path: root/meta/recipes-multimedia/libtiff/tiff/CVE-2025-8851.patch
blob: 29089ab833a774b6ddf592c3621d800f1d357bed (plain)
From 8a7a48d7a645992ca83062b3a1873c951661e2b3 Mon Sep 17 00:00:00 2001
From: Lee Howard <faxguy@howardsilvan.com>
Date: Sun, 11 Aug 2024 16:01:07 +0000
Subject: [PATCH] Attempt to address tiffcrop Coverity scan issues 1605444, 
 1605445, and 1605449.

CVE: CVE-2025-8851
Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/8a7a48d7a645992ca83062b3a1873c951661e2b3]

Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
---
 tools/tiffcrop.c | 17 ++++++++++++-----
 1 file changed, 12 insertions(+), 5 deletions(-)

diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
index 1b072d4..e16bc2d 100644
--- a/tools/tiffcrop.c
+++ b/tools/tiffcrop.c
@@ -5024,7 +5024,14 @@ static int readSeparateStripsIntoBuffer (TIFF *in, uint8_t *obuf, uint32_t lengt
       buff = srcbuffs[s];
       strip = (s * strips_per_sample) + j; 
       bytes_read = TIFFReadEncodedStrip (in, strip, buff, stripsize);
-      rows_this_strip = (uint32_t)(bytes_read / src_rowsize);
+      if (bytes_read < 0)
+      {
+         rows_this_strip = 0;
+      }
+      else
+      {
+         rows_this_strip = (uint32_t)(bytes_read / src_rowsize);
+      }
       if (bytes_read < 0 && !ignore)
         {
         TIFFError(TIFFFileName(in),
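Review bot: The added `if (bytes_read < 0)` branch and the existing `if (bytes_read < 0 && !ignore)` directly below it test the same failure twice, and nothing records what a zero `rows_this_strip` means when `ignore` is set and the loop carries on. A short comment above the new branch, such as `/* failed read: treat the strip as contributing zero rows */`, would make that intent explicit. The division in the else branch also depends on `src_rowsize` being non-zero, which is established (if at all) outside this hunk, so it is worth confirming for a degenerate image width. The function body starts and ends outside the hunk.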
@@ -5434,14 +5441,14 @@ computeInputPixelOffsets(struct crop_mask *crop, struct image_data *image,
       rmargin = _TIFFClampDoubleToUInt32(crop->margins[3] * scale * xres);
       }
 
-    if ((lmargin + rmargin) > image->width)
+    if (lmargin == 0xFFFFFFFFU || rmargin == 0xFFFFFFFFU || (lmargin + rmargin) > image->width)
       {
       TIFFError("computeInputPixelOffsets", "Combined left and right margins exceed image width");
       lmargin = (uint32_t) 0;
       rmargin = (uint32_t) 0;
       return (-1);
       }
-    if ((tmargin + bmargin) > image->length)
+    if (tmargin == 0xFFFFFFFFU || bmargin == 0xFFFFFFFFU || (tmargin + bmargin) > image->length)
       {
       TIFFError("computeInputPixelOffsets", "Combined top and bottom margins exceed image length"); 
       tmargin = (uint32_t) 0;
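Review bot: The sums `lmargin + rmargin` and `tmargin + bmargin` are still computed in 32-bit unsigned arithmetic (assuming the margins are `uint32_t`, as the `(uint32_t) 0` resets suggest), so two large margins that are each below the clamp value can wrap to a small number and pass the comparison. The added `== 0xFFFFFFFFU` tests catch only the saturated case. A subtraction form avoids the wrap: `if (lmargin > image->width || rmargin > image->width - lmargin)` and likewise `if (tmargin > image->length || bmargin > image->length - tmargin)`. The function continues outside the hunk, so whether a later check bounds the margins cannot be seen here.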
@@ -5977,14 +5984,14 @@ computeOutputPixelOffsets (struct crop_mask *crop, struct image_data *image,
       vmargin = _TIFFClampDoubleToUInt32(page->vmargin * scale * ((image->bps + 7) / 8));
       }
 
-    if ((hmargin * 2.0) > (pwidth * page->hres))
+    if (hmargin == 0xFFFFFFFFU || (hmargin * 2.0) > (pwidth * page->hres))
       {
       TIFFError("computeOutputPixelOffsets", 
                 "Combined left and right margins exceed page width");
       hmargin = (uint32_t) 0;
       return (-1);
       }
-    if ((vmargin * 2.0) > (plength * page->vres))
+    if (vmargin == 0xFFFFFFFFU || (vmargin * 2.0) > (plength * page->vres))
       {
       TIFFError("computeOutputPixelOffsets", 
                 "Combined top and bottom margins exceed page length"); 
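Review bot: The bare literal `0xFFFFFFFFU` in the two new conditions here, and four more times in computeInputPixelOffsets, is a magic number whose meaning is not stated. It is presumably the value `_TIFFClampDoubleToUInt32` returns when the scaled margin does not fit. Writing it as `UINT32_MAX`, with one comment such as `/* UINT32_MAX: margin saturated in _TIFFClampDoubleToUInt32, treat as out of range */`, would tie the test to the clamp helper. The comparisons themselves are done in double because of the `* 2.0`, so no integer wrap applies in this function. The function body extends outside the hunk.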
-- 
2.40.0