2 files changed, 35 insertions, 0 deletions
diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2023-40745.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2023-40745.patch
new file mode 100644
index 0000000000..cb4656fd46
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2023-40745.patch
@@ -0,0 +1,34 @@
+From 4fc16f649fa2875d5c388cf2edc295510a247ee5 Mon Sep 17 00:00:00 2001
+From: Arie Haenel <arie.haenel@jct.ac.il>
+Date: Wed, 19 Jul 2023 19:34:25 +0000
+Subject: [PATCH] tiffcp: fix memory corruption (overflow) on hostile images
+ (fixes #591)
+Upstream-Status: Backport from [https://gitlab.com/libtiff/libtiff/-/commit/4fc16f649fa2875d5c388cf2edc295510a247ee5]
+CVE: CVE-2023-40745
+Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
+---
+ tools/tiffcp.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+diff --git a/tools/tiffcp.c b/tools/tiffcp.c
+index 57eef90..34b6ef2 100644
+--- a/tools/tiffcp.c
+++ b/tools/tiffcp.c
+@@ -1577,6 +1577,13 @@ DECLAREreadFunc(readSeparateTilesIntoBuffer)
+                TIFFError(TIFFFileName(in), "Error, cannot handle that much samples per tile row (Tile Width * Samples/Pixel)");
+                return 0;
+        }
+
+       if ( (imagew - tilew * spp) > INT_MAX ){
+           TIFFError(TIFFFileName(in),
+                     "Error, image raster scan line size is too large");
+           return 0;
+       }
+
+        iskew = imagew - tilew*spp;
+        tilebuf = limitMalloc(tilesize);
+        if (tilebuf == 0)
+-- 
+2.25.1
diff --git a/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb b/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb
index 8ef98fe5d0..8dcd73273e 100644
--- a/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb
+++ b/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb
@@ -45,6 +45,7 @@ SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
           file://CVE-2023-26966.patch \
           file://CVE-2022-40090.patch \
           file://CVE-2023-1916.patch \
+           file://CVE-2023-40745.patch \
           "
 SRC_URI[sha256sum] = "0e46e5acb087ce7d1ac53cf4f56a09b221537fc86dfc5daaad1c2e89e1b37ac8"

diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2023-40745.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2023-40745.patch new file mode 100644 index 0000000000..cb4656fd46 --- /dev/null +++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2023-40745.patch
@@ -0,0 +1,34 @@
		1	From 4fc16f649fa2875d5c388cf2edc295510a247ee5 Mon Sep 17 00:00:00 2001
		2	From: Arie Haenel <arie.haenel@jct.ac.il>
		3	Date: Wed, 19 Jul 2023 19:34:25 +0000
		4	Subject: [PATCH] tiffcp: fix memory corruption (overflow) on hostile images
		5	(fixes #591)
		6
		7	Upstream-Status: Backport from [https://gitlab.com/libtiff/libtiff/-/commit/4fc16f649fa2875d5c388cf2edc295510a247ee5]
		8	CVE: CVE-2023-40745
		9	Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
		10	---
		11	tools/tiffcp.c \| 7 +++++++
		12	1 file changed, 7 insertions(+)
		13
		14	diff --git a/tools/tiffcp.c b/tools/tiffcp.c
		15	index 57eef90..34b6ef2 100644
		16	--- a/tools/tiffcp.c
		17	+++ b/tools/tiffcp.c
		18	@@ -1577,6 +1577,13 @@ DECLAREreadFunc(readSeparateTilesIntoBuffer)
		19	TIFFError(TIFFFileName(in), "Error, cannot handle that much samples per tile row (Tile Width * Samples/Pixel)");
		20	return 0;
		21	}
		22	+
		23	+ if ( (imagew - tilew * spp) > INT_MAX ){
		24	+ TIFFError(TIFFFileName(in),
		25	+ "Error, image raster scan line size is too large");
		26	+ return 0;
		27	+ }
		28	+
		29	iskew = imagew - tilew*spp;
		30	tilebuf = limitMalloc(tilesize);
		31	if (tilebuf == 0)
		32	--
		33	2.25.1
		34


diff --git a/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb b/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb index 8ef98fe5d0..8dcd73273e 100644 --- a/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb +++ b/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb
@@ -45,6 +45,7 @@ SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
45	file://CVE-2023-26966.patch \	45	file://CVE-2023-26966.patch \
46	file://CVE-2022-40090.patch \	46	file://CVE-2022-40090.patch \
47	file://CVE-2023-1916.patch \	47	file://CVE-2023-1916.patch \
		48	file://CVE-2023-40745.patch \
48	"	49	"
49		50
50	SRC_URI[sha256sum] = "0e46e5acb087ce7d1ac53cf4f56a09b221537fc86dfc5daaad1c2e89e1b37ac8"	51	SRC_URI[sha256sum] = "0e46e5acb087ce7d1ac53cf4f56a09b221537fc86dfc5daaad1c2e89e1b37ac8"