mirror of
https://git.yoctoproject.org/poky
synced 2026-07-06 11:13:41 +02:00
tiff: fix CVE-2026-4775
Fix CVE-2026-4775
Reference: 782a11d6b5
(From OE-Core rev: 5a9bd4598fb446330c991fb51eaed372d96f39ff)
Signed-off-by: Naman Jain <namanj1@kpit.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
This commit is contained in:
59
meta/recipes-multimedia/libtiff/tiff/CVE-2026-4775.patch
Normal file
59
meta/recipes-multimedia/libtiff/tiff/CVE-2026-4775.patch
Normal file
@@ -0,0 +1,59 @@
|
||||
From 782a11d6b5b61c6dc21e714950a4af5bf89f023c Mon Sep 17 00:00:00 2001
|
||||
From: Even Rouault <even.rouault@spatialys.com>
|
||||
Date: Sun, 22 Feb 2026 23:32:47 +0100
|
||||
Subject: [PATCH] TIFFReadRGBAImage(): prevent integer overflow and later heap
|
||||
overflow on images with huge width in YCbCr tile decoding functions
|
||||
|
||||
Fixes https://gitlab.com/libtiff/libtiff/-/issues/787
|
||||
|
||||
CVE: CVE-2026-4775
|
||||
Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/782a11d6b5b61c6dc21e714950a4af5bf89f023c]
|
||||
|
||||
Signed-off-by: Naman Jain <namanj1@kpit.com>
|
||||
---
|
||||
libtiff/tif_getimage.c | 8 ++++----
|
||||
1 file changed, 4 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c
|
||||
index 4543dddae..fa82d0910 100644
|
||||
--- a/libtiff/tif_getimage.c
|
||||
+++ b/libtiff/tif_getimage.c
|
||||
@@ -2224,7 +2224,7 @@ DECLAREContigPutFunc(putcontig8bitYCbCr44tile)
|
||||
uint32_t *cp1 = cp + w + toskew;
|
||||
uint32_t *cp2 = cp1 + w + toskew;
|
||||
uint32_t *cp3 = cp2 + w + toskew;
|
||||
- int32_t incr = 3 * w + 4 * toskew;
|
||||
+ const tmsize_t incr = 3 * (tmsize_t)w + 4 * (tmsize_t)toskew;
|
||||
|
||||
(void)y;
|
||||
/* adjust fromskew */
|
||||
@@ -2364,7 +2364,7 @@ DECLAREContigPutFunc(putcontig8bitYCbCr44tile)
|
||||
DECLAREContigPutFunc(putcontig8bitYCbCr42tile)
|
||||
{
|
||||
uint32_t *cp1 = cp + w + toskew;
|
||||
- int32_t incr = 2 * toskew + w;
|
||||
+ const tmsize_t incr = 2 * (tmsize_t)toskew + w;
|
||||
|
||||
(void)y;
|
||||
fromskew = (fromskew / 4) * (4 * 2 + 2);
|
||||
@@ -2522,7 +2522,7 @@ DECLAREContigPutFunc(putcontig8bitYCbCr41tile)
|
||||
DECLAREContigPutFunc(putcontig8bitYCbCr22tile)
|
||||
{
|
||||
uint32_t *cp2;
|
||||
- int32_t incr = 2 * toskew + w;
|
||||
+ const tmsize_t incr = 2 * (tmsize_t)toskew + w;
|
||||
(void)y;
|
||||
fromskew = (fromskew / 2) * (2 * 2 + 2);
|
||||
cp2 = cp + w + toskew;
|
||||
@@ -2625,7 +2625,7 @@ DECLAREContigPutFunc(putcontig8bitYCbCr21tile)
|
||||
DECLAREContigPutFunc(putcontig8bitYCbCr12tile)
|
||||
{
|
||||
uint32_t *cp2;
|
||||
- int32_t incr = 2 * toskew + w;
|
||||
+ const tmsize_t incr = 2 * (tmsize_t)toskew + w;
|
||||
(void)y;
|
||||
fromskew = (fromskew / 1) * (1 * 2 + 2);
|
||||
cp2 = cp + w + toskew;
|
||||
--
|
||||
GitLab
|
||||
|
||||
@@ -18,6 +18,7 @@ SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
|
||||
file://CVE-2023-52356.patch \
|
||||
file://CVE-2024-7006.patch \
|
||||
file://CVE-2025-9900.patch \
|
||||
file://CVE-2026-4775.patch \
|
||||
"
|
||||
|
||||
SRC_URI[sha256sum] = "88b3979e6d5c7e32b50d7ec72fb15af724f6ab2cbf7e10880c360a77e4b5d99a"
|
||||
|
||||
Reference in New Issue
Block a user