tiff: backport a fix for CVE-2023-26965

Fixes a bug where a buffer was used after a potential reallocation. (From OE-Core rev: 48b8945fa570edcdf1e19ed4a4ca81c4416f1a6a) Signed-off-by: Natasha Bailey <nat.bailey@windriver.com> Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Natasha Bailey <nat.bailey@windriver.com> 2023-06-23 10:47:44 -0700
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2023-06-27 16:23:40 +0100
commit: a4bd1f72821d3cae65c220e35f716234766974bf (patch)
tree: ce33702d240b188252ed0eeb777721dbb1136cad /meta
parent: 49eddee6521b94abc1826e560d9bf4a2a5abcc53 (diff)
download: poky-a4bd1f72821d3cae65c220e35f716234766974bf.tar.gz
2 files changed, 100 insertions, 0 deletions
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2023-26965.patch b/meta/recipes-multimedia/libtiff/files/CVE-2023-26965.patch
new file mode 100644
index 0000000000..5fdc1ed013
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2023-26965.patch
@@ -0,0 +1,99 @@
+From ec8ef90c1f573c9eb1f17d6a056aa0015f184acf Mon Sep 17 00:00:00 2001
+From: Su_Laus <sulau@freenet.de>
+Date: Tue, 14 Feb 2023 20:43:43 +0100
+Subject: [PATCH] tiffcrop: Do not reuse input buffer for subsequent images.
+ Fix issue 527
+Reuse of read_buff within loadImage() from previous image is quite unsafe, because other functions (like rotateImage() etc.) reallocate that buffer with different size without updating the local prev_readsize value.
+Closes #527
+CVE: CVE-2023-26965
+Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/ec8ef90c1f573c9eb1f17d6a056aa0015f184acf]
+Signed-off-by: Natasha Bailey <nat.bailey@windriver.com>
+---
+ tools/tiffcrop.c | 47 +++++++++++++----------------------------------
+ 1 file changed, 13 insertions(+), 34 deletions(-)
+diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
+index d7ad5ca8..d3e11ba2 100644
+--- a/tools/tiffcrop.c
+++ b/tools/tiffcrop.c
+@@ -6771,9 +6771,7 @@ static int loadImage(TIFF *in, struct image_data *image, struct dump_opts *dump,
+     uint32_t tw = 0, tl = 0; /* Tile width and length */
+     tmsize_t tile_rowsize = 0;
+     unsigned char *read_buff = NULL;
+-    unsigned char *new_buff = NULL;
+     int readunit = 0;
+-    static tmsize_t prev_readsize = 0;
+ 
+     TIFFGetFieldDefaulted(in, TIFFTAG_BITSPERSAMPLE, &bps);
+     TIFFGetFieldDefaulted(in, TIFFTAG_SAMPLESPERPIXEL, &spp);
+@@ -7097,43 +7095,25 @@ static int loadImage(TIFF *in, struct image_data *image, struct dump_opts *dump,
+     }
+ 
+     read_buff = *read_ptr;
+-    /* +3 : add a few guard bytes since reverseSamples16bits() can read a bit */
+-    /* outside buffer */
+-    if (!read_buff)
+    /* +3 : add a few guard bytes since reverseSamples16bits() can read a bit
+     * outside buffer */
+    /* Reuse of read_buff from previous image is quite unsafe, because other
+     * functions (like rotateImage() etc.) reallocate that buffer with different
+     * size without updating the local prev_readsize value. */
+    if (read_buff)
+     {
+-        if (buffsize > 0xFFFFFFFFU - 3)
+-        {
+-            TIFFError("loadImage", "Unable to allocate/reallocate read buffer");
+-            return (-1);
+-        }
+-        read_buff =
+-            (unsigned char *)limitMalloc(buffsize + NUM_BUFF_OVERSIZE_BYTES);
+        _TIFFfree(read_buff);
+     }
+-    else
+    if (buffsize > 0xFFFFFFFFU - 3)
+     {
+-        if (prev_readsize < buffsize)
+-        {
+-            if (buffsize > 0xFFFFFFFFU - 3)
+-            {
+-                TIFFError("loadImage",
+-                          "Unable to allocate/reallocate read buffer");
+-                return (-1);
+-            }
+-            new_buff =
+-                _TIFFrealloc(read_buff, buffsize + NUM_BUFF_OVERSIZE_BYTES);
+-            if (!new_buff)
+-            {
+-                free(read_buff);
+-                read_buff = (unsigned char *)limitMalloc(
+-                    buffsize + NUM_BUFF_OVERSIZE_BYTES);
+-            }
+-            else
+-                read_buff = new_buff;
+-        }
+        TIFFError("loadImage", "Required read buffer size too large");
+        return (-1);
+     }
+    read_buff =
+        (unsigned char *)limitMalloc(buffsize + NUM_BUFF_OVERSIZE_BYTES);
+     if (!read_buff)
+     {
+-        TIFFError("loadImage", "Unable to allocate/reallocate read buffer");
+        TIFFError("loadImage", "Unable to allocate read buffer");
+         return (-1);
+     }
+ 
+@@ -7141,7 +7121,6 @@ static int loadImage(TIFF *in, struct image_data *image, struct dump_opts *dump,
+     read_buff[buffsize + 1] = 0;
+     read_buff[buffsize + 2] = 0;
+ 
+-    prev_readsize = buffsize;
+     *read_ptr = read_buff;
+ 
+     /* N.B. The read functions used copy separate plane data into a buffer as
+-- 
+2.39.0
diff --git a/meta/recipes-multimedia/libtiff/tiff_4.5.0.bb b/meta/recipes-multimedia/libtiff/tiff_4.5.0.bb
index ca4a3eff91..2bde8fe9d6 100644
--- a/meta/recipes-multimedia/libtiff/tiff_4.5.0.bb
+++ b/meta/recipes-multimedia/libtiff/tiff_4.5.0.bb
@@ -11,6 +11,7 @@ CVE_PRODUCT = "libtiff"
 SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
           file://CVE-2022-48281.patch \
           file://CVE-2023-2731.patch \
+           file://CVE-2023-26965.patch \
 "
 SRC_URI[sha256sum] = "c7a1d9296649233979fa3eacffef3fa024d73d05d589cb622727b5b08c423464"
author	Natasha Bailey <nat.bailey@windriver.com>	2023-06-23 10:47:44 -0700
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2023-06-27 16:23:40 +0100
commit	a4bd1f72821d3cae65c220e35f716234766974bf (patch)
tree	ce33702d240b188252ed0eeb777721dbb1136cad /meta
parent	49eddee6521b94abc1826e560d9bf4a2a5abcc53 (diff)
download	poky-a4bd1f72821d3cae65c220e35f716234766974bf.tar.gz

diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2023-26965.patch b/meta/recipes-multimedia/libtiff/files/CVE-2023-26965.patch new file mode 100644 index 0000000000..5fdc1ed013 --- /dev/null +++ b/meta/recipes-multimedia/libtiff/files/CVE-2023-26965.patch
@@ -0,0 +1,99 @@
		1	From ec8ef90c1f573c9eb1f17d6a056aa0015f184acf Mon Sep 17 00:00:00 2001
		2	From: Su_Laus <sulau@freenet.de>
		3	Date: Tue, 14 Feb 2023 20:43:43 +0100
		4	Subject: [PATCH] tiffcrop: Do not reuse input buffer for subsequent images.
		5	Fix issue 527
		6
		7	Reuse of read_buff within loadImage() from previous image is quite unsafe, because other functions (like rotateImage() etc.) reallocate that buffer with different size without updating the local prev_readsize value.
		8
		9	Closes #527
		10
		11	CVE: CVE-2023-26965
		12	Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/ec8ef90c1f573c9eb1f17d6a056aa0015f184acf]
		13	Signed-off-by: Natasha Bailey <nat.bailey@windriver.com>
		14	---
		15	tools/tiffcrop.c \| 47 +++++++++++++----------------------------------
		16	1 file changed, 13 insertions(+), 34 deletions(-)
		17
		18	diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
		19	index d7ad5ca8..d3e11ba2 100644
		20	--- a/tools/tiffcrop.c
		21	+++ b/tools/tiffcrop.c
		22	@@ -6771,9 +6771,7 @@ static int loadImage(TIFF in, struct image_data image, struct dump_opts *dump,
		23	uint32_t tw = 0, tl = 0; /* Tile width and length */
		24	tmsize_t tile_rowsize = 0;
		25	unsigned char *read_buff = NULL;
		26	- unsigned char *new_buff = NULL;
		27	int readunit = 0;
		28	- static tmsize_t prev_readsize = 0;
		29
		30	TIFFGetFieldDefaulted(in, TIFFTAG_BITSPERSAMPLE, &bps);
		31	TIFFGetFieldDefaulted(in, TIFFTAG_SAMPLESPERPIXEL, &spp);
		32	@@ -7097,43 +7095,25 @@ static int loadImage(TIFF in, struct image_data image, struct dump_opts *dump,
		33	}
		34
		35	read_buff = *read_ptr;
		36	- /* +3 : add a few guard bytes since reverseSamples16bits() can read a bit */
		37	- /* outside buffer */
		38	- if (!read_buff)
		39	+ /* +3 : add a few guard bytes since reverseSamples16bits() can read a bit
		40	+ * outside buffer */
		41	+ /* Reuse of read_buff from previous image is quite unsafe, because other
		42	+ * functions (like rotateImage() etc.) reallocate that buffer with different
		43	+ * size without updating the local prev_readsize value. */
		44	+ if (read_buff)
		45	{
		46	- if (buffsize > 0xFFFFFFFFU - 3)
		47	- {
		48	- TIFFError("loadImage", "Unable to allocate/reallocate read buffer");
		49	- return (-1);
		50	- }
		51	- read_buff =
		52	- (unsigned char *)limitMalloc(buffsize + NUM_BUFF_OVERSIZE_BYTES);
		53	+ _TIFFfree(read_buff);
		54	}
		55	- else
		56	+ if (buffsize > 0xFFFFFFFFU - 3)
		57	{
		58	- if (prev_readsize < buffsize)
		59	- {
		60	- if (buffsize > 0xFFFFFFFFU - 3)
		61	- {
		62	- TIFFError("loadImage",
		63	- "Unable to allocate/reallocate read buffer");
		64	- return (-1);
		65	- }
		66	- new_buff =
		67	- _TIFFrealloc(read_buff, buffsize + NUM_BUFF_OVERSIZE_BYTES);
		68	- if (!new_buff)
		69	- {
		70	- free(read_buff);
		71	- read_buff = (unsigned char *)limitMalloc(
		72	- buffsize + NUM_BUFF_OVERSIZE_BYTES);
		73	- }
		74	- else
		75	- read_buff = new_buff;
		76	- }
		77	+ TIFFError("loadImage", "Required read buffer size too large");
		78	+ return (-1);
		79	}
		80	+ read_buff =
		81	+ (unsigned char *)limitMalloc(buffsize + NUM_BUFF_OVERSIZE_BYTES);
		82	if (!read_buff)
		83	{
		84	- TIFFError("loadImage", "Unable to allocate/reallocate read buffer");
		85	+ TIFFError("loadImage", "Unable to allocate read buffer");
		86	return (-1);
		87	}
		88
		89	@@ -7141,7 +7121,6 @@ static int loadImage(TIFF in, struct image_data image, struct dump_opts *dump,
		90	read_buff[buffsize + 1] = 0;
		91	read_buff[buffsize + 2] = 0;
		92
		93	- prev_readsize = buffsize;
		94	*read_ptr = read_buff;
		95
		96	/* N.B. The read functions used copy separate plane data into a buffer as
		97	--
		98	2.39.0
		99


diff --git a/meta/recipes-multimedia/libtiff/tiff_4.5.0.bb b/meta/recipes-multimedia/libtiff/tiff_4.5.0.bb index ca4a3eff91..2bde8fe9d6 100644 --- a/meta/recipes-multimedia/libtiff/tiff_4.5.0.bb +++ b/meta/recipes-multimedia/libtiff/tiff_4.5.0.bb
@@ -11,6 +11,7 @@ CVE_PRODUCT = "libtiff"
11	SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \	11	SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
12	file://CVE-2022-48281.patch \	12	file://CVE-2022-48281.patch \
13	file://CVE-2023-2731.patch \	13	file://CVE-2023-2731.patch \
		14	file://CVE-2023-26965.patch \
14	"	15	"
15		16
16	SRC_URI[sha256sum] = "c7a1d9296649233979fa3eacffef3fa024d73d05d589cb622727b5b08c423464"	17	SRC_URI[sha256sum] = "c7a1d9296649233979fa3eacffef3fa024d73d05d589cb622727b5b08c423464"