tiff: upgrade to 4.5.1

Also remove old CVE_CHECK_IGNOREs which are no longer needed due to CPE
updates.

(From OE-Core rev: 2200fde7011c4206382150c2602b2eb17423d45e)

Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>

meta/recipes-multimedia/libtiff/files/CVE-2022-48281.patch

@@ -1,29 +0,0 @@
-CVE: CVE-2022-48281
-Upstream-Status: Backport
-Signed-off-by: Ross Burton <ross.burton@arm.com>
-
-From 97d65859bc29ee334012e9c73022d8a8e55ed586 Mon Sep 17 00:00:00 2001
-From: Su Laus <sulau@freenet.de>
-Date: Sat, 21 Jan 2023 15:58:10 +0000
-Subject: [PATCH] tiffcrop: Correct simple copy paste error. Fix #488.
-
----
- tools/tiffcrop.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
-index 14fa18da..7db69883 100644
---- a/tools/tiffcrop.c
-+++ b/tools/tiffcrop.c
-@@ -8591,7 +8591,7 @@ static int processCropSelections(struct image_data *image,
-                     cropsize + NUM_BUFF_OVERSIZE_BYTES);
-             else
-             {
--                prev_cropsize = seg_buffs[0].size;
-+                prev_cropsize = seg_buffs[i].size;
-                 if (prev_cropsize < cropsize)
-                 {
-                     next_buff = _TIFFrealloc(
--- 
-GitLab
-

meta/recipes-multimedia/libtiff/files/CVE-2023-26965.patch

@@ -1,99 +0,0 @@
-From ec8ef90c1f573c9eb1f17d6a056aa0015f184acf Mon Sep 17 00:00:00 2001
-From: Su_Laus <sulau@freenet.de>
-Date: Tue, 14 Feb 2023 20:43:43 +0100
-Subject: [PATCH] tiffcrop: Do not reuse input buffer for subsequent images.
- Fix issue 527
-
-Reuse of read_buff within loadImage() from previous image is quite unsafe, because other functions (like rotateImage() etc.) reallocate that buffer with different size without updating the local prev_readsize value.
-
-Closes #527
-
-CVE: CVE-2023-26965
-Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/ec8ef90c1f573c9eb1f17d6a056aa0015f184acf]
-Signed-off-by: Natasha Bailey <nat.bailey@windriver.com>
----
- tools/tiffcrop.c | 47 +++++++++++++----------------------------------
- 1 file changed, 13 insertions(+), 34 deletions(-)
-
-diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
-index d7ad5ca8..d3e11ba2 100644
---- a/tools/tiffcrop.c
-+++ b/tools/tiffcrop.c
-@@ -6771,9 +6771,7 @@ static int loadImage(TIFF *in, struct image_data *image, struct dump_opts *dump,
-     uint32_t tw = 0, tl = 0; /* Tile width and length */
-     tmsize_t tile_rowsize = 0;
-     unsigned char *read_buff = NULL;
--    unsigned char *new_buff = NULL;
-     int readunit = 0;
--    static tmsize_t prev_readsize = 0;
- 
-     TIFFGetFieldDefaulted(in, TIFFTAG_BITSPERSAMPLE, &bps);
-     TIFFGetFieldDefaulted(in, TIFFTAG_SAMPLESPERPIXEL, &spp);
-@@ -7097,43 +7095,25 @@ static int loadImage(TIFF *in, struct image_data *image, struct dump_opts *dump,
-     }
- 
-     read_buff = *read_ptr;
--    /* +3 : add a few guard bytes since reverseSamples16bits() can read a bit */
--    /* outside buffer */
--    if (!read_buff)
-+    /* +3 : add a few guard bytes since reverseSamples16bits() can read a bit
-+     * outside buffer */
-+    /* Reuse of read_buff from previous image is quite unsafe, because other
-+     * functions (like rotateImage() etc.) reallocate that buffer with different
-+     * size without updating the local prev_readsize value. */
-+    if (read_buff)
-     {
--        if (buffsize > 0xFFFFFFFFU - 3)
--        {
--            TIFFError("loadImage", "Unable to allocate/reallocate read buffer");
--            return (-1);
--        }
--        read_buff =
--            (unsigned char *)limitMalloc(buffsize + NUM_BUFF_OVERSIZE_BYTES);
-+        _TIFFfree(read_buff);
-     }
--    else
-+    if (buffsize > 0xFFFFFFFFU - 3)
-     {
--        if (prev_readsize < buffsize)
--        {
--            if (buffsize > 0xFFFFFFFFU - 3)
--            {
--                TIFFError("loadImage",
--                          "Unable to allocate/reallocate read buffer");
--                return (-1);
--            }
--            new_buff =
--                _TIFFrealloc(read_buff, buffsize + NUM_BUFF_OVERSIZE_BYTES);
--            if (!new_buff)
--            {
--                free(read_buff);
--                read_buff = (unsigned char *)limitMalloc(
--                    buffsize + NUM_BUFF_OVERSIZE_BYTES);
--            }
--            else
--                read_buff = new_buff;
--        }
-+        TIFFError("loadImage", "Required read buffer size too large");
-+        return (-1);
-     }
-+    read_buff =
-+        (unsigned char *)limitMalloc(buffsize + NUM_BUFF_OVERSIZE_BYTES);
-     if (!read_buff)
-     {
--        TIFFError("loadImage", "Unable to allocate/reallocate read buffer");
-+        TIFFError("loadImage", "Unable to allocate read buffer");
-         return (-1);
-     }
- 
-@@ -7141,7 +7121,6 @@ static int loadImage(TIFF *in, struct image_data *image, struct dump_opts *dump,
-     read_buff[buffsize + 1] = 0;
-     read_buff[buffsize + 2] = 0;
- 
--    prev_readsize = buffsize;
-     *read_ptr = read_buff;
- 
-     /* N.B. The read functions used copy separate plane data into a buffer as
--- 
-2.39.0
-

meta/recipes-multimedia/libtiff/files/CVE-2023-2731.patch

@@ -1,39 +0,0 @@
-From 9be22b639ea69e102d3847dca4c53ef025e9527b Mon Sep 17 00:00:00 2001
-From: Even Rouault <even.rouault@spatialys.com>
-Date: Sat, 29 Apr 2023 12:20:46 +0200
-Subject: [PATCH] LZWDecode(): avoid crash when trying to read again from a
- strip whith a missing end-of-information marker (fixes #548)
-
-CVE: CVE-2023-2731
-Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/9be22b639ea69e102d3847dca4c53ef025e9527b]
-
----
- libtiff/tif_lzw.c | 5 +++++
- 1 file changed, 5 insertions(+)
-
-diff --git a/libtiff/tif_lzw.c b/libtiff/tif_lzw.c
-index ba75a07e..d631fa10 100644
---- a/libtiff/tif_lzw.c
-+++ b/libtiff/tif_lzw.c
-@@ -423,6 +423,10 @@ static int LZWDecode(TIFF *tif, uint8_t *op0, tmsize_t occ0, uint16_t s)
- 
-     if (sp->read_error)
-     {
-+        TIFFErrorExtR(tif, module,
-+                      "LZWDecode: Scanline %" PRIu32 " cannot be read due to "
-+                      "previous error",
-+                      tif->tif_row);
-         return 0;
-     }
- 
-@@ -742,6 +746,7 @@ after_loop:
-     return (1);
- 
- no_eoi:
-+    sp->read_error = 1;
-     TIFFErrorExtR(tif, module,
-                   "LZWDecode: Strip %" PRIu32 " not terminated with EOI code",
-                   tif->tif_curstrip);
--- 
-2.34.1
-

meta/recipes-multimedia/libtiff/tiff_4.5.1.bb

@@ -8,13 +8,9 @@ LIC_FILES_CHKSUM = "file://LICENSE.md;md5=a3e32d664d6db1386b4689c8121531c3"
 
 CVE_PRODUCT = "libtiff"
 
-SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
-           file://CVE-2022-48281.patch \
-           file://CVE-2023-2731.patch \
-           file://CVE-2023-26965.patch \
-"
+SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz"
 
-SRC_URI[sha256sum] = "c7a1d9296649233979fa3eacffef3fa024d73d05d589cb622727b5b08c423464"
+SRC_URI[sha256sum] = "d7f38b6788e4a8f5da7940c5ac9424f494d8a79eba53d555f4a507167dca5e2b"
 
 # exclude betas
 UPSTREAM_CHECK_REGEX = "tiff-(?P<pver>\d+(\.\d+)+).tar"
@@ -22,11 +18,6 @@ UPSTREAM_CHECK_REGEX = "tiff-(?P<pver>\d+(\.\d+)+).tar"
 # Tested with check from https://security-tracker.debian.org/tracker/CVE-2015-7313
 # and 4.3.0 doesn't have the issue
 CVE_CHECK_IGNORE += "CVE-2015-7313"
-# These issues only affect libtiff post-4.3.0 but before 4.4.0,
-# caused by 3079627e and fixed by b4e79bfa.
-CVE_CHECK_IGNORE += "CVE-2022-1622 CVE-2022-1623"
-# Issue is in jbig which we don't enable
-CVE_CHECK_IGNORE += "CVE-2022-1210"
 
 inherit autotools multilib_header