4 files changed, 297 insertions, 0 deletions
diff --git a/meta/recipes-multimedia/libtiff/files/001_support_patch_for_CVE-2020-35521_and_CVE-2020-35522.patch b/meta/recipes-multimedia/libtiff/files/001_support_patch_for_CVE-2020-35521_and_CVE-2020-35522.patch
new file mode 100644
index 0000000000..9b4724a325
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/001_support_patch_for_CVE-2020-35521_and_CVE-2020-35522.patch
@@ -0,0 +1,148 @@
+From 02875964eba5c4a2ea98c41562835428214adfe7 Mon Sep 17 00:00:00 2001
+From: Thomas Bernard <miniupnp@free.fr>
+Date: Sat, 7 Mar 2020 13:21:56 +0100
+Subject: [PATCH] tiff2rgba: output usage to stdout when using -h
+also uses std C EXIT_FAILURE / EXIT_SUCCESS
+see #17
+Signed-off-by: akash hadke <akash.hadke@kpit.com>
+---
+ tools/tiff2rgba.c | 39 ++++++++++++++++++++++++---------------
+ 1 file changed, 24 insertions(+), 15 deletions(-)
+---
+Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/02875964eba5c4a2ea98c41562835428214adfe7.patch]
+---
+diff --git a/tools/tiff2rgba.c b/tools/tiff2rgba.c
+index 2eb6f6c4..ef643653 100644
+--- a/tools/tiff2rgba.c
+++ b/tools/tiff2rgba.c
+@@ -39,6 +39,13 @@
+ #include "tiffiop.h"
+ #include "tiffio.h"
+ 
+#ifndef EXIT_SUCCESS
+#define EXIT_SUCCESS 0
+#endif
+#ifndef EXIT_FAILURE
+#define EXIT_FAILURE 1
+#endif
+
+ #define        streq(a,b)      (strcmp(a,b) == 0)
+ #define        CopyField(tag, v) \
+     if (TIFFGetField(in, tag, &v)) TIFFSetField(out, tag, v)
+@@ -68,7 +75,7 @@ main(int argc, char* argv[])
+        extern char *optarg;
+ #endif
+ 
+-       while ((c = getopt(argc, argv, "c:r:t:bn8")) != -1)
+       while ((c = getopt(argc, argv, "c:r:t:bn8h")) != -1)
+                switch (c) {
+                        case 'b':
+                                process_by_block = 1;
+@@ -86,7 +93,7 @@ main(int argc, char* argv[])
+                                else if (streq(optarg, "zip"))
+                                        compression = COMPRESSION_DEFLATE;
+                                else
+-                                       usage(-1);
+                                       usage(EXIT_FAILURE);
+                                break;
+ 
+                        case 'r':
+@@ -105,17 +112,20 @@ main(int argc, char* argv[])
+                                bigtiff_output = 1;
+                                break;
+ 
+                       case 'h':
+                               usage(EXIT_SUCCESS);
+                               /*NOTREACHED*/
+                        case '?':
+-                               usage(0);
+                               usage(EXIT_FAILURE);
+                                /*NOTREACHED*/
+                }
+ 
+        if (argc - optind < 2)
+-               usage(-1);
+               usage(EXIT_FAILURE);
+ 
+        out = TIFFOpen(argv[argc-1], bigtiff_output?"w8":"w");
+        if (out == NULL)
+-               return (-2);
+               return (EXIT_FAILURE);
+ 
+        for (; optind < argc-1; optind++) {
+                in = TIFFOpen(argv[optind], "r");
+@@ -132,7 +142,7 @@ main(int argc, char* argv[])
+                }
+        }
+        (void) TIFFClose(out);
+-       return (0);
+       return (EXIT_SUCCESS);
+ }
+ 
+ static int
+@@ -166,7 +176,7 @@ cvt_by_tile( TIFF *in, TIFF *out )
+     if (tile_width != (rastersize / tile_height) / sizeof( uint32))
+     {
+        TIFFError(TIFFFileName(in), "Integer overflow when calculating raster buffer");
+-       exit(-1);
+       exit(EXIT_FAILURE);
+     }
+     raster = (uint32*)_TIFFmalloc(rastersize);
+     if (raster == 0) {
+@@ -182,7 +192,7 @@ cvt_by_tile( TIFF *in, TIFF *out )
+     if (tile_width != wrk_linesize / sizeof (uint32))
+     {
+         TIFFError(TIFFFileName(in), "Integer overflow when calculating wrk_line buffer");
+-       exit(-1);
+       exit(EXIT_FAILURE);
+     }
+     wrk_line = (uint32*)_TIFFmalloc(wrk_linesize);
+     if (!wrk_line) {
+@@ -279,7 +289,7 @@ cvt_by_strip( TIFF *in, TIFF *out )
+     if (width != (rastersize / rowsperstrip) / sizeof( uint32))
+     {
+        TIFFError(TIFFFileName(in), "Integer overflow when calculating raster buffer");
+-       exit(-1);
+       exit(EXIT_FAILURE);
+     }
+     raster = (uint32*)_TIFFmalloc(rastersize);
+     if (raster == 0) {
+@@ -295,7 +305,7 @@ cvt_by_strip( TIFF *in, TIFF *out )
+     if (width != wrk_linesize / sizeof (uint32))
+     {
+         TIFFError(TIFFFileName(in), "Integer overflow when calculating wrk_line buffer");
+-       exit(-1);
+       exit(EXIT_FAILURE);
+     }
+     wrk_line = (uint32*)_TIFFmalloc(wrk_linesize);
+     if (!wrk_line) {
+@@ -528,7 +538,7 @@ tiffcvt(TIFF* in, TIFF* out)
+             return( cvt_whole_image( in, out ) );
+ }
+ 
+-static char* stuff[] = {
+const static char* stuff[] = {
+     "usage: tiff2rgba [-c comp] [-r rows] [-b] [-n] [-8] input... output",
+     "where comp is one of the following compression algorithms:",
+     " jpeg\t\tJPEG encoding",
+@@ -547,13 +557,12 @@ static char* stuff[] = {
+ static void
+ usage(int code)
+ {
+-       char buf[BUFSIZ];
+        int i;
+       FILE * out = (code == EXIT_SUCCESS) ? stdout : stderr;
+ 
+-       setbuf(stderr, buf);
+-        fprintf(stderr, "%s\n\n", TIFFGetVersion());
+        fprintf(out, "%s\n\n", TIFFGetVersion());
+        for (i = 0; stuff[i] != NULL; i++)
+-               fprintf(stderr, "%s\n", stuff[i]);
+               fprintf(out, "%s\n", stuff[i]);
+        exit(code);
+ }
+ 
+-- 
+GitLab
diff --git a/meta/recipes-multimedia/libtiff/files/002_support_patch_for_CVE-2020-35521_and_CVE-2020-35522.patch b/meta/recipes-multimedia/libtiff/files/002_support_patch_for_CVE-2020-35521_and_CVE-2020-35522.patch
new file mode 100644
index 0000000000..b6e1842a54
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/002_support_patch_for_CVE-2020-35521_and_CVE-2020-35522.patch
@@ -0,0 +1,27 @@
+From ca70b5e702b9f503333344b2d46691de9feae84e Mon Sep 17 00:00:00 2001
+From: Even Rouault <even.rouault@spatialys.com>
+Date: Sat, 3 Oct 2020 18:16:27 +0200
+Subject: [PATCH] tiff2rgba.c: fix -Wold-style-declaration warning
+Signed-off-by: akash hadke <akash.hadke@kpit.com>
+---
+ tools/tiff2rgba.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+---
+Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/ca70b5e702b9f503333344b2d46691de9feae84e.patch]
+---
+diff --git a/tools/tiff2rgba.c b/tools/tiff2rgba.c
+index ef643653..fbc383aa 100644
+--- a/tools/tiff2rgba.c
+++ b/tools/tiff2rgba.c
+@@ -538,7 +538,7 @@ tiffcvt(TIFF* in, TIFF* out)
+             return( cvt_whole_image( in, out ) );
+ }
+ 
+-const static char* stuff[] = {
+static const char* stuff[] = {
+     "usage: tiff2rgba [-c comp] [-r rows] [-b] [-n] [-8] input... output",
+     "where comp is one of the following compression algorithms:",
+     " jpeg\t\tJPEG encoding",
+-- 
+GitLab
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2020-35521_and_CVE-2020-35522.patch b/meta/recipes-multimedia/libtiff/files/CVE-2020-35521_and_CVE-2020-35522.patch
new file mode 100644
index 0000000000..129721ff3e
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2020-35521_and_CVE-2020-35522.patch
@@ -0,0 +1,119 @@
+From 98a254f5b92cea22f5436555ff7fceb12afee84d Mon Sep 17 00:00:00 2001
+From: Thomas Bernard <miniupnp@free.fr>
+Date: Sun, 15 Nov 2020 17:02:51 +0100
+Subject: [PATCH 1/2] enforce (configurable) memory limit in tiff2rgba
+fixes #207
+fixes #209
+Signed-off-by: akash hadke <akash.hadke@kpit.com>
+---
+ tools/tiff2rgba.c | 25 +++++++++++++++++++++++--
+ 1 file changed, 23 insertions(+), 2 deletions(-)
+---
+CVE: CVE-2020-35521
+CVE: CVE-2020-35522
+Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/b5a935d96b21cda0f434230cdf8ca958cd8b4eef.patch]
+---
+diff --git a/tools/tiff2rgba.c b/tools/tiff2rgba.c
+index fbc383aa..764395f6 100644
+--- a/tools/tiff2rgba.c
+++ b/tools/tiff2rgba.c
+@@ -60,6 +60,10 @@ uint32 rowsperstrip = (uint32) -1;
+ int process_by_block = 0; /* default is whole image at once */
+ int no_alpha = 0;
+ int bigtiff_output = 0;
+#define DEFAULT_MAX_MALLOC (256 * 1024 * 1024)
+/* malloc size limit (in bytes)
+ * disabled when set to 0 */
+static tmsize_t maxMalloc = DEFAULT_MAX_MALLOC;
+ 
+ 
+ static int tiffcvt(TIFF* in, TIFF* out);
+@@ -75,8 +79,11 @@ main(int argc, char* argv[])
+        extern char *optarg;
+ #endif
+ 
+-       while ((c = getopt(argc, argv, "c:r:t:bn8h")) != -1)
+       while ((c = getopt(argc, argv, "c:r:t:bn8hM:")) != -1)
+                switch (c) {
+                       case 'M':
+                               maxMalloc = (tmsize_t)strtoul(optarg, NULL, 0) << 20;
+                               break;
+                        case 'b':
+                                process_by_block = 1;
+                                break;
+@@ -405,6 +412,12 @@ cvt_whole_image( TIFF *in, TIFF *out )
+                  (unsigned long)width, (unsigned long)height);
+         return 0;
+     }
+    if (maxMalloc != 0 && (tmsize_t)pixel_count * (tmsize_t)sizeof(uint32) > maxMalloc) {
+       TIFFError(TIFFFileName(in),
+                 "Raster size " TIFF_UINT64_FORMAT " over memory limit (" TIFF_UINT64_FORMAT "), try -b option.",
+                 (uint64)pixel_count * sizeof(uint32), (uint64)maxMalloc);
+        return 0;
+    }
+ 
+     rowsperstrip = TIFFDefaultStripSize(out, rowsperstrip);
+     TIFFSetField(out, TIFFTAG_ROWSPERSTRIP, rowsperstrip);
+@@ -530,6 +543,13 @@ tiffcvt(TIFF* in, TIFF* out)
+        TIFFSetField(out, TIFFTAG_SOFTWARE, TIFFGetVersion());
+        CopyField(TIFFTAG_DOCUMENTNAME, stringv);
+ 
+       if (maxMalloc != 0 && TIFFStripSize(in) > maxMalloc)
+       {
+               TIFFError(TIFFFileName(in),
+                         "Strip Size " TIFF_UINT64_FORMAT " over memory limit (" TIFF_UINT64_FORMAT ")",
+                         (uint64)TIFFStripSize(in), (uint64)maxMalloc);
+               return 0;
+       }
+         if( process_by_block && TIFFIsTiled( in ) )
+             return( cvt_by_tile( in, out ) );
+         else if( process_by_block )
+@@ -539,7 +559,7 @@ tiffcvt(TIFF* in, TIFF* out)
+ }
+ 
+ static const char* stuff[] = {
+-    "usage: tiff2rgba [-c comp] [-r rows] [-b] [-n] [-8] input... output",
+    "usage: tiff2rgba [-c comp] [-r rows] [-b] [-n] [-8] [-M size] input... output",
+     "where comp is one of the following compression algorithms:",
+     " jpeg\t\tJPEG encoding",
+     " zip\t\tZip/Deflate encoding",
+@@ -551,6 +571,7 @@ static const char* stuff[] = {
+     " -b (progress by block rather than as a whole image)",
+     " -n don't emit alpha component.",
+     " -8 write BigTIFF file instead of ClassicTIFF",
+    " -M set the memory allocation limit in MiB. 0 to disable limit",
+     NULL
+ };
+ 
+-- 
+GitLab
+From e9e504193ef1f87e9cb5e986586b0cbe3254e421 Mon Sep 17 00:00:00 2001
+From: Thomas Bernard <miniupnp@free.fr>
+Date: Sun, 15 Nov 2020 17:08:42 +0100
+Subject: [PATCH 2/2] tiff2rgba.1: -M option
+---
+ man/tiff2rgba.1 | 4 ++++
+ 1 file changed, 4 insertions(+)
+diff --git a/man/tiff2rgba.1 b/man/tiff2rgba.1
+index d9c9baae..fe9ebb2c 100644
+--- a/man/tiff2rgba.1
+++ b/man/tiff2rgba.1
+@@ -87,6 +87,10 @@ Drop the alpha component from the output file, producing a pure RGB file.
+ Currently this does not work if the
+ .B \-b
+ flag is also in effect.
+.TP
+.BI \-M " size"
+Set maximum memory allocation size (in MiB). The default is 256MiB.
+Set to 0 to disable the limit.
+ .SH "SEE ALSO"
+ .BR tiff2bw (1),
+ .BR TIFFReadRGBAImage (3t),
+-- 
+GitLab
diff --git a/meta/recipes-multimedia/libtiff/tiff_4.1.0.bb b/meta/recipes-multimedia/libtiff/tiff_4.1.0.bb
index cfea18ed29..43f210111d 100644
--- a/meta/recipes-multimedia/libtiff/tiff_4.1.0.bb
+++ b/meta/recipes-multimedia/libtiff/tiff_4.1.0.bb
@@ -12,6 +12,9 @@ SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
           file://CVE-2020-35523.patch  \
           file://CVE-2020-35524-1.patch \
           file://CVE-2020-35524-2.patch \
+           file://001_support_patch_for_CVE-2020-35521_and_CVE-2020-35522.patch \
+           file://002_support_patch_for_CVE-2020-35521_and_CVE-2020-35522.patch \
+           file://CVE-2020-35521_and_CVE-2020-35522.patch \
          "
 SRC_URI[md5sum] = "2165e7aba557463acc0664e71a3ed424"
 SRC_URI[sha256sum] = "5d29f32517dadb6dbcd1255ea5bbc93a2b54b94fbf83653b4d65c7d6775b8634"

diff --git a/meta/recipes-multimedia/libtiff/files/001_support_patch_for_CVE-2020-35521_and_CVE-2020-35522.patch b/meta/recipes-multimedia/libtiff/files/001_support_patch_for_CVE-2020-35521_and_CVE-2020-35522.patch new file mode 100644 index 0000000000..9b4724a325 --- /dev/null +++ b/meta/recipes-multimedia/libtiff/files/001_support_patch_for_CVE-2020-35521_and_CVE-2020-35522.patch
@@ -0,0 +1,148 @@
		1	From 02875964eba5c4a2ea98c41562835428214adfe7 Mon Sep 17 00:00:00 2001
		2	From: Thomas Bernard <miniupnp@free.fr>
		3	Date: Sat, 7 Mar 2020 13:21:56 +0100
		4	Subject: [PATCH] tiff2rgba: output usage to stdout when using -h
		5
		6	also uses std C EXIT_FAILURE / EXIT_SUCCESS
		7	see #17
		8
		9	Signed-off-by: akash hadke <akash.hadke@kpit.com>
		10	---
		11	tools/tiff2rgba.c \| 39 ++++++++++++++++++++++++---------------
		12	1 file changed, 24 insertions(+), 15 deletions(-)
		13	---
		14	Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/02875964eba5c4a2ea98c41562835428214adfe7.patch]
		15	---
		16	diff --git a/tools/tiff2rgba.c b/tools/tiff2rgba.c
		17	index 2eb6f6c4..ef643653 100644
		18	--- a/tools/tiff2rgba.c
		19	+++ b/tools/tiff2rgba.c
		20	@@ -39,6 +39,13 @@
		21	#include "tiffiop.h"
		22	#include "tiffio.h"
		23
		24	+#ifndef EXIT_SUCCESS
		25	+#define EXIT_SUCCESS 0
		26	+#endif
		27	+#ifndef EXIT_FAILURE
		28	+#define EXIT_FAILURE 1
		29	+#endif
		30	+
		31	#define streq(a,b) (strcmp(a,b) == 0)
		32	#define CopyField(tag, v) \
		33	if (TIFFGetField(in, tag, &v)) TIFFSetField(out, tag, v)
		34	@@ -68,7 +75,7 @@ main(int argc, char* argv[])
		35	extern char *optarg;
		36	#endif
		37
		38	- while ((c = getopt(argc, argv, "c:r:t:bn8")) != -1)
		39	+ while ((c = getopt(argc, argv, "c:r:t:bn8h")) != -1)
		40	switch (c) {
		41	case 'b':
		42	process_by_block = 1;
		43	@@ -86,7 +93,7 @@ main(int argc, char* argv[])
		44	else if (streq(optarg, "zip"))
		45	compression = COMPRESSION_DEFLATE;
		46	else
		47	- usage(-1);
		48	+ usage(EXIT_FAILURE);
		49	break;
		50
		51	case 'r':
		52	@@ -105,17 +112,20 @@ main(int argc, char* argv[])
		53	bigtiff_output = 1;
		54	break;
		55
		56	+ case 'h':
		57	+ usage(EXIT_SUCCESS);
		58	+ /NOTREACHED/
		59	case '?':
		60	- usage(0);
		61	+ usage(EXIT_FAILURE);
		62	/NOTREACHED/
		63	}
		64
		65	if (argc - optind < 2)
		66	- usage(-1);
		67	+ usage(EXIT_FAILURE);
		68
		69	out = TIFFOpen(argv[argc-1], bigtiff_output?"w8":"w");
		70	if (out == NULL)
		71	- return (-2);
		72	+ return (EXIT_FAILURE);
		73
		74	for (; optind < argc-1; optind++) {
		75	in = TIFFOpen(argv[optind], "r");
		76	@@ -132,7 +142,7 @@ main(int argc, char* argv[])
		77	}
		78	}
		79	(void) TIFFClose(out);
		80	- return (0);
		81	+ return (EXIT_SUCCESS);
		82	}
		83
		84	static int
		85	@@ -166,7 +176,7 @@ cvt_by_tile( TIFF in, TIFF out )
		86	if (tile_width != (rastersize / tile_height) / sizeof( uint32))
		87	{
		88	TIFFError(TIFFFileName(in), "Integer overflow when calculating raster buffer");
		89	- exit(-1);
		90	+ exit(EXIT_FAILURE);
		91	}
		92	raster = (uint32*)_TIFFmalloc(rastersize);
		93	if (raster == 0) {
		94	@@ -182,7 +192,7 @@ cvt_by_tile( TIFF in, TIFF out )
		95	if (tile_width != wrk_linesize / sizeof (uint32))
		96	{
		97	TIFFError(TIFFFileName(in), "Integer overflow when calculating wrk_line buffer");
		98	- exit(-1);
		99	+ exit(EXIT_FAILURE);
		100	}
		101	wrk_line = (uint32*)_TIFFmalloc(wrk_linesize);
		102	if (!wrk_line) {
		103	@@ -279,7 +289,7 @@ cvt_by_strip( TIFF in, TIFF out )
		104	if (width != (rastersize / rowsperstrip) / sizeof( uint32))
		105	{
		106	TIFFError(TIFFFileName(in), "Integer overflow when calculating raster buffer");
		107	- exit(-1);
		108	+ exit(EXIT_FAILURE);
		109	}
		110	raster = (uint32*)_TIFFmalloc(rastersize);
		111	if (raster == 0) {
		112	@@ -295,7 +305,7 @@ cvt_by_strip( TIFF in, TIFF out )
		113	if (width != wrk_linesize / sizeof (uint32))
		114	{
		115	TIFFError(TIFFFileName(in), "Integer overflow when calculating wrk_line buffer");
		116	- exit(-1);
		117	+ exit(EXIT_FAILURE);
		118	}
		119	wrk_line = (uint32*)_TIFFmalloc(wrk_linesize);
		120	if (!wrk_line) {
		121	@@ -528,7 +538,7 @@ tiffcvt(TIFF* in, TIFF* out)
		122	return( cvt_whole_image( in, out ) );
		123	}
		124
		125	-static char* stuff[] = {
		126	+const static char* stuff[] = {
		127	"usage: tiff2rgba [-c comp] [-r rows] [-b] [-n] [-8] input... output",
		128	"where comp is one of the following compression algorithms:",
		129	" jpeg\t\tJPEG encoding",
		130	@@ -547,13 +557,12 @@ static char* stuff[] = {
		131	static void
		132	usage(int code)
		133	{
		134	- char buf[BUFSIZ];
		135	int i;
		136	+ FILE * out = (code == EXIT_SUCCESS) ? stdout : stderr;
		137
		138	- setbuf(stderr, buf);
		139	- fprintf(stderr, "%s\n\n", TIFFGetVersion());
		140	+ fprintf(out, "%s\n\n", TIFFGetVersion());
		141	for (i = 0; stuff[i] != NULL; i++)
		142	- fprintf(stderr, "%s\n", stuff[i]);
		143	+ fprintf(out, "%s\n", stuff[i]);
		144	exit(code);
		145	}
		146
		147	--
		148	GitLab


diff --git a/meta/recipes-multimedia/libtiff/files/002_support_patch_for_CVE-2020-35521_and_CVE-2020-35522.patch b/meta/recipes-multimedia/libtiff/files/002_support_patch_for_CVE-2020-35521_and_CVE-2020-35522.patch new file mode 100644 index 0000000000..b6e1842a54 --- /dev/null +++ b/meta/recipes-multimedia/libtiff/files/002_support_patch_for_CVE-2020-35521_and_CVE-2020-35522.patch
@@ -0,0 +1,27 @@
		1	From ca70b5e702b9f503333344b2d46691de9feae84e Mon Sep 17 00:00:00 2001
		2	From: Even Rouault <even.rouault@spatialys.com>
		3	Date: Sat, 3 Oct 2020 18:16:27 +0200
		4	Subject: [PATCH] tiff2rgba.c: fix -Wold-style-declaration warning
		5
		6	Signed-off-by: akash hadke <akash.hadke@kpit.com>
		7	---
		8	tools/tiff2rgba.c \| 2 +-
		9	1 file changed, 1 insertion(+), 1 deletion(-)
		10	---
		11	Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/ca70b5e702b9f503333344b2d46691de9feae84e.patch]
		12	---
		13	diff --git a/tools/tiff2rgba.c b/tools/tiff2rgba.c
		14	index ef643653..fbc383aa 100644
		15	--- a/tools/tiff2rgba.c
		16	+++ b/tools/tiff2rgba.c
		17	@@ -538,7 +538,7 @@ tiffcvt(TIFF* in, TIFF* out)
		18	return( cvt_whole_image( in, out ) );
		19	}
		20
		21	-const static char* stuff[] = {
		22	+static const char* stuff[] = {
		23	"usage: tiff2rgba [-c comp] [-r rows] [-b] [-n] [-8] input... output",
		24	"where comp is one of the following compression algorithms:",
		25	" jpeg\t\tJPEG encoding",
		26	--
		27	GitLab


diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2020-35521_and_CVE-2020-35522.patch b/meta/recipes-multimedia/libtiff/files/CVE-2020-35521_and_CVE-2020-35522.patch new file mode 100644 index 0000000000..129721ff3e --- /dev/null +++ b/meta/recipes-multimedia/libtiff/files/CVE-2020-35521_and_CVE-2020-35522.patch
@@ -0,0 +1,119 @@
		1	From 98a254f5b92cea22f5436555ff7fceb12afee84d Mon Sep 17 00:00:00 2001
		2	From: Thomas Bernard <miniupnp@free.fr>
		3	Date: Sun, 15 Nov 2020 17:02:51 +0100
		4	Subject: [PATCH 1/2] enforce (configurable) memory limit in tiff2rgba
		5
		6	fixes #207
		7	fixes #209
		8
		9	Signed-off-by: akash hadke <akash.hadke@kpit.com>
		10	---
		11	tools/tiff2rgba.c \| 25 +++++++++++++++++++++++--
		12	1 file changed, 23 insertions(+), 2 deletions(-)
		13	---
		14	CVE: CVE-2020-35521
		15	CVE: CVE-2020-35522
		16	Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/b5a935d96b21cda0f434230cdf8ca958cd8b4eef.patch]
		17	---
		18	diff --git a/tools/tiff2rgba.c b/tools/tiff2rgba.c
		19	index fbc383aa..764395f6 100644
		20	--- a/tools/tiff2rgba.c
		21	+++ b/tools/tiff2rgba.c
		22	@@ -60,6 +60,10 @@ uint32 rowsperstrip = (uint32) -1;
		23	int process_by_block = 0; /* default is whole image at once */
		24	int no_alpha = 0;
		25	int bigtiff_output = 0;
		26	+#define DEFAULT_MAX_MALLOC (256 * 1024 * 1024)
		27	+/* malloc size limit (in bytes)
		28	+ * disabled when set to 0 */
		29	+static tmsize_t maxMalloc = DEFAULT_MAX_MALLOC;
		30
		31
		32	static int tiffcvt(TIFF* in, TIFF* out);
		33	@@ -75,8 +79,11 @@ main(int argc, char* argv[])
		34	extern char *optarg;
		35	#endif
		36
		37	- while ((c = getopt(argc, argv, "c:r:t:bn8h")) != -1)
		38	+ while ((c = getopt(argc, argv, "c:r:t:bn8hM:")) != -1)
		39	switch (c) {
		40	+ case 'M':
		41	+ maxMalloc = (tmsize_t)strtoul(optarg, NULL, 0) << 20;
		42	+ break;
		43	case 'b':
		44	process_by_block = 1;
		45	break;
		46	@@ -405,6 +412,12 @@ cvt_whole_image( TIFF in, TIFF out )
		47	(unsigned long)width, (unsigned long)height);
		48	return 0;
		49	}
		50	+ if (maxMalloc != 0 && (tmsize_t)pixel_count * (tmsize_t)sizeof(uint32) > maxMalloc) {
		51	+ TIFFError(TIFFFileName(in),
		52	+ "Raster size " TIFF_UINT64_FORMAT " over memory limit (" TIFF_UINT64_FORMAT "), try -b option.",
		53	+ (uint64)pixel_count * sizeof(uint32), (uint64)maxMalloc);
		54	+ return 0;
		55	+ }
		56
		57	rowsperstrip = TIFFDefaultStripSize(out, rowsperstrip);
		58	TIFFSetField(out, TIFFTAG_ROWSPERSTRIP, rowsperstrip);
		59	@@ -530,6 +543,13 @@ tiffcvt(TIFF* in, TIFF* out)
		60	TIFFSetField(out, TIFFTAG_SOFTWARE, TIFFGetVersion());
		61	CopyField(TIFFTAG_DOCUMENTNAME, stringv);
		62
		63	+ if (maxMalloc != 0 && TIFFStripSize(in) > maxMalloc)
		64	+ {
		65	+ TIFFError(TIFFFileName(in),
		66	+ "Strip Size " TIFF_UINT64_FORMAT " over memory limit (" TIFF_UINT64_FORMAT ")",
		67	+ (uint64)TIFFStripSize(in), (uint64)maxMalloc);
		68	+ return 0;
		69	+ }
		70	if( process_by_block && TIFFIsTiled( in ) )
		71	return( cvt_by_tile( in, out ) );
		72	else if( process_by_block )
		73	@@ -539,7 +559,7 @@ tiffcvt(TIFF* in, TIFF* out)
		74	}
		75
		76	static const char* stuff[] = {
		77	- "usage: tiff2rgba [-c comp] [-r rows] [-b] [-n] [-8] input... output",
		78	+ "usage: tiff2rgba [-c comp] [-r rows] [-b] [-n] [-8] [-M size] input... output",
		79	"where comp is one of the following compression algorithms:",
		80	" jpeg\t\tJPEG encoding",
		81	" zip\t\tZip/Deflate encoding",
		82	@@ -551,6 +571,7 @@ static const char* stuff[] = {
		83	" -b (progress by block rather than as a whole image)",
		84	" -n don't emit alpha component.",
		85	" -8 write BigTIFF file instead of ClassicTIFF",
		86	+ " -M set the memory allocation limit in MiB. 0 to disable limit",
		87	NULL
		88	};
		89
		90	--
		91	GitLab
		92
		93
		94	From e9e504193ef1f87e9cb5e986586b0cbe3254e421 Mon Sep 17 00:00:00 2001
		95	From: Thomas Bernard <miniupnp@free.fr>
		96	Date: Sun, 15 Nov 2020 17:08:42 +0100
		97	Subject: [PATCH 2/2] tiff2rgba.1: -M option
		98
		99	---
		100	man/tiff2rgba.1 \| 4 ++++
		101	1 file changed, 4 insertions(+)
		102
		103	diff --git a/man/tiff2rgba.1 b/man/tiff2rgba.1
		104	index d9c9baae..fe9ebb2c 100644
		105	--- a/man/tiff2rgba.1
		106	+++ b/man/tiff2rgba.1
		107	@@ -87,6 +87,10 @@ Drop the alpha component from the output file, producing a pure RGB file.
		108	Currently this does not work if the
		109	.B \-b
		110	flag is also in effect.
		111	+.TP
		112	+.BI \-M " size"
		113	+Set maximum memory allocation size (in MiB). The default is 256MiB.
		114	+Set to 0 to disable the limit.
		115	.SH "SEE ALSO"
		116	.BR tiff2bw (1),
		117	.BR TIFFReadRGBAImage (3t),
		118	--
		119	GitLab


diff --git a/meta/recipes-multimedia/libtiff/tiff_4.1.0.bb b/meta/recipes-multimedia/libtiff/tiff_4.1.0.bb index cfea18ed29..43f210111d 100644 --- a/meta/recipes-multimedia/libtiff/tiff_4.1.0.bb +++ b/meta/recipes-multimedia/libtiff/tiff_4.1.0.bb
@@ -12,6 +12,9 @@ SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
12	file://CVE-2020-35523.patch \	12	file://CVE-2020-35523.patch \
13	file://CVE-2020-35524-1.patch \	13	file://CVE-2020-35524-1.patch \
14	file://CVE-2020-35524-2.patch \	14	file://CVE-2020-35524-2.patch \
		15	file://001_support_patch_for_CVE-2020-35521_and_CVE-2020-35522.patch \
		16	file://002_support_patch_for_CVE-2020-35521_and_CVE-2020-35522.patch \
		17	file://CVE-2020-35521_and_CVE-2020-35522.patch \
15	"	18	"
16	SRC_URI[md5sum] = "2165e7aba557463acc0664e71a3ed424"	19	SRC_URI[md5sum] = "2165e7aba557463acc0664e71a3ed424"
17	SRC_URI[sha256sum] = "5d29f32517dadb6dbcd1255ea5bbc93a2b54b94fbf83653b4d65c7d6775b8634"	20	SRC_URI[sha256sum] = "5d29f32517dadb6dbcd1255ea5bbc93a2b54b94fbf83653b4d65c7d6775b8634"