3 files changed, 260 insertions, 0 deletions
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2023-25434.patch b/meta/recipes-multimedia/libtiff/files/CVE-2023-25434.patch
new file mode 100644
index 0000000000..a78c9709f9
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2023-25434.patch
@@ -0,0 +1,159 @@
+From 69818e2f2d246e6631ac2a2da692c3706b849c38 Mon Sep 17 00:00:00 2001
+From: Su_Laus <sulau@freenet.de>
+Date: Sun, 29 Jan 2023 11:09:26 +0100
+Subject: [PATCH] tiffcrop: Amend rotateImage() not to toggle the input (main)
+ image width and length parameters when only cropped image sections are
+ rotated. Remove buffptr from region structure because never used.
+Closes #492 #493 #494 #495 #499 #518 #519
+Upstream-Status: Backport from [https://gitlab.com/libtiff/libtiff/-/commit/69818e2f2d246e6631ac2a2da692c3706b849c38]
+CVE: CVE-2023-25434
+Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
+---
+ tools/tiffcrop.c | 51 ++++++++++++++++++++++++++++--------------------
+ 1 file changed, 30 insertions(+), 21 deletions(-)
+diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
+index fc5b34b..6e1acc4 100644
+--- a/tools/tiffcrop.c
+++ b/tools/tiffcrop.c
+@@ -296,7 +296,6 @@ struct region
+     uint32_t width;    /* width in pixels */
+     uint32_t length;   /* length in pixels */
+     uint32_t buffsize; /* size of buffer needed to hold the cropped region */
+-    unsigned char *buffptr; /* address of start of the region */
+ };
+ 
+ /* Cropping parameters from command line and image data
+@@ -577,7 +576,7 @@ static int rotateContigSamples24bits(uint16_t, uint16_t, uint16_t, uint32_t,
+ static int rotateContigSamples32bits(uint16_t, uint16_t, uint16_t, uint32_t,
+                                      uint32_t, uint32_t, uint8_t *, uint8_t *);
+ static int rotateImage(uint16_t, struct image_data *, uint32_t *, uint32_t *,
+-                       unsigned char **);
+                       unsigned char **, int);
+ static int mirrorImage(uint16_t, uint16_t, uint16_t, uint32_t, uint32_t,
+                        unsigned char *);
+ static int invertImage(uint16_t, uint16_t, uint16_t, uint32_t, uint32_t,
+@@ -5779,7 +5778,6 @@ static void initCropMasks(struct crop_mask *cps)
+         cps->regionlist[i].width = 0;
+         cps->regionlist[i].length = 0;
+         cps->regionlist[i].buffsize = 0;
+-        cps->regionlist[i].buffptr = NULL;
+         cps->zonelist[i].position = 0;
+         cps->zonelist[i].total = 0;
+     }
+@@ -7221,8 +7219,13 @@ static int correct_orientation(struct image_data *image,
+             return (-1);
+         }
+ 
+-        if (rotateImage(rotation, image, &image->width, &image->length,
+-                        work_buff_ptr))
+        /* Dummy variable in order not to switch two times the
+         * image->width,->length within rotateImage(),
+         * but switch xres, yres there. */
+        uint32_t width = image->width;
+        uint32_t length = image->length;
+        if (rotateImage(rotation, image, &width, &length, work_buff_ptr,
+                        TRUE))
+         {
+             TIFFError("correct_orientation", "Unable to rotate image");
+             return (-1);
+@@ -7291,7 +7294,6 @@ static int extractCompositeRegions(struct image_data *image,
+         /* These should not be needed for composite images */
+         crop->regionlist[i].width = crop_width;
+         crop->regionlist[i].length = crop_length;
+-        crop->regionlist[i].buffptr = crop_buff;
+ 
+         src_rowsize = ((img_width * bps * spp) + 7) / 8;
+         dst_rowsize = (((crop_width * bps * count) + 7) / 8);
+@@ -7552,7 +7554,6 @@ static int extractSeparateRegion(struct image_data *image,
+ 
+     crop->regionlist[region].width = crop_width;
+     crop->regionlist[region].length = crop_length;
+-    crop->regionlist[region].buffptr = crop_buff;
+ 
+     src = read_buff;
+     dst = crop_buff;
+@@ -8543,7 +8544,7 @@ static int processCropSelections(struct image_data *image,
+                                               reallocate the buffer */
+         {
+             if (rotateImage(crop->rotation, image, &crop->combined_width,
+-                            &crop->combined_length, &crop_buff))
+                            &crop->combined_length, &crop_buff, FALSE))
+             {
+                 TIFFError("processCropSelections",
+                           "Failed to rotate composite regions by %" PRIu32
+@@ -8668,7 +8669,7 @@ static int processCropSelections(struct image_data *image,
+                  */
+                 if (rotateImage(crop->rotation, image,
+                                 &crop->regionlist[i].width,
+-                                &crop->regionlist[i].length, &crop_buff))
+                                &crop->regionlist[i].length, &crop_buff, FALSE))
+                 {
+                     TIFFError("processCropSelections",
+                               "Failed to rotate crop region by %" PRIu16
+@@ -8815,7 +8816,7 @@ static int createCroppedImage(struct image_data *image, struct crop_mask *crop,
+         CROP_ROTATE) /* rotate should be last as it can reallocate the buffer */
+     {
+         if (rotateImage(crop->rotation, image, &crop->combined_width,
+-                        &crop->combined_length, crop_buff_ptr))
+                        &crop->combined_length, crop_buff_ptr, TRUE))
+         {
+             TIFFError("createCroppedImage",
+                       "Failed to rotate image or cropped selection by %" PRIu16
+@@ -9531,7 +9532,7 @@ static int rotateContigSamples32bits(uint16_t rotation, uint16_t spp,
+ /* Rotate an image by a multiple of 90 degrees clockwise */
+ static int rotateImage(uint16_t rotation, struct image_data *image,
+                        uint32_t *img_width, uint32_t *img_length,
+-                       unsigned char **ibuff_ptr)
+                       unsigned char **ibuff_ptr, int rot_image_params)
+ {
+     int shift_width;
+     uint32_t bytes_per_pixel, bytes_per_sample;
+@@ -9747,11 +9748,15 @@ static int rotateImage(uint16_t rotation, struct image_data *image,
+ 
+             *img_width = length;
+             *img_length = width;
+-            image->width = length;
+-            image->length = width;
+-            res_temp = image->xres;
+-            image->xres = image->yres;
+-            image->yres = res_temp;
+            /* Only toggle image parameters if whole input image is rotated. */
+            if (rot_image_params)
+            {
+                image->width = length;
+                image->length = width;
+                res_temp = image->xres;
+                image->xres = image->yres;
+                image->yres = res_temp;
+            }
+             break;
+ 
+         case 270:
+@@ -9834,11 +9839,15 @@ static int rotateImage(uint16_t rotation, struct image_data *image,
+ 
+             *img_width = length;
+             *img_length = width;
+-            image->width = length;
+-            image->length = width;
+-            res_temp = image->xres;
+-            image->xres = image->yres;
+-            image->yres = res_temp;
+            /* Only toggle image parameters if whole input image is rotated. */
+            if (rot_image_params)
+            {
+                image->width = length;
+                image->length = width;
+                res_temp = image->xres;
+                image->xres = image->yres;
+                image->yres = res_temp;
+            }
+             break;
+         default:
+             break;
+-- 
+2.35.7
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2023-26965.patch b/meta/recipes-multimedia/libtiff/files/CVE-2023-26965.patch
new file mode 100644
index 0000000000..09161c9165
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2023-26965.patch
@@ -0,0 +1,99 @@
+From ec8ef90c1f573c9eb1f17d6a056aa0015f184acf Mon Sep 17 00:00:00 2001
+From: Su_Laus <sulau@freenet.de>
+Date: Tue, 14 Feb 2023 20:43:43 +0100
+Subject: [PATCH] tiffcrop: Do not reuse input buffer for subsequent images.
+ Fix issue 527
+Reuse of read_buff within loadImage() from previous image is quite unsafe, because other functions (like rotateImage() etc.) reallocate that buffer with different size without updating the local prev_readsize value.
+Closes #527
+Upstream-Status: Backport from [https://gitlab.com/libtiff/libtiff/-/commit/ec8ef90c1f573c9eb1f17d6a056aa0015f184acf]
+CVE: CVE-2023-26965
+Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
+---
+ tools/tiffcrop.c | 47 +++++++++++++----------------------------------
+ 1 file changed, 13 insertions(+), 34 deletions(-)
+diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
+index fb0fbb2..58ed3ab 100644
+--- a/tools/tiffcrop.c
+++ b/tools/tiffcrop.c
+@@ -6746,9 +6746,7 @@ static int loadImage(TIFF *in, struct image_data *image, struct dump_opts *dump,
+     uint32_t tw = 0, tl = 0; /* Tile width and length */
+     tmsize_t tile_rowsize = 0;
+     unsigned char *read_buff = NULL;
+-    unsigned char *new_buff = NULL;
+     int readunit = 0;
+-    static tmsize_t prev_readsize = 0;
+ 
+     TIFFGetFieldDefaulted(in, TIFFTAG_BITSPERSAMPLE, &bps);
+     TIFFGetFieldDefaulted(in, TIFFTAG_SAMPLESPERPIXEL, &spp);
+@@ -7072,43 +7070,25 @@ static int loadImage(TIFF *in, struct image_data *image, struct dump_opts *dump,
+     }
+ 
+     read_buff = *read_ptr;
+-    /* +3 : add a few guard bytes since reverseSamples16bits() can read a bit */
+-    /* outside buffer */
+-    if (!read_buff)
+    /* +3 : add a few guard bytes since reverseSamples16bits() can read a bit
+     * outside buffer */
+    /* Reuse of read_buff from previous image is quite unsafe, because other
+     * functions (like rotateImage() etc.) reallocate that buffer with different
+     * size without updating the local prev_readsize value. */
+    if (read_buff)
+     {
+-        if (buffsize > 0xFFFFFFFFU - 3)
+-        {
+-            TIFFError("loadImage", "Unable to allocate/reallocate read buffer");
+-            return (-1);
+-        }
+-        read_buff =
+-            (unsigned char *)limitMalloc(buffsize + NUM_BUFF_OVERSIZE_BYTES);
+        _TIFFfree(read_buff);
+     }
+-    else
+    if (buffsize > 0xFFFFFFFFU - 3)
+     {
+-        if (prev_readsize < buffsize)
+-        {
+-            if (buffsize > 0xFFFFFFFFU - 3)
+-            {
+-                TIFFError("loadImage",
+-                          "Unable to allocate/reallocate read buffer");
+-                return (-1);
+-            }
+-            new_buff =
+-                _TIFFrealloc(read_buff, buffsize + NUM_BUFF_OVERSIZE_BYTES);
+-            if (!new_buff)
+-            {
+-                free(read_buff);
+-                read_buff = (unsigned char *)limitMalloc(
+-                    buffsize + NUM_BUFF_OVERSIZE_BYTES);
+-            }
+-            else
+-                read_buff = new_buff;
+-        }
+        TIFFError("loadImage", "Required read buffer size too large");
+        return (-1);
+     }
+    read_buff =
+        (unsigned char *)limitMalloc(buffsize + NUM_BUFF_OVERSIZE_BYTES);
+     if (!read_buff)
+     {
+-        TIFFError("loadImage", "Unable to allocate/reallocate read buffer");
+        TIFFError("loadImage", "Unable to allocate read buffer");
+         return (-1);
+     }
+ 
+@@ -7116,7 +7096,6 @@ static int loadImage(TIFF *in, struct image_data *image, struct dump_opts *dump,
+     read_buff[buffsize + 1] = 0;
+     read_buff[buffsize + 2] = 0;
+ 
+-    prev_readsize = buffsize;
+     *read_ptr = read_buff;
+ 
+     /* N.B. The read functions used copy separate plane data into a buffer as
+-- 
+2.35.7
diff --git a/meta/recipes-multimedia/libtiff/tiff_4.5.0.bb b/meta/recipes-multimedia/libtiff/tiff_4.5.0.bb
index ca4a3eff91..220f7e2816 100644
--- a/meta/recipes-multimedia/libtiff/tiff_4.5.0.bb
+++ b/meta/recipes-multimedia/libtiff/tiff_4.5.0.bb
@@ -11,6 +11,8 @@ CVE_PRODUCT = "libtiff"
 SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
           file://CVE-2022-48281.patch \
           file://CVE-2023-2731.patch \
+           file://CVE-2023-25434.patch \
+           file://CVE-2023-26965.patch \
 "
 SRC_URI[sha256sum] = "c7a1d9296649233979fa3eacffef3fa024d73d05d589cb622727b5b08c423464"

diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2023-25434.patch b/meta/recipes-multimedia/libtiff/files/CVE-2023-25434.patch new file mode 100644 index 0000000000..a78c9709f9 --- /dev/null +++ b/meta/recipes-multimedia/libtiff/files/CVE-2023-25434.patch
@@ -0,0 +1,159 @@
		1	From 69818e2f2d246e6631ac2a2da692c3706b849c38 Mon Sep 17 00:00:00 2001
		2	From: Su_Laus <sulau@freenet.de>
		3	Date: Sun, 29 Jan 2023 11:09:26 +0100
		4	Subject: [PATCH] tiffcrop: Amend rotateImage() not to toggle the input (main)
		5	image width and length parameters when only cropped image sections are
		6	rotated. Remove buffptr from region structure because never used.
		7
		8	Closes #492 #493 #494 #495 #499 #518 #519
		9
		10	Upstream-Status: Backport from [https://gitlab.com/libtiff/libtiff/-/commit/69818e2f2d246e6631ac2a2da692c3706b849c38]
		11	CVE: CVE-2023-25434
		12
		13	Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
		14	---
		15	tools/tiffcrop.c \| 51 ++++++++++++++++++++++++++++--------------------
		16	1 file changed, 30 insertions(+), 21 deletions(-)
		17
		18	diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
		19	index fc5b34b..6e1acc4 100644
		20	--- a/tools/tiffcrop.c
		21	+++ b/tools/tiffcrop.c
		22	@@ -296,7 +296,6 @@ struct region
		23	uint32_t width; /* width in pixels */
		24	uint32_t length; /* length in pixels */
		25	uint32_t buffsize; /* size of buffer needed to hold the cropped region */
		26	- unsigned char buffptr; / address of start of the region */
		27	};
		28
		29	/* Cropping parameters from command line and image data
		30	@@ -577,7 +576,7 @@ static int rotateContigSamples24bits(uint16_t, uint16_t, uint16_t, uint32_t,
		31	static int rotateContigSamples32bits(uint16_t, uint16_t, uint16_t, uint32_t,
		32	uint32_t, uint32_t, uint8_t , uint8_t );
		33	static int rotateImage(uint16_t, struct image_data , uint32_t , uint32_t *,
		34	- unsigned char **);
		35	+ unsigned char **, int);
		36	static int mirrorImage(uint16_t, uint16_t, uint16_t, uint32_t, uint32_t,
		37	unsigned char *);
		38	static int invertImage(uint16_t, uint16_t, uint16_t, uint32_t, uint32_t,
		39	@@ -5779,7 +5778,6 @@ static void initCropMasks(struct crop_mask *cps)
		40	cps->regionlist[i].width = 0;
		41	cps->regionlist[i].length = 0;
		42	cps->regionlist[i].buffsize = 0;
		43	- cps->regionlist[i].buffptr = NULL;
		44	cps->zonelist[i].position = 0;
		45	cps->zonelist[i].total = 0;
		46	}
		47	@@ -7221,8 +7219,13 @@ static int correct_orientation(struct image_data *image,
		48	return (-1);
		49	}
		50
		51	- if (rotateImage(rotation, image, &image->width, &image->length,
		52	- work_buff_ptr))
		53	+ /* Dummy variable in order not to switch two times the
		54	+ * image->width,->length within rotateImage(),
		55	+ * but switch xres, yres there. */
		56	+ uint32_t width = image->width;
		57	+ uint32_t length = image->length;
		58	+ if (rotateImage(rotation, image, &width, &length, work_buff_ptr,
		59	+ TRUE))
		60	{
		61	TIFFError("correct_orientation", "Unable to rotate image");
		62	return (-1);
		63	@@ -7291,7 +7294,6 @@ static int extractCompositeRegions(struct image_data *image,
		64	/* These should not be needed for composite images */
		65	crop->regionlist[i].width = crop_width;
		66	crop->regionlist[i].length = crop_length;
		67	- crop->regionlist[i].buffptr = crop_buff;
		68
		69	src_rowsize = ((img_width * bps * spp) + 7) / 8;
		70	dst_rowsize = (((crop_width * bps * count) + 7) / 8);
		71	@@ -7552,7 +7554,6 @@ static int extractSeparateRegion(struct image_data *image,
		72
		73	crop->regionlist[region].width = crop_width;
		74	crop->regionlist[region].length = crop_length;
		75	- crop->regionlist[region].buffptr = crop_buff;
		76
		77	src = read_buff;
		78	dst = crop_buff;
		79	@@ -8543,7 +8544,7 @@ static int processCropSelections(struct image_data *image,
		80	reallocate the buffer */
		81	{
		82	if (rotateImage(crop->rotation, image, &crop->combined_width,
		83	- &crop->combined_length, &crop_buff))
		84	+ &crop->combined_length, &crop_buff, FALSE))
		85	{
		86	TIFFError("processCropSelections",
		87	"Failed to rotate composite regions by %" PRIu32
		88	@@ -8668,7 +8669,7 @@ static int processCropSelections(struct image_data *image,
		89	*/
		90	if (rotateImage(crop->rotation, image,
		91	&crop->regionlist[i].width,
		92	- &crop->regionlist[i].length, &crop_buff))
		93	+ &crop->regionlist[i].length, &crop_buff, FALSE))
		94	{
		95	TIFFError("processCropSelections",
		96	"Failed to rotate crop region by %" PRIu16
		97	@@ -8815,7 +8816,7 @@ static int createCroppedImage(struct image_data image, struct crop_mask crop,
		98	CROP_ROTATE) /* rotate should be last as it can reallocate the buffer */
		99	{
		100	if (rotateImage(crop->rotation, image, &crop->combined_width,
		101	- &crop->combined_length, crop_buff_ptr))
		102	+ &crop->combined_length, crop_buff_ptr, TRUE))
		103	{
		104	TIFFError("createCroppedImage",
		105	"Failed to rotate image or cropped selection by %" PRIu16
		106	@@ -9531,7 +9532,7 @@ static int rotateContigSamples32bits(uint16_t rotation, uint16_t spp,
		107	/* Rotate an image by a multiple of 90 degrees clockwise */
		108	static int rotateImage(uint16_t rotation, struct image_data *image,
		109	uint32_t img_width, uint32_t img_length,
		110	- unsigned char **ibuff_ptr)
		111	+ unsigned char **ibuff_ptr, int rot_image_params)
		112	{
		113	int shift_width;
		114	uint32_t bytes_per_pixel, bytes_per_sample;
		115	@@ -9747,11 +9748,15 @@ static int rotateImage(uint16_t rotation, struct image_data *image,
		116
		117	*img_width = length;
		118	*img_length = width;
		119	- image->width = length;
		120	- image->length = width;
		121	- res_temp = image->xres;
		122	- image->xres = image->yres;
		123	- image->yres = res_temp;
		124	+ /* Only toggle image parameters if whole input image is rotated. */
		125	+ if (rot_image_params)
		126	+ {
		127	+ image->width = length;
		128	+ image->length = width;
		129	+ res_temp = image->xres;
		130	+ image->xres = image->yres;
		131	+ image->yres = res_temp;
		132	+ }
		133	break;
		134
		135	case 270:
		136	@@ -9834,11 +9839,15 @@ static int rotateImage(uint16_t rotation, struct image_data *image,
		137
		138	*img_width = length;
		139	*img_length = width;
		140	- image->width = length;
		141	- image->length = width;
		142	- res_temp = image->xres;
		143	- image->xres = image->yres;
		144	- image->yres = res_temp;
		145	+ /* Only toggle image parameters if whole input image is rotated. */
		146	+ if (rot_image_params)
		147	+ {
		148	+ image->width = length;
		149	+ image->length = width;
		150	+ res_temp = image->xres;
		151	+ image->xres = image->yres;
		152	+ image->yres = res_temp;
		153	+ }
		154	break;
		155	default:
		156	break;
		157	--
		158	2.35.7
		159


diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2023-26965.patch b/meta/recipes-multimedia/libtiff/files/CVE-2023-26965.patch new file mode 100644 index 0000000000..09161c9165 --- /dev/null +++ b/meta/recipes-multimedia/libtiff/files/CVE-2023-26965.patch
@@ -0,0 +1,99 @@
		1	From ec8ef90c1f573c9eb1f17d6a056aa0015f184acf Mon Sep 17 00:00:00 2001
		2	From: Su_Laus <sulau@freenet.de>
		3	Date: Tue, 14 Feb 2023 20:43:43 +0100
		4	Subject: [PATCH] tiffcrop: Do not reuse input buffer for subsequent images.
		5	Fix issue 527
		6
		7	Reuse of read_buff within loadImage() from previous image is quite unsafe, because other functions (like rotateImage() etc.) reallocate that buffer with different size without updating the local prev_readsize value.
		8
		9	Closes #527
		10
		11	Upstream-Status: Backport from [https://gitlab.com/libtiff/libtiff/-/commit/ec8ef90c1f573c9eb1f17d6a056aa0015f184acf]
		12	CVE: CVE-2023-26965
		13	Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
		14	---
		15	tools/tiffcrop.c \| 47 +++++++++++++----------------------------------
		16	1 file changed, 13 insertions(+), 34 deletions(-)
		17
		18	diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
		19	index fb0fbb2..58ed3ab 100644
		20	--- a/tools/tiffcrop.c
		21	+++ b/tools/tiffcrop.c
		22	@@ -6746,9 +6746,7 @@ static int loadImage(TIFF in, struct image_data image, struct dump_opts *dump,
		23	uint32_t tw = 0, tl = 0; /* Tile width and length */
		24	tmsize_t tile_rowsize = 0;
		25	unsigned char *read_buff = NULL;
		26	- unsigned char *new_buff = NULL;
		27	int readunit = 0;
		28	- static tmsize_t prev_readsize = 0;
		29
		30	TIFFGetFieldDefaulted(in, TIFFTAG_BITSPERSAMPLE, &bps);
		31	TIFFGetFieldDefaulted(in, TIFFTAG_SAMPLESPERPIXEL, &spp);
		32	@@ -7072,43 +7070,25 @@ static int loadImage(TIFF in, struct image_data image, struct dump_opts *dump,
		33	}
		34
		35	read_buff = *read_ptr;
		36	- /* +3 : add a few guard bytes since reverseSamples16bits() can read a bit */
		37	- /* outside buffer */
		38	- if (!read_buff)
		39	+ /* +3 : add a few guard bytes since reverseSamples16bits() can read a bit
		40	+ * outside buffer */
		41	+ /* Reuse of read_buff from previous image is quite unsafe, because other
		42	+ * functions (like rotateImage() etc.) reallocate that buffer with different
		43	+ * size without updating the local prev_readsize value. */
		44	+ if (read_buff)
		45	{
		46	- if (buffsize > 0xFFFFFFFFU - 3)
		47	- {
		48	- TIFFError("loadImage", "Unable to allocate/reallocate read buffer");
		49	- return (-1);
		50	- }
		51	- read_buff =
		52	- (unsigned char *)limitMalloc(buffsize + NUM_BUFF_OVERSIZE_BYTES);
		53	+ _TIFFfree(read_buff);
		54	}
		55	- else
		56	+ if (buffsize > 0xFFFFFFFFU - 3)
		57	{
		58	- if (prev_readsize < buffsize)
		59	- {
		60	- if (buffsize > 0xFFFFFFFFU - 3)
		61	- {
		62	- TIFFError("loadImage",
		63	- "Unable to allocate/reallocate read buffer");
		64	- return (-1);
		65	- }
		66	- new_buff =
		67	- _TIFFrealloc(read_buff, buffsize + NUM_BUFF_OVERSIZE_BYTES);
		68	- if (!new_buff)
		69	- {
		70	- free(read_buff);
		71	- read_buff = (unsigned char *)limitMalloc(
		72	- buffsize + NUM_BUFF_OVERSIZE_BYTES);
		73	- }
		74	- else
		75	- read_buff = new_buff;
		76	- }
		77	+ TIFFError("loadImage", "Required read buffer size too large");
		78	+ return (-1);
		79	}
		80	+ read_buff =
		81	+ (unsigned char *)limitMalloc(buffsize + NUM_BUFF_OVERSIZE_BYTES);
		82	if (!read_buff)
		83	{
		84	- TIFFError("loadImage", "Unable to allocate/reallocate read buffer");
		85	+ TIFFError("loadImage", "Unable to allocate read buffer");
		86	return (-1);
		87	}
		88
		89	@@ -7116,7 +7096,6 @@ static int loadImage(TIFF in, struct image_data image, struct dump_opts *dump,
		90	read_buff[buffsize + 1] = 0;
		91	read_buff[buffsize + 2] = 0;
		92
		93	- prev_readsize = buffsize;
		94	*read_ptr = read_buff;
		95
		96	/* N.B. The read functions used copy separate plane data into a buffer as
		97	--
		98	2.35.7
		99


diff --git a/meta/recipes-multimedia/libtiff/tiff_4.5.0.bb b/meta/recipes-multimedia/libtiff/tiff_4.5.0.bb index ca4a3eff91..220f7e2816 100644 --- a/meta/recipes-multimedia/libtiff/tiff_4.5.0.bb +++ b/meta/recipes-multimedia/libtiff/tiff_4.5.0.bb
@@ -11,6 +11,8 @@ CVE_PRODUCT = "libtiff"
11	SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \	11	SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
12	file://CVE-2022-48281.patch \	12	file://CVE-2022-48281.patch \
13	file://CVE-2023-2731.patch \	13	file://CVE-2023-2731.patch \
		14	file://CVE-2023-25434.patch \
		15	file://CVE-2023-26965.patch \
14	"	16	"
15		17
16	SRC_URI[sha256sum] = "c7a1d9296649233979fa3eacffef3fa024d73d05d589cb622727b5b08c423464"	18	SRC_URI[sha256sum] = "c7a1d9296649233979fa3eacffef3fa024d73d05d589cb622727b5b08c423464"