tiff: upgrade to 4.5.1

Also remove old CVE_CHECK_IGNOREs which are no longer needed due to CPE updates. This is a backport from master. Mickledore had one extra CVE patch that was not on master at the time of upgrade, so it had to be manually removed here. (From OE-Core rev: 309b58071d14406ccdf90342f0a33285dc83c87c) Signed-off-by: Ross Burton <ross.burton@arm.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Natasha Bailey <nat.bailey@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
author: Ross Burton <ross.burton@arm.com> 2023-07-20 11:44:13 -0700
committer: Steve Sakoman <steve@sakoman.com> 2023-07-26 05:12:21 -1000
commit: a809b0d5dc37927e0632c50762783d913bdf10f8 (patch)
tree: ae04d806472bdaefbe6491d6f4f9b70b26a1a55a /meta
parent: b3d4ea6522623c3736286b2bacba48079fe7cb45 (diff)
download: poky-a809b0d5dc37927e0632c50762783d913bdf10f8.tar.gz
5 files changed, 2 insertions, 338 deletions
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2022-48281.patch b/meta/recipes-multimedia/libtiff/files/CVE-2022-48281.patch
deleted file mode 100644
index e356d377ea..0000000000
--- a/meta/recipes-multimedia/libtiff/files/CVE-2022-48281.patch
+++ /dev/null
@@ -1,29 +0,0 @@
-CVE: CVE-2022-48281
-Upstream-Status: Backport
-Signed-off-by: Ross Burton <ross.burton@arm.com>
-From 97d65859bc29ee334012e9c73022d8a8e55ed586 Mon Sep 17 00:00:00 2001
-From: Su Laus <sulau@freenet.de>
-Date: Sat, 21 Jan 2023 15:58:10 +0000
-Subject: [PATCH] tiffcrop: Correct simple copy paste error. Fix #488.
---
- tools/tiffcrop.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
-index 14fa18da..7db69883 100644
--- a/tools/tiffcrop.c
-+++ b/tools/tiffcrop.c
-@@ -8591,7 +8591,7 @@ static int processCropSelections(struct image_data *image,
-                     cropsize + NUM_BUFF_OVERSIZE_BYTES);
-             else
-             {
-                prev_cropsize = seg_buffs[0].size;
-+                prev_cropsize = seg_buffs[i].size;
-                 if (prev_cropsize < cropsize)
-                 {
-                     next_buff = _TIFFrealloc(
-- 
-GitLab
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2023-25434.patch b/meta/recipes-multimedia/libtiff/files/CVE-2023-25434.patch
deleted file mode 100644
index a78c9709f9..0000000000
--- a/meta/recipes-multimedia/libtiff/files/CVE-2023-25434.patch
+++ /dev/null
@@ -1,159 +0,0 @@
-From 69818e2f2d246e6631ac2a2da692c3706b849c38 Mon Sep 17 00:00:00 2001
-From: Su_Laus <sulau@freenet.de>
-Date: Sun, 29 Jan 2023 11:09:26 +0100
-Subject: [PATCH] tiffcrop: Amend rotateImage() not to toggle the input (main)
- image width and length parameters when only cropped image sections are
- rotated. Remove buffptr from region structure because never used.
-Closes #492 #493 #494 #495 #499 #518 #519
-Upstream-Status: Backport from [https://gitlab.com/libtiff/libtiff/-/commit/69818e2f2d246e6631ac2a2da692c3706b849c38]
-CVE: CVE-2023-25434
-Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
---
- tools/tiffcrop.c | 51 ++++++++++++++++++++++++++++--------------------
- 1 file changed, 30 insertions(+), 21 deletions(-)
-diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
-index fc5b34b..6e1acc4 100644
--- a/tools/tiffcrop.c
-+++ b/tools/tiffcrop.c
-@@ -296,7 +296,6 @@ struct region
-     uint32_t width;    /* width in pixels */
-     uint32_t length;   /* length in pixels */
-     uint32_t buffsize; /* size of buffer needed to hold the cropped region */
-    unsigned char *buffptr; /* address of start of the region */
- };
- 
- /* Cropping parameters from command line and image data
-@@ -577,7 +576,7 @@ static int rotateContigSamples24bits(uint16_t, uint16_t, uint16_t, uint32_t,
- static int rotateContigSamples32bits(uint16_t, uint16_t, uint16_t, uint32_t,
-                                      uint32_t, uint32_t, uint8_t *, uint8_t *);
- static int rotateImage(uint16_t, struct image_data *, uint32_t *, uint32_t *,
-                       unsigned char **);
-+                       unsigned char **, int);
- static int mirrorImage(uint16_t, uint16_t, uint16_t, uint32_t, uint32_t,
-                        unsigned char *);
- static int invertImage(uint16_t, uint16_t, uint16_t, uint32_t, uint32_t,
-@@ -5779,7 +5778,6 @@ static void initCropMasks(struct crop_mask *cps)
-         cps->regionlist[i].width = 0;
-         cps->regionlist[i].length = 0;
-         cps->regionlist[i].buffsize = 0;
-        cps->regionlist[i].buffptr = NULL;
-         cps->zonelist[i].position = 0;
-         cps->zonelist[i].total = 0;
-     }
-@@ -7221,8 +7219,13 @@ static int correct_orientation(struct image_data *image,
-             return (-1);
-         }
- 
-        if (rotateImage(rotation, image, &image->width, &image->length,
-                        work_buff_ptr))
-+        /* Dummy variable in order not to switch two times the
-+         * image->width,->length within rotateImage(),
-+         * but switch xres, yres there. */
-+        uint32_t width = image->width;
-+        uint32_t length = image->length;
-+        if (rotateImage(rotation, image, &width, &length, work_buff_ptr,
-+                        TRUE))
-         {
-             TIFFError("correct_orientation", "Unable to rotate image");
-             return (-1);
-@@ -7291,7 +7294,6 @@ static int extractCompositeRegions(struct image_data *image,
-         /* These should not be needed for composite images */
-         crop->regionlist[i].width = crop_width;
-         crop->regionlist[i].length = crop_length;
-        crop->regionlist[i].buffptr = crop_buff;
- 
-         src_rowsize = ((img_width * bps * spp) + 7) / 8;
-         dst_rowsize = (((crop_width * bps * count) + 7) / 8);
-@@ -7552,7 +7554,6 @@ static int extractSeparateRegion(struct image_data *image,
- 
-     crop->regionlist[region].width = crop_width;
-     crop->regionlist[region].length = crop_length;
-    crop->regionlist[region].buffptr = crop_buff;
- 
-     src = read_buff;
-     dst = crop_buff;
-@@ -8543,7 +8544,7 @@ static int processCropSelections(struct image_data *image,
-                                               reallocate the buffer */
-         {
-             if (rotateImage(crop->rotation, image, &crop->combined_width,
-                            &crop->combined_length, &crop_buff))
-+                            &crop->combined_length, &crop_buff, FALSE))
-             {
-                 TIFFError("processCropSelections",
-                           "Failed to rotate composite regions by %" PRIu32
-@@ -8668,7 +8669,7 @@ static int processCropSelections(struct image_data *image,
-                  */
-                 if (rotateImage(crop->rotation, image,
-                                 &crop->regionlist[i].width,
-                                &crop->regionlist[i].length, &crop_buff))
-+                                &crop->regionlist[i].length, &crop_buff, FALSE))
-                 {
-                     TIFFError("processCropSelections",
-                               "Failed to rotate crop region by %" PRIu16
-@@ -8815,7 +8816,7 @@ static int createCroppedImage(struct image_data *image, struct crop_mask *crop,
-         CROP_ROTATE) /* rotate should be last as it can reallocate the buffer */
-     {
-         if (rotateImage(crop->rotation, image, &crop->combined_width,
-                        &crop->combined_length, crop_buff_ptr))
-+                        &crop->combined_length, crop_buff_ptr, TRUE))
-         {
-             TIFFError("createCroppedImage",
-                       "Failed to rotate image or cropped selection by %" PRIu16
-@@ -9531,7 +9532,7 @@ static int rotateContigSamples32bits(uint16_t rotation, uint16_t spp,
- /* Rotate an image by a multiple of 90 degrees clockwise */
- static int rotateImage(uint16_t rotation, struct image_data *image,
-                        uint32_t *img_width, uint32_t *img_length,
-                       unsigned char **ibuff_ptr)
-+                       unsigned char **ibuff_ptr, int rot_image_params)
- {
-     int shift_width;
-     uint32_t bytes_per_pixel, bytes_per_sample;
-@@ -9747,11 +9748,15 @@ static int rotateImage(uint16_t rotation, struct image_data *image,
- 
-             *img_width = length;
-             *img_length = width;
-            image->width = length;
-            image->length = width;
-            res_temp = image->xres;
-            image->xres = image->yres;
-            image->yres = res_temp;
-+            /* Only toggle image parameters if whole input image is rotated. */
-+            if (rot_image_params)
-+            {
-+                image->width = length;
-+                image->length = width;
-+                res_temp = image->xres;
-+                image->xres = image->yres;
-+                image->yres = res_temp;
-+            }
-             break;
- 
-         case 270:
-@@ -9834,11 +9839,15 @@ static int rotateImage(uint16_t rotation, struct image_data *image,
- 
-             *img_width = length;
-             *img_length = width;
-            image->width = length;
-            image->length = width;
-            res_temp = image->xres;
-            image->xres = image->yres;
-            image->yres = res_temp;
-+            /* Only toggle image parameters if whole input image is rotated. */
-+            if (rot_image_params)
-+            {
-+                image->width = length;
-+                image->length = width;
-+                res_temp = image->xres;
-+                image->xres = image->yres;
-+                image->yres = res_temp;
-+            }
-             break;
-         default:
-             break;
-- 
-2.35.7
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2023-26965.patch b/meta/recipes-multimedia/libtiff/files/CVE-2023-26965.patch
deleted file mode 100644
index 09161c9165..0000000000
--- a/meta/recipes-multimedia/libtiff/files/CVE-2023-26965.patch
+++ /dev/null
@@ -1,99 +0,0 @@
-From ec8ef90c1f573c9eb1f17d6a056aa0015f184acf Mon Sep 17 00:00:00 2001
-From: Su_Laus <sulau@freenet.de>
-Date: Tue, 14 Feb 2023 20:43:43 +0100
-Subject: [PATCH] tiffcrop: Do not reuse input buffer for subsequent images.
- Fix issue 527
-Reuse of read_buff within loadImage() from previous image is quite unsafe, because other functions (like rotateImage() etc.) reallocate that buffer with different size without updating the local prev_readsize value.
-Closes #527
-Upstream-Status: Backport from [https://gitlab.com/libtiff/libtiff/-/commit/ec8ef90c1f573c9eb1f17d6a056aa0015f184acf]
-CVE: CVE-2023-26965
-Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
---
- tools/tiffcrop.c | 47 +++++++++++++----------------------------------
- 1 file changed, 13 insertions(+), 34 deletions(-)
-diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
-index fb0fbb2..58ed3ab 100644
--- a/tools/tiffcrop.c
-+++ b/tools/tiffcrop.c
-@@ -6746,9 +6746,7 @@ static int loadImage(TIFF *in, struct image_data *image, struct dump_opts *dump,
-     uint32_t tw = 0, tl = 0; /* Tile width and length */
-     tmsize_t tile_rowsize = 0;
-     unsigned char *read_buff = NULL;
-    unsigned char *new_buff = NULL;
-     int readunit = 0;
-    static tmsize_t prev_readsize = 0;
- 
-     TIFFGetFieldDefaulted(in, TIFFTAG_BITSPERSAMPLE, &bps);
-     TIFFGetFieldDefaulted(in, TIFFTAG_SAMPLESPERPIXEL, &spp);
-@@ -7072,43 +7070,25 @@ static int loadImage(TIFF *in, struct image_data *image, struct dump_opts *dump,
-     }
- 
-     read_buff = *read_ptr;
-    /* +3 : add a few guard bytes since reverseSamples16bits() can read a bit */
-    /* outside buffer */
-    if (!read_buff)
-+    /* +3 : add a few guard bytes since reverseSamples16bits() can read a bit
-+     * outside buffer */
-+    /* Reuse of read_buff from previous image is quite unsafe, because other
-+     * functions (like rotateImage() etc.) reallocate that buffer with different
-+     * size without updating the local prev_readsize value. */
-+    if (read_buff)
-     {
-        if (buffsize > 0xFFFFFFFFU - 3)
-        {
-            TIFFError("loadImage", "Unable to allocate/reallocate read buffer");
-            return (-1);
-        }
-        read_buff =
-            (unsigned char *)limitMalloc(buffsize + NUM_BUFF_OVERSIZE_BYTES);
-+        _TIFFfree(read_buff);
-     }
-    else
-+    if (buffsize > 0xFFFFFFFFU - 3)
-     {
-        if (prev_readsize < buffsize)
-        {
-            if (buffsize > 0xFFFFFFFFU - 3)
-            {
-                TIFFError("loadImage",
-                          "Unable to allocate/reallocate read buffer");
-                return (-1);
-            }
-            new_buff =
-                _TIFFrealloc(read_buff, buffsize + NUM_BUFF_OVERSIZE_BYTES);
-            if (!new_buff)
-            {
-                free(read_buff);
-                read_buff = (unsigned char *)limitMalloc(
-                    buffsize + NUM_BUFF_OVERSIZE_BYTES);
-            }
-            else
-                read_buff = new_buff;
-        }
-+        TIFFError("loadImage", "Required read buffer size too large");
-+        return (-1);
-     }
-+    read_buff =
-+        (unsigned char *)limitMalloc(buffsize + NUM_BUFF_OVERSIZE_BYTES);
-     if (!read_buff)
-     {
-        TIFFError("loadImage", "Unable to allocate/reallocate read buffer");
-+        TIFFError("loadImage", "Unable to allocate read buffer");
-         return (-1);
-     }
- 
-@@ -7116,7 +7096,6 @@ static int loadImage(TIFF *in, struct image_data *image, struct dump_opts *dump,
-     read_buff[buffsize + 1] = 0;
-     read_buff[buffsize + 2] = 0;
- 
-    prev_readsize = buffsize;
-     *read_ptr = read_buff;
- 
-     /* N.B. The read functions used copy separate plane data into a buffer as
-- 
-2.35.7
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2023-2731.patch b/meta/recipes-multimedia/libtiff/files/CVE-2023-2731.patch
deleted file mode 100644
index 7db0a35f72..0000000000
--- a/meta/recipes-multimedia/libtiff/files/CVE-2023-2731.patch
+++ /dev/null
@@ -1,39 +0,0 @@
-From 9be22b639ea69e102d3847dca4c53ef025e9527b Mon Sep 17 00:00:00 2001
-From: Even Rouault <even.rouault@spatialys.com>
-Date: Sat, 29 Apr 2023 12:20:46 +0200
-Subject: [PATCH] LZWDecode(): avoid crash when trying to read again from a
- strip whith a missing end-of-information marker (fixes #548)
-CVE: CVE-2023-2731
-Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/9be22b639ea69e102d3847dca4c53ef025e9527b]
---
- libtiff/tif_lzw.c | 5 +++++
- 1 file changed, 5 insertions(+)
-diff --git a/libtiff/tif_lzw.c b/libtiff/tif_lzw.c
-index ba75a07e..d631fa10 100644
--- a/libtiff/tif_lzw.c
-+++ b/libtiff/tif_lzw.c
-@@ -423,6 +423,10 @@ static int LZWDecode(TIFF *tif, uint8_t *op0, tmsize_t occ0, uint16_t s)
- 
-     if (sp->read_error)
-     {
-+        TIFFErrorExtR(tif, module,
-+                      "LZWDecode: Scanline %" PRIu32 " cannot be read due to "
-+                      "previous error",
-+                      tif->tif_row);
-         return 0;
-     }
- 
-@@ -742,6 +746,7 @@ after_loop:
-     return (1);
- 
- no_eoi:
-+    sp->read_error = 1;
-     TIFFErrorExtR(tif, module,
-                   "LZWDecode: Strip %" PRIu32 " not terminated with EOI code",
-                   tif->tif_curstrip);
-- 
-2.34.1
diff --git a/meta/recipes-multimedia/libtiff/tiff_4.5.0.bb b/meta/recipes-multimedia/libtiff/tiff_4.5.1.bb
index 220f7e2816..5af3f84265 100644
--- a/meta/recipes-multimedia/libtiff/tiff_4.5.0.bb
+++ b/meta/recipes-multimedia/libtiff/tiff_4.5.1.bb
@@ -8,14 +8,9 @@ LIC_FILES_CHKSUM = "file://LICENSE.md;md5=a3e32d664d6db1386b4689c8121531c3"
 CVE_PRODUCT = "libtiff"
-SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
+SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz"
-           file://CVE-2022-48281.patch \
-           file://CVE-2023-2731.patch \
-           file://CVE-2023-25434.patch \
-           file://CVE-2023-26965.patch \
-"
-SRC_URI[sha256sum] = "c7a1d9296649233979fa3eacffef3fa024d73d05d589cb622727b5b08c423464"
+SRC_URI[sha256sum] = "d7f38b6788e4a8f5da7940c5ac9424f494d8a79eba53d555f4a507167dca5e2b"
 # exclude betas
 UPSTREAM_CHECK_REGEX = "tiff-(?P<pver>\d+(\.\d+)+).tar"
@@ -23,11 +18,6 @@ UPSTREAM_CHECK_REGEX = "tiff-(?P<pver>\d+(\.\d+)+).tar"
 # Tested with check from https://security-tracker.debian.org/tracker/CVE-2015-7313
 # and 4.3.0 doesn't have the issue
 CVE_CHECK_IGNORE += "CVE-2015-7313"
-# These issues only affect libtiff post-4.3.0 but before 4.4.0,
-# caused by 3079627e and fixed by b4e79bfa.
-CVE_CHECK_IGNORE += "CVE-2022-1622 CVE-2022-1623"
-# Issue is in jbig which we don't enable
-CVE_CHECK_IGNORE += "CVE-2022-1210"
 inherit autotools multilib_header
author	Ross Burton <ross.burton@arm.com>	2023-07-20 11:44:13 -0700
committer	Steve Sakoman <steve@sakoman.com>	2023-07-26 05:12:21 -1000
commit	a809b0d5dc37927e0632c50762783d913bdf10f8 (patch)
tree	ae04d806472bdaefbe6491d6f4f9b70b26a1a55a /meta
parent	b3d4ea6522623c3736286b2bacba48079fe7cb45 (diff)
download	poky-a809b0d5dc37927e0632c50762783d913bdf10f8.tar.gz

diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2022-48281.patch b/meta/recipes-multimedia/libtiff/files/CVE-2022-48281.patch deleted file mode 100644 index e356d377ea..0000000000 --- a/meta/recipes-multimedia/libtiff/files/CVE-2022-48281.patch +++ /dev/null
@@ -1,29 +0,0 @@
1	CVE: CVE-2022-48281
2	Upstream-Status: Backport
3	Signed-off-by: Ross Burton <ross.burton@arm.com>
4
5	From 97d65859bc29ee334012e9c73022d8a8e55ed586 Mon Sep 17 00:00:00 2001
6	From: Su Laus <sulau@freenet.de>
7	Date: Sat, 21 Jan 2023 15:58:10 +0000
8	Subject: [PATCH] tiffcrop: Correct simple copy paste error. Fix #488.
9
10	---
11	tools/tiffcrop.c \| 2 +-
12	1 file changed, 1 insertion(+), 1 deletion(-)
13
14	diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
15	index 14fa18da..7db69883 100644
16	--- a/tools/tiffcrop.c
17	+++ b/tools/tiffcrop.c
18	@@ -8591,7 +8591,7 @@ static int processCropSelections(struct image_data *image,
19	cropsize + NUM_BUFF_OVERSIZE_BYTES);
20	else
21	{
22	- prev_cropsize = seg_buffs[0].size;
23	+ prev_cropsize = seg_buffs[i].size;
24	if (prev_cropsize < cropsize)
25	{
26	next_buff = _TIFFrealloc(
27	--
28	GitLab
29


diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2023-25434.patch b/meta/recipes-multimedia/libtiff/files/CVE-2023-25434.patch deleted file mode 100644 index a78c9709f9..0000000000 --- a/meta/recipes-multimedia/libtiff/files/CVE-2023-25434.patch +++ /dev/null
@@ -1,159 +0,0 @@
1	From 69818e2f2d246e6631ac2a2da692c3706b849c38 Mon Sep 17 00:00:00 2001
2	From: Su_Laus <sulau@freenet.de>
3	Date: Sun, 29 Jan 2023 11:09:26 +0100
4	Subject: [PATCH] tiffcrop: Amend rotateImage() not to toggle the input (main)
5	image width and length parameters when only cropped image sections are
6	rotated. Remove buffptr from region structure because never used.
7
8	Closes #492 #493 #494 #495 #499 #518 #519
9
10	Upstream-Status: Backport from [https://gitlab.com/libtiff/libtiff/-/commit/69818e2f2d246e6631ac2a2da692c3706b849c38]
11	CVE: CVE-2023-25434
12
13	Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
14	---
15	tools/tiffcrop.c \| 51 ++++++++++++++++++++++++++++--------------------
16	1 file changed, 30 insertions(+), 21 deletions(-)
17
18	diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
19	index fc5b34b..6e1acc4 100644
20	--- a/tools/tiffcrop.c
21	+++ b/tools/tiffcrop.c
22	@@ -296,7 +296,6 @@ struct region
23	uint32_t width; /* width in pixels */
24	uint32_t length; /* length in pixels */
25	uint32_t buffsize; /* size of buffer needed to hold the cropped region */
26	- unsigned char buffptr; / address of start of the region */
27	};
28
29	/* Cropping parameters from command line and image data
30	@@ -577,7 +576,7 @@ static int rotateContigSamples24bits(uint16_t, uint16_t, uint16_t, uint32_t,
31	static int rotateContigSamples32bits(uint16_t, uint16_t, uint16_t, uint32_t,
32	uint32_t, uint32_t, uint8_t , uint8_t );
33	static int rotateImage(uint16_t, struct image_data , uint32_t , uint32_t *,
34	- unsigned char **);
35	+ unsigned char **, int);
36	static int mirrorImage(uint16_t, uint16_t, uint16_t, uint32_t, uint32_t,
37	unsigned char *);
38	static int invertImage(uint16_t, uint16_t, uint16_t, uint32_t, uint32_t,
39	@@ -5779,7 +5778,6 @@ static void initCropMasks(struct crop_mask *cps)
40	cps->regionlist[i].width = 0;
41	cps->regionlist[i].length = 0;
42	cps->regionlist[i].buffsize = 0;
43	- cps->regionlist[i].buffptr = NULL;
44	cps->zonelist[i].position = 0;
45	cps->zonelist[i].total = 0;
46	}
47	@@ -7221,8 +7219,13 @@ static int correct_orientation(struct image_data *image,
48	return (-1);
49	}
50
51	- if (rotateImage(rotation, image, &image->width, &image->length,
52	- work_buff_ptr))
53	+ /* Dummy variable in order not to switch two times the
54	+ * image->width,->length within rotateImage(),
55	+ * but switch xres, yres there. */
56	+ uint32_t width = image->width;
57	+ uint32_t length = image->length;
58	+ if (rotateImage(rotation, image, &width, &length, work_buff_ptr,
59	+ TRUE))
60	{
61	TIFFError("correct_orientation", "Unable to rotate image");
62	return (-1);
63	@@ -7291,7 +7294,6 @@ static int extractCompositeRegions(struct image_data *image,
64	/* These should not be needed for composite images */
65	crop->regionlist[i].width = crop_width;
66	crop->regionlist[i].length = crop_length;
67	- crop->regionlist[i].buffptr = crop_buff;
68
69	src_rowsize = ((img_width * bps * spp) + 7) / 8;
70	dst_rowsize = (((crop_width * bps * count) + 7) / 8);
71	@@ -7552,7 +7554,6 @@ static int extractSeparateRegion(struct image_data *image,
72
73	crop->regionlist[region].width = crop_width;
74	crop->regionlist[region].length = crop_length;
75	- crop->regionlist[region].buffptr = crop_buff;
76
77	src = read_buff;
78	dst = crop_buff;
79	@@ -8543,7 +8544,7 @@ static int processCropSelections(struct image_data *image,
80	reallocate the buffer */
81	{
82	if (rotateImage(crop->rotation, image, &crop->combined_width,
83	- &crop->combined_length, &crop_buff))
84	+ &crop->combined_length, &crop_buff, FALSE))
85	{
86	TIFFError("processCropSelections",
87	"Failed to rotate composite regions by %" PRIu32
88	@@ -8668,7 +8669,7 @@ static int processCropSelections(struct image_data *image,
89	*/
90	if (rotateImage(crop->rotation, image,
91	&crop->regionlist[i].width,
92	- &crop->regionlist[i].length, &crop_buff))
93	+ &crop->regionlist[i].length, &crop_buff, FALSE))
94	{
95	TIFFError("processCropSelections",
96	"Failed to rotate crop region by %" PRIu16
97	@@ -8815,7 +8816,7 @@ static int createCroppedImage(struct image_data image, struct crop_mask crop,
98	CROP_ROTATE) /* rotate should be last as it can reallocate the buffer */
99	{
100	if (rotateImage(crop->rotation, image, &crop->combined_width,
101	- &crop->combined_length, crop_buff_ptr))
102	+ &crop->combined_length, crop_buff_ptr, TRUE))
103	{
104	TIFFError("createCroppedImage",
105	"Failed to rotate image or cropped selection by %" PRIu16
106	@@ -9531,7 +9532,7 @@ static int rotateContigSamples32bits(uint16_t rotation, uint16_t spp,
107	/* Rotate an image by a multiple of 90 degrees clockwise */
108	static int rotateImage(uint16_t rotation, struct image_data *image,
109	uint32_t img_width, uint32_t img_length,
110	- unsigned char **ibuff_ptr)
111	+ unsigned char **ibuff_ptr, int rot_image_params)
112	{
113	int shift_width;
114	uint32_t bytes_per_pixel, bytes_per_sample;
115	@@ -9747,11 +9748,15 @@ static int rotateImage(uint16_t rotation, struct image_data *image,
116
117	*img_width = length;
118	*img_length = width;
119	- image->width = length;
120	- image->length = width;
121	- res_temp = image->xres;
122	- image->xres = image->yres;
123	- image->yres = res_temp;
124	+ /* Only toggle image parameters if whole input image is rotated. */
125	+ if (rot_image_params)
126	+ {
127	+ image->width = length;
128	+ image->length = width;
129	+ res_temp = image->xres;
130	+ image->xres = image->yres;
131	+ image->yres = res_temp;
132	+ }
133	break;
134
135	case 270:
136	@@ -9834,11 +9839,15 @@ static int rotateImage(uint16_t rotation, struct image_data *image,
137
138	*img_width = length;
139	*img_length = width;
140	- image->width = length;
141	- image->length = width;
142	- res_temp = image->xres;
143	- image->xres = image->yres;
144	- image->yres = res_temp;
145	+ /* Only toggle image parameters if whole input image is rotated. */
146	+ if (rot_image_params)
147	+ {
148	+ image->width = length;
149	+ image->length = width;
150	+ res_temp = image->xres;
151	+ image->xres = image->yres;
152	+ image->yres = res_temp;
153	+ }
154	break;
155	default:
156	break;
157	--
158	2.35.7
159


diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2023-26965.patch b/meta/recipes-multimedia/libtiff/files/CVE-2023-26965.patch deleted file mode 100644 index 09161c9165..0000000000 --- a/meta/recipes-multimedia/libtiff/files/CVE-2023-26965.patch +++ /dev/null
@@ -1,99 +0,0 @@
1	From ec8ef90c1f573c9eb1f17d6a056aa0015f184acf Mon Sep 17 00:00:00 2001
2	From: Su_Laus <sulau@freenet.de>
3	Date: Tue, 14 Feb 2023 20:43:43 +0100
4	Subject: [PATCH] tiffcrop: Do not reuse input buffer for subsequent images.
5	Fix issue 527
6
7	Reuse of read_buff within loadImage() from previous image is quite unsafe, because other functions (like rotateImage() etc.) reallocate that buffer with different size without updating the local prev_readsize value.
8
9	Closes #527
10
11	Upstream-Status: Backport from [https://gitlab.com/libtiff/libtiff/-/commit/ec8ef90c1f573c9eb1f17d6a056aa0015f184acf]
12	CVE: CVE-2023-26965
13	Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
14	---
15	tools/tiffcrop.c \| 47 +++++++++++++----------------------------------
16	1 file changed, 13 insertions(+), 34 deletions(-)
17
18	diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
19	index fb0fbb2..58ed3ab 100644
20	--- a/tools/tiffcrop.c
21	+++ b/tools/tiffcrop.c
22	@@ -6746,9 +6746,7 @@ static int loadImage(TIFF in, struct image_data image, struct dump_opts *dump,
23	uint32_t tw = 0, tl = 0; /* Tile width and length */
24	tmsize_t tile_rowsize = 0;
25	unsigned char *read_buff = NULL;
26	- unsigned char *new_buff = NULL;
27	int readunit = 0;
28	- static tmsize_t prev_readsize = 0;
29
30	TIFFGetFieldDefaulted(in, TIFFTAG_BITSPERSAMPLE, &bps);
31	TIFFGetFieldDefaulted(in, TIFFTAG_SAMPLESPERPIXEL, &spp);
32	@@ -7072,43 +7070,25 @@ static int loadImage(TIFF in, struct image_data image, struct dump_opts *dump,
33	}
34
35	read_buff = *read_ptr;
36	- /* +3 : add a few guard bytes since reverseSamples16bits() can read a bit */
37	- /* outside buffer */
38	- if (!read_buff)
39	+ /* +3 : add a few guard bytes since reverseSamples16bits() can read a bit
40	+ * outside buffer */
41	+ /* Reuse of read_buff from previous image is quite unsafe, because other
42	+ * functions (like rotateImage() etc.) reallocate that buffer with different
43	+ * size without updating the local prev_readsize value. */
44	+ if (read_buff)
45	{
46	- if (buffsize > 0xFFFFFFFFU - 3)
47	- {
48	- TIFFError("loadImage", "Unable to allocate/reallocate read buffer");
49	- return (-1);
50	- }
51	- read_buff =
52	- (unsigned char *)limitMalloc(buffsize + NUM_BUFF_OVERSIZE_BYTES);
53	+ _TIFFfree(read_buff);
54	}
55	- else
56	+ if (buffsize > 0xFFFFFFFFU - 3)
57	{
58	- if (prev_readsize < buffsize)
59	- {
60	- if (buffsize > 0xFFFFFFFFU - 3)
61	- {
62	- TIFFError("loadImage",
63	- "Unable to allocate/reallocate read buffer");
64	- return (-1);
65	- }
66	- new_buff =
67	- _TIFFrealloc(read_buff, buffsize + NUM_BUFF_OVERSIZE_BYTES);
68	- if (!new_buff)
69	- {
70	- free(read_buff);
71	- read_buff = (unsigned char *)limitMalloc(
72	- buffsize + NUM_BUFF_OVERSIZE_BYTES);
73	- }
74	- else
75	- read_buff = new_buff;
76	- }
77	+ TIFFError("loadImage", "Required read buffer size too large");
78	+ return (-1);
79	}
80	+ read_buff =
81	+ (unsigned char *)limitMalloc(buffsize + NUM_BUFF_OVERSIZE_BYTES);
82	if (!read_buff)
83	{
84	- TIFFError("loadImage", "Unable to allocate/reallocate read buffer");
85	+ TIFFError("loadImage", "Unable to allocate read buffer");
86	return (-1);
87	}
88
89	@@ -7116,7 +7096,6 @@ static int loadImage(TIFF in, struct image_data image, struct dump_opts *dump,
90	read_buff[buffsize + 1] = 0;
91	read_buff[buffsize + 2] = 0;
92
93	- prev_readsize = buffsize;
94	*read_ptr = read_buff;
95
96	/* N.B. The read functions used copy separate plane data into a buffer as
97	--
98	2.35.7
99


diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2023-2731.patch b/meta/recipes-multimedia/libtiff/files/CVE-2023-2731.patch deleted file mode 100644 index 7db0a35f72..0000000000 --- a/meta/recipes-multimedia/libtiff/files/CVE-2023-2731.patch +++ /dev/null
@@ -1,39 +0,0 @@
1	From 9be22b639ea69e102d3847dca4c53ef025e9527b Mon Sep 17 00:00:00 2001
2	From: Even Rouault <even.rouault@spatialys.com>
3	Date: Sat, 29 Apr 2023 12:20:46 +0200
4	Subject: [PATCH] LZWDecode(): avoid crash when trying to read again from a
5	strip whith a missing end-of-information marker (fixes #548)
6
7	CVE: CVE-2023-2731
8	Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/9be22b639ea69e102d3847dca4c53ef025e9527b]
9
10	---
11	libtiff/tif_lzw.c \| 5 +++++
12	1 file changed, 5 insertions(+)
13
14	diff --git a/libtiff/tif_lzw.c b/libtiff/tif_lzw.c
15	index ba75a07e..d631fa10 100644
16	--- a/libtiff/tif_lzw.c
17	+++ b/libtiff/tif_lzw.c
18	@@ -423,6 +423,10 @@ static int LZWDecode(TIFF tif, uint8_t op0, tmsize_t occ0, uint16_t s)
19
20	if (sp->read_error)
21	{
22	+ TIFFErrorExtR(tif, module,
23	+ "LZWDecode: Scanline %" PRIu32 " cannot be read due to "
24	+ "previous error",
25	+ tif->tif_row);
26	return 0;
27	}
28
29	@@ -742,6 +746,7 @@ after_loop:
30	return (1);
31
32	no_eoi:
33	+ sp->read_error = 1;
34	TIFFErrorExtR(tif, module,
35	"LZWDecode: Strip %" PRIu32 " not terminated with EOI code",
36	tif->tif_curstrip);
37	--
38	2.34.1
39


diff --git a/meta/recipes-multimedia/libtiff/tiff_4.5.0.bb b/meta/recipes-multimedia/libtiff/tiff_4.5.1.bb index 220f7e2816..5af3f84265 100644 --- a/meta/recipes-multimedia/libtiff/tiff_4.5.0.bb +++ b/meta/recipes-multimedia/libtiff/tiff_4.5.1.bb
@@ -8,14 +8,9 @@ LIC_FILES_CHKSUM = "file://LICENSE.md;md5=a3e32d664d6db1386b4689c8121531c3"
8		8
9	CVE_PRODUCT = "libtiff"	9	CVE_PRODUCT = "libtiff"
10		10
11	SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \	11	SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz"
12	file://CVE-2022-48281.patch \
13	file://CVE-2023-2731.patch \
14	file://CVE-2023-25434.patch \
15	file://CVE-2023-26965.patch \
16	"
17		12
18	SRC_URI[sha256sum] = "c7a1d9296649233979fa3eacffef3fa024d73d05d589cb622727b5b08c423464"	13	SRC_URI[sha256sum] = "d7f38b6788e4a8f5da7940c5ac9424f494d8a79eba53d555f4a507167dca5e2b"
19		14
20	# exclude betas	15	# exclude betas
21	UPSTREAM_CHECK_REGEX = "tiff-(?P<pver>\d+(\.\d+)+).tar"	16	UPSTREAM_CHECK_REGEX = "tiff-(?P<pver>\d+(\.\d+)+).tar"
@@ -23,11 +18,6 @@ UPSTREAM_CHECK_REGEX = "tiff-(?P<pver>\d+(\.\d+)+).tar"
23	# Tested with check from https://security-tracker.debian.org/tracker/CVE-2015-7313	18	# Tested with check from https://security-tracker.debian.org/tracker/CVE-2015-7313
24	# and 4.3.0 doesn't have the issue	19	# and 4.3.0 doesn't have the issue
25	CVE_CHECK_IGNORE += "CVE-2015-7313"	20	CVE_CHECK_IGNORE += "CVE-2015-7313"
26	# These issues only affect libtiff post-4.3.0 but before 4.4.0,
27	# caused by 3079627e and fixed by b4e79bfa.
28	CVE_CHECK_IGNORE += "CVE-2022-1622 CVE-2022-1623"
29	# Issue is in jbig which we don't enable
30	CVE_CHECK_IGNORE += "CVE-2022-1210"
31		21
32	inherit autotools multilib_header	22	inherit autotools multilib_header
33		23