2 files changed, 63 insertions, 0 deletions
diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2025-8534.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2025-8534.patch
new file mode 100644
index 0000000000..b3bc0e0d94
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2025-8534.patch
@@ -0,0 +1,62 @@
+From 6ba36f159fd396ad11bf6b7874554197736ecc8b Mon Sep 17 00:00:00 2001
+From: Su_Laus <sulau@freenet.de>
+Date: Sat, 2 Aug 2025 18:55:54 +0200
+Subject: [PATCH] tiff2ps: check return of TIFFGetFiled() for 
+ TIFFTAG_STRIPBYTECOUNTS and TIFFTAG_TILEBYTECOUNTS to avoid NULL pointer 
+ dereference.
+Closes #718
+CVE: CVE-2025-8534
+Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/6ba36f159fd396ad11bf6b7874554197736ecc8b]
+Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
+---
+ tools/tiff2ps.c | 20 +++++++++++++++++---
+ 1 file changed, 17 insertions(+), 3 deletions(-)
+diff --git a/tools/tiff2ps.c b/tools/tiff2ps.c
+index e5425bf..5c54205 100644
+--- a/tools/tiff2ps.c
+++ b/tools/tiff2ps.c
+@@ -2432,12 +2432,22 @@ int PS_Lvl2page(FILE *fd, TIFF *tif, uint32_t w, uint32_t h)
+     if (tiled_image)
+     {
+         num_chunks = TIFFNumberOfTiles(tif);
+-        TIFFGetField(tif, TIFFTAG_TILEBYTECOUNTS, &bc);
+        if (!TIFFGetField(tif, TIFFTAG_TILEBYTECOUNTS, &bc))
+        {
+            TIFFError(filename,
+                      "Can't read bytecounts of tiles at PS_Lvl2page()");
+            return (FALSE);
+        }
+     }
+     else
+     {
+         num_chunks = TIFFNumberOfStrips(tif);
+-        TIFFGetField(tif, TIFFTAG_STRIPBYTECOUNTS, &bc);
+        if (!TIFFGetField(tif, TIFFTAG_STRIPBYTECOUNTS, &bc))
+        {
+            TIFFError(filename,
+                      "Can't read bytecounts of strips at PS_Lvl2page()");
+            return (FALSE);
+        }
+     }
+ 
+     if (use_rawdata)
+@@ -3107,7 +3117,11 @@ void PSRawDataBW(FILE *fd, TIFF *tif, uint32_t w, uint32_t h)
+     (void)w;
+     (void)h;
+     TIFFGetFieldDefaulted(tif, TIFFTAG_FILLORDER, &fillorder);
+-    TIFFGetField(tif, TIFFTAG_STRIPBYTECOUNTS, &bc);
+    if (!TIFFGetField(tif, TIFFTAG_STRIPBYTECOUNTS, &bc))
+    {
+        TIFFError(filename, "Can't read bytecounts of strips at PSRawDataBW()");
+        return;
+    }
+ 
+     /*
+      * Find largest strip:
+-- 
+2.40.0
diff --git a/meta/recipes-multimedia/libtiff/tiff_4.7.0.bb b/meta/recipes-multimedia/libtiff/tiff_4.7.0.bb
index 26e3811ff8..2155ac8df4 100644
--- a/meta/recipes-multimedia/libtiff/tiff_4.7.0.bb
+++ b/meta/recipes-multimedia/libtiff/tiff_4.7.0.bb
@@ -16,6 +16,7 @@ SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
           file://CVE-2025-8176_3.patch \
           file://CVE-2025-8177_1.patch \
           file://CVE-2025-8177_2.patch \
+           file://CVE-2025-8534.patch \
           "
 SRC_URI[sha256sum] = "67160e3457365ab96c5b3286a0903aa6e78bdc44c4bc737d2e486bcecb6ba976"

diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2025-8534.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2025-8534.patch new file mode 100644 index 0000000000..b3bc0e0d94 --- /dev/null +++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2025-8534.patch
@@ -0,0 +1,62 @@
		1	From 6ba36f159fd396ad11bf6b7874554197736ecc8b Mon Sep 17 00:00:00 2001
		2	From: Su_Laus <sulau@freenet.de>
		3	Date: Sat, 2 Aug 2025 18:55:54 +0200
		4	Subject: [PATCH] tiff2ps: check return of TIFFGetFiled() for
		5	TIFFTAG_STRIPBYTECOUNTS and TIFFTAG_TILEBYTECOUNTS to avoid NULL pointer
		6	dereference.
		7
		8	Closes #718
		9
		10	CVE: CVE-2025-8534
		11	Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/6ba36f159fd396ad11bf6b7874554197736ecc8b]
		12
		13	Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
		14	---
		15	tools/tiff2ps.c \| 20 +++++++++++++++++---
		16	1 file changed, 17 insertions(+), 3 deletions(-)
		17
		18	diff --git a/tools/tiff2ps.c b/tools/tiff2ps.c
		19	index e5425bf..5c54205 100644
		20	--- a/tools/tiff2ps.c
		21	+++ b/tools/tiff2ps.c
		22	@@ -2432,12 +2432,22 @@ int PS_Lvl2page(FILE fd, TIFF tif, uint32_t w, uint32_t h)
		23	if (tiled_image)
		24	{
		25	num_chunks = TIFFNumberOfTiles(tif);
		26	- TIFFGetField(tif, TIFFTAG_TILEBYTECOUNTS, &bc);
		27	+ if (!TIFFGetField(tif, TIFFTAG_TILEBYTECOUNTS, &bc))
		28	+ {
		29	+ TIFFError(filename,
		30	+ "Can't read bytecounts of tiles at PS_Lvl2page()");
		31	+ return (FALSE);
		32	+ }
		33	}
		34	else
		35	{
		36	num_chunks = TIFFNumberOfStrips(tif);
		37	- TIFFGetField(tif, TIFFTAG_STRIPBYTECOUNTS, &bc);
		38	+ if (!TIFFGetField(tif, TIFFTAG_STRIPBYTECOUNTS, &bc))
		39	+ {
		40	+ TIFFError(filename,
		41	+ "Can't read bytecounts of strips at PS_Lvl2page()");
		42	+ return (FALSE);
		43	+ }
		44	}
		45
		46	if (use_rawdata)
		47	@@ -3107,7 +3117,11 @@ void PSRawDataBW(FILE fd, TIFF tif, uint32_t w, uint32_t h)
		48	(void)w;
		49	(void)h;
		50	TIFFGetFieldDefaulted(tif, TIFFTAG_FILLORDER, &fillorder);
		51	- TIFFGetField(tif, TIFFTAG_STRIPBYTECOUNTS, &bc);
		52	+ if (!TIFFGetField(tif, TIFFTAG_STRIPBYTECOUNTS, &bc))
		53	+ {
		54	+ TIFFError(filename, "Can't read bytecounts of strips at PSRawDataBW()");
		55	+ return;
		56	+ }
		57
		58	/*
		59	* Find largest strip:
		60	--
		61	2.40.0
		62


diff --git a/meta/recipes-multimedia/libtiff/tiff_4.7.0.bb b/meta/recipes-multimedia/libtiff/tiff_4.7.0.bb index 26e3811ff8..2155ac8df4 100644 --- a/meta/recipes-multimedia/libtiff/tiff_4.7.0.bb +++ b/meta/recipes-multimedia/libtiff/tiff_4.7.0.bb
@@ -16,6 +16,7 @@ SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
16	file://CVE-2025-8176_3.patch \	16	file://CVE-2025-8176_3.patch \
17	file://CVE-2025-8177_1.patch \	17	file://CVE-2025-8177_1.patch \
18	file://CVE-2025-8177_2.patch \	18	file://CVE-2025-8177_2.patch \
		19	file://CVE-2025-8534.patch \
19	"	20	"
20		21
21	SRC_URI[sha256sum] = "67160e3457365ab96c5b3286a0903aa6e78bdc44c4bc737d2e486bcecb6ba976"	22	SRC_URI[sha256sum] = "67160e3457365ab96c5b3286a0903aa6e78bdc44c4bc737d2e486bcecb6ba976"