2 files changed, 115 insertions, 0 deletions
diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2023-3164.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2023-3164.patch
new file mode 100644
index 0000000000..4a47db8789
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2023-3164.patch
@@ -0,0 +1,114 @@
+From a20298c4785c369469510613dfbc5bf230164fed Mon Sep 17 00:00:00 2001
+From: Lee Howard <faxguy@howardsilvan.com>
+Date: Fri, 17 May 2024 15:11:10 +0000
+Subject: [PATCH] tiffcrop: fixes #542, #550, #552 (buffer overflows, use after
+ free)
+CVE: CVE-2023-3164
+Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/commit/a20298c4785c369469510613dfbc5bf230164fed]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ tools/tiffcrop.c | 31 +++++++++++++++++++++++++++++--
+ 1 file changed, 29 insertions(+), 2 deletions(-)
+diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
+index b11fec93a..aaf6bb280 100644
+--- a/tools/tiffcrop.c
+++ b/tools/tiffcrop.c
+@@ -449,6 +449,7 @@ static uint16_t defcompression = (uint16_t) -1;
+ static uint16_t defpredictor = (uint16_t) -1;
+ static int    pageNum = 0;
+ static int    little_endian = 1;
+static tmsize_t check_buffsize = 0;
+ 
+ /* Functions adapted from tiffcp with additions or significant modifications */
+ static int  readContigStripsIntoBuffer   (TIFF*, uint8_t*);
+@@ -2081,6 +2082,11 @@ void  process_command_opts (int argc, char *argv[], char *mp, char *mode, uint32
+                  TIFFError ("Limit for subdivisions, ie rows x columns, exceeded", "%d", MAX_SECTIONS);
+                  exit (EXIT_FAILURE);
+                   }
+                if ((page->cols * page->rows) < 1)
+                {
+                    TIFFError("No subdivisions", "%d", (page->cols * page->rows));
+                    exit(EXIT_FAILURE);
+                }
+                 page->mode |= PAGE_MODE_ROWSCOLS;
+                break;
+       case 'U':        /* units for measurements and offsets */
+@@ -4433,7 +4439,7 @@ combineSeparateTileSamplesBytes (unsigned char *srcbuffs[], unsigned char *out,
+     dst = out + (row * dst_rowsize);
+     src_offset = row * src_rowsize;
+ #ifdef DEVELMODE
+-    TIFFError("","Tile row %4d, Src offset %6d   Dst offset %6d", 
+    TIFFError("","Tile row %4d, Src offset %6d   Dst offset %6zd", 
+               row, src_offset, dst - out);
+ #endif
+     for (col = 0; col < cols; col++)
+@@ -5028,7 +5034,7 @@ static int readSeparateStripsIntoBuffer (TIFF *in, uint8_t *obuf, uint32_t lengt
+         break;
+         }
+ #ifdef DEVELMODE
+-      TIFFError("", "Strip %2"PRIu32", read %5"PRId32" bytes for %4"PRIu32" scanlines, shift width %d",
+      TIFFError("", "Strip %2"PRIu32", read %5zd bytes for %4"PRIu32" scanlines, shift width %d",
+                strip, bytes_read, rows_this_strip, shift_width);
+ #endif
+       }
+@@ -6446,6 +6452,7 @@ loadImage(TIFF* in, struct image_data *image, struct dump_opts *dump, unsigned c
+         TIFFError("loadImage", "Unable to allocate read buffer");
+         return (-1);
+     }
+    check_buffsize = buffsize + NUM_BUFF_OVERSIZE_BYTES;
+ 
+   read_buff[buffsize] = 0;
+   read_buff[buffsize+1] = 0;
+@@ -7076,6 +7083,11 @@ extractImageSection(struct image_data *image, struct pageseg *section,
+ #ifdef DEVELMODE
+         TIFFError ("", "Src offset: %8"PRIu32", Dst offset: %8"PRIu32, src_offset, dst_offset); 
+ #endif
+      if (src_offset + full_bytes >= check_buffsize)
+      {
+        printf("Bad input. Preventing reading outside of input buffer.\n");
+        return(-1);
+      }
+       _TIFFmemcpy (sect_buff + dst_offset, src_buff + src_offset, full_bytes);
+       dst_offset += full_bytes;
+       }        
+@@ -7110,6 +7122,11 @@ extractImageSection(struct image_data *image, struct pageseg *section,
+       bytebuff1 = bytebuff2 = 0;
+       if (shift1 == 0) /* the region is byte and sample aligned */
+         {
+          if (offset1 + full_bytes >= check_buffsize)
+          {
+            printf("Bad input. Preventing reading outside of input buffer.\n");
+            return(-1);
+          }
+        _TIFFmemcpy (sect_buff + dst_offset, src_buff + offset1, full_bytes);
+ 
+ #ifdef DEVELMODE
+@@ -7129,6 +7146,11 @@ extractImageSection(struct image_data *image, struct pageseg *section,
+         if (trailing_bits != 0)
+           {
+       /* Only copy higher bits of samples and mask lower bits of not wanted column samples to zero */
+      if (offset1 + full_bytes >= check_buffsize)
+      {
+        printf("Bad input. Preventing reading outside of input buffer.\n");
+        return(-1);
+      }
+          bytebuff2 = src_buff[offset1 + full_bytes] & ((unsigned char)255 << (8 - trailing_bits));
+           sect_buff[dst_offset] = bytebuff2;
+ #ifdef DEVELMODE
+@@ -7154,6 +7176,11 @@ extractImageSection(struct image_data *image, struct pageseg *section,
+           {
+           /* Skip the first shift1 bits and shift the source up by shift1 bits before save to destination.*/
+           /* Attention: src_buff size needs to be some bytes larger than image size, because could read behind image here. */
+          if (offset1 + j + 1 >= check_buffsize)
+          {
+            printf("Bad input. Preventing reading outside of input buffer.\n");
+            return(-1);
+          }
+           bytebuff1 = src_buff[offset1 + j] & ((unsigned char)255 >> shift1);
+           bytebuff2 = src_buff[offset1 + j + 1] & ((unsigned char)255 << (8 - shift1));
+           sect_buff[dst_offset + j] = (bytebuff1 << shift1) | (bytebuff2 >> (8 - shift1));
+-- 
+GitLab
diff --git a/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb b/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb
index a47fc4bd34..5ec7b20e61 100644
--- a/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb
+++ b/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb
@@ -54,6 +54,7 @@ SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
           file://CVE-2023-6277-3.patch \
           file://CVE-2023-6277-4.patch \
           file://CVE-2024-7006.patch \
+           file://CVE-2023-3164.patch \
           "
 SRC_URI[sha256sum] = "0e46e5acb087ce7d1ac53cf4f56a09b221537fc86dfc5daaad1c2e89e1b37ac8"

diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2023-3164.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2023-3164.patch new file mode 100644 index 0000000000..4a47db8789 --- /dev/null +++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2023-3164.patch
@@ -0,0 +1,114 @@
		1	From a20298c4785c369469510613dfbc5bf230164fed Mon Sep 17 00:00:00 2001
		2	From: Lee Howard <faxguy@howardsilvan.com>
		3	Date: Fri, 17 May 2024 15:11:10 +0000
		4	Subject: [PATCH] tiffcrop: fixes #542, #550, #552 (buffer overflows, use after
		5	free)
		6
		7	CVE: CVE-2023-3164
		8	Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/commit/a20298c4785c369469510613dfbc5bf230164fed]
		9	Signed-off-by: Peter Marko <peter.marko@siemens.com>
		10	---
		11	tools/tiffcrop.c \| 31 +++++++++++++++++++++++++++++--
		12	1 file changed, 29 insertions(+), 2 deletions(-)
		13
		14	diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
		15	index b11fec93a..aaf6bb280 100644
		16	--- a/tools/tiffcrop.c
		17	+++ b/tools/tiffcrop.c
		18	@@ -449,6 +449,7 @@ static uint16_t defcompression = (uint16_t) -1;
		19	static uint16_t defpredictor = (uint16_t) -1;
		20	static int pageNum = 0;
		21	static int little_endian = 1;
		22	+static tmsize_t check_buffsize = 0;
		23
		24	/* Functions adapted from tiffcp with additions or significant modifications */
		25	static int readContigStripsIntoBuffer (TIFF, uint8_t);
		26	@@ -2081,6 +2082,11 @@ void process_command_opts (int argc, char argv[], char mp, char *mode, uint32
		27	TIFFError ("Limit for subdivisions, ie rows x columns, exceeded", "%d", MAX_SECTIONS);
		28	exit (EXIT_FAILURE);
		29	}
		30	+ if ((page->cols * page->rows) < 1)
		31	+ {
		32	+ TIFFError("No subdivisions", "%d", (page->cols * page->rows));
		33	+ exit(EXIT_FAILURE);
		34	+ }
		35	page->mode \|= PAGE_MODE_ROWSCOLS;
		36	break;
		37	case 'U': /* units for measurements and offsets */
		38	@@ -4433,7 +4439,7 @@ combineSeparateTileSamplesBytes (unsigned char srcbuffs[], unsigned char out,
		39	dst = out + (row * dst_rowsize);
		40	src_offset = row * src_rowsize;
		41	#ifdef DEVELMODE
		42	- TIFFError("","Tile row %4d, Src offset %6d Dst offset %6d",
		43	+ TIFFError("","Tile row %4d, Src offset %6d Dst offset %6zd",
		44	row, src_offset, dst - out);
		45	#endif
		46	for (col = 0; col < cols; col++)
		47	@@ -5028,7 +5034,7 @@ static int readSeparateStripsIntoBuffer (TIFF in, uint8_t obuf, uint32_t lengt
		48	break;
		49	}
		50	#ifdef DEVELMODE
		51	- TIFFError("", "Strip %2"PRIu32", read %5"PRId32" bytes for %4"PRIu32" scanlines, shift width %d",
		52	+ TIFFError("", "Strip %2"PRIu32", read %5zd bytes for %4"PRIu32" scanlines, shift width %d",
		53	strip, bytes_read, rows_this_strip, shift_width);
		54	#endif
		55	}
		56	@@ -6446,6 +6452,7 @@ loadImage(TIFF* in, struct image_data image, struct dump_opts dump, unsigned c
		57	TIFFError("loadImage", "Unable to allocate read buffer");
		58	return (-1);
		59	}
		60	+ check_buffsize = buffsize + NUM_BUFF_OVERSIZE_BYTES;
		61
		62	read_buff[buffsize] = 0;
		63	read_buff[buffsize+1] = 0;
		64	@@ -7076,6 +7083,11 @@ extractImageSection(struct image_data image, struct pageseg section,
		65	#ifdef DEVELMODE
		66	TIFFError ("", "Src offset: %8"PRIu32", Dst offset: %8"PRIu32, src_offset, dst_offset);
		67	#endif
		68	+ if (src_offset + full_bytes >= check_buffsize)
		69	+ {
		70	+ printf("Bad input. Preventing reading outside of input buffer.\n");
		71	+ return(-1);
		72	+ }
		73	_TIFFmemcpy (sect_buff + dst_offset, src_buff + src_offset, full_bytes);
		74	dst_offset += full_bytes;
		75	}
		76	@@ -7110,6 +7122,11 @@ extractImageSection(struct image_data image, struct pageseg section,
		77	bytebuff1 = bytebuff2 = 0;
		78	if (shift1 == 0) /* the region is byte and sample aligned */
		79	{
		80	+ if (offset1 + full_bytes >= check_buffsize)
		81	+ {
		82	+ printf("Bad input. Preventing reading outside of input buffer.\n");
		83	+ return(-1);
		84	+ }
		85	_TIFFmemcpy (sect_buff + dst_offset, src_buff + offset1, full_bytes);
		86
		87	#ifdef DEVELMODE
		88	@@ -7129,6 +7146,11 @@ extractImageSection(struct image_data image, struct pageseg section,
		89	if (trailing_bits != 0)
		90	{
		91	/* Only copy higher bits of samples and mask lower bits of not wanted column samples to zero */
		92	+ if (offset1 + full_bytes >= check_buffsize)
		93	+ {
		94	+ printf("Bad input. Preventing reading outside of input buffer.\n");
		95	+ return(-1);
		96	+ }
		97	bytebuff2 = src_buff[offset1 + full_bytes] & ((unsigned char)255 << (8 - trailing_bits));
		98	sect_buff[dst_offset] = bytebuff2;
		99	#ifdef DEVELMODE
		100	@@ -7154,6 +7176,11 @@ extractImageSection(struct image_data image, struct pageseg section,
		101	{
		102	/* Skip the first shift1 bits and shift the source up by shift1 bits before save to destination.*/
		103	/* Attention: src_buff size needs to be some bytes larger than image size, because could read behind image here. */
		104	+ if (offset1 + j + 1 >= check_buffsize)
		105	+ {
		106	+ printf("Bad input. Preventing reading outside of input buffer.\n");
		107	+ return(-1);
		108	+ }
		109	bytebuff1 = src_buff[offset1 + j] & ((unsigned char)255 >> shift1);
		110	bytebuff2 = src_buff[offset1 + j + 1] & ((unsigned char)255 << (8 - shift1));
		111	sect_buff[dst_offset + j] = (bytebuff1 << shift1) \| (bytebuff2 >> (8 - shift1));
		112	--
		113	GitLab
		114


diff --git a/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb b/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb index a47fc4bd34..5ec7b20e61 100644 --- a/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb +++ b/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb
@@ -54,6 +54,7 @@ SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
54	file://CVE-2023-6277-3.patch \	54	file://CVE-2023-6277-3.patch \
55	file://CVE-2023-6277-4.patch \	55	file://CVE-2023-6277-4.patch \
56	file://CVE-2024-7006.patch \	56	file://CVE-2024-7006.patch \
		57	file://CVE-2023-3164.patch \
57	"	58	"
58		59
59	SRC_URI[sha256sum] = "0e46e5acb087ce7d1ac53cf4f56a09b221537fc86dfc5daaad1c2e89e1b37ac8"	60	SRC_URI[sha256sum] = "0e46e5acb087ce7d1ac53cf4f56a09b221537fc86dfc5daaad1c2e89e1b37ac8"