2 files changed, 48 insertions, 0 deletions
diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2024-13978.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2024-13978.patch
new file mode 100644
index 0000000000..3a4845d415
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2024-13978.patch
@@ -0,0 +1,47 @@
+From 2ebfffb0e8836bfb1cd7d85c059cd285c59761a4 Mon Sep 17 00:00:00 2001
+From: Lee Howard <faxguy@howardsilvan.com>
+Date: Sat, 5 Oct 2024 09:45:30 -0700
+Subject: [PATCH] Check TIFFTAG_TILELENGTH and TIFFTAGTILEWIDTH for valid 
+ input, addresses issue #650
+CVE: CVE-2024-13978
+Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/2ebfffb0e8836bfb1cd7d85c059cd285c59761a4]
+Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
+---
+ tools/tiff2pdf.c | 16 ++++++++++++++++
+ 1 file changed, 16 insertions(+)
+diff --git a/tools/tiff2pdf.c b/tools/tiff2pdf.c
+index 63751f1..fef28d1 100644
+--- a/tools/tiff2pdf.c
+++ b/tools/tiff2pdf.c
+@@ -1255,9 +1255,25 @@ void t2p_read_tiff_init(T2P* t2p, TIFF* input){
+                        TIFFGetField(input, 
+                                TIFFTAG_TILEWIDTH, 
+                                &( t2p->tiff_tiles[i].tiles_tilewidth) );
+                        if (t2p->tiff_tiles[i].tiles_tilewidth < 1)
+                        {
+                           TIFFError(TIFF2PDF_MODULE, "Invalid tile width (%d), %s",
+                                     t2p->tiff_tiles[i].tiles_tilewidth,
+                                     TIFFFileName(input));
+                           t2p->t2p_error = T2P_ERR_ERROR;
+                           return;
+                        }
+                        TIFFGetField(input, 
+                                TIFFTAG_TILELENGTH, 
+                                &( t2p->tiff_tiles[i].tiles_tilelength) );
+                        if (t2p->tiff_tiles[i].tiles_tilelength < 1)
+                        {
+                           TIFFError(TIFF2PDF_MODULE, "Invalid tile length (%d), %s",
+                                     t2p->tiff_tiles[i].tiles_tilelength,
+                                     TIFFFileName(input));
+                           t2p->t2p_error = T2P_ERR_ERROR;
+                           return;
+                        }
+                        t2p->tiff_tiles[i].tiles_tiles = 
+                        (T2P_TILE*) _TIFFmalloc(TIFFSafeMultiply(tmsize_t,t2p->tiff_tiles[i].tiles_tilecount,
+                                                                  sizeof(T2P_TILE)) );
+-- 
+2.40.0
diff --git a/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb b/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb
index 4c9c212312..d5ae82bc7c 100644
--- a/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb
+++ b/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb
@@ -59,6 +59,7 @@ SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
           file://CVE-2025-8176-0002.patch \
           file://CVE-2025-8176-0003.patch \
           file://CVE-2025-8177.patch \
+           file://CVE-2024-13978.patch \
           "
 SRC_URI[sha256sum] = "0e46e5acb087ce7d1ac53cf4f56a09b221537fc86dfc5daaad1c2e89e1b37ac8"

diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2024-13978.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2024-13978.patch new file mode 100644 index 0000000000..3a4845d415 --- /dev/null +++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2024-13978.patch
@@ -0,0 +1,47 @@
		1	From 2ebfffb0e8836bfb1cd7d85c059cd285c59761a4 Mon Sep 17 00:00:00 2001
		2	From: Lee Howard <faxguy@howardsilvan.com>
		3	Date: Sat, 5 Oct 2024 09:45:30 -0700
		4	Subject: [PATCH] Check TIFFTAG_TILELENGTH and TIFFTAGTILEWIDTH for valid
		5	input, addresses issue #650
		6
		7	CVE: CVE-2024-13978
		8	Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/2ebfffb0e8836bfb1cd7d85c059cd285c59761a4]
		9
		10	Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
		11	---
		12	tools/tiff2pdf.c \| 16 ++++++++++++++++
		13	1 file changed, 16 insertions(+)
		14
		15	diff --git a/tools/tiff2pdf.c b/tools/tiff2pdf.c
		16	index 63751f1..fef28d1 100644
		17	--- a/tools/tiff2pdf.c
		18	+++ b/tools/tiff2pdf.c
		19	@@ -1255,9 +1255,25 @@ void t2p_read_tiff_init(T2P* t2p, TIFF* input){
		20	TIFFGetField(input,
		21	TIFFTAG_TILEWIDTH,
		22	&( t2p->tiff_tiles[i].tiles_tilewidth) );
		23	+ if (t2p->tiff_tiles[i].tiles_tilewidth < 1)
		24	+ {
		25	+ TIFFError(TIFF2PDF_MODULE, "Invalid tile width (%d), %s",
		26	+ t2p->tiff_tiles[i].tiles_tilewidth,
		27	+ TIFFFileName(input));
		28	+ t2p->t2p_error = T2P_ERR_ERROR;
		29	+ return;
		30	+ }
		31	TIFFGetField(input,
		32	TIFFTAG_TILELENGTH,
		33	&( t2p->tiff_tiles[i].tiles_tilelength) );
		34	+ if (t2p->tiff_tiles[i].tiles_tilelength < 1)
		35	+ {
		36	+ TIFFError(TIFF2PDF_MODULE, "Invalid tile length (%d), %s",
		37	+ t2p->tiff_tiles[i].tiles_tilelength,
		38	+ TIFFFileName(input));
		39	+ t2p->t2p_error = T2P_ERR_ERROR;
		40	+ return;
		41	+ }
		42	t2p->tiff_tiles[i].tiles_tiles =
		43	(T2P_TILE*) _TIFFmalloc(TIFFSafeMultiply(tmsize_t,t2p->tiff_tiles[i].tiles_tilecount,
		44	sizeof(T2P_TILE)) );
		45	--
		46	2.40.0
		47


diff --git a/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb b/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb index 4c9c212312..d5ae82bc7c 100644 --- a/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb +++ b/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb
@@ -59,6 +59,7 @@ SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
59	file://CVE-2025-8176-0002.patch \	59	file://CVE-2025-8176-0002.patch \
60	file://CVE-2025-8176-0003.patch \	60	file://CVE-2025-8176-0003.patch \
61	file://CVE-2025-8177.patch \	61	file://CVE-2025-8177.patch \
		62	file://CVE-2024-13978.patch \
62	"	63	"
63		64
64	SRC_URI[sha256sum] = "0e46e5acb087ce7d1ac53cf4f56a09b221537fc86dfc5daaad1c2e89e1b37ac8"	65	SRC_URI[sha256sum] = "0e46e5acb087ce7d1ac53cf4f56a09b221537fc86dfc5daaad1c2e89e1b37ac8"