2 files changed, 100 insertions, 0 deletions
diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2023-1916.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2023-1916.patch
new file mode 100644
index 0000000000..6722781a3a
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2023-1916.patch
@@ -0,0 +1,99 @@
+From 848434a81c443f59ec90d41218eba6e48a450a11 Mon Sep 17 00:00:00 2001
+From: zhailiangliang <zhailiangliang@loongson.cn>
+Date: Thu, 16 Mar 2023 16:16:54 +0800
+Subject: [PATCH] Fix heap-buffer-overflow in function extractImageSection
+CVE: CVE-2023-1916
+Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/848434a81c443f59ec90d41218eba6e48a450a11 https://gitlab.com/libtiff/libtiff/-/merge_requests/535]
+Signed-off-by: Marek Vasut <marex@denx.de>
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ tools/tiffcrop.c | 44 ++++++++++++++++++++++++++++++++++++++++----
+ 1 file changed, 40 insertions(+), 4 deletions(-)
+diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
+index 05ba4d2..8a08536 100644
+--- a/tools/tiffcrop.c
+++ b/tools/tiffcrop.c
+@@ -5700,6 +5700,15 @@ getCropOffsets(struct image_data *image, struct crop_mask *crop, struct dump_opt
+              crop->combined_width += (uint32_t)zwidth;
+            else
+              crop->combined_width = (uint32_t)zwidth;
+
+          /* When the degrees clockwise rotation is 90 or 270, check the boundary */
+           if (((crop->rotation == 90) || (crop->rotation == 270))
+                && ((crop->combined_length > image->width) || (crop->combined_width > image->length)))
+           {
+                TIFFError("getCropOffsets", "The crop size exceeds the image boundary size");
+                return -1;
+           }
+
+            break;
+       case EDGE_BOTTOM: /* width from left, zones from bottom to top */
+            zwidth = offsets.crop_width;
+@@ -5735,6 +5744,15 @@ getCropOffsets(struct image_data *image, struct crop_mask *crop, struct dump_opt
+            else
+              crop->combined_length = (uint32_t)zlength;
+            crop->combined_width = (uint32_t)zwidth;
+
+          /* When the degrees clockwise rotation is 90 or 270, check the boundary */
+           if (((crop->rotation == 90) || (crop->rotation == 270))
+                && ((crop->combined_length > image->width) || (crop->combined_width > image->length)))
+           {
+                TIFFError("getCropOffsets", "The crop size exceeds the image boundary size");
+                return -1;
+           }
+
+            break;
+       case EDGE_RIGHT: /* zones from right to left, length from top */
+                  zlength = offsets.crop_length;
+@@ -5772,6 +5790,15 @@ getCropOffsets(struct image_data *image, struct crop_mask *crop, struct dump_opt
+                          crop->combined_width += (uint32_t)zwidth;
+                  else
+                          crop->combined_width = (uint32_t)zwidth;
+
+               /* When the degrees clockwise rotation is 90 or 270, check the boundary */
+                if (((crop->rotation == 90) || (crop->rotation == 270))
+                    && ((crop->combined_length > image->width) || (crop->combined_width > image->length)))
+                {
+                    TIFFError("getCropOffsets", "The crop size exceeds the image boundary size");
+                    return -1;
+                }
+
+                  break;
+       case EDGE_TOP: /* width from left, zones from top to bottom */
+       default:
+@@ -5818,7 +5845,16 @@ getCropOffsets(struct image_data *image, struct crop_mask *crop, struct dump_opt
+            else
+              crop->combined_length = (uint32_t)zlength;
+            crop->combined_width = (uint32_t)zwidth;
+-           break;
+
+          /* When the degrees clockwise rotation is 90 or 270, check the boundary */
+           if (((crop->rotation == 90) || (crop->rotation == 270))
+                && ((crop->combined_length > image->width) || (crop->combined_width > image->length)))
+           {
+                TIFFError("getCropOffsets", "The crop size exceeds the image boundary size");
+                return -1;
+           }
+
+          break;
+       } /* end switch statement */
+ 
+     buffsize = (uint32_t)
+@@ -7016,9 +7052,9 @@ extractImageSection(struct image_data *image, struct pageseg *section,
+      * regardless of the way the data are organized in the input file.
+      * Furthermore, bytes and bits are arranged in buffer according to COMPRESSION=1 and FILLORDER=1 
+      */
+-    img_rowsize = (((img_width * spp * bps) + 7) / 8);    /* row size in full bytes of source image */
+-    full_bytes = (sect_width * spp * bps) / 8;            /* number of COMPLETE bytes per row in section */
+-    trailing_bits = (sect_width * spp * bps) % 8;         /* trailing bits within the last byte of destination buffer */
+    img_rowsize = (((img_width * spp * bps) + 7) / 8);  /* row size in full bytes of source image */
+    full_bytes = (sect_width * spp * bps) / 8;          /* number of COMPLETE bytes per row in section */
+    trailing_bits = (sect_width * spp * bps) % 8;       /* trailing bits within the last byte of destination buffer */
+ 
+ #ifdef DEVELMODE
+     TIFFError ("", "First row: %"PRIu32", last row: %"PRIu32", First col: %"PRIu32", last col: %"PRIu32"\n",
+-- 
+2.25.1
diff --git a/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb b/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb
index 9e1e6fa099..8ef98fe5d0 100644
--- a/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb
+++ b/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb
@@ -44,6 +44,7 @@ SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
           file://CVE-2023-3618-2.patch \
           file://CVE-2023-26966.patch \
           file://CVE-2022-40090.patch \
+           file://CVE-2023-1916.patch \
           "
 SRC_URI[sha256sum] = "0e46e5acb087ce7d1ac53cf4f56a09b221537fc86dfc5daaad1c2e89e1b37ac8"

diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2023-1916.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2023-1916.patch new file mode 100644 index 0000000000..6722781a3a --- /dev/null +++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2023-1916.patch
@@ -0,0 +1,99 @@
		1	From 848434a81c443f59ec90d41218eba6e48a450a11 Mon Sep 17 00:00:00 2001
		2	From: zhailiangliang <zhailiangliang@loongson.cn>
		3	Date: Thu, 16 Mar 2023 16:16:54 +0800
		4	Subject: [PATCH] Fix heap-buffer-overflow in function extractImageSection
		5
		6	CVE: CVE-2023-1916
		7	Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/848434a81c443f59ec90d41218eba6e48a450a11 https://gitlab.com/libtiff/libtiff/-/merge_requests/535]
		8	Signed-off-by: Marek Vasut <marex@denx.de>
		9	Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
		10	---
		11	tools/tiffcrop.c \| 44 ++++++++++++++++++++++++++++++++++++++++----
		12	1 file changed, 40 insertions(+), 4 deletions(-)
		13
		14	diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
		15	index 05ba4d2..8a08536 100644
		16	--- a/tools/tiffcrop.c
		17	+++ b/tools/tiffcrop.c
		18	@@ -5700,6 +5700,15 @@ getCropOffsets(struct image_data image, struct crop_mask crop, struct dump_opt
		19	crop->combined_width += (uint32_t)zwidth;
		20	else
		21	crop->combined_width = (uint32_t)zwidth;
		22	+
		23	+ /* When the degrees clockwise rotation is 90 or 270, check the boundary */
		24	+ if (((crop->rotation == 90) \|\| (crop->rotation == 270))
		25	+ && ((crop->combined_length > image->width) \|\| (crop->combined_width > image->length)))
		26	+ {
		27	+ TIFFError("getCropOffsets", "The crop size exceeds the image boundary size");
		28	+ return -1;
		29	+ }
		30	+
		31	break;
		32	case EDGE_BOTTOM: /* width from left, zones from bottom to top */
		33	zwidth = offsets.crop_width;
		34	@@ -5735,6 +5744,15 @@ getCropOffsets(struct image_data image, struct crop_mask crop, struct dump_opt
		35	else
		36	crop->combined_length = (uint32_t)zlength;
		37	crop->combined_width = (uint32_t)zwidth;
		38	+
		39	+ /* When the degrees clockwise rotation is 90 or 270, check the boundary */
		40	+ if (((crop->rotation == 90) \|\| (crop->rotation == 270))
		41	+ && ((crop->combined_length > image->width) \|\| (crop->combined_width > image->length)))
		42	+ {
		43	+ TIFFError("getCropOffsets", "The crop size exceeds the image boundary size");
		44	+ return -1;
		45	+ }
		46	+
		47	break;
		48	case EDGE_RIGHT: /* zones from right to left, length from top */
		49	zlength = offsets.crop_length;
		50	@@ -5772,6 +5790,15 @@ getCropOffsets(struct image_data image, struct crop_mask crop, struct dump_opt
		51	crop->combined_width += (uint32_t)zwidth;
		52	else
		53	crop->combined_width = (uint32_t)zwidth;
		54	+
		55	+ /* When the degrees clockwise rotation is 90 or 270, check the boundary */
		56	+ if (((crop->rotation == 90) \|\| (crop->rotation == 270))
		57	+ && ((crop->combined_length > image->width) \|\| (crop->combined_width > image->length)))
		58	+ {
		59	+ TIFFError("getCropOffsets", "The crop size exceeds the image boundary size");
		60	+ return -1;
		61	+ }
		62	+
		63	break;
		64	case EDGE_TOP: /* width from left, zones from top to bottom */
		65	default:
		66	@@ -5818,7 +5845,16 @@ getCropOffsets(struct image_data image, struct crop_mask crop, struct dump_opt
		67	else
		68	crop->combined_length = (uint32_t)zlength;
		69	crop->combined_width = (uint32_t)zwidth;
		70	- break;
		71	+
		72	+ /* When the degrees clockwise rotation is 90 or 270, check the boundary */
		73	+ if (((crop->rotation == 90) \|\| (crop->rotation == 270))
		74	+ && ((crop->combined_length > image->width) \|\| (crop->combined_width > image->length)))
		75	+ {
		76	+ TIFFError("getCropOffsets", "The crop size exceeds the image boundary size");
		77	+ return -1;
		78	+ }
		79	+
		80	+ break;
		81	} /* end switch statement */
		82
		83	buffsize = (uint32_t)
		84	@@ -7016,9 +7052,9 @@ extractImageSection(struct image_data image, struct pageseg section,
		85	* regardless of the way the data are organized in the input file.
		86	* Furthermore, bytes and bits are arranged in buffer according to COMPRESSION=1 and FILLORDER=1
		87	*/
		88	- img_rowsize = (((img_width * spp * bps) + 7) / 8); /* row size in full bytes of source image */
		89	- full_bytes = (sect_width * spp * bps) / 8; /* number of COMPLETE bytes per row in section */
		90	- trailing_bits = (sect_width * spp * bps) % 8; /* trailing bits within the last byte of destination buffer */
		91	+ img_rowsize = (((img_width * spp * bps) + 7) / 8); /* row size in full bytes of source image */
		92	+ full_bytes = (sect_width * spp * bps) / 8; /* number of COMPLETE bytes per row in section */
		93	+ trailing_bits = (sect_width * spp * bps) % 8; /* trailing bits within the last byte of destination buffer */
		94
		95	#ifdef DEVELMODE
		96	TIFFError ("", "First row: %"PRIu32", last row: %"PRIu32", First col: %"PRIu32", last col: %"PRIu32"\n",
		97	--
		98	2.25.1
		99


diff --git a/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb b/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb index 9e1e6fa099..8ef98fe5d0 100644 --- a/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb +++ b/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb
@@ -44,6 +44,7 @@ SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
44	file://CVE-2023-3618-2.patch \	44	file://CVE-2023-3618-2.patch \
45	file://CVE-2023-26966.patch \	45	file://CVE-2023-26966.patch \
46	file://CVE-2022-40090.patch \	46	file://CVE-2022-40090.patch \
		47	file://CVE-2023-1916.patch \
47	"	48	"
48		49
49	SRC_URI[sha256sum] = "0e46e5acb087ce7d1ac53cf4f56a09b221537fc86dfc5daaad1c2e89e1b37ac8"	50	SRC_URI[sha256sum] = "0e46e5acb087ce7d1ac53cf4f56a09b221537fc86dfc5daaad1c2e89e1b37ac8"