tiff: fix multiple CVEs

Backport fixes for: * CVE-2023-25433 - Upstream-Status: Backport from https://gitlab.com/libtiff/libtiff/-/commit/9c22495e5eeeae9e00a1596720c969656bb8d678 && https://gitlab.com/libtiff/libtiff/-/commit/688012dca2c39033aa2dc7bcea9796787cfd1b44 * CVE-2023-25434 & CVE-2023-25435 - Upstream-Status: Backport from https://gitlab.com/libtiff/libtiff/-/commit/69818e2f2d246e6631ac2a2da692c3706b849c38 (From OE-Core rev: 01b9f7f7bb3eaecd6aa757fa090fcc4424788ce1) Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
author: Hitendra Prajapati <hprajapati@mvista.com> 2023-07-26 11:39:02 +0530
committer: Steve Sakoman <steve@sakoman.com> 2023-08-02 04:47:13 -1000
commit: 3c2e546a1a75289e82e33babde303ba6fa20fccb (patch)
tree: 741ff4d1977398526b0d8ba1ae7d92a22bccc471
parent: 4596433a54c12ee229e923ae39e3ec0d16d6f067 (diff)
download: poky-3c2e546a1a75289e82e33babde303ba6fa20fccb.tar.gz
3 files changed, 291 insertions, 0 deletions
diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2023-25433.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2023-25433.patch
new file mode 100644
index 0000000000..285aa3d1c4
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2023-25433.patch
@@ -0,0 +1,195 @@
+From 9c22495e5eeeae9e00a1596720c969656bb8d678 Mon Sep 17 00:00:00 2001
+From: Su_Laus <sulau@freenet.de>
+Date: Fri, 3 Feb 2023 15:31:31 +0100
+Subject: [PATCH] CVE-2023-25433
+tiffcrop correctly update buffersize after rotateImage()
+fix#520 rotateImage() set up a new buffer and calculates its size
+individually. Therefore, seg_buffs[] size needs to be updated accordingly.
+Before this fix, the seg_buffs buffer size was calculated with a different
+formula than within rotateImage().
+Closes #520.
+Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/9c22495e5eeeae9e00a1596720c969656bb8d678 && https://gitlab.com/libtiff/libtiff/-/commit/688012dca2c39033aa2dc7bcea9796787cfd1b44]
+CVE: CVE-2023-25433
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ tools/tiffcrop.c | 78 +++++++++++++++++++++++++++++++++++++-----------
+ 1 file changed, 60 insertions(+), 18 deletions(-)
+diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
+index eee26bf..cbd24cc 100644
+--- a/tools/tiffcrop.c
+++ b/tools/tiffcrop.c
+@@ -523,7 +523,7 @@ static int rotateContigSamples24bits(uint16_t, uint16_t, uint16_t, uint32_t,
+ static int rotateContigSamples32bits(uint16_t, uint16_t, uint16_t, uint32_t,
+                                      uint32_t, uint32_t, uint8_t *, uint8_t *);
+ static int rotateImage(uint16_t, struct image_data *, uint32_t *, uint32_t *,
+-                       unsigned char **, int);
+                       unsigned char **, size_t *);
+ static int mirrorImage(uint16_t, uint16_t, uint16_t, uint32_t, uint32_t,
+                        unsigned char *);
+ static int invertImage(uint16_t, uint16_t, uint16_t, uint32_t, uint32_t,
+@@ -6515,7 +6515,7 @@ static int  correct_orientation(struct image_data *image, unsigned char **work_b
+        * but switch xres, yres there. */
+       uint32_t width = image->width;
+       uint32_t length = image->length;
+-      if (rotateImage(rotation, image, &width, &length, work_buff_ptr, TRUE))
+      if (rotateImage(rotation, image, &width, &length, work_buff_ptr, NULL))
+       {
+       TIFFError ("correct_orientation", "Unable to rotate image");
+       return (-1);
+@@ -7695,16 +7695,19 @@ processCropSelections(struct image_data *image, struct crop_mask *crop,
+ 
+     if (crop->crop_mode & CROP_ROTATE) /* rotate should be last as it can reallocate the buffer */
+       {
+        /* rotateImage() set up a new buffer and calculates its size
+         * individually. Therefore, seg_buffs size  needs to be updated
+         * accordingly. */
+      size_t rot_buf_size = 0;
+       if (rotateImage(crop->rotation, image, &crop->combined_width, 
+-                      &crop->combined_length, &crop_buff, FALSE))
+                      &crop->combined_length, &crop_buff, &rot_buf_size))
+         {
+         TIFFError("processCropSelections", 
+                   "Failed to rotate composite regions by %"PRIu32" degrees", crop->rotation);
+         return (-1);
+         }
+       seg_buffs[0].buffer = crop_buff;
+-      seg_buffs[0].size = (((crop->combined_width * image->bps + 7 ) / 8)
+-                            * image->spp) * crop->combined_length; 
+      seg_buffs[0].size = rot_buf_size;
+       }
+     }
+   else  /* Separated Images */
+@@ -7804,9 +7807,13 @@ processCropSelections(struct image_data *image, struct crop_mask *crop,
+         {
+           /* rotateImage() changes image->width, ->length, ->xres and ->yres, what it schouldn't do here, when more than one section is processed. 
+            * ToDo: Therefore rotateImage() and its usage has to be reworked (e.g. like mirrorImage()) !!
+-           */
+-       if (rotateImage(crop->rotation, image, &crop->regionlist[i].width, 
+-                       &crop->regionlist[i].length, &crop_buff, FALSE))
+           * Furthermore, rotateImage() set up a new buffer and calculates
+           * its size individually. Therefore, seg_buffs size  needs to be
+           * updated accordingly. */
+          size_t rot_buf_size = 0;
+           if (rotateImage(
+                crop->rotation, image, &crop->regionlist[i].width,
+                &crop->regionlist[i].length, &crop_buff, &rot_buf_size))
+           {
+           TIFFError("processCropSelections", 
+                     "Failed to rotate crop region by %"PRIu16" degrees", crop->rotation);
+@@ -7817,8 +7824,7 @@ processCropSelections(struct image_data *image, struct crop_mask *crop,
+         crop->combined_width = total_width;
+         crop->combined_length = total_length;
+         seg_buffs[i].buffer = crop_buff;
+-        seg_buffs[i].size = (((crop->regionlist[i].width * image->bps + 7 ) / 8)
+-                               * image->spp) * crop->regionlist[i].length; 
+        seg_buffs[i].size = rot_buf_size;
+         }
+       }  /* for crop->selections loop */
+     }  /* Separated Images (else case) */
+@@ -7827,7 +7833,6 @@ processCropSelections(struct image_data *image, struct crop_mask *crop,
+ 
+ /* Copy the crop section of the data from the current image into a buffer
+  * and adjust the IFD values to reflect the new size. If no cropping is
+- * required, use the original read buffer as the crop buffer.
+  *
+  * There is quite a bit of redundancy between this routine and the more
+  * specialized processCropSelections, but this provides
+@@ -7938,7 +7943,7 @@ createCroppedImage(struct image_data *image, struct crop_mask *crop,
+   if (crop->crop_mode & CROP_ROTATE) /* rotate should be last as it can reallocate the buffer */
+     {
+     if (rotateImage(crop->rotation, image, &crop->combined_width, 
+-                    &crop->combined_length, crop_buff_ptr, TRUE))
+                    &crop->combined_length, crop_buff_ptr, NULL))
+       {
+       TIFFError("createCroppedImage", 
+                 "Failed to rotate image or cropped selection by %"PRIu16" degrees", crop->rotation);
+@@ -8600,14 +8605,16 @@ rotateContigSamples32bits(uint16_t rotation, uint16_t spp, uint16_t bps, uint32_
+ 
+ /* Rotate an image by a multiple of 90 degrees clockwise */
+ static int
+-rotateImage(uint16_t rotation, struct image_data *image, uint32_t *img_width,
+-            uint32_t *img_length, unsigned char **ibuff_ptr, int rot_image_params)
+rotateImage(uint16_t rotation, struct image_data *image,
+            uint32_t *img_width,uint32_t *img_length,
+            unsigned char **ibuff_ptr, size_t *rot_buf_size)
+   {
+   int      shift_width;
+   uint32_t   bytes_per_pixel, bytes_per_sample;
+   uint32_t   row, rowsize, src_offset, dst_offset;
+   uint32_t   i, col, width, length;
+-  uint32_t   colsize, buffsize, col_offset, pix_offset;
+  uint32_t colsize, col_offset, pix_offset;
+  tmsize_t buffsize;
+   unsigned char *ibuff;
+   unsigned char *src;
+   unsigned char *dst;
+@@ -8620,12 +8627,41 @@ rotateImage(uint16_t rotation, struct image_data *image, uint32_t *img_width,
+   spp = image->spp;
+   bps = image->bps;
+ 
+  if ((spp != 0 && bps != 0 &&
+         width > (uint32_t)((UINT32_MAX - 7) / spp / bps)) ||
+        (spp != 0 && bps != 0 &&
+         length > (uint32_t)((UINT32_MAX - 7) / spp / bps)))
+    {
+        TIFFError("rotateImage", "Integer overflow detected.");
+        return (-1);
+    }
+
+   rowsize = ((bps * spp * width) + 7) / 8;
+   colsize = ((bps * spp * length) + 7) / 8;
+   if ((colsize * width) > (rowsize * length))
+-    buffsize = (colsize + 1) * width;
+{
+        if (((tmsize_t)colsize + 1) != 0 &&
+            (tmsize_t)width > ((TIFF_TMSIZE_T_MAX - NUM_BUFF_OVERSIZE_BYTES) /
+                               ((tmsize_t)colsize + 1)))
+        {
+            TIFFError("rotateImage",
+                      "Integer overflow when calculating buffer size.");
+            return (-1);
+        }
+        buffsize = ((tmsize_t)colsize + 1) * width;
+    }
+   else
+-    buffsize = (rowsize + 1) * length;
+    {
+        if (((tmsize_t)rowsize + 1) != 0 &&
+            (tmsize_t)length > ((TIFF_TMSIZE_T_MAX - NUM_BUFF_OVERSIZE_BYTES) /
+                                ((tmsize_t)rowsize + 1)))
+        {
+            TIFFError("rotateImage",
+                      "Integer overflow when calculating buffer size.");
+            return (-1);
+        }
+        buffsize = (rowsize + 1) * length;
+    }
+ 
+   bytes_per_sample = (bps + 7) / 8;
+   bytes_per_pixel  = ((bps * spp) + 7) / 8;
+@@ -8648,11 +8684,17 @@ rotateImage(uint16_t rotation, struct image_data *image, uint32_t *img_width,
+   /* Add 3 padding bytes for extractContigSamplesShifted32bits */
+   if (!(rbuff = (unsigned char *)limitMalloc(buffsize + NUM_BUFF_OVERSIZE_BYTES)))
+     {
+-    TIFFError("rotateImage", "Unable to allocate rotation buffer of %1u bytes", buffsize + NUM_BUFF_OVERSIZE_BYTES);
+    TIFFError("rotateImage",
+              "Unable to allocate rotation buffer of %" TIFF_SSIZE_FORMAT
+              " bytes ",
+              buffsize + NUM_BUFF_OVERSIZE_BYTES);
+     return (-1);
+     }
+   _TIFFmemset(rbuff, '\0', buffsize + NUM_BUFF_OVERSIZE_BYTES);
+ 
+  if (rot_buf_size != NULL)
+       *rot_buf_size = buffsize;
+
+   ibuff = *ibuff_ptr;
+   switch (rotation)
+     {
+-- 
+2.25.1
diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2023-25434-CVE-2023-25435.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2023-25434-CVE-2023-25435.patch
new file mode 100644
index 0000000000..e214277504
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2023-25434-CVE-2023-25435.patch
@@ -0,0 +1,94 @@
+From 69818e2f2d246e6631ac2a2da692c3706b849c38 Mon Sep 17 00:00:00 2001
+From: Su_Laus <sulau@freenet.de>
+Date: Sun, 29 Jan 2023 11:09:26 +0100
+Subject: [PATCH] CVE-2023-25434 & CVE-2023-25435
+tiffcrop: Amend rotateImage() not to toggle the input (main)
+image width and length parameters when only cropped image sections are
+rotated. Remove buffptr from region structure because never used.
+Closes #492 #493 #494 #495 #499 #518 #519
+Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/69818e2f2d246e6631ac2a2da692c3706b849c38]
+CVE: CVE-2023-25434 & CVE-2023-25435
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ tools/tiffcrop.c | 27 ++++++++++++++++-----------
+ 1 file changed, 16 insertions(+), 11 deletions(-)
+diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
+index cbd24cc..b811fbb 100644
+--- a/tools/tiffcrop.c
+++ b/tools/tiffcrop.c
+@@ -523,7 +523,7 @@ static int rotateContigSamples24bits(uint16_t, uint16_t, uint16_t, uint32_t,
+ static int rotateContigSamples32bits(uint16_t, uint16_t, uint16_t, uint32_t,
+                                      uint32_t, uint32_t, uint8_t *, uint8_t *);
+ static int rotateImage(uint16_t, struct image_data *, uint32_t *, uint32_t *,
+-                       unsigned char **, size_t *);
+                       unsigned char **, size_t *, int);
+ static int mirrorImage(uint16_t, uint16_t, uint16_t, uint32_t, uint32_t,
+                        unsigned char *);
+ static int invertImage(uint16_t, uint16_t, uint16_t, uint32_t, uint32_t,
+@@ -6513,10 +6513,11 @@ static int  correct_orientation(struct image_data *image, unsigned char **work_b
+       /* Dummy variable in order not to switch two times the
+        * image->width,->length within rotateImage(),
+        * but switch xres, yres there. */
+-      uint32_t width = image->width;
+-      uint32_t length = image->length;
+-      if (rotateImage(rotation, image, &width, &length, work_buff_ptr, NULL))
+-      {
+        uint32_t width = image->width;
+        uint32_t length = image->length;
+        if (rotateImage(rotation, image, &width, &length, work_buff_ptr, NULL,
+                        TRUE))
+        {
+       TIFFError ("correct_orientation", "Unable to rotate image");
+       return (-1);
+       }
+@@ -7700,7 +7701,8 @@ processCropSelections(struct image_data *image, struct crop_mask *crop,
+          * accordingly. */
+       size_t rot_buf_size = 0;
+       if (rotateImage(crop->rotation, image, &crop->combined_width, 
+-                      &crop->combined_length, &crop_buff, &rot_buf_size))
+                      &crop->combined_length, &crop_buff, &rot_buf_size,
+                            FALSE))
+         {
+         TIFFError("processCropSelections", 
+                   "Failed to rotate composite regions by %"PRIu32" degrees", crop->rotation);
+@@ -7811,9 +7813,10 @@ processCropSelections(struct image_data *image, struct crop_mask *crop,
+            * its size individually. Therefore, seg_buffs size  needs to be
+            * updated accordingly. */
+           size_t rot_buf_size = 0;
+-           if (rotateImage(
+-                crop->rotation, image, &crop->regionlist[i].width,
+-                &crop->regionlist[i].length, &crop_buff, &rot_buf_size))
+           if (rotateImage(crop->rotation, image,
+                                &crop->regionlist[i].width,
+                                &crop->regionlist[i].length, &crop_buff,
+                                &rot_buf_size, FALSE))
+           {
+           TIFFError("processCropSelections", 
+                     "Failed to rotate crop region by %"PRIu16" degrees", crop->rotation);
+@@ -7943,7 +7946,7 @@ createCroppedImage(struct image_data *image, struct crop_mask *crop,
+   if (crop->crop_mode & CROP_ROTATE) /* rotate should be last as it can reallocate the buffer */
+     {
+     if (rotateImage(crop->rotation, image, &crop->combined_width, 
+-                    &crop->combined_length, crop_buff_ptr, NULL))
+                    &crop->combined_length, crop_buff_ptr, NULL, TRUE))
+       {
+       TIFFError("createCroppedImage", 
+                 "Failed to rotate image or cropped selection by %"PRIu16" degrees", crop->rotation);
+@@ -8607,7 +8610,9 @@ rotateContigSamples32bits(uint16_t rotation, uint16_t spp, uint16_t bps, uint32_
+ static int
+ rotateImage(uint16_t rotation, struct image_data *image,
+             uint32_t *img_width,uint32_t *img_length,
+-            unsigned char **ibuff_ptr, size_t *rot_buf_size)
+            unsigned char **ibuff_ptr, size_t *rot_buf_size,
+            int rot_image_params)
+
+   {
+   int      shift_width;
+   uint32_t   bytes_per_pixel, bytes_per_sample;
+-- 
+2.25.1
diff --git a/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb b/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb
index 2be25756bc..2ee10fca72 100644
--- a/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb
+++ b/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb
@@ -35,6 +35,8 @@ SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
           file://CVE-2022-48281.patch \
           file://CVE-2023-0800_0801_0802_0803_0804.patch \
           file://CVE-2023-0795_0796_0797_0798_0799.patch \
+           file://CVE-2023-25433.patch \
+           file://CVE-2023-25434-CVE-2023-25435.patch \
           "
 SRC_URI[sha256sum] = "0e46e5acb087ce7d1ac53cf4f56a09b221537fc86dfc5daaad1c2e89e1b37ac8"
author	Hitendra Prajapati <hprajapati@mvista.com>	2023-07-26 11:39:02 +0530
committer	Steve Sakoman <steve@sakoman.com>	2023-08-02 04:47:13 -1000
commit	3c2e546a1a75289e82e33babde303ba6fa20fccb (patch)
tree	741ff4d1977398526b0d8ba1ae7d92a22bccc471
parent	4596433a54c12ee229e923ae39e3ec0d16d6f067 (diff)
download	poky-3c2e546a1a75289e82e33babde303ba6fa20fccb.tar.gz

diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2023-25433.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2023-25433.patch new file mode 100644 index 0000000000..285aa3d1c4 --- /dev/null +++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2023-25433.patch
@@ -0,0 +1,195 @@
		1	From 9c22495e5eeeae9e00a1596720c969656bb8d678 Mon Sep 17 00:00:00 2001
		2	From: Su_Laus <sulau@freenet.de>
		3	Date: Fri, 3 Feb 2023 15:31:31 +0100
		4	Subject: [PATCH] CVE-2023-25433
		5
		6	tiffcrop correctly update buffersize after rotateImage()
		7	fix#520 rotateImage() set up a new buffer and calculates its size
		8	individually. Therefore, seg_buffs[] size needs to be updated accordingly.
		9	Before this fix, the seg_buffs buffer size was calculated with a different
		10	formula than within rotateImage().
		11
		12	Closes #520.
		13
		14	Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/9c22495e5eeeae9e00a1596720c969656bb8d678 && https://gitlab.com/libtiff/libtiff/-/commit/688012dca2c39033aa2dc7bcea9796787cfd1b44]
		15	CVE: CVE-2023-25433
		16	Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
		17	---
		18	tools/tiffcrop.c \| 78 +++++++++++++++++++++++++++++++++++++-----------
		19	1 file changed, 60 insertions(+), 18 deletions(-)
		20
		21	diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
		22	index eee26bf..cbd24cc 100644
		23	--- a/tools/tiffcrop.c
		24	+++ b/tools/tiffcrop.c
		25	@@ -523,7 +523,7 @@ static int rotateContigSamples24bits(uint16_t, uint16_t, uint16_t, uint32_t,
		26	static int rotateContigSamples32bits(uint16_t, uint16_t, uint16_t, uint32_t,
		27	uint32_t, uint32_t, uint8_t , uint8_t );
		28	static int rotateImage(uint16_t, struct image_data , uint32_t , uint32_t *,
		29	- unsigned char **, int);
		30	+ unsigned char *, size_t );
		31	static int mirrorImage(uint16_t, uint16_t, uint16_t, uint32_t, uint32_t,
		32	unsigned char *);
		33	static int invertImage(uint16_t, uint16_t, uint16_t, uint32_t, uint32_t,
		34	@@ -6515,7 +6515,7 @@ static int correct_orientation(struct image_data image, unsigned char *work_b
		35	* but switch xres, yres there. */
		36	uint32_t width = image->width;
		37	uint32_t length = image->length;
		38	- if (rotateImage(rotation, image, &width, &length, work_buff_ptr, TRUE))
		39	+ if (rotateImage(rotation, image, &width, &length, work_buff_ptr, NULL))
		40	{
		41	TIFFError ("correct_orientation", "Unable to rotate image");
		42	return (-1);
		43	@@ -7695,16 +7695,19 @@ processCropSelections(struct image_data image, struct crop_mask crop,
		44
		45	if (crop->crop_mode & CROP_ROTATE) /* rotate should be last as it can reallocate the buffer */
		46	{
		47	+ /* rotateImage() set up a new buffer and calculates its size
		48	+ * individually. Therefore, seg_buffs size needs to be updated
		49	+ * accordingly. */
		50	+ size_t rot_buf_size = 0;
		51	if (rotateImage(crop->rotation, image, &crop->combined_width,
		52	- &crop->combined_length, &crop_buff, FALSE))
		53	+ &crop->combined_length, &crop_buff, &rot_buf_size))
		54	{
		55	TIFFError("processCropSelections",
		56	"Failed to rotate composite regions by %"PRIu32" degrees", crop->rotation);
		57	return (-1);
		58	}
		59	seg_buffs[0].buffer = crop_buff;
		60	- seg_buffs[0].size = (((crop->combined_width * image->bps + 7 ) / 8)
		61	- * image->spp) * crop->combined_length;
		62	+ seg_buffs[0].size = rot_buf_size;
		63	}
		64	}
		65	else /* Separated Images */
		66	@@ -7804,9 +7807,13 @@ processCropSelections(struct image_data image, struct crop_mask crop,
		67	{
		68	/* rotateImage() changes image->width, ->length, ->xres and ->yres, what it schouldn't do here, when more than one section is processed.
		69	* ToDo: Therefore rotateImage() and its usage has to be reworked (e.g. like mirrorImage()) !!
		70	- */
		71	- if (rotateImage(crop->rotation, image, &crop->regionlist[i].width,
		72	- &crop->regionlist[i].length, &crop_buff, FALSE))
		73	+ * Furthermore, rotateImage() set up a new buffer and calculates
		74	+ * its size individually. Therefore, seg_buffs size needs to be
		75	+ * updated accordingly. */
		76	+ size_t rot_buf_size = 0;
		77	+ if (rotateImage(
		78	+ crop->rotation, image, &crop->regionlist[i].width,
		79	+ &crop->regionlist[i].length, &crop_buff, &rot_buf_size))
		80	{
		81	TIFFError("processCropSelections",
		82	"Failed to rotate crop region by %"PRIu16" degrees", crop->rotation);
		83	@@ -7817,8 +7824,7 @@ processCropSelections(struct image_data image, struct crop_mask crop,
		84	crop->combined_width = total_width;
		85	crop->combined_length = total_length;
		86	seg_buffs[i].buffer = crop_buff;
		87	- seg_buffs[i].size = (((crop->regionlist[i].width * image->bps + 7 ) / 8)
		88	- * image->spp) * crop->regionlist[i].length;
		89	+ seg_buffs[i].size = rot_buf_size;
		90	}
		91	} /* for crop->selections loop */
		92	} /* Separated Images (else case) */
		93	@@ -7827,7 +7833,6 @@ processCropSelections(struct image_data image, struct crop_mask crop,
		94
		95	/* Copy the crop section of the data from the current image into a buffer
		96	* and adjust the IFD values to reflect the new size. If no cropping is
		97	- * required, use the original read buffer as the crop buffer.
		98	*
		99	* There is quite a bit of redundancy between this routine and the more
		100	* specialized processCropSelections, but this provides
		101	@@ -7938,7 +7943,7 @@ createCroppedImage(struct image_data image, struct crop_mask crop,
		102	if (crop->crop_mode & CROP_ROTATE) /* rotate should be last as it can reallocate the buffer */
		103	{
		104	if (rotateImage(crop->rotation, image, &crop->combined_width,
		105	- &crop->combined_length, crop_buff_ptr, TRUE))
		106	+ &crop->combined_length, crop_buff_ptr, NULL))
		107	{
		108	TIFFError("createCroppedImage",
		109	"Failed to rotate image or cropped selection by %"PRIu16" degrees", crop->rotation);
		110	@@ -8600,14 +8605,16 @@ rotateContigSamples32bits(uint16_t rotation, uint16_t spp, uint16_t bps, uint32_
		111
		112	/* Rotate an image by a multiple of 90 degrees clockwise */
		113	static int
		114	-rotateImage(uint16_t rotation, struct image_data image, uint32_t img_width,
		115	- uint32_t img_length, unsigned char *ibuff_ptr, int rot_image_params)
		116	+rotateImage(uint16_t rotation, struct image_data *image,
		117	+ uint32_t img_width,uint32_t img_length,
		118	+ unsigned char *ibuff_ptr, size_t rot_buf_size)
		119	{
		120	int shift_width;
		121	uint32_t bytes_per_pixel, bytes_per_sample;
		122	uint32_t row, rowsize, src_offset, dst_offset;
		123	uint32_t i, col, width, length;
		124	- uint32_t colsize, buffsize, col_offset, pix_offset;
		125	+ uint32_t colsize, col_offset, pix_offset;
		126	+ tmsize_t buffsize;
		127	unsigned char *ibuff;
		128	unsigned char *src;
		129	unsigned char *dst;
		130	@@ -8620,12 +8627,41 @@ rotateImage(uint16_t rotation, struct image_data image, uint32_t img_width,
		131	spp = image->spp;
		132	bps = image->bps;
		133
		134	+ if ((spp != 0 && bps != 0 &&
		135	+ width > (uint32_t)((UINT32_MAX - 7) / spp / bps)) \|\|
		136	+ (spp != 0 && bps != 0 &&
		137	+ length > (uint32_t)((UINT32_MAX - 7) / spp / bps)))
		138	+ {
		139	+ TIFFError("rotateImage", "Integer overflow detected.");
		140	+ return (-1);
		141	+ }
		142	+
		143	rowsize = ((bps * spp * width) + 7) / 8;
		144	colsize = ((bps * spp * length) + 7) / 8;
		145	if ((colsize * width) > (rowsize * length))
		146	- buffsize = (colsize + 1) * width;
		147	+{
		148	+ if (((tmsize_t)colsize + 1) != 0 &&
		149	+ (tmsize_t)width > ((TIFF_TMSIZE_T_MAX - NUM_BUFF_OVERSIZE_BYTES) /
		150	+ ((tmsize_t)colsize + 1)))
		151	+ {
		152	+ TIFFError("rotateImage",
		153	+ "Integer overflow when calculating buffer size.");
		154	+ return (-1);
		155	+ }
		156	+ buffsize = ((tmsize_t)colsize + 1) * width;
		157	+ }
		158	else
		159	- buffsize = (rowsize + 1) * length;
		160	+ {
		161	+ if (((tmsize_t)rowsize + 1) != 0 &&
		162	+ (tmsize_t)length > ((TIFF_TMSIZE_T_MAX - NUM_BUFF_OVERSIZE_BYTES) /
		163	+ ((tmsize_t)rowsize + 1)))
		164	+ {
		165	+ TIFFError("rotateImage",
		166	+ "Integer overflow when calculating buffer size.");
		167	+ return (-1);
		168	+ }
		169	+ buffsize = (rowsize + 1) * length;
		170	+ }
		171
		172	bytes_per_sample = (bps + 7) / 8;
		173	bytes_per_pixel = ((bps * spp) + 7) / 8;
		174	@@ -8648,11 +8684,17 @@ rotateImage(uint16_t rotation, struct image_data image, uint32_t img_width,
		175	/* Add 3 padding bytes for extractContigSamplesShifted32bits */
		176	if (!(rbuff = (unsigned char *)limitMalloc(buffsize + NUM_BUFF_OVERSIZE_BYTES)))
		177	{
		178	- TIFFError("rotateImage", "Unable to allocate rotation buffer of %1u bytes", buffsize + NUM_BUFF_OVERSIZE_BYTES);
		179	+ TIFFError("rotateImage",
		180	+ "Unable to allocate rotation buffer of %" TIFF_SSIZE_FORMAT
		181	+ " bytes ",
		182	+ buffsize + NUM_BUFF_OVERSIZE_BYTES);
		183	return (-1);
		184	}
		185	_TIFFmemset(rbuff, '\0', buffsize + NUM_BUFF_OVERSIZE_BYTES);
		186
		187	+ if (rot_buf_size != NULL)
		188	+ *rot_buf_size = buffsize;
		189	+
		190	ibuff = *ibuff_ptr;
		191	switch (rotation)
		192	{
		193	--
		194	2.25.1
		195


diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2023-25434-CVE-2023-25435.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2023-25434-CVE-2023-25435.patch new file mode 100644 index 0000000000..e214277504 --- /dev/null +++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2023-25434-CVE-2023-25435.patch
@@ -0,0 +1,94 @@
		1	From 69818e2f2d246e6631ac2a2da692c3706b849c38 Mon Sep 17 00:00:00 2001
		2	From: Su_Laus <sulau@freenet.de>
		3	Date: Sun, 29 Jan 2023 11:09:26 +0100
		4	Subject: [PATCH] CVE-2023-25434 & CVE-2023-25435
		5
		6	tiffcrop: Amend rotateImage() not to toggle the input (main)
		7	image width and length parameters when only cropped image sections are
		8	rotated. Remove buffptr from region structure because never used.
		9
		10	Closes #492 #493 #494 #495 #499 #518 #519
		11
		12	Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/69818e2f2d246e6631ac2a2da692c3706b849c38]
		13	CVE: CVE-2023-25434 & CVE-2023-25435
		14	Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
		15	---
		16	tools/tiffcrop.c \| 27 ++++++++++++++++-----------
		17	1 file changed, 16 insertions(+), 11 deletions(-)
		18
		19	diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
		20	index cbd24cc..b811fbb 100644
		21	--- a/tools/tiffcrop.c
		22	+++ b/tools/tiffcrop.c
		23	@@ -523,7 +523,7 @@ static int rotateContigSamples24bits(uint16_t, uint16_t, uint16_t, uint32_t,
		24	static int rotateContigSamples32bits(uint16_t, uint16_t, uint16_t, uint32_t,
		25	uint32_t, uint32_t, uint8_t , uint8_t );
		26	static int rotateImage(uint16_t, struct image_data , uint32_t , uint32_t *,
		27	- unsigned char *, size_t );
		28	+ unsigned char *, size_t , int);
		29	static int mirrorImage(uint16_t, uint16_t, uint16_t, uint32_t, uint32_t,
		30	unsigned char *);
		31	static int invertImage(uint16_t, uint16_t, uint16_t, uint32_t, uint32_t,
		32	@@ -6513,10 +6513,11 @@ static int correct_orientation(struct image_data image, unsigned char *work_b
		33	/* Dummy variable in order not to switch two times the
		34	* image->width,->length within rotateImage(),
		35	* but switch xres, yres there. */
		36	- uint32_t width = image->width;
		37	- uint32_t length = image->length;
		38	- if (rotateImage(rotation, image, &width, &length, work_buff_ptr, NULL))
		39	- {
		40	+ uint32_t width = image->width;
		41	+ uint32_t length = image->length;
		42	+ if (rotateImage(rotation, image, &width, &length, work_buff_ptr, NULL,
		43	+ TRUE))
		44	+ {
		45	TIFFError ("correct_orientation", "Unable to rotate image");
		46	return (-1);
		47	}
		48	@@ -7700,7 +7701,8 @@ processCropSelections(struct image_data image, struct crop_mask crop,
		49	* accordingly. */
		50	size_t rot_buf_size = 0;
		51	if (rotateImage(crop->rotation, image, &crop->combined_width,
		52	- &crop->combined_length, &crop_buff, &rot_buf_size))
		53	+ &crop->combined_length, &crop_buff, &rot_buf_size,
		54	+ FALSE))
		55	{
		56	TIFFError("processCropSelections",
		57	"Failed to rotate composite regions by %"PRIu32" degrees", crop->rotation);
		58	@@ -7811,9 +7813,10 @@ processCropSelections(struct image_data image, struct crop_mask crop,
		59	* its size individually. Therefore, seg_buffs size needs to be
		60	* updated accordingly. */
		61	size_t rot_buf_size = 0;
		62	- if (rotateImage(
		63	- crop->rotation, image, &crop->regionlist[i].width,
		64	- &crop->regionlist[i].length, &crop_buff, &rot_buf_size))
		65	+ if (rotateImage(crop->rotation, image,
		66	+ &crop->regionlist[i].width,
		67	+ &crop->regionlist[i].length, &crop_buff,
		68	+ &rot_buf_size, FALSE))
		69	{
		70	TIFFError("processCropSelections",
		71	"Failed to rotate crop region by %"PRIu16" degrees", crop->rotation);
		72	@@ -7943,7 +7946,7 @@ createCroppedImage(struct image_data image, struct crop_mask crop,
		73	if (crop->crop_mode & CROP_ROTATE) /* rotate should be last as it can reallocate the buffer */
		74	{
		75	if (rotateImage(crop->rotation, image, &crop->combined_width,
		76	- &crop->combined_length, crop_buff_ptr, NULL))
		77	+ &crop->combined_length, crop_buff_ptr, NULL, TRUE))
		78	{
		79	TIFFError("createCroppedImage",
		80	"Failed to rotate image or cropped selection by %"PRIu16" degrees", crop->rotation);
		81	@@ -8607,7 +8610,9 @@ rotateContigSamples32bits(uint16_t rotation, uint16_t spp, uint16_t bps, uint32_
		82	static int
		83	rotateImage(uint16_t rotation, struct image_data *image,
		84	uint32_t img_width,uint32_t img_length,
		85	- unsigned char *ibuff_ptr, size_t rot_buf_size)
		86	+ unsigned char *ibuff_ptr, size_t rot_buf_size,
		87	+ int rot_image_params)
		88	+
		89	{
		90	int shift_width;
		91	uint32_t bytes_per_pixel, bytes_per_sample;
		92	--
		93	2.25.1
		94


diff --git a/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb b/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb index 2be25756bc..2ee10fca72 100644 --- a/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb +++ b/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb
@@ -35,6 +35,8 @@ SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
35	file://CVE-2022-48281.patch \	35	file://CVE-2022-48281.patch \
36	file://CVE-2023-0800_0801_0802_0803_0804.patch \	36	file://CVE-2023-0800_0801_0802_0803_0804.patch \
37	file://CVE-2023-0795_0796_0797_0798_0799.patch \	37	file://CVE-2023-0795_0796_0797_0798_0799.patch \
		38	file://CVE-2023-25433.patch \
		39	file://CVE-2023-25434-CVE-2023-25435.patch \
38	"	40	"
39		41
40	SRC_URI[sha256sum] = "0e46e5acb087ce7d1ac53cf4f56a09b221537fc86dfc5daaad1c2e89e1b37ac8"	42	SRC_URI[sha256sum] = "0e46e5acb087ce7d1ac53cf4f56a09b221537fc86dfc5daaad1c2e89e1b37ac8"