1 files changed, 45 insertions, 0 deletions
diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2024-13978_2.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2024-13978_2.patch
new file mode 100644
index 0000000000..a022fd41e2
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2024-13978_2.patch
@@ -0,0 +1,45 @@
+From a80b9eb70a8137e2571b2f32bd05d1a22a5603c4 Mon Sep 17 00:00:00 2001
+From: Lee Howard <faxguy@howardsilvan.com>
+Date: Sat, 5 Oct 2024 09:45:30 -0700
+Subject: [PATCH 2/7] Check TIFFTAG_TILELENGTH and TIFFTAGTILEWIDTH for valid
+ input, addresses issue #650
+CVE: CVE-2024-13978
+Upstream-Status: Backport from [https://gitlab.com/libtiff/libtiff/-/commit/2ebfffb0e8836bfb1cd7d85c059cd285c59761a4]
+Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
+---
+ tools/tiff2pdf.c | 16 ++++++++++++++++
+ 1 file changed, 16 insertions(+)
+diff --git a/tools/tiff2pdf.c b/tools/tiff2pdf.c
+index 6dfc239..2010fee 100644
+--- a/tools/tiff2pdf.c
+++ b/tools/tiff2pdf.c
+@@ -1371,8 +1371,24 @@ void t2p_read_tiff_init(T2P *t2p, TIFF *input)
+             t2p->pdf_xrefcount += (t2p->tiff_tiles[i].tiles_tilecount - 1) * 2;
+             TIFFGetField(input, TIFFTAG_TILEWIDTH,
+                          &(t2p->tiff_tiles[i].tiles_tilewidth));
+            if (t2p->tiff_tiles[i].tiles_tilewidth < 1)
+            {
+                TIFFError(TIFF2PDF_MODULE, "Invalid tile width (%d), %s",
+                          t2p->tiff_tiles[i].tiles_tilewidth,
+                          TIFFFileName(input));
+                t2p->t2p_error = T2P_ERR_ERROR;
+                return;
+            }
+             TIFFGetField(input, TIFFTAG_TILELENGTH,
+                          &(t2p->tiff_tiles[i].tiles_tilelength));
+            if (t2p->tiff_tiles[i].tiles_tilelength < 1)
+            {
+                TIFFError(TIFF2PDF_MODULE, "Invalid tile length (%d), %s",
+                          t2p->tiff_tiles[i].tiles_tilelength,
+                          TIFFFileName(input));
+                t2p->t2p_error = T2P_ERR_ERROR;
+                return;
+            }
+             t2p->tiff_tiles[i].tiles_tiles = (T2P_TILE *)_TIFFmalloc(
+                 TIFFSafeMultiply(tmsize_t, t2p->tiff_tiles[i].tiles_tilecount,
+                                  sizeof(T2P_TILE)));
+-- 
+2.47.3

diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2024-13978_2.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2024-13978_2.patch new file mode 100644 index 0000000000..a022fd41e2 --- /dev/null +++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2024-13978_2.patch
@@ -0,0 +1,45 @@
	1	From a80b9eb70a8137e2571b2f32bd05d1a22a5603c4 Mon Sep 17 00:00:00 2001
	2	From: Lee Howard <faxguy@howardsilvan.com>
	3	Date: Sat, 5 Oct 2024 09:45:30 -0700
	4	Subject: [PATCH 2/7] Check TIFFTAG_TILELENGTH and TIFFTAGTILEWIDTH for valid
	5	input, addresses issue #650
	6
	7	CVE: CVE-2024-13978
	8	Upstream-Status: Backport from [https://gitlab.com/libtiff/libtiff/-/commit/2ebfffb0e8836bfb1cd7d85c059cd285c59761a4]
	9	Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
	10	---
	11	tools/tiff2pdf.c \| 16 ++++++++++++++++
	12	1 file changed, 16 insertions(+)
	13
	14	diff --git a/tools/tiff2pdf.c b/tools/tiff2pdf.c
	15	index 6dfc239..2010fee 100644
	16	--- a/tools/tiff2pdf.c
	17	+++ b/tools/tiff2pdf.c
	18	@@ -1371,8 +1371,24 @@ void t2p_read_tiff_init(T2P t2p, TIFF input)
	19	t2p->pdf_xrefcount += (t2p->tiff_tiles[i].tiles_tilecount - 1) * 2;
	20	TIFFGetField(input, TIFFTAG_TILEWIDTH,
	21	&(t2p->tiff_tiles[i].tiles_tilewidth));
	22	+ if (t2p->tiff_tiles[i].tiles_tilewidth < 1)
	23	+ {
	24	+ TIFFError(TIFF2PDF_MODULE, "Invalid tile width (%d), %s",
	25	+ t2p->tiff_tiles[i].tiles_tilewidth,
	26	+ TIFFFileName(input));
	27	+ t2p->t2p_error = T2P_ERR_ERROR;
	28	+ return;
	29	+ }
	30	TIFFGetField(input, TIFFTAG_TILELENGTH,
	31	&(t2p->tiff_tiles[i].tiles_tilelength));
	32	+ if (t2p->tiff_tiles[i].tiles_tilelength < 1)
	33	+ {
	34	+ TIFFError(TIFF2PDF_MODULE, "Invalid tile length (%d), %s",
	35	+ t2p->tiff_tiles[i].tiles_tilelength,
	36	+ TIFFFileName(input));
	37	+ t2p->t2p_error = T2P_ERR_ERROR;
	38	+ return;
	39	+ }
	40	t2p->tiff_tiles[i].tiles_tiles = (T2P_TILE *)_TIFFmalloc(
	41	TIFFSafeMultiply(tmsize_t, t2p->tiff_tiles[i].tiles_tilecount,
	42	sizeof(T2P_TILE)));
	43	--
	44	2.47.3
	45