8 files changed, 316 insertions, 1 deletions
diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2024-13978_1.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2024-13978_1.patch
new file mode 100644
index 0000000000..8bb7cf280d
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2024-13978_1.patch
@@ -0,0 +1,77 @@
+From 6dd7006103f9612fbd22e9c7c1b93d16691370a4 Mon Sep 17 00:00:00 2001
+From: Lee Howard <faxguy@howardsilvan.com>
+Date: Fri, 27 Sep 2024 11:21:57 -0700
+Subject: [PATCH 1/7] Fix issue #649 in fax2ps caused by regression in commit
+ https://gitlab.com/libtiff/libtiff/-/commit/28c38d648b64a66c3218778c4745225fe3e3a06d
+ where TIFFTAG_FAXFILLFUNC is being used rather than an output buffer.
+CVE: CVE-2024-13978
+Upstream-Status: Backport from [https://gitlab.com/libtiff/libtiff/-/commit/7be20ccaab97455f192de0ac561ceda7cd9e12d1]
+Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
+---
+ libtiff/tif_read.c | 21 ++++++++++++++++-----
+ 1 file changed, 16 insertions(+), 5 deletions(-)
+diff --git a/libtiff/tif_read.c b/libtiff/tif_read.c
+index 7efab59..964f119 100644
+--- a/libtiff/tif_read.c
+++ b/libtiff/tif_read.c
+@@ -466,7 +466,9 @@ int TIFFReadScanline(TIFF *tif, void *buf, uint32_t row, uint16_t sample)
+     }
+     else
+     {
+-        memset(buf, 0, (size_t)tif->tif_scanlinesize);
+        /* See TIFFReadEncodedStrip comment regarding TIFFTAG_FAXFILLFUNC. */
+        if (buf)
+            memset(buf, 0, (size_t)tif->tif_scanlinesize);
+     }
+     return (e > 0 ? 1 : -1);
+ }
+@@ -554,7 +556,10 @@ tmsize_t TIFFReadEncodedStrip(TIFF *tif, uint32_t strip, void *buf,
+         stripsize = size;
+     if (!TIFFFillStrip(tif, strip))
+     {
+-        memset(buf, 0, (size_t)stripsize);
+        /* The output buf may be NULL, in particular if TIFFTAG_FAXFILLFUNC
+           is being used. Thus, memset must be conditional on buf not NULL. */
+        if (buf)
+            memset(buf, 0, (size_t)stripsize);
+         return ((tmsize_t)(-1));
+     }
+     if ((*tif->tif_decodestrip)(tif, buf, stripsize, plane) <= 0)
+@@ -976,7 +981,9 @@ tmsize_t TIFFReadEncodedTile(TIFF *tif, uint32_t tile, void *buf, tmsize_t size)
+         size = tilesize;
+     if (!TIFFFillTile(tif, tile))
+     {
+-        memset(buf, 0, (size_t)size);
+        /* See TIFFReadEncodedStrip comment regarding TIFFTAG_FAXFILLFUNC. */
+        if (buf)
+            memset(buf, 0, (size_t)size);
+         return ((tmsize_t)(-1));
+     }
+     else if ((*tif->tif_decodetile)(tif, (uint8_t *)buf, size,
+@@ -1569,7 +1576,9 @@ int TIFFReadFromUserBuffer(TIFF *tif, uint32_t strile, void *inbuf,
+         if (!TIFFStartTile(tif, strile))
+         {
+             ret = 0;
+-            memset(outbuf, 0, (size_t)outsize);
+            /* See related TIFFReadEncodedStrip comment. */
+            if (outbuf)
+                memset(outbuf, 0, (size_t)outsize);
+         }
+         else if (!(*tif->tif_decodetile)(
+                      tif, (uint8_t *)outbuf, outsize,
+@@ -1596,7 +1605,9 @@ int TIFFReadFromUserBuffer(TIFF *tif, uint32_t strile, void *inbuf,
+             if (!TIFFStartStrip(tif, strile))
+             {
+                 ret = 0;
+-                memset(outbuf, 0, (size_t)outsize);
+                /* See related TIFFReadEncodedStrip comment. */
+                if (outbuf)
+                    memset(outbuf, 0, (size_t)outsize);
+             }
+             else if (!(*tif->tif_decodestrip)(
+                          tif, (uint8_t *)outbuf, outsize,
+-- 
+2.47.3
diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2024-13978_2.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2024-13978_2.patch
new file mode 100644
index 0000000000..a022fd41e2
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2024-13978_2.patch
@@ -0,0 +1,45 @@
+From a80b9eb70a8137e2571b2f32bd05d1a22a5603c4 Mon Sep 17 00:00:00 2001
+From: Lee Howard <faxguy@howardsilvan.com>
+Date: Sat, 5 Oct 2024 09:45:30 -0700
+Subject: [PATCH 2/7] Check TIFFTAG_TILELENGTH and TIFFTAGTILEWIDTH for valid
+ input, addresses issue #650
+CVE: CVE-2024-13978
+Upstream-Status: Backport from [https://gitlab.com/libtiff/libtiff/-/commit/2ebfffb0e8836bfb1cd7d85c059cd285c59761a4]
+Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
+---
+ tools/tiff2pdf.c | 16 ++++++++++++++++
+ 1 file changed, 16 insertions(+)
+diff --git a/tools/tiff2pdf.c b/tools/tiff2pdf.c
+index 6dfc239..2010fee 100644
+--- a/tools/tiff2pdf.c
+++ b/tools/tiff2pdf.c
+@@ -1371,8 +1371,24 @@ void t2p_read_tiff_init(T2P *t2p, TIFF *input)
+             t2p->pdf_xrefcount += (t2p->tiff_tiles[i].tiles_tilecount - 1) * 2;
+             TIFFGetField(input, TIFFTAG_TILEWIDTH,
+                          &(t2p->tiff_tiles[i].tiles_tilewidth));
+            if (t2p->tiff_tiles[i].tiles_tilewidth < 1)
+            {
+                TIFFError(TIFF2PDF_MODULE, "Invalid tile width (%d), %s",
+                          t2p->tiff_tiles[i].tiles_tilewidth,
+                          TIFFFileName(input));
+                t2p->t2p_error = T2P_ERR_ERROR;
+                return;
+            }
+             TIFFGetField(input, TIFFTAG_TILELENGTH,
+                          &(t2p->tiff_tiles[i].tiles_tilelength));
+            if (t2p->tiff_tiles[i].tiles_tilelength < 1)
+            {
+                TIFFError(TIFF2PDF_MODULE, "Invalid tile length (%d), %s",
+                          t2p->tiff_tiles[i].tiles_tilelength,
+                          TIFFFileName(input));
+                t2p->t2p_error = T2P_ERR_ERROR;
+                return;
+            }
+             t2p->tiff_tiles[i].tiles_tiles = (T2P_TILE *)_TIFFmalloc(
+                 TIFFSafeMultiply(tmsize_t, t2p->tiff_tiles[i].tiles_tilecount,
+                                  sizeof(T2P_TILE)));
+-- 
+2.47.3
diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2025-8176_1.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2025-8176_1.patch
new file mode 100644
index 0000000000..14d3cb445e
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2025-8176_1.patch
@@ -0,0 +1,61 @@
+From ed35364de1e3ad444e6f954514ee68eb9be496d2 Mon Sep 17 00:00:00 2001
+From: Lee Howard <faxguy@howardsilvan.com>
+Date: Mon, 19 May 2025 10:53:30 -0700
+Subject: [PATCH 3/7] Don't skip the first line of the input image. Addresses
+ issue #703
+CVE: CVE-2025-8176
+Upstream-Status: Backport from [https://gitlab.com/libtiff/libtiff/-/commit/3994cf3b3bc6b54c32f240ca5a412cffa11633fa]
+Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
+---
+ tools/tiffdither.c | 4 ++--
+ tools/tiffmedian.c | 4 ++--
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+diff --git a/tools/tiffdither.c b/tools/tiffdither.c
+index 714fe03..bfed6df 100644
+--- a/tools/tiffdither.c
+++ b/tools/tiffdither.c
+@@ -98,7 +98,7 @@ static int fsdither(TIFF *in, TIFF *out)
+     nextptr = nextline;
+     for (j = 0; j < imagewidth; ++j)
+         *nextptr++ = *inptr++;
+-    for (i = 1; i < imagelength; ++i)
+    for (i = 0; i < imagelength; ++i)
+     {
+         tmpptr = thisline;
+         thisline = nextline;
+@@ -146,7 +146,7 @@ static int fsdither(TIFF *in, TIFF *out)
+                     nextptr[0] += v / 16;
+             }
+         }
+-        if (TIFFWriteScanline(out, outline, i - 1, 0) < 0)
+        if (TIFFWriteScanline(out, outline, i, 0) < 0)
+             goto skip_on_error;
+     }
+     goto exit_label;
+diff --git a/tools/tiffmedian.c b/tools/tiffmedian.c
+index 02b0bc2..f6cf26c 100644
+--- a/tools/tiffmedian.c
+++ b/tools/tiffmedian.c
+@@ -917,7 +917,7 @@ static void quant_fsdither(TIFF *in, TIFF *out)
+     outline = (unsigned char *)_TIFFmalloc(TIFFScanlineSize(out));
+ 
+     GetInputLine(in, 0, goto bad); /* get first line */
+-    for (i = 1; i <= imagelength; ++i)
+    for (i = 0; i <= imagelength; ++i)
+     {
+         SWAP(short *, thisline, nextline);
+         lastline = (i >= imax);
+@@ -997,7 +997,7 @@ static void quant_fsdither(TIFF *in, TIFF *out)
+                 nextptr += 3;
+             }
+         }
+-        if (TIFFWriteScanline(out, outline, i - 1, 0) < 0)
+        if (TIFFWriteScanline(out, outline, i, 0) < 0)
+             break;
+     }
+ bad:
+-- 
+2.47.3
diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2025-8176_2.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2025-8176_2.patch
new file mode 100644
index 0000000000..74cf5ae277
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2025-8176_2.patch
@@ -0,0 +1,31 @@
+From c090daf37e7f2ad09ec7e9cfabd1c5fde3dee6eb Mon Sep 17 00:00:00 2001
+From: Lee Howard <faxguy@howardsilvan.com>
+Date: Sat, 24 May 2025 21:25:16 -0700
+Subject: [PATCH 4/7] Fix tiffmedian bug #707
+CVE: CVE-2025-8176
+Upstream-Status: Backport from [https://gitlab.com/libtiff/libtiff/-/commit/ce46f002eca4148497363f80fab33f9396bcbeda]
+Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
+---
+ tools/tiffmedian.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+diff --git a/tools/tiffmedian.c b/tools/tiffmedian.c
+index f6cf26c..8c9978b 100644
+--- a/tools/tiffmedian.c
+++ b/tools/tiffmedian.c
+@@ -414,7 +414,10 @@ static void get_histogram(TIFF *in, Colorbox *box)
+     for (i = 0; i < imagelength; i++)
+     {
+         if (TIFFReadScanline(in, inputline, i, 0) <= 0)
+-            break;
+        {
+            fprintf(stderr, "Error reading scanline\n");
+            exit(EXIT_FAILURE);
+        }
+         inptr = inputline;
+         for (j = imagewidth; j-- > 0;)
+         {
+-- 
+2.47.3
diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2025-8176_3.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2025-8176_3.patch
new file mode 100644
index 0000000000..e0f41f8d71
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2025-8176_3.patch
@@ -0,0 +1,28 @@
+From bd645550275963797343e8e91a9a8fee318428e0 Mon Sep 17 00:00:00 2001
+From: Lee Howard <faxguy@howardsilvan.com>
+Date: Sat, 24 May 2025 21:38:09 -0700
+Subject: [PATCH 5/7] conflict resolution
+CVE: CVE-2025-8176
+Upstream-Status: Backport from [https://gitlab.com/libtiff/libtiff/-/commit/ecc4ddbf1f0fed7957d1e20361e37f01907898e0]
+Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
+---
+ tools/tiffmedian.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+diff --git a/tools/tiffmedian.c b/tools/tiffmedian.c
+index 8c9978b..47e0524 100644
+--- a/tools/tiffmedian.c
+++ b/tools/tiffmedian.c
+@@ -920,7 +920,7 @@ static void quant_fsdither(TIFF *in, TIFF *out)
+     outline = (unsigned char *)_TIFFmalloc(TIFFScanlineSize(out));
+ 
+     GetInputLine(in, 0, goto bad); /* get first line */
+-    for (i = 0; i <= imagelength; ++i)
+    for (i = 0; i < imagelength; ++i)
+     {
+         SWAP(short *, thisline, nextline);
+         lastline = (i >= imax);
+-- 
+2.47.3
diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2025-8177_1.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2025-8177_1.patch
new file mode 100644
index 0000000000..9437ffcc20
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2025-8177_1.patch
@@ -0,0 +1,36 @@
+From 01bf5ba7f4a27c5e28ce467a66b13e066556e545 Mon Sep 17 00:00:00 2001
+From: Lee Howard <faxguy@howardsilvan.com>
+Date: Thu, 19 Jun 2025 11:51:33 -0700
+Subject: [PATCH 6/7] Fix for thumbnail issue #715
+CVE: CVE-2025-8177
+Upstream-Status: Backport from [https://gitlab.com/libtiff/libtiff/-/commit/75d8eca6f106c01aadf76b8500a7d062b12f2d82]
+Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
+---
+ tools/thumbnail.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+diff --git a/tools/thumbnail.c b/tools/thumbnail.c
+index b4cb114..432d172 100644
+--- a/tools/thumbnail.c
+++ b/tools/thumbnail.c
+@@ -620,7 +620,15 @@ static void setrow(uint8_t *row, uint32_t nrows, const uint8_t *rows[])
+             }
+             acc += bits[*src & mask1];
+         }
+-        *row++ = cmap[(255 * acc) / area];
+        if (255 * acc / area < 256)
+        {
+            *row++ = cmap[(255 * acc) / area];
+        }
+        else
+        {
+            fprintf(stderr, "acc=%d, area=%d\n", acc, area);
+            row++;
+        }
+     }
+ }
+ 
+-- 
+2.47.3
diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2025-8177_2.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2025-8177_2.patch
new file mode 100644
index 0000000000..356e3ba402
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2025-8177_2.patch
@@ -0,0 +1,29 @@
+From c3ad38afb9986b9ddcd7d95367ded152488260cd Mon Sep 17 00:00:00 2001
+From: Lee Howard <faxguy@howardsilvan.com>
+Date: Mon, 23 Jun 2025 10:09:07 -0700
+Subject: [PATCH 7/7] set a default value - assumes cmap[0] was not, itself,
+ uninitialized
+CVE: CVE-2025-8177
+Upstream-Status: Backport from [https://gitlab.com/libtiff/libtiff/-/commit/e8c9d6c616b19438695fd829e58ae4fde5bfbc22]
+Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
+---
+ tools/thumbnail.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+diff --git a/tools/thumbnail.c b/tools/thumbnail.c
+index 432d172..110ea42 100644
+--- a/tools/thumbnail.c
+++ b/tools/thumbnail.c
+@@ -627,7 +627,7 @@ static void setrow(uint8_t *row, uint32_t nrows, const uint8_t *rows[])
+         else
+         {
+             fprintf(stderr, "acc=%d, area=%d\n", acc, area);
+-            row++;
+            *row++ = cmap[0];
+         }
+     }
+ }
+-- 
+2.47.3
diff --git a/meta/recipes-multimedia/libtiff/tiff_4.7.0.bb b/meta/recipes-multimedia/libtiff/tiff_4.7.0.bb
index 5a6939d584..26e3811ff8 100644
--- a/meta/recipes-multimedia/libtiff/tiff_4.7.0.bb
+++ b/meta/recipes-multimedia/libtiff/tiff_4.7.0.bb
@@ -8,7 +8,15 @@ LIC_FILES_CHKSUM = "file://LICENSE.md;md5=a3e32d664d6db1386b4689c8121531c3"
 CVE_PRODUCT = "libtiff"
-SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz"
+SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
+           file://CVE-2024-13978_1.patch \
+           file://CVE-2024-13978_2.patch \
+           file://CVE-2025-8176_1.patch \
+           file://CVE-2025-8176_2.patch \
+           file://CVE-2025-8176_3.patch \
+           file://CVE-2025-8177_1.patch \
+           file://CVE-2025-8177_2.patch \
+           "
 SRC_URI[sha256sum] = "67160e3457365ab96c5b3286a0903aa6e78bdc44c4bc737d2e486bcecb6ba976"

diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2024-13978_1.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2024-13978_1.patch new file mode 100644 index 0000000000..8bb7cf280d --- /dev/null +++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2024-13978_1.patch
@@ -0,0 +1,77 @@
		1	From 6dd7006103f9612fbd22e9c7c1b93d16691370a4 Mon Sep 17 00:00:00 2001
		2	From: Lee Howard <faxguy@howardsilvan.com>
		3	Date: Fri, 27 Sep 2024 11:21:57 -0700
		4	Subject: [PATCH 1/7] Fix issue #649 in fax2ps caused by regression in commit
		5	https://gitlab.com/libtiff/libtiff/-/commit/28c38d648b64a66c3218778c4745225fe3e3a06d
		6	where TIFFTAG_FAXFILLFUNC is being used rather than an output buffer.
		7
		8	CVE: CVE-2024-13978
		9	Upstream-Status: Backport from [https://gitlab.com/libtiff/libtiff/-/commit/7be20ccaab97455f192de0ac561ceda7cd9e12d1]
		10	Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
		11	---
		12	libtiff/tif_read.c \| 21 ++++++++++++++++-----
		13	1 file changed, 16 insertions(+), 5 deletions(-)
		14
		15	diff --git a/libtiff/tif_read.c b/libtiff/tif_read.c
		16	index 7efab59..964f119 100644
		17	--- a/libtiff/tif_read.c
		18	+++ b/libtiff/tif_read.c
		19	@@ -466,7 +466,9 @@ int TIFFReadScanline(TIFF tif, void buf, uint32_t row, uint16_t sample)
		20	}
		21	else
		22	{
		23	- memset(buf, 0, (size_t)tif->tif_scanlinesize);
		24	+ /* See TIFFReadEncodedStrip comment regarding TIFFTAG_FAXFILLFUNC. */
		25	+ if (buf)
		26	+ memset(buf, 0, (size_t)tif->tif_scanlinesize);
		27	}
		28	return (e > 0 ? 1 : -1);
		29	}
		30	@@ -554,7 +556,10 @@ tmsize_t TIFFReadEncodedStrip(TIFF tif, uint32_t strip, void buf,
		31	stripsize = size;
		32	if (!TIFFFillStrip(tif, strip))
		33	{
		34	- memset(buf, 0, (size_t)stripsize);
		35	+ /* The output buf may be NULL, in particular if TIFFTAG_FAXFILLFUNC
		36	+ is being used. Thus, memset must be conditional on buf not NULL. */
		37	+ if (buf)
		38	+ memset(buf, 0, (size_t)stripsize);
		39	return ((tmsize_t)(-1));
		40	}
		41	if ((*tif->tif_decodestrip)(tif, buf, stripsize, plane) <= 0)
		42	@@ -976,7 +981,9 @@ tmsize_t TIFFReadEncodedTile(TIFF tif, uint32_t tile, void buf, tmsize_t size)
		43	size = tilesize;
		44	if (!TIFFFillTile(tif, tile))
		45	{
		46	- memset(buf, 0, (size_t)size);
		47	+ /* See TIFFReadEncodedStrip comment regarding TIFFTAG_FAXFILLFUNC. */
		48	+ if (buf)
		49	+ memset(buf, 0, (size_t)size);
		50	return ((tmsize_t)(-1));
		51	}
		52	else if ((tif->tif_decodetile)(tif, (uint8_t )buf, size,
		53	@@ -1569,7 +1576,9 @@ int TIFFReadFromUserBuffer(TIFF tif, uint32_t strile, void inbuf,
		54	if (!TIFFStartTile(tif, strile))
		55	{
		56	ret = 0;
		57	- memset(outbuf, 0, (size_t)outsize);
		58	+ /* See related TIFFReadEncodedStrip comment. */
		59	+ if (outbuf)
		60	+ memset(outbuf, 0, (size_t)outsize);
		61	}
		62	else if (!(*tif->tif_decodetile)(
		63	tif, (uint8_t *)outbuf, outsize,
		64	@@ -1596,7 +1605,9 @@ int TIFFReadFromUserBuffer(TIFF tif, uint32_t strile, void inbuf,
		65	if (!TIFFStartStrip(tif, strile))
		66	{
		67	ret = 0;
		68	- memset(outbuf, 0, (size_t)outsize);
		69	+ /* See related TIFFReadEncodedStrip comment. */
		70	+ if (outbuf)
		71	+ memset(outbuf, 0, (size_t)outsize);
		72	}
		73	else if (!(*tif->tif_decodestrip)(
		74	tif, (uint8_t *)outbuf, outsize,
		75	--
		76	2.47.3
		77


diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2024-13978_2.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2024-13978_2.patch new file mode 100644 index 0000000000..a022fd41e2 --- /dev/null +++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2024-13978_2.patch
@@ -0,0 +1,45 @@
		1	From a80b9eb70a8137e2571b2f32bd05d1a22a5603c4 Mon Sep 17 00:00:00 2001
		2	From: Lee Howard <faxguy@howardsilvan.com>
		3	Date: Sat, 5 Oct 2024 09:45:30 -0700
		4	Subject: [PATCH 2/7] Check TIFFTAG_TILELENGTH and TIFFTAGTILEWIDTH for valid
		5	input, addresses issue #650
		6
		7	CVE: CVE-2024-13978
		8	Upstream-Status: Backport from [https://gitlab.com/libtiff/libtiff/-/commit/2ebfffb0e8836bfb1cd7d85c059cd285c59761a4]
		9	Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
		10	---
		11	tools/tiff2pdf.c \| 16 ++++++++++++++++
		12	1 file changed, 16 insertions(+)
		13
		14	diff --git a/tools/tiff2pdf.c b/tools/tiff2pdf.c
		15	index 6dfc239..2010fee 100644
		16	--- a/tools/tiff2pdf.c
		17	+++ b/tools/tiff2pdf.c
		18	@@ -1371,8 +1371,24 @@ void t2p_read_tiff_init(T2P t2p, TIFF input)
		19	t2p->pdf_xrefcount += (t2p->tiff_tiles[i].tiles_tilecount - 1) * 2;
		20	TIFFGetField(input, TIFFTAG_TILEWIDTH,
		21	&(t2p->tiff_tiles[i].tiles_tilewidth));
		22	+ if (t2p->tiff_tiles[i].tiles_tilewidth < 1)
		23	+ {
		24	+ TIFFError(TIFF2PDF_MODULE, "Invalid tile width (%d), %s",
		25	+ t2p->tiff_tiles[i].tiles_tilewidth,
		26	+ TIFFFileName(input));
		27	+ t2p->t2p_error = T2P_ERR_ERROR;
		28	+ return;
		29	+ }
		30	TIFFGetField(input, TIFFTAG_TILELENGTH,
		31	&(t2p->tiff_tiles[i].tiles_tilelength));
		32	+ if (t2p->tiff_tiles[i].tiles_tilelength < 1)
		33	+ {
		34	+ TIFFError(TIFF2PDF_MODULE, "Invalid tile length (%d), %s",
		35	+ t2p->tiff_tiles[i].tiles_tilelength,
		36	+ TIFFFileName(input));
		37	+ t2p->t2p_error = T2P_ERR_ERROR;
		38	+ return;
		39	+ }
		40	t2p->tiff_tiles[i].tiles_tiles = (T2P_TILE *)_TIFFmalloc(
		41	TIFFSafeMultiply(tmsize_t, t2p->tiff_tiles[i].tiles_tilecount,
		42	sizeof(T2P_TILE)));
		43	--
		44	2.47.3
		45


diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2025-8176_1.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2025-8176_1.patch new file mode 100644 index 0000000000..14d3cb445e --- /dev/null +++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2025-8176_1.patch
@@ -0,0 +1,61 @@
		1	From ed35364de1e3ad444e6f954514ee68eb9be496d2 Mon Sep 17 00:00:00 2001
		2	From: Lee Howard <faxguy@howardsilvan.com>
		3	Date: Mon, 19 May 2025 10:53:30 -0700
		4	Subject: [PATCH 3/7] Don't skip the first line of the input image. Addresses
		5	issue #703
		6
		7	CVE: CVE-2025-8176
		8	Upstream-Status: Backport from [https://gitlab.com/libtiff/libtiff/-/commit/3994cf3b3bc6b54c32f240ca5a412cffa11633fa]
		9	Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
		10	---
		11	tools/tiffdither.c \| 4 ++--
		12	tools/tiffmedian.c \| 4 ++--
		13	2 files changed, 4 insertions(+), 4 deletions(-)
		14
		15	diff --git a/tools/tiffdither.c b/tools/tiffdither.c
		16	index 714fe03..bfed6df 100644
		17	--- a/tools/tiffdither.c
		18	+++ b/tools/tiffdither.c
		19	@@ -98,7 +98,7 @@ static int fsdither(TIFF in, TIFF out)
		20	nextptr = nextline;
		21	for (j = 0; j < imagewidth; ++j)
		22	nextptr++ = inptr++;
		23	- for (i = 1; i < imagelength; ++i)
		24	+ for (i = 0; i < imagelength; ++i)
		25	{
		26	tmpptr = thisline;
		27	thisline = nextline;
		28	@@ -146,7 +146,7 @@ static int fsdither(TIFF in, TIFF out)
		29	nextptr[0] += v / 16;
		30	}
		31	}
		32	- if (TIFFWriteScanline(out, outline, i - 1, 0) < 0)
		33	+ if (TIFFWriteScanline(out, outline, i, 0) < 0)
		34	goto skip_on_error;
		35	}
		36	goto exit_label;
		37	diff --git a/tools/tiffmedian.c b/tools/tiffmedian.c
		38	index 02b0bc2..f6cf26c 100644
		39	--- a/tools/tiffmedian.c
		40	+++ b/tools/tiffmedian.c
		41	@@ -917,7 +917,7 @@ static void quant_fsdither(TIFF in, TIFF out)
		42	outline = (unsigned char *)_TIFFmalloc(TIFFScanlineSize(out));
		43
		44	GetInputLine(in, 0, goto bad); /* get first line */
		45	- for (i = 1; i <= imagelength; ++i)
		46	+ for (i = 0; i <= imagelength; ++i)
		47	{
		48	SWAP(short *, thisline, nextline);
		49	lastline = (i >= imax);
		50	@@ -997,7 +997,7 @@ static void quant_fsdither(TIFF in, TIFF out)
		51	nextptr += 3;
		52	}
		53	}
		54	- if (TIFFWriteScanline(out, outline, i - 1, 0) < 0)
		55	+ if (TIFFWriteScanline(out, outline, i, 0) < 0)
		56	break;
		57	}
		58	bad:
		59	--
		60	2.47.3
		61


diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2025-8176_2.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2025-8176_2.patch new file mode 100644 index 0000000000..74cf5ae277 --- /dev/null +++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2025-8176_2.patch
@@ -0,0 +1,31 @@
		1	From c090daf37e7f2ad09ec7e9cfabd1c5fde3dee6eb Mon Sep 17 00:00:00 2001
		2	From: Lee Howard <faxguy@howardsilvan.com>
		3	Date: Sat, 24 May 2025 21:25:16 -0700
		4	Subject: [PATCH 4/7] Fix tiffmedian bug #707
		5
		6	CVE: CVE-2025-8176
		7	Upstream-Status: Backport from [https://gitlab.com/libtiff/libtiff/-/commit/ce46f002eca4148497363f80fab33f9396bcbeda]
		8	Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
		9	---
		10	tools/tiffmedian.c \| 5 ++++-
		11	1 file changed, 4 insertions(+), 1 deletion(-)
		12
		13	diff --git a/tools/tiffmedian.c b/tools/tiffmedian.c
		14	index f6cf26c..8c9978b 100644
		15	--- a/tools/tiffmedian.c
		16	+++ b/tools/tiffmedian.c
		17	@@ -414,7 +414,10 @@ static void get_histogram(TIFF in, Colorbox box)
		18	for (i = 0; i < imagelength; i++)
		19	{
		20	if (TIFFReadScanline(in, inputline, i, 0) <= 0)
		21	- break;
		22	+ {
		23	+ fprintf(stderr, "Error reading scanline\n");
		24	+ exit(EXIT_FAILURE);
		25	+ }
		26	inptr = inputline;
		27	for (j = imagewidth; j-- > 0;)
		28	{
		29	--
		30	2.47.3
		31


diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2025-8176_3.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2025-8176_3.patch new file mode 100644 index 0000000000..e0f41f8d71 --- /dev/null +++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2025-8176_3.patch
@@ -0,0 +1,28 @@
		1	From bd645550275963797343e8e91a9a8fee318428e0 Mon Sep 17 00:00:00 2001
		2	From: Lee Howard <faxguy@howardsilvan.com>
		3	Date: Sat, 24 May 2025 21:38:09 -0700
		4	Subject: [PATCH 5/7] conflict resolution
		5
		6	CVE: CVE-2025-8176
		7	Upstream-Status: Backport from [https://gitlab.com/libtiff/libtiff/-/commit/ecc4ddbf1f0fed7957d1e20361e37f01907898e0]
		8	Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
		9	---
		10	tools/tiffmedian.c \| 2 +-
		11	1 file changed, 1 insertion(+), 1 deletion(-)
		12
		13	diff --git a/tools/tiffmedian.c b/tools/tiffmedian.c
		14	index 8c9978b..47e0524 100644
		15	--- a/tools/tiffmedian.c
		16	+++ b/tools/tiffmedian.c
		17	@@ -920,7 +920,7 @@ static void quant_fsdither(TIFF in, TIFF out)
		18	outline = (unsigned char *)_TIFFmalloc(TIFFScanlineSize(out));
		19
		20	GetInputLine(in, 0, goto bad); /* get first line */
		21	- for (i = 0; i <= imagelength; ++i)
		22	+ for (i = 0; i < imagelength; ++i)
		23	{
		24	SWAP(short *, thisline, nextline);
		25	lastline = (i >= imax);
		26	--
		27	2.47.3
		28


diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2025-8177_1.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2025-8177_1.patch new file mode 100644 index 0000000000..9437ffcc20 --- /dev/null +++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2025-8177_1.patch
@@ -0,0 +1,36 @@
		1	From 01bf5ba7f4a27c5e28ce467a66b13e066556e545 Mon Sep 17 00:00:00 2001
		2	From: Lee Howard <faxguy@howardsilvan.com>
		3	Date: Thu, 19 Jun 2025 11:51:33 -0700
		4	Subject: [PATCH 6/7] Fix for thumbnail issue #715
		5
		6	CVE: CVE-2025-8177
		7	Upstream-Status: Backport from [https://gitlab.com/libtiff/libtiff/-/commit/75d8eca6f106c01aadf76b8500a7d062b12f2d82]
		8	Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
		9	---
		10	tools/thumbnail.c \| 10 +++++++++-
		11	1 file changed, 9 insertions(+), 1 deletion(-)
		12
		13	diff --git a/tools/thumbnail.c b/tools/thumbnail.c
		14	index b4cb114..432d172 100644
		15	--- a/tools/thumbnail.c
		16	+++ b/tools/thumbnail.c
		17	@@ -620,7 +620,15 @@ static void setrow(uint8_t row, uint32_t nrows, const uint8_t rows[])
		18	}
		19	acc += bits[*src & mask1];
		20	}
		21	- row++ = cmap[(255 acc) / area];
		22	+ if (255 * acc / area < 256)
		23	+ {
		24	+ row++ = cmap[(255 acc) / area];
		25	+ }
		26	+ else
		27	+ {
		28	+ fprintf(stderr, "acc=%d, area=%d\n", acc, area);
		29	+ row++;
		30	+ }
		31	}
		32	}
		33
		34	--
		35	2.47.3
		36


diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2025-8177_2.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2025-8177_2.patch new file mode 100644 index 0000000000..356e3ba402 --- /dev/null +++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2025-8177_2.patch
@@ -0,0 +1,29 @@
		1	From c3ad38afb9986b9ddcd7d95367ded152488260cd Mon Sep 17 00:00:00 2001
		2	From: Lee Howard <faxguy@howardsilvan.com>
		3	Date: Mon, 23 Jun 2025 10:09:07 -0700
		4	Subject: [PATCH 7/7] set a default value - assumes cmap[0] was not, itself,
		5	uninitialized
		6
		7	CVE: CVE-2025-8177
		8	Upstream-Status: Backport from [https://gitlab.com/libtiff/libtiff/-/commit/e8c9d6c616b19438695fd829e58ae4fde5bfbc22]
		9	Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
		10	---
		11	tools/thumbnail.c \| 2 +-
		12	1 file changed, 1 insertion(+), 1 deletion(-)
		13
		14	diff --git a/tools/thumbnail.c b/tools/thumbnail.c
		15	index 432d172..110ea42 100644
		16	--- a/tools/thumbnail.c
		17	+++ b/tools/thumbnail.c
		18	@@ -627,7 +627,7 @@ static void setrow(uint8_t row, uint32_t nrows, const uint8_t rows[])
		19	else
		20	{
		21	fprintf(stderr, "acc=%d, area=%d\n", acc, area);
		22	- row++;
		23	+ *row++ = cmap[0];
		24	}
		25	}
		26	}
		27	--
		28	2.47.3
		29


diff --git a/meta/recipes-multimedia/libtiff/tiff_4.7.0.bb b/meta/recipes-multimedia/libtiff/tiff_4.7.0.bb index 5a6939d584..26e3811ff8 100644 --- a/meta/recipes-multimedia/libtiff/tiff_4.7.0.bb +++ b/meta/recipes-multimedia/libtiff/tiff_4.7.0.bb
@@ -8,7 +8,15 @@ LIC_FILES_CHKSUM = "file://LICENSE.md;md5=a3e32d664d6db1386b4689c8121531c3"
8		8
9	CVE_PRODUCT = "libtiff"	9	CVE_PRODUCT = "libtiff"
10		10
11	SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz"	11	SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
		12	file://CVE-2024-13978_1.patch \
		13	file://CVE-2024-13978_2.patch \
		14	file://CVE-2025-8176_1.patch \
		15	file://CVE-2025-8176_2.patch \
		16	file://CVE-2025-8176_3.patch \
		17	file://CVE-2025-8177_1.patch \
		18	file://CVE-2025-8177_2.patch \
		19	"
12		20
13	SRC_URI[sha256sum] = "67160e3457365ab96c5b3286a0903aa6e78bdc44c4bc737d2e486bcecb6ba976"	21	SRC_URI[sha256sum] = "67160e3457365ab96c5b3286a0903aa6e78bdc44c4bc737d2e486bcecb6ba976"
14		22