mirrors/poky
1
0
Fork 0
mirror of https://git.yoctoproject.org/poky synced 2026-02-28 04:19:40 +01:00
Code Issues Packages Projects Releases Wiki Activity

tiff: patch CVE-2023-3164

Browse Source 
Backport fix from upstream.

There was style refactoring done in the code meanwhile, so the patch mas
assembled manually by applying each change on 4.3.0 sources.

(From OE-Core rev: fda622289ef26fac38e7dc41e6f0c9d7c866f06e)

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
This commit is contained in:
Peter Marko
2024-12-31 22:25:09 +01:00
committed by Steve Sakoman
parent 08538e11df
commit 3d3f3d4334
2 changed files with 115 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

114
meta/recipes-multimedia/libtiff/tiff/CVE-2023-3164.patch Normal file
View File

@@ -0,0 +1,114 @@
From a20298c4785c369469510613dfbc5bf230164fed Mon Sep 17 00:00:00 2001
From: Lee Howard <faxguy@howardsilvan.com>
Date: Fri, 17 May 2024 15:11:10 +0000
Subject: [PATCH] tiffcrop: fixes #542, #550, #552 (buffer overflows, use after
free)
CVE: CVE-2023-3164
Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/commit/a20298c4785c369469510613dfbc5bf230164fed]
Signed-off-by: Peter Marko <peter.marko@siemens.com>
---
tools/tiffcrop.c | 31 +++++++++++++++++++++++++++++--
1 file changed, 29 insertions(+), 2 deletions(-)
diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
index b11fec93a..aaf6bb280 100644
--- a/tools/tiffcrop.c
+++ b/tools/tiffcrop.c
@@ -449,6 +449,7 @@ static uint16_t defcompression = (uint16_t) -1;
static uint16_t defpredictor = (uint16_t) -1;
static int pageNum = 0;
static int little_endian = 1;
+static tmsize_t check_buffsize = 0;
/* Functions adapted from tiffcp with additions or significant modifications */
static int readContigStripsIntoBuffer (TIFF*, uint8_t*);
@@ -2081,6 +2082,11 @@ void process_command_opts (int argc, char *argv[], char *mp, char *mode, uint32
TIFFError ("Limit for subdivisions, ie rows x columns, exceeded", "%d", MAX_SECTIONS);
exit (EXIT_FAILURE);
}
+ if ((page->cols * page->rows) < 1)
+ {
+ TIFFError("No subdivisions", "%d", (page->cols * page->rows));
+ exit(EXIT_FAILURE);
+ }
page->mode |= PAGE_MODE_ROWSCOLS;
break;
case 'U': /* units for measurements and offsets */
@@ -4433,7 +4439,7 @@ combineSeparateTileSamplesBytes (unsigned char *srcbuffs[], unsigned char *out,
dst = out + (row * dst_rowsize);
src_offset = row * src_rowsize;
#ifdef DEVELMODE
- TIFFError("","Tile row %4d, Src offset %6d Dst offset %6d",
+ TIFFError("","Tile row %4d, Src offset %6d Dst offset %6zd",
row, src_offset, dst - out);
#endif
for (col = 0; col < cols; col++)
@@ -5028,7 +5034,7 @@ static int readSeparateStripsIntoBuffer (TIFF *in, uint8_t *obuf, uint32_t lengt
break;
}
#ifdef DEVELMODE
- TIFFError("", "Strip %2"PRIu32", read %5"PRId32" bytes for %4"PRIu32" scanlines, shift width %d",
+ TIFFError("", "Strip %2"PRIu32", read %5zd bytes for %4"PRIu32" scanlines, shift width %d",
strip, bytes_read, rows_this_strip, shift_width);
#endif
}
@@ -6446,6 +6452,7 @@ loadImage(TIFF* in, struct image_data *image, struct dump_opts *dump, unsigned c
TIFFError("loadImage", "Unable to allocate read buffer");
return (-1);
}
+ check_buffsize = buffsize + NUM_BUFF_OVERSIZE_BYTES;
read_buff[buffsize] = 0;
read_buff[buffsize+1] = 0;
@@ -7076,6 +7083,11 @@ extractImageSection(struct image_data *image, struct pageseg *section,
#ifdef DEVELMODE
TIFFError ("", "Src offset: %8"PRIu32", Dst offset: %8"PRIu32, src_offset, dst_offset);
#endif
+ if (src_offset + full_bytes >= check_buffsize)
+ {
+ printf("Bad input. Preventing reading outside of input buffer.\n");
+ return(-1);
+ }
_TIFFmemcpy (sect_buff + dst_offset, src_buff + src_offset, full_bytes);
dst_offset += full_bytes;
}
@@ -7110,6 +7122,11 @@ extractImageSection(struct image_data *image, struct pageseg *section,
bytebuff1 = bytebuff2 = 0;
if (shift1 == 0) /* the region is byte and sample aligned */
{
+ if (offset1 + full_bytes >= check_buffsize)
+ {
+ printf("Bad input. Preventing reading outside of input buffer.\n");
+ return(-1);
+ }
_TIFFmemcpy (sect_buff + dst_offset, src_buff + offset1, full_bytes);
#ifdef DEVELMODE
@@ -7129,6 +7146,11 @@ extractImageSection(struct image_data *image, struct pageseg *section,
if (trailing_bits != 0)
{
/* Only copy higher bits of samples and mask lower bits of not wanted column samples to zero */
+ if (offset1 + full_bytes >= check_buffsize)
+ {
+ printf("Bad input. Preventing reading outside of input buffer.\n");
+ return(-1);
+ }
bytebuff2 = src_buff[offset1 + full_bytes] & ((unsigned char)255 << (8 - trailing_bits));
sect_buff[dst_offset] = bytebuff2;
#ifdef DEVELMODE
@@ -7154,6 +7176,11 @@ extractImageSection(struct image_data *image, struct pageseg *section,
{
/* Skip the first shift1 bits and shift the source up by shift1 bits before save to destination.*/
/* Attention: src_buff size needs to be some bytes larger than image size, because could read behind image here. */
+ if (offset1 + j + 1 >= check_buffsize)
+ {
+ printf("Bad input. Preventing reading outside of input buffer.\n");
+ return(-1);
+ }
bytebuff1 = src_buff[offset1 + j] & ((unsigned char)255 >> shift1);
bytebuff2 = src_buff[offset1 + j + 1] & ((unsigned char)255 << (8 - shift1));
sect_buff[dst_offset + j] = (bytebuff1 << shift1) | (bytebuff2 >> (8 - shift1));
--
GitLab

1
meta/recipes-multimedia/libtiff/tiff_4.3.0.bb
View File

@@ -54,6 +54,7 @@ SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
file://CVE-2023-6277-3.patch \
file://CVE-2023-6277-4.patch \
file://CVE-2024-7006.patch \
file://CVE-2023-3164.patch \
"
SRC_URI[sha256sum] = "0e46e5acb087ce7d1ac53cf4f56a09b221537fc86dfc5daaad1c2e89e1b37ac8"