diff options
| -rw-r--r-- | meta/recipes-multimedia/libtiff/tiff/CVE-2025-9900.patch | 57 | ||||
| -rw-r--r-- | meta/recipes-multimedia/libtiff/tiff_4.3.0.bb | 1 |
2 files changed, 58 insertions, 0 deletions
diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2025-9900.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2025-9900.patch new file mode 100644 index 0000000000..9199cc6090 --- /dev/null +++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2025-9900.patch | |||
| @@ -0,0 +1,57 @@ | |||
| 1 | From 3e0dcf0ec651638b2bd849b2e6f3124b36890d99 Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Su Laus <sulau@freenet.de> | ||
| 3 | Date: Wed, 11 Jun 2025 19:45:19 +0000 | ||
| 4 | Subject: [PATCH] tif_getimage.c: Fix buffer underflow crash for less raster | ||
| 5 | rows at TIFFReadRGBAImageOriented() | ||
| 6 | |||
| 7 | CVE: CVE-2025-9900 | ||
| 8 | Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/3e0dcf0ec651638b2bd849b2e6f3124b36890d99] | ||
| 9 | |||
| 10 | Changes- | ||
| 11 | - Use old API TIFFWarningExt instead of TIFFWarningExtR. | ||
| 12 | |||
| 13 | Signed-off-by: Yogita Urade <yogita.urade@windriver.com> | ||
| 14 | --- | ||
| 15 | libtiff/tif_getimage.c | 20 +++++++++++++++++--- | ||
| 16 | 1 file changed, 17 insertions(+), 3 deletions(-) | ||
| 17 | |||
| 18 | diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c | ||
| 19 | index a9cd48f..4c807ad 100644 | ||
| 20 | --- a/libtiff/tif_getimage.c | ||
| 21 | +++ b/libtiff/tif_getimage.c | ||
| 22 | @@ -509,6 +509,22 @@ TIFFRGBAImageGet(TIFFRGBAImage* img, uint32_t* raster, uint32_t w, uint32_t h) | ||
| 23 | "No \"put\" routine setupl; probably can not handle image format"); | ||
| 24 | return (0); | ||
| 25 | } | ||
| 26 | + /* Verify raster width and height against image width and height. */ | ||
| 27 | + if (h > img->height) | ||
| 28 | + { | ||
| 29 | + /* Adapt parameters to read only available lines and put image at | ||
| 30 | + * the bottom of the raster. */ | ||
| 31 | + raster += (size_t)(h - img->height) * w; | ||
| 32 | + h = img->height; | ||
| 33 | + } | ||
| 34 | + if (w > img->width) | ||
| 35 | + { | ||
| 36 | + TIFFWarningExt(img->tif, TIFFFileName(img->tif), | ||
| 37 | + "Raster width of %d shall not be larger than image " | ||
| 38 | + "width of %d -> raster width adapted for reading", | ||
| 39 | + w, img->width); | ||
| 40 | + w = img->width; | ||
| 41 | + } | ||
| 42 | return (*img->get)(img, raster, w, h); | ||
| 43 | } | ||
| 44 | |||
| 45 | @@ -527,9 +543,7 @@ TIFFReadRGBAImageOriented(TIFF* tif, | ||
| 46 | |||
| 47 | if (TIFFRGBAImageOK(tif, emsg) && TIFFRGBAImageBegin(&img, tif, stop, emsg)) { | ||
| 48 | img.req_orientation = (uint16_t)orientation; | ||
| 49 | - /* XXX verify rwidth and rheight against width and height */ | ||
| 50 | - ok = TIFFRGBAImageGet(&img, raster+(rheight-img.height)*rwidth, | ||
| 51 | - rwidth, img.height); | ||
| 52 | + ok = TIFFRGBAImageGet(&img, raster, rwidth, rheight); | ||
| 53 | TIFFRGBAImageEnd(&img); | ||
| 54 | } else { | ||
| 55 | TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "%s", emsg); | ||
| 56 | -- | ||
| 57 | 2.40.0 | ||
diff --git a/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb b/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb index 6db4d80cdf..0b4bef4c41 100644 --- a/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb +++ b/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb | |||
| @@ -62,6 +62,7 @@ SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \ | |||
| 62 | file://CVE-2024-13978.patch \ | 62 | file://CVE-2024-13978.patch \ |
| 63 | file://CVE-2025-8534.patch \ | 63 | file://CVE-2025-8534.patch \ |
| 64 | file://CVE-2025-8851.patch \ | 64 | file://CVE-2025-8851.patch \ |
| 65 | file://CVE-2025-9900.patch \ | ||
| 65 | " | 66 | " |
| 66 | 67 | ||
| 67 | SRC_URI[sha256sum] = "0e46e5acb087ce7d1ac53cf4f56a09b221537fc86dfc5daaad1c2e89e1b37ac8" | 68 | SRC_URI[sha256sum] = "0e46e5acb087ce7d1ac53cf4f56a09b221537fc86dfc5daaad1c2e89e1b37ac8" |