From 1c227185c7a89df04f81c08881fd5e28aa185a21 Mon Sep 17 00:00:00 2001 From: Alexander Kanavin Date: Wed, 4 Dec 2024 07:49:09 +0100 Subject: [PATCH] tiff: update 4.6.0 -> 4.7.0 Drop all CVE backports. Signed-off-by: Alexander Kanavin Signed-off-by: Mathieu Dubois-Briand Signed-off-by: Richard Purdie --- .../libtiff/tiff/CVE-2023-52355-0001.patch | 238 ------------------ .../libtiff/tiff/CVE-2023-52355-0002.patch | 28 --- .../libtiff/tiff/CVE-2023-52356.patch | 49 ---- .../libtiff/tiff/CVE-2023-6228.patch | 31 --- ...277-Apply-1-suggestion-s-to-1-file-s.patch | 27 -- ...ompare-data-size-of-some-tags-data-2.patch | 36 --- ...-compare-data-size-of-some-tags-data.patch | 162 ------------ .../libtiff/tiff/CVE-2024-7006.patch | 65 ----- .../libtiff/{tiff_4.6.0.bb => tiff_4.7.0.bb} | 15 +- 9 files changed, 3 insertions(+), 648 deletions(-) delete mode 100644 meta/recipes-multimedia/libtiff/tiff/CVE-2023-52355-0001.patch delete mode 100644 meta/recipes-multimedia/libtiff/tiff/CVE-2023-52355-0002.patch delete mode 100644 meta/recipes-multimedia/libtiff/tiff/CVE-2023-52356.patch delete mode 100644 meta/recipes-multimedia/libtiff/tiff/CVE-2023-6228.patch delete mode 100644 meta/recipes-multimedia/libtiff/tiff/CVE-2023-6277-Apply-1-suggestion-s-to-1-file-s.patch delete mode 100644 meta/recipes-multimedia/libtiff/tiff/CVE-2023-6277-At-image-reading-compare-data-size-of-some-tags-data-2.patch delete mode 100644 meta/recipes-multimedia/libtiff/tiff/CVE-2023-6277-At-image-reading-compare-data-size-of-some-tags-data.patch delete mode 100644 meta/recipes-multimedia/libtiff/tiff/CVE-2024-7006.patch rename meta/recipes-multimedia/libtiff/{tiff_4.6.0.bb => tiff_4.7.0.bb} (79%) diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2023-52355-0001.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2023-52355-0001.patch deleted file mode 100644 index f5520fcafd4..00000000000 --- a/meta/recipes-multimedia/libtiff/tiff/CVE-2023-52355-0001.patch +++ /dev/null @@ -1,238 +0,0 @@ -From 335947359ce2dd3862cd9f7c49f92eba065dfed4 Mon Sep 17 00:00:00 2001 -From: Su_Laus -Date: Thu, 1 Feb 2024 13:06:08 +0000 -Subject: [PATCH] manpage: Update TIFF documentation about TIFFOpenOptions.rst - and TIFFOpenOptionsSetMaxSingleMemAlloc() usage and some other small fixes. - -CVE: CVE-2023-52355 -Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/335947359ce2dd3862cd9f7c49f92eba065dfed4] - -Signed-off-by: Yogita Urade ---- - doc/functions/TIFFDeferStrileArrayWriting.rst | 5 +++ - doc/functions/TIFFError.rst | 3 ++ - doc/functions/TIFFOpen.rst | 13 +++--- - doc/functions/TIFFOpenOptions.rst | 44 ++++++++++++++++++- - doc/functions/TIFFStrileQuery.rst | 5 +++ - doc/libtiff.rst | 31 ++++++++++++- - 6 files changed, 91 insertions(+), 10 deletions(-) - -diff --git a/doc/functions/TIFFDeferStrileArrayWriting.rst b/doc/functions/TIFFDeferStrileArrayWriting.rst -index 60ee746..705aebc 100644 ---- a/doc/functions/TIFFDeferStrileArrayWriting.rst -+++ b/doc/functions/TIFFDeferStrileArrayWriting.rst -@@ -61,6 +61,11 @@ Diagnostics - All error messages are directed to the :c:func:`TIFFErrorExtR` routine. - Likewise, warning messages are directed to the :c:func:`TIFFWarningExtR` routine. - -+Note -+---- -+ -+This functionality was introduced with libtiff 4.1. -+ - See also - -------- - -diff --git a/doc/functions/TIFFError.rst b/doc/functions/TIFFError.rst -index 99924ad..cf4b37c 100644 ---- a/doc/functions/TIFFError.rst -+++ b/doc/functions/TIFFError.rst -@@ -65,6 +65,9 @@ or :c:func:`TIFFClientOpenExt`. - Furthermore, a **custom defined data structure** *user_data* for the - error handler can be given along. - -+Please refer to :doc:`/functions/TIFFOpenOptions` for how to setup the -+application-specific handler introduced with libtiff 4.5. -+ - Note - ---- - -diff --git a/doc/functions/TIFFOpen.rst b/doc/functions/TIFFOpen.rst -index db79d7b..adc474f 100644 ---- a/doc/functions/TIFFOpen.rst -+++ b/doc/functions/TIFFOpen.rst -@@ -94,8 +94,9 @@ TIFF structure without closing the file handle and afterwards the - file should be closed using its file descriptor *fd*. - - :c:func:`TIFFOpenExt` (added in libtiff 4.5) is like :c:func:`TIFFOpen`, --but options, such as re-entrant error and warning handlers may be passed --with the *opts* argument. The *opts* argument may be NULL. -+but options, such as re-entrant error and warning handlers and a limit in byte -+that libtiff internal memory allocation functions are allowed to request per call -+may be passed with the *opts* argument. The *opts* argument may be NULL. - Refer to :doc:`TIFFOpenOptions` for allocating and filling the *opts* argument - parameters. The allocated memory for :c:type:`TIFFOpenOptions` - can be released straight after successful execution of the related -@@ -105,9 +106,7 @@ can be released straight after successful execution of the related - but opens a TIFF file with a Unicode filename. - - :c:func:`TIFFFdOpenExt` (added in libtiff 4.5) is like :c:func:`TIFFFdOpen`, --but options, such as re-entrant error and warning handlers may be passed --with the *opts* argument. The *opts* argument may be NULL. --Refer to :doc:`TIFFOpenOptions` for filling the *opts* argument. -+but options argument *opts* like for :c:func:`TIFFOpenExt` can be passed. - - :c:func:`TIFFSetFileName` sets the file name in the tif-structure - and returns the old file name. -@@ -326,5 +325,5 @@ See also - - :doc:`libtiff` (3tiff), - :doc:`TIFFClose` (3tiff), --:doc:`TIFFStrileQuery`, --:doc:`TIFFOpenOptions` -\ No newline at end of file -+:doc:`TIFFStrileQuery` (3tiff), -+:doc:`TIFFOpenOptions` -diff --git a/doc/functions/TIFFOpenOptions.rst b/doc/functions/TIFFOpenOptions.rst -index 5c67566..23f2975 100644 ---- a/doc/functions/TIFFOpenOptions.rst -+++ b/doc/functions/TIFFOpenOptions.rst -@@ -38,12 +38,17 @@ opaque structure and returns a :c:type:`TIFFOpenOptions` pointer. - :c:func:`TIFFOpenOptionsFree` releases the allocated memory for - :c:type:`TIFFOpenOptions`. The allocated memory for :c:type:`TIFFOpenOptions` - can be released straight after successful execution of the related --TIFF open"Ext" functions like :c:func:`TIFFOpenExt`. -+TIFFOpen"Ext" functions like :c:func:`TIFFOpenExt`. - - :c:func:`TIFFOpenOptionsSetMaxSingleMemAlloc` sets parameter for the - maximum single memory limit in byte that ``libtiff`` internal memory allocation - functions are allowed to request per call. - -+.. note:: -+ However, the ``libtiff`` external functions :c:func:`_TIFFmalloc` -+ and :c:func:`_TIFFrealloc` **do not apply** this internal memory -+ allocation limit set by :c:func:`TIFFOpenOptionsSetMaxSingleMemAlloc`! -+ - :c:func:`TIFFOpenOptionsSetErrorHandlerExtR` sets the function pointer to - an application-specific and per-TIFF handle (re-entrant) error handler. - Furthermore, a pointer to a **custom defined data structure** *errorhandler_user_data* -@@ -55,6 +60,43 @@ The *errorhandler_user_data* argument may be NULL. - :c:func:`TIFFOpenOptionsSetErrorHandlerExtR` but for the warning handler, - which is invoked through :c:func:`TIFFWarningExtR` - -+Example -+------- -+ -+:: -+ -+ #include "tiffio.h" -+ -+ typedef struct MyErrorHandlerUserDataStruct -+ { -+ /* ... any user data structure ... */ -+ } MyErrorHandlerUserDataStruct; -+ -+ static int myErrorHandler(TIFF *tiff, void *user_data, const char *module, -+ const char *fmt, va_list ap) -+ { -+ MyErrorHandlerUserDataStruct *errorhandler_user_data = -+ (MyErrorHandlerUserDataStruct *)user_data; -+ /*... code of myErrorHandler ...*/ -+ return 1; -+ } -+ -+ -+ main() -+ { -+ tmsize_t limit = (256 * 1024 * 1024); -+ MyErrorHandlerUserDataStruct user_data = { /* ... any data ... */}; -+ -+ TIFFOpenOptions *opts = TIFFOpenOptionsAlloc(); -+ TIFFOpenOptionsSetMaxSingleMemAlloc(opts, limit); -+ TIFFOpenOptionsSetErrorHandlerExtR(opts, myErrorHandler, &user_data); -+ TIFF *tif = TIFFOpenExt("foo.tif", "r", opts); -+ TIFFOpenOptionsFree(opts); -+ /* ... go on here ... */ -+ -+ TIFFClose(tif); -+ } -+ - Note - ---- - -diff --git a/doc/functions/TIFFStrileQuery.rst b/doc/functions/TIFFStrileQuery.rst -index f8631af..7931fe4 100644 ---- a/doc/functions/TIFFStrileQuery.rst -+++ b/doc/functions/TIFFStrileQuery.rst -@@ -66,6 +66,11 @@ Diagnostics - All error messages are directed to the :c:func:`TIFFErrorExtR` routine. - Likewise, warning messages are directed to the :c:func:`TIFFWarningExtR` routine. - -+Note -+---- -+ -+This functionality was introduced with libtiff 4.1. -+ - See also - -------- - -diff --git a/doc/libtiff.rst b/doc/libtiff.rst -index 6a0054c..d96a860 100644 ---- a/doc/libtiff.rst -+++ b/doc/libtiff.rst -@@ -90,11 +90,15 @@ compatibility on machines with a segmented architecture. - :c:func:`realloc`, and :c:func:`free` routines in the C library.) - - To deal with segmented pointer issues ``libtiff`` also provides --:c:func:`_TIFFmemcpy`, :c:func:`_TIFFmemset`, and :c:func:`_TIFFmemmove` -+:c:func:`_TIFFmemcpy`, :c:func:`_TIFFmemset`, and :c:func:`_TIFFmemcmp` - routines that mimic the equivalent ANSI C routines, but that are - intended for use with memory allocated through :c:func:`_TIFFmalloc` - and :c:func:`_TIFFrealloc`. - -+With ``libtiff`` 4.5 a method was introduced to limit the internal -+memory allocation that functions are allowed to request per call -+(see :c:func:`TIFFOpenOptionsSetMaxSingleMemAlloc` and :c:func:`TIFFOpenExt`). -+ - Error Handling - -------------- - -@@ -106,6 +110,10 @@ routine that can be specified with a call to :c:func:`TIFFSetErrorHandler`. - Likewise warning messages are directed to a single handler routine - that can be specified with a call to :c:func:`TIFFSetWarningHandler` - -+Further application-specific and per-TIFF handle (re-entrant) error handler -+and warning handler can be set. Please refer to :doc:`/functions/TIFFError` -+and :doc:`/functions/TIFFOpenOptions`. -+ - Basic File Handling - ------------------- - -@@ -139,7 +147,7 @@ a ``"w"`` argument: - main() - { - TIFF* tif = TIFFOpen("foo.tif", "w"); -- ... do stuff ... -+ /* ... do stuff ... */ - TIFFClose(tif); - } - -@@ -157,6 +165,25 @@ to always call :c:func:`TIFFClose` or :c:func:`TIFFFlush` to flush any - buffered information to a file. Note that if you call :c:func:`TIFFClose` - you do not need to call :c:func:`TIFFFlush`. - -+.. warning:: -+ -+ In order to prevent out-of-memory issues when opening a TIFF file -+ :c:func:`TIFFOpenExt` can be used and then the maximum single memory -+ limit in byte that ``libtiff`` internal memory allocation functions -+ are allowed to request per call can be set with -+ :c:func:`TIFFOpenOptionsSetMaxSingleMemAlloc`. -+ -+Example -+ -+:: -+ -+ tmsize_t limit = (256 * 1024 * 1024); -+ TIFFOpenOptions *opts = TIFFOpenOptionsAlloc(); -+ TIFFOpenOptionsSetMaxSingleMemAlloc(opts, limit); -+ TIFF *tif = TIFFOpenExt("foo.tif", "w", opts); -+ TIFFOpenOptionsFree(opts); -+ /* ... go on here ... */ -+ - TIFF Directories - ---------------- - --- -2.40.0 - diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2023-52355-0002.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2023-52355-0002.patch deleted file mode 100644 index 19a1ef727ac..00000000000 --- a/meta/recipes-multimedia/libtiff/tiff/CVE-2023-52355-0002.patch +++ /dev/null @@ -1,28 +0,0 @@ -From 16ab4a205cfc938c32686e8d697d048fabf97ed4 Mon Sep 17 00:00:00 2001 -From: Timothy Lyanguzov -Date: Thu, 1 Feb 2024 11:19:06 +0000 -Subject: [PATCH] Fix typo. - -CVE: CVE-2023-52355 -Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/16ab4a205cfc938c32686e8d697d048fabf97ed4] - -Signed-off-by: Yogita Urade ---- - doc/libtiff.rst | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/doc/libtiff.rst b/doc/libtiff.rst -index d96a860..4fedc3e 100644 ---- a/doc/libtiff.rst -+++ b/doc/libtiff.rst -@@ -169,7 +169,7 @@ you do not need to call :c:func:`TIFFFlush`. - - In order to prevent out-of-memory issues when opening a TIFF file - :c:func:`TIFFOpenExt` can be used and then the maximum single memory -- limit in byte that ``libtiff`` internal memory allocation functions -+ limit in bytes that ``libtiff`` internal memory allocation functions - are allowed to request per call can be set with - :c:func:`TIFFOpenOptionsSetMaxSingleMemAlloc`. - --- -2.40.0 diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2023-52356.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2023-52356.patch deleted file mode 100644 index 75f5d8946ad..00000000000 --- a/meta/recipes-multimedia/libtiff/tiff/CVE-2023-52356.patch +++ /dev/null @@ -1,49 +0,0 @@ -From 51558511bdbbcffdce534db21dbaf5d54b31638a Mon Sep 17 00:00:00 2001 -From: Even Rouault -Date: Thu, 1 Feb 2024 11:38:14 +0000 -Subject: [PATCH] TIFFReadRGBAStrip/TIFFReadRGBATile: add more validation of - col/row (fixes #622) - -CVE: CVE-2023-52356 -Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/51558511bdbbcffdce534db21dbaf5d54b31638a] - -Signed-off-by: Yogita Urade ---- - libtiff/tif_getimage.c | 15 +++++++++++++++ - 1 file changed, 15 insertions(+) - -diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c -index 41f7dfd..9cd6eee 100644 ---- a/libtiff/tif_getimage.c -+++ b/libtiff/tif_getimage.c -@@ -3224,6 +3224,13 @@ int TIFFReadRGBAStripExt(TIFF *tif, uint32_t row, uint32_t *raster, - if (TIFFRGBAImageOK(tif, emsg) && - TIFFRGBAImageBegin(&img, tif, stop_on_error, emsg)) - { -+ if (row >= img.height) -+ { -+ TIFFErrorExtR(tif, TIFFFileName(tif), -+ "Invalid row passed to TIFFReadRGBAStrip()."); -+ TIFFRGBAImageEnd(&img); -+ return (0); -+ } - - img.row_offset = row; - img.col_offset = 0; -@@ -3301,6 +3308,14 @@ int TIFFReadRGBATileExt(TIFF *tif, uint32_t col, uint32_t row, uint32_t *raster, - return (0); - } - -+ if (col >= img.width || row >= img.height) -+ { -+ TIFFErrorExtR(tif, TIFFFileName(tif), -+ "Invalid row/col passed to TIFFReadRGBATile()."); -+ TIFFRGBAImageEnd(&img); -+ return (0); -+ } -+ - /* - * The TIFFRGBAImageGet() function doesn't allow us to get off the - * edge of the image, even to fill an otherwise valid tile. So we --- -2.40.0 diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2023-6228.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2023-6228.patch deleted file mode 100644 index 2020508fdf5..00000000000 --- a/meta/recipes-multimedia/libtiff/tiff/CVE-2023-6228.patch +++ /dev/null @@ -1,31 +0,0 @@ -From 1e7d217a323eac701b134afc4ae39b6bdfdbc96a Mon Sep 17 00:00:00 2001 -From: Su_Laus -Date: Wed, 17 Jan 2024 06:57:08 +0000 -Subject: [PATCH] codec of input image is available, independently from codec - check of output image and return with error if not. - -Fixes #606. - -CVE: CVE-2023-6228 -Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/1e7d217a323eac701b134afc4ae39b6bdfdbc96a] - -Signed-off-by: Yogita Urade ---- - tools/tiffcp.c | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/tools/tiffcp.c b/tools/tiffcp.c -index aff0626..a4f7f6b 100644 ---- a/tools/tiffcp.c -+++ b/tools/tiffcp.c -@@ -846,6 +846,8 @@ static int tiffcp(TIFF *in, TIFF *out) - if (!TIFFIsCODECConfigured(compression)) - return FALSE; - TIFFGetFieldDefaulted(in, TIFFTAG_COMPRESSION, &input_compression); -+ if (!TIFFIsCODECConfigured(input_compression)) -+ return FALSE; - TIFFGetFieldDefaulted(in, TIFFTAG_PHOTOMETRIC, &input_photometric); - if (input_compression == COMPRESSION_JPEG) - { --- -2.40.0 diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2023-6277-Apply-1-suggestion-s-to-1-file-s.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2023-6277-Apply-1-suggestion-s-to-1-file-s.patch deleted file mode 100644 index 5d15dff1d9b..00000000000 --- a/meta/recipes-multimedia/libtiff/tiff/CVE-2023-6277-Apply-1-suggestion-s-to-1-file-s.patch +++ /dev/null @@ -1,27 +0,0 @@ -From e1640519208121f916da1772a5efb6ca28971b86 Mon Sep 17 00:00:00 2001 -From: Even Rouault -Date: Tue, 31 Oct 2023 15:04:37 +0000 -Subject: [PATCH 3/3] Apply 1 suggestion(s) to 1 file(s) - -CVE: CVE-2023-6277 -Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/merge_requests/545] -Signed-off-by: Khem Raj ---- - libtiff/tif_dirread.c | 1 - - 1 file changed, 1 deletion(-) - -diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c -index fe8d6f8..58a4276 100644 ---- a/libtiff/tif_dirread.c -+++ b/libtiff/tif_dirread.c -@@ -5306,7 +5306,6 @@ static int EstimateStripByteCounts(TIFF *tif, TIFFDirEntry *dir, - { - uint64_t space; - uint16_t n; -- filesize = TIFFGetFileSize(tif); - if (!(tif->tif_flags & TIFF_BIGTIFF)) - space = sizeof(TIFFHeaderClassic) + 2 + dircount * 12 + 4; - else --- -2.43.0 - diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2023-6277-At-image-reading-compare-data-size-of-some-tags-data-2.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2023-6277-At-image-reading-compare-data-size-of-some-tags-data-2.patch deleted file mode 100644 index 9fc8182fef3..00000000000 --- a/meta/recipes-multimedia/libtiff/tiff/CVE-2023-6277-At-image-reading-compare-data-size-of-some-tags-data-2.patch +++ /dev/null @@ -1,36 +0,0 @@ -From f500facf7723f1cae725dd288b2daad15e45131c Mon Sep 17 00:00:00 2001 -From: Su_Laus -Date: Mon, 30 Oct 2023 21:21:57 +0100 -Subject: [PATCH 2/3] At image reading, compare data size of some tags / data - structures (StripByteCounts, StripOffsets, StripArray, TIFF directory) with - file size to prevent provoked out-of-memory attacks. -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -See issue #614. - -Correct declaration of ‘filesize’ shadows a previous local. - -CVE: CVE-2023-6277 -Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/merge_requests/545] -Signed-off-by: Khem Raj ---- - libtiff/tif_dirread.c | 1 - - 1 file changed, 1 deletion(-) - -diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c -index c52d41f..fe8d6f8 100644 ---- a/libtiff/tif_dirread.c -+++ b/libtiff/tif_dirread.c -@@ -5305,7 +5305,6 @@ static int EstimateStripByteCounts(TIFF *tif, TIFFDirEntry *dir, - if (td->td_compression != COMPRESSION_NONE) - { - uint64_t space; -- uint64_t filesize; - uint16_t n; - filesize = TIFFGetFileSize(tif); - if (!(tif->tif_flags & TIFF_BIGTIFF)) --- -2.43.0 - diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2023-6277-At-image-reading-compare-data-size-of-some-tags-data.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2023-6277-At-image-reading-compare-data-size-of-some-tags-data.patch deleted file mode 100644 index d5854a9059b..00000000000 --- a/meta/recipes-multimedia/libtiff/tiff/CVE-2023-6277-At-image-reading-compare-data-size-of-some-tags-data.patch +++ /dev/null @@ -1,162 +0,0 @@ -From b33baa5d9c6aac8ce49b5180dd48e39697ab7a11 Mon Sep 17 00:00:00 2001 -From: Su_Laus -Date: Fri, 27 Oct 2023 22:11:10 +0200 -Subject: [PATCH 1/3] At image reading, compare data size of some tags / data - structures (StripByteCounts, StripOffsets, StripArray, TIFF directory) with - file size to prevent provoked out-of-memory attacks. - -See issue #614. - -CVE: CVE-2023-6277 -Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/merge_requests/545] -Signed-off-by: Khem Raj ---- - libtiff/tif_dirread.c | 90 +++++++++++++++++++++++++++++++++++++++++++ - 1 file changed, 90 insertions(+) - -diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c -index 2c49dc6..c52d41f 100644 ---- a/libtiff/tif_dirread.c -+++ b/libtiff/tif_dirread.c -@@ -1308,6 +1308,21 @@ TIFFReadDirEntryArrayWithLimit(TIFF *tif, TIFFDirEntry *direntry, - datasize = (*count) * typesize; - assert((tmsize_t)datasize > 0); - -+ /* Before allocating a huge amount of memory for corrupted files, check if -+ * size of requested memory is not greater than file size. -+ */ -+ uint64_t filesize = TIFFGetFileSize(tif); -+ if (datasize > filesize) -+ { -+ TIFFWarningExtR(tif, "ReadDirEntryArray", -+ "Requested memory size for tag %d (0x%x) %" PRIu32 -+ " is greather than filesize %" PRIu64 -+ ". Memory not allocated, tag not read", -+ direntry->tdir_tag, direntry->tdir_tag, datasize, -+ filesize); -+ return (TIFFReadDirEntryErrAlloc); -+ } -+ - if (isMapped(tif) && datasize > (uint64_t)tif->tif_size) - return TIFFReadDirEntryErrIo; - -@@ -5266,6 +5281,20 @@ static int EstimateStripByteCounts(TIFF *tif, TIFFDirEntry *dir, - if (!_TIFFFillStrilesInternal(tif, 0)) - return -1; - -+ /* Before allocating a huge amount of memory for corrupted files, check if -+ * size of requested memory is not greater than file size. */ -+ uint64_t filesize = TIFFGetFileSize(tif); -+ uint64_t allocsize = (uint64_t)td->td_nstrips * sizeof(uint64_t); -+ if (allocsize > filesize) -+ { -+ TIFFWarningExtR(tif, module, -+ "Requested memory size for StripByteCounts of %" PRIu64 -+ " is greather than filesize %" PRIu64 -+ ". Memory not allocated", -+ allocsize, filesize); -+ return -1; -+ } -+ - if (td->td_stripbytecount_p) - _TIFFfreeExt(tif, td->td_stripbytecount_p); - td->td_stripbytecount_p = (uint64_t *)_TIFFCheckMalloc( -@@ -5807,6 +5836,20 @@ static uint16_t TIFFFetchDirectory(TIFF *tif, uint64_t diroff, - dircount16 = (uint16_t)dircount64; - dirsize = 20; - } -+ /* Before allocating a huge amount of memory for corrupted files, check -+ * if size of requested memory is not greater than file size. */ -+ uint64_t filesize = TIFFGetFileSize(tif); -+ uint64_t allocsize = (uint64_t)dircount16 * dirsize; -+ if (allocsize > filesize) -+ { -+ TIFFWarningExtR( -+ tif, module, -+ "Requested memory size for TIFF directory of %" PRIu64 -+ " is greather than filesize %" PRIu64 -+ ". Memory not allocated, TIFF directory not read", -+ allocsize, filesize); -+ return 0; -+ } - origdir = _TIFFCheckMalloc(tif, dircount16, dirsize, - "to read TIFF directory"); - if (origdir == NULL) -@@ -5921,6 +5964,20 @@ static uint16_t TIFFFetchDirectory(TIFF *tif, uint64_t diroff, - "directories not supported"); - return 0; - } -+ /* Before allocating a huge amount of memory for corrupted files, check -+ * if size of requested memory is not greater than file size. */ -+ uint64_t filesize = TIFFGetFileSize(tif); -+ uint64_t allocsize = (uint64_t)dircount16 * dirsize; -+ if (allocsize > filesize) -+ { -+ TIFFWarningExtR( -+ tif, module, -+ "Requested memory size for TIFF directory of %" PRIu64 -+ " is greather than filesize %" PRIu64 -+ ". Memory not allocated, TIFF directory not read", -+ allocsize, filesize); -+ return 0; -+ } - origdir = _TIFFCheckMalloc(tif, dircount16, dirsize, - "to read TIFF directory"); - if (origdir == NULL) -@@ -5968,6 +6025,8 @@ static uint16_t TIFFFetchDirectory(TIFF *tif, uint64_t diroff, - } - } - } -+ /* No check against filesize needed here because "dir" should have same size -+ * than "origdir" checked above. */ - dir = (TIFFDirEntry *)_TIFFCheckMalloc( - tif, dircount16, sizeof(TIFFDirEntry), "to read TIFF directory"); - if (dir == 0) -@@ -7164,6 +7223,20 @@ static int TIFFFetchStripThing(TIFF *tif, TIFFDirEntry *dir, uint32_t nstrips, - return (0); - } - -+ /* Before allocating a huge amount of memory for corrupted files, check -+ * if size of requested memory is not greater than file size. */ -+ uint64_t filesize = TIFFGetFileSize(tif); -+ uint64_t allocsize = (uint64_t)nstrips * sizeof(uint64_t); -+ if (allocsize > filesize) -+ { -+ TIFFWarningExtR(tif, module, -+ "Requested memory size for StripArray of %" PRIu64 -+ " is greather than filesize %" PRIu64 -+ ". Memory not allocated", -+ allocsize, filesize); -+ _TIFFfreeExt(tif, data); -+ return (0); -+ } - resizeddata = (uint64_t *)_TIFFCheckMalloc( - tif, nstrips, sizeof(uint64_t), "for strip array"); - if (resizeddata == 0) -@@ -7263,6 +7336,23 @@ static void allocChoppedUpStripArrays(TIFF *tif, uint32_t nstrips, - } - bytecount = last_offset + last_bytecount - offset; - -+ /* Before allocating a huge amount of memory for corrupted files, check if -+ * size of StripByteCount and StripOffset tags is not greater than -+ * file size. -+ */ -+ uint64_t allocsize = (uint64_t)nstrips * sizeof(uint64_t) * 2; -+ uint64_t filesize = TIFFGetFileSize(tif); -+ if (allocsize > filesize) -+ { -+ TIFFWarningExtR(tif, "allocChoppedUpStripArrays", -+ "Requested memory size for StripByteCount and " -+ "StripOffsets %" PRIu64 -+ " is greather than filesize %" PRIu64 -+ ". Memory not allocated", -+ allocsize, filesize); -+ return; -+ } -+ - newcounts = - (uint64_t *)_TIFFCheckMalloc(tif, nstrips, sizeof(uint64_t), - "for chopped \"StripByteCounts\" array"); --- -2.43.0 - diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2024-7006.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2024-7006.patch deleted file mode 100644 index 785244bdea3..00000000000 --- a/meta/recipes-multimedia/libtiff/tiff/CVE-2024-7006.patch +++ /dev/null @@ -1,65 +0,0 @@ -From 8ee0e7d2bdcc1a5a5a3241904b243964ab947b7b Mon Sep 17 00:00:00 2001 -From: Su_Laus -Date: Fri, 1 Dec 2023 20:12:25 +0100 -Subject: [PATCH] Check return value of _TIFFCreateAnonField(). - -Fixes #624 - -Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/818fb8ce881cf839fbc710f6690aadb992aa0f9e] -CVE: CVE-2024-7006 -Signed-off-by: Siddharth Doshi ---- - libtiff/tif_dirinfo.c | 2 +- - libtiff/tif_dirread.c | 16 ++++++---------- - 2 files changed, 7 insertions(+), 11 deletions(-) - -diff --git a/libtiff/tif_dirinfo.c b/libtiff/tif_dirinfo.c -index 0e705e8..4cfdaad 100644 ---- a/libtiff/tif_dirinfo.c -+++ b/libtiff/tif_dirinfo.c -@@ -887,7 +887,7 @@ const TIFFField *_TIFFFindOrRegisterField(TIFF *tif, uint32_t tag, - if (fld == NULL) - { - fld = _TIFFCreateAnonField(tif, tag, dt); -- if (!_TIFFMergeFields(tif, fld, 1)) -+ if (fld == NULL || !_TIFFMergeFields(tif, fld, 1)) - return NULL; - } - -diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c -index 58a4276..738df9f 100644 ---- a/libtiff/tif_dirread.c -+++ b/libtiff/tif_dirread.c -@@ -4275,11 +4275,9 @@ int TIFFReadDirectory(TIFF *tif) - dp->tdir_tag, dp->tdir_tag); - /* the following knowingly leaks the - anonymous field structure */ -- if (!_TIFFMergeFields( -- tif, -- _TIFFCreateAnonField(tif, dp->tdir_tag, -- (TIFFDataType)dp->tdir_type), -- 1)) -+ const TIFFField *fld = _TIFFCreateAnonField( -+ tif, dp->tdir_tag, (TIFFDataType)dp->tdir_type); -+ if (fld == NULL || !_TIFFMergeFields(tif, fld, 1)) - { - TIFFWarningExtR( - tif, module, -@@ -5153,11 +5151,9 @@ int TIFFReadCustomDirectory(TIFF *tif, toff_t diroff, - "Unknown field with tag %" PRIu16 " (0x%" PRIx16 - ") encountered", - dp->tdir_tag, dp->tdir_tag); -- if (!_TIFFMergeFields( -- tif, -- _TIFFCreateAnonField(tif, dp->tdir_tag, -- (TIFFDataType)dp->tdir_type), -- 1)) -+ const TIFFField *fld = _TIFFCreateAnonField( -+ tif, dp->tdir_tag, (TIFFDataType)dp->tdir_type); -+ if (fld == NULL || !_TIFFMergeFields(tif, fld, 1)) - { - TIFFWarningExtR(tif, module, - "Registering anonymous field with tag %" PRIu16 --- -2.44.1 - diff --git a/meta/recipes-multimedia/libtiff/tiff_4.6.0.bb b/meta/recipes-multimedia/libtiff/tiff_4.7.0.bb similarity index 79% rename from meta/recipes-multimedia/libtiff/tiff_4.6.0.bb rename to meta/recipes-multimedia/libtiff/tiff_4.7.0.bb index 6bf7010ba28..474fe1e8fd9 100644 --- a/meta/recipes-multimedia/libtiff/tiff_4.6.0.bb +++ b/meta/recipes-multimedia/libtiff/tiff_4.7.0.bb @@ -8,18 +8,9 @@ LIC_FILES_CHKSUM = "file://LICENSE.md;md5=a3e32d664d6db1386b4689c8121531c3" CVE_PRODUCT = "libtiff" -SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \ - file://CVE-2023-6277-At-image-reading-compare-data-size-of-some-tags-data.patch \ - file://CVE-2023-6277-At-image-reading-compare-data-size-of-some-tags-data-2.patch \ - file://CVE-2023-6277-Apply-1-suggestion-s-to-1-file-s.patch \ - file://CVE-2023-6228.patch \ - file://CVE-2023-52355-0001.patch \ - file://CVE-2023-52355-0002.patch \ - file://CVE-2023-52356.patch \ - file://CVE-2024-7006.patch \ - " - -SRC_URI[sha256sum] = "88b3979e6d5c7e32b50d7ec72fb15af724f6ab2cbf7e10880c360a77e4b5d99a" +SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz" + +SRC_URI[sha256sum] = "67160e3457365ab96c5b3286a0903aa6e78bdc44c4bc737d2e486bcecb6ba976" # exclude betas UPSTREAM_CHECK_REGEX = "tiff-(?P\d+(\.\d+)+).tar" -- 2.47.3