tiff: fix CVE-2023-52355 and CVE-2023-52356

CVE-2023-52355: An out-of-memory flaw was found in libtiff that could be triggered by passing a crafted tiff file to the TIFFRasterScanlineSize64() API. This flaw allows a remote attacker to cause a denial of service via a crafted input with a size smaller than 379 KB. Issue fixed by providing a documentation update. CVE-2023-52356: A segment fault (SEGV) flaw was found in libtiff that could be triggered by passing a crafted tiff file to the TIFFReadRGBATileExt() API. This flaw allows a remote attacker to cause a heap-buffer overflow, leading to a denial of service. References: https://nvd.nist.gov/vuln/detail/CVE-2023-52355 https://security-tracker.debian.org/tracker/CVE-2023-52355 https://gitlab.com/libtiff/libtiff/-/issues/621 https://gitlab.com/libtiff/libtiff/-/merge_requests/553 https://nvd.nist.gov/vuln/detail/CVE-2023-52356 https://gitlab.com/libtiff/libtiff/-/issues/622 https://gitlab.com/libtiff/libtiff/-/merge_requests/546 (From OE-Core rev: 831d7a2fffb3dec94571289292f0940bc7ecd70a) Signed-off-by: Yogita Urade <yogita.urade@windriver.com> Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Yogita Urade <yogita.urade@windriver.com> 2024-02-02 08:26:32 +0000
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2024-02-08 10:53:13 +0000
commit: eba805ace44c6884377e765860059d39c61405a2 (patch)
tree: 288eb6b51dc8ae7dbcc36e449ba84483feb52aea
parent: 57d82f92c1060c5f15072f5d266dbac11665ae26 (diff)
download: poky-eba805ace44c6884377e765860059d39c61405a2.tar.gz
4 files changed, 318 insertions, 0 deletions
diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2023-52355-0001.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2023-52355-0001.patch
new file mode 100644
index 0000000000..f5520fcafd
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2023-52355-0001.patch
@@ -0,0 +1,238 @@
+From 335947359ce2dd3862cd9f7c49f92eba065dfed4 Mon Sep 17 00:00:00 2001
+From: Su_Laus <sulau@freenet.de>
+Date: Thu, 1 Feb 2024 13:06:08 +0000
+Subject: [PATCH] manpage: Update TIFF documentation about TIFFOpenOptions.rst
+ and TIFFOpenOptionsSetMaxSingleMemAlloc() usage and some other small fixes.
+CVE: CVE-2023-52355
+Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/335947359ce2dd3862cd9f7c49f92eba065dfed4]
+Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
+---
+ doc/functions/TIFFDeferStrileArrayWriting.rst |  5 +++
+ doc/functions/TIFFError.rst                   |  3 ++
+ doc/functions/TIFFOpen.rst                    | 13 +++---
+ doc/functions/TIFFOpenOptions.rst             | 44 ++++++++++++++++++-
+ doc/functions/TIFFStrileQuery.rst             |  5 +++
+ doc/libtiff.rst                               | 31 ++++++++++++-
+ 6 files changed, 91 insertions(+), 10 deletions(-)
+diff --git a/doc/functions/TIFFDeferStrileArrayWriting.rst b/doc/functions/TIFFDeferStrileArrayWriting.rst
+index 60ee746..705aebc 100644
+--- a/doc/functions/TIFFDeferStrileArrayWriting.rst
+++ b/doc/functions/TIFFDeferStrileArrayWriting.rst
+@@ -61,6 +61,11 @@ Diagnostics
+ All error messages are directed to the :c:func:`TIFFErrorExtR` routine.
+ Likewise, warning messages are directed to the :c:func:`TIFFWarningExtR` routine.
+ 
+Note
+----
+
+This functionality was introduced with libtiff 4.1.
+
+ See also
+ --------
+ 
+diff --git a/doc/functions/TIFFError.rst b/doc/functions/TIFFError.rst
+index 99924ad..cf4b37c 100644
+--- a/doc/functions/TIFFError.rst
+++ b/doc/functions/TIFFError.rst
+@@ -65,6 +65,9 @@ or :c:func:`TIFFClientOpenExt`.
+ Furthermore, a **custom defined data structure** *user_data* for the
+ error handler can be given along.
+ 
+Please refer to :doc:`/functions/TIFFOpenOptions` for how to setup the
+application-specific handler introduced with libtiff 4.5.
+
+ Note
+ ----
+ 
+diff --git a/doc/functions/TIFFOpen.rst b/doc/functions/TIFFOpen.rst
+index db79d7b..adc474f 100644
+--- a/doc/functions/TIFFOpen.rst
+++ b/doc/functions/TIFFOpen.rst
+@@ -94,8 +94,9 @@ TIFF structure without closing the file handle and afterwards the
+ file should be closed using its file descriptor *fd*.
+ 
+ :c:func:`TIFFOpenExt` (added in libtiff 4.5) is like :c:func:`TIFFOpen`,
+-but options, such as re-entrant error and warning handlers may be passed
+-with the *opts* argument. The *opts* argument may be NULL. 
+but options, such as re-entrant error and warning handlers and a limit in byte
+that libtiff internal memory allocation functions are allowed to request per call
+may be passed with the *opts* argument. The *opts* argument may be NULL.
+ Refer to :doc:`TIFFOpenOptions` for allocating and filling the *opts* argument
+ parameters. The allocated memory for :c:type:`TIFFOpenOptions`
+ can be released straight after successful execution of the related
+@@ -105,9 +106,7 @@ can be released straight after successful execution of the related
+ but opens a TIFF file with a Unicode filename.
+ 
+ :c:func:`TIFFFdOpenExt` (added in libtiff 4.5) is like :c:func:`TIFFFdOpen`,
+-but options, such as re-entrant error and warning handlers may be passed
+-with the *opts* argument. The *opts* argument may be NULL. 
+-Refer to :doc:`TIFFOpenOptions` for filling the *opts* argument.
+but options argument *opts* like for :c:func:`TIFFOpenExt` can be passed.
+ 
+ :c:func:`TIFFSetFileName` sets the file name in the tif-structure
+ and returns the old file name.
+@@ -326,5 +325,5 @@ See also
+ 
+ :doc:`libtiff` (3tiff),
+ :doc:`TIFFClose` (3tiff),
+-:doc:`TIFFStrileQuery`,
+-:doc:`TIFFOpenOptions`
+\ No newline at end of file
+:doc:`TIFFStrileQuery` (3tiff),
+:doc:`TIFFOpenOptions`
+diff --git a/doc/functions/TIFFOpenOptions.rst b/doc/functions/TIFFOpenOptions.rst
+index 5c67566..23f2975 100644
+--- a/doc/functions/TIFFOpenOptions.rst
+++ b/doc/functions/TIFFOpenOptions.rst
+@@ -38,12 +38,17 @@ opaque structure and returns a :c:type:`TIFFOpenOptions` pointer.
+ :c:func:`TIFFOpenOptionsFree` releases the allocated memory for
+ :c:type:`TIFFOpenOptions`. The allocated memory for :c:type:`TIFFOpenOptions`
+ can be released straight after successful execution of the related
+-TIFF open"Ext" functions like :c:func:`TIFFOpenExt`.
+TIFFOpen"Ext" functions like :c:func:`TIFFOpenExt`.
+ 
+ :c:func:`TIFFOpenOptionsSetMaxSingleMemAlloc` sets parameter for the
+ maximum single memory limit in byte that ``libtiff`` internal memory allocation
+ functions are allowed to request per call.
+ 
+.. note::
+    However, the ``libtiff`` external functions :c:func:`_TIFFmalloc`
+    and :c:func:`_TIFFrealloc` **do not apply** this internal memory
+    allocation limit set by :c:func:`TIFFOpenOptionsSetMaxSingleMemAlloc`!
+
+ :c:func:`TIFFOpenOptionsSetErrorHandlerExtR` sets the function pointer to
+ an application-specific and per-TIFF handle (re-entrant) error handler.
+ Furthermore, a pointer to a **custom defined data structure** *errorhandler_user_data* 
+@@ -55,6 +60,43 @@ The *errorhandler_user_data* argument may be NULL.
+ :c:func:`TIFFOpenOptionsSetErrorHandlerExtR` but for the warning handler,
+ which is invoked through  :c:func:`TIFFWarningExtR`
+ 
+Example
+-------
+
+::
+
+    #include "tiffio.h"
+
+    typedef struct MyErrorHandlerUserDataStruct
+    {
+        /* ... any user data structure ... */
+    } MyErrorHandlerUserDataStruct;
+
+    static int myErrorHandler(TIFF *tiff, void *user_data, const char *module,
+                          const char *fmt, va_list ap)
+    {
+        MyErrorHandlerUserDataStruct *errorhandler_user_data =
+            (MyErrorHandlerUserDataStruct *)user_data;
+        /*... code of myErrorHandler ...*/
+        return 1;
+    }
+
+
+    main()
+    {
+        tmsize_t limit = (256 * 1024 * 1024);
+        MyErrorHandlerUserDataStruct user_data = { /* ... any data ... */};
+
+        TIFFOpenOptions *opts = TIFFOpenOptionsAlloc();
+        TIFFOpenOptionsSetMaxSingleMemAlloc(opts, limit);
+        TIFFOpenOptionsSetErrorHandlerExtR(opts, myErrorHandler, &user_data);
+        TIFF *tif = TIFFOpenExt("foo.tif", "r", opts);
+        TIFFOpenOptionsFree(opts);
+        /* ... go on here ... */
+
+        TIFFClose(tif);
+    }
+
+ Note
+ ----
+ 
+diff --git a/doc/functions/TIFFStrileQuery.rst b/doc/functions/TIFFStrileQuery.rst
+index f8631af..7931fe4 100644
+--- a/doc/functions/TIFFStrileQuery.rst
+++ b/doc/functions/TIFFStrileQuery.rst
+@@ -66,6 +66,11 @@ Diagnostics
+ All error messages are directed to the :c:func:`TIFFErrorExtR` routine.
+ Likewise, warning messages are directed to the :c:func:`TIFFWarningExtR` routine.
+ 
+Note
+----
+
+This functionality was introduced with libtiff 4.1.
+
+ See also
+ --------
+ 
+diff --git a/doc/libtiff.rst b/doc/libtiff.rst
+index 6a0054c..d96a860 100644
+--- a/doc/libtiff.rst
+++ b/doc/libtiff.rst
+@@ -90,11 +90,15 @@ compatibility on machines with a segmented architecture.
+ :c:func:`realloc`, and :c:func:`free` routines in the C library.)
+ 
+ To deal with segmented pointer issues ``libtiff`` also provides
+-:c:func:`_TIFFmemcpy`, :c:func:`_TIFFmemset`, and :c:func:`_TIFFmemmove`
+:c:func:`_TIFFmemcpy`, :c:func:`_TIFFmemset`, and :c:func:`_TIFFmemcmp`
+ routines that mimic the equivalent ANSI C routines, but that are
+ intended for use with memory allocated through :c:func:`_TIFFmalloc`
+ and :c:func:`_TIFFrealloc`.
+ 
+With ``libtiff`` 4.5 a method was introduced to limit the internal
+memory allocation that functions are allowed to request per call
+(see  :c:func:`TIFFOpenOptionsSetMaxSingleMemAlloc` and :c:func:`TIFFOpenExt`).
+
+ Error Handling
+ --------------
+ 
+@@ -106,6 +110,10 @@ routine that can be specified with a call to :c:func:`TIFFSetErrorHandler`.
+ Likewise warning messages are directed to a single handler routine
+ that can be specified with a call to :c:func:`TIFFSetWarningHandler`
+ 
+Further application-specific and per-TIFF handle (re-entrant) error handler
+and warning handler can be set. Please refer to :doc:`/functions/TIFFError`
+and :doc:`/functions/TIFFOpenOptions`.
+
+ Basic File Handling
+ -------------------
+ 
+@@ -139,7 +147,7 @@ a ``"w"`` argument:
+     main()
+     {
+         TIFF* tif = TIFFOpen("foo.tif", "w");
+-        ... do stuff ...
+        /* ... do stuff ... */
+         TIFFClose(tif);
+     }
+ 
+@@ -157,6 +165,25 @@ to always call :c:func:`TIFFClose` or :c:func:`TIFFFlush` to flush any
+ buffered information to a file.  Note that if you call :c:func:`TIFFClose`
+ you do not need to call :c:func:`TIFFFlush`.
+ 
+.. warning::
+
+    In order to prevent out-of-memory issues when opening a TIFF file
+    :c:func:`TIFFOpenExt` can be used and then the maximum single memory
+    limit in byte that ``libtiff`` internal memory allocation functions
+    are allowed to request per call can be set with
+    :c:func:`TIFFOpenOptionsSetMaxSingleMemAlloc`.
+
+Example
+
+::
+
+    tmsize_t limit = (256 * 1024 * 1024);
+    TIFFOpenOptions *opts = TIFFOpenOptionsAlloc();
+    TIFFOpenOptionsSetMaxSingleMemAlloc(opts, limit);
+    TIFF *tif = TIFFOpenExt("foo.tif", "w", opts);
+    TIFFOpenOptionsFree(opts);
+    /* ... go on here ... */
+
+ TIFF Directories
+ ----------------
+ 
+-- 
+2.40.0
diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2023-52355-0002.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2023-52355-0002.patch
new file mode 100644
index 0000000000..19a1ef727a
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2023-52355-0002.patch
@@ -0,0 +1,28 @@
+From 16ab4a205cfc938c32686e8d697d048fabf97ed4 Mon Sep 17 00:00:00 2001
+From: Timothy Lyanguzov <theta682@gmail.com>
+Date: Thu, 1 Feb 2024 11:19:06 +0000
+Subject: [PATCH] Fix typo.
+CVE: CVE-2023-52355
+Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/16ab4a205cfc938c32686e8d697d048fabf97ed4]
+Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
+---
+ doc/libtiff.rst | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+diff --git a/doc/libtiff.rst b/doc/libtiff.rst
+index d96a860..4fedc3e 100644
+--- a/doc/libtiff.rst
+++ b/doc/libtiff.rst
+@@ -169,7 +169,7 @@ you do not need to call :c:func:`TIFFFlush`.
+     In order to prevent out-of-memory issues when opening a TIFF file
+     :c:func:`TIFFOpenExt` can be used and then the maximum single memory
+-    limit in byte that ``libtiff`` internal memory allocation functions
+    limit in bytes that ``libtiff`` internal memory allocation functions
+     are allowed to request per call can be set with
+     :c:func:`TIFFOpenOptionsSetMaxSingleMemAlloc`.
+--
+2.40.0
diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2023-52356.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2023-52356.patch
new file mode 100644
index 0000000000..75f5d8946a
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2023-52356.patch
@@ -0,0 +1,49 @@
+From 51558511bdbbcffdce534db21dbaf5d54b31638a Mon Sep 17 00:00:00 2001
+From: Even Rouault <even.rouault@spatialys.com>
+Date: Thu, 1 Feb 2024 11:38:14 +0000
+Subject: [PATCH] TIFFReadRGBAStrip/TIFFReadRGBATile: add more validation of
+ col/row (fixes #622)
+CVE: CVE-2023-52356
+Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/51558511bdbbcffdce534db21dbaf5d54b31638a]
+Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
+---
+ libtiff/tif_getimage.c | 15 +++++++++++++++
+ 1 file changed, 15 insertions(+)
+diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c
+index 41f7dfd..9cd6eee 100644
+--- a/libtiff/tif_getimage.c
+++ b/libtiff/tif_getimage.c
+@@ -3224,6 +3224,13 @@ int TIFFReadRGBAStripExt(TIFF *tif, uint32_t row, uint32_t *raster,
+     if (TIFFRGBAImageOK(tif, emsg) &&
+         TIFFRGBAImageBegin(&img, tif, stop_on_error, emsg))
+     {
+       if (row >= img.height)
+        {
+            TIFFErrorExtR(tif, TIFFFileName(tif),
+                          "Invalid row passed to TIFFReadRGBAStrip().");
+            TIFFRGBAImageEnd(&img);
+            return (0);
+       }
+         img.row_offset = row;
+         img.col_offset = 0;
+@@ -3301,6 +3308,14 @@ int TIFFReadRGBATileExt(TIFF *tif, uint32_t col, uint32_t row, uint32_t *raster,
+         return (0);
+     }
+    if (col >= img.width || row >= img.height)
+    {
+        TIFFErrorExtR(tif, TIFFFileName(tif),
+                      "Invalid row/col passed to TIFFReadRGBATile().");
+        TIFFRGBAImageEnd(&img);
+        return (0);
+    }
+
+     /*
+      * The TIFFRGBAImageGet() function doesn't allow us to get off the
+      * edge of the image, even to fill an otherwise valid tile.  So we
+--
+2.40.0
diff --git a/meta/recipes-multimedia/libtiff/tiff_4.6.0.bb b/meta/recipes-multimedia/libtiff/tiff_4.6.0.bb
index eb8a096f19..a26e4694f6 100644
--- a/meta/recipes-multimedia/libtiff/tiff_4.6.0.bb
+++ b/meta/recipes-multimedia/libtiff/tiff_4.6.0.bb
@@ -13,6 +13,9 @@ SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
           file://CVE-2023-6277-At-image-reading-compare-data-size-of-some-tags-data-2.patch \
           file://CVE-2023-6277-Apply-1-suggestion-s-to-1-file-s.patch \
           file://CVE-2023-6228.patch \
+           file://CVE-2023-52355-0001.patch \
+           file://CVE-2023-52355-0002.patch \
+           file://CVE-2023-52356.patch \
           "
 SRC_URI[sha256sum] = "88b3979e6d5c7e32b50d7ec72fb15af724f6ab2cbf7e10880c360a77e4b5d99a"
author	Yogita Urade <yogita.urade@windriver.com>	2024-02-02 08:26:32 +0000
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2024-02-08 10:53:13 +0000
commit	eba805ace44c6884377e765860059d39c61405a2 (patch)
tree	288eb6b51dc8ae7dbcc36e449ba84483feb52aea
parent	57d82f92c1060c5f15072f5d266dbac11665ae26 (diff)
download	poky-eba805ace44c6884377e765860059d39c61405a2.tar.gz

diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2023-52355-0001.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2023-52355-0001.patch new file mode 100644 index 0000000000..f5520fcafd --- /dev/null +++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2023-52355-0001.patch
@@ -0,0 +1,238 @@
		1	From 335947359ce2dd3862cd9f7c49f92eba065dfed4 Mon Sep 17 00:00:00 2001
		2	From: Su_Laus <sulau@freenet.de>
		3	Date: Thu, 1 Feb 2024 13:06:08 +0000
		4	Subject: [PATCH] manpage: Update TIFF documentation about TIFFOpenOptions.rst
		5	and TIFFOpenOptionsSetMaxSingleMemAlloc() usage and some other small fixes.
		6
		7	CVE: CVE-2023-52355
		8	Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/335947359ce2dd3862cd9f7c49f92eba065dfed4]
		9
		10	Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
		11	---
		12	doc/functions/TIFFDeferStrileArrayWriting.rst \| 5 +++
		13	doc/functions/TIFFError.rst \| 3 ++
		14	doc/functions/TIFFOpen.rst \| 13 +++---
		15	doc/functions/TIFFOpenOptions.rst \| 44 ++++++++++++++++++-
		16	doc/functions/TIFFStrileQuery.rst \| 5 +++
		17	doc/libtiff.rst \| 31 ++++++++++++-
		18	6 files changed, 91 insertions(+), 10 deletions(-)
		19
		20	diff --git a/doc/functions/TIFFDeferStrileArrayWriting.rst b/doc/functions/TIFFDeferStrileArrayWriting.rst
		21	index 60ee746..705aebc 100644
		22	--- a/doc/functions/TIFFDeferStrileArrayWriting.rst
		23	+++ b/doc/functions/TIFFDeferStrileArrayWriting.rst
		24	@@ -61,6 +61,11 @@ Diagnostics
		25	All error messages are directed to the :c:func:`TIFFErrorExtR` routine.
		26	Likewise, warning messages are directed to the :c:func:`TIFFWarningExtR` routine.
		27
		28	+Note
		29	+----
		30	+
		31	+This functionality was introduced with libtiff 4.1.
		32	+
		33	See also
		34	--------
		35
		36	diff --git a/doc/functions/TIFFError.rst b/doc/functions/TIFFError.rst
		37	index 99924ad..cf4b37c 100644
		38	--- a/doc/functions/TIFFError.rst
		39	+++ b/doc/functions/TIFFError.rst
		40	@@ -65,6 +65,9 @@ or :c:func:`TIFFClientOpenExt`.
		41	Furthermore, a custom defined data structure user_data for the
		42	error handler can be given along.
		43
		44	+Please refer to :doc:`/functions/TIFFOpenOptions` for how to setup the
		45	+application-specific handler introduced with libtiff 4.5.
		46	+
		47	Note
		48	----
		49
		50	diff --git a/doc/functions/TIFFOpen.rst b/doc/functions/TIFFOpen.rst
		51	index db79d7b..adc474f 100644
		52	--- a/doc/functions/TIFFOpen.rst
		53	+++ b/doc/functions/TIFFOpen.rst
		54	@@ -94,8 +94,9 @@ TIFF structure without closing the file handle and afterwards the
		55	file should be closed using its file descriptor fd.
		56
		57	:c:func:`TIFFOpenExt` (added in libtiff 4.5) is like :c:func:`TIFFOpen`,
		58	-but options, such as re-entrant error and warning handlers may be passed
		59	-with the opts argument. The opts argument may be NULL.
		60	+but options, such as re-entrant error and warning handlers and a limit in byte
		61	+that libtiff internal memory allocation functions are allowed to request per call
		62	+may be passed with the opts argument. The opts argument may be NULL.
		63	Refer to :doc:`TIFFOpenOptions` for allocating and filling the opts argument
		64	parameters. The allocated memory for :c:type:`TIFFOpenOptions`
		65	can be released straight after successful execution of the related
		66	@@ -105,9 +106,7 @@ can be released straight after successful execution of the related
		67	but opens a TIFF file with a Unicode filename.
		68
		69	:c:func:`TIFFFdOpenExt` (added in libtiff 4.5) is like :c:func:`TIFFFdOpen`,
		70	-but options, such as re-entrant error and warning handlers may be passed
		71	-with the opts argument. The opts argument may be NULL.
		72	-Refer to :doc:`TIFFOpenOptions` for filling the opts argument.
		73	+but options argument opts like for :c:func:`TIFFOpenExt` can be passed.
		74
		75	:c:func:`TIFFSetFileName` sets the file name in the tif-structure
		76	and returns the old file name.
		77	@@ -326,5 +325,5 @@ See also
		78
		79	:doc:`libtiff` (3tiff),
		80	:doc:`TIFFClose` (3tiff),
		81	-:doc:`TIFFStrileQuery`,
		82	-:doc:`TIFFOpenOptions`
		83	\ No newline at end of file
		84	+:doc:`TIFFStrileQuery` (3tiff),
		85	+:doc:`TIFFOpenOptions`
		86	diff --git a/doc/functions/TIFFOpenOptions.rst b/doc/functions/TIFFOpenOptions.rst
		87	index 5c67566..23f2975 100644
		88	--- a/doc/functions/TIFFOpenOptions.rst
		89	+++ b/doc/functions/TIFFOpenOptions.rst
		90	@@ -38,12 +38,17 @@ opaque structure and returns a :c:type:`TIFFOpenOptions` pointer.
		91	:c:func:`TIFFOpenOptionsFree` releases the allocated memory for
		92	:c:type:`TIFFOpenOptions`. The allocated memory for :c:type:`TIFFOpenOptions`
		93	can be released straight after successful execution of the related
		94	-TIFF open"Ext" functions like :c:func:`TIFFOpenExt`.
		95	+TIFFOpen"Ext" functions like :c:func:`TIFFOpenExt`.
		96
		97	:c:func:`TIFFOpenOptionsSetMaxSingleMemAlloc` sets parameter for the
		98	maximum single memory limit in byte that ``libtiff`` internal memory allocation
		99	functions are allowed to request per call.
		100
		101	+.. note::
		102	+ However, the ``libtiff`` external functions :c:func:`_TIFFmalloc`
		103	+ and :c:func:`_TIFFrealloc` do not apply this internal memory
		104	+ allocation limit set by :c:func:`TIFFOpenOptionsSetMaxSingleMemAlloc`!
		105	+
		106	:c:func:`TIFFOpenOptionsSetErrorHandlerExtR` sets the function pointer to
		107	an application-specific and per-TIFF handle (re-entrant) error handler.
		108	Furthermore, a pointer to a custom defined data structure errorhandler_user_data
		109	@@ -55,6 +60,43 @@ The errorhandler_user_data argument may be NULL.
		110	:c:func:`TIFFOpenOptionsSetErrorHandlerExtR` but for the warning handler,
		111	which is invoked through :c:func:`TIFFWarningExtR`
		112
		113	+Example
		114	+-------
		115	+
		116	+::
		117	+
		118	+ #include "tiffio.h"
		119	+
		120	+ typedef struct MyErrorHandlerUserDataStruct
		121	+ {
		122	+ /* ... any user data structure ... */
		123	+ } MyErrorHandlerUserDataStruct;
		124	+
		125	+ static int myErrorHandler(TIFF tiff, void user_data, const char *module,
		126	+ const char *fmt, va_list ap)
		127	+ {
		128	+ MyErrorHandlerUserDataStruct *errorhandler_user_data =
		129	+ (MyErrorHandlerUserDataStruct *)user_data;
		130	+ /... code of myErrorHandler .../
		131	+ return 1;
		132	+ }
		133	+
		134	+
		135	+ main()
		136	+ {
		137	+ tmsize_t limit = (256 * 1024 * 1024);
		138	+ MyErrorHandlerUserDataStruct user_data = { /* ... any data ... */};
		139	+
		140	+ TIFFOpenOptions *opts = TIFFOpenOptionsAlloc();
		141	+ TIFFOpenOptionsSetMaxSingleMemAlloc(opts, limit);
		142	+ TIFFOpenOptionsSetErrorHandlerExtR(opts, myErrorHandler, &user_data);
		143	+ TIFF *tif = TIFFOpenExt("foo.tif", "r", opts);
		144	+ TIFFOpenOptionsFree(opts);
		145	+ /* ... go on here ... */
		146	+
		147	+ TIFFClose(tif);
		148	+ }
		149	+
		150	Note
		151	----
		152
		153	diff --git a/doc/functions/TIFFStrileQuery.rst b/doc/functions/TIFFStrileQuery.rst
		154	index f8631af..7931fe4 100644
		155	--- a/doc/functions/TIFFStrileQuery.rst
		156	+++ b/doc/functions/TIFFStrileQuery.rst
		157	@@ -66,6 +66,11 @@ Diagnostics
		158	All error messages are directed to the :c:func:`TIFFErrorExtR` routine.
		159	Likewise, warning messages are directed to the :c:func:`TIFFWarningExtR` routine.
		160
		161	+Note
		162	+----
		163	+
		164	+This functionality was introduced with libtiff 4.1.
		165	+
		166	See also
		167	--------
		168
		169	diff --git a/doc/libtiff.rst b/doc/libtiff.rst
		170	index 6a0054c..d96a860 100644
		171	--- a/doc/libtiff.rst
		172	+++ b/doc/libtiff.rst
		173	@@ -90,11 +90,15 @@ compatibility on machines with a segmented architecture.
		174	:c:func:`realloc`, and :c:func:`free` routines in the C library.)
		175
		176	To deal with segmented pointer issues ``libtiff`` also provides
		177	-:c:func:`_TIFFmemcpy`, :c:func:`_TIFFmemset`, and :c:func:`_TIFFmemmove`
		178	+:c:func:`_TIFFmemcpy`, :c:func:`_TIFFmemset`, and :c:func:`_TIFFmemcmp`
		179	routines that mimic the equivalent ANSI C routines, but that are
		180	intended for use with memory allocated through :c:func:`_TIFFmalloc`
		181	and :c:func:`_TIFFrealloc`.
		182
		183	+With ``libtiff`` 4.5 a method was introduced to limit the internal
		184	+memory allocation that functions are allowed to request per call
		185	+(see :c:func:`TIFFOpenOptionsSetMaxSingleMemAlloc` and :c:func:`TIFFOpenExt`).
		186	+
		187	Error Handling
		188	--------------
		189
		190	@@ -106,6 +110,10 @@ routine that can be specified with a call to :c:func:`TIFFSetErrorHandler`.
		191	Likewise warning messages are directed to a single handler routine
		192	that can be specified with a call to :c:func:`TIFFSetWarningHandler`
		193
		194	+Further application-specific and per-TIFF handle (re-entrant) error handler
		195	+and warning handler can be set. Please refer to :doc:`/functions/TIFFError`
		196	+and :doc:`/functions/TIFFOpenOptions`.
		197	+
		198	Basic File Handling
		199	-------------------
		200
		201	@@ -139,7 +147,7 @@ a ``"w"`` argument:
		202	main()
		203	{
		204	TIFF* tif = TIFFOpen("foo.tif", "w");
		205	- ... do stuff ...
		206	+ /* ... do stuff ... */
		207	TIFFClose(tif);
		208	}
		209
		210	@@ -157,6 +165,25 @@ to always call :c:func:`TIFFClose` or :c:func:`TIFFFlush` to flush any
		211	buffered information to a file. Note that if you call :c:func:`TIFFClose`
		212	you do not need to call :c:func:`TIFFFlush`.
		213
		214	+.. warning::
		215	+
		216	+ In order to prevent out-of-memory issues when opening a TIFF file
		217	+ :c:func:`TIFFOpenExt` can be used and then the maximum single memory
		218	+ limit in byte that ``libtiff`` internal memory allocation functions
		219	+ are allowed to request per call can be set with
		220	+ :c:func:`TIFFOpenOptionsSetMaxSingleMemAlloc`.
		221	+
		222	+Example
		223	+
		224	+::
		225	+
		226	+ tmsize_t limit = (256 * 1024 * 1024);
		227	+ TIFFOpenOptions *opts = TIFFOpenOptionsAlloc();
		228	+ TIFFOpenOptionsSetMaxSingleMemAlloc(opts, limit);
		229	+ TIFF *tif = TIFFOpenExt("foo.tif", "w", opts);
		230	+ TIFFOpenOptionsFree(opts);
		231	+ /* ... go on here ... */
		232	+
		233	TIFF Directories
		234	----------------
		235
		236	--
		237	2.40.0
		238


diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2023-52355-0002.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2023-52355-0002.patch new file mode 100644 index 0000000000..19a1ef727a --- /dev/null +++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2023-52355-0002.patch
@@ -0,0 +1,28 @@
		1	From 16ab4a205cfc938c32686e8d697d048fabf97ed4 Mon Sep 17 00:00:00 2001
		2	From: Timothy Lyanguzov <theta682@gmail.com>
		3	Date: Thu, 1 Feb 2024 11:19:06 +0000
		4	Subject: [PATCH] Fix typo.
		5
		6	CVE: CVE-2023-52355
		7	Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/16ab4a205cfc938c32686e8d697d048fabf97ed4]
		8
		9	Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
		10	---
		11	doc/libtiff.rst \| 2 +-
		12	1 file changed, 1 insertion(+), 1 deletion(-)
		13
		14	diff --git a/doc/libtiff.rst b/doc/libtiff.rst
		15	index d96a860..4fedc3e 100644
		16	--- a/doc/libtiff.rst
		17	+++ b/doc/libtiff.rst
		18	@@ -169,7 +169,7 @@ you do not need to call :c:func:`TIFFFlush`.
		19
		20	In order to prevent out-of-memory issues when opening a TIFF file
		21	:c:func:`TIFFOpenExt` can be used and then the maximum single memory
		22	- limit in byte that ``libtiff`` internal memory allocation functions
		23	+ limit in bytes that ``libtiff`` internal memory allocation functions
		24	are allowed to request per call can be set with
		25	:c:func:`TIFFOpenOptionsSetMaxSingleMemAlloc`.
		26
		27	--
		28	2.40.0


diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2023-52356.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2023-52356.patch new file mode 100644 index 0000000000..75f5d8946a --- /dev/null +++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2023-52356.patch
@@ -0,0 +1,49 @@
		1	From 51558511bdbbcffdce534db21dbaf5d54b31638a Mon Sep 17 00:00:00 2001
		2	From: Even Rouault <even.rouault@spatialys.com>
		3	Date: Thu, 1 Feb 2024 11:38:14 +0000
		4	Subject: [PATCH] TIFFReadRGBAStrip/TIFFReadRGBATile: add more validation of
		5	col/row (fixes #622)
		6
		7	CVE: CVE-2023-52356
		8	Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/51558511bdbbcffdce534db21dbaf5d54b31638a]
		9
		10	Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
		11	---
		12	libtiff/tif_getimage.c \| 15 +++++++++++++++
		13	1 file changed, 15 insertions(+)
		14
		15	diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c
		16	index 41f7dfd..9cd6eee 100644
		17	--- a/libtiff/tif_getimage.c
		18	+++ b/libtiff/tif_getimage.c
		19	@@ -3224,6 +3224,13 @@ int TIFFReadRGBAStripExt(TIFF tif, uint32_t row, uint32_t raster,
		20	if (TIFFRGBAImageOK(tif, emsg) &&
		21	TIFFRGBAImageBegin(&img, tif, stop_on_error, emsg))
		22	{
		23	+ if (row >= img.height)
		24	+ {
		25	+ TIFFErrorExtR(tif, TIFFFileName(tif),
		26	+ "Invalid row passed to TIFFReadRGBAStrip().");
		27	+ TIFFRGBAImageEnd(&img);
		28	+ return (0);
		29	+ }
		30
		31	img.row_offset = row;
		32	img.col_offset = 0;
		33	@@ -3301,6 +3308,14 @@ int TIFFReadRGBATileExt(TIFF tif, uint32_t col, uint32_t row, uint32_t raster,
		34	return (0);
		35	}
		36
		37	+ if (col >= img.width \|\| row >= img.height)
		38	+ {
		39	+ TIFFErrorExtR(tif, TIFFFileName(tif),
		40	+ "Invalid row/col passed to TIFFReadRGBATile().");
		41	+ TIFFRGBAImageEnd(&img);
		42	+ return (0);
		43	+ }
		44	+
		45	/*
		46	* The TIFFRGBAImageGet() function doesn't allow us to get off the
		47	* edge of the image, even to fill an otherwise valid tile. So we
		48	--
		49	2.40.0


diff --git a/meta/recipes-multimedia/libtiff/tiff_4.6.0.bb b/meta/recipes-multimedia/libtiff/tiff_4.6.0.bb index eb8a096f19..a26e4694f6 100644 --- a/meta/recipes-multimedia/libtiff/tiff_4.6.0.bb +++ b/meta/recipes-multimedia/libtiff/tiff_4.6.0.bb
@@ -13,6 +13,9 @@ SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
13	file://CVE-2023-6277-At-image-reading-compare-data-size-of-some-tags-data-2.patch \	13	file://CVE-2023-6277-At-image-reading-compare-data-size-of-some-tags-data-2.patch \
14	file://CVE-2023-6277-Apply-1-suggestion-s-to-1-file-s.patch \	14	file://CVE-2023-6277-Apply-1-suggestion-s-to-1-file-s.patch \
15	file://CVE-2023-6228.patch \	15	file://CVE-2023-6228.patch \
		16	file://CVE-2023-52355-0001.patch \
		17	file://CVE-2023-52355-0002.patch \
		18	file://CVE-2023-52356.patch \
16	"	19	"
17		20
18	SRC_URI[sha256sum] = "88b3979e6d5c7e32b50d7ec72fb15af724f6ab2cbf7e10880c360a77e4b5d99a"	21	SRC_URI[sha256sum] = "88b3979e6d5c7e32b50d7ec72fb15af724f6ab2cbf7e10880c360a77e4b5d99a"