libtiff: fix CVE-2023-26965 heap-based use after free

Upstream-Status: Backport from https://gitlab.com/libtiff/libtiff/-/commit/ec8ef90c1f573c9eb1f17d6a056aa0015f184acf (From OE-Core rev: 9b9f88d8828ee822635ed645cc192829fecec39e) Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
author: Hitendra Prajapati <hprajapati@mvista.com> 2023-07-26 12:20:20 +0530
committer: Steve Sakoman <steve@sakoman.com> 2023-08-02 04:47:13 -1000
commit: d198c0d738725477189882869752997d96fb8f71 (patch)
tree: 9fd134295ab7e96ddf59eca29018e56fc45010f9 /meta
parent: 3c2e546a1a75289e82e33babde303ba6fa20fccb (diff)
download: poky-d198c0d738725477189882869752997d96fb8f71.tar.gz
2 files changed, 98 insertions, 0 deletions
diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2023-26965.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2023-26965.patch
new file mode 100644
index 0000000000..2162493e34
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2023-26965.patch
@@ -0,0 +1,97 @@
+From ec8ef90c1f573c9eb1f17d6a056aa0015f184acf Mon Sep 17 00:00:00 2001
+From: Su_Laus <sulau@freenet.de>
+Date: Tue, 14 Feb 2023 20:43:43 +0100
+Subject: [PATCH] tiffcrop: Do not reuse input buffer for subsequent images.
+ Fix issue 527
+Reuse of read_buff within loadImage() from previous image is quite unsafe, because other functions (like rotateImage() etc.) reallocate that buffer with different size without updating the local prev_readsize value.
+Closes #527
+Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/ec8ef90c1f573c9eb1f17d6a056aa0015f184acf]
+CVE: CVE-2023-26965
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ tools/tiffcrop.c | 47 +++++++++++++++--------------------------------
+ 1 file changed, 15 insertions(+), 32 deletions(-)
+diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
+index b811fbb..ce77c74 100644
+--- a/tools/tiffcrop.c
+++ b/tools/tiffcrop.c
+@@ -6066,9 +6066,7 @@ loadImage(TIFF* in, struct image_data *image, struct dump_opts *dump, unsigned c
+   uint32_t   tw = 0, tl = 0;       /* Tile width and length */
+   tmsize_t   tile_rowsize = 0;
+   unsigned char *read_buff = NULL;
+-  unsigned char *new_buff  = NULL;
+   int      readunit = 0;
+-  static   tmsize_t  prev_readsize = 0;
+ 
+   TIFFGetFieldDefaulted(in, TIFFTAG_BITSPERSAMPLE, &bps);
+   TIFFGetFieldDefaulted(in, TIFFTAG_SAMPLESPERPIXEL, &spp);
+@@ -6361,47 +6359,32 @@ loadImage(TIFF* in, struct image_data *image, struct dump_opts *dump, unsigned c
+     }
+  
+   read_buff = *read_ptr;
+-  /* +3 : add a few guard bytes since reverseSamples16bits() can read a bit */
+-  /* outside buffer */
+-  if (!read_buff)
+-  {
+-    if( buffsize > 0xFFFFFFFFU - 3 )
+    /* +3 : add a few guard bytes since reverseSamples16bits() can read a bit
+     * outside buffer */
+    /* Reuse of read_buff from previous image is quite unsafe, because other
+     * functions (like rotateImage() etc.) reallocate that buffer with different
+     * size without updating the local prev_readsize value. */
+   if (read_buff)
+     {
+-        TIFFError("loadImage", "Unable to allocate/reallocate read buffer");
+-        return (-1);
+        _TIFFfree(read_buff);
+     }
+-    read_buff = (unsigned char *)limitMalloc(buffsize + NUM_BUFF_OVERSIZE_BYTES);
+-  }
+-  else
+    if (buffsize > 0xFFFFFFFFU - 3)
+     {
+-    if (prev_readsize < buffsize)
+-    {
+-      if( buffsize > 0xFFFFFFFFU - 3 )
+-      {
+-          TIFFError("loadImage", "Unable to allocate/reallocate read buffer");
+-          return (-1);
+-      }
+-      new_buff = _TIFFrealloc(read_buff, buffsize + NUM_BUFF_OVERSIZE_BYTES);
+-      if (!new_buff)
+-        {
+-       free (read_buff);
+-        read_buff = (unsigned char *)limitMalloc(buffsize + NUM_BUFF_OVERSIZE_BYTES);
+-        }
+-      else
+-        read_buff = new_buff;
+-      }
+        TIFFError("loadImage", "Required read buffer size too large");
+        return (-1);
+     }
+-  if (!read_buff)
+    read_buff =
+        (unsigned char *)limitMalloc(buffsize + NUM_BUFF_OVERSIZE_BYTES);
+    if (!read_buff)
+     {
+-    TIFFError("loadImage", "Unable to allocate/reallocate read buffer");
+-    return (-1);
+        TIFFError("loadImage", "Unable to allocate read buffer");
+        return (-1);
+     }
+ 
+   read_buff[buffsize] = 0;
+   read_buff[buffsize+1] = 0;
+   read_buff[buffsize+2] = 0;
+ 
+-  prev_readsize = buffsize;
+   *read_ptr = read_buff;
+ 
+   /* N.B. The read functions used copy separate plane data into a buffer as interleaved
+-- 
+2.25.1
diff --git a/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb b/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb
index 2ee10fca72..4796dfde24 100644
--- a/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb
+++ b/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb
@@ -37,6 +37,7 @@ SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
           file://CVE-2023-0795_0796_0797_0798_0799.patch \
           file://CVE-2023-25433.patch \
           file://CVE-2023-25434-CVE-2023-25435.patch \
+           file://CVE-2023-26965.patch \
           "
 SRC_URI[sha256sum] = "0e46e5acb087ce7d1ac53cf4f56a09b221537fc86dfc5daaad1c2e89e1b37ac8"
author	Hitendra Prajapati <hprajapati@mvista.com>	2023-07-26 12:20:20 +0530
committer	Steve Sakoman <steve@sakoman.com>	2023-08-02 04:47:13 -1000
commit	d198c0d738725477189882869752997d96fb8f71 (patch)
tree	9fd134295ab7e96ddf59eca29018e56fc45010f9 /meta
parent	3c2e546a1a75289e82e33babde303ba6fa20fccb (diff)
download	poky-d198c0d738725477189882869752997d96fb8f71.tar.gz

diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2023-26965.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2023-26965.patch new file mode 100644 index 0000000000..2162493e34 --- /dev/null +++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2023-26965.patch
@@ -0,0 +1,97 @@
		1	From ec8ef90c1f573c9eb1f17d6a056aa0015f184acf Mon Sep 17 00:00:00 2001
		2	From: Su_Laus <sulau@freenet.de>
		3	Date: Tue, 14 Feb 2023 20:43:43 +0100
		4	Subject: [PATCH] tiffcrop: Do not reuse input buffer for subsequent images.
		5	Fix issue 527
		6
		7	Reuse of read_buff within loadImage() from previous image is quite unsafe, because other functions (like rotateImage() etc.) reallocate that buffer with different size without updating the local prev_readsize value.
		8
		9	Closes #527
		10
		11	Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/ec8ef90c1f573c9eb1f17d6a056aa0015f184acf]
		12	CVE: CVE-2023-26965
		13	Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
		14	---
		15	tools/tiffcrop.c \| 47 +++++++++++++++--------------------------------
		16	1 file changed, 15 insertions(+), 32 deletions(-)
		17
		18	diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
		19	index b811fbb..ce77c74 100644
		20	--- a/tools/tiffcrop.c
		21	+++ b/tools/tiffcrop.c
		22	@@ -6066,9 +6066,7 @@ loadImage(TIFF* in, struct image_data image, struct dump_opts dump, unsigned c
		23	uint32_t tw = 0, tl = 0; /* Tile width and length */
		24	tmsize_t tile_rowsize = 0;
		25	unsigned char *read_buff = NULL;
		26	- unsigned char *new_buff = NULL;
		27	int readunit = 0;
		28	- static tmsize_t prev_readsize = 0;
		29
		30	TIFFGetFieldDefaulted(in, TIFFTAG_BITSPERSAMPLE, &bps);
		31	TIFFGetFieldDefaulted(in, TIFFTAG_SAMPLESPERPIXEL, &spp);
		32	@@ -6361,47 +6359,32 @@ loadImage(TIFF* in, struct image_data image, struct dump_opts dump, unsigned c
		33	}
		34
		35	read_buff = *read_ptr;
		36	- /* +3 : add a few guard bytes since reverseSamples16bits() can read a bit */
		37	- /* outside buffer */
		38	- if (!read_buff)
		39	- {
		40	- if( buffsize > 0xFFFFFFFFU - 3 )
		41	+ /* +3 : add a few guard bytes since reverseSamples16bits() can read a bit
		42	+ * outside buffer */
		43	+ /* Reuse of read_buff from previous image is quite unsafe, because other
		44	+ * functions (like rotateImage() etc.) reallocate that buffer with different
		45	+ * size without updating the local prev_readsize value. */
		46	+ if (read_buff)
		47	{
		48	- TIFFError("loadImage", "Unable to allocate/reallocate read buffer");
		49	- return (-1);
		50	+ _TIFFfree(read_buff);
		51	}
		52	- read_buff = (unsigned char *)limitMalloc(buffsize + NUM_BUFF_OVERSIZE_BYTES);
		53	- }
		54	- else
		55	+ if (buffsize > 0xFFFFFFFFU - 3)
		56	{
		57	- if (prev_readsize < buffsize)
		58	- {
		59	- if( buffsize > 0xFFFFFFFFU - 3 )
		60	- {
		61	- TIFFError("loadImage", "Unable to allocate/reallocate read buffer");
		62	- return (-1);
		63	- }
		64	- new_buff = _TIFFrealloc(read_buff, buffsize + NUM_BUFF_OVERSIZE_BYTES);
		65	- if (!new_buff)
		66	- {
		67	- free (read_buff);
		68	- read_buff = (unsigned char *)limitMalloc(buffsize + NUM_BUFF_OVERSIZE_BYTES);
		69	- }
		70	- else
		71	- read_buff = new_buff;
		72	- }
		73	+ TIFFError("loadImage", "Required read buffer size too large");
		74	+ return (-1);
		75	}
		76	- if (!read_buff)
		77	+ read_buff =
		78	+ (unsigned char *)limitMalloc(buffsize + NUM_BUFF_OVERSIZE_BYTES);
		79	+ if (!read_buff)
		80	{
		81	- TIFFError("loadImage", "Unable to allocate/reallocate read buffer");
		82	- return (-1);
		83	+ TIFFError("loadImage", "Unable to allocate read buffer");
		84	+ return (-1);
		85	}
		86
		87	read_buff[buffsize] = 0;
		88	read_buff[buffsize+1] = 0;
		89	read_buff[buffsize+2] = 0;
		90
		91	- prev_readsize = buffsize;
		92	*read_ptr = read_buff;
		93
		94	/* N.B. The read functions used copy separate plane data into a buffer as interleaved
		95	--
		96	2.25.1
		97


diff --git a/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb b/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb index 2ee10fca72..4796dfde24 100644 --- a/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb +++ b/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb
@@ -37,6 +37,7 @@ SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
37	file://CVE-2023-0795_0796_0797_0798_0799.patch \	37	file://CVE-2023-0795_0796_0797_0798_0799.patch \
38	file://CVE-2023-25433.patch \	38	file://CVE-2023-25433.patch \
39	file://CVE-2023-25434-CVE-2023-25435.patch \	39	file://CVE-2023-25434-CVE-2023-25435.patch \
		40	file://CVE-2023-26965.patch \
40	"	41	"
41		42
42	SRC_URI[sha256sum] = "0e46e5acb087ce7d1ac53cf4f56a09b221537fc86dfc5daaad1c2e89e1b37ac8"	43	SRC_URI[sha256sum] = "0e46e5acb087ce7d1ac53cf4f56a09b221537fc86dfc5daaad1c2e89e1b37ac8"