch \ | ||
27 | " | ||
21 | 28 | ||
22 | SRC_URI[md5sum] = "646b5f98ce89ac60cdb060fcd398247c" | 29 | SRC_URI[md5sum] = "646b5f98ce89ac60cdb060fcd398247c" |
23 | SRC_URI[sha256sum] = "1ff33929f042fa333aed1e8923aa628c3ee9e1eb85512686c55092d1e5a9dfa9" | 30 | SRC_URI[sha256sum] = "1ff33929f042fa333aed1e8923aa628c3ee9e1eb85512686c55092d1e5a9dfa9" |
diff --git a/meta/recipes-multimedia/libtiff/files/0001-tiffset-fix-global-buffer-overflow-for-ASCII-tags-wh.patch b/meta/recipes-multimedia/libtiff/files/0001-tiffset-fix-global-buffer-overflow-for-ASCII-tags-wh.patch new file mode 100644 index 0000000000..31f867e000 --- /dev/null +++ b/meta/recipes-multimedia/libtiff/files/0001-tiffset-fix-global-buffer-overflow-for-ASCII-tags-wh.patch | |||
@@ -0,0 +1,52 @@ | |||
1 | From b12a0326e6064b6e0b051d1184a219877472f69b Mon Sep 17 00:00:00 2001 | ||
2 | From: 4ugustus <wangdw.augustus@qq.com> | ||
3 | Date: Tue, 25 Jan 2022 16:25:28 +0000 | ||
4 | Subject: [PATCH] tiffset: fix global-buffer-overflow for ASCII tags where | ||
5 | count is required (fixes #355) | ||
6 | |||
7 | CVE: CVE-2022-22844 | ||
8 | Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/03047a26952a82daaa0792957ce211e0aa51bc64] | ||
9 | Signed-off-by: Purushottam Choudhary <purushottam.choudhary@kpit.com> | ||
10 | Signed-off-by: Purushottam Choudhary <purushottamchoudhary29@gmail.com> | ||
11 | Comments: Add header stdint.h in tiffset.c explicitly for UINT16_MAX | ||
12 | --- | ||
13 | tools/tiffset.c | 17 ++++++++++++++--- | ||
14 | 1 file changed, 14 insertions(+), 3 deletions(-) | ||
15 | |||
16 | diff --git a/tools/tiffset.c b/tools/tiffset.c | ||
17 | index 8c9e23c5..e7a88c09 100644 | ||
18 | --- a/tools/tiffset.c | ||
19 | +++ b/tools/tiffset.c | ||
20 | @@ -33,6 +33,7 @@ | ||
21 | #include <string.h> | ||
22 | #include <stdlib.h> | ||
23 | |||
24 | +#include <stdint.h> | ||
25 | #include "tiffio.h" | ||
26 | |||
27 | static char* usageMsg[] = { | ||
28 | @@ -146,9 +146,19 @@ main(int argc, char* argv[]) | ||
29 | |||
30 | arg_index++; | ||
31 | if (TIFFFieldDataType(fip) == TIFF_ASCII) { | ||
32 | - if (TIFFSetField(tiff, TIFFFieldTag(fip), argv[arg_index]) != 1) | ||
33 | - fprintf( stderr, "Failed to set %s=%s\n", | ||
34 | - TIFFFieldName(fip), argv[arg_index] ); | ||
35 | + if(TIFFFieldPassCount( fip )) { | ||
36 | + size_t len; | ||
37 | + len = strlen(argv[arg_index]) + 1; | ||
38 | + if (len > UINT16_MAX || TIFFSetField(tiff, TIFFFieldTag(fip), | ||
39 | + (uint16_t)len, argv[arg_index]) != 1) | ||
40 | + fprintf( stderr, "Failed to set %s=%s\n", | ||
41 | + TIFFFieldName(fip), argv[arg_index] ); | ||
42 | + } else { | ||
43 | + if (TIFFSetField(tiff, TIFFFieldTag(fip), | ||
44 | + argv[arg_index]) != 1) | ||
45 | + fprintf( stderr, "Failed to set %s=%s\n", | ||
46 | + TIFFFieldName(fip), argv[arg_index] ); | ||
47 | + } | ||
48 | } else if (TIFFFieldWriteCount(fip) > 0 | ||
49 | || TIFFFieldWriteCount(fip) == TIFF_VARIABLE) { | ||
50 | int ret = 1; | ||
51 | -- | ||
52 | GitLab | ||
diff --git a/meta/recipes-multimedia/libtiff/files/001_support_patch_for_CVE-2020-35521_and_CVE-2020-35522.patch b/meta/recipes-multimedia/libtiff/files/001_support_patch_for_CVE-2020-35521_and_CVE-2020-35522.patch new file mode 100644 index 0000000000..9b4724a325 --- /dev/null +++ b/meta/recipes-multimedia/libtiff/files/001_support_patch_for_CVE-2020-35521_and_CVE-2020-35522.patch | |||
@@ -0,0 +1,148 @@ | |||
1 | From 02875964eba5c4a2ea98c41562835428214adfe7 Mon Sep 17 00:00:00 2001 | ||
2 | From: Thomas Bernard <miniupnp@free.fr> | ||
3 | Date: Sat, 7 Mar 2020 13:21:56 +0100 | ||
4 | Subject: [PATCH] tiff2rgba: output usage to stdout when using -h | ||
5 | |||
6 | also uses std C EXIT_FAILURE / EXIT_SUCCESS | ||
7 | see #17 | ||
8 | |||
9 | Signed-off-by: akash hadke <akash.hadke@kpit.com> | ||
10 | --- | ||
11 | tools/tiff2rgba.c | 39 ++++++++++++++++++++++++--------------- | ||
12 | 1 file changed, 24 insertions(+), 15 deletions(-) | ||
13 | --- | ||
14 | Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/02875964eba5c4a2ea98c41562835428214adfe7.patch] | ||
15 | --- | ||
16 | diff --git a/tools/tiff2rgba.c b/tools/tiff2rgba.c | ||
17 | index 2eb6f6c4..ef643653 100644 | ||
18 | --- a/tools/tiff2rgba.c | ||
19 | +++ b/tools/tiff2rgba.c | ||
20 | @@ -39,6 +39,13 @@ | ||
21 | #include "tiffiop.h" | ||
22 | #include "tiffio.h" | ||
23 | |||
24 | +#ifndef EXIT_SUCCESS | ||
25 | +#define EXIT_SUCCESS 0 | ||
26 | +#endif | ||
27 | +#ifndef EXIT_FAILURE | ||
28 | +#define EXIT_FAILURE 1 | ||
29 | +#endif | ||
30 | + | ||
31 | #define streq(a,b) (strcmp(a,b) == 0) | ||
32 | #define CopyField(tag, v) \ | ||
33 | if (TIFFGetField(in, tag, &v)) TIFFSetField(out, tag, v) | ||
34 | @@ -68,7 +75,7 @@ main(int argc, char* argv[]) | ||
35 | extern char *optarg; | ||
36 | #endif | ||
37 | |||
38 | - while ((c = getopt(argc, argv, "c:r:t:bn8")) != -1) | ||
39 | + while ((c = getopt(argc, argv, "c:r:t:bn8h")) != -1) | ||
40 | switch (c) { | ||
41 | case 'b': | ||
42 | process_by_block = 1; | ||
43 | @@ -86,7 +93,7 @@ main(int argc, char* argv[]) | ||
44 | else if (streq(optarg, "zip")) | ||
45 | compression = COMPRESSION_DEFLATE; | ||
46 | else | ||
47 | - usage(-1); | ||
48 | + usage(EXIT_FAILURE); | ||
49 | break; | ||
50 | |||
51 | case 'r': | ||
52 | @@ -105,17 +112,20 @@ main(int argc, char* argv[]) | ||
53 | bigtiff_output = 1; | ||
54 | break; | ||
55 | |||
56 | + case 'h': | ||
57 | + usage(EXIT_SUCCESS); | ||
58 | + /*NOTREACHED*/ | ||
59 | case '?': | ||
60 | - usage(0); | ||
61 | + usage(EXIT_FAILURE); | ||
62 | /*NOTREACHED*/ | ||
63 | } | ||
64 | |||
65 | if (argc - optind < 2) | ||
66 | - usage(-1); | ||
67 | + usage(EXIT_FAILURE); | ||
68 | |||
69 | out = TIFFOpen(argv[argc-1], bigtiff_output?"w8":"w"); | ||
70 | if (out == NULL) | ||
71 | - return (-2); | ||
72 | + return (EXIT_FAILURE); | ||
73 | |||
74 | for (; optind < argc-1; optind++) { | ||
75 | in = TIFFOpen(argv[optind], "r"); | ||
76 | @@ -132,7 +142,7 @@ main(int argc, char* argv[]) | ||
77 | } | ||
78 | } | ||
79 | (void) TIFFClose(out); | ||
80 | - return (0); | ||
81 | + return (EXIT_SUCCESS); | ||
82 | } | ||
83 | |||
84 | static int | ||
85 | @@ -166,7 +176,7 @@ cvt_by_tile( TIFF *in, TIFF *out ) | ||
86 | if (tile_width != (rastersize / tile_height) / sizeof( uint32)) | ||
87 | { | ||
88 | TIFFError(TIFFFileName(in), "Integer overflow when calculating raster buffer"); | ||
89 | - exit(-1); | ||
90 | + exit(EXIT_FAILURE); | ||
91 | } | ||
92 | raster = (uint32*)_TIFFmalloc(rastersize); | ||
93 | if (raster == 0) { | ||
94 | @@ -182,7 +192,7 @@ cvt_by_tile( TIFF *in, TIFF *out ) | ||
95 | if (tile_width != wrk_linesize / sizeof (uint32)) | ||
96 | { | ||
97 | TIFFError(TIFFFileName(in), "Integer overflow when calculating wrk_line buffer"); | ||
98 | - exit(-1); | ||
99 | + exit(EXIT_FAILURE); | ||
100 | } | ||
101 | wrk_line = (uint32*)_TIFFmalloc(wrk_linesize); | ||
102 | if (!wrk_line) { | ||
103 | @@ -279,7 +289,7 @@ cvt_by_strip( TIFF *in, TIFF *out ) | ||
104 | if (width != (rastersize / rowsperstrip) / sizeof( uint32)) | ||
105 | { | ||
106 | TIFFError(TIFFFileName(in), "Integer overflow when calculating raster buffer"); | ||
107 | - exit(-1); | ||
108 | + exit(EXIT_FAILURE); | ||
109 | } | ||
110 | raster = (uint32*)_TIFFmalloc(rastersize); | ||
111 | if (raster == 0) { | ||
112 | @@ -295,7 +305,7 @@ cvt_by_strip( TIFF *in, TIFF *out ) | ||
113 | if (width != wrk_linesize / sizeof (uint32)) | ||
114 | { | ||
115 | TIFFError(TIFFFileName(in), "Integer overflow when calculating wrk_line buffer"); | ||
116 | - exit(-1); | ||
117 | + exit(EXIT_FAILURE); | ||
118 | } | ||
119 | wrk_line = (uint32*)_TIFFmalloc(wrk_linesize); | ||
120 | if (!wrk_line) { | ||
121 | @@ -528,7 +538,7 @@ tiffcvt(TIFF* in, TIFF* out) | ||
122 | return( cvt_whole_image( in, out ) ); | ||
123 | } | ||
124 | |||
125 | -static char* stuff[] = { | ||
126 | +const static char* stuff[] = { | ||
127 | "usage: tiff2rgba [-c comp] [-r rows] [-b] [-n] [-8] input... output", | ||
128 | "where comp is one of the following compression algorithms:", | ||
129 | " jpeg\t\tJPEG encoding", | ||
130 | @@ -547,13 +557,12 @@ static char* stuff[] = { | ||
131 | static void | ||
132 | usage(int code) | ||
133 | { | ||
134 | - char buf[BUFSIZ]; | ||
135 | int i; | ||
136 | + FILE * out = (code == EXIT_SUCCESS) ? stdout : stderr; | ||
137 | |||
138 | - setbuf(stderr, buf); | ||
139 | - fprintf(stderr, "%s\n\n", TIFFGetVersion()); | ||
140 | + fprintf(out, "%s\n\n", TIFFGetVersion()); | ||
141 | for (i = 0; stuff[i] != NULL; i++) | ||
142 | - fprintf(stderr, "%s\n", stuff[i]); | ||
143 | + fprintf(out, "%s\n", stuff[i]); | ||
144 | exit(code); | ||
145 | } | ||
146 | |||
147 | -- | ||
148 | GitLab | ||
diff --git a/meta/recipes-multimedia/libtiff/files/002_support_patch_for_CVE-2020-35521_and_CVE-2020-35522.patch b/meta/recipes-multimedia/libtiff/files/002_support_patch_for_CVE-2020-35521_and_CVE-2020-35522.patch new file mode 100644 index 0000000000..b6e1842a54 --- /dev/null +++ b/meta/recipes-multimedia/libtiff/files/002_support_patch_for_CVE-2020-35521_and_CVE-2020-35522.patch | |||
@@ -0,0 +1,27 @@ | |||
1 | From ca70b5e702b9f503333344b2d46691de9feae84e Mon Sep 17 00:00:00 2001 | ||
2 | From: Even Rouault <even.rouault@spatialys.com> | ||
3 | Date: Sat, 3 Oct 2020 18:16:27 +0200 | ||
4 | Subject: [PATCH] tiff2rgba.c: fix -Wold-style-declaration warning | ||
5 | |||
6 | Signed-off-by: akash hadke <akash.hadke@kpit.com> | ||
7 | --- | ||
8 | tools/tiff2rgba.c | 2 +- | ||
9 | 1 file changed, 1 insertion(+), 1 deletion(-) | ||
10 | --- | ||
11 | Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/ca70b5e702b9f503333344b2d46691de9feae84e.patch] | ||
12 | --- | ||
13 | diff --git a/tools/tiff2rgba.c b/tools/tiff2rgba.c | ||
14 | index ef643653..fbc383aa 100644 | ||
15 | --- a/tools/tiff2rgba.c | ||
16 | +++ b/tools/tiff2rgba.c | ||
17 | @@ -538,7 +538,7 @@ tiffcvt(TIFF* in, TIFF* out) | ||
18 | return( cvt_whole_image( in, out ) ); | ||
19 | } | ||
20 | |||
21 | -const static char* stuff[] = { | ||
22 | +static const char* stuff[] = { | ||
23 | "usage: tiff2rgba [-c comp] [-r rows] [-b] [-n] [-8] input... output", | ||
24 | "where comp is one of the following compression algorithms:", | ||
25 | " jpeg\t\tJPEG encoding", | ||
26 | -- | ||
27 | GitLab | ||
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2020-35521_and_CVE-2020-35522.patch b/meta/recipes-multimedia/libtiff/files/CVE-2020-35521_and_CVE-2020-35522.patch new file mode 100644 index 0000000000..129721ff3e --- /dev/null +++ b/meta/recipes-multimedia/libtiff/files/CVE-2020-35521_and_CVE-2020-35522.patch | |||
@@ -0,0 +1,119 @@ | |||
1 | From 98a254f5b92cea22f5436555ff7fceb12afee84d Mon Sep 17 00:00:00 2001 | ||
2 | From: Thomas Bernard <miniupnp@free.fr> | ||
3 | Date: Sun, 15 Nov 2020 17:02:51 +0100 | ||
4 | Subject: [PATCH 1/2] enforce (configurable) memory limit in tiff2rgba | ||
5 | |||
6 | fixes #207 | ||
7 | fixes #209 | ||
8 | |||
9 | Signed-off-by: akash hadke <akash.hadke@kpit.com> | ||
10 | --- | ||
11 | tools/tiff2rgba.c | 25 +++++++++++++++++++++++-- | ||
12 | 1 file changed, 23 insertions(+), 2 deletions(-) | ||
13 | --- | ||
14 | CVE: CVE-2020-35521 | ||
15 | CVE: CVE-2020-35522 | ||
16 | Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/b5a935d96b21cda0f434230cdf8ca958cd8b4eef.patch] | ||
17 | --- | ||
18 | diff --git a/tools/tiff2rgba.c b/tools/tiff2rgba.c | ||
19 | index fbc383aa..764395f6 100644 | ||
20 | --- a/tools/tiff2rgba.c | ||
21 | +++ b/tools/tiff2rgba.c | ||
22 | @@ -60,6 +60,10 @@ uint32 rowsperstrip = (uint32) -1; | ||
23 | int process_by_block = 0; /* default is whole image at once */ | ||
24 | int no_alpha = 0; | ||
25 | int bigtiff_output = 0; | ||
26 | +#define DEFAULT_MAX_MALLOC (256 * 1024 * 1024) | ||
27 | +/* malloc size limit (in bytes) | ||
28 | + * disabled when set to 0 */ | ||
29 | +static tmsize_t maxMalloc = DEFAULT_MAX_MALLOC; | ||
30 | |||
31 | |||
32 | static int tiffcvt(TIFF* in, TIFF* out); | ||
33 | @@ -75,8 +79,11 @@ main(int argc, char* argv[]) | ||
34 | extern char *optarg; | ||
35 | #endif | ||
36 | |||
37 | - while ((c = getopt(argc, argv, "c:r:t:bn8h")) != -1) | ||
38 | + while ((c = getopt(argc, argv, "c:r:t:bn8hM:")) != -1) | ||
39 | switch (c) { | ||
40 | + case 'M': | ||
41 | + maxMalloc = (tmsize_t)strtoul(optarg, NULL, 0) << 20; | ||
42 | + break; | ||
43 | case 'b': | ||
44 | process_by_block = 1; | ||
45 | break; | ||
46 | @@ -405,6 +412,12 @@ cvt_whole_image( TIFF *in, TIFF *out ) | ||
47 | (unsigned long)width, (unsigned long)height); | ||
48 | return 0; | ||
49 | } | ||
50 | + if (maxMalloc != 0 && (tmsize_t)pixel_count * (tmsize_t)sizeof(uint32) > maxMalloc) { | ||
51 | + TIFFError(TIFFFileName(in), | ||
52 | + "Raster size " TIFF_UINT64_FORMAT " over memory limit (" TIFF_UINT64_FORMAT "), try -b option.", | ||
53 | + (uint64)pixel_count * sizeof(uint32), (uint64)maxMalloc); | ||
54 | + return 0; | ||
55 | + } | ||
56 | |||
57 | rowsperstrip = TIFFDefaultStripSize(out, rowsperstrip); | ||
58 | TIFFSetField(out, TIFFTAG_ROWSPERSTRIP, rowsperstrip); | ||
59 | @@ -530,6 +543,13 @@ tiffcvt(TIFF* in, TIFF* out) | ||
60 | TIFFSetField(out, TIFFTAG_SOFTWARE, TIFFGetVersion()); | ||
61 | CopyField(TIFFTAG_DOCUMENTNAME, stringv); | ||
62 | |||
63 | + if (maxMalloc != 0 && TIFFStripSize(in) > maxMalloc) | ||
64 | + { | ||
65 | + TIFFError(TIFFFileName(in), | ||
66 | + "Strip Size " TIFF_UINT64_FORMAT " over memory limit (" TIFF_UINT64_FORMAT ")", | ||
67 | + (uint64)TIFFStripSize(in), (uint64)maxMalloc); | ||
68 | + return 0; | ||
69 | + } | ||
70 | if( process_by_block && TIFFIsTiled( in ) ) | ||
71 | return( cvt_by_tile( in, out ) ); | ||
72 | else if( process_by_block ) | ||
73 | @@ -539,7 +559,7 @@ tiffcvt(TIFF* in, TIFF* out) | ||
74 | } | ||
75 | |||
76 | static const char* stuff[] = { | ||
77 | - "usage: tiff2rgba [-c comp] [-r rows] [-b] [-n] [-8] input... output", | ||
78 | + "usage: tiff2rgba [-c comp] [-r rows] [-b] [-n] [-8] [-M size] input... output", | ||
79 | "where comp is one of the following compression algorithms:", | ||
80 | " jpeg\t\tJPEG encoding", | ||
81 | " zip\t\tZip/Deflate encoding", | ||
82 | @@ -551,6 +571,7 @@ static const char* stuff[] = { | ||
83 | " -b (progress by block rather than as a whole image)", | ||
84 | " -n don't emit alpha component.", | ||
85 | " -8 write BigTIFF file instead of ClassicTIFF", | ||
86 | + " -M set the memory allocation limit in MiB. 0 to disable limit", | ||
87 | NULL | ||
88 | }; | ||
89 | |||
90 | -- | ||
91 | GitLab | ||
92 | |||
93 | |||
94 | From e9e504193ef1f87e9cb5e986586b0cbe3254e421 Mon Sep 17 00:00:00 2001 | ||
95 | From: Thomas Bernard <miniupnp@free.fr> | ||
96 | Date: Sun, 15 Nov 2020 17:08:42 +0100 | ||
97 | Subject: [PATCH 2/2] tiff2rgba.1: -M option | ||
98 | |||
99 | --- | ||
100 | man/tiff2rgba.1 | 4 ++++ | ||
101 | 1 file changed, 4 insertions(+) | ||
102 | |||
103 | diff --git a/man/tiff2rgba.1 b/man/tiff2rgba.1 | ||
104 | index d9c9baae..fe9ebb2c 100644 | ||
105 | --- a/man/tiff2rgba.1 | ||
106 | +++ b/man/tiff2rgba.1 | ||
107 | @@ -87,6 +87,10 @@ Drop the alpha component from the output file, producing a pure RGB file. | ||
108 | Currently this does not work if the | ||
109 | .B \-b | ||
110 | flag is also in effect. | ||
111 | +.TP | ||
112 | +.BI \-M " size" | ||
113 | +Set maximum memory allocation size (in MiB). The default is 256MiB. | ||
114 | +Set to 0 to disable the limit. | ||
115 | .SH "SEE ALSO" | ||
116 | .BR tiff2bw (1), | ||
117 | .BR TIFFReadRGBAImage (3t), | ||
118 | -- | ||
119 | GitLab | ||
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2020-35523.patch b/meta/recipes-multimedia/libtiff/files/CVE-2020-35523.patch new file mode 100644 index 0000000000..1f30b32799 --- /dev/null +++ b/meta/recipes-multimedia/libtiff/files/CVE-2020-35523.patch | |||
@@ -0,0 +1,55 @@ | |||
1 | From c8d613ef497058fe653c467fc84c70a62a4a71b2 Mon Sep 17 00:00:00 2001 | ||
2 | From: Thomas Bernard <miniupnp@free.fr> | ||
3 | Date: Tue, 10 Nov 2020 01:54:30 +0100 | ||
4 | Subject: [PATCH] gtTileContig(): check Tile width for overflow | ||
5 | |||
6 | fixes #211 | ||
7 | |||
8 | Upstream-Status: Backport [ https://gitlab.com/libtiff/libtiff/-/commit/c8d613ef497058fe653c467fc84c70a62a4a71b2 ] | ||
9 | CVE: CVE-2020-35523 | ||
10 | Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> | ||
11 | --- | ||
12 | libtiff/tif_getimage.c | 17 +++++++++++++---- | ||
13 | 1 file changed, 13 insertions(+), 4 deletions(-) | ||
14 | |||
15 | diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c | ||
16 | index 4da785d3..96ab1460 100644 | ||
17 | --- a/libtiff/tif_getimage.c | ||
18 | +++ b/libtiff/tif_getimage.c | ||
19 | @@ -29,6 +29,7 @@ | ||
20 | */ | ||
21 | #include "tiffiop.h" | ||
22 | #include <stdio.h> | ||
23 | +#include <limits.h> | ||
24 | |||
25 | static int gtTileContig(TIFFRGBAImage*, uint32*, uint32, uint32); | ||
26 | static int gtTileSeparate(TIFFRGBAImage*, uint32*, uint32, uint32); | ||
27 | @@ -645,12 +646,20 @@ gtTileContig(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h) | ||
28 | |||
29 | flip = setorientation(img); | ||
30 | if (flip & FLIP_VERTICALLY) { | ||
31 | - y = h - 1; | ||
32 | - toskew = -(int32)(tw + w); | ||
33 | + if ((tw + w) > INT_MAX) { | ||
34 | + TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "%s", "unsupported tile size (too wide)"); | ||
35 | + return (0); | ||
36 | + } | ||
37 | + y = h - 1; | ||
38 | + toskew = -(int32)(tw + w); | ||
39 | } | ||
40 | else { | ||
41 | - y = 0; | ||
42 | - toskew = -(int32)(tw - w); | ||
43 | + if (tw > (INT_MAX + w)) { | ||
44 | + TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "%s", "unsupported tile size (too wide)"); | ||
45 | + return (0); | ||
46 | + } | ||
47 | + y = 0; | ||
48 | + toskew = -(int32)(tw - w); | ||
49 | } | ||
50 | |||
51 | /* | ||
52 | -- | ||
53 | GitLab | ||
54 | |||
55 | |||
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2020-35524-1.patch b/meta/recipes-multimedia/libtiff/files/CVE-2020-35524-1.patch new file mode 100644 index 0000000000..5232eacb50 --- /dev/null +++ b/meta/recipes-multimedia/libtiff/files/CVE-2020-35524-1.patch | |||
@@ -0,0 +1,42 @@ | |||
1 | From c6a12721b46f1a72974f91177890301730d7b330 Mon Sep 17 00:00:00 2001 | ||
2 | From: Thomas Bernard <miniupnp@free.fr> | ||
3 | Date: Tue, 10 Nov 2020 01:01:59 +0100 | ||
4 | Subject: [PATCH] tiff2pdf.c: properly calculate datasize when saving to JPEG | ||
5 | YCbCr | ||
6 | |||
7 | fixes #220 | ||
8 | Upstream-Status: Backport | ||
9 | https://gitlab.com/libtiff/libtiff/-/commit/c6a12721b46f1a72974f91177890301730d7b330 | ||
10 | https://gitlab.com/libtiff/libtiff/-/merge_requests/159/commits | ||
11 | CVE: CVE-2021-35524 | ||
12 | Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> | ||
13 | |||
14 | --- | ||
15 | tools/tiff2pdf.c | 11 ++++++++--- | ||
16 | 1 file changed, 8 insertions(+), 3 deletions(-) | ||
17 | |||
18 | diff --git a/tools/tiff2pdf.c b/tools/tiff2pdf.c | ||
19 | index 719811ea..dc69d2f9 100644 | ||
20 | --- a/tools/tiff2pdf.c | ||
21 | +++ b/tools/tiff2pdf.c | ||
22 | @@ -2087,9 +2087,14 @@ void t2p_read_tiff_size(T2P* t2p, TIFF* input){ | ||
23 | #endif | ||
24 | (void) 0; | ||
25 | } | ||
26 | - k = checkMultiply64(TIFFScanlineSize(input), t2p->tiff_length, t2p); | ||
27 | - if(t2p->tiff_planar==PLANARCONFIG_SEPARATE){ | ||
28 | - k = checkMultiply64(k, t2p->tiff_samplesperpixel, t2p); | ||
29 | + if(t2p->pdf_compression == T2P_COMPRESS_JPEG | ||
30 | + && t2p->tiff_photometric == PHOTOMETRIC_YCBCR) { | ||
31 | + k = checkMultiply64(TIFFNumberOfStrips(input), TIFFStripSize(input), t2p); | ||
32 | + } else { | ||
33 | + k = checkMultiply64(TIFFScanlineSize(input), t2p->tiff_length, t2p); | ||
34 | + if(t2p->tiff_planar==PLANARCONFIG_SEPARATE){ | ||
35 | + k = checkMultiply64(k, t2p->tiff_samplesperpixel, t2p); | ||
36 | + } | ||
37 | } | ||
38 | if (k == 0) { | ||
39 | /* Assume we had overflow inside TIFFScanlineSize */ | ||
40 | -- | ||
41 | GitLab | ||
42 | |||
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2020-35524-2.patch b/meta/recipes-multimedia/libtiff/files/CVE-2020-35524-2.patch new file mode 100644 index 0000000000..406d467766 --- /dev/null +++ b/meta/recipes-multimedia/libtiff/files/CVE-2020-35524-2.patch | |||
@@ -0,0 +1,36 @@ | |||
1 | From d74f56e3b7ea55c8a18a03bc247cd5fd0ca288b2 Mon Sep 17 00:00:00 2001 | ||
2 | From: Thomas Bernard <miniupnp@free.fr> | ||
3 | Date: Tue, 10 Nov 2020 02:05:05 +0100 | ||
4 | Subject: [PATCH] Fix for building without JPEG support | ||
5 | |||
6 | Upstream-Status: Backport | ||
7 | https://gitlab.com/libtiff/libtiff/-/commit/d74f56e3b7ea55c8a18a03bc247cd5fd0ca288b2 | ||
8 | https://gitlab.com/libtiff/libtiff/-/merge_requests/159/commits | ||
9 | CVE: CVE-2021-35524 | ||
10 | Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> | ||
11 | --- | ||
12 | tools/tiff2pdf.c | 5 ++++- | ||
13 | 1 file changed, 4 insertions(+), 1 deletion(-) | ||
14 | |||
15 | diff --git a/tools/tiff2pdf.c b/tools/tiff2pdf.c | ||
16 | index dc69d2f9..d0b0ede7 100644 | ||
17 | --- a/tools/tiff2pdf.c | ||
18 | +++ b/tools/tiff2pdf.c | ||
19 | @@ -2087,10 +2087,13 @@ void t2p_read_tiff_size(T2P* t2p, TIFF* input){ | ||
20 | #endif | ||
21 | (void) 0; | ||
22 | } | ||
23 | +#ifdef JPEG_SUPPORT | ||
24 | if(t2p->pdf_compression == T2P_COMPRESS_JPEG | ||
25 | && t2p->tiff_photometric == PHOTOMETRIC_YCBCR) { | ||
26 | k = checkMultiply64(TIFFNumberOfStrips(input), TIFFStripSize(input), t2p); | ||
27 | - } else { | ||
28 | + } else | ||
29 | +#endif | ||
30 | + { | ||
31 | k = checkMultiply64(TIFFScanlineSize(input), t2p->tiff_length, t2p); | ||
32 | if(t2p->tiff_planar==PLANARCONFIG_SEPARATE){ | ||
33 | k = checkMultiply64(k, t2p->tiff_samplesperpixel, t2p); | ||
34 | -- | ||
35 | GitLab | ||
36 | |||
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2022-0865.patch b/meta/recipes-multimedia/libtiff/files/CVE-2022-0865.patch new file mode 100644 index 0000000000..e2d136f587 --- /dev/null +++ b/meta/recipes-multimedia/libtiff/files/CVE-2022-0865.patch | |||
@@ -0,0 +1,39 @@ | |||
1 | From a1c933dabd0e1c54a412f3f84ae0aa58115c6067 Mon Sep 17 00:00:00 2001 | ||
2 | From: Even Rouault <even.rouault@spatialys.com> | ||
3 | Date: Thu, 24 Feb 2022 22:26:02 +0100 | ||
4 | Subject: [PATCH] tif_jbig.c: fix crash when reading a file with multiple IFD | ||
5 | in memory-mapped mode and when bit reversal is needed (fixes #385) | ||
6 | |||
7 | CVE: CVE-2022-0865 | ||
8 | Upstream-Status: Backport [https://sources.debian.org/src/tiff/4.1.0+git191117-2%7Edeb10u4/debian/patches/CVE-2022-0865.patch/] | ||
9 | Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com> | ||
10 | Comment: No change in any hunk | ||
11 | |||
12 | --- | ||
13 | libtiff/tif_jbig.c | 10 ++++++++++ | ||
14 | 1 file changed, 10 insertions(+) | ||
15 | |||
16 | diff --git a/libtiff/tif_jbig.c b/libtiff/tif_jbig.c | ||
17 | index 74086338..8bfa4cef 100644 | ||
18 | --- a/libtiff/tif_jbig.c | ||
19 | +++ b/libtiff/tif_jbig.c | ||
20 | @@ -208,6 +208,16 @@ int TIFFInitJBIG(TIFF* tif, int scheme) | ||
21 | */ | ||
22 | tif->tif_flags |= TIFF_NOBITREV; | ||
23 | tif->tif_flags &= ~TIFF_MAPPED; | ||
24 | + /* We may have read from a previous IFD and thus set TIFF_BUFFERMMAP and | ||
25 | + * cleared TIFF_MYBUFFER. It is necessary to restore them to their initial | ||
26 | + * value to be consistent with the state of a non-memory mapped file. | ||
27 | + */ | ||
28 | + if (tif->tif_flags&TIFF_BUFFERMMAP) { | ||
29 | + tif->tif_rawdata = NULL; | ||
30 | + tif->tif_rawdatasize = 0; | ||
31 | + tif->tif_flags &= ~TIFF_BUFFERMMAP; | ||
32 | + tif->tif_flags |= TIFF_MYBUFFER; | ||
33 | + } | ||
34 | |||
35 | /* Setup the function pointers for encode, decode, and cleanup. */ | ||
36 | tif->tif_setupdecode = JBIGSetupDecode; | ||
37 | -- | ||
38 | GitLab | ||
39 | |||
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2022-0891.patch b/meta/recipes-multimedia/libtiff/files/CVE-2022-0891.patch new file mode 100644 index 0000000000..e2f1bd3056 --- /dev/null +++ b/meta/recipes-multimedia/libtiff/files/CVE-2022-0891.patch | |||
@@ -0,0 +1,217 @@ | |||
1 | From 232282fd8f9c21eefe8d2d2b96cdbbb172fe7b7c Mon Sep 17 00:00:00 2001 | ||
2 | From: Su Laus <sulau@freenet.de> | ||
3 | Date: Tue, 8 Mar 2022 17:02:44 +0000 | ||
4 | Subject: [PATCH] tiffcrop: fix issue #380 and #382 heap buffer overflow in | ||
5 | extractImageSection | ||
6 | |||
7 | CVE: CVE-2022-0891 | ||
8 | Upstream-Status: Backport [https://sources.debian.org/src/tiff/4.1.0+git191117-2%7Edeb10u4/debian/patches/CVE-2022-0891.patch/] | ||
9 | Comment: No change in any hunk | ||
10 | Signed-off-by: Sana Kazi <Sana.Kazi@kpit.com> | ||
11 | --- | ||
12 | tools/tiffcrop.c | 92 +++++++++++++++++++----------------------------- | ||
13 | 1 file changed, 36 insertions(+), 56 deletions(-) | ||
14 | |||
15 | diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c | ||
16 | index f2e5474a..e62bcc71 100644 | ||
17 | --- a/tools/tiffcrop.c | ||
18 | +++ b/tools/tiffcrop.c | ||
19 | @@ -105,8 +105,8 @@ | ||
20 | * of messages to monitor progess without enabling dump logs. | ||
21 | */ | ||
22 | |||
23 | -static char tiffcrop_version_id[] = "2.4"; | ||
24 | -static char tiffcrop_rev_date[] = "12-13-2010"; | ||
25 | +static char tiffcrop_version_id[] = "2.4.1"; | ||
26 | +static char tiffcrop_rev_date[] = "03-03-2010"; | ||
27 | |||
28 | #include "tif_config.h" | ||
29 | #include "tiffiop.h" | ||
30 | @@ -6670,10 +6670,10 @@ extractImageSection(struct image_data *image, struct pageseg *section, | ||
31 | #ifdef DEVELMODE | ||
32 | uint32 img_length; | ||
33 | #endif | ||
34 | - uint32 j, shift1, shift2, trailing_bits; | ||
35 | + uint32 j, shift1, trailing_bits; | ||
36 | uint32 row, first_row, last_row, first_col, last_col; | ||
37 | uint32 src_offset, dst_offset, row_offset, col_offset; | ||
38 | - uint32 offset1, offset2, full_bytes; | ||
39 | + uint32 offset1, full_bytes; | ||
40 | uint32 sect_width; | ||
41 | #ifdef DEVELMODE | ||
42 | uint32 sect_length; | ||
43 | @@ -6683,7 +6683,6 @@ extractImageSection(struct image_data *image, struct pageseg *section, | ||
44 | #ifdef DEVELMODE | ||
45 | int k; | ||
46 | unsigned char bitset; | ||
47 | - static char *bitarray = NULL; | ||
48 | #endif | ||
49 | |||
50 | img_width = image->width; | ||
51 | @@ -6701,17 +6700,12 @@ extractImageSection(struct image_data *image, struct pageseg *section, | ||
52 | dst_offset = 0; | ||
53 | |||
54 | #ifdef DEVELMODE | ||
55 | - if (bitarray == NULL) | ||
56 | - { | ||
57 | - if ((bitarray = (char *)malloc(img_width)) == NULL) | ||
58 | - { | ||
59 | - TIFFError ("", "DEBUG: Unable to allocate debugging bitarray"); | ||
60 | - return (-1); | ||
61 | - } | ||
62 | - } | ||
63 | + char bitarray[39]; | ||
64 | #endif | ||
65 | |||
66 | - /* rows, columns, width, length are expressed in pixels */ | ||
67 | + /* rows, columns, width, length are expressed in pixels | ||
68 | + * first_row, last_row, .. are index into image array starting at 0 to width-1, | ||
69 | + * last_col shall be also extracted. */ | ||
70 | first_row = section->y1; | ||
71 | last_row = section->y2; | ||
72 | first_col = section->x1; | ||
73 | @@ -6721,9 +6715,14 @@ extractImageSection(struct image_data *image, struct pageseg *section, | ||
74 | #ifdef DEVELMODE | ||
75 | sect_length = last_row - first_row + 1; | ||
76 | #endif | ||
77 | - img_rowsize = ((img_width * bps + 7) / 8) * spp; | ||
78 | - full_bytes = (sect_width * spp * bps) / 8; /* number of COMPLETE bytes per row in section */ | ||
79 | - trailing_bits = (sect_width * bps) % 8; | ||
80 | + /* The read function loadImage() used copy separate plane data into a buffer as interleaved | ||
81 | + * samples rather than separate planes so the same logic works to extract regions | ||
82 | + * regardless of the way the data are organized in the input file. | ||
83 | + * Furthermore, bytes and bits are arranged in buffer according to COMPRESSION=1 and FILLORDER=1 | ||
84 | + */ | ||
85 | + img_rowsize = (((img_width * spp * bps) + 7) / 8); /* row size in full bytes of source image */ | ||
86 | + full_bytes = (sect_width * spp * bps) / 8; /* number of COMPLETE bytes per row in section */ | ||
87 | + trailing_bits = (sect_width * spp * bps) % 8; /* trailing bits within the last byte of destination buffer */ | ||
88 | |||
89 | #ifdef DEVELMODE | ||
90 | TIFFError ("", "First row: %d, last row: %d, First col: %d, last col: %d\n", | ||
91 | @@ -6736,10 +6735,9 @@ extractImageSection(struct image_data *image, struct pageseg *section, | ||
92 | |||
93 | if ((bps % 8) == 0) | ||
94 | { | ||
95 | - col_offset = first_col * spp * bps / 8; | ||
96 | + col_offset = (first_col * spp * bps) / 8; | ||
97 | for (row = first_row; row <= last_row; row++) | ||
98 | { | ||
99 | - /* row_offset = row * img_width * spp * bps / 8; */ | ||
100 | row_offset = row * img_rowsize; | ||
101 | src_offset = row_offset + col_offset; | ||
102 | |||
103 | @@ -6752,14 +6750,12 @@ extractImageSection(struct image_data *image, struct pageseg *section, | ||
104 | } | ||
105 | else | ||
106 | { /* bps != 8 */ | ||
107 | - shift1 = spp * ((first_col * bps) % 8); | ||
108 | - shift2 = spp * ((last_col * bps) % 8); | ||
109 | + shift1 = ((first_col * spp * bps) % 8); /* shift1 = bits to skip in the first byte of source buffer*/ | ||
110 | for (row = first_row; row <= last_row; row++) | ||
111 | { | ||
112 | /* pull out the first byte */ | ||
113 | row_offset = row * img_rowsize; | ||
114 | - offset1 = row_offset + (first_col * bps / 8); | ||
115 | - offset2 = row_offset + (last_col * bps / 8); | ||
116 | + offset1 = row_offset + ((first_col * spp * bps) / 8); /* offset1 = offset into source of byte with first bits to be extracted */ | ||
117 | |||
118 | #ifdef DEVELMODE | ||
119 | for (j = 0, k = 7; j < 8; j++, k--) | ||
120 | @@ -6771,12 +6767,12 @@ extractImageSection(struct image_data *image, struct pageseg *section, | ||
121 | sprintf(&bitarray[9], " "); | ||
122 | for (j = 10, k = 7; j < 18; j++, k--) | ||
123 | { | ||
124 | - bitset = *(src_buff + offset2) & (((unsigned char)1 << k)) ? 1 : 0; | ||
125 | + bitset = *(src_buff + offset1 + full_bytes) & (((unsigned char)1 << k)) ? 1 : 0; | ||
126 | sprintf(&bitarray[j], (bitset) ? "1" : "0"); | ||
127 | } | ||
128 | bitarray[18] = '\0'; | ||
129 | - TIFFError ("", "Row: %3d Offset1: %d, Shift1: %d, Offset2: %d, Shift2: %d\n", | ||
130 | - row, offset1, shift1, offset2, shift2); | ||
131 | + TIFFError ("", "Row: %3d Offset1: %"PRIu32", Shift1: %"PRIu32", Offset2: %"PRIu32", Trailing_bits: %"PRIu32"\n", | ||
132 | + row, offset1, shift1, offset1+full_bytes, trailing_bits); | ||
133 | #endif | ||
134 | |||
135 | bytebuff1 = bytebuff2 = 0; | ||
136 | @@ -6800,11 +6796,12 @@ extractImageSection(struct image_data *image, struct pageseg *section, | ||
137 | |||
138 | if (trailing_bits != 0) | ||
139 | { | ||
140 | - bytebuff2 = src_buff[offset2] & ((unsigned char)255 << (7 - shift2)); | ||
141 | + /* Only copy higher bits of samples and mask lower bits of not wanted column samples to zero */ | ||
142 | + bytebuff2 = src_buff[offset1 + full_bytes] & ((unsigned char)255 << (8 - trailing_bits)); | ||
143 | sect_buff[dst_offset] = bytebuff2; | ||
144 | #ifdef DEVELMODE | ||
145 | TIFFError ("", " Trailing bits src offset: %8d, Dst offset: %8d\n", | ||
146 | - offset2, dst_offset); | ||
147 | + offset1 + full_bytes, dst_offset); | ||
148 | for (j = 30, k = 7; j < 38; j++, k--) | ||
149 | { | ||
150 | bitset = *(sect_buff + dst_offset) & (((unsigned char)1 << k)) ? 1 : 0; | ||
151 | @@ -6823,8 +6820,10 @@ extractImageSection(struct image_data *image, struct pageseg *section, | ||
152 | #endif | ||
153 | for (j = 0; j <= full_bytes; j++) | ||
154 | { | ||
155 | - bytebuff1 = src_buff[offset1 + j] & ((unsigned char)255 >> shift1); | ||
156 | - bytebuff2 = src_buff[offset1 + j + 1] & ((unsigned char)255 << (7 - shift1)); | ||
157 | + /* Skip the first shift1 bits and shift the source up by shift1 bits before save to destination.*/ | ||
158 | + /* Attention: src_buff size needs to be some bytes larger than image size, because could read behind image here. */ | ||
159 | + bytebuff1 = src_buff[offset1 + j] & ((unsigned char)255 >> shift1); | ||
160 | + bytebuff2 = src_buff[offset1 + j + 1] & ((unsigned char)255 << (8 - shift1)); | ||
161 | sect_buff[dst_offset + j] = (bytebuff1 << shift1) | (bytebuff2 >> (8 - shift1)); | ||
162 | } | ||
163 | #ifdef DEVELMODE | ||
164 | @@ -6840,36 +6839,17 @@ extractImageSection(struct image_data *image, struct pageseg *section, | ||
165 | #endif | ||
166 | dst_offset += full_bytes; | ||
167 | |||
168 | + /* Copy the trailing_bits for the last byte in the destination buffer. | ||
169 | + Could come from one ore two bytes of the source buffer. */ | ||
170 | if (trailing_bits != 0) | ||
171 | { | ||
172 | #ifdef DEVELMODE | ||
173 | - TIFFError ("", " Trailing bits src offset: %8d, Dst offset: %8d\n", offset1 + full_bytes, dst_offset); | ||
174 | -#endif | ||
175 | - if (shift2 > shift1) | ||
176 | - { | ||
177 | - bytebuff1 = src_buff[offset1 + full_bytes] & ((unsigned char)255 << (7 - shift2)); | ||
178 | - bytebuff2 = bytebuff1 & ((unsigned char)255 << shift1); | ||
179 | - sect_buff[dst_offset] = bytebuff2; | ||
180 | -#ifdef DEVELMODE | ||
181 | - TIFFError ("", " Shift2 > Shift1\n"); | ||
182 | + TIFFError("", " Trailing bits %4"PRIu32" src offset: %8"PRIu32", Dst offset: %8"PRIu32"\n", trailing_bits, offset1 + full_bytes, dst_offset); | ||
183 | #endif | ||
184 | + /* More than necessary bits are already copied into last destination buffer, | ||
185 | + * only masking of last byte in destination buffer is necessary.*/ | ||
186 | + sect_buff[dst_offset] &= ((uint8_t)0xFF << (8 - trailing_bits)); | ||
187 | } | ||
188 | - else | ||
189 | - { | ||
190 | - if (shift2 < shift1) | ||
191 | - { | ||
192 | - bytebuff2 = ((unsigned char)255 << (shift1 - shift2 - 1)); | ||
193 | - sect_buff[dst_offset] &= bytebuff2; | ||
194 | -#ifdef DEVELMODE | ||
195 | - TIFFError ("", " Shift2 < Shift1\n"); | ||
196 | -#endif | ||
197 | - } | ||
198 | -#ifdef DEVELMODE | ||
199 | - else | ||
200 | - TIFFError ("", " Shift2 == Shift1\n"); | ||
201 | -#endif | ||
202 | - } | ||
203 | - } | ||
204 | #ifdef DEVELMODE | ||
205 | sprintf(&bitarray[28], " "); | ||
206 | sprintf(&bitarray[29], " "); | ||
207 | @@ -7022,7 +7002,7 @@ writeImageSections(TIFF *in, TIFF *out, struct image_data *image, | ||
208 | width = sections[i].x2 - sections[i].x1 + 1; | ||
209 | length = sections[i].y2 - sections[i].y1 + 1; | ||
210 | sectsize = (uint32) | ||
211 | - ceil((width * image->bps + 7) / (double)8) * image->spp * length; | ||
212 | + ceil((width * image->bps * image->spp + 7) / (double)8) * length; | ||
213 | /* allocate a buffer if we don't have one already */ | ||
214 | if (createImageSection(sectsize, sect_buff_ptr)) | ||
215 | { | ||
216 | -- | ||
217 | GitLab | ||
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2022-0907.patch b/meta/recipes-multimedia/libtiff/files/CVE-2022-0907.patch new file mode 100644 index 0000000000..da3ead5481 --- /dev/null +++ b/meta/recipes-multimedia/libtiff/files/CVE-2022-0907.patch | |||
@@ -0,0 +1,94 @@ | |||
1 | From 40b00cfb32256d377608b4d4cd30fac338d0a0bc Mon Sep 17 00:00:00 2001 | ||
2 | From: Augustus <wangdw.augustus@qq.com> | ||
3 | Date: Mon, 7 Mar 2022 18:21:49 +0800 | ||
4 | Subject: [PATCH] add checks for return value of limitMalloc (#392) | ||
5 | |||
6 | CVE: CVE-2022-0907 | ||
7 | Upstream-Status: Backport [https://sources.debian.org/src/tiff/4.1.0+git191117-2%7Edeb10u4/debian/patches/CVE-2022-0907.patch/] | ||
8 | Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com> | ||
9 | Comment: No change in any hunk | ||
10 | |||
11 | --- | ||
12 | tools/tiffcrop.c | 33 +++++++++++++++++++++------------ | ||
13 | 1 file changed, 21 insertions(+), 12 deletions(-) | ||
14 | |||
15 | diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c | ||
16 | index f2e5474a..9b8acc7e 100644 | ||
17 | --- a/tools/tiffcrop.c | ||
18 | +++ b/tools/tiffcrop.c | ||
19 | @@ -7337,7 +7337,11 @@ createImageSection(uint32_t sectsize, unsigned char **sect_buff_ptr) | ||
20 | if (!sect_buff) | ||
21 | { | ||
22 | sect_buff = (unsigned char *)_TIFFmalloc(sectsize); | ||
23 | - *sect_buff_ptr = sect_buff; | ||
24 | + if (!sect_buff) | ||
25 | + { | ||
26 | + TIFFError("createImageSection", "Unable to allocate/reallocate section buffer"); | ||
27 | + return (-1); | ||
28 | + } | ||
29 | _TIFFmemset(sect_buff, 0, sectsize); | ||
30 | } | ||
31 | else | ||
32 | @@ -7353,15 +7357,15 @@ createImageSection(uint32_t sectsize, unsigned char **sect_buff_ptr) | ||
33 | else | ||
34 | sect_buff = new_buff; | ||
35 | |||
36 | + if (!sect_buff) | ||
37 | + { | ||
38 | + TIFFError("createImageSection", "Unable to allocate/reallocate section buffer"); | ||
39 | + return (-1); | ||
40 | + } | ||
41 | _TIFFmemset(sect_buff, 0, sectsize); | ||
42 | } | ||
43 | } | ||
44 | |||
45 | - if (!sect_buff) | ||
46 | - { | ||
47 | - TIFFError("createImageSection", "Unable to allocate/reallocate section buffer"); | ||
48 | - return (-1); | ||
49 | - } | ||
50 | prev_sectsize = sectsize; | ||
51 | *sect_buff_ptr = sect_buff; | ||
52 | |||
53 | @@ -7628,7 +7632,11 @@ createCroppedImage(struct image_data *image, struct crop_mask *crop, | ||
54 | if (!crop_buff) | ||
55 | { | ||
56 | crop_buff = (unsigned char *)_TIFFmalloc(cropsize); | ||
57 | - *crop_buff_ptr = crop_buff; | ||
58 | + if (!crop_buff) | ||
59 | + { | ||
60 | + TIFFError("createCroppedImage", "Unable to allocate/reallocate crop buffer"); | ||
61 | + return (-1); | ||
62 | + } | ||
63 | _TIFFmemset(crop_buff, 0, cropsize); | ||
64 | prev_cropsize = cropsize; | ||
65 | } | ||
66 | @@ -7644,15 +7652,15 @@ createCroppedImage(struct image_data *image, struct crop_mask *crop, | ||
67 | } | ||
68 | else | ||
69 | crop_buff = new_buff; | ||
70 | + if (!crop_buff) | ||
71 | + { | ||
72 | + TIFFError("createCroppedImage", "Unable to allocate/reallocate crop buffer"); | ||
73 | + return (-1); | ||
74 | + } | ||
75 | _TIFFmemset(crop_buff, 0, cropsize); | ||
76 | } | ||
77 | } | ||
78 | |||
79 | - if (!crop_buff) | ||
80 | - { | ||
81 | - TIFFError("createCroppedImage", "Unable to allocate/reallocate crop buffer"); | ||
82 | - return (-1); | ||
83 | - } | ||
84 | *crop_buff_ptr = crop_buff; | ||
85 | |||
86 | if (crop->crop_mode & CROP_INVERT) | ||
87 | @@ -9211,3 +9219,4 @@ invertImage(uint16_t photometric, uint16_t spp, uint16_t bps, uint32_t width, ui | ||
88 | * fill-column: 78 | ||
89 | * End: | ||
90 | */ | ||
91 | + | ||
92 | -- | ||
93 | GitLab | ||
94 | |||
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2022-0908.patch b/meta/recipes-multimedia/libtiff/files/CVE-2022-0908.patch new file mode 100644 index 0000000000..e65af6c600 --- /dev/null +++ b/meta/recipes-multimedia/libtiff/files/CVE-2022-0908.patch | |||
@@ -0,0 +1,34 @@ | |||
1 | From a95b799f65064e4ba2e2dfc206808f86faf93e85 Mon Sep 17 00:00:00 2001 | ||
2 | From: Even Rouault <even.rouault@spatialys.com> | ||
3 | Date: Thu, 17 Feb 2022 15:28:43 +0100 | ||
4 | Subject: [PATCH] TIFFFetchNormalTag(): avoid calling memcpy() with a null | ||
5 | source pointer and size of zero (fixes #383) | ||
6 | |||
7 | CVE: CVE-2022-0908 | ||
8 | Upstream-Status: Backport [https://sources.debian.org/src/tiff/4.1.0+git191117-2%7Edeb10u4/debian/patches/CVE-2022-0908.patch/] | ||
9 | Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com> | ||
10 | Comment: No change in any hunk | ||
11 | |||
12 | --- | ||
13 | libtiff/tif_dirread.c | 5 ++++- | ||
14 | 1 file changed, 4 insertions(+), 1 deletion(-) | ||
15 | |||
16 | diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c | ||
17 | index 50ebf8ac..2ec44a4f 100644 | ||
18 | --- a/libtiff/tif_dirread.c | ||
19 | +++ b/libtiff/tif_dirread.c | ||
20 | @@ -5021,7 +5021,10 @@ TIFFFetchNormalTag(TIFF* tif, TIFFDirEntry* dp, int recover) | ||
21 | _TIFFfree(data); | ||
22 | return(0); | ||
23 | } | ||
24 | - _TIFFmemcpy(o,data,(uint32)dp->tdir_count); | ||
25 | + if (dp->tdir_count > 0 ) | ||
26 | + { | ||
27 | + _TIFFmemcpy(o,data,(uint32)dp->tdir_count); | ||
28 | + } | ||
29 | o[(uint32)dp->tdir_count]=0; | ||
30 | if (data!=0) | ||
31 | _TIFFfree(data); | ||
32 | -- | ||
33 | GitLab | ||
34 | |||
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2022-0909.patch b/meta/recipes-multimedia/libtiff/files/CVE-2022-0909.patch new file mode 100644 index 0000000000..d487f1bd95 --- /dev/null +++ b/meta/recipes-multimedia/libtiff/files/CVE-2022-0909.patch | |||
@@ -0,0 +1,37 @@ | |||
1 | From 32ea0722ee68f503b7a3f9b2d557acb293fc8cde Mon Sep 17 00:00:00 2001 | ||
2 | From: 4ugustus <wangdw.augustus@qq.com> | ||
3 | Date: Tue, 8 Mar 2022 16:22:04 +0000 | ||
4 | Subject: [PATCH] fix the FPE in tiffcrop (#393) | ||
5 | |||
6 | CVE: CVE-2022-0909 | ||
7 | Upstream-Status: Backport [https://sources.debian.org/src/tiff/4.1.0+git191117-2%7Edeb10u4/debian/patches/CVE-2022-0909.patch/] | ||
8 | Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com> | ||
9 | Comment: No change in any hunk | ||
10 | |||
11 | --- | ||
12 | libtiff/tif_dir.c | 4 ++-- | ||
13 | 1 file changed, 2 insertions(+), 2 deletions(-) | ||
14 | |||
15 | diff --git a/libtiff/tif_dir.c b/libtiff/tif_dir.c | ||
16 | index 57055ca9..59b346ca 100644 | ||
17 | --- a/libtiff/tif_dir.c | ||
18 | +++ b/libtiff/tif_dir.c | ||
19 | @@ -334,13 +334,13 @@ _TIFFVSetField(TIFF* tif, uint32_t tag, va_list ap) | ||
20 | break; | ||
21 | case TIFFTAG_XRESOLUTION: | ||
22 | dblval = va_arg(ap, double); | ||
23 | - if( dblval < 0 ) | ||
24 | + if( dblval != dblval || dblval < 0 ) | ||
25 | goto badvaluedouble; | ||
26 | td->td_xresolution = _TIFFClampDoubleToFloat( dblval ); | ||
27 | break; | ||
28 | case TIFFTAG_YRESOLUTION: | ||
29 | dblval = va_arg(ap, double); | ||
30 | - if( dblval < 0 ) | ||
31 | + if( dblval != dblval || dblval < 0 ) | ||
32 | goto badvaluedouble; | ||
33 | td->td_yresolution = _TIFFClampDoubleToFloat( dblval ); | ||
34 | break; | ||
35 | -- | ||
36 | GitLab | ||
37 | |||
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2022-0924.patch b/meta/recipes-multimedia/libtiff/files/CVE-2022-0924.patch new file mode 100644 index 0000000000..ddb035c972 --- /dev/null +++ b/meta/recipes-multimedia/libtiff/files/CVE-2022-0924.patch | |||
@@ -0,0 +1,58 @@ | |||
1 | From 88d79a45a31c74cba98c697892fed5f7db8b963a Mon Sep 17 00:00:00 2001 | ||
2 | From: 4ugustus <wangdw.augustus@qq.com> | ||
3 | Date: Thu, 10 Mar 2022 08:48:00 +0000 | ||
4 | Subject: [PATCH] fix heap buffer overflow in tiffcp (#278) | ||
5 | |||
6 | CVE: CVE-2022-0924 | ||
7 | Upstream-Status: Backport [https://sources.debian.org/src/tiff/4.1.0+git191117-2%7Edeb10u4/debian/patches/CVE-2022-0924.patch/] | ||
8 | Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com> | ||
9 | Comment: No change in any hunk | ||
10 | |||
11 | --- | ||
12 | tools/tiffcp.c | 17 ++++++++++++++++- | ||
13 | 1 file changed, 16 insertions(+), 1 deletion(-) | ||
14 | |||
15 | diff --git a/tools/tiffcp.c b/tools/tiffcp.c | ||
16 | index 224583e0..aa32b118 100644 | ||
17 | --- a/tools/tiffcp.c | ||
18 | +++ b/tools/tiffcp.c | ||
19 | @@ -1524,12 +1524,27 @@ DECLAREwriteFunc(writeBufferToSeparateSt | ||
20 | tdata_t obuf; | ||
21 | tstrip_t strip = 0; | ||
22 | tsample_t s; | ||
23 | + uint16 bps = 0, bytes_per_sample; | ||
24 | |||
25 | obuf = _TIFFmalloc(stripsize); | ||
26 | if (obuf == NULL) | ||
27 | return (0); | ||
28 | _TIFFmemset(obuf, 0, stripsize); | ||
29 | (void) TIFFGetFieldDefaulted(out, TIFFTAG_ROWSPERSTRIP, &rowsperstrip); | ||
30 | + (void) TIFFGetField(out, TIFFTAG_BITSPERSAMPLE, &bps); | ||
31 | + if( bps == 0 ) | ||
32 | + { | ||
33 | + TIFFError(TIFFFileName(out), "Error, cannot read BitsPerSample"); | ||
34 | + _TIFFfree(obuf); | ||
35 | + return 0; | ||
36 | + } | ||
37 | + if( (bps % 8) != 0 ) | ||
38 | + { | ||
39 | + TIFFError(TIFFFileName(out), "Error, cannot handle BitsPerSample that is not a multiple of 8"); | ||
40 | + _TIFFfree(obuf); | ||
41 | + return 0; | ||
42 | + } | ||
43 | + bytes_per_sample = bps/8; | ||
44 | for (s = 0; s < spp; s++) { | ||
45 | uint32 row; | ||
46 | for (row = 0; row < imagelength; row += rowsperstrip) { | ||
47 | @@ -1539,7 +1539,7 @@ DECLAREwriteFunc(writeBufferToSeparateSt | ||
48 | |||
49 | cpContigBufToSeparateBuf( | ||
50 | obuf, (uint8*) buf + row*rowsize + s, | ||
51 | - nrows, imagewidth, 0, 0, spp, 1); | ||
52 | + nrows, imagewidth, 0, 0, spp, bytes_per_sample); | ||
53 | if (TIFFWriteEncodedStrip(out, strip++, obuf, stripsize) < 0) { | ||
54 | TIFFError(TIFFFileName(out), | ||
55 | "Error, can't write strip %u", | ||
56 | -- | ||
57 | GitLab | ||
58 | |||
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2022-2056-CVE-2022-2057-CVE-2022-2058.patch b/meta/recipes-multimedia/libtiff/files/CVE-2022-2056-CVE-2022-2057-CVE-2022-2058.patch new file mode 100644 index 0000000000..01e81349a2 --- /dev/null +++ b/meta/recipes-multimedia/libtiff/files/CVE-2022-2056-CVE-2022-2057-CVE-2022-2058.patch | |||
@@ -0,0 +1,183 @@ | |||
1 | From 8261237113a53cd21029c4a8cbb62c47b4c19523 Mon Sep 17 00:00:00 2001 | ||
2 | From: Hitendra Prajapati <hprajapati@mvista.com> | ||
3 | Date: Wed, 27 Jul 2022 11:30:18 +0530 | ||
4 | Subject: [PATCH] CVE-2022-2056 CVE-2022-2057 CVE-2022-2058 | ||
5 | |||
6 | Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/dd1bcc7abb26094e93636e85520f0d8f81ab0fab] | ||
7 | CVE: CVE-2022-2056 CVE-2022-2057 CVE-2022-2058 | ||
8 | Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> | ||
9 | --- | ||
10 | libtiff/tif_aux.c | 9 +++++++ | ||
11 | libtiff/tiffiop.h | 1 + | ||
12 | tools/tiffcrop.c | 62 ++++++++++++++++++++++++++--------------------- | ||
13 | 3 files changed, 44 insertions(+), 28 deletions(-) | ||
14 | |||
15 | diff --git a/libtiff/tif_aux.c b/libtiff/tif_aux.c | ||
16 | index 8188db5..3dac542 100644 | ||
17 | --- a/libtiff/tif_aux.c | ||
18 | +++ b/libtiff/tif_aux.c | ||
19 | @@ -402,6 +402,15 @@ float _TIFFClampDoubleToFloat( double val ) | ||
20 | return (float)val; | ||
21 | } | ||
22 | |||
23 | +uint32 _TIFFClampDoubleToUInt32(double val) | ||
24 | +{ | ||
25 | + if( val < 0 ) | ||
26 | + return 0; | ||
27 | + if( val > 0xFFFFFFFFU || val != val ) | ||
28 | + return 0xFFFFFFFFU; | ||
29 | + return (uint32)val; | ||
30 | +} | ||
31 | + | ||
32 | int _TIFFSeekOK(TIFF* tif, toff_t off) | ||
33 | { | ||
34 | /* Huge offsets, especially -1 / UINT64_MAX, can cause issues */ | ||
35 | diff --git a/libtiff/tiffiop.h b/libtiff/tiffiop.h | ||
36 | index 45a7932..c6f6f93 100644 | ||
37 | --- a/libtiff/tiffiop.h | ||
38 | +++ b/libtiff/tiffiop.h | ||
39 | @@ -393,6 +393,7 @@ extern double _TIFFUInt64ToDouble(uint64); | ||
40 | extern float _TIFFUInt64ToFloat(uint64); | ||
41 | |||
42 | extern float _TIFFClampDoubleToFloat(double); | ||
43 | +extern uint32 _TIFFClampDoubleToUInt32(double); | ||
44 | |||
45 | extern tmsize_t | ||
46 | _TIFFReadEncodedStripAndAllocBuffer(TIFF* tif, uint32 strip, | ||
47 | diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c | ||
48 | index c2c2052..79dd0a0 100644 | ||
49 | --- a/tools/tiffcrop.c | ||
50 | +++ b/tools/tiffcrop.c | ||
51 | @@ -5141,17 +5141,17 @@ computeInputPixelOffsets(struct crop_mask *crop, struct image_data *image, | ||
52 | { | ||
53 | if ((crop->res_unit == RESUNIT_INCH) || (crop->res_unit == RESUNIT_CENTIMETER)) | ||
54 | { | ||
55 | - x1 = (uint32) (crop->corners[i].X1 * scale * xres); | ||
56 | - x2 = (uint32) (crop->corners[i].X2 * scale * xres); | ||
57 | - y1 = (uint32) (crop->corners[i].Y1 * scale * yres); | ||
58 | - y2 = (uint32) (crop->corners[i].Y2 * scale * yres); | ||
59 | + x1 = _TIFFClampDoubleToUInt32(crop->corners[i].X1 * scale * xres); | ||
60 | + x2 = _TIFFClampDoubleToUInt32(crop->corners[i].X2 * scale * xres); | ||
61 | + y1 = _TIFFClampDoubleToUInt32(crop->corners[i].Y1 * scale * yres); | ||
62 | + y2 = _TIFFClampDoubleToUInt32(crop->corners[i].Y2 * scale * yres); | ||
63 | } | ||
64 | else | ||
65 | { | ||
66 | - x1 = (uint32) (crop->corners[i].X1); | ||
67 | - x2 = (uint32) (crop->corners[i].X2); | ||
68 | - y1 = (uint32) (crop->corners[i].Y1); | ||
69 | - y2 = (uint32) (crop->corners[i].Y2); | ||
70 | + x1 = _TIFFClampDoubleToUInt32(crop->corners[i].X1); | ||
71 | + x2 = _TIFFClampDoubleToUInt32(crop->corners[i].X2); | ||
72 | + y1 = _TIFFClampDoubleToUInt32(crop->corners[i].Y1); | ||
73 | + y2 = _TIFFClampDoubleToUInt32(crop->corners[i].Y2); | ||
74 | } | ||
75 | if (x1 < 1) | ||
76 | crop->regionlist[i].x1 = 0; | ||
77 | @@ -5214,17 +5214,17 @@ computeInputPixelOffsets(struct crop_mask *crop, struct image_data *image, | ||
78 | { | ||
79 | if (crop->res_unit != RESUNIT_INCH && crop->res_unit != RESUNIT_CENTIMETER) | ||
80 | { /* User has specified pixels as reference unit */ | ||
81 | - tmargin = (uint32)(crop->margins[0]); | ||
82 | - lmargin = (uint32)(crop->margins[1]); | ||
83 | - bmargin = (uint32)(crop->margins[2]); | ||
84 | - rmargin = (uint32)(crop->margins[3]); | ||
85 | + tmargin = _TIFFClampDoubleToUInt32(crop->margins[0]); | ||
86 | + lmargin = _TIFFClampDoubleToUInt32(crop->margins[1]); | ||
87 | + bmargin = _TIFFClampDoubleToUInt32(crop->margins[2]); | ||
88 | + rmargin = _TIFFClampDoubleToUInt32(crop->margins[3]); | ||
89 | } | ||
90 | else | ||
91 | { /* inches or centimeters specified */ | ||
92 | - tmargin = (uint32)(crop->margins[0] * scale * yres); | ||
93 | - lmargin = (uint32)(crop->margins[1] * scale * xres); | ||
94 | - bmargin = (uint32)(crop->margins[2] * scale * yres); | ||
95 | - rmargin = (uint32)(crop->margins[3] * scale * xres); | ||
96 | + tmargin = _TIFFClampDoubleToUInt32(crop->margins[0] * scale * yres); | ||
97 | + lmargin = _TIFFClampDoubleToUInt32(crop->margins[1] * scale * xres); | ||
98 | + bmargin = _TIFFClampDoubleToUInt32(crop->margins[2] * scale * yres); | ||
99 | + rmargin = _TIFFClampDoubleToUInt32(crop->margins[3] * scale * xres); | ||
100 | } | ||
101 | |||
102 | if ((lmargin + rmargin) > image->width) | ||
103 | @@ -5254,24 +5254,24 @@ computeInputPixelOffsets(struct crop_mask *crop, struct image_data *image, | ||
104 | if (crop->res_unit != RESUNIT_INCH && crop->res_unit != RESUNIT_CENTIMETER) | ||
105 | { | ||
106 | if (crop->crop_mode & CROP_WIDTH) | ||
107 | - width = (uint32)crop->width; | ||
108 | + width = _TIFFClampDoubleToUInt32(crop->width); | ||
109 | else | ||
110 | width = image->width - lmargin - rmargin; | ||
111 | |||
112 | if (crop->crop_mode & CROP_LENGTH) | ||
113 | - length = (uint32)crop->length; | ||
114 | + length = _TIFFClampDoubleToUInt32(crop->length); | ||
115 | else | ||
116 | length = image->length - tmargin - bmargin; | ||
117 | } | ||
118 | else | ||
119 | { | ||
120 | if (crop->crop_mode & CROP_WIDTH) | ||
121 | - width = (uint32)(crop->width * scale * image->xres); | ||
122 | + width = _TIFFClampDoubleToUInt32(crop->width * scale * image->xres); | ||
123 | else | ||
124 | width = image->width - lmargin - rmargin; | ||
125 | |||
126 | if (crop->crop_mode & CROP_LENGTH) | ||
127 | - length = (uint32)(crop->length * scale * image->yres); | ||
128 | + length = _TIFFClampDoubleToUInt32(crop->length * scale * image->yres); | ||
129 | else | ||
130 | length = image->length - tmargin - bmargin; | ||
131 | } | ||
132 | @@ -5670,13 +5670,13 @@ computeOutputPixelOffsets (struct crop_mask *crop, struct image_data *image, | ||
133 | { | ||
134 | if (page->res_unit == RESUNIT_INCH || page->res_unit == RESUNIT_CENTIMETER) | ||
135 | { /* inches or centimeters specified */ | ||
136 | - hmargin = (uint32)(page->hmargin * scale * page->hres * ((image->bps + 7)/ 8)); | ||
137 | - vmargin = (uint32)(page->vmargin * scale * page->vres * ((image->bps + 7)/ 8)); | ||
138 | + hmargin = _TIFFClampDoubleToUInt32(page->hmargin * scale * page->hres * ((image->bps + 7) / 8)); | ||
139 | + vmargin = _TIFFClampDoubleToUInt32(page->vmargin * scale * page->vres * ((image->bps + 7) / 8)); | ||
140 | } | ||
141 | else | ||
142 | { /* Otherwise user has specified pixels as reference unit */ | ||
143 | - hmargin = (uint32)(page->hmargin * scale * ((image->bps + 7)/ 8)); | ||
144 | - vmargin = (uint32)(page->vmargin * scale * ((image->bps + 7)/ 8)); | ||
145 | + hmargin = _TIFFClampDoubleToUInt32(page->hmargin * scale * ((image->bps + 7) / 8)); | ||
146 | + vmargin = _TIFFClampDoubleToUInt32(page->vmargin * scale * ((image->bps + 7) / 8)); | ||
147 | } | ||
148 | |||
149 | if ((hmargin * 2.0) > (pwidth * page->hres)) | ||
150 | @@ -5714,13 +5714,13 @@ computeOutputPixelOffsets (struct crop_mask *crop, struct image_data *image, | ||
151 | { | ||
152 | if (page->mode & PAGE_MODE_PAPERSIZE ) | ||
153 | { | ||
154 | - owidth = (uint32)((pwidth * page->hres) - (hmargin * 2)); | ||
155 | - olength = (uint32)((plength * page->vres) - (vmargin * 2)); | ||
156 | + owidth = _TIFFClampDoubleToUInt32((pwidth * page->hres) - (hmargin * 2)); | ||
157 | + olength = _TIFFClampDoubleToUInt32((plength * page->vres) - (vmargin * 2)); | ||
158 | } | ||
159 | else | ||
160 | { | ||
161 | - owidth = (uint32)(iwidth - (hmargin * 2 * page->hres)); | ||
162 | - olength = (uint32)(ilength - (vmargin * 2 * page->vres)); | ||
163 | + owidth = _TIFFClampDoubleToUInt32(iwidth - (hmargin * 2 * page->hres)); | ||
164 | + olength = _TIFFClampDoubleToUInt32(ilength - (vmargin * 2 * page->vres)); | ||
165 | } | ||
166 | } | ||
167 | |||
168 | @@ -5729,6 +5729,12 @@ computeOutputPixelOffsets (struct crop_mask *crop, struct image_data *image, | ||
169 | if (olength > ilength) | ||
170 | olength = ilength; | ||
171 | |||
172 | + if (owidth == 0 || olength == 0) | ||
173 | + { | ||
174 | + TIFFError("computeOutputPixelOffsets", "Integer overflow when calculating the number of pages"); | ||
175 | + exit(EXIT_FAILURE); | ||
176 | + } | ||
177 | + | ||
178 | /* Compute the number of pages required for Portrait or Landscape */ | ||
179 | switch (page->orient) | ||
180 | { | ||
181 | -- | ||
182 | 2.25.1 | ||
183 | |||
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2022-2867-CVE-2022-2868-CVE-2022-2869.patch b/meta/recipes-multimedia/libtiff/files/CVE-2022-2867-CVE-2022-2868-CVE-2022-2869.patch new file mode 100644 index 0000000000..131ff94119 --- /dev/null +++ b/meta/recipes-multimedia/libtiff/files/CVE-2022-2867-CVE-2022-2868-CVE-2022-2869.patch | |||
@@ -0,0 +1,159 @@ | |||
1 | From 07d79fcac2ead271b60e32aeb80f7b4f3be9ac8c Mon Sep 17 00:00:00 2001 | ||
2 | From: Su Laus <sulau@freenet.de> | ||
3 | Date: Wed, 9 Feb 2022 21:31:29 +0000 | ||
4 | Subject: [PATCH] tiffcrop.c: Fix issue #352 heap-buffer-overflow by correcting | ||
5 | uint32_t underflow. | ||
6 | |||
7 | CVE: CVE-2022-2867 CVE-2022-2868 CVE-2022-2869 | ||
8 | Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/07d79fcac2ead271b60e32aeb80f7b4f3be9ac8c] | ||
9 | Signed-off-by: Virendra Thakur <virendrak@kpit.com> | ||
10 | --- | ||
11 | Index: tiff-4.1.0/tools/tiffcrop.c | ||
12 | =================================================================== | ||
13 | --- tiff-4.1.0.orig/tools/tiffcrop.c | ||
14 | +++ tiff-4.1.0/tools/tiffcrop.c | ||
15 | @@ -5153,29 +5153,45 @@ computeInputPixelOffsets(struct crop_mas | ||
16 | y1 = _TIFFClampDoubleToUInt32(crop->corners[i].Y1); | ||
17 | y2 = _TIFFClampDoubleToUInt32(crop->corners[i].Y2); | ||
18 | } | ||
19 | - if (x1 < 1) | ||
20 | - crop->regionlist[i].x1 = 0; | ||
21 | - else | ||
22 | - crop->regionlist[i].x1 = (uint32) (x1 - 1); | ||
23 | + /* a) Region needs to be within image sizes 0.. width-1; 0..length-1 | ||
24 | + * b) Corners are expected to be submitted as top-left to bottom-right. | ||
25 | + * Therefore, check that and reorder input. | ||
26 | + * (be aware x,y are already casted to (uint32_t) and avoid (0 - 1) ) | ||
27 | + */ | ||
28 | + uint32_t aux; | ||
29 | + if (x1 > x2) { | ||
30 | + aux = x1; | ||
31 | + x1 = x2; | ||
32 | + x2 = aux; | ||
33 | + } | ||
34 | + if (y1 > y2) { | ||
35 | + aux = y1; | ||
36 | + y1 = y2; | ||
37 | + y2 = aux; | ||
38 | + } | ||
39 | + if (x1 > image->width - 1) | ||
40 | + crop->regionlist[i].x1 = image->width - 1; | ||
41 | + else if (x1 > 0) | ||
42 | + crop->regionlist[i].x1 = (uint32_t)(x1 - 1); | ||
43 | |||
44 | if (x2 > image->width - 1) | ||
45 | crop->regionlist[i].x2 = image->width - 1; | ||
46 | - else | ||
47 | - crop->regionlist[i].x2 = (uint32) (x2 - 1); | ||
48 | - zwidth = crop->regionlist[i].x2 - crop->regionlist[i].x1 + 1; | ||
49 | - | ||
50 | - if (y1 < 1) | ||
51 | - crop->regionlist[i].y1 = 0; | ||
52 | - else | ||
53 | - crop->regionlist[i].y1 = (uint32) (y1 - 1); | ||
54 | + else if (x2 > 0) | ||
55 | + crop->regionlist[i].x2 = (uint32_t)(x2 - 1); | ||
56 | + | ||
57 | + zwidth = crop->regionlist[i].x2 - crop->regionlist[i].x1 + 1; | ||
58 | + | ||
59 | + if (y1 > image->length - 1) | ||
60 | + crop->regionlist[i].y1 = image->length - 1; | ||
61 | + else if (y1 > 0) | ||
62 | + crop->regionlist[i].y1 = (uint32_t)(y1 - 1); | ||
63 | |||
64 | if (y2 > image->length - 1) | ||
65 | crop->regionlist[i].y2 = image->length - 1; | ||
66 | - else | ||
67 | - crop->regionlist[i].y2 = (uint32) (y2 - 1); | ||
68 | - | ||
69 | - zlength = crop->regionlist[i].y2 - crop->regionlist[i].y1 + 1; | ||
70 | + else if (y2 > 0) | ||
71 | + crop->regionlist[i].y2 = (uint32_t)(y2 - 1); | ||
72 | |||
73 | + zlength = crop->regionlist[i].y2 - crop->regionlist[i].y1 + 1; | ||
74 | if (zwidth > max_width) | ||
75 | max_width = zwidth; | ||
76 | if (zlength > max_length) | ||
77 | @@ -5205,7 +5221,7 @@ computeInputPixelOffsets(struct crop_mas | ||
78 | } | ||
79 | } | ||
80 | return (0); | ||
81 | - } | ||
82 | + } /* crop_mode == CROP_REGIONS */ | ||
83 | |||
84 | /* Convert crop margins into offsets into image | ||
85 | * Margins are expressed as pixel rows and columns, not bytes | ||
86 | @@ -5241,7 +5257,7 @@ computeInputPixelOffsets(struct crop_mas | ||
87 | bmargin = (uint32) 0; | ||
88 | return (-1); | ||
89 | } | ||
90 | - } | ||
91 | + } /* crop_mode == CROP_MARGINS */ | ||
92 | else | ||
93 | { /* no margins requested */ | ||
94 | tmargin = (uint32) 0; | ||
95 | @@ -5332,24 +5348,23 @@ computeInputPixelOffsets(struct crop_mas | ||
96 | off->endx = endx; | ||
97 | off->endy = endy; | ||
98 | |||
99 | - crop_width = endx - startx + 1; | ||
100 | - crop_length = endy - starty + 1; | ||
101 | - | ||
102 | - if (crop_width <= 0) | ||
103 | + if (endx + 1 <= startx) | ||
104 | { | ||
105 | TIFFError("computeInputPixelOffsets", | ||
106 | "Invalid left/right margins and /or image crop width requested"); | ||
107 | return (-1); | ||
108 | } | ||
109 | + crop_width = endx - startx + 1; | ||
110 | if (crop_width > image->width) | ||
111 | crop_width = image->width; | ||
112 | |||
113 | - if (crop_length <= 0) | ||
114 | + if (endy + 1 <= starty) | ||
115 | { | ||
116 | TIFFError("computeInputPixelOffsets", | ||
117 | "Invalid top/bottom margins and /or image crop length requested"); | ||
118 | return (-1); | ||
119 | } | ||
120 | + crop_length = endy - starty + 1; | ||
121 | if (crop_length > image->length) | ||
122 | crop_length = image->length; | ||
123 | |||
124 | @@ -5449,10 +5464,17 @@ getCropOffsets(struct image_data *image, | ||
125 | else | ||
126 | crop->selections = crop->zones; | ||
127 | |||
128 | - for (i = 0; i < crop->zones; i++) | ||
129 | + /* Initialize regions iterator i */ | ||
130 | + i = 0; | ||
131 | + for (int j = 0; j < crop->zones; j++) | ||
132 | { | ||
133 | - seg = crop->zonelist[i].position; | ||
134 | - total = crop->zonelist[i].total; | ||
135 | + seg = crop->zonelist[j].position; | ||
136 | + total = crop->zonelist[j].total; | ||
137 | + | ||
138 | + /* check for not allowed zone cases like 0:0; 4:3; etc. and skip that input */ | ||
139 | + if (seg == 0 || total == 0 || seg > total) { | ||
140 | + continue; | ||
141 | + } | ||
142 | |||
143 | switch (crop->edge_ref) | ||
144 | { | ||
145 | @@ -5581,8 +5603,11 @@ getCropOffsets(struct image_data *image, | ||
146 | i + 1, (uint32)zwidth, (uint32)zlength, | ||
147 | crop->regionlist[i].x1, crop->regionlist[i].x2, | ||
148 | crop->regionlist[i].y1, crop->regionlist[i].y2); | ||
149 | + /* increment regions iterator */ | ||
150 | + i++; | ||
151 | } | ||
152 | - | ||
153 | + /* set number of generated regions out of given zones */ | ||
154 | + crop->selections = i; | ||
155 | return (0); | ||
156 | } /* end getCropOffsets */ | ||
157 | |||
158 | -- | ||
159 | GitLab | ||
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2022-34526.patch b/meta/recipes-multimedia/libtiff/files/CVE-2022-34526.patch new file mode 100644 index 0000000000..cf440ce55f --- /dev/null +++ b/meta/recipes-multimedia/libtiff/files/CVE-2022-34526.patch | |||
@@ -0,0 +1,29 @@ | |||
1 | From 06386cc9dff5dc162006abe11fd4d1a6fad616cc Mon Sep 17 00:00:00 2001 | ||
2 | From: Hitendra Prajapati <hprajapati@mvista.com> | ||
3 | Date: Thu, 18 Aug 2022 09:40:50 +0530 | ||
4 | Subject: [PATCH] CVE-2022-34526 | ||
5 | |||
6 | Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/275735d0354e39c0ac1dc3c0db2120d6f31d1990] | ||
7 | CVE: CVE-2022-34526 | ||
8 | Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> | ||
9 | --- | ||
10 | libtiff/tif_dirinfo.c | 3 +++ | ||
11 | 1 file changed, 3 insertions(+) | ||
12 | |||
13 | diff --git a/libtiff/tif_dirinfo.c b/libtiff/tif_dirinfo.c | ||
14 | index 52d53d4..4a1ca00 100644 | ||
15 | --- a/libtiff/tif_dirinfo.c | ||
16 | +++ b/libtiff/tif_dirinfo.c | ||
17 | @@ -983,6 +983,9 @@ _TIFFCheckFieldIsValidForCodec(TIFF *tif, ttag_t tag) | ||
18 | default: | ||
19 | return 1; | ||
20 | } | ||
21 | + if( !TIFFIsCODECConfigured(tif->tif_dir.td_compression) ) { | ||
22 | + return 0; | ||
23 | + } | ||
24 | /* Check if codec specific tags are allowed for the current | ||
25 | * compression scheme (codec) */ | ||
26 | switch (tif->tif_dir.td_compression) { | ||
27 | -- | ||
28 | 2.25.1 | ||
29 | |||
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2022-3570_3598.patch b/meta/recipes-multimedia/libtiff/files/CVE-2022-3570_3598.patch new file mode 100644 index 0000000000..760e20dd2b --- /dev/null +++ b/meta/recipes-multimedia/libtiff/files/CVE-2022-3570_3598.patch | |||
@@ -0,0 +1,659 @@ | |||
1 | From 226e336cdceec933da2e9f72b6578c7a1bea450b Mon Sep 17 00:00:00 2001 | ||
2 | From: Su Laus <sulau@freenet.de> | ||
3 | Date: Thu, 13 Oct 2022 14:33:27 +0000 | ||
4 | Subject: [PATCH] tiffcrop subroutines require a larger buffer (fixes #271, | ||
5 | |||
6 | Upstream-Status: Backport [import from debian http://security.debian.org/debian-security/pool/updates/main/t/tiff/tiff_4.1.0+git191117-2~deb10u7.debian.tar.xz ] | ||
7 | CVE: CVE-2022-3570 CVE-2022-3598 | ||
8 | Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> | ||
9 | |||
10 | Origin: https://gitlab.com/libtiff/libtiff/-/commit/cfbb883bf6ea7bedcb04177cc4e52d304522fdff | ||
11 | Origin: https://gitlab.com/libtiff/libtiff/-/commit/24d3b2425af24432e0e4e2fd58b33f3b04c4bfa4 | ||
12 | Reviewed-by: Sylvain Beucler <beuc@debian.org> | ||
13 | Last-Update: 2023-01-17 | ||
14 | |||
15 | #381, #386, #388, #389, #435) | ||
16 | |||
17 | --- | ||
18 | tools/tiffcrop.c | 209 ++++++++++++++++++++++++++--------------------- | ||
19 | 1 file changed, 117 insertions(+), 92 deletions(-) | ||
20 | |||
21 | diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c | ||
22 | index c7877aa..c923920 100644 | ||
23 | --- a/tools/tiffcrop.c | ||
24 | +++ b/tools/tiffcrop.c | ||
25 | @@ -126,6 +126,7 @@ static char tiffcrop_rev_date[] = "03-03-2010"; | ||
26 | |||
27 | #ifdef HAVE_STDINT_H | ||
28 | # include <stdint.h> | ||
29 | +# include <inttypes.h> | ||
30 | #endif | ||
31 | |||
32 | #ifndef HAVE_GETOPT | ||
33 | @@ -212,6 +213,10 @@ extern int getopt(int argc, char * const argv[], const char *optstring); | ||
34 | |||
35 | #define TIFF_DIR_MAX 65534 | ||
36 | |||
37 | +/* Some conversion subroutines require image buffers, which are at least 3 bytes | ||
38 | + * larger than the necessary size for the image itself. */ | ||
39 | +#define NUM_BUFF_OVERSIZE_BYTES 3 | ||
40 | + | ||
41 | /* Offsets into buffer for margins and fixed width and length segments */ | ||
42 | struct offset { | ||
43 | uint32 tmargin; | ||
44 | @@ -233,7 +238,7 @@ struct offset { | ||
45 | */ | ||
46 | |||
47 | struct buffinfo { | ||
48 | - uint32 size; /* size of this buffer */ | ||
49 | + size_t size; /* size of this buffer */ | ||
50 | unsigned char *buffer; /* address of the allocated buffer */ | ||
51 | }; | ||
52 | |||
53 | @@ -771,8 +776,8 @@ static int readContigTilesIntoBuffer (TIFF* in, uint8* buf, | ||
54 | uint32 dst_rowsize, shift_width; | ||
55 | uint32 bytes_per_sample, bytes_per_pixel; | ||
56 | uint32 trailing_bits, prev_trailing_bits; | ||
57 | - uint32 tile_rowsize = TIFFTileRowSize(in); | ||
58 | - uint32 src_offset, dst_offset; | ||
59 | + tmsize_t tile_rowsize = TIFFTileRowSize(in); | ||
60 | + tmsize_t src_offset, dst_offset; | ||
61 | uint32 row_offset, col_offset; | ||
62 | uint8 *bufp = (uint8*) buf; | ||
63 | unsigned char *src = NULL; | ||
64 | @@ -822,7 +827,7 @@ static int readContigTilesIntoBuffer (TIFF* in, uint8* buf, | ||
65 | TIFFError("readContigTilesIntoBuffer", "Integer overflow when calculating buffer size."); | ||
66 | exit(-1); | ||
67 | } | ||
68 | - tilebuf = _TIFFmalloc(tile_buffsize + 3); | ||
69 | + tilebuf = _TIFFmalloc(tile_buffsize + NUM_BUFF_OVERSIZE_BYTES); | ||
70 | if (tilebuf == 0) | ||
71 | return 0; | ||
72 | tilebuf[tile_buffsize] = 0; | ||
73 | @@ -986,7 +991,7 @@ static int readSeparateTilesIntoBuffer (TIFF* in, uint8 *obuf, | ||
74 | for (sample = 0; (sample < spp) && (sample < MAX_SAMPLES); sample++) | ||
75 | { | ||
76 | srcbuffs[sample] = NULL; | ||
77 | - tbuff = (unsigned char *)_TIFFmalloc(tilesize + 8); | ||
78 | + tbuff = (unsigned char *)_TIFFmalloc(tilesize + NUM_BUFF_OVERSIZE_BYTES); | ||
79 | if (!tbuff) | ||
80 | { | ||
81 | TIFFError ("readSeparateTilesIntoBuffer", | ||
82 | @@ -1181,7 +1186,8 @@ writeBufferToSeparateStrips (TIFF* out, uint8* buf, | ||
83 | } | ||
84 | rowstripsize = rowsperstrip * bytes_per_sample * (width + 1); | ||
85 | |||
86 | - obuf = _TIFFmalloc (rowstripsize); | ||
87 | + /* Add 3 padding bytes for extractContigSamples32bits */ | ||
88 | + obuf = _TIFFmalloc (rowstripsize + NUM_BUFF_OVERSIZE_BYTES); | ||
89 | if (obuf == NULL) | ||
90 | return 1; | ||
91 | |||
92 | @@ -1194,7 +1200,7 @@ writeBufferToSeparateStrips (TIFF* out, uint8* buf, | ||
93 | stripsize = TIFFVStripSize(out, nrows); | ||
94 | src = buf + (row * rowsize); | ||
95 | total_bytes += stripsize; | ||
96 | - memset (obuf, '\0', rowstripsize); | ||
97 | + memset (obuf, '\0',rowstripsize + NUM_BUFF_OVERSIZE_BYTES); | ||
98 | if (extractContigSamplesToBuffer(obuf, src, nrows, width, s, spp, bps, dump)) | ||
99 | { | ||
100 | _TIFFfree(obuf); | ||
101 | @@ -1202,10 +1208,15 @@ writeBufferToSeparateStrips (TIFF* out, uint8* buf, | ||
102 | } | ||
103 | if ((dump->outfile != NULL) && (dump->level == 1)) | ||
104 | { | ||
105 | - dump_info(dump->outfile, dump->format,"", | ||
106 | + if ((uint64_t)scanlinesize > 0x0ffffffffULL) { | ||
107 | + dump_info(dump->infile, dump->format, "loadImage", | ||
108 | + "Attention: scanlinesize %"PRIu64" is larger than UINT32_MAX.\nFollowing dump might be wrong.", | ||
109 | + (uint64_t)scanlinesize); | ||
110 | + } | ||
111 | + dump_info(dump->outfile, dump->format,"", | ||
112 | "Sample %2d, Strip: %2d, bytes: %4d, Row %4d, bytes: %4d, Input offset: %6d", | ||
113 | - s + 1, strip + 1, stripsize, row + 1, scanlinesize, src - buf); | ||
114 | - dump_buffer(dump->outfile, dump->format, nrows, scanlinesize, row, obuf); | ||
115 | + s + 1, strip + 1, stripsize, row + 1, (uint32)scanlinesize, src - buf); | ||
116 | + dump_buffer(dump->outfile, dump->format, nrows, (uint32)scanlinesize, row, obuf); | ||
117 | } | ||
118 | |||
119 | if (TIFFWriteEncodedStrip(out, strip++, obuf, stripsize) < 0) | ||
120 | @@ -1232,7 +1243,7 @@ static int writeBufferToContigTiles (TIFF* out, uint8* buf, uint32 imagelength, | ||
121 | uint32 tl, tw; | ||
122 | uint32 row, col, nrow, ncol; | ||
123 | uint32 src_rowsize, col_offset; | ||
124 | - uint32 tile_rowsize = TIFFTileRowSize(out); | ||
125 | + tmsize_t tile_rowsize = TIFFTileRowSize(out); | ||
126 | uint8* bufp = (uint8*) buf; | ||
127 | tsize_t tile_buffsize = 0; | ||
128 | tsize_t tilesize = TIFFTileSize(out); | ||
129 | @@ -1275,9 +1286,11 @@ static int writeBufferToContigTiles (TIFF* out, uint8* buf, uint32 imagelength, | ||
130 | } | ||
131 | src_rowsize = ((imagewidth * spp * bps) + 7U) / 8; | ||
132 | |||
133 | - tilebuf = _TIFFmalloc(tile_buffsize); | ||
134 | + /* Add 3 padding bytes for extractContigSamples32bits */ | ||
135 | + tilebuf = _TIFFmalloc(tile_buffsize + NUM_BUFF_OVERSIZE_BYTES); | ||
136 | if (tilebuf == 0) | ||
137 | return 1; | ||
138 | + memset(tilebuf, 0, tile_buffsize + NUM_BUFF_OVERSIZE_BYTES); | ||
139 | for (row = 0; row < imagelength; row += tl) | ||
140 | { | ||
141 | nrow = (row + tl > imagelength) ? imagelength - row : tl; | ||
142 | @@ -1323,7 +1336,8 @@ static int writeBufferToSeparateTiles (TIFF* out, uint8* buf, uint32 imagelength | ||
143 | uint32 imagewidth, tsample_t spp, | ||
144 | struct dump_opts * dump) | ||
145 | { | ||
146 | - tdata_t obuf = _TIFFmalloc(TIFFTileSize(out)); | ||
147 | + /* Add 3 padding bytes for extractContigSamples32bits */ | ||
148 | + tdata_t obuf = _TIFFmalloc(TIFFTileSize(out) + NUM_BUFF_OVERSIZE_BYTES); | ||
149 | uint32 tl, tw; | ||
150 | uint32 row, col, nrow, ncol; | ||
151 | uint32 src_rowsize, col_offset; | ||
152 | @@ -1333,6 +1347,7 @@ static int writeBufferToSeparateTiles (TIFF* out, uint8* buf, uint32 imagelength | ||
153 | |||
154 | if (obuf == NULL) | ||
155 | return 1; | ||
156 | + memset(obuf, 0, TIFFTileSize(out) + NUM_BUFF_OVERSIZE_BYTES); | ||
157 | |||
158 | TIFFGetField(out, TIFFTAG_TILELENGTH, &tl); | ||
159 | TIFFGetField(out, TIFFTAG_TILEWIDTH, &tw); | ||
160 | @@ -1754,14 +1769,14 @@ void process_command_opts (int argc, char *argv[], char *mp, char *mode, uint32 | ||
161 | |||
162 | *opt_offset = '\0'; | ||
163 | /* convert option to lowercase */ | ||
164 | - end = strlen (opt_ptr); | ||
165 | + end = (unsigned int)strlen (opt_ptr); | ||
166 | for (i = 0; i < end; i++) | ||
167 | *(opt_ptr + i) = tolower((int) *(opt_ptr + i)); | ||
168 | /* Look for dump format specification */ | ||
169 | if (strncmp(opt_ptr, "for", 3) == 0) | ||
170 | { | ||
171 | /* convert value to lowercase */ | ||
172 | - end = strlen (opt_offset + 1); | ||
173 | + end = (unsigned int)strlen (opt_offset + 1); | ||
174 | for (i = 1; i <= end; i++) | ||
175 | *(opt_offset + i) = tolower((int) *(opt_offset + i)); | ||
176 | /* check dump format value */ | ||
177 | @@ -2213,6 +2228,8 @@ main(int argc, char* argv[]) | ||
178 | size_t length; | ||
179 | char temp_filename[PATH_MAX + 16]; /* Extra space keeps the compiler from complaining */ | ||
180 | |||
181 | + assert(NUM_BUFF_OVERSIZE_BYTES >= 3); | ||
182 | + | ||
183 | little_endian = *((unsigned char *)&little_endian) & '1'; | ||
184 | |||
185 | initImageData(&image); | ||
186 | @@ -3114,13 +3131,13 @@ extractContigSamples32bits (uint8 *in, uint8 *out, uint32 cols, | ||
187 | /* If we have a full buffer's worth, write it out */ | ||
188 | if (ready_bits >= 32) | ||
189 | { | ||
190 | - bytebuff1 = (buff2 >> 56); | ||
191 | + bytebuff1 = (uint8)(buff2 >> 56); | ||
192 | *dst++ = bytebuff1; | ||
193 | - bytebuff2 = (buff2 >> 48); | ||
194 | + bytebuff2 = (uint8)(buff2 >> 48); | ||
195 | *dst++ = bytebuff2; | ||
196 | - bytebuff3 = (buff2 >> 40); | ||
197 | + bytebuff3 = (uint8)(buff2 >> 40); | ||
198 | *dst++ = bytebuff3; | ||
199 | - bytebuff4 = (buff2 >> 32); | ||
200 | + bytebuff4 = (uint8)(buff2 >> 32); | ||
201 | *dst++ = bytebuff4; | ||
202 | ready_bits -= 32; | ||
203 | |||
204 | @@ -3495,13 +3512,13 @@ extractContigSamplesShifted32bits (uint8 *in, uint8 *out, uint32 cols, | ||
205 | } | ||
206 | else /* If we have a full buffer's worth, write it out */ | ||
207 | { | ||
208 | - bytebuff1 = (buff2 >> 56); | ||
209 | + bytebuff1 = (uint8)(buff2 >> 56); | ||
210 | *dst++ = bytebuff1; | ||
211 | - bytebuff2 = (buff2 >> 48); | ||
212 | + bytebuff2 = (uint8)(buff2 >> 48); | ||
213 | *dst++ = bytebuff2; | ||
214 | - bytebuff3 = (buff2 >> 40); | ||
215 | + bytebuff3 = (uint8)(buff2 >> 40); | ||
216 | *dst++ = bytebuff3; | ||
217 | - bytebuff4 = (buff2 >> 32); | ||
218 | + bytebuff4 = (uint8)(buff2 >> 32); | ||
219 | *dst++ = bytebuff4; | ||
220 | ready_bits -= 32; | ||
221 | |||
222 | @@ -3678,10 +3695,10 @@ extractContigSamplesToTileBuffer(uint8 *out, uint8 *in, uint32 rows, uint32 cols | ||
223 | static int readContigStripsIntoBuffer (TIFF* in, uint8* buf) | ||
224 | { | ||
225 | uint8* bufp = buf; | ||
226 | - int32 bytes_read = 0; | ||
227 | + tmsize_t bytes_read = 0; | ||
228 | uint32 strip, nstrips = TIFFNumberOfStrips(in); | ||
229 | - uint32 stripsize = TIFFStripSize(in); | ||
230 | - uint32 rows = 0; | ||
231 | + tmsize_t stripsize = TIFFStripSize(in); | ||
232 | + tmsize_t rows = 0; | ||
233 | uint32 rps = TIFFGetFieldDefaulted(in, TIFFTAG_ROWSPERSTRIP, &rps); | ||
234 | tsize_t scanline_size = TIFFScanlineSize(in); | ||
235 | |||
236 | @@ -3694,13 +3711,12 @@ static int readContigStripsIntoBuffer (TIFF* in, uint8* buf) | ||
237 | bytes_read = TIFFReadEncodedStrip (in, strip, bufp, -1); | ||
238 | rows = bytes_read / scanline_size; | ||
239 | if ((strip < (nstrips - 1)) && (bytes_read != (int32)stripsize)) | ||
240 | - TIFFError("", "Strip %d: read %lu bytes, strip size %lu", | ||
241 | - (int)strip + 1, (unsigned long) bytes_read, | ||
242 | - (unsigned long)stripsize); | ||
243 | + TIFFError("", "Strip %"PRIu32": read %"PRId64" bytes, strip size %"PRIu64, | ||
244 | + strip + 1, bytes_read, stripsize); | ||
245 | |||
246 | if (bytes_read < 0 && !ignore) { | ||
247 | - TIFFError("", "Error reading strip %lu after %lu rows", | ||
248 | - (unsigned long) strip, (unsigned long)rows); | ||
249 | + TIFFError("", "Error reading strip %"PRIu32" after %"PRIu64" rows", | ||
250 | + strip, rows); | ||
251 | return 0; | ||
252 | } | ||
253 | bufp += stripsize; | ||
254 | @@ -4164,13 +4180,13 @@ combineSeparateSamples32bits (uint8 *in[], uint8 *out, uint32 cols, | ||
255 | /* If we have a full buffer's worth, write it out */ | ||
256 | if (ready_bits >= 32) | ||
257 | { | ||
258 | - bytebuff1 = (buff2 >> 56); | ||
259 | + bytebuff1 = (uint8)(buff2 >> 56); | ||
260 | *dst++ = bytebuff1; | ||
261 | - bytebuff2 = (buff2 >> 48); | ||
262 | + bytebuff2 = (uint8)(buff2 >> 48); | ||
263 | *dst++ = bytebuff2; | ||
264 | - bytebuff3 = (buff2 >> 40); | ||
265 | + bytebuff3 = (uint8)(buff2 >> 40); | ||
266 | *dst++ = bytebuff3; | ||
267 | - bytebuff4 = (buff2 >> 32); | ||
268 | + bytebuff4 = (uint8)(buff2 >> 32); | ||
269 | *dst++ = bytebuff4; | ||
270 | ready_bits -= 32; | ||
271 | |||
272 | @@ -4213,10 +4229,10 @@ combineSeparateSamples32bits (uint8 *in[], uint8 *out, uint32 cols, | ||
273 | "Row %3d, Col %3d, Src byte offset %3d bit offset %2d Dst offset %3d", | ||
274 | row + 1, col + 1, src_byte, src_bit, dst - out); | ||
275 | |||
276 | - dump_long (dumpfile, format, "Match bits ", matchbits); | ||
277 | + dump_wide (dumpfile, format, "Match bits ", matchbits); | ||
278 | dump_data (dumpfile, format, "Src bits ", src, 4); | ||
279 | - dump_long (dumpfile, format, "Buff1 bits ", buff1); | ||
280 | - dump_long (dumpfile, format, "Buff2 bits ", buff2); | ||
281 | + dump_wide (dumpfile, format, "Buff1 bits ", buff1); | ||
282 | + dump_wide (dumpfile, format, "Buff2 bits ", buff2); | ||
283 | dump_byte (dumpfile, format, "Write bits1", bytebuff1); | ||
284 | dump_byte (dumpfile, format, "Write bits2", bytebuff2); | ||
285 | dump_info (dumpfile, format, "", "Ready bits: %2d", ready_bits); | ||
286 | @@ -4689,13 +4705,13 @@ combineSeparateTileSamples32bits (uint8 *in[], uint8 *out, uint32 cols, | ||
287 | /* If we have a full buffer's worth, write it out */ | ||
288 | if (ready_bits >= 32) | ||
289 | { | ||
290 | - bytebuff1 = (buff2 >> 56); | ||
291 | + bytebuff1 = (uint8)(buff2 >> 56); | ||
292 | *dst++ = bytebuff1; | ||
293 | - bytebuff2 = (buff2 >> 48); | ||
294 | + bytebuff2 = (uint8)(buff2 >> 48); | ||
295 | *dst++ = bytebuff2; | ||
296 | - bytebuff3 = (buff2 >> 40); | ||
297 | + bytebuff3 = (uint8)(buff2 >> 40); | ||
298 | *dst++ = bytebuff3; | ||
299 | - bytebuff4 = (buff2 >> 32); | ||
300 | + bytebuff4 = (uint8)(buff2 >> 32); | ||
301 | *dst++ = bytebuff4; | ||
302 | ready_bits -= 32; | ||
303 | |||
304 | @@ -4738,10 +4754,10 @@ combineSeparateTileSamples32bits (uint8 *in[], uint8 *out, uint32 cols, | ||
305 | "Row %3d, Col %3d, Src byte offset %3d bit offset %2d Dst offset %3d", | ||
306 | row + 1, col + 1, src_byte, src_bit, dst - out); | ||
307 | |||
308 | - dump_long (dumpfile, format, "Match bits ", matchbits); | ||
309 | + dump_wide (dumpfile, format, "Match bits ", matchbits); | ||
310 | dump_data (dumpfile, format, "Src bits ", src, 4); | ||
311 | - dump_long (dumpfile, format, "Buff1 bits ", buff1); | ||
312 | - dump_long (dumpfile, format, "Buff2 bits ", buff2); | ||
313 | + dump_wide (dumpfile, format, "Buff1 bits ", buff1); | ||
314 | + dump_wide (dumpfile, format, "Buff2 bits ", buff2); | ||
315 | dump_byte (dumpfile, format, "Write bits1", bytebuff1); | ||
316 | dump_byte (dumpfile, format, "Write bits2", bytebuff2); | ||
317 | dump_info (dumpfile, format, "", "Ready bits: %2d", ready_bits); | ||
318 | @@ -4764,7 +4780,7 @@ static int readSeparateStripsIntoBuffer (TIFF *in, uint8 *obuf, uint32 length, | ||
319 | { | ||
320 | int i, bytes_per_sample, bytes_per_pixel, shift_width, result = 1; | ||
321 | uint32 j; | ||
322 | - int32 bytes_read = 0; | ||
323 | + tmsize_t bytes_read = 0; | ||
324 | uint16 bps = 0, planar; | ||
325 | uint32 nstrips; | ||
326 | uint32 strips_per_sample; | ||
327 | @@ -4830,7 +4846,7 @@ static int readSeparateStripsIntoBuffer (TIFF *in, uint8 *obuf, uint32 length, | ||
328 | for (s = 0; (s < spp) && (s < MAX_SAMPLES); s++) | ||
329 | { | ||
330 | srcbuffs[s] = NULL; | ||
331 | - buff = _TIFFmalloc(stripsize + 3); | ||
332 | + buff = _TIFFmalloc(stripsize + NUM_BUFF_OVERSIZE_BYTES); | ||
333 | if (!buff) | ||
334 | { | ||
335 | TIFFError ("readSeparateStripsIntoBuffer", | ||
336 | @@ -4853,7 +4869,7 @@ static int readSeparateStripsIntoBuffer (TIFF *in, uint8 *obuf, uint32 length, | ||
337 | buff = srcbuffs[s]; | ||
338 | strip = (s * strips_per_sample) + j; | ||
339 | bytes_read = TIFFReadEncodedStrip (in, strip, buff, stripsize); | ||
340 | - rows_this_strip = bytes_read / src_rowsize; | ||
341 | + rows_this_strip = (uint32)(bytes_read / src_rowsize); | ||
342 | if (bytes_read < 0 && !ignore) | ||
343 | { | ||
344 | TIFFError(TIFFFileName(in), | ||
345 | @@ -5860,13 +5876,14 @@ loadImage(TIFF* in, struct image_data *image, struct dump_opts *dump, unsigned c | ||
346 | uint16 input_compression = 0, input_photometric = 0; | ||
347 | uint16 subsampling_horiz, subsampling_vert; | ||
348 | uint32 width = 0, length = 0; | ||
349 | - uint32 stsize = 0, tlsize = 0, buffsize = 0, scanlinesize = 0; | ||
350 | + tmsize_t stsize = 0, tlsize = 0, buffsize = 0; | ||
351 | + tmsize_t scanlinesize = 0; | ||
352 | uint32 tw = 0, tl = 0; /* Tile width and length */ | ||
353 | - uint32 tile_rowsize = 0; | ||
354 | + tmsize_t tile_rowsize = 0; | ||
355 | unsigned char *read_buff = NULL; | ||
356 | unsigned char *new_buff = NULL; | ||
357 | int readunit = 0; | ||
358 | - static uint32 prev_readsize = 0; | ||
359 | + static tmsize_t prev_readsize = 0; | ||
360 | |||
361 | TIFFGetFieldDefaulted(in, TIFFTAG_BITSPERSAMPLE, &bps); | ||
362 | TIFFGetFieldDefaulted(in, TIFFTAG_SAMPLESPERPIXEL, &spp); | ||
363 | @@ -6168,7 +6185,7 @@ loadImage(TIFF* in, struct image_data *image, struct dump_opts *dump, unsigned c | ||
364 | TIFFError("loadImage", "Unable to allocate/reallocate read buffer"); | ||
365 | return (-1); | ||
366 | } | ||
367 | - read_buff = (unsigned char *)_TIFFmalloc(buffsize+3); | ||
368 | + read_buff = (unsigned char *)_TIFFmalloc(buffsize + NUM_BUFF_OVERSIZE_BYTES); | ||
369 | } | ||
370 | else | ||
371 | { | ||
372 | @@ -6179,11 +6196,11 @@ loadImage(TIFF* in, struct image_data *image, struct dump_opts *dump, unsigned c | ||
373 | TIFFError("loadImage", "Unable to allocate/reallocate read buffer"); | ||
374 | return (-1); | ||
375 | } | ||
376 | - new_buff = _TIFFrealloc(read_buff, buffsize+3); | ||
377 | + new_buff = _TIFFrealloc(read_buff, buffsize + NUM_BUFF_OVERSIZE_BYTES); | ||
378 | if (!new_buff) | ||
379 | { | ||
380 | free (read_buff); | ||
381 | - read_buff = (unsigned char *)_TIFFmalloc(buffsize+3); | ||
382 | + read_buff = (unsigned char *)_TIFFmalloc(buffsize + NUM_BUFF_OVERSIZE_BYTES); | ||
383 | } | ||
384 | else | ||
385 | read_buff = new_buff; | ||
386 | @@ -6256,8 +6273,13 @@ loadImage(TIFF* in, struct image_data *image, struct dump_opts *dump, unsigned c | ||
387 | dump_info (dump->infile, dump->format, "", | ||
388 | "Bits per sample %d, Samples per pixel %d", bps, spp); | ||
389 | |||
390 | + if ((uint64_t)scanlinesize > 0x0ffffffffULL) { | ||
391 | + dump_info(dump->infile, dump->format, "loadImage", | ||
392 | + "Attention: scanlinesize %"PRIu64" is larger than UINT32_MAX.\nFollowing dump might be wrong.", | ||
393 | + (uint64_t)scanlinesize); | ||
394 | + } | ||
395 | for (i = 0; i < length; i++) | ||
396 | - dump_buffer(dump->infile, dump->format, 1, scanlinesize, | ||
397 | + dump_buffer(dump->infile, dump->format, 1, (uint32)scanlinesize, | ||
398 | i, read_buff + (i * scanlinesize)); | ||
399 | } | ||
400 | return (0); | ||
401 | @@ -7277,13 +7299,13 @@ writeSingleSection(TIFF *in, TIFF *out, struct image_data *image, | ||
402 | if (TIFFGetField(in, TIFFTAG_NUMBEROFINKS, &ninks)) { | ||
403 | TIFFSetField(out, TIFFTAG_NUMBEROFINKS, ninks); | ||
404 | if (TIFFGetField(in, TIFFTAG_INKNAMES, &inknames)) { | ||
405 | - int inknameslen = strlen(inknames) + 1; | ||
406 | + int inknameslen = (int)strlen(inknames) + 1; | ||
407 | const char* cp = inknames; | ||
408 | while (ninks > 1) { | ||
409 | cp = strchr(cp, '\0'); | ||
410 | if (cp) { | ||
411 | cp++; | ||
412 | - inknameslen += (strlen(cp) + 1); | ||
413 | + inknameslen += ((int)strlen(cp) + 1); | ||
414 | } | ||
415 | ninks--; | ||
416 | } | ||
417 | @@ -7346,23 +7368,23 @@ createImageSection(uint32 sectsize, unsigned char **sect_buff_ptr) | ||
418 | |||
419 | if (!sect_buff) | ||
420 | { | ||
421 | - sect_buff = (unsigned char *)_TIFFmalloc(sectsize); | ||
422 | + sect_buff = (unsigned char *)_TIFFmalloc(sectsize + NUM_BUFF_OVERSIZE_BYTES); | ||
423 | if (!sect_buff) | ||
424 | { | ||
425 | TIFFError("createImageSection", "Unable to allocate/reallocate section buffer"); | ||
426 | return (-1); | ||
427 | } | ||
428 | - _TIFFmemset(sect_buff, 0, sectsize); | ||
429 | + _TIFFmemset(sect_buff, 0, sectsize + NUM_BUFF_OVERSIZE_BYTES); | ||
430 | } | ||
431 | else | ||
432 | { | ||
433 | if (prev_sectsize < sectsize) | ||
434 | { | ||
435 | - new_buff = _TIFFrealloc(sect_buff, sectsize); | ||
436 | + new_buff = _TIFFrealloc(sect_buff, sectsize + NUM_BUFF_OVERSIZE_BYTES); | ||
437 | if (!new_buff) | ||
438 | { | ||
439 | free (sect_buff); | ||
440 | - sect_buff = (unsigned char *)_TIFFmalloc(sectsize); | ||
441 | + sect_buff = (unsigned char *)_TIFFmalloc(sectsize + NUM_BUFF_OVERSIZE_BYTES); | ||
442 | } | ||
443 | else | ||
444 | sect_buff = new_buff; | ||
445 | @@ -7372,7 +7394,7 @@ createImageSection(uint32 sectsize, unsigned char **sect_buff_ptr) | ||
446 | TIFFError("createImageSection", "Unable to allocate/reallocate section buffer"); | ||
447 | return (-1); | ||
448 | } | ||
449 | - _TIFFmemset(sect_buff, 0, sectsize); | ||
450 | + _TIFFmemset(sect_buff, 0, sectsize + NUM_BUFF_OVERSIZE_BYTES); | ||
451 | } | ||
452 | } | ||
453 | |||
454 | @@ -7403,17 +7425,17 @@ processCropSelections(struct image_data *image, struct crop_mask *crop, | ||
455 | cropsize = crop->bufftotal; | ||
456 | crop_buff = seg_buffs[0].buffer; | ||
457 | if (!crop_buff) | ||
458 | - crop_buff = (unsigned char *)_TIFFmalloc(cropsize); | ||
459 | + crop_buff = (unsigned char *)_TIFFmalloc(cropsize + NUM_BUFF_OVERSIZE_BYTES); | ||
460 | else | ||
461 | { | ||
462 | prev_cropsize = seg_buffs[0].size; | ||
463 | if (prev_cropsize < cropsize) | ||
464 | { | ||
465 | - next_buff = _TIFFrealloc(crop_buff, cropsize); | ||
466 | + next_buff = _TIFFrealloc(crop_buff, cropsize + NUM_BUFF_OVERSIZE_BYTES); | ||
467 | if (! next_buff) | ||
468 | { | ||
469 | _TIFFfree (crop_buff); | ||
470 | - crop_buff = (unsigned char *)_TIFFmalloc(cropsize); | ||
471 | + crop_buff = (unsigned char *)_TIFFmalloc(cropsize + NUM_BUFF_OVERSIZE_BYTES); | ||
472 | } | ||
473 | else | ||
474 | crop_buff = next_buff; | ||
475 | @@ -7426,7 +7448,7 @@ processCropSelections(struct image_data *image, struct crop_mask *crop, | ||
476 | return (-1); | ||
477 | } | ||
478 | |||
479 | - _TIFFmemset(crop_buff, 0, cropsize); | ||
480 | + _TIFFmemset(crop_buff, 0, cropsize + NUM_BUFF_OVERSIZE_BYTES); | ||
481 | seg_buffs[0].buffer = crop_buff; | ||
482 | seg_buffs[0].size = cropsize; | ||
483 | |||
484 | @@ -7505,17 +7527,17 @@ processCropSelections(struct image_data *image, struct crop_mask *crop, | ||
485 | cropsize = crop->bufftotal; | ||
486 | crop_buff = seg_buffs[i].buffer; | ||
487 | if (!crop_buff) | ||
488 | - crop_buff = (unsigned char *)_TIFFmalloc(cropsize); | ||
489 | + crop_buff = (unsigned char *)_TIFFmalloc(cropsize + NUM_BUFF_OVERSIZE_BYTES); | ||
490 | else | ||
491 | { | ||
492 | prev_cropsize = seg_buffs[0].size; | ||
493 | if (prev_cropsize < cropsize) | ||
494 | { | ||
495 | - next_buff = _TIFFrealloc(crop_buff, cropsize); | ||
496 | + next_buff = _TIFFrealloc(crop_buff, cropsize + NUM_BUFF_OVERSIZE_BYTES); | ||
497 | if (! next_buff) | ||
498 | { | ||
499 | _TIFFfree (crop_buff); | ||
500 | - crop_buff = (unsigned char *)_TIFFmalloc(cropsize); | ||
501 | + crop_buff = (unsigned char *)_TIFFmalloc(cropsize + NUM_BUFF_OVERSIZE_BYTES); | ||
502 | } | ||
503 | else | ||
504 | crop_buff = next_buff; | ||
505 | @@ -7528,7 +7550,7 @@ processCropSelections(struct image_data *image, struct crop_mask *crop, | ||
506 | return (-1); | ||
507 | } | ||
508 | |||
509 | - _TIFFmemset(crop_buff, 0, cropsize); | ||
510 | + _TIFFmemset(crop_buff, 0, cropsize + NUM_BUFF_OVERSIZE_BYTES); | ||
511 | seg_buffs[i].buffer = crop_buff; | ||
512 | seg_buffs[i].size = cropsize; | ||
513 | |||
514 | @@ -7641,24 +7663,24 @@ createCroppedImage(struct image_data *image, struct crop_mask *crop, | ||
515 | crop_buff = *crop_buff_ptr; | ||
516 | if (!crop_buff) | ||
517 | { | ||
518 | - crop_buff = (unsigned char *)_TIFFmalloc(cropsize); | ||
519 | + crop_buff = (unsigned char *)_TIFFmalloc(cropsize + NUM_BUFF_OVERSIZE_BYTES); | ||
520 | if (!crop_buff) | ||
521 | { | ||
522 | TIFFError("createCroppedImage", "Unable to allocate/reallocate crop buffer"); | ||
523 | return (-1); | ||
524 | } | ||
525 | - _TIFFmemset(crop_buff, 0, cropsize); | ||
526 | + _TIFFmemset(crop_buff, 0, cropsize + NUM_BUFF_OVERSIZE_BYTES); | ||
527 | prev_cropsize = cropsize; | ||
528 | } | ||
529 | else | ||
530 | { | ||
531 | if (prev_cropsize < cropsize) | ||
532 | { | ||
533 | - new_buff = _TIFFrealloc(crop_buff, cropsize); | ||
534 | + new_buff = _TIFFrealloc(crop_buff, cropsize + NUM_BUFF_OVERSIZE_BYTES); | ||
535 | if (!new_buff) | ||
536 | { | ||
537 | free (crop_buff); | ||
538 | - crop_buff = (unsigned char *)_TIFFmalloc(cropsize); | ||
539 | + crop_buff = (unsigned char *)_TIFFmalloc(cropsize + NUM_BUFF_OVERSIZE_BYTES); | ||
540 | } | ||
541 | else | ||
542 | crop_buff = new_buff; | ||
543 | @@ -7667,7 +7689,7 @@ createCroppedImage(struct image_data *image, struct crop_mask *crop, | ||
544 | TIFFError("createCroppedImage", "Unable to allocate/reallocate crop buffer"); | ||
545 | return (-1); | ||
546 | } | ||
547 | - _TIFFmemset(crop_buff, 0, cropsize); | ||
548 | + _TIFFmemset(crop_buff, 0, cropsize + NUM_BUFF_OVERSIZE_BYTES); | ||
549 | } | ||
550 | } | ||
551 | |||
552 | @@ -7965,13 +7987,13 @@ writeCroppedImage(TIFF *in, TIFF *out, struct image_data *image, | ||
553 | if (TIFFGetField(in, TIFFTAG_NUMBEROFINKS, &ninks)) { | ||
554 | TIFFSetField(out, TIFFTAG_NUMBEROFINKS, ninks); | ||
555 | if (TIFFGetField(in, TIFFTAG_INKNAMES, &inknames)) { | ||
556 | - int inknameslen = strlen(inknames) + 1; | ||
557 | + int inknameslen = (int)strlen(inknames) + 1; | ||
558 | const char* cp = inknames; | ||
559 | while (ninks > 1) { | ||
560 | cp = strchr(cp, '\0'); | ||
561 | if (cp) { | ||
562 | cp++; | ||
563 | - inknameslen += (strlen(cp) + 1); | ||
564 | + inknameslen += ((int)strlen(cp) + 1); | ||
565 | } | ||
566 | ninks--; | ||
567 | } | ||
568 | @@ -8356,13 +8378,13 @@ rotateContigSamples32bits(uint16 rotation, uint16 spp, uint16 bps, uint32 width, | ||
569 | } | ||
570 | else /* If we have a full buffer's worth, write it out */ | ||
571 | { | ||
572 | - bytebuff1 = (buff2 >> 56); | ||
573 | + bytebuff1 = (uint8)(buff2 >> 56); | ||
574 | *dst++ = bytebuff1; | ||
575 | - bytebuff2 = (buff2 >> 48); | ||
576 | + bytebuff2 = (uint8)(buff2 >> 48); | ||
577 | *dst++ = bytebuff2; | ||
578 | - bytebuff3 = (buff2 >> 40); | ||
579 | + bytebuff3 = (uint8)(buff2 >> 40); | ||
580 | *dst++ = bytebuff3; | ||
581 | - bytebuff4 = (buff2 >> 32); | ||
582 | + bytebuff4 = (uint8)(buff2 >> 32); | ||
583 | *dst++ = bytebuff4; | ||
584 | ready_bits -= 32; | ||
585 | |||
586 | @@ -8431,12 +8453,13 @@ rotateImage(uint16 rotation, struct image_data *image, uint32 *img_width, | ||
587 | return (-1); | ||
588 | } | ||
589 | |||
590 | - if (!(rbuff = (unsigned char *)_TIFFmalloc(buffsize))) | ||
591 | + /* Add 3 padding bytes for extractContigSamplesShifted32bits */ | ||
592 | + if (!(rbuff = (unsigned char *)_TIFFmalloc(buffsize + NUM_BUFF_OVERSIZE_BYTES))) | ||
593 | { | ||
594 | - TIFFError("rotateImage", "Unable to allocate rotation buffer of %1u bytes", buffsize); | ||
595 | + TIFFError("rotateImage", "Unable to allocate rotation buffer of %1u bytes", buffsize + NUM_BUFF_OVERSIZE_BYTES); | ||
596 | return (-1); | ||
597 | } | ||
598 | - _TIFFmemset(rbuff, '\0', buffsize); | ||
599 | + _TIFFmemset(rbuff, '\0', buffsize + NUM_BUFF_OVERSIZE_BYTES); | ||
600 | |||
601 | ibuff = *ibuff_ptr; | ||
602 | switch (rotation) | ||
603 | @@ -8964,13 +8987,13 @@ reverseSamples32bits (uint16 spp, uint16 bps, uint32 width, | ||
604 | } | ||
605 | else /* If we have a full buffer's worth, write it out */ | ||
606 | { | ||
607 | - bytebuff1 = (buff2 >> 56); | ||
608 | + bytebuff1 = (uint8)(buff2 >> 56); | ||
609 | *dst++ = bytebuff1; | ||
610 | - bytebuff2 = (buff2 >> 48); | ||
611 | + bytebuff2 = (uint8)(buff2 >> 48); | ||
612 | *dst++ = bytebuff2; | ||
613 | - bytebuff3 = (buff2 >> 40); | ||
614 | + bytebuff3 = (uint8)(buff2 >> 40); | ||
615 | *dst++ = bytebuff3; | ||
616 | - bytebuff4 = (buff2 >> 32); | ||
617 | + bytebuff4 = (uint8)(buff2 >> 32); | ||
618 | *dst++ = bytebuff4; | ||
619 | ready_bits -= 32; | ||
620 | |||
621 | @@ -9061,12 +9084,13 @@ mirrorImage(uint16 spp, uint16 bps, uint16 mirror, uint32 width, uint32 length, | ||
622 | { | ||
623 | case MIRROR_BOTH: | ||
624 | case MIRROR_VERT: | ||
625 | - line_buff = (unsigned char *)_TIFFmalloc(rowsize); | ||
626 | + line_buff = (unsigned char *)_TIFFmalloc(rowsize + NUM_BUFF_OVERSIZE_BYTES); | ||
627 | if (line_buff == NULL) | ||
628 | { | ||
629 | - TIFFError ("mirrorImage", "Unable to allocate mirror line buffer of %1u bytes", rowsize); | ||
630 | + TIFFError ("mirrorImage", "Unable to allocate mirror line buffer of %1u bytes", rowsize + NUM_BUFF_OVERSIZE_BYTES); | ||
631 | return (-1); | ||
632 | } | ||
633 | + _TIFFmemset(line_buff, '\0', rowsize + NUM_BUFF_OVERSIZE_BYTES); | ||
634 | |||
635 | dst = ibuff + (rowsize * (length - 1)); | ||
636 | for (row = 0; row < length / 2; row++) | ||
637 | @@ -9098,11 +9122,12 @@ mirrorImage(uint16 spp, uint16 bps, uint16 mirror, uint32 width, uint32 length, | ||
638 | } | ||
639 | else | ||
640 | { /* non 8 bit per sample data */ | ||
641 | - if (!(line_buff = (unsigned char *)_TIFFmalloc(rowsize + 1))) | ||
642 | + if (!(line_buff = (unsigned char *)_TIFFmalloc(rowsize + NUM_BUFF_OVERSIZE_BYTES))) | ||
643 | { | ||
644 | TIFFError("mirrorImage", "Unable to allocate mirror line buffer"); | ||
645 | return (-1); | ||
646 | } | ||
647 | + _TIFFmemset(line_buff, '\0', rowsize + NUM_BUFF_OVERSIZE_BYTES); | ||
648 | bytes_per_sample = (bps + 7) / 8; | ||
649 | bytes_per_pixel = ((bps * spp) + 7) / 8; | ||
650 | if (bytes_per_pixel < (bytes_per_sample + 1)) | ||
651 | @@ -9114,7 +9139,7 @@ mirrorImage(uint16 spp, uint16 bps, uint16 mirror, uint32 width, uint32 length, | ||
652 | { | ||
653 | row_offset = row * rowsize; | ||
654 | src = ibuff + row_offset; | ||
655 | - _TIFFmemset (line_buff, '\0', rowsize); | ||
656 | + _TIFFmemset (line_buff, '\0', rowsize + NUM_BUFF_OVERSIZE_BYTES); | ||
657 | switch (shift_width) | ||
658 | { | ||
659 | case 1: if (reverseSamples16bits(spp, bps, width, src, line_buff)) | ||
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2022-3597_3626_3627.patch b/meta/recipes-multimedia/libtiff/files/CVE-2022-3597_3626_3627.patch new file mode 100644 index 0000000000..18a4b4e0ff --- /dev/null +++ b/meta/recipes-multimedia/libtiff/files/CVE-2022-3597_3626_3627.patch | |||
@@ -0,0 +1,123 @@ | |||
1 | From f7c06c395daf1b2c52ab431e00db2d9fc2ac993e Mon Sep 17 00:00:00 2001 | ||
2 | From: Su Laus <sulau@freenet.de> | ||
3 | Date: Tue, 10 May 2022 20:03:17 +0000 | ||
4 | Subject: [PATCH] tiffcrop: Fix issue #330 and some more from 320 to 349 | ||
5 | |||
6 | Upstream-Status: Backport [import from debian http://security.debian.org/debian-security/pool/updates/main/t/tiff/tiff_4.1.0+git191117-2~deb10u7.debian.tar.xz ] | ||
7 | CVE: CVE-2022-3597 CVE-2022-3626 CVE-2022-3627 | ||
8 | Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> | ||
9 | |||
10 | Origin: https://gitlab.com/libtiff/libtiff/-/commit/e319508023580e2f70e6e626f745b5b2a1707313 | ||
11 | Origin: https://gitlab.com/libtiff/libtiff/-/commit/8fe3735942ea1d90d8cef843b55b3efe8ab6feaf | ||
12 | Origin: https://gitlab.com/libtiff/libtiff/-/commit/bad48e90b410df32172006c7876da449ba62cdba | ||
13 | Origin: https://gitlab.com/libtiff/libtiff/-/commit/236b7191f04c60d09ee836ae13b50f812c841047 | ||
14 | Reviewed-by: Sylvain Beucler <beuc@debian.org> | ||
15 | Last-Update: 2023-01-17 | ||
16 | |||
17 | --- | ||
18 | tools/tiffcrop.c | 50 ++++++++++++++++++++++++++++++++++++++++-------- | ||
19 | 1 file changed, 42 insertions(+), 8 deletions(-) | ||
20 | |||
21 | diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c | ||
22 | index c923920..a0789a3 100644 | ||
23 | --- a/tools/tiffcrop.c | ||
24 | +++ b/tools/tiffcrop.c | ||
25 | @@ -103,7 +103,12 @@ | ||
26 | * selects which functions dump data, with higher numbers selecting | ||
27 | * lower level, scanline level routines. Debug reports a limited set | ||
28 | * of messages to monitor progess without enabling dump logs. | ||
29 | - */ | ||
30 | + * | ||
31 | + * Note 1: The (-X|-Y), -Z, -z and -S options are mutually exclusive. | ||
32 | + * In no case should the options be applied to a given selection successively. | ||
33 | + * Note 2: Any of the -X, -Y, -Z and -z options together with other PAGE_MODE_x options | ||
34 | + * such as -H, -V, -P, -J or -K are not supported and may cause buffer overflows. | ||
35 | + */ | ||
36 | |||
37 | static char tiffcrop_version_id[] = "2.4.1"; | ||
38 | static char tiffcrop_rev_date[] = "03-03-2010"; | ||
39 | @@ -176,12 +181,12 @@ extern int getopt(int argc, char * const argv[], const char *optstring); | ||
40 | #define ROTATECW_270 32 | ||
41 | #define ROTATE_ANY (ROTATECW_90 | ROTATECW_180 | ROTATECW_270) | ||
42 | |||
43 | -#define CROP_NONE 0 | ||
44 | -#define CROP_MARGINS 1 | ||
45 | -#define CROP_WIDTH 2 | ||
46 | -#define CROP_LENGTH 4 | ||
47 | -#define CROP_ZONES 8 | ||
48 | -#define CROP_REGIONS 16 | ||
49 | +#define CROP_NONE 0 /* "-S" -> Page_MODE_ROWSCOLS and page->rows/->cols != 0 */ | ||
50 | +#define CROP_MARGINS 1 /* "-m" */ | ||
51 | +#define CROP_WIDTH 2 /* "-X" */ | ||
52 | +#define CROP_LENGTH 4 /* "-Y" */ | ||
53 | +#define CROP_ZONES 8 /* "-Z" */ | ||
54 | +#define CROP_REGIONS 16 /* "-z" */ | ||
55 | #define CROP_ROTATE 32 | ||
56 | #define CROP_MIRROR 64 | ||
57 | #define CROP_INVERT 128 | ||
58 | @@ -323,7 +328,7 @@ struct crop_mask { | ||
59 | #define PAGE_MODE_RESOLUTION 1 | ||
60 | #define PAGE_MODE_PAPERSIZE 2 | ||
61 | #define PAGE_MODE_MARGINS 4 | ||
62 | -#define PAGE_MODE_ROWSCOLS 8 | ||
63 | +#define PAGE_MODE_ROWSCOLS 8 /* for -S option */ | ||
64 | |||
65 | #define INVERT_DATA_ONLY 10 | ||
66 | #define INVERT_DATA_AND_TAG 11 | ||
67 | @@ -754,6 +759,12 @@ static char* usage_info[] = { | ||
68 | " The four debug/dump options are independent, though it makes little sense to", | ||
69 | " specify a dump file without specifying a detail level.", | ||
70 | " ", | ||
71 | +"Note 1: The (-X|-Y), -Z, -z and -S options are mutually exclusive.", | ||
72 | +" In no case should the options be applied to a given selection successively.", | ||
73 | +" ", | ||
74 | +"Note 2: Any of the -X, -Y, -Z and -z options together with other PAGE_MODE_x options", | ||
75 | +" such as - H, -V, -P, -J or -K are not supported and may cause buffer overflows.", | ||
76 | +" ", | ||
77 | NULL | ||
78 | }; | ||
79 | |||
80 | @@ -2112,6 +2123,27 @@ void process_command_opts (int argc, char *argv[], char *mp, char *mode, uint32 | ||
81 | /*NOTREACHED*/ | ||
82 | } | ||
83 | } | ||
84 | + /*-- Check for not allowed combinations (e.g. -X, -Y and -Z, -z and -S are mutually exclusive) --*/ | ||
85 | + char XY, Z, R, S; | ||
86 | + XY = ((crop_data->crop_mode & CROP_WIDTH) || (crop_data->crop_mode & CROP_LENGTH)) ? 1 : 0; | ||
87 | + Z = (crop_data->crop_mode & CROP_ZONES) ? 1 : 0; | ||
88 | + R = (crop_data->crop_mode & CROP_REGIONS) ? 1 : 0; | ||
89 | + S = (page->mode & PAGE_MODE_ROWSCOLS) ? 1 : 0; | ||
90 | + if (XY + Z + R + S > 1) { | ||
91 | + TIFFError("tiffcrop input error", "The crop options(-X|-Y), -Z, -z and -S are mutually exclusive.->exit"); | ||
92 | + exit(EXIT_FAILURE); | ||
93 | + } | ||
94 | + | ||
95 | + /* Check for not allowed combination: | ||
96 | + * Any of the -X, -Y, -Z and -z options together with other PAGE_MODE_x options | ||
97 | + * such as -H, -V, -P, -J or -K are not supported and may cause buffer overflows. | ||
98 | +. */ | ||
99 | + if ((XY + Z + R > 0) && page->mode != PAGE_MODE_NONE) { | ||
100 | + TIFFError("tiffcrop input error", | ||
101 | + "Any of the crop options -X, -Y, -Z and -z together with other PAGE_MODE_x options such as - H, -V, -P, -J or -K is not supported and may cause buffer overflows..->exit"); | ||
102 | + exit(EXIT_FAILURE); | ||
103 | + } | ||
104 | + | ||
105 | } /* end process_command_opts */ | ||
106 | |||
107 | /* Start a new output file if one has not been previously opened or | ||
108 | @@ -2384,6 +2416,7 @@ main(int argc, char* argv[]) | ||
109 | exit (-1); | ||
110 | } | ||
111 | |||
112 | + /* Crop input image and copy zones and regions from input image into seg_buffs or crop_buff. */ | ||
113 | if (crop.selections > 0) | ||
114 | { | ||
115 | if (processCropSelections(&image, &crop, &read_buff, seg_buffs)) | ||
116 | @@ -2400,6 +2433,7 @@ main(int argc, char* argv[]) | ||
117 | exit (-1); | ||
118 | } | ||
119 | } | ||
120 | + /* Format and write selected image parts to output file(s). */ | ||
121 | if (page.mode == PAGE_MODE_NONE) | ||
122 | { /* Whole image or sections not based on output page size */ | ||
123 | if (crop.selections > 0) | ||
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2022-3599.patch b/meta/recipes-multimedia/libtiff/files/CVE-2022-3599.patch new file mode 100644 index 0000000000..b3232d9002 --- /dev/null +++ b/meta/recipes-multimedia/libtiff/files/CVE-2022-3599.patch | |||
@@ -0,0 +1,277 @@ | |||
1 | From 01bca7e6f608da7696949fca6acda78b9935ba19 Mon Sep 17 00:00:00 2001 | ||
2 | From: Su_Laus <sulau@freenet.de> | ||
3 | Date: Tue, 30 Aug 2022 16:56:48 +0200 | ||
4 | Subject: [PATCH] Revised handling of TIFFTAG_INKNAMES and related | ||
5 | |||
6 | Upstream-Status: Backport [import from debian http://security.debian.org/debian-security/pool/updates/main/t/tiff/tiff_4.1.0+git191117-2~deb10u7.debian.tar.xz ] | ||
7 | CVE: CVE-2022-3599 CVE-2022-4645 CVE-2023-30774 | ||
8 | Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> | ||
9 | |||
10 | Origin: https://gitlab.com/libtiff/libtiff/-/commit/e813112545942107551433d61afd16ac094ff246 | ||
11 | Reviewed-by: Sylvain Beucler <beuc@debian.org> | ||
12 | Last-Update: 2023-01-17 | ||
13 | |||
14 | TIFFTAG_NUMBEROFINKS value | ||
15 | |||
16 | In order to solve the buffer overflow issues related to TIFFTAG_INKNAMES and related TIFFTAG_NUMBEROFINKS value, a revised handling of those tags within LibTiff is proposed: | ||
17 | |||
18 | Behaviour for writing: | ||
19 | `NumberOfInks` MUST fit to the number of inks in the `InkNames` string. | ||
20 | `NumberOfInks` is automatically set when `InkNames` is set. | ||
21 | If `NumberOfInks` is different to the number of inks within `InkNames` string, that will be corrected and a warning is issued. | ||
22 | If `NumberOfInks` is not equal to samplesperpixel only a warning will be issued. | ||
23 | |||
24 | Behaviour for reading: | ||
25 | When reading `InkNames` from a TIFF file, the `NumberOfInks` will be set automatically to the number of inks in `InkNames` string. | ||
26 | If `NumberOfInks` is different to the number of inks within `InkNames` string, that will be corrected and a warning is issued. | ||
27 | If `NumberOfInks` is not equal to samplesperpixel only a warning will be issued. | ||
28 | |||
29 | This allows the safe use of the NumberOfInks value to read out the InkNames without buffer overflow | ||
30 | |||
31 | This MR will close the following issues: #149, #150, #152, #168 (to be checked), #250, #269, #398 and #456. | ||
32 | |||
33 | It also fixes the old bug at http://bugzilla.maptools.org/show_bug.cgi?id=2599, for which the limitation of `NumberOfInks = SPP` was introduced, which is in my opinion not necessary and does not solve the general issue. | ||
34 | |||
35 | --- | ||
36 | libtiff/tif_dir.c | 120 ++++++++++++++++++++++++----------------- | ||
37 | libtiff/tif_dir.h | 2 + | ||
38 | libtiff/tif_dirinfo.c | 2 +- | ||
39 | libtiff/tif_dirwrite.c | 5 ++ | ||
40 | libtiff/tif_print.c | 4 ++ | ||
41 | 5 files changed, 83 insertions(+), 50 deletions(-) | ||
42 | |||
43 | diff --git a/libtiff/tif_dir.c b/libtiff/tif_dir.c | ||
44 | index 39aeeb4..9d8267a 100644 | ||
45 | --- a/libtiff/tif_dir.c | ||
46 | +++ b/libtiff/tif_dir.c | ||
47 | @@ -29,6 +29,7 @@ | ||
48 | * (and also some miscellaneous stuff) | ||
49 | */ | ||
50 | #include "tiffiop.h" | ||
51 | +# include <inttypes.h> | ||
52 | |||
53 | /* | ||
54 | * These are used in the backwards compatibility code... | ||
55 | @@ -137,32 +138,30 @@ setExtraSamples(TIFF* tif, va_list ap, uint32* v) | ||
56 | } | ||
57 | |||
58 | /* | ||
59 | - * Confirm we have "samplesperpixel" ink names separated by \0. Returns | ||
60 | + * Count ink names separated by \0. Returns | ||
61 | * zero if the ink names are not as expected. | ||
62 | */ | ||
63 | -static uint32 | ||
64 | -checkInkNamesString(TIFF* tif, uint32 slen, const char* s) | ||
65 | +static uint16 | ||
66 | +countInkNamesString(TIFF *tif, uint32 slen, const char *s) | ||
67 | { | ||
68 | - TIFFDirectory* td = &tif->tif_dir; | ||
69 | - uint16 i = td->td_samplesperpixel; | ||
70 | + uint16 i = 0; | ||
71 | + const char *ep = s + slen; | ||
72 | + const char *cp = s; | ||
73 | |||
74 | if (slen > 0) { | ||
75 | - const char* ep = s+slen; | ||
76 | - const char* cp = s; | ||
77 | - for (; i > 0; i--) { | ||
78 | + do { | ||
79 | for (; cp < ep && *cp != '\0'; cp++) {} | ||
80 | if (cp >= ep) | ||
81 | goto bad; | ||
82 | cp++; /* skip \0 */ | ||
83 | - } | ||
84 | - return ((uint32)(cp-s)); | ||
85 | + i++; | ||
86 | + } while (cp < ep); | ||
87 | + return (i); | ||
88 | } | ||
89 | bad: | ||
90 | TIFFErrorExt(tif->tif_clientdata, "TIFFSetField", | ||
91 | - "%s: Invalid InkNames value; expecting %d names, found %d", | ||
92 | - tif->tif_name, | ||
93 | - td->td_samplesperpixel, | ||
94 | - td->td_samplesperpixel-i); | ||
95 | + "%s: Invalid InkNames value; no NUL at given buffer end location %"PRIu32", after %"PRIu16" ink", | ||
96 | + tif->tif_name, slen, i); | ||
97 | return (0); | ||
98 | } | ||
99 | |||
100 | @@ -476,13 +475,61 @@ _TIFFVSetField(TIFF* tif, uint32 tag, va_list ap) | ||
101 | _TIFFsetFloatArray(&td->td_refblackwhite, va_arg(ap, float*), 6); | ||
102 | break; | ||
103 | case TIFFTAG_INKNAMES: | ||
104 | - v = (uint16) va_arg(ap, uint16_vap); | ||
105 | - s = va_arg(ap, char*); | ||
106 | - v = checkInkNamesString(tif, v, s); | ||
107 | - status = v > 0; | ||
108 | - if( v > 0 ) { | ||
109 | - _TIFFsetNString(&td->td_inknames, s, v); | ||
110 | - td->td_inknameslen = v; | ||
111 | + { | ||
112 | + v = (uint16) va_arg(ap, uint16_vap); | ||
113 | + s = va_arg(ap, char*); | ||
114 | + uint16 ninksinstring; | ||
115 | + ninksinstring = countInkNamesString(tif, v, s); | ||
116 | + status = ninksinstring > 0; | ||
117 | + if(ninksinstring > 0 ) { | ||
118 | + _TIFFsetNString(&td->td_inknames, s, v); | ||
119 | + td->td_inknameslen = v; | ||
120 | + /* Set NumberOfInks to the value ninksinstring */ | ||
121 | + if (TIFFFieldSet(tif, FIELD_NUMBEROFINKS)) | ||
122 | + { | ||
123 | + if (td->td_numberofinks != ninksinstring) { | ||
124 | + TIFFErrorExt(tif->tif_clientdata, module, | ||
125 | + "Warning %s; Tag %s:\n Value %"PRIu16" of NumberOfInks is different from the number of inks %"PRIu16".\n -> NumberOfInks value adapted to %"PRIu16"", | ||
126 | + tif->tif_name, fip->field_name, td->td_numberofinks, ninksinstring, ninksinstring); | ||
127 | + td->td_numberofinks = ninksinstring; | ||
128 | + } | ||
129 | + } else { | ||
130 | + td->td_numberofinks = ninksinstring; | ||
131 | + TIFFSetFieldBit(tif, FIELD_NUMBEROFINKS); | ||
132 | + } | ||
133 | + if (TIFFFieldSet(tif, FIELD_SAMPLESPERPIXEL)) | ||
134 | + { | ||
135 | + if (td->td_numberofinks != td->td_samplesperpixel) { | ||
136 | + TIFFErrorExt(tif->tif_clientdata, module, | ||
137 | + "Warning %s; Tag %s:\n Value %"PRIu16" of NumberOfInks is different from the SamplesPerPixel value %"PRIu16"", | ||
138 | + tif->tif_name, fip->field_name, td->td_numberofinks, td->td_samplesperpixel); | ||
139 | + } | ||
140 | + } | ||
141 | + } | ||
142 | + } | ||
143 | + break; | ||
144 | + case TIFFTAG_NUMBEROFINKS: | ||
145 | + v = (uint16)va_arg(ap, uint16_vap); | ||
146 | + /* If InkNames already set also NumberOfInks is set accordingly and should be equal */ | ||
147 | + if (TIFFFieldSet(tif, FIELD_INKNAMES)) | ||
148 | + { | ||
149 | + if (v != td->td_numberofinks) { | ||
150 | + TIFFErrorExt(tif->tif_clientdata, module, | ||
151 | + "Error %s; Tag %s:\n It is not possible to set the value %"PRIu32" for NumberOfInks\n which is different from the number of inks in the InkNames tag (%"PRIu16")", | ||
152 | + tif->tif_name, fip->field_name, v, td->td_numberofinks); | ||
153 | + /* Do not set / overwrite number of inks already set by InkNames case accordingly. */ | ||
154 | + status = 0; | ||
155 | + } | ||
156 | + } else { | ||
157 | + td->td_numberofinks = (uint16)v; | ||
158 | + if (TIFFFieldSet(tif, FIELD_SAMPLESPERPIXEL)) | ||
159 | + { | ||
160 | + if (td->td_numberofinks != td->td_samplesperpixel) { | ||
161 | + TIFFErrorExt(tif->tif_clientdata, module, | ||
162 | + "Warning %s; Tag %s:\n Value %"PRIu32" of NumberOfInks is different from the SamplesPerPixel value %"PRIu16"", | ||
163 | + tif->tif_name, fip->field_name, v, td->td_samplesperpixel); | ||
164 | + } | ||
165 | + } | ||
166 | } | ||
167 | break; | ||
168 | case TIFFTAG_PERSAMPLE: | ||
169 | @@ -887,34 +934,6 @@ _TIFFVGetField(TIFF* tif, uint32 tag, va_list ap) | ||
170 | if (fip->field_bit == FIELD_CUSTOM) { | ||
171 | standard_tag = 0; | ||
172 | } | ||
173 | - | ||
174 | - if( standard_tag == TIFFTAG_NUMBEROFINKS ) | ||
175 | - { | ||
176 | - int i; | ||
177 | - for (i = 0; i < td->td_customValueCount; i++) { | ||
178 | - uint16 val; | ||
179 | - TIFFTagValue *tv = td->td_customValues + i; | ||
180 | - if (tv->info->field_tag != standard_tag) | ||
181 | - continue; | ||
182 | - if( tv->value == NULL ) | ||
183 | - return 0; | ||
184 | - val = *(uint16 *)tv->value; | ||
185 | - /* Truncate to SamplesPerPixel, since the */ | ||
186 | - /* setting code for INKNAMES assume that there are SamplesPerPixel */ | ||
187 | - /* inknames. */ | ||
188 | - /* Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2599 */ | ||
189 | - if( val > td->td_samplesperpixel ) | ||
190 | - { | ||
191 | - TIFFWarningExt(tif->tif_clientdata,"_TIFFVGetField", | ||
192 | - "Truncating NumberOfInks from %u to %u", | ||
193 | - val, td->td_samplesperpixel); | ||
194 | - val = td->td_samplesperpixel; | ||
195 | - } | ||
196 | - *va_arg(ap, uint16*) = val; | ||
197 | - return 1; | ||
198 | - } | ||
199 | - return 0; | ||
200 | - } | ||
201 | |||
202 | switch (standard_tag) { | ||
203 | case TIFFTAG_SUBFILETYPE: | ||
204 | @@ -1092,6 +1111,9 @@ _TIFFVGetField(TIFF* tif, uint32 tag, va_list ap) | ||
205 | case TIFFTAG_INKNAMES: | ||
206 | *va_arg(ap, char**) = td->td_inknames; | ||
207 | break; | ||
208 | + case TIFFTAG_NUMBEROFINKS: | ||
209 | + *va_arg(ap, uint16 *) = td->td_numberofinks; | ||
210 | + break; | ||
211 | default: | ||
212 | { | ||
213 | int i; | ||
214 | diff --git a/libtiff/tif_dir.h b/libtiff/tif_dir.h | ||
215 | index e7f0667..7cad679 100644 | ||
216 | --- a/libtiff/tif_dir.h | ||
217 | +++ b/libtiff/tif_dir.h | ||
218 | @@ -117,6 +117,7 @@ typedef struct { | ||
219 | /* CMYK parameters */ | ||
220 | int td_inknameslen; | ||
221 | char* td_inknames; | ||
222 | + uint16 td_numberofinks; /* number of inks in InkNames string */ | ||
223 | |||
224 | int td_customValueCount; | ||
225 | TIFFTagValue *td_customValues; | ||
226 | @@ -174,6 +175,7 @@ typedef struct { | ||
227 | #define FIELD_TRANSFERFUNCTION 44 | ||
228 | #define FIELD_INKNAMES 46 | ||
229 | #define FIELD_SUBIFD 49 | ||
230 | +#define FIELD_NUMBEROFINKS 50 | ||
231 | /* FIELD_CUSTOM (see tiffio.h) 65 */ | ||
232 | /* end of support for well-known tags; codec-private tags follow */ | ||
233 | #define FIELD_CODEC 66 /* base of codec-private tags */ | ||
234 | diff --git a/libtiff/tif_dirinfo.c b/libtiff/tif_dirinfo.c | ||
235 | index fbfaaf0..bf7de70 100644 | ||
236 | --- a/libtiff/tif_dirinfo.c | ||
237 | +++ b/libtiff/tif_dirinfo.c | ||
238 | @@ -104,7 +104,7 @@ tiffFields[] = { | ||
239 | { TIFFTAG_SUBIFD, -1, -1, TIFF_IFD8, 0, TIFF_SETGET_C16_IFD8, TIFF_SETGET_UNDEFINED, FIELD_SUBIFD, 1, 1, "SubIFD", (TIFFFieldArray*) &tiffFieldArray }, | ||
240 | { TIFFTAG_INKSET, 1, 1, TIFF_SHORT, 0, TIFF_SETGET_UINT16, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 0, 0, "InkSet", NULL }, | ||
241 | { TIFFTAG_INKNAMES, -1, -1, TIFF_ASCII, 0, TIFF_SETGET_C16_ASCII, TIFF_SETGET_UNDEFINED, FIELD_INKNAMES, 1, 1, "InkNames", NULL }, | ||
242 | - { TIFFTAG_NUMBEROFINKS, 1, 1, TIFF_SHORT, 0, TIFF_SETGET_UINT16, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 1, 0, "NumberOfInks", NULL }, | ||
243 | + { TIFFTAG_NUMBEROFINKS, 1, 1, TIFF_SHORT, 0, TIFF_SETGET_UINT16, TIFF_SETGET_UNDEFINED, FIELD_NUMBEROFINKS, 1, 0, "NumberOfInks", NULL }, | ||
244 | { TIFFTAG_DOTRANGE, 2, 2, TIFF_SHORT, 0, TIFF_SETGET_UINT16_PAIR, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 0, 0, "DotRange", NULL }, | ||
245 | { TIFFTAG_TARGETPRINTER, -1, -1, TIFF_ASCII, 0, TIFF_SETGET_ASCII, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 1, 0, "TargetPrinter", NULL }, | ||
246 | { TIFFTAG_EXTRASAMPLES, -1, -1, TIFF_SHORT, 0, TIFF_SETGET_C16_UINT16, TIFF_SETGET_UNDEFINED, FIELD_EXTRASAMPLES, 0, 1, "ExtraSamples", NULL }, | ||
247 | diff --git a/libtiff/tif_dirwrite.c b/libtiff/tif_dirwrite.c | ||
248 | index 9e4d306..a2dbc3b 100644 | ||
249 | --- a/libtiff/tif_dirwrite.c | ||
250 | +++ b/libtiff/tif_dirwrite.c | ||
251 | @@ -677,6 +677,11 @@ TIFFWriteDirectorySec(TIFF* tif, int isimage, int imagedone, uint64* pdiroff) | ||
252 | if (!TIFFWriteDirectoryTagAscii(tif,&ndir,dir,TIFFTAG_INKNAMES,tif->tif_dir.td_inknameslen,tif->tif_dir.td_inknames)) | ||
253 | goto bad; | ||
254 | } | ||
255 | + if (TIFFFieldSet(tif, FIELD_NUMBEROFINKS)) | ||
256 | + { | ||
257 | + if (!TIFFWriteDirectoryTagShort(tif, &ndir, dir, TIFFTAG_NUMBEROFINKS, tif->tif_dir.td_numberofinks)) | ||
258 | + goto bad; | ||
259 | + } | ||
260 | if (TIFFFieldSet(tif,FIELD_SUBIFD)) | ||
261 | { | ||
262 | if (!TIFFWriteDirectoryTagSubifd(tif,&ndir,dir)) | ||
263 | diff --git a/libtiff/tif_print.c b/libtiff/tif_print.c | ||
264 | index a073794..a9f05a7 100644 | ||
265 | --- a/libtiff/tif_print.c | ||
266 | +++ b/libtiff/tif_print.c | ||
267 | @@ -402,6 +402,10 @@ TIFFPrintDirectory(TIFF* tif, FILE* fd, long flags) | ||
268 | } | ||
269 | fputs("\n", fd); | ||
270 | } | ||
271 | + if (TIFFFieldSet(tif, FIELD_NUMBEROFINKS)) { | ||
272 | + fprintf(fd, " NumberOfInks: %d\n", | ||
273 | + td->td_numberofinks); | ||
274 | + } | ||
275 | if (TIFFFieldSet(tif,FIELD_THRESHHOLDING)) { | ||
276 | fprintf(fd, " Thresholding: "); | ||
277 | switch (td->td_threshholding) { | ||
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2022-3970.patch b/meta/recipes-multimedia/libtiff/files/CVE-2022-3970.patch new file mode 100644 index 0000000000..ea70827cbe --- /dev/null +++ b/meta/recipes-multimedia/libtiff/files/CVE-2022-3970.patch | |||
@@ -0,0 +1,45 @@ | |||
1 | From 7e87352217d1f0c77eee7033ac59e3aab08532bb Mon Sep 17 00:00:00 2001 | ||
2 | From: Even Rouault <even.rouault@spatialys.com> | ||
3 | Date: Tue, 8 Nov 2022 15:16:58 +0100 | ||
4 | Subject: [PATCH] TIFFReadRGBATileExt(): fix (unsigned) integer overflow on | ||
5 | |||
6 | Upstream-Status: Backport [import from debian http://security.debian.org/debian-security/pool/updates/main/t/tiff/tiff_4.1.0+git191117-2~deb10u7.debian.tar.xz ] | ||
7 | CVE: CVE-2022-3970 | ||
8 | Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> | ||
9 | |||
10 | Origin: https://gitlab.com/libtiff/libtiff/-/commit/227500897dfb07fb7d27f7aa570050e62617e3be | ||
11 | Reviewed-by: Sylvain Beucler <beuc@debian.org> | ||
12 | Last-Update: 2023-01-17 | ||
13 | |||
14 | strips/tiles > 2 GB | ||
15 | |||
16 | Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=53137 | ||
17 | |||
18 | --- | ||
19 | libtiff/tif_getimage.c | 8 ++++---- | ||
20 | 1 file changed, 4 insertions(+), 4 deletions(-) | ||
21 | |||
22 | diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c | ||
23 | index 96ab146..0b90dcc 100644 | ||
24 | --- a/libtiff/tif_getimage.c | ||
25 | +++ b/libtiff/tif_getimage.c | ||
26 | @@ -3042,15 +3042,15 @@ TIFFReadRGBATileExt(TIFF* tif, uint32 col, uint32 row, uint32 * raster, int stop | ||
27 | return( ok ); | ||
28 | |||
29 | for( i_row = 0; i_row < read_ysize; i_row++ ) { | ||
30 | - memmove( raster + (tile_ysize - i_row - 1) * tile_xsize, | ||
31 | - raster + (read_ysize - i_row - 1) * read_xsize, | ||
32 | + memmove( raster + (size_t)(tile_ysize - i_row - 1) * tile_xsize, | ||
33 | + raster + (size_t)(read_ysize - i_row - 1) * read_xsize, | ||
34 | read_xsize * sizeof(uint32) ); | ||
35 | - _TIFFmemset( raster + (tile_ysize - i_row - 1) * tile_xsize+read_xsize, | ||
36 | + _TIFFmemset( raster + (size_t)(tile_ysize - i_row - 1) * tile_xsize+read_xsize, | ||
37 | 0, sizeof(uint32) * (tile_xsize - read_xsize) ); | ||
38 | } | ||
39 | |||
40 | for( i_row = read_ysize; i_row < tile_ysize; i_row++ ) { | ||
41 | - _TIFFmemset( raster + (tile_ysize - i_row - 1) * tile_xsize, | ||
42 | + _TIFFmemset( raster + (size_t)(tile_ysize - i_row - 1) * tile_xsize, | ||
43 | 0, sizeof(uint32) * tile_xsize ); | ||
44 | } | ||
45 | |||
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2022-40090.patch b/meta/recipes-multimedia/libtiff/files/CVE-2022-40090.patch new file mode 100644 index 0000000000..0a88f59553 --- /dev/null +++ b/meta/recipes-multimedia/libtiff/files/CVE-2022-40090.patch | |||
@@ -0,0 +1,548 @@ | |||
1 | From d385738335deb0c4bb70449f12e411f2203c0d01 Mon Sep 17 00:00:00 2001 | ||
2 | From: Su_Laus <sulau@freenet.de> | ||
3 | Date: Fri, 2 Sep 2022 21:20:28 +0200 | ||
4 | Subject: [PATCH 1/4] Improved IFD-Loop Handling (fixes #455) | ||
5 | |||
6 | Basic approach: | ||
7 | - The order in the entire chain must be checked, and not only whether an offset has already been read once. | ||
8 | - To do this, pairs of directory number and offset are stored and checked. | ||
9 | - The offset of a directory number can change. | ||
10 | - TIFFAdvanceDirectory() must also perform an IFD loop check. | ||
11 | - TIFFCheckDirOffset() is replaced by _TIFFCheckDirNumberAndOffset(). | ||
12 | |||
13 | Rules for the check: | ||
14 | - If an offset is already in the list, it must have the same IFD number. Otherwise it is an IDF loop. | ||
15 | - If the offset is not in the list and the IFD number is greater than there are list entries, a new list entry is added. | ||
16 | - Otherwise, the offset of the IFD number is updated. | ||
17 | |||
18 | Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/tiff/tree/debian/patches/CVE-2022-40090.patch?h=ubuntu/focal-security | ||
19 | Upstream commit | ||
20 | https://gitlab.com/libtiff/libtiff/-/commit/c7caec9a4d8f24c17e667480d2c7d0d51c9fae41] | ||
21 | CVE: CVE-2022-40090 | ||
22 | Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> | ||
23 | --- | ||
24 | libtiff/tif_close.c | 6 ++- | ||
25 | libtiff/tif_dir.c | 91 +++++++++++++++++++++++++---------------- | ||
26 | libtiff/tif_dir.h | 1 + | ||
27 | libtiff/tif_dirread.c | 94 ++++++++++++++++++++++++++++++------------- | ||
28 | libtiff/tif_open.c | 3 +- | ||
29 | libtiff/tiffiop.h | 3 +- | ||
30 | 6 files changed, 131 insertions(+), 67 deletions(-) | ||
31 | |||
32 | --- tiff-4.1.0+git191117.orig/libtiff/tif_close.c | ||
33 | +++ tiff-4.1.0+git191117/libtiff/tif_close.c | ||
34 | @@ -52,8 +52,10 @@ TIFFCleanup(TIFF* tif) | ||
35 | (*tif->tif_cleanup)(tif); | ||
36 | TIFFFreeDirectory(tif); | ||
37 | |||
38 | - if (tif->tif_dirlist) | ||
39 | - _TIFFfree(tif->tif_dirlist); | ||
40 | + if (tif->tif_dirlistoff) | ||
41 | + _TIFFfree(tif->tif_dirlistoff); | ||
42 | + if (tif->tif_dirlistdirn) | ||
43 | + _TIFFfree(tif->tif_dirlistdirn); | ||
44 | |||
45 | /* | ||
46 | * Clean up client info links. | ||
47 | --- tiff-4.1.0+git191117.orig/libtiff/tif_dir.c | ||
48 | +++ tiff-4.1.0+git191117/libtiff/tif_dir.c | ||
49 | @@ -1463,12 +1463,22 @@ TIFFDefaultDirectory(TIFF* tif) | ||
50 | } | ||
51 | |||
52 | static int | ||
53 | -TIFFAdvanceDirectory(TIFF* tif, uint64* nextdir, uint64* off) | ||
54 | +TIFFAdvanceDirectory(TIFF* tif, uint64* nextdiroff, uint64* off, uint16* nextdirnum) | ||
55 | { | ||
56 | static const char module[] = "TIFFAdvanceDirectory"; | ||
57 | + | ||
58 | + /* Add this directory to the directory list, if not already in. */ | ||
59 | + if (!_TIFFCheckDirNumberAndOffset(tif, *nextdirnum, *nextdiroff)) { | ||
60 | + TIFFErrorExt(tif->tif_clientdata, module, "Starting directory %hu at offset 0x%lx (%lu) might cause an IFD loop", | ||
61 | + *nextdirnum, *nextdiroff, *nextdiroff); | ||
62 | + *nextdiroff = 0; | ||
63 | + *nextdirnum = 0; | ||
64 | + return(0); | ||
65 | + } | ||
66 | + | ||
67 | if (isMapped(tif)) | ||
68 | { | ||
69 | - uint64 poff=*nextdir; | ||
70 | + uint64 poff=*nextdiroff; | ||
71 | if (!(tif->tif_flags&TIFF_BIGTIFF)) | ||
72 | { | ||
73 | tmsize_t poffa,poffb,poffc,poffd; | ||
74 | @@ -1479,7 +1489,7 @@ TIFFAdvanceDirectory(TIFF* tif, uint64* | ||
75 | if (((uint64)poffa!=poff)||(poffb<poffa)||(poffb<(tmsize_t)sizeof(uint16))||(poffb>tif->tif_size)) | ||
76 | { | ||
77 | TIFFErrorExt(tif->tif_clientdata,module,"Error fetching directory count"); | ||
78 | - *nextdir=0; | ||
79 | + *nextdiroff=0; | ||
80 | return(0); | ||
81 | } | ||
82 | _TIFFmemcpy(&dircount,tif->tif_base+poffa,sizeof(uint16)); | ||
83 | @@ -1497,7 +1507,7 @@ TIFFAdvanceDirectory(TIFF* tif, uint64* | ||
84 | _TIFFmemcpy(&nextdir32,tif->tif_base+poffc,sizeof(uint32)); | ||
85 | if (tif->tif_flags&TIFF_SWAB) | ||
86 | TIFFSwabLong(&nextdir32); | ||
87 | - *nextdir=nextdir32; | ||
88 | + *nextdiroff=nextdir32; | ||
89 | } | ||
90 | else | ||
91 | { | ||
92 | @@ -1529,11 +1539,10 @@ TIFFAdvanceDirectory(TIFF* tif, uint64* | ||
93 | } | ||
94 | if (off!=NULL) | ||
95 | *off=(uint64)poffc; | ||
96 | - _TIFFmemcpy(nextdir,tif->tif_base+poffc,sizeof(uint64)); | ||
97 | + _TIFFmemcpy(nextdiroff,tif->tif_base+poffc,sizeof(uint64)); | ||
98 | if (tif->tif_flags&TIFF_SWAB) | ||
99 | - TIFFSwabLong8(nextdir); | ||
100 | + TIFFSwabLong8(nextdiroff); | ||
101 | } | ||
102 | - return(1); | ||
103 | } | ||
104 | else | ||
105 | { | ||
106 | @@ -1541,7 +1550,7 @@ TIFFAdvanceDirectory(TIFF* tif, uint64* | ||
107 | { | ||
108 | uint16 dircount; | ||
109 | uint32 nextdir32; | ||
110 | - if (!SeekOK(tif, *nextdir) || | ||
111 | + if (!SeekOK(tif, *nextdiroff) || | ||
112 | !ReadOK(tif, &dircount, sizeof (uint16))) { | ||
113 | TIFFErrorExt(tif->tif_clientdata, module, "%s: Error fetching directory count", | ||
114 | tif->tif_name); | ||
115 | @@ -1562,13 +1571,13 @@ TIFFAdvanceDirectory(TIFF* tif, uint64* | ||
116 | } | ||
117 | if (tif->tif_flags & TIFF_SWAB) | ||
118 | TIFFSwabLong(&nextdir32); | ||
119 | - *nextdir=nextdir32; | ||
120 | + *nextdiroff=nextdir32; | ||
121 | } | ||
122 | else | ||
123 | { | ||
124 | uint64 dircount64; | ||
125 | uint16 dircount16; | ||
126 | - if (!SeekOK(tif, *nextdir) || | ||
127 | + if (!SeekOK(tif, *nextdiroff) || | ||
128 | !ReadOK(tif, &dircount64, sizeof (uint64))) { | ||
129 | TIFFErrorExt(tif->tif_clientdata, module, "%s: Error fetching directory count", | ||
130 | tif->tif_name); | ||
131 | @@ -1588,17 +1597,27 @@ TIFFAdvanceDirectory(TIFF* tif, uint64* | ||
132 | else | ||
133 | (void) TIFFSeekFile(tif, | ||
134 | dircount16*20, SEEK_CUR); | ||
135 | - if (!ReadOK(tif, nextdir, sizeof (uint64))) { | ||
136 | + if (!ReadOK(tif, nextdiroff, sizeof (uint64))) { | ||
137 | TIFFErrorExt(tif->tif_clientdata, module, | ||
138 | "%s: Error fetching directory link", | ||
139 | tif->tif_name); | ||
140 | return (0); | ||
141 | } | ||
142 | if (tif->tif_flags & TIFF_SWAB) | ||
143 | - TIFFSwabLong8(nextdir); | ||
144 | + TIFFSwabLong8(nextdiroff); | ||
145 | } | ||
146 | - return (1); | ||
147 | } | ||
148 | + if (*nextdiroff != 0) { | ||
149 | + (*nextdirnum)++; | ||
150 | + /* Check next directory for IFD looping and if so, set it as last directory. */ | ||
151 | + if (!_TIFFCheckDirNumberAndOffset(tif, *nextdirnum, *nextdiroff)) { | ||
152 | + TIFFWarningExt(tif->tif_clientdata, module, "the next directory %hu at offset 0x%lx (%lu) might be an IFD loop. Treating directory %hu as last directory", | ||
153 | + *nextdirnum, *nextdiroff, *nextdiroff, *nextdirnum-1); | ||
154 | + *nextdiroff = 0; | ||
155 | + (*nextdirnum)--; | ||
156 | + } | ||
157 | + } | ||
158 | + return (1); | ||
159 | } | ||
160 | |||
161 | /* | ||
162 | @@ -1608,14 +1627,16 @@ uint16 | ||
163 | TIFFNumberOfDirectories(TIFF* tif) | ||
164 | { | ||
165 | static const char module[] = "TIFFNumberOfDirectories"; | ||
166 | - uint64 nextdir; | ||
167 | + uint64 nextdiroff; | ||
168 | + uint16 nextdirnum; | ||
169 | uint16 n; | ||
170 | if (!(tif->tif_flags&TIFF_BIGTIFF)) | ||
171 | - nextdir = tif->tif_header.classic.tiff_diroff; | ||
172 | + nextdiroff = tif->tif_header.classic.tiff_diroff; | ||
173 | else | ||
174 | - nextdir = tif->tif_header.big.tiff_diroff; | ||
175 | + nextdiroff = tif->tif_header.big.tiff_diroff; | ||
176 | + nextdirnum = 0; | ||
177 | n = 0; | ||
178 | - while (nextdir != 0 && TIFFAdvanceDirectory(tif, &nextdir, NULL)) | ||
179 | + while (nextdiroff != 0 && TIFFAdvanceDirectory(tif, &nextdiroff, NULL, &nextdirnum)) | ||
180 | { | ||
181 | if (n != 65535) { | ||
182 | ++n; | ||
183 | @@ -1638,28 +1659,30 @@ TIFFNumberOfDirectories(TIFF* tif) | ||
184 | int | ||
185 | TIFFSetDirectory(TIFF* tif, uint16 dirn) | ||
186 | { | ||
187 | - uint64 nextdir; | ||
188 | + uint64 nextdiroff; | ||
189 | + uint16 nextdirnum; | ||
190 | uint16 n; | ||
191 | |||
192 | if (!(tif->tif_flags&TIFF_BIGTIFF)) | ||
193 | - nextdir = tif->tif_header.classic.tiff_diroff; | ||
194 | + nextdiroff = tif->tif_header.classic.tiff_diroff; | ||
195 | else | ||
196 | - nextdir = tif->tif_header.big.tiff_diroff; | ||
197 | - for (n = dirn; n > 0 && nextdir != 0; n--) | ||
198 | - if (!TIFFAdvanceDirectory(tif, &nextdir, NULL)) | ||
199 | + nextdiroff = tif->tif_header.big.tiff_diroff; | ||
200 | + nextdirnum = 0; | ||
201 | + for (n = dirn; n > 0 && nextdiroff != 0; n--) | ||
202 | + if (!TIFFAdvanceDirectory(tif, &nextdiroff, NULL, &nextdirnum)) | ||
203 | return (0); | ||
204 | - tif->tif_nextdiroff = nextdir; | ||
205 | + /* If the n-th directory could not be reached (does not exist), | ||
206 | + * return here without touching anything further. */ | ||
207 | + if (nextdiroff == 0 || n > 0) | ||
208 | + return (0); | ||
209 | + | ||
210 | + tif->tif_nextdiroff = nextdiroff; | ||
211 | /* | ||
212 | * Set curdir to the actual directory index. The | ||
213 | * -1 is because TIFFReadDirectory will increment | ||
214 | * tif_curdir after successfully reading the directory. | ||
215 | */ | ||
216 | tif->tif_curdir = (dirn - n) - 1; | ||
217 | - /* | ||
218 | - * Reset tif_dirnumber counter and start new list of seen directories. | ||
219 | - * We need this to prevent IFD loops. | ||
220 | - */ | ||
221 | - tif->tif_dirnumber = 0; | ||
222 | return (TIFFReadDirectory(tif)); | ||
223 | } | ||
224 | |||
225 | @@ -1672,13 +1695,42 @@ TIFFSetDirectory(TIFF* tif, uint16 dirn) | ||
226 | int | ||
227 | TIFFSetSubDirectory(TIFF* tif, uint64 diroff) | ||
228 | { | ||
229 | - tif->tif_nextdiroff = diroff; | ||
230 | - /* | ||
231 | - * Reset tif_dirnumber counter and start new list of seen directories. | ||
232 | - * We need this to prevent IFD loops. | ||
233 | + /* Match nextdiroff and curdir for consistent IFD-loop checking. | ||
234 | + * Only with TIFFSetSubDirectory() the IFD list can be corrupted with invalid offsets | ||
235 | + * within the main IFD tree. | ||
236 | + * In the case of several subIFDs of a main image, | ||
237 | + * there are two possibilities that are not even mutually exclusive. | ||
238 | + * a.) The subIFD tag contains an array with all offsets of the subIFDs. | ||
239 | + * b.) The SubIFDs are concatenated with their NextIFD parameters. | ||
240 | + * (refer to https://www.awaresystems.be/imaging/tiff/specification/TIFFPM6.pdf.) | ||
241 | */ | ||
242 | - tif->tif_dirnumber = 0; | ||
243 | - return (TIFFReadDirectory(tif)); | ||
244 | + int retval; | ||
245 | + uint16 curdir = 0; | ||
246 | + int8 probablySubIFD = 0; | ||
247 | + if (diroff == 0) { | ||
248 | + /* Special case to invalidate the tif_lastdiroff member. */ | ||
249 | + tif->tif_curdir = 65535; | ||
250 | + } else { | ||
251 | + if (!_TIFFGetDirNumberFromOffset(tif, diroff, &curdir)) { | ||
252 | + /* Non-existing offsets might point to a SubIFD or invalid IFD.*/ | ||
253 | + probablySubIFD = 1; | ||
254 | + } | ||
255 | + /* -1 because TIFFReadDirectory() will increment tif_curdir. */ | ||
256 | + tif->tif_curdir = curdir - 1; | ||
257 | + } | ||
258 | + | ||
259 | + tif->tif_nextdiroff = diroff; | ||
260 | + retval = TIFFReadDirectory(tif); | ||
261 | + /* If failed, curdir was not incremented in TIFFReadDirectory(), so set it back. */ | ||
262 | + if (!retval )tif->tif_curdir++; | ||
263 | + if (retval && probablySubIFD) { | ||
264 | + /* Reset IFD list to start new one for SubIFD chain and also start SubIFD chain with tif_curdir=0. */ | ||
265 | + tif->tif_dirnumber = 0; | ||
266 | + tif->tif_curdir = 0; /* first directory of new chain */ | ||
267 | + /* add this offset to new IFD list */ | ||
268 | + _TIFFCheckDirNumberAndOffset(tif, tif->tif_curdir, diroff); | ||
269 | + } | ||
270 | + return (retval); | ||
271 | } | ||
272 | |||
273 | /* | ||
274 | @@ -1702,12 +1754,15 @@ TIFFLastDirectory(TIFF* tif) | ||
275 | |||
276 | /* | ||
277 | * Unlink the specified directory from the directory chain. | ||
278 | + * Note: First directory starts with number dirn=1. | ||
279 | + * This is different to TIFFSetDirectory() where the first directory starts with zero. | ||
280 | */ | ||
281 | int | ||
282 | TIFFUnlinkDirectory(TIFF* tif, uint16 dirn) | ||
283 | { | ||
284 | static const char module[] = "TIFFUnlinkDirectory"; | ||
285 | uint64 nextdir; | ||
286 | + uint16 nextdirnum; | ||
287 | uint64 off; | ||
288 | uint16 n; | ||
289 | |||
290 | @@ -1731,19 +1786,21 @@ TIFFUnlinkDirectory(TIFF* tif, uint16 di | ||
291 | nextdir = tif->tif_header.big.tiff_diroff; | ||
292 | off = 8; | ||
293 | } | ||
294 | + nextdirnum = 0; /* First directory is dirn=0 */ | ||
295 | + | ||
296 | for (n = dirn-1; n > 0; n--) { | ||
297 | if (nextdir == 0) { | ||
298 | TIFFErrorExt(tif->tif_clientdata, module, "Directory %d does not exist", dirn); | ||
299 | return (0); | ||
300 | } | ||
301 | - if (!TIFFAdvanceDirectory(tif, &nextdir, &off)) | ||
302 | + if (!TIFFAdvanceDirectory(tif, &nextdir, &off, &nextdirnum)) | ||
303 | return (0); | ||
304 | } | ||
305 | /* | ||
306 | * Advance to the directory to be unlinked and fetch | ||
307 | * the offset of the directory that follows. | ||
308 | */ | ||
309 | - if (!TIFFAdvanceDirectory(tif, &nextdir, NULL)) | ||
310 | + if (!TIFFAdvanceDirectory(tif, &nextdir, NULL, &nextdirnum)) | ||
311 | return (0); | ||
312 | /* | ||
313 | * Go back and patch the link field of the preceding | ||
314 | --- tiff-4.1.0+git191117.orig/libtiff/tif_dir.h | ||
315 | +++ tiff-4.1.0+git191117/libtiff/tif_dir.h | ||
316 | @@ -300,6 +300,8 @@ extern int _TIFFMergeFields(TIFF*, const | ||
317 | extern const TIFFField* _TIFFFindOrRegisterField(TIFF *, uint32, TIFFDataType); | ||
318 | extern TIFFField* _TIFFCreateAnonField(TIFF *, uint32, TIFFDataType); | ||
319 | extern int _TIFFCheckFieldIsValidForCodec(TIFF *tif, ttag_t tag); | ||
320 | +extern int _TIFFCheckDirNumberAndOffset(TIFF *tif, uint16 dirn, uint64 diroff); | ||
321 | +extern int _TIFFGetDirNumberFromOffset(TIFF *tif, uint64 diroff, uint16 *dirn); | ||
322 | |||
323 | #if defined(__cplusplus) | ||
324 | } | ||
325 | --- tiff-4.1.0+git191117.orig/libtiff/tif_dirread.c | ||
326 | +++ tiff-4.1.0+git191117/libtiff/tif_dirread.c | ||
327 | @@ -158,7 +158,6 @@ static void TIFFReadDirectoryFindFieldIn | ||
328 | |||
329 | static int EstimateStripByteCounts(TIFF* tif, TIFFDirEntry* dir, uint16 dircount); | ||
330 | static void MissingRequired(TIFF*, const char*); | ||
331 | -static int TIFFCheckDirOffset(TIFF* tif, uint64 diroff); | ||
332 | static int CheckDirCount(TIFF*, TIFFDirEntry*, uint32); | ||
333 | static uint16 TIFFFetchDirectory(TIFF* tif, uint64 diroff, TIFFDirEntry** pdir, uint64* nextdiroff); | ||
334 | static int TIFFFetchNormalTag(TIFF*, TIFFDirEntry*, int recover); | ||
335 | @@ -3584,12 +3583,19 @@ TIFFReadDirectory(TIFF* tif) | ||
336 | int bitspersample_read = FALSE; | ||
337 | int color_channels; | ||
338 | |||
339 | - tif->tif_diroff=tif->tif_nextdiroff; | ||
340 | - if (!TIFFCheckDirOffset(tif,tif->tif_nextdiroff)) | ||
341 | - return 0; /* last offset or bad offset (IFD looping) */ | ||
342 | - (*tif->tif_cleanup)(tif); /* cleanup any previous compression state */ | ||
343 | - tif->tif_curdir++; | ||
344 | - nextdiroff = tif->tif_nextdiroff; | ||
345 | + if (tif->tif_nextdiroff == 0) { | ||
346 | + /* In this special case, tif_diroff needs also to be set to 0. */ | ||
347 | + tif->tif_diroff = tif->tif_nextdiroff; | ||
348 | + return 0; /* last offset, thus no checking necessary */ | ||
349 | + } | ||
350 | + | ||
351 | + nextdiroff = tif->tif_nextdiroff; | ||
352 | + /* tif_curdir++ and tif_nextdiroff should only be updated after SUCCESSFUL reading of the directory. Otherwise, invalid IFD offsets could corrupt the IFD list. */ | ||
353 | + if (!_TIFFCheckDirNumberAndOffset(tif, tif->tif_curdir + 1, nextdiroff)) { | ||
354 | + TIFFWarningExt(tif->tif_clientdata, module, | ||
355 | + "Didn't read next directory due to IFD looping at offset 0x%lx (%lu) to offset 0x%lx (%lu)", tif->tif_diroff, tif->tif_diroff, nextdiroff, nextdiroff); | ||
356 | + return 0; /* bad offset (IFD looping) */ | ||
357 | + } | ||
358 | dircount=TIFFFetchDirectory(tif,nextdiroff,&dir,&tif->tif_nextdiroff); | ||
359 | if (!dircount) | ||
360 | { | ||
361 | @@ -3597,6 +3603,11 @@ TIFFReadDirectory(TIFF* tif) | ||
362 | "Failed to read directory at offset " TIFF_UINT64_FORMAT,nextdiroff); | ||
363 | return 0; | ||
364 | } | ||
365 | + /* Set global values after a valid directory has been fetched. | ||
366 | + * tif_diroff is already set to nextdiroff in TIFFFetchDirectory() in the beginning. */ | ||
367 | + tif->tif_curdir++; | ||
368 | + (*tif->tif_cleanup)(tif); /* cleanup any previous compression state */ | ||
369 | + | ||
370 | TIFFReadDirectoryCheckOrder(tif,dir,dircount); | ||
371 | |||
372 | /* | ||
373 | @@ -4628,13 +4639,17 @@ MissingRequired(TIFF* tif, const char* t | ||
374 | } | ||
375 | |||
376 | /* | ||
377 | - * Check the directory offset against the list of already seen directory | ||
378 | - * offsets. This is a trick to prevent IFD looping. The one can create TIFF | ||
379 | - * file with looped directory pointers. We will maintain a list of already | ||
380 | - * seen directories and check every IFD offset against that list. | ||
381 | + * Check the directory number and offset against the list of already seen | ||
382 | + * directory numbers and offsets. This is a trick to prevent IFD looping. | ||
383 | + * The one can create TIFF file with looped directory pointers. We will | ||
384 | + * maintain a list of already seen directories and check every IFD offset | ||
385 | + * and its IFD number against that list. However, the offset of an IFD number | ||
386 | + * can change - e.g. when writing updates to file. | ||
387 | + * Returns 1 if all is ok; 0 if last directory or IFD loop is encountered, | ||
388 | + * or an error has occured. | ||
389 | */ | ||
390 | -static int | ||
391 | -TIFFCheckDirOffset(TIFF* tif, uint64 diroff) | ||
392 | +int | ||
393 | +_TIFFCheckDirNumberAndOffset(TIFF* tif, uint16 dirn, uint64 diroff) | ||
394 | { | ||
395 | uint16 n; | ||
396 | |||
397 | @@ -4646,35 +4661,64 @@ TIFFCheckDirOffset(TIFF* tif, uint64 dir | ||
398 | return 0; | ||
399 | } | ||
400 | |||
401 | - for (n = 0; n < tif->tif_dirnumber && tif->tif_dirlist; n++) { | ||
402 | - if (tif->tif_dirlist[n] == diroff) | ||
403 | - return 0; | ||
404 | + /* Check if offset is already in the list: | ||
405 | + * - yes: check, if offset is at the same IFD number - if not, it is an IFD loop | ||
406 | + * - no: add to list or update offset at that IFD number | ||
407 | + */ | ||
408 | + for (n = 0; n < tif->tif_dirnumber && tif->tif_dirlistdirn && tif->tif_dirlistoff; n++) { | ||
409 | + if (tif->tif_dirlistoff[n] == diroff) { | ||
410 | + if (tif->tif_dirlistdirn[n] == dirn) { | ||
411 | + return 1; | ||
412 | + } else { | ||
413 | + TIFFWarningExt(tif->tif_clientdata, "_TIFFCheckDirNumberAndOffset", | ||
414 | + "TIFF directory %hu has IFD looping to directory %hu at offset 0x%lx (%lu)", | ||
415 | + dirn-1, tif->tif_dirlistdirn[n], diroff, diroff); | ||
416 | + return 0; | ||
417 | + } | ||
418 | + } | ||
419 | + } | ||
420 | + /* Check if offset of an IFD has been changed and update offset of that IFD number. */ | ||
421 | + if (dirn < tif->tif_dirnumber && tif->tif_dirlistdirn && tif->tif_dirlistoff) { | ||
422 | + /* tif_dirlistdirn can have IFD numbers dirn in random order */ | ||
423 | + for (n = 0; n < tif->tif_dirnumber; n++) { | ||
424 | + if (tif->tif_dirlistdirn[n] == dirn) { | ||
425 | + tif->tif_dirlistoff[n] = diroff; | ||
426 | + return 1; | ||
427 | + } | ||
428 | + } | ||
429 | } | ||
430 | |||
431 | + /* Add IFD offset and dirn to IFD directory list */ | ||
432 | tif->tif_dirnumber++; | ||
433 | |||
434 | - if (tif->tif_dirlist == NULL || tif->tif_dirnumber > tif->tif_dirlistsize) { | ||
435 | - uint64* new_dirlist; | ||
436 | - | ||
437 | + if (tif->tif_dirlistoff == NULL || tif->tif_dirlistdirn == NULL || tif->tif_dirnumber > tif->tif_dirlistsize) { | ||
438 | + uint64 *new_dirlist; | ||
439 | /* | ||
440 | * XXX: Reduce memory allocation granularity of the dirlist | ||
441 | * array. | ||
442 | */ | ||
443 | - new_dirlist = (uint64*)_TIFFCheckRealloc(tif, tif->tif_dirlist, | ||
444 | - tif->tif_dirnumber, 2 * sizeof(uint64), "for IFD list"); | ||
445 | + if (tif->tif_dirnumber >= 32768) | ||
446 | + tif->tif_dirlistsize = 65535; | ||
447 | + else | ||
448 | + tif->tif_dirlistsize = 2 * tif->tif_dirnumber; | ||
449 | + | ||
450 | + new_dirlist = (uint64 *)_TIFFCheckRealloc(tif, tif->tif_dirlistoff, | ||
451 | + tif->tif_dirlistsize, sizeof(uint64), "for IFD offset list"); | ||
452 | if (!new_dirlist) | ||
453 | return 0; | ||
454 | - if( tif->tif_dirnumber >= 32768 ) | ||
455 | - tif->tif_dirlistsize = 65535; | ||
456 | - else | ||
457 | - tif->tif_dirlistsize = 2 * tif->tif_dirnumber; | ||
458 | - tif->tif_dirlist = new_dirlist; | ||
459 | + tif->tif_dirlistoff = new_dirlist; | ||
460 | + new_dirlist = (uint64 *)_TIFFCheckRealloc(tif, tif->tif_dirlistdirn, | ||
461 | + tif->tif_dirlistsize, sizeof(uint16), "for IFD dirnumber list"); | ||
462 | + if (!new_dirlist) | ||
463 | + return 0; | ||
464 | + tif->tif_dirlistdirn = (uint16 *)new_dirlist; | ||
465 | } | ||
466 | |||
467 | - tif->tif_dirlist[tif->tif_dirnumber - 1] = diroff; | ||
468 | + tif->tif_dirlistoff[tif->tif_dirnumber - 1] = diroff; | ||
469 | + tif->tif_dirlistdirn[tif->tif_dirnumber - 1] = dirn; | ||
470 | |||
471 | return 1; | ||
472 | -} | ||
473 | +} /* --- _TIFFCheckDirNumberAndOffset() ---*/ | ||
474 | |||
475 | /* | ||
476 | * Check the count field of a directory entry against a known value. The | ||
477 | @@ -4703,6 +4747,47 @@ CheckDirCount(TIFF* tif, TIFFDirEntry* d | ||
478 | } | ||
479 | |||
480 | /* | ||
481 | + * Retrieve the matching IFD directory number of a given IFD offset | ||
482 | + * from the list of directories already seen. | ||
483 | + * Returns 1 if the offset was in the list and the directory number | ||
484 | + * can be returned. | ||
485 | + * Otherwise returns 0 or if an error occured. | ||
486 | + */ | ||
487 | +int | ||
488 | +_TIFFGetDirNumberFromOffset(TIFF *tif, uint64 diroff, uint16* dirn) | ||
489 | +{ | ||
490 | + uint16 n; | ||
491 | + | ||
492 | + if (diroff == 0) /* no more directories */ | ||
493 | + return 0; | ||
494 | + if (tif->tif_dirnumber == 65535) { | ||
495 | + TIFFErrorExt(tif->tif_clientdata, "_TIFFGetDirNumberFromOffset", | ||
496 | + "Cannot handle more than 65535 TIFF directories"); | ||
497 | + return 0; | ||
498 | + } | ||
499 | + | ||
500 | + /* Check if offset is already in the list and return matching directory number. | ||
501 | + * Otherwise update IFD list using TIFFNumberOfDirectories() | ||
502 | + * and search again in IFD list. | ||
503 | + */ | ||
504 | + for (n = 0; n < tif->tif_dirnumber && tif->tif_dirlistoff && tif->tif_dirlistdirn; n++) { | ||
505 | + if (tif->tif_dirlistoff[n] == diroff) { | ||
506 | + *dirn = tif->tif_dirlistdirn[n]; | ||
507 | + return 1; | ||
508 | + } | ||
509 | + } | ||
510 | + TIFFNumberOfDirectories(tif); | ||
511 | + for (n = 0; n < tif->tif_dirnumber && tif->tif_dirlistoff && tif->tif_dirlistdirn; n++) { | ||
512 | + if (tif->tif_dirlistoff[n] == diroff) { | ||
513 | + *dirn = tif->tif_dirlistdirn[n]; | ||
514 | + return 1; | ||
515 | + } | ||
516 | + } | ||
517 | + return 0; | ||
518 | +} /*--- _TIFFGetDirNumberFromOffset() ---*/ | ||
519 | + | ||
520 | + | ||
521 | +/* | ||
522 | * Read IFD structure from the specified offset. If the pointer to | ||
523 | * nextdiroff variable has been specified, read it too. Function returns a | ||
524 | * number of fields in the directory or 0 if failed. | ||
525 | --- tiff-4.1.0+git191117.orig/libtiff/tif_open.c | ||
526 | +++ tiff-4.1.0+git191117/libtiff/tif_open.c | ||
527 | @@ -353,7 +353,8 @@ TIFFClientOpen( | ||
528 | if (!TIFFDefaultDirectory(tif)) | ||
529 | goto bad; | ||
530 | tif->tif_diroff = 0; | ||
531 | - tif->tif_dirlist = NULL; | ||
532 | + tif->tif_dirlistoff = NULL; | ||
533 | + tif->tif_dirlistdirn = NULL; | ||
534 | tif->tif_dirlistsize = 0; | ||
535 | tif->tif_dirnumber = 0; | ||
536 | return (tif); | ||
537 | --- tiff-4.1.0+git191117.orig/libtiff/tiffiop.h | ||
538 | +++ tiff-4.1.0+git191117/libtiff/tiffiop.h | ||
539 | @@ -145,7 +145,8 @@ struct tiff { | ||
540 | #define TIFF_CHOPPEDUPARRAYS 0x4000000U /* set when allocChoppedUpStripArrays() has modified strip array */ | ||
541 | uint64 tif_diroff; /* file offset of current directory */ | ||
542 | uint64 tif_nextdiroff; /* file offset of following directory */ | ||
543 | - uint64* tif_dirlist; /* list of offsets to already seen directories to prevent IFD looping */ | ||
544 | + uint64* tif_dirlistoff; /* list of offsets to already seen directories to prevent IFD looping */ | ||
545 | + uint16* tif_dirlistdirn; /* list of directory numbers to already seen directories to prevent IFD looping */ | ||
546 | uint16 tif_dirlistsize; /* number of entries in offset list */ | ||
547 | uint16 tif_dirnumber; /* number of already seen directories */ | ||
548 | TIFFDirectory tif_dir; /* internal rep of current directory */ | ||
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2022-48281.patch b/meta/recipes-multimedia/libtiff/files/CVE-2022-48281.patch new file mode 100644 index 0000000000..5747202bd9 --- /dev/null +++ b/meta/recipes-multimedia/libtiff/files/CVE-2022-48281.patch | |||
@@ -0,0 +1,26 @@ | |||
1 | From 424c82b5b33256e7f03faace51dc8010f3ded9ff Mon Sep 17 00:00:00 2001 | ||
2 | From: Su Laus <sulau@freenet.de> | ||
3 | Date: Sat, 21 Jan 2023 15:58:10 +0000 | ||
4 | Subject: [PATCH] tiffcrop: Correct simple copy paste error. Fix #488. | ||
5 | |||
6 | Upstream-Status: Backport [import from debian http://security.debian.org/debian-security/pool/updates/main/t/tiff/tiff_4.1.0+git191117-2~deb10u7.debian.tar.xz] | ||
7 | CVE: CVE-2022-48281 | ||
8 | Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> | ||
9 | |||
10 | --- | ||
11 | tools/tiffcrop.c | 2 +- | ||
12 | 1 file changed, 1 insertion(+), 1 deletion(-) | ||
13 | |||
14 | diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c | ||
15 | index a0789a3..8aed9cd 100644 | ||
16 | --- a/tools/tiffcrop.c | ||
17 | +++ b/tools/tiffcrop.c | ||
18 | @@ -7564,7 +7564,7 @@ processCropSelections(struct image_data *image, struct crop_mask *crop, | ||
19 | crop_buff = (unsigned char *)_TIFFmalloc(cropsize + NUM_BUFF_OVERSIZE_BYTES); | ||
20 | else | ||
21 | { | ||
22 | - prev_cropsize = seg_buffs[0].size; | ||
23 | + prev_cropsize = seg_buffs[i].size; | ||
24 | if (prev_cropsize < cropsize) | ||
25 | { | ||
26 | next_buff = _TIFFrealloc(crop_buff, cropsize + NUM_BUFF_OVERSIZE_BYTES); | ||
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2023-0795_0796_0797_0798_0799.patch b/meta/recipes-multimedia/libtiff/files/CVE-2023-0795_0796_0797_0798_0799.patch new file mode 100644 index 0000000000..253018525a --- /dev/null +++ b/meta/recipes-multimedia/libtiff/files/CVE-2023-0795_0796_0797_0798_0799.patch | |||
@@ -0,0 +1,157 @@ | |||
1 | From 7808740e100ba30ffb791044f3b14dec3e85ed6f Mon Sep 17 00:00:00 2001 | ||
2 | From: Markus Koschany <apo@debian.org> | ||
3 | Date: Tue, 21 Feb 2023 14:26:43 +0100 | ||
4 | Subject: [PATCH] CVE-2023-0795 | ||
5 | |||
6 | This is also the fix for CVE-2023-0796, CVE-2023-0797, CVE-2023-0798, | ||
7 | CVE-2023-0799. | ||
8 | |||
9 | Bug-Debian: https://bugs.debian.org/1031632 | ||
10 | Origin: https://gitlab.com/libtiff/libtiff/-/commit/afaabc3e50d4e5d80a94143f7e3c997e7e410f68 | ||
11 | |||
12 | Upstream-Status: Backport [import from debian http://security.debian.org/debian-security/pool/updates/main/t/tiff/tiff_4.1.0+git191117-2~deb10u7.debian.tar.xz ] | ||
13 | CVE: CVE-2023-0795 CVE-2023-0796 CVE-2023-0797 CVE-2023-0798 CVE-2023-0799 | ||
14 | Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> | ||
15 | --- | ||
16 | tools/tiffcrop.c | 51 ++++++++++++++++++++++++++++-------------------- | ||
17 | 1 file changed, 30 insertions(+), 21 deletions(-) | ||
18 | |||
19 | diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c | ||
20 | index 8aed9cd..f21a7d7 100644 | ||
21 | --- a/tools/tiffcrop.c | ||
22 | +++ b/tools/tiffcrop.c | ||
23 | @@ -277,7 +277,6 @@ struct region { | ||
24 | uint32 width; /* width in pixels */ | ||
25 | uint32 length; /* length in pixels */ | ||
26 | uint32 buffsize; /* size of buffer needed to hold the cropped region */ | ||
27 | - unsigned char *buffptr; /* address of start of the region */ | ||
28 | }; | ||
29 | |||
30 | /* Cropping parameters from command line and image data | ||
31 | @@ -532,7 +531,7 @@ static int rotateContigSamples24bits(uint16, uint16, uint16, uint32, | ||
32 | static int rotateContigSamples32bits(uint16, uint16, uint16, uint32, | ||
33 | uint32, uint32, uint8 *, uint8 *); | ||
34 | static int rotateImage(uint16, struct image_data *, uint32 *, uint32 *, | ||
35 | - unsigned char **); | ||
36 | + unsigned char **, int); | ||
37 | static int mirrorImage(uint16, uint16, uint16, uint32, uint32, | ||
38 | unsigned char *); | ||
39 | static int invertImage(uint16, uint16, uint16, uint32, uint32, | ||
40 | @@ -5112,7 +5111,6 @@ initCropMasks (struct crop_mask *cps) | ||
41 | cps->regionlist[i].width = 0; | ||
42 | cps->regionlist[i].length = 0; | ||
43 | cps->regionlist[i].buffsize = 0; | ||
44 | - cps->regionlist[i].buffptr = NULL; | ||
45 | cps->zonelist[i].position = 0; | ||
46 | cps->zonelist[i].total = 0; | ||
47 | } | ||
48 | @@ -6358,8 +6356,13 @@ static int correct_orientation(struct image_data *image, unsigned char **work_b | ||
49 | image->adjustments & ROTATE_ANY); | ||
50 | return (-1); | ||
51 | } | ||
52 | - | ||
53 | - if (rotateImage(rotation, image, &image->width, &image->length, work_buff_ptr)) | ||
54 | + | ||
55 | + /* Dummy variable in order not to switch two times the | ||
56 | + * image->width,->length within rotateImage(), | ||
57 | + * but switch xres, yres there. */ | ||
58 | + uint32_t width = image->width; | ||
59 | + uint32_t length = image->length; | ||
60 | + if (rotateImage(rotation, image, &width, &length, work_buff_ptr, TRUE)) | ||
61 | { | ||
62 | TIFFError ("correct_orientation", "Unable to rotate image"); | ||
63 | return (-1); | ||
64 | @@ -6427,7 +6430,6 @@ extractCompositeRegions(struct image_data *image, struct crop_mask *crop, | ||
65 | /* These should not be needed for composite images */ | ||
66 | crop->regionlist[i].width = crop_width; | ||
67 | crop->regionlist[i].length = crop_length; | ||
68 | - crop->regionlist[i].buffptr = crop_buff; | ||
69 | |||
70 | src_rowsize = ((img_width * bps * spp) + 7) / 8; | ||
71 | dst_rowsize = (((crop_width * bps * count) + 7) / 8); | ||
72 | @@ -6664,7 +6666,6 @@ extractSeparateRegion(struct image_data *image, struct crop_mask *crop, | ||
73 | |||
74 | crop->regionlist[region].width = crop_width; | ||
75 | crop->regionlist[region].length = crop_length; | ||
76 | - crop->regionlist[region].buffptr = crop_buff; | ||
77 | |||
78 | src = read_buff; | ||
79 | dst = crop_buff; | ||
80 | @@ -7542,7 +7543,7 @@ processCropSelections(struct image_data *image, struct crop_mask *crop, | ||
81 | if (crop->crop_mode & CROP_ROTATE) /* rotate should be last as it can reallocate the buffer */ | ||
82 | { | ||
83 | if (rotateImage(crop->rotation, image, &crop->combined_width, | ||
84 | - &crop->combined_length, &crop_buff)) | ||
85 | + &crop->combined_length, &crop_buff, FALSE)) | ||
86 | { | ||
87 | TIFFError("processCropSelections", | ||
88 | "Failed to rotate composite regions by %d degrees", crop->rotation); | ||
89 | @@ -7648,7 +7649,7 @@ processCropSelections(struct image_data *image, struct crop_mask *crop, | ||
90 | if (crop->crop_mode & CROP_ROTATE) /* rotate should be last as it can reallocate the buffer */ | ||
91 | { | ||
92 | if (rotateImage(crop->rotation, image, &crop->regionlist[i].width, | ||
93 | - &crop->regionlist[i].length, &crop_buff)) | ||
94 | + &crop->regionlist[i].length, &crop_buff, FALSE)) | ||
95 | { | ||
96 | TIFFError("processCropSelections", | ||
97 | "Failed to rotate crop region by %d degrees", crop->rotation); | ||
98 | @@ -7780,7 +7781,7 @@ createCroppedImage(struct image_data *image, struct crop_mask *crop, | ||
99 | if (crop->crop_mode & CROP_ROTATE) /* rotate should be last as it can reallocate the buffer */ | ||
100 | { | ||
101 | if (rotateImage(crop->rotation, image, &crop->combined_width, | ||
102 | - &crop->combined_length, crop_buff_ptr)) | ||
103 | + &crop->combined_length, crop_buff_ptr, TRUE)) | ||
104 | { | ||
105 | TIFFError("createCroppedImage", | ||
106 | "Failed to rotate image or cropped selection by %d degrees", crop->rotation); | ||
107 | @@ -8443,7 +8444,7 @@ rotateContigSamples32bits(uint16 rotation, uint16 spp, uint16 bps, uint32 width, | ||
108 | /* Rotate an image by a multiple of 90 degrees clockwise */ | ||
109 | static int | ||
110 | rotateImage(uint16 rotation, struct image_data *image, uint32 *img_width, | ||
111 | - uint32 *img_length, unsigned char **ibuff_ptr) | ||
112 | + uint32 *img_length, unsigned char **ibuff_ptr, int rot_image_params) | ||
113 | { | ||
114 | int shift_width; | ||
115 | uint32 bytes_per_pixel, bytes_per_sample; | ||
116 | @@ -8634,11 +8635,15 @@ rotateImage(uint16 rotation, struct image_data *image, uint32 *img_width, | ||
117 | |||
118 | *img_width = length; | ||
119 | *img_length = width; | ||
120 | - image->width = length; | ||
121 | - image->length = width; | ||
122 | - res_temp = image->xres; | ||
123 | - image->xres = image->yres; | ||
124 | - image->yres = res_temp; | ||
125 | + /* Only toggle image parameters if whole input image is rotated. */ | ||
126 | + if (rot_image_params) | ||
127 | + { | ||
128 | + image->width = length; | ||
129 | + image->length = width; | ||
130 | + res_temp = image->xres; | ||
131 | + image->xres = image->yres; | ||
132 | + image->yres = res_temp; | ||
133 | + } | ||
134 | break; | ||
135 | |||
136 | case 270: if ((bps % 8) == 0) /* byte aligned data */ | ||
137 | @@ -8711,11 +8716,15 @@ rotateImage(uint16 rotation, struct image_data *image, uint32 *img_width, | ||
138 | |||
139 | *img_width = length; | ||
140 | *img_length = width; | ||
141 | - image->width = length; | ||
142 | - image->length = width; | ||
143 | - res_temp = image->xres; | ||
144 | - image->xres = image->yres; | ||
145 | - image->yres = res_temp; | ||
146 | + /* Only toggle image parameters if whole input image is rotated. */ | ||
147 | + if (rot_image_params) | ||
148 | + { | ||
149 | + image->width = length; | ||
150 | + image->length = width; | ||
151 | + res_temp = image->xres; | ||
152 | + image->xres = image->yres; | ||
153 | + image->yres = res_temp; | ||
154 | + } | ||
155 | break; | ||
156 | default: | ||
157 | break; | ||
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2023-0800_0801_0802_0803_0804.patch b/meta/recipes-multimedia/libtiff/files/CVE-2023-0800_0801_0802_0803_0804.patch new file mode 100644 index 0000000000..bf1a439b4d --- /dev/null +++ b/meta/recipes-multimedia/libtiff/files/CVE-2023-0800_0801_0802_0803_0804.patch | |||
@@ -0,0 +1,135 @@ | |||
1 | From e18be834497e0ebf68d443abb9e18187f36cd3bf Mon Sep 17 00:00:00 2001 | ||
2 | From: Markus Koschany <apo@debian.org> | ||
3 | Date: Tue, 21 Feb 2023 14:39:52 +0100 | ||
4 | Subject: [PATCH] CVE-2023-0800 | ||
5 | |||
6 | This is also the fix for CVE-2023-0801, CVE-2023-0802, CVE-2023-0803, | ||
7 | CVE-2023-0804. | ||
8 | |||
9 | Bug-Debian: https://bugs.debian.org/1031632 | ||
10 | Origin: https://gitlab.com/libtiff/libtiff/-/commit/33aee1275d9d1384791d2206776eb8152d397f00 | ||
11 | |||
12 | Upstream-Status: Backport [import from debian http://security.debian.org/debian-security/pool/updates/main/t/tiff/tiff_4.1.0+git191117-2~deb10u7.debian.tar.xz ] | ||
13 | CVE: CVE-2023-0800 CVE-2023-0801 CVE-2023-0802 CVE-2023-0803 CVE-2023-0804 | ||
14 | Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> | ||
15 | --- | ||
16 | tools/tiffcrop.c | 73 +++++++++++++++++++++++++++++++++++++++++++++--- | ||
17 | 1 file changed, 69 insertions(+), 4 deletions(-) | ||
18 | |||
19 | diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c | ||
20 | index f21a7d7..742615a 100644 | ||
21 | --- a/tools/tiffcrop.c | ||
22 | +++ b/tools/tiffcrop.c | ||
23 | @@ -5250,18 +5250,40 @@ computeInputPixelOffsets(struct crop_mask *crop, struct image_data *image, | ||
24 | |||
25 | crop->regionlist[i].buffsize = buffsize; | ||
26 | crop->bufftotal += buffsize; | ||
27 | + | ||
28 | + /* For composite images with more than one region, the | ||
29 | + * combined_length or combined_width always needs to be equal, | ||
30 | + * respectively. | ||
31 | + * Otherwise, even the first section/region copy | ||
32 | + * action might cause buffer overrun. */ | ||
33 | if (crop->img_mode == COMPOSITE_IMAGES) | ||
34 | { | ||
35 | switch (crop->edge_ref) | ||
36 | { | ||
37 | case EDGE_LEFT: | ||
38 | case EDGE_RIGHT: | ||
39 | + if (i > 0 && zlength != crop->combined_length) | ||
40 | + { | ||
41 | + TIFFError( | ||
42 | + "computeInputPixelOffsets", | ||
43 | + "Only equal length regions can be combined for " | ||
44 | + "-E left or right"); | ||
45 | + return (-1); | ||
46 | + } | ||
47 | crop->combined_length = zlength; | ||
48 | crop->combined_width += zwidth; | ||
49 | break; | ||
50 | case EDGE_BOTTOM: | ||
51 | case EDGE_TOP: /* width from left, length from top */ | ||
52 | default: | ||
53 | + if (i > 0 && zwidth != crop->combined_width) | ||
54 | + { | ||
55 | + TIFFError("computeInputPixelOffsets", | ||
56 | + "Only equal width regions can be " | ||
57 | + "combined for -E " | ||
58 | + "top or bottom"); | ||
59 | + return (-1); | ||
60 | + } | ||
61 | crop->combined_width = zwidth; | ||
62 | crop->combined_length += zlength; | ||
63 | break; | ||
64 | @@ -6416,6 +6438,47 @@ extractCompositeRegions(struct image_data *image, struct crop_mask *crop, | ||
65 | crop->combined_width = 0; | ||
66 | crop->combined_length = 0; | ||
67 | |||
68 | + /* If there is more than one region, check beforehand whether all the width | ||
69 | + * and length values of the regions are the same, respectively. */ | ||
70 | + switch (crop->edge_ref) | ||
71 | + { | ||
72 | + default: | ||
73 | + case EDGE_TOP: | ||
74 | + case EDGE_BOTTOM: | ||
75 | + for (i = 1; i < crop->selections; i++) | ||
76 | + { | ||
77 | + uint32_t crop_width0 = | ||
78 | + crop->regionlist[i - 1].x2 - crop->regionlist[i - 1].x1 + 1; | ||
79 | + uint32_t crop_width1 = | ||
80 | + crop->regionlist[i].x2 - crop->regionlist[i].x1 + 1; | ||
81 | + if (crop_width0 != crop_width1) | ||
82 | + { | ||
83 | + TIFFError("extractCompositeRegions", | ||
84 | + "Only equal width regions can be combined for -E " | ||
85 | + "top or bottom"); | ||
86 | + return (1); | ||
87 | + } | ||
88 | + } | ||
89 | + break; | ||
90 | + case EDGE_LEFT: | ||
91 | + case EDGE_RIGHT: | ||
92 | + for (i = 1; i < crop->selections; i++) | ||
93 | + { | ||
94 | + uint32_t crop_length0 = | ||
95 | + crop->regionlist[i - 1].y2 - crop->regionlist[i - 1].y1 + 1; | ||
96 | + uint32_t crop_length1 = | ||
97 | + crop->regionlist[i].y2 - crop->regionlist[i].y1 + 1; | ||
98 | + if (crop_length0 != crop_length1) | ||
99 | + { | ||
100 | + TIFFError("extractCompositeRegions", | ||
101 | + "Only equal length regions can be combined for " | ||
102 | + "-E left or right"); | ||
103 | + return (1); | ||
104 | + } | ||
105 | + } | ||
106 | + } | ||
107 | + | ||
108 | + | ||
109 | for (i = 0; i < crop->selections; i++) | ||
110 | { | ||
111 | /* rows, columns, width, length are expressed in pixels */ | ||
112 | @@ -6439,8 +6502,9 @@ extractCompositeRegions(struct image_data *image, struct crop_mask *crop, | ||
113 | default: | ||
114 | case EDGE_TOP: | ||
115 | case EDGE_BOTTOM: | ||
116 | - if ((i > 0) && (crop_width != crop->regionlist[i - 1].width)) | ||
117 | - { | ||
118 | + if ((crop->selections > i + 1) && | ||
119 | + (crop_width != crop->regionlist[i + 1].width)) | ||
120 | + { | ||
121 | TIFFError ("extractCompositeRegions", | ||
122 | "Only equal width regions can be combined for -E top or bottom"); | ||
123 | return (1); | ||
124 | @@ -6520,8 +6584,9 @@ extractCompositeRegions(struct image_data *image, struct crop_mask *crop, | ||
125 | break; | ||
126 | case EDGE_LEFT: /* splice the pieces of each row together, side by side */ | ||
127 | case EDGE_RIGHT: | ||
128 | - if ((i > 0) && (crop_length != crop->regionlist[i - 1].length)) | ||
129 | - { | ||
130 | + if ((crop->selections > i + 1) && | ||
131 | + (crop_length != crop->regionlist[i + 1].length)) | ||
132 | + { | ||
133 | TIFFError ("extractCompositeRegions", | ||
134 | "Only equal length regions can be combined for -E left or right"); | ||
135 | return (1); | ||
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2023-1916.patch b/meta/recipes-multimedia/libtiff/files/CVE-2023-1916.patch new file mode 100644 index 0000000000..9915b77645 --- /dev/null +++ b/meta/recipes-multimedia/libtiff/files/CVE-2023-1916.patch | |||
@@ -0,0 +1,91 @@ | |||
1 | From 848434a81c443f59ec90d41218eba6e48a450a11 Mon Sep 17 00:00:00 2001 | ||
2 | From: zhailiangliang <zhailiangliang@loongson.cn> | ||
3 | Date: Thu, 16 Mar 2023 16:16:54 +0800 | ||
4 | Subject: [PATCH] Fix heap-buffer-overflow in function extractImageSection | ||
5 | |||
6 | CVE: CVE-2023-1916 | ||
7 | Upstream-Status: Submitted [https://gitlab.com/libtiff/libtiff/-/commit/848434a81c443f59ec90d41218eba6e48a450a11 https://gitlab.com/libtiff/libtiff/-/merge_requests/535] | ||
8 | Signed-off-by: Marek Vasut <marex@denx.de> | ||
9 | --- | ||
10 | archive/tools/tiffcrop.c | 62 +++++++++++++++++++++++++++++----------- | ||
11 | 1 file changed, 45 insertions(+), 17 deletions(-) | ||
12 | |||
13 | --- tiff-4.1.0+git191117.orig/tools/tiffcrop.c | ||
14 | +++ tiff-4.1.0+git191117/tools/tiffcrop.c | ||
15 | @@ -5549,6 +5549,15 @@ getCropOffsets(struct image_data *image, | ||
16 | crop->combined_width += (uint32)zwidth; | ||
17 | else | ||
18 | crop->combined_width = (uint32)zwidth; | ||
19 | + | ||
20 | + /* When the degrees clockwise rotation is 90 or 270, check the boundary */ | ||
21 | + if (((crop->rotation == 90) || (crop->rotation == 270)) | ||
22 | + && ((crop->combined_length > image->width) || (crop->combined_width > image->length))) | ||
23 | + { | ||
24 | + TIFFError("getCropOffsets", "The crop size exceeds the image boundary size"); | ||
25 | + return -1; | ||
26 | + } | ||
27 | + | ||
28 | break; | ||
29 | case EDGE_BOTTOM: /* width from left, zones from bottom to top */ | ||
30 | zwidth = offsets.crop_width; | ||
31 | @@ -5579,6 +5588,15 @@ getCropOffsets(struct image_data *image, | ||
32 | else | ||
33 | crop->combined_length = (uint32)zlength; | ||
34 | crop->combined_width = (uint32)zwidth; | ||
35 | + | ||
36 | + /* When the degrees clockwise rotation is 90 or 270, check the boundary */ | ||
37 | + if (((crop->rotation == 90) || (crop->rotation == 270)) | ||
38 | + && ((crop->combined_length > image->width) || (crop->combined_width > image->length))) | ||
39 | + { | ||
40 | + TIFFError("getCropOffsets", "The crop size exceeds the image boundary size"); | ||
41 | + return -1; | ||
42 | + } | ||
43 | + | ||
44 | break; | ||
45 | case EDGE_RIGHT: /* zones from right to left, length from top */ | ||
46 | zlength = offsets.crop_length; | ||
47 | @@ -5606,6 +5624,15 @@ getCropOffsets(struct image_data *image, | ||
48 | crop->combined_width += (uint32)zwidth; | ||
49 | else | ||
50 | crop->combined_width = (uint32)zwidth; | ||
51 | + | ||
52 | + /* When the degrees clockwise rotation is 90 or 270, check the boundary */ | ||
53 | + if (((crop->rotation == 90) || (crop->rotation == 270)) | ||
54 | + && ((crop->combined_length > image->width) || (crop->combined_width > image->length))) | ||
55 | + { | ||
56 | + TIFFError("getCropOffsets", "The crop size exceeds the image boundary size"); | ||
57 | + return -1; | ||
58 | + } | ||
59 | + | ||
60 | break; | ||
61 | case EDGE_TOP: /* width from left, zones from top to bottom */ | ||
62 | default: | ||
63 | @@ -5632,6 +5659,15 @@ getCropOffsets(struct image_data *image, | ||
64 | else | ||
65 | crop->combined_length = (uint32)zlength; | ||
66 | crop->combined_width = (uint32)zwidth; | ||
67 | + | ||
68 | + /* When the degrees clockwise rotation is 90 or 270, check the boundary */ | ||
69 | + if (((crop->rotation == 90) || (crop->rotation == 270)) | ||
70 | + && ((crop->combined_length > image->width) || (crop->combined_width > image->length))) | ||
71 | + { | ||
72 | + TIFFError("getCropOffsets", "The crop size exceeds the image boundary size"); | ||
73 | + return -1; | ||
74 | + } | ||
75 | + | ||
76 | break; | ||
77 | } /* end switch statement */ | ||
78 | |||
79 | @@ -6827,9 +6863,9 @@ extractImageSection(struct image_data *i | ||
80 | * regardless of the way the data are organized in the input file. | ||
81 | * Furthermore, bytes and bits are arranged in buffer according to COMPRESSION=1 and FILLORDER=1 | ||
82 | */ | ||
83 | - img_rowsize = (((img_width * spp * bps) + 7) / 8); /* row size in full bytes of source image */ | ||
84 | - full_bytes = (sect_width * spp * bps) / 8; /* number of COMPLETE bytes per row in section */ | ||
85 | - trailing_bits = (sect_width * spp * bps) % 8; /* trailing bits within the last byte of destination buffer */ | ||
86 | + img_rowsize = (((img_width * spp * bps) + 7) / 8); /* row size in full bytes of source image */ | ||
87 | + full_bytes = (sect_width * spp * bps) / 8; /* number of COMPLETE bytes per row in section */ | ||
88 | + trailing_bits = (sect_width * spp * bps) % 8; /* trailing bits within the last byte of destination buffer */ | ||
89 | |||
90 | #ifdef DEVELMODE | ||
91 | TIFFError ("", "First row: %d, last row: %d, First col: %d, last col: %d\n", | ||
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2023-25433.patch b/meta/recipes-multimedia/libtiff/files/CVE-2023-25433.patch new file mode 100644 index 0000000000..7d6d40f25a --- /dev/null +++ b/meta/recipes-multimedia/libtiff/files/CVE-2023-25433.patch | |||
@@ -0,0 +1,173 @@ | |||
1 | From 9c22495e5eeeae9e00a1596720c969656bb8d678 Mon Sep 17 00:00:00 2001 | ||
2 | From: Su_Laus <sulau@freenet.de> | ||
3 | Date: Fri, 3 Feb 2023 15:31:31 +0100 | ||
4 | Subject: [PATCH] tiffcrop correctly update buffersize after rotateImage() | ||
5 | fix#520 rotateImage() set up a new buffer and calculates its size | ||
6 | individually. Therefore, seg_buffs[] size needs to be updated accordingly. | ||
7 | Before this fix, the seg_buffs buffer size was calculated with a different | ||
8 | formula than within rotateImage(). | ||
9 | |||
10 | Closes #520. | ||
11 | |||
12 | Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/9c22495e5eeeae9e00a1596720c969656bb8d678 && https://gitlab.com/libtiff/libtiff/-/commit/688012dca2c39033aa2dc7bcea9796787cfd1b44] | ||
13 | CVE: CVE-2023-25433 | ||
14 | Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> | ||
15 | --- | ||
16 | tools/tiffcrop.c | 69 +++++++++++++++++++++++++++++++++++++++--------- | ||
17 | 1 file changed, 56 insertions(+), 13 deletions(-) | ||
18 | |||
19 | diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c | ||
20 | index 742615a..aab0ec6 100644 | ||
21 | --- a/tools/tiffcrop.c | ||
22 | +++ b/tools/tiffcrop.c | ||
23 | @@ -531,7 +531,7 @@ static int rotateContigSamples24bits(uint16, uint16, uint16, uint32, | ||
24 | static int rotateContigSamples32bits(uint16, uint16, uint16, uint32, | ||
25 | uint32, uint32, uint8 *, uint8 *); | ||
26 | static int rotateImage(uint16, struct image_data *, uint32 *, uint32 *, | ||
27 | - unsigned char **, int); | ||
28 | + unsigned char **, size_t *); | ||
29 | static int mirrorImage(uint16, uint16, uint16, uint32, uint32, | ||
30 | unsigned char *); | ||
31 | static int invertImage(uint16, uint16, uint16, uint32, uint32, | ||
32 | @@ -6384,7 +6384,7 @@ static int correct_orientation(struct image_data *image, unsigned char **work_b | ||
33 | * but switch xres, yres there. */ | ||
34 | uint32_t width = image->width; | ||
35 | uint32_t length = image->length; | ||
36 | - if (rotateImage(rotation, image, &width, &length, work_buff_ptr, TRUE)) | ||
37 | + if (rotateImage(rotation, image, &width, &length, work_buff_ptr, NULL)) | ||
38 | { | ||
39 | TIFFError ("correct_orientation", "Unable to rotate image"); | ||
40 | return (-1); | ||
41 | @@ -7607,8 +7607,12 @@ processCropSelections(struct image_data *image, struct crop_mask *crop, | ||
42 | |||
43 | if (crop->crop_mode & CROP_ROTATE) /* rotate should be last as it can reallocate the buffer */ | ||
44 | { | ||
45 | + /* rotateImage() set up a new buffer and calculates its size | ||
46 | + * individually. Therefore, seg_buffs size needs to be updated | ||
47 | + * accordingly. */ | ||
48 | + size_t rot_buf_size = 0; | ||
49 | if (rotateImage(crop->rotation, image, &crop->combined_width, | ||
50 | - &crop->combined_length, &crop_buff, FALSE)) | ||
51 | + &crop->combined_length, &crop_buff, &rot_buf_size)) | ||
52 | { | ||
53 | TIFFError("processCropSelections", | ||
54 | "Failed to rotate composite regions by %d degrees", crop->rotation); | ||
55 | @@ -7713,8 +7717,13 @@ processCropSelections(struct image_data *image, struct crop_mask *crop, | ||
56 | |||
57 | if (crop->crop_mode & CROP_ROTATE) /* rotate should be last as it can reallocate the buffer */ | ||
58 | { | ||
59 | - if (rotateImage(crop->rotation, image, &crop->regionlist[i].width, | ||
60 | - &crop->regionlist[i].length, &crop_buff, FALSE)) | ||
61 | + /* Furthermore, rotateImage() set up a new buffer and calculates | ||
62 | + * its size individually. Therefore, seg_buffs size needs to be | ||
63 | + * updated accordingly. */ | ||
64 | + size_t rot_buf_size = 0; | ||
65 | + if (rotateImage( | ||
66 | + crop->rotation, image, &crop->regionlist[i].width, | ||
67 | + &crop->regionlist[i].length, &crop_buff, &rot_buf_size)) | ||
68 | { | ||
69 | TIFFError("processCropSelections", | ||
70 | "Failed to rotate crop region by %d degrees", crop->rotation); | ||
71 | @@ -7725,8 +7734,7 @@ processCropSelections(struct image_data *image, struct crop_mask *crop, | ||
72 | crop->combined_width = total_width; | ||
73 | crop->combined_length = total_length; | ||
74 | seg_buffs[i].buffer = crop_buff; | ||
75 | - seg_buffs[i].size = (((crop->regionlist[i].width * image->bps + 7 ) / 8) | ||
76 | - * image->spp) * crop->regionlist[i].length; | ||
77 | + seg_buffs[i].size = rot_buf_size; | ||
78 | } | ||
79 | } | ||
80 | } | ||
81 | @@ -7735,7 +7743,6 @@ processCropSelections(struct image_data *image, struct crop_mask *crop, | ||
82 | |||
83 | /* Copy the crop section of the data from the current image into a buffer | ||
84 | * and adjust the IFD values to reflect the new size. If no cropping is | ||
85 | - * required, use the origial read buffer as the crop buffer. | ||
86 | * | ||
87 | * There is quite a bit of redundancy between this routine and the more | ||
88 | * specialized processCropSelections, but this provides | ||
89 | @@ -7846,7 +7853,7 @@ createCroppedImage(struct image_data *image, struct crop_mask *crop, | ||
90 | if (crop->crop_mode & CROP_ROTATE) /* rotate should be last as it can reallocate the buffer */ | ||
91 | { | ||
92 | if (rotateImage(crop->rotation, image, &crop->combined_width, | ||
93 | - &crop->combined_length, crop_buff_ptr, TRUE)) | ||
94 | + &crop->combined_length, crop_buff_ptr, NULL)) | ||
95 | { | ||
96 | TIFFError("createCroppedImage", | ||
97 | "Failed to rotate image or cropped selection by %d degrees", crop->rotation); | ||
98 | @@ -8515,7 +8522,8 @@ rotateImage(uint16 rotation, struct image_data *image, uint32 *img_width, | ||
99 | uint32 bytes_per_pixel, bytes_per_sample; | ||
100 | uint32 row, rowsize, src_offset, dst_offset; | ||
101 | uint32 i, col, width, length; | ||
102 | - uint32 colsize, buffsize, col_offset, pix_offset; | ||
103 | + uint32 colsize, col_offset, pix_offset; | ||
104 | + tmsize_t buffsize; | ||
105 | unsigned char *ibuff; | ||
106 | unsigned char *src; | ||
107 | unsigned char *dst; | ||
108 | @@ -8528,12 +8536,41 @@ rotateImage(uint16 rotation, struct image_data *image, uint32 *img_width, | ||
109 | spp = image->spp; | ||
110 | bps = image->bps; | ||
111 | |||
112 | + if ((spp != 0 && bps != 0 && | ||
113 | + width > (uint32_t)((UINT32_MAX - 7) / spp / bps)) || | ||
114 | + (spp != 0 && bps != 0 && | ||
115 | + length > (uint32_t)((UINT32_MAX - 7) / spp / bps))) | ||
116 | + { | ||
117 | + TIFFError("rotateImage", "Integer overflow detected."); | ||
118 | + return (-1); | ||
119 | + } | ||
120 | + | ||
121 | rowsize = ((bps * spp * width) + 7) / 8; | ||
122 | colsize = ((bps * spp * length) + 7) / 8; | ||
123 | if ((colsize * width) > (rowsize * length)) | ||
124 | - buffsize = (colsize + 1) * width; | ||
125 | +{ | ||
126 | + if (((tmsize_t)colsize + 1) != 0 && | ||
127 | + (tmsize_t)width > ((TIFF_TMSIZE_T_MAX - NUM_BUFF_OVERSIZE_BYTES) / | ||
128 | + ((tmsize_t)colsize + 1))) | ||
129 | + { | ||
130 | + TIFFError("rotateImage", | ||
131 | + "Integer overflow when calculating buffer size."); | ||
132 | + return (-1); | ||
133 | + } | ||
134 | + buffsize = ((tmsize_t)colsize + 1) * width; | ||
135 | + } | ||
136 | else | ||
137 | - buffsize = (rowsize + 1) * length; | ||
138 | + { | ||
139 | + if (((tmsize_t)rowsize + 1) != 0 && | ||
140 | + (tmsize_t)length > ((TIFF_TMSIZE_T_MAX - NUM_BUFF_OVERSIZE_BYTES) / | ||
141 | + ((tmsize_t)rowsize + 1))) | ||
142 | + { | ||
143 | + TIFFError("rotateImage", | ||
144 | + "Integer overflow when calculating buffer size."); | ||
145 | + return (-1); | ||
146 | + } | ||
147 | + buffsize = (rowsize + 1) * length; | ||
148 | + } | ||
149 | |||
150 | bytes_per_sample = (bps + 7) / 8; | ||
151 | bytes_per_pixel = ((bps * spp) + 7) / 8; | ||
152 | @@ -8556,11 +8593,17 @@ rotateImage(uint16 rotation, struct image_data *image, uint32 *img_width, | ||
153 | /* Add 3 padding bytes for extractContigSamplesShifted32bits */ | ||
154 | if (!(rbuff = (unsigned char *)_TIFFmalloc(buffsize + NUM_BUFF_OVERSIZE_BYTES))) | ||
155 | { | ||
156 | - TIFFError("rotateImage", "Unable to allocate rotation buffer of %1u bytes", buffsize + NUM_BUFF_OVERSIZE_BYTES); | ||
157 | + TIFFError("rotateImage", | ||
158 | + "Unable to allocate rotation buffer of %" TIFF_SSIZE_FORMAT | ||
159 | + " bytes ", | ||
160 | + buffsize + NUM_BUFF_OVERSIZE_BYTES); | ||
161 | return (-1); | ||
162 | } | ||
163 | _TIFFmemset(rbuff, '\0', buffsize + NUM_BUFF_OVERSIZE_BYTES); | ||
164 | |||
165 | + if (rot_buf_size != NULL) | ||
166 | + *rot_buf_size = buffsize; | ||
167 | + | ||
168 | ibuff = *ibuff_ptr; | ||
169 | switch (rotation) | ||
170 | { | ||
171 | -- | ||
172 | 2.25.1 | ||
173 | |||
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2023-25434-CVE-2023-25435.patch b/meta/recipes-multimedia/libtiff/files/CVE-2023-25434-CVE-2023-25435.patch new file mode 100644 index 0000000000..6a6596f092 --- /dev/null +++ b/meta/recipes-multimedia/libtiff/files/CVE-2023-25434-CVE-2023-25435.patch | |||
@@ -0,0 +1,94 @@ | |||
1 | From 69818e2f2d246e6631ac2a2da692c3706b849c38 Mon Sep 17 00:00:00 2001 | ||
2 | From: Su_Laus <sulau@freenet.de> | ||
3 | Date: Sun, 29 Jan 2023 11:09:26 +0100 | ||
4 | Subject: [PATCH] tiffcrop: Amend rotateImage() not to toggle the input (main) | ||
5 | image width and length parameters when only cropped image sections are | ||
6 | rotated. Remove buffptr from region structure because never used. | ||
7 | |||
8 | Closes #492 #493 #494 #495 #499 #518 #519 | ||
9 | |||
10 | Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/69818e2f2d246e6631ac2a2da692c3706b849c38] | ||
11 | CVE: CVE-2023-25434 & CVE-2023-25435 | ||
12 | Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> | ||
13 | --- | ||
14 | tools/tiffcrop.c | 29 +++++++++++++++++------------ | ||
15 | 1 file changed, 17 insertions(+), 12 deletions(-) | ||
16 | |||
17 | diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c | ||
18 | index aab0ec6..ce84414 100644 | ||
19 | --- a/tools/tiffcrop.c | ||
20 | +++ b/tools/tiffcrop.c | ||
21 | @@ -531,7 +531,7 @@ static int rotateContigSamples24bits(uint16, uint16, uint16, uint32, | ||
22 | static int rotateContigSamples32bits(uint16, uint16, uint16, uint32, | ||
23 | uint32, uint32, uint8 *, uint8 *); | ||
24 | static int rotateImage(uint16, struct image_data *, uint32 *, uint32 *, | ||
25 | - unsigned char **, size_t *); | ||
26 | + unsigned char **, size_t *, int); | ||
27 | static int mirrorImage(uint16, uint16, uint16, uint32, uint32, | ||
28 | unsigned char *); | ||
29 | static int invertImage(uint16, uint16, uint16, uint32, uint32, | ||
30 | @@ -6382,10 +6382,11 @@ static int correct_orientation(struct image_data *image, unsigned char **work_b | ||
31 | /* Dummy variable in order not to switch two times the | ||
32 | * image->width,->length within rotateImage(), | ||
33 | * but switch xres, yres there. */ | ||
34 | - uint32_t width = image->width; | ||
35 | - uint32_t length = image->length; | ||
36 | - if (rotateImage(rotation, image, &width, &length, work_buff_ptr, NULL)) | ||
37 | - { | ||
38 | + uint32_t width = image->width; | ||
39 | + uint32_t length = image->length; | ||
40 | + if (rotateImage(rotation, image, &width, &length, work_buff_ptr, NULL, | ||
41 | + TRUE)) | ||
42 | + { | ||
43 | TIFFError ("correct_orientation", "Unable to rotate image"); | ||
44 | return (-1); | ||
45 | } | ||
46 | @@ -7612,7 +7613,8 @@ processCropSelections(struct image_data *image, struct crop_mask *crop, | ||
47 | * accordingly. */ | ||
48 | size_t rot_buf_size = 0; | ||
49 | if (rotateImage(crop->rotation, image, &crop->combined_width, | ||
50 | - &crop->combined_length, &crop_buff, &rot_buf_size)) | ||
51 | + &crop->combined_length, &crop_buff, &rot_buf_size, | ||
52 | + FALSE)) | ||
53 | { | ||
54 | TIFFError("processCropSelections", | ||
55 | "Failed to rotate composite regions by %d degrees", crop->rotation); | ||
56 | @@ -7721,9 +7723,10 @@ processCropSelections(struct image_data *image, struct crop_mask *crop, | ||
57 | * its size individually. Therefore, seg_buffs size needs to be | ||
58 | * updated accordingly. */ | ||
59 | size_t rot_buf_size = 0; | ||
60 | - if (rotateImage( | ||
61 | - crop->rotation, image, &crop->regionlist[i].width, | ||
62 | - &crop->regionlist[i].length, &crop_buff, &rot_buf_size)) | ||
63 | + if (rotateImage(crop->rotation, image, | ||
64 | + &crop->regionlist[i].width, | ||
65 | + &crop->regionlist[i].length, &crop_buff, | ||
66 | + &rot_buf_size, FALSE)) | ||
67 | { | ||
68 | TIFFError("processCropSelections", | ||
69 | "Failed to rotate crop region by %d degrees", crop->rotation); | ||
70 | @@ -7853,7 +7856,7 @@ createCroppedImage(struct image_data *image, struct crop_mask *crop, | ||
71 | if (crop->crop_mode & CROP_ROTATE) /* rotate should be last as it can reallocate the buffer */ | ||
72 | { | ||
73 | if (rotateImage(crop->rotation, image, &crop->combined_width, | ||
74 | - &crop->combined_length, crop_buff_ptr, NULL)) | ||
75 | + &crop->combined_length, crop_buff_ptr, NULL, TRUE)) | ||
76 | { | ||
77 | TIFFError("createCroppedImage", | ||
78 | "Failed to rotate image or cropped selection by %d degrees", crop->rotation); | ||
79 | @@ -8515,8 +8518,10 @@ rotateContigSamples32bits(uint16 rotation, uint16 spp, uint16 bps, uint32 width, | ||
80 | |||
81 | /* Rotate an image by a multiple of 90 degrees clockwise */ | ||
82 | static int | ||
83 | -rotateImage(uint16 rotation, struct image_data *image, uint32 *img_width, | ||
84 | - uint32 *img_length, unsigned char **ibuff_ptr, int rot_image_params) | ||
85 | +rotateImage(uint16 rotation, struct image_data *image, | ||
86 | + uint32 *img_width, uint32 *img_length, | ||
87 | + unsigned char **ibuff_ptr, size_t *rot_buf_size, | ||
88 | + int rot_image_params) | ||
89 | { | ||
90 | int shift_width; | ||
91 | uint32 bytes_per_pixel, bytes_per_sample; | ||
92 | -- | ||
93 | 2.25.1 | ||
94 | |||
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2023-26965.patch b/meta/recipes-multimedia/libtiff/files/CVE-2023-26965.patch new file mode 100644 index 0000000000..b7a7e93764 --- /dev/null +++ b/meta/recipes-multimedia/libtiff/files/CVE-2023-26965.patch | |||
@@ -0,0 +1,90 @@ | |||
1 | From ec8ef90c1f573c9eb1f17d6a056aa0015f184acf Mon Sep 17 00:00:00 2001 | ||
2 | From: Su_Laus <sulau@freenet.de> | ||
3 | Date: Tue, 14 Feb 2023 20:43:43 +0100 | ||
4 | Subject: [PATCH] tiffcrop: Do not reuse input buffer for subsequent images. | ||
5 | Fix issue 527 | ||
6 | |||
7 | Reuse of read_buff within loadImage() from previous image is quite unsafe, because other functions (like rotateImage() etc.) reallocate that buffer with different size without updating the local prev_readsize value. | ||
8 | |||
9 | Closes #527 | ||
10 | |||
11 | Upstream-Status: Backport [import from debian http://security.debian.org/debian-security/pool/updates/main/t/tiff/tiff_4.1.0+git191117-2~deb10u8.debian.tar.xz] | ||
12 | CVE: CVE-2023-26965 | ||
13 | Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> | ||
14 | --- | ||
15 | tools/tiffcrop.c | 40 ++++++++++------------------------------ | ||
16 | 1 file changed, 10 insertions(+), 30 deletions(-) | ||
17 | |||
18 | diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c | ||
19 | index ce84414..a533089 100644 | ||
20 | --- a/tools/tiffcrop.c | ||
21 | +++ b/tools/tiffcrop.c | ||
22 | @@ -5935,9 +5935,7 @@ loadImage(TIFF* in, struct image_data *image, struct dump_opts *dump, unsigned c | ||
23 | uint32 tw = 0, tl = 0; /* Tile width and length */ | ||
24 | tmsize_t tile_rowsize = 0; | ||
25 | unsigned char *read_buff = NULL; | ||
26 | - unsigned char *new_buff = NULL; | ||
27 | int readunit = 0; | ||
28 | - static tmsize_t prev_readsize = 0; | ||
29 | |||
30 | TIFFGetFieldDefaulted(in, TIFFTAG_BITSPERSAMPLE, &bps); | ||
31 | TIFFGetFieldDefaulted(in, TIFFTAG_SAMPLESPERPIXEL, &spp); | ||
32 | @@ -6232,37 +6230,20 @@ loadImage(TIFF* in, struct image_data *image, struct dump_opts *dump, unsigned c | ||
33 | read_buff = *read_ptr; | ||
34 | /* +3 : add a few guard bytes since reverseSamples16bits() can read a bit */ | ||
35 | /* outside buffer */ | ||
36 | - if (!read_buff) | ||
37 | + if (read_buff) | ||
38 | { | ||
39 | - if( buffsize > 0xFFFFFFFFU - 3 ) | ||
40 | - { | ||
41 | - TIFFError("loadImage", "Unable to allocate/reallocate read buffer"); | ||
42 | - return (-1); | ||
43 | - } | ||
44 | - read_buff = (unsigned char *)_TIFFmalloc(buffsize + NUM_BUFF_OVERSIZE_BYTES); | ||
45 | + _TIFFfree(read_buff); | ||
46 | } | ||
47 | - else | ||
48 | - { | ||
49 | - if (prev_readsize < buffsize) | ||
50 | - { | ||
51 | - if( buffsize > 0xFFFFFFFFU - 3 ) | ||
52 | - { | ||
53 | - TIFFError("loadImage", "Unable to allocate/reallocate read buffer"); | ||
54 | - return (-1); | ||
55 | - } | ||
56 | - new_buff = _TIFFrealloc(read_buff, buffsize + NUM_BUFF_OVERSIZE_BYTES); | ||
57 | - if (!new_buff) | ||
58 | - { | ||
59 | - free (read_buff); | ||
60 | - read_buff = (unsigned char *)_TIFFmalloc(buffsize + NUM_BUFF_OVERSIZE_BYTES); | ||
61 | - } | ||
62 | - else | ||
63 | - read_buff = new_buff; | ||
64 | - } | ||
65 | - } | ||
66 | + if (buffsize > 0xFFFFFFFFU - 3) | ||
67 | + { | ||
68 | + TIFFError("loadImage", "Required read buffer size too large"); | ||
69 | + return (-1); | ||
70 | + } | ||
71 | + read_buff = | ||
72 | + (unsigned char *)_TIFFmalloc(buffsize + NUM_BUFF_OVERSIZE_BYTES); | ||
73 | if (!read_buff) | ||
74 | { | ||
75 | - TIFFError("loadImage", "Unable to allocate/reallocate read buffer"); | ||
76 | + TIFFError("loadImage", "Unable to allocate read buffer"); | ||
77 | return (-1); | ||
78 | } | ||
79 | |||
80 | @@ -6270,7 +6251,6 @@ loadImage(TIFF* in, struct image_data *image, struct dump_opts *dump, unsigned c | ||
81 | read_buff[buffsize+1] = 0; | ||
82 | read_buff[buffsize+2] = 0; | ||
83 | |||
84 | - prev_readsize = buffsize; | ||
85 | *read_ptr = read_buff; | ||
86 | |||
87 | /* N.B. The read functions used copy separate plane data into a buffer as interleaved | ||
88 | -- | ||
89 | 2.25.1 | ||
90 | |||
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2023-26966.patch b/meta/recipes-multimedia/libtiff/files/CVE-2023-26966.patch new file mode 100644 index 0000000000..48657e6aa4 --- /dev/null +++ b/meta/recipes-multimedia/libtiff/files/CVE-2023-26966.patch | |||
@@ -0,0 +1,35 @@ | |||
1 | From b0e1c25dd1d065200c8d8f59ad0afe014861a1b9 Mon Sep 17 00:00:00 2001 | ||
2 | From: Su_Laus <sulau@freenet.de> | ||
3 | Date: Thu, 16 Feb 2023 12:03:16 +0100 | ||
4 | Subject: [PATCH] tif_luv: Check and correct for NaN data in uv_encode(). | ||
5 | |||
6 | Closes #530 | ||
7 | |||
8 | Upstream-Status: Backport [import from debian http://security.debian.org/debian-security/pool/updates/main/t/tiff/tiff_4.1.0+git191117-2~deb10u8.debian.tar.xz] | ||
9 | CVE: CVE-2023-26966 | ||
10 | Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> | ||
11 | --- | ||
12 | libtiff/tif_luv.c | 7 +++++++ | ||
13 | 1 file changed, 7 insertions(+) | ||
14 | |||
15 | diff --git a/libtiff/tif_luv.c b/libtiff/tif_luv.c | ||
16 | index 6fe4858..8b2c5f1 100644 | ||
17 | --- a/libtiff/tif_luv.c | ||
18 | +++ b/libtiff/tif_luv.c | ||
19 | @@ -923,6 +923,13 @@ uv_encode(double u, double v, int em) /* encode (u',v') coordinates */ | ||
20 | { | ||
21 | register int vi, ui; | ||
22 | |||
23 | + /* check for NaN */ | ||
24 | + if (u != u || v != v) | ||
25 | + { | ||
26 | + u = U_NEU; | ||
27 | + v = V_NEU; | ||
28 | + } | ||
29 | + | ||
30 | if (v < UV_VSTART) | ||
31 | return oog_encode(u, v); | ||
32 | vi = itrunc((v - UV_VSTART)*(1./UV_SQSIZ), em); | ||
33 | -- | ||
34 | 2.25.1 | ||
35 | |||
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2023-2908.patch b/meta/recipes-multimedia/libtiff/files/CVE-2023-2908.patch new file mode 100644 index 0000000000..62a5e1831c --- /dev/null +++ b/meta/recipes-multimedia/libtiff/files/CVE-2023-2908.patch | |||
@@ -0,0 +1,33 @@ | |||
1 | From 8c0859a80444c90b8dfb862a9f16de74e16f0a9e Mon Sep 17 00:00:00 2001 | ||
2 | From: xiaoxiaoafeifei <lliangliang2007@163.com> | ||
3 | Date: Fri, 21 Apr 2023 13:01:34 +0000 | ||
4 | Subject: [PATCH] countInkNamesString(): fix `UndefinedBehaviorSanitizer`: | ||
5 | applying zero offset to null pointer | ||
6 | |||
7 | Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/9bd48f0dbd64fb94dc2b5b05238fde0bfdd4ff3f] | ||
8 | CVE: CVE-2023-2908 | ||
9 | Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> | ||
10 | --- | ||
11 | libtiff/tif_dir.c | 4 ++-- | ||
12 | 1 file changed, 2 insertions(+), 2 deletions(-) | ||
13 | |||
14 | diff --git a/libtiff/tif_dir.c b/libtiff/tif_dir.c | ||
15 | index 9d8267a..6389b40 100644 | ||
16 | --- a/libtiff/tif_dir.c | ||
17 | +++ b/libtiff/tif_dir.c | ||
18 | @@ -145,10 +145,10 @@ static uint16 | ||
19 | countInkNamesString(TIFF *tif, uint32 slen, const char *s) | ||
20 | { | ||
21 | uint16 i = 0; | ||
22 | - const char *ep = s + slen; | ||
23 | - const char *cp = s; | ||
24 | |||
25 | if (slen > 0) { | ||
26 | + const char *ep = s + slen; | ||
27 | + const char *cp = s; | ||
28 | do { | ||
29 | for (; cp < ep && *cp != '\0'; cp++) {} | ||
30 | if (cp >= ep) | ||
31 | -- | ||
32 | 2.25.1 | ||
33 | |||
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2023-3316.patch b/meta/recipes-multimedia/libtiff/files/CVE-2023-3316.patch new file mode 100644 index 0000000000..8db24fc714 --- /dev/null +++ b/meta/recipes-multimedia/libtiff/files/CVE-2023-3316.patch | |||
@@ -0,0 +1,59 @@ | |||
1 | From d63de61b1ec3385f6383ef9a1f453e4b8b11d536 Mon Sep 17 00:00:00 2001 | ||
2 | From: Su_Laus <sulau@freenet.de> | ||
3 | Date: Fri, 3 Feb 2023 17:38:55 +0100 | ||
4 | Subject: [PATCH] TIFFClose() avoid NULL pointer dereferencing. fix#515 | ||
5 | |||
6 | Closes #515 | ||
7 | |||
8 | Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/d63de61b1ec3385f6383ef9a1f453e4b8b11d536] | ||
9 | CVE: CVE-2023-3316 | ||
10 | Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> | ||
11 | --- | ||
12 | libtiff/tif_close.c | 11 +++++++---- | ||
13 | tools/tiffcrop.c | 5 ++++- | ||
14 | 2 files changed, 11 insertions(+), 5 deletions(-) | ||
15 | |||
16 | diff --git a/libtiff/tif_close.c b/libtiff/tif_close.c | ||
17 | index e4228df..335e80f 100644 | ||
18 | --- a/libtiff/tif_close.c | ||
19 | +++ b/libtiff/tif_close.c | ||
20 | @@ -118,13 +118,16 @@ TIFFCleanup(TIFF* tif) | ||
21 | */ | ||
22 | |||
23 | void | ||
24 | -TIFFClose(TIFF* tif) | ||
25 | +TIFFClose(TIFF *tif) | ||
26 | { | ||
27 | - TIFFCloseProc closeproc = tif->tif_closeproc; | ||
28 | - thandle_t fd = tif->tif_clientdata; | ||
29 | + if (tif != NULL) | ||
30 | + { | ||
31 | + TIFFCloseProc closeproc = tif->tif_closeproc; | ||
32 | + thandle_t fd = tif->tif_clientdata; | ||
33 | |||
34 | TIFFCleanup(tif); | ||
35 | - (void) (*closeproc)(fd); | ||
36 | + (void)(*closeproc)(fd); | ||
37 | + } | ||
38 | } | ||
39 | |||
40 | /* vim: set ts=8 sts=8 sw=8 noet: */ | ||
41 | diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c | ||
42 | index a533089..f14bb0c 100644 | ||
43 | --- a/tools/tiffcrop.c | ||
44 | +++ b/tools/tiffcrop.c | ||
45 | @@ -2526,7 +2526,10 @@ main(int argc, char* argv[]) | ||
46 | } | ||
47 | } | ||
48 | |||
49 | - TIFFClose(out); | ||
50 | + if (out != NULL) | ||
51 | + { | ||
52 | + TIFFClose(out); | ||
53 | + } | ||
54 | |||
55 | return (0); | ||
56 | } /* end main */ | ||
57 | -- | ||
58 | 2.25.1 | ||
59 | |||
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2023-3576.patch b/meta/recipes-multimedia/libtiff/files/CVE-2023-3576.patch new file mode 100644 index 0000000000..67837fe142 --- /dev/null +++ b/meta/recipes-multimedia/libtiff/files/CVE-2023-3576.patch | |||
@@ -0,0 +1,35 @@ | |||
1 | From 881a070194783561fd209b7c789a4e75566f7f37 Mon Sep 17 00:00:00 2001 | ||
2 | From: zhailiangliang <zhailiangliang@loongson.cn> | ||
3 | Date: Tue, 7 Mar 2023 15:02:08 +0800 | ||
4 | Subject: [PATCH] Fix memory leak in tiffcrop.c | ||
5 | |||
6 | Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/881a070194783561fd209b7c789a4e75566f7f37] | ||
7 | CVE: CVE-2023-3576 | ||
8 | Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> | ||
9 | Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> | ||
10 | --- | ||
11 | tools/tiffcrop.c | 7 ++++++- | ||
12 | 1 file changed, 6 insertions(+), 1 deletion(-) | ||
13 | |||
14 | diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c | ||
15 | index f14bb0c..7121c7c 100644 | ||
16 | --- a/tools/tiffcrop.c | ||
17 | +++ b/tools/tiffcrop.c | ||
18 | @@ -7746,8 +7746,13 @@ createCroppedImage(struct image_data *image, struct crop_mask *crop, | ||
19 | |||
20 | read_buff = *read_buff_ptr; | ||
21 | |||
22 | + /* Memory is freed before crop_buff_ptr is overwritten */ | ||
23 | + if (*crop_buff_ptr != NULL) | ||
24 | + { | ||
25 | + _TIFFfree(*crop_buff_ptr); | ||
26 | + } | ||
27 | + | ||
28 | /* process full image, no crop buffer needed */ | ||
29 | - crop_buff = read_buff; | ||
30 | *crop_buff_ptr = read_buff; | ||
31 | crop->combined_width = image->width; | ||
32 | crop->combined_length = image->length; | ||
33 | -- | ||
34 | 2.25.1 | ||
35 | |||
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2023-3618.patch b/meta/recipes-multimedia/libtiff/files/CVE-2023-3618.patch new file mode 100644 index 0000000000..fd67305c0b --- /dev/null +++ b/meta/recipes-multimedia/libtiff/files/CVE-2023-3618.patch | |||
@@ -0,0 +1,47 @@ | |||
1 | From b5c7d4c4e03333ac16b5cfb11acaaeaa493334f8 Mon Sep 17 00:00:00 2001 | ||
2 | From: Su_Laus <sulau@freenet.de> | ||
3 | Date: Fri, 5 May 2023 19:43:46 +0200 | ||
4 | Subject: [PATCH] Consider error return of writeSelections(). Fixes #553 | ||
5 | |||
6 | Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/b5c7d4c4e03333ac16b5cfb11acaaeaa493334f8] | ||
7 | CVE: CVE-2023-3618 | ||
8 | Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> | ||
9 | --- | ||
10 | tools/tiffcrop.c | 14 ++++++++++---- | ||
11 | 1 file changed, 10 insertions(+), 4 deletions(-) | ||
12 | |||
13 | diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c | ||
14 | index 7121c7c..93b7f96 100644 | ||
15 | --- a/tools/tiffcrop.c | ||
16 | +++ b/tools/tiffcrop.c | ||
17 | @@ -2437,9 +2437,15 @@ main(int argc, char* argv[]) | ||
18 | { /* Whole image or sections not based on output page size */ | ||
19 | if (crop.selections > 0) | ||
20 | { | ||
21 | - writeSelections(in, &out, &crop, &image, &dump, seg_buffs, | ||
22 | - mp, argv[argc - 1], &next_page, total_pages); | ||
23 | - } | ||
24 | + if (writeSelections(in, &out, &crop, &image, &dump, | ||
25 | + seg_buffs, mp, argv[argc - 1], | ||
26 | + &next_page, total_pages)) | ||
27 | + { | ||
28 | + TIFFError("main", | ||
29 | + "Unable to write new image selections"); | ||
30 | + exit(EXIT_FAILURE); | ||
31 | + } | ||
32 | + } | ||
33 | else /* One file all images and sections */ | ||
34 | { | ||
35 | if (update_output_file (&out, mp, crop.exp_mode, argv[argc - 1], | ||
36 | @@ -7749,7 +7755,7 @@ createCroppedImage(struct image_data *image, struct crop_mask *crop, | ||
37 | /* Memory is freed before crop_buff_ptr is overwritten */ | ||
38 | if (*crop_buff_ptr != NULL) | ||
39 | { | ||
40 | - _TIFFfree(*crop_buff_ptr); | ||
41 | + _TIFFfree(*crop_buff_ptr); | ||
42 | } | ||
43 | |||
44 | /* process full image, no crop buffer needed */ | ||
45 | -- | ||
46 | 2.25.1 | ||
47 | |||
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2023-40745.patch b/meta/recipes-multimedia/libtiff/files/CVE-2023-40745.patch new file mode 100644 index 0000000000..6eb286039f --- /dev/null +++ b/meta/recipes-multimedia/libtiff/files/CVE-2023-40745.patch | |||
@@ -0,0 +1,34 @@ | |||
1 | From 4fc16f649fa2875d5c388cf2edc295510a247ee5 Mon Sep 17 00:00:00 2001 | ||
2 | From: Arie Haenel <arie.haenel@jct.ac.il> | ||
3 | Date: Wed, 19 Jul 2023 19:34:25 +0000 | ||
4 | Subject: [PATCH] tiffcp: fix memory corruption (overflow) on hostile images | ||
5 | (fixes #591) | ||
6 | |||
7 | Upstream-Status: Backport from [https://gitlab.com/libtiff/libtiff/-/commit/4fc16f649fa2875d5c388cf2edc295510a247ee5] | ||
8 | CVE: CVE-2023-40745 | ||
9 | Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> | ||
10 | --- | ||
11 | tools/tiffcp.c | 7 +++++++ | ||
12 | 1 file changed, 7 insertions(+) | ||
13 | |||
14 | diff --git a/tools/tiffcp.c b/tools/tiffcp.c | ||
15 | index 83b3910..007bd05 100644 | ||
16 | --- a/tools/tiffcp.c | ||
17 | +++ b/tools/tiffcp.c | ||
18 | @@ -1437,6 +1437,13 @@ DECLAREreadFunc(readSeparateTilesIntoBuffer) | ||
19 | TIFFError(TIFFFileName(in), "Error, cannot handle that much samples per tile row (Tile Width * Samples/Pixel)"); | ||
20 | return 0; | ||
21 | } | ||
22 | + | ||
23 | + if ( (imagew - tilew * spp) > INT_MAX ){ | ||
24 | + TIFFError(TIFFFileName(in), | ||
25 | + "Error, image raster scan line size is too large"); | ||
26 | + return 0; | ||
27 | + } | ||
28 | + | ||
29 | iskew = imagew - tilew*spp; | ||
30 | tilebuf = _TIFFmalloc(tilesize); | ||
31 | if (tilebuf == 0) | ||
32 | -- | ||
33 | 2.25.1 | ||
34 | |||
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2023-41175.patch b/meta/recipes-multimedia/libtiff/files/CVE-2023-41175.patch new file mode 100644 index 0000000000..3f44a42012 --- /dev/null +++ b/meta/recipes-multimedia/libtiff/files/CVE-2023-41175.patch | |||
@@ -0,0 +1,67 @@ | |||
1 | From 4cc97e3dfa6559f4d17af0d0687bcae07ca4b73d Mon Sep 17 00:00:00 2001 | ||
2 | From: Arie Haenel <arie.haenel@jct.ac.il> | ||
3 | Date: Wed, 19 Jul 2023 19:40:01 +0000 | ||
4 | Subject: raw2tiff: fix integer overflow and bypass of the check (fixes #592) | ||
5 | |||
6 | Upstream-Status: Backport [import from debian security.debian.org/debian-security/pool/updates/main/t/tiff/tiff_4.1.0+git191117-2~deb10u8.debian.tar.xz | ||
7 | Upstream commit https://gitlab.com/libtiff/libtiff/-/commit/6e2dac5f904496d127c92ddc4e56eccfca25c2ee] | ||
8 | CVE: CVE-2023-41175 | ||
9 | Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> | ||
10 | --- | ||
11 | tools/raw2tiff.c | 26 ++++++++++++++++++++++++++ | ||
12 | 1 file changed, 26 insertions(+) | ||
13 | |||
14 | diff --git a/tools/raw2tiff.c b/tools/raw2tiff.c | ||
15 | index ab36ff4e..a905da52 100644 | ||
16 | --- a/tools/raw2tiff.c | ||
17 | +++ b/tools/raw2tiff.c | ||
18 | @@ -35,6 +35,7 @@ | ||
19 | #include <sys/types.h> | ||
20 | #include <math.h> | ||
21 | #include <ctype.h> | ||
22 | +#include <limits.h> | ||
23 | |||
24 | #ifdef HAVE_UNISTD_H | ||
25 | # include <unistd.h> | ||
26 | @@ -101,6 +102,7 @@ main(int argc, char* argv[]) | ||
27 | int fd; | ||
28 | char *outfilename = NULL; | ||
29 | TIFF *out; | ||
30 | + uint32 temp_limit_check = 0; | ||
31 | |||
32 | uint32 row, col, band; | ||
33 | int c; | ||
34 | @@ -212,6 +214,30 @@ main(int argc, char* argv[]) | ||
35 | if (guessSize(fd, dtype, hdr_size, nbands, swab, &width, &length) < 0) | ||
36 | return 1; | ||
37 | |||
38 | + if ((width == 0) || (length == 0) ){ | ||
39 | + fprintf(stderr, "Too large nbands value specified.\n"); | ||
40 | + return (EXIT_FAILURE); | ||
41 | + } | ||
42 | + | ||
43 | + temp_limit_check = nbands * depth; | ||
44 | + | ||
45 | + if ( !temp_limit_check || length > ( UINT_MAX / temp_limit_check ) ) { | ||
46 | + fprintf(stderr, "Too large length size specified.\n"); | ||
47 | + return (EXIT_FAILURE); | ||
48 | + } | ||
49 | + temp_limit_check = temp_limit_check * length; | ||
50 | + | ||
51 | + if ( !temp_limit_check || width > ( UINT_MAX / temp_limit_check ) ) { | ||
52 | + fprintf(stderr, "Too large width size specified.\n"); | ||
53 | + return (EXIT_FAILURE); | ||
54 | + } | ||
55 | + temp_limit_check = temp_limit_check * width; | ||
56 | + | ||
57 | + if ( !temp_limit_check || hdr_size > ( UINT_MAX - temp_limit_check ) ) { | ||
58 | + fprintf(stderr, "Too large header size specified.\n"); | ||
59 | + return (EXIT_FAILURE); | ||
60 | + } | ||
61 | + | ||
62 | if (outfilename == NULL) | ||
63 | outfilename = argv[optind+1]; | ||
64 | out = TIFFOpen(outfilename, "w"); | ||
65 | -- | ||
66 | 2.30.2 | ||
67 | |||
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2023-52356.patch b/meta/recipes-multimedia/libtiff/files/CVE-2023-52356.patch new file mode 100644 index 0000000000..1b651e6529 --- /dev/null +++ b/meta/recipes-multimedia/libtiff/files/CVE-2023-52356.patch | |||
@@ -0,0 +1,53 @@ | |||
1 | [Ubuntu note: Backport of the following patch from upstream, with a few changes | ||
2 | to match the current version of the file in the present Ubuntu release: | ||
3 | . using TIFFErrorExt instead of TIFFErrorExtR (the latter did not exist yet); | ||
4 | -- Rodrigo Figueiredo Zaiden] | ||
5 | |||
6 | Backport of: | ||
7 | |||
8 | From 51558511bdbbcffdce534db21dbaf5d54b31638a Mon Sep 17 00:00:00 2001 | ||
9 | From: Even Rouault <even.rouault@spatialys.com> | ||
10 | Date: Tue, 31 Oct 2023 15:58:41 +0100 | ||
11 | Subject: [PATCH] TIFFReadRGBAStrip/TIFFReadRGBATile: add more validation of | ||
12 | col/row (fixes #622) | ||
13 | |||
14 | Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/tiff/tree/debian/patches/CVE-2023-52356.patch?h=ubuntu/focal-security | ||
15 | Upstream commit https://gitlab.com/libtiff/libtiff/-/commit/51558511bdbbcffdce534db21dbaf5d54b31638a] | ||
16 | CVE: CVE-2023-52356 | ||
17 | Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> | ||
18 | --- | ||
19 | libtiff/tif_getimage.c | 15 +++++++++++++++ | ||
20 | 1 file changed, 15 insertions(+) | ||
21 | |||
22 | |||
23 | --- tiff-4.1.0+git191117.orig/libtiff/tif_getimage.c | ||
24 | +++ tiff-4.1.0+git191117/libtiff/tif_getimage.c | ||
25 | @@ -2926,6 +2926,13 @@ TIFFReadRGBAStripExt(TIFF* tif, uint32 r | ||
26 | } | ||
27 | |||
28 | if (TIFFRGBAImageOK(tif, emsg) && TIFFRGBAImageBegin(&img, tif, stop_on_error, emsg)) { | ||
29 | + if (row >= img.height) | ||
30 | + { | ||
31 | + TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), | ||
32 | + "Invalid row passed to TIFFReadRGBAStrip()."); | ||
33 | + TIFFRGBAImageEnd(&img); | ||
34 | + return (0); | ||
35 | + } | ||
36 | |||
37 | img.row_offset = row; | ||
38 | img.col_offset = 0; | ||
39 | @@ -3002,6 +3009,14 @@ TIFFReadRGBATileExt(TIFF* tif, uint32 co | ||
40 | return( 0 ); | ||
41 | } | ||
42 | |||
43 | + if (col >= img.width || row >= img.height) | ||
44 | + { | ||
45 | + TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), | ||
46 | + "Invalid row/col passed to TIFFReadRGBATile()."); | ||
47 | + TIFFRGBAImageEnd(&img); | ||
48 | + return (0); | ||
49 | + } | ||
50 | + | ||
51 | /* | ||
52 | * The TIFFRGBAImageGet() function doesn't allow us to get off the | ||
53 | * edge of the image, even to fill an otherwise valid tile. So we | ||
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2023-6228.patch b/meta/recipes-multimedia/libtiff/files/CVE-2023-6228.patch new file mode 100644 index 0000000000..a777dea9b0 --- /dev/null +++ b/meta/recipes-multimedia/libtiff/files/CVE-2023-6228.patch | |||
@@ -0,0 +1,30 @@ | |||
1 | From 1e7d217a323eac701b134afc4ae39b6bdfdbc96a Mon Sep 17 00:00:00 2001 | ||
2 | From: Su_Laus <sulau@freenet.de> | ||
3 | Date: Sat, 9 Sep 2023 15:45:47 +0200 | ||
4 | Subject: [PATCH] Check also if codec of input image is available, | ||
5 | independently from codec check of output image and return with error if not. | ||
6 | Fixes #606. | ||
7 | |||
8 | Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/1e7d217a323eac701b134afc4ae39b6bdfdbc96a] | ||
9 | CVE: CVE-2023-6228 | ||
10 | Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> | ||
11 | --- | ||
12 | tools/tiffcp.c | 2 ++ | ||
13 | 1 file changed, 2 insertions(+) | ||
14 | |||
15 | diff --git a/tools/tiffcp.c b/tools/tiffcp.c | ||
16 | index 007bd05..d2f7b66 100644 | ||
17 | --- a/tools/tiffcp.c | ||
18 | +++ b/tools/tiffcp.c | ||
19 | @@ -628,6 +628,8 @@ tiffcp(TIFF* in, TIFF* out) | ||
20 | else | ||
21 | CopyField(TIFFTAG_COMPRESSION, compression); | ||
22 | TIFFGetFieldDefaulted(in, TIFFTAG_COMPRESSION, &input_compression); | ||
23 | + if (!TIFFIsCODECConfigured(input_compression)) | ||
24 | + return FALSE; | ||
25 | TIFFGetFieldDefaulted(in, TIFFTAG_PHOTOMETRIC, &input_photometric); | ||
26 | if (input_compression == COMPRESSION_JPEG) { | ||
27 | /* Force conversion to RGB */ | ||
28 | -- | ||
29 | 2.25.1 | ||
30 | |||
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2023-6277-1.patch b/meta/recipes-multimedia/libtiff/files/CVE-2023-6277-1.patch new file mode 100644 index 0000000000..e955b3f2e4 --- /dev/null +++ b/meta/recipes-multimedia/libtiff/files/CVE-2023-6277-1.patch | |||
@@ -0,0 +1,191 @@ | |||
1 | [Ubuntu note: Backport of the following patch from upstream, with a few changes | ||
2 | to match the current version of the file in the present Ubuntu release: | ||
3 | . included inttypes.h header to support PRIu32 and PRIu64; | ||
4 | . using TIFFWarningExt instead of TIFFWarningExtR (the latter did not exist yet); | ||
5 | . using uint64 instead of uint64_t to preserve the current code usage; | ||
6 | . calling _TIFFfree(data) instead of _TIFFfreeExt(tif, data) (the latter did not exist yet); | ||
7 | . calls to the check size, that is the idea of the patch, were added before | ||
8 | _TIFFCheckMalloc and may note match the original patch methods; | ||
9 | -- Rodrigo Figueiredo Zaiden] | ||
10 | |||
11 | Backport of: | ||
12 | |||
13 | From 5320c9d89c054fa805d037d84c57da874470b01a Mon Sep 17 00:00:00 2001 | ||
14 | From: Su Laus <sulau@freenet.de> | ||
15 | Date: Tue, 31 Oct 2023 15:43:29 +0000 | ||
16 | Subject: [PATCH] Prevent some out-of-memory attacks | ||
17 | |||
18 | Some small fuzzer files fake large amounts of data and provoke out-of-memory situations. For non-compressed data content / tags, out-of-memory can be prevented by comparing with the file size. | ||
19 | |||
20 | At image reading, data size of some tags / data structures (StripByteCounts, StripOffsets, StripArray, TIFF directory) is compared with file size to prevent provoked out-of-memory attacks. | ||
21 | |||
22 | See issue https://gitlab.com/libtiff/libtiff/-/issues/614#note_1602683857 | ||
23 | |||
24 | Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/tiff/tree/debian/patches/CVE-2023-6277-1.patch?h=ubuntu/focal-security | ||
25 | Upstream commit https://gitlab.com/libtiff/libtiff/-/commit/5320c9d89c054fa805d037d84c57da874470b01a] | ||
26 | CVE: CVE-2023-6277 | ||
27 | Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> | ||
28 | --- | ||
29 | libtiff/tif_dirread.c | 92 ++++++++++++++++++++++++++++++++++++++++++- | ||
30 | 1 file changed, 90 insertions(+), 2 deletions(-) | ||
31 | |||
32 | --- tiff-4.1.0+git191117.orig/libtiff/tif_dirread.c | ||
33 | +++ tiff-4.1.0+git191117/libtiff/tif_dirread.c | ||
34 | @@ -37,6 +37,7 @@ | ||
35 | #include "tiffiop.h" | ||
36 | #include <float.h> | ||
37 | #include <stdlib.h> | ||
38 | +#include <inttypes.h> | ||
39 | |||
40 | #define FAILED_FII ((uint32) -1) | ||
41 | |||
42 | @@ -863,6 +864,21 @@ static enum TIFFReadDirEntryErr TIFFRead | ||
43 | datasize=(*count)*typesize; | ||
44 | assert((tmsize_t)datasize>0); | ||
45 | |||
46 | + /* Before allocating a huge amount of memory for corrupted files, check if | ||
47 | + * size of requested memory is not greater than file size. | ||
48 | + */ | ||
49 | + uint64 filesize = TIFFGetFileSize(tif); | ||
50 | + if (datasize > filesize) | ||
51 | + { | ||
52 | + TIFFWarningExt(tif->tif_clientdata, "ReadDirEntryArray", | ||
53 | + "Requested memory size for tag %d (0x%x) %" PRIu32 | ||
54 | + " is greather than filesize %" PRIu64 | ||
55 | + ". Memory not allocated, tag not read", | ||
56 | + direntry->tdir_tag, direntry->tdir_tag, datasize, | ||
57 | + filesize); | ||
58 | + return (TIFFReadDirEntryErrAlloc); | ||
59 | + } | ||
60 | + | ||
61 | if( isMapped(tif) && datasize > (uint32)tif->tif_size ) | ||
62 | return TIFFReadDirEntryErrIo; | ||
63 | |||
64 | @@ -4534,6 +4550,20 @@ EstimateStripByteCounts(TIFF* tif, TIFFD | ||
65 | if( !_TIFFFillStrilesInternal( tif, 0 ) ) | ||
66 | return -1; | ||
67 | |||
68 | + /* Before allocating a huge amount of memory for corrupted files, check if | ||
69 | + * size of requested memory is not greater than file size. */ | ||
70 | + uint64 filesize = TIFFGetFileSize(tif); | ||
71 | + uint64 allocsize = (uint64)td->td_nstrips * sizeof(uint64); | ||
72 | + if (allocsize > filesize) | ||
73 | + { | ||
74 | + TIFFWarningExt(tif->tif_clientdata, module, | ||
75 | + "Requested memory size for StripByteCounts of %" PRIu64 | ||
76 | + " is greather than filesize %" PRIu64 | ||
77 | + ". Memory not allocated", | ||
78 | + allocsize, filesize); | ||
79 | + return -1; | ||
80 | + } | ||
81 | + | ||
82 | if (td->td_stripbytecount_p) | ||
83 | _TIFFfree(td->td_stripbytecount_p); | ||
84 | td->td_stripbytecount_p = (uint64*) | ||
85 | @@ -4544,9 +4574,7 @@ EstimateStripByteCounts(TIFF* tif, TIFFD | ||
86 | |||
87 | if (td->td_compression != COMPRESSION_NONE) { | ||
88 | uint64 space; | ||
89 | - uint64 filesize; | ||
90 | uint16 n; | ||
91 | - filesize = TIFFGetFileSize(tif); | ||
92 | if (!(tif->tif_flags&TIFF_BIGTIFF)) | ||
93 | space=sizeof(TIFFHeaderClassic)+2+dircount*12+4; | ||
94 | else | ||
95 | @@ -4854,6 +4882,20 @@ TIFFFetchDirectory(TIFF* tif, uint64 dir | ||
96 | dircount16 = (uint16)dircount64; | ||
97 | dirsize = 20; | ||
98 | } | ||
99 | + /* Before allocating a huge amount of memory for corrupted files, check | ||
100 | + * if size of requested memory is not greater than file size. */ | ||
101 | + uint64 filesize = TIFFGetFileSize(tif); | ||
102 | + uint64 allocsize = (uint64)dircount16 * dirsize; | ||
103 | + if (allocsize > filesize) | ||
104 | + { | ||
105 | + TIFFWarningExt( | ||
106 | + tif->tif_clientdata, module, | ||
107 | + "Requested memory size for TIFF directory of %" PRIu64 | ||
108 | + " is greather than filesize %" PRIu64 | ||
109 | + ". Memory not allocated, TIFF directory not read", | ||
110 | + allocsize, filesize); | ||
111 | + return 0; | ||
112 | + } | ||
113 | origdir = _TIFFCheckMalloc(tif, dircount16, | ||
114 | dirsize, "to read TIFF directory"); | ||
115 | if (origdir == NULL) | ||
116 | @@ -4957,6 +4999,20 @@ TIFFFetchDirectory(TIFF* tif, uint64 dir | ||
117 | "Sanity check on directory count failed, zero tag directories not supported"); | ||
118 | return 0; | ||
119 | } | ||
120 | + /* Before allocating a huge amount of memory for corrupted files, check | ||
121 | + * if size of requested memory is not greater than file size. */ | ||
122 | + uint64 filesize = TIFFGetFileSize(tif); | ||
123 | + uint64 allocsize = (uint64)dircount16 * dirsize; | ||
124 | + if (allocsize > filesize) | ||
125 | + { | ||
126 | + TIFFWarningExt( | ||
127 | + tif->tif_clientdata, module, | ||
128 | + "Requested memory size for TIFF directory of %" PRIu64 | ||
129 | + " is greather than filesize %" PRIu64 | ||
130 | + ". Memory not allocated, TIFF directory not read", | ||
131 | + allocsize, filesize); | ||
132 | + return 0; | ||
133 | + } | ||
134 | origdir = _TIFFCheckMalloc(tif, dircount16, | ||
135 | dirsize, | ||
136 | "to read TIFF directory"); | ||
137 | @@ -5000,6 +5056,8 @@ TIFFFetchDirectory(TIFF* tif, uint64 dir | ||
138 | } | ||
139 | } | ||
140 | } | ||
141 | + /* No check against filesize needed here because "dir" should have same size | ||
142 | + * than "origdir" checked above. */ | ||
143 | dir = (TIFFDirEntry*)_TIFFCheckMalloc(tif, dircount16, | ||
144 | sizeof(TIFFDirEntry), | ||
145 | "to read TIFF directory"); | ||
146 | @@ -5769,7 +5827,20 @@ TIFFFetchStripThing(TIFF* tif, TIFFDirEn | ||
147 | _TIFFfree(data); | ||
148 | return(0); | ||
149 | } | ||
150 | - | ||
151 | + /* Before allocating a huge amount of memory for corrupted files, check | ||
152 | + * if size of requested memory is not greater than file size. */ | ||
153 | + uint64 filesize = TIFFGetFileSize(tif); | ||
154 | + uint64 allocsize = (uint64)nstrips * sizeof(uint64); | ||
155 | + if (allocsize > filesize) | ||
156 | + { | ||
157 | + TIFFWarningExt(tif->tif_clientdata, module, | ||
158 | + "Requested memory size for StripArray of %" PRIu64 | ||
159 | + " is greather than filesize %" PRIu64 | ||
160 | + ". Memory not allocated", | ||
161 | + allocsize, filesize); | ||
162 | + _TIFFfree(data); | ||
163 | + return (0); | ||
164 | + } | ||
165 | resizeddata=(uint64*)_TIFFCheckMalloc(tif,nstrips,sizeof(uint64),"for strip array"); | ||
166 | if (resizeddata==0) { | ||
167 | _TIFFfree(data); | ||
168 | @@ -5865,6 +5936,23 @@ static void allocChoppedUpStripArrays(TI | ||
169 | } | ||
170 | bytecount = last_offset + last_bytecount - offset; | ||
171 | |||
172 | + /* Before allocating a huge amount of memory for corrupted files, check if | ||
173 | + * size of StripByteCount and StripOffset tags is not greater than | ||
174 | + * file size. | ||
175 | + */ | ||
176 | + uint64 allocsize = (uint64)nstrips * sizeof(uint64) * 2; | ||
177 | + uint64 filesize = TIFFGetFileSize(tif); | ||
178 | + if (allocsize > filesize) | ||
179 | + { | ||
180 | + TIFFWarningExt(tif->tif_clientdata, "allocChoppedUpStripArrays", | ||
181 | + "Requested memory size for StripByteCount and " | ||
182 | + "StripOffsets %" PRIu64 | ||
183 | + " is greather than filesize %" PRIu64 | ||
184 | + ". Memory not allocated", | ||
185 | + allocsize, filesize); | ||
186 | + return; | ||
187 | + } | ||
188 | + | ||
189 | newcounts = (uint64*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64), | ||
190 | "for chopped \"StripByteCounts\" array"); | ||
191 | newoffsets = (uint64*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64), | ||
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2023-6277-2.patch b/meta/recipes-multimedia/libtiff/files/CVE-2023-6277-2.patch new file mode 100644 index 0000000000..644b3fdb3f --- /dev/null +++ b/meta/recipes-multimedia/libtiff/files/CVE-2023-6277-2.patch | |||
@@ -0,0 +1,152 @@ | |||
1 | [Ubuntu note: Backport of the following patch from upstream, with a few changes | ||
2 | to match the current version of the file in the present Ubuntu release: | ||
3 | . using TIFFWarningExt instead of TIFFWarningExtR (the latter did not exist yet); | ||
4 | . using uint64 instead of uint64_t to preserve the current code usage; | ||
5 | -- Rodrigo Figueiredo Zaiden] | ||
6 | |||
7 | Backport of: | ||
8 | |||
9 | From 0b025324711213a75e38b52f7e7ba60235f108aa Mon Sep 17 00:00:00 2001 | ||
10 | From: Even Rouault <even.rouault@spatialys.com> | ||
11 | Date: Tue, 31 Oct 2023 19:47:22 +0100 | ||
12 | Subject: [PATCH] tif_dirread.c: only issue TIFFGetFileSize() for large enough | ||
13 | RAM requests | ||
14 | |||
15 | Ammends 5320c9d89c054fa805d037d84c57da874470b01a | ||
16 | |||
17 | This fixes a performance regression caught by the GDAL regression test | ||
18 | suite. | ||
19 | |||
20 | Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/tiff/tree/debian/patches/CVE-2023-6277-2.patch?h=ubuntu/focal-security | ||
21 | Upstream commit https://gitlab.com/libtiff/libtiff/-/commit/0b025324711213a75e38b52f7e7ba60235f108aa] | ||
22 | CVE: CVE-2023-6277 | ||
23 | Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> | ||
24 | --- | ||
25 | libtiff/tif_dirread.c | 83 +++++++++++++++++++++++++------------------ | ||
26 | 1 file changed, 48 insertions(+), 35 deletions(-) | ||
27 | |||
28 | --- tiff-4.1.0+git191117.orig/libtiff/tif_dirread.c | ||
29 | +++ tiff-4.1.0+git191117/libtiff/tif_dirread.c | ||
30 | @@ -864,19 +864,22 @@ static enum TIFFReadDirEntryErr TIFFRead | ||
31 | datasize=(*count)*typesize; | ||
32 | assert((tmsize_t)datasize>0); | ||
33 | |||
34 | - /* Before allocating a huge amount of memory for corrupted files, check if | ||
35 | - * size of requested memory is not greater than file size. | ||
36 | - */ | ||
37 | - uint64 filesize = TIFFGetFileSize(tif); | ||
38 | - if (datasize > filesize) | ||
39 | + if (datasize > 100 * 1024 * 1024) | ||
40 | { | ||
41 | - TIFFWarningExt(tif->tif_clientdata, "ReadDirEntryArray", | ||
42 | - "Requested memory size for tag %d (0x%x) %" PRIu32 | ||
43 | - " is greather than filesize %" PRIu64 | ||
44 | - ". Memory not allocated, tag not read", | ||
45 | - direntry->tdir_tag, direntry->tdir_tag, datasize, | ||
46 | - filesize); | ||
47 | - return (TIFFReadDirEntryErrAlloc); | ||
48 | + /* Before allocating a huge amount of memory for corrupted files, check | ||
49 | + * if size of requested memory is not greater than file size. | ||
50 | + */ | ||
51 | + const uint64 filesize = TIFFGetFileSize(tif); | ||
52 | + if (datasize > filesize) | ||
53 | + { | ||
54 | + TIFFWarningExt(tif->tif_clientdata, "ReadDirEntryArray", | ||
55 | + "Requested memory size for tag %d (0x%x) %" PRIu32 | ||
56 | + " is greater than filesize %" PRIu64 | ||
57 | + ". Memory not allocated, tag not read", | ||
58 | + direntry->tdir_tag, direntry->tdir_tag, datasize, | ||
59 | + filesize); | ||
60 | + return (TIFFReadDirEntryErrAlloc); | ||
61 | + } | ||
62 | } | ||
63 | |||
64 | if( isMapped(tif) && datasize > (uint32)tif->tif_size ) | ||
65 | @@ -4550,18 +4553,22 @@ EstimateStripByteCounts(TIFF* tif, TIFFD | ||
66 | if( !_TIFFFillStrilesInternal( tif, 0 ) ) | ||
67 | return -1; | ||
68 | |||
69 | - /* Before allocating a huge amount of memory for corrupted files, check if | ||
70 | - * size of requested memory is not greater than file size. */ | ||
71 | - uint64 filesize = TIFFGetFileSize(tif); | ||
72 | - uint64 allocsize = (uint64)td->td_nstrips * sizeof(uint64); | ||
73 | - if (allocsize > filesize) | ||
74 | + const uint64 allocsize = (uint64)td->td_nstrips * sizeof(uint64); | ||
75 | + uint64 filesize = 0; | ||
76 | + if (allocsize > 100 * 1024 * 1024) | ||
77 | { | ||
78 | - TIFFWarningExt(tif->tif_clientdata, module, | ||
79 | - "Requested memory size for StripByteCounts of %" PRIu64 | ||
80 | - " is greather than filesize %" PRIu64 | ||
81 | - ". Memory not allocated", | ||
82 | - allocsize, filesize); | ||
83 | - return -1; | ||
84 | + /* Before allocating a huge amount of memory for corrupted files, check | ||
85 | + * if size of requested memory is not greater than file size. */ | ||
86 | + filesize = TIFFGetFileSize(tif); | ||
87 | + if (allocsize > filesize) | ||
88 | + { | ||
89 | + TIFFWarningExt( | ||
90 | + tif->tif_clientdata, module, | ||
91 | + "Requested memory size for StripByteCounts of %" PRIu64 | ||
92 | + " is greater than filesize %" PRIu64 ". Memory not allocated", | ||
93 | + allocsize, filesize); | ||
94 | + return -1; | ||
95 | + } | ||
96 | } | ||
97 | |||
98 | if (td->td_stripbytecount_p) | ||
99 | @@ -4608,11 +4615,13 @@ EstimateStripByteCounts(TIFF* tif, TIFFD | ||
100 | return -1; | ||
101 | space+=datasize; | ||
102 | } | ||
103 | + if (filesize == 0) | ||
104 | + filesize = TIFFGetFileSize(tif); | ||
105 | if( filesize < space ) | ||
106 | - /* we should perhaps return in error ? */ | ||
107 | - space = filesize; | ||
108 | - else | ||
109 | - space = filesize - space; | ||
110 | + /* we should perhaps return in error ? */ | ||
111 | + space = filesize; | ||
112 | + else | ||
113 | + space = filesize - space; | ||
114 | if (td->td_planarconfig == PLANARCONFIG_SEPARATE) | ||
115 | space /= td->td_samplesperpixel; | ||
116 | for (strip = 0; strip < td->td_nstrips; strip++) | ||
117 | @@ -4882,19 +4891,23 @@ TIFFFetchDirectory(TIFF* tif, uint64 dir | ||
118 | dircount16 = (uint16)dircount64; | ||
119 | dirsize = 20; | ||
120 | } | ||
121 | - /* Before allocating a huge amount of memory for corrupted files, check | ||
122 | - * if size of requested memory is not greater than file size. */ | ||
123 | - uint64 filesize = TIFFGetFileSize(tif); | ||
124 | - uint64 allocsize = (uint64)dircount16 * dirsize; | ||
125 | - if (allocsize > filesize) | ||
126 | + const uint64 allocsize = (uint64)dircount16 * dirsize; | ||
127 | + if (allocsize > 100 * 1024 * 1024) | ||
128 | { | ||
129 | - TIFFWarningExt( | ||
130 | - tif->tif_clientdata, module, | ||
131 | - "Requested memory size for TIFF directory of %" PRIu64 | ||
132 | - " is greather than filesize %" PRIu64 | ||
133 | - ". Memory not allocated, TIFF directory not read", | ||
134 | - allocsize, filesize); | ||
135 | - return 0; | ||
136 | + /* Before allocating a huge amount of memory for corrupted files, | ||
137 | + * check if size of requested memory is not greater than file size. | ||
138 | + */ | ||
139 | + const uint64 filesize = TIFFGetFileSize(tif); | ||
140 | + if (allocsize > filesize) | ||
141 | + { | ||
142 | + TIFFWarningExt( | ||
143 | + tif->tif_clientdata, module, | ||
144 | + "Requested memory size for TIFF directory of %" PRIu64 | ||
145 | + " is greater than filesize %" PRIu64 | ||
146 | + ". Memory not allocated, TIFF directory not read", | ||
147 | + allocsize, filesize); | ||
148 | + return 0; | ||
149 | + } | ||
150 | } | ||
151 | origdir = _TIFFCheckMalloc(tif, dircount16, | ||
152 | dirsize, "to read TIFF directory"); | ||
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2023-6277-3.patch b/meta/recipes-multimedia/libtiff/files/CVE-2023-6277-3.patch new file mode 100644 index 0000000000..ed7d7e7b96 --- /dev/null +++ b/meta/recipes-multimedia/libtiff/files/CVE-2023-6277-3.patch | |||
@@ -0,0 +1,46 @@ | |||
1 | Backport of: | ||
2 | |||
3 | From de7bfd7d4377c266f81849579f696fa1ad5ba6c3 Mon Sep 17 00:00:00 2001 | ||
4 | From: Even Rouault <even.rouault@spatialys.com> | ||
5 | Date: Tue, 31 Oct 2023 20:13:45 +0100 | ||
6 | Subject: [PATCH] TIFFFetchDirectory(): remove useless allocsize vs filesize | ||
7 | check | ||
8 | |||
9 | CoverityScan rightly points that the max value for dircount16 * dirsize | ||
10 | is 4096 * 20. That's small enough not to do any check | ||
11 | |||
12 | Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/tiff/tree/debian/patches/CVE-2023-6277-3.patch?h=ubuntu/focal-security | ||
13 | Upstream commit https://gitlab.com/libtiff/libtiff/-/commit/de7bfd7d4377c266f81849579f696fa1ad5ba6c3] | ||
14 | CVE: CVE-2023-6277 | ||
15 | Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> | ||
16 | --- | ||
17 | libtiff/tif_dirread.c | 18 ------------------ | ||
18 | 1 file changed, 18 deletions(-) | ||
19 | |||
20 | --- tiff-4.1.0+git191117.orig/libtiff/tif_dirread.c | ||
21 | +++ tiff-4.1.0+git191117/libtiff/tif_dirread.c | ||
22 | @@ -4891,24 +4891,6 @@ TIFFFetchDirectory(TIFF* tif, uint64 dir | ||
23 | dircount16 = (uint16)dircount64; | ||
24 | dirsize = 20; | ||
25 | } | ||
26 | - const uint64 allocsize = (uint64)dircount16 * dirsize; | ||
27 | - if (allocsize > 100 * 1024 * 1024) | ||
28 | - { | ||
29 | - /* Before allocating a huge amount of memory for corrupted files, | ||
30 | - * check if size of requested memory is not greater than file size. | ||
31 | - */ | ||
32 | - const uint64 filesize = TIFFGetFileSize(tif); | ||
33 | - if (allocsize > filesize) | ||
34 | - { | ||
35 | - TIFFWarningExt( | ||
36 | - tif->tif_clientdata, module, | ||
37 | - "Requested memory size for TIFF directory of %" PRIu64 | ||
38 | - " is greater than filesize %" PRIu64 | ||
39 | - ". Memory not allocated, TIFF directory not read", | ||
40 | - allocsize, filesize); | ||
41 | - return 0; | ||
42 | - } | ||
43 | - } | ||
44 | origdir = _TIFFCheckMalloc(tif, dircount16, | ||
45 | dirsize, "to read TIFF directory"); | ||
46 | if (origdir == NULL) | ||
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2023-6277-4.patch b/meta/recipes-multimedia/libtiff/files/CVE-2023-6277-4.patch new file mode 100644 index 0000000000..1a43fd3230 --- /dev/null +++ b/meta/recipes-multimedia/libtiff/files/CVE-2023-6277-4.patch | |||
@@ -0,0 +1,94 @@ | |||
1 | [Ubuntu note: Backport of the following patch from upstream, with a few changes | ||
2 | to match the current version of the file in the present Ubuntu release: | ||
3 | . using TIFFWarningExt instead of TIFFWarningExtR (the latter did not exist yet); | ||
4 | . using uint64 instead of uint64_t to preserve the current code usage; | ||
5 | . calling _TIFFfree(data) instead of _TIFFfreeExt(tif, data) (the latter did not exist yet); | ||
6 | -- Rodrigo Figueiredo Zaiden] | ||
7 | |||
8 | Backport of: | ||
9 | |||
10 | From dbb825a8312f30e63a06c272010967d51af5c35a Mon Sep 17 00:00:00 2001 | ||
11 | From: Even Rouault <even.rouault@spatialys.com> | ||
12 | Date: Tue, 31 Oct 2023 21:30:58 +0100 | ||
13 | Subject: [PATCH] tif_dirread.c: only issue TIFFGetFileSize() for large enough | ||
14 | RAM requests | ||
15 | |||
16 | Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/tiff/tree/debian/patches/CVE-2023-6277-4.patch?h=ubuntu/focal-security | ||
17 | Upstream commit https://gitlab.com/libtiff/libtiff/-/commit/dbb825a8312f30e63a06c272010967d51af5c35a] | ||
18 | CVE: CVE-2023-6277 | ||
19 | Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> | ||
20 | --- | ||
21 | libtiff/tif_dirread.c | 54 +++++++++++++++++++++++++------------------ | ||
22 | 1 file changed, 31 insertions(+), 23 deletions(-) | ||
23 | |||
24 | --- tiff-4.1.0+git191117.orig/libtiff/tif_dirread.c | ||
25 | +++ tiff-4.1.0+git191117/libtiff/tif_dirread.c | ||
26 | @@ -5822,19 +5822,24 @@ TIFFFetchStripThing(TIFF* tif, TIFFDirEn | ||
27 | _TIFFfree(data); | ||
28 | return(0); | ||
29 | } | ||
30 | - /* Before allocating a huge amount of memory for corrupted files, check | ||
31 | - * if size of requested memory is not greater than file size. */ | ||
32 | - uint64 filesize = TIFFGetFileSize(tif); | ||
33 | - uint64 allocsize = (uint64)nstrips * sizeof(uint64); | ||
34 | - if (allocsize > filesize) | ||
35 | + const uint64 allocsize = (uint64)nstrips * sizeof(uint64); | ||
36 | + if (allocsize > 100 * 1024 * 1024) | ||
37 | { | ||
38 | - TIFFWarningExt(tif->tif_clientdata, module, | ||
39 | - "Requested memory size for StripArray of %" PRIu64 | ||
40 | - " is greather than filesize %" PRIu64 | ||
41 | - ". Memory not allocated", | ||
42 | - allocsize, filesize); | ||
43 | - _TIFFfree(data); | ||
44 | - return (0); | ||
45 | + /* Before allocating a huge amount of memory for corrupted files, | ||
46 | + * check if size of requested memory is not greater than file size. | ||
47 | + */ | ||
48 | + const uint64 filesize = TIFFGetFileSize(tif); | ||
49 | + if (allocsize > filesize) | ||
50 | + { | ||
51 | + TIFFWarningExt( | ||
52 | + tif->tif_clientdata, module, | ||
53 | + "Requested memory size for StripArray of %" PRIu64 | ||
54 | + " is greater than filesize %" PRIu64 | ||
55 | + ". Memory not allocated", | ||
56 | + allocsize, filesize); | ||
57 | + _TIFFfree(data); | ||
58 | + return (0); | ||
59 | + } | ||
60 | } | ||
61 | resizeddata=(uint64*)_TIFFCheckMalloc(tif,nstrips,sizeof(uint64),"for strip array"); | ||
62 | if (resizeddata==0) { | ||
63 | @@ -5935,17 +5940,20 @@ static void allocChoppedUpStripArrays(TI | ||
64 | * size of StripByteCount and StripOffset tags is not greater than | ||
65 | * file size. | ||
66 | */ | ||
67 | - uint64 allocsize = (uint64)nstrips * sizeof(uint64) * 2; | ||
68 | - uint64 filesize = TIFFGetFileSize(tif); | ||
69 | - if (allocsize > filesize) | ||
70 | - { | ||
71 | - TIFFWarningExt(tif->tif_clientdata, "allocChoppedUpStripArrays", | ||
72 | - "Requested memory size for StripByteCount and " | ||
73 | - "StripOffsets %" PRIu64 | ||
74 | - " is greather than filesize %" PRIu64 | ||
75 | - ". Memory not allocated", | ||
76 | - allocsize, filesize); | ||
77 | - return; | ||
78 | + const uint64 allocsize = (uint64)nstrips * sizeof(uint64) * 2; | ||
79 | + if (allocsize > 100 * 1024 * 1024) | ||
80 | + { | ||
81 | + const uint64 filesize = TIFFGetFileSize(tif); | ||
82 | + if (allocsize > filesize) | ||
83 | + { | ||
84 | + TIFFWarningExt(tif->tif_clientdata, "allocChoppedUpStripArrays", | ||
85 | + "Requested memory size for StripByteCount and " | ||
86 | + "StripOffsets %" PRIu64 | ||
87 | + " is greater than filesize %" PRIu64 | ||
88 | + ". Memory not allocated", | ||
89 | + allocsize, filesize); | ||
90 | + return; | ||
91 | + } | ||
92 | } | ||
93 | |||
94 | newcounts = (uint64*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64), | ||
diff --git a/meta/recipes-multimedia/libtiff/tiff/561599c99f987dc32ae110370cfdd7df7975586b.patch b/meta/recipes-multimedia/libtiff/tiff/561599c99f987dc32ae110370cfdd7df7975586b.patch new file mode 100644 index 0000000000..01ed5dcd24 --- /dev/null +++ b/meta/recipes-multimedia/libtiff/tiff/561599c99f987dc32ae110370cfdd7df7975586b.patch | |||
@@ -0,0 +1,28 @@ | |||
1 | From 561599c99f987dc32ae110370cfdd7df7975586b Mon Sep 17 00:00:00 2001 | ||
2 | From: Even Rouault <even.rouault@spatialys.com> | ||
3 | Date: Sat, 5 Feb 2022 20:36:41 +0100 | ||
4 | Subject: [PATCH] TIFFReadDirectory(): avoid calling memcpy() with a null | ||
5 | source pointer and size of zero (fixes #362) | ||
6 | |||
7 | Upstream-Status: Backport | ||
8 | CVE: CVE-2022-0562 | ||
9 | Signed-off-by: Sana Kazi <Sana.Kazi@kpit.com> | ||
10 | Comment: Refreshed patch | ||
11 | --- | ||
12 | libtiff/tif_dirread.c | 3 ++- | ||
13 | 1 file changed, 2 insertions(+), 1 deletion(-) | ||
14 | |||
15 | diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c | ||
16 | index 2bbc4585..23194ced 100644 | ||
17 | --- a/libtiff/tif_dirread.c | ||
18 | +++ b/libtiff/tif_dirread.c | ||
19 | @@ -4126,7 +4126,8 @@ | ||
20 | goto bad; | ||
21 | } | ||
22 | |||
23 | - memcpy(new_sampleinfo, tif->tif_dir.td_sampleinfo, old_extrasamples * sizeof(uint16)); | ||
24 | + if (old_extrasamples > 0) | ||
25 | + memcpy(new_sampleinfo, tif->tif_dir.td_sampleinfo, old_extrasamples * sizeof(uint16)); | ||
26 | _TIFFsetShortArray(&tif->tif_dir.td_sampleinfo, new_sampleinfo, tif->tif_dir.td_extrasamples); | ||
27 | _TIFFfree(new_sampleinfo); | ||
28 | } | ||
diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2022-1354.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2022-1354.patch new file mode 100644 index 0000000000..71b85cac10 --- /dev/null +++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2022-1354.patch | |||
@@ -0,0 +1,212 @@ | |||
1 | From 87881e093691a35c60b91cafed058ba2dd5d9807 Mon Sep 17 00:00:00 2001 | ||
2 | From: Even Rouault <even.rouault@spatialys.com> | ||
3 | Date: Sun, 5 Dec 2021 14:37:46 +0100 | ||
4 | Subject: [PATCH] TIFFReadDirectory: fix OJPEG hack (fixes #319) | ||
5 | |||
6 | to avoid having the size of the strip arrays inconsistent with the | ||
7 | number of strips returned by TIFFNumberOfStrips(), which may cause | ||
8 | out-ouf-bounds array read afterwards. | ||
9 | |||
10 | One of the OJPEG hack that alters SamplesPerPixel may influence the | ||
11 | number of strips. Hence compute tif_dir.td_nstrips only afterwards. | ||
12 | |||
13 | CVE: CVE-2022-1354 | ||
14 | |||
15 | Upstream-Status: Backport | ||
16 | [https://gitlab.com/libtiff/libtiff/-/commit/87f580f39011109b3bb5f6eca13fac543a542798] | ||
17 | |||
18 | Signed-off-by: Yi Zhao <yi.zhao@windriver.com> | ||
19 | --- | ||
20 | libtiff/tif_dirread.c | 162 ++++++++++++++++++++++-------------------- | ||
21 | 1 file changed, 83 insertions(+), 79 deletions(-) | ||
22 | |||
23 | diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c | ||
24 | index 8f434ef5..14c031d1 100644 | ||
25 | --- a/libtiff/tif_dirread.c | ||
26 | +++ b/libtiff/tif_dirread.c | ||
27 | @@ -3794,50 +3794,7 @@ TIFFReadDirectory(TIFF* tif) | ||
28 | MissingRequired(tif,"ImageLength"); | ||
29 | goto bad; | ||
30 | } | ||
31 | - /* | ||
32 | - * Setup appropriate structures (by strip or by tile) | ||
33 | - */ | ||
34 | - if (!TIFFFieldSet(tif, FIELD_TILEDIMENSIONS)) { | ||
35 | - tif->tif_dir.td_nstrips = TIFFNumberOfStrips(tif); | ||
36 | - tif->tif_dir.td_tilewidth = tif->tif_dir.td_imagewidth; | ||
37 | - tif->tif_dir.td_tilelength = tif->tif_dir.td_rowsperstrip; | ||
38 | - tif->tif_dir.td_tiledepth = tif->tif_dir.td_imagedepth; | ||
39 | - tif->tif_flags &= ~TIFF_ISTILED; | ||
40 | - } else { | ||
41 | - tif->tif_dir.td_nstrips = TIFFNumberOfTiles(tif); | ||
42 | - tif->tif_flags |= TIFF_ISTILED; | ||
43 | - } | ||
44 | - if (!tif->tif_dir.td_nstrips) { | ||
45 | - TIFFErrorExt(tif->tif_clientdata, module, | ||
46 | - "Cannot handle zero number of %s", | ||
47 | - isTiled(tif) ? "tiles" : "strips"); | ||
48 | - goto bad; | ||
49 | - } | ||
50 | - tif->tif_dir.td_stripsperimage = tif->tif_dir.td_nstrips; | ||
51 | - if (tif->tif_dir.td_planarconfig == PLANARCONFIG_SEPARATE) | ||
52 | - tif->tif_dir.td_stripsperimage /= tif->tif_dir.td_samplesperpixel; | ||
53 | - if (!TIFFFieldSet(tif, FIELD_STRIPOFFSETS)) { | ||
54 | -#ifdef OJPEG_SUPPORT | ||
55 | - if ((tif->tif_dir.td_compression==COMPRESSION_OJPEG) && | ||
56 | - (isTiled(tif)==0) && | ||
57 | - (tif->tif_dir.td_nstrips==1)) { | ||
58 | - /* | ||
59 | - * XXX: OJPEG hack. | ||
60 | - * If a) compression is OJPEG, b) it's not a tiled TIFF, | ||
61 | - * and c) the number of strips is 1, | ||
62 | - * then we tolerate the absence of stripoffsets tag, | ||
63 | - * because, presumably, all required data is in the | ||
64 | - * JpegInterchangeFormat stream. | ||
65 | - */ | ||
66 | - TIFFSetFieldBit(tif, FIELD_STRIPOFFSETS); | ||
67 | - } else | ||
68 | -#endif | ||
69 | - { | ||
70 | - MissingRequired(tif, | ||
71 | - isTiled(tif) ? "TileOffsets" : "StripOffsets"); | ||
72 | - goto bad; | ||
73 | - } | ||
74 | - } | ||
75 | + | ||
76 | /* | ||
77 | * Second pass: extract other information. | ||
78 | */ | ||
79 | @@ -4042,41 +3999,6 @@ TIFFReadDirectory(TIFF* tif) | ||
80 | } /* -- if (!dp->tdir_ignore) */ | ||
81 | } /* -- for-loop -- */ | ||
82 | |||
83 | - if( tif->tif_mode == O_RDWR && | ||
84 | - tif->tif_dir.td_stripoffset_entry.tdir_tag != 0 && | ||
85 | - tif->tif_dir.td_stripoffset_entry.tdir_count == 0 && | ||
86 | - tif->tif_dir.td_stripoffset_entry.tdir_type == 0 && | ||
87 | - tif->tif_dir.td_stripoffset_entry.tdir_offset.toff_long8 == 0 && | ||
88 | - tif->tif_dir.td_stripbytecount_entry.tdir_tag != 0 && | ||
89 | - tif->tif_dir.td_stripbytecount_entry.tdir_count == 0 && | ||
90 | - tif->tif_dir.td_stripbytecount_entry.tdir_type == 0 && | ||
91 | - tif->tif_dir.td_stripbytecount_entry.tdir_offset.toff_long8 == 0 ) | ||
92 | - { | ||
93 | - /* Directory typically created with TIFFDeferStrileArrayWriting() */ | ||
94 | - TIFFSetupStrips(tif); | ||
95 | - } | ||
96 | - else if( !(tif->tif_flags&TIFF_DEFERSTRILELOAD) ) | ||
97 | - { | ||
98 | - if( tif->tif_dir.td_stripoffset_entry.tdir_tag != 0 ) | ||
99 | - { | ||
100 | - if (!TIFFFetchStripThing(tif,&(tif->tif_dir.td_stripoffset_entry), | ||
101 | - tif->tif_dir.td_nstrips, | ||
102 | - &tif->tif_dir.td_stripoffset_p)) | ||
103 | - { | ||
104 | - goto bad; | ||
105 | - } | ||
106 | - } | ||
107 | - if( tif->tif_dir.td_stripbytecount_entry.tdir_tag != 0 ) | ||
108 | - { | ||
109 | - if (!TIFFFetchStripThing(tif,&(tif->tif_dir.td_stripbytecount_entry), | ||
110 | - tif->tif_dir.td_nstrips, | ||
111 | - &tif->tif_dir.td_stripbytecount_p)) | ||
112 | - { | ||
113 | - goto bad; | ||
114 | - } | ||
115 | - } | ||
116 | - } | ||
117 | - | ||
118 | /* | ||
119 | * OJPEG hack: | ||
120 | * - If a) compression is OJPEG, and b) photometric tag is missing, | ||
121 | @@ -4147,6 +4069,88 @@ TIFFReadDirectory(TIFF* tif) | ||
122 | } | ||
123 | } | ||
124 | |||
125 | + /* | ||
126 | + * Setup appropriate structures (by strip or by tile) | ||
127 | + * We do that only after the above OJPEG hack which alters SamplesPerPixel | ||
128 | + * and thus influences the number of strips in the separate planarconfig. | ||
129 | + */ | ||
130 | + if (!TIFFFieldSet(tif, FIELD_TILEDIMENSIONS)) { | ||
131 | + tif->tif_dir.td_nstrips = TIFFNumberOfStrips(tif); | ||
132 | + tif->tif_dir.td_tilewidth = tif->tif_dir.td_imagewidth; | ||
133 | + tif->tif_dir.td_tilelength = tif->tif_dir.td_rowsperstrip; | ||
134 | + tif->tif_dir.td_tiledepth = tif->tif_dir.td_imagedepth; | ||
135 | + tif->tif_flags &= ~TIFF_ISTILED; | ||
136 | + } else { | ||
137 | + tif->tif_dir.td_nstrips = TIFFNumberOfTiles(tif); | ||
138 | + tif->tif_flags |= TIFF_ISTILED; | ||
139 | + } | ||
140 | + if (!tif->tif_dir.td_nstrips) { | ||
141 | + TIFFErrorExt(tif->tif_clientdata, module, | ||
142 | + "Cannot handle zero number of %s", | ||
143 | + isTiled(tif) ? "tiles" : "strips"); | ||
144 | + goto bad; | ||
145 | + } | ||
146 | + tif->tif_dir.td_stripsperimage = tif->tif_dir.td_nstrips; | ||
147 | + if (tif->tif_dir.td_planarconfig == PLANARCONFIG_SEPARATE) | ||
148 | + tif->tif_dir.td_stripsperimage /= tif->tif_dir.td_samplesperpixel; | ||
149 | + if (!TIFFFieldSet(tif, FIELD_STRIPOFFSETS)) { | ||
150 | +#ifdef OJPEG_SUPPORT | ||
151 | + if ((tif->tif_dir.td_compression==COMPRESSION_OJPEG) && | ||
152 | + (isTiled(tif)==0) && | ||
153 | + (tif->tif_dir.td_nstrips==1)) { | ||
154 | + /* | ||
155 | + * XXX: OJPEG hack. | ||
156 | + * If a) compression is OJPEG, b) it's not a tiled TIFF, | ||
157 | + * and c) the number of strips is 1, | ||
158 | + * then we tolerate the absence of stripoffsets tag, | ||
159 | + * because, presumably, all required data is in the | ||
160 | + * JpegInterchangeFormat stream. | ||
161 | + */ | ||
162 | + TIFFSetFieldBit(tif, FIELD_STRIPOFFSETS); | ||
163 | + } else | ||
164 | +#endif | ||
165 | + { | ||
166 | + MissingRequired(tif, | ||
167 | + isTiled(tif) ? "TileOffsets" : "StripOffsets"); | ||
168 | + goto bad; | ||
169 | + } | ||
170 | + } | ||
171 | + | ||
172 | + if( tif->tif_mode == O_RDWR && | ||
173 | + tif->tif_dir.td_stripoffset_entry.tdir_tag != 0 && | ||
174 | + tif->tif_dir.td_stripoffset_entry.tdir_count == 0 && | ||
175 | + tif->tif_dir.td_stripoffset_entry.tdir_type == 0 && | ||
176 | + tif->tif_dir.td_stripoffset_entry.tdir_offset.toff_long8 == 0 && | ||
177 | + tif->tif_dir.td_stripbytecount_entry.tdir_tag != 0 && | ||
178 | + tif->tif_dir.td_stripbytecount_entry.tdir_count == 0 && | ||
179 | + tif->tif_dir.td_stripbytecount_entry.tdir_type == 0 && | ||
180 | + tif->tif_dir.td_stripbytecount_entry.tdir_offset.toff_long8 == 0 ) | ||
181 | + { | ||
182 | + /* Directory typically created with TIFFDeferStrileArrayWriting() */ | ||
183 | + TIFFSetupStrips(tif); | ||
184 | + } | ||
185 | + else if( !(tif->tif_flags&TIFF_DEFERSTRILELOAD) ) | ||
186 | + { | ||
187 | + if( tif->tif_dir.td_stripoffset_entry.tdir_tag != 0 ) | ||
188 | + { | ||
189 | + if (!TIFFFetchStripThing(tif,&(tif->tif_dir.td_stripoffset_entry), | ||
190 | + tif->tif_dir.td_nstrips, | ||
191 | + &tif->tif_dir.td_stripoffset_p)) | ||
192 | + { | ||
193 | + goto bad; | ||
194 | + } | ||
195 | + } | ||
196 | + if( tif->tif_dir.td_stripbytecount_entry.tdir_tag != 0 ) | ||
197 | + { | ||
198 | + if (!TIFFFetchStripThing(tif,&(tif->tif_dir.td_stripbytecount_entry), | ||
199 | + tif->tif_dir.td_nstrips, | ||
200 | + &tif->tif_dir.td_stripbytecount_p)) | ||
201 | + { | ||
202 | + goto bad; | ||
203 | + } | ||
204 | + } | ||
205 | + } | ||
206 | + | ||
207 | /* | ||
208 | * Make sure all non-color channels are extrasamples. | ||
209 | * If it's not the case, define them as such. | ||
210 | -- | ||
211 | 2.25.1 | ||
212 | |||
diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2022-1355.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2022-1355.patch new file mode 100644 index 0000000000..e59f5aad55 --- /dev/null +++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2022-1355.patch | |||
@@ -0,0 +1,62 @@ | |||
1 | From fb1db384959698edd6caeea84e28253d272a0f96 Mon Sep 17 00:00:00 2001 | ||
2 | From: Su_Laus <sulau@freenet.de> | ||
3 | Date: Sat, 2 Apr 2022 22:33:31 +0200 | ||
4 | Subject: [PATCH] tiffcp: avoid buffer overflow in "mode" string (fixes #400) | ||
5 | |||
6 | CVE: CVE-2022-1355 | ||
7 | |||
8 | Upstream-Status: Backport | ||
9 | [https://gitlab.com/libtiff/libtiff/-/commit/c1ae29f9ebacd29b7c3e0c7db671af7db3584bc2] | ||
10 | |||
11 | Signed-off-by: Yi Zhao <yi.zhao@windriver.com> | ||
12 | --- | ||
13 | tools/tiffcp.c | 25 ++++++++++++++++++++----- | ||
14 | 1 file changed, 20 insertions(+), 5 deletions(-) | ||
15 | |||
16 | diff --git a/tools/tiffcp.c b/tools/tiffcp.c | ||
17 | index fd129bb7..8d944ff6 100644 | ||
18 | --- a/tools/tiffcp.c | ||
19 | +++ b/tools/tiffcp.c | ||
20 | @@ -274,19 +274,34 @@ main(int argc, char* argv[]) | ||
21 | deftilewidth = atoi(optarg); | ||
22 | break; | ||
23 | case 'B': | ||
24 | - *mp++ = 'b'; *mp = '\0'; | ||
25 | + if (strlen(mode) < (sizeof(mode) - 1)) | ||
26 | + { | ||
27 | + *mp++ = 'b'; *mp = '\0'; | ||
28 | + } | ||
29 | break; | ||
30 | case 'L': | ||
31 | - *mp++ = 'l'; *mp = '\0'; | ||
32 | + if (strlen(mode) < (sizeof(mode) - 1)) | ||
33 | + { | ||
34 | + *mp++ = 'l'; *mp = '\0'; | ||
35 | + } | ||
36 | break; | ||
37 | case 'M': | ||
38 | - *mp++ = 'm'; *mp = '\0'; | ||
39 | + if (strlen(mode) < (sizeof(mode) - 1)) | ||
40 | + { | ||
41 | + *mp++ = 'm'; *mp = '\0'; | ||
42 | + } | ||
43 | break; | ||
44 | case 'C': | ||
45 | - *mp++ = 'c'; *mp = '\0'; | ||
46 | + if (strlen(mode) < (sizeof(mode) - 1)) | ||
47 | + { | ||
48 | + *mp++ = 'c'; *mp = '\0'; | ||
49 | + } | ||
50 | break; | ||
51 | case '8': | ||
52 | - *mp++ = '8'; *mp = '\0'; | ||
53 | + if (strlen(mode) < (sizeof(mode)-1)) | ||
54 | + { | ||
55 | + *mp++ = '8'; *mp = '\0'; | ||
56 | + } | ||
57 | break; | ||
58 | case 'x': | ||
59 | pageInSeq = 1; | ||
60 | -- | ||
61 | 2.25.1 | ||
62 | |||
diff --git a/meta/recipes-multimedia/libtiff/tiff/eecb0712f4c3a5b449f70c57988260a667ddbdef.patch b/meta/recipes-multimedia/libtiff/tiff/eecb0712f4c3a5b449f70c57988260a667ddbdef.patch new file mode 100644 index 0000000000..fc5d0ab5f4 --- /dev/null +++ b/meta/recipes-multimedia/libtiff/tiff/eecb0712f4c3a5b449f70c57988260a667ddbdef.patch | |||
@@ -0,0 +1,30 @@ | |||
1 | From eecb0712f4c3a5b449f70c57988260a667ddbdef Mon Sep 17 00:00:00 2001 | ||
2 | From: Even Rouault <even.rouault@spatialys.com> | ||
3 | Date: Sun, 6 Feb 2022 13:08:38 +0100 | ||
4 | Subject: [PATCH] TIFFFetchStripThing(): avoid calling memcpy() with a null | ||
5 | source pointer and size of zero (fixes #362) | ||
6 | |||
7 | Upstream-Status: Backport | ||
8 | CVE: CVE-2022-0561 | ||
9 | Signed-off-by: Sana Kazi <Sana.Kazi@kpit.com> | ||
10 | Comment: Refreshed patch | ||
11 | --- | ||
12 | libtiff/tif_dirread.c | 5 +++-- | ||
13 | 1 file changed, 3 insertions(+), 2 deletions(-) | ||
14 | |||
15 | diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c | ||
16 | index 23194ced..50ebf8ac 100644 | ||
17 | --- a/libtiff/tif_dirread.c | ||
18 | +++ b/libtiff/tif_dirread.c | ||
19 | @@ -5683,8 +5682,9 @@ | ||
20 | _TIFFfree(data); | ||
21 | return(0); | ||
22 | } | ||
23 | - _TIFFmemcpy(resizeddata,data,(uint32)dir->tdir_count*sizeof(uint64)); | ||
24 | - _TIFFmemset(resizeddata+(uint32)dir->tdir_count,0,(nstrips-(uint32)dir->tdir_count)*sizeof(uint64)); | ||
25 | + if( dir->tdir_count ) | ||
26 | + _TIFFmemcpy(resizeddata,data, (uint32)dir->tdir_count * sizeof(uint64)); | ||
27 | + _TIFFmemset(resizeddata+(uint32)dir->tdir_count, 0, (nstrips - (uint32)dir->tdir_count) * sizeof(uint64)); | ||
28 | _TIFFfree(data); | ||
29 | data=resizeddata; | ||
30 | } | ||
diff --git a/meta/recipes-multimedia/libtiff/tiff_4.1.0.bb b/meta/recipes-multimedia/libtiff/tiff_4.1.0.bb index 1f92c18513..7efaba3a38 100644 --- a/meta/recipes-multimedia/libtiff/tiff_4.1.0.bb +++ b/meta/recipes-multimedia/libtiff/tiff_4.1.0.bb | |||
@@ -1,10 +1,59 @@ | |||
1 | SUMMARY = "Provides support for the Tag Image File Format (TIFF)" | 1 | SUMMARY = "Provides support for the Tag Image File Format (TIFF)" |
2 | DESCRIPTION = "Library provides support for the Tag Image File Format \ | ||
3 | (TIFF), a widely used format for storing image data. This library \ | ||
4 | provide means to easily access and create TIFF image files." | ||
5 | HOMEPAGE = "http://www.libtiff.org/" | ||
2 | LICENSE = "BSD-2-Clause" | 6 | LICENSE = "BSD-2-Clause" |
3 | LIC_FILES_CHKSUM = "file://COPYRIGHT;md5=34da3db46fab7501992f9615d7e158cf" | 7 | LIC_FILES_CHKSUM = "file://COPYRIGHT;md5=34da3db46fab7501992f9615d7e158cf" |
4 | 8 | ||
5 | CVE_PRODUCT = "libtiff" | 9 | CVE_PRODUCT = "libtiff" |
6 | 10 | ||
7 | SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \ | 11 | SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \ |
12 | file://CVE-2020-35523.patch \ | ||
13 | file://CVE-2020-35524-1.patch \ | ||
14 | file://CVE-2020-35524-2.patch \ | ||
15 | file://001_support_patch_for_CVE-2020-35521_and_CVE-2020-35522.patch \ | ||
16 | file://002_support_patch_for_CVE-2020-35521_and_CVE-2020-35522.patch \ | ||
17 | file://CVE-2020-35521_and_CVE-2020-35522.patch \ | ||
18 | file://0001-tiffset-fix-global-buffer-overflow-for-ASCII-tags-wh.patch \ | ||
19 | file://561599c99f987dc32ae110370cfdd7df7975586b.patch \ | ||
20 | file://eecb0712f4c3a5b449f70c57988260a667ddbdef.patch \ | ||
21 | file://CVE-2022-0865.patch \ | ||
22 | file://CVE-2022-0908.patch \ | ||
23 | file://CVE-2022-0907.patch \ | ||
24 | file://CVE-2022-0909.patch \ | ||
25 | file://CVE-2022-0891.patch \ | ||
26 | file://CVE-2022-0924.patch \ | ||
27 | file://CVE-2022-2056-CVE-2022-2057-CVE-2022-2058.patch \ | ||
28 | file://CVE-2022-34526.patch \ | ||
29 | file://CVE-2022-2867-CVE-2022-2868-CVE-2022-2869.patch \ | ||
30 | file://CVE-2022-1354.patch \ | ||
31 | file://CVE-2022-1355.patch \ | ||
32 | file://CVE-2022-3570_3598.patch \ | ||
33 | file://CVE-2022-3597_3626_3627.patch \ | ||
34 | file://CVE-2022-3599.patch \ | ||
35 | file://CVE-2022-3970.patch \ | ||
36 | file://CVE-2022-48281.patch \ | ||
37 | file://CVE-2023-0795_0796_0797_0798_0799.patch \ | ||
38 | file://CVE-2023-0800_0801_0802_0803_0804.patch \ | ||
39 | file://CVE-2023-1916.patch \ | ||
40 | file://CVE-2023-25433.patch \ | ||
41 | file://CVE-2023-25434-CVE-2023-25435.patch \ | ||
42 | file://CVE-2023-26965.patch \ | ||
43 | file://CVE-2023-26966.patch \ | ||
44 | file://CVE-2023-2908.patch \ | ||
45 | file://CVE-2023-3316.patch \ | ||
46 | file://CVE-2023-3576.patch \ | ||
47 | file://CVE-2023-3618.patch \ | ||
48 | file://CVE-2023-40745.patch \ | ||
49 | file://CVE-2023-41175.patch \ | ||
50 | file://CVE-2022-40090.patch \ | ||
51 | file://CVE-2023-6228.patch \ | ||
52 | file://CVE-2023-6277-1.patch \ | ||
53 | file://CVE-2023-6277-2.patch \ | ||
54 | file://CVE-2023-6277-3.patch \ | ||
55 | file://CVE-2023-6277-4.patch \ | ||
56 | file://CVE-2023-52356.patch \ | ||
8 | " | 57 | " |
9 | SRC_URI[md5sum] = "2165e7aba557463acc0664e71a3ed424" | 58 | SRC_URI[md5sum] = "2165e7aba557463acc0664e71a3ed424" |
10 | SRC_URI[sha256sum] = "5d29f32517dadb6dbcd1255ea5bbc93a2b54b94fbf83653b4d65c7d6775b8634" | 59 | SRC_URI[sha256sum] = "5d29f32517dadb6dbcd1255ea5bbc93a2b54b94fbf83653b4d65c7d6775b8634" |
@@ -12,6 +61,10 @@ SRC_URI[sha256sum] = "5d29f32517dadb6dbcd1255ea5bbc93a2b54b94fbf83653b4d65c7d677 | |||
12 | # exclude betas | 61 | # exclude betas |
13 | UPSTREAM_CHECK_REGEX = "tiff-(?P<pver>\d+(\.\d+)+).tar" | 62 | UPSTREAM_CHECK_REGEX = "tiff-(?P<pver>\d+(\.\d+)+).tar" |
14 | 63 | ||
64 | # Tested with check from https://security-tracker.debian.org/tracker/CVE-2015-7313 | ||
65 | # and 4.1.0 doesn't have the issue | ||
66 | CVE_CHECK_WHITELIST += "CVE-2015-7313" | ||
67 | |||
15 | inherit autotools multilib_header | 68 | inherit autotools multilib_header |
16 | 69 | ||
17 | CACHED_CONFIGUREVARS = "ax_cv_check_gl_libgl=no" | 70 | CACHED_CONFIGUREVARS = "ax_cv_check_gl_libgl=no" |
diff --git a/meta/recipes-multimedia/mpeg2dec/mpeg2dec_0.5.1.bb b/meta/recipes-multimedia/mpeg2dec/mpeg2dec_0.5.1.bb index 00ca3675ca..d603602584 100644 --- a/meta/recipes-multimedia/mpeg2dec/mpeg2dec_0.5.1.bb +++ b/meta/recipes-multimedia/mpeg2dec/mpeg2dec_0.5.1.bb | |||
@@ -1,5 +1,9 @@ | |||
1 | SUMMARY = "Library and test program for decoding MPEG-2 and MPEG-1 video streams" | 1 | SUMMARY = "Library and test program for decoding MPEG-2 and MPEG-1 video streams" |
2 | HOMEPAGE = "http://libmpeg2.sourceforge.net/" | 2 | DESCRIPTION = "mpeg2dec is a test program for libmpeg2. It decodes \ |
3 | mpeg-1 and mpeg-2 video streams, and also includes a demultiplexer \ | ||
4 | for mpeg-1 and mpeg-2 program streams. The main purpose of mpeg2dec \ | ||
5 | is to have a simple test bed for libmpeg2." | ||
6 | HOMEPAGE = "https://libmpeg2.sourceforge.io/" | ||
3 | SECTION = "libs" | 7 | SECTION = "libs" |
4 | LICENSE = "GPLv2+" | 8 | LICENSE = "GPLv2+" |
5 | LICENSE_FLAGS = "commercial" | 9 | LICENSE_FLAGS = "commercial" |
diff --git a/meta/recipes-multimedia/pulseaudio/pulseaudio.inc b/meta/recipes-multimedia/pulseaudio/pulseaudio.inc index 417eb1d9d3..317983edb2 100644 --- a/meta/recipes-multimedia/pulseaudio/pulseaudio.inc +++ b/meta/recipes-multimedia/pulseaudio/pulseaudio.inc | |||
@@ -1,4 +1,6 @@ | |||
1 | SUMMARY = "Sound server for Linux and Unix-like operating systems" | 1 | SUMMARY = "Sound server for Linux and Unix-like operating systems" |
2 | DESCRIPTION = "A general purpose sound server intended to run as a middleware \ | ||
3 | between your applications and your hardware devices, either using ALSA or OSS." | ||
2 | HOMEPAGE = "http://www.pulseaudio.org" | 4 | HOMEPAGE = "http://www.pulseaudio.org" |
3 | AUTHOR = "Lennart Poettering" | 5 | AUTHOR = "Lennart Poettering" |
4 | SECTION = "libs/multimedia" | 6 | SECTION = "libs/multimedia" |
diff --git a/meta/recipes-multimedia/speex/speex/CVE-2020-23903.patch b/meta/recipes-multimedia/speex/speex/CVE-2020-23903.patch new file mode 100644 index 0000000000..eb16e95ffc --- /dev/null +++ b/meta/recipes-multimedia/speex/speex/CVE-2020-23903.patch | |||
@@ -0,0 +1,30 @@ | |||
1 | Backport patch to fix CVE-2020-23903. | ||
2 | |||
3 | CVE: CVE-2020-23903 | ||
4 | Upstream-Status: Backport [https://github.com/xiph/speex/commit/870ff84] | ||
5 | |||
6 | Signed-off-by: Kai Kang <kai.kang@windriver.com> | ||
7 | |||
8 | From 870ff845b32f314aec0036641ffe18aba4916887 Mon Sep 17 00:00:00 2001 | ||
9 | From: Tristan Matthews <tmatth@videolan.org> | ||
10 | Date: Mon, 13 Jul 2020 23:25:03 -0400 | ||
11 | Subject: [PATCH] wav_io: guard against invalid channel numbers | ||
12 | |||
13 | Fixes #13 | ||
14 | --- | ||
15 | src/wav_io.c | 2 +- | ||
16 | 1 file changed, 1 insertion(+), 1 deletion(-) | ||
17 | |||
18 | diff --git a/src/wav_io.c b/src/wav_io.c | ||
19 | index b5183015..09d62eb0 100644 | ||
20 | --- a/src/wav_io.c | ||
21 | +++ b/src/wav_io.c | ||
22 | @@ -111,7 +111,7 @@ int read_wav_header(FILE *file, int *rate, int *channels, int *format, spx_int32 | ||
23 | stmp = le_short(stmp); | ||
24 | *channels = stmp; | ||
25 | |||
26 | - if (stmp>2) | ||
27 | + if (stmp>2 || stmp<1) | ||
28 | { | ||
29 | fprintf (stderr, "Only mono and (intensity) stereo supported\n"); | ||
30 | return -1; | ||
diff --git a/meta/recipes-multimedia/speex/speex_1.2.0.bb b/meta/recipes-multimedia/speex/speex_1.2.0.bb index 3a0911d6f8..ea475f0f1b 100644 --- a/meta/recipes-multimedia/speex/speex_1.2.0.bb +++ b/meta/recipes-multimedia/speex/speex_1.2.0.bb | |||
@@ -7,7 +7,9 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=314649d8ba9dd7045dfb6683f298d0a8 \ | |||
7 | file://include/speex/speex.h;beginline=1;endline=34;md5=ef8c8ea4f7198d71cf3509c6ed05ea50" | 7 | file://include/speex/speex.h;beginline=1;endline=34;md5=ef8c8ea4f7198d71cf3509c6ed05ea50" |
8 | DEPENDS = "libogg speexdsp" | 8 | DEPENDS = "libogg speexdsp" |
9 | 9 | ||
10 | SRC_URI = "http://downloads.xiph.org/releases/speex/speex-${PV}.tar.gz" | 10 | SRC_URI = "http://downloads.xiph.org/releases/speex/speex-${PV}.tar.gz \ |
11 | file://CVE-2020-23903.patch \ | ||
12 | " | ||
11 | UPSTREAM_CHECK_REGEX = "speex-(?P<pver>\d+(\.\d+)+)\.tar" | 13 | UPSTREAM_CHECK_REGEX = "speex-(?P<pver>\d+(\.\d+)+)\.tar" |
12 | 14 | ||
13 | SRC_URI[md5sum] = "8ab7bb2589110dfaf0ed7fa7757dc49c" | 15 | SRC_URI[md5sum] = "8ab7bb2589110dfaf0ed7fa7757dc49c" |
diff --git a/meta/recipes-multimedia/webp/files/CVE-2023-1999.patch b/meta/recipes-multimedia/webp/files/CVE-2023-1999.patch new file mode 100644 index 0000000000..d293ab93ab --- /dev/null +++ b/meta/recipes-multimedia/webp/files/CVE-2023-1999.patch | |||
@@ -0,0 +1,55 @@ | |||
1 | From a486d800b60d0af4cc0836bf7ed8f21e12974129 Mon Sep 17 00:00:00 2001 | ||
2 | From: James Zern <jzern@google.com> | ||
3 | Date: Wed, 22 Feb 2023 22:15:47 -0800 | ||
4 | Subject: [PATCH] EncodeAlphaInternal: clear result->bw on error | ||
5 | |||
6 | This avoids a double free should the function fail prior to | ||
7 | VP8BitWriterInit() and a previous trial result's buffer carried over. | ||
8 | Previously in ApplyFiltersAndEncode() trial.bw (with a previous | ||
9 | iteration's buffer) would be freed, followed by best.bw pointing to the | ||
10 | same buffer. | ||
11 | |||
12 | Since: | ||
13 | 187d379d add a fallback to ALPHA_NO_COMPRESSION | ||
14 | |||
15 | In addition, check the return value of VP8BitWriterInit() in this | ||
16 | function. | ||
17 | |||
18 | Bug: webp:603 | ||
19 | Change-Id: Ic258381ee26c8c16bc211d157c8153831c8c6910 | ||
20 | |||
21 | CVE: CVE-2023-1999 | ||
22 | Upstream-Status: Backport [https://github.com/webmproject/libwebp/commit/a486d800b60d0af4cc0836bf7ed8f21e12974129] | ||
23 | Signed-off-by: Nikhil R <nikhil.r@kpit.com> | ||
24 | --- | ||
25 | src/enc/alpha_enc.c | 4 +++- | ||
26 | 1 file changed, 3 insertions(+), 1 deletion(-) | ||
27 | |||
28 | diff --git a/src/enc/alpha_enc.c b/src/enc/alpha_enc.c | ||
29 | index f7c02690e3..7d205586fe 100644 | ||
30 | --- a/src/enc/alpha_enc.c | ||
31 | +++ b/src/enc/alpha_enc.c | ||
32 | @@ -13,6 +13,7 @@ | ||
33 | |||
34 | #include <assert.h> | ||
35 | #include <stdlib.h> | ||
36 | +#include <string.h> | ||
37 | |||
38 | #include "src/enc/vp8i_enc.h" | ||
39 | #include "src/dsp/dsp.h" | ||
40 | @@ -148,6 +149,7 @@ static int EncodeAlphaInternal(const uint8_t* const data, int width, int height, | ||
41 | } | ||
42 | } else { | ||
43 | VP8LBitWriterWipeOut(&tmp_bw); | ||
44 | + memset(&result->bw, 0, sizeof(result->bw)); | ||
45 | return 0; | ||
46 | } | ||
47 | } | ||
48 | @@ -162,7 +164,7 @@ static int EncodeAlphaInternal(const uint8_t* const data, int width, int height, | ||
49 | header = method | (filter << 2); | ||
50 | if (reduce_levels) header |= ALPHA_PREPROCESSED_LEVELS << 4; | ||
51 | |||
52 | - VP8BitWriterInit(&result->bw, ALPHA_HEADER_LEN + output_size); | ||
53 | + if (!VP8BitWriterInit(&result->bw, ALPHA_HEADER_LEN + output_size)) ok = 0; | ||
54 | ok = ok && VP8BitWriterAppend(&result->bw, &header, ALPHA_HEADER_LEN); | ||
55 | ok = ok && VP8BitWriterAppend(&result->bw, output, output_size); | ||
diff --git a/meta/recipes-multimedia/webp/files/CVE-2023-4863-0001.patch b/meta/recipes-multimedia/webp/files/CVE-2023-4863-0001.patch new file mode 100644 index 0000000000..419b12f7d9 --- /dev/null +++ b/meta/recipes-multimedia/webp/files/CVE-2023-4863-0001.patch | |||
@@ -0,0 +1,366 @@ | |||
1 | From 902bc9190331343b2017211debcec8d2ab87e17a Mon Sep 17 00:00:00 2001 | ||
2 | From: Vincent Rabaud <vrabaud@google.com> | ||
3 | Date: Thu, 7 Sep 2023 21:16:03 +0200 | ||
4 | Subject: [PATCH 1/2] Fix OOB write in BuildHuffmanTable. | ||
5 | |||
6 | First, BuildHuffmanTable is called to check if the data is valid. | ||
7 | If it is and the table is not big enough, more memory is allocated. | ||
8 | |||
9 | This will make sure that valid (but unoptimized because of unbalanced | ||
10 | codes) streams are still decodable. | ||
11 | |||
12 | Bug: chromium:1479274 | ||
13 | Change-Id: I31c36dbf3aa78d35ecf38706b50464fd3d375741 | ||
14 | |||
15 | CVE: CVE-2023-4863 | ||
16 | |||
17 | Upstream-Status: Backport [https://github.com/webmproject/libwebp/commit/902bc9190331343b2017211debcec8d2ab87e17a] | ||
18 | |||
19 | Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com> | ||
20 | --- | ||
21 | src/dec/vp8l_dec.c | 46 ++++++++++--------- | ||
22 | src/dec/vp8li_dec.h | 2 +- | ||
23 | src/utils/huffman_utils.c | 97 +++++++++++++++++++++++++++++++-------- | ||
24 | src/utils/huffman_utils.h | 27 +++++++++-- | ||
25 | 4 files changed, 129 insertions(+), 43 deletions(-) | ||
26 | |||
27 | diff --git a/src/dec/vp8l_dec.c b/src/dec/vp8l_dec.c | ||
28 | index 93615d4..0d38314 100644 | ||
29 | --- a/src/dec/vp8l_dec.c | ||
30 | +++ b/src/dec/vp8l_dec.c | ||
31 | @@ -253,11 +253,11 @@ static int ReadHuffmanCodeLengths( | ||
32 | int symbol; | ||
33 | int max_symbol; | ||
34 | int prev_code_len = DEFAULT_CODE_LENGTH; | ||
35 | - HuffmanCode table[1 << LENGTHS_TABLE_BITS]; | ||
36 | + HuffmanTables tables; | ||
37 | |||
38 | - if (!VP8LBuildHuffmanTable(table, LENGTHS_TABLE_BITS, | ||
39 | - code_length_code_lengths, | ||
40 | - NUM_CODE_LENGTH_CODES)) { | ||
41 | + if (!VP8LHuffmanTablesAllocate(1 << LENGTHS_TABLE_BITS, &tables) || | ||
42 | + !VP8LBuildHuffmanTable(&tables, LENGTHS_TABLE_BITS, | ||
43 | + code_length_code_lengths, NUM_CODE_LENGTH_CODES)) { | ||
44 | goto End; | ||
45 | } | ||
46 | |||
47 | @@ -277,7 +277,7 @@ static int ReadHuffmanCodeLengths( | ||
48 | int code_len; | ||
49 | if (max_symbol-- == 0) break; | ||
50 | VP8LFillBitWindow(br); | ||
51 | - p = &table[VP8LPrefetchBits(br) & LENGTHS_TABLE_MASK]; | ||
52 | + p = &tables.curr_segment->start[VP8LPrefetchBits(br) & LENGTHS_TABLE_MASK]; | ||
53 | VP8LSetBitPos(br, br->bit_pos_ + p->bits); | ||
54 | code_len = p->value; | ||
55 | if (code_len < kCodeLengthLiterals) { | ||
56 | @@ -300,6 +300,7 @@ static int ReadHuffmanCodeLengths( | ||
57 | ok = 1; | ||
58 | |||
59 | End: | ||
60 | + VP8LHuffmanTablesDeallocate(&tables); | ||
61 | if (!ok) dec->status_ = VP8_STATUS_BITSTREAM_ERROR; | ||
62 | return ok; | ||
63 | } | ||
64 | @@ -307,7 +308,8 @@ static int ReadHuffmanCodeLengths( | ||
65 | // 'code_lengths' is pre-allocated temporary buffer, used for creating Huffman | ||
66 | // tree. | ||
67 | static int ReadHuffmanCode(int alphabet_size, VP8LDecoder* const dec, | ||
68 | - int* const code_lengths, HuffmanCode* const table) { | ||
69 | + int* const code_lengths, | ||
70 | + HuffmanTables* const table) { | ||
71 | int ok = 0; | ||
72 | int size = 0; | ||
73 | VP8LBitReader* const br = &dec->br_; | ||
74 | @@ -362,8 +364,7 @@ static int ReadHuffmanCodes(VP8LDecoder* const dec, int xsize, int ysize, | ||
75 | VP8LMetadata* const hdr = &dec->hdr_; | ||
76 | uint32_t* huffman_image = NULL; | ||
77 | HTreeGroup* htree_groups = NULL; | ||
78 | - HuffmanCode* huffman_tables = NULL; | ||
79 | - HuffmanCode* huffman_table = NULL; | ||
80 | + HuffmanTables* huffman_tables = &hdr->huffman_tables_; | ||
81 | int num_htree_groups = 1; | ||
82 | int num_htree_groups_max = 1; | ||
83 | int max_alphabet_size = 0; | ||
84 | @@ -372,6 +373,10 @@ static int ReadHuffmanCodes(VP8LDecoder* const dec, int xsize, int ysize, | ||
85 | int* mapping = NULL; | ||
86 | int ok = 0; | ||
87 | |||
88 | + // Check the table has been 0 initialized (through InitMetadata). | ||
89 | + assert(huffman_tables->root.start == NULL); | ||
90 | + assert(huffman_tables->curr_segment == NULL); | ||
91 | + | ||
92 | if (allow_recursion && VP8LReadBits(br, 1)) { | ||
93 | // use meta Huffman codes. | ||
94 | const int huffman_precision = VP8LReadBits(br, 3) + 2; | ||
95 | @@ -434,16 +439,15 @@ static int ReadHuffmanCodes(VP8LDecoder* const dec, int xsize, int ysize, | ||
96 | |||
97 | code_lengths = (int*)WebPSafeCalloc((uint64_t)max_alphabet_size, | ||
98 | sizeof(*code_lengths)); | ||
99 | - huffman_tables = (HuffmanCode*)WebPSafeMalloc(num_htree_groups * table_size, | ||
100 | - sizeof(*huffman_tables)); | ||
101 | htree_groups = VP8LHtreeGroupsNew(num_htree_groups); | ||
102 | |||
103 | - if (htree_groups == NULL || code_lengths == NULL || huffman_tables == NULL) { | ||
104 | + if (htree_groups == NULL || code_lengths == NULL || | ||
105 | + !VP8LHuffmanTablesAllocate(num_htree_groups * table_size, | ||
106 | + huffman_tables)) { | ||
107 | dec->status_ = VP8_STATUS_OUT_OF_MEMORY; | ||
108 | goto Error; | ||
109 | } | ||
110 | |||
111 | - huffman_table = huffman_tables; | ||
112 | for (i = 0; i < num_htree_groups_max; ++i) { | ||
113 | // If the index "i" is unused in the Huffman image, just make sure the | ||
114 | // coefficients are valid but do not store them. | ||
115 | @@ -468,19 +472,20 @@ static int ReadHuffmanCodes(VP8LDecoder* const dec, int xsize, int ysize, | ||
116 | int max_bits = 0; | ||
117 | for (j = 0; j < HUFFMAN_CODES_PER_META_CODE; ++j) { | ||
118 | int alphabet_size = kAlphabetSize[j]; | ||
119 | - htrees[j] = huffman_table; | ||
120 | if (j == 0 && color_cache_bits > 0) { | ||
121 | alphabet_size += (1 << color_cache_bits); | ||
122 | } | ||
123 | - size = ReadHuffmanCode(alphabet_size, dec, code_lengths, huffman_table); | ||
124 | + size = | ||
125 | + ReadHuffmanCode(alphabet_size, dec, code_lengths, huffman_tables); | ||
126 | + htrees[j] = huffman_tables->curr_segment->curr_table; | ||
127 | if (size == 0) { | ||
128 | goto Error; | ||
129 | } | ||
130 | if (is_trivial_literal && kLiteralMap[j] == 1) { | ||
131 | - is_trivial_literal = (huffman_table->bits == 0); | ||
132 | + is_trivial_literal = (htrees[j]->bits == 0); | ||
133 | } | ||
134 | - total_size += huffman_table->bits; | ||
135 | - huffman_table += size; | ||
136 | + total_size += htrees[j]->bits; | ||
137 | + huffman_tables->curr_segment->curr_table += size; | ||
138 | if (j <= ALPHA) { | ||
139 | int local_max_bits = code_lengths[0]; | ||
140 | int k; | ||
141 | @@ -515,14 +520,13 @@ static int ReadHuffmanCodes(VP8LDecoder* const dec, int xsize, int ysize, | ||
142 | hdr->huffman_image_ = huffman_image; | ||
143 | hdr->num_htree_groups_ = num_htree_groups; | ||
144 | hdr->htree_groups_ = htree_groups; | ||
145 | - hdr->huffman_tables_ = huffman_tables; | ||
146 | |||
147 | Error: | ||
148 | WebPSafeFree(code_lengths); | ||
149 | WebPSafeFree(mapping); | ||
150 | if (!ok) { | ||
151 | WebPSafeFree(huffman_image); | ||
152 | - WebPSafeFree(huffman_tables); | ||
153 | + VP8LHuffmanTablesDeallocate(huffman_tables); | ||
154 | VP8LHtreeGroupsFree(htree_groups); | ||
155 | } | ||
156 | return ok; | ||
157 | @@ -1354,7 +1358,7 @@ static void ClearMetadata(VP8LMetadata* const hdr) { | ||
158 | assert(hdr != NULL); | ||
159 | |||
160 | WebPSafeFree(hdr->huffman_image_); | ||
161 | - WebPSafeFree(hdr->huffman_tables_); | ||
162 | + VP8LHuffmanTablesDeallocate(&hdr->huffman_tables_); | ||
163 | VP8LHtreeGroupsFree(hdr->htree_groups_); | ||
164 | VP8LColorCacheClear(&hdr->color_cache_); | ||
165 | VP8LColorCacheClear(&hdr->saved_color_cache_); | ||
166 | @@ -1670,7 +1674,7 @@ int VP8LDecodeImage(VP8LDecoder* const dec) { | ||
167 | // Sanity checks. | ||
168 | if (dec == NULL) return 0; | ||
169 | |||
170 | - assert(dec->hdr_.huffman_tables_ != NULL); | ||
171 | + assert(dec->hdr_.huffman_tables_.root.start != NULL); | ||
172 | assert(dec->hdr_.htree_groups_ != NULL); | ||
173 | assert(dec->hdr_.num_htree_groups_ > 0); | ||
174 | |||
175 | diff --git a/src/dec/vp8li_dec.h b/src/dec/vp8li_dec.h | ||
176 | index 72b2e86..32540a4 100644 | ||
177 | --- a/src/dec/vp8li_dec.h | ||
178 | +++ b/src/dec/vp8li_dec.h | ||
179 | @@ -51,7 +51,7 @@ typedef struct { | ||
180 | uint32_t* huffman_image_; | ||
181 | int num_htree_groups_; | ||
182 | HTreeGroup* htree_groups_; | ||
183 | - HuffmanCode* huffman_tables_; | ||
184 | + HuffmanTables huffman_tables_; | ||
185 | } VP8LMetadata; | ||
186 | |||
187 | typedef struct VP8LDecoder VP8LDecoder; | ||
188 | diff --git a/src/utils/huffman_utils.c b/src/utils/huffman_utils.c | ||
189 | index 0cba0fb..9efd628 100644 | ||
190 | --- a/src/utils/huffman_utils.c | ||
191 | +++ b/src/utils/huffman_utils.c | ||
192 | @@ -177,21 +177,24 @@ static int BuildHuffmanTable(HuffmanCode* const root_table, int root_bits, | ||
193 | if (num_open < 0) { | ||
194 | return 0; | ||
195 | } | ||
196 | - if (root_table == NULL) continue; | ||
197 | for (; count[len] > 0; --count[len]) { | ||
198 | HuffmanCode code; | ||
199 | if ((key & mask) != low) { | ||
200 | - table += table_size; | ||
201 | + if (root_table != NULL) table += table_size; | ||
202 | table_bits = NextTableBitSize(count, len, root_bits); | ||
203 | table_size = 1 << table_bits; | ||
204 | total_size += table_size; | ||
205 | low = key & mask; | ||
206 | - root_table[low].bits = (uint8_t)(table_bits + root_bits); | ||
207 | - root_table[low].value = (uint16_t)((table - root_table) - low); | ||
208 | + if (root_table != NULL) { | ||
209 | + root_table[low].bits = (uint8_t)(table_bits + root_bits); | ||
210 | + root_table[low].value = (uint16_t)((table - root_table) - low); | ||
211 | + } | ||
212 | + } | ||
213 | + if (root_table != NULL) { | ||
214 | + code.bits = (uint8_t)(len - root_bits); | ||
215 | + code.value = (uint16_t)sorted[symbol++]; | ||
216 | + ReplicateValue(&table[key >> root_bits], step, table_size, code); | ||
217 | } | ||
218 | - code.bits = (uint8_t)(len - root_bits); | ||
219 | - code.value = (uint16_t)sorted[symbol++]; | ||
220 | - ReplicateValue(&table[key >> root_bits], step, table_size, code); | ||
221 | key = GetNextKey(key, len); | ||
222 | } | ||
223 | } | ||
224 | @@ -211,25 +214,83 @@ static int BuildHuffmanTable(HuffmanCode* const root_table, int root_bits, | ||
225 | ((1 << MAX_CACHE_BITS) + NUM_LITERAL_CODES + NUM_LENGTH_CODES) | ||
226 | // Cut-off value for switching between heap and stack allocation. | ||
227 | #define SORTED_SIZE_CUTOFF 512 | ||
228 | -int VP8LBuildHuffmanTable(HuffmanCode* const root_table, int root_bits, | ||
229 | +int VP8LBuildHuffmanTable(HuffmanTables* const root_table, int root_bits, | ||
230 | const int code_lengths[], int code_lengths_size) { | ||
231 | - int total_size; | ||
232 | + const int total_size = | ||
233 | + BuildHuffmanTable(NULL, root_bits, code_lengths, code_lengths_size, NULL); | ||
234 | assert(code_lengths_size <= MAX_CODE_LENGTHS_SIZE); | ||
235 | - if (root_table == NULL) { | ||
236 | - total_size = BuildHuffmanTable(NULL, root_bits, | ||
237 | - code_lengths, code_lengths_size, NULL); | ||
238 | - } else if (code_lengths_size <= SORTED_SIZE_CUTOFF) { | ||
239 | + if (total_size == 0 || root_table == NULL) return total_size; | ||
240 | + | ||
241 | + if (root_table->curr_segment->curr_table + total_size >= | ||
242 | + root_table->curr_segment->start + root_table->curr_segment->size) { | ||
243 | + // If 'root_table' does not have enough memory, allocate a new segment. | ||
244 | + // The available part of root_table->curr_segment is left unused because we | ||
245 | + // need a contiguous buffer. | ||
246 | + const int segment_size = root_table->curr_segment->size; | ||
247 | + struct HuffmanTablesSegment* next = | ||
248 | + (HuffmanTablesSegment*)WebPSafeMalloc(1, sizeof(*next)); | ||
249 | + if (next == NULL) return 0; | ||
250 | + // Fill the new segment. | ||
251 | + // We need at least 'total_size' but if that value is small, it is better to | ||
252 | + // allocate a big chunk to prevent more allocations later. 'segment_size' is | ||
253 | + // therefore chosen (any other arbitrary value could be chosen). | ||
254 | + next->size = total_size > segment_size ? total_size : segment_size; | ||
255 | + next->start = | ||
256 | + (HuffmanCode*)WebPSafeMalloc(next->size, sizeof(*next->start)); | ||
257 | + if (next->start == NULL) { | ||
258 | + WebPSafeFree(next); | ||
259 | + return 0; | ||
260 | + } | ||
261 | + next->curr_table = next->start; | ||
262 | + next->next = NULL; | ||
263 | + // Point to the new segment. | ||
264 | + root_table->curr_segment->next = next; | ||
265 | + root_table->curr_segment = next; | ||
266 | + } | ||
267 | + if (code_lengths_size <= SORTED_SIZE_CUTOFF) { | ||
268 | // use local stack-allocated array. | ||
269 | uint16_t sorted[SORTED_SIZE_CUTOFF]; | ||
270 | - total_size = BuildHuffmanTable(root_table, root_bits, | ||
271 | - code_lengths, code_lengths_size, sorted); | ||
272 | - } else { // rare case. Use heap allocation. | ||
273 | + BuildHuffmanTable(root_table->curr_segment->curr_table, root_bits, | ||
274 | + code_lengths, code_lengths_size, sorted); | ||
275 | + } else { // rare case. Use heap allocation. | ||
276 | uint16_t* const sorted = | ||
277 | (uint16_t*)WebPSafeMalloc(code_lengths_size, sizeof(*sorted)); | ||
278 | if (sorted == NULL) return 0; | ||
279 | - total_size = BuildHuffmanTable(root_table, root_bits, | ||
280 | - code_lengths, code_lengths_size, sorted); | ||
281 | + BuildHuffmanTable(root_table->curr_segment->curr_table, root_bits, | ||
282 | + code_lengths, code_lengths_size, sorted); | ||
283 | WebPSafeFree(sorted); | ||
284 | } | ||
285 | return total_size; | ||
286 | } | ||
287 | + | ||
288 | +int VP8LHuffmanTablesAllocate(int size, HuffmanTables* huffman_tables) { | ||
289 | + // Have 'segment' point to the first segment for now, 'root'. | ||
290 | + HuffmanTablesSegment* const root = &huffman_tables->root; | ||
291 | + huffman_tables->curr_segment = root; | ||
292 | + // Allocate root. | ||
293 | + root->start = (HuffmanCode*)WebPSafeMalloc(size, sizeof(*root->start)); | ||
294 | + if (root->start == NULL) return 0; | ||
295 | + root->curr_table = root->start; | ||
296 | + root->next = NULL; | ||
297 | + root->size = size; | ||
298 | + return 1; | ||
299 | +} | ||
300 | + | ||
301 | +void VP8LHuffmanTablesDeallocate(HuffmanTables* const huffman_tables) { | ||
302 | + HuffmanTablesSegment *current, *next; | ||
303 | + if (huffman_tables == NULL) return; | ||
304 | + // Free the root node. | ||
305 | + current = &huffman_tables->root; | ||
306 | + next = current->next; | ||
307 | + WebPSafeFree(current->start); | ||
308 | + current->start = NULL; | ||
309 | + current->next = NULL; | ||
310 | + current = next; | ||
311 | + // Free the following nodes. | ||
312 | + while (current != NULL) { | ||
313 | + next = current->next; | ||
314 | + WebPSafeFree(current->start); | ||
315 | + WebPSafeFree(current); | ||
316 | + current = next; | ||
317 | + } | ||
318 | +} | ||
319 | diff --git a/src/utils/huffman_utils.h b/src/utils/huffman_utils.h | ||
320 | index 13b7ad1..98415c5 100644 | ||
321 | --- a/src/utils/huffman_utils.h | ||
322 | +++ b/src/utils/huffman_utils.h | ||
323 | @@ -43,6 +43,29 @@ typedef struct { | ||
324 | // or non-literal symbol otherwise | ||
325 | } HuffmanCode32; | ||
326 | |||
327 | +// Contiguous memory segment of HuffmanCodes. | ||
328 | +typedef struct HuffmanTablesSegment { | ||
329 | + HuffmanCode* start; | ||
330 | + // Pointer to where we are writing into the segment. Starts at 'start' and | ||
331 | + // cannot go beyond 'start' + 'size'. | ||
332 | + HuffmanCode* curr_table; | ||
333 | + // Pointer to the next segment in the chain. | ||
334 | + struct HuffmanTablesSegment* next; | ||
335 | + int size; | ||
336 | +} HuffmanTablesSegment; | ||
337 | + | ||
338 | +// Chained memory segments of HuffmanCodes. | ||
339 | +typedef struct HuffmanTables { | ||
340 | + HuffmanTablesSegment root; | ||
341 | + // Currently processed segment. At first, this is 'root'. | ||
342 | + HuffmanTablesSegment* curr_segment; | ||
343 | +} HuffmanTables; | ||
344 | + | ||
345 | +// Allocates a HuffmanTables with 'size' contiguous HuffmanCodes. Returns 0 on | ||
346 | +// memory allocation error, 1 otherwise. | ||
347 | +int VP8LHuffmanTablesAllocate(int size, HuffmanTables* huffman_tables); | ||
348 | +void VP8LHuffmanTablesDeallocate(HuffmanTables* const huffman_tables); | ||
349 | + | ||
350 | #define HUFFMAN_PACKED_BITS 6 | ||
351 | #define HUFFMAN_PACKED_TABLE_SIZE (1u << HUFFMAN_PACKED_BITS) | ||
352 | |||
353 | @@ -78,9 +101,7 @@ void VP8LHtreeGroupsFree(HTreeGroup* const htree_groups); | ||
354 | // the huffman table. | ||
355 | // Returns built table size or 0 in case of error (invalid tree or | ||
356 | // memory error). | ||
357 | -// If root_table is NULL, it returns 0 if a lookup cannot be built, something | ||
358 | -// > 0 otherwise (but not the table size). | ||
359 | -int VP8LBuildHuffmanTable(HuffmanCode* const root_table, int root_bits, | ||
360 | +int VP8LBuildHuffmanTable(HuffmanTables* const root_table, int root_bits, | ||
361 | const int code_lengths[], int code_lengths_size); | ||
362 | |||
363 | #ifdef __cplusplus | ||
364 | -- | ||
365 | 2.40.0 | ||
366 | |||
diff --git a/meta/recipes-multimedia/webp/files/CVE-2023-4863-0002.patch b/meta/recipes-multimedia/webp/files/CVE-2023-4863-0002.patch new file mode 100644 index 0000000000..c1eedb6100 --- /dev/null +++ b/meta/recipes-multimedia/webp/files/CVE-2023-4863-0002.patch | |||
@@ -0,0 +1,53 @@ | |||
1 | From 95ea5226c870449522240ccff26f0b006037c520 Mon Sep 17 00:00:00 2001 | ||
2 | From: Vincent Rabaud <vrabaud@google.com> | ||
3 | Date: Mon, 11 Sep 2023 16:06:08 +0200 | ||
4 | Subject: [PATCH 2/2] Fix invalid incremental decoding check. | ||
5 | |||
6 | The first condition is only necessary if we have not read enough | ||
7 | (enough being defined by src_last, not src_end which is the end | ||
8 | of the image). | ||
9 | The second condition now fits the comment below: "if not | ||
10 | incremental, and we are past the end of buffer". | ||
11 | |||
12 | BUG=oss-fuzz:62136 | ||
13 | |||
14 | Change-Id: I0700f67c62db8e1c02c2e429a069a71e606a5e4f | ||
15 | |||
16 | CVE: CVE-2023-4863 | ||
17 | |||
18 | Upstream-Status: Backport [https://github.com/webmproject/libwebp/commit/95ea5226c870449522240ccff26f0b006037c520] | ||
19 | |||
20 | Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com> | ||
21 | --- | ||
22 | src/dec/vp8l_dec.c | 15 +++++++++++++-- | ||
23 | 1 file changed, 13 insertions(+), 2 deletions(-) | ||
24 | |||
25 | diff --git a/src/dec/vp8l_dec.c b/src/dec/vp8l_dec.c | ||
26 | index 0d38314..684a5b6 100644 | ||
27 | --- a/src/dec/vp8l_dec.c | ||
28 | +++ b/src/dec/vp8l_dec.c | ||
29 | @@ -1237,9 +1237,20 @@ static int DecodeImageData(VP8LDecoder* const dec, uint32_t* const data, | ||
30 | } | ||
31 | |||
32 | br->eos_ = VP8LIsEndOfStream(br); | ||
33 | - if (dec->incremental_ && br->eos_ && src < src_end) { | ||
34 | + // In incremental decoding: | ||
35 | + // br->eos_ && src < src_last: if 'br' reached the end of the buffer and | ||
36 | + // 'src_last' has not been reached yet, there is not enough data. 'dec' has to | ||
37 | + // be reset until there is more data. | ||
38 | + // !br->eos_ && src < src_last: this cannot happen as either the buffer is | ||
39 | + // fully read, either enough has been read to reach 'src_last'. | ||
40 | + // src >= src_last: 'src_last' is reached, all is fine. 'src' can actually go | ||
41 | + // beyond 'src_last' in case the image is cropped and an LZ77 goes further. | ||
42 | + // The buffer might have been enough or there is some left. 'br->eos_' does | ||
43 | + // not matter. | ||
44 | + assert(!dec->incremental_ || (br->eos_ && src < src_last) || src >= src_last); | ||
45 | + if (dec->incremental_ && br->eos_ && src < src_last) { | ||
46 | RestoreState(dec); | ||
47 | - } else if (!br->eos_) { | ||
48 | + } else if ((dec->incremental_ && src >= src_last) || !br->eos_) { | ||
49 | // Process the remaining rows corresponding to last row-block. | ||
50 | if (process_func != NULL) { | ||
51 | process_func(dec, row > last_row ? last_row : row); | ||
52 | -- | ||
53 | 2.40.0 | ||
diff --git a/meta/recipes-multimedia/webp/libwebp_1.1.0.bb b/meta/recipes-multimedia/webp/libwebp_1.1.0.bb index 68e5ae2b3c..88c36cb76c 100644 --- a/meta/recipes-multimedia/webp/libwebp_1.1.0.bb +++ b/meta/recipes-multimedia/webp/libwebp_1.1.0.bb | |||
@@ -19,6 +19,12 @@ SRC_URI[sha256sum] = "98a052268cc4d5ece27f76572a7f50293f439c17a98e67c4ea0c7ed6f5 | |||
19 | 19 | ||
20 | UPSTREAM_CHECK_URI = "http://downloads.webmproject.org/releases/webp/index.html" | 20 | UPSTREAM_CHECK_URI = "http://downloads.webmproject.org/releases/webp/index.html" |
21 | 21 | ||
22 | SRC_URI += " \ | ||
23 | file://CVE-2023-1999.patch \ | ||
24 | file://CVE-2023-4863-0001.patch \ | ||
25 | file://CVE-2023-4863-0002.patch \ | ||
26 | " | ||
27 | |||
22 | EXTRA_OECONF = " \ | 28 | EXTRA_OECONF = " \ |
23 | --disable-wic \ | 29 | --disable-wic \ |
24 | --enable-libwebpmux \ | 30 | --enable-libwebpmux \ |
diff --git a/meta/recipes-multimedia/x264/x264_git.bb b/meta/recipes-multimedia/x264/x264_git.bb index 39429a8809..6789646833 100644 --- a/meta/recipes-multimedia/x264/x264_git.bb +++ b/meta/recipes-multimedia/x264/x264_git.bb | |||
@@ -8,7 +8,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=94d55d512a9ba36caa9b7df079bae19f" | |||
8 | 8 | ||
9 | DEPENDS = "nasm-native" | 9 | DEPENDS = "nasm-native" |
10 | 10 | ||
11 | SRC_URI = "git://github.com/mirror/x264;branch=stable \ | 11 | SRC_URI = "git://github.com/mirror/x264;branch=stable;protocol=https \ |
12 | file://don-t-default-to-cortex-a9-with-neon.patch \ | 12 | file://don-t-default-to-cortex-a9-with-neon.patch \ |
13 | file://Fix-X32-build-by-disabling-asm.patch \ | 13 | file://Fix-X32-build-by-disabling-asm.patch \ |
14 | " | 14 | " |