2 files changed, 61 insertions, 0 deletions
diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2025-8534.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2025-8534.patch
new file mode 100644
index 0000000000..59c14e2703
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2025-8534.patch
@@ -0,0 +1,60 @@
+From 6ba36f159fd396ad11bf6b7874554197736ecc8b Mon Sep 17 00:00:00 2001
+From: Su_Laus <sulau@freenet.de>
+Date: Sat, 2 Aug 2025 18:55:54 +0200
+Subject: [PATCH] tiff2ps: check return of TIFFGetFiled() for 
+ TIFFTAG_STRIPBYTECOUNTS and TIFFTAG_TILEBYTECOUNTS to avoid NULL pointer 
+ dereference.
+Closes #718
+CVE: CVE-2025-8534
+Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/6ba36f159fd396ad11bf6b7874554197736ecc8b]
+Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
+---
+ tools/tiff2ps.c | 20 +++++++++++++++++---
+ 1 file changed, 17 insertions(+), 3 deletions(-)
+diff --git a/tools/tiff2ps.c b/tools/tiff2ps.c
+index a598ede..05a346a 100644
+--- a/tools/tiff2ps.c
+++ b/tools/tiff2ps.c
+@@ -2193,10 +2193,20 @@ PS_Lvl2page(FILE* fd, TIFF* tif, uint32_t w, uint32_t h)
+        tiled_image = TIFFIsTiled(tif);
+        if (tiled_image) {
+                num_chunks = TIFFNumberOfTiles(tif);
+-               TIFFGetField(tif, TIFFTAG_TILEBYTECOUNTS, &bc);
+               if (!TIFFGetField(tif, TIFFTAG_TILEBYTECOUNTS, &bc))
+                {
+                   TIFFError(filename,
+                             "Can't read bytecounts of tiles at PS_Lvl2page()");
+                   return (FALSE);
+                }
+        } else {
+                num_chunks = TIFFNumberOfStrips(tif);
+-               TIFFGetField(tif, TIFFTAG_STRIPBYTECOUNTS, &bc);
+               if (!TIFFGetField(tif, TIFFTAG_STRIPBYTECOUNTS, &bc))
+                {
+                   TIFFError(filename,
+                             "Can't read bytecounts of strips at PS_Lvl2page()");
+                   return (FALSE);
+                 }
+        }
+ 
+        if (use_rawdata) {
+@@ -2791,7 +2801,11 @@ PSRawDataBW(FILE* fd, TIFF* tif, uint32_t w, uint32_t h)
+ 
+        (void) w; (void) h;
+        TIFFGetFieldDefaulted(tif, TIFFTAG_FILLORDER, &fillorder);
+-       TIFFGetField(tif, TIFFTAG_STRIPBYTECOUNTS, &bc);
+        if (!TIFFGetField(tif, TIFFTAG_STRIPBYTECOUNTS, &bc))
+        {
+           TIFFError(filename, "Can't read bytecounts of strips at PSRawDataBW()");
+           return;
+        }
+ 
+        /*
+         * Find largest strip:
+-- 
+2.40.0
diff --git a/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb b/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb
index d5ae82bc7c..137dc7f478 100644
--- a/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb
+++ b/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb
@@ -60,6 +60,7 @@ SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
           file://CVE-2025-8176-0003.patch \
           file://CVE-2025-8177.patch \
           file://CVE-2024-13978.patch \
+           file://CVE-2025-8534.patch \
           "
 SRC_URI[sha256sum] = "0e46e5acb087ce7d1ac53cf4f56a09b221537fc86dfc5daaad1c2e89e1b37ac8"

diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2025-8534.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2025-8534.patch new file mode 100644 index 0000000000..59c14e2703 --- /dev/null +++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2025-8534.patch
@@ -0,0 +1,60 @@
		1	From 6ba36f159fd396ad11bf6b7874554197736ecc8b Mon Sep 17 00:00:00 2001
		2	From: Su_Laus <sulau@freenet.de>
		3	Date: Sat, 2 Aug 2025 18:55:54 +0200
		4	Subject: [PATCH] tiff2ps: check return of TIFFGetFiled() for
		5	TIFFTAG_STRIPBYTECOUNTS and TIFFTAG_TILEBYTECOUNTS to avoid NULL pointer
		6	dereference.
		7
		8	Closes #718
		9
		10	CVE: CVE-2025-8534
		11	Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/6ba36f159fd396ad11bf6b7874554197736ecc8b]
		12
		13	Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
		14	---
		15	tools/tiff2ps.c \| 20 +++++++++++++++++---
		16	1 file changed, 17 insertions(+), 3 deletions(-)
		17
		18	diff --git a/tools/tiff2ps.c b/tools/tiff2ps.c
		19	index a598ede..05a346a 100644
		20	--- a/tools/tiff2ps.c
		21	+++ b/tools/tiff2ps.c
		22	@@ -2193,10 +2193,20 @@ PS_Lvl2page(FILE* fd, TIFF* tif, uint32_t w, uint32_t h)
		23	tiled_image = TIFFIsTiled(tif);
		24	if (tiled_image) {
		25	num_chunks = TIFFNumberOfTiles(tif);
		26	- TIFFGetField(tif, TIFFTAG_TILEBYTECOUNTS, &bc);
		27	+ if (!TIFFGetField(tif, TIFFTAG_TILEBYTECOUNTS, &bc))
		28	+ {
		29	+ TIFFError(filename,
		30	+ "Can't read bytecounts of tiles at PS_Lvl2page()");
		31	+ return (FALSE);
		32	+ }
		33	} else {
		34	num_chunks = TIFFNumberOfStrips(tif);
		35	- TIFFGetField(tif, TIFFTAG_STRIPBYTECOUNTS, &bc);
		36	+ if (!TIFFGetField(tif, TIFFTAG_STRIPBYTECOUNTS, &bc))
		37	+ {
		38	+ TIFFError(filename,
		39	+ "Can't read bytecounts of strips at PS_Lvl2page()");
		40	+ return (FALSE);
		41	+ }
		42	}
		43
		44	if (use_rawdata) {
		45	@@ -2791,7 +2801,11 @@ PSRawDataBW(FILE* fd, TIFF* tif, uint32_t w, uint32_t h)
		46
		47	(void) w; (void) h;
		48	TIFFGetFieldDefaulted(tif, TIFFTAG_FILLORDER, &fillorder);
		49	- TIFFGetField(tif, TIFFTAG_STRIPBYTECOUNTS, &bc);
		50	+ if (!TIFFGetField(tif, TIFFTAG_STRIPBYTECOUNTS, &bc))
		51	+ {
		52	+ TIFFError(filename, "Can't read bytecounts of strips at PSRawDataBW()");
		53	+ return;
		54	+ }
		55
		56	/*
		57	* Find largest strip:
		58	--
		59	2.40.0
		60


diff --git a/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb b/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb index d5ae82bc7c..137dc7f478 100644 --- a/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb +++ b/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb
@@ -60,6 +60,7 @@ SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
60	file://CVE-2025-8176-0003.patch \	60	file://CVE-2025-8176-0003.patch \
61	file://CVE-2025-8177.patch \	61	file://CVE-2025-8177.patch \
62	file://CVE-2024-13978.patch \	62	file://CVE-2024-13978.patch \
		63	file://CVE-2025-8534.patch \
63	"	64	"
64		65
65	SRC_URI[sha256sum] = "0e46e5acb087ce7d1ac53cf4f56a09b221537fc86dfc5daaad1c2e89e1b37ac8"	66	SRC_URI[sha256sum] = "0e46e5acb087ce7d1ac53cf4f56a09b221537fc86dfc5daaad1c2e89e1b37ac8"