1 files changed, 57 insertions, 0 deletions
diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2025-9900.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2025-9900.patch
new file mode 100644
index 0000000000..9199cc6090
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2025-9900.patch
@@ -0,0 +1,57 @@
+From 3e0dcf0ec651638b2bd849b2e6f3124b36890d99 Mon Sep 17 00:00:00 2001
+From: Su Laus <sulau@freenet.de>
+Date: Wed, 11 Jun 2025 19:45:19 +0000
+Subject: [PATCH] tif_getimage.c: Fix buffer underflow crash for less raster
+ rows at TIFFReadRGBAImageOriented()
+CVE: CVE-2025-9900
+Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/3e0dcf0ec651638b2bd849b2e6f3124b36890d99]
+Changes-
+- Use old API TIFFWarningExt instead of TIFFWarningExtR.
+Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
+---
+ libtiff/tif_getimage.c | 20 +++++++++++++++++---
+ 1 file changed, 17 insertions(+), 3 deletions(-)
+diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c
+index a9cd48f..4c807ad 100644
+--- a/libtiff/tif_getimage.c
+++ b/libtiff/tif_getimage.c
+@@ -509,6 +509,22 @@ TIFFRGBAImageGet(TIFFRGBAImage* img, uint32_t* raster, uint32_t w, uint32_t h)
+                "No \"put\" routine setupl; probably can not handle image format");
+                return (0);
+     }
+    /* Verify raster width and height against image width and height. */
+    if (h > img->height)
+    {
+        /* Adapt parameters to read only available lines and put image at
+         * the bottom of the raster. */
+        raster += (size_t)(h - img->height) * w;
+        h = img->height;
+    }
+    if (w > img->width)
+    {
+        TIFFWarningExt(img->tif, TIFFFileName(img->tif),
+                        "Raster width of %d shall not be larger than image "
+                        "width of %d -> raster width adapted for reading",
+                        w, img->width);
+        w = img->width;
+    }
+     return (*img->get)(img, raster, w, h);
+ }
+@@ -527,9 +543,7 @@ TIFFReadRGBAImageOriented(TIFF* tif,
+        if (TIFFRGBAImageOK(tif, emsg) && TIFFRGBAImageBegin(&img, tif, stop, emsg)) {
+                img.req_orientation = (uint16_t)orientation;
+-               /* XXX verify rwidth and rheight against width and height */
+-               ok = TIFFRGBAImageGet(&img, raster+(rheight-img.height)*rwidth,
+-                       rwidth, img.height);
+        ok = TIFFRGBAImageGet(&img, raster, rwidth, rheight);
+                TIFFRGBAImageEnd(&img);
+        } else {
+                TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "%s", emsg);
+--
+2.40.0

diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2025-9900.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2025-9900.patch new file mode 100644 index 0000000000..9199cc6090 --- /dev/null +++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2025-9900.patch
@@ -0,0 +1,57 @@
	1	From 3e0dcf0ec651638b2bd849b2e6f3124b36890d99 Mon Sep 17 00:00:00 2001
	2	From: Su Laus <sulau@freenet.de>
	3	Date: Wed, 11 Jun 2025 19:45:19 +0000
	4	Subject: [PATCH] tif_getimage.c: Fix buffer underflow crash for less raster
	5	rows at TIFFReadRGBAImageOriented()
	6
	7	CVE: CVE-2025-9900
	8	Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/3e0dcf0ec651638b2bd849b2e6f3124b36890d99]
	9
	10	Changes-
	11	- Use old API TIFFWarningExt instead of TIFFWarningExtR.
	12
	13	Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
	14	---
	15	libtiff/tif_getimage.c \| 20 +++++++++++++++++---
	16	1 file changed, 17 insertions(+), 3 deletions(-)
	17
	18	diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c
	19	index a9cd48f..4c807ad 100644
	20	--- a/libtiff/tif_getimage.c
	21	+++ b/libtiff/tif_getimage.c
	22	@@ -509,6 +509,22 @@ TIFFRGBAImageGet(TIFFRGBAImage* img, uint32_t* raster, uint32_t w, uint32_t h)
	23	"No \"put\" routine setupl; probably can not handle image format");
	24	return (0);
	25	}
	26	+ /* Verify raster width and height against image width and height. */
	27	+ if (h > img->height)
	28	+ {
	29	+ /* Adapt parameters to read only available lines and put image at
	30	+ * the bottom of the raster. */
	31	+ raster += (size_t)(h - img->height) * w;
	32	+ h = img->height;
	33	+ }
	34	+ if (w > img->width)
	35	+ {
	36	+ TIFFWarningExt(img->tif, TIFFFileName(img->tif),
	37	+ "Raster width of %d shall not be larger than image "
	38	+ "width of %d -> raster width adapted for reading",
	39	+ w, img->width);
	40	+ w = img->width;
	41	+ }
	42	return (*img->get)(img, raster, w, h);
	43	}
	44
	45	@@ -527,9 +543,7 @@ TIFFReadRGBAImageOriented(TIFF* tif,
	46
	47	if (TIFFRGBAImageOK(tif, emsg) && TIFFRGBAImageBegin(&img, tif, stop, emsg)) {
	48	img.req_orientation = (uint16_t)orientation;
	49	- /* XXX verify rwidth and rheight against width and height */
	50	- ok = TIFFRGBAImageGet(&img, raster+(rheight-img.height)*rwidth,
	51	- rwidth, img.height);
	52	+ ok = TIFFRGBAImageGet(&img, raster, rwidth, rheight);
	53	TIFFRGBAImageEnd(&img);
	54	} else {
	55	TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "%s", emsg);
	56	--
	57	2.40.0