tiff: Fix for CVE-2022-2867/8/9

Add Patch to fix CVE-2022-2867, CVE-2022-2868 CVE-2022-2869 (From OE-Core rev: 67df7488bf66183ffdb9f497f00ad291b79210d3) Signed-off-by: Virendra Thakur <virendrak@kpit.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Virendra Thakur <virendrak@kpit.com> 2022-09-05 15:11:11 +0530
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2022-09-16 17:53:28 +0100
commit: a98b309fe23cfdcf3f8be7afc4fde6734b973f43 (patch)
tree: d686c9d3e8a0218caad5c661ed2e10b73f823f3f /meta
parent: b9c73d659161e79c010ae6219bb076a10e225d83 (diff)
download: poky-a98b309fe23cfdcf3f8be7afc4fde6734b973f43.tar.gz
2 files changed, 160 insertions, 0 deletions
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2022-2867-CVE-2022-2868-CVE-2022-2869.patch b/meta/recipes-multimedia/libtiff/files/CVE-2022-2867-CVE-2022-2868-CVE-2022-2869.patch
new file mode 100644
index 0000000000..131ff94119
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2022-2867-CVE-2022-2868-CVE-2022-2869.patch
@@ -0,0 +1,159 @@
+From 07d79fcac2ead271b60e32aeb80f7b4f3be9ac8c Mon Sep 17 00:00:00 2001
+From: Su Laus <sulau@freenet.de>
+Date: Wed, 9 Feb 2022 21:31:29 +0000
+Subject: [PATCH] tiffcrop.c: Fix issue #352 heap-buffer-overflow by correcting
+ uint32_t underflow.
+CVE: CVE-2022-2867 CVE-2022-2868 CVE-2022-2869
+Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/07d79fcac2ead271b60e32aeb80f7b4f3be9ac8c]
+Signed-off-by: Virendra Thakur <virendrak@kpit.com>
+---
+Index: tiff-4.1.0/tools/tiffcrop.c
+===================================================================
+--- tiff-4.1.0.orig/tools/tiffcrop.c
+++ tiff-4.1.0/tools/tiffcrop.c
+@@ -5153,29 +5153,45 @@ computeInputPixelOffsets(struct crop_mas
+        y1 = _TIFFClampDoubleToUInt32(crop->corners[i].Y1);
+        y2 = _TIFFClampDoubleToUInt32(crop->corners[i].Y2);
+        }
+-      if (x1 < 1)
+-        crop->regionlist[i].x1 = 0;
+-      else
+-        crop->regionlist[i].x1 = (uint32) (x1 - 1);
+      /* a) Region needs to be within image sizes 0.. width-1; 0..length-1 
+       * b) Corners are expected to be submitted as top-left to bottom-right.
+       *    Therefore, check that and reorder input.
+       * (be aware x,y are already casted to (uint32_t) and avoid (0 - 1) )
+       */
+      uint32_t aux;
+      if (x1 > x2) {
+        aux = x1;
+        x1 = x2;
+        x2 = aux;
+      }
+      if (y1 > y2) {
+        aux = y1;
+        y1 = y2;
+        y2 = aux;
+      }
+      if (x1 > image->width - 1)
+        crop->regionlist[i].x1 = image->width - 1;
+      else if (x1 > 0)
+        crop->regionlist[i].x1 = (uint32_t)(x1 - 1);
+ 
+       if (x2 > image->width - 1)
+         crop->regionlist[i].x2 = image->width - 1;
+-      else
+-        crop->regionlist[i].x2 = (uint32) (x2 - 1);
+-      zwidth  = crop->regionlist[i].x2 - crop->regionlist[i].x1 + 1; 
+-
+-      if (y1 < 1)
+-        crop->regionlist[i].y1 = 0;
+-      else
+-        crop->regionlist[i].y1 = (uint32) (y1 - 1);
+      else if (x2 > 0)
+        crop->regionlist[i].x2 = (uint32_t)(x2 - 1);
+
+      zwidth = crop->regionlist[i].x2 - crop->regionlist[i].x1 + 1;
+
+      if (y1 > image->length - 1)
+        crop->regionlist[i].y1 = image->length - 1;
+      else if (y1 > 0)
+        crop->regionlist[i].y1 = (uint32_t)(y1 - 1);
+ 
+       if (y2 > image->length - 1)
+         crop->regionlist[i].y2 = image->length - 1;
+-      else
+-        crop->regionlist[i].y2 = (uint32) (y2 - 1);
+-
+-      zlength = crop->regionlist[i].y2 - crop->regionlist[i].y1 + 1; 
+      else if (y2 > 0)
+        crop->regionlist[i].y2 = (uint32_t)(y2 - 1);
+ 
+      zlength = crop->regionlist[i].y2 - crop->regionlist[i].y1 + 1;
+       if (zwidth > max_width)
+         max_width = zwidth;
+       if (zlength > max_length)
+@@ -5205,7 +5221,7 @@ computeInputPixelOffsets(struct crop_mas
+        }
+       }
+     return (0);
+-    }
+    }  /* crop_mode == CROP_REGIONS */
+   
+   /* Convert crop margins into offsets into image
+    * Margins are expressed as pixel rows and columns, not bytes
+@@ -5241,7 +5257,7 @@ computeInputPixelOffsets(struct crop_mas
+       bmargin = (uint32) 0;
+       return (-1);
+       }
+-    }
+    }  /* crop_mode == CROP_MARGINS */
+   else
+     { /* no margins requested */
+     tmargin = (uint32) 0;
+@@ -5332,24 +5348,23 @@ computeInputPixelOffsets(struct crop_mas
+   off->endx   = endx;
+   off->endy   = endy;
+ 
+-  crop_width  = endx - startx + 1;
+-  crop_length = endy - starty + 1;
+-
+-  if (crop_width <= 0)
+  if (endx + 1 <= startx)
+     {
+     TIFFError("computeInputPixelOffsets", 
+                "Invalid left/right margins and /or image crop width requested");
+     return (-1);
+     }
+  crop_width  = endx - startx + 1;
+   if (crop_width > image->width)
+     crop_width = image->width;
+ 
+-  if (crop_length <= 0)
+  if (endy + 1 <= starty)
+     {
+     TIFFError("computeInputPixelOffsets", 
+               "Invalid top/bottom margins and /or image crop length requested");
+     return (-1);
+     }
+  crop_length = endy - starty + 1;
+   if (crop_length > image->length)
+     crop_length = image->length;
+ 
+@@ -5449,10 +5464,17 @@ getCropOffsets(struct image_data *image,
+   else
+     crop->selections = crop->zones;
+ 
+-  for (i = 0; i < crop->zones; i++)
+  /* Initialize regions iterator i */
+  i = 0;
+  for (int j = 0; j < crop->zones; j++)
+     {
+-    seg = crop->zonelist[i].position;
+-    total = crop->zonelist[i].total;
+    seg = crop->zonelist[j].position;
+    total = crop->zonelist[j].total;
+
+    /* check for not allowed zone cases like 0:0; 4:3; etc. and skip that input */
+    if (seg == 0 || total == 0 || seg > total) {
+        continue;
+    }
+ 
+     switch (crop->edge_ref) 
+       {
+@@ -5581,8 +5603,11 @@ getCropOffsets(struct image_data *image,
+                     i + 1, (uint32)zwidth, (uint32)zlength,
+                    crop->regionlist[i].x1, crop->regionlist[i].x2, 
+                     crop->regionlist[i].y1, crop->regionlist[i].y2);
+  /* increment regions iterator */
+  i++;
+     }
+-
+    /* set number of generated regions out of given zones */
+    crop->selections = i;
+   return (0);
+   } /* end getCropOffsets */
+ 
+-- 
+GitLab
diff --git a/meta/recipes-multimedia/libtiff/tiff_4.1.0.bb b/meta/recipes-multimedia/libtiff/tiff_4.1.0.bb
index c061d2aaac..93a35230d6 100644
--- a/meta/recipes-multimedia/libtiff/tiff_4.1.0.bb
+++ b/meta/recipes-multimedia/libtiff/tiff_4.1.0.bb
@@ -26,6 +26,7 @@ SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
           file://CVE-2022-0924.patch \
           file://CVE-2022-2056-CVE-2022-2057-CVE-2022-2058.patch \
           file://CVE-2022-34526.patch \
+           file://CVE-2022-2867-CVE-2022-2868-CVE-2022-2869.patch \
          "
 SRC_URI[md5sum] = "2165e7aba557463acc0664e71a3ed424"
 SRC_URI[sha256sum] = "5d29f32517dadb6dbcd1255ea5bbc93a2b54b94fbf83653b4d65c7d6775b8634"
author	Virendra Thakur <virendrak@kpit.com>	2022-09-05 15:11:11 +0530
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2022-09-16 17:53:28 +0100
commit	a98b309fe23cfdcf3f8be7afc4fde6734b973f43 (patch)
tree	d686c9d3e8a0218caad5c661ed2e10b73f823f3f /meta
parent	b9c73d659161e79c010ae6219bb076a10e225d83 (diff)
download	poky-a98b309fe23cfdcf3f8be7afc4fde6734b973f43.tar.gz

diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2022-2867-CVE-2022-2868-CVE-2022-2869.patch b/meta/recipes-multimedia/libtiff/files/CVE-2022-2867-CVE-2022-2868-CVE-2022-2869.patch new file mode 100644 index 0000000000..131ff94119 --- /dev/null +++ b/meta/recipes-multimedia/libtiff/files/CVE-2022-2867-CVE-2022-2868-CVE-2022-2869.patch
@@ -0,0 +1,159 @@
		1	From 07d79fcac2ead271b60e32aeb80f7b4f3be9ac8c Mon Sep 17 00:00:00 2001
		2	From: Su Laus <sulau@freenet.de>
		3	Date: Wed, 9 Feb 2022 21:31:29 +0000
		4	Subject: [PATCH] tiffcrop.c: Fix issue #352 heap-buffer-overflow by correcting
		5	uint32_t underflow.
		6
		7	CVE: CVE-2022-2867 CVE-2022-2868 CVE-2022-2869
		8	Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/07d79fcac2ead271b60e32aeb80f7b4f3be9ac8c]
		9	Signed-off-by: Virendra Thakur <virendrak@kpit.com>
		10	---
		11	Index: tiff-4.1.0/tools/tiffcrop.c
		12	===================================================================
		13	--- tiff-4.1.0.orig/tools/tiffcrop.c
		14	+++ tiff-4.1.0/tools/tiffcrop.c
		15	@@ -5153,29 +5153,45 @@ computeInputPixelOffsets(struct crop_mas
		16	y1 = _TIFFClampDoubleToUInt32(crop->corners[i].Y1);
		17	y2 = _TIFFClampDoubleToUInt32(crop->corners[i].Y2);
		18	}
		19	- if (x1 < 1)
		20	- crop->regionlist[i].x1 = 0;
		21	- else
		22	- crop->regionlist[i].x1 = (uint32) (x1 - 1);
		23	+ /* a) Region needs to be within image sizes 0.. width-1; 0..length-1
		24	+ * b) Corners are expected to be submitted as top-left to bottom-right.
		25	+ * Therefore, check that and reorder input.
		26	+ * (be aware x,y are already casted to (uint32_t) and avoid (0 - 1) )
		27	+ */
		28	+ uint32_t aux;
		29	+ if (x1 > x2) {
		30	+ aux = x1;
		31	+ x1 = x2;
		32	+ x2 = aux;
		33	+ }
		34	+ if (y1 > y2) {
		35	+ aux = y1;
		36	+ y1 = y2;
		37	+ y2 = aux;
		38	+ }
		39	+ if (x1 > image->width - 1)
		40	+ crop->regionlist[i].x1 = image->width - 1;
		41	+ else if (x1 > 0)
		42	+ crop->regionlist[i].x1 = (uint32_t)(x1 - 1);
		43
		44	if (x2 > image->width - 1)
		45	crop->regionlist[i].x2 = image->width - 1;
		46	- else
		47	- crop->regionlist[i].x2 = (uint32) (x2 - 1);
		48	- zwidth = crop->regionlist[i].x2 - crop->regionlist[i].x1 + 1;
		49	-
		50	- if (y1 < 1)
		51	- crop->regionlist[i].y1 = 0;
		52	- else
		53	- crop->regionlist[i].y1 = (uint32) (y1 - 1);
		54	+ else if (x2 > 0)
		55	+ crop->regionlist[i].x2 = (uint32_t)(x2 - 1);
		56	+
		57	+ zwidth = crop->regionlist[i].x2 - crop->regionlist[i].x1 + 1;
		58	+
		59	+ if (y1 > image->length - 1)
		60	+ crop->regionlist[i].y1 = image->length - 1;
		61	+ else if (y1 > 0)
		62	+ crop->regionlist[i].y1 = (uint32_t)(y1 - 1);
		63
		64	if (y2 > image->length - 1)
		65	crop->regionlist[i].y2 = image->length - 1;
		66	- else
		67	- crop->regionlist[i].y2 = (uint32) (y2 - 1);
		68	-
		69	- zlength = crop->regionlist[i].y2 - crop->regionlist[i].y1 + 1;
		70	+ else if (y2 > 0)
		71	+ crop->regionlist[i].y2 = (uint32_t)(y2 - 1);
		72
		73	+ zlength = crop->regionlist[i].y2 - crop->regionlist[i].y1 + 1;
		74	if (zwidth > max_width)
		75	max_width = zwidth;
		76	if (zlength > max_length)
		77	@@ -5205,7 +5221,7 @@ computeInputPixelOffsets(struct crop_mas
		78	}
		79	}
		80	return (0);
		81	- }
		82	+ } /* crop_mode == CROP_REGIONS */
		83
		84	/* Convert crop margins into offsets into image
		85	* Margins are expressed as pixel rows and columns, not bytes
		86	@@ -5241,7 +5257,7 @@ computeInputPixelOffsets(struct crop_mas
		87	bmargin = (uint32) 0;
		88	return (-1);
		89	}
		90	- }
		91	+ } /* crop_mode == CROP_MARGINS */
		92	else
		93	{ /* no margins requested */
		94	tmargin = (uint32) 0;
		95	@@ -5332,24 +5348,23 @@ computeInputPixelOffsets(struct crop_mas
		96	off->endx = endx;
		97	off->endy = endy;
		98
		99	- crop_width = endx - startx + 1;
		100	- crop_length = endy - starty + 1;
		101	-
		102	- if (crop_width <= 0)
		103	+ if (endx + 1 <= startx)
		104	{
		105	TIFFError("computeInputPixelOffsets",
		106	"Invalid left/right margins and /or image crop width requested");
		107	return (-1);
		108	}
		109	+ crop_width = endx - startx + 1;
		110	if (crop_width > image->width)
		111	crop_width = image->width;
		112
		113	- if (crop_length <= 0)
		114	+ if (endy + 1 <= starty)
		115	{
		116	TIFFError("computeInputPixelOffsets",
		117	"Invalid top/bottom margins and /or image crop length requested");
		118	return (-1);
		119	}
		120	+ crop_length = endy - starty + 1;
		121	if (crop_length > image->length)
		122	crop_length = image->length;
		123
		124	@@ -5449,10 +5464,17 @@ getCropOffsets(struct image_data *image,
		125	else
		126	crop->selections = crop->zones;
		127
		128	- for (i = 0; i < crop->zones; i++)
		129	+ /* Initialize regions iterator i */
		130	+ i = 0;
		131	+ for (int j = 0; j < crop->zones; j++)
		132	{
		133	- seg = crop->zonelist[i].position;
		134	- total = crop->zonelist[i].total;
		135	+ seg = crop->zonelist[j].position;
		136	+ total = crop->zonelist[j].total;
		137	+
		138	+ /* check for not allowed zone cases like 0:0; 4:3; etc. and skip that input */
		139	+ if (seg == 0 \|\| total == 0 \|\| seg > total) {
		140	+ continue;
		141	+ }
		142
		143	switch (crop->edge_ref)
		144	{
		145	@@ -5581,8 +5603,11 @@ getCropOffsets(struct image_data *image,
		146	i + 1, (uint32)zwidth, (uint32)zlength,
		147	crop->regionlist[i].x1, crop->regionlist[i].x2,
		148	crop->regionlist[i].y1, crop->regionlist[i].y2);
		149	+ /* increment regions iterator */
		150	+ i++;
		151	}
		152	-
		153	+ /* set number of generated regions out of given zones */
		154	+ crop->selections = i;
		155	return (0);
		156	} /* end getCropOffsets */
		157
		158	--
		159	GitLab


diff --git a/meta/recipes-multimedia/libtiff/tiff_4.1.0.bb b/meta/recipes-multimedia/libtiff/tiff_4.1.0.bb index c061d2aaac..93a35230d6 100644 --- a/meta/recipes-multimedia/libtiff/tiff_4.1.0.bb +++ b/meta/recipes-multimedia/libtiff/tiff_4.1.0.bb
@@ -26,6 +26,7 @@ SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
26	file://CVE-2022-0924.patch \	26	file://CVE-2022-0924.patch \
27	file://CVE-2022-2056-CVE-2022-2057-CVE-2022-2058.patch \	27	file://CVE-2022-2056-CVE-2022-2057-CVE-2022-2058.patch \
28	file://CVE-2022-34526.patch \	28	file://CVE-2022-34526.patch \
		29	file://CVE-2022-2867-CVE-2022-2868-CVE-2022-2869.patch \
29	"	30	"
30	SRC_URI[md5sum] = "2165e7aba557463acc0664e71a3ed424"	31	SRC_URI[md5sum] = "2165e7aba557463acc0664e71a3ed424"
31	SRC_URI[sha256sum] = "5d29f32517dadb6dbcd1255ea5bbc93a2b54b94fbf83653b4d65c7d6775b8634"	32	SRC_URI[sha256sum] = "5d29f32517dadb6dbcd1255ea5bbc93a2b54b94fbf83653b4d65c7d6775b8634"